diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc3489.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc3489.txt')
-rw-r--r-- | doc/rfc/rfc3489.txt | 2635 |
1 files changed, 2635 insertions, 0 deletions
diff --git a/doc/rfc/rfc3489.txt b/doc/rfc/rfc3489.txt new file mode 100644 index 0000000..226b4a6 --- /dev/null +++ b/doc/rfc/rfc3489.txt @@ -0,0 +1,2635 @@ + + + + + + +Network Working Group J. Rosenberg +Request for Comments: 3489 J. Weinberger +Category: Standards Track dynamicsoft + C. Huitema + Microsoft + R. Mahy + Cisco + March 2003 + + + STUN - Simple Traversal of User Datagram Protocol (UDP) + Through Network Address Translators (NATs) + +Status of this Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2003). All Rights Reserved. + +Abstract + + Simple Traversal of User Datagram Protocol (UDP) Through Network + Address Translators (NATs) (STUN) is a lightweight protocol that + allows applications to discover the presence and types of NATs and + firewalls between them and the public Internet. It also provides the + ability for applications to determine the public Internet Protocol + (IP) addresses allocated to them by the NAT. STUN works with many + existing NATs, and does not require any special behavior from them. + As a result, it allows a wide variety of applications to work through + existing NAT infrastructure. + +Table of Contents + + 1. Applicability Statement ................................... 3 + 2. Introduction .............................................. 3 + 3. Terminology ............................................... 4 + 4. Definitions ............................................... 5 + 5. NAT Variations ............................................ 5 + 6. Overview of Operation ..................................... 6 + 7. Message Overview .......................................... 8 + 8. Server Behavior ........................................... 10 + 8.1 Binding Requests .................................... 10 + + + +Rosenberg, et al. Standards Track [Page 1] + +RFC 3489 STUN March 2003 + + + 8.2 Shared Secret Requests .............................. 13 + 9. Client Behavior ........................................... 14 + 9.1 Discovery ........................................... 15 + 9.2 Obtaining a Shared Secret ........................... 15 + 9.3 Formulating the Binding Request ..................... 17 + 9.4 Processing Binding Responses ........................ 17 + 10. Use Cases ................................................. 19 + 10.1 Discovery Process ................................... 19 + 10.2 Binding Lifetime Discovery .......................... 21 + 10.3 Binding Acquisition ................................. 23 + 11. Protocol Details .......................................... 24 + 11.1 Message Header ...................................... 25 + 11.2 Message Attributes .................................. 26 + 11.2.1 MAPPED-ADDRESS .............................. 27 + 11.2.2 RESPONSE-ADDRESS ............................ 27 + 11.2.3 CHANGED-ADDRESS ............................. 28 + 11.2.4 CHANGE-REQUEST .............................. 28 + 11.2.5 SOURCE-ADDRESS .............................. 28 + 11.2.6 USERNAME .................................... 28 + 11.2.7 PASSWORD .................................... 29 + 11.2.8 MESSAGE-INTEGRITY ........................... 29 + 11.2.9 ERROR-CODE .................................. 29 + 11.2.10 UNKNOWN-ATTRIBUTES .......................... 31 + 11.2.11 REFLECTED-FROM .............................. 31 + 12. Security Considerations ................................... 31 + 12.1 Attacks on STUN ..................................... 31 + 12.1.1 Attack I: DDOS Against a Target ............. 32 + 12.1.2 Attack II: Silencing a Client ............... 32 + 12.1.3 Attack III: Assuming the Identity of a Client 32 + 12.1.4 Attack IV: Eavesdropping .................... 33 + 12.2 Launching the Attacks ............................... 33 + 12.2.1 Approach I: Compromise a Legitimate + STUN Server ................................. 33 + 12.2.2 Approach II: DNS Attacks .................... 34 + 12.2.3 Approach III: Rogue Router or NAT ........... 34 + 12.2.4 Approach IV: MITM ........................... 35 + 12.2.5 Approach V: Response Injection Plus DoS ..... 35 + 12.2.6 Approach VI: Duplication .................... 35 + 12.3 Countermeasures ..................................... 36 + 12.4 Residual Threats .................................... 37 + 13. IANA Considerations ....................................... 38 + 14. IAB Considerations ........................................ 38 + 14.1 Problem Definition .................................. 38 + 14.2 Exit Strategy ....................................... 39 + 14.3 Brittleness Introduced by STUN ...................... 40 + 14.4 Requirements for a Long Term Solution ............... 42 + 14.5 Issues with Existing NAPT Boxes ..................... 43 + 14.6 In Closing .......................................... 43 + + + +Rosenberg, et al. Standards Track [Page 2] + +RFC 3489 STUN March 2003 + + + 15. Acknowledgments ........................................... 44 + 16. Normative References ...................................... 44 + 17. Informative References .................................... 44 + 18. Authors' Addresses ........................................ 46 + 19. Full Copyright Statement................................... 47 + +1. Applicability Statement + + This protocol is not a cure-all for the problems associated with NAT. + It does not enable incoming TCP connections through NAT. It allows + incoming UDP packets through NAT, but only through a subset of + existing NAT types. In particular, STUN does not enable incoming UDP + packets through symmetric NATs (defined below), which are common in + large enterprises. STUN's discovery procedures are based on + assumptions on NAT treatment of UDP; such assumptions may prove + invalid down the road as new NAT devices are deployed. STUN does not + work when it is used to obtain an address to communicate with a peer + which happens to be behind the same NAT. STUN does not work when the + STUN server is not in a common shared address realm. For a more + complete discussion of the limitations of STUN, see Section 14. + +2. Introduction + + Network Address Translators (NATs), while providing many benefits, + also come with many drawbacks. The most troublesome of those + drawbacks is the fact that they break many existing IP applications, + and make it difficult to deploy new ones. Guidelines have been + developed [8] that describe how to build "NAT friendly" protocols, + but many protocols simply cannot be constructed according to those + guidelines. Examples of such protocols include almost all peer-to- + peer protocols, such as multimedia communications, file sharing and + games. + + To combat this problem, Application Layer Gateways (ALGs) have been + embedded in NATs. ALGs perform the application layer functions + required for a particular protocol to traverse a NAT. Typically, + this involves rewriting application layer messages to contain + translated addresses, rather than the ones inserted by the sender of + the message. ALGs have serious limitations, including scalability, + reliability, and speed of deploying new applications. To resolve + these problems, the Middlebox Communications (MIDCOM) protocol is + being developed [9]. MIDCOM allows an application entity, such as an + end client or network server of some sort (like a Session Initiation + Protocol (SIP) proxy [10]) to control a NAT (or firewall), in order + to obtain NAT bindings and open or close pinholes. In this way, NATs + and applications can be separated once more, eliminating the need for + embedding ALGs in NATs, and resolving the limitations imposed by + current architectures. + + + +Rosenberg, et al. Standards Track [Page 3] + +RFC 3489 STUN March 2003 + + + Unfortunately, MIDCOM requires upgrades to existing NAT and + firewalls, in addition to application components. Complete upgrades + of these NAT and firewall products will take a long time, potentially + years. This is due, in part, to the fact that the deployers of NAT + and firewalls are not the same people who are deploying and using + applications. As a result, the incentive to upgrade these devices + will be low in many cases. Consider, for example, an airport + Internet lounge that provides access with a NAT. A user connecting + to the NATed network may wish to use a peer-to-peer service, but + cannot, because the NAT doesn't support it. Since the administrators + of the lounge are not the ones providing the service, they are not + motivated to upgrade their NAT equipment to support it, using either + an ALG, or MIDCOM. + + Another problem is that the MIDCOM protocol requires that the agent + controlling the middleboxes know the identity of those middleboxes, + and have a relationship with them which permits control. In many + configurations, this will not be possible. For example, many cable + access providers use NAT in front of their entire access network. + This NAT could be in addition to a residential NAT purchased and + operated by the end user. The end user will probably not have a + control relationship with the NAT in the cable access network, and + may not even know of its existence. + + Many existing proprietary protocols, such as those for online games + (such as the games described in RFC 3027 [11]) and Voice over IP, + have developed tricks that allow them to operate through NATs without + changing those NATs. This document is an attempt to take some of + those ideas, and codify them into an interoperable protocol that can + meet the needs of many applications. + + The protocol described here, Simple Traversal of UDP Through NAT + (STUN), allows entities behind a NAT to first discover the presence + of a NAT and the type of NAT, and then to learn the addresses + bindings allocated by the NAT. STUN requires no changes to NATs, and + works with an arbitrary number of NATs in tandem between the + application entity and the public Internet. + +3. Terminology + + In this document, the key words "MUST", "MUST NOT", "REQUIRED", + "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", + and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119 + [1] and indicate requirement levels for compliant STUN + implementations. + + + + + + +Rosenberg, et al. Standards Track [Page 4] + +RFC 3489 STUN March 2003 + + +4. Definitions + + STUN Client: A STUN client (also just referred to as a client) + is an entity that generates STUN requests. A STUN client can + execute on an end system, such as a user's PC, or can run in a + network element, such as a conferencing server. + + STUN Server: A STUN Server (also just referred to as a server) + is an entity that receives STUN requests, and sends STUN + responses. STUN servers are generally attached to the public + Internet. + +5. NAT Variations + + It is assumed that the reader is familiar with NATs. It has been + observed that NAT treatment of UDP varies among implementations. The + four treatments observed in implementations are: + + Full Cone: A full cone NAT is one where all requests from the + same internal IP address and port are mapped to the same external + IP address and port. Furthermore, any external host can send a + packet to the internal host, by sending a packet to the mapped + external address. + + Restricted Cone: A restricted cone NAT is one where all requests + from the same internal IP address and port are mapped to the same + external IP address and port. Unlike a full cone NAT, an external + host (with IP address X) can send a packet to the internal host + only if the internal host had previously sent a packet to IP + address X. + + Port Restricted Cone: A port restricted cone NAT is like a + restricted cone NAT, but the restriction includes port numbers. + Specifically, an external host can send a packet, with source IP + address X and source port P, to the internal host only if the + internal host had previously sent a packet to IP address X and + port P. + + Symmetric: A symmetric NAT is one where all requests from the + same internal IP address and port, to a specific destination IP + address and port, are mapped to the same external IP address and + port. If the same host sends a packet with the same source + address and port, but to a different destination, a different + mapping is used. Furthermore, only the external host that + receives a packet can send a UDP packet back to the internal host. + + + + + + +Rosenberg, et al. Standards Track [Page 5] + +RFC 3489 STUN March 2003 + + + Determining the type of NAT is important in many cases. Depending on + what the application wants to do, it may need to take the particular + behavior into account. + +6. Overview of Operation + + This section is descriptive only. Normative behavior is described in + Sections 8 and 9. + + /-----\ + // STUN \\ + | Server | + \\ // + \-----/ + + + +--------------+ Public Internet + ................