📄 draft-ford-midcom-p2p-01.txt
字号:
Internet Draft B. FordDocument: draft-ford-midcom-p2p-01.txt M.I.T.Expires: April 27, 2004 P. Srisuresh Caymas Systems D. Kegel kegel.com October 2003 Peer-to-Peer (P2P) communication across middleboxesStatus of this Memo This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Distribution of this document is unlimited.Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved.Abstract This memo documents the methods used by the current peer-to-peer (P2P) applications to communicate in the presence of middleboxes such as firewalls and network address translators (NAT). In addition, the memo suggests guidelines to application designers and middlebox implementers on the measures they could take to enable immediate, wide deployment of P2P applications with or without requiring the use of special proxy, relay or midcom protocols. Ford, Srisuresh & Kegel [Page 1]
Internet-Draft P2P applications across middleboxes October 2003Table of Contents 1. Introduction ................................................. 2. Terminology .................................................. 3. Techniques for P2P communication over middleboxes ............ 3.1. Relaying ............................................... 3.2. Connection reversal .................................... 3.3. UDP Hole Punching ...................................... 3.3.1. Peers behind different NATs .................. 3.3.2. Peers behind the same NAT .................... 3.3.3. Peers separated by multiple NATs ............... 3.3.4. Consistent port bindings ....................... 3.4. UDP Port number prediction ............................. 3.5. Simultaneous TCP open .................................. 4. Application design guidelines ................................ 4.1. What works with P2P middleboxes ......................... 4.2. Applications behind the same NAT ........................ 4.3. Peer discovery .......................................... 4.4. TCP P2P applications .................................... 4.5. Use of midcom protocol .................................. 5. NAT design guidelines ........................................ 5.1. Deprecate the use of symmetric NATs ..................... 5.2. Add incremental Cone-NAT support to symmetric NAT devices 5.3. Maintaining consistent port bindings for UDP ports ..... 5.3.1. Preserving Port Numbers ........................ 5.4. Maintaining consistent port bindings for TCP ports ..... 5.5. Large timeout for P2P applications ...................... 6. Security considerations ......................................1. Introduction Present-day Internet has seen ubiquitous deployment of "middleboxes" such as network address translators(NAT), driven primarily by the ongoing depletion of the IPv4 address space. The asymmetric addressing and connectivity regimes established by these middleboxes, however, have created unique problems for peer-to-peer (P2P) applications and protocols, such as teleconferencing and multiplayer on-line gaming. These issues are likely to persist even into the IPv6 world, where NAT is often used as an IPv4 compatibility mechanism [NAT-PT], and firewalls will still be commonplace even after NAT is no longer required. Currently deployed middleboxes are designed primarily around the client/server paradigm, in which relatively anonymous client machines actively initiate connections to well-connected servers having stable IP addresses and DNS names. Most middleboxes implement an asymmetricFord, Srisuresh & Kegel [Page 2]
Internet-Draft P2P applications across middleboxes October 2003 communication model in which hosts on the private internal network can initiate outgoing connections to hosts on the public network, but external hosts cannot initiate connections to internal hosts except as specifically configured by the middlebox's administrator. In the common case of NAPT, a client on the internal network does not have a unique IP address on the public Internet, but instead must share a single public IP address, managed by the NAPT, with other hosts on the same private network. The anonymity and inaccessibility of the internal hosts behind a middlebox is not a problem for client software such as web browsers, which only need to initiate outgoing connections. This inaccessibility is sometimes seen as a privacy benefit. In the peer-to-peer paradigm, however, Internet hosts that would normally be considered "clients" need to establish communication sessions directly with each other. The initiator and the responder might lie behind different middleboxes with neither endpoint having any permanent IP address or other form of public network presence. A common on-line gaming architecture, for example, is for the participating application hosts to contact a well-known server for initialization and administration purposes. Subsequent to this, the hosts establish direct connections with each other for fast and efficient propagation of updates during game play. Similarly, a file sharing application might contact a