21 June 2009

Game client-server comms - choice of IP port and data encapsulation

It's always fun to get down to the network protocol and packet level. One of the things I find frequently misunderstood is how port addressing works with respect to outbound firewalling. This comes up when considering how a gaming application can work from inside a corporate firewall that blocks most outbound ports.

First, the basics:
  • IP is the network-layer protocol. It gets packets from a source IP address to a destination IP address. The port numbers live one layer up, in TCP or UDP, and identify which application on each host the data belongs to; a connection is identified by the four-tuple of source IP, source port, destination IP and destination port.
  • http is an application-layer protocol. It describes how a request and its response are laid out between client and server, and specifies some "meta" data (the headers). Think of the headers as the address on the outside of an envelope you put in the mail; the letter inside the envelope is the data itself (the body).
  • SSL and TLS are security protocols (TLS is the successor to SSL). They describe how a client and server authenticate each other and encrypt their traffic.
  • https is http carried inside an SSL/TLS connection, conventionally on TCP port 443.
A high-numbered port (the "source port" or "ephemeral port") is assigned automatically by the client's TCP/IP stack when the client sends the connection request to the server. Intermediate networking components such as a NAT firewall may rewrite that source port on the way out (PAT, Port Address Translation), but a stateful firewall will regardless allow the inbound reply traffic (back to the client) on that port until the connection is closed or its state entry times out. No inbound rule is needed on the client side; the return traffic rides on the state created by the outbound connection.

To avoid being blocked by a corporate firewall, a game client should encapsulate its data in https and use port 443 (the "destination port") to communicate with the server.

Any service on the server can listen on port 443, or on any available port for that matter; the port number is a convention, not something the protocol enforces. In the case of a game server, the application itself can listen for game client requests on port 443. On Unix-like systems binding a port below 1024 requires root or an equivalent privilege, so bind first and drop privileges afterwards.

Using 443 also has the benefit of sidestepping most (but not all) stateful protocol inspection by a firewall: once the TLS handshake has completed, a firewall that does not intercept TLS cannot see what is inside. Some firewalls and proxies do check that traffic on 443 really is TLS, or terminate the TLS themselves using a corporate CA, so to be as confident as possible of getting through, the client-server protocol should be carried inside genuine https: a real TLS handshake followed by ordinary http requests and responses, so that the connection set-up inspects as https rather than as an unknown binary protocol on port 443. If the client verifies the server certificate (it should), an intercepting proxy will present a certificate issued by the corporate CA instead of yours; decide up front whether the client trusts the operating system's certificate store or fails closed. While http (and therefore https) is expensive in terms of bloat and round trips for sending small bits of information back and forth between client and server, it has the advantage of effectively tunnelling through proxy and firewall security blocks. By implication, don't bother with port 80: outbound 80 is the port most likely to be forced through an inspecting http proxy that parses, caches or rejects anything that is not well-formed http, and it is cleartext anyway.

Note that using port 443 should play nicely with corporate proxy servers as well: an http proxy tunnels https by accepting a CONNECT host:443 request and then relaying bytes blindly in both directions, and the client starts its TLS handshake only after the proxy answers 200. You would need to implement this explicitly in the client, including finding the proxy address, unless you can find a way to inherit the proxy settings automatically from the OS or browser (on Windows the WinINet/WinHTTP settings or a PAC file; on Unix-like systems typically the HTTP_PROXY/HTTPS_PROXY environment variables).
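The encapsulation and proxy handling just described, as an added example written for this page (not the author's game code and not taken from any particular game). The game protocol is a small binary frame; the client wraps each frame in an ordinary http POST exactly as it would send it over a TLS socket to port 443, the server unwraps it and answers with a frame of its own, and a helper issues the CONNECT request an http proxy expects before the TLS handshake begins. The host name, message layout and sample move are hypothetical, the exchange runs over an in-process socket pair, and the TLS layer itself is left out: in real use the same bytes go through an ssl-wrapped socket.

```python
import socket
import struct
import threading

# Hypothetical names for the example; nothing on the original page defines them.
GAME_HOST = "game.example.com"
MSG_MOVE = 1
MSG_ACK = 2


def encode_game_message(msg_type, payload):
    """Game-level frame: 1-byte type, 2-byte big-endian length, then payload."""
    return struct.pack("!BH", msg_type, len(payload)) + payload


def decode_game_message(frame):
    """Inverse of encode_game_message; rejects a frame whose length field lies."""
    msg_type, length = struct.unpack("!BH", frame[:3])
    if len(frame) != 3 + length:
        raise ValueError("game frame length mismatch")
    return msg_type, frame[3:]


def wrap_in_http_post(host, path, body):
    """The encapsulation: a game frame travels as the body of an ordinary POST."""
    head = ("POST %s HTTP/1.1\r\nHost: %s\r\n"
            "Content-Type: application/octet-stream\r\n"
            "Content-Length: %d\r\nConnection: keep-alive\r\n\r\n"
            % (path, host, len(body)))
    return head.encode("ascii") + body


def wrap_in_http_response(body):
    """Server reply carrying a game frame back in the response body."""
    head = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            "Content-Length: %d\r\n\r\n" % len(body))
    return head.encode("ascii") + body


def build_proxy_connect(host, port=443):
    """What the client sends to an http proxy before it starts the TLS handshake."""
    return ("CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
            % (host, port, host, port)).encode("ascii")


def read_http_message(sock):
    """Read one request or response framed by Content-Length.
    Returns (start line, lower-cased header dict, body). Bytes beyond the
    declared body (pipelined messages) are dropped; one message at a time."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before headers were complete")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    need = int(headers.get("content-length", "0"))
    while len(rest) < need:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before body was complete")
        rest += chunk
    return lines[0], headers, rest[:need]


def connect_through_proxy(sock, host, port=443):
    """Ask the proxy for a tunnel; only after a 200 may the TLS handshake begin."""
    sock.sendall(build_proxy_connect(host, port))
    status_line, _, _ = read_http_message(sock)
    return status_line.split(" ", 2)[1] == "200"


def game_server(sock):
    """Server side: unwrap the POST, decode the game frame, answer with an ACK."""
    start, headers, body = read_http_message(sock)
    bad = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    if not start.startswith("POST ") or headers.get("content-type") != "application/octet-stream":
        sock.sendall(bad)
        return
    msg_type, payload = decode_game_message(body)
    if msg_type != MSG_MOVE:
        sock.sendall(bad)
        return
    sock.sendall(wrap_in_http_response(encode_game_message(MSG_ACK, b"ok:" + payload)))


def client_round_trip(sock, move):
    """Client side: send one move as https-style traffic, return the decoded reply."""
    sock.sendall(wrap_in_http_post(GAME_HOST, "/game", encode_game_message(MSG_MOVE, move)))
    status_line, _, body = read_http_message(sock)
    if not status_line.startswith("HTTP/1.1 200"):
        raise RuntimeError("server refused: " + status_line)
    return decode_game_message(body)


def demo(move=b"move:e2e4"):
    """Run client and server over an in-process socket pair (constructed input, no network)."""
    client_end, server_end = socket.socketpair()
    server = threading.Thread(target=game_server, args=(server_end,))
    server.start()
    try:
        return client_round_trip(client_end, move)
    finally:
        server.join()
        client_end.close()
        server_end.close()


if __name__ == "__main__":
    print(demo())
```

Running the file performs one round trip and prints the decoded ACK. The server refuses anything that is not a POST with a binary body, which is the check that stops a stray browser or scanner hitting the game endpoint from being mistaken for a client; a real deployment would add a session token in a header before trusting the move.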

Also note that while this approach is straightforward for a downloadable rich game client, it is harder in a Flash game client: Flash Player's sandbox only allows raw socket connections to hosts that serve a socket policy file, and the Socket class cannot drive its own TLS handshake, so in practice the game data has to be sent as ordinary https requests through the URLLoader/URLRequest classes and the client has to live with the request-response shape that implies.

A few documents you might find useful: