idnits 2.17.1 draft-ietf-behave-rfc3489bis-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1.a on line 21. -- Found old boilerplate from RFC 3978, Section 5.5 on line 2103. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 2080. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 2087. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 2093. ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure Acknowledgement. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. ** The document uses RFC 3667 boilerplate or RFC 3978-like boilerplate instead of verbatim RFC 3978 boilerplate. After 6 May 2005, submission of drafts without verbatim RFC 3978 boilerplate is not accepted. The following non-3978 patterns matched text found in the document. That text should be removed or replaced: This document is an Internet-Draft and is subject to all provisions of Section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 21, 2005) is 7002 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2246 (ref. '2') (Obsoleted by RFC 4346) ** Obsolete normative reference: RFC 3268 (ref. '4') (Obsoleted by RFC 5246) ** Obsolete normative reference: RFC 2818 (ref. '5') (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 1510 (ref. '14') (Obsoleted by RFC 4120, RFC 6649) -- Obsolete informational reference (is this intentional?): RFC 2616 (ref. '15') (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) -- Obsolete informational reference (is this intentional?): RFC 3489 (ref. '19') (Obsoleted by RFC 5389) -- Obsolete informational reference (is this intentional?): RFC 2327 (ref. '20') (Obsoleted by RFC 4566) == Outdated reference: A later version (-19) exists of draft-ietf-mmusic-ice-03 Summary: 8 errors (**), 0 flaws (~~), 4 warnings (==), 11 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 BEHAVE J. Rosenberg 3 Internet-Draft Cisco Systems 4 Expires: August 22, 2005 C. Huitema 5 Microsoft 6 R. Mahy 7 Airspace 8 February 21, 2005 10 Simple Traversal of UDP Through Network Address Translators (NAT) 11 (STUN) 12 draft-ietf-behave-rfc3489bis-01 14 Status of this Memo 16 This document is an Internet-Draft and is subject to all provisions 17 of section 3 of RFC 3667. By submitting this Internet-Draft, each 18 author represents that any applicable patent or other IPR claims of 19 which he or she is aware have been or will be disclosed, and any of 20 which he or she become aware will be disclosed, in accordance with 21 RFC 3668. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF), its areas, and its working groups. Note that 25 other groups may also distribute working documents as 26 Internet-Drafts. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 The list of current Internet-Drafts can be accessed at 34 http://www.ietf.org/ietf/1id-abstracts.txt. 36 The list of Internet-Draft Shadow Directories can be accessed at 37 http://www.ietf.org/shadow.html. 39 This Internet-Draft will expire on August 22, 2005. 41 Copyright Notice 43 Copyright (C) The Internet Society (2005). 45 Abstract 47 Simple Traversal of UDP Through NATs (STUN) is a lightweight protocol 48 that provides the ability for applications to determine the public IP 49 addresses allocated to them by the NAT. These addresses can be 50 placed into protocol payloads where a client needs to provide a 51 publically routable IP address. STUN works with many existing NATs, 52 and does not require any special behavior from them. As a result, it 53 allows a wide variety of applications to work through existing NAT 54 infrastructure. 56 Table of Contents 58 1. Applicability Statement . . . . . . . . . . . . . . . . . . . 4 59 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 60 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 61 4. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5 62 5. NAT Variations . . . . . . . . . . . . . . . . . . . . . . . . 6 63 6. Overview of Operation . . . . . . . . . . . . . . . . . . . . 6 64 7. Message Overview . . . . . . . . . . . . . . . . . . . . . . . 9 65 8. Server Behavior . . . . . . . . . . . . . . . . . . . . . . . 10 66 8.1 Binding Requests . . . . . . . . . . . . . . . . . . . . . 10 67 8.2 Shared Secret Requests . . . . . . . . . . . . . . . . . . 14 68 9. Client Behavior . . . . . . . . . . . . . . . . . . . . . . . 16 69 9.1 Discovery . . . . . . . . . . . . . . . . . . . . . . . . 16 70 9.2 Obtaining a Shared Secret . . . . . . . . . . . . . . . . 17 71 9.3 Formulating the Binding Request . . . . . . . . . . . . . 18 72 9.4 Processing Binding Responses . . . . . . . . . . . . . . . 19 73 9.5 Using the Mapped Address . . . . . . . . . . . . . . . . . 21 74 10. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 22 75 10.1 Message Header . . . . . . . . . . . . . . . . . . . . . . 22 76 10.2 Message Attributes . . . . . . . . . . . . . . . . . . . . 23 77 10.2.1 MAPPED-ADDRESS . . . . . . . . . . . . . . . . . . . . 25 78 10.2.2 RESPONSE-ADDRESS . . . . . . . . . . . . . . . . . . . 26 79 10.2.3 CHANGED-ADDRESS . . . . . . . . . . . . . . . . . . . 26 80 10.2.4 CHANGE-REQUEST . . . . . . . . . . . . . . . . . . . . 26 81 10.2.5 SOURCE-ADDRESS . . . . . . . . . . . . . . . . . . . . 26 82 10.2.6 USERNAME . . . . . . . . . . . . . . . . . . . . . . . 27 83 10.2.7 PASSWORD . . . . . . . . . . . . . . . . . . . . . . . 27 84 10.2.8 MESSAGE-INTEGRITY . . . . . . . . . . . . . . . . . . 27 85 10.2.9 ERROR-CODE . . . . . . . . . . . . . . . . . . . . . . 27 86 10.2.10 UNKNOWN-ATTRIBUTES . . . . . . . . . . . . . . . . . 29 87 10.2.11 REFLECTED-FROM . . . . . . . . . . . . . . . . . . . 29 88 10.2.12 XOR-MAPPED-ADDRESS . . . . . . . . . . . . . . . . . 29 89 10.2.13 XOR-ONLY . . . . . . . . . . . . . . . . . . . . . . 30 90 10.2.14 SERVER . . . . . . . . . . . . . . . . . . . . . . . 30 91 11. Security Considerations . . . . . . . . . . . . . . . . . . 31 92 11.1 Attacks on STUN . . . . . . . . . . . . . . . . . . . . . 31 93 11.1.1 Attack I: DDOS Against a Target . . . . . . . . . . . 31 94 11.1.2 Attack II: Silencing a Client . . . . . . . . . . . . 31 95 11.1.3 Attack III: Assuming the Identity of a Client . . . . 32 96 11.1.4 Attack IV: Eavesdropping . . . . . . . . . . . . . . . 32 97 11.2 Launching the Attacks . . . . . . . . . . . . . . . . . . 32 98 11.2.1 Approach I: Compromise a Legitimate STUN Server . . . 33 99 11.2.2 Approach II: DNS Attacks . . . . . . . . . . . . . . . 33 100 11.2.3 Approach III: Rogue Router or NAT . . . . . . . . . . 33 101 11.2.4 Approach IV: MITM . . . . . . . . . . . . . . . . . . 34 102 11.2.5 Approach V: Response Injection Plus DoS . . . . . . . 34 103 11.2.6 Approach VI: Duplication . . . . . . . . . . . . . . . 34 104 11.3 Countermeasures . . . . . . . . . . . . . . . . . . . . . 35 105 11.4 Residual Threats . . . . . . . . . . . . . . . . . . . . . 37 106 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . 37 107 13. IAB Considerations . . . . . . . . . . . . . . . . . . . . . 37 108 13.1 Problem Definition . . . . . . . . . . . . . . . . . . . . 37 109 13.2 Exit Strategy . . . . . . . . . . . . . . . . . . . . . . 38 110 13.3 Brittleness Introduced by STUN . . . . . . . . . . . . . . 38 111 13.4 Requirements for a Long Term Solution . . . . . . . . . . 40 112 13.5 Issues with Existing NAPT Boxes . . . . . . . . . . . . . 41 113 13.6 In Closing . . . . . . . . . . . . . . . . . . . . . . . . 42 114 14. Changes Since RFC 3489 . . . . . . . . . . . . . . . . . . . 42 115 15. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 43 116 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 117 16.1 Normative References . . . . . . . . . . . . . . . . . . . . 43 118 16.2 Informative References . . . . . . . . . . . . . . . . . . . 43 119 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 45 120 Intellectual Property and Copyright Statements . . . . . . . . 46 122 1. Applicability Statement 124 This protocol is not a cure-all for the problems associated with NAT. 125 It does not enable incoming TCP connections through NAT. It allows 126 incoming UDP packets through NAT, but only through a subset of 127 existing NAT types. In particular, STUN does not enable incoming UDP 128 packets through symmetric NATs (defined below), which are common in 129 large enterprises. STUN does not work when it is used to obtain an 130 address to communicate with a peer which happens to be behind the 131 same NAT. STUN does not work when the STUN server is not in a common 132 shared address realm. For a more complete discussion of the 133 limitations of STUN, see Section 13. 135 2. Introduction 137 Network Address Translators (NATs), while providing many benefits, 138 also come with many drawbacks. The most troublesome of those 139 drawbacks is the fact that they break many existing IP applications, 140 and make it difficult to deploy new ones. Guidelines have been 141 developed [8] that describe how to build "NAT friendly" protocols, 142 but many protocols simply cannot be constructed according to those 143 guidelines. Examples of such protocols include almost all peer-to- 144 peer protocols, such as multimedia communications, file sharing and 145 games. 147 To combat this problem, Application Layer Gateways (ALGs) have been 148 embedded in NATs. ALGs perform the application layer functions 149 required for a particular protocol to traverse a NAT. Typically, 150 this involves rewriting application layer messages to contain 151 translated addresses, rather than the ones inserted by the sender of 152 the message. ALGs have serious limitations, including scalability, 153 reliability, and speed of deploying new applications. To resolve 154 these problems, the Middlebox Communications (MIDCOM) protocol is 155 being developed [9]. MIDCOM allows an application entity, such as an 156 end client or network server of some sort (like a Session Initiation 157 Protocol (SIP) proxy [10]) to control a NAT (or firewall), in order 158 to obtain NAT bindings and open or close pinholes. In this way, NATs 159 and applications can be separated once more, eliminating the need for 160 embedding ALGs in NATs, and resolving the limitations imposed by 161 current architectures. 163 Unfortunately, MIDCOM requires upgrades to existing NAT and 164 firewalls, in addition to application components. Complete upgrades 165 of these NAT and firewall products will take a long time, potentially 166 years. This is due, in part, to the fact that the deployers of NAT 167 and firewalls are not the same people who are deploying and using 168 applications. As a result, the incentive to upgrade these devices 169 will be low in many cases. Consider, for example, an airport 170 Internet lounge that provides access with a NAT. A user connecting 171 to the NATed network may wish to use a peer-to-peer service, but 172 cannot, because the NAT doesn't support it. Since the administrators 173 of the lounge are not the ones providing the service, they are not 174 motivated to upgrade their NAT equipment to support it, using either 175 an ALG, or MIDCOM. 177 Another problem is that the MIDCOM protocol requires that the agent 178 controlling the middleboxes know the identity of those middleboxes, 179 and have a relationship with them which permits control. In many 180 configurations, this will not be possible. For example, many cable 181 access providers use NAT in front of their entire access network. 182 This NAT could be in addition to a residential NAT purchased and 183 operated by the end user. The end user will probably not have a 184 control relationship with the NAT in the cable access network, and 185 may not even know of its existence. 187 Many existing proprietary protocols, such as those for online games 188 (such as the games described in RFC 3027 [11]) and Voice over IP, 189 have developed tricks that allow them to operate through NATs without 190 changing those NATs. This document is an attempt to take some of 191 those ideas, and codify them into an interoperable protocol that can 192 meet the needs of many applications. 194 The protocol described here, Simple Traversal of UDP Through NAT 195 (STUN), allows entities behind a NAT to learn the address bindings 196 allocated by the NAT. STUN requires no changes to NATs, and works 197 with an arbitrary number of NATs in tandem between the application 198 entity and the public Internet. 200 3. Terminology 202 In this document, the key words "MUST", "MUST NOT", "REQUIRED", 203 "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", 204 and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119 205 [1] and indicate requirement levels for compliant STUN 206 implementations. 208 4. Definitions 210 STUN Client: A STUN client (also just referred to as a client) is an 211 entity that generates STUN requests. A STUN client can execute on 212 an end system, such as a user's PC, or can run in a network 213 element, such as a conferencing server. 215 STUN Server: A STUN Server (also just referred to as a server) is an 216 entity that receives STUN requests, and sends STUN responses. 217 STUN servers are generally attached to the public Internet. 219 5. NAT Variations 221 It is assumed that the reader is familiar with NATs. It has been 222 observed that NAT treatment of UDP varies among implementations. The 223 four treatments observed in implementations are: 225 Full Cone: A full cone NAT is one where all requests from the same 226 internal IP address and port are mapped to the same external IP 227 address and port. Furthermore, any external host can send a 228 packet to the internal host, by sending a packet to the mapped 229 external address. 231 Restricted Cone: A restricted cone NAT is one where all requests from 232 the same internal IP address and port are mapped to the same 233 external IP address and port. Unlike a full cone NAT, an external 234 host (with IP address X) can send a packet to the internal host 235 only if the internal host had previously sent a packet to IP 236 address X. 238 Port Restricted Cone: A port restricted cone NAT is like a restricted 239 cone NAT, but the restriction includes port numbers. 240 Specifically, an external host can send a packet, with source IP 241 address X and source port P, to the internal host only if the 242 internal host had previously sent a packet to IP address X and 243 port P. 245 Symmetric: A symmetric NAT is one where all requests from the same 246 internal IP address and port, to a specific destination IP address 247 and port, are mapped to the same external IP address and port. If 248 the same host sends a packet with the same source address and 249 port, but to a different destination, a different mapping is used. 250 Furthermore, only the external host that receives a packet can 251 send a UDP packet back to the internal host. 253 6. Overview of Operation 255 This section is descriptive only. Normative behavior is described in 256 Section 8 and Section 9. 258 /-----\ 259 // STUN \\ 260 | Server | 261 \\ // 262 \-----/ 264 +--------------+ Public Internet 265 ................| NAT 2 |....................... 266 +--------------+ 268 +--------------+ Private NET 2 269 ................| NAT 1 |....................... 270 +--------------+ 272 /-----\ 273 // STUN \\ 274 | Client | 275 \\ // Private NET 1 276 \-----/ 278 Figure 1 280 The typical STUN configuration is shown in Figure 1. A STUN client 281 is connected to private network 1. This network connects to private 282 network 2 through NAT 1. Private network 2 connects to the public 283 Internet through NAT 2. The STUN server resides on the public 284 Internet. 286 STUN is a simple client-server protocol. A client sends a request to 287 a server, and the server returns a response. There are two types of 288 requests - Binding Requests, sent over UDP, and Shared Secret 289 Requests, sent over TLS [2] over TCP. Shared Secret Requests ask the 290 server to return a temporary username and password. This username 291 and password are used in a subsequent Binding Request and Binding 292 Response, for the purposes of authentication and message integrity. 294 Binding requests are used to determine the bindings allocated by 295 NATs. The client sends a Binding Request to the server, over UDP. 296 The server examines the source IP address and port of the request, 297 and copies them into a response that is sent back to the client. 298 There are some parameters in the request that allow the client to ask 299 that the response be sent elsewhere, or that the server send the 300 response from a different address and port. The flags allow for STUN 301 to be used in diagnostic applications. There are attributes for 302 providing message integrity and authentication. 304 The STUN client is typically embedded in an application which needs 305 to obtain a public IP address and port that can be used to receive 306 data. For example, it might need to obtain an IP address and port to 307 receive Real Time Transport Protocol (RTP) [12] traffic. When the 308 application starts, the STUN client within the application sends a 309 STUN Shared Secret Request to its server, obtains a username and 310 password, and then sends it a Binding Request. STUN servers can be 311 discovered through DNS SRV records [3], and it is generally assumed 312 that the client is configured with the domain to use to find the STUN 313 server. Generally, this will be the domain of the provider of the 314 service the application is using (such a provider is incented to 315 deploy STUN servers in order to allow its customers to use its 316 application through NAT). Of course, a client can determine the 317 address or domain name of a STUN server through other means. A STUN 318 server can even be embedded within an end system. 320 The STUN Binding Request is used to discover the public IP address 321 and port mappings generated by the NAT. Binding Requests are sent to 322 the STUN server using UDP. When a Binding Request arrives at the 323 STUN server, it may have passed through one or more NATs between the 324 STUN client and the STUN server. As a result, the source address of 325 the request received by the server will be the mapped address created 326 by the NAT closest to the server. The STUN server copies that source 327 IP address and port into a STUN Binding Response, and sends it back 328 to the source IP address and port of the STUN request. For all of 329 the NAT types above, this response will arrive at the STUN client. 331 When the STUN client receives the STUN Binding Response, it compares 332 the IP address and port in the packet with the local IP address and 333 port it bound to when the request was sent. If these do not match, 334 the STUN client is behind one or more NATs. The IP address and port 335 in the body of the STUN response are public, and can be used by any 336 host on the public Internet to send packets to the application that 337 sent the STUN request. An application need only listen on the IP 338 address and port from which the STUN request was sent. Packets sent 339 by a host on the public Internet to the public address and port 340 learned by STUN will be received by the application, so long as 341 conditions permit. The conditions in which these packets will not be 342 received by the client are described in Section 1. 344 It should be noted that the configuration in Figure 1 is not the only 345 permissible configuration. The STUN server can be located anywhere, 346 including within another client. The only requirement is that the 347 STUN server is reachable by the client, and if the client is trying 348 to obtain a publicly routable address, that the server reside on the 349 public Internet. 351 7. Message Overview 353 STUN messages are TLV (type-length-value) encoded using big endian 354 (network ordered) binary. All STUN messages start with a STUN 355 header, followed by a STUN payload. The payload is a series of STUN 356 attributes, the set of which depends on the message type. The STUN 357 header contains a STUN message type, transaction ID, and length. The 358 message type can be Binding Request, Binding Response, Binding Error 359 Response, Shared Secret Request, Shared Secret Response, or Shared 360 Secret Error Response. The transaction ID is used to correlate 361 requests and responses. The length indicates the total length of the 362 STUN payload, not including the header. This allows STUN to run over 363 TCP. Shared Secret Requests are always sent over TCP (indeed, using 364 TLS over TCP). 366 Several STUN attributes are defined. The first is a MAPPED-ADDRESS 367 attribute, which is an IP address and port. It is always placed in 368 the Binding Response, and it indicates the source IP address and port 369 the server saw in the Binding Request. There is also a RESPONSE- 370 ADDRESS attribute, which contains an IP address and port. The 371 RESPONSE-ADDRESS attribute can be present in the Binding Request, and 372 indicates where the Binding Response is to be sent. It's optional, 373 and when not present, the Binding Response is sent to the source IP 374 address and port of the Binding Request. 376 The third attribute is the CHANGE-REQUEST attribute, and it contains 377 two flags to control the IP address and port used to send the 378 response. These flags are called "change IP" and "change port" 379 flags. The CHANGE-REQUEST attribute is allowed only in the Binding 380 Request. They instruct the server to send the Binding Responses from 381 a different source IP address and port. The CHANGE-REQUEST attribute 382 is optional in the Binding Request. 384 The fourth attribute is the CHANGED-ADDRESS attribute. It is present 385 in Binding Responses. It informs the client of the source IP address 386 and port that would be used if the client requested the "change IP" 387 and "change port" behavior. 389 The fifth attribute is the SOURCE-ADDRESS attribute. It is only 390 present in Binding Responses. It indicates the source IP address and 391 port where the response was sent from. 393 The RESPONSE-ADDRESS, CHANGE-REQUEST, CHANGED-ADDRESS and 394 SOURCE-ADDRESS attributes are primarily useful for diagnostic 395 applications that use STUN in order to determine information about 396 the type of NAT. The usage of these attributes for such purposes is 397 outside the scope of this specification. 399 The sixth attribute is the USERNAME attribute. It is present in a 400 Shared Secret Response, which provides the client with a temporary 401 username and password (encoded in the PASSWORD attribute). The 402 USERNAME is also present in Binding Requests, serving as an index to 403 the shared secret used for the integrity protection of the Binding 404 Request. The seventh attribute, PASSWORD, is only found in Shared 405 Secret Response messages. The eight attribute is the MESSAGE- 406 INTEGRITY attribute, which contains a message integrity check over 407 the Binding Request or Binding Response. 409 The ninth attribute is the ERROR-CODE attribute. This is present in 410 the Binding Error Response and Shared Secret Error Response. It 411 indicates the error that has occurred. The tenth attribute is the 412 UNKNOWN-ATTRIBUTES attribute, which is present in either the Binding 413 Error Response or Shared Secret Error Response. It indicates the 414 mandatory attributes from the request which were unknown. The 415 eleventh attribute is the REFLECTED-FROM attribute, which is present 416 in Binding Responses. It indicates the IP address and port of the 417 sender of a Binding Request, used for traceability purposes to 418 prevent certain denial-of-service attacks. 420 The twelfth attribute is XOR-MAPPED-ADDRESS. Like MAPPED-ADDRESS, it 421 is present in the Binding Response, and tells the client the source 422 IP address and port where the Binding Request came from. However, it 423 is encoded using an Exclusive Or (XOR) operation with the transaction 424 ID. Some NAT devices have been found to rewrite binary encoded IP 425 addresses present in protocol PDUs. Such behavior interferes with 426 the operation of STUN. Clients use XOR-MAPPED-ADDRESS instead of 427 MAPPED-ADDRESS whenever both are present in a Binding Response. 428 Using XOR-MAPPED-ADDRESS protects the client from such interfering 429 NAT devices. 431 The last attribute is XOR-ONLY. It can be present in the Binding 432 Request. It tells the server to only send a XOR-MAPPED-ADDRESS in 433 the Binding Response. 435 8. Server Behavior 437 The server behavior depends on whether the request is a Binding 438 Request or a Shared Secret Request. 440 8.1 Binding Requests 442 A STUN server MUST be prepared to receive Binding Requests on four 443 address/port combinations - (A1, P1), (A2, P1), (A1, P2), and (A2, 444 P2). (A1, P1) represent the primary address and port, and these are 445 the ones obtained through the client discovery procedures below. 446 Typically, P1 will be port 3478, the default STUN port. A2 and P2 447 are arbitrary. A2 and P2 are advertised by the server through the 448 CHANGED-ADDRESS attribute, as described below. 450 OPEN ISSUE: Experience has shown that the usage of a dynamic port 451 for P2 has been problematic. This is because firewall 452 administrators have opened up port 3478 to permit STUN, but 453 disallowed the dynamic port used by the server. This causes the 454 diagnostic techniques to fail. This can be fixed through 455 allocation of a second port number from IANA. Does that belong in 456 this specification or in the diagnostic specification? I think it 457 has to go here. 459 It is RECOMMENDED that the server check the Binding Request for a 460 MESSAGE-INTEGRITY attribute. If not present, and the server requires 461 integrity checks on the request, it generates a Binding Error 462 Response with an ERROR-CODE attribute with response code 401. If the 463 MESSAGE-INTEGRITY attribute was present, the server computes the HMAC 464 over the request as described in Section 10.2.8. The key to use 465 depends on the shared secret mechanism. If the STUN Shared Secret 466 Request was used, the key MUST be the one associated with the 467 USERNAME attribute present in the request. If the USERNAME attribute 468 was not present, the server MUST generate a Binding Error Response. 469 The Binding Error Response MUST include an ERROR-CODE attribute with 470 response code 432. If the USERNAME is present, but the server 471 doesn't remember the shared secret for that USERNAME (because it 472 timed out, for example), the server MUST generate a Binding Error 473 Response. The Binding Error Response MUST include an ERROR-CODE 474 attribute with response code 430. If the server does know the shared 475 secret, but the computed HMAC differs from the one in the request, 476 the server MUST generate a Binding Error Response with an ERROR-CODE 477 attribute with response code 431. The Binding Error Response is sent 478 to the IP address and port the Binding Request came from, and sent 479 from the IP address and port the Binding Request was sent to. 481 Assuming the message integrity check passed, processing continues. 