CN100334858C - Method of breakthrough NAT using dual tunnel mechanism - Google Patents

Abstract

A method for penetrating NAT (Network Address Translation) using a double-tunnel mechanism, mainly using an IPv4 (IP 4th Edition) message containing a pseudo-tunnel header to encapsulate and transmit an IPv6 (IP 6th Edition) message, and passing The re-encapsulation of a tunnel server enables the IPv6/IPv4 dual-stack host behind the IPv4 NAT to use its own IPv4 private address to establish a double tunnel, thereby traversing the IPv4 network and establishing connections with other IPv6 hosts. This method can penetrate all types of NAT, and is compatible with the existing network system, without upgrading the existing routing equipment. When using this method to penetrate NAT, the IPv6/IPv4 dual-stack host behind the IPv4 NAT can use any IPv6 address independent of the IPv4 address. Actively initiated connections, and can establish connections with other IPv6/IPv4 dual-stack hosts behind IPv4 NAT.

Description

A Method of Penetrating NAT Using Double Tunnel Mechanism

technical field

The present invention relates to a method for penetrating NAT (Network Address Translation, Network Address Translation) by using a double tunnel mechanism, and in particular to a method for using a tunnel server to establish a double tunnel and use IPv4 (Internet Protocol Version 4, IP version 4) to report The text is used to encapsulate and transmit IPv6 (Internet Protocol Version 6, IP version 6) packets, so that the IPv6/IPv4 dual-stack host behind the IPv4 NAT can use its own IPv4 private address, pass through the IPv4 network through the tunnel mechanism, and other The method by which an IPv6 host establishes a connection.

Background technique

As mentioned above, the exhaustion of IPv4 address space makes IPv4 face difficulties while achieving great success. Although the use of NAT technology and CIDR (Classless Addressing) technology has alleviated the shortage of IP (Internet Protocol) addresses to a certain extent, the development of mobile communication technology has put forward a greater demand for IP address space. Therefore, the implementation of the next generation Internet protocol IPv6 is imperative. IPv6 is a network layer protocol designed for the next generation Internet. To implement IPv6 network, we must make full use of the existing network environment to construct the next generation Internet, so as to avoid excessive waste of investment. IPv4 has achieved great success in the Internet field because of its excellent technical characteristics. The current Internet is based on IPv4, and it is impossible to transition them to IPv6-based networks in a short period of time. Therefore, for a long period of time, IPv6 networks will coexist with IPv4 networks. How to realize the interoperability and smooth transition between IPv4 and IPv6 is an important issue at present. Since the packet formats of IPv6 and IPv4 are not compatible, various transition mechanisms have been designed to enable IPv6 to realize virtual network interconnection on the widely used IPv4 infrastructure today. Tunnel technology is widely used because it meets the requirements of IPv6 end-to-end communication. The core of the tunnel technology is to encapsulate IPv6 packets into IPv4 packets, and use the existing Internet that supports IPv4 to transmit IPv6 packets. If a tunnel is established between two IPv6 nodes A and B, when node A wants to send an IPv6 message to node B, it encapsulates the IPv6 message in an IPv4 message with the IPv4 address of node B as the destination address After sending it out, Node B will remove the IPv4 encapsulation after receiving the message, take out the IPv6 message and put it into its own IPv6 protocol stack, so as to realize IPv6 intercommunication on the IPv4 infrastructure. However, none of the traditional tunneling technologies can penetrate NAT because the filtering mechanism of NAT does not allow certain types of packets to pass through. Even if it is allowed, private addresses cannot be used to establish tunnels.

The Teredo solution proposed by Microsoft can solve this problem, but the implementation of Teredo is complicated and difficult to be compatible with the existing network structure. Not only does it need to add Teredo Server (Teredo server) to assist Teredo Client (Teredo user) to establish a connection, but also requires the router near the general IPv6 site to be accessed by Teredo Client to have the function of TeredoRelay (Teredo relay), that is, the router can not only recognize the Teredo format IPv6 address, and can work with Teredo Server to complete the function of penetrating NAT, and then forward the message between Teredo Client and other IPv6 nodes. This will necessarily require upgrading of routers at the ingress of all IPv6 networks. In addition, the IPv6 address of the Teredo Client is composed of the IPv4 address and port of the Teredo Server, and the external public IPv4 address and port of the Teredo Client converted by NAT, so its IPv6 network identification also depends on the IPv4 address, which requires application and registration Specific IPv6 address space, otherwise it cannot receive connections first initiated by other IPv6 nodes.

