I'm curious why is it more pervasive. Does it has a better API?
I remember long ago when i first learned about NAT (i used it for sharing a dialup 14.4kbps modem), i thought that someday every home would have a router with NAT included, but it would "obviously" need also a SOCKS process to be able to open listening ports. When broadband started appearing, it was nice to see NAT as a common feature, and I supposed that SOCKS would be an extra, and slowly become more and more common... but nothing! i had to manually forward ports. then appeared that uPNP, but very few 'serious' applications support it, mostly P2P sharing, games, and some IM.
I still haven't seen any home router to include SOCKS (apart from Linux-based firmware upgrades, of course). does anybody know why??
edit:
as Vartec noted, UPnP is a zeroconf and service discovery, not proxy service. now i know that what i'm referring to is IGD protocol, the NAT traversal service present in home routers, and discovered via UPnP. so, my question would more properly be "Why IGD/UPnP instead of SOCKS?"
SOCKS has limitations compared to UPnP. Generally SOCKS requires configuration on each client and isn't transparent to applications (system-wide socket SOCKSification isn't installed/enabled by default on Windows), while NAT even without UPnP mostly works transparently and without any additional client configuration for outgoing TCP sockets and outgoing UDP.
NAT with UPnP also supports server TCP sockets better than SOCKS: SOCKS can only accept a single connection with its BIND request, which is okay for receiving a single TCP connection in a protocol like FTP, but useless for running a server that needs to accept many connections from many clients. SOCKS 4 also had a 2 minute timeout on the BIND request, but a server generally cannot know when the next client will try to connect.
Low-level TCP settings (eg. TCP Nagle, traffic class) also don't work across the SOCKS proxy, but they work through a NAT.
As far as I know, UPnP is zeroconf discovery type of protocol for devices in local networks, while SOCKS is tunnel-proxy server. They are completely different, actually I don't see anything, that they would have in common.
these are two different things, socks is a protocol that allows you to route tcp and udp (socks v5) through a proxy server and it's for outgoing connections, routers dont have anything to do with this (except they are acting as a proxy too)
the IGD of upnp is an 'api' that allows you to tell your router that you want to open a port and foward it to a computer, this is for incoming connections.. my linksys came with upnp enabled by default and one app i know to use this is msn messenger (maybe only for file transfers)
Related
If I am building a WebRTC app and using a Selective Forwarding Unit media server, does this mean that I will have no need for STUN / TURN servers?
From what I understand, STUN servers are used for clients to discover their public IP / port, and TURN servers are used to relay data between clients when they are unable to connect directly to each other via STUN.
My question is, if I deploy my SFU media server with a public address, does this eliminate the need for STUN and TURN servers? Since data will always be relayed through the SFU and the clients / peers will never actually talk to each other directly?
However, I noticed that the installation guide for Kurento (a popular media server with SFU functionality) contains a section about configuring STUN or TURN servers. Why would STUN or TURN servers be necessary?
You should still use a TURN server when running an SFU. To understand diving into ICE a little bit will help. All SFUs work a little differently, but this is true for most.
For each PeerConnection the SFU will listen on a random UDP (and sometimes TCP port)
This IP/Port combination is giving to each peer who then attempts to contact the SFU.
The SFU then checks the incoming packets if they contain a valid hash (determined by upwd). This ensures there is no attacker connecting to this port.
A TURN server works by
Provides a single allocation port that peers can connect to. You can use UDP, DTLS, TCP or TLS. You need a valid username/password.
Once authenticated you send packets via this connection and the TURN server relays them for you.
The TURN server will then listen on a random port so that others can then send stuff back to the Peer.
So a TURN server has a few nice things that an SFU doesn't
You only have to listen on a single public port. If you are communicating with a service not on the internet you can just have your clients only connect to the allocation
You can also make your service available via UDP, DTLS, TCP and TLS. Most ICE implementations only support UDP.
These two factors are really important in government/hospital situations. You have networks that only allow TLS traffic over port 443. So a TURN server is your only solution (you run your allocation on TLS 443)
So you need to design your system to your needs. But IMO you should always run a well configured TURN server in real world environments.
I'm looking for suggestions about approaches to allow multiple applications to use port 80 for communication.
I know it's impossible, or at lease not sensible to have multiple applications to actually bind to port 80, however, I've seen appliances when there is a device that provides both a web interface (HTTP) and RTSP with RTP using port 80.
I have two ideas on how this is achieved:
Are those custom made apps that implement all the functions?
For example the same binary is used for a web server and a RTSP server. That seems kind of limiting due to the fact that you would have to do sever modifications to already developed apps if you want, for example, Apache and openSSH both on port 80.
Are there a "port 80 multiplexers" sort of a pattern?
For example, a parser application that listens to port 80 and depending on the header of the received package, passes the package to the required application.
Found some related references, will give them a try.
https://bbs.archlinux.org/viewtopic.php?id=99457
http://www.rutschle.net/tech/sslh.shtml
I really don't think this is possible in a standard way: port number is actually the one that allows multiplexing among different applications in TCP and UDP protocols. More generic, TSAP, Transport Service Access Point allows multiplexing at the transport layer. TSAP is the port in protocols such as TCP, UDP, or SCTP.
One reason you may want two applications listening on the same port is that a second application can monitor or process in some other way the messages received, and eventually processed, by the first one. In this case, using pcap library other applications could read messages received by the main application that will probably response those messages.
Netfilter can also be useful, http://www.netfilter.org/
However, if you intend two applications to respond messages that arrive to the same port, that would be tricky and would have dependency on each application.
In this response I'm assuming you are thinking of applications listening to the same port at the same IP address. Something different is working with multihost servers where two applications could listen to same port number in different IP addresses.
