Design and implementation of NAT traversal module
The rapid growth of the Internet and the shortage of IPv4 addresses have led to the large-scale deployment of NAT devices, but this has also brought more and more end-to-end communication problems. In general, a NAT device allows a host on the intranet to actively send data to a host on the public network, but it prevents a host outside the intranet from actively sending data to a host inside it. Since many communicating parties sit behind different NAT devices, they generally communicate through a public-network server; to establish peer-to-peer communication, the NAT traversal problem must first be solved.
NAT is a device placed between the intranet and the public network. An IP address on the public network is globally unique, while an intranet IP address may be reused but must not appear on the public network [18]. The basic function of NAT is to use one or a few public IP addresses to let all hosts on the LAN access the Internet [19].
NAT implements the mapping between public addresses and intranet addresses, which can be summarized from two aspects: (1) when an IP packet from the intranet needs to flow out to the public network, NAT changes the packet's source IP address and port to a public address and port on the NAT's external interface; (2) when an IP packet from the public network needs to access intranet resources, NAT changes the packet's destination address and port to the intranet IP address and port.
Figure 3.1 Schematic diagram of a UDP packet passing through NAT
Figure 3.1 shows a UDP packet passing through NAT. The UDP packet is sent by intranet host A; when it arrives at the NAT, its source IP and port are rewritten. In the reverse direction, when host B sends a UDP packet to NAT A's public IP and port, the NAT automatically forwards it to host A.
3.1 NAT traversal scenario analysis
3.1.1 NAT types
The type of NAT device has a very important impact on NAT traversal. According to its port-mapping behaviour, NAT can be divided into the following four classes; the first three are collectively referred to as Cone NAT.
(1) Full Cone: NAT maps all requests from the same internal IP address and port to the same external IP address and port. Any external host can send IP packets to the internal host through this mapping.
(2) Restricted Cone: NAT maps all requests from the same internal IP address and port to the same external IP address and port. However, an external host with IP address X can send IP packets to the internal host only if the internal host has first sent an IP packet to X.
(3) Port Restricted Cone: similar to Restricted Cone, with the additional restriction of the port number. Only if the internal host has first sent an IP packet to the external host at IP address X, port P, can that external host send IP packets with source port P to the internal host.
(4) Symmetric NAT: This type differs from the above three in that when the same internal host uses the same port to communicate with external hosts at different addresses, NAT assigns that internal host a different mapping each time. Symmetric NAT does not guarantee a consistent binding between an internal address and a public IP and port across all sessions; instead, it assigns a new port number to each new session. So even different connections to the same external host receive different port numbers, usually the previous port number plus one.
Thus the conditions imposed by symmetric NAT are the most stringent, Port Restricted Cone and Restricted Cone come next, and Full Cone is the least stringent. Because network technology was adopted relatively late in China, it can be said that most deployed NATs are cone NATs [20].
3.1.2 Problems caused by NAT for peer-to-peer communication
The existence of NAT lets LAN users share one IP address to access the Internet, alleviates the shortage of IP addresses, and also acts as a firewall. But NAT also brings problems to the network: (1) the intranet host's IP address is private and not valid on the Internet, so the intranet host is not visible to the public network; (2) even if the IP address of a host inside the intranet is known, NAT still prevents a public host from actively accessing it; (3) an intranet host can act as a client to access the external network, but cannot act as a server providing services to the external network [21].
NAT causes these problems mainly because it does not allow external hosts to actively access internal hosts; this has the advantage of higher security, but at the same time it lowers the ability to provide services. Because of these restrictions, a public-network host cannot actively communicate across the NAT with an intranet host, hosts in a peer-to-peer network cannot find each other to exchange information, and in particular intranet machines behind different NATs cannot connect to each other. Without the ability to traverse NAT, a P2P network cannot achieve true peer equivalence, and it is impossible to exchange or share all information.
Traffic between hosts behind NAT is currently generally relayed by a server. For example, when client A and client B are behind different NATs, each initiates a TCP or UDP connection to a server S whose fixed IP address is known to everyone. Because A and B cannot connect directly, the two clients use server S to deliver messages: for A to send a message to client B, A simply sends the message to server S over its client/server connection, and S forwards it to client B over the client/server connection already established with B. The specific procedure for hosts behind NAT that have not established peer-to-peer communication is shown in Figure 3.2.
The advantage of this approach is that it works as long as both clients are connected to the server. Its obvious disadvantage is that it consumes the server's processing capacity and bandwidth, and even when the server's network condition is good there is a certain communication lag. So the scheme needs to be improved, and NAT traversal technology is proposed for this purpose.
Figure 3.2 Data transmission procedure for hosts behind NAT without a direct connection
The main purpose of NAT traversal is to allow communicating hosts behind NAT to set up a connection that bypasses the server's relay and communicates directly with the peer. This greatly saves network bandwidth, makes data transmission more stable, and reduces delay.
3.1.3 UDP traversal of cone NAT
UDP is a connectionless protocol that provides virtually no reliability measures, but it is very efficient. Unlike TCP, it does not need to establish a virtual connection before transmitting data, so a UDP endpoint can transmit data as long as it knows the IP address and UDP port of the other side.
In a peer-to-peer network using UDP data transmission, only the other host's public IP address and port need to be exchanged. Therefore a registration server with a public IP address is set up in the peer-to-peer network; every host must first log on to the registration server, which records the source IP address and port number of the login packet as that host's public IP address and UDP port. A mapping table is thus created on the registration server which records, for each logged-on host, the IP address and port number inside the intranet (intranet IP address:UDP port number) together with the public IP address and port number assigned by the NAT. If the host is not behind NAT, the two are the same. In this way each logged-on host has a unique (public IP address:UDP port number) on the Internet.
Figure 3.3 UDP traversal
When a host wants to communicate with another host, it first obtains the destination host's public IP address and port number from the registration server, and can then communicate with it directly; the actual data exchange does not involve the registration server, thereby achieving peer-to-peer communication across NAT.
When hosts A1 and B1 are located behind different NATs, they use UDP to traverse the NATs and establish direct communication as shown in Figure 3.3, according to the following procedure:
(1) A1 and B1 first log on to the public registration server and send their actual IP address and UDP port information to the server.
(2) The registration server records the source IP address and port of each login as the public IP address and port number, and extracts the IP address and port information carried in the received UDP data as the intranet IP address and port number. Two records are thus added to the mapping table on the registration server: A1: (192.168.1.2:2000) -> (10.10.10.10:2000), B1: (192.168.2.2:4000) -> (20.20.20.20:4000).
(3) From the mapping table on the registration server it can be seen that A1 and B1 are behind different NATs. When A1 wants to send a UDP message to B1, A1 sends a command to the server requesting that the server instruct B1 to punch a hole toward A1. The server sends the hole-punching command, carrying A1's public address 10.10.10.10:2000, to B1 at (20.20.20.20:4000). After receiving the command, B1 sends a message to A1's public address 10.10.10.10:2000. NAT A will discard this message (it is unsolicited, and for security reasons most NATs discard such packets), but a hole has now been punched in NAT B at 20.20.20.20:4000 for A1's external address. A1 then sends a message to 20.20.20.20:4000 and B1 receives it, after which A1 can communicate with B1 through B1's external address.
(4) At this point, hosts A1 and B1 behind two different NATs have traversed the NATs and achieved a direct peer-to-peer connection.
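The following is an added example, not code from the thesis: a small model of the four NAT types of 3.1.1 (mapping and inbound-filtering rules) that is then used to replay steps (1)-(4) of the UDP hole-punching procedure above with the thesis' own addresses. The registration server address 30.30.30.30:3478, the Nat class and the port-allocation rule (next free port per new session) are constructed for the simulation.

```python
"""Added example (not code from the thesis): a model of the four NAT types of
3.1.1 and of the UDP hole-punching steps of 3.1.3, using the thesis' own
addresses. The server address and the Nat class are constructed here."""
from dataclasses import dataclass, field

Endpoint = tuple[str, int]                      # (ip, port)
SERVER: Endpoint = ("30.30.30.30", 3478)        # constructed registration server

@dataclass
class Nat:
    """One NAT: outbound packets create mappings, inbound packets are admitted
    according to the filtering rule of the NAT type (full, restricted,
    port_restricted or symmetric)."""
    kind: str
    public_ip: str
    next_port: int
    mappings: dict = field(default_factory=dict)   # key -> public port
    seen: dict = field(default_factory=dict)       # public port -> destinations used

    def _key(self, src: Endpoint, dst: Endpoint):
        # Cone NATs map per internal socket; symmetric NAT maps per (socket, destination)
        return (src, dst) if self.kind == "symmetric" else src

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Rewrite an outbound packet; returns the public (ip, port) it leaves with."""
        key = self._key(src, dst)
        if key not in self.mappings:                 # new session: allocate next port
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.seen.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, public_port: int, remote: Endpoint):
        """Internal endpoint an inbound packet is delivered to, or None if filtered."""
        dests = self.seen.get(public_port)
        if dests is None:                            # no mapping: unsolicited, dropped
            return None
        if self.kind == "restricted":
            ok = any(d[0] == remote[0] for d in dests)   # same IP suffices
        elif self.kind == "full":
            ok = True
        else:
            ok = remote in dests                     # same IP and port required
        if not ok:
            return None
        key = next(k for k, p in self.mappings.items() if p == public_port)
        return key[0] if self.kind == "symmetric" else key

def mapped_ports(kind: str) -> list:
    """Public ports one internal socket gets when talking to two different peers."""
    nat = Nat(kind, "10.10.10.10", 2000)
    src = ("192.168.1.2", 2000)
    return [nat.outbound(src, ("1.1.1.1", 53))[1], nat.outbound(src, ("2.2.2.2", 53))[1]]

def punch(kind_a: str, kind_b: str) -> bool:
    """Steps (1)-(4) of 3.1.3; True if A1's first direct packet reaches B1."""
    nat_a, nat_b = Nat(kind_a, "10.10.10.10", 2000), Nat(kind_b, "20.20.20.20", 4000)
    a1, b1 = ("192.168.1.2", 2000), ("192.168.2.2", 4000)
    # (1)-(2) both log on; the server records the public sockets it sees
    table = {"A1": nat_a.outbound(a1, SERVER), "B1": nat_b.outbound(b1, SERVER)}
    # (3) server relays A1's public address to B1 as the hole command; B1 sends a
    #     packet to it, which opens NAT B toward A1 (NAT A may drop this packet)
    nat_a.inbound(table["A1"][1], nat_b.outbound(b1, table["A1"]))
    # A1 then sends to the address the server recorded for B1
    delivered = nat_b.inbound(table["B1"][1], nat_a.outbound(a1, table["B1"]))
    return delivered == b1                           # (4) direct connection achieved
```

Running punch() for each pair of types reproduces the page's conclusion: any two cone NATs succeed, while a symmetric NAT on B's side (or on A's side facing a Port Restricted Cone) fails because the port the server recorded is not the one used toward the peer.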
3.1.4 TCP traversal of cone NAT
For UDP traversal of NAT there are now some relatively standard and effective methods, such as the STUN protocol. However, the problem of TCP traversal of NAT is not yet fully solved; the methods that exist are still in the testing phase. This article introduces a current implementation of TCP traversal. The principle is that the two parties to a call are behind different NATs; each host behind NAT establishes an auxiliary connection (TCP or UDP) with the registration server on the public network, and when a call occurs the registration server helps the two parties establish a direct TCP connection.
For cone-type NAT, the method shown in Figure 3.4 can be used to solve the TCP traversal problem. The main process can be divided into four parts: establishing the auxiliary connection, querying the called party, TCP hole punching, and establishing the direct TCP connection.
3.1 Establishing the auxiliary connection
Each session user establishes a UDP connection to the registration server (hereinafter the auxiliary channel) and continuously sends UDP packets on it to keep itself active; the server records each user's ID (the user's unique identifier).
Figure 3.4 The "TCP punch" method for traversing NAT
(Note: In the diagram, message contents are in parentheses and the message path is in square brackets. For example, connection notification (C:V) udp[c:r > nb:q > b:p] indicates that the message content is the server address and port (C:V), and that the message goes from IP address C port R, through IP address NB port Q, to IP address B port P.)
3.2 Querying the called party
(1) Caller A establishes a TCP connection to the connection server C and sends the called party's ID, requesting the server's help in querying the called party's IP address and port. The server records the caller's IP address and port before and after NAT mapping (NA:N after mapping) and the port V used for this connection. The request is answered in step (3) of establishing the direct TCP connection.
(2) The connection server notifies the called party through the established auxiliary channel, sending a connection notification that carries the IP address and port (C:V) used to establish the TCP connection with the caller, i.e. it tells the called party to send a message back to that address and port.
(3) The called party replies to the connection request by establishing a TCP connection to the connection server, and the server records the called party's IP address and port before and after NAT mapping (NB:Y).
3.3 TCP hole punching
(1) The connection server returns the connection details to the called party, such as the caller's ID and the caller's NAT-mapped IP address and port (NA:N), and closes the TCP connection with the called party;
(2) The called party sends a TCP connection request to the caller's NAT-mapped IP address and port (NA:N).
(3) Depending on the NAT type described above, there are two scenarios: 1) in Full Cone mode, NAT A forwards the TCP message to the caller's intranet port M; because caller A has already used this port to establish a TCP connection with the connection server, A returns a "port in use" message; 2) in Restricted Cone or Port Restricted Cone mode, NAT A does not forward the message to the caller but instead returns an error message to the called party. If NAT B receives the error message and forwards it to called party B inside the intranet, the TCP connection terminates and the TCP punch fails. However, in most cases NAT B does not forward either of these two error messages to the intranet host, and the TCP punch is thus completed.
3.4 Establishing the direct TCP connection
(1) Called party B starts listening for TCP on port X and uses a different port G from the above to establish a TCP connection with the server, notifying the server that it has completed the TCP punch and is ready to make a direct TCP connection.
(2) The server sends the called party's (B:X) NAT-mapped IP address and port (NB:Y) to the caller and closes the TCP connection established with the caller.
(3) The caller (A:M) sends a TCP connection request to the above IP address and port (NB:Y) and can successfully establish a direct TCP connection with called party B.
3.1.5 UDP traversal of symmetric NAT
For cone-type NAT, because each session has a fixed mapped port, a client can establish a connection by indirectly obtaining the peer's public mapped IP and port through the registration server. For symmetric NAT, when host B's session toward host A is assigned a new port, the peer will not know that port and the client will not be able to establish a connection.
Symmetric NAT maps a new port in three main ways: the first adds 1 (or a fixed integer t, t>1) to the previously mapped port number; the second increments or decrements the previously mapped port number by a value randomly generated within a small range; the third generates the port randomly within (1024, 65535). The first mapping method is the most common, followed by the second and then the third. If the UDP port can be guessed, a connection can possibly be established.
At present, a researcher has proposed a random guessing method based on the regularity of port mapping to guess the UDP port. The algorithm is designed to determine the mapping method of the target party's NAT: the client initiating the access (say A) queries the server S for the last three registrations that map to the same global address as the target client (say B), for example 202.1.1.1. If these port numbers increase and the port number of the most recently registered client (call it P0) is the largest, then by "decision 1" the symmetric NAT most likely uses the first mapping method, and possibly the second or third. If the most recently registered port number is not the maximum, then by "decision 2" the symmetric NAT must use the second or third mapping method. In the extreme case where fewer than three intranet hosts on B's side (including B) are registered at S with the address 202.1.1.1: if only B is registered, it is handled as a "decision 1" case; if there are two registrations, the mapping method is still determined by whether the last mapped port number is the larger one.
During port probing, it is necessary to determine whether the port has been guessed correctly. When A and B send to each other, their NATs map their respective global sockets as [IPA:PA] and [IPB:PB]. If the destination port of the message sent by A is changed to PB, that is, A guesses B's port first, B's NAT discards A's message, but a session [IPA:PA, IPB:PB] is now established on A's side. During the lifetime of this session, if B also guesses A's port PA, then B's guess message can reach A and receive a response message; A receives B's guess message. That is, when either party receives a guess message or a response message, both sides have guessed the other's port. If A guesses B's port first and B does not guess A's within the session lifetime, then A does not know that it has guessed correctly and continues to send guess messages to B.
3.1.6 Analysis of NAT traversal schemes
For symmetric NAT, traversal must be completed with the assistance of address detection techniques [22]. Recent research shows that there are few symmetric NAT products on the market and that NAT vendors are trying to reduce the use of symmetric mapping, recognizing that it poses a significant barrier to end-to-end communication. Considering that most currently deployed NATs are cone type, which satisfies the marketization needs of the later two-way transparent conversion module, cone-type NAT is chosen as the traversal target. Current UDP NAT traversal technology is mature and standardized, while TCP NAT traversal has had successful experiments but is relatively unstable. Considering that this subject is application-oriented, that the system requires stability, and that the network data volume is small, UDP can meet the requirements. Through comparison, UDP traversal of cone-type NAT is adopted to implement peer-to-peer communication between serial devices behind NAT.
3.2 Analysis and design of heartbeat packets
3.2.1 Heartbeat packet analysis
UDP is a connectionless protocol, and the NAT mapping of UDP traffic is dynamic: after a period of time, if the intranet host behind NAT no longer sends or receives data, the mapped IP address and port number change, the mapping is automatically released, and the assigned UDP port number is reclaimed by the NAT and reassigned to another connection. As a result, the mapping table on the registration server becomes invalid and the host can no longer be reached by other hosts, so the NAT mapping must be prevented from changing dynamically.
In order to maintain the NAT's UDP mapping, the host behind NAT can periodically send UDP messages that keep the mapping alive in the NAT, ensuring that the UDP port assigned by the NAT to the host is not reclaimed. The destination of these messages is the Internet-legal IP address and UDP port that the NAT assigned to the host when it logged on to the registration server. Because of UDP's connectionless nature, any message sent to that Internet-legal IP address and UDP port is forwarded by the NAT to the corresponding intranet host, so this is equivalent to the host sending a UDP message to itself; the host discards such messages directly on receipt, and in this way the mapping is maintained.
3.2.2 Heartbeat packet design
In completing the UDP traversal process, the heartbeat packet is an essential part of the design. In theory, NAT closes a UDP mapping after a certain amount of time, so to maintain communication with the other side the host must send UDP heartbeat packets to keep the mapping from being closed. The heartbeat packet content can be self-defined, or it can be an empty packet. In this design, two timers are used to send heartbeat packets. Initially the second timer is off and the first timer is responsible for sending heartbeat packets to the server to maintain the connection with the server; after the hole-punching command is received, the first timer is stopped (heartbeats to the server cease) and the second timer is enabled, which is responsible for sending heartbeat packets to the peer host.
The heartbeat packet send interval also needs attention. If the interval is too long, the mapping will be closed and the heartbeat packet cannot fulfil its role; if the interval is too short, too much data is sent, consuming a lot of network bandwidth and wasting resources. In this design, after extensive testing, a heartbeat interval of 20 seconds was found to be appropriate.
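The following is an added example, not code from the thesis, illustrating 3.2.1 and 3.2.2 together: a discrete-time simulation of a NAT UDP mapping with an idle timeout, and a host running the two-timer heartbeat design (timer 1 toward the server, timer 2 toward the peer after the hole command). The 60 s idle timeout, the time at which the hole command arrives and the class names are constructed; the 20 s interval is the page's value.

```python
"""Added example (not code from the thesis): the two-timer heartbeat design of
3.2.2 run against a NAT UDP mapping that expires when idle (3.2.1). The idle
timeout and the arrival time of the hole command are constructed values."""

class NatMapping:
    """One UDP mapping with an idle timer: any packet through it refreshes it;
    with no traffic for idle_timeout seconds the NAT reclaims the port."""
    def __init__(self, idle_timeout: int):
        self.idle_timeout = idle_timeout
        self.last_traffic = 0
        self.alive = True

    def check(self, now: int) -> bool:
        """Expire the mapping if it has been idle too long; return liveness."""
        if self.alive and now - self.last_traffic >= self.idle_timeout:
            self.alive = False              # port reclaimed, peers can no longer reach us
        return self.alive

    def traffic(self, now: int) -> None:
        """A packet passes through the mapping (only refreshes a live mapping)."""
        if self.check(now):
            self.last_traffic = now

class HeartbeatHost:
    """Host behind NAT: timer 1 sends heartbeats to the registration server,
    timer 2 to the peer. Only one runs at a time; the hole command switches them."""
    def __init__(self, interval: int):
        self.interval = interval
        self.timer_server_on = True        # initial state per the design
        self.timer_peer_on = False
        self.sent = []                     # log of (time, destination)

    def on_hole_command(self) -> None:
        self.timer_server_on, self.timer_peer_on = False, True

    def tick(self, now: int):
        """Return "server" or "peer" if a heartbeat is due now, else None."""
        if now % self.interval != 0:
            return None
        dest = "server" if self.timer_server_on else ("peer" if self.timer_peer_on else None)
        if dest is not None:
            self.sent.append((now, dest))
        return dest

def simulate(interval: int, idle_timeout: int, hole_at: int, end: int) -> dict:
    """Advance a 1 s clock from 0 to end; report whether the mapping survived
    and which heartbeats were sent."""
    mapping, host = NatMapping(idle_timeout), HeartbeatHost(interval)
    for now in range(end + 1):
        if now == hole_at:
            host.on_hole_command()         # server's hole command arrives
        if host.tick(now) is not None:
            mapping.traffic(now)           # heartbeat crosses the NAT mapping
        mapping.check(now)
    return {"alive": mapping.alive, "sent": host.sent}
```

With a 20 s interval the mapping survives and the heartbeats switch from the server to the peer after the hole command; with an interval longer than the idle timeout the mapping is reclaimed and later heartbeats no longer refresh anything, which is the failure the text warns about.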
Introduction to the principle of UDP hole punching