I know about STUN, TURN and ICE. Suppose 2 users u1, u2, are behind two seperate NATs respectively. If the NAT mapping behavior is address independent and filtering behavior is port restricted NAT than How can I create a direct connection between two peers using client sockets. If any two peers who have not established connected prior to each other and if there is not mapping in NAT can two peers connect to each other if in case they know each others external ip address and port to be chose by NAT(generally same as local port)
Related
When we establish a TCP connection from PC1 to Server and send data through this connection, how does the Router know to which of the two PCs (PC1 and PC2) should it communicate on the way back from Server to PC1?
And
How does ping (ICMP) know to which internal node it should send the answer?
NAT (Network Address Translation) is stateful. It creates a translation table that has the layer-3 and layer-4 protocols and addresses. By looking up the return traffic addresses in the translation table, the NAT process can determine which inside addresses should be placed in the packet.
Edit:
Per the edit to your question, asking about ICMP (it is very bad form to change the question in order to ask a different question because it can invalidate the perfectly acceptable answers already given):
It is all the same as TCP or UDP. NAT creates a state table that is dynamically built as traffic passes from inside to outside. NAPT will allow you to overload a single IP address with traffic from multiple inside addresses, and it will translate the return traffic by looking up where to send it in its state table.
With NAPT, besides looking at and translating the IP address, NAPT looks at the layer-4 protocol (TCP, UDP, ICMP) and translates the layer-4 addresses (TCP or UDP port numbers or ICMP identifies), too, storing the translations in its translation table. When return traffic is destined to a particular layer-3 and layer-4 address combination, from a particular layer-3 and layer-4 address combination, the NAPT process finds that in its translation table, and it can see where to send the traffic on the inside.
NAT is very resource intensive, and it breaks the IP paradigm of end-to-end connectivity, where every host is uniquely identified by its own IP address, which is why it is called a kludge (or worse). NAT was developed to extend the life of IPv4 until IPv6, with its nearly unlimited addressing, can become ubiquitous.
RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations:
4.1.2. Network Address Port Translation (NAPT)
NAPT extends the notion of translation one step further by also
translating transport identifier (e.g., TCP and UDP port numbers, ICMP
query identifiers). This allows the transport identifiers of a number
of private hosts to be multiplexed into the transport identifiers of a
single external address. NAPT allows a set of hosts to share a single
external address. Note that NAPT can be combined with Basic NAT so
that a pool of external addresses are used in conjunction with port
translation.
For packets outbound from the private network, NAPT would translate
the source IP address, source transport identifier and related fields
such as IP, TCP, UDP and ICMP header checksums. Transport identifier
can be one of TCP/UDP port or ICMP query ID. For inbound packets, the
destination IP address, destination transport identifier and the IP
and transport header checksums are translated.
A NAPT router in figure 2 may be configured to translate sessions
originated from N-Pri into a single external address, say Addr-i.
Very often, the external interface address Addr-Nx of NAPT router is
used as the address to map N-Pri to.
There is a large pool of resources describing NAT (Network Address Translation), which is available if you search "nat explained". A great resource is What is NAT and how it work tutorial.
The most important detail is that commonly we use NAPT (commonly used as PAT - Port Address Translation) (Network Address and Port Translation), alongside NAT.
When a device needs to use the Internet, it must open a local (source port) and send the IP request to the other end. For example, a notepad with source IP address 192.168.1.2 needs to communicate with a web server at 216.58.212.35.
It fires up random source port 1234 and requests information from target port 80 (HTTP - Web page).
This goes through the networks NAT device, which stores the information 192.168.1.2/1234 with the next information that it computes, and sends the request as 46.103.93.105 (its own IP public IP) and a new source port, for example 2345.
The web server responds to the NAT device, which in turn finds the correlated information (source port 2345 targets 192.168.1.2/1234). The notepad receives the information and displays it to the user.
The router adds information to the request header sent to the server that allows it to look up the sender when the reply is received. This is usually accomplished by using a table stored in the router's memory that maps the PC's address to the token added to the header.
I have two peer devices which are behind NAT. But the problem comes while establishing communication between them, as there are four different types of NAT and each observing a different behaviour. What can be the possible solution in this scenario?
