Classification of network 'middleboxes'

Note: This classification generally applies only to UDP traffic, since NATs
and firewalls reject incoming TCP connection attempts unconditionally unless
specifically configured to do otherwise.

 

Basic NAT
{
    A Basic NAT maps an internal host's private IP address to a public IP
    address without changing the TCP/UDP port numbers in packets crossing
    the boundary.  Basic NAT is generally only useful when the NAT has a
    pool of public IP addresses from which to make address bindings on
    behalf of internal hosts.
}
else NAPT (most commonly)
{
    Cone NAT
    {
        Full Cone NAT
        {
            After establishing a public/private port binding for a new
            outgoing session, a full cone NAT will subsequently accept
            incoming traffic to the corresponding public port from ANY
            external endpoint on the public network.  Full cone NAT is
            also sometimes called "promiscuous" NAT.
        }
        or
        Restricted Cone NAT
        {
            A restricted cone NAT only forwards an incoming packet directed to
            a public port if its external (source) IP address matches the
            address of a node to which the internal host has previously sent
            one or more outgoing packets.  A restricted cone NAT effectively
            refines the firewall principle of rejecting unsolicited incoming
            traffic, by restricting incoming traffic to a set of "known"
            external IP addresses.
        }
        or
        Port-Restricted Cone NAT
        {
            A port-restricted cone NAT, in turn, only forwards an incoming
            packet if its external IP address AND port number match those of
            an external endpoint to which the internal host has previously
            sent outgoing packets.  A port-restricted cone NAT provides
            internal nodes the same level of protection against unsolicited
            incoming traffic that a symmetric NAT does, while maintaining a
            private port's identity across translation.
        }
    }
    else Symmetric NAT
    {
        A symmetric NAT, in contrast, does not maintain a consistent
        port binding between (private IP, private port) and (public IP,
        public port) across all sessions.  Instead, it assigns a new
        public port to each new session.  For example, suppose Client A
        initiates two outgoing sessions from the same port as above, one
        with S1 and one with S2.  A symmetric NAT might allocate the
        public endpoint 155.99.25.11:62000 to session 1, and then allocate
        a different public endpoint 155.99.25.11:62001, when the
        application initiates session 2.  The NAT is able to differentiate
        between the two sessions for translation purposes because the
        external endpoints involved in the sessions (those of S1
        and S2) differ, even as the endpoint identity of the client
        application is lost across the address translation boundary.
    }
}

 

Excerpted from RFC2026, lightly edited (draft-ford-midcom-p2p-01)

 

by ga6840
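
The four NAPT behaviours above can be compared side by side in a small model. This is an added example, not part of the excerpted draft or the original post; the class and function names and the private, server and stranger addresses are constructed for illustration (only 155.99.25.11 and ports 62000/62001 come from the text).

```python
# Added illustration: a toy model of the four NAPT behaviours described above.
# All endpoints except PUBLIC_IP are constructed sample values.
from itertools import count

PUBLIC_IP = "155.99.25.11"   # public address used in the text's example

class Napt:
    def __init__(self, kind):
        self.kind = kind             # "full", "restricted", "port-restricted", "symmetric"
        self.ports = count(62000)    # next public port to allocate
        self.bindings = {}           # binding key -> public port
        self.sent = {}               # public port -> (private endpoint, contacted remotes)

    def outbound(self, private, remote):
        """Translate an outgoing packet; return the public (ip, port) it leaves from."""
        # Cone NATs key the binding on the private endpoint alone;
        # a symmetric NAT keys it on the (private, remote) session.
        key = (private, remote) if self.kind == "symmetric" else private
        if key not in self.bindings:
            self.bindings[key] = next(self.ports)
            self.sent[self.bindings[key]] = (private, set())
        port = self.bindings[key]
        self.sent[port][1].add(remote)
        return (PUBLIC_IP, port)

    def inbound(self, public_port, source):
        """Return the private endpoint an incoming packet reaches, or None if dropped."""
        if public_port not in self.sent:
            return None                      # no binding exists: unsolicited
        private, remotes = self.sent[public_port]
        if self.kind == "full":
            allowed = True                   # ANY external endpoint
        elif self.kind == "restricted":
            allowed = source[0] in {ip for ip, _ in remotes}   # known IP only
        else:                                # port-restricted and symmetric
            allowed = source in remotes      # known IP AND port
        return private if allowed else None

def survey(kind):
    """Client A contacts S1 then S2 from one private port; probe the first binding."""
    a, s1, s2 = ("10.0.0.1", 1234), ("198.51.100.1", 1234), ("203.0.113.2", 1234)
    nat = Napt(kind)
    p1, p2 = nat.outbound(a, s1), nat.outbound(a, s2)
    probes = {"s1": s1, "s1_other_port": (s1[0], 9999), "stranger": ("192.0.2.50", 4000)}
    admitted = {name for name, src in probes.items() if nat.inbound(p1[1], src)}
    return p1[1], p2[1], admitted
```

`survey("symmetric")` yields public ports 62000 and 62001 for the two sessions, while the cone variants reuse 62000 and differ only in which probes reach Client A.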
