@@ -416,6 +416,64 @@ ENR as its potential relay, the longer time that has passed since a peer sent us
416416the less guarantee we have that the peer is in fact connected to the owner of that ENR and
417417hence of its ability to relay.
418418
419+
420+ ### Job of keeping the hole punched falls on Bob and Bob's incentive to do so
421+
422+ UDP session table entry lifetimes are configurable, though a common lower bound is 20
423+ seconds. Bob must periodically reset the session table entry for Alice in its NAT to keep
424+ the hole for Alice punched. If Alice too is behind NAT, it must do the same for Bob.
425+ Implementations must ensure, when a node behind NAT does not send a packet to a peer
426+ within the entry lifetime then an empty packet is sent that is dropped by the peer.
427+
428+ NAT hole punching unavoidably creates overhead for all nodes in the network but once a
429+ hole is punched, keeping it punched requires no interaction between peers. The incentive
430+ for nodes behind NAT to keep holes for its peers punched is to avoid reestablishing a
431+ session. If there is no hole for Alice in Bob's NAT when Alice carries out a [ liveness
432+ check] , Bob is considered offline and the session to Bob useless. If the node behind NAT
433+ intends to frequently communicate with a peer, reestablishing the session is more costly
434+ than managing the interval of sent packets to that peer.
435+
436+ ### Discovering if the local node is behind NAT and must keep holes for peers punched
437+
438+ A node may at start-up be assigned an externally reachable socket to advertise as well as
439+ a listen socket. If those sockets are not equivalent, the node is behind NAT and the
440+ [ mechanism for keeping holes punched] is activated. Like so, a node assumes it is behind
441+ NAT if an externally reachable socket is omitted from the initial configuration and must
442+ activate the mechanism for keeping holes punched. The [ runtime address discovery]
443+ mechanism can discovery the external endpoint address used by the local node. Once a new
444+ externally reachable endpoint is known, implementations will try to bind to its IP address
445+ at some number of randomly selected ports from a given range of probably unused ports. If
446+ binding succeeds with any port, the node is not behind NAT and the mechanism for keeping
447+ holes punched is deactivated.
448+
449+ This solution assumes, in most scenarios where port-forwarding cannot be configured the
450+ local node host's address is private to the address realm of the device operating the NAT
451+ level furthest from the local node host. If the host and NAT device use the same IP
452+ address, binding will always succeed, so this method may give a false negative. However,
453+ this is not detrimental. A node behind NAT that deactivates the mechanism for keeping
454+ holes punched will more frequently have to re-establish sessions to its peers.
455+
456+ ### Limiting resource consumption of peers behind symmetric NATs, useful for light-clients
457+
458+ Peers with unreachable ENRs do not get inserted into node table buckets. Nodes that are
459+ behind symmetric NATs will naturally never succeed in pinpointing one external socket for
460+ peers to reach them on by [ runtime address discovery] and therefore their unreachable ENRs
461+ will never update to reachable ENRs.
462+
463+ This means, these peers will never respond to requests, as only peers in the node table
464+ are sent requests. This does not cohere with the p2p-model, rather the server-client model
465+ where the peer with a unreachable ENR acts as the client. This misalignment is especially
466+ bothersome for well behaving (externally reachable) light-clients operating on limited
467+ resources. Discv5.2 corrects this side-effect of runtime address discovery by introducing
468+ a configurable limit to the number of sessions at a time with peers with unreachable ENRs,
469+ the lower limit being 1. Nodes must accept sessions with at least one peer with a
470+ unreachable ENR to for runtime address discovery to be enabled on the discv5.2 network.
471+
472+ ### Fault tolerance
473+
474+ As was already the case in discv5, if a request to a node times out, (after the configured
475+ number of retries) that peer is considered unresponsive and the session can be failed.
476+
419477[ EIP-778 ] : ../enr.md
420478[ identity scheme ] : ../enr.md#record-structure
421479[ message packet ] : ./discv5-wire.md#ordinary-message-packet-flag--0
@@ -430,6 +488,8 @@ hence of its ability to relay.
430488[ RELAYMSG ] : ./discv5-wire.md#relaymsg-notification-0x08
431489
432490[ Sessions ] : ./discv5-theory.md#sessions
491+ [ runtime address discovery ] : ./discv5-theory.md#maintaining-the-local-node-record
492+ [ mechanism for keeping holes punched ] : ./discv5-theory.md#job-of-keeping-the-hole-punched-falls-on-bob-and-bobs-incentive-to-do-so
433493[ natpaper ] : https://pdos.csail.mit.edu/papers/p2pnat.pdf
434494[ RFC4787 ] : https://datatracker.ietf.org/doc/html/rfc4787
435495[ RFC6146 ] : https://datatracker.ietf.org/doc/html/rfc6146
0 commit comments