The "secret" of how P2P networks "freely" break through NAT

Source: Internet
Author: User
Tags: FTP protocol
The significance of NAT traversal:

NAT was designed to conserve IP addresses, but because it hides the addresses of intranet machines it also plays an "unintended" security role: the internal network is invisible and opaque to the outside. That opacity sits badly with the "sharing" ideal of the Internet, and above all with the "mutual service" purpose of P2P networks, so traversing NAT has long been something P2P developers want, so that the many machines sitting behind NATs can take part in the P2P network. NAT traversal needs help from outside; put bluntly, it is "collusion between inside and outside", a way of tricking the NAT. Many P2P networks have achieved it, with one "regret": not every combination of NATs can be traversed. Because the client behind the NAT logs on to the P2P network of its own accord, the P2P approach does not violate an enterprise's internal management rules; after all, joining the "free world" is voluntary.

NAT principles:

NAT stands for Network Address Translation.

How it works: NAT rewrites the IP address (and port) in the packet header so that intranet computers can reach Internet services. When an internal machine contacts the outside, the NAT device translates the internal IP1 and port 1 (the network-layer and transport-layer addresses) into the NAT's external IP2 and a newly chosen port 2 and forwards the packet; when the reply comes back, it rewrites the packet addressed to IP2:port 2 back to IP1:port 1 and delivers it to the intranet machine. If the application protocol carries IP addresses inside its payload, as FTP does, the addresses inside the packet must be rewritten as well (an application-layer gateway), otherwise the protocol ends up with mismatched addresses. The mapping table of translated addresses is kept on the NAT device and is populated by the outgoing traffic of the internal computers. Whether a packet arriving from the outside can pass through the NAT depends on whether a matching table entry exists; if none does, the packet is discarded.

The NAT's external public address can be a single IP address or a block of addresses that form an address pool. NAT can also map one Internet address statically to a server on the intranet so that Internet users can reach that server directly. In normal operation NAT hides the intranet machines, but it lets the intranet actively open a communication "channel" to the Internet, that is, create a mapping table entry.

The problem NAT poses for P2P is that NAT only allows connections to be initiated from one side. The two communicating parties are not equal, which is a problem for a P2P network. Specifically:

1. The intranet host's IP address is private: an external host cannot see it or initiate a connection to it.

2. Even if the intranet IP address is known, the NAT discards any packet that has no entry in its mapping table.

3. The intranet host can reach the Internet as a client, but cannot offer services as a server.

4. When both hosts are behind their own NATs and need a P2P connection, the problem is not only who takes the initiative, but how to get a mapping table entry on both NATs at the same time.

STUN protocol (IETF RFC 3489):

STUN is a "tunnel"-style protocol: a channel is established before formal communication begins, with the user terminal itself taking part. It solves the NAT problem for application protocols that carry IP addresses inside their payload. The terminal first learns, by other means, the external address that the NAT has allocated to its own address, and then writes that external address into the packet payload instead of its private intranet address. When the packet passes through the NAT, the header address is translated as usual and the address information in the payload no longer needs to be modified, because it already matches. The same idea can be used to traverse NAT. STUN is a client/server protocol with two request types: a Binding Request, sent over UDP, and a Shared Secret Request, sent over TLS. The Binding Request is used to discover the binding (the mapped address) that the NAT has allocated. Note that RFC 3489 ("classic STUN") has since been obsoleted by RFC 5389 and later RFC 8489, which keep the Binding Request but drop the Shared Secret Request and the NAT classification procedure described below; the mapping discovery itself works the same way.
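The Binding exchange described above, as an added example that is not code from the original article: the client builds a Binding Request, the server answers with the source address it saw, and the client parses the mapped address out of the response. The code uses the RFC 5389 wire format (magic cookie plus 12-byte transaction ID); a classic RFC 3489 server treats the cookie as part of its 16-byte transaction ID and replies with MAPPED-ADDRESS, so the same parser serves both. The server reply used in the sample is constructed locally; the server address passed to discover() is whatever STUN server the reader chooses.

```python
# Added example (not code from the original article): a STUN Binding Request
# and the parsing of the Binding Response that carries the NAT's external
# mapping, in the RFC 5389 wire format. A classic RFC 3489 server treats the
# magic cookie as part of the transaction ID and answers with MAPPED-ADDRESS,
# so the same parser serves both. The sample server reply is constructed here.
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101          # success response to a Binding Request
MAPPED_ADDRESS = 0x0001            # RFC 3489 attribute, address in the clear
XOR_MAPPED_ADDRESS = 0x0020        # RFC 5389 attribute, XORed with the cookie
IPV4 = 0x01
HEADER = "!HHI12s"                 # type, length, magic cookie, transaction id


def build_binding_request(txn_id=None):
    """20-byte header with no attributes; txn_id is 12 random bytes by default."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack(HEADER, BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id), txn_id


def _address_attr(atype, ip, port):
    ip_int = struct.unpack("!I", socket.inet_aton(ip))[0]
    if atype == XOR_MAPPED_ADDRESS:
        port ^= MAGIC_COOKIE >> 16     # X-Port: port XOR top 16 bits of the cookie
        ip_int ^= MAGIC_COOKIE         # X-Address: address XOR the whole cookie
    value = struct.pack("!BBHI", 0, IPV4, port, ip_int)
    return struct.pack("!HH", atype, len(value)) + value


def build_binding_response(txn_id, ip, port, xor=True):
    """What a server sends back: the source ip:port it saw the request from."""
    attr = _address_attr(XOR_MAPPED_ADDRESS if xor else MAPPED_ADDRESS, ip, port)
    return struct.pack(HEADER, BINDING_RESPONSE, len(attr), MAGIC_COOKIE, txn_id) + attr


def parse_binding_response(data, txn_id):
    """Return the (ip, port) the NAT allocated, preferring XOR-MAPPED-ADDRESS."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie, rid = struct.unpack(HEADER, data[:20])
    if msg_type != BINDING_RESPONSE or rid != txn_id:
        raise ValueError("not a Binding Response for our transaction")
    body = data[20:20 + length]
    mapped = None
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)          # attribute values are padded to 4 bytes
        if alen < 8 or value[1] != IPV4:
            continue
        port, ip_int = struct.unpack("!HI", value[2:8])
        if atype == XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16
            ip_int ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", ip_int)), port
        if atype == MAPPED_ADDRESS and mapped is None:
            mapped = (socket.inet_ntoa(struct.pack("!I", ip_int)), port)
    if mapped is None:
        raise ValueError("no mapped address in response")
    return mapped


def discover(server, local_port=0, timeout=2.0):
    """Live exchange over UDP against a real STUN server (ip, port): returns
    (mapped ip:port, local ip:port) so the caller can compare the two.
    Needs network access; the offline sample below does not call it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("0.0.0.0", local_port))
    try:
        req, txn_id = build_binding_request()
        sock.sendto(req, server)
        data, _ = sock.recvfrom(1500)
        return parse_binding_response(data, txn_id), sock.getsockname()
    finally:
        sock.close()


if __name__ == "__main__":
    # Offline round trip with a constructed reply: the NAT allocated 11000.
    req, txn = build_binding_request()
    reply = build_binding_response(txn, "100.10.10.10", 11000)
    print(parse_binding_response(reply, txn))
```

Sending the same request from the same local port to two different servers and comparing the two mapped ports is the practical test for the symmetric NAT case discussed below: a cone NAT reports the same external port to both, a symmetric NAT reports two different ones.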

In the STUN standard, NATs are divided into four types according to how the internal terminal address (P:p) is mapped to the public address (A:B) at the NAT egress:

1. Full Cone: all requests from the same internal address (P:p) are mapped to the same external address (A:B), regardless of the destination. The mapping is (P:p) -> (A:B). Any external host can send data to (P:p) through (A:B).

2. Restricted Cone: all requests from the same internal address are mapped to the same external address, but returned data is accepted only from an external host X to which the internal node has previously sent data. The mapping is (P:p) -> (A:B) -> X. Only packets from X (from any port) can reach (P:p) through (A:B).

3. Port Restricted Cone: all requests from the same internal address are mapped to the same external address, but returned data is accepted only from the exact external address and port (X:x) to which the internal node has previously sent data. The mapping is (P:p) -> (A:B) -> (X:x). Only packets from (X:x) can reach (P:p) through (A:B).

4. Symmetric NAT: only requests from the same internal address (P:p) to the same destination (X:x) are mapped to the same external address (A:B), and returned data is accepted only from that destination (X:x). The mapping is (P:p) -> (A:B) -> (X:x). When (P:p) talks to a different destination (Y:y), a different mapping is allocated, (P:p) -> (B:C) -> (Y:y), so the external port that Y sees is not the one that X sees.

P2P uses STUN to traverse NAT:

Terminals A and B, each behind its own NAT, need to communicate directly across the NATs, with the help of a third-party server on the public network.

NAT traversal falls into two cases:

1. Only one party is behind a NAT and the other is on the public network. This case is simple: as long as the terminal behind the NAT initiates the communication, the NAT is not an obstacle. It obtains the other peer's address from the server and connects actively, and the returned packets traverse the NAT without trouble.

2. Both parties are behind NATs. Whether the connection succeeds depends on the two NAT types. The main idea is that each terminal first connects to the server, which records the external address (IP address and port number) of each terminal as seen outside its NAT; each terminal then sends an "invitation" packet to the other's external address and so learns the external address it should use to reach the peer. The key is to obtain the NAT's external mapping address and then send packets directly to it to establish the connection. However, when one side is symmetric and the other side is port restricted or symmetric, the external address cannot be obtained reliably, the invitation packet cannot reach the other side, and the NAT cannot be traversed. The detailed analysis breaks down into several cases according to the two NAT types. A typical traversal example follows.

Example: UDP traversal of NAT:

A logs on to the server. NAT A allocates port 11000, so the server sees A's address as 100.10.10.10:11000.

B logs on to the server. NAT B allocates port 22000, so the server sees B's address as 200.20.20.20:22000.

At this point a packet sent directly from A to 200.20.20.20:22000 would be discarded by NAT B, because NAT B has no mapping entry for A. A hole toward A must first be punched on NAT B before A can send data to 200.20.20.20:22000.

Under instruction from the server, B sends a UDP packet to A's address 100.10.10.10:11000. NAT A discards it (it has no entry for B), but the packet creates a mapping record on NAT B, so NAT B will no longer discard packets from A.

The server then notifies A to start communicating. A sends a UDP packet to B; NAT B lets it through, B receives A's packet, and the two sides begin communicating.

NOTE: if NAT A is symmetric, the packet A sends to B is given a freshly allocated port rather than port 11000 (the port used toward the server), and B has no way of learning that new port, so this method does not apply.
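The mapping table, the four NAT types and the UDP hole-punching exchange above, as an added example that is not code from the original article. It models each NAT as a mapping table plus an inbound filter, replays the article's sequence (both sides log on to the server, B sends first to punch a hole on NAT B, then A sends, and each side replies to the source address it actually received from) and reports which pairs of NAT types end up with a working two-way channel. The public and internal addresses are the article's (100.10.10.10:11000, 200.20.20.20:22000, 192.168.10.11, 192.168.20.22); the server address 1.1.1.1:3478 is assumed.

```python
# Added example (not code from the original article): a toy model of the NAT
# mapping table, of the four RFC 3489 NAT types, and of the UDP hole-punching
# exchange between terminals A and B with the help of a public server.
# Addresses are the article's where it gives them; the server is made up.

FULL_CONE = "full cone"
RESTRICTED_CONE = "restricted cone"
PORT_RESTRICTED_CONE = "port restricted cone"
SYMMETRIC = "symmetric"
NAT_TYPES = (FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED_CONE, SYMMETRIC)

SERVER = ("1.1.1.1", 3478)          # assumed public rendezvous server


class Nat:
    """One NAT device. Endpoints are (ip, port) tuples."""

    def __init__(self, kind, public_ip, first_port):
        self.kind = kind
        self.public_ip = public_ip
        self._next_port = first_port
        self._out = {}    # mapping key -> external endpoint (the mapping table)
        self._in = {}     # external endpoint -> internal endpoint
        self._peers = {}  # external endpoint -> destinations it has sent to

    def _key(self, internal, dst):
        # Cone NATs reuse one mapping per internal endpoint whatever the
        # destination; a symmetric NAT allocates one per (internal, destination).
        return (internal, dst) if self.kind == SYMMETRIC else internal

    def outbound(self, internal, dst):
        """Internal host sends to dst: create or reuse a mapping, return the external endpoint."""
        key = self._key(internal, dst)
        if key not in self._out:
            ext = (self.public_ip, self._next_port)
            self._next_port += 1
            self._out[key] = ext
            self._in[ext] = internal
            self._peers[ext] = set()
        ext = self._out[key]
        self._peers[ext].add(dst)
        return ext

    def inbound(self, src, dst_ext):
        """A packet src -> dst_ext arrives from outside; return the internal
        endpoint it is delivered to, or None if the NAT discards it."""
        if dst_ext not in self._in:
            return None                     # no mapping table entry: discarded
        peers = self._peers[dst_ext]
        if self.kind == FULL_CONE:
            allowed = True
        elif self.kind == RESTRICTED_CONE:
            allowed = src[0] in {p[0] for p in peers}   # source IP must match
        else:                                # port restricted cone and symmetric
            allowed = src in peers                        # IP and port must match
        return self._in[dst_ext] if allowed else None


def hole_punch(nat_a, a_int, nat_b, b_int, server=SERVER):
    """Replay the article's exchange: both log on to the server, B sends first
    (punching a hole on NAT B), then A sends; a second round lets each side
    reply to the source it actually saw. True if both directions deliver."""
    nats = {"A": (nat_a, a_int), "B": (nat_b, b_int)}
    known = {"A": nat_b.outbound(b_int, server),   # what the server tells A about B
             "B": nat_a.outbound(a_int, server)}   # what the server tells B about A
    got = {"A": False, "B": False}

    def send(me, peer):
        nat, internal = nats[me]
        dst = known[me]
        ext = nat.outbound(internal, dst)             # punches a hole on my NAT
        if nats[peer][0].inbound(ext, dst) == nats[peer][1]:
            got[peer] = True
            known[peer] = ext                         # peer learns my real external address

    for _ in range(2):
        send("B", "A")
        send("A", "B")
    return got["A"] and got["B"]


def traversal_matrix():
    """Which (NAT A type, NAT B type) pairs the exchange can traverse."""
    result = {}
    for kind_a in NAT_TYPES:
        for kind_b in NAT_TYPES:
            nat_a = Nat(kind_a, "100.10.10.10", 11000)
            nat_b = Nat(kind_b, "200.20.20.20", 22000)
            result[(kind_a, kind_b)] = hole_punch(
                nat_a, ("192.168.10.11", 1234), nat_b, ("192.168.20.22", 1234))
    return result


if __name__ == "__main__":
    for (ka, kb), ok in traversal_matrix().items():
        print(f"A={ka:21s} B={kb:21s} traversable={ok}")
```

The matrix reproduces the article's claim: any two cone NATs traverse, symmetric paired with port restricted or symmetric fails because the port the symmetric side allocates toward the peer is never known to the other side, while symmetric paired with full cone or restricted cone still succeeds because the cone side filters at most on the source IP, which does not change.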

Example: TCP traversal of NAT:

A logs on to the server. NAT A allocates port 11000, so the server sees A's address as 100.10.10.10:11000.

B logs on to the server. NAT B allocates port 22000, so the server sees B's address as 200.20.20.20:22000.

A sends a TCP SYN packet 192.168.10.11:1234 => 200.20.20.20:22000 to B, punching a hole on NAT A.

B sends a TCP SYN packet 192.168.20.22:1234 => 100.10.10.10:11000 to A, punching a hole on NAT B.

The channel is now open, and A and B complete the TCP three-way handshake to establish the connection. For this to work each side must send its SYN from the same local port it used for the server connection (so that its NAT reuses the 11000 or 22000 mapping), and the two NATs must tolerate the crossing SYNs of a TCP simultaneous open.