Contents of the invention

An object of the present invention is to provide a kind of method utilizing double tunnel mechanism to penetrate NAT, make the IPv6/IPv4 dual-stack host computer behind IPv4 NAT, utilize a tunnel server, establish double tunnel, thus can use own IPv4 private address, Through the IPv4 network, establish connections with other IPv6 hosts.

Another object of the present invention is to provide a general method for penetrating NAT, which can penetrate all types of NAT by adding a pseudo-tunnel header, and is compatible with existing network systems, without the need for existing routing equipment upgrade. The pseudo-tunnel header defined in the payload part of the UDP message is used to indicate the IPv4 entry address of the IPv6 network where the destination node is located, as well as necessary control information, which can be used for transmission performance optimization, network security, and network control and management.

Another object of the present invention is to provide a method for traversing NAT, which provides a public address server for registering and querying all IPv6 network addresses and their corresponding IPv4 entry addresses, so as to ensure that all IPv6 network packets will be sent to this IPv4 entry address after encapsulation, which not only facilitates centralized query and management of addresses, effectively improves the efficiency of packet transmission, but also can be well integrated with other network services such as DNS (Domain Name Service) integrated.

Another object of the present invention is to provide a kind of method of penetrating NAT, make the IPv6/IPv4 dual-stack host computer behind IPv4 NAT can use any IPv6 address independent of IPv4 address, after this address is registered on public address server, That is, the connection firstly initiated by other IPv6 nodes can be received.

Another object of the present invention is to provide a method for traversing NAT, so that the IPv6/IPv4 dual-stack host behind the IPv4 NAT can not only establish a connection with a general IPv6 node, but also connect with other IPv6/IPv4 hosts behind the IPv4 NAT. An IPv4 dual-stack host establishes a connection.

To solve the problem of traversing NAT, we must first analyze the implementation mechanism of NAT. The core of NAT implementation is to translate the address of the data packet in the internal network (called internal address or private address) into an external legal address (called external address or public address) and send it to the external network. After the text, it is translated into an internal address and sent to the internal network. The so-called external address or public address is a global IP address assigned by the Inter NIC (Internet Network Information Center) to the applying organization that can directly access the Internet. The internal address or private address is a non-registered address, which is specially used within the organization and cannot directly access the external Internet. The essence of NAT is to dynamically maintain a mapping table, which is used to map internal addresses (IP addresses, ports) to legal external addresses. Use <IN.ip, IN.port> to indicate the address of the internal computer, the corresponding legal external address after NAT translation is <NAT.ip, NAT.port>, and the address of the external computer communicating with it is correspondingly expressed as <OUT .ip,out.port>. Therefore, in the NAT system, the mapping table is represented as a set of mapping table entries of such a <IN.ip, IN.port, NAT.ip, NAT.port, OUT.ip, OUT.port> six-tuple. When there is a message in the internal network, if the destination address is not inside, NAT will search the mapping table with <IN.ip, IN.port> as the key word, and if the entry exists, it will directly translate and forward the message; otherwise, it will allocate The new address resource <NAT.ip, NAT.port>, record the new entry and then translate and forward the message. After receiving the external message, use <NAT.ip, NAT.port> as the keyword to search, and after finding it, translate the address and forward it to the inside. This kind of entry is dynamically maintained, and the <NAT.ip, NAT.port> that has not been used for a certain period of time will be automatically recycled by the system for the next redistribution.

NATs can be classified according to the policies used in the specific implementation of NATs. When the source of the packet is inside the NAT, it is classified according to the matching process when the internal packet is forwarded from the inside to the outside. When the corresponding tuple is found according to <IN.ip, IN.port> (matching failure indicates that a new network resource needs to be applied for), there are mainly two specific implementation methods. One is called the least port allocation method. At this time, the address translation can be performed directly, and then the data can be sent. The other method is called competitive port allocation method, which needs to match the original pre-stored <OUT.ip, OUT.port> (or one of the two). If the matching results are inconsistent, it is considered that a new port needs to be regenerated; otherwise, it is allowed Translate the address and send it. When the source of the message is outside the NAT, it is divided according to the matching process of the external message: after receiving the external message, the corresponding tuple is found according to <NAT.ip, NAT.port>, and the matching failure indicates that the message If it is illegal, discard it directly; otherwise, there are 3 common matching rules:

I. Do not perform any matching, and directly use <IN.ip, IN.port> for address translation, which is called wide matching.