| NAT 2 |....................... + +--------------+ + + + +--------------+ Private NET 2 + ................| NAT 1 |....................... + +--------------+ + + /-----\ + // STUN \\ + | Client | + \\ // Private NET 1 + \-----/ + + Figure 1: STUN Configuration + + The typical STUN configuration is shown in Figure 1. A STUN client + is connected to private network 1. This network connects to private + network 2 through NAT 1. Private network 2 connects to the public + Internet through NAT 2. The STUN server resides on the public + Internet. + + STUN is a simple client-server protocol. A client sends a request to + a server, and the server returns a response. There are two types of + requests - Binding Requests, sent over UDP, and Shared Secret + Requests, sent over TLS [2] over TCP. Shared Secret Requests ask the + server to return a temporary username and password. This username + and password are used in a subsequent Binding Request and Binding + Response, for the purposes of authentication and message integrity. + + + + + +Rosenberg, et al. Standards Track [Page 6] + +RFC 3489 STUN March 2003 + + + Binding requests are used to determine the bindings allocated by + NATs. The client sends a Binding Request to the server, over UDP. + The server examines the source IP address and port of the request, + and copies them into a response that is sent back to the client. + There are some parameters in the request that allow the client to ask + that the response be sent elsewhere, or that the server send the + response from a different address and port. There are attributes for + providing message integrity and authentication. + + The trick is using STUN to discover the presence of NAT, and to learn + and use the bindings they allocate. + + The STUN client is typically embedded in an application which needs + to obtain a public IP address and port that can be used to receive + data. For example, it might need to obtain an IP address and port to + receive Real Time Transport Protocol (RTP) [12] traffic. When the + application starts, the STUN client within the application sends a + STUN Shared Secret Request to its server, obtains a username and + password, and then sends it a Binding Request. STUN servers can be + discovered through DNS SRV records [3], and it is generally assumed + that the client is configured with the domain to use to find the STUN + server. Generally, this will be the domain of the provider of the + service the application is using (such a provider is incented to + deploy STUN servers in order to allow its customers to use its + application through NAT). Of course, a client can determine the + address or domain name of a STUN server through other means. A STUN + server can even be embedded within an end system. + + The STUN Binding Request is used to discover the presence of a NAT, + and to discover the public IP address and port mappings generated by + the NAT. Binding Requests are sent to the STUN server using UDP. + When a Binding Request arrives at the STUN server, it may have passed + through one or more NATs between the STUN client and the STUN server. + As a result, the source address of the request received by the server + will be the mapped address created by the NAT closest to the server. + The STUN server copies that source IP address and port into a STUN + Binding Response, and sends it back to the source IP address and port + of the STUN request. For all of the NAT types above, this response + will arrive at the STUN client. + + When the STUN client receives the STUN Binding Response, it compares + the IP address and port in the packet with the local IP address and + port it bound to when the request was sent. If these do not match, + the STUN client is behind one or more NATs. In the case of a full- + cone NAT, the IP address and port in the body of the STUN response + are public, and can be used by any host on the public Internet to + send packets to the application that sent the STUN request. An + application need only listen on the IP address and port from which + + + +Rosenberg, et al. Standards Track [Page 7] + +RFC 3489 STUN March 2003 + + + the STUN request was sent. Any packets sent by a host on the public + Internet to the public address and port learned by STUN will be + received by the application. + + Of course, the host may not be behind a full-cone NAT. Indeed, it + doesn't yet know what type of NAT it is behind. To determine that, + the client uses additional STUN Binding Requests. The exact + procedure is flexible, but would generally work as follows. The + client would send a second STUN Binding Request, this time to a + different IP address, but from the same source IP address and port. + If the IP address and port in the response are different from those + in the first response, the client knows it is behind a symmetric NAT. + To determine if it's behind a full-cone NAT, the client can send a + STUN Binding Request with flags that tell the STUN server to send a + response from a different IP address and port than the request was + received on. In other words, if the client sent a Binding Request to + IP address/port A/B using a source IP address/port of X/Y, the STUN + server would send the Binding Response to X/Y using source IP + address/port C/D. If the client receives this response, it knows it + is behind a full cone NAT. + + STUN also allows the client to ask the server to send the Binding + Response from the same IP address the request was received on, but + with a different port. This can be used to detect whether the client + is behind a port restricted cone NAT or just a restricted cone NAT. + + It should be noted that the configuration in Figure 1 is not the only + permissible configuration. The STUN server can be located anywhere, + including within another client. The only requirement is that the + STUN server is reachable by the client, and if the client is trying + to obtain a publicly routable address, that the server reside on the + public Internet. + +7. Message Overview + + STUN messages are TLV (type-length-value) encoded using big endian + (network ordered) binary. All STUN messages start with a STUN + header, followed by a STUN payload. The payload is a series of STUN + attributes, the set of which depends on the message type. The STUN + header contains a STUN message type, transaction ID, and length. The + message type can be Binding Request, Binding Response, Binding Error + Response, Shared Secret Request, Shared Secret Response, or Shared + Secret Error Response. The transaction ID is used to correlate + requests and responses. The length indicates the total length of the + STUN payload, not including the header. This allows STUN to run over + TCP. Shared Secret Requests are always sent over TCP (indeed, using + TLS over TCP). + + + + +Rosenberg, et al. Standards Track [Page 8] + +RFC 3489 STUN March 2003 + + + Several STUN attributes are defined. The first is a MAPPED-ADDRESS + attribute, which is an IP address and port. It is always placed in + the Binding Response, and it indicates the source IP address and port + the server saw in the Binding Request. There is also a RESPONSE- + ADDRESS attribute, which contains an IP address and port. The + RESPONSE-ADDRESS attribute can be present in the Binding Request, and + indicates where the Binding Response is to be sent. It's optional, + and when not present, the Binding Response is sent to the source IP + address and port of the Binding Request. + + The third attribute is the CHANGE-REQUEST attribute, and it contains + two flags to control the IP address and port used to send the + response. These flags are called "change IP" and "change port" + flags. The CHANGE-REQUEST attribute is allowed only in the Binding + Request. The "change IP" and "change port" flags are useful for + determining whether the client is behind a restricted cone NAT or + restricted port cone NAT. They instruct the server to send the + Binding Responses from a different source IP address and port. The + CHANGE-REQUEST attribute is optional in the Binding Request. + + The fourth attribute is the CHANGED-ADDRESS attribute. It is present + in Binding Responses. It informs the client of the source IP address + and port that would be used if the client requested the "change IP" + and "change port" behavior. + + The fifth attribute is the SOURCE-ADDRESS attribute. It is only + present in Binding Responses. It indicates the source IP address and + port where the response was sent from. It is useful for detecting + twice NAT configurations. + + The sixth attribute is the USERNAME attribute. It is present in a + Shared Secret Response, which provides the client with a temporary + username and password (encoded in the PASSWORD attribute). The + USERNAME is also present in Binding Requests, serving as an index to + the shared secret used for the integrity protection of the Binding + Request. The seventh attribute, PASSWORD, is only found in Shared + Secret Response messages. The eight attribute is the MESSAGE- + INTEGRITY attribute, which contains a message integrity check over + the Binding Request or Binding Response. + + The ninth attribute is the ERROR-CODE attribute. This is present in + the Binding Error Response and Shared Secret Error Response. It + indicates the error that has occurred. The tenth attribute is the + UNKNOWN-ATTRIBUTES attribute, which is present in either the Binding + Error Response or Shared Secret Error Response. It indicates the + mandatory attributes from the request which were unknown. The + eleventh attribute is the REFLECTED-FROM attribute, which is present + in Binding Responses. It indicates the IP address and port of the + + + +Rosenberg, et al. Standards Track [Page 9] + +RFC 3489 STUN March 2003 + + + sender of a Binding Request, used for traceability purposes to + prevent certain denial-of-service attacks. + +8. Server Behavior + + The server behavior depends on whether the request is a Binding + Request or a Shared Secret Request. + +8.1 Binding Requests + + A STUN server MUST be prepared to receive Binding Requests on four + address/port combinations - (A1, P1), (A2, P1), (A1, P2), and (A2, + P2). (A1, P1) represent the primary address and port, and these are + the ones obtained through the client discovery procedures below. + Typically, P1 will be port 3478, the default STUN port. A2 and P2 + are arbitrary. A2 and P2 are advertised by the server through the + CHANGED-ADDRESS attribute, as described below. + + It is RECOMMENDED that the server check the Binding Request for a + MESSAGE-INTEGRITY attribute. If not present, and the server requires + integrity checks on the request, it generates a Binding Error + Response with an ERROR-CODE attribute with response code 401. If the + MESSAGE-INTEGRITY attribute was present, the server computes the HMAC + over the request as described in Section 11.2.8. The key to use + depends on the shared secret mechanism. If the STUN Shared Secret + Request was used, the key MUST be the one associated with the + USERNAME attribute present in the request. If the USERNAME attribute + was not present, the server MUST generate a Binding Error Response. + The Binding Error Response MUST include an ERROR-CODE attribute with + response code 432. If the USERNAME is present, but the server + doesn't remember the shared secret for that USERNAME (because it + timed out, for example), the server MUST generate a Binding Error + Response. The Binding Error Response MUST include an ERROR-CODE + attribute with response code 430. If the server does know the shared + secret, but the computed HMAC differs from the one in the request, + the server MUST generate a Binding Error Response with an ERROR-CODE + attribute with response code 431. The Binding Error Response is sent + to the IP address and port the Binding Request came from, and sent + from the IP address and port the Binding Request was sent to. + + Assuming the message integrity check passed, processing continues. + The server MUST check for any attributes in the request with values + less than or equal to 0x7fff which it does not understand. If it + encounters any, the server MUST generate a Binding Error Response, + and it MUST include an ERROR-CODE attribute with a 420 response code. + + + + + + +Rosenberg, et al. Standards Track [Page 10] + +RFC 3489 STUN March 2003 + + + That response MUST contain an UNKNOWN-ATTRIBUTES attribute listing + the attributes with values less than or equal to 0x7fff which were + not understood. The Binding Error Response is sent to the IP address + and port the Binding Request came from, and sent from the IP address + and port the Binding Request was sent to. + + Assuming the request was correctly formed, the server MUST generate a + single Binding Response. The Binding Response MUST contain the same + transaction ID contained in the Binding Request. The length in the + message header MUST contain the total length of the message in bytes, + excluding the header. The Binding Response MUST have a message type + of "Binding Response". + + The server MUST add a