Monday, January 7, 2013

NAT -- STUN Test

Recently, because of a need at work, I took a rough look at NAT technology; this post records the process of experimenting with STUN.


STUN Introduction

STUN stands for Simple Traversal of UDP Through Network Address Translators. It uses a server on the Internet to help UAs behind a firewall learn their NAT-translated external address, and to help other parties' VoIP calls traverse the firewall and reach the UA inside. Many application-layer VoIP programs rely on each UA actively providing its own IP address and port number, so that the UAs at both ends of the call know each other's IP address and port number and can send packets to each other to establish a two-way call. But if a UA sits behind a NAT, without outside help it cannot see its own NAT-translated external address, so it cannot provide this information and VoIP cannot work properly. For the underlying principles, see http://www.cs.nccu.edu.tw/~lien/Writing/NGN/firewall.htm


Many free STUN servers are available on the Internet, for example:
  • stun.stunprotocol.org
  • stun.fwdnet.net
  • stun.fwd.org (no DNS SRV record)
  • stun01.sipphone.com (no DNS SRV record)
  • stun.softjoys.com (no DNS SRV record)
  • stun.voipbuster.com (no DNS SRV record)
  • stun.voxgratia.org (no DNS SRV record)
  • stun.xten.com
  • stun1.noc.ams-ix.net (DNS SRV record on domain ams-ix.net not noc.ams-ix.net)





Test 1: Find Public IP

Step 1. Check the current network configuration. This machine has two network interfaces, 192.168.0.169 and 10.158.2.43.

Step 2. Use ministun to ask for the public IP address; here the IP turns out to be 60.251.30.66.

Step 3. Capture the Wireshark log and analyze it.
When a Binding Request is sent without any attributes, the STUN server replies with many attributes, the most basic of which is MAPPED-ADDRESS; from it we learn public IP address = 60.251.30.66 and port number = 46759.
 



Test 2: Find NAT type
This test sends several Binding Requests carrying the CHANGE-REQUEST attribute, set to each of the following combinations in turn, and judges which kind of NAT we are behind from the STUN replies.
  • Change IP: Not set, Change Port: Not set
  • Change IP: Set, Change Port: Not set
  • Change IP: Not set, Change Port: Set

The detection result can be interpreted from the Primary log line as follows:
  • "Open" = Open Internet
  • "Independent Mapping, Independent Filter" = Full Cone NAT
  • "Independent Mapping, Address Dependent Filter" = Restricted Cone NAT
  • "Independent Mapping, Port Dependent Filter" = Port Restricted Cone NAT
  • "Dependent Mapping" = Symmetric NAT
  • "Firewall" = Symmetric Firewall
  • "Blocked or could not reach STUN server" = UDP Blocked
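The following Python is an added example, not code from this post, ministun or stund. It builds RFC 3489 Binding Requests with the CHANGE-REQUEST flags used in Test 2, parses MAPPED-ADDRESS out of a Binding Response as in Test 1, and maps the test outcomes to the "Primary" wording in the list above. The Binding Response is constructed inline with the post's 60.251.30.66:46759 so that it runs offline; the function names and the StunResults fields are my own, chosen to mirror the stund log lines.

```python
import os
import socket
import struct
from dataclasses import dataclass

# RFC 3489 message and attribute types used by the tests in this post.
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_CHANGE_REQUEST = 0x0003
CHANGE_IP = 0x04    # CHANGE-REQUEST flag: answer from the alternate IP
CHANGE_PORT = 0x02  # CHANGE-REQUEST flag: answer from the alternate port


def build_binding_request(change_ip=False, change_port=False, txid=None):
    """RFC 3489 Binding Request: 20-byte header with a 16-byte transaction ID.
    No flags -> no attributes (Test 1); any flag -> CHANGE-REQUEST attribute (Test 2)."""
    txid = os.urandom(16) if txid is None else txid
    attrs = b""
    if change_ip or change_port:
        flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
        attrs = struct.pack("!HHI", ATTR_CHANGE_REQUEST, 4, flags)
    return struct.pack("!HH", BINDING_REQUEST, len(attrs)) + txid + attrs


def build_binding_response(txid, ip, port):
    """Constructed Binding Response carrying only an IPv4 MAPPED-ADDRESS (offline sample)."""
    value = struct.pack("!BBH", 0, 0x01, port) + socket.inet_aton(ip)
    attrs = struct.pack("!HH", ATTR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attrs)) + txid + attrs


def parse_stun(msg):
    """Return (message type, transaction ID, {attr type: value}); reject truncated input."""
    if len(msg) < 20:
        raise ValueError("short STUN header")
    msg_type, length = struct.unpack("!HH", msg[:4])
    body = msg[20:20 + length]
    if len(body) != length:
        raise ValueError("STUN body shorter than the header's length field")
    attrs, pos = {}, 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated STUN attribute")
        attrs[atype] = value
        pos += 4 + alen
    return msg_type, msg[4:20], attrs


def mapped_address(response, txid):
    """Extract (ip, port) from MAPPED-ADDRESS after checking type and transaction ID."""
    msg_type, resp_txid, attrs = parse_stun(response)
    if msg_type != BINDING_RESPONSE:
        raise ValueError("not a Binding Response: 0x%04x" % msg_type)
    if resp_txid != txid:
        # A reply whose ID we never sent is late, misrouted or forged: ignore it.
        raise ValueError("transaction ID mismatch")
    raw = attrs.get(ATTR_MAPPED_ADDRESS)
    if raw is None or len(raw) != 8 or raw[1] != 0x01:
        raise ValueError("MAPPED-ADDRESS missing or not IPv4")
    port = struct.unpack("!H", raw[2:4])[0]
    return socket.inet_ntoa(raw[4:8]), port


@dataclass
class StunResults:
    """Outcomes of the stund tests (field names are my own, matching the log lines)."""
    test_i: bool          # reply to the plain Binding Request
    test_ii: bool         # reply when the server is asked to change IP
    test_iii: bool        # reply when the server is asked to change port only
    is_nat: bool          # MAPPED-ADDRESS differs from the local address
    mapped_ip_same: bool  # the second server address reports the same mapping


def classify_nat(r):
    """Map test outcomes to the 'Primary' wording used in the stund logs."""
    if not r.test_i:
        return "Blocked or could not reach STUN server"
    if not r.is_nat:
        return "Open" if r.test_ii else "Firewall"
    if r.test_ii:
        return "Independent Mapping, Independent Filter"
    if not r.mapped_ip_same:
        return "Dependent Mapping"
    if r.test_iii:
        return "Independent Mapping, Address Dependent Filter"
    return "Independent Mapping, Port Dependent Filter"


if __name__ == "__main__":
    # Constructed exchange using the addresses seen in Test 1 of the post.
    txid = os.urandom(16)
    resp = build_binding_response(txid, "60.251.30.66", 46759)
    print(len(build_binding_request(txid=txid)), mapped_address(resp, txid))
    print(classify_nat(StunResults(True, True, True, True, True)))
```

To run it against a live server, send the bytes from build_binding_request over UDP to port 3478 of one of the servers listed above and pass the datagram you get back, together with the same transaction ID, to mapped_address; the transaction ID check is what stops a stale or spoofed datagram from being accepted as your public address. Servers that speak only RFC 5389 may answer with XOR-MAPPED-ADDRESS (type 0x0020) instead, which this example does not decode.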

Example logs from running the various NAT tests with stund:

1. Full Cone
Using Hinet ADSL through a Corega AP; in this setup a hairpin problem may occur.
test I = 1
test II = 1
test III = 1
test I(2) = 1
is nat = 1
mapped IP same = 1
hairpin = 1
preserver port = 0
Primary: Independent Mapping, Independent Filter, random port, will hairpin
Return value is 0x000002 
Using Chunghwa Telecom 3G, via iPhone hotspot sharing.
test I = 1
test II = 1
test III = 1
test I(2) = 1
is nat = 1
mapped IP same = 1
hairpin = 0
preserver port = 0
Primary: Independent Mapping, Independent Filter, random port, no hairpin
Return value is 0x000012

2. (Address) Restricted Cone NAT
test I = 1
test II = 0
test III = 1
test I(2) = 0
is nat  = 1
mapped IP same = 1
hairpin = 0
preserver port = 0
Primary: Independent Mapping, Address Dependent Filter, random port, no hairpin
Return value is 0x000014

3. Port Restricted Cone NAT
// Preserves Port 
test I = 1
test II = 0
test III = 0
test I(2) = 1
is nat  = 1
mapped IP same = 1
hairpin = 0
preserver port = 1
Primary: Independent Mapping, Port Dependent Filter, preserves ports, no hairpin
Return value is 0x000017
// Random Port
test I = 1
test II = 0
test III = 0
test I(2) = 1
is nat  = 1
mapped IP same = 1
hairpin = 0
preserver port = 0
Primary: Independent Mapping, Port Dependent Filter, random port, no hairpin
Return value is 0x000016

4. Symmetric NAT
test I = 1
test II = 0
test III = 0
test I(2) = 1
is nat  = 1
mapped IP same = 0
hairpin = 0
preserver port = 0
Primary: Dependent Mapping, random port, no hairpin
Return value is 0x000018



References
  • Ministun
    • http://code.google.com/p/ministun/source/browse/ministun.c
  • STUN Client and Server (stund)
    • http://sourceforge.net/projects/stun/
  • http://wiki.snom.com/Networking/NAT