NAT Traversal (TCP/UDP hole punching)

Posted on Edited on In , Symbols count in article: 15k Reading time ≈ 14 mins.

Friend ship

IPv4 addresses have dried up in 2019, so network operators have begun to promote IPv6 and use NAT technology on a large scale to recover public network IPv4 addresses. Without the public network IPv4 address, we cannot use many applications (such as a self-built web server). The solution is to use NAT traversal.

Backgroud

Network address translation (NAT) is a method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.[1] The technique was originally used as a shortcut to avoid the need to readdress every host when a network was moved. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

  • Advantages of NAT: increase the security of the internal network, such as hiding real IP and filtering illegal packets
  • Disadvantages of NAT:
  • The NAT device edits and modifies the data packets, which reduces the efficiency of sending data;
  • The applications of various protocols are different, and some protocols cannot pass NAT, that is, the PCs on both sides cannot directly establish a link.

NAT Type

We usually say NAT1 / NAT2 / NAT3 / NAT4, from NAT1 to NAT4, the restrictions are becoming stricter.

Full Cone NAT

This is NAT1, which is also desired by all BT users.

  1. Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort.
  2. Any external host can send packets to iAddr:iPort by sending packets to eAddr:ePort.

Example

Full Cone NAT

  1. Client A sends Packet-Z from port 4000 to server A’s port 8000
    Packet-Z analysis:
  • source IP and port number 192.168.0.2:4000
  • destination IP and port number 6.6.6.6:8000
  1. The router receives packet-z from client A port 4000 for the first time.
  • The router randomly opens an external port, such as 5000, here is 2.2.2.2:5000.
  • Map external port 2.2.2.2:5000 to 4000 port of intranet client A.
  • After that, all packets from client A’s 4000 port will be forwarded through router external port 5000.
  • After that, all packets destined for external port 5000 of the router will be done DNAT and forwarded to Client A.
  1. The router performs SNAT on the Packet-Z and forwards it.
    Packet-Z analyzes:
  • Source IP and port 2.2.2.2:5000
  • Destination IP and port 6.6.6.6:8000
  1. Server A receives packet-Z from client A on port 8000.
    Packet-Z analyzes:
  • Source IP and port 2.2.2.2:5000
  • Destination IP and port 6.6.6.6:8000
  1. Server A sends Packet-X to client A. The source port can be any port, and port 9000 is used here.
    Packet-X analyzes:
  • Source IP and port 6.6.6.6:9000
  • Destination IP and port 2.2.2.2:5000
  1. Router receives Packet-X and analyzes it
  • The destination IP and port of the packet-X point to the external port 2.2.2.2:5000
  • External port 2.2.2.2:5000 has been mapped to port 192.168.0.2:4000 of intranet client A.
  1. The router performs DNAT on packet-X and forwards it.
    Packet-X analyzes:
  • Source IP and port 6.6.6.6:9000
  • Destination IP and port 192.168.0.2:4000
  1. Client A receives packet-X from server A on port 4000.
    Packet-X analysis:
  • Source IP and port 6.6.6.6:9000
  • Destination IP and port 192.168.0.2:4000

Other IPs in the public network, such as server B / server C, etc., can connect with client A’s port 192.168.0.2:4000 through the router 2.2.2.2:5000.

This is why BT software likes users to be in NAT1 environment, because other BT users can easily connect with the port you have opened.

Address-Restricted Cone NAT

This is NAT2, which adds a restriction on the IP of external hosts based on NAT1 (Full Cone NAT).

  1. Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort.
  2. An external host (hAddr:any) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:any. “Any” means the port number doesn’t matter.

