Sunday, March 18, 2012

VPN symmetric NAT

Peer registration provides a mechanism for edges to form direct connections, thereby removing the supernode from the path. If the sender edge node receives an acknowledgement for a register message previously sent directly to a remote node, then the nodes can reach each other directly. If one of the peers is behind symmetric NAT, the act of sending a registration request directly to the other peer opens a return path through the firewall. If both peers are behind symmetric NAT, direct connectivity is not possible. As happens with ARP [21], dynamic peer registrations expire if not renewed.

[Figure: n2nEdge A, n2nEdge B, SuperNode, Symmetrical NAT, Asymmetrical NAT]

Note that:
- The N2N community name is conceptually similar to the 802.1q VLAN ID.
- Dynamic peer registration may fail, e.g. due to firewalling. In this case packets can use asymmetric routing, e.g. A to B via S but direct from B to A.

N2N uses Twofish [19] as its encryption algorithm. The authors chose this symmetric-key block cipher as it is fast, unpatented, and its source is uncopyrighted and licence-free. Each N2N community has a shared key that is used to encrypt/decrypt N2N packet payloads. If a supernode is compromised, injected traffic will be discarded, as supernodes never know community keys. Layer-2 frames are also compressed using the Lempel-Ziv-Oberhumer (LZO) [20] algorithm which, like Twofish, is fast, efficient and available under the GNU GPL license. The N2N packet header is not compressed (nor encrypted), which allows supernodes to forward packets.
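The split between a cleartext header that the supernode routes on and a payload that only community members can open is the property worth seeing in code. The following is an added example written for this post, not N2N's own code or wire format: the header layout (community name, source MAC, destination MAC, nonce) is assumed, Twofish is replaced by an HMAC-SHA256 counter-mode keystream because the standard library has no Twofish, zlib stands in for LZO, and all keys and MAC addresses are constructed values.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed values for this example; not real N2N key material or addresses.
COMMUNITY = b"example-net"
COMMUNITY_KEY = b"constructed-community-key"
MAC_A = bytes.fromhex("02aabbcc0001")
MAC_B = bytes.fromhex("02aabbcc0002")

# Assumed cleartext header: community name, source MAC, destination MAC, nonce.
HEADER_FMT = ">16s6s6s8s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 36 bytes


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for Twofish (not available in the stdlib): HMAC-SHA256 in
    counter mode. It only reproduces the structural point that the payload is
    opaque to anyone without the shared community key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def build_packet(community, src_mac, dst_mac, frame, key, nonce):
    """Sending edge: compress the Layer-2 frame (zlib stands in for LZO),
    encrypt the compressed bytes with the community key, prepend the
    uncompressed, unencrypted header."""
    payload = _xor(zlib.compress(frame), key, nonce)
    header = struct.pack(HEADER_FMT, community.ljust(16, b"\0"), src_mac, dst_mac, nonce)
    return header + payload


def parse_header(packet):
    community, src, dst, nonce = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return community.rstrip(b"\0"), src, dst, nonce


def supernode_forward(packet, registry):
    """Supernode: choose the next hop from the cleartext header alone.
    registry maps (community, dst_mac) -> edge address. No key is involved,
    so the supernode never sees frame contents."""
    community, _src, dst, _nonce = parse_header(packet)
    return registry.get((community, dst))


def edge_receive(packet, key):
    """Receiving edge: decrypt, then decompress. A payload not produced with
    the community key decrypts to garbage that fails decompression and is
    discarded (None). This is how the example models the discard the post
    describes; a real deployment would add an explicit integrity check."""
    _community, _src, _dst, nonce = parse_header(packet)
    plain = _xor(packet[HEADER_LEN:], key, nonce)
    try:
        return zlib.decompress(plain)
    except zlib.error:
        return None


if __name__ == "__main__":
    registry = {(COMMUNITY, MAC_B): ("edge-b.example", 7654)}
    pkt = build_packet(COMMUNITY, MAC_A, MAC_B, b"frame from A to B", COMMUNITY_KEY, b"\x00" * 8)
    print("supernode forwards to:", supernode_forward(pkt, registry))
    print("B decodes:", edge_receive(pkt, COMMUNITY_KEY))
    # Packet built without the community key, as a compromised supernode would have to.
    forged = build_packet(COMMUNITY, MAC_A, MAC_B, b"injected", b"not-the-key", b"\x01" * 8)
    print("B decodes forged packet:", edge_receive(forged, COMMUNITY_KEY))
```

Two things the run makes visible: the supernode forwards the forged packet just as readily as the genuine one, because routing uses only the header, and it is the receiving edge that drops it. The flip side of the unencrypted header is that a supernode (compromised or not) still sees the community name and the source and destination MAC addresses of every packet it relays, so the design hides frame contents from the supernode but not traffic metadata.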
