Simple traversal of UDP over NATs

From Wikipedia, the free encyclopedia

STUN (Simple Traversal of UDP (User Datagram Protocol) through NATs (Network Address Translators)) is a network protocol allowing a client behind a NAT (or multiple NATs) to find out its public address, the type of NAT it is behind and the internet-side port associated by the NAT with a particular local port. This information is used to set up UDP communication between two hosts that are both behind NAT routers. The protocol is defined in RFC 3489.

[edit] Protocol overview

STUN is a client-server protocol. A VoIP phone or software package may include a STUN client, which will send a request to a STUN server. The server then reports back to the STUN client what the public IP address of the NAT router is, and what port was opened by the NAT to allow incoming traffic back in to the network.

The response also allows the STUN client to determine what type of NAT is in use, as different types of NATs handle incoming UDP packets differently. It will work with three of four main types: Full Cone, Restricted Cone, and Port Restricted Cone. (In the case of Restricted Cone or Port Restricted Cone NATs, the client must send out a packet to the endpoint before the NAT will allow packets from the endpoint through to the client.) STUN will not work with Symmetric NAT (also known as bi-directional NAT) which is often found in the networks of large companies. With Symmetric NAT, the IP address of the STUN server is different than that of the endpoint, and therefore the NAT mapping the STUN server sees is different than the mapping that the endpoint would use to send packets through to the client. For details on the different types of NAT, see network address translation.

Once a client has discovered its external addresses, it can relate it to its peers. If the NATs are full cone then either side can initiate communication. If they are restricted cone or restricted port cone both sides must start transmitting together.

Note that using the techniques described in the STUN RFC does not necessarily require using the STUN protocol; they can be used in the design of any UDP protocol.

Protocols like SIP use UDP packets for the transfer of sound/video/text signaling traffic over the Internet. Unfortunately as both endpoints are often behind NAT, a connection cannot be set up in the traditional way. This is where STUN is useful.

The STUN server is contacted on UDP port 3478, however the server will hint clients to perform tests on alternate IP and port number too (STUN servers have two IP addresses). The RFC states that this port and IP are arbitrary.

[edit] Algorithm

STUN uses the following algorithm (adapted from RFC 3489) to discover the presence of NAT gateways and firewalls:

Where the path through the diagram ends in a red box, UDP communication is not possible. Where the path ends in a yellow or green box, communication is possible.

[edit] See also

• Interactive Connectivity Establishment (ICE)
• Traversal Using Relay NAT (TURN)
• UDP hole punching
• Teredo tunneling

[edit] External links

• RFC 3489, STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)
• Latest revision (bis) to the RFC - draft-ietf-behave-rfc3489bis-10
• NAT traversal White Paper comparing STUN with other NAT traversal techniques such as TURN, ICE, ALGs and Session Border Controllers - Source: Newport Networks
• STUNT - "STUN and TCP too", which extends STUN to include TCP functionality
• Yahoo! - Director of Engineering explaining STUN and TURN (Video)

[edit] Implementations

• STUN Client and Server library
• JSTUN - A Java STUN implementation
• Java STUN library "stun4j"