tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Glossaries     Architecture     IMS     UICC    |    search

RFC 5389

 
 
 

Session Traversal Utilities for NAT (STUN)

Part 2 of 3, p. 12 to 31
Prev RFC Part       Next RFC Part

 


prevText      Top      Up      ToC       Page 12 
7.  Base Protocol Procedures

   This section defines the base procedures of the STUN protocol.  It
   describes how messages are formed, how they are sent, and how they
   are processed when they are received.  It also defines the detailed
   processing of the Binding method.  Other sections in this document
   describe optional procedures that a usage may elect to use in certain
   situations.  Other documents may define other extensions to STUN, by
   adding new methods, new attributes, or new error response codes.

7.1.  Forming a Request or an Indication

   When formulating a request or indication message, the agent MUST
   follow the rules in Section 6 when creating the header.  In addition,
   the message class MUST be either "Request" or "Indication" (as
   appropriate), and the method must be either Binding or some method
   defined in another document.

   The agent then adds any attributes specified by the method or the
   usage.  For example, some usages may specify that the agent use an
   authentication method (Section 10) or the FINGERPRINT attribute
   (Section 8).

Top      Up      ToC       Page 13 
   If the agent is sending a request, it SHOULD add a SOFTWARE attribute
   to the request.  Agents MAY include a SOFTWARE attribute in
   indications, depending on the method.  Extensions to STUN should
   discuss whether SOFTWARE is useful in new indications.

   For the Binding method with no authentication, no attributes are
   required unless the usage specifies otherwise.

   All STUN messages sent over UDP SHOULD be less than the path MTU, if
   known.  If the path MTU is unknown, messages SHOULD be the smaller of
   576 bytes and the first-hop MTU for IPv4 [RFC1122] and 1280 bytes for
   IPv6 [RFC2460].  This value corresponds to the overall size of the IP
   packet.  Consequently, for IPv4, the actual STUN message would need
   to be less than 548 bytes (576 minus 20-byte IP header, minus 8-byte
   UDP header, assuming no IP options are used).  STUN provides no
   ability to handle the case where the request is under the MTU but the
   response would be larger than the MTU.  It is not envisioned that
   this limitation will be an issue for STUN.  The MTU limitation is a
   SHOULD, and not a MUST, to account for cases where STUN itself is
   being used to probe for MTU characteristics [BEHAVE-NAT].  Outside of
   this or similar applications, the MTU constraint MUST be followed.

7.2.  Sending the Request or Indication

   The agent then sends the request or indication.  This document
   specifies how to send STUN messages over UDP, TCP, or TLS-over-TCP;
   other transport protocols may be added in the future.  The STUN usage
   must specify which transport protocol is used, and how the agent
   determines the IP address and port of the recipient.  Section 9
   describes a DNS-based method of determining the IP address and port
   of a server that a usage may elect to use.  STUN may be used with
   anycast addresses, but only with UDP and in usages where
   authentication is not used.

   At any time, a client MAY have multiple outstanding STUN requests
   with the same STUN server (that is, multiple transactions in
   progress, with different transaction IDs).  Absent other limits to
   the rate of new transactions (such as those specified by ICE for
   connectivity checks or when STUN is run over TCP), a client SHOULD
   space new transactions to a server by RTO and SHOULD limit itself to
   ten outstanding transactions to the same server.

7.2.1.  Sending over UDP

   When running STUN over UDP, it is possible that the STUN message
   might be dropped by the network.  Reliability of STUN request/
   response transactions is accomplished through retransmissions of the

Top      Up      ToC       Page 14 
   request message by the client application itself.  STUN indications
   are not retransmitted; thus, indication transactions over UDP are not
   reliable.

   A client SHOULD retransmit a STUN request message starting with an
   interval of RTO ("Retransmission TimeOut"), doubling after each
   retransmission.  The RTO is an estimate of the round-trip time (RTT),
   and is computed as described in RFC 2988 [RFC2988], with two
   exceptions.  First, the initial value for RTO SHOULD be configurable
   (rather than the 3 s recommended in RFC 2988) and SHOULD be greater
   than 500 ms.  The exception cases for this "SHOULD" are when other
   mechanisms are used to derive congestion thresholds (such as the ones
   defined in ICE for fixed rate streams), or when STUN is used in non-
   Internet environments with known network capacities.  In fixed-line
   access links, a value of 500 ms is RECOMMENDED.  Second, the value of
   RTO SHOULD NOT be rounded up to the nearest second.  Rather, a 1 ms
   accuracy SHOULD be maintained.  As with TCP, the usage of Karn's
   algorithm is RECOMMENDED [KARN87].  When applied to STUN, it means
   that RTT estimates SHOULD NOT be computed from STUN transactions that
   result in the retransmission of a request.

   The value for RTO SHOULD be cached by a client after the completion
   of the transaction, and used as the starting value for RTO for the
   next transaction to the same server (based on equality of IP
   address).  The value SHOULD be considered stale and discarded after
   10 minutes.

   Retransmissions continue until a response is received, or until a
   total of Rc requests have been sent.  Rc SHOULD be configurable and
   SHOULD have a default of 7.  If, after the last request, a duration
   equal to Rm times the RTO has passed without a response (providing
   ample time to get a response if only this final request actually
   succeeds), the client SHOULD consider the transaction to have failed.
   Rm SHOULD be configurable and SHOULD have a default of 16.  A STUN
   transaction over UDP is also considered failed if there has been a
   hard ICMP error [RFC1122].  For example, assuming an RTO of 500 ms,
   requests would be sent at times 0 ms, 500 ms, 1500 ms, 3500 ms, 7500
   ms, 15500 ms, and 31500 ms.  If the client has not received a
   response after 39500 ms, the client will consider the transaction to
   have timed out.

7.2.2.  Sending over TCP or TLS-over-TCP

   For TCP and TLS-over-TCP, the client opens a TCP connection to the
   server.

Top      Up      ToC       Page 15 
   In some usages of STUN, STUN is sent as the only protocol over the
   TCP connection.  In this case, it can be sent without the aid of any
   additional framing or demultiplexing.  In other usages, or with other
   extensions, it may be multiplexed with other data over a TCP
   connection.  In that case, STUN MUST be run on top of some kind of
   framing protocol, specified by the usage or extension, which allows
   for the agent to extract complete STUN messages and complete
   application layer messages.  The STUN service running on the well-
   known port or ports discovered through the DNS procedures in
   Section 9 is for STUN alone, and not for STUN multiplexed with other
   data.  Consequently, no framing protocols are used in connections to
   those servers.  When additional framing is utilized, the usage will
   specify how the client knows to apply it and what port to connect to.
   For example, in the case of ICE connectivity checks, this information
   is learned through out-of-band negotiation between client and server.

   When STUN is run by itself over TLS-over-TCP, the
   TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite MUST be implemented at a
   minimum.  Implementations MAY also support any other ciphersuite.
   When it receives the TLS Certificate message, the client SHOULD
   verify the certificate and inspect the site identified by the
   certificate.  If the certificate is invalid or revoked, or if it does
   not identify the appropriate party, the client MUST NOT send the STUN
   message or otherwise proceed with the STUN transaction.  The client
   MUST verify the identity of the server.  To do that, it follows the
   identification procedures defined in Section 3.1 of RFC 2818
   [RFC2818].  Those procedures assume the client is dereferencing a
   URI.  For purposes of usage with this specification, the client
   treats the domain name or IP address used in Section 8.1 as the host
   portion of the URI that has been dereferenced.  Alternatively, a
   client MAY be configured with a set of domains or IP addresses that
   are trusted; if a certificate is received that identifies one of
   those domains or IP addresses, the client considers the identity of
   the server to be verified.

   When STUN is run multiplexed with other protocols over a TLS-over-TCP
   connection, the mandatory ciphersuites and TLS handling procedures
   operate as defined by those protocols.

   Reliability of STUN over TCP and TLS-over-TCP is handled by TCP
   itself, and there are no retransmissions at the STUN protocol level.
   However, for a request/response transaction, if the client has not
   received a response by Ti seconds after it sent the SYN to establish
   the connection, it considers the transaction to have timed out.  Ti
   SHOULD be configurable and SHOULD have a default of 39.5s.  This
   value has been chosen to equalize the TCP and UDP timeouts for the
   default initial RTO.

Top      Up      ToC       Page 16 
   In addition, if the client is unable to establish the TCP connection,
   or the TCP connection is reset or fails before a response is
   received, any request/response transaction in progress is considered
   to have failed.

   The client MAY send multiple transactions over a single TCP (or TLS-
   over-TCP) connection, and it MAY send another request before
   receiving a response to the previous.  The client SHOULD keep the
   connection open until it:

   o  has no further STUN requests or indications to send over that
      connection, and

   o  has no plans to use any resources (such as a mapped address
      (MAPPED-ADDRESS or XOR-MAPPED-ADDRESS) or relayed address
      [BEHAVE-TURN]) that were learned though STUN requests sent over
      that connection, and

   o  if multiplexing other application protocols over that port, has
      finished using that other application, and

   o  if using that learned port with a remote peer, has established
      communications with that remote peer, as is required by some TCP
      NAT traversal techniques (e.g., [MMUSIC-ICE-TCP]).

   At the server end, the server SHOULD keep the connection open, and
   let the client close it, unless the server has determined that the
   connection has timed out (for example, due to the client
   disconnecting from the network).  Bindings learned by the client will
   remain valid in intervening NATs only while the connection remains
   open.  Only the client knows how long it needs the binding.  The
   server SHOULD NOT close a connection if a request was received over
   that connection for which a response was not sent.  A server MUST NOT
   ever open a connection back towards the client in order to send a
   response.  Servers SHOULD follow best practices regarding connection
   management in cases of overload.

