idnits 2.17.1 draft-ietf-midcom-stun-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** The document seems to lack a 1id_guidelines paragraph about the list of Shadow Directories. == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 1 character in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The "Author's Address" (or "Authors' Addresses") section title is misspelled. == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (December 9, 2002) is 7802 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 2246 (ref. '2') (Obsoleted by RFC 4346) ** Downref: Normative reference to an Informational RFC: RFC 2104 (ref. '14') ** Obsolete normative reference: RFC 3268 (ref. '5') (Obsoleted by RFC 5246) ** Obsolete normative reference: RFC 2818 (ref. '6') (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 1889 (ref. '13') (Obsoleted by RFC 3550) -- Obsolete informational reference (is this intentional?): RFC 1510 (ref. '15') (Obsoleted by RFC 4120, RFC 6649) -- Obsolete informational reference (is this intentional?): RFC 2616 (ref. '16') (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) Summary: 7 errors (**), 0 flaws (~~), 3 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force MIDCOM WG 3 Internet Draft J. Rosenberg 4 dynamicsoft 5 J. Weinberger 6 dynamicsoft 7 C. Huitema 8 Microsoft 9 R. Mahy 10 Cisco 11 draft-ietf-midcom-stun-04.txt 12 December 9, 2002 13 Expires: June 2003 15 STUN - Simple Traversal of UDP Through Network Address 16 Translators 18 STATUS OF THIS MEMO 20 This document is an Internet-Draft and is in full conformance with 21 all provisions of Section 10 of RFC2026. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF), its areas, and its working groups. Note that 25 other groups may also distribute working documents as Internet- 26 Drafts. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress". 33 The list of current Internet-Drafts can be accessed at 34 http://www.ietf.org/ietf/1id-abstracts.txt 36 To view the list Internet-Draft Shadow Directories, see 37 http://www.ietf.org/shadow.html. 39 Abstract 41 Simple Traversal of UDP Through NATs (STUN) is a lightweight protocol 42 that allows applications to discover the presence and types of 43 Network Address Translators (NATs) and firewalls between them and the 44 public Internet. It also provides the ability for applications to 45 determine the public IP addresses allocated to them by the NAT. STUN 46 works with many existing NATs, and does not require any special 47 behavior from them. As a result, it allows a wide variety of 48 applications to work through existing NAT infrastructure. 50 Table of Contents 52 1 Applicability Statement ............................. 5 53 2 Introduction ........................................ 5 54 3 Terminology ......................................... 6 55 4 Definitions ......................................... 6 56 5 NAT Variations ...................................... 7 57 6 Overview of Operation ............................... 7 58 7 Message Overview .................................... 10 59 8 Server Behavior ..................................... 12 60 8.1 Binding Requests .................................... 12 61 8.2 Shared Secret Requests .............................. 14 62 9 Client Behavior ..................................... 16 63 9.1 Discovery ........................................... 16 64 9.2 Obtaining a Shared Secret ........................... 17 65 9.3 Formulating the Binding Request ..................... 18 66 9.4 Processing Binding Responses ........................ 19 67 10 Use Cases ........................................... 20 68 10.1 Discovery Process ................................... 21 69 10.2 Binding Lifetime Discovery .......................... 22 70 10.3 Binding Acquisition ................................. 24 71 11 Protocol Details .................................... 25 72 11.1 Message Header ...................................... 26 73 11.2 Message Attributes .................................. 26 74 11.2.1 MAPPED-ADDRESS ...................................... 27 75 11.2.2 RESPONSE-ADDRESS .................................... 28 76 11.2.3 CHANGED-ADDRESS ..................................... 29 77 11.2.4 CHANGE-REQUEST ...................................... 29 78 11.2.5 SOURCE-ADDRESS ...................................... 29 79 11.2.6 USERNAME ............................................ 29 80 11.2.7 PASSWORD ............................................ 30 81 11.2.8 MESSAGE-INTEGRITY ................................... 30 82 11.2.9 ERROR-CODE .......................................... 30 83 11.2.10 UNKNOWN-ATTRIBUTES .................................. 31 84 11.2.11 REFLECTED-FROM ...................................... 32 85 12 Security Considerations ............................. 32 86 12.1 Attacks on STUN ..................................... 32 87 12.1.1 Attack I: DDOS Against a Target ..................... 32 88 12.1.2 Attack II: Silencing a Client ....................... 33 89 12.1.3 Attack III: Assuming the Identity of a Client ....... 33 90 12.1.4 Attack IV: Eavesdropping ............................ 33 91 12.2 Launching the Attacks ............................... 33 92 12.2.1 Approach I: Compromise a Legitimate STUN Server ..... 34 93 12.2.2 Approach II: DNS Attacks ............................ 34 94 12.2.3 Approach III: Rogue Router or NAT ................... 34 95 12.2.4 Approach IV: MITM ................................... 35 96 12.2.5 Approach V: Response Injection Plus DoS ............. 35 97 12.2.6 Approach VI: Duplication ............................ 36 98 12.3 Countermeasures ..................................... 37 99 12.4 Residual Threats .................................... 38 100 13 IANA Considerations ................................. 38 101 14 IAB Considerations .................................. 38 102 14.1 Problem Definition .................................. 39 103 14.2 Exit Strategy ....................................... 39 104 14.3 Brittleness Introduced by STUN ...................... 40 105 14.4 Requirements for a Long Term Solution ............... 42 106 14.5 Issues with Existing NAPT Boxes ..................... 43 107 14.6 In Closing .......................................... 44 108 15 Acknowledgments ..................................... 44 109 16 Authors Addresses ................................... 44 110 17 Normative References ................................ 45 111 18 Informative References .............................. 45 113 1 Applicability Statement 115 This protocol is not a cure-all for the problems associated with NAT. 116 It does not enable incoming TCP connections through NAT. It allows 117 incoming UDP packets through NAT, but only through a subset of 118 existing NAT types. In particular, STUN does not enable incoming UDP 119 packets through symmetric NATs (defined below), which are common in 120 large enterprises. STUN's discovery procedures are based on 121 assumptions on NAT treatment of UDP; such assumptions may prove 122 invalid down the road as new NAT devices are deployed. STUN does not 123 work when it is used to obtain an address to communicate with a peer 124 which happens to be behind the same NAT. STUN does not work when the 125 STUN server is not in a common shared address realm. For a more 126 complete discussion of the limitations of STUN, see Section 14. 128 2 Introduction 130 Network Address Translators (NATs), while providing many benefits, 131 also come with many drawbacks. The most troublesome of those 132 drawbacks is the fact that they break many existing IP applications, 133 and make it difficult to deploy new ones. Guidelines have been 134 developed [9] that describe how to build "NAT friendly" protocols, 135 but many protocols simply cannot be constructed according to those 136 guidelines. Examples of such protocols include almost all peer-to- 137 peer protocols, such as multimedia communications, file sharing and 138 games. 140 To combat this problem, Application Layer Gateways (ALGs) have been 141 embedded in NATs. ALGs perform the application layer functions 142 required for a particular protocol to traverse a NAT. Typically, this 143 involves rewriting application layer messages to contain translated 144 addresses, rather than the ones inserted by the sender of the 145 message. ALGs have serious limitations, including scalability, 146 reliability, and speed of deploying new applications. To resolve 147 these problems, the Middlebox Communications (MIDCOM) protocol is 148 being developed [10]. MIDCOM allows an application entity, such as an 149 end client or network server of some sort (like a Session Initiation 150 Protocol (SIP) proxy [11]) to control a NAT (or firewall), in order 151 to obtain NAT bindings and open or close pinholes. In this way, NATs 152 and applications can be separated once more, eliminating the need for 153 embedding ALGs in NATs, and resolving the limitations imposed by 154 current architectures. 156 Unfortunately, MIDCOM requires upgrades to existing NAT and 157 firewalls, in addition to application components. Complete upgrades 158 of these NAT and firewall products will take a long time, potentially 159 years. This is due, in part, to the fact that the deployers of NAT 160 and firewalls are not the same people who are deploying and using 161 applications. As a result, the incentive to upgrade these devices 162 will be low in many cases. Consider, for example, an airport Internet 163 lounge that provides access with a NAT. A user connecting to the 164 natted network may wish to use a peer-to-peer service, but cannot, 165 because the NAT doesn't support it. Since the administrators of the 166 lounge are not the ones providing the service, they are not motivated 167 to upgrade their NAT equipment to support it, using either an ALG, or 168 MIDCOM. 170 Another problem is that the MIDCOM protocol requires that the agent 171 controlling the middleboxes know the identity of those middleboxes, 172 and have a relationship with them which permits control. In many 173 configurations, this will not be possible. For example, many cable 174 access providers use NAT in front of their entire access network. 175 This NAT could be in addition to a residential NAT purchased and 176 operated by the end user. The end user will probably not have a 177 control relationship with the NAT in the cable access network, and 178 may not even know of its existence. 180 Many existing proprietary protocols, such as those for online games 181 (such as the games described in RFC 3027 [12]) and Voice over IP, 182 have developed tricks that allow them to operate through NATs without 183 changing those NATs. This draft is an attempt to take some of those 184 ideas, and codify them into an interoperable protocol that can meet 185 the needs of many applications. 187 The protocol described here, Simple Traversal of UDP Through NAT 188 (STUN), allows entities behind a NAT to first discover the presence 189 of a NAT and the type of NAT, and then to learn the addresses 190 bindings allocated by the NAT. STUN requires no changes to NATs, and 191 works with an arbitrary number of NATs in tandem between the 192 application entity and the public Internet. 194 3 Terminology 196 In this document, the key words "MUST", "MUST NOT", "REQUIRED", 197 "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", 198 and "OPTIONAL" are to be interpreted as described in RFC 2119 [1] and 199 indicate requirement levels for compliant STUN implementations. 201 4 Definitions 203 STUN Client: A STUN client (also just referred to as a client) 204 is an entity that generates STUN requests. A STUN client 205 can execute on an end system, such as a user's PC, or can 206 run in a network element, such as a conferencing server. 208 STUN Server: A STUN Server (also just referred to as a server) 209 is an entity that receives STUN requests, and sends STUN 210 responses. STUN servers are generally attached to the 211 public Internet. 213 5 NAT Variations 215 It is assumed that the reader is familiar with NATs. It has been 216 observed that NAT treatment of UDP varies among implementations. The 217 four treatments observed in implementations are: 219 Full Cone: A full cone NAT is one where all requests from the 220 same internal IP address and port are mapped to the same 221 external IP address and port. Furthermore, any external 222 host can send a packet to the internal host, by sending a 223 packet to the mapped external address. 225 Restricted Cone: A restricted cone NAT is one where all requests 226 from the same internal IP address and port are mapped to 227 the same external IP address and port. Unlike a full cone 228 NAT, an external host (with IP address X) can send a packet 229 to the internal host only if the internal host had 230 previously sent a packet to IP address X. 232 Port Restricted Cone: A port restricted cone NAT is like a 233 restricted cone NAT, but the restriction includes port 234 numbers. Specifically, an external host can send a packet, 235 with source IP address X and source port P, to the internal 236 host only if the internal host had previously sent a packet 237 to IP address X and port P. 239 Symmetric: A symmetric NAT is one where all requests from the 240 same internal IP address and port, to a specific 241 destination IP address and port, are mapped to the same 242 external IP address and port. If the same host sends a 243 packet with the same source address and port, but to a 244 different destination, a different mapping is used. 245 Furthermore, only the external host that receives a packet 246 can send a UDP packet back to the internal host. 248 Determining the type of NAT is important in many cases. Depending on 249 what the application wants to do, it may need to take the particular 250 behavior into account. 252 6 Overview of Operation 254 This section is descriptive only. Normative behavior is described in 255 Sections 8 and 9. 257 /-----\ 258 // STUN \\ 259 | Server | 260 \\ // 261 \-----/ 263 +--------------+ Public Internet 264 ................| NAT 2 |....................... 265 +--------------+ 267 +--------------+ Private NET 2 268 ................| NAT 1 |....................... 269 +--------------+ 271 /-----\ 272 // STUN \\ 273 | Client | 274 \\ // Private NET 1 275 \-----/ 277 Figure 1: STUN Configuration 279 The typical STUN configuration is shown in Figure 1. A STUN client is 280 connected to private network 1. This network connects to private 281 network 2 through NAT 1. Private network 2 connects to the public 282 Internet through NAT 2. The STUN server resides on the public 283 Internet. 285 STUN is a simple client-server protocol. A client sends a request to 286 a server, and the server returns a response. There are two types of 287 requests - Binding Requests, sent over UDP, and Shared Secret 288 Requests, sent over TLS [2] over TCP. Shared Secret Requests ask the 289 server to return a temporary username and password. This username and 290 password are used in a subsequent Binding Request and Binding 291 Response, for the purposes of authentication and message integrity. 293 Binding requests are used to determine the bindings allocated by 294 NATs. The client sends a Binding Request to the server, over UDP. 295 The server examines the source IP address and port of the request, 296 and copies them into a response that is sent back to the client. 297 There are some parameters in the request that allow the client to ask 298 that the response be sent elsewhere, or that the server send the 299 response from a different address and port. There are attributes for 300 providing message integrity and authentication. 302 The trick is using STUN to discover the presence of NAT, and to learn 303 and use the bindings they allocate. 305 The STUN client is typically embedded in an application which needs 306 to obtain a public IP address and port that can be used to receive 307 data. For example, it might need to obtain an IP address and port to 308 receive Real Time Transport Protocol (RTP) [13] traffic. When the 309 application starts, the STUN client within the application sends a 310 STUN Shared Secret Request to its server, obtains a username and 311 password, and then sends it a Binding Request. STUN servers can be 312 discovered through DNS SRV records [3], and it is generally assumed 313 that the client is configured with the domain to use to find the STUN 314 server. Generally, this will be the domain of the provider of the 315 service the application is using (such a provider is incented to 316 deploy STUN servers in order to allow its customers to use its 317 application through NAT). Of course, a client can determine the 318 address or domain name of a STUN server through other means. A STUN 319 server can even be embedded within an end system. 321 The STUN Binding Request is used to discover the presence of a NAT, 322 and to discover the public IP address and port mappings generated by 323 the NAT. Binding Requests are sent to the STUN server using UDP. When 324 a Binding Request arrives at the STUN server, it may have passed 325 through one or more NATs between the STUN client and the STUN server. 326 As a result, the source address of the request received by the server 327 will be the mapped address created by the NAT closest to the server. 328 The STUN server copies that source IP address and port into a STUN 329 Binding Response, and sends it back to the source IP address and port 330 of the STUN request. For all of the NAT types above, this response 331 will arrive at the STUN client. 333 When the STUN client receives the STUN Binding Response, it compares 334 the IP address and port in the packet with the local IP address and 335 port it bound to when the request was sent. If these do not match, 336 the STUN client is behind one or more NATs. In the case of a full- 337 cone NAT, the IP address and port in the body of the STUN response 338 are public, and can be used by any host on the public Internet to 339 send packets to the application that sent the STUN request. An 340 application need only listen on the IP address and port from which 341 the STUN request was sent, and send the IP address and port learned 342 in the STUN response to hosts that wish to communicate with it. 344 Of course, the host may not be behind a full-cone NAT. Indeed, it 345 doesn't yet know what type of NAT it is behind. To determine that, 346 the client uses additional STUN Binding Requests. The exact procedure 347 is flexible, but would generally work as follows. The client would 348 send a second STUN Binding Request, this time to a different IP 349 address, but from the same source IP address and port. If the IP 350 address and port in the response are different from those in the 351 first response, the client knows it is behind a symmetric NAT. To 352 determine if its behind a full-cone NAT, the client can send a STUN 353 Binding Request with flags that tell the STUN server to send a 354 response from a different IP address and port than the request was 355 received on. In other words, if the client sent a Binding Request to 356 IP address/port A/B using a source IP address/port of X/Y, the STUN 357 server would send the Binding Response to X/Y using source IP 358 address/port C/D. If the client receives this response, it knows it 359 is behind a full cone NAT. 361 STUN also allows the client to ask the server to send the Binding 362 Response from the same IP address the request was received on, but 363 with a different port. This can be used to detect whether the client 364 is behind a port restricted cone NAT or just a restricted cone NAT. 366 It should be noted that the configuration in Figure 1 is not the only 367 permissible configuration. The STUN server can be located anywhere, 368 including within another client. The only requirement is that the 369 STUN server is reachable by the client, and if the client is trying 370 to obtain a publically routable address, that the server reside on 371 the public Internet. 373 7 Message Overview 375 STUN messages are TLV (type-length-value) encoded using big endian 376 (network ordered) binary. All STUN messages start with a STUN header, 377 followed by a STUN payload. The payload is a series of STUN 378 attributes, the set of which depends on the message type. The STUN 379 header contains a STUN message type, transaction ID, and length. The 380 message type can be Binding Request, Binding Response, Binding Error 381 Response, Shared Secret Request, Shared Secret Response, or Shared 382 Secret Error Response. The transaction ID is used to correlate 383 requests and responses. The length indicates the total length of the 384 STUN payload, not including the header. This allows STUN to run over 385 TCP. Shared Secret Requests are always sent over TCP (indeed, using 386 TLS over TCP). 388 Several STUN attributes are defined for usage in Binding Requests and 389 Binding Responses. The first is a MAPPED-ADDRESS attribute, which is 390 an IP address and port. It is always placed in the Binding Response, 391 and it indicates the source IP address and port the server saw in the 392 Binding Request. There is also a RESPONSE-ADDRESS attribute, which 393 contains an IP address and port. The RESPONSE-ADDRESS attribute can 394 be present in the Binding Request, and indicates where the Binding 395 Response is to be sent. Its optional, and when not present, the 396 Binding Response is sent to the source IP address and port of the 397 Binding Request. 399 The third attribute is the CHANGE-REQUEST attribute, and it contains 400 two flags to control the IP address and port used to send the 401 response. These flags are called "change IP" and "change port" flags. 402 The CHANGE-REQUEST attribute is allowed only in the Binding Request. 403 The "change IP" and "change port" flags are useful for determining 404 whether the client is behind a restricted cone NAT or restricted port 405 cone NAT. They instruct the server to send the Binding Responses from 406 a different source IP address and port. The CHANGE-REQUEST attribute 407 is optional in the Binding Request. 409 The fourth attribute is the CHANGED-ADDRESS attribute. It is present 410 in Binding Responses. It informs the client of the source IP address 411 and port that would be used if the client requested the "change IP" 412 and "change port" behavior. 414 The fifth attribute is the SOURCE-ADDRESS attribute. It is only 415 present in Binding Responses. It indicates the source IP address and 416 port where the response was sent from. It is useful for detecting 417 twice NAT configurations. 419 The sixth attribute is the USERNAME attribute. It is present in a 420 Shared Secret Response, which provides the client with a temporary 421 username and password (encoded in the PASSWORD attribute). The 422 USERNAME is also present in Binding Requests, serving as an index to 423 the shared secret used for the integrity protection of the Binding 424 Request. The seventh attribute, PASSWORD, is only found in Binding 425 Response messages. The eight attribute is the MESSAGE-INTEGRITY 426 attribute, which contains a message integrity check over the Binding 427 Request or Binding Response. 429 The ninth attribute is the ERROR-CODE attribute. This is present in 430 the Binding Error Response. It indicates the error that has occurred. 431 The tenth attribute is the UNKNOWN-ATTRIBUTES attribute, which is 432 present in either the Binding Error Response or Shared Secret Error 433 Response. It indicates the mandatory attributes from the request 434 which were unknown. The eleventh attribute is the REFLECTED-FROM 435 attribute, which is present in Binding Responses. It indicates the IP 436 address of the sender of a Binding Request, used for traceability 437 purposes to prevent certain denial-of-service attacks. 439 8 Server Behavior 441 The server behavior depends on whether the request is a Binding 442 Request or a Shared Secret Request. 444 8.1 Binding Requests 446 A STUN server MUST be prepared to receive Binding Requests on four 447 address/port combinations - (A1, P1), (A2, P1), (A1, P2), and (A2, 448 P2). (A1, P1) represent the primary address and port, and these are 449 the ones obtained through the client discovery procedures below. 450 Typically, P1 will be port 3478, the default STUN port. A2 and P2 are 451 arbitrary. A2 and P2 are advertised by the server through the 452 CHANGED-ADDRESS attribute, as described below. 454 It is RECOMMENDED that the server check the Binding Request for a 455 MESSAGE-INTEGRITY attribute. If not present, and the server requires 456 integrity checks on the request, it generates a Binding Error 457 Response with an ERROR-CODE attribute with response code 401. If the 458 MESSAGE-INTEGRITY attribute was present, the server computes the HMAC 459 over the request as described in Section 11.2.8. The key to use 460 depends on the shared secret mechanism. If the STUN Shared Secret 461 Request was used, the key MUST be the one associated with the 462 USERNAME attribute present in the request. If the USERNAME attribute 463 was not present, the server MUST generate a Binding Error Response. 464 The Binding Error Response MUST include an ERROR-CODE attribute with 465 response code 432. If the USERNAME is present, but the server doesn't 466 remember the shared secret for that USERNAME (because it timed out, 467 for example), the server MUST generate a Binding Error Response. The 468 Binding Error Response MUST include an ERROR-CODE attribute with 469 response code 430. If the server does know the shared secret, but the 470 computed HMAC differs from the one in the request, the server MUST 471 generate a Binding Error Response with an ERROR-CODE attribute with 472 response code 431. The Binding Error Response is sent to the IP 473 address and port the Binding Request came from, and sent from the IP 474 address and port the Binding Request was sent to. 476 Assuming the message integrity check passed, processing continues. 