NAT - Iyini? NAT Isethaphu

Network Ikheli Translation (Nat) iyindlela kucelwa kabusha eyodwa isikhala ikheli kwenye ngokushintsha ulwazi ikheli inethiwekhi IP (Inthanethi). Okungukuthi, izihloko iphakethe baguqulelwa ngesikhathi lapho kukhona sisendleleni ngedivayisi umzila. Le ndlela ekuqaleni esasisetshenziselwa ukuqondisa kabusha traffic lula e-IP amanethiwekhi, impi ngamunye ngaphandle renumbering. Waba ithuluzi ethandwa futhi kubalulekile ukongiwa nokusatshalaliswa isikhala lwamakheli in the nemibandela ukushoda IPv4 amakheli.

NAT - Iyini?

Ukusetshenziswa yokuqala translation ikheli inethiwekhi kumephu ikheli ngamunye kusukela isikhala eyodwa ikheli ikheli okuhambisanayo nezinye isikhala. Ngokwesibonelo, kubalulekile uma wesevisi Inthanethi okushintshile, futhi umsebenzisi akakwazi ukumemezela umzila omusha esidlangalaleni kunethiwekhi. Ngaphansi kwale mibandela engenzeki Ukuwohloka global IP-ikheli isikhala NAT ubuchwepheshe ngokwethukela kusetshenziswa kakhulu kusukela 1990 ngasekupheleni ngokuhlanganyela ne-IP ukubethela (okuyinto indlela ezokuthutha eziningana IP amakheli ngesikhathi isikhala efanayo). Le ndlela yokwenza ukusebenza idivayisi umzila esebenzisa amatafula translation stateful ukubonisa amakheli "ocashe" komunye IP-ikheli kanye athumele aphumayo-IP amaphakethe okukhishwayo. Ngakho, zikhonjisiwe ephuma idivayisi umzila. In reverse ukuxhumana isiteshi izimpendulo ziboniswa umthombo IP-ikheli usebenzisa imithetho agcinwe amatafula wokuhumusha. ithebula Imithetho wokuhumusha, esikhundleni salokho, usule emva esifushane uma traffic entsha akusho update isimo salo. Lona indlela eyisisekelo Nat. Ukuthi lokho kusho?

Le ndlela ikuvumela ukuba ukuxhumana ngokusebenzisa router kuphela uma uxhumano senziwa kunethiwekhi ebethelwe, njengoba kudala itafula wokuhumusha. Ngokwesibonelo, isiphequluli sewebhu ngaphakathi inethiwekhi angase ayisebenzise isayithi phesheya, kodwa, uma ayifakiwe ngaphandle, ayikwazi ukuvula umthombo, ibekwe kuwo. Noma kunjalo, namadivayisi amaningi NAT namuhla uvumele kumphathi inethiwekhi ukumisa okufakile itafula translation ukusetshenziswa unomphela. Lesi sici uvame ukubizwa ngokuthi static NAT noma port ukudlulisa, futhi ikuvumela traffic evela ku "ngaphandle" inethiwekhi ukufinyelela aphethe yendawo inethiwekhi ngekhodi.

Ngenxa ukuthandwa le ndlela isetshenziswa ukuba alondoloze IPv4 ikheli isikhala, igama elithi NAT (Yilokhu empeleni - ngenhla), cishe sekube lahlotshaniswa nokuba indlela ukubethela.

Ngenxa NAT okushintsha ulwazi ikheli le-IP iphakethe, it has libangele imiphumela engathi sina izinga uxhumano lwe-inthanethi, futhi kudinga ukulalelisisa umniningwane ekwenzeni lokho okuhleliwe.

Izindlela Ukusebenzisa NAT ihluke nomunye ekuziphatheni kwazo ikakhulukazi ezimweni ezahlukene ezihilela umthelela kwenethiwekhi.

Basic NAT

Uhlobo olula Network Ikheli Translation (Nat) inikeza ukusakaza IP-amakheli "okukodwa-munye." RFC 2663 kuyinto uhlobo eyinhloko kokusakaza. Kulesi hlobo ushintsho kuphela IP-ikheli kanye checksum IP-unhlokweni. Izinhlobo ezinkulu translation ingasetshenziswa ukuxhuma ezimbili-IP amanethiwekhi zazo akuhambisani ekhuluma.

