CN115022281B - NAT penetration method, client and system - Google Patents


Info

Publication number: CN115022281B
Authority: CN (China)
Prior art keywords: nat, client, mapping, address, port
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202210683265.0A
Other languages: Chinese (zh)
Other versions: CN115022281A (en)
Inventors: 郝悦集, 李贵伟
Current Assignee: Hangzhou Kaizhi Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Hangzhou Kaizhi Technology Co ltd
Events: application filed by Hangzhou Kaizhi Technology Co ltd; priority to CN202210683265.0A; publication of CN115022281A; application granted; publication of CN115022281B; legal status Active.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/09 Mapping addresses > H04L61/25 Mapping addresses of the same type > H04L61/2503 Translation of Internet protocol [IP] addresses
            • H04L61/256 NAT traversal > H04L61/2567 NAT traversal for reachability, e.g. inquiring the address of a correspondent behind a NAT server
            • H04L61/2521 Translation architectures other than single NAT servers
        • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols > H04L67/10 Protocols in which an application is distributed across nodes in the network > H04L67/104 Peer-to-peer [P2P] networks
            • H04L67/14 Session management > H04L67/141 Setup of application sessions
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
        • Y02D30/00 Reducing energy consumption in communication networks > Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a NAT traversal method, a client and a system. In the method, a first client in a first local area network and a second client in a second local area network exchange the external network IP address of the NAT each belongs to, its mapping port, and the sequence type of that NAT, where the sequence type of a NAT is the correlation between the validity of a NAT mapping port and the order in which data is received and sent on that port. Whether a P2P data transmission channel can be established between the first client and the second client is judged according to the sequence type of the second NAT and the sequence type of the first NAT, and if it can be, establishment of the P2P data transmission channel between the two clients is triggered. The invention can identify the correlation between the validity of a NAT mapping port and the receive/send order of data on that port, so that P2P data transmission can be established between two hosts in different local area networks.

Description

NAT penetration method, client and system
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a NAT traversal method, a client, and a system.
Background
Network address translation (NAT), also called network masquerading or IP-to-port mapping, is a standard developed by the IETF (Internet Engineering Task Force). NAT is a network address translation technique mainly used to modify IP and TCP/UDP protocol messages when an intranet packet leaves the NAT (router): the internal private IP address (private IP) at the IP layer is replaced with the public IP (public IP) of the domain where the router is located, and the TCP/UDP-layer port is translated (mapped) to some port of the NAT according to certain rules. NAT functionality is typically integrated into a router, firewall, ISDN router, or a separate NAT device.
NAT allows multiple computers to access the network at the same time while hiding the intranet IP addresses, which increases intranet security; NAT also checks data arriving from outside against its NAT records and refuses packets that have no corresponding record, which further improves security. NAT therefore not only alleviates the shortage of IP addresses but also effectively prevents attacks from outside the network, concealing and protecting the computers inside it.
The mapping behaviour and filtering behaviour of a NAT can be detected with the procedure proposed in RFC 5780. Before two clients located behind different NATs establish a P2P data transmission channel, each can detect its NAT behaviour; once the NAT type corresponding to each client is known, the clients inform each other of their NAT types through a message forwarding server, and both sides can judge from the combination of their own NAT type and the other party's NAT type whether a P2P channel can be established between them.
However, testing in different NAT environments reveals a special NAT (firewall) behaviour: the NAT masks a mapping port that receives data before the internal host has sent anything through it to that source, so a P2P channel cannot be established and the two clients cannot communicate directly. For P2P data transmission to be established between two clients in different NAT intranets, in addition to the NAT mapping and filtering behaviours defined in RFC 4787, the receive/send order of data on a mapping port already established on the NAT (a mapping port the NAT has allocated for the client's IP address and port) must be considered. Suppose the client uses address and port IP-a:PORT-a to send a STUN binding request to a STUN server at IP-S:PORT-S and thereby obtains the NAT's external network IP address IP-O and the mapping port PORT-O that the NAT has allocated for IP-a:PORT-a. If, before the client sends data from IP-a:PORT-a to some external host, that external host (any IP address and any port) sends data to mapping port PORT-O of the NAT, the NAT masks PORT-O: the mapping port can no longer serve as the mapping of the internal host's IP-a:PORT-a towards the IP address and port of that data source, i.e. the intranet host cannot send data to the IP address and port of that source through this NAT port. How long the port stays masked varies between NAT vendors. If the intranet client later uses IP-a:PORT-a to send data to the IP address and port of that source, the NAT maps this flow to a different port. How to implement P2P traversal between clients in different LANs behind such NATs therefore becomes particularly important.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a NAT traversal method, a client and a system in which the clients can identify the correlation between the validity of a mapping port and the receive/send order of data on that port, so that P2P data transmission can be established between two hosts in different local area networks.
To solve the above problems, the present invention proposes a NAT traversal method comprising the following steps:
a first client in a first local area network and a second client in a second local area network exchange the mapping address of their NAT and the sequence type of their NAT, where the sequence type of a NAT is the correlation between the validity of the NAT's mapping ports and the order in which data is received and sent on those ports, and the mapping address of a NAT comprises the NAT's external network IP address and the mapping ports the NAT allocates for the different IP addresses and ports of clients in its intranet;
analysing the sequence type of the second NAT to which the second client belongs and the sequence type of the first NAT to which the first client belongs;
judging whether a P2P data transmission channel can be established between the first client and the second client according to the sequence type of the second NAT and the sequence type of the first NAT;
and, if the P2P data transmission channel can be established between the first client and the second client, triggering establishment of the P2P data transmission channel between them.
The sequence type of the NAT is acquired with a NAT detection method comprising the following steps:
each client initiates mapping behaviour detection towards the STUN server and identifies the mapping type of the NAT it belongs to from that detection;
when the mapping type of a client's NAT is identified as 'endpoint-independent mapping', the client initiates filtering behaviour detection towards the STUN server and identifies the filtering type of its NAT from that detection;
when the filtering type of a client's NAT is identified as 'address-and-port-dependent filtering', the client initiates sequential behaviour detection towards the STUN server and identifies the sequence type of its NAT from that detection.
Initiating mapping behaviour detection towards the STUN server and identifying the mapping type of the NAT each client belongs to comprises:
sending a first STUN binding request from the client's fixed IP address and first client port to the first service IP address and first service port of the STUN server, and obtaining the NAT's external network IP address and a first mapping port from the response to the first STUN binding request returned by the STUN server;
sending a second STUN binding request from the same fixed IP address and first client port to the second service IP address and first service port of the STUN server, and obtaining the NAT's external network IP address and a second mapping port from the response to the second STUN binding request returned by the STUN server;
and, when the first mapping port and the second mapping port are judged to be the same, identifying the NAT mapping type as 'endpoint-independent mapping'.
Initiating filtering behaviour detection towards the STUN server and identifying the filtering type of the NAT each client belongs to comprises:
sending a third STUN binding request from the client's fixed IP address and second client port to the first service IP address and first service port of the STUN server, receiving the response to the third STUN binding request, and obtaining the NAT's external network IP address and a third mapping port from that response;
sending a fourth STUN binding request from the same fixed IP address and second client port to the first service IP address and first service port of the STUN server, with the Change IP and Change Port attributes of the STUN request message set to 1, so that the fourth STUN binding request asks the STUN server to reply from its second service IP address and second service port;
and receiving the response to the fourth STUN binding request returned by the STUN server, judging the NAT filtering type from that response, and identifying the NAT filtering type as 'address-and-port-dependent filtering' if the client does not receive the response to the fourth STUN binding request and the receive times out.
Initiating sequential behaviour detection towards the STUN server and identifying the sequence type of the NAT each client belongs to comprises:
sending a fifth STUN binding request from the client's fixed IP address and second client port to the first service IP address and second service port of the STUN server, and obtaining the NAT's external network IP address and a fifth mapping port from the response to the fifth STUN binding request returned by the STUN server;
and analysing whether the fifth mapping port is the same as the third mapping port: if they are the same, the NAT sequence type is 'receive-send-order-independent mapping'; if they differ, the NAT sequence type is 'receive-send-order-dependent mapping'.
When the P2P data transmission channel can be established between the first client and the second client, triggering its establishment comprises:
when the first client identifies that the sequence type of the second NAT to which the second client belongs is 'receive-send-order-independent mapping' and the sequence type of the first NAT to which the first client belongs is 'receive-send-order-dependent mapping', triggering the first client to send, from the first NAT mapping address, a first traversal request packet based on the STUN protocol to the second NAT mapping address of the second client, where the first NAT mapping address is the external network IP address of the NAT to which the first client belongs together with the mapping port that NAT allocated for the first client's intranet IP address and port, and the second NAT mapping address is the external network IP address of the NAT to which the second client belongs together with the mapping port that NAT allocated for the second client's intranet IP address and port;
the first client receiving a traversal request response packet that the second client sends to the first NAT mapping address in reply to the first traversal request packet;
and the first client analysing the traversal request response packet and establishing the P2P data transmission channel between the first client and the second client on the basis of that packet.
Establishing the P2P data transmission channel between the first client and the second client based on the traversal request response packet comprises:
after the first client has analysed the traversal request response packet, establishing, based on that packet, a P2P data transmission channel for sending data from the second client to the first client;
and the first client sending, from the first NAT mapping address, a second traversal request packet based on the STUN protocol to the second NAT mapping address of the second client, and establishing, based on the second traversal request packet, a P2P data transmission channel for sending data from the first client to the second client.
Correspondingly, the invention also provides a client, comprising:
a NAT detection module for acquiring the sequence type of the NAT to which the client belongs with the NAT detection method;
a NAT interaction module for exchanging, between the first client in the first local area network and the second client in the second local area network, the mapping address of each NAT and the sequence type of each NAT, where the sequence type of a NAT is the correlation between the validity of a NAT mapping port and the receive/send order of data on that port, and the NAT mapping address comprises the NAT's external network IP address and the mapping ports the NAT allocates for the different IP addresses and ports of clients in its intranet;
a NAT analysis module for analysing the sequence type of the second NAT to which the second client belongs and the sequence type of the first NAT to which the first client belongs;
a judging and processing module for judging whether a P2P data transmission channel can be established between the first client and the second client according to the sequence type of the second NAT and the sequence type of the first NAT;
and a P2P data module for triggering establishment of the P2P data transmission channel between the first client and the second client when it is judged that the channel can be established.
The P2P data module is configured to: when the first client identifies that the sequence type of the second NAT to which the second client belongs is 'receive-send-order-independent mapping' and the sequence type of the first NAT to which the first client belongs is 'receive-send-order-dependent mapping', trigger the first client to send, from the first NAT mapping address, a first traversal request packet based on the STUN protocol to the second NAT mapping address of the second client, where the first NAT mapping address is the external network IP address of the NAT to which the first client belongs together with the mapping port that NAT allocated for the first client's intranet IP address and port, and the second NAT mapping address is the external network IP address of the NAT to which the second client belongs together with the mapping port that NAT allocated for the second client's intranet IP address and port; receive the traversal request response packet that the second client sends to the first NAT mapping address in reply to the first traversal request packet; and analyse the traversal request response packet and establish the P2P data transmission channel between the first client and the second client on the basis of that packet.
Correspondingly, the invention also provides a NAT traversal system, comprising:
a first client in a first local area network, for exchanging with a second client in a second local area network the mapping address of each NAT and the sequence type of each NAT, where the sequence type of a NAT is the correlation between the validity of the NAT's mapping ports and the receive/send order of data on those ports, and the NAT mapping address comprises the NAT's external network IP address and the mapping ports the NAT allocates for the different IP addresses and ports of clients in its intranet; analysing the sequence type of the second NAT to which the second client belongs and the sequence type of the first NAT to which the first client belongs; judging whether a P2P data transmission channel can be established between the first client and the second client according to the sequence type of the second NAT and the sequence type of the first NAT; and, if the P2P data transmission channel can be established between the first client and the second client, triggering establishment of the P2P data transmission channel between them;
a second client in the second local area network, for exchanging with the first client in the first local area network the mapping address of each NAT and the sequence type of each NAT, where the sequence type of a NAT is the correlation between the validity of a NAT mapping port and the receive/send order of data on that mapping port, and the NAT mapping address comprises the NAT's external network IP address and the mapping ports the NAT allocates for the different IP addresses and ports of clients in its intranet;
a first NAT device supporting communication between the first client and the external network, providing network address translation for the first client;
a second NAT device supporting communication between the second client and the external network, providing network address translation for the second client;
and a STUN server providing server-side support for the STUN protocol, used to assist the first client and the second client in traversing their different NAT devices over UDP.
Clients according to embodiments of the invention can recognise the correlation between the validity of a NAT mapping port and the receive/send order of data on that port, so that P2P data transmission can be established between two hosts in different local area networks. The method supplements the division of NAT behaviours in RFC 4787: with this traversal scheme, two clients located behind different NATs can detect their NAT behaviour before the P2P data transmission channel is established, learn the NAT types corresponding to the clients, predict whether a P2P channel can be established between the two clients, and thereby improve the manner and efficiency of P2P channel establishment.
Drawings
In order to illustrate the embodiments of the invention or the technical solutions in the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly described below; the drawings described are only some embodiments of the invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of a system architecture of NAT detection in an embodiment of the invention;
Fig. 2 is a flow chart of a method of NAT detection in an embodiment of the invention;
Fig. 3 is a flow chart of a specific method of NAT detection in an embodiment of the invention;
Fig. 4 is a schematic diagram of a system architecture of NAT traversal in an embodiment of the invention;
Fig. 5 is a schematic diagram of a client architecture in an embodiment of the invention;
Fig. 6 is a flow chart of a method of NAT traversal in an embodiment of the invention;
Fig. 7 is a schematic diagram of a system structure of NAT traversal with dual ports in an embodiment of the invention.
Detailed Description
The embodiments of the present invention are described below clearly and fully with reference to the accompanying drawings; the embodiments described are only some, not all, embodiments of the invention. All other embodiments that a person skilled in the art can derive from these embodiments without inventive effort are intended to fall within the scope of the invention.
It should be noted that P2P means two clients communicating directly with each other without going through a server, or two terminals directly establishing a communication link with the assistance of a server. Not every pair of peers can establish a P2P channel: for example, between host computers, mobile phones and other terminals in different local area networks, some terminals cannot establish P2P because the NAT types of their routers differ.
The mapping behaviour and filtering behaviour of a NAT can be detected with the procedure proposed in RFC 5780. Before two clients located behind different NATs establish a P2P data transmission channel, each can detect its NAT behaviour; once the NAT type corresponding to each client is known, the clients inform each other of their NAT types through a message forwarding server, and both sides can judge from the combination of their own NAT type and the other party's NAT type whether a P2P channel can be established between them. There is, however, a special NAT (firewall) behaviour in which a NAT device masks a mapping port that receives data before the internal host has sent through it. Therefore, the embodiment of the invention proposes that the port mapping behaviour of the NAT is related to the receive/send order of data on the mapping port, defines the NAT types 'receive-send-order-dependent mapping NAT' (Receive-Send-Order-Dependent Mapping NAT) and 'receive-send-order-independent mapping NAT' (Receive-Send-Order-Independent Mapping NAT), and provides a detection method for NATs of this kind.
Specifically, Fig. 1 shows the schematic system structure of NAT detection in an embodiment of the present invention, where the system includes:
a client, local area network client A, for initiating mapping behaviour detection towards the STUN server and identifying the mapping type of its NAT from that detection; when the mapping type of its NAT is identified as 'endpoint-independent mapping', initiating filtering behaviour detection towards the STUN server and identifying the filtering type of its NAT from that detection; and when the filtering type of its NAT is identified as 'address-and-port-dependent filtering', initiating sequential behaviour detection towards the STUN server and identifying the sequence type of its NAT from that detection;
a NAT device, providing network address translation when the client communicates with the STUN server;
and a STUN server providing server-side support for the STUN protocol, used to assist the client in traversing different routers over UDP; the STUN server communicates with the client through the NAT device.
The client acquires the external network IP address of the NAT to which it belongs and the mapping port allocated by the NAT through the network topology shown in Fig. 1. The STUN server has two IP addresses and two ports: the first service IP address s.s.s.s and the second service IP address t.t.t.t, and the first service port 3478 and the second service port 3479. The client has IP address a.a.a.a and two ports, the first client port 10000 and the second client port 20000.
The client is configured to send the fifth STUN binding request from its fixed IP address a.a.a.a and second client port 20000 to the first service IP address s.s.s.s and second service port 3479 of the STUN server, obtain the NAT's external network IP address and the fifth mapping port from the response to the fifth STUN binding request returned by the STUN server, and analyse whether the fifth mapping port is the same as (equal in value to) the third mapping port: if so, the NAT sequence type is 'receive-send-order-independent mapping'; if not, the NAT sequence type is 'receive-send-order-dependent mapping'.
Specifically, fig. 2 shows a flowchart of a method for NAT detection in an embodiment of the present invention, where the method includes the following steps:
s201, a client initiates mapping behavior detection to a STUN server, and identifies the mapping type of NAT based on the mapping behavior detection;
specifically, the client initiates mapping behavior detection to the STUN server, and identifies a mapping type of the NAT based on the mapping behavior detection, including: sending a first STUN binding request to a first service IP address and a first service port of a STUN server by using a fixed IP address and a first client port of a client, and obtaining an external network IP address and a first mapping port of the NAT from a response of the first STUN binding request returned by the STUN server; sending a second STUN binding request to a second service IP address and a first service port of the STUN server by using a fixed IP address and a first client port of the client, and obtaining an external network IP address and a second mapping port of the NAT from a response of the second STUN binding request returned by the STUN server; and when the first mapping port is judged to be the same as the second mapping port, namely the first mapping port and the second mapping port are equal in value, identifying that the NAT type is the NAT type of 'endpoint irrelevant mapping'.
It should be noted that, when the mapping type of the NAT is "endpoint-independent mapping", the mapping IP address is the external network IP address of the NAT device, and the first mapping port and the second mapping port are the same mapping port (i.e. equal in value).
S202, when the mapping type of the NAT is identified as the "endpoint-independent mapping" NAT type based on the mapping behavior detection, filtering behavior detection is initiated to the STUN server, and the filtering type of the NAT is identified based on the filtering behavior detection;
Initiating filtering behavior detection to the STUN server and identifying the filtering type of the NAT based on the filtering behavior detection includes: sending a third STUN binding request from the fixed IP address and a second client port of the client to the first service IP address and first service port of the STUN server, receiving the response to the third STUN binding request, and obtaining the external network IP address and a third mapping port of the NAT from that response; sending a fourth STUN binding request from the fixed IP address and the second client port of the client to the first service IP address and first service port of the STUN server, where the Change IP and Change Port attributes of the STUN request message are set to 1 in the fourth STUN binding request, so that the fourth STUN binding request asks the STUN server to respond from its second service IP address and second service port; and receiving the response to the fourth STUN binding request returned by the STUN server and judging the filtering type of the NAT from it: if the client does not receive the response to the fourth STUN binding request and a receive timeout occurs, the filtering type of the NAT is identified as the "address and port-dependent filtering" NAT type.
It should be noted that, when the filtering type of the NAT is identified as the "address and port-dependent filtering" type, the mapped IP address here is the external network IP address of the NAT device, and the value of the third mapping port depends on the allocation policy of the NAT and has no special meaning.
S203, when the filtering type of the NAT is identified as the "address and port-dependent filtering" NAT type based on the filtering behavior detection, sequence behavior detection is initiated to the STUN server, and the sequence type of the NAT is identified based on the sequence behavior detection.
Initiating sequence behavior detection to the STUN server and identifying the sequence type of the NAT based on the sequence behavior detection includes: sending a fifth STUN binding request from the fixed IP address and the second client port of the client to the first service IP address and second service port of the STUN server, and obtaining the external network IP address and a fifth mapping port of the NAT from the response to the fifth STUN binding request returned by the STUN server; and analyzing whether the fifth mapping port is the same as the third mapping port (i.e. equal in value): if the fifth mapping port is the same as the third mapping port, the sequence type of the NAT is the "send-receive-order-independent mapping" NAT type, and if the fifth mapping port differs from the third mapping port, the sequence type of the NAT is the "send-receive-order-dependent mapping" NAT type.
It should be noted that, when the sequence type of the NAT is identified, the mapping IP address here is the external network IP address of the NAT device, and the value of the fifth mapping port depends on the allocation policy of the NAT and has no special meaning.
By identifying the send-receive order type on the NAT mapping port, the method and device can judge whether the mapping port remains valid, so that the client can predict whether P2P data transmission can be established between two hosts in different local area networks under specific conditions.
The NAT detection system architecture shown in fig. 1 is described below, taking the technical principle of figs. 1 to 3 as an example:
In the NAT detection flow chart shown in fig. 3, "mapping behavior detection" and "filtering behavior detection" (steps 301-304) may first be performed according to the detection flow of RFC5780, followed by "sequence behavior detection" (step 305). The IP addresses and port numbers used here are not mandatory and are chosen arbitrarily merely to illustrate the principle; where specific STUN protocol details are involved, reference may be made to the specification requirements in RFC4787 and RFC5780, which are not described in detail here.
1. Mapping behavior detection is as follows:
301. Client A sends a STUN binding request from address and port a.a.a.a:10000 to the STUN server at address and port s.s.s.s:3478; the external network IP address and NAT mapping port of the NAT it belongs to are obtained from the response returned by the STUN server: m.m.m.m:10000;
302. Client A sends a STUN binding request from address and port a.a.a.a:10000 to the STUN server at address and port t.t.t.t:3478; the external network IP address and NAT mapping port of the NAT it belongs to, obtained from the response returned by the STUN server, are still m.m.m.m:10000.
According to RFC4787 and RFC5780, the mapping type of the NAT is then "Endpoint-Independent Mapping NAT". If the mapping type of the NAT is not "Endpoint-Independent Mapping NAT", the condition set by the invention is not satisfied, and the following filtering behavior detection step is not needed.
It should be noted that "mapping" and "filtering" are two behaviors of a NAT. "Mapping" refers to how an IP address and port number in the LAN correspond to a port on the NAT: when a packet sent from the LAN to the external network passes through the NAT, the NAT replaces the source IP address in the packet with the external network IP address of the NAT and replaces the source port number in the packet with the port number mapped by the NAT; the allocation rules for mapping ports are determined by the port allocation policy of each NAT. After data from the external network reaches the NAT, the NAT looks up the destination port in the packet, and if the destination port is a mapping port previously allocated by the NAT, it replaces the destination IP address and destination port in the packet (with the IP address and port number of the intranet host that receives the data) and forwards the data to that intranet host. "Filtering" refers to whether the NAT allows data from the outside to pass through the NAT and be forwarded to a given intranet host.
2. The filtering behavior is detected as follows:
303. Client A sends a binding request from address and port a.a.a.a:20000 to the STUN server at address and port s.s.s.s:3478; the client receives the response of the STUN server and obtains from it the external network IP address and mapping port that the NAT currently uses when a.a.a.a:20000 sends data to the STUN server at s.s.s.s:3478: m.m.m.m:20000;
304. Client A sends a binding request from address and port a.a.a.a:20000 to the STUN server at address and port s.s.s.s:3478, with the Change IP and Change Port attributes of the STUN request message set to 1; setting these attributes to 1 asks the server to reply to the request from another address and port (namely t.t.t.t:3479). The client then makes one of the following two judgments:
(1) If client A does not receive the response to the request and a receive timeout occurs, the NAT belongs to the "Address and Port-Dependent Filtering NAT" type, because when the STUN server sends data from t.t.t.t:3479 to the NAT's address and port (m.m.m.m:20000), the NAT discards the data (the NAT's discarding policy is based on the four-tuple of intranet IP + intranet port + extranet IP + extranet port: only if a certain intranet address and port has sent data to a certain extranet address and port is data from that extranet address and port received and forwarded);
(2) If the client receives the response to the request, the NAT belongs to the "Endpoint-Independent Filtering NAT" type, and the NAT forwards the data to the corresponding intranet host.
If the filtering behavior of the NAT is case (1), that is, the NAT is an "Address and Port-Dependent Filtering NAT", the following "sequence behavior detection" step may be continued; otherwise, if the filtering behavior is case (2), it does not meet the conditions set herein, and the following "sequence behavior detection" step need not be continued.
3. Sequential behavior detection is as follows:
305. Client A sends a binding request from address and port a.a.a.a:20000 to the STUN server at address and port s.s.s.s:3479; then:
(a) If the NAT belongs to the "Send-Receive-Order-Dependent Mapping NAT" type, the NAT masks port 20000 and uses another port for the mapping of this four-tuple at the sending and receiving ends. As in fig. 4, port 1111 is used as the new mapping port: the STUN response message returned by the STUN server shows that the NAT uses the new port 1111 as the mapping port, while mapping port 20000 is temporarily masked by the NAT; the value of the new mapping port 1111 is determined by the allocation policy of the NAT.
(b) If the NAT belongs to the "Send-Receive-Order-Independent Mapping NAT" type, the NAT still uses the previous mapping port 20000 as the mapping port of the four-tuple at the receiving end, and the STUN response message returned by the STUN server shows that the NAT still uses the previous port 20000 as the mapping port.
Thus, the result of step 705 in the above "sequence behavior detection" can be used to determine which of the following the behavior of the NAT belongs to, namely:
a NAT with send-receive-order-dependent mapping (Send-Receive-Order-Dependent Mapping NAT);
a NAT with send-receive-order-independent mapping (Send-Receive-Order-Independent Mapping NAT).
These two NAT behaviors can be used as a complement to RFC4787 specifications, and the above "sequential behavior probing" can also be used as a complement to RFC5780 probing for NAT behavior.
After P2P traversal is achieved between devices in different local area networks, UDP-based data can be transmitted directly between the two devices, avoiding the traffic and operating costs of forwarding the data through a server; whether P2P can be established between the NATs, and how to establish it, can be predicted based on the sequence behavior detection of the NAT. With the NAT detection method of the embodiment of the invention, before the P2P data transmission channel is established, two clients located behind different NATs can detect their NAT behaviors and learn each other's NAT types, so that the clients can predict whether a P2P channel can be established between them.
Specifically, P2P communication between hosts in different LANs may be established using ICE (Interactive Connectivity Establishment, described in RFC 5245) or other P2P methods; those methods are covered in the related documents and are not within the scope of the description of the present invention. For a NAT with send-receive-order-dependent mapping (Send-Receive-Order-Dependent Mapping NAT) and a NAT with send-receive-order-independent mapping (Send-Receive-Order-Independent Mapping NAT), the "mapping" characteristic of the NAT is endpoint-independent mapping (Endpoint-Independent Mapping NAT), while the "filtering" characteristic of the NAT may be any of those described in RFC4787 (i.e. endpoint-independent filtering, address-dependent filtering, or address and port-dependent filtering). The NAT type considered in the embodiment of the present invention has the filtering type "address and port-dependent filtering", and the embodiment is directed at local area networks whose NAT conforms to this type. Combining the "mapping" and "filtering" behaviors of the NAT with the send-receive order type, which is not described in RFC4787, the following cases arise:
1. P2P cannot be established between two hosts that both belong to NATs with send-receive-order-dependent mapping (not within the scope of discussion of the embodiments of the present invention);
2. The existing methods in the RFCs can establish P2P communication between two hosts that both belong to NATs with send-receive-order-independent mapping (also not within the scope of discussion of the embodiment of the invention);
3. If one host belongs to a NAT with send-receive-order-independent mapping and the other host belongs to a NAT with send-receive-order-dependent mapping, P2P communication can still be established between the two hosts, but the method for establishing it must handle the order problem of sending and receiving data on the mapping port.
Specifically, fig. 4 shows a schematic system structure diagram of NAT traversal in an embodiment of the present invention, where the system includes:
a first client in a first local area network, used for exchanging with a second client in a second local area network the mapping address of each NAT and the sequence type of the NAT, where the sequence type of the NAT is the correlation between the validity of the NAT mapping port and the order of sending and receiving data on that port, and the mapping address of the NAT comprises the external network IP address of the NAT and the mapping ports allocated by the NAT to the different IP addresses and ports of clients in the NAT's intranet; analyzing the sequence type of the second NAT to which the second client belongs and the sequence type of the first NAT to which the first client belongs; judging, according to the sequence type of the second NAT and the sequence type of the first NAT, whether a P2P data transmission channel can be established between the first client and the second client; and, if a P2P data transmission channel can be established between the first client and the second client, triggering the establishment of the P2P data transmission channel between them;
a second client in the second local area network, used for exchanging with the first client in the first local area network the mapping address of each NAT and the sequence type of the NAT, where the sequence type of the NAT is the correlation between the validity of the NAT mapping port and the order of sending and receiving data on that port, and the NAT mapping address comprises the external network IP address of the NAT and the mapping ports allocated by the NAT to the different IP addresses and ports of the intranet clients;
A first NAT device supporting communication between the first client and the external network for providing network address translation for the first client;
a second NAT device supporting communication between the second client and the external network for providing network address translation for the second client;
and the STUN server provides server side support of STUN protocol and is used for assisting the first client side and the second client side to pass through different NAT equipment through UDP protocol.
The first client and the second client complete the NAT sequence type identification process using the NAT detection method shown in figs. 1 to 3.
Based on this system, the clients can recognize the correlation between the validity of the NAT mapping port and the order of sending and receiving data on that port, so that P2P data transmission can be established between two hosts in different local area networks. The method supplements the division of NAT behaviors in RFC4787; with this NAT traversal approach, two clients located behind different NATs can detect their NAT behaviors before the P2P data transmission channel is established, learn each other's NAT types, and thereby predict whether a P2P channel can be established between them, improving the manner and efficiency of P2P channel establishment.
Specifically, fig. 5 shows a schematic diagram of a client structure in an embodiment of the present invention, where the client includes:
the NAT detection module is used for acquiring the sequence type of the NAT of the client based on the NAT detection method;
the NAT interaction module is used for interacting the mapping address of each NAT and the sequence type of the NAT between the first client in the first local area network and the second client in the second local area network, wherein the sequence type of the NAT is the correlation between the validity of an NAT mapping port and the data receiving and transmitting sequence on the port, and the NAT mapping address comprises an external network IP address of the NAT and mapping ports distributed by the NAT for different IP addresses and ports of the clients in the internal network;
the NAT analyzing module is used for analyzing the sequence type of the second NAT to which the second client belongs and the sequence type of the first NAT to which the first client belongs;
the judging and processing module is used for judging whether a P2P data transmission channel can be established between the first client and the second client according to the sequence type of the second NAT and the sequence type of the first NAT;
and the P2P data module is used for triggering and establishing the P2P data transmission channel between the first client and the second client when judging that the P2P data transmission channel can be established between the first client and the second client.
It should be noted that, the method of NAT detection implemented in the NAT detection module may be implemented based on the technical contents shown in fig. 1 to 3, which is not described herein in detail.
The P2P data module is configured to trigger, when the first client identifies that the order type of the second NAT to which the second client belongs is a NAT type of "send-receive order independent mapping", and the order type of the first NAT to which the first client belongs is a NAT type of "send-receive order dependent mapping", the first client to send a first tunneling request packet based on a STUN protocol to a second NAT mapping address to which the second client belongs based on a first NAT mapping address, where the first NAT mapping address is an external network IP address of the NAT to which the first client belongs and a mapping port allocated by the NAT to different IP addresses and ports of an intranet client, and the second NAT mapping address is an external network IP address of the NAT to which the second client belongs and a mapping port allocated by the NAT to different IP addresses and ports of the intranet client; receiving a penetration request response data packet sent by a second client to a first NAT mapping address to which the first client belongs based on the first penetration request data packet; and analyzing the penetration request response data packet, and establishing a P2P data transmission channel between the first client and the second client based on the penetration request response data packet.
The client can identify the correlation between the validity of the NAT mapping port and the order of sending and receiving data on that mapping port, so that P2P data transmission can be established between two hosts in different local area networks. The method supplements the division of NAT behaviors in RFC4787; with this NAT traversal approach, two clients located behind different NATs can detect their NAT behaviors before the P2P data transmission channel is established, learn each other's NAT types, and thereby predict whether a P2P channel can be established between them, improving the manner and efficiency of P2P channel establishment.
The NAT traversal method in the embodiment of the invention comprises the following steps: the method comprises the steps that an external network IP address, a mapping port and sequence types of NAT which each NAT belongs to are interacted between a first client in a first local area network and a second client in a second local area network, wherein the sequence types of the NAT are the correlation between the validity of the NAT mapping port and the data receiving and transmitting sequence on the mapping port; analyzing the sequence type of the second NAT to which the second client belongs and the sequence type of the first NAT to which the first client belongs; judging whether a P2P data transmission channel can be established between the first client and the second client according to the sequence type of the second NAT and the sequence type of the first NAT; and triggering to establish the P2P data transmission channel between the first client and the second client if the P2P data transmission channel can be established between the first client and the second client.
Suppose the NAT to which the first client belongs is a "NAT with send-receive-order-dependent mapping", the NAT to which the second client belongs is a "NAT with send-receive-order-independent mapping", and a P2P data transmission channel is to be established between the two clients. This may be performed according to the NAT traversal method flowchart shown in fig. 6, which shows the following steps in the embodiment of the present invention:
S601, the first client in the first local area network and the second client in the second local area network exchange information to obtain the sequence type of each NAT;
It should be noted that the sequence type of the NAT is the correlation between the validity of the NAT mapping port and the order of sending and receiving data on that mapping port. The sequence type of the NAT is obtained by the "sequence behavior detection" method of the NAT: each client initiates mapping behavior detection to the STUN server and identifies the mapping type of the NAT it belongs to based on that detection; when the mapping type of the NAT to which each client belongs is identified as the "endpoint-independent mapping NAT" type, filtering behavior detection is initiated to the STUN server, and the filtering type of the NAT to which each client belongs is identified based on that detection; and when the filtering type of the NAT to which each client belongs is identified as the "address and port-dependent filtering" NAT type, each client initiates sequence behavior detection to the STUN server and identifies the sequence type of the NAT it belongs to based on that detection.
Because the first client and the second client in the embodiment of the present invention both need to rely on the NAT order type to establish the P2P data transmission channel, they all need to adopt the NAT probing technical solutions shown in fig. 1 to 3 to acquire the respective NAT order type, and how to implement the NAT probing process is not repeated here.
In the implementation process of the step, the mapping address of each NAT and the sequence type of the NAT are interacted between the first client in the first local area network and the second client in the second local area network, wherein the sequence type of the NAT is the correlation between the validity of the NAT mapping port and the data receiving and transmitting sequence on the port, and the mapping address of the NAT comprises the external network IP address of the NAT and the mapping port distributed by the NAT for different IP addresses and ports of the intranet clients.
S602, analyzing the sequence type of a second NAT to which the second client belongs and the sequence type of a first NAT to which the first client belongs;
S603, judging whether a P2P data transmission channel can be established between the first client and the second client;
Here, whether a P2P data transmission channel can be established between the first client and the second client is determined according to the sequence type of the second NAT and the sequence type of the first NAT, in the following cases:
1. If both hosts belong to NATs with send-receive-order-dependent mapping, P2P cannot be established (not within the scope of discussion of the embodiment of the invention), and the flow ends;
2. If both hosts belong to NATs with send-receive-order-independent mapping, the existing methods in the RFCs can establish P2P communication between them (also not within the scope of discussion of the embodiment of the present invention), and the flow may proceed to step S607;
3. If one host belongs to a NAT with send-receive-order-independent mapping and the other host belongs to a NAT with send-receive-order-dependent mapping, the two hosts can still establish P2P communication, but the method of establishing it must handle the order problem of sending and receiving data on the mapping port. The invention provides a method of establishing P2P communication in this case; the currently common P2P establishment methods use the UDP-based STUN protocol, which is essentially UDP, and the flow may proceed to step S604.
S604, triggering the first client to send a first penetration request data packet based on a STUN protocol to a second NAT mapping address to which the second client belongs based on the first NAT mapping address;
specifically, when the first client identifies that the sequence type of the second NAT to which the second client belongs is a "NAT with send-receive sequence independent mapping" type, and the sequence type of the first NAT to which the first client belongs is a "NAT with send-receive sequence dependent mapping", the first client is triggered to send a first penetration request packet based on the STUN protocol to the mapping address of the second NAT to which the second client belongs (i.e., the external network IP address and the mapping port of the NAT to which the second client belongs) based on the first NAT mapping address (i.e., the external network IP address and the mapping port of the NAT to which the first client belongs).
S605, the first client receives a penetration request response data packet sent by the second client to a first NAT mapping address of the first client based on the first penetration request data packet;
S606, the first client analyzes the penetration request response data packet and establishes a P2P data transmission channel between the first client and the second client based on the penetration request response data packet;
specifically, establishing a P2P data transmission channel between the first client and the second client based on the penetration request response data packet includes: after the first client analyzes the penetration request response data packet, a P2P data transmission channel for transmitting data from the second client to the first client is established based on the penetration request response data packet; the first client sends a second penetration request data packet based on the STUN protocol to a second NAT mapping address of a second client based on the first NAT mapping address, and establishes a P2P data transmission channel for sending data from the first client to the second client based on the second penetration request data packet.
S607, establishing a P2P data transmission channel through the existing mode in RFC;
Step S607 involves: the existing methods in the RFCs can be used to establish P2P communication between two hosts whose clients both belong to NATs with send-receive-order-independent mapping; the specific method for establishing the P2P communication can be found in the implementation process described in the RFCs and is not repeated here.
End.
Based on this NAT traversal method, the clients can recognize the correlation between the validity of the NAT mapping port and the order of sending and receiving data on that port, so that the clients can establish P2P data transmission between two hosts in different local area networks. The method supplements the division of NAT behaviors in RFC4787; with this NAT traversal approach, two clients located behind different NATs can detect their NAT behaviors before the P2P data transmission channel is established, learn each other's NAT types, and thereby predict whether a P2P channel can be established between them, improving the manner and efficiency of P2P channel establishment.
The implementation of the NAT traversal system of fig. 4 is described in detail herein with reference to the method principle of fig. 6, and the specific steps are as follows:
After the first client and the second client establish P2P communication, a data packet sent by the first client to the second client passes in turn through the first client, the first NAT device and the second NAT device, and finally arrives at the second client; a data packet sent by the second client to the first client passes in turn through the second client, the second NAT device and the first NAT device, and finally arrives at the first client. The method for establishing P2P between a NAT with "order-dependent" mapping and a NAT with "order-independent" mapping may employ the following steps:
701. The first client and the second client obtain their respective NAT types using the NAT detection method of figs. 1 to 3; here the first NAT type of the first client is assumed to be a NAT with send-receive-order-dependent mapping, and the second NAT type of the second client a NAT with send-receive-order-independent mapping. At the same time, the first client and the second client each obtain the external network IP address and mapping port of their own NAT through the STUN server: the external network IP address and mapping port of the first NAT to which the first client belongs are assumed to be 10.10.10.10:10000, and those of the second NAT to which the second client belongs 20.20.20.20:20000.
702. The first client and the second client notify each other, through some intermediary (such as a third-party message forwarding server), of their NAT external network IP address and mapping port and of their NAT type (i.e. whether it is a NAT with send-receive-order-dependent mapping or a NAT with send-receive-order-independent mapping).
703. The client whose NAT type is "send-receive-order-dependent mapping" first sends a STUN binding request packet to the client whose NAT type is "send-receive-order-independent mapping" (this ordering can be achieved, for example, by coordination through the intermediary server, by delays, etc.); the client whose NAT is of the "send-receive-order-independent mapping" type then sends a STUN binding request packet to the client whose NAT is of the "send-receive-order-dependent mapping" type. The specific flow is as follows:
1) The first client sends a binding request packet based on the STUN protocol, namely the first penetration request packet, from the external network IP address and mapping port 10.10.10.10:10000 of the first NAT device to the external network IP address and mapping port 20.20.20.20:20000 of the second NAT device.
2) The second NAT device receives the STUN binding request from the external network IP address and mapping port 10.10.10.10:10000 of the first NAT device. This packet is necessarily intercepted and discarded by the second NAT device (or firewall), because before receiving the packet from 10.10.10.10:10000 the second NAT device (or firewall) had not sent data to IP address and port 10.10.10.10:10000; the second NAT device (or firewall) therefore discards the packet without forwarding it to the second client, and the second client does not receive the data sent by the first client. However, at this point the first NAT retains a four-tuple record (i.e. sender IP address + sender port number + receiver IP address + receiver port number) that IP address and port 10.10.10.10:10000 sent data to IP address and port 20.20.20.20:20000.
3) The second client then sends a packet from the external network IP address and mapping port 20.20.20.20:20000 of the second NAT device to the first NAT device. Since the first NAT device has a four-tuple record of the first NAT device sending data to the second NAT device (i.e. IP address and port 10.10.10.10:10000 sent data to IP address and port 20.20.20.20:20000), the first NAT device releases the packet and forwards it to the first client; the second NAT device now also holds a four-tuple record of the second NAT device sending data to the first NAT device (i.e. IP address and port 20.20.20.20:20000 sent data to IP address and port 10.10.10.10:10000).
4) Finally, the first client again sends data from the external network IP address and mapping port 10.10.10.10:10000 of the first NAT to the external network IP address and mapping port 20.20.20.20:20000 of the second NAT device. Since the second NAT device already holds the four-tuple record that its external network IP address and mapping port 20.20.20.20:20000 sent data to the external network IP address and mapping port 10.10.10.10:10000 of the first NAT device, the second NAT device releases the data and forwards it to the second client, so that a P2P channel is established from the first client to the second client. Since the transceiving channels in both directions between the first client and the second client are now established, a P2P data transmission channel is established between the first client and the second client.
The P2P data transmission channel between the first client and the second client can be established through the above sequence of steps. Conversely, if the second client sends data to the first client first, then because the first NAT device of the first client is of the send-receive-order-dependent mapping NAT type, the first NAT device masks the previous mapping port 10000 (i.e. mapping port 10000 is no longer used as the mapping port for the four-tuple send-receive relationship), so that the P2P data transmission channel cannot be established between the first client and the second client.
Fig. 7 shows a system structure diagram of NAT traversal under dual ports in an embodiment of the present invention. NAT-A of client A is a "transceiving sequence related mapping NAT" and NAT-B of client B is a "transceiving sequence unrelated mapping NAT"; the external network IP address of NAT-A of client A is 10.10.10.10, with two bound UDP ports, 10000 and 10001, and the external network IP address of NAT-B of client B is 20.20.20.20, with two bound UDP ports, 20000 and 20002. Client A and client B exchange their respective external network IP addresses and two sets of port numbers with each other through the message forwarding server. As shown in Fig. 7, after client A and client B have established P2P communication, a packet sent by client A to client B passes in turn through client A, NAT-A and NAT-B and finally reaches client B, and a packet sent by client B to client A passes in turn through client B, NAT-B and NAT-A and finally reaches client A. When client A initiates the UDP-based STUN binding request for establishing P2P, the specific procedure is as follows:
81. Client A first sends a STUN binding request from the external network IP address and mapping port 10.10.10.10:10000 of NAT-A to the external network IP address and port 20.20.20.20:20000 of NAT-B, to which client B belongs (client A sends the STUN binding request to port 20000, the smaller-numbered of client B's two ports), as shown by arrow index 1 in Fig. 7; the packet passes in turn through client A, NAT-A and NAT-B;
82. Since NAT-B of client B is of the "transceiving sequence unrelated mapping NAT" type, NAT-B of client B will not mask port 20000, but its policy is that it receives data from the IP address and port 10.10.10.10:10000 and forwards it to the intranet host only if NAT-B has previously sent data from IP address and port 20.20.20.20:20000 to 10.10.10.10:10000. NAT-B therefore discards the STUN binding request that NAT-A sends for the first time from its IP address and port 10.10.10.10:10000 to port 20.20.20.20:20000 of NAT-B, but the request leaves a record on NAT-A of client A, i.e. the four-tuple relation: IP address and port 10.10.10.10:10000 sent data to IP address and port 20.20.20.20:20000;
83. Next, client B sends a STUN binding request from the external network IP address and port 20.20.20.20:20000 of NAT-B to the external network IP address and mapping port 10.10.10.10:10000 of NAT-A, to which client A belongs, i.e. in the opposite direction of arrow 1 in Fig. 7. Since NAT-A recorded in step 82 the four-tuple relationship that IP address and port 10.10.10.10:10000 sent data to IP address and port 20.20.20.20:20000 of NAT-B, NAT-A of client A releases the data and forwards it to client A.
84. Finally, client A again sends a STUN binding request from the external network IP address and mapping port 10.10.10.10:10000 of NAT-A to the external network IP address and mapping port 20.20.20.20:20000 of NAT-B. Because step 83 established on NAT-B of client B a four-tuple relationship record between the external network IP address and mapping port of the NAT to which client B belongs and those of the NAT to which client A belongs (i.e. 20.20.20.20:20000 once sent data to 10.10.10.10:10000), NAT-B of client B releases the data and forwards it to client B. A bidirectional UDP-based P2P data transmission channel is thus established between client A, through the NAT-A external network IP address and mapping port 10.10.10.10:10000, and client B, through the NAT-B external network IP address and mapping port 20.20.20.20:20000 (that is, client A and client B can transmit data through the P2P channel).
85. While step 81 above is being executed, client B sends a STUN binding request from the external network IP address and mapping port 20.20.20.20:20002 of NAT-B to the external network IP address and mapping port 10.10.10.10:10001 of NAT-A (client B sends the STUN binding request to the larger-numbered of client A's two ports), as indicated by arrow index 2 in Fig. 7;
86. Since NAT-A is a transceiving sequence related mapping NAT, port 10001 of NAT-A is masked by NAT-A, i.e. NAT-A discards the port 10001 mapping that had been allocated for client A; this data transmission naturally fails, and all data subsequently sent to mapping port 10001 of NAT-A is discarded by NAT-A. Establishing P2P between client B, through the NAT-B external network IP address and mapping port 20.20.20.20:20002, and client A, through the NAT-A external network IP address and mapping port 10.10.10.10:10001, therefore fails;
87. Because in step 84 above client A and client B have already established a bidirectional P2P data transmission path between IP address and port 10.10.10.10:10000 and IP address and port 20.20.20.20:20000, it is no longer necessary to establish a P2P data path between the other two ports, i.e. 10001 of A and 20002 of B.
If client B initiates the UDP-based STUN binding request for establishing P2P, the procedure is as follows:
91. Client B sends a STUN binding request from the external network IP address and mapping port 20.20.20.20:20002 of NAT-B to the external network IP address and mapping port 10.10.10.10:10001 of NAT-A, as shown by arrow index 2 in Fig. 7;
92. Since NAT-A is a "transceiving sequence related mapping NAT", port 10001 of NAT-A is masked, i.e. NAT-A discards the port 10001 mapping; this data transmission fails, data subsequently sent to port 10001 of NAT-A is discarded by NAT-A, and establishing a P2P data channel between IP address and port 10.10.10.10:10001 of NAT-A and IP address and port 20.20.20.20:20002 of NAT-B therefore fails;
93. Client A then sends a STUN binding request from the external network IP address and mapping port 10.10.10.10:10000 of NAT-A to the external network IP address and mapping port 20.20.20.20:20000 of NAT-B, as shown by arrow index 1 in Fig. 7. The subsequent procedure is the same as steps 81-84 above and a P2P data channel can be established, so the description is not repeated.
In summary, when P2P establishment is implemented through the dual-port scheme, client A and client B must distinguish the active party from the passive party before performing P2P establishment. The purpose of this distinction is to decide which of the peer's two ports the local end sends data to first, that is, whether the local end first sends data to the peer's larger-numbered port or to its smaller-numbered port. For example, if the active party uses the two ports of its local end to send a P2P setup request to the passive party's smaller port, the passive party must use the two ports of its local end to send a P2P setup request to the active party's larger port, and vice versa. Once client A and client B have determined the active and passive parties (this information can be attached by the message forwarding server when it forwards the address, port and sequence type of each side's NAT to the other), the P2P data transmission channel can be established through the dual-port scheme regardless of which of NAT-A and NAT-B is the "sequence related mapping NAT" and which is the "sequence unrelated mapping NAT", and regardless of whether client A or client B issues the P2P setup request first.
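The single-port sequence of S703 and the dual-port scheme of Fig. 7 can be checked against a small simulation. The following Python model is an added example, not code from the patent or its applicant; it assumes endpoint-independent mapping with address-and-port-dependent filtering on both NATs (the only NAT class for which the description probes the sequence type) and models a "sequence related mapping" NAT as one that masks a mapping port the first time an unsolicited inbound datagram reaches it.

```python
from dataclasses import dataclass, field

Addr = tuple[str, int]  # (external IP address, port)


@dataclass
class Nat:
    """Toy model of one NAT device as characterised in the description.

    Both NAT types filter by address and port: an inbound datagram at a mapping port is
    forwarded to the intranet client only if a quadruple record shows that the port has
    already sent to that exact remote address and port.  A "transceiving sequence related
    mapping" NAT (sequence_dependent=True) additionally masks the mapping port when an
    unsolicited inbound datagram reaches it, after which the port is useless in both
    directions.  Endpoint-independent mapping is assumed, so the mapping port does not
    change with the destination (modelling assumptions, not claims of the patent).
    """
    name: str
    ext_ip: str
    sequence_dependent: bool
    records: set[tuple[Addr, Addr]] = field(default_factory=set)  # (local ext addr, remote addr)
    masked: set[int] = field(default_factory=set)                  # mapping ports dropped by the NAT

    def outbound(self, port: int, remote: Addr) -> bool:
        """Client sends out through mapping `port` to `remote`; False if the port was masked."""
        if port in self.masked:
            return False
        self.records.add(((self.ext_ip, port), remote))  # quadruple record left on this NAT
        return True

    def inbound(self, remote: Addr, port: int) -> bool:
        """Datagram from `remote` arrives at (ext_ip, port); True if it is forwarded inside."""
        if port in self.masked:
            return False
        if ((self.ext_ip, port), remote) in self.records:
            return True
        if self.sequence_dependent:
            self.masked.add(port)  # inbound arrived before any outbound to this remote: port dropped
        return False


def datagram(src: Nat, src_port: int, dst: Nat, dst_port: int) -> bool:
    """One UDP datagram from src's client, out through src, into dst; True if dst's client gets it."""
    if not src.outbound(src_port, (dst.ext_ip, dst_port)):
        return False
    return dst.inbound((src.ext_ip, src_port), dst_port)


def punch(init: Nat, init_port: int, resp: Nat, resp_port: int) -> bool:
    """The three-datagram STUN binding exchange of steps 1)-4) / 81-84, initiated by `init`.

    Returns True when a datagram passes in each direction afterwards, i.e. the P2P channel is up.
    """
    datagram(init, init_port, resp, resp_port)          # dropped at resp, but leaves a record on init
    back = datagram(resp, resp_port, init, init_port)   # passes init only if that record exists
    forth = datagram(init, init_port, resp, resp_port)  # passes resp thanks to the record just left there
    return back and forth


def dual_port_punch(active: Nat, active_ports: tuple[int, int],
                    passive: Nat, passive_ports: tuple[int, int],
                    passive_first: bool = False):
    """The dual-port scheme of Fig. 7.

    The active party initiates smaller port -> smaller port (arrow 1), the passive party
    initiates larger port -> larger port (arrow 2).  Returns the (active_port, passive_port)
    pair that ends up with an open channel, or None.  `passive_first=True` replays steps
    91-93, the default replays steps 81-87.
    """
    lo_a, hi_a = sorted(active_ports)
    lo_p, hi_p = sorted(passive_ports)
    exchanges = [
        (lambda: punch(active, lo_a, passive, lo_p), (lo_a, lo_p)),
        (lambda: punch(passive, hi_p, active, hi_a), (hi_a, hi_p)),
    ]
    if passive_first:
        exchanges.reverse()
    for run, pair in exchanges:
        if run():
            return pair  # step 87: the other port pair is no longer needed
    return None


def fig7_nats() -> tuple[Nat, Nat]:
    """Fresh NAT-A / NAT-B with the addresses and sequence types of Fig. 7."""
    return (Nat("NAT-A", "10.10.10.10", sequence_dependent=True),
            Nat("NAT-B", "20.20.20.20", sequence_dependent=False))


if __name__ == "__main__":
    a, b = fig7_nats()
    print("A (sequence related) initiates 10000<->20000:", punch(a, 10000, b, 20000))   # True
    a, b = fig7_nats()
    print("B initiates first on the same pair:", punch(b, 20000, a, 10000))             # False
    a, b = fig7_nats()
    print("dual port, B goes first:",
          dual_port_punch(a, (10000, 10001), b, (20000, 20002), passive_first=True))    # (10000, 20000)
```

Swapping the sequence types of the two NATs makes the other port pair (10001 and 20002) the one that succeeds, which is the point of the summary above: with the dual-port scheme neither the NAT types nor the initiating side need to be known in advance.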
Embodiments also provide a computer storage medium having instructions stored therein which, when run on a computer or processor, cause the computer or processor to perform one or more steps of the method of any of the embodiments described above. If the constituent modules of the above apparatus are implemented in the form of software functional units and sold or used as separate products, they may be stored in the computer-readable storage medium; on this understanding, the technical solution of the present application may be embodied, essentially or in whole or in part, in the form of a software product stored in the computer-readable storage medium.
The computer readable storage medium may be an internal storage unit of the apparatus according to the foregoing embodiment, such as a hard disk or a memory. The computer-readable storage medium may be an external storage device of the above device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), or the like. Further, the computer-readable storage medium may include both an internal storage unit and an external storage device of the above device. The computer-readable storage medium is used to store the computer program and other programs and data required by the apparatus. The above-described computer-readable storage medium may also be used to temporarily store data that has been output or is to be output.
Those skilled in the art will appreciate that all or part of the above-described embodiment methods may be implemented by a computer program stored in a computer-readable storage medium which, when executed, may perform the steps of the method embodiments described above. The aforementioned storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks or optical disks.
The foregoing has described embodiments of the invention in detail, explaining the principles and embodiments of the invention with specific examples; the description of the embodiments is intended only to facilitate an understanding of the method of the invention and its core concepts. At the same time, since those skilled in the art will vary the specific embodiments and the scope of application in accordance with the ideas of the present invention, the present description should not be construed as limiting the present invention.

Claims (10)

1. A method of NAT traversal, the method comprising the steps of:
exchanging, between a first client in a first local area network and a second client in a second local area network, the mapping addresses of their NATs and the sequence types of their NATs, wherein the sequence type of a NAT is the correlation between the validity of the NAT mapping ports and the data receiving and transmitting sequence on those ports, and the mapping address of a NAT comprises the external network IP address of the NAT and the mapping ports allocated by the NAT to the different IP addresses and ports of clients in the intranet of the NAT;
analyzing the sequence type of the second NAT to which the second client belongs and the sequence type of the first NAT to which the first client belongs;
judging whether a P2P data transmission channel can be established between the first client and the second client according to the sequence type of the second NAT and the sequence type of the first NAT;
and if the P2P data transmission channel can be established between the first client and the second client, triggering establishment of the P2P data transmission channel between the first client and the second client.
2. The NAT traversal method according to claim 1, wherein the sequence type of the NAT is obtained by a NAT probing method comprising:
each client initiating mapping behavior probing with the STUN server, and identifying the mapping type of the NAT to which each client belongs based on the mapping behavior probing;
when the mapping type of the NAT to which each client belongs is identified by the mapping behavior probing as the 'endpoint independent mapping NAT' type, initiating filtering behavior probing with the STUN server, and identifying the filtering type of the NAT to which each client belongs based on the filtering behavior probing;
when the filtering type of the NAT to which each client belongs is identified by the filtering behavior probing as the 'address and port dependent filtering NAT' type, initiating sequential behavior probing of each client with the STUN server, and identifying the sequence type of the NAT to which each client belongs based on the sequential behavior probing.
3. The method of NAT probing of claim 2, wherein each client initiating mapping behavior probing with the STUN server and identifying the mapping type of the NAT to which each client belongs based on the mapping behavior probing comprises:
sending a first STUN binding request to a first service IP address and a first service port of a STUN server by using a fixed IP address and a first client port of each client, and obtaining an external network IP address and a first mapping port of the NAT from a response of the first STUN binding request returned by the STUN server;
sending a second STUN binding request to a second service IP address and a first service port of the STUN server by using the fixed IP address and the first client port of each client, and obtaining an external network IP address and a second mapping port of the NAT from a response of the second STUN binding request returned by the STUN server;
and when the first mapping port and the second mapping port are judged to be the same, identifying the NAT type as the NAT type of the endpoint irrelevant mapping.
4. The method of NAT probing of claim 3, wherein initiating filtering behavior probing with the STUN server and identifying the filtering type of the NAT to which each client belongs based on the filtering behavior probing comprises:
sending a third STUN binding request to the first service IP address and the first service port of the STUN server using the fixed IP address and a second client port of each client, receiving the response to the third STUN binding request, and obtaining the external network IP address and a third mapping port of the NAT from that response;
sending a fourth STUN binding request to the first service IP address and the first service port of the STUN server using the fixed IP address and the second client port of each client, wherein the Change IP and Change Port attributes of the STUN request message are set to 1 in the fourth STUN binding request, which thereby asks the STUN server to reply to the fourth STUN binding request from the second service IP address and the second service port of the STUN server;
and receiving the response to the fourth STUN binding request returned by the STUN server and judging the NAT filtering type from it; if the client does not receive the response to the fourth STUN binding request and a receive timeout results, identifying the NAT filtering type as the 'address and port dependent filtering NAT' type.
5. The method of NAT probing of claim 4, wherein initiating sequential behavior probing of each client with the STUN server and identifying the sequence type of the NAT to which each client belongs based on the sequential behavior probing comprises:
sending a fifth STUN binding request to the first service IP address and the second service port of the STUN server using the fixed IP address and the second client port of each client, and obtaining the external network IP address and a fifth mapping port of the NAT from the response to the fifth STUN binding request returned by the STUN server;
analyzing whether the fifth mapping port is the same as the third mapping port: if they are the same, the NAT sequence type is the 'transceiving sequence unrelated mapping NAT' type, and if they differ, the NAT sequence type is the 'transceiving sequence related mapping NAT' type.
6. The NAT traversal method according to any one of claims 1-5, wherein, when it is determined that a P2P data transmission channel can be established between the first client and the second client, triggering establishment of the P2P data transmission channel between the first client and the second client comprises:
when the first client identifies that the sequence type of the second NAT to which the second client belongs is the 'transceiving sequence unrelated mapping NAT' type and the sequence type of the first NAT to which the first client belongs is the 'transceiving sequence related mapping NAT' type, triggering the first client to send a first penetration request packet based on the STUN protocol from the first NAT mapping address to the second NAT mapping address to which the second client belongs, wherein the first NAT mapping address is the external network IP address of the NAT to which the first client belongs together with the mapping port allocated by that NAT to the different IP addresses and ports of the intranet client, and the second NAT mapping address is the external network IP address of the NAT to which the second client belongs together with the mapping port allocated by that NAT to the different IP addresses and ports of the intranet client;
the first client receiving a penetration request response packet sent by the second client to the first NAT mapping address to which the first client belongs in reply to the first penetration request packet;
the first client analyzes the penetration request response data packet, and establishes a P2P data transmission channel between the first client and the second client based on the penetration request response data packet.
7. The NAT traversal method of claim 6, wherein the establishing a P2P data transfer channel between the first client and the second client based on the traversal request response packet comprises:
after the first client analyzes the penetration request response data packet, a P2P data transmission channel for transmitting data from the second client to the first client is established based on the penetration request response data packet;
and the first client sends a second penetration request data packet based on the STUN protocol to a second NAT mapping address to which the second client belongs based on the first NAT mapping address, and establishes a P2P data transmission channel for sending data from the first client to the second client based on the second penetration request data packet.
8. A client, the client comprising:
a NAT probing module, configured to acquire the sequence type of the NAT to which the client belongs based on the NAT probing method;
a NAT exchange module, configured to exchange the mapping address of each NAT and the sequence type of the NAT between the first client in the first local area network and the second client in the second local area network, wherein the sequence type of the NAT is the correlation between the validity of a NAT mapping port and the data receiving and transmitting sequence on that port, and the NAT mapping address comprises the external network IP address of the NAT and the mapping ports allocated by the NAT to the different IP addresses and ports of clients in the intranet;
a NAT analyzing module, configured to analyze the sequence type of the second NAT to which the second client belongs and the sequence type of the first NAT to which the first client belongs;
a judging and processing module, configured to judge whether a P2P data transmission channel can be established between the first client and the second client according to the sequence type of the second NAT and the sequence type of the first NAT;
and a P2P data module, configured to trigger establishment of the P2P data transmission channel between the first client and the second client when it is judged that the P2P data transmission channel can be established between the first client and the second client.
9. The client of claim 8, wherein the P2P data module is configured to: when the first client identifies that the sequence type of the second NAT to which the second client belongs is the "transceiving sequence unrelated mapping NAT" type and the sequence type of the first NAT to which the first client belongs is the "transceiving sequence related mapping NAT" type, trigger the first client to send a first penetration request packet based on the STUN protocol from the first NAT mapping address to which the first client belongs to the second NAT mapping address to which the second client belongs, where the first NAT mapping address is the external network IP address of the NAT to which the first client belongs together with the mapping port allocated by that NAT to the different IP addresses and ports of the intranet client, and the second NAT mapping address is the external network IP address of the NAT to which the second client belongs together with the mapping port allocated by that NAT to the different IP addresses and ports of the intranet client; receive a penetration request response packet sent by the second client to the first NAT mapping address to which the first client belongs in reply to the first penetration request packet; and analyze the penetration request response packet and establish a P2P data transmission channel between the first client and the second client based on the penetration request response packet.
10. A system for NAT traversal, the system comprising:
a first client in a first local area network, configured to exchange the mapping addresses of the NATs and the sequence types of the NATs with a second client in a second local area network, wherein the sequence type of a NAT is the correlation between the validity of the NAT mapping ports and the data receiving and transmitting sequence on those ports, and the NAT mapping address comprises the external network IP address of the NAT and the mapping ports allocated by the NAT to the different IP addresses and ports of clients in the intranet of the NAT; to analyze the sequence type of the second NAT to which the second client belongs and the sequence type of the first NAT to which the first client belongs; to judge whether a P2P data transmission channel can be established between the first client and the second client according to the sequence type of the second NAT and the sequence type of the first NAT; and, if the P2P data transmission channel can be established between the first client and the second client, to trigger establishment of the P2P data transmission channel between the first client and the second client;
the second client in the second local area network, configured to exchange the mapping address of each NAT and the sequence type of the NAT with the first client in the first local area network, wherein the sequence type of the NAT is the correlation between the validity of the NAT mapping port and the data receiving and transmitting sequence on the mapping port;
a first NAT device supporting communication between the first client and the external network, for providing network address translation for the first client;
a second NAT device supporting communication between the second client and the external network, for providing network address translation for the second client;
and a STUN server providing server-side support for the STUN protocol, for assisting the first client and the second client in traversing different NAT devices over the UDP protocol.
CN202210683265.0A 2022-06-16 2022-06-16 NAT penetration method, client and system Active CN115022281B (en)


Publications (2)

Publication Number Publication Date
CN115022281A CN115022281A (en) 2022-09-06
CN115022281B true CN115022281B (en) 2023-07-14

Family

ID=83074584


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant