Quickly understand the principle of NAT traversal in P2P technology

Introduction
Recently I have been involved in testing P2P-related logic, so I have gained a certain understanding of the principle of NAT traversal (not a very deep one, of course). This article also synthesizes and refers to some material from the Internet and the literature (citations are not marked in the article; please forgive me). My purpose in writing it is to describe the process in my own words, adding some of my own understanding along the way, and to keep the result as a record of the main points. I still have many blind spots in this area, and I welcome advice from experts of all kinds.

1. Background knowledge introduction

1. What is NAT?
NAT (Network Address Translation), also called network masquerading or IP masquerading, is a technique that rewrites the private IP addresses used inside a network into public IP addresses that are routable on the Internet.

2. Why does NAT exist?
Go back to the 1980s. When network addresses were being designed, nobody expected that more than 2^32 devices would ever be connected to the Internet, and lengthening the address (even from 4 bytes to 6) would have been quite costly in computation, storage and transmission for the equipment of the time. It was gradually discovered that IP addresses were running out, and so NAT was born. (IPv6 is also a solution, but it is still not widespread, and whether IPv6 will be enough in the future is still an open question.)

So NAT technology arose because public IP addresses are too few in our country and not enough to go around, and this address-translation strategy was adopted instead. The essence of NAT is to let a group of machines share one public IP, which temporarily relieves the IP shortage.

3. What are the advantages and disadvantages of NAT?
The advantages follow from the definition: NAT lets multiple computers reach the Internet at the same time while hiding their internal IP addresses, which improves the security of the internal network. In addition, NAT checks inbound packets against its mapping table and discards packets that match no record, which again improves security.

At the same time, NAT brings some disadvantages. First, the NAT device must rewrite every packet, which reduces forwarding efficiency. Second, protocols behave differently, and some cannot pass through NAT at all (there are many such protocols); this has to be solved with traversal techniques, which are the focus of the rest of this article.

After understanding the simple background, the main methods of NAT implementation and the types of NAT are described below.

2. NAT implementation methods and main types

1. NAT implementation methods
1) Static NAT: static address translation. One public IP corresponds to one private IP, a one-to-one mapping. Note that only the IP address is translated here; ports are not. For example:
[Figure: static NAT example]

2) NAPT: port multiplexing (Network Address Port Translation). Unlike static NAT, NAPT translates not only the IP address but also the transport-layer port. Externally there is only one public IP, and traffic from different private hosts is distinguished by port number. See the figure for another example.

From the description above it is clear that NAPT is far more common in real environments, so the rest of this article focuses on the main NAPT types.

2. The main types of NAT

NAPT is divided into two main categories: cone NAT and symmetric NAT. Cone NAT is further divided into full cone, restricted cone and port restricted cone. In a nutshell: a symmetric NAT allocates a separate external port for each destination (one session, one port); a cone NAT (asymmetric NAT) maps one internal IP:port to one external port regardless of destination, so as long as the internal source IP:port is unchanged, all of its traffic, whatever the destination IP, shares the same port on the NAT, which fans out like a cone (hence the name). The four types and their differences are described below.

1) Full Cone NAT (hereinafter FC)

Features: IP and port are not restricted.

Behaviour: all packets sent from the same internal IP and port (IP_IN_A:PORT_IN_A) are mapped to the same public IP and port (IP_OUT_B:PORT_OUT_B). Any external IP address and port that sends to the mapped public endpoint (IP_OUT_B:PORT_OUT_B) is forwarded to the internal host (IP_IN_A:PORT_IN_A). With this type, a C/S application can initiate the connection from either end. Put simply, once the client has created a mapping from inside to outside (NatIP:NatPort -> A:P1), host B or another port of A (A:P2) can use that hole to send data to the client. See the figure below (figure from the Internet).
[Figure: full cone NAT]

2) Restricted Cone NAT

Features: IP is restricted and ports are not restricted.

Behaviour: unlike full cone NAT, once the port has been mapped on the public side, not every external IP may use it. To communicate, the internal host must first send to an external IP host; that host can then reply to the internal host, from any port. For example, when the client creates a mapping from inside to outside (NatIP:NatPort -> A:P1), host A may use another of its ports (P2) to send to the client, but host B may not: the IP is restricted, the port is arbitrary. See the figure below (green means communication is allowed, red means it is blocked).
[Figure: restricted cone NAT (green allowed, red blocked)]

3) Port Restricted Cone NAT

Features: IP and port are restricted.

Behaviour: stricter than restricted cone NAT. In addition to the restricted cone rule, the port of the replying host is also constrained. That is: only after the internal host has sent a packet to an external host (say IP A, port P1) may that external host send a UDP packet to the internal host's public IP:PORT, and the packet must come from IP A and port P1 exactly (a packet from A:P2, or from B:P1, will not get through). See the figure below. This further tightens the restriction on the source of external packets, making it more secure than Restricted Cone.
[Figure: port restricted cone NAT]

4) Symmetric NAT

Features: each session with a different external host or port is mapped to a different external port (hole).

Behaviour: only requests from the same internal IP:PORT to the same destination IP:PORT are translated to the same public (external) IP:PORT; otherwise the NAT allocates a new external IP:PORT. Moreover, only an external host that has received a packet from the internal host can send packets back to it. Suppose the internal host uses the same IP and port to talk to several external hosts. The client's connection to server A (IP_A:PORT_A) is mapped by the NAT to NatIP:NatPortA, and its connection to server B (IP_B:PORT_B) is mapped to NatIP:NatPortB. In other words, the same client talking to different destination IP:PORTs gets different public IP:PORTs after NAT. If B now wants to reach the client, it can do so only through NatIP:NatPortB (the purple hole in the figure), not through NatIP:NatPortA (the yellow hole).
[Figure: symmetric NAT (yellow hole NatIP:NatPortA, purple hole NatIP:NatPortB)]

These are the four NAPT types. From type 1) to type 4), the NAT's restrictions become progressively stricter.

3. Determining the NAT type

From the above, each device in a real network sits in a different network environment, so before two devices can communicate directly, determining what kind of network each one is in is a crucial step. For video conferencing and VoIP software, for example, traffic between hosts behind different NATs would otherwise have to be relayed by a server, which increases the server's load. To avoid this, direct communication between hosts inside different NATs is needed, and the key is to determine the NAT type and then design a direct-connection scheme for it. Otherwise, how could two hosts that are both behind NAT talk to each other? We don't know the other side's private IP, and even if we send a packet to the other side's gateway, what then? How would the gateway know whom the packet is for, and what has permitted the gateway to pass it?

To solve this problem, namely letting hosts on internal networks traverse the NATs between them and communicate directly, many methods have been proposed. STUN (Session Traversal Utilities for NAT) is one of the more important solutions and is widely used, and this section focuses on its principles. (There are also UPnP, ALG (application-layer gateway), SBC (session border controller), ICE (Interactive Connectivity Establishment), TURN (relayed NAT traversal) and others; this article does not cover them one by one.)

4. STUN protocol
STUN is a network protocol that lets a client behind one or more NATs discover its own public address, what type of NAT it is behind, and which Internet-side port the NAT has bound to a given local port. This information is used to set up UDP communication between two hosts that are both behind NAT routers. The protocol is defined in RFC 5389. A STUN deployment has three parts: the STUN client, the STUN server and the NAT router. The STUN server runs on a machine with two public IP addresses; see the figure below for the general layout. The client sends different message types to the server and draws conclusions from the server's responses. Once the client knows its UDP port on the Internet, communication can begin.
[Figure: STUN client, NAT router and STUN server with two public IPs]

The STUN protocol defines three types of test to detect the NAT type (Test1 is run twice, once against each server address).

Test1: the STUN client sends a Binding Request from {IP-C1:Port-C1} to the STUN server at {IP-S1:Port-S1} (no attributes set). The server replies from {IP-S1:Port-S1} with a Binding Response containing the client address it saw, {IP-M1:Port-M1}.

Test1#2: the STUN client sends a Binding Request from {IP-C1:Port-C1} to the STUN server at {IP-S2:Port-S2} (no attributes set). The server replies from {IP-S2:Port-S2} with a Binding Response containing the client address it saw, {IP-M1#2:Port-M1#2}.

Test2: the STUN client sends a Binding Request from {IP-C1:Port-C1} to the STUN server at {IP-S1:Port-S1} with the Change IP and Change Port attributes set. The server replies from {IP-S2:Port-S2} with a Binding Response containing the client address it saw, {IP-M2:Port-M2}.

Test3: the STUN client sends a Binding Request from {IP-C1:Port-C1} to the STUN server at {IP-S1:Port-S1} with only the Change Port attribute set. The server replies from {IP-S1:Port-S2} with a Binding Response containing the client address it saw, {IP-M3:Port-M3}.
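As an added example (not code from the original article), the following Python builds the Binding Request that Test1, Test2 and Test3 send and parses the mapped address out of a Binding Response. The header layout and XOR-MAPPED-ADDRESS follow RFC 5389; the CHANGE-REQUEST attribute with its change-IP and change-port flags is the one from the older RFC 3489 (kept in RFC 5780), which is what these tests rely on. make_response only constructs a sample server reply so the parser can be exercised offline.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442                  # fixed value in every RFC 5389 STUN header
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
ATTR_MAPPED_ADDRESS, ATTR_CHANGE_REQUEST, ATTR_XOR_MAPPED_ADDRESS = 0x0001, 0x0003, 0x0020
CHANGE_IP, CHANGE_PORT = 0x04, 0x02        # CHANGE-REQUEST flag bits (RFC 3489 / RFC 5780)

def binding_request(change_ip=False, change_port=False, txid=None):
    """Test1 sends no attributes, Test2 sets both flags, Test3 sets only change_port."""
    txid = os.urandom(12) if txid is None else txid
    attrs = b""
    if change_ip or change_port:
        flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
        attrs = struct.pack("!HHI", ATTR_CHANGE_REQUEST, 4, flags)
    # header: message type, attribute length, magic cookie, 96-bit transaction id
    return struct.pack("!HHI", BINDING_REQUEST, len(attrs), MAGIC_COOKIE) + txid + attrs

def parse_response(data, txid):
    """Return the (ip, port) the server saw, or None if the packet is not our response."""
    if len(data) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_RESPONSE or cookie != MAGIC_COOKIE or data[8:20] != txid:
        return None                        # wrong type, not STUN, or a stale/forged reply
    pos, end = 20, min(20 + length, len(data))
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and len(value) == 8:
            family, port = struct.unpack("!xBH", value[:4])
            addr = struct.unpack("!I", value[4:8])[0]
            if family == 0x01:             # IPv4 only in this example
                if atype == ATTR_XOR_MAPPED_ADDRESS:
                    port ^= MAGIC_COOKIE >> 16
                    addr ^= MAGIC_COOKIE
                return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + ((alen + 3) & ~3)       # attribute values are padded to 4 bytes
    return None

def make_response(txid, ip, port):
    """Constructed sample Binding Response carrying XOR-MAPPED-ADDRESS, as a server would."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!xBHI", 0x01, port ^ (MAGIC_COOKIE >> 16), addr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txid + attr
```

Checking the transaction id before trusting a reply matters in practice: a stray or spoofed datagram that reaches the socket must not be mistaken for the server's answer when the client decides whether a test "succeeded".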

The outputs of the STUN procedure are:
1) the public IP and port
2) whether there is a firewall
3) whether the client is behind NAT, and if so the NAT type

Putting this together, the STUN procedure can distinguish the following seven cases:

A: Public Internet IP. The host has a public IP and no firewall, and can communicate freely with the outside.
B: Full cone NAT.
C: Restricted cone NAT.
D: Port restricted cone NAT.
E: Symmetric UDP firewall. There is no NAT device at the host's exit, but there is a firewall with the following rule: packets sent from the host's UDP port A keep their source address, but only packets sent back to port A from the destination IP:PORT the host previously contacted are allowed through the firewall.
F: Symmetric NAT.
G: A firewall blocks UDP communication.

With the inputs and outputs in place, the flowchart below (from Wikipedia) describes the STUN decision procedure.
[Figure: STUN NAT-type detection flowchart (Wikipedia)]

STEP1: Check whether the client can communicate over UDP and whether it is behind NAT (Test1)
The client creates a UDP socket and uses it to send packets to the server's (IP-1, Port-1), asking the server to return the client's IP and port; right after sending, the client starts listening for the reply. This is repeated several times.
a) If every attempt times out with no reply from the server, the client cannot communicate over UDP: type G, a firewall blocks UDP.
b) If a reply arrives, compare the (IP:PORT) the server returned with the client's (Local IP:Local Port):
If they are identical, the client is not behind NAT; such a client is either A (it has a public IP and can listen directly on a UDP port) or E.
Otherwise the client is behind NAT and further type detection is needed (continue).

STEP2: Detect the client's firewall type (Test2)
The STUN client sends a request asking the server to reply from its other IP and port:
a) If no reply from the other IP address arrives, the packet was blocked by a firewall in front of the client; the network type is E.
b) If it arrives, the client is on an open network; the network type is A.

STEP3: Check whether the client's NAT is Full Cone NAT (Test2)
The client creates a UDP socket and uses it to send packets to the server's (IP-1, Port-1), asking the server to reply from its other pair (IP-2, Port-2); right after sending, the client starts listening. This is repeated several times.
a) If every attempt times out with no reply, the client's NAT is not a Full Cone NAT, and the next step determines the exact type (continue).
b) If a reply from (IP-2, Port-2) is received, the client is behind a Full Cone NAT, and such a client can do UDP P2P communication.

STEP4: Detect whether the client's NAT is Symmetric NAT (Test1#2)
The client creates a UDP socket and uses it to send packets to the server's (IP-1, Port-1), asking the server to return the client's IP and port; right after sending, the client starts listening. This is repeated until a reply arrives (one must arrive, because STEP1 established that UDP works).
In the same way, the same socket sends a packet to the server's (IP-2, Port-2), asking it to return the client's IP and port.
Compare the client (IP, Port) pairs returned in the two exchanges. If they differ, the client is behind a Symmetric NAT; such a client cannot do UDP P2P communication (detection stops), because a symmetric NAT uses a different port for every destination and nobody can predict which port the client will be given next time. Otherwise it is a Restricted Cone NAT, and whether it is a Port Restricted Cone NAT remains to be checked (continue).

STEP5: Detect whether the client's NAT is Restricted Cone or Port Restricted Cone (Test3)
The client creates a UDP socket and uses it to send packets to the server's (IP-1, Port-1), asking the server to reply from IP-1 but from a port other than Port-1; right after sending, the client starts listening. This is repeated several times. If every attempt times out with no reply, the client is behind a Port Restricted Cone NAT; if a reply arrives, it is a Restricted Cone NAT. Both of these NAT types can do UDP P2P communication.
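As an added example (not code from the original article), the following Python models the four NAPT behaviours described in section 2 and then runs the STEP1 to STEP5 tests against that model, returning the letter A..G from the list above. NatSim, stun_classify and the server and client addresses are constructed for this illustration; the model always translates the client's address, so the A, E and G branches are shown for completeness but never reached by it.

```python
from dataclasses import dataclass, field

@dataclass
class NatSim:
    """kind: 'full', 'restricted', 'port_restricted' or 'symmetric'."""
    kind: str
    public_ip: str = "203.0.113.1"                 # constructed sample public IP
    next_port: int = 40000
    mapping: dict = field(default_factory=dict)    # hole key -> external port
    peers: dict = field(default_factory=dict)      # external port -> {dest endpoints}

    def outbound(self, internal, dest):
        """Internal endpoint sends to dest; returns the public (ip, port) used."""
        # cone NATs key the hole on the internal endpoint only, symmetric NAT also on dest
        key = (internal, dest) if self.kind == "symmetric" else internal
        if key not in self.mapping:
            self.mapping[key] = self.next_port
            self.next_port += 1
        port = self.mapping[key]
        self.peers.setdefault(port, set()).add(dest)
        return (self.public_ip, port)

    def inbound(self, src, ext_port):
        """Does a packet from src to public_ip:ext_port reach the internal host?"""
        seen = self.peers.get(ext_port)
        if seen is None:
            return False                                  # no hole at this port
        if self.kind == "full":
            return True                                   # any IP:port may use it
        if self.kind == "restricted":
            return any(ip == src[0] for ip, _ in seen)    # same IP, any port
        return src in seen                                # exact IP:port required

# Constructed STUN server endpoints: two public IPs and two ports (IP-S1:Port-S1 etc.).
S1, S2 = ("198.51.100.5", 3478), ("198.51.100.9", 3479)
S1_OTHER_PORT = (S1[0], S2[1])
CLIENT = ("192.168.1.10", 5000)

def stun_classify(nat):
    """Run Test1, Test2, Test1#2 and Test3 through the simulated NAT; return A..G."""
    mapped1 = nat.outbound(CLIENT, S1)            # Test1: S1 echoes the address it saw
    if not nat.inbound(S1, mapped1[1]):           # no reply at all: UDP blocked
        return "G"
    test2 = nat.inbound(S2, mapped1[1])           # Test2: reply from other IP and port
    if mapped1 == CLIENT:                         # address unchanged: not behind NAT
        return "A" if test2 else "E"
    if test2:
        return "B"                                # full cone
    mapped1_2 = nat.outbound(CLIENT, S2)          # Test1#2: same socket, other server
    if mapped1_2 != mapped1:
        return "F"                                # symmetric: new hole per destination
    test3 = nat.inbound(S1_OTHER_PORT, mapped1[1])  # Test3: same IP, different port
    return "C" if test3 else "D"
```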

With the above procedure it is possible to determine whether the client is behind NAT, the NAT type and its public IP, and thus whether the client is capable of P2P communication. Of course, this is only the first of my personal notes; later I will write another, "Analysis of NAT Penetration Principles (2)", to analyze hole-punching strategies for the different NAT types.


Origin blog.csdn.net/lingshengxueyuan/article/details/107023952