Comment by zackmorris

6 months ago

After writing a response about using this for games below, it occurred to me that most tunneling solutions have one or more fatal flaws that prevent them from being "the one true" tunnel. There are enough footguns that maybe we need a checklist similar to the "Why your anti-spam idea won’t work" checklist:

https://trog.qgl.org/20081217/the-why-your-anti-spam-idea-wo...

I'll start:

  Your solution..
  ( ) Can't punch through NAT
  ( ) Isn't fully cross-platform
  ( ) Must be installed at the OS level and can't be used standalone by an executable
  ( ) Only provides reliable or best-effort streams but not both
  ( ) Can't handle when the host or peer IP address changes
  ( ) Doesn't checksum data
  ( ) Doesn't automatically use encryption or default to using it
  ( ) Doesn't allow multiple connections to the same peer for channels or load balancing
  ( ) Doesn't contain window logic to emulate best-effort datagrams over about 1500 bytes
  ( ) Uses a restrictive license like GPL instead of MIT

Please add more and/or list solutions that pass the whole checklist!

8 comments

zackmorris

Reply
rklaehn  6 months ago

Nice list.

I think iroh checks all the boxes but one.

( ) Doesn't contain window logic to emulate best-effort datagrams over about 1500 bytes

So you want a way to send unreliable datagrams larger than one MTU. We don't have that, since we only support datagrams via https://datatracker.ietf.org/doc/html/rfc9221 .

You could just use streams - they are extremely lightweight. But those would then be reliable datagrams, which comes with some overhead you might not want.

So how hard would it be to implement window logic on top of RFC9221 datagrams?

  • flub  6 months ago

    I'm not sure I fully understand this window logic question. QUIC does MTU discovery, so if the link supports bigger datagrams the MTU will go up. Unreliable datagrams using RFC9221 can be sent up to the MTU size minus the QUIC packet overhead. So if your link supports >1500 bytes then you should be able to send datagrams >1500 bytes using iroh.

  • GoblinSlayer  6 months ago

    Also there's no solution to punch through NAT.

    • rklaehn  6 months ago

      Iroh will do hole punching through NATs. It will even work in many cases when there are NATs on both sides.

      There are some limitations regarding some double NATs or very strictly configured corporate firewalls. This is why there is always the relay path as a fallback.

      If you have a specific situation in mind and want to know if hole punching works, we got a tool iroh-doctor to measure connection speed and connection status (relay, direct, mixed):

      https://crates.io/crates/iroh-doctor , can be installed using cargo install iroh-doctor if you have rust installed.

    • flub  6 months ago

      There might be some confusion here, holepunching is a core functionality of iroh. There are still some firewall configurations that iroh can not yet holepunch and that can still be improved, but in general the holepunching works rather well.