What is the difference between UDP hole punching and UPnP?

6
So Skype and other p2p type applications often work by what is called hole punching (see simple guide here) to get two clients connected to each other that are both behind firewalls which block incoming connections.

UPnP is also used to get around the user manually having to forward ports. How exactly is it different from the kind of hole punching described above? I assume it must operate differently, as most routers have a setting to turn it on/off, whereas I see no way one could stop the above type of UDP hole punching (aside from blocking outgoing connections and incoming established/related).

Second, if, say, Skype/BitTorrent can set up a direct connection between A and B with hole punching, does that mean it doesn't need UPnP enabled on the router?

fpghost

Posted 2013-07-09T00:34:37.313

Reputation: 339

Answers

9

For UPnP to work, the router in question must support it. A device with UPnP basically asks the UPnP enabled router to open a port and forward traffic to it. No party external to the LAN should be able to do this unless the LAN's router is horribly misconfigured or wide open to the world at large.

Hole punching takes advantage of UDP's connectionless nature:

  • A sends UDP packet on a port+IP to B
  • A's NAT remembers this, and since A originated the packet, considers A to have started a conversation (even though technically with UDP there is no way to know that for sure) and then allows incoming traffic on that port+IP
  • An intermediate party (in the article you provided, that's the Skype "switching" server) is still needed since B's firewall will block the incoming traffic, but now the switching server can MITM and send a response through A's port+IP, which should reach A because NAT is forwarding due to A originating traffic.

Hole punching basically lets a party external to the LAN reach something listening behind a NAT with the help of an intermediary.

LawrenceC

Posted 2013-07-09T00:34:37.313

Reputation: 63 487
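To make the two mechanisms in the answer concrete, here is an added toy model of a NAT (not code from the answer or from any real router firmware). It implements the address-restricted behaviour the answer describes: an outbound UDP packet creates a mapping and records which peer the inside host spoke to, and inbound traffic to that public port is accepted only from a peer already contacted, or where an explicit forward exists. The addresses, ports, the NAT's exact policy and the `add_port_mapping` name (standing in for what a UPnP IGD AddPortMapping request achieves) are all constructed assumptions for this example.

```python
"""Toy NAT model contrasting UDP hole punching with UPnP port forwarding.
Addresses, ports and the NAT policy are constructed assumptions, not any
real router's behaviour."""
from __future__ import annotations
from dataclasses import dataclass, field

Endpoint = tuple[str, int]  # (ip, port)


@dataclass
class Nat:
    """Address-restricted cone NAT (assumed policy for this example)."""
    public_ip: str
    next_port: int = 40000
    mappings: dict[Endpoint, int] = field(default_factory=dict)      # inside -> public port
    inside_of: dict[int, Endpoint] = field(default_factory=dict)     # public port -> inside
    allowed: dict[int, set[Endpoint]] = field(default_factory=dict)  # public port -> peers contacted
    forwards: dict[int, Endpoint] = field(default_factory=dict)      # explicit forwards (UPnP)

    def outbound(self, inside: Endpoint, peer: Endpoint) -> Endpoint:
        """Translate an outgoing packet and remember that `inside` spoke to `peer`.
        Returns the public (ip, port) the peer sees as the source."""
        if inside not in self.mappings:
            port, self.next_port = self.next_port, self.next_port + 1
            self.mappings[inside], self.inside_of[port], self.allowed[port] = port, inside, set()
        port = self.mappings[inside]
        self.allowed[port].add(peer)
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, public_port: int) -> Endpoint | None:
        """Return the inside endpoint a packet from `src` is delivered to, or None if dropped."""
        if public_port in self.forwards:                  # static forward: no prior outbound needed
            return self.forwards[public_port]
        if src in self.allowed.get(public_port, set()):   # matches tracked outbound traffic
            return self.inside_of[public_port]
        return None                                       # unsolicited: dropped

    def add_port_mapping(self, public_port: int, inside: Endpoint) -> None:
        """What a LAN-side UPnP AddPortMapping request achieves (hypothetical helper name)."""
        self.forwards[public_port] = inside


# Constructed topology: A and B behind separate NATs, S a public rendezvous server.
A_INSIDE: Endpoint = ("192.168.1.2", 5000)
B_INSIDE: Endpoint = ("10.0.0.2", 6000)
SERVER: Endpoint = ("203.0.113.10", 3478)


def run_hole_punch() -> dict[str, bool]:
    nat_a, nat_b = Nat("198.51.100.1"), Nat("198.51.100.2")

    # 1. Both peers register with S; S records the public endpoint it sees for each.
    a_pub = nat_a.outbound(A_INSIDE, SERVER)
    b_pub = nat_b.outbound(B_INSIDE, SERVER)

    # 2. S's replies (carrying the other peer's public endpoint) ride the existing mappings.
    assert nat_a.inbound(SERVER, a_pub[1]) == A_INSIDE
    assert nat_b.inbound(SERVER, b_pub[1]) == B_INSIDE

    # 3. A sends to B's public endpoint: nat_a now permits b_pub, but nat_b drops the
    #    packet because B has not yet sent anything toward a_pub.
    nat_a.outbound(A_INSIDE, b_pub)
    first = nat_b.inbound(a_pub, b_pub[1])

    # 4. B sends to A's public endpoint: nat_a already tracks b_pub, so it is delivered.
    nat_b.outbound(B_INSIDE, a_pub)
    b_to_a = nat_a.inbound(b_pub, a_pub[1])

    # 5. A's next packet passes nat_b as well: both holes are open, no port was forwarded.
    second = nat_b.inbound(a_pub, b_pub[1])
    return {
        "first_a_to_b_delivered": first is not None,
        "b_to_a_delivered": b_to_a == A_INSIDE,
        "second_a_to_b_delivered": second == B_INSIDE,
        "ports_forwarded": bool(nat_a.forwards or nat_b.forwards),
    }


def run_upnp() -> dict[str, bool]:
    nat_b = Nat("198.51.100.2")
    nat_b.add_port_mapping(6000, B_INSIDE)                # B asks its own router for a forward
    delivered = nat_b.inbound(("198.51.100.1", 40000), 6000)  # unsolicited packet from outside
    return {"unsolicited_delivered": delivered == B_INSIDE, "port_forwarded": 6000 in nat_b.forwards}


if __name__ == "__main__":
    print("hole punching:", run_hole_punch())
    print("upnp:", run_upnp())
```

Running it shows the asymmetry the answer points at: with hole punching, A's very first packet to B is dropped and only the exchange through the rendezvous server gets both NATs into a state where traffic flows, and no forward ever appears in either router's table; with UPnP, a single request from inside the LAN creates a standing forward, after which any outside host can reach B unsolicited, which is why routers expose a switch for it.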

So to summarise: 1) UPnP: protocol for letting devices/applications internal to a network tell the router to forward a given port (without the user having done so manually) 2) UDP punching: no ports are forwarded, but router A accepts traffic from B because it tracks that outbound traffic from A to B has already occurred (even though that first packet never reached B etc.) and vice versa for router B. All this is negotiated by some third-party server which both A and B are connected to. – fpghost – 2013-07-09T07:44:01.867

So providing the firewall allows Skype outbound access, there would be no need to enable UPnP on a router which Skype was behind in order for it to establish an A-B direct connection; it could just establish this with UDP hole punching instead? – fpghost – 2013-07-09T07:46:38.800

You are correct. – LawrenceC – 2013-07-09T10:49:18.350