Example

Address-Restricted Cone NAT

  1. Client A sends packet-Z from port 4000 to server A port 8000.
    Packet-Z analyzes:
  • Source IP and port 192.168.0.2:4000
  • Destination IP and port 6.6.6.6:8000
  1. The router receives packet-z from client A port 4000 for the first time.
  • The router randomly opens an external port, such as 5000, here is 2.2.2.2:5000.
  • Map external port 2.2.2.2:5000 to 4000 port of intranet client A.
  • Associate external port 2.2.2.2:5000 with destination IP 6.6.6.6
  • After that, all packets from 192.168.0.2:4000 are forwarded through router external port 5000.
  • After that, the external port 2.2.2.2:5000 only receives packets from the IP 6.6.6.6, all other packets are dropped.
  1. The router performs SNAT on packet-Z.
    Packet-Z analyzes:
  • Source IP and Port 2.2.2.2:5000
  • Destination IP and Port 6.6.6.6:8000
  1. Server A receives packet-Z from client A on port 8000.
    Packet-Z analyzes:
  • Source IP and port 2.2.2.2:5000
  • Destination IP and port 6.6.6.6:8000
  1. Server A sends Packet-X to client A. The source port can be any port, here is 8000.
    Packet-X analyzes:
  • Source IP and port 6.6.6.6:8000
  • Destination IP and port 2.2.2.2:5000
  1. Router receives Packet-X and analyzes it.
  • The destination IP and port of the packet-X point to the external port 2.2.2.2:5000.
  • External port 2.2.2.2:5000 has been mapped to port 192.168.0.2:4000 of intranet client A.
  • External port 2.2.2.2:5000 has been associated with IP 6.6.6.6.
  1. The router performs DNAT on packet-X and forwards it.
    Packet-X analyzes:
  • Source IP and port 6.6.6.6:8000
  • Destination IP and port 192.168.0.2:4000
  1. Client A receives packet-X from server A on port 4000.
    Packet-X analysis:
  • Source IP and port 6.6.6.6:8000
  • Destination IP and port 192.168.0.2:4000

Other IPs in the public network, such as server B / server C, etc., all the packets sented for the router 2.2.2.2:5000 were dropped by the router because the router’s external port 2.2.2.2:5000 was not associated with their IP.

How other IPs connected with client A?

If server B wants to communicate with client A, it needs to follow steps 1-8 again, that is, client A first sends a data connection request to server B, and then server B can communicate with client A through the router.

How other BT users exchange data with us when we are under NAT2?

The following is the general steps, and the specific implementation details may differ.

  1. We need a middleman A, which can be a seed center or a seed user that we have connected.
  2. The middleman A tells us that user B wants to exchange seed data with us, and the IP address of user B is B.B.B.B: bPort
  3. We proactively sent a packet of invalid content to B.B.B.B: bPort.
  • The purpose of this packet is just to let the gateway do the mapping
  • This packet is eventually dropped. If user B is in NAT1 or without NAT, it will discard this packet when receiving it; if user B is also under NAT2, the packet will be dropped by user B’s gateway because it does not open the corresponding port.
  1. After receiving the packet, the gateway associates the external port (eAddr: ePort) with IP B.B.B.B and forwards it.
  2. We tell middleman A that the request has been sent.
  3. After middleman A receives the message that we have sent request to user B, it tells user B that data exchange with eAddr: ePort is possible.
  4. User B receives the message and sends a request to eAddr: ePort to exchange seed data.
  5. After we receive the message from user B, then we can exchange seed data.

Port-Restricted Cone NAT

This is NAT3, which adds restrictions on external host port numbers based on NAT2 (Address-Port Cone NAT).

  1. Once an internal address (iAddr:iPort) is mapped to an external address (eAddr:ePort), any packets from iAddr:iPort are sent through eAddr:ePort.
  2. An external host (hAddr:hPort) can send packets to iAddr:iPort by sending packets to eAddr:ePort only if iAddr:iPort has previously sent a packet to hAddr:hPort.

Example

Port-Restricted Cone NAT

  1. Client A sends packet-Z from port 4000 to server A port 8000.
    Packet-Z analyzes:
  • Source IP and port 192.168.0.2:4000
  • Destination IP and port 6.6.6.6:8000
  1. The router receives packet-z from client A port 4000 for the first time.
  • Randomly opens an external port, such as 5000, here is 2.2.2.2:5000.
  • Map external port 2.2.2.2:5000 to 4000 port of intranet client A.
  • Associate external port 2.2.2.2:5000 with destination IP and port 6.6.6.6:8000.
  • After that, all packets from 192.168.0.2:4000 are forwarded through router external port 5000.
  • After that, the external port 2.2.2.2:5000 only receives packets from the IP 6.6.6.6:8000, all other packets are dropped.
  1. The router performs SNAT on packet-Z.
    Packet-Z analyzes:
  • Source IP and Port 2.2.2.2:5000
  • Destination IP and Port 6.6.6.6:8000
  1. Server A receives packet-Z from client A on port 8000.
    Packet-Z analyzes:
  • Source IP and port 2.2.2.2:5000
  • Destination IP and port 6.6.6.6:8000
  1. Server A sends Packet-X to client A. The source port must be specify port, here is 8000.
    Packet-X analyzes:
  • Source IP and port 6.6.6.6:8000
  • Destination IP and port 2.2.2.2:5000
  1. Router receives Packet-X and analyzes it.
  • The destination IP and port of the packet-X point to the external port 2.2.2.2:5000.
  • External port 2.2.2.2:5000 has been mapped to port 192.168.0.2:4000 of intranet client A.
  • External port 2.2.2.2:5000 has been associated with IP and port 6.6.6.6:8000.
  1. The router performs DNAT on packet-X and forwards it.
    Packet-X analyzes:
  • Source IP and port 6.6.6.6:8000
  • Destination IP and port 192.168.0.2:4000
  1. Client A receives packet-X from server A on port 4000.
    Packet-X analysis:
  • Source IP and port 6.6.6.6:8000
  • Destination IP and port 192.168.0.2:4000

