NAT/Firewall 穿越技术

常见的 NAT 种类

Full Cone Restricted Cone Port Restricted Cone Symmetric NAT

Full Cone

Restricted Cone(1/2)

Restricted Cone(2/2)

Port Restricted Cone

Symmetric NAT

NAT Detection Flow

防火牆造成的問題

NAT 造出的问题

NAT/Firewall 穿越技术

IPV6(Internet Protocol Version 6) UPnP(Universal Plug and Play) TRUN(Traversal Using Relay NAT) ALG(Application Layer Gatewqy) ICE(Interactive Connectivity Establish) STUN(Simple Traversal of UDP

Through Netwoek Address Translators)

UPnP

Universal Plug and Play

It's being pushed by Microsoft

A UPnP-aware client can ask the UPnP-enabled NAT how it would map a particular IP:port through UPnP

UPnP Operation

STUN(1/2)

Simple Traversal of UDP Through Network Address Translators

需要在 NAT 外部架设 STUN Server Client 端需有特殊的 STUN Client 功能 无法穿透 symmetric NAT 未来将被 ICE 整合

STUN(2/2)

TURN(1/2)

Traversal Using Relay NAT 主要是为了解決 symmetric NATs 必须要架設 TURN Server 未来也将被包含进 ICE

TURN(2/2)

SIP using STUN

1 STUN SharedSecretRequest/TLS

9 100 Trying

User Agent 1

10.2.1.1

STUN Server Registrar/Proxy User Agent 2

7 INVITE Contact:UA1@192.0.2.101

10 200 OK

NAT

192.0.2.101

2 STUN SharedSecretResponse/TLS

3 STUN BindingtRequest/UDP

4 STUN BindingResponse/UDP

6 200 OK

5 REGISTER Contact:UA1@192.0.2.101

8 INVITE Contact:UA1@192.0.2.101

11 200 OK

12 ACK

13 ACK

RTP Media Session

SIP using TURN

User Agent 1

10.2.1.1

STUN/TURN Svr 1 STUN/TURN Svr 2 User Agent 2

192.168.1.1

NAT 1 NAT 2

1 STUN Requests

2 STUN Responses

3 STUN Requests

4 STUN Responses

7 180 Ringing

8 200 OK

9 ACK

12 Peer-to-Peer STUN Responses

11 Peer-to-Peer STUN Requests

14 Peer-to-Peer STUN Responses

13 Peer-to-Peer STUN Requests

RTP Media Session

Established using Derived Transport Addresses

Proxy

5 INVITE 6 INVITE

10 ACK

ALG(1/2)

Application Layer gateway It Understands the signalling messages

and their relationship with the resulting media flows.

It can modify the signalling to reflect the public IP address and ports being used by singalling and media traffic.

ALG(2/2)

ICE

Interactive Connectivity Establishment 非 protocol 而是 framework 主要技术包括： STUN, TRUN, SIP 目前仍在 RFC 草案讨论阶段