7.3.  Receiving a STUN Message

   This section specifies the processing of a STUN message.  The
   processing specified here is for STUN messages as defined in this
   specification; additional rules for backwards compatibility are
   defined in Section 12.  Those additional procedures are optional, and
   usages can elect to utilize them.  First, a set of processing
   operations is applied that is independent of the class.  This is
   followed by class-specific processing, described in the subsections
   that follow.

Top      Up      ToC       Page 17 
   When a STUN agent receives a STUN message, it first checks that the
   message obeys the rules of Section 6.  It checks that the first two
   bits are 0, that the magic cookie field has the correct value, that
   the message length is sensible, and that the method value is a
   supported method.  It checks that the message class is allowed for
   the particular method.  If the message class is "Success Response" or
   "Error Response", the agent checks that the transaction ID matches a
   transaction that is still in progress.  If the FINGERPRINT extension
   is being used, the agent checks that the FINGERPRINT attribute is
   present and contains the correct value.  If any errors are detected,
   the message is silently discarded.  In the case when STUN is being
   multiplexed with another protocol, an error may indicate that this is
   not really a STUN message; in this case, the agent should try to
   parse the message as a different protocol.

   The STUN agent then does any checks that are required by a
   authentication mechanism that the usage has specified (see
   Section 10).

   Once the authentication checks are done, the STUN agent checks for
   unknown attributes and known-but-unexpected attributes in the
   message.  Unknown comprehension-optional attributes MUST be ignored
   by the agent.  Known-but-unexpected attributes SHOULD be ignored by
   the agent.  Unknown comprehension-required attributes cause
   processing that depends on the message class and is described below.

   At this point, further processing depends on the message class of the
   request.

7.3.1.  Processing a Request

   If the request contains one or more unknown comprehension-required
   attributes, the server replies with an error response with an error
   code of 420 (Unknown Attribute), and includes an UNKNOWN-ATTRIBUTES
   attribute in the response that lists the unknown comprehension-
   required attributes.

   The server then does any additional checking that the method or the
   specific usage requires.  If all the checks succeed, the server
   formulates a success response as described below.

   When run over UDP, a request received by the server could be the
   first request of a transaction, or a retransmission.  The server MUST
   respond to retransmissions such that the following property is
   preserved: if the client receives the response to the retransmission
   and not the response that was sent to the original request, the
   overall state on the client and server is identical to the case where
   only the response to the original retransmission is received, or

Top      Up      ToC       Page 18 
   where both responses are received (in which case the client will use
   the first).  The easiest way to meet this requirement is for the
   server to remember all transaction IDs received over UDP and their
   corresponding responses in the last 40 seconds.  However, this
   requires the server to hold state, and will be inappropriate for any
   requests which are not authenticated.  Another way is to reprocess
   the request and recompute the response.  The latter technique MUST
   only be applied to requests that are idempotent (a request is
   considered idempotent when the same request can be safely repeated
   without impacting the overall state of the system) and result in the
   same success response for the same request.  The Binding method is
   considered to be idempotent.  Note that there are certain rare
   network events that could cause the reflexive transport address value
   to change, resulting in a different mapped address in different
   success responses.  Extensions to STUN MUST discuss the implications
   of request retransmissions on servers that do not store transaction
   state.

7.3.1.1.  Forming a Success or Error Response

   When forming the response (success or error), the server follows the
   rules of Section 6.  The method of the response is the same as that
   of the request, and the message class is either "Success Response" or
   "Error Response".

   For an error response, the server MUST add an ERROR-CODE attribute
   containing the error code specified in the processing above.  The
   reason phrase is not fixed, but SHOULD be something suitable for the
   error code.  For certain errors, additional attributes are added to
   the message.  These attributes are spelled out in the description
   where the error code is specified.  For example, for an error code of
   420 (Unknown Attribute), the server MUST include an UNKNOWN-
   ATTRIBUTES attribute.  Certain authentication errors also cause
   attributes to be added (see Section 10).  Extensions may define other
   errors and/or additional attributes to add in error cases.

   If the server authenticated the request using an authentication
   mechanism, then the server SHOULD add the appropriate authentication
   attributes to the response (see Section 10).

   The server also adds any attributes required by the specific method
   or usage.  In addition, the server SHOULD add a SOFTWARE attribute to
   the message.

   For the Binding method, no additional checking is required unless the
   usage specifies otherwise.  When forming the success response, the
   server adds a XOR-MAPPED-ADDRESS attribute to the response, where the
   contents of the attribute are the source transport address of the

Top      Up      ToC       Page 19 
   request message.  For UDP, this is the source IP address and source
   UDP port of the request message.  For TCP and TLS-over-TCP, this is
   the source IP address and source TCP port of the TCP connection as
   seen by the server.

7.3.1.2.  Sending the Success or Error Response

   The response (success or error) is sent over the same transport as
   the request was received on.  If the request was received over UDP,
   the destination IP address and port of the response are the source IP
   address and port of the received request message, and the source IP
   address and port of the response are equal to the destination IP
   address and port of the received request message.  If the request was
   received over TCP or TLS-over-TCP, the response is sent back on the
   same TCP connection as the request was received on.

