1 - 3 - 4 - 6 - 8 - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - Q - R - S - T - U - V - W
address
Click on the red underlined text to get to the source
... NAT devices are deployed. STUN does not
work when it is used to obtain an address to communicate with a peer
which happens to be behind the same NAT. STUN ...
... STUN does not work when the
STUN server is not in a common shared address realm. For a more
complete discussion of the limitations of STUN ...
...
Network Address Translators (NATs), while providing many benefits,
also come with many drawbacks. The most troublesome of those
...
... this involves rewriting application layer messages to contain
translated addresses, rather than the ones inserted by the sender of
the message. ALGs ...
... Full Cone: A full cone NAT is one where all requests from the
same internal IP address and port are mapped to the same external
IP address ...
... IP address and port are mapped to the same external
IP address and port. Furthermore, any external host can send a
...
... packet to the internal host, by sending a packet to the mapped
external address.
Restricted Cone: A restricted cone NAT ...
... Restricted Cone: A restricted cone NAT is one where all requests
from the same internal IP address and port are mapped to the same
external IP address ...
... IP address and port are mapped to the same
external IP address and port. Unlike a full cone NAT, an external
...
... NAT, an external
host (with IP address X) can send a packet to the internal host
only if the internal host ...
... port numbers.
Specifically, an external host can send a packet, with source IP
address X and source port P, to the internal host only if the
...
... Symmetric: A symmetric NAT is one where all requests from the
same internal IP address and port, to a specific destination IP
address and port ...
... same internal IP address and port, to a specific destination IP
address and port, are mapped to the same external IP address and
...
... port, to a specific destination IP
address and port, are mapped to the same external IP address and
port. If the same host ...
... port. If the same host sends a packet with the same source
address and port, but to a different destination, a different
...
... Binding Request to the server, over UDP.
The server examines the source IP address and port of the request,
and copies them into a response that is sent back to the client ...
... client to ask
that the response be sent elsewhere, or that the server send the
response from a different address and port. There are attributes for
providing message integrity and authentication ...
... STUN client is typically embedded in an application which needs
to obtain a public IP address and port that can be used to receive
data. For example, it might need to obtain an IP address ...
... IP address and port that can be used to receive
data. For example, it might need to obtain an IP address and port to
receive Real Time Transport Protocol ...
... NAT). Of course, a client can determine the
address or domain name of a STUN server through other means. A STUN ...
... Binding Request is used to discover the presence of a NAT,
and to discover the public IP address and port mappings generated by
the NAT ...
... client and the STUN server.
As a result, the source address of the request received by the server
will be the mapped address ...
... source address of the request received by the server
will be the mapped address created by the NAT closest to the server.
...
... NAT closest to the server.
The STUN server copies that source IP address and port into a STUN
...
... STUN Binding Response, it compares
the IP address and port in the packet with the local IP address and
...
... the IP address and port in the packet with the local IP address and
port it bound to when the request was sent. If these do not match,
...
... NATs. In the case of a full-
cone NAT, the IP address and port in the body of the STUN response
...
... send packets to the application that sent the STUN request. An
application need only listen on the IP address and port from which
...
... STUN request was sent. Any packets sent by a host on the public
Internet to the public address and port learned by STUN will be
received by the application.
...
... STUN Binding Request, this time to a
different IP address, but from the same source IP address and port.
...
... Binding Request, this time to a
different IP address, but from the same source IP address and port.
If the IP address ...
... source IP address and port.
If the IP address and port in the response are different from those
in the first response, the client ...
... Binding Request with flags that tell the STUN server to send a
response from a different IP address and port than the request was
received on. In other words, if the client ...
... STUN
server would send the Binding Response to X/Y using source IP
address/port C/D. If the client receives this response, it knows it
...
... client to ask the server to send the Binding
Response from the same IP address the request was received on, but
with a different port. This can be used to detect whether the client ...
... by the client, and if the client is trying
to obtain a publicly routable address, that the server reside on the
public Internet.
...
...
Several STUN attributes are defined. The first is a MAPPED-ADDRESS
attribute, which is an IP address and port ...
