Traversing X11 clients behind NAT (or X11 end-to-end connectivity)

Sascha Hlusiak saschahlusiak at
Fri Mar 21 15:16:52 PDT 2008


> I was thinking how we could make remotely X clients totally connective
> with the server when _both_ are behind a NAT/firewall.
Get IPv6, the network of tomorrow -- today. And a firewall is not a thing to 
bypass because the admin installed it for a reason.
Why to increase the codebase of every little Internet program by a big load of 
hacks? Have it included in the Socket API.

> We can imagine one big motivation to do this: a scenario where someone
> using his thin and poor machine wants to use the resources of some "fat"
> machines which he simply doesn't know where they are seated. Those fat
> machines could be arranged through a P2P network of "X11 pool of
> resources" and the list of machines displayed to the user select his
> desired one (e.g. with minor lag/load). Someone more capitalist than me
> could go further and imagine a provider selling X11 resources to mobile
> devices. Or just open your home machine's web browser in any place of
> the world. Well, the field of applications would be huge.
X11 reacts very allergic to high latency and need quite some bandwidth whereas 
NX works extremely well here and it's easier to maintain (ssh). If necessary 
you can forward ports if you are behind a NAT. 

> - How?
> There's a technique to create TCP connections between machines behind
> NAT/firewall called "hole punching' [0, 1]. With the help of a server
> (called rendezvous) two machines behind NAT/firewall open a 'hole' in
> their NAT/firewall to establish a connection. A similar technique --
> using UDP -- is what Skype and others are relaying today.
It probably scares the sh** out of the admin to have more programs like Skype 
that are not under control because they punch holes in the firewall and 
bypass NAT. While it's desireable by people to have it work, I'd prefer IPv6 
to come to put NAT finally to it's grave. 

> - Why ssh -X and xfwp is not the way?
> Simply because it doesn't let end-to-end connectivity.
I see rare cases where this real end-to-end connectivity is necessary. If it's 
a server, they'd be plain dumb to put it behind a NAT. 

> I didn't thought what would be the impact in both client and server
> side. Probably all this will touch some aspects of authentication and
> security. I don't know.
Nobody knows anymore which whom it's talking and encryption would be 
necessary. Then you can as well just use ssh -X, which adds both. Why not 
rather have ssh traversing NAT's? Poor admins.

> So I would like to hear from you what do you think about this all (and
> eventually find a mentor to apply this in GSoC ;) )
Sorry, just my 2 cents. I'd like to have all the loose development energy 
bundled to really improve the X11 world. There is much more work left in 
current markets than in future ones.

- Sascha
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the xorg mailing list