P2P communication across middleboxes (translation, part 3)

Original copyright: Copyright (C) The Internet Society (2003). All Rights Reserved.


3.3.2. Peers behind the same NAT

Now consider the scenario in which the two clients (probably unknowingly) happen to reside behind the same NAT, and are therefore located in the same private IP address space.  Client A has established a UDP session with server S, to which the common NAT has assigned public port number 62000.  Client B has similarly established a session with S, to which the NAT has assigned public port number 62001.

Now consider the case in which the two clients (very likely without knowing it) happen to reside behind the same NAT, and are therefore in the same private IP address space. Client A's session with S uses public port 62000 on the NAT, and Client B's session with S uses port 62001, as shown in the figure below:

Suppose that A and B use the UDP hole punching technique as outlined above to establish a communication channel using server S as an introducer. Then A and B will learn each other's public IP addresses and port numbers as observed by server S, and start sending each other messages at those public addresses. The two clients will be able to communicate with each other this way as long as the NAT allows hosts on the internal network to open translated UDP sessions with other internal hosts and not just with external hosts. We refer to this situation as "loopback translation," because packets arriving at the NAT from the private network are translated and then "looped back" to the private network rather than being passed through to the public network. For example, when A sends a UDP packet to B's public address, the packet initially has a source IP address and port number of and a destination of  The NAT receives this packet, translates it to have a source of (A's public address) and a destination of, and then forwards it on to B. Even if loopback translation is supported by the NAT, this translation and forwarding step is obviously unnecessary in this situation, and is likely to add latency to the dialog between A and B as well as burdening the NAT.


Suppose Client A and Client B use the UDP hole punching technique described in the previous section, with server S acting as the introducer ("matchmaker"). A and B first learn each other's public IP address and port from S, and then send messages to each other at those public addresses. The two clients can talk this way only if the NAT allows internal hosts to open translated UDP sessions not just with external hosts but also with other internal hosts (hosts behind the same NAT). This case is called "loopback translation", because a packet sent from a private address on the LAN is translated by the NAT and then "looped back" into the LAN instead of being passed out to the public network. For example, when Client A sends a UDP packet to Client B's public address, the packet header initially carries source address 10.0.0.1:1234 and destination address 155.99.25.11:62001. On receiving it, the NAT translates the packet so that it has source 155.99.25.11:62000 (A's public address) and destination 10.1.1.3:1234, and then forwards it to B. Even when the NAT supports loopback translation, this translation and forwarding step is clearly unnecessary here: it is likely to add latency to the conversation between A and B, and it places an extra burden on the NAT.

The solution to this problem is straightforward, however. When A and B initially exchange address information through server S, they should include their own IP addresses and port numbers as "observed" by themselves, as well as their addresses as observed by S. The clients then simultaneously start sending packets to each other at each of the alternative addresses they know about, and use the first address that leads to successful communication. If the two clients are behind the same NAT, then the packets directed to their private addresses are likely to arrive first, resulting in a direct communication channel not involving the NAT. If the two clients are behind different NATs, then the packets directed to their private addresses will fail to reach each other at all, but the clients will hopefully establish connectivity using their respective public addresses. It is important that these packets be authenticated in some way, however, since in the case of different NATs it is entirely possible for A's messages directed at B's private address to reach some other, unrelated node on A's private network, or vice versa.

The solution to this problem is straightforward, however. When Client A and Client B first exchange address information through server S, each should include its own IP address and port as it observes them itself (its private address), together with the address that S observed (its public address). The two clients then simultaneously send packets to each other at every address they know for the peer, both private and public, and use whichever address first leads to successful communication. If the two clients are behind the same NAT, the packets addressed to the private addresses will most likely arrive first, producing a direct channel that does not involve the NAT at all. If the two clients are behind different NATs, the packets sent to the private addresses will not reach the peer at all, but the clients can still hope to establish connectivity using their respective public addresses. It is important, however, that these packets be authenticated in some way: when the two clients are behind different NATs it is entirely possible that a packet Client A aims at Client B's private address ends up at some other, unrelated node on A's own private network, and vice versa (a packet Client B aims at Client A's private address may likewise be delivered to an unrelated node).

(I did not fully understand what "unrelated node on A's private network" in the last sentence means. In any case, taken in context, it should mean that a packet Client A aims at Client B's private address and port will be delivered elsewhere by the NAT, because the two are behind different NATs: if NAT A finds a machine on its internal network that has the same private address as Client B, it will deliver the packet there, so the packet never reaches Client B at all.)
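The procedure in this section, as an added Python example that is not code from the draft or from the translator: each peer probes the other's private and public candidate addresses at once, keeps the first address that yields authenticated traffic, and rejects anything it cannot authenticate, so a probe that lands on an unrelated host behind a different NAT (the case the last paragraph warns about) cannot be mistaken for the peer. The probe format, the per-session key (assumed to be handed to both peers by the rendezvous server S over their existing sessions), and the numeric peer ids are assumptions made for illustration.

```python
# Added example: candidate-address hole punching with authenticated probes.
# Not code from the draft; the probe format, the shared session key (assumed to
# be handed to both peers by the rendezvous server S over their existing
# sessions) and the peer numbering are assumptions made for illustration.
import hashlib
import hmac
import secrets
import socket
import struct
import threading
import time

MAGIC = b"P2PP"                    # assumed marker so stray traffic is cheap to reject
SID_OFF, SID_LEN = len(MAGIC), 16  # session id chosen by S (assumed)
SENDER_OFF, SENDER_LEN = SID_OFF + SID_LEN, 4
NONCE_OFF, NONCE_LEN = SENDER_OFF + SENDER_LEN, 8
TAG_LEN = hashlib.sha256().digest_size
PROBE_LEN = NONCE_OFF + NONCE_LEN + TAG_LEN   # 64 bytes


def build_probe(session_key: bytes, session_id: bytes, sender_id: int) -> bytes:
    """probe = MAGIC | session_id | sender_id | nonce | HMAC-SHA256(key, all preceding bytes)."""
    body = MAGIC + session_id + struct.pack("!I", sender_id) + secrets.token_bytes(NONCE_LEN)
    return body + hmac.new(session_key, body, hashlib.sha256).digest()


def verify_probe(session_key: bytes, session_id: bytes, expected_sender: int, data: bytes) -> bool:
    """True only for a well-formed probe of this session, from the expected peer, with a valid tag.
    Junk from an unrelated host on the private network fails here instead of passing as the peer."""
    if len(data) != PROBE_LEN or not data.startswith(MAGIC):
        return False
    body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(session_key, body, hashlib.sha256).digest(), tag):
        return False
    sid = body[SID_OFF:SID_OFF + SID_LEN]
    (sender,) = struct.unpack("!I", body[SENDER_OFF:SENDER_OFF + SENDER_LEN])
    return sid == session_id and sender == expected_sender


def first_authenticated(session_key, session_id, expected_sender, received):
    """received: (addr, payload) pairs in arrival order. Returns the first addr whose payload
    authenticates, i.e. the 'first address that leads to successful communication'."""
    for addr, payload in received:
        if verify_probe(session_key, session_id, expected_sender, payload):
            return addr
    return None


def punch(sock, candidates, session_key, session_id, my_id, peer_id, timeout=2.0):
    """Probe every candidate (private and public) at once, then wait for the peer's first
    authenticated probe and return the address it came from (None on timeout)."""
    probe = build_probe(session_key, session_id, my_id)
    for addr in candidates:
        sock.sendto(probe, addr)
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None
        sock.settimeout(remaining)
        try:
            data, addr = sock.recvfrom(2048)
        except socket.timeout:
            return None
        if verify_probe(session_key, session_id, peer_id, data):
            return addr          # first address that yields authenticated traffic wins
        # otherwise: junk from an unrelated node, a probe for another session, or a forgery


if __name__ == "__main__":
    # Constructed loopback demo: peers A and B plus an unrelated host X. A's stale "private"
    # candidate for B points at X (the different-NATs failure mode); X answers whatever it gets.
    key, sid = secrets.token_bytes(32), secrets.token_bytes(SID_LEN)
    a, b, x = (socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(3))
    for s in (a, b, x):
        s.bind(("127.0.0.1", 0))

    def unrelated_host():
        x.settimeout(2.0)
        try:
            _, src = x.recvfrom(2048)
            x.sendto(b"who are you?", src)   # unauthenticated reply, must be ignored by A
        except socket.timeout:
            pass

    threading.Thread(target=unrelated_host, daemon=True).start()
    seen = {}
    tb = threading.Thread(target=lambda: seen.update(b=punch(b, [a.getsockname()], key, sid, 2, 1)))
    tb.start()
    seen["a"] = punch(a, [x.getsockname(), b.getsockname()], key, sid, 1, 2)
    tb.join()
    print("A reached B at", seen["a"], "after rejecting junk from", x.getsockname())
    print("B reached A at", seen["b"])
```

Run as a script, A ends up with B's real address even though X's unauthenticated reply arrives on the same socket. The nonce keeps every probe distinct and the HMAC binds it to the session and the sender, so a host that merely happens to own the guessed private address cannot be selected as the peer; replay protection across sessions is left to the session id chosen by S.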

