TWI600298B - Methods for nat (network address translation) traversal and systems using the same - Google Patents
- Publication number
- TWI600298B
- Authority
- TW
- Taiwan
- Prior art keywords
- node
- network address
- router
- address translation
- packet
- Prior art date
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Description
The present invention relates to network address translation (NAT) technology, and more particularly to a NAT traversal method and a system using the same.
NAT (Network Address Translation) traversal, also called hole punching, is a computer-networking technique for establishing a connection between two devices that do not know each other's address because each sits behind a NAT. To implement NAT traversal, the system needs an intermediate server that exchanges the external addresses of the devices behind the NATs, such as a STUN (Session Traversal Utilities for NAT) server or an ICE (Interactive Connectivity Establishment) server. The intermediate server's workflow is simple: it records a client's external address when the client connects to it. When another client (client B) wishes to connect to client A behind a NAT, client B sends a punch request to the intermediate server, which then assists in exchanging external addresses between client A and client B so that the two can start the hole-punching procedure. The effectiveness of this approach depends on how current NATs operate, and it has the following drawbacks. First, to keep the entry for the client-to-intermediate-server connection alive in the NAT session table, the client must periodically send packets to the intermediate server, which places a heavy load on the intermediate server. Second, because exchanging information between the intermediate servers in a cluster is difficult, the cluster cannot freely add new intermediate servers or remove existing ones. Therefore, a NAT traversal method and a system using the same are needed to overcome these drawbacks.
An embodiment of the invention provides a NAT traversal method, executed by a processing unit of a node, comprising the following steps. The processing unit sends an initial packet, containing the node's identification information, to an intermediate server via a router. The processing unit then periodically sends packets to a black hole via the router, so that the router maintains session information for the flow between the node and the black hole.
An embodiment of the invention provides a NAT traversal method, executed by a processing unit of an intermediate server, comprising the following steps. A punch request containing the identification information of a second node is received from a first node. An error packet is forged as if exchanged between the black hole and the second node and is sent to the second node; the data segment of the error packet carries the external address of the first node.
An embodiment of the invention provides a NAT traversal system including a node. The node sends an initial packet, containing the node's identification information, to an intermediate server via a router. The node further determines the NAT type of the router and, if the NAT type is not symmetric NAT, periodically sends packets to a black hole via the router so that the router maintains session information for the flow between the node and the black hole.
100‧‧‧Network
110‧‧‧Router
111‧‧‧Network attached storage (NAS) system
130‧‧‧Router
131‧‧‧Mobile phone
133‧‧‧Tablet computer
135‧‧‧Personal computer
150_1, ..., 150_n‧‧‧Intermediate servers
210‧‧‧Processing unit
220‧‧‧Display device
230‧‧‧Input device
240‧‧‧Storage unit
250‧‧‧Memory
260‧‧‧Network interface card
261‧‧‧I/O ports
263_1, ..., 263_n‧‧‧Transmit/receive queues
310‧‧‧Processing unit
340‧‧‧Storage device
350‧‧‧Memory
360‧‧‧Communication interface
410‧‧‧Processing unit
420‧‧‧Display unit
430‧‧‧Input device
440‧‧‧Storage unit
450‧‧‧Memory
460‧‧‧Communication interface
(1), ..., (6)‧‧‧Steps
500‧‧‧Black hole
S710~S770‧‧‧Method steps
Fig. 1 is a network architecture diagram of a NAT traversal system according to an embodiment of the invention.
Fig. 2 is a system architecture diagram of a router according to an embodiment of the invention.
Fig. 3 is a system architecture diagram of a network attached storage system according to an embodiment of the invention.
Fig. 4 is a system architecture diagram of a client according to an embodiment of the invention.
Figs. 5A to 5C are schematic diagrams of NAT traversal according to an embodiment of the invention.
Fig. 6 is a message flow diagram of NAT traversal according to an embodiment of the invention.
Fig. 7 is a flowchart of a method for periodically sending packets outward according to an embodiment of the invention.
The following description sets out the preferred mode of carrying out the invention. It is intended to describe the basic spirit of the invention, not to limit it. The actual scope of the invention must be determined by reference to the claims that follow.
It must be understood that the words "comprising", "including" and the like used in this specification indicate the presence of specific technical features, values, method steps, operations, elements and/or components, but do not exclude the addition of further technical features, values, method steps, operations, elements, components, or any combination of the above.
Words such as "first", "second" and "third" are used in the claims to modify claim elements; they do not indicate a priority order, a precedence relationship, that one element precedes another, or a chronological order in which method steps are performed. They serve only to distinguish elements with the same name.
Fig. 1 is a network architecture diagram of a NAT traversal system according to an embodiment of the invention, including two routers 110 and 130. Each of routers 110 and 130 forwards network packets between computer networks. A network packet is typically forwarded from one router to the next through network 100 until it reaches the destination node, the routers together forming an internetwork. A router is connected to two different networks through two data lines. When a packet arrives from one data line, the router reads the address information in the packet and determines its final destination, then uses the information in its stored routing table or routing policy to forward the packet to the next network. Either of routers 110 and 130 may be a home or small-office router that carries data such as web pages, e-mail, instant messages, audio streams and video streams between the connected devices and network 100. Each of routers 110 and 130 implements network address translation, which maps multiple internal devices to one public Internet Protocol (IP) address. In a common configuration, a local area network (LAN) uses one of the designated private IP address subnets. The router on the LAN has an internal address in that address space and an external address, assigned by the ISP, for connecting to network 100. When a network packet passes from the LAN to network 100, the source address of each packet is rewritten from the internal address to the external address. The router keeps track of basic data about each active connection (in particular the destination address and port number). When a reply comes back to the router, the router uses the connection-tracking data stored during the outbound phase to decide which internal address on the LAN the reply should be forwarded to.
A network attached storage (NAS) system 111 is connected to router 110 over a LAN and provides data access services to heterogeneous clients, such as mobile phone 131, tablet computer 133 and personal computer 135. NAS system 111 contains one or more storage devices, usually organized as a redundant array of independent disks (RAID). Mobile phone 131, tablet computer 133 and personal computer 135 are connected to router 130 over a LAN. Although the embodiments describe NAS system 111 as an example, the invention can also be implemented in other clients, such as a smart TV, a video surveillance system or a video player. Intermediate servers 150_1 to 150_n form a cluster that stores the identification information and external addresses of clients such as mobile phone 131, tablet computer 133, personal computer 135 and NAS system 111. A client may ask any of intermediate servers 150_1 to 150_n for the external address of another client.
Fig. 2 is a system architecture diagram of a router according to an embodiment of the invention. This architecture may be implemented in either of routers 110 and 130. The router is configured to receive network packets and to determine the final output node through which each packet leaves the router. Processing unit 210 may be implemented in many ways, for example as a dedicated hardware circuit or as general-purpose hardware (e.g. a single processor, a multiprocessor with parallel processing capability, a graphics processor or another processor with computing capability) that provides the functions described below when executing program code or software. The architecture further includes memory 250 for storing data needed during execution, such as variables, data tables and data structures, and storage unit 240 for storing data. Input device 230 may include buttons, a keyboard, a mouse, a touch panel and so on. A user may press a button to generate a control signal, press hard keys on the keyboard to input characters, operate the mouse to control the pointer, or make gestures on the touch panel to control a running application. Gestures may include, but are not limited to, a tap, a double tap, a single-finger drag and a multi-finger drag. Display unit 220 may include a display panel (e.g. a thin-film-transistor LCD panel, an OLED panel or another panel capable of display) for showing the user input characters, digits and symbols, the pointer's movement track, drawn patterns, or screens provided by applications. Network adapter 260 may be configured for Ethernet communication and is capable of using Transmission Control Protocol/Internet Protocol (TCP/IP), User Datagram Protocol (UDP) and/or other protocols. Network adapter 260 includes multiple ports 261, each configured as an internal port or an external port, and may include multiple transmit/receive (Tx/Rx) queues 263_1 to 263_n for buffering network data to be transmitted and/or already received.
Fig. 3 is a system architecture diagram of the network attached storage system according to an embodiment of the invention. Processing unit 310 may be implemented in many ways, for example as a dedicated hardware circuit or as general-purpose hardware (e.g. a single processor, a multiprocessor with parallel processing capability, a graphics processor or another processor with computing capability) that provides the functions described below when executing program code or software. The architecture further includes memory 350 for storing data needed during execution, such as variables and data tables. Storage device 340 may be organized as a RAID for storing all kinds of electronic files, such as web pages, documents, audio files and video files. The architecture further includes communication interface 360, through which processing unit 310 communicates with other electronic devices. Communication interface 360 may be a LAN communication module or a wireless LAN communication module.
Fig. 4 is a system architecture diagram of a client according to an embodiment of the invention. This architecture may be implemented in any of mobile phone 131, tablet computer 133, personal computer 135 and intermediate servers 150_1 to 150_n, or in another electronic device with computing capability. Processing unit 410 may be implemented in many ways, for example as a dedicated hardware circuit or as general-purpose hardware (e.g. a single processor, a multiprocessor with parallel processing capability, a graphics processor or another processor with computing capability) that provides the functions described below when executing program code or software. The architecture further includes memory 450 for storing data needed during execution, such as variables and data tables, and storage device 440 for storing all kinds of electronic files, such as web pages, documents, audio files and video files. The architecture further includes communication interface 460, through which processing unit 410 communicates with other electronic devices. Communication interface 460 may be a LAN communication module or a wireless LAN communication module. Input device 430 may include a keyboard, a mouse, a touch panel and so on. A user may press hard keys on the keyboard to input characters, operate the mouse to control the pointer, or make gestures on the touch panel to control a running application. Gestures may include, but are not limited to, a tap, a double tap, a single-finger drag and a multi-finger drag. Display unit 420 may include a display panel (e.g. a thin-film-transistor LCD panel, an OLED panel or another panel capable of display) for showing the user input characters, digits and symbols, the pointer's movement track, drawn patterns, or screens provided by applications.
The following scenario describes how one of mobile phone 131, tablet computer 133 and personal computer 135 behind router 130 (hereinafter node B) attempts to establish a connection with NAS system 111 behind router 110 (hereinafter node A). Figs. 5A to 5C are schematic diagrams of NAT traversal according to an embodiment of the invention, and Fig. 6 is the corresponding message flow diagram. The internal address of node A is 192.168.1.2:3456. Once it has booted, node A sends an initial packet containing node A's identification information to intermediate server 150_1 via router 110 (step 1). Note that because the initial packet must conform to TCP/IP, its header already carries node A's external address, so intermediate server 150_1 learns node A's external address, 60.251.87.147:6543, from the initial packet.
Router 110 performs NAT, which assigns node A's internal and external addresses. Intermediate server 150_1 receives the initial packet sent by node A and records node A's identification information and external address in its local database. Note that the database records of intermediate server 150_1 can be synchronized in real time to the other intermediate servers 150_2 to 150_n in the cluster (n being an integer greater than or equal to 2), so that intermediate servers 150_2 to 150_n are also able to serve node B's punch request. Next, because the time at which node B will try to connect cannot be predicted, node A periodically sends packets to a black hole 500 so that router 110 maintains session information for the flow between node A and the black hole (step 2). An example session information record (Table 1) is as follows:
Black hole 500 may be a device that never replies, or a network address to which no device is bound. The black hole's network address and port may be a preset address and port that intermediate server 150_1 assigns to node A when node A registers its identification information with it. In other embodiments, the initial packet may additionally carry the black hole's network address and port, and intermediate server 150_1 may record node A's identification information, external address, and the black hole's network address and port in its local database. Note that when router 110 forwards the initial packet to intermediate server 150_1 it also records session information for the flow between node A and intermediate server 150_1. Moreover, once router 110 receives no packet from node A within the specified time interval, the session information associated with node A is deleted and node B can no longer establish a connection to node A through router 110. In some other implementations node A could periodically send packets to intermediate server 150_1 instead; however, that would make intermediate server 150_1 spend unnecessary computing resources processing the packets sent by node A.
Referring to Fig. 5B, the internal address of node B is 192.168.6.5:4321. Because node B does not know node A's external address, node B sends a punch request containing node A's identification information to intermediate server 150_n via router 130 (step 3). Intermediate server 150_n learns node B's external address, 60.251.87.148:1234, from the header of the punch request packet. Router 130 performs NAT, which assigns node B's internal and external addresses. Intermediate server 150_n forges an ICMP (Internet Control Message Protocol) TTL (Time To Live) packet, i.e. an error packet, that appears to be exchanged between the black hole and node A, and sends it to node A via router 110; the payload of the ICMP TTL packet carries node B's external address, 60.251.87.148:1234 (step 4). Note that because router 110 holds session information for the flow between node A and black hole 500, as in the example in Table 1, the ICMP TTL packet is successfully forwarded to node A. By contrast, if intermediate server 150_n tried to send node A, via router 110, an ICMP TTL packet (i.e. an ICMP error packet) that appeared to originate from node B, router 110 might block it because no session information exists between node A and node B. Node B's internal and external addresses are assigned by router 130. In addition, intermediate server 150_n looks up node A's external address, 60.251.87.147:6543, in its local database using node A's identification information and returns node A's external address to node B (step 5).
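The step-4 packet, as an added example that is the editor's code and not part of the patent: it builds the ICMP Time Exceeded error exactly as it would appear on the public side (source = black hole, destination = node A's external address, quoting a UDP datagram from node A's external socket to the black hole, with node B's external address after the quoted UDP header), models what an RFC 5508-style NAT does when it forwards the error inward (rewriting the outer destination and the quoted inner source to node A's internal socket, a detail the page leaves at "the router forwards it"), and shows the check node A should make before trusting the address it finds inside: the quoted datagram must be its own flow to the black hole, the same match the NAT itself performs. The black hole address (198.51.100.7:40000) and the 4-byte IPv4 + 2-byte port encoding of node B's address are assumptions; the page gives neither.

```python
import socket
import struct

# Addresses taken from the scenario above. The black hole has no address on the
# page, so a documentation-range (TEST-NET-2) address and port are assumed here.
NODE_A_INT = ("192.168.1.2", 3456)
NODE_A_EXT = ("60.251.87.147", 6543)
NODE_B_EXT = ("60.251.87.148", 1234)
BLACK_HOLE = ("198.51.100.7", 40000)   # assumed

ICMP_TIME_EXCEEDED = 11
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Run over data that already carries a
    correct checksum it returns 0, which is how the parser verifies below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def forge_time_exceeded(black_hole, node_a_ext, node_b_ext) -> bytes:
    """Intermediate-server side (step 4): ICMP Time Exceeded (type 11, code 0) with
    the black hole as source, quoting a UDP datagram that node A's external socket
    sent to the black hole. Node B's address rides after the quoted UDP header; the
    4-byte IPv4 + 2-byte port encoding is an assumption, the page gives none."""
    peer = socket.inet_aton(node_b_ext[0]) + struct.pack("!H", node_b_ext[1])
    inner_udp = struct.pack("!HHHH", node_a_ext[1], black_hole[1], 8 + len(peer), 0) + peer
    inner_ip = ipv4_header(node_a_ext[0], black_hole[0], IPPROTO_UDP, len(inner_udp))
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + inner_ip + inner_udp
    icmp = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return ipv4_header(black_hole[0], node_a_ext[0], IPPROTO_ICMP, len(icmp)) + icmp


def nat_rewrite_inbound(packet: bytes, internal) -> bytes:
    """What an RFC 5508-style NAT does when it forwards the error inward (the page
    only says the router forwards it): rewrite the outer destination and the quoted
    inner source to node A's internal socket and recompute the three checksums."""
    ip = socket.inet_aton(internal[0])
    outer, icmp = bytearray(packet[:20]), bytearray(packet[20:])
    outer[16:20] = ip                                   # outer destination
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", checksum(bytes(outer)))
    icmp[20:24] = ip                                    # quoted inner IP source
    icmp[18:20] = b"\x00\x00"
    icmp[18:20] = struct.pack("!H", checksum(bytes(icmp[8:28])))
    icmp[28:30] = struct.pack("!H", internal[1])        # quoted UDP source port
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return bytes(outer) + bytes(icmp)


def parse_peer_from_time_exceeded(packet: bytes, black_hole, own_socket):
    """Node A side: accept only an ICMP Time Exceeded from the black hole whose
    quoted datagram is exactly own_socket -> black hole (the match the NAT also
    makes), then return the peer (ip, port) it carries; None for anything else."""
    if len(packet) < 20 or packet[9] != IPPROTO_ICMP:
        return None
    if socket.inet_ntoa(packet[12:16]) != black_hole[0] or socket.inet_ntoa(packet[16:20]) != own_socket[0]:
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 36 or checksum(icmp) != 0 or icmp[0] != ICMP_TIME_EXCEEDED or icmp[1] != 0:
        return None
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 8 or inner[9] != IPPROTO_UDP:
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    if (socket.inet_ntoa(inner[12:16]), sport) != own_socket:
        return None
    if (socket.inet_ntoa(inner[16:20]), dport) != black_hole:
        return None
    data = inner[ihl + 8:]
    if len(data) < 6:
        return None
    return socket.inet_ntoa(data[:4]), struct.unpack("!H", data[4:6])[0]


if __name__ == "__main__":
    wire = forge_time_exceeded(BLACK_HOLE, NODE_A_EXT, NODE_B_EXT)
    inside = nat_rewrite_inbound(wire, NODE_A_INT)
    print("public side:", parse_peer_from_time_exceeded(wire, BLACK_HOLE, NODE_A_EXT))
    print("behind NAT :", parse_peer_from_time_exceeded(inside, BLACK_HOLE, NODE_A_INT))
```

Because the NAT translates the quoted header, node A must compare against its internal socket (192.168.1.2:3456), not the external one the server saw; passing the wrong socket, a different quoted flow, a different black hole, or a packet with a damaged checksum all make the parser return None rather than a peer address.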
Referring to Fig. 5C, node B has obtained node A's external address 60.251.87.147:6543 from intermediate server 150_n, and node A has obtained node B's external address 60.251.87.148:1234 from the payload of the ICMP TTL packet. Both nodes now hold the other's external address, so the hole-punching process can be carried out between them (step 6). That is, node A sends a connection request to node B's external address 60.251.87.148:1234, and router 110 records session information for the flow between node A and node B; consequently, when node B sends a connection request to node A, router 110 forwards it to node A. Conversely, when node B sends a connection request to node A's external address 60.251.87.147:6543, router 130 records session information for the flow between node A and node B, so the data returned by node A is forwarded to node B by router 130. Since the hole-punching process is well known to those of ordinary skill in the art, it is not described further here. When hole punching is complete, node B can request services from node A, such as NAS data access.
However, a node behind a symmetric NAT cannot keep its session information alive by sending packets to the black hole. For example, when node A sends the initial packet to intermediate server 150_1, router 110 forwards it from port A1; but when node A periodically sends packets to black hole 500, router 110 forwards them from a different port A2. Intermediate server 150_n therefore cannot forge an ICMP TTL packet between black hole 500 and node A that router 110 will forward to node A. Fig. 7 is a flowchart of a method for periodically sending packets outward according to an embodiment of the invention. The flow is carried out by processing unit 410 of node A when it loads and executes specific program code. First, node A detects the NAT type of router 110 (step S710) and determines whether it is a symmetric NAT (step S730). In step S710, node A may send a request asking for the NAT type to router 110 through communication interface 460 and receive the reply. If the NAT is symmetric, node A periodically sends packets to intermediate server 150_1 so that router 110 maintains session information for the flow between node A and intermediate server 150_1 (step S770); otherwise, node A periodically sends packets to black hole 500 (step S750) so that router 110 maintains session information for the flow between node A and black hole 500.
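The session-keeping behaviour of step 2 and the symmetric-NAT failure that Fig. 7 works around, as an added example that is the editor's code and not part of the patent: a toy NAT session table in which a non-symmetric (cone) NAT reuses one external port for every destination while a symmetric NAT allocates a fresh one per (internal endpoint, destination), each session expiring after an idle timeout. The scenario sends the initial packet, runs keepalives to the chosen target, and then asks whether the NAT would deliver a forged error "from the black hole" quoting node A's server-facing external port (step 4) and whether the node-to-server session is still alive. Only the cone NAT with black-hole keepalives delivers the forged error; a symmetric NAT with the same keepalives delivers nothing and also lets the server session lapse, which is why step S770 keeps the server session instead. The server and black hole addresses, the 10 s keepalive interval and 30 s timeout are assumptions, and the NAT type is detected STUN-style by comparing the external ports seen by two servers rather than by querying the router as the page does.

```python
from dataclasses import dataclass, field

# Node A's internal address is on the page; the intermediate servers and the
# black hole have no addresses there, so documentation-range addresses are assumed.
NODE_A = ("192.168.1.2", 3456)
SERVER_1 = ("203.0.113.10", 3478)     # assumed: intermediate server 150_1
SERVER_N = ("203.0.113.20", 3478)     # assumed: intermediate server 150_n
BLACK_HOLE = ("198.51.100.7", 40000)  # assumed: black hole 500
NODE_A_EXTERNAL_IP = "60.251.87.147"
KEEPALIVE_INTERVAL = 10.0             # seconds, assumed
SESSION_TIMEOUT = 30.0                # seconds, assumed


@dataclass
class Mapping:
    ext_port: int
    dests: dict = field(default_factory=dict)   # destination -> time of last packet


class ToyNat:
    """Toy NAT session table. Non-symmetric (cone) NAT: one external port per
    internal endpoint, reused for every destination. Symmetric NAT: a fresh
    external port per (internal endpoint, destination). A destination's session
    expires once the node has sent nothing to it for `timeout` seconds."""

    def __init__(self, external_ip, symmetric, timeout=SESSION_TIMEOUT, first_port=6543):
        self.external_ip = external_ip
        self.symmetric = symmetric
        self.timeout = timeout
        self.next_port = first_port
        self.table = {}

    def _alive(self, mapping, now):
        return any(now - seen <= self.timeout for seen in mapping.dests.values())

    def outbound(self, now, internal, dest):
        """Translate an outgoing packet; returns the external (ip, port) it leaves on."""
        key = (internal, dest) if self.symmetric else internal
        mapping = self.table.get(key)
        if mapping is None or not self._alive(mapping, now):
            mapping = Mapping(self.next_port)
            self.next_port += 1
            self.table[key] = mapping
        mapping.dests[dest] = now
        return (self.external_ip, mapping.ext_port)

    def inbound(self, now, src, ext_port):
        """Deliver a packet from `src` to external port `ext_port`. An ICMP error is
        matched the same way, using its quoted inner datagram (ext_port -> src).
        Returns the internal endpoint, or None when no live session matches."""
        for key, mapping in self.table.items():
            seen = mapping.dests.get(src)
            if mapping.ext_port == ext_port and seen is not None and now - seen <= self.timeout:
                return key[0] if self.symmetric else key
        return None


def detect_symmetric(nat, now=0.0):
    """Steps S710/S730 done STUN-style (an assumption; the page queries the router):
    send to two servers and compare the external ports they observe. The first
    probe doubles as the initial packet to intermediate server 150_1 (step 1)."""
    port_1 = nat.outbound(now, NODE_A, SERVER_1)[1]
    port_n = nat.outbound(now, NODE_A, SERVER_N)[1]
    return port_1 != port_n


def choose_keepalive_target(symmetric):
    """Fig. 7 decision: symmetric NAT keeps the server session (S770),
    anything else keeps the black-hole session (S750)."""
    return SERVER_1 if symmetric else BLACK_HOLE


def run_scenario(symmetric, keepalive_target=None, duration=120.0):
    """Returns (forged_error_reaches_a, server_session_alive) after `duration` seconds."""
    nat = ToyNat(NODE_A_EXTERNAL_IP, symmetric)
    detected = detect_symmetric(nat)                     # also sends the initial packet
    a_ext_port = nat.outbound(0.0, NODE_A, SERVER_1)[1]  # the port the server recorded
    target = keepalive_target or choose_keepalive_target(detected)
    t = KEEPALIVE_INTERVAL
    while t <= duration:
        nat.outbound(t, NODE_A, target)                  # step 2 / S750 / S770
        t += KEEPALIVE_INTERVAL
    # step 4: server 150_n forges an error "from the black hole" whose quoted datagram
    # is a_ext_port -> black hole; the NAT delivers it only over a live matching session
    forged = nat.inbound(duration, BLACK_HOLE, a_ext_port) == NODE_A
    server_alive = nat.inbound(duration, SERVER_1, a_ext_port) == NODE_A
    return forged, server_alive


if __name__ == "__main__":
    print("cone NAT, Fig. 7 choice      :", run_scenario(symmetric=False))
    print("symmetric NAT, Fig. 7 choice :", run_scenario(symmetric=True))
    print("symmetric NAT, black hole    :", run_scenario(symmetric=True, keepalive_target=BLACK_HOLE))
```

The cone case models endpoint-independent mapping in RFC 4787 terms; the `src in dests` test in `inbound` is the address-restricted filtering that makes the black-hole keepalive necessary in the first place, since a flow to the black hole must exist for anything claiming to come from it to pass.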
Although Figs. 2 to 4 contain the elements described above, the use of further additional elements to achieve better technical effects is not excluded, provided the spirit of the invention is not violated. Furthermore, although the flowchart of Fig. 7 is executed in a specific order, those skilled in the art may, without departing from the spirit of the invention, change the order of these steps while achieving the same effect; the invention is therefore not limited to the order described above.
Although the invention has been described with reference to the above embodiments, it should be noted that these descriptions are not intended to limit the invention. On the contrary, the invention covers modifications and similar arrangements that are obvious to those skilled in the art. The scope of the claims must therefore be interpreted in the broadest manner to include all obvious modifications and similar arrangements.
110‧‧‧Router
111‧‧‧Node A
130‧‧‧Router
131, 133, 135‧‧‧Node B
150_1, 150_n‧‧‧Intermediate servers
500‧‧‧Black hole
Claims (11)
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610239862.9A CN106550058A (en) | 2015-09-17 | 2016-04-18 | Network address translation penetration method and system using same |
| US15/240,376 US10313302B2 (en) | 2015-09-17 | 2016-08-18 | Methods for NAT (network address translation) traversal and systems using the same |
| EP16189250.0A EP3145163A1 (en) | 2015-09-17 | 2016-09-16 | Methods for nat (network address translation) traversal and systems using the same |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US201562219786P | 2015-09-17 | 2015-09-17 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TW201713087A TW201713087A (en) | 2017-04-01 |
| TWI600298B true TWI600298B (en) | 2017-09-21 |
Family
ID=59256675
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW105108222A TWI600298B (en) | 2015-09-17 | 2016-03-17 | Methods for nat (network address translation) traversal and systems using the same |
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TWI600298B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113452805B (en) * | 2019-09-19 | 2022-06-07 | 华为技术有限公司 | NAT traversal method, equipment and system |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060215684A1 (en) * | 2005-03-08 | 2006-09-28 | Capone Jeffrey M | Protocol and system for firewall and NAT traversal for TCP connections |
| US20120131663A1 (en) * | 2010-11-18 | 2012-05-24 | Kirankumar Anchan | Transmitting keep-alive packets on behalf of a mobile communications device within a wireless communications system |
| US20130145044A1 (en) * | 2006-10-13 | 2013-06-06 | Cisco Technology, Inc. | Discovering Security Devices Located on a Call Path and Extending Bindings at those Discovered Security Devices |
| US8520687B2 (en) * | 2007-07-06 | 2013-08-27 | Alcatel Lucent | Method and apparatus for internet protocol multimedia bearer path optimization through a succession of border gateways |
| US8683019B1 (en) * | 2011-01-25 | 2014-03-25 | Sprint Communications Company L.P. | Enabling external access to a private-network host |
- 2016-03-17: TW TW105108222A patent/TWI600298B/en, not_active (IP Right Cessation)
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060215684A1 (en) * | 2005-03-08 | 2006-09-28 | Capone Jeffrey M | Protocol and system for firewall and NAT traversal for TCP connections |
| US20130145044A1 (en) * | 2006-10-13 | 2013-06-06 | Cisco Technology, Inc. | Discovering Security Devices Located on a Call Path and Extending Bindings at those Discovered Security Devices |
| US8520687B2 (en) * | 2007-07-06 | 2013-08-27 | Alcatel Lucent | Method and apparatus for internet protocol multimedia bearer path optimization through a succession of border gateways |
| US20120131663A1 (en) * | 2010-11-18 | 2012-05-24 | Kirankumar Anchan | Transmitting keep-alive packets on behalf of a mobile communications device within a wireless communications system |
| US8683019B1 (en) * | 2011-01-25 | 2014-03-25 | Sprint Communications Company L.P. | Enabling external access to a private-network host |
Non-Patent Citations (1)
| Title |
|---|
| M. Perumal, et al., "STUN Usage for Consent Freshness", draft-ietf-rtcweb-stun-consent-freshness-05, July 4, 2014. * |
| J. Rosenberg, et al., "Session Traversal Utilities for NAT (STUN)", Request for Comments: 5389, October 2008. * |
Also Published As
| Publication number | Publication date |
|---|---|
| TW201713087A (en) | 2017-04-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102984289B (en) | | Promote the method that penetrates of NAT and mobile device |
| JP4083737B2 (en) | | Peer-to-peer network communication by network address translation (NAT) |
| US9143421B2 (en) | | Network system capable of implementing stun with the assistance of two network devices and method thereof |
| US10313302B2 (en) | | Methods for NAT (network address translation) traversal and systems using the same |
| CN102420774B (en) | | Method for realizing intranet penetration by using Internet group management protocol (IGMP) and intranet penetration system |
| CN109729187B (en) | | Proxy communication method, system, device and storage medium |
| CN108632221B (en) | | Method, equipment and system for positioning controlled host in intranet |
| CN104506802A (en) | | Video monitoring system, and method for monitoring video data through traversing NAT (Network Address Translation) |
| CN114500527A (en) | | Out-of-band management system and method for edge device |
| CN114598532B (en) | | Connection establishment method, device, electronic device and storage medium |
| CN108173928A (en) | | Method, device, storage medium and terminal equipment for UDP data transmission |
| US20200127963A1 (en) | | Establishing connection between different overlay networks using edge application gateway |
| CN105979405A (en) | | Method and device for accessing video device |
| CN108833469A (en) | | A terminal-to-terminal resource transmission method, device and terminal equipment |
| CN114301872B (en) | | Domain name based access method and device, electronic equipment and storage medium |
| TWI600298B (en) | | Methods for nat (network address translation) traversal and systems using the same |
| CN101146130A (en) | | A method and system for transmitting data between clients |
| CN111711705A (en) | | Method and device for realizing network connection based on proxy node for bidirectional NAT |
| KR100597405B1 (en) | | Data relay system and data relay method using socket application program |
| US11716222B2 (en) | | Communications bridge |
| US20120047271A1 (en) | | Network address translation device and method of passing data packets through the network address translation device |
| CN108242982A (en) | | A kind of server dual-locomotive heat switching processing system |
| US20140219280A1 (en) | | Systems and Methods for Dual Network Address Translation |
| EP3494672B1 (en) | | Techniques for interconnection of controller-and protocol-based virtual networks |
| JP2013126219A (en) | | Transfer server and transfer program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | MM4A | Annulment or lapse of patent due to non-payment of fees | |