What is NAT

Network address translation (NAT) replaces the IP addresses in the header of an IP packet. Because IPv4 addresses are limited, it is impossible to assign a public IP address to every internet-connected device, and NAT solves this problem. When surfing the Internet, we are most likely behind a NAT device. As an IP packet passes through, the NAT device rewrites the source or destination IP address, and sometimes the TCP/UDP port number as well, so that multiple devices can share the same external IP address to communicate on the Internet.

As shown above, all three devices share the public IP address 120.131.92.21. TCP/UDP requests sent from each device's own port are mapped to different ports on the NAT device and recorded in the NAT table, which is how the NAT device tells which port on which device a request came from.

Characteristics of NAT

1. The network is divided into a private part and a public part, with the NAT gateway sitting at the routing exit from the private network to the public network.
2. Connections can only be initiated from the private network side; hosts on the public network cannot actively reach hosts on the private network (this is by design, but holes can be punched).
3. The NAT gateway performs one address translation in each direction: on the way out it replaces the source address, on the way in it replaces the destination address.
4. The NAT gateway is transparent to both communicating parties.
5. To implement bidirectional translation, the NAT gateway must maintain an association table that stores session information.

Side effects of NAT

1. Expiry of NAT table entries

If a NAT table entry sees no traffic for a period of time, the carrier's NAT device removes it. After that, if an external host tries to reach the Intranet device through the previously recorded external IP address, the communication fails.

2. The NAT wall

When a request from the outside bound for the Intranet reaches the NAT device, it is discarded unless it matches the NAT device's rules and an existing NAT table entry. In this case, to let clients with fixed IP addresses communicate, additional hole-punching work is required (and heartbeat packets are needed to refresh the NAT table entry's reset timer).

3. Breaking the end-to-end communication model

NAT multiplexes the connections of many internal hosts onto a single IP address, so a host can no longer be traced by its IP address, and a server cannot simply tie a session to the same IP address. Sometimes, if a NAT device has several public IP addresses, a group of related sessions may even be assigned to different public addresses. In short, NAT hides the other end of the communication.

NAT types

1. Full Cone NAT

Devices of this type are few. Once an internal host's port has been mapped on the NAT gateway, any host on the external network can reach the internal host through the mapped port.

2. Restricted Cone NAT

Compared with full cone NAT, after the port mapping is created the source IP address is restricted: only an external IP address that the Intranet host has already sent packets to can connect to the mapped port.

3. Port Restricted Cone NAT

On top of the restricted cone NAT limitation, the port is restricted too: an external IP address and port can reach the mapping only after the Intranet host has sent packets to that exact IP address and port.

4. Symmetric NAT

Here the mapping depends on the destination: when the same Intranet host accesses different external IP addresses and ports, a different port number is mapped in the NAT table for each one.
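The four behaviours above as an added toy model (constructed for this page, not code from any real NAT implementation): each mode decides whether an inbound packet to a mapped port is forwarded or dropped, and symmetric NAT allocates a separate public port per destination. The public IP 120.131.92.21 is taken from the figure above; the port numbers are arbitrary.

```python
from enum import Enum

class NatType(Enum):
    FULL_CONE = 1
    RESTRICTED_CONE = 2
    PORT_RESTRICTED_CONE = 3
    SYMMETRIC = 4

class NatGateway:
    """Constructed toy model of the four NAT behaviours; not a real NAT implementation."""

    def __init__(self, nat_type, public_ip="120.131.92.21", first_port=40000):
        self.nat_type = nat_type
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings = {}   # mapping key -> public port (the association table)
        self.entries = {}    # public port -> {"internal": (ip, port), "dsts": set of (ip, port)}

    def _key(self, int_ip, int_port, dst_ip, dst_port):
        # Cone NATs reuse one public port per internal endpoint; symmetric NAT allocates
        # a fresh port for every (internal endpoint, destination) pair.
        if self.nat_type is NatType.SYMMETRIC:
            return (int_ip, int_port, dst_ip, dst_port)
        return (int_ip, int_port)

    def outbound(self, int_ip, int_port, dst_ip, dst_port):
        """Internal host sends a packet; returns the public (ip, port) written into the header."""
        key = self._key(int_ip, int_port, dst_ip, dst_port)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.entries[self.next_port] = {"internal": (int_ip, int_port), "dsts": set()}
            self.next_port += 1
        pub_port = self.mappings[key]
        self.entries[pub_port]["dsts"].add((dst_ip, dst_port))   # remember who we talked to
        return self.public_ip, pub_port

    def inbound(self, src_ip, src_port, pub_port):
        """External packet arrives at pub_port; returns the internal (ip, port) or None if dropped."""
        entry = self.entries.get(pub_port)
        if entry is None:
            return None          # no mapping at all: the NAT wall drops it
        dsts = entry["dsts"]
        if self.nat_type is NatType.FULL_CONE:
            allowed = True                                   # anyone may use the mapping
        elif self.nat_type is NatType.RESTRICTED_CONE:
            allowed = any(ip == src_ip for ip, _ in dsts)    # only IPs we have sent to
        else:
            allowed = (src_ip, src_port) in dsts             # exact ip:port we have sent to
        return entry["internal"] if allowed else None
```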

Note:

In fact, the introduction of these terms is the source of much confusion. Many NAT devices in the real world work with a mix of these translation modes rather than just one, so these terms properly describe a mode of operation, not a device. For example, many NAT devices use symmetric NAT for internal connections while also supporting static port mapping, which can be considered full cone NAT. In some cases, one public address and port of the NAT device is mapped to several internal servers to implement load balancing. For example, a site that exposes web servers externally may have hundreds of servers providing HTTP service, but only one or a few IP addresses are visible from outside.

NAT traversal

Application Level Gateway (ALG)

Ordinary NAT translates IP addresses and ports in UDP or TCP packet headers, but cannot translate fields inside the application-layer payload. Many application-layer protocols, such as multimedia protocols (H.323, SIP, etc.), FTP and SQLNET, carry address or port information in the TCP/UDP payload, and if NAT does not translate that too, these protocols break. Application Level Gateway (NAT ALG) technology parses the application-layer messages of such multi-channel protocols and translates the IP addresses and ports in the payload that need address translation, as well as any fields that need special handling, so that communication at the application layer works correctly.

For example, an FTP session consists of a control connection and a data connection, and the data connection is established dynamically using information carried in a payload field of the control connection. An ALG is therefore needed to translate that payload field so the subsequent data connection can be established correctly.

In the figure, a private network host accesses an FTP server on the public network. A mapping from private IP address 192.168.1.2 to public IP address 8.8.8.11 is configured on the NAT device so that the private host can reach the public network. In this setup, if the ALG does not process the packet payload, the server cannot reach the private address carried in the PORT command sent by the private host, and therefore cannot establish a correct data connection. The whole communication process has the following four stages:

(1) A control connection is successfully established between the private network host and the FTP server on the public network through TCP three-way handshake.

(2) After the control connection is established, the private network host sends a PORT packet to the FTP server. The packet contains the destination IP address and PORT specified by the private network host and notifies the server to use this IP address and PORT for data connection.

(3) When the PORT packet passes through a NAT device that supports the ALG feature, the private IP address and port in the packet payload are translated into the corresponding public IP address and port. That is, the device translates the private IP address 192.168.1.2 in the payload of the received PORT packet into the public IP address 8.8.8.11, and port 1084 into 12487.

(4) After receiving the PORT packet, the FTP server on the public network parses its content and initiates a data connection to the private network host. The destination IP address of the data connection is 8.8.8.11 and the destination port is 12487. (Note: Generally, the source port of this packet is 20. However, because the FTP protocol is not strictly regulated, the source port used by some servers is a random port larger than 1024. In this example, the WFTPD server uses port 3004.) Since the destination IP address is a public IP address, the subsequent data connection can be established, enabling the private network host to access the public network server.

In summary, the protocols configured as supported in the ALG enable reverse access.
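An added example of the payload rewrite in stages (2) and (3), not code from the original article or from any vendor's ALG: it decodes the FTP PORT command, rewrites 192.168.1.2:1084 to 8.8.8.11:12487, records the reverse mapping used when the server's data connection arrives, and reports the payload length change that a real ALG must compensate for in the TCP sequence numbers of the control connection.

```python
import re

# FTP PORT command: "PORT h1,h2,h3,h4,p1,p2\r\n" where port = p1*256 + p2 (RFC 959).
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")

def parse_port_command(line):
    """Decode a PORT command into (ip, port); returns None for any other control line."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    if any(x > 255 for x in h):
        return None
    return f"{h[0]}.{h[1]}.{h[2]}.{h[3]}", h[4] * 256 + h[5]

def format_port_command(ip, port):
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"

class FtpAlg:
    """Constructed ALG model: rewrites PORT payloads and records the reverse mapping."""

    def __init__(self, private_ip, public_ip, first_public_port=12487):
        self.private_ip = private_ip
        self.public_ip = public_ip
        self.next_port = first_public_port
        self.table = {}            # public data port -> (private ip, private port)

    def translate_control(self, line):
        """Return (rewritten line, payload length delta). Non-PORT lines pass through."""
        parsed = parse_port_command(line)
        if parsed is None or parsed[0] != self.private_ip:
            return line, 0
        priv_ip, priv_port = parsed
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (priv_ip, priv_port)
        new_line = format_port_command(self.public_ip, pub_port)
        # The rewritten payload usually changes length, so a real ALG must also adjust
        # the TCP sequence/acknowledgement numbers on the control connection by this delta.
        return new_line, len(new_line) - len(line)

    def inbound_data(self, dst_port):
        """Server opens the data connection to public_ip:dst_port; map it to the private host."""
        return self.table.get(dst_port)
```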

Middleware technology

This is another attempt to solve the NAT traversal problem with a general-purpose approach. Unlike ALG, the NAT gateway is an explicit participant in this solution, and the client takes part in maintaining the gateway's public-network mapping information. The NAT gateway then does not need to analyze the client's application-layer data; it only needs to understand the client's request and allocate the translation entry as requested. UPnP (Universal Plug and Play) is such a method: a general communication protocol between network terminals and gateways, capable of information publishing and management control. A gateway mapping request dynamically adds a mapping entry for the client. NAT no longer needs to understand the information carried at the application layer and only translates IP address and port information. The information the client sends to the public network through control messages or signaling directly carries the public IP address and port mapped for it, and the receiver can establish a data connection from that information. When data or connection requests arrive, the NAT gateway translates only the IP address and port according to the entries created via UPnP and forwards the data to the Intranet. This scheme works only when the gateway, the internal host and the application all support UPnP and the network allows UPnP signaling to be exchanged between the internal host and the NAT gateway.

Relay agent technology

This is not exactly NAT traversal; it is NAT bypass. Simply put, an application server is placed next to the NAT gateway, with its own network connections to both the internal network and the external public network. Network requests made by specific client applications are directed to this application proxy server. The proxy server parses the client request according to the proxy protocol, sends a new request from its public-network side, relays the requested content to the external network, and relays the returned content in the reverse direction. This technique is very similar to ALG in that a relay proxy service must be deployed for each application type and the intermediate server must understand the requests.

Protocol-specific traversal technology

The most complex but most reliable method of all is for the protocol to solve the problem itself. For example, IKE and IPsec are designed with NAT traversal in mind. Because these protocols encrypt their own traffic and can detect any modification of their packets, none of the other common methods can help them. In actual deployments, NAT gateways mostly work in NAPT mode, so packets carried by a transport-layer protocol can pass the NAT. IKE and IPsec therefore add another UDP layer that encapsulates their packets, so the inner packets are not affected. IKE also adds the ability to check whether a NAT gateway is present, and a way to get the IKE exchange itself past the NAT gateway.

Probe techniques STUN and TURN

The so-called probe technology installs probe plug-ins on all entities participating in the communication to detect whether NAT gateways exist in the network and to apply different traversal methods for different NAT models. The STUN server is deployed on the public network and receives probe requests from the communicating entities. The server records the source address and port of each received packet and fills them into the response it sends back. The client compares the IP address and port recorded in the received response with the IP address and port it chose locally to determine whether a NAT gateway is present. If a NAT gateway exists, the client repeats the probe from the same local address and port to another IP address of the server, and then compares the two responses to determine the NAT working mode. According to the one-to-many translation model described above, the mapping of an internal host's address and port on the NAT gateway is relatively fixed for every model except symmetric NAT, so NAT traversal is easier to achieve. Symmetric NAT creates a mapping for each connection, making the translated public address and port pair unpredictable. In this case, TURN can be combined with STUN to provide a NAT traversal service: an address and port pair is provided on the public network server, and all data received by that pair is forwarded to the Intranet host through the connection established during probing. The "address-port pair" assigned by TURN is sent to the internal host in the STUN response, and the host passes this information to its communicating peer in the signaling that establishes the connection. This probe technique is a general-purpose approach that does not require developing functionality for every application protocol on the NAT device and is more general than the ALG approach. However, the TURN relay service can become a communication bottleneck, and adding probe functionality to the client requires additional code in each application to support it.
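An added example of the STUN probe described above, not code from the article or from any STUN library: it builds a Binding Request, decodes the XOR-MAPPED-ADDRESS attribute of the reply (the RFC 5389 encoding, assumed here; the server reply is constructed inline so the demo runs offline), and applies the two-server-address comparison from the text to tell a symmetric NAT from a cone NAT. Distinguishing the three cone variants needs further change-request tests that the text does not cover, so they are not modelled.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 STUN magic cookie
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txid=None):
    """Client probe: 20-byte STUN header with no attributes; returns (message, transaction id)."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid, txid

def build_binding_response(txid, seen_ip, seen_port):
    """Constructed server reply for the offline demo: echoes the address it saw, XOR-encoded."""
    xport = seen_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(seen_ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr

def parse_mapped_address(msg, txid):
    """Return the (ip, port) the server saw, or None if msg is not our IPv4 success response."""
    if len(msg) < 20:
        return None
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or msg[8:20] != txid:
        return None
    pos = 20
    while pos + 4 <= 20 + length:
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + ((alen + 3) & ~3)          # attributes are padded to 4-byte boundaries
    return None

def detect_nat(local, mapped_primary, mapped_alternate):
    """Apply the two-server-address comparison from the text to the two probe results."""
    if mapped_primary is None:
        return "udp blocked"
    if mapped_primary == local:
        return "no nat"                         # server saw our own address: no translation
    if mapped_primary != mapped_alternate:
        return "symmetric nat"                  # new mapping per destination: unpredictable
    return "cone nat"                           # same mapping for both destinations
```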