7.3.2.  Processing an Indication

   If the indication contains unknown comprehension-required attributes,
   the indication is discarded and processing ceases.

   The agent then does any additional checking that the method or the
   specific usage requires.  If all the checks succeed, the agent then
   processes the indication.  No response is generated for an
   indication.

   For the Binding method, no additional checking or processing is
   required, unless the usage specifies otherwise.  The mere receipt of
   the message by the agent has refreshed the "bindings" in the
   intervening NATs.

   Since indications are not re-transmitted over UDP (unlike requests),
   there is no need to handle re-transmissions of indications at the
   sending agent.

7.3.3.  Processing a Success Response

   If the success response contains unknown comprehension-required
   attributes, the response is discarded and the transaction is
   considered to have failed.

   The client then does any additional checking that the method or the
   specific usage requires.  If all the checks succeed, the client then
   processes the success response.

   For the Binding method, the client checks that the XOR-MAPPED-ADDRESS
   attribute is present in the response.  The client checks the address
   family specified.  If it is an unsupported address family, the

Top      Up      ToC       Page 20 
   attribute SHOULD be ignored.  If it is an unexpected but supported
   address family (for example, the Binding transaction was sent over
   IPv4, but the address family specified is IPv6), then the client MAY
   accept and use the value.

7.3.4.  Processing an Error Response

   If the error response contains unknown comprehension-required
   attributes, or if the error response does not contain an ERROR-CODE
   attribute, then the transaction is simply considered to have failed.

   The client then does any processing specified by the authentication
   mechanism (see Section 10).  This may result in a new transaction
   attempt.

   The processing at this point depends on the error code, the method,
   and the usage; the following are the default rules:

   o  If the error code is 300 through 399, the client SHOULD consider
      the transaction as failed unless the ALTERNATE-SERVER extension is
      being used.  See Section 11.

   o  If the error code is 400 through 499, the client declares the
      transaction failed; in the case of 420 (Unknown Attribute), the
      response should contain a UNKNOWN-ATTRIBUTES attribute that gives
      additional information.

   o  If the error code is 500 through 599, the client MAY resend the
      request; clients that do so MUST limit the number of times they do
      this.

   Any other error code causes the client to consider the transaction
   failed.

8.  FINGERPRINT Mechanism

   This section describes an optional mechanism for STUN that aids in
   distinguishing STUN messages from packets of other protocols when the
   two are multiplexed on the same transport address.  This mechanism is
   optional, and a STUN usage must describe if and when it is used.  The
   FINGERPRINT mechanism is not backwards compatible with RFC 3489, and
   cannot be used in environments where such compatibility is required.

   In some usages, STUN messages are multiplexed on the same transport
   address as other protocols, such as the Real Time Transport Protocol
   (RTP).  In order to apply the processing described in Section 7, STUN
   messages must first be separated from the application packets.

Top      Up      ToC       Page 21 
   Section 6 describes three fixed fields in the STUN header that can be
   used for this purpose.  However, in some cases, these three fixed
   fields may not be sufficient.

   When the FINGERPRINT extension is used, an agent includes the
   FINGERPRINT attribute in messages it sends to another agent.
   Section 15.5 describes the placement and value of this attribute.
   When the agent receives what it believes is a STUN message, then, in
   addition to other basic checks, the agent also checks that the
   message contains a FINGERPRINT attribute and that the attribute
   contains the correct value.  Section 7.3 describes when in the
   overall processing of a STUN message the FINGERPRINT check is
   performed.  This additional check helps the agent detect messages of
   other protocols that might otherwise seem to be STUN messages.

9.  DNS Discovery of a Server

   This section describes an optional procedure for STUN that allows a
   client to use DNS to determine the IP address and port of a server.
   A STUN usage must describe if and when this extension is used.  To
   use this procedure, the client must know a server's domain name and a
   service name; the usage must also describe how the client obtains
   these.  Hard-coding the domain name of the server into software is
   NOT RECOMMENDED in case the domain name is lost or needs to change
   for legal or other reasons.

   When a client wishes to locate a STUN server in the public Internet
   that accepts Binding request/response transactions, the SRV service
   name is "stun".  When it wishes to locate a STUN server that accepts
   Binding request/response transactions over a TLS session, the SRV
   service name is "stuns".  STUN usages MAY define additional DNS SRV
   service names.

   The domain name is resolved to a transport address using the SRV
   procedures specified in [RFC2782].  The DNS SRV service name is the
   service name provided as input to this procedure.  The protocol in
   the SRV lookup is the transport protocol the client will run STUN
   over: "udp" for UDP and "tcp" for TCP.  Note that only "tcp" is
   defined with "stuns" at this time.

