river-dev mailing list archives

From Sim IJskes - QCG <...@qcg.nl>
Subject Re: Firewall traversal
Date Fri, 22 Jul 2011 08:41:49 GMT
On 22-07-11 06:23, Peter Firmstone wrote:

> You're right about allowing for local connection paths for TURN, I
> wonder how we can tell we've got the right local subnet.

Indeed. You need an external identity for your exported endpoint usable 
from the outside, and an internal identity for the inside connections, 
or a symbolic identity that resolves to the internal address or outside 
proxy address. This excludes solutions based on internal address network 
part matching, because 2 NAT islands using the same private-net address 
should be able to communicate with each other.

A UUID-based solution would be a solution where a ServerEndpoint can 
establish identity without first connecting to an identity service on the 
internet. If and only if a ServerEndpoint has internet access, it could 
then register its identity on the same internet server that serves as a 
proxy. If the same channel is used, the registration attempt can also be 
used to determine part or all of the external address.

What this possibly boils down to is a lookup service with a 
replicable database with mappings from UUID to address, with shorter 
TTLs than any DNS service.

Maybe we could build a symbolic address composed of 
{net-uuid,host-uuid}, with a fixed net-uuid for the internet.

Regards, Sim

-- 
QCG, software for SMEs, 071-5890970, http://www.qcg.nl
Quality Consultancy Group b.v., Leiderdorp, Chamber of Commerce (KvK) The Hague: 28088397
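The registry sketched in the message above, as an added example that is not part of the thread and not River code: a lookup table keyed by the symbolic address {net-uuid,host-uuid}, holding an internal address and (once the endpoint has reached the proxy) an external address learned from the source the proxy observed on the registration channel. Resolution is relative to the requester's own net-uuid, so two NAT islands that both use 192.168.1.10 stay distinguishable, and entries expire on a TTL far shorter than DNS. The all-zero UUID standing for the internet, the `FakeClock`, the 30-second TTL and the addresses are assumptions made here for illustration.

```python
import time
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumed convention (not from the thread): the public internet is the fixed
# all-zero net-uuid; every NAT island gets its own random net-uuid.
INTERNET_NET = uuid.UUID(int=0)

SymbolicAddress = Tuple[uuid.UUID, uuid.UUID]  # (net-uuid, host-uuid)


@dataclass
class Mapping:
    internal: str            # address usable inside the endpoint's own NAT island
    external: Optional[str]  # proxy address usable from the outside; None if never registered there
    expires: float           # absolute time after which the mapping is discarded


class FakeClock:
    """Injectable clock so TTL behaviour can be exercised without sleeping."""

    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class UuidRegistry:
    """Replicable UUID -> address table with TTLs shorter than any DNS zone."""

    def __init__(self, ttl: float = 30.0, clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl
        self.clock = clock
        self.entries: Dict[SymbolicAddress, Mapping] = {}

    def register(self, addr: SymbolicAddress, internal: str,
                 observed_from: Optional[str] = None) -> None:
        """Register (or refresh) an endpoint. When the registration arrives
        through the internet proxy, the proxy passes the source address it saw
        on that channel as observed_from; that becomes the external address."""
        now = self.clock()
        old = self.entries.get(addr)
        external = observed_from if observed_from is not None else (old.external if old else None)
        self.entries[addr] = Mapping(internal, external, now + self.ttl)

    def resolve(self, requester_net: uuid.UUID, addr: SymbolicAddress) -> Optional[str]:
        """Symbolic address -> concrete address, relative to the requester's island.
        Returns None for unknown, expired, or unreachable-from-outside endpoints."""
        m = self.entries.get(addr)
        if m is None:
            return None
        if self.clock() >= m.expires:
            del self.entries[addr]  # lazy eviction on the short TTL
            return None
        if requester_net == addr[0]:
            return m.internal       # same NAT island: use the private path directly
        return m.external           # anywhere else: go via the proxy, if one was learned

    def snapshot(self) -> Dict[SymbolicAddress, Mapping]:
        """Live entries, for replication to another registry instance."""
        now = self.clock()
        return {a: m for a, m in self.entries.items() if m.expires > now}

    def merge(self, snapshot: Dict[SymbolicAddress, Mapping]) -> None:
        """Last-writer-wins by expiry time, so stale replicas cannot resurrect old mappings."""
        for a, m in snapshot.items():
            cur = self.entries.get(a)
            if cur is None or m.expires > cur.expires:
                self.entries[a] = m


def demo() -> Dict[str, Optional[str]]:
    """Two NAT islands with the same private address; only island A reaches the proxy."""
    clock = FakeClock()
    reg = UuidRegistry(ttl=30.0, clock=clock)
    net_a, net_b = uuid.uuid4(), uuid.uuid4()
    host_a, host_b = uuid.uuid4(), uuid.uuid4()
    # Constructed addresses: 4160 is the conventional Jini/River lookup port,
    # 203.0.113.5 is a documentation-range address standing in for the proxy.
    reg.register((net_a, host_a), "192.168.1.10:4160", observed_from="203.0.113.5:4160")
    reg.register((net_b, host_b), "192.168.1.10:4160")  # no internet access, never reached proxy
    results = {
        "a_from_a": reg.resolve(net_a, (net_a, host_a)),
        "a_from_b": reg.resolve(net_b, (net_a, host_a)),
        "a_from_internet": reg.resolve(INTERNET_NET, (net_a, host_a)),
        "b_from_a": reg.resolve(net_a, (net_b, host_b)),
    }
    clock.advance(31)  # past the TTL without a refresh
    results["a_after_ttl"] = reg.resolve(net_a, (net_a, host_a))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point worth noticing is that the network part of the private address never enters the decision: island identity is the net-uuid, and the external address is only ever what the proxy itself observed, so an endpoint cannot claim reachability it does not have.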
