Peer-to-Peer (P2P) communication across middleboxes (Terminology)


** 2. Terminology **

In this section we first summarize some middlebox terms. We focus here on the two kinds of middleboxes that commonly cause problems for P2P applications.

** Firewall **

A firewall restricts communication between a private internal network and the public Internet, typically by dropping packets that are deemed unauthorized. A firewall examines but does not modify the IP address and TCP/UDP port information in packets crossing the boundary.

** Network Address Translator (NAT) **

A network address translator not only examines but also modifies the header information in packets flowing across the boundary, allowing many hosts behind the NAT to share the use of a smaller number of public IP addresses (often one). Network address translators in turn have two main varieties:

** Basic NAT **

A Basic NAT maps an internal host's private IP address to a public IP address without changing the TCP/UDP port numbers in packets crossing the boundary. Basic NAT is generally only useful when the NAT has a pool of public IP addresses from which to make address bindings on behalf of internal hosts.

(Translator's note: in practice only the IP address is translated, 192.168.0.23 <-> 210.42.106.35. This is still different from assigning the public IP address to the host directly, especially for an enterprise: all external traffic must pass through a single firewall before reaching the inside, yet internal hosts can nonetheless be reached at a public IP address.)

** Network Address/Port Translator (NAPT) **

By far the most common, a Network Address/Port Translator examines and modifies both the IP address and the TCP/UDP port number fields of packets crossing the boundary, allowing multiple internal hosts to share a single public IP address simultaneously.

Refer to [NAT-TRAD] and [NAT-TERM] for more general information on NAT taxonomy and terminology. Additional terms that further classify NAPT are defined in more recent work [STUN]. When an internal host opens an outgoing TCP or UDP session through a network address/port translator, the NAPT assigns the session a public IP address and port number so that subsequent response packets from the external endpoint can be received by the NAPT, translated, and forwarded to the internal host. The effect is that the NAPT establishes a port binding between (private IP address, private port number) and (public IP address, public port number).

The port binding defines the address translation the NAPT will perform for the duration of the session. An issue of relevance to P2P applications is how the NAT behaves when an internal host initiates multiple simultaneous sessions from a single (private IP, private port) pair to multiple distinct endpoints on the external network.

** Cone NAT **

After establishing a port binding between a (private IP, private port) tuple and a (public IP, public port) tuple, a cone NAT will re-use this port binding for subsequent sessions the application may initiate from the same private IP address and port number, for as long as at least one session using the port binding remains active.

(Translator's note: why "cone"? In the figure, the client and the external servers all pass their traffic through the single address pair the NAT has bound, like a funnel that filters and relays packets.)

For example, suppose Client A in the diagram below initiates two simultaneous outgoing sessions through a cone NAT, from the same internal endpoint (10.0.0.1:1234) to two different external servers, S1 and S2. The cone NAT assigns just one public endpoint tuple, 155.99.25.11:62000, to both of these sessions, ensuring that the "identity" of the client's port is maintained across address translation. Since Basic NATs and firewalls do not modify port numbers as packets flow across the middlebox, these types of middleboxes can be viewed as a degenerate form of Cone NAT.

(Translator's note: that is, all of the client's sessions appear from this one public port.)

** Symmetric NAT **

A symmetric NAT, in contrast, does not maintain a consistent port binding between (private IP, private port) and (public IP, public port) across all sessions.

Instead, it assigns a new public port to each new session. For example, suppose Client A initiates two outgoing sessions from the same port as above, one with S1 and one with S2. A symmetric NAT might allocate the public endpoint 155.99.25.11:62000 to session 1, and then allocate a different public endpoint 155.99.25.11:62001, when the application initiates session 2. The NAT is able to differentiate between the two sessions for translation purposes because the external endpoints involved in the sessions (those of S1 and S2) differ, even as the endpoint identity of the client application is lost across the address translation boundary.

The issue of cone versus symmetric NAT behavior applies equally to TCP and UDP traffic. Cone NAT is further classified according to how liberally the NAT accepts incoming traffic directed to an already-established (public IP, public port) pair. This classification generally applies only to UDP traffic, since NATs and firewalls reject incoming TCP connection attempts unconditionally unless specifically configured to do otherwise.

** Full Cone NAT **

After establishing a public/private port binding for a new outgoing session, a full cone NAT will subsequently accept incoming traffic to the corresponding public port from ANY external endpoint on the public network. Full cone NAT is also sometimes called "promiscuous" NAT.

** Restricted Cone NAT **

A restricted cone NAT only forwards an incoming packet directed to a public port if its external (source) IP address matches the address of a node to which the internal host has previously sent one or more outgoing packets. A restricted cone NAT effectively refines the firewall principle of rejecting unsolicited incoming traffic, by restricting incoming traffic to a set of "known" external IP addresses.

** Port-Restricted Cone NAT **

A port-restricted cone NAT, in turn, only forwards an incoming packet if its external IP address AND port number match those of an external endpoint to which the internal host has previously sent outgoing packets. A port-restricted cone NAT provides internal nodes the same level of protection against unsolicited incoming traffic that a symmetric NAT does, while maintaining a private port's identity across translation.
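The mapping behaviour (cone versus symmetric) and the three inbound filtering rules above, as an added Python model that is not part of the original draft or of this page: a toy NAPT whose mapping policy is either cone (one public port per private endpoint, reused for every destination) or symmetric (a fresh public port for each private/external endpoint pair), and whose inbound filtering is full, restricted or port-restricted. Client A's private endpoint, the public address and the starting port 62000 follow the text; the server addresses S1, S2 and S3, the class and the helper functions are constructed for this example.

```python
"""Toy NAPT model (added example, not from the draft): mapping behaviour
cone vs symmetric, and inbound filtering full / restricted / port-restricted."""
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP/UDP port)

# Client A and the public side follow the text; S1, S2 and S3 are constructed
# example addresses (documentation ranges), not the draft's figure.
CLIENT_A: Endpoint = ("10.0.0.1", 1234)
PUBLIC_IP = "155.99.25.11"
S1: Endpoint = ("198.51.100.10", 5000)
S2: Endpoint = ("203.0.113.20", 5000)
S3: Endpoint = ("192.0.2.30", 5000)  # a host A never sends to


class NAPT:
    """mapping: 'cone' keys bindings on the private endpoint only, so one public
    port is reused for every destination; 'symmetric' keys on the (private,
    external) endpoint pair, so each new destination gets a new public port.
    filtering: 'full' accepts inbound from anyone, 'restricted' only from an IP
    the private host has sent to, 'port-restricted' only from an exact (IP, port)."""

    def __init__(self, public_ip: str, mapping: str, filtering: str,
                 first_port: int = 62000) -> None:
        if mapping not in ("cone", "symmetric"):
            raise ValueError(mapping)
        if filtering not in ("full", "restricted", "port-restricted"):
            raise ValueError(filtering)
        self.public_ip = public_ip
        self.mapping = mapping
        self.filtering = filtering
        self.next_port = first_port
        self.bindings: Dict[object, int] = {}      # binding key -> public port
        self.owner: Dict[int, Endpoint] = {}       # public port -> private endpoint
        self.peers: Dict[int, Set[Endpoint]] = {}  # public port -> external endpoints sent to

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing packet; returns the public endpoint it leaves with."""
        key = src if self.mapping == "cone" else (src, dst)
        port = self.bindings.get(key)
        if port is None:  # first packet of a new binding: allocate a public port
            port = self.next_port
            self.next_port += 1
            self.bindings[key] = port
            self.owner[port] = src
            self.peers[port] = set()
        self.peers[port].add(dst)  # remember whom this binding has talked to
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Filter an incoming packet; returns the private endpoint it is forwarded
        to, or None if the NAT drops it."""
        peers = self.peers.get(public_port)
        if peers is None:
            return None  # no binding on this port: unsolicited, dropped
        if self.filtering == "full":
            allowed = True
        elif self.filtering == "restricted":
            allowed = any(ip == src[0] for ip, _ in peers)
        else:  # port-restricted: exact (IP, port) must have been sent to
            allowed = src in peers
        return self.owner[public_port] if allowed else None


def mapping_demo(mapping: str) -> Tuple[int, int]:
    """Public ports A's two simultaneous sessions (to S1, then S2) receive."""
    nat = NAPT(PUBLIC_IP, mapping, "port-restricted")
    return nat.outbound(CLIENT_A, S1)[1], nat.outbound(CLIENT_A, S2)[1]


def filtering_demo(filtering: str) -> Dict[str, bool]:
    """After A talks to S1 through a cone NAT, which inbound sources reach A?"""
    nat = NAPT(PUBLIC_IP, "cone", filtering)
    _, port = nat.outbound(CLIENT_A, S1)
    probes = {"S1 exact": S1, "S1 other port": (S1[0], 6000), "S3 unknown": S3}
    return {name: nat.inbound(ep, port) is not None for name, ep in probes.items()}


def symmetric_demo() -> Tuple[bool, bool]:
    """Symmetric NAT: S2's reply is only forwarded to the port bound for S2."""
    nat = NAPT(PUBLIC_IP, "symmetric", "port-restricted")
    p1 = nat.outbound(CLIENT_A, S1)[1]
    p2 = nat.outbound(CLIENT_A, S2)[1]
    return nat.inbound(S2, p1) is not None, nat.inbound(S2, p2) is not None


if __name__ == "__main__":
    print("cone mapping:", mapping_demo("cone"))
    print("symmetric mapping:", mapping_demo("symmetric"))
    for f in ("full", "restricted", "port-restricted"):
        print(f, filtering_demo(f))
    print("symmetric filtering:", symmetric_demo())
```

Running it reproduces the text's claims: the cone NAT hands both of A's sessions port 62000 while the symmetric NAT hands out 62000 and then 62001; only the full cone NAT forwards a packet from S3, which A never contacted; the restricted cone NAT forwards from S1's address on any port, the port-restricted one only from S1's exact endpoint; and the symmetric NAT, keyed per destination, drops S2's packet sent to the port bound for S1. Binding timeouts, the pool of public addresses a Basic NAT draws from, and TCP state are deliberately left out of the model.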

Finally, in this document we define new terms for classifying the P2P-relevant behavior of middleboxes:

** P2P-Application **

P2P-application as used in this document is an application in which each P2P participant registers with a public registration server, and subsequently uses either its private endpoint, or public endpoint, or both, to establish peering sessions.

** P2P-Middlebox **

A P2P-Middlebox is a middlebox that permits the traversal of P2P applications.