NAT 类型及检测方法
STUN协议是一个客户机/服务器协议,在公网上存在着大量的STUN服务器,用户可以通过在自己主机上运行STUN客户端远程连接STUN服务器来确认自身的网络状况.
客户端主机所在网络可以分为以下类型:
1, Opened: 即主机拥有公网IP,并且没有防火墙,可自由与外部通信.
2, Full Cone NAT: 主机前有NAT设备,NAT规则如下:从主机UDP端口A发出的数据包都会对应到NAT设备出口IP的端口B,并且从任意外部地址发送到该NAT设备UDP端口B的包都会被转到主机端口A.
3, Restricted cone NAT: 主机前有NAT设备,NAT规则如下:从主机UDP端口A发出的数据包都会对应到NAT设备出口IP的端口B,但只有从之前该主机发出包的目的IP发出到该NAT设备UDP端口B的包才会被转到主机端口A.
4, Port Restricted cone NAT: 主机前有NAT设备,NAT规则如下:从主机UDP端口A发出的数据包都会对应到NAT设备出口IP的端口B,但只有从之前该主机发出包的目的IP/PORT发出到该NAT设备UDP端口B的包才会被转到主机端口A.
5, Symmetric UDP Firewall: 主机出口处没有NAT设备,但有防火墙,且防火墙规则如下:从主机UDP端口A发出的数据包保持源地址,但只有从之前该主机发出包的目的IP/PORT发出到该主机端口A的包才能通过防火墙.
6, Symmetric NAT: 主机前有NAT设备,NAT规则如下:即使数据包都从主机UDP端A发出,但只要目的地址不同,NAT设备就会为之分配不同的出端口B.
7, Blocked: 防火墙限制UDP通信.
2 /// Specifies UDP network type.
3 /// </summary>
4 public enum STUN_NetType
5 {
6 /// <summary>
7 /// UDP is always blocked.
8 /// </summary>
9 UdpBlocked,
10
11 /// <summary>
12 /// No NAT, public IP, no firewall.
13 /// </summary>
14 OpenInternet,
15
16 /// <summary>
17 /// No NAT, public IP, but symmetric UDP firewall.
18 /// </summary>
19 SymmetricUdpFirewall,
20
21 /// <summary>
22 /// A full cone NAT is one where all requests from the same internal IP address and port are
23 /// mapped to the same external IP address and port. Furthermore, any external host can send
24 /// a packet to the internal host, by sending a packet to the mapped external address.
25 /// </summary>
26 FullCone,
27
28 /// <summary>
29 /// A restricted cone NAT is one where all requests from the same internal IP address and
30 /// port are mapped to the same external IP address and port. Unlike a full cone NAT, an external
31 /// host (with IP address X) can send a packet to the internal host only if the internal host
32 /// had previously sent a packet to IP address X.
33 /// </summary>
34 RestrictedCone,
35
36 /// <summary>
37 /// A port restricted cone NAT is like a restricted cone NAT, but the restriction
38 /// includes port numbers. Specifically, an external host can send a packet, with source IP
39 /// address X and source port P, to the internal host only if the internal host had previously
40 /// sent a packet to IP address X and port P.
41 /// </summary>
42 PortRestrictedCone,
43
44 /// <summary>
45 /// A symmetric NAT is one where all requests from the same internal IP address and port,
46 /// to a specific destination IP address and port, are mapped to the same external IP address and
47 /// port. If the same host sends a packet with the same source address and port, but to
48 /// a different destination, a different mapping is used. Furthermore, only the external host that
49 /// receives a packet can send a UDP packet back to the internal host.
50 /// </summary>
51 Symmetric
52 }
测试过程
STUN服务器运行在UDP协议之上,它具有两个固定公网地址,能完成以下几个功能:
1. 告诉STUN客户端经NAT设备映射后的公网地址.
2. 根据STUN客户端的要求,从服务器的其他不同IP或端口向客户端回送包.
如何根据STUN服务器提供的功能来确认网络类型呢? rfc3489给出了如下图过程:
这个过程可概括如下:
1, STUN客户端向STUN服务器发送请求,要求得到自身经NAT映射后的地址:
a,收不到服务器回复,则认为UDP被防火墙阻断,不能通信,网络类型:Blocked.
b,收到服务器回复,对比本地地址,如果相同,则认为无NAT设备,进入第2步,否则认为有NAT设备,进入3步.
2, (已确认无NAT设备)STUN客户端向STUN服务器发送请求,要求服务器从其他IP和PORT向客户端回复包:
a,收不到服务器从其他IP地址的回复,认为包被前置防火墙阻断,网络类型:Symmetric UDP Firewall.
b,收到则认为客户端处在一个开放的网络上,网络类型:Opened.
3, (已确认存在NAT设备)STUN客户端向STUN服务器发送请求,要求服务器从其他IP和PORT向客户端回复包:
a,收不到服务器从其他IP地址的回复,认为包被前置NAT设备阻断,进入第4步.
b,收到则认为NAT设备类型为Full Cone,即网络类型:Full Cone NAT.
4, STUN客户端向STUN服务器的另外一个IP地址发送请求,要求得到自身经NAT映射后的地址,并对比之:
a,地址不相同,则网络类型:Symmetric NAT.
b,相同则认为是Restricted NAT,进入第5步,进一步确认类型.
5, (已确认Restricted NAT设备)STUN客户端向STUN服务器发送请求,要求服务器从相同IP的其他PORT向客户端回复包:
a,收不到服务器从其他PORT地址的回复,认为包被前置NAT设备阻断,网络类型:Port Restricted cone NAT.
b,收到则认为网络类型: Restricted cone NAT.
2235
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
