NAT

Last updated: 2017-01-20

 

Introduction

 

 


NAT Type

Full Cone                  # once the NAT mapping exists, neither sport nor src is checked; any host may connect
Address Restricted Cone    # once the NAT mapping exists, only src is checked
Port Restricted Cone       # both sport and src are checked
Symmetric NAT              # Each request from the same internal IP address and port to
                           # a specific destination IP address and port is mapped to
                           # a unique external source IP address and port.

Firewall / NAT traversal techniques

UPnP (Universal Plug and Play)
STUN (Simple Traversal of UDP Through Network Address Translators) - RFC 3489
TURN (Traversal Using Relay NAT)
ALG (Application Layer Gateway)
ICE (Interactive Connectivity Establishment)

 


TURN

 

* Client-Server

Sufficient to traverse a symmetric NAT firewall

UA -- TURN allocate --> TURN Server

 


STUN

 

* STUN enables a device to find out its public IP address and the type of NAT service it is sitting behind.

STUN may use DNS SRV records to find STUN servers attached to a domain. (_stun._udp or _stun._tcp)

Linux server - myStun

Public STUN servers

 


Hole punching

 

To punch a hole, each client connects to an unrestricted third-party server that temporarily stores external and internal address and port information for each client.

The server then relays each client's information to the other, and using that information each client tries to establish a direct connection.
Depending on network conditions, one or both clients might receive a connection request.

Successful exchange of an authentication nonce between both clients indicates the completion of a hole punching procedure.

Requirements

Reliable hole punching requires consistent endpoint translation, and for multiple levels of NATs, hairpin translation.

Consistent endpoint translation reuses the same public endpoint for a given private endpoint, instead of allocating a new public endpoint for every new connection.

Hairpin translation creates a loopback connection between two of its own private endpoints when it recognizes that the destination endpoint is itself.

This functionality is necessary for hole punching only when used within a multiple-layered NAT.

UDP hole punching

UDP hole punching will not work with symmetric NAT devices (also known as bi-directional NAT).

The same technique is sometimes extended to Transmission Control Protocol (TCP) connections, with less success, because TCP connection streams are controlled by the host OS, not the application, and sequence numbers are selected randomly. Any NAT device that performs sequence number checking will therefore not consider the packets to be associated with an existing connection and will drop them.

Full-cone NAT

Any external host can send packets to iAddr:iPort by sending packets to eAddr:ePort.

Restricted-cone NAT

An external host (hAddr:any) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:any. "Any" means the port number doesn't matter.

Port-restricted cone NAT

An external host (hAddr:hPort) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:hPort.

Symmetric NAT

Only an external host that receives a packet from an internal host can send a packet back.
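
The four filtering rules above and the hole punching procedure can be checked against each other with a small simulation. This is an added example, not part of the original notes: the Nat class, the punch function, the addresses and the port numbers are all constructed for illustration. It assumes each peer only ever sends to the endpoint the rendezvous server reported.

```python
# Added example: toy model of the four NAT behaviours, not a real NAT.
SERVER = ("198.51.100.1", 3478)      # constructed rendezvous server address

class Nat:
    def __init__(self, kind, ext_ip):
        self.kind, self.ext_ip = kind, ext_ip
        self.ports = {}    # mapping key -> external port (ePort)
        self.sent = {}     # ePort -> set of (hAddr, hPort) already contacted
        self.owner = {}    # ePort -> internal endpoint (iAddr, iPort)

    def outbound(self, src, dst):
        """Translate a packet src -> dst; return the external source endpoint."""
        # Symmetric NAT allocates one external port per (src, dst) pair;
        # cone NATs reuse the same external port for every destination.
        key = (src, dst) if self.kind == "symmetric" else src
        eport = self.ports.setdefault(key, 40000 + len(self.ports))
        self.sent.setdefault(eport, set()).add(dst)
        self.owner[eport] = src
        return (self.ext_ip, eport)

    def inbound(self, src, eport):
        """Return the internal endpoint if the filter admits src, else None."""
        sent = self.sent.get(eport)
        if sent is None:
            return None                           # no mapping on this port
        if self.kind == "full":
            ok = True                             # any external host
        elif self.kind == "restricted":
            ok = src[0] in {a for a, _ in sent}   # hAddr:any
        else:                                     # port_restricted, symmetric
            ok = src in sent                      # hAddr:hPort
        return self.owner[eport] if ok else None

def punch(kind_a, kind_b):
    """Simulate UDP hole punching; True if both peers receive a packet."""
    a, b = ("10.0.0.2", 5000), ("192.168.1.2", 5000)
    nat_a, nat_b = Nat(kind_a, "203.0.113.10"), Nat(kind_b, "203.0.113.20")
    ea = nat_a.outbound(a, SERVER)    # server learns eAddr:ePort of A
    eb = nat_b.outbound(b, SERVER)    # ... and of B, then relays both
    got_a = got_b = False
    for _ in range(2):                # each peer sends twice
        src = nat_a.outbound(a, eb)   # A -> B's reported endpoint
        got_b |= nat_b.inbound(src, eb[1]) == b
        src = nat_b.outbound(b, ea)   # B -> A's reported endpoint
        got_a |= nat_a.inbound(src, ea[1]) == a
    return got_a and got_b

if __name__ == "__main__":
    for k in ("full", "restricted", "port_restricted", "symmetric"):
        print(k, punch(k, k))
```

With both peers behind the same NAT type, only the symmetric case fails: the port each peer learned from the server is not the port the NAT uses toward the other peer, so the inbound filter never matches.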

TCP hole punching