478 The server MUST check for any attributes in the request with values 479 less than or equal to 0x7fff which it does not understand. If it 480 encounters any, the server MUST generate a Binding Error Response, 481 and it MUST include an ERROR-CODE attribute with a 420 response code. 483 That response MUST contain an UNKNOWN-ATTRIBUTES attribute listing 484 the attributes with values less than or equal to 0x7fff which were 485 not understood. The Binding Error Response is sent to the IP address 486 and port the Binding Request came from, and sent from the IP address 487 and port the Binding Request was sent to. 489 Assuming the request was correctly formed, the server MUST generate a 490 single Binding Response. The Binding Response MUST contain the same 491 transaction ID contained in the Binding Request. The length in the 492 message header MUST contain the total length of the message in bytes, 493 excluding the header. The Binding Response MUST have a message type 494 of "Binding Response". 496 The server MUST add a MAPPED-ADDRESS attribute to the Binding 497 Response. The IP address component of this attribute MUST be set to 498 the source IP address observed in the Binding Request. The port 499 component of this attribute MUST be set to the source port observed 500 in the Binding Request. 502 If the RESPONSE-ADDRESS attribute was absent from the Binding 503 Request, the destination address and port of the Binding Response 504 MUST be the same as the source address and port of the Binding 505 Request. Otherwise, the destination address and port of the Binding 506 Response MUST be the value of the IP address and port in the 507 RESPONSE-ADDRESS attribute. 509 The source address and port of the Binding Response depend on the 510 value of the CHANGE-REQUEST attribute and on the address and port the 511 Binding Request was received on, and are summarized in Table 1. 513 Let Da represent the destination IP address of the Binding Request 514 (which will be either A1 or A2), and Dp represent the destination 515 port of the Binding Request (which will be either P1 or P2). Let Ca 516 represent the other address, so that if Da is A1, Ca is A2. If Da is 517 A2, Ca is A1. Similarly, let Cp represent the other port, so that if 518 Dp is P1, Cp is P2. If Dp is P2, Cp is P1. If the "change port" flag 519 was set in CHANGE-REQUEST attribute of the Binding Request, and the 520 "change IP" flag was not set, the source IP address of the Binding 521 Response MUST be Da and the source port of the Binding Response MUST 522 be Cp. If the "change IP" flag was set in the Binding Request, and 523 the "change port" flag was not set, the source IP address of the 524 Binding Response MUST be Ca and the source port of the Binding 525 Response MUST be Dp. When both flags are set, the source IP address 526 of the Binding Response MUST be Ca and the source port of the Binding 527 Response MUST be Cp. If neither flag is set, or if the CHANGE-REQUEST 528 attribute is absent entirely, the source IP address of the Binding 529 Response MUST be Da and the source port of the Binding Response MUST 530 be Dp. 532 Flags Source Address Source Port 533 none Da Dp 534 Change IP Ca Dp 535 Change port Da Cp 536 Change IP and 537 Change port Ca Cp 539 Table 1: Impact of Flags on Packet Source 541 The server MUST add a SOURCE-ADDRESS attribute to the Binding 542 Response, containing the source address and port used to send the 543 Binding Response. 545 The server MUST add a CHANGED-ADDRESS attribute to the Binding 546 Response. This contains the source IP address and port that would be 547 used if the client had set the "change IP" and "change port" flags in 548 the Binding Request. These are Ca and Cp, respectively. 550 If the Binding Request contained both the USERNAME and MESSAGE- 551 INTEGRITY attributes, the server MUST add a MESSAGE-INTEGRITY 552 attribute to the Binding Response. The attribute contains an HMAC 553 [14]. The key to use depends on the shared secret mechanism. If the 554 STUN Shared Secret Request was used, the key MUST be the one 555 associated with the USERNAME attribute present in the Binding 556 Request. 558 If the Binding Request contained a RESPONSE-ADDRESS attribute, the 559 server MUST add a REFLECTED-FROM attribute to the response. If the 560 Binding Request was authenticated using a username obtained from a 561 Shared Secret Request, the REFLECTED-FROM attribute MUST contain the 562 source IP address and port where that Shared Secret Request came 563 from. If the username present in the request was not allocated using 564 a Shared Secret Request, the REFLECTED-FROM attribute MUST contain 565 the source address and port of the entity which obtained the 566 username, as best can be verified with the mechanism used to allocate 567 the username. If the username was not present in the request, and the 568 server was willing to process the request, the REFLECTED-FROM 569 attribute SHOULD contain the source IP address and port where the 570 request came from. 572 The server SHOULD NOT retransmit the response. Reliability is 573 achieved by having the client periodically resend the request, each 574 of which triggers a response from the server. 576 8.2 Shared Secret Requests 577 Shared Secret Requests are always received on TLS connections. When 578 the server receives a request from the client to establish a TLS 579 connection, it MUST proceed with TLS, and SHOULD present a site 580 certificate. The TLS ciphersuite TLS_RSA_WITH_AES_128_CBC_SHA [5] 581 SHOULD be used. Client TLS authentication MUST NOT be done, since the 582 server is not allocating any resources to clients, and the 583 computational burden can be a source of attacks. 585 If the server receives a Shared Secret Request, it MUST verify that 586 the request arrived on a TLS connection. If not, it discards the 587 request. 589 The server MUST check for any attributes in the request with values 590 less than or equal to 0x7fff which it does not understand. If it 591 encounters any, the server MUST generate a Shared Secret Error 592 Response, and it MUST include an ERROR-CODE attribute with a 420 593 response code. That response MUST contain an UNKNOWN-ATTRIBUTES 594 attribute listing the attributes with values less than or equal to 595 0x7fff which were not understood. The Shared Secret Error Response is 596 sent over the TLS connection. 598 Assuming the request was properly constructed, the server creates a 599 Shared Secret Response. The Shared Secret Response MUST contain the 600 same transaction ID contained in the Shared Secret Request. The 601 length in the message header MUST contain the total length of the 602 message in bytes, excluding the header. The Shared Secret Response 603 MUST have a message type of "Shared Secret Response". The Shared 604 Secret Response MUST contain a USERNAME attribute and a PASSWORD 605 attribute. The USERNAME attribute serves as an index to the password, 606 which is contained in the PASSWORD attribute. The server can use any 607 mechanism it chooses to generate the username. However, the username 608 MUST be valid for a period of at least 10 minutes. Validity means 609 that the server can compute the password for that username. There 610 MUST be a single password for each username. In other words, the 611 server cannot, 10 minutes later, assign a different password to the 612 same username. The server MUST hand out a different username for each 613 distinct Shared Secret Request. Distinct, in this case, implies a 614 different transaction ID. It is RECOMMENDED that the server 615 explicitly invalidate the username after ten minutes. It MUST 616 invalidate the username after 30 minutes. The PASSWORD contains the 617 password bound to that username. The password MUST have at least 128 618 bits. The likelihood that the server assigns the same password for 619 two different usernames MUST be vanishingly small, and the passwords 620 MUST be unguessable. In other words, they MUST be a cryptographically 621 random function of the username. 623 These requirements can still be met using a stateless server, by 624 intelligently computing the USERNAME and PASSWORD. One approach is to 625 construct the USERNAME as: 627 USERNAME = 629 Where prefix is some random text string (different for each shared 630 secret request), rounded-time is the current time modulo 20 minutes, 631 clientIP is the source IP address where the Shared Secret Request 632 came from, and hmac is an HMAC [14] over the prefix, rounded-time, 633 and client IP, using a server private key. 635 The password is then computed as: 637 password = 639 With this structure, the username itself, which will be present in 640 the Binding Request, contains the source IP address where the Shared 641 Secret Request came from. That allows the server to meet the 642 requirements specified in Section 8.1 for constructing the 643 REFLECTED-FROM attribute. The server can verify that the username was 644 not tampered with, using the hmac present in the username. 646 The Shared Secret Response is sent over the same TLS connection the 647 request was received on. The server SHOULD keep the connection open, 648 and let the client close it. 650 9 Client Behavior 652 The behavior of the client is very straightforward. Its task is to 653 discover the STUN server, obtain a shared secret, formulate the 654 Binding Request, handle request reliability, and process the Binding 655 Responses. 657 9.1 Discovery 659 Generally, the client will be configured with a domain name of the 660 provider of the STUN servers. This domain name is resolved to an IP 661 address and port using the SRV procedures specified in RFC 2782 [3]. 663 Specifically, the service name is "stun". The protocol is "udp" for 664 sending Binding Requests, or "tcp" for sending Shared Secret 665 Requests. The procedures of RFC 2782 are followed to determine the 666 server to contact. RFC 2782 spells out the details of how a set of 667 SRV records are sorted and then tried. However, it only states that 668 the client should "try to connect to the (protocol, address, 669 service)" without giving any details on what happens in the event of 670 failure. Those details are described here for STUN. 672 For STUN requests, failure occurs if there is a transport failure of 673 some sort (generally, due to fatal ICMP errors in UDP or connection 674 failures in TCP). Failure also occurs if the the request does not 675 solicit a response after 30 seconds. If a failure occurs, the client 676 SHOULD create a new request, which is identical to the previous, but 677 has a different transaction ID. That request is sent to the next 678 element in the list as specified by RFC 2782. 680 The default port for STUN requests is 3478, for both TCP and UDP. 681 Administrators SHOULD use this port in their SRV records, but MAY use 682 others. 684 If no SRV records were found, the client performs an A record lookup 685 of the domain name. The result will be a list of IP addresses, each 686 of which can be contacted at the default port. 688 This would allow a firewall admin to open the STUN port, so 689 hosts within the enterprise could access new applications. 690 Whether they will or won't do this is a good question. 692 9.2 Obtaining a Shared Secret 694 As discussed in Section 12, there are several attacks possible on 695 STUN systems. Many of these are prevented through integrity of 696 requests and responses. To provide that integrity, STUN makes use of 697 a shared secret between client and server, used as the keying 698 material for an HMAC used in both the Binding Request and Binding 699 Response. STUN allows for the shared secret to be obtained in any way 700 (for example, Kerberos [15]). However, it MUST have at least 128 bits 701 of randomness. In order to ensure interoperability, this 702 specification describes a TLS-based mechanism. This mechanism, 703 described in this section, MUST be implemented by clients and 704 servers. 706 First, the client determines the IP address and port that it will 707 open a TCP connection to. This is done using the discovery procedures 708 in Section 9.1. The client opens up the connection to that address 709 and port, and immediately begins TLS negotiation [2]. The client MUST 710 verify the identity of the server. To do that, it follows the 711 identification procedures defined in Section 3.1 of RFC 2818 [6]. 712 Those procedures assume the client is derefencing a URI. For purposes 713 of usage with this specification, the client treats the domain name 714 or IP address used in Section 9.1 as the host portion of the URI that 715 has been dereferenced. 717 Once the connection is opened, the client sends a Shared Secret 718 request. This request has no attributes, just the header. The 719 transaction ID in the header MUST meet the requirements outlined for 720 the transaction ID in a binding request, described in Section 9.3 721 below. The server generates a response, which can either be a Shared 722 Secret Response or a Shared Secret Error Response. 724 If the response was a Shared Secret Error Response, the client checks 725 the response code in the ERROR-CODE attribute. Interpretation of 726 those response codes is identical to the processing of Section 9.4 727 for the Shared Secret Error Response. 729 If a client receives a Shared Secret Response with an attribute whose 730 type is greater than 0x7fff, the attribute MUST be ignored. If the 731 client receives a Shared Secret Response with an attribute whose type 732 is less than or equal to 0x7fff, the response is ignored. 