NAT的完全分析及其UDP穿透的完全解决方案

最新推荐文章于 2022-09-21 10:58:20 发布
最新推荐文章于 2022-09-21 10:58:20 发布
阅读量4.6k 收藏 2
点赞数
分类专栏: Linux 文章标签: translation tcp session network application protocols
NAT的完全分析及其UDP穿透的完全解决方案
 
一:基本术语
防火墙
防火墙限制了私网与公网的通信,它主要是将(防火墙)认为未经授权的的包丢弃,防火墙只是检验包的数据,并不修改数据包中的 IP地址和TCP/UDP端口信息。
网络地址转换(NAT)
当有数据包通过时,网络地址转换器不仅检查包的信息,还要将包头中的 IP地址和端口信息进行修改。以使得处于NAT之后的机器共享几个仅有的公网IP地址(通常是一个)。网络地址转换器主要有两种类型.
P2P应用程序
P2P应用程序是指,在已有的一个公共服务器的基础上,并分别利用自己的私有地址或者公有地址(或者两者兼备)来建立一个端到端的会话通信。
P2P防火墙
P2P防火墙是一个提供了防火墙的功能的 P2P代理,但是不进行地址转换.
P2P-NAT
P2P-NAT 是一个  P2P代理,提供了NAT的功能,也提供了防火墙的功能,一个最简的P2P代理必须具有锥形NAT对Udp通信支持的功能,并允许应用程序利用Udp打洞技术建立强健的P2P连接。
回环转换
当 NAT的私网内部机器想通过公共地址来访问同一台局域网内的机器的时,NAT设备等价于做了两次NAT的事情,在包到达目标机器之前,先将私有地址转换为公网地址,然后再将公网地址转换回私有地址。我们把具有上叙转换功能的NAT设备叫做“回环转换”设备。
 
二:NAT分类
可以分为基础NAT网络地址和端口转换(NAPT)两大类
(一):基础NAT
基础NAT 将私网主机的私有 IP地址转换成公网IP地址,但并不将TCP/UDP端口信息进行转换。基础NAT一般用在当NAT拥有很多公网IP地址的时候,它将公网IP地址与内部主机进行绑定,使得外部可以用公网IP地址访问内部主机。(实际上是只将IP转换,192.168.0.23 <-> 210.42.106.35,这与直接设置IP地址为公网IP还是有一定区别的,特别是对于企业来说,外部的信息都要经过统一防火墙才能到达内部,但是内部主机又可以使用公网IP)
(二):网络地址和端口转换 (NAPT)
这是最普遍的情况,网络地址 /端口转换器检查、修改包的IP地址和TCP/UDP端口信息,这样,更多的内部主机就可以同时使用一个公网IP地址。
请参考 [RFC1631]和[RFC2993]及[RFC2663]这三个文档了解更多的NAT分类和术语信息。另外,关于NAPT的分类和术语,[RFC2663]做了更多的定义。当一个内部网主机通过NAT打开一个“外出”的TCP或UDP会话时,NAPT分配给这个会话一个公网IP和端口,用来接收外网的响应的数据包,并经过转换通知内部网的主机。这样做的效果是,NAPT在 [私有IP:私有端口] 和[公网IP:公网端口]之间建立了一个端口绑定。
端口绑定指定了 NAPT将在这个会话的生存期内进行地址转换任务。这中间存在一个这样的问题,如果P2P应用程序从内部网络的一个[私有IP地址:端口]对同时发出多条会话给不同的外网主机,那么NAT会怎样处理呢?这又可以分为锥形NAT (CONE NAT)对称NAT (SYMMTRIC NAT)两大类来考虑:
A.锥形NAT
(为什么叫做锥形呢?请看以下图形 ,终端和外部服务器,都通过NAT分派的这个绑定地址对来传送信息,就象一个漏斗一样,筛选并传递信息)
                               
  当建立了一个  [私有IP:端口]-[公网IP:端口] 端口绑定之后,对于来自同一个[私有IP:端口]会话,锥形NAT服务器允许发起会话的应用程序 重复使用这个端口绑定,一直到这个会话结束才解除(端口绑定)。
  例如,假设  Client A(IP地址信息如上图所示)通过一个锥形NAT 同时发起两个外出的连接,它使用同一个内部端口(10.0.0.1:1234)给公网的两台不同的服务器,S1和S2。锥形NAT 只分配一个公网IP和端口(155.99.25.11:62000)给这个两个会话,通过地址转换可以确保 Client使用端口的“同一性”(即这个Client只使用这个端口)。而基础NATs和防火墙却不能修改经过的数据包端口号,它们可以看作是锥形NAT的精简版本。
进一步分析可以将 CONE NAT受限制锥形NAT (RESTRICT CONE) 与端口受限锥形NAT (PORT RESTRICT CONE) 三大类,以下是详细论述: 分为 全双工锥形NAT (FULL CONE) ,
1.全双工锥形NAT
当内部主机发出一个 “外出”的连接会话,就会创建了一个公网/私网 地址,一旦这个地址对被创建,全双工锥形NAT会接收随后任何外部端口传入这个公共端口地址的通信。因此,全双工锥形NAT有时候又被称为"混杂"NAT。
2.受限制锥形NAT
受限制的锥形 NAT会对传入的数据包进行筛选,当内部主机发出“外出”的会话时,NAT会记录这个外部主机的IP地址信息,所以,也只有这些有记录的外部IP地址,能够将信息传入到NAT内部,受限制的锥形NAT 有效的给防火墙提炼了筛选包的原则——即限定只给那些已知的外部地址“传入”信息到NAT内部。
3.端口受限锥形NAT
端口受限制的锥形 NAT,与受限制的锥形NAT不同的是:它同时记录了外部主机的IP地址和端口信息,端口受限制的锥形NAT给内部节点提供了同一级别的保护,在维持端口“同一性”过程中,将会丢弃对称NAT传回的信息。
B.对称NAT
对称 NAT,与Cone NAT是大不相同的,并不对会话进行端口绑定,而是分配一个全新的公网端口 给每一个新的会话。
还是上面那个例子:如果  Client A (10.0.0.1:1234)同时发起两个 "外出" 会话,分别发往S1和S2。对称Nat会分配公共地址155.99.25.11:62000给Session1,然后分配另一个不同的公共地址155.99.25.11:62001给Session2。对称Nat能够区别两个不同的会话并进行地址转换,因为在 Session1 和 Session2中的外部地址是不同的,正是因为这样,Client端的应用程序就迷失在这个地址转换边界线了,因为这个应用程序每发出一个会话都会使用一个新的端口,无法保障只使用同一个端口了。
在 TCP和UDP通信中,(到底是使用同一个端口,还是分配不同的端口给同一个应用程序),锥形NAT和对称NAT各有各的理由。当然锥形NAT在根据如何公平地将NAT接受的连接直达一个已创建的地址对上有更多的分类。这个分类一般应用在Udp通信(而不是Tcp通信上),因为NATs和防火墙阻止了试图无条件传入的TCP连接,除非明确设置NAT不这样做。
三:NAT对session的处理
以下分析 NAPT是依据什么策略来判断是否要为一个请求发出的UDP数据包建立Session的.主要有一下几个策略:
A. 源地址 (内网IP地址)不同,忽略其它因素, 在NAPT上肯定对应不同的Session
B. 源地址 (内网IP地址)相同,源端口不同,忽略其它的因素,则在NAPT上也肯定对应不同的Session
C. 源地址 (内网IP地址)相同,源端口相同,目的地址(公网IP地址)相同,目的端口不同,则在NAPT上肯定对应同一个Session
D. 源地址 (内网IP地址)相同,源端口相同,目的地址(公网IP地址)不同,忽略目的端口,则在NAPT上是如何处理Session的呢?
A,B,C三种情况的都是比较简单的 ,可以很容易的实现.而D的情况就比较复杂了.所以D情况才是我们要重点关心和讨论的问题。
四:完全解决方案
以下针对四种 SESSION与四种NAT的完全解决方案,为了方便将使用以下缩写形式:
C代表  CONE NAT
S代表 SYMMETRIC NAT,
FC代表  FULL CONE NAT,
RC代表  RESTRICT CONE NAT,
PC 代表  PORT RESTRICT CONE NAT.
首先依据 CLIENT (客户)端在NAT后 的个数不同可以分为两大类:
TYPE ONE :一个在NAT后 + 一个在公网中.
这种情况下可以分为两大类 :
A. S VS 公网:此种情况下,由于公网的地址在一个SESSION内是不变的,所以可以打洞是可以成功的.
B. C VS 公网与上面类似,这种情口下打洞是可以成功的.
TYPE TWO:两个客户都在NAT后面.
这种情况下也可以细分为两大类 :
A. 其中一个NAT 是 S(SYMMETRIC NAT) 的,既:S VS C或者是S VS S .
下面论证这种情口下按照常规打洞是行不通的 ,在常规打洞中,所有的客户首先登陆到一个服务器上去.服务器记录下每个客户的[公网IP:端口],然后在打洞过程中就使用这个记录的值,然而对于S的NAT来说,它并不绑定[私网IP:端口][公网IP:端口]的映射.所以在不同的SESSION中,NAT将会重新分配一对[公网IP:端口].这样一来对于S型的NAT来说打洞的[公网IP:端口]与登记在服务器上的[公网IP:端口]是不同的.而且也没有办法将打洞的[公网IP:端口]通知到另一个位于NAT下的客户端, 所以打洞是不会成功的.然而如果另一个客户端是在公网时,打洞是可以的.前面已经论证了这种情况.
这种情况下的解决方案是只能通过端口预测来进行打洞 ,具体解决方法如下:例如 (以两个都是S型的为例) NAT A 分配了它自己的UDP端口62000 用来保持  客户端A 与 服务器S的通信会话  NAT B 也分配了 31000端口 用来保持 客户端B服务器S 的通信会话 通过与  服务器S的对话 客户端A 和 客户端B都相互知道了对方所映射的真实 IP和端口
   客户端A发送一条 UDP消息到 138.76.29.7:31001(请注意到端口号的增加 ) 同时 客户端B发送一条 UDP消息到 155.99.25.11:62001 如果NAT A 和NAT B继续分配端口给新的会话,并且从 A-S和B-S的会话时间消耗得并不多的话,那么一条处于客户端A和客户端B之间的双向会话通道就建立了。
   客户端A发出的消息送达 B导致了NAT A打开了一个新的会话,并且我们希望 NAT A将会指派 62001端口给这个新的会话,因为62001是继62000 NAT会自动指派给  从服务器S到客户端A之间的新会话的端口号;类似的,客户端B发出的消息送达A导致了 NAT B打开了一个新的会话,并且我们希望 NAT B将会指派 31001这个端口给新的会话;如果两个客户端都正确的猜测到了对方新会话被指派的端口号,那么这个 客户端A-客户端B的双向连接就被打通了。其结果如下图所示:
明显的,有许多因素会导致这个方法失败:如果这个预言的新端口( 62001和31001) 恰好已经被一个不相关的会话所使用,那么NAT就会跳过这个端口号,这个连接就会宣告失败;如果两个NAT有时或者总是不按照顺序来生成新的端口号,那么这个方法也是行不通的
如果隐藏在 NAT A后的一个不同的 客户端X(或者在NAT B后)打开了一个新的“外出”UDP 连接,并且无论这个连接的目的如何;只要这个动作发生在 客户端A 建立了与服务器S的连接之后 客户端A 与 客户端B 建立连接之前;那么这个无关的 客户端X 就会趁人不备地“偷” 到这个我们渴望分配的端口。所以,这个方法变得如此脆弱而且不堪一击,只要任何一个NAT方包含以上碰到的问题,这个方法都不会奏效。
在处于  cone NAT 系列的网络环境中这个方法还是实用的;如果有一方为 cone NAT 而另外一方为 symmetric NAT,那么应用程序就应该预先发现另外一方的 NAT 是什么类型,再做出正确的行为来处理通信,这样就增大了算法的复杂度,并且降低了在真实网络环境中的普适性。
    最后,如果 P2P的一方处在两级或者两级以上的NAT下面,并且这些NATS 接近这个客户端是SYMMETRIC NAT的话,端口号预言是无效的!
因此,并不推荐使用这个方法来写新的 P2P应用程序,这也是历史的经验和教训!
B. 两个都是CONE NAT型.
这种情况下可以分为六大类型 :
A:  FC + FC
B:  FC + RC
C:  FC + PC
D:  PC + RC
E:  PC + PC
F:  RC + RC
虽然有这么多种情况 ,但是由于CONE NAT 的特性,所以还是很好办的,因为对于CONE NAT 来说,在同一个SESSION中它会绑定一对[私网IP:端口][公网IP:端口]的映射,所以它们打洞用的[公网IP:端口]与登记在服务器上的[公网IP:端口]是一致的,所以打洞是可以行的通的.
综上所述 ,就已经完全的概括了所有类型的NAT之间的可能的通信情况了.并且都提供了可行的解决方案.
五:对前一阶段的总结
1.前一阶段使用的打洞方法是有缺陷的 ,它只适应于两个都是FULL CONE NAT的类型的CLIENT(客户端).以下论证它不适应于两个都是CONE NAT的类型中的
B:  FC + RC
C:  FC + PC
D:  PC + RC
E:  PC + PC
F:  RC + RC
这五种情况 .
因为对于 受限的NAT它登记了外出包的[IP地址&端口],它仅仅接受这些已登记地址发过来的包,所以它们报告服务器的端口只能接受来自服务器的包.不能接受来自另一客户端的包.所以前一阶段的打洞方法是不可行的.
六: 存在的问题

