NAT Traversal Explained

NAT (Network Address Translation), also called network masquerading or IP masquerading, translates private IP addresses into public IP addresses that can be used on the public Internet. A network device that performs this translation is called a NAT router.

Before discussing NAT traversal, let us first ask why NAT is needed at all.

To answer that we have to look at the difference between IPv4 and IPv6. IPv4 specifies a 32-bit address, giving 2^32-1 addresses, while IPv6 specifies a 128-bit address, giving 2^128-1 addresses. To exaggerate a little, once IPv6 is widely deployed there will be enough addresses to give one to every speck of dust on earth. Back to our question: the answer should now be clear. NAT was created to cope with the shortage of IP addresses. It maps a public IP address and port to the IP address and port of a machine on the private network, so a small number of public addresses can stand in for a much larger number of private ones, which helps slow down IPv4 address exhaustion. The following figure gives an intuitive picture.

![NAT address mapping](https://static001.geekbang.org/infoq/d9/d95d361fb37b3d3210ea3b1df3c1c29f.png)

Let us raise a few questions first; keep them in mind while reading and you will know the answers by the end.

- How do two endpoints that both sit behind a NAT communicate?
- We do not know the peer's private IP. Even if we deliver a message to the peer's gateway, what then?
- How does the gateway know whom the message is for, and who authorized the gateway to forward it?

With that, let us look at the kinds of NAT.

### Kinds of NAT

#### By implementation

By **implementation**, NAT comes in three forms: **static translation**, **dynamic translation**, and **port multiplexing**.

**Static translation** translates a private IP address on the internal network into a public IP address with a fixed, one-to-one pairing: a given private IP address is always translated into the same public IP address. Static translation makes it possible for the external network to reach specific devices on the internal network, such as servers.

**Dynamic translation** means that when a private IP address on the internal network is translated into a public IP address, the public address is not fixed but chosen at random: any private IP address authorized to access the Internet can be translated into any address from a designated pool of legitimate IP addresses. In other words, once you specify which internal addresses may be translated and which legitimate addresses serve as external addresses, dynamic translation can take place. Dynamic translation can use several pools of legitimate external addresses. It is suitable when the number of legitimate IP addresses provided by the ISP is slightly smaller than the number of computers on the internal network.

**Port multiplexing** rewrites the source port of outgoing packets and translates ports, that is, Port Address Translation (PAT). With port multiplexing, all hosts on the internal network can share a single legitimate external IP address to access the Internet, which conserves IP address resources to the greatest extent. At the same time it hides every host on the internal network, which helps fend off attacks from the Internet. Port multiplexing is therefore the most widely used form of NAT today.

#### By function

By **function**, NAT falls into two broad categories: **cone NAT** and **symmetric NAT**. Cone NAT is further subdivided, and together with symmetric NAT this gives four types: **full cone NAT, symmetric NAT, IP-restricted cone NAT, and port-restricted cone NAT**. In short: a symmetric NAT uses one port per request, whereas a cone NAT (non-symmetric NAT) maps many requests (from outside to inside) onto one port: as long as the internal source IP and port stay the same, the NAT maps them to the same public port no matter which destination IP they are sent to, which, pictured, looks like a cone. The four types are introduced below.

**Full Cone NAT. Characteristic:** neither IP nor port is restricted. **Behaviour:** requests or listens from the same internal IP address and port are mapped to a listening port on the public IP. Any external IP address and port that sends to that mapped public port is redirected to the internal host. With this technique, either side of a client/server application can initiate the connection. Put simply, once the client has created a mapping from inside to outside, any other host or port can use this hole to send data to the client.

**Restricted Cone NAT. Characteristic:** IP restricted, port unrestricted. **Behaviour:** unlike a full cone NAT, once the port is mapped on the public side not every IP may send to it. The internal host must first have sent to a given external IP; after that, that external host may communicate with the internal host, and from any port. For example: after the client creates a mapping from inside to outside, machine A may actively connect to the client from any of its other ports, but machine B may not, because the IP is restricted while the port is free.

**Port Restricted Cone NAT. Characteristic:** both IP and port are restricted. **Behaviour:** stricter than a restricted cone NAT. In addition to the restricted cone properties, it also constrains the port of the replying host. That is, only after the internal host has sent a packet to an external host (say with IP address A and port P1) can that external host send UDP packets to the internal host using the public IP:PORT as destination address and port, and the source of those packets must be IP A and port P1 (IP A with port P2, or IP B with port P1, both fail). This further tightens the restriction on the source of external packets, so it is more secure than a restricted cone NAT.

**Symmetric NAT. Characteristic:** each session with a distinct external host or port is mapped to a different port (hole). **Behaviour:** only requests from the same internal IP:port to the same destination IP:PORT are translated by the NAT to the same public (external) IP:port; otherwise the NAT allocates a new external (public) IP:port. Moreover, only an external host that has previously received a request from the internal host can send packets back to it. The internal host uses the same IP and port to talk to several external IPs. When the client connects to server A (IP_A:PORT_A), the NAT maps it to NatIP:NatPortA; when the client connects to server B (IP_B:PORT_B), the NAT maps it to NatIP:NatPortB. So the same client talking to different destination IP:PORTs gets different public IP:PORTs after NAT. If B now wants to talk to the client, it can only do so through NatIP:NatPortB, not through NatIP:NatPortA. These are the four NAT types. From type 1 to type 4 the restrictions grow tighter and traversal becomes more complex.

### Advantages of NAT

NAT lets several computers go online at the same time while hiding their private IPs, which improves the security of the internal network. In addition, NAT checks incoming packets against its mapping table and drops any packet with no matching entry, which also improves security.

### Disadvantages of NAT

First, the NAT device must edit and rewrite each packet, which reduces forwarding efficiency. Second, protocols behave differently, and some cannot pass through NAT at all; this is what NAT traversal techniques have to solve. To use NAT traversal, you first need to know how to identify the NAT type.

### How to identify the NAT type?

![NAT classification chart](https://static001.geekbang.org/infoq/96/962961a6853b67c59f07877596b0868c.png)

As the figure shows, only four NAT types need to be detected. Here is a hand-drawn sketch by the author:

![Hand-drawn sketch of the four NAT types](https://static001.geekbang.org/infoq/0d/0ddc27eeeac6fd4a0dfdc8ea10b34c34.png)

First let us get a feel for NAT identification through the analogy of a male university student trying to get past the dormitory warden into the women's dorm.

- Full cone NAT: the warden lets any male student in, no matter who he is (is she his mother?).
- IP-restricted cone NAT: the warden only lets in male students from the same department as the campus belle.
- Port-restricted cone NAT: the warden only lets in male students from the same department who are also class officers.
- Symmetric NAT: a student has to exchange a secret password with the warden and gets in only if it is correct.

Before explaining identification, one important concept:

The difference between a symmetric NAT and a cone NAT lies in how many mapping-table entries the NAT router creates when the private machine talks to different public machines. **A symmetric NAT talking to N public machines creates N entries; a cone NAT talking to N public machines creates 1 entry.** This is why symmetric NAT is harder to traverse. Now on to identification.

#### Distinguishing symmetric NAT from cone NAT

![Symmetric versus cone NAT test](https://static001.geekbang.org/infoq/ca/ca3f4aac5e63b0e1c04932e2a8be5b6d.png)

1. The client sends a packet to Server 1; the gateway creates a public IP mapping, so the client IP address that Server 1 obtains is the client's public IP.
2. The client sends a packet to Server 2, which obtains the client's IP address (ip:port).
3. Server 1 sends the client address it obtained to Server 2, and Server 2 compares it with the client address it obtained itself. If the two client addresses are identical, the NAT is a cone NAT; otherwise it is a symmetric NAT.

#### Distinguishing full cone NAT from restricted cone NAT

![Full cone versus restricted cone test](https://static001.geekbang.org/infoq/29/29d5a26edf528f12bc07643dba7af162.png)

1. The client's network process sends a packet to Server 1, which obtains the client's IP address (its public IP address).
2. Server 1 sends the client's address to Server 2.
3. Server 2 sends a packet to the client at that address and checks whether the client receives it. If it does, the NAT is a full cone NAT; otherwise it is a restricted cone NAT.
4. After receiving the packet, the client's network process sends a packet to Server 1. If Server 1 receives it, the NAT is a full cone NAT; otherwise it is a restricted cone NAT.

Step 4 is there to make the identification reliable.

#### Distinguishing IP-restricted cone NAT from port-restricted cone NAT

![IP-restricted versus port-restricted test](https://static001.geekbang.org/infoq/95/95c364ac1f34007710b348dc99fc879e.png)

1. The client's network process sends a packet to the server (ip:8888), which obtains the client's IP address.
2. The server sends a packet to the client from the same IP but a different port (ip:8889). If the client receives it, the NAT is an IP-restricted cone NAT; otherwise it is a port-restricted cone NAT.
3. The client's network process sends a packet back to the server's port 8888. If the server receives it, the NAT is an IP-restricted cone NAT; otherwise it is a port-restricted cone NAT.

Likewise, step 3 is there to make the identification reliable.

### How does NAT traversal work?

There are 16 combinations for two clients traversing their gateways, but only 3 cases need to be considered:

1. Either side is a full cone NAT.
2. Both sides are restricted cone NATs.
3. Both sides are symmetric NATs, or one side is a restricted cone NAT and the other a symmetric NAT.

#### Traversing a full cone NAT

During traversal both private machines are behind NAT routers. As long as one of the two NATs is a full cone NAT, traversal is possible. The flow is shown below; NAT1 is a full cone NAT and NAT2 is any NAT.

![Traversing a full cone NAT](https://static001.geekbang.org/infoq/74/74e2d42d1314cbbe07eccf01126cad5f.png)

1. Private machine 1 (192.168.1.3:2341) sends a packet to the server (180.93.45.46:8888). The server obtains private machine 1's public IP address and port (112.93.14.56:43891).
2. On receiving the packet, the server notifies private machine 2 (192.168.2.6:6583); the notification contains private machine 1's public IP address and port (112.93.14.56:43891).
3. Private machine 2 (192.168.2.6:6583) receives the notification and sends data directly to private machine 1's public IP address and port (112.93.14.56:43891). Private machine 1 receives the packet and learns private machine 2's public IP address and port (iAddr:iPort).
4. Private machine 1 replies to private machine 2's public IP address and port (iAddr:iPort), and private machine 2 receives the reply. Traversal is complete.

#### Traversing a restricted cone NAT

A restricted cone NAT restricts which other public machines may send it data. If the full cone procedure above were used against a restricted cone NAT, private machine 1 would not receive private machine 2's packet in step 3 and traversal would fail.

The flow for traversing a restricted cone NAT is shown below.

![Traversing a restricted cone NAT](https://static001.geekbang.org/infoq/74/74e2d42d1314cbbe07eccf01126cad5f.png)

1. Private machine 1 (192.168.1.3:2341) sends a packet to the server (180.93.45.46:8888); the server obtains private machine 1's public IP address (112.93.14.56:43891).
2. The server sends a notification to private machine 2 (192.168.2.6:6583) containing private machine 1's public IP address (112.93.14.56:43891).
3. Private machine 2 sends a packet to private machine 1's public IP address (112.93.14.56:43891). Because NAT1 is a restricted cone NAT, private machine 1 does not receive it.
4. Immediately after step 3, private machine 2 sends a packet to the server (180.93.45.46:8888) asking that private machine 1 send data to private machine 2's public IP address.
5. The server notifies private machine 1; the notification contains private machine 2's public IP address (180.20.198.42:9681).
6. On receiving the notification, private machine 1 sends a packet to private machine 2's public IP address. Because private machine 2 already sent a packet to private machine 1's public IP address in step 3, NAT2 treats this packet as a reply to that step-3 packet and lets it through. NAT2 has now been traversed.
7. Private machine 2 replies to private machine 1, which traverses NAT1. Traversal is complete.

#### Traversing a symmetric NAT

A symmetric NAT assigns a different mapped port to each communication with a different public machine (the NAT creates two entries). If the restricted cone procedure were followed, the public IP address and port produced in step 3 could not be known precisely, so there is no way to tell the other side which public IP and port to use, and it comes down to educated guessing. The flow is shown below; NAT1 is a restricted cone NAT and NAT2 is a symmetric NAT.

![Traversing a symmetric NAT](https://static001.geekbang.org/infoq/ad/ad45bada5370674f6a48ea1fc7413a85.png)

1. Private machine 1 (192.168.1.3:2341) sends a packet to the server (180.93.45.46:8888) requesting traversal to private machine 2.
2. The server (180.93.45.46:8888) sends a notification to private machine 2 containing private machine 1's public IP address (112.93.14.56:43891).
3. Private machine 2 receives the notification and sends a packet to private machine 1's public IP address. Because NAT1 is a restricted cone NAT, the data is not allowed into the private network. At the same time, because NAT2 is a symmetric NAT, this transmission creates a new mapping entry with a new public address and port (iAddr:iPort).
4. After step 3, private machine 2 sends a packet to the server's other port, 8889. This also creates a new mapping entry on the router with a public address and port (mAddr:mPort), and the server learns this new public address and port (mAddr:mPort).
5. The server (180.93.45.46:8889) sends a notification to private machine 1 containing the new public address and port from step 4 (mAddr:mPort). Because iPort and mPort were allocated a very short time apart, the value of iPort, the port that must be traversed, can be inferred from mPort. To make the inference more accurate, one more entry can be created before mPort is produced, that is, the NAT router can be made to create an entry before step 3; this greatly improves the chance of a successful traversal.
6. Using the value of mPort, guess the value of iPort and send a packet to private machine 2's public address and port (mAddr:mPort). If the mPort value is accurate, NAT2 is traversed.
7. After the traversal packet is received, reply to it; traversal is complete.

**Note:** the port guess in step 6 can be attempted several times.

### NAT solutions

#### ICE

Interactive Connectivity Establishment. ICE is not a protocol but a framework that integrates STUN (Simple Traversal of UDP through NAT, a lightweight protocol and a complete UDP-based NAT traversal solution) and TURN (Traversal Using Relay NAT, an extension of STUN) so that the various NAT traversal techniques can be used in a unified way. When crossing the network, ICE first tries STUN to find out which type of NAT it is behind and which Internet-side port the NAT has bound for a given local port, and establishes a UDP connection; if that fails, ICE tries TCP (HTTP first, then HTTPS); if that still fails, it falls back to a relaying TURN server. Thus **ICE can interconnect devices across an unknown network topology**. Besides ICE there are UPnP, ALG (application-layer gateway) detection, SBC (session border controller), and others.

### Applications of NAT

NAT is used throughout the Internet, from home gateways to enterprise WAN egress and even carrier network egress. NAT is also widely used in audio and video communication, where NAT hole punching lets clients talk to each other directly and relieves the load on servers.

The main domestic audio/video solution vendors at present include **Agora**: https://www.agora.io/cn, **Easemob**: https://www.easemob.com/, and **ZEGO**: https://www.zego.im/. Among them, **Agora** uses its **own audio/video codec algorithms** and **strong resilience on poor networks**, keeping audio calls smooth at 80% packet loss and video calls smooth at 70% packet loss, and is the first choice for users who need international audio/video communication. Agora's audio processing uses industry-leading 3A algorithms that adapt intelligently to all kinds of environments, fully cancel echo, and deliver first-class double-talk performance; it removes all kinds of noise without degrading voice quality and provides automatic gain, so users get a good experience even in noisy surroundings. Try it here: https://www.agora.io/cn/audio-demo

### Closing remarks

I have tried to give a fairly thorough introduction to NAT, but as I am also a beginner in audio/video technology, some of the technical points may not be entirely accurate; if you spot a mistake, corrections in the comments are welcome. If this article helped you, consider following me.
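As an added example that is not from the original article, the following Python models the four NAT behaviours described above and runs the article's two-server identification tests and its restricted-cone and symmetric hole-punching sequence against them; the second server address, the NAT public addresses and the starting public port 40000 are constructed assumptions.

```python
"""Added example (not from the original article): a model of the four NAT
behaviours, the article's two-server identification tests, and its
restricted-cone / symmetric hole-punching sequence, all simulated offline.
Server and NAT public addresses are constructed for the example."""
from dataclasses import dataclass, field

FULL_CONE = "full cone"
IP_RESTRICTED = "ip-restricted cone"
PORT_RESTRICTED = "port-restricted cone"
SYMMETRIC = "symmetric"

PEER1 = ("192.168.1.3", 2341)      # private machine 1 (from the article)
PEER2 = ("192.168.2.6", 6583)      # private machine 2 (from the article)
SERVER1 = ("180.93.45.46", 8888)   # rendezvous server (from the article)
SERVER2 = ("180.93.45.47", 8888)   # second server IP, constructed


@dataclass
class Nat:
    """Minimal UDP NAT: mapping (which public port) + filtering (who may reply)."""
    kind: str
    public_ip: str
    next_port: int = 40000                          # constructed starting port
    mappings: dict = field(default_factory=dict)    # key -> public port
    sent_to: dict = field(default_factory=dict)     # public port -> {dst}

    def outbound(self, src, dst):
        """Translate an internal src -> dst packet; returns the public (ip, port)."""
        # A symmetric NAT allocates one mapping per (src, dst); cone NATs reuse
        # the same public port for a given src whatever the destination.
        key = (src, dst) if self.kind == SYMMETRIC else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.sent_to.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, src, pub_port):
        """True if a packet from public src to pub_port is let through."""
        peers = self.sent_to.get(pub_port)
        if not peers:
            return False                      # no mapping at all
        if self.kind == FULL_CONE:
            return True                       # anyone may use the hole
        if self.kind == IP_RESTRICTED:
            return any(ip == src[0] for ip, _ in peers)
        return src in peers                   # port-restricted / symmetric


def classify(nat):
    """The article's three pairwise tests, run against a modelled NAT."""
    pub_ip, pub_port = nat.outbound(PEER1, SERVER1)
    # Full vs restricted: a host the client has NOT yet contacted sends to
    # the learned port. This must run before the client talks to SERVER2,
    # otherwise a restricted cone would wrongly pass the probe.
    if nat.inbound(SERVER2, pub_port):
        return FULL_CONE
    # Symmetric vs cone: does a second destination reuse the same mapping?
    if nat.outbound(PEER1, SERVER2) != (pub_ip, pub_port):
        return SYMMETRIC
    # IP- vs port-restricted: same server IP, different source port (8889).
    if nat.inbound((SERVER1[0], 8889), pub_port):
        return IP_RESTRICTED
    return PORT_RESTRICTED


def punch(nat1, nat2, guess_offsets=(0,)):
    """Steps 1-7 of the restricted-cone sequence. Returns whether the packets
    of step 3, step 6 and step 7 got through. Extra offsets perform the
    symmetric-NAT port guess of step 6 (the article's 'try several times')."""
    pub1 = nat1.outbound(PEER1, SERVER1)        # step 1: server learns pub1
    pub2 = nat2.outbound(PEER2, pub1)           # steps 2-3: peer2 -> pub1
    step3 = nat1.inbound(pub2, pub1[1])         # dropped unless NAT1 is full cone
    seen = nat2.outbound(PEER2, SERVER1)        # step 4: what the server can see
    for off in guess_offsets:                   # steps 5-6: peer1 -> (guessed) port
        target = (seen[0], seen[1] + off)
        pub1b = nat1.outbound(PEER1, target)
        if nat2.inbound(pub1b, target[1]):      # NAT2 sees it as a reply to step 3
            return step3, True, nat1.inbound(target, pub1b[1])   # step 7 reply
    return step3, False, False
```

`punch` makes the three cases of the article visible: a full cone NAT1 already passes at step 3, two port-restricted cones pass at step 6, and a symmetric NAT2 passes only once a guessed port (`guess_offsets`) hits the mapping it created in step 3 rather than the one the server saw in step 4.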