K
kkkchenA
Unregistered / Unconfirmed
GUEST, unregistred user!
在网上以2k的速度下载的RFC中文汉化包,拨号上网下载了6个小时。真是汗得要命。
<a href="http://www.eChinaEdu.com">汉化:《魔鬼英语》课题组·中国教育e网(www.eChinaEdu.com)·奥运龙工作室<BR>《魔鬼单词学习法》:史上最强之英语教材,听懂80歌经典英文歌曲,便可记住5000个常用单词,免费下载.</a>
Network Working Group J. Rosenberg
Request(请求,需要) for Comments(评论,意见,注解): 3489 J. Weinberger
Category(范畴,类别,类目): Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) dynamicsoft
C. Huitema
Microsoft
R. Mahy
Cisco(鱼,思科)
March 2003
STUN(打晕,吓呆) - Simple Traversal(遍历) of User Datagram(数据报) Protocol(礼节,协议) (UDP)
Through Network Address Translators(译音,译码器,转换器) (NATs)
Status(地位,状态) of this Memo(便笺,备忘录)
This do
cument(公文,文档,证件) specifies(规定,指定,明确说明) an Internet standards track protocol for the
Internet community(公社,社会,团体), and requests discussion(论述,谈论) and suggestions(暗示,建议,意见) for
improvements(改进,好转,增进). Please refer(参考,查阅,归于,谈到,提出,求助于) to the current(流,当前,流动,通用) edition of the "Internet
Official(官方,官员,正式,职员) Protocol Standards" (STD 1) for the standardization(标准化) state
and status of this protocol. Distribution(分布,分配) of this memo is unlimited(不定,无限).
Copyright(版权,著作权) Notice
Copyright (C) The Internet Society (2003). All Rights Reserved(保留,说话不多).
Abstract(抽象,分心,难懂,摘提)
Simple Traversal of User Datagram Protocol (UDP) Through Network
Address Translators (NATs) (STUN(打晕,吓呆)) is a lightweight(轻,轻量) protocol that
allows applications(请求,施/应用,程序,软件) to discover(暴露,发现,看出) the presence(有,在,出席,存在,到场) and types of NATs and
firewalls(防火壁) between them and the public Internet. It also provides(供给,提供,装备) the
ability(本领,才干,才能,技能) for applications to determine(测定,查明,决定,决心) the public Internet Protocol(礼节,协议)
(IP) addresses allocated(拨下,分配) to them by the NAT. STUN works with many
existing NATs, and do
es not require(命令,请求,需要) any special(特别,特设,专门) behavior(表现,举止,态度,行为) from them.
As a result, it allows a wide variety(变化,变种,多样,多样性) of applications to work through
existing NAT infrastructure(下部构造).
Table of Contents(含量,内容,满意)
1. Applicability(适用性) Statement(陈述,声明,语句) ................................... 3
2. Introduction(介绍,引进/言) .............................................. 3
3. Terminology(术语,术语学) ............................................... 4
4. Definitions(定界,定义,释义) ............................................... 5
5. NAT Variations(变动,变更) ............................................ 5
6. Overview of Operation(操作,手术,运算) ..................................... 6
7. Message Overview .......................................... 8
8. Server Behavior ........................................... 10
8.1 Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests .................................... 10
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 1]
RFC 3489 STUN(打晕,吓呆) March 2003
8.2 Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Requests .............................. 13
9. Client(顾客,用户,当事人) Behavior ........................................... 14
9.1 Discovery(暴露,发现,看出) ........................................... 15
9.2 Obtaining(得到) a Shared Secret ........................... 15
9.3 Formulating(公式化,系统阐述) the Binding Request(请求,需要) ..................... 17
9.4 Processing(程序,处理,起诉,变) Binding Responses(反应,回签,回音) ........................ 17
10. Use Cases ................................................. 19
10.1 Discovery Process ................................... 19
10.2 Binding Lifetime(终生,一直,寿命) Discovery .......................... 21
10.3 Binding Acquisition(获得) ................................. 23
11. Protocol(礼节,协议) Details(零件,细节,枝节) .......................................... 24
11.1 Message Header ...................................... 25
11.2 Message Attributes(归于,品质,特性) .................................. 26
11.2.1 MAPPED-ADDRESS .............................. 27
11.2.2 RESPONSE-ADDRESS ............................ 27
11.2.3 CHANGED-ADDRESS ............................. 28
11.2.4 CHANGE-REQUEST .............................. 28
11.2.5 SOURCE-ADDRESS .............................. 28
11.2.6 USERNAME(用户名) .................................... 28
11.2.7 PASSWORD .................................... 29
11.2.8 MESSAGE-INTEGRITY(诚实,完整,正直) ........................... 29
11.2.9 ERROR-CODE .................................. 29
11.2.10 UNKNOWN(未知,未知的)-ATTRIBUTES .......................... 31
11.2.11 REFLECTED(反射,思考)-FROM .............................. 31
12. Security(安全,证券) Considerations(考虑,体贴) ................................... 31
12.1 Attacks(攻击,侵袭,受袭) on STUN(打晕,吓呆) ..................................... 31
12.1.1 Attack I: DDOS Against a Target ............. 32
12.1.2 Attack II: Silencing a Client ............... 32
12.1.3 Attack III: Assuming(呈现,承担,假定) the Identity(认同,身分,特性) of a Client(顾客,用户,当事人) 32
12.1.4 Attack IV: Eavesdropping .................... 33
12.2 Launching(创办,发动,投射,开始) the Attacks ............................... 33
12.2.1 Approach(逼近,态度,途径) I: Compromise(和解,损害,妥协) a Legitimate(合法,合理,证明有理)
STUN Server ................................. 33
12.2.2 Approach II: DNS Attacks .................... 34
12.2.3 Approach III: Rogue(恶棍,流氓,捉弄) Router(刻,大败,溃败,输送) or NAT ........... 34
12.2.4 Approach IV: MITM ........................... 35
12.2.5 Approach V: Response(反应,回签,回音) Injection(充满,注入) Plus do
S ..... 35
12.2.6 Approach VI: Duplication(加倍,成双重) .................... 35
12.3 Countermeasures(对策,干扰) ..................................... 36
12.4 Residual(残留,剩余) Threats(恐吓,威胁,凶兆) .................................... 37
13. IANA Considerations ....................................... 38
14. IAB Considerations ........................................ 38
14.1 Problem(课题,难题) Definition(定界,定义,释义) .................................. 38
14.2 Exit Strategy(策略,计谋,战略) ....................................... 39
14.3 Brittleness(脆度,脆性) Introduced(采用,传入,介绍) by STUN ...................... 40
14.4 Requirements(需求,需要) for a Long Term(词,期,项,称为,术语,条件) Solution(解答,解决,溶液) ............... 42
14.5 Issues(颁布,发出,问题,争议) with Existing NAPT Boxes ..................... 43
14.6 In Closing .......................................... 43
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 2]
RFC 3489 STUN(打晕,吓呆) March 2003
15. Acknowledgments(承认,鸣谢) ........................................... 44
16. Normative(惯常,规范,定标准) References(参考,出处,定位,叁考) ...................................... 44
17. Informative(情报,供给消息) References .................................... 44
18. Authors(写作/者,创始人)' Addresses ........................................ 46
19. Full Copyright(版权,著作权) Statement(陈述,声明,语句)................................... 47
1. Applicability(适用性) Statement
This protocol(礼节,协议) is not a cure(矫正,消除,医治,治疗)-all for the problems associated(伙伴,交往,联合,同事) with NAT.
It do
es not enable incoming(进款,收入,收益,所得) TCP connections(连接,联系,连贯性) through NAT. It allows
incoming UDP packets(包,袋,群,组,套,捆) through NAT, but only through a subset(子集,子集合) of
existing NAT types. In particular(苛求,事实,特别,细节), STUN do
es not enable incoming UDP
packets through symmetric(对称) NATs (defined(立,定义,规定,准确说明) below), which are common in
large enterprises(企业,事业). STUN's discovery(暴露,发现,看出) procedures are based on
assumptions(傲慢,采取,假定) on NAT treatment(处理,待遇,治疗) of UDP;
such assumptions may prove(表明,显示,证明,结果是)
invalid(病人,伤残,无效) do
wn the road as new NAT devices(方法,设备,装置) are deployed(布置,散开,展开). STUN(打晕,吓呆) do
es not
work when it is used to obtain(得到) an address to communicate(传播/递,通话/信) with a peer
which happens to be behind the same NAT. STUN do
es not work when the
STUN server is not in a common shared(份,有,分担,共享/用) address realm(国土,领域,区域). For a more
complete(彻底,竣工,完成) discussion(论述,谈论) of the limitations(局限,限度) of STUN, see Section(部分,部门,切片,区) 14.
2. Introduction(介绍,引进/言)
Network Address Translators(译音,译码器,转换器) (NATs), while providing(供给,提供,装备) many benefits(恩惠,津贴,利益),
also come with many drawbacks(弊端,妨碍,欠缺,退款). The most troublesome(困难,累赘) of those
drawbacks is the fact that they break many existing IP applications(请求,施/应用,程序,软件),
and make it difficult(艰苦,困难) to deploy new ones. Guidelines(方针,指导,指南,准则) have been
developed(成长,发展,开发,显现) [8] that describe(描绘,描述,形容,作图) how to build "NAT friendly" protocols(礼节,协议),
but many protocols simply cannot be constructed(构造,建立,建设) according(符合,和谐/音,协调,根据,据说) to those
guidelines. Examples of such protocols include almost all peer-to-
peer protocols, such as multimedia(多媒体,多种手段) communications(传达,交通,通讯), file sharing(份,有,分担,共享/用) and
games.
To combat(斗争,反对) this problem(课题,难题), Application Layer Gateways(大门,关口,入口,通道) (ALGs) have been
embedded in NATs. ALGs perform(表演,履行,提供,完成) the application layer functions
required(命令,请求,需要) for a particular(苛求,事实,特别,细节) protocol to traverse(横渡,横过,曲线) a NAT. Typically(标准,典型),
this involves(包括,牵涉,占用,参加) rewriting(改写,再生,重写) application layer messages to contain(包含,等于,容纳,抑制)
translated(译,翻译) addresses, rather than the ones inserted by the sender of
the message. ALGs have serious(认真,慎重,严肃) limitations(局限,限度), including scalability(可量测性),
reliability(可靠性), and speed of deploying(布置,散开,展开) new applications(请求,施/应用,程序,软件). To resolve(分辨,分解,解决,决定)
these problems, the Middlebox Communications (MIDCOM) protocol(礼节,协议) is
being developed(成长,发展,开发,显现) [9]. MIDCOM allows an application entity(存在,实体,实体物,统一体), such as an
end client(顾客,用户,当事人) or network server of some sort (like a Session(会议,一段时间) Initiation(开始,正式加入)
Protocol (SIP) proxy [10]) to control a NAT (or firewall(防火壁)), in order
to obtain(得到) NAT bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) and open or close pinholes(梢孔,针孔). In this way, NATs
and applications can be separated(分隔,分开,个别) once more, eliminating(除去,排除,取消,淘汰,消灭) the need for
embedding ALGs in NATs, and resolving the limitations imposed(征,强迫,欺骗,征税) by
current(流,当前,流动,通用) architectures(建筑学,体系结构).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 3]
RFC 3489 STUN(打晕,吓呆) March 2003
Unfortunately(不幸,可取), MIDCOM requires(命令,请求,需要) upgrades(改善,升级,提高) to existing NAT and
firewalls, in addition(加,加法,附加物) to application(请求,施/应用,程序,软件) components(部件,成分,零组件). Complete(彻底,竣工,完成) upgrades
of these NAT and firewall products(积,产品,产物,作品) will take a long time, potentially(可能,潜力,电动势)
years. This is due, in part, to the fact that the deployers(布置,散开,展开) of NAT
and firewalls are not the same people who are deploying and using
applications. As a result, the incentive(豉励,刺激,动机) to upgrade these devices(方法,设备,装置)
will be low in many cases. Consider(关心,考虑,认为,体谅), for example, an airport(机场,航空站)
Internet lounge(坐靠,闲逛,休息室) that provides(供给,提供,装备) access(访问,接近,入口,通道) with a NAT. A user connecting
to the NATed(抚慰) network may wish to use a peer-to-peer service, but
cannot, because the NAT do
esn't support it. Since the administrators(管理人,管理员)
of the lounge are not the ones providing the service, they are not
motivated(促动,促进,激发,激起) to upgrade their NAT equipment(配备,器材,设备) to support it, using either
an ALG, or MIDCOM.
Another problem(课题,难题) is that the MIDCOM protocol(礼节,协议) requires(命令,请求,需要) that the agent(代理,服务,试剂,特工)
controlling the middleboxes know the identity(认同,身分,特性) of those middleboxes,
and have a relationship(关系,联系) with them which permits(容许,许可,执照) control. In many
configurations(构造), this will not be possible. For example, many cable
access providers use NAT in front of their entire(全部,整个,总体) access network.
This NAT could be in addition(加,加法,附加物) to a residential(住宅) NAT purchased(买,采购,支点,珀切斯) and
operated by the end user. The end user will probably(大概,或许,可能) not have a
control relationship with the NAT in the cable access network, and
may not even know of its existence(存在,生存,实在).
Many existing proprietary(私有,专利,所有权) protocols, such as those for online games
(such as the games described(描绘,描述,形容,作图) in RFC 3027 [11]) and Voice(声,发声,嗓音,吐露,意见,语态) over IP,
have developed(成长,发展,开发,显现) tricks(诡计) that allow them to operate through NATs without
changing those NATs. This do
cument(公文,文档,证件) is an attempt(尝试,攻击,企图,袭击) to take some of
those ideas, and codify(编码,编成法典) them into an interoperable(彼此协作) protocol(礼节,协议) that can
meet the needs of many applications(请求,施/应用,程序,软件).
The protocol described here, Simple Traversal(遍历) of UDP Through NAT
(STUN(打晕,吓呆)), allows entities(存在,实体,实体物,统一体) behind a NAT to first discover(暴露,发现,看出) the presence(有,在,出席,存在,到场)
of a NAT and the type of NAT, and then
to learn the addresses
bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) allocated(拨下,分配) by the NAT. STUN requires(命令,请求,需要) no changes to NATs, and
works with an arbitrary(任意,专断,不理智) number of NATs in tandem(级联,双轴,前后直排地) between the
application entity and the public Internet.
3. Terminology(术语,术语学)
In this do
cument, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED(建议,介绍,劝告,推荐)", "MAY",
and "OPTIONAL(任选,随意,可自由选择)" are to be interpreted(阐明,翻译,解释) as described(描绘,描述,形容,作图) in BCP 14, RFC 2119
[1] and indicate(标示,表明,显示,指明) requirement(需求,需要) levels for compliant(服从,顺从) STUN
implementations(实现,实行).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 4]
RFC 3489 STUN March 2003
4. Definitions(定界,定义,释义)
STUN Client(顾客,用户,当事人): A STUN client (also just referred to as a client)
is an entity that generates(导致,引起) STUN(打晕,吓呆) requests. A STUN client can
execute(处决,处死,实施,执行) on an end system, such as a user's PC, or can run in a
network element(成分,要素,元件), such as a conferencing(会议,讨论会) server.
STUN Server: A STUN Server (also just referred to as a server)
is an entity(存在,实体,实体物,统一体) that receives(承受,得到,接待) STUN requests(请求,需要), and sends STUN
responses(反应,回签,回音). STUN servers are generally(总,将军,一般) attached(随员,馆馆员) to the public
Internet.
5. NAT Variations(变动,变更)
It is assumed(假定,假装,设想) that the reader is familiar(惯用,冒昧,亲友,熟悉) with NATs. It has been
observed(遵守,观测/察,注意) that NAT treatment(处理,待遇,治疗) of UDP varies(变化,改变,转换,多样化) among implementations. The
four treatments observed in implementations are:
Full Cone(圆锥,锥体,成锥形): A full cone NAT is one where all requests from the
same internal(内,本质性) IP address and port are mapped to the same external(药,对外,外部)
IP address and port. Furthermore(此外,而且), any external host can send a
packet(包,袋,群,组,套,捆) to the internal host, by sending a packet to the mapped
external address.
Restricted(限定,限制,约束) Cone: A restricted cone NAT is one where all requests
from the same internal IP address and port are mapped to the same
external IP address and port. Unlike(不同,不象) a full cone NAT, an external
host (with IP address X) can send a packet to the internal host
only if the internal host had previously(前,先,在前) sent a packet to IP
address X.
Port Restricted Cone: A port restricted cone NAT is like a
restricted cone NAT, but the restriction includes port numbers.
Specifically(明确地,特别地), an external host can send a packet, with source IP
address X and source port P, to the internal host only if the
internal host had previously sent a packet to IP address X and
port P.
Symmetric(对称): A symmetric NAT is one where all requests from the
same internal IP address and port, to a specific(精确,特定,特性,细微) destination(目标,终点) IP
address and port, are mapped to the same external IP address and
port. If the same host sends a packet with the same source
address and port, but to a different(不同,差异,各种) destination, a different
mapping is used. Furthermore, only the external host that
receives(承受,得到,接待) a packet can send a UDP packet back to the internal host.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 5]
RFC 3489 STUN(打晕,吓呆) March 2003
Determining(测定,查明,决定,决心) the type of NAT is important in many cases. Depending(相信,依靠,取决于) on
what the application(请求,施/应用,程序,软件) wants to do
, it may need to take the particular(苛求,事实,特别,细节)
behavior(表现,举止,态度,行为) into account(占,计算,记述,解释).
6. Overview of Operation(操作,手术,运算)
This section(部分,部门,切片,区) is descriptive(记述,描述) only. Normative(惯常,规范,定标准) behavior is described(描绘,描述,形容,作图) in
Sections 8 and 9.
/-----/
// STUN //
| Server |
// //
/-----/
+--------------+ Public Internet
................| NAT 2 |.......................
+--------------+
+--------------+ Private(个人,秘密,专用) NET 2
................| NAT 1 |.......................
+--------------+
/-----/
// STUN //
| Client(顾客,用户,当事人) |
// // Private NET 1
/-----/
Figure(图,计算,人物,数) 1: STUN Configuration(构造)
The typical(标准,典型) STUN configuration is shown in Figure 1. A STUN client
is connected to private network 1. This network connects to private
network 2 through NAT 1. Private network 2 connects to the public
Internet through NAT 2. The STUN server resides(存在,居住,属于,驻留) on the public
Internet.
STUN is a simple client-server protocol(礼节,协议). A client sends a request(请求,需要) to
a server, and the server returns a response(反应,回签,回音). There are two types of
requests - Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests, sent over UDP, and Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情)
Requests, sent over TLS [2] over TCP. Shared Secret Requests ask the
server to return a temporary(短暂,临时,临时工) username(用户名) and password. This username
and password are used in a subsequent(尔后,后来) Binding Request and Binding
Response, for the purposes(打算,效果,意图,用途) of authen
tication(确证,证明) and message integrity(诚实,完整,正直).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 6]
RFC 3489 STUN(打晕,吓呆) March 2003
Binding requests are used to determine(测定,查明,决定,决心) the bindings allocated(拨下,分配) by
NATs. The client sends a Binding Request to the server, over UDP.
The server examines(检查,考试,审查,细看) the source IP address and port of the request,
and copies them into a response that is sent back to the client(顾客,用户,当事人).
There are some parameters(参数,参量) in the request that allow the client to ask
that the response be sent else
where, or that the server send the
response from a different(不同,差异,各种) address and port. There are attributes(归于,品质,特性) for
providing(供给,提供,装备) message integrity and authen
tication.
The trick(诡计,哄骗,窍门) is using STUN to discover(暴露,发现,看出) the presence(有,在,出席,存在,到场) of NAT, and to learn
and use the bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) they allocate.
The STUN client is typically(标准,典型) embedded in an application(请求,施/应用,程序,软件) which needs
to obtain(得到) a public IP address and port that can be used to receive(承受,得到,接待)
data. For example, it might need to obtain an IP address and port to
receive Real Time Transport(传送,运输,运输工具) Protocol(礼节,协议) (RTP) [12] traffic(车,交通,交易,运). When the
application starts, the STUN client within the application sends a
STUN Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request(请求,需要) to its server, obtains a username(用户名) and
password, and then
sends it a Binding Request. STUN(打晕,吓呆) servers can be
discovered through DNS SRV records(唱片,档案,记录) [3], and it is generally(总,将军,一般) assumed(假定,假装,设想)
that the client(顾客,用户,当事人) is configured(架构,配置,成形) with the do
main(领土,领域,主机) to use to find the STUN
server. Generally, this will be the do
main of the provider(供给,提供,装备) of the
service the application is using (such a provider is incented to
deploy(布置,散开,展开) STUN servers in order to allow its customers(定做,风俗,海关,用户) to use its
application through NAT). Of course, a client can determine(测定,查明,决定,决心) the
address or do
main name of a STUN server through other means. A STUN
server can even be embedded within an end system.
The STUN Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request is used to discover(暴露,发现,看出) the presence(有,在,出席,存在,到场) of a NAT,
and to discover the public IP address and port mappings generated(导致,引起) by
the NAT. Binding Requests are sent to the STUN server using UDP.
When a Binding Request arrives(达到,来临,抵达某地) at the STUN server, it may have passed
through one or more NATs between the STUN client and the STUN server.
As a result, the source address of the request received(承受,得到,接待) by the server
will be the mapped address created by the NAT closest to the server.
The STUN server copies that source IP address and port into a STUN
Binding Response(反应,回签,回音), and sends it back to the source IP address and port
of the STUN request. For all of the NAT types above, this response
will arrive at the STUN client.
When the STUN client receives the STUN Binding Response, it compares(比较,比作,对照)
the IP address and port in the packet(包,袋,群,组,套,捆) with the local(本地,区域,地方性) IP address and
port it bound(缚,捆,必定,边界,跳跃) to when the request(请求,需要) was sent. If these do
not match,
the STUN(打晕,吓呆) client is behind one or more NATs. In the case of a full-
cone(圆锥,锥体,成锥形) NAT, the IP address and port in the body of the STUN response
are public, and can be used by any host on the public Internet to
send packets to the application(请求,施/应用,程序,软件) that sent the STUN request. An
application need only listen on the IP address and port from which
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 7]
RFC 3489 STUN March 2003
the STUN request was sent. Any packets sent by a host on the public
Internet to the public address and port learned by STUN will be
received by the application.
Of course, the host may not be behind a full-cone NAT. Indeed, it
do
esn't yet know what type of NAT it is behind. To determine that,
the client(顾客,用户,当事人) uses additional(附加,增加) STUN Binding Requests. The exact(精密/确,要求)
procedure is flexible(灵活,柔韧,可变通), but would generally(总,将军,一般) work as follows. The
client would send a second STUN Binding Request, this time to a
different(不同,差异,各种) IP address, but from the same source IP address and port.
If the IP address and port in the response are different from those
in the first response, the client knows it is behind a symmetric(对称) NAT.
To determine(测定,查明,决定,决心) if it's behind a full-cone NAT, the client can send a
STUN Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request with flags that tell the STUN server to send a
response from a different IP address and port than the request was
received on. In other words, if the client sent a Binding Request to
IP address/port A/B using a source IP address/port of X/Y, the STUN
server would send the Binding Response to X/Y using source IP
address/port C/D. If the client receives this response, it knows it
is behind a full cone NAT.
STUN also allows the client to ask the server to send the Binding
Response from the same IP address the request was received on, but
with a different port. This can be used to detect(察觉,发觉,发现,检测) whether the client
is behind a port restricted(限定,限制,约束) cone NAT or just a restricted cone NAT.
It should be noted that the configuration(构造) in Figure(图,计算,人物,数) 1 is not the only
permissible(可容许) configuration. The STUN server can be located(查出,地点,定位,找出) anywhere,
including within another client. The only requirement(需求,需要) is that the
STUN server is reachable(可达到) by the client, and if the client is trying
to obtain(得到) a publicly routable address, that the server reside(存在,居住,属于,驻留) on the
public Internet.
7. Message Overview
STUN(打晕,吓呆) messages are TLV (type-length-value) encoded(编码) using big endian(字节存储次序)
(network ordered) binary(二,二成分). All STUN messages start with a STUN
header, followed by a STUN payload(荷载,有效负载). The payload is a series(成批,连续,系列) of STUN
attributes(归于,品质,特性), the set of which depends(相信,依靠,取决于) on the message type. The STUN
header contains(包含,等于,容纳,抑制) a STUN message type, transaction(处理,和解,交易) ID, and length. The
message type can be Binding Request(请求,需要), Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Response(反应,回签,回音), Binding Error
Response, Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request, Shared Secret Response, or Shared
Secret Error Response. The transaction ID is used to correlate(关联,相关,相关的事物)
requests and responses. The length indicates(标示,表明,显示,指明) the total length of the
STUN payload, not including the header. This allows STUN to run over
TCP. Shared Secret Requests are always sent over TCP (indeed, using
TLS over TCP).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 8]
RFC 3489 STUN March 2003
Several STUN attributes are defined(立,定义,规定,准确说明). The first is a MAPPED-ADDRESS
attribute, which is an IP address and port. It is always placed in
the Binding Response, and it indicates the source IP address and port
the server saw in the Binding Request. There is also a RESPONSE-
ADDRESS attribute, which contains an IP address and port. The
RESPONSE-ADDRESS attribute can be present(给,礼物,显示,现在) in the Binding Request, and
indicates where the Binding Response is to be sent. It's optional(任选,随意,可自由选择),
and when not present, the Binding Response is sent to the source IP
address and port of the Binding Request.
The third attribute is the CHANGE-REQUEST attribute, and it contains
two flags to control the IP address and port used to send the
response. These flags are called "change IP" and "change port"
flags. The CHANGE-REQUEST attribute is allowed only in the Binding
Request. The "change IP" and "change port" flags are useful for
determining(测定,查明,决定,决心) whether the client(顾客,用户,当事人) is behind a restricted(限定,限制,约束) cone(圆锥,锥体,成锥形) NAT or
restricted port cone NAT. They instruct(教,告知,命令) the server to send the
Binding Responses from a different(不同,差异,各种) source IP address and port. The
CHANGE-REQUEST attribute is optional in the Binding Request.
The fourth attribute is the CHANGED-ADDRESS attribute. It is present
in Binding Responses. It informs(伸冤,通知,有识) the client of the source IP address
and port that would be used if the client requested the "change IP"
and "change port" behavior(表现,举止,态度,行为).
The fifth attribute(归于,品质,特性) is the SOURCE-ADDRESS attribute. It is only
present in Binding Responses. It indicates the source IP address and
port where the response was sent from. It is useful for detecting(察觉,发觉,发现,检测)
twice(两倍,两次) NAT configurations(构造).
The sixth attribute is the USERNAME(用户名) attribute. It is present in a
Shared Secret Response(反应,回签,回音), which provides(供给,提供,装备) the client with a temporary(短暂,临时,临时工)
username and password (encoded(编码) in the PASSWORD attribute). The
USERNAME is also present in Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests(请求,需要), serving(服务) as an index to
the shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) used for the integrity(诚实,完整,正直) protection(保护,警戒) of the Binding
Request. The seventh(第七,七分) attribute, PASSWORD, is only found in Shared
Secret Response messages. The eight attribute is the MESSAGE-
INTEGRITY attribute, which contains(包含,等于,容纳,抑制) a message integrity check over
the Binding Request or Binding Response.
The ninth attribute is the ERROR-CODE attribute. This is present(给,礼物,显示,现在) in
the Binding Error Response and Shared Secret Error Response. It
indicates(标示,表明,显示,指明) the error that has occurred. The tenth attribute is the
UNKNOWN(未知,未知的)-ATTRIBUTES attribute, which is present in either the Binding
Error Response or Shared Secret Error Response. It indicates the
mandatory(命令者) attributes(归于,品质,特性) from the request which were unknown. The
eleventh(第十一) attribute is the REFLECTED(反射,思考)-FROM attribute, which is present
in Binding Responses. It indicates the IP address and port of the
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 9]
RFC 3489 STUN(打晕,吓呆) March 2003
sender of a Binding Request, used for traceability(跟踪能力) purposes(打算,效果,意图,用途) to
prevent(防止,妨碍,阻碍) certain denial(否定,否认,拒绝)-of-service attacks(攻击,侵袭,受袭).
8. Server Behavior(表现,举止,态度,行为)
The server behavior depends(相信,依靠,取决于) on whether the request(请求,需要) is a Binding(绑捆,包扎,结合,联接,凝固,约束,装钉)
Request or a Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request.
8.1 Binding Requests
A STUN server MUST be prepared(预制,准备) to receive(承受,得到,接待) Binding Requests on four
address/port combinations(化合,结合) - (A1, P1), (A2, P1), (A1, P2), and (A2,
P2). (A1, P1) represent(表现,代表,象征) the primary(初级,基色,首要,原色) address and port, and these are
the ones obtained through the client(顾客,用户,当事人) discovery(暴露,发现,看出) procedures below.
Typically(标准,典型), P1 will be port 3478, the default STUN port. A2 and P2
are arbitrary(任意,专断,不理智). A2 and P2 are advertised(通知,推销,广告) by the server through the
CHANGED-ADDRESS attribute(归于,品质,特性), as described(描绘,描述,形容,作图) below.
It is RECOMMENDED(建议,介绍,劝告,推荐) that the server check the Binding Request for a
MESSAGE-INTEGRITY(诚实,完整,正直) attribute. If not present(给,礼物,显示,现在), and the server requires(命令,请求,需要)
integrity checks on the request, it generates(导致,引起) a Binding Error
Response(反应,回签,回音) with an ERROR-CODE attribute with response code 401. If the
MESSAGE-INTEGRITY attribute was present, the server computes the HMAC
over the request as described in Section(部分,部门,切片,区) 11.2.8. The key to use
depends(相信,依靠,取决于) on the shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) mechanism(机理,机械). If the STUN(打晕,吓呆) Shared Secret
Request was used, the key MUST be the one associated(伙伴,交往,联合,同事) with the
USERNAME(用户名) attribute present in the request. If the USERNAME attribute
was not present, the server MUST generate a Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Error Response.
The Binding Error Response MUST include an ERROR-CODE attribute with
response code 432. If the USERNAME is present, but the server
do
esn't remember the shared secret for that USERNAME (because it
timed out, for example), the server MUST generate a Binding Error
Response. The Binding Error Response MUST include an ERROR-CODE
attribute with response code 430. If the server do
es know the shared
secret, but the computed HMAC differs(不同,差异,各种) from the one in the request,
the server MUST generate a Binding Error Response with an ERROR-CODE
attribute with response code 431. The Binding Error Response is sent
to the IP address and port the Binding Request came from, and sent
from the IP address and port the Binding Request was sent to.
Assuming(呈现,承担,假定) the message integrity check passed, processing(程序,处理,起诉,变) continues.
The server MUST check for any attributes in the request with values
less than or equal(等于,胜任) to 0x7fff which it do
es not understand. If it
encounters(面临,碰到,碰撞,遭遇) any, the server MUST generate a Binding Error Response,
and it MUST include an ERROR-CODE attribute(归于,品质,特性) with a 420 response code.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 10]
RFC 3489 STUN March 2003
That response MUST contain(包含,等于,容纳,抑制) an UNKNOWN(未知,未知的)-ATTRIBUTES attribute listing
the attributes with values less than or equal to 0x7fff which were
not understood. The Binding Error Response is sent to the IP address
and port the Binding Request came from, and sent from the IP address
and port the Binding Request was sent to.
Assuming the request was correctly(改正,纠正,恰当) formed, the server MUST generate a
single Binding Response. The Binding Response MUST contain the same
transaction(处理,和解,交易) ID contained in the Binding Request(请求,需要). The length in the
message header MUST contain the total length of the message in bytes,
excluding(拒绝,排斥) the header. The Binding Response(反应,回签,回音) MUST have a message type
of "Binding Response".
The server MUST add a MAPPED-ADDRESS attribute to the Binding
Response. The IP address component(部件,成分,零组件) of this attribute MUST be set to
the source IP address observed(遵守,观测/察,注意) in the Binding Request. The port
component of this attribute MUST be set to the source port observed
in the Binding Request.
If the RESPONSE-ADDRESS attribute was absent(不在,离开,缺乏,不存在) from the Binding
Request, the destination(目标,终点) address and port of the Binding Response
MUST be the same as the source address and port of the Binding
Request. Otherwise, the destination address and port of the Binding
Response MUST be the value of the IP address and port in the
RESPONSE-ADDRESS attribute.
The source address and port of the Binding Response depend(相信,依靠,取决于) on the
value of the CHANGE-REQUEST attribute and on the address and port the
Binding Request was received(承受,得到,接待) on, and are summarized(概括,相加,总结) in Table 1.
