Chinaunix首页 | 论坛 | 博客
  • 博客访问: 161789
  • 博文数量: 24
  • 博客积分: 2019
  • 博客等级: 大尉
  • 技术积分: 352
  • 用 户 组: 普通用户
  • 注册时间: 2010-01-22 17:36
文章分类
文章存档

2011年(2)

2010年(22)

我的朋友

分类: 网络与安全

2010-04-10 18:29:43

Notes: NAT Addressing and Port Mapping and Filter Behavior - RFC4787


  1. NAT Addressing and Port Mapping

    1. Endpoint-Independent Mapping

            The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port (X:x) to any external IP address and port. Specifically, X1':x1' equals X2':x2' for all values of Y2:y2.
    1. Address-Dependent Mapping

            The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port (X:x) to the same external IP address, regardless of the external port. Specifically, X1':x1' equals X2':x2' if and only if, Y2 equals Y1.
    1. Address and Port-Dependent Mapping

            The NAT reuses the port mapping for subsequent packets sent from the same internal IP address and port (X:x) to the same external IP address and port while the mapping is still active. Specially, X1':x1' equals X2:x2' if and only if Y2:y2 equals Y1:y1. 
         
    REQ-1: A NAT MUST have an "Endpoint-Independent Mapping" behavior.

  1. NAT Filtering Behavior

        The key behavior to describe is what criteria are used by the NAT to filter packets originating from specific external endpoints.
    1. Endpoint-Independent Filtering

            The NAT filters out only packets not destined to the internal address and port X:x, regardless of the external IP address and port source (Z:z). The NAT forwards any packets destined to X:x. In other words, sending packets from the internal side of the NAT to any external IP address is sufficient to allow any packets back to the internal endpoint.
    1. Address-Dependent Filtering

            The NAT filters out packets not destined to the internal address X:x. Additionally, the NAT will filter out packets from Y:y destined for the internal endpoint X:x if X:x has not sent packets to Y previously(independently of the port used by Y). In other words, for receiving packets from a specific external endpoint, it is necessary for the internal endpoint to send packets first to that specific external endpoint's IP address.
    1. Address and Port-Dependent Filtering

            This is similar to the previours behavior, except that the external port is also relevant. The NAT filters out packets not destined for the internal address X:x. Additionally, the NAT will filter out packets from Y:y destined for the internal endpoint X:x if X:x has not sent packets to Y:y previously. In other words, for receiving packets from a specific external endpoint, it is necessary for the internal endpoint to send packets first to that external endpoint's IP address and port. 

        REQ-8: If application transparency is most important, it is RECOMMENDED that a NAT have an "Endpoint-Independent Filtering" behavior. If a more stringent filtering behavior is most import, it is RECOMMENDED that a NAT have an "Address-Dependent Filtering" behavior.
        a) The filtering behavior MAY be an option configurable by the administrator of the NAT.

阅读(3295) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~