Also I have a STUN server which is used to relay the IP addresses and port number of the peer device.
Without access to some interface with which you can configure the NAT'ing on the gateways, you can't establish a connection. Simple as that. NAT is designed to forward communication packets to the (hidden) host behind the NAT that is a) configured to get packets for that specific port or b) based on tracked connections.
Typically, this problem is overcome in SOHO routers by employing UPnP, which allows to set up port forwardings "on the fly". Knowing that this basically is the same as shutting down the firewall and exposing a PC, you won't get that in institutional networks. Your only choice then is to use a third party as kind of a broker/proxy or to use VPN technologies to "bridge" these networks (or to bring one party into the other party's network, to be more specific).
This paper has been very useful to me in order to learn about hole punching: https://www.usenix.org/legacy/event/usenix05/tech/general/full_papers/ford/ford.pdf
As last option, when you cannot do hole punching, what everybody does is the typical implementation through a server. Peer A and Peer B have a connection through a server that they can poll all the time.
Consider a phone which is connected to wifi with phones A, address as Dynamic Ip ex:192.168.0.34 and its listening over a server socket at port 7567, In what way can i connect to that socket using any programming language if i have another phone B to connect that which is on public ip say 10.0.0.56 and i have the wifi router ip say ex 55.56.89.76 ?
It is not possible to connect directly to a client behind a NAT if you don't use port forwarding. But there is a technique called hole punching to open a port thrue a NAT.
From Wikipedia:
Hole punching is a computer networking technique for establishing communications between two parties in separate organizations who are both behind restrictive firewalls. Used for applications such as online gaming, P2P and VoIP, both clients establish a connection with an unrestricted third-party server that uncovers external and internal address information for them. Since each client initiated the request to the server, the server knows their IP addresses and port numbers assigned for that session, which it shares one to the other. Having valid port numbers causes the firewalls to accept the incoming packets from each side. ICMP hole punching, UDP hole punching and TCP hole punching respectively use Internet Control Message, User Datagram and Transmission Control Protocols. Using TCP nefarious hole punching, it's possible to send compressed SYN packets through into a common ACK path. Numerous software does this.
See also the questions related to this topic.
The scenario is the following. I have two machines A and B:
A: Client (behind NAT)
B: Server (behind NAT)
I want B to be able to listen on any given port, so that A can send packets to B through that specific TCP port and receive any response. If both machines are not behind a NAT it is pretty straight foward process. However how do I make it work so that it works even when B is behind a router, without him having to go change the router configuration enable some port forwarding etc...
For example, how do peer-to-peer programs like torrent clients work without the user having anything to configure?
To answer the example of Peer to Peer programs, and in general: There is a technology called Universal Plug and Play which NAT routers can use to allow clients behind them to expose ports to the outside. That's what bittorrent clients can use so the other clients can directly connect to them.
An alternative to a proxy server is a match-making server. Instead of proxying all of the traffic, the match maker just negotiates until the peers can talk to each other. This involves finding the external public IPs of the peers and talking to each one so that the firewall/router knows that the peers wish to communicate.
This is called hole punching and it often has to be done by the match maker rather than the peers themselves. Once the hole are punched though, the match maker can tell the peers about each other and they can communicate directly.
You will have to either:
Set up port forwarding from the nat
gateway in front the server into the machine your server software is running, and have the client
connect to the IP address of that
gateway.
Create a proxy server sitting
inbetween the 2 nat gatewys so both
your server and client can connect
to that. Both your server and client
have to set up a connection to that
proxy which will mediate the data
between those 2 connections.
Hole punching is moderately well-understood for UDP communication, but it can be reliably used to set up peer-to-peer TCP streams as well. Here is the well detailed article on both TCP and UDP:
http://www.brynosaurus.com/pub/net/p2pnat/
I was wondering that how application like skype ( a popular chat client ) works in local network with one router, How it can listen on particular port?
for example:=
In one network A and B are two machines running skype , gateway of both is G1,
now how A and B will have same IP on internet that is of G1, but how can they ensure that they are listening on different ports? How can they ask to router G1 for unique port.