   The procedures of RFC 2782 are followed to determine the server to
   contact.  RFC 2782 spells out the details of how a set of SRV records
   is sorted and then tried.  However, RFC 2782 only states that the
   client should "try to connect to the (protocol, address, service)"
   without giving any details on what happens in the event of failure.
   When following these procedures, if the STUN transaction times out
   without receipt of a response, the client SHOULD retry the request to

Top      Up      ToC       Page 22 
   the next server in the ordered defined by RFC 2782.  Such a retry is
   only possible for request/response transmissions, since indication
   transactions generate no response or timeout.

   The default port for STUN requests is 3478, for both TCP and UDP.

   Administrators of STUN servers SHOULD use this port in their SRV
   records for UDP and TCP.  In all cases, the port in DNS MUST reflect
   the one on which the server is listening.  The default port for STUN
   over TLS is 5349.  Servers can run STUN over TLS on the same port as
   STUN over TCP if the server software supports determining whether the
   initial message is a TLS or STUN message.

   If no SRV records were found, the client performs an A or AAAA record
   lookup of the domain name.  The result will be a list of IP
   addresses, each of which can be contacted at the default port using
   UDP or TCP, independent of the STUN usage.  For usages that require
   TLS, the client connects to one of the IP addresses using the default
   STUN over TLS port.

10.  Authentication and Message-Integrity Mechanisms

   This section defines two mechanisms for STUN that a client and server
   can use to provide authentication and message integrity; these two
   mechanisms are known as the short-term credential mechanism and the
   long-term credential mechanism.  These two mechanisms are optional,
   and each usage must specify if and when these mechanisms are used.
   Consequently, both clients and servers will know which mechanism (if
   any) to follow based on knowledge of which usage applies.  For
   example, a STUN server on the public Internet supporting ICE would
   have no authentication, whereas the STUN server functionality in an
   agent supporting connectivity checks would utilize short-term
   credentials.  An overview of these two mechanisms is given in
   Section 3.

   Each mechanism specifies the additional processing required to use
   that mechanism, extending the processing specified in Section 7.  The
   additional processing occurs in three different places: when forming
   a message, when receiving a message immediately after the basic
   checks have been performed, and when doing the detailed processing of
   error responses.

10.1.  Short-Term Credential Mechanism

   The short-term credential mechanism assumes that, prior to the STUN
   transaction, the client and server have used some other protocol to
   exchange a credential in the form of a username and password.  This
   credential is time-limited.  The time limit is defined by the usage.

Top      Up      ToC       Page 23 
   As an example, in the ICE usage [MMUSIC-ICE], the two endpoints use
   out-of-band signaling to agree on a username and password, and this
   username and password are applicable for the duration of the media
   session.

   This credential is used to form a message-integrity check in each
   request and in many responses.  There is no challenge and response as
   in the long-term mechanism; consequently, replay is prevented by
   virtue of the time-limited nature of the credential.

10.1.1.  Forming a Request or Indication

   For a request or indication message, the agent MUST include the
   USERNAME and MESSAGE-INTEGRITY attributes in the message.  The HMAC
   for the MESSAGE-INTEGRITY attribute is computed as described in
   Section 15.4.  Note that the password is never included in the
   request or indication.

10.1.2.  Receiving a Request or Indication

   After the agent has done the basic processing of a message, the agent
   performs the checks listed below in order specified:

   o  If the message does not contain both a MESSAGE-INTEGRITY and a
      USERNAME attribute:

      *  If the message is a request, the server MUST reject the request
         with an error response.  This response MUST use an error code
         of 400 (Bad Request).

      *  If the message is an indication, the agent MUST silently
         discard the indication.

   o  If the USERNAME does not contain a username value currently valid
      within the server:

      *  If the message is a request, the server MUST reject the request
         with an error response.  This response MUST use an error code
         of 401 (Unauthorized).

      *  If the message is an indication, the agent MUST silently
         discard the indication.

   o  Using the password associated with the username, compute the value
      for the message integrity as described in Section 15.4.  If the
      resulting value does not match the contents of the MESSAGE-
      INTEGRITY attribute:

Top      Up      ToC       Page 24 
      *  If the message is a request, the server MUST reject the request
         with an error response.  This response MUST use an error code
         of 401 (Unauthorized).

      *  If the message is an indication, the agent MUST silently
         discard the indication.

   If these checks pass, the agent continues to process the request or
   indication.  Any response generated by a server MUST include the
   MESSAGE-INTEGRITY attribute, computed using the password utilized to
   authenticate the request.  The response MUST NOT contain the USERNAME
   attribute.

   If any of the checks fail, a server MUST NOT include a MESSAGE-
   INTEGRITY or USERNAME attribute in the error response.  This is
   because, in these failure cases, the server cannot determine the
   shared secret necessary to compute MESSAGE-INTEGRITY.

10.1.3.  Receiving a Response

   The client looks for the MESSAGE-INTEGRITY attribute in the response.
   If present, the client computes the message integrity over the
   response as defined in Section 15.4, using the same password it
   utilized for the request.  If the resulting value matches the
   contents of the MESSAGE-INTEGRITY attribute, the response is
   considered authenticated.  If the value does not match, or if
   MESSAGE-INTEGRITY was absent, the response MUST be discarded, as if
   it was never received.  This means that retransmits, if applicable,
   will continue.