Let Da represent(表现,代表,象征) the destination IP address of the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request
(which will be either A1 or A2), and Dp represent the destination
port of the Binding Request (which will be either P1 or P2). Let Ca
represent the other address, so that if Da is A1, Ca is A2. If Da is
A2, Ca is A1. Similarly(类似,相象), let Cp represent the other port, so that if
Dp is P1, Cp is P2. If Dp is P2, Cp is P1. If the "change port"
flag was set in CHANGE-REQUEST attribute of the Binding Request, and
the "change IP" flag was not set, the source IP address of the
Binding Response MUST be Da and the source port of the Binding
Response MUST be Cp. If the "change IP" flag was set in the Binding
Request, and the "change port" flag was not set, the source IP
address of the Binding Response MUST be Ca and the source port of the
Binding Response MUST be Dp. When both flags are set, the source IP
address of the Binding Response MUST be Ca and the source port of the
Binding Response MUST be Cp. If neither flag is set, or if the
CHANGE-REQUEST attribute is absent entirely(全部,整个,总体), the source IP address of
the Binding Response MUST be Da and the source port of the Binding
Response MUST be Dp.
Rosenberg, et al. Standards Track [Page 11]
RFC 3489 STUN(打晕,吓呆) March 2003
Flags Source Address Source Port CHANGED-ADDRESS
none Da Dp Ca:Cp
Change IP Ca Dp Ca:Cp
Change port Da Cp Ca:Cp
Change IP and
Change port Ca Cp Ca:Cp
Table 1: Impact(冲击,碰撞,压紧,影响) of Flags on Packet(包,袋,群,组,套,捆) Source and CHANGED-ADDRESS
The server MUST add a SOURCE-ADDRESS attribute(归于,品质,特性) to the Binding
Response, containing(包含,等于,容纳,抑制) the source address and port used to send the
Binding Response.
The server MUST add a CHANGED-ADDRESS attribute to the Binding
Response. This contains the source IP address and port that would be
used if the client(顾客,用户,当事人) had set the "change IP" and "change port" flags in
the Binding Request. As summarized in Table 1, these are Ca and Cp,
respectively(分别,个别), regardless(不顾,不管) of the value of the CHANGE-REQUEST(请求,需要) flags.
If the Binding Request contained both the USERNAME(用户名) and MESSAGE-
INTEGRITY(诚实,完整,正直) attributes, the server MUST add a MESSAGE-INTEGRITY
attribute to the Binding Response(反应,回签,回音). The attribute contains an HMAC
[13] over the response, as described(描绘,描述,形容,作图) in Section(部分,部门,切片,区) 11.2.8. The key to
use depends on the shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) mechanism(机理,机械). If the STUN Shared
Secret Request was used, the key MUST be the one associated(伙伴,交往,联合,同事) with the
USERNAME attribute present(给,礼物,显示,现在) in the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request.
If the Binding Request contained a RESPONSE-ADDRESS attribute, the
server MUST add a REFLECTED(反射,思考)-FROM attribute to the response. If the
Binding Request was authen
ticated(鉴定,为真,证明) using a username obtained(得到) from a
Shared Secret Request, the REFLECTED-FROM attribute MUST contain the
source IP address and port where that Shared Secret Request came
from. If the username present in the request was not allocated(拨下,分配) using
a Shared Secret Request, the REFLECTED-FROM attribute MUST contain
the source address and port of the entity(存在,实体,实体物,统一体) which obtained the
username, as best can be verified(查证,核实,检验,证明) with the mechanism used to allocate
the username. If the username was not present in the request, and
the server was willing to process(程序,处理,起诉,变) the request, the REFLECTED-FROM
attribute(归于,品质,特性) SHOULD contain(包含,等于,容纳,抑制) the source IP address and port where the
request came from.
The server SHOULD NOT retransmit(中继,重新发送) the response. Reliability(可靠性) is
achieved(达到,获得,实现,完成) by having the client(顾客,用户,当事人) periodically(期刊,杂志) resend(再送) the request(请求,需要), each
of which triggers(扳机,触发,导致) a response(反应,回签,回音) from the server.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 12]
RFC 3489 STUN(打晕,吓呆) March 2003
8.2 Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Requests
Shared Secret Requests are always received(承受,得到,接待) on TLS connections(连接,联系,连贯性). When
the server receives a request from the client to establish(建立,确定,移植) a TLS
connection, it MUST proceed(继续,开始,进行,程序) with TLS, and SHOULD present(给,礼物,显示,现在) a site
certificate(鉴定,证件,执照). The TLS ciphersuite TLS_RSA_WITH_AES_128_CBC_SHA [4]
SHOULD be used. Client TLS authen
tication(确证,证明) MUST NOT be do
ne, since
the server is not allocating(拨下,分配) any resources(策略,机智,物力,资源) to clients, and the
computational(计算) burden(负担,加载,载量) can be a source of attacks(攻击,侵袭,受袭).
If the server receives a Shared Secret Request, it MUST verify(查证,核实,检验,证明) that
the request arrived(达到,来临,抵达某地) on a TLS connection. If it did not receive the
request over TLS, it MUST generate(导致,引起) a Shared Secret Error Response,
and it MUST include an ERROR-CODE attribute(归于,品质,特性) with a 433 response code.
The destination(目标,终点) for the error response(反应,回签,回音) depends(相信,依靠,取决于) on the transport(传送,运输,运输工具) on
which the request(请求,需要) was received. If the Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request was
received(承受,得到,接待) over TCP, the Shared Secret Error Response is sent over the
same connection(连接,联系,连贯性) the request was received on. If the Shared Secret
Request was receive over UDP, the Shared Secret Error Response is
sent to the source IP address and port that the request came from.
The server MUST check for any attributes in the request with values
less than or equal(等于,胜任) to 0x7fff which it do
es not understand. If it
encounters(面临,碰到,碰撞,遭遇) any, the server MUST generate a Shared Secret Error
Response, and it MUST include an ERROR-CODE attribute with a 420
response code. That response MUST contain(包含,等于,容纳,抑制) an UNKNOWN(未知,未知的)-ATTRIBUTES
attribute listing the attributes with values less than or equal to
0x7fff which were not understood. The Shared Secret Error Response
is sent over the TLS connection.
All Shared Secret Error Responses MUST contain the same transaction(处理,和解,交易)
ID contained in the Shared Secret Request. The length in the message
header MUST contain the total length of the message in bytes,
excluding(拒绝,排斥) the header. The Shared Secret Error Response MUST have a
message type of "Shared Secret Error Response" (0x0112).
Assuming(呈现,承担,假定) the request was properly(本来,合适,完全地) constructed(构造,建立,建设), the server creates a
Shared Secret Response. The Shared Secret Response MUST contain the
same transaction ID contained in the Shared Secret Request. The
length in the message header MUST contain the total length of the
message in bytes, excluding the header. The Shared Secret Response
MUST have a message type of "Shared Secret Response". The Shared
Secret Response MUST contain a USERNAME(用户名) attribute and a PASSWORD
attribute. The USERNAME attribute serves(适合,服务/役,任职,招待) as an index to the
password, which is contained in the PASSWORD attribute. The server
can use any mechanism(机理,机械) it chooses(宁愿,情愿,挑选) to generate(导致,引起) the username. However,
the username MUST be valid(有效,正当) for a period(句号,时期,学时,周期) of at least 10 minutes.
Validity(确实,效力,正确,有效性) means that the server can compute the password for that
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 13]
RFC 3489 STUN(打晕,吓呆) March 2003
username. There MUST be a single password for each username. In
other words, the server cannot, 10 minutes later, assign(分配,赋值,给定) a different(不同,差异,各种)
password to the same username. The server MUST hand out a different
username for each distinct(不同,独特,分别) Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request(请求,需要). Distinct, in this
case, implies(暗示,含意,意味) a different transaction(处理,和解,交易) ID. It is RECOMMENDED(建议,介绍,劝告,推荐) that the
server explicitly(明白,明确,清楚) invalidate(无效,无效,作废) the username after ten minutes. It MUST
invalidate the username after 30 minutes. The PASSWORD contains(包含,等于,容纳,抑制) the
password bound(缚,捆,必定,边界,跳跃) to that username(用户名). The password MUST have at least 128
bits. The likelihood(可能,似真,可能性,相似性) that the server assigns the same password for
two different usernames MUST be vanishingly small, and the passwords
MUST be unguessable. In other words, they MUST be a
cryptographically random function of the username.
These requirements(需求,需要) can still be met using a stateless(无国籍) server, by
intelligently(聪慧,聪明,理智) computing the USERNAME and PASSWORD. One approach(逼近,态度,途径) is
to construct(构造,建立,建设) the USERNAME as:
USERNAME = <prefix,rounded-time,clientIP,hmac>
Where prefix(词头,前缀,添以词头) is some random text string (different for each shared
secret request), rounded(围,圆,环绕,舍入,一轮,周围)-time is the current(流,当前,流动,通用) time modulo(模,模数,按模计算) 20 minutes,
clientIP is the source IP address where the Shared Secret Request
came from, and hmac is an HMAC [13] over the prefix, rounded-time,
and client(顾客,用户,当事人) IP, using a server private(个人,秘密,专用) key.
The password is then
computed as:
password = <hmac(USERNAME,anotherprivatekey)>
With this structure(构造,建造,组织), the username itself, which will be present(给,礼物,显示,现在) in
the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request(请求,需要), contains the source IP address where the Shared(份,有,分担,共享/用)
Secret(秘密,隐蔽,隐情) Request came from. That allows the server to meet the
requirements specified(规定,指定,明确说明) in Section(部分,部门,切片,区) 8.1 for constructing the
REFLECTED(反射,思考)-FROM attribute(归于,品质,特性). The server can verify(查证,核实,检验,证明) that the username(用户名)
was not tampered(坦派勒) with, using the hmac present in the username.
The Shared Secret Response(反应,回签,回音) is sent over the same TLS connection(连接,联系,连贯性) the
request was received(承受,得到,接待) on. The server SHOULD keep the connection open,
and let the client close it.
9. Client Behavior(表现,举止,态度,行为)
The behavior of the client is very straightforward(老实,坦率,率直地). Its task(派,工作,任务,作业) is to
discover(暴露,发现,看出) the STUN(打晕,吓呆) server, obtain a shared secret, formulate(公式化,系统阐述) the
Binding Request, handle request reliability(可靠性), and process(程序,处理,起诉,变) the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉)
Responses.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 14]
RFC 3489 STUN March 2003
9.1 Discovery
Generally(总,将军,一般), the client(顾客,用户,当事人) will be configured(架构,配置,成形) with a do
main(领土,领域,主机) name of the
provider(供给,提供,装备) of the STUN servers. This do
main name is resolved(坚决,有决心) to an IP
address and port using the SRV procedures specified(规定,指定,明确说明) in RFC 2782 [3].
Specifically(明确地,特别地), the service name is "stun". The protocol(礼节,协议) is "udp" for
sending Binding Requests(请求,需要), or "tcp" for sending Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情)
Requests. The procedures of RFC 2782 are followed to determine(测定,查明,决定,决心) the
server to contact(触点,触体,联系). RFC 2782 spells(带来,轮班,拼出,咒语,一阵子) out the details(零件,细节,枝节) of how a set of
SRV records(唱片,档案,记录) are sorted and then
tried. However, it only states that
the client should "try to connect to the (protocol, address,
service)" without giving any details on what happens in the event of
failure(破产,失败,失灵,疏忽). Those details are described(描绘,描述,形容,作图) here for STUN(打晕,吓呆).
For STUN requests, failure occurs(出现,存在,发生,产出) if there is a transport(传送,运输,运输工具) failure of
some sort (generally(总,将军,一般), due to fatal(命运,致命) ICMP errors in UDP or connection(连接,联系,连贯性)
failures in TCP). Failure also occurs if the transaction(处理,和解,交易) fails due
to timeout(超时,停工时间). This occurs 9.5 seconds after the first request is sent,
for both Shared Secret Requests and Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests. See Section(部分,部门,切片,区)
9.3 for details on transaction timeouts for Binding Requests. If a
failure occurs, the client(顾客,用户,当事人) SHOULD create a new request, which is
identical(恒等,同样,相同) to the previous(前,先,在前), but has a different(不同,差异,各种) transaction ID and
MESSAGE INTEGRITY(诚实,完整,正直) attribute(归于,品质,特性) (the HMAC will change because the
transaction ID has changed). That request(请求,需要) is sent to the next
element(成分,要素,元件) in the list as specified(规定,指定,明确说明) by RFC 2782.
The default port for STUN requests is 3478, for both TCP and UDP.
Administrators(管理人,管理员) SHOULD use this port in their SRV records(唱片,档案,记录), but MAY use
others.
If no SRV records were found, the client performs(表演,履行,提供,完成) an A record lookup(检查)
of the do
main(领土,领域,主机) name. The result will be a list of IP addresses, each
of which can be contacted(触点,触体,联系) at the default port.
This would allow a firewall(防火壁) admin(主管) to open the STUN(打晕,吓呆) port, so hosts
within the enterprise(企业,事业) could access(访问,接近,入口,通道) new applications(请求,施/应用,程序,软件). Whether they
will or won't do
this is a good question.
9.2 Obtaining(得到) a Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情)
As discussed(讨论,谈论,论述) in Section(部分,部门,切片,区) 12, there are several attacks(攻击,侵袭,受袭) possible on
STUN systems. Many of these are prevented(防止,妨碍,阻碍) through integrity(诚实,完整,正直) of
requests(请求,需要) and responses(反应,回签,回音). To provide(供给,提供,装备) that integrity, STUN makes use of
a shared secret between client(顾客,用户,当事人) and server, used as the keying
material(材料,料子,素材,物质) for an HMAC used in both the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request and Binding
Response. STUN allows for the shared secret to be obtained in any
way (for example, Kerberos [14]). However, it MUST have at least 128
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 15]
RFC 3489 STUN March 2003
bits of randomness(随机性). In order to ensure(保护,保险,赋予) interoperability, this
specification(规格,详述,载明) describes(描绘,描述,形容,作图) a TLS-based mechanism(机理,机械). This mechanism,
described in this section, MUST be implemented(仪器,工具,执行,生效) by clients and
servers.
First, the client determines(测定,查明,决定,决心) the IP address and port that it will
open a TCP connection(连接,联系,连贯性) to. This is do
ne using the discovery(暴露,发现,看出)
procedures in Section 9.1. The client opens up the connection to
that address and port, and immediately(立即,立刻,直接) begin
s TLS negotiation(谈判) [2].
The client MUST verify(查证,核实,检验,证明) the identity(认同,身分,特性) of the server. To do
that, it
follows the identification(鉴定,身份,识别) procedures defined(立,定义,规定,准确说明) in Section(部分,部门,切片,区) 3.1 of RFC
2818 [5]. Those procedures assume(呈现,承担,假定) the client is dereferencing a URI.
For purposes(打算,效果,意图,用途) of usage(对待,用,用法,习惯法) with this specification, the client(顾客,用户,当事人) treats(处理,论述,享受,宴,治疗) the
do
main(领土,领域,主机) name or IP address used in Section 9.1 as the host portion(部分,分配) of
the URI that has been dereferenced.
Once the connection is opened, the client sends a Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情)
request(请求,需要). This request has no attributes(归于,品质,特性), just the header. The
transaction(处理,和解,交易) ID in the header MUST meet the requirements(需求,需要) outlined(图,大纲,轮廓,描绘) for
the transaction ID in a binding(绑捆,包扎,结合,联接,凝固,约束,装钉) request, described(描绘,描述,形容,作图) in Section 9.3
below. The server generates(导致,引起) a response(反应,回签,回音), which can either be a Shared
Secret Response or a Shared Secret Error Response.
If the response was a Shared Secret Error Response, the client checks
the response code in the ERROR-CODE attribute. Interpretation(解释,口译) of
those response codes is identical(恒等,同样,相同) to the processing(程序,处理,起诉,变) of Section(部分,部门,切片,区) 9.4
for the Binding Error Response.
If a client receives(承受,得到,接待) a Shared Secret Response with an attribute whose
type is greater than 0x7fff, the attribute MUST be ignored(不顾,不理,忽略,忽视). If the
client receives a Shared Secret Response with an attribute whose type
is less than or equal(等于,胜任) to 0x7fff, the response is ignored.
If the response was a Shared Secret Response, it will contain(包含,等于,容纳,抑制) a short
lived username(用户名) and password, encoded(编码) in the USERNAME and PASSWORD
attributes, respectively(分别,个别).
The client(顾客,用户,当事人) MAY generate multiple(倍数,并联,多个) Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Requests(请求,需要) on the
connection(连接,联系,连贯性), and it MAY do
so before receiving Shared Secret Responses
to previous(前,先,在前) Shared Secret Requests. The client SHOULD close the
connection as soon as it has finished obtaining usernames and
passwords.
Section 9.3 describes how these passwords are used to provide(供给,提供,装备)
integrity(诚实,完整,正直) protection(保护,警戒) over Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests, and Section 8.1 describes(描绘,描述,形容,作图)
how it is used in Binding Responses(反应,回签,回音).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 16]
RFC 3489 STUN(打晕,吓呆) March 2003
9.3 Formulating(公式化,系统阐述) the Binding Request
A Binding Request formulated by the client follows the syntax(句法,语法) rules
defined(立,定义,规定,准确说明) in Section(部分,部门,切片,区) 11. Any two requests that are not bit-wise(博学,聪明,方式,怀斯)
identical(恒等,同样,相同), and not sent to the same server from the same IP address
and port, MUST carry different(不同,差异,各种) transaction(处理,和解,交易) IDs. The transaction ID
MUST be uniformly(均匀,统一,制服) and randomly distributed(分布,分配,配给,散布) between 0 and 2**128 - 1.
The large range(排,行,山脉,范围) is needed because the transaction ID serves(适合,服务/役,任职,招待) as a form
of randomization(不规则分布), helping to prevent(防止,妨碍,阻碍) replays of previously(前,先,在前) signed
responses from the server. The message type of the request(请求,需要) MUST be
"Binding Request".
The RESPONSE-ADDRESS attribute(归于,品质,特性) is optional(任选,随意,可自由选择) in the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request.
It is used if the client(顾客,用户,当事人) wishes the response(反应,回签,回音) to be sent to a
different IP address and port than the one the request was sent from.
This is useful for determining(测定,查明,决定,决心) whether the client is behind a
firewall(防火壁), and for applications(请求,施/应用,程序,软件) that have separated(分隔,分开,个别) control and data
components(部件,成分,零组件). See Section(部分,部门,切片,区) 10.3 for more details(零件,细节,枝节). The CHANGE-REQUEST
attribute is also optional. Whether it is present(给,礼物,显示,现在) depends(相信,依靠,取决于) on what
the application is trying to accomplish(达到,精通,完成). See Section 10 for some
example uses.
The client SHOULD add a MESSAGE-INTEGRITY(诚实,完整,正直) and USERNAME(用户名) attribute to
the Binding Request. This MESSAGE-INTEGRITY attribute contains(包含,等于,容纳,抑制) an
HMAC [13]. The value of the username, and the key to use in the
MESSAGE-INTEGRITY attribute depend on the shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) mechanism(机理,机械).
If the STUN(打晕,吓呆) Shared Secret Request(请求,需要) was used, the USERNAME must be a
valid(有效,正当) username obtained(得到) from a Shared Secret Response within the last
nine minutes. The shared secret for the HMAC is the value of the
PASSWORD attribute(归于,品质,特性) obtained from the same Shared Secret Response(反应,回签,回音).
Once formulated(公式化,系统阐述), the client(顾客,用户,当事人) sends the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request. Reliability(可靠性)
is accomplished through client retransmissions(中继). Clients SHOULD
retransmit(中继,重新发送) the request starting with an interval(间隔,间距,休息) of 100ms, do
ubling
every retransmit until the interval reaches 1.6s. Retransmissions
continue with intervals of 1.6s until a response is received(承受,得到,接待), or a
total of 9 requests have been sent. If no response is received by 1.6
seconds after the last request has been sent, the client SHOULD
consider(关心,考虑,认为,体谅) the transaction(处理,和解,交易) to have failed. In other words, requests
would be sent at times 0ms, 100ms, 300ms, 700ms, 1500ms, 3100ms,
4700ms, 6300ms, and 7900ms. At 9500ms, the client considers the
transaction to have failed if no response has been received.
9.4 Processing(程序,处理,起诉,变) Binding Responses
The response can either be a Binding Response or Binding Error
Response. Binding Error Responses are always received on the source
address and port the request was sent from. A Binding Response will
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 17]
RFC 3489 STUN March 2003
be received on the address and port placed in the RESPONSE-ADDRESS
attribute of the request. If none was present(给,礼物,显示,现在), the Binding Responses
will be received on the source address and port the request was sent
from.
If the response is a Binding Error Response, the client checks the
response code from the ERROR-CODE attribute of the response. For a
400 response code, the client SHOULD display the reason phrase(词组,短语,警句,惯语) to the
user. For a 420 response code, the client SHOULD retry(缩进) the request,
this time omitting any attributes listed in the UNKNOWN(未知,未知的)-ATTRIBUTES
attribute of the response. For a 430 response code, the client
SHOULD obtain a new shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情), and retry the Binding Request(请求,需要) with
a new transaction. For 401 and 432 response codes, if the client had
omitted the USERNAME(用户名) or MESSAGE-INTEGRITY(诚实,完整,正直) attribute(归于,品质,特性) as indicated(标示,表明,显示,指明) by
the error, it SHOULD try again with those attributes. For a 431
response(反应,回签,回音) code, the client(顾客,用户,当事人) SHOULD alert(报警,活跃,禁戒,灵活) the user, and MAY try the
request again after obtaining a new username and password. For a 500
response code, the client MAY wait several seconds and then
retry the
request. For a 600 response code, the client MUST NOT retry the
request, and SHOULD display the reason phrase to the user. Unknown
attributes between 400 and 499 are treated(处理,论述,享受,宴,治疗) like a 400, unknown
attributes between 500 and 599 are treated like a 500, and unknown
attributes between 600 and 699 are treated like a 600. Any response
between 100 and 399 MUST result in the cessation(中止) of request
retransmissions(中继), but otherwise is discarded(丢弃,废除,扔掉,删除).
If a client receives(承受,得到,接待) a response with an attribute whose type is
greater than 0x7fff, the attribute MUST be ignored(不顾,不理,忽略,忽视). If the client
receives a response with an attribute whose type is less than or
equal(等于,胜任) to 0x7fff, request retransmissions MUST cease(间断,结束,平息,停止), but the entire(全部,整个,总体)
response is otherwise ignored.
If the response is a Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Response, the client SHOULD check the
response for a MESSAGE-INTEGRITY attribute. If not present(给,礼物,显示,现在), and the
client placed a MESSAGE-INTEGRITY attribute into the request, it MUST
discard the response. If present, the client computes the HMAC over
the response as described(描绘,描述,形容,作图) in Section(部分,部门,切片,区) 11.2.8. The key to use depends(相信,依靠,取决于)
on the shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) mechanism(机理,机械). If the STUN(打晕,吓呆) Shared Secret Request(请求,需要)
was used, the key MUST be same as used to compute the MESSAGE-
INTEGRITY(诚实,完整,正直) attribute(归于,品质,特性) in the request. If the computed HMAC differs(不同,差异,各种)
from the one in the response(反应,回签,回音), the client(顾客,用户,当事人) MUST discard the response,
and SHOULD alert(报警,活跃,禁戒,灵活) the user about a possible attack(攻击,侵袭,受袭). If the computed
HMAC matches the one from the response, processing(程序,处理,起诉,变) continues.
Reception(接待,接收,招待会) of a response (either Binding Error Response or Binding
Response) to a Binding Request will terminate(结束,停止,有界限) retransmissions(中继) of that
request. However, clients MUST continue to listen for responses to a
Binding Request for 10 seconds after the first response. If it
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 18]
RFC 3489 STUN March 2003
receives(承受,得到,接待) any responses in this interval(间隔,间距,休息) with different message types
(Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Responses and Binding Error Responses, for example) or
different MAPPED-ADDRESSes, it is an indication(表明,表示,指示) of a possible attack.
The client MUST NOT use the MAPPED-ADDRESS from any of the responses
it received (either the first or the additional(附加,增加) ones), and SHOULD
alert the user.
Furthermore(此外,而且), if a client receives more than twice(两倍,两次) as many Binding
Responses as the number of Binding Requests it sent, it MUST NOT use
the MAPPED-ADDRESS from any of those responses, and SHOULD alert the
user about a potential(可能,潜力,电动势) attack.
If the Binding Response is authen
ticated(鉴定,为真,证明), and the MAPPED-ADDRESS was
not discarded(丢弃,废除,扔掉,删除) because of a potential attack, the CLIENT MAY use the
MAPPED-ADDRESS and SOURCE-ADDRESS attributes.
10. Use Cases
The rules of Sections(部分,部门,切片,区) 8 and 9 describe(描绘,描述,形容,作图) exactly(精密/确,要求) how a client and
server interact(插曲,横切,交叉,相互影响) to send requests(请求,需要) and get responses(反应,回签,回音). However, they do
not dictate(规定,口授,命令,要求) how the STUN(打晕,吓呆) protocol(礼节,协议) is used to accomplish(达到,精通,完成) useful tasks(派,工作,任务,作业).
That is at the discretion(谨慎,判断,斟酌办理) of the client(顾客,用户,当事人). Here, we provide(供给,提供,装备) some
useful scenarios(剧本,情节,剧情说明书) for applying(涂,申请,实施,用,添加) STUN.
10.1 Discovery(暴露,发现,看出) Process(程序,处理,起诉,变)
In this scenario, a user is running a multimedia(多媒体,多种手段) application(请求,施/应用,程序,软件) which
needs to determine(测定,查明,决定,决心) which of the following scenarios applies to it:
o On the open Internet
o Firewall(防火壁) that blocks UDP
o Firewall that allows UDP out, and responses have to come back to
the source of the request (like a symmetric(对称) NAT, but no
translation(翻译,译本). We call this a symmetric UDP Firewall)
o Full-cone(圆锥,锥体,成锥形) NAT
o Symmetric NAT
o Restricted(限定,限制,约束) cone or restricted port cone NAT
Which of the six scenarios applies can be determined(坚决,决定) through the flow(流,流畅,飘垂,涨潮)
chart(图,海图) described(描绘,描述,形容,作图) in Figure(图,计算,人物,数) 2. The chart refers(参考,查阅,归于,谈到,提出,求助于) only to the sequence(次序,继续,系列)
of Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests(请求,需要);
Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Requests will, of course, be
needed to authen
ticate(鉴定,为真,证明) each Binding Request used in the sequence.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 19]
RFC 3489 STUN(打晕,吓呆) March 2003
The flow makes use of three tests. In test I, the client(顾客,用户,当事人) sends a
STUN Binding Request to a server, without any flags set in the
CHANGE-REQUEST attribute(归于,品质,特性), and without the RESPONSE(反应,回签,回音)-ADDRESS attribute.
This causes the server to send the response back to the address and
port that the request came from. In test II, the client sends a
Binding Request with both the "change IP" and "change port" flags
from the CHANGE-REQUEST attribute set. In test III, the client sends
a Binding Request with only the "change port" flag set.
The client begin
s by initiating(创/开始,启蒙/动) test I. If this test yields(产出,产量,屈服,让与) no
response, the client knows right away that it is not capable(有才能,有能力) of UDP
connectivity(连接,连通性). If the test produces a response, the client examines(检查,考试,审查,细看)
the MAPPED-ADDRESS attribute. If this address and port are the same
as the local(本地,区域,地方性) IP address and port of the socket(插座,套接) used to send the
request, the client knows that it is not natted. It executes(处决,处死,实施,执行) test
II.
If a response is received(承受,得到,接待), the client knows that it has open access(访问,接近,入口,通道)
to the Internet (or, at least, its behind a firewall(防火壁) that behaves(表现,举动,行动,运转)
like a full-cone(圆锥,锥体,成锥形) NAT, but without the translation(翻译,译本)). If no response
is received, the client knows its behind a symmetric(对称) UDP firewall.
In the event that the IP address and port of the socket did not match
the MAPPED-ADDRESS attribute in the response to test I, the client
knows that it is behind a NAT. It performs(表演,履行,提供,完成) test II. If a response
is received, the client knows that it is behind a full-cone NAT. If
no response is received, it performs test I again, but this time,
do
es so to the address and port from the CHANGED-ADDRESS attribute
from the response to test I. If the IP address and port returned in
the MAPPED-ADDRESS attribute are not the same as the ones from the
first test I, the client knows its behind a symmetric NAT. If the
address and port are the same, the client is either behind a
restricted(限定,限制,约束) or port restricted NAT. To make a determination(决定,决心,确定) about
which one it is behind, the client initiates test III. If a response
is received, its behind a restricted NAT, and if no response is
received, its behind a port restricted NAT.
This procedure yields substantial(本质,大量,坚固,物质) information(数据,通知,信息,资料) about the operating
condition(环境,条件,支配,状况) of the client(顾客,用户,当事人) application(请求,施/应用,程序,软件). In the event of multiple(倍数,并联,多个) NATs
between the client and the Internet, the type that is discovered(暴露,发现,看出) will
be the type of the most restrictive NAT between the client and the
Internet. The types of NAT, in order of restrictiveness, from most
to least, are symmetric, port restricted cone, restricted cone, and
full cone.
Typically(标准,典型), a client will re-do this discovery process(程序,处理,起诉,变) periodically(期刊,杂志) to
detect(察觉,发觉,发现,检测) changes, or look for inconsistent(不一致) results. It is important to
note that when the discovery process is redone(重做), it should not
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 20]
RFC 3489 STUN(打晕,吓呆) March 2003
generally(总,将军,一般) be do
ne from the same local(本地,区域,地方性) address and port used in the
previous(前,先,在前) discovery process. If the same local address and port are
reused(再使用), bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) from the previous test may still be in existence(存在,生存,实在),
and these will invalidate(无效,无效,作废) the results of the test. Using a different(不同,差异,各种)
local address and port for subsequent(尔后,后来) tests resolves(分辨,分解,解决,决定) this problem(课题,难题).
An alternative(交替,选择,替换) is to wait sufficiently(充分,充足) long to be confident(确信) that the
old bindings have expired(到期,断气,去世,终止) (half an hour should more than suffice(满足,足够,有能力)).
10.2 Binding Lifetime(终生,一直,寿命) Discovery(暴露,发现,看出)
STUN can also be used to discover the lifetimes of the bindings
created by the NAT. In many cases, the client(顾客,用户,当事人) will need to refresh(刷新,清新,振作,恢复)
the binding, either through a new STUN request(请求,需要), or an application(请求,施/应用,程序,软件)
packet(包,袋,群,组,套,捆), in order for the application to continue to use the binding.
By discovering the binding lifetime, the client can determine(测定,查明,决定,决心) how
frequently(常到,常去,频繁) it needs to refresh.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 21]
RFC 3489 STUN(打晕,吓呆) March 2003
+--------+
| Test |
| I |
+--------+
|
|
V
// //
N / / Y / / Y +--------+
UDP <-------/Resp/--------->/ IP /------------->| Test |
Blocked / ? / /Same/ | II |
/ / /? / +--------+
// // |
| N |
| V
V //
+--------+ Sym. N / /
| Test | UDP <---/Resp/
| II | Firewall / ? /
+--------+ / /
| //
V |Y
// // |
Symmetric N / / +--------+ N / / V
NAT <--- / IP /<-----| Test |<--- /Resp/ Open
/Same/ | I | / ? / Internet
/? / +--------+ / /
// //
| |Y
| |
| V
| Full
| Cone
V //
+--------+ / / Y
| Test |------>/Resp/---->Restricted(限定,限制,约束)
| III | / ? /
+--------+ / /
//
|N
| Port
+------>Restricted
Figure(图,计算,人物,数) 2: Flow(流,流畅,飘垂,涨潮) for type discovery process(程序,处理,起诉,变)
Rosenberg, et al. Standards Track [Page 22]
RFC 3489 STUN March 2003
To determine the binding(绑捆,包扎,结合,联接,凝固,约束,装钉) lifetime, the client first sends a Binding
Request to the server from a particular(苛求,事实,特别,细节) socket(插座,套接), X. This creates a
binding in the NAT. The response(反应,回签,回音) from the server contains(包含,等于,容纳,抑制) a MAPPED-
ADDRESS attribute(归于,品质,特性), providing(供给,提供,装备) the public address and port on the NAT.
Call this Pa and Pp, respectively(分别,个别). The client then
starts a timer
with a value of T seconds. When this timer fires, the client sends
another Binding Request to the server, using the same destination(目标,终点)
address and port, but from a different(不同,差异,各种) socket, Y. This request
contains a RESPONSE-ADDRESS address attribute, set to (Pa,Pp). This
will create a new binding on the NAT, and cause the STUN server to
send a Binding Response that would match the old binding, if it still
exists. If the client(顾客,用户,当事人) receives(承受,得到,接待) the Binding Response on socket X, it
knows that the binding has not expired(到期,断气,去世,终止). If the client receives the
Binding Response on socket Y (which is possible if the old binding
expired, and the NAT allocated(拨下,分配) the same public address and port to
the new binding), or receives no response at all, it knows that the
binding has expired.
The client can find the value of the binding lifetime(终生,一直,寿命) by do
ing a
binary(二,二成分) search through T, arriving(达到,来临,抵达某地) eventually(最后) at the value where the
response is not received for any timer greater than T, but is
received for any timer less than T.
This discovery(暴露,发现,看出) process takes quite a bit of time, and is something
that will typically(标准,典型) be run in the background on a device(方法,设备,装置) once it
boots.