... STUN attributes are defined. The first is a MAPPED-ADDRESS
attribute, which is an IP address and port. It is always placed in
the Binding ...
... port. It is always placed in
the Binding Response, and it indicates the source IP address and port
the server saw in the Binding ...
... the server saw in the Binding Request. There is also a RESPONSE-
ADDRESS attribute, which contains an IP address and port. The
...
... Binding Request. There is also a RESPONSE-
ADDRESS attribute, which contains an IP address and port. The
RESPONSE-ADDRESS ...
... IP address and port. The
RESPONSE-ADDRESS attribute can be present in the Binding Request, and
indicates where the Binding ...
... Binding Response is to be sent. It's optional,
and when not present, the Binding Response is sent to the source IP
address and port of the Binding Request.
...
...
The third attribute is the CHANGE-REQUEST attribute, and it contains
two flags to control the IP address and port used to send the
response. These flags are called "change IP ...
... NAT. They instruct the server to send the
Binding Responses from a different source IP address and port. The
CHANGE-REQUEST attribute is optional in the Binding ...
... Binding Request.
The fourth attribute is the CHANGED-ADDRESS attribute. It is present
in Binding Responses. It informs the client ...
... in Binding Responses. It informs the client of the source IP address
and port that would be used if the client ...
... port" behavior.
The fifth attribute is the SOURCE-ADDRESS attribute. It is only
present in Binding Responses. It indicates the source IP address ...
... ADDRESS attribute. It is only
present in Binding Responses. It indicates the source IP address and
port where the response was sent from. It is useful for detecting
...
... eleventh attribute is the REFLECTED-FROM attribute, which is present
in Binding Responses. It indicates the IP address and port of the
...
... STUN server MUST be prepared to receive Binding Requests on four
address/port combinations - (A1, P1), (A2, P1), (A1, P2), and (A2,
P2). (A1, P1) represent the primary address and port ...
... address/port combinations - (A1, P1), (A2, P1), (A1, P2), and (A2,
P2). (A1, P1) represent the primary address and port, and these are
the ones obtained through the client discovery procedures below.
...
... are arbitrary. A2 and P2 are advertised by the server through the
CHANGED-ADDRESS attribute, as described below.
It is RECOMMENDED that the server check the Binding ...
... Binding Error Response is sent
to the IP address and port the Binding Request came from, and sent
...
... port the Binding Request came from, and sent
from the IP address and port the Binding Request was sent to.
...
... Binding Response".
The server MUST add a MAPPED-ADDRESS attribute to the Binding
Response. The IP address ...
... ADDRESS attribute to the Binding
Response. The IP address component of this attribute MUST be set to
the source IP address observed in the Binding ...
... Response. The IP address component of this attribute MUST be set to
the source IP address observed in the Binding Request. The port
...
... Binding Request.
If the RESPONSE-ADDRESS attribute was absent from the Binding
Request, the destination address ...
... ADDRESS attribute was absent from the Binding
Request, the destination address and port of the Binding Response
...
... port of the Binding
Response MUST be the value of the IP address and port in the
RESPONSE-ADDRESS ...
... port of the Binding Response depend on the
value of the CHANGE-REQUEST attribute and on the address and port the
Binding Request was received on, and are summarized in Table 1.
...
... Binding Request was received on, and are summarized in Table 1.
Let Da represent the destination IP address of the Binding Request
(which will be either A1 or A2), and Dp represent the destination
port ...
... destination
port of the Binding Request (which will be either P1 or P2). Let Ca
represent the other address, so that if Da is A1, Ca is A2. If Da is
A2, Ca is A1. Similarly, let Cp represent the other port, so that if
...
... Binding Request, and
the "change IP" flag was not set, the source IP address of the
Binding Response MUST be Da and the source port ...
... Binding
Request, and the "change port" flag was not set, the source IP
address of the Binding Response MUST be Ca and the source port of the
...
... port of the
Binding Response MUST be Dp. When both flags are set, the source IP
address of the Binding Response MUST be Ca and the source port of the
...
... Binding Response MUST be Cp. If neither flag is set, or if the
CHANGE-REQUEST attribute is absent entirely, the source IP address of
the Binding Response MUST be Da and the source port ...
