NAT traversal (UDP hole punching)


Reposted from: http://www.cnblogs.com/GO-NO-1/p/7241556.html

1. NAT (Network Address Translator) introduction

NAT comes in two broad categories: basic NAT and NAPT.

1.1. Basic NAT

Static NAT: one public IP corresponds to one internal IP; a fixed one-to-one translation.

Dynamic NAT: n public IPs correspond to m internal IPs; the translation is not a fixed one-to-one relationship.

1.2. NAPT (Network Address/Port Translator)

This is what is in general use today. It is further divided into symmetric NAT and cone NAT.

Cone NAT comes in three kinds: full cone, address restricted cone and port restricted cone.

a) Full Cone NAT: all requests from the same private address/port 192.168.0.8:4000 to the public network are mapped to the same public address/port 1.2.3.4:62000, and 192.168.0.8 can receive datagrams sent to 1.2.3.4:62000 by any external host.

b) Address Restricted Cone NAT: all requests from 192.168.0.8:4000 are again mapped to 1.2.3.4:62000, but 192.168.0.8 can only receive datagrams that host 6.7.8.9 (from any of its ports) sends to 1.2.3.4:62000 if 192.168.0.8 has first sent a datagram to server C at 6.7.8.9.

c) Port Restricted Cone NAT: all requests from 192.168.0.8:4000 are mapped to 1.2.3.4:62000, but 192.168.0.8 can only receive datagrams that 6.7.8.9:8000 sends to 1.2.3.4:62000 if 192.168.0.8 has first sent a datagram to exactly that external address and port, 6.7.8.9:8000.

Symmetric NAT:

All requests from the same internal IP address and port to one specific destination IP address and port are mapped to the same external IP address and port. If the same internal host and port sends to a different destination, a different mapping is used. Only the external host that received a packet through a mapping can send a UDP packet back through it to the internal host. A symmetric NAT therefore does not keep the binding between (private IP, private port) and (public IP, public port) consistent across sessions; it assigns a new port number to each new session.

In short, a symmetric NAT uses one external port per request (per destination), while a non-symmetric NAT uses one external port for many requests; that single port fans out to all destinations like a cone, hence the name cone NAT.

1.3. Detecting the NAT type

Let A be the connection server and B the NAT detection server.

Step 1: when a receiving client (endpoint receiver, EP-R for short) needs to receive a file, it sends a file request to connection server A and, immediately afterwards, a NAT detection request to detection server B. The "immediately afterwards" matters: for a symmetric NAT, two consecutive mappings let us compute its port allocation increment (ΔP) directly.

Step 2: when EP-R receives the reply from A or B and finds that the external address reported there differs from its own local address, it knows it is behind a NAT; otherwise it has a public IP.

Step 3: server A sends the external mapping it observed for EP-R (IPa/PortA) to B. B compares it with the mapping it observed itself (PortB). If the ports differ, the NAT is symmetric and its allocation increment can be computed directly:

ΔP = PortB - PortA

Step 4: if the port numbers are the same, B sends a connection request to EP-R at PortA. If EP-R responds, the NAT restricts neither IP nor port: it is a full cone NAT. (For this probe to tell anything it must come from an IP address EP-R has not yet sent to, since a restricted cone would also pass a packet from B's known address; this is why an RFC 3489 STUN server has two addresses and the client can ask for the reply to come from the other one.)

Step 5: if there is no response, B sends a connection request from a new port B' to EP-R's PortB. If EP-R responds, the NAT restricts by IP only: an address restricted cone NAT. If there is still no response, it restricts by IP and port: a port restricted cone NAT.

These five steps are enough to tell whether EP-R is on the public network or behind some kind of NAT, and which kind.
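As an added illustration (not code from the original post), here is a small Python model of the four NAT behaviours of section 1.2 together with the five detection steps above, the ΔP port prediction that a sequentially allocating symmetric NAT invites, and a check of which NAT combinations let a UDP punch through (the cases listed in section 2.1 below). The server addresses 6.7.8.9 / 6.7.8.10 / 6.7.8.11, port 3478 and the 62000 starting port are assumptions; the second IP on server B is there because step 4 is only meaningful from an address EP-R has not contacted.

```python
KINDS = ("none", "full_cone", "addr_restricted", "port_restricted", "symmetric")


class NAT:
    """Toy NAPT in front of one private network; endpoints are (ip, port).

    kind        one of KINDS ("none" means the host has a public IP)
    public_ip   the NAT's external address
    first_port  first external port handed out; later ones step by delta
    delta       port allocation increment (the text's ΔP)
    """

    def __init__(self, kind, public_ip, first_port=62000, delta=1):
        assert kind in KINDS
        self.kind, self.public_ip = kind, public_ip
        self.next_port, self.delta = first_port, delta
        self.mappings = {}  # key -> external port
        self.internal = {}  # external port -> internal (ip, port)
        self.sent_to = {}   # external port -> destinations already used

    def outbound(self, src, dst):
        """Internal src sends to dst; returns the external endpoint used."""
        if self.kind == "none":
            return src
        # A symmetric NAT keys the mapping on the destination as well; cone
        # NATs reuse one external port for every destination of src.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.mappings:
            port, self.next_port = self.next_port, self.next_port + self.delta
            self.mappings[key], self.internal[port], self.sent_to[port] = port, src, set()
        port = self.mappings[key]
        self.sent_to[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, src, dst):
        """External src sends to external endpoint dst; returns the internal
        endpoint that receives it, or None when the NAT filters it."""
        if self.kind == "none":
            return dst
        if dst[0] != self.public_ip or dst[1] not in self.internal:
            return None
        seen = self.sent_to[dst[1]]
        if self.kind == "full_cone":
            allowed = True
        elif self.kind == "addr_restricted":
            allowed = any(ip == src[0] for ip, _ in seen)
        else:  # port_restricted and symmetric filter on ip and port
            allowed = src in seen
        return self.internal[dst[1]] if allowed else None


# Assumed server addresses. B gets a second IP for step 4: a probe from an
# address EP-R already sent to would pass a restricted cone as well.
SERVER_A = ("6.7.8.9", 3478)
SERVER_B = ("6.7.8.10", 3478)
SERVER_B_ALT_IP = "6.7.8.11"
SERVER_B_NEW_PORT = 3479


def detect_nat_type(nat, client=("192.168.0.8", 4000)):
    """The five steps of section 1.3; returns (type, delta_p)."""
    # Step 1: EP-R sends to A and, immediately afterwards, to B.
    pub_a = nat.outbound(client, SERVER_A)
    pub_b = nat.outbound(client, SERVER_B)
    # Step 2: A and B echo back the external endpoint they observed.
    if pub_a == client:
        return ("public", 0)
    # Step 3: A forwards PortA to B; a different PortB means symmetric.
    if pub_a[1] != pub_b[1]:
        return ("symmetric", pub_b[1] - pub_a[1])
    # Step 4: B probes PortA from an IP the client has never contacted.
    if nat.inbound((SERVER_B_ALT_IP, SERVER_B[1]), pub_a) == client:
        return ("full_cone", 0)
    # Step 5: B probes from its known IP but from a new port B'.
    if nat.inbound((SERVER_B[0], SERVER_B_NEW_PORT), pub_b) == client:
        return ("addr_restricted", 0)
    return ("port_restricted", 0)


def predict_port(last_port, delta, n=1):
    """Port prediction for a symmetric NAT: the n-th mapping after last_port."""
    return last_port + n * delta


def punch(nat_a, a, nat_b, b, server=SERVER_A):
    """UDP hole punch between a (behind nat_a) and b (behind nat_b) as in
    section 2.2; returns (a_reaches_b, b_reaches_a) after both have punched."""
    pub_a = nat_a.outbound(a, server)   # both register with S, which then
    pub_b = nat_b.outbound(b, server)   # hands each the other's endpoint
    src_a = nat_a.outbound(a, pub_b)    # A punches towards B's endpoint ...
    src_b = nat_b.outbound(b, pub_a)    # ... and, told by S, B towards A's
    # A symmetric NAT used a fresh port for the punch, so src differs from
    # the server-observed endpoint the other side was told about.
    return (nat_b.inbound(src_a, pub_b) == b, nat_a.inbound(src_b, pub_a) == a)
```

punch() reports only the steady state after both sides have sent their first packet; the very first packet A sends is dropped by a restricted NAT on B's side, as step 4 of the procedure in section 2.2 says, so a real client retries. The symmetric-plus-cone combination comes out one-way because B keeps sending to the port S reported; if B instead answered the source port it actually observes in A's packet, X1's mapping for that destination would already permit B.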

1.4. NAT mapping aging time

This is an optional configuration task: set the aging time of the NAT address mapping table as needed, to control how users make use of the NAT and to keep communication between the internal and external networks safe. The consequence for hole punching is that a mapping that carries no traffic for longer than its aging time disappears, so peers must send keepalives more often than that.

Configuring the aging time of NAT mapping entries is simple: use the command firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media } aging-time time-value. The parameter time-value is an integer number of seconds in the range 1 to 65535. To set timeouts for several session table entries, run the command once per entry.

Each protocol (DNS, FTP, FTP-data, HTTP, ICMP, TCP, TCP-proxy, UDP, SIP, SIP-media, RTSP and RTSP-media) has its own default aging time in seconds. The command undo firewall-nat session { all | dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media } aging-time restores the default timeout for the corresponding session table entry.

2. UDP hole punching

2.1. Conditions required for peer-to-peer

1. An intermediary server that stores each peer's information and can issue the command to establish a UDP tunnel.

2. Both gateways should be cone NAT. Symmetric NAT is not suitable.

3. Full cone gateways are the easy case, but they are rare, and both sides being behind one is rarer still.

4. If gateway X1 is symmetric and gateway Y1 is an address restricted cone or full cone, then after each side has tried to build the tunnel, A1 (behind X1) can send data through X1 and Y1 to B1, because Y1 filters by IP only; but what B1 sends back to X1 is discarded, because the port in B1's datagram does not match the port of the session on X1 even though the IP matches. So the tunnel is of no use. (In practice this case can still be rescued: if B1 replies to the source port it actually sees in A1's packet rather than the port the server reported, that is exactly the mapping X1 created for B1's address.)

5. If both sides are symmetric NAT, each side allocates a new port that the other cannot learn, so the only option is to guess it. That can reach the goal, but the success rate is low and it adds system overhead, so it is not a good solution.

6. The differences between gateway types lie in how they replace addresses (a different port and session per destination, or the same port across different sessions) and in how they filter inbound traffic (unrestricted, restricted by IP address, or restricted by IP address and port).

7. Not considered here is the case where different users on the same intranet access the same server. If the gateway is an address restricted cone or full cone NAT, packets might be delivered to a different user's client, which is obviously inappropriate.

2.2. UDP versus TCP hole punching

Why is almost all peer-to-peer hole punching discussed on the web based on UDP? Can TCP not punch holes, or is TCP hole punching simply hard to do?
Assume there is an intranet client A, an intranet client B, and a public server S.
If A and B want to talk over UDP, they must get through both NATs; call them NAT-A and NAT-B.

A sends a packet to S and B sends a packet to S, so S learns the public endpoints of A and B,
and S now has a session with each of them. A packet from S to NAT-A is forwarded by NAT-A straight to A,
and a packet from S to NAT-B is forwarded by NAT-B straight to B, while packets from anyone other than S are discarded.
So A and B can each communicate full duplex with S, but A and B cannot communicate directly.

The solution: A sends a packet to B's public endpoint; from then on NAT-A accepts packets arriving from NAT-B
and forwards them to A (B can now reach A). Then S commands B to send a packet to A's public endpoint; from then on
NAT-B accepts packets arriving from NAT-A and forwards them to B (A can now reach B).

That is the principle of "hole punching".

To keep its router's session with B alive, A must send heartbeat packets, and B must likewise send periodic heartbeats to A. Once both directions of the channel are open, any communication is possible.


But TCP and UDP differ a little when it comes to punching, and the difference comes from the Berkeley socket API (the standard socket specification).
A UDP socket is connectionless: the socket that talked to S can also send to and receive from B, and several UDP sockets may even share one local port. A TCP socket, once connected, belongs to that one connection.
Concretely: for A and B to connect to S, each first creates a socket locally and connects it to S. Creating a socket means binding a local port (even if the application does not pick one, one is bound anyway, at least in Java); say it is 8888. A and B now each have a channel to S. Next they need to punch, which requires A and B to send packets to each other's public endpoint. Here is the problem: the NAT identifies the session by port number. With UDP, A and B can send the punch from the socket already bound to 8888 (or create another UDP socket bound to 8888 alongside it), so the NAT sees the same session and the punch succeeds. With TCP, the socket bound to 8888 is tied to the connection with S, and a second socket cannot normally be created and bound to 8888, so the punch fails unless the port can be reused (see the TCP section below).

The process of UDP hole punching is roughly as follows:

1. Both sides talk to the server over UDP. The gateway creates a mapping between a public IP and port and the client's private IP and port by default; nothing needs to be configured, and the server does not need to know the client's real private address.

2. User A learns User B's public address and port through the server.

3. User A sends a message to User B's public address and port.

4. User B's gateway rejects this message, because there is no rule for it in its mapping table.

5. But User A's gateway has now added a rule that permits messages from B to come in.

6. The server asks User B to send a message to User A's public IP and port.

7. User B sends the message; User A can now receive it, and gateway B has also added its permit rule.

8. From then on, since both gateway A and gateway B have added permit rules, A and B can send messages to each other's public IP and port.
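The eight steps above as running Python, added here and not part of the original post: a rendezvous server S and two peers that register, learn each other's public endpoint from S, punch, and then heartbeat until both directions are confirmed. Everything runs on 127.0.0.1 in threads so it works offline; with no NAT in between the exchange is identical, only nothing is ever filtered. The one-line message format (REGISTER, PEER, PUNCH, ACK) and the 0.1 s heartbeat interval are my own choices; on a real NAT the interval has to stay well below the UDP aging time of section 1.4.

```python
import socket
import threading
import time


def serve(srv, expected=2):
    """Rendezvous server S: record the endpoint each REGISTER arrives from
    (that is the NAT's public ip:port) and, once both peers are known,
    command each one to punch towards the other."""
    peers = {}
    while len(peers) < expected:
        data, addr = srv.recvfrom(1024)
        if data.startswith(b"REGISTER "):
            peers[data.split()[1].decode()] = addr
    (_, ep1), (_, ep2) = peers.items()
    srv.sendto(f"PEER {ep2[0]} {ep2[1]}".encode(), ep1)
    srv.sendto(f"PEER {ep1[0]} {ep1[1]}".encode(), ep2)


def peer(name, server_addr, keepalive=0.1, give_up=5.0):
    """One peer: register with S, learn the other side's endpoint, punch,
    then keep the mapping alive with heartbeats until both directions are
    confirmed. Returns the other peer's name, or None on failure."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    # One unconnected UDP socket talks to S and to the peer, so a NAT would
    # see the same private ip:port (and keep the same mapping) for both.
    s.settimeout(keepalive)          # wake up at least once per heartbeat
    s.sendto(b"REGISTER " + name.encode(), server_addr)
    other, their_name, acked = None, None, False
    deadline = time.monotonic() + give_up
    while time.monotonic() < deadline and not (their_name and acked):
        if other is not None:
            # The first packet opens our NAT for `other` (their NAT may
            # still drop it, step 4); the repeats double as heartbeats.
            s.sendto(b"PUNCH " + name.encode(), other)
        try:
            data, addr = s.recvfrom(1024)
        except socket.timeout:
            continue
        if addr == server_addr and data.startswith(b"PEER "):
            _, ip, port = data.decode().split()
            other = (ip, int(port))
        elif addr == other and data.startswith(b"PUNCH "):
            their_name = data.split()[1].decode()    # their hole reached us
            s.sendto(b"ACK " + name.encode(), other)
        elif addr == other and data.startswith(b"ACK "):
            acked = True                              # our hole reached them
    s.close()
    return their_name if acked else None


def run_demo():
    """Run S and two peers on loopback; returns {peer: name it reached}."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    server_addr = srv.getsockname()
    threading.Thread(target=serve, args=(srv,), daemon=True).start()
    results = {}

    def worker(n):
        results[n] = peer(n, server_addr)

    workers = [threading.Thread(target=worker, args=(n,)) for n in ("A", "B")]
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    srv.close()
    return results


if __name__ == "__main__":
    print(run_demo())   # {'A': 'B', 'B': 'A'} when both holes are open
```

A peer only reports success once it has both received the other side's PUNCH and seen an ACK for its own, which is the "both gateways have added rules" state of step 8; a PUNCH that arrives before the peer has been told who its partner is (the message S sends in step 2) is ignored, which on a real NAT is the drop of step 4, and the sender simply keeps punching.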


TCP hole punching:
TCP hole punching also needs support from the NAT device.
The TCP process is the same as the UDP one in outline, but the TCP API makes the TCP procedure differ from UDP's.
TCP works in client/server mode: a port is normally used either to connect or to listen, so port reuse is required in order to take advantage of the local NAT's port mapping (set SO_REUSEADDR, and set SO_REUSEPORT as well on systems that support it).

Connection process (taking case 2 of UDP hole punching as the typical example):
The two peers A and B, each behind a NAT, bind their listen ports and then initiate a connection (connect) from that same port while also waiting for an incoming connection on it. Because A and B do not connect at exactly the same moment, suppose A's SYN reaches B's NAT before B has sent its own SYN; B's NAT mapping does not exist yet, so A's connection request fails. (The failure may be a refused connection or no connection at all: if the NAT returns RST or an ICMP error, the API reports a reset; some NATs just discard the SYN silently, which is better here. When the application sees the failure it must not close the socket, since closesocket() may cause the NAT to remove the port mapping; instead it keeps retrying after a short delay of 1-2 s.) When B's SYN then reaches A's NAT, A's NAT already has the mapping, so B's SYN passes through to A's listen port, the three-way handshake proceeds and the TCP connection is completed.

From the application's point of view, a successful connection can show up in two different ways (using the scenario above):
1. The connection appears as A's connect() returning success. That is, both ends' connect() calls complete the connection at the same time (TCP simultaneous open).
2. A completes the handshake with B through its listen port while its own connect attempts keep failing; the application obtains the connection via accept() and finally gives up on connect() (at that point it can closesocket(conn_fd)).
Most Linux and Windows protocol stacks show the second form.

There is one more issue: the connecting socket is bound to the host's listen port, and a peer may later have several such sockets. In theory a socket is identified by its five-tuple, the port number is only a logical number, and the transport layer can tell these sockets apart by their different five-tuples, but whether real stacks behave oddly here still needs more observation.
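The port-reuse trick described above, as an added example that is not from the original post: each peer sets SO_REUSEADDR and, where available, SO_REUSEPORT on both its listening socket and the socket it connects out with, and binds both to the same local port. It runs on loopback, so it shows the API behaviour rather than traversal: on a single host the two opposing connect() calls would collide on the same four-tuple, which is why only A connects while B accepts. The Peer class and the greeting message are my own.

```python
import socket
import threading


def reusable_tcp_socket():
    """TCP socket that may share its local port with another socket."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if hasattr(socket, "SO_REUSEPORT"):
        # Linux refuses to share a port with a listener on SO_REUSEADDR alone
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    return s


class Peer:
    """Listens on one port and also connects out from that same port, so a
    NAT in front of it would see a single private ip:port for both."""

    def __init__(self):
        self.listener = reusable_tcp_socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(2)
        self.port = self.listener.getsockname()[1]

    def connect_from_listen_port(self, remote, timeout=2.0):
        c = reusable_tcp_socket()
        c.bind(("127.0.0.1", self.port))   # same local port as the listener
        c.settimeout(timeout)
        c.connect(remote)   # a real punch retries on failure and never closes c
        return c

    def close(self):
        self.listener.close()


def demo():
    """A connects to B from A's listen port. B's accept() reports A's listen
    port as the remote port, and A's listener keeps working afterwards."""
    a, b = Peer(), Peer()
    seen = {}

    def acceptor():
        conn, addr = b.listener.accept()
        seen["remote"] = addr
        conn.sendall(b"hello from B")
        conn.close()

    t = threading.Thread(target=acceptor)
    t.start()
    conn = a.connect_from_listen_port(("127.0.0.1", b.port))
    data = conn.recv(64)
    t.join()
    conn.close()
    # A's listen socket is still live after the outgoing connection.
    probe = socket.create_connection(("127.0.0.1", a.port), timeout=2.0)
    inbound, _ = a.listener.accept()
    probe.close()
    inbound.close()
    a.close()
    b.close()
    return {"a_port": a.port, "remote_port_seen_by_b": seen["remote"][1], "data": data}
```

The remote port B sees equals A's listen port: that is the property a NAT needs, because its mapping was created for that private port and any inbound SYN from B will be matched against it. On Linux, binding a second TCP socket to a port that already has a listener requires SO_REUSEPORT on both sockets (and the same owning user); SO_REUSEADDR alone is only enough for TIME_WAIT reuse, hence the hasattr() check.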

2.3. Other issues

1. Hosts running Windows versions before XP SP2 do not handle TCP simultaneous open correctly, or their TCP sockets do not support SO_REUSEADDR. On such hosts it may be necessary for A and B to initiate the connection in a fixed order for it to complete.

The TCP connection process above is valid only for NAT types 1, 2 and 3 (full cone, address restricted cone and port restricted cone), not for type 4 (symmetric).
Because symmetric NATs usually allocate external ports in a regular pattern, port prediction can be used to punch through type 4.

2.4. Some common techniques

ALG (Application Layer Gateway): a device or plug-in that understands an application protocol such as SIP; in effect a gateway opened specifically for one application's traffic between the internal network and the outside, in other words a custom gateway. It mostly applies only to the application groups that use it internally.

UPnP: the gateway device exposes a globally routable IP address as a channel for the application, so the port problem is avoided. It requires the device to support UPnP and to have it enabled, but most of the time the feature is disabled for security reasons. Even where it is enabled, the practical effect has not been tested.

STUN (Simple Traversal of UDP through NATs): this approach is similar to the way server C is handled in the example above, and is a common approach today. The concrete implementation is much more complicated than described here; even just determining the gateway's NAT type is a lot of work. RFC 3489 describes it in detail.

TURN (Traversal Using Relay NAT): all data is exchanged through the server, so NAT is no obstacle, but server load, packet loss and latency are big problems. Many games currently use this approach to avoid NAT problems. It is not really peer-to-peer.

ICE (Interactive Connectivity Establishment): a combination of the techniques above, which obviously brings complexity.

