Category: System Operations

2010-04-04 14:05:48


The advantages of NAT need no elaboration: it provides a family of techniques that let many internal hosts communicate with the outside world through a single public IP address, which has gone a long way toward relieving IPv4 address exhaustion. But is a host behind NAT, using a private address, really in the same position as a host with a public address? Has NAT solved every problem that address translation raises?
Below are the main things NAT does not handle, the so-called "drawbacks" of NAT.

Some application-layer protocols (FTP and SIP, for example) carry explicit network addresses inside their application data. Active-mode FTP uses separate connections for control traffic (commands) and data traffic (file contents). When the client requests a transfer, it tells the server, over the control connection, the network-layer and transport-layer address (IP address and port) on which it will accept the data connection. If the client is behind a simple NAT, the IP/port the server receives is the untranslated private address, so the server cannot connect back and the transfer fails.
The Session Initiation Protocol (SIP), which controls VoIP sessions, suffers the same problem. A SIP call uses several ports: signalling to set up the session and one or more RTP streams for the media. The IP addresses and port numbers are encoded in the SIP payload (the SDP body) and must be known before the NAT is traversed. Without special techniques such as STUN, NAT behaviour is unpredictable and these protocols fail when crossing it.

The rest of this post covers the special techniques that make NAT work with these application-layer protocols.

The most direct idea: since the NAT rewrites the IP address and port, rewrite the matching IP/port inside the application data too. This is what an Application Layer Gateway (ALG), in software or hardware, does. An ALG module running on the NAT firewall device updates any payload data that address translation has made invalid. The ALG must therefore understand the higher-layer protocol it fixes, so each protocol with this problem requires its own ALG.
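The two paragraphs above describe the failure (a PORT command announcing a private address) and the fix (an ALG rewriting it). The following Python is an added example, not code from the original post: it parses the RFC 959 `PORT h1,h2,h3,h4,p1,p2` command, models a minimal NAPT with a port counter, and shows the rewrite an FTP ALG performs. The client address 192.168.1.10, the NAT's public address 203.0.113.5 and the starting public port 40000 are constructed for the example.

```python
import re
import ipaddress

# Constructed scenario (not from the original post): a client at 192.168.1.10
# behind a NAPT whose public address is 203.0.113.5.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_port_command(line):
    """Parse an active-mode PORT command (RFC 959: 'PORT h1,h2,h3,h4,p1,p2')."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError("PORT field out of range: %r" % line)
    ip = ".".join(str(v) for v in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def format_port_command(ip, port):
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)


class SimpleNapt:
    """Minimal NAPT: one public address, a counter for public ports, no ALG."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (private_ip, private_port) -> public_port

    def map_inside(self, private_ip, private_port):
        key = (private_ip, private_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.table[key]

    def lookup_inbound(self, public_port):
        """Where should a connection arriving at public_port be delivered?"""
        for (ip, port), pub in self.table.items():
            if pub == public_port:
                return ip, port
        return None


def ftp_alg_rewrite(napt, line):
    """The job of an FTP ALG on the NAT box: when the PORT payload announces a
    private address, create a mapping for that data port and rewrite the command
    so the server is told an address it can actually reach."""
    ip, port = parse_port_command(line)
    if not is_rfc1918(ip):
        return line  # already routable; leave the payload alone
    pub_ip, pub_port = napt.map_inside(ip, port)
    return format_port_command(pub_ip, pub_port)


def server_can_connect_back(line):
    """Server's view: the data connection is only possible to a routable address."""
    ip, _ = parse_port_command(line)
    return not is_rfc1918(ip)
```

Without the ALG the server receives `PORT 192,168,1,10,4,210` and tries to open a data connection to 192.168.1.10:1234, which is unreachable from outside; with it the server sees `PORT 203,0,113,5,156,64` and its connection to port 40000 is delivered to the client's port 1234 via the mapping the ALG created. A real ALG also has to adjust TCP sequence and acknowledgement numbers when the rewritten command changes length, and it is blind once the control channel is encrypted (FTPS over TLS), the same limitation the IPsec discussion further down runs into.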

Another solution is NAT traversal, using protocols such as STUN or ICE, or proprietary methods in a session border controller. NAT traversal is possible for both TCP- and UDP-based applications, but the UDP-based technique is simpler, more widely understood and more compatible with legacy NATs. In either case the higher-layer protocol must be designed with NAT traversal in mind, and it does not work reliably across symmetric NATs or other poorly behaved legacy NATs.
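To make the STUN step concrete, here is an added Python example (not from the original post) of the RFC 5389 Binding transaction: the client builds a request, the server answers with the source address it saw, XOR-ed with the magic cookie in an XOR-MAPPED-ADDRESS attribute, and the client decodes its public mapping. A small classifier then applies the symmetric-NAT caveat from the paragraph above: if two different STUN servers report different mappings for the same local socket, the NAT is symmetric. The helper names and the sample addresses are this example's own.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """Client -> server. 20-byte header: type, length, magic cookie, 96-bit random ID."""
    tid = transaction_id if transaction_id is not None else os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid


def build_binding_response(request, seen_ip, seen_port):
    """Server -> client. The server reports the source IP/port the request arrived
    from (after NAT, the public mapping), XOR-ed with the magic cookie so that an
    ALG-style NAT cannot 'helpfully' rewrite the address inside the payload."""
    msg_type, _, cookie = struct.unpack("!HHI", request[:8])
    if msg_type != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding Request")
    tid = request[8:20]
    x_port = seen_port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(seen_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, x_port, x_addr)  # reserved, family=IPv4
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + tid + attr


def parse_mapped_address(response, expected_tid):
    """Client side: check the response belongs to our transaction, then decode
    XOR-MAPPED-ADDRESS into the (public_ip, public_port) the NAT assigned us."""
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding Success Response")
    if response[8:20] != expected_tid:
        raise ValueError("transaction ID mismatch: stale or spoofed response")
    body = response[20:20 + length]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            _, family, x_port, x_addr = struct.unpack("!BBHI", value)
            if family != 0x01:
                raise ValueError("only IPv4 is handled in this example")
            port = x_port ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", x_addr ^ MAGIC_COOKIE))
            return ip, port
    raise ValueError("response carries no XOR-MAPPED-ADDRESS")


def classify_nat(local, mapping_from_server_a, mapping_from_server_b):
    """Compare the local socket address with what two different STUN servers saw.
    Same mapping toward both destinations: a cone-type NAT, hole punching can
    work. Different mappings: a symmetric NAT, the case traversal does not
    handle reliably."""
    if mapping_from_server_a == local:
        return "no NAT"
    if mapping_from_server_a != mapping_from_server_b:
        return "symmetric NAT"
    return "cone NAT"
```

The transaction-ID check matters in practice: a STUN client that accepts any Binding Response can be fed a bogus public address by anyone who can inject UDP toward it.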


Other options are UPnP (Universal Plug and Play) or Bonjour (NAT-PMP), but these require the cooperation of the NAT device.


Most traditional client-server protocols (FTP being the main exception) do not send layer-3 contact information in their application data, so they need no special treatment from NATs. In fact, when designing a new higher-layer protocol today, avoiding such NAT complications is practically a requirement.


NAT also conflicts with applications that use IPsec, for instance when many SIP phones sit behind one NA(P)T. Phones that encrypt their signalling with IPsec carry the port information inside the IPsec packet, so the NA(P)T device cannot read or translate the port and falls back to plain NAT, translating addresses only. With no port to tell the phones' flows apart, all traffic returning to the NAT is mapped onto one client and the service fails for the others (this part is not entirely clear to me). There are a couple of solutions. One is to use TLS, which runs above the transport layer (the quoted source places it at layer 4 of the OSI model) and therefore leaves the TCP/UDP port numbers visible to the NAT. The other is to encapsulate the IPsec traffic in UDP, which is the approach TISPAN chose to achieve secure NAT traversal.


The DNS cache-poisoning vulnerability Dan Kaminsky announced on 8 July 2008 is indirectly affected by NAT port mapping. The recommended mitigation is for every caching DNS server to send its queries from randomized UDP source ports, so that an off-path attacker must guess the port as well as the 16-bit transaction ID. A DNS server behind a NAT firewall therefore needs the NAT to leave the UDP source ports of its outgoing queries untranslated, or at least not to replace them with predictable ones: if the NAT function de-randomizes the source ports, the DNS server is made vulnerable again, however well it randomizes internally.
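The paragraph above says a NAT can undo a resolver's source-port randomization; this added Python example (not part of the original post) shows the effect and the check a practitioner would run. It models a patched resolver, two NAPT behaviours (a counter-based one that hands out sequential public ports, and an RFC 4787 port-preserving one), and a predictability test on the ports an outside observer would see, for instance in a WAN-side packet capture. The resolver address, query count and seed are constructed for the example.

```python
import random

# Constructed scenario (not from the original post): a patched caching resolver
# behind a NAPT sends 200 upstream queries through two NAPT implementations.


def resolver_query_ports(n, rng):
    """A resolver patched after Kaminsky's disclosure picks a fresh random UDP
    source port for every upstream query (ephemeral range 1024-65535 here)."""
    return [rng.randrange(1024, 65536) for _ in range(n)]


class SequentialNapt:
    """A NAPT that hands out public ports from a counter, ignoring the inside
    port. This is the de-randomizing behaviour the text above warns about."""

    def __init__(self, first_port=1024):
        self.next_port = first_port
        self.table = {}

    def translate(self, inside_port):
        if inside_port not in self.table:
            self.table[inside_port] = self.next_port
            self.next_port += 1
        return self.table[inside_port]


class PortPreservingNapt:
    """A NAPT that keeps the inside source port whenever it is free
    (RFC 4787 'port preservation'), so the resolver's randomness survives."""

    def __init__(self):
        self.table = {}
        self.in_use = set()

    def translate(self, inside_port):
        if inside_port in self.table:
            return self.table[inside_port]
        public = inside_port
        while public in self.in_use:  # collision: take the next free port
            public = public + 1 if public < 65535 else 1024
        self.in_use.add(public)
        self.table[inside_port] = public
        return public


def predictable_fraction(ports):
    """Outside-observer check (WAN-side tcpdump, or the queried server's logs):
    how often is the next source port simply the previous one plus 1?"""
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if not steps:
        return 0.0
    return sum(1 for s in steps if s == 1) / len(steps)


def spoof_odds_per_forged_answer(ports):
    """Chance that one blind forged reply matches both the 16-bit TXID and the
    source port. With predictable ports only the TXID remains unknown."""
    if predictable_fraction(ports) > 0.5:
        return 1 / 65536
    return 1 / (65536 * (65536 - 1024))


def compare_napts(n=200, seed=1):
    """Run the same resolver traffic through both NAPT models."""
    rng = random.Random(seed)
    inside = resolver_query_ports(n, rng)
    seq, pres = SequentialNapt(), PortPreservingNapt()
    return {
        "inside": inside,
        "sequential": [seq.translate(p) for p in inside],
        "preserving": [pres.translate(p) for p in inside],
    }
```

The counter-based NAPT turns 16 bits of port entropy into a sequence an attacker can predict from a single observed query, collapsing the forgery search back to the transaction ID alone; the port-preserving NAPT passes the resolver's randomness through unchanged.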

Hosts behind NAT routers have no true end-to-end connectivity and cannot take part in some Internet protocols. Services that require TCP connections to be initiated from the outside network, and stateless protocols such as those running over UDP, can be disrupted: unless the NAT router makes a specific effort to support them, incoming packets cannot reach their destination. Some protocols tolerate one instance of NAT between the participating hosts (passive-mode FTP, for example), sometimes with the help of an application-level gateway, but fail when both systems are behind NAT. NAT also complicates tunnelling protocols such as IPsec, because rewriting the IP header (addresses or ports) breaks the integrity checks those protocols perform.
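The IPsec points made above (a NAPT cannot see ports inside IPsec, address rewriting breaks integrity checks, UDP encapsulation restores traversal) are shown in this added Python model, which is not code from the original post and deliberately simplifies IPsec to the properties at stake: AH's integrity check covers the IP header with only the mutable fields zeroed, ESP's covers only the ESP header and payload, and RFC 3948 NAT-T prepends a UDP header on port 4500. The key, addresses and truncated 96-bit HMAC-SHA256 are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key shared by the two IPsec peers; not from the original post.
KEY = b"constructed-demo-key"
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51


def ipv4_header(src, dst, proto, ttl=64):
    """20-byte IPv4 header; checksum left zero (a NAT recomputes it anyway)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def _ah_covered(ip_hdr):
    """AH computes its ICV over the IP header with only the mutable fields
    (TTL, checksum, ...) zeroed. Source and destination addresses are immutable
    in AH's view, so a NAT rewrite of them is indistinguishable from tampering."""
    covered = bytearray(ip_hdr)
    covered[8] = 0            # TTL
    covered[10:12] = b"\0\0"  # header checksum
    return bytes(covered)


def ah_protect(ip_hdr, payload):
    icv = hmac.new(KEY, _ah_covered(ip_hdr) + payload, hashlib.sha256).digest()[:12]
    return ip_hdr, icv, payload


def ah_verify(ip_hdr, icv, payload):
    expected = hmac.new(KEY, _ah_covered(ip_hdr) + payload, hashlib.sha256).digest()[:12]
    return hmac.compare_digest(expected, icv)


def esp_protect(spi, seq, payload):
    """ESP's ICV covers the ESP header and payload only, never the outer IP
    header, so address-only NAT does not break it."""
    esp = struct.pack("!II", spi, seq) + payload
    return esp + hmac.new(KEY, esp, hashlib.sha256).digest()[:12]


def esp_verify(esp_packet):
    esp, icv = esp_packet[:-12], esp_packet[-12:]
    return hmac.compare_digest(hmac.new(KEY, esp, hashlib.sha256).digest()[:12], icv)


def napt_rewrite_src(ip_hdr, new_src):
    """What a NAT does to an outbound packet: replace the source address."""
    return ip_hdr[:12] + socket.inet_aton(new_src) + ip_hdr[16:]


def napt_visible_ports(proto, l4_bytes):
    """What a NAPT can multiplex on. TCP/UDP expose ports in the first four
    bytes; ESP and AH expose none, so the NAPT can only do 1:1 address
    translation, which is why several phones behind one address collide."""
    if proto in (PROTO_TCP, PROTO_UDP):
        return struct.unpack("!HH", l4_bytes[:4])
    return None


def udp_encapsulate(esp_packet, src_port=4500, dst_port=4500):
    """RFC 3948 UDP encapsulation of ESP (NAT-T): an 8-byte UDP header in front
    of the ESP packet gives the NAPT a port pair to translate and track."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(esp_packet), 0)
    return udp + esp_packet
```

Running it shows the three outcomes the text describes: AH fails verification as soon as the NAT rewrites the source address; plain ESP survives address rewriting but offers the NAPT no ports; UDP-encapsulated ESP gives the NAPT a 4500/4500 port pair while the inner ESP still verifies.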


End-to-end connectivity has been a core principle of the Internet, supported for example by the Internet Architecture Board. Current Internet architecture documents observe that NAT violates the end-to-end principle, but also that NAT has a valid role in careful design. There is considerably more concern about NAT for IPv6; many IPv6 architects hold that IPv6 was meant to remove the need for NAT altogether.


Because the stateful translation tables in NAT routers are short-lived, a given mapping expires after a brief idle period, and devices on the internal network lose connectivity unless they implement NAT keep-alive by frequently sending traffic to outside hosts. That is wasted effort at best; on battery-powered handheld devices it dramatically shortens battery life and has held back wider deployment of IP-native Internet-enabled devices.


Some Internet service providers (ISPs) give their customers only "local" (private) IP addresses, so those customers reach everything outside the ISP's network through the ISP's NAT. They never get true end-to-end connectivity: there is always an ISP NAT in the middle, contrary to the core Internet principles laid out by the Internet Architecture Board.

The last drawback of NAT: by relieving IPv4 address exhaustion, its widespread adoption has greatly delayed the move to IPv6.
(Is that an advantage or a drawback?)
it is possible that its [NAT] widespread use will significantly delay the need to deploy IPv6
