[JDEV] NAT Issues
Charles Forsythe
forsythe at netvoice.net
Sun Dec 17 12:05:37 CST 2000
Michael Brown wrote:
> Has this been covered already? If so, is there a solution?
I've been looking into this issue and I've found three basic approaches:
- Put software on your NAT/Firewall to handle the protocol. BUT:
    Inexperienced users may not know how to do this.
    NAT/Firewall vendors may not support your protocol.
    The NAT/Firewall may not be under your control (ISP or corporate).
- NATs compliant with RFC 2663 can use a UDP hack (see link below). BUT:
    UDP-based transports are a headache.
    UDP traffic has higher priority and can clog your network.
    UDP introduces security issues.
    If multiple peers are behind a given NAT, they each need a unique
    UDP port number (someone has to keep track of this).
- Offer peer-to-peer proxy service to paying customers only.
I'm going with this last option. People can use the P2P functions of my
client for free if they can, but if they want a Quality Of Service
guarantee (we promise you can do P2P even if you're both behind
firewalls), they can help pay for the server capacity to support them.
Anyway, here's a nice little whitepaper on the subject:
http://www.alumni.caltech.edu/~dank/peer-nat.html
This may be a stupid question (I've got a whole two weeks of experience
with Jabber), but how would you use or extend the Jabber protocol to
provide P2P negotiation? Basically, one Jabber presence ("client")
would request a P2P connection to another Jabber presence ("server").
The Jabber "cloud" would first determine whether the "server" presence
is willing or able to support the connection. If it will, then the
Jabber servers will orchestrate the connection mechanism between the
"client" and "server" peers. The options are:
- client to server TCP socket (client may use Socks protocol)
- server to client TCP socket (reverse connection)
- client to server HTTP on port 80 (hack around firewalls)
- client to server TLS on port 443 (better hack around firewalls)
- UDP transport
- client and server connect through proxy server via TCP sockets
  (client and/or server may need to use HTTP tunneling to connect
  to proxy server)
The decision on what method to use depends on:
- what options the peers support
- what options the Jabber servers are allowed to negotiate
  (the proxy server option may not be provided)
Any thoughts?
-- Charles