Source code download: http://www.ppcn.net/upload/2005_08/05080425299104.rar
Reference: http://midcom-p2p.sourceforge.net/draft-ford-midcom-p2p-01.txt
Principles and implementation of P2P UDP-based NAT traversal (shootingstars)
Description:
There are only a few Chinese documents on UDP-based NAT traversal available online; the one by shootingstars has real practical value. I have been working on P2P for nearly two years; my representative work is the individually developed BitTorrent download software FlashBT (Abnormal Express Train). Anyone interested in P2P downloading or P2P development can visit the software's official homepage, http://www.hwysoft.com/chs/, and take a look; there may be something of use there. The main reason for writing this article is laziness: answering users' questions once, in writing, saves their time and makes it easier for users interested in P2P UDP traversal to read and understand. If you are interested or experienced in this area, you can e-mail me or leave a message on my blog: http://hwycheng.blogchina.com. You may reprint this article freely, but please keep this description.
Thanks again to shootingstars for the early contribution.
What is NAT (the IP Network Address Translator), and why does it matter?
For NAT, see RFC 1631, http://www.faqs.org/rfcs/rfc1631.html, which is the most authoritative definition and explanation of NAT. Network terminology is abstract and hard to grasp; unless you are a professional, the name alone tells you little about what NAT does.
To understand what NAT does, you first need to understand the two categories of IP addresses. The first is the private IP address, which in this article we call an intranet IP address; the second is the non-private IP address, which we call a public IP address. For an introduction to the concept and function of IP addresses, see my other article: http://hwycheng.blogchina.com/2402121.html
Intranet IP address: an address from the private ranges reserved within classes A, B and C (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, per RFC 1918). Such an address is not globally unique and therefore cannot be reached directly by other hosts on the Internet. Public IP address: a globally unique IP address that other hosts can reach directly.
NAT was originally designed to let computers that have only intranet IP addresses reach the external network through a few public IP addresses. For an IP packet sent from an intranet computer to the external network, NAT rewrites the source IP address to one of NAT's public IP addresses, leaves the destination IP address unchanged, and forwards the packet to the router. For a packet coming back from the external computer, it rewrites the destination IP address to the intranet IP address, leaves the source IP address unchanged, and delivers the packet to the intranet computer.
Figure 1: NAT lets computers with private IP addresses share a few public IP addresses to access the Internet.
As networks spread, the limitations of IPv4 became apparent: public IP addresses became a scarce resource. The limitations of plain NAT showed at the same time, since one public IP address can be used by only one private-address computer at a time. NAPT (the IP Network Address/Port Translator) was born to let many private IP addresses share a single public IP address for Internet access, which temporarily relieves the shortage of IPv4 addresses.
NAPT rewrites the source IP address of an outgoing TCP/UDP packet to NAPT's public IP address and the source port to a port of NAPT's own; the destination IP address and port are unchanged, and the packet goes to the router and finally to the external computer. For the packet returned by the external computer, it rewrites the destination IP address to the intranet computer's IP address and the destination port to the intranet computer's port; the source IP address and port are unchanged, and the packet is delivered to the intranet computer.
Figure 2: NAPT lets computers with private IP addresses share one public IP address to access the Internet.
NAPT is everywhere in work and daily life: most company networks use one or more NAPT-capable routers to connect all the company's computers to the Internet, and as I write this I am on an IBM laptop at home reaching the Internet through a desktop with a broadband connection. The rest of this article focuses on NAPT.
Why does NAPT (the IP Network Address/Port Translator) get in the way of P2P software?
NAPT's design means that only computers behind the NAPT can initiate access to hosts outside it; an external host that wants to establish a connection directly to a computer behind NAPT is not allowed to. For IM (instant messaging) this means that a computer behind NAPT and a computer outside it can only exchange data through the server. For a P2P download program it means that a computer behind NAPT cannot accept connections from outside, so it ends up with too few connections and downloads slowly. A problem P2P software must therefore solve, at least to some degree, is that a computer behind NAPT cannot be connected to from outside.
How does UDP traversal of NAT (the IP Network Address Translator) work?
TCP and UDP are the main transport protocols of TCP/IP: TCP is a reliable, connection-oriented transport protocol, UDP an unreliable, connectionless one. Because of how the two protocols are implemented, NAPT traversal mainly means the UDP protocol. TCP traversal is also possible, but it is far less feasible and has much higher requirements, so it is not discussed here; if you are interested, search Google, where some articles have explored the issue. Next let's look at how the UDP protocol can traverse NAPT:
Figure 3: How NAPT transparently relays UDP packets between a private IP address and a public host.
How NAPT transparently relays UDP packets:
NAPT allocates a NAPT port number for each session and uses that port number to decide which intranet IP address an incoming TCP/IP packet is forwarded to. The session is virtual here: UDP communication does not establish a connection, but as far as NAPT is concerned a session must exist. An important problem NAPT faces in relaying UDP packets is how to manage this virtual session. We all know a TCP session starts with a SYN packet and ends with a FIN packet, so NAPT can easily track a TCP session's lifetime. UDP is troublesome: NAPT does not know whether a forwarded UDP packet reached its destination, has no way to find out, and UDP itself is unreliable, so NAPT has to force the session to persist for a while in order to wait for external data to come back and forward it to the intranet IP address that originally made the request. How does NAPT decide when a UDP session times out? Implementations differ from vendor to vendor: it may be a few minutes or a few hours, and some implementations compute the timeout adaptively from how busy the device is. An application that wants to keep a mapping alive therefore has to send periodic keepalive packets through it at an interval shorter than the smallest timeout it expects.
Figure 4: NAPT rewrites the source address and source port of an intranet UDP packet headed for a public host.
Figure 5: NAPT rewrites the destination address and destination port of the UDP packet the public host returns.
Now we understand how NAPT achieves transparent communication between an intranet computer and an Internet host. Let's look at the question we care about most: by what policy does NAPT decide whether to create a new session for a UDP packet it is asked to forward? There are several strategies:
A. The source IP address (intranet IP address) differs: ignoring all other factors, NAPT must use different sessions.
B. The source IP address (intranet IP address) is the same but the source port differs: ignoring all other factors, NAPT must use different sessions.
C. The source address (intranet IP address) is the same, the source port is the same, the destination address (public IP address) is the same, and only the destination port differs: this must map to the same session.
D. The source address (intranet IP address) is the same, the source port is the same, and the destination address (public IP address) differs, ignoring the destination port: how should NAPT handle the session?
Case D is the one we care about and want to discuss. By how the destination address (public IP address) affects the session-creation decision, we divide NAPT devices into two categories:
Symmetric NAPT: connections to the same IP address, on any port, use the same session; connections to different IP addresses, on any port, use different sessions. We call this symmetric NAPT. That is, as long as the locally bound UDP port is the same but the destination IP address differs, a different session is created.
Figure 6: Symmetric. Multiple ports correspond to multiple hosts, in parallel, symmetrically!
Cone NAPT: connections to the same IP address, on any port, use the same session; connections to different IP addresses, on any port, also use the same session. We call this cone NAPT. That is, as long as the locally bound UDP port is the same, the same session is used regardless of the destination address. (This two-way split is coarser than the one in the midcom draft referenced at the top and in RFC 3489, which key a symmetric NAT's mapping on the destination IP address and port, and which further divide cone NATs into full cone, restricted cone and port-restricted cone by which inbound packets they let through. The cone model used in the rest of this article, which only forwards an inbound packet from an endpoint the inside host has already sent to, corresponds to the port-restricted cone.)
Figure 7: Cone means a cone: one port corresponds to multiple hosts. Doesn't it look like a cone?
At present the great majority of NAPTs are of the latter kind, cone NAT. During testing I had to use a Japanese-made symmetric NAT; fortunately I did not buy it myself. I never buy Japanese goods, and I hope the friends reading this article will consciously avoid buying Japanese goods too. The NAPT built into Win9x/2k/XP/2003 is also cone NAT. This is a blessing, because the UDP traversal we want to do only works on cone NAT; if one side is not cone NAT, sorry, UDP traversal is hopeless and you must relay through the server. A detailed analysis follows later!
Next we analyze some of the data structures NAPT works with; this is what really shows the basis on which UDP can traverse cone NAT. The data structures described here only illustrate the principle and have no practical reference value; if you are really interested, read the NAT implementation in Linux. A real NAT implementation does not use a database either, for the sake of speed!
The port-mapping data structures of a symmetric NAPT are as follows:
Intranet info table:
[NAPT allocated port] [Intranet IP address] [Intranet port] [Internet IP address] [Session start time]
Primary key ([NAPT allocated port]) -> the primary key is the NAPT allocated port; it must be unique and is indexed to speed up lookups. Unique ([Intranet IP address], [Intranet port], [Internet IP address]) -> this combination of three fields cannot be duplicated. (The pair [Intranet IP address], [Intranet port] alone is not unique here: by the definition of symmetric NAPT above, the same internal socket gets a new row, and a new NAPT port, for each different Internet IP address it talks to.)
Mapping table:
[NAPT allocated port] [Internet port]
Unique ([NAPT allocated port], [Internet port]) -> this combination of two fields cannot be duplicated.
The port-mapping data structures of a cone NAPT are as follows:
Intranet info table:
[NAPT allocated port] [Intranet IP address] [Intranet port] [Session start time]
Primary key ([NAPT allocated port]) -> the primary key is the NAPT allocated port; it must be unique and is indexed to speed up lookups. Unique ([Intranet IP address], [Intranet port]) -> this combination of two fields cannot be duplicated.
Internet info table:
[WID (primary key ID)] [Internet IP address] [Internet port]
Primary key ([WID]) -> the primary key is the WID; it must be unique and is indexed to speed up lookups. Unique ([Internet IP address], [Internet port]) -> this combination of two fields cannot be duplicated.
Mapping table (one-to-many):
[NAPT allocated port] [WID]
Unique ([NAPT allocated port], [WID]) -> this combination of two fields cannot be duplicated. Unique ([WID]) -> this field cannot be repeated, so each Internet endpoint belongs to exactly one NAPT port.
After reading these data structures, do you understand better, or is your head spinning? Haha! I think it will become clear later. Through NAT, it is very easy for an intranet computer to connect outward: NAPT handles it automatically and our applications need not care how. How can an external computer reach a computer on the intranet? Let's look at the following process:
C is an intranet computer behind NAPT and S is a computer with an Internet IP address. C actively sends a request to S; NAPT records the data structures according to the rules above, creates a session, and from then on relays data transparently in both directions between C and S. As shown below:
C [192.168.0.6:1827] <-> [private IP: 192.168.0.1] NAPT [public IP: 61.51.99.86:9881] <-> S [61.51.76.102:8098]
So the condition for a computer with an Internet IP address to communicate with an intranet computer behind NAPT is that the intranet computer first sends a UDP packet to the Internet computer. From the received UDP packet the Internet computer obtains NAPT's public IP address and the mapped port, and from then on it can communicate transparently with the intranet computer.
Now let's analyze the question we care about most: how can two intranet computers behind two different NAPTs communicate directly? Neither can actively initiate a connection to the other, and neither knows the other's NAPT public IP address and the port mapped on it. So we need a server with a public IP address to help the two establish a connection. Once each intranet computer has connected to the public server, the server knows both NAPT devices' public IP addresses and the session ports mapped by the two connections, and each intranet computer can obtain from the server the other side's NAPT public IP address and mapped port.
Suppose the two intranet computers are A and B and their NAPTs are AN and BN. A obtains from the server the IP address of BN and the port mapped for B, and sends a UDP packet to that address and port. What happens? From the principles and data structures above we know that AN creates a record in its own data structure to represent the new session. When BN receives the packet it finds no matching record in its data structure, so it discards the packet. B, in no hurry, now sends a UDP packet to AN's IP address and the port mapped for A. What is the result? Exactly what we hoped for: when AN receives the packet it finds a record in its data structure, so it processes the packet and forwards it to A. When A then sends packets to B again, everything flows. Done! But wait: this walkthrough assumed cone NAPT on both sides, so that AN's session for A's local port accepts the packet arriving from BN. What about symmetric NAPT? Work it out yourself...
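The rendezvous exchange just described, run over real UDP sockets, as an added example that is not part of the original article or of the shootingstars program. Everything binds to 127.0.0.1, so no NAPT sits in the path and nothing is dropped; what the example shows is the message flow (registration, the server reporting to each side the endpoint it observed for the other, the punch) and the check a client makes so that it only accepts the punch from the endpoint the server announced. The two-line wire format ("REG <name>", "PEER <ip> <port>") and the function names are my own assumptions.

```python
"""Rendezvous and punch over real UDP sockets on 127.0.0.1 (added example).

No NAPT sits in the path, so nothing is dropped; what the example shows is the
message flow and the checks each side makes. Wire format (my own, ASCII):
    client -> server : "REG <name>"
    server -> client : "PEER <ip> <port>"   (the other client's endpoint as the
                                             server observed it in recvfrom())
"""
import socket


def udp_socket(timeout=2.0):
    """Bind to an OS-chosen loopback port, as a client behind NAPT binds locally."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(timeout)   # a real client must not block forever on a dropped punch
    return s


def parse_peer(data):
    """Decode "PEER <ip> <port>" into an address tuple; reject anything else."""
    tag, ip, port = data.decode("ascii").split()
    if tag != "PEER":
        raise ValueError("unexpected message: %r" % data)
    return (ip, int(port))


def rendezvous_and_punch():
    """Two clients register, learn each other's endpoint from the server, then punch.

    Returns (message A received from B, message B received from A).
    """
    server, a, b = udp_socket(), udp_socket(), udp_socket()
    try:
        srv = server.getsockname()
        # 1. registration: the server takes no address from the payload; it records
        #    the source endpoint recvfrom() reports, which behind a NAPT is the NAPT's
        #    public IP and the mapped port
        a.sendto(b"REG A", srv)
        b.sendto(b"REG B", srv)
        seen = {}
        for _ in range(2):
            data, src = server.recvfrom(64)
            seen[data.split()[1].decode("ascii")] = src
        # 2. the server hands each side the other's observed endpoint
        server.sendto(("PEER %s %d" % seen["B"]).encode("ascii"), seen["A"])
        server.sendto(("PEER %s %d" % seen["A"]).encode("ascii"), seen["B"])
        peer_of_a = parse_peer(a.recvfrom(64)[0])
        peer_of_b = parse_peer(b.recvfrom(64)[0])
        # 3. punch: A sends first (behind real NAPTs this opens AN and is normally
        #    discarded by BN), then B sends to A; on loopback both arrive
        a.sendto(b"PUNCH from A", peer_of_a)
        b.sendto(b"PUNCH from B", peer_of_b)
        at_b, src_at_b = b.recvfrom(64)
        at_a, src_at_a = a.recvfrom(64)
        # 4. accept the punch only from the endpoint the server announced; anything
        #    else arriving on the mapped port is unsolicited and is ignored
        if src_at_b != peer_of_b or src_at_a != peer_of_a:
            raise RuntimeError("punch arrived from an unexpected endpoint")
        return at_a.decode("ascii"), at_b.decode("ascii")
    finally:
        for s in (server, a, b):
            s.close()


if __name__ == "__main__":
    print(rendezvous_and_punch())
```

Behind real NAPTs the first punch in step 3 is expected to be discarded, so a client sends it several times with the socket timeout between attempts rather than once, and once the mapping is open it keeps sending keepalives through the same socket at an interval shorter than the NAPT's UDP session timeout, which is unknown and vendor-specific.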
Analysis of the specific UDP traversal cases for NAPT (the IP Network Address/Port Translator)!
First, following the description above, we clearly divide NAPT devices into symmetric NAPT and cone NAPT; the latter is what we need. The NAPT that ships with Win9x/2k/XP/2003 is also cone NAPT.
Case 1: both sides use symmetric NAPT:
There is no question here: UDP traversal is certainly impossible.
Case 2: both sides use cone NAPT:
This is what we need; UDP traversal works.
Case 3: one side uses symmetric NAPT, the other cone NAPT:
This case is more complicated, but with the description and the data organization above it is easy to analyze. The analysis is as follows.
Assume: A is behind symmetric NAT, B behind cone NAT.
1. A wants to connect to B. A obtains B's NAT address and mapped port from the server and notifies the server; the server tells B A's NAT address and mapped port, and B sends to A. A certainly cannot receive it, because A's NAT has no session row for B's NAT address. Now A sends to B: A's NAT creates a new session and allocates a new mapped port. When B's NAT receives the UDP packet, it arrives from a port it has never seen, so B's NAT finds no mapping entry in its mapping table and discards the packet.
2. B wants to connect to A. B obtains A's NAT address and mapped port from the server and notifies the server; the server tells A B's NAT address and mapped port, and A sends to B. A's NAT creates a new session and allocates a new mapped port, so B's NAT discards it and B cannot receive it. Now B sends to A. Because B cannot learn the mapped port of the new session A's NAT created, it still uses the mapping obtained from the server; that row on A's NAT names the server's Internet IP address, so when A's NAT receives the UDP packet it finds no mapping entry in its mapping table and discards the packet.
From the above analysis, UDP intranet traversal is possible only when the NATs at both ends are cone NAT. This conclusion holds for the cone model used in this article, which only forwards an inbound packet from an endpoint (IP address and port) the inside host has already sent to. A full-cone or address-restricted-cone NAT in the sense of the midcom draft would accept A's packet from the new port in step 1 of case 3, so with those devices symmetric-to-cone traversal can succeed; the draft referenced at the top covers that case.
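A small simulator of the two table layouts from the data-structure section, with the register-then-punch sequence for A and B and the three cases analyzed here, as an added example that is not the article's or the program's code. The NAPT class follows the article's tables: the symmetric variant keys its intranet row on (intranet IP, intranet port, Internet IP) and keeps a mapping table of Internet ports; the cone variant keys on (intranet IP, intranet port) and keeps a set of Internet endpoints. classify() is the test from the midcom draft (one local socket, two different public servers, compare the allocated ports), and hole_punch() returns which of the three packets of the walkthrough got through. All IP addresses, ports and host names are constructed. Note that this cone model only forwards an inbound packet from an endpoint the inside host already sent to, i.e. a port-restricted cone.

```python
"""Toy NAPT simulator following the article's two table layouts (added example).

Addresses, ports and host names below are constructed for illustration.
"""
from itertools import count

PUBLIC_AN, PUBLIC_BN = "61.51.99.86", "61.51.76.102"            # NAPT public IPs
SERVER1, SERVER2 = ("202.96.0.1", 3478), ("202.96.0.2", 3478)   # public servers
HOST_A, HOST_B = ("192.168.0.6", 1827), ("192.168.1.6", 1827)   # hosts behind AN / BN


class NAPT:
    """kind is "symmetric" or "cone"; the dicts stand in for the article's tables."""

    def __init__(self, public_ip, kind, first_port):
        self.public_ip, self.kind = public_ip, kind
        self._ports = count(first_port)   # next NAPT port to allocate
        # Intranet info table. Symmetric rows carry the Internet IP, cone rows do not:
        #   symmetric: (int_ip, int_port, remote_ip) -> napt_port
        #   cone:      (int_ip, int_port)            -> napt_port
        self.intranet = {}
        # Mapping table. Symmetric: napt_port -> {remote_port};
        # cone: napt_port -> {(remote_ip, remote_port)} (Internet info + mapping tables).
        self.remotes = {}

    def outbound(self, src, dst):
        """Internal src=(ip, port) sends to public dst=(ip, port); returns the public endpoint."""
        ip, port = src
        key = (ip, port, dst[0]) if self.kind == "symmetric" else (ip, port)
        napt_port = self.intranet.get(key)
        if napt_port is None:                      # new session: allocate a NAPT port
            napt_port = next(self._ports)
            self.intranet[key] = napt_port
            self.remotes[napt_port] = set()
        self.remotes[napt_port].add(dst[1] if self.kind == "symmetric" else dst)
        return (self.public_ip, napt_port)

    def inbound(self, napt_port, src):
        """Public src=(ip, port) sends to our napt_port; returns the internal endpoint or None."""
        if napt_port not in self.remotes:
            return None                            # no session: discard
        for key, p in self.intranet.items():
            if p != napt_port:
                continue
            if self.kind == "symmetric":
                int_ip, int_port, remote_ip = key
                # the row names one Internet IP, and the port must have been seen
                if src[0] == remote_ip and src[1] in self.remotes[napt_port]:
                    return (int_ip, int_port)
            elif src in self.remotes[napt_port]:   # cone: any remembered endpoint passes
                return key
        return None


def classify(napt, host=HOST_A):
    """midcom-draft test: one local socket, two servers; same NAPT port means cone."""
    m1 = napt.outbound(host, SERVER1)
    m2 = napt.outbound(host, SERVER2)
    return "cone" if m1 == m2 else "symmetric"


def hole_punch(kind_a, kind_b, server=SERVER1):
    """Register A and B at the server, then A punches first and B answers.

    Returns the internal endpoint that received each packet, or None if it was
    discarded: (A's first packet at BN, B's packet at AN, A's second packet at BN).
    """
    an = NAPT(PUBLIC_AN, kind_a, first_port=9881)
    bn = NAPT(PUBLIC_BN, kind_b, first_port=8098)
    a_pub = an.outbound(HOST_A, server)            # step 1: both register; the server
    b_pub = bn.outbound(HOST_B, server)            #   learns each mapped endpoint
    # step 2: the server tells A about b_pub and B about a_pub (out of band here)
    a_src = an.outbound(HOST_A, b_pub)             # step 3: A sends to B's mapped endpoint
    first = bn.inbound(b_pub[1], a_src)            #   (a symmetric AN allocates a new port)
    b_src = bn.outbound(HOST_B, a_pub)             # step 4: B sends to A's mapped endpoint
    second = an.inbound(a_pub[1], b_src)
    a_src = an.outbound(HOST_A, b_pub)             # step 5: A sends again
    third = bn.inbound(b_pub[1], a_src)
    return first, second, third


if __name__ == "__main__":
    for kinds in (("cone", "cone"), ("symmetric", "cone"),
                  ("cone", "symmetric"), ("symmetric", "symmetric")):
        print(kinds, hole_punch(*kinds))
```

Only the cone/cone pair returns a delivered endpoint for B's packet and for A's second packet; every pairing that involves a symmetric NAPT returns None for all three, which is the article's three-case result. The first packet is discarded in every case, including cone/cone, because BN has not yet seen AN's endpoint when it arrives; that is why the client in the previous example retries the punch instead of treating one dropped packet as failure.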
How to verify and analyze NAPT (the IP Network Address/Port Translator) UDP traversal in reality!
The required network layout is as follows:
Intranet machines behind three NATs, plus two servers on the Internet. Two of the NATs are cone NAPT and one is symmetric NAPT.
Verification method:
Compile the source code provided with this article and run the server program and the client programs respectively. The modified source adds a client command for sending messages directly to a given IP address and port; with this command you can verify NAPT traversal by hand. For convenience, I recommend using remote-login software so that one machine can operate all the related computers; that way one person can easily do everything. That is how I did it. Comments from interested and experienced friends are welcome, so that we can correct mistakes and make progress together.