... port Ca Cp Ca:Cp
Table 1: Impact of Flags on Packet Source and CHANGED-ADDRESS
The server MUST add a SOURCE-ADDRESS ...
... ADDRESS
The server MUST add a SOURCE-ADDRESS attribute to the Binding
Response, containing the source address ...
... ADDRESS attribute to the Binding
Response, containing the source address and port used to send the
Binding ...
... Binding Response.
The server MUST add a CHANGED-ADDRESS attribute to the Binding
Response. This contains the source IP address ...
... ADDRESS attribute to the Binding
Response. This contains the source IP address and port that would be
used if the client ...
...
If the Binding Request contained a RESPONSE-ADDRESS attribute, the
server MUST add a REFLECTED-FROM attribute to the response. If the
Binding ...
... Shared Secret Request, the REFLECTED-FROM attribute MUST contain the
source IP address and port where that Shared Secret Request came
...
... a Shared Secret Request, the REFLECTED-FROM attribute MUST contain
the source address and port of the entity which obtained the
...
... username was not present in the request, and
the server was willing to process the request, the REFLECTED-FROM
attribute SHOULD contain the source IP address and port where the
request came from.
...
... Shared Secret Error Response is
sent to the source IP address and port that the request came from.
...
... prefix is some random text string (different for each shared
secret request), rounded-time is the current time modulo 20 minutes,
clientIP is the source IP address where the Shared Secret Request
came from, and hmac is an HMAC ...
... username itself, which will be present in
the Binding Request, contains the source IP address where the Shared
Secret Request came from. That allows the server to meet the
requirements ...
... provider of the STUN servers. This domain name is resolved to an IP
address and port using the SRV procedures specified in RFC 2782prop ...
... SRV records are sorted and then tried. However, it only states that
the client should "try to connect to the (protocol, address,
service)" without giving any details on what happens in the event of
...
... lookup
of the domain name. The result will be a list of IP addresses, each
of which can be contacted at the default port.
...
... client opens up the connection to
that address and port, and immediately begins TLS negotiation [2].
...
... client treats the
domain name or IP address used in Section 9.1 as the host portion of
the URI ...
... defined in Section 11. Any two requests that are not bit-wise
identical, and not sent to the same server from the same IP address
and port, MUST carry different transaction ...
... Binding Request".
The RESPONSE-ADDRESS attribute is optional in the Binding Request.
It is used if the client ...
... It is used if the client wishes the response to be sent to a
different IP address and port than the one the request was sent from.
This is useful for determining whether the client ...
... Error
Response. Binding Error Responses are always received on the source
address and port the request was sent from. A Binding Response will
...
... Binding Response will
be received on the address and port placed in the RESPONSE-ADDRESS
attribute of the request. If none was present, the Binding ...
...
be received on the address and port placed in the RESPONSE-ADDRESS
attribute of the request. If none was present, the Binding Responses
...
... attribute of the request. If none was present, the Binding Responses
will be received on the source address and port the request was sent
from.
...
... Binding Error Responses, for example) or
different MAPPED-ADDRESSes, it is an indication of a possible attack.
The client ...
... attack.
The client MUST NOT use the MAPPED-ADDRESS from any of the responses
it received (either the first or the additional ones), and SHOULD
alert ...
... Responses as the number of Binding Requests it sent, it MUST NOT use
the MAPPED-ADDRESS from any of those responses, and SHOULD alert the
user about a potential attack ...
... If the Binding Response is authenticated, and the MAPPED-ADDRESS was
not discarded because of a potential attack, the CLIENT ...
... STUN Binding Request to a server, without any flags set in the
CHANGE-REQUEST attribute, and without the RESPONSE-ADDRESS attribute.
This causes the server to send the response back to the address and
port that the request came from. In test II, the client ...
... CHANGE-REQUEST attribute, and without the RESPONSE-ADDRESS attribute.
This causes the server to send the response back to the address and
port that the request came from. In test II, the client sends a
Binding ...
... connectivity. If the test produces a response, the client examines
the MAPPED-ADDRESS attribute. If this address and port are the same
as the local IP address ...
... client examines
the MAPPED-ADDRESS attribute. If this address and port are the same
as the local IP address and port ...
... ADDRESS attribute. If this address and port are the same
as the local IP address and port of the socket used to send the
...
... port of the socket did not match
the MAPPED-ADDRESS attribute in the response to test I, the client
knows that it is behind a NAT ...
... NAT. If
no response is received, it performs test I again, but this time,
does so to the address and port from the CHANGED-ADDRESS attribute
from the response to test I. If the IP address ...
... no response is received, it performs test I again, but this time,
does so to the address and port from the CHANGED-ADDRESS attribute
from the response to test I. If the IP address and port ...
... address and port from the CHANGED-ADDRESS attribute
from the response to test I. If the IP address and port returned in
the MAPPED-ADDRESS ...
... IP address and port returned in
the MAPPED-ADDRESS attribute are not the same as the ones from the
first test I, the client knows its behind a symmetric NAT ...
... client knows its behind a symmetric NAT. If the
address and port are the same, the client is either behind a
restricted or port ...
... note that when the discovery process is redone, it should not
generally be done from the same local address and port used in the
previous discovery process. If the same local address ...
... local address and port used in the
previous discovery process. If the same local address and port are
reused, bindings ...
... bindings from the previous test may still be in existence,
and these will invalidate the results of the test. Using a different
local address and port for subsequent tests resolves this problem.
An alternative is to wait sufficiently long to be confident that the
...
... binding in the NAT. The response from the server contains a MAPPED-
ADDRESS attribute, providing the public address and port on the NAT.
...
... NAT. The response from the server contains a MAPPED-
ADDRESS attribute, providing the public address and port on the NAT.
Call this Pa and Pp, respectively. The client ...
... client sends
another Binding Request to the server, using the same destination
address and port, but from a different socket, Y. This request
...
... port, but from a different socket, Y. This request
contains a RESPONSE-ADDRESS address attribute, set to (Pa,Pp). This
will create ...
... socket, Y. This request
contains a RESPONSE-ADDRESS address attribute, set to (Pa,Pp). This
will create a new binding ...
... binding
expired, and the NAT allocated the same public address and port to
the new binding), or receives no response at all, it knows that the
...
...
In order to make a voice call, the phone needs to obtain an IP
address and port that it can place in the call setup message as the
destination ...
... audio.
To obtain an address, the control component sends a Shared Secret
Request to the server, obtains a shared secret ...
... Binding Request to the server. No CHANGE-REQUEST attribute is
present in the Binding Request, and neither is the RESPONSE-ADDRESS
attribute. The Binding Response contains a mapped address ...
... ADDRESS
attribute. The Binding Response contains a mapped address. The
control component then formulates a second Binding Request. This
...
... control component then formulates a second Binding Request. This
request contains a RESPONSE-ADDRESS, which is set to the mapped
address learned from the previous Binding Response. This Binding ...
... Binding Request. This
request contains a RESPONSE-ADDRESS, which is set to the mapped
address learned from the previous Binding Response. This Binding
...
... Binding Response. This Binding
Request is passed to the media component, along with the IP address
and port of the STUN ...
... Binding Response back to the control component. The control
component receives this, and now has learned an IP address and port
that will be routed back to the media component that sent the
...
...
The client will be able to receive media from anywhere on this mapped
address.
In the case of silence suppression, there may be periods where the
...
... behind the same NAT. In that case, both will repeat this procedure
above, and both will obtain public address bindings. When one sends
media to the other, the media is routed to the NAT, and then turns
...
... NAT, and then turns
right back around to come back into the enterprise, where it is
translated to the private address of the recipient. This is not
particularly efficient, and unfortunately, does not work in many
commercial NATs ...
... 0x0001: MAPPED-ADDRESS
0x0002: RESPONSE-ADDRESS
0x0003: CHANGE-REQUEST
0x0004: SOURCE-ADDRESS ...
... INTEGRITY attribute MUST be the last attribute within a
message. Any attributes that are known, but are not supposed to be
present in a message (MAPPED-ADDRESS in a request, for example) MUST
be ignored.
...
... Resp.
_____________________________________________________________________
MAPPED-ADDRESS N/A M N/A N/A N/A N/A
RESPONSE-ADDRESS O N/A N/A N/A N/A N/A
...
... MAPPED-ADDRESS N/A M N/A N/A N/A N/A
RESPONSE-ADDRESS O N/A N/A N/A N/A N/A
CHANGE-REQUEST O N/A N/A N/A N/A N/A
SOURCE-ADDRESS ...
... ADDRESS O N/A N/A N/A N/A N/A
CHANGE-REQUEST O N/A N/A N/A N/A N/A
SOURCE-ADDRESS N/A M N/A N/A N/A N/A
CHANGED-ADDRESS N/A M N/A N/A N/A N/A
...
... SOURCE-ADDRESS N/A M N/A N/A N/A N/A
CHANGED-ADDRESS N/A M N/A N/A N/A N/A
USERNAME O N/A N/A N/A M N/A
...
... MAPPED-ADDRESS ...
...
The MAPPED-ADDRESS attribute indicates the mapped IP address and
port. It consists of an eight bit ...
... Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
...
... network byte ordered representation of the mapped port.
The address family is always 0x01, corresponding to IPv4. The first
8 bits ...
... IPv4. The first
8 bits of the MAPPED-ADDRESS are ignored, for the purposes of
aligning parameters on natural boundaries. The IPv4 address is 32
bits ...
... 8 bits of the MAPPED-ADDRESS are ignored, for the purposes of
aligning parameters on natural boundaries. The IPv4 address is 32
bits.
...
... RESPONSE-ADDRESS ...
...
The RESPONSE-ADDRESS attribute indicates where the response to a
Binding Request should be sent. Its syntax is identical to MAPPED-
...
... CHANGED-ADDRESS ...
...
The CHANGED-ADDRESS attribute indicates the IP address and port where
responses would have been sent from if the "change IP ...
... Binding
Response, independent of the value of the flags. Its syntax is
identical to MAPPED-ADDRESS.
...
... The CHANGE-REQUEST attribute is used by the client to request that
the server use a different address and/or port when sending the
response. The attribute is 32 bits ...
... IP" flag. If true, it requests the server
to send the Binding Response with a different IP address than the
one the Binding Request was received on.
...
... SOURCE-ADDRESS ...
...
The SOURCE-ADDRESS attribute is present in Binding Responses. It
indicates the source IP address ...
... ADDRESS attribute is present in Binding Responses. It
indicates the source IP address and port that the server is sending
the response from. Its syntax is identical to that of MAPPED-
...
... port that the server is sending
the response from. Its syntax is identical to that of MAPPED-
ADDRESS.
...
... Binding Responses,
when the Binding Request contained a RESPONSE-ADDRESS attribute. The
attribute contains the identity (in terms of IP address ...
... ADDRESS attribute. The
attribute contains the identity (in terms of IP address) of the
source where the request came from. Its purpose is to provide
traceability, so that a STUN ...
... denial-of-service attacks.
Its syntax is identical to the MAPPED-ADDRESS attribute.
...
... STUN request, in order to provide the client with a faked
MAPPED-ADDRESS. The attacks that can be launched using such a
technique include:
...
... attacker provides a large number of clients with
the same faked MAPPED-ADDRESS that points to the intended target.
This will trick all the STUN ...
... STUN clients into thinking that their
addresses are equal to that of the target. The clients then hand out
...
... target. The clients then hand out
that address in order to receive traffic on it (for example, in SIP
...
... attacker provides
that client with a faked MAPPED-ADDRESS. The MAPPED-ADDRESS it
provides is an IP address ...
... that client with a faked MAPPED-ADDRESS. The MAPPED-ADDRESS it
provides is an IP address that routes to nowhere. As a result, the
...
... ADDRESS. The MAPPED-ADDRESS it
provides is an IP address that routes to nowhere. As a result, the
client won't receive any of the packets it expects to receive when it
...
... client won't receive any of the packets it expects to receive when it
hands out the MAPPED-ADDRESS.
This exploitation is not very interesting for the attacker ...
... attack is similar to attack II. However, the faked MAPPED-
ADDRESS points to the attacker themself. This allows the attacker to
...
