NAT Traversal Principles Explained

NAT (Network Address Translation), also called network masquerading or IP masquerading, maps private IP addresses onto public IP addresses that can be used on the Internet. The device that performs the mapping is called a NAT router.

Before explaining NAT traversal, let us first ask why NAT is needed at all.

To answer that we have to look at the difference between IPv4 and IPv6. IPv4 defines a 32-bit address, which gives 2^32-1 addresses, while IPv6 defines a 128-bit address, which gives 2^128-1 addresses. To exaggerate a little: once IPv6 is widely deployed there would be enough addresses to give one to every speck of dust on Earth. So the answer is clear: NAT was born to work around the shortage of IP addresses. A public IP address and port are mapped to the IP address and port of a machine on the private network, so a small number of public IP addresses can stand in for a much larger number of private IP addresses, which helps slow the exhaustion of IPv4 addresses. The figure below gives an intuitive picture.

(Figure: https://static001.geekbang.org/infoq/d9/d95d361fb37b3d3210ea3b1df3c1c29f.png)

First, a few questions. Keep them in mind while reading; by the end you will know the answers.

How can two endpoints that both sit behind NAT talk to each other?
We do not know the other side's private IP address; even if we deliver a message to the other side's gateway, what then?
How does the gateway know whom the message is for, and who authorised the gateway to forward it?

With that, let us look at the kinds of NAT.

NAT types

By implementation

By implementation there are three kinds of NAT: static translation, dynamic translation and port multiplexing.

Static translation converts a private IP address of the internal network to a public IP address as a fixed one-to-one pair: a given private IP address is always translated to the same public IP address. Static translation lets the outside network reach particular internal devices (such as servers).

Dynamic translation converts a private IP address of the internal network to a public IP address that is not fixed in advance: any private IP address that is authorised to reach the Internet can be translated to any of the designated legal IP addresses. In other words, once you specify which internal addresses may be translated and which legal addresses may serve as external addresses, dynamic translation can proceed. Dynamic translation can draw on several pools of legal external addresses. It is suitable when the number of legal IP addresses provided by the ISP is slightly smaller than the number of computers on the internal network.

Port multiplexing changes the source port of outgoing packets and translates on ports, that is, Port Address Translation (PAT). With port multiplexing, all hosts on the internal network can share a single legal external IP address to reach the Internet, which saves IP address space to the greatest extent. It also hides all internal hosts, which helps keep attacks from the Internet out. That is why port multiplexing is the most widely used form of NAT today.

By function

By function NAT falls into two broad classes: cone NAT and symmetric NAT. The four concrete types are full cone NAT, IP-restricted cone NAT, port-restricted cone NAT and symmetric NAT. In brief: a symmetric NAT uses one port per request; a cone NAT (non-symmetric NAT) lets many requests (from the outside to the inside) share one port. As long as the source IP and port stay the same, the NAT maps them to the same public port no matter which destination IP they are sent to; the shape looks like a cone, hence the name. The four types are described below.

Full cone NAT. Characteristic: neither IP nor port is restricted. Behaviour: all requests from the same internal IP address and port are mapped to the same public IP address and port. Any external IP address and port can reach the internal host by sending to that mapped public address and port. With this technique, client/server applications can initiate connections from either side. Put simply: once the client has created a mapping from inside to outside, any other host or port can use that hole to send data to the client.

Restricted cone NAT. Characteristic: IP restricted, port unrestricted. Behaviour: unlike full cone NAT, after the public port has been mapped, not every IP address is allowed to reach it. An external host can only talk to the internal host if the internal host has previously sent to that external IP address; the port is not restricted. For example: after the client creates a mapping from inside to outside, host A (which the client has contacted) can use any of its ports to connect to the client, but host B cannot, because the IP is restricted while the port is not.

Port restricted cone NAT. Characteristic: both IP and port restricted. Behaviour: stricter than restricted cone NAT. In addition to the restricted cone rules, the replying host's port also matters. Only after the internal host has sent a packet to an external host (say with IP address A and port P1) may that external host send UDP packets to the internal host using the public IP:PORT in the mapping as destination, and the packets must come from IP A and port P1 (packets from IP A port P2, or from IP B port P1, will fail). This further tightens the restriction on the source of external packets, so it is more secure than restricted cone NAT.

Symmetric NAT. Characteristic: every session with a distinct external host or port is mapped to a different port (hole). Behaviour: only requests from the same internal IP:PORT to the same destination IP:PORT are translated to the same public IP:PORT; otherwise the NAT allocates a new public IP:PORT. And only an external host that has received a request from the internal host may send packets back to it. The internal host uses the same IP and port to talk to several external IPs. When the client connects to server A (IP_A:PORT_A), the NAT maps it to NatIP:NatPortA; when it connects to server B (IP_B:PORT_B), the NAT maps it to NatIP:NatPortB. So the same client talking to different destination IP:PORTs gets different public IP:PORTs after NAT. If B then wants to talk to the client, it can only do so via NatIP:NatPortB, not via NatIP:NatPortA. Those are the four NAT types. From type 1 to type 4 the NAT becomes more and more restrictive, and traversal becomes more and more complicated.

Advantages of NAT

NAT lets many computers share one Internet connection and hides their private IPs, which adds to the security of the internal network. In addition, NAT checks inbound data against its mapping table and rejects packets that have no matching entry, which improves network security.

Disadvantages of NAT

First, the NAT device rewrites packets, which lowers forwarding efficiency. Second, protocols differ, and some cannot pass through NAT at all; that is what NAT traversal techniques are for. To use NAT traversal, you first have to know how to identify the NAT type.

How to identify the NAT type?

(Figure: NAT type chart, https://static001.geekbang.org/infoq/96/962961a6853b67c59f07877596b0868c.png)

As the chart shows, only four NAT types need to be detected. Here is a hand-drawn sketch by the author:

(Figure: https://static001.geekbang.org/infoq/0d/0ddc27eeeac6fd4a0dfdc8ea10b34c34.png)

To get an intuition, think of a male student trying to get past the dorm matron into the women's dormitory.

Full cone NAT: the matron lets any male student in, whoever he is (is she his mother?).
IP-restricted cone NAT: the matron only lets in students from the same department as the campus belle.
Port-restricted: the matron only lets in students from the same department who are also class officers.
Symmetric NAT: every student must exchange a password with the matron and is only let in if it is correct.

Before explaining NAT detection, one important concept:

The difference between symmetric NAT and cone NAT lies in how many entries a private host talking to several different public hosts creates in the NAT router's mapping table. A symmetric NAT talking to N public hosts creates N entries; a cone NAT talking to N public hosts creates 1 entry. That is why symmetric NAT is harder to traverse. Now on to detection.

Telling symmetric NAT from cone NAT

(Figure: https://static001.geekbang.org/infoq/ca/ca3f4aac5e63b0e1c04932e2a8be5b6d.png)

1) The client sends a packet to Server 1. The gateway creates a public mapping, so the client IP address Server 1 sees is the client's public IP.
2) The client sends a packet to Server 2, and Server 2 records the client's address (ip:port).
3) Server 1 sends the client address it saw to Server 2, and Server 2 compares it with the one it saw itself. If the two client addresses are identical, the NAT is a cone NAT; otherwise it is a symmetric NAT.

Telling full cone NAT from restricted cone NAT

(Figure: https://static001.geekbang.org/infoq/29/29d5a26edf528f12bc07643dba7af162.png)

1) The client's network process sends a packet to Server 1. Server 1 records the client's IP address (its public IP address).
2) Server 1 sends the client's IP address to Server 2.
3) Server 2 sends a packet to that client address and checks whether the client receives it. If it does, the NAT is a full cone NAT; otherwise it is a restricted cone NAT.
4) After receiving the packet, the client sends another packet to Server 1. If Server 1 receives it, the NAT is a full cone NAT; otherwise it is a restricted cone NAT.

Step 4 is there to make the result reliable.

Telling IP-restricted cone NAT from port-restricted cone NAT

(Figure: https://static001.geekbang.org/infoq/95/95c364ac1f34007710b348dc99fc879e.png)

1) The client's network process sends a packet to the server (ip:8888), and the server records the client's address.
2) The server replies from the same IP but a different port (ip:8889). If the client receives the packet, the NAT is IP-restricted; otherwise it is port-restricted.
3) The client sends a packet back to port 8888 of the server. If the server receives it, the NAT is IP-restricted; otherwise it is port-restricted.

As before, step 3 is there to make the result reliable.

How is NAT traversal done?

There are 16 combinations of two clients traversing their gateways, but only three cases need to be considered:

1. Either side is a full cone NAT.
2. Both sides are restricted cone NATs.
3. Both sides are symmetric NATs, or one side is a restricted cone NAT and the other a symmetric NAT.

Traversing a full cone NAT

During traversal both private hosts sit behind NAT routers. As long as one of the two NATs is a full cone NAT, traversal is possible. The flow is shown below, with NAT1 a full cone NAT and NAT2 any NAT.

(Figure: traversing full cone NAT, https://static001.geekbang.org/infoq/74/74e2d42d1314cbbe07eccf01126cad5f.png)

1) Private host 1 (192.168.1.3:2341) sends a packet to the server (180.93.45.46:8888). The server learns host 1's public IP address and port (112.93.14.56:43891).
2) The server notifies private host 2 (192.168.2.6:6583); the notification carries host 1's public IP address and port (112.93.14.56:43891).
3) Host 2 (192.168.2.6:6583) sends data directly to host 1's public address and port (112.93.14.56:43891). Host 1 receives it and learns host 2's public IP address and port (iAddr:iPort).
4) Host 1 replies to host 2's public address and port (iAddr:iPort); host 2 receives the reply. Traversal is complete.

Traversing a restricted cone NAT

A restricted cone NAT blocks packets from public hosts it has not contacted. If you ran the full cone procedure above against a restricted cone NAT, host 1 would not receive host 2's packet in step 3, and traversal would fail.

The flow for a restricted cone NAT is shown below.

(Figure: traversing restricted cone NAT, https://static001.geekbang.org/infoq/74/74e2d42d1314cbbe07eccf01126cad5f.png)

1) Private host 1 (192.168.1.3:2341) sends a packet to the server (180.93.45.46:8888); the server learns host 1's public address (112.93.14.56:43891).
2) The server sends a notification to private host 2 (192.168.2.6:6583) carrying host 1's public address (112.93.14.56:43891).
3) Host 2 sends a packet to host 1's public address (112.93.14.56:43891). Because NAT1 is a restricted cone NAT, host 1 does not receive it.
4) Immediately after step 3, host 2 sends a packet to the server (180.93.45.46:8888) asking host 1 to send data to host 2's public address.
5) The server notifies host 1, including host 2's public address (180.20.198.42:9681).
6) Host 1 sends a packet to host 2's public address. Because host 2 sent to host 1's public address in step 3, NAT2 treats this packet as the reply to step 3 and lets it through; NAT2 is traversed.
7) Host 2 replies to host 1, which traverses NAT1. Traversal is complete.

Traversing a symmetric NAT

A symmetric NAT allocates a different mapped port for each distinct public host it talks to (here the NAT creates two entries). If you followed the restricted cone procedure, you could not know exactly which public IP address and port step 3 produced, so you could not tell the other side which public address to use; at that point it comes down to educated guessing. The flow is shown below, with NAT1 a restricted cone NAT and NAT2 a symmetric NAT.

(Figure: traversing symmetric NAT, https://static001.geekbang.org/infoq/ad/ad45bada5370674f6a48ea1fc7413a85.png)

1) Private host 1 (192.168.1.3:2341) sends a packet to the server (180.93.45.46:8888) asking to connect to private host 2.
2) The server (180.93.45.46:8888) notifies host 2, including host 1's public address (112.93.14.56:43891).
3) Host 2 sends a packet to host 1's public address. NAT1 is a restricted cone NAT, so the packet is not let into the private network. At the same time, because NAT2 is symmetric, this send creates a new mapping entry with a new public address and port (iAddr:iPort).
4) After step 3, host 2 sends a packet to another port of the server, 8889. This also creates a new mapping entry with public address and port (mAddr:mPort), and the server learns mAddr:mPort.
5) The server (180.93.45.46:8889) notifies host 1, including the new mAddr:mPort created in step 4. Because iPort and mPort were allocated within a very short interval, iPort, the port that needs to be traversed, can be inferred from mPort. To make the inference more reliable, create one more entry before mPort is allocated, that is, have the NAT router create an entry before step 3; this greatly improves the probability of successful traversal.
6) Using the value of mPort, guess iPort and send a packet to host 2's public address with the guessed port (mAddr:iPort). If the guess is right, NAT2 is traversed.
7) After receiving the traversal packet, host 2 replies; traversal is complete.

Note: the port guess in step 6 can be retried several times.

NAT solutions

ICE

Interactive Connectivity Establishment. ICE is not a protocol but a framework that combines STUN (Simple Traversal of UDP through NAT, a lightweight protocol and a complete UDP-based NAT traversal solution) and TURN (Traversal Using Relay NAT, an extension of STUN) so that the various NAT traversal techniques can be used in a uniform way. When traversing a network, ICE first tries STUN to find out what type of NAT it is behind and which Internet-side port the NAT has bound to a given local port, and uses that to set up a UDP connection; if that fails it tries TCP (first HTTP, then HTTPS); if that also fails it falls back to a TURN relay server. This is how ICE achieves device-to-device connectivity over an unknown network topology. Besides ICE there are UPnP, ALG (application-layer gateway) and SBC (session border controller), among others.

Applications of NAT

NAT is used throughout the Internet, from home gateways to enterprise WAN edges and even carrier network edges. It is also widely used in audio/video communication, where NAT hole punching lets clients talk directly and takes load off the servers.

The main domestic audio/video solution vendors are Agora: https://www.agora.io/cn, Easemob (环信): https://www.easemob.com/, and ZEGO: https://www.zego.im/. Agora, with its self-developed audio/video codecs and strong resilience to poor networks, keeps audio calls smooth at 80% packet loss and video calls smooth at 70% packet loss, and is the first choice for users who need international audio/video communication. For audio processing Agora uses industry-leading 3A algorithms that adapt to all kinds of environments, fully cancel echo and offer first-class double-talk performance; they remove all kinds of noise without degrading voice quality and provide automatic gain control, so users get a good experience even in noisy surroundings. Try the demo: https://www.agora.io/cn/audio-demo

Closing

I have tried to give a fairly thorough introduction to NAT, but since I am new to audio/video technology some of the technical points may not be entirely accurate; corrections in the comments are welcome. If this article helped you, please consider following.
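The NAT identification tests and the restricted-cone hole-punching flow above, as an added example that is not part of the original article: a small Python model of the four NAT types (mapping rule plus inbound filter), the three classification tests run against it, and the seven-step restricted-cone flow. Server 1 keeps the article's 180.93.45.46:8888; the probe address S1_ALT, the servers S2 and S3 and the peer addresses are assumptions. It goes slightly beyond the text in one respect: the full-cone probe is sent from an IP the client has never contacted, because once the symmetric test has touched Server 2, a probe from Server 2 would pass an IP-restricted NAT and be misreported as full cone.

```python
"""Toy model of the four NAT types plus the article's identification tests and
restricted-cone hole punch (added example, not code from the article; no real
sockets are used)."""
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


class Nat:
    """One NAT router. symmetric=True allocates a mapping per (source, destination)
    pair; otherwise one mapping per source. filtering is "full", "ip" or "port"."""

    def __init__(self, public_ip: str, symmetric: bool = False,
                 filtering: str = "full", first_port: int = 43891) -> None:
        self.public_ip, self.symmetric, self.filtering = public_ip, symmetric, filtering
        self.next_port = first_port
        self.port_of: Dict[object, int] = {}           # mapping key -> public port
        self.host_of: Dict[int, Endpoint] = {}         # public port -> private endpoint
        self.contacted: Dict[int, Set[Endpoint]] = {}  # public port -> peers sent to

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Private host src sends to dst; returns the public endpoint dst sees."""
        key = (src, dst) if self.symmetric else src
        if key not in self.port_of:                    # new mapping-table entry
            port, self.next_port = self.next_port, self.next_port + 1
            self.port_of[key], self.host_of[port], self.contacted[port] = port, src, set()
        port = self.port_of[key]
        self.contacted[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, remote: Endpoint, pub_port: int) -> Optional[Endpoint]:
        """Packet from remote to our public port: the private target, or None if dropped."""
        if pub_port not in self.host_of:
            return None                                # no mapping: always dropped
        peers = self.contacted[pub_port]
        if self.symmetric or self.filtering == "port":
            ok = remote in peers                       # exact ip:port was contacted
        elif self.filtering == "ip":
            ok = any(ip == remote[0] for ip, _ in peers)
        else:
            ok = True                                  # full cone: anyone may use the hole
        return self.host_of[pub_port] if ok else None


# Server 1 is the article's 180.93.45.46:8888; the other addresses are constructed.
S1, S1_ALT = ("180.93.45.46", 8888), ("180.93.45.46", 8889)
S2, S3 = ("180.93.45.47", 8888), ("180.93.45.48", 8888)
CLIENT = ("192.168.1.3", 2341)


def classify(nat: Nat) -> str:
    """The article's three tests in order. The full-cone probe comes from S3, an IP
    the client never contacted, so an IP-restricted NAT cannot pass it by accident."""
    seen_by_s1 = nat.outbound(CLIENT, S1)
    seen_by_s2 = nat.outbound(CLIENT, S2)
    if seen_by_s1 != seen_by_s2:                       # two servers saw two mappings
        return "symmetric"
    pub_port = seen_by_s1[1]
    if nat.inbound(S3, pub_port) == CLIENT:            # uncontacted host gets through
        return "full cone"
    if nat.inbound(S1_ALT, pub_port) == CLIENT:        # same IP, different port
        return "ip restricted cone"
    return "port restricted cone"


def hole_punch(nat1: Nat, nat2: Nat) -> bool:
    """Steps 1-7 of the restricted-cone flow; True if both directions get through."""
    peer1, peer2 = ("192.168.1.3", 2341), ("192.168.2.6", 6583)  # assumed private hosts
    pub1 = nat1.outbound(peer1, S1)                    # 1: server learns pub1
    probe_src = nat2.outbound(peer2, pub1)             # 3: peer2 -> pub1 opens NAT2
    nat1.inbound(probe_src, pub1[1])                   #    NAT1 drops it unless full cone
    pub2 = nat2.outbound(peer2, S1)                    # 4: server learns pub2
    src6 = nat1.outbound(peer1, pub2)                  # 6: peer1 -> pub2 opens NAT1
    reached2 = nat2.inbound(src6, pub2[1]) == peer2    #    passes only if pub2 is the step-3 hole
    reached1 = nat1.inbound(pub2, src6[1]) == peer1    # 7: reply passes NAT1
    return reached2 and reached1
```

With a symmetric NAT on either side hole_punch returns False because the mapping opened in step 3 is not the one the server learns in step 4, which is exactly the gap the article fills with port guessing.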