Note: This article is good. The first section covers some basic NAT background, and the later sections clearly explain the principle of UDP NAT traversal. Let's take a look at the article first.
NAT: Complete Analysis and UDP Hole-Punching Solution
I. Basic Terms
Firewall: A firewall limits communication between a private network and the public network, mainly by discarding packets it considers unauthorized. A firewall only inspects packets; it does not modify the IP addresses or TCP/UDP ports in the packet header.
Network Address Translation (NAT): When a packet passes through, a network address translator not only inspects it but also rewrites the IP address and port information in its header. In this way the machines behind the NAT can share a few public IP addresses (usually just one). There are two main types of network address translator.
P2P applications: A P2P application establishes an end-to-end session between peers with the help of an existing public server, using the peers' private addresses, public addresses, or both.
P2P firewall: A P2P firewall is a P2P proxy that provides firewall functions but performs no address translation.
P2P-NAT: A P2P-NAT is a P2P proxy that provides NAT as well as firewall functions. The simplest P2P proxy must behave as a cone NAT for UDP traffic, which lets applications establish robust P2P connections using UDP hole punching.
Loopback translation: When a machine behind a NAT wants to reach another machine on the same LAN through the public address, the NAT device effectively performs NAT twice: before the packet reaches the target it translates the private address to the public address and then translates the public address back to a private address. A NAT device with this capability is called a "loopback translation" device.
II. NAT Classification
NAT can be divided into two categories: Basic NAT and Network Address and Port Translation (NAPT).
(1) Basic NAT: Basic NAT translates the private IP address of an internal host to a public IP address but does not translate TCP/UDP ports. It is generally used when the NAT owns many public IP addresses; it binds a public IP address to an internal host so that the outside can reach that host via the public address. (Only the IP address is translated, e.g. 192.168.0.23 <-> 210.42.106.35. This differs from assigning the public IP address to the host directly: for an enterprise, all external traffic must still pass through the unified firewall before it reaches the inside, yet the internal host can be reached via a public IP.)
(2) Network Address and Port Translation (NAPT): This is the most common case. A network address/port translator inspects and rewrites both the IP address and the TCP/UDP port of a packet, so that many internal hosts can share a single public IP address at the same time. For more on NAT categories and terminology see [RFC1631], [RFC2993] and [RFC2663]; [RFC2663] in particular defines the NAPT classification further. When an internal host opens an outbound TCP or UDP session through the NAT, the NAPT assigns that session a public IP address and port on which to receive packets from the Internet, and translates packets for the host accordingly. The NAPT thereby establishes a port binding between [private IP:private port] and [public IP:public port], and this binding determines how the NAPT translates addresses for the lifetime of the session. One question remains: if a P2P application starts several sessions to different Internet hosts from the same internal [private IP:port], what does the NAT do? The answer divides NATs into Cone NAT and Symmetric NAT:
A. Cone NAT (why a cone? As the figure in the original article shows, both the internal host and the external servers send through the single bound address pair assigned by the NAT, like a funnel that filters and passes traffic.) Once a [private IP:port]-[public IP:port] binding exists, a cone NAT lets the application reuse that binding for every subsequent session from the same [private IP:port] until the binding expires. For example, if client A (addresses as in the figure) opens two outbound connections simultaneously through a cone NAT from the same internal port (10.0.0.1:1234) to two different public servers S1 and S2, only one public IP address and port (155.99.25.11:62000) is allocated for both sessions; the address translation ensures the client's port stays "the same" (this client uses only this public port). Basic NATs and firewalls, which cannot modify port numbers, can be seen as simplified forms of cone NAT. Looking further, cone NAT is divided into three types: Full cone NAT, Restricted cone NAT and Port restricted cone NAT:
1. Full cone NAT: When an internal host sends out a session, a public/private address pair is created. Once this pair exists, a full cone NAT forwards to that private address any packet arriving at the public address, from any external host and port. For this reason full cone NAT is sometimes called "promiscuous" NAT.
2. Restricted cone NAT: A restricted cone NAT filters incoming packets. When an internal host sends an "outbound" session, the NAT records the IP address of the external host, and only packets from those recorded external IP addresses are allowed back in. A restricted cone NAT thus refines the packet-filtering principle of a firewall: only known external addresses may "pass" traffic into the NAT.
3. Port restricted cone NAT: A port restricted cone NAT differs from the restricted cone NAT in that it records both the IP address and the port of the external host. It gives internal nodes the same level of protection against unsolicited traffic as a symmetric NAT while still keeping the port binding "the same"; packets from an [IP:port] that was not recorded are discarded.
B. Symmetric NAT: Symmetric NAT differs greatly from cone NAT. Instead of binding one public port to the private endpoint for all its sessions, it allocates a new public port to each new session. In the example above, if client A (10.0.0.1:1234) starts two "outbound" sessions, to S1 and S2 respectively, a symmetric NAT assigns the public address 155.99.25.11:62000 to session 1 and a different public address 155.99.25.11:62001 to session 2. The NAT can tell the two sessions apart for translation because their external addresses differ, but the client application loses its port identity at the translation boundary: every session the application starts uses a new port, and there is no guarantee that the same port will ever be used. Whether the same port is reused or a different port is assigned to the same application differs between TCP and UDP, and cone NAT and symmetric NAT behave differently here for different reasons. Cone NAT additionally has several subtypes, which differ in the conditions under which an inbound packet to an existing binding is accepted. This classification generally applies to UDP rather than TCP, because NATs and firewalls unconditionally reject inbound TCP connection attempts unless the NAT is explicitly configured otherwise.
