The IP communication protocol is widely used for data communication, including on the Internet, in GPRS and CDMA 1x networks, and within the organizations of a company. Because of its openness, simplicity, low cost and other factors, the IP protocol is supported by communication devices and host devices alike and has become the most commonly used data communication protocol.
The current IP communication mode is based on the IPv4 protocol formulated by the IETF, which defines an IP address as being identified with four bytes. However, the widespread use of the IP protocol in business has led to a severe shortage of IP addresses. In view of this, the IETF has drawn up the NAT technical specification, which specifies that reserved addresses can be used as internal private addresses within organizations and enterprises. When users of these addresses need to access other users on the Internet, a NAT device at the outbound of the organization or enterprise performs address translation to translate the private addresses into public addresses. Either one-to-one translation or multiple-to-one translation (discriminated by port number) can be implemented. Public addresses are saved by multiple-to-one translation or multiple-to-multiple translation (where there are more internal addresses than public addresses; sometimes called PAT or NAPT, but here called NAT for short, because one-to-one NAT has found almost no application). At present, nearly all organizations and enterprises apply NAT (Network Address Translator) technology: private addresses are used within the company, and a NAT device deployed at the company's outbound to the Internet performs the address translation.
Another purpose of applying NAT technology is to protect internal devices and hosts. Since a NAT shields an internal host from being accessed by an external host (unless a fixed port mapping from the internal host to an external address is configured on the NAT, which is done only when the internal host is intended to provide services to the outside), users within organizations and enterprises are placed in a relatively secure position and protected from malicious attack. NAT technology is therefore widely used in the firewall policies of companies.
Therefore, the presence of NAT in the IPv4 field both saves IP addresses and enhances security. In the IPv6 field, however, since an IP address is identified with six bytes, address saving is no longer necessary; firewalls still use NAT technology to protect internal users for security reasons.
According to the IETF definition, NATs fall into two main categories: basic NAT (one-to-one address translation) and NAPT (multiple-to-one or many-to-few address translation).
In IETF RFC 3489 (STUN: Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)), NAPTs fall into two main categories: Cone NATs and Symmetric NATs. A Cone NAT is characterized in that when an internal host accesses any external address from the same source port, the NAT device uses the same translated port number, and unbinds the port after the session ends. A Symmetric NAT is characterized in that when an internal host accesses a new external address and port, the NAT device uses a new translated port number.
Cone NATs are further divided into full-duplex Cone NATs, restricted Cone NATs and port-restricted Cone NATs.
A full-duplex Cone NAT creates a public-network/private-network address mapping when an internal address initiates an "outbound" session. Once this mapping is created, the full-duplex Cone NAT accepts communication sent to this public port address from any external address and port.
A restricted Cone NAT screens forwarded data packets. When an internal host initiates an "outbound" session, the NAT records the IP address of the external host. Thereafter, only the recorded external IP addresses can send information to the inside of the NAT. Restricted Cone NATs effectively refine the packet-screening principle of firewalls, i.e. they define that only known external addresses are allowed to "transfer" information to the inside of the NAT.
Unlike a restricted Cone NAT, a port-restricted Cone NAT records both the IP address and the port of the external host. Therefore, only external hosts whose IP address and port have been recorded can send information to the inside of the NAT.
For security reasons, full-duplex Cone NATs and restricted Cone NATs are seldom employed. Only when an internal host is intended to provide services to the outside is a full-duplex Cone NAT used, to establish a one-to-one mapping from the internal server to a NAT public-network address and a particular port.
In practice, a NAT shields internal users from being accessed by external hosts: internal users can freely access external hosts through the NAT, whereas external hosts cannot freely access internal users through it. Likewise, internal users behind one NAT cannot directly access internal users behind another NAT.
This mode is entirely workable in the current application environment with BS (browser/server) and CS (client/server) architectures. It is not the case in a P2P application environment, however, because besides servers with public-network addresses, every user may provide services to other users.
In the prior art, there are two technical solutions to the two problems mentioned above.
The first is directed at the problem of external users accessing internal users. Some method is employed to notify an internal user to actively access the external user; the NAT then records the IP address and port number of that external user, so that the external user can access the internal user through the NAT. This is in fact a reverse-contact approach, and the notification procedure is implemented by a third-party device. Therefore, all external and internal users establish relations with this third-party device in advance, and the third-party device implements the notification procedure.
The second is directed at the problem of mutual access between internal users behind one NAT and internal users behind another NAT. In this solution, a third-party device in a public network is employed; all internal users can freely access this third-party device, which serves as a proxy to forward all data messages between any two internal users.
The second solution has an obvious deficiency: the third-party device in the public network must forward all traffic, which costs a huge amount of network resources. As is well known, Cone NATs (hereinafter, unless otherwise indicated, NATs generally mean port-restricted Cone NATs) have the following property: when a user uses the same source IP address and port to access hosts at any addresses in the external network during a session, the Cone NAT uses the same NAT external-network outbound address and source port for all of them. The present invention recognizes that this property of Cone NATs can be used to implement direct access between internal users behind one NAT and internal users behind another NAT without an external third-party proxy.
However, a serious problem arises: most NAT devices, such as Cisco routers, Windows XP, Linux iptables, Wingate and Sysgate, usually behave as Symmetric NATs and exhibit Cone NAT properties only under certain conditions.
Term Explanation:
NAT: a device used for translation between internal addresses and external addresses. Defined in IETF RFC1631 and RFC3022.
Cone NAT: in a session, connection messages sent to different target addresses and ports using the same port number are translated by such a NAT into messages with the same source port.
Symmetric NAT: connection messages sent to different target addresses and ports using the same port number are translated by such a NAT into messages with different source ports.
User device: detects a NAT and communicates with user devices under another NAT.
Notifying device: forwards notification messages of user devices under a NAT.
Auxiliary detecting device: replies to a detection message sent by a user device, obtains the NAT external-network address and source port information translated by the NAT, and sends them to the corresponding user device.
NAT penetrated port: a port on a NAT, which is detected by a user device and used for NAT penetrating communication and corresponds to a local penetrated port of an internal-network user device.
Local penetrated port: a local source port which is detected by a user device and used for NAT penetrating communication and corresponds to a NAT penetrated port on a NAT.
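The Cone/Symmetric mapping distinction and the inbound filtering of the three Cone NAT types described earlier, together with the detection exchange between a user device and several auxiliary detecting devices defined in the terms above, can be modelled in a few lines. The following is an added illustration, not code from this application; the Nat class, the addresses and the port numbers are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Constructed model of one NAT device: 'full', 'restricted',
    'port_restricted' (the three Cone types) or 'symmetric'."""
    kind: str
    public_ip: str = "203.0.113.1"   # constructed NAT external-network address
    next_port: int = 40000           # next translated source port to hand out
    mappings: dict = field(default_factory=dict)  # binding key -> NAT port
    peers: dict = field(default_factory=dict)     # NAT port -> {(ext_ip, ext_port)}

    def outbound(self, src, dst):
        """Translate an outbound packet from internal src=(ip, port) to dst=(ip, port).
        A Cone NAT keys the binding on the internal source endpoint only, so every
        destination sees the same translated port; a Symmetric NAT also keys it on
        the destination, so each new destination gets a new port."""
        key = src if self.kind != "symmetric" else (src, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        nat_port = self.mappings[key]
        self.peers.setdefault(nat_port, set()).add(dst)   # record who was contacted
        return (self.public_ip, nat_port)

    def inbound(self, ext, nat_port):
        """True if a packet from external ext=(ip, port) to nat_port passes the filter."""
        contacted = self.peers.get(nat_port)
        if contacted is None:
            return False                        # no session ever created this binding
        if self.kind == "full":
            return True                         # full(-duplex) Cone: any external endpoint
        if self.kind == "restricted":
            return any(ip == ext[0] for ip, _ in contacted)   # recorded IP, any port
        return ext in contacted                 # port-restricted / symmetric: IP and port

def detect(nat, local, detectors):
    """User-device side of the detection exchange: send from one local source port to
    several auxiliary detecting devices, each of which reports back the (NAT external
    address, source port) it observed. One distinct reply means Cone, more means Symmetric."""
    replies = {nat.outbound(local, d) for d in detectors}
    return "cone" if len(replies) == 1 else "symmetric"

if __name__ == "__main__":
    aux = [("198.51.100.10", 3478), ("198.51.100.11", 3478)]   # constructed detectors
    for kind in ("port_restricted", "symmetric"):
        print(kind, "->", detect(Nat(kind), ("10.0.0.5", 5000), aux))
```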