-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decentralised NAT Relaying #182
Comments
This is primarily used by symmetric NAT architectures. See #152. |
Specced out some additional details for this issue. Task list still requires work. This is scheduled to be post-release. |
As a note on terminology.
|
@emmacasolin this also related for #365. And if we can do #365, then we should be able to do this issue, and just change from signalling to full proxying/relay. |
Renamed this issue to focus on decentralised relaying as the third-option after first direct connection and secondly hole-punch signalling. |
Tailscale's network is quite interesting. We were building some similar in the past few years called Matrix Relay also using wireguard. Now that they have launched, I can see how they address the problem of carrier grade NAT. A test between my home laptop matrix-vostro-5402-1 and the office mac matrix-mac-1 showed that the connection used their sydney DERP relay. Both end points are behind carrier grade NAT. Which means there's a NAT router that's local at each position, and then an additional NAT at the ISP. The fact that even tailscale's network requires using a relay and is not going through a direct or signalled connection means that bidirectional holepunching is simply not sufficient for connections between CGNAT devices. With the growth of mobile networks, and our goal to deploy on mobile phones, we will need to address CGNAT devices, and it's unlikely to see full adoption of IPv6 any time soon in mobile land since CGNAT is "good enough". The DERP concept is explained here https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp. And the code is relatively simple and opensource here: https://tailscale.com/kb/1118/custom-derp-servers/ Basically they use wireguard keys, and HTTP tunneling. The choice of HTTP over TCP was because this protocol is the least likely to be blocked by corporate firewalls. Main difference in our system are:
In our development of decentralised relays, the first problem we must solve is the best way to select a decentralised relay path (this is path finding/optimisation problem). Since our decentralised relays are not stable, this algorithm has to be dynamic/online. Subsequently, our proxy system should then include the ability to alternatively proxy via HTTP/TCP instead of just UDP. How exactly we do that depends on whether we integrate QUIC or not atm in #234. |
Closing in favour of a new issue #713 focusing on a new issue representing a top-level epic issue as a new project path in relation to the project graph. |
Specification
Recall that a network structure that uses symmetric NAT cannot establish a connection between two nodes via hole-punching. For this, we require a relay connection. Suppose we have a keynode
A
that wants to connect to keynodeB
. However,B
is behind a symmetric NAT structure. KeynodeC
is assumed to already have a direct connection toB
:In order for
A
to send a request toB
, it can send this request toC
, to then relay to nodeB
. To implement this, we need some mechanism from theReverseProxy
to theForwardProxy
(as seen in keynodeC
).Currently we will rely on the seed/bootstrap node cluster #194 as the designated nodes to do P2P kademlia seeding, hole punch relaying AND also proxy relaying.
Hole punch relaying is needed to traverse restricted-cone NATs and below. We implemented a bidirectional hole punching protocol, which means this is still needed even in the case of full cone NAT. Although I'm not entirely sure if this is in fact true, and may need to be proven on #159.
Proxy relaying is needed to traverse symmetric NATs.
Relying on our seed/bootstrap keynode cluster is a centralised situation, and doesn't fulfill our promise of decentralisation. Therefore we should be decentralising the relay functionality itself. This means any keynode should be capable of acting as a hole punch relay and/or the proxy relay.
Additional context
Some constraints of this problem is discussed here:
Tasks
The text was updated successfully, but these errors were encountered: