NAT traversal using the TCP protocol

Source: Internet
Author: User

For a long time, people have been told to use UDP hole punching for NAT traversal, and hardly anyone explains how to do it with TCP (some will even tell you that TCP cannot traverse NAT at all). Yet we all know that UDP is a connectionless datagram protocol: you have to maintain the integrity of the packets you send and receive yourself, which often greatly increases the complexity of the program, and some programs must use TCP for other reasons, so many developers of TCP network programs turn pale at the mere mention of NAT traversal. So, can TCP be used for NAT traversal? The answer is that it can: TCP not only traverses NAT, it does so more easily than UDP.

To learn how TCP traverses NAT, we should first look at how UDP does it.

Suppose we have two clients A and B on two different LANs, and each LAN is connected to the Internet through a router. There is a server S on the Internet.

At present, A and B cannot send messages to each other directly. Neither knows the other's real IP address and port on the Internet, and the routers of the LANs where A and B sit only allow traffic that originates from the inside to pass. A message sent by B directly to A's router is regarded by that router as "untrusted" and simply discarded.

To achieve direct communication between A and B, three steps are required:
① A first connects to the server S on the Internet and sends a message (for a connectionless protocol such as UDP, a message can simply be sent without a prior session). From this, S learns A's actual endpoint on the Internet (the IP address and port number the message was sent from).
② B does the same, and S now knows the Internet endpoints of both A and B (this is "hole punching").
③ S then tells each client the other's actual Internet endpoint: A receives B's session endpoint, and B receives A's session endpoint.
Once A and B know each other's actual endpoints, they can send messages to each other directly (because both parties have already sent traffic outward, each router already has a mapping that lets the data through).

There is no theoretical problem implementing the three steps above with UDP: UDP is connectionless and allows a socket to communicate "many-to-one" (several sockets with different IP addresses and port numbers can send to one receiving socket). With TCP, however, a problem appears:
In general, a TCP socket does not allow you to listen on, or otherwise reuse, a local port on which a connection has already been established. In other words, once A and B have connected to server S and S has told each of them the other's actual endpoint, the next step should be for A and B to connect directly using those endpoints; but you will find that the endpoint is occupied (the session with server S holds it), and listen and connect cannot be used on it at the same time. This is why many people conclude that TCP cannot traverse NAT.

The key to the problem is how to reuse a TCP connection's local endpoint. This is not a protocol issue but an API issue. Fortunately, all mainstream operating systems support a specific socket option, SO_REUSEADDR, which allows several sockets to be bound to the same local endpoint. When we create a socket, we only need to add the following line:

int flag = 1;
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &flag, sizeof(flag)); // C/C++

_client.SetSocketOption(SocketOptionLevel.Socket, SocketOptionName.ReuseAddress, True) ' VB.NET, simpler still

With the above understood, the TCP traversal process is as follows:

The machine layout is the same as in the UDP case. Assume client A wants to establish a TCP connection with client B.

First, A and B each establish a connection to server S, and S records the actual Internet endpoints of A and B. S then sends each of them the other's actual endpoint.
Next, on the very local ports A and B used to connect to S, both A and B call connect asynchronously towards the other's endpoint (the one reported by S), and at the same time both listen for incoming connections on that same local port (you can also listen first and then connect, which works better). Since both parties send a connect request to the other (assume each SYN has passed through its own NAT), when the other party's connect request reaches the local listening port, the router treats it as part of the connect session that was just started and lets it through; the local listening port replies with a SYN-ACK and accepts the connection. In this way, a point-to-point TCP connection through NAT is established.
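The whole procedure run on loopback, as an added example that is not part of the original article: a rendezvous server S records where each client connected from (steps ① to ③), and each client then listens on, and connects from, the same port it used toward S. All addresses are constructed, there is no NAT between the parties, and the block also sets SO_REUSEPORT where the OS has it, because on Linux SO_REUSEADDR alone will not let a new socket bind a port that already has a listener.

```python
import socket, threading

def reusable_socket(local_port=0):
    # SO_REUSEADDR lets several sockets share one local port; SO_REUSEPORT too where the OS offers it
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if hasattr(socket, "SO_REUSEPORT"):
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    s.bind(("127.0.0.1", local_port))  # constructed demo: everything lives on loopback, no NAT is crossed
    return s

def rendezvous_server(srv):
    # server S: accept two peers, note the endpoint each arrived from, tell each one the other's
    peers = [srv.accept() for _ in range(2)]
    for i, (conn, _) in enumerate(peers):
        host, port = peers[1 - i][1]  # the other peer's endpoint exactly as S observed it
        conn.sendall(f"{host}:{port}\n".encode())
        conn.close()

def read_peer(s):
    # step 3 on the client: the peer endpoint reported by S
    host, port = s.makefile().readline().strip().rsplit(":", 1)
    return host, int(port)

def connect_from(local_port, peer):
    # connect to the peer from the port already used toward S; None if that port pair is already connected
    c = reusable_socket(local_port); c.settimeout(3)
    try:
        c.connect(peer)
        return c
    except OSError:
        c.close()
        return None

def demo():
    srv = reusable_socket(); srv.listen(2)
    threading.Thread(target=rendezvous_server, args=(srv,), daemon=True).start()
    a, b = reusable_socket(), reusable_socket()        # steps 1 and 2: each client connects to S
    a.connect(srv.getsockname()); b.connect(srv.getsockname())
    a_port, b_port = a.getsockname()[1], b.getsockname()[1]
    a_peer, b_peer = read_peer(a), read_peer(b)
    a_ls, b_ls = reusable_socket(a_port), reusable_socket(b_port)  # listen on the very ports S saw
    a_ls.listen(1); b_ls.listen(1); b_ls.settimeout(3)             # both listen first: loopback has no NAT race
    a_out = connect_from(a_port, a_peer)  # A's SYN leaves from a_port and lands on B's listener
    b_out = connect_from(b_port, b_peer)  # B's own attempt finds that pair of ports already connected
    b_in, seen_by_b = b_ls.accept()
    a_out.sendall(b"hello from A")
    return {"a_port": a_port, "b_port": b_port, "a_peer": a_peer, "b_peer": b_peer,
            "seen_by_b": seen_by_b, "b_out": b_out, "msg": b_in.recv(64)}
```

On loopback only one connection can exist between the two ports, so B's own connect attempt returns None and the A-to-B connection is the one that carries data; behind real NATs the two SYNs race, and whichever side's listener receives the peer's SYN accepts it.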
