Summary
- Requirements
  - A UDP-based protocol to augment
  - Direct access to a socket in your program
  - A communication side channel with your peers
  - A couple of STUN servers
  - A network of fallback relays (optional, but highly recommended)
- Steps
  - Enumerate all the ip:ports for your socket on your directly connected interfaces
  - Query STUN servers to discover WAN ip:ports and the “difficulty” of your NAT, if any
  - Try using the port mapping protocols to find more WAN ip:ports
  - Check for NAT64 and discover a WAN ip:port through that as well, if applicable
  - Exchange all those ip:ports with your peer through your side channel, along with some cryptographic keys to secure everything
  - Begin communicating with your peer through fallback relays (optional, for quick connection establishment)
  - Probe all of your peer’s ip:ports for connectivity and, if necessary or desired, also execute birthday attacks to get through harder NATs
  - As you discover connectivity paths that are better than the one you’re currently using, transparently upgrade away from the previous paths
  - If the active path stops working, downgrade as needed to maintain connectivity
  - Make sure everything is encrypted and authenticated end-to-end
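The STUN step above (discovering your WAN ip:port) is the one piece of the procedure with a fixed wire format, so here is a worked version of that exchange. This is an added example, not code from the original article or from any project it describes: it builds an RFC 5389 Binding Request, encodes the server's Binding Success Response (used only to construct sample input so the block runs offline), and parses the reply to recover the reflexive address from XOR-MAPPED-ADDRESS. The constants are RFC 5389's; the WAN address `203.0.113.7:54321` and the `query_stun` helper's socket handling are assumptions of the example. The parser refuses replies whose 96-bit transaction ID does not match the request, which is what keeps an off-path sender from planting a bogus candidate address into your peer list.

```python
"""STUN (RFC 5389) Binding exchange: request, sample response, reflexive address.
Added example for the NAT traversal summary; not the original article's code."""
import os
import socket
import struct
import ipaddress
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442              # RFC 5389 fixed header value
COOKIE_BYTES = struct.pack("!I", MAGIC_COOKIE)
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER_LEN = 20


def build_binding_request(txn_id: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (request_bytes, txn_id). The random 12-byte transaction ID is the
    only thing tying a reply to this request, so it must be unpredictable."""
    txn_id = os.urandom(12) if txn_id is None else txn_id
    if len(txn_id) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id, txn_id


def _xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_binding_response(txn_id: bytes, ip: str, port: int) -> bytes:
    """Server side: encode a Binding Success Response carrying XOR-MAPPED-ADDRESS.
    IPv4 addresses are XORed with the cookie, IPv6 with cookie || transaction ID."""
    addr = ipaddress.ip_address(ip)
    family = 0x01 if addr.version == 4 else 0x02
    mask = COOKIE_BYTES if addr.version == 4 else COOKIE_BYTES + txn_id
    value = struct.pack("!xBH", family, port ^ (MAGIC_COOKIE >> 16)) + _xor_bytes(addr.packed, mask)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr


def _decode_address(value: bytes, xored: bool, txn_id: bytes) -> Tuple[str, int]:
    """Decode a (XOR-)MAPPED-ADDRESS attribute value into (ip, port)."""
    if len(value) < 4:
        raise ValueError("address attribute too short")
    family, port = struct.unpack("!xBH", value[:4])
    addr_len = {0x01: 4, 0x02: 16}.get(family)
    if addr_len is None:
        raise ValueError(f"unknown address family 0x{family:02x}")
    raw = value[4:4 + addr_len]
    if len(raw) != addr_len:
        raise ValueError("truncated address")
    if xored:
        port ^= MAGIC_COOKIE >> 16
        raw = _xor_bytes(raw, COOKIE_BYTES if addr_len == 4 else COOKIE_BYTES + txn_id)
    return str(ipaddress.ip_address(raw)), port


def parse_binding_response(data: bytes, expected_txn_id: bytes) -> Tuple[str, int]:
    """Validate the header and return the WAN (reflexive) ip:port.
    Replies whose transaction ID is not ours are rejected outright."""
    if len(data) < HEADER_LEN:
        raise ValueError("short STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    txn_id = data[8:HEADER_LEN]
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    if txn_id != expected_txn_id:
        raise ValueError("transaction ID mismatch: not a reply to our request")
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type 0x{msg_type:04x}")
    if len(data) != HEADER_LEN + msg_len:
        raise ValueError("length field disagrees with datagram size")
    body, off = data[HEADER_LEN:], 0
    xor_mapped = mapped = None
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            xor_mapped = _decode_address(value, True, txn_id)
        elif atype == ATTR_MAPPED_ADDRESS:
            mapped = _decode_address(value, False, txn_id)
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    # Prefer the XOR form: some NATs rewrite plain IP literals they spot in payloads.
    result = xor_mapped or mapped
    if result is None:
        raise ValueError("no mapped address in response")
    return result


def query_stun(sock: socket.socket, server: Tuple[str, int], timeout: float = 2.0) -> Tuple[str, int]:
    """Send one Binding Request from the caller's own socket (so the mapping is
    for the port the application will really use) and return the WAN ip:port."""
    request, txn_id = build_binding_request()
    sock.settimeout(timeout)
    sock.sendto(request, server)
    data, _ = sock.recvfrom(1500)
    return parse_binding_response(data, txn_id)


if __name__ == "__main__":
    # Offline demo with a constructed server reply instead of a live STUN server.
    _, tid = build_binding_request()
    reply = build_binding_response(tid, "203.0.113.7", 54321)  # constructed WAN mapping
    print(parse_binding_response(reply, tid))
```

In a real client you would call `query_stun` on the same UDP socket you later use for peer traffic, once per STUN server, and compare the returned ip:ports: if different servers (or repeated queries) report different ports for the same local socket, the NAT is of the "hard" kind the summary mentions, and the later probing and relay steps become necessary.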