It is possible that the client can get inconsistent(不一致) results each time
this process(程序,处理,起诉,变) is run. For example, if the NAT should reboot(重新启动), or be
reset(复位,重新安置) for some reason, the process may discover a lifetime than is
shorter than the actual(实际,现行) one. For this reason, implementations(实现,实行) are
encouraged(促进,鼓励,赞助,支持) to run the test numerous(大量,无数,许多) times, and be prepared(预制,准备) to get
inconsistent results.
10.3 Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Acquisition(获得)
Consider(关心,考虑,认为,体谅) once more the case of a VoIP phone. It used the discovery
process above when it started up, to discover its environment(环境,外界,围绕). Now,
it wants to make a call. As part of the discovery process, it
determined(坚决,决定) that it was behind a full-cone(圆锥,锥体,成锥形) NAT.
Consider further that this phone consists(包括,符合,在于,组成) of two logically(逻辑,逻辑或) separated(分隔,分开,个别)
components(部件,成分,零组件) - a control component that handles signaling(暗号,动机,显著,手势), and a media
component that handles the audio(声频,成音频率), video, and RTP [12]. Both are
behind the same NAT. Because of this separation(分居,分开) of control and
media, we wish to minimize(极小,最小化) the communication(传达,交通,通讯) required(命令,请求,需要) between them.
In fact, they may not even run on the same host.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 23]
RFC 3489 STUN(打晕,吓呆) March 2003
In order to make a voice(声,发声,嗓音,吐露,意见,语态) call, the phone needs to obtain(得到) an IP
address and port that it can place in the call setup message as the
destination(目标,终点) for receiving(承受,得到,接待) audio.
To obtain an address, the control component sends a Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情)
Request to the server, obtains a shared secret, and then
sends a
Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request to the server. No CHANGE-REQUEST attribute(归于,品质,特性) is
present(给,礼物,显示,现在) in the Binding Request, and neither is the RESPONSE(反应,回签,回音)-ADDRESS
attribute. The Binding Response contains(包含,等于,容纳,抑制) a mapped address. The
control component then
formulates(公式化,系统阐述) a second Binding Request. This
request contains a RESPONSE-ADDRESS, which is set to the mapped
address learned from the previous(前,先,在前) Binding Response. This Binding
Request is passed to the media component(部件,成分,零组件), along with the IP address
and port of the STUN server. The media component sends the Binding
Request. The request goes to the STUN server, which sends the
Binding Response back to the control component. The control
component receives this, and now has learned an IP address and port
that will be routed(路,航线,路程) back to the media component that sent the
request.
The client(顾客,用户,当事人) will be able to receive media from anywhere on this mapped
address.
In the case of silence suppression(压制,镇压), there may be periods(句号,时期,学时,周期) where the
client receives no media. In this case, the UDP bindings could
timeout(超时,停工时间) (UDP bindings in NATs are typically(标准,典型) short;
30 seconds is
common). To deal(处理,待遇,对付,给,交易,买卖,数量) with this, the application(请求,施/应用,程序,软件) can periodically(期刊,杂志)
retransmit(中继,重新发送) the query(查询,问题,疑问) in order to keep the binding fresh.
It is possible that both participants(参与,有份,参加者) in the multimedia(多媒体,多种手段) session(会议,一段时间) are
behind the same NAT. In that case, both will repeat this procedure
above, and both will obtain(得到) public address bindings(绑捆,包扎,结合,联接,凝固,约束,装钉). When one sends
media to the other, the media is routed to the NAT, and then
turns
right back around to come back into the enterprise(企业,事业), where it is
translated(译,翻译) to the private(个人,秘密,专用) address of the recipient(接收器/者,收件人). This is not
particularly(苛求,事实,特别,细节) efficient(因素,效率高,有能力), and unfortunately(不幸,可取), do
es not work in many
commercial(经济,商务,广告) NATs. In such cases, the clients(顾客,用户,当事人) may need to retry(缩进) using
private addresses.
11. Protocol(礼节,协议) Details(零件,细节,枝节)
This section(部分,部门,切片,区) presents(给,礼物,显示,现在) the detailed encoding(编码) of a STUN(打晕,吓呆) message.
STUN is a request(请求,需要)-response(反应,回签,回音) protocol. Clients send a request, and the
server sends a response. There are two requests, Binding Request,
and Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request. The response to a Binding Request can
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 24]
RFC 3489 STUN March 2003
either be the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Response or Binding Error Response. The
response to a Shared Secret Request can either be a Shared Secret
Response or a Shared Secret Error Response.
STUN messages are encoded using binary(二,二成分) fields. All integer fields
are carried in network byte order, that is, most significant(有效,重大) byte
(octet(八隅体,八位位组)) first. This byte order is commonly known as big-endian(字节存储次序). The
transmission(传动,传输,发射) order is described(描绘,描述,形容,作图) in detail in Appendix(附录,附庸,阑尾,盲肠) B of RFC 791
[6]. Unless otherwise noted, numeric(数字) constants(常数,恒定,坚贞) are in decimal(十进,小数) (base
10).
11.1 Message Header
All STUN messages consist(包括,符合,在于,组成) of a 20 byte header:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| STUN Message Type | Message Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Transaction(处理,和解,交易) ID
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Message Types can take on the following values:
0x0001 : Binding Request
0x0101 : Binding Response
0x0111 : Binding Error Response
0x0002 : Shared Secret Request
0x0102 : Shared Secret Response
0x0112 : Shared Secret Error Response
The message length is the count, in bytes, of the size of the
message, not including the 20 byte header.
The transaction ID is a 128 bit identifier(标识,鉴别,认出,验明). It also serves(适合,服务/役,任职,招待) as salt(盐,芒硝,撒盐)
to randomize(随机化) the request(请求,需要) and the response(反应,回签,回音). All responses carry the
same identifier as the request they correspond(符合,通信,相当) to.
Rosenberg, et al. Standards Track [Page 25]
RFC 3489 STUN(打晕,吓呆) March 2003
11.2 Message Attributes(归于,品质,特性)
After the header are 0 or more attributes. Each attribute is TLV
encoded(编码), with a 16 bit type, 16 bit length, and variable(变量,变数) value:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The following types are defined(立,定义,规定,准确说明):
0x0001: MAPPED-ADDRESS
0x0002: RESPONSE-ADDRESS
0x0003: CHANGE-REQUEST
0x0004: SOURCE-ADDRESS
0x0005: CHANGED-ADDRESS
0x0006: USERNAME(用户名)
0x0007: PASSWORD
0x0008: MESSAGE-INTEGRITY(诚实,完整,正直)
0x0009: ERROR-CODE
0x000a: UNKNOWN(未知,未知的)-ATTRIBUTES
0x000b: REFLECTED(反射,思考)-FROM
To allow future(将来,期货,前途) revisions(复习,修订本) of this specification(规格,详述,载明) to add new attributes
if needed, the attribute space is divided(除,分,分开) into optional(任选,随意,可自由选择) and mandatory(命令者)
ones. Attributes with values greater than 0x7fff are optional, which
means that the message can be processed(程序,处理,起诉,变) by the client(顾客,用户,当事人) or server even
though the attribute is not understood. Attributes with values less
than or equal(等于,胜任) to 0x7fff are mandatory to understand, which means that
the client or server cannot process the message unless it understands
the attribute.
The MESSAGE-INTEGRITY attribute MUST be the last attribute within a
message. Any attributes that are known, but are not supposed(假定,推测,想象上) to be
present(给,礼物,显示,现在) in a message (MAPPED-ADDRESS in a request(请求,需要), for example) MUST
be ignored(不顾,不理,忽略,忽视).
Table 2 indicates(标示,表明,显示,指明) which attributes(归于,品质,特性) are present in which messages. An
M indicates that inclusion(包括,包括在内) of the attribute in the message is
mandatory, O means its optional, C means it's conditional(假定,条件) based on
some other aspect(香润,方向,容貌) of the message, and N/A means that the attribute is
not applicable(合适,生动) to that message type.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 26]
RFC 3489 STUN(打晕,吓呆) March 2003
Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Shared(份,有,分担,共享/用) Shared Shared
Binding Binding Error Secret(秘密,隐蔽,隐情) Secret Secret
Att. Req. Resp. Resp. Req. Resp. Error
Resp.
_____________________________________________________________________
MAPPED-ADDRESS N/A M N/A N/A N/A N/A
RESPONSE(反应,回签,回音)-ADDRESS O N/A N/A N/A N/A N/A
CHANGE-REQUEST O N/A N/A N/A N/A N/A
SOURCE-ADDRESS N/A M N/A N/A N/A N/A
CHANGED-ADDRESS N/A M N/A N/A N/A N/A
USERNAME(用户名) O N/A N/A N/A M N/A
PASSWORD N/A N/A N/A N/A M N/A
MESSAGE-INTEGRITY(诚实,完整,正直) O O N/A N/A N/A N/A
ERROR-CODE N/A N/A M N/A N/A M
UNKNOWN(未知,未知的)-ATTRIBUTES N/A N/A C N/A N/A C
REFLECTED(反射,思考)-FROM N/A C N/A N/A N/A N/A
Table 2: Summary(概要,简短) of Attributes
The length refers(参考,查阅,归于,谈到,提出,求助于) to the length of the value element(成分,要素,元件), expressed(表白,快/车,明确) as an
unsigned(未署名,无符号) integral(整,整体,组成) number of bytes.
11.2.1 MAPPED-ADDRESS
The MAPPED-ADDRESS attribute indicates(标示,表明,显示,指明) the mapped IP address and
port. It consists(包括,符合,在于,组成) of an eight bit address family, and a sixteen bit
port, followed by a fixed length value representing(表现,代表,象征) the IP address.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|x x x x x x x x| Family | Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The port is a network byte ordered representation(陈述,代表,描写) of the mapped port.
The address family is always 0x01, corresponding(符合,通信,相当) to IPv4. The first
8 bits of the MAPPED-ADDRESS are ignored(不顾,不理,忽略,忽视), for the purposes(打算,效果,意图,用途) of
aligning(定位,对齐,均衡,排列,成一直线) parameters(参数,参量) on natural(本来,天然,通常) boundaries(办界,边界). The IPv4 address is 32
bits.
11.2.2 RESPONSE(反应,回签,回音)-ADDRESS
The RESPONSE-ADDRESS attribute(归于,品质,特性) indicates where the response to a
Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request(请求,需要) should be sent. Its syntax(句法,语法) is identical(恒等,同样,相同) to MAPPED-
ADDRESS.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 27]
RFC 3489 STUN(打晕,吓呆) March 2003
11.2.3 CHANGED-ADDRESS
The CHANGED-ADDRESS attribute indicates the IP address and port where
responses would have been sent from if the "change IP" and "change
port" flags had been set in the CHANGE-REQUEST attribute of the
Binding Request. The attribute is always present(给,礼物,显示,现在) in a Binding
Response, independent(独立,自主,无党派) of the value of the flags. Its syntax is
identical to MAPPED-ADDRESS.
11.2.4 CHANGE-REQUEST
The CHANGE-REQUEST attribute is used by the client(顾客,用户,当事人) to request that
the server use a different(不同,差异,各种) address and/or port when sending the
response. The attribute is 32 bits long, although only two bits (A
and B) are used:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A B 0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The meaning of the flags is:
A: This is the "change IP" flag. If true, it requests the server
to send the Binding Response with a different IP address than the
one the Binding Request was received(承受,得到,接待) on.
B: This is the "change port" flag. If true, it requests the
server to send the Binding Response with a different port than the
one the Binding Request was received on.
11.2.5 SOURCE-ADDRESS
The SOURCE-ADDRESS attribute is present in Binding Responses. It
indicates(标示,表明,显示,指明) the source IP address and port that the server is sending
the response from. Its syntax is identical to that of MAPPED-
ADDRESS.
11.2.6 USERNAME(用户名)
The USERNAME attribute is used for message integrity(诚实,完整,正直). It serves(适合,服务/役,任职,招待) as a
means to identify(标识,鉴别,认出,验明) the shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) used in the message integrity
check. The USERNAME is always present in a Shared Secret Response,
along with the PASSWORD. It is optionally(任选,随意,可自由选择) present in a Binding
Request when message integrity is used.
Rosenberg, et al. Standards Track [Page 28]
RFC 3489 STUN March 2003
The value of USERNAME is a variable(变量,变数) length opaque(难懂,不传导,不透明) value. Its length
MUST be a multiple(倍数,并联,多个) of 4 (measured(测量,尺寸,措施) in bytes) in order to guarantee(保证,承认,担保物)
alignment(调整,队列,对准,联合,对齐) of attributes(归于,品质,特性) on word boundaries(办界,边界).
11.2.7 PASSWORD
The PASSWORD attribute is used in Shared Secret Responses(反应,回签,回音). It is
always present(给,礼物,显示,现在) in a Shared Secret Response, along with the USERNAME.
The value of PASSWORD is a variable length value that is to be used
as a shared secret. Its length MUST be a multiple of 4 (measured in
bytes) in order to guarantee alignment of attributes on word
boundaries.
11.2.8 MESSAGE-INTEGRITY
The MESSAGE-INTEGRITY attribute contains(包含,等于,容纳,抑制) an HMAC-SHA1 [13] of the
STUN(打晕,吓呆) message. It can be present in Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests(请求,需要) or Binding
Responses. Since it uses the SHA1 hash(混乱,弄乱,哈希/散列表), the HMAC will be 20 bytes.
The text used as input to HMAC is the STUN message, including the
header, up to and including the attribute preceding(高于,领先,在前) the MESSAGE-
INTEGRITY(诚实,完整,正直) attribute. That text is then
padded with zeroes so as to be
a multiple of 64 bytes. As a result, the MESSAGE-INTEGRITY attribute
MUST be the last attribute in any STUN message. The key used as
input to HMAC depends(相信,依靠,取决于) on the context(环/语境,上下文,关系).
11.2.9 ERROR-CODE
The ERROR-CODE attribute is present in the Binding Error Response and
Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Error Response. It is a numeric(数字) value in the range(排,行,山脉,范围) of
100 to 699 plus a textual(课文) reason phrase(词组,短语,警句,惯语) encoded(编码) in UTF-8, and is
consistent(符合,坚持,坚固) in its code assignments(分配,转让,任务) and semantics(语义,语义学) with SIP [10] and
HTTP [15]. The reason phrase is meant(意指,意思是) for user consumption(消耗,消耗量), and can
be anything appropriate(拨给,恰当,侵占) for the response(反应,回签,回音) code. The lengths of the
reason phrases MUST be a multiple(倍数,并联,多个) of 4 (measured(测量,尺寸,措施) in bytes). This can
be accomplished(达到,精通,完成) by added spaces to the end of the text, if necessary.
Recommended(建议,介绍,劝告,推荐) reason phrases for the defined(立,定义,规定,准确说明) response codes are
presented(给,礼物,显示,现在) below.
To facilitate(帮助,促进,助长,容易) processing(程序,处理,起诉,变), the class of the error code (the hundreds
digit) is encoded separately(分隔,分开,个别) from the rest of the code.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 29]
RFC 3489 STUN(打晕,吓呆) March 2003
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 |Class| Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reason Phrase (variable(变量,变数)) ..
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The class represents(表现,代表,象征) the hundreds digit of the response code. The
value MUST be between 1 and 6. The number represents the response
code modulo(模,模数,按模计算) 100, and its value MUST be between 0 and 99.
The following response codes, along with their recommended reason
phrases(词组,短语,警句,惯语) (in brackets(括号,托架)) are defined at this time:
400 (Bad Request(请求,需要)): The request was malformed(畸形,难看). The client(顾客,用户,当事人) should not
retry(缩进) the request without modification(改变,缓和,修饰) from the previous(前,先,在前)
attempt(尝试,攻击,企图,袭击).
401 (Unauthorized(非法,未授权/批准)): The Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request did not contain(包含,等于,容纳,抑制) a MESSAGE-
INTEGRITY(诚实,完整,正直) attribute(归于,品质,特性).
420 (Unknown(未知,未知的) Attribute): The server did not understand a mandatory(命令者)
attribute in the request.
430 (Stale(陈腐,陈旧,走了气) Credentials(信任,证书)): The Binding Request did contain a MESSAGE-
INTEGRITY attribute, but it used a shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) that has
expired(到期,断气,去世,终止). The client should obtain(得到) a new shared secret and try
again.
431 (Integrity Check Failure(破产,失败,失灵,疏忽)): The Binding Request contained a
MESSAGE-INTEGRITY attribute, but the HMAC failed verification(检验).
This could be a sign of a potential(可能,潜力,电动势) attack(攻击,侵袭,受袭), or client(顾客,用户,当事人)
implementation(实现,实行) error.
432 (Missing Username(用户名)): The Binding Request(请求,需要) contained a MESSAGE-
INTEGRITY attribute, but not a USERNAME attribute. Both must be
present(给,礼物,显示,现在) for integrity checks.
433 (Use TLS): The Shared Secret request has to be sent over TLS, but
was not received(承受,得到,接待) over TLS.
500 (Server Error): The server has suffered(经受,忍受,容许,受痛苦) a temporary(短暂,临时,临时工) error. The
client should try again.
600 (Global(总,球面,全局) Failure
The server is refusing(渣,报废,不愿,拒绝) to fulfill(履行,满足,完成) the request.
The client should not retry(缩进).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 30]
RFC 3489 STUN(打晕,吓呆) March 2003
11.2.10 UNKNOWN(未知,未知的)-ATTRIBUTES(归于,品质,特性)
The UNKNOWN-ATTRIBUTES attribute is present only in a Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Error
Response(反应,回签,回音) or Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Error Response when the response code in
the ERROR-CODE attribute is 420.
The attribute contains(包含,等于,容纳,抑制) a list of 16 bit values, each of which
represents(表现,代表,象征) an attribute type that was not understood by the server.
If the number of unknown attributes is an odd number, one of the
attributes MUST be repeated in the list, so that the total length of
the list is a multiple(倍数,并联,多个) of 4 bytes.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute 1 Type | Attribute 2 Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute 3 Type | Attribute 4 Type ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
11.2.11 REFLECTED(反射,思考)-FROM
The REFLECTED-FROM attribute is present only in Binding Responses,
when the Binding Request contained a RESPONSE-ADDRESS attribute. The
attribute contains the identity(认同,身分,特性) (in terms(词,期,项,称为,术语,条件) of IP address) of the
source where the request(请求,需要) came from. Its purpose(打算,效果,意图,用途) is to provide(供给,提供,装备)
traceability(跟踪能力), so that a STUN server cannot be used as a reflector(反射镜,反射器) for
denial(否定,否认,拒绝)-of-service attacks(攻击,侵袭,受袭).
Its syntax(句法,语法) is identical(恒等,同样,相同) to the MAPPED-ADDRESS attribute.
12. Security(安全,证券) Considerations(考虑,体贴)
12.1 Attacks on STUN(打晕,吓呆)
Generally(总,将军,一般) speaking, attacks on STUN can be classified(分等,分类,归类) into denial of
service attacks and eavesdropping attacks. Denial of service attacks
can be launched(创办,发动,投射,开始) against a STUN server itself, or against other
elements(成分,要素,元件) using the STUN protocol(礼节,协议).
STUN servers create state through the Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request
mechanism(机理,机械). To prevent(防止,妨碍,阻碍) being swamped(淹没,沼泽,泥沼状) with traffic(车,交通,交易,运), a STUN server
SHOULD limit(范围,极限,界限) the number of simultaneous(同时,同时存在) TLS connections(连接,联系,连贯性) it will hold
open by dropping an existing connection when a new connection request(请求,需要)
arrives(达到,来临,抵达某地) (based on an Least Recently(近来,新近,最近的) Used (LRU) policy(方针,政策,保险单), for example).
Similarly(类似,相象), it SHOULD limit the number of shared secrets it will
store, in the event that the server is storing the shared secrets.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 31]
RFC 3489 STUN March 2003
The attacks(攻击,侵袭,受袭) of greater interest are those in which the STUN(打晕,吓呆) server
and client(顾客,用户,当事人) are used to launch do
S attacks against other entities(存在,实体,实体物,统一体),
including the client itself.
Many of the attacks require(命令,请求,需要) the attacker to generate(导致,引起) a response(反应,回签,回音) to a
legitimate(合法,合理,证明有理) STUN request, in order to provide(供给,提供,装备) the client with a faked(伪造,虚构,云母板状岩)
MAPPED-ADDRESS. The attacks that can be launched(创办,发动,投射,开始) using such a
technique(技能,技术) include:
12.1.1 Attack I: DDOS Against a Target
In this case, the attacker provides a large number of clients with
the same faked MAPPED-ADDRESS that points to the intended(打算,企图,想要,意指) target.
This will trick(诡计,哄骗,窍门) all the STUN clients into thinking that their
addresses are equal(等于,胜任) to that of the target. The clients then
hand out
that address in order to receive(承受,得到,接待) traffic(车,交通,交易,运) on it (for example, in SIP
or H.323 messages). However, all of that traffic becomes focused at
the intended target. The attack can provide substantial(本质,大量,坚固,物质)
amplification(放大), especially(特别,特殊,专门) when used with clients that are using STUN
to enable multimedia(多媒体,多种手段) applications(请求,施/应用,程序,软件).
12.1.2 Attack(攻击,侵袭,受袭) II: Silencing a Client
In this attack, the attacker seeks to deny a client access(访问,接近,入口,通道) to
services enabled by STUN(打晕,吓呆) (for example, a client(顾客,用户,当事人) using STUN to enable
SIP-based multimedia traffic). To do
that, the attacker provides
that client with a faked MAPPED-ADDRESS. The MAPPED-ADDRESS it
provides is an IP address that routes(路,航线,路程) to nowhere. As a result, the
client won't receive any of the packets(包,袋,群,组,套,捆) it expects(等待,期待,预期) to receive when it
hands out the MAPPED-ADDRESS.
This exploitation(开发,利用) is not very interesting for the attacker. It
impacts(冲击,碰撞,压紧,影响) a single client, which is frequently(常到,常去,频繁) not the desired(期望,相望,想要,要求) target.
Moreover(此外,而且,况且), any attacker that can mount(爬,安装,山,固定) the attack could also deny
service to the client by other means, such as preventing(防止,妨碍,阻碍) the client
from receiving any response(反应,回签,回音) from the STUN server, or even a DHCP
server.
12.1.3 Attack III: Assuming(呈现,承担,假定) the Identity(认同,身分,特性) of a Client
This attack is similar(类似,相象) to attack II. However, the faked(伪造,虚构,云母板状岩) MAPPED-
ADDRESS points to the attacker themself. This allows the attacker to
receive(承受,得到,接待) traffic(车,交通,交易,运) which was destined(命定,预定) for the client.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 32]
RFC 3489 STUN March 2003
12.1.4 Attack(攻击,侵袭,受袭) IV: Eavesdropping
In this attack, the attacker forces the client to use a MAPPED-
ADDRESS that routes to itself. It then
forwards any packets it
receives to the client. This attack would allow the attacker to
observe(遵守,观测/察,注意) all packets sent to the client(顾客,用户,当事人). However, in order to launch(创办,发动,投射,开始)
the attack, the attacker must have already been able to observe
packets(包,袋,群,组,套,捆) from the client to the STUN(打晕,吓呆) server. In most cases (such as
when the attack is launched from an access(访问,接近,入口,通道) network), this means that
the attacker could already observe packets sent to the client. This
attack is, as a result, only useful for observing traffic by
attackers on the path from the client to the STUN server, but not
generally(总,将军,一般) on the path of packets being routed(路,航线,路程) towards the client.
12.2 Launching the Attacks
It is important to note that attacks of this nature (injecting(喷射,注满,注入)
responses with fake MAPPED-ADDRESSes) require(命令,请求,需要) that the attacker be
capable(有才能,有能力) of eavesdropping requests sent from the client to the server
(or to act as a MITM for such attacks). This is because STUN
requests contain(包含,等于,容纳,抑制) a transaction(处理,和解,交易) identifier(标识,鉴别,认出,验明), selected(选,精选) by the client,
which is random with 128 bits of entropy(熵). The server echoes this
value in the response(反应,回签,回音), and the client ignores(不顾,不理,忽略,忽视) any responses that
do
n't have a matching transaction ID. Therefore, in order for an
attacker to provide(供给,提供,装备) a faked(伪造,虚构,云母板状岩) response that is accepted(承担,公认,接受,同意) by the client,
the attacker(攻击,侵袭,受袭) needs to know what the transaction ID in the request
was. The large amount(和,合计,金额,数量) of randomness(随机性), combined(集团,结合,收割机) with the need to know
when the client(顾客,用户,当事人) sends a request, precludes(避免,除去,排除,预防) attacks that involve(包括,牵涉,占用,参加)
guessing the transaction ID.
Since all of the above attacks rely(信赖,依靠) on this one primitive(粗糙,简单,原语,原始人) - injecting(喷射,注满,注入)
a response with a faked MAPPED-ADDRESS - preventing(防止,妨碍,阻碍) the attacks is
accomplished(达到,精通,完成) by preventing this one operation(操作,手术,运算). To prevent it, we
need to consider(关心,考虑,认为,体谅) the various(不同,多样,各种) ways in which it can be accomplished.
There are several:
12.2.1 Approach(逼近,态度,途径) I: Compromise(和解,损害,妥协) a Legitimate(合法,合理,证明有理) STUN(打晕,吓呆) Server
In this attack, the attacker compromises a legitimate STUN server
through a virus(病毒,毒素,病原体) or Trojan(troy的,特洛伊) horse. Presumably(大概,也许,推测起来), this would allow the
attacker(攻击,侵袭,受袭) to take over the STUN server, and control the types of
responses(反应,回签,回音) it generates(导致,引起).
Compromise of a STUN server can also lead to discovery(暴露,发现,看出) of open ports.
Knowledge(学识,知道) of an open port creates an opportunity(机会) for do
S attacks on
those ports (or DDoS attacks if the traversed(横渡,横过,曲线) NAT is a full cone(圆锥,锥体,成锥形)
NAT). Discovering open ports is already fairly(公平,集市,相当,修整,博览会,流线型) trivial(平常,平庸,琐碎,细小) using port
probing(或然), so this do
es not represent(表现,代表,象征) a major(多数,较大,主修,专业) threat(恐吓,威胁,凶兆).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 33]
RFC 3489 STUN March 2003
12.2.2 Approach(逼近,态度,途径) II: DNS Attacks
STUN servers are discovered using DNS SRV records(唱片,档案,记录). If an attacker
can compromise(和解,损害,妥协) the DNS, it can inject(喷射,注满,注入) fake(伪造,虚构,云母板状岩) records which map a do
main(领土,领域,主机)
name to the IP address of a STUN(打晕,吓呆) server run by the attacker(攻击,侵袭,受袭). This
will allow it to inject fake responses(反应,回签,回音) to launch(创办,发动,投射,开始) any of the attacks
above.
12.2.3 Approach III: Rogue(恶棍,流氓,捉弄) Router(刻,大败,溃败,输送) or NAT
Rather than compromise the STUN server, an attacker can cause a STUN
server to generate(导致,引起) responses with the wrong MAPPED-ADDRESS by
compromising a router or NAT on the path from the client(顾客,用户,当事人) to the STUN
server. When the STUN request(请求,需要) passes through the rogue router or
NAT, it rewrites(改写,再生,重写) the source address of the packet(包,袋,群,组,套,捆) to be that of the
desired(期望,相望,想要,要求) MAPPED-ADDRESS. This address cannot be arbitrary(任意,专断,不理智). If the
attacker is on the public Internet (that is, there are no NATs
between it and the STUN server), and the attacker do
esn't modify(变更,缓和,修改,修饰) the
STUN request, the address has to have the property(财产,特性,性能) that packets sent
from the STUN server to that address would route(路,航线,路程) through the
compromised router. This is because the STUN server will send the
responses back to the source address of the request. With a modified
source address, the only way they can reach the client is if the
compromised router directs them there. If the attacker is on the
public Internet, but they can modify the STUN request, they can
insert a RESPONSE-ADDRESS attribute(归于,品质,特性) into the request, containing(包含,等于,容纳,抑制) the
actual(实际,现行) source address of the STUN request. This will cause the
server to send the response to the client, independent(独立,自主,无党派) of the source
address the STUN server sees. This gives the attacker the ability(本领,才干,才能,技能) to
forge(编造,锤炼,铁铺,前进) an arbitrary source address when it forwards the STUN(打晕,吓呆) request.
If the attacker(攻击,侵袭,受袭) is on a private(个人,秘密,专用) network (that is, there are NATs
between it and the STUN server), the attacker will not be able to
force the server to generate arbitrary MAPPED-ADRESSes in responses(反应,回签,回音).
They will only be able force the STUN server to generate MAPPED-
ADDRESSes which route to the private network. This is because the
NAT between the attacker and the STUN server will rewrite the source
address of the STUN request, mapping it to a public address that
routes to the private network. Because of this, the attacker can
only force the server to generate faked(伪造,虚构,云母板状岩) mapped addresses that route
to the private network. Unfortunately(不幸,可取), it is possible that a low
quality(合格,品质,特性) NAT would be willing to map an allocated(拨下,分配) public address to
another public address (as opposed(反对,反抗,对比) to an internal(内,本质性) private address),
in which case the attacker could forge the source address in a STUN
request(请求,需要) to be an arbitrary public address. This kind of behavior(表现,举止,态度,行为)
from NATs do
es appear to be rare(非常,罕见,稀罕,稀少).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 34]
RFC 3489 STUN March 2003
12.2.4 Approach(逼近,态度,途径) IV: MITM
As an alternative(交替,选择,替换) to approach III, if the attacker can place an
element(成分,要素,元件) on the path from the client(顾客,用户,当事人) to the server, the element can
act as a man-in-the-middle. In that case, it can intercept(截距,截取,阻止) a STUN
request, and generate(导致,引起) a STUN response directly with any desired(期望,相望,想要,要求) value
of the MAPPED-ADDRESS field. Alternatively, it can forward the STUN
request to the server (after potential(可能,潜力,电动势) modification(改变,缓和,修饰)), receive(承受,得到,接待) the
response, and forward it to the client. When forwarding the request
and response, this attack(攻击,侵袭,受袭) is subject(从属,科目,事物,主题) to the same limitations(局限,限度) on the
MAPPED-ADDRESS described(描绘,描述,形容,作图) in Section(部分,部门,切片,区) 12.2.3.
12.2.5 Approach V: Response(反应,回签,回音) Injection(充满,注入) Plus do
S
In this approach, the attacker do
es not need to be a MITM (as in
approaches III and IV). Rather, it only needs to be able to
eavesdrop(窃听,偷听) onto a network segment(段,部分,切,扇形) that carries STUN(打晕,吓呆) requests(请求,需要). This is
easily do
ne in multiple(倍数,并联,多个) access(访问,接近,入口,通道) networks such as ethernet(以太网) or
unprotected 802.11. To inject(喷射,注满,注入) the fake(伪造,虚构,云母板状岩) response, the attacker
listens on the network for a STUN request. When it sees one, it
simultaneously(同时,同时存在) launches(创办,发动,投射,开始) a do
S attack on the STUN server, and
generates(导致,引起) its own STUN response with the desired(期望,相望,想要,要求) MAPPED-ADDRESS
value. The STUN response generated by the attacker will reach the
client(顾客,用户,当事人), and the do
S attack against the server is aimed(瞄准,目标,针对,指向) at preventing(防止,妨碍,阻碍)
the legitimate(合法,合理,证明有理) response from the server from reaching the client.
Arguably(可论证地), the attacker(攻击,侵袭,受袭) can do
without the do
S attack on the server,
so long as the faked response beats(打,敲,击败,搅拌,拍音,心跳) the real response(反应,回签,回音) back to the
client, and the client uses the first response, and ignores(不顾,不理,忽略,忽视) the
second (even though it's different(不同,差异,各种)).
12.2.6 Approach(逼近,态度,途径) VI: Duplication(加倍,成双重)
This approach is similar(类似,相象) to approach V. The attacker listens on the
network for a STUN(打晕,吓呆) request(请求,需要). When it sees it, it generates its own
STUN request towards the server. This STUN request is identical(恒等,同样,相同) to
the one it saw, but with a spoofed(嘲讽,诳骗,揶揄) source IP address. The spoofed
address is equal(等于,胜任) to the one that the attacker desires to have placed
in the MAPPED-ADDRESS of the STUN response. In fact, the attacker
generates a flood(泛滥,洪水,淹没,涨潮) of such packets(包,袋,群,组,套,捆). The STUN server will receive(承受,得到,接待) the
one original(新颖,原始,原物,最初) request, plus a flood of duplicate(二重,复本,加倍) fake(伪造,虚构,云母板状岩) ones. It
generates(导致,引起) responses to all of them. If the flood is sufficiently(充分,充足)
large for the responses to congest(充血,拥挤,阻塞,充满) routers(刻,大败,溃败,输送) or some other equipment(配备,器材,设备),
there is a reasonable(公道,合理) probability(概率,可能,可能性) that the one real response(反应,回签,回音) is lost
(along with many of the faked ones), but the net result is that only
the faked responses are received by the STUN client(顾客,用户,当事人). These responses
are all identical and all contain(包含,等于,容纳,抑制) the MAPPED-ADDRESS that the
attacker(攻击,侵袭,受袭) wanted the client to use.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 35]
RFC 3489 STUN(打晕,吓呆) March 2003
The flood of duplicate packets is not needed (that is, only one faked
request(请求,需要) is sent), so long as the faked response beats(打,敲,击败,搅拌,拍音,心跳) the real
response back to the client, and the client uses the first response,
and ignores(不顾,不理,忽略,忽视) the second (even though it's different(不同,差异,各种)).
