
How to punch holes in firewalls

Assume an identity system that finds the entity you want to talk to.

If it is behind a firewall, you cannot notify it, cannot send an interrupt, cannot ring its phone.

Assume the identity system can notify it. Maybe it has a permanent connection to an entity in the identity system.

Your target agrees to take the call. The identity system then informs both parties of each other's IP address and of the port number on which each will be taking the call.

Both parties send off introduction UDP packets to the other's IP address and port number, thereby punching holes in their own firewalls for the return packets. When each gets a return packet, an introduction acknowledgement, the connection is assumed established.

It is that simple.
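The exchange above, as an added simulation that is not part of the original page: two peers behind a modelled stateful firewall (an assumption: inbound UDP is admitted only from an endpoint the peer has already sent to), with constructed endpoints standing in for what the identity system would report. It also shows the ordering failure the page's later paragraphs worry about: the first introduction can arrive before the other side has punched its hole, so introductions are re-sent until an acknowledgement comes back.

```python
class Peer:
    """One endpoint behind a stateful firewall that admits an inbound UDP packet
    only from a remote endpoint this peer has already sent a packet to (assumed model)."""

    def __init__(self, endpoint):
        self.endpoint = endpoint          # (public IP, port) as the identity system would report it
        self.holes = set()                # remote endpoints we have punched a hole towards
        self.established = False          # becomes True only when an acknowledgement arrives
        self.outbox = []                  # packets waiting for the network: (src, dst, kind)

    def introduce(self, remote):
        """Send an introduction packet; the outbound packet opens the hole for replies."""
        self.holes.add(remote)
        self.outbox.append((self.endpoint, remote, "intro"))

    def receive(self, src, kind):
        if src not in self.holes:         # firewall: no prior outbound packet, so it is dropped
            return "dropped"
        if kind == "intro":               # answer the introduction with an acknowledgement
            self.outbox.append((self.endpoint, src, "ack"))
        elif kind == "ack":               # the return packet got through: hole confirmed
            self.established = True
        return "delivered"

def deliver(peers):
    """Move every queued packet to its destination; returns a log of what happened."""
    packets = [p for peer in peers.values() for p in peer.outbox]
    for peer in peers.values():
        peer.outbox.clear()
    return [(src, dst, kind, peers[dst].receive(src, kind)) for src, dst, kind in packets]

def hole_punch(a_first=True, max_rounds=5):
    """Run the exchange; the first peer's intro is delivered before the other has sent anything."""
    a, b = Peer(("203.0.113.5", 40001)), Peer(("198.51.100.9", 40002))   # constructed endpoints
    peers = {a.endpoint: a, b.endpoint: b}
    first, second = (a, b) if a_first else (b, a)
    first.introduce(second.endpoint)
    log = deliver(peers)                  # arrives before the second hole exists: dropped
    second.introduce(first.endpoint)
    rounds = 0
    while not (a.established and b.established) and rounds < max_rounds:
        log += deliver(peers)
        for p, other in ((a, b), (b, a)):
            if not p.established:         # no ack yet: doubt the hole and re-send the introduction
                p.introduce(other.endpoint)
        rounds += 1
    return a.established and b.established, rounds, log
```

The log returned by `hole_punch()` shows the first introduction dropped, the re-sent one delivered, and both acknowledgements arriving by the third round.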

Of course networks are necessarily non-deterministic, therefore all beliefs about the state of the network need to be represented in a Bayesian manner: any assumption must be held in such a way that the computer is capable of doubting it.

We have a finite, and slowly changing, probability that our packets get into the cloud, and a finite and slowly changing probability that our messages get from the cloud to our target. We have a finite probability that our target has opened its firewall, and a finite probability that our target can open its firewall; this rises to an extremely high probability when we get an acknowledgement, and that probability then diminishes again over time.

As I observe in Estimating Frequencies from Small Samples, any adequately flexible representation of the state of the network has to be complex: a fairly large body of data, more akin to a spam filter than a boolean.

These documents are licensed under the Creative Commons Attribution-Share Alike 3.0 License