482 The server MUST check for any attributes in the request with values 483 less than or equal to 0x7fff which it does not understand. If it 484 encounters any, the server MUST generate a Binding Error Response, 485 and it MUST include an ERROR-CODE attribute with a 420 response code. 487 That response MUST contain an UNKNOWN-ATTRIBUTES attribute listing 488 the attributes with values less than or equal to 0x7fff which were 489 not understood. The Binding Error Response is sent to the IP address 490 and port the Binding Request came from, and sent from the IP address 491 and port the Binding Request was sent to. 493 Assuming the request was correctly formed, the server MUST generate a 494 single Binding Response. The Binding Response MUST contain the same 495 transaction ID contained in the Binding Request. The length in the 496 message header MUST contain the total length of the message in bytes, 497 excluding the header. The Binding Response MUST have a message type 498 of "Binding Response". 500 If the XOR-ONLY attribute was not present in the request, the server 501 MUST add a MAPPED-ADDRESS attribute to the Binding Response. The IP 502 address component of this attribute MUST be set to the source IP 503 address observed in the Binding Request. The port component of this 504 attribute MUST be set to the source port observed in the Binding 505 Request. If the XOR-ONLY attribute was present in the request, the 506 server MUST NOT include the MAPPED-ADDRESS attribute in the Binding 507 Response. 509 The server MUST add a XOR-MAPPED-ADDRESS attribute to the Binding 510 Response. This attribute has the same information content as 511 MAPPED-ADDRESS (in particular, it conveys the IP address and port 512 observed in the source IP and source port fields of the STUN 513 request), but is encoded by performing an XOR operation between the 514 transaction ID and the IP address and port. The details on the 515 encoding can be found in Section 10.2.12. 517 The server SHOULD add a SERVER attribute to any Binding Response or 518 Binding Error Response it generates, and its value SHOULD indicate 519 the manufacturer of the software and a software version or build 520 number. 522 If the RESPONSE-ADDRESS attribute was absent from the Binding 523 Request, the destination address and port of the Binding Response 524 MUST be the same as the source address and port of the Binding 525 Request. Otherwise, the destination address and port of the Binding 526 Response MUST be the value of the IP address and port in the 527 RESPONSE-ADDRESS attribute. 529 The source address and port of the Binding Response depend on the 530 value of the CHANGE-REQUEST attribute and on the address and port the 531 Binding Request was received on, and are summarized in Table 1. 533 Let Da represent the destination IP address of the Binding Request 534 (which will be either A1 or A2), and Dp represent the destination 535 port of the Binding Request (which will be either P1 or P2). Let Ca 536 represent the other address, so that if Da is A1, Ca is A2. If Da is 537 A2, Ca is A1. Similarly, let Cp represent the other port, so that if 538 Dp is P1, Cp is P2. If Dp is P2, Cp is P1. If the "change port" 539 flag was set in CHANGE-REQUEST attribute of the Binding Request, and 540 the "change IP" flag was not set, the source IP address of the 541 Binding Response MUST be Da and the source port of the Binding 542 Response MUST be Cp. If the "change IP" flag was set in the Binding 543 Request, and the "change port" flag was not set, the source IP 544 address of the Binding Response MUST be Ca and the source port of the 545 Binding Response MUST be Dp. When both flags are set, the source IP 546 address of the Binding Response MUST be Ca and the source port of the 547 Binding Response MUST be Cp. If neither flag is set, or if the 548 CHANGE-REQUEST attribute is absent entirely, the source IP address of 549 the Binding Response MUST be Da and the source port of the Binding 550 Response MUST be Dp. 552 Flags Source Address Source Port CHANGED-ADDRESS 553 none Da Dp Ca:Cp 554 Change IP Ca Dp Ca:Cp 555 Change port Da Cp Ca:Cp 556 Change IP and 557 Change port Ca Cp Ca:Cp 559 Figure 2 561 The server MUST add a SOURCE-ADDRESS attribute to the Binding 562 Response, containing the source address and port used to send the 563 Binding Response. 565 The server MUST add a CHANGED-ADDRESS attribute to the Binding 566 Response. This contains the source IP address and port that would be 567 used if the client had set the "change IP" and "change port" flags in 568 the Binding Request. As summarized in Table 1, these are Ca and Cp, 569 respectively, regardless of the value of the CHANGE-REQUEST flags. 571 If the Binding Request contained both the USERNAME and MESSAGE- 572 INTEGRITY attributes, the server MUST add a MESSAGE-INTEGRITY 573 attribute to the Binding Response. The attribute contains an HMAC 574 [13] over the response, as described in Section 10.2.8. The key to 575 use depends on the shared secret mechanism. If the STUN Shared 576 Secret Request was used, the key MUST be the one associated with the 577 USERNAME attribute present in the Binding Request. 579 If the Binding Request contained a RESPONSE-ADDRESS attribute, the 580 server MUST add a REFLECTED-FROM attribute to the response. If the 581 Binding Request was authenticated using a username obtained from a 582 Shared Secret Request, the REFLECTED-FROM attribute MUST contain the 583 source IP address and port where that Shared Secret Request came 584 from. If the username present in the request was not allocated using 585 a Shared Secret Request, the REFLECTED-FROM attribute MUST contain 586 the source address and port of the entity which obtained the 587 username, as best can be verified with the mechanism used to allocate 588 the username. If the username was not present in the request, and 589 the server was willing to process the request, the REFLECTED-FROM 590 attribute SHOULD contain the source IP address and port where the 591 request came from. 593 The server SHOULD NOT retransmit the response. Reliability is 594 achieved by having the client periodically resend the request, each 595 of which triggers a response from the server. 597 8.2 Shared Secret Requests 599 Shared Secret Requests are always received on TLS connections. When 600 the server receives a request from the client to establish a TLS 601 connection, it MUST proceed with TLS, and SHOULD present a site 602 certificate. The TLS ciphersuite TLS_RSA_WITH_AES_128_CBC_SHA [4] 603 SHOULD be used. Client TLS authentication MUST NOT be done, since 604 the server is not allocating any resources to clients, and the 605 computational burden can be a source of attacks. 607 If the server receives a Shared Secret Request, it MUST verify that 608 the request arrived on a TLS connection. If it did not receive the 609 request over TLS, it MUST generate a Shared Secret Error Response, 610 and it MUST include an ERROR-CODE attribute with a 433 response code. 611 The destination for the error response depends on the transport on 612 which the request was received. If the Shared Secret Request was 613 received over TCP, the Shared Secret Error Response is sent over the 614 same connection the request was received on. If the Shared Secret 615 Request was receive over UDP, the Shared Secret Error Response is 616 sent to the source IP address and port that the request came from. 618 The server MUST check for any attributes in the request with values 619 less than or equal to 0x7fff which it does not understand. If it 620 encounters any, the server MUST generate a Shared Secret Error 621 Response, and it MUST include an ERROR-CODE attribute with a 420 622 response code. That response MUST contain an UNKNOWN-ATTRIBUTES 623 attribute listing the attributes with values less than or equal to 624 0x7fff which were not understood. The Shared Secret Error Response 625 is sent over the TLS connection. 627 All Shared Secret Error Responses MUST contain the same transaction 628 ID contained in the Shared Secret Request. The length in the message 629 header MUST contain the total length of the message in bytes, 630 excluding the header. The Shared Secret Error Response MUST have a 631 message type of "Shared Secret Error Response" (0x0112). 633 Assuming the request was properly constructed, the server creates a 634 Shared Secret Response. The Shared Secret Response MUST contain the 635 same transaction ID contained in the Shared Secret Request. The 636 length in the message header MUST contain the total length of the 637 message in bytes, excluding the header. The Shared Secret Response 638 MUST have a message type of "Shared Secret Response". The Shared 639 Secret Response MUST contain a USERNAME attribute and a PASSWORD 640 attribute. The USERNAME attribute serves as an index to the 641 password, which is contained in the PASSWORD attribute. The server 642 can use any mechanism it chooses to generate the username. However, 643 the username MUST be valid for a period of at least 10 minutes. 644 Validity means that the server can compute the password for that 645 username. There MUST be a single password for each username. In 646 other words, the server cannot, 10 minutes later, assign a different 647 password to the same username. The server MUST hand out a different 648 username for each distinct Shared Secret Request. Distinct, in this 649 case, implies a different transaction ID. It is RECOMMENDED that the 650 server explicitly invalidate the username after ten minutes. It MUST 651 invalidate the username after 30 minutes. The PASSWORD contains the 652 password bound to that username. The password MUST have at least 128 653 bits. The likelihood that the server assigns the same password for 654 two different usernames MUST be vanishingly small, and the passwords 655 MUST be unguessable. In other words, they MUST be a 656 cryptographically random function of the username. 658 These requirements can still be met using a stateless server, by 659 intelligently computing the USERNAME and PASSWORD. One approach is 660 to construct the USERNAME as: 662 USERNAME = 664 Where prefix is some random text string (different for each shared 665 secret request), rounded-time is the current time modulo 20 minutes, 666 clientIP is the source IP address where the Shared Secret Request 667 came from, and hmac is an HMAC [13] over the prefix, rounded-time, 668 and client IP, using a server private key. 670 The password is then computed as: 672 password = 674 With this structure, the username itself, which will be present in 675 the Binding Request, contains the source IP address where the Shared 676 Secret Request came from. That allows the server to meet the 677 requirements specified in Section 8.1 for constructing the 678 REFLECTED-FROM attribute. The server can verify that the username 679 was not tampered with, using the hmac present in the username. 681 The server SHOULD include a SERVER attribute in any Shared Secret 682 Response or Shared Secret Error response it generates, and its value 683 SHOULD indicate the manufacturer of the software and a software 684 version or build number. 686 The Shared Secret Response is sent over the same TLS connection the 687 request was received on. The server SHOULD keep the connection open, 688 and let the client close it. 690 9. Client Behavior 692 The behavior of the client is very straightforward. Its task is to 693 discover the STUN server, obtain a shared secret, formulate the 694 Binding Request, handle request reliability, process the Binding 695 Responses, and use the resulting addresses. 697 9.1 Discovery 699 Generally, the client will be configured with a domain name of the 700 provider of the STUN servers. This domain name is resolved to an IP 701 address and port using the SRV procedures specified in RFC 2782 [3]. 703 Specifically, the service name is "stun". The protocol is "udp" for 704 sending Binding Requests, or "tcp" for sending Shared Secret 705 Requests. The procedures of RFC 2782 are followed to determine the 706 server to contact. RFC 2782 spells out the details of how a set of 707 SRV records are sorted and then tried. However, it only states that 708 the client should "try to connect to the (protocol, address, 709 service)" without giving any details on what happens in the event of 710 failure. Those details are described here for STUN. 712 For STUN requests, failure occurs if there is a transport failure of 713 some sort (generally, due to fatal ICMP errors in UDP or connection 714 failures in TCP). Failure also occurs if the transaction fails due 715 to timeout. This occurs 9.5 seconds after the first request is sent, 716 for both Shared Secret Requests and Binding Requests. See Section 717 9.3 for details on transaction timeouts for Binding Requests. If a 718 failure occurs, the client SHOULD create a new request, which is 719 identical to the previous, but has a different transaction ID and 720 MESSAGE INTEGRITY attribute (the HMAC will change because the 721 transaction ID has changed). That request is sent to the next 722 element in the list as specified by RFC 2782. 724 The default port for STUN requests is 3478, for both TCP and UDP. 725 Administrators SHOULD use this port in their SRV records, but MAY use 726 others. 728 If no SRV records were found, the client performs an A record lookup 729 of the domain name. The result will be a list of IP addresses, each 730 of which can be contacted at the default port. 732 This would allow a firewall admin to open the STUN port, so hosts 733 within the enterprise could access new applications. Whether they 734 will or won't do this is a good question. 