The principle of network IP hole------to-peer realization

Find a lot of online, code large heap, the principle of clear and thorough not much.

I find a few well-spoken to tidy up a bit.

A piece of technical articles, the most important to clarify the principle, if there is a complete can run the source code can also, the key is to the core part of the code analysis clearly.

(1) The origin of the problem:

Most computers use dynamic IP addresses for Internet access. The IP of the intranet is assigned by net (routing, gateway), and when net is emitted, it is mapped to a public address, which is a dynamic computing process (especially the port number) and is therefore called a dynamic IP address. The external network is not able to directly access the intranet computer, but in most cases, with a public network IP address of the computer (here called the server), in some way, can realize the connection, this technology is more "hole".

(2) Dynamic IP specific analysis:

As shown in figure:

There is a private network 192.168.0.2,client A is one of the computers, the network Gateway Nata (a NAT device) of the external network IP is 202.103.142.29 (there should be an intranet IP address, such as 10.0.0.10). If a process in client a (this process creates a socket that is bound to port 1234) wants to access the 2000 port of the extranet host 129.208.12.38, what happens when the packet passes through NAT.

Nat will change the original IP address of this packet instead of 202.103.142.29. Nat then creates a session for the transfer (the session is an abstract concept, and if it is TCP, perhaps the session is started by a SYN packet and ended with a fin packet.) And UDP, with this IP port of the first UDP start, the end is uncertain, maybe a few minutes, maybe a few hours, this depends on the specific implementation of the session and assign a port, such as 62000, and then change the packet source port is 62000. So it would have been

(192.168.0.2:1234->129.208.12.38:2000)

Data packets to the Internet changed to

(202.103.142.29:62000->129.208.12.38:2000).

Once Nat has created a session, Nat remembers that port 62000 corresponds to port 1234 of 192.168.0.2, and data sent from 129.208.12.38 to Port 62000 will be automatically forwarded to 192.168.0.2 by Nat. (Note: This is to say that the data sent to port 62000 will be forwarded, other IP data sent to this port will be discarded by NAT, this is the real headache problem) so that client A is established with the server S1 a connection.

If the original socket of client A (the UDP socket that is bound to port 1234) then sends a UDP packet to another server server S2, what happens when this UDP packet passes through NAT?

The answer is net-determined, and different net has different answers.

Here's the type of NAT you'll need to explain:
The type of NAT device is very important to TCP traversal NAT, according to port mapping, NAT can be divided into the following 4 classes, the first 3 types of NAT can be collectively referred to as the cone type.
(1) Clone full Cone: NAT maps all requests from the same internal IP address and port to the same external IP address and port. Any external host can send IP packets to the internal host through this mapping.
(2) Restrictive cloning (Restricted Cone): NAT maps all requests from the same internal IP address and port to the same external IP address and port. However, the external host can send IP packets to the internal host only if it sends an IP packet to an external host with an IP address of x first.
(3) Port-restrictive cloning (Port Restricted Cone): Ports restrictive cloning is similar to restrictive cloning, only the limit of the port number, that is, only the internal host to the IP address of x, the port number is P of the external host to send 1 IP packets, The external host is able to send the IP packets with the source port number p to the internal host.
(4) Symmetric NAT (symmetric NAT): This type of NAT differs from the above 3 types in that when the same internal host uses the same port to communicate with an external host of different addresses, NAT maps to that internal host differently. Symmetric NAT does not guarantee the consistency of the bindings between private addresses and public IPs in all sessions. Instead, it assigns a new port number to each new session.

The first is the most ideal, basic is no need to make holes;

The fourth worst is that you can't make a hole at all. The good news is that this net is basically not, very little.

So the key is the second and third type of net.

So the essence of punch is to take advantage of the net feature "only if an internal host sends an IP packet to an external host with an IP address of x, the external host can send IP packets to that internal host"

(3) Implementation steps (each implementation may not be the same)

Let us first assume: There is a server s on the public network has an IP, two private networks by Nat-a and Nat-b connected to the public network, nat-a behind a client a,nat-b behind a client B, now, we need to use a and B to establish a direct TCP connection, That is, a hole from B to a, so that a can be directly connected to the B host along this hole, as if Nat-b does not exist. The
implementation process is as follows:
1, S initiates two network listens, one is called "The main connection" listens, one is called "assists the hole" the interception.
2, A, and b remain in contact with the "primary connection" of S.
3, when a needs to establish a direct TCP connection with B, first connect the "assist hole" port of S and send the assistance connection request. Start listening on the port number at the same time (to ensure that net Type 3 succeeds). Note Because you want to bind to different sockets on the same network terminal, you must set the So_reuseaddr property (that is, allow reuse) for these sockets, or the listener fails.
4, S of the "assist hole" connection received a application through "Primary connection" notification B, and a after Nat-a converted public IP address and port information to tell B.
5, B received a connection notification s after the first with the "assist hole" port connection, casually send some data immediately after disconnection, so that the purpose is to let S know b after nat-b converted public IP and port number.
6,  b attempt with a after the Nat-a converted public IP address and port to connect (this is called "Punch hole"), depending on the router will have different results, some routers in this operation can establish a connection (for example, I use the Tplink R402), Most routers fail to connect directly to the unsolicited SYN request packet, but Nat-a will record the source address and port number of the connection, preparing for the next real connection, which is called a hole, B to a. The next time a will be able to connect directly to the port number that B just used.
7, Client B hits the hole and starts listening on the same port. B After everything is ready through the "master connection" with s reply message "I am ready", s after receiving the B after the Nat-b converted public IP and port number to tell a.
8, a received s reply to the B's public IP and port number and other information, began to connect to the B public IP and port number, because in step 6, B has tried to connect a public IP address and port, nat-a record the connection information, so when a active connection B, The nat-b would be considered a legitimate SYN data and allowed to pass through, thus establishing a direct TCP connection.

(4) Let intranet host do server

The above application is mainly to do peer software, if we want to use the home computer, do the server, do not need this technology ("Punch hole"), should we can set the router to Net1 type, can directly set the port mapping:

But still need an external network fixed IP server to be responsible for notifying other customer service side, because the IP that is obtained when dialing (this is also the external network IP, is the other computer can directly access your) every time or change.

(5) What is a peanut shell?

Peanut shell can be the change of IP map to fixed domain Name service provider, if you do not need domain name services, as long as the use of IP access to the application (such as the database), is not used this software.

But there is another way, if you already have a static IP server, on the top of the deployment of a proxy server (such as Nginx), and then the dynamic IP to notify it.