NAT type description and type detection

Source: Internet
Author: User

Original article:

Http://choudaxian.blog.163.com/blog/static/1900141120090122925744/

(1) Full Cone: the NAT maps all requests from the same internal IP address and port to the same external IP address and port. Any external host can send IP packets to the internal host through that mapping.

(2) Restricted Cone: the NAT maps all requests from the same internal IP address and port to the same external IP address and port. However, an external host with IP address X can send an IP packet to the internal host only if the internal host has previously sent an IP packet to address X.

(3) Port Restricted Cone: like a restricted cone, but the restriction extends to the port number. An external host X:P can send an IP packet with source port P to the internal host only if the internal host has previously sent an IP packet to X:P.

(4) Symmetric NAT: this type differs from the three above. When the same internal host uses the same port to communicate with external hosts at different addresses, the NAT creates a different mapping for each of them. A symmetric NAT does not keep the private-to-public binding constant across sessions; it allocates a new external port for each new session (each new internal endpoint / external destination pair).

STUN stands for Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (RFC 3489). Its main job is to find out whether the client is behind a NAT and, if so, which address and port the NAT has translated it to; it can also be used to determine the NAT type. (RFC 5389 later redefined STUN as Session Traversal Utilities for NAT and dropped the NAT-type classification, but the classic classification is what the detection procedure at the end of this article describes.)
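The STUN exchange just described, as an added example that is not part of the original article: the client builds a Binding Request, the server answers with the source address and port it saw, and the client reads back its mapped address, which is what Step 1 of the detection procedure later in this article relies on. The framing follows RFC 5389 (magic cookie, XOR-MAPPED-ADDRESS), with the plain MAPPED-ADDRESS attribute of the original RFC 3489 STUN also accepted. All function names are the example's own; `query()` is the only part that touches the network, and the `__main__` demo runs offline against a constructed reply that reuses the article's 210.21.12.140:8000 mapping.

```python
import os
import socket
import struct

# STUN constants (RFC 5389); MAPPED_ADDRESS is the older RFC 3489 attribute.
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
MAPPED_ADDRESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0020
IPV4 = 0x01
HEADER = struct.Struct("!HHI12s")   # type, attribute length, cookie, transaction id


def binding_request(transaction_id=None):
    """A Binding Request is just the 20-byte header: no attributes are needed.
    Returns (bytes_to_send, transaction_id) so the reply can be matched later."""
    tid = transaction_id or os.urandom(12)
    return HEADER.pack(BINDING_REQUEST, 0, MAGIC_COOKIE, tid), tid


def binding_response(tid, ip, port, xor=True):
    """What the server sends back: the source (ip, port) it saw on the request.
    Used here to construct an offline reply; a real server does the same thing."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    if xor:   # XOR-MAPPED-ADDRESS: port and address are XORed with the cookie
        attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, IPV4,
                           port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)
    else:     # legacy MAPPED-ADDRESS: sent in the clear
        attr = struct.pack("!HHBBHI", MAPPED_ADDRESS, 8, 0, IPV4, port, addr)
    return HEADER.pack(BINDING_SUCCESS, len(attr), MAGIC_COOKIE, tid) + attr


def parse_binding_response(data, expected_tid):
    """Return the (ip, port) the server saw, i.e. the NAT's external mapping.
    Rejects replies that are not ours: wrong type, cookie or transaction id."""
    if len(data) < HEADER.size:
        raise ValueError("short STUN header")
    msg_type, length, cookie, tid = HEADER.unpack(data[:HEADER.size])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding success response")
    if tid != expected_tid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if len(data) < HEADER.size + length:
        raise ValueError("truncated attributes")
    body, pos, plain = data[HEADER.size:HEADER.size + length], 0, None
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        pos += 4 + (attr_len + 3) // 4 * 4            # values are padded to 4 bytes
        if attr_type not in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) or len(value) != 8:
            continue                                   # skip unknown and IPv6 attributes
        _, family, port, addr = struct.unpack("!BBHI", value)
        if family != IPV4:
            continue
        if attr_type == XOR_MAPPED_ADDRESS:            # undo the XOR and prefer this form
            ip = socket.inet_ntoa(struct.pack("!I", addr ^ MAGIC_COOKIE))
            return ip, port ^ (MAGIC_COOKIE >> 16)
        plain = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    if plain is None:
        raise ValueError("no mapped address in response")
    return plain                                       # legacy MAPPED-ADDRESS fallback


def query(server, timeout=0.3, attempts=3):
    """Live version of the article's first step: send, wait 300 ms, retry a few times.
    Returns the mapped (ip, port) or None if nothing usable came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        req, tid = binding_request()
        for _ in range(attempts):
            sock.sendto(req, server)
            try:
                data, _ = sock.recvfrom(2048)
                return parse_binding_response(data, tid)
            except (socket.timeout, ValueError):
                continue                               # timeout or foreign packet: retry
    return None


if __name__ == "__main__":
    # Offline round trip with a constructed reply: the NAT mapped us to 210.21.12.140:8000.
    req, tid = binding_request()
    print(parse_binding_response(binding_response(tid, "210.21.12.140", 8000), tid))
```

Checking the transaction ID is not cosmetic: anyone who can inject UDP packets towards the client could otherwise hand it a false mapped address and derail the later hole-punching exchange. For the Step 1 comparison the caller still has to know its own local address; `getsockname()` on an unbound UDP socket only reports 0.0.0.0 and the ephemeral port, so the local IP has to be taken from the interface configuration.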

 

Suppose machine A is talking to machine B: A (192.168.0.4:5000) -> NAT (translated to 210.21.12.140:8000) -> B (210.15.27.166:2000). A has never communicated with machine C. The different NAT types then behave as follows:

Cone NAT

Full cone NAT: C sends data to 210.21.12.140:8000 and the NAT forwards the packets to A (192.168.0.4:5000), because a mapping between 192.168.0.4:5000 and 210.21.12.140:8000 exists on the NAT. (That is, a host on the Internet can actively connect to a host on the intranet.)

Restricted cone NAT: C cannot communicate with A, because A has never communicated with C; the NAT rejects C's attempt to connect. B, however, can reach A's 192.168.0.4:5000 through 210.21.12.140:8000, and B may use any of its ports to do so: for example 210.15.27.166:2001 -> 210.21.12.140:8000 is still forwarded by the NAT to A's port 5000.
(That is, a host on the Internet that A has not contacted cannot establish a connection to the intranet host, but the connection A already opened to B keeps working, and B may change its port number and still reach A.)

Port restricted cone NAT: C cannot communicate with A, because A has never communicated with C. B can reach A's 192.168.0.4:5000 only from 210.15.27.166:2000, because A has never communicated with any other port of B; this NAT type also filters on the port. (That is, A and B must keep talking exactly as the connection was set up, B cannot change its port number, and a host on the Internet cannot initiate a connection to the intranet host.)

Symmetric NAT: the three types above are collectively called cone NATs and share one property: as long as packets come from the same internal address and port, the NAT translates them to the same external address and port. A symmetric NAT is slightly different. Packets from the same internal address and port to the same external destination address and port are translated to the same external address and port, but packets from that same internal address and port to a different external destination get a different mapping, that is, a different external port (there is only one external address). As with a port restricted cone, only the external address and port that has already received a packet from the internal address can send packets back to the internal address through that NAT mapping.

Here is an example of symmetric NAT:

Machine A is talking to machine B: A (192.168.0.4:5000) -> NAT (translated to 210.21.12.140:8000) -> B (210.15.27.166:2000).

If machine A (192.168.0.4:5000) now also wants to talk to machine C (210.15.27.140:2000), a new mapping is created on the NAT, for example A (192.168.0.4:5000) -> NAT (210.21.12.140:8001) -> C (210.15.27.140:2000). Now B can reach A (192.168.0.4:5000) only from its 210.15.27.166:2000 and only through the NAT's 210.21.12.140:8000,
and C can reach A (192.168.0.4:5000) only from its 210.15.27.140:2000 and only through the NAT's 210.21.12.140:8001. Other ports of B or C cannot communicate with A (192.168.0.4:5000).

 

 

Symmetric NAT

    [202.223.98.78:9696]   [202.223.98.78:9696]   [202.223.98.78:9696]
              ^                      ^                      ^
              |                      |                      |
            :9883                  :9882                  :9881
               \                     |                     /
                                  [ NAT ]
                                    ^
                                    |
                                    v
                          [192.168.0.6:1827]

Symmetric NAT is symmetric in the sense that the single internal endpoint 192.168.0.6:1827 is given a separate external port (9881, 9882, 9883) for each session to an outside host; the sessions run in parallel, one mapping per destination, and there is no single external port an outside host could reuse.

 

Intranet (private) address ranges

10.0.0.0 ~ 10.255.255.255, 172.16.0.0 ~ 172.31.255.255, 192.168.0.0 ~ 192.168.255.255 (RFC 1918).

 

Steps for detecting the NAT type:

Link: http://www.cnblogs.com/my_life/articles/1908552.html

Prerequisites: a server on the public network with two public IP addresses (IP-1, IP-2) bound to it. The server listens on UDP at (IP-1, Port-1) and (IP-2, Port-2) and answers according to what the client asks for: echo back the client's source address and port, reply from the other address pair, or (for Step 4) reply from IP-1 using a port other than Port-1.

Step 1:

Can the client do UDP communication at all, and is it behind a NAT?

The client creates a UDP socket and uses it to send a packet to the server (IP-1, Port-1), asking the server to return the client's IP and port as the server sees them. Immediately after sending, the client waits for the reply with a socket timeout (300 ms) so that it does not block forever, and repeats the attempt several times. If every attempt times out and no reply from the server arrives, the client cannot do UDP communication, usually because a firewall or the NAT is blocking it, and such a client cannot take part in P2P (detection stops).

If the client does receive a reply, it compares the (IP, Port) returned by the server with its own socket's (localip, localport). If they are the same, the client is not behind a NAT: it has a public IP address and can simply listen on a UDP port to receive data (detection stops; RFC 3489 additionally runs the Step 2 test at this point to tell an open host from one behind a UDP firewall that drops unsolicited inbound packets). Otherwise the client is behind a NAT and continues with NAT type detection (continue).

Step 2:

Is the client's NAT a full cone NAT?

The client creates a UDP socket and sends a packet to the server (IP-1, Port-1), asking the server to reply from its other address pair (IP-2, Port-2). Immediately after sending, the client waits for the reply with a 300 ms socket timeout and repeats the attempt several times. If the request times out and no reply arrives, the client's NAT is not a full cone NAT and the exact type needs further detection (continue). If a reply arrives from the server's (IP-2, Port-2), the client is behind a full
cone NAT, which allows UDP P2P communication (detection stops).

Step 3:

Is the client's NAT a symmetric NAT?

The client creates a UDP socket and sends a packet to the server (IP-1, Port-1), asking it to return the client's IP and port. It waits for the reply with a 300 ms socket timeout and repeats until a reply arrives (one must arrive, since Step 1 established that the client can do UDP communication).

Using the same socket, the client then sends a packet to the server (IP-2, Port-2) in the same way, again asking for its IP and port.
The client compares the two (IP, Port) values returned by the server in the two exchanges. If they differ, the client is behind a symmetric NAT, and such a client cannot do UDP P2P (detection stops; see the note at the end). If they are the same, the NAT is a restricted cone or port restricted cone NAT, and which of the two remains to be determined (continue).

Step 4:

Is the client's NAT a restricted cone or a port restricted cone NAT?

The client creates a UDP socket and sends a packet to the server (IP-1, Port-1), asking the server to reply from IP-1 but from a port different from Port-1. Immediately after sending, the client waits for the reply with a 300 ms socket timeout and repeats the attempt several times. If the reply times out and nothing arrives from the server, the client is behind a port restricted cone NAT. If the reply arrives, the client is behind a restricted
cone NAT. Both types can be used for UDP P2P communication.

Note: the procedure above only tells whether UDP P2P hole punching is possible at all; the actual communication is normally set up through a rendezvous server. Also, a symmetric NAT does not make UDP P2P hole punching impossible: the next external port can be predicted and punched, but success is not guaranteed. Finally, real NATs do not always fall cleanly into these four classes, because mapping behaviour and filtering behaviour can vary independently; this is why RFC 5389 dropped the classification and RFC 5780 replaced it with separate mapping and filtering tests. Treat the result of this procedure as a hint about the NAT, not as a guarantee.
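The A/B/C scenario from the first half of the article and the four detection steps above, as one added example that is not part of the original article. It models each NAT type as a mapping table plus an inbound filter, replays the A/B/C scenario to show which outside endpoints can still reach A, and then runs Steps 1 to 4 against a simulated two-address server to recover the configured type. The addresses of A, B, C and the NAT are the article's; the server addresses (203.0.113.1 and 203.0.113.2 on ports 3478 and 3479), the class and function names, and the assumption that the client uses one socket throughout are the example's own.

```python
from itertools import count

FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = (
    "full cone", "restricted cone", "port restricted cone", "symmetric")
NO_NAT, BLOCKED = "no NAT", "UDP blocked"

# Constructed STUN server: two public IPs (documentation range), each with its own port.
IP1, IP2, PORT1, PORT2 = "203.0.113.1", "203.0.113.2", 3478, 3479


class Nat:
    """A NAT with one public IP. Cone NATs create one mapping per internal
    (ip, port); a symmetric NAT creates one per (internal endpoint, destination)."""

    def __init__(self, kind, public_ip="210.21.12.140", first_port=8000):
        self.kind = kind
        self.public_ip = public_ip
        self.free_ports = count(first_port)
        self.mappings = {}      # mapping key -> external port
        self.sessions = set()   # (external port, destination) pairs seen outbound

    def _key(self, src, dst):
        return (src, dst) if self.kind == SYMMETRIC else (src,)

    def outbound(self, src, dst):
        """Internal src sends to external dst; returns the external (ip, port) used."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = next(self.free_ports)
        port = self.mappings[key]
        self.sessions.add((port, dst))
        return (self.public_ip, port)

    def inbound(self, ext_port, src):
        """External src sends to (public_ip, ext_port). Returns the internal
        endpoint the packet is delivered to, or None if the NAT drops it."""
        keys = [k for k, p in self.mappings.items() if p == ext_port]
        if not keys:
            return None                               # no mapping for this port
        talked_to = {dst for p, dst in self.sessions if p == ext_port}
        if self.kind == RESTRICTED and src[0] not in {ip for ip, _ in talked_to}:
            return None                               # filtered on source address
        if self.kind in (PORT_RESTRICTED, SYMMETRIC) and src not in talked_to:
            return None                               # filtered on address and port
        return keys[0][0]                             # delivered (full cone never filters)


def abc_scenario(kind):
    """The article's example: A talks to B:2000 once, then B (from its original
    port and from port 2001) and C try to reach A through that mapping."""
    nat = Nat(kind)
    A, B, C = ("192.168.0.4", 5000), ("210.15.27.166", 2000), ("210.15.27.140", 2000)
    ext = nat.outbound(A, B)

    def reaches_a(src):
        return nat.inbound(ext[1], src) == A

    return {"B:2000": reaches_a(B), "B:2001": reaches_a((B[0], 2001)), "C:2000": reaches_a(C)}


def stun_exchange(nat, client, to, reply_from):
    """One request through the NAT to `to`; the server echoes the source it saw,
    replying from `reply_from`. Returns the echoed mapping, or None if the reply
    is dropped on the way back (the client's 300 ms timeout would fire)."""
    if nat is None:                                   # public client: nothing to translate
        return client
    mapped = nat.outbound(client, to)
    return mapped if nat.inbound(mapped[1], reply_from) == client else None


def detect(nat, client=("192.168.0.4", 5000)):
    """Steps 1 to 4 of the article (RFC 3489 Tests I, II and III) on one socket."""
    s1, s2, s1_other_port = (IP1, PORT1), (IP2, PORT2), (IP1, PORT2)
    mapped = stun_exchange(nat, client, s1, s1)                   # Step 1: echo test
    if mapped is None:
        return BLOCKED                                            # (firewall not modelled)
    if mapped == client:
        return NO_NAT
    if stun_exchange(nat, client, s1, s2) is not None:            # Step 2: reply from IP-2:Port-2
        return FULL_CONE
    if stun_exchange(nat, client, s2, s2) != mapped:              # Step 3: mapping per destination?
        return SYMMETRIC
    if stun_exchange(nat, client, s1, s1_other_port) is not None:  # Step 4: same IP, other port
        return RESTRICTED
    return PORT_RESTRICTED


if __name__ == "__main__":
    for kind in (FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(f"{kind:21} reachable: {abc_scenario(kind)}  detected: {detect(Nat(kind))}")
    print("public client:", detect(None))
```

The model makes the two dimensions of the classic classification explicit: `outbound()` captures mapping behaviour (one external port per internal endpoint, or one per destination), and `inbound()` captures filtering behaviour (none, by address, or by address and port). Real devices mix these independently, which is exactly why the four labels, and the detection that relies on them, should be read as an approximation.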