II. Only match OUT.ip or OUT.port, that is, screen the source address or port of the message. If it does not match the one stored in the corresponding tuple, it will be considered as an illegal message and discarded directly, otherwise, address translation will be performed. Correspondingly, it can be called the address matching/port matching mode.

III. Match OUT.ip and OUT.port, and address translation is performed only when both match. This is called a safe matching method.

The method proposed by the present invention can penetrate all above-mentioned NAT types, mainly utilizes the UDP (User Datagram Protocol) message of the IPv4 that contains the pseudo-tunnel header to encapsulate and deliver the IPv6 message, and establishes a dual channel through a tunnel server. Tunnel to complete the function of traversing NAT. The reason why UDP packets are selected as bearer packets is that TCP (Transmission Control Protocol) packets and UDP packets are the only two types of packets that can pass through all commonly used NAT types. However, due to the congestion control mechanism of TCP, the real-time performance of using TCP to transmit IPv6 packets is poor, so UDP packets are selected as bearer packets. The tunnel server must have an IPv4 public address, and it can be an IPv6/IPv4 dual-stack host or a pure IPv4 host. It mainly completes the reassembly of the IPv4 packets with pseudo-tunnel headers (IPv6 packets encapsulated inside) transmitted from the IPv6/IPv4 dual-stack host behind the IPv4NAT, removes the pseudo-tunnel headers and forwards to the real destination node. Point forwarding; the function of reassembling the IPv4 packets encapsulated with IPv6 packets from the outside, and forwarding them to the IPv6/IPv4 dual-stack host behind the IPv4 NAT.

This method provides a public address server for registering and querying all IPv6 network addresses and their corresponding IPv4 entry addresses, so as to ensure that all packets sent to the IPv6 network will be sent to this IPv4 entry address after encapsulation. This not only facilitates centralized query and management of addresses, can effectively improve the efficiency of message transmission, but also can be well integrated with DNS domain name service network services.

In addition, the IPv4 address of the tunnel server is required to be open to the IPv6/IPv4 dual-stack host behind the IPv4 NAT, that is, the address or address list of the available tunnel server is known to the host. In addition, the IPv4 entry registered by the IPv6 address of the IPv6/IPv4 dual-stack host behind the IPv4 NAT on the public address server is the IPv4 address of the tunnel server. And the tunnel server keeps an address mapping table, which records the real IPv4 entry of the IPv6 address registered with its own IPv4 address (that is, the public IPv4 address of the IPv6/IPv4 dual-stack host behind the IPv4 NAT converted by NAT).

The present invention is realized through the following technical solutions.

A kind of method utilizing double tunnel mechanism to penetrate NAT (network address translation), it is characterized in that, set up double tunnel by a tunnel server, make the IPv6/IPv4 dual stack that is positioned at IPv4 (Internet ProtocolVersion 4, IP 4th edition) NAT back The host uses the IPv4 UDP message containing the pseudo-tunnel header to encapsulate and transmit the IPv6 message, and establishes a connection with other IPv6 (Internet Protocol Version 6, IP version 6) hosts, where the pseudo-tunnel header is used to indicate the location of the target host The IPv4 entry address of the IPv6 network (queried on the public address server) and the necessary control information, the destination address of the IPv4 UDP message containing the pseudo-tunnel header and encapsulated with IPv6 messages sent by the dual-stack host is the tunnel server After the tunnel server receives the packet, it takes out the fake tunnel header, and then re-encapsulates an IPv4 packet with the IPv4 address of the tunnel server and the IPv4 entry address of the IPv6 network where the target host is located as the source and destination addresses respectively. and forward it outward; otherwise, other IPv6 hosts send IPv6 messages to this dual-stack host and send them to the tunnel server after encapsulation (the IPv4 entry address registered by the IPv6 address of the dual-stack host is the IPv4 address of the tunnel server), The tunnel server matches the mapping table according to the destination IPv6 address, finds the public IPv4 address of the dual-stack host after NAT mapping, and then re-encapsulates with the IPv4 address of the tunnel server and the public IPv4 address of the dual-stack host after NAT mapping as the source and destination addresses respectively An IPv4 UDP packet is forwarded outward.

The pseudo-tunnel header defined in the payload part of the UDP message is used to indicate the IPv4 entry address of the IPv6 network where the destination node is located and necessary control information, which can be used for transmission performance optimization, network security, and network control and management.