按照理论 .NAT将在一定时间后关闭UDP的一个映射,所以为了保持与服务器能够一直通信,服务器必须要发送UDP心跳包,来保持映射不被关闭.这就需要一个合适的时间值.

参考URL:http://blog.csdn.net/colinchan/article/details/712773
这个博客写的不错

Peer-to-Peer Communication Across Network Address Translators

Bryan Ford
Massachusetts Institute of Technology
baford (at) mit.edu

Pyda Srisuresh
Caymas Systems, Inc.
srisuresh (at) yahoo.com

Dan Kegel
dank (at) kegel.com

J'fais des trous, des petits trous$\dots$
toujours des petits trous
     - S. Gainsbourg

Abstract:

Network Address Translation (NAT) causes well-known difficulties for peer-to-peer (P2P) communication, since the peers involved may not be reachable at any globally valid IP address. Several NAT traversal techniques are known, but their documentation is slim, and data about their robustness or relative merits is slimmer. This paper documents and analyzes one of the simplest but most robust and practical NAT traversal techniques, commonly known as “hole punching.” Hole punching is moderately well-understood for UDP communication, but we show how it can be reliably used to set up peer-to-peer TCP streams as well. After gathering data on the reliability of this technique on a wide variety of deployed NATs, we find that about 82% of the NATs tested support hole punching for UDP, and about 64% support hole punching for TCP streams. As NAT vendors become increasingly conscious of the needs of important P2P applications such as Voice over IP and online gaming protocols, support for hole punching is likely to increase in the future.

1 Introduction

The combined pressures of tremendous growth and massive security challenges have forced the Internet to evolve in ways that make life difficult for many applications. The Internet's original uniform address architecture, in which every node has a globally unique IP address and can communicate directly with every other node, has been replaced with a new de facto Internet address architecture, consisting of a global address realm and many private address realms interconnected by Network Address Translators (NAT). In this new address architecture, illustrated in Figure 1, only nodes in the “main,” global address realm can be easily contacted from anywhere in the network, because only they have unique, globally routable IP addresses. Nodes on private networks can connect to other nodes on the same private network, and they can usually open TCP or UDP connections to “well-known” nodes in the global address realm. NATs on the path allocate temporary public endpoints for outgoing connections, and translate the addresses and port numbers in packets comprising those sessions, while generally blocking all incoming traffic unless otherwise specifically configured.

Figure 1: Public and private IP address domains
\begin{figure}\centerline{\epsfig{file=twicenat.eps, scale=0.40}}\end{figure}

The Internet's new de facto address architecture is suitable for client/server communication in the typical case when the client is on a private network and the server is in the global address realm. The architecture makes it difficult for two nodes on different private networks to contact each other directly, however, which is often important to the “peer-to-peer” communication protocols used in applications such as teleconferencing and online gaming. We clearly need a way to make such protocols function smoothly in the presence of NAT.

One of the most effective methods of establishing peer-to-peer communication between hosts on different private networks is known as “hole punching.” This technique is widely used already in UDP-based applications, but essentially the same technique also works for TCP. Contrary to what its name may suggest, hole punching does not compromise the security of a private network. Instead, hole punching enables applications to function within the the default security policy of most NATs, effectively signaling to NATs on the path that peer-to-peer communication sessions are “solicited” and thus should be accepted. This paper documents hole punching for both UDP and TCP, and details the crucial aspects of both application and NAT behavior that make hole punching work.

Unfortunately, no traversal technique works with all existing NATs, because NAT behavior is not standardized. This paper presents some experimental results evaluating hole punching support in current NATs. Our data is derived from results submitted by users throughout the Internet by running our “NAT Check” tool over a wide variety of NATs by different vendors. While the data points were gathered from a “self-selecting” user community and may not be representative of the true distribution of NAT implementations deployed on the Internet, the results are nevertheless generally encouraging.

While evaluating basic hole punching, we also point out variations that can make hole punching work on a wider variety of existing NATs at the cost of greater complexity. Our primary focus, however, is on developing the simplest hole punching technique that works cleanly and robustly in the presence of “well-behaved” NATs in any reasonable network topology. We deliberately avoid excessively clever tricks that may increase compatibility with some existing “broken” NATs in the short term, but which only work some of the time and may cause additional unpredictability and network brittleness in the long term.

