Hole Punching (networking)

Hole punching (or sometimes punch-through) is a technique in computer networking for establishing a direct connection between two parties in which one or both are behind firewalls or behind routers that use network address translation (NAT). To punch a hole, each client connects to an unrestricted third-party server that temporarily stores the external and internal address and port information for each client. The server then relays each client's information to the other, and using that information each client tries to establish a direct connection; because the connections use valid port numbers, restrictive firewalls or routers accept and forward the incoming packets on each side. Hole punching does not require any knowledge of the network topology to function. ICMP hole punching, UDP hole punching and TCP hole punching respectively use the Internet Control Message, User Datagram and Transmission Control Protocols.


Overview

Networked devices with public or globally accessible IP addresses can create connections between one another easily. Clients with private addresses may also easily connect to public servers, as long as the client behind a router or firewall initiates the connection. However, hole punching (or some other form of NAT traversal) is required to establish a direct connection between two clients that both reside behind different firewalls or routers that use network address translation (NAT). Both clients initiate a connection to an unrestricted server, which notes endpoint and session information including public IP and port along with private IP and port. The firewalls also note the endpoints in order to allow responses from the server to pass back through. The server then sends each client's endpoint and session information to the other client, or peer. Each client tries to connect to its peer through the specified IP address and port that the peer's firewall has opened for the server. The new connection attempt punches a hole in the client's firewall, as the endpoint now becomes open to receive a response from its peer. Depending on network conditions, one or both clients might receive a connection request. Successful exchange of an authentication nonce between both clients indicates the completion of a hole punching procedure (Ford, Srisuresh and Kegel, 2005, "Peer-to-Peer Communication Across Network Address Translators").


Examples

VoIP products, online gaming applications, and P2P networking software all use hole punching.

* Telephony software such as Skype uses hole punching to allow users to communicate with one or more users (Schmidt, Jürgen, 2006, "The hole trick").
* Fast-paced online multiplayer games may use a hole punching technique or require users to create a permanent firewall pinhole in order to reduce network latency.
* VPN applications such as Hamachi, ZeroTier, and Tailscale use hole punching to allow users to connect directly to subscribed devices behind firewalls.
* Decentralized peer-to-peer file sharing software relies on hole punching for file distribution.


Requirements

Reliable hole punching requires consistent endpoint translation and, for multiple levels of NATs, hairpin translation. When an outbound connection from a private endpoint passes through a firewall, it receives a public endpoint (public IP address and port number), and the firewall translates traffic between them. Until the connection is closed, the client and server communicate through the public endpoint, and the firewall directs traffic appropriately. Consistent endpoint translation reuses the same public endpoint for a given private endpoint, instead of allocating a new public endpoint for every new connection. Hairpin translation means that a NAT, on recognizing that a packet's destination endpoint is one of its own public endpoints, creates a loopback connection between two of its own private endpoints. This functionality is necessary for hole punching only when used within a multiple-layered NAT.
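As an added illustration (not part of the original article) of the exchange described in the Overview and of the consistent endpoint translation requirement above, the following Python model simulates two clients, their NATs and a rendezvous server. The Nat class, hole_punch function and all addresses are constructed for this example (RFC 5737 documentation ranges), not any real implementation.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy NAT/firewall. consistent=True reuses one public port per private
    endpoint (consistent endpoint translation); False allocates a fresh public
    port for every destination (symmetric NAT), which breaks hole punching."""
    public_ip: str
    consistent: bool = True
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # mapping key -> public port
    holes: set = field(default_factory=set)       # (public port, remote endpoint)

    def outbound(self, private, remote):
        """Translate a packet leaving the private side and record the hole it opens."""
        key = private if self.consistent else (private, remote)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        pub_port = self.mappings[key]
        self.holes.add((pub_port, remote))
        return (self.public_ip, pub_port)

    def inbound(self, dst_port, remote):
        """Forward an inbound packet only if the private side already sent to that remote."""
        return (dst_port, remote) in self.holes


def hole_punch(nat_a, nat_b, priv_a=("10.0.0.2", 5000), priv_b=("192.168.1.9", 6000),
               server=("203.0.113.1", 3478)):
    """Run the exchange from the Overview; returns (A reaches B, B reaches A)."""
    # 1. Both clients contact the unrestricted rendezvous server; each NAT creates a
    #    mapping and the server records the public endpoint it sees.
    pub_a = nat_a.outbound(priv_a, server)
    pub_b = nat_b.outbound(priv_b, server)
    # 2. The server relays each client's public endpoint to the other peer.
    # 3. Each client sends directly to its peer's public endpoint. On a consistent NAT
    #    this reuses the mapping the server saw and opens a hole for the peer's packets.
    #    (Assumes both punches are sent before either arrives; in practice the first
    #    packet may be dropped and is retransmitted.)
    src_a = nat_a.outbound(priv_a, pub_b)
    src_b = nat_b.outbound(priv_b, pub_a)
    # 4. The punch packets arrive at the peer's NAT with the translated source endpoint.
    return (nat_b.inbound(pub_b[1], src_a), nat_a.inbound(pub_a[1], src_b))
```

Calling hole_punch with two consistent NATs yields (True, True); making either NAT symmetric yields (False, False), because the punch packet leaves from a port the peer was never told about, and an unsolicited inbound packet to either NAT is dropped.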


See also

* Port Control Protocol (PCP)
* NAT Port Mapping Protocol (NAT-PMP)
* Internet Gateway Device Protocol (UPnP IGD)
* Port knocking
* Session Initiation Protocol
* STUN


References

* Ford, Bryan; Srisuresh, Pyda; Kegel, Dan (2005). "Peer-to-Peer Communication Across Network Address Translators".
* Schmidt, Jürgen (2006). "The hole trick".


External links


* How NAT traversal works