734 If the response was a Shared Secret Response, the it will contain a 735 short lived username and password, encoded in the USERNAME and 736 PASSWORD attributes, respectively. 738 The client MAY generate multiple Shared Secret Requests on the 739 connection, and it MAY do so before receiving Shared Secret Responses 740 to previous Shared Secret Requests. The client SHOULD close the 741 connection as soon as it has finished obtaining usernames and 742 passwords. 744 Section 9.3 describes how these passwords are used to provide 745 integrity protection over Binding Requests, and Section 8.1 describes 746 how it is used in Binding Responses. 748 9.3 Formulating the Binding Request 750 A Binding Request formulated by the client follows the syntax rules 751 defined in Section 11. Any two requests that are not bit-wise 752 identical, or not sent to the same server from the same IP address 753 and port, MUST carry different transaction IDs. The transaction ID 754 MUST be uniformly and randomly chosen between 0 and 2**128 - 1. The 755 large range is needed because the transaction ID serves as a form of 756 randomization, helping to prevent replays of previously signed 757 responses from the server. The message type of the request MUST be 758 "Binding Request". 760 The RESPONSE-ADDRESS attribute is optional in the Binding Request. It 761 is used if the client wishes the response to be sent to a different 762 IP address and port than the one the request was sent from. This is 763 useful for determining whether the client is behind a firewall, and 764 for applications that have separated control and data components. See 765 Section 10.3 for more details. The CHANGE-REQUEST attribute is also 766 optional. Whether it is present depends on what the application is 767 trying to accomplish. See Section 10 for some example uses. 769 The client SHOULD add a MESSAGE-INTEGRITY and USERNAME attribute to 770 the Binding Request. This MESSAGE-INTEGRITY attribute contains an 771 HMAC [14]. The value of the username, and the key to use in the 772 MESSAGE-INTEGRITY attribute depend on the shared secret mechanism. If 773 the STUN Shared Secret Request was used, the USERNAME must be a valid 774 username obtained from a Shared Secret Response within the last nine 775 minutes. The shared secret for the HMAC is the value of the PASSWORD 776 attribute obtained from the same Shared Secret Response. 778 Once formulated, the client sends the Binding Request. Reliability is 779 accomplished through client retransmissions. Clients SHOULD 780 retransmit the request starting with an interval of 100ms, doubling 781 every retransmit until the interval reaches 1.6s. Retransmissions 782 continue with intervals of 1.6s until a response is received, or a 783 total of 9 requests have been sent, at which time the client SHOULD 784 give up. 786 9.4 Processing Binding Responses 788 The response can either be a Binding Response or Binding Error 789 Response. Binding Error Responses are always received on the source 790 address and port the request was sent from. A Binding Response will 791 be received on the address and port placed in the RESPONSE-ADDRESS 792 attribute of the request. If none was present, the Binding Responses 793 will be received on the source address and port the request was sent 794 from. 796 If the response is a Binding Error Response, the client checks the 797 response code from the ERROR-CODE attribute of the response. For a 798 400 response code, the client SHOULD display the reason phrase to the 799 user. For a 420 response code, the client SHOULD retry the request, 800 this time omitting any attributes listed in the UNKNOWN-ATTRIBUTES 801 attribute of the response. For a 430 response code, the client SHOULD 802 obtain a new shared secret, and retry the Binding Request with a new 803 transaction. For 401 and 432 response codes, if the client had 804 omitted the USERNAME or MESSAGE-INTEGRITY attribute as indicated by 805 the error, it SHOULD try again with those attributes. For a 431 806 response code, the client SHOULD alert the user, and MAY try the 807 request again after obtaining a new username and password. For a 500 808 response code, the client MAY wait several seconds and then retry the 809 request. For a 600 response code, the client MUST NOT retry the 810 request, and SHOULD display the reason phrase to the user. Unknown 811 attributes between 400 and 499 are treated like a 400, unknown 812 attributes between 500 and 599 are treated like a 500, and unknown 813 attributes between 600 and 699 are treated like a 600. Any response 814 between 100 and 399 MUST result in the cessation of request 815 retransmissions, but otherwise is discarded. 817 If a client receives a response with an attribute whose type is 818 greater than 0x7fff, the attribute MUST be ignored. If the client 819 receives a response with an attribute whose type is less than or 820 equal to 0x7fff, request retransmissions MUST cease, but the entire 821 response is otherwise ignored. 823 If the response is a Binding Response, the client SHOULD check the 824 response for a MESSAGE-INTEGRITY attribute. If not present, and the 825 client placed a MESSAGE-INTEGRITY attribute into the request, it MUST 826 discard the response. If present, the client computes the HMAC over 827 the response as described in Section 11.2.8. The key to use depends 828 on the shared secret mechanism. If the STUN Shared Secret Request was 829 used, the key MUST be same as used to compute the MESSAGE-INTEGRITY 830 attribute in the request. If the computed HMAC differs from the one 831 in the response, the client MUST discard the response, and SHOULD 832 alert the user about a possible attack. If the computed HMAC matches 833 the one from the response, processing continues. 835 Reception of a response (either Binding Error Response or Binding 836 Response) to a Binding Request will terminate retransmissions of that 837 request. However, clients MUST continue to listen for responses to a 838 Binding Request for 10 seconds after the first response. If it 839 receives any responses in this interval with different message types 840 (Binding Responses and Binding Error Responses, for example) or 841 different MAPPED-ADDRESSes, it is an indication of a possible attack. 842 The client MUST NOT use the MAPPED-ADDRESS from any of those 843 responses, and SHOULD alert the user. 845 Furthermore, if a client receives more than twice as many Binding 846 Responses as the number of Binding Requests it sent, it MUST NOT use 847 the MAPPED-ADDRESS from any of those responses, and SHOULD alert the 848 user about a potential attack. 850 If the Binding Response is authenticated, and the MAPPED-ADDRESS was 851 not discarded because of a potential attack, the CLIENT MAY use the 852 MAPPED-ADDRESS and SOURCE-ADDRESS attributes. 854 10 Use Cases 856 The rules of Sections 8 and 9 describe exactly how a client and 857 server interact to send requests and get responses. However, they do 858 not dictate how the STUN protocol is used to accomplish useful tasks. 859 That is at the discretion of the client. Here, we provide some useful 860 scenarios for applying STUN. 862 10.1 Discovery Process 864 In this scenario, a user is running a multimedia application which 865 needs to determine which of the following scenarios applies to it: 867 o On the open Internet 869 o Firewall that blocks UDP 871 o Firewall that allows UDP out, and responses have to come back 872 to the source of the request (like a symmetric NAT, but no 873 translation. We call this a symmetric UDP Firewall) 875 o Full-cone NAT 877 o Symmetric NAT 879 o Restricted cone or restricted port cone NAT 881 Which of the six scenarios applies can be determined through the flow 882 chart described in Figure 2. The chart refers only to the sequence of 883 Binding Requests; Shared Secret Requests will, of course, be needed 884 to authenticate each Binding Request used in the sequence. 886 The flow makes use of three tests. In test I, the client sends a STUN 887 Binding Request to a server, without any flags set in the CHANGE- 888 REQUEST attribute, and without the RESPONSE-ADDRESS attribute. This 889 causes the server to send the response back to the address and port 890 that the request came from. In test II, the client sends a Binding 891 Request with both the "change IP" and "change port" flags from the 892 CHANGE-REQUEST attribute set. In test III, the client sends a Binding 893 Request with only the "change port" flag set. 895 The client begins by initiating test I. If this test yields no 896 response, the client knows right away that it is not capable of UDP 897 connectivity. If the test produces a response, the client examines 898 the MAPPED-ADDRESS attribute. If this address and port are the same 899 as the local IP address and port of the socket used to send the 900 request, the client knows that it is not natted. It executes test II. 901 If a response is received, the client knows that it has open access 902 to the Internet (or, at least, its behind a firewall that behaves 903 like a full-cone NAT, but without the translation). If no response is 904 received, the client knows its behind a symmetric UDP firewall. 906 In the event that the IP address and port of the socket did not match 907 the MAPPED-ADDRESS attribute in the response to test I, the client 908 knows that it is behind a NAT. It performs test II. If a response is 909 received, the client knows that it is behind a full-cone NAT. If no 910 response is received, it performs test I again, but this time, does 911 so to the address and port from the CHANGED-ADDRESS attribute from 912 the response to test I. If the IP address and port returned in the 913 MAPPED-ADDRESS attribute are not the same as the ones from the first 914 test I, the client knows its behind a symmetric NAT. If the address 915 and port are the same, the client is either behind a restricted or 916 port restricted NAT. To make a determination about which one it is 917 behind, the client initiates test III. If a response is received, its 918 behind a restricted NAT, and if no response is received, its behind a 919 port restricted NAT. 921 This procedure yields substantial information about the operating 922 condition of the client application. In the event of multiple NATs 923 between the client and the Internet, the type that is discovered will 924 be the type of the most restrictive NAT between the client and the 925 Internet. The types of NAT, in order of restrictiveness, from most to 926 least, are symmetric, port restricted cone, restricted cone, and full 927 cone. 929 Typically, a client will re-do this discovery process periodically to 930 detect changes, or look for inconsistent results. It is important to 931 note that when the discovery process is redone, it should not 932 generally be done from the same local address and port used in the 933 previous discovery process. If the same local address and port are 934 reused, bindings from the previous test may still be in existence, 935 and these will invalidate the results of the test. Using a different 936 local address and port for subsequent tests resolves this problem. An 937 alternative is to wait sufficiently long to be confident that the old 938 bindings have expired (half an hour should more than suffice). 940 10.2 Binding Lifetime Discovery 942 STUN can also be used to discover the lifetimes of the bindings 943 created by the NAT. In many cases, the client will need to refresh 944 the binding, either through a new STUN request, or an application 945 packet, in order for the application to continue to use the binding. 946 By discovering the binding lifetime, the client can determine how 947 frequently it needs to refresh. 949 To determine the binding lifetime, the client first sends a Binding 950 Request to the server from a particular socket, X. This creates a 951 binding in the NAT. The response from the server contains a MAPPED- 952 ADDRESS attribute, providing the public address and port on the NAT. 953 Call this Pa and Pp, respectively. The client then starts a timer 954 +--------+ 955 | Test | 956 | I | 957 +--------+ 958 | 959 | 960 V 961 /\ /\ 962 N / \ Y / \ Y +--------+ 963 UDP <-------/Resp\---------->/ IP \------------>| Test | 964 Blocked \ ? / \Same/ | II | 965 \ / \? / +--------+ 966 \/ \/ | 967 | N | 968 | V 969 V /\ 970 +--------+ Sym. N / \ 971 | Test | UDP <---/Resp\ 972 | II | Firewall \ ? / 973 +--------+ \ / 974 | \/ 975 V |Y 976 /\ /\ | 977 Symmetric N / \ +--------+ N / \ V 978 NAT <--- / IP \<-----| Test |<--- /Resp\ Open 979 \Same/ | I | \ ? / Internet 980 \? / +--------+ \ / 981 \/ \/ 982 | |Y 983 | | 984 | V 985 | Full 986 | Cone 987 V /\ 988 +--------+ / \ Y 989 | Test |------>/Resp\---->Restricted 990 | III | \ ? / 991 +--------+ \ / 992 \/ 993 |N 994 | Port 995 +------>Restricted 997 Figure 2: Flow for type discovery process 998 with a value of T seconds. When this timer fires, the client sends 999 another Binding Request to the server, using the same destination 1000 address and port, but from a different socket, Y. This request 1001 contains a RESPONSE-ADDRESS address attribute, set to (Pa,Pp). This 1002 will create a new binding on the NAT, and cause the STUN server to 1003 send a Binding Response that would match the old binding, if it still 1004 exists. If the client receives the Binding Response on socket X, it 1005 knows that the binding has not expired. If the client receives the 1006 Binding Response on socket Y (which is possible if the old binding 1007 expired, and the NAT allocated the same public address and port to 1008 the new binding), or receives no response at all, it knows that the 1009 binding has expired. 1011 The client can find the value of the binding lifetime by doing a 1012 binary search through T, arriving eventually at the value where the 1013 response is not received for any timer greater than T, but is 1014 received for any timer less than T. 1016 This discovery process takes quite a bit of time, and is something 1017 that will typically be run in the background on a device once it 1018 boots. 1020 It is possible that the client can get inconsistent results each time 1021 this process is run. For example, if the NAT should reboot, or be 1022 reset for some reason, the process may discover a lifetime than is 1023 shorter than the actual one. For this reason, implementations are 1024 encouraged to run the test numerous times, and be prepared to get 1025 inconsistent results. 1027 10.3 Binding Acquisition 1029 Consider once more the case of a VoIP phone. It used the discovery 1030 process above when it started up, to discover its environment. Now, 1031 it wants to make a call. As part of the discovery process, it 1032 determined that it was behind a full-cone NAT. 1034 Consider further that this phone consists of two logically separated 1035 components - a control component that handles signaling, and a media 1036 component that handles the audio, video, and RTP [13]. Both are 1037 behind the same NAT. Because of this separation of control and media, 1038 we wish to minimize the communication required between them. In fact, 1039 they may not even run on the same host. 1041 In order to make a voice call, the phone needs to obtain an IP 1042 address and port that it can place in the call setup message as the 1043 destination for receiving audio. 1045 To obtain an address, the control component sends a Shared Secret 1046 Request to the server, obtains a shared secret, and then sends a 1047 Binding Request to the server. No CHANGE-REQUEST attribute is present 1048 in the Binding Request, and neither is the RESPONSE-ADDRESS 1049 attribute. The Binding Response contains a mapped address. The 1050 control component then formulates a second Binding Request. This 1051 request contains a RESPONSE-ADDRESS, which is set to the mapped 1052 address learned from the previous Binding Response. This Binding 1053 Request is passed to the media component, along with the IP address 1054 and port of the STUN server. The media component sends the Binding 1055 Request. The request goes to the STUN server, which sends the Binding 1056 Response back to the control component. The control component 1057 receives this, and now has learned an IP address and port that will 1058 be routed back to the media component that sent the request. 1060 The client will be able to receive media from anywhere on this mapped 1061 address. 1063 In the case of silence suppression, there may be periods where the 1064 client receives no media. In this case, the UDP bindings could 1065 timeout (UDP bindings in NATs are typically short). To deal with 1066 this, the application can periodically retransmit the query in order 1067 to keep the binding fresh. 1069 It is possible that both participants in the multimedia session are 1070 behind the same NAT. In that case, both will repeat this procedure 1071 above, and both will obtain public address bindings. When one sends 1072 media to the other, the media is routed to the NAT, and then turns 1073 right back around to come back into the enterprise, where it is 1074 translated to the private address of the recipient. This is not 1075 particularly efficient, and unfortunately, does not work in many 1076 commercial NATs. In such cases, the clients may need to retry using 1077 private addresses. 1079 11 Protocol Details 1081 This section presents the detailed encoding of a STUN message. 1083 STUN is a request-response protocol. Clients send a request, and the 1084 server sends a response. There are two requests, Binding Request, and 1085 Shared Secret Request. The response to a Binding Request can either 1086 be the Binding Response or Binding Error Response. The response to a 1087 Shared Secret Request can either be a Shared Secret Response or a 1088 Shared Secret Error Response. 1090 STUN messages are encoded using binary fields. All integer fields are 1091 carried in network byte order, that is, most significant byte (octet) 1092 first. This byte order is commonly known as big-endian. The 1093 transmission order is described in detail in Appendix B of RFC 791 1095 [7]. Unless otherwise noted, numeric constants are in decimal (base 1096 10). 1098 11.1 Message Header 1100 All STUN messages consist of a 20 byte header: 1102 0 1 2 3 1103 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1104 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1105 | STUN Message Type | Message Length | 1106 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1107 | 1108 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1110 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1111 Transaction ID 1112 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1113 | 1114 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1116 The Message Types can take on the following values: 1118 0x0001 : Binding Request 1119 0x0101 : Binding Response 1120 0x0111 : Binding Error Response 1121 0x0002 : Shared Secret Request 1122 0x0102 : Shared Secret Response 1123 0x0112 : Shared Secret Error Response 1125 The message length is the count, in bytes, of the size of the 1126 message, not including the 20 byte header. 1128 The transaction ID is a 128 bit identifier. It also serves as salt to 1129 randomize the request and the response. All responses carry the same 1130 identifier as the request they correspond to. 1132 11.2 Message Attributes 1134 After the header are 0 or more attributes. Each attribute is TLV 1135 encoded, with a 16 bit type, 16 bit length, and variable value: 1137 0 1 2 3 1138 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1139 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1140 | Type | Length | 1141 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1142 | Value .... 1143 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1145 The following types are defined: 1147 0x0001: MAPPED-ADDRESS 1148 0x0002: RESPONSE-ADDRESS 1149 0x0003: CHANGE-REQUEST 1150 0x0004: SOURCE-ADDRESS 1151 0x0005: CHANGED-ADDRESS 1152 0x0006: USERNAME 1153 0x0007: PASSWORD 1154 0x0008: MESSAGE-INTEGRITY 1155 0x0009: ERROR-CODE 1156 0x000a: UNKNOWN-ATTRIBUTES 1157 0x000b: REFLECTED-FROM 1159 Extensions, documented in standards track IETF RFCs, MAY define new 1160 attributes. Attributes with values greater than 0x7fff are optional, 1161 and those less than or equal to 0x7fff are mandatory to understand. 1163 The MESSAGE-INTEGRITY attribute MUST be the last attribute within a 1164 message. Any attributes that are known, but are not supposed to be 1165 present in a message (MAPPED-ADDRESS in a request, for example) MUST 1166 be ignored. 1168 Table 2 indicates which attributes are present in which messages. An 1169 M indicates that inclusion of the attribute in the message is 1170 mandatory, O means its optional, C means it's conditional based on 1171 some other aspect of the message, and N/A means that the attribute is 1172 not applicable to that message type. 1174 The length refers to the length of the value element, expressed as an 1175 unsigned integral number of bytes. 1177 11.2.1 MAPPED-ADDRESS 1178 Binding Shared Shared Shared 1179 Binding Binding Error Secret Secret Secret 1180 Att. Req. Resp. Resp. Req. Resp. Error 1181 Resp. 1183 ______________________________________________________________________ 1184 MAPPED-ADDRESS N/A M N/A N/A N/A N/A 1185 RESPONSE-ADDRESS O N/A N/A N/A N/A N/A 1186 CHANGE-REQUEST O N/A N/A N/A N/A N/A 1187 SOURCE-ADDRESS N/A M N/A N/A N/A N/A 1188 CHANGED-ADDRESS N/A M N/A N/A N/A N/A 1189 USERNAME O N/A N/A N/A M N/A 1190 PASSWORD N/A N/A N/A N/A M N/A 1191 MESSAGE-INTEGRITY O O N/A N/A N/A N/A 1192 ERROR-CODE N/A N/A M N/A N/A M 1193 UNKNOWN-ATTRIBUTES N/A N/A C N/A N/A C 1194 REFLECTED-FROM N/A C N/A N/A N/A N/A 1196 Table 2: Summary of Attributes 1198 The MAPPED-ADDRESS attribute indicates the mapped IP address and 1199 port. It consists of an eight bit address family, and a sixteen bit 1200 port, followed by a fixed length value representing the IP address. 1202 0 1 2 3 1203 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1204 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1205 |x x x x x x x x| Family | Port | 1206 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1207 | Address | 1208 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1210 The port is a network byte ordered representation of the mapped port. 1211 The address family is always 0x02, corresponding to IPv4. The first 8 1212 bits of the MAPPED-ADDRESS are ignored, for the purposes of aligning 1213 parameters on natural boundaries. The IPv4 address is 32 bits. 1215 11.2.2 RESPONSE-ADDRESS 1217 The RESPONSE-ADDRESS attribute indicates where the response to a 1218 Binding Request should be sent. Its syntax is identical to MAPPED- 1219 ADDRESS. 1221 11.2.3 CHANGED-ADDRESS 1223 The CHANGED-ADDRESS attribute indicates the IP address and port where 1224 responses will be sent from if the "change IP" and "change port" 1225 flags were set in the CHANGE-REQUEST attribute of the Binding 1226 Request. The attribute is always present in a Binding Response, 1227 independent of the value of the flags. Its syntax is identical to 1228 MAPPED-ADDRESS. 1230 11.2.4 CHANGE-REQUEST 1232 The CHANGE-REQUEST attribute is used by the client to request that 1233 the server use a different address and/or port when sending the 1234 response. The attribute is 32 bits long, although only two bits (A 1235 and b) are used: 1237 0 1 2 3 1238 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1239 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1240 |0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A B 0| 1241 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1243 The meaning of the flags is: 1245 A: This is the "change IP" flag. If true, it requests the server 1246 to send the Binding Response with a different IP address 1247 than the one the Binding Request was received on. 1249 B: This is the "change port" flag. If true, it requests the 1250 server to send the Binding Response with a different port 1251 than the one the Binding Request was received on. 1253 11.2.5 SOURCE-ADDRESS 1255 The SOURCE-ADDRESS attribute is present in Binding Responses. It 1256 indicates the source IP address and port that the server is sending 1257 the response from. Its syntax is identical to that of MAPPED-ADDRESS. 1259 11.2.6 USERNAME 1261 The USERNAME attribute is used for message integrity. It serves as a 1262 means to identify the shared secret used in the message integrity 1263 check. The USERNAME is always present in a Shared Secret Response, 1264 along with the PASSWORD. It is optionally present in a Binding 1265 Request when message integrity is used. 1267 The value of USERNAME is a variable length opaque value. Its length 1268 MUST be a multiple of 4 (measured in bytes) in order to guarantee 1269 alignment of attributes on word boundaries. 1271 11.2.7 PASSWORD 1273 The PASSWORD attribute is used in Shared Secret Responses. It is 1274 always present in a Shared Secret Response, along with the USERNAME. 1276 The value of PASSWORD is a variable length value that is to be used 1277 as a shared secret. Its length MUST be a multiple of 4 (measured in 1278 bytes) in order to guarantee alignment of attributes on word 1279 boundaries. 1281 11.2.8 MESSAGE-INTEGRITY 1283 The MESSAGE-INTEGRITY attribute contains an HMAC-SHA1 [14] of the 1284 STUN message. It can be present in Binding Requests or Binding 1285 Responses. Since it uses the SHA1 hash, the HMAC will be 20 bytes. 1286 The text used as input to HMAC is the STUN message, including the 1287 header, up to and including the attribute preceding the MESSAGE- 1288 INTEGRITY attribute. As a result, the MESSAGE-INTEGRITY attribute 1289 MUST be the last attribute in any STUN message. The key used as input 1290 to HMAC depends on the context. 1292 11.2.9 ERROR-CODE 1294 The ERROR-CODE attribute is present in the Binding Error Response and 1295 Shared Secret Error Response. It is a numeric value in the range of 1296 100 to 699 plus a textual reason phrase, and is consistent in its 1297 code assignments and semantics with SIP [11] and HTTP [16]. The 1298 reason phrase is meant for user consumption, and can be anything 1299 appropriate for the response code. The lengths of the reason phrases 1300 MUST be a multiple of 4 (measured in bytes). This can be accomplished 1301 by added spaces to the end of the text, if necessary. Recommended 1302 reason phrases for the defined response codes are presented below. 1304 To facilitate processing, the class of the error code (the hundreds 1305 digit) is encoded separately from the rest of the code. 1307 0 1 2 3 1308 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1309 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1310 | 0 |Class| Number | 1311 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1312 | Reason Phrase (variable) .. 1313 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1315 The class represents the hundreds digit of the response code. The 1316 value MUST be between 1 and 6. The number represents the response 1317 code modulo 100, and its value MUST be between 0 and 99. 1319 The following response codes, along with their recommended reason 1320 phrases (in brackets) are defined at this time: 1322 400 (Bad Request): The request was malformed. The client should 1323 not retry the request without modification from the 1324 previous attempt. 1326 401 (Unauthorized): The Binding Request did not contain a 1327 MESSAGE-INTEGRITY attribute. 1329 420 (Unknown Attribute): The server did not understand a 1330 mandatory attribute in the request. 1332 430 (Stale Credentials): The Binding Request did contain a 1333 MESSAGE-INTEGRITY attribute, but it used a shared secret 1334 that has expired. The client should obtain a new shared 1335 secret and try again. 1337 431 (Integrity Check Failure): The Binding Request contained a 1338 MESSAGE-INTEGRITY attribute, but the HMAC failed 1339 verification. This could be a sign of a potential attack, 1340 or client implementation error. 1342 432 (Missing Username): The Binding Request contained a 1343 MESSAGE-INTEGRITY attribute, but not a USERNAME attribute. 1344 Both must be present for integrity checks. 1346 500 (Server Error): The server has suffered a temporary error. 1347 The client should try again. 1349 600 (Global Failure:) The server is refusing to fulfill the 1350 request. The client should not retry. 1352 11.2.10 UNKNOWN-ATTRIBUTES 1354 The UNKNOWN-ATTRIBUTES attribute is present only in a Binding Error 1355 Response or Shared Secret Error Response when the response code in 1356 the ERROR-CODE attribute is 420. 1358 The attribute contains a list of 16 bit values, each of which 1359 represents an attribute type that was not understood by the server. 1360 If the number of unknown attributes is an odd number, one of the 1361 attributes MUST be repeated in the list, so that the total length of 1362 the list is a multiple of 4 bytes. 1364 0 1 2 3 1365 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1366 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1367 | Attribute 1 Type | Attribute 2 Type | 1368 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1369 | Attribute 3 Type | Attribute 4 Type ... 1370 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1372 11.2.11 REFLECTED-FROM 1374 The REFLECTED-FROM attribute is present only in Binding Responses, 1375 when the Binding Request contained a RESPONSE-ADDRESS attribute. The 1376 attribute contains the identity (in terms of IP address) of the 1377 source where the request came from. Its purpose is to provide 1378 traceability, so that a STUN server cannot be used as a reflector for 1379 denial-of-service attacks. 1381 Its syntax is identical to the MAPPED-ADDRESS attribute. 1383 12 Security Considerations 1385 12.1 Attacks on STUN 1387 Generally speaking, attacks on STUN can be classified into denial of 1388 service attacks and eavesdropping attacks. Denial of service attacks 1389 can be launched against a STUN server itself, or against other 1390 elements using the STUN protocol. 1392 STUN servers create state through the Shared Secret Request 1393 mechanism. To prevent being swamped with traffic, a STUN server 1394 SHOULD limit the number of simultaneous TLS connections it will hold 1395 open by dropping an existing connection when a new connection request 1396 arrives (based on an Least Recently Used (LRU) policy, for example). 1397 Similarly, it SHOULD limit the number of shared secrets it will 1398 store, in the event that the server is storing the shared secrets. 1400 The attacks of greater interest are those in which the STUN server 1401 and client are used to launch DOS attacks against other entities, 1402 including the client itself. 1404 Many of the attacks require the attacker to generate a response to a 1405 legitimate STUN request, in order to provide the client with a faked 1406 MAPPED-ADDRESS. The attacks that can be launched using such a 1407 technique include: 1409 12.1.1 Attack I: DDOS Against a Target 1410 In this case, the attacker provides a large number of clients with 1411 the same faked MAPPED-ADDRESS that points to the intended target. 1412 This will trick all the STUN clients into thinking that their 1413 addresses are equal to that of the target. The clients then hand out 1414 that address in order to receive traffic on it (for example, in SIP 1415 or H.323 messages). However, all of that traffic becomes focused at 1416 the intended target. The attack can provide substantial 1417 amplification, especially when used with clients that are using STUN 1418 to enable multimedia applications. 1420 12.1.2 Attack II: Silencing a Client 1422 In this attack, the attacker seeks to deny a client access to 1423 services enabled by STUN (for example, a client using STUN to enable 1424 SIP-based multimedia traffic). To do that, the attacker provides that 1425 client with a faked MAPPED-ADDRESS. The MAPPED-ADDRESS it provides is 1426 an IP address that routes to nowhere. As a result, the client won't 1427 receive any of the packets it expects to receive when it hands out 1428 the MAPPED-ADDRESS. 1430 This exploitation is not very interesting for the attacker. It 1431 impacts a single client, which is frequently not the desired target. 1432 Moreover, any attacker that can mount the attack could also deny 1433 service to the client by other means, such as preventing the client 1434 from receiving any response from the STUN server, or even a DHCP 1435 server. 1437 12.1.3 Attack III: Assuming the Identity of a Client 1439 This attack is similar to attack II. However, the faked MAPPED- 1440 ADDRESS points to the attacker themself. This allows the attacker to 1441 receive traffic which was destined for the client. 1443 12.1.4 Attack IV: Eavesdropping 1445 In this attack, the attacker forces the client to use a MAPPED- 1446 ADDRESS that routes to itself. It then forwards any packets it 1447 receives to the client. This attack would allow the attacker to 1448 observe all packets sent to the client. However, in order to launch 1449 the attack, the attacker must have already been able to observe 1450 packets from the client to the STUN server. In most cases (such as 1451 when the attack is launched from an access network), this means that 1452 the attacker could already observe packets sent to the client. This 1453 attack is, as a result, only useful for observing traffic by 1454 attackers on the path from the client to the STUN server, but not 1455 generally on the path of packets being routed towards the client. 1457 12.2 Launching the Attacks 1458 It is important to note that attacks of this nature (injecting 1459 responses with fake MAPPED-ADDRESSes) require that the attacker be 1460 capable of eavesdropping requests sent from the client to the server 1461 (or to act as a MITM for such attacks). This is because STUN requests 1462 contain a transaction identifier, selected by the client, which is 1463 random with 128 bits of entropy. The server echoes this value in the 1464 response, and the client ignores any responses that don't have a 1465 matching transaction ID. Therefore, in order for an attacker to 1466 provide a faked response that is accepted by the client, the attacker 1467 needs to know what the transaction ID in the request was. The large 1468 amount of randomness, combined with the need to know when the client 1469 sends a request, precludes attacks that involve guessing the 1470 transaction ID. 1472 Since all of the above attacks rely on this one primitive - injecting 1473 a response with a faked MAPPED-ADDRESS - preventing the attacks is 1474 accomplished by preventing this one operation. To prevent it, we need 1475 to consider the various ways in which it can be accomplished. There 1476 are several: 1478 12.2.1 Approach I: Compromise a Legitimate STUN Server 1480 In this attack, the attacker compromises a legitimate STUN server 1481 through a virus or trojan horse. Presumably, this would allow the 1482 attacker to take over the STUN server, and control the types of 1483 responses it generates. 1485 Compromise of a STUN server can also lead to discovery of open ports. 1486 Knowledge of an open port creates an opportunity for DoS attacks on 1487 those ports (or DDoS attacks if the traversed NAT is a full cone 1488 NAT). Discovering open ports is already fairly trivial using port 1489 probing, so this does not represent a major threat. 1491 12.2.2 Approach II: DNS Attacks 1493 STUN servers are discovered using DNS SRV records. If an attacker can 1494 compromise the DNS, it can inject fake records which map a domain 1495 name to the IP address of a STUN server run by the attacker. This 1496 will allow it to inject fake responses to launch any of the attacks 1497 above. 1499 12.2.3 Approach III: Rogue Router or NAT 1501 Rather than compromise the STUN server, an attacker can cause a STUN 1502 server to generate responses with the wrong MAPPED-ADDRESS by 1503 compromising a router or NAT on the path from the client to the STUN 1504 server. When the STUN request passes through the rogue router or NAT, 1505 it rewrites the source address of the packet to be that of the 1506 desired MAPPED-ADDRESS. This address cannot be arbitrary. If the 1507 attacker is on the public Internet (that is, there are no NATs 1508 between it and the STUN server), and the attacker doesn't modify the 1509 STUN request, the address has to have the property that packets sent 1510 from the STUN server to that address would route through the 1511 compromised router. This is because the STUN server will send the 1512 responses back to the source address of the request. With a modified 1513 source address, the only way they can reach the client is if the 1514 compromised router directs them there. If the attacker is on the 1515 public Internet, but they can modify the STUN request, they can 1516 insert a RESPONSE-ADDRESS attribute into the request, containing the 1517 actual source address of the STUN request. This will cause the server 1518 to send the response to the client, independent of the source address 1519 the STUN server sees. This gives the attacker the ability to forge an 1520 arbitrary source address when it forwards the STUN request. 1522 If the attacker is on a private network (that is, there are NATs 1523 between it and the STUN server), the attacker will not be able to 1524 force the server to generate arbitrary MAPPED-ADRESSes in responses. 1525 They will only be able force the STUN server to generate MAPPED- 1526 ADDRESSes which route to the private network. This is because the NAT 1527 between the attacker and the STUN server will rewrite the source 1528 address of the STUN request, mapping it to a public address that 1529 routes to the private network. Because of this, the attacker can only 1530 force the server to generate faked mapped addresses that route to the 1531 private network. Unfortunately, it is possible that a low quality NAT 1532 would be willing to map an allocated public address to another public 1533 address (as opposed to an internal private address), in which case 1534 the attacker could forge the source address in a STUN request to be 1535 an arbitrary public address. This kind of behavior from NATs does 1536 appear to be rare. 1538 12.2.4 Approach IV: MITM 1540 As an alternative to approach III, if the attacker can place an 1541 element on the path from the client to the server, the element can 1542 act as a man-in-the-middle. In that case, it can intercept a STUN 1543 request, and generate a STUN response directly with any desired value 1544 of the MAPPED-ADDRESS field. Alternatively, it can forward the STUN 1545 request to the server (after potential modification), receive the 1546 response, and forward it to the client. When forwarding the request 1547 and response, this attack is subject to the same limitations on the 1548 MAPPED-ADDRESS described in Section 12.2.3. 1550 12.2.5 Approach V: Response Injection Plus DoS 1552 In this approach, the attacker does not need to be a MITM (as in 1553 approaches III and IV). Rather, it only needs to be able to eavesdrop 1554 onto a network segment that carries STUN requests. This is easily 1555 done in multiple access networks such as ethernet or unprotected 1556 802.11. To inject the fake response, the attacker listens on the 1557 network for a STUN request. When it sees one, it simultaneously 1558 launches a DoS attack on the STUN server, and generates its own STUN 1559 response with the desired MAPPED-ADDRESS value. The STUN response 1560 generated by the attacker will reach the client, and the DoS attack 1561 against the server is aimed at preventing the legitimate response 1562 from the server from reaching the client. Arguably, the attacker can 1563 do without the DoS attack on the server, so long as the faked 1564 response beats the real response back to the client, and the client 1565 uses the first response, and ignores the second (even though its 1566 different). 