Although the larger address space of IPv6 [3] may eventually reduce the need for NAT, in the short term IPv6 is increasing the demand for NAT, because NAT itself provides the easiest way to achieve interoperability between IPv4 and IPv6 address domains [24]. Further, the anonymity and inaccessibility of hosts on private networks has widely perceived security and privacy benefits. Firewalls are unlikely to go away even when there are enough IP addresses: IPv6 firewalls will still commonly block unsolicited incoming traffic by default, making hole punching useful even to IPv6 applications.

The rest of this paper is organized as follows. Section 2 introduces basic terminology and NAT traversal concepts. Section 3 details hole punching for UDP, and Section 4 introduces hole punching for TCP. Section 5 summarizes important properties a NAT must have in order to enable hole punching. Section 6 presents our experimental results on hole punching support in popular NATs, Section 7 discusses related work, and Section 8 concludes.

2 General Concepts

This section introduces basic NAT terminology used throughout the paper, and then outlines general NAT traversal techniques that apply equally to TCP and UDP.

2.1 NAT Terminology

This paper adopts the NAT terminology and taxonomy defined in RFC 2663 [21], as well as additional terms defined more recently in RFC 3489 [19].

Of particular importance is the notion of session. A session endpoint for TCP or UDP is an (IP address, port number) pair, and a particular session is uniquely identified by its two session endpoints. From the perspective of one of the hosts involved, a session is effectively identified by the 4-tuple (local IP, local port, remote IP, remote port). The direction of a session is normally the flow direction of the packet that initiates the session: the initial SYN packet for TCP, or the first user datagram for UDP.

Of the various flavors of NAT, the most common type is traditional or outbound NAT, which provides an asymmetric bridge between a private network and a public network. Outbound NAT by default allows only outbound sessions to traverse the NAT: incoming packets are dropped unless the NAT identifies them as being part of an existing session initiated from within the private network. Outbound NAT conflicts with peer-to-peer protocols because when both peers desiring to communicate are “behind” (on the private network side of) two different NATs, whichever peer tries to initiate a session, the other peer's NAT rejects it. NAT traversal entails making P2P sessions look like “outbound” sessions to both NATs.

Outbound NAT has two sub-varieties: Basic NAT, which only translates IP addresses, and Network Address/Port Translation (NAPT), which translates entire session endpoints. NAPT, the more general variety, has also become the most common because it enables the hosts on a private network to share the use of a single public IP address. Throughout this paper we assume NAPT, though the principles and techniques we discuss apply equally well (if sometimes trivially) to Basic NAT.

2.2 Relaying

The most reliable--but least efficient--method of P2P communication across NAT is simply to make the communication look to the network like standard client/server communication, through relaying. Suppose two client hosts $A$ and $B$ have each initiated TCP or UDP connections to a well-known server $S$, at $S$'s global IP address 18.181.0.31 and port number 1234. As shown in Figure 2, the clients reside on separate private networks, and their respective NATs prevent either client from directly initiating a connection to the other. Instead of attempting a direct connection, the two clients can simply use the server $S$ to relay messages between them. For example, to send a message to client $B$, client $A$ simply sends the message to server $S$ along its already-established client/server connection, and server $S$ forwards the message on to client $B$ using its existing client/server connection with $B$.

Figure 2: NAT Traversal by Relaying
\begin{figure}\centerline{\epsfig{file=relay.eps, scale=0.40}}\end{figure}

Relaying always works as long as both clients can connect to the server. Its disadvantages are that it consumes the server's processing power and network bandwidth, and communication latency between the peering clients is likely increased even if the server is well-connected. Nevertheless, since there is no more efficient technique that works reliably on all existing NATs, relaying is a useful fall-back strategy if maximum robustness is desired. The TURN protocol [18] defines a method of implementing relaying in a relatively secure fashion.

2.3 Connection Reversal

Some P2P applications use a straightforward but limited technique, known as connection reversal, to enable communication when both hosts have connections to a well-known rendezvous server $S$ and only one of the peers is behind a NAT, as shown in Figure 3. If $A$ wants to initiate a connection to $B$, then a direct connection attempt works automatically, because $B$ is not behind a NAT and $A$'s NAT interprets the connection as an outgoing session. If $B$ wants to initiate a connection to $A$, however, any direct connection attempt to $A$ is blocked by $A$'s NAT. $B$ can instead relay a connection request to $A$ through a well-known server $S$, asking $A$ to attempt a “reverse” connection back to $B$. Despite the obvious limitations of this technique, the central idea of using a well-known rendezvous server as an intermediary to help set up direct peer-to-peer connections is fundamental to the more general hole punching techniques described next.

Figure 3: NAT Traversal by Connection Reversal
\begin{figure}\centerline{\epsfig{file=reversal.eps, scale=0.40}}\end{figure}

3 UDP Hole Punching

UDP hole punching enables two clients to set up a direct peer-to-peer UDP session with the help of a well-known rendezvous server, even if the clients are both behind NATs. This technique was mentioned in section 5.1 of RFC 3027 [10], documented more thoroughly elsewhere on the Web [13], and used in recent experimental Internet protocols [17,11]. Various proprietary protocols, such as those for on-line gaming, also use UDP hole punching.

3.1 The Rendezvous Server

Hole punching assumes that the two clients, $A$ and $B$, already have active UDP sessions with a rendezvous server $S$. When a client registers with $S$, the server records two endpoints for that client: the (IP address, UDP port) pair that the client believes itself to be using to talk with $S$, and the (IP address, UDP port) pair that the server observes the client to be using to talk with it. We refer to the first pair as the client's private endpoint and the second as the client's public endpoint. The server might obtain the client's private endpoint from the client itself in a field in the body of the client's registration message, and obtain the client's public endpoint from the source IP address and source UDP port fields in the IP and UDP headers of that registration message. If the client is not behind a NAT, then its private and public endpoints should be identical.

A few poorly behaved NATs are known to scan the body of UDP datagrams for 4-byte fields that look like IP addresses, and translate them as they would the IP address fields in the IP header. To be robust against such behavior, applications may wish to obfuscate IP addresses in messages bodies slightly, for example by transmitting the one's complement of the IP address instead of the IP address itself. Of course, if the application is encrypting its messages, then this behavior is not likely to be a problem.

3.2 Establishing Peer-to-Peer Sessions

Suppose client $A$ wants to establish a UDP session directly with client $B$. Hole punching proceeds as follows:

  1. $A$ initially does not know how to reach $B$, so $A$ asks $S$ for help establishing a UDP session with $B$.

  2. $S$ replies to $A$ with a message containing $B$'s public and private endpoints. At the same time, $S$ uses its UDP session with $B$ to send $B$ a connection request message containing $A$'s public and private endpoints. Once these messages are received, $A$ and $B$ know each other's public and private endpoints.

  3. When $A$ receives $B$'s public and private endpoints from $S$, $A$ starts sending UDP packets to both of these endpoints, and subsequently “locks in” whichever endpoint first elicits a valid response from $B$. Similarly, when $B$ receives $A$'s public and private endpoints in the forwarded connection request, $B$ starts sending UDP packets to $A$ at each of $A$'s known endpoints, locking in the first endpoint that works. The order and timing of these messages are not critical as long as they are asynchronous.

We now consider how UDP hole punching handles each of three specific network scenarios. In the first situation, representing the “easy” case, the two clients actually reside behind the same NAT, on one private network. In the second, most common case, the clients reside behind different NATs. In the third scenario, the clients each reside behind two levels of NAT: a common “first-level” NAT deployed by an ISP for example, and distinct “second-level” NATs such as consumer NAT routers for home networks.

It is in general difficult or impossible for the application itself to determine the exact physical layout of the network, and thus which of these scenarios (or the many other possible ones) actually applies at a given time. Protocols such as STUN [19] can provide some information about the NATs present on a communication path, but this information may not always be complete or reliable, especially when multiple levels of NAT are involved. Nevertheless, hole punching works automatically in all of these scenarios without the application having to know the specific network organization, as long as the NATs involved behave in a reasonable fashion. (“Reasonable” behavior for NATs will be described later in Section 5.)

3.3 Peers Behind a Common NAT

First consider the simple scenario in which the two clients (probably unknowingly) happen to reside behind the same NAT, and are therefore located in the same private IP address realm, as shown in Figure 4. Client $A$ has established a UDP session with server $S$, to which the common NAT has assigned its own public port number 62000. Client $B$ has similarly established a session with $S$, to which the NAT has assigned public port number 62005.

Figure 4: UDP Hole Punching, Peers Behind a Common NAT
\begin{figure*}\centerline{\epsfig{file=samenat.eps, scale=0.34}}\end{figure*}

Suppose that client $A$ uses the hole punching technique outlined above to establish a UDP session with $B$, using server $S$ as an introducer. Client $A$ sends $S$ a message requesting a connection to $B$. $S$ responds to $A$ with $B$'s public and private endpoints, and also forwards $A$'s public and private endpoints to $B$. Both clients then attempt to send UDP datagrams to each other directly at each of these endpoints. The messages directed to the public endpoints may or may not reach their destination, depending on whether or not the NAT supports hairpin translation as described below in Section 3.5. The messages directed at the private endpoints do reach their destinations, however, and since this direct route through the private network is likely to be faster than an indirect route through the NAT anyway, the clients are most likely to select the private endpoints for subsequent regular communication.

By assuming that NATs support hairpin translation, the application might dispense with the complexity of trying private as well as public endpoints, at the cost of making local communication behind a common NAT unnecessarily pass through the NAT. As our results in Section 6 show, however, hairpin translation is still much less common among existing NATs than are other “P2P-friendly” NAT behaviors. For now, therefore, applications may benefit substantially by using both public and private endpoints.

3.4 Peers Behind Different NATs

Suppose clients $A$ and $B$ have private IP addresses behind different NATs, as shown in Figure 5. $A$ and $B$ have each initiated UDP communication sessions from their local port 4321 to port 1234 on server $S$. In handling these outbound sessions, NAT $A$ has assigned port 62000 at its own public IP address, 155.99.25.11, for the use of $A$'s session with $S$, and NAT $B$ has assigned port 31000 at its IP address, 138.76.29.7, to $B$'s session with $S$.

Figure 5: UDP Hole Punching, Peers Behind Different NATs
\begin{figure*}\centerline{\epsfig{file=diffnat.eps, scale=0.34}}\end{figure*}

In $A$'s registration message to $S$, $A$ reports its private endpoint to $S$ as 10.0.0.1:4321, where 10.0.0.1 is $A$'s IP address on its own private network. $S$ records $A$'s reported private endpoint, along with $A$'s public endpoint as observed by $S$ itself. $A$'s public endpoint in this case is 155.99.25.11:62000, the temporary endpoint assigned to the session by the NAT. Similarly, when client $B$ registers, $S$ records $B$'s private endpoint as 10.1.1.3:4321 and $B$'s public endpoint as 138.76.29.7:31000.

Now client $A$ follows the hole punching procedure described above to establish a UDP communication session directly with $B$. First, $A$ sends a request message to $S$ asking for help connecting with $B$. In response, $S$ sends $B$'s public and private endpoints to $A$, and sends $A$'s public and private endpoints to $B$. $A$ and $B$ each start trying to send UDP datagrams directly to each of these endpoints.

Since $A$ and $B$ are on different private networks and their respective private IP addresses are not globally routable, the messages sent to these endpoints will reach either the wrong host or no host at all. Because many NATs also act as DHCP servers, handing out IP addresses in a fairly deterministic way from a private address pool usually determined by the NAT vendor by default, it is quite likely in practice that $A$'s messages directed at $B$'s private endpoint will reach some (incorrect) host on $A$'s private network that happens to have the same private IP address as $B$ does. Applications must therefore authenticate all messages in some way to filter out such stray traffic robustly. The messages might include application-specific names or cryptographic tokens, for example, or at least a random nonce pre-arranged through $S$.

Now consider $A$'s first message sent to $B$'s public endpoint, as shown in Figure 5. As this outbound message passes through $A$'s NAT, this NAT notices that this is the first UDP packet in a new outgoing session. The new session's source endpoint (10.0.0.1:4321) is the same as that of the existing session between $A$ and $S$, but its destination endpoint is different. If NAT $A$ is well-behaved, it preserves the identity of $A$'s private endpoint, consistently translating all outbound sessions from private source endpoint 10.0.0.1:4321 to the corresponding public source endpoint 155.99.25.11:62000. $A$'s first outgoing message to $B$'s public endpoint thus, in effect, “punches a hole” in $A$'s NAT for a new UDP session identified by the endpoints (10.0.0.1:4321, 138.76.29.7:31000) on $A$'s private network, and by the endpoints (155.99.25.11:62000, 138.76.29.7:31000) on the main Internet.

If $A$'s message to $B$'s public endpoint reaches $B$'s NAT before $B$'s first message to $A$ has crossed $B$'s own NAT, then $B$'s NAT may interpret $A$'s inbound message as unsolicited incoming traffic and drop it. $B$'s first message to $A$'s public address, however, similarly opens a hole in $B$'s NAT, for a new UDP session identified by the endpoints (10.1.1.3:4321, 155.99.25.11:62000) on $B$'s private network, and by the endpoints (138.76.29.7:31000, 155.99.25.11:62000) on the Internet. Once the first messages from $A$ and $B$ have crossed their respective NATs, holes are open in each direction and UDP communication can proceed normally. Once the clients have verified that the public endpoints work, they can stop sending messages to the alternative private endpoints.

3.5 Peers Behind Multiple Levels of NAT

In some topologies involving multiple NAT devices, two clients cannot establish an “optimal” P2P route between them without specific knowledge of the topology. Consider a final scenario, depicted in Figure 6. Suppose NAT $C$ is a large industrial NAT deployed by an internet service provider (ISP) to multiplex many customers onto a few public IP addresses, and NATs $A$ and $B$ are small consumer NAT routers deployed independently by two of the ISP's customers to multiplex their private home networks onto their respective ISP-provided IP addresses. Only server $S$ and NAT $C$ have globally routable IP addresses; the “public” IP addresses used by NAT $A$ and NAT $B$ are actually private to the ISP's address realm, while client $A$'s and $B$'s addresses in turn are private to the addressing realms of NAT $A$ and NAT $B$, respectively. Each client initiates an outgoing connection to server $S$ as before, causing NATs $A$ and $B$ each to create a single public/private translation, and causing NAT $C$ to establish a public/private translation for each session.

Figure 6: UDP Hole Punching, Peers Behind Multiple Levels of NAT
\begin{figure*}\centerline{\epsfig{file=multinat.eps, scale=0.34}}\end{figure*}

Now suppose $A$ and $B$ attempt to establish a direct peer-to-peer UDP connection via hole punching. The optimal routing strategy would be for client $A$ to send messages to client $B$'s “semi-public” endpoint at NAT $B$, 10.0.1.2:55000 in the ISP's addressing realm, and for client $B$ to send messages to $A$'s “semi-public” endpoint at NAT $B$, namely 10.0.1.1:45000. Unfortunately, $A$ and $B$ have no way to learn these addresses, because server $S$ only sees the truly global public endpoints of the clients, 155.99.25.11:62000 and 155.99.25.11:62005 respectively. Even if $A$ and $B$ had some way to learn these addresses, there is still no guarantee that they would be usable, because the address assignments in the ISP's private address realm might conflict with unrelated address assignments in the clients' private realms. (NAT $A$'s IP address in NAT $C$'s realm might just as easily have been 10.1.1.3, for example, the same as client $B$'s private address in NAT $B$'s realm.)

The clients therefore have no choice but to use their global public addresses as seen by $S$ for their P2P communication, and rely on NAT $C$ providing hairpin or loopback translation. When $A$ sends a UDP datagram to $B$'s global endpoint, 155.99.25.11:62005, NAT $A$ first translates the datagram's source endpoint from 10.0.0.1:4321 to 10.0.1.1:45000. The datagram now reaches NAT $C$, which recognizes that the datagram's destination address is one of NAT $C$'s own translated public endpoints. If NAT $C$ is well-behaved, it then translates both the source and destination addresses in the datagram and “loops” the datagram back onto the private network, now with a source endpoint of 155.99.25.11:62000 and a destination endpoint of 10.0.1.2:55000. NAT $B$ finally translates the datagram's destination address as the datagram enters $B$'s private network, and the datagram reaches $B$. The path back to $A$ works similarly. Many NATs do not yet support hairpin translation, but it is becoming more common as NAT vendors become aware of this issue.

3.6 UDP Idle Timeouts

Since the UDP transport protocol provides NATs with no reliable, application-independent way to determine the lifetime of a session crossing the NAT, most NATs simply associate an idle timer with UDP translations, closing the hole if no traffic has used it for some time period. There is unfortunately no standard value for this timer: some NATs have timeouts as short as 20 seconds. If the application needs to keep an idle UDP session active after establishing the session via hole punching, the application must send periodic keep-alive packets to ensure that the relevant translation state in the NATs does not disappear.

Unfortunately, many NATs associate UDP idle timers with individual UDP sessions defined by a particular pair of endpoints, so sending keep-alives on one session will not keep other sessions active even if all the sessions originate from the same private endpoint. Instead of sending keep-alives on many different P2P sessions, applications can avoid excessive keep-alive traffic by detecting when a UDP session no longer works, and re-running the original hole punching procedure again “on demand.”

4 TCP Hole Punching

Establishing peer-to-peer TCP connections between hosts behind NATs is slightly more complex than for UDP, but TCP hole punching is remarkably similar at the protocol level. Since it is not as well-understood, it is currently supported by fewer existing NATs. When the NATs involved do support it, however, TCP hole punching is just as fast and reliable as UDP hole punching. Peer-to-peer TCP communication across well-behaved NATs may in fact be more robust than UDP communication, because unlike UDP, the TCP protocol's state machine gives NATs on the path a standard way to determine the precise lifetime of a particular TCP session.