I want to make a simple text chat server on linux. How can I have connections between two different computers in two different networks?
Solution to your problem is to have a forwarding server somewhere in the net.
Different programs use different means to connect to each other. But every chat server, including Skype, has a server, which forwards data or information about subnet IP/port availability.
There are two types of clients: "listening" clients and "passive" ones. Listening clients have direct access to Internet via router port forwarding, and "passive" ones have to use additional tricks to get their hands on external data, line external servers or additional ports to listen.
The point is, not clients connect to each other, but they connect to a server, which then connects back to them to verify they are available, and, if at least one of them is not firewalled, direct another on to connect to the first one, excludint itself from further communication. And if both are firewalled, then is has to forward their messages through itself.
Host Discovery
Manual discovery, client A knowns who client B is
Discovery through broadcast UDP which is used by lot of games for LAN play. A client sends out a packet to the broadcast address for their subnet. The peers can choose to pick up this broadcast and respond. The downside is that this is limited to the current subnet. The more general INADDR_BROADCAST (255.255.255.255) works for all subnets on the local-link, but it cannot be routed, so won't work over internet (this is what DHCP auto-configuration uses).
Discovery through a central (Rendezvous) server. Each individual client knows the address of the server, and the latter informs them about each other. This technique is used by IRC, Voip, IMs and by most 'peer-to-peer' networks.
Communication
After the initial discovery is done you want to be able to talk to eachother. On the internet this can get tricky. Most people nowadays have their own router and sit behind a NAT, so direct connections are impossible.
Using a Rendezvous server, you can possibly talk to each other using the server itself. client A tells the server what to say, and it in turn tells client B, since both clients have an outbound connection to the server.
It is possible for the clients to talk to each other without the server proxying. This requires either DMZ, port forwarding or UPnP. DMZ will basically forward all incoming connections on all the ports to a given local IP. Port forwarding only forwards certain ports to local IPs. UPnP is a bit more advanced, the client requests that the router temporarily forwards a port to it, and you tell the other client via the rendezvous server where to connect.
Chatting app implementation
The easiest solution to your problem is most likely to use a central server, which is known by all the clients, that proxies host discovery and possibly the communication between the clients. If you want the clients to communicate directly, you can just proxy host discovery, and then let either DMz, manual port forwarding or UPnP do the rest.
Another solution would be to just have direct communication through NAT traversal techniques discussed above, and do manual host discovery.
Yet another solution would be to use a public webserver and 'abuse' its ability to insert content to chat with each other.
You need a central UDP Rendezvous Server.
After the initial connection from the client to the server the UDP clients can be redirected to talk to eachother directly even if firewalled.
The trick is to open an UDP connection from the inside.
Check out Real-Time Media Flow Protocol and how they use it.
Check out UDP Hole Punching
alt text http://labs.adobe.com/technologies/stratus/images/p2pvideo_250x215.jpg
Traditional NAT servers replace the source address and port with the address and a random port number of the external interface of the NAT server. This works well for simple protocols such as HTTP and SMTP, but it can create problems for more complex protocols that require multiple response ports on the external interface of the NAT server. NAT servers also aren’t aware of information stored in the data portion of the application layer header without the help of NAT editors and similar software fixes.
Windows XP’s answer to these problems is NAT Traversal, which can automatically allow the UPnP-enabled NAT client application to communicate with a UPnP NAT device. NAT Traversal provides methods to allow the UPnP client to learn the public IP address of the NAT server and to negotiate dynamically assigned port mappings for UPnP NAT client applications.
NAT Traversal features can be built into any hardware device or software application. Applications that commonly cause troubles for NAT devices but work well when UPnP-enabled include the following:
Multiplayer Internet games
Audio and video communications
Terminal Services clients and servers
Peer-to-peer file sharing applications
When these applications are UPnP-enabled, access through the Windows XP ICS allows them to work seamlessly.
Unless A and B are actually "listening" to the responses to outgoing requests, your router will need to be cofigured to forward the relevant port numbers to the relevant hosts. This isn't something that you can request in the code, it's something you need to configure on the router itself.