736 9.2 Obtaining a Shared Secret 738 As discussed in Section 11, there are several attacks possible on 739 STUN systems. Many of these are prevented through integrity of 740 requests and responses. To provide that integrity, STUN makes use of 741 a shared secret between client and server, used as the keying 742 material for an HMAC used in both the Binding Request and Binding 743 Response. STUN allows for the shared secret to be obtained in any 744 way (for example, Kerberos [14]). However, it MUST have at least 128 745 bits of randomness. In order to ensure interoperability, this 746 specification describes a TLS-based mechanism. This mechanism, 747 described in this section, MUST be implemented by clients and 748 servers. 750 First, the client determines the IP address and port that it will 751 open a TCP connection to. This is done using the discovery 752 procedures in Section 9.1. The client opens up the connection to 753 that address and port, and immediately begins TLS negotiation [2]. 754 The client MUST verify the identity of the server. To do that, it 755 follows the identification procedures defined in Section 3.1 of RFC 756 2818 [5]. Those procedures assume the client is dereferencing a URI. 757 For purposes of usage with this specification, the client treats the 758 domain name or IP address used in Section 9.1 as the host portion of 759 the URI that has been dereferenced. 761 Once the connection is opened, the client sends a Shared Secret 762 request. This request has no attributes, just the header. The 763 transaction ID in the header MUST meet the requirements outlined for 764 the transaction ID in a binding request, described in Section 9.3 765 below. The server generates a response, which can either be a Shared 766 Secret Response or a Shared Secret Error Response. 768 If the response was a Shared Secret Error Response, the client checks 769 the response code in the ERROR-CODE attribute. Interpretation of 770 those response codes is identical to the processing of Section 9.4 771 for the Binding Error Response. 773 If a client receives a Shared Secret Response with an attribute whose 774 type is greater than 0x7fff, the attribute MUST be ignored. If the 775 client receives a Shared Secret Response with an attribute whose type 776 is less than or equal to 0x7fff, the response is ignored. 778 If the response was a Shared Secret Response, it will contain a short 779 lived username and password, encoded in the USERNAME and PASSWORD 780 attributes, respectively. 782 The client MAY generate multiple Shared Secret Requests on the 783 connection, and it MAY do so before receiving Shared Secret Responses 784 to previous Shared Secret Requests. The client SHOULD close the 785 connection as soon as it has finished obtaining usernames and 786 passwords. 788 Section 9.3 describes how these passwords are used to provide 789 integrity protection over Binding Requests, and Section 8.1 describes 790 how it is used in Binding Responses. 792 9.3 Formulating the Binding Request 794 A Binding Request formulated by the client follows the syntax rules 795 defined in Section 10. Any two requests that are not bit-wise 796 identical, and not sent to the same server from the same IP address 797 and port, MUST carry different transaction IDs. The transaction ID 798 MUST be uniformly and randomly distributed between 0 and 2**128 - 1. 799 The large range is needed because the transaction ID serves as a form 800 of randomization, helping to prevent replays of previously signed 801 responses from the server. The message type of the request MUST be 802 "Binding Request". 804 The RESPONSE-ADDRESS attribute is optional in the Binding Request. 805 It is used if the client wishes the response to be sent to a 806 different IP address and port than the one the request was sent from. 807 The CHANGE-REQUEST attribute is also optional. It tells the server 808 to send the response from a different address or port. Both 809 RESPONSE-ADDRESS and CHANGE-REQUEST are primarily useful in 810 diagnostic operations for analyzing the behavior of a NAT. Under 811 normal usage, neither of these attributes will be present. 813 The client SHOULD add a MESSAGE-INTEGRITY and USERNAME attribute to 814 the Binding Request. This MESSAGE-INTEGRITY attribute contains an 815 HMAC [13]. The value of the username, and the key to use in the 816 MESSAGE-INTEGRITY attribute depend on the shared secret mechanism. 817 If the STUN Shared Secret Request was used, the USERNAME must be a 818 valid username obtained from a Shared Secret Response within the last 819 nine minutes. The shared secret for the HMAC is the value of the 820 PASSWORD attribute obtained from the same Shared Secret Response. 822 Once formulated, the client sends the Binding Request. Reliability 823 is accomplished through client retransmissions. Clients SHOULD 824 retransmit the request starting with an interval of 100ms, doubling 825 every retransmit until the interval reaches 1.6s. Retransmissions 826 continue with intervals of 1.6s until a response is received, or a 827 total of 9 requests have been sent. If no response is received by 828 1.6 seconds after the last request has been sent, the client SHOULD 829 consider the transaction to have failed. In other words, requests 830 would be sent at times 0ms, 100ms, 300ms, 700ms, 1500ms, 3100ms, 831 4700ms, 6300ms, and 7900ms. At 9500ms, the client considers the 832 transaction to have failed if no response has been received. 834 9.4 Processing Binding Responses 836 The response can either be a Binding Response or Binding Error 837 Response. Binding Error Responses are always received on the source 838 address and port the request was sent from. A Binding Response will 839 be received on the address and port placed in the RESPONSE-ADDRESS 840 attribute of the request. If none was present, the Binding Responses 841 will be received on the source address and port the request was sent 842 from. 844 If the response is a Binding Error Response, the client checks the 845 response code from the ERROR-CODE attribute of the response. For a 846 400 response code, the client SHOULD display the reason phrase to the 847 user. For a 420 response code, the client SHOULD retry the request, 848 this time omitting any attributes listed in the UNKNOWN-ATTRIBUTES 849 attribute of the response. For a 430 response code, the client 850 SHOULD obtain a new shared secret, and retry the Binding Request with 851 a new transaction. For 401 and 432 response codes, if the client had 852 omitted the USERNAME or MESSAGE-INTEGRITY attribute as indicated by 853 the error, it SHOULD try again with those attributes. For a 431 854 response code, the client SHOULD alert the user, and MAY try the 855 request again after obtaining a new username and password. For a 500 856 response code, the client MAY wait several seconds and then retry the 857 request. For a 600 response code, the client MUST NOT retry the 858 request, and SHOULD display the reason phrase to the user. Unknown 859 attributes between 400 and 499 are treated like a 400, unknown 860 attributes between 500 and 599 are treated like a 500, and unknown 861 attributes between 600 and 699 are treated like a 600. Any response 862 between 100 and 399 MUST result in the cessation of request 863 retransmissions, but otherwise is discarded. 865 If a client receives a response with an attribute whose type is 866 greater than 0x7fff, the attribute MUST be ignored. If the client 867 receives a response with an attribute whose type is less than or 868 equal to 0x7fff, request retransmissions MUST cease, but the entire 869 response is otherwise ignored. 871 If the response is a Binding Response, the client SHOULD check the 872 response for a MESSAGE-INTEGRITY attribute. If not present, and the 873 client placed a MESSAGE-INTEGRITY attribute into the request, it MUST 874 discard the response. If present, the client computes the HMAC over 875 the response as described in Section 10.2.8. The key to use depends 876 on the shared secret mechanism. If the STUN Shared Secret Request 877 was used, the key MUST be same as used to compute the MESSAGE- 878 INTEGRITY attribute in the request. If the computed HMAC differs 879 from the one in the response, the client SHOULD determine if the 880 integrity check failed due to a NAT rewriting the MAPPED-ADDRESS. To 881 perform this check, the client compares the IP address and port in 882 the MAPPED-ADDRESS with the IP address and port extracted from 883 XOR-MAPPED-ADDRESS (extraction involves xor'ing the contents of 884 X-port and X-value with the transaction ID, as described in Section 885 10). If the two IP addresses and ports differ, the client MUST 886 discard the response, but then it SHOULD retry the Binding Request 887 with the XOR-ONLY attribute included. This tells the server not to 888 include a MAPPED-ADDRESS in the Binding Response. 890 If there is no XOR-MAPPED-ADDRESS, or if there is, but there are no 891 differences between the two IP addresses and ports, the client MUST 892 discard the response and SHOULD alert the user about a possible 893 attack. 895 If the computed HMAC matches the one from the response, processing 896 continues. 898 Reception of a response (either Binding Error Response or Binding 899 Response) to a Binding Request will terminate retransmissions of that 900 request. However, clients MUST continue to listen for responses to a 901 Binding Request for 10 seconds after the first response. If it 902 receives any responses in this interval with different message types 903 (Binding Responses and Binding Error Responses, for example), 904 different MAPPED-ADDRESSes, or different XOR-MAPPED-ADDRESSes, it is 905 an indication of a possible attack. The client MUST NOT use the 906 MAPPED-ADDRESS or XOR-MAPPED-ADDRESS from any of the responses it 907 received (either the first or the additional ones), and SHOULD alert 908 the user. 910 Furthermore, if a client receives more than twice as many Binding 911 Responses as the number of Binding Requests it sent, it MUST NOT use 912 the MAPPED-ADDRESS or XOR-MAPPED-ADDRESS from any of those responses, 913 and SHOULD alert the user about a potential attack. 915 If the Binding Response is authenticated, and the MAPPED-ADDRESS or 916 XOR-MAPPED-ADDRESS was not discarded because of a potential attack, 917 the CLIENT MAY use the information in the Binding Response. In 918 particular, the client SHOULD used the IP address and port from the 919 XOR-MAPPED-ADDRESS instead of the information from the 920 MAPPED-ADDRESS, assuming XOR-MAPPED-ADDRESS was present in the 921 Binding Response. Servers compliant to RFC 3489 [19] will not 922 generate XOR-MAPPED-ADDRESS, so a client MUST be prepared to handle 923 the case where only MAPPED-ADDRESS is present. In such a case, the 924 information from MAPPED-ADDRESS is used. 926 It is also possible for an IPv4 host to receive a XOR-MAPPED-ADDRESS 927 or MAPPED-ADDRESS containing an IPv6 address, or for an IPv6 host to 928 receive a XOR-MAPPED-ADDRESS or MAPPED-ADDRESS containing an IPv4 929 address. Clients MUST be prepared for this case. 931 The next section provides additional details on how the mapped 932 address information is used. 934 9.5 Using the Mapped Address 936 The mapped address present in the XOR-MAPPED-ADDRESS attribute (or 937 MAPPED-ADDRESS if not present) of the binding response can be used by 938 clients to facilitate UDP traversal of NATs for many applications. 940 NAT traversal is problematic for applications which require a client 941 to insert an IP address and port into a message, to which subsequent 942 messages will be delivered by other entities in a network. Normally, 943 the client would insert the IP address and port from a local 944 interface into the message. However, if the client is behind a NAT, 945 this local interface will be a private address. Clients within other 946 address realms will not be able to send messages to that address. 948 An example of a such an application is SIP, which requires a client 949 to include IP address and port information in several places, 950 including the Session Description Protocol (SDP) body [20] carried by 951 SIP. The IP address and port present in the SDP is used for receipt 952 of media. 954 To use STUN as a technique for traversal of SIP and other protocols, 955 when the client wishes to send a protocol message, it figures out the 956 places in the protocol data unit where it is supposed to insert its 957 own IP address along with a port. Instead of directly using a port 958 allocated from a local interface, the client allocates a port from 959 the local interface, and from that port, initiates the STUN 960 procedures described above. The XOR-MAPPED-ADDRESS (or 961 MAPPED-ADDRESS if not present) in the STUN Binding Response provides 962 the client with an alternative IP address and port which it can then 963 include in the protocol PDU. This IP address and port may be within 964 a different address family than the local interfaces used by the 965 client. This is not an error condition. In such a case, the client 966 would use the learned IP address and port as if the client was a host 967 with an interface within that address family. 