Note that, in this approach(逼近,态度,途径), launching(创办,发动,投射,开始) a do
S attack against the STUN
server or the IP network, to prevent(防止,妨碍,阻碍) the valid(有效,正当) response from being
sent or received(承受,得到,接待), is problematic(有问题). The attacker needs the STUN server
to be available(可用,通用) to handle its own request. Due to the periodic(定时,周期)
retransmissions(中继) of the request from the client, this leaves a very
tiny window of opportunity(机会). The attacker must start the do
S attack
immediately(立即,立刻,直接) after the actual(实际,现行) request from the client, causing the
correct(改正,纠正,恰当) response(反应,回签,回音) to be discarded(丢弃,废除,扔掉,删除), and then
cease(间断,结束,平息,停止) the do
S attack(攻击,侵袭,受袭) in
order to send its own request, all before the next retransmission
from the client(顾客,用户,当事人). Due to the close spacing of the retransmits(中继,重新发送) (100ms
to a few seconds), this is very difficult(艰苦,困难) to do
.
Besides do
S attacks, there may be other ways to prevent the actual
request(请求,需要) from the client from reaching the server. Layer 2
manipulations(操纵), for example, might be able to accomplish(达到,精通,完成) it.
Fortunately(侥幸,带来好运), Approach(逼近,态度,途径) IV is subject(从属,科目,事物,主题) to the same limitations(局限,限度)
do
cumented(公文,文档,证件) in Section(部分,部门,切片,区) 12.2.3, which limit(范围,极限,界限) the range(排,行,山脉,范围) of MAPPED-
ADDRESSes the attacker can cause the STUN(打晕,吓呆) server to generate(导致,引起).
12.3 Countermeasures(对策,干扰)
STUN provides(供给,提供,装备) mechanisms(机理,机械) to counter the approaches described(描绘,描述,形容,作图) above,
and additional(附加,增加), non-STUN techniques(技能,技术) can be used as well.
First off, it is RECOMMENDED(建议,介绍,劝告,推荐) that networks with STUN clients(顾客,用户,当事人)
implement(仪器,工具,执行,生效) ingress source filtering(过滤,渗入,筛选) (RFC 2827 [7]). This is
particularly(苛求,事实,特别,细节) important for the NATs themselves. As Section 12.2.3
explains(辩解,解释,说明), NATs which do
not perform(表演,履行,提供,完成) this check can be used as
"reflectors(反射镜,反射器)" in DDoS attacks(攻击,侵袭,受袭). Most NATs do
perform this check as a
default mode of operation(操作,手术,运算). We strongly advise(建议,劝告,通知) people that purchase(买,采购,支点,珀切斯)
NATs to ensure(保护,保险,赋予) that this capability(才能,能力) is present(给,礼物,显示,现在) and enabled.
Secondly, it is RECOMMENDED that STUN(打晕,吓呆) servers be run on hosts
dedicated(奉献,贡献,致力,专用) to STUN, with all UDP and TCP ports disabled(禁用,残废,伤残) except for the
STUN ports. This is to prevent(防止,妨碍,阻碍) viruses(病毒,毒素,病原体) and Trojan(troy的,特洛伊) horses from
infecting(传染,感染,受影响) STUN servers, in order to prevent their compromise(和解,损害,妥协). This
helps mitigate(缓和,减轻) Approach(逼近,态度,途径) I (Section(部分,部门,切片,区) 12.2.1).
Thirdly, to prevent the DNS attack of Section 12.2.2, Section 9.2
recommends(建议,介绍,劝告,推荐) that the client(顾客,用户,当事人) verify(查证,核实,检验,证明) the credentials(信任,证书) provided(供给,提供,装备) by the
server with the name used in the DNS lookup(检查).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 36]
RFC 3489 STUN March 2003
Finally(结局,决赛,最后,决定性), all of the attacks(攻击,侵袭,受袭) above rely(信赖,依靠) on the client taking the
mapped address it learned from STUN, and using it in application(请求,施/应用,程序,软件)
layer protocols(礼节,协议). If encryption(加密) and message integrity(诚实,完整,正直) are provided
within those protocols, the eavesdropping and identity(认同,身分,特性) assumption(傲慢,采取,假定)
attacks can be prevented(防止,妨碍,阻碍). As such, applications that make use of
STUN(打晕,吓呆) addresses in application protocols SHOULD use integrity and
encryption, even if a SHOULD level strength is not specified(规定,指定,明确说明) for that
protocol. For example, multimedia(多媒体,多种手段) applications using STUN addresses
to receive(承受,得到,接待) RTP traffic(车,交通,交易,运) would use secure(安全,保证,获得,无虑的) RTP [16].
The above three techniques(技能,技术) are non-STUN mechanisms(机理,机械). STUN itself
provides several countermeasures(对策,干扰).
Approaches(逼近,态度,途径) IV (Section(部分,部门,切片,区) 12.2.4), when generating(导致,引起) the response(反应,回签,回音) locally(本地,区域,地方性),
and V (Section 12.2.5) require(命令,请求,需要) an attacker(攻击,侵袭,受袭) to generate a faked(伪造,虚构,云母板状岩)
response. This attack is prevented using the message integrity
mechanism provided(供给,提供,装备) in STUN, described(描绘,描述,形容,作图) in Section 8.1.
Approaches III (Section 12.2.3) IV (Section 12.2.4), when using the
relaying(换班,中继,转播,继电器,接替) technique, and VI (12.2.6), however, are not preventable(可防止)
through server signatures(签名,说明). Both approaches are most potent(有效,强有力) when the
attacker can modify(变更,缓和,修改,修饰) the request, inserting a RESPONSE-ADDRESS that
routes(路,航线,路程) to the client(顾客,用户,当事人). Fortunately(侥幸,带来好运), such modifications(改变,缓和,修饰) are
preventable using the message integrity(诚实,完整,正直) techniques(技能,技术) described in
Section 9.3. However, these three approaches are still functional(功能,函数,起作用)
when the attacker modifies nothing but the source address of the STUN(打晕,吓呆)
request. Sadly, this is the one thing that cannot be protected(保护,保卫,警戒)
through cryptographic(密码,关于暗号) means, as this is the change that STUN itself
is seeking to detect(察觉,发觉,发现,检测) and report. It is therefore an inherent(固有,内在,与生俱来)
weakness(脆弱,缺点) in NAT, and not fixable(可安定) in STUN. To help mitigate(缓和,减轻) these
attacks(攻击,侵袭,受袭), Section(部分,部门,切片,区) 9.4 provides(供给,提供,装备) several heuristics(渐进,试探,推断) for the client to
follow. The client looks for inconsistent(不一致) or extra responses(反应,回签,回音), both
of which are signs of the attacks described(描绘,描述,形容,作图) above. However, these
heuristics are just that - heuristics, and cannot be guaranteed(保证,承认,担保物) to
prevent(防止,妨碍,阻碍) attacks. The heuristics appear to prevent the attacks as we
know how to launch(创办,发动,投射,开始) them today. Implementors should stay posted for
information(数据,通知,信息,资料) on new heuristics that might be required(命令,请求,需要) in the future(将来,期货,前途).
Such information will be distributed(分布,分配,配给,散布) on the IETF MIDCOM mailing list,
midcom@ietf.org.
12.4 Residual(残留,剩余) Threats(恐吓,威胁,凶兆)
None of the countermeasures(对策,干扰) listed above can prevent the attacks
described in Section 12.2.3 if the attacker is in the appropriate(拨给,恰当,侵占)
network paths. Specifically(明确地,特别地), consider(关心,考虑,认为,体谅) the case in which the attacker
wishes to convince(信服,确信,认识) client(顾客,用户,当事人) C that it has address V. The attacker(攻击,侵袭,受袭)
needs to have a network element(成分,要素,元件) on the path between A and the server
(in order to modify(变更,缓和,修改,修饰) the request) and on the path between the server
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 37]
RFC 3489 STUN(打晕,吓呆) March 2003
and V so that it can forward the response(反应,回签,回音) to C. Furthermore(此外,而且), if
there is a NAT between the attacker and the server, V must also be
behind the same NAT. In such a situation(处境,情形,位置,状况), the attacker can either
gain access(访问,接近,入口,通道) to all the application(请求,施/应用,程序,软件)-layer traffic(车,交通,交易,运) or mount(爬,安装,山,固定) the DDOS
attack described(描绘,描述,形容,作图) in Section(部分,部门,切片,区) 12.1.1. Note that any host which exists
in the correct(改正,纠正,恰当) topological(拓扑) relationship(关系,联系) can be DDOSed. It need not
be using STUN.
13. IANA Considerations(考虑,体贴)
STUN cannot be extended(长期,扩大,伸长). Changes to the protocol(礼节,协议) are made through a
standards track revision(复习,修订本) of this specification(规格,详述,载明). As a result, no IANA
registries(登记) are needed. Any future(将来,期货,前途) extensions(伸展,延长) will establish(建立,确定,移植) any
needed registries.
14. IAB Considerations
The IAB has studied the problem(课题,难题) of "Unilateral(单边,片面,单向作用) Self Address Fixing",
which is the general(总,将军,一般) process(程序,处理,起诉,变) by which a client(顾客,用户,当事人) attempts(尝试,攻击,企图,袭击) to determine(测定,查明,决定,决心)
its address in another realm(国土,领域,区域) on the other side of a NAT through a
collaborative(合作,协作) protocol reflection(反射,反映,感想,思考) mechanism(机理,机械) (RFC 3424 [17]). STUN(打晕,吓呆) is
an example of a protocol that performs(表演,履行,提供,完成) this type of function. The
IAB has mandated(命令,批准,委托,要求) that any protocols developed(成长,发展,开发,显现) for this purpose(打算,效果,意图,用途)
do
cument(公文,文档,证件) a specific(精确,特定,特性,细微) set of considerations(考虑,体贴). This section(部分,部门,切片,区) meets those
requirements(需求,需要).
14.1 Problem Definition(定界,定义,释义)
From RFC 3424 [17], any UNSAF proposal(计划,建议,求婚,提出) must provide(供给,提供,装备):
Precise(精密,精确,严格) definition of a specific, limited(范围,极限,界限)-scope(域,范围,机会,显微镜) problem(课题,难题) that is to
be solved(解答,解决) with the UNSAF proposal. A short term(词,期,项,称为,术语,条件) fix should not be
generalized(概括,归纳,总结) to solve other problems;
this is why "short term fixes
usually aren't".
The specific problems being solved by STUN are:
o Provide a means for a client(顾客,用户,当事人) to detect(察觉,发觉,发现,检测) the presence(有,在,出席,存在,到场) of one or more
NATs between it and a server run by a service provider on the
public Internet. The purpose of such detection(察觉,发觉,探测) is to determine(测定,查明,决定,决心)
additional(附加,增加) steps that might be necessary in order to receive(承受,得到,接待)
service from that particular(苛求,事实,特别,细节) provider.
o Provide a means for a client to detect the presence of one or more
NATs between it and another client, where the second client is
reachable(可达到) from the first, but it is not known whether the second
client resides(存在,居住,属于,驻留) on the public Internet.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 38]
RFC 3489 STUN(打晕,吓呆) March 2003
o Provide a means for a client to obtain an address on the public
Internet from a non-symmetric(对称) NAT, for the express(表白,快/车,明确) purpose(打算,效果,意图,用途) of
receiving incoming(进款,收入,收益,所得) UDP traffic(车,交通,交易,运) from another host, targeted to that
address.
STUN do
es not address TCP, either incoming or outgoing(动身,输出,外出,即将离去), and do
es not
address outgoing UDP communications(传达,交通,通讯).
14.2 Exit Strategy(策略,计谋,战略)
From [17], any UNSAF proposal(计划,建议,求婚,提出) must provide(供给,提供,装备):
Description(描写,叙述,种类) of an exit strategy/transition(变迁,过渡,转变) plan. The better short
term(词,期,项,称为,术语,条件) fixes are the ones that will naturally(本来,天然,通常) see less and less use
as the appropriate(拨给,恰当,侵占) technology(工艺,技术,工艺学,制造学) is deployed(布置,散开,展开).
STUN comes with its own built in exit strategy. This strategy is the
detection(察觉,发觉,探测) operation(操作,手术,运算) that is performed(表演,履行,提供,完成) as a precursor(先驱,先兆,预报器) to the actual(实际,现行)
UNSAF address-fixing operation. This discovery(暴露,发现,看出) operation, do
cumented(公文,文档,证件)
in Section(部分,部门,切片,区) 10.1, attempts(尝试,攻击,企图,袭击) to discover the existence(存在,生存,实在) of, and type of,
any NATS between the client(顾客,用户,当事人) and the service provider network. Whilst
the detection of the specific(精确,特定,特性,细微) type of NAT may be brittle(脆,易碎), the
discovery of the existence of NAT is itself quite robust(粗壮,坚固,强健). As NATs
are phased(相,侧/方面,阶段,时期,形态,调整) out through the deployment(部署,展开) of IPv6, the discovery
operation will return immediately(立即,立刻,直接) with the result that there is no
NAT, and no further operations are required(命令,请求,需要). Indeed, the discovery
operation itself can be used to help motivate(促动,促进,激发,激起) deployment of IPv6;
if
a user detects(察觉,发觉,发现,检测) a NAT between themselves and the public Internet, they
can call up their access(访问,接近,入口,通道) provider(供给,提供,装备) and complain(抱怨,拆苦,控告) about it.
STUN(打晕,吓呆) can also help facilitate(帮助,促进,助长,容易) the introduction(介绍,引进/言) of midcom. As
midcom-capable(有才能,有能力) NATs are deployed(布置,散开,展开), applications(请求,施/应用,程序,软件) will, instead(代替,当作,反而,改为) of using
STUN (which also resides(存在,居住,属于,驻留) at the application layer), first allocate(拨下,分配) an
address binding(绑捆,包扎,结合,联接,凝固,约束,装钉) using midcom. However, it is a well-known limitation(局限,限度)
of midcom that it only works when the agent(代理,服务,试剂,特工) knows the middleboxes
through which its traffic(车,交通,交易,运) will flow(流,流畅,飘垂,涨潮). Once bindings have been
allocated from those middleboxes, a STUN detection(察觉,发觉,探测) procedure can
validate(确认,验证,证实,生效) that there are no additional(附加,增加) middleboxes on the path from
the public Internet to the client(顾客,用户,当事人). If this is the case, the
application can continue operation(操作,手术,运算) using the address bindings
allocated from midcom. If it is not the case, STUN provides a
mechanism(机理,机械) for self-address fixing through the remaining(保持,残骸,废墟,留下) midcom-
unaware(意外,不知道) middleboxes. Thus, STUN(打晕,吓呆) provides(供给,提供,装备) a way to help transition(变迁,过渡,转变) to
full midcom-aware(知道,意识到) networks.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 39]
RFC 3489 STUN March 2003
14.3 Brittleness(脆度,脆性) Introduced(采用,传入,介绍) by STUN
From [17], any UNSAF proposal(计划,建议,求婚,提出) must provide:
Discussion(论述,谈论) of specific(精确,特定,特性,细微) issues(颁布,发出,问题,争议) that may render(表达,翻译,给予,渲染) systems more
"brittle(脆,易碎)". For example, approaches(逼近,态度,途径) that involve(包括,牵涉,占用,参加) using data at
multiple(倍数,并联,多个) network layers create more dependencies(属国,从属性), increase(增长,增大)
debugging challenges(挑战,需要,质问), and make it harder to transition.
STUN introduces brittleness into the system in several ways:
o The discovery(暴露,发现,看出) process(程序,处理,起诉,变) assumes(呈现,承担,假定) a certain classification(分级,分类) of devices(方法,设备,装置)
based on their treatment(处理,待遇,治疗) of UDP. There could be other types of
NATs that are deployed(布置,散开,展开) that would not fit into one of these molds(霉,浇铸,模压,模子,气质,塑造).
Therefore, future(将来,期货,前途) NATs may not be properly(本来,合适,完全地) detected(察觉,发觉,发现,检测) by STUN(打晕,吓呆). STUN
clients(顾客,用户,当事人) (but not servers) would need to change to accommodate(调节/停,供给,适应)
that.
o The binding(绑捆,包扎,结合,联接,凝固,约束,装钉) acquisition(获得) usage(对待,用,用法,习惯法) of STUN do
es not work for all NAT
types. It will work for any application(请求,施/应用,程序,软件) for full cone(圆锥,锥体,成锥形) NATs only.
For restricted(限定,限制,约束) cone and port restricted cone NAT, it will work for
some applications depending(相信,依靠,取决于) on the application. Application
specific(精确,特定,特性,细微) processing will generally(总,将军,一般) be needed. For symmetric(对称) NATs,
the binding acquisition will not yield(产出,产量,屈服,让与) a usable(可用) address. The
tight(紧,绷紧,牢固,紧身衣) dependency(属国,从属性) on the specific type of NAT makes the protocol(礼节,协议)
brittle(脆,易碎).
o STUN assumes(呈现,承担,假定) that the server exists on the public Internet. If
the server is located(查出,地点,定位,找出) in another private(个人,秘密,专用) address realm(国土,领域,区域), the user
may or may not be able to use its discovered(暴露,发现,看出) address to
communicate(传播/递,通话/信) with other users. There is no way to detect(察觉,发觉,发现,检测) such a
condition(环境,条件,支配,状况).
o The bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) allocated(拨下,分配) from the NAT need to be continuously
refreshed(刷新,清新,振作,恢复). Since the timeouts(超时,停工时间) for these bindings is very
implementation(实现,实行) specific(精确,特定,特性,细微), the refresh interval(间隔,间距,休息) cannot easily be
determined(坚决,决定). When the binding is not being actively used to
receive(承受,得到,接待) traffic(车,交通,交易,运), but to wait for an incoming(进款,收入,收益,所得) message, the binding
refresh will needlessly(无用,不必要) consume(花费,用,消费,消耗) network bandwidth(带幅,带宽).
o The use of the STUN(打晕,吓呆) server as an additional(附加,增加) network element(成分,要素,元件)
introduces(采用,传入,介绍) another point of potential(可能,潜力,电动势) security(安全,证券) attack(攻击,侵袭,受袭). These
attacks are largely prevented(防止,妨碍,阻碍) by the security measures(测量,尺寸,措施) provided(供给,提供,装备) by
STUN, but not entirely(全部,整个,总体).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 40]
RFC 3489 STUN March 2003
o The use of the STUN server as an additional network element
introduces another point of failure(破产,失败,失灵,疏忽). If the client(顾客,用户,当事人) cannot locate(查出,地点,定位,找出)
a STUN server, or if the server should be unavailable(不近便,不能利用) due to
failure, the application(请求,施/应用,程序,软件) cannot function.
o The use of STUN to discover(暴露,发现,看出) address bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) will result in an
increase(增长,增大) in latency(潜伏,潜在,等待时间) for applications. For example, a Voice(声,发声,嗓音,吐露,意见,语态) over
IP application will see an increase of call setup delays(耽搁,耽误,推迟,延迟) equal(等于,胜任) to
at least one RTT to the STUN(打晕,吓呆) server.
o The discovery of binding lifetimes(终生,一直,寿命) is prone(俯伏,俯卧,易于) to error. It assumes(呈现,承担,假定)
that the same lifetime will exist for all bindings. This may not
be true if the NAT uses dynamic(动力,动态,有活力) binding lifetimes to handle
overload(超载,超载,负担过重), or if the NAT itself reboots(重新启动) during the discovery
process(程序,处理,起诉,变).
o STUN imposes(征,强迫,欺骗,征税) some restrictions(限定,限制,约束) on the network topologies(拓扑,地志学) for
proper(本来,合适,完全地) operation(操作,手术,运算). If client(顾客,用户,当事人) A obtains(得到) an address from STUN server
X, and sends it to client B, B may not be able to send to A using
that IP address. The address will not work if any of the
following is true:
- The STUN server is not in an address realm(国土,领域,区域) that is a common
ancestor(上代,祖先) (topologically) of both clients A and B. For example,
consider(关心,考虑,认为,体谅) client A and B, both of which have residential(住宅) NAT
devices(方法,设备,装置). Both devices connect them to their cable operators(操作员,运算符),
but both clients have different(不同,差异,各种) providers(供给,提供,装备). Each provider has a
NAT in front of their entire(全部,整个,总体) network, connecting it to the
public Internet. If the STUN(打晕,吓呆) server used by A is in A's cable
operator's network, an address obtained by it will not be
usable(可用) by B. The STUN server must be in the network which is a
common ancestor to both - in this case, the public Internet.
- The STUN server is in an address realm that is a common
ancestor to both clients, but both clients are behind the same
NAT connecting to that address realm. For example, if the two
clients in the previous(前,先,在前) example had the same cable operator,
that cable operator had a single NAT connecting their network
to the public Internet, and the STUN server was on the public
Internet, the address obtained by A would not be usable by B.
That is because some NATs will not accept(承担,公认,接受,同意) an internal(内,本质性) packet(包,袋,群,组,套,捆)
sent to a public IP address which is mapped back to an internal
address. To deal(处理,待遇,对付,给,交易,买卖,数量) with this, additional(附加,增加) protocol(礼节,协议) mechanisms(机理,机械) or
configuration(构造) parameters(参数,参量) need to be introduced(采用,传入,介绍) which detect(察觉,发觉,发现,检测)
this case.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 41]
RFC 3489 STUN March 2003
o Most significantly(有效,重大), STUN introduces potential(可能,潜力,电动势) security(安全,证券) threats(恐吓,威胁,凶兆)
which cannot be eliminated(除去,排除,取消,淘汰,消灭). This specification(规格,详述,载明) describes(描绘,描述,形容,作图)
heuristics(渐进,试探,推断) that can be used to mitigate(缓和,减轻) the problem(课题,难题), but it is
provably(可证明地) unsolvable(不可解) given what STUN(打晕,吓呆) is trying to accomplish(达到,精通,完成).
These security problems are described fully in Section(部分,部门,切片,区) 12.
14.4 Requirements(需求,需要) for a Long Term(词,期,项,称为,术语,条件) Solution(解答,解决,溶液)
From [17], any UNSAF proposal(计划,建议,求婚,提出) must provide(供给,提供,装备):
Identify(标识,鉴别,认出,验明) requirements for longer term, sound technical(工艺,技能,技术术语) solutions
-- contribute(贡献,捐助,投稿) to the process(程序,处理,起诉,变) of finding the right longer term
solution.
Our experience(感受,经历,经验) with STUN has led to the following requirements for a
long term solution to the NAT problem:
Requests(请求,需要) for bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) and control of other resources(策略,机智,物力,资源) in a NAT
need to be explicit(明白,明确,清楚). Much of the brittleness(脆度,脆性) in STUN derives(导致,得来,起源) from
its guessing at the parameters(参数,参量) of the NAT, rather than telling the
NAT what parameters to use.
Control needs to be "in-band". There are far too many scenarios(剧本,情节,剧情说明书)
in which the client(顾客,用户,当事人) will not know about the location of
middleboxes ahead of time. Instead(代替,当作,反而,改为), control of such boxes needs
to occur(出现,存在,发生,产出) in-band, traveling(传导,旅行) along the same path as the data will
itself travel. This guarantees(保证,承认,担保物) that the right set of middleboxes
are controlled. This is only true for first-party controls;
third-party controls are best handled using the midcom framework(构架,框架,体制,组织).
Control needs to be limited(范围,极限,界限). Users will need to communicate(传播/递,通话/信)
through NATs which are outside of their administrative(管理,行政) control.
In order for providers(供给,提供,装备) to be willing to deploy(布置,散开,展开) NATs which can be
controlled by users in different(不同,差异,各种) do
mains(领土,领域,主机), the scope(域,范围,机会,显微镜) of such
controls needs to be extremely(极度,尽头,极端事物) limited - typically(标准,典型), allocating(拨下,分配) a
binding(绑捆,包扎,结合,联接,凝固,约束,装钉) to reach the address where the control packets(包,袋,群,组,套,捆) are coming
from.
Simplicity(单纯,简单,简朴,朴素) is Paramount(最高,派拉蒙,最重要). The control protocol(礼节,协议) will need to be
implement(仪器,工具,执行,生效) in very simple clients(顾客,用户,当事人). The servers will need to
support extremely high loads. The protocol will need to be
extremely robust(粗壮,坚固,强健), being the precursor(先驱,先兆,预报器) to a host of application(请求,施/应用,程序,软件)
protocols. As such, simplicity is key.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 42]
RFC 3489 STUN(打晕,吓呆) March 2003
14.5 Issues(颁布,发出,问题,争议) with Existing NAPT Boxes
From [17], any UNSAF proposal(计划,建议,求婚,提出) must provide(供给,提供,装备):
Discussion(论述,谈论) of the impact(冲击,碰撞,压紧,影响) of the noted practical(可行,实际) issues with
existing, deployed(布置,散开,展开) NA[P]Ts and experience(感受,经历,经验) reports.
Several of the practical issues with STUN involve(包括,牵涉,占用,参加) future(将来,期货,前途) proofing(论证,实验,校对,证据) -
breaking the protocol when new NAT types get deployed. Fortunately(侥幸,带来好运),
this is not an issue at the current(流,当前,流动,通用) time, since most of the deployed
NATs are of the types assumed(假定,假装,设想) by STUN. The primary(初级,基色,首要,原色) usage(对待,用,用法,习惯法) STUN has
found is in the area of VoIP, to facilitate(帮助,促进,助长,容易) allocation(分配) of addresses
for receiving(承受,得到,接待) RTP [12] traffic(车,交通,交易,运). In that application(请求,施/应用,程序,软件), the periodic(定时,周期)
keepalives(点火电极) are provided by the RTP traffic itself. However, several
practical problems(课题,难题) arise(出现,发生,起来,起应) for RTP. First, RTP assumes(呈现,承担,假定) that RTCP
traffic is on a port one higher than the RTP traffic. This pairing
property(财产,特性,性能) cannot be guaranteed(保证,承认,担保物) through NATs that are not directly
controllable(可支配). As a result, RTCP traffic may not be properly(本来,合适,完全地)
received. Protocol(礼节,协议) extensions(伸展,延长) to SDP have been proposed(打算,建议,求婚) which
mitigate(缓和,减轻) this by allowing the client(顾客,用户,当事人) to signal(暗号,动机,显著,手势) a different(不同,差异,各种) port for
RTCP [18]. However, there will be interoperability problems for some
time.
For VoIP, silence suppression(压制,镇压) can cause a gap in the transmission(传动,传输,发射) of
RTP packets(包,袋,群,组,套,捆). This could result in the loss(丢,亏损,丧失,失败) of a binding(绑捆,包扎,结合,联接,凝固,约束,装钉) in the
middle of a call, if that silence period(句号,时期,学时,周期) exceeds(超出,过度,胜过) the binding timeout(超时,停工时间).
This can be mitigated by sending occasional(不时,临时,偶尔) silence packets to keep
the binding alive. However, the result is additional(附加,增加) brittleness(脆度,脆性);
proper operation(操作,手术,运算) depends(相信,依靠,取决于) on the silence suppression algorithm(算法,演算法) in use,
the usage(对待,用,用法,习惯法) of a comfort(安慰,舒适,慰藉) noise codec, the duration(持久,持续) of the silence
period, and the binding lifetime(终生,一直,寿命) in the NAT.
14.6 In Closing
The problems(课题,难题) with STUN(打晕,吓呆) are not design(花样,设计,图案) flaws(缝隙,裂缝,破裂,缺点,瑕疵) in STUN. The problems in
STUN have to do
with the lack(不足,没有,缺乏,缺少) of standardized(标准化,与标准比较) behaviors(表现,举止,态度,行为) and controls
in NATs. The result of this lack of standardization has been a
proliferation(增殖) of devices(方法,设备,装置) whose behavior is highly unpredictable(不可预测,无法预测),
extremely(极度,尽头,极端事物) variable(变量,变数), and uncontrollable(难控制,脱缰之马). STUN do
es the best it can in
such a hostile(不利,敌意,不友好) environment(环境,外界,围绕). Ultimately(基本,极限,首要), the solution(解答,解决,溶液) is to make the
environment less hostile, and to introduce(采用,传入,介绍) controls and standardized
behaviors into NAT. However, until such time as that happens, STUN
provides(供给,提供,装备) a good short term(词,期,项,称为,术语,条件) solution given the terrible(非常,极度,可怕,可怕的) conditions(环境,条件,支配,状况)
under which it is forced to operate.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 43]
RFC 3489 STUN(打晕,吓呆) March 2003
15. Acknowledgments(承认,鸣谢)
The authors(写作/者,创始人) would like to thank Cedric Aoun, Pete Cordell, Cullen
Jennings, Bob Penfield and Chris(克理斯) Sullivan(萨利文) for their comments(评论,意见,注解), and
Baruch(巴鲁克) Sterman and Alan(阿伦) Hawrylyshen for initial(初始,词首,缩写) implementations(实现,实行).
Thanks for Leslie(莱斯利) Daigle, Allison Mankin, Eric(埃里克子遥控) Rescorla, and Henning
Schulzrinne for IESG and IAB input on this work.
16. Normative(惯常,规范,定标准) References(参考,出处,定位,叁考)
[1] Bradner, S., "Key words for use in RFCs to indicate(标示,表明,显示,指明) requirement(需求,需要)
levels", BCP 14, RFC 2119, March 1997.
[2] Dierks, T. and C. Allen, "The TLS protocol(礼节,协议) Version 1.0", RFC
2246, January(1月,一月) 1999.
[3] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
specifying(规定,指定,明确说明) the location of services (DNS SRV)", RFC 2782,
February(2月,二月) 2000.
[4] Chown(中国种狗), P., "Advanced(前进,提出,预先) Encryption(加密) Standard (AES) Ciphersuites for
Transport(传送,运输,运输工具) Layer Security(安全,证券) (TLS)", RFC 3268, June 2002.
[5] Rescorla, E., "HTTP over TLS", RFC 2818, May 2000.
[6] Postel, J., "Internet Protocol", STD 5, RFC 791, September(9月,九月) 1981.
[7] Ferguson(弗格森), P. and D. Senie, "Network Ingress Filtering(过滤,渗入,筛选): Defeating(挫败,击败,破坏,战胜)
Denial(否定,否认,拒绝) of Service Attacks(攻击,侵袭,受袭) which employ(用,从事,雇佣) IP Source Address
Spoofing(嘲讽,诳骗,揶揄)", BCP 38, RFC 2827, May 2000.
17. Informative(情报,供给消息) References
[8] Senie, D., "Network Address Translator(译音,译码器,转换器) (NAT)-Friendly
Application(请求,施/应用,程序,软件) Design(花样,设计,图案) Guidelines(方针,指导,指南,准则)", RFC 3235, January 2002.
[9] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A. and A.
Rayhan, "Middlebox Communication(传达,交通,通讯) Architecture(建筑学,体系结构) and Framework(构架,框架,体制,组织)",
RFC 3303, August(8月,八月,庄严) 2002.
[10] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston(约翰斯顿), A.,
Peterson, J., Sparks(点燃,火花,激发,斯帕克), R., Handley, M. and E. Schooler, "SIP:
Session(会议,一段时间) Initiation(开始,正式加入) Protocol(礼节,协议)", RFC 3261, June 2002.
[11] Holdrege, M. and P. Srisuresh, "Protocol Complications(并发症,复杂) with the
IP Network Address Translator", RFC 3027, January(1月,一月) 2001.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 44]
RFC 3489 STUN(打晕,吓呆) March 2003
[12] Schulzrinne, H., Casner, S., Frederick(弗雷德里克), R. and V. Jacobson,
"RTP: A Transport(传送,运输,运输工具) Protocol for Real-Time Applications", RFC
1889, January 1996.
[13] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing(混乱,弄乱,哈希/散列表)
for Message Authen
tication(确证,证明)", RFC 2104, February(2月,二月) 1997.
[14] Kohl(柯尔,化妆墨), J. and C. Neuman, "The kerberos Network Authen
tication
Service (V5)", RFC 1510, September(9月,九月) 1993.
[15] Fielding, R., Gettys(格蒂), J., Mogul(蒙古人,权势者), J., Frystyk, H., Masinter, L.,
Leach(滤,分离,滤掉,沥滤器), P. and T. Berners(伯恩,伯尔尼)-Lee, "Hypertext(超文本) Transfer(传递,调动,转让/移) Protocol --
HTTP/1.1", RFC 2616, June 1999.
[16] Baugher M., et al., "The secure(安全,保证,获得,无虑的) real-time transport protocol",
Work in Progress(改进,进度,前进力).
[17] Daigle, L., Editor, "IAB Considerations(考虑,体贴) for UNilateral(单边,片面,单向作用) Self-
Address Fixing (UNSAF) Across Network Address Translation(翻译,译本)", RFC
3424, November 2002.