10.2.  Long-Term Credential Mechanism

   The long-term credential mechanism relies on a long-term credential,
   in the form of a username and password that are shared between client
   and server.  The credential is considered long-term since it is
   assumed that it is provisioned for a user, and remains in effect
   until the user is no longer a subscriber of the system, or is
   changed.  This is basically a traditional "log-in" username and
   password given to users.

   Because these usernames and passwords are expected to be valid for
   extended periods of time, replay prevention is provided in the form
   of a digest challenge.  In this mechanism, the client initially sends
   a request, without offering any credentials or any integrity checks.
   The server rejects this request, providing the user a realm (used to
   guide the user or agent in selection of a username and password) and
   a nonce.  The nonce provides the replay protection.  It is a cookie,
   selected by the server, and encoded in such a way as to indicate a

Top      Up      ToC       Page 25 
   duration of validity or client identity from which it is valid.  The
   client retries the request, this time including its username and the
   realm, and echoing the nonce provided by the server.  The client also
   includes a message-integrity, which provides an HMAC over the entire
   request, including the nonce.  The server validates the nonce and
   checks the message integrity.  If they match, the request is
   authenticated.  If the nonce is no longer valid, it is considered
   "stale", and the server rejects the request, providing a new nonce.

   In subsequent requests to the same server, the client reuses the
   nonce, username, realm, and password it used previously.  In this
   way, subsequent requests are not rejected until the nonce becomes
   invalid by the server, in which case the rejection provides a new
   nonce to the client.

   Note that the long-term credential mechanism cannot be used to
   protect indications, since indications cannot be challenged.  Usages
   utilizing indications must either use a short-term credential or omit
   authentication and message integrity for them.

   Since the long-term credential mechanism is susceptible to offline
   dictionary attacks, deployments SHOULD utilize passwords that are
   difficult to guess.  In cases where the credentials are not entered
   by the user, but are rather placed on a client device during device
   provisioning, the password SHOULD have at least 128 bits of
   randomness.  In cases where the credentials are entered by the user,
   they should follow best current practices around password structure.

10.2.1.  Forming a Request

   There are two cases when forming a request.  In the first case, this
   is the first request from the client to the server (as identified by
   its IP address and port).  In the second case, the client is
   submitting a subsequent request once a previous request/response
   transaction has completed successfully.  Forming a request as a
   consequence of a 401 or 438 error response is covered in
   Section 10.2.3 and is not considered a "subsequent request" and thus
   does not utilize the rules described in Section 10.2.1.2.

10.2.1.1.  First Request

   If the client has not completed a successful request/response
   transaction with the server (as identified by hostname, if the DNS
   procedures of Section 9 are used, else IP address if not), it SHOULD
   omit the USERNAME, MESSAGE-INTEGRITY, REALM, and NONCE attributes.
   In other words, the very first request is sent as if there were no
   authentication or message integrity applied.

Top      Up      ToC       Page 26 
10.2.1.2.  Subsequent Requests

   Once a request/response transaction has completed successfully, the
   client will have been presented a realm and nonce by the server, and
   selected a username and password with which it authenticated.  The
   client SHOULD cache the username, password, realm, and nonce for
   subsequent communications with the server.  When the client sends a
   subsequent request, it SHOULD include the USERNAME, REALM, and NONCE
   attributes with these cached values.  It SHOULD include a MESSAGE-
   INTEGRITY attribute, computed as described in Section 15.4 using the
   cached password.

10.2.2.  Receiving a Request

   After the server has done the basic processing of a request, it
   performs the checks listed below in the order specified:

   o  If the message does not contain a MESSAGE-INTEGRITY attribute, the
      server MUST generate an error response with an error code of 401
      (Unauthorized).  This response MUST include a REALM value.  It is
      RECOMMENDED that the REALM value be the domain name of the
      provider of the STUN server.  The response MUST include a NONCE,
      selected by the server.  The response SHOULD NOT contain a
      USERNAME or MESSAGE-INTEGRITY attribute.

   o  If the message contains a MESSAGE-INTEGRITY attribute, but is
      missing the USERNAME, REALM, or NONCE attribute, the server MUST
      generate an error response with an error code of 400 (Bad
      Request).  This response SHOULD NOT include a USERNAME, NONCE,
      REALM, or MESSAGE-INTEGRITY attribute.

   o  If the NONCE is no longer valid, the server MUST generate an error
      response with an error code of 438 (Stale Nonce).  This response
      MUST include NONCE and REALM attributes and SHOULD NOT include the
      USERNAME or MESSAGE-INTEGRITY attribute.  Servers can invalidate
      nonces in order to provide additional security.  See Section 4.3
      of [RFC2617] for guidelines.

   o  If the username in the USERNAME attribute is not valid, the server
      MUST generate an error response with an error code of 401
      (Unauthorized).  This response MUST include a REALM value.  It is
      RECOMMENDED that the REALM value be the domain name of the
      provider of the STUN server.  The response MUST include a NONCE,
      selected by the server.  The response SHOULD NOT contain a
      USERNAME or MESSAGE-INTEGRITY attribute.

Top      Up      ToC       Page 27 
   o  Using the password associated with the username in the USERNAME
      attribute, compute the value for the message integrity as
      described in Section 15.4.  If the resulting value does not match
      the contents of the MESSAGE-INTEGRITY attribute, the server MUST
      reject the request with an error response.  This response MUST use
      an error code of 401 (Unauthorized).  It MUST include REALM and
      NONCE attributes and SHOULD NOT include the USERNAME or MESSAGE-
      INTEGRITY attribute.

   If these checks pass, the server continues to process the request.
   Any response generated by the server (excepting the cases described
   above) MUST include the MESSAGE-INTEGRITY attribute, computed using
   the username and password utilized to authenticate the request.  The
   REALM, NONCE, and USERNAME attributes SHOULD NOT be included.

10.2.3.  Receiving a Response

   If the response is an error response with an error code of 401
   (Unauthorized), the client SHOULD retry the request with a new
   transaction.  This request MUST contain a USERNAME, determined by the
   client as the appropriate username for the REALM from the error
   response.  The request MUST contain the REALM, copied from the error
   response.  The request MUST contain the NONCE, copied from the error
   response.  The request MUST contain the MESSAGE-INTEGRITY attribute,
   computed using the password associated with the username in the
   USERNAME attribute.  The client MUST NOT perform this retry if it is
   not changing the USERNAME or REALM or its associated password, from
   the previous attempt.

   If the response is an error response with an error code of 438 (Stale
   Nonce), the client MUST retry the request, using the new NONCE
   supplied in the 438 (Stale Nonce) response.  This retry MUST also
   include the USERNAME, REALM, and MESSAGE-INTEGRITY.

   The client looks for the MESSAGE-INTEGRITY attribute in the response
   (either success or failure).  If present, the client computes the
   message integrity over the response as defined in Section 15.4, using
   the same password it utilized for the request.  If the resulting
   value matches the contents of the MESSAGE-INTEGRITY attribute, the
   response is considered authenticated.  If the value does not match,
   or if MESSAGE-INTEGRITY was absent, the response MUST be discarded,
   as if it was never received.  This means that retransmits, if
   applicable, will continue.

Top      Up      ToC       Page 28 
11.  ALTERNATE-SERVER Mechanism

   This section describes a mechanism in STUN that allows a server to
   redirect a client to another server.  This extension is optional, and
   a usage must define if and when this extension is used.

   A server using this extension redirects a client to another server by
   replying to a request message with an error response message with an
   error code of 300 (Try Alternate).  The server MUST include an
   ALTERNATE-SERVER attribute in the error response.  The error response
   message MAY be authenticated; however, there are uses cases for
   ALTERNATE-SERVER where authentication of the response is not possible
   or practical.

   A client using this extension handles a 300 (Try Alternate) error
   code as follows.  The client looks for an ALTERNATE-SERVER attribute
   in the error response.  If one is found, then the client considers
   the current transaction as failed, and reattempts the request with
   the server specified in the attribute, using the same transport
   protocol used for the previous request.  That request, if
   authenticated, MUST utilize the same credentials that the client
   would have used in the request to the server that performed the
   redirection.  If the client has been redirected to a server on which
   it has already tried this request within the last five minutes, it
   MUST ignore the redirection and consider the transaction to have
   failed.  This prevents infinite ping-ponging between servers in case
   of redirection loops.

12.  Backwards Compatibility with RFC 3489

   This section defines procedures that allow a degree of backwards
   compatibility with the original protocol defined in RFC 3489
   [RFC3489].  This mechanism is optional, meant to be utilized only in
   cases where a new client can connect to an old server, or vice versa.
   A usage must define if and when this procedure is used.

   Section 19 lists all the changes between this specification and RFC
   3489 [RFC3489].  However, not all of these differences are important,
   because "classic STUN" was only used in a few specific ways.  For the
   purposes of this extension, the important changes are the following.
   In RFC 3489:

   o  UDP was the only supported transport.

   o  The field that is now the magic cookie field was a part of the
      transaction ID field, and transaction IDs were 128 bits long.

Top      Up      ToC       Page 29 
   o  The XOR-MAPPED-ADDRESS attribute did not exist, and the Binding
      method used the MAPPED-ADDRESS attribute instead.

   o  There were three comprehension-required attributes, RESPONSE-
      ADDRESS, CHANGE-REQUEST, and CHANGED-ADDRESS, that have been
      removed from this specification.

      *  CHANGE-REQUEST and CHANGED-ADDRESS are now part of the NAT
         Behavior Discovery usage [BEHAVE-NAT], and the other is
         deprecated.

