NAT-Hole-Punching explained

Christian Decker wrote this in the early morning:
What is the difference between a server and a client? Those of you who have tried to explain this difference to non-technical people will have found it difficult; people always seem to think of servers as something different, huge machines sitting in some air-conditioned room, and they are disappointed when I tell them that even my notebook can be used as a server. For the purpose of this article a server will simply be a computer that offers some services over the network.
So why can’t every client be a server? A basic rule for servers is that they have to be reachable over the network; clients, on the other hand, don’t require this, and most of them aren’t reachable either. The trend is moving away from the classic layout, where a computer was connected directly to the internet using a modem, and towards small home networks using wireless structures that require another layout:
The layout changes
Thus more and more computers on the network become unreachable from the outside. Allowing them to be contacted often requires complex configuration of the NAT (Network Address Translation) device, and sometimes the ordinary user can’t do this. This is deadly for P2P! P2P is another approach to offering services, away from the Client-Server paradigm: in this kind of network every client is at the same time a server, used to distribute the service it is using to other clients (often called peers, since "client" refers to the Client-Server paradigm). P2P is proving stronger than the server model and is having huge success amongst all kinds of companies (no, I’m not only talking about file sharing); it can be used in many different applications and is cheaper than having to buy huge dedicated machines.
Ignoring all those shielded and unreachable peers is a huge waste of resources, and we absolutely have to find a way to deal with this problem.

The solution is NAT-Hole-Punching (also called UDP-Hole-Punching, but it is applicable to TCP/IP as well). It is a way to reach otherwise unreachable hosts with minimal additional effort. All you need is a peer that is reachable by both peers wanting to establish a connection, and that coordinates the connection. But let’s start from the beginning. Routers use a NAT table to decide which packets to drop and which to redirect to a host in their network. When a computer in the network behind a router wants to open a connection to another computer, a SYN packet is sent to the server through the router, and the router registers in its NAT table that all responses from that ip:port combination are to be redirected to the client. Now the problem is if both peers are behind a router:
Connections blocked by Routers

Whether Peer A or Peer B tries to open a connection, it will fail because the other router will drop the unrequested packets. Now the idea is that both peers punch a hole in the NAT of their router (punching is a bit of a hard word for it; they just tell the router that they want the packets to a certain port to be redirected to them). But ports for outgoing connections are assigned randomly by the operating system, so what we do is:
  1. Create a socket as we usually would in our program
  2. Get the port this socket is bound to
  3. Inform a transaction handler what our IP:Port combination is
  4. The transaction handler will tell the foreign host this combination and the same way we get the information from the foreign host
  5. Now that we have all the required information we start sending specifically crafted packets, with the source ip and port we told the transaction handler earlier and, as destination ip and port, the information we got from the transaction handler.
  6. Eventually one of the two routers will have the hole we were looking for, the packets from the other peer will finally reach their destination, and thus the communication has been established.
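The six steps above, as an added simulation that is not part of the original post: two peers, each behind its own router with a NAT table, and a transaction handler reachable by both. It assumes the routers reuse one public port per inner socket regardless of destination but only let a packet back in from an ip:port the inner host has already sent to, and that the transaction handler records the public ip:port a peer’s registration arrives from. All addresses are constructed sample values.

```python
class Packet:
    """A datagram with (ip, port) source and destination and a text payload."""
    def __init__(self, src, dst, payload):
        self.src, self.dst, self.payload = src, dst, payload


class Nat:
    """Home router with a NAT table. Assumption: the same public port is reused for every
    destination (endpoint-independent mapping), but an inbound packet is accepted only if
    the inner host has already sent to that exact remote ip:port (endpoint-dependent
    filtering). Anything else is 'unrequested' and dropped."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.hosts = {}       # inner (ip, port) -> Peer behind this router
        self.mapping = {}     # inner (ip, port) -> public port
        self.reverse = {}     # public port -> inner (ip, port)
        self.allowed = set()  # (public port, remote (ip, port)) pairs with an open hole
        self.dropped = []

    def outbound(self, pkt):
        """Translate an outgoing packet; this is what 'punches the hole'."""
        if pkt.src not in self.mapping:
            self.mapping[pkt.src] = self.next_port
            self.reverse[self.next_port] = pkt.src
            self.next_port += 1
        public_port = self.mapping[pkt.src]
        self.allowed.add((public_port, pkt.dst))
        return Packet((self.public_ip, public_port), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        """Rewrite an incoming packet to the inner host, or drop it as unrequested."""
        public_port = pkt.dst[1]
        if (public_port, pkt.src) not in self.allowed:
            self.dropped.append(pkt)
            return None
        return Packet(pkt.src, self.reverse[public_port], pkt.payload)


class Peer:
    def __init__(self, name, local_addr, nat):
        self.name, self.addr, self.nat = name, local_addr, nat  # steps 1-2: a bound socket
        self.inbox = []
        nat.hosts[local_addr] = self


class TransactionHandler:
    """Publicly reachable coordinator (steps 3-4): remembers the public ip:port each
    peer's registration arrives from, so it can hand it to the other peer."""
    def __init__(self, ip, port):
        self.ip, self.port, self.endpoints = ip, port, {}


class Network:
    """Delivers translated packets by destination ip, to the handler or to a router."""
    def __init__(self, handler, nats):
        self.handler = handler
        self.nats = {n.public_ip: n for n in nats}

    def send(self, peer, dst, payload):
        pkt = peer.nat.outbound(Packet(peer.addr, dst, payload))
        if pkt.dst == (self.handler.ip, self.handler.port):
            self.handler.endpoints[pkt.payload] = pkt.src   # payload carries the peer's name
            return True
        far_nat = self.nats[pkt.dst[0]]
        inner = far_nat.inbound(pkt)
        if inner is None:
            return False                                    # dropped by the far router
        far_nat.hosts[inner.dst].inbox.append(inner.payload)
        return True


def run_hole_punch():
    """Walk through the six steps; addresses are constructed (RFC 5737 documentation ranges)."""
    handler = TransactionHandler("203.0.113.1", 3478)
    nat_a, nat_b = Nat("198.51.100.10"), Nat("198.51.100.20")
    a = Peer("A", ("192.168.1.5", 51000), nat_a)
    b = Peer("B", ("10.0.0.7", 62000), nat_b)
    net = Network(handler, [nat_a, nat_b])

    net.send(a, (handler.ip, handler.port), "A")   # step 3: register; creates A's NAT mapping
    net.send(b, (handler.ip, handler.port), "B")
    a_public, b_public = handler.endpoints["A"], handler.endpoints["B"]  # step 4

    # step 5: both peers fire at the other's public endpoint. A's first packet reaches
    # B's router before B has sent anything, so it is unrequested and dropped, but it
    # has opened A's router for b_public, so B's packet gets through.
    a_first = net.send(a, b_public, "punch from A")
    b_first = net.send(b, a_public, "punch from B")
    # step 6: the hole now exists on both sides; traffic flows in both directions
    a_second = net.send(a, b_public, "hello B")
    return {
        "a_public": a_public, "b_public": b_public,
        "a_first_delivered": a_first, "b_first_delivered": b_first,
        "a_second_delivered": a_second,
        "inbox_a": list(a.inbox), "inbox_b": list(b.inbox),
        "dropped_by_router_b": len(nat_b.dropped),
    }


if __name__ == "__main__":
    for key, value in run_hole_punch().items():
        print(f"{key}: {value}")
```

Two things the run makes visible. The packet dropped at B’s router is dropped precisely because B had not yet sent anything to A’s public endpoint, which is the protection the next paragraphs talk about: nothing gets in without an action from the inside. And the whole scheme depends on the public port the handler saw being the port the router will reuse towards the other peer; a router that allocates a fresh public port per destination (often called a symmetric NAT) hands the transaction handler an endpoint that is useless for step 4, and the punch fails.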
In the entire process the only precondition is that we have a peer that is reachable by both peers and that will act as a transaction handler. This is already given in most layouts, for example a chat where the peers are connected to a central server (MSN could act as a transaction handler too), or a BitTorrent tracker. The load on the transaction handler is minimal and does not affect the performance of the P2P concept, because once the connection is established the peers become completely independent from the transaction handler.

NAT-Hole-Punching does not weaken the protection that a firewall or router gives to its users, since for a communication to be established an action from the inside must be taken to open the connection. It still remains difficult or even impossible to open unrequested connections to the inside!

In this article we focused on routers because they are the most common problem for P2P communication, but the concepts are also applicable to most kinds of middleboxes, as is explained in more detail in the draft at the bottom of this article.

Interesting readings and resources:
Applications that use NAT-Hole-Punching:
  • Skype: A VoIP Service, that relies on the technique for Client-to-Client communication.

25 GiB for free?

Christian Decker wrote this in the early evening:

Ever since Google’s GMail service revolutionized the mail sector, online storage has been becoming cheaper and cheaper. In a matter of sheer days we jumped from a few MiB per mail account to gigabytes, a thousandfold what we had before!

Now Streamload MediaMax is offering 25 gigabytes of online storage for free, with a monthly upload limit of 500 MiB and a file size limit of 25 MiB per file.

It surely would be a nice idea to back up data using online storage, but since there is no tool to do the tedious work for us right now, one would have to upload every single file by hand. It appears logical what the market for MediaMax is, and what audience they are targeting: file sharers.

To support this thesis it’s enough to take a look at the default categories, with names such as Video Share, Photo Share, TV & Movie Locker, Music Locker. It seems obvious that their service may become a big platform for copyright infringement, and it would be interesting to know how they secured themselves.

I personally don’t trust such services, as I would be confiding some of my information to a stranger who may easily make this data accessible to others. And file sharers, please don’t fall for it: it may be nice and fast at the beginning, but they will log every transaction and therefore become a main target for copyright defenders…

Rant to Programmers

Christian Decker wrote this terribly early in the morning:

Today I stumbled across this post by Jonathan from the Hak.5 cast, and I must say he’s got a point!

During my work for the Functional Genomics Center Zurich I came across a lot of these cases where we, the programmers, had to spend whole days reverse engineering and rewriting entire parts, just because the company that gave us the bootstrap for the latest project was unable to deliver functional, or at least well documented, code.

So just jump over to Jonathan’s blog and read the post, it’s definitely worth it.

Reverse engineering a Cocoon Project

Christian Decker wrote this mid-afternoon:
Ok, so here I am. I was told to try to understand how Cocoon works and I think I got it the right way. The next step is actually working with Cocoon… The problem is that I was given a project that is only halfway done, nothing is fixed by now and I really don’t have any idea how the whole stuff works together, but worst of all, I cannot contact the developers and ask them for help. I’m not new to the reverse engineering business, I remember reverse engineering the whole HTTP protocol and the HTTP proxy behaviour by listening to the connection (a long and difficult business if you only use telnet and a listening socket…), but this is worlds away from what I’ve done until now. So here are my tips to successfully reverse engineer a Cocoon application:
  1. Locate and print the sitemap.xmap, this will give you a general idea on how things work together.
  2. Identify the pipelines and try to understand what exactly they do: what are the inputs (generators), what is the output (serializers), and what may be the use of the inner transformations? I’d recommend starting with the simplest pipelines, those piping the input files directly to the output (i.e. images, binary files, …)
  3. Once you have a global overview try to make a picture of the URL-mapping as described in the sitemap, and don’t forget to heavily annotate it, you will be using this all the time from now on :)
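A small helper for steps 1 to 3, added here as an example and not code from the post or from the Cocoon project: it reads a sitemap.xmap, lists each URL pattern with its generator, transformers and serializer (or the reader, for pipelines that copy a file straight through), puts the simplest pipelines first and renders the URL mapping as text to annotate. The sitemap embedded below is a constructed sample in the Cocoon 2 sitemap syntax, not the project’s real file; it only looks at direct children of map:match, so nested matchers would need extending.

```python
import xml.etree.ElementTree as ET

NS = {"map": "http://apache.org/cocoon/sitemap/1.0"}   # Cocoon 2 sitemap namespace

# Constructed sample sitemap.xmap, a stand-in for the real project's file.
SAMPLE_SITEMAP = """<map:sitemap xmlns:map="http://apache.org/cocoon/sitemap/1.0">
  <map:pipelines>
    <map:pipeline>
      <map:match pattern="images/*.png">
        <map:read src="resources/images/{1}.png" mime-type="image/png"/>
      </map:match>
      <map:match pattern="*.html">
        <map:generate type="file" src="content/{1}.xml"/>
        <map:transform type="xslt" src="stylesheets/page2html.xsl"/>
        <map:serialize type="html"/>
      </map:match>
      <map:match pattern="*.pdf">
        <map:generate type="file" src="content/{1}.xml"/>
        <map:transform type="xslt" src="stylesheets/page2fo.xsl"/>
        <map:serialize type="fo2pdf"/>
      </map:match>
    </map:pipeline>
  </map:pipelines>
</map:sitemap>
"""


def local(tag):
    """Strip the namespace from an ElementTree tag such as '{uri}generate'."""
    return tag.rsplit("}", 1)[-1]


def describe_sitemap(xml_text):
    """One entry per map:match: URL pattern, generator (input), transformers (inner
    steps) and serializer (output), or the reader for straight-through pipelines.
    Simplest pipelines are sorted first, as the post recommends starting with them."""
    root = ET.fromstring(xml_text)
    entries = []
    for match in root.iterfind("map:pipelines/map:pipeline/map:match", NS):
        entry = {"pattern": match.get("pattern"), "reader": None,
                 "generator": None, "transformers": [], "serializer": None}
        for step in match:                       # direct children only
            kind = local(step.tag)
            if kind == "read":
                entry["reader"] = step.get("src")
            elif kind == "generate":
                entry["generator"] = (step.get("type"), step.get("src"))
            elif kind == "transform":
                entry["transformers"].append((step.get("type"), step.get("src")))
            elif kind == "serialize":
                entry["serializer"] = step.get("type")
        entry["passthrough"] = entry["reader"] is not None
        entries.append(entry)
    entries.sort(key=lambda e: (not e["passthrough"], len(e["transformers"])))
    return entries


def url_map(entries):
    """Render the URL mapping as text lines, ready to print and annotate."""
    lines = []
    for e in entries:
        if e["passthrough"]:
            lines.append(f"{e['pattern']}  ->  read {e['reader']}")
        else:
            chain = " | ".join(f"{t}:{src}" for t, src in e["transformers"])
            lines.append(f"{e['pattern']}  ->  generate {e['generator'][1]} | "
                         f"{chain} | serialize {e['serializer']}")
    return lines


if __name__ == "__main__":
    for line in url_map(describe_sitemap(SAMPLE_SITEMAP)):
        print(line)
```

To use it on a real project, replace SAMPLE_SITEMAP with the contents of its sitemap.xmap; patterns are listed in sitemap order within each complexity level, which is also the order Cocoon evaluates them in.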
This is it for now (I have to get back to work, my 5 minutes break is over :D) Good luck and let me know if you’ve found an easier way to do things ;)

Being Goth

Christian Decker wrote this in the wee hours:

Last time I was in the X-Tra I was in a pretty melancholic mood and I wrote the following:

We are the scene everyone is afraid of. We are the ones who celebrate death, we are the ones who have no fear of dying. We are the black ones.

We don’t hate, we don’t love. Love is an instinct! We, on the other hand, dedicate a part of our lives to another person. The difference is minimal, yet important. We are aware of our finiteness. Where others promise eternal love, we promise faithfulness!

Well, the translation loses a bit of meaning but I’ll try anyway:

We are those feared by all. We are those who celebrate death, we are those without fear of dying. We are the black ones.

We don’t hate, we don’t love. Love is an instinct! Instead we dedicate a part of our life to another person; the difference is minimal but important. We know about our destiny to die. Where others promise eternal love, we promise faithfulness!

Some say that things written while drunk come from the heart, and are not filtered by the mind. Up to you to judge.