第十章穿越NAT的技術ppt課件

1、TCP穿越NAT的技術的比較NAT DefinitionvNAT is Network Address Translation(網(wǎng)絡地址轉換器)v一種讓多臺計算機共享一個互聯(lián)網(wǎng)地址的技術，得到內部地址的計算機只可以經過NAT，才可以與公網(wǎng)通訊。NAT運用端口轉換技術port translation來確定哪個內部計算機應該得到來自公網(wǎng)的前往信息。NAT的四種類型v1. Full Conev2. Restricted Conev3. Port Restricted Conev4. Symmetric1. Full ConevNAT會將內外主機地址X:y轉換成公網(wǎng)地址A:b并綁定；任何外網(wǎng)主機都可以

2、經過地址A:b送到內網(wǎng)主機的X:y地址上。vNAT不限制外網(wǎng)的IP和端口2. Restricted ConevNAT會將內網(wǎng)主機地址X:y轉換成公網(wǎng)地址A:b并綁定；只需來自主機P的數(shù)據(jù)包才干和X:y進展通訊。v其中P是內網(wǎng)主機自動聯(lián)絡過的。vNAT檢查外網(wǎng)的源IP3. Port Restricted ConevNAT會將客戶機地址X:y轉換成公網(wǎng)地址A:b并綁定；只需來自主機P：q的數(shù)據(jù)包才干和X:y進展通訊。v其中主機運用P：q是內網(wǎng)主機自動發(fā)起聯(lián)絡的；vNAT檢查外網(wǎng)到達的IP和PortvNAT的映射點(A:b)對不同的Session能夠一樣4. Symmetricv只需來自一樣內部IP

3、地址和端口號，并且發(fā)送同一個目的地址和端口的懇求音訊才干被映射為一樣的外部地址和端口號。同時，一個NAT以外的外部節(jié)點可以向NAT之后的節(jié)點發(fā)送數(shù)據(jù)包，當且僅當在這之前該外部節(jié)點曾接納過該內部節(jié)點發(fā)送給他的UDP數(shù)據(jù)包。NAT problemsvNAT外面的用戶不可以自動建立與NAT內部用戶的銜接v當兩個用戶都位于NAT后面,不可以建立銜接v尤其是對P2P網(wǎng)絡運用、游戲、網(wǎng)絡等運用SolutionsvNAT Transversal Techniques(NAT穿越技術)vNat gateway optimized and plugged techniques:v1.Universal Plug

4、 and Play(UPnP)v2.Application Level GatewayvEmploy relay serverv3.STUNv4.TCP/UDP hole punching1. UPnP NAT TraversalvUPnP: Universal Plug and PlayvWindows Internet Sharing (ICS) in Windows XPvBased on TCP/IP2. Application Level GatewayvDNS Application Level Gateway (DNS_ALG) helps translate Name-to-P

5、rivate-Address mapping in DNS payloads into Name- to-external-address mapping and vice versa using state information available on NAT v位于NAT或防火墻v要求改動NAT、防火墻的配置，限制其推行SolutionsvNAT Transversal Techniques(NAT穿越技術)vNat gateway optimized and plugged techniques:v1.Universal Plug and Play(UPnP)v2.Applicati

6、on Level GatewayvEmploy relay serverv3.STUNv4.TCP/UDP hole punching預備知識：NAT Relaying1.用戶與中繼效力器建立聯(lián)絡2.中繼效力器轉發(fā)音訊問題:1.效力器耗費的時間、計算量大2.通訊時延大3.網(wǎng)絡帶寬資源的耗費.3. STUNRFC 3489 UDP穿越NAT的技術STUN Client C(CIP:CPort)STUN Server S(SIP:SPort)NAT(NIP:NPort)STUN Request (UDP)( C I P : C P o r t ) -(SIP:SPort)STUN Request

7、(UDP)(NIP:NPort)-(SIP:SPort)3. STUN RFC 3489 UDP穿越NAT的技術STUN Client C(CIP:CPort)STUN Server S(SIP:SPort)STUN Response(SIP:SPort)-(NIP:NPort)將將(NIP:NPort)反響給用戶反響給用戶NAT(NIP:NPort)N AT 將將 ( C I P : C P o r t ) 映 射 成映 射 成 (NIP:NPort)3. STUN 發(fā)現(xiàn)NAT類型的方法STUN Client C(CIP:CPort)第一次應對第一次應對NIP：NPortSTUN Serve

8、r S(SIP:SPort)STUN Request(UDP)( C I P : C P o r t ) -(UIP:UPort)STUN Request (UDP)( N I P 2 : N P o r t 2 ) -(UIP:UPort)STUN Server U(UIP:UPort)STUN Response( U I P : U P o r t ) -(NIP2:NPort2)比較兩次應對的結果(NIP : NPort) NIP2 : NPort2：symmetric NAT3. STUN 發(fā)現(xiàn)NAT類型的方法STUN Client C(CIP:CPort)STUN Server S(