well-known server for resource discovery or searching, but establish direct connections with peer hosts for data transfer. Middleboxes create problems for peer-to-peer connections because hosts behind a middlebox normally have no permanently usable public ports on the Internet to which incoming TCP or UDP connections from other peers can be directed. RFC 3235 [NAT-APPL] briefly addresses this issue, but does not offer any general solutions. In this document we address the P2P/middlebox problem in two ways. First, we summarize known methods by which P2P applications can work around the presence of middleboxes. Second, we provide a set of application design guidelines based on these practices to make P2P applications operate more robustly over currently-deployed middleboxes. Further, we provide design guidelines for future middleboxes to allow them to support P2P applications more effectively. Our focus is to enable immediate and wide deployment of P2P applications requiring to traverse middleboxes.2. TerminologyIn this section we first summarize some middlebox terms. We focus hereon the two kinds of middleboxes that commonly cause problems for P2Papplications.Ford, Srisuresh & Kegel [Page 3]
Internet-Draft P2P applications across middleboxes October 2003 Firewall A firewall restricts communication between a private internal network and the public Internet, typically by dropping packets that are deemed unauthorized. A firewall examines but does not modify the IP address and TCP/UDP port information in packets crossing the boundary. Network Address Translator (NAT) A network address translator not only examines but also modifies the header information in packets flowing across the boundary, allowing many hosts behind the NAT to share the use of a smaller number of public IP addresses (often one). Network address translators in turn have two main varieties: Basic NAT A Basic NAT maps an internal host's private IP address to a public IP address without changing the TCP/UDP port numbers in packets crossing the boundary. Basic NAT is generally only useful when the NAT has a pool of public IP addresses from which to make address bindings on behalf of internal hosts. Network Address/Port Translator (NAPT) By far the most common, a Network Address/Port Translator examines and modifies both the IP address and the TCP/UDP port number fields of packets crossing the boundary, allowing multiple internal hosts to share a single public IP address simultaneously. Refer to [NAT-TRAD] and [NAT-TERM] for more general information on NAT taxonomy and terminology. Additional terms that further classify NAPT are defined in more recent work [STUN]. When an internal host opens an outgoing TCP or UDP session through a network address/port translator, the NAPT assigns the session a public IP address and port number so that subsequent response packets from the external endpoint can be received by the NAPT, translated, and forwarded to the internal host. The effect is that the NAPT establishes a port binding between (private IP address, private port number) and (public IP address, public port number). The port binding defines the address translation the NAPT will perform for the duration of the session. An issue of relevance to P2P applications is how the NAT behaves when an internal host initiates multiple simultaneous sessions from a single (private IP, private port) pair to multiple distinct endpoints on the external network. Cone NAT After establishing a port binding between a (private IP, private port) tuple and a (public IP, public port) tuple, a cone NAT will re-use this port binding for subsequent sessions theFord, Srisuresh & Kegel [Page 4]
Internet-Draft P2P applications across middleboxes October 2003 application may initiate from the same private IP address and port number, for as long as at least one session using the port binding remains active. For example, suppose Client A in the diagram below initiates two simultaneous outgoing sessions through a cone NAT, from the same internal endpoint (10.0.0.1:1234) to two different external servers, S1 and S2. The cone NAT assigns just one public endpoint tuple, 155.99.25.11:62000, to both of these sessions, ensuring that the "identity" of the client's port is maintained across address translation. Since Basic NATs and firewalls do not modify port numbers as packets flow across the middlebox, these types of middleboxes can be viewed as a degenerate form of Cone NAT. Server S1 Server S2 18.181.0.31:1235 138.76.29.7:1235 | | | | +----------------------+----------------------+ | ^ Session 1 (A-S1) ^ | ^ Session 2 (A-S2) ^ | 18.181.0.31:1235 | | | 138.76.29.7:1235 | v 155.99.25.11:62000 v | v 155.99.25.11:62000 v | Cone NAT 155.99.25.11 | ^ Session 1 (A-S1) ^ | ^ Session 2 (A-S2) ^ | 18.181.0.31:1235 | | | 138.76.29.7:1235 | v 10.0.0.1:1234 v | v 10.0.0.1:1234 v | Client A 10.0.0.1:1234Ford, Srisuresh & Kegel [Page 5]
Internet-Draft P2P applications across middleboxes October 2003⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -