This repository has been archived by the owner on May 11, 2022. It is now read-only.

Use pwnat to punch the holes #100

Closed
RubenKelevra opened this issue Jan 20, 2021 · 2 comments

@RubenKelevra

pwnat uses a completely different method to punch holes in the NAT. The node would just need to send ping packets to a randomly chosen address which is not routable. This address would need to be published in the DHT and other nodes can start to send UDP packets to this node. There's no middle man required - which reduces the security implications (see paper for details):

http://samy.pl/pwnat/pwnat.pdf

@Stebalien wrote:

That's what UPnP is for.

We have UPnP support on by default and it barely helps.

And it's not needed for IPv6 which gets adopted quite fast.

In practice, routers block all inbound connections by default for security reasons, even IPv6 ones.

Maybe ICMP-hole punching, like pwnat offers, which doesn't need a third party to negotiate might be worth a look? :)

Originally posted by @RubenKelevra in ipfs/kubo#7053 (comment)
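
A defender's view of the traffic pattern described in the post above, as an added example that is not part of the original issue or of the pwnat project: it flags an internal host that keeps pinging a target that never answers and then starts exchanging UDP with a previously unseen peer. It assumes, following the linked pwnat paper, that the remote peer first announces itself with an ICMP Time Exceeded message; the record format, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): "<seconds> <src> <dst> <kind>".
# 192.0.2.1 stands in for the unanswered ping target, 198.51.100.9 for the peer.
SAMPLE = """\
0 10.0.0.5 192.0.2.1 echo-request
5 10.0.0.8 203.0.113.4 echo-request
5 203.0.113.4 10.0.0.8 echo-reply
30 10.0.0.5 192.0.2.1 echo-request
60 10.0.0.5 192.0.2.1 echo-request
61 198.51.100.9 10.0.0.5 time-exceeded
62 10.0.0.5 198.51.100.9 udp
63 198.51.100.9 10.0.0.5 udp
"""

def parse(text):
    """Yield (ts, src, dst, kind) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, kind = line.split()
            yield int(ts), src, dst, kind

def find_icmp_hole_punch(events, min_pings=3):
    """Return sorted (host, ping_target, peer) triples matching the pattern:
    repeated unanswered pings, then Time Exceeded from a peer, then UDP with it."""
    events = sorted(events)
    pings = defaultdict(int)     # (host, target) -> echo requests seen so far
    answered = set()             # (host, target) pairs that got an echo reply
    candidates = {}              # (host, peer) -> ping target being held open
    hits = set()
    for ts, src, dst, kind in events:
        if kind == "echo-request":
            pings[(src, dst)] += 1
        elif kind == "echo-reply":
            answered.add((dst, src))
        elif kind == "time-exceeded":
            # Inbound ICMP error to a host that keeps pinging a silent target.
            for (host, target), n in pings.items():
                if host == dst and n >= min_pings and (host, target) not in answered:
                    candidates[(dst, src)] = target
        elif kind == "udp":
            for host, peer in ((src, dst), (dst, src)):
                if (host, peer) in candidates:
                    hits.add((host, candidates[(host, peer)], peer))
    return sorted(hits)

if __name__ == "__main__":
    for host, target, peer in find_icmp_hole_punch(parse(SAMPLE)):
        print(f"{host}: pings to {target} unanswered, then ICMP+UDP with {peer}")
```
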

@aschmahmann
Contributor

From what I recall pwnat is pretty cool, but I'm not sure if it's something that still works. E.g. comments like https://stackoverflow.com/questions/22985793/is-pwnat-still-an-applicable-solution/38223370#38223370 or issues like samyk/pwnat#18.

It's worth noting that since peers will likely (although it's not the only option) learn about peer addresses via the DHT we could have DHT nodes act as the coordinating parties for hole punching without really adding any more risk. Still it would obviously be great if a third party wasn't required.

If you have any evidence of a non-third party scheme working here that'd be useful in building a proposal.

@BigLep

BigLep commented Mar 22, 2021

Closing but there is related hole-punching work happening at protocol/web3-dev-team#21
