Networking – Difference Between UDP Hole Punching and UPnP

upnp

So Skype and other p2p type applications often work by what is called hole punching (see simple guide here) to get two clients connected to each other that are both behind firewalls which block incoming connections.

UPnP is also used to get around the user manually having to forward ports. How exactly is it different from the kind of hole punching described above? I assume it must operate differently, as most routers have the setting to turn it on/off, whereas I see no way one could stop the above type of UDP hole punching (aside from blocking outgoing connections and incoming established/related).

Second, if say Skype/BitTorrent can set up a direct connection between A-B with hole punching, does that mean it doesn't need UPnP enabled on the router?

Best Answer

For UPnP to work, the router in question must support it. A device with UPnP basically asks the UPnP enabled router to open a port and forward traffic to it. No party external to the LAN should be able to do this unless the LAN's router is horribly misconfigured or wide open to the world at large.

Hole punching takes advantage of UDP's connectionless nature:

  • A sends a UDP packet on a port+IP to B
  • A's NAT remembers this, and since A originated the packet, considers A to have started a conversation (even though technically with UDP there is no way to know that for sure) and then allows incoming traffic on that port+IP
  • An intermediate party (in the article you provided, that's the Skype "switching" server) is still needed since B's firewall will block the incoming traffic, but now the switching server can MITM and send a response through A's port+IP, which should reach A because NAT is forwarding due to A originating traffic.

Hole punching basically lets a party external to the LAN reach something listening behind a NAT with the help of an intermediary.
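The NAT state the answer describes, as an added simulation that is not code from the answer or from Skype: a port-restricted NAT only admits inbound UDP from an endpoint the inside host has already sent to, so the "punch" is A's own outbound packet; a UPnP port mapping is an explicit request that admits anyone. All addresses and the rendezvous server S are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """One NAT/firewall. restricted=True models a port-restricted NAT: inbound
    UDP is accepted only from an endpoint the inside host already sent to."""
    public_ip: str
    restricted: bool = True
    _maps: dict = field(default_factory=dict)  # inside endpoint -> (pub port, peers)
    _next_port: int = 40000

    def outbound(self, inside, dest):
        """Inside host sends a datagram: create/refresh the mapping and remember
        the destination. This per-destination state is the 'hole'."""
        if inside not in self._maps:
            self._maps[inside] = (self._next_port, set())
            self._next_port += 1
        pub_port, peers = self._maps[inside]
        peers.add(dest)
        return (self.public_ip, pub_port)

    def upnp_add_port_mapping(self, inside, pub_port):
        """UPnP-style request from a LAN device: an explicit mapping that accepts
        inbound traffic from any source, with no outbound packet needed."""
        self._maps[inside] = (pub_port, None)  # None = no peer restriction

    def inbound(self, src, pub_port):
        """Return the inside endpoint that receives the datagram, or None if dropped."""
        for inside, (port, peers) in self._maps.items():
            if port == pub_port and (peers is None or not self.restricted or src in peers):
                return inside
        return None

def hole_punch_scenario(restricted=True):
    """A and B behind NATs, S a public rendezvous server (constructed addresses)."""
    nat_a, nat_b = Nat("203.0.113.1", restricted), Nat("198.51.100.1", restricted)
    a, b, s = ("10.0.0.2", 5000), ("192.168.1.2", 5000), ("192.0.2.10", 3478)
    pub_a, pub_b = nat_a.outbound(a, s), nat_b.outbound(b, s)  # both register with S
    before = nat_a.inbound(pub_b, pub_a[1])   # B -> A before A has sent to B
    nat_a.outbound(a, pub_b)                  # S told A about pub_b; A punches
    after = nat_a.inbound(pub_b, pub_a[1])    # B retries
    return before, after

def upnp_scenario():
    """Same NAT, but the LAN device requests an explicit mapping instead."""
    nat = Nat("203.0.113.1")
    nat.upnp_add_port_mapping(("10.0.0.2", 6881), 6881)
    return nat.inbound(("192.0.2.99", 50000), 6881), nat.inbound(("192.0.2.99", 50000), 6882)
```

Running `hole_punch_scenario(restricted=False)` models a full-cone NAT, where B's first attempt already gets through; this is why the only way to stop hole punching from the router side is to restrict the outbound traffic that creates the mapping.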