[18] Huitema, C., "RTCP attribute(归于,品质,特性) in SDP", Work in Progress.
Rosenberg, et al. Standards Track [Page 45]
RFC 3489 STUN March 2003
18. Authors(写作/者,创始人)' Addresses
Jonathan(乔纳森) Rosenberg
dynamicsoft
72 Eagle(鹰) Rock(岩,摇,暗礁,石头) Avenue(大街,道路,渠道,途径)
First Floor(层,地板,楼层,铺地板)
East Hanover(汉诺威), NJ 07936
EMail: jdrosen@dynamicsoft.com
Joel(乔尔,约耳书) Weinberger
dynamicsoft
72 Eagle Rock Avenue
First Floor
East Hanover, NJ 07936
EMail: jweinberger@dynamicsoft.com
Christian(基督徒,克里斯琴) Huitema
Microsoft Corporation(公司,企业,社团)
One Microsoft Way
Redmond(雷德蒙), WA 98052-6399
EMail: huitema@microsoft.com
Rohan Mahy
Cisco(鱼,思科) Systems
101 Cooper(库柏,库珀,桶匠) St
Santa(圣特) Cruz, CA 95060
EMail: rohan@cisco.com
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 46]
RFC 3489 STUN(打晕,吓呆) March 2003
19. Full Copyright(版权,著作权) Statement(陈述,声明,语句)
Copyright (C) The Internet Society (2003). All Rights Reserved(保留,说话不多).
This do
cument(公文,文档,证件) and translations(翻译,译本) of it may be copied and furnished(供给/应,装备,配料) to
others, and derivative(导出,导数,派生) works that comment(评论,意见,注解) on or otherwise explain(辩解,解释,说明) it
or assist(帮助,搀扶,辅助,加速器) in its implementation(实现,实行) may be prepared(预制,准备), copied, published(出版,发表,发行,公布)
and distributed(分布,分配,配给,散布), in whole or in part, without restriction(限定,限制,约束) of any
kind, provided(供给,提供,装备) that the above copyright notice and this paragraph(段,节,短评,小新闻) are
included on all such copies and derivative works. However, this
do
cument itself may not be modified(变更,缓和,修改,修饰) in any way, such as by removing
the copyright notice or references(参考,出处,定位,叁考) to the Internet Society or other
Internet organizations(机构,团体,组织), except as needed for the purpose(打算,效果,意图,用途) of
developing(成长,发展,开发,显现) Internet standards in which case the procedures for
copyrights(版权,著作权) defined(立,定义,规定,准确说明) in the Internet Standards process(程序,处理,起诉,变) must be
followed, or as required(命令,请求,需要) to translate(译,翻译) it into languages(语言,语言课) other than
English.
The limited(范围,极限,界限) permissions(同意,许可,允许) granted(拨款,承认,格兰特,假设) above are perpetual(永恒,永久) and will not be
revoked(撤回,废除,取消) by the Internet Society or its successors(后续,继承人) or assigns(分配,赋值,给定).
This do
cument(公文,文档,证件) and the information(数据,通知,信息,资料) contained(包含,等于,容纳,抑制) herein(在此,在这里) is provided(供给,提供,装备) on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING(技师,设计,工程师)
TASK(派,工作,任务,作业) FORCE DISCLAIMS(放弃,否认,不承认) ALL WARRANTIES(保证,授权), EXPRESS(表白,快/车,明确) OR IMPLIED(暗含,储蓄,意思是), INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE(侵犯,侵害,违反) ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS(健康,恰当,适合,适应性) FOR A PARTICULAR(苛求,事实,特别,细节) PURPOSE(打算,效果,意图,用途).
Acknowledgement(承认,鸣谢)
Funding(存款,积累,基/资金) for the RFC Editor function is currently(流,当前,流动,通用) provided by the
Internet Society.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 47]
<br><a href="http://www.eChinaEdu.com/xdoc.htm">中国教育e网"xDOC"文库(http://www.eChinaEdu.com/xdoc.htm),全球最大的汉化文档中心.</a>
<a href="http://www.eChinaEdu.com">汉化:《魔鬼英语》课题组·中国教育e网(www.eChinaEdu.com)·奥运龙工作室<BR>《魔鬼单词学习法》:史上最强之英语教材,听懂80歌经典英文歌曲,便可记住5000个常用单词,免费下载.</a>
Network Working Group J. Rosenberg
Request(请求,需要) for Comments(评论,意见,注解): 3489 J. Weinberger
Category(范畴,类别,类目): Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) dynamicsoft
C. Huitema
Microsoft
R. Mahy
Cisco(鱼,思科)
March 2003
STUN(打晕,吓呆) - Simple Traversal(遍历) of User Datagram(数据报) Protocol(礼节,协议) (UDP)
Through Network Address Translators(译音,译码器,转换器) (NATs)
Status(地位,状态) of this Memo(便笺,备忘录)
This do
cument(公文,文档,证件) specifies(规定,指定,明确说明) an Internet standards track protocol for the
Internet community(公社,社会,团体), and requests discussion(论述,谈论) and suggestions(暗示,建议,意见) for
improvements(改进,好转,增进). Please refer(参考,查阅,归于,谈到,提出,求助于) to the current(流,当前,流动,通用) edition of the "Internet
Official(官方,官员,正式,职员) Protocol Standards" (STD 1) for the standardization(标准化) state
and status of this protocol. Distribution(分布,分配) of this memo is unlimited(不定,无限).
Copyright(版权,著作权) Notice
Copyright (C) The Internet Society (2003). All Rights Reserved(保留,说话不多).
Abstract(抽象,分心,难懂,摘提)
Simple Traversal of User Datagram Protocol (UDP) Through Network
Address Translators (NATs) (STUN(打晕,吓呆)) is a lightweight(轻,轻量) protocol that
allows applications(请求,施/应用,程序,软件) to discover(暴露,发现,看出) the presence(有,在,出席,存在,到场) and types of NATs and
firewalls(防火壁) between them and the public Internet. It also provides(供给,提供,装备) the
ability(本领,才干,才能,技能) for applications to determine(测定,查明,决定,决心) the public Internet Protocol(礼节,协议)
(IP) addresses allocated(拨下,分配) to them by the NAT. STUN works with many
existing NATs, and do
es not require(命令,请求,需要) any special(特别,特设,专门) behavior(表现,举止,态度,行为) from them.
As a result, it allows a wide variety(变化,变种,多样,多样性) of applications to work through
existing NAT infrastructure(下部构造).
Table of Contents(含量,内容,满意)
1. Applicability(适用性) Statement(陈述,声明,语句) ................................... 3
2. Introduction(介绍,引进/言) .............................................. 3
3. Terminology(术语,术语学) ............................................... 4
4. Definitions(定界,定义,释义) ............................................... 5
5. NAT Variations(变动,变更) ............................................ 5
6. Overview of Operation(操作,手术,运算) ..................................... 6
7. Message Overview .......................................... 8
8. Server Behavior ........................................... 10
8.1 Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests .................................... 10
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 1]
RFC 3489 STUN(打晕,吓呆) March 2003
8.2 Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Requests .............................. 13
9. Client(顾客,用户,当事人) Behavior ........................................... 14
9.1 Discovery(暴露,发现,看出) ........................................... 15
9.2 Obtaining(得到) a Shared Secret ........................... 15
9.3 Formulating(公式化,系统阐述) the Binding Request(请求,需要) ..................... 17
9.4 Processing(程序,处理,起诉,变) Binding Responses(反应,回签,回音) ........................ 17
10. Use Cases ................................................. 19
10.1 Discovery Process ................................... 19
10.2 Binding Lifetime(终生,一直,寿命) Discovery .......................... 21
10.3 Binding Acquisition(获得) ................................. 23
11. Protocol(礼节,协议) Details(零件,细节,枝节) .......................................... 24
11.1 Message Header ...................................... 25
11.2 Message Attributes(归于,品质,特性) .................................. 26
11.2.1 MAPPED-ADDRESS .............................. 27
11.2.2 RESPONSE-ADDRESS ............................ 27
11.2.3 CHANGED-ADDRESS ............................. 28
11.2.4 CHANGE-REQUEST .............................. 28
11.2.5 SOURCE-ADDRESS .............................. 28
11.2.6 USERNAME(用户名) .................................... 28
11.2.7 PASSWORD .................................... 29
11.2.8 MESSAGE-INTEGRITY(诚实,完整,正直) ........................... 29
11.2.9 ERROR-CODE .................................. 29
11.2.10 UNKNOWN(未知,未知的)-ATTRIBUTES .......................... 31
11.2.11 REFLECTED(反射,思考)-FROM .............................. 31
12. Security(安全,证券) Considerations(考虑,体贴) ................................... 31
12.1 Attacks(攻击,侵袭,受袭) on STUN(打晕,吓呆) ..................................... 31
12.1.1 Attack I: DDOS Against a Target ............. 32
12.1.2 Attack II: Silencing a Client ............... 32
12.1.3 Attack III: Assuming(呈现,承担,假定) the Identity(认同,身分,特性) of a Client(顾客,用户,当事人) 32
12.1.4 Attack IV: Eavesdropping .................... 33
12.2 Launching(创办,发动,投射,开始) the Attacks ............................... 33
12.2.1 Approach(逼近,态度,途径) I: Compromise(和解,损害,妥协) a Legitimate(合法,合理,证明有理)
STUN Server ................................. 33
12.2.2 Approach II: DNS Attacks .................... 34
12.2.3 Approach III: Rogue(恶棍,流氓,捉弄) Router(刻,大败,溃败,输送) or NAT ........... 34
12.2.4 Approach IV: MITM ........................... 35
12.2.5 Approach V: Response(反应,回签,回音) Injection(充满,注入) Plus do
S ..... 35
12.2.6 Approach VI: Duplication(加倍,成双重) .................... 35
12.3 Countermeasures(对策,干扰) ..................................... 36
12.4 Residual(残留,剩余) Threats(恐吓,威胁,凶兆) .................................... 37
13. IANA Considerations ....................................... 38
14. IAB Considerations ........................................ 38
14.1 Problem(课题,难题) Definition(定界,定义,释义) .................................. 38
14.2 Exit Strategy(策略,计谋,战略) ....................................... 39
14.3 Brittleness(脆度,脆性) Introduced(采用,传入,介绍) by STUN ...................... 40
14.4 Requirements(需求,需要) for a Long Term(词,期,项,称为,术语,条件) Solution(解答,解决,溶液) ............... 42
14.5 Issues(颁布,发出,问题,争议) with Existing NAPT Boxes ..................... 43
14.6 In Closing .......................................... 43
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 2]
RFC 3489 STUN(打晕,吓呆) March 2003
15. Acknowledgments(承认,鸣谢) ........................................... 44
16. Normative(惯常,规范,定标准) References(参考,出处,定位,叁考) ...................................... 44
17. Informative(情报,供给消息) References .................................... 44
18. Authors(写作/者,创始人)' Addresses ........................................ 46
19. Full Copyright(版权,著作权) Statement(陈述,声明,语句)................................... 47
1. Applicability(适用性) Statement
This protocol(礼节,协议) is not a cure(矫正,消除,医治,治疗)-all for the problems associated(伙伴,交往,联合,同事) with NAT.
It do
es not enable incoming(进款,收入,收益,所得) TCP connections(连接,联系,连贯性) through NAT. It allows
incoming UDP packets(包,袋,群,组,套,捆) through NAT, but only through a subset(子集,子集合) of
existing NAT types. In particular(苛求,事实,特别,细节), STUN do
es not enable incoming UDP
packets through symmetric(对称) NATs (defined(立,定义,规定,准确说明) below), which are common in
large enterprises(企业,事业). STUN's discovery(暴露,发现,看出) procedures are based on
assumptions(傲慢,采取,假定) on NAT treatment(处理,待遇,治疗) of UDP;
such assumptions may prove(表明,显示,证明,结果是)
invalid(病人,伤残,无效) do
wn the road as new NAT devices(方法,设备,装置) are deployed(布置,散开,展开). STUN(打晕,吓呆) do
es not
work when it is used to obtain(得到) an address to communicate(传播/递,通话/信) with a peer
which happens to be behind the same NAT. STUN do
es not work when the
STUN server is not in a common shared(份,有,分担,共享/用) address realm(国土,领域,区域). For a more
complete(彻底,竣工,完成) discussion(论述,谈论) of the limitations(局限,限度) of STUN, see Section(部分,部门,切片,区) 14.
2. Introduction(介绍,引进/言)
Network Address Translators(译音,译码器,转换器) (NATs), while providing(供给,提供,装备) many benefits(恩惠,津贴,利益),
also come with many drawbacks(弊端,妨碍,欠缺,退款). The most troublesome(困难,累赘) of those
drawbacks is the fact that they break many existing IP applications(请求,施/应用,程序,软件),
and make it difficult(艰苦,困难) to deploy new ones. Guidelines(方针,指导,指南,准则) have been
developed(成长,发展,开发,显现) [8] that describe(描绘,描述,形容,作图) how to build "NAT friendly" protocols(礼节,协议),
but many protocols simply cannot be constructed(构造,建立,建设) according(符合,和谐/音,协调,根据,据说) to those
guidelines. Examples of such protocols include almost all peer-to-
peer protocols, such as multimedia(多媒体,多种手段) communications(传达,交通,通讯), file sharing(份,有,分担,共享/用) and
games.
To combat(斗争,反对) this problem(课题,难题), Application Layer Gateways(大门,关口,入口,通道) (ALGs) have been
embedded in NATs. ALGs perform(表演,履行,提供,完成) the application layer functions
required(命令,请求,需要) for a particular(苛求,事实,特别,细节) protocol to traverse(横渡,横过,曲线) a NAT. Typically(标准,典型),
this involves(包括,牵涉,占用,参加) rewriting(改写,再生,重写) application layer messages to contain(包含,等于,容纳,抑制)
translated(译,翻译) addresses, rather than the ones inserted by the sender of
the message. ALGs have serious(认真,慎重,严肃) limitations(局限,限度), including scalability(可量测性),
reliability(可靠性), and speed of deploying(布置,散开,展开) new applications(请求,施/应用,程序,软件). To resolve(分辨,分解,解决,决定)
these problems, the Middlebox Communications (MIDCOM) protocol(礼节,协议) is
being developed(成长,发展,开发,显现) [9]. MIDCOM allows an application entity(存在,实体,实体物,统一体), such as an
end client(顾客,用户,当事人) or network server of some sort (like a Session(会议,一段时间) Initiation(开始,正式加入)
Protocol (SIP) proxy [10]) to control a NAT (or firewall(防火壁)), in order
to obtain(得到) NAT bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) and open or close pinholes(梢孔,针孔). In this way, NATs
and applications can be separated(分隔,分开,个别) once more, eliminating(除去,排除,取消,淘汰,消灭) the need for
embedding ALGs in NATs, and resolving the limitations imposed(征,强迫,欺骗,征税) by
current(流,当前,流动,通用) architectures(建筑学,体系结构).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 3]
RFC 3489 STUN(打晕,吓呆) March 2003
Unfortunately(不幸,可取), MIDCOM requires(命令,请求,需要) upgrades(改善,升级,提高) to existing NAT and
firewalls, in addition(加,加法,附加物) to application(请求,施/应用,程序,软件) components(部件,成分,零组件). Complete(彻底,竣工,完成) upgrades
of these NAT and firewall products(积,产品,产物,作品) will take a long time, potentially(可能,潜力,电动势)
years. This is due, in part, to the fact that the deployers(布置,散开,展开) of NAT
and firewalls are not the same people who are deploying and using
applications. As a result, the incentive(豉励,刺激,动机) to upgrade these devices(方法,设备,装置)
will be low in many cases. Consider(关心,考虑,认为,体谅), for example, an airport(机场,航空站)
Internet lounge(坐靠,闲逛,休息室) that provides(供给,提供,装备) access(访问,接近,入口,通道) with a NAT. A user connecting
to the NATed(抚慰) network may wish to use a peer-to-peer service, but
cannot, because the NAT do
esn't support it. Since the administrators(管理人,管理员)
of the lounge are not the ones providing the service, they are not
motivated(促动,促进,激发,激起) to upgrade their NAT equipment(配备,器材,设备) to support it, using either
an ALG, or MIDCOM.
Another problem(课题,难题) is that the MIDCOM protocol(礼节,协议) requires(命令,请求,需要) that the agent(代理,服务,试剂,特工)
controlling the middleboxes know the identity(认同,身分,特性) of those middleboxes,
and have a relationship(关系,联系) with them which permits(容许,许可,执照) control. In many
configurations(构造), this will not be possible. For example, many cable
access providers use NAT in front of their entire(全部,整个,总体) access network.
This NAT could be in addition(加,加法,附加物) to a residential(住宅) NAT purchased(买,采购,支点,珀切斯) and
operated by the end user. The end user will probably(大概,或许,可能) not have a
control relationship with the NAT in the cable access network, and
may not even know of its existence(存在,生存,实在).
Many existing proprietary(私有,专利,所有权) protocols, such as those for online games
(such as the games described(描绘,描述,形容,作图) in RFC 3027 [11]) and Voice(声,发声,嗓音,吐露,意见,语态) over IP,
have developed(成长,发展,开发,显现) tricks(诡计) that allow them to operate through NATs without
changing those NATs. This do
cument(公文,文档,证件) is an attempt(尝试,攻击,企图,袭击) to take some of
those ideas, and codify(编码,编成法典) them into an interoperable(彼此协作) protocol(礼节,协议) that can
meet the needs of many applications(请求,施/应用,程序,软件).
The protocol described here, Simple Traversal(遍历) of UDP Through NAT
(STUN(打晕,吓呆)), allows entities(存在,实体,实体物,统一体) behind a NAT to first discover(暴露,发现,看出) the presence(有,在,出席,存在,到场)
of a NAT and the type of NAT, and then
to learn the addresses
bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) allocated(拨下,分配) by the NAT. STUN requires(命令,请求,需要) no changes to NATs, and
works with an arbitrary(任意,专断,不理智) number of NATs in tandem(级联,双轴,前后直排地) between the
application entity and the public Internet.
3. Terminology(术语,术语学)
In this do
cument, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED(建议,介绍,劝告,推荐)", "MAY",
and "OPTIONAL(任选,随意,可自由选择)" are to be interpreted(阐明,翻译,解释) as described(描绘,描述,形容,作图) in BCP 14, RFC 2119
[1] and indicate(标示,表明,显示,指明) requirement(需求,需要) levels for compliant(服从,顺从) STUN
implementations(实现,实行).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 4]
RFC 3489 STUN March 2003
4. Definitions(定界,定义,释义)
STUN Client(顾客,用户,当事人): A STUN client (also just referred to as a client)
is an entity that generates(导致,引起) STUN(打晕,吓呆) requests. A STUN client can
execute(处决,处死,实施,执行) on an end system, such as a user's PC, or can run in a
network element(成分,要素,元件), such as a conferencing(会议,讨论会) server.
STUN Server: A STUN Server (also just referred to as a server)
is an entity(存在,实体,实体物,统一体) that receives(承受,得到,接待) STUN requests(请求,需要), and sends STUN
responses(反应,回签,回音). STUN servers are generally(总,将军,一般) attached(随员,馆馆员) to the public
Internet.
5. NAT Variations(变动,变更)
It is assumed(假定,假装,设想) that the reader is familiar(惯用,冒昧,亲友,熟悉) with NATs. It has been
observed(遵守,观测/察,注意) that NAT treatment(处理,待遇,治疗) of UDP varies(变化,改变,转换,多样化) among implementations. The
four treatments observed in implementations are:
Full Cone(圆锥,锥体,成锥形): A full cone NAT is one where all requests from the
same internal(内,本质性) IP address and port are mapped to the same external(药,对外,外部)
IP address and port. Furthermore(此外,而且), any external host can send a
packet(包,袋,群,组,套,捆) to the internal host, by sending a packet to the mapped
external address.
Restricted(限定,限制,约束) Cone: A restricted cone NAT is one where all requests
from the same internal IP address and port are mapped to the same
external IP address and port. Unlike(不同,不象) a full cone NAT, an external
host (with IP address X) can send a packet to the internal host
only if the internal host had previously(前,先,在前) sent a packet to IP
address X.
Port Restricted Cone: A port restricted cone NAT is like a
restricted cone NAT, but the restriction includes port numbers.
Specifically(明确地,特别地), an external host can send a packet, with source IP
address X and source port P, to the internal host only if the
internal host had previously sent a packet to IP address X and
port P.
Symmetric(对称): A symmetric NAT is one where all requests from the
same internal IP address and port, to a specific(精确,特定,特性,细微) destination(目标,终点) IP
address and port, are mapped to the same external IP address and
port. If the same host sends a packet with the same source
address and port, but to a different(不同,差异,各种) destination, a different
mapping is used. Furthermore, only the external host that
receives(承受,得到,接待) a packet can send a UDP packet back to the internal host.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 5]
RFC 3489 STUN(打晕,吓呆) March 2003
Determining(测定,查明,决定,决心) the type of NAT is important in many cases. Depending(相信,依靠,取决于) on
what the application(请求,施/应用,程序,软件) wants to do
, it may need to take the particular(苛求,事实,特别,细节)
behavior(表现,举止,态度,行为) into account(占,计算,记述,解释).
6. Overview of Operation(操作,手术,运算)
This section(部分,部门,切片,区) is descriptive(记述,描述) only. Normative(惯常,规范,定标准) behavior is described(描绘,描述,形容,作图) in
Sections 8 and 9.
/-----/
// STUN //
| Server |
// //
/-----/
+--------------+ Public Internet
................| NAT 2 |.......................
+--------------+
+--------------+ Private(个人,秘密,专用) NET 2
................| NAT 1 |.......................
+--------------+
/-----/
// STUN //
| Client(顾客,用户,当事人) |
// // Private NET 1
/-----/
Figure(图,计算,人物,数) 1: STUN Configuration(构造)
The typical(标准,典型) STUN configuration is shown in Figure 1. A STUN client
is connected to private network 1. This network connects to private
network 2 through NAT 1. Private network 2 connects to the public
Internet through NAT 2. The STUN server resides(存在,居住,属于,驻留) on the public
Internet.
STUN is a simple client-server protocol(礼节,协议). A client sends a request(请求,需要) to
a server, and the server returns a response(反应,回签,回音). There are two types of
requests - Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests, sent over UDP, and Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情)
Requests, sent over TLS [2] over TCP. Shared Secret Requests ask the
server to return a temporary(短暂,临时,临时工) username(用户名) and password. This username
and password are used in a subsequent(尔后,后来) Binding Request and Binding
Response, for the purposes(打算,效果,意图,用途) of authen
tication(确证,证明) and message integrity(诚实,完整,正直).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 6]
RFC 3489 STUN(打晕,吓呆) March 2003
Binding requests are used to determine(测定,查明,决定,决心) the bindings allocated(拨下,分配) by
NATs. The client sends a Binding Request to the server, over UDP.
The server examines(检查,考试,审查,细看) the source IP address and port of the request,
and copies them into a response that is sent back to the client(顾客,用户,当事人).
There are some parameters(参数,参量) in the request that allow the client to ask
that the response be sent else
where, or that the server send the
response from a different(不同,差异,各种) address and port. There are attributes(归于,品质,特性) for
providing(供给,提供,装备) message integrity and authen
tication.
The trick(诡计,哄骗,窍门) is using STUN to discover(暴露,发现,看出) the presence(有,在,出席,存在,到场) of NAT, and to learn
and use the bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) they allocate.
The STUN client is typically(标准,典型) embedded in an application(请求,施/应用,程序,软件) which needs
to obtain(得到) a public IP address and port that can be used to receive(承受,得到,接待)
data. For example, it might need to obtain an IP address and port to
receive Real Time Transport(传送,运输,运输工具) Protocol(礼节,协议) (RTP) [12] traffic(车,交通,交易,运). When the
application starts, the STUN client within the application sends a
STUN Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request(请求,需要) to its server, obtains a username(用户名) and
password, and then
sends it a Binding Request. STUN(打晕,吓呆) servers can be
discovered through DNS SRV records(唱片,档案,记录) [3], and it is generally(总,将军,一般) assumed(假定,假装,设想)
that the client(顾客,用户,当事人) is configured(架构,配置,成形) with the do
main(领土,领域,主机) to use to find the STUN
server. Generally, this will be the do
main of the provider(供给,提供,装备) of the
service the application is using (such a provider is incented to
deploy(布置,散开,展开) STUN servers in order to allow its customers(定做,风俗,海关,用户) to use its
application through NAT). Of course, a client can determine(测定,查明,决定,决心) the
address or do
main name of a STUN server through other means. A STUN
server can even be embedded within an end system.
The STUN Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request is used to discover(暴露,发现,看出) the presence(有,在,出席,存在,到场) of a NAT,
and to discover the public IP address and port mappings generated(导致,引起) by
the NAT. Binding Requests are sent to the STUN server using UDP.
When a Binding Request arrives(达到,来临,抵达某地) at the STUN server, it may have passed
through one or more NATs between the STUN client and the STUN server.
As a result, the source address of the request received(承受,得到,接待) by the server
will be the mapped address created by the NAT closest to the server.
The STUN server copies that source IP address and port into a STUN
Binding Response(反应,回签,回音), and sends it back to the source IP address and port
of the STUN request. For all of the NAT types above, this response
will arrive at the STUN client.
When the STUN client receives the STUN Binding Response, it compares(比较,比作,对照)
the IP address and port in the packet(包,袋,群,组,套,捆) with the local(本地,区域,地方性) IP address and
port it bound(缚,捆,必定,边界,跳跃) to when the request(请求,需要) was sent. If these do
not match,
the STUN(打晕,吓呆) client is behind one or more NATs. In the case of a full-
cone(圆锥,锥体,成锥形) NAT, the IP address and port in the body of the STUN response
are public, and can be used by any host on the public Internet to
send packets to the application(请求,施/应用,程序,软件) that sent the STUN request. An
application need only listen on the IP address and port from which
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 7]
RFC 3489 STUN March 2003
the STUN request was sent. Any packets sent by a host on the public
Internet to the public address and port learned by STUN will be
received by the application.
Of course, the host may not be behind a full-cone NAT. Indeed, it
do
esn't yet know what type of NAT it is behind. To determine that,
the client(顾客,用户,当事人) uses additional(附加,增加) STUN Binding Requests. The exact(精密/确,要求)
procedure is flexible(灵活,柔韧,可变通), but would generally(总,将军,一般) work as follows. The
client would send a second STUN Binding Request, this time to a
different(不同,差异,各种) IP address, but from the same source IP address and port.
If the IP address and port in the response are different from those
in the first response, the client knows it is behind a symmetric(对称) NAT.
To determine(测定,查明,决定,决心) if it's behind a full-cone NAT, the client can send a
STUN Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request with flags that tell the STUN server to send a
response from a different IP address and port than the request was
received on. In other words, if the client sent a Binding Request to
IP address/port A/B using a source IP address/port of X/Y, the STUN
server would send the Binding Response to X/Y using source IP
address/port C/D. If the client receives this response, it knows it
is behind a full cone NAT.
STUN also allows the client to ask the server to send the Binding
Response from the same IP address the request was received on, but
with a different port. This can be used to detect(察觉,发觉,发现,检测) whether the client
is behind a port restricted(限定,限制,约束) cone NAT or just a restricted cone NAT.
It should be noted that the configuration(构造) in Figure(图,计算,人物,数) 1 is not the only
permissible(可容许) configuration. The STUN server can be located(查出,地点,定位,找出) anywhere,
including within another client. The only requirement(需求,需要) is that the
STUN server is reachable(可达到) by the client, and if the client is trying
to obtain(得到) a publicly routable address, that the server reside(存在,居住,属于,驻留) on the
public Internet.
7. Message Overview
STUN(打晕,吓呆) messages are TLV (type-length-value) encoded(编码) using big endian(字节存储次序)
(network ordered) binary(二,二成分). All STUN messages start with a STUN
header, followed by a STUN payload(荷载,有效负载). The payload is a series(成批,连续,系列) of STUN
attributes(归于,品质,特性), the set of which depends(相信,依靠,取决于) on the message type. The STUN
header contains(包含,等于,容纳,抑制) a STUN message type, transaction(处理,和解,交易) ID, and length. The
message type can be Binding Request(请求,需要), Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Response(反应,回签,回音), Binding Error
Response, Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request, Shared Secret Response, or Shared
Secret Error Response. The transaction ID is used to correlate(关联,相关,相关的事物)
requests and responses. The length indicates(标示,表明,显示,指明) the total length of the
STUN payload, not including the header. This allows STUN to run over
TCP. Shared Secret Requests are always sent over TCP (indeed, using
TLS over TCP).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 8]
RFC 3489 STUN March 2003
Several STUN attributes are defined(立,定义,规定,准确说明). The first is a MAPPED-ADDRESS
attribute, which is an IP address and port. It is always placed in
the Binding Response, and it indicates the source IP address and port
the server saw in the Binding Request. There is also a RESPONSE-
ADDRESS attribute, which contains an IP address and port. The
RESPONSE-ADDRESS attribute can be present(给,礼物,显示,现在) in the Binding Request, and
indicates where the Binding Response is to be sent. It's optional(任选,随意,可自由选择),
and when not present, the Binding Response is sent to the source IP
address and port of the Binding Request.
The third attribute is the CHANGE-REQUEST attribute, and it contains
two flags to control the IP address and port used to send the
response. These flags are called "change IP" and "change port"
flags. The CHANGE-REQUEST attribute is allowed only in the Binding
Request. The "change IP" and "change port" flags are useful for
determining(测定,查明,决定,决心) whether the client(顾客,用户,当事人) is behind a restricted(限定,限制,约束) cone(圆锥,锥体,成锥形) NAT or
restricted port cone NAT. They instruct(教,告知,命令) the server to send the
Binding Responses from a different(不同,差异,各种) source IP address and port. The
CHANGE-REQUEST attribute is optional in the Binding Request.
The fourth attribute is the CHANGED-ADDRESS attribute. It is present
in Binding Responses. It informs(伸冤,通知,有识) the client of the source IP address
and port that would be used if the client requested the "change IP"
and "change port" behavior(表现,举止,态度,行为).
The fifth attribute(归于,品质,特性) is the SOURCE-ADDRESS attribute. It is only
present in Binding Responses. It indicates the source IP address and
port where the response was sent from. It is useful for detecting(察觉,发觉,发现,检测)
twice(两倍,两次) NAT configurations(构造).
The sixth attribute is the USERNAME(用户名) attribute. It is present in a
Shared Secret Response(反应,回签,回音), which provides(供给,提供,装备) the client with a temporary(短暂,临时,临时工)
username and password (encoded(编码) in the PASSWORD attribute). The
USERNAME is also present in Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests(请求,需要), serving(服务) as an index to
the shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) used for the integrity(诚实,完整,正直) protection(保护,警戒) of the Binding
Request. The seventh(第七,七分) attribute, PASSWORD, is only found in Shared
Secret Response messages. The eight attribute is the MESSAGE-
INTEGRITY attribute, which contains(包含,等于,容纳,抑制) a message integrity check over
the Binding Request or Binding Response.
The ninth attribute is the ERROR-CODE attribute. This is present(给,礼物,显示,现在) in
the Binding Error Response and Shared Secret Error Response. It
indicates(标示,表明,显示,指明) the error that has occurred. The tenth attribute is the
UNKNOWN(未知,未知的)-ATTRIBUTES attribute, which is present in either the Binding
Error Response or Shared Secret Error Response. It indicates the
mandatory(命令者) attributes(归于,品质,特性) from the request which were unknown. The
eleventh(第十一) attribute is the REFLECTED(反射,思考)-FROM attribute, which is present
in Binding Responses. It indicates the IP address and port of the
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 9]
RFC 3489 STUN(打晕,吓呆) March 2003
sender of a Binding Request, used for traceability(跟踪能力) purposes(打算,效果,意图,用途) to
prevent(防止,妨碍,阻碍) certain denial(否定,否认,拒绝)-of-service attacks(攻击,侵袭,受袭).
8. Server Behavior(表现,举止,态度,行为)
The server behavior depends(相信,依靠,取决于) on whether the request(请求,需要) is a Binding(绑捆,包扎,结合,联接,凝固,约束,装钉)
Request or a Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request.
8.1 Binding Requests
A STUN server MUST be prepared(预制,准备) to receive(承受,得到,接待) Binding Requests on four
address/port combinations(化合,结合) - (A1, P1), (A2, P1), (A1, P2), and (A2,
P2). (A1, P1) represent(表现,代表,象征) the primary(初级,基色,首要,原色) address and port, and these are
the ones obtained through the client(顾客,用户,当事人) discovery(暴露,发现,看出) procedures below.
Typically(标准,典型), P1 will be port 3478, the default STUN port. A2 and P2
are arbitrary(任意,专断,不理智). A2 and P2 are advertised(通知,推销,广告) by the server through the
CHANGED-ADDRESS attribute(归于,品质,特性), as described(描绘,描述,形容,作图) below.
