
CN116137619B - Public network address prediction method and device for symmetric NAT network - Google Patents


Info

Publication number: CN116137619B
Application number: CN202310205945.6A
Authority: CN (China)
Prior art keywords: public network, address data, data, hole punching, port
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN116137619A
Inventors: 李铭豪, 梁锦华, 王攀峰, 张书阳
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)

Events
Application filed by Industrial and Commercial Bank of China Ltd (ICBC)
Priority to CN202310205945.6A
Publication of CN116137619A
Application granted
Publication of CN116137619B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/256 NAT traversal
    • H04L 61/2557 Translation policies or rules

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract


The present application provides a method and device for predicting the public network address of a symmetric NAT network, which can be used in the financial field or other fields. The method includes: receiving a first hole punching message sent by a first user terminal and a second hole punching message sent by a second user terminal; jointly establishing a hole punching equation group according to the first hole punching message, the second hole punching message, the first public network address port mapping relationship and the second public network address port mapping relationship, and solving the hole punching equation group to obtain all feasible hole punching schemes; randomly selecting a hole punching scheme, and sending the address port information required for hole punching to the first user terminal and the second user terminal according to the selected hole punching scheme. The device is used to execute the above method. The method and device for predicting the public network address of a symmetric NAT network provided by the present application realize the prediction of the public network address of the symmetric NAT network, prevent the leakage of the intranet address, and after the hole punching is completed, a third-party server is no longer required to forward, which saves costs and ensures information security.

Description

Public network address prediction method and device for symmetric NAT network
Technical Field
The application relates to the field of finance, in particular to a public network address prediction method and device of a symmetrical NAT network.
Background
In computer networks, Network Address Translation (NAT) is a technique for rewriting the source or destination IP address as IP packets pass through a router or firewall. Network address port translation (NATP) is one of the implementation strategies of NAT: when an intranet host communicates with a public network host, the NAT device converts the intranet IP address into the corresponding public network address held in its NAT table. NAT can be classified into full cone NAT, restricted cone NAT, port restricted cone NAT, and symmetric NAT.
In the prior art, intranet penetration is mainly realized in two ways: P2P hole punching and relay server forwarding. In the P2P hole punching process, as shown in fig. 1, after the user end A1 and the user end B1 have their IP addresses and ports translated to the external network through the NAT router gateway A2 and the NAT router gateway B2 respectively, a notification message is sent to the public network information exchange server C; server C forwards the public network address of user end A1 to user end B1 and the public network address of user end B1 to user end A1, so as to realize hole punching. However, in a symmetric NAT, a change in any one of the IP and port of the transmitting end and the IP and port of the receiving end may change the public network address of the transmitting end, so P2P hole punching is only suitable for the three kinds of cone NAT, and communication between symmetric NATs cannot be realized.
The forwarding process of the relay server is shown in fig. 2, wherein the relay server comprises a NAT router gateway A2 and a NAT router gateway B2, a public network relay server C is provided with a fixed IP address and a port, a user end A1 and a user end B1 actively establish stable connection channels with the public network relay server C, the stable connection channels are respectively marked as alpha and beta, and the public network relay server C realizes direct connection of the connection alpha and beta according to corresponding forwarding rules. The data packet sent to the relay server C by the user terminal A1 is forwarded to the beta and then reaches the user terminal B1, and the data packet sent to the relay server C by the user terminal B1 is forwarded to the alpha and then reaches the user terminal A1, so that the P2P data transmission is indirectly realized. However, this approach requires additional fees to be paid to the relay server, which is costly, and the transmitted content may be captured and stolen by the service provider who provides the relay server, creating information security concerns.
Disclosure of Invention
Aiming at the problems in the prior art, the application provides a method and a device for predicting the public network address of a symmetrical NAT network, which can at least partially solve the problems in the prior art.
In a first aspect, the present application provides a method for predicting public network addresses of a symmetric NAT network, including:
Receiving a first hole punching message sent by a first user terminal and a second hole punching message sent by a second user terminal, wherein the first hole punching message comprises a first predicted hole punching time and encrypted first source address data, and the second hole punching message comprises a second predicted hole punching time and encrypted second source address data;
according to the first hole punching message, the second hole punching message, the first public network address port mapping relation and the second public network address port mapping relation, a hole punching equation set is established simultaneously, and the hole punching equation set is solved to obtain all feasible hole punching schemes;
and randomly selecting a hole punching scheme, and sending first address port information required by punching to the first user terminal according to the selected hole punching scheme, and sending second address port information required by punching to the second user terminal.
The first source address data comprises first source IP address data and first source port data, and the second source address data comprises second source IP address data and second source port data;
the sending the first address port information required by the hole punching to the first user terminal includes:
sending public network IP address data and public network port data of the second user side to the first user side;
The sending the second address port information required by the hole punching to the second user terminal includes:
and sending the public network IP address data and the public network port data of the first user side to the second user side.
Wherein the first source address data comprises first source IP address data and the second source address data comprises second source IP address data;
the sending the first address port information required by the hole punching to the first user terminal includes:
sending encrypted first source port data, public network IP address data and public network port data of the second user side to the first user side;
The sending the second address port information required by the hole punching to the second user terminal includes:
and sending the encrypted second source port data, the public network IP address data and the public network port data of the first user side to the second user side.
Wherein, still include:
Receiving hole punching failure information sent by the first user side and/or the second user side;
and selecting a hole punching scheme again from all feasible hole punching schemes, and sending third address port information required by hole punching to the first user side and fourth address port information required by hole punching to the second user side according to the selected hole punching scheme again.
The first source address data comprises first source IP address data and first source port data, and the second source address data comprises second source IP address data and second source port data;
The step of obtaining the mapping relation of the first public network address port comprises the following steps:
receiving a plurality of first hole punching messages sent by the first user terminal using different IP addresses;
obtaining the public network address data and destination address data corresponding to each first hole punching message from the TCP network layer, and taking the message sending time, first source address data, public network address data and destination address data of one hole punching message as a group of training data;
carrying out regression analysis on the training data to obtain the first public network address port mapping relation, wherein the first public network address port mapping relation maps the encrypted first source address data, message sending time and destination address data to the public network address data;
the step of obtaining the second public network address port mapping relation comprises the following steps:
receiving a plurality of second hole punching messages sent by the second user terminal using different IP addresses, wherein the second hole punching messages comprise the message sending time and encrypted second source address data;
obtaining the public network address data and destination address data of each second hole punching message from the TCP network layer, and taking the second source address data, public network address data, destination address data and message sending time of one hole punching message as a group of training data;
and carrying out regression analysis on the training data to obtain the second public network address port mapping relation, wherein the second public network address port mapping relation maps the encrypted second source address data, message sending time and destination address data to the public network address data.
Before receiving the first hole punching message sent by the first user terminal and the second hole punching message sent by the second user terminal, the method further includes:
and receiving the homomorphic encryption key sent by the first user terminal, and forwarding the homomorphic encryption key to the second user terminal.
In a second aspect, the present application provides a symmetric NAT network public network address prediction apparatus, including:
A hole punching message receiving unit, used for receiving a first hole punching message sent by the first user terminal and a second hole punching message sent by the second user terminal, wherein the first hole punching message comprises a first predicted hole punching time and encrypted first source address data, and the second hole punching message comprises a second predicted hole punching time and encrypted second source address data;
The hole punching scheme calculation unit is used for solving a hole punching equation set according to the first hole punching message, the second hole punching message, the first public network address port mapping relation and the second public network address port mapping relation to obtain all feasible hole punching schemes;
And the hole punching information sending unit is used for randomly selecting a hole punching scheme, sending first address port information required by hole punching to the first user terminal according to the selected hole punching scheme, and sending second address port information required by hole punching to the second user terminal.
In a third aspect, the present application provides a computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method according to any of the embodiments above when executing the computer program.
In a fourth aspect, the present application provides a computer readable storage medium storing a computer program which, when executed by a processor, implements a method according to any of the embodiments described above.
In a fifth aspect, a computer program product comprising a computer program which, when executed by a processor, implements a method according to any of the embodiments described above.
The symmetrical NAT network public network address prediction method and device provided by the application have the advantages that the first tunneling message sent by the first user side and the second tunneling message sent by the second user side are received, all feasible tunneling schemes are obtained according to the first tunneling message, the second tunneling message, the first public network address port mapping relation and the second public network address port mapping relation, one tunneling scheme is randomly selected, the first address port information required by tunneling is sent to the first user side according to the selected tunneling scheme, the second address port information required by tunneling is sent to the second user side, the prediction of the symmetrical NAT network public network address is realized, the size of a solution space can be adjusted through adjusting the content of source address data, the different requirements on single hit rate and integral hit rate are met, the internal network address data received and predicted by a server are encrypted data in the prediction process, the internal network address leakage is prevented, the internal network address safety is ensured, the third party server is not required to forward information after the tunneling is completed, and the information leakage is prevented.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a P2P hole punching process;
Fig. 2 is a schematic diagram of a relay server forwarding process;
fig. 3 is a flowchart of a method for predicting public network addresses of a symmetric NAT network according to an embodiment of the application;
Fig. 4 is a flowchart of a method for predicting public network addresses of a symmetric NAT network according to an embodiment of the application;
Fig. 5 is a flowchart of acquiring a mapping relationship of a first public network address port according to an embodiment of the present application;
fig. 6 is a flowchart of acquiring a mapping relationship of a second public network address port according to an embodiment of the present application;
fig. 7 is a flowchart of a method for predicting public network addresses of a symmetric NAT network according to an embodiment of the application;
Fig. 8 is a schematic structural diagram of a public network address prediction device of a symmetric NAT network according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a public network address prediction device of a symmetric NAT network according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a public network address prediction device of a symmetric NAT network according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of a public network address prediction device of a symmetric NAT network according to an embodiment of the present application;
Fig. 12 is a schematic physical structure of an electronic device according to an embodiment of the application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in further detail with reference to the accompanying drawings. The exemplary embodiments of the present application and their descriptions herein are for the purpose of explaining the present application, but are not to be construed as limiting the application. It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be arbitrarily combined with each other.
It should be noted that the client information mining method and device disclosed by the application can be used in the technical field of finance, and can also be used in any field except the technical field of finance, and the application field of the client information mining method and device disclosed by the application is not limited.
The basic concepts involved in the present application will be briefly described below.
Network Address Translation (NAT), which is a technique in computer networks for rewriting source or destination IP addresses as IP packets pass through routers or firewalls.
Network address translation mainly includes network address port translation (NATP), full cone NAT (Full Cone NAT), restricted cone NAT (Address-Restricted Cone NAT), port restricted cone NAT (Port-Restricted Cone NAT), and symmetric NAT (Symmetric NAT).
The symmetrical NAT refers to that each request from the same internal IP and port to a specific destination IP and port is mapped to a different external IP and port, any one of the internal IP, the internal port, the destination IP and the destination port is changed, the mapped external IP and port are changed, and only the external host which has received the internal host data can send the data packet back.
The following describes a specific implementation procedure of the symmetric NAT network public network address prediction method provided in the embodiment of the present invention, taking a server as an execution body as an example.
Fig. 3 is a flowchart of a method for predicting a public network address of a symmetric NAT network according to an embodiment of the present application, where, as shown in fig. 3, the method for predicting a public network address of a symmetric NAT network according to the present application includes:
S301, receiving a first hole punching message sent by a first user terminal and a second hole punching message sent by a second user terminal, wherein the first hole punching message comprises a first predicted hole punching time and encrypted first source address data, and the second hole punching message comprises a second predicted hole punching time and encrypted second source address data;
S302, a hole punching equation set is established according to the first hole punching message, the second hole punching message, the first public network address port mapping relation and the second public network address port mapping relation, and all feasible hole punching schemes are obtained by solving the hole punching equation set;
S303, randomly selecting a hole punching scheme, and sending first address port information required by punching to a first user terminal and second address port information required by punching to a second user terminal according to the selected hole punching scheme.
The symmetrical NAT network public network address prediction method provided by the application has the advantages that the first tunneling message sent by the first user side and the second tunneling message sent by the second user side are received, all feasible tunneling schemes are obtained according to the first tunneling message, the second tunneling message, the first public network address port mapping relation and the second public network address port mapping relation, one tunneling scheme is randomly selected, the first address port information required by the tunneling is sent to the first user side according to the selected tunneling scheme, the second address port information required by the tunneling is sent to the second user side, the prediction of the symmetrical NAT network public network address is realized, the size of a solution space can be adjusted through adjusting the content of source address data, the different requirements on single hit rate and integral hit rate are met, in the prediction process, the intranet address data received and predicted by a server are encrypted data, the intranet address leakage is prevented, the intranet address safety is ensured, the third server is not required to forward information after the tunneling is finished, and the information leakage is prevented.
The steps will be described in detail below.
S301, receiving a first hole punching message sent by a first user terminal and a second hole punching message sent by a second user terminal, wherein the first hole punching message comprises a first predicted hole punching time and encrypted first source address data, and the second hole punching message comprises a second predicted hole punching time and encrypted second source address data;
Specifically, the first user side homomorphic encrypts first source address data for communication with the second side, and generates a first tunneling message together with a first predicted tunneling time and sends the first tunneling message to the server; and the second user end carries out homomorphic encryption on second source address data for communicating with the first end, and generates a second punching message together with a second predicted punching time and sends the second punching message to the server. The server receives the first tunneling message and the second tunneling message. The first predicted hole punching time is the time when the first user terminal predicts to punch holes by sending messages to the second user terminal, and the second predicted hole punching time is the time when the second user terminal predicts to punch holes by sending messages to the first user terminal.
S302, a hole punching equation set is established according to the first hole punching message, the second hole punching message, the first public network address port mapping relation and the second public network address port mapping relation, and all feasible hole punching schemes are obtained by solving the hole punching equation set;
Specifically, the server obtains the following equation set according to the received first tunneling message, second tunneling message, and the pre-obtained mapping relation between the first public network address port and the second public network address port:
Wherein f is a mapping relationship of a first public network address port, f 'is a mapping relationship of a second public network address port, iAddr is first source IP address data, iport is first source port data, i' Addr is second source IP address data, i 'port is second source port data, t is first predicted hole punching time, t' is second predicted hole punching time, eAddr is public network IP address data of a first user terminal, eport is public network port data of the first user terminal, e 'Addr is public network IP address data of a second user terminal, and e' port is public network port data of the second user terminal. The first source address data in the first tunneling message comprises first source IP address data or first source IP address data and first source port data, and the second source address data in the second tunneling message comprises second source IP address data or second source IP address data and second source port data.
The server obtains a solution space of the equation set by solving the equation set (1), and each feasible solution in the solution space is a feasible punching scheme.
S303, randomly selecting a hole punching scheme, and sending first address port information required by punching to a first user terminal and second address port information required by punching to a second user terminal according to the selected hole punching scheme.
Specifically, the server randomly selects one hole punching scheme from all feasible hole punching schemes, sends address port data required by the first user end in the hole punching scheme to the first user end, and sends address port data required by the second user end in the hole punching scheme to the second user end.
In an embodiment, the first source address data comprises first source IP address data and first source port data, and the second source address data comprises second source IP address data and second source port data;
at this time, the sending of the first address port information required for punching to the first user terminal includes:
Sending public network IP address data and public network port data of a second user side to a first user side;
Specifically, as can be seen from equation set (1), the known data in this equation set are the first source IP address data iAddr, the first source port data iport, the first predicted hole punching time t, the second source IP address data i ' Addr, the second source port data i ' port, and the second predicted hole punching time t '. Each possible solution of the equation set thus contains a set of possible values of the first user's public network IP address data eAddr, the first user's public network port data eport, the second user's public network IP address data e' Addr, and the second user's public network port data e' port.
The server sends the public network IP address data e 'Addr of the second user side and the public network port data e' port of the second user side in the selected hole punching scheme to the first user side as first address port information. The first user end sends a message to (e 'Addr, e' port) for punching at a first predicted punching time t from (iAddr, iport).
And sending second address port information required by punching to a second user terminal, wherein the second address port information comprises:
and sending the public network IP address data and the public network port data of the first user side to the second user side.
Specifically, the server sends the public network IP address data eAddr of the first user side and the public network port data eport of the first user side in the selected hole punching scheme to the second user side as the second address port information. And the second user end sends a message to (eAddr, eport) from (i ' Addr, i ' port) at a second predicted hole punching time t ' to punch holes.
At this time, the first source address data and the second source address data contain more information, the unknown number in the equation set (1) is less, the limiting condition is more, the obtained solution space is smaller, and the single hole punching success rate of each feasible solution in the solution space is higher. The scheme is suitable for scenes needing rapid hole punching.
In an embodiment, the first source address data comprises first source IP address data and the second source address data comprises second source IP address data;
at this time, the sending of the first address port information required for punching to the first user terminal includes:
Sending the encrypted first source port data, the public network IP address data and the public network port data of the second user terminal to the first user terminal;
Specifically, as can be seen from equation set (1), the known data in this equation set are the first source IP address data iAddr, the first predicted hole punching time t, the second source IP address data i'Addr, and the second predicted hole punching time t'. Each possible solution of the equation set therefore contains a set of possible values of the first source port data iport, the first user terminal's public network IP address data eAddr, the first user terminal's public network port data eport, the second source port data i'port, the second user terminal's public network IP address data e'Addr, and the second user terminal's public network port data e'port.
The server sends the public network IP address data e'Addr of the second user terminal, the public network port data e'port of the second user terminal and the encrypted first source port data iport in the selected hole punching scheme to the first user terminal as the first address port information. The first user terminal decrypts the first source port data to obtain iport, and at the first predicted hole punching time t sends a message from (iAddr, iport) to (e'Addr, e'port) to punch the hole.
Sending the second address port information required for hole punching to the second user terminal includes:
sending the encrypted second source port data, and the public network IP address data and public network port data of the first user terminal, to the second user terminal.
Specifically, the server sends the public network IP address data eAddr of the first user terminal, the public network port data eport of the first user terminal, and the encrypted second source port data i'port in the selected hole punching scheme to the second user terminal as the second address port information. The second user terminal decrypts the second source port data to obtain i'port, and at the second predicted hole punching time t' sends a message from (i'Addr, i'port) to (eAddr, eport) to punch the hole.
At this time, the first source address data and the second source address data contain only the corresponding source IP address data, so equation set (1) has more unknowns and fewer constraints, a larger solution space is obtained, more feasible hole punching schemes can be tried, and the overall hole punching success rate after all schemes have been tried is high. This scheme is suitable for scenarios without a strict time limit, where the final hole punching success rate must nevertheless be ensured.
In the symmetric NAT network public network address prediction method provided by the application, the server receives the first hole punching message sent by the first user terminal and the second hole punching message sent by the second user terminal; obtains all feasible hole punching schemes from the first hole punching message, the second hole punching message, the first public network address port mapping relation and the second public network address port mapping relation; randomly selects one hole punching scheme; and, according to the selected scheme, sends the first address port information required for hole punching to the first user terminal and the second address port information required for hole punching to the second user terminal. Prediction of the symmetric NAT network public network address is thereby realized. The size of the solution space can be adjusted by adjusting the content of the source address data, which meets different requirements on the single hit rate and the overall hit rate, and after hole punching is completed no third-party server is needed to forward information, which saves cost and prevents information leakage.
Fig. 4 is a flowchart of a symmetric NAT network public network address prediction method according to an embodiment of the present application. As shown in Fig. 4, when hole punching is performed with the symmetric NAT network public network address prediction method of the present application, the method further includes:
S401, receiving hole punching failure information sent by the first user terminal and/or the second user terminal;
Specifically, when one hole punching attempt fails, the first user terminal and/or the second user terminal sends hole punching failure information to the server. After receiving hole punching failure information from either end, the server determines that the current hole punching attempt has failed. The server may set a waiting time according to actual conditions such as the longest time hole punching requires; if no hole punching failure information is received within the waiting time, the hole punching is considered successful.
S402, selecting a hole punching scheme again from all the feasible hole punching schemes, and, according to the newly selected scheme, sending third address port information required for hole punching to the first user terminal and fourth address port information required for hole punching to the second user terminal.
Specifically, after determining that the current hole punching attempt has failed, the server selects another hole punching scheme from all the feasible hole punching schemes, sends the third address port information required for hole punching to the first user terminal, and sends the fourth address port information required for hole punching to the second user terminal. The server may repeat S401 to S402 several times until hole punching failure information is no longer received and the first user terminal and the second user terminal have punched the hole successfully.
In the symmetric NAT network public network address prediction method provided by the application, the server receives the hole punching failure information sent by the first user terminal and/or the second user terminal, selects another hole punching scheme from all the feasible hole punching schemes, and according to the newly selected scheme sends the third address port information required for hole punching to the first user terminal and the fourth address port information required for hole punching to the second user terminal. All feasible hole punching schemes are thereby fully utilized, and a new scheme can be provided quickly after one attempt fails so as to ensure that hole punching finally succeeds.
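The retry loop of S401 to S402, together with the solution-space trade-off described above (a known source port collapses the space to one scheme; an unknown one multiplies it), as an added example that is not part of the patent. The two peers, their NAT "truth", the candidate port lists, the waiting time and the report delays are all constructed for the example; the server only ever hands out one scheme at a time and treats silence within the waiting time as success.

```python
import itertools
import random


class SimulatedPeer:
    """A user terminal behind a symmetric NAT (constructed). true_port is the
    source port it really punches from and true_remote the public (IP, port) that
    its counterpart's NAT actually opened; any other instruction fails, and the
    failure is reported to the server after report_delay seconds."""

    def __init__(self, true_port, true_remote, report_delay):
        self.true_port, self.true_remote = true_port, true_remote
        self.report_delay = report_delay

    def punch(self, source_port, remote):
        """None on success, otherwise the delay until the failure report."""
        if (source_port, remote) == (self.true_port, self.true_remote):
            return None
        return self.report_delay


def feasible_schemes(first, second):
    """The solution space: one scheme per combination of the candidate values
    each side's mapping admits. first/second are dicts with source_ports,
    public_ip and public_ports. When the source port is known, each list has a
    single entry and the space collapses to one scheme (the fast-punch case)."""
    return [
        {"iport": a, "eAddr": first["public_ip"], "eport": b,
         "i_port": c, "e_Addr": second["public_ip"], "e_port": d}
        for a, b, c, d in itertools.product(
            first["source_ports"], first["public_ports"],
            second["source_ports"], second["public_ports"])]


class Coordinator:
    """Server side of S401/S402: hands out one scheme at a time, treats silence for
    wait_time seconds as success, and on a failure report moves on to an untried
    scheme. Shuffling once gives random selection without repeats."""

    def __init__(self, schemes, wait_time, rng):
        self.pending = list(schemes)
        rng.shuffle(self.pending)
        self.wait_time = wait_time
        self.attempts, self.clock = 0, 0.0

    def run(self, peer1, peer2):
        while self.pending:
            scheme = self.pending.pop()
            self.attempts += 1
            # first address port info to peer 1, second to peer 2 (S402)
            r1 = peer1.punch(scheme["iport"], (scheme["e_Addr"], scheme["e_port"]))
            r2 = peer2.punch(scheme["i_port"], (scheme["eAddr"], scheme["eport"]))
            reports = [d for d in (r1, r2) if d is not None and d < self.wait_time]
            if not reports:  # no failure information within the wait: success
                self.clock += self.wait_time
                return {"success": True, "scheme": scheme,
                        "attempts": self.attempts, "elapsed": self.clock}
            self.clock += min(reports)  # S401: failure info from either end
        return {"success": False, "scheme": None,
                "attempts": self.attempts, "elapsed": self.clock}


def demo(known_source_ports, truth_reachable=True, seed=0):
    """Runs one hole-punching session against constructed peers. The 'truth' is
    the mapping the two NATs really produce; it lies inside the solution space
    unless truth_reachable is False."""
    truth = {"iport": 40001, "eAddr": "203.0.113.10", "eport": 30012,
             "i_port": 50007, "e_Addr": "203.0.113.20", "e_port": 31005}
    if not truth_reachable:
        truth["e_port"] += 100  # the second NAT opened a port nobody predicted
    first = {"public_ip": truth["eAddr"],
             "source_ports": [40001] if known_source_ports else [40000, 40001, 40002],
             "public_ports": [30012] if known_source_ports else [30010, 30011, 30012, 30013]}
    second = {"public_ip": truth["e_Addr"],
              "source_ports": [50007] if known_source_ports else [50006, 50007, 50008],
              "public_ports": [31005] if known_source_ports else [31004, 31005, 31006, 31007]}
    peer1 = SimulatedPeer(truth["iport"], (truth["e_Addr"], truth["e_port"]), 0.2)
    peer2 = SimulatedPeer(truth["i_port"], (truth["eAddr"], truth["eport"]), 0.3)
    schemes = feasible_schemes(first, second)
    result = Coordinator(schemes, wait_time=2.0, rng=random.Random(seed)).run(peer1, peer2)
    result["space_size"] = len(schemes)
    return result
```

`demo(True)` succeeds on the first attempt with a solution space of one scheme; `demo(False)` walks a space of 144 schemes until the matching one is found; `demo(False, truth_reachable=False)` exhausts the space and reports failure, which is the case the text addresses by enlarging the source address data. Note that a failure report arriving later than the waiting time is silently counted as success, so the waiting time must be chosen longer than the slowest peer's report path.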
Fig. 5 is a flowchart of acquiring the first public network address port mapping relation according to an embodiment of the present application. When the first public network address port mapping relation is acquired, the first source address data includes first source IP address data and first source port data. As shown in Fig. 5, on the basis of the above embodiments, the step of obtaining the first public network address port mapping relation further includes:
S501, receiving a plurality of first hole punching messages sent by the first user terminal using different IP addresses;
Specifically, in a symmetric NAT, whenever any one of the intranet IP address, the intranet port, the destination IP address and the destination port changes, the public network IP address and port to which the intranet IP address and port are mapped also change. The server may therefore have a plurality of different IP addresses, each with a plurality of different ports, and the first user terminal may send first hole punching messages with the server's different IP addresses and ports as destination addresses; at the same time, the first user terminal may also send first hole punching messages to the server from different ports. The server receives, at its different IP addresses, the plurality of first hole punching messages sent by the first user terminal.
S502, acquiring the public network address data and destination address data corresponding to each first hole punching message from the TCP network layer, and taking the message sending time, first source address data, public network address data and destination address data of one hole punching message as one group of training data;
Specifically, each time the server receives a first hole punching message, it obtains the public network address data and destination address data corresponding to that message from the TCP network layer, and takes the message sending time and first source address data carried in the message together with the obtained public network address data and destination address data as one group of training data. The public network address data comprise the public network IP address data and public network port data corresponding to the source IP address and port from which the first message was sent, and the destination address data comprise destination IP address data and destination port data.
S503, performing regression analysis with the training data to obtain the first public network address port mapping relation, which is the mapping from the encrypted first source address data, the message sending time and the destination address data to the public network address data.
Specifically, the server performs regression analysis on the groups of training data to obtain the mapping from the encrypted first source address data, the message sending time and the destination address data to the public network address data. The regression analysis may be multiple linear regression, logistic regression, ridge regression, random forest, decision tree regression and the like; the application does not limit the regression method.
Each of these regression methods has only one dependent variable; when there are several dependent variables, regression is usually performed separately for each, obtaining a separate mapping from the independent variables to each dependent variable. In practice, however, the public network IP address data and the public network port data are not independent of each other. If regression analysis is performed separately to obtain the mapping from the first source address data, message sending time and destination address data to the public network IP address data, and the mapping from the same inputs to the public network port data, the resulting mappings are inaccurate because the correlation between the public network IP address data and the public network port data is ignored.
To solve this problem, in an embodiment of the present application, regression analysis may first be performed with the public network IP address data as the dependent variable to obtain a first public network IP address mapping relation from the first source address data, message sending time and destination address data to the public network IP address data, and then regression analysis is performed on the public network port data on the basis of the first public network IP address mapping relation to obtain a first public network port mapping relation from the public network IP address data, first source address data, message sending time and destination address data to the public network port data. The first public network address port mapping relation f can then be expressed by the following formula set:
where f1 is the first public network IP address mapping relation, f2 is the first public network port mapping relation, addr is the destination IP address data, port is the destination port data, and the other symbols have the same meaning as in equation (1).
Because an IP address consists of four address segments, it may be difficult to treat it as a numerical value in regression analysis. In an embodiment, the ranges of the intranet IP addresses and public network IP addresses may be determined and all possible IP addresses digitally encoded so that different IP addresses have different codes, and regression analysis is performed with the digital codes of the IP addresses as feature values.
In the symmetric NAT network public network address prediction method provided by the application, the server receives a plurality of first hole punching messages sent by the first user terminal using different IP addresses, acquires the public network address data and destination address data corresponding to each first hole punching message from the TCP network layer, takes the message sending time, first source address data, public network address data and destination address data of one message as one group of training data, and performs regression analysis on the groups of training data to obtain the first public network address port mapping relation. Regression analysis fits the widely differing NAT translation strategies in use, is not affected by the brand of NAT equipment, and can even be used with multi-level NAT networks, so the method has high universality. Because the correlation between the public network IP address data and the public network port data is fully considered in the regression analysis, the first public network address port mapping relation describes the relation among the variables better, the subsequent prediction of the public network address data is more accurate, and the hole punching success rate is improved.
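The chained regression of S501 to S503 (f1 for the public IP code, then f2 for the public port with that code as an extra input), the per-section digital encoding of IP addresses, and the page's example key g(x) = x - 7 from the homomorphic encryption step, worked through as an added example that is not the patent's own code. The NAT behaviour in `simulated_nat`, the address ranges, the sample messages and the ridge least-squares implementation are all constructed for the example; a real deployment would train on messages observed from a real NAT instead. Because the key is an additive shift, the fitted intercepts absorb it and the server can train and predict on g(x) without ever decrypting.

```python
import ipaddress
import random

# Address sections (constructed): every IP in a section is encoded as its
# offset inside that section, so the regression works on small integers.
INTRANET_NET = ipaddress.ip_network("192.168.0.0/16")
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")
SERVER_NET = ipaddress.ip_network("198.51.100.0/24")
KEY_OFFSET = -7  # the page's example key g(x) = x - 7

def g(x):
    """Client-side homomorphic encoding; the server only ever sees g(x)."""
    return x + KEY_OFFSET

def encode_ip(ip, net):
    return int(ipaddress.ip_address(ip)) - int(net.network_address)

def decode_ip(code, net):
    return str(ipaddress.ip_address(int(net.network_address) + int(code)))

def simulated_nat(iaddr, iport, t, daddr, dport):
    """Constructed symmetric NAT: public IP chosen by the intranet VLAN (third
    octet), public port allocated sequentially in time inside that IP's block."""
    pub_code = 10 + int(iaddr.split(".")[2])
    return decode_ip(pub_code, PUBLIC_NET), 20000 + 1000 * pub_code + 2 * t

def solve(A, b):
    """Gaussian elimination with partial pivoting for a small dense system."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            for k in range(c, n + 1):
                M[r][k] -= f * M[c][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))) / M[r][r]
    return x

class Ridge:
    """Ridge regression on standardised features; the small penalty keeps the
    normal equations solvable when features are collinear, as in f2 where the
    public-IP code is itself a function of the source address."""
    def __init__(self, lam=1e-3):
        self.lam = lam

    def fit(self, X, y):
        n, d = len(X), len(X[0])
        self.mu = [sum(r[j] for r in X) / n for j in range(d)]
        sd = [(sum((r[j] - m) ** 2 for r in X) / n) ** 0.5 for j, m in enumerate(self.mu)]
        self.sd = [s if s > 1e-9 else 1.0 for s in sd]
        self.ymu = sum(y) / n
        Z, yc = [self._z(r) for r in X], [v - self.ymu for v in y]
        G = [[sum(z[a] * z[b] for z in Z) + (self.lam if a == b else 0.0)
              for b in range(d)] for a in range(d)]
        self.w = solve(G, [sum(z[a] * v for z, v in zip(Z, yc)) for a in range(d)])
        return self

    def _z(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, x):
        return self.ymu + sum(w * z for w, z in zip(self.w, self._z(x)))

def client_encrypt(iaddr, iport):
    """The client splits its intranet IP into (VLAN, host) and applies g to each
    number and to the port, so the server never sees the plaintext source."""
    o = iaddr.split(".")
    return (g(int(o[2])), g(int(o[3]))), g(iport)

def features(enc_iaddr, enc_iport, t, daddr, dport):
    """Per message: encrypted source data, send time, destination (from the TCP layer)."""
    return [*enc_iaddr, enc_iport, t, encode_ip(daddr, SERVER_NET), dport]

def train(samples):
    """samples: (iaddr, iport, t, daddr, dport, public_ip, public_port) as observed
    by the server. Returns (f1, f2); f2 takes the public-IP code as an input."""
    X1, y_ip, X2, y_port = [], [], [], []
    for iaddr, iport, t, daddr, dport, eaddr, eport in samples:
        x = features(*client_encrypt(iaddr, iport), t, daddr, dport)
        code = encode_ip(eaddr, PUBLIC_NET)
        X1.append(x); y_ip.append(code)
        X2.append([code] + x); y_port.append(eport)
    return Ridge().fit(X1, y_ip), Ridge().fit(X2, y_port)

def predict_public(f1, f2, iaddr, iport, t, daddr, dport):
    """Chained prediction: IP code first, then the port given that code."""
    x = features(*client_encrypt(iaddr, iport), t, daddr, dport)
    code = round(f1.predict(x))  # an IP code must be an integer
    return decode_ip(code, PUBLIC_NET), round(f2.predict([code] + x))

def make_samples(n, seed):
    """Constructed hole-punching messages routed through simulated_nat."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        iaddr = f"192.168.{rng.randint(0, 4)}.{rng.randint(1, 254)}"
        args = (iaddr, rng.randint(1024, 65535), rng.randint(0, 1000),
                f"198.51.100.{rng.randint(1, 3)}", rng.choice([3478, 3479, 3480]))
        out.append(args + simulated_nat(*args))
    return out

def hit_rate(f1, f2, samples):
    """Fraction of held-out messages whose public (IP, port) is predicted exactly."""
    return sum(predict_public(f1, f2, *s[:5]) == s[5:] for s in samples) / len(samples)
```

Train with `f1, f2 = train(make_samples(300, seed=1))` and query `predict_public(f1, f2, "192.168.3.77", 51000, 1200, "198.51.100.2", 3478)` for a message the client intends to send at a future time t; the simulated NAT is linear in the encoded features, so the fit is exact and `hit_rate` on fresh samples is 1.0. Against a real NAT the hit rate is what decides how wide the candidate port window fed into the solution space has to be.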
Fig. 6 is a flowchart of obtaining the second public network address port mapping relation according to an embodiment of the present application. When the second public network address port mapping relation is obtained, the second source address data includes second source IP address data and second source port data. As shown in Fig. 6, on the basis of the above embodiments, the step of obtaining the second public network address port mapping relation further includes:
S601, receiving a plurality of second hole punching messages sent by the second user terminal using different IP addresses, where the second hole punching messages comprise the message sending time and the encrypted second source address data;
Specifically, the second user terminal sends second hole punching messages with the server's different IP addresses and ports as destination addresses, and at the same time may also send second hole punching messages to the server from different ports. The server receives, at its different IP addresses, the plurality of second hole punching messages sent by the second user terminal.
S602, acquiring the public network address data and destination address data of each second hole punching message from the TCP network layer, and taking the second source address data, public network address data, destination address data and message sending time of one hole punching message as one group of training data;
Specifically, each time the server receives a second hole punching message, it obtains the public network address data and destination address data corresponding to that message from the TCP network layer, and takes the message sending time and second source address data carried in the message together with the obtained public network address data and destination address data as one group of training data.
S603, performing regression analysis with the training data to obtain the second public network address port mapping relation, which is the mapping from the encrypted second source address data, the message sending time and the destination address data to the public network address data.
Specifically, the server performs regression analysis on the groups of training data to obtain the mapping from the encrypted second source address data, the message sending time and the destination address data to the public network address data. The regression analysis may be multiple linear regression, logistic regression, ridge regression, random forest, decision tree regression and the like; the application does not limit the regression method.
In an embodiment of the present application, regression analysis may first be performed with the public network IP address data as the dependent variable to obtain a second public network IP address mapping relation from the second source address data, message sending time and destination address data to the public network IP address data, and then regression analysis is performed on the public network port data on the basis of the second public network IP address mapping relation to obtain a second public network port mapping relation from the public network IP address data, second source address data, message sending time and destination address data to the public network port data. The second public network address port mapping relation f' can then be expressed by the following formula set:
where f1' is the second public network IP address mapping relation, f2' is the second public network port mapping relation, addr is the destination IP address data, port is the destination port data, and the other symbols have the same meaning as in equation (1).
In the symmetric NAT network public network address prediction method provided by the application, the server receives a plurality of second hole punching messages sent by the second user terminal using different IP addresses, acquires the public network address data and destination address data corresponding to each second hole punching message from the TCP network layer, takes the message sending time, second source address data, public network address data and destination address data of one message as one group of training data, and performs regression analysis on the groups of training data to obtain the second public network address port mapping relation. Regression analysis fits the widely differing NAT translation strategies in use, is not affected by the brand or manufacturer of NAT equipment, and can even be used with multi-level NAT networks, so the method has high universality. Because the correlation between the public network IP address data and the public network port data is fully considered in the regression analysis, the second public network address port mapping relation describes the relation among the variables better, the subsequent prediction of the public network address data is more accurate, and the hole punching success rate is improved.
On the basis of the above embodiments, before receiving the first hole punching message sent by the first user terminal and the second hole punching message sent by the second user terminal, the method further includes:
receiving the homomorphic encryption key sent by the first user terminal and forwarding the homomorphic encryption key to the second user terminal.
Specifically, homomorphic encryption is a form of encryption that allows algebraic operations of a particular form to be performed on ciphertext so that the result, still encrypted, decrypts to the same result as performing the same operations on the plaintext. The first user terminal randomly generates the homomorphic encryption key, and the server receives the homomorphic encryption key sent by the first user terminal and forwards it to the second user terminal. The homomorphic encryption key may take any form such as addition, subtraction, multiplication, division or a combination thereof, for example g(x) = x - 7: if a source port number is 50, the encrypted port number is 43. The application does not limit the specific form of the homomorphic encryption key.
In the symmetric NAT network public network address prediction method of the application, the server receives the homomorphic encryption key sent by the first user terminal and forwards it to the second user terminal, so that the intranet address ports of the first user terminal and the second user terminal are encrypted when the mapping relations are obtained. In the prediction process, the intranet address data received and predicted by the server are encrypted data, which prevents intranet address leakage and ensures that the security of the symmetric NAT is not compromised.
In the application, the roles of the first user terminal and the second user terminal are interchangeable.
The symmetric NAT network public network address prediction method provided by the application is described below with a specific embodiment.
Fig. 7 is a flowchart of a symmetric NAT network public network address prediction method according to an embodiment of the present application. As shown in Fig. 7, the symmetric NAT network public network address prediction method of the present application includes:
S701, receiving a plurality of first hole punching messages sent by the first user terminal using different IP addresses, where the first hole punching messages comprise the message sending time and the encrypted first source address data;
Specifically, the server may have a plurality of different IP addresses, each with a plurality of different ports, and the first user terminal may send first hole punching messages with the server's different IP addresses and ports as destination addresses, and at the same time may also send first hole punching messages to the server from different ports. The server receives, at its different IP addresses, the plurality of first hole punching messages sent by the first user terminal from different ports.
S702, acquiring the public network address data and destination address data corresponding to each first hole punching message from the TCP network layer, and taking the message sending time, first source address data, public network address data and destination address data of one hole punching message as one group of training data;
Specifically, each time the server receives a first hole punching message, it obtains the public network address data and destination address data corresponding to that message from the TCP network layer, and takes the message sending time and first source address data carried in the message together with the obtained public network address data and destination address data as one group of training data.
S703, performing regression analysis with the training data to obtain the first public network address port mapping relation, which is the mapping from the encrypted first source address data, the message sending time and the destination address data to the public network address data;
Specifically, the server performs multiple linear regression analysis on the groups of training data to obtain the mapping from the encrypted first source address data, the message sending time and the destination address data to the public network address data. The first public network address port mapping relation f can be expressed by the following formula set:
where a1, a2, a3, a4, b1, b2, b3, b4 and b5 are constants obtained by regression analysis.
S704, receiving a plurality of second hole punching messages sent by the second user terminal using different IP addresses, where the second hole punching messages comprise the message sending time and the encrypted second source address data;
Specifically, the server receives, at its different IP addresses, the plurality of second hole punching messages sent by the second user terminal from different ports.
S705, acquiring the public network address data and destination address data of each second hole punching message from the TCP network layer, and taking the second source address data, public network address data, destination address data and message sending time of one hole punching message as one group of training data;
Specifically, each time the server receives a second hole punching message, it obtains the public network address data and destination address data corresponding to that message from the TCP network layer, and takes the message sending time and second source address data carried in the message together with the obtained public network address data and destination address data as one group of training data.
S706, performing regression analysis with the training data to obtain the second public network address port mapping relation, which is the mapping from the encrypted second source address data, the message sending time and the destination address data to the public network address data;
Specifically, the server performs multiple linear regression analysis on the groups of training data to obtain the mapping from the encrypted second source address data, the message sending time and the destination address data to the public network address data. The second public network address port mapping relation f' can be expressed by the following formula set:
where c1, c2, c3, c4, d1, d2, d3, d4 and d5 are constants obtained by regression analysis.
S707, receiving the homomorphic encryption key sent by the first user terminal and forwarding it to the second user terminal;
Specifically, the homomorphic encryption key is -7, that is, the operation g(x) = x - 7 is applied to each IP address and port number; if a source port number is 50, the encrypted port number is 43. The server receives the key and forwards it to the second user terminal.
S708, receiving the first hole punching message sent by the first user terminal and the second hole punching message sent by the second user terminal, where the first hole punching message comprises the first predicted hole punching time and the encrypted first source address data, and the second hole punching message comprises the second predicted hole punching time and the encrypted second source address data;
Specifically, the first user terminal homomorphically encrypts the first source address data used for communicating with the second terminal, generates the first hole punching message together with the first predicted hole punching time, and sends it to the server; the second user terminal homomorphically encrypts the second source address data used for communicating with the first terminal, generates the second hole punching message together with the second predicted hole punching time, and sends it to the server. The server receives the first hole punching message and the second hole punching message.
S709, according to the first hole punching message, the second hole punching message, the first public network address port mapping relation and the second public network address port mapping relation, establishing the hole punching equation set, and solving it to obtain all feasible hole punching schemes;
Specifically, from the received first hole punching message and second hole punching message and equation sets (4) and (5), the server obtains the following equation set:
By solving equation set (6), the server obtains its solution space; each feasible solution in the solution space is one feasible hole punching scheme.
S710, randomly selecting one hole punching scheme, and according to the selected scheme sending the first address port information required for hole punching to the first user terminal and the second address port information required for hole punching to the second user terminal;
Specifically, the server randomly selects one hole punching scheme from all the feasible hole punching schemes, sends the address port data required by the first user terminal in that scheme to the first user terminal, and sends the address port data required by the second user terminal in that scheme to the second user terminal.
S711, judging whether hole punching failure information sent by the first user terminal and/or the second user terminal has been received.
Specifically, when a hole punching attempt fails, the first user terminal and/or the second user terminal sends hole punching failure information to the server. If the server receives hole punching failure information from either end, it determines that this hole punching attempt has failed and returns to S710.
In the symmetric NAT network public network address prediction method provided by the application, the server receives the first hole punching message sent by the first user terminal and the second hole punching message sent by the second user terminal; obtains all feasible hole punching schemes from the first hole punching message, the second hole punching message, the first public network address port mapping relation and the second public network address port mapping relation; randomly selects one hole punching scheme; and, according to the selected scheme, sends the first address port information required for hole punching to the first user terminal and the second address port information required for hole punching to the second user terminal. Prediction of the symmetric NAT network public network address is thereby realized, and the size of the solution space can be adjusted by adjusting the content of the source address data, which meets different requirements on the single hit rate and the overall hit rate. In the prediction process, the intranet address data received and predicted by the server are encrypted data, which prevents intranet address leakage and ensures intranet address security, and after hole punching is completed no third-party server is needed to forward information, which prevents information leakage.
The technical scheme of the application obtains, stores, uses, processes and the like the data, which all meet the relevant regulations of national laws and regulations.
Based on the same inventive concept, the embodiment of the present application also provides a symmetric NAT network public network address prediction device, which can be used to implement the method described in the above embodiment, as described in the following embodiment. Because the principle of solving the problem of the symmetric NAT network public network address prediction device is similar to that of the symmetric NAT network public network address prediction method, the implementation of the symmetric NAT network public network address prediction device can be referred to the implementation of the software performance reference-based determination method, and the repetition is omitted. As used below, the term "unit" or "module" may be a combination of software and/or hardware that implements the intended function. While the system described in the following embodiments is preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 8 is a schematic structural diagram of a public network address prediction device of a symmetric NAT network according to an embodiment of the present application, and as shown in fig. 8, the public network address prediction device of a symmetric NAT network according to the present application includes:
A hole punching message receiving unit 801, configured to receive a first hole punching message sent by a first user side and a second hole punching message sent by a second user side, where the first hole punching message includes a first predicted hole punching time and encrypted first source address data, and the second hole punching message includes a second predicted hole punching time and encrypted second source address data;
Specifically, the first user side homomorphically encrypts the first source address data it will use to communicate with the second user side, assembles it together with the first predicted hole punching time into the first hole punching message, and sends that message to the hole punching message receiving unit 801; the second user side likewise homomorphically encrypts the second source address data it will use to communicate with the first user side, assembles it together with the second predicted hole punching time into the second hole punching message, and sends it to the hole punching message receiving unit 801. The hole punching message receiving unit 801 receives both messages.
A hole punching scheme calculating unit 802, configured to form the hole punching equation set from the first hole punching message, the second hole punching message, the first public network address port mapping relation and the second public network address port mapping relation, and to solve the equation set to obtain all feasible hole punching schemes;
Specifically, the hole punching scheme calculating unit 802 forms equation set (1) by combining the received first and second hole punching messages with the first and second public network address port mapping relations obtained in advance. Solving equation set (1) yields its solution space; each feasible solution in that space is one feasible hole punching scheme.
A hole punching information sending unit 803, configured to randomly select one hole punching scheme and, according to the selected scheme, send the first address port information required for hole punching to the first user side and the second address port information required for hole punching to the second user side.
Specifically, the hole punching information sending unit 803 randomly selects one scheme from all feasible hole punching schemes, sends the address port data that the first user side needs under that scheme to the first user side, and sends the address port data that the second user side needs under that scheme to the second user side.
The symmetric NAT network public network address prediction device provided by the application predicts public network addresses in a symmetric NAT network through the hole punching message receiving unit 801, the hole punching scheme calculating unit 802 and the hole punching information sending unit 803. The size of the solution space can be adjusted by adjusting the content of the source address data, which allows different requirements on the single-attempt hit rate and the overall hit rate to be met, and once hole punching is complete no third-party server is needed to forward traffic, which saves cost and prevents information leakage.
Fig. 9 is a schematic structural diagram of a symmetric NAT network public network address prediction device according to an embodiment of the present application, for the case in which the first public network address port mapping relation is obtained and the first source address data includes first source IP address data and first source port data. As shown in Fig. 9, on the basis of the above embodiments, the symmetric NAT network public network address prediction device further includes:
A first multi-IP receiving unit 901, configured to receive, using different IP addresses, a plurality of first hole punching messages sent by the first user side;
Specifically, the first multi-IP receiving unit 901 may have a plurality of different IP addresses, each with a plurality of different ports. The first user side sends first hole punching messages with the different IP addresses and ports of the first multi-IP receiving unit 901 as destination addresses, and may also send them from different source ports of its own. The first multi-IP receiving unit 901 thus receives, on its different IP addresses, a plurality of first hole punching messages sent by the first user side.
A first training data generating unit 902, configured to obtain, from the TCP network layer, the public network address data and destination address data corresponding to each first hole punching message, and to take the message sending time, first source address data, public network address data and destination address data of one hole punching message as one set of training data;
Specifically, each time the first multi-IP receiving unit 901 receives a first hole punching message, the first training data generating unit 902 obtains the public network address data and destination address data corresponding to that message from the TCP network layer and uses the message sending time and first source address data carried in the message, together with the obtained public network address data and destination address data, as one set of training data.
A first mapping relation generating unit 903, configured to perform regression analysis on the training data to obtain the first public network address port mapping relation, which maps the encrypted first source address data, the message sending time and the destination address data to the public network address data.
Specifically, the first mapping relation generating unit 903 performs regression analysis over the sets of training data to obtain the mapping from the encrypted first source address data, the message sending time and the destination address data to the public network address data. The regression may be multiple linear regression, logistic regression, ridge regression, random forest regression, decision tree regression, and so on; the present application does not limit the regression method.
The symmetric NAT network public network address prediction device provided by the application obtains the first public network address port mapping relation through the first multi-IP receiving unit 901, the first training data generating unit 902 and the first mapping relation generating unit 903. Because the widely differing NAT translation strategies in use are fitted by regression analysis, the method does not depend on the NAT device's manufacturer, can even be used behind multiple layers of NAT, and is therefore highly general. The regression also takes full account of the correlation between public network IP address data and public network port data, so the first public network address port mapping relation describes the relations among the variables better, the subsequent prediction of public network address data is more accurate, and the hole punching success rate is higher.
Fig. 10 is a schematic structural diagram of a symmetric NAT network public network address prediction device according to an embodiment of the present application, for the case in which the second public network address port mapping relation is obtained and the second source address data includes second source IP address data and second source port data. As shown in Fig. 10, on the basis of the above embodiments, the symmetric NAT network public network address prediction device further includes:
A second multi-IP receiving unit 1001, configured to receive, using different IP addresses, a plurality of second hole punching messages sent by the second user side, where each second hole punching message includes a message sending time and encrypted second source address data;
Specifically, the second user side sends second hole punching messages with the different IP addresses and ports of the second multi-IP receiving unit 1001 as destination addresses, and may also send them from different source ports of its own. The second multi-IP receiving unit 1001 thus receives, on its different IP addresses, a plurality of second hole punching messages sent by the second user side.
A second training data generating unit 1002, configured to obtain, from the TCP network layer, the public network address data and destination address data of each second hole punching message, and to take the second source address data, public network address data, destination address data and message sending time of one hole punching message as one set of training data;
Specifically, each time the second multi-IP receiving unit 1001 receives a second hole punching message, the second training data generating unit 1002 obtains the public network address data and destination address data corresponding to that message from the TCP network layer and uses the message sending time and second source address data carried in the message, together with the obtained public network address data and destination address data, as one set of training data.
A second mapping relation generating unit 1003, configured to perform regression analysis on the training data to obtain the second public network address port mapping relation, which maps the encrypted second source address data, the message sending time and the destination address data to the public network address data.
Specifically, the second mapping relation generating unit 1003 performs regression analysis over the sets of training data to obtain the mapping from the encrypted second source address data, the message sending time and the destination address data to the public network address data.
The symmetric NAT network public network address prediction device provided by the application obtains the second public network address port mapping relation through the second multi-IP receiving unit 1001, the second training data generating unit 1002 and the second mapping relation generating unit 1003. Because the widely differing NAT translation strategies in use are fitted by regression analysis, the method does not depend on the NAT device's manufacturer, can even be used behind multiple layers of NAT, and is therefore highly general. The regression also takes full account of the correlation between public network IP address data and public network port data, so the second public network address port mapping relation describes the relations among the variables better, the subsequent prediction of public network address data is more accurate, and the hole punching success rate is higher.
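The server-side pipeline of Figs. 8 to 10, as an added example that is not code from the patent or its applicant: constructed probes from two clients behind two toy NAT strategies, multiple linear regression from (message sending time, source address, destination address) to the public port, the hole punching equation set solved jointly for both sides and enumerated over candidate source ports, and random selection of one feasible scheme. The homomorphic encryption of the source address data is omitted (the regression runs on plaintext), each NAT's public IP is assumed stable so only ports are predicted, and every address, port, timestamp and NAT behaviour below is constructed.

```python
import ipaddress
import random
from fractions import Fraction
from typing import NamedTuple

class Probe(NamedTuple):
    """One hole punching message as the server records it: one set of training data."""
    send_time: int   # seconds since the client started probing
    src_ip: str      # intranet address (plaintext here; homomorphically encrypted in the patent)
    src_port: int
    dst_ip: str      # an address of the server's multi-IP receiving unit
    dst_port: int
    pub_ip: str      # public address the client's NAT assigned to this message
    pub_port: int

def ip_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def nat_a(k: int, src_port: int) -> int:
    return 40000 + k             # constructed toy NAT: sequential allocation, k-th mapping

def nat_b(k: int, src_port: int) -> int:
    return src_port + 3 * k      # constructed toy NAT: source port plus a per-mapping offset

SERVER_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]   # constructed (TEST-NET-3)

def collect_probes(nat, pub_ip: str, src_ip: str, n: int = 12) -> list:
    """Multi-IP receiving: one message per second to varying server IP/port from varying source ports."""
    probes = []
    for k in range(n):
        src_port = 50000 + k % 4
        dst_ip, dst_port = SERVER_IPS[k % 3], 3478 + k // 6
        probes.append(Probe(k, src_ip, src_port, dst_ip, dst_port, pub_ip, nat(k, src_port)))
    return probes

def features(send_time, src_port, dst_ip, dst_port) -> list:
    """Regressors: intercept, message sending time, source port, destination IP and port."""
    return [Fraction(v) for v in (1, send_time, src_port, ip_int(dst_ip), dst_port)]

def ols(rows: list, targets: list) -> list:
    """Multiple linear regression (ordinary least squares) via the normal equations, exact in rationals."""
    m = len(rows[0])
    aug = [[sum(r[i] * r[j] for r in rows) for j in range(m)]
           + [sum(r[i] * y for r, y in zip(rows, targets))] for i in range(m)]
    for c in range(m):                                   # Gauss-Jordan elimination
        p = next((r for r in range(c, m) if aug[r][c] != 0), None)
        if p is None:
            raise ValueError("training data does not determine the mapping relation")
        aug[c], aug[p] = aug[p], aug[c]
        piv = aug[c][c]
        aug[c] = [v / piv for v in aug[c]]
        for r in range(m):
            if r != c and aug[r][c] != 0:
                f = aug[r][c]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[c])]
    return [aug[i][m] for i in range(m)]

def fit_mapping(probes: list) -> dict:
    """The public network address port mapping relation for one client."""
    rows = [features(p.send_time, p.src_port, p.dst_ip, p.dst_port) for p in probes]
    coef = ols(rows, [Fraction(p.pub_port) for p in probes])
    return {"pub_ip": probes[0].pub_ip, "coef": coef}   # assumption: the public IP is stable

def solve_equation_set(map_a, t_a, src_a, map_b, t_b, src_b):
    """Hole punching equation set: p_a = f_a(t_a, src_a, ip_b, p_b), p_b = f_b(t_b, src_b, ip_a, p_a).
    Each side's destination is the other side's unknown public port, so the two predictions
    form one 2x2 linear system rather than two independent lookups."""
    ca, cb = map_a["coef"], map_b["coef"]
    k_a = ca[0] + ca[1] * t_a + ca[2] * src_a + ca[3] * ip_int(map_b["pub_ip"])
    k_b = cb[0] + cb[1] * t_b + cb[2] * src_b + cb[3] * ip_int(map_a["pub_ip"])
    det = 1 - ca[4] * cb[4]
    if det == 0:
        return None                                      # no unique solution for this pair
    return (k_a + ca[4] * k_b) / det, (k_b + cb[4] * k_a) / det

def feasible_schemes(map_a, t_a, cand_a, map_b, t_b, cand_b) -> list:
    """The solution space: candidate source-port pairs whose joint solution is a legal port pair."""
    schemes = []
    for src_a in cand_a:
        for src_b in cand_b:
            sol = solve_equation_set(map_a, t_a, src_a, map_b, t_b, src_b)
            if sol and all(x.denominator == 1 and 1024 <= x <= 65535 for x in sol):
                schemes.append((src_a, int(sol[0]), src_b, int(sol[1])))
    return schemes

def pick_scheme(map_a, map_b, schemes, rng=random):
    """Random choice; each side learns its own source port and the peer's predicted public endpoint."""
    if not schemes:
        raise ValueError("no feasible hole punching scheme")
    src_a, p_a, src_b, p_b = rng.choice(schemes)
    return ({"use_src_port": src_a, "peer": (map_b["pub_ip"], p_b)},
            {"use_src_port": src_b, "peer": (map_a["pub_ip"], p_a)})

def demo(seed: int = 7):
    map_a = fit_mapping(collect_probes(nat_a, "198.51.100.7", "10.0.0.5"))
    map_b = fit_mapping(collect_probes(nat_b, "198.51.100.9", "192.168.1.20"))
    # both sides predict hole punching at t = 30 s; two candidate source ports each; 65500 + 90 is infeasible
    schemes = feasible_schemes(map_a, 30, [50000, 50001], map_b, 30, [60000, 65500])
    to_a, to_b = pick_scheme(map_a, map_b, schemes, random.Random(seed))
    return map_a, map_b, schemes, to_a, to_b
```

Because the fitted mapping is linear in the peer's port, a scheme whose joint solution is not an integer in the legal port range is dropped from the solution space, which is what narrows the candidates before the random choice.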
Fig. 11 is a schematic structural diagram of a symmetric NAT network public network address prediction device according to an embodiment of the present application. As shown in Fig. 11, on the basis of the above embodiments, the symmetric NAT network public network address prediction device provided by the present application further includes:
A key receiving and forwarding unit 1101, configured to receive the homomorphic encryption key sent by the first user side and forward it to the second user side.
Specifically, the first user side randomly generates a homomorphic encryption key; the key receiving and forwarding unit 1101 receives that key from the first user side and forwards it to the second user side.
Through the key receiving and forwarding unit 1101, the symmetric NAT network public network address prediction device provided by the application encrypts the intranet address ports of the first and second user sides. The intranet address data that the server receives and predicts, both while obtaining the mapping relations and while predicting, is therefore encrypted data, which prevents leakage of intranet addresses and ensures that the security provided by the symmetric NAT is not weakened.
Fig. 12 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the present application. As shown in Fig. 12, the electronic device may include a processor 1201, a communication interface 1202, a memory 1203 and a communication bus 1204, where the processor 1201, the communication interface 1202 and the memory 1203 communicate with each other through the communication bus 1204. The processor 1201 may invoke logic instructions in the memory 1203 to perform a method comprising: receiving a first hole punching message sent by a first user side and a second hole punching message sent by a second user side, where the first hole punching message includes a first predicted hole punching time and encrypted first source address data and the second hole punching message includes a second predicted hole punching time and encrypted second source address data; obtaining all feasible hole punching schemes according to the first hole punching message, the second hole punching message, the first public network address port mapping relation and the second public network address port mapping relation; and randomly selecting one hole punching scheme and, according to the selected scheme, sending the first address port information required for hole punching to the first user side and the second address port information required for hole punching to the second user side.
Further, the logic instructions in the memory 1203 may be implemented as software functional units and stored in a computer readable storage medium when sold or used as a stand-alone product. On this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or a part of that solution, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present invention. The storage medium may be a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The present embodiment discloses a computer program product comprising a computer program stored on a computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, cause the computer to perform the method provided by the method embodiments above, for example: receiving a first hole punching message sent by a first user side and a second hole punching message sent by a second user side, where the first hole punching message includes a first predicted hole punching time and encrypted first source address data and the second hole punching message includes a second predicted hole punching time and encrypted second source address data; obtaining all feasible hole punching schemes according to the first hole punching message, the second hole punching message, the first public network address port mapping relation and the second public network address port mapping relation; and randomly selecting one hole punching scheme and, according to the selected scheme, sending the first address port information required for hole punching to the first user side and the second address port information required for hole punching to the second user side.
The present embodiment provides a computer readable storage medium storing a computer program that causes a computer to perform the method provided by the method embodiments above, for example: receiving a first hole punching message sent by a first user side and a second hole punching message sent by a second user side, where the first hole punching message includes a first predicted hole punching time and encrypted first source address data and the second hole punching message includes a second predicted hole punching time and encrypted second source address data; obtaining all feasible hole punching schemes according to the first hole punching message, the second hole punching message, the first public network address port mapping relation and the second public network address port mapping relation; and randomly selecting one hole punching scheme and, according to the selected scheme, sending the first address port information required for hole punching to the first user side and the second address port information required for hole punching to the second user side.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In the description of the present specification, reference to the terms "one embodiment," "one particular embodiment," "some embodiments," "for example," "an example," "a particular example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The foregoing embodiments are provided to illustrate the general principles of the invention and are not intended to limit its scope to the particular embodiments; any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (9)

1. A public network address prediction method for a symmetric NAT network, characterized by comprising:
receiving a first hole punching message sent by a first user side and a second hole punching message sent by a second user side, wherein the first hole punching message comprises a first predicted hole punching time and encrypted first source address data, and the second hole punching message comprises a second predicted hole punching time and encrypted second source address data;
forming a hole punching equation set from the first hole punching message, the second hole punching message, a first public network address port mapping relation and a second public network address port mapping relation, and solving the hole punching equation set to obtain all feasible hole punching schemes;
randomly selecting one hole punching scheme and, according to the selected hole punching scheme, sending first address port information required for hole punching to the first user side and second address port information required for hole punching to the second user side;
wherein obtaining the first public network address port mapping relation comprises:
receiving, using different IP addresses, a plurality of first hole punching messages sent by the first user side;
obtaining, from a TCP network layer, public network address data and destination address data corresponding to each first hole punching message, and taking the message sending time, first source address data, public network address data and destination address data of one hole punching message as one set of training data, wherein the public network address data corresponding to the first hole punching message comprises the public network IP address data and public network port data corresponding to the source IP address port data of the first hole punching message, and the destination address data corresponding to the first hole punching message comprises destination IP address data and destination port data;
performing regression analysis on the training data to obtain the first public network address port mapping relation, wherein the first public network address port mapping relation is a mapping from the encrypted first source address data, message sending time and destination address data to the public network address data;
and wherein obtaining the second public network address port mapping relation comprises:
receiving, using different IP addresses, a plurality of second hole punching messages sent by the second user side;
obtaining, from a TCP network layer, public network address data and destination address data corresponding to each second hole punching message, and taking the second source address data, public network address data, destination address data and message sending time of one hole punching message as one set of training data, wherein the public network address data corresponding to the second hole punching message comprises the public network IP address data and public network port data corresponding to the source IP address port data of the second hole punching message, and the destination address data corresponding to the second hole punching message comprises destination IP address data and destination port data;
performing regression analysis on the training data to obtain the second public network address port mapping relation, wherein the second public network address port mapping relation is a mapping from the encrypted second source address data, message sending time and destination address data to the public network address data.
2. The method of claim 1, wherein the first source address data comprises first source IP address data and first source port data, and the second source address data comprises second source IP address data and second source port data;
wherein sending the first address port information required for hole punching to the first user side comprises:
sending the public network IP address data and public network port data of the second user side to the first user side;
and wherein sending the second address port information required for hole punching to the second user side comprises:
sending the public network IP address data and public network port data of the first user side to the second user side.
3. The method of claim 1, wherein the first source address data comprises first source IP address data and the second source address data comprises second source IP address data;
wherein sending the first address port information required for hole punching to the first user side comprises:
sending encrypted first source port data together with the public network IP address data and public network port data of the second user side to the first user side;
and wherein sending the second address port information required for hole punching to the second user side comprises:
sending encrypted second source port data together with the public network IP address data and public network port data of the first user side to the second user side.
4. The public network address prediction method for a symmetric NAT network of claim 1, further comprising:
receiving hole punching failure information sent by the first user side and/or the second user side;
reselecting a hole punching scheme from all feasible hole punching schemes and, according to the reselected hole punching scheme, sending third address port information required for hole punching to the first user side and fourth address port information required for hole punching to the second user side.
5. The public network address prediction method for a symmetric NAT network of claim 1, further comprising, before receiving the first hole punching message sent by the first user side and the second hole punching message sent by the second user side:
receiving a homomorphic encryption key sent by the first user side, and forwarding the homomorphic encryption key to the second user side.
6. A public network address prediction device for a symmetric NAT network, comprising:
a hole punching message receiving unit, configured to receive a first hole punching message sent by a first user side and a second hole punching message sent by a second user side, wherein the first hole punching message comprises a first predicted hole punching time and encrypted first source address data, and the second hole punching message comprises a second predicted hole punching time and encrypted second source address data;
a hole punching scheme calculating unit, configured to form a hole punching equation set from the first hole punching message, the second hole punching message, a first public network address port mapping relation and a second public network address port mapping relation, and to solve the hole punching equation set to obtain all feasible hole punching schemes;
a hole punching information sending unit, configured to randomly select one hole punching scheme and, according to the selected hole punching scheme, send first address port information required for hole punching to the first user side and second address port information required for hole punching to the second user side;
a first multi-IP receiving unit, configured to receive, using different IP addresses, a plurality of first hole punching messages sent by the first user side;
a first training data generating unit, configured to obtain, from a TCP network layer, public network address data and destination address data corresponding to each first hole punching message, and to take the message sending time, first source address data, public network address data and destination address data of one hole punching message as one set of training data, wherein the public network address data corresponding to the first hole punching message comprises the public network IP address data and public network port data corresponding to the source IP address port data of the first hole punching message, and the destination address data corresponding to the first hole punching message comprises destination IP address data and destination port data;
a first mapping relation generating unit, configured to perform regression analysis on the training data to obtain the first public network address port mapping relation, wherein the first public network address port mapping relation is a mapping from the encrypted first source address data, message sending time and destination address data to the public network address data;
a second multi-IP receiving unit, configured to receive, using different IP addresses, a plurality of second hole punching messages sent by the second user side;
a second training data generating unit, configured to obtain, from a TCP network layer, public network address data and destination address data corresponding to each second hole punching message, and to take the second source address data, public network address data, destination address data and message sending time of one hole punching message as one set of training data, wherein the public network address data corresponding to the second hole punching message comprises the public network IP address data and public network port data corresponding to the source IP address port data of the second hole punching message, and the destination address data corresponding to the second hole punching message comprises destination IP address data and destination port data;
a second mapping relation generating unit, configured to perform regression analysis on the training data to obtain the second public network address port mapping relation, wherein the second public network address port mapping relation is a mapping from the encrypted second source address data, message sending time and destination address data to the public network address data.
7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 5 when executing the computer program.
8. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when executed by a processor, implements the method of any one of claims 1 to 5.
9. A computer program product, characterized in that the computer program product comprises a computer program which, when executed by a processor, implements the method of any one of claims 1 to 5.
CN202310205945.6A 2023-03-06 2023-03-06 Public network address prediction method and device for symmetric NAT network Active CN116137619B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310205945.6A CN116137619B (en) 2023-03-06 2023-03-06 Public network address prediction method and device for symmetric NAT network

Publications (2)

Publication Number Publication Date
CN116137619A CN116137619A (en) 2023-05-19
CN116137619B true CN116137619B (en) 2025-01-07

Family

ID=86334631

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105141711A (en) * 2015-08-24 2015-12-09 北京息通网络技术有限公司 Symmetrical NAT traversal method and system based on big data analysis

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8224985B2 (en) * 2005-10-04 2012-07-17 Sony Computer Entertainment Inc. Peer-to-peer communication traversing symmetric network address translators
CN107580081A (en) * 2017-09-18 2018-01-12 北京奇艺世纪科技有限公司 A kind of NAT penetrating methods and device
CN112351115B (en) * 2019-08-09 2022-03-04 华为技术有限公司 Port prediction method and device of symmetric NAT equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant