• Status: Solved

Transfer data between nodes without public IP

Centauri asked:

Hi. We developed a messenger system and want to include file transferring in the system, but in a way that the actual data of the transfer shouldn't go through our server. The server should just connect the 2 parties and let them transfer the data like in a P2P connection. Is it possible? (The problem begins where 2 nodes, which don't have public IPs, try to communicate...)
1 Solution
 
Adrien de Croy commented:

I take it the peers that wish to communicate are both behind different NAT routers, so only know about their private IP addresses.

When you're in this situation, you have the problem that the NAT routers are only going to forward packets on communications they already know about.  This falls into 2 categories:

a) communications initiated on the trusted internal network (i.e. normal outbound comms).
b) communications that match admin-configured rules for inbound connections (i.e. port forwarding).

Other than these 2 cases, the NAT device has no idea what to do with a packet and will drop it.

What this usually means is that unless in your application you can get your users to open up a port in their firewall device for your peer-peer transfers, then there's no solution to the problem other than to have the communications go through some intermediary server, since that's the only way you can get both ends to initiate a connection to something which will be allowed through the firewall.
 
Centauri (author) commented:
The problem is that this is an Internet-wide program, so I don't know much about my users. Opening the firewall is not difficult, but as AdriendeC stated, I know only their private IP (since they don't have a public one). Communications going through an intermediary server would be a solution, but I want to prevent the huge traffic generated by file transfers for my server.
 
Adrien de Croy commented:
Hi

If you don't want the bulk data from a transfer to go through the intermediary, then there are only 2 solutions.

1. open ports in the firewalls (at least one end of each communications link needs to be opened).
2. get public IPs.

Sorry, it's just the nature of how NAT/firewalls work - you can only initiate comms outbound, or accept inbound comms on pre-configured ports.
 
Adrien de Croy commented:
Another way could be if you can use another public server for file transfer. E.g. get a cheap hosting account somewhere to handle the bulk transfers.

Then use your message protocol to send a URL to the other end to download. Client A uploads first to the public server, sends the URL to client B, and client B downloads it.
 
Centauri (author) commented:
I just found out that it is possible... it is called UDP Hole Punching (or TCP Hole Punching), and here is a nice document about it: http://www.bford.info/pub/net/p2pnat/

The thing is that you have to use a Rendezvous Server with a public IP (which is NOT a problem in my case, and I think in many cases).
 
Adrien de Croy commented:
Interesting paper.

Note that it depends on cone-NATs, which according to the paper are prevalent, but with symmetric NATs it won't work, since the NAT will check all of the 4 bits of information (source and dest IP and port), and if it doesn't match a known connection it will be dropped.

There's been a bit of discussion about the relative merits of cone vs symmetric NATs, and some people still perceive a security issue with cone NATs. Having said that, our own NAT product behaves in a secured cone-like fashion for UDP. For TCP though, you come up against the other issue of stateful inspection by firewalls (not covered in that paper), where a NAT knows who sent the first SYN, and if it gets a SYN back (rather than a SYN ACK with matching sequence numbers) in response to a SYN, it drops it, so you can't use the same association to reverse-connect back through.
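To make the NAT behaviour discussed in this thread concrete (the "only known connections are forwarded" rule and port forwarding from the first answer, the rendezvous-server punch from the p2pnat paper, and the cone vs symmetric distinction in the last comment), here is a small Python simulation added as an illustration. It is not code from the thread, from Adrien de Croy's product or from the paper. The NAT model is an assumption: the "cone" NAT here reuses one external port per internal socket and accepts inbound traffic only from endpoints the inside host has already sent to (address/port-restricted cone), while the "symmetric" NAT allocates a fresh external port per destination. All addresses are constructed from documentation ranges and the port allocation scheme is made up for the demo.

```python
"""Simulated UDP hole punching through a rendezvous server (illustrative model)."""
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str


class NAT:
    """Toy NAT router. kind is "cone" (one external port per internal socket,
    inbound allowed from any endpoint already sent to) or "symmetric" (a new
    external port per destination, inbound allowed only from that destination)."""

    def __init__(self, public_ip, kind):
        self.public_ip = public_ip
        self.kind = kind
        self.ports = itertools.count(40000)  # assumed external port allocator
        self.mappings = {}  # mapping key -> external port
        self.inside = {}    # external port -> internal endpoint
        self.allowed = {}   # external port -> permitted remote endpoints (None = anyone)

    def _key(self, internal, remote):
        return internal if self.kind == "cone" else (internal, remote)

    def port_forward(self, ext_port, internal):
        """Admin-configured inbound rule: any remote host may reach ext_port."""
        self.inside[ext_port] = internal
        self.allowed[ext_port] = None

    def outbound(self, pkt):
        """Translate an outbound packet, creating the mapping on first use."""
        key = self._key(pkt.src, pkt.dst)
        ext_port = self.mappings.get(key)
        if ext_port is None:
            ext_port = next(self.ports)
            self.mappings[key] = ext_port
            self.inside[ext_port] = pkt.src
            self.allowed[ext_port] = set()
        self.allowed[ext_port].add(pkt.dst)  # remember who we talked to
        return Packet(Endpoint(self.public_ip, ext_port), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        """Translate an inbound packet, or return None if the NAT drops it."""
        internal = self.inside.get(pkt.dst.port)
        if internal is None:
            return None  # no mapping, no forwarding rule: unknown traffic is dropped
        allowed = self.allowed[pkt.dst.port]
        if allowed is not None and pkt.src not in allowed:
            return None  # mapping exists, but not for this remote endpoint
        return Packet(pkt.src, internal, pkt.payload)


def hole_punch(kind):
    """Run the rendezvous + punch sequence; return (success, per-packet log)."""
    rendezvous = Endpoint("203.0.113.10", 3478)          # public server (constructed)
    nat_a, nat_b = NAT("198.51.100.1", kind), NAT("198.51.100.2", kind)
    a_priv, b_priv = Endpoint("10.0.0.5", 5000), Endpoint("192.168.1.7", 5000)

    # Step 1: both clients register; the server sees their NAT-translated endpoints.
    a_public = nat_a.outbound(Packet(a_priv, rendezvous, "register A")).src
    b_public = nat_b.outbound(Packet(b_priv, rendezvous, "register B")).src

    # Step 2 (implicit): the server tells each client the other's public endpoint.
    log = []

    def send(nat_src, nat_dst, src_priv, dst_public, payload):
        on_wire = nat_src.outbound(Packet(src_priv, dst_public, payload))
        delivered = nat_dst.inbound(on_wire)
        log.append((payload, delivered is not None))
        return delivered

    # Step 3: both sides send to the learned endpoint; the first packet may be lost
    # because the other side has not opened its hole yet, so A sends again.
    send(nat_a, nat_b, a_priv, b_public, "A->B punch")
    send(nat_b, nat_a, b_priv, a_public, "B->A punch")
    return send(nat_a, nat_b, a_priv, b_public, "A->B data") is not None, log


def unsolicited_is_dropped():
    """Category (a) from the thread: nothing outbound yet, so inbound is dropped."""
    nat = NAT("198.51.100.3", "cone")
    stray = Packet(Endpoint("203.0.113.99", 1234), Endpoint(nat.public_ip, 40000), "probe")
    return nat.inbound(stray) is None


def port_forward_is_accepted():
    """Category (b): an admin rule lets a fresh remote endpoint reach the inside host."""
    nat = NAT("198.51.100.3", "cone")
    nat.port_forward(8080, Endpoint("10.0.0.9", 80))
    pkt = Packet(Endpoint("203.0.113.99", 1234), Endpoint(nat.public_ip, 8080), "GET /")
    return nat.inbound(pkt) == Packet(Endpoint("203.0.113.99", 1234), Endpoint("10.0.0.9", 80), "GET /")


if __name__ == "__main__":
    for kind in ("cone", "symmetric"):
        ok, log = hole_punch(kind)
        print(f"{kind}: punch {'succeeded' if ok else 'failed'}; packets: {log}")
```

Under the cone model the first A->B packet is dropped (B has not sent to A yet), B's packet to A gets through, and A's retry then succeeds. Under the symmetric model each side's packet to the peer leaves through a new external port that the other NAT has never seen, so both directions are dropped and the punch fails, which is the failure case the comment above describes. The TCP problem raised in the same comment (a firewall rejecting a second SYN on an association it already tracks) is not modelled here; the simulation is UDP-style state only.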