From NAT to NAT Traversal
9 likes3,691 views
This document discusses network address translation (NAT) and NAT traversal techniques. It begins with an overview of NAT and why NAT traversal is needed to access network resources behind NAT. It then covers various NAT traversal solutions including port forwarding, NAT traversal protocols like STUN and TURN, and implementations like ICE and WebRTC that use these protocols. The document provides examples and diagrams to illustrate key NAT concepts and how different traversal techniques work.
From NAT to NAT Traversal
- 1. From NAT to NAT Traversal 2014/12/25 Qlync Inc. YAO, LI-WEI 1
- 2. How to access network resource anytime and anywhere? 2
- 3. How to access network resource anytime and anywhere? • Locate Resource • Signal —> Not Today • Access Resource • P2P Communication —> Today 3
- 4. Agenda • Network Resource or Service • Public and Private IP Address • What is NAT? • How to access Network Resource behind NAT? • Port Forwarding • NAT Traversal • ICE Protocol • ICE related projects - WebRTC 4
- 5. Network Resource/Service • Web Page • • File Download • • Video/Audio Streaming • 5
- 6. Network Resource/Service • Web Page —> HTTP/HTTPS • • File Download —> FTP/SAMBA • • Video/Audio Streaming —> RTSP/RTP • 6
- 7. Network Resource/Service • Web Page —> HTTP/HTTPS • —> TCP:80/TCP:443 • File Download —> FTP/SAMBA • —> TCP:21/TCP:445 • Video/Audio Streaming —> RTSP/RTP • —> TCP:554/UDP:554/UDP:16384-32767 7
- 8. Network Resource/Service • Web Page —> HTTP/HTTPS • —> TCP:80/TCP:443 • File Download —> FTP/SAMBA • —> TCP:21/TCP:445 • Video/Audio Streaming —> RTSP/RTP • —> TCP:554/UDP:554/UDP:16384-32767 + Server IP Address 8
- 9. Public and Private IP Address http://developer.eyeball.com/faq.php 9
- 10. Public and Private IP Address http://www.ic.ims.hr 10
- 11. Public and Private IP Address http://www.highteck.net/EN/Network/Addressing_the_Network-IPv4.html 11
- 12. What is NAT? • Remapping one IP address space into another • Private IP/port mapping to Public IP/port • Rewrite the source and/or destination addresses of IP packets as they pass the router or firewall • Server: IP address • Resource: Protocol:Port 12
- 13. http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html 13
- 14. SNAT - Private to Public http://linux.vbird.org/linux_server/0250simple_firewall.php 14
- 15. SNAT - Private to Public http://linux.vbird.org/linux_server/0250simple_firewall.php 15
- 16. How to access Network Resource behind NAT? = Public to Private? 16
- 17. DNAT - Public to Private http://linux.vbird.org/linux_server/0250simple_firewall.php 17
- 18. Port Forwarding http://panasonic.net/pcc/support/netwkcam/technic/port_fwrd.html 18
- 20. With Router or Gateway Control Port Forwarding + Static Public IP/ Dynamic Public IP + DDNS* *http://www.tp-link.tw/article/?faqid=297 20
- 21. With Router or Gateway Control http://www.quickmeme.com/IM-KING-OF-THE-WORLD 21
- 22. Without Router or Gateway Control 22
- 23. Without Router or Gateway Control https://www.flickr.com/photos/39561139@N05/4488876837/galleries/ 23
- 24. Nothing is Impossible! R&D CAN DO ANYTHING! http://www.englishbaby.com/findfriends/view_photo/251578 24
- 25. Without Router or Gateway Control How to access Network Resource behind NAT? = NAT Traversal Solutions 25
- 26. NAT Traversal Solutions • Universal Plug and Play - Internet Gateway Device: UPnP-IGD • SOCKS Proxy • Application Layer Gateway: ALG • Interactive Connection Establishment: ICE = STUN + TURN 26
- 29. SOCKS Proxy 29 http://stackoverflow.com/questions/18428498/sending-udp-packets-through-socks-proxy
- 30. SOCKS Proxy http://stackoverflow.com/questions/18428498/sending-udp-packets-through-socks-proxy 30
- 32. ICE STUN + TURN UDP Hole Punching + Relay http://thesalesblog.com/blog/2013/09/01/some-thoughts-on-pricing-power/32
- 33. ICE = STUN + TURN http://blog.schertz.name/2012/10/lync-edge-stun-turn/ 33
- 34. NAT Types • Full Cone NAT • Address Restricted NAT • Port Restricted NAT • Symmetric NAT 34
- 35. Full Cone Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100 Policy: ALLOW ALL TO 1.1.1.4:10100 Full Cone 只是單純的做位址轉換,並未對進出的封包設限。︒ http://www.slideshare.net/dadaista/nat-traversal 35
- 36. Address Restricted Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100 Policy: ALLOW 1.1.1.5 TO 1.1.1.4:10100 ALLOW 1.1.1.6 TO 1.1.1.4:10100 只有收過NAT 內部送來的封包的地址才能將封包送入 Restrict Cone NAT 內 http://www.slideshare.net/dadaista/nat-traversal 36
- 37. Port Restricted 只有收過NAT 內部送來的封包的地址及 Port Number 才能將封包送入 Restrict Cone NAT 內。︒ Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100 Policy: ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100 *ALLOW 1.1.1.6:7777 TO 1.1.1.4:10100 http://www.slideshare.net/dadaista/nat-traversal 37
- 38. Symmetric Symmetric NAT只允許先由私有網域內的使⽤用者發送封包到網際網路中的使⽤用者 可以回傳封包 Mapping: 192.168.2.2:4445 <-> 1.1.1.4:10100 192.168.2.2:4445 <-> 1.1.1.4:10179 Policy: ALLOW 1.1.1.5:7777 TO 1.1.1.4:10100 ALLOW 1.1.1.6:7777 TO 1.1.1.4:10179 http://www.slideshare.net/dadaista/nat-traversal 38
- 39. UDP Hole Punching Different NAT Type, Different Approach http://www.drdobbs.com/jvm/punching-holes-with-java-rmi/217400127 39
- 41. STUN (RFC 5389/3489) Abstract Session Traversal Utilities for NAT (STUN) is a protocol that serves as a tool for other protocols in dealing with Network Address Translator (NAT) traversal. It can be used by an endpoint to determine the IP address and port allocated to it by a NAT. It can also be used to check connectivity between two endpoints, and as a keep-alive protocol to maintain NAT bindings. STUN works with many existing NATs, and does not require any special behavior from them. STUN is not a NAT traversal solution by itself. Rather, it is a tool to be used in the context of a NAT traversal solution. This is an important change from the previous version of this specification (RFC 3489), which presented STUN as a complete solution. This document obsoletes RFC 3489. 41
- 46. TURN (RFC 5766/6062) Abstract If a host is located behind a NAT, then in certain situations it can be impossible for that host to communicate directly with other hosts (peers). In these situations, it is necessary for the host to use the services of an intermediate node that acts as a communication relay. This specification defines a protocol, called TURN (Traversal Using Relays around NAT), that allows the host to control the operation of the relay and to exchange packets with its peers using the relay. TURN differs from some other relay control protocols in that it allows a client to communicate with multiple peers using a single relay address. The TURN protocol was designed to be used as part of the ICE (Interactive Connectivity Establishment) approach to NAT traversal, though it also can be used without ICE. 46
- 47. ICE = STUN + TURN http://blog.schertz.name/2012/10/lync-edge-stun-turn/ 47
- 48. ICE (5245/5768) Abstract This document describes a protocol for Network Address Translator (NAT) traversal for UDP-based multimedia sessions established with the offer/answer model. This protocol is called Interactive Connectivity Establishment (ICE). ICE makes use of the Session Traversal Utilities for NAT (STUN) protocol and its extension, Traversal Using Relay NAT (TURN). ICE can be used by any protocol utilizing the offer/answer model, such as the Session Initiation Protocol (SIP). 48
- 50. WebRTC is a free, open project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs. 50
- 51. On-demand Live Video and Audio https://fr.jocly.com/node/339 51
- 53. WebRTC Find Connection Candidates http://www.html5rocks.com/en/tutorials/webrtc/basics/ 53