
Part I: An overview of NAT (Network Address Translation)

I: What is NAT (Network Address Translation)?

NAT behaves like a router: it forwards packets between different network segments of a larger network. NAT translates (changes) one or both of the addresses inside a packet as the packet passes through a router or some other device. Usually NAT changes the addresses used inside a network (normally private addresses) into public addresses. NAT can also be regarded as a basic firewall. To do this work, NAT maintains a table with information about each packet sent through it. When a PC on the network connects to a website on the Internet, the source IP address in the header is changed and replaced with the public address configured on the NAT server; when a packet comes back, NAT uses the records it stored about the outgoing packets to change the destination IP address back to the address of the PC on the internal network and forwards it on. Through this mechanism the network administrator can filter packets sent to or from a particular IP address and allow or deny access to a specific port.
II: How does NAT work?

NAT uses its own IP address as the public IP for every client that has a private IP. When a client opens a connection or sends data to some computer on the Internet, the data is sent to the NAT device, which replaces the client's original IP address and sends the packet on with the NAT device's own IP address. The remote computer, or whichever computer on the Internet receives it, sends its reply back to the NAT computer, because as far as it can tell the NAT computer is the machine that sent the packets. NAT records, in a table, which computers sent packets out on each service port, and delivers the packets it receives back to the right client. NAT processes a packet travelling from inside a network to the outside as follows:

+> When NAT receives a packet on an inside interface that meets the NAT criteria, the router looks up the packet's outside address in the NAT table. In other words, the NAT process looks for a row in the NAT table whose outside local address equals the packet's destination address. If no match is found, the packet is discarded.

+> If a row is found in the NAT table (one in which the packet's destination address equals the outside local address), NAT replaces the destination address in the packet with the outside global address recorded in that row.

+> The NAT process then searches the NAT table for an inside local address equal to the packet's source address. If a row is found, NAT replaces the packet's source address with the inside global address. If no row is found, NAT creates a new row in the NAT table and inserts the new address into the packet.

NAT processes a packet travelling from the outside network into the inside network as follows:

+> When NAT receives a packet on an outside interface that meets the NAT criteria, the NAT process looks for a row in the NAT table whose inside global address equals the packet's destination address.

+> If no row is found in the NAT table, the packet is discarded. If a row is found, NAT replaces the destination address with the inside local address from the NAT table.

+> The router searches the NAT table for an outside global address equal to the packet's source address. If a row is found, NAT replaces the destination address with the outside local address from the NAT table. If NAT finds no row, it creates a new row in the NAT table and proceeds as in step 2.

NAT table mappings:

Private IP      Translated IP   Original Port   Translated Port
192.168.1.2     10.3.4.5        1025            2000
192.168.1.3     10.3.4.5        1026            2001
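The lookup-or-drop procedure described above and the table of mappings it produces, as an added example that is not part of the original article. The `NatTable` class and the outside addresses 93.184.216.34 and 198.51.100.7 are constructed for the demonstration; the inside hosts and translated address 10.3.4.5 are the ones in the table.

```python
"""Stateful NAT/PAT table as the article describes it (constructed example).

Outbound: look up (inside local address, port); if no row exists, create one with
the next free translated port, then rewrite the source.  Inbound: look up the
translated (inside global) address and port; drop the packet when no row
matches, otherwise rewrite the destination back to the inside host.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes = b""


@dataclass
class NatTable:
    inside_global: str              # the single public address (10.3.4.5 in the table)
    first_port: int = 2000          # first translated port handed out
    last_port: int = 65535
    outbound: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # inside local -> translated
    inbound: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # translated -> inside local

    def _free_port(self) -> int:
        for p in range(self.first_port, self.last_port + 1):
            if (self.inside_global, p) not in self.inbound:
                return p
        raise RuntimeError("no free translated port: table exhausted")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside.  Creates a row the first time (ip, port) is seen."""
        translated = self.outbound.get(pkt.src)
        if translated is None:
            translated = (self.inside_global, self._free_port())
            self.outbound[pkt.src] = translated
            self.inbound[translated] = pkt.src
        return Packet(src=translated, dst=pkt.dst, payload=pkt.payload)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside.  None means 'drop': with no matching row,
        unsolicited inbound traffic never reaches an inside host."""
        inside = self.inbound.get(pkt.dst)
        if inside is None:
            return None
        return Packet(src=pkt.src, dst=inside, payload=pkt.payload)

    def rows(self) -> List[Tuple[str, int, str, int]]:
        """The table in the same column order as the article's listing."""
        return sorted((ip, port, g_ip, g_port)
                      for (ip, port), (g_ip, g_port) in self.outbound.items())


def demo():
    nat = NatTable(inside_global="10.3.4.5", first_port=2000)
    web = ("93.184.216.34", 80)                      # constructed outside server
    out1 = nat.translate_outbound(Packet(("192.168.1.2", 1025), web))
    out2 = nat.translate_outbound(Packet(("192.168.1.3", 1026), web))
    # The reply to the first flow arrives at the translated port and is mapped home.
    reply = nat.translate_inbound(Packet(web, out1.src))
    # A packet for a translated port with no row is dropped.
    probe = nat.translate_inbound(Packet(("198.51.100.7", 4444), ("10.3.4.5", 2002)))
    return out1, out2, reply, probe, nat.rows()


if __name__ == "__main__":
    for row in demo()[4]:
        print("%-15s %-15s %-8d %d" % row)
```

The example keeps two dictionaries so that both directions are a single lookup; a real implementation would also expire idle rows, which the article takes up in Part III.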

III: What problems does NAT solve?

NAT was originally introduced to address the shortage of IPv4 addresses. NAT lets many machines on a LAN share one Internet connection (or a connection to another network) using a single IP address. NAT hides the IP addresses used inside the LAN. NAT lets the network administrator filter packets sent to or from a particular IP address and allow or deny access to a specific port.

IV: Basic concepts

1. Inside local address - the IP address assigned to a host on the inside network. This address is either configured as a parameter of the host's operating system or assigned automatically through a protocol such as DHCP. These addresses are not valid IP addresses allocated by the NIC (Network Information Center) or by an Internet service provider.

2. Inside global address - a valid address allocated by the NIC or by an intermediate service provider. This address represents one or more inside local IP addresses in communication with the outside network.

3. Outside local address - the IP address of a host on the outside network as seen by hosts on the inside network. An outside local address need not be a valid address on the IP network (it may be a private address).

4. Outside global address - the IP address assigned to a host on the outside network by that host's owner. This is a valid IP address on the Internet.

The four address types can be told apart as follows. A packet originating inside the local network has an inside local address as its source IP and an outside local address as its destination IP while it is still within the local network. When the same packet is forwarded out of the network (through NAT), its source IP address becomes the inside global address and its destination IP becomes the outside global address. Conversely, a packet originating on an outside network, while it is still on the outside network, has an outside global address as its source IP and an inside global address as its destination IP. When that packet is forwarded into the inside network (through NAT), its source address becomes the outside local address and its destination address becomes the inside local address.

Part II: NAT techniques

I: Static NAT

With static NAT, IP addresses are mapped to one another statically through configuration commands. In static NAT an inside local address is always mapped to the same inside global address and, where used, each outside local address is always mapped to the same outside global address. Static NAT does not save any real addresses. Although it does not conserve IP addresses, static NAT lets an inside server be reachable from the Internet, because the server always appears under the same real IP address. Static NAT is easy to implement, because the whole translation is a simple formula:

target address = new network address OR (source address AND (NOT netmask))

Example: one private address is mapped to one public address. For instance, a machine on the LAN with address 10.1.1.1 is translated to the public address 20.1.1.1 when its packets go out to the Internet.


Start with a packet sent from a PC on the left of the figure to a server on the right with address 170.1.1.1. The private source address 10.1.1.1 is translated to the real address 200.1.1.1. The client sends a packet with source address 10.1.1.1, but the NAT router changes the source address to 200.1.1.1. When the server receives a packet with source address 200.1.1.1 it believes it is talking to the machine 200.1.1.1, so it replies with a packet sent to destination 200.1.1.1. The router then translates the destination address 200.1.1.1 back to 10.1.1.1.

II: Dynamic NAT

With dynamic NAT the number of source IPs is not equal to the number of target IPs. The number of hosts that can share the connection is in general limited by the number of target IPs available. Dynamic NAT is more complex than static NAT, because it has to keep connection information and may even have to inspect the TCP information in the packet. Some people use it instead of static NAT for security reasons: an outsider cannot find out which IP is connected to a given host, because at the next moment the host may be using an entirely different IP. Connections from outside are possible only while the host still holds an IP in the dynamic NAT table, where the NAT router keeps the association between the inside IP (source IP) and the NAT-IP (target IP). Take a non-passive FTP session as an example. The server tries to set up a data channel, so when it sends an IP packet to the FTP client there must be an entry for that client in the NAT table. The client IP must still be associated with the same NAT-IP it had when the client opened the control channel, unless the FTP session has since timed out. To add a note on FTP: the protocol has two modes, passive and non-passive, and always uses two ports (control and data). In passive mode the connecting host receives the data port from the server; in non-passive (active) mode the connecting host specifies the data port and requests that the server use it for the data connection.
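The static NAT formula above, carried through the exchange between 10.1.1.1 and 170.1.1.1, as an added example that is not part of the original article. The `StaticNatRouter` class is constructed for the demonstration; the /8 netmask and the networks 10.0.0.0, 20.0.0.0 and 200.0.0.0 are assumptions that make the article's address pairs come out.

```python
"""Static NAT with the article's formula (constructed example):

    target address = new network address OR (source address AND (NOT netmask))

The host part is preserved and the network part is swapped.  The same formula
with the networks exchanged undoes the translation on the reply, so a 1:1
static mapping needs no per-connection state.
"""
import ipaddress
from typing import Tuple


def static_nat(addr: str, new_network: str, netmask: str) -> str:
    """Apply the formula to one IPv4 address."""
    a = int(ipaddress.IPv4Address(addr))
    net = int(ipaddress.IPv4Address(new_network))
    mask = int(ipaddress.IPv4Address(netmask))
    host_bits = a & (~mask & 0xFFFFFFFF)      # source AND (NOT netmask)
    return str(ipaddress.IPv4Address(net | host_bits))


class StaticNatRouter:
    """Maps an inside network onto an equally sized outside (public) network."""

    def __init__(self, inside_net: str, outside_net: str, netmask: str):
        self.inside_net = inside_net
        self.outside_net = outside_net
        self.mask = netmask

    def outbound(self, src: str, dst: str) -> Tuple[str, str]:
        # inside local -> inside global; the destination is left alone
        return static_nat(src, self.outside_net, self.mask), dst

    def inbound(self, src: str, dst: str) -> Tuple[str, str]:
        # inside global -> inside local on the reply's destination
        return src, static_nat(dst, self.inside_net, self.mask)


def exchange(client: str, server: str) -> Tuple[str, str, str, str]:
    """Client request and server reply through the router; returns the
    translated (src, dst) seen by the server and the (src, dst) delivered home."""
    router = StaticNatRouter("10.0.0.0", "200.0.0.0", "255.0.0.0")
    out_src, out_dst = router.outbound(client, server)
    # the server answers the address it saw
    in_src, in_dst = router.inbound(server, out_src)
    return out_src, out_dst, in_src, in_dst


if __name__ == "__main__":
    print(static_nat("10.1.1.1", "20.0.0.0", "255.0.0.0"))
    print(exchange("10.1.1.1", "170.1.1.1"))
```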

Whenever an outsider wants to connect to a given host inside the network at an arbitrary moment, there are only two cases:

+ The inside host has no entry in the NAT table, in which case the outsider gets a host unreachable, or it has an entry but the NAT-IP is unknown.

+ The IP of a connection is known because there is a connection from the inside host to the outside. However, this is only the NAT-IP, not the host's real IP, and the information is lost once the entry in the NAT router's table times out.

Example: a private address is mapped to a public address taken from a pool of public addresses. For instance, a LAN with the address range 10.1.1.1/8 is translated to a public address in the range 200.1.1.1 to 200.1.1.100 when packets go out to the Internet.
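The two cases above, and the pool example, as an added example that is not part of the original article: a dynamic NAT that hands out addresses from a pool, drops outbound packets when the pool is exhausted, and reclaims idle mappings after a timeout. The `DynamicNat` class, the 60-second timeout and the three-address pool (a shortened version of the article's 200.1.1.1 to 200.1.1.100) are constructed for the demonstration.

```python
"""Dynamic NAT with an address pool and idle-timeout reclamation (constructed example).

Inbound packets reach an inside host only while its mapping exists; once the
mapping times out the NAT-IP returns to the pool and may be handed to a
different host, so a late inbound packet for the old NAT-IP lands elsewhere.
"""
import ipaddress
from typing import Dict, List, Optional


class DynamicNat:
    def __init__(self, pool_first: str, pool_last: str, timeout: float):
        first = int(ipaddress.IPv4Address(pool_first))
        last = int(ipaddress.IPv4Address(pool_last))
        self.free: List[str] = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.timeout = timeout
        self.by_inside: Dict[str, str] = {}     # inside local -> NAT-IP
        self.by_global: Dict[str, str] = {}     # NAT-IP -> inside local
        self.last_seen: Dict[str, float] = {}   # inside local -> time of last packet

    def expire(self, now: float) -> List[str]:
        """Return idle mappings to the pool; the caller supplies the clock."""
        expired = [h for h, t in self.last_seen.items() if now - t > self.timeout]
        for host in expired:
            nat_ip = self.by_inside.pop(host)
            del self.by_global[nat_ip]
            del self.last_seen[host]
            self.free.append(nat_ip)
        return expired

    def outbound(self, inside_src: str, now: float) -> Optional[str]:
        """Translate the source address; None means the pool is exhausted
        and the packet is dropped."""
        self.expire(now)
        nat_ip = self.by_inside.get(inside_src)
        if nat_ip is None:
            if not self.free:
                return None
            nat_ip = self.free.pop(0)
            self.by_inside[inside_src] = nat_ip
            self.by_global[nat_ip] = inside_src
        self.last_seen[inside_src] = now
        return nat_ip

    def inbound(self, nat_ip_dst: str, now: float) -> Optional[str]:
        """Translate the destination of a packet from outside; None when the
        address is currently unmapped (host unreachable from the outside)."""
        self.expire(now)
        inside = self.by_global.get(nat_ip_dst)
        if inside is not None:
            self.last_seen[inside] = now
        return inside


def scenario():
    nat = DynamicNat("200.1.1.1", "200.1.1.3", timeout=60.0)   # small pool for the demo
    a = nat.outbound("10.1.1.1", now=0.0)
    b = nat.outbound("10.1.1.2", now=1.0)
    c = nat.outbound("10.1.1.3", now=2.0)
    exhausted = nat.outbound("10.1.1.4", now=3.0)     # pool empty -> dropped
    reach_a = nat.inbound(a, now=10.0)                 # mapping live -> 10.1.1.1
    # After the idle timeout every mapping is freed; the fourth host gets the first address...
    d = nat.outbound("10.1.1.4", now=80.0)
    # ...so a late inbound packet for the old NAT-IP now reaches a different host.
    stale = nat.inbound("200.1.1.1", now=81.0)
    return a, b, c, exhausted, reach_a, d, stale


if __name__ == "__main__":
    print(scenario())
```

Because the expiry and reuse are driven by an explicit `now` parameter, the timing hazard is reproducible; in production the clock would be the system time and the hazard is the reason timeouts have to be chosen with the address-reuse case in mind.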

III: NAT overloading (PAT)

This is used to map many private IP addresses to one public address, with each private address distinguished by its port number. Up to 65,356 inside addresses can be translated to a single public address, although in practice it is roughly 4000 ports. PAT works by making a number of TCP or UDP traffic flows from many inside hosts appear to come from one or a few inside global addresses. With PAT, instead of translating only IP addresses, NAT also translates port numbers when necessary. Because the port fields are 16 bits wide, each inside global address can support up to 65000 concurrent TCP and UDP connections. For example, in a network of 1000 machines, a single real IP address used as the only inside global address can handle an average of six data flows to and from each machine on the Internet. Example: PAT maps many private addresses to one public address and distinguishes the private addresses by port; for instance, IP address 10.1.1.1 is mapped to IP address 200.1.1.6:port_number.


* The relationship between NAT and PAT

PAT is so closely related to NAT that it is still commonly called NAT. In NAT, generally only the IP address is changed, and there is a 1:1 correspondence between private and public addresses. In PAT, both the sender's private address and its port are changed; the PAT device chooses the port number that hosts on the public network will see. In NAT, packets arriving from outside are routed to their destination IP address on the private network by referring to the incoming source address. In PAT, only a single public IP address is visible from outside, and packets arriving from the public network are routed to their destinations on the private network by referring to the table of private/public port pairs kept in the PAT device. This is usually called connection tracking. Some devices that are said to provide NAT, such as broadband routers, in fact provide PAT, which has caused considerable confusion between the terms. In general, "NAT" is used to include PAT devices as well.

IV: Masquerading (NAPT)

This is a special case of dynamic NAT, used in Linux. With NAPT many IP addresses are hidden behind a single address. It differs from dynamic NAT in that there is only one connection per IP at a time: in NAPT, many connections to the same IP are separated by TCP port. A particular problem with NAPT is that some services on a given host accept connections only from privileged ports, to make sure that the incoming connection does not come from an ordinary user; normally only the superuser can use those ports. Since on DOS or Windows anyone can use them, some programs cannot use an NAPT connection. NAPT normally uses ports in a high range. In Linux it starts at 61000 and ends at 61000+4096; this default can be changed. It also means the Linux NAPT implementation supports only 4096 concurrent NAPT connections. NAPT connections need to keep a good deal of information about connection state. For example, on Linux every packet whose destination IP is the local IP and whose destination port lies within the NAPT port range is treated as one that must be demasqueraded (reversed from its masqueraded form). In essence this is a change of the destination address and source address in the packet header. NAPT is therefore one-directional: incoming connections cannot be masqueraded. And even when a host has an entry in the NAT device's masquerading table, that entry is valid only while a connection is active. Even an ICMP reply related to the connection (host/port unreachable) has to be filtered and relayed by the NAT router. The greatest benefit of masquerading is that a whole network can connect directly to the Internet with only one allocated IP. Example:

- Masquerade the network 203.156.0.0, using NAT to the local IP.
- For every outgoing IP packet the source IP is replaced by the NAT router's IP, and the source port is changed to a port within the masquerading range.

V: Other NAT techniques

1. Virtual Server (load balancing)

The NAT router acts as a virtual server, and incoming connections are forwarded to two or more real servers. Which inside server a connection goes to depends on the algorithm that has been implemented. Example:

- Create a virtual server with IP 203.156.98.100.
- Use two hosts, 203.156.98.111 and 203.156.98.112, as the real servers behind the virtual server.
- A connection from outside is remapped by the NAT router to one of the two real servers.

- Load balancing

The algorithm decides which real server gets the connection. For example, it may check the load on the real servers by counting the packets per second passing through the NAT device to each real server and then pick the one that is performing best. This regulates traffic on the network and reduces the load on the servers. The number of possible algorithms is unbounded and they rest on different calculations, but all share the aim of reducing server load. "Load" is not a precise concept and has no single definition. For example, a daemon could run on each server and tell the NAT router about the load on that machine, so that new connections are remapped to the system where that number is lowest. That requires communication between the hosts (real servers) and the NAT router, so we should prefer information already available on the NAT router, such as the number of connections currently remapped to a host, or information that is not kept on the server but is easy to obtain, such as the bytes or packets per second a host is currently handling. The factors mentioned here are some of the things that decide whether the load is actually balanced; more precisely, we try to measure and compute the load on each host. There are a number of algorithms, for example ones based on the idea of Heisenberg's uncertainty principle, so we have to minimise the cost to a host of deciding its load and which host will be connected. Even if we assume we find an accurate and good method of deciding load, based on a definition of what load is, it is still not the best solution in practice, because the smallest quantity that can be physically measured is a single IP packet. We can only choose which host to send a connection to at the moment a new connection is opened, which is not truly optimal. Nevertheless, the methods above can be applied in practice to balance load, and there may well be a better way of calculating it that we have not found yet.

There are many approaches to the load-balancing problem, most of them at the application level. One example, described in RFC 1794, is to use DNS support for load balancing. That document covers using DNS to control machine load by returning the IP of the least busy machine when queried, since DNS queries are cached by successive DNS servers under tightly controlled limits. It works perfectly well when there are many queries, even when they come from many clients. However, even when the load balancing is working well, this approach does not help once a server fails; even when the IPs returned are spread across queries they are still cached, so when a server fails it may still be the one reported as performing best and the load-balancing scheme breaks down completely. A well-known caching program is Squid, which uses a sophisticated algorithm to find the best target. That solution is not quite the same as NAT, but its goal is the same. With NAT we can distribute load for large and varied services based on IP, while Squid serves a different purpose, so the comparison is not entirely fair; the author picks Squid as an example because its load balancing intelligently finds the optimal source for a piece of data.

- Backup systems

A virtual server can also be used to achieve the best possible service if the problem of an arbitrary real server failing, described above, is solved, because the services offered by the virtual server are available on any of the real servers. Suppose a real server fails with probability p; then the failure of a virtual server that uses NAT across real servers can be calculated as follows. Let

+ p1..pn be the probability of failure of server n out of N (N is the number of servers behind the virtual server)
+ pNAT be the probability of failure of the NAT router, independent of the other devices
+ pvirt be the probability that the virtual server fails when a real server fails

The formula is:

Pvirt = 1 - ((1 - [product of pi for i = 1..n]) x (1 - pNAT))

Of course, a system set up to use this formula for load balancing has to change the list of servers used by the NAT router as soon as a real server fails. This is not part of the NAT code, but it can be done well at a higher level, even from shell scripts. What matters is having a mechanism to remove the failed server from the virtual server table, so the table must be easy to change, with IPs that can be added or removed at run time. In this way we link two capabilities, load balancing and high availability, in a virtual server. It is completely transparent to all hosts, users and programs that use the virtual service.

2. Multiple routers per destination

We have seen above that NAT can distribute load across many hosts and achieve high availability. Can we use NAT to do the same for many networks? Yes, we can. Above we used a virtual server to stand in for many real servers. We can likewise create a virtual network made up of many real wires using the virtual server technique. How can we do this with NAT? Imagine we have two Internet providers; we choose two because we do not want to fail when one of them goes down. Every host that needs Internet access must have a unique IP, so we buy each host an IP from each of the two providers. Then we can use either of the two to send packets to the same place. If we now set up the system described above and distribute load by sending some hosts through provider 1 and others through provider 2, we get higher availability of the Internet connection. However, it is easy to see that load balancing is very hard to achieve when each host decides for itself how to send its packets; we have not said how a network would use one IP or the other. Here we again use a central authority to decide which host uses which provider, naturally through a special NAT router. Using NAT, our local machines need only one IP each. If we have a trusted provider we can use the IPs that provider supplies while still using our internal addresses on the network. Now, when a host inside the network wants to open a new connection to the Internet, it simply sends the packet to its default router (the NAT router) with its own IP as the source. Because the NAT router knows about all outgoing connections, it decides which provider to send the packet through for the best result. It replaces the source IP with an IP from the chosen provider and sends the packet to that provider's router. Since the source IP belongs to that provider, the rest of the packet's path is decided by the provider through its router. The sending host never knows which provider the NAT router chose, so the process is transparent. We can use the same algorithm as for the virtual server; the difference between the two applications is that here we intervene in routing.
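The virtual-server section above, as an added example that is not part of the original article: incoming connections for the virtual IP 203.156.98.100 are remapped to one of the real servers 203.156.98.111 and 203.156.98.112 using the "fewest connections currently remapped" rule the text suggests, a failed real server is removed from the table at run time, and the article's Pvirt formula is computed. The `VirtualServer` class, the client addresses 198.51.100.x and the failure probabilities passed to `p_virtual_failure` are constructed for the demonstration.

```python
"""Virtual server on a NAT router with run-time removal of real servers, plus
the article's availability formula (constructed example).
"""
from math import prod
from typing import Dict, List, Optional, Tuple

Client = Tuple[str, int]   # (client ip, client port)


class VirtualServer:
    def __init__(self, virtual_ip: str, real_servers: List[str]):
        self.virtual_ip = virtual_ip
        self.active: Dict[str, int] = {rs: 0 for rs in real_servers}  # real IP -> remapped connections
        self.table: Dict[Client, str] = {}                             # client -> real server

    def remove(self, real_ip: str) -> None:
        """Take a failed real server out of the table.  Its mappings are dropped,
        so the next packet from those clients is re-balanced onto a live server."""
        self.active.pop(real_ip, None)
        self.table = {c: rs for c, rs in self.table.items() if rs != real_ip}

    def add(self, real_ip: str) -> None:
        """Bring a (repaired or new) real server into the rotation."""
        self.active.setdefault(real_ip, 0)

    def remap(self, client: Client, dst_ip: str) -> Optional[str]:
        """Return the real server a packet for the virtual IP is forwarded to, or
        None when the packet is not for the virtual IP or no real server is up."""
        if dst_ip != self.virtual_ip or not self.active:
            return None
        target = self.table.get(client)
        if target is None:
            # least loaded server; ties broken by lowest IP so the choice is deterministic
            target = min(self.active, key=lambda rs: (self.active[rs], rs))
            self.table[client] = target
            self.active[target] += 1
        return target


def p_virtual_failure(p_real: List[float], p_nat: float) -> float:
    """Article's formula: Pvirt = 1 - ((1 - prod(p_i)) * (1 - pNAT)).
    The virtual service is down when every real server fails or the NAT router fails."""
    return 1 - ((1 - prod(p_real)) * (1 - p_nat))


def demo():
    vip = "203.156.98.100"
    vs = VirtualServer(vip, ["203.156.98.111", "203.156.98.112"])
    first = vs.remap(("198.51.100.10", 40000), vip)
    second = vs.remap(("198.51.100.11", 40001), vip)
    same_flow = vs.remap(("198.51.100.10", 40000), vip)   # existing mapping is kept
    vs.remove(first)                                      # the first real server fails
    failover = vs.remap(("198.51.100.10", 40000), vip)    # client is re-balanced
    return first, second, same_flow, failover


if __name__ == "__main__":
    print(demo())
    print(p_virtual_failure([0.1, 0.1], 0.01))
```

With two real servers that each fail with probability 0.1 and a NAT router that fails with probability 0.01, the formula gives Pvirt = 1 - (0.99 x 0.99) = 0.0199: the NAT router, being a single point, dominates the result, which is the motivation for the "multiple routers" section that follows.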
Part III: Problems NAT has to solve

I: Keeping state

Apart from static NAT, every variant requires us to store and manage dynamic information about the clients using the system as a router. This information must expire after a timeout so that the NAT-IP assigned to a host can be reused. The timeout is also one reason the TCP header information is needed: the timeout can be short for a TCP connection that has just been closed, and longer for one that is still established. For example, telnet sessions can often hang for a long time without exchanging any packets. In that case, if we have enough NAT-IPs we need not break the connection, but if many new connections are requested and more NAT-IPs are needed, we let the telnet session die to reclaim its IP. The alternative is to keep no state information and simply look up the assigned IP (NAT-IP). That is simpler to implement and in many cases works fine for the solutions above. As long as there are always spare NAT-IPs we will not notice the difference between the two approaches, except in a telnet session or a related program such as ssh. Only when the NAT-IPs are few and insufficient do we need to keep state, and then we can recognise immediately and precisely that a connection has just closed and reclaim the allocated IP at once, without waiting for the timeout. Tracking the individual connections serves a security purpose when it is used by a firewall, which is not strictly NAT. In some cases a NAT that tracks only IP addresses is entirely ineffective: in the virtual server and virtual network applications, traffic generated by a single IP could not be split any further. When we ask NAT to track TCP/UDP ports as well, we can balance load and reduce traffic better by remapping connections to a suitable IP.

II: Fragmentation

Closely related to keeping state about TCP, and possibly UDP, is the problem of IP fragments. It decides whether we can change not only the IP address but also the TCP/UDP port. A telnet packet can be treated differently from an HTTP packet; for example, a single virtual server or DNS name can be used for all services, mapped to the hosts that actually provide them, and many services may even be provided by a virtual host. A firewall that is an application-level gateway can do this, but such a gateway is almost never transparent. The problem is that as soon as a fragmented packet reaches the NAT router, only the first fragment, the one containing the TCP header, provides any port information. That is why we have to keep state about every fragment: we store everything in the first fragment, including its TCP/UDP ports, so that we know which ports the other fragments belong to. This method is often inadequate because the IP layer does not guarantee that packets arrive in sequence; for example, the third fragment of a fragmented packet may pass the NAT router before the first fragment that carries the port information. In that case we hold back the fragments that are not fragment 1 until fragment 1 arrives, so that we know whether the packet's information has to be changed. Changing the TCP/UDP port as well as the IP is not essential, but it is certainly useful. Suppose we use a virtual server and want to build a virtual web server whose real web server daemons run on different machines and, for whatever reason, listen on different ports. If we do not record the destination port in the packet (by default port 80 on the virtual server) and replace the destination port with the one the real web server listens on, and then undo that in the reply packet, we will not get what we want.
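The fragment-reordering case described above, as an added example that is not part of the original article: a PAT router that translates the source address and port, records the translation per datagram when the first fragment arrives, holds non-first fragments that overtake it, and releases them with the same rewrite. The `FragmentAwareNat` class, the simplified `Fragment` record and the datagram split into three pieces are constructed for the demonstration; offsets are in 8-byte units as in the IP header.

```python
"""IP fragment handling in a NAT/PAT router (constructed example).

Only the fragment with offset 0 carries the TCP/UDP header, so port translation
depends on it.  Fragments that arrive before it are queued under the datagram's
(src, dst, identification) key and released once the first fragment sets the
translation; later fragments of the same datagram are forwarded immediately.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FragKey = Tuple[str, str, int]   # (src ip, dst ip, IP identification)


@dataclass
class Fragment:
    src_ip: str
    dst_ip: str
    ip_id: int
    offset: int                  # fragment offset in 8-byte units
    more_fragments: bool
    src_port: Optional[int]      # present only when offset == 0
    dst_port: Optional[int]
    data: bytes


class FragmentAwareNat:
    def __init__(self, inside_global: str, first_port: int = 2000):
        self.inside_global = inside_global
        self.next_port = first_port
        self.port_map: Dict[Tuple[str, int], int] = {}     # (inside ip, port) -> translated port
        self.frag_state: Dict[FragKey, int] = {}           # datagram -> translated port
        self.pending: Dict[FragKey, List[Fragment]] = {}   # early fragments awaiting offset 0

    def _translated_port(self, src_ip: str, src_port: int) -> int:
        key = (src_ip, src_port)
        if key not in self.port_map:
            self.port_map[key] = self.next_port
            self.next_port += 1
        return self.port_map[key]

    def _rewrite(self, f: Fragment, tport: int) -> Fragment:
        # the port field exists only in the first fragment; the address in all of them
        return Fragment(self.inside_global, f.dst_ip, f.ip_id, f.offset, f.more_fragments,
                        tport if f.offset == 0 else None, f.dst_port, f.data)

    def outbound(self, f: Fragment) -> List[Fragment]:
        """Return the fragments that may be forwarded now (possibly none)."""
        key: FragKey = (f.src_ip, f.dst_ip, f.ip_id)
        if f.offset == 0:
            tport = self._translated_port(f.src_ip, f.src_port)
            self.frag_state[key] = tport
            out = [self._rewrite(f, tport)]
            # release any fragments that overtook the first one, in offset order
            for held in sorted(self.pending.pop(key, []), key=lambda h: h.offset):
                out.append(self._rewrite(held, tport))
            return out
        tport = self.frag_state.get(key)
        if tport is None:
            self.pending.setdefault(key, []).append(f)   # hold until offset 0 arrives
            return []
        return [self._rewrite(f, tport)]


def demo():
    nat = FragmentAwareNat("200.1.1.1")
    # constructed datagram from 10.1.1.1:40000 to 170.1.1.1:80 split in three;
    # the last fragment reaches the router first
    third = Fragment("10.1.1.1", "170.1.1.1", 0x1234, 370, False, None, None, b"C")
    second = Fragment("10.1.1.1", "170.1.1.1", 0x1234, 185, True, None, None, b"B")
    first = Fragment("10.1.1.1", "170.1.1.1", 0x1234, 0, True, 40000, 80, b"A")
    r1 = nat.outbound(third)     # held: no port information yet
    r2 = nat.outbound(first)     # released: first, then the held third
    r3 = nat.outbound(second)    # translation known, forwarded at once
    return r1, r2, r3


if __name__ == "__main__":
    for batch in demo():
        print([(f.src_ip, f.src_port, f.offset) for f in batch])
```

A production implementation would also bound the pending queue and age out held fragments whose first fragment never arrives; otherwise the queue itself becomes a resource-exhaustion point for the router.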

All real web servers must then listen on the same port as the one on which the virtual server offers the web service (port 80 by default). Note also that a TCP connection performs a three-way handshake, so if the reply packet does not carry the right port for the connection, the connection will not be established.

III: Protocol-specific handling

NAT is not always as transparent as stated; it is fully transparent only when IP is the protocol that carries the address information of a packet. Some protocols send IP addresses as part of the data they transmit. If such an address is changed by the NAT router, we run into trouble at the receiver: the IP that was transmitted cannot be correct. One remedy is to inspect the transmitted data, using knowledge of the protocol, to find the embedded address information. This only adds overhead and complexity.

* Some examples of protocols and how they behave with NAT

FTP: the FTP PORT command and the PASV response both send an IP and a port to the other end of the connection. For FTP to work over a translated connection we have to replace the IP in the message. This is complicated because the IP and port are transmitted as ASCII text representing decimal numbers, so each decimal digit is one byte in the packet. For this reason the IP does not have a fixed length in an FTP packet: if we replace the current IP with one that has fewer or more digits, the packet grows or shrinks, which forces us to adjust the TCP sequence numbers, so we must keep information about these connections in order to correct the sequence numbers in every following packet. This is not only a problem for FTP but for every protocol where changing the IP changes the packet length.

ICMP: some ICMP messages, depending on their type, include the header of the packet that caused them, which can cause problems. If that packet was translated, the embedded header contains the NAT-IP rather than the IP of the host that is to receive the ICMP message. Accordingly, if we do not replace the local IP but instead put the NAT-IP into the header, this is resolved.

DNS: the obvious problem here is a name service for an inside IP that is to be offered outside the NAT domain. One solution is to run two DNS services, one resolving inside IPs and another resolving IPs for the outside network. Naturally, the IPs resolved by the second DNS server must not be put into the dynamic address pool used by NAT. The NAT router usually sits on the boundary between the networks that separates the internal DNS from the external DNS, and is often extended for security reasons. If a more elaborate approach of rewriting all DNS data relayed by the NAT router is used, it is better done as an application-level gateway than inside the NAT implementation, because DNS fits the gateway level better and we should touch the kernel only where truly necessary (to build NAT).

BOOTP: this protocol has no problem with NAT, because it does not cross the boundary of a NAT domain.

Routing protocols (RIP, EGP): it hardly needs explaining why routing protocols run into a great many problems with NAT. There are many different routing protocols and working with them is not easy. There are three ways to deal with them:

- Do not use these protocols; use static routing only. This is a good choice for most connections from our network to the outside through a NAT router.
- Use an application-level gateway.
- Rewrite the packet information.

IV: Assorted applications affected by NAT

Some higher-layer protocols (such as FTP and SIP) send network-layer address information inside the application payload. FTP in active mode, for example, uses separate connections for control traffic (commands) and for data (file contents). When requesting a file transfer, the host making the request identifies the connection for the data exchange by its own layer 3 and layer 4 addresses. If the requesting host is behind a simple NAT firewall, the IP address or TCP port number it transmits will be invalid for the server that receives them. An application-layer gateway (ALG) can fix this: an ALG software module running on the NAT firewall device updates any payload data made invalid by the address translation. The ALG obviously has to understand the higher-layer protocol it is correcting, so each protocol with this problem requires its own part of the ALG.

Another solution is NAT traversal technology using protocols such as STUN or ICE, or proprietary approaches in a session border controller. NAT traversal can be based on either TCP or UDP, but the UDP-based techniques are simpler, more widely understood and more compatible with legacy NATs. In both cases the higher-layer protocol must be designed with NAT traversal in mind, and it does not work reliably across symmetric NATs or other poorly behaved legacy NATs. Another promising facility is UPnP (Universal Plug and Play) or Bonjour (NAT-PMP), but these require the cooperation of the NAT device.
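The FTP case described in both the protocol section and the ALG paragraph above, as an added example that is not part of the original article: an ALG that rewrites the ASCII address in a PORT command from 10.1.1.1 to 200.1.1.1, records how much longer the payload became, and applies that delta to the client's later sequence numbers and to the server's acknowledgement numbers. The `FtpAlgState` class, the 1:1 port mapping it assumes and the sample commands are constructed for the demonstration.

```python
"""FTP application-level gateway for the PORT command (constructed example).

PORT carries the client's address as six ASCII decimal numbers, "h1,h2,h3,h4,p1,p2",
so replacing 10.1.1.1 with 200.1.1.1 lengthens the payload by one byte.  The ALG
keeps the cumulative length delta per control connection and shifts TCP sequence
numbers on later client segments (and acknowledgements coming back) by it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Tuple

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port_arg(payload: bytes) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2\\r\\n' into (ip, port); port = p1*256 + p2."""
    m = PORT_RE.match(payload)
    if not m:
        raise ValueError("not a PORT command")
    h = [int(x) for x in m.groups()]
    if any(not 0 <= x <= 255 for x in h):
        raise ValueError("PORT field out of range")
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]


def build_port_cmd(ip: str, port: int) -> bytes:
    octets = ip.split(".")
    return ("PORT " + ",".join(octets + [str(port // 256), str(port % 256)]) + "\r\n").encode()


@dataclass
class FtpAlgState:
    inside_local: str
    inside_global: str
    seq_delta: int = 0   # bytes added (or removed) so far on client->server payloads
    data_ports: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # advertised port -> client

    def client_to_server(self, seq: int, payload: bytes) -> Tuple[int, bytes]:
        """Shift seq by the delta of earlier rewrites; if this segment is a PORT
        command for the inside host, rewrite the address and grow the delta."""
        new_seq = seq + self.seq_delta
        if payload.startswith(b"PORT "):
            ip, port = parse_port_arg(payload)
            if ip == self.inside_local:
                # 1:1 port mapping assumed here; a PAT device would allocate a public port
                new_payload = build_port_cmd(self.inside_global, port)
                self.data_ports[port] = (ip, port)   # so the server's data connection can be mapped back
                self.seq_delta += len(new_payload) - len(payload)
                return new_seq, new_payload
        return new_seq, payload

    def server_to_client_ack(self, ack: int) -> int:
        """The server acknowledges the rewritten (longer) stream; undo the delta
        so the client's view of its own sequence space stays consistent."""
        return ack - self.seq_delta


def demo():
    alg = FtpAlgState("10.1.1.1", "200.1.1.1")
    port_cmd = b"PORT 10,1,1,1,156,64\r\n"                  # client data port 40000
    seq1, p1 = alg.client_to_server(1000, port_cmd)
    seq2, p2 = alg.client_to_server(1000 + len(port_cmd), b"RETR file\r\n")
    # the server has now received len(p1) + len(p2) bytes and acknowledges them
    ack = alg.server_to_client_ack(1000 + len(p1) + len(p2))
    return seq1, p1, seq2, p2, ack


if __name__ == "__main__":
    print(demo())
```

The delta is one byte here, but a rewrite can also shrink the payload, and a PASV reply from the server needs the same treatment in the other direction with its own delta; the ALG therefore has to keep one counter per direction per control connection, which is exactly the per-connection state the article says makes NAT non-transparent for such protocols.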

However, most traditional client-server protocols (FTP being the exception) do not send layer 3 contact information and therefore need no special handling by NAT. In fact, avoiding NAT complications is a practical requirement when designing a new higher-layer protocol today. NAT can also cause problems where IPsec encryption is used, and in cases where many devices such as SIP phones sit behind a NAT. Phones that encrypt their signalling with IPsec encapsulate the port information inside the IPsec packet, which means the NA(P)T device cannot access and translate the port. In these cases the NA(P)T device falls back to plain NAT operation, which means all traffic returning to the NAT is mapped to a single client, causing the service to fail. There are two solutions to this problem: use TLS (which operates at layer 4 of the OSI reference model) and therefore does not hide the port number, or encapsulate IPsec in UDP; the latter is the solution chosen by TISPAN for secure NAT traversal.
