
This time I put the summary in the first paragraph, because this post touches a fairly wide range of topics; read on if you are interested. If you are new to network administration you should read it all the more carefully, because it will affect how IPv6 gets integrated into your business later on.

The reported problem: while playing an online game, player A reports that after creating a room, player B and the other players cannot join it, yet player A can join the other players' rooms.

One solution: player A must give the computer a public IP address, for example via PPPoE or a VPN. Once player A opens a room that way, the other players can join it without trouble.

 

When IP was being defined, the world population was about 4 billion, so the IP address length was set to 32 bits, giving roughly 4.29 billion addresses; at the time it was believed that every person in the world could be given one.

IP networks then grew rapidly and addresses gradually ran short, which gave rise to NAT. Note that NAT was designed entirely with clients in mind: it was purely a workaround for the IPv4 address shortage, and port forwarding was only added afterwards.

Let us first clarify a few important concepts...

Q1: Can a computer or router tell whether the address configured on it is a public IP or a private IP?

A1: Neither can. Public versus private is a human definition; a router simply connects two or more different network segments. If the router is configured for NAT, there is a distinction between NAT inside and NAT outside, commonly called the internal network (LAN side) and the external network (WAN side).

Q2: Can several NAT networks be deployed and chained together? Does that affect the network domain?

A2: Yes, for example by cascading home routers; if only client-side access is needed, there is no effect on the domain. Router C's outside is router B's inside, and B's outside is in turn A's inside: a chained network. A domain can be large or small, as large as a continent or a country, as small as a single host, a network card or an application. What never changes is that, seen from the outside, a NAT router is just a host rather than a router; the outside network knows nothing about the world behind the NAT. Only when something behind the NAT needs to act as a server is port forwarding configured on the NAT router.
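To make the "outside sees only one host" point concrete, here is an added example (not code from the original post) of a minimal stateful NAT/NAPT table: outbound traffic creates a mapping, return traffic is matched against it, and an unsolicited inbound connection (another player trying to join A's room) is dropped unless a port-forwarding rule exists. All addresses and ports are constructed from documentation ranges.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # router's WAN address (constructed, documentation range)

@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    # (inside_ip, inside_port) -> public port; created by outbound traffic only
    outbound: dict = field(default_factory=dict)
    # public port -> (inside_ip, inside_port); reverse map for return traffic
    inbound: dict = field(default_factory=dict)
    # static port forwarding: public port -> (inside_ip, inside_port)
    forwards: dict = field(default_factory=dict)

    def send_out(self, src_ip, src_port, dst_ip, dst_port):
        """Outbound packet: allocate a public port on first use, return the rewritten source."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port      # many inside hosts share one public IP
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound[key])

    def receive_in(self, src_ip, src_port, dst_port):
        """Inbound packet to the WAN address: deliver only if a forward or a mapping matches."""
        if dst_port in self.forwards:
            return self.forwards[dst_port]
        if dst_port in self.inbound:
            return self.inbound[dst_port]
        return None   # no state for this port: dropped, the outside only sees one host

    def add_forward(self, public_port, inside_ip, inside_port):
        """Static rule so a server behind the NAT is reachable from outside."""
        self.forwards[public_port] = (inside_ip, inside_port)

def demo():
    nat = NatRouter(PUBLIC_IP)
    # Player A (192.168.1.20) joins B's room at 198.51.100.5:27015: A initiates,
    # a mapping is created, and B's reply to the public port is delivered.
    pub = nat.send_out("192.168.1.20", 27015, "198.51.100.5", 27015)
    reply = nat.receive_in("198.51.100.5", 27015, pub[1])
    # Player B tries to join A's room on 27015: nothing inside initiated traffic, so it is dropped.
    blocked = nat.receive_in("198.51.100.7", 5000, 27015)
    # After port forwarding is configured on the router, the same packet is delivered.
    nat.add_forward(27015, "192.168.1.20", 27015)
    allowed = nat.receive_in("198.51.100.7", 5000, 27015)
    return pub, reply, blocked, allowed
```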

Q3: Can a VPN pass through a NAT router?

A3: Not necessarily; it depends on the router's specifications (most can, a feature called ALG). But a VPN easily makes the router busier. A typical VPN is a GRE+IPsec combination, and once the VPN connection is established, the return packets for the client's traffic (that is, traffic coming back from the VPN server) must be decrypted and re-encrypted at the router before reaching the client computer, rather than going straight to the client computer for decryption, because from the outside the router is just one host; after all, the VPN still depends on the physical link.

Q4: My Internet access is simple, just a private IP, no VPN and no PPPoE, yet I never or rarely hit the game problem described in the title.

A4: The game vendor did a better job designing for this.

Q5: I bought 60 / 20 M of bandwidth from my ISP, yet when playing online games or transferring large files to other cloud services I do not reach that rate, perhaps only 14 / 6 M. Is something being skimmed off?

A5: The bandwidth bought from the ISP refers to the rate on the segment from the customer to the ISP; the rate from the ISP onward to other cloud services is affected by the downstream nodes.

Q6: My computer gets its IP via DHCP and goes out through the router's NAT. In this common setup, large-file transfers to the cloud top out at 7 / 3 M; if the host instead dials out with PPPoE, the ceiling rises to 14 / 6 M. Why?

A6: Many factors affect speed. Assuming everything else is equal: Ethernet is the most common technology today, and Ethernet is a broadcast network, whereas PPP is a point-to-point network. The main difference is that a broadcast network shares the medium while a point-to-point network does not. The same reasoning explains why only broadcast networks need ARP to build the IP-to-MAC mapping table; a point-to-point network needs no ARP and no L2 address, it simply sends the packet straight out.

 

When handling NAT inside and outside, TCP can perhaps be controlled flexibly, but UDP is hard, because UDP is a stateless protocol.

Having written this far I cannot help scolding someone. Wikipedia describes NAT's drawbacks as follows: "...some people therefore consider NAT to be a violation of the public Internet. Some Internet service providers (ISPs) give their customers only local IP addresses, so the customers must go through NAT to reach services outside the ISP's network, and whether such companies can really be said to be providing Internet service has also been debated..."

I am somewhat unhappy with that passage. The IP standard was set by an international body, and NAT was likewise approved and standardized by an international body; defining IP is not the ISPs' job, and addresses are allocated down through the layers of the various registries.

Internet service covers a very wide range; whether one enjoys Internet service should not be judged by having a public IP. A computer can tell whether a value is well-formed, e.g. 192.168.1.1 is valid and 192.256.abc.00001111 is not, but it cannot tell whether 192.168.1.1 is a public IP.

The concrete benefit of a network service lies in the application layer, not the lower layers; the lower layers are only the preconditions for the service. If I go to Taipei for a concert, I have the high-speed rail, the MRT, buses and other transport. Take the HSR and the HSR has served me; take the MRT and the MRT has served me; but without a ticket, you get in with one and are thrown out without one, so who cares whether I walked Zhongshan Road or Zhongzheng Road, or took the HSR or the MRT? Routing and switching let routers learn paths, this road reachable, that one not; what seriously damages the network is applications such as computer viruses. This actually shows an advantage of NAT: when malicious traffic arrives from outside, the router is just one host, so the world behind the NAT (your computer) is not attacked directly.
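An added example (not from the original post) of the distinction made above: a program can check that the two strings are well-formed IPv4 addresses, but "private" is only the RFC 1918 convention that the program has to be told about; the address bits themselves carry no such label. The RFC 1918 list is written out explicitly rather than taken from a library flag to make that point visible; 203.0.113.5 is a constructed sample.

```python
import ipaddress

# RFC 1918 private ranges: a human-defined list, not a property of the bits.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def classify(text: str) -> str:
    """Return 'invalid', 'not IPv4', 'private (RFC 1918)' or 'public by convention'."""
    try:
        addr = ipaddress.ip_address(text)   # syntax check: every octet must be 0..255
    except ValueError:
        return "invalid"
    if addr.version != 4:
        return "not IPv4"
    # Only the convention decides; the parser above could not tell on its own.
    if any(addr in net for net in RFC1918_RANGES):
        return "private (RFC 1918)"
    return "public by convention"

# The two strings from the post plus one constructed address outside RFC 1918.
SAMPLES = ["192.168.1.1", "192.256.abc.00001111", "203.0.113.5"]

def classify_all(samples=SAMPLES) -> dict:
    return {s: classify(s) for s in samples}
```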

 

Given that NAT has this problem, what about adopting IPv6, which needs no NAT? You can try disabling TCP/IPv4 and enabling TCP/IPv6 (the default). Most network applications will probably stop working, yet you can still browse google, youtube and facebook. That means the browsing goes over the IPv6 network, while the applications that stopped working were developed on top of IPv4.

Note that introducing IPv6 is not a purely network matter, and migrating from IPv4 to IPv6 is a long-term project. Even on a dual-stack network, i.e. one where IPv4 and v6 coexist, applications for IPv6 still have to be redeveloped and then maintained.

Moving a business to IPv6 goes through the following stages:

(1) Evaluate the impact of moving the business to IPv6

(2) Set up a business IPv6 project management team

(3) Define the business IPv6 architecture and strategy

(4) Assess the business IPv6 work in modules, e.g. network, systems, applications.

(5) Draw up a schedule and a cost or procurement list.

(6) Carry out IPv6 address management and network security planning

(7) Carry out testing and acceptance.

(8) If (7) goes well, train employees and customers on the business's move to IPv6.

The SOP above is drawn from Cisco's solution for helping customers migrate to IPv6. Cisco has also proposed a technique to simplify IPv6 management, called the Locator/ID Separation Protocol (LISP); LISP can automatically set up and maintain IPv6 networking over IPv4 tunnels.

 

In fact, before talking about LISP one should talk about NAT64 first. Note: IPv6 has no distinction between public and private IPv6 addresses. NAT64 is a translation technique between IPv4 and IPv6, conceptually similar to a private IP being translated to a public IP for Internet access. NAT64 is usually implemented in one of two ways, stateful NAT64 or stateless NAT64; there are many differences between them, but in my view the biggest is that the former is a one-to-many translation while the latter is one-to-one.

Back to the topic: migrating to or coexisting with IPv6 is a complex undertaking. Decades have passed since the IPv6 specification was defined, and as of today (2018) IPv4 is still mainstream, because IPv6 has yet to offer any advantage that beats IPv4 outright. Incidentally, SLAAC (StateLess Address Auto Configuration) is one of the features of stateful NAT64; the headache is that SLAAC does not support DNS and must be combined with DHCPv6 to do so.

Back then we believed that introducing NAT was a transitional phase for IPv4, just as the introductory textbooks on computing and networking said. Looking at today's networks, however, NAT is not a transitional solution; more precisely, IPv4 is for people and IPv6 is for things.
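The one-to-one versus one-to-many distinction drawn above, as an added example (not code from the original post): stateless NAT64 embeds the 32 IPv4 bits in an IPv6 address under the well-known prefix 64:ff9b::/96 defined in RFC 6052, a reversible mapping with no table; stateful NAT64 keeps per-flow state so many IPv6 clients share a single IPv4 address. The shared IPv4 address and client addresses are constructed from documentation ranges.

```python
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052 well-known NAT64 prefix

def v4_to_v6(v4: str) -> str:
    """Stateless NAT64: place the IPv4 bits in the low 32 bits under the /96 prefix."""
    v4_int = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(int(WKP.network_address) | v4_int))

def v6_to_v4(v6: str) -> str:
    """Stateless reverse: recover the IPv4 address, or raise if not under the prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in WKP:
        raise ValueError(f"{v6} is not an IPv4-embedded address under {WKP}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))

class StatefulNat64:
    """Stateful NAT64: many IPv6 sources share one IPv4 address, one table entry per flow."""
    def __init__(self, shared_v4: str, first_port: int = 40000):
        self.shared_v4 = shared_v4
        self.next_port = first_port
        self.table = {}   # (v6_src, v6_port) -> (shared_v4, v4_port)

    def translate(self, v6_src: str, v6_port: int):
        key = (v6_src, v6_port)
        if key not in self.table:          # first packet of a flow creates state
            self.table[key] = (self.shared_v4, self.next_port)
            self.next_port += 1
        return self.table[key]
```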



Posted by Chin on PIXNET.