I'm trying to transmit data in UDP datagrams into a client in external location to a pc in my local lan.
But my network is over a ADSL modem sending to a pc with Slackware, this pc redirect packages into other pcs.
I'm using socat to redirect UDP:
socat -v udp-listen:1935,fork,reuseaddr udp:192.168.0.40:37000
In LAN the conection is fine, but external IPs don't work.
Somebody help?
I don't think socat is the culprit, however consider to use stone instead of socat, because using a fork() for each received packet is a bit weird. Stone is called in your case like this (I think):
stone -n -d -d -d -d 192.168.0.40:37000/udp 1935/udp
Now why external IPs perhaps do not work. Sadly your text does not tell much about your setup, so I have to guess:
It depends on your firewall/modem/router if it is able to forward UDP packets. Usually, if you initiate the UDP requests from the inside, the router will open a NAT connection, which often means, that not only the source IP of the packets change, but the source port as well. As UDP is connectionless, UDP NAT connections usually time out very quickly, say after 5 minutes, if no data is transferred on them.
If the UDP must be opened in the opposite direction (from Internet to Intranet), the router usually discards all the UDP packets coming in from Internet, because it does not know where to forward them to. A router cannot just choose some arbitrary machine, this would be a security hole. So in the "Internet connecting to a machine behind the router" you must open the UDP port on the router and let it forward to the right machine. In that case packets sent from your internal machine will get their source IP and the source port rewritten, the machine on the Internet always will see the packets as coming from your router. So except for the additional rule in the router this case is the same as the outgoing case.
Note that there are several different ways how to make NAT (symmetric, etc.) and several methods on how to open a port on the router (Config, UPnP, etc.) so the ways to poke some holes into it always depends on your hardware capabilities. This all cannot be answered here.
Some other ideas what might go wrong as well:
Some UDP protocols encode IP addresses within the payload. In that case it is not enough just to forward the packets, you must change the payload as well to correct the IP addresses exchanged to enable all machines to talk together. Such UDP protocols are badly designed, anyway, because you never should assume that two arbitrary machines can directly talk with each other, so all good protocols should support easy proxying.
Some ISPs filter certain UDP ports, for arbitrary reason. If you have problems talking from Internet to your DSL, try with two external machines directly connected to different ISPs. If these can talk via UDP check if you can talk from your Intranet to one of the external machines. If this still works, this means, that you can talk backwards as well, as usually UDP is not a directed protocol, but if there is some NAT involved you somehow must make sure that the communication ports stay open.
Mobile Internet plans often do not support P2P. This probably means, those plans do not support Internet at all, as IP, by definition, is P2P. What the ISPs really want to say with "no P2P" is (my guess), that connections from Internet to the mobile device are not supported. In that case you always must initiate a connection from the mobile device, so you cannot use push methods (Internet to Mobile), the mobile device always must pull (data from Internet). Some broadband/cable providers might do the same. Usually you can see this if your ISP hands out an IP in the 10.x.y.z range to you.
There might be another trick how to get the connection working:
Ask your ISP to get some IPv6. Perhaps use 6to4. With IPv6 you eliminate NAT completely, your local LAN then directly interconnects to the Internet on IPv6. Be sure to activate your firewall/iptables on your Intranet host on the IPv6 interface, else you might see Intruders very quickly.
HTH
How can two computers that are on separate networks connect to each other using UDP? I know that you can do this by setting up port forwarding but I services like Xbox Live don't work through that. How is this possible and is there a way to obtain an address to another computer on a separate network?
EDIT
Ok thanks for the help I am using objc so I ended up using asyncsocket and portmapper for doing router configuration.
http://code.google.com/p/cocoaasyncsocket/
http://www.codingmonkeys.de/portmap/
First, obtaining the public IP of a remote computer:
Use dynamic dns.
Make your own protocol and run a server to keep the list of users and IP.
Working out incoming UDP packets:
Use client/server communication instead of peer-to-peer.
Use UPnP protocol (i think xbox does this) to ask your router for a port. Not all routers support or have UPnP enabled.
Use TURN/STUN protocol. This protocol has been designed to bypass UDP nat. This requires an external server, but there are free servers available.
I think there are libraries for UPnP and STUN, but i can't tell you for sure.
LatinSuD are right, STUN is good solution - check out STUN protocol implementation for iOS https://github.com/soulfly/STUN-iOS
I created a vb .net app and basically it connects to the server (my brother's computer at his house) and sends messages. The problem I'm having is, we both have routers. The only way I'v gotten all of this to work, is by both of us connecting ppeo broadband and then our ips work, otherwise the "real ip" is used for all the pcs in my house. How can I connect tcp to him wothout him having to connect broadband. Because to connect broadband he needs to be connected to an ethernet port, so then he cannot be wireless.
Thanks
I don't know what you mean by "connect broadband", but if the computers are not on the same local network, and you have a NAT router in between, you will either have to connect them via a VPN (like Hamachi for example) or configure port forwarding on both sides on the routers.
See: How do you get Java sockets working with public IPs?
Some routers also have "Dynamic Port Forwarding", where if you are using, say port 8084 for your traffic, both your and your brother set your routers to dynamic port forward port 8084.
The router then listens for client computers connecting across port 8084, and when it sees that traffic, it will route traffic across that port to the client computer that first requested it.
Another popular "NAT-traversal" technology is UPnP. See this SO question and associated article for more information on how to use .NET to control UPnP. Again, router hardware must support it and be configured to use UPnP.
Edit: Untested, but you could try also to use and IPv6 tunneling software such as the one from go6 to create a public IP. This is like VPN, but one-sided, and less private.
Rather than router configuration, you could use a VPN. Hamachi is free and easy.