It is RECOMMENDED(建议,介绍,劝告,推荐) that the server check the Binding Request for a
MESSAGE-INTEGRITY(诚实,完整,正直) attribute. If not present(给,礼物,显示,现在), and the server requires(命令,请求,需要)
integrity checks on the request, it generates(导致,引起) a Binding Error
Response(反应,回签,回音) with an ERROR-CODE attribute with response code 401. If the
MESSAGE-INTEGRITY attribute was present, the server computes the HMAC
over the request as described in Section(部分,部门,切片,区) 11.2.8. The key to use
depends(相信,依靠,取决于) on the shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) mechanism(机理,机械). If the STUN(打晕,吓呆) Shared Secret
Request was used, the key MUST be the one associated(伙伴,交往,联合,同事) with the
USERNAME(用户名) attribute present in the request. If the USERNAME attribute
was not present, the server MUST generate a Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Error Response.
The Binding Error Response MUST include an ERROR-CODE attribute with
response code 432. If the USERNAME is present, but the server
do
esn't remember the shared secret for that USERNAME (because it
timed out, for example), the server MUST generate a Binding Error
Response. The Binding Error Response MUST include an ERROR-CODE
attribute with response code 430. If the server do
es know the shared
secret, but the computed HMAC differs(不同,差异,各种) from the one in the request,
the server MUST generate a Binding Error Response with an ERROR-CODE
attribute with response code 431. The Binding Error Response is sent
to the IP address and port the Binding Request came from, and sent
from the IP address and port the Binding Request was sent to.
Assuming(呈现,承担,假定) the message integrity check passed, processing(程序,处理,起诉,变) continues.
The server MUST check for any attributes in the request with values
less than or equal(等于,胜任) to 0x7fff which it do
es not understand. If it
encounters(面临,碰到,碰撞,遭遇) any, the server MUST generate a Binding Error Response,
and it MUST include an ERROR-CODE attribute(归于,品质,特性) with a 420 response code.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 10]
RFC 3489 STUN March 2003
That response MUST contain(包含,等于,容纳,抑制) an UNKNOWN(未知,未知的)-ATTRIBUTES attribute listing
the attributes with values less than or equal to 0x7fff which were
not understood. The Binding Error Response is sent to the IP address
and port the Binding Request came from, and sent from the IP address
and port the Binding Request was sent to.
Assuming the request was correctly(改正,纠正,恰当) formed, the server MUST generate a
single Binding Response. The Binding Response MUST contain the same
transaction(处理,和解,交易) ID contained in the Binding Request(请求,需要). The length in the
message header MUST contain the total length of the message in bytes,
excluding(拒绝,排斥) the header. The Binding Response(反应,回签,回音) MUST have a message type
of "Binding Response".
The server MUST add a MAPPED-ADDRESS attribute to the Binding
Response. The IP address component(部件,成分,零组件) of this attribute MUST be set to
the source IP address observed(遵守,观测/察,注意) in the Binding Request. The port
component of this attribute MUST be set to the source port observed
in the Binding Request.
If the RESPONSE-ADDRESS attribute was absent(不在,离开,缺乏,不存在) from the Binding
Request, the destination(目标,终点) address and port of the Binding Response
MUST be the same as the source address and port of the Binding
Request. Otherwise, the destination address and port of the Binding
Response MUST be the value of the IP address and port in the
RESPONSE-ADDRESS attribute.
The source address and port of the Binding Response depend(相信,依靠,取决于) on the
value of the CHANGE-REQUEST attribute and on the address and port the
Binding Request was received(承受,得到,接待) on, and are summarized(概括,相加,总结) in Table 1.
Let Da represent(表现,代表,象征) the destination IP address of the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request
(which will be either A1 or A2), and Dp represent the destination
port of the Binding Request (which will be either P1 or P2). Let Ca
represent the other address, so that if Da is A1, Ca is A2. If Da is
A2, Ca is A1. Similarly(类似,相象), let Cp represent the other port, so that if
Dp is P1, Cp is P2. If Dp is P2, Cp is P1. If the "change port"
flag was set in CHANGE-REQUEST attribute of the Binding Request, and
the "change IP" flag was not set, the source IP address of the
Binding Response MUST be Da and the source port of the Binding
Response MUST be Cp. If the "change IP" flag was set in the Binding
Request, and the "change port" flag was not set, the source IP
address of the Binding Response MUST be Ca and the source port of the
Binding Response MUST be Dp. When both flags are set, the source IP
address of the Binding Response MUST be Ca and the source port of the
Binding Response MUST be Cp. If neither flag is set, or if the
CHANGE-REQUEST attribute is absent entirely(全部,整个,总体), the source IP address of
the Binding Response MUST be Da and the source port of the Binding
Response MUST be Dp.
Rosenberg, et al. Standards Track [Page 11]
RFC 3489 STUN(打晕,吓呆) March 2003
Flags Source Address Source Port CHANGED-ADDRESS
none Da Dp Ca:Cp
Change IP Ca Dp Ca:Cp
Change port Da Cp Ca:Cp
Change IP and
Change port Ca Cp Ca:Cp
Table 1: Impact(冲击,碰撞,压紧,影响) of Flags on Packet(包,袋,群,组,套,捆) Source and CHANGED-ADDRESS
The server MUST add a SOURCE-ADDRESS attribute(归于,品质,特性) to the Binding
Response, containing(包含,等于,容纳,抑制) the source address and port used to send the
Binding Response.
The server MUST add a CHANGED-ADDRESS attribute to the Binding
Response. This contains the source IP address and port that would be
used if the client(顾客,用户,当事人) had set the "change IP" and "change port" flags in
the Binding Request. As summarized in Table 1, these are Ca and Cp,
respectively(分别,个别), regardless(不顾,不管) of the value of the CHANGE-REQUEST(请求,需要) flags.
If the Binding Request contained both the USERNAME(用户名) and MESSAGE-
INTEGRITY(诚实,完整,正直) attributes, the server MUST add a MESSAGE-INTEGRITY
attribute to the Binding Response(反应,回签,回音). The attribute contains an HMAC
[13] over the response, as described(描绘,描述,形容,作图) in Section(部分,部门,切片,区) 11.2.8. The key to
use depends on the shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) mechanism(机理,机械). If the STUN Shared
Secret Request was used, the key MUST be the one associated(伙伴,交往,联合,同事) with the
USERNAME attribute present(给,礼物,显示,现在) in the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request.
If the Binding Request contained a RESPONSE-ADDRESS attribute, the
server MUST add a REFLECTED(反射,思考)-FROM attribute to the response. If the
Binding Request was authen
ticated(鉴定,为真,证明) using a username obtained(得到) from a
Shared Secret Request, the REFLECTED-FROM attribute MUST contain the
source IP address and port where that Shared Secret Request came
from. If the username present in the request was not allocated(拨下,分配) using
a Shared Secret Request, the REFLECTED-FROM attribute MUST contain
the source address and port of the entity(存在,实体,实体物,统一体) which obtained the
username, as best can be verified(查证,核实,检验,证明) with the mechanism used to allocate
the username. If the username was not present in the request, and
the server was willing to process(程序,处理,起诉,变) the request, the REFLECTED-FROM
attribute(归于,品质,特性) SHOULD contain(包含,等于,容纳,抑制) the source IP address and port where the
request came from.
The server SHOULD NOT retransmit(中继,重新发送) the response. Reliability(可靠性) is
achieved(达到,获得,实现,完成) by having the client(顾客,用户,当事人) periodically(期刊,杂志) resend(再送) the request(请求,需要), each
of which triggers(扳机,触发,导致) a response(反应,回签,回音) from the server.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 12]
RFC 3489 STUN(打晕,吓呆) March 2003
8.2 Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Requests
Shared Secret Requests are always received(承受,得到,接待) on TLS connections(连接,联系,连贯性). When
the server receives a request from the client to establish(建立,确定,移植) a TLS
connection, it MUST proceed(继续,开始,进行,程序) with TLS, and SHOULD present(给,礼物,显示,现在) a site
certificate(鉴定,证件,执照). The TLS ciphersuite TLS_RSA_WITH_AES_128_CBC_SHA [4]
SHOULD be used. Client TLS authen
tication(确证,证明) MUST NOT be do
ne, since
the server is not allocating(拨下,分配) any resources(策略,机智,物力,资源) to clients, and the
computational(计算) burden(负担,加载,载量) can be a source of attacks(攻击,侵袭,受袭).
If the server receives a Shared Secret Request, it MUST verify(查证,核实,检验,证明) that
the request arrived(达到,来临,抵达某地) on a TLS connection. If it did not receive the
request over TLS, it MUST generate(导致,引起) a Shared Secret Error Response,
and it MUST include an ERROR-CODE attribute(归于,品质,特性) with a 433 response code.
The destination(目标,终点) for the error response(反应,回签,回音) depends(相信,依靠,取决于) on the transport(传送,运输,运输工具) on
which the request(请求,需要) was received. If the Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request was
received(承受,得到,接待) over TCP, the Shared Secret Error Response is sent over the
same connection(连接,联系,连贯性) the request was received on. If the Shared Secret
Request was receive over UDP, the Shared Secret Error Response is
sent to the source IP address and port that the request came from.
The server MUST check for any attributes in the request with values
less than or equal(等于,胜任) to 0x7fff which it do
es not understand. If it
encounters(面临,碰到,碰撞,遭遇) any, the server MUST generate a Shared Secret Error
Response, and it MUST include an ERROR-CODE attribute with a 420
response code. That response MUST contain(包含,等于,容纳,抑制) an UNKNOWN(未知,未知的)-ATTRIBUTES
attribute listing the attributes with values less than or equal to
0x7fff which were not understood. The Shared Secret Error Response
is sent over the TLS connection.
All Shared Secret Error Responses MUST contain the same transaction(处理,和解,交易)
ID contained in the Shared Secret Request. The length in the message
header MUST contain the total length of the message in bytes,
excluding(拒绝,排斥) the header. The Shared Secret Error Response MUST have a
message type of "Shared Secret Error Response" (0x0112).
Assuming(呈现,承担,假定) the request was properly(本来,合适,完全地) constructed(构造,建立,建设), the server creates a
Shared Secret Response. The Shared Secret Response MUST contain the
same transaction ID contained in the Shared Secret Request. The
length in the message header MUST contain the total length of the
message in bytes, excluding the header. The Shared Secret Response
MUST have a message type of "Shared Secret Response". The Shared
Secret Response MUST contain a USERNAME(用户名) attribute and a PASSWORD
attribute. The USERNAME attribute serves(适合,服务/役,任职,招待) as an index to the
password, which is contained in the PASSWORD attribute. The server
can use any mechanism(机理,机械) it chooses(宁愿,情愿,挑选) to generate(导致,引起) the username. However,
the username MUST be valid(有效,正当) for a period(句号,时期,学时,周期) of at least 10 minutes.
Validity(确实,效力,正确,有效性) means that the server can compute the password for that
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 13]
RFC 3489 STUN(打晕,吓呆) March 2003
username. There MUST be a single password for each username. In
other words, the server cannot, 10 minutes later, assign(分配,赋值,给定) a different(不同,差异,各种)
password to the same username. The server MUST hand out a different
username for each distinct(不同,独特,分别) Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request(请求,需要). Distinct, in this
case, implies(暗示,含意,意味) a different transaction(处理,和解,交易) ID. It is RECOMMENDED(建议,介绍,劝告,推荐) that the
server explicitly(明白,明确,清楚) invalidate(无效,无效,作废) the username after ten minutes. It MUST
invalidate the username after 30 minutes. The PASSWORD contains(包含,等于,容纳,抑制) the
password bound(缚,捆,必定,边界,跳跃) to that username(用户名). The password MUST have at least 128
bits. The likelihood(可能,似真,可能性,相似性) that the server assigns the same password for
two different usernames MUST be vanishingly small, and the passwords
MUST be unguessable. In other words, they MUST be a
cryptographically random function of the username.
These requirements(需求,需要) can still be met using a stateless(无国籍) server, by
intelligently(聪慧,聪明,理智) computing the USERNAME and PASSWORD. One approach(逼近,态度,途径) is
to construct(构造,建立,建设) the USERNAME as:
USERNAME = <prefix,rounded-time,clientIP,hmac>
Where prefix(词头,前缀,添以词头) is some random text string (different for each shared
secret request), rounded(围,圆,环绕,舍入,一轮,周围)-time is the current(流,当前,流动,通用) time modulo(模,模数,按模计算) 20 minutes,
clientIP is the source IP address where the Shared Secret Request
came from, and hmac is an HMAC [13] over the prefix, rounded-time,
and client(顾客,用户,当事人) IP, using a server private(个人,秘密,专用) key.
The password is then
computed as:
password = <hmac(USERNAME,anotherprivatekey)>
With this structure(构造,建造,组织), the username itself, which will be present(给,礼物,显示,现在) in
the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request(请求,需要), contains the source IP address where the Shared(份,有,分担,共享/用)
Secret(秘密,隐蔽,隐情) Request came from. That allows the server to meet the
requirements specified(规定,指定,明确说明) in Section(部分,部门,切片,区) 8.1 for constructing the
REFLECTED(反射,思考)-FROM attribute(归于,品质,特性). The server can verify(查证,核实,检验,证明) that the username(用户名)
was not tampered(坦派勒) with, using the hmac present in the username.
The Shared Secret Response(反应,回签,回音) is sent over the same TLS connection(连接,联系,连贯性) the
request was received(承受,得到,接待) on. The server SHOULD keep the connection open,
and let the client close it.
9. Client Behavior(表现,举止,态度,行为)
The behavior of the client is very straightforward(老实,坦率,率直地). Its task(派,工作,任务,作业) is to
discover(暴露,发现,看出) the STUN(打晕,吓呆) server, obtain a shared secret, formulate(公式化,系统阐述) the
Binding Request, handle request reliability(可靠性), and process(程序,处理,起诉,变) the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉)
Responses.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 14]
RFC 3489 STUN March 2003
9.1 Discovery
Generally(总,将军,一般), the client(顾客,用户,当事人) will be configured(架构,配置,成形) with a do
main(领土,领域,主机) name of the
provider(供给,提供,装备) of the STUN servers. This do
main name is resolved(坚决,有决心) to an IP
address and port using the SRV procedures specified(规定,指定,明确说明) in RFC 2782 [3].
Specifically(明确地,特别地), the service name is "stun". The protocol(礼节,协议) is "udp" for
sending Binding Requests(请求,需要), or "tcp" for sending Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情)
Requests. The procedures of RFC 2782 are followed to determine(测定,查明,决定,决心) the
server to contact(触点,触体,联系). RFC 2782 spells(带来,轮班,拼出,咒语,一阵子) out the details(零件,细节,枝节) of how a set of
SRV records(唱片,档案,记录) are sorted and then
tried. However, it only states that
the client should "try to connect to the (protocol, address,
service)" without giving any details on what happens in the event of
failure(破产,失败,失灵,疏忽). Those details are described(描绘,描述,形容,作图) here for STUN(打晕,吓呆).
For STUN requests, failure occurs(出现,存在,发生,产出) if there is a transport(传送,运输,运输工具) failure of
some sort (generally(总,将军,一般), due to fatal(命运,致命) ICMP errors in UDP or connection(连接,联系,连贯性)
failures in TCP). Failure also occurs if the transaction(处理,和解,交易) fails due
to timeout(超时,停工时间). This occurs 9.5 seconds after the first request is sent,
for both Shared Secret Requests and Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests. See Section(部分,部门,切片,区)
9.3 for details on transaction timeouts for Binding Requests. If a
failure occurs, the client(顾客,用户,当事人) SHOULD create a new request, which is
identical(恒等,同样,相同) to the previous(前,先,在前), but has a different(不同,差异,各种) transaction ID and
MESSAGE INTEGRITY(诚实,完整,正直) attribute(归于,品质,特性) (the HMAC will change because the
transaction ID has changed). That request(请求,需要) is sent to the next
element(成分,要素,元件) in the list as specified(规定,指定,明确说明) by RFC 2782.
The default port for STUN requests is 3478, for both TCP and UDP.
Administrators(管理人,管理员) SHOULD use this port in their SRV records(唱片,档案,记录), but MAY use
others.
If no SRV records were found, the client performs(表演,履行,提供,完成) an A record lookup(检查)
of the do
main(领土,领域,主机) name. The result will be a list of IP addresses, each
of which can be contacted(触点,触体,联系) at the default port.
This would allow a firewall(防火壁) admin(主管) to open the STUN(打晕,吓呆) port, so hosts
within the enterprise(企业,事业) could access(访问,接近,入口,通道) new applications(请求,施/应用,程序,软件). Whether they
will or won't do
this is a good question.
9.2 Obtaining(得到) a Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情)
As discussed(讨论,谈论,论述) in Section(部分,部门,切片,区) 12, there are several attacks(攻击,侵袭,受袭) possible on
STUN systems. Many of these are prevented(防止,妨碍,阻碍) through integrity(诚实,完整,正直) of
requests(请求,需要) and responses(反应,回签,回音). To provide(供给,提供,装备) that integrity, STUN makes use of
a shared secret between client(顾客,用户,当事人) and server, used as the keying
material(材料,料子,素材,物质) for an HMAC used in both the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request and Binding
Response. STUN allows for the shared secret to be obtained in any
way (for example, Kerberos [14]). However, it MUST have at least 128
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 15]
RFC 3489 STUN March 2003
bits of randomness(随机性). In order to ensure(保护,保险,赋予) interoperability, this
specification(规格,详述,载明) describes(描绘,描述,形容,作图) a TLS-based mechanism(机理,机械). This mechanism,
described in this section, MUST be implemented(仪器,工具,执行,生效) by clients and
servers.
First, the client determines(测定,查明,决定,决心) the IP address and port that it will
open a TCP connection(连接,联系,连贯性) to. This is do
ne using the discovery(暴露,发现,看出)
procedures in Section 9.1. The client opens up the connection to
that address and port, and immediately(立即,立刻,直接) begin
s TLS negotiation(谈判) [2].
The client MUST verify(查证,核实,检验,证明) the identity(认同,身分,特性) of the server. To do
that, it
follows the identification(鉴定,身份,识别) procedures defined(立,定义,规定,准确说明) in Section(部分,部门,切片,区) 3.1 of RFC
2818 [5]. Those procedures assume(呈现,承担,假定) the client is dereferencing a URI.
For purposes(打算,效果,意图,用途) of usage(对待,用,用法,习惯法) with this specification, the client(顾客,用户,当事人) treats(处理,论述,享受,宴,治疗) the
do
main(领土,领域,主机) name or IP address used in Section 9.1 as the host portion(部分,分配) of
the URI that has been dereferenced.
Once the connection is opened, the client sends a Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情)
request(请求,需要). This request has no attributes(归于,品质,特性), just the header. The
transaction(处理,和解,交易) ID in the header MUST meet the requirements(需求,需要) outlined(图,大纲,轮廓,描绘) for
the transaction ID in a binding(绑捆,包扎,结合,联接,凝固,约束,装钉) request, described(描绘,描述,形容,作图) in Section 9.3
below. The server generates(导致,引起) a response(反应,回签,回音), which can either be a Shared
Secret Response or a Shared Secret Error Response.
If the response was a Shared Secret Error Response, the client checks
the response code in the ERROR-CODE attribute. Interpretation(解释,口译) of
those response codes is identical(恒等,同样,相同) to the processing(程序,处理,起诉,变) of Section(部分,部门,切片,区) 9.4
for the Binding Error Response.
If a client receives(承受,得到,接待) a Shared Secret Response with an attribute whose
type is greater than 0x7fff, the attribute MUST be ignored(不顾,不理,忽略,忽视). If the
client receives a Shared Secret Response with an attribute whose type
is less than or equal(等于,胜任) to 0x7fff, the response is ignored.
If the response was a Shared Secret Response, it will contain(包含,等于,容纳,抑制) a short
lived username(用户名) and password, encoded(编码) in the USERNAME and PASSWORD
attributes, respectively(分别,个别).
The client(顾客,用户,当事人) MAY generate multiple(倍数,并联,多个) Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Requests(请求,需要) on the
connection(连接,联系,连贯性), and it MAY do
so before receiving Shared Secret Responses
to previous(前,先,在前) Shared Secret Requests. The client SHOULD close the
connection as soon as it has finished obtaining usernames and
passwords.
Section 9.3 describes how these passwords are used to provide(供给,提供,装备)
integrity(诚实,完整,正直) protection(保护,警戒) over Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests, and Section 8.1 describes(描绘,描述,形容,作图)
how it is used in Binding Responses(反应,回签,回音).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 16]
RFC 3489 STUN(打晕,吓呆) March 2003
9.3 Formulating(公式化,系统阐述) the Binding Request
A Binding Request formulated by the client follows the syntax(句法,语法) rules
defined(立,定义,规定,准确说明) in Section(部分,部门,切片,区) 11. Any two requests that are not bit-wise(博学,聪明,方式,怀斯)
identical(恒等,同样,相同), and not sent to the same server from the same IP address
and port, MUST carry different(不同,差异,各种) transaction(处理,和解,交易) IDs. The transaction ID
MUST be uniformly(均匀,统一,制服) and randomly distributed(分布,分配,配给,散布) between 0 and 2**128 - 1.
The large range(排,行,山脉,范围) is needed because the transaction ID serves(适合,服务/役,任职,招待) as a form
of randomization(不规则分布), helping to prevent(防止,妨碍,阻碍) replays of previously(前,先,在前) signed
responses from the server. The message type of the request(请求,需要) MUST be
"Binding Request".
The RESPONSE-ADDRESS attribute(归于,品质,特性) is optional(任选,随意,可自由选择) in the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request.
It is used if the client(顾客,用户,当事人) wishes the response(反应,回签,回音) to be sent to a
different IP address and port than the one the request was sent from.
This is useful for determining(测定,查明,决定,决心) whether the client is behind a
firewall(防火壁), and for applications(请求,施/应用,程序,软件) that have separated(分隔,分开,个别) control and data
components(部件,成分,零组件). See Section(部分,部门,切片,区) 10.3 for more details(零件,细节,枝节). The CHANGE-REQUEST
attribute is also optional. Whether it is present(给,礼物,显示,现在) depends(相信,依靠,取决于) on what
the application is trying to accomplish(达到,精通,完成). See Section 10 for some
example uses.
The client SHOULD add a MESSAGE-INTEGRITY(诚实,完整,正直) and USERNAME(用户名) attribute to
the Binding Request. This MESSAGE-INTEGRITY attribute contains(包含,等于,容纳,抑制) an
HMAC [13]. The value of the username, and the key to use in the
MESSAGE-INTEGRITY attribute depend on the shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) mechanism(机理,机械).
If the STUN(打晕,吓呆) Shared Secret Request(请求,需要) was used, the USERNAME must be a
valid(有效,正当) username obtained(得到) from a Shared Secret Response within the last
nine minutes. The shared secret for the HMAC is the value of the
PASSWORD attribute(归于,品质,特性) obtained from the same Shared Secret Response(反应,回签,回音).
Once formulated(公式化,系统阐述), the client(顾客,用户,当事人) sends the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request. Reliability(可靠性)
is accomplished through client retransmissions(中继). Clients SHOULD
retransmit(中继,重新发送) the request starting with an interval(间隔,间距,休息) of 100ms, do
ubling
every retransmit until the interval reaches 1.6s. Retransmissions
continue with intervals of 1.6s until a response is received(承受,得到,接待), or a
total of 9 requests have been sent. If no response is received by 1.6
seconds after the last request has been sent, the client SHOULD
consider(关心,考虑,认为,体谅) the transaction(处理,和解,交易) to have failed. In other words, requests
would be sent at times 0ms, 100ms, 300ms, 700ms, 1500ms, 3100ms,
4700ms, 6300ms, and 7900ms. At 9500ms, the client considers the
transaction to have failed if no response has been received.
9.4 Processing(程序,处理,起诉,变) Binding Responses
The response can either be a Binding Response or Binding Error
Response. Binding Error Responses are always received on the source
address and port the request was sent from. A Binding Response will
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 17]
RFC 3489 STUN March 2003
be received on the address and port placed in the RESPONSE-ADDRESS
attribute of the request. If none was present(给,礼物,显示,现在), the Binding Responses
will be received on the source address and port the request was sent
from.
If the response is a Binding Error Response, the client checks the
response code from the ERROR-CODE attribute of the response. For a
400 response code, the client SHOULD display the reason phrase(词组,短语,警句,惯语) to the
user. For a 420 response code, the client SHOULD retry(缩进) the request,
this time omitting any attributes listed in the UNKNOWN(未知,未知的)-ATTRIBUTES
attribute of the response. For a 430 response code, the client
SHOULD obtain a new shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情), and retry the Binding Request(请求,需要) with
a new transaction. For 401 and 432 response codes, if the client had
omitted the USERNAME(用户名) or MESSAGE-INTEGRITY(诚实,完整,正直) attribute(归于,品质,特性) as indicated(标示,表明,显示,指明) by
the error, it SHOULD try again with those attributes. For a 431
response(反应,回签,回音) code, the client(顾客,用户,当事人) SHOULD alert(报警,活跃,禁戒,灵活) the user, and MAY try the
request again after obtaining a new username and password. For a 500
response code, the client MAY wait several seconds and then
retry the
request. For a 600 response code, the client MUST NOT retry the
request, and SHOULD display the reason phrase to the user. Unknown
attributes between 400 and 499 are treated(处理,论述,享受,宴,治疗) like a 400, unknown
attributes between 500 and 599 are treated like a 500, and unknown
attributes between 600 and 699 are treated like a 600. Any response
between 100 and 399 MUST result in the cessation(中止) of request
retransmissions(中继), but otherwise is discarded(丢弃,废除,扔掉,删除).
If a client receives(承受,得到,接待) a response with an attribute whose type is
greater than 0x7fff, the attribute MUST be ignored(不顾,不理,忽略,忽视). If the client
receives a response with an attribute whose type is less than or
equal(等于,胜任) to 0x7fff, request retransmissions MUST cease(间断,结束,平息,停止), but the entire(全部,整个,总体)
response is otherwise ignored.
If the response is a Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Response, the client SHOULD check the
response for a MESSAGE-INTEGRITY attribute. If not present(给,礼物,显示,现在), and the
client placed a MESSAGE-INTEGRITY attribute into the request, it MUST
discard the response. If present, the client computes the HMAC over
the response as described(描绘,描述,形容,作图) in Section(部分,部门,切片,区) 11.2.8. The key to use depends(相信,依靠,取决于)
on the shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) mechanism(机理,机械). If the STUN(打晕,吓呆) Shared Secret Request(请求,需要)
was used, the key MUST be same as used to compute the MESSAGE-
INTEGRITY(诚实,完整,正直) attribute(归于,品质,特性) in the request. If the computed HMAC differs(不同,差异,各种)
from the one in the response(反应,回签,回音), the client(顾客,用户,当事人) MUST discard the response,
and SHOULD alert(报警,活跃,禁戒,灵活) the user about a possible attack(攻击,侵袭,受袭). If the computed
HMAC matches the one from the response, processing(程序,处理,起诉,变) continues.
Reception(接待,接收,招待会) of a response (either Binding Error Response or Binding
Response) to a Binding Request will terminate(结束,停止,有界限) retransmissions(中继) of that
request. However, clients MUST continue to listen for responses to a
Binding Request for 10 seconds after the first response. If it
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 18]
RFC 3489 STUN March 2003
receives(承受,得到,接待) any responses in this interval(间隔,间距,休息) with different message types
(Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Responses and Binding Error Responses, for example) or
different MAPPED-ADDRESSes, it is an indication(表明,表示,指示) of a possible attack.
The client MUST NOT use the MAPPED-ADDRESS from any of the responses
it received (either the first or the additional(附加,增加) ones), and SHOULD
alert the user.
Furthermore(此外,而且), if a client receives more than twice(两倍,两次) as many Binding
Responses as the number of Binding Requests it sent, it MUST NOT use
the MAPPED-ADDRESS from any of those responses, and SHOULD alert the
user about a potential(可能,潜力,电动势) attack.
If the Binding Response is authen
ticated(鉴定,为真,证明), and the MAPPED-ADDRESS was
not discarded(丢弃,废除,扔掉,删除) because of a potential attack, the CLIENT MAY use the
MAPPED-ADDRESS and SOURCE-ADDRESS attributes.
10. Use Cases
The rules of Sections(部分,部门,切片,区) 8 and 9 describe(描绘,描述,形容,作图) exactly(精密/确,要求) how a client and
server interact(插曲,横切,交叉,相互影响) to send requests(请求,需要) and get responses(反应,回签,回音). However, they do
not dictate(规定,口授,命令,要求) how the STUN(打晕,吓呆) protocol(礼节,协议) is used to accomplish(达到,精通,完成) useful tasks(派,工作,任务,作业).
That is at the discretion(谨慎,判断,斟酌办理) of the client(顾客,用户,当事人). Here, we provide(供给,提供,装备) some
useful scenarios(剧本,情节,剧情说明书) for applying(涂,申请,实施,用,添加) STUN.
10.1 Discovery(暴露,发现,看出) Process(程序,处理,起诉,变)
In this scenario, a user is running a multimedia(多媒体,多种手段) application(请求,施/应用,程序,软件) which
needs to determine(测定,查明,决定,决心) which of the following scenarios applies to it:
o On the open Internet
o Firewall(防火壁) that blocks UDP
o Firewall that allows UDP out, and responses have to come back to
the source of the request (like a symmetric(对称) NAT, but no
translation(翻译,译本). We call this a symmetric UDP Firewall)
o Full-cone(圆锥,锥体,成锥形) NAT
o Symmetric NAT
o Restricted(限定,限制,约束) cone or restricted port cone NAT
Which of the six scenarios applies can be determined(坚决,决定) through the flow(流,流畅,飘垂,涨潮)
chart(图,海图) described(描绘,描述,形容,作图) in Figure(图,计算,人物,数) 2. The chart refers(参考,查阅,归于,谈到,提出,求助于) only to the sequence(次序,继续,系列)
of Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests(请求,需要);
Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Requests will, of course, be
needed to authen
ticate(鉴定,为真,证明) each Binding Request used in the sequence.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 19]
RFC 3489 STUN(打晕,吓呆) March 2003
The flow makes use of three tests. In test I, the client(顾客,用户,当事人) sends a
STUN Binding Request to a server, without any flags set in the
CHANGE-REQUEST attribute(归于,品质,特性), and without the RESPONSE(反应,回签,回音)-ADDRESS attribute.
This causes the server to send the response back to the address and
port that the request came from. In test II, the client sends a
Binding Request with both the "change IP" and "change port" flags
from the CHANGE-REQUEST attribute set. In test III, the client sends
a Binding Request with only the "change port" flag set.
The client begin
s by initiating(创/开始,启蒙/动) test I. If this test yields(产出,产量,屈服,让与) no
response, the client knows right away that it is not capable(有才能,有能力) of UDP
connectivity(连接,连通性). If the test produces a response, the client examines(检查,考试,审查,细看)
the MAPPED-ADDRESS attribute. If this address and port are the same
as the local(本地,区域,地方性) IP address and port of the socket(插座,套接) used to send the
request, the client knows that it is not natted. It executes(处决,处死,实施,执行) test
II.
If a response is received(承受,得到,接待), the client knows that it has open access(访问,接近,入口,通道)
to the Internet (or, at least, its behind a firewall(防火壁) that behaves(表现,举动,行动,运转)
like a full-cone(圆锥,锥体,成锥形) NAT, but without the translation(翻译,译本)). If no response
is received, the client knows its behind a symmetric(对称) UDP firewall.
In the event that the IP address and port of the socket did not match
the MAPPED-ADDRESS attribute in the response to test I, the client
knows that it is behind a NAT. It performs(表演,履行,提供,完成) test II. If a response
is received, the client knows that it is behind a full-cone NAT. If
no response is received, it performs test I again, but this time,
do
es so to the address and port from the CHANGED-ADDRESS attribute
from the response to test I. If the IP address and port returned in
the MAPPED-ADDRESS attribute are not the same as the ones from the
first test I, the client knows its behind a symmetric NAT. If the
address and port are the same, the client is either behind a
restricted(限定,限制,约束) or port restricted NAT. To make a determination(决定,决心,确定) about
which one it is behind, the client initiates test III. If a response
is received, its behind a restricted NAT, and if no response is
received, its behind a port restricted NAT.
This procedure yields substantial(本质,大量,坚固,物质) information(数据,通知,信息,资料) about the operating
condition(环境,条件,支配,状况) of the client(顾客,用户,当事人) application(请求,施/应用,程序,软件). In the event of multiple(倍数,并联,多个) NATs
between the client and the Internet, the type that is discovered(暴露,发现,看出) will
be the type of the most restrictive NAT between the client and the
Internet. The types of NAT, in order of restrictiveness, from most
to least, are symmetric, port restricted cone, restricted cone, and
full cone.
Typically(标准,典型), a client will re-do this discovery process(程序,处理,起诉,变) periodically(期刊,杂志) to
detect(察觉,发觉,发现,检测) changes, or look for inconsistent(不一致) results. It is important to
note that when the discovery process is redone(重做), it should not
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 20]
RFC 3489 STUN(打晕,吓呆) March 2003
generally(总,将军,一般) be do
ne from the same local(本地,区域,地方性) address and port used in the
previous(前,先,在前) discovery process. If the same local address and port are
reused(再使用), bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) from the previous test may still be in existence(存在,生存,实在),
and these will invalidate(无效,无效,作废) the results of the test. Using a different(不同,差异,各种)
local address and port for subsequent(尔后,后来) tests resolves(分辨,分解,解决,决定) this problem(课题,难题).
