NAT (Network Address Translation): how Network Address Translation works

Note: this article is a repost; the original is at https://blog.csdn.net/gui951753/article/details/79593307

Table of contents

Background of NAT
IP address basics
How NAT works and its characteristics
    Static NAT
    Dynamic NAT
    NAT overload (the common case in practice)
Advantages and disadvantages of NAT
    Advantages
    Disadvantages
NAT traversal techniques
    Application layer gateway (ALG)
    ALG in practice
The future of NAT
References

Background of NAT

Today hundreds of millions of Internet users enjoy what the network offers: they read news, search for information, download software, meet people, share, and even shop for daily needs without leaving home. Companies use the Internet to publish information, transmit orders, and provide technical support. Yet the Internet that gives all this convenience faces a fundamental problem: IPv4, the protocol the whole edifice is built on, can no longer supply new network addresses.

On February 3, 2011 (Chinese Lunar New Year), IANA announced that the last five /8 blocks of IPv4 address space had been allocated to the five regional Internet registries. On April 15, 2011, APNIC announced that, apart from a small reserved pool, the IPv4 addresses of the Asia-Pacific region were essentially exhausted. Overnight IPv4 addresses became a scarce resource whose value rose sharply, and large Internet companies spent heavily to acquire the remaining free addresses. The shortage itself was not news: as early as twenty years before, the prospect of IPv4 running out had been put before the Internet's pioneers. That raises the question of which technology postponed the crisis for twenty years.

To find the answer, let's briefly review IPv4.

IPv4 is Internet Protocol version 4. It defines an internetwork spanning heterogeneous networks and assigns a globally unique IP address to each node. If the Internet is compared to a postal system, an IP address is the equivalent of a full postal address with city, street and house number. An IPv4 address is a 32-bit integer, so the address space is 2^32, roughly 4.3 billion addresses. Measured against the number of devices that could be networked when IP was created, such a space seemed unlikely to run out any time soon. Reality exceeded every expectation: over the following decades computer networks grew rapidly and the number of network endpoints exploded.

Worse, to simplify management and routing, the 4.3 billion addresses were divided by prefix length into class A, B, C and D ranges plus a reserved range. There are 128 class A network numbers (0 and 127 are reserved), each holding about 16.78 million host addresses, and 16,384 class B networks, each holding 65,536 host addresses. For a period, IANA assigned class A networks to large enterprises and organizations, and class B networks to medium-sized enterprises and educational institutions. This allocation strategy was enormously wasteful: many of the addresses handed out were never actually used, and the pool drained quickly. By the early 1990s networking experts realized that at this rate IPv4 addresses would soon be gone. People therefore began to consider a replacement for IPv4 while taking a series of measures to slow the depletion. It was against this background that today's protagonist made its debut: Network Address Translation, NAT.

NAT is a remarkable technology; it almost magically brought IPv4 back to life. The IPv4 address space, thought twenty years ago to be near the end of its historic mission, has lasted so long that people nearly forgot it was running out; in an era of rapid technical change, twenty years is a long time. Needless to say, after NAT appeared the number of network endpoints kept accelerating and demand for IP addresses rose dramatically, which shows how successful and far-reaching NAT has been.

It is "magical" in another sense too: NAT has had a profound effect on the IP network model, and its shadow falls on every corner of the network. According to one study, 70% of P2P users sit behind a NAT gateway. Since most P2P clients run on end users' PCs, that figure means most PCs reach the Internet through a NAT gateway. Counting smartphones and other mobile terminals on 2G and 3G networks, the proportion of users behind NAT is far higher still.

IP address basics

Try two things:

Open a command line and run ipconfig to see your IP address.
Open Baidu and search for "IP" to see your IP address as reported from outside.

You will notice something odd: the two addresses are different. Yet we usually say each host has exactly one IP address, and that this address is its identity. The two statements are not really in conflict, and the difference is precisely what today's topic, NAT, is about. To resolve it we need two concepts, public IP addresses and private IP addresses; see the earlier post on why the address from ipconfig differs from the one Baidu reports.

How NAT works and its characteristics

The name Network Address Translation is precise: NAT replaces the addresses in IP packet headers. It is typically deployed at the egress of an organization's network. By replacing internal IP addresses (and, for the upper-layer protocol, ports) with the address of the egress device, it gives internal hosts reachability to the public network. So what is an internal network address?

RFC 1918 reserves three address ranges: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255 and 192.168.0.0-192.168.255.255 (a class A, a class B and a class C block respectively). These are not assigned to any specific user; IANA keeps them as private addresses. Any organization or enterprise may use them, and the difference from other Internet addresses is that they are only meaningful internally and are never routed globally. Outside the organization that uses them, these addresses carry no meaning, whether as source or as destination. A closed organization whose network is not connected to the Internet can use them without applying to IANA, and internally their routing and packet forwarding behave exactly as on any other network.

When an internal network uses private addresses but needs Internet access, a NAT gateway is deployed at the organization's egress. When a packet leaves the private network for the Internet, the gateway replaces its source IP with a public address, usually the address of the egress interface. To the external server the request appears to come from the egress device, so the server's response is routed back to the gateway. The gateway then replaces the destination IP with the private address of the originating host and forwards the packet inside. The request and response complete without the public server ever perceiving the private host on the other end. Under this model a large number of internal hosts no longer need public IP addresses of their own.

(Figure: the NAT translation model.)

In general, a host is identified by its private IP inside the LAN and by the public IP when communicating on the Internet.

The key points of the NAT translation process are:

The network is divided into a private part and a public part; the NAT gateway sits at the routing exit from private to public, and traffic in both directions must pass through it.
Connections can only be initiated from the private side; the public side cannot actively reach a private host.
The NAT gateway translates addresses in both directions: source information is replaced on the way out, destination information on the way back.
The presence of the NAT gateway is transparent to both communicating parties.
To translate in both directions, the NAT gateway must maintain an association table that records each session.

Static NAT

If each internal host occupies a unique public IP, the mapping is one-to-one. In this mode no upper-layer (port) translation is needed, since each public IP corresponds uniquely to one internal host. Obviously this does little to save public IP addresses; it exists mainly for special networking requirements, for example hiding the real internal IP of a host, or letting two networks with overlapping IP ranges communicate.

Dynamic NAT

Dynamic NAT maps unregistered (private) IP addresses to addresses drawn from a pool of registered public IP addresses. Unlike static NAT, the router does not need a static configuration mapping each internal address to an external one, but the pool must contain enough public addresses for all hosts that need to send and receive on the Internet at the same time.

NAT overload (the common case in practice)

This is the most common type of NAT. NAT overload is a form of dynamic NAT that maps multiple private addresses to a single public IP address (many-to-one) by using source ports. Its distinctive feature is port translation, which is why it is also called Port Address Translation (PAT). With PAT, a single public IP can serve thousands of users connecting to the Internet; its core idea is to use port numbers to multiplex the public address between private hosts.

Faced with a large number of hosts on the private network, simply replacing IP addresses runs into a problem: when several internal hosts access the same server, the returned packets carry nothing that says which internal host a response belongs to. The NAT device must therefore distinguish sessions using transport-layer (or higher-layer) information such as TCP or UDP port numbers, and may have to translate that information as well. The gateway maps connections from different internal hosts to different transport-layer ports of the same public IP, multiplexing the public address on the way out and demultiplexing on the way back. This mode is also called PAT, NAPT or IP masquerading, but is usually just called NAT, because it is the most typical application of the technique.

For example, suppose the client 172.18.250.6 communicates with the Baidu server 202.108.22.5. When 172.18.250.6 sends data, the gateway first translates the source to 219.155.6.240:1723 (a port chosen from the range above 1024) and forwards the data to the Baidu server under that identity. The server sends its response to 219.155.6.240:1723; the NAT gateway looks up its association table, recognizes that this belongs to the private-network host 172.18.250.6, and forwards the data to the client.

In other words, this step uses the uniqueness of port numbers to map one public IP onto many private IPs. Since PAT identifies hosts by transport-layer port, in theory up to about 65,000 hosts can share one public IP address (more precisely, about 64k concurrent sessions per transport protocol, since each active session consumes one port on the public address).
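The translation process described above, as an added illustration that is not part of the original post: a toy NAPT gateway keeps the association table in both directions, allocates a public port on the first outbound packet from a private endpoint, demultiplexes replies on the destination port, and drops public-side packets that match no binding. It reuses the page's example addresses (172.18.250.6 behind 219.155.6.240 talking to 202.108.22.5); every packet is constructed, and the mapping is keyed only on the private endpoint, which is a simplification (real gateways may also key on the remote endpoint).

```python
"""Toy NAPT (PAT, NAT overload) gateway with a two-way association table.

Added illustration, not code from the original post. Addresses reuse the
page's example; all packets are constructed. Mapping is endpoint-independent
(keyed only on the private endpoint), a simplification of real gateways.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NAPTGateway:
    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.last_port = last_port
        self.next_port = first_port
        # association table, both directions:
        #   out_table: (proto, private ip, private port) -> public port
        #   in_table:  (proto, public port)              -> (private ip, private port)
        self.out_table = {}
        self.in_table = {}

    def outbound(self, pkt):
        """Private -> public: rewrite the source to public_ip:port, creating a binding on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out_table:
            if self.next_port > self.last_port:
                # one public IP has ~64k ports per transport protocol: this is the
                # concurrent-session ceiling behind the "about 65,000 hosts" figure
                raise RuntimeError("public port pool exhausted")
            pub_port = self.next_port
            self.next_port += 1
            self.out_table[key] = pub_port
            self.in_table[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_table[key])

    def inbound(self, pkt):
        """Public -> private: demultiplex on the destination port; no binding means drop."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.in_table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # unsolicited traffic from the public side: nothing to map it to
        priv_ip, priv_port = entry
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo():
    """Two private hosts using the same source port share one public IP."""
    gw = NAPTGateway("219.155.6.240", first_port=1723)
    server = ("202.108.22.5", 80)
    a = gw.outbound(Packet("tcp", "172.18.250.6", 1723, *server))
    b = gw.outbound(Packet("tcp", "172.18.250.7", 1723, *server))  # same source port, other host
    reply_to_b = gw.inbound(Packet("tcp", *server, "219.155.6.240", b.src_port))
    stray = gw.inbound(Packet("tcp", "198.51.100.9", 4444, "219.155.6.240", 9999))
    return a, b, reply_to_b, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The second host gets public port 1724 even though both hosts used source port 1723, and the reply to 1724 is delivered to 172.18.250.7:1723; the stray packet to port 9999 returns None, which is the "public side cannot initiate" property from the characteristics list.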

Advantages and disadvantages of NAT

Advantages

It conserves legitimate public IP addresses.
It offers a solution when address ranges overlap.
It avoids re-addressing when the network changes. (I have experienced this personally: when our internship office relocated, the network environment changed in several ways, but thanks to NAT our LAN addresses did not, and we kept the original addressing scheme.)

NAT's greatest contribution is that it saves an enormous number of IP addresses.

Disadvantages

Before describing the many shortcomings of NAT, a brief word on what end-to-end IP communication means. A vital contribution of the IP protocol is equality: in theory, every host with an IP address has, at the protocol level, the same ability to access services and to provide them; no IP address differs from another. Server and client are distinguished only at the application-protocol layer; at the network and transport layers there is no difference. A host with an IP address can be a client, a server, or, in most cases, both. This peer-to-peer property looks ordinary but is far from trivial: many earlier network architectures fixed the capabilities of a terminal in the protocol itself. It is this openness of IP that lets the TCP/IP suite offer such a wealth of functions and provides a broad platform for applications. Because any IP host can act as a server, communication can be designed very flexibly; UNIX/Linux systems exploit this so that any host can run its own HTTP, SMTP, POP3, DNS, DHCP and other services. Many applications combine the client and server roles. In VoIP, for example, when the user registers their IP address and port with the registration server, the host is a client; when a call arrives, the call processing server sends the call request to the client, which is then effectively working in server mode. Once the voice media channel is established, voice data flows both ways, with the sender in client mode and the receiver in server mode. In P2P applications a host downloading data is a client while also serving data to other clients, a hybrid C/S model. Applications can be designed this way because the IP stack gives every host the ability to play either role.

Imagine what happens if IP provides unequal capabilities, so that each session can only be initiated in one direction: communication becomes severely limited. Careful readers will have noticed that exactly such a limit appeared among the NAT characteristics above. Yes, the biggest drawback of NAT is just this: it breaks the end-to-end capability of IP communication.

NAT drawbacks

First, NAT shortens the lifetime of IP sessions. After a session is established the NAT device creates an entry in its association table, and if the session stays silent for some time the gateway ages the entry out. The gateway has to do this: IP addresses and ports are finite while demand for communication is unbounded, so resources must be reclaimed when sessions end. TCP sessions are usually closed by an explicit negotiated teardown that the gateway can track, but there are always exceptions, so it still relies on its own timers. For UDP-based protocols it is hard to know when communication ends, so the gateway depends entirely on an idle timeout to reclaim the external port. The timer introduces a problem: if an application needs to keep a connection alive longer than the gateway's timeout, communication is interrupted unexpectedly. Once the gateway has reclaimed the table entry, newly arriving data finds no translation and a new binding must be created. If the new data comes from the public side, it cannot trigger a new binding and the private host cannot be told to rebuild the connection, so the session is broken and cannot recover on its own. Even if the new data comes from the private side, the rebuilt session usually gets a different public IP and port, so the public peer cannot associate it with the earlier one, and the user sees the connection drop. Choosing an idle timeout that reclaims idle bindings before resources leak, yet does not unexpectedly interrupt most connections, is genuinely difficult.

In the NAT era, many protocol designers have accounted for this by adding a keep-alive mechanism: when there is no data to send, the endpoint periodically sends a keep-alive message that carries no real data, purely so that the NAT sees traffic and resets its session timer.
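The aging and keep-alive behaviour described above, as an added illustration that is not part of the original post. The binding table below ages entries on an idle timer (UDP) and also frees them when it sees a TCP teardown; the UDP flow is then replayed with no keep-alive, with a keep-alive shorter than the timeout, and with one longer than the timeout. The timeouts (30 s for UDP, 300 s for TCP), the clock values and the flows are all assumed.

```python
"""Idle-timeout aging of NAT bindings, with and without keep-alives.

Added illustration, not from the original post. Timeouts, times and flows
are constructed: 30 s UDP idle timeout, 300 s TCP idle timeout, and a public
peer that tries to send to the private host 45 s after the last data packet.
"""


class BindingTable:
    def __init__(self, udp_idle=30, tcp_idle=300):
        self.idle = {"udp": udp_idle, "tcp": tcp_idle}
        self.bindings = {}  # (proto, public port) -> {"last_seen": t, "closing": bool}

    def reap(self, now):
        """Drop bindings whose idle timer expired or whose TCP session was torn down
        (real gateways usually keep a short grace period after the teardown)."""
        for key, b in list(self.bindings.items()):
            if b["closing"] or now - b["last_seen"] > self.idle[key[0]]:
                del self.bindings[key]

    def observe(self, proto, pub_port, now, tcp_close=False):
        """Any packet on a binding resets its idle timer; returns True if the packet
        had to create a fresh binding (on a real gateway: possibly a new public port)."""
        self.reap(now)
        key = (proto, pub_port)
        created = key not in self.bindings
        b = self.bindings.setdefault(key, {"last_seen": now, "closing": False})
        b["last_seen"] = now
        b["closing"] = b["closing"] or tcp_close
        return created

    def inbound_ok(self, proto, pub_port, now):
        """Would a packet from the public side at time `now` still find its binding?"""
        self.reap(now)
        return (proto, pub_port) in self.bindings


def udp_flow(keepalive_every=None, last_data_at=0, peer_sends_at=45):
    """A UDP session that goes silent after `last_data_at`; the private client may send
    keep-alives. Returns (peer's packet delivered?, keep-alives that re-created the binding)."""
    table = BindingTable()
    table.observe("udp", 1723, now=last_data_at)
    rebinds = 0
    if keepalive_every:
        t = last_data_at + keepalive_every
        while t < peer_sends_at:
            # empty keep-alive datagram: exists only to reset the gateway's timer
            rebinds += table.observe("udp", 1723, now=t)
            t += keepalive_every
    return table.inbound_ok("udp", 1723, now=peer_sends_at), rebinds


def tcp_flow_after_fin():
    """The gateway tracks TCP teardown and frees the port without waiting for the idle timer."""
    table = BindingTable()
    table.observe("tcp", 1724, now=0)
    table.observe("tcp", 1724, now=5, tcp_close=True)
    return table.inbound_ok("tcp", 1724, now=6)


if __name__ == "__main__":
    print("no keep-alive, peer sends at 45 s:", udp_flow())
    print("keep-alive every 20 s:", udp_flow(keepalive_every=20))
    print("keep-alive every 35 s (too slow):", udp_flow(keepalive_every=35))
    print("TCP after FIN:", tcp_flow_after_fin())
```

With no keep-alive the binding is gone by 45 s and the peer's packet is dropped; a 20 s keep-alive keeps it alive; a 35 s keep-alive arrives after the entry was already reaped, so it creates a fresh binding, which is exactly the "rebuilt with a different public port" failure the text describes.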

Secondly, because NAT multiplexes one IP across many internal hosts, any tracking mechanism that relies on host IP becomes ineffective. Traffic analysis for web applications, for instance, can no longer trace the behaviour of a specific end user or relate traffic to the management of the network. Log analysis based on user behaviour becomes difficult because the IP is shared by many users; if some behaviour is malicious, it is hard to locate the host that initiated the connection. Even where the NAT gateway provides a way to track connections, keeping that mapping over time is also hard. IP-based authorization is no longer reliable, since one IP no longer equals one user or host. A server cannot simply treat accesses from the same IP as coming from the same host, nor correlate them. Some servers limit connections, accepting only a limited number (sometimes only one) from a single IP at a time, which makes users behind the same NAT contend and queue for service. Some servers, as protection against DoS attacks, treat a large number of connection requests from one source as an attack, because no single user would normally consume so many resources; behind a NAT that judgement cannot be made simply from the number of connections.

In short, the disadvantages are roughly:

End-to-end IP addresses cannot be tracked (the equality of end-to-end communication is destroyed).
Many application-layer protocols (such as FTP) cannot be recognized.

NAT traversal techniques

Given the shortcomings above, network protocol designers have created a variety of tools to solve the problems that end-to-end IP applications run into in a NAT environment. Unfortunately none of them is perfect, and each requires extra processing on the internal host, in the application, or on the NAT gateway.

Application layer gateway (ALG)

As described above, NAT translates the IP address and the port in the UDP or TCP header, but is powerless over the application data in the payload (it does not modify payload contents). Many application-layer protocols, for example multimedia protocols such as H.323 and SIP, FTP, and SQLNET, carry addresses or ports inside the TCP/UDP payload. NAT cannot translate these, which causes problems. In other words, NAT translates the IP address and port in the packet header but not the IP address and port embedded in the packet data, so an effective method is needed to make sure that the address and port in the header and the address and port in the payload are both translated to the public address and port consistently. That method is the ALG.

ALG in practice

The implementation mechanism of ALG is still not entirely clear to me; readers who understand it well may want to consult the books in the references. The following FTP example briefly illustrates ALG in practice.

A host on the private network (see figure) accesses an FTP server on the public network. The NAT device is configured to map the private address 192.168.1.2 to the public address 8.8.8.11 so that the private host can reach the public network. In this setup, if the PORT command is not handled by an ALG, the payload of the host's packet reaches the server carrying a private address that the server cannot route to, and the data connection cannot be established. The communication proceeds in four stages:

(1) The private host and the public FTP server establish a control connection with a TCP three-way handshake.

(2) Once the control connection is up, the host sends a PORT command. The address and port carried in it are the ones the private host specifies for the data connection, i.e. the address and port the server should connect to.

(3) On a NAT device with the FTP ALG enabled, the private address and port in the PORT payload are translated to the corresponding public address and port: the private address 192.168.1.2 in the PORT command becomes the public address 8.8.8.11, and port 1084 becomes 12487.

(4) The public FTP server receives the PORT command, parses it, and initiates the data connection toward the private host with destination address 8.8.8.11 and destination port 12487. (Note: the source port is normally 20, but since the FTP protocol is not strict about this, some servers use a random source port above 1024 for the data connection; the wftpd server in this example used source port 3004.) Because the destination is a public address, the data connection can be established, and the private host successfully accesses the public server.
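Stages (2) to (4) above, as an added illustration that is neither the original post's code nor any vendor's ALG: the ALG parses an outbound PORT line, rewrites the private address and port to the public ones, and pre-installs the reverse binding so that the server's inbound data connection to 8.8.8.11:12487 is delivered to 192.168.1.2:1084 instead of being dropped as unsolicited. The control-channel lines are constructed, the public data port 12487 is taken from the page's example, and sequence-number compensation for the changed payload length (which a real ALG must perform) is only reported as a delta.

```python
"""FTP ALG for the active-mode PORT command.

Added illustration, not the original post's code nor a vendor implementation.
Uses the page's example (private 192.168.1.2:1084 -> public 8.8.8.11:12487);
control-channel lines are constructed. A real ALG must also adjust TCP
sequence/acknowledgement numbers when the rewritten line changes length;
here that is only reported as a length delta.
"""
import re

PORT_CMD = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line):
    """b'PORT h1,h2,h3,h4,p1,p2\\r\\n' -> ('h1.h2.h3.h4', p1*256 + p2); None if not a valid PORT line."""
    m = PORT_CMD.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # malformed: every field must be a single octet
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port(ip, port):
    """Inverse of parse_port: encode an address/port as a PORT command line."""
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n".encode()


class FtpAlg:
    def __init__(self, private_ip, public_ip, first_data_port=12487):
        self.private_ip, self.public_ip = private_ip, public_ip
        self.next_port = first_data_port
        self.data_bindings = {}  # (public ip, public port) -> (private ip, private port)

    def rewrite_outbound(self, payload):
        """Rewrite a PORT line sent by the private host; returns (new_payload, length_delta).
        Non-PORT lines, and PORT lines naming some other address, pass through unchanged."""
        parsed = parse_port(payload)
        if parsed is None or parsed[0] != self.private_ip:
            return payload, 0
        priv_port = parsed[1]
        pub_port = self.next_port
        self.next_port += 1
        # pre-open the reverse binding: the server's connection to this public port is
        # expected, not "unsolicited", so the gateway will forward it inward
        self.data_bindings[(self.public_ip, pub_port)] = (self.private_ip, priv_port)
        new_payload = build_port(self.public_ip, pub_port)
        return new_payload, len(new_payload) - len(payload)

    def map_inbound_data(self, dst_ip, dst_port):
        """Destination of the server-initiated data connection -> private endpoint, or None to drop."""
        return self.data_bindings.get((dst_ip, dst_port))


def demo():
    """Replay the page's scenario on the constructed control channel."""
    alg = FtpAlg("192.168.1.2", "8.8.8.11")
    rewritten, delta = alg.rewrite_outbound(b"PORT 192,168,1,2,4,60\r\n")
    target = alg.map_inbound_data("8.8.8.11", 12487)  # server (e.g. from port 3004) connects here
    return rewritten, delta, target


if __name__ == "__main__":
    print(demo())
```

The rewritten line is one byte shorter than the original, which is why the delta matters: every later segment on that control connection would otherwise carry sequence numbers the server disagrees with.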

The future of NAT

A view often seen on Zhihu is that with the arrival of IPv6, NAT will no longer be needed. In my opinion, revolutionary technology has to be adopted step by step: IPv6 is first used locally, then gradually expanded while IPv4 shrinks, so NAT will still be needed for some time. During that period the online world will be full of both IPv4 and IPv6 addresses, and that again calls for NAT, since NAT is, after all, network address translation. So this knowledge is critical to understanding networks. It always strikes me that what I learned at school was only superficial, yet it is the foundation of everything I know now.

References

CCNA Study Guide (book)
ALG principle and application
P2P technology explained
---------------------
Disclaimer: this article is an original post by the CSDN blogger gui951753, published under the CC 4.0 BY-SA license; when reproducing it, include the original source link and this statement.
Original link: https://blog.csdn.net/gui951753/article/details/79593307

Origin: www.cnblogs.com/Dennis-HM/p/11316937.html