http://blog.csdn.net/ronmy/article/details/6403051
One: Basic terminology

Firewall
A firewall restricts traffic between a private network and the public network, chiefly by discarding packets it considers unauthorized. A firewall only inspects packets; it does not modify the IP addresses or TCP/UDP ports inside them.

Network Address Translation (NAT)
A network address translator not only inspects a packet as it passes through, but also rewrites the IP address and port information in its header, so that the machines behind the NAT can share a small number of public IP addresses (usually just one). There are two main types of network address translator.

Peer-to-peer applications
A peer-to-peer application establishes an end-to-end session between two hosts with the help of an existing public server, each host using its own private address or public address (or both).

Peer-to-peer firewalls
A peer-to-peer firewall is a peer-to-peer proxy that provides the functions of a firewall but does not perform address translation.

P2P NAT
A P2P NAT is a peer-to-peer proxy that provides the functions of a NAT as well as those of a firewall. At minimum, a peer-to-peer proxy must behave as a cone NAT for UDP, so that applications can build robust peer-to-peer connections using UDP hole punching.

Loopback translation
When a machine inside a NAT's private network wants to reach another machine on the same LAN through that machine's public address, the NAT device effectively performs two translations: before the packet reaches the target, the source's private address is translated to the public address, and the public destination address is then translated back to the target's private address.
A NAT device with this capability is said to support "loopback translation".

Two: NAT classification

NATs fall into two broad categories: basic NAT, and network address and port translation (NAPT).

(i) Basic NAT
A basic NAT translates the private IP address of an internal host to a public IP address but does not translate TCP/UDP port information. Basic NAT is generally used when the NAT has many public IP addresses available: it binds a public IP address to an internal host, so that external hosts can reach the internal host through that public address. (In practice this is a pure IP translation, e.g. 192.168.0.23 <-> 210.42.106.35. It differs somewhat from assigning the public IP directly to the host, particularly for enterprises, because external traffic must still pass through a single firewall to reach the interior, while the internal host can still be addressed by its public IP.)

(ii) Network address and port translation (NAPT)
This is the most common case. The network address/port translator inspects and modifies both the IP address and the TCP/UDP port information of packets, so that many internal hosts can share one public IP address at the same time. See [RFC1631], [RFC2993] and [RFC2663] for more on NAT classification and terminology; [RFC2663] in particular defines the classification and terminology of NAPT in more detail.

When an internal host opens an "outgoing" TCP or UDP session through the NAT, NAPT assigns the session a public IP and port; response packets from the external host arrive at that public endpoint and are translated back to the internal host. The effect is that NAPT establishes a port binding between [private IP:private port] and [public IP:public port]. This port binding determines how NAPT performs address translation for the lifetime of the session.
This raises a question: if a peer-to-peer application inside the private network opens several sessions from the same [private IP:port] to different external hosts at the same time, how does the NAT handle them? To answer it, NAPT is further divided into two broad categories: cone NAT and symmetric NAT.

A. Cone NAT
(Why is it called "cone"? The figure in the original post shows the terminal and the external servers exchanging traffic through the NAT-assigned address pair, like a funnel that filters and delivers the information.) Once a [private IP:port]-[public IP:port] port binding is established, a cone NAT lets the application that initiated the session reuse that binding for all subsequent sessions from the same [private IP:port], until the binding is released at the end of the session.

For example, suppose client A initiates two outgoing connections through a cone NAT, using the same internal port (10.0.0.1:1234), to two different servers S1 and S2 on the public network. The cone NAT allocates only one public IP and port (155.99.25.11:62000) to both sessions, and the address translation guarantees the client a consistent port "identity" (that is, this client is always seen through this one public port). Basic NATs and firewalls, which do not modify the port numbers of packets passing through them, can be viewed as a degenerate form of cone NAT.

Cone NAT can be analysed further into three categories: full cone NAT (FULL CONE), restricted cone NAT (RESTRICT CONE) and port restricted cone NAT (PORT RESTRICT CONE), described in detail below.

1. Full cone NAT
When an internal host issues an "outgoing" session, a public/private address pair is created. Once the pair exists, a full cone NAT forwards traffic from any external endpoint to that public port address.
For this reason a full cone NAT is sometimes called a "promiscuous" NAT.

2. Restricted cone NAT
A restricted cone NAT filters incoming packets. When an internal host issues an "outgoing" session, the NAT records the IP address of the external host, and only packets from those recorded external IP addresses are passed inside. A restricted cone NAT effectively refines the firewall's packet-filtering principle: only "incoming" traffic from known external addresses is allowed into the NAT.

3. Port restricted cone NAT
A port restricted cone NAT differs from a restricted cone NAT in that it records both the IP address and the port of the external host. It protects internal nodes from unsolicited traffic as well as a symmetric NAT does, while still preserving the port "identity" of the internal node.

B. Symmetric NAT
A symmetric NAT is very different from a cone NAT: it does not keep one port binding across sessions, but allocates a new public port to every new session. Take the example above: if client A (10.0.0.1:1234) initiates two "outgoing" sessions at the same time, one to S1 and one to S2, the symmetric NAT assigns the public address 155.99.25.11:62000 to session 1 and a different public address, 155.99.25.11:62001, to session 2. The symmetric NAT can still tell the two sessions apart for translation purposes, because the external addresses of session 1 and session 2 differ. The consequence for the client-side application is that its port identity is lost at the translation boundary: since a new port is used for every session it opens, there is no guarantee that it is always seen through the same port. Both cone NAT and symmetric NAT have their justifications for TCP and UDP communication (whether the same port is reused or a different port is assigned to each session of the same application).
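As an added illustration (this is not code from the original post), the following Python model reproduces the four NAT behaviours described above: a cone NAT reuses one public port for client A's sessions to S1 and S2 while a symmetric NAT hands out 62000 and then 62001, and each type forwards a different set of inbound packets. The server and probe addresses (192.0.2.x) are constructed; client A's and the NAT's public endpoint are the post's values.

```python
from typing import Dict, Set, Tuple

Addr = Tuple[str, int]  # (ip, port)

class Nat:
    """Simulated NAPT with one public IP that hands out public ports in order."""
    def __init__(self, kind: str, public_ip: str, first_port: int) -> None:
        assert kind in ("full_cone", "restricted_cone", "port_restricted", "symmetric")
        self.kind, self.public_ip, self.next_port = kind, public_ip, first_port
        self.bindings: Dict[tuple, int] = {}   # binding key -> public port
        self.peers: Dict[int, Set[Addr]] = {}  # public port -> external endpoints contacted

    def _key(self, src: Addr, dst: Addr) -> tuple:
        # A cone NAT binds on the private endpoint alone, so one public port is
        # reused for every destination; a symmetric NAT also keys on the
        # destination and therefore allocates a fresh public port per peer.
        return (src, dst) if self.kind == "symmetric" else (src,)

    def outbound(self, src: Addr, dst: Addr) -> Addr:
        """Translate an outgoing packet; returns the public endpoint it leaves from."""
        key = self._key(src, dst)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.peers[self.next_port] = set()
            self.next_port += 1
        port = self.bindings[key]
        self.peers[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, ext: Addr, public_port: int) -> bool:
        """Would a packet from ext addressed to our public port be forwarded inside?"""
        seen = self.peers.get(public_port)
        if seen is None:
            return False                                 # no binding for this port
        if self.kind == "full_cone":
            return True                                  # any external host passes
        if self.kind == "restricted_cone":
            return any(ip == ext[0] for ip, _ in seen)   # known IP, any port
        return ext in seen                               # known IP and port only

def behaviour(kind: str) -> tuple:
    """Client A (10.0.0.1:1234, as in the post) contacts two constructed servers
    S1 and S2; return the public ports used and which inbound packets pass."""
    nat = Nat(kind, "155.99.25.11", 62000)
    a, s1, s2 = ("10.0.0.1", 1234), ("192.0.2.10", 1235), ("192.0.2.20", 1235)
    p1, p2 = nat.outbound(a, s1)[1], nat.outbound(a, s2)[1]
    return (p1, p2,
            nat.inbound(("192.0.2.99", 4000), p1),   # unknown host
            nat.inbound(("192.0.2.10", 4000), p1),   # S1's IP, a different port
            nat.inbound(s1, p1))                      # exactly the endpoint contacted
```

Only the full cone result admits the unknown host, which is why the text calls it "promiscuous"; the symmetric result is the one case where the second session gets a new port.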
Cone NATs are further classified, of course, by how strictly they decide whether an incoming connection accepted by the NAT may be forwarded directly to a created address pair. This classification is generally applied to UDP (rather than TCP) traffic, because NATs and firewalls block unsolicited incoming TCP connection attempts unless the NAT is explicitly configured not to.

Three: How NAT handles sessions

The following analyses the strategy by which NAPT decides whether a requested UDP packet belongs to an existing session or starts a new one. There are a few cases:

a. Source address (private IP) differs: regardless of other factors, NAPT treats this as a different session.
b. Source address (private IP) the same, source port differs: regardless of other factors, NAPT also treats this as a different session.
c. Source address (private IP) the same, source port the same, destination address (public IP) the same, destination port differs: NAPT treats this as the same session.
d. Source address (private IP) the same, source port the same, destination address (public IP) different, destination port disregarded: how should NAPT handle this session?

Cases a, b and c are relatively simple and easy to implement; d is more complicated. So case d is the one we need to focus on and discuss.

Four: Complete solution

The following is a complete solution for the four NAT types. For brevity, the following abbreviations are used: C stands for cone NAT, S for symmetric NAT, FC for full cone NAT, RC for restricted cone NAT and PC for port restricted cone NAT. First, depending on how many of the clients are behind a NAT, there are two main categories.

TYPE One: one client behind a NAT, the other on the public network
This case has two sub-cases:

A. S vs public network: because the public-network peer's address does not change within a session, hole punching succeeds.
B. C vs public network: similar to the above; hole punching succeeds here too.

TYPE Two: both clients behind NATs
This case can also be subdivided into two broad categories:

A. One of the NATs is of type S (symmetric NAT), i.e. S vs C or S vs S.
The following shows that the conventional hole punching procedure does not work in this case. In conventional hole punching, every client first logs in to a server. The server records each client's [public IP:port], and that recorded value is then used during hole punching. An S-type NAT, however, does not keep a fixed binding between [private IP:port] and [public IP:port]: for each new session the NAT assigns a new [public IP:port]. So the [public IP:port] the S-type NAT uses for the hole-punching session differs from the [public IP:port] registered at the server, and there is no way to tell the other client (also behind a NAT) which [public IP:port] to use, so the punch fails. If the other client is on the public network, however, a hole can still be punched, as shown earlier.

The only solution in this case is to punch the hole by port prediction, as follows. For example (with two S-type NATs): NAT A allocates its UDP port 62000 for the session between client A and server S, and NAT B allocates port 31000 for the session between client B and server S. Through their conversation with server S, clients A and B learn each other's public IP and mapped port. Client A then sends a UDP message to 138.76.29.7:31001 (note the incremented port number), while client B sends a UDP message to 155.99.25.11:62001.
If NAT A and NAT B keep allocating ports to new sessions in order, and not much time has passed since the A-S and B-S sessions were set up, a two-way channel between client A and client B is established. Client A's message to B causes NAT A to open a new session, and we hope NAT A assigns port 62001 to it, because 62001 is the port after 62000, which NAT A automatically assigned to the session from client A to server S. Likewise, client B's message to A causes NAT B to open a new session, and we hope NAT B assigns port 31001 to it. If both clients guess the ports assigned to the new sessions correctly, the two-way connection between client A and client B is open.

Obviously there are many factors that can make this method fail:

1. If the predicted new port (62001 or 31001) is already in use by an unrelated session, the NAT skips that port number and the connection fails.
2. If either NAT does not allocate new port numbers in order, sometimes or always, the method is not workable.
3. If a different client X hidden behind NAT A (or behind NAT B) opens a new outgoing UDP session, for whatever purpose, after client A has established its session with server S but before client A's connection to client B is established, then this unrelated client X "steals" the port we were counting on being allocated.

So this approach is fragile: it stops working as soon as any NAT on the path exhibits any of these problems. The approach remains practical in an environment of cone NATs; and if one side is behind a cone NAT and the other behind a symmetric NAT, the application should determine in advance which type of NAT the other side is behind and then handle the communication accordingly.
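The following Python simulation is an added example, not the post's code: two symmetric NATs allocating ports sequentially, the "registered port + 1" prediction described above, and the failure mode in which an unrelated client X behind NAT A opens a session first. Server S's address and the private addresses of clients B and X are constructed; the NAT public addresses and ports, and client A's address, are the post's values.

```python
from typing import Dict, Tuple

Addr = Tuple[str, int]  # (ip, port)

class SymmetricNat:
    """Symmetric NAT: a fresh public port for every (private endpoint, destination),
    handed out in increasing order, which is the assumption port prediction relies on."""
    def __init__(self, public_ip: str, first_port: int) -> None:
        self.public_ip, self.next_port = public_ip, first_port
        self.bindings: Dict[Tuple[Addr, Addr], int] = {}

    def outbound(self, src: Addr, dst: Addr) -> Addr:
        key = (src, dst)
        if key not in self.bindings:
            self.bindings[key], self.next_port = self.next_port, self.next_port + 1
        return (self.public_ip, self.bindings[key])

def punch_with_prediction(interfering_client: bool) -> dict:
    """Run the A<->B port-prediction exchange; optionally let an unrelated host X
    behind NAT A open a session in between, as the post warns."""
    server = ("192.0.2.1", 3478)                       # constructed address of server S
    nat_a = SymmetricNat("155.99.25.11", 62000)        # NAT A (post's values)
    nat_b = SymmetricNat("138.76.29.7", 31000)         # NAT B (post's values)
    a, b = ("10.0.0.1", 1234), ("10.1.1.3", 4321)      # A from the post, B constructed
    x = ("10.0.0.9", 5555)                             # constructed: another host behind NAT A
    # Both clients register with S, which tells each the other's public endpoint.
    a_at_s = nat_a.outbound(a, server)                 # 155.99.25.11:62000
    b_at_s = nat_b.outbound(b, server)                 # 138.76.29.7:31000
    # Each side guesses the peer's next port: registered port + 1.
    predicted_a = (a_at_s[0], a_at_s[1] + 1)
    predicted_b = (b_at_s[0], b_at_s[1] + 1)
    if interfering_client:
        nat_a.outbound(x, ("192.0.2.50", 53))          # X consumes 62001 first
    # Sending to the predicted peer endpoint opens a new session on each NAT.
    # The port it actually gets must equal what the peer guessed, and the peer's
    # real source must equal what this side sent to, or the NATs drop the packets.
    actual_a = nat_a.outbound(a, predicted_b)
    actual_b = nat_b.outbound(b, predicted_a)
    connected = actual_a == predicted_a and actual_b == predicted_b
    return {"predicted_a": predicted_a, "actual_a": actual_a,
            "predicted_b": predicted_b, "actual_b": actual_b, "connected": connected}
```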
Having to detect the other side's NAT type first increases the complexity of the algorithm and reduces how generally it applies in real networks. Finally, if a peer sits behind two or more levels of NAT and the NAT closest to the client is symmetric, port prediction is ineffective. It is therefore not recommended to use this method when writing new peer-to-peer applications; this is also the lesson of historical experience.

B. Both NATs are of cone type.
This can be divided into six cases: A: FC + FC; B: FC + RC; C: FC + PC; D: PC + RC; E: PC + PC; F: RC + RC. Although there are many cases, the characteristics of cone NAT make them all tractable: within a session a cone NAT binds one [private IP:port] to one [public IP:port], so the [public IP:port] used for hole punching is the same as the [public IP:port] registered at the server, and the hole can be punched.

In summary, the possible communication between all types of NAT has been fully enumerated, and each case has a workable solution.

Five: Summary of the previous phase

1. The hole punching method used in the previous phase is defective: it only works when both clients are behind full cone NATs. The argument that it does not fit the other "both behind cone NAT" cases, namely B: FC + RC, C: FC + PC, D: PC + RC, E: PC + PC and F: RC + RC, is as follows. A restricted NAT registers the [IP address & port] of outgoing packets and only accepts packets from those registered addresses, so the public ports registered with the server can only accept packets from the server, not from another client. Hence the hole punching method of the previous phase is not feasible.

Six: Existing problems

In theory, a NAT closes a UDP mapping after a certain amount of time, so in order to keep communicating with the server, a UDP heartbeat packet must be sent periodically to keep the mapping from being closed. This requires a suitable time interval.