stako
28-04-04, 20:43
While reading an ebook I came across the following. It concerns NAT, and specifically it says something about NAT Traversal. From what I understood it is a very important feature and probably the reason I can't host an online game. (I'm on a JetSpeed 500i, switch, 2 PCs on the switch.)
Does anyone know whether the JetSpeed is NAT Traversal enabled??? If not, which ADSL modem/router is? Is there a way to get around a possible weakness of the hardware in this respect???
Sorry if the text doesn't look very good, it's a copy-paste from Acrobat...
Also note the "IPSec NAT Traversal" section.
NAT Traversal
----------------
First, XP introduced NAT Traversal. For those who don’t know what that is, NAT Traversal tries to solve the problem of “how do I communicate from inside one NAT network to another?”

More specifically: suppose you’ve got a cable modem or DSL connection with a connection sharing device of some kind, like a DSL router. The DSL router has two IP addresses. First, there’s the honest-to-God, fully routable IP address that it got from your Internet provider, connected to the DSL or cable modem connection. Then there’s the connection to a switch that you’ve got all of your internal machines connected to—the old Windows 9x boxes, NT machines, 2000 systems, Macintoshes, or whatever. The DSL router’s job is to share the one “legal” Internet address among several devices. But every device needs a unique IP address. Lots of devices, but just one IP address—what to do?

As you may know, DSL routers solve this problem by giving all of the internal systems—those Windows, NT, 2000, and Mac machines—IP addresses from a block of addresses set aside to be nonroutable. Anyone can use them.

There are several of these nonroutable blocks, but most DSL routers seem to use the 192.168.1.x or 192.168.0.x subnets. The DSL routers then use something called network address translation or, more correctly, port address translation (again, see Chapter 6 if this isn’t familiar) to share the one routable address with all of the internal systems. How it does it is pretty simple: whenever an internal system wants to access the Internet, perhaps to browse some Web site, then that system just says to the DSL router, “Please forward this request to Internet address so-and-so,” as routers normally do. But the DSL router knows perfectly well that it can’t do that: if it says to the Internet, “Hey, someone at 192.168.1.3 has a request,” then the first Internet router to see the message will simply refuse to route it, as the address is in a range of addresses that are, by definition, NONroutable. So the DSL router doesn’t say “192.168.1.3 wants something”; instead, the DSL router substitutes its routable address. Then, when the answer to 192.168.1.3’s question comes back, the DSL router remembers which machine asked the question in the first place and routes the answer to 192.168.1.3. The result is that to the general Internet, that DSL router sure seems like a demanding system, when in fact it is simply busy because it is impersonating a bunch of systems.

In any case, notice that it’s possible for an internal system (one with one of those 192.168.x.x addresses) to initiate a communication with a device on the public, routable Internet, but it’s NOT possible for a device on the public, routable Internet to initiate a conversation with an internal 192.168.x.x system.
Here, then, is the problem. Suppose I’m sitting at a Windows 2000 Pro box in my home that has a 192.168.x.x address, accessing the Internet via my DSL router or cable modem sharing device. You’re sitting in your house, also using some kind of DSL router or cable modem sharing device to access the Internet. We meet on-line and decide to play some networkable game and start to set up our connection. One of us acts as the server and one as the client. The client then initiates communication with the server. That’s where the problem appears. I could initiate a communication to a routable address, or YOU could initiate a communication to a routable address, but neither of us has a routable address… and so we can’t communicate.

(Note that some of you might be scratching your heads saying, “Mark, I don’t have that problem.” In that case, I’m guessing that you use your Windows 98 SE, Windows Me, or 2000-based system as the DSL or cable modem–sharing device. As you know if you read Chapter 6 of Mastering Windows 2000 Server, you can easily activate something called Internet Connection Sharing to make your 98 SE/Me/2000 device into a simple NAT router. But if you do your gaming while sitting at that box, then NAT isn’t a problem, as that particular computer has a legal IP address, recall, as it’s the device connected to the Internet.)

How, then, to create a meeting of the minds in PC-land? With NAT Traversal. The idea is that if your DSL router (or other sharing device), your opponent’s sharing device, and your game software understand NAT Traversal, then the two sharing devices work out the details to allow 192.168.x.x-to-192.168.x.x communications with no muss, fuss, or greasy aftertaste. And XP Pro’s version of Internet Connection Sharing supports NAT Traversal, so if you replaced your DSL router with an XP Pro (or Home) box, you’d have all the more online gaming options. (And of course it’s good for more than just gaming; you could use this for any peer-to-peer communications that must go through a NAT-type router, like Webcam-type videoconferencing—once there’s videoconferencing software that understands NAT Traversal.)

NAT Traversal’s migration to Windows Server 2003 is, then, pretty good news.
IPSec NAT Traversal
---------------------
I discussed NAT Traversal as if it were mainly of interest to gamers, and I suppose that at first it was. But you could just as easily imagine 192-to-192 type network communications in business as well. Consider a business with two offices in different cities and about 50 employees in each location. They’d like to connect the offices but don’t want to have to buy a dedicated leased line or frame relay between the offices, so they get DSL in each location.

In each location they end up with network addresses that look like 192.168.0.something, but they’d like to communicate from location to location. Their problem is, as you can see, exactly the same problem that the gamers in my earlier example face. So they could just put in NAT Traversal hardware and software and be done with it.

But then they’d be transmitting office-to-office data in cleartext over the Internet. An OK thing in 1993, I suppose, but a definite no-no in these modern times. Running sensitive data over the Internet is exactly what IPSec (Internet Protocol Security) was built for. IPSec (also covered in Chapter 6) converts an IP connection into an encrypted IP communication.

The only trouble is that IPSec and NAT don’t mix. Or didn’t, until Windows Server 2003. Windows Server 2003 includes a new kind of IPSec that is NAT Traversal–aware. So you can have as many 192 networks as you like, and they can all talk to one another, and securely. Of course, this isn’t free—you need firewalls and routers that are NAT Traversal–aware—which is probably one reason Microsoft has started selling network hardware, including some interesting wireless devices.
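As an added illustration (not from the post or the book it quotes) of the translation the excerpt describes, here is a toy port-address-translation table in Python: outbound packets create mappings, replies are matched back to the internal host that asked, and an unsolicited inbound connection finds no mapping and is dropped, which is exactly why hosting from behind the router fails. The static mapping at the end (a hand-configured port forward, helper name `static_map`) is an assumed manual workaround the excerpt does not discuss; all addresses and ports are constructed.

```python
# Added illustration (not from the post or the book): a toy port-address
# translation table that behaves the way the excerpt describes. All
# addresses and ports are constructed for the example.
class PatRouter:
    def __init__(self, public_ip):
        self.public_ip = public_ip      # the one routable address from the ISP
        self.table = {}                 # (inside_ip, inside_port) -> public port
        self.reverse = {}               # public port -> (inside_ip, inside_port)
        self.next_port = 40000          # assumed starting port for new mappings

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An internal host sends a packet out. The router swaps in its own
        routable address and remembers which internal host asked."""
        key = (src_ip, src_port)
        if key not in self.table:       # first packet of this flow: new mapping
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, dst_port):
        """A packet arrives from the Internet for the public address.
        It is delivered only if an internal host already opened that port;
        an unsolicited connection attempt has no entry and is dropped."""
        return self.reverse.get(dst_port)   # None means dropped

    def static_map(self, public_port, inside_ip, inside_port):
        """A fixed mapping set by hand on the router (port forwarding), the
        usual workaround when nothing negotiates the hole automatically."""
        self.table[(inside_ip, inside_port)] = public_port
        self.reverse[public_port] = (inside_ip, inside_port)


def demo():
    r = PatRouter("203.0.113.7")            # documentation-range public address
    # Two internal boxes both use source port 5000: PAT keeps them apart.
    web1 = r.outbound("192.168.1.3", 5000, "198.51.100.10", 80)
    web2 = r.outbound("192.168.1.4", 5000, "198.51.100.10", 80)
    reply1 = r.inbound(web1[1])             # answer to 192.168.1.3's request
    reply2 = r.inbound(web2[1])             # answer to 192.168.1.4's request
    # A remote player tries to join a game hosted on 192.168.1.3:27015.
    join_before = r.inbound(27015)          # no mapping: dropped
    r.static_map(27015, "192.168.1.3", 27015)
    join_after = r.inbound(27015)           # delivered to the host
    return web1, web2, reply1, reply2, join_before, join_after
```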