969 In the case of SIP, to populate the SDP appropriately, a client would 970 generate two STUN Binding Request messages at the time a call is 971 initiated or answered. One is used to obtain the IP address and port 972 for RTP, and the other, for the Real Time Control Protocol (RTCP) 973 [12]. The client might also need to use STUN to obtain IP addresses 974 and ports for usage in other parts of the SIP message. The detailed 975 usage of STUN to facilitate SIP NAT traversal is outside the scope of 976 this specification. 978 As discussed above, the addresses learned by STUN may not be usable 979 with all entities with whom a client might wish to communicate. The 980 way in which this problem is handled depends on the application 981 protocol. The ideal solution is for a protocol to allow a client to 982 include a multiplicity of addresses and ports in the PDU. One of 983 those can be the address and port determined from STUN, and the 984 others can include addresses and ports learned from other techniques. 985 The application protocol would then provide a means for dynamically 986 detecting which one works. An example of such an an approach is 987 Interactive Connectivity Establishment (ICE) [21]. 989 10. Protocol Details 991 This section presents the detailed encoding of a STUN message. 993 STUN is a request-response protocol. Clients send a request, and the 994 server sends a response. There are two requests, Binding Request, 995 and Shared Secret Request. The response to a Binding Request can 996 either be the Binding Response or Binding Error Response. The 997 response to a Shared Secret Request can either be a Shared Secret 998 Response or a Shared Secret Error Response. 1000 STUN messages are encoded using binary fields. All integer fields 1001 are carried in network byte order, that is, most significant byte 1002 (octet) first. This byte order is commonly known as big-endian. The 1003 transmission order is described in detail in Appendix B of RFC 791 1004 [6]. Unless otherwise noted, numeric constants are in decimal (base 1005 10). 1007 10.1 Message Header 1009 All STUN messages consist of a 20 byte header: 1011 0 1 2 3 1012 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1013 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1014 | STUN Message Type | Message Length | 1015 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1016 | 1017 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1019 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1020 Transaction ID 1021 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1022 | 1023 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1025 The Message Types can take on the following values: 1027 0x0001 : Binding Request 1028 0x0101 : Binding Response 1029 0x0111 : Binding Error Response 1030 0x0002 : Shared Secret Request 1031 0x0102 : Shared Secret Response 1032 0x0112 : Shared Secret Error Response 1034 It is important to note that the most significant two bits of every 1035 STUN message are equal to 0b00. This aids in differentiating STUN 1036 packets from RTP packets, in the case that both are sent to the same 1037 IP address and port, as is done with ICE. 1039 The message length is the count, in bytes, of the size of the 1040 message, not including the 20 byte header. 1042 The transaction ID is a 128 bit identifier. It also serves as salt 1043 to randomize the request and the response. All responses carry the 1044 same identifier as the request they correspond to. 1046 10.2 Message Attributes 1048 After the header are 0 or more attributes. Each attribute is TLV 1049 encoded, with a 16 bit type, 16 bit length, and variable value: 1051 0 1 2 3 1052 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1053 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1054 | Type | Length | 1055 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1056 | Value .... 1058 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1060 The following types are defined: 1062 0x0001: MAPPED-ADDRESS 1063 0x0002: RESPONSE-ADDRESS 1064 0x0003: CHANGE-REQUEST 1065 0x0004: SOURCE-ADDRESS 1066 0x0005: CHANGED-ADDRESS 1067 0x0006: USERNAME 1068 0x0007: PASSWORD 1069 0x0008: MESSAGE-INTEGRITY 1070 0x0009: ERROR-CODE 1071 0x000a: UNKNOWN-ATTRIBUTES 1072 0x000b: REFLECTED-FROM 1073 0x0020: XOR-MAPPED-ADDRESS 1074 0x0021: XOR-ONLY 1075 0x0022: SERVER 1077 To allow future revisions of this specification to add new attributes 1078 if needed, the attribute space is divided into optional and mandatory 1079 ones. Attributes with values greater than 0x7fff are optional, which 1080 means that the message can be processed by the client or server even 1081 though the attribute is not understood. Attributes with values less 1082 than or equal to 0x7fff are mandatory to understand, which means that 1083 the client or server cannot process the message unless it understands 1084 the attribute. 1086 The MESSAGE-INTEGRITY attribute MUST be the last attribute within a 1087 message. Any attributes that are known, but are not supposed to be 1088 present in a message (MAPPED-ADDRESS in a request, for example) MUST 1089 be ignored. 1091 Figure 9 indicates which attributes are present in which messages. 1092 An M indicates that inclusion of the attribute in the message is 1093 mandatory, O means its optional, C means it's conditional based on 1094 some other aspect of the message, and N/A means that the attribute is 1095 not applicable to that message type. 1097 Binding Shared Shared Shared 1098 Binding Binding Error Secret Secret Secret 1099 Att. Req. Resp. Resp. Req. Resp. Error 1100 Resp. 1101 _____________________________________________________________________ 1102 MAPPED-ADDRESS N/A M N/A N/A N/A N/A 1103 RESPONSE-ADDRESS O N/A N/A N/A N/A N/A 1104 CHANGE-REQUEST O N/A N/A N/A N/A N/A 1105 SOURCE-ADDRESS N/A M N/A N/A N/A N/A 1106 CHANGED-ADDRESS N/A M N/A N/A N/A N/A 1107 USERNAME O N/A N/A N/A M N/A 1108 PASSWORD N/A N/A N/A N/A M N/A 1109 MESSAGE-INTEGRITY O O N/A N/A N/A N/A 1110 ERROR-CODE N/A N/A M N/A N/A M 1111 UNKNOWN-ATTRIBUTES N/A N/A C N/A N/A C 1112 REFLECTED-FROM N/A C N/A N/A N/A N/A 1113 XOR-MAPPED-ADDRESS N/A M N/A N/A N/A N/A 1114 XOR-ONLY O N/A N/A N/A N/A N/A 1115 SERVER N/A O O N/A O O 1117 Figure 9 1119 The length refers to the length of the value element, expressed as an 1120 unsigned integral number of bytes. 1122 10.2.1 MAPPED-ADDRESS 1124 The MAPPED-ADDRESS attribute indicates the mapped IP address and 1125 port. It consists of an eight bit address family, and a sixteen bit 1126 port, followed by a fixed length value representing the IP address. 1127 If the address family is IPv4, the address is 32 bits. If the 1128 address family is IPv6, the address is 128 bits. 1130 0 1 2 3 1131 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1133 |x x x x x x x x| Family | Port | 1134 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1135 | Address (variable) 1136 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1138 The port is a network byte ordered representation of the mapped port. 1139 The address family can take on the following values: 1141 0x01: IPv4 1142 0x02: IPv6 1144 The first 8 bits of the MAPPED-ADDRESS are ignored, for the purposes 1145 of aligning parameters on natural boundaries. 1147 10.2.2 RESPONSE-ADDRESS 1149 The RESPONSE-ADDRESS attribute indicates where the response to a 1150 Binding Request should be sent. Its syntax is identical to MAPPED- 1151 ADDRESS. 1153 10.2.3 CHANGED-ADDRESS 1155 The CHANGED-ADDRESS attribute indicates the IP address and port where 1156 responses would have been sent from if the "change IP" and "change 1157 port" flags had been set in the CHANGE-REQUEST attribute of the 1158 Binding Request. The attribute is always present in a Binding 1159 Response, independent of the value of the flags. Its syntax is 1160 identical to MAPPED-ADDRESS. 1162 10.2.4 CHANGE-REQUEST 1164 The CHANGE-REQUEST attribute is used by the client to request that 1165 the server use a different address and/or port when sending the 1166 response. The attribute is 32 bits long, although only two bits (A 1167 and B) are used: 1169 0 1 2 3 1170 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1171 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1172 |0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A B 0| 1173 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1175 The meaning of the flags is: 1177 A: This is the "change IP" flag. If true, it requests the server to 1178 send the Binding Response with a different IP address than the one 1179 the Binding Request was received on. 1181 B: This is the "change port" flag. If true, it requests the server 1182 to send the Binding Response with a different port than the one 1183 the Binding Request was received on. 1185 10.2.5 SOURCE-ADDRESS 1187 The SOURCE-ADDRESS attribute is present in Binding Responses. It 1188 indicates the source IP address and port that the server is sending 1189 the response from. Its syntax is identical to that of MAPPED- 1190 ADDRESS. 1192 10.2.6 USERNAME 1194 The USERNAME attribute is used for message integrity. It serves as a 1195 means to identify the shared secret used in the message integrity 1196 check. The USERNAME is always present in a Shared Secret Response, 1197 along with the PASSWORD. It is optionally present in a Binding 1198 Request when message integrity is used. 1200 The value of USERNAME is a variable length opaque value. Its length 1201 MUST be a multiple of 4 (measured in bytes) in order to guarantee 1202 alignment of attributes on word boundaries. 1204 10.2.7 PASSWORD 1206 The PASSWORD attribute is used in Shared Secret Responses. It is 1207 always present in a Shared Secret Response, along with the USERNAME. 1209 The value of PASSWORD is a variable length value that is to be used 1210 as a shared secret. Its length MUST be a multiple of 4 (measured in 1211 bytes) in order to guarantee alignment of attributes on word 1212 boundaries. 1214 10.2.8 MESSAGE-INTEGRITY 1216 The MESSAGE-INTEGRITY attribute contains an HMAC-SHA1 [13] of the 1217 STUN message. It can be present in Binding Requests or Binding 1218 Responses. Since it uses the SHA1 hash, the HMAC will be 20 bytes. 1219 The text used as input to HMAC is the STUN message, including the 1220 header, up to and including the attribute preceding the MESSAGE- 1221 INTEGRITY attribute. That text is then padded with zeroes so as to 1222 be a multiple of 64 bytes. As a result, the MESSAGE-INTEGRITY 1223 attribute MUST be the last attribute in any STUN message. The key 1224 used as input to HMAC depends on the context. 1226 10.2.9 ERROR-CODE 1228 The ERROR-CODE attribute is present in the Binding Error Response and 1229 Shared Secret Error Response. It is a numeric value in the range of 1230 100 to 699 plus a textual reason phrase encoded in UTF-8, and is 1231 consistent in its code assignments and semantics with SIP [10] and 1232 HTTP [15]. The reason phrase is meant for user consumption, and can 1233 be anything appropriate for the response code. The lengths of the 1234 reason phrases MUST be a multiple of 4 (measured in bytes). This can 1235 be accomplished by added spaces to the end of the text, if necessary. 1237 Recommended reason phrases for the defined response codes are 1238 presented below. 1240 To facilitate processing, the class of the error code (the hundreds 1241 digit) is encoded separately from the rest of the code. 1243 0 1 2 3 1244 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1245 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1246 | 0 |Class| Number | 1247 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1248 | Reason Phrase (variable) .. 1249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1251 The class represents the hundreds digit of the response code. The 1252 value MUST be between 1 and 6. The number represents the response 1253 code modulo 100, and its value MUST be between 0 and 99. 1255 The following response codes, along with their recommended reason 1256 phrases (in brackets) are defined at this time: 1258 400 (Bad Request): The request was malformed. The client should not 1259 retry the request without modification from the previous attempt. 1261 401 (Unauthorized): The Binding Request did not contain a 1262 MESSAGE-INTEGRITY attribute. 1264 420 (Unknown Attribute): The server did not understand a mandatory 1265 attribute in the request. 1267 430 (Stale Credentials): The Binding Request did contain a 1268 MESSAGE-INTEGRITY attribute, but it used a shared secret that has 1269 expired. The client should obtain a new shared secret and try 1270 again. 1272 431 (Integrity Check Failure): The Binding Request contained a 1273 MESSAGE-INTEGRITY attribute, but the HMAC failed verification. 1274 This could be a sign of a potential attack, or client 1275 implementation error. 1277 432 (Missing Username): The Binding Request contained a MESSAGE- 1278 INTEGRITY attribute, but not a USERNAME attribute. Both must be 1279 present for integrity checks. 1281 433 (Use TLS): The Shared Secret request has to be sent over TLS, but 1282 was not received over TLS. 1284 500 (Server Error): The server has suffered a temporary error. The 1285 client should try again. 1287 600 (Global Failure): The server is refusing to fulfill the request. 1288 The client should not retry. 1290 10.2.10 UNKNOWN-ATTRIBUTES 1292 The UNKNOWN-ATTRIBUTES attribute is present only in a Binding Error 1293 Response or Shared Secret Error Response when the response code in 1294 the ERROR-CODE attribute is 420. 1296 The attribute contains a list of 16 bit values, each of which 1297 represents an attribute type that was not understood by the server. 