RFC 5389 - Session Traversal Utilities for NAT (STUN)
Network address discovery and NAT behavior detection
What is STUN?
Session Traversal Utilities for NAT (STUN) is a protocol that allows hosts to discover the presence and types of NATs and firewalls between them and the public internet. It provides a mechanism for applications to discover their public IP address and determine the type of NAT they are behind.
Key Functions
Address Discovery
Discovers the public IP address and port as seen by the STUN server.
NAT Detection
Determines if the client is behind a NAT and what type.
Binding Maintenance
Keeps NAT bindings alive through periodic refresh requests.
Connectivity Checks
Tests connectivity between peers for the ICE protocol.
Common STUN Attributes
- MAPPED-ADDRESS: Reflexive transport address of the client
- XOR-MAPPED-ADDRESS: XOR-obfuscated version of the mapped address
- USERNAME: Authentication credential identifier
- MESSAGE-INTEGRITY: HMAC-SHA1 of the message, used for authentication
- FINGERPRINT: CRC-32 fingerprint for message validation
- ERROR-CODE: Error information in error responses
- REALM: Authentication realm for digest authentication
- NONCE: Server-provided value for authentication
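How a client can validate these attributes before trusting a reflexive address, as an added example that is not part of the original page or of any STUN library: it checks the header and transaction ID, walks the attributes with bounds checks, verifies MESSAGE-INTEGRITY and FINGERPRINT, and only then returns the decoded XOR-MAPPED-ADDRESS. The function names, the IPv4-only scope and the use of a short-term credential password as the HMAC key are assumptions of this example, and the sample message is constructed.

```python
import hashlib, hmac, ipaddress, struct, zlib

MAGIC = 0x2112A442  # magic cookie, fixed by RFC 5389
XOR_MAPPED_ADDRESS, MESSAGE_INTEGRITY, FINGERPRINT = 0x0020, 0x0008, 0x8028

def _mac(msg, end, key):
    # HMAC-SHA1 over the bytes before MESSAGE-INTEGRITY, with the header length
    # rewritten to stop at the end of that attribute (4-byte header + 20-byte MAC).
    covered = msg[:2] + struct.pack("!H", end + 24 - 20) + msg[4:end]
    return hmac.new(key, covered, hashlib.sha1).digest()

def parse_binding_response(msg, txid, key):
    """Return (ip, port) from an authenticated IPv4 Binding success response."""
    if len(msg) < 20 or len(msg) % 4:
        raise ValueError("bad message size")
    mtype, mlen, cookie = struct.unpack_from("!HHI", msg)
    if mtype != 0x0101 or cookie != MAGIC or mlen != len(msg) - 20:
        raise ValueError("bad header")
    if not hmac.compare_digest(msg[8:20], txid):
        raise ValueError("transaction ID does not match the request")
    addr, authenticated, off = None, False, 20
    while off < len(msg):
        atype, alen = struct.unpack_from("!HH", msg, off)
        val = msg[off + 4:off + 4 + alen]
        if len(val) != alen:
            raise ValueError("attribute overruns message")
        if atype == XOR_MAPPED_ADDRESS and not authenticated and alen == 8 and val[1] == 1:
            xport, xaddr = struct.unpack_from("!HI", val, 2)
            addr = (str(ipaddress.IPv4Address(xaddr ^ MAGIC)), xport ^ (MAGIC >> 16))
        elif atype == MESSAGE_INTEGRITY and not authenticated:
            if alen != 20 or not hmac.compare_digest(val, _mac(msg, off, key)):
                raise ValueError("MESSAGE-INTEGRITY check failed")
            authenticated = True  # attributes after this point are not covered
        elif atype == FINGERPRINT:
            crc = zlib.crc32(msg[:off]) ^ 0x5354554E
            if alen != 4 or off + 8 != len(msg) or val != struct.pack("!I", crc):
                raise ValueError("FINGERPRINT check failed")
        off += 4 + ((alen + 3) & ~3)  # values are padded to 4 bytes
    if addr is None or not authenticated:
        raise ValueError("missing XOR-MAPPED-ADDRESS or MESSAGE-INTEGRITY")
    return addr

def build_sample(txid, key, ip="192.0.2.1", port=32853):
    """Constructed sample response (documentation address), used only for testing."""
    xma = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 1, port ^ (MAGIC >> 16),
                      int(ipaddress.IPv4Address(ip)) ^ MAGIC)
    msg = struct.pack("!HHI", 0x0101, 12 + 24 + 8, MAGIC) + txid + xma
    msg += struct.pack("!HH", MESSAGE_INTEGRITY, 20) + _mac(msg, len(msg), key)
    return msg + struct.pack("!HHI", FINGERPRINT, 4, zlib.crc32(msg) ^ 0x5354554E)
```

FINGERPRINT is an unkeyed CRC-32, so it only helps tell STUN apart from other traffic; the address is trustworthy only because MESSAGE-INTEGRITY covers it.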
NAT Types Detected
Full Cone NAT
Most permissive - any external host can send packets to the mapped address.
Restricted Cone NAT
External host must have received a packet from the internal host first.
Port Restricted Cone
External host must match both the IP address and the port number that the internal host previously sent to.
Symmetric NAT
Most restrictive - a different mapping is used for each destination.
Applications
- ICE Protocol: Connectivity establishment for WebRTC and VoIP
- P2P Applications: Direct peer-to-peer connections
- Gaming: Multiplayer game server discovery
- VoIP Systems: SIP and other real-time communication protocols
- File Sharing: Direct file transfer applications