The Problem with IP-Based Networking
IP addresses make for inherently fragile identifiers. They change whenever a device switches from Wi-Fi to cellular, reboots, or updates its DHCP lease. In modern network environments, where devices are frequently trapped behind multiple layers of NAT or CGNAT, these shifts break existing connections. Historically, developers have relied on complex or centralized solutions like STUN, TURN, or stateful VPN overlays to manage connectivity, all of which introduce latency or maintenance overhead.
Enter Iroh 1.0: Identity Through Keys
Released in June 2026, Iroh 1.0 shifts the focus from IP addresses to cryptographic public keys. By treating the public key as the stable identifier for a node, Iroh allows the network layer to handle the routing details. This ensures that even if the underlying IP changes, the connection remains authenticated and persistent.
How Iroh Stacks Up
- Connection Lifecycle: Iroh attempts a direct QUIC-based UDP hole punch first, which succeeds in roughly 90% of cases. When direct connectivity fails—often due to symmetric NAT—it falls back to a stateless relay.
- Efficient Infrastructure: By leveraging QUIC with TLS 1.3, Iroh ensures end-to-end encryption. Because the relay servers are stateless and merely forward encrypted packets, they are significantly cheaper and easier to scale than stateful WebRTC TURN servers.
- Standardization: Iroh adopts QUIC-NAT-Traversal (QNT), an IETF standard that integrates hole punching directly into the QUIC stack. This allows for better congestion control and cleaner connection handoffs.
Implementation
Using Iroh is straightforward across multiple languages. Here is a minimal implementation in Rust using the iroh crate:
use iroh::{Endpoint, endpoint::presets, protocol::Router};
// Accepting side
let endpoint = Endpoint::bind(presets::N0).await?;
let router = Router::builder(endpoint.clone())
.accept(ECHO_ALPN, EchoHandler)
.spawn();
endpoint.online().await?;
let addr = endpoint.node_addr().await?;
// Connecting side
let other = Endpoint::bind(presets::N0).await?;
let conn = other.connect(addr, ECHO_ALPN).await?;
let (mut send, mut recv) = conn.open_bi().await?;
send.write_all(b"hello iroh").await?;
send.finish()?;
Trade-offs and Use Cases
Unlike WebRTC or libp2p, Iroh prioritizes practical connectivity over extreme decentralization. It avoids the bloat of ICE/SDP and the complexity of Kademlia DHTs. While Iroh is excellent for direct peer-to-peer data, it is not a web server. If your application requires handling webhooks or providing a standard HTTPS interface for external clients, you will still need a public entry point.
For local development or demoing web-facing components of your P2P app, you can use ssh to expose a local port:
ssh -p 443 -R0:localhost:8080 free.pinggy.io
By splitting your architecture-Iroh for the P2P data plane and a tunnel for the public HTTP ingress, you get the best of both worlds: decentralization where performance matters and web standard compatibility where accessibility matters.
Reference
-
Iroh 1.0: Dial Keys, Not IPs
Iroh 1.0 ships a stable P2P networking library that connects devices by cryptographic key instead of IP address. QUIC under the hood, 90% hole-punch success, 200M+ endpoints/month, and now stable language bindings for Python, Node.js, Swift, and Kotlin.
pinggy.io
- https://github.com/n0-computer/iroh
Top comments (0)