III. NAT Session Processing
The following analyzes the policy a NAPT uses to decide whether a UDP packet sent by a request belongs to an existing session. There are several cases:
a. The source address (intranet IP) differs; ignoring other factors, the NAPT must map this to a different session.
b. The source address (intranet IP) is the same but the source port differs; ignoring other factors, the NAPT must map this to a different session.
c. The source address (intranet IP), source port and destination address (public IP) are the same and the destination port differs; the NAPT must map this to the same session.
d. The source address (intranet IP) and source port are the same and the destination address (public IP) differs; ignoring the destination port, how does the NAPT handle the session?
Cases a, b and c are simple and easy to implement. Case d is complicated, so d is what we focus on and discuss.
IV. Complete Solution
The following is a complete solution covering the four session cases and the four NAT types. For convenience, these abbreviations are used: C for cone NAT, S for symmetric NAT, FC for full cone NAT, RC for restricted cone NAT and PC for port restricted cone NAT. By the number of clients behind a NAT there are two categories:
Type one: one client is behind a NAT and the other is on the public network. This splits into two cases:
A. S vs public network: because the public address stays unchanged within a session, hole punching succeeds.
B. C vs public network: similar to the above, this case also succeeds.
Type two: both clients are behind a NAT. This splits into two cases:
A. One NAT is of type S (symmetric NAT), i.e. S vs C or S vs S. The following shows that hole punching is not feasible here. In conventional hole punching all clients first log on to a server; the server records each client's [public IP:port], and that recorded value is used during punching. A symmetric NAT, however, does not keep a fixed mapping between [private IP:port] and [public IP:port], so for a different session it allocates a new [public IP:port] pair. The [public IP:port] used toward the peer therefore differs from the [public IP:port] registered on the server, and there is no way to tell the other client, itself behind a NAT, which [public IP:port] to use. (If the other client is on the public network a hole can still be made, as shown above.) In this case the only approach is port prediction, which works as follows (taking two symmetric NATs as the example): NAT A allocates its UDP port 62000 for the session between client A and server S, and NAT B allocates its port 31000 for the session between client B and server S. Through their conversation with server S, client A and client B each learn the real IP address and port that the other has been mapped to. Client A then sends a UDP message to 138.76.29.7:31001 (note that the port number is incremented), and client B sends a UDP message to 155.99.25.11:62001. If NAT A and NAT B keep assigning ports to new sessions sequentially, and not much time has passed since the A-S and B-S sessions were established, a two-way session channel is established between client A and client B.
The message from client A to client B causes NAT A to open a new session, and we want NAT A to assign port 62001 to it, because 62001 follows the 62000 that NAT A automatically assigned to the session between server S and client A. Similarly, the message from client B to A causes NAT B to open a new session, and we hope NAT B assigns it port 31001. If both clients correctly guess the port the peer's NAT assigns to the new session, the two-way client A - client B connection is established. Clearly, many factors can make this method fail. If a predicted new port (62001 or 31001) is already taken by an unrelated session, the NAT skips that port number and the connection fails. If either NAT does not allocate new port numbers sequentially, or only sometimes does, the method does not work. If a different client X behind NAT A (or NAT B) opens a new "outbound" UDP connection, whatever its purpose, after client A establishes its connection with server S but before client A connects to client B, this unrelated client X "steals" the port we were counting on. The method is therefore fragile and vulnerable: as soon as either NAT exhibits any of the problems above, it fails. The method is still practical in a network of cone NATs; if one side is a cone NAT and the other a symmetric NAT, the application must first discover the peer's NAT type and then behave accordingly, which increases the complexity of the algorithm and reduces its generality in real networks. Finally, if the peers sit behind two or more levels of NAT and the NAT closest to the client is a symmetric NAT, port prediction fails entirely!
Therefore this method is not recommended for writing new P2P applications. That is also the lesson of history!
B. Both are cone NATs. There are six combinations: A: FC + FC, B: FC + RC, C: FC + PC, D: PC + RC, E: PC + PC, F: RC + RC. Although there are many combinations, they are all easy to handle thanks to the property of cone NAT: within the same session a cone NAT binds a fixed mapping between [private IP:port] and [public IP:port], so the [public IP:port] the clients use toward each other is the same as the [public IP:port] registered on the server, and the hole can be punched. In summary, we have covered all possible communication cases between the NAT types and given feasible solutions.
V. Summary of the Previous Stage
1. The method used in the previous stage is flawed. It only applies to clients behind a full cone NAT; it does not apply to the other five cases where both sides are cone NATs: B: FC + RC, C: FC + PC, D: PC + RC, E: PC + PC, F: RC + RC. A restricted NAT records the [IP address & port] of outgoing packets and only accepts packets from these registered addresses; therefore the port registered at the server can only accept packets from the server and not from the other client, so the punching method of the previous stage is not feasible.
VI. Existing Problems
In theory, a NAT disables a UDP mapping after a period of inactivity. To keep communication with the server alive, a UDP heartbeat packet must be sent periodically so that the mapping is not dropped; this requires an appropriate interval.