P2P,UDP and TCP penetrate NAT_TCP

1. NAT Introduction

NAT (Network address translation) is a widely used solution for IP shortage

Effectively, NAT converts intranet address and port number into legitimate public network address and port number, establishes a session, communicates with public network host.

1.1. NAT classification

There are three types of NAT on the surface: static NAT, dynamic address NAT, address port conversion napt.

(1) Static NAT: Static address translation Converts the internal private network address to the legal public network address on a one-to-one conversion, and each internal address conversion is determined.

(2) Dynamic NAT: Dynamic address Translation is also the internal local address and the internal legal address one-to-one conversion, but dynamic address translation is from the legal address pool dynamically select an unused address to the internal private address conversion.

(3) Napt: It is also a dynamic transformation, and multiple internal addresses are converted to the same legitimate public network address, using different port numbers to distinguish between different hosts, different processes.

From the technical perspective of implementation, NAT can be divided into the following categories: Full-cone NAT (fully Cone NAT), restrictive cone NAT (restricted Cone NAT), Port restrictive cone NAT (ports restricted Cone NAT), symmetric NAT ( Symmetric NAT).

(1) All-cone NAT: All-cone NAT maps all requests from the same internal IP address and port to the same external IP address and port. Any external host can send packets to the internal host through this mapping.

(2) Restrictive cone NAT: restrictive cone NAT maps all requests from the same internal IP address and port to the same external IP address and port. However, unlike a full cone NAT, the external host can send packets to the internal host only if the internal host sends packets to the external host first.

(3) Port restrictive cone NAT: Port restrictive cone nat similar to restrictive cone NAT, only the limit of the port number, that is, only the internal host to the external address: port number to send packets, the external host can use a specific port number to send packets to the internal host.

(4) Symmetric NAT: Symmetric NAT is different from the above 3 types, whether it is full cone NAT, restrictive cone NAT or port restrictive cone NAT, they all belong to Cone NAT (Cone NAT). When the same internal host uses the same port to communicate with the external host of different addresses, the symmetric NAT will re-establish a session, assign a different port number for this session, and perhaps change the IP address.

The role of 1.2. NAT

NAT not only realizes address translation, but also acts as a firewall, hides the internal network topology and protects internal hosts. NAT not only solves the problem of insufficient LP address, but also can effectively avoid the attack from outside the network, hide and protect the computer inside the network. In this way, the internal host is not visible to the external host. However, for peer-to-peer applications, it is required to be able to establish end-to-end connectivity, so how to penetrate NAT is also a key to Peer-to-peer technology.

2. Peer-to-peer penetration NAT

To create a peer-to-peer connection between a host with a private IP address after a NAT device, you must find a way to wear

Through NAT, now commonly used transport layer protocols are mainly TCP and UDP, the following is the use of these two protocols to introduce the strategy to penetrate NAT.

2.1. Network topology Structure

The following assumptions resemble the network topology diagram shown in Figure 1.

Figure 1. Network topology structure diagram

Server (129.208.12.38) is a public network of servers, nat-a and Nat-b are two NAT devices (may be integrated NAT function routers, firewalls, etc.), they have a number of legitimate public network IP, in the nat-a blocked private network has several hosts " ClientA-1, Clienta-n ", there are also several hosts" ClientB-1, Clientb-n "in the Nat-b Barrier's private network. In order to explain the problem conveniently later, only the host ClientA-1 and ClientB-1 are discussed.

Assume that both the host ClientA-1 and the host ClientB-1 have established a "connection" with server servers, as shown in Figure 2.

Figure 2. ClientA-1, ClientB-1 and server communication

Because of the transparency of NAT, ClientA-1 and ClientB-1 don't care about the process of communicating with the server, they only need to know the address and port number of the server open service. As shown in Figure 1, there is a process in ClientA-1 that uses sockets (192.168.0.2:7000) and server communication, and in ClientB-1 there is a process using sockets (192.168.1.12:8000) and server communication. They are converted into sockets (202.103.142.29:5000) and sockets (221.10.145.84:6000), respectively, by their respective NAT transformations.