4.1 Sockets and TCP Port Reuse

The main practical challenge to applications wishing to implement TCP hole punching is not a protocol issue but an application programming interface (API) issue. Because the standard Berkeley sockets API was designed around the client/server paradigm, the API allows a TCP stream socket to be used to initiate an outgoing connection via connect(), or to listen for incoming connections via listen() and accept(), but not both. Further, TCP sockets usually have a one-to-one correspondence to TCP port numbers on the local host: after the application binds one socket to a particular local TCP port, attempts to bind a second socket to the same TCP port fail.

For TCP hole punching to work, however, we need to use a single local TCP port to listen for incoming TCP connections and to initiate multiple outgoing TCP connections concurrently. Fortunately, all major operating systems support a special TCP socket option, commonly named SO_REUSEADDR, which allows the application to bind multiple sockets to the same local endpoint as long as this option is set on all of the sockets involved. BSD systems have introduced a SO_REUSEPORT option that controls port reuse separately from address reuse; on such systems both of these options must be set.

4.2 Opening Peer-to-Peer TCP Streams

Suppose that client $A$ wishes to set up a TCP connection with client $B$. We assume as usual that both $A$ and $B$ already have active TCP connections with a well-known rendezvous server $S$. The server records each registered client's public and private endpoints, just as for UDP. At the protocol level, TCP hole punching works almost exactly as for UDP:

  1. Client $A$ uses its active TCP session with $S$ to ask $S$ for help connecting to $B$.

  2. $S$ replies to $A$ with $B$'s public and private TCP endpoints, and at the same time sends $A$'s public and private endpoints to $B$.

  3. From the same local TCP ports that $A$ and $B$ used to register with $S$, $A$ and $B$ each asynchronously make outgoing connection attempts to the other's public and private endpoints as reported by $S$, while simultaneously listening for incoming connections on their respective local TCP ports.

  4. $A$ and $B$ wait for outgoing connection attempts to succeed, and/or for incoming connections to appear. If one of the outgoing connection attempts fails due to a network error such as “connection reset” or “host unreachable,” the host simply re-tries that connection attempt after a short delay (e.g., one second), up to an application-defind maximum timeout period.

  5. When a TCP connection is made, the hosts authenticate each other to verify that they connected to the intended host. If authentication fails, the clients close that connection and continue waiting for others to succeed. The clients use the first successfully authenticated TCP stream resulting from this process.

Unlike with UDP, where each client only needs one socket to communicate with both $S$ and any number of peers simultaneously, with TCP each client application must manage several sockets bound to a single local TCP port on that client node, as shown in Figure 7. Each client needs a stream socket representing its connection to $S$, a listen socket on which to accept incoming connections from peers, and at least two additional stream sockets with which to initiate outgoing connections to the other peer's public and private TCP endpoints.

Figure 7: Sockets versus Ports for TCP Hole Punching
\begin{figure}\centerline{\epsfig{file=tcpsocks.eps, scale=0.35}}\end{figure}

Consider the common-case scenario in which the clients $A$ and $B$ are behind different NATs, as shown in Figure 5, and assume that the port numbers shown in the figure are now for TCP rather than UDP ports. The outgoing connection attempts $A$ and $B$ make to each other's private endpoints either fail or connect to the wrong host. As with UDP, it is important that TCP applications authenticate their peer-to-peer sessions, due of the likelihood of mistakenly connecting to a random host on the local network that happens to have the same private IP address as the desired host on a remote private network.

The clients' outgoing connection attempts to each other's public endpoints, however, cause the respective NATs to open up new “holes” enabling direct TCP communication between $A$ and $B$. If the NATs are well-behaved, then a new peer-to-peer TCP stream automatically forms between them. If $A$'s first SYN packet to $B$ reaches $B$'s NAT before $B$'s first SYN packet to $A$ reaches $B$'s NAT, for example, then $B$'s NAT may interpret $A$'s SYN as an unsolicited incoming connection attempt and drop it. $B$'s first SYN packet to $A$ should subsequently get through, however, because $A$'s NAT sees this SYN as being part of the outbound session to $B$ that $A$'s first SYN had already initiated.

4.3 Behavior Observed by the Application

What the client applications observe to happen with their sockets during TCP hole punching depends on the timing and the TCP implementations involved. Suppose that $A$'s first outbound SYN packet to $B$'s public endpoint is dropped by NAT $B$, but $B$'s first subsequent SYN packet to $A$'s public endpoint gets through to $A$ before $A$'s TCP retransmits its SYN. Depending on the operating system involved, one of two things may happen:

  • $A$'s TCP implementation notices that the session endpoints for the incoming SYN match those of an outbound session $A$ was attempting to initiate. $A$'s TCP stack therefore associates this new session with the socket that the local application on $A$ was using to connect() to $B$'s public endpoint. The application's asynchronous connect() call succeeds, and nothing happens with the application's listen socket.

    Since the received SYN packet did not include an ACK for $A$'s previous outbound SYN, $A$'s TCP replies to $B$'s public endpoint with a SYN-ACK packet, the SYN part being merely a replay of $A$'s original outbound SYN, using the same sequence number. Once $B$'s TCP receives $A$'s SYN-ACK, it responds with its own ACK for $A$'s SYN, and the TCP session enters the connected state on both ends.

  • Alternatively, $A$'s TCP implementation might instead notice that $A$ has an active listen socket on that port waiting for incoming connection attempts. Since $B$'s SYN looks like an incoming connection attempt, $A$'s TCP creates a new stream socket with which to associate the new TCP session, and hands this new socket to the application via the application's next accept() call on its listen socket. $A$'s TCP then responds to $B$ with a SYN-ACK as above, and TCP connection setup proceeds as usual for client/server-style connections.

    Since $A$'s prior outbound connect() attempt to $B$ used a combination of source and destination endpoints that is now in use by another socket, namely the one just returned to the application via accept(), $A$'s asynchronous connect() attempt must fail at some point, typically with an “address in use” error. The application nevertheless has the working peer-to-peer stream socket it needs to communicate with $B$, so it ignores this failure.

The first behavior above appears to be usual for BSD-based operating systems, whereas the second behavior appears more common under Linux and Windows.

4.4 Simultaneous TCP Open

Suppose that the timing of the various connection attempts during the hole punching process works out so that the initial outgoing SYN packets from both clients traverse their respective local NATs, opening new outbound TCP sessions in each NAT, before reaching the remote NAT. In this “lucky” case, the NATs do not reject either of the initial SYN packets, and the SYNs cross on the wire between the two NATs. In this case, the clients observe an event known as a simultaneous TCP open: each peer's TCP receives a “raw” SYN while waiting for a SYN-ACK. Each peer's TCP responds with a SYN-ACK, whose SYN part essentially “replays” the peer's previous outgoing SYN, and whose ACK part acknowledges the SYN received from the other peer.

What the respective applications observe in this case again depends on the behavior of the TCP implementations involved, as described in the previous section. If both clients implement the second behavior above, it may be that all of the asynchronous connect() calls made by the application ultimately fail, but the application running on each client nevertheless receives a new, working peer-to-peer TCP stream socket via accept()--as if this TCP stream had magically “created itself” on the wire and was merely passively accepted at the endpoints! As long as the application does not care whether it ultimately receives its peer-to-peer TCP sockets via connect() or accept(), the process results in a working stream on any TCP implementation that properly implements the standard TCP state machine specified in RFC 793 [23].

Each of the alternative network organization scenarios discussed in Section 3 for UDP works in exactly the same way for TCP. For example, TCP hole punching works in multi-level NAT scenarios such as the one in Figure 6 as long as the NATs involved are well-behaved.

4.5 Sequential Hole Punching

In a variant of the above TCP hole punching procedure implemented by the NatTrav library [4], the clients attempt connections to each other sequentially rather than in parallel. For example: (1) $A$ informs $B$ via $S$ of its desire to communicate, without simultaneously listening on its local port; (2) $B$ makes a connect() attempt to $A$, which opens a hole in $B$'s NAT but then fails due to a timeout or RST from $A$'s NAT or a RST from $A$ itself; (3) $B$ closes its connection to $S$ and does a listen() on its local port; (4) $S$ in turn closes its connection with $A$, signaling $A$ to attempt a connect() directly to $B$.

This sequential procedure may be particularly useful on Windows hosts prior to XP Service Pack 2, which did not correctly implement simultaneous TCP open, or on sockets APIs that do not support the SO_REUSEADDR functionality. The sequential procedure is more timing-dependent, however, and may be slower in the common case and less robust in unusual situations. In step (2), for example, $B$ must allow its “doomed-to-fail” connect() attempt enough time to ensure that at least one SYN packet traverses all NATs on its side of the network. Too little delay risks a lost SYN derailing the process, whereas too much delay increases the total time required for hole punching. The sequential hole punching procedure also effectively “consumes” both clients' connections to the server $S$, requiring the clients to open fresh connections to $S$ for each new P2P connection to be forged. The parallel hole punching procedure, in contrast, typically completes as soon as both clients make their outgoing connect() attempts, and allows each client to retain and re-use a single connection to $S$ indefinitely.

5 Properties of P2P-Friendly NATs

This section describes the key behavioral properties NATs must have in order for the hole punching techniques described above to work properly. Not all current NAT implementations satisfy these properties, but many do, and NATs are gradually becoming more “P2P-friendly” as NAT vendors recognize the demand for peer-to-peer protocols such as voice over IP and on-line gaming.

This section is not meant to be a complete or definitive specification for how NATs “should” behave; we provide it merely for information about the most commonly observed behaviors that enable or break P2P hole punching. The IETF has started a new working group, BEHAVE, to define official “best current practices” for NAT behavior. The BEHAVE group's initial drafts include the considerations outlined in this section and others; NAT vendors should of course follow the IETF working group directly as official behavioral standards are formulated.

5.1 Consistent Endpoint Translation

The hole punching techniques described here only work automatically if the NAT consistently maps a given TCP or UDP source endpoint on the private network to a single corresponding public endpoint controlled by the NAT. A NAT that behaves in this way is referred to as a cone NAT in RFC 3489 [19] and elsewhere, because the NAT “focuses” all sessions originating from a single private endpoint through the same public endpoint on the NAT.

Consider again the scenario in Figure 5, for example. When client $A$ initially contacted the well-known server $S$, NAT $A$ chose to use port 62000 at its own public IP address, 155.99.25.11, as a temporary public endpoint to representing $A$'s private endpoint 10.0.0.1:4321. When $A$ later attempts to establish a peer-to-peer session with $B$ by sending a message from the same local private endpoint to $B$'s public endpoint, $A$ depends on NAT $A$ preserving the identity of this private endpoint, and re-using the existing public endpoint of 155.99.25.11:62000, because that is the public endpoint for $A$ to which $B$ will be sending its corresponding messages.

A NAT that is only designed to support client/server protocols will not necessarily preserve the identities of private endpoints in this way. Such a NAT is a symmetric NAT in RFC 3489 terminology. For example, after the NAT assigns the public endpoint 155.99.25.11:62000 to client $A$'s session with server $S$, the NAT might assign a different public endpoint, such as 155.99.25.11:62001, to the P2P session that $A$ tries to initiate with $B$. In this case, the hole punching process fails to provide connectivity, because the subsequent incoming messages from $B$ reach NAT $A$ at the wrong port number.

Many symmetric NATs allocate port numbers for successive sessions in a fairly predictable way. Exploiting this fact, variants of hole punching algorithms [9,1] can be made to work “much of the time” even over symmetric NATs by first probing the NAT's behavior using a protocol such as STUN [19], and using the resulting information to “predict” the public port number the NAT will assign to a new session. Such prediction techniques amount to chasing a moving target, however, and many things can go wrong along the way. The predicted port number might already be in use causing the NAT to jump to another port number, for example, or another client behind the same NAT might initiate an unrelated session at the wrong time so as to allocate the predicted port number. While port number prediction can be a useful trick for achieving maximum compatibility with badly-behaved existing NATs, it does not represent a robust long-term solution. Since symmetric NAT provides no greater security than a cone NAT with per-session traffic filtering, symmetric NAT is becoming less common as NAT vendors adapt their algorithms to support P2P protocols.

5.2 Handling Unsolicited TCP Connections

When a NAT receives a SYN packet on its public side for what appears to be an unsolicited incoming connection attempt, it is important that the NAT just silently drop the SYN packet. Some NATs instead actively reject such incoming connections by sending back a TCP RST packet or even an ICMP error report, which interferes with the TCP hole punching process. Such behavior is not necessarily fatal, as long as the applications re-try outgoing connection attempts as specified in step 4 of the process described in Section 4.2, but the resulting transient errors can make hole punching take longer.

5.3 Leaving Payloads Alone

A few existing NATs are known to scan “blindly” through packet payloads for 4-byte values that look like IP addresses, and translate them as they would the IP address in the packet header, without knowing anything about the application protocol in use. This bad behavior fortunately appears to be uncommon, and applications can easily protect themselves against it by obfuscating IP addresses they send in messages, for example by sending the bitwise complement of the desired IP address.

5.4 Hairpin Translation

Some multi-level NAT situations require hairpin translation support in order for either TCP or UDP hole punching to work, as described in Section 3.5. The scenario shown in Figure 6, for example, depends on NAT $C$ providing hairpin translation. Support for hairpin translation is unfortunately rare in current NATs, but fortunately so are the network scenarios that require it. Multi-level NAT is becoming more common as IPv4 address space depletion continues, however, so support for hairpin translation is important in future NAT implementations.

6 Evaluation of Existing NATs

To evaluate the robustness of the TCP and UDP hole punching techniques described in this paper on a variety of existing NATs, we implemented and distributed a test program called NAT Check [16], and solicited data from Internet users about their NATs.

NAT Check's primary purpose is to test NATs for the two behavioral properties most crucial to reliable UDP and TCP hole punching: namely, consistent identity-preserving endpoint translation (Section 5.1), and silently dropping unsolicited incoming TCP SYNs instead of rejecting them with RSTs or ICMP errors (Section 5.2). In addition, NAT Check separately tests whether the NAT supports hairpin translation (Section 5.4), and whether the NAT filters unsolicited incoming traffic at all. This last property does not affect hole punching, but provides a useful indication the NAT's firewall policy.

NAT Check makes no attempt to test every relevant facet of NAT behavior individually: a wide variety of subtle behavioral differences are known, some of which are difficult to test reliably [12]. Instead, NAT Check merely attempts to answer the question, “how commonly can the proposed hole punching techniques be expected to work on deployed NATs, under typical network conditions?”

6.1 Test Method

NAT Check consists of a client program to be run on a machine behind the NAT to be tested, and three well-known servers at different global IP addresses. The client cooperates with the three servers to check the NAT behavior relevant to both TCP and UDP hole punching. The client program is small and relatively portable, currently running on Windows, Linux, BSD, and Mac OS X. The machines hosting the well-known servers all run FreeBSD.

6.1.1 UDP Test

To test the NAT's behavior for UDP, the client opens a socket and binds it to a local UDP port, then successively sends “ping”-like requests to servers 1 and 2, as shown in Figure 8. These servers each respond to the client's pings with a reply that includes the client's public UDP endpoint: the client's own IP address and UDP port number as observed by the server. If the two servers report the same public endpoint for the client, NAT Check assumes that the NAT properly preserves the identity of the client's private endpoint, satisfying the primary precondition for reliable UDP hole punching.

Figure 8: NAT Check Test Method for UDP
\begin{figure}\centerline{\epsfig{file=udptest.eps, scale=0.40}}\end{figure}

When server 2 receives a UDP request from the client, besides replying directly to the client it also forwards the request to server 3, which in turn replies to the client from its own IP address. If the NAT's firewall properly filters “unsolicited” incoming traffic on a per-session basis, then the client never sees these replies from server 3, even though they are directed at the same public port as the replies from servers 1 and 2.

To test the NAT for hairpin translation support, the client simply opens a second UDP socket at a different local port and uses it to send messages to the public endpoint representing the client's first UDP socket, as reported by server 2. If these messages reach the client's first private endpoint, then the NAT supports hairpin translation.

6.1.2 TCP Test

The TCP test follows a similar pattern as for UDP. The client uses a single local TCP port to initiate outbound sessions to servers 1 and 2, and checks whether the public endpoints reported by servers 1 and 2 are the same, the first precondition for reliable TCP hole punching.

The NAT's response to unsolicited incoming connection attempts also impacts the speed and reliability of TCP hole punching, however, so NAT Check also tests this behavior. When server 2 receives the client's request, instead of immediately replying to the client, it forwards a request to server 3 and waits for server 3 to respond with a “go-ahead” signal. When server 3 receives this forwarded request, it attempts to initiate an inbound connection to the client's public TCP endpoint. Server 3 waits up to five seconds for this connection to succeed or fail, and if the connection attempt is still “in progress” after five seconds, server 3 responds to server 2 with the “go-ahead” signal and continues waiting for up to 20 seconds. Once the client finally receives server 2's reply (which server 2 delayed waiting for server 3's “go-ahead” signal), the client attempts an outbound connection to server 3, effectively causing a simultaneous TCP open with server 3.

What happens during this test depends on the NAT's behavior as follows. If the NAT properly just drops server 3's “unsolicited” incoming SYN packets, then nothing happens on the client's listen socket during the five second period before server 2 replies to the client. When the client finally initiates its own connection to server 3, opening a hole through the NAT, the attempt succeeds immediately. If on the other hand the NAT does not drop server 3's unsolicited incoming SYNs but allows them through (which is fine for hole punching but not ideal for security), then the client receives an incoming TCP connection on its listen socket before receiving server 2's reply. Finally, if the NAT actively rejects server 3's unsolicited incoming SYNs by sending back TCP RST packets, then server 3 gives up and the client's subsequent attempt to connect to server 3 fails.

To test hairpin translation for TCP, the client simply uses a secondary local TCP port to attempt a connection to the public endpoint corresponding to its primary TCP port, in the same way as for UDP.

6.2 Test Results

The NAT Check data we gathered consists of 380 reported data points covering a variety of NAT router hardware from 68 vendors, as well as the NAT functionality built into different versions of eight popular operating systems. Only 335 of the total data points include results for UDP hairpin translation, and only 286 data points include results for TCP, because we implemented these features in later versions of NAT Check after we had already started gathering results. The data is summarized by NAT vendor in Table 1; the table only individually lists vendors for which at least five data points were available. The variations in the test results for a given vendor can be accounted for by a variety of factors, such as different NAT devices or product lines sold by the same vendor, different software or firmware versions of the same NAT implementation, different configurations, and probably occasional NAT Check testing or reporting errors.


Table 1: User Reports of NAT Support for UDP and TCP Hole Punching
 UDPTCP
  Hole Hole 
  PunchingHairpinPunchingHairpin
NAT Hardware        
 Linksys45/46(98%)5/42(12%)33/38(87%)3/38(8%)
 Netgear31/37(84%)3/35(9%)19/30(63%)0/30(0%)
 D-Link16/21(76%)11/21(52%)9/19(47%)2/19(11%)
 Draytek2/17(12%)3/12(25%)2/7(29%)0/7(0%)
 Belkin14/14(100%)1/14(7%)11/11(100%)0/11(0%)
 Cisco12/12(100%)3/9(33%)6/7(86%)2/7(29%)
 SMC12/12(100%)3/10(30%)8/9(89%)2/9(22%)
 ZyXEL7/9(78%)1/8(13%)0/7(0%)0/7(0%)
 3Com7/7(100%)1/7(14%)5/6(83%)0/6(0%)
OS-based NAT        
 Windows31/33(94%)11/32(34%)16/31(52%)28/31(90%)
 Linux26/32(81%)3/25(12%)16/24(67%)2/24(8%)
 FreeBSD7/9(78%)3/6(50%)2/3(67%)1/1(100%)
All Vendors310/380(82%)80/335(24%)184/286(64%)37/286(13%)


Out of the 380 reported data points for UDP, in 310 cases (82%) the NAT consistently translated the client's private endpoint, indicating basic compatibility with UDP hole punching. Support for hairpin translation is much less common, however: of the 335 data points that include UDP hairpin translation results, only 80 (24%) show hairpin translation support.

Out of the 286 data points for TCP, 184 (64%) show compatibility with TCP hole punching: the NAT consistently translates the client's private TCP endpoint, and does not send back RST packets in response to unsolicited incoming connection attempts. Hairpin translation support is again much less common: only 37 (13%) of the reports showed hairpin support for TCP.

Since these reports were generated by a “self-selecting” community of volunteers, they do not constitute a random sample and thus do not necessarily represent the true distribution of the NATs in common use. The results are nevertheless encouraging: it appears that the majority of commonly-deployed NATs already support UDP and TCP hole punching at least in single-level NAT scenarios.

6.3 Testing Limitations

There are a few limitations in NAT Check's current testing protocol that may cause misleading results in some cases. First, we only learned recently that a few NAT implementations blindly translate IP addresses they find in unknown application payloads, and the NAT Check protocol currently does not protect itself from this behavior by obfuscating the IP addresses it transmits.

Second, NAT Check's current hairpin translation checking may yield unnecessarily pessimistic results because it does not use the full, two-way hole punching procedure for this test. NAT Check currently assumes that a NAT supporting hairpin translation does not filter “incoming” hairpin connections arriving from the private network in the way it would filter incoming connections arriving at the public side of the NAT, because such filtering is unnecessary for security. We later realized, however, that a NAT might simplistically treat any traffic directed at the NAT's public ports as “untrusted” regardless of its origin. We do not yet know which behavior is more common.

Finally, NAT implementations exist that consistently translate the client's private endpoint as long as only one client behind the NAT is using a particular private port number, but switch to symmetric NAT or even worse behaviors if two or more clients with different IP addresses on the private network try to communicate through the NAT from the same private port number. NAT Check could only detect this behavior by requiring the user to run it on two or more client hosts behind the NAT at the same time. Doing so would make NAT Check much more difficult to use, however, and impossible for users who only have one usable machine behind the NAT. Nevertheless, we plan to implement this testing functionality as an option in a future version of NAT Check.

6.4 Corroboration of Results

Despite testing difficulties such as those above, our results are generally corroborated by those of a large ISP, who recently found that of the top three consumer NAT router vendors, representing 86% of the NATs observed on their network, all three vendors currently produce NATs compatible with UDP hole punching [25]. Additional independent results recently obtained using the UDP-oriented STUN protocol [12], and STUNT, a TCP-enabled extension [8,9], also appear consistent with our results. These latter studies provide more information on each NAT by testing a wider variety of behaviors individually, instead of just testing for basic hole punching compatibility as NAT Check does. Since these more extensive tests require multiple cooperating clients behind the NAT and thus are more difficult to run, however, these results are so far available on a more limited variety of NATs.

7 Related Work

UDP hole punching was first explored and publicly documented by Dan Kegel [13], and is by now well-known in peer-to-peer application communities. Important aspects of UDP hole punching have also been indirectly documented in the specifications of several experimental protocols, such as STUN [19], ICE [17], and Teredo [11]. We know of no existing published work that thoroughly analyzes hole punching, however, or that points out the hairpin translation issue for multi-level NAT (Section 3.5).

We also know of no prior work that develops TCP hole punching in the symmetric fashion described here. Even the existence of the crucial SO_REUSEADDR/SO_REUSEPORT options in the Berkeley sockets API appears to be little-known among P2P application developers. NatTrav [4] implements a similar but asymmetric TCP hole punching procedure outlined earlier in Section 4.5. NUTSS [9] and NATBLASTER [1] implement more complex TCP hole punching tricks that can work around some of the bad NAT behaviors mentioned in Section 5, but they require the rendezvous server to spoof source IP addresses, and they also require the client applications to have access to “raw” sockets, usually available only at root or administrator privilege levels.

Protocols such as SOCKS [14], UPnP [26], and MIDCOM [22] allow applications to traverse a NAT through explicit cooperation with the NAT. These protocols are not widely or consistently supported by NAT vendors or applications, however, and do not appear to address the increasingly important multi-level NAT scenarios. Explicit control of a NAT further requires the application to locate the NAT and perhaps authenticate itself, which typically involves explicit user configuration. When hole punching works, in contrast, it works with no user intervention.

Recent proposals such as HIP [15] and FARA [2] extend the Internet's basic architecture by decoupling a host's identity from its location [20]. IPNL [7], UIP [5,6], and DOA [27] propose schemes for routing across NATs in such an architecture. While such extensions are probably needed in the long term, hole punching enables applications to work over the existing network infrastructure immediately with no protocol stack upgrades, and leaves the notion of “host identity” for applications to define.

8 Conclusion

Hole punching is a general-purpose technique for establishing peer-to-peer connections in the presence of NAT. As long as the NATs involved meet certain behavioral requirements, hole punching works consistently and robustly for both TCP and UDP communication, and can be implemented by ordinary applications with no special privileges or specific network topology information. Hole punching fully preserves the transparency that is one of the most important hallmarks and attractions of NAT, and works even with multiple levels of NAT--though certain corner case situations require hairpin translation, a NAT feature not yet widely implemented.

Acknowledgments

The authors wish to thank Dave Andersen for his crucial support in gathering the results presented in Section 6. We also wish to thank Henrik Nordstrom, Christian Huitema, Justin Uberti, Mema Roussopoulos, and the anonymous USENIX reviewers for valuable feedback on early drafts of this paper. Finally, we wish to thank the many volunteers who took the time to run NAT Check on their systems and submit the results.

Bibliography

1
Andrew Biggadike, Daniel Ferullo, Geoffrey Wilson, and Adrian Perrig.
NATBLASTER: Establishing TCP connections between hosts behind NATs.
In ACM SIGCOMM Asia Workshop, Beijing, China, April 2005.

2
David Clark, Robert Braden, Aaron Falk, and Venkata Pingali.
FARA: Reorganizing the addressing architecture.
In ACM SIGCOMM FDNA Workshop, August 2003.

3
S. Deering and R. Hinden.
Internet protocol, version 6 (IPv6) specification, December 1998.
RFC 2460.

4
Jeffrey L. Eppinger.
TCP connections for P2P apps: A software approach to solving the NAT problem.
Technical Report CMU-ISRI-05-104, Carnegie Mellon University, January 2005.

5
Bryan Ford.
Scalable Internet routing on topology-independent node identities.
Technical Report MIT-LCS-TR-926, MIT Laboratory for Computer Science, October 2003.

6
Bryan Ford.
Unmanaged internet protocol: Taming the edge network management crisis.
In Second Workshop on Hot Topics in Networks, Cambridge, MA, November 2003.

7
Paul Francis and Ramakrishna Gummadi.
IPNL: A NAT-extended Internet architecture.
In ACM SIGCOMM, August 2002.

8
Saikat Guha and Paul Francis.
Simple traversal of UDP through NATs and TCP too (STUNT).
http://nutss.gforge.cis.cornell.edu/.

