How many mappings does a Restricted Cone NAT remember? - udp

Say I'm behind a Restricted Cone NAT and I want to be able to receive a UDP message from some endpoint EP-A (of some PC on the internet not behind a NAT). I first send a UDP packet to that EP-A to punch a hole in the NAT.
This means that the NAT needs to remember the mapping:
(My local endpoint, EP-A)
But what happens when I send another UDP packet to another remote endpoint EP-B? Will the new mapping (My local endpoint, EP-B) overwrite the old one? Or will the NAT remember both?
If the NAT is capable of remembering more than one such mapping, then what is the maximum?
I understand that this may differ from one NAT to another, thus if there isn't an RFC for it I'd be also very interested in any statistics, "recommendations for NAT manufacturers",...

Will the new mapping (My local endpoint, EP-B) overwrite the old one?
No.
Or will the NAT remember both?
Generally yes. Upon saturation it will usually keep the old ones and drop new mappings, possibly with an ICMP error.
If the NAT is capable of remembering more than one such mapping, then what is the maximum?
Implementation-dependent and often configurable if you have access to the system.
thus if there isn't an RFC for it I'd be also very interested in any statistics
There actually are several RFCs for NAT, 4787 specifically refers to NAT in the case of UDP. But they do not specify concrete numbers, as it depends a lot on the equipment and network sizes.
In my personal experience, running a UDP-based DHT node or a DNS resolver can be sufficient to overwhelm the default configuration of a home router (custom firmware can alleviate this problem) or CGNATs that do not implement EIMs.
I remember reading some research paper that investigated the mapping retention time, port numbering behavior and mapping type of NATs across various ISPs, but I don't recall whether they also tested saturation.

Related

Picking TFTP TIDs

The RFC for TFTP says that TIDs in most circumstances:
should be randomly chosen, so that the probability that the same number is chosen twice in immediate succession is very low.
The thing is, these "TID"s are also used as UDP port numbers. But a typical network interface cannot just be dedicated for TFTP use. Some ports are liable to be in use, and others should essentially be "reserved" for specific applications. I'm not even sure where a program could go to look up this information at runtime.
So how is a TFTP implementation supposed to deal with this?
Since the host selecting the TID/port is the one opening it and telling the other party which one it's opened, you can simply try to open the port; if it's already in use or otherwise unavailable, this will fail, and you can re-try with a different port. (Note that since UDP and TCP are different protocols, a TCP application and a UDP application can both be using the "same" port, since they are not, in fact, the same at all!) Do this in a simple loop until you find a "good" one. (Probably best to define a maximum number of tries and simply fail the connection if that's met before a good port is found, as this could be a sign of other issues that prohibit this from working at all.)
Stick to the ephemeral port range to play nice with best practices, although note that different systems define different ranges for this purpose. You could pick the range suitable to your system, or simply try to use a port above the "well-known" port range (i.e. above 1024); this may not give you an "ephemeral port" per se for your system, but so long as you can open it it should work fine.
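The retry loop described in the answer above, as an added example (not code from the question or from any TFTP implementation): open_tid_socket picks a random port, tries to bind it, and picks again if the OS reports it unavailable, giving up after a bounded number of attempts. The port range, the try limit and the scripted collision in demo_collision are assumptions constructed for the example; real systems define their own ephemeral range.

```python
"""Choose a TFTP transfer identifier (TID) by binding a random UDP port, retrying on collision."""
import random
import socket

DEFAULT_TID_RANGE = (49152, 65535)   # IANA dynamic/private range; an assumption, adjust to your platform
DEFAULT_MAX_TRIES = 16               # assumption: bounded so persistent failure surfaces as an error


def open_tid_socket(tid_range=DEFAULT_TID_RANGE, max_tries=DEFAULT_MAX_TRIES,
                    host="127.0.0.1", rng=random):
    """Return (socket, tid, attempts) with the socket bound to UDP port `tid`.

    A failed bind (port in use or otherwise unavailable) just triggers another random pick; a TCP
    listener on the same number is irrelevant because UDP ports are a separate namespace. After
    max_tries failures raise OSError, since that points at a misconfiguration rather than bad luck.
    """
    low, high = tid_range
    last_error = None
    for attempt in range(1, max_tries + 1):
        tid = rng.randint(low, high)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sock.bind((host, tid))
            return sock, tid, attempt
        except OSError as exc:        # EADDRINUSE, EACCES, ...
            sock.close()
            last_error = exc
    raise OSError("no free TID in %d-%d after %d tries (last error: %s)"
                  % (low, high, max_tries, last_error))


class ScriptedRng:
    """Stand-in for `random` that replays a fixed sequence, so a collision can be shown deterministically."""

    def __init__(self, values):
        self._values = list(values)

    def randint(self, low, high):
        value = self._values.pop(0)
        if not low <= value <= high:
            raise ValueError("scripted value %d outside %d-%d" % (value, low, high))
        return value


def demo_collision():
    """Occupy one port, script the picker to hit it twice, and show it lands on a free port on try 3."""
    blocker = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    blocker.bind(("127.0.0.1", 0))            # let the OS pick a port, then keep holding it
    taken = blocker.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind(("127.0.0.1", 0))              # discover a currently free port to script as the third pick
    free = probe.getsockname()[1]
    probe.close()
    try:
        sock, tid, attempts = open_tid_socket(tid_range=(1025, 65535),
                                              rng=ScriptedRng([taken, taken, free]))
        sock.close()
        return {"taken": taken, "tid": tid, "attempts": attempts}
    finally:
        blocker.close()


if __name__ == "__main__":
    print(demo_collision())
```

Binding without SO_REUSEADDR is what makes the collision visible: the second bind to an occupied UDP port fails and the loop moves on instead of silently sharing the port.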

What are ICE Candidates and how do the peer connection choose between them?

I recently wrote a simple chat application, but I didn't really understand the background of ICE Candidates.
When the peers create a connection they get ICE Candidates, exchange them and finally set them on the peer connection.
So my question is, where do the ICE Candidates come from, how are they used, and are they all really used?
I have noticed that my colleague got less candidates when he executes the application on his machine, what could be the reason for different amount of Candidates ?
the answer from #Ichigo is correct, but it is a little bit bigger. Every ICE contains 'a node' of your network, until it has reached the outside. By this you send these ICEs to the other peer, so they know through what connection points they can reach you.
See it as a large building: one is in the building, and needs to tell the other (who is not familiar) how to walk through it. Same here, if I have a lot of network devices, the incoming connection somehow needs to find the right way to my computer.
By providing all nodes, the RTC connection finds the shortest route itself. So when you would connect to the computer next to you, which is connected to the same router/switch/whatever, it uses all ICEs and determines the shortest, and that is directly through that point. That your colleague got fewer ICE candidates has to do with the amount of devices it has to go through.
Please note that for every network adapter inside your computer which has an IP address (I have a vEthernet switch from Hyper-V) it also creates an ICE.
ICE stands for Interactive Connectivity Establishment; it's a technique used in NAT (network address translator) environments for establishing communication for VoIP, peer-to-peer, instant messaging, and other kinds of interactive media.
Typically an ICE candidate provides the information about the IP address and port from where the data is going to be exchanged.
Its format is something like the following:
a=candidate:1 1 UDP 2130706431 192.168.1.102 1816 typ host
Here UDP specifies the protocol to be used, and typ host specifies which type of ICE candidate it is; host means the candidate is generated within the firewall.
If you use Wireshark to monitor the traffic then you can see the ports that are used for data transfer are the same as the ones present in the ICE candidates.
Another type is relay, which denotes this candidate can be used when communication is to be done outside the firewall.
It may contain more information depending on the browser you are using.
Many times I have seen 8-12 ICE candidates generated by a browser.
Ichigo has a good answer, but doesn't emphasise how each candidate is used. I think MarijnS95's answer is plain wrong:
Every ICE contains 'a node' of your network, until it has reached the outside
By providing all nodes, the RTC connection finds the shortest route itself.
First, he means ICE candidate, but that part is fine. Maybe I'm misinterpreting him, but by saying 'until it has reached the outside', he makes it seem like a client (the initiating peer) is the innermost layer of an onion, and suggests the ICE candidate helps you peel the layers until you get to the 'internet', where you can get to the responding peer, perhaps peeling another onion to get to it. This is just not true. If an initiating peer fails to reach a responding peer through the transport address, it discards this candidate and will try a different candidate. It does not store any nodes anywhere in the candidate. The ICE candidates are generated before any communication with the responding peer. An ICE candidate does not help you peel the proverbial NAT onion. Also regarding the second quote I made from his answer, he makes it seem like ICE is used in a shortest path algorithm, where 'shortest' does not show up in the ICE RFC at all.
From RFC8445 terminology list:
ICE allows the agents to discover enough information about their topologies to potentially find one or more paths by which they can establish a data session.
The purpose of ICE is to discover which pairs of addresses will work. The way that ICE does this is to systematically try all possible pairs (in a carefully sorted order) until it finds one or more that work.
Candidate, Candidate Information: A transport address that is a potential point of contact for receipt of data. Candidates also have properties -- their type (server reflexive, relayed, or host), priority, foundation, and base.
Transport Address: The combination of an IP address and the transport protocol (such as UDP or TCP) port.
So there you have it, (ICE) Candidate was defined (an IP address and port that could potentially be an address that receives data, which might not work), and the selection process was explained (the first transport address pair that works). Note, it is not a list of nodes or onion peels.
Different users may have different ICE candidates because of the process of "gathering candidates". There are different types of candidates, and some are obtained from the local interfaces. If you have an extra virtual interface on your device, then an extra ICE candidate will be generated (I did not test this!). If you want to know how ICE candidates are 'gathered', read section 2.1, Gathering Candidates.
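To make the two points above concrete (a candidate is just a typed transport address with a priority, and selection is a sorted walk over candidate pairs), here is an added example, not code from any of the answers or from a WebRTC stack. It parses the a=candidate line quoted earlier, recomputes its priority with the RFC 8445 section 5.1.2.1 formula (the recommended type preferences 126/110/100/0 reproduce the 2130706431 in that line), and orders local/remote pairs by the section 6.1.2.3 pair priority. The peer candidates and the second local candidate are constructed for the example using documentation address ranges.

```python
"""Parse SDP ICE candidate lines and order candidate pairs the way RFC 8445 does."""
from dataclasses import dataclass
from typing import List, Tuple

# Recommended type preferences from RFC 8445, section 5.1.2.2.
TYPE_PREFERENCE = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}


@dataclass(frozen=True)
class Candidate:
    foundation: str
    component_id: int
    transport: str
    priority: int
    address: str
    port: int
    cand_type: str


def parse_candidate(line: str) -> Candidate:
    """Parse an 'a=candidate:...' attribute into its fields (raddr/rport/extensions are ignored)."""
    if line.startswith("a="):
        line = line[2:]
    if not line.startswith("candidate:"):
        raise ValueError("not an ICE candidate attribute: %r" % line)
    fields = line[len("candidate:"):].split()
    if len(fields) < 8 or fields[6] != "typ":
        raise ValueError("malformed candidate attribute: %r" % line)
    return Candidate(foundation=fields[0], component_id=int(fields[1]), transport=fields[2].upper(),
                     priority=int(fields[3]), address=fields[4], port=int(fields[5]), cand_type=fields[7])


def candidate_priority(cand_type: str, local_preference: int, component_id: int) -> int:
    """RFC 8445, 5.1.2.1: 2^24 * type_pref + 2^8 * local_pref + (256 - component_id)."""
    return (TYPE_PREFERENCE[cand_type] << 24) + (local_preference << 8) + (256 - component_id)


def pair_priority(g: int, d: int) -> int:
    """RFC 8445, 6.1.2.3. g: controlling agent's candidate priority, d: controlled agent's."""
    return (2 ** 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)


def checklist(local: List[Candidate], remote: List[Candidate]) -> List[Tuple[Candidate, Candidate]]:
    """Every local/remote pair with matching component and transport, highest pair priority first.
    The local agent is taken to be the controlling agent; connectivity checks run in this order."""
    pairs = [(l, r) for l in local for r in remote
             if l.component_id == r.component_id and l.transport == r.transport]
    return sorted(pairs, key=lambda p: pair_priority(p[0].priority, p[1].priority), reverse=True)


# First local line is the one quoted in the answer above; the rest are constructed for this example.
LOCAL_LINES = [
    "a=candidate:1 1 UDP 2130706431 192.168.1.102 1816 typ host",
    "a=candidate:2 1 UDP 1694498815 192.0.2.55 1816 typ srflx raddr 192.168.1.102 rport 1816",
]
REMOTE_LINES = [
    "a=candidate:1 1 UDP 2130706431 203.0.113.10 40000 typ host",
    "a=candidate:2 1 UDP 1694498815 198.51.100.7 51000 typ srflx raddr 203.0.113.10 rport 40000",
]


def demo() -> List[Tuple[Candidate, Candidate]]:
    """Build the sorted checklist for the sample candidates."""
    return checklist([parse_candidate(l) for l in LOCAL_LINES],
                     [parse_candidate(r) for r in REMOTE_LINES])


if __name__ == "__main__":
    for local, remote in demo():
        print("%-5s %s:%d  ->  %-5s %s:%d  pair priority %d" % (
            local.cand_type, local.address, local.port, remote.cand_type, remote.address,
            remote.port, pair_priority(local.priority, remote.priority)))
```

The host/host pair sorts first and the srflx/srflx pair last, which is the "carefully sorted order" the answer refers to: the agent tries the most direct pair and falls back through the list, discarding pairs that fail rather than carrying any path state in the candidates themselves.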

Choosing port number for UDP hole-punching

I have a weird problem. I have a successfully working C++ (boost asio) P2P application which works on most NATs. The problem is when I give the initial start port number as 1000 it checks if 1000 is free, else increments by one, chooses a port and starts handshaking. But when I have 10000, 20000, or any other huge port number the hole punching doesn't work on a port restricted cone NAT.
How is that possible? I am pretty sure it has nothing to do with the code. And recently it doesn't work on one of my friends' full cone NATs as well, but it has worked in many other full cone NATs. What could be the reason? Is there something I am missing about how a NAT behaves?
In many NAT implementations, there are protection rules in place which prevent one host from tying up a large percentage of ports on the WAN interface, e.g. like described here.
Depending on the router, the NAT table entries have different lifetimes, and there are always limits on how many ports can be allocated to a single client (I've seen numbers from 128 to 4096).
So I think when you get to the point where you need to use high ports, the NAT table for your source IP address is already full (or almost full) with entries from old connections, or connections from other apps, so the router either decides to decline or can't fit the new NAT entry for your port.
However, to be sure, I would try to repeat that on a controlled environment collecting Wireshark dumps on both sides of the NAT and analyze the packets. If possible, it would also be helpful to enable router logs and peek into them.
I understand this is not a "magic bullet", but hope it somehow helps you.
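A toy model of the NAT binding table, added here to illustrate both the first question on this page (does sending to EP-B overwrite the EP-A mapping, and what happens at saturation) and the answer just above (a per-host limit on allocated ports). It is not code from any answer or from a real NAT: it implements RFC 4787 endpoint-independent mapping (one external port per internal endpoint, reused for every remote), address-dependent filtering (the "restricted cone" case: inbound is accepted only from IPs the internal host has already sent to), a per-host cap on mappings, and keep-old/drop-new behaviour at the cap. The capacity of 4 and all addresses are constructed for the example.

```python
"""Toy model of a restricted-cone NAT binding table (RFC 4787 terminology)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Mapping:
    external: Endpoint
    # Remote IPs this internal endpoint has sent to. Each outbound datagram adds one,
    # so sending to EP-B widens the filter instead of overwriting the EP-A entry.
    allowed_remote_ips: Set[str] = field(default_factory=set)


class RestrictedConeNat:
    def __init__(self, external_ip: str, max_mappings_per_host: int, port_base: int = 40000):
        self.external_ip = external_ip
        self.max_mappings_per_host = max_mappings_per_host   # constructed cap; real ones are vendor-specific
        self.next_port = port_base
        self.table: Dict[Endpoint, Mapping] = {}           # internal endpoint -> mapping
        self.by_external: Dict[Endpoint, Endpoint] = {}    # external endpoint -> internal endpoint
        self.dropped = 0                                   # new mappings refused because the host was at its cap

    def outbound(self, internal: Endpoint, remote: Endpoint) -> Optional[Endpoint]:
        """Internal host sends a datagram; returns the external endpoint used, or None if dropped."""
        mapping = self.table.get(internal)
        if mapping is None:
            in_use = sum(1 for ep in self.table if ep[0] == internal[0])
            if in_use >= self.max_mappings_per_host:
                self.dropped += 1       # table full for this host: keep old mappings, refuse the new one
                return None
            mapping = Mapping(external=(self.external_ip, self.next_port))
            self.next_port += 1
            self.table[internal] = mapping
            self.by_external[mapping.external] = internal
        mapping.allowed_remote_ips.add(remote[0])
        return mapping.external

    def inbound(self, remote: Endpoint, external: Endpoint) -> Optional[Endpoint]:
        """Datagram arrives on the WAN side; returns the internal endpoint it is delivered to, or None."""
        internal = self.by_external.get(external)
        if internal is None:
            return None                 # no mapping at all
        if remote[0] not in self.table[internal].allowed_remote_ips:
            return None                 # address-dependent filtering rejects unsolicited senders
        return internal


def demo() -> dict:
    """Replay the EP-A / EP-B scenario, then push one host past its mapping cap."""
    nat = RestrictedConeNat(external_ip="198.51.100.1", max_mappings_per_host=4)
    me = ("10.0.0.2", 5000)
    ep_a, ep_b, ep_c = ("203.0.113.5", 3478), ("203.0.113.77", 9000), ("192.0.2.9", 4444)

    ext_a = nat.outbound(me, ep_a)      # punch towards EP-A
    ext_b = nat.outbound(me, ep_b)      # then towards EP-B: same external endpoint, filter widened
    results = {
        "same_external_for_both": ext_a == ext_b,
        "from_a": nat.inbound(ep_a, ext_a),
        "from_b": nat.inbound(ep_b, ext_a),
        "from_c_unsolicited": nat.inbound(ep_c, ext_a),
    }
    for port in (5001, 5002, 5003):     # other local sockets on the same host use up the remaining slots
        nat.outbound(("10.0.0.2", port), ep_a)
    results["over_cap"] = nat.outbound(("10.0.0.2", 5004), ep_a)
    results["dropped"] = nat.dropped
    results["old_mapping_still_works"] = nat.inbound(ep_a, ext_a) == me
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two things the model makes visible: with endpoint-independent mapping a single local socket costs one table entry no matter how many remotes it talks to, so it is the number of distinct local ports (old connections, other applications) that eats into the per-host cap; and when the cap is hit the existing mappings keep working while the new one silently fails, which is exactly the symptom the question describes.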
Don't try to choose the port number yourself. The operating system can do this faster and better than your code can.
Bind your socket to port 0 and let the OS choose an available port number for you. You didn't specify what programming language, but it usually involves a call to getsockname() after the bind() call is made to discover what local port is going to be used. Java and .NET have equivalent APIs for doing the same thing.
Then follow all the other steps here:
https://stackoverflow.com/a/8524609/104458
Not sure if this'll help, but have you tried having one instance of the client application start at 1001 and the other start at 1000, then both incrementing by 1?
While the 1000 will fail on client B, client A has already tried 1001 and so punched that hole, so hopefully it'll work, right? In theory, it sounds OK in my head.

Does WebRTC allow one-to-many (multicast) connections?

I've read a lot about WebRTC, but there's one question that still remains. I hope you can help me with that:
Does WebRTC allow me to create a one-to-many connection? I don't mean "being able to have multiple connections to different computers", I really talk about having one connection that multicasts its data to multiple endpoints without the need to "upload" the data once for each endpoint. Will it be possible to send one single package to the web, that, when it reaches the web, magically splits itself into multiple packages with different targets?
I hope you get what I'm looking for :)
Until now, I've only seen one-to-one connections, or solutions that have one connection to a central server that does the multicast for them (which usually results in twice the ping).
But to me, one-to-one connections don't seem to be really useful (due to the low upload bandwidth of clients), and solutions with a central server are also possible without WebRTC (using WebSockets), so the only real use case for WebRTC would be one-to-many connections.
So.. is this something that will be possible in the future? Or is it already possible today?
Three things:
IP multicast in the Internet is not possible at the moment (multicast addresses are not routed by ISPs)
WebRTC fits many use cases beyond one-to-many communication, just have a look at this document: https://datatracker.ietf.org/doc/html/draft-ietf-rtcweb-use-cases-and-requirements-06
WebRTC connections between browsers are always encrypted (using SRTP for A/V data and DTLS for generic data) and the encryption parameters (session keys etc.) are negotiated for every connection separately. How would you do that in a multicast environment (think of it as a distribution tree)?
So no, WebRTC cannot be used with IP multicast.
I would answer "It doesn't for now", because as a programmer, I can tell you that there are a number of ways for browser devs to make it work if we (users) insist on its importance. But how? Since there's encryption, they could allow sharing of the session's encryption keys with the group of 'registered' (multicast) users. But how? Well, the Web was created for sharing. The most obvious way is through web server mediation and a JS WebRTC API function (to load the user keys). Since multicast is most often used for efficient video distribution, you have an RTP/SRTP video server. The web server can coexist on the same machine. If they decide to extend it to web browsers, then the "server" role can be done by the web browser who created the multicast stream (the sender). The clients need to know who it is.
Again: In December 2013, this is still not possible. And multicasts are allowed on the Internet only in:
some experimental WAN nets
some internet+video ISP nets
LANs (when enabled at switch level, cheap switches transmit it to all ports). But you can be an ISP, researcher or LAN user, so it's necessary.

Throttling multicast datagrams

I have an application that is sending some UDP packets using multicast. I looked at the network traffic and there seems to be a lot of ancillary packets related to using multicast. I don't totally understand it, but does multicast by nature result in MORE network traffic. If so how can I throttle this down?
Other than the Multicast group join/remove messages, there are no ancillary messages created from you sending multicast data.
However, NICs, routers, switches, printers, etc. all usually send some kind of multicast traffic, which is probably what you are seeing if you record the traffic.
In short, you need the networking equipment that forwards traffic between the client nodes to take care of this. Those vary depending on the network topology but would normally be:
Ethernet switches
IP routers.
Switch / router (implements functionality of a switch & router)
There are multicast control protocols such as IGMP, but of course the source nodes and/or intermediate nodes (e.g. switches) must comply with these control protocols.
And YES, multicast results in more network traffic: this is why plain Ethernet hubbing is practically extinct and additions to IEEE Ethernet such as VLANs are prevalent nowadays.
This is probably best addressed on some other sites (maybe this SO-style site PacketDrop).
LLC packets mean you probably have sub-netting on your local segment; usually this doesn't mean extra packets though. You should change the network to a full class C if you want to remove LLC. On regular packets LLC or SNAP adds an 8-byte header.
http://ckp.made-it.com/ieee8022.html