The present invention generally relates to a system and method for network address translation (NAT), and more specifically to a system and method for connection of hosts behind NATs.
With the growth of the Internet, the shortage of IPv4 address space has become apparent. As more and more hosts connect to the Internet, the rapid growth rate depletes IPv4's 32-bit address space. To mitigate the problem, the Network Address Translator (NAT) is designed to reuse part of the IPv4 address space. These reusable addresses are called private IP addresses to distinguish them from globally unique public IP addresses. Multiple hosts behind a NAT can use private IP addresses to form a private network and share one or a few public IP addresses via the address/port translation of the NAT. In a NAT, an IP mapping table records the translation rule between private IP address/port and public IP address/port. This table directs the NAT in translating inbound and outbound traffic. In consequence, the same private IP addresses can be reused in different private networks and the shortage of IPv4 addresses is alleviated.
When NAT device 101 receives an inbound packet from web server host 105 on the Internet, according to NAT IP mapping table 110, NAT device 101 translates the destination IP address of the packet, i.e., 140.116.177.55, to the corresponding private IP address, i.e., 192.168.50.100. If there is no corresponding private IP address in NAT IP mapping table 110, the inbound packet will be dropped by the NAT device 101.
Typically, NAT devices may be classified into two types. The first type is the cone-based NAT, and the second type is symmetric NAT. The difference between the two types is in the mapping rule of port number for the outbound packets. A public IP address/port in the cone-based NAT may map to a plurality of private IP addresses/ports, while the mapping rule of the symmetric NAT is limited to one-to-one mapping.
The cone-based NAT may be further classified into full-cone NAT, restricted-cone NAT and port restricted-cone NAT. The major difference among the three is the way of NAT device filtering inbound packets.
Although NAT allows hosts to reuse the same IP addresses, it has a negative impact. Because the NAT device has to set up the translation rule before the connection is established, only the host behind the NAT may be the originating host, and the host in the public network can only be the terminating host. This means that it is impossible to place a server behind the NAT device, and also impossible to establish connections between two hosts behind two different NATs. It violates the end-to-end connectivity model of the Internet. If the server, or the hosts at both ends, are behind NATs, the network application cannot work because of the hindrance introduced by the NAT deployment.
To solve the above problem, possible solutions are the relay approach and the hole punching approach, both relying on an external server. The relay approach is a typical NAT traversal method. It solves the problem by means of a relay server located in the public network. After each end host has established a connection with the relay server in the public network, all packets are forwarded by the server. In this manner, the detoured data path consumes extra network resources and packet delivery suffers a longer transmission time.
The hole punching approach lets hosts behind NAT devices establish a connection directly. Both end hosts send out a packet to register an entry in the NAT mapping table before establishing the connection. For example, Simple Traversal of UDP through NATs and TCP (STUNT) is a well-known hole punching approach. Before the direct TCP connection, both ends of the TCP connection must send out a SYN packet to the other end simultaneously. This hole punching approach defines certain coordination processes. Although this approach is an efficient method of NAT traversal, applications have to be modified or redesigned one by one to adapt to this coordination process for integration.
The disclosed exemplary embodiments of present invention may provide a system and method for connection of hosts behind NATs.
In an exemplary embodiment, the disclosed is directed to a system for connection of hosts behind NATs. The system comprises a server located in a public network for receiving the registration of each host and recording the related information of each host and at least a NAT device; and a transparent middleware (TMW) executed on each host respectively. When a first host of a first NAT device tries to establish connection to a second host of a second NAT device, through the server, the TMW looks up a first IP address mapping from the first host to the second NAT device, and a second IP address mapping from the second host to the first NAT device. Accordingly, the TMW accomplishes the support for establishing connection between the first and the second hosts.
In another exemplary embodiment, the disclosed is directed to a method for connection of hosts behind NATs. The method comprises a receiving host and a transmitting host registering through TMW to the server; the transmitting host requesting to the server for the private IP address information of the receiving host; the server replying the private IP address information of the receiving host to the transmitting host; the transmitting host requesting to the server for the IP address information of the receiving NAT device; the server replying the IP address information of the receiving NAT device to the transmitting host; and TMW transmitting the IP address information of the transmitting NAT device to the receiving host.
The aforementioned embodiments are applicable to the situation when hosts behind NATs try to establish connection. For example, the external host tries to establish the connection to a host behind NAT, or hosts behind different NATs try to establish connection with each other.
The foregoing and other features, aspects and advantages of the present invention will become better understood from a careful reading of a detailed description provided herein below with appropriate reference to the accompanying drawings.
The system is applicable to a first NAT device different from a second NAT device, with the first host and the second host behind the first NAT device and the second NAT device, respectively. The system is also applicable to the case when the first NAT device and the second NAT device are the same device, i.e., the first host and the second host are behind the same first NAT device.
TMW 31 may be installed at the kernel level or the user level of the host. When installed at the kernel level, TMW 31 rewrites the packet driver. When installed at the user level, TMW 31 may use the driver socket routine.
First host 30A and second host 30B, for example, may be a notebook PC, a desktop PC, a server or any combination of the above.
Labels 401-406 shown in
Step 401 is the registration activity. That is, first host 30A and second host 30B register to server 35. The registration activity makes server 35 check whether both first host 30A and second host 30B are online, and makes server 35 check the uniqueness of the information of first host 30A and second host 30B in the public network where server 35 resides. The information may be, for example, IP address/port and domain name. Each host uses its own IP address to register a domain name with any domain name system (DNS), and uses the domain name to register to server 35. The detailed registration process is described in
Step 402 indicates sending a request to inquire of the private IP address of second host 30B. That is, first host 30A may use the domain name of second host 30B to send a request to server 35 to inquire of the private IP address of second host 30B. For example, first host 30A may send a DNS request packet with the domain name of second host 30B to server 35.
Step 403 indicates replying the private IP address of second host 30B. That is, server 35 replies the private IP address information to first host 30A. For example, according to the domain name of second host 30B, server 35 may execute a DNS inquiry and find the private IP address/port of second host 30B.
Step 404 indicates sending a request to inquire of the IP address of the NAT device. That is, according to the private IP address information of second host 30B, TMW 31 on first host 30A sends a request to server 35 to inquire of the IP address of the NAT device. For example, TMW 31 may send an IP lookup query packet with the information of the private IP address/port of second host 30B.
If in TCP mode, after first host 30A receives the DNS reply from server 35 (step 403), first host 30A will send a SYN packet with the IP address information of the second host to second host 30B. Therefore, the aforementioned IP lookup query packet may also include the information of the SYN packet sent by first host 30A, such as the TCP sequence number. The details of this process will be described in
Step 405 indicates replying the IP address of second NAT device 33B. That is, server 35 replies the IP address of second NAT device 33B to first host 30A. For example, server 35 may reply an IP lookup reply packet to TMW 31 of first host 30A to inform of the IP address information of second NAT device 33B.
Step 406 indicates replying the IP address of first NAT device 33A. That is, server 35 replies the IP address of first NAT device 33A to second host 30B, and sends a connect request packet to second host 30B. The connect request packet may include the IP address/port information of first NAT 33A, as well as the information of the SYN packet sent by first host 30A.
The above steps 401-406 describe how the transparent traversal for NAT system supports the connection establishment between two hosts behind different NAT devices.
In other words, the connection support may include: receiving host and transmitting host both registering to the server through TMW; the transmitting host sending request for private IP address of receiving host to the server; the server replying the private IP address of receiving host; the transmitting host sending request for IP address of receiving NAT device to the server; the server replying the IP address of receiving NAT device to transmitting host; and TMW sending IP address of transmitting NAT device to receiving host.
After finishing steps 401-406, first host 30A behind first NAT device 33A and second host 30B behind second NAT device 33B successfully establish connection. Then, first host 30A and second host 30B may transmit data to each other directly.
Thereby, TMW 31 of first host 30A records the mapping between the private IP address/port of second host 30B and the IP address/port of second NAT device 33B. Similarly, TMW 31 of second host 30B records the mapping between the private IP address/port of first host 30A and the IP address/port of first NAT device 33A.
According to the disclosed embodiments, first host 30A and second host 30B may execute TMW 31 respectively. The existing architecture and application programs on first host 30A and second host 30B, such as client/server or peer-to-peer (P2P) architecture, may directly connect without rewriting.
If the packets are transmitted in the TCP mode, first host 30A and second host 30B may accomplish the 3-way handshake protocol to establish the connection acknowledgement.
First host 30A then sends an encapsulated SYN packet (Encapsulated SYN(X)). Encapsulated SYN(X) includes the sequence number of initialization SYN packet, and is transmitted to second host 30B through server 35. When receiving this request packet, TMW 31 of second host 30B will generate an issue SYN packet with sequence number X (Issue SYN(X)) according to sequence number X of the initialization packet, and transmit Issue SYN(X) to the TCP layer of second host 30B, as indicated in label 501.
After receiving SYNACK(Y, X+1) packet, first host 30A replies an ACK packet to second host 30B. At this point, the TCP 3-way handshake protocol is accomplished.
According to the disclosed embodiments of the present invention, in step 501 of the TCP 3-way handshake protocol, TMW 31 of second host 30B generates the Issue SYN(X) packet and transmits it to the TCP layer, so the Issue SYN(X) packet does not need to go through the external network. In other words, the packet will not be filtered by the routers of the external ISP.
Label 601 indicates sending registration related information of first host 30A to server 35. TMW 31 of first host 30A first searches for the private IP address of first host 30A, such as 192.168.50.100, and the domain name, such as DNA. Then, TMW 31 randomly selects a contact port number Cport and generates a registration packet, such as Registry (192.168.50.100, DNA). The registration packet may include the private IP address, such as 192.168.50.100, of first host 30A, the Cport, such as 1111, and the domain name, such as DNA. TMW 31 transmits the registration packet to server 35.
Label 602 indicates server 35 checks the uniqueness of the related information of first host 30A. After server 35 receives the registration packet from first host 30A, server 35 checks with registry database 61 to determine whether the registration information (private IP address, Cport, and domain name) of first host 30A is unique, and obtains the registration result reply(1/0), where reply(1) indicates a successful registration, and reply(0) is a failure. The registry database may be stored in server 35.
Label 603 indicates server 35 replies the registration result to first host 30A. If the registration is successful, server 35 replies a “registry reply(1)” packet, and stores the registration information of first host 30A in registry database 61, such as IP address, Cport, domain name and IP address of first NAT device.
If the registration is unsuccessful, server 35 replies a “registry reply(0)” packet, and TMW 31 randomly selects a new Cport again, and repeats the above steps 601-603 until the registration information of first host 30A is unique.
After both first host 30A and second host 30B register successfully, because NAT devices 33A and 33B have the capability of keeping the mapping alive, TMW 31 may still maintain the connection on Cport for transmitting packets to server 35 during the keep-alive period.
As in the aforementioned steps 402-403, according to the domain name of second host 30B, first host 30A may send a request for inquiry of the private IP address of second host 30B to server 35. According to the domain name of second host 30B, server 35 may execute a DNS query to find the private IP address/port of second host 30B. Server 35 will record the relation between first host 30A and second host 30B.
Label 701 indicates that first host 30A sends a DNS request packet to server 35. The DNS request packet includes domain name DNB of second host 30B and the private IP address of first host 30A added by TMW 31, such as 192.168.50.100, and the port, such as 1111. The DNS request packet can be expressed as “DNS (DNB, 192.168.50.100, 1111)”. TMW 31 of first host 30A sends the DNS request packet to server 35.
Label 702 indicates that server 35 sends a query packet of domain name DNB of second host 30B “Lookup(“DNB”)” to registry database 61.
Label 703 indicates if registry database 61 has no record of domain name DNB of second host 30B, registry database 61 replies a “Lookup reply(0)” packet to server 35. Server 35 sends another packet with domain name of second host 30B to another DNS for lookup.
Label 704 indicates if registry database 61 includes a record of domain name DNB of second host 30B, server 35 generates a new DNS response packet with the private IP address/Cport of second host 30B, such as “DNS reply(192.168.50.100, 2222)”, and transmits it to first host 30A. The related information of first host 30A and second host 30B, such as the private IP address/Cport of first host 30A, the IP address of first NAT device 33A, the private IP address/Cport of second host 30B, and the IP address of second NAT device 33B, will be recorded in IP lookup database 71. The packet format may be expressed as “Storage Lookup(192.168.200.100, 140.116.177.55, 2222, 192.168.50.100, 140.116.72.94, 1111)”.
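The registration steps 601-603 (uniqueness check, registry reply(1/0), Cport retry) and the DNS/IP lookup steps 701-704 and 404-405 above, modelled in Python as an added example that is not the patent's own code. The server, TMW and database classes, and the NAT address of a constructed third host C, are assumptions for the demo; the other addresses and Cports are the sample values used in the description.

```python
class RegistryServer:
    """Model of server 35: registry database 61 and IP lookup database 71."""

    def __init__(self):
        self.registry = {}    # domain name -> record (database 61)
        self.ip_lookup = []   # "Storage Lookup" relations (database 71)

    def _find_by_addr(self, private_ip, cport):
        for dom, rec in self.registry.items():
            if (rec["private_ip"], rec["cport"]) == (private_ip, cport):
                return dom, rec
        return None, None

    def register(self, private_ip, cport, domain, nat_ip):
        """Steps 602-603: reply 1 if the registration information is unique, else 0.
        nat_ip stands for the source address the server sees on the packet."""
        dom, _ = self._find_by_addr(private_ip, cport)
        if dom is not None or domain in self.registry:
            return 0                                    # registry reply(0)
        self.registry[domain] = {"private_ip": private_ip, "cport": cport,
                                 "nat_ip": nat_ip}
        return 1                                        # registry reply(1)

    def dns_lookup(self, target_domain, req_private_ip, req_cport):
        """Steps 701-704: DNS(DNB, requester IP, Cport) -> DNS reply(ip, Cport);
        on a hit the relation of both hosts is stored in database 71."""
        target = self.registry.get(target_domain)            # Lookup("DNB")
        _, req = self._find_by_addr(req_private_ip, req_cport)
        if target is None or req is None:
            return None                                      # Lookup reply(0)
        self.ip_lookup.append({"req": req, "target": target})  # Storage Lookup(...)
        return target["private_ip"], target["cport"]

    def nat_ip_lookup(self, target_private_ip, target_cport):
        """Steps 404-405: private IP/Cport from the DNS reply -> NAT public IP."""
        for rec in self.ip_lookup:
            t = rec["target"]
            if (t["private_ip"], t["cport"]) == (target_private_ip, target_cport):
                return t["nat_ip"]                            # IP lookup reply
        return None


class TMW:
    """Registration side of TMW 31 on one host."""

    def __init__(self, private_ip, domain, nat_ip, server, cport_choices):
        self.private_ip, self.domain, self.nat_ip = private_ip, domain, nat_ip
        self.server, self.cport_choices, self.cport = server, cport_choices, None

    def register(self):
        """Steps 601-603: try a Cport, pick a new one on registry reply(0)."""
        for cport in self.cport_choices:   # the real TMW draws these at random
            if self.server.register(self.private_ip, cport, self.domain, self.nat_ip) == 1:
                self.cport = cport
                return cport
        raise RuntimeError("constructed Cport list exhausted")


def demo():
    """Sample hosts from the description plus a constructed third host C."""
    srv = RegistryServer()
    a = TMW("192.168.50.100", "DNA", "140.116.72.94", srv, [1111])
    b = TMW("192.168.200.100", "DNB", "140.116.177.55", srv, [2222])
    # C sits behind a third NAT (constructed address) and reuses A's private IP;
    # its first Cport choice collides with A, so it gets reply(0) and retries.
    c = TMW("192.168.50.100", "DNC", "203.0.113.7", srv, [1111, 3333])
    a.register(); b.register()
    c_port = c.register()
    b_ip, b_cport = srv.dns_lookup("DNB", a.private_ip, a.cport)     # steps 402-403
    return c_port, (b_ip, b_cport), srv.nat_ip_lookup(b_ip, b_cport)  # steps 404-405
```

The model trusts every field of the registration packet, as the description does; the lookups only work because the server enforces uniqueness of the (private IP, Cport) pair across all registered hosts.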
Data transmission may be divided into two modes, i.e., in TCP mode and in UDP mode. The following describes exemplary operations in TCP mode and in UDP mode respectively for the disclosed NAT system with transparent traversal.
First host 30A and second host 30B first register to server 35, and first host 30A sends a DNS query packet to server 35 to obtain the private IP address of second host 30B.
When first host 30A and second host 30B try to establish a TCP connection, first host 30A sends a TCP_SYN packet with the private IP address/port of second host 30B to second host 30B, as indicated by label 801. TMW 31 keeps the TCP_SYN packet and generates a new UDP packet to server 35. Server 35 sends a “Lookup( )” packet and uses the private IP address of second host 30B to inquire of lookup database 81 for the IP address of second NAT device 33B, as indicated by label 802. The UDP packet includes the Cport, IP address, port and TCP sequence number of first host 30A and second host 30B.
According to the private IP address of second host 30B, server 35 inquires lookup database 81 of the IP address of second NAT device 33B, and replies to TMW 31 of first host 30A, as indicated by label 803.
Server 35 generates a new connection request packet and transmits to TMW 31, as indicated by label 804. The connection request packet includes the IP address of second host 30B, Cport and IP address/port of first host 30A, IP address of first NAT device 33A, and TCP packet sequence number. After TMW 31 receives connection request packet from server 35, a TCP_SYN packet is solicited to the TCP layer of second host 30B, as indicated by label 805.
On the other hand, after receiving the IP address of second NAT device 33B replied from server 35 (step 803), TMW 31 of first host 30A releases the original TCP_SYN packet, changes the private IP address of second host 30B in the TCP_SYN packet to IP address of second NAT 33B, and sends a low TTL TCP_SYN packet “TCP_SYN(X, low TTL)”. In this manner, the IP mapping table of first NAT device 33A records the IP address mapping from first host 30A to second NAT device 33B. In other words, a TCP hole is punched on first NAT device 33A, as indicated by label 806.
After the TCP layer of second host 30B receives the TCP_SYN packet (step 805), the AP layer of second host 30B will send a TCP_SYNACK packet to first host 30A, as indicated by label 807. To transmit the TCP_SYNACK packet correctly, TMW 31 of second host 30B changes the private IP address of first host 30A in the TCP_SYNACK packet to the IP address of first NAT device 33A, and transmits it to first NAT device 33A. Similarly, the IP mapping table of second NAT device 33B also records the IP address mapping from second host 30B to first NAT device 33A; i.e., a TCP hole is punched on second NAT device 33B.
After TMW 31 of first host 30A receives a TCP_SYNACK packet, TMW 31 changes the IP address of second NAT device 33B in the TCP_SYNACK packet to the private IP address of second host 30B, and transmits it to the TCP layer of first host 30A, as indicated by label 808.
When the application program of the AP layer of first host 30A receives the TCP_SYNACK packet from second host 30B, first host 30A sends a TCP_ACK packet to second host 30B to accomplish the TCP 3-way handshake protocol and establish the TCP connection and acknowledgement, as indicated by label 809. Therefore, when the network packets are transmitted in TCP mode, the transmitting host and the receiving host may accomplish the TCP 3-way handshake to establish the connection acknowledgement.
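The TCP-mode address rewriting of labels 801-808, as an added Python model that is not the patent's own code: TMW on the transmitting host holds the SYN, releases it towards the peer NAT with a low TTL, and rewrites inbound source addresses; TMW on the receiving host issues the SYN locally and rewrites outbound destinations. The Packet layout, the class names and the LOW_TTL value are assumptions; the source NAT done by the NAT device itself is modelled separately so it is not confused with what TMW does. The UDP mode of labels 901-907 applies the same rewriting to UDP packets.

```python
from dataclasses import dataclass, replace

LOW_TTL = 2   # assumed value: crosses the local NAT but expires before the far end

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str
    seq: int
    ack: int = 0
    ttl: int = 64

def nat_source_translate(pkt, nat_ip):
    """What the NAT device itself does to an outbound packet (not TMW)."""
    return replace(pkt, src=nat_ip)

class TmwTcp:
    """TCP-mode address rewriting of TMW 31 on one host."""

    def __init__(self, private_ip, nat_ip):
        self.private_ip, self.nat_ip = private_ip, nat_ip
        self.mapping = {}        # peer private IP -> peer NAT public IP
        self.held_syn = None

    # transmitting side (first host 30A)
    def intercept_syn(self, pkt):
        """Label 801: hold the application's TCP_SYN; return what the UDP
        lookup sent to server 35 carries (peer private IP, sequence number)."""
        self.held_syn = pkt
        return pkt.dst, pkt.seq

    def on_ip_lookup_reply(self, peer_private_ip, peer_nat_ip):
        """Labels 803/806: record the mapping, then release the held SYN
        towards the peer NAT with a low TTL, punching the hole on the local NAT."""
        self.mapping[peer_private_ip] = peer_nat_ip
        syn, self.held_syn = replace(self.held_syn, dst=peer_nat_ip, ttl=LOW_TTL), None
        return syn

    def inbound(self, pkt):
        """Label 808: map the peer NAT public source address back to the peer's
        private address before handing the packet to the TCP layer; drop unknowns."""
        for priv, nat in self.mapping.items():
            if pkt.src == nat:
                return replace(pkt, src=priv)
        return None

    # receiving side (second host 30B)
    def on_connect_request(self, peer_private_ip, peer_nat_ip, seq):
        """Labels 804/805: record the mapping and issue TCP_SYN(X) to the local TCP layer."""
        self.mapping[peer_private_ip] = peer_nat_ip
        return Packet(src=peer_private_ip, dst=self.private_ip, flags="SYN", seq=seq)

    def outbound(self, pkt):
        """Label 807: rewrite a destination private address to the peer NAT public address."""
        nat = self.mapping.get(pkt.dst)
        return replace(pkt, dst=nat) if nat else None

def handshake():
    """Walk the SYN/SYNACK exchange with the sample addresses of the description."""
    a = TmwTcp("192.168.50.100", "140.116.72.94")
    b = TmwTcp("192.168.200.100", "140.116.177.55")
    peer_ip, seq = a.intercept_syn(Packet(a.private_ip, b.private_ip, "SYN", 1000))  # 801
    punch = a.on_ip_lookup_reply(peer_ip, b.nat_ip)              # 803, 806 (server resolved peer_ip)
    issued = b.on_connect_request(a.private_ip, a.nat_ip, seq)   # 804, 805
    synack = Packet(b.private_ip, issued.src, "SYNACK", 5000, issued.seq + 1)
    wire = nat_source_translate(b.outbound(synack), b.nat_ip)    # 807, then NAT B
    return punch, wire, a.inbound(wire)                          # 808
```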
First host 30A first sends a UDP packet with the private IP address of second host 30B. TMW 31 will look up the internal port table 92A, i.e., issue “Port Lookup( )” to compare the private IP address/port of second host 30B against port table 92A, and the result is replied to TMW 31, i.e., “Lookup reply( )” is returned to TMW 31, as indicated by label 901.
If port table 92A has no record of the private IP address/port of second host 30B, TMW 31 will generate a “UDP Lookup request( )” packet and transmit it to server 35 to inquire of lookup database 91 for the IP address of second NAT device 33B; i.e., a “Lookup( )” packet is sent and the result “reply( )” is returned to server 35, as indicated by label. The UDP Lookup request( ) packet includes the IP address/port of first host 30A and second host 30B, and the Cport of first host 30A.
In the step indicated by 902, if the related information of second host 30B is correctly queried, server 35 will execute the following two tasks. The first is to generate a “UDP Request( )” to ask second host 30B to generate a UDP packet with the IP address of first NAT device 33A as the destination address, as indicated by label 903. The UDP Request( ) packet includes the IP address/port and Cport of first host 30A, the IP address of first NAT device 33A, and the port of second host 30B.
The other task is for server 35 to reply the IP address of second NAT device 33B to first host 30A; i.e., replying the “UDP Lookup reply( )” to server 35, as indicated by label 904.
After receiving the UDP Request ( ) packet, TMW 31 of second host 30B sends a low TTL UDP packet. Thereby, the IP mapping table of second NAT device 33B records the IP address mapping from second host 30B to first NAT device 33A. In other words, a UDP hole is punched on second NAT device 33B, as indicated by label 905.
In the step indicated by 904, after receiving the UDP Lookup reply( ) packet replied from server 35, TMW 31 of first host 30A releases the original UDP packet, changes the destination address in the UDP packet from the private IP address of second host 30B to IP address of second NAT 33B, and transmits to second host 30B. Thereby, the IP mapping table of first NAT device 33A records the IP address mapping from first host 30A to second NAT device 33B. In other words, a UDP hole is punched on first NAT device 33A, as indicated by label 906.
After TMW 31 of second host 30B receives a UDP packet from first host 30A, because the IP mapping table of second NAT device 33B has recorded the IP address mapping from second host 30B to first NAT device 33A, TMW 31 changes the source address in the UDP packet from the IP address of first NAT device 33A to the private IP address of first host 30A, and transmits it to the TCP layer of second host 30B, as indicated by label 907. The application layer of second host 30B may then expect to receive the UDP packets from first host 30A.
In the step indicated by 901, if port table 92A already recorded the IP address of second NAT device 33B, then the step indicated by 907 is executed directly.
In the disclosed embodiments of the present invention, either first NAT device 33A or second NAT device 33B may be a stand-alone server or a server cluster, or even a module operating in a host. In other words, the first NAT device and the second NAT device may be a NAT unit with many possible implementations, such as a single server, a server cluster or a module on a host.
Although the present invention has been described with reference to the exemplary disclosed embodiments, it will be understood that the invention is not limited to the details described thereof. Various substitutions and modifications have been suggested in the foregoing description, and others will occur to those of ordinary skill in the art. Therefore, all such substitutions and modifications are intended to be embraced within the scope of the invention as defined in the appended claims.
Number | Date | Country | Kind |
---|---|---|---|
096145011 | Nov 2007 | TW | national |