For how long does a router keep records in the NAT, and can they be reused to forward requests from other hosts?


Question

There is an answer explaining in simple terms how a router works translating requests from the local network to outside and back (https://superuser.com/questions/105838/how-does-router-know-where-to-forward-packet). What is not clear is for how long a record in the NAT is kept.

For example, if I send a UDP request to 25.34.11.56:3874 and my local endpoint is 192.168.1.21:54389, the router rewrites the request packet and adds a record to the NAT. Let's say the external endpoint will be 68.55.32.89:34535. Then the computer which received my request responds to 68.55.32.89:34535 and the packet is forwarded to the local 192.168.1.21:54389 in accordance with the NAT record. What happens to the record after that?

What if 25.34.11.56:3874 decides to send a request to my external endpoint 68.55.32.89:34535 after 10 or 100 minutes? Will it still be forwarded by the router to 192.168.1.21:54389?

Let's say there is another remote computer with the endpoint 55.43.77.98:8765. What will happen if this computer sends a request to my external endpoint 68.55.32.89:34535? Will it be forwarded to the local 192.168.1.21:54389, or will it be filtered out by the router because the remote endpoint does not match 25.34.11.56:3874, which was initially used for the first request and for the NAT record?

Answer

It depends.

According to Section 4.3 of RFC 4787, the UDP timeout of a NAT should not be smaller than 2 minutes (120 seconds), except for selected, well-known ports. In practice, however, routers tend to use smaller timeouts. For example, OpenWRT 14.07 uses a timeout of just 60 seconds.

For TCP, the timeouts can be much larger, since TCP connections are usually terminated by an explicit FIN/FIN-ACK exchange. For established TCP connections, Section 5 of RFC 5382 specifies a timeout of no less than 2 hours 4 minutes (7204 seconds), and OpenWRT uses 7440 seconds.

Concerning your second question, most NATs maintain mappings that are specific to a pair of endpoints (socket addresses). If a host A inside the NAT sends a datagram to socket address B, then the mapping will only apply to communication between A and B — a different host C outside the NAT will not be able to use that particular mapping to send data to A. (Some so-called full cone NATs allow that, but they are fairly rare.)
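As an added illustration, not part of the original answer, the following Python toy NAT models the behaviour the answer describes: a mapping is created by an outbound datagram, it is only valid for the remote endpoint it was created for (unless the NAT is "full cone"), and it disappears once the UDP idle timeout elapses. The addresses and ports are the ones from the question; the class and function names are my own; the choice that only outbound traffic refreshes the timer is an assumption (RFC 4787 requires outbound refresh and leaves inbound refresh optional), as is the port-allocation scheme.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

# Timeouts in seconds, taken from the answer above.
UDP_TIMEOUT_RFC4787 = 120          # RFC 4787 sec. 4.3 minimum for UDP
UDP_TIMEOUT_OPENWRT = 60           # OpenWRT 14.07 default
TCP_ESTABLISHED_TIMEOUT_RFC5382 = 7204  # RFC 5382 sec. 5 minimum, established TCP


@dataclass
class Mapping:
    internal: Endpoint   # private socket address that opened the mapping
    remote: Endpoint     # remote socket address the mapping was created for
    external: Endpoint   # public socket address assigned by the NAT
    last_seen: float     # time of the last outbound packet (assumption: only outbound refreshes)
    timeout: int


class ToyNat:
    """Toy UDP NAT (hypothetical, for illustration only).

    Filtering is address-and-port-dependent by default: inbound packets are only
    forwarded if they come from the remote endpoint the mapping was created for.
    full_cone=True relaxes this so any remote host can use the external port.
    """

    def __init__(self, public_ip: str, udp_timeout: int,
                 full_cone: bool = False, first_port: int = 34535) -> None:
        self.public_ip = public_ip
        self.udp_timeout = udp_timeout
        self.full_cone = full_cone
        self.next_port = first_port
        self.table: Dict[Tuple[Endpoint, Endpoint], Mapping] = {}

    def _expire(self, now: float) -> None:
        """Drop every mapping whose idle timer has run out."""
        dead = [k for k, m in self.table.items() if now - m.last_seen > m.timeout]
        for k in dead:
            del self.table[k]

    def outbound(self, internal: Endpoint, remote: Endpoint, now: float) -> Endpoint:
        """Inside host sends to `remote`: create or refresh the mapping, return the external endpoint."""
        self._expire(now)
        key = (internal, remote)
        m = self.table.get(key)
        if m is None:
            # Reuse the external port already assigned to this internal endpoint, if any
            # (endpoint-independent mapping, RFC 4787 REQ-1); otherwise allocate a new one.
            ext = next((x.external for x in self.table.values() if x.internal == internal), None)
            if ext is None:
                ext = (self.public_ip, self.next_port)
                self.next_port += 1
            m = Mapping(internal, remote, ext, now, self.udp_timeout)
            self.table[key] = m
        m.last_seen = now
        return m.external

    def inbound(self, remote: Endpoint, external: Endpoint, now: float) -> Optional[Endpoint]:
        """Packet from `remote` arrives at the public endpoint `external`.

        Returns the internal endpoint it is forwarded to, or None if the NAT drops it.
        """
        self._expire(now)
        for m in self.table.values():
            if m.external != external:
                continue
            if self.full_cone or m.remote == remote:
                return m.internal
        return None


def scenario(udp_timeout: int = UDP_TIMEOUT_OPENWRT, full_cone: bool = False, delay: int = 600):
    """Replay the question's scenario; returns (external, reply, from_other_host, late_reply)."""
    nat = ToyNat("68.55.32.89", udp_timeout, full_cone)
    a = ("192.168.1.21", 54389)   # local endpoint
    b = ("25.34.11.56", 3874)     # first remote endpoint
    c = ("55.43.77.98", 8765)     # a different remote host
    ext = nat.outbound(a, b, now=0)               # A -> B creates the mapping
    reply = nat.inbound(b, ext, now=1)            # B answers straight away
    other = nat.inbound(c, ext, now=2)            # C tries the same external endpoint
    late = nat.inbound(b, ext, now=1 + delay)     # B sends again `delay` seconds later
    return ext, reply, other, late


if __name__ == "__main__":
    print("OpenWRT timeout, 10 min later:", scenario())
    print("OpenWRT timeout, 30 s later:  ", scenario(delay=30))
    print("full cone NAT:                 ", scenario(full_cone=True))
```

With the 60-second OpenWRT timeout the late packet from B after 10 minutes is dropped, while a packet 30 seconds later still reaches 192.168.1.21:54389; the packet from C is dropped in every case except the full-cone configuration. On a Linux-based router such as OpenWrt, the knobs behind these numbers are the conntrack sysctls `net.netfilter.nf_conntrack_udp_timeout` and `net.netfilter.nf_conntrack_tcp_timeout_established`.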