2.2. Use UDP to penetrate NAT

Typically, when a process uses UDP to communicate with an external host, NAT establishes a session that can be kept for as long as there is no standard, maybe a few seconds, a few minutes, a few hours. Suppose ClientA-1 sees ClientB-1 online in an application and wants to communicate with ClientB-1, one way is for the server to be the middleman, responsible for forwarding the messages between ClientA-1 and ClientB-1, but the servers are too tired to be overwhelmed. Another way is to get ClientA-1 ClientB-1 to establish end-to-end connections and then communicate with them themselves. This is the Peer-to-peer connection. According to the different types of NAT, the following are explained separately.

(1) All-cone NAT, penetrating all-cone-type NAT is easy, simply not to penetrate, because the full cone NAT maps the internal host to the identified address, does not prevent the outgoing connection request, so you can establish the connection without any auxiliary means.

(2) Restrictive cone NAT and port restrictive cone NAT (referred to as restrictive NAT), penetrating restrictive cone NAT discards its unknown source address to the internal host packet. So if now ClientA-1 send UDP packets directly to ClientB-1, then the packets will be nat-b mercilessly discarded. So use the following method to establish the communication between ClientA-1 and ClientB-1.

1. ClientA-1 (202.103.142.29:5000) sends packets to the server, requesting and ClientB-1 (221.10.145.84:6000) communication.

2. Server sends ClientA-1 's address and port (202.103.142.29:5000) to ClientB-1, telling ClientB-1 that ClientA-1 wants to communicate with it.

3. ClientB-1 send UDP packets to ClientA-1 (202.103.142.29:5000), of course, this package will be discarded when it arrives at Nat-a, which is not critical, because this UDP packet is sent only to let Nat-b Remember the purpose of this communication: port number, the next time the source of this address and port data will not be discarded by nat-b, so that the nat-b on a hole from ClientB-1 to ClientA-1.

4. In order for ClientA-1 to know when to send data to ClientB-1, ClientB-1 sends a message to the server after punching ClientA-1 (202.103.142.29:5000), telling the server It's ready for the job.

5. Server sends a message to CLIENTA-1, the content is: ClientB-1 is ready, you can send a message to ClientB-1.

6. ClientA-1 sends UDP packets to ClientB-1. This packet will not be discarded by nat-b, and the packets sent by ClientB-1 to ClientA-1 will not be discarded by ClientA-1 because Nat-a has already known that ClientA-1 was the first to initiate the communication. At this point, ClientA-1 and ClientB-1 will be able to communicate.

2.3. Using TCP to penetrate NAT

Using the TCP protocol to penetrate NAT is almost the same as using a UDP protocol to penetrate NAT, with no fundamental distinction, but to turn connectionless UDP into a connection-oriented TCP. It is worth noting that:

1. ClientB-1 The SYN packets sent when the hole is punched to the ClientA-1, and the same will be discarded by nat-a. At the same time, ClientB-1 need to listen on the original socket, because reuse socket, so you need to set the socket property to SO_REUSEADDR.

2. ClientA-1 sends a connection request to ClientB-1. Similarly, because the ClientB-1 to the ClientA-1 direction of the hole has been played well, so the connection will be successful, after 3 handshake, ClientA-1 to ClientB-1 between the connection was established.