MAPPED-ADDRESS attribute to the Binding + Response. The IP address component of this attribute MUST be set to + the source IP address observed in the Binding Request. The port + component of this attribute MUST be set to the source port observed + in the Binding Request. + + If the RESPONSE-ADDRESS attribute was absent from the Binding + Request, the destination address and port of the Binding Response + MUST be the same as the source address and port of the Binding + Request. Otherwise, the destination address and port of the Binding + Response MUST be the value of the IP address and port in the + RESPONSE-ADDRESS attribute. + + The source address and port of the Binding Response depend on the + value of the CHANGE-REQUEST attribute and on the address and port the + Binding Request was received on, and are summarized in Table 1. + + Let Da represent the destination IP address of the Binding Request + (which will be either A1 or A2), and Dp represent the destination + port of the Binding Request (which will be either P1 or P2). Let Ca + represent the other address, so that if Da is A1, Ca is A2. If Da is + A2, Ca is A1. Similarly, let Cp represent the other port, so that if + Dp is P1, Cp is P2. If Dp is P2, Cp is P1. If the "change port" + flag was set in CHANGE-REQUEST attribute of the Binding Request, and + the "change IP" flag was not set, the source IP address of the + Binding Response MUST be Da and the source port of the Binding + Response MUST be Cp. If the "change IP" flag was set in the Binding + Request, and the "change port" flag was not set, the source IP + address of the Binding Response MUST be Ca and the source port of the + Binding Response MUST be Dp. When both flags are set, the source IP + address of the Binding Response MUST be Ca and the source port of the + Binding Response MUST be Cp. If neither flag is set, or if the + CHANGE-REQUEST attribute is absent entirely, the source IP address of + the Binding Response MUST be Da and the source port of the Binding + Response MUST be Dp. + + + +Rosenberg, et al. Standards Track [Page 11] + +RFC 3489 STUN March 2003 + + + Flags Source Address Source Port CHANGED-ADDRESS + none Da Dp Ca:Cp + Change IP Ca Dp Ca:Cp + Change port Da Cp Ca:Cp + Change IP and + Change port Ca Cp Ca:Cp + + Table 1: Impact of Flags on Packet Source and CHANGED-ADDRESS + + The server MUST add a SOURCE-ADDRESS attribute to the Binding + Response, containing the source address and port used to send the + Binding Response. + + The server MUST add a CHANGED-ADDRESS attribute to the Binding + Response. This contains the source IP address and port that would be + used if the client had set the "change IP" and "change port" flags in + the Binding Request. As summarized in Table 1, these are Ca and Cp, + respectively, regardless of the value of the CHANGE-REQUEST flags. + + If the Binding Request contained both the USERNAME and MESSAGE- + INTEGRITY attributes, the server MUST add a MESSAGE-INTEGRITY + attribute to the Binding Response. The attribute contains an HMAC + [13] over the response, as described in Section 11.2.8. The key to + use depends on the shared secret mechanism. If the STUN Shared + Secret Request was used, the key MUST be the one associated with the + USERNAME attribute present in the Binding Request. + + If the Binding Request contained a RESPONSE-ADDRESS attribute, the + server MUST add a REFLECTED-FROM attribute to the response. If the + Binding Request was authenticated using a username obtained from a + Shared Secret Request, the REFLECTED-FROM attribute MUST contain the + source IP address and port where that Shared Secret Request came + from. If the username present in the request was not allocated using + a Shared Secret Request, the REFLECTED-FROM attribute MUST contain + the source address and port of the entity which obtained the + username, as best can be verified with the mechanism used to allocate + the username. If the username was not present in the request, and + the server was willing to process the request, the REFLECTED-FROM + attribute SHOULD contain the source IP address and port where the + request came from. + + The server SHOULD NOT retransmit the response. Reliability is + achieved by having the client periodically resend the request, each + of which triggers a response from the server. + + + + + + + +Rosenberg, et al. Standards Track [Page 12] + +RFC 3489 STUN March 2003 + + +8.2 Shared Secret Requests + + Shared Secret Requests are always received on TLS connections. When + the server receives a request from the client to establish a TLS + connection, it MUST proceed with TLS, and SHOULD present a site + certificate. The TLS ciphersuite TLS_RSA_WITH_AES_128_CBC_SHA [4] + SHOULD be used. Client TLS authentication MUST NOT be done, since + the server is not allocating any resources to clients, and the + computational burden can be a source of attacks. + + If the server receives a Shared Secret Request, it MUST verify that + the request arrived on a TLS connection. If it did not receive the + request over TLS, it MUST generate a Shared Secret Error Response, + and it MUST include an ERROR-CODE attribute with a 433 response code. + The destination for the error response depends on the transport on + which the request was received. If the Shared Secret Request was + received over TCP, the Shared Secret Error Response is sent over the + same connection the request was received on. If the Shared Secret + Request was receive over UDP, the Shared Secret Error Response is + sent to the source IP address and port that the request came from. + + The server MUST check for any attributes in the request with values + less than or equal to 0x7fff which it does not understand. If it + encounters any, the server MUST generate a Shared Secret Error + Response, and it MUST include an ERROR-CODE attribute with a 420 + response code. That response MUST contain an UNKNOWN-ATTRIBUTES + attribute listing the attributes with values less than or equal to + 0x7fff which were not understood. The Shared Secret Error Response + is sent over the TLS connection. + + All Shared Secret Error Responses MUST contain the same transaction + ID contained in the Shared Secret Request. The length in the message + header MUST contain the total length of the message in bytes, + excluding the header. The Shared Secret Error Response MUST have a + message type of "Shared Secret Error Response" (0x0112). + + Assuming the request was properly constructed, the server creates a + Shared Secret Response. The Shared Secret Response MUST contain the + same transaction ID contained in the Shared Secret Request. The + length in the message header MUST contain the total length of the + message in bytes, excluding the header. The Shared Secret Response + MUST have a message type of "Shared Secret Response". The Shared + Secret Response MUST contain a USERNAME attribute and a PASSWORD + attribute. The USERNAME attribute serves as an index to the + password, which is contained in the PASSWORD attribute. The server + can use any mechanism it chooses to generate the username. However, + the username MUST be valid for a period of at least 10 minutes. + Validity means that the server can compute the password for that + + + +Rosenberg, et al. Standards Track [Page 13] + +RFC 3489 STUN March 2003 + + + username. There MUST be a single password for each username. In + other words, the server cannot, 10 minutes later, assign a different + password to the same username. The server MUST hand out a different + username for each distinct Shared Secret Request. Distinct, in this + case, implies a different transaction ID. It is RECOMMENDED that the + server explicitly invalidate the username after ten minutes. It MUST + invalidate the username after 30 minutes. The PASSWORD contains the + password bound to that username. The password MUST have at least 128 + bits. The likelihood that the server assigns the same password for + two different usernames MUST be vanishingly small, and the passwords + MUST be unguessable. In other words, they MUST be a + cryptographically random function of the username. + + These requirements can still be met using a stateless server, by + intelligently computing the USERNAME and PASSWORD. One approach is + to construct the USERNAME as: + + USERNAME = <prefix,rounded-time,clientIP,hmac> + + Where prefix is some random text string (different for each shared + secret request), rounded-time is the current time modulo 20 minutes, + clientIP is the source IP address where the Shared Secret Request + came from, and hmac is an HMAC [13] over the prefix, rounded-time, + and client IP, using a server private key. + + The password is then computed as: + + password = <hmac(USERNAME,anotherprivatekey)> + + With this structure, the username itself, which will be present in + the Binding Request, contains the source IP address where the Shared + Secret Request came from. That allows the server to meet the + requirements specified in Section 8.1 for constructing the + REFLECTED-FROM attribute. The server can verify that the username + was not tampered with, using the hmac present in the username. + + The Shared Secret Response is sent over the same TLS connection the + request was received on. The server SHOULD keep the connection open, + and let the client close it. + +9. Client Behavior + + The behavior of the client is very straightforward. Its task is to + discover the STUN server, obtain a shared secret, formulate the + Binding Request, handle request reliability, and process the Binding + Responses. + + + + + +Rosenberg, et al. Standards Track [Page 14] + +RFC 3489 STUN March 2003 + + +9.1 Discovery + + Generally, the client will be configured with a domain name of the + provider of the STUN servers. This domain name is resolved to an IP + address and port using the SRV procedures specified in RFC 2782 [3]. + + Specifically, the service name is "stun". The protocol is "udp" for + sending Binding Requests, or "tcp" for sending Shared Secret + Requests. The procedures of RFC 2782 are followed to determine the + server to contact. RFC 2782 spells out the details of how a set of + SRV records are sorted and then tried. However, it only states that + the client should "try to connect to the (protocol, address, + service)" without giving any details on what happens in the event of + failure. Those details are described here for STUN. + + For STUN requests, failure occurs if there is a transport failure of + some sort (generally, due to fatal ICMP errors in UDP or connection + failures in TCP). Failure also occurs if the transaction fails due + to timeout. This occurs 9.5 seconds after the first request is sent, + for both Shared Secret Requests and Binding Requests. See Section + 9.3 for details on transaction timeouts for Binding Requests. If a + failure occurs, the client SHOULD create a new request, which is + identical to the previous, but has a different transaction ID and + MESSAGE INTEGRITY attribute (the HMAC will change because the + transaction ID has changed). That request is sent to the next + element in the list as specified by RFC 2782. + + The default port for STUN requests is 3478, for both TCP and UDP. + Administrators SHOULD use this port in their SRV records, but MAY use + others. + + If no SRV records were found, the client performs an A record lookup + of the domain name. The result will be a list of IP addresses, each + of which can be contacted at the default port. + + This would allow a firewall admin to open the STUN port, so hosts + within the enterprise could access new applications. Whether they + will or won't do this is a good question. + +9.2 Obtaining a Shared Secret + + As discussed in Section 12, there are several attacks possible on + STUN systems. Many of these are prevented through integrity of + requests and responses. To provide that integrity, STUN makes use of + a shared secret between client and server, used as the keying + material for an HMAC used in both the Binding Request and Binding + Response. STUN allows for the shared secret to be obtained in any + way (for example, Kerberos [14]). However, it MUST have at least 128 + + + +Rosenberg, et al. Standards Track [Page 15] + +RFC 3489 STUN March 2003 + + + bits of randomness. In order to ensure interoperability, this + specification describes a TLS-based mechanism. This mechanism, + described in this section, MUST be implemented by clients and + servers. + + First, the client determines the IP address and port that it will + open a TCP connection to. This is done using the discovery + procedures in Section 9.1. The client opens up the connection to + that address and port, and immediately begins TLS negotiation [2]. + The client MUST verify the identity of the server. To do that, it + follows the identification procedures defined in Section 3.1 of RFC + 2818 [5]. Those procedures assume the client is dereferencing a URI. + For purposes of usage with this specification, the client treats the + domain name or IP address used in Section 9.1 as the host