NAT and Intranet Penetration

When IPv4 addresses are scarce, NAT lets a whole local area network share one public IP address. Devices inside the LAN use private (intranet) IP addresses, which have no meaning on the public Internet.

So if we develop an application on our own machine and want others to be able to access it, what do we need to do?

If we have a static public IP, it is simple: configure a port mapping (port forwarding) on the router so that public IP + port is forwarded to our intranet IP + port. This requires that the router really holds a public IP and that we are allowed to configure port mappings on it.

If our public IP is dynamic, we add DDNS (dynamic DNS) on top of the port mapping: we register a domain name, and a DDNS client on the router or on an intranet machine periodically reports the current public IP to the DDNS provider, so the domain name always resolves to whatever public IP the router holds at the moment.

If the machine sits behind several layers of NAT (for example carrier-grade NAT at the ISP) or behind a NAT device we cannot configure, a port mapping is not possible and intranet penetration (NAT traversal) is needed.

What is NAT?

Why do you need NAT?

IPv4 addresses are scarce, so NAT is used to map the private IP addresses of a local area network onto one or a few public IP addresses.

Definition

The name says it all: network address translation replaces the address information in the IP packet header. NAT is usually deployed at an organization's network egress, where it replaces the internal IP address with the egress IP address, giving the internal network reachability to the public Internet and connectivity for the upper-layer protocols. So, what is an internal network IP address?

RFC 1918 reserves three address blocks: 10.0.0.0 - 10.255.255.255 (10/8); 172.16.0.0 - 172.31.255.255 (172.16/12); 192.168.0.0 - 192.168.255.255 (192.168/16). They fall in the old class A, B, and C ranges respectively. They are not assigned to any particular user; IANA reserves them as private addresses that any organization or enterprise may use. Unlike other Internet addresses they are valid only internally and are not globally routable: outside the organization's administrative scope they are meaningless, whether as source or as destination. A closed organization whose network is not connected to the Internet can use them without applying to IANA, and its internal routing and packet delivery work no differently from any other network.

A network that uses private addresses internally but needs Internet access deploys a NAT gateway at its egress. When a packet leaves the private network for the Internet, its source IP is replaced by a public address, usually the address of the egress device's interface. From the server's point of view the request was initiated by the egress device, so it sends the response back to the egress gateway. The gateway then replaces the destination address with the private address of the original host and delivers the packet internally. Such a request and response between a private host and a public server completes without either end being aware of the translation. With this model, a large number of intranet hosts no longer need public IP addresses of their own.

Principle of NAT

  1. The network is divided into two parts, the private network and the public network. The NAT gateway sits at the routing exit from the private network to the public network, and traffic in both directions must pass through it;
  2. **Network access can only be initiated from the private network side; the public network cannot actively access a private network host;**
  3. The NAT gateway translates the addresses in both directions: it replaces the source information on the way out and the destination information on the way in;
  4. The NAT gateway is transparent to both communicating parties;
  5. To perform this two-way translation, the NAT gateway maintains an association table that records the state of each session.

Three NAT techniques

Static NAT

Static NAT is a one-to-one mapping: every private address that needs to communicate with the outside needs its own public IP address. It saves no public addresses, so it is rarely used for ordinary client access; its main use is giving a fixed internal server a stable public address.

Dynamic NAT

Dynamic NAT configures a pool of public IP addresses on the router. When an internal host needs to talk to the outside, a public IP is taken from the pool and the correspondence is recorded in the NAT table. When the communication ends, that public IP is released back to the pool and can be used for other internal addresses. This is similar to a DHCP lease.

NAPT

NAPT (network address and port translation, also called PAT) is the most commonly used form of NAT and one of the main reasons IPv4 has survived until today. It provides a many-to-one mapping: the border router gives many intranet IP addresses a single public IP and distinguishes their sessions by using different ports of that public IP.

Intranet penetration technology

Disadvantages of NAT

NAT shortens the lifetime of IP sessions

After a session is established, the NAT device creates an association-table entry, and while the session is silent the NAT gateway ages that entry. Every NAT gateway must do this, because IP addresses and ports are finite while demand for communication is unbounded, so resources have to be reclaimed once a session ends. TCP sessions usually close through an explicit handshake that the gateway can track, but there are always exceptions, so the gateway still depends on its own timers. For UDP-based protocols it is hard to tell when communication has ended, so the gateway relies mainly on the idle timeout to reclaim the external port.

Timer-based aging creates a problem: if an application needs to keep a connection alive longer than the gateway's timeout, the communication breaks unexpectedly. Once the gateway has reclaimed the translation entry, new data arriving later finds no matching entry and a new connection must be established. If that new data comes from the public side, it cannot trigger a new entry, and there is no way to tell the private-side host to rebuild the connection, so the communication is interrupted and cannot recover on its own. Even when the new data comes from the private side, the rebuilt entry usually gets a different public IP and port than before, so the public-side host cannot associate it with the earlier session, and the user sees the connection drop.

Choosing an idle timeout that neither leaks resources nor interrupts most connections is hard for a NAT gateway. Now that NAT is ubiquitous, many application-protocol designers account for this with a keep-alive mechanism: when there has been no data to send for a while, the client sends a keep-alive message that carries no real data but that the NAT can see. Its main purpose is to reset the NAT session timer.
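To make the principles above concrete (the association table, the "only the inside may initiate" rule, NAPT's many-to-one port sharing, and the aging and keep-alive behaviour just described), here is a toy NAPT gateway written for this page as an added example; it is not code from the original article. The public address 203.0.113.5 and the server 198.51.100.20 are constructed documentation addresses, the port allocation is a plain counter, and time is passed in as a `now` argument instead of read from a real clock so the aging can be stepped deterministically.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The three RFC 1918 blocks quoted in the text.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

def is_rfc1918(addr):
    """True only for the three RFC 1918 ranges (narrower than ipaddress' is_private)."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)

@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass
class Entry:
    inside: tuple        # (private ip, private port)
    public_port: int     # port of the public IP allocated to this session
    last_seen: float     # time of the last packet in either direction

class NaptGateway:
    """Toy NAPT: many private (ip, port) pairs share one public IP."""

    def __init__(self, public_ip, idle_timeout=300.0, first_port=10000):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.next_port = first_port      # simple counter; ports are not reused here
        self.table = {}                  # (proto, in_ip, in_port) -> Entry
        self.by_public = {}              # (proto, public_port) -> Entry
        self.drops = 0                   # unsolicited inbound packets dropped

    def outbound(self, pkt, now):
        """Private -> public: rewrite the source (principle 3, outgoing direction)."""
        if not is_rfc1918(pkt.src_ip):
            return pkt                   # not one of ours, forward unchanged
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        e = self.table.get(key)
        if e is None:                    # first packet of a session creates the entry
            e = Entry((pkt.src_ip, pkt.src_port), self.next_port, now)
            self.next_port += 1
            self.table[key] = e
            self.by_public[(pkt.proto, e.public_port)] = e
        e.last_seen = now                # any inside traffic, keep-alive included, resets the timer
        return Packet(self.public_ip, e.public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt, now):
        """Public -> private: rewrite the destination, or drop if unsolicited (principle 2)."""
        e = self.by_public.get((pkt.proto, pkt.dst_port)) if pkt.dst_ip == self.public_ip else None
        if e is None:
            self.drops += 1
            return None
        e.last_seen = now
        in_ip, in_port = e.inside
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto)

    def age(self, now):
        """Reclaim entries idle longer than idle_timeout; returns how many were removed."""
        expired = [k for k, e in self.table.items() if now - e.last_seen > self.idle_timeout]
        for k in expired:
            e = self.table.pop(k)
            del self.by_public[(k[0], e.public_port)]
        return len(expired)

def demo():
    """Walk through the behaviours the text describes and return the observations."""
    gw = NaptGateway("203.0.113.5")                 # constructed public IP (TEST-NET-3)
    server = ("198.51.100.20", 443)                 # constructed remote server (TEST-NET-2)
    # Two inside hosts using the *same* source port: NAPT must still keep them apart.
    a = gw.outbound(Packet("192.168.1.10", 51000, *server), now=0)
    b = gw.outbound(Packet("192.168.1.11", 51000, *server), now=0)
    # The server's reply to A's public port is mapped back to A's private address.
    reply = gw.inbound(Packet(server[0], server[1], gw.public_ip, a.src_port), now=1)
    # A packet from the Internet to a port nobody mapped has no entry and is dropped.
    unsolicited = gw.inbound(Packet("198.51.100.99", 40000, gw.public_ip, 22), now=2)
    # B sends a keep-alive before the 300 s timeout; A stays silent.
    gw.outbound(Packet("192.168.1.11", 51000, *server), now=250)
    aged = gw.age(now=320)                          # A's entry (last seen at t=1) expires
    late_reply = gw.inbound(Packet(server[0], server[1], gw.public_ip, a.src_port), now=321)
    # When A talks again it gets a *new* public port: the old session cannot be resumed.
    a_again = gw.outbound(Packet("192.168.1.10", 51000, *server), now=322)
    return {
        "a_port": a.src_port, "b_port": b.src_port,
        "reply_to": (reply.dst_ip, reply.dst_port),
        "unsolicited_dropped": unsolicited is None,
        "aged": aged, "late_reply_dropped": late_reply is None,
        "a_port_after_aging": a_again.src_port, "drops": gw.drops,
    }
```

Calling demo() shows the whole story in one dict: both inside hosts use source port 51000 and still get distinct public ports (10000 and 10001); the unsolicited packet to port 22 and the late reply that arrives after aging are both dropped; and host A's rebuilt session comes out on port 10002, which is exactly why the public-side peer can no longer associate it with the earlier one.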

Mechanisms that rely on IP addresses to identify hosts fail

NAT multiplexes connections from many internal hosts onto a single IP address, which defeats any mechanism that uses the IP address to identify a host. Network-management tools based on traffic analysis can no longer attribute behaviour or traffic to an individual end user. Log analysis based on user behaviour also becomes difficult, because one IP is shared by many users; if there is malicious activity, locating the host that initiated the connection is hard. Even where a NAT gateway offers a way to log its translations, following a connection back through them is laborious. IP-based authorization is no longer reliable, because holding an IP address no longer equals being a particular user or host, and a server cannot simply treat accesses from the same IP as coming from the same host. Some servers limit the number of connections they accept from one IP at a time (sometimes just one), which makes users behind the same NAT preempt each other and queue. Servers often do this as DoS protection, on the reasoning that a single user should not open a large number of connections and that excessive use of resources is an attack; with NAT in the path, a connection count alone cannot support that judgement. In short, because NAT hides one end of the communication, it complicates things that used to be simple.

Breaking the IP end-to-end model

NAT rewrites the communication's addresses by modifying the IP header, but it can only do so one session at a time. This becomes troublesome when an application needs to maintain several related bidirectional connections: NAT does not understand the relationship between sessions and cannot guarantee that its translations satisfy the rules the application needs. When the NAT gateway has several public IP addresses, a group of related sessions may be mapped to different public addresses, which the server side usually cannot accept. More seriously, when a host on the public side wants to initiate a connection to the private side, the NAT gateway has no association-table entry for that connection, and the packets cannot reach the private host. Such reverse-direction connections are always either defined by the application protocol or negotiated in the session established first, but because NAT works at the network and transport layers, it cannot understand application-layer behaviour and knows nothing about them.

NAT works by modifying the IP header, and that interferes with some security protocols. Because NAT rewrites the IP address, the transport-layer port number and the checksums, a protocol that authenticates exactly those fields fails completely (IPsec AH is the classic case), since the point of the authentication is to guarantee that this information did not change in transit. Tunneling protocols also have extra problems with NAT, because they usually identify the tunnel endpoint by its outer address, and tunnels that pass through NAT share one outer IP, which the far end must handle carefully. ICMP is a network control protocol that carries error and control messages between two hosts; since the IP addresses have been remapped, ICMP messages also have to be de-multiplexed, and in many cases the ICMP payload does not carry enough information to do so, so the de-multiplexing fails. IP fragmentation splits a packet that is larger than the MTU of the source or of the path into several fragments that are reassembled at the receiver; because the transport-layer header is present only in the first fragment, NAT has difficulty matching the later fragments to an association-table entry and needs special handling for them.

Principle of Intranet Penetration

Intranet penetration, also known as NAT traversal. A node behind NAT is not prevented from actively reaching ports on the public network; what it cannot do is be reached from the public network. Intranet penetration exploits exactly this: the node behind NAT actively connects to a server that has a public IP, and that server acts as a bridge, opening a tunnel through which other hosts can reach the node behind NAT.

Besides reaching nodes hidden behind NAT, the same technique can pass through firewalls. A typical firewall blocks unsolicited inbound connections but allows outbound ones (common, but not universal: strict egress filtering defeats this), so a server inside the firewall can connect out to a public server, open a tunnel, and expose its local ports through it.

  • Step 1: Open the tunnel
    For security reasons, a host only accepts an inbound packet if it matches a record left in its state table by a connection the host itself initiated; uninvited packets that match nothing are discarded. So two hosts in different LANs cannot reach each other just by knowing the other's IP address and port and sending packets "hopefully"; the tunnel has to be opened first. Suppose the public IP is X.X.X.X and the intranet IP is 192.168.1.2. The public host listens on port 80, the default port of a web server, to offer the HTTP service to the outside world. It also listens on a second, arbitrary port (say 7777) whose only purpose is to let the intranet server connect in and open the tunnel. The intranet host then actively connects to port 7777 on the public host, establishing a channel between the two.

  • Step 2: Port forwarding (public host port 80 to intranet port 80)
    When any client connects to port 80 on the public host, the public host immediately forwards the connection request through the tunnel established in step 1. On receiving it, the intranet host connects to its own port 80 and passes the client's data through unchanged.

  • Step 3: Forward the response the same way
    After the HTTP server on the intranet host has processed the request, the response travels back along the same path: through the tunnel to the public host, out of its port 80, and finally to the client that originally connected to port 80 of the public server.

In general, intranet penetration works for any machine that can connect out to the public network, providing a universal way to expose an intranet service.

Example

Python port forwarding
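The three steps above, implemented as an added example written for this page (it is not the original article's code). A `PublicRelay` plays the host with the public IP and listens on two ports: one for ordinary clients (the "80" of the text) and one for the tunnel (the "7777"); an `IntranetAgent` plays the host behind NAT and only ever dials out. When a client arrives, the relay pushes a notification down the tunnel, the agent opens a second outbound connection for that client's data and splices it to the local service, and responses flow back the same way. Assumptions: ports are allocated by the OS (port 0) so everything runs on loopback, the four-byte `CTRL`/`DATA` headers and the one-byte `N` notification are this example's own framing, and a constructed fake HTTP service stands in for the intranet web server.

```python
import queue
import socket
import threading

def _listen():
    """Listen on a loopback port chosen by the OS (stands in for 80 / 7777)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(16)
    return s

def _recv_exact(sock, n):
    """Read exactly n bytes (fewer only at EOF); TCP keeps no message boundaries."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def _pipe(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the far end sees EOF too."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def splice(a, b):
    """Step 3: forward bytes in both directions until both sides are finished."""
    t = threading.Thread(target=_pipe, args=(b, a), daemon=True)
    t.start()
    _pipe(a, b)
    t.join()
    a.close()
    b.close()

class PublicRelay:
    """The host with the public IP: one port for clients, one for the tunnel."""

    def __init__(self):
        self.public, self.tunnel = _listen(), _listen()
        self.public_port = self.public.getsockname()[1]   # the "80" of the text
        self.tunnel_port = self.tunnel.getsockname()[1]   # the "7777" of the text
        self.control = None           # the agent's long-lived tunnel connection
        self.pending = queue.Queue()  # client sockets waiting for the agent to answer

    def start(self):
        threading.Thread(target=self._accept_tunnel, daemon=True).start()
        threading.Thread(target=self._accept_public, daemon=True).start()

    def _accept_tunnel(self):
        while True:
            conn, _ = self.tunnel.accept()
            kind = _recv_exact(conn, 4)
            if kind == b"CTRL":       # step 1: the agent opens the tunnel
                self.control = conn
                conn.sendall(b"OK")
            elif kind == b"DATA":     # step 2: the agent answers a pushed request
                client = self.pending.get()
                threading.Thread(target=splice, args=(client, conn), daemon=True).start()
            else:
                conn.close()

    def _accept_public(self):
        while True:
            client, _ = self.public.accept()
            if self.control is None:  # no tunnel yet, so nobody can serve this client
                client.close()
                continue
            self.pending.put(client)
            self.control.sendall(b"N")  # push the connection request down the tunnel

class IntranetAgent:
    """The host behind NAT: it only ever makes outbound connections."""

    def __init__(self, relay_host, tunnel_port, local_port):
        self.relay = (relay_host, tunnel_port)
        self.local = ("127.0.0.1", local_port)
        self.ready = threading.Event()

    def start(self):
        threading.Thread(target=self._run, daemon=True).start()

    def _run(self):
        ctrl = socket.create_connection(self.relay)
        ctrl.sendall(b"CTRL")
        if _recv_exact(ctrl, 2) != b"OK":
            return
        self.ready.set()
        while _recv_exact(ctrl, 1) == b"N":
            data = socket.create_connection(self.relay)   # outbound again: NAT allows it
            data.sendall(b"DATA")
            local = socket.create_connection(self.local)  # the intranet service itself
            threading.Thread(target=splice, args=(data, local), daemon=True).start()

def _fake_http_service():
    """Constructed stand-in for the intranet web server; returns its port."""
    srv = _listen()

    def loop():
        while True:
            c, _ = srv.accept()
            c.recv(4096)  # the request; not parsed in this demo
            c.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 5\r\n\r\nhello")
            c.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Wire everything up on loopback and return what an outside client receives."""
    relay = PublicRelay()
    relay.start()
    agent = IntranetAgent("127.0.0.1", relay.tunnel_port, _fake_http_service())
    agent.start()
    agent.ready.wait(5)
    client = socket.create_connection(("127.0.0.1", relay.public_port), timeout=5)
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")
    resp = b""
    while chunk := client.recv(4096):
        resp += chunk
    client.close()
    return resp
```

Running demo() returns the fake server's `HTTP/1.0 200 OK` response, received by a client that only ever talked to the public port. Two practical caveats: the tunnel port here accepts any peer that sends `CTRL`, so a real deployment must authenticate the agent (otherwise anyone who can reach the tunnel port can take over the exposed service), and the control connection is exactly the kind of long-lived idle session the NAT aging discussion above warns about, so a production agent also needs keep-alives and reconnect logic.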

Reference articles:

https://www.jianshu.com/p/62028875d53e

http://www.52im.net/article-64-1.html

https://blog.csdn.net/deng_xj/article/details/88922690