2.4. Penetrating symmetric NAT

The above discussion is all about how to penetrate cone (Cone) NAT, which is very different from symmetric NAT and cone NAT. For symmetric NAT, symmetric NAT does not assign the same port as a cone (Cone, full cone, restricted cone, or port restrictive cone), when a private network host communicates with multiple different hosts on the outside. Instead, a new session is created, and a port is reassigned. Refer to the process of penetrating the restrictive cone NAT above, at step 3 o'clock: ClientB-1 (221.10.145.84:. When drilling to ClientA-1, symmetric NAT assigns ClientB-1 a port number that is unknown to the server, ClientB-1, and ClientA-1. Similarly, ClientA-1 does not receive this message at all, and in step 4, ClientB-1 sends a notification message to the server that ClientB-1 's socket is still (221.10.145.84:6000). Also, at step 6 o'clock: ClientA-1 sends a packet to the ClientB-1 it knows but is wrong, NAT-1 also assigns the port number to ClientA-1. So the chances of penetrating a symmetric nat are small. Here are two strategies that are likely to penetrate symmetric NAT.

2.4.1. Simultaneous open TCP (simultaneous TCP open) policy

If a symmetric NAT receives a TCP SYN packet from outside the local private network, the package would like to initiate a "introduced" TCP connection, in general, NAT will reject the connection request and discard the SYN packet, or send a loopback TCP RST (Connection reset, reestablish connection) is wrapped to the requesting party. In one case, however, this "introduction" connection is accepted.

The RFC stipulates that for symmetric NAT, Nat will release the SYN packet when the source IP address in the received SYN packet: port, Destination IP address: Port matches the address information in an activated TCP session of NAT registration. What needs to be highlighted is how a TCP connection has been activated. In addition to the truly established TCP connections, the RFC specification states that NAT will assume that the TCP connection has been stimulated if it happens to see a SYN packet that just sent out and the address in the SYN packet that was received: the Port information matches. Live, and will allow the SYN packets in this direction to enter the NAT interior. At the same time, the open TCP strategy is to use this time to establish the connection.

If the client A-1 and the client B-1 are able to correctly predict each other's NAT will give the next TCP connection to the public network TCP port allocated, and two clients can simultaneously launch an "out of the other" T The CP connection request, and a end-to-end TCP connection can be successfully established before the other's SYN packet arrives, and the SYN packet that you just sent is able to pass through your NAT smoothly.

2.4.2. UDP Port Guessing strategy

At the same time, the open TCP strategy relies heavily on guessing the next port, and relies heavily on the timing of sending a connection request, as well as the uncertainty of the network, so that the opportunity to build is small, even if the server acts as a synchronous clock role. The following is a way to penetrate through UDP, because UDP does not need to establish a connection, so there is no need to consider the "open at the same time" problem.

In order to introduce ClientB-1 's ruse, first introduce the stun agreement. The STUN (simple traversal of UDP through NATs) protocol is a lightweight protocol used to probe the address after NAT mapping: port. STUN using C/s structure, need to detect their own NAT converted address: The port of the client to the server to send a request, the server returned to the client converted address: port.

Refer to Step 2 of the NAT in section 4.2, and when ClientB-1 receives the message that is sent to it by the server, ClientB-1 opens 3 sockets. Socket-0 sends a request to stun Server, receives a reply, assumes that it has been converted address: port (221.10.145.84:600 5), socket-1 send a UDP packet to ClientA-1, socket-2 Send a request again to another stun Server, assuming that it has been converted to an address: port (221.10.145.84:60 20). In general, there are two strategies for symmetric NAT allocation ports, one in order and one in random allocation. If the symmetric NAT is used in order to increase the policy, then ClientB-1 will send two of addresses: port to the server, the server can notify ClientA-1 in this port range to guess just ClientB-1 sent to it socket-1 In the address of the NAT map: Port, ClientA-1 is very likely to successfully guess the port number within the hole validity period, thereby communicating successfully with ClientB-1.

2.4.3. Summary of problems

From the above two methods of penetrating the symmetric NAT, it is established under the strict assumption. However, most of the NAT in reality is cone NAT, because the resource is very important, the inverse of the symmetric NAT, because too do not save the port number, so relatively high cost. So, whether it's penetrating cone NAT or symmetric NAT, it can be done in reality. Unless the symmetric NAT really uses random algorithms to allocate the available ports.