A brief introduction to NAT types, STUN and TURN

Overview

NAT stands for Network Address Translation. It is an IETF (Internet Engineering Task Force) standard that allows an entire organization to appear on the Internet as a single public IP (Internet Protocol) address. As the name suggests, it is a technique that translates an internal private network address (IP address) into a legal public IP address. NAT allows internal networks that use private addresses to connect to the Internet or other IP networks, and the process is transparent to users. When the NAT router forwards an internal network packet to the public network, it rewrites the private address in the IP packet header to a legal public IP address. NAT can therefore be regarded as an effective way of easing, to a certain extent, the shortage of public network addresses.

Side effects of NAT and solutions

When a link through a domestic mobile wireless network operator carries no data for a period of time, the operator removes the corresponding entry from its NAT table, and the link is broken.

This is the first side effect of NAT: the NAT timeout.

Domestic operators generally use a NAT timeout of 5 minutes, so the heartbeat interval of a TCP long connection is usually set to 3-5 minutes.

The second side effect is the NAT wall.

NAT has a mechanism whereby every request from the outside world towards the internal network is discarded when it reaches the NAT, so a host behind a NAT device cannot receive any unsolicited external data.

This mechanism has a workaround: if A actively sends a message to B, A opens a hole towards B in its own NAT. A's message is dropped when it reaches B's NAT, but if B is sending a message to A at the same time, that message can pass through A's NAT when it arrives and be delivered to A.

There are 4 different types of NAT

  • Full Cone

After machine A inside this NAT connects to machine C on the external network, the NAT opens a port. Any UDP datagram sent from the external network to this open port can then reach A, whether or not it comes from C (this type is rare).
For example:
A: 192.168.8.100
NAT: 202.100.100.100
C: 292.88.88.88
A(192.168.8.100:5000) ——> NAT(202.100.100.100:8000) ——> C(292.88.88.88:2000)
Any data sent to NAT(202.100.100.100:8000) can reach A(192.168.8.100:5000).

  • Address Restricted Cone

After machine A inside this NAT connects to machine C on the external network, the NAT opens a port. C can then communicate with A from any port; other external machines cannot.
For example:
A: 192.168.8.100
NAT: 202.100.100.100
C: 292.88.88.88
A(192.168.8.100:5000) ——> NAT(202.100.100.100:8000) ——> C(292.88.88.88:2000)
Any data sent from C to NAT(202.100.100.100:8000) can reach A(192.168.8.100:5000).

  • Port Restricted Cone

After machine A inside this NAT connects to machine C on the external network, the NAT opens a port. C can then communicate with A only from the original port; other external machines cannot.
For example:
A: 192.168.8.100
NAT: 202.100.100.100
C: 292.88.88.88
A(192.168.8.100:5000) ——> NAT(202.100.100.100:8000) ——> C(292.88.88.88:2000)
Data sent from C(292.88.88.88:2000) to NAT(202.100.100.100:8000) can reach A(192.168.8.100:5000).

The above three types of NAT are collectively called cone NAT. A cone NAT is one where packets from the same internal address and port are always translated to the same external address and port, regardless of whether the destination address is the same. "The same external address and port" and "regardless of whether the destination address is the same" together form a cone-like network structure, which is the origin of the name. Conversely, a NAT that does not meet this condition is a symmetric NAT.

UDP hole punching can only be used across these cone NATs.

  • Symmetric

With this type of NAT, the port opened by the NAT changes when connecting to different external servers: when internal machine A connects to external machine B, the NAT opens one port, and when A connects to external machine C, it opens another port.

Symmetric NAT follows two principles:

  1. Try not to modify the source port, i.e. after IP masquerading the source port stays unchanged wherever possible.
  2. More importantly, after IP masquerading the combination of source address/port and destination address/port (the so-called socket) must be unique.

Assume the following situation (the internal network has hosts A and D, and the public network has hosts B and C).

The following three connections are established in succession:

A(1000) ——> NAT(1000) ——> B(2000)
D(1000) ——> NAT(1000) ——> C(2000)
A(1000) ——> NAT(1001) ——> C(2000)

The first two connections follow principle 1 without violating principle 2; the third connection changes the source port to avoid sharing a socket with the second. Comparing the first and third connections, packets from A(1000) leave the NAT with source port 1000 and 1001 respectively. This shows that Linux NAT is a symmetric NAT.

The difference between cone and symmetric NAT

  • If it is a cone NAT:

After successful connections, the state must be as follows:

A(1000) ——> NAT(5001) ——> B(2000)

A(1000) ——> NAT(5001) ——> C(3000)

In other words, as long as a packet is sent from port 1000 of host A, its source port after address translation is always the same.

  • If it is a symmetric NAT:

After the connections, the state may be (note: may be, not necessarily) as follows:

A(1000) ——> NAT(5001) ——> B(2000)

A(1000) ——> NAT(5002) ——> C(3000)

The difference between the two is obvious.
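To make the four behaviours concrete, here is a small model of the NAT types above (mapping rule: cone versus symmetric following the two principles; inbound filtering: full, address-restricted, port-restricted), replaying the post's hole-punching and three-connection scenarios. This is an added example, not code from the original post; host and NAT addresses are constructed from RFC 5737 documentation ranges, and the model keeps the source port whenever it is free for every NAT type.

```python
# Added example, not from the original post; addresses are constructed (RFC 5737).
class Nat:
    """Mapping behaviour (cone vs symmetric) plus inbound filtering rules."""
    def __init__(self, kind, public_ip="203.0.113.1"):
        assert kind in ("full", "address", "port", "symmetric")
        self.kind, self.public_ip = kind, public_ip
        self.mappings = {}  # key -> (public_port, set of external peers contacted)
        self.taken = set()  # (public_port, dst-or-None) already allocated

    def send(self, src, dst):
        """Internal src=(ip, port) sends to external dst; returns the public endpoint."""
        key = (src, dst) if self.kind == "symmetric" else (src, None)  # cone: one per src
        entry = self.mappings.get(key)
        if entry is None:
            port = src[1]  # principle 1: keep the source port when possible
            while (port, key[1]) in self.taken:  # principle 2: mapped tuple must be unique
                port += 1
            self.taken.add((port, key[1]))
            entry = self.mappings[key] = (port, set())
        entry[1].add(dst)  # the outbound packet "punches" this hole
        return (self.public_ip, entry[0])

    def receive(self, ext, public_port):
        """External ext sends to public_port; returns the internal endpoint or None (dropped)."""
        for (src, _), (port, peers) in self.mappings.items():
            if port != public_port:
                continue
            if self.kind == "full":  # any external host may use the hole
                return src
            if self.kind == "address" and any(p[0] == ext[0] for p in peers):  # same host
                return src
            if self.kind in ("port", "symmetric") and ext in peers:  # same host and port
                return src
        return None

def demo():
    """Replays the post's scenarios; returns the observations as a dict."""
    A, D = ("192.168.8.100", 1000), ("192.168.8.101", 1000)
    B, C, E = ("198.51.100.2", 2000), ("198.51.100.3", 2000), ("198.51.100.9", 7000)
    out = {}
    for kind in ("full", "address", "port"):
        nat = Nat(kind)
        pub = nat.send(A, C)  # A opens a hole towards C
        out[kind] = (nat.send(A, B)[1] == pub[1],  # cone: same public port for every dst
                     nat.receive(C, pub[1]), nat.receive((C[0], 2001), pub[1]),
                     nat.receive(E, pub[1]))  # E never talked to A
    sym = Nat("symmetric")
    out["symmetric"] = [sym.send(x, y)[1] for x, y in ((A, B), (D, C), (A, C))]
    out["sym_wall"] = (sym.receive(B, 1000), sym.receive(C, 1000), sym.receive(E, 1001))
    return out
```

The symmetric run reproduces the 1000/1000/1001 port sequence from the three-connection example, and the wall check shows why a third party that was never contacted is dropped.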

A brief introduction to STUN and TURN

STUN Server mainly does two things:

  • Accepts the client's request and encapsulates the client's public IP and port into an ICE candidate.
  • Through a fairly complicated mechanism, determines the client's NAT type.
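How the first of these looks on the wire, as an added example that is not from the original post: a client builds an RFC 5389 Binding Request and decodes the XOR-MAPPED-ADDRESS attribute in the server's success response to learn its public IP and port. The server reply is constructed locally so the code runs offline, and the transaction-ID check rejects any response that does not belong to the request we sent.

```python
# Added example, not from the original post: STUN Binding messages as defined in RFC 5389.
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
MAPPED_ADDRESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0020

def build_binding_request(txid=None):
    """20-byte header with no attributes; txid is 12 random bytes unless given."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid, txid

def build_binding_response(txid, ip, port):
    """Constructed server reply (stands in for a live server) with XOR-MAPPED-ADDRESS."""
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), xaddr)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr

def parse_mapped_address(data, txid):
    """Return the public (ip, port) the server saw, or None if the reply is not acceptable."""
    if len(data) < 20:
        return None
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != txid:
        return None  # wrong type, not STUN, or a reply to a request we did not send
    if len(data) != 20 + length:
        return None  # truncated or trailing garbage
    pos, plain = 20, None
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4-byte boundaries
        if atype in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) and len(value) == 8 and value[1] == 1:
            _, _, port, addr = struct.unpack("!BBHI", value)  # family 1 = IPv4
            if atype == XOR_MAPPED_ADDRESS:  # undo the XOR with the magic cookie
                return socket.inet_ntoa(struct.pack("!I", addr ^ MAGIC_COOKIE)), port ^ (MAGIC_COOKIE >> 16)
            plain = socket.inet_ntoa(struct.pack("!I", addr)), port
    return plain  # older servers send only MAPPED-ADDRESS

def demo():
    """Client side of one Binding exchange against the constructed reply."""
    request, txid = build_binding_request()
    response = build_binding_response(txid, "203.0.113.7", 8000)
    return len(request), parse_mapped_address(response, txid), parse_mapped_address(response, bytes(12))
```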

TURN Server also mainly does two things:

  • Hole punching for NAT:
    If A and B want to communicate with each other, the TURN Server instructs A and B to each send a message to the other, so that each NAT leaves a hole for the other party and the two can communicate directly from then on.

  • Message forwarding for symmetric NAT:
    When one of A or B is behind a symmetric NAT, messages to that party can only be forwarded through the TURN Server.

Three forwarding scenarios

The STUN Server determines what type of NAT the client is behind and then carries out the subsequent handling. It returns the client's public IP, port and NAT type to the client. In addition:

  • If A is on the public network or behind a Full Cone NAT, STUN does nothing further, because other clients can communicate with A directly.

  • If A is behind a Restricted Cone or Port Restricted NAT, STUN also coordinates with TURN for NAT hole punching.

  • If A is behind a symmetric NAT, hole punching is impossible for a point-to-point connection, so the only remaining option is to fall back to a client/server (C/S) architecture: STUN coordinates with TURN for message forwarding.


Origin blog.csdn.net/qq_40741808/article/details/107686105