This method can penetrate all types of NAT, and is compatible with the existing network system, without upgrading the existing routing equipment.

The method of traversing NAT provides a public address server for registering and querying all IPv6 network addresses and their corresponding IPv4 entry addresses, so as to ensure that all packets destined for the IPv6 network will be sent to this IPv6 network after encapsulation. IPv4 entry address, which not only facilitates centralized query and management of addresses, can effectively improve the efficiency of message transmission, but also can be well integrated with DNS (Domain Name Service) and other network services.

The IPv6/IPv4 dual-stack host behind the IPv4 NAT can use any IPv6 address independent of the IPv4 address. After the address is registered on the public address server, it can receive the connection first initiated by other IPv6 nodes.

The IPv6/IPv4 dual-stack host behind the IPv4 NAT can not only establish connections with general IPv6 nodes, but also establish connections with other IPv6/IPv4 dual-stack hosts behind the IPv4 NAT.

Description of drawings

Fig. 1 is a schematic diagram of the working process of the double tunnel mechanism.

Detailed ways

In Fig. 1, first look at the communication process between general IPv6 nodes. Suppose IPv6 node A wants to initiate a connection to IPv6 node B. Because the current Internet is still based on IPv4, each IPv6 network is connected to the IPv4 network through a dual-stack host or router to achieve intercommunication with other IPv4 or IPv6 networks. The IPv4 address of this dual-stack host or router It is the entry address of the IPv6 network. Here we provide a public address server for registering and querying all IPv6 network addresses and their corresponding IPv4 entry addresses. Therefore, A needs to obtain the IPv4 entry address of B's IPv6 network from the public address server first, and then encapsulates the IPv6 packet with A and B as source and destination addresses in the IPv4 packet and sends it to the IPv6 network of B. (if A is a pure IPv6 node, the encapsulation process needs to be completed by the IPv4 entrance of the network where A is located), the dual-stack host or router at the IPv4 entrance of the IPv6 network where B is located removes the IPv4 packet header, and then Forward the IPv6 packet to B. Of course, if B itself is a dual-stack host and has registered, the packet will be sent directly to B's IPv4 address, and B will remove the IPv4 packet header.

Now, assume that A is a dual-stack node and is located behind an IPv4 NAT, that is, A only has an IPv4 private address assigned by the NAT, and has no IPv4 public address. A wants to initiate a connection to an IPv6 node B of another IPv6 network (B can be a general IPv6 host, or an IPv6/IPv4 dual-stack host behind an IPv4 NAT). A first forms an IPv6 message with A and B as source and destination addresses, and forms a pseudo-tunnel header, which indicates the IPv4 entry address of B's IPv6 network (obtained by querying on a public address server) and the necessary Control information, and then encapsulate the two parts together in the IPv4 UDP message, the destination address of this message is the IPv4 address of the tunnel server S. After receiving this message, S takes out the pseudo-tunnel header, and then regenerates an IPv4 message, using the IPv4 address of S and the IPv4 entry address of B's IPv6 network as the source and destination addresses respectively, and its content is encapsulated by A IPv6 packets with A and B as source and destination addresses. S can be a pure IPv4 host without specific identification of IPv6 packets. It just removes the fake tunnel header from the packets sent by A and regenerates the source and destination addresses with the IPv4 address of S and the IPv4 entry address of the IPv6 network where B is located. IPv4 packets. Conversely, since the IPv4 entry registered by A's IPv6 address is the IPv4 address of tunnel server S, the IPv6 packet sent by B to A will be encapsulated and sent to S's IPv4 address. After receiving it, S takes out the destination address of the IPv6 packet. S can be a pure IPv4 host, without actually identifying the IPv6 message, it just takes out the part corresponding to the IPv6 destination address in the IPv4 message content of the received encapsulated IPv6 message, matches the address mapping table, and finds out the real IPv4 message. Ingress (that is, the public IPv4 address of A after NAT mapping). Then regenerate an IPv4 UDP message, use the IPv4 address of S and the public IPv4 address of A after NAT mapping as the source and destination addresses respectively, and the UDP message content is the data part of the message just received (that is, B IPv6 packets sent to A). Since a mapping entry has been established between A and S in the address mapping table of NAT, NAT will forward the packet to A. In this way, through the reassembly and forwarding of data by the tunnel server, a double tunnel is established, so that the IPv6/IPv4 dual-stack host behind the IPv4 NAT can use its own IPv4 private address to traverse the IPv4 network and establish a tunnel with other IPv6 hosts. connect. Figure 1 illustrates the working process of the above-mentioned double tunneling mechanism. It should be noted that no matter what kind of NAT, the mapping table entries are not permanently saved. Therefore, A should periodically send contact messages to S to maintain the corresponding mapping entries in the NAT.