NAT - ukuthi yokuxhuma "okukodwa-abaningi"?

izinhlobonhlobo Iningi NAT singafaka kumephu Sebawoti yangasese amaningi olulodwa esiqokiwe esidlangalaleni IP-ikheli. Encwadini ukumisa ejwayelekile, inethiwekhi yendawo elisebenzisa owodwa wale okhethiwe "yangasese» IP-subnet amakheli (RFC 1918). I-router ngalolo inethiwekhi has a ikheli yangasese lesi sikhala.

I-router futhi ixhuma ku-intanethi usebenzisa amakheli "umphakathi" enikezwe i-ISP yakho. Njengoba traffic Idlula inethiwekhi yendawo ekhelini Inthanethi umthombo ephaketheni ngalinye lihunyushwe epheshaneni kusukela amakheli yangasese emphakathini. I-router ilandelela idatha eziyisisekelo mayelana uxhumano ngamunye asebenzayo (ikakhulukazi ikheli ukuphela kanye ne-port). Lapho impendulo ebuyela kuye, isebenzisa lwedatha ukuthi lilondolozwe ngesikhathi sesigaba aphumayo ukucacisa ikheli yangasese inethiwekhi yangaphakathi lapho ukuthumela impendulo.

Enye inzuzo kulo msebenzi wukuthi siwulimi ikhambi ukukhathala olusondelayo IPv4 isikhala ikheli. Ngisho amanethiwekhi ezinkulu kungenziwa exhunywe kwi-Inthanethi ngokusebenzisa omunye IP-ikheli.

Zonke amaphakethe datagram kumanethiwekhi IP ezisekelwe 2 IP-ikheli - omthombo nesiphetho. Ngokuvamile, amaphakethe esisuka senethiwekhi ezimele kunethiwekhi yomphakathi, kuzodingeka ikheli umthombo amaphakethe, ukushintsha ngesikhathi Ukuqeda inethiwekhi umphakathi emuva yangasese. Okuningi ukucupha eziyinkimbinkimbi futhi zingenzeka.

Izici

NAT umsebenzi angase abe ezinye izici ezikhethekile. Ukuze ugweme nobunzima indlela ukuhumusha amaphakheji wabuya zidinga ukulungiswa kwabo okwengeziwe. Iningi traffic Inthanethi udabula yezifiso TCP kanye UDP, kanye ne-port izinombolo baguqulelwa ukuze inhlanganisela IP-ikheli kanye nenombolo ye-port ohlangothini reverse iqala ukuba idatha kumephu.

Izivumelwano ukuthi azisekelwe TCP noma UDP, zidinga izindlela ezahlukene wokuhumusha. Control Umlayezo lePhrothokholi ye-Inthanethi (ICMP), njengoba umthetho, correlates idatha ngocansi nge uxhumano ekhona. Lokhu kusho ukuthi kufanele kusetshenziswa efanayo IP-ikheli kanye nenombolo setha ekuqaleni.

Yini okufanele mina cabanga?

Ilungiselela NAT kwi-router akukuniki kuye kungenzeka ukuxhumana "kusukela komunye umkhawulo kuya ekupheleni." Ngakho-ke, lezi imizila awukwazi ukubamba iqhaza kwezinye yezifiso Inthanethi. Amasevisi zidinga emizameni yokuthuthukisa TCP-uxhumano inethiwekhi yangaphandle noma abasebenzisi ngaphandle yezifiso kungenzeka zingatholakali. Uma router NAT ayenzi ababengaboshiwe benza umzamo omkhulu ukusekela yezifiso ezinjalo, amaphakethe engenayo awukwazi sifinyelele lapho siphokophele khona kwabo. Ezinye yezifiso angazamukela enguqulweni ngayinye phakathi iqhaza Sebawoti ( "Imodi yokwenziwa» FTP, isibonelo), ngezinye izikhathi ngosizo isicelo esangweni, kodwa uxhumano Kumiswa lapho kokubili izinhlelo abahlukene-Inthanethi usebenzisa i-NAT. Ukusebenzisa NAT futhi nzima ezifana "mhubhe" yezifiso, ezifana IPsec, ngoba kushintsha amagugu enhlokweni, okuyinto uxhumana ubuqotho isicelo isibuyekezo.

Inkinga yamanje

Compound "kusukela komunye umkhawulo kuya komunye" iyona Isimiso esiyisisekelo kwi-Inthanethi, ekhona kusukela ukuthuthukiswa yayo. Isimo samanje inethiwekhi ebonisa ukuthi NAT kungukuphula zokusebenzisa lesi simiso. Ochwepheshe kukhona ukukhathazeka ngempela ukusetshenziswa kabanzi IPv6-ikheli inethiwekhi translation, futhi uvusa inkinga kanjani ukuqeda ngokuphumelelayo.

Ngenxa yesimo esikhashana amathebula stateful ukusakaza imizila Nat, amadivayisi kunethiwekhi yangaphakathi ulahlekelwe IP uxhumano, njengoba umthetho, kufanele kudliwe ngokushesha kakhulu isikhathi. Ngaphandle kweqiniso lokuthi NAT anjalo esikhathini router, ungakwazi ungakhohlwa leli qiniso. Lokhu kunciphisa kakhulu isikhathi yokusebenza amadivayisi compact ukuthi usebenza amabhethri nama-accumulator.

scalability

Ngaphezu kwalokho, uma usebenzisa NAT zilandelwa emachwebeni ukuthi kungenziwa ngokushesha mpilo izicelo yangaphakathi usebenzisa uxhumano kanyekanye amaningi (isibonelo, i-HTTP-izicelo amakhasi ewebhu nge inani elikhulu lezinto esishunyekiwe). Le nkinga kungenziwa mitigated by ukuqapha uya khona-IP ikheli ngaphezu port (Ngakho omunye port wendawo lihlukaniswe Sebawoti kude ngaphezulu).

obuthile

Njengoba wonke amakheli zangaphakathi ibonakale sengathi umphakathi, Sebawoti zangaphandle, kusuka kube nzima ukuqalisa uxhumano engeyokuqala ethize yangaphakathi ngaphandle ukucushwa okhethekileko firewall (okuyinto ukuqondisa kabusha ukuxhumana port ethize). Izicelo ezifana ne-IP wefoni, video umhlangano, futhi lawo masevisi kumele usebenzise amasu ukudlula kuhlelo NAT ukuze isebenze kahle.

Ukubuya ikheli kanye translation port (cwaka) evumela zebandla, real-IP ikheli lapho kuyahlukahluka ngezikhathi ezithile, ukuhlala etholakalayo njengoba iseva nge ezihleliwe IP-ikheli inethiwekhi ekhaya. Ngomqondo onabile, kufanele uvumele setting up amaseva ukulondoloza uxhumano. Naphezu kweqiniso lokuthi kule akusona isixazululo esiphelele inkinga, kungaba omunye ithuluzi eliwusizo ku arsenal of the nomlawuli wenethiwekhi ukuxazulula inkinga, indlela yokumisa NAT kwi-router.

Port Ikheli Translation (PAT)

Cisco cwaka ukusetshenziswa Port Ikheli Translation (PAT), elibonisa eziningana yangasese IP-ikheli njengoba omunye emphakathini. Amakheli amaningi ingaboniswa njengoba ikheli, ngoba ngamunye wabo kuyaqashwa ngenani port. Pat isebenzisa esiyingqayizivele umthombo port izinombolo ngaphakathi IP global, ukuhlukanisa isiqondiso ukudluliswa kwedatha. Lezi zinombolo-16-bit integers. Ubude amakheli zangaphakathi ezingaba lihunyushelwe eyodwa yangaphandle, ungakwazi kwakuthiwa ukufinyelela 65536. Inani eliqondile izimbobo lapho IP-ikheli elilodwa angabelwa, imayelana 4000. Ngokuvamile, PAT uzama ukulondoloza port umthombo "yoqobo". Uma isivele iyasebenza, Port Ikheli Translation ekwabela Inombolo yokuqala etholakalayo port kusukela ekuqaleni amaqembu abafanele - 0-511, 512-1023, noma 1024-65535. Lapho kungekho nezimbobo ibekhona futhi kukhona angaphezu kwelilodwa zangaphandle IP-ikheli, uhamba PAT elandelayo ukuzama ukuhlonza port umthombo. Le nqubo iyaqhubeka kuze kube yilapho azikho idatha atholakalayo.