12.1.  Changes to Client Processing

   A client that wants to interoperate with an [RFC3489] server SHOULD
   send a request message that uses the Binding method, contains no
   attributes, and uses UDP as the transport protocol to the server.  If
   successful, the success response received from the server will
   contain a MAPPED-ADDRESS attribute rather than an XOR-MAPPED-ADDRESS
   attribute.  A client seeking to interoperate with an older server
   MUST be prepared to receive either.  Furthermore, the client MUST
   ignore any Reserved comprehension-required attributes that might
   appear in the response.  Of the Reserved attributes in Section 18.2,
   0x0002, 0x0004, 0x0005, and 0x000B may appear in Binding responses
   from a server compliant to RFC 3489.  Other than this change, the
   processing of the response is identical to the procedures described
   above.

12.2.  Changes to Server Processing

   A STUN server can detect when a given Binding request message was
   sent from an RFC 3489 [RFC3489] client by the absence of the correct
   value in the magic cookie field.  When the server detects an RFC 3489
   client, it SHOULD copy the value seen in the magic cookie field in
   the Binding request to the magic cookie field in the Binding response
   message, and insert a MAPPED-ADDRESS attribute instead of an XOR-
   MAPPED-ADDRESS attribute.

   The client might, in rare situations, include either the RESPONSE-
   ADDRESS or CHANGE-REQUEST attributes.  In these situations, the
   server will view these as unknown comprehension-required attributes
   and reply with an error response.  Since the mechanisms utilizing
   those attributes are no longer supported, this behavior is
   acceptable.

   The RFC 3489 version of STUN lacks both the magic cookie and the
   FINGERPRINT attribute that allows for a very high probability of
   correctly identifying STUN messages when multiplexed with other
   protocols.  Therefore, STUN implementations that are backwards

Top      Up      ToC       Page 30 
   compatible with RFC 3489 SHOULD NOT be used in cases where STUN will
   be multiplexed with another protocol.  However, that should not be an
   issue as such multiplexing was not available in RFC 3489.

13.  Basic Server Behavior

   This section defines the behavior of a basic, stand-alone STUN
   server.  A basic STUN server provides clients with server reflexive
   transport addresses by receiving and replying to STUN Binding
   requests.

   The STUN server MUST support the Binding method.  It SHOULD NOT
   utilize the short-term or long-term credential mechanism.  This is
   because the work involved in authenticating the request is more than
   the work in simply processing it.  It SHOULD NOT utilize the
   ALTERNATE-SERVER mechanism for the same reason.  It MUST support UDP
   and TCP.  It MAY support STUN over TCP/TLS; however, TLS provides
   minimal security benefits in this basic mode of operation.  It MAY
   utilize the FINGERPRINT mechanism but MUST NOT require it.  Since the
   stand-alone server only runs STUN, FINGERPRINT provides no benefit.
   Requiring it would break compatibility with RFC 3489, and such
   compatibility is desirable in a stand-alone server.  Stand-alone STUN
   servers SHOULD support backwards compatibility with [RFC3489]
   clients, as described in Section 12.

   It is RECOMMENDED that administrators of STUN servers provide DNS
   entries for those servers as described in Section 9.

   A basic STUN server is not a solution for NAT traversal by itself.
   However, it can be utilized as part of a solution through STUN
   usages.  This is discussed further in Section 14.

14.  STUN Usages

   STUN by itself is not a solution to the NAT traversal problem.
   Rather, STUN defines a tool that can be used inside a larger
   solution.  The term "STUN usage" is used for any solution that uses
   STUN as a component.

   At the time of writing, three STUN usages are defined: Interactive
   Connectivity Establishment (ICE) [MMUSIC-ICE], Client-initiated
   connections for SIP [SIP-OUTBOUND], and NAT Behavior Discovery
   [BEHAVE-NAT].  Other STUN usages may be defined in the future.

   A STUN usage defines how STUN is actually utilized -- when to send
   requests, what to do with the responses, and which optional
   procedures defined here (or in an extension to STUN) are to be used.
   A usage would also define:

Top      Up      ToC       Page 31 
   o  Which STUN methods are used.

   o  What authentication and message-integrity mechanisms are used.

   o  The considerations around manual vs. automatic key derivation for
      the integrity mechanism, as discussed in [RFC4107].

   o  What mechanisms are used to distinguish STUN messages from other
      messages.  When STUN is run over TCP, a framing mechanism may be
      required.

   o  How a STUN client determines the IP address and port of the STUN
      server.

   o  Whether backwards compatibility to RFC 3489 is required.

   o  What optional attributes defined here (such as FINGERPRINT and
      ALTERNATE-SERVER) or in other extensions are required.

   In addition, any STUN usage must consider the security implications
   of using STUN in that usage.  A number of attacks against STUN are
   known (see the Security Considerations section in this document), and
   any usage must consider how these attacks can be thwarted or
   mitigated.

   Finally, a usage must consider whether its usage of STUN is an
   example of the Unilateral Self-Address Fixing approach to NAT
   traversal, and if so, address the questions raised in RFC 3424
   [RFC3424].



(page 31 continued on part 3)

Next RFC Part