An alternative(交替,选择,替换) is to wait sufficiently(充分,充足) long to be confident(确信) that the
old bindings have expired(到期,断气,去世,终止) (half an hour should more than suffice(满足,足够,有能力)).
10.2 Binding Lifetime(终生,一直,寿命) Discovery(暴露,发现,看出)
STUN can also be used to discover the lifetimes of the bindings
created by the NAT. In many cases, the client(顾客,用户,当事人) will need to refresh(刷新,清新,振作,恢复)
the binding, either through a new STUN request(请求,需要), or an application(请求,施/应用,程序,软件)
packet(包,袋,群,组,套,捆), in order for the application to continue to use the binding.
By discovering the binding lifetime, the client can determine(测定,查明,决定,决心) how
frequently(常到,常去,频繁) it needs to refresh.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 21]
RFC 3489 STUN(打晕,吓呆) March 2003
+--------+
| Test |
| I |
+--------+
|
|
V
// //
N / / Y / / Y +--------+
UDP <-------/Resp/--------->/ IP /------------->| Test |
Blocked / ? / /Same/ | II |
/ / /? / +--------+
// // |
| N |
| V
V //
+--------+ Sym. N / /
| Test | UDP <---/Resp/
| II | Firewall / ? /
+--------+ / /
| //
V |Y
// // |
Symmetric N / / +--------+ N / / V
NAT <--- / IP /<-----| Test |<--- /Resp/ Open
/Same/ | I | / ? / Internet
/? / +--------+ / /
// //
| |Y
| |
| V
| Full
| Cone
V //
+--------+ / / Y
| Test |------>/Resp/---->Restricted(限定,限制,约束)
| III | / ? /
+--------+ / /
//
|N
| Port
+------>Restricted
Figure(图,计算,人物,数) 2: Flow(流,流畅,飘垂,涨潮) for type discovery process(程序,处理,起诉,变)
Rosenberg, et al. Standards Track [Page 22]
RFC 3489 STUN March 2003
To determine the binding(绑捆,包扎,结合,联接,凝固,约束,装钉) lifetime, the client first sends a Binding
Request to the server from a particular(苛求,事实,特别,细节) socket(插座,套接), X. This creates a
binding in the NAT. The response(反应,回签,回音) from the server contains(包含,等于,容纳,抑制) a MAPPED-
ADDRESS attribute(归于,品质,特性), providing(供给,提供,装备) the public address and port on the NAT.
Call this Pa and Pp, respectively(分别,个别). The client then
starts a timer
with a value of T seconds. When this timer fires, the client sends
another Binding Request to the server, using the same destination(目标,终点)
address and port, but from a different(不同,差异,各种) socket, Y. This request
contains a RESPONSE-ADDRESS address attribute, set to (Pa,Pp). This
will create a new binding on the NAT, and cause the STUN server to
send a Binding Response that would match the old binding, if it still
exists. If the client(顾客,用户,当事人) receives(承受,得到,接待) the Binding Response on socket X, it
knows that the binding has not expired(到期,断气,去世,终止). If the client receives the
Binding Response on socket Y (which is possible if the old binding
expired, and the NAT allocated(拨下,分配) the same public address and port to
the new binding), or receives no response at all, it knows that the
binding has expired.
The client can find the value of the binding lifetime(终生,一直,寿命) by do
ing a
binary(二,二成分) search through T, arriving(达到,来临,抵达某地) eventually(最后) at the value where the
response is not received for any timer greater than T, but is
received for any timer less than T.
This discovery(暴露,发现,看出) process takes quite a bit of time, and is something
that will typically(标准,典型) be run in the background on a device(方法,设备,装置) once it
boots.
It is possible that the client can get inconsistent(不一致) results each time
this process(程序,处理,起诉,变) is run. For example, if the NAT should reboot(重新启动), or be
reset(复位,重新安置) for some reason, the process may discover a lifetime than is
shorter than the actual(实际,现行) one. For this reason, implementations(实现,实行) are
encouraged(促进,鼓励,赞助,支持) to run the test numerous(大量,无数,许多) times, and be prepared(预制,准备) to get
inconsistent results.
10.3 Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Acquisition(获得)
Consider(关心,考虑,认为,体谅) once more the case of a VoIP phone. It used the discovery
process above when it started up, to discover its environment(环境,外界,围绕). Now,
it wants to make a call. As part of the discovery process, it
determined(坚决,决定) that it was behind a full-cone(圆锥,锥体,成锥形) NAT.
Consider further that this phone consists(包括,符合,在于,组成) of two logically(逻辑,逻辑或) separated(分隔,分开,个别)
components(部件,成分,零组件) - a control component that handles signaling(暗号,动机,显著,手势), and a media
component that handles the audio(声频,成音频率), video, and RTP [12]. Both are
behind the same NAT. Because of this separation(分居,分开) of control and
media, we wish to minimize(极小,最小化) the communication(传达,交通,通讯) required(命令,请求,需要) between them.
In fact, they may not even run on the same host.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 23]
RFC 3489 STUN(打晕,吓呆) March 2003
In order to make a voice(声,发声,嗓音,吐露,意见,语态) call, the phone needs to obtain(得到) an IP
address and port that it can place in the call setup message as the
destination(目标,终点) for receiving(承受,得到,接待) audio.
To obtain an address, the control component sends a Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情)
Request to the server, obtains a shared secret, and then
sends a
Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request to the server. No CHANGE-REQUEST attribute(归于,品质,特性) is
present(给,礼物,显示,现在) in the Binding Request, and neither is the RESPONSE(反应,回签,回音)-ADDRESS
attribute. The Binding Response contains(包含,等于,容纳,抑制) a mapped address. The
control component then
formulates(公式化,系统阐述) a second Binding Request. This
request contains a RESPONSE-ADDRESS, which is set to the mapped
address learned from the previous(前,先,在前) Binding Response. This Binding
Request is passed to the media component(部件,成分,零组件), along with the IP address
and port of the STUN server. The media component sends the Binding
Request. The request goes to the STUN server, which sends the
Binding Response back to the control component. The control
component receives this, and now has learned an IP address and port
that will be routed(路,航线,路程) back to the media component that sent the
request.
The client(顾客,用户,当事人) will be able to receive media from anywhere on this mapped
address.
In the case of silence suppression(压制,镇压), there may be periods(句号,时期,学时,周期) where the
client receives no media. In this case, the UDP bindings could
timeout(超时,停工时间) (UDP bindings in NATs are typically(标准,典型) short;
30 seconds is
common). To deal(处理,待遇,对付,给,交易,买卖,数量) with this, the application(请求,施/应用,程序,软件) can periodically(期刊,杂志)
retransmit(中继,重新发送) the query(查询,问题,疑问) in order to keep the binding fresh.
It is possible that both participants(参与,有份,参加者) in the multimedia(多媒体,多种手段) session(会议,一段时间) are
behind the same NAT. In that case, both will repeat this procedure
above, and both will obtain(得到) public address bindings(绑捆,包扎,结合,联接,凝固,约束,装钉). When one sends
media to the other, the media is routed to the NAT, and then
turns
right back around to come back into the enterprise(企业,事业), where it is
translated(译,翻译) to the private(个人,秘密,专用) address of the recipient(接收器/者,收件人). This is not
particularly(苛求,事实,特别,细节) efficient(因素,效率高,有能力), and unfortunately(不幸,可取), do
es not work in many
commercial(经济,商务,广告) NATs. In such cases, the clients(顾客,用户,当事人) may need to retry(缩进) using
private addresses.
11. Protocol(礼节,协议) Details(零件,细节,枝节)
This section(部分,部门,切片,区) presents(给,礼物,显示,现在) the detailed encoding(编码) of a STUN(打晕,吓呆) message.
STUN is a request(请求,需要)-response(反应,回签,回音) protocol. Clients send a request, and the
server sends a response. There are two requests, Binding Request,
and Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request. The response to a Binding Request can
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 24]
RFC 3489 STUN March 2003
either be the Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Response or Binding Error Response. The
response to a Shared Secret Request can either be a Shared Secret
Response or a Shared Secret Error Response.
STUN messages are encoded using binary(二,二成分) fields. All integer fields
are carried in network byte order, that is, most significant(有效,重大) byte
(octet(八隅体,八位位组)) first. This byte order is commonly known as big-endian(字节存储次序). The
transmission(传动,传输,发射) order is described(描绘,描述,形容,作图) in detail in Appendix(附录,附庸,阑尾,盲肠) B of RFC 791
[6]. Unless otherwise noted, numeric(数字) constants(常数,恒定,坚贞) are in decimal(十进,小数) (base
10).
11.1 Message Header
All STUN messages consist(包括,符合,在于,组成) of a 20 byte header:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| STUN Message Type | Message Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Transaction(处理,和解,交易) ID
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The Message Types can take on the following values:
0x0001 : Binding Request
0x0101 : Binding Response
0x0111 : Binding Error Response
0x0002 : Shared Secret Request
0x0102 : Shared Secret Response
0x0112 : Shared Secret Error Response
The message length is the count, in bytes, of the size of the
message, not including the 20 byte header.
The transaction ID is a 128 bit identifier(标识,鉴别,认出,验明). It also serves(适合,服务/役,任职,招待) as salt(盐,芒硝,撒盐)
to randomize(随机化) the request(请求,需要) and the response(反应,回签,回音). All responses carry the
same identifier as the request they correspond(符合,通信,相当) to.
Rosenberg, et al. Standards Track [Page 25]
RFC 3489 STUN(打晕,吓呆) March 2003
11.2 Message Attributes(归于,品质,特性)
After the header are 0 or more attributes. Each attribute is TLV
encoded(编码), with a 16 bit type, 16 bit length, and variable(变量,变数) value:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Value ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The following types are defined(立,定义,规定,准确说明):
0x0001: MAPPED-ADDRESS
0x0002: RESPONSE-ADDRESS
0x0003: CHANGE-REQUEST
0x0004: SOURCE-ADDRESS
0x0005: CHANGED-ADDRESS
0x0006: USERNAME(用户名)
0x0007: PASSWORD
0x0008: MESSAGE-INTEGRITY(诚实,完整,正直)
0x0009: ERROR-CODE
0x000a: UNKNOWN(未知,未知的)-ATTRIBUTES
0x000b: REFLECTED(反射,思考)-FROM
To allow future(将来,期货,前途) revisions(复习,修订本) of this specification(规格,详述,载明) to add new attributes
if needed, the attribute space is divided(除,分,分开) into optional(任选,随意,可自由选择) and mandatory(命令者)
ones. Attributes with values greater than 0x7fff are optional, which
means that the message can be processed(程序,处理,起诉,变) by the client(顾客,用户,当事人) or server even
though the attribute is not understood. Attributes with values less
than or equal(等于,胜任) to 0x7fff are mandatory to understand, which means that
the client or server cannot process the message unless it understands
the attribute.
The MESSAGE-INTEGRITY attribute MUST be the last attribute within a
message. Any attributes that are known, but are not supposed(假定,推测,想象上) to be
present(给,礼物,显示,现在) in a message (MAPPED-ADDRESS in a request(请求,需要), for example) MUST
be ignored(不顾,不理,忽略,忽视).
Table 2 indicates(标示,表明,显示,指明) which attributes(归于,品质,特性) are present in which messages. An
M indicates that inclusion(包括,包括在内) of the attribute in the message is
mandatory, O means its optional, C means it's conditional(假定,条件) based on
some other aspect(香润,方向,容貌) of the message, and N/A means that the attribute is
not applicable(合适,生动) to that message type.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 26]
RFC 3489 STUN(打晕,吓呆) March 2003
Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Shared(份,有,分担,共享/用) Shared Shared
Binding Binding Error Secret(秘密,隐蔽,隐情) Secret Secret
Att. Req. Resp. Resp. Req. Resp. Error
Resp.
_____________________________________________________________________
MAPPED-ADDRESS N/A M N/A N/A N/A N/A
RESPONSE(反应,回签,回音)-ADDRESS O N/A N/A N/A N/A N/A
CHANGE-REQUEST O N/A N/A N/A N/A N/A
SOURCE-ADDRESS N/A M N/A N/A N/A N/A
CHANGED-ADDRESS N/A M N/A N/A N/A N/A
USERNAME(用户名) O N/A N/A N/A M N/A
PASSWORD N/A N/A N/A N/A M N/A
MESSAGE-INTEGRITY(诚实,完整,正直) O O N/A N/A N/A N/A
ERROR-CODE N/A N/A M N/A N/A M
UNKNOWN(未知,未知的)-ATTRIBUTES N/A N/A C N/A N/A C
REFLECTED(反射,思考)-FROM N/A C N/A N/A N/A N/A
Table 2: Summary(概要,简短) of Attributes
The length refers(参考,查阅,归于,谈到,提出,求助于) to the length of the value element(成分,要素,元件), expressed(表白,快/车,明确) as an
unsigned(未署名,无符号) integral(整,整体,组成) number of bytes.
11.2.1 MAPPED-ADDRESS
The MAPPED-ADDRESS attribute indicates(标示,表明,显示,指明) the mapped IP address and
port. It consists(包括,符合,在于,组成) of an eight bit address family, and a sixteen bit
port, followed by a fixed length value representing(表现,代表,象征) the IP address.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|x x x x x x x x| Family | Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The port is a network byte ordered representation(陈述,代表,描写) of the mapped port.
The address family is always 0x01, corresponding(符合,通信,相当) to IPv4. The first
8 bits of the MAPPED-ADDRESS are ignored(不顾,不理,忽略,忽视), for the purposes(打算,效果,意图,用途) of
aligning(定位,对齐,均衡,排列,成一直线) parameters(参数,参量) on natural(本来,天然,通常) boundaries(办界,边界). The IPv4 address is 32
bits.
11.2.2 RESPONSE(反应,回签,回音)-ADDRESS
The RESPONSE-ADDRESS attribute(归于,品质,特性) indicates where the response to a
Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request(请求,需要) should be sent. Its syntax(句法,语法) is identical(恒等,同样,相同) to MAPPED-
ADDRESS.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 27]
RFC 3489 STUN(打晕,吓呆) March 2003
11.2.3 CHANGED-ADDRESS
The CHANGED-ADDRESS attribute indicates the IP address and port where
responses would have been sent from if the "change IP" and "change
port" flags had been set in the CHANGE-REQUEST attribute of the
Binding Request. The attribute is always present(给,礼物,显示,现在) in a Binding
Response, independent(独立,自主,无党派) of the value of the flags. Its syntax is
identical to MAPPED-ADDRESS.
11.2.4 CHANGE-REQUEST
The CHANGE-REQUEST attribute is used by the client(顾客,用户,当事人) to request that
the server use a different(不同,差异,各种) address and/or port when sending the
response. The attribute is 32 bits long, although only two bits (A
and B) are used:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 A B 0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The meaning of the flags is:
A: This is the "change IP" flag. If true, it requests the server
to send the Binding Response with a different IP address than the
one the Binding Request was received(承受,得到,接待) on.
B: This is the "change port" flag. If true, it requests the
server to send the Binding Response with a different port than the
one the Binding Request was received on.
11.2.5 SOURCE-ADDRESS
The SOURCE-ADDRESS attribute is present in Binding Responses. It
indicates(标示,表明,显示,指明) the source IP address and port that the server is sending
the response from. Its syntax is identical to that of MAPPED-
ADDRESS.
11.2.6 USERNAME(用户名)
The USERNAME attribute is used for message integrity(诚实,完整,正直). It serves(适合,服务/役,任职,招待) as a
means to identify(标识,鉴别,认出,验明) the shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) used in the message integrity
check. The USERNAME is always present in a Shared Secret Response,
along with the PASSWORD. It is optionally(任选,随意,可自由选择) present in a Binding
Request when message integrity is used.
Rosenberg, et al. Standards Track [Page 28]
RFC 3489 STUN March 2003
The value of USERNAME is a variable(变量,变数) length opaque(难懂,不传导,不透明) value. Its length
MUST be a multiple(倍数,并联,多个) of 4 (measured(测量,尺寸,措施) in bytes) in order to guarantee(保证,承认,担保物)
alignment(调整,队列,对准,联合,对齐) of attributes(归于,品质,特性) on word boundaries(办界,边界).
11.2.7 PASSWORD
The PASSWORD attribute is used in Shared Secret Responses(反应,回签,回音). It is
always present(给,礼物,显示,现在) in a Shared Secret Response, along with the USERNAME.
The value of PASSWORD is a variable length value that is to be used
as a shared secret. Its length MUST be a multiple of 4 (measured in
bytes) in order to guarantee alignment of attributes on word
boundaries.
11.2.8 MESSAGE-INTEGRITY
The MESSAGE-INTEGRITY attribute contains(包含,等于,容纳,抑制) an HMAC-SHA1 [13] of the
STUN(打晕,吓呆) message. It can be present in Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Requests(请求,需要) or Binding
Responses. Since it uses the SHA1 hash(混乱,弄乱,哈希/散列表), the HMAC will be 20 bytes.
The text used as input to HMAC is the STUN message, including the
header, up to and including the attribute preceding(高于,领先,在前) the MESSAGE-
INTEGRITY(诚实,完整,正直) attribute. That text is then
padded with zeroes so as to be
a multiple of 64 bytes. As a result, the MESSAGE-INTEGRITY attribute
MUST be the last attribute in any STUN message. The key used as
input to HMAC depends(相信,依靠,取决于) on the context(环/语境,上下文,关系).
11.2.9 ERROR-CODE
The ERROR-CODE attribute is present in the Binding Error Response and
Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Error Response. It is a numeric(数字) value in the range(排,行,山脉,范围) of
100 to 699 plus a textual(课文) reason phrase(词组,短语,警句,惯语) encoded(编码) in UTF-8, and is
consistent(符合,坚持,坚固) in its code assignments(分配,转让,任务) and semantics(语义,语义学) with SIP [10] and
HTTP [15]. The reason phrase is meant(意指,意思是) for user consumption(消耗,消耗量), and can
be anything appropriate(拨给,恰当,侵占) for the response(反应,回签,回音) code. The lengths of the
reason phrases MUST be a multiple(倍数,并联,多个) of 4 (measured(测量,尺寸,措施) in bytes). This can
be accomplished(达到,精通,完成) by added spaces to the end of the text, if necessary.
Recommended(建议,介绍,劝告,推荐) reason phrases for the defined(立,定义,规定,准确说明) response codes are
presented(给,礼物,显示,现在) below.
To facilitate(帮助,促进,助长,容易) processing(程序,处理,起诉,变), the class of the error code (the hundreds
digit) is encoded separately(分隔,分开,个别) from the rest of the code.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 29]
RFC 3489 STUN(打晕,吓呆) March 2003
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0 |Class| Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reason Phrase (variable(变量,变数)) ..
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The class represents(表现,代表,象征) the hundreds digit of the response code. The
value MUST be between 1 and 6. The number represents the response
code modulo(模,模数,按模计算) 100, and its value MUST be between 0 and 99.
The following response codes, along with their recommended reason
phrases(词组,短语,警句,惯语) (in brackets(括号,托架)) are defined at this time:
400 (Bad Request(请求,需要)): The request was malformed(畸形,难看). The client(顾客,用户,当事人) should not
retry(缩进) the request without modification(改变,缓和,修饰) from the previous(前,先,在前)
attempt(尝试,攻击,企图,袭击).
401 (Unauthorized(非法,未授权/批准)): The Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Request did not contain(包含,等于,容纳,抑制) a MESSAGE-
INTEGRITY(诚实,完整,正直) attribute(归于,品质,特性).
420 (Unknown(未知,未知的) Attribute): The server did not understand a mandatory(命令者)
attribute in the request.
430 (Stale(陈腐,陈旧,走了气) Credentials(信任,证书)): The Binding Request did contain a MESSAGE-
INTEGRITY attribute, but it used a shared(份,有,分担,共享/用) secret(秘密,隐蔽,隐情) that has
expired(到期,断气,去世,终止). The client should obtain(得到) a new shared secret and try
again.
431 (Integrity Check Failure(破产,失败,失灵,疏忽)): The Binding Request contained a
MESSAGE-INTEGRITY attribute, but the HMAC failed verification(检验).
This could be a sign of a potential(可能,潜力,电动势) attack(攻击,侵袭,受袭), or client(顾客,用户,当事人)
implementation(实现,实行) error.
432 (Missing Username(用户名)): The Binding Request(请求,需要) contained a MESSAGE-
INTEGRITY attribute, but not a USERNAME attribute. Both must be
present(给,礼物,显示,现在) for integrity checks.
433 (Use TLS): The Shared Secret request has to be sent over TLS, but
was not received(承受,得到,接待) over TLS.
500 (Server Error): The server has suffered(经受,忍受,容许,受痛苦) a temporary(短暂,临时,临时工) error. The
client should try again.
600 (Global(总,球面,全局) Failure
The server is refusing(渣,报废,不愿,拒绝) to fulfill(履行,满足,完成) the request.The client should not retry(缩进).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 30]
RFC 3489 STUN(打晕,吓呆) March 2003
11.2.10 UNKNOWN(未知,未知的)-ATTRIBUTES(归于,品质,特性)
The UNKNOWN-ATTRIBUTES attribute is present only in a Binding(绑捆,包扎,结合,联接,凝固,约束,装钉) Error
Response(反应,回签,回音) or Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Error Response when the response code in
the ERROR-CODE attribute is 420.
The attribute contains(包含,等于,容纳,抑制) a list of 16 bit values, each of which
represents(表现,代表,象征) an attribute type that was not understood by the server.
If the number of unknown attributes is an odd number, one of the
attributes MUST be repeated in the list, so that the total length of
the list is a multiple(倍数,并联,多个) of 4 bytes.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute 1 Type | Attribute 2 Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute 3 Type | Attribute 4 Type ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
11.2.11 REFLECTED(反射,思考)-FROM
The REFLECTED-FROM attribute is present only in Binding Responses,
when the Binding Request contained a RESPONSE-ADDRESS attribute. The
attribute contains the identity(认同,身分,特性) (in terms(词,期,项,称为,术语,条件) of IP address) of the
source where the request(请求,需要) came from. Its purpose(打算,效果,意图,用途) is to provide(供给,提供,装备)
traceability(跟踪能力), so that a STUN server cannot be used as a reflector(反射镜,反射器) for
denial(否定,否认,拒绝)-of-service attacks(攻击,侵袭,受袭).
Its syntax(句法,语法) is identical(恒等,同样,相同) to the MAPPED-ADDRESS attribute.
12. Security(安全,证券) Considerations(考虑,体贴)
12.1 Attacks on STUN(打晕,吓呆)
Generally(总,将军,一般) speaking, attacks on STUN can be classified(分等,分类,归类) into denial of
service attacks and eavesdropping attacks. Denial of service attacks
can be launched(创办,发动,投射,开始) against a STUN server itself, or against other
elements(成分,要素,元件) using the STUN protocol(礼节,协议).
STUN servers create state through the Shared(份,有,分担,共享/用) Secret(秘密,隐蔽,隐情) Request
mechanism(机理,机械). To prevent(防止,妨碍,阻碍) being swamped(淹没,沼泽,泥沼状) with traffic(车,交通,交易,运), a STUN server
SHOULD limit(范围,极限,界限) the number of simultaneous(同时,同时存在) TLS connections(连接,联系,连贯性) it will hold
open by dropping an existing connection when a new connection request(请求,需要)
arrives(达到,来临,抵达某地) (based on an Least Recently(近来,新近,最近的) Used (LRU) policy(方针,政策,保险单), for example).
Similarly(类似,相象), it SHOULD limit the number of shared secrets it will
store, in the event that the server is storing the shared secrets.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 31]
RFC 3489 STUN March 2003
The attacks(攻击,侵袭,受袭) of greater interest are those in which the STUN(打晕,吓呆) server
and client(顾客,用户,当事人) are used to launch do
S attacks against other entities(存在,实体,实体物,统一体),
including the client itself.
Many of the attacks require(命令,请求,需要) the attacker to generate(导致,引起) a response(反应,回签,回音) to a
legitimate(合法,合理,证明有理) STUN request, in order to provide(供给,提供,装备) the client with a faked(伪造,虚构,云母板状岩)
MAPPED-ADDRESS. The attacks that can be launched(创办,发动,投射,开始) using such a
technique(技能,技术) include:
12.1.1 Attack I: DDOS Against a Target
In this case, the attacker provides a large number of clients with
the same faked MAPPED-ADDRESS that points to the intended(打算,企图,想要,意指) target.
This will trick(诡计,哄骗,窍门) all the STUN clients into thinking that their
addresses are equal(等于,胜任) to that of the target. The clients then
hand out
that address in order to receive(承受,得到,接待) traffic(车,交通,交易,运) on it (for example, in SIP
or H.323 messages). However, all of that traffic becomes focused at
the intended target. The attack can provide substantial(本质,大量,坚固,物质)
amplification(放大), especially(特别,特殊,专门) when used with clients that are using STUN
to enable multimedia(多媒体,多种手段) applications(请求,施/应用,程序,软件).
12.1.2 Attack(攻击,侵袭,受袭) II: Silencing a Client
In this attack, the attacker seeks to deny a client access(访问,接近,入口,通道) to
services enabled by STUN(打晕,吓呆) (for example, a client(顾客,用户,当事人) using STUN to enable
SIP-based multimedia traffic). To do
that, the attacker provides
that client with a faked MAPPED-ADDRESS. The MAPPED-ADDRESS it
provides is an IP address that routes(路,航线,路程) to nowhere. As a result, the
client won't receive any of the packets(包,袋,群,组,套,捆) it expects(等待,期待,预期) to receive when it
hands out the MAPPED-ADDRESS.
This exploitation(开发,利用) is not very interesting for the attacker. It
impacts(冲击,碰撞,压紧,影响) a single client, which is frequently(常到,常去,频繁) not the desired(期望,相望,想要,要求) target.
Moreover(此外,而且,况且), any attacker that can mount(爬,安装,山,固定) the attack could also deny
service to the client by other means, such as preventing(防止,妨碍,阻碍) the client
from receiving any response(反应,回签,回音) from the STUN server, or even a DHCP
server.
12.1.3 Attack III: Assuming(呈现,承担,假定) the Identity(认同,身分,特性) of a Client
This attack is similar(类似,相象) to attack II. However, the faked(伪造,虚构,云母板状岩) MAPPED-
ADDRESS points to the attacker themself. This allows the attacker to
receive(承受,得到,接待) traffic(车,交通,交易,运) which was destined(命定,预定) for the client.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 32]
RFC 3489 STUN March 2003
12.1.4 Attack(攻击,侵袭,受袭) IV: Eavesdropping
In this attack, the attacker forces the client to use a MAPPED-
ADDRESS that routes to itself. It then
forwards any packets it
receives to the client. This attack would allow the attacker to
observe(遵守,观测/察,注意) all packets sent to the client(顾客,用户,当事人). However, in order to launch(创办,发动,投射,开始)
the attack, the attacker must have already been able to observe
packets(包,袋,群,组,套,捆) from the client to the STUN(打晕,吓呆) server. In most cases (such as
when the attack is launched from an access(访问,接近,入口,通道) network), this means that
the attacker could already observe packets sent to the client. This
attack is, as a result, only useful for observing traffic by
attackers on the path from the client to the STUN server, but not
generally(总,将军,一般) on the path of packets being routed(路,航线,路程) towards the client.
12.2 Launching the Attacks
It is important to note that attacks of this nature (injecting(喷射,注满,注入)
responses with fake MAPPED-ADDRESSes) require(命令,请求,需要) that the attacker be
capable(有才能,有能力) of eavesdropping requests sent from the client to the server
(or to act as a MITM for such attacks). This is because STUN
requests contain(包含,等于,容纳,抑制) a transaction(处理,和解,交易) identifier(标识,鉴别,认出,验明), selected(选,精选) by the client,
which is random with 128 bits of entropy(熵). The server echoes this
value in the response(反应,回签,回音), and the client ignores(不顾,不理,忽略,忽视) any responses that
do
n't have a matching transaction ID. Therefore, in order for an
attacker to provide(供给,提供,装备) a faked(伪造,虚构,云母板状岩) response that is accepted(承担,公认,接受,同意) by the client,
the attacker(攻击,侵袭,受袭) needs to know what the transaction ID in the request
was. The large amount(和,合计,金额,数量) of randomness(随机性), combined(集团,结合,收割机) with the need to know
when the client(顾客,用户,当事人) sends a request, precludes(避免,除去,排除,预防) attacks that involve(包括,牵涉,占用,参加)
guessing the transaction ID.
Since all of the above attacks rely(信赖,依靠) on this one primitive(粗糙,简单,原语,原始人) - injecting(喷射,注满,注入)
a response with a faked MAPPED-ADDRESS - preventing(防止,妨碍,阻碍) the attacks is
accomplished(达到,精通,完成) by preventing this one operation(操作,手术,运算). To prevent it, we
need to consider(关心,考虑,认为,体谅) the various(不同,多样,各种) ways in which it can be accomplished.
There are several:
12.2.1 Approach(逼近,态度,途径) I: Compromise(和解,损害,妥协) a Legitimate(合法,合理,证明有理) STUN(打晕,吓呆) Server
In this attack, the attacker compromises a legitimate STUN server
through a virus(病毒,毒素,病原体) or Trojan(troy的,特洛伊) horse. Presumably(大概,也许,推测起来), this would allow the
attacker(攻击,侵袭,受袭) to take over the STUN server, and control the types of
responses(反应,回签,回音) it generates(导致,引起).
Compromise of a STUN server can also lead to discovery(暴露,发现,看出) of open ports.
Knowledge(学识,知道) of an open port creates an opportunity(机会) for do
S attacks on
those ports (or DDoS attacks if the traversed(横渡,横过,曲线) NAT is a full cone(圆锥,锥体,成锥形)
NAT). Discovering open ports is already fairly(公平,集市,相当,修整,博览会,流线型) trivial(平常,平庸,琐碎,细小) using port
probing(或然), so this do
es not represent(表现,代表,象征) a major(多数,较大,主修,专业) threat(恐吓,威胁,凶兆).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 33]
RFC 3489 STUN March 2003
12.2.2 Approach(逼近,态度,途径) II: DNS Attacks
STUN servers are discovered using DNS SRV records(唱片,档案,记录). If an attacker
can compromise(和解,损害,妥协) the DNS, it can inject(喷射,注满,注入) fake(伪造,虚构,云母板状岩) records which map a do
main(领土,领域,主机)
name to the IP address of a STUN(打晕,吓呆) server run by the attacker(攻击,侵袭,受袭). This
will allow it to inject fake responses(反应,回签,回音) to launch(创办,发动,投射,开始) any of the attacks
above.
12.2.3 Approach III: Rogue(恶棍,流氓,捉弄) Router(刻,大败,溃败,输送) or NAT
Rather than compromise the STUN server, an attacker can cause a STUN
server to generate(导致,引起) responses with the wrong MAPPED-ADDRESS by
compromising a router or NAT on the path from the client(顾客,用户,当事人) to the STUN
server. When the STUN request(请求,需要) passes through the rogue router or
NAT, it rewrites(改写,再生,重写) the source address of the packet(包,袋,群,组,套,捆) to be that of the
desired(期望,相望,想要,要求) MAPPED-ADDRESS. This address cannot be arbitrary(任意,专断,不理智). If the
attacker is on the public Internet (that is, there are no NATs
between it and the STUN server), and the attacker do
esn't modify(变更,缓和,修改,修饰) the
STUN request, the address has to have the property(财产,特性,性能) that packets sent
from the STUN server to that address would route(路,航线,路程) through the
compromised router. This is because the STUN server will send the
responses back to the source address of the request. With a modified
source address, the only way they can reach the client is if the
compromised router directs them there. If the attacker is on the
public Internet, but they can modify the STUN request, they can
insert a RESPONSE-ADDRESS attribute(归于,品质,特性) into the request, containing(包含,等于,容纳,抑制) the
actual(实际,现行) source address of the STUN request. This will cause the
server to send the response to the client, independent(独立,自主,无党派) of the source
address the STUN server sees. This gives the attacker the ability(本领,才干,才能,技能) to
forge(编造,锤炼,铁铺,前进) an arbitrary source address when it forwards the STUN(打晕,吓呆) request.
If the attacker(攻击,侵袭,受袭) is on a private(个人,秘密,专用) network (that is, there are NATs
between it and the STUN server), the attacker will not be able to
force the server to generate arbitrary MAPPED-ADRESSes in responses(反应,回签,回音).