Ibonisa amakheli kanye ne-port Cisco waqalisa inkonzo ehlanganisa amaphakethe idatha translation mhubhe IPv6 ikheli port phezu IPv4 intranet. Empeleni, enye lolungakahleleki CarrierGrade NAT futhi DS-Lite, olusekela le-IP-ikheli translation / port (futhi, ngakho-ke, asekelwe ukulungiselelwa Nat). Ngakho, it ugwema izinkinga ukufakwa kanye nokugcinwa uxhumano, futhi inikeza ushintsho indlela i-IPv6 ukuthunyelwa.

zokuhumusha

Kunezindlela eziningana ukusebenzisa ukuhunyushwa ikheli inethiwekhi kanye ne-port. Kwezinye izicelo, Izivumelwano zokusebenza ukusebenzisa ukusebenza IP amakheli, ezisebenza inethiwekhi ngekhodi, kumele ichaze ikheli zangaphandle NAT (esisetshenziselwa ngesikhathi komunye umkhawulo uxhumano), futhi, ngaphezu kwalokho, ngokuvamile kudingeka sitadishe futhi ahlukanisa uhlobo yokudlulisela. Ngokuvamile lokhu kwenziwa ngenxa kuyatuseka ukusungula wokuxhumana ngqo (noma ugcine ukudluliswa ungaphazanyiswa idatha ngokusebenzisa iseva noma ukuthuthukisa ukusebenza) phakathi amaklayenti ezimbili, kokubili okumane ka NAT ngabanye.

Ngenxa yale njongo, (indlela yokumisa Nat) ngo-2003 ithuthukiswe ekhethekile olandelwayo RFC 3489 ukudlula kuhlelo Simple UDP alunikeza nat. Namuhla-ke akusebenzi, ngoba lezi izindlela namuhla kukhona enganele ukuhlola kahle umsebenzi kumadivayisi amaningi. izindlela ezintsha eziye elivamile-RFC 5389 olandelwayo, olwakhiwa ngo-Okthoba 2008. Lokhu esifakiwe manje eyaziwa ngokuthi SessionTraversal futhi kuyinto Umbuso indawo ye-NAT.

Ukudala zokuxhumana ezimbili-ndlela

iphakethe ngasinye siqukethe TCP kanye UDP IP-umthombo ikheli kanye nenombolo ye-port, kanye izixhumanisi echwebeni uya khona.

Ngokuba abanjalo nezinsiza zomphakathi njengoba obusebenzayo-e-mail amaseva, inombolo port kubalulekile. Ngokwesibonelo, port 80 ixhunywe isofthiwe, web server, futhi 25 - kuya Iseva ye-SMTP imeyli. IP-ikheli seseva umphakathi nakho kubalulekile, efana ikheli leposi noma inombolo yocingo. Zombili lezi nemingcele kufanele kube evumelana aziwayo bonke ISIZINDA ukuthi bayahamba ukuxhuma.

Private IP amakheli anencazelo kuphela amanethiwekhi wendawo, lapho isetshenziswa basuke, kanye aphethe nezimbobo. Izimbobo kukhona ekupheleni esiyingqayizivele iphuzu uxhumano ku umninikhaya, ngakho uxhumano ngokusebenzisa NAT osekelwa elihlangene port lokuhlela kanye ne-IP amakheli.

Pat (Port AddressTranslation) kuxazululwa izingxabano ezingase zibe khona phakathi Sebawoti ezimbili ezihlukene usebenzisa inani elifanayo umthombo port ukusungula uxhumano eliyingqayizivele ngesikhathi esifanayo.