1568 12.2.6 Approach VI: Duplication 1570 This approach is similar to approach V. The attacker listens on the 1571 network for a STUN request. When it sees it, it generates its own 1572 STUN request towards the server. This STUN request is identical to 1573 the one it saw, but with a spoofed source IP address. The spoofed 1574 address is equal to the one that the attacker desires to have placed 1575 in the MAPPED-ADDRESS of the STUN response. In fact, the attacker 1576 generates a flood of such packets. The STUN server will receive the 1577 one original request, plus a flood of duplicate fake ones. It 1578 generates responses to all of them. If the flood is sufficiently 1579 large for the responses to congest routers or some other equipment, 1580 there is a reasonable probability that the one real response is lost 1581 (along with many of the faked ones), but the net result is that only 1582 the faked responses are received by the STUN client. These responses 1583 are all identical and all contain the MAPPED-ADDRESS that the 1584 attacker wanted the client to use. 1586 The flood of duplicate packets is not needed (that is, only one faked 1587 request is sent), so long as the faked response beats the real 1588 response back to the client, and the client uses the first response, 1589 and ignores the second (even though its different). 1591 Note that, in this approach, launching a DoS attack against the STUN 1592 server or the IP network, to prevent the valid response from being 1593 sent or received, is problematic. The attacker needs the STUN server 1594 to be available to handle its own request. Due to the periodic 1595 retransmissions of the request from the client, this leaves a very 1596 tiny window of opportunity. The attacker must start the DoS attack 1597 immediately after the actual request from the client, causing the 1598 correct response to be discarded, and then cease the DoS attack in 1599 order to send its own request, all before the next retransmission 1600 from the client. Due to the close spacing of the retransmits (100ms 1601 to a few seconds), this is very difficult to do. 1603 Besides DoS attacks, there may be other ways to prevent the actual 1604 request from the client from reaching the server. Layer 2 1605 manipulations, for example, might be able to accomplish it. 1607 Fortunately, Approach IV is subject to the same limitations 1608 documented in Section 12.2.3, which limit the range of MAPPED- 1609 ADDRESSes the attacker can cause the STUN server to generate. 1611 12.3 Countermeasures 1613 STUN provides mechanisms to counter the approaches described above, 1614 and additional, non-STUN techniques can be used as well. 1616 First off, it is RECOMMENDED that networks with STUN clients 1617 implement ingress source filtering (RFC 2827 [8]). This is 1618 particularly important for the NATs themselves. As Section 12.2.3 1619 explains, NATs which do not perform this check can be used as 1620 "reflectors" in DDoS attacks. Most NATs do perform this check as a 1621 default mode of operation. We strongly advise people that purchase 1622 NATs to ensure that this capability is present and enabled. 1624 Secondly, it is RECOMMENDED that STUN servers be run on hosts 1625 dedicated to STUN, with all UDP and TCP ports disabled except for the 1626 STUN ports. This is to prevent viruses and trojan horses from 1627 infecting STUN servers, in order to prevent their compromise. This 1628 helps mitigate Approach I 12.2.1. 1630 Thirdly, to prevent the DNS attack of Section 12.2.2, Section 9.2 1631 recommends that the client verify the credentials provided by the 1632 server with the name used in the DNS lookup. 1634 Finally, all of the attacks above rely on the client taking the 1635 mapped address it learned from STUN, and using it in application 1636 layer protocols. If encryption and message integrity are provided 1637 within those protocols, the eavesdropping and identity assumption 1638 attacks can be prevented. As such, applications that make use of STUN 1639 addresses in application protocols SHOULD use integrity and 1640 encryption, even if a SHOULD level strength is not specified for that 1641 protocol. For example, multimedia applications using STUN addresses 1642 to receive RTP traffic would use secure RTP [17]. 1644 The above three techniques are non-STUN mechanisms. STUN itself 1645 provides several countermeasures. 1647 Approaches IV (Section 12.2.4), when generating the response locally, 1648 and V (Section 12.2.5) require an attacker to generate a faked 1649 response. This attack is prevented using the server signature scheme 1650 provided in STUN, described in Section 8.1. 1652 Approaches III (Section 12.2.3) IV (Section 12.2.4), when using the 1653 relaying technique, and VI (12.2.6), however, are not preventable 1654 through server signatures. Both approaches are most potent when the 1655 attacker can modify the request, inserting a RESPONSE-ADDRESS that 1656 routes to the client. Fortunately, such modifications are preventable 1657 using the message integrity techniques described in Section 9.3. 1658 However, these three approaches are still functional when the 1659 attacker modifies nothing but the source address of the STUN request. 1660 Sadly, this is the one thing that cannot be protected through 1661 cryptographic means, as this is the change that STUN itself is 1662 seeking to detect and report. It is therefore an inherent weakness in 1663 NAT, and not fixable in STUN. To help mitigate these attacks, Section 1664 9.4 provides several heuristics for the client to follow. The client 1665 looks for inconsistent or extra responses, both of which are signs of 1666 the attacks described above. However, these heuristics are just that 1667 - heuristics, and cannot be guaranteed to prevent attacks. The 1668 heuristics appear to prevent the attacks as we know how to launch 1669 them today. Implementors should stay posted for information on new 1670 heuristics that might be required in the future. Such information 1671 will be distributed on the IETF MIDCOM mailing list, midcom@ietf.org. 1673 12.4 Residual Threats 1675 None of the countermeasures listed above can prevent the attacks 1676 described in Section 12.2.3 if the attacker is in the appropriate 1677 network paths. Specifically, consider the case in which the attacker 1678 wishes to convince client C that it has address V. The attacker needs 1679 to have a network element on the path between A and the server (in 1680 order to modify the request) and on the path between the server and V 1681 so that it can forward the response to C. Furthermore, if there is a 1682 NAT between the attacker and the server, V must also be behind the 1683 same NAT. In such a situation, the attacker can either gain access to 1684 all the application-layer traffic or mount the DDOS attack described 1685 in Section 12.1.1. Note that any host which exists in the correct 1686 topological relationship can be DDOSed. It need not be using STUN. 1688 13 IANA Considerations 1690 There are no IANA considerations associated with this specification. 1692 14 IAB Considerations 1694 The IAB has studied the problem of "Unilateral Self Address Fixing", 1695 which is the general process by which a client attempts to determine 1696 its address in another realm on the other side of a NAT through a 1697 collaborative protocol reflection mechanism (RFC 3424 [18]). STUN is 1698 an example of a protocol that performs this type of function. The IAB 1699 has mandated that any protocols developed for this purpose document a 1700 specific set of considerations. This section meets those 1701 requirements. 1703 14.1 Problem Definition 1705 From RFC 3424 [18], any UNSAF proposal must provide: 1707 Precise definition of a specific, limited-scope problem 1708 that is to be solved with the UNSAF proposal. A short term 1709 fix should not be generalized to solve other problems; this 1710 is why "short term fixes usually aren't". 1712 The specific problems being solved by STUN are: 1714 o Provide a means for a client to detect the presence of one or 1715 more NATs between it and a server run by a service provider on 1716 the public Internet. The purpose of such detection is to 1717 determine additional steps that might be necessary in order to 1718 receive service from that particular provider. 1720 o Provide a means for a client to detect the presence of one or 1721 more NATs between it and another client, where the second 1722 client is reachable from the first, but it is not known 1723 whether the second client resides on the public Internet. 1725 o Provide a means for a client to obtain an address on the 1726 public Internet from a non-symmetric NAT, for the express 1727 purpose of receiving incoming UDP traffic from another host, 1728 targeted to that address. 1730 STUN does not address TCP, either incoming or outgoing, and does not 1731 address outgoing UDP communications. 1733 14.2 Exit Strategy 1735 From [18], any UNSAF proposal must provide: 1737 Description of an exit strategy/transition plan. The better 1738 short term fixes are the ones that will naturally see less 1739 and less use as the appropriate technology is deployed. 1741 STUN comes with its own built in exit strategy. This strategy is the 1742 detection operation that is performed as a precursor to the actual 1743 UNSAF address-fixing operation. This discovery operation, documented 1744 in Section 10.1, attempts to discover the existence of, and type of, 1745 any NATS between the client and the service provider network. Whilst 1746 the detection of the specific type of NAT may be brittle, the 1747 discovery of the existence of NAT is itself quite robust. As NATs are 1748 phased out through the deployment of IPv6, the discovery operation 1749 will return immediately with the result that there is no NAT, and no 1750 further operations are required. Indeed, the discovery operation 1751 itself can be used to help motivate deployment of IPv6; if a user 1752 detects a NAT between themselves and the public Internet, they can 1753 call up their access provider and complain about it. 1755 STUN can also help facilitate the introduction of midcom. As midcom- 1756 capable NATs are deployed, applications will, instead of using STUN 1757 (which also resides at the application layer), first allocate an 1758 address binding using midcom. However, it is a well-known limitation 1759 of midcom that it only works when the agent knows the middleboxes 1760 through which its traffic will flow. Once bindings have been 1761 allocated from those middleboxes, a STUN detection procedure can 1762 validate that there are no additional middleboxes on the path from 1763 the public Internet to the client. If this is the case, the 1764 application can continue operation using the address bindings 1765 allocated from midcom. If it is not the case, STUN provides a 1766 mechanism for self-address fixing through the remaining midcom- 1767 unaware middleboxes. Thus, STUN provides a way to help transition to 1768 full midcom-aware networks. 1770 14.3 Brittleness Introduced by STUN 1772 From [18], any UNSAF proposal must provide: 1774 Discussion of specific issues that may render systems more 1775 "brittle". For example, approaches that involve using data 1776 at multiple network layers create more dependencies, 1777 increase debugging challenges, and make it harder to 1778 transition. 1780 STUN introduces brittleness into the system in several ways: 1782 o The discovery process assumes a certain classification of 1783 devices based on their treatment of UDP. There could be other 1784 types of NATs that are deployed that would not fit into one of 1785 these molds. Therefore, future NATs may not be properly 1786 detected by STUN. STUN clients (but not servers) would need to 1787 change to accommodate that. 1789 o The binding acquisition usage of STUN does not work for all 1790 NAT types. It will work for any application for full cone NATs 1791 only. For restricted cone and port restricted cone NAT, it 1792 will work for some applications depending on the application. 1794 Application specific processing will generally be needed. For 1795 symmetric NATs, the binding acquisition will not yield a 1796 usable address. The tight dependency on the specific type of 1797 NAT makes the protocol brittle. 1799 o STUN assumes that the server exists on the public Internet. If 1800 the server is located in another private address realm, the 1801 user may or may not be able to use its discovered address to 1802 communicate with other users. There is no way to detect such a 1803 condition. 