someguydave
How do you solve the problem of penetrating NATs and firewalls without relying on a central coordination server?

saurik
If I understand your question correctly, and you are looking at "how do we do hole punching and NAT traversal without a way to get your canonical external IP address", in addition to techniques that don't require that kind of functionality (such as modern routers with UPnP port forwarding support), other nodes on the network can run something analogous to ICE servers (we have yet to decide if it should literally be STUN or if we need to integrate it into the security model), so all you will need is the address and public key of another node (which you will need anyway in order to connect to the network).
someguydave OP
>so all you will need is the address and public key of another node (which you will need anyway in order to connect to the network).

But this begs the question. How does the user get the public key and address of a node without connecting to a public directory? How does he know he's connecting to something trustworthy?

saurik
Oh, I'm sorry: because I have been living and breathing this for months, it is very easy for me to assume context :(. Once you connect to the network, you are able to judge the size of the network to know you aren't on a fake network (this is a scenario similar to judging the size of the longest chain of Bitcoin blocks) and you are able to verify signatures of routing table entries (which have been built up as the network was formed by nodes verifying reachability properties of other nodes), which itself is more trustworthy due to proof-of-work and "cryptographic puzzles" which are used to make the cost of sybil and eclipse attacks prohibitively high.

Given that context, you really just need the address of any node, not the address of a particularly "trustworthy" node, so you can get one from a friend's client or from a random website. We have discussed some alternatives, such as being able to put out a bounty on an existing peer-to-peer cryptocurrency blockchain (one which would have to not itself be fully blocked for you, of course). We also have been getting interest from some people in academia who have a number of other techniques, which again are mostly viable because of the background that "what if we can provide enough mitigations in the network itself and use what has been learned from blockchains to mean you don't need to find a trustworthy node".
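
The signed, puzzle-gated routing entries saurik describes above, as an added example that is not Orchid's code or saurik's design: it uses the S/Kademlia construction (a static puzzle on the hash of the public key that makes minting an identity cost CPU, and a dynamic puzzle solved per entry) together with Ed25519 from Go's standard library. The puzzle difficulties, the entry layout, and the sample addresses (from the TEST-NET documentation ranges) are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Assumed difficulties, kept tiny so the demo runs instantly. A real network raises
// them until minting one identity costs seconds to minutes of CPU, which is what
// makes a sybil or eclipse attack expensive.
const (
	staticBits  = 4 // leading zero bits required of H(H(pubkey))
	dynamicBits = 8 // leading zero bits required of H(nodeID XOR nonce)
)

func leadingZeroBits(d [32]byte) int {
	n := 0
	for _, b := range d {
		if b != 0 {
			return n + bits.LeadingZeros8(b)
		}
		n += 8
	}
	return n
}

// NodeID is derived from the key, so a node cannot pick its position in the table.
func NodeID(pub ed25519.PublicKey) [32]byte { return sha256.Sum256(pub) }

// StaticPuzzleOK: H(nodeID) must begin with staticBits zero bits. The only way to
// satisfy it is to generate keypairs until one happens to qualify.
func StaticPuzzleOK(pub ed25519.PublicKey) bool {
	id := NodeID(pub)
	return leadingZeroBits(sha256.Sum256(id[:])) >= staticBits
}

// MintIdentity loops over fresh keypairs until the static puzzle passes and reports
// how many it took: the price of one identity at this difficulty.
func MintIdentity() (ed25519.PublicKey, ed25519.PrivateKey, int) {
	for attempts := 1; ; attempts++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		if StaticPuzzleOK(pub) {
			return pub, priv, attempts
		}
	}
}

// dynamicDigest XORs the nonce into the last 8 bytes of the node ID and hashes it.
func dynamicDigest(id [32]byte, nonce uint64) [32]byte {
	in := id
	var nb [8]byte
	binary.BigEndian.PutUint64(nb[:], nonce)
	for i := range nb {
		in[24+i] ^= nb[i]
	}
	return sha256.Sum256(in[:])
}

func DynamicPuzzleOK(id [32]byte, nonce uint64) bool {
	return leadingZeroBits(dynamicDigest(id, nonce)) >= dynamicBits
}

func SolveDynamicPuzzle(id [32]byte) uint64 {
	for x := uint64(0); ; x++ {
		if DynamicPuzzleOK(id, x) {
			return x
		}
	}
}

// RoutingEntry is what one node hands another about a third node: "this key is
// reachable at this address", signed by the key itself.
type RoutingEntry struct {
	Pub   ed25519.PublicKey
	Addr  string
	Nonce uint64
	Sig   []byte
}

// entryBytes is the signed message: fixed-width key and nonce, then the address.
func entryBytes(pub ed25519.PublicKey, addr string, nonce uint64) []byte {
	var b bytes.Buffer
	b.Write(pub)
	binary.Write(&b, binary.BigEndian, nonce)
	b.WriteString(addr)
	return b.Bytes()
}

func SignEntry(pub ed25519.PublicKey, priv ed25519.PrivateKey, addr string) RoutingEntry {
	nonce := SolveDynamicPuzzle(NodeID(pub))
	return RoutingEntry{pub, addr, nonce, ed25519.Sign(priv, entryBytes(pub, addr, nonce))}
}

// VerifyEntry is what a receiving node runs before admitting an entry to its table.
func VerifyEntry(e RoutingEntry) error {
	if len(e.Pub) != ed25519.PublicKeySize {
		return fmt.Errorf("bad key length")
	}
	if !StaticPuzzleOK(e.Pub) {
		return fmt.Errorf("static puzzle failed: identity was minted for free")
	}
	if !DynamicPuzzleOK(NodeID(e.Pub), e.Nonce) {
		return fmt.Errorf("dynamic puzzle failed")
	}
	if !ed25519.Verify(e.Pub, entryBytes(e.Pub, e.Addr, e.Nonce), e.Sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	pub, priv, attempts := MintIdentity()
	e := SignEntry(pub, priv, "198.51.100.23:4000") // constructed sample address
	fmt.Printf("identity after %d keypairs, nonce %d, verify: %v\n", attempts, e.Nonce, VerifyEntry(e))
	e.Addr = "203.0.113.9:4000" // a relay rewriting the address breaks the signature
	fmt.Println("tampered entry:", VerifyEntry(e))
}
```

The check order matters in practice: the two puzzle checks are cheap hashes, so a flood of entries from unminted keys is rejected before any signature verification is spent on it.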

caust1c
Do you have a reference implementation of using WebRTC as a networking layer?

As far as I've researched, I've not seen anything which would enable reliable NAT traversal which wouldn't also make the network traffic trivially identifiable.

STUN works only for certain types of NAT and requires servers which aren't behind NAT. TURN is an external proxy, so can easily be identified by monitors of the network.

The concept of Orchid seems nice but the actual implementation seems very hand-wavy.
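
caust1c's point that STUN traffic is easy to pick out, as an added example that is not from the thread or from any Orchid code: a minimal RFC 5389 Binding Request and Binding Success Response encoder and parser in Go, with the XOR-MAPPED-ADDRESS decoding a client does to learn its reflexive address. The fixed magic cookie at offset 4 is exactly the fingerprint a monitor can apply to every UDP payload, which `LooksLikeSTUN` does here. The transaction ID and the address 203.0.113.7:54321 are constructed sample values; the example handles IPv4 only.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const (
	stunMagicCookie    = 0x2112A442 // fixed by RFC 5389; present in every message
	stunBindingRequest = 0x0001
	stunBindingSuccess = 0x0101
	attrXorMappedAddr  = 0x0020
	stunHeaderLen      = 20
)

func putHeader(msgType uint16, bodyLen int, txID [12]byte) []byte {
	h := make([]byte, stunHeaderLen, stunHeaderLen+bodyLen)
	binary.BigEndian.PutUint16(h[0:], msgType)
	binary.BigEndian.PutUint16(h[2:], uint16(bodyLen))
	binary.BigEndian.PutUint32(h[4:], stunMagicCookie)
	copy(h[8:], txID[:])
	return h
}

// BuildBindingRequest is what a client behind NAT sends to a STUN server.
func BuildBindingRequest(txID [12]byte) []byte { return putHeader(stunBindingRequest, 0, txID) }

// EncodeBindingSuccess is the server's reply: the source address it observed,
// XORed with the cookie so that ALGs rewriting plain IP literals do not mangle it.
func EncodeBindingSuccess(txID [12]byte, ip net.IP, port uint16) ([]byte, error) {
	v4 := ip.To4()
	if v4 == nil {
		return nil, errors.New("IPv4 only in this example")
	}
	attr := make([]byte, 12)
	binary.BigEndian.PutUint16(attr[0:], attrXorMappedAddr)
	binary.BigEndian.PutUint16(attr[2:], 8)
	attr[5] = 0x01 // family IPv4; attr[4] is reserved
	binary.BigEndian.PutUint16(attr[6:], port^uint16(stunMagicCookie>>16))
	binary.BigEndian.PutUint32(attr[8:], binary.BigEndian.Uint32(v4)^stunMagicCookie)
	return append(putHeader(stunBindingSuccess, len(attr), txID), attr...), nil
}

// LooksLikeSTUN is the passive fingerprint: top two bits zero, the magic cookie at
// offset 4, and a body length that is a multiple of 4 and matches the datagram.
func LooksLikeSTUN(pkt []byte) bool {
	if len(pkt) < stunHeaderLen || pkt[0]&0xC0 != 0 {
		return false
	}
	if binary.BigEndian.Uint32(pkt[4:]) != stunMagicCookie {
		return false
	}
	l := int(binary.BigEndian.Uint16(pkt[2:]))
	return l%4 == 0 && len(pkt) == stunHeaderLen+l
}

// ParseBindingSuccess checks the transaction ID against the request we sent and
// recovers the reflexive address from XOR-MAPPED-ADDRESS.
func ParseBindingSuccess(pkt []byte, txID [12]byte) (net.IP, uint16, error) {
	if !LooksLikeSTUN(pkt) {
		return nil, 0, errors.New("not a STUN message")
	}
	if binary.BigEndian.Uint16(pkt[0:]) != stunBindingSuccess {
		return nil, 0, errors.New("not a Binding success response")
	}
	if !bytes.Equal(pkt[8:20], txID[:]) {
		return nil, 0, errors.New("transaction ID mismatch (stale or spoofed reply)")
	}
	for off := stunHeaderLen; off+4 <= len(pkt); {
		typ := binary.BigEndian.Uint16(pkt[off:])
		l := int(binary.BigEndian.Uint16(pkt[off+2:]))
		if off+4+l > len(pkt) {
			return nil, 0, errors.New("truncated attribute")
		}
		val := pkt[off+4 : off+4+l]
		if typ == attrXorMappedAddr && l >= 8 && val[1] == 0x01 {
			port := binary.BigEndian.Uint16(val[2:]) ^ uint16(stunMagicCookie>>16)
			ip := make(net.IP, 4)
			binary.BigEndian.PutUint32(ip, binary.BigEndian.Uint32(val[4:])^stunMagicCookie)
			return ip, port, nil
		}
		off += 4 + (l+3)&^3 // attribute values are padded to 4-byte boundaries
	}
	return nil, 0, errors.New("no XOR-MAPPED-ADDRESS attribute")
}

func main() {
	txID := [12]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12} // constructed; real clients use crypto/rand
	req := BuildBindingRequest(txID)
	resp, _ := EncodeBindingSuccess(txID, net.ParseIP("203.0.113.7"), 54321) // constructed reply
	ip, port, err := ParseBindingSuccess(resp, txID)
	fmt.Printf("request fingerprinted as STUN: %v; reflexive address %s:%d err=%v\n",
		LooksLikeSTUN(req), ip, port, err)
	fmt.Printf("XOR-MAPPED-ADDRESS bytes: % x (obscured, but cookie %#x at offset 4 gives the protocol away)\n",
		resp[24:32], stunMagicCookie)
}
```

The XOR only hides the address from naive NAT ALGs; it does nothing against a monitor, which needs just the 4-byte cookie to classify the flow. That is the asymmetry caust1c is pointing at: the traversal mechanism is visible even when the payload it brokers is not.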

someguydave OP
>The concept of Orchid seems nice but the actual implementation seems very hand-wavy.

Yes that was also my conclusion.
