STUN
... NAT, but only through a subset of
existing NAT types. In particular, STUN does not enable incoming UDP
packets through symmetric NATs (defined below), which are common in
large enterprises. STUN's discovery procedures are based on
assumptions on NAT treatment of UDP; such assumptions may prove
invalid down the road as new NAT devices are deployed. STUN does not
work when it is used to obtain an address to communicate with a peer
which happens to be behind the same NAT. STUN does not work when the
STUN server is not in a common shared address realm. For a more
complete discussion ...
... UDP Through NAT
(STUN), allows entities behind a NAT to first discover the presence
of a NAT ...
... bindings allocated by the NAT. STUN requires no changes to NATs, and
works with an arbitrary number of NATs ...
... is an entity that generates STUN requests. A STUN client can
execute on an end system, such as a user's PC ...
... network element, such as a conferencing server.
STUN Server: A STUN Server (also just referred to as a server)
is an entity that receives STUN requests, and sends STUN
responses. STUN servers are generally attached to the public
Internet.
...
...
[Figure 1: STUN Server]
...
...
The typical STUN configuration is shown in Figure 1. A STUN client
is connected to private network ...
... Private network 2 connects to the public
Internet through NAT 2. The STUN server resides on the public
Internet.
...
... authentication.
The trick is using STUN to discover the presence of NAT, and to learn
and use the bindings they allocate.
The STUN client is typically embedded in an application which needs
to obtain a public IP address ...
... STUN client within the application sends a
STUN Shared Secret Request to its server, obtains a username and
password, and then sends it a Binding Request. STUN servers can be
discovered through DNS SRV records [3 ...
... that the client is configured with the domain to use to find the STUN
server. Generally, this will be the domain of the provider ...
... service the application is using (such a provider is incented to
deploy STUN servers in order to allow its customers to use its
application through NAT ...
... address or domain name of a STUN server through other means. A STUN
server can even be embedded within an end system.
...
The STUN Binding Request is used to discover the presence of a NAT,
...
... UDP.
When a Binding Request arrives at the STUN server, it may have passed
through one or more NATs between the STUN client and the STUN server.
As a result, the source address of the request received by the server ...
... created by the NAT closest to the server.
The STUN server copies that source IP address and port into a STUN
Binding Response, and sends it back to the source IP address and port
of the STUN request. For all of the NAT types above, this response
will arrive at the STUN ...
... port it bound to when the request was sent. If these do not match,
the STUN client is behind one or more NATs. In the case of a full-
...
... NAT, the IP address and port in the body of the STUN response
are public, and can be used by any host on the public Internet to
send packets to the application that sent the STUN request. An
application need only listen on the IP address and port from which
the STUN request was sent. Any packets sent by a host on the public
Internet to the public address and port learned by STUN will be
received by the application.
...
... NAT it is behind. To determine that,
the client uses additional STUN Binding Requests. The exact
procedure is flexible, but would generally work as follows. The
client would send a second STUN Binding Request, this time to a
different IP address ...
... NAT, the client can send a
STUN Binding Request with flags that tell the STUN server to send a
response from a different IP address and port ...
... port A/B using a source IP address/port of X/Y, the STUN
server would send the Binding Response to X/Y using source IP
address ...
...
It should be noted that the configuration in Figure 1 is not the only
permissible configuration. The STUN server can be located anywhere,
including within another client. The only requirement is that the
STUN server is reachable by the client, and if the client is trying
...
... type-length-value) encoded using big endian
(network ordered) binary. All STUN messages start with a STUN
...
... STUN payload. The payload is a series of STUN
attributes, the set of which depends on the message type. The STUN
header contains a STUN ...
... transaction ID is used to correlate
requests and responses. The length indicates the total length of the
STUN payload, not including the header. This allows STUN ...
... TCP).
Several STUN attributes are defined. The first is a MAPPED-ADDRESS
attribute, which is an IP address ...
... client discovery procedures below.
Typically, P1 will be port 3478, the default STUN port. A2 and P2
are arbitrary. A2 and P2 are advertised by the server ...
... over the request as described in Section 11.2.8. The key to use
depends on the shared secret mechanism. If the STUN Shared Secret
Request was used, the key MUST be the one associated with the
...
... 13] over the response, as described in Section 11.2.8. The key to
use depends on the shared secret mechanism. If the STUN Shared
Secret Request was used, the key MUST be the one associated with the
USERNAME ...
... The behavior of the client is very straightforward. Its task is to
discover the STUN server, obtain a shared secret, formulate the
Binding ...
... domain name of the
provider of the STUN servers. This domain name is resolved to an IP
address and port ...
... service)" without giving any details on what happens in the event of
failure. Those details are described here for STUN.
For STUN requests, failure occurs if there is a transport failure of
some sort (generally, due to fatal ICMP ...
... As discussed in Section 12, there are several attacks possible on
STUN systems. Many of these are prevented through integrity of
requests and responses. To provide that integrity, STUN makes use of
a shared secret between client and server ...
... Binding Request and Binding
Response. STUN allows for the shared secret to be obtained in any
way (for example, Kerberos ...
... INTEGRITY attribute depend on the shared secret mechanism.
If the STUN Shared Secret Request was used, the USERNAME must be a
...
... the response as described in Section 11.2.8. The key to use depends
on the shared secret mechanism. If the STUN Shared Secret Request
was used, the key MUST be same as used to compute the MESSAGE-
...
... The rules of Sections 8 and 9 describe exactly how a client and
server interact to send requests and get responses. However, they do
not dictate how the STUN protocol is used to accomplish useful tasks.
That is at the discretion of the client. Here, we provide some
useful scenarios for applying STUN.
...
... flow makes use of three tests. In test I, the client sends a
STUN Binding Request to a server, without any flags set in the
CHANGE-REQUEST attribute, and without the RESPONSE-ADDRESS ...
... refresh
the binding, either through a new STUN request, or an application
packet, in order for the application to continue to use the binding.
...
... create a new binding on the NAT, and cause the STUN server to
send a Binding Response that would match the old binding ...
... IP address
and port of the STUN server. The media component sends the Binding
Request. The request goes to the STUN server, which sends the
Binding Response back to the control component. The control
...
... Error Response.
STUN messages are encoded using binary fields. All integer fields
are carried in network byte order ...
... 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| STUN Message Type | Message Length |
...
... HMAC will be 20 bytes.
The text used as input to HMAC is the STUN message, including the
header, up to and including the attribute preceding the MESSAGE-
...
... 64 bytes. As a result, the MESSAGE-INTEGRITY attribute
MUST be the last attribute in any STUN message. The key used as
input to HMAC depends on the context ...
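The header layout and the MESSAGE-INTEGRITY rule quoted above, worked through in Python as an added example (not code from the RFC or from any STUN implementation): it encodes an RFC 3489 Binding Response carrying a MAPPED-ADDRESS, appends the HMAC-SHA1 computed over the zero-padded header and preceding attributes, and shows a verifier rejecting a copy whose MAPPED-ADDRESS was rewritten in transit. The shared secret, the addresses and all function names are constructed for this example; looking the key up by USERNAME is left out.

```python
import hashlib
import hmac
import os
import struct

# Message and attribute type codes as assigned in RFC 3489.
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001
MESSAGE_INTEGRITY = 0x0008
HEADER_LEN = 20        # 16-bit type, 16-bit length, 128-bit transaction ID
MI_ATTR_LEN = 4 + 20   # attribute header plus the 20-byte HMAC-SHA1

def attr(atype, value):
    """Encode one TLV attribute: 16-bit type, 16-bit length, value (big endian)."""
    return struct.pack("!HH", atype, len(value)) + value

def mapped_address(ip, port):
    """MAPPED-ADDRESS value: pad byte, family 0x01 (IPv4), 16-bit port, 4 octets."""
    octets = bytes(int(o) for o in ip.split("."))
    return attr(MAPPED_ADDRESS, struct.pack("!BBH", 0, 0x01, port) + octets)

def _pad64(data):
    # HMAC input is zero-padded to a multiple of 64 bytes (RFC 3489 11.2.8).
    return data + b"\x00" * (-len(data) % 64)

def build(msg_type, attributes, key, txid=None):
    """Build a STUN message and append MESSAGE-INTEGRITY as the last attribute.

    The header length counts the whole payload, including the 24-byte
    MESSAGE-INTEGRITY attribute; the HMAC covers the header plus every
    attribute that precedes MESSAGE-INTEGRITY, after zero padding."""
    txid = os.urandom(16) if txid is None else txid
    body = b"".join(attributes)
    header = struct.pack("!HH", msg_type, len(body) + MI_ATTR_LEN) + txid
    mac = hmac.new(key, _pad64(header + body), hashlib.sha1).digest()
    return header + body + attr(MESSAGE_INTEGRITY, mac)

def parse(msg):
    """Split a STUN message into (msg_type, txid, [(attr_type, value), ...])."""
    msg_type, length = struct.unpack("!HH", msg[:4])
    txid = msg[4:HEADER_LEN]
    if len(msg) != HEADER_LEN + length:
        raise ValueError("header length does not match datagram size")
    attrs, pos = [], HEADER_LEN
    while pos < len(msg):
        if pos + 4 > len(msg):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        attrs.append((atype, msg[pos + 4:pos + 4 + alen]))
        pos += 4 + alen
    return msg_type, txid, attrs

def verify(msg, key):
    """True only if MESSAGE-INTEGRITY is the last attribute and its HMAC matches."""
    _, _, attrs = parse(msg)
    if not attrs or attrs[-1][0] != MESSAGE_INTEGRITY or len(attrs[-1][1]) != 20:
        return False
    covered = msg[:len(msg) - MI_ATTR_LEN]
    expected = hmac.new(key, _pad64(covered), hashlib.sha1).digest()
    return hmac.compare_digest(expected, attrs[-1][1])

def get_mapped_address(msg):
    """Decode MAPPED-ADDRESS into (ip, port); None if absent or not IPv4."""
    for atype, value in parse(msg)[2]:
        if atype == MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            return ".".join(str(b) for b in value[4:]), struct.unpack("!H", value[2:4])[0]
    return None

def demo():
    """Constructed scenario: a genuine Binding Response, then a copy whose
    MAPPED-ADDRESS was rewritten in transit. Returns both verify() results."""
    key = b"constructed-shared-secret"   # in practice obtained via the Shared Secret Request
    response = build(BINDING_RESPONSE, [mapped_address("203.0.113.5", 40000)], key, bytes(range(16)))
    tampered = response.replace(bytes([203, 0, 113, 5]), bytes([198, 51, 100, 7]))
    return verify(response, key), verify(tampered, key)
```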
... IP address) of the
source where the request came from. Its purpose is to provide
traceability, so that a STUN server cannot be used as a reflector for
denial-of-service attacks.
...
...
Generally speaking, attacks on STUN can be classified into denial of
service attacks and eavesdropping attacks. Denial of service attacks
can be launched against a STUN server itself, or against other
elements using the STUN ...
... Shared Secret Request
mechanism. To prevent being swamped with traffic, a STUN server
SHOULD limit the number of simultaneous TLS connections it will hold
...
...
The attacks of greater interest are those in which the STUN server
and client are used to launch DOS attacks ...
... attacks require the attacker to generate a response to a
legitimate STUN request, in order to provide the client with a faked
MAPPED-ADDRESS that points to the intended target.
This will trick all the STUN clients into thinking that their
addresses ...
... attack can provide substantial
amplification, especially when used with clients that are using STUN
to enable multimedia applications.
...
... services enabled by STUN (for example, a client using STUN to enable
SIP-based multimedia traffic ...
... attacker must have already been able to observe
packets from the client to the STUN server. In most cases (such as
when the attack is launched from an access network ...
... attackers on the path from the client to the STUN server, but not
generally on the path of packets being routed towards the client.
...
... (or to act as a MITM for such attacks). This is because STUN
requests contain a transaction identifier ...
... Approach I: Compromise a Legitimate STUN Server ...
... In this attack, the attacker compromises a legitimate STUN server
through a virus or Trojan horse. Presumably, this would allow the
attacker to take over the STUN server, and control the types of
responses it generates.
Compromise of a STUN server can also lead to discovery of open ports.
Knowledge of an open port ...
... DNS, it can inject fake records which map a domain
name to the IP address of a STUN server run by the attacker. This
will allow it to inject fake responses to launch any of the attacks ...
... Rather than compromise the STUN server, an attacker can cause a STUN
server to generate responses with the wrong MAPPED-ADDRESS by
...
... router or NAT on the path from the client to the STUN
server. When the STUN request passes through the rogue router ...
... public Internet (that is, there are no NATs
between it and the STUN server), and the attacker doesn't modify the
STUN request, the address has to have the property that packets sent
from the STUN server to that address would route through the
compromised router. This is because the STUN server will send the
responses back to the source address of the request. With a modified
...
... attacker is on the
public Internet, but they can modify the STUN request, they can
insert a RESPONSE-ADDRESS attribute into the request, containing the
actual source address of the STUN request. This will cause the
server to send the response to the client, independent of the source
address the STUN server sees. This gives the attacker the ability to
forge an arbitrary source address when it forwards the STUN request.
If the attacker ...
... private network (that is, there are NATs
between it and the STUN server), the attacker will not be able to
force the server to generate arbitrary MAPPED-ADDRESSes in responses.
They will only be able to force the STUN server to generate
MAPPED-ADDRESSes which route ...
... NAT between the attacker and the STUN server will rewrite the source
address of the STUN request, mapping it to a public address that
routes to the private network ...
... in which case the attacker could forge the source address in a STUN
request to be an arbitrary public address. This kind of behavior
...
... element can
act as a man-in-the-middle. In that case, it can intercept a STUN
request, and generate a STUN response directly with any desired value
of the MAPPED-ADDRESS field. Alternatively, it can forward the STUN
request to the server (after potential modification), receive the
response, and forward it to the client ...
... eavesdrop onto a network segment that carries STUN requests. This is
easily done in multiple access networks such as ethernet ...
... attacker
listens on the network for a STUN request. When it sees one, it
simultaneously launches a DoS attack on the STUN server, and
generates its own STUN response with the desired MAPPED-ADDRESS
value. The STUN response generated by the attacker will reach the
client ...
... attacker listens on the
network for a STUN request. When it sees it, it generates its own
STUN request towards the server. This STUN request is identical to
the one it saw, but with a spoofed source IP address. The spoofed
...
... attacker desires to have placed
in the MAPPED-ADDRESS of the STUN response. In fact, the attacker
generates a flood of such packets. The STUN server will receive the
one original request, plus a flood of duplicate fake ones. It
...
... there is a reasonable probability that the one real response is lost
(along with many of the faked ones), but the net result is that only
the faked responses are received by the STUN client. These responses
are all identical and all contain the MAPPED-ADDRESS ...
...
Note that, in this approach, launching a DoS attack against the STUN
server or the IP network, to prevent the valid response from being
sent or received, is problematic. The attacker needs the STUN server
to be available to handle its own request. Due to the periodic
retransmissions ...
...
STUN provides mechanisms to counter the approaches described above,
and additional, non-STUN techniques can be used as well.
First off, it is RECOMMENDED that networks with STUN clients
implement ingress source filtering ...
... NATs to ensure that this capability is present and enabled.
Secondly, it is RECOMMENDED that STUN servers be run on hosts
dedicated to STUN ...
... TCP ports disabled except for the
STUN ports. This is to prevent viruses and Trojan horses from
infecting STUN servers, in order to prevent their compromise. This
helps mitigate Approach I (Section 12.2.1).
...
... client taking the
mapped address it learned from STUN, and using it in application
layer protocols. If encryption and message integrity ...
... attacks can be prevented. As such, applications that make use of
STUN addresses in application protocols SHOULD use integrity and
encryption, even if a SHOULD level strength is not specified for that
protocol. For example, multimedia applications using STUN addresses
to receive RTP ...
... 16].
The above three techniques are non-STUN mechanisms. STUN itself
provides several countermeasures.
...
... attack is prevented using the message integrity
mechanism provided in STUN, described in Section 8.1.
Approaches III (Section 12.2.3) IV ...
... when the attacker modifies nothing but the source address of the STUN
request. Sadly, this is the one thing that cannot be protected
through cryptographic means, as this is the change that STUN itself
is seeking to detect and report. It is therefore an inherent
weakness in NAT, and not fixable in STUN. To help mitigate these
attacks, Section 9.4 provides several heuristics ...
... host which exists
in the correct topological relationship can be DDOSed. It need not
be using STUN.
...
...
STUN cannot be extended. Changes to the protocol are made through a
standards track revision of this specification. As a result, no IANA
registries are needed. Any future extensions will establish any
...
... collaborative protocol reflection mechanism (RFC 3424 [17]). STUN is
an example of a protocol that performs this type of function. The
IAB ...
... usually aren't".
The specific problems being solved by STUN are:
o Provide a means for a client ...
... as the appropriate technology is deployed.
STUN comes with its own built in exit strategy. This strategy is the
detection operation that is performed as a precursor to the actual
UNSAF ...
... provider and complain about it.
STUN can also help facilitate the introduction of midcom. As
midcom-capable NATs are deployed, applications will, instead of using
STUN (which also resides at the application layer), first allocate an
address binding ...
... flow. Once bindings have been
allocated from those middleboxes, a STUN detection procedure can
validate that there are no additional middleboxes on the path from
...
... application can continue operation using the address bindings
allocated from midcom. If it is not the case, STUN provides a
mechanism for self-address fixing through the remaining
midcom-unaware middleboxes. Thus, STUN provides a way to help
transition to full midcom-aware networks.
...
... Brittleness Introduced by STUN ...
... debugging challenges, and make it harder to transition.
STUN introduces brittleness into the system in several ways:
o The discovery process assumes a certain classification of devices
...
... NATs that are deployed that would not fit into one of these molds.
Therefore, future NATs may not be properly detected by STUN. STUN
clients (but not servers) would need to change to accommodate
...
...
o The binding acquisition usage of STUN does not work for all NAT
types. It will work for any application for full cone NATs ...
... brittle.
o STUN assumes that the server exists on the public Internet. If
the server is located in another private address ...
... network bandwidth.
o The use of the STUN server as an additional network element
introduces another point of potential security attack ...
... attacks are largely prevented by the security measures provided by
STUN, but not entirely.
o The use of the STUN server as an additional network element
introduces another point of failure. If the client cannot locate
a STUN server, or if the server should be unavailable due to
failure, the application cannot function.
o The use of STUN to discover address bindings will result in an
increase in latency ...
... Voice over
IP application will see an increase of call setup delays equal to
at least one RTT to the STUN server.
o The discovery of binding ...
... process.
o STUN imposes some restrictions on the network topologies for
proper operation. If client A obtains an address from STUN server
X, and sends it to client B, B may not be able to send to A using
...
... following is true:
- The STUN server is not in an address realm that is a common
ancestor (topologically) of both clients ...
... network, connecting it to the
public Internet. If the STUN server used by A is in A's cable
operator's network, an address obtained by it will not be
usable by B. The STUN server must be in the network which is a
common ancestor to both - in this case, the public Internet.
- The STUN server is in an address realm that is a common
ancestor to both clients ...
... network
to the public Internet, and the STUN server was on the public
Internet, the address obtained by A would not be usable by B.
...
... this case.
o Most significantly, STUN introduces potential security threats
which cannot be eliminated. This specification describes
...
... heuristics that can be used to mitigate the problem, but it is
provably unsolvable given what STUN is trying to accomplish.
These security problems are described fully in Section 12.
...
... solution.
Our experience with STUN has led to the following requirements for a
long term solution to the NAT problem ...
... bindings and control of other resources in a NAT
need to be explicit. Much of the brittleness in STUN derives from
its guessing at the parameters of the NAT, rather than telling the
...
... NA[P]Ts and experience reports.
Several of the practical issues with STUN involve future proofing -
breaking the protocol when new NAT types get deployed. Fortunately,
this is not an issue at the current time, since most of the deployed
NATs are of the types assumed by STUN. The primary usage STUN has
found is in the area of VoIP, to facilitate allocation of addresses ...
...
The problems with STUN are not design flaws in STUN. The problems in
STUN have to do with the lack of standardized behaviors and controls
in NATs. The result of this lack of standardization has been a
proliferation of devices whose behavior is highly unpredictable,
extremely variable, and uncontrollable. STUN does the best it can in
such a hostile environment. Ultimately, the solution is to make the
environment less hostile, and to introduce controls and standardized
behaviors into NAT. However, until such time as that happens, STUN
provides a good short term solution given the terrible conditions
under which it is forced to operate.
...