1805 o The bindings allocated from the NAT need to be continuously 1806 refreshed. Since the timeouts for these bindings is very 1807 implementation specific, the refresh interval cannot easily be 1808 determined. When the binding is not being actively used to 1809 receive traffic, but to wait for an incoming message, the 1810 binding refresh will needlessly consume network bandwidth. 1812 o The use of the STUN server as an additional network element 1813 introduces another point of potential security attack. These 1814 attacks are largely prevented by the security measures 1815 provided by STUN, but not entirely. 1817 o The use of the STUN server as an additional network element 1818 introduces another point of failure. If the client cannot 1819 locate a STUN server, or if the server should be unavailable 1820 due to failure, the application cannot function. 1822 o The use of STUN to discover address bindings will result in an 1823 increase in latency for applications. For example, a Voice 1824 over IP application will see an increase of call setup delays 1825 equal to at least one RTT to the STUN server. 1827 o The discovery of binding lifetimes is prone to error. It 1828 assumes that the same lifetime will exist for all bindings. 1829 This may not be true if the NAT uses dynamic binding lifetimes 1830 to handle overload, or if the NAT itself reboots during the 1831 discovery process. 1833 o STUN imposes some restrictions on the network topologies for 1834 proper operation. If client A obtains an address from STUN 1835 server X, and sends it to client B, B may not be able to send 1836 to A using that IP address. The address will not work if any 1837 of the following is true: 1839 - The STUN server is not in an address realm that is a common 1840 ancestor (topologically) of both clients A and B. For 1841 example, consider client A and B, both of which have 1842 residential NAT devices. Both devices connect them to their 1843 cable operators, but both clients have different providers. 1844 Each provider has a NAT in front of their entire network, 1845 connecting it to the public Internet. If the STUN server 1846 used by A is in A's cable operator's network, an address 1847 obtained by it will not be usable by B. The STUN server must 1848 be in the network which is a common ancestor to both - in 1849 this case, the public Internet. 1851 - The STUN server is in an address realm that is a common 1852 ancestor to both clients, but both clients are behind the 1853 same NAT connecting to that address realm. For example, if 1854 the two clients in the previous example had the same cable 1855 operator, that cable operator had a single NAT connecting 1856 their network to the public Internet, and the STUN server 1857 was on the public Internet, the address obtained by A would 1858 not be usable by B. That is because most NATs will not 1859 accept an internal packet sent to a public IP address which 1860 is mapped back to an internal address. To deal with this, 1861 additional protocol mechanisms or configuration parameters 1862 need to be introduced which detect this case. 1864 o Most significantly, STUN introduces potential security threats 1865 which cannot be eliminated. This specification describes 1866 heuristics that can be used to mitigate the problem, but it is 1867 provably unsolvable given what STUN is trying to accomplish. 1868 These security problems are described fully in Section 12. 1870 14.4 Requirements for a Long Term Solution 1872 From [18], any UNSAF proposal must provide: 1874 Identify requirements for longer term, sound technical 1875 solutions -- contribute to the process of finding the right 1876 longer term solution. 1878 Our experience with STUN has led to the following requirements for a 1879 long term solution to the NAT problem: 1881 Requests for bindings and control of other resources in a NAT 1882 need to be explicit. Much of the brittleness in STUN 1883 derives from its guessing at the parameters of the NAT, 1884 rather than telling the NAT what parameters to use. 1886 Control needs to be "in-band". There are far too many scenarios 1887 in which the client will not know about the location of 1888 middleboxes ahead of time. Instead, control of such boxes 1889 needs to occur in-band, traveling along the same path as 1890 the data will itself travel. This guarantees that the right 1891 set of middleboxes are controlled. This is only true for 1892 first-party controls; third-party controls are best handled 1893 using the midcom framework. 1895 Control needs to be limited. Users will need to communicate 1896 through NATs which are outside of their administrative 1897 control. In order for providers to be willing to deploy 1898 NATs which can be controlled by users in different domains, 1899 the scope of such controls needs to be extremely limited - 1900 typically, allocating a binding to reach the address where 1901 the control packets are coming from. 1903 Simplicity is Paramount. The control protocol will need to be 1904 implement in very simple clients. The servers will need to 1905 support extremely high loads. The protocol will need to be 1906 extremely robust, being the precursor to a host of 1907 application protocols. As such, simplicity is key. 1909 14.5 Issues with Existing NAPT Boxes 1911 From [18], any UNSAF proposal must provide: 1913 Discussion of the impact of the noted practical issues with 1914 existing, deployed NA[P]Ts and experience reports. 1916 Several of the practical issues with STUN involve future proofing - 1917 breaking the protocol when new NAT types get deployed. Fortunately, 1918 this is not an issue at the current time, since most of the deployed 1919 NATs are of the types assumed by STUN. The primary usage STUN has 1920 found is in the area of VoIP, to facilitate allocation of addresses 1921 for receiving RTP [13] traffic. In that application, the periodic 1922 keepalives are provided by the RTP traffic itself. However, several 1923 practical problems arise for RTP. First, RTP assumes that RTCP 1924 traffic is on a port one higher than the RTP traffic. This pairing 1925 property cannot be guaranteed through NATs that are not directly 1926 controllable. As a result, RTCP traffic may not be properly received. 1927 Protocol extensions to SDP have been proposed which mitigate this by 1928 allowing the client to signal a different port for RTCP [19]. 1929 However, there will be interoperability problems for some time. 1931 For VoIP, silence suppression can cause a gap in the transmission of 1932 RTP packets. This could result in the loss of a binding in the middle 1933 of a call, if that silence period exceeds the binding timeout. This 1934 can be mitigated by sending occasional silence packets to keep the 1935 binding alive. However, the result is additional brittleness; proper 1936 operation depends on the the silence suppression algorithm in use, 1937 the usage of a comfort noise codec, the duration of the silence 1938 period, and the binding lifetime in the NAT. 1940 14.6 In Closing 1942 The problems with STUN are not design flaws in STUN. The problems in 1943 STUN have to do with the lack of standardized behaviors and controls 1944 in NATs. The result of this lack of standardization has been a 1945 proliferation of devices whose behavior is highly unpredictable, 1946 extremely variable, and uncontrollable. STUN does the best it can in 1947 such a hostile environment. Ultimately, the solution is to make the 1948 environment less hostile, and to introduce controls and standardized 1949 behaviors into NAT. However, until such time as that happens, STUN 1950 provides a good short term solution given the terrible conditions 1951 under which it is forced to operate. 1953 15 Acknowledgments 1955 The authors would like to thank Cedric Aoun, Pete Cordell, Cullen 1956 Jennings, Bob Penfield and Chris Sullivan for their comments, and 1957 Baruch Sterman and Alan Hawrylyshen for initial implementations. 1958 Thanks for Leslie Daigle, Allison Mankin, Eric Rescorla, and Henning 1959 Schulzrinne for IESG and IAB input on this work. 1961 16 Authors Addresses 1963 Jonathan Rosenberg 1964 dynamicsoft 1965 72 Eagle Rock Avenue 1966 First Floor 1967 East Hanover, NJ 07936 1968 email: jdrosen@dynamicsoft.com 1970 Joel Weinberger 1971 dynamicsoft 1972 72 Eagle Rock Avenue 1973 First Floor 1974 East Hanover, NJ 07936 1975 email: jweinberger@dynamicsoft.com 1977 Christian Huitema 1978 Microsoft Corporation 1979 One Microsoft Way 1980 Redmond, WA 98052-6399 1981 email: huitema@microsoft.com 1982 Rohan Mahy 1983 Cisco Systems 1984 170 West Tasman Dr, MS: SJC-21/3 1985 Phone: +1 408 526 8570 1986 Email: rohan@cisco.com 1988 17 Normative References 1990 [1] S. Bradner, "Key words for use in RFCs to indicate requirement 1991 levels," RFC 2119, Internet Engineering Task Force, Mar. 1997. 1993 [2] T. Dierks and C. Allen, "The TLS protocol version 1.0," RFC 2246, 1994 Internet Engineering Task Force, Jan. 1999. 1996 [3] A. Gulbrandsen, P. Vixie, and L. Esibov, "A DNS RR for specifying 1997 the location of services (DNS SRV)," RFC 2782, Internet Engineering 1998 Task Force, Feb. 2000. 2000 [14] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: keyed-hashing 2001 for message authentication," RFC 2104, Internet Engineering Task 2002 Force, Feb. 1997. 2004 [5] P. Chown, "Advanced encryption standard (AES) ciphersuites for 2005 transport layer security (TLS)," RFC 3268, Internet Engineering Task 2006 Force, June 2002. 2008 [6] E. Rescorla, "HTTP over TLS," RFC 2818, Internet Engineering Task 2009 Force, May 2000. 2011 [7] J. Postel, "Internet protocol," RFC 791, Internet Engineering 2012 Task Force, Sept. 1981. 2014 [8] P. Ferguson and D. Senie, "Network ingress filtering: Defeating 2015 denial of service attacks which employ IP source address spoofing," 2016 RFC 2827, Internet Engineering Task Force, May 2000. 2018 18 Informative References 2020 [9] D. Senie, "Network address translator (nat)-friendly application 2021 design guidelines," RFC 3235, Internet Engineering Task Force, Jan. 2022 2002. 2024 [10] P. Srisuresh, J. Kuthan, J. Rosenberg, A. Molitor, and A. 2025 Rayhan, "Middlebox communication architecture and framework," RFC 2026 3303, Internet Engineering Task Force, Aug. 2002. 2028 [11] J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. 2029 Peterson, R. Sparks, M. Handley, and E. Schooler, "SIP: session 2030 initiation protocol," RFC 3261, Internet Engineering Task Force, June 2031 2002. 2033 [12] M. Holdrege and P. Srisuresh, "Protocol complications with the 2034 IP network address translator," RFC 3027, Internet Engineering Task 2035 Force, Jan. 2001. 2037 [13] H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson, "RTP: 2038 a transport protocol for real-time applications," RFC 1889, Internet 2039 Engineering Task Force, Jan. 1996. 2041 [14] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: keyed-hashing 2042 for message authentication," RFC 2104, Internet Engineering Task 2043 Force, Feb. 1997. 2045 [15] J. Kohl and C. Neuman, "The kerberos network authentication 2046 service (V5)," RFC 1510, Internet Engineering Task Force, Sept. 1993. 2048 [16] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. 2049 Leach, and T. Berners-Lee, "Hypertext transfer protocol -- HTTP/1.1," 2050 RFC 2616, Internet Engineering Task Force, June 1999. 2052 [17] M. Baugher et al. , "The secure real-time transport protocol," 2053 Internet Draft, Internet Engineering Task Force, June 2002. Work in 2054 progress. 2056 [18] "IAB considerations for UNilateral self-address fixing (UNSAF) 2057 across network address translation," RFC 3424, Internet Engineering 2058 Task Force, Nov. 2002. 2060 [19] C. Huitema, "RTCP attribute in SDP," Internet Draft, Internet 2061 Engineering Task Force, Nov. 2002. Work in progress. 2063 Full Copyright Statement 2065 Copyright (c) The Internet Society (2002). All Rights Reserved. 2067 This document and translations of it may be copied and furnished to 2068 others, and derivative works that comment on or otherwise explain it 2069 or assist in its implementation may be prepared, copied, published 2070 and distributed, in whole or in part, without restriction of any 2071 kind, provided that the above copyright notice and this paragraph are 2072 included on all such copies and derivative works. However, this 2073 document itself may not be modified in any way, such as by removing 2074 the copyright notice or references to the Internet Society or other 2075 Internet organizations, except as needed for the purpose of 2076 developing Internet standards in which case the procedures for 2077 copyrights defined in the Internet Standards process must be 2078 followed, or as required to translate it into languages other than 2079 English. 2081 The limited permissions granted above are perpetual and will not be 2082 revoked by the Internet Society or its successors or assigns. 2084 This document and the information contained herein is provided on an 2085 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 2086 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 2087 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 2088 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 2089 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.