說明:這篇文章是IETF的RFC,具體連結忘記了,大家google下就很容易找到了,原連結需要國際流量的。
原檔案名為draft-rosenberg-midcom-stun-00.txt
====================================================================================
Internet Engineering Task Force MIDCOM WG
Internet Draft Rosenberg,Weinberger,Huitema,Mahy
draft-rosenberg-midcom-stun-00.txt dynamicsoft,Microsoft,Cisco
October 1, 2001
Expires: March 2002
STUN - Simple Traversal of UDP Through NATs
STATUS OF THIS MEMO
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress".
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
To view the list Internet-Draft Shadow Directories, see
http://www.ietf.org/shadow.html.
Abstract
Simple Traversal of UDP Through NATs (STUN) is a lightweight protocol
that allows applications to discover the presence and types of
Network Address Translators (NATs) and firewalls between them and the
public Internet. It also provides the ability for applications to
determine the public IP addresses allocated to them by the nat. STUN
works with nearly all existing NATs, and does not require any special
behavior from them. As a result, it allows a wide variety of
applications to work through existing NAT infrastructure. The STUN
protocol is very simple, being almost identical to echo.
1 Introduction
Network Address Translators (NATs), while providing many benefits,
also come with many drawbacks. The most troublesome of those
Rosenberg,Weinberger,Huitema,Mahy [Page 1]
Internet Draft stun October 1, 2001
drawbacks is the fact that they break many existing IP applications,
and make it difficult to deploy new ones. Guidlines have been
developed [1] that describe how to build "NAT friendly" protocols,
but many protocols simply cannot be constructed according to those
guidelines. Examples of such protocols include almost all peer-to-
peer protocols, such as multimedia communications, file sharing and
games.
To combat that problem, Application Layer Gateways (ALGs) have been
embedded in NATs. ALGs perform the application layer functions
required for a particular protocol to traverse a NAT. Typically, this
involves rewriting messages to contain translated addresses, rather
than the ones inserted by the sender of the protocol message. ALGs
have serious limitations, including scalability, reliability, and
speed of deploying new applications. To resolve these problems, the
Middlebox Communciations (MIDCOM) protocol is being developed [2].
MIDCOM allows an application entity, such as an end client or network
server of some sort (like a SIP proxy [3]) to control a NAT (or
firewall), in order to obtain NAT bindings and open or close
pinholes. In this way, NATs and applications can be separated once
more, eliminating the need for embedding ALGs in NATs, and resolving
the limitations imposed by current architectures.
Unfortunately, MIDCOM requires upgrades to existing NAT and
firewalls, in addition to application components. Complete upgrades
of these NAT and firewall products will take a long time, potentially
years. This is due, in part, to the fact that the deployers of NAT
and firewalls are not the same people who are deploying and using
applications. As a result, the incentive to upgrade these devices
will be low in many cases. Consider, for example, an airport Internet
lounge that provides access with a NAT. A user connecting to the
natted network may wish to use a peer-to-peer service, but cannot,
because the NAT doesn't support it. Since the administrators of the
lounge are not the ones providing the service, they are not motivated
to upgrade their NAT equipment to support it, using either an ALG, or
MIDCOM.
Many existing proprietary protocols, such as those for online games
(such as the games described in RFC 3027 [4]) and Voice over IP, have
developed tricks that allow them to operate through NATs without
changing those NATs. This draft is an attempt to take some of those
ideas, and codify them into an interoperable protocol that can meet
the needs of many applications.
The protocol described here, Simple Traversal of UDP Through NAT
(STUN), provides is an extremely simple protocol that allows entities
behind a NAT to first discover the presence of a NAT, and the type of
NAT, and then to learn the addresses bindings allocated by the NAT.
Rosenberg,Weinberger,Huitema,Mahy [Page 2]
Internet Draft stun October 1, 2001
STUN requires no changes to NATs, and works with an arbitrary number
of NATs in tandem between the application entity and the public
Internet.
