NAT ALG Principles and Applications

1 NAT ALG Introduction

Ordinary NAT translates only the IP addresses and ports in the UDP or TCP packet header; it cannot operate on the application-layer data carried in the payload. Many application-layer protocols, such as the multimedia protocols (H.323, SIP, etc.), FTP and SQLNET, carry IP addresses or ports inside the TCP/UDP payload. Because plain NAT cannot translate that content, these protocols may fail across NAT. NAT ALG (Application Level Gateway) technology parses the application-layer message and translates the address information it carries: for multi-channel protocols it translates the IP addresses and ports in the payload, or performs the special handling that particular fields require, so that application-layer communication remains correct.

For example, an FTP session consists of a control connection and a data connection. The data connection is created dynamically from the address information carried in the payload of the control connection, so the ALG must translate the address information in that payload to ensure that the subsequent data connection is set up correctly.

2 NAT ALG Features

NAT ALG provides application-based access control for communication between the internal network and external networks, and has the following advantages:

(1) ALG parses and processes the packets of each application-layer protocol in one place, so other modules do not have to repeat the same application-layer parsing; this improves packet forwarding efficiency.

(2) It supports multiple application-layer protocols: FTP, H.323 (including RAS, H.225, H.245), SIP, DNS, ILS, MSN/QQ, NBT, RTSP, SQLNET, TFTP and so on.

3 NAT ALG technology

Two concepts related to ALG are introduced first:

Session: records the interaction information of transport-layer packets, including the source IP address, source port, destination IP address, destination port, protocol type and the VPN instance to which the source/destination IP addresses belong. Packets with the same interaction information belong to one flow; in general, each session corresponds to two flows, one in each direction.

Dynamic channel: when an application-layer protocol message carries address information, that address information is used to establish a dynamic channel; subsequent connections whose address information matches the established channel use it to transmit data.

The following uses FTP, a multi-channel application protocol, in a NAT network environment to describe in detail how ALG processes the packet payload.

3.1 ALG and FTP applications

FTP has two working modes: PORT (active mode) and PASV (passive mode).

FTP uses two connections: a control connection and a data connection. The control connection is dedicated to transmitting control commands and their responses; the data connection is dedicated to transmitting data (upload/download).

3.1.1 Active mode (PORT) connection procedure

As shown in Figure 1, a client on the internal network accesses an FTP server on the external network in PORT mode through an intermediate device on which NAT and ALG are enabled.

                                                                                   Figure 1 ALG processing of the packet payload in FTP PORT mode

In Figure 1, host 1 on the private network accesses an FTP server on the public network. The NAT device is configured with a mapping from the private address 192.168.1.2 to the public address 8.8.8.11, so that NAT address translation lets the private-network host access the public network. In this setup, if the PORT packet were not processed by ALG, the private address carried in the packet payload sent by the private host would reach the server unchanged; the server cannot reach a private address, so the data connection could not be established correctly. The communication process consists of the following four stages:

(1) The private-network host and the public-network FTP server establish a control connection through a TCP three-way handshake.

(2) After the control connection is established, the host sends a PORT packet. The packet carries the destination address and port that the private-network host specifies for the data connection to the FTP server, i.e. the address and port the server should use when it opens the data connection.

(3) When the PORT packet passes through the NAT device with ALG enabled, the private address and port in the packet payload are translated into the corresponding public IP address and port. That is, the device translates the private address 192.168.1.2 in the received PORT packet payload into the public IP address 8.8.8.11, and port 1084 into 12487.

(4) The public-network FTP server receives the PORT packet, parses its contents and initiates a data connection to the private-network host; the destination address of the data connection is 8.8.8.11 and the destination port is 12487. (Note: in general the source port of the data connection is 20, but since the FTP protocol does not require this, some servers use a random source port greater than 1024 for the data connection; the wftpd server used in this example uses source port 3004.) Because the destination address is a public address, the subsequent data connection can be established successfully and the private host can access the public-network server.

The capture on the HOST (FTP client) is shown in Figure 2:

                                                                                            Figure 2 Capture on the FTP client in PORT mode

The capture on the FTP server is shown in Figure 3:

                                                                                           Figure 3 Capture on the FTP server in PORT mode

From the Ethereal captures above, the connection process in active mode (PORT) is as follows. First, the client program allocates a random TCP port for itself and uses it to send a connection request to the server's FTP port (default 21). After the server accepts the request, a control link is created, and the client program sends a PORT command to the server (usually in the format PORT A1,A2,A3,A4,P1,P2, where A1,A2,A3,A4 is the client IP address and P1,P2 encode the random data-connection port number, the port number being P1 * 256 + P2), telling the server which port it has opened for the data channel. When data needs to be transmitted, the server sends a connection request from a random port to the client; after the request is accepted, data transfer begins. In active mode, the packet that needs ALG processing is the PORT packet sent by the client, such as packet 13 in the FTP client capture, which has a field, Request arg, that contains the address and port, as shown in Figure 4:

                                                                                              Figure 4 PORT packet before ALG translation

After the PORT packet sent by the FTP client passes through the NAT device, it corresponds to packet 13 captured on the FTP server side: the private address 192.168.1.2 has been translated into the public address 8.8.8.11, and port 1084 into 12487, as shown in Figure 5:

                                                                                              Figure 5 PORT packet after ALG translation

3.1.2 Passive mode (PASV) connection procedure

As shown in Figure 6, an FTP client on the external network accesses an FTP server on the internal network in PASV mode through an intermediate device that performs NAT translation and on which the ALG feature is enabled.

                                                                                   Figure 6 ALG processing of the packet payload in FTP PASV mode

The NAT device in Figure 6 is configured with a mapping from the private address 192.168.1.1 to the public address 8.8.8.2 to perform NAT address translation. The whole communication process consists of the following four stages:

(1) Establishing the control channel

The client sends a TCP connection request to the server. Once the TCP connection is established, the server and client enter the user authentication stage. If the TCP connection fails, the server disconnects from the client.

(2) User authentication

The client sends an authentication request to the server; the packet contains FTP commands (USER, PASSWORD) and their arguments. When the client's authentication request passes through a device configured with ALG, the command word carried in the packet payload is parsed out and used to check whether the state-machine transition is correct. If the state-machine transition is wrong, the packet is discarded. This prevents a client from attacking the server with packets that violate the state machine or from logging in to the server illegally, and so protects the server. After the client's authentication request has been processed by ALG, it reaches the server, which responds to it.

(3) Creating the data channel

Only a client whose authentication state is correct and that the server has authorized can establish a data connection with the server and exchange data. As shown in Figure 6, when the client sends the PASV command to initiate a connection, the server carries its own private address and port number (IP1, Port1) in the PASV response packet sent to the client. When the response packet passes through the ALG device it is parsed, and the server's private address and port number carried in it are translated into the corresponding public address and port number (IP2, Port2); the data channel is then established between that address and port and the client's address and port.

(4) Data exchange

Data exchange between the client and the server takes place directly over the data channel.

The capture on the FTP server side is shown in Figure 7:

                                                                                          Figure 7 Capture on the FTP server in PASV mode

From the capture above, the connection process in passive mode (PASV) is as follows. The client program first allocates a random TCP port for itself and uses it to send a connection request to the server's FTP port. After the server accepts the request, a control link is established; the client program then sends the PASV command, asking the server to establish the data connection in PASV mode. The server allocates a random data-channel port for itself and tells the client program this port number (usually in the format Entering Passive Mode (A1,A2,A3,A4,P1,P2), where A1,A2,A3,A4 is the server IP address and P1,P2 encode the random port number). When data needs to be transmitted, the client program uses another random port to send a connection request to the data-channel port provided by the server; after the request is accepted, data transfer begins and the data link channel is open. In passive mode, the packet that needs ALG processing is the PASV response sent by the server, such as packet 14 in the capture above, which has a field, Response arg, that contains the address and port, as shown in Figure 8:

                                                                                     Figure 8 PASV response packet that needs ALG processing
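The PORT and PASV payload translations described above (the P1*256+P2 encoding, and the 192.168.1.2:1084 to 8.8.8.11:12487 rewrite), as an added Python example that is not part of the original article. It assumes a static binding table; the PASV binding (192.168.1.1:2000 to 8.8.8.2:30000) and the two sample control-channel lines are constructed for the example.

```python
import re

# Constructed NAT bindings (private ip, port) -> (public ip, port). The PORT pair uses the
# article's own values; the PASV pair is an assumption, since the article only gives the
# PASV address mapping 192.168.1.1 -> 8.8.8.2 without a port.
NAT_MAP = {("192.168.1.2", 1084): ("8.8.8.11", 12487),   # PORT mode, client side
           ("192.168.1.1", 2000): ("8.8.8.2", 30000)}    # PASV mode, server side

# Constructed control-channel lines as the ALG sees them before translation.
SAMPLE_PORT = "PORT 192,168,1,2,4,60\r\n"                          # 4*256+60 = 1084
SAMPLE_PASV = "227 Entering Passive Mode (192,168,1,1,7,208).\r\n"  # 7*256+208 = 2000

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Decode A1,A2,A3,A4,P1,P2 into (ip, port) with port = P1*256 + P2.
    Returns None when the field is absent or malformed: the ALG validates
    the payload before it creates any binding from it."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    v = [int(x) for x in m.groups()]
    if max(v) > 255:
        return None
    return ".".join(str(x) for x in v[:4]), v[4] * 256 + v[5]

def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)

def alg_rewrite(line, nat_map=NAT_MAP):
    """Rewrite the payload address of a PORT command or a 227 PASV response.
    Returns (new_line, inside, outside); inside and outside are None when the
    line needs no ALG processing or carries no address known to the NAT."""
    upper = line.upper()
    if not (upper.startswith("PORT ") or upper.startswith("227 ")):
        return line, None, None              # USER, PASS, LIST, ...: pass through
    inside = decode_hostport(line)
    if inside is None or inside not in nat_map:
        return line, None, None
    outside = nat_map[inside]
    new_line = _HOSTPORT.sub(encode_hostport(*outside), line, count=1)
    return new_line, inside, outside
```

Because the rewritten field can change length, a TCP ALG must also adjust sequence and acknowledgement numbers on the control connection, and it should open the translated data-channel port only for the peer that the session expects.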

3.2 ALG with H.323/SIP applications

3.2.1 ALG with H.323

The H.323 protocol is used to initiate sessions. It controls the establishment and termination of multimedia sessions with multiple participants, and can dynamically adjust and modify session attributes such as the bandwidth required by the session, the media types transmitted (voice, video, etc.), the media codec formats and broadcast support.

H.323 uses a client/server model. In the voice network shown in Figure 9, the call setup process is completed mainly through communication between the gateway and the gatekeeper.

Gateway: connects H.323 telephone terminals;

Gatekeeper: registration/location/proxy server that manages the gateways.

                                                                                                  Figure 9 H.323 voice application network diagram

The H.323 protocol stack is shown in Figure 10:

                                                                                                        Figure 10 H.323 protocol stack

As the protocol stack shows, H.323 is a protocol family in which many protocols cooperate to perform address location, registration, media negotiation and other tasks. Among them, the packets whose TCP/UDP payload carries address or port information, and which therefore need ALG processing once NAT is performed at the gateway, are the H.225, H.245 and RAS signaling packets, specifically:

(1) UDP RAS packets: the gatekeeper, registration and admission request and confirm packets

(2) TCP H.225 packets: the setup, alerting and connect packets

(3) TCP H.245 packets: the open logical channel and open logical channel ACK packets

Four kinds of connection are established in H.323 communication:

RAS connection: a UDP connection between the gateway and the gatekeeper; the source and destination ports are both 1719.

H.225 connection: a TCP connection established between gateway and gatekeeper in routed mode, or between gateway and gateway in redirect mode. The source port is generally allocated randomly by the initiator; the destination port is 1720.

H.245 connection: a TCP connection established between gateway and gatekeeper in routed mode, or between gateway and gateway in redirect mode. The source port is generally allocated randomly by the initiator; the destination port is negotiated in the H.225 connect packet.

RTP/RTCP connection: a UDP connection between gateway and gateway. The source and destination are negotiated through the open logical channel packet and its ACK on the H.245 connection.

3.2.2 ALG with SIP

SIP (Session Initiation Protocol) is an application-layer control protocol for establishing, modifying and terminating multimedia sessions, where a session may be an IP telephone call, a multimedia session or a multimedia conference. SIP manages sessions through the exchange of information carried in various header fields. The header fields related to call setup that contain IP address and port information must be processed by ALG, otherwise the call cannot be set up correctly. A direct-call network between SIP UAs is shown in Figure 11 (two voice routers act as SIP UAs and can call each other directly):

                                                                                               Figure 11 SIP UA direct-call network diagram

SIP messages are text-encoded and fall into two classes: request messages and response messages. There are six kinds of SIP request message:

(1) INVITE: invites a user to join a call.

(2) ACK: confirms the response to a request message.

(3) OPTIONS: requests capability information for negotiation.

(4) BYE: releases an established call.

(5) CANCEL: releases a call that has not yet been established.

(6) REGISTER: registers the user's location and other information with the SIP registrar.

SIP response messages respond to request messages and indicate the success or failure of a call or registration. The address field types in request and response messages that need ALG processing are mainly Via, Record-Route, Contact and SDP.

The ALG processing flow consists of the following three steps:

First, ALG decodes the packet according to the protocol type identified by the session. If decoding shows that the packet does not need ALG processing, or finds an erroneous field, ALG exits; if decoding finds fields that need to be translated, processing continues;

Second, ALG looks up the NAT configuration on the interface and, according to that configuration, translates the IP address, port, call-id and other information in the packet and builds an association table, which records the translation relationship of the payload addresses;

Finally, ALG adjusts the length fields in the packet payload. For example, the content-length field in the SIP message header gives the length of the message body; after ALG has translated the addresses in the message body, the body length may change, so the content-length field must be set to the new value.
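The three-step flow above (decode, translate addresses against the NAT bindings, then fix content-length), as an added Python example that is not part of the original article. It assumes a constructed 1:1 binding table and a constructed INVITE with an SDP body; it rewrites the Via, Contact and Record-Route headers named above and the SDP o=/c=/m= lines, and recomputes Content-Length from the translated body.

```python
import re
# Constructed NAT bindings (private ip, port) -> (public ip, port), an assumption for this
# example; a real ALG allocates the media binding (the page's "dynamic channel") on the fly.
NAT_BINDINGS = {("192.168.1.10", 5060): ("8.8.8.20", 5060),     # signaling
                ("192.168.1.10", 49170): ("8.8.8.20", 40002)}   # RTP audio
IP_MAP = {k[0]: v[0] for k, v in NAT_BINDINGS.items()}
IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed INVITE from the private UA; its Content-Length (104) matches the SDP body.
SAMPLE_INVITE = ("INVITE sip:bob@203.0.113.5 SIP/2.0\r\n"
                 "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776\r\n"
                 "Contact: <sip:alice@192.168.1.10:5060>\r\nContent-Length: 104\r\n\r\n"
                 "v=0\r\no=alice 2890844526 2890844526 IN IP4 192.168.1.10\r\n"
                 "c=IN IP4 192.168.1.10\r\nm=audio 49170 RTP/AVP 0\r\n")

def _fix_header(line):  # translate private ip[:port] in a Via/Contact/Record-Route value
    def repl(m):
        key = (m.group(1), int(m.group(2) or 5060))  # 5060 = SIP default port
        if key not in NAT_BINDINGS:
            return m.group(0)                         # not ours: leave untouched
        ip, port = NAT_BINDINGS[key]
        return ip if m.group(2) is None else "%s:%d" % (ip, port)
    return re.sub(r"(%s)(?::(\d{1,5}))?" % IP_RE, repl, line)

def _fix_sdp(body):  # translate o=/c= addresses and the m= media port
    out, priv = [], None
    for line in body.split("\r\n"):
        m = re.search(IP_RE, line)
        if line.startswith(("o=", "c=")) and m and m.group(0) in IP_MAP:
            priv = m.group(0)
            line = line[:m.start()] + IP_MAP[priv] + line[m.end():]
        elif line.startswith("m=") and priv and (priv, int(line.split()[1])) in NAT_BINDINGS:
            f = line.split(" ")
            f[1] = str(NAT_BINDINGS[(priv, int(f[1]))][1])
            line = " ".join(f)
        out.append(line)
    return "\r\n".join(out)

def sip_alg_rewrite(msg):  # steps 2 and 3 of the page's flow
    head, _, body = msg.partition("\r\n\r\n")
    new_body = _fix_sdp(body)
    lines = head.split("\r\n")
    for i in range(1, len(lines)):  # skip the request/status line
        name = lines[i].split(":", 1)[0].strip().lower()
        if name in ("via", "contact", "record-route"):
            lines[i] = _fix_header(lines[i])
        elif name == "content-length":
            lines[i] = "Content-Length: %d" % len(new_body.encode())
    return "\r\n".join(lines) + "\r\n\r\n" + new_body
```

Translating 192.168.1.10 to the shorter 8.8.8.20 shrinks the body by four bytes per SDP line, which is exactly why the final step must rewrite Content-Length rather than copy it.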

Origin www.cnblogs.com/yyxianren/p/12373877.html