... forces the client to use a MAPPED-
ADDRESS that routes to itself. It then forwards any packets it
receives to the client. This attack ...
... It is important to note that attacks of this nature (injecting
responses with fake MAPPED-ADDRESSes) require that the attacker be
capable of eavesdropping requests sent from the client to the server ...
... Since all of the above attacks rely on this one primitive - injecting
a response with a faked MAPPED-ADDRESS - preventing the attacks is
accomplished by preventing this one operation. To prevent it, we
...
... can compromise the DNS, it can inject fake records which map a domain
name to the IP address of a STUN server run by the attacker. This
...
... attacker can cause a STUN
server to generate responses with the wrong MAPPED-ADDRESS by
compromising a router or NAT ...
... router or
NAT, it rewrites the source address of the packet to be that of the
desired MAPPED-ADDRESS. This address ...
... NAT, it rewrites the source address of the packet to be that of the
desired MAPPED-ADDRESS. This address cannot be arbitrary. If the
attacker ...
... source address of the packet to be that of the
desired MAPPED-ADDRESS. This address cannot be arbitrary. If the
attacker is on the public Internet ...
... attacker doesn't modify the
STUN request, the address has to have the property that packets sent
from the STUN server to that address ...
... address has to have the property that packets sent
from the STUN server to that address would route through the
compromised router ...
... router. This is because the STUN server will send the
responses back to the source address of the request. With a modified
source address, the only way they can reach the client ...
... responses back to the source address of the request. With a modified
source address, the only way they can reach the client is if the
compromised router ...
... public Internet, but they can modify the STUN request, they can
insert a RESPONSE-ADDRESS attribute into the request, containing the
actual source address of the STUN ...
... insert a RESPONSE-ADDRESS attribute into the request, containing the
actual source address of the STUN request. This will cause the
server to send the response to the client ...
... STUN request. This will cause the
server to send the response to the client, independent of the source
address the STUN server sees. This gives the attacker the ability to
...
... STUN server sees. This gives the attacker the ability to
forge an arbitrary source address when it forwards the STUN request.
...
... They will only be able force the STUN server to generate MAPPED-
ADDRESSes which route to the private network. This is because the
...
... NAT between the attacker and the STUN server will rewrite the source
address of the STUN request, mapping it to a public address that
...
... STUN server will rewrite the source
address of the STUN request, mapping it to a public address that
routes to the private network. Because of this, the attacker ...
... private network. Because of this, the attacker can
only force the server to generate faked mapped addresses that route
to the private network ...
... private network. Unfortunately, it is possible that a low
quality NAT would be willing to map an allocated public address to
another public address (as opposed to an internal private address ...
... NAT would be willing to map an allocated public address to
another public address (as opposed to an internal private address),
in which case the attacker ...
... address to
another public address (as opposed to an internal private address),
in which case the attacker could forge the source address ...
... address),
in which case the attacker could forge the source address in a STUN
request to be an arbitrary public address ...
... source address in a STUN
request to be an arbitrary public address. This kind of behavior
from NATs does appear to be rare.
...
... request, and generate a STUN response directly with any desired value
of the MAPPED-ADDRESS field. Alternatively, it can forward the STUN
request to the server (after potential modification), receive the
...
... attack is subject to the same limitations on the
MAPPED-ADDRESS described in Section 12.2.3.
...
... STUN server, and
generates its own STUN response with the desired MAPPED-ADDRESS
value. The STUN response generated by the attacker ...
... STUN request towards the server. This STUN request is identical to
the one it saw, but with a spoofed source IP address. The spoofed
address is equal to the one that the attacker ...
... the one it saw, but with a spoofed source IP address. The spoofed
address is equal to the one that the attacker desires to have placed
in the MAPPED-ADDRESS ...
... address is equal to the one that the attacker desires to have placed
in the MAPPED-ADDRESS of the STUN response. In fact, the attacker
...
... STUN client. These responses
are all identical and all contain the MAPPED-ADDRESS that the
attacker wanted the client ...
... documented in Section 12.2.3, which limit the range of MAPPED-
ADDRESSes the attacker can cause the STUN server to generate.
...