2 Terminology
In this document, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALLNOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" are to be interpreted as described in RFC 2119 [5] and
indicate requirement levels for compliant STUN implementations.
3 Definitions
STUN Client: A STUN client (also just referred to as a client)
is an entity that generates STUN requests. A STUN client
can execute on an end system, such as a users PC, or can
run in a network element, such as a server.
STUN Server: A STUN Server (also just referred to as a server)
is an entity that receives STUN requests, and sends STUN
responses. STUN servers are generally attached to the
public Internet. STUN servers are stateless.
4 NAT Variations
It is assumed that the reader is familiar with NATs. It has been
observed that NAT treatment of UDP is variable amongst
implementations. The four types defined in [6] are:
Full Cone: A full cone NAT is one where all requests from the
same internal IP address and port are mapped to the same
external IP address and port. Furthermore, any external
host can send a packet to the internal host, by sending a
packet to the mapped external address.
Restricted Cone: A restricted cone NAT is one where all requests
from the same internal IP address and port are mapped to
the same external IP address and port. Unlike a full cone
NAT, an external host (with IP address X) can send a packet
to the internal host only if the internal host had
previously sent a packet to IP address X.
Port Restricted Cone: A port restricted cone NAT is like a
restricted cone NAT, but the restriction includes port
numbers. Specifically, an external host can send a packet,
with source IP address X and source port P, to the internal
host only if the internal host had previously sent a packet
to IP address X and port P.
Rosenberg,Weinberger,Huitema,Mahy [Page 3]
Internet Draft stun October 1, 2001
Symmetric: A symmetric NAT is one where all requests from the
same internal IP address and port, to a specific
destination IP address and port, are mapped to the same
external IP address and port. If the same host sends a
packet with the same source port, but to a different
destination, a different mapping is used. Furthermore, only
the external host that receives a packet can send a UDP
packet back to the internal host.
Determining the type of NAT is important in many cases. Depending on
what the application wants to do, the particular behavior may need to
be taken into account.
5 Overview of Operation
This section is descriptive only. Normative behavior is described in
Sections 7 and 8.
The typical STUN configuration is shown in Figure 1. A STUN client is
connected to private network 1. This network connects to private
network 2 through NAT 1. Private network 2 connects to the public
Internet through NAT 2. On the public Internet is a STUN server.
STUN is a simple client-server protocol. Its operation is trivial. A
client sends a request to a server. The server examines the source IP
address and port of the request, and copies them into a response that
is sent back to the client. There are some parameters in the request
that allow the client to ask that the response be sent elsewhere, or
that the server send the response from a different address and port.
Thats it.
The trick is using this simple protocol to discover the presence of
nats, and to learn and use the bindings they allocate.
The STUN client is typically embedded in an application which needs
to obtain a public IP address and port that can be used to receive
data. For example, it might need to obtain an IP address and port to
receive RTP [7] traffic. When the application starts, the STUN client
within the application sends a STUN request to its STUN server. STUN
servers are discovered through DNS SRV records [8], and is generally
assumed that the client is configured with the domain to use to find
the STUN server. Generally, this will be the domain of the provider
of the service the application is using (such a provider is incented
to deploy STUN servers in order to allow its customers to use its
application through NAT).
The STUN request is used to discover the presence of a NAT, and to
Rosenberg,Weinberger,Huitema,Mahy [Page 4]
Internet Draft stun October 1, 2001
/-----/ ............
// STUN // . STUN .
| Server | .Translator.
// // . .
/-----/ ............
+--------------+ Public Internet
................| NAT 2 |.......................
+--------------+
+--------------+ Private NET 1
................| NAT 1 |.......................
+--------------+
/-----/
// STUN //
| Client |
// // Private NET 2
/-----/
Figure 1: STUN Configuration
discover the public IP address and port mappings generated by the
NAT. Requests are sent to the STUN server using UDP. When a request
arrives at the STUN server, it may have passed through one or more
NATs between the STUN client and the STUN server. As a result, the
source address of the request received by the server will be the
mapped address created by the nat closest to the server. The STUN
server copies that source IP address and port into a STUN response,
and sends it back to the source IP address and port of the STUN
request. For all of the NAT types above, this response will arrive at
the STUN client.
When the STUN client receives the STUN response, it compares the IP
Rosenberg,Weinberger,Huitema,Mahy [Page 5]
Internet Draft stun October 1, 2001
address and port in the packet with the local IP address and port it
bound to when the request was sent. If these do not match, the STUN
client is behind one or more NATs. In the case of a full-cone NAT,
the IP address and port in the body of the STUN response are public,
and can be used by any host on the public Internet to send packets to
the application that sent the STUN request. An application need only
listen on the IP address and port from which the STUN request was
sent, and send the IP address and port learned in the STUN response
to hosts that wish to communicate with it.
Of course, the host may not be behind a full-cone NAT. Indeed, it
doesn't yet know what type of NAT it is behind. To determine that,
the client uses additional STUN requests. The exact procedure is
flexible, but would generally work as follows. The client would send
a second STUN request, this time to a different STUN server, but from
the same source IP address and port. If the IP address and port in
the response are different from those in the first response, the
client knows it is behind a symmetric NAT. To determine if its behind
a full-cone NAT, the client can send a STUN request with flags that
tell the STUN server to send a response from a different IP address
and port than the request was received on. In other words, if the
client sent a request to IP address/port A/B using a source IP
address/port of X/Y, the STUN server would send the response to X/Y
using source IP address/port C/D. If the client receives this
response, it knows it is behind a full cone NAT.
STUN also allows the client to ask the server to send the response
from the same IP address the request was received on, but with a
different port. This can be used to detect whether the client is
behind a port restricted cone nat or just a restricted cone nat.
6 Message Overview
STUN messages are TLV (type-length-value) encoded using big endian
(network ordered) binary. All STUN messages start with a STUN header,
followed by a series of STUN attributes. The STUN header contains a
STUN message type, transaction ID, and length. The message type can
be request or response. The transaction ID is used to correlate
requests and responses. The length indicates the total length of the
STUN message. This allows STUN to run over TCP, although that is not
currently specified.
Several STUN attributes are defined. The first is a MAPPED-ADDRESS
attribute, which is an IP address and port. It is placed in the
response, and it indicates the source IP address and port the server
saw in the request. There is also a RESPONSE-ADDRESS attribute, which
is also an IP address and port. The RESPONSE-ADDRESS attribute can be
present in the request, and indicates where the response is to be
Rosenberg,Weinberger,Huitema,Mahy [Page 6]
Internet Draft stun October 1, 2001
sent. Its optional, and when not present, the response is sent to the
source IP address and port of the request.
The third attribute is the FLAG attribute, and it contains boolean
flags to control behavior. Three flags are defined: "discard",
"change IP" and "change port". The FLAG attribute is allowed only in
the request. The discard attribute tells the server to not send a
reply. The change IP and change port attributes are useful for
determining whether the client is behind a restricted cone nat or
restricted port cone nat. They instruct the server to send the
responses from a different source IP address and port.
The fourth attribute is the CHANGED-ADDRESS attribute. It is present
in responses. It informs the client of the source IP address and port
that would be used if the client requested the "change IP" and
"change port" behavior.
The final attribute is the SOURCE-ADDRESS attribute. It is only
present in responses. It indicates the source IP address and port
where the response was sent from. It is useful for detecting twice
NAT configurations.
7 Server Behavior
If the request contains the flag attribute, and the discard flag is
true, the server MUST discard the request.
The server MUST generate a single response when a request is received
(assuming the request is not discarded). The response MUST contain
the same transaction ID contained in the request. The length in the
message header MUST contain the total length of the message in bytes,
excluding the header. The response MUST have a message type of
"Response".
The server MUST add a MAPPED-ADDRESS attribute to the response. The
IP address component of this attribute MUST be set to the source IP
address observed in the request. The port component of this attribute
MUST be set to the source port observed in the query request.
If the RESPONSE-ADDRESS attribute was absent from the Query request,
the destination address and port of the response MUST be the same as
the source address and port of the request. Otherwise, the
destination address and port of the response MUST be the value of the
IP address and port in the RESPONSE-ADDRESS attribute.
The source address and port of the response are computed as follows.
If the "change port" FLAG was present in the request, the source port
of the response MUST NOT be the same as the destination port of the
Rosenberg,Weinberger,Huitema,Mahy [Page 7]
Internet Draft stun October 1, 2001
query request. If the "change IP" FLAG was present in the request,
the source IP address of the response MUST NOT be the same as the
destination IP address of the query request. Exactly how this is
implemented is a local decision.
The server MUST add a SOURCE-ADDRESS attribute to the response,
containing the address and port used to send the response.
The server MUST add a CHANGED-ADDRESS attribute to the response. This
contains the source IP address and port that would be used if the
client requested the "change IP" and "change port" capabilities of
the server. This address MUST be invariant across requests with the
same source IP address and port for a duration of 10 minutes. In
other words, if the client sends a request from a particular socket,
and the response contains a specific CHANGED-ADDRESS, subsequent
requests from the same socket should return the same CHANGED-ADDRESS.
One potential way to implement the change-IP feature is for the
server to generate its own request, and send it to another server,
running on a different host. That request is the same as the request
received by the first server, except that a RESPONSE-ADDRESS
attribute has been added, containing the source address and port of
the original request. If the server receives a request with a
RESPONSE-ADDRESS attribute, it must send the response to the address
and port in that attribute. The second server will therefore send the
response back to the original client. Since the response is sent by a
different server, the IP address and port are different. This is
shown in Figure 2.
The server SHOULD NOT retransmit the response. Reliability is
achieved by having the client periodically resend the request, each
of which triggers a response from the server.
8 Client Behavior
The behavior of the client is very simple. Its main task is to
discover the STUN server, formulate the request, and handle request
reliability.
8.1 Discovery
Generally, the client will be configured with a domain name of the
provider of the STUN servers. This domain name is resolved to an IP
address and port of using the SRV procedures specified in [8].
Specifically, the service name is "stun". The protocol is "udp". The
procedures of RFC 2782 are followed to determine the server to
Rosenberg,Weinberger,Huitema,Mahy [Page 8]
Internet Draft stun October 1, 2001
+---------+
+-+ | Query |
| | | Server |
| | ------->| 1 |
| |--- +---------+
Query | | |
S:10.0.1.1 ---| | Query |
-- | | S:14.1.2.2 | Query
--- (1) |N| | RESPONSE-ADDRESS=
--- | | |(2) 14.1.2.2
+------+ -- |A| |
| | | | |
|Client| |T| |
| |<--- | | |
+------+ ------ | | //
----| | (3) +---------+
Query | |----- | Query |
Response | | ------| Server |
D: 10.0.1.1 | | Query | 2 |
+-+ Response +---------+
D:14.1.2.2
Figure 2: Sending a response from a different address/port
contact, with the following additions. If an attempt is made to
contact a server, and that attempt results in an ICMP error, or no
response within 30 seconds, the client SHOULD attempt to contact the
next server.
There are some cases where the client needs to discover N servers.
This is done by following the same process as above, but once a
server is found, SRV processing continues until N-1 more are found.
The default port for STUN requests is [to be assigned by IANA].
Administrators SHOULD use this port in their SRV records, but MAY use
others.
This would allow a firewall admin to open the STUN port, so
Rosenberg,Weinberger,Huitema,Mahy [Page 9]
Internet Draft stun October 1, 2001
hosts within the enterprise could access new applications.
Whether they will or won't do this is a good question.
8.2 Formulating the Request
A request formulated by the client follows the syntax rules defined
in Section 10. Any two requests that are not bit-wise identical, or
not sent to the same server from the same IP address and port, MUST
carry different transaction IDs. The transaction ID MUST be uniformly
and randomly chosen between 0 and 2^^32 - 1. The message type of the
request MUST be "Request".
The RESPONSE-ADDRESS attribute is optional in the request. It is used
if the client wishes the response to be sent to a different IP
address and port. This is useful for determining whether the client
is behind a firewall, and for applications that have separated
control and data components. See Section 9.3 for more details. The
FLAGS attribute is also optional. Whether it is present depends on
what the application is trying to accomplish. See Section 9 for some
example uses.
Once formulated, the client sends the request. Reliability is
accomplished through client retransmissions. Clients SHOULD
retransmit the request starting with an interval of 100ms, doubling
every retransmit until the interval reaches 1.6s. Retranmissions
continue with intervals of 1.6s until a total of 9 requests have been
sent, at which time the client SHOULD give up.
The response will contain the MAPPED-ADDRESS and SOURCE-ADDRESS
attributes.
9 Use Cases
The rules of Sections 7 and 8 describe exactly how a client and
server interact to send requests and get responses. However, they do
not dictate how the STUN protocol is used to accomplish useful tasks.
That is at the discretion of the client. Here, we provide some useful
scenarios for applying STUN.
9.1 Discovery Process
In this scenario, a user is running a multimedia application which
needs to determine which of the following scenarios applies to it:
o On the open Internet
o Firewall that blocks UDP
Rosenberg,Weinberger,Huitema,Mahy [Page 10]
Internet Draft stun October 1, 2001
o Firewall that allows UDP out, and responses have to come back
to the source of the request (like a symmetric NAT, but no
translation. We call this symmetric UDP Firewall)
o Full-cone NAT
o Symmetric NAT
o Restricted cone or restricted port cone NAT
Which of the six scenarios applies can be determined through the flow
chart described in Figure 3.
The flow makes use of three tests. In test I, the client sends a STUN
request to a server, without any flags set, and without the
RESPONSE-ADDRESS attribute. This causes the server to send the
response back to the address and port that the request came from.
This response provides the IP address and port for the third party
address that would be used if the source IP and/or port were changed.
In test II, the client sends a request with both the "change IP" and
"change port" flags set. In test II, the client sends a request with
only the "change port" flag set.
The client begins by initiating test I. If this test yields no
response, the client knows right away that it is not capable of UDP
connectivity. If the test produces a response, the client examines
the MAPPED-ADDRESS attribute. If this address is the same as the
local IP address and port of the socket used to send the request, the
client knows that it is not natted. It executes test II. If a
response is received, the client knows that it has open access to the
Internet (or, at least, its behind a firewall that behaves like a
port restricted NAT, but without the translation). If no response is
received, the client knows its behind a symmetric UDP firewall.
In the event that the IP address and port of the socket did not match
the MAPPED-ADDRESS attribute in the response to test I, the client
knows that it is behind a NAT. It performs test II. If a response is
received, the client knows that it is behind a full-cone NAT. If no
response is received, it performs test I again, but this time, does
so to the address from the CHANGED-ADDRESS attribute. If the IP
address returned in the MAPPED-ADDRESS attribute is not the same as
the one from the first test I, the client knows its behind a
symmetric NAT. If the address is the same, the client is either
behind a restricted or port restricted NAT. To make a determination
about which one it is behind, the client initiates test III. If a
response is received, its behind a restricted NAT, and if no response
is received, its behind a port restricted NAT.
Rosenberg,Weinberger,Huitema,Mahy [Page 11]
Internet Draft stun October 1, 2001
This simple procedure yields substantial information about the
operating condition of the client application. In the event of
multiple NATs between the client and the Internet, the type that is
discovered will be the type of the most restrictive NAT between the
client and the Internet. The types of NAT, in order of
restrictiveness, from most to least, are symmetric, port restricted
cone, restricted cone, and full cone.
9.2 Binding Lifetime Discovery
STUN can also be used to discover the lifetimes of the bindings
created by the NAT. To do that, the client first sends a simple
request (no attributes) to server A. The response from A will contain
the CHANGED-ADDRESS attribute. The client sends another simple
request to that address (server B). It then starts a timer with a
value of T seconds. When this timer fires, the client sends a request
to server A, with the "change IP" and "change port" flags set. If the
binding is still active, this response should be received through all
nat types. The client can find the value of the binding lifetime by
doing a binary search through T, arriving eventually at the value
where the response is not received for any timer greater than T, but
is received for any timer less than T.
9.3 Binding Acquisition
Consider once more the case of a VoIP phone. It used the discovery
process above when it started up, to discover its environment. Now,
it wants to make a call. As part of the discovery process, it
determined that it was behind a full-cone NAT.
Consider further that this phone consists of two logically separated
components - a control component that handles signaling, and a media
component that handles the audio, video, and RTP [7]. Because of this
separation of control and media, we wish to minimize the
communication required between them. In fact, they may not even run
on the same host.
In order to make a voice call, the phone needs to obtain an IP
address and port that it can place in the call setup message as the
destination for receiving audio.
To obtain an address, the control component first sends a STUN
request to a server. No flags are present, and neither is the
RESPONSE-ADDRESS field. The response contains a mapped address. The
control component then formulates a second request. This request
contains a RESPONSE-ADDRESS, which is set to that mapped address.
This request is passed to the media component, along with the IP
address and port of the STUN server. The media component sends the
Rosenberg,Weinberger,Huitema,Mahy [Page 12]
Internet Draft stun October 1, 2001
+--------+
| Test |
| I |
+--------+
|
|
V
// //
N / / Y / / Y +--------+
UDP <-------/Resp/---------->/ IP /------------>| Test |
Blocked / ? / /Same/ | II |
/ / /? / +--------+
// // |
| N |
| V
V //
+--------+ Sym. N / /
| Test | UDP <---/Resp/
| II | Firewall / ? /
+--------+ / /
| //
V |Y
// // |
Symmetric N / / +--------+ N / / V
NAT <--- / IP /<-----| Test |<--- /Resp/ Open
/Same/ | I | / ? / Internet
/? / +--------+ / /
// //
| |Y
| |
| V
| Full
| Cone
V //
+--------+ / / Y
| Test |------>/Resp/---->Restricted
| III | / ? /
+--------+ / /
//
|N
| Port
+------>Restricted
Figure 3: Flow for type discovery process
Rosenberg,Weinberger,Huitema,Mahy [Page 13]
Internet Draft stun October 1, 2001
request. The request goes to the STUN server, which sends the
response back to the control component. The control component
receives this, and now has learned an IP address and port that will
be routed back to the media component that sent the request.
The client will be able to receive media from anywhere on this mapped
address.
In the case of silence suppression, there may be periods where the
client receives no media. In this case, the UDP bindings could
timeout (UDP bindings in nats are typically short). To deal with
this, the application can periodically retransmit the query in order
to keep the binding fresh.
It is possible that both participants in the multimedia session are
behind the same NAT. In that case, both will repeat this procedure
above, and both will obtain public address bindings. When one sends
media to the other, the media is routed to the nat, and then turns
right back around to come back into the enterprise, where it is
translated to the private address of the recipient. This is not
particularly efficient, but it does work.
10 Protocol Details
This section presents the detailed encoding of a STUN message.
10.1 Message Header
All STUN messages consist of a 64 bit header:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| STUN Message Type | Message Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Transaction ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Message Types can take on the following values:
0x0001 : Request
0x0101 : Response
The message length is the count, in byes, of the size of the message,
Rosenberg,Weinberger,Huitema,Mahy [Page 14]
Internet Draft stun October 1, 2001
not including the 64 bit header.
The transaction ID is a 32 bit identifier. All responses carry the
same identifier as the request they correspond to.
10.2 Message Attributes
After the header are 0 or more attributes. Each attribute is TLV
encoded, with a 16 bit type, 16 bit length, and variable value:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The following types are defined:
0x0001: MAPPED-ADDRESS
0x0002: RESPONSE-ADDRESS
0x0003: FLAGS
0x0004: SOURCE-ADDRESS
Future extensions MAY define new attributes. If a stun client or
server receives a message with an unknown attribute with a type lower
than or equal to 0x7fff, the message MUST be discarded. If the type
is greater than 0x7fff, the attribute MUST be ignored.
10.2.1 MAPPED-ADDRESS
The MAPPED-ADDRESS attribute indicates the mapped IP address and
port. It consists of a sixteen bit port, eight bit address family,
followed by a fixed length value representing the IP address.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Port | Family | Address ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The port is a network byte ordered representation of the mapped port.
Rosenberg,Weinberger,Huitema,Mahy [Page 15]
Internet Draft stun October 1, 2001
The following families are defined:
0x01: IPv4
0x02: IPv6
For IPv4 addresses, the address is 32 bits. For IPV6, it is 128 bits.
New address families MAY be defined by extensions. A message with an
unknown address family is discarded.
10.2.2 RESPONSE-ADDRESS
The RESPONSE-ADDRESS attribute indicates where the response to a
request is sent. Its syntax is identical to MAPPED-ADDRESS.
10.2.3 CHANGED-ADDRESS
The CHANGED-ADDRESS attribute indicates the IP address and port of a
STUN server where responses will be sent from if the "change IP"
and/or "change port" flags are set. Its syntax is identical to
MAPPED-ADDRESS.
10.2.4 FLAGS
The FLAGS attribute is a series of boolean flags. It is 32 bits long:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|A|B|C| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Only three flags, A,B,C, are currently defined. The other bits MAY be
used by extensions to define additional flags. Unknown flags are
ignored.
Each flag is a binary one if true, zero otherwise.
The meaning of the flags is:
A: This is the "change IP" flag. If true, it requests the server
to send the response with a different IP address than the
one the request was received on.
Rosenberg,Weinberger,Huitema,Mahy [Page 16]
Internet Draft stun October 1, 2001
B: This is the "change port" flag. If true, it requests the
server to send the response with a different port than the
one the request was received on.
C: This is the dicard flag. If true, the message is discarded.
10.2.5 SOURCE-ADDRESS
The SOURCE-ADDRESS attribute is present in responses. It indicates
the source IP address and port that the server is sending the
response from. Its syntax is identical to that of MAPPED-ADDRESS.
11 Security Considerations
Because query servers do not create state or perform any intensive
functions, there is little need for them to even authenticate
clients. In fact, the complexity of authenticating the request is far
greater than just generating the response. Therefore, no
authentication is provided.
The stateless nature of query servers makes them immune to DoS
attacks as well.
Compromise of a STUN server can lead to discovery of open ports.
Knowledge of an open port creates an opportunity for DoS attacks on
those ports (or DDoS attacks if the traversed NAT is a full cone
NAT). Discovering open ports is already fairly trivial using port
probing, so this does not represent a major threat.
STUN servers constitute a reflector type of server, and can therefore
be used as launching grounds for distributed DoS attacks [9]. The
problem is amplified by the existence of the RESPONSE-ADDRESS
attribute, which can render ingress filtering useless in prevention
of attacks. Interestingly, the MAPPED-ADDRESS in the response
provides a form of traceback in order to counter such attacks. An
attacker would need to spoof their source address in order to avoid
the traceback mechanism. Usage of a set of well known ports could
also be useful to enable filtering to prevent the usage of STUN for
reflector attacks [9]. This requires more consideration.
STUN can potentially introduce attacks which result in the theft of
addresses. When a client sends a request, an attacker can guess the
value of the mapped address used by the nat, and quickly generate its
own faked response, sending it to that address. This response would
contain a faked MAPPED-ADDRESS which actually routes to a different
host. This could enable DoS attacks, by using a victim's address, or
theft attacks, by using the address of the host run by the attacker.
More consideration is required to prevent such attacks.