They will only be able force the STUN server to generate MAPPED-
ADDRESSes which route to the private network. This is because the
NAT between the attacker and the STUN server will rewrite the source
address of the STUN request, mapping it to a public address that
routes to the private network. Because of this, the attacker can
only force the server to generate faked(伪造,虚构,云母板状岩) mapped addresses that route
to the private network. Unfortunately(不幸,可取), it is possible that a low
quality(合格,品质,特性) NAT would be willing to map an allocated(拨下,分配) public address to
another public address (as opposed(反对,反抗,对比) to an internal(内,本质性) private address),
in which case the attacker could forge the source address in a STUN
request(请求,需要) to be an arbitrary public address. This kind of behavior(表现,举止,态度,行为)
from NATs do
es appear to be rare(非常,罕见,稀罕,稀少).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 34]
RFC 3489 STUN March 2003
12.2.4 Approach(逼近,态度,途径) IV: MITM
As an alternative(交替,选择,替换) to approach III, if the attacker can place an
element(成分,要素,元件) on the path from the client(顾客,用户,当事人) to the server, the element can
act as a man-in-the-middle. In that case, it can intercept(截距,截取,阻止) a STUN
request, and generate(导致,引起) a STUN response directly with any desired(期望,相望,想要,要求) value
of the MAPPED-ADDRESS field. Alternatively, it can forward the STUN
request to the server (after potential(可能,潜力,电动势) modification(改变,缓和,修饰)), receive(承受,得到,接待) the
response, and forward it to the client. When forwarding the request
and response, this attack(攻击,侵袭,受袭) is subject(从属,科目,事物,主题) to the same limitations(局限,限度) on the
MAPPED-ADDRESS described(描绘,描述,形容,作图) in Section(部分,部门,切片,区) 12.2.3.
12.2.5 Approach V: Response(反应,回签,回音) Injection(充满,注入) Plus do
S
In this approach, the attacker do
es not need to be a MITM (as in
approaches III and IV). Rather, it only needs to be able to
eavesdrop(窃听,偷听) onto a network segment(段,部分,切,扇形) that carries STUN(打晕,吓呆) requests(请求,需要). This is
easily do
ne in multiple(倍数,并联,多个) access(访问,接近,入口,通道) networks such as ethernet(以太网) or
unprotected 802.11. To inject(喷射,注满,注入) the fake(伪造,虚构,云母板状岩) response, the attacker
listens on the network for a STUN request. When it sees one, it
simultaneously(同时,同时存在) launches(创办,发动,投射,开始) a do
S attack on the STUN server, and
generates(导致,引起) its own STUN response with the desired(期望,相望,想要,要求) MAPPED-ADDRESS
value. The STUN response generated by the attacker will reach the
client(顾客,用户,当事人), and the do
S attack against the server is aimed(瞄准,目标,针对,指向) at preventing(防止,妨碍,阻碍)
the legitimate(合法,合理,证明有理) response from the server from reaching the client.
Arguably(可论证地), the attacker(攻击,侵袭,受袭) can do
without the do
S attack on the server,
so long as the faked response beats(打,敲,击败,搅拌,拍音,心跳) the real response(反应,回签,回音) back to the
client, and the client uses the first response, and ignores(不顾,不理,忽略,忽视) the
second (even though it's different(不同,差异,各种)).
12.2.6 Approach(逼近,态度,途径) VI: Duplication(加倍,成双重)
This approach is similar(类似,相象) to approach V. The attacker listens on the
network for a STUN(打晕,吓呆) request(请求,需要). When it sees it, it generates its own
STUN request towards the server. This STUN request is identical(恒等,同样,相同) to
the one it saw, but with a spoofed(嘲讽,诳骗,揶揄) source IP address. The spoofed
address is equal(等于,胜任) to the one that the attacker desires to have placed
in the MAPPED-ADDRESS of the STUN response. In fact, the attacker
generates a flood(泛滥,洪水,淹没,涨潮) of such packets(包,袋,群,组,套,捆). The STUN server will receive(承受,得到,接待) the
one original(新颖,原始,原物,最初) request, plus a flood of duplicate(二重,复本,加倍) fake(伪造,虚构,云母板状岩) ones. It
generates(导致,引起) responses to all of them. If the flood is sufficiently(充分,充足)
large for the responses to congest(充血,拥挤,阻塞,充满) routers(刻,大败,溃败,输送) or some other equipment(配备,器材,设备),
there is a reasonable(公道,合理) probability(概率,可能,可能性) that the one real response(反应,回签,回音) is lost
(along with many of the faked ones), but the net result is that only
the faked responses are received by the STUN client(顾客,用户,当事人). These responses
are all identical and all contain(包含,等于,容纳,抑制) the MAPPED-ADDRESS that the
attacker(攻击,侵袭,受袭) wanted the client to use.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 35]
RFC 3489 STUN(打晕,吓呆) March 2003
The flood of duplicate packets is not needed (that is, only one faked
request(请求,需要) is sent), so long as the faked response beats(打,敲,击败,搅拌,拍音,心跳) the real
response back to the client, and the client uses the first response,
and ignores(不顾,不理,忽略,忽视) the second (even though it's different(不同,差异,各种)).
Note that, in this approach(逼近,态度,途径), launching(创办,发动,投射,开始) a do
S attack against the STUN
server or the IP network, to prevent(防止,妨碍,阻碍) the valid(有效,正当) response from being
sent or received(承受,得到,接待), is problematic(有问题). The attacker needs the STUN server
to be available(可用,通用) to handle its own request. Due to the periodic(定时,周期)
retransmissions(中继) of the request from the client, this leaves a very
tiny window of opportunity(机会). The attacker must start the do
S attack
immediately(立即,立刻,直接) after the actual(实际,现行) request from the client, causing the
correct(改正,纠正,恰当) response(反应,回签,回音) to be discarded(丢弃,废除,扔掉,删除), and then
cease(间断,结束,平息,停止) the do
S attack(攻击,侵袭,受袭) in
order to send its own request, all before the next retransmission
from the client(顾客,用户,当事人). Due to the close spacing of the retransmits(中继,重新发送) (100ms
to a few seconds), this is very difficult(艰苦,困难) to do
.
Besides do
S attacks, there may be other ways to prevent the actual
request(请求,需要) from the client from reaching the server. Layer 2
manipulations(操纵), for example, might be able to accomplish(达到,精通,完成) it.
Fortunately(侥幸,带来好运), Approach(逼近,态度,途径) IV is subject(从属,科目,事物,主题) to the same limitations(局限,限度)
do
cumented(公文,文档,证件) in Section(部分,部门,切片,区) 12.2.3, which limit(范围,极限,界限) the range(排,行,山脉,范围) of MAPPED-
ADDRESSes the attacker can cause the STUN(打晕,吓呆) server to generate(导致,引起).
12.3 Countermeasures(对策,干扰)
STUN provides(供给,提供,装备) mechanisms(机理,机械) to counter the approaches described(描绘,描述,形容,作图) above,
and additional(附加,增加), non-STUN techniques(技能,技术) can be used as well.
First off, it is RECOMMENDED(建议,介绍,劝告,推荐) that networks with STUN clients(顾客,用户,当事人)
implement(仪器,工具,执行,生效) ingress source filtering(过滤,渗入,筛选) (RFC 2827 [7]). This is
particularly(苛求,事实,特别,细节) important for the NATs themselves. As Section 12.2.3
explains(辩解,解释,说明), NATs which do
not perform(表演,履行,提供,完成) this check can be used as
"reflectors(反射镜,反射器)" in DDoS attacks(攻击,侵袭,受袭). Most NATs do
perform this check as a
default mode of operation(操作,手术,运算). We strongly advise(建议,劝告,通知) people that purchase(买,采购,支点,珀切斯)
NATs to ensure(保护,保险,赋予) that this capability(才能,能力) is present(给,礼物,显示,现在) and enabled.
Secondly, it is RECOMMENDED that STUN(打晕,吓呆) servers be run on hosts
dedicated(奉献,贡献,致力,专用) to STUN, with all UDP and TCP ports disabled(禁用,残废,伤残) except for the
STUN ports. This is to prevent(防止,妨碍,阻碍) viruses(病毒,毒素,病原体) and Trojan(troy的,特洛伊) horses from
infecting(传染,感染,受影响) STUN servers, in order to prevent their compromise(和解,损害,妥协). This
helps mitigate(缓和,减轻) Approach(逼近,态度,途径) I (Section(部分,部门,切片,区) 12.2.1).
Thirdly, to prevent the DNS attack of Section 12.2.2, Section 9.2
recommends(建议,介绍,劝告,推荐) that the client(顾客,用户,当事人) verify(查证,核实,检验,证明) the credentials(信任,证书) provided(供给,提供,装备) by the
server with the name used in the DNS lookup(检查).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 36]
RFC 3489 STUN March 2003
Finally(结局,决赛,最后,决定性), all of the attacks(攻击,侵袭,受袭) above rely(信赖,依靠) on the client taking the
mapped address it learned from STUN, and using it in application(请求,施/应用,程序,软件)
layer protocols(礼节,协议). If encryption(加密) and message integrity(诚实,完整,正直) are provided
within those protocols, the eavesdropping and identity(认同,身分,特性) assumption(傲慢,采取,假定)
attacks can be prevented(防止,妨碍,阻碍). As such, applications that make use of
STUN(打晕,吓呆) addresses in application protocols SHOULD use integrity and
encryption, even if a SHOULD level strength is not specified(规定,指定,明确说明) for that
protocol. For example, multimedia(多媒体,多种手段) applications using STUN addresses
to receive(承受,得到,接待) RTP traffic(车,交通,交易,运) would use secure(安全,保证,获得,无虑的) RTP [16].
The above three techniques(技能,技术) are non-STUN mechanisms(机理,机械). STUN itself
provides several countermeasures(对策,干扰).
Approaches(逼近,态度,途径) IV (Section(部分,部门,切片,区) 12.2.4), when generating(导致,引起) the response(反应,回签,回音) locally(本地,区域,地方性),
and V (Section 12.2.5) require(命令,请求,需要) an attacker(攻击,侵袭,受袭) to generate a faked(伪造,虚构,云母板状岩)
response. This attack is prevented using the message integrity
mechanism provided(供给,提供,装备) in STUN, described(描绘,描述,形容,作图) in Section 8.1.
Approaches III (Section 12.2.3) IV (Section 12.2.4), when using the
relaying(换班,中继,转播,继电器,接替) technique, and VI (12.2.6), however, are not preventable(可防止)
through server signatures(签名,说明). Both approaches are most potent(有效,强有力) when the
attacker can modify(变更,缓和,修改,修饰) the request, inserting a RESPONSE-ADDRESS that
routes(路,航线,路程) to the client(顾客,用户,当事人). Fortunately(侥幸,带来好运), such modifications(改变,缓和,修饰) are
preventable using the message integrity(诚实,完整,正直) techniques(技能,技术) described in
Section 9.3. However, these three approaches are still functional(功能,函数,起作用)
when the attacker modifies nothing but the source address of the STUN(打晕,吓呆)
request. Sadly, this is the one thing that cannot be protected(保护,保卫,警戒)
through cryptographic(密码,关于暗号) means, as this is the change that STUN itself
is seeking to detect(察觉,发觉,发现,检测) and report. It is therefore an inherent(固有,内在,与生俱来)
weakness(脆弱,缺点) in NAT, and not fixable(可安定) in STUN. To help mitigate(缓和,减轻) these
attacks(攻击,侵袭,受袭), Section(部分,部门,切片,区) 9.4 provides(供给,提供,装备) several heuristics(渐进,试探,推断) for the client to
follow. The client looks for inconsistent(不一致) or extra responses(反应,回签,回音), both
of which are signs of the attacks described(描绘,描述,形容,作图) above. However, these
heuristics are just that - heuristics, and cannot be guaranteed(保证,承认,担保物) to
prevent(防止,妨碍,阻碍) attacks. The heuristics appear to prevent the attacks as we
know how to launch(创办,发动,投射,开始) them today. Implementors should stay posted for
information(数据,通知,信息,资料) on new heuristics that might be required(命令,请求,需要) in the future(将来,期货,前途).
Such information will be distributed(分布,分配,配给,散布) on the IETF MIDCOM mailing list,
midcom@ietf.org.
12.4 Residual(残留,剩余) Threats(恐吓,威胁,凶兆)
None of the countermeasures(对策,干扰) listed above can prevent the attacks
described in Section 12.2.3 if the attacker is in the appropriate(拨给,恰当,侵占)
network paths. Specifically(明确地,特别地), consider(关心,考虑,认为,体谅) the case in which the attacker
wishes to convince(信服,确信,认识) client(顾客,用户,当事人) C that it has address V. The attacker(攻击,侵袭,受袭)
needs to have a network element(成分,要素,元件) on the path between A and the server
(in order to modify(变更,缓和,修改,修饰) the request) and on the path between the server
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 37]
RFC 3489 STUN(打晕,吓呆) March 2003
and V so that it can forward the response(反应,回签,回音) to C. Furthermore(此外,而且), if
there is a NAT between the attacker and the server, V must also be
behind the same NAT. In such a situation(处境,情形,位置,状况), the attacker can either
gain access(访问,接近,入口,通道) to all the application(请求,施/应用,程序,软件)-layer traffic(车,交通,交易,运) or mount(爬,安装,山,固定) the DDOS
attack described(描绘,描述,形容,作图) in Section(部分,部门,切片,区) 12.1.1. Note that any host which exists
in the correct(改正,纠正,恰当) topological(拓扑) relationship(关系,联系) can be DDOSed. It need not
be using STUN.
13. IANA Considerations(考虑,体贴)
STUN cannot be extended(长期,扩大,伸长). Changes to the protocol(礼节,协议) are made through a
standards track revision(复习,修订本) of this specification(规格,详述,载明). As a result, no IANA
registries(登记) are needed. Any future(将来,期货,前途) extensions(伸展,延长) will establish(建立,确定,移植) any
needed registries.
14. IAB Considerations
The IAB has studied the problem(课题,难题) of "Unilateral(单边,片面,单向作用) Self Address Fixing",
which is the general(总,将军,一般) process(程序,处理,起诉,变) by which a client(顾客,用户,当事人) attempts(尝试,攻击,企图,袭击) to determine(测定,查明,决定,决心)
its address in another realm(国土,领域,区域) on the other side of a NAT through a
collaborative(合作,协作) protocol reflection(反射,反映,感想,思考) mechanism(机理,机械) (RFC 3424 [17]). STUN(打晕,吓呆) is
an example of a protocol that performs(表演,履行,提供,完成) this type of function. The
IAB has mandated(命令,批准,委托,要求) that any protocols developed(成长,发展,开发,显现) for this purpose(打算,效果,意图,用途)
do
cument(公文,文档,证件) a specific(精确,特定,特性,细微) set of considerations(考虑,体贴). This section(部分,部门,切片,区) meets those
requirements(需求,需要).
14.1 Problem Definition(定界,定义,释义)
From RFC 3424 [17], any UNSAF proposal(计划,建议,求婚,提出) must provide(供给,提供,装备):
Precise(精密,精确,严格) definition of a specific, limited(范围,极限,界限)-scope(域,范围,机会,显微镜) problem(课题,难题) that is to
be solved(解答,解决) with the UNSAF proposal. A short term(词,期,项,称为,术语,条件) fix should not be
generalized(概括,归纳,总结) to solve other problems;
this is why "short term fixes
usually aren't".
The specific problems being solved by STUN are:
o Provide a means for a client(顾客,用户,当事人) to detect(察觉,发觉,发现,检测) the presence(有,在,出席,存在,到场) of one or more
NATs between it and a server run by a service provider on the
public Internet. The purpose of such detection(察觉,发觉,探测) is to determine(测定,查明,决定,决心)
additional(附加,增加) steps that might be necessary in order to receive(承受,得到,接待)
service from that particular(苛求,事实,特别,细节) provider.
o Provide a means for a client to detect the presence of one or more
NATs between it and another client, where the second client is
reachable(可达到) from the first, but it is not known whether the second
client resides(存在,居住,属于,驻留) on the public Internet.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 38]
RFC 3489 STUN(打晕,吓呆) March 2003
o Provide a means for a client to obtain an address on the public
Internet from a non-symmetric(对称) NAT, for the express(表白,快/车,明确) purpose(打算,效果,意图,用途) of
receiving incoming(进款,收入,收益,所得) UDP traffic(车,交通,交易,运) from another host, targeted to that
address.
STUN do
es not address TCP, either incoming or outgoing(动身,输出,外出,即将离去), and do
es not
address outgoing UDP communications(传达,交通,通讯).
14.2 Exit Strategy(策略,计谋,战略)
From [17], any UNSAF proposal(计划,建议,求婚,提出) must provide(供给,提供,装备):
Description(描写,叙述,种类) of an exit strategy/transition(变迁,过渡,转变) plan. The better short
term(词,期,项,称为,术语,条件) fixes are the ones that will naturally(本来,天然,通常) see less and less use
as the appropriate(拨给,恰当,侵占) technology(工艺,技术,工艺学,制造学) is deployed(布置,散开,展开).
STUN comes with its own built in exit strategy. This strategy is the
detection(察觉,发觉,探测) operation(操作,手术,运算) that is performed(表演,履行,提供,完成) as a precursor(先驱,先兆,预报器) to the actual(实际,现行)
UNSAF address-fixing operation. This discovery(暴露,发现,看出) operation, do
cumented(公文,文档,证件)
in Section(部分,部门,切片,区) 10.1, attempts(尝试,攻击,企图,袭击) to discover the existence(存在,生存,实在) of, and type of,
any NATS between the client(顾客,用户,当事人) and the service provider network. Whilst
the detection of the specific(精确,特定,特性,细微) type of NAT may be brittle(脆,易碎), the
discovery of the existence of NAT is itself quite robust(粗壮,坚固,强健). As NATs
are phased(相,侧/方面,阶段,时期,形态,调整) out through the deployment(部署,展开) of IPv6, the discovery
operation will return immediately(立即,立刻,直接) with the result that there is no
NAT, and no further operations are required(命令,请求,需要). Indeed, the discovery
operation itself can be used to help motivate(促动,促进,激发,激起) deployment of IPv6;
if
a user detects(察觉,发觉,发现,检测) a NAT between themselves and the public Internet, they
can call up their access(访问,接近,入口,通道) provider(供给,提供,装备) and complain(抱怨,拆苦,控告) about it.
STUN(打晕,吓呆) can also help facilitate(帮助,促进,助长,容易) the introduction(介绍,引进/言) of midcom. As
midcom-capable(有才能,有能力) NATs are deployed(布置,散开,展开), applications(请求,施/应用,程序,软件) will, instead(代替,当作,反而,改为) of using
STUN (which also resides(存在,居住,属于,驻留) at the application layer), first allocate(拨下,分配) an
address binding(绑捆,包扎,结合,联接,凝固,约束,装钉) using midcom. However, it is a well-known limitation(局限,限度)
of midcom that it only works when the agent(代理,服务,试剂,特工) knows the middleboxes
through which its traffic(车,交通,交易,运) will flow(流,流畅,飘垂,涨潮). Once bindings have been
allocated from those middleboxes, a STUN detection(察觉,发觉,探测) procedure can
validate(确认,验证,证实,生效) that there are no additional(附加,增加) middleboxes on the path from
the public Internet to the client(顾客,用户,当事人). If this is the case, the
application can continue operation(操作,手术,运算) using the address bindings
allocated from midcom. If it is not the case, STUN provides a
mechanism(机理,机械) for self-address fixing through the remaining(保持,残骸,废墟,留下) midcom-
unaware(意外,不知道) middleboxes. Thus, STUN(打晕,吓呆) provides(供给,提供,装备) a way to help transition(变迁,过渡,转变) to
full midcom-aware(知道,意识到) networks.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 39]
RFC 3489 STUN March 2003
14.3 Brittleness(脆度,脆性) Introduced(采用,传入,介绍) by STUN
From [17], any UNSAF proposal(计划,建议,求婚,提出) must provide:
Discussion(论述,谈论) of specific(精确,特定,特性,细微) issues(颁布,发出,问题,争议) that may render(表达,翻译,给予,渲染) systems more
"brittle(脆,易碎)". For example, approaches(逼近,态度,途径) that involve(包括,牵涉,占用,参加) using data at
multiple(倍数,并联,多个) network layers create more dependencies(属国,从属性), increase(增长,增大)
debugging challenges(挑战,需要,质问), and make it harder to transition.
STUN introduces brittleness into the system in several ways:
o The discovery(暴露,发现,看出) process(程序,处理,起诉,变) assumes(呈现,承担,假定) a certain classification(分级,分类) of devices(方法,设备,装置)
based on their treatment(处理,待遇,治疗) of UDP. There could be other types of
NATs that are deployed(布置,散开,展开) that would not fit into one of these molds(霉,浇铸,模压,模子,气质,塑造).
Therefore, future(将来,期货,前途) NATs may not be properly(本来,合适,完全地) detected(察觉,发觉,发现,检测) by STUN(打晕,吓呆). STUN
clients(顾客,用户,当事人) (but not servers) would need to change to accommodate(调节/停,供给,适应)
that.
o The binding(绑捆,包扎,结合,联接,凝固,约束,装钉) acquisition(获得) usage(对待,用,用法,习惯法) of STUN do
es not work for all NAT
types. It will work for any application(请求,施/应用,程序,软件) for full cone(圆锥,锥体,成锥形) NATs only.
For restricted(限定,限制,约束) cone and port restricted cone NAT, it will work for
some applications depending(相信,依靠,取决于) on the application. Application
specific(精确,特定,特性,细微) processing will generally(总,将军,一般) be needed. For symmetric(对称) NATs,
the binding acquisition will not yield(产出,产量,屈服,让与) a usable(可用) address. The
tight(紧,绷紧,牢固,紧身衣) dependency(属国,从属性) on the specific type of NAT makes the protocol(礼节,协议)
brittle(脆,易碎).
o STUN assumes(呈现,承担,假定) that the server exists on the public Internet. If
the server is located(查出,地点,定位,找出) in another private(个人,秘密,专用) address realm(国土,领域,区域), the user
may or may not be able to use its discovered(暴露,发现,看出) address to
communicate(传播/递,通话/信) with other users. There is no way to detect(察觉,发觉,发现,检测) such a
condition(环境,条件,支配,状况).
o The bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) allocated(拨下,分配) from the NAT need to be continuously
refreshed(刷新,清新,振作,恢复). Since the timeouts(超时,停工时间) for these bindings is very
implementation(实现,实行) specific(精确,特定,特性,细微), the refresh interval(间隔,间距,休息) cannot easily be
determined(坚决,决定). When the binding is not being actively used to
receive(承受,得到,接待) traffic(车,交通,交易,运), but to wait for an incoming(进款,收入,收益,所得) message, the binding
refresh will needlessly(无用,不必要) consume(花费,用,消费,消耗) network bandwidth(带幅,带宽).
o The use of the STUN(打晕,吓呆) server as an additional(附加,增加) network element(成分,要素,元件)
introduces(采用,传入,介绍) another point of potential(可能,潜力,电动势) security(安全,证券) attack(攻击,侵袭,受袭). These
attacks are largely prevented(防止,妨碍,阻碍) by the security measures(测量,尺寸,措施) provided(供给,提供,装备) by
STUN, but not entirely(全部,整个,总体).
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 40]
RFC 3489 STUN March 2003
o The use of the STUN server as an additional network element
introduces another point of failure(破产,失败,失灵,疏忽). If the client(顾客,用户,当事人) cannot locate(查出,地点,定位,找出)
a STUN server, or if the server should be unavailable(不近便,不能利用) due to
failure, the application(请求,施/应用,程序,软件) cannot function.
o The use of STUN to discover(暴露,发现,看出) address bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) will result in an
increase(增长,增大) in latency(潜伏,潜在,等待时间) for applications. For example, a Voice(声,发声,嗓音,吐露,意见,语态) over
IP application will see an increase of call setup delays(耽搁,耽误,推迟,延迟) equal(等于,胜任) to
at least one RTT to the STUN(打晕,吓呆) server.
o The discovery of binding lifetimes(终生,一直,寿命) is prone(俯伏,俯卧,易于) to error. It assumes(呈现,承担,假定)
that the same lifetime will exist for all bindings. This may not
be true if the NAT uses dynamic(动力,动态,有活力) binding lifetimes to handle
overload(超载,超载,负担过重), or if the NAT itself reboots(重新启动) during the discovery
process(程序,处理,起诉,变).
o STUN imposes(征,强迫,欺骗,征税) some restrictions(限定,限制,约束) on the network topologies(拓扑,地志学) for
proper(本来,合适,完全地) operation(操作,手术,运算). If client(顾客,用户,当事人) A obtains(得到) an address from STUN server
X, and sends it to client B, B may not be able to send to A using
that IP address. The address will not work if any of the
following is true:
- The STUN server is not in an address realm(国土,领域,区域) that is a common
ancestor(上代,祖先) (topologically) of both clients A and B. For example,
consider(关心,考虑,认为,体谅) client A and B, both of which have residential(住宅) NAT
devices(方法,设备,装置). Both devices connect them to their cable operators(操作员,运算符),
but both clients have different(不同,差异,各种) providers(供给,提供,装备). Each provider has a
NAT in front of their entire(全部,整个,总体) network, connecting it to the
public Internet. If the STUN(打晕,吓呆) server used by A is in A's cable
operator's network, an address obtained by it will not be
usable(可用) by B. The STUN server must be in the network which is a
common ancestor to both - in this case, the public Internet.
- The STUN server is in an address realm that is a common
ancestor to both clients, but both clients are behind the same
NAT connecting to that address realm. For example, if the two
clients in the previous(前,先,在前) example had the same cable operator,
that cable operator had a single NAT connecting their network
to the public Internet, and the STUN server was on the public
Internet, the address obtained by A would not be usable by B.
That is because some NATs will not accept(承担,公认,接受,同意) an internal(内,本质性) packet(包,袋,群,组,套,捆)
sent to a public IP address which is mapped back to an internal
address. To deal(处理,待遇,对付,给,交易,买卖,数量) with this, additional(附加,增加) protocol(礼节,协议) mechanisms(机理,机械) or
configuration(构造) parameters(参数,参量) need to be introduced(采用,传入,介绍) which detect(察觉,发觉,发现,检测)
this case.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 41]
RFC 3489 STUN March 2003
o Most significantly(有效,重大), STUN introduces potential(可能,潜力,电动势) security(安全,证券) threats(恐吓,威胁,凶兆)
which cannot be eliminated(除去,排除,取消,淘汰,消灭). This specification(规格,详述,载明) describes(描绘,描述,形容,作图)
heuristics(渐进,试探,推断) that can be used to mitigate(缓和,减轻) the problem(课题,难题), but it is
provably(可证明地) unsolvable(不可解) given what STUN(打晕,吓呆) is trying to accomplish(达到,精通,完成).
These security problems are described fully in Section(部分,部门,切片,区) 12.
14.4 Requirements(需求,需要) for a Long Term(词,期,项,称为,术语,条件) Solution(解答,解决,溶液)
From [17], any UNSAF proposal(计划,建议,求婚,提出) must provide(供给,提供,装备):
Identify(标识,鉴别,认出,验明) requirements for longer term, sound technical(工艺,技能,技术术语) solutions
-- contribute(贡献,捐助,投稿) to the process(程序,处理,起诉,变) of finding the right longer term
solution.
Our experience(感受,经历,经验) with STUN has led to the following requirements for a
long term solution to the NAT problem:
Requests(请求,需要) for bindings(绑捆,包扎,结合,联接,凝固,约束,装钉) and control of other resources(策略,机智,物力,资源) in a NAT
need to be explicit(明白,明确,清楚). Much of the brittleness(脆度,脆性) in STUN derives(导致,得来,起源) from
its guessing at the parameters(参数,参量) of the NAT, rather than telling the
NAT what parameters to use.
Control needs to be "in-band". There are far too many scenarios(剧本,情节,剧情说明书)
in which the client(顾客,用户,当事人) will not know about the location of
middleboxes ahead of time. Instead(代替,当作,反而,改为), control of such boxes needs
to occur(出现,存在,发生,产出) in-band, traveling(传导,旅行) along the same path as the data will
itself travel. This guarantees(保证,承认,担保物) that the right set of middleboxes
are controlled. This is only true for first-party controls;
third-party controls are best handled using the midcom framework(构架,框架,体制,组织).
Control needs to be limited(范围,极限,界限). Users will need to communicate(传播/递,通话/信)
through NATs which are outside of their administrative(管理,行政) control.
In order for providers(供给,提供,装备) to be willing to deploy(布置,散开,展开) NATs which can be
controlled by users in different(不同,差异,各种) do
mains(领土,领域,主机), the scope(域,范围,机会,显微镜) of such
controls needs to be extremely(极度,尽头,极端事物) limited - typically(标准,典型), allocating(拨下,分配) a
binding(绑捆,包扎,结合,联接,凝固,约束,装钉) to reach the address where the control packets(包,袋,群,组,套,捆) are coming
from.
Simplicity(单纯,简单,简朴,朴素) is Paramount(最高,派拉蒙,最重要). The control protocol(礼节,协议) will need to be
implement(仪器,工具,执行,生效) in very simple clients(顾客,用户,当事人). The servers will need to
support extremely high loads. The protocol will need to be
extremely robust(粗壮,坚固,强健), being the precursor(先驱,先兆,预报器) to a host of application(请求,施/应用,程序,软件)
protocols. As such, simplicity is key.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 42]
RFC 3489 STUN(打晕,吓呆) March 2003
14.5 Issues(颁布,发出,问题,争议) with Existing NAPT Boxes
From [17], any UNSAF proposal(计划,建议,求婚,提出) must provide(供给,提供,装备):
Discussion(论述,谈论) of the impact(冲击,碰撞,压紧,影响) of the noted practical(可行,实际) issues with
existing, deployed(布置,散开,展开) NA[P]Ts and experience(感受,经历,经验) reports.
Several of the practical issues with STUN involve(包括,牵涉,占用,参加) future(将来,期货,前途) proofing(论证,实验,校对,证据) -
breaking the protocol when new NAT types get deployed. Fortunately(侥幸,带来好运),
this is not an issue at the current(流,当前,流动,通用) time, since most of the deployed
NATs are of the types assumed(假定,假装,设想) by STUN. The primary(初级,基色,首要,原色) usage(对待,用,用法,习惯法) STUN has
found is in the area of VoIP, to facilitate(帮助,促进,助长,容易) allocation(分配) of addresses
for receiving(承受,得到,接待) RTP [12] traffic(车,交通,交易,运). In that application(请求,施/应用,程序,软件), the periodic(定时,周期)
keepalives(点火电极) are provided by the RTP traffic itself. However, several
practical problems(课题,难题) arise(出现,发生,起来,起应) for RTP. First, RTP assumes(呈现,承担,假定) that RTCP
traffic is on a port one higher than the RTP traffic. This pairing
property(财产,特性,性能) cannot be guaranteed(保证,承认,担保物) through NATs that are not directly
controllable(可支配). As a result, RTCP traffic may not be properly(本来,合适,完全地)
received. Protocol(礼节,协议) extensions(伸展,延长) to SDP have been proposed(打算,建议,求婚) which
mitigate(缓和,减轻) this by allowing the client(顾客,用户,当事人) to signal(暗号,动机,显著,手势) a different(不同,差异,各种) port for
RTCP [18]. However, there will be interoperability problems for some
time.
For VoIP, silence suppression(压制,镇压) can cause a gap in the transmission(传动,传输,发射) of
RTP packets(包,袋,群,组,套,捆). This could result in the loss(丢,亏损,丧失,失败) of a binding(绑捆,包扎,结合,联接,凝固,约束,装钉) in the
middle of a call, if that silence period(句号,时期,学时,周期) exceeds(超出,过度,胜过) the binding timeout(超时,停工时间).
This can be mitigated by sending occasional(不时,临时,偶尔) silence packets to keep
the binding alive. However, the result is additional(附加,增加) brittleness(脆度,脆性);
proper operation(操作,手术,运算) depends(相信,依靠,取决于) on the silence suppression algorithm(算法,演算法) in use,
the usage(对待,用,用法,习惯法) of a comfort(安慰,舒适,慰藉) noise codec, the duration(持久,持续) of the silence
period, and the binding lifetime(终生,一直,寿命) in the NAT.
14.6 In Closing
The problems(课题,难题) with STUN(打晕,吓呆) are not design(花样,设计,图案) flaws(缝隙,裂缝,破裂,缺点,瑕疵) in STUN. The problems in
STUN have to do
with the lack(不足,没有,缺乏,缺少) of standardized(标准化,与标准比较) behaviors(表现,举止,态度,行为) and controls
in NATs. The result of this lack of standardization has been a
proliferation(增殖) of devices(方法,设备,装置) whose behavior is highly unpredictable(不可预测,无法预测),
extremely(极度,尽头,极端事物) variable(变量,变数), and uncontrollable(难控制,脱缰之马). STUN do
es the best it can in
such a hostile(不利,敌意,不友好) environment(环境,外界,围绕). Ultimately(基本,极限,首要), the solution(解答,解决,溶液) is to make the
environment less hostile, and to introduce(采用,传入,介绍) controls and standardized
behaviors into NAT. However, until such time as that happens, STUN
provides(供给,提供,装备) a good short term(词,期,项,称为,术语,条件) solution given the terrible(非常,极度,可怕,可怕的) conditions(环境,条件,支配,状况)
under which it is forced to operate.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 43]
RFC 3489 STUN(打晕,吓呆) March 2003
15. Acknowledgments(承认,鸣谢)
The authors(写作/者,创始人) would like to thank Cedric Aