   Private.com perform a reverse name lookup on 171.68.10.1, which is
   host X's global address. Following is a sequence of events.

   1. Host A sends a UDP based inverse name lookup query (PTR record)
      for "1.10.68.171.IN-ADDR.ARPA." to its local DNS server.

   2. Local DNS server sends the query to the root server enroute NAT.
      As before, NAT would change the IP and UDP headers to reflect DNS
      server's statically assigned external address.  DNS_ALG will make
      no changes to the payload.

   3. The root server, in turn, refers the local DNS server to query the
      DNS server for External.com. This referral transits the NAT
      enroute to the local DNS server.  NAT would simply translate the
      IP and UDP headers of the incoming packet to reflect DNS server's
      private address. No changes to the payload by DNS_ALG.

   4. Private.com DNS server will now send the query to the DNS server
      for external.com, once again, enroute NAT. Just as with the query
      to root, the NAT router would change the IP and UDP headers to
      reflect the DNS server's statically assigned external address.
      And, DNS_ALG will make no changes to the payload.

Srisuresh, et al.            Informational                     [Page 17]

RFC 2694                 DNS extensions to NAT            September 1999

   5. The DNS server for external.com replies with the host name of
      "X.External.Com.". This reply also transits the NAT. NAT would
      translate the IP and UDP headers of the incoming packet to reflect
      DNS server's private address. Once again, no changes to the
      payload by DNS_ALG.

   6. The DNS server in Private.com replies to host A.

   Note, DNS_ALG does not change the payload in either direction.

5.3. Incoming Name-lookup queries

   This time, host X in external.com wishes to initiate a session with
   host A in Private.com. Below is the sequence of events that take
   place.

   1. Host X sends a UDP based name lookup query (A record) for
      "A.Private.com" to its local DNS server.

   2. Local DNS server in External.com sends the query to root server.

   3. The root server, in turn, refers the DNS server in External.com to
      query the DNS server for private.com.

   4. External.com DNS server will now send the query to the DNS server
      for Private.com. This query traverses the NAT router. NAT would
      change the IP and UDP headers of the packet to reflect the DNS
      server's private address. DNS_ALG will make no changes to the
      payload.

   5. The DNS server for Private.com replies with the IP address
      172.19.1.10 for host A.  This reply also transits the NAT. NAT
      would translate the IP and UDP headers of the outgoing packet from
      the DNS server.

      DNS_ALG will request NAT to (a) setup a temporary binding for Host
      A (172.19.1.10) with an external address and (b) initiate Bind-
      holdout timer. When NAT successfully sets up a temporary binding
      with an external address (say, 131.108.1.12), DNS_ALG would modify
      the payload to replace A's private address with its external
      assigned address and set the Cache timeout to 0.

   6. The server in External.com replies to host X.

   When Host X finds the address of Host A, X initiates a session with
   A, using a destination IP address of 131.108.1.12. This datagram and
   any others that follow in this session will be translated as usual by
   the NAT.

   Note, DNS_ALG changes only the response packets from the DNS server
   for Private domain.

5.4. Reverse name lookups originated from external domain

   This scenario builds on the previous case (section 5.3) by having
   host X in External.com perform a reverse name lookup on 131.108.1.12,
   which is host A's assigned external address. The following sequence
   of events takes place.

   1. Host X sends a UDP based inverse name lookup query (PTR record)
      for "12.1.108.131.IN-ADDR.ARPA." to its local DNS server.

   2. Local DNS server in External.com sends the query to the root
      server.

   3. The root server, in turn, refers the local DNS server to query the
      DNS server for Private.com.

   4. External.com DNS server will now send the query to the DNS server
      for Private.com. This query traverses the NAT router. NAT would
      change the IP and UDP headers to reflect the DNS server's private
      address.

      DNS_ALG will enquire NAT for the private address associated with
      the external address of 131.108.1.12 and modify the payload,
      replacing 131.108.1.12 with the private address of 172.19.1.10.

   5. The DNS server for Private.com replies with the host name of
      "A.Private.Com.". This reply also transits the NAT. NAT would
      translate the IP and UDP headers of the incoming packet to reflect
      DNS server's private address.

      Once again, DNS_ALG will enquire NAT for the assigned external
      address associated with the private address of 172.19.1.10 and
      modify the payload, replacing 172.19.1.10 with the assigned
      external address of 131.108.1.12.

   6. The DNS server in External.com replies to host X.

   Note, DNS_ALG changes the query as well as response packets from DNS
   server for Private domain.

6. Illustration of DNS_ALG in conjunction with Twice-NAT

   The following diagram illustrates the operation of DNS_ALG in a Twice
   NAT router. As before, we will illustrate by walking through how name
   lookup and reverse name lookup queries are processed.

                                             .
                         ________________    .     External.com
                        (                )   .
                       (                  )  .   +-------------+
            +--+      (      Internet      )-.---|Border Router|
            |__|------ (                  )  .   +-------------+
           /____\       (________________)   .          |
            Root                 |           .          |
         DNS Server              |           .     ---------------
                         +---------------+   .       |         |
                         |Provider Router|   .     +--+       +--+
                         +---------------+   .     |__|       |__|
                                 |           .    /____\     /____\
                                 |           .  DNS Server   Host X
       External domain           |           .  171.68.1.1  171.68.10.1
     ............................|...............................
       Private domain            |
                                 |        Private.com
                                 |
                +-------------------------------------------+
                | Twice-NAT router with DNS_ALG             |
                |                                           |
                | Private addresses:  171.68/16             |
                | Assigned External addresses: 131.108.1/24 |
                |                                           |
                | External addresses:  171.68/16            |
                | Assigned Private addresses: 10/8          |
                +-------------------------------------------+
                              |      |
                      ----------    ----------
                        |                  |    DNS Server
                       +--+               +--+  Authoritative
                       |__|               |__|  for private.com
                      /____\             /____\
                      Host A           DNS Server
                   171.68.1.10        171.68.2.1
                                      (Mapped to 131.108.1.8)

    Figure 4: DNS-ALG operation in Twice-NAT setup

   In this scenario, hosts in private.com were not numbered from the RFC
   1918 reserved 172.19/16 space, but rather were numbered with the
   globally-routable 171.68/16 network, the same as external.com.  Not
   only does private.com need translation service for its own host
   addresses, but it also needs translation service if any of those
   hosts are to be able to exchange datagrams with hosts in
   external.com. Twice-NAT accommodates the transition by translating
   the overlapping address space used in external.com with a unique
   address block (10/8) from RFC 1918 address space. Routes are set up
   within the private domain to direct datagrams destined for the
   address block 10/8 through Twice-NAT device to the external global
   network space.

   Simplifications and assumptions made in section 5.0 will be valid
   here as well.

6.1. Outgoing Name-lookup queries

   Say, Host A in private.com needs to perform a name lookup for host X
   in external.com (host X has a FQDN of X.external.com), to find its
   address.  This would proceed as follows.

   1. Host A sends a UDP based name lookup query (A record) for
      "X.External.Com" to its local DNS server.

   2. Local DNS server sends the query to the root server enroute NAT.
      NAT would change the IP and UDP headers to reflect DNS server's
      statically assigned external address.  DNS_ALG will make no
      changes to the payload.

   3. The root server, in turn, refers the local DNS server to query the
      DNS server for External.com. This referral transits the NAT
      enroute to the local DNS server.  NAT would simply translate the
      IP and UDP headers of the incoming packet to reflect DNS server's
      private address.

      DNS_ALG will request NAT for an assigned private address for the
      referral server and replace the external address with its assigned
      private address in the payload.

   4. Private.com DNS server will now send the query to the DNS server
      for external.com, using its assigned private address, via NAT.
      This time, NAT would change the IP and UDP headers to reflect the
      External addresses of the DNS servers. I.e., Private.com DNS
      server's IP address is changed to its assigned external address
      and External.Com DNS server's assigned Private address is changed
      to its external address.

      DNS_ALG will make no changes to the payload.

   5. The DNS server for external.com replies with the IP address
      171.68.10.1.  This reply also transits the NAT. NAT would once
      again translate the IP and UDP headers of the incoming packet to
      reflect the private addresses of the DNS servers.  I.e.,
      Private.com DNS server's IP address is changed to its private
      address and External.Com DNS server's external address is changed
      to its assigned Private address.

      DNS_ALG will request NAT to (a) set up a temporary binding for
      Host X (171.68.10.1) with a private address and (b) initiate
      Bind-holdout timer. When NAT successfully sets up temporary
      binding with a private address (say, 10.0.0.254), DNS_ALG would
      modify the payload to replace X's external address with its
      assigned private address and set the Cache timeout to 0.

   6. The DNS server in Private.com replies to host A.

   When Host A finds the address of Host X, A initiates a session with
   host X, using a destination IP address of 10.0.0.254. This datagram
   and any others that follow in this session will be translated as
   usual by Twice NAT.

   Note, the DNS_ALG has had to change payload in both directions.

6.2. Reverse name lookups originated from private domain

   This scenario builds on the previous case by having host A in
   Private.com perform a reverse name lookup on 10.0.0.254, which is
   host X's assigned private address. Following is a sequence of events.

   1. Host A sends a UDP based inverse name lookup query (PTR record)
      for "254.0.0.10.IN-ADDR.ARPA." to its local DNS server.

   2. Local DNS server sends the query to the root server enroute NAT.
      As before, NAT would change the IP and UDP headers to reflect DNS
      server's statically assigned external address.

      DNS_ALG will translate the private assigned address 10.0.0.254
      with its external address 171.68.10.1.

   3. The root server, in turn, refers the local DNS server to query the
      DNS server for External.com. This referral transits the NAT
      enroute to the local DNS server.  NAT would simply translate the
      IP and UDP headers of the incoming packet to reflect DNS server's
      private address.

      As with the original query, DNS_ALG will translate the private
      assigned address 10.0.0.254 with its external address 171.68.10.1.
      In addition, DNS_ALG will replace the external address of the
      referral server (i.e., the DNS server for External.com) with its
      assigned private address in the payload.
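
   The payload change in step 5 of section 5.3, worked on DNS wire
   format as an added example that is not part of RFC 2694 or of any
   NAT implementation. The names Nat, skip_name, alg_rewrite_response
   and sample_response and the two-address pool are assumptions made
   for illustration, and the Bind-holdout timer is not modelled.

```python
import ipaddress
import struct

class Nat:
    """Toy binding table (hypothetical stand-in for NAT state); bindings are reused."""
    def __init__(self, free_external):
        self.free = list(free_external)         # unassigned external addresses
        self.bindings = {}                      # private -> assigned external
    def temp_binding(self, private):
        if private not in self.bindings:
            self.bindings[private] = self.free.pop(0)
        return self.bindings[private]

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                    # compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:                              # root label ends the name
            return off

def alg_rewrite_response(msg, nat, private_net):
    """Replace A-record addresses inside private_net and zero their TTL."""
    net = ipaddress.ip_network(private_net)
    out = bytearray(msg)
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12                                    # fixed DNS header length
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = off + 10
        if (rtype, rclass, rdlen) == (1, 1, 4): # type A, class IN
            addr = ipaddress.ip_address(msg[rdata:rdata + 4])
            if addr in net:
                ext = ipaddress.ip_address(nat.temp_binding(str(addr)))
                struct.pack_into("!I", out, off + 4, 0)    # Cache timeout := 0
                out[rdata:rdata + 4] = ext.packed
        off = rdata + rdlen
    return bytes(out)

def sample_response():
    # Constructed reply: A.Private.com -> 172.19.1.10 with TTL 3600.
    head = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0)
    question = b"\x01A\x07Private\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
    return head + question + answer + bytes([172, 19, 1, 10])
```

   The A-record rewrite preserves message length, so compression
   pointers stay valid. A truncated or malformed message raises
   IndexError or struct.error, which the caller has to handle.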
