Skip to content

feat(iroh): defer NAT traversal until admission#4

Open
azooz2003-bit wants to merge 6 commits into
fix/cmux-iroh-1.0.2-bounds-relay-refreshfrom
feat/cmux-deferred-nat-authorization
Open

feat(iroh): defer NAT traversal until admission#4
azooz2003-bit wants to merge 6 commits into
fix/cmux-iroh-1.0.2-bounds-relay-refreshfrom
feat/cmux-deferred-nat-authorization

Conversation

@azooz2003-bit

@azooz2003-bit azooz2003-bit commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Stacked on #3.

Adds an opt-in endpoint gate that keeps NAT traversal, candidate exchange, probing, cached direct-path reuse, and direct migration disabled until the application authorizes the exact live connection. Relay and explicitly supplied initial direct paths remain available for the admission protocol.

Authorization fails closed if the endpoint actor, remote actor, or exact connection is gone. Repeated authorization is idempotent. Multiple connections to one EndpointID maintain independent authorization and retry state.

Pins noq, noq-proto, and noq-udp to the security-fixed commit from manaflow-ai/noq#1 so passive local-IP migration is also gated on both client and server.

Verification:

  • cargo test --workspace --all-targets
  • cargo check --workspace --all-targets
  • cargo clippy --workspace --all-targets -- -D warnings
  • cargo test -p iroh --lib deferred_nat_traversal
  • cargo test -p iroh --lib endpoint_two_relay_only_becomes_direct
  • cargo check -p iroh --no-default-features --features tls-ring
  • cargo test -p iroh --doc
  • cargo fmt --all -- --check
  • git diff --check

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.


Summary by cubic

Defers NAT traversal until the app authorizes each exact connection, while keeping relay or explicitly supplied initial direct paths available for admission. Also scopes bootstrap authority per dial so Initials only go to that attempt’s allowed addresses.

  • New Features

    • Add Builder::defer_nat_traversal_until_authorized(true) to opt in.
    • Add Connection::authorize_nat_traversal(); idempotent; fails closed with NatTraversalAuthorizationError if the endpoint, remote actor, or connection is gone.
    • Gate covers candidate advertise/react, probing, direct-path reuse, and migration. Relay and explicit initial direct paths remain usable pre-authorization. Initials only go to permitted bootstrap paths for that dial.
    • Per-connection state is isolated. Reconnects via cached direct paths are not auto-authorized. Concurrent dials to the same EndpointId never share bootstrap paths.
  • Dependencies

    • Pin noq, noq-proto, and noq-udp to the security-fixed git revision so passive local-IP handshake migration is authorized on both client and server.
    • Update quick-xml to 0.41.0.
    • Bump plist to 1.10.0.

Written for commit 6b2c35b. Summary will update on new commits.

Review in cubic

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5581a350-d002-4715-944c-bfe11bebb33b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/cmux-deferred-nat-authorization

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@azooz2003-bit

Copy link
Copy Markdown
Collaborator Author

Added a fail-closed per-dial bootstrap authority fix in 3ca9903 and 0daf035.

The regression stages two concurrent dials to the same EndpointID with disjoint direct destinations before either QUIC Initial is sent. Before the fix, both Initials reached the second destination. Each resolve now returns a unique mapped-address token whose immutable authority contains only that dial’s canonical explicit paths. Initial dispatch looks up and carries that authority into the remote actor, filters its shared path set per attempt, rejects endpoint mismatches, and unregisters the token when the dial completes or is dropped.

Verification at 0daf035:

  • 125 Iroh unit tests passed, 1 ignored flaky
  • integration test passed
  • all 4 deferred-NAT tests passed
  • affected socket recovery and authority cleanup tests passed
  • strict all-feature clippy passed
  • strict rustdoc and 26 doctests passed, 2 ignored examples
  • no-default tls-ring check passed
  • x86_64-apple-darwin all-feature check passed
  • rustfmt and diff checks passed

Dependency pins: Iroh 0daf035, noq d8534ca45d2f00a3db06914b9f265b8f53d35d03.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant