STUN
STUN is a protocol that a host uses to discover the NATs and firewalls between itself and the Internet, and in particular the public address and port a NAT has allocated to it. It is a building block for NAT traversal protocols such as ICE rather than a complete traversal solution on its own.
Introduction
STUN (Session Traversal Utilities for NAT) is a protocol that provides tools for NAT traversal. It is designed to be used by higher-level protocols, such as ICE, rather than on its own [1, Pp. 1, 4].
STUN is a client-server protocol and a STUN implementation is known as a STUN Agent [1, P. 6].
The main STUN method is Binding, which is used to determine the particular “binding” a NAT has allocated to a STUN client [1, P. 7].
In a Binding transaction, a request is sent from a client STUN Agent to a server STUN Agent. As the request passes through NATs along its route, each NAT rewrites the source IP address and port number. When the request reaches the STUN server, its source is the public IP address and port created by the NAT closest to the server. This is known as the reflexive transport address [1, P. 7].
The STUN server copies the reflexive transport address into an XOR-MAPPED-ADDRESS attribute of the Binding response and sends the response back to the client [1, P. 7]. The client matches the response to its request by the 96-bit Transaction ID, which is why the ID must be chosen uniformly at random (and should be cryptographically random) [1, Sec. 6]: a plain Binding response carries no authentication, so a predictable ID would let anyone who can reach the client forge a response with a mapped address of their choosing.
STUN format
Each STUN message consists of a fixed 20-byte STUN header followed by zero or more message attributes.
STUN header
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0 0|     STUN Message Type     |         Message Length        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Magic Cookie                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                     Transaction ID (96 bits)                  |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The STUN Message Type field encodes the message class (request, success response, error response, or indication) and the message method. The two most significant bits of every STUN message are zero [1, P. 10].
The Message Length field is the length (in bytes) of the message not including the 20-byte header. Because every attribute is padded to a multiple of four bytes, the length is always a multiple of four, so the two low bits of this field are always zero [1, P. 12].
The Magic Cookie field contains the fixed value 0x2112A442. These bytes were part of the 128-bit Transaction ID in the now-obsolete RFC 3489. The fixed value lets a server determine whether a client follows RFC 5389 and therefore understands the attributes it added, and it also helps distinguish STUN packets from other protocols multiplexed on the same port [1, P. 11].
STUN attributes
A STUN message also contains zero or more message attributes. A message attribute is TLV encoded (Type-Length-Value). The Length field gives the size of the Value in bytes before padding; the Value itself is padded with up to three bytes so that the next attribute starts on a 4-byte boundary, and a parser has to skip that padding (and bounds-check Length against the remaining message) rather than trust Length alone [1, Sec. 15].
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Type                  |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Value (variable)                ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The MAPPED-ADDRESS attribute contains the reflexive transport address of the client in the clear. It is retained only so that servers can stay backwards compatible with legacy RFC 3489 clients [1, Pp. 32-3].
The XOR-MAPPED-ADDRESS attribute contains the same reflexive transport address, obfuscated: X-Port is the port XORed with the 16 most significant bits of the Magic Cookie (0x2112); for IPv4, X-Address is the address XORed with the Magic Cookie, and for IPv6 it is the address XORed with the concatenation of the Magic Cookie and the Transaction ID [1, P. 34]. The obfuscation exists because some NATs rewrite their own public address when they find it in a packet payload, which silently corrupted MAPPED-ADDRESS; XORing makes the address unrecognisable to such NATs.
The format is:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|x x x x x x x x|    Family     |         X-Port                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                X-Address (Variable)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Note: See RFC 5389 section 15.2 for the full specification for generating the XORed values. The first byte is reserved and set to zero, Family is 0x01 for IPv4 (4-byte X-Address) and 0x02 for IPv6 (16-byte X-Address).
References
- [1] J. Rosenberg, R. Mahy, P. Matthews, and D. Wing, “Session Traversal Utilities for NAT (STUN),” RFC 5389, RFC Editor, Oct. 2008.