Complete NAT analysis and UDP traversal (hole punching) solution

Source: Internet
Author: User
I. Basic terms

Firewall
A firewall restricts communication between a private network and the public network. It mainly discards packets that it considers unauthorized. A firewall only inspects packets; it does not modify the IP addresses or TCP/UDP ports carried in the packet headers.

Network Address Translation (NAT)
As a packet passes through, a network address translator not only inspects the packet but also rewrites the IP address and port information in its header. This lets the machines behind the NAT share a small number of public IP addresses (usually one). There are two main types of network address translator (see section II).

P2P application
A P2P application is one that, with the help of an existing public server, establishes end-to-end session communication between hosts using their private addresses, their public addresses, or both.

P2P firewall
A P2P firewall is a P2P proxy that provides firewall functions but performs no address translation.

P2P-NAT
A P2P-NAT is a P2P proxy that provides NAT as well as firewall functions. At minimum it must behave as a cone NAT for UDP traffic, which allows applications to establish robust P2P connections using UDP hole punching.

Loopback translation
When a host inside the NAT's private network wants to reach another host on the same LAN through that host's public address, the NAT device effectively translates twice: before the packet reaches the target host it first translates the private source address to the public address, then translates the public destination address back to the private address. A NAT device with this capability is called a "loopback translation" device.

II. NAT classification

NATs can be divided into two categories: Basic NAT and Network Address and Port Translation (NAPT).

(1) Basic NAT
Basic NAT translates the private IP address of an internal host to a public IP address but does not translate the TCP/UDP port information. When the NAT owns many public IP addresses, it binds a public IP address to an internal host so that external hosts can reach the internal host at that public address. (In fact only the IP address is translated, for example 192.168.0.23 <-> 210.42.106.35. This differs from assigning the public IP address to the host directly: in an enterprise in particular, external traffic must pass through the unified firewall before it can reach the inside, while some hosts can still be reached at a public IP address.)

(2) Network Address and Port Translation (NAPT)
This is the most common case. The network address/port translator inspects and modifies both the IP address and the TCP/UDP port of each packet, so that many internal hosts can share one public IP address at the same time. For more on NAT categories and terminology see [RFC1631], [RFC2993] and [RFC2663]; [RFC2663] in particular defines the NAPT classification and terms in more detail.

When an internal host opens an outgoing TCP or UDP session through the NAT, NAPT assigns that session a public IP address and port on which to receive packets from the Internet, and the host's packets are translated accordingly. NAPT thereby establishes a port binding between [private IP: private port] and [public IP: public port]. The port binding means that NAPT will perform this address translation for the lifetime of the session.

A question arises here: if a P2P application opens multiple sessions from one internal [private IP: port] to different Internet hosts, what does the NAT do? The answer divides NATs into Cone NAT and Symmetric NAT:

A. Cone NAT
(Why "cone"? Picture the shape: both the terminal and the external servers send their traffic through the single bound address pair assigned by the NAT, like a funnel that filters and passes information.) Once a [private IP: port] - [public IP: port] binding exists, a cone NAT reuses that same binding for every further session from the same [private IP: port] for as long as the application that created it keeps the session alive (the port binding). For example, assume Client A (as shown in the figure) sits behind a cone NAT and opens two outgoing connections at the same time, from the same internal port (10.0.0.1: 1234), to two different servers on the public network, S1 and S2. The cone NAT assigns only one public IP address and port (155.99.25.11: 62000) to both sessions, so the client appears to use the "same" port (that is, this client uses only this one public port). Basic NATs and firewalls, which cannot modify the port numbers of packets, can be regarded as a simplified form of cone NAT.

Cone NAT is further divided into three categories: full cone, restricted cone and port restricted cone.

1. Full cone NAT
When an internal host sends out a session, a public/private address pair is created. Once this pair exists, a full cone NAT accepts traffic sent to the public address from any external host and port. For this reason a full cone NAT is sometimes called a "promiscuous" NAT.

2. Restricted cone NAT
A restricted cone NAT filters incoming packets. When an internal host sends out a session, the NAT records the IP address of the external host; only those recorded external IP addresses can then send information in through the NAT. The restricted cone NAT thus refines the firewall's packet-filtering principle: only known external addresses are allowed to "pass" information in to the NAT.

3. Port restricted cone NAT
A port restricted cone NAT differs from a restricted cone NAT in that it records both the IP address and the port of the external host, and accepts an incoming packet only when both match. This gives internal nodes the same level of protection as a symmetric NAT: a packet whose source port does not match the recorded one is discarded.

B. Symmetric NAT
Symmetric NAT is very different from cone NAT. Instead of binding one port to all sessions from a private endpoint, it allocates a new public port to each new session. Taking the example above: if Client A (10.0.0.1: 1234) initiates two "outbound" sessions at the same time, to S1 and S2 respectively, the symmetric NAT allocates the public address 155.99.25.11: 62000 to session 1 and a different public address, 155.99.25.11: 62001, to session 2. The symmetric NAT can still distinguish the two sessions and translate them correctly, because the external address differs between session 1 and session 2. The drawback is that the client application loses track of its own mapping at the translation boundary: because a new session may be given a new port, the application cannot count on always using the same public port.

For TCP and for UDP there are different reasons why a cone NAT or a symmetric NAT uses the same port or allocates different ports to the same application. Of course, NATs can be classified further by how liberally they accept incoming connections to an established mapping. This classification is generally applied to UDP communication rather than TCP, because NATs and firewalls refuse unsolicited incoming TCP connections unless the NAT is explicitly configured to allow them.

III. NAT session processing

The following analyses the policies an NAPT uses to decide whether a UDP packet it is asked to forward belongs to a new or an existing session. There are several cases:

a. The source address (intranet IP) differs; other factors are ignored. The NAPT must map to different sessions.
b. The source address (intranet IP) is the same and the source port differs; other factors are ignored. The NAPT must map to different sessions.
c. The source address (intranet IP), source port and destination address (public IP) are the same and the destination port differs. The NAPT must map to the same session.
d. The source address (intranet IP) and source port are the same and the destination address (public IP) differs; the destination port is ignored. How does the NAPT handle the session?

Cases a, b and c are simple and easy to implement. Case d is complicated, so d is what we should focus on and discuss.

IV. Complete solution

The following is a complete solution covering the four session cases and the four NAT types. For convenience the following abbreviations are used: C stands for cone NAT, S for symmetric NAT, FC for full cone NAT, RC for restricted cone NAT and PC for port restricted cone NAT. By where the two clients sit relative to NAT, there are two types of case:

Type one: one client is behind a NAT and the other is on the public network. This splits into two sub-cases:
A. S vs public network: because the public host's address remains unchanged throughout a session, this case can succeed.
B. C vs public network: similar to the above, this case can succeed.

Type two: both clients are behind NATs. This splits into two sub-cases:
A. One NAT is of type S (symmetric NAT), that is, S vs C or S vs S. The following example shows that this case is not feasible with conventional hole punching. In conventional hole punching all clients first log on to a server; the server records each client's [public IP: port], and those recorded values are used during the punching step. For an S-type NAT, however, the [private IP: port] to [public IP: port] mapping is not fixed: in a different session the NAT allocates a new [public IP: port] pair. So for an S-type NAT the [public IP: port] used toward the peer differs from the [public IP: port] registered on the server, and there is no way to tell the other client, which is also behind a NAT, what that [public IP: port] is. If the other client is on the public network, however, the hole can still be punched, as already shown above. In the NAT-to-NAT case the only solution is port prediction. The specific method is as follows (taking two S-type NATs as the example): NAT A allocates its UDP port 62000 to maintain the communication session between Client A and server S, and NAT B likewise allocates port 31000 to maintain the session between Client B and server S. Through their conversation with server S, Client A and Client B both learn the real IP address and port to which the other party is mapped. Client A then sends a UDP message to 138.76.29.7: 31001 (note that the port number is incremented), and Client B sends a UDP message to 155.99.25.11: 62001. If NAT A and NAT B keep assigning ports to new sessions in sequence, and not much time has passed since the A-S and B-S sessions were set up, a two-way session channel is established between Client A and Client B.
The message Client A sends to Client B causes NAT A to open a new session, and we want NAT A to assign port 62001 to it, because 62001 follows 62000, the port NAT A automatically assigned to the session from Client A to server S. Similarly, the message Client B sends to A causes NAT B to open a new session, and we hope NAT B assigns port 31001 to it. If both clients guess the port number assigned to the peer's new session correctly, the two-way Client A - Client B connection is established. The result is as shown in the figure. Obviously, many factors can make this method fail. If the predicted new ports (62001 and 31001) are already in use by an unrelated session, the NAT skips that port number and the connection fails. If either NAT sometimes, or never, allocates new port numbers in order, the method does not work. If a different client X behind NAT A (or behind NAT B) opens a new "outbound" UDP connection, whatever its purpose, after Client A has established its connection with server S but before Client A establishes its connection with Client B, then this unrelated client X "steals" the port we were counting on, without warning. The method is therefore fragile and easily broken: as soon as either NAT exhibits any of the above problems, it fails. The method is still practical in a network environment made up of the cone NAT family; if one party is behind a cone NAT and the other behind a symmetric NAT, the application must first discover what type the peer's NAT is and then behave accordingly, which increases the complexity of the algorithm and reduces its general applicability in real networks. Finally, if a peer sits behind two or more levels of NAT and the NAT nearest to the client is a symmetric NAT, port prediction is useless. Therefore it is not recommended to write new P2P applications with this method. This is a lesson of history!

B. Both clients are behind cone NATs. There are six combinations: A: FC + FC, B: FC + RC, C: FC + PC, D: PC + RC, E: PC + PC, F: RC + RC. Although there are many cases, they are all easy to handle thanks to the characteristics of cone NAT: within the same session a cone NAT binds a [private IP: port] to one [public IP: port] pair, so the [public IP: port] the clients use toward each other is the same as the [public IP: port] registered on the server, and the hole can be punched. In summary, we have now covered every possible combination of NAT types and given a feasible solution for each.

V. Summary of the previous stage
1. The method used in the previous stage is flawed: it only works when the client is behind a full cone NAT. It does not work in the five cases where both sides are cone NATs of types B: FC + RC, C: FC + PC, D: PC + RC, E: PC + PC, F: RC + RC. A restricted NAT registers the [IP address & port] of outgoing packets and only accepts packets sent from those registered addresses; the hole punched toward the server's port can therefore accept packets only from the server and cannot accept packets from another client. The previous stage's hole-punching method is therefore not feasible.

VI. Existing problems
In theory, a NAT disables a UDP mapping after a certain idle period. To maintain continuous communication with the server, UDP heartbeat packets must be sent to the server so that the mapping is not dropped; this requires choosing a suitable heartbeat interval.
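The NAT classification in section II and the feasibility results of section IV can be checked in a small simulation. The following is an added example written for this page, not code from the original article or its author: the rendezvous server address 18.181.0.31 and the private client endpoints are constructed, and each simulated NAT allocates public ports sequentially from a start port, as in the article's 62000 / 31000 example.

```python
"""Toy model of the four NAT types the article classifies (FC, RC, PC, S) and of the
rendezvous-server UDP hole punch it evaluates.  Added example, not the article's code;
the server address and all private endpoints are constructed."""
FC, RC, PC, S = "full cone", "restricted cone", "port restricted cone", "symmetric"
SERVER = ("18.181.0.31", 1234)  # constructed public rendezvous server (server S)

class Nat:
    def __init__(self, kind, public_ip, first_port=62000):
        self.kind, self.ip, self.next_port = kind, public_ip, first_port
        self.maps = {}   # binding key -> public port (allocated sequentially)
        self.peers = {}  # public port -> set of external endpoints it has sent to
    def outbound(self, src, dst):
        """Translate an outgoing UDP packet; return the public (ip, port) it carries.
        Cone NATs bind on the private [IP:port] alone; a symmetric NAT also keys on dst."""
        key = src if self.kind != S else (src, dst)
        if key not in self.maps:
            self.maps[key], self.next_port = self.next_port, self.next_port + 1
        port = self.maps[key]
        self.peers.setdefault(port, set()).add(dst)
        return (self.ip, port)
    def inbound(self, port, from_ep):
        """Return the private endpoint an inbound packet reaches, or None if dropped."""
        sent_to = self.peers.get(port, set())   # endpoints this public port has sent to
        if self.kind == RC:                      # RC filters on the external IP only
            ok = from_ep[0] in {ip for ip, _ in sent_to}
        else:                                    # FC: any source; PC and S: IP and port
            ok = bool(sent_to) if self.kind == FC else from_ep in sent_to
        if not ok:
            return None
        key = next(k for k, p in self.maps.items() if p == port)
        return key if self.kind != S else key[0]

def send(nat, src, dst):   # public endpoint a packet carries; nat=None means a public host
    return nat.outbound(src, dst) if nat else src
def receive(nat, pub, from_ep, priv):  # private endpoint reached, or None if the NAT drops it
    return nat.inbound(pub[1], from_ep) if nat else priv

def hole_punch(nat_a, nat_b, a=("10.0.0.1", 4321), b=("10.1.1.3", 4321)):
    """Both clients register with SERVER, learn the peer's server-observed endpoint and
    send one UDP packet to it; a side that hears the peer replies to the source it saw."""
    a_reg, b_reg = send(nat_a, a, SERVER), send(nat_b, b, SERVER)
    a_out, b_out = send(nat_a, a, b_reg), send(nat_b, b, a_reg)  # each punch opens a hole
    a_heard = receive(nat_a, a_reg, b_out, a) == a   # did B's punch reach A?
    b_heard = receive(nat_b, b_reg, a_out, b) == b   # did A's punch reach B?
    if b_heard and not a_heard:  # B answers to A's observed source, i.e. A's real hole
        return receive(nat_a, a_out, send(nat_b, b, a_out), a) == a
    if a_heard and not b_heard:
        return receive(nat_b, b_out, send(nat_a, a, b_out), b) == b
    return a_heard and b_heard   # True only when a two-way channel exists
```

Running the six cone-cone pairs returns True for each, while S + S and S + PC fail because the port the symmetric NAT uses toward the peer is not the one registered at the server.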
original article: http://blog.csdn.net/colinchan/article/details/712773
