NAT traversal principle-Stun

Source: Internet
Author: User

STUN (Simple Traversal of UDP through NATs, "Simple Traversal of User Datagram Protocol through Network Address Translators") is a network protocol that lets a client behind a NAT discover its own public IP address, find out which type of NAT it is behind, and learn which Internet-side port the NAT has bound to a given local port. Two hosts that both sit behind NAT routers use this information to establish UDP communication with each other. The protocol is defined in RFC 3489.

From: http://zh.wikipedia.org/wiki/STUN


STUN requires a STUN server with a public IP address. The UAC (client) behind the NAT exchanges several UDP packets with that server. The packets carry the information the UAC needs, such as the NAT's public IP address and port. The UAC determines its NAT type by checking which of the packets it receives and what data they contain.

Assume the following: UAC (B), NAT (A), and server (C). The UAC's IP address is IPB, the NAT's IP address is IPA, and the server's IP addresses are IPC1 and IPC2. Note that server C has two IP addresses; why two are needed will become clear later.

(1) NAT detection process: (eating a mango first, haha, Mom gave it to me)

Step 1: B sends a UDP packet to port1 of IP1 on C. When C receives the packet, it writes the source IP address and source port it observed into a UDP packet and sends that packet back to B from IP1 and port1. This IP address and port are the NAT's public IP address and port (if this is unclear, read the post on NAT principles and categories in my blog). In other words, step 1 yields the NAT's public IP address.

Anyone familiar with how NAT works knows that B will certainly receive the UDP packet C returns (if you do not know why, read my other articles). If your application sends packets to a STUN server and receives no response at all, there are only two possibilities: 1. the STUN server does not exist, or you have the wrong port; 2. your NAT rejects all UDP packets from the outside to the inside (our company's NAT does).

When B receives the UDP packet, it compares the IP address carried in the packet with its own IP address. If they are the same, B is on the public network; the next thing to detect would be the firewall type, which I will not go into here. If they differ, a NAT exists and the procedure continues with step 2.

Step 2: B sends a UDP packet to IP1 of C, asking C to reply with a UDP packet from its other address IP2 and a different port (different from the IP1 and port1 of step 1). (Now we see why C has two IP addresses, although I admit I still do not fully understand the reason.)

Let's analyze. If B receives this packet, what does it mean? It means the NAT neither rejects nor filters the packet, even though it comes from an address and port B never sent to. In STUN terms this is a full cone NAT. Unfortunately, full cone NATs are rare, so you are unlikely to receive this packet. If it is not received, the procedure continues with step 3.

Step 3: B sends a packet to port2 of IP2 on C. When C receives the packet, it writes the source IP address and source port it observed into a UDP packet and sends that packet back to B from IP2 and port2.

As in step 1, B will certainly receive this UDP response. The port carried in this packet is the data we care about most. The analysis is as follows:

If the port is the same as the port in step 1, the NAT is certainly a cone NAT; otherwise it is a symmetric NAT. The principle is simple: by the symmetric NAT rule, when the destination IP address and port change, the NAT allocates a new port, and in step 3 we changed both the IP address and the port compared with step 1. Therefore, for a symmetric NAT, the two ports must be different.

If the port is different at this step in your application, congratulations, your STUN is dead. If it is the same, only restricted cone and port restricted cone remain, and step 4 distinguishes between them.

Step 4: B sends a request packet to a port PD of IP2 on C, asking C to reply from IP2 but from a port different from PD.

Analysis: if B receives the packet, the NAT lets a UDP packet through as long as the source IP address matches, even when the source port differs. This is clearly a restricted cone NAT. If the packet is not received, the only remaining possibility is a port restricted cone NAT.
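The four steps above, written out as an added example that is not part of the original article: a Python simulation of the RFC 3489 message format (Binding Request and Binding Response, with the MAPPED-ADDRESS and CHANGE-REQUEST attributes) and of the decision procedure, run against a toy NAT model so that it works offline. The server addresses and ports, the NAT's public address, the client's local address and the `SimulatedNat` class are constructed assumptions standing in for C, A and B; nothing is sent on the network. The model goes slightly beyond the article by covering every outcome of the procedure (open Internet, full cone, restricted cone, port restricted cone, symmetric, and UDP blocked) in one run.

```python
import os
import socket
import struct

# Constants from RFC 3489 (classic STUN).
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_CHANGE_REQUEST = 0x0003
CHANGE_IP, CHANGE_PORT = 0x04, 0x02

# Constructed, assumed addresses (documentation ranges): server C has two IPs and
# two ports (IP1/port1 and IP2/port2 of the article); NAT A has one public IP.
SERVER_IPS = ("198.51.100.1", "198.51.100.2")
SERVER_PORTS = (3478, 3479)
NAT_PUBLIC_IP = "203.0.113.5"


def build_binding_request(change_ip=False, change_port=False, txid=None):
    """Encode a Binding Request, with a CHANGE-REQUEST attribute when asked."""
    txid = txid or os.urandom(16)
    flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
    attrs = struct.pack("!HHI", ATTR_CHANGE_REQUEST, 4, flags) if flags else b""
    return struct.pack("!HH16s", BINDING_REQUEST, len(attrs), txid) + attrs


def build_binding_response(txid, seen_ip, seen_port):
    """Encode a Binding Response carrying the source the server saw as MAPPED-ADDRESS."""
    attr = struct.pack("!HHxBH4s", ATTR_MAPPED_ADDRESS, 8, 0x01,
                       seen_port, socket.inet_aton(seen_ip))
    return struct.pack("!HH16s", BINDING_RESPONSE, len(attr), txid) + attr


def parse_attributes(packet):
    # Returns (msg_type, txid, {attr_type: raw value}); unknown attributes are kept.
    msg_type, length, txid = struct.unpack("!HH16s", packet[:20])
    body, off, attrs = packet[20:20 + length], 0, {}
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        attrs[atype] = body[off + 4:off + 4 + alen]
        off += 4 + alen
    return msg_type, txid, attrs


def mapped_address(packet, expected_txid):
    """Extract (ip, port) from a response; the transaction ID must match our request."""
    msg_type, txid, attrs = parse_attributes(packet)
    if msg_type != BINDING_RESPONSE or txid != expected_txid:
        raise ValueError("not the response to our request")
    _family, port, addr = struct.unpack("!xBH4s", attrs[ATTR_MAPPED_ADDRESS])
    return socket.inet_ntoa(addr), port


class SimulatedNat:
    """Toy model of NAT A between client B and server C; 'kind' picks the behaviour."""

    def __init__(self, kind, local_ip="192.168.1.10"):
        self.kind, self.local_ip, self.bindings = kind, local_ip, {}

    def _external_port(self, dst):
        key = dst if self.kind == "symmetric" else "any"  # symmetric: new port per destination
        return self.bindings.setdefault(key, 40000 + len(self.bindings))

    def exchange(self, dst_ip, dst_port, change_ip=False, change_port=False):
        """B sends one request through A to C; return the parsed MAPPED-ADDRESS, or None."""
        if self.kind == "blocked":
            return None
        req = build_binding_request(change_ip, change_port)
        if self.kind == "open":  # no NAT at all: C sees B's own address
            seen = (self.local_ip, 5000)
        else:
            seen = (NAT_PUBLIC_IP, self._external_port((dst_ip, dst_port)))
        _t, txid, attrs = parse_attributes(req)
        flags = struct.unpack("!I", attrs[ATTR_CHANGE_REQUEST])[0] if ATTR_CHANGE_REQUEST in attrs else 0
        # C answers from its other IP and/or other port when the request asks for it.
        src_ip = SERVER_IPS[1 - SERVER_IPS.index(dst_ip)] if flags & CHANGE_IP else dst_ip
        src_port = SERVER_PORTS[1 - SERVER_PORTS.index(dst_port)] if flags & CHANGE_PORT else dst_port
        resp = build_binding_response(txid, *seen)
        # The inbound filtering rule of each NAT type decides whether the reply reaches B.
        if self.kind == "restricted" and src_ip != dst_ip:
            return None
        if self.kind in ("port_restricted", "symmetric") and (src_ip, src_port) != (dst_ip, dst_port):
            return None
        return mapped_address(resp, txid)


def detect_nat(nat):
    """The article's four-step procedure, run against a NAT object."""
    m1 = nat.exchange(SERVER_IPS[0], SERVER_PORTS[0])                   # step 1
    if m1 is None:
        return "udp blocked or server unreachable"
    if m1[0] == nat.local_ip:
        return "open internet (no NAT)"
    if nat.exchange(SERVER_IPS[0], SERVER_PORTS[0], True, True):        # step 2
        return "full cone"
    m3 = nat.exchange(SERVER_IPS[1], SERVER_PORTS[1])                   # step 3
    if m3 is None or m3[1] != m1[1]:
        return "symmetric"
    if nat.exchange(SERVER_IPS[1], SERVER_PORTS[1], change_port=True):  # step 4
        return "restricted cone"
    return "port restricted cone"


if __name__ == "__main__":
    for kind in ("open", "full_cone", "restricted", "port_restricted", "symmetric", "blocked"):
        print(f"{kind:16s} -> {detect_nat(SimulatedNat(kind))}")
```

Two details worth noting from a defender's point of view: `mapped_address` refuses any response whose transaction ID does not match the request that was sent, so a stray or spoofed packet cannot be mistaken for the server's answer; and step 3 compares only the port against step 1, which is exactly the observation that separates a symmetric NAT (new binding per destination) from the cone types (one binding reused for every destination).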


From: http://www.yuanma.org/data/2007/0323/article_2446.htm