1298 If the number of unknown attributes is an odd number, one of the 1299 attributes MUST be repeated in the list, so that the total length of 1300 the list is a multiple of 4 bytes. 1302 0 1 2 3 1303 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1304 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1305 | Attribute 1 Type | Attribute 2 Type | 1306 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1307 | Attribute 3 Type | Attribute 4 Type ... 1308 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1310 10.2.11 REFLECTED-FROM 1312 The REFLECTED-FROM attribute is present only in Binding Responses, 1313 when the Binding Request contained a RESPONSE-ADDRESS attribute. The 1314 attribute contains the identity (in terms of IP address) of the 1315 source where the request came from. Its purpose is to provide 1316 traceability, so that a STUN server cannot be used as a reflector for 1317 denial-of-service attacks. 1319 Its syntax is identical to the MAPPED-ADDRESS attribute. 1321 10.2.12 XOR-MAPPED-ADDRESS 1323 The XOR-MAPPED-ADDRESS attribute is only present in Binding 1324 Responses. It provides the same information that is present in the 1325 MAPPED-ADDRESS attribute. However, the information is encoded by 1326 performing an exclusive or (XOR) operation between the mapped address 1327 and the transaction ID. Unfortunately, some NAT devices have been 1328 found to rewrite binary encoded IP addresses and ports that are 1329 present in protocol payloads. This behavior interferes with the 1330 operation of STUN. By providing the mapped address in an obfuscated 1331 form, STUN can continue to operate through these devices. 1333 The format of the XOR-MAPPED-ADDRESS is: 1335 0 1 2 3 1336 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1337 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1338 |x x x x x x x x| Family | X-Port | 1339 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1340 | X-Address (Variable) 1341 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1343 The Family represents the IP address family, and is encoded 1344 identically to the Family in MAPPED-ADDRESS. 1346 X-Port is equal to the port in MAPPED-ADDRESS, exclusive or'ed with 1347 most significant 16 bits of the transaction ID. If the IP address 1348 family is IPv4, X-Address is equal to the IP address in 1349 MAPPED-ADDRESS, exclusive or'ed with the most significant 32 bits of 1350 the transaction ID. If the IP address family is IPv6, the X-Address 1351 is equal to the IP address in MAPPED-ADDRESS, exclusive or'ed with 1352 the entire 128 bit transaction ID. 1354 10.2.13 XOR-ONLY 1356 This attribute is present in a Binding Request. It is used by a 1357 client to request that a server compliant to this specification omit 1358 the MAPPED-ADDRESS from a Binding Response, and include only the 1359 XOR-MAPPED-ADDRESS. This is necessary in cases where a Binding 1360 Response is failing integrity checks because a NAT is rewriting the 1361 contents of a MAPPED-ADDRESS in the Binding Response. 1363 This attribute has a length of zero, and therefore contains no other 1364 information past the common attribute header. 1366 10.2.14 SERVER 1368 The server attribute contains a textual description of the software 1369 being used by the server, including manufacturer and version number. 1370 The attribute has no impact on operation of the protocol, and serves 1371 only as a tool for diagnostic and debugging purposes. 1373 The value of SERVER is variable length. Its length MUST be a 1374 multiple of 4 (measured in bytes) in order to guarantee alignment of 1375 attributes on word boundaries. 1377 11. Security Considerations 1379 11.1 Attacks on STUN 1381 Generally speaking, attacks on STUN can be classified into denial of 1382 service attacks and eavesdropping attacks. Denial of service attacks 1383 can be launched against a STUN server itself, or against other 1384 elements using the STUN protocol. 1386 STUN servers create state through the Shared Secret Request 1387 mechanism. To prevent being swamped with traffic, a STUN server 1388 SHOULD limit the number of simultaneous TLS connections it will hold 1389 open by dropping an existing connection when a new connection request 1390 arrives (based on an Least Recently Used (LRU) policy, for example). 1391 Similarly, it SHOULD limit the number of shared secrets it will 1392 store, in the event that the server is storing the shared secrets. 1394 The attacks of greater interest are those in which the STUN server 1395 and client are used to launch DOS attacks against other entities, 1396 including the client itself. 1398 Many of the attacks require the attacker to generate a response to a 1399 legitimate STUN request, in order to provide the client with a faked 1400 XOR-MAPPED-ADDRESS or MAPPED-ADDRESS. In the sections below, we 1401 refer to either the XOR-MAPPED-ADDRESS or MAPPED-ADDRESS as just the 1402 mapped address (note the lower case). The attacks that can be 1403 launched using such a technique include: 1405 11.1.1 Attack I: DDOS Against a Target 1407 In this case, the attacker provides a large number of clients with 1408 the same faked mapped address that points to the intended target. 1409 This will trick all the STUN clients into thinking that their 1410 addresses are equal to that of the target. The clients then hand out 1411 that address in order to receive traffic on it (for example, in SIP 1412 or H.323 messages). However, all of that traffic becomes focused at 1413 the intended target. The attack can provide substantial 1414 amplification, especially when used with clients that are using STUN 1415 to enable multimedia applications. 1417 11.1.2 Attack II: Silencing a Client 1419 In this attack, the attacker seeks to deny a client access to 1420 services enabled by STUN (for example, a client using STUN to enable 1421 SIP-based multimedia traffic). To do that, the attacker provides 1422 that client with a faked mapped address. The mapped address it 1423 provides is an IP address that routes to nowhere. As a result, the 1424 client won't receive any of the packets it expects to receive when it 1425 hands out the mapped address. 1427 This exploitation is not very interesting for the attacker. It 1428 impacts a single client, which is frequently not the desired target. 1429 Moreover, any attacker that can mount the attack could also deny 1430 service to the client by other means, such as preventing the client 1431 from receiving any response from the STUN server, or even a DHCP 1432 server. 1434 11.1.3 Attack III: Assuming the Identity of a Client 1436 This attack is similar to attack II. However, the faked mapped 1437 address points to the attacker themself. This allows the attacker to 1438 receive traffic which was destined for the client. 1440 11.1.4 Attack IV: Eavesdropping 1442 In this attack, the attacker forces the client to use a mapped 1443 address that routes to itself. It then forwards any packets it 1444 receives to the client. This attack would allow the attacker to 1445 observe all packets sent to the client. However, in order to launch 1446 the attack, the attacker must have already been able to observe 1447 packets from the client to the STUN server. In most cases (such as 1448 when the attack is launched from an access network), this means that 1449 the attacker could already observe packets sent to the client. This 1450 attack is, as a result, only useful for observing traffic by 1451 attackers on the path from the client to the STUN server, but not 1452 generally on the path of packets being routed towards the client. 1454 11.2 Launching the Attacks 1456 It is important to note that attacks of this nature (injecting 1457 responses with fake mapped addresses) require that the attacker be 1458 capable of eavesdropping requests sent from the client to the server 1459 (or to act as a MITM for such attacks). This is because STUN 1460 requests contain a transaction identifier, selected by the client, 1461 which is random with 128 bits of entropy. The server echoes this 1462 value in the response, and the client ignores any responses that 1463 don't have a matching transaction ID. Therefore, in order for an 1464 attacker to provide a faked response that is accepted by the client, 1465 the attacker needs to know what the transaction ID in the request 1466 was. The large amount of randomness, combined with the need to know 1467 when the client sends a request, precludes attacks that involve 1468 guessing the transaction ID. 1470 Since all of the above attacks rely on this one primitive - injecting 1471 a response with a faked mapped address - preventing the attacks is 1472 accomplished by preventing this one operation. To prevent it, we 1473 need to consider the various ways in which it can be accomplished. 1474 There are several: 1476 11.2.1 Approach I: Compromise a Legitimate STUN Server 1478 In this attack, the attacker compromises a legitimate STUN server 1479 through a virus or Trojan horse. Presumably, this would allow the 1480 attacker to take over the STUN server, and control the types of 1481 responses it generates. 1483 Compromise of a STUN server can also lead to discovery of open ports. 1484 Knowledge of an open port creates an opportunity for DoS attacks on 1485 those ports (or DDoS attacks if the traversed NAT is a full cone 1486 NAT). Discovering open ports is already fairly trivial using port 1487 probing, so this does not represent a major threat. 1489 11.2.2 Approach II: DNS Attacks 1491 STUN servers are discovered using DNS SRV records. If an attacker 1492 can compromise the DNS, it can inject fake records which map a domain 1493 name to the IP address of a STUN server run by the attacker. This 1494 will allow it to inject fake responses to launch any of the attacks 1495 above. 1497 11.2.3 Approach III: Rogue Router or NAT 1499 Rather than compromise the STUN server, an attacker can cause a STUN 1500 server to generate responses with the wrong mapped address by 1501 compromising a router or NAT on the path from the client to the STUN 1502 server. When the STUN request passes through the rogue router or 1503 NAT, it rewrites the source address of the packet to be that of the 1504 desired mapped address. This address cannot be arbitrary. If the 1505 attacker is on the public Internet (that is, there are no NATs 1506 between it and the STUN server), and the attacker doesn't modify the 1507 STUN request, the address has to have the property that packets sent 1508 from the STUN server to that address would route through the 1509 compromised router. This is because the STUN server will send the 1510 responses back to the source address of the request. With a modified 1511 source address, the only way they can reach the client is if the 1512 compromised router directs them there. If the attacker is on the 1513 public Internet, but they can modify the STUN request, they can 1514 insert a RESPONSE-ADDRESS attribute into the request, containing the 1515 actual source address of the STUN request. This will cause the 1516 server to send the response to the client, independent of the source 1517 address the STUN server sees. This gives the attacker the ability to 1518 forge an arbitrary source address when it forwards the STUN request. 1520 If the attacker is on a private network (that is, there are NATs 1521 between it and the STUN server), the attacker will not be able to 1522 force the server to generate arbitrary mapped addresses in responses. 1523 They will only be able force the STUN server to generate mapped 1524 addresses which route to the private network. This is because the 1525 NAT between the attacker and the STUN server will rewrite the source 1526 address of the STUN request, mapping it to a public address that 1527 routes to the private network. Because of this, the attacker can 1528 only force the server to generate faked mapped addresses that route 1529 to the private network. Unfortunately, it is possible that a low 1530 quality NAT would be willing to map an allocated public address to 1531 another public address (as opposed to an internal private address), 1532 in which case the attacker could forge the source address in a STUN 1533 request to be an arbitrary public address. This kind of behavior 1534 from NATs does appear to be rare. 1536 11.2.4 Approach IV: MITM 1538 As an alternative to approach III, if the attacker can place an 1539 element on the path from the client to the server, the element can 1540 act as a man-in-the-middle. In that case, it can intercept a STUN 1541 request, and generate a STUN response directly with any desired value 1542 of the mapped address field. Alternatively, it can forward the STUN 1543 request to the server (after potential modification), receive the 1544 response, and forward it to the client. When forwarding the request 1545 and response, this attack is subject to the same limitations on the 1546 mapped address described in Section 11.2.3. 1548 11.2.5 Approach V: Response Injection Plus DoS 1550 In this approach, the attacker does not need to be a MITM (as in 1551 approaches III and IV). Rather, it only needs to be able to 1552 eavesdrop onto a network segment that carries STUN requests. This is 1553 easily done in multiple access networks such as ethernet or 1554 unprotected 802.11. To inject the fake response, the attacker 1555 listens on the network for a STUN request. When it sees one, it 1556 simultaneously launches a DoS attack on the STUN server, and 1557 generates its own STUN response with the desired mapped address 1558 value. The STUN response generated by the attacker will reach the 1559 client, and the DoS attack against the server is aimed at preventing 1560 the legitimate response from the server from reaching the client. 