The underpinnings of
Back to My Mac
are fairly dense, but interesting, as Apple is mashing up a lot of protocols to punch tunnels through Internet architecture that wasn’t designed to be tunneled through.
Back to My Mac starts with a
as the fundamental. The .Mac service becomes the central point for authentication—proving your identity—and for connecting resources located at different locations on the Internet.
This binding puts together lots of pieces, worth picking apart one at a time:
allows services on a computer or device to advertise themselves across a network so that other equipment can discover them. Printers, Web servers, and a host of other protocols can be discoverable over a local network with Bonjour. Bonjour only works only local networks, however; it’s blocked by gateways, like an
AirPort Extreme Base Station, that connects different networks, such as your Internet connection to your local machines.
Most Wi-Fi and broadband routers support a protocol called Network Address Translation (NAT). NAT was created in part to deal with a shortage of IP addresses in the current IP system, known as IPv4. (IPv6 will solve the shortage, but it’s only very slowly rolled out over nearly a decade because of how much infrastructure must change.)
NAT makes use of private IP address ranges that can be used on local networks. These private ranges—ranges starting with 192.168.0.0 and 10.0.0.0, for instance—are guaranteed to not be assigned on the public Internet.
A NAT gateways typically works with DHCP (Dynamic Host Configuration Protocol). A DHCP server on the gateway pulls an address from a private range, and NAT handles requests that originate from the private range for the wide-area network, typically the Internet, for which the request is bound.
NAT uses ports to handle requests; ports are a fundamental building block of Internet networking. Where IP addresses uniquely define a computer or server somewhere on the Internet, ports define services at those addresses. Think of apartment buildings, which have a street number that uniquely defines their absolute location, and an apartment number, which lets you find the manager’s office or the laundry.
Common services like a Web server, Apple Filing Protocol (AFP), and FTP all have agreed-on ports that are used throughout the net for inbound access, like a request for a Web page. Outbound requests originate at randomly selected port numbers, as they’re only important for creating the association.
For instance, port 80 is used by default for all Web servers. If I try to load Macworld.com, which has an IP address of 188.8.131.52, from my Web browser, my computer first sends the request to the gateway, which my computer knows is the next step to reach the Internet. I might send a request for 184.108.40.206 port 80 from my computer at 192.168.1.100 port 11283. The NAT gateway receives the requests, makes a note of the port that I used to send the request, and opens a connection to Macworld’s Web server using its own port. When the connection is opened back to that NAT-handled port, the NAT gateway passes the traffic back to my computer on the private network.
These dynamically created NAT ports don’t allow persistent connections, which are needed for reaching computers from outside a private network. That’s where NAT-PMP (Port Mapping Protocol) and UPnP (Universal Plug and Play) come into being. NAT-PMP is an Apple-developed protocol open to the industry; UPnP is more widely used at present, though has many acknowledged limitations. Back to My Mac works with either standard.
Both NAT-PMP and UPnP allow a program on a computer on a private network to request a persistent open connection to the outside world. The gateway creates a fixed port for this program, and lets the program know which port is being used. That allows an outside connection to that port to reach a privately addressed computer reliably.
Where you can run into trouble here is that Internet service providers often use NAT themselves, built into the modems they provide to you or at a higher level of the network. You can sometimes be behind three levels of NAT, and that might be impenetrable to Apple’s current iteration of Back to My Mac.
You have Bonjour in use, you have a static port that can be reached, but how does Back to My Mac know about that port? Let’s tackle that.
Bonjour is designed to work on local networks, right? But wide-area Bonjour works over, well, wide-area networks. It does so by registering information in a DNS (domain name system) server. DNS servers are used to provide the Internet glue that connects human-readable domain names, like www.macworld.com, with their underlying IP addresses. They can also store related information about a domain. Properly equipped DNS servers can handle wide-area Bonjour records, and AirPort Extreme Base Stations can interact with these servers to update those records.
Apple has told me that there’s little support among DNS hosts and ISPs yet—the company couldn’t provide me with the name of any that support it—and thus the firm has enabled such support in a limited fashion at .Mac. .Mac handles DNS for Back to My Mac, creating a temporary domain name for your computer to handle its wide-area Bonjour records.
Deep breath for the last piece that ties it all together.
Because ISPs often provide IP addresses that persist only over short periods of time—so-called dynamic IP addresses—dynamic DNS (DDNS) arose as a way to allow you to alert a DNS host that an IP address has changed without manually modifying a DNS record.
DDNS software abounds for Mac, Windows, and other platforms, and in essence simply monitors your network for an IP address changing. When it does it pokes the DNS server which updates its record. This lets a static name map to a dynamic address.
Apple uses DDNS with Back to My Mac to create a private host name that’s not exposed, but that can be used by each Back to My Mac enabled Leopard computer. The DDNS record contains all the wide-area Bonjour information.
Tying it together. When you enable Back to My Mac, your computer:
Starts advertising the service on the local network using Bonjour;
Requests a NAT-PMP or UPnP connection from the router; and
publishes the port and IP address information it gets from the router to .Mac’s DDNS server as a wide-area Bonjour record associated with the domain.
And it’s as simple as that.
Glenn Fleishman is the author of
Take Control of Sharing Files in Leopard
and writes daily about wireless networking at his site
Wi-Fi Networking News.