Original copyright: Copyright (C) The Internet Society (2003). All Rights Reserved. Original address: http://midcom-p2p.sourceforge.net/draft-ford-midcom-p2p-01.txt
Translation copyright notice: when reproducing this article, please credit the author and the source (http://blog.9cbs.net/hxhbluestar) to respect the translator's work.
2. TERMINOLOGY
Terminology
In this section we first summarize some middlebox terms. We focus here...
In this section we first introduce some middlebox terminology, then discuss the two kinds of middleboxes that cause problems for P2P applications.
Firewall
A firewall restricts communication between a private internal network and the public Internet, typically by dropping packets that are deemed unauthorized. A firewall examines but does not modify the IP address and TCP / UDP port information in packets crossing the boundary.
Firewall
A firewall restricts communication between a private network and the public Internet, mainly by dropping packets that are not authorized. The firewall only examines the packets; it does not modify the IP address or TCP/UDP port information in them.
Network Address Translator (NAT)
A network address translator not only examines but also modifies the header information in packets flowing across the boundary, allowing many hosts behind the NAT to share the use of a smaller number of public IP addresses (often one). Network address translators in turn have two main varieties:
Network Address Translator (NAT)
When a packet passes through, a network address translator not only examines it but also modifies the IP address and port information in its header, so that the hosts behind the NAT can share a small number of public IP addresses (usually one). There are two main types of network address translator:
Basic NAT
A Basic NAT maps an internal host's private IP address to a public IP address without changing the TCP/UDP port numbers in packets crossing the boundary. Basic NAT is generally only useful when the NAT has a pool of public IP addresses from which to make address bindings on behalf of internal hosts.
Basic NAT
A basic NAT translates the private IP address of an internal host into a public IP address, but does not translate TCP/UDP port information. Basic NAT is generally used when the NAT has a pool of public IP addresses: it binds a public IP address to an internal host so that the outside can reach that host through the public address. (Translator's note: this is really only IP translation, e.g. 192.168.0.23 <-> 210.42.106.35. It still differs from configuring the public IP address directly on the host, which matters especially for enterprises: external traffic must still pass through the internal firewall, but the internal host can use a public IP.)
Network Address / Port Translator (NAPT)
By far the most common, a Network Address / Port Translator examines and modifies both the IP address and the TCP / UDP port number fields of packets crossing the boundary, allowing multiple internal hosts to share a single public IP address simultaneously.
Refer to [NAT-TRAD] and [NAT-TERM] for more general information on NAT taxonomy and terminology. Additional terms that further classify NAPT are defined in more recent work [STUN]. When an internal host opens an outgoing TCP or UDP session through a network address/port translator, the NAPT assigns the session a public IP address and port number so that subsequent response packets from the external endpoint can be received by the NAPT, translated, and forwarded to the internal host. The effect is that the NAPT establishes a port binding between (private IP, private port) and (public IP, public port).
The port binding defines the address translation the NAPT will perform for the duration of the session. An issue of relevance to P2P applications is how the NAT behaves when an internal host initiates multiple simultaneous sessions from a single (private IP, private port) pair to multiple distinct endpoints on the external network.
Network Address / Port Translator (NAPT)
This is by far the most common case: a network address/port translator examines and modifies both the IP address and the TCP/UDP port information of packets, so that many internal hosts can share one public IP address at the same time.
Refer to [NAT-TRAD] and [NAT-TERM] for more on NAT categories and terminology; [STUN] has more recently defined further terms that classify NAPT. When an internal host opens an outgoing TCP or UDP session through the NAT, the NAPT assigns the session a public IP address and port so that reply packets from the external host can be received, translated, and forwarded to the internal host. The effect is that the NAPT establishes a port binding between [private IP: private port] and [public IP: public port]. The port binding specifies the address translation the NAPT will perform for the lifetime of the session. One question matters here: if a P2P application initiates several simultaneous sessions from the same [private IP: port] to different external hosts, how does the NAT handle them? See the following cases.
