You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@river.apache.org by Peter Firmstone <ji...@zeus.net.au> on 2011/07/17 12:43:17 UTC

Custom SocketFactory for UDT - NAT Traversal

 From the UDT website http://udt.sourceforge.net


          UDT: Breaking the Data Transfer Bottleneck

    UDT is a reliable UDP based application level data transport
    protocol for distributed data intensive applications over wide area
    high-speed networks. UDT uses UDP to transfer bulk data with its own
    reliability control and congestion control mechanisms. The new
    protocol can transfer data at a much higher speed than TCP does. UDT
    is also a highly configurable framework that can accommodate various
    congestion control algorithms.

The main attraction for me, is by using existing UDP channels, it's much 
easier to traverse firewalls.  UDP is a connectionless protocol.   
Additional performance may be obtained by using UDT in preference to TCP 
over wide area networks when NAT traversal isn't required.

NAT is used to share a public IP address among a number of privately 
addressed network computers.

Computer (A) behind a NAT can send data to the internet, the NAT re 
writes packet headers, a remote computer (B) can respond, the response 
packets are returned to computer (A) by the NAT.

If a River installation resides on a box in a private network behind a 
firewall and exports a service, and a proxy for this service is at some 
point obtained by a client residing outside the the private network, 
then that remote client cannot contact the service, unless a port is 
opened on the firewall and redirects packets to the service.

To cut a long story short, a service needs a port opened on a firewall, 
providing a way for external clients to contact it.

This can be done in the following ways:

   1. Configuring the firewall manually.
   2. NAT-PMP (If supported by NAT gateway)
      http://tools.ietf.org/html/draft-cheshire-nat-pmp-03
   3. UPnP IGD (If supported by NAT gateway)
   4. STUN http://tools.ietf.org/html/rfc5389

The limitation with NAT-PMP and UPnP is, they must be supported and 
enabled on a router but cannot be used for multi layer router network 
topographies.

The STUN protocol allows a network node residing behind a firewall to 
discover it's public port on a firewall and to keep it open by 
connecting to a public STUN server.  Publicly accessible STUN servers 
are available on the internet.  STUN doesn't succeed in all cases. 

Publicly accessible TURN servers, available on the internet, provide a 
method of relaying packets when STUN doesn't work.

Work on NAT Traversal is more mature and less complex for UDP than TCP, 
see http://tools.ietf.org/html/draft-ietf-mmusic-ice-tcp-14#appendix-A

It should be recognised that any connection obtained using these methods 
is not secure, STUN could misinform a client of it's public address to 
perform a substitution attack, a TURN server could perform a man in the 
middle attack.  These network connections should only be used with 
secure Endpoints, utilising cryptographic authentication.

A ServerSocketFactory could be designed to perform the necessary steps 
to open a firewall port, discover public address, port and keep the 
connection open.

Cheers,

Peter.