Embodiment
The method, system and client for traversing a network address translation device or firewall provided by the embodiment of the invention are used where a reliable data transmission channel, that is, a direct TCP connection (TCP direct connection), must be established in a P2P network; the method provided by the embodiment of the invention may also be abbreviated as the TCP hole-punching method.
To make the purpose, technical scheme and advantages of the embodiment of the invention clearer, the embodiment of the invention is elaborated below in conjunction with the accompanying drawings.
The method provided by the embodiment of the invention is explained below using the traversal of a network address translation (NAT) device as the example; the same method can also be used to traverse a firewall.
See Fig. 2, a schematic diagram of the composition of the system for traversing a NAT device provided by the embodiment of the invention. This system comprises: client A (the first client) 201, client B (the second client) 202, and a hole-punching assistance server 203.
The hole-punching assistance server 203 is used to assist client A 201 and client B 202 in establishing the TCP direct connection across their NAT devices, shown by the dotted line in Fig. 2. After the hole-punching assistance server 203 has assisted client A 201 and client B 202 in establishing the TCP direct connection, it does not take part in the data transmission; the data transmission is completed independently by client A 201 and client B 202.
In the embodiment of the invention, before establishing the TCP direct connection across the NAT devices, a client needs to test its hole-punching environment and save the test result. The hole-punching environment test comprises: testing whether the operating system version meets the hole-punching requirement, testing whether the user has superuser rights (an ordinary Windows user has superuser rights), testing whether the operating system interface can be used to set the TTL value for a public IP address, and testing which of the TCP packet sequences shown in Table 1 can be used for hole punching, where a TCP packet sequence that can be used for hole punching means a TCP packet sequence that is not filtered by the NAT device.
The tests of whether the operating system version meets the hole-punching requirement, whether the user has superuser rights, and whether the operating system interface can be used to set the TTL value for an IP address are completed by the client on its own, using the interfaces provided by the operating system. In the embodiment of the invention, a client whose operating system version is WinXP SP2 or above meets the hole-punching requirement.
To complete the test of how the TCP packet sequences shown in Table 1 are filtered, the system shown in Fig. 2 further comprises: testing server A 204 and testing server B 205.
Testing server A 204 is used to assist client A 201 in testing how the NAT device of client A (NAT-A) filters the TCP packet sequences shown in Table 1, that is, which TCP packet sequences in Table 1 client A can use for hole punching; testing server B 205 is used to assist client B 202 in testing how the NAT device of client B (NAT-B) filters the TCP packet sequences shown in Table 1, that is, which TCP packet sequences in Table 1 client B can use for hole punching.
It should be noted that, to conserve network resources, in the embodiment of the invention a client may directly use the saved test result and punch the hole according to it if the hole-punching environment has not changed; this does not affect the realization of the embodiment of the invention.
The TCP packet sequences shown in Table 1 are introduced below. Each row of Table 1 shows one TCP packet sequence, where the first packet is the packet the client sends to the testing server, and the second and third packets are the packets the testing server returns to the client after receiving the first packet.
Sequence number | First packet | Second packet | Third packet
1               | SYN out      | SYN in        | none
2               | SYN out      | ICMP in       | SYN in
3               | SYN out      | ICMP in       | SYNACK in
4               | SYN out      | RST in        | SYN in
5               | SYN out      | RST in        | SYNACK in
Table 1
The method provided by the embodiment of the invention is described in detail below in conjunction with the system shown in Fig. 2.
See Fig. 3, the method for traversing a NAT device provided by the embodiment of the invention. This method comprises:
Step 301: client A initiates a TCP direct connection request to client B through the hole-punching assistance server;
Step 302: the hole-punching assistance server sends the public IP address and port number of client A to client B, and sends the public IP address and port number of client B to client A;
Step 303: client A obtains the usable TCP hole-punching packet sequence that was obtained by testing;
Step 304: with the assistance of the hole-punching assistance server, client A and client B send packets to each other's public IP address and port number according to the usable TCP hole-punching packet sequence obtained in step 303, until the TCP direct connection is successfully established.
If the client is punching a TCP hole for the first time, the above method further comprises the following steps:
client A and client B test their hole-punching environments with the assistance of the testing servers;
client A saves its own hole-punching environment test result and the hole-punching environment test result that client B returns to it through the hole-punching assistance server.
How a client and a testing server test which TCP packet sequences can be used for hole punching is illustrated as follows. For example, after client A sends the first packet, SYN out, to testing server A, if client A receives the second packet, ICMP in, and the third packet, SYN in, returned by the testing server, this shows that the TCP packet sequence with sequence number 2 is not filtered by the NAT device, and client A records the TCP packet sequence with sequence number 2 as a usable TCP hole-punching packet sequence; otherwise, if client A does not receive the packets returned by the testing server, this shows that the TCP packet sequence is filtered by the NAT device, and that sequence cannot be used for hole punching.
The method for traversing a NAT device provided by the embodiment of the invention has been introduced above. In other embodiments of the invention, the client may execute step 303 at any position before step 304; this does not affect the realization of the embodiment of the invention.
In specific implementations there can be many different hole-punching environment test results. The specific implementation process of the embodiment of the invention is described in detail below for the different hole-punching environment test results.
See Fig. 4, the flow chart of the method for traversing a NAT device provided by the first embodiment of the invention. This method comprises:
Step 401: client A connects to the hole-punching assistance port of the hole-punching assistance server over the main connection and sends a TCP direct connection request;
Step 402: after receiving the request, the hole-punching assistance server sends a TCP connection notice to client B over the main connection, and sends the public IP address and port number of client A, as translated by the NAT-A device, to client B over the main connection;
After receiving the TCP connection notice, client B connects to the hole-punching assistance port of the hole-punching assistance server, sends some arbitrary data to the hole-punching assistance server and then disconnects immediately, so that the hole-punching assistance server records the public IP address and port number of client B as translated by the NAT-B device;
Step 403: the hole-punching assistance server sends the public IP address and port number of client B to client A over the main connection;
At this point, client A knows the public IP address and port number of client B, and client B knows the public IP address and port number of client A;
Step 404: client A obtains the usable TCP hole-punching packet sequence that was obtained by testing. If this TCP sequence is the TCP packet sequence with sequence number 1 in Table 1, client A obtains the saved environment test result, and if the environment test result shows that the system version is WinXP SP2 or above, step 405 is entered;
Step 405: client A sends a notification message to client B through the hole-punching assistance server; this notification message is used to notify client B to send a SYN packet to the public IP address and port number of client A;
Step 406: client A and client B each send a SYN packet to the other's public IP address and port number;
Step 407: after receiving the SYN packet, client A and client B each return a synchronization packet acknowledgement message (SYNACK) to the other;
At this point the TCP direct connection is established, and according to the provisions of the TCP protocol, the above method further comprises:
Step 408: after receiving the SYNACK, client A and client B each return an acknowledgement message (ACK) to the other.
See Fig. 5, the flow chart of the method for traversing a NAT device provided by the second embodiment of the invention. The difference between this method and the first embodiment is:
Step 504: client A obtains the usable TCP hole-punching packet sequence that was obtained by testing. If this TCP sequence is the TCP packet sequence with sequence number 2 in Table 1, client A obtains the saved environment test result, and if the environment test result shows that the operating system interface can be used to set the TTL value for the public IP address, step 505 is entered;
Step 505: client A sends a first SYN packet to client B through the hole-punching assistance server, and the TTL value carried by the SYN packet for the public IP address of client B is set to a low value;
The requirement on the low TTL value is: the TTL value must allow the first SYN packet to pass through the NAT-A device, but must not allow it to reach client B;
The SYN packet is constructed by client A itself using low-level network functions.
Step 506: the hole-punching assistance server returns an Internet Control Message Protocol (ICMP) packet to client A; the ICMP packet carries the public IP address of client A, and the TTL value for this public IP address is set to expired;
Step 507: the hole-punching assistance server sends a notification message to client B;
Step 508: after receiving the notification message, client B sends a second SYN packet to the public IP address and port number of client A;
Step 509: after receiving the second SYN packet sent by client B, client A sends a SYNACK packet to client B, at which point the TCP direct connection is established.
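The following Python simulation is an added illustration of steps 505 to 509 of the second embodiment, not code from the patent; it shows why the first SYN's TTL must be high enough to cross NAT-A (so a mapping exists) but low enough not to reach NAT-B (which would otherwise answer with RST, giving packet sequence 4 instead of sequence 2). The inside and public addresses, the number of transit routers, the NAT filtering model and the assumption that the SYN and the ICMP reply travel the direct path between the clients are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Pkt:
    kind: str      # "SYN", "SYNACK", "RST" or "ICMP_TTL_EXPIRED"
    src: tuple     # (ip, port)
    dst: tuple     # (ip, port)
    ttl: int


@dataclass
class Nat:
    """Assumed NAT model: the same public port is reused for an inside endpoint,
    inbound packets are accepted only from remote endpoints the inside host has
    already sent to, unsolicited inbound packets are answered with RST (the
    behaviour the page gives for packet sequence 4), and ICMP errors are matched
    on the quoted original header, i.e. by mapping only."""
    pub_ip: str
    mapping: dict = field(default_factory=dict)   # inside (ip, port) -> public port
    allowed: dict = field(default_factory=dict)   # public port -> remote endpoints sent to
    next_port: int = 40000

    def outbound(self, p):
        if p.src not in self.mapping:
            self.mapping[p.src] = self.next_port
            self.allowed[self.next_port] = set()
            self.next_port += 1
        pub_port = self.mapping[p.src]
        self.allowed[pub_port].add(p.dst)
        return Pkt(p.kind, (self.pub_ip, pub_port), p.dst, p.ttl)

    def inbound(self, p):
        for inside, pub_port in self.mapping.items():
            if pub_port != p.dst[1]:
                continue
            if p.kind == "ICMP_TTL_EXPIRED" or p.src in self.allowed[pub_port]:
                return Pkt(p.kind, p.src, inside, p.ttl)
        return None


class Path:
    """Routers between the clients: sender's NAT, `transit` routers, receiver's
    NAT. A router receiving a packet with TTL 1 discards it and returns ICMP
    time-exceeded to the packet's source (assumed hop model)."""
    def __init__(self, transit):
        self.transit = transit

    def deliver(self, p, src_nat, dst_nat):
        """Return (outcome, packet handed to the receiving side or None)."""
        for hop in range(1, self.transit + 3):
            if p.ttl <= 1:
                if hop == 1:                        # died on the sender's own NAT:
                    return "DROPPED_AT_OWN_NAT", None   # no mapping was created
                icmp = Pkt("ICMP_TTL_EXPIRED", ("router%d" % hop, 0), p.src, 64)
                return "ICMP", src_nat.inbound(icmp)
            p = Pkt(p.kind, p.src, p.dst, p.ttl - 1)
            if hop == 1:
                p = src_nat.outbound(p)             # mapping and permission created here
        inner = dst_nat.inbound(p)
        if inner is None:                           # unsolicited at the far NAT
            return "RST", src_nat.inbound(Pkt("RST", p.dst, p.src, 64))
        return "DELIVERED", inner


def usable_ttl_range(transit):
    """TTLs that carry the first SYN past the sender's NAT but not past the
    remote NAT in this model: 2 .. transit + 2."""
    return 2, transit + 2


def punch(syn_ttl, transit=3):
    """Steps 505 to 509 with client A's first SYN sent at syn_ttl; returns the
    outcome of each step and whether a connection resulted."""
    A, B = ("10.0.0.2", 5000), ("10.0.1.2", 6000)    # constructed inside addresses
    nat_a, nat_b, net = Nat("203.0.113.1"), Nat("198.51.100.1"), Path(transit)
    server = ("192.0.2.10", 8000)                    # hole-punching assistance server
    # Steps 501 to 503: both clients contact the assistance server, which thereby
    # learns their public endpoints; the same mappings are reused below.
    a_pub = nat_a.outbound(Pkt("SYN", A, server, 64)).src
    b_pub = nat_b.outbound(Pkt("SYN", B, server, 64)).src
    out = {"established": False}
    # Step 505: A sends a low-TTL SYN towards B's public endpoint.
    out["first_syn"], _ = net.deliver(Pkt("SYN", A, b_pub, syn_ttl), nat_a, nat_b)
    if out["first_syn"] == "RST":
        # The SYN reached NAT-B, which has no record of A: this is packet
        # sequence 4, not sequence 2, and a kernel socket in SYN_SENT would abort.
        return out
    # Step 506 is the ICMP just returned (if any); step 507 is the server
    # notifying B. Step 508: B sends its SYN to A's public endpoint.
    out["b_syn"], _ = net.deliver(Pkt("SYN", B, a_pub, 64), nat_b, nat_a)
    if out["b_syn"] != "DELIVERED":                 # NAT-A had no permission for B
        return out
    # Step 509: A answers with SYNACK; NAT-B admits it because B just sent to a_pub.
    out["synack"], _ = net.deliver(Pkt("SYNACK", A, b_pub, 64), nat_a, nat_b)
    out["established"] = out["synack"] == "DELIVERED"
    return out


if __name__ == "__main__":
    for ttl in (1, 3, 64):
        print("first SYN TTL", ttl, "->", punch(ttl))
```

With three transit routers only TTLs 2 to 5 succeed; TTL 1 never leaves NAT-A, so client B's SYN is rejected, and a full TTL provokes the RST from NAT-B.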
See Fig. 6, the flow chart of the method for traversing a NAT device provided by the third embodiment of the invention. The difference between this method and the embodiments stated above is:
Step 604: client A obtains the usable TCP hole-punching packet sequence that was obtained by testing. If this TCP sequence is the TCP packet sequence with sequence number 3 in Table 1, client A obtains the saved environment test result, and if the environment test result shows that the operating system version is WinXP SP2 or above, the user has superuser rights, and the operating system interface can be used to set the TTL value for the public IP address, step 605 is entered;
Step 605: client A and client B each send a SYN packet to the other through the hole-punching assistance server, and the TTL value carried by this SYN packet for the public IP address is set to a low TTL value;
Specifically, the first SYN packet that client A sends to client B carries the public IP address of client B, and the TTL value for this public IP address is set to a low TTL value; likewise, the second SYN packet that client B sends to client A carries the public IP address of client A, and the TTL value for this public IP address is set to a low TTL value;
For the requirement on the low TTL value, see the relevant part of the second embodiment; it is not repeated here.
Step 606: the hole-punching assistance server sends an ICMP packet to client A and to client B respectively;
The ICMP packet sent to client A carries the public IP address of client A, and the TTL for this public IP address is set to expired; likewise, the ICMP packet sent to client B carries the public IP address of client B, and the TTL value for this public IP address is set to expired;
Step 607: after receiving the ICMP packet, client A and client B each send their own TCP sequence number to the other through the hole-punching assistance server;
The TCP sequence number is the one that client A and client B each captured, by listening on the network, when sending the SYN packet to the other;
Step 608: after receiving the other's TCP sequence number, client A and client B each send a SYNACK packet to the other, at which point the TCP direct connection is established.
The third embodiment of the invention has been introduced above. In this embodiment, all packets are constructed by client A and client B themselves using low-level network functions.
See Fig. 7, the flow chart of the method for traversing a NAT device provided by the fourth embodiment of the invention. The difference between this method and the methods stated above is:
Step 704: client A obtains the usable TCP hole-punching packet sequence that was obtained by testing. If this TCP sequence is the TCP packet sequence with sequence number 4 in Table 1, step 705 is entered;
Step 705: client A sends a first SYN packet to the NAT-B device corresponding to the public IP address and port number of client B;
The first SYN packet is a packet constructed by client A itself using low-level network functions;
Step 706: the NAT-B device returns a RST message to client A; the RST message is generated automatically by the NAT-B device;
When client A sends the first SYN packet to NAT-B, since there is no record of client A on the NAT-B device, the NAT-B device automatically generates a RST message and returns it to client A, requiring client A and the NAT-A device to reset the connection.
Step 707: client A sends a notification message to client B through the hole-punching assistance server;
Step 708: after receiving the notification message, client B sends a second SYN packet to the public IP address and port number of client A;
Step 709: after receiving the second SYN packet, client A returns a SYNACK packet to client B, at which point the TCP direct connection is established.
See Fig. 8, the flow chart of the method for traversing a NAT device provided by the fifth embodiment of the invention. The difference between this method and the embodiments stated above is:
Step 804: client A obtains the usable TCP hole-punching packet sequence that was obtained by testing. If this TCP sequence is the TCP packet sequence with sequence number 5 in Table 1, client A obtains the saved environment test result, and if the environment test result shows that the operating system version is WinXP SP2 or above and the user has superuser rights, step 805 is entered;
Step 805: client A and client B each send a SYN packet to the NAT device corresponding to the other's public IP address and port number;
Step 806: after receiving the SYN packets, the NAT-A device and the NAT-B device return RST messages to client A and client B respectively;
Step 807: client A and client B each send their own TCP sequence number to the other through the hole-punching assistance server;
Step 808: after receiving the other's TCP sequence number, client A and client B each return a SYNACK packet to the other, at which point the TCP direct connection is established.
The above is the method provided by the fifth embodiment of the invention. In this method, all packets other than the RST messages are constructed by client A and client B themselves using low-level network functions.
The embodiment of the invention has been introduced above for the different hole-punching environments.
Further, in the embodiment of the invention, the methods provided by the above five embodiments may run on the same client. Before hole punching begins, the client obtains the TCP packet sequence test result; if the TCP packet sequence with sequence number N (N = 1, 2, ..., 5) in Table 1 is not filtered by the NAT device, the method provided by the Nth embodiment is selected. The client then checks whether the test results for the items in the columns of Table 2 satisfy the requirements of the Nth embodiment: if they do, hole punching begins using the method provided by the Nth embodiment; if they do not, TCP hole punching cannot be carried out. Table 2 shows which items each of the five embodiments stated above needs to test and which it does not, where "√" indicates an item that needs to be tested and "×" indicates an item that does not need to be tested.
In general, client B sends its own hole-punching environment test result to client A through the hole-punching assistance server, and client A selects the hole-punching method using its own saved hole-punching environment test result and the hole-punching environment test result of client B.
TCP hole-punching method | Operating system version | TTL value can be set | Superuser rights
Embodiment one           | √                        | ×                    | ×
Embodiment two           | ×                        | √                    | ×
Embodiment three         | √                        | √                    | √
Embodiment four          | ×                        | ×                    | ×
Embodiment five          | √                        | ×                    | √
Table 2
The method for traversing a NAT device provided by the embodiment of the invention has been introduced above. To guarantee a higher success rate, the method provided by the embodiment of the invention can be combined with the existing UDP hole-punching method and with the method of relaying data through a super node.
See Fig. 9, the flow chart of the method for traversing a NAT device that combines multiple hole-punching modes, provided by the embodiment of the invention. This method comprises:
Step 901: client A and client B use testing server A and testing server B to test their own NAT types using STUN (Simple Traversal of UDP Through Network Address Translators);
There are four NAT types: full-cone NAT, IP-restricted cone NAT, port-restricted cone NAT and symmetric NAT.
Step 902: if client A determines that UDP cannot pass through, or that the service layer requires TCP hole punching, step 903 is entered; otherwise step 904 is entered;
Step 903: client A obtains the saved hole-punching environment test result and, according to that test result, carries out TCP hole punching using the TCP hole-punching method provided by the embodiment of the invention;
Step 904: client A determines whether a hole can be punched; if so, step 905 is entered, otherwise step 906 is entered;
Step 905: client A carries out UDP hole punching according to the type of the NAT device;
Step 906: client A triggers data relay through a super node.
The embodiment of the invention also provides a first client, which comprises:
a direct connection request sending unit, used to initiate a TCP direct connection request to client B through the hole-punching assistance server;
a public IP address receiving unit, used to receive the public IP address and port number of client B returned by the hole-punching assistance server;
a packet sequence acquiring unit, used to obtain the usable Transmission Control Protocol hole-punching packet sequence that was obtained by testing;
a direct connection establishing unit, used to send packets to the public IP address and port number of client B with the assistance of the hole-punching assistance server, according to the usable Transmission Control Protocol hole-punching packet sequence, until the TCP direct connection is successfully established.
If the first client is punching a TCP hole for the first time, the above first client further comprises:
an environment testing unit, used to test the hole-punching environment, and to save the first client's own hole-punching environment test result and the hole-punching environment test result that client B returns to it through the hole-punching assistance server.
The embodiment of the invention provides several specific implementations of the first client for the different hole-punching environment test results, which are described in detail below.
1. If the TCP packet sequence with sequence number 1 in Table 1 is a TCP sequence that can be used for hole punching, the client further comprises:
a test result acquiring unit, used to obtain the saved environment test result and, if the test result shows that the operating system version meets the preset version condition, to trigger the direct connection establishing unit;
In a specific implementation, the direct connection establishing unit comprises: a synchronization packet sending unit, a notification message sending unit, a synchronization packet receiving unit, an acknowledgement message sending unit and an acknowledgement message receiving unit;
the synchronization packet sending unit is used to send a first synchronization packet to the public IP address and port number of client B;
the notification message sending unit is used to send a notification message to client B through the hole-punching assistance server; this notification message is used to notify client B to send a SYN packet to the public IP address and port number of client A;
the synchronization packet receiving unit is used to receive the second synchronization packet that client B sends after receiving the notification message;
the acknowledgement message sending unit is used to send a synchronization packet acknowledgement message to client B after the second synchronization packet is received;
the acknowledgement message receiving unit is used to receive the synchronization packet acknowledgement message that client B returns after receiving the first synchronization packet.
2. If the TCP packet sequence with sequence number 2 in Table 1 is a TCP sequence that can be used for hole punching, the client further comprises:
a test result acquiring unit, used to obtain the saved environment test result and, if the test result shows that the operating system interface can be used to set the TTL value for the public IP address, to trigger the direct connection establishing unit;
In a specific implementation, the direct connection establishing unit comprises:
a synchronization packet sending unit, used to send a first synchronization packet to client B through the hole-punching assistance server, where the TTL value carried by the first synchronization packet for the public IP address of client B is set to a low value;
a protocol packet receiving unit, used to receive the Internet Control Message Protocol packet returned by the hole-punching assistance server, where the protocol packet carries the public IP address of the first client and the TTL value for this public IP address is set to expired;
a synchronization packet receiving unit, used to receive the second synchronization packet sent by client B;
an acknowledgement message sending unit, used to send a synchronization packet acknowledgement message to client B after the synchronization packet receiving unit receives the second synchronization packet.
3. If the TCP packet sequence with sequence number 3 in Table 1 is a TCP sequence that can be used for hole punching, the client further comprises:
a test result acquiring unit, used to obtain the saved environment test result and, if the test result shows that the operating system version is WinXP SP2 or above, that the operating system interface can be used to set the TTL value for the public IP address, and that the user has superuser rights, to trigger the direct connection establishing unit;
In a specific implementation, the direct connection establishing unit comprises:
a synchronization packet sending unit, used to send a synchronization packet to client B through the hole-punching assistance server, where the TTL value carried by the synchronization packet for the public IP address of client B is set to a low value;
a protocol packet receiving unit, used to receive the Internet Control Message Protocol packet returned by the hole-punching assistance server, where the protocol packet carries the public IP address of the first client and the TTL value for this public IP address is set to expired;
a sequence number sending unit, used to send a first Transmission Control Protocol sequence number to client B through the hole-punching assistance server;
a sequence number receiving unit, used to receive the second Transmission Control Protocol sequence number of client B sent by the hole-punching assistance server;
an acknowledgement message sending unit, used to send a synchronization packet acknowledgement message to client B after the second Transmission Control Protocol sequence number is received;
an acknowledgement message receiving unit, used to receive the synchronization packet acknowledgement message that client B returns after receiving the first Transmission Control Protocol sequence number.
4. If the TCP packet sequence with sequence number 4 in Table 1 is a TCP sequence that can be used for hole punching, then in a specific implementation the direct connection establishing unit comprises:
a synchronization packet sending unit, used to send a first synchronization packet to the network address translation device corresponding to the public IP address and port number of client B;
a reset message receiving unit, used to receive the reset message returned by that network address translation device;
a notification message sending unit, used to send a notification message to client B through the hole-punching assistance server;
a synchronization packet receiving unit, used to receive the second synchronization packet that client B sends after being notified by the message;
an acknowledgement message sending unit, used to return a synchronization packet acknowledgement message to client B after the second synchronization packet is received.
5. If the TCP packet sequence with sequence number 5 in Table 1 is a TCP sequence that can be used for hole punching, the client further comprises:
a test result acquiring unit, used to obtain the saved environment test result and, if the test result shows that the operating system version is WinXP SP2 and the user has superuser rights, to trigger the direct connection establishing unit;
In a specific implementation, the direct connection establishing unit comprises:
a synchronization packet sending unit, used to send a first synchronization packet to the network address translation device corresponding to the public IP address and port number of client B;
a reset message receiving unit, used to receive the reset message returned by that network address translation device;
a sequence number sending unit, used to send a first Transmission Control Protocol sequence number to the public IP address and port number of client B;
a sequence number receiving unit, used to receive the second Transmission Control Protocol sequence number sent by client B;
an acknowledgement message sending unit, used to return a synchronization packet acknowledgement message to client B after the second Transmission Control Protocol sequence number is received;
an acknowledgement message receiving unit, used to receive the synchronization packet acknowledgement message that client B returns after receiving the first Transmission Control Protocol sequence number.
According to the requirements of the TCP protocol, each of the above five direct connection establishing units further comprises:
a response message sending unit, used to send a response message (ACK) to the second client after receiving the synchronization packet acknowledgement message returned by the second client;
a response message receiving unit, used to receive the response message that the second client returns after receiving the synchronization packet acknowledgement message sent by the first client.
The first client provided by the embodiment of the invention further comprises: a test packet sending unit, a test packet receiving unit and a sequence recording unit;
the test packet sending unit is used to send a first synchronization packet to the testing server;
the test packet receiving unit is used to receive the packets returned by the testing server;
if the packet received by the test packet receiving unit is a second synchronization packet, the sequence recording unit is used to record that the sequence consisting of the first synchronization packet and the second synchronization packet is a Transmission Control Protocol packet sequence that can be used for hole punching;
if the packets received by the test packet receiving unit are an Internet Control Message Protocol packet and a second synchronization packet, the sequence recording unit is used to record that the sequence consisting of the first synchronization packet, the Internet Control Message Protocol packet and the second synchronization packet is a Transmission Control Protocol packet sequence that can be used for hole punching;
if the packets received by the test packet receiving unit are an Internet Control Message Protocol packet and a synchronization packet acknowledgement message, the sequence recording unit is used to record that the sequence consisting of the first synchronization packet, the Internet Control Message Protocol packet and the synchronization packet acknowledgement message is a Transmission Control Protocol packet sequence that can be used for hole punching;
if the packets received by the test packet receiving unit are a reset message and a second synchronization packet, the sequence recording unit is used to record that the sequence consisting of the first synchronization packet, the reset message and the second synchronization packet is a Transmission Control Protocol packet sequence that can be used for hole punching;
if the packets received by the test packet receiving unit are a reset message and a synchronization packet acknowledgement message, the sequence recording unit is used to record that the sequence consisting of the first synchronization packet, the reset message and the synchronization packet acknowledgement message is a Transmission Control Protocol packet sequence that can be used for hole punching.
To guarantee a higher success rate of traversing the NAT device, the first client provided by the embodiment of the invention further comprises:
a network address translation device type testing unit, used to test the type of the network address translation device using the testing server;
a hole-punching method selecting unit, used to trigger the test result acquiring unit if it determines that User Datagram Protocol (UDP) packets cannot pass through or that the service layer requires Transmission Control Protocol hole punching, and otherwise to determine whether a hole can be punched, triggering the User Datagram Protocol direct connection establishing unit if so and triggering data relay through a super node if not;
a User Datagram Protocol direct connection establishing unit, used to carry out User Datagram Protocol hole punching according to the type of the network address translation device.
The method, system and client for traversing a network address translation device or firewall provided by the present invention have been described in detail above. For those of ordinary skill in the art, parts of the specific embodiments and of the application scope may all change according to the idea of the embodiment of the invention; in sum, this description should not be construed as limiting the present invention.