
Networking: Detecting NAT

An analysis of how address sharing (NAT) is detected on a network
Now that we've described a system for classifying a NAT by its functionality and limitations, the next task is to examine a network endpoint to detect what kind of address translation is in effect, if any. NAT detection involves exchanging several probe packets with a remote "probe server" somewhere on the Internet (and clearly not behind NAT).

Not That Kind of Probe
The probe server is composed of 4 endpoints across 3 different IP addresses (whether by multihosting or coordinating between processes on separate host machines). The client endpoint initiates the NAT detection process by sending 2 request packets, and the server responds with 4 probes back to the apparent sender, as follows:

1. Request sent to Probe Server 1
   1a. Probe Server 1 sends response
   1b. Alternate Port sends probe
   1c. Alternate Host sends probe

2. Request sent to Probe Server 2
   2a. Probe Server 2 sends response

Because the Client Endpoint may or may not be behind NAT, each probe server sends its packets back at the "apparent" endpoint that originated the probe request. The client must wait for the probes to arrive or time out to determine the nature of its network connection.

Packet 1: Request to Probe Server 1
The initial packet tells the server to send 3 probes at the apparent address of the sender. If the Client Endpoint is behind NAT, this packet creates a mapping between it and Probe Server 1, so that some or all probe packets may be forwarded.

Packet 1a: Probe Server 1 Response
This packet acknowledges the initial Probe Request, telling the client that the process has started and demonstrating that it is not offline or firewalled from the Internet. It also returns the "apparent address" of the client back to the client endpoint itself. Since Packet 1 has already created an outgoing mapping, all NAT configurations should forward this packet successfully.

Packet 1b: Alternate Port Probe
If the client receives this packet, then it knows that the NAT mapping for this endpoint forwards traffic from any port on the remote host. If the client NAT rejects the packet, then it's likely that the NAT will reject all unsolicited messages from remote hosts.

Packet 1c: Alternate Host Probe
If the client receives this packet, it should expect the NAT mapping for this endpoint to forward traffic from any host on the Internet. If the client NAT rejects the packet, then it's likely that the NAT will reject all unsolicited messages from remote hosts.

Packet 2: Request to Probe Server 2
The second request tells a different probe server to send only 1 probe, the response packet, back to the "apparent" endpoint that originated the request. If there is an intervening NAT, this packet will either expand the previous mapping to include the new remote host, or a new mapping will be created with a different apparent address or port.

Packet 2a: Probe Server 2 Response
This message returns the "apparent" address of the client back to the client endpoint itself. By comparing this address with that returned in Packet 1b, the endpoint can determine whether the NAT uses the same mapping consistently for the same endpoint, or creates a new one on the fly each time.

Analyzing The Results
Before sending any probe requests, the client application assumes the most pessimistic view -- that it's either offline or blocked from Internet access. It then refines (improves) its opinion of the network limitations as response and probe packets are returned, up to a reasonable timeout period (say 5 seconds). This estimate is never lowered based on incoming data, as each response suggests additional features are supported -- or just confirms something it already knows.

Also note that this information only supplements what the operating system already knows -- if there are no active network interfaces, then the client application has a pretty good idea that it is offline without sending any probes.

Receive no packets: Offline or blocked network
By default, the client application assumes that it is offline or blocked. If no response packets arrive within the reasonable timeout period, then this becomes the final determination.

Receive packet 1a or 2a: Restrictive network or better
When the client receives a response to its probe request, it assumes that the network is up and that the NAT (if any) will forward packets from remote hosts that already have an established mapping with the local endpoint. In addition, the client application saves the contents of this packet, which indicate the "apparent" network address that the remote host observed.

Receive packets 1a and 2a and (1a == 2a): Consistent network or better
If the client receives a response to the second request, it compares the "apparent" network address returned in each packet. If both servers report the same host and port for the local endpoint, then the client can assume that its address mapping is consistent.

Receive packet 1b and 2a and (1b == 2a): Protective network or better
If the client receives a packet from an unsolicited port on the probe server, it knows that the NAT allows incoming packets from any port on a remote host when a mapping already exists for that host.

Receive packet 1c: Permissive network or better
If the client receives a packet from a host where no previous mapping exists, it knows that the NAT is very permissive or has been configured to forward incoming packets on that port. Note that a NAT may be explicitly configured to allow packets on a single port (if the user knows which port your software uses), or it may simply forward all unknown packets to this host (often called a demilitarized zone) -- but there is no automatic way to tell the difference.

Receive packets 1a and 1c and (1a == local): Direct network
If the client knows that it is on a permissive network, it compares the apparent host address and port against the address and port on the local interface it is bound to. If they are identical, the client may assume it is directly connected to the Internet and that no NAT is present -- or is sufficiently camouflaged as to make no difference.
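The classification rules above, written out as an added example (not code from the original article): it takes the set of probe packets that actually arrived, with the apparent address each one carried, and returns the best level the evidence justifies, only ever raising the estimate. The level names, the `ProbeResults` type and the sample addresses are assumptions for illustration; it also assumes every returned packet (1b included, as the "1b == 2a" rule implies) carries the apparent address.

```python
# Added example: classify an endpoint from returned NAT probes, following the
# "refine upward only" rule of the article. Level names are assumed labels.
from dataclasses import dataclass, field
from typing import Dict, Tuple

Addr = Tuple[str, int]  # (host, port) as observed by a probe server

# Ordered from most to least pessimistic; the index is the "level".
LEVELS = ["offline", "restrictive", "consistent", "protective", "permissive", "direct"]


@dataclass
class ProbeResults:
    local: Addr                                 # address the client socket is bound to
    received: Dict[str, Addr] = field(default_factory=dict)  # packet id -> apparent addr

    def record(self, packet_id: str, apparent: Addr) -> None:
        """Record one returned probe ("1a", "1b", "1c" or "2a") and its apparent address."""
        self.received[packet_id] = apparent


def classify(r: ProbeResults) -> str:
    """Return the highest level supported by the probes received so far."""
    level = 0  # default assumption: offline or blocked

    def raise_to(name: str) -> None:
        nonlocal level
        level = max(level, LEVELS.index(name))  # never lowered by incoming data

    got = r.received
    if "1a" in got or "2a" in got:                       # any response: network is up
        raise_to("restrictive")
    if "1a" in got and "2a" in got and got["1a"] == got["2a"]:
        raise_to("consistent")                           # same mapping for both servers
    if "1b" in got and "2a" in got and got["1b"] == got["2a"]:
        raise_to("protective")                           # other port on a mapped host OK
    if "1c" in got:                                      # unmapped host got through
        raise_to("permissive")
    if "1a" in got and "1c" in got and got["1a"] == r.local:
        raise_to("direct")                               # apparent address is our own
    return LEVELS[level]


if __name__ == "__main__":
    # Constructed scenario: a NAT that keeps one mapping but rejects other ports/hosts.
    r = ProbeResults(local=("192.168.1.10", 5000))
    r.record("1a", ("203.0.113.7", 40001))
    r.record("2a", ("203.0.113.7", 40001))
    print(classify(r))
```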