The method we propose to use the tunnel server to establish a double tunnel to penetrate NAT can enable the IPv6/IPv4 dual-stack host behind the IPv4 NAT to use its own IPv4 private address, pass through the IPv4 network through the tunnel mechanism, and establish a tunnel with other IPv6 hosts. connect. The method can penetrate all types of NAT by adding a pseudo-tunnel header, and is compatible with the existing network system without upgrading the existing routing equipment. The pseudo-tunnel header defined in the payload part of the UDP message is used to indicate the IPv4 entry address of the IPv6 network where the destination node is located and necessary control information, which can be used for transmission performance optimization, network security, and network control and management. This method uses a public address server to register and query the IPv4 entry address of the IPv6 network. All IPv6 network addresses and their corresponding IPv4 entry addresses must be registered on the server to ensure that all reports sent to the IPv6 network All files will be sent to this IPv4 entry address after encapsulation, which not only facilitates centralized management and query of addresses, effectively improves the efficiency of message transmission, but also can be well integrated with other network services such as DNS. Using this method, the IPv6/IPv4 dual-stack host behind the IPv4 NAT can use any IPv6 address independent of the IPv4 address. After the address is registered on the public address server, it can receive the connection initiated by the general IPv6 node. , and can establish connections with other IPv6/IPv4 dual-stack hosts behind IPv4 NAT. This is of great significance for dealing with the relationship between the existing IPv4 network and the future IPv6 network, so as to realize the smooth transition from IPv4 to IPv6.

Claims (6)

1. A kind of method that utilizes double tunnel mechanism to penetrate NAT, it is characterized in that, set up double tunnel by a tunnel server, make the IPv6/IPv4 dual-stack host that is positioned at the IPv4 NAT back, utilize the UDP report that contains the IPv4 of false tunnel head To encapsulate and transmit IPv6 packets, and establish connections with other IPv6 hosts, the pseudo-tunnel header is used to indicate the IPv4 entry address of the IPv6 network where the target host is located and necessary control information, and the dual-stack host sends a pseudo-tunnel header. And the destination address of the IPv4 UDP message encapsulated with IPv6 message is the IPv4 address of the tunnel server. The IPv4 ingress address of the host is used as the source and destination addresses to re-encapsulate an IPv4 packet and forward it outward; otherwise, the IPv6 packets sent by other IPv6 hosts to this dual-stack host will also be encapsulated and sent to the tunnel server. The destination IPv6 address matches the mapping table to find the public IPv4 address of the dual-stack host after NAT mapping, and then re-encapsulates an IPv4 address with the IPv4 address of the tunnel server and the public IPv4 address of the dual-stack host after NAT mapping as the source and destination addresses respectively. UDP packets, and then forwarded outward. 2. the method for traversing NAT according to claim 1, is characterized in that, the pseudo-tunnel header defined in the load part of UDP message, is used for specifying the IPv4 entry address of destination node place IPv6 network and necessary Control information, which can be used for transmission performance optimization, network security, and network control and management. 3. The method for penetrating NAT according to claim 1, characterized in that, the method utilizes a tunnel server to establish a double tunnel, which can penetrate all types of NAT, and is compatible with existing network systems, without requiring Routing equipment is upgraded. 4. The method for traversing NAT according to claim 1, wherein a public address server is provided for registering and querying all IPv6 network addresses and their corresponding IPv4 entry addresses, so as to ensure that all The packets of the IPv6 network will be sent to the IPv4 entry address after encapsulation, which not only facilitates the centralized query and management of addresses, but also effectively improves the efficiency of packet transmission, and can also be well integrated with other DNS network services . 5. the method for penetrating NAT according to claim 1, is characterized in that, the IPv6/IPv4 dual-stack host computer that is positioned at IPv4NAT back can use the arbitrary IPv6 address independent of IPv4 address, after this address is registered on public address server , to receive the connection first initiated by other IPv6 nodes. 6. the method for penetrating NAT according to claim 1, is characterized in that, the IPv6/IPv4 dual-stack host computer that is positioned at IPv4 NAT back not only can establish connection with general IPv6 node, also can be positioned at other behind IPv4 NAT An IPv6/IPv4 dual-stack host establishes a connection.