Roger Dingledine:
On Thu, Dec 13, 2012 at 06:38:03PM +0000, adrelanos wrote:
Have you considered Hole punching techniques? [1] TCP, UDP, ICMP hole punching... There are many techniques. I don't know if the WebSocket protocol would prevent it.
STUN [2] like techniques where a third non-firewalled server helps to traverse the NAT. (Only NAT, not used as a proxy.)
pwnat [3] also looks interesting. It doesn't need a third server and lets two NAT'ed machines connect with each other.
Better nat punching is on the 'future research' list.
The main challenge is that if you're trying to provide a circumvention system, then relying on a "reliably reachable third party" is exactly what you can't do.
I agree, the report you linked below gives indeed good reasons against.
Whether these various "look, no hands" punching tools and tricks can be done using only websockets on the remote side is a great question for somebody to answer.
I copied the relevant parts about pwnat from the report you linked below and tried to rephrase it to talk only about pwnat.
We consider pwnat to be out of scope at this time because it requires specialized client software to access services offered behind a NAT device. The technique implemented by pwnat is much more attractive. It is generally friendly to privacy and does not rely on NAT router configuration.
Is "requires specialized client software" really a blocker? UPnP and NAT-PMP are also "requires specialized third party libraries".
See also Jake's NAT investigation tech report at http://research.torproject.org/techreports.html
Great reading!