portion of + the URI that has been dereferenced. + + Once the connection is opened, the client sends a Shared Secret + request. This request has no attributes, just the header. The + transaction ID in the header MUST meet the requirements outlined for + the transaction ID in a binding request, described in Section 9.3 + below. The server generates a response, which can either be a Shared + Secret Response or a Shared Secret Error Response. + + If the response was a Shared Secret Error Response, the client checks + the response code in the ERROR-CODE attribute. Interpretation of + those response codes is identical to the processing of Section 9.4 + for the Binding Error Response. + + If a client receives a Shared Secret Response with an attribute whose + type is greater than 0x7fff, the attribute MUST be ignored. If the + client receives a Shared Secret Response with an attribute whose type + is less than or equal to 0x7fff, the response is ignored. + + If the response was a Shared Secret Response, it will contain a short + lived username and password, encoded in the USERNAME and PASSWORD + attributes, respectively. + + The client MAY generate multiple Shared Secret Requests on the + connection, and it MAY do so before receiving Shared Secret Responses + to previous Shared Secret Requests. The client SHOULD close the + connection as soon as it has finished obtaining usernames and + passwords. + + Section 9.3 describes how these passwords are used to provide + integrity protection over Binding Requests, and Section 8.1 describes + how it is used in Binding Responses. + + + + + +Rosenberg, et al. Standards Track [Page 16] + +RFC 3489 STUN March 2003 + + +9.3 Formulating the Binding Request + + A Binding Request formulated by the client follows the syntax rules + defined in Section 11. Any two requests that are not bit-wise + identical, and not sent to the same server from the same IP address + and port, MUST carry different transaction IDs. The transaction ID + MUST be uniformly and randomly distributed between 0 and 2**128 - 1. + The large range is needed because the transaction ID serves as a form + of randomization, helping to prevent replays of previously signed + responses from the server. The message type of the request MUST be + "Binding Request". + + The RESPONSE-ADDRESS attribute is optional in the Binding Request. + It is used if the client wishes the response to be sent to a + different IP address and port than the one the request was sent from. + This is useful for determining whether the client is behind a + firewall, and for applications that have separated control and data + components. See Section 10.3 for more details. The CHANGE-REQUEST + attribute is also optional. Whether it is present depends on what + the application is trying to accomplish. See Section 10 for some + example uses. + + The client SHOULD add a MESSAGE-INTEGRITY and USERNAME attribute to + the Binding Request. This MESSAGE-INTEGRITY attribute contains an + HMAC [13]. The value of the username, and the key to use in the + MESSAGE-INTEGRITY attribute depend on the shared secret mechanism. + If the STUN Shared Secret Request was used, the USERNAME must be a + valid username obtained from a Shared Secret Response within the last + nine minutes. The shared secret for the HMAC is the value of the + PASSWORD attribute obtained from the same Shared Secret Response. + + Once formulated, the client sends the Binding Request. Reliability + is accomplished through client retransmissions. Clients SHOULD + retransmit the request starting with an interval of 100ms, doubling + every retransmit until the interval reaches 1.6s. Retransmissions + continue with intervals of 1.6s until a response is received, or a + total of 9 requests have been sent. If no response is received by 1.6 + seconds after the last request has been sent, the client SHOULD + consider the transaction to have failed. In other words, requests + would be sent at times 0ms, 100ms, 300ms, 700ms, 1500ms, 3100ms, + 4700ms, 6300ms, and 7900ms. At 9500ms, the client considers the + transaction to have failed if no response has been received. + +9.4 Processing Binding Responses + + The response can either be a Binding Response or Binding Error + Response. Binding Error Responses are always received on the source + address and port the request was sent from. A Binding Response will + + + +Rosenberg, et al. Standards Track [Page 17] + +RFC 3489 STUN March 2003 + + + be received on the address and port placed in the RESPONSE-ADDRESS + attribute of the request. If none was present, the Binding Responses + will be received on the source address and port the request was sent + from. + + If the response is a Binding Error Response, the client checks the + response code from the ERROR-CODE attribute of the response. For a + 400 response code, the client SHOULD display the reason phrase to the + user. For a 420 response code, the client SHOULD retry the request, + this time omitting any attributes listed in the UNKNOWN-ATTRIBUTES + attribute of the response. For a 430 response code, the client + SHOULD obtain a new shared secret, and retry the Binding Request with + a new transaction. For 401 and 432 response codes, if the client had + omitted the USERNAME or MESSAGE-INTEGRITY attribute as indicated by + the error, it SHOULD try again with those attributes. For a 431 + response code, the client SHOULD alert the user, and MAY try the + request again after obtaining a new username and password. For a 500 + response code, the client MAY wait several seconds and then retry the + request. For a 600 response code, the client MUST NOT retry the + request, and SHOULD display the reason phrase to the user. Unknown + attributes between 400 and 499 are treated like a 400, unknown + attributes between 500 and 599 are treated like a 500, and unknown + attributes between 600 and 699 are treated like a 600. Any response + between 100 and 399 MUST result in the cessation of request + retransmissions, but otherwise is discarded. + + If a client receives a response with an attribute whose type is + greater than 0x7fff, the attribute MUST be ignored. If the client + receives a response with an attribute whose type is less than or + equal to 0x7fff, request retransmissions MUST cease, but the entire + response is otherwise ignored. + + If the response is a Binding Response, the client SHOULD check the + response for a MESSAGE-INTEGRITY attribute. If not present, and the + client placed a MESSAGE-INTEGRITY attribute into the request, it MUST + discard the response. If present, the client computes the HMAC over + the response as described in Section 11.2.8. The key to use depends + on the shared secret mechanism. If the STUN Shared Secret Request + was used, the key MUST be same as used to compute the MESSAGE- + INTEGRITY attribute in the request. If the computed HMAC differs + from the one in the response, the client MUST discard the response, + and SHOULD alert the user about a possible attack. If the computed + HMAC matches the one from the response, processing continues. + + Reception of a response (either Binding Error Response or Binding + Response) to a Binding Request will terminate retransmissions of that + request. However, clients MUST continue to listen for responses to a + Binding Request for 10 seconds after the first response. If it + + + +Rosenberg, et al. Standards Track [Page 18] + +RFC 3489 STUN March 2003 + + + receives any responses in this interval with different message types + (Binding Responses and Binding Error Responses, for example) or + different MAPPED-ADDRESSes, it is an indication of a possible attack. + The client MUST NOT use the MAPPED-ADDRESS from any of the responses + it received (either the first or the additional ones), and SHOULD + alert the user. + + Furthermore, if a client receives more than twice as many Binding + Responses as the number of Binding Requests it sent, it MUST NOT use + the MAPPED-ADDRESS from any of those responses, and SHOULD alert the + user about a potential attack. + + If the Binding Response is authenticated, and the MAPPED-ADDRESS was + not discarded because of a potential attack, the CLIENT MAY use the + MAPPED-ADDRESS and SOURCE-ADDRESS attributes. + +10. Use Cases + + The rules of Sections 8 and 9 describe exactly how a client and + server interact to send requests and get responses. However, they do + not dictate how the STUN protocol is used to accomplish useful tasks. + That is at the discretion of the client. Here, we provide some + useful scenarios for applying STUN. + +10.1 Discovery Process + + In this scenario, a user is running a multimedia application which + needs to determine which of the following scenarios applies to it: + + o On the open Internet + + o Firewall that blocks UDP + + o Firewall that allows UDP out, and responses have to come back to + the source of the request (like a symmetric NAT, but no + translation. We call this a symmetric UDP Firewall) + + o Full-cone NAT + + o Symmetric NAT + + o Restricted cone or restricted port cone NAT + + Which of the six scenarios applies can be determined through the flow + chart described in Figure 2. The chart refers only to the sequence + of Binding Requests; Shared Secret Requests will, of course, be + needed to authenticate each Binding Request used in the sequence. + + + + +Rosenberg, et al. Standards Track [Page 19] + +RFC 3489 STUN March 2003 + + + The flow makes use of three tests. In test I, the client sends a + STUN Binding Request to a server, without any flags set in the + CHANGE-REQUEST attribute, and without the RESPONSE-ADDRESS attribute. + This causes the server to send the response back to the address and + port that the request came from. In test II, the client sends a + Binding Request with both the "change IP" and "change port" flags + from the CHANGE-REQUEST attribute set. In test III, the client sends + a Binding Request with only the "change port" flag set. + + The client begins by initiating test I. If this test yields no + response, the client knows right away that it is not capable of UDP + connectivity. If the test produces a response, the client examines + the MAPPED-ADDRESS attribute. If this address and port are the same + as the local IP address and port of the socket used to send the + request, the client knows that it is not natted. It executes test + II. + + If a response is received, the client knows that it has open access + to the Internet (or, at least, its behind a firewall that behaves + like a full-cone NAT, but without the translation). If no response + is received, the client knows its behind a symmetric UDP firewall. + + In the event that the IP address and port of the socket did not match + the MAPPED-ADDRESS attribute in the response to test I, the client + knows that it is behind a NAT. It performs test II. If a response + is received, the client knows that it is behind a full-cone NAT. If + no response is received, it performs test I again, but this time, + does so to the address and port from the CHANGED-ADDRESS attribute + from the response to test I. If the IP address and port returned in + the MAPPED-ADDRESS attribute are not the same as the ones from the + first test I, the client knows its behind a symmetric NAT. If the + address and port are the same, the client is either behind a + restricted or port restricted NAT. To make a determination about + which one it is behind, the client initiates test III. If a response + is received, its behind a restricted NAT, and if no response is + received, its behind a port restricted NAT. + + This procedure yields substantial information about the operating + condition of the client application. In the event of multiple NATs + between the client and the Internet, the type that is discovered will + be the type of the most restrictive NAT between the client and the + Internet. The types of NAT, in order of restrictiveness, from most + to least, are symmetric, port restricted cone, restricted cone, and + full cone. + + Typically, a client will re-do this discovery process periodically to + detect changes, or look for inconsistent results. It is important to + note that when the discovery process is redone, it should not + + + +Rosenberg, et al. Standards Track [Page 20] + +RFC 3489 STUN March 2003 + + + generally be done from the same local address and port used in the + previous discovery process. If the same local address and port are + reused, bindings from the previous test may still be in existence, + and these will invalidate the results of the test. Using a different + local address and port for subsequent tests resolves this problem. + An alternative is to wait sufficiently long to be confident that the + old bindings have expired (half an hour should more than suffice). + +10.2 Binding Lifetime Discovery + + STUN can also be used to discover the lifetimes of the bindings + created by the NAT. In many cases, the client will need to refresh + the binding, either through a new STUN request, or an application + packet, in order for the application to continue to use the binding. + By discovering the binding lifetime, the client can determine how + frequently it needs to refresh. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Rosenberg, et al. Standards Track [Page 21] + +RFC 3489 STUN March 2003 + + + +--------+ + | Test | + | I | + +--------+ + | + | + V + /\ /\ + N / \ Y / \ Y +--------+ + UDP <-------/Resp\--------->/ IP \------------->| Test | + Blocked \ ? / \Same/ | II | + \ / \? / +--------+ + \/ \/ | + | N | + | V + V /\ + +--------+ Sym. N / \ + | Test | UDP <---/Resp\ + | II | Firewall \ ? / + +--------+ \ / + | \/ + V |Y + /\ /\ | + Symmetric N / \ +--------+ N / \ V + NAT <--- / IP \<-----| Test |<--- /Resp\ Open + \Same/ | I | \ ? / Internet + \? / +--------+ \ / + \/ \/ + | |Y + | | + | V + | Full + | Cone + V /\ + +--------+ / \ Y + | Test |------>/Resp\---->Restricted + | III | \ ? / + +--------+ \ / + \/ + |N + | Port + +------>Restricted + + Figure 2: Flow for type discovery process + + + + + + + +Rosenberg, et al. Standards Track [Page 22] + +RFC 3489 STUN March 2003 + + + To determine the binding lifetime, the client first sends a Binding + Request to the server from a particular socket, X. This creates a + binding in the NAT. The response from the server contains a MAPPED- + ADDRESS attribute, providing the public address and port on the NAT. + Call this Pa and Pp, respectively. The client then starts a timer + with a value of T seconds. When this timer fires, the client sends + another Binding Request to the server, using the same destination + address and port, but from a different socket, Y. This request + contains a RESPONSE-ADDRESS address attribute, set to (Pa,Pp). This + will create a new binding on the NAT, and cause the STUN server to + send a Binding Response that would match the old binding, if it still + exists. If the client receives the Binding Response on socket X, it + knows that the binding has not expired. If the client receives the + Binding Response on socket Y (which is possible if the old binding + expired, and the NAT allocated the same public address and port to + the new binding), or receives no response at all, it knows that the + binding has expired. + + The client can find the value of the binding lifetime by doing a + binary search through T, arriving eventually at the value where the + response is not received for any timer greater than T, but is + received for any timer less than T. + + This discovery process takes quite a bit of time, and is something + that will typically be run in the background on a device once it + boots. + + It is possible that the client can get inconsistent results each time + this process is run. For example, if the NAT should reboot, or be + reset for some reason, the process may discover a lifetime than is + shorter than the actual one. For this reason, implementations are + encouraged to run the test numerous times, and be prepared to get + inconsistent results. + +10.3 Binding Acquisition + + Consider once more the case of a VoIP phone. It used the discovery + process above when it started up, to discover its environment. Now, + it wants to make a call. As part of the discovery process, it + determined that it was behind a full-cone NAT. + + Consider further that this phone consists of two logically separated + components - a control component that handles signaling, and a media + component that handles the audio, video, and RTP [12]. Both are + behind the same NAT. Because of this separation of control and + media, we wish to minimize the communication required between them. + In fact, they may not even run on the same host. + + + + +Rosenberg, et al. Standards Track [Page 23] + +RFC 3489 STUN March 2003 + + + In order to make a voice call, the phone needs to obtain an IP + address and port that it can place in the call setup message as the + destination for receiving audio. + + To obtain an address, the control component sends a Shared Secret + Request to the server, obtains a shared secret, and then sends a + Binding Request to the server. No CHANGE-REQUEST attribute is + present in the Binding Request, and neither is the RESPONSE-ADDRESS + attribute. The Binding Response contains a mapped address. The + control component then formulates a second Binding Request. This + request contains a RESPONSE-ADDRESS, which is set to the mapped + address learned from the previous Binding Response. This Binding + Request is passed to the media component, along with the IP address + and port of the STUN server. The media component sends the Binding + Request. The request goes to the STUN server, which sends the + Binding Response back to the control component. The control + component receives this, and now has learned an IP address and port + that will be routed back to the media component that sent the + request. + + The client will be able to receive media from anywhere on this mapped + address. + + In the case of silence suppression, there may be periods where the + client receives no media. In this case, the UDP bindings could + timeout (UDP bindings in NATs are typically short; 30 seconds is + common). To deal with this, the application can periodically + retransmit the query in order to keep the binding fresh. + + It is possible that both participants in the multimedia session are + behind the same NAT. In that case, both will repeat this procedure + above, and both will obtain public address bindings. When one sends + media to the other, the media is routed to the NAT, and then turns + right back around to come back into the enterprise, where it is + translated to the private address of the recipient. This is not + particularly efficient, and unfortunately, does not work in many + commercial NATs. In such cases, the clients may need to retry using + private addresses. + +11. Protocol Details + + This section presents the detailed encoding of a STUN message. + + STUN is a request-response protocol. Clients send a request, and the + server sends a response. There are two requests, Binding Request, + and Shared Secret Request. The response to a Binding Request can + + + + + +Rosenberg, et al. Standards Track [Page 24] + +RFC 3489 STUN March 2003 + + + either be the Binding Response or Binding Error Response. The + response to a Shared Secret Request can either be a Shared Secret + Response or a Shared Secret Error Response. + + STUN messages are encoded using binary fields. All integer fields + are carried in network byte order, that is, most significant byte + (octet) first. This byte order is commonly known as big-endian. The + transmission order is described in detail in Appendix B of RFC 791 + [6]. Unless otherwise noted, numeric constants are in decimal (base + 10). + +11.1 Message Header + + All STUN messages consist of a 20 byte header: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | STUN Message Type | Message Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Transaction ID + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The Message Types can take on the following values: + + 0x0001 : Binding Request + 0x0101 : Binding Response + 0x0111 : Binding Error Response + 0x0002 : Shared Secret Request + 0x0102 : Shared Secret Response + 0x0112 : Shared Secret Error Response + + The message length is the count, in bytes, of the size of the + message, not including the 20 byte header. + + The transaction ID is a 128 bit identifier. It also serves as salt + to randomize the request and the response. All responses carry the + same identifier as the request they correspond to. + + + + + + + +Rosenberg, et al. Standards Track [Page 25] + +RFC 3489 STUN March 2003 + + +11.2 Message Attributes + + After the header are 0 or more attributes. Each attribute is TLV + encoded, with a 16 bit type, 16 bit length, and variable value: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Value .... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The following types are defined: + + 0x0001: MAPPED-ADDRESS + 0x0002: RESPONSE-ADDRESS + 0x0003: CHANGE-REQUEST + 0x0004: SOURCE-ADDRESS + 0x0005: CHANGED-ADDRESS + 0x0006: USERNAME + 0x0007: PASSWORD + 0x0008: MESSAGE-INTEGRITY + 0x0009: ERROR-CODE + 0x000a: UNKNOWN-ATTRIBUTES + 0x000b: REFLECTED-FROM + + To allow future revisions of this specification to add new attributes + if needed, the attribute space is divided into optional and mandatory + ones. Attributes with values greater than 0x7fff are optional, which + means that the message can be processed by the client or server even + though the attribute is not understood. Attributes with values less + than or equal to 0x7fff are mandatory to understand, which means that + the client or server cannot process the message unless it understands + the attribute. + + The MESSAGE-INTEGRITY attribute MUST be the last attribute within a + message. Any attributes that are known, but are not supposed to be + present in a message (MAPPED-ADDRESS in a request, for example) MUST + be ignored. + + Table 2 indicates which attributes are present in which messages. An + M indicates that inclusion of the attribute in the message is + mandatory, O means its optional, C means it's conditional based on + some other aspect of the message, and N/A means that the attribute is + not applicable to that message type. + + + + + +Rosenberg, et al. Standards Track [Page 26] + +RFC 3489 STUN March 2003 + + + Binding Shared Shared Shared + Binding Binding Error Secret Secret Secret + Att. Req. Resp. Resp. Req. Resp. Error + Resp. + _____________________________________________________________________ + MAPPED-ADDRESS N/A M N/A N/A N/A N/A + RESPONSE-ADDRESS O N/A N/A N/A N/A N/A + CHANGE-REQUEST O N/A N/A N/A N/A N/A + SOURCE-ADDRESS N/A M N/A N/A N/A N/A + CHANGED-ADDRESS N/A M N/A N/A N/A N/A + USERNAME O N/A N/A N/A M N/A + PASSWORD N/A N/A N/A N/A M N/A + MESSAGE-INTEGRITY O O N/A N/A N/A N/A + ERROR-CODE N/A N/A M N/A N/A M + UNKNOWN-ATTRIBUTES N/A N/A C N/A N/A C + REFLECTED-FROM N/A C N/A N/A N/A N/A + + Table 2: Summary of Attributes + + The length refers to the length of the value element, expressed as an + unsigned integral number of bytes. + +11.2.1 MAPPED-ADDRESS + + The MAPPED-ADDRESS attribute indicates the mapped IP address and + port. It consists of an eight bit address family, and a sixteen bit + port, followed by a fixed length value representing the IP address. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |x x x x x x x x| Family | Port | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Address | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The port is a network byte ordered representation of the mapped port. + The address family is always 0x01, corresponding to IPv4. The first + 8 bits of the MAPPED-ADDRESS are ignored, for the purposes of + aligning parameters on natural boundaries. The IPv4 address is 32 + bits. + +11.2.2 RESPONSE-ADDRESS + + The RESPONSE-ADDRESS attribute indicates where the response to a + Binding Request should be sent. Its syntax is identical to MAPPED- + ADDRESS. + + + + +Rosenberg, et al. Standards Track [Page 27] + +RFC 3489 STUN March 2003 + + +11.2.3 CHANGED-ADDRESS + + The CHANGED-ADDRESS attribute indicates the IP address and port where + responses would have been sent from if the "change IP" and "change + port" flags had been set in the CHANGE-REQUEST attribute of the + Binding Request. The attribute is always present in a Binding + Response, independent of the value of the flags. Its syntax is + identical to MAPPED-ADDRESS. + +11.2.4 CHANGE-REQUEST + + The CHANGE-REQUEST attribute is used by the client to request that + the server use a different address and/or port when sending the + response. The attribute is 32 bits long, although only two bits (A + and B) are used: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + |0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A B 0| + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The meaning of the flags is: + + A: This is the "change IP" flag. If true, it requests the server + to send the Binding Response with a different IP address than the + one the Binding Request was received on. + + B: This is the "change port" flag. If true, it requests the + server to send the Binding Response with a different port than the + one the Binding Request was received on. + +11.2.5 SOURCE-ADDRESS + + The SOURCE-ADDRESS attribute is present in Binding Responses. It + indicates the source IP address and port that the server is sending + the response from. Its syntax is identical to that of MAPPED- + ADDRESS. + +11.2.6 USERNAME + + The USERNAME attribute is used for message integrity. It serves as a + means to identify the shared secret used in the message integrity + check. The USERNAME is always present in a Shared Secret Response, + along with the PASSWORD. It is optionally present in a Binding + Request when message integrity is used. + + + + + +Rosenberg, et al. Standards Track [Page 28] + +RFC 3489 STUN March 2003 + + + The value of USERNAME is a variable length opaque value. Its length + MUST be a multiple of 4 (measured in bytes) in order to guarantee + alignment of attributes on word boundaries. + +11.2.7 PASSWORD + + The PASSWORD attribute is used in Shared Secret Responses. It is + always present in a Shared Secret Response, along with the USERNAME. + + The value of PASSWORD is a variable length value that is to be used + as a shared secret. Its length MUST be a multiple of 4 (measured in + bytes) in order to guarantee alignment of attributes on word + boundaries. + +11.2.8 MESSAGE-INTEGRITY + + The MESSAGE-INTEGRITY attribute contains an HMAC-SHA1 [13] of the + STUN message. It can be present in Binding Requests or Binding + Responses. Since it uses the SHA1 hash, the HMAC will be 20 bytes. + The text used as input to HMAC is the STUN message, including the + header, up to and including the attribute preceding the MESSAGE- + INTEGRITY attribute. That text is then padded with zeroes so as to be + a multiple of 64 bytes. As a result, the MESSAGE-INTEGRITY attribute + MUST be the last attribute in any STUN message. The key used as + input to HMAC depends on the context. + +11.2.9 ERROR-CODE + + The ERROR-CODE attribute is present in the Binding Error Response and + Shared Secret Error Response. It is a numeric value in the range of + 100 to 699 plus a textual reason phrase encoded in UTF-8, and is + consistent in its code assignments and semantics with SIP [10] and + HTTP [15]. The reason phrase is meant for user consumption, and can + be anything appropriate for the response code. The lengths of the + reason phrases MUST be a multiple of 4 (measured in bytes). This can + be accomplished by added spaces to the end of the text, if necessary. + Recommended reason phrases for the defined response codes are + presented below. + + To facilitate processing, the class of the error code (the hundreds + digit) is encoded separately from the rest of the code. + + + + + + + + + + +Rosenberg, et al. Standards Track [Page 29] + +RFC 3489 STUN March 2003 + + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | 0 |Class| Number | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Reason Phrase (variable) .. + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + The class represents the hundreds digit of the response code. The + value MUST be between 1 and 6. The number represents the response + code modulo 100, and its value MUST be between 0 and 99. + + The following response codes, along with their recommended reason + phrases (in brackets) are defined at this time: + + 400 (Bad Request): The request was malformed. The client should not + retry the request without modification from the previous + attempt. + + 401 (Unauthorized): The Binding Request did not contain a MESSAGE- + INTEGRITY attribute. + + 420 (Unknown Attribute): The server did not understand a mandatory + attribute in the request. + + 430 (Stale Credentials): The Binding Request did contain a MESSAGE- + INTEGRITY attribute, but it used a shared secret that has + expired. The client should obtain a new shared secret and try + again. + + 431 (Integrity Check Failure): The Binding Request contained a + MESSAGE-INTEGRITY attribute, but the HMAC failed verification. + This could be a sign of a potential attack, or client + implementation error. + + 432 (Missing Username): The Binding Request contained a MESSAGE- + INTEGRITY attribute, but not a USERNAME attribute. Both must be + present for integrity checks. + + 433 (Use TLS): The Shared Secret request has to be sent over TLS, but + was not received over TLS. + + 500 (Server Error): The server has suffered a temporary error. The + client should try again. + + 600 (Global Failure:) The server is refusing to fulfill the request. + The client should not retry. + + + + +Rosenberg, et al. Standards Track [Page 30] + +RFC 3489 STUN March 2003 + + +11.2.10 UNKNOWN-ATTRIBUTES + + The UNKNOWN-ATTRIBUTES attribute is present only in a Binding Error + Response or Shared Secret Error Response when the response code in + the ERROR-CODE attribute is 420. + + The attribute contains a list of 16 bit values, each of which + represents an attribute type that was not understood by the server. + If the number of unknown attributes is an odd number, one of the + attributes MUST be repeated in the list, so that the total length of + the list is a multiple of 4 bytes. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Attribute 1 Type | Attribute 2 Type | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Attribute 3 Type | Attribute 4 Type ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +11.2.11 REFLECTED-FROM + + The REFLECTED-FROM attribute is present only in Binding Responses, + when the Binding Request contained a RESPONSE-ADDRESS attribute. The + attribute contains the identity (in terms of IP address) of the + source where the request came from. Its purpose is to provide + traceability, so that a STUN server cannot be used as a reflector for + denial-of-service attacks. + + Its syntax is identical to the MAPPED-ADDRESS attribute. + +12. Security Considerations + +12.1 Attacks on STUN + + Generally speaking, attacks on STUN can be classified into denial of + service attacks and eavesdropping attacks. Denial of service attacks + can be launched against a STUN server itself, or against other + elements using the STUN protocol. + + STUN servers create state through the Shared Secret Request + mechanism. To prevent being swamped with traffic, a STUN server + SHOULD limit the number of simultaneous TLS connections it will hold + open by dropping an existing connection when a new connection request + arrives (based on an Least Recently Used (LRU) policy, for example). + Similarly, it SHOULD limit the number of shared secrets it will + store, in the event that the server is storing the shared secrets. + + + + +Rosenberg, et al. Standards Track [Page 31] + +RFC 3489 STUN March 2003 + + + The attacks of greater interest are those in which the STUN server + and client are used to launch DOS attacks against other entities, + including the client itself. + + Many of the attacks require the attacker to generate a response to a + legitimate STUN request, in order to provide the client with a faked + MAPPED-ADDRESS. The attacks that can be launched using such a + technique include: + +12.1.1 Attack I: DDOS Against a Target + + In this case, the attacker provides a large number of clients with + the same faked MAPPED-ADDRESS that points to the intended target. + This will trick all the STUN clients into thinking that their + addresses are equal to that of the target. The clients then hand out + that address in order to receive traffic on it (for example, in SIP + or H.323 messages). However, all of that traffic becomes focused at + the intended target. The attack can provide substantial + amplification, especially when used with clients that are using STUN + to enable multimedia applications. + +12.1.2 Attack II: Silencing a Client + + In this attack, the attacker seeks to deny a client access to + services enabled by STUN (for example, a client using STUN to enable + SIP-based multimedia traffic). To do that, the attacker provides + that client with a faked MAPPED-ADDRESS. The MAPPED-ADDRESS it + provides is an IP address that routes to nowhere. As a result, the + client won't receive any of the packets it expects to receive when it + hands out the MAPPED-ADDRESS. + + This exploitation is not very interesting for the attacker. It + impacts a single client, which is frequently not the desired target. + Moreover, any attacker that can mount the attack could also deny + service to the client by other means, such as preventing the client + from receiving any response from the STUN server, or even a DHCP + server. + +12.1.3 Attack III: Assuming the Identity of a Client + + This attack is similar to attack II. However, the faked MAPPED- + ADDRESS points to the attacker themself. This allows the attacker to + receive traffic which was destined for the client. + + + + + + + + +Rosenberg, et al. Standards Track [Page 32] + +RFC 3489 STUN March 2003 + + +12.1.4 Attack IV: Eavesdropping + + In this attack, the attacker forces the client to use a MAPPED- + ADDRESS that routes to itself. It then forwards any packets it + receives to the client. This attack would allow the attacker to + observe all packets sent to the client. However, in order to launch + the attack, the attacker must have already been able to observe + packets from the client to the STUN server. In most cases (such as + when the attack is launched from an access network), this means that + the attacker could already observe packets sent to the client. This + attack is, as a result, only useful for observing traffic by + attackers on the path from the client to the STUN server, but not + generally on the path of packets being routed towards the client. + +12.2 Launching the Attacks + + It is important to note that attacks of this nature (injecting + responses with fake MAPPED-ADDRESSes) require that the attacker be + capable of eavesdropping requests sent from the client to the server + (or to act as a MITM for such attacks). This is because STUN + requests contain a transaction identifier, selected by the client, + which is random with 128 bits of entropy. The server echoes this + value in the response, and the client ignores any responses that + don't have a matching transaction ID. Therefore, in order for an + attacker to provide a faked response that is accepted by the client, + the attacker needs to know what the transaction ID in the request + was. The large amount of randomness, combined with the need to know + when the client sends a request, precludes attacks that involve + guessing the transaction ID. + + Since all of the above attacks rely on this one primitive - injecting + a response with a faked MAPPED-ADDRESS - preventing the attacks is + accomplished by preventing this one operation. To prevent it, we + need to consider the various ways in which it can be accomplished. + There are several: + +12.2.1 Approach I: Compromise a Legitimate STUN Server + + In this attack, the attacker compromises a legitimate STUN server + through a virus or Trojan horse. Presumably, this would allow the + attacker to take over the STUN server, and control the types of + responses it generates. + + Compromise of a STUN server can also lead to discovery of open ports. + Knowledge of an open port creates an opportunity for DoS attacks on + those ports (or DDoS attacks if the traversed NAT is a full cone + NAT). Discovering open ports is already fairly trivial using port + probing, so this does not represent a major threat. + + + +Rosenberg, et al. Standards Track [Page 33] + +RFC 3489 STUN March 2003 + + +12.2.2 Approach II: DNS Attacks + + STUN servers are discovered using DNS SRV records. If an attacker + can compromise the DNS, it can inject fake records which map a domain + name to the IP address of a STUN server run by the attacker. This + will allow it to inject fake responses to launch any of the attacks + above. + +12.2.3 Approach III: Rogue Router or NAT + + Rather than compromise the STUN server, an attacker can cause a STUN + server to generate responses with the wrong MAPPED-ADDRESS by + compromising a router or NAT on the path from the client to the STUN + server. When the STUN request passes through the rogue router or + NAT, it rewrites the source address of the packet to be that of the + desired MAPPED-ADDRESS. This address cannot be arbitrary. If the + attacker is on the public Internet (that is, there are no NATs + between it and the STUN server), and the attacker doesn't modify the + STUN request, the address has to have the property that packets sent + from the STUN server to that address would route through the + compromised router. This is because the STUN server will send the + responses back to the source address of the request. With a modified + source address, the only way they can reach the client is if the + compromised router directs them there. If the attacker is on the + public Internet, but they can modify the STUN request, they can + insert a RESPONSE-ADDRESS attribute into the request, containing the + actual source address of the STUN request. This will cause the + server to send the response to the client, independent of the source + address the STUN server sees. This gives the attacker the ability to + forge an arbitrary source address when it forwards the STUN request. + + If the attacker is on a private network (that is, there are NATs + between it and the STUN server), the attacker will not be able to + force the server to generate arbitrary MAPPED-ADRESSes in responses. + They will only be able force the STUN server to generate MAPPED- + ADDRESSes which route to the private network. This is because the + NAT between the attacker and the STUN server will rewrite the source + address of the STUN request, mapping it to a public address that + routes to the private network. Because of this, the attacker can + only force the server to generate faked mapped addresses that route + to the private network. Unfortunately, it is possible that a low + quality NAT would be willing to map an allocated public address to + another public address (as opposed to an internal private address), + in which case the attacker could forge the source address in a STUN + request to be an arbitrary public address. This kind of behavior + from NATs does appear to be rare. + + + + + +Rosenberg, et al. Standards Track [Page 34] + +RFC 3489 STUN March 2003 + + +12.2.4 Approach IV: MITM + + As an alternative to approach III, if the attacker can place an + element on the path from the client to the server, the element can + act as a man-in-the-middle. In that case, it can intercept a STUN + request, and generate a STUN response directly with any desired value + of the MAPPED-ADDRESS field. Alternatively, it can forward the STUN + request to the server (after potential modification), receive the + response, and forward it to the client. When forwarding the request + and response, this attack is subject to the same limitations on the + MAPPED-ADDRESS described in Section 12.2.3. + +12.2.5 Approach V: Response Injection Plus DoS + + In this approach, the attacker does not need to be a MITM (as in + approaches III and IV). Rather, it only needs to be able to + eavesdrop onto a network segment that carries STUN requests. This is + easily done in multiple access networks such as ethernet or + unprotected 802.11. To inject the fake response, the attacker + listens on the network for a STUN request. When it sees one, it + simultaneously launches a DoS attack on the STUN server, and + generates its own STUN response with the desired MAPPED-ADDRESS + value. The STUN response generated by the attacker will reach the + client, and the DoS attack against the server is aimed at preventing + the legitimate response from the server from reaching the client. + Arguably, the attacker can do without the DoS attack on the server, + so long as the faked response beats the real response back to the + client, and the client uses the first response, and ignores the + second (even though it's different). + +12.2.6 Approach VI: Duplication + + This approach is similar to approach V. The attacker listens on the + network for a STUN request. When it sees it, it generates its own + STUN request towards the server. This STUN request is identical to + the one it saw, but with a spoofed source IP address. The spoofed + address is equal to the one that the attacker desires to have placed + in the MAPPED-ADDRESS of the STUN response. In fact, the attacker + generates a flood of such packets. The STUN server will receive the + one original request, plus a flood of duplicate fake ones. It + generates responses to all of them. If the flood is sufficiently + large for the responses to congest routers or some other equipment, + there is a reasonable probability that the one real response is lost + (along with many of the faked ones), but the net result is that only + the faked responses are received by the STUN client. These responses + are all identical and all contain the MAPPED-ADDRESS that the + attacker wanted the client to use. + + + + +Rosenberg, et al. Standards Track [Page 35] + +RFC 3489 STUN March 2003 + + + The flood of duplicate packets is not needed (that is, only one faked + request is sent), so long as the faked response beats the real + response back to the client, and the client uses the first response, + and ignores the second (even though it's different). + + Note that, in this approach, launching a DoS attack against the STUN + server or the IP network, to prevent the valid response from being + sent or received, is problematic. The attacker needs the STUN server + to be available to handle its own request. Due to the periodic + retransmissions of the request from the client, this leaves a very + tiny window of opportunity. The attacker must start the DoS attack + immediately after the actual request from the client, causing the + correct response to be discarded, and then cease the DoS attack in + order to send its own request, all before the next retransmission + from the client. Due to the close spacing of the retransmits (100ms + to a few seconds), this is very difficult to do. + + Besides DoS attacks, there may be other ways to prevent the actual + request from the client from reaching the server. Layer 2 + manipulations, for example, might be able to accomplish it. + + Fortunately, Approach IV is subject to the same limitations + documented in Section 12.2.3, which limit the range of MAPPED- + ADDRESSes the attacker can cause the STUN server to generate. + +12.3 Countermeasures + + STUN provides mechanisms to counter the approaches described above, + and additional, non-STUN techniques can be used as well. + + First off, it is RECOMMENDED that networks with STUN clients + implement ingress source filtering (RFC 2827 [7]). This is + particularly important for the NATs themselves. As Section 12.2.3 + explains, NATs which do not perform this check can be used as + "reflectors" in DDoS attacks. Most NATs do perform this check as a + default mode of operation. We strongly advise people that purchase + NATs to ensure that this capability is present and enabled. + + Secondly, it is RECOMMENDED that STUN servers be run on hosts + dedicated to STUN, with all UDP and TCP ports disabled except for the + STUN ports. This is to prevent viruses and Trojan horses from + infecting STUN servers, in order to prevent their compromise. This + helps mitigate Approach I (Section 12.2.1). + + Thirdly, to prevent the DNS attack of Section 12.2.2, Section 9.2 + recommends that the client verify the credentials provided by the + server with the name used in the DNS lookup. + + + + +Rosenberg, et al. Standards Track [Page 36] + +RFC 3489 STUN March 2003 + + + Finally, all of the attacks above rely on the client taking the + mapped address it learned from STUN, and using it in application + layer protocols. If encryption and message integrity are provided + within those protocols, the eavesdropping and identity assumption + attacks can be prevented. As such, applications that make use of + STUN addresses in application protocols SHOULD use integrity and + encryption, even if a SHOULD level strength is not specified for that + protocol. For example, multimedia applications using STUN addresses + to receive RTP traffic would use secure RTP [16]. + + The above three techniques are non-STUN mechanisms. STUN itself + provides several countermeasures. + + Approaches IV (Section 12.2.4), when generating the response locally, + and V (Section 12.2.5) require an attacker to generate a faked + response. This attack is prevented using the message integrity + mechanism provided in STUN, described in Section 8.1. + + Approaches III (Section 12.2.3) IV (Section 12.2.4), when using the + relaying technique, and VI (12.2.6), however, are not preventable + through server signatures. Both approaches are most potent when the + attacker can modify the request, inserting a RESPONSE-ADDRESS that + routes to the client. Fortunately, such modifications are + preventable using the message integrity techniques described in + Section 9.3. However, these three approaches are still functional + when the attacker modifies nothing but the source address of the STUN + request. Sadly, this is the one thing that cannot be protected + through cryptographic means, as this is the change that STUN itself + is seeking to detect and report. It is therefore an inherent + weakness in NAT, and not fixable in STUN. To help mitigate these + attacks, Section 9.4 provides several heuristics for the client to + follow. The client looks for inconsistent or extra responses, both + of which are signs of the attacks described above. However, these + heuristics are just that - heuristics, and cannot be guaranteed to + prevent attacks. The heuristics appear to prevent the attacks as we + know how to launch them today. Implementors should stay posted for + information on new heuristics that might be required in the future. + Such information will be distributed on the IETF MIDCOM mailing list, + midcom@ietf.org. + +12.4 Residual Threats + + None of the countermeasures listed above can prevent the attacks + described in Section 12.2.3 if the attacker is in the appropriate + network paths. Specifically, consider the case in which the attacker + wishes to convince client C that it has address V. The attacker + needs to have a network element on the path between A and the server + (in order to modify the request) and on the path between the server + + + +Rosenberg, et al. Standards Track [Page 37] + +RFC 3489 STUN March 2003 + + + and V so that it can forward the response to C. Furthermore, if + there is a NAT between the attacker and the server, V must also be + behind the same NAT. In such a situation, the attacker can either + gain access to all the application-layer traffic or mount the DDOS + attack described in Section 12.1.1. Note that any host which exists + in the correct topological relationship can be DDOSed. It need not + be using STUN. + +13. IANA Considerations + + STUN cannot be extended. Changes to the protocol are made through a + standards track revision of this specification. As a result, no IANA + registries are needed. Any future extensions will establish any + needed registries. + +14. IAB Considerations + + The IAB has studied the problem of "Unilateral Self Address Fixing", + which is the general process by which a client attempts to determine + its address in another realm on the other side of a NAT through a + collaborative protocol reflection mechanism (RFC 3424 [17]). STUN is + an example of a protocol that performs this type of function. The + IAB has mandated that any protocols developed for this purpose + document a specific set of considerations. This section meets those + requirements. + +14.1 Problem Definition + + From RFC 3424 [17], any UNSAF proposal must provide: + + Precise definition of a specific, limited-scope problem that is to + be solved with the UNSAF proposal. A short term fix should not be + generalized to solve other problems; this is why "short term fixes + usually aren't". + + The specific problems being solved by STUN are: + + o Provide a means for a client to detect the presence of one or more + NATs between it and a server run by a service provider on the + public Internet. The purpose of such detection is to determine + additional steps that might be necessary in order to receive + service from that particular provider. + + o Provide a means for a client to detect the presence of one or more + NATs between it and another client, where the second client is + reachable from the first, but it is not known whether the second + client resides on the public Internet. + + + + +Rosenberg, et al. Standards Track [Page 38] + +RFC 3489 STUN March 2003 + + + o Provide a means for a client to obtain an address on the public + Internet from a non-symmetric NAT, for the express purpose of + receiving incoming UDP traffic from another host, targeted to that + address. + + STUN does not address TCP, either incoming or outgoing, and does not + address outgoing UDP communications. + +14.2 Exit Strategy + + From [17], any UNSAF proposal must provide: + + Description of an exit strategy/transition plan. The better short + term fixes are the ones that will naturally see less and less use + as the appropriate technology is deployed. + + STUN comes with its own built in exit strategy. This strategy is the + detection operation that is performed as a precursor to the actual + UNSAF address-fixing operation. This discovery operation, documented + in Section 10.1, attempts to discover the existence of, and type of, + any NATS between the client and the service provider network. Whilst + the detection of the specific type of NAT may be brittle, the + discovery of the existence of NAT is itself quite robust. As NATs + are phased out through the deployment of IPv6, the discovery + operation will return immediately with the result that there is no + NAT, and no further operations are required. Indeed, the discovery + operation itself can be used to help motivate deployment of IPv6; if + a user detects a NAT between themselves and the public Internet, they + can call up their access provider and complain about it. + + STUN can also help facilitate the introduction of midcom. As + midcom-capable NATs are deployed, applications will, instead of using + STUN (which also resides at the application layer), first allocate an + address binding using midcom. However, it is a well-known limitation + of midcom that it only works when the agent knows the middleboxes + through which its traffic will flow. Once bindings have been + allocated from those middleboxes, a STUN detection procedure can + validate that there are no additional middleboxes on the path from + the public Internet to the client. If this is the case, the + application can continue operation using the address bindings + allocated from midcom. If it is not the case, STUN provides a + mechanism for self-address fixing through the remaining midcom- + unaware