1561 Arguably, the attacker can do without the DoS attack on the server, 1562 so long as the faked response beats the real response back to the 1563 client, and the client uses the first response, and ignores the 1564 second (even though it's different). 1566 11.2.6 Approach VI: Duplication 1568 This approach is similar to approach V. The attacker listens on the 1569 network for a STUN request. When it sees it, it generates its own 1570 STUN request towards the server. This STUN request is identical to 1571 the one it saw, but with a spoofed source IP address. The spoofed 1572 address is equal to the one that the attacker desires to have placed 1573 in the mapped address of the STUN response. In fact, the attacker 1574 generates a flood of such packets. The STUN server will receive the 1575 one original request, plus a flood of duplicate fake ones. It 1576 generates responses to all of them. If the flood is sufficiently 1577 large for the responses to congest routers or some other equipment, 1578 there is a reasonable probability that the one real response is lost 1579 (along with many of the faked ones), but the net result is that only 1580 the faked responses are received by the STUN client. These responses 1581 are all identical and all contain the mapped address that the 1582 attacker wanted the client to use. 1584 The flood of duplicate packets is not needed (that is, only one faked 1585 request is sent), so long as the faked response beats the real 1586 response back to the client, and the client uses the first response, 1587 and ignores the second (even though it's different). 1589 Note that, in this approach, launching a DoS attack against the STUN 1590 server or the IP network, to prevent the valid response from being 1591 sent or received, is problematic. The attacker needs the STUN server 1592 to be available to handle its own request. Due to the periodic 1593 retransmissions of the request from the client, this leaves a very 1594 tiny window of opportunity. The attacker must start the DoS attack 1595 immediately after the actual request from the client, causing the 1596 correct response to be discarded, and then cease the DoS attack in 1597 order to send its own request, all before the next retransmission 1598 from the client. Due to the close spacing of the retransmits (100ms 1599 to a few seconds), this is very difficult to do. 1601 Besides DoS attacks, there may be other ways to prevent the actual 1602 request from the client from reaching the server. Layer 2 1603 manipulations, for example, might be able to accomplish it. 1605 Fortunately, Approach IV is subject to the same limitations 1606 documented in Section 11.2.3, which limit the range of mapped 1607 addresses the attacker can cause the STUN server to generate. 1609 11.3 Countermeasures 1611 STUN provides mechanisms to counter the approaches described above, 1612 and additional, non-STUN techniques can be used as well. 1614 First off, it is RECOMMENDED that networks with STUN clients 1615 implement ingress source filtering (RFC 2827 [7]). This is 1616 particularly important for the NATs themselves. As Section 11.2.3 1617 explains, NATs which do not perform this check can be used as 1618 "reflectors" in DDoS attacks. Most NATs do perform this check as a 1619 default mode of operation. We strongly advise people that purchase 1620 NATs to ensure that this capability is present and enabled. 1622 Secondly, it is RECOMMENDED that STUN servers be run on hosts 1623 dedicated to STUN, with all UDP and TCP ports disabled except for the 1624 STUN ports. This is to prevent viruses and Trojan horses from 1625 infecting STUN servers, in order to prevent their compromise. This 1626 helps mitigate Approach I (Section 11.2.1). 1628 Thirdly, to prevent the DNS attack of Section 11.2.2, Section 9.2 1629 recommends that the client verify the credentials provided by the 1630 server with the name used in the DNS lookup. 1632 Finally, all of the attacks above rely on the client taking the 1633 mapped address it learned from STUN, and using it in application 1634 layer protocols. If encryption and message integrity are provided 1635 within those protocols, the eavesdropping and identity assumption 1636 attacks can be prevented. As such, applications that make use of 1637 STUN addresses in application protocols SHOULD use integrity and 1638 encryption, even if a SHOULD level strength is not specified for that 1639 protocol. For example, multimedia applications using STUN addresses 1640 to receive RTP traffic would use secure RTP [16]. 1642 The above three techniques are non-STUN mechanisms. STUN itself 1643 provides several countermeasures. 1645 Approaches IV (Section 11.2.4), when generating the response locally, 1646 and V (Section 11.2.5) require an attacker to generate a faked 1647 response. This attack is prevented using the message integrity 1648 mechanism provided in STUN, described in Section 8.1. 1650 Approaches III (Section 11.2.3) IV (Section 11.2.4), when using the 1651 relaying technique, and VI (Section 11.2.6), however, are not 1652 preventable through server signatures. Both approaches are most 1653 potent when the attacker can modify the request, inserting a 1654 RESPONSE-ADDRESS that routes to the client. Fortunately, such 1655 modifications are preventable using the message integrity techniques 1656 described in Section 9.3. However, these three approaches are still 1657 functional when the attacker modifies nothing but the source address 1658 of the STUN request. Sadly, this is the one thing that cannot be 1659 protected through cryptographic means, as this is the change that 1660 STUN itself is seeking to detect and report. It is therefore an 1661 inherent weakness in NAT, and not fixable in STUN. To help mitigate 1662 these attacks, Section 9.4 provides several heuristics for the client 1663 to follow. The client looks for inconsistent or extra responses, 1664 both of which are signs of the attacks described above. However, 1665 these heuristics are just that - heuristics, and cannot be guaranteed 1666 to prevent attacks. The heuristics appear to prevent the attacks as 1667 we know how to launch them today. Implementors should stay posted 1668 for information on new heuristics that might be required in the 1669 future. Such information will be distributed on the IETF MIDCOM 1670 mailing list, midcom@ietf.org. 1672 11.4 Residual Threats 1674 None of the countermeasures listed above can prevent the attacks 1675 described in Section 11.2.3 if the attacker is in the appropriate 1676 network paths. Specifically, consider the case in which the attacker 1677 wishes to convince client C that it has address V. The attacker 1678 needs to have a network element on the path between A and the server 1679 (in order to modify the request) and on the path between the server 1680 and V so that it can forward the response to C. Furthermore, if 1681 there is a NAT between the attacker and the server, V must also be 1682 behind the same NAT. In such a situation, the attacker can either 1683 gain access to all the application-layer traffic or mount the DDOS 1684 attack described in Section 11.1.1. Note that any host which exists 1685 in the correct topological relationship can be DDOSed. It need not 1686 be using STUN. 1688 12. IANA Considerations 1690 STUN cannot be extended. Changes to the protocol are made through a 1691 standards track revision of this specification. As a result, no IANA 1692 registries are needed. Any future extensions will establish any 1693 needed registries. 1695 13. IAB Considerations 1697 The IAB has studied the problem of "Unilateral Self Address Fixing", 1698 which is the general process by which a client attempts to determine 1699 its address in another realm on the other side of a NAT through a 1700 collaborative protocol reflection mechanism (RFC 3424 [17]). STUN is 1701 an example of a protocol that performs this type of function. The 1702 IAB has mandated that any protocols developed for this purpose 1703 document a specific set of considerations. This section meets those 1704 requirements. 1706 13.1 Problem Definition 1708 From RFC 3424 [17], any UNSAF proposal must provide: 1710 Precise definition of a specific, limited-scope problem that is to 1711 be solved with the UNSAF proposal. A short term fix should not be 1712 generalized to solve other problems; this is why "short term fixes 1713 usually aren't". 1715 The specific problem being solved by STUN is to provide a means for a 1716 client to obtain an address on the public Internet from a 1717 non-symmetric NAT, for the express purpose of receiving incoming UDP 1718 traffic from another host, targeted to that address. 1720 STUN does not address TCP, either incoming or outgoing, and does not 1721 address outgoing UDP communications. 1723 13.2 Exit Strategy 1725 From [17], any UNSAF proposal must provide: 1727 Description of an exit strategy/transition plan. The better short 1728 term fixes are the ones that will naturally see less and less use 1729 as the appropriate technology is deployed. 1731 STUN by itself does not provide an exit strategy. This is provided 1732 by techniques, such as Interactive Connectivity Establishment (ICE) 1733 [21], which allow a client to determine whether addresses learned 1734 from STUN are needed, or whether other addresses, such as the one on 1735 the local interface, will work when communicating with another host. 1736 With such a detection technique, as a client finds that the addresses 1737 provided by STUN are never used, STUN queries can cease to be made, 1738 thus allowing them to phase out. 1740 STUN can also help facilitate the introduction of midcom. As 1741 midcom-capable NATs are deployed, applications will, instead of using 1742 STUN (which also resides at the application layer), first allocate an 1743 address binding using midcom. However, it is a well-known limitation 1744 of midcom that it only works when the agent knows the middleboxes 1745 through which its traffic will flow. Once bindings have been 1746 allocated from those middleboxes, a STUN detection procedure can 1747 validate that there are no additional middleboxes on the path from 1748 the public Internet to the client. If this is the case, the 1749 application can continue operation using the address bindings 1750 allocated from midcom. If it is not the case, STUN provides a 1751 mechanism for self-address fixing through the remaining midcom- 1752 unaware middleboxes. Thus, STUN provides a way to help transition to 1753 full midcom-aware networks. 1755 13.3 Brittleness Introduced by STUN 1757 From [17], any UNSAF proposal must provide: 1759 Discussion of specific issues that may render systems more 1760 "brittle". For example, approaches that involve using data at 1761 multiple network layers create more dependencies, increase 1762 debugging challenges, and make it harder to transition. 1764 STUN introduces brittleness into the system in several ways: 1766 o The binding acquisition usage of STUN does not work for all NAT 1767 types. It will work for any application for full cone NATs only. 1768 For restricted cone and port restricted cone NAT, it will work for 1769 some applications depending on the application. Application 1770 specific processing will generally be needed. For symmetric NATs, 1771 the binding acquisition will not yield a usable address. The 1772 tight dependency on the specific type of NAT makes the protocol 1773 brittle. 1775 o STUN assumes that the server exists on the public Internet. If 1776 the server is located in another private address realm, the user 1777 may or may not be able to use its discovered address to 1778 communicate with other users. There is no way to detect such a 1779 condition. 1781 o The bindings allocated from the NAT need to be continuously 1782 refreshed. Since the timeouts for these bindings is very 1783 implementation specific, the refresh interval cannot easily be 1784 determined. When the binding is not being actively used to 1785 receive traffic, but to wait for an incoming message, the binding 1786 refresh will needlessly consume network bandwidth. 1788 o The use of the STUN server as an additional network element 1789 introduces another point of potential security attack. These 1790 attacks are largely prevented by the security measures provided by 1791 STUN, but not entirely. 1793 o The use of the STUN server as an additional network element 1794 introduces another point of failure. If the client cannot locate 1795 a STUN server, or if the server should be unavailable due to 1796 failure, the application cannot function. 1798 o The use of STUN to discover address bindings will result in an 1799 increase in latency for applications. For example, a Voice over 1800 IP application will see an increase of call setup delays equal to 1801 at least one RTT to the STUN server. 