NAT types and how to detect them
STUN is a client/server protocol. A large number of STUN servers are reachable on the public Internet; a user can run a STUN client on their own host, connect to a remote STUN server, and from the exchange determine what kind of network the host is on.
The network a client host sits in can be classified into the following types:
1. Opened: the host has a public IP and no firewall, and can communicate freely with the outside.
2. Full Cone NAT: there is a NAT device in front of the host, with this rule: every packet sent from the host's UDP port A is mapped to port B on the NAT device's external IP, and a packet sent from any external address to UDP port B of the NAT device is forwarded to the host's port A.
3. Restricted cone NAT: there is a NAT device in front of the host, with this rule: every packet sent from the host's UDP port A is mapped to port B on the NAT device's external IP, but only packets sent to UDP port B of the NAT device from an IP the host has previously sent a packet to are forwarded to the host's port A.
4. Port Restricted cone NAT: there is a NAT device in front of the host, with this rule: every packet sent from the host's UDP port A is mapped to port B on the NAT device's external IP, but only packets sent to UDP port B of the NAT device from an IP/port the host has previously sent a packet to are forwarded to the host's port A.
5. Symmetric UDP Firewall: there is no NAT device at the host's egress, but there is a firewall with this rule: packets sent from the host's UDP port A keep their source address, but only packets sent to the host's port A from an IP/port the host has previously sent a packet to pass the firewall.
6. Symmetric NAT: there is a NAT device in front of the host, with this rule: even though packets all leave from the host's UDP port A, the NAT device allocates a different external port B for each different destination address.
7. Blocked: a firewall blocks UDP communication.
The same seven types expressed as a C# enumeration:

```csharp
/// <summary>
/// Specifies UDP network type.
/// </summary>
public enum STUN_NetType
{
    /// <summary>
    /// UDP is always blocked.
    /// </summary>
    UdpBlocked,

    /// <summary>
    /// No NAT, public IP, no firewall.
    /// </summary>
    OpenInternet,

    /// <summary>
    /// No NAT, public IP, but symmetric UDP firewall.
    /// </summary>
    SymmetricUdpFirewall,

    /// <summary>
    /// A full cone NAT is one where all requests from the same internal IP address and port are
    /// mapped to the same external IP address and port. Furthermore, any external host can send
    /// a packet to the internal host, by sending a packet to the mapped external address.
    /// </summary>
    FullCone,

    /// <summary>
    /// A restricted cone NAT is one where all requests from the same internal IP address and
    /// port are mapped to the same external IP address and port. Unlike a full cone NAT, an external
    /// host (with IP address X) can send a packet to the internal host only if the internal host
    /// had previously sent a packet to IP address X.
    /// </summary>
    RestrictedCone,

    /// <summary>
    /// A port restricted cone NAT is like a restricted cone NAT, but the restriction
    /// includes port numbers. Specifically, an external host can send a packet, with source IP
    /// address X and source port P, to the internal host only if the internal host had previously
    /// sent a packet to IP address X and port P.
    /// </summary>
    PortRestrictedCone,

    /// <summary>
    /// A symmetric NAT is one where all requests from the same internal IP address and port,
    /// to a specific destination IP address and port, are mapped to the same external IP address and
    /// port. If the same host sends a packet with the same source address and port, but to
    /// a different destination, a different mapping is used. Furthermore, only the external host that
    /// receives a packet can send a UDP packet back to the internal host.
    /// </summary>
    Symmetric
}
```
Test procedure
The STUN server runs over UDP, has two fixed public addresses, and provides the following two functions:
1. Tell the STUN client the public address it has after NAT mapping.
2. At the STUN client's request, send the reply from a different IP or port of the server.
How is the network type determined from these two server functions? RFC 3489 gives the process shown in the figure below:
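The two server functions above map onto two pieces of the classic STUN (RFC 3489) wire format: the MAPPED-ADDRESS attribute in a Binding Response carries the NAT-mapped address, and the CHANGE-REQUEST attribute in a Binding Request asks the server to answer from its other IP and/or port (the CHANGED-ADDRESS attribute tells the client what that other address is). The following Python is an added example written for this page, not code from the original post or from any STUN library: it encodes a request, decodes a response while rejecting datagrams that are not a well-formed answer to the request it sent, and wraps one request/response round trip with a timeout so that "no reply" becomes a `None` result. The message-type and attribute codes are the RFC values; the address values in `sample_response` are constructed for illustration.

```python
import os
import socket
import struct
import time

# RFC 3489 message types and attribute codes
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_CHANGE_REQUEST = 0x0003
ATTR_CHANGED_ADDRESS = 0x0005   # the server's other IP/port
CHANGE_IP = 0x04
CHANGE_PORT = 0x02


def build_binding_request(change_ip=False, change_port=False, txid=None):
    """Encode a Binding Request. change_ip / change_port set the CHANGE-REQUEST
    flags that ask the server to reply from its other IP and/or port."""
    txid = os.urandom(16) if txid is None else txid
    if len(txid) != 16:
        raise ValueError("transaction ID must be 16 bytes")
    attrs = b""
    if change_ip or change_port:
        flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
        attrs = struct.pack("!HHI", ATTR_CHANGE_REQUEST, 4, flags)
    return struct.pack("!HH", BINDING_REQUEST, len(attrs)) + txid + attrs


def _decode_ipv4_attr(value):
    # 1 byte pad, 1 byte family (0x01 = IPv4), 2 bytes port, 4 bytes address
    if len(value) != 8 or value[1] != 0x01:
        raise ValueError("only IPv4 address attributes are handled here")
    port = struct.unpack("!H", value[2:4])[0]
    return socket.inet_ntoa(value[4:8]), port


def parse_binding_response(data, txid=None):
    """Decode a Binding Response into {'mapped': (ip, port), 'changed': (ip, port)}.
    Anything that is not a well-formed response to transaction txid is rejected,
    so a stray datagram cannot be mistaken for the server's answer."""
    if len(data) < 20:
        raise ValueError("datagram shorter than the 20-byte STUN header")
    msg_type, length = struct.unpack("!HH", data[:4])
    if msg_type != BINDING_RESPONSE:
        raise ValueError("message type 0x%04x is not a Binding Response" % msg_type)
    if txid is not None and data[4:20] != txid:
        raise ValueError("transaction ID does not match the request")
    body = data[20:20 + length]
    if len(body) != length:
        raise ValueError("body shorter than the header's length field")
    out = {}
    pos = 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute 0x%04x" % atype)
        if atype == ATTR_MAPPED_ADDRESS:
            out["mapped"] = _decode_ipv4_attr(value)
        elif atype == ATTR_CHANGED_ADDRESS:
            out["changed"] = _decode_ipv4_attr(value)
        pos += 4 + ((alen + 3) & ~3)   # attributes are padded to 4-byte boundaries
    if "mapped" not in out:
        raise ValueError("response carries no MAPPED-ADDRESS")
    return out


def stun_transaction(sock, server, change_ip=False, change_port=False, timeout=2.0):
    """Send one request over sock and wait for the matching response. Returns the
    parsed response plus 'from' (the address it came from), or None on timeout,
    which is the 'no reply' branch of every test in the discovery procedure."""
    txid = os.urandom(16)
    sock.sendto(build_binding_request(change_ip, change_port, txid), server)
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        sock.settimeout(remaining)
        try:
            data, addr = sock.recvfrom(2048)
        except socket.timeout:
            return None
        try:
            resp = parse_binding_response(data, txid)
        except ValueError:
            continue   # not our response; keep waiting until the deadline
        resp["from"] = addr
        return resp


def sample_response(txid):
    """Constructed sample of a server's answer: the client is seen as
    198.51.100.7:41234 and the server's other address is 203.0.113.11:3479."""
    mapped = struct.pack("!BBH4s", 0, 1, 41234, socket.inet_aton("198.51.100.7"))
    changed = struct.pack("!BBH4s", 0, 1, 3479, socket.inet_aton("203.0.113.11"))
    attrs = (struct.pack("!HH", ATTR_MAPPED_ADDRESS, 8) + mapped
             + struct.pack("!HH", ATTR_CHANGED_ADDRESS, 8) + changed)
    return struct.pack("!HH", BINDING_RESPONSE, len(attrs)) + txid + attrs
```

To run Test I for real, open a UDP socket, bind it to an ephemeral port, and call `stun_transaction(sock, ("stun.stunprotocol.org", 3478))` (one of the servers listed further down; port 3478 is the standard STUN port and is assumed here). Test II is the same call with `change_ip=True, change_port=True`, and Test III with `change_port=True` only. Note that RFC 5389 servers may ignore CHANGE-REQUEST and answer with XOR-MAPPED-ADDRESS instead of MAPPED-ADDRESS; this parser, like the procedure on this page, assumes classic RFC 3489 behaviour.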
```text
                        +--------+
                        |  Test  |
                        |   I    |
                        +--------+
                             |
                             |
                             V
                            /\              /\
                         N /  \ Y          /  \ Y             +--------+
          UDP     <-------/Resp\--------->/ IP \------------->|  Test  |
          Blocked         \ ?  /          \Same/              |   II   |
                           \  /            \? /               +--------+
                            \/              \/                    |
                                             | N                  |
                                             |                    V
                                             V                    /\
                                         +--------+  Sym.      N /  \
                                         |  Test  |  UDP    <---/Resp\
                                         |   II   |  Firewall   \ ?  /
                                         +--------+              \  /
                                             |                    \/
                                             V                     |Y
                  /\                         /\                    |
   Symmetric  N  /  \       +--------+   N  /  \                   V
      NAT  <--- / IP \<-----|  Test  |<--- /Resp\               Open
                \Same/      |   I    |     \ ?  /               Internet
                 \? /       +--------+      \  /
                  \/                         \/
                  |                           |Y
                  |                           |
                  |                           V
                  |                           Full
                  |                           Cone
                  V              /\
              +--------+        /  \ Y
              |  Test  |------>/Resp\---->Restricted
              |   III  |       \ ?  /
              +--------+        \  /
                                 \/
                                  |N
                                  |       Port
                                  +------>Restricted

                 Figure 2: Flow for type discovery process
```
This process can be summarized as follows:
1. The STUN client sends a request to the STUN server asking for its own NAT-mapped address:
a. No reply from the server: UDP is assumed to be blocked by a firewall and no communication is possible; network type: Blocked.
b. A reply is received: compare it with the local address. If they are the same, assume there is no NAT device and go to step 2; otherwise assume there is a NAT device and go to step 3.
2. (No NAT device confirmed) The STUN client asks the STUN server to send the reply from a different IP and port:
a. No reply arrives from the server's other IP address: the packet is assumed to have been blocked by a firewall in front of the host; network type: Symmetric UDP Firewall.
b. A reply is received: the client is on an open network; network type: Opened.
3. (NAT device confirmed) The STUN client asks the STUN server to send the reply from a different IP and port:
a. No reply arrives from the server's other IP address: the packet is assumed to have been blocked by the NAT device in front of the host; go to step 4.
b. A reply is received: the NAT device is a Full Cone NAT; network type: Full Cone NAT.
4. The STUN client sends a request to the STUN server's other IP address asking for its NAT-mapped address, and compares it with the one obtained earlier:
a. The addresses differ: network type: Symmetric NAT.
b. They are the same: the NAT is assumed to be a Restricted NAT; go to step 5 to determine which kind.
5. (Restricted NAT device confirmed) The STUN client asks the STUN server to send the reply from the same IP but a different port:
a. No reply arrives from the server's other port: the packet is assumed to have been blocked by the NAT device in front of the host; network type: Port Restricted cone NAT.
b. A reply is received: network type: Restricted cone NAT.
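The five-step procedure above, and the mapping and filtering rules from the NAT type list at the top of the page, can both be checked with a small model. The following Python is an added example written for this page, not code from the original post: `discover_nat_type` implements steps 1 to 5 on top of a `probe(server, change_ip, change_port)` callable (an assumed interface: it returns `None` when no reply arrives, otherwise a dict with `mapped`, the client's address as the server saw it, and `changed`, the server's other IP/port), and `make_probe` builds a constructed probe that behaves like a client socket behind each of the seven network types. All addresses are constructed, and the simulation deliberately reuses one mapping state across probes, as a real client reusing one UDP socket would.

```python
NAT_TYPES = ("Blocked", "Opened", "Symmetric UDP Firewall", "Full Cone NAT",
             "Restricted cone NAT", "Port Restricted cone NAT", "Symmetric NAT")

# Constructed addresses: two server IPs x two ports, a private client address,
# and the public IP of the simulated NAT.
SERVER_IPS = ("203.0.113.10", "203.0.113.11")
SERVER_PORTS = (3478, 3479)
PRIMARY = (SERVER_IPS[0], SERVER_PORTS[0])
LOCAL = ("192.168.1.20", 50000)
PUBLIC_IP = "198.51.100.7"


def discover_nat_type(probe, local_addr, primary=PRIMARY):
    """Steps 1-5 of the procedure; every probe() call is one STUN test."""
    # Step 1: Test I to the primary address
    first = probe(primary, False, False)
    if first is None:
        return "Blocked"
    if first["mapped"] == local_addr:
        # Step 2: no NAT; can a reply from the other IP and port reach us?
        if probe(primary, True, True) is None:
            return "Symmetric UDP Firewall"
        return "Opened"
    # Step 3: behind a NAT; Test II (reply from the other IP and port)
    if probe(primary, True, True) is not None:
        return "Full Cone NAT"
    # Step 4: Test I again, to the server's other address; compare the mappings
    second = probe(first["changed"], False, False)
    if second is None:
        raise RuntimeError("no reply from the alternate address; cannot classify")
    if second["mapped"] != first["mapped"]:
        return "Symmetric NAT"
    # Step 5: Test III (reply from the same IP but the other port)
    if probe(primary, False, True) is not None:
        return "Restricted cone NAT"
    return "Port Restricted cone NAT"


def _other(value, pair):
    return pair[1] if value == pair[0] else pair[0]


def make_probe(nat_type):
    """Return a probe that behaves like a client socket behind nat_type."""
    if nat_type not in NAT_TYPES:
        raise ValueError(nat_type)
    sent_to = []   # destinations this socket has sent to: the NAT/firewall state

    def probe(server, change_ip=False, change_port=False):
        if nat_type == "Blocked":
            return None   # UDP never gets out, or never gets back in
        if server not in sent_to:
            sent_to.append(server)
        # External address the NAT assigns to this packet
        if nat_type in ("Opened", "Symmetric UDP Firewall"):
            mapped = LOCAL                                          # no NAT at all
        elif nat_type == "Symmetric NAT":
            mapped = (PUBLIC_IP, 40000 + sent_to.index(server))     # new port per destination
        else:
            mapped = (PUBLIC_IP, 40000)                             # one mapping for port A
        # Address the server's reply actually comes from
        reply = (_other(server[0], SERVER_IPS) if change_ip else server[0],
                 _other(server[1], SERVER_PORTS) if change_port else server[1])
        # Does the NAT/firewall let that reply in?
        if nat_type in ("Opened", "Full Cone NAT"):
            allowed = True
        elif nat_type == "Restricted cone NAT":
            allowed = any(reply[0] == dest[0] for dest in sent_to)   # IP previously sent to
        else:  # Port Restricted cone NAT, Symmetric NAT, Symmetric UDP Firewall
            allowed = reply in sent_to                               # IP and port previously sent to
        if not allowed:
            return None
        return {"mapped": mapped,
                "changed": (_other(server[0], SERVER_IPS), _other(server[1], SERVER_PORTS))}

    return probe


def simulate_all():
    """Classify a simulated client of every type; each should come back as itself."""
    return {t: discover_nat_type(make_probe(t), LOCAL) for t in NAT_TYPES}
```

Running `simulate_all()` returns each type mapped to itself, which confirms that the five steps separate the seven cases. To use the classifier against a real server, supply a probe that sends a Binding Request with the matching CHANGE-REQUEST flags and returns `None` on timeout; the step-4 `RuntimeError` is the one outcome the RFC flow does not cover (the alternate address never answered), and it is reported rather than guessed at.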
Free, publicly usable STUN servers:
stun.ekiga.net
stun.stunprotocol.org
larry.gloo.net
A few NAT type checking tools:
http://midcom-p2p.sourceforge.net/
http://www.9ht.com/xz/50176.html
http://download.csdn.net/download/delver2235/8109891
Reprinted from: https://my.oschina.net/u/945874/blog/371562
Source of this copy: https://bianchenghao.cn/11089.html