9、SIP:SPort)STUN Request(UDP)( C I P : C P o r t ) -(UIP:UPort)STUN Request (UDP)( N I P 1 : N P o r t 2 ) -(UIP:UPort)STUN Server U(UIP:UPort)STUN Response( S I P : S P o r t ) -(NIP2:NPort2)1.倘假設發(fā)送端收到應對：full cone NAT2.沒有收到應對，那么不是full cone NAT4. TCP/UDP hole punchingBran Ford, Massachusetts Institute

10、 of TechnologyPyda Srisuresh, Caymas Systems, Inc.USENIX Annual Technical Conference, April 2005 Connection ReversalClient B(10.0.010)Server S(18.18.1.1)Client A (8.8.8.8)Reverse Connection RequestRelayed Connection RequestReverse Connectionv根本思想：運用一個中繼效力器來建立P2P銜接hole punchingv前提：v隱藏在NAT后面用戶都曾經與中繼效力

11、器建立了UDP銜接v效力器知道用戶的轉換地址/端口，以及用戶在內網(wǎng)的地址/端口，經過比較這兩對數(shù)據(jù)，就可以判別用戶能否是隱藏在NAT后面的用戶。UDP Hole Punching(S,SP)(A,AP)(B,BP)(NA,NAP)(NB,NBP)Session A-S(A,AP)-(S,SP)Session A-S(NA,NAP)-(S,SP)Session B-S(B,BP)-(S,SP)Session B-S(NB,NBP)-(S,SP)UDP Hole Punching(S,SP)(A,AP)(B,BP)(NA,NAP)(NB,NBP)Help me reach BUDP Hole Pu

12、nching(S,SP)(A,AP)(B,BP)(NA,NAP)(NB,NBP)B is at (NB,NBP)A is at (NA,NAP)UDP Hole Punching(S,SP)(A,AP)(B,BP)(NA,NAP)(NB,NBP)vProblem :vUDP traversal doesnt work for Symmetric NatTCP Hole Punching(S,SP)(A,AP)Connect soket for S(B,BP)Connect soket for S(NA,NAP)(NB,NBP)Help me reach BTCP Hole Punching(S

13、,SP)(A,AP)Connect soket for S(B,BP)Connect soket for S(NA,NAP)(NB,NBP)B is at (NB,NBP)A is at (NA,NAP)TCP Hole Punching(S,SP)(A,AP)Connect soket for SConnect soket for B(B,BP)Connect soket for SConnect soket for ASYNSYNTCP Hole Punching(S,SP)(A,AP)Connect soket for SConnect soket for B(B,BP)Connect

14、soket for SConnect soket for AACKACKTCP Hole Punching(S,SP)ProblemvInconsistent endpoint translationvSame as for UDP(NAT沒有一致的規(guī)范,因此,任何穿越NAT的技術都有失效的情況)vNAT could reject “unsolicited incoming SYNsvwith RSTs or ICMP errs instead of just droppingv Connection failures, retry oscillationvBuggy TCP state ma

15、chine in host OSvWindows before XP SP2TCP/UDP hole punchingv協(xié)助建立P2P銜接v優(yōu)點：v不需求知道網(wǎng)絡拓撲、NAT的位置v不需求改動NAT配置v缺陷：v在symmetric NAT中無效v82%的NAT支持UDP hole punchingv64%的NAT支持TCP hole punchingStuntNUTSS: A SIPbased Approach to UDP and TCP Network ConnectivitySaikat Guha,Cornell UniversityvProxy : pass messages bet

16、ween hosts A and B to coordinate the establishment of TCP.vSTUNT Server must be placed in the public internet and must be able to spoof IP source addresses.vsolid lines : actual TCP packets vdashed lines : messages sent between hosts and their STUNT Servers, or between themselves via Proxies.referen

17、cevBIGGADIKE, A., FERULLO, D., WILSON, G., AND PERRIG, A. NATBLASTER: Establishing TCP connections between hosts behind NATs. In Proceedings of ACM SIGCOMM ASIA Workshop (Beijing, China, Apr. 2005).vEPPINGER, J. L. TCP Connections for P2P Apps: A Software Approach to Solving the NAT Problem. Tech. R

18、ep. CMU-ISRI-05-104, Carnegie Mellon University, Pittsburgh, PA, Jan. 2005.vFORD, B., SRISURESH, P., AND KEGEL, D. Peer-to-peer communication across network address translators. In Proceedings of the 2005 USENIX Annual Technical Conference (Anaheim, CA, Apr. 2005).vGUHA, S., TAKEDA, Y., AND FRANCIS, P. NUTSS: A SIP-based Approach to UDP and TCP Network Connectivity. In Proceedings of SIGCOMM04 Workshops (Portland, OR, Aug. 2004), pp. 4348.3. STUN 的用途1th UDP 測試測試無應對無應對制止制止UDP有應對有應對映射地址與源地址一樣映射