middleboxes. Thus, STUN provides a way to help transition to + full midcom-aware networks. + + + + + + + +Rosenberg, et al. Standards Track [Page 39] + +RFC 3489 STUN March 2003 + + +14.3 Brittleness Introduced by STUN + + From [17], any UNSAF proposal must provide: + + Discussion of specific issues that may render systems more + "brittle". For example, approaches that involve using data at + multiple network layers create more dependencies, increase + debugging challenges, and make it harder to transition. + + STUN introduces brittleness into the system in several ways: + + o The discovery process assumes a certain classification of devices + based on their treatment of UDP. There could be other types of + NATs that are deployed that would not fit into one of these molds. + Therefore, future NATs may not be properly detected by STUN. STUN + clients (but not servers) would need to change to accommodate + that. + + o The binding acquisition usage of STUN does not work for all NAT + types. It will work for any application for full cone NATs only. + For restricted cone and port restricted cone NAT, it will work for + some applications depending on the application. Application + specific processing will generally be needed. For symmetric NATs, + the binding acquisition will not yield a usable address. The + tight dependency on the specific type of NAT makes the protocol + brittle. + + o STUN assumes that the server exists on the public Internet. If + the server is located in another private address realm, the user + may or may not be able to use its discovered address to + communicate with other users. There is no way to detect such a + condition. + + o The bindings allocated from the NAT need to be continuously + refreshed. Since the timeouts for these bindings is very + implementation specific, the refresh interval cannot easily be + determined. When the binding is not being actively used to + receive traffic, but to wait for an incoming message, the binding + refresh will needlessly consume network bandwidth. + + o The use of the STUN server as an additional network element + introduces another point of potential security attack. These + attacks are largely prevented by the security measures provided by + STUN, but not entirely. + + + + + + + +Rosenberg, et al. Standards Track [Page 40] + +RFC 3489 STUN March 2003 + + + o The use of the STUN server as an additional network element + introduces another point of failure. If the client cannot locate + a STUN server, or if the server should be unavailable due to + failure, the application cannot function. + + o The use of STUN to discover address bindings will result in an + increase in latency for applications. For example, a Voice over + IP application will see an increase of call setup delays equal to + at least one RTT to the STUN server. + + o The discovery of binding lifetimes is prone to error. It assumes + that the same lifetime will exist for all bindings. This may not + be true if the NAT uses dynamic binding lifetimes to handle + overload, or if the NAT itself reboots during the discovery + process. + + o STUN imposes some restrictions on the network topologies for + proper operation. If client A obtains an address from STUN server + X, and sends it to client B, B may not be able to send to A using + that IP address. The address will not work if any of the + following is true: + + - The STUN server is not in an address realm that is a common + ancestor (topologically) of both clients A and B. For example, + consider client A and B, both of which have residential NAT + devices. Both devices connect them to their cable operators, + but both clients have different providers. Each provider has a + NAT in front of their entire network, connecting it to the + public Internet. If the STUN server used by A is in A's cable + operator's network, an address obtained by it will not be + usable by B. The STUN server must be in the network which is a + common ancestor to both - in this case, the public Internet. + + - The STUN server is in an address realm that is a common + ancestor to both clients, but both clients are behind the same + NAT connecting to that address realm. For example, if the two + clients in the previous example had the same cable operator, + that cable operator had a single NAT connecting their network + to the public Internet, and the STUN server was on the public + Internet, the address obtained by A would not be usable by B. + That is because some NATs will not accept an internal packet + sent to a public IP address which is mapped back to an internal + address. To deal with this, additional protocol mechanisms or + configuration parameters need to be introduced which detect + this case. + + + + + + +Rosenberg, et al. Standards Track [Page 41] + +RFC 3489 STUN March 2003 + + + o Most significantly, STUN introduces potential security threats + which cannot be eliminated. This specification describes + heuristics that can be used to mitigate the problem, but it is + provably unsolvable given what STUN is trying to accomplish. + These security problems are described fully in Section 12. + +14.4 Requirements for a Long Term Solution + + From [17], any UNSAF proposal must provide: + + Identify requirements for longer term, sound technical solutions + -- contribute to the process of finding the right longer term + solution. + + Our experience with STUN has led to the following requirements for a + long term solution to the NAT problem: + + Requests for bindings and control of other resources in a NAT + need to be explicit. Much of the brittleness in STUN derives from + its guessing at the parameters of the NAT, rather than telling the + NAT what parameters to use. + + Control needs to be "in-band". There are far too many scenarios + in which the client will not know about the location of + middleboxes ahead of time. Instead, control of such boxes needs + to occur in-band, traveling along the same path as the data will + itself travel. This guarantees that the right set of middleboxes + are controlled. This is only true for first-party controls; + third-party controls are best handled using the midcom framework. + + Control needs to be limited. Users will need to communicate + through NATs which are outside of their administrative control. + In order for providers to be willing to deploy NATs which can be + controlled by users in different domains, the scope of such + controls needs to be extremely limited - typically, allocating a + binding to reach the address where the control packets are coming + from. + + Simplicity is Paramount. The control protocol will need to be + implement in very simple clients. The servers will need to + support extremely high loads. The protocol will need to be + extremely robust, being the precursor to a host of application + protocols. As such, simplicity is key. + + + + + + + + +Rosenberg, et al. Standards Track [Page 42] + +RFC 3489 STUN March 2003 + + +14.5 Issues with Existing NAPT Boxes + + From [17], any UNSAF proposal must provide: + + Discussion of the impact of the noted practical issues with + existing, deployed NA[P]Ts and experience reports. + + Several of the practical issues with STUN involve future proofing - + breaking the protocol when new NAT types get deployed. Fortunately, + this is not an issue at the current time, since most of the deployed + NATs are of the types assumed by STUN. The primary usage STUN has + found is in the area of VoIP, to facilitate allocation of addresses + for receiving RTP [12] traffic. In that application, the periodic + keepalives are provided by the RTP traffic itself. However, several + practical problems arise for RTP. First, RTP assumes that RTCP + traffic is on a port one higher than the RTP traffic. This pairing + property cannot be guaranteed through NATs that are not directly + controllable. As a result, RTCP traffic may not be properly + received. Protocol extensions to SDP have been proposed which + mitigate this by allowing the client to signal a different port for + RTCP [18]. However, there will be interoperability problems for some + time. + + For VoIP, silence suppression can cause a gap in the transmission of + RTP packets. This could result in the loss of a binding in the + middle of a call, if that silence period exceeds the binding timeout. + This can be mitigated by sending occasional silence packets to keep + the binding alive. However, the result is additional brittleness; + proper operation depends on the silence suppression algorithm in use, + the usage of a comfort noise codec, the duration of the silence + period, and the binding lifetime in the NAT. + +14.6 In Closing + + The problems with STUN are not design flaws in STUN. The problems in + STUN have to do with the lack of standardized behaviors and controls + in NATs. The result of this lack of standardization has been a + proliferation of devices whose behavior is highly unpredictable, + extremely variable, and uncontrollable. STUN does the best it can in + such a hostile environment. Ultimately, the solution is to make the + environment less hostile, and to introduce controls and standardized + behaviors into NAT. However, until such time as that happens, STUN + provides a good short term solution given the terrible conditions + under which it is forced to operate. + + + + + + + +Rosenberg, et al. Standards Track [Page 43] + +RFC 3489 STUN March 2003 + + +15. Acknowledgments + + The authors would like to thank Cedric Aoun, Pete Cordell, Cullen + Jennings, Bob Penfield and Chris Sullivan for their comments, and + Baruch Sterman and Alan Hawrylyshen for initial implementations. + Thanks for Leslie Daigle, Allison Mankin, Eric Rescorla, and Henning + Schulzrinne for IESG and IAB input on this work. + +16. Normative References + + [1] Bradner, S., "Key words for use in RFCs to indicate requirement + levels", BCP 14, RFC 2119, March 1997. + + [2] Dierks, T. and C. Allen, "The TLS protocol Version 1.0", RFC + 2246, January 1999. + + [3] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for + specifying the location of services (DNS SRV)", RFC 2782, + February 2000. + + [4] Chown, P., "Advanced Encryption Standard (AES) Ciphersuites for + Transport Layer Security (TLS)", RFC 3268, June 2002. + + [5] Rescorla, E., "HTTP over TLS", RFC 2818, May 2000. + + [6] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981. + + [7] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating + Denial of Service Attacks which employ IP Source Address + Spoofing", BCP 38, RFC 2827, May 2000. + +17. Informative References + + [8] Senie, D., "Network Address Translator (NAT)-Friendly + Application Design Guidelines", RFC 3235, January 2002. + + [9] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A. and A. + Rayhan, "Middlebox Communication Architecture and Framework", + RFC 3303, August 2002. + + [10] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., + Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP: + Session Initiation Protocol", RFC 3261, June 2002. + + [11] Holdrege, M. and P. Srisuresh, "Protocol Complications with the + IP Network Address Translator", RFC 3027, January 2001. + + + + + +Rosenberg, et al. Standards Track [Page 44] + +RFC 3489 STUN March 2003 + + + [12] Schulzrinne, H., Casner, S., Frederick, R. and V. Jacobson, + "RTP: A Transport Protocol for Real-Time Applications", RFC + 1889, January 1996. + + [13] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing + for Message Authentication", RFC 2104, February 1997. + + [14] Kohl, J. and C. Neuman, "The kerberos Network Authentication + Service (V5)", RFC 1510, September 1993. + + [15] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., + Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- + HTTP/1.1", RFC 2616, June 1999. + + [16] Baugher M., et al., "The secure real-time transport protocol", + Work in Progress. + + [17] Daigle, L., Editor, "IAB Considerations for UNilateral Self- + Address Fixing (UNSAF) Across Network Address Translation", RFC + 3424, November 2002. + + [18] Huitema, C., "RTCP attribute in SDP", Work in Progress. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Rosenberg, et al. Standards Track [Page 45] + +RFC 3489 STUN March 2003 + + +18. Authors' Addresses + + Jonathan Rosenberg + dynamicsoft + 72 Eagle Rock Avenue + First Floor + East Hanover, NJ 07936 + + EMail: jdrosen@dynamicsoft.com + + + Joel Weinberger + dynamicsoft + 72 Eagle Rock Avenue + First Floor + East Hanover, NJ 07936 + + EMail: jweinberger@dynamicsoft.com + + + Christian Huitema + Microsoft Corporation + One Microsoft Way + Redmond, WA 98052-6399 + + EMail: huitema@microsoft.com + + + Rohan Mahy + Cisco Systems + 101 Cooper St + Santa Cruz, CA 95060 + + EMail: rohan@cisco.com + + + + + + + + + + + + + + + + + +Rosenberg, et al. Standards Track [Page 46] + +RFC 3489 STUN March 2003 + + +19. Full Copyright Statement + + Copyright (C) The Internet Society (2003). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + + + + + + + + + + + + + +Rosenberg, et al. Standards Track [Page 47] + |