Rosenberg,Weinberger,Huitema,Mahy [Page 17]
Internet Draft stun October 1, 2001
STUN has the important property that compromise of the STUN servers
cannot cause security breaches when the client is within an
enterprise. The only thing that a compromised server can do is return
false addresses, resulting in the inability of the client to receive
any data at all. The protocol is therefore fail safe.
12 Authors Addresses
Jonathan Rosenberg
dynamicsoft
72 Eagle Rock Avenue
First Floor
East Hanover, NJ 07936
email: [email protected]
Joel Weinberger
dynamicsoft
72 Eagle Rock Avenue
First Floor
East Hanover, NJ 07936
email: [email protected]
Christian Huitema
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
email: [email protected]
Rohan Mahy
Cisco Systems
170 West Tasman Dr, MS: SJC-21/3
Phone: +1 408 526 8570
Email: [email protected]
13 Bibliography
[1] D. Senie, "NAT friendly application design guidelines," Internet
Draft, Internet Engineering Task Force, Mar. 2001. Work in progress.
[2] P. Srisuresh, J. Kuthan, and J. Rosenberg, "Middlebox
communication architecture and framework," Internet Draft, Internet
Engineering Task Force, Feb. 2001. Work in progress.
Rosenberg,Weinberger,Huitema,Mahy [Page 18]
Internet Draft stun October 1, 2001
[3] M. Handley, H. Schulzrinne, E. Schooler, and J. Rosenberg, "SIP:
session initiation protocol," Request for Comments 2543, Internet
Engineering Task Force, Mar. 1999.
[4] M. Holdrege and P. Srisuresh, "Protocol complications with the IP
network address translator," Request for Comments 3027, Internet
Engineering Task Force, Jan. 2001.
[5] S. Bradner, "Key words for use in RFCs to indicate requirement
levels," Request for Comments 2119, Internet Engineering Task Force,
Mar. 1997.
[6] C. Huitema, "Short term NAT requirements for UDP based peer-to-
peer applications," Internet Draft, Internet Engineering Task Force,
Feb. 2001. Work in progress.
[7] H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson, "RTP: a
transport protocol for real-time applications," Request for Comments
1889, Internet Engineering Task Force, Jan. 1996.
[8] A. Gulbrandsen, P. Vixie, and L. Esibov, "A DNS RR for specifying
the location of services (DNS SRV)," Request for Comments 2782,
Internet Engineering Task Force, Feb. 2000.
[9] V. Paxson, "An analysis of using reflectors for distributed
denial of service attacks," ACM Computer Communication Review , Vol.
31, July 2001.
Table of Contents
1 Introduction ........................................ 1
2 Terminology ......................................... 3
3 Definitions ......................................... 3
4 NAT Variations ...................................... 3
5 Overview of Operation ............................... 4
6 Message Overview .................................... 6
7 Server Behavior ..................................... 7
8 Client Behavior ..................................... 8
8.1 Discovery ........................................... 8
8.2 Formulating the Request ............................. 10
9 Use Cases ........................................... 10
9.1 Discovery Process ................................... 10
Rosenberg,Weinberger,Huitema,Mahy [Page 19]
Internet Draft stun October 1, 2001
9.2 Binding Lifetime Discovery .......................... 12
9.3 Binding Acquisition ................................. 12
10 Protocol Details .................................... 14
10.1 Message Header ...................................... 14
10.2 Message Attributes .................................. 15
10.2.1 MAPPED-ADDRESS ...................................... 15
10.2.2 RESPONSE-ADDRESS .................................... 16
10.2.3 CHANGED-ADDRESS ..................................... 16
10.2.4 FLAGS ............................................... 16
10.2.5 SOURCE-ADDRESS ...................................... 17
11 Security Considerations ............................. 17
12 Authors Addresses ................................... 18
13 Bibliography ........................................ 18
Rosenberg,Weinberger,Huitema,Mahy [Page 20]
![Windows下配置Apache的SSL服務[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)