A brief look at FTP ALG

I recently ran into an FTP problem that involved ALG, so I am writing it down here as a reference for future study.
First, the concept of ALG:
It allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer "control/data" protocols such as FTP, BitTorrent, SIP, RTSP, file transfer in IM applications, etc.
For applications that have separate control and data sessions, such as FTP, BT and SIP, NAT runs into a problem because they carry an IP address and port inside the payload. That is where ALG has to step in; most gateways (routers) today enable FTP ALG by default.
If your FTP client sits behind a NAT router, the client first establishes a control connection with the FTP server, normally to server port 21. To transfer a file, a data connection must first be negotiated over the control connection, i.e. an IP address and port are agreed on, and only through that IP address and port can the other side connect to carry out the data transfer.
The problem is that the negotiated IP address and port sit in the payload and are not changed when passing through the NAT router, because the NAT router only rewrites the IP layer and does not touch the data inside TCP/UDP. The server ends up with a private IP address in the payload, so the data session cannot be established.
So ALG is applied: when the ALG sees that the IP header has been NATed and a PORT request appears at that moment, the PORT command must be changed as well. In my packet capture experiments I found that the port does not always change.

Since FTP runs over a TCP connection, changing the payload affects several parameters of the whole TCP connection, such as the sequence number, the ack number and the TCP checksum.
It is worth explaining how the TCP checksum is computed: it covers the following: the pseudo header, the TCP header and the data (payload).
The pseudo header is explained below. Here you need a fairly good understanding of TCP/IP; TCP/IP is the foundation and you must master it.
The pseudo header conceptually prefixed to the UDP header contains the source address, the destination address, the protocol, and the UDP length. This information gives protection against misrouted datagrams.

Here are two screenshots of packet captures.
Topology: pc(192.168.10.33)---NAT router(wan:172.25.27.78)---FTP server(172.25.5.8)
before ALG (capture screenshot)

after ALG (capture screenshot)

The two screenshots show that the IP address in the payload changed, and that the rewritten address is shorter than the original (192.168.10.33 --> 172.25.27.78). This means the next sequence number also changes; and in any case the TCP checksum is recomputed, because the payload changed.
In this topology (client on the LAN, server on the WAN), the problem only occurs in PORT (active) mode; in passive mode there is no problem, even with FTP ALG turned off.
To understand why, look at the definitions of active mode and passive mode.
Specifically: In active mode, the FTP client opens a dynamic port, sends the FTP server the dynamic port number on which it is listening over the control stream and waits for a connection from the FTP server. When the FTP server initiates the data connection to the FTP client it binds the source port to port 20 on the FTP server.

In passive mode, the FTP server opens a dynamic port, sends the FTP client the server's IP address to connect to and the port on which it is listening (a 16-bit value broken into a high and low byte, as explained above) over the control stream and waits for a connection from the FTP client. In this case, the FTP client binds the source port of the connection to a dynamic port.


For the concept of FTP ALG, the next passage is pasted from RFC 2623; it explains it very well and is worth a look:

   "PORT" command and "PASV" response in FTP control session payload
   identify the IP address and TCP port that must be used for the data
   session it supports. The arguments to the PORT command and PASV
   response are an IP address and a TCP port in ASCII. An FTP ALG is
   required to monitor and update the FTP control session payload so
   that information contained in the payload is relevant to end nodes.
   The ALG must also update NAT with appropriate data session tuples and
   session orientation so that NAT could set up state information for
   the FTP data sessions.

   Because the address and TCP port are encoded in ASCII, this may
   result in a change in the size of packet.  For instance,
   10,18,177,42,64,87 is 18 ASCII characters, whereas
   193,45,228,137,64,87 is 20 ASCII characters. If the new size is same
   as the previous, only the TCP checksum needs adjustment as a result
   of change of data. If the new size is less than or greater than the
   previous, TCP sequence numbers must also be changed to reflect the
   change in length of FTP control data portion.  A special table may be
   used by the ALG to correct the TCP sequence and acknowledge numbers.
   The sequence number and acknowledgement correction will need to be
   performed on all future packet of the connection.
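As an added illustration of the rewrite the RFC passage and the capture discussion describe (this is not code from the post or from any real NAT product), here is a toy Python ALG that rewrites the client's PORT command to the WAN address of the topology above, tracks the resulting length delta so the seq/ack numbers of later segments can be corrected, and recomputes the TCP checksum over the pseudo header. The PORT regex, the `FtpAlg` class and the segment layout used are assumptions made for the example.

```python
import re
import socket
import struct

# Assumed shape of a PORT command as it appears in the FTP control payload.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def tcp_checksum(src_ip, dst_ip, segment):
    """One's-complement sum over the pseudo header (src, dst, zero, proto 6, TCP
    length) plus the TCP header and payload; the caller zeroes the checksum field."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"  # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold carries
    return (~total) & 0xFFFF

def fill_checksum(src_ip, dst_ip, segment):
    """Recompute the checksum of a (rewritten) segment and store it at bytes 16..17."""
    seg = segment[:16] + b"\x00\x00" + segment[18:]
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]

class FtpAlg:
    """Toy FTP ALG for the LAN-client / WAN-server topology in the post. Only the
    PORT command is handled; the cumulative length change of the client->server
    stream is tracked so the seq/ack numbers of later segments can be corrected."""
    def __init__(self, lan_ip, wan_ip):
        self.lan_ip, self.wan_ip = lan_ip, wan_ip
        self.delta = 0           # bytes added to (or removed from) the client stream so far
        self.data_sessions = []  # (wan_ip, port) tuples NAT must accept inbound connections on

    def client_to_server(self, seq, payload):
        """Return (corrected seq, possibly rewritten payload) for one client segment."""
        out_seq = seq + self.delta  # shift only by rewrites of earlier segments
        m = PORT_RE.match(payload)
        if m and b".".join(m.group(i) for i in range(1, 5)) == self.lan_ip.encode():
            hi, lo = int(m.group(5)), int(m.group(6))
            new = b"PORT %s,%d,%d\r\n" % (self.wan_ip.replace(".", ",").encode(), hi, lo)
            self.data_sessions.append((self.wan_ip, hi * 256 + lo))
            self.delta += len(new) - len(payload)  # size change -> future seq/ack fixups
            payload = new
        return out_seq, payload

    def server_to_client(self, ack):
        """Server ACKs count the rewritten bytes; undo the delta before forwarding."""
        return ack - self.delta
```

With the post's addresses the rewritten PORT line is one byte shorter, so every later client sequence number and every server acknowledgement is shifted by -1, exactly the correction table the RFC passage describes.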

Although this is only one application of ALG, it touches on a lot of theory. The same reasoning applies to SIP ALG, H.323 ALG and RTSP; the only difference is TCP versus UDP.

https://blog.csdn.net/cheng_fangang/article/details/7395442


Reposted from blog.csdn.net/sheji105/article/details/87877413