In this case, the non-8000 port of server A cannot communicate with client A, and other IPs (server B / server C) cannot communicate with client A even more.

How other BT users exchange data with us when we are under NAT3?

The following is the general steps, and the specific implementation details may differ.

  1. We need a middleman A, which can be a seed center or a seed user that we have connected.
  2. The middleman A tells us that user B wants to exchange seed data with us, and the IP address of user B is B.B.B.B: bPort
  3. We proactively sent a packet of invalid content to B.B.B.B: bPort.
  • The purpose of this packet is just to let the gateway do the mapping
  • This packet is eventually dropped. If user B is in NAT1 or without NAT, it will discard this packet when receiving it; if user B is also under NAT2, the packet will be dropped by user B’s gateway because it does not open the corresponding port.
  1. After receiving the packet, the gateway associates the external port (eAddr: ePort) with IP B.B.B.B and forwards it.
  2. We tell middleman A that the request has been sent.
  3. After middleman A receives the message that we have sent request to user B, it tells user B that data exchange with eAddr: ePort is possible.
  4. User B receives the message and sends a request to eAddr: ePort to exchange seed data.
  5. After we receive the message from user B, then we can exchange seed data.

Symmetric NAT

This is NAT4, the strictest NAT currently.
Based on NAT3 (Port-Restricted Cone NAT), restrictions on the external port of the router and the IP and port numbers of the associated internal and external hosts are added.

  1. Each request from the same internal IP address and port to a specific destination IP address and port is mapped to a unique external source IP address and port; if the same internal host sends a packet even with the same source address and port but to a different destination, a different mapping is used.
  2. Only an external host that receives a packet from an internal host can send a packet back.

Example

Symmetric NAT

  1. Client A sends packet-Z from port 4000 to server A port 8000.
    Packet-Z analyzes:
  • Source IP and port 192.168.0.2:4000
  • Destination IP and port 6.6.6.6:8000
  1. The router receives packet-z from client A port 4000 for the first time.
  • Randomly opens an external port, such as 5000, here is 2.2.2.2:5000.
  • Map external port 2.2.2.2:5000 to 4000 port of intranet client A.
  • Associate external port 2.2.2.2:5000 with destination IP and port 6.6.6.6:8000.
  • After that, the external port 2.2.2.2:5000 only receives packets from the IP 6.6.6.6:8000, all other packets are dropped.
  • After that,the external port 2.2.2.2:4000 only forwards the packets sent from the internal client A 4000 port to the destination IP 6.6.6.6:8000.
  • The packets sent from client A 192.168.0.2:4000 to other IPs or ports are re-opened an external port by router.
  1. The router performs SNAT on packet-Z.
    Packet-Z analyzes:
  • Source IP and Port 2.2.2.2:5000
  • Destination IP and Port 6.6.6.6:8000
  1. Server A receives packet-Z from client A on port 8000.
    Packet-Z analyzes:
  • Source IP and port 2.2.2.2:5000
  • Destination IP and port 6.6.6.6:8000
  1. Server A sends Packet-X to client A. The source port must be specify port, here is 8000.
    Packet-X analyzes:
  • Source IP and port 6.6.6.6:8000
  • Destination IP and port 2.2.2.2:5000
  1. Router receives Packet-X and analyzes it.
  • The destination IP and port of the packet-X point to the external port 2.2.2.2:5000.
  • External port 2.2.2.2:5000 has been mapped to port 192.168.0.2:4000 of intranet client A.
  • External port 2.2.2.2:5000 has been associated with IP and port 6.6.6.6:8000.
  1. The router performs DNAT on packet-X and forwards it.
    Packet-X analyzes:
  • Source IP and port 6.6.6.6:8000
  • Destination IP and port 192.168.0.2:4000
  1. Client A receives packet-X from server A on port 4000.
    Packet-X analysis:
  • Source IP and port 6.6.6.6:8000
  • Destination IP and port 192.168.0.2:4000
  1. Data packet-Y from client A 192.168.0.2:4000 to server A 6.6.6.6:9000 needs to perform steps 1-8 again, as in the second case in the picture above.
How other BT users exchange data with us when we are under NAT4?
The other users is not under NAT4