9
Saikat Guha, Yutaka Takeday, and Paul Francis.
NUTSS: A SIP-based approach to UDP and TCP network connectivity.
In SIGCOMM 2004 Workshops, August 2004.

10
M. Holdrege and P. Srisuresh.
Protocol complications with the IP network address translator, January 2001.
RFC 3027.

11
C. Huitema.
Teredo: Tunneling IPv6 over UDP through NATs, March 2004.
Internet-Draft (Work in Progress).

12
C. Jennings.
NAT classification results using STUN, October 2004.
Internet-Draft (Work in Progress).

13
Dan Kegel.
NAT and peer-to-peer networking, July 1999.
http://www.alumni.caltech.edu/~dank/peer-nat.html.

14
M. Leech et al.
SOCKS protocol, March 1996.
RFC 1928.

15
R. Moskowitz and P. Nikander.
Host identity protocol architecture, April 2003.
Internet-Draft (Work in Progress).

16
NAT check.
http://midcom-p2p.sourceforge.net/.

17
J. Rosenberg.
Interactive connectivity establishment (ICE), October 2003.
Internet-Draft (Work in Progress).

18
J. Rosenberg, C. Huitema, and R. Mahy.
Traversal using relay NAT (TURN), October 2003.
Internet-Draft (Work in Progress).

19
J. Rosenberg, J. Weinberger, C. Huitema, and R. Mahy.
STUN - simple traversal of user datagram protocol (UDP) through network address translators (NATs), March 2003.
RFC 3489.

20
J. Saltzer.
On the naming and binding of network destinations.
In P. Ravasio et al., editor, Local Computer Networks, pages 311-317. North-Holland, Amsterdam, 1982.
RFC 1498.

21
P. Srisuresh and M. Holdrege.
IP network address translator (NAT) terminology and considerations, August 1999.
RFC 2663.

22
P. Srisuresh, J. Kuthan, J. Rosenberg, A. Molitor, and A. Rayhan.
Middlebox communication architecture and framework, August 2002.
RFC 3303.

23
Transmission control protocol, September 1981.
RFC 793.

24
G. Tsirtsis and P. Srisuresh.
Network address translation - protocol translation (NAT-PT), February 2000.
RFC 2766.

25
Justin Uberti.
E-mail on IETF MIDCOM mailing list, February 2004.
Message-ID: <402CEB11.1060906@aol.com>.

26
UPnP Forum.
Internet gateway device (IGD) standardized device control protocol, November 2001.
http://www.upnp.org/.

27
Michael Walfish, Jeremy Stribling, Maxwell Krohn, Hari Balakrishnan, Robert Morris, and Scott Shenker.
Middleboxes no longer considered harmful.
In USENIX Symposium on Operating Systems Design and Implementation, San Francisco, CA, December 2004. 
http://www.brynosaurus.com/pub/net/p2pnat/
福海鑫森
关注
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
调试FPGA与上位机进行udp通讯,wireshark报错:Bad udp Length xx 」 IP PAYLOAD Length
scottar的博客
06-28 7182
出现上述错误的根本原因是网卡的目前的传输协议只支持到1500bytes ,由于IP头部的字节长度位20字节,所以传输的数据字节就不能超过1480bytes 在这样的调整情况下,udp协议是可以正常运行的 , 并且不会报错,同时与上位机中的matlab进行联调(MATLAB接收数据的时候) 同样也可以完整接收数据 。对于如何解决大字节传输的问题,作者同样正在解决,随后关注本人随后的文章~~~...
linux, Bad UDP length > IP PAYLOAD length
dragon_cdut的博客
09-18 8287
错误:UDP数据包长度大于IP有效负载长度 解决:1, 减短UDP包长度             2,增大有效负载长度 个人情况需要增大有效负载长度,有同样问题的小伙伴可以私信我,我们一起交流怎么增大有效负载长度。
网络基础(六)传输层UDP & 报文格式
H_sen's Blog
02-27 2741
UDP Internet 协议集支持一个无连接的传输协议,该协议称为用户数据报协议(UDP,User Datagram Protocol)。UDP 为应用程序提供了一种无需建立连接就可以发送封装的 IP 数据包的方法。RFC 768 描述了 UDP。 Internet 的传输层有两个主要协议,互为补充。无连接的是 UDP,它除了给应用程序发送数据包功能并允许它们在所需的层次上架构自己的协议之外,几...
Bogus,bad length value xxx > IP Payload length
Vincent Luo 的专栏
09-20 7354
如果用Wireshark抓包看到有这种包,那么这个包肯定会被丢掉,表现在你的程序里面就是Server发包了,但是client没有收到,抓包看又有这个包 问题产生原因,包标记的 长度大于实际传输过来的数据长度,这种问题产生的原因大部分是硬件问题,比如HUB或者Switch在包比较多的时候产生掉包,建议换个HUB或者SWITCH试试或许问题就没有了。
UDP 用户数据报协议
java_0429的博客
09-16 1390
UDP 用户数据报协议 引言 ​ UDP是一种保留消息边界(不合并,不拆分)的简单的面向数据报的传输层协议。使用UDP协议的时候,一般来说,每个被应用程序请求的UDP输出操作只生产一个UDP数据报,并组装成一份待发送的IP数据报(与面向数据流的协议不同,如TCP,应用程序写入的数据与真正在单个IP数据报里传送的内容可能没有什么联系)。UDP不提供差错纠正、队列管理、重复消除、流量控制和拥塞控制,只提供差错校验(校验和)。(注:对于UDP网上有各种各样的描述,但是我个人觉得对UDP描述最到位的还是UDP自己
NAT穿透解决方案
02-20
详细介绍NAT穿透需要各自软件和硬件技术,包括tcpUDP对局域网防火墙的穿透方案
UDP不同网段内网NAT穿透实列(经本人测试成功穿透)
06-23
UDP 在外网环境中不同网段的NAT穿透,网上很多的 资料,但是基本上都是理论知识,而且java的代码很少。 我光是找资料就花了100多积分,经过这些天的努力, 终于被我解决了这个问题。现将完整项目共享给大家。 在test...
P2P之UDP穿透NAT的原理与实现
01-02
P2P之UDP穿透NAT的原理与实现,直接编译就能运行,可以参考实现跨网段穿透NAT的点对点的UDP通讯
VC++ UDP穿透NAT(P2P)原理及代码
03-15
内容索引:VC/C++源码,网络相关,UDP,P2P,点对点聊天 VC++ 局域网UDP穿透NAT(P2P)的原理及源代码,论坛上经常有对P2P原理的讨论,但是讨论归讨论,很少有实质的东西产生(源代码),这里就用自己实现的一个源代码来...
tcpdump.pdf
04-06
tcpdump使用说明t
P2P之UDP打洞穿透NAT的源代码
04-15
UDP打洞NAT代码,是VC6.0的工程,绝对可以编译成功,服务端在公网IP阿里云的window端,两端客户端在本地电脑和虚拟机中,可以进行点对点进行通信,大家可以参考下!
Java实现UDP穿透NAT技术
05-07
用Java实现的UDP穿透NAT技术,内有详细的注释,完全可以自己看懂的
通过UDP实现的NAT穿透测试程序
08-21
通过UDP实现的NAT穿透,使用C#语言实现,在外网使用需要知道测试双方的真实IP。
UDP穿越Symmetric NAT(对称型NAT)的端口猜测方法
07-22
UDP穿越Symmetric NAT(对称型NAT)的端口猜测方法的几篇文章
解决 UDP 接收不到数据问题
叶海
09-21 1万+
UDP接收不到数据
TCPUDP协议发送数据包的大小
08-15 1522
在进行UDP编程的时候,我们最容易想到的问题就是,一次发送多少bytes好?        当然,这个没有唯一答案,相对于不同的系统,不同的要求,其得到的答案是不一样的,这里仅对像ICQ一类的发送聊天消息的情况作分析,对于其他情况,或许也能得到一点帮助: 首先,我们知道,
【linux】tcpdump抓包
热门推荐
alexliu2360的专栏
12-10 2万+
tcpdump命令需要在root权限下运行。 1、指定端口Port抓包 示例:12500端口上抓包。 命令如下: tcpdump -n -X -i any port 12500 将会把抓包结果打印到控制台界面上。 命令如下: tcpdump -n -X -i any port 12500 > 1.txt 将会把抓包结果保存到当前路径下的1.txt中。 注意:指定端口抓包时,显示的抓包结果最大为1472字节的数据。udp大包的情况,一个4KB的包分成多个片,其他数据片的显示打印不出来。
ax3pro 路由器怎么配置nat穿透
最新发布
03-09
可以通过以下步骤进行 ax3pro 路由器的 NAT 穿透配置: 1. 打开 ax3pro 路由器的管理界面,输入用户名和密码登录。 2. 进入“高级设置”菜单,选择“NAT 穿透”选项。 3. 在“NAT 穿透”页面中,选择“启用 NAT ...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值