ID: 6828
Fixed in:
Issue Date: 2015-03-18 10:21 AEST
Owner: CVS Support
Last Modified: 2017-06-21 11:30 AEST
Reporter: Arthur Barrett
Current Est.: 0.0 hours
% Complete: 0.0
Status: NEW
Severity: enhancement
Affected: 2.8.01
Description: enh: server/client: punch through firewall (dropbox easier server connections)

Actions:

2015-03-18 10:21 AEST by Arthur Barrett - We want 'dropbox like' easier server connections from the client.
i.e.: I've got a server on my work PC, but no authority to change firewalls/routers etc. to direct internet 2401 traffic to this PC.
This is the same problem that 'back to my mac' solves. This uses a combination of Wide-Area Bonjour and Universal Plug and Play (UPnP) or NAT Port Mapping Protocol (NAT-PMP). It uses UDP port 4500 for point-to-point IPsec connections (which may be mapped to different UDP ports on the public side of a NAT router).
https://en.wikipedia.org/wiki/Back_to_My_Mac
This will be critical for us to get 'average punters' using CVS clients, e.g.: iPhone users.
This is the key to getting people off cloud - realising they can have the ease of cloud without the uncertainty and monthly fees.

2015-03-18 10:22 AEST by Arthur Barrett - If firewalls don't accept incoming connections by default how do p2p networks work?
http://stackoverflow.com/questions/14926807/if-firewalls-dont-accept-incoming-connections-by-default-how-do-p2p-networks-wo
I'm not up on everything about BitTorrent, as I am about general P2P connectivity techniques. Typically clients in a P2P network rendezvous on a common signaling server (e.g. SIP, XMPP, tracking server, web site) to exchange IP addresses, other meta data, and messages to bootstrap direct connections. Then use any of the following techniques below to get a communications session going:
* Both sides attempt to connect to each other simultaneously - in case one side can't accept incoming connections, but is allowed to make outbound connections. Such is the case for the firewall scenario.
* Hole punching (used in conjunction with above). Relays are not required per se, but do help ensure connectivity when both peers are behind network devices that are difficult to traverse. There's both UDP Hole Punching as well as TCP Hole Punching techniques. More info here:
http://en.wikipedia.org/wiki/UDP_hole_punching
http://en.wikipedia.org/wiki/TCP_hole_punching
http://www.bford.info/pub/net/p2pnat/index.html
* Relays, including TURN servers, can be deployed into a P2P network when direct connectivity is not possible. All your favorite video call applications deploy relays for these scenarios, but do their best to get peers directly connected to avoid the cost of relaying.
Bing for the following topics: STUN, TURN, ICE (Interactive Connectivity Establishment), libjingle, pjnath, libnice.

P2P message transfer behind firewalls and NAT
http://stackoverflow.com/questions/21501359/p2p-message-transfer-behind-firewalls-and-nat
I have two java applications running on two different machines in two different parts of the world. The machines can be behind NAT (or not!).
The applications are supposed to transfer some data (<500kb).
We do have a server, which can do everything (like providing ip address of the peers) but the data from the applications must always be transferred peer-to-peer. The data can not be routed through the server.
Do I have to deal with firewall mess?
Do I have to set port forwarding?
Are JXTA or JGroups something that I need? Is UPnP something I need to look into? Is UDP Hole Punching something I should look into?
I know my question is a bit vague, but please don't shoot my question down, I just need a nudge in the right direction. I am going to try and explain better as the comments/answers start coming in!
Answer: Start by studying ICE (RFC 5245) with STUN and TURN. WebRTC is mostly based on these technologies.
Port forwarding is a way to configure your firewall so that your peers effectively communicate as if they are not behind the firewall. This means that you can write your software as if there is no firewall. NAT hole punching is an alternative to manual port forwarding. You can think of it as "automatic port forwarding."
UPnP is one possible NAT traversal strategy:
http://en.wikipedia.org/wiki/Universal_Plug_and_Play#NAT_traversal
Note that UPnP is known to be insecure and probably should not be enabled, see e.g.:
http://www.zdnet.com/how-to-fix-the-upnp-security-holes-7000010584/
My impression is that UPnP is not the most important NAT traversal technique, but it could be a useful one to implement to achieve greater compatibility (i.e. as a fallback if STUN fails).
You will need a NAT traversal strategy. UDP Hole Punching (STUN etc.) is one such strategy, and as selbie says, it is a common one. There are also serverless techniques (look into the mechanism that SubEthaEdit uses).
A full NAT traversal stack may need to employ multiple approaches for maximum compatibility with different routers/firewalls.
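The quoted answers put the rendezvous/STUN step first: before either peer can punch a hole, each has to learn the address:port its own NAT has assigned to it. As an added illustration (example code written for this note, not part of CVSNT and not from the quoted posts), the Python below implements the STUN Binding Request and Binding Success Response wire format from RFC 5389, including the XOR-MAPPED-ADDRESS decode, and validates the reply (magic cookie, transaction ID, length field) before trusting it. It runs offline against a reply constructed inline; the address 203.0.113.7 and port 40000 are constructed sample values standing in for what a real STUN server would report.

```python
import os
import socket
import struct

# STUN constants from RFC 5389
STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """Build a 20-byte STUN Binding Request (header only, no attributes)."""
    if transaction_id is None:
        transaction_id = os.urandom(12)  # fresh random ID; the reply must echo it
    if len(transaction_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + transaction_id


def _xor_key(family, transaction_id):
    # IPv4 is XORed with the magic cookie, IPv6 with cookie || transaction ID
    key = struct.pack("!I", STUN_MAGIC_COOKIE)
    return key if family == 0x01 else key + transaction_id


def encode_xor_mapped_address(ip, port, transaction_id):
    """Encode XOR-MAPPED-ADDRESS the way a STUN server does (used here to construct a sample reply)."""
    try:
        raw, family = socket.inet_pton(socket.AF_INET, ip), 0x01
    except OSError:
        raw, family = socket.inet_pton(socket.AF_INET6, ip), 0x02
    xaddr = bytes(a ^ b for a, b in zip(raw, _xor_key(family, transaction_id)))
    value = struct.pack("!BBH", 0, family, port ^ (STUN_MAGIC_COOKIE >> 16)) + xaddr
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value


def build_binding_response(transaction_id, ip, port):
    """Constructed Binding Success Response, standing in for a real STUN server's answer."""
    attr = encode_xor_mapped_address(ip, port, transaction_id)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE) + transaction_id + attr


def _decode_address(value, transaction_id, xored):
    family = value[1]
    if family not in (0x01, 0x02):
        raise ValueError("unknown address family %#x" % family)
    port = struct.unpack("!H", value[2:4])[0]
    af = socket.AF_INET if family == 0x01 else socket.AF_INET6
    addr = value[4:8] if family == 0x01 else value[4:20]
    if xored:
        port ^= STUN_MAGIC_COOKIE >> 16
        addr = bytes(a ^ b for a, b in zip(addr, _xor_key(family, transaction_id)))
    return socket.inet_ntop(af, addr), port


def parse_binding_response(data, expected_tid):
    """Return the server-reflexive (public) address:port, validating the reply first."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    tid = data[8:20]
    if cookie != STUN_MAGIC_COOKIE or tid != expected_tid:
        raise ValueError("not a reply to our request (cookie or transaction ID mismatch)")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("not a Binding Success Response: %#06x" % msg_type)
    if len(data) != 20 + msg_len:
        raise ValueError("length field does not match datagram size")
    attrs, pos, fallback = data[20:], 0, None
    while pos + 4 <= len(attrs):
        atype, alen = struct.unpack("!HH", attrs[pos:pos + 4])
        value = attrs[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 32-bit boundaries
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            return _decode_address(value, tid, xored=True)
        if atype == ATTR_MAPPED_ADDRESS:
            fallback = _decode_address(value, tid, xored=False)  # pre-RFC 5389 servers
    if fallback is None:
        raise ValueError("no mapped address in response")
    return fallback


def demo():
    """Offline round trip: build a request, answer it as a constructed server would, decode the answer."""
    tid = os.urandom(12)
    build_binding_request(tid)  # this is what a client sends over UDP to the STUN server
    reply = build_binding_response(tid, "203.0.113.7", 40000)  # constructed public mapping
    return parse_binding_response(reply, tid)


if __name__ == "__main__":
    print("public address as seen by the STUN server:", demo())
```

In a real client the request goes out over the same UDP socket that will later carry peer traffic, because the mapping the server reports belongs to that socket's source port; the transaction-ID and cookie checks are what stop a stray or forged datagram from being accepted as the answer.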
2015-03-18 10:23 AEST by Arthur Barrett - Created an attachment (id=2752)
Internet Engineering Task Force (IETF) Request for Comments: 6281

2015-03-18 10:23 AEST by Arthur Barrett - Created an attachment (id=2753)
Internet Engineering Task Force (IETF) Request for Comments: 6281 (text format)

2015-03-18 10:24 AEST by Arthur Barrett - Created an attachment (id=2754)
Back to My Mac: Apple's Internet mashup

2015-03-18 11:40 AEST by Arthur Barrett - Created an attachment (id=2755)
Dyn Standard DNS : Bonjour and DNS Service Discovery
CVSNT has included Bonjour and Wide Area Bonjour support for many years. Both are demonstrated in WorkspaceManager (CVS Suite Studio) - local servers 'automatically' appear, and 'public' servers like TortoiseCVS, WinCVS and CVSNT are also displayed.
The wide area Bonjour support in CVSNT is barely documented.
Several years ago I moved the DNS for the wide area Bonjour to Dyn for hosting. It appears that Dyn also have 'experimental' support for wide area Bonjour - but "You must use Dyn Standard DNS with your own domain name for this to work properly.":
https://help.dyn.com/bonjour-and-dns-discovery/
That appears to be exactly the service we have:
cvsnt.org Dyn Standard DNS Service, active
For management see here:
https://account.dyn.com/dns/dyn-standard-dns/cvsnt.org
We can see from the stats that quite a lot of people are using CVS Suite Studio: in 2015-01 there were 279,000 queries.
It would be good to set up the Dyn Standard DNS Zone for updates and then test/create a way for CVSNT Server to automatically/dynamically update the DNS server using the DNS Update [RFC 2136] protocol combined with TSIG security [RFC 2845] as described in the attached article. The 'cvs.cvsnt.org' server could then automagically update its own wide area Bonjour (using the TSIG key - so customers could be prevented from creating their own records, until we want to allow them to).
https://account.dyn.com/profile/tsig.html
We'll need a 'TSIG key' setting in /etc/cvsnt/PServer
Note: While local Bonjour and Wide Area Bonjour with BIND currently support uppercase, lowercase, and arbitrary UTF-8 encoded characters for their instance names, the current Dyn implementation does not. Only lowercase ASCII characters, numerals, and hyphens are allowed. For instance, if you advertise an HTTP service instance named “My Personal Web Site” with Dyn Standard DNS and Wide Area Bonjour, users will discover this as “my-personal-web-site”.

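The plan in the comment above (DNS Update per RFC 2136, signed with TSIG per RFC 2845, instance names folded to Dyn's lowercase/digit/hyphen alphabet) can be shown end to end. The following is an added example written for this note, not CVSNT code and not Dyn's implementation: it builds an UPDATE that adds the DNS-SD PTR and SRV records advertising one service instance, appends a TSIG RR, and verifies the signature the way a receiving server would. Everything below is constructed for the example and is not taken from the issue: the service type _cvspserver._tcp (assumed from the IANA service name for port 2401), the key name cvs-updater.cvsnt.org, the host my-work-pc.cvsnt.org, the secret, the message ID, and the choice of hmac-sha256 (RFC 4635) in place of RFC 2845's original hmac-md5.sig-alg.reg.int.

```python
import hashlib
import hmac
import re
import struct
import time

TYPE_SOA, TYPE_PTR, TYPE_SRV, TYPE_TSIG = 6, 12, 33, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
TSIG_ALGORITHM = "hmac-sha256"  # RFC 4635 name; RFC 2845 itself mandates hmac-md5.sig-alg.reg.int
EXAMPLE_SECRET = b"constructed-example-secret-not-a-real-tsig-key"  # constructed, not a Dyn key

def dyn_instance_name(name):
    """Fold a Bonjour instance name onto Dyn's alphabet; collapsing other runs to one hyphen is this example's assumption."""
    mapped = re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")
    if not mapped:
        raise ValueError("instance name %r has no characters Dyn accepts" % name)
    return mapped

def encode_name(name):
    """Domain name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(data, pos):
    """Inverse of encode_name; messages built here never use compression pointers."""
    labels = []
    while data[pos] != 0:
        if data[pos] >= 0xC0:
            raise ValueError("compressed names not supported in this example")
        labels.append(data[pos + 1:pos + 1 + data[pos]].decode("ascii"))
        pos += 1 + data[pos]
    return ".".join(labels), pos + 1

def rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_dnssd_update(zone, service, instance, host, port, ttl=300, msg_id=0x1234):
    """RFC 2136 UPDATE adding the DNS-SD PTR and SRV records that advertise one service instance."""
    service_name = "%s.%s" % (service, zone)  # e.g. _cvspserver._tcp.cvsnt.org
    instance_name = "%s.%s" % (dyn_instance_name(instance), service_name)
    updates = [rr(service_name, TYPE_PTR, CLASS_IN, ttl, encode_name(instance_name)),
               rr(instance_name, TYPE_SRV, CLASS_IN, ttl, struct.pack("!HHH", 0, 0, port) + encode_name(host))]
    # header: ID, flags carrying opcode UPDATE, ZOCOUNT=1, PRCOUNT=0, UPCOUNT, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(updates), 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + b"".join(updates)

def _pack48(value):
    return struct.pack("!HI", value >> 32, value & 0xFFFFFFFF)

def _tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' that RFC 2845 section 3.4.2 appends to the message before hashing."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(TSIG_ALGORITHM)
            + _pack48(time_signed) + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(message, key_name, secret, time_signed=None, fudge=300):
    """Append a TSIG RR to an unsigned DNS message and bump ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, message + _tsig_variables(key_name, time_signed, fudge), hashlib.sha256).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(TSIG_ALGORITHM) + _pack48(time_signed) + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", original_id, 0, 0))
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata)

def tsig_verify(signed, secret, now=None):
    """Server-side check: True only if the MAC recomputes and the timestamp is inside the fudge window."""
    _, _, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", signed[:12])
    pos = 12
    for _ in range(zocount):
        pos = read_name(signed, pos)[1] + 4  # zone name + type + class
    for _ in range(prcount + upcount + adcount - 1):  # skip every RR except the trailing TSIG
        pos = read_name(signed, pos)[1]
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, pos = read_name(signed, pos)
    rtype, rclass = struct.unpack("!HH", signed[pos:pos + 4])
    alg, pos = read_name(signed, pos + 10)
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", signed[pos:pos + 10])
    mac, pos = signed[pos + 10:pos + 10 + mac_size], pos + 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + other_len]
    if rtype != TYPE_TSIG or rclass != CLASS_ANY or alg.lower() != TSIG_ALGORITHM:
        return False
    # rebuild the message exactly as it was hashed: original ID, ARCOUNT not counting the TSIG RR
    unsigned = struct.pack("!H", original_id) + signed[2:10] + struct.pack("!H", adcount - 1) + signed[12:tsig_start]
    time_signed = (hi << 32) | lo
    expected = hmac.new(secret, unsigned + _tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False
    now = int(time.time()) if now is None else now
    return abs(now - time_signed) <= fudge

def demo(now=1_500_000_100):
    """Sign an update for a constructed CVS server, then verify it and a tampered copy."""
    update = build_dnssd_update("cvsnt.org", "_cvspserver._tcp", "My Work PC", "my-work-pc.cvsnt.org", 2401)
    signed = tsig_sign(update, "cvs-updater.cvsnt.org", EXAMPLE_SECRET, time_signed=1_500_000_000)
    tampered = bytearray(signed)
    tampered[13] ^= 0x01  # flip one bit inside the zone name; the message still parses
    return signed, tsig_verify(signed, EXAMPLE_SECRET, now), tsig_verify(bytes(tampered), EXAMPLE_SECRET, now)
```

The verify side is where the intent stated in the comment (only holders of the TSIG key may create records) is actually enforced: a server rejects a message whose MAC does not recompute, whose signed time falls outside the fudge window, or whose key or algorithm name is not the one it expects. The time window is what limits replay of a captured update, so the updating server's clock needs to be roughly right, and the secret placed in /etc/cvsnt/PServer needs the same file protection as any other credential.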
2017-06-21 11:30 AEST by Arthur Barrett - Note: more on the security problems of UPnP:
https://www.theregister.co.uk/2017/06/19/pinkslipbot_returns_withupnp_malware_attack/