The following is the general steps, and the specific implementation details may differ.

  1. We need a middleman A, which can be a seed center or a seed user that we have connected.
  2. The middleman A tells user B that we wants to exchange seed data with it, and the IP address of us is eAddr:ePort
  3. User B proactively sent a packet of invalid content to eAddr:ePort.
  • The purpose of this packet is just to let the gateway do the mapping
  • This packet will be dropped by our gateway.
  1. B tell middleman A that the request has been sent.
  2. Middleman A receives the message then tells us that data exchange with B.B.B.B:bPort is possible.
  3. We send the request packet to B.
  4. After gateway receiving the packet, associates the external port (eAddr: ePort) with IP B.B.B.B and forwards it.
  5. User B receives the message and sends a respond to eAddr: ePort to exchange seed data.
Both sides are under NAT4

If both BT users are under NAT4, the connection cannot be established directly because the external port ePort opened by the two routers cannot be determined.
If the two parties really need to communicate, they can forward through the middleman.

NAT traversal

One. Middleman forwarding

The most reliable and inefficient point-to-point communication method is to treat p2p network communication as a C / S structure and forward information through the server.
As shown in the following picture, Server S has a fixed IP address on the public network, two clients A and B have initiated a TCP or UDP connection with server S. A and B’s NAT device will not allow them to connect directly, Server S will relay the message.

Intermediate server forwarding

Two. Reverse connection

This is the second technique, but it can only be used when only one end is behind NAT.
For example, client A is behind NAT and client B has a public IP address, as shown below.

Reverse connection

  1. Now we assume that client B will initiate a connection session with client A.
  2. B will first try to connect to an IP of A. Client A considers it’s own address 10.0.0.1:1234 or the address 155.99.25.11:62000 observed from server S. However, neither connection can be successful.
  • The first case: Attempting to connect to 10.0.0.1 will definitely fail, because 10.0.0.1 is not an IP address that can be routed on the public network.
  • In the second case, the request from B will reach port 62000 of NAT A, but NAT A will reject the connection request because only outgoing connections are allowed to enter. After all attempts fail, client B can only ask server S for help, server S tells A to make a “reverse” connection to client B. Client A will open a connection to communicate with client B (on B’s public IP address and port number). NAT A allows this connection to pass because the connection comes from inside. And at the same time, client B can accept this connection. Because B is not behind NAT.

The advantage of this method is that it is also suitable for any NAT including Symmetric NAT. The only limitation is that only one client can be behind NAT.

Three. UDP/TCP hole punching

This is the third method of penetration, as long as both parties are not behind NAT4 Symmetric NAT.

UDP/TCP Hole Punching

Process

Because TCP needs a handshake three times to establish a connection, this method generally uses the UDP protocol, but the process is basically the same

  1. After both the client and the server communicate through UDP, the gateway defaults to a mapping of the external network IP and port number to your internal network IP and port number. This does not need to be set, and the server does not need to know the client’s real internal IP.
  2. Client A learns the external network address and port of Client B from the server.
  3. Client A sends a message to the external network address and port of client B. In this transmission, the gateway of client B will reject the message because there is no such rule in its mapping. But client A’s gateway will add an allow rule to allow receiving messages from B.
  4. The server asks client B to send a message to client A’s external IP and port number.
  5. Client B sends a message. At this time, client A can receive the message from B, and gateway B also adds an allow rule.
  6. Later, since gateway A and gateway B have added permission rules, both A and B can send messages to each other’s external IP and port number.

Tools of hole punching

TCP hole punching,It is divided into android and server. The server is placed on the internal network. The android phone uses the mobile network and / or accesses the internal network wifi.

References:

  • csdn-nat
  • csdn-nate-2
  • wikipedia-nat
  • ietf-rfc-3489