Cone NAT
After establishing a port binding between a (private IP, private port) tuple and a (public IP, public port) tuple, a cone NAT will re-use this port binding for subsequent sessions the application may initiate from the same private IP address and port number, for as long as at least one session using the port binding remains active.
Cone NAT
(Translator's note: why is it called a cone? See the diagram below: the client and the external servers all communicate through the single binding assigned by the NAT, like a funnel that filters and delivers the traffic.)
Once a [private IP: port] - [public IP: port] binding is established, a cone NAT lets subsequent sessions the application initiates from the same [private IP: port] reuse this port binding, for as long as at least one session using the binding remains active.
For example, suppose Client A in the diagram below initiates two simultaneous outgoing sessions through a cone NAT, from the same internal endpoint (10.0.0.1:1234) to two different external servers, S1 and S2. The cone NAT assigns just one public endpoint tuple, 155.99.25.11:62000, to both of these sessions, ensuring that the "identity" of the client's port is maintained across address translation. Since Basic NATs and firewalls do not modify port numbers as packets flow across the middlebox, these types of middleboxes can be viewed as a degenerate form of cone NAT.
For example, assume that client A (IP address as shown above) simultaneously initiates two outgoing connections through a cone NAT from the same internal endpoint (10.0.0.1:1234) to two different public servers, S1 and S2. The cone NAT assigns only one public IP and port (155.99.25.11:62000) to these two sessions, ensuring that the client's port "identity" is preserved across address translation (translator's note: this client uses only this one port). Since basic NATs and firewalls do not modify the port numbers of packets passing through them, they can be regarded as a simplified form of cone NAT.
Symmetric NAT
A symmetric NAT, in contrast, does not maintain a consistent port binding between (private IP, private port) and (public IP, public port) across all sessions.
Instead, it assigns a new public port to each new session. For example, suppose Client A initiates two outgoing sessions from the same port as above, one with S1 and one with S2. A symmetric NAT might allocate the public endpoint 155.99.25.11:62000 to session 1, and then allocate a different public endpoint, 155.99.25.11:62001, when the application initiates session 2. The NAT is able to differentiate between the two sessions for translation purposes because the external endpoints involved in the sessions (those of S1 and S2) differ, even as the endpoint identity of the client application is lost across the address translation boundary.
Symmetric NAT
A symmetric NAT differs greatly from a cone NAT: it does not keep one binding across sessions, but allocates a new public port to each new session.
Using the example above: if client A (10.0.0.1:1234) simultaneously initiates two outgoing sessions, one to S1 and one to S2, a symmetric NAT will allocate the public address 155.99.25.11:62000 to session 1 and then a different public address, 155.99.25.11:62001, to session 2. The symmetric NAT can tell the two sessions apart and translate them because the external addresses of session 1 and session 2 differ. As a result, however, the client application's endpoint identity is lost at the address translation boundary: every session the application initiates gets a new port, and there is no guarantee that the same port will be used.
The issue of cone versus symmetric NAT behavior applies equally to TCP and UDP traffic. Cone NAT is further classified according to how liberally the NAT accepts incoming traffic directed to an already-established (public IP, public port) pair. This classification generally applies only to UDP traffic, since NATs and firewalls reject incoming TCP connection attempts unconditionally unless specifically configured to do otherwise.
The distinction between cone NAT and symmetric NAT (whether the same application keeps one public port or is allocated a different port for each session) applies equally to TCP and UDP communication. Cone NAT is further classified by how liberally it accepts incoming traffic to an already-established public address and port. This classification generally applies only to UDP communication, not TCP, because NATs and firewalls block incoming TCP connection attempts unless explicitly configured otherwise. The classifications are as follows:
Full Cone NAT
After establishing a public / private port binding for a new outgoing session, a full cone NAT will subsequently accept incoming traffic to the corresponding public port from ANY external endpoint on the public network. Full cone NAT is also sometimes called "promiscuous" NAT.
Full cone NAT
When an internal host initiates an outgoing session, a public/private port binding is created. Once that binding exists, a full cone NAT accepts incoming traffic to that public port from any external endpoint on the public network. For this reason a full cone NAT is sometimes called a "promiscuous" NAT.
Restricted Cone NAT
A restricted cone NAT only forwards an incoming packet directed to a public port if its external (source) IP address matches the address of a node to which the internal host has previously sent one or more outgoing packets. A restricted cone NAT effectively refines the firewall principle of rejecting unsolicited incoming traffic, by restricting incoming traffic to a set of "known" external IP addresses.
Restricted cone NAT
A restricted cone NAT filters incoming packets: when the internal host initiates an outgoing session, the NAT records the IP address of the external host, and only packets from those recorded external IP addresses are forwarded to the host inside the NAT. The restricted cone NAT thus refines the firewall principle of filtering unsolicited packets: only "known" external addresses may send traffic into the NAT.
Port-Restricted Cone NAT
A port-restricted cone NAT, in turn, only forwards an incoming packet if its external IP address AND port number match those of an external endpoint to which the internal host has previously sent outgoing packets. A port-restricted cone NAT provides internal nodes the same level of protection against unsolicited incoming traffic that a symmetric NAT does, while maintaining a private port's identity across translation.
Port-restricted cone NAT
A port-restricted cone NAT differs from a restricted cone NAT in that it records both the IP address and the port of the external host: an incoming packet is forwarded only if its source IP address and port both match an endpoint the internal host has already sent to. It gives internal nodes the same level of protection against unsolicited traffic as a symmetric NAT, while preserving the private port's "identity" across translation.
Finally, in this document we define new terms for classifying the P2P-relevant behavior of middleboxes:
Finally, in this document we define a set of new terms in order to better classify middleboxes ("P2P proxies") by their P2P behavior.
P2P-Application
A P2P-application as used in this document is an application in which each P2P participant registers with a public registration server, and subsequently uses either its private endpoint, or public endpoint, or both, to establish peering sessions.
P2P application
A P2P application is one that establishes end-to-end (peer-to-peer) sessions with the help of an existing public server, using its own private address, its public address, or both.
P2P-Middlebox
A P2P-middlebox is a middlebox that permits the traversal of P2P applications.
P2P middlebox (P2P agent)
A P2P middlebox is a middlebox that allows P2P applications to communicate through it.
P2P-Firewall
A P2P-firewall is a P2P-middlebox that provides firewall functionality but performs no address translation.
P2P firewall
A P2P firewall is a P2P middlebox that provides the functions of a firewall but does not perform address translation.
P2P-NAT
A P2P-NAT is a P2P-middlebox that provides NAT functionality, and may also provide firewall functionality. At minimum, a P2P-middlebox must implement cone NAT behavior for UDP traffic, allowing applications to establish robust P2P connectivity using the UDP hole punching technique.
P2P-NAT
A P2P-NAT is a P2P middlebox that provides NAT functionality and may also provide firewall functionality. At minimum, a P2P middlebox must implement cone NAT behavior for UDP traffic, so that applications can use the UDP hole punching technique to establish robust P2P connections.
Loopback Translation
When a host in the private domain of a NAT device attempts to connect with another host behind the same NAT device using the public address of the host, the NAT device performs the equivalent of a "Twice-NAT" translation on the packet as follows. The originating host's private endpoint is translated into its assigned public endpoint, and the target host's public endpoint is translated into its private endpoint, before the packet is forwarded to the target host. We refer to the above translation performed by a NAT device as "Loopback translation".
Loopback translation
When a host inside the NAT's private network tries to reach another host behind the same NAT using that host's public address, the NAT device performs the equivalent of a twice-NAT translation: before the packet reaches the target host, the originating host's private address is translated into its public address, and the target host's public address is translated back into its private address. We call this translation performed by a NAT device "loopback translation".