Sorry, organization: the 1990s thing I kept hidden, NAT (network address translation)

NAT (Network Address Translation) is essentially a mechanism that allows the same IP addresses to be reused in different parts of the Internet. It translates between public IP addresses and private IP addresses, and as a side effect it also provides some defensive filtering of packets. NAT was positioned as a transition technology between IPv4 and IPv6, and it appeared in the early 1990s to relieve the shortage of IPv4 addresses. To a certain extent, however, it has also obstructed the development of IPv6.

NAT is a very complicated topic, because it interacts closely with many protocols, especially firewalls, and many protocols even carry rules that exist specifically for NAT. It is difficult to lay all of this out clearly in one article, so this article only describes some of NAT's more basic concepts and does not elaborate on its interaction with other protocols.

A tribute to the article that helped me: CSDN blogger 逃离地球的小小呆, "NAT (address translation technology) explained". That article helped me a lot and gave me a much deeper understanding of the TCP/IP protocol suite.
URL: https://blog.csdn.net/gui951753/article/details/79593307?depth_1-utm_source=distribute.pc_relevant.none-task&utm_source=distribute.pc_relevant.none-task

1. What actually happened to Internet development back then (the 1990s)

In the 1980s, when the Internet had just appeared, hardware limitations meant that IPv4 could assign at most 16,777,216 + 65,536 + 256 = 16,843,008 network addresses, and each computer needed its own IP address: one host, one address. That number of hosts was really no problem in the 80s, but by the 1990s the shortage of IPv4 addresses was becoming an increasingly serious problem.
At the time there were two ways to deal with the problem: one was IPv6 addressing; the other was to progressively transform the existing foundation and take effective measures to manage the allocation and use of IP addresses (which is today's NAT). But switching everything to IPv6 addresses would have needed hardware that could not keep up (expensive, and small wallets could not bear it). So, to save money, the pioneers of Internet development went with IPv4 subnetting, combined with NAT, which allows addresses to be duplicated within subnets. With NAT, an Internet address no longer needs to be globally unique, and can therefore be reused in different parts of the Internet (called address realms). It allows the same address to be used in multiple realms, greatly easing the problem of address exhaustion. One hole can now hold several sweet potatoes, and the world of IP addresses is divided into private network IPs and public network IPs.

So it turned out that the NAT protocol worked remarkably well: it was only recently that the allocation of the 4.3 billion IPv4 addresses was finally completed.

On February 3, 2011, Chinese Lunar New Year, IANA announced that the last five blocks of the IPv4 address space had been assigned to the five regional Internet registries. On April 15, 2011, APNIC (the Asia-Pacific registry) announced that, apart from individual reserved addresses, the region's IPv4 addresses were almost exhausted. At 15:35 UTC+1 on November 25, 2019 (22:35 Beijing time), the RIPE NCC, which is responsible for Internet resource allocation in Britain, Europe, the Middle East and parts of Central Asia, announced that all 4.3 billion IPv4 addresses in the world had been allocated, which means no more IPv4 addresses can be assigned to ISPs (Internet service providers) and other large network infrastructure providers. (Tencent News, Baidu Encyclopedia; images from CSDN news, link below.)


Ironically, the rapid development and widespread use of NAT has seriously slowed the progress of IPv6. Among the many benefits of IPv6, one is that it eliminates the need for NAT.

IPv4, IPv6 and subnetting, mentioned above, are all long stories, so I am not going to elaborate. Here are two links for anyone interested. (Not the blogger's own writing.)

  1. CSDN blogger 逃离地球的小小呆, "Subnetting: illustrated examples and detailed analysis", URL: https://blog.csdn.net/gui951753/article/details/79412524?depth_1-utm_source=distribute.pc_relevant.none-task&utm_source=distribute.pc_relevant.none-task
  2. CSDN blogger chao199512, "The difference between IPv4 and IPv6 (the most detailed in history)", URL: https://blog.csdn.net/chao199512/article/details/86139714

2. With NAT's history covered, a more intuitive feel for what NAT does

1. Open Baidu search and enter "IP address lookup" (this shows the address seen from the public Internet).

2. Use the command line: see "How to find the IP address of a computer" at http://xinzhi.wenda.so.com/a/1520415964612980
The computer's own IP address (169.254.120.+++) and the address shown by the lookup (113.117.208.+) are quite different, and this is a very intuitive reflection of NAT: the private network IP and the public network IP differ.

3. How NAT works (handling before data enters)

NAT works by having the router rewrite the identifying information of the packets that pass through it. Put less precisely, the working principle of NAT is to replace the address information in the IP packet header, converting between public IP addresses and private network IP addresses.

NAT rewrites the source IP address of packets travelling in one direction and the destination IP address of packets travelling in the other direction. Outgoing packets therefore leave with the NAT router's Internet-facing interface address as their source instead of the original host's address. From the point of view of hosts on the other side of the Internet, the packets come from a router with a globally routable IP address rather than from the host with a private address inside the NAT.

3.1 For replacing the address information in the packet header, there are two basic approaches:

Basic NAT (i.e. static NAT) and NAPT (also called dynamic NAT). Unless the distinction matters, "NAT" in this article includes both traditional NAT and NAPT.

  1. Basic NAT, also called static NAT (one-to-one, with a hard limit): it rewrites the IP address using addresses from an address pool but keeps the port unchanged, i.e. it performs only IP address rewriting. In essence, a private address is rewritten to a public address, usually taken from an address pool or public address range provided by the ISP (Internet service provider). This type of NAT is not the most popular, because it does not help reduce the number of IP addresses needed: the number of globally routable addresses must be greater than or equal to the number of internal hosts that want to access the Internet at the same time.
  2. NAPT, also called dynamic NAT (many-to-one): NAPT, also known as IP masquerading, usually rewrites all addresses to a single address, and sometimes has to rewrite the port number as well to avoid conflicts. NAPT uses transport-layer identifiers (TCP and UDP port numbers, ICMP query identifiers) to determine which private host inside the NAT a particular packet is associated with. This lets a large number of internal hosts (i.e. thousands) access the Internet at the same time while using very few public addresses, usually just one.

The private address range used "behind" or "inside" a NAT is unrestricted by anyone other than the local network administrators, so in principle it is possible to use global address space within the private range. However, when such a global address is also used by another entity on the Internet, the local system in the private range most likely cannot reach the public system that uses the same address, because the local system with that address masks the remote system with the same address.

To avoid this undesirable situation, three IPv4 address ranges are reserved as private address ranges: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. These ranges are often used as the default address pool of embedded DHCP servers.

3.2 How NAT operates, step by step

  1. The network is divided into a private part and a public part; the NAT gateway sits at the routing exit from the private network to the public network, and traffic in both directions must pass through it.
  2. Network access can only be initiated from the private side; the public side cannot actively access a private host.
  3. The NAT gateway performs address translation in both directions: outbound, it replaces the source information; inbound, it replaces the destination information.
  4. The NAT gateway remains transparent to both communicating parties.
  5. To translate in both directions, the NAT gateway must maintain an association table that stores session information.

3.3 Because NAT's basic principle is to rewrite packet identifying information, it also brings many problems

  1. A host inside the NAT needs special configuration before it can provide services to the Internet, because Internet users cannot directly reach a host with a private address.
  2. NAT undermines IP's end-to-end communication, so services provided by hosts behind the NAT cannot be directly accessed from the external network. (Like a certain country's hated "** virus" that goes over the wall.)
  3. For NAT to work properly, all packets in both directions of a connection or association must pass through the same NAT. This is because the NAT must rewrite the addressing information of every packet for communication between a host in the private address space and the Internet to work.
  4. NAT causes problems for some application protocols, especially those that carry IP address information in the application-layer payload. Many connections are multiplexed onto one IP address, which defeats tracking mechanisms that rely on one IP per host when multiple internal hosts sit behind the NAT. Web-based traffic analysis, for example, cannot trace specific end-user behaviour to the network relationships that traffic management needs. Log analysis based on user behaviour becomes difficult because one IP is shared by many users; if a user behaves maliciously, it is hard to locate the host that initiated the connection.
  5. The aging time for holding NAT IP sessions becomes shorter. Because the NAT device creates an association table entry after a session is established, the NAT gateway ages the entry out once the session stays silent for that time.

Problem 5: reference, CSDN blogger 逃离地球的小小呆, "NAT (address translation technology) explained", URL: https://blog.csdn.net/gui951753/article/details/79593307?depth_1-utm_source=distribute.pc_relevant.none-task&utm_source=distribute.pc_relevant.none-task

4. A closer look at NAT: address and port translation behaviour (handling after a datagram passes through the NAT)

This mostly applies to NAPT, which has to handle the conversion between public IP addresses and private IP addresses.

  1. The notation X:x represents a host with address X in the private IP address range and port number x.
  2. Y:y represents the remote address Y with port number y.
  3. The NAT needs to use an external address (usually public and globally routable) X1' and port number x1' to create a mapping.


4.1 Filtering behaviour


4.2 Port forwarding: handling servers behind a NAT

With port forwarding, traffic arriving at the NAT is forwarded to a specifically configured destination address located behind the NAT. Port forwarding lets a server provide services to the Internet even though it has been assigned a private, non-routable address.

Port forwarding generally requires configuring static NAT with the address and port number to be forwarded to the server. A static NAT port forward is like a mapping that is always present; if the server's IP address changes, the NAT's addressing information must be updated. Port forwarding has a limitation: only one binding can be set per (IP address, transport protocol, port number) combination. So if the NAT has only one external IP address, a given port of a given transport protocol can be forwarded to at most one internal machine.

4.3 Hairpinning and NAT loopback: accessing a server in the same private address space through the NAT


5. NAT traversal (NAT-T) (handling of inbound connections)

Having covered how public IP addresses and ports are converted to and from private IP addresses and ports, we now turn to the problem of creating a connection between hosts that are behind NAT devices.

NAT traversal is a common problem in TCP/IP networks: establishing a connection between TCP/IP hosts on private networks that sit behind NAT devices.

5.1 Pinholes and hole punching

Two concepts:

  1. When a NAT mapping is created temporarily for a single application while it runs, and only allows a portion of the traffic through for that temporary period, the mapping is called a pinhole. Pinholes are usually created and deleted dynamically as programs communicate.
  2. The method of using two pinholes to let two or more systems behind NATs attempt to communicate directly is called hole punching.

To punch a hole, a client first makes an outbound connection to a known server, which creates a mapping in its local NAT. When another client connects to the same server, the server knows the external addressing information of each client because each has connected to it. The clients' external addressing information is then exchanged between them. Once they know this information, one client can attempt to connect directly to the other. Skype and other popular applications use this method.
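The mechanics described in sections 3.2 and 3.3 (the association table, source rewriting outbound and destination rewriting inbound, dropping of unsolicited inbound packets, session aging), the static port forwarding of section 4.2, and the hole-punching sequence just described can all be walked through with a small simulation. The Python model below is an added example written for this article, not code from the referenced CSDN posts or from any real NAT implementation: the `Napt` class, its 300-second timeout, its port numbering from 40000, the address-and-port-dependent filtering rule it applies, and all addresses (taken from the documentation ranges) are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]          # (ip, port)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""

@dataclass
class Session:
    ext_port: int                   # public-side port chosen for this private endpoint
    last_seen: float                # time of the last packet, used for aging
    peers: Set[Endpoint] = field(default_factory=set)   # remote endpoints this host has sent to

class Napt:
    """Toy NAPT gateway: one public IP, an association table, static port forwards (assumed model)."""
    def __init__(self, public_ip: str, timeout: float = 300.0):
        self.public_ip = public_ip
        self.timeout = timeout            # idle time before a session is aged out (assumed value)
        self.next_port = 40000            # first external port handed out (assumed value)
        self.table: Dict[Endpoint, Session] = {}   # (private ip, port) -> Session
        self.forwards: Dict[int, Endpoint] = {}    # public port -> internal server (port forwarding)

    def _expire(self, now: float) -> None:
        for key in [k for k, s in self.table.items() if now - s.last_seen > self.timeout]:
            del self.table[key]

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Private -> public: create or refresh the session, rewrite the source."""
        self._expire(now)
        key = (pkt.src_ip, pkt.src_port)
        sess = self.table.get(key)
        if sess is None:
            sess = self.table[key] = Session(self.next_port, now)
            self.next_port += 1
        sess.last_seen = now
        sess.peers.add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, sess.ext_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Public -> private: rewrite the destination, or return None (dropped) if no mapping fits."""
        self._expire(now)
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.forwards.get(pkt.dst_port)      # a static port forward needs no prior session
        if target is None:
            for key, sess in self.table.items():
                # address-and-port-dependent filtering (assumed): only peers we sent to may reply
                if sess.ext_port == pkt.dst_port and (pkt.src_ip, pkt.src_port) in sess.peers:
                    sess.last_seen = now
                    target = key
                    break
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.payload)

def basic_and_aging_demo() -> dict:
    """One host browses the web; an unsolicited probe is dropped; the session ages out."""
    nat = Napt("203.0.113.10", timeout=300)
    host, web = ("192.168.1.7", 51000), ("198.51.100.80", 80)
    out = nat.outbound(Packet(*host, *web, "GET /"), now=0)
    reply = Packet(*web, out.src_ip, out.src_port, "200 OK")
    probe = nat.inbound(Packet("198.51.100.99", 4444, nat.public_ip, out.src_port, "probe"), now=1)
    delivered = nat.inbound(reply, now=10)
    aged = nat.inbound(reply, now=400)       # 390 s of silence > timeout: entry is gone
    return {"external": (out.src_ip, out.src_port), "probe": probe,
            "delivered_to": (delivered.dst_ip, delivered.dst_port) if delivered else None,
            "after_aging": aged}

def port_forward_demo() -> Optional[Endpoint]:
    """Static forward public :8080 -> internal web server :80, reachable without a prior session."""
    nat = Napt("203.0.113.10")
    nat.forwards[8080] = ("192.168.1.80", 80)
    pkt = nat.inbound(Packet("198.51.100.5", 33000, nat.public_ip, 8080, "GET /"), now=0)
    return (pkt.dst_ip, pkt.dst_port) if pkt else None

def hole_punch_demo() -> dict:
    """Two hosts behind different NATs reach each other with a rendezvous server's help."""
    nat_a, nat_b = Napt("203.0.113.10"), Napt("198.51.100.20")
    rendezvous = ("192.0.2.1", 3478)
    a = b = ("10.0.0.5", 5000)      # same private address on both sides: address realms are reused
    # 1. both clients contact the public server, which records the external address it sees
    pa = nat_a.outbound(Packet(*a, *rendezvous, "register"), now=0)
    pb = nat_b.outbound(Packet(*b, *rendezvous, "register"), now=0)
    ext_a, ext_b = (pa.src_ip, pa.src_port), (pb.src_ip, pb.src_port)
    # 2. the server hands each client the other's external address (done out of band here)
    # 3. A's first packet opens a pinhole on NAT A, but NAT B has no permission for A yet: dropped
    first = nat_b.inbound(nat_a.outbound(Packet(*a, *ext_b, "punch"), now=1), now=1)
    # 4. B's packet opens a pinhole on NAT B and fits A's pinhole, so it reaches A
    second = nat_a.inbound(nat_b.outbound(Packet(*b, *ext_a, "punch"), now=2), now=2)
    # 5. both pinholes now exist, so traffic flows in both directions
    third = nat_b.inbound(nat_a.outbound(Packet(*a, *ext_b, "data"), now=3), now=3)
    return {"first_dropped": first is None,
            "second_reached": second is not None and (second.dst_ip, second.dst_port) == a,
            "third_reached": third is not None and (third.dst_ip, third.dst_port) == b}
```

Running the three demo functions shows why hole punching needs both sides to send: the first packet opens a pinhole only on the sender's own NAT and is filtered by the other side, and traffic flows only after the second side has sent as well. A real NAT may apply a looser filtering rule than the one assumed here, in which case the first packet would already get through; it may also choose external ports differently, which is exactly why the rendezvous server has to report what it observed rather than what the client expects.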

5.2 Unilateral self-address determination (UNSAF)

Unilateral self-address fixing (UNSAF, UNilateral Self-Address Fixing) is an attempt to determine by heuristics how a NAT treats traffic. It is a fragile process, and technologies like ICE have been recommended as alternatives.

Applications use a range of methods to learn the address their traffic carries after passing through the NAT. This is called address fixing (learning and maintaining address information). Address-fixing methods are divided into direct and indirect.

  1. Indirect methods involve inferring the NAT's behaviour by exchanging traffic through it. These are the most widely used; the best-known users are VoIP applications. For a VoIP reference, see CSDN blogger 叶广明_微信ye_guangming, "Introduction to VoIP", at https://blog.csdn.net/china_video_expert/article/details/70164428
  2. Direct methods involve the application itself talking directly to the NAT via one or more special protocols (not IETF standards).

5.3 NAT session traversal tool: STUN

The main UNSAF and NAT traversal tool is Session Traversal Utilities for NAT (STUN). STUN derives from Simple Traversal of UDP through NAT, now known as "classic STUN". The main job of a STUN server is to echo the STUN requests sent to it so that the client can determine its own addressing information. This requires a cooperating server on the public side of the NAT that is "other" than the client, reachable on the Internet, and configured with several global IP addresses.

STUN was conceived as a "temporary" solution until more sophisticated direct protocols were developed and deployed, or until the widespread adoption of IPv6 made NAT obsolete. As a relatively simple client/server protocol, it can determine the external IP address and port number of a NAT in a variety of environments, and by keeping NAT bindings active it can keep that information current.

5.3.1 STUN header structure

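Since the header diagrams did not survive, here is the STUN header and the XOR-MAPPED-ADDRESS attribute as an added, runnable illustration written for this article from RFC 5389; it is not the page's code nor any STUN library's. The message type values, the 0x2112A442 magic cookie and the attribute layout are as RFC 5389 defines them; the sample addresses and the `stun_exchange` function, which plays both client and server in one process with no network, are constructed for the example.

```python
import os
import socket
import struct
from typing import Dict, Optional, Tuple

# Constants from RFC 5389 (STUN); the codec itself is an added illustration, not the page's own code.
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
HEADER = struct.Struct("!HHI12s")   # 20-byte header: type, length, magic cookie, transaction id
COOKIE_BYTES = MAGIC_COOKIE.to_bytes(4, "big")

def build_request(txid: Optional[bytes] = None) -> bytes:
    """Binding Request with no attributes (length 0) and a random 96-bit transaction id."""
    return HEADER.pack(BINDING_REQUEST, 0, MAGIC_COOKIE, txid or os.urandom(12))

def parse_header(msg: bytes) -> Tuple[int, bytes, bytes]:
    """Validate the fixed header; return (message type, transaction id, attribute body)."""
    if len(msg) < HEADER.size:
        raise ValueError("too short for a STUN header")
    mtype, length, cookie, txid = HEADER.unpack_from(msg)
    if mtype & 0xC000:
        raise ValueError("top two bits of the type must be zero")
    if cookie != MAGIC_COOKIE:
        raise ValueError("magic cookie mismatch: not RFC 5389 STUN")
    if length != len(msg) - HEADER.size:
        raise ValueError("length field does not match the body")
    return mtype, txid, msg[HEADER.size:]

def is_stun(msg: bytes) -> bool:
    """Cheap demultiplexing check a server does before treating a datagram as STUN."""
    try:
        parse_header(msg)
        return True
    except ValueError:
        return False

def xor_mapped_address(ip: str, port: int) -> bytes:
    """Encode an IPv4 XOR-MAPPED-ADDRESS attribute: port and address XORed with the cookie."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = bytes(a ^ b for a, b in zip(socket.inet_aton(ip), COOKIE_BYTES))
    value = struct.pack("!BBH", 0, 0x01, x_port) + x_addr   # reserved, family=IPv4, X-Port, X-Address
    return struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value

def build_response(txid: bytes, observed_ip: str, observed_port: int) -> bytes:
    """What the server sends back: the source address it observed, i.e. the NAT's public side."""
    attrs = xor_mapped_address(observed_ip, observed_port)
    return HEADER.pack(BINDING_SUCCESS, len(attrs), MAGIC_COOKIE, txid) + attrs

def parse_attributes(body: bytes) -> Dict[int, bytes]:
    """Walk the TLV attributes; each value is padded to a 4-byte boundary."""
    attrs: Dict[int, bytes] = {}
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack_from("!HH", body, off)
        value = body[off + 4: off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        attrs[atype] = value
        off += 4 + ((alen + 3) & ~3)
    return attrs

def decode_xor_mapped(value: bytes) -> Tuple[str, int]:
    """Undo the XOR to recover the address and port the server observed."""
    _, family, x_port = struct.unpack_from("!BBH", value)
    if family != 0x01:
        raise ValueError("only the IPv4 family is handled here")
    port = x_port ^ (MAGIC_COOKIE >> 16)
    addr = bytes(a ^ b for a, b in zip(value[4:8], COOKIE_BYTES))
    return socket.inet_ntoa(addr), port

def stun_exchange(observed: Tuple[str, int] = ("203.0.113.10", 40000),
                  txid: Optional[bytes] = None) -> Tuple[str, int]:
    """Constructed end-to-end run: the 'server' sees the request arrive from `observed`
    (the NAT's public address and port) and echoes it back; the client decodes the answer."""
    request = build_request(txid)
    mtype, req_txid, _ = parse_header(request)
    if mtype != BINDING_REQUEST:
        raise ValueError("expected a Binding Request")
    response = build_response(req_txid, *observed)
    rtype, resp_txid, body = parse_header(response)
    if rtype != BINDING_SUCCESS or resp_txid != req_txid:
        raise ValueError("response does not match the outstanding request")
    return decode_xor_mapped(parse_attributes(body)[XOR_MAPPED_ADDRESS])
```

The XOR with the magic cookie is there for a practical reason worth knowing when debugging: some NATs rewrite anything in a payload that looks like their own public address, which would corrupt a plain MAPPED-ADDRESS; the XORed form does not look like an address on the wire, so the client gets back exactly what the server observed. Matching the 12-byte transaction id is what ties a response to its request when several are outstanding on one socket.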

5.4 Traversal Using Relays around NAT (the last-resort measure)

Traversal Using Relays around NAT (TURN) provides communication between multiple systems even when they are not behind cooperative NATs. In this case, as the last-resort means of supporting communication, it requires a relay server that transfers data between the communicating systems. STUN and TURN use some specific packet extensions so that, even when almost everything else fails, communication can still be supported as long as each client can connect to a public TURN server.
Usually the TURN client is located behind a NAT and accesses a TURN server on the public Internet, indicating which other systems (called peers) it wishes to connect to. The server address and the protocol to use can be found via special DNS NAPTR records or by manual configuration.

The address and port information the client obtains from the server is called the relayed transport address; it is the address and port the TURN server uses to communicate with the other peers. The client also obtains its own server-reflexive transport address, and the peers obtain server-reflexive transport addresses representing their external addresses. These addresses are what the client and server need in order to connect the client with its peers. The method of exchanging this addressing information is not defined in TURN; instead, to make effective use of a TURN server, this information must be exchanged through some other mechanism.

5.4.1 TURN requests use the STUN message format

A TURN request takes the form of a STUN message whose message type is an Allocate request.

TURN extends STUN with 6 methods, 9 attributes and 6 error response codes. These can be roughly grouped into support for creating and maintaining allocations, authentication, and channel operation. The six methods and their method numbers are: Allocate (3), Refresh (4), Send (6), Data (7), CreatePermission (8) and ChannelBind (9).

The first two methods are used to create an allocation and keep it alive. Send and Data use STUN messages to encapsulate data sent from the client to the server and vice versa. CreatePermission creates or refreshes a permission, and ChannelBind associates a 16-bit channel number with a specific peer. Error messages indicate problems related to TURN functions, such as authentication failure or resource exhaustion.

5.5 Interactive Connectivity Establishment (ICE)

Given the widespread deployment of NAT and the various mechanisms required to traverse it, a general facility called Interactive Connectivity Establishment (ICE) was developed to help UDP application hosts behind NATs establish connections. ICE is a set of heuristics with which an application can perform UNSAF in a relatively predictable way. In its operation, ICE uses other protocols such as TURN and STUN.

6. References

  1. CSDN blogger 逃离地球的小小呆, "NAT (address translation technology) explained", URL: https://blog.csdn.net/gui951753/article/details/79593307?depth_1-utm_source=distribute.pc_relevant.none-task&utm_source=distribute.pc_relevant.none-task
  2. CSDN blogger 擒贼先擒王, "NAT explained", URL: https://blog.csdn.net/freeking101/article/details/77962312?depth_1-utm_source=distribute.pc_relevant.none-task&utm_source=distribute.pc_relevant.none-task
  3. CSDN blogger chao199512, "The difference between IPv4 and IPv6 (the most detailed in history)", URL: https://blog.csdn.net/chao199512/article/details/86139714
  4. CSDN blogger 三支烟, "Classic Huawei router NAT configuration" (repost), URL: https://blog.csdn.net/qq_36357820/article/details/78918630?depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromBaidu-5&utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromBaidu-5
  5. CSDN blogger 曹世宏的博客, "Principles of NAT traversal (NAT-T)", URL: https://blog.csdn.net/qq_38265137/article/details/89423809
  6. CSDN blogger 叶广明_微信ye_guangming, "Introduction to VoIP", URL: https://blog.csdn.net/china_video_expert/article/details/70164428
  7. CSDN news, "The last IPv4 address has been allocated, the transition to IPv6 formally begins!" (e-mail screenshot), URL: https://blog.csdn.net/j3T9Z7H/article/details/103306122
  8. Tencent News, "The world's last 5 IPv4 address blocks allocated; Asia-Pacific IPs will run out first", URL: https://tech.qq.com/a/20110204/000053.htm
  9. TCP/IP Illustrated, Volume 1: The Protocols (2nd edition, Chinese translation): p. 23, pp. 209-247
  10. "How to find the IP address of a computer", at: http://xinzhi.wenda.so.com/a/1520415964612980
  11. Baidu Encyclopedia, "NAT traversal", URL: https://baike.baidu.com/item/NAT%E7%A9%BF%E8%B6%8A/2366420?fr=aladdin

Original: https://blog.csdn.net/qq_45877524/article/details/105237657