Overview

Iroh lets you establish direct peer-to-peer connections whenever possible, falling back to relay servers if necessary. This gives you fast, reliable connections that are authenticated and encrypted end-to-end using QUIC.

Iroh is "dial by public key"

In the iroh world, you dial another node by its NodeId, a 32-byte ed25519 public key. Unlike IP addresses, this ID is globally unique, and instead of being assigned, you can cheaply generate as many as you want yourself. It also doesn't change when you change networks. You won't have to think about NATs getting in your way, iroh traverses them for you. Basing connections on asymmetric public keys is what allows iroh to always end-to-end encrypt and authenticate connections.

How it works

It's built on peer-to-peer QUIC using both relays and holepunching.

Peer to peer connectivity is established with the help of a relay server. The relay server provides Session Traversal Utilities for NAT (STUN) for the peers. If no direct connection can be established, the connection is relayed via the server.

Peers must know and do verify the PeerID of each other before they can connect. When using a relay server to aid the connection establishment they will register with a home relay server using their PublicKey. Other peers which can not establish a direct connection can then establish connection via this relay server. This will try to assist establishing a direct connection using STUN and holepunching but continue relaying if not possible.

Peers can also connect directly without using a relay server. For this, however the listening peer must be directly reachable by the connecting peer via one of it's addresses.

Iroh is built on QUIC

This gives iroh super-powers:

  • encryption & authentication
  • stream multiplexing
    • no head-of-line blocking issues
    • stream priorities
    • one shared congestion controller
  • an encrypted, unreliable datagram transport
  • zero round trip time connection establishment if you've connected to another node before

A single QUIC connection can power all of your protocol's complex interactions:

  • Stream both video and audio without video packet loss affecting audio. Prioritize audio by increasing that stream's priority.
  • Use the unreliable datagram transport for your game's state and input networking. Also re-use the same connection for streaming assets or real-time audio or video.
  • Avoid unnecessary network round-trips when your phone comes back from suspension with zero round trip time connection establishment.

The higher level: Give your users agency back

Iroh bootstraps a new internet: Your user's home computer is as inter-connected as a virtual private server. There might not be a need for intermediaries if their powerful smartphone can accept incoming connections like any other service.

This gives users back power and agency to use their devices the way they want to.
No need to fight for static IP addresses from your ISP.
No need to buy domain names to participate in the internet.
No need to set up complicated TLS certificates to get what should be a baseline feature: Encryption.

Want to see where iroh's headed?

See our roadmap to find out what's planned.