A number of tools like GridFTP are now available for efficient high-speed data transfer over long-distance, congested data links. Some of these use user datagram protocol (UDP) rather than transmission control protocol (TCP) in order to bypass TCP's congestion-control and flow-control mechanisms, which throttle throughput on links with a high bandwidth-delay product. This presents firewall problems, especially for tools (like GridFTP) that use a range of dynamically assigned ports.
The authors observe that, although UDP is connectionless, current-generation stateful firewall products are able to simulate a continuing connection for UDP requests (for example, queries to a domain name system (DNS) server) sent from inside the firewall. They do this by creating a temporary access rule that allows packets from the destination address and port to travel back to the source for a configurable period of time; the rule is removed once that period elapses without further traffic.
The concept of network address translation (NAT) traversal through UDP hole punching is illustrated with a simple example showing how two clients, each behind its own firewall, can set up a UDP connection with the help of a relay server. TCP connections to that server carry the coordination: each client learns the other's UDP endpoint, and then sends an outbound UDP datagram toward it, so that each firewall opens the appropriate UDP hole for the other side's packets. This concept is further illustrated with a simple netcat example.
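The following is an added example, not code from the paper under review, that models the two mechanisms just described: the temporary UDP pseudo-connection rule of a stateful firewall, and the hole-punching exchange in which a TCP signalling server tells each client the other's UDP endpoint. The firewalls, addresses, timeout value and the `rendezvous` stand-in for the server are all constructed for illustration; NAT address rewriting is deliberately omitted so that the firewall rule logic stands out.

```python
"""Added example: stateful-firewall UDP pseudo-connections and UDP hole punching.

Illustrative model only (no real sockets, no NAT rewriting); not from the paper.
"""
from dataclasses import dataclass

Addr = tuple  # (ip, port), e.g. ("10.0.0.5", 40000)


@dataclass(frozen=True)
class Datagram:
    src: Addr
    dst: Addr
    payload: bytes


class StatefulFirewall:
    """Lets an inbound UDP datagram through only if an inside host recently sent
    a datagram to that exact outside endpoint (the 'temporary access rule')."""

    def __init__(self, inside_prefix: str, timeout: float = 30.0):
        self.inside_prefix = inside_prefix   # e.g. "10.0.0." marks the inside network
        self.timeout = timeout               # lifetime of the temporary rule (assumed value)
        self.pseudo_conns: dict = {}         # (inside_addr, outside_addr) -> expiry time

    def protects(self, addr: Addr) -> bool:
        return addr[0].startswith(self.inside_prefix)

    def outbound(self, dg: Datagram, now: float) -> bool:
        # An outbound datagram creates or refreshes the pseudo-connection.
        self.pseudo_conns[(dg.src, dg.dst)] = now + self.timeout
        return True

    def inbound(self, dg: Datagram, now: float) -> bool:
        # Reverse lookup: did the inside destination already talk to this source?
        key = (dg.dst, dg.src)
        expiry = self.pseudo_conns.get(key)
        if expiry is None or now > expiry:
            self.pseudo_conns.pop(key, None)  # drop an expired rule
            return False
        return True


class Network:
    """Routes each datagram through the sender's firewall, then the receiver's."""

    def __init__(self, firewalls):
        self.firewalls = firewalls
        self.delivered = []                  # datagrams that reached their destination

    def _fw_for(self, addr: Addr):
        for fw in self.firewalls:
            if fw.protects(addr):
                return fw
        return None

    def send(self, dg: Datagram, now: float) -> bool:
        src_fw = self._fw_for(dg.src)
        dst_fw = self._fw_for(dg.dst)
        if src_fw is not None and not src_fw.outbound(dg, now):
            return False
        if dst_fw is not None and not dst_fw.inbound(dg, now):
            return False
        self.delivered.append(dg)
        return True


def rendezvous(addr_a: Addr, addr_b: Addr) -> dict:
    """Stand-in for the TCP signalling server: each client learns the other's
    UDP endpoint. Over TCP this works because the client initiates the connection,
    so its own firewall already permits the reply traffic."""
    return {addr_a: addr_b, addr_b: addr_a}


def hole_punch_demo() -> dict:
    """Two hosts, each behind its own firewall (constructed addresses)."""
    a = ("10.0.0.5", 40000)
    b = ("192.168.1.7", 50000)
    net = Network([StatefulFirewall("10.0.0."), StatefulFirewall("192.168.1.")])
    peer = rendezvous(a, b)
    results = {}
    # t=0: B sends first. A's firewall has no rule for B yet, so the datagram is
    # dropped at A's side, but B's firewall now holds a pseudo-connection B->A.
    results["b_first"] = net.send(Datagram(b, peer[b], b"punch"), now=0.0)
    # t=1: A sends to B. This opens A's hole, and B's firewall already allows A in.
    results["a_punch"] = net.send(Datagram(a, peer[a], b"punch"), now=1.0)
    # t=2: B's reply passes A's firewall as a "reply" to A's outbound datagram.
    results["b_reply"] = net.send(Datagram(b, peer[b], b"hello A"), now=2.0)
    # t=40: nothing has crossed A's firewall for longer than its timeout, so the
    # temporary rule has lapsed and B is blocked again until A re-punches.
    results["after_timeout"] = net.send(Datagram(b, peer[b], b"late"), now=40.0)
    return results


if __name__ == "__main__":
    for step, ok in hole_punch_demo().items():
        print(f"{step:14s} {'delivered' if ok else 'dropped'}")
```

The ordering matters: whichever side sends first loses its datagram, which is why real implementations have both peers send a few probes and why a keep-alive is needed to stop the rule from expiring on an idle transfer.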
Some details are provided showing how the UDP-based data transport (UDT) protocol is able to employ its own reliability and congestion control mechanisms to enhance net throughput. A new UDT-based UNICORE transfer service, which uses UDP hole punching, has now been developed. A Web service method is used to prepare a UDP server connection and perform the hole punching operation. A small comparison table shows that this arrangement can provide a significant increase in throughput over that which can be obtained using GridFTP.
Versions of GridFTP released since this paper was published are also able to use UDT. Those who use GridFTP and its associated Globus.org service will find the content of this paper invaluable.