IP
... NATs), while providing many benefits,
also come with many drawbacks. The most troublesome of those
drawbacks is the fact that they break many existing IP applications,
and make it difficult to deploy new ones. Guidelines have been
developed [8 ...
... (such as the games described in RFC 3027 [11]) and Voice over IP,
have developed tricks that allow them to operate through NATs without
...
... Full Cone: A full cone NAT is one where all requests from the
same internal IP address and port are mapped to the same external
IP address ...
... IP address and port are mapped to the same external
IP address and port. Furthermore, any external host can send a
...
... Restricted Cone: A restricted cone NAT is one where all requests
from the same internal IP address and port are mapped to the same
external IP address ...
... IP address and port are mapped to the same
external IP address and port. Unlike a full cone NAT, an external
...
... NAT, an external
host (with IP address X) can send a packet to the internal host
only if the internal host ...
... port numbers.
Specifically, an external host can send a packet, with source IP
address X and source port P, to the internal host only if the
...
... Symmetric: A symmetric NAT is one where all requests from the
same internal IP address and port, to a specific destination IP
address and port ...
... same internal IP address and port, to a specific destination IP
address and port, are mapped to the same external IP address and
...
... port, to a specific destination IP
address and port, are mapped to the same external IP address and
port. If the same host ...
... Binding Request to the server, over UDP.
The server examines the source IP address and port of the request,
and copies them into a response that is sent back to the client ...
... STUN client is typically embedded in an application which needs
to obtain a public IP address and port that can be used to receive
data. For example, it might need to obtain an IP address ...
... IP address and port that can be used to receive
data. For example, it might need to obtain an IP address and port to
receive Real Time Transport Protocol ...
... Binding Request is used to discover the presence of a NAT,
and to discover the public IP address and port mappings generated by
the NAT ...
... NAT closest to the server.
The STUN server copies that source IP address and port into a STUN
...
... STUN Binding Response, it compares
the IP address and port in the packet with the local IP address and
...
... the IP address and port in the packet with the local IP address and
port it bound to when the request was sent. If these do not match,
...
... NATs. In the case of a full-
cone NAT, the IP address and port in the body of the STUN response
...
... send packets to the application that sent the STUN request. An
application need only listen on the IP address and port from which
...
... STUN Binding Request, this time to a
different IP address, but from the same source IP address and port.
...
... Binding Request, this time to a
different IP address, but from the same source IP address and port.
If the IP address ...
... source IP address and port.
If the IP address and port in the response are different from those
in the first response, the client ...
... Binding Request with flags that tell the STUN server to send a
response from a different IP address and port than the request was
received on. In other words, if the client ...
... STUN
server would send the Binding Response to X/Y using source IP
address/port C/D. If the client receives this response, it knows it
...
... client to ask the server to send the Binding
Response from the same IP address the request was received on, but
with a different port. This can be used to detect whether the client ...
... STUN attributes are defined. The first is a MAPPED-ADDRESS
attribute, which is an IP address and port. It is always placed in
the Binding ...
... port. It is always placed in
the Binding Response, and it indicates the source IP address and port
the server saw in the Binding ...
... Binding Request. There is also a RESPONSE-
ADDRESS attribute, which contains an IP address and port. The
RESPONSE-ADDRESS ...
... Binding Response is to be sent. It's optional,
and when not present, the Binding Response is sent to the source IP
address and port of the Binding Request.
...
...
The third attribute is the CHANGE-REQUEST attribute, and it contains
two flags to control the IP address and port used to send the
response. These flags are called "change IP ...
... IP address and port used to send the
response. These flags are called "change IP" and "change port"
flags. The CHANGE-REQUEST attribute is allowed only in the Binding ...
... flags. The CHANGE-REQUEST attribute is allowed only in the Binding
Request. The "change IP" and "change port" flags are useful for
determining whether the client ...
... NAT. They instruct the server to send the
Binding Responses from a different source IP address and port. The
CHANGE-REQUEST attribute is optional in the Binding ...
... in Binding Responses. It informs the client of the source IP address
and port that would be used if the client ...
... and port that would be used if the client requested the "change IP"
and "change port" behavior.
...
... ADDRESS attribute. It is only
present in Binding Responses. It indicates the source IP address and
port where the response was sent from. It is useful for detecting
...
... eleventh attribute is the REFLECTED-FROM attribute, which is present
in Binding Responses. It indicates the IP address and port of the
...
... Binding Error Response is sent
to the IP address and port the Binding Request came from, and sent
...
... port the Binding Request came from, and sent
from the IP address and port the Binding Request was sent to.
...
... ADDRESS attribute to the Binding
Response. The IP address component of this attribute MUST be set to
the source IP address observed in the Binding ...
... Response. The IP address component of this attribute MUST be set to
the source IP address observed in the Binding Request. The port
...
... port of the Binding
Response MUST be the value of the IP address and port in the
RESPONSE-ADDRESS ...
... Binding Request was received on, and are summarized in Table 1.
Let Da represent the destination IP address of the Binding Request
(which will be either A1 or A2), and Dp represent the destination
port ...
... flag was set in CHANGE-REQUEST attribute of the Binding Request, and
the "change IP" flag was not set, the source IP address of the
Binding ...
... Binding Request, and
the "change IP" flag was not set, the source IP address of the
Binding Response MUST be Da and the source port ...
... port of the Binding
Response MUST be Cp. If the "change IP" flag was set in the Binding
Request, and the "change port ...
... Binding
Request, and the "change port" flag was not set, the source IP
address of the Binding Response MUST be Ca and the source port of the
...
... port of the
Binding Response MUST be Dp. When both flags are set, the source IP
address of the Binding Response MUST be Ca and the source port of the
...
... Binding Response MUST be Cp. If neither flag is set, or if the
CHANGE-REQUEST attribute is absent entirely, the source IP address of
the Binding Response MUST be Da and the source port ...
... ADDRESS attribute to the Binding
Response. This contains the source IP address and port that would be
used if the client ...
... port that would be
used if the client had set the "change IP" and "change port" flags in
the Binding ...
... Shared Secret Request, the REFLECTED-FROM attribute MUST contain the
source IP address and port where that Shared Secret Request came
...
... username was not present in the request, and
the server was willing to process the request, the REFLECTED-FROM
attribute SHOULD contain the source IP address and port where the
request came from.
...
... Shared Secret Error Response is
sent to the source IP address and port that the request came from.
...
... prefix is some random text string (different for each shared
secret request), rounded-time is the current time modulo 20 minutes,
clientIP is the source IP address where the Shared Secret Request
came from, and hmac is an HMAC ...
... username itself, which will be present in
the Binding Request, contains the source IP address where the Shared
Secret Request came from. That allows the server to meet the
requirements ...
... provider of the STUN servers. This domain name is resolved to an IP
address and port using the SRV procedures specified in RFC 2782prop ...
... lookup
of the domain name. The result will be a list of IP addresses, each
of which can be contacted at the default port.
...
... client treats the
domain name or IP address used in Section 9.1 as the host portion of
the URI ...
... defined in Section 11. Any two requests that are not bit-wise
identical, and not sent to the same server from the same IP address
and port, MUST carry different transaction ...
... It is used if the client wishes the response to be sent to a
different IP address and port than the one the request was sent from.
This is useful for determining whether the client ...
... client sends a
Binding Request with both the "change IP" and "change port" flags
from the CHANGE-REQUEST attribute set. In test III, the client ...
... ADDRESS attribute. If this address and port are the same
as the local IP address and port of the socket used to send the
...
... address and port from the CHANGED-ADDRESS attribute
from the response to test I. If the IP address and port returned in
the MAPPED-ADDRESS ...
... N / \ Y / \ Y +--------+
UDP <-------/Resp\--------->/ IP \------------->| Test |
Blocked \ ? / \Same/ | II |
\ / \? / +--------+
...
... Symmetric N / \ +--------+ N / \ V
NAT <--- / IP \<-----| Test |<--- /Resp\ Open
\Same/ | I | \ ? / Internet
...
...
In order to make a voice call, the phone needs to obtain an IP
address and port that it can place in the call setup message as the
destination ...
... Binding Response. This Binding
Request is passed to the media component, along with the IP address
and port of the STUN ...
... Binding Response back to the control component. The control
component receives this, and now has learned an IP address and port
that will be routed back to the media component that sent the
...
...
The MAPPED-ADDRESS attribute indicates the mapped IP address and
port. It consists of an eight bit ...
...
The CHANGED-ADDRESS attribute indicates the IP address and port where
responses would have been sent from if the "change IP ...
... IP address and port where
responses would have been sent from if the "change IP" and "change
port" flags had been set in the CHANGE-REQUEST attribute of the
...
... The meaning of the flags is:
A: This is the "change IP" flag. If true, it requests the server
to send the Binding Response with a different IP address ...
... IP" flag. If true, it requests the server
to send the Binding Response with a different IP address than the
one the Binding Request was received on.
...
... ADDRESS attribute is present in Binding Responses. It
indicates the source IP address and port that the server is sending
the response from. Its syntax is identical to that of MAPPED-
...
... ADDRESS attribute. The
attribute contains the identity (in terms of IP address) of the
source where the request came from. Its purpose is to provide
traceability, so that a STUN ...
... ADDRESS. The MAPPED-ADDRESS it
provides is an IP address that routes to nowhere. As a result, the
client won't receive any of the packets it expects to receive when it
...
... can compromise the DNS, it can inject fake records which map a domain
name to the IP address of a STUN server run by the attacker. This
...
... STUN request towards the server. This STUN request is identical to
the one it saw, but with a spoofed source IP address. The spoofed
address is equal to the one that the attacker ...
... DoS attack against the STUN
server or the IP network, to prevent the valid response from being
sent or received, is problematic. The attacker ...
... address bindings will result in an
increase in latency for applications. For example, a Voice over
IP application will see an increase of call setup delays equal to
at least one RTT to the STUN ...
... X, and sends it to client B, B may not be able to send to A using
that IP address. The address will not work if any of the
following is true:
...
... That is because some NATs will not accept an internal packet
sent to a public IP address which is mapped back to an internal
address. To deal with this, additional protocol mechanisms or
...
... Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827 ...
... Holdrege, M. and P. Srisuresh, "Protocol Complications with the IP Network Address Translator", RFC 3027, January 2001. ...