1803 o STUN imposes some restrictions on the network topologies for 1804 proper operation. If client A obtains an address from STUN server 1805 X, and sends it to client B, B may not be able to send to A using 1806 that IP address. The address will not work if any of the 1807 following is true: 1809 * The STUN server is not in an address realm that is a common 1810 ancestor (topologically) of both clients A and B. For example, 1811 consider client A and B, both of which have residential NAT 1812 devices. Both devices connect them to their cable operators, 1813 but both clients have different providers. Each provider has a 1814 NAT in front of their entire network, connecting it to the 1815 public Internet. If the STUN server used by A is in A's cable 1816 operator's network, an address obtained by it will not be 1817 usable by B. The STUN server must be in the network which is a 1818 common ancestor to both - in this case, the public Internet. 1820 * The STUN server is in an address realm that is a common 1821 ancestor to both clients, but both clients are behind the same 1822 NAT connecting to that address realm. For example, if the two 1823 clients in the previous example had the same cable operator, 1824 that cable operator had a single NAT connecting their network 1825 to the public Internet, and the STUN server was on the public 1826 Internet, the address obtained by A would not be usable by B. 1827 That is because some NATs will not accept an internal packet 1828 sent to a public IP address which is mapped back to an internal 1829 address. To deal with this, additional protocol mechanisms or 1830 configuration parameters need to be introduced which detect 1831 this case. 1833 o Most significantly, STUN introduces potential security threats 1834 which cannot be eliminated. This specification describes 1835 heuristics that can be used to mitigate the problem, but it is 1836 provably unsolvable given what STUN is trying to accomplish. 1837 These security problems are described fully in Section 11. 1839 13.4 Requirements for a Long Term Solution 1841 From [17], any UNSAF proposal must provide: 1843 Identify requirements for longer term, sound technical solutions 1844 -- contribute to the process of finding the right longer term 1845 solution. 1847 Our experience with STUN has led to the following requirements for a 1848 long term solution to the NAT problem: 1850 Requests for bindings and control of other resources in a NAT need to 1851 be explicit. Much of the brittleness in STUN derives from its 1852 guessing at the parameters of the NAT, rather than telling the NAT 1853 what parameters to use. 1855 Control needs to be in-band. There are far too many scenarios in 1856 which the client will not know about the location of middleboxes 1857 ahead of time. Instead, control of such boxes needs to occur 1858 in-band, traveling along the same path as the data will itself 1859 travel. This guarantees that the right set of middleboxes are 1860 controlled. This is only true for first-party controls; 1861 third-party controls are best handled using the midcom framework. 1863 Control needs to be limited. Users will need to communicate through 1864 NATs which are outside of their administrative control. In order 1865 for providers to be willing to deploy NATs which can be controlled 1866 by users in different domains, the scope of such controls needs to 1867 be extremely limited - typically, allocating a binding to reach 1868 the address where the control packets are coming from. 1870 Simplicity is Paramount. The control protocol will need to be 1871 implement in very simple clients. The servers will need to 1872 support extremely high loads. The protocol will need to be 1873 extremely robust, being the precursor to a host of application 1874 protocols. As such, simplicity is key. 1876 13.5 Issues with Existing NAPT Boxes 1878 From [17], any UNSAF proposal must provide: 1880 Discussion of the impact of the noted practical issues with 1881 existing, deployed NA[P]Ts and experience reports. 1883 Several of the practical issues with STUN involve future proofing - 1884 breaking the protocol when new NAT types get deployed. Fortunately, 1885 this is not an issue at the current time, since most of the deployed 1886 NATs are of the types assumed by STUN. The primary usage STUN has 1887 found is in the area of VoIP, to facilitate allocation of addresses 1888 for receiving RTP [12] traffic. In that application, the periodic 1889 keepalives are provided by the RTP traffic itself. However, several 1890 practical problems arise for RTP. First, RTP assumes that RTCP 1891 traffic is on a port one higher than the RTP traffic. This pairing 1892 property cannot be guaranteed through NATs that are not directly 1893 controllable. As a result, RTCP traffic may not be properly 1894 received. Protocol extensions to SDP have been proposed which 1895 mitigate this by allowing the client to signal a different port for 1896 RTCP [18]. However, there will be interoperability problems for some 1897 time. 1899 For VoIP, silence suppression can cause a gap in the transmission of 1900 RTP packets. This could result in the loss of a binding in the 1901 middle of a call, if that silence period exceeds the binding timeout. 1903 This can be mitigated by sending occasional silence packets to keep 1904 the binding alive. However, the result is additional brittleness; 1905 proper operation depends on the silence suppression algorithm in use, 1906 the usage of a comfort noise codec, the duration of the silence 1907 period, and the binding lifetime in the NAT. 1909 13.6 In Closing 1911 The problems with STUN are not design flaws in STUN. The problems in 1912 STUN have to do with the lack of standardized behaviors and controls 1913 in NATs. The result of this lack of standardization has been a 1914 proliferation of devices whose behavior is highly unpredictable, 1915 extremely variable, and uncontrollable. STUN does the best it can in 1916 such a hostile environment. Ultimately, the solution is to make the 1917 environment less hostile, and to introduce controls and standardized 1918 behaviors into NAT. However, until such time as that happens, STUN 1919 provides a good short term solution given the terrible conditions 1920 under which it is forced to operate. 1922 14. Changes Since RFC 3489 1924 This specification updates RFC 3489 [19]. This specification differs 1925 from RFC 3489 in the following ways: 1927 o Removed the usage of STUN for NAT type detection and binding 1928 lifetime discovery. These techniques have proven overly brittle 1929 due to wider variations in the types of NAT devices than described 1930 in this document. The protocol semantics used for NAT type 1931 detection remain, however, to provide backwards compatibility, and 1932 to allow for the NAT type detection to occur in purely diagnostic 1933 applications. 1935 o Removed the STUN example that centered around the separation of 1936 the control and media planes. Instead, provided more information 1937 on using STUN with protocols. 1939 o Added the XOR-MAPPED-ADDRESS attribute, which clients prefer to 1940 the MAPPED-ADDRESS when both are present in a Binding Response. 1941 XOR-MAPPED-ADDRESS is obfuscated so that NATs which try to "help" 1942 by rewriting binary IP addresses they find in protocols will not 1943 interfere with the operation of STUN. 1945 o Added the XOR-ONLY attribute, which clients can use to request 1946 that the server send a response with only the XOR-MAPPED-ADDRESS. 1947 This is necessary in case a Binding Response fails integrity 1948 checks due to a NAT that rewrites the MAPPED-ADDRESS. 1950 o Explicitly point out that the most significant two bits of STUN 1951 are 0b00, allowing easy differentiation with RTP packets when used 1952 with ICE. 1954 o Added support for IPv6. Made it clear that an IPv4 client could 1955 get a v6 mapped address, and vice-a-versa. 1957 o Added the SERVER attribute. 1959 15. Acknowledgments 1961 The authors would like to thank Cedric Aoun, Pete Cordell, Cullen 1962 Jennings, Bob Penfield and Chris Sullivan for their comments, and 1963 Baruch Sterman and Alan Hawrylyshen for initial implementations. 1964 Thanks for Leslie Daigle, Allison Mankin, Eric Rescorla, and Henning 1965 Schulzrinne for IESG and IAB input on this work. 1967 16. References 1969 16.1 Normative References 1971 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 1972 Levels", BCP 14, RFC 2119, March 1997. 1974 [2] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 1975 2246, January 1999. 1977 [3] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for 1978 specifying the location of services (DNS SRV)", RFC 2782, 1979 February 2000. 1981 [4] Chown, P., "Advanced Encryption Standard (AES) Ciphersuites for 1982 Transport Layer Security (TLS)", RFC 3268, June 2002. 1984 [5] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. 1986 [6] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981. 1988 [7] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating 1989 Denial of Service Attacks which employ IP Source Address 1990 Spoofing", BCP 38, RFC 2827, May 2000. 1992 16.2 Informative References 1994 [8] Senie, D., "Network Address Translator (NAT)-Friendly 1995 Application Design Guidelines", RFC 3235, January 2002. 1997 [9] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A. and A. 1999 Rayhan, "Middlebox communication architecture and framework", 2000 RFC 3303, August 2002. 2002 [10] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., 2003 Peterson, J., Sparks, R., Handley, M. and E. Schooler, "SIP: 2004 Session Initiation Protocol", RFC 3261, June 2002. 2006 [11] Holdrege, M. and P. Srisuresh, "Protocol Complications with the 2007 IP Network Address Translator", RFC 3027, January 2001. 2009 [12] Schulzrinne, H., Casner, S., Frederick, R. and V. Jacobson, 2010 "RTP: A Transport Protocol for Real-Time Applications", RFC 2011 3550, July 2003. 2013 [13] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing 2014 for Message Authentication", RFC 2104, February 1997. 2016 [14] Kohl, J. and B. Neuman, "The Kerberos Network Authentication 2017 Service (V5)", RFC 1510, September 1993. 2019 [15] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., 2020 Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol -- 2021 HTTP/1.1", RFC 2616, June 1999. 2023 [16] Baugher, M., McGrew, D., Naslund, M., Carrara, E. and K. 2024 Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 2025 3711, March 2004. 2027 [17] Daigle, L. and IAB, "IAB Considerations for UNilateral 2028 Self-Address Fixing (UNSAF) Across Network Address 2029 Translation", RFC 3424, November 2002. 2031 [18] Huitema, C., "Real Time Control Protocol (RTCP) attribute in 2032 Session Description Protocol (SDP)", RFC 3605, October 2003. 2034 [19] Rosenberg, J., Weinberger, J., Huitema, C. and R. Mahy, "STUN - 2035 Simple Traversal of User Datagram Protocol (UDP) Through 2036 Network Address Translators (NATs)", RFC 3489, March 2003. 2038 [20] Handley, M. and V. Jacobson, "SDP: Session Description 2039 Protocol", RFC 2327, April 1998. 2041 [21] Rosenberg, J., "Interactive Connectivity Establishment (ICE): A 2042 Methodology for Network Address Translator (NAT) Traversal for 2043 Multimedia Session Establishment Protocols", 2044 draft-ietf-mmusic-ice-03 (work in progress), October 2004. 2046 Authors' Addresses 2048 Jonathan Rosenberg 2049 Cisco Systems 2050 600 Lanidex Plaza 2051 Parsippany, NJ 07054 2052 US 2054 Phone: +1 973 952-5000 2055 EMail: jdrosen@cisco.com 2056 URI: http://www.jdrosen.net 2058 Christian Huitema 2059 Microsoft 2060 One Microsoft Way 2061 Redmond, WA 98052 2062 US 2064 EMail: huitema@microsoft.com 2066 Rohan Mahy 2067 Airspace 2069 EMail: rohan@ekabal.com 2071 Intellectual Property Statement 2073 The IETF takes no position regarding the validity or scope of any 2074 Intellectual Property Rights or other rights that might be claimed to 2075 pertain to the implementation or use of the technology described in 2076 this document or the extent to which any license under such rights 2077 might or might not be available; nor does it represent that it has 2078 made any independent effort to identify any such rights. Information 2079 on the procedures with respect to rights in RFC documents can be 2080 found in BCP 78 and BCP 79. 2082 Copies of IPR disclosures made to the IETF Secretariat and any 2083 assurances of licenses to be made available, or the result of an 2084 attempt made to obtain a general license or permission for the use of 2085 such proprietary rights by implementers or users of this 2086 specification can be obtained from the IETF on-line IPR repository at 2087 http://www.ietf.org/ipr. 2089 The IETF invites any interested party to bring to its attention any 2090 copyrights, patents or patent applications, or other proprietary 2091 rights that may cover technology that may be required to implement 2092 this standard. Please address the information to the IETF at 2093 ietf-ipr@ietf.org. 2095 Disclaimer of Validity 2097 This document and the information contained herein are provided on an 2098 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 2099 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 2100 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 2101 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 2102 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 2103 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 2105 Copyright Statement 2107 Copyright (C) The Internet Society (2005). This document is subject 2108 to the rights, licenses and restrictions contained in BCP 78, and 2109 except as set forth therein, the authors retain all their rights. 2111 Acknowledgment 2113 Funding for the RFC Editor function is currently provided by the 2114 Internet Society.