Why can't I access my home computer in the company?

2025-04-06 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)11/24 Report--

The previous article, "Why do all IPs in our home start with 192.168?", mentioned that because IPv4 addresses are limited (at most about 4.2 billion), the network is divided into local area networks and wide area networks, and IP addresses into private IPs and public IPs, so that this limited supply can be used better. Many machines in a LAN can share one public IP, which greatly increases the "number of usable IPs".

Sending and receiving data is like sending and receiving parcels. When we send a network packet, at the IP layer we fill in a source IP address and a destination IP address, which correspond to the shipping address and the receiving address on a parcel.

The IP header contains the sender's and receiver's IP addresses, but a private IP such as 192.168.xx.xx is only meaningful inside our own LAN.

If we fill the packet in like that when sending, what happens when the other side returns a packet? After all, thousands of households use 192.168.0.1; how would the network know whom to deliver it to?

So the private 192.168.xx address definitely has to be converted to a public IP.

So at the end of the last article I left this question: private IPs are used inside the LAN and public IPs on the public network. If a private IP in a LAN wants to reach a public IP outside the LAN, an IP conversion is necessary. Where is this conversion done?

Where are private IPs and public IPs translated? The answer is a NAT device, short for Network Address Translation. Basically every home router supports this function.

Let's talk about how it works.

The working principle of NAT is simple. Suppose you are very rich and your home has been assigned the public IP address 20.20.20.20, which belongs to your home router with NAT enabled. Many devices in your home need Internet access, such as your phone and your computer; they form a LAN and use private IPs such as 192.168.xx.xx. When you run the ifconfig command on your computer, you find that its IP at home is 192.168.30.5. The public IP address you want to visit is 30.30.30.30.

So the topology looks like this.

The intranet IP accesses the public IP. When you are ready to send a packet, your computer's kernel protocol stack constructs an IP packet whose header carries the source IP address 192.168.30.5 and the destination IP address 30.30.30.30, and sends it to the NAT router.

At this point the NAT router modifies the source IP address in the packet, rewriting the private address 192.168.30.5 to the public address 20.20.20.20; this is called SNAT (Source Network Address Translation). It also keeps a mapping record 192.168.30.5 -> 20.20.20.20 inside the router for later use. After that the packet is forwarded by each router in the public network until it reaches the receiver 30.30.30.30, and the sending process ends.

When the receiver has finished processing the data and needs to send a response back to your computer, it fills in its own address 30.30.30.30 as the source and your public IP 20.20.20.20 as the destination, and the packet arrives at the NAT router. After receiving the packet from the public network, the router checks its mapping table, finds the record 192.168.30.5 -> 20.20.20.20, rewrites the destination IP to the intranet address 192.168.30.5 (this is called DNAT, Destination Network Address Translation), and forwards the packet to your computer.

Throughout the whole process, NAT quietly changed the sender and receiver IP addresses of the packets, while the real sender and receiver knew nothing about it.

This is how NAT works.

Having read this far, I believe everyone has a big question.

There is more than one machine in the LAN, and the mapping information that each of them leaves on the NAT will be 192.168.xx.xx -> 20.20.20.20. Sending is fine, but when a reply comes back, the router has no way to know which machine to hand it to.

This problem with plain NAT is so fatal that plain NAT is in fact rarely used.

What are we going to do?

The problem is that we cannot distinguish between the multiple network connections in the intranet.

So...

We can add other information to distinguish the various connections in the intranet, and ports naturally come to mind.

However, the IP packet (network layer) itself carries no port information. Ports are only found in the common transport layer protocols, TCP and UDP.

The TCP header has a port number.

The UDP header also has a port number. So the process looks like this.

When you are ready to send a packet, your computer's kernel protocol stack first constructs a TCP or UDP header with the port numbers written in it, for example source port 5000 and destination port 3000. Then, on top of that, it adds the IP header and fills in the sender's and receiver's IP addresses.

The packet looks like this.

The composition of the packet: assume the sender's IP address is 192.168.30.5 and the receiver's IP address is 30.30.30.30.

Send the packet to the NAT router.

At this point the NAT router changes the source IP address and port number in the packet from 192.168.30.5:5000 to 20.20.20.20:6000. It also leaves a mapping record 192.168.30.5:5000 -> 20.20.20.20:6000 inside the router. After that the packet is forwarded by each router in the public network until it reaches the receiver 30.30.30.30, and the sending process ends.

When the receiver sends a response, it fills in 30.30.30.30 as the source address and 20.20.20.20:6000 as the destination, and the packet arrives at the NAT router. The router finds the record 192.168.30.5:5000 -> 20.20.20.20:6000 it left earlier, changes the destination IP address and port back to the original 192.168.30.5:5000, and forwards the packet to your computer.

If there are multiple devices in the LAN, they are mapped to different public ports. After all, there are up to 65535 ports, which is plenty, so everyone can coexist peacefully.

A technology like this, which translates both IP and port, is NAPT (Network Address Port Translation).

Having read this far, a question arises.

So can only network protocols that use ports be identified and forwarded by NAT?

But how does that explain the ping command? Ping is based on the ICMP protocol, and ICMP messages contain no port information, yet I can still ping a public machine normally and receive reply packets.

In fact, the NAT router handles the ICMP protocol specially. The ping message header contains an Identifier field, which in practice is the process id of the process that issued the ping command.

To a NAT router, this Identifier acts like a port.

In addition, when we capture packets, we find two Identifier values displayed, one marked BE (Big Endian) and the other LE (Little Endian).

They are in fact the same value; only the byte order differs, so the value read out is different. It is like the number 345, which reads as 543 backwards. This is for compatibility with the different byte orders used by different operating systems, such as Linux and Windows.
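As an added example (not code from the original article), the Python below constructs an ICMP Echo Request, verifies its checksum, and reads the Identifier field both in big-endian wire order and as a little-endian reading, the two values a packet capture displays; the identifier 0x1234 and the payload are constructed sample values, and `nat_flow_key` is a hypothetical helper showing what a NAT can key on.

```python
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(identifier: int, sequence: int, payload: bytes) -> bytes:
    """Construct an ICMP Echo Request: type 8, code 0, checksum, Identifier, Sequence."""
    header = struct.pack("!BBHHH", 8, 0, 0, identifier, sequence)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, identifier, sequence) + payload

def parse_echo(packet: bytes) -> dict:
    """Return the Echo header fields, reading Identifier both as the wire (big-endian)
    value and as a little-endian host would display it (the BE/LE pair in a capture)."""
    icmp_type, code, _csum, ident_be, seq = struct.unpack("!BBHHH", packet[:8])
    (ident_le,) = struct.unpack("<H", packet[4:6])
    return {
        "type": icmp_type,
        "code": code,
        # recomputing the checksum over the whole message yields 0 when it is intact
        "checksum_ok": icmp_checksum(packet) == 0,
        "identifier_be": ident_be,
        "identifier_le": ident_le,
        "sequence": seq,
    }

def nat_flow_key(packet: bytes) -> tuple:
    """Hypothetical NAT lookup key for an Echo message: the Identifier plays the
    role that a port plays for TCP/UDP."""
    return ("icmp", parse_echo(packet)["identifier_be"])
```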

What is intranet penetration? Reading this far, we have probably also noticed something: if NAT is used to access the Internet, the private-network machine must actively initiate a request to the public IP, so that the NAT can translate the internal IP and port into an external IP and port.

Conversely, if a public machine wants to actively send a request to a private machine, it is blocked at the NAT router. Because the router has no mapping record for the relevant IP and port, it will not forward the data to any machine in the private network.

In a real-life scenario, you start an HTTP service on your home computer at 192.168.30.5. When you try to access it from your phone in the company office, you find that you can't.

Then the question arises, is there any way for the external network machine to access the intranet service?

Yes.

You should have heard the saying: "There is no problem that cannot be solved by adding a middle layer. If there is, add another layer."

It still applies here.

In the final analysis, because of NAT, a connection can only be initiated from the private network; otherwise the NAT device will not record the corresponding mapping, and without the mapping the data cannot be forwarded.

So we add a server x on the public network, expose an access domain name, and then let the intranet service actively connect to server x, so that the corresponding mapping exists on the NAT router. Then everyone accesses server x, which forwards the data to the intranet machine and returns the response along the same path, and the data is connected. This is called intranet penetration.

You don't need to build a server like server x yourself. There are many ready-made solutions that can be bought, such as Peanut Shell (花生壳).

With intranet penetration covered, we can answer the question in the title of the article.

Why can't I access my home computer in the company?

That's because the computer at home is in a LAN, and there is a NAT router between the LAN and the WAN. Because of the NAT router, an external service cannot actively connect to the computers in the LAN.

Then a question arises: how does chat software on two different intranets communicate?

My home machine is on my community's LAN, and the machine at Banhua's home is on their community's LAN. Both are in LANs, and NAT only allows connections from the internal network outward, so how does the QQ logged in on my computer connect with the QQ on Banhua's computer?

The services in the two LANs cannot be connected directly. The question above actually rests on a misunderstanding: that the two QQ clients connect to each other directly.

In fact they do not. There is a server between the two QQ clients.

The chat software actively establishes a connection to a public server: when both clients log in to QQ from their intranets, each actively connects to the public chat server, and the corresponding mapping is recorded on both parties' NAT routers. When a message is sent from one QQ, the data first goes to the server and is then forwarded by the server to the other client, and vice versa. In this way two intranet machines can exchange data.

How to establish a direct connection between two intranet applications? Above, the two clients communicate through a third-party server, but in some scenarios, such as P2P downloads, they need to set the third party aside and communicate directly. What then?

In this case, the help of a third-party server is in fact still indispensable.

Suppose there are again two machines, A and B, in two LANs. The NAT device of A's intranet is called NAT_A, the NAT device of B's intranet is called NAT_B, and there is a third-party server called server.

The process is as follows.

Steps 1 and 2: A actively connects to server. NAT_A leaves a mapping between A's internal address and external address, and server learns A's public IP address and port.

Steps 3 and 4: B does the same as A. Actively connecting to the third-party server leaves a mapping between B's internal and external addresses on NAT_B, and server learns B's public IP address and port.

Steps 5, 6 and 7: here is the key point. server sends A a message asking A to actively send a UDP packet to B's public IP address and port. When NAT_B receives this UDP packet from A, depending on NAT_B's settings it may forward the data directly to B, in which case A and B are connected. It may also simply drop the packet, but that doesn't matter: the purpose of this step is to leave a mapping for B on NAT_A.

Steps 8, 9 and 10: the same recipe as step 5. server sends B a message asking B to actively send a UDP packet to A's public IP address and port, which also leaves a mapping for A on NAT_B. Because NAT_A already has a mapping for B from before, NAT_A accepts B's packet normally and forwards it to A. At this point A and B can communicate normally. This is called NAT hole punching.

Step 11: note that we used UDP packets above purely to punch a hole in the NATs of the two LANs. In fact most applications use TCP connections, so A also needs to initiate a TCP connection to B at this point. With that, communication between the two ends is complete.
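The NAPT translation described in the sending and receiving walkthrough above and hole-punching steps 1 to 10 can be simulated together; the Python below is an added example, not code from the article. It models each NAT as a port-restricted cone NAT, so A's first packet to B is dropped at NAT_B (the "lose the packet" case of step 5) while still opening the hole on NAT_A; the public IP 40.40.40.40, the private address 192.168.1.9 and the server port 3478 are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class PortRestrictedNAT:
    """Toy port-restricted cone NAPT: one public IP, one public port per private flow."""
    public_ip: str
    next_port: int = 6000
    outbound: dict = field(default_factory=dict)  # (proto, priv_ip, priv_port) -> pub_port
    inbound: dict = field(default_factory=dict)   # pub_port -> (proto, priv_ip, priv_port)
    allowed: dict = field(default_factory=dict)   # pub_port -> {(remote_ip, remote_port)}

    def snat(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outbound: rewrite the source to (public_ip, pub_port), creating the mapping if new."""
        key = (proto, src_ip, src_port)
        if key not in self.outbound:
            pub = self.next_port
            self.next_port += 1
            self.outbound[key] = pub
            self.inbound[pub] = key
            self.allowed[pub] = set()
        pub = self.outbound[key]
        self.allowed[pub].add((dst_ip, dst_port))  # remember which remote endpoint we contacted
        return self.public_ip, pub

    def dnat(self, proto, src_ip, src_port, dst_port):
        """Inbound: return the private (ip, port) to forward to, or None to drop."""
        key = self.inbound.get(dst_port)
        if key is None or key[0] != proto:
            return None  # no mapping at all: unsolicited traffic from the public side
        if (src_ip, src_port) not in self.allowed[dst_port]:
            return None  # port-restricted: this remote endpoint was never contacted from inside
        return key[1], key[2]

def hole_punch():
    """Steps 1-10: returns (NAT_B's verdict on A's first packet, NAT_A's verdict on B's)."""
    nat_a = PortRestrictedNAT("20.20.20.20")
    nat_b = PortRestrictedNAT("40.40.40.40")   # constructed public IP for B's LAN
    server = ("30.30.30.30", 3478)             # constructed rendezvous server endpoint
    a = ("192.168.30.5", 5000)
    b = ("192.168.1.9", 5000)                  # constructed private endpoint for B
    # Steps 1-4: both hosts contact the server; each NAT creates a mapping and the
    # server learns the public (ip, port) of A and of B.
    a_pub = nat_a.snat("udp", *a, *server)
    b_pub = nat_b.snat("udp", *b, *server)
    # Steps 5-7: A sends to B's public endpoint. NAT_B has never seen A's public
    # endpoint as a destination, so it drops the packet; NAT_A now allows B's.
    nat_a.snat("udp", *a, *b_pub)
    first = nat_b.dnat("udp", *a_pub, b_pub[1])
    # Steps 8-10: B sends to A's public endpoint; NAT_A accepts it and forwards to A.
    nat_b.snat("udp", *b, *a_pub)
    second = nat_a.dnat("udp", *b_pub, a_pub[1])
    return first, second
```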

Having read about NAT hole punching this far, I guess you will have a doubt.

The port was already used by UDP, and then TCP reuses it; isn't that a port reuse error (address already in use)? Actually, no. Address-already-in-use errors are usually reported when two TCP connections reuse the same IP and port without SO_REUSEADDR; this error is not reported between UDP and TCP. The main reason for the error is that in the Linux kernel, when network data arrives, the kernel uniquely identifies the recipient of the data by the 5-tuple (transport protocol, source IP, destination IP, source port, destination port). When two 5-tuples are identical, the kernel cannot tell whom to deliver the data to. UDP and TCP differ in the "transport protocol" element, so their 5-tuples differ and the problem above does not arise.

NAPT is also divided into many types; can the hole-punching scheme above always succeed? It is true that NAPT is subdivided into several types, such as full-cone NAT and restricted NAT, but that is not the focus of this article, so I skipped it. What we are looking at is a cone NAT. The scheme above works for most scenarios, including the most restrictive one, port-restricted cone NAT.
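To see the 5-tuple point above in practice, the added Python below (not code from the article) binds a UDP socket and then a TCP socket to the same local port without SO_REUSEADDR, and then a second TCP socket to show the case that does fail. It binds the wildcard address 0.0.0.0 and lets the kernel choose the port.

```python
import socket

def bind_udp_then_tcp(host: str = "0.0.0.0") -> tuple:
    """Bind UDP to a kernel-chosen port, then TCP to the same port, then a second
    TCP socket to that port. Returns (port, tcp_bound, second_tcp_bound)."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((host, 0))                     # port 0: let the kernel pick a free port
    port = udp.getsockname()[1]

    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        tcp.bind((host, port))              # same IP and port, different transport protocol
        tcp_bound = True
    except OSError:
        tcp_bound = False

    tcp2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # no SO_REUSEADDR set
    try:
        tcp2.bind((host, port))             # same protocol too: identical local endpoint
        second_tcp_bound = True
    except OSError:                         # EADDRINUSE, "address already in use"
        second_tcp_bound = False

    for s in (udp, tcp, tcp2):
        s.close()
    return port, tcp_bound, second_tcp_bound
```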

Summary: IPv4 addresses are limited, but through a NAT router, many machines on an internal network can share a single public IP externally, greatly saving IP resources.

A private-network machine actively connects to a public IP, and the NAT in the middle converts the machine's private IP into the public IP, thereby realizing data exchange between the private network and the public network.

Plain NAT only modifies the sender and receiver IP addresses in the packet, which leads to conflicts when there are many intranet devices. Therefore NAPT, which modifies both the IP address and the port of the sender and receiver, is generally used instead.

Because of NAT, a public IP cannot reach a private-network service, but through intranet penetration technology it can. After a bit of work, you can access your home computer from the company network.

Last but not least, with NAT, IPv4 addresses, which were scarce, suddenly became plentiful.

Then why do we need IPv6?

In addition, IPv6 claims that there are so many addresses that every grain of sand can have its own IP address, so do we still need NAT?

This article comes from the official account of Wechat: rookie debug (ID:xiaobaidebug), author: Xiaobai
