Brief Introduction to NAT penetration technology principles

Source: Internet
Author: User
Tags: ftp transfer

Today we look at NAT. When it comes to NAT we may not be unfamiliar with it: it exists all around us, but we seldom pay attention to it. NAT (network address translation) is a technique that rewrites an internal private IP address into a public IP address that can be used on the Internet. The background is that the public IP addresses available to our country are too few, which led to the rise of NAT. I will not elaborate here on how NAT converts addresses; the principle is not very difficult.

From a technical perspective NAT has both advantages and disadvantages. Several computers can reach the Internet at the same time while their internal addresses stay hidden, and a NAT device checks inbound packets against its mapping records and rejects packets that have no corresponding record, which improves network security. On the other hand, the NAT device has to edit and modify every packet, which reduces the data transmission rate, and the added complexity makes troubleshooting harder. We also have to consider port mapping when publishing an internal server. That covers the basics. Today, with the prevalence of the network, new applications keep appearing, each with its own protocol, and many of them cannot pass through NAT; this is the biggest headache. Many traversal technologies exist to solve these problems, and we will come to them later.

Static address translation: one public IP address corresponds to one internal IP address, one-to-one.

Dynamic address translation: N public IP addresses correspond to M internal IP addresses, with no fixed one-to-one relationship; at any moment M-N of the hosts cannot reach the network.

Port multiplexing: only one public IP address is used, and port numbers distinguish the traffic of hosts with different internal IP addresses.
Static and dynamic address translation only translate IP addresses. When a packet leaves, its source address is translated; we call this SNAT (source NAT): the internal source IP address is replaced with the public source IP address. When a packet enters, its destination address is translated; this is DNAT (destination NAT): the public destination IP address is replaced with the internal IP address. Static and dynamic translation do not touch ports.

Port multiplexing must translate not only the IP address but also the transport-layer port, using a unique port number to tell the internal flows apart (an internal-to-external mapping table is built during communication). We call this NAPT (NAT with port translation), and most home networks use it. NAPT devices handle traffic in one of two ways: cone NAT and symmetric NAT. Cone NAT is further divided into full cone NAT, restricted cone NAT and port restricted cone NAT.

Full cone NAT: a listening socket or request from the same internal IP address and port is mapped to one port of the public IP address, and any external IP address or port that reaches that mapped public address is relayed to the internal host. Personally I think that publishing an internal server to the Internet follows exactly this principle, and of course some P2P applications may also use it. With this type, an application based on the C/S architecture can initiate a connection from either end.

Restricted cone NAT: unlike full cone NAT, after a port is mapped to the public network, not every IP address is allowed to reach it.
For communication with the public network to succeed, the internal host must initiate the connection first; after that the external host can talk to the internal host, and the port is not restricted. For example, if the internal host sends a packet to external IP address A, a reply from A is forwarded to the internal host whatever source port it comes from; the NAPT device decides based on its mapping record. With this type, communication succeeds only if the internal host initiates it.

Port restricted cone NAT: stricter than restricted cone NAT. In addition to the restricted cone rule, the source port of the replying host is also checked: if the internal host reached the external host through port B, only a reply sent from port B is forwarded, and anything else fails. Again, communication succeeds only if the internal host initiates it.

Symmetric NAT: when the internal host uses the same IP address and port to talk to several external addresses, the NAPT device assigns a different translated source port to each session instead of reusing one. A reply is forwarded only if its source IP address and port exactly match the peer of that session; the source IP address is of course checked as well, so external hosts cannot reach the mapping at will.

Why did NAT traversal technology emerge? We know that in NAPT communication needs ports and the IP address must be modified. Now it gets cruel: the FTP protocol separates the control port from the data port, and the tragedy is that the data port is not fixed. After negotiation, the data port is sent to the peer inside the application-layer payload; the NAT device cannot parse it and cannot create the corresponding mapping, so communication fails.
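The four NAPT behaviours above, modelled as an added example (not code from the original article): a toy NAT device that records a mapping on outbound packets and applies each type's filtering rule to inbound packets. All addresses and port numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Addr = Tuple[str, int]  # (ip, port)


@dataclass
class Napt:
    """Toy NAPT device; kind is one of full, restricted, port_restricted, symmetric."""
    kind: str
    public_ip: str
    next_port: int = 40000
    table: Dict[tuple, int] = field(default_factory=dict)        # mapping key -> external port
    owner: Dict[int, Addr] = field(default_factory=dict)         # external port -> internal socket
    peers: Dict[int, Set[Addr]] = field(default_factory=dict)    # external port -> destinations used

    def outbound(self, src: Addr, dst: Addr) -> Addr:
        """Translate an outgoing packet; returns the public (ip, port) the peer will see."""
        # Cone NATs key the mapping on the internal socket only, so one external port is
        # reused for every destination; a symmetric NAT keys on (socket, destination),
        # so every session gets its own external port.
        key = (src, dst) if self.kind == "symmetric" else (src,)
        if key not in self.table:
            self.table[key] = self.next_port
            self.owner[self.next_port] = src
            self.peers[self.next_port] = set()
            self.next_port += 1
        port = self.table[key]
        self.peers[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, src: Addr, ext_port: int) -> Optional[Addr]:
        """Filter an incoming packet for ext_port; returns the internal socket it is forwarded to, or None."""
        if ext_port not in self.owner:
            return None                      # no mapping record at all: rejected
        sent_to = self.peers[ext_port]
        if self.kind == "full":
            allowed = True                   # anyone may use the mapping
        elif self.kind == "restricted":
            allowed = any(ip == src[0] for ip, _ in sent_to)   # known IP, any port
        else:                                # port_restricted and symmetric: exact ip:port
            allowed = src in sent_to
        return self.owner[ext_port] if allowed else None
```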
The PPTP data connection in the VPN protocol has no port at all, so how is NAT to decide? IPsec was invented to ensure data security and authenticate the source: it authenticates at the network layer and encrypts the transport layer and the data, which for NAT is even worse. Of course there are many other protocols that cannot pass through NAT, such as H.323 and SIP in VoIP. To make these protocols work, a wide variety of NAT traversal technologies have emerged: UPnP; ALG (application layer gateway); SBC (session border control); ICE (interactive connection establishment); MIDCOM (middlebox technology); TURN (traversal through relay NAT); STUN; TCP/UDP hole punching; NAT-T, and more. In short, their principles differ, and I don't have time to study and analyse them one by one. Here are several of the more widely used ones.

ALG: traditional NAT can only inspect network- and transport-layer addresses, but the FTP data port is carried at the application layer. ALG is application-layer address recognition: for each supported protocol it locates the addresses in the payload, rewrites them, and tells NAT to install the corresponding mapping record, so communication succeeds. Every new protocol on the Internet has to be added to the device or it will not be recognised, so scalability is poor. For some protocols, such as IPsec, ALG cannot solve the problem at all.

STUN: the client talks to a third-party server using the STUN protocol to determine the type of NAT it sits behind, and then communicates further. The RFC 3489 STUN procedure that follows is taken from cr0_3's Baidu space.
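Returning to the ALG approach above, an added example (not the article's own code) of the FTP case: the gateway decodes the address the client advertises in an active-mode PORT command, rewrites it with a public address and returns the mapping NAT must install. The allocate callback standing in for the NAT's mapping function is a hypothetical interface, and the addresses are constructed.

```python
import re
from typing import Callable, Tuple

Addr = Tuple[str, int]
# FTP active mode: "PORT h1,h2,h3,h4,p1,p2" carries the client's data IP and port
# (port = p1 * 256 + p2) inside the application-layer payload, where plain NAT cannot see it.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port_cmd(line: str) -> Addr:
    """Decode the address advertised in a PORT command; rejects malformed lines."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def format_port_cmd(addr: Addr) -> str:
    """Encode an (ip, port) pair back into PORT syntax."""
    ip, port = addr
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def ftp_alg(line: str, internal_host: str,
            allocate: Callable[[Addr], Addr]) -> Tuple[str, Tuple[Addr, Addr]]:
    """Rewrite the client's PORT command and return (new line, (public, internal)) mapping.

    allocate(internal_addr) -> public_addr is the NAT's mapping function (hypothetical).
    The advertised host must match the connection's own source, otherwise the ALG would
    open a mapping towards a third party on the client's say-so."""
    internal = parse_port_cmd(line)
    if internal[0] != internal_host:
        raise ValueError("PORT address does not match the connection's source host")
    public = allocate(internal)
    return format_port_cmd(public), (public, internal)
```

Because the rewritten line can be longer or shorter than the original, a real ALG also has to adjust TCP sequence and acknowledgement numbers on the control connection.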
The STUN protocol defines three kinds of test procedure for detecting the NAT type:

Test1: the STUN client sends a Binding Request (no attributes set) from {IP-c1:Port-c1} to the STUN server at {IP-s1:Port-s1}. The server replies from {IP-s1:Port-s1} with the client's IP and port as it sees them, {IP-m1, Port-m1}, as the content of the Binding Response.

Test1#2: the client sends a Binding Request (no attributes set) from {IP-c1:Port-c1} to the server's second address {IP-s2:Port-s2}. The server replies from {IP-s2:Port-s2} with the mapped address it sees, {IP-m1#2, Port-m1#2}, as the content of the Binding Response.

Test2: the client sends a Binding Request with the Change IP and Change Port attributes set from {IP-c1:Port-c1} to {IP-s1:Port-s1}. The server replies from its other IP and port, {IP-s2:Port-s2}, with the mapped address it sees.

Test3: the client sends a Binding Request with only the Change Port attribute set from {IP-c1:Port-c1} to {IP-s1:Port-s1}. The server replies from {IP-s1:Port-s2} with the mapped address it sees.

The NAT type detection process is as follows:

1. Run Test1. If the client receives no response from the server (after repeated confirmation), it is of the UDP Blocked type (or the server may be unreachable). Otherwise the client compares the returned {IP-m1, Port-m1} with its local {IP-c1:Port-c1}: if they are the same, the local machine is directly on the public network; otherwise it is behind NAT and the specific type must be determined further.
1.1. If the local machine is directly on the public network, run Test2. If the client receives no response from the server (repeated confirmation), it is of the Symmetric UDP Firewall type; otherwise it is of the Open Internet type.

1.2. If the local machine is behind NAT, run Test2. If the client receives a response, it is behind a Full Cone NAT; otherwise further testing is required.

1.2.1. Run Test1#2. The client compares IP-m1 with IP-m1#2; if they differ, it is behind a Symmetric NAT; otherwise further testing is required.

1.2.1.1. Run Test3. If the client receives a response, it is behind a Restricted Cone NAT; otherwise it is behind a Port Restricted Cone NAT.

This technique is mostly used in P2P application environments.

NAT-T: in ESP tunnel mode, an 8-byte UDP header is inserted between the outer IP header and the ESP header so that NAT can map the flow successfully. IPsec secures end-to-end IP communication, but support for IPsec in a NAT environment is limited. AH cannot pass through NAT at all; that would contradict the design of AH. In a NAT environment the plain ESP protocol lets only one VPN host establish a VPN tunnel; multiple machines behind the same NAT cannot communicate. NAT Traversal (NAT-T) was proposed to solve this problem. It is defined in RFC 3947 and RFC 3948; RFC 4306 also describes NAT-T without abolishing RFC 3947 and 3948, the only difference being that phase 1 and phase 2 are no longer distinguished.
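The STUN decision procedure above as an added example (not code from the original article or from cr0_3's post). The probe callback is an assumed interface standing in for the real Binding Request exchange; the constructed tables in scripted_probe replace live servers. The example goes beyond the text in step 1.2.1 by comparing the whole mapped (ip, port), as RFC 3489 does, rather than the IP alone, since a symmetric NAT with a single public IP changes only the port.

```python
from typing import Callable, Optional, Tuple

Addr = Tuple[str, int]
# probe(server, change_ip, change_port) sends one Binding Request from the client's single
# local socket and returns the mapped address carried in the Binding Response, or None when
# no response arrives after the retransmissions. (Assumed interface, not a real STUN library.)
Probe = Callable[[Addr, bool, bool], Optional[Addr]]


def detect_nat_type(local: Addr, server1: Addr, server2: Addr, probe: Probe) -> str:
    """Walk the RFC 3489 decision tree; server1 is {IP-s1:Port-s1}, server2 is {IP-s2:Port-s2}."""
    # Test1: plain request; the reply comes back from the address it was sent to.
    m1 = probe(server1, False, False)
    if m1 is None:
        return "UDP Blocked"
    # Test2: ask the server to answer from its other IP and port (sent in both branches).
    test2_ok = probe(server1, True, True) is not None
    if m1 == local:
        # No translation in front of us; only a firewall could still be filtering.
        return "Open Internet" if test2_ok else "Symmetric UDP Firewall"
    if test2_ok:
        return "Full Cone NAT"          # an unknown IP and port reached the mapping
    # Test1#2: same local socket, second server address. A cone NAT reuses the mapping,
    # a symmetric NAT hands out a new one.
    m1b = probe(server2, False, False)
    if m1b is None or m1b != m1:
        return "Symmetric NAT"
    # Test3: same server IP, different port. Restricted cone lets it through, port restricted does not.
    return "Restricted Cone NAT" if probe(server1, False, True) else "Port Restricted Cone NAT"


def scripted_probe(replies: dict) -> Probe:
    """Build a probe from a constructed table {(server, change_ip, change_port): mapped or None}
    so the decision tree can be exercised offline; missing keys mean no response."""
    return lambda server, cip, cport: replies.get((server, cip, cport))
```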
NAT-T encapsulates the ESP packet inside a UDP packet (a new IP header and UDP header are added outside the original ESP packet's IP header), so it can be used in a NAT environment and multiple IPsec hosts on the NAT intranet can establish VPN connections and communicate.

AH encapsulation: the AH integrity check starts from the IP header. If NAT modifies the IP header, AH verification fails. We therefore conclude that AH cannot coexist with NAT.

ESP encapsulation in transport mode: for NAT, the advantage of ESP over AH is that the IP header is covered by neither the encryption nor the integrity check. However, a new problem remains: in ESP transport mode, NAT cannot update the upper-layer checksum. The TCP and UDP headers carry a checksum that covers the source and destination IP addresses and port numbers. When NAT changes a packet's IP address and port number, it normally has to update the TCP or UDP checksum. When that checksum is encrypted by ESP, NAT cannot update it, and because the address or port has been changed, the checksum fails at the destination. The UDP checksum is optional, but the TCP checksum is mandatory.

ESP encapsulation in tunnel mode: ESP tunnel mode encrypts the entire original IP packet and adds a new IP header in front of the ESP header. If NAT changes only the outer IP address, the protected part is unaffected. Therefore IPsec can coexist with NAT only when ESP tunnel mode is used to encapsulate the data. In summary: ESP transport mode is incompatible because the TCP part is encrypted and NAT cannot fix the TCP checksum; in ESP tunnel mode NAT modifies only the outer IP address and the encrypted inner address is untouched, so this is the only case in which IPsec coexists with NAT.
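The checksum argument above, worked through as an added example (not from the original article): the TCP checksum is computed over a pseudo-header containing both IP addresses, so a NAT that rewrites the source address must recompute it; when the TCP header is ESP ciphertext the NAT cannot, and the receiver's check fails. Addresses, ports and payload are constructed.

```python
import socket
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """TCP pseudo-header: both IP addresses, a zero byte, protocol 6 and the segment length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def with_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Return the segment with its checksum (header bytes 16-17) recomputed for these addresses."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: pseudo-header plus segment (checksum included) must sum to zero."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def build_segment(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH|ACK, no options) plus payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return with_checksum(src_ip, dst_ip, header + payload)


def snat(segment: bytes, new_src_ip: str, dst_ip: str, esp_encrypted: bool) -> bytes:
    """Model a NAT rewriting the source IP to new_src_ip. In the clear it recomputes the TCP
    checksum; under ESP transport mode the TCP header is ciphertext, so it is left untouched."""
    return segment if esp_encrypted else with_checksum(new_src_ip, dst_ip, segment)
```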