... attacks above rely on the client taking the
mapped address it learned from STUN, and using it in application
layer protocols. If encryption ...
... attacks can be prevented. As such, applications that make use of
STUN addresses in application protocols SHOULD use integrity and
encryption, even if a SHOULD level strength is not specified for that
...
... integrity and
encryption, even if a SHOULD level strength is not specified for that
protocol. For example, multimedia applications using STUN addresses
to receive RTP traffic ...
... signatures. Both approaches are most potent when the
attacker can modify the request, inserting a RESPONSE-ADDRESS that
routes to the client. Fortunately, such modifications are
...
... Section 9.3. However, these three approaches are still functional
when the attacker modifies nothing but the source address of the STUN
request. Sadly, this is the one thing that cannot be protected
...
... attacker
wishes to convince client C that it has address V. The attacker
needs to have a network element ...
...
The IAB has studied the problem of "Unilateral Self Address Fixing",
which is the general process by which a client attempts to determine
...
... which is the general process by which a client attempts to determine
its address in another realm on the other side of a NAT through a
collaborative protocol reflection mechanism (RFC 3424 ...
...
o Provide a means for a client to obtain an address on the public
Internet from a non-symmetric NAT, for the express purpose of
...
... detection operation that is performed as a precursor to the actual
UNSAF address-fixing operation. This discovery operation, documented
in Section 10.1, attempts to discover the existence of, and type of,
any NATS between the client ...
... STUN (which also resides at the application layer), first allocate an
address binding using midcom. However, it is a well-known limitation
of midcom that it only works when the agent ...
... public Internet to the client. If this is the case, the
application can continue operation using the address bindings
allocated from midcom. If it is not the case, STUN provides a
...
... allocated from midcom. If it is not the case, STUN provides a
mechanism for self-address fixing through the remaining midcom-
unaware middleboxes. Thus, STUN provides a way to help transition to
...
... NATs,
the binding acquisition will not yield a usable address. The
tight dependency on the specific type of NAT makes the protocol
...
... STUN assumes that the server exists on the public Internet. If
the server is located in another private address realm, the user
may or may not be able to use its discovered address to
...
... the server is located in another private address realm, the user
may or may not be able to use its discovered address to
communicate with other users. There is no way to detect such a
condition.
...
...
o The use of STUN to discover address bindings will result in an
increase in latency for applications. For example, a Voice over
IP ...
... network topologies for
proper operation. If client A obtains an address from STUN server
X, and sends it to client ...
... X, and sends it to client B, B may not be able to send to A using
that IP address. The address will not work if any of the
following is true:
...
... client B, B may not be able to send to A using
that IP address. The address will not work if any of the
following is true:
...
...
- The STUN server is not in an address realm that is a common
ancestor (topologically) of both clients A and B. For example,
...
... STUN server used by A is in A's cable
operator's network, an address obtained by it will not be
usable by B. The STUN server must be in the network ...
...
- The STUN server is in an address realm that is a common
ancestor to both clients, but both clients ...
... clients are behind the same
NAT connecting to that address realm. For example, if the two
clients in the previous example had the same cable operator,
...
... public Internet, and the STUN server was on the public
Internet, the address obtained by A would not be usable by B.
That is because some NATs will not accept an internal packet
...
... That is because some NATs will not accept an internal packet
sent to a public IP address which is mapped back to an internal
address. To deal with this, additional protocol mechanisms or
...
... NATs will not accept an internal packet
sent to a public IP address which is mapped back to an internal
address. To deal with this, additional protocol mechanisms or
configuration parameters ...
... controls needs to be extremely limited - typically, allocating a
binding to reach the address where the control packets are coming
from.
...
... STUN has
found is in the area of VoIP, to facilitate allocation of addresses
for receiving RTP ...
... Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827 ...
... Senie, D., "Network Address Translator (NAT)-Friendly Application Design Guidelines", RFC 3235, January 2002. ...
... Holdrege, M. and P. Srisuresh, "Protocol Complications with the IP Network Address Translator", RFC 3027, January 2001. ...
... Daigle, L., Editor, "IAB Considerations for UNilateral Self- Address Fixing (UNSAF) Across Network Address Translation", RFC