I recently took part in testing P2P-related logic and gained some understanding of the principles of NAT traversal (not a very deep one, of course). This article also draws extensively on material from the internet and the literature (please forgive me for not citing it in the text). My purpose in writing it is to describe the process in my own words, adding my own understanding along the way, so that it serves as a record of the main points. I still have many blind spots in this area, so advice is welcome.
NAT (Network Address Translation) is also called network masquerading or IP masquerading. It is an address translation technique whose main job is to convert internal private IP addresses into IP addresses that can be used on the public network (public IPs).
Back in the 1980s, when the network address was designed, its designers assumed that there would never be as many as 2^32 terminal devices connected to the Internet. In addition, lengthening the IP address (even from 4 bytes to 6 bytes) would have increased the cost of computation, storage and transmission on the equipment of the time. Later it gradually became clear that IP addresses were running out, and NAT was born. (IPv6 is also a solution, but it has not been widely deployed, and whether IPv6 will be enough in the future is still unknown.)
NAT technology therefore took off because public IP addresses were too scarce in China, which is why this address translation strategy was adopted. In essence, NAT lets a group of machines share one IP address, which temporarily solves the shortage of IP addresses.
The advantages have in fact already been touched on above. From the definition it is easy to see that NAT lets multiple computers connect at the same time while hiding their intranet IPs, which improves the security of the intranet; in addition, NAT checks incoming external data against its mapping records and rejects packets with no matching record, which also improves network security.
NAT also brings some disadvantages. First, the NAT device has to edit and rewrite packets, which reduces forwarding efficiency. Second, protocols differ in how they use addresses: some protocols cannot pass through NAT (quite a few, in fact) and need traversal techniques to work. Traversal techniques are the focus later on.
With this background in place, the following introduces the main ways NAT is implemented and the types of NAT.
1) Static NAT: static address translation. Each public IP corresponds to one private IP, a one-to-one conversion. Note that only the IP address is translated here; ports are not. For example:
2) NAPT: port multiplexing. The difference from static NAT is that NAPT translates not only IP addresses but also transport-layer ports. Specifically, there is only one public IP facing the outside world, and traffic from different private IP hosts is distinguished by port. Another example:
From the introduction above, it is clear that NAPT is far more widely used in real environments, so the following focuses on the main types of NAPT.
NAPT is divided into two broad categories: cone NAT and symmetric NAT. Cone NAT is further divided into full cone, restricted cone and port restricted cone. In summary: in symmetric NAT, each request (to a different destination) corresponds to its own port; in cone NAT (asymmetric NAT), one port serves multiple requests (from the outside to the inside). As long as the internal source IP and port are unchanged, they are mapped to the same port on the NAT regardless of whether the destination IP is the same, which looks like a cone. The four types and their differences follow.
1) Full cone NAT (FC).
Features: neither IP nor port is restricted.
Manifestation: the NAT maps all requests/listening from the same internal IP address and port (IP_IN_A:PORT_IN_A) to a single public IP and port (IP_OUT_B:PORT_OUT_B). Any external IP address and port that sends to (IP_OUT_B:PORT_OUT_B) on the NAT's public IP is forwarded to the internal host (IP_IN_A:PORT_IN_A). With this type, a C/S application can initiate the connection from either end. Put simply, once the client has established a mapping (natip:natport -> A:P1), host B or another port of host A (A:P2) can use this hole to send data to the client. See the figure below.
2) Restricted cone NAT
Features: IP is restricted, port is not.
Manifestation: unlike full cone NAT, once the public port is mapped, not every IP is allowed to reach it. For communication to take place, the internal host must first have initiated a connection to the external host's IP; after that, the external host can communicate with the internal host from any port. For example, when the client establishes the mapping from the inside out (natip:natport -> A:P1), machine A can use another of its ports (P2) to actively connect to the client, but machine B is not allowed to, because the IP is restricted while the port is arbitrary. See the figure below (green means communication is allowed, red means it is forbidden).
3) Port restricted cone NAT.
Features: both IP and port are restricted.
Manifestation: this type is stricter than restricted cone NAT. In addition to the restricted cone behaviour, it also places a requirement on the port of the replying host. That is, only after the internal host has sent a packet to an external host (say IP address A, port P1) can that external host send a UDP packet to the internal host using the public IP:PORT as destination address and port, and the packet must come from IP A and port P1 (a packet from A with port P2, or from another IP address, does not qualify). See the example in the figure below. This further tightens the restriction on the source of external requests and is more secure than restricted cone.
4) Symmetric NAT
Features: each session to a different external host or port is mapped to a different port (hole).
Manifestation: only requests from the same internal IP:PORT to the same destination IP:PORT are translated by the NAT to the same public (external) IP:PORT; otherwise the NAT assigns a new external (public) IP:PORT. Also, only an external host that has received a request from the internal host can send packets back to it. When an internal host uses the same IP and port to talk to several external IPs, the client's connection to server A (IP_A:PORT_A) is mapped by the NAT to NatIP:NatPortA, and its connection to server B (IP_B:PORT_B) is mapped to NatIP:NatPortB. In other words, when the same client talks to different destination IP:ports, the public IP:ports mapped by the NAT differ. If B then wants to communicate with the client, it can only do so through NatIP:NatPortB (the purple hole), not through NatIP:NatPortA (the yellow hole).
These are the four NAT types under NAPT. From type 1) to type 4), the NAT becomes progressively more restrictive.
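A toy model of the four NAPT behaviours above, added here as an example and not taken from the original post; ToyNat, probe and every address in it are constructed. It replays the page's scenario (the client maps via A:P1, then A:P1, A:P2 and B try to send back through the hole) against each NAT type, and separately shows that only the symmetric NAT hands out a new public port per destination.

```python
from itertools import count

FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = range(4)

class ToyNat:
    """Toy NAPT (constructed for this example). Addresses are (ip, port) tuples."""

    def __init__(self, kind, public_ip="203.0.113.1"):
        self.kind = kind
        self.public_ip = public_ip
        self.next_port = count(40000)
        self.mappings = {}   # mapping key -> external port
        self.sessions = {}   # external port -> set of external (ip, port) contacted

    def _key(self, src, dst):
        # Cone NATs map on the internal source alone; symmetric NAT maps per destination.
        return (src, dst) if self.kind == SYMMETRIC else src

    def outbound(self, src, dst):
        """Internal host src sends to external dst; returns the public (ip, port) used."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = next(self.next_port)
        ext_port = self.mappings[key]
        self.sessions.setdefault(ext_port, set()).add(dst)
        return (self.public_ip, ext_port)

    def inbound(self, ext_src, ext_port):
        """External ext_src sends to our public ext_port; True if the NAT forwards it."""
        contacted = self.sessions.get(ext_port)
        if not contacted:
            return False                 # no hole has been punched for this port
        if self.kind == FULL_CONE:
            return True                  # anyone may use the hole
        if self.kind == RESTRICTED:
            return any(ip == ext_src[0] for ip, _ in contacted)   # same IP, any port
        return ext_src in contacted      # port restricted and symmetric: exact IP:port

def probe(kind):
    """Replay the page's scenario: client maps via A:P1, then A:P1, A:P2 and B send back."""
    nat = ToyNat(kind)
    client = ("10.0.0.2", 5000)                    # constructed internal host
    a_p1, a_p2 = ("198.51.100.10", 3478), ("198.51.100.10", 3479)
    b = ("198.51.100.20", 3478)
    _, hole = nat.outbound(client, a_p1)
    return {"A:P1": nat.inbound(a_p1, hole),
            "A:P2": nat.inbound(a_p2, hole),
            "B": nat.inbound(b, hole)}
```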
From the above, in a real network each device sits in a different network environment. If these devices want to communicate, first determining each device's network type is essential. In video conferencing and VoIP software, for example, communication between hosts behind different NATs has to be relayed by a server, which increases the load on the server. To reduce this, direct communication between hosts behind different NATs should be established wherever possible. The key is to determine the NAT type and then design the direct communication scheme according to it. Otherwise, how could two terminals behind NAT communicate? Neither knows the other's intranet IP; if a message is sent to the other side's gateway, how does the gateway know which host the message is for and whether to allow it?
To solve this problem, that is, to let hosts on an intranet establish direct communication through NAT, many methods have been proposed. Among them, STUN (Session Traversal Utilities for NAT) is one of the most important and most widely used, and this section focuses on how it works. (Other techniques include UPnP, ALG (application layer gateway), SBC (session border control), ICE (interactive connectivity establishment) and TURN (relay-based NAT traversal); this article does not cover them one by one.)
STUN is a network protocol that lets a client behind one or more NATs discover its public address, what kind of NAT it is behind, and the Internet-side port the NAT has bound to a local port. This information is used to set up UDP communication between two hosts behind NAT routers. The protocol is defined in RFC 5389. A STUN deployment has three parts: the STUN client, the STUN server and the NAT router. The STUN server is deployed on a host with two public IP addresses; see the figure below for the overall structure. The STUN client sends different message types to the server and draws conclusions from the server's different responses. Once the client knows its UDP port on the Internet, it can start communicating.
The STUN protocol defines three test procedures for detecting the NAT type.
Test 1: the STUN client sends a binding request to STUN server {IP-S1:Port-S1} (no attributes set). On receiving it, the STUN server sends back, as the binding response, the client's IP and port as the server sees them, {IP-M1, Port-M1}.
Test 1 #2: the STUN client sends, from the same local port {IP-C1}, a binding request to the STUN server's other address {IP-S2:Port-S2} (no attributes set). On receiving it, the STUN server sends back, as the binding response, the client's IP and port as the server sees them, {IP-M1#2, Port-M1#2}.
Test 2: the STUN client sends a binding request to STUN server {IP-S1:Port-C1} (with the change-IP and change-port attributes set). On receiving it, the STUN server sends the binding response, containing the client's IP and port as it sees them {IP-M2, Port-M2}, back to the client from {IP-S2:Port-S2}.
Test 3: the STUN client sends a binding request to STUN server {IP-S1:Port-C1} (with only the change-port attribute set). On receiving it, the STUN server sends the binding response, containing the client's IP and port as it sees them {IP-M3, Port-M3}, back to the client from {IP-S1:Port-S2}.
The outputs of the STUN protocol are: 1) the public IP and port; 2) whether a firewall is present; 3) whether the client is behind a NAT and, if so, the type of NAT.
In summary, there are seven network types that can be detected through the STUN protocol:
A: open Internet. The host has a public IP and no firewall, and can communicate freely with the outside world.
B: full cone NAT.
C: restricted cone NAT.
D: port restricted cone NAT.
E: symmetric UDP firewall. There is no NAT device at the host's exit, but there is a firewall with the following rule: packets sent from the host's UDP port A keep their source address, but only packets from the destination IP/port of the last packet the host sent from port A are allowed back through the firewall to port A.
F: symmetric NAT.
G: firewall restricts UDP communication.
With the inputs and outputs defined, the flowchart from Wikipedia is attached to describe the decision process of the STUN protocol.
Step 1: check whether the client can communicate over UDP and whether it is behind a NAT (Test 1). The client creates a UDP socket and uses it to send a packet to the server (IP-1, Port-1), asking the server to return the client's IP and port as seen by the server; right after sending, the client starts waiting for packets. This is repeated several times. a) If no response is ever received from the server, the client cannot communicate over UDP; the likely cause is type G, a firewall blocking UDP. b) If a response is received, compare the (IP:PORT) returned by the server with (Local IP:Local Port). If they are identical, the client is not behind a NAT; it is either type A (it has a public IP and can listen on a UDP port directly to receive data) or type E. Otherwise the client is behind a NAT and further type detection follows (continue).
Step 2: detect the client's firewall type (Test 2). The STUN client sends a request to the STUN server asking it to reply from its other IP address and port. a) If the reply from the server's other IP address and port is not received, the packet is considered to have been intercepted by a firewall in front of the host, and the network type is E. b) If it is received, the client is on an open network, type A.
Step 3: check whether the client's NAT is a full cone NAT (Test 2). The client creates a UDP socket and sends a packet to the server (IP-1, Port-1), asking the server to respond from its other address pair (IP-2, Port-2); right after sending, the client starts waiting for packets. This is repeated several times. a) If every attempt times out with no response, the client's NAT is not a full cone NAT, and the specific type is determined in the next step (continue). b) If the response sent by the server from (IP-2, Port-2) is received, the client is behind a full cone NAT and can carry out UDP P2P communication.
Step 4: check whether the client's NAT is symmetric (Test 1 #2). The client creates a UDP socket and uses it to send a packet to the server (IP-1, Port-1), asking the server to return the client's IP and port; right after sending, it starts waiting for packets, and repeats until a response arrives (one will arrive, because step 1 established that this client can communicate over UDP). It then uses the same socket to send a packet to the server's other address (IP-2, Port-2), again asking the server to return the client's IP and port. Compare the two (IP, Port) pairs returned by the server. If they differ, the client is behind a symmetric NAT, and such a client cannot do UDP P2P communication (detection stops): because a symmetric NAT uses a different port for every connection, there is no way to know which port it will use next time. Otherwise the NAT is a restricted cone NAT, and whether it is a port restricted cone remains to be tested (continue).
Step 5: detect whether the client's NAT is a restricted cone or a port restricted cone (Test 3). The client creates a UDP socket and uses it to send a packet to the server (IP-1, Port-1), asking the server to reply from IP-1 but from a port different from Port-1. The client repeats this several times. If every attempt times out with no response, the client is behind a port restricted cone NAT; if the response is received, it is behind a restricted cone NAT. Both types can be used for UDP P2P communication.
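The five-step decision above written as a pure function, an added example and not code from the original post. Each argument is the outcome of one STUN test as collected by the caller (the classic RFC 3489-style procedure the steps describe), so the network I/O is left out; the argument names and the returned strings are my own.

```python
from typing import Optional, Tuple

Addr = Tuple[str, int]   # (ip, port)

def classify_nat(local: Addr,
                 test1: Optional[Addr],
                 test2_received: bool,
                 test1_alt: Optional[Addr],
                 test3_received: bool) -> str:
    """Apply steps 1-5 to already-collected STUN test outcomes (names are this example's own).

    local          -- the client's own (ip, port)
    test1          -- mapped (ip, port) reported by Test 1, or None if every try timed out
    test2_received -- did the Test 2 reply sent from the server's other IP and port arrive?
    test1_alt      -- mapped (ip, port) reported by Test 1 #2 (sent to the server's other address)
    test3_received -- did the Test 3 reply sent from the same IP but a different port arrive?
    """
    # Step 1: no answer at all means UDP never gets through.
    if test1 is None:
        return "G: firewall restricts UDP"
    # Step 1b / Step 2: the server sees our own address, so there is no NAT;
    # a missing Test 2 reply then points at a firewall that filters by source.
    if test1 == local:
        return "A: open internet" if test2_received else "E: symmetric UDP firewall"
    # Step 3: behind a NAT, yet a reply from a never-contacted IP:port got in.
    if test2_received:
        return "B: full cone NAT"
    # Step 4: a different destination yielded a different mapping.
    if test1_alt != test1:
        return "F: symmetric NAT"
    # Step 5: same IP, different port separates the two restricted cones.
    return "C: restricted cone NAT" if test3_received else "D: port restricted cone NAT"
```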
Through the above process we can determine whether the client is behind a NAT, the NAT type and the client's public IP, and judge whether the client is capable of P2P communication. This is the first of my personal notes on the subject; a follow-up, "Analysis of NAT Penetration Principle (II)", will analyse the traversal strategies for the different NAT types.