第十章.穿越NAT的技术.ppt

单击此处编辑母版标题样式,单击此处编辑母版文本样式,第二级,第三级,第四级,第五级,*,TCP,穿越,NAT,的技术的比较,NAT Definition,NAT is Network Address Translation(,网络地址转换器,),一种让多台计算机共享一个互联网地址的技术，得到内部地址的计算机只能够通过,NAT,，才能够与公网通信。,NAT,使用端口转换技术（,port translation,）来确定哪个内部计算机应该得到来自公网的返回信息。,NAT,的四种类型,1.Full Cone,2.Restricted Cone,3.Port Restricted Cone,4.Symmetric,1.Full Cone,NAT,会将内外主机地址（,X:y,）转换成公网地址（,A:b,）并绑定；任何外网主机都可以通过地址（,A:b,）送到内网主机的（,X:y,）地址上。,NAT,不限制外网的,IP,和端口,2.Restricted Cone,NAT,会将内网主机地址（,X:y,）转换成公网地址（,A:b,）并绑定；只有来自主机,P,的数据包才能和（,X:y,）进行通信。,其中,P,是内网主机主动联系过的。,NAT,检查外网的源,IP,3.Port Restricted Cone,NAT,会将客户机地址（,X:y,）转换成公网地址（,A:b,）并绑定；只有来自主机（,P,：,q,）的数据包才能和（,X:y,）进行通信。,其中主机应用（,P,：,q,）是内网主机主动发起联系的；,NAT,检查外网到达的,IP,和,Port,NAT,的映射点,(A:b),对不同的,Session,可能相同,4.Symmetric,只有来自相同内部,IP,地址和端口号，并且发送同一个目的地址和端口的请求消息才能被映射为相同的外部地址和端口号。同时，一个,NAT,以外的外部节点可以向,NAT,之后的节点发送数据包，当且仅当在这之前该外部节点曾接收过该内部节点发送给他的,UDP,数据包。,NAT,problems,NAT,外面的用户不能够主动建立与,NAT,内部用户的连接,当两个用户都位于,NAT,后面,不能够建立连接,尤其是对,P2P,网络应用、游戏、网络电话等应用,Solutions,NAT Transversal Techniques(NAT,穿越技术,),Nat gateway optimized and plugged techniques:,1.,Universal Plug and Play(UPnP),2,.Application Level Gateway,Employ relay server,3,.STUN,4.,TCP/UDP hole punching,1.UPnP NAT Traversal,UPnP:Universal Plug and Play,Windows Internet Sharing(ICS)in Windows XP,Based on TCP/IP,2.Application Level Gateway,DNS Application Level Gateway(DNS_ALG)helps translate Name-to-Private-Address mapping in,DNS,payloads into Name-to-external-address mapping and vice versa using state information available on NAT,位于,NAT,或防火墙,要求改变,NAT,、防火墙的配置，限制其推广,Solutions,NAT Transversal Techniques(NAT,穿越技术,),Nat gateway optimized and plugged techniques:,1.,Universal Plug and Play(UPnP),2,.Application Level Gateway,Employ relay server,3,.STUN,4.,TCP/UDP hole punching,预备知识：,NAT Relaying,1.,用户与中继服务器建立联系,2.,中继服务器转发消息问题,:1.,服务器耗费的时间、计算量大,2.,通信时延大,3.,网络带宽资源的耗费,.,3.STUN,（,RFC 3489,）,UDP,穿越,NAT,的技术,STUN Client C,(C,IP,:C,Port,),STUN Server S,(S,IP,:S,Port,),NAT(N,IP,:N,Port,),STUN Request(UDP),(C,IP,:C,Port,)-(S,IP,:S,Port,),STUN Request(UDP),(N,IP,:N,Port,)-(S,IP,:S,Port,),3.STUN,（,RFC 3489,）,UDP,穿越,NAT,的技术,STUN Client C,(C,IP,:C,Port,),STUN Server S,(S,IP,:S,Port,),STUN Response,(S,IP,:S,Port,)-(N,IP,:N,Port,),将,(N,IP,:N,Port,),反馈给用户,NAT(N,IP,:N,Port,),NAT,将,(C,IP,:C,Port,),映射成,(N,IP,:N,Port,),3.STUN,发现,NAT,类型的方法,STUN Client C,(C,IP,:C,Port,),第一次应答（,N,IP,：,N,Port,）,STUN Server S,(S,IP,:S,Port,),STUN Request(UDP),(C,IP,:C,Port,)-(U,IP,:U,Port,),STUN Request(UDP),(N,IP2,:N,Port2,)-(U,IP,:U,Port,),STUN Server U,(U,IP,:U,Port,),STUN Response,(U,IP,:U,Port,)-(N,IP2,:N,Port2,),比较两次应答的结果,(N,IP,:,N,Port,),（,N,IP2,:,N,Port2,）：,symmetric NAT,3.STUN,发现,NAT,类型的方法,STUN Client C,(C,IP,:C,Port,),STUN Server S,(S,IP,:S,Port,),STUN Request(UDP),(C,IP,:C,Port,)-(U,IP,:U,Port,),STUN Request(UDP),(N,IP1,:N,Port2,)-(U,IP,:U,Port,),STUN Server U,(U,IP,:U,Port,),STUN Response,(S,IP,:S,Port,)-(N,IP2,:N,Port2,),1.,倘若发送端收到应答：,full cone NAT,2.,没有收到应答，则不是,full cone NAT,4.TCP/UDP hole punching,Bran Ford,Massachusetts Institute of Technology,Pyda Srisuresh,Caymas Systems,Inc.,USENIX Annual Technical Conference,April 2005,Connection Reversal,Client B,(10.0.010),Server S,(18.18.1.1),Client A,(8.8.8.8),Reverse Connection,Request,Relayed Connection,Request,Reverse,Connection,基本思想：使用一个中继服务器来建立,P2P,连接,hole punching,前提：,隐藏在,NAT,后面用户都已经与中继服务器建立了,UDP,连接,服务器知道用户的转换地址,/,端口，以及用户在内网的地址,/,端口，通过比较这两对数据，就可以判断用户是否是隐藏在,NAT,后面的用户。,UDP Hole Punching,(S,SP),(A,AP),(B,BP),(NA,NAP),(NB,NBP),Session A-S,(A,AP)-(S,SP),Session A-S,(NA,NAP)-(S,SP),Session B-S,(B,BP)-(S,SP),Session B-S,(NB,NBP)-(S,SP),UDP Hole Punching,(S,SP),(A,AP),(B,BP),(NA,NAP),(NB,NBP),Help me reach B,UDP Hole Punching,(S,SP),(A,AP),(B,BP),(NA,NAP),(NB,NBP),B is at(NB,NBP),A is at(NA,NAP),UDP Hole Punching,(S,SP),(A,AP),(B,BP),(NA,NAP),(NB,NBP),Problem:,UDP traversal doesnt work for Symmetric Nat,TCP Hole Punching,(S,SP),(A,AP),Connect soket for S,(B,BP),Connect soket for S,(NA,NAP),(NB,NBP),Help me reach B,TCP Hole Punching,(S,SP),(A,AP),Connect soket for S,(B,BP),Connect soket for S,(NA,NAP),(NB,NBP),B is at(NB,NBP),A is at(NA,NAP),TCP Hole Punching,(S,SP),(A,AP),Connect soket for S,Connect soket for B,(B,BP),Connect soket for S,Connect soket for A,SYN,SYN,TCP Hole Punching,(S,SP),(A,AP),Connect soket for S,Connect soket for B,(B,BP),Connect soket for S,Connect soket for A,ACK,ACK,TCP Hole Punching,(S,SP),Problem,Inconsistent endpoint translation,Same as for UDP(NAT,没有统一的标准,因此,任何穿越,NAT,的技术都有失效的情况,),NAT could reject“unsolicited”incoming SYNs,with RSTs or ICMP errs instead of just dropping,Connection failures,retry oscillation,Buggy TCP state machine in host OS,Windows before XP SP2,TCP/UDP hole punching,帮助建立,P2P,连接,优点：,不需要知道网络拓扑、,NAT,的位置,不需要改变,NAT,配置,缺点：,在,symmetric NAT,中无效,82%,的,NAT,支持,UDP hole punching,64%,的,NAT,支持,TCP hole punching,Stunt,NUTSS:A SIPbased Approach to UDP and TCP Network Connectivity,Saikat Guha,Cornell University,Proxy:pass messages between hosts A and B to coordinate the establishment of TCP.,STUNT Server must be placed in the public internet and must be able to spoof IP source addresses.,solid lines:actual TCP packets,dashed lines:messages sent between hosts and their STUNT Servers,or between themselves via Proxies.,reference,BIGGADIKE,A.,FERULLO,D.,WILSON,G.,AND PERRIG,A.NATBLASTER:Establishing TCP connections between hosts behind NATs.In,Proceedings of ACM SIGCOMM ASIA Workshop,(Beijing,China,Apr.2005).,EPPINGER,J.L.TCP Connections for P2P Apps:A Software Approach to Solving the NAT Problem.Tech.Rep.CMU-ISRI-05-104,Carnegie Mellon University,Pittsburgh,PA,Jan.2005.,FORD,B.,SRISURESH,P.,AND KEGEL,D.Peer-to-peer communication across network address translators.In,Proceedings of the 2005 USENIX Annual Technical Conference,(Anaheim,CA,Apr.2005).,GUHA,S.,TAKEDA,Y.,AND FRANCIS,P.NUTSS:A SIP-based Approach to UDP and TCP Network Connectivity.In,Proceedings of SIGCOMM04 Workshops,(Portland,OR,Aug.2004),pp.4348.,3.STUN,的用途,1th UDP,测试,无应答,禁止,UDP,有应答,映射地址与源地址相同,映射地址与源地址不相同,2th UDP,测试,2th UDP,测试,Binding Request with change IP&change port flags,无应答,有应答,In Internet,无应答,1th UDP,测试,有应答,Full Cone,应答,IP,不相同,Symmetric NAT,应答,IP,相同,3thUDP,测试,Binding Request with only the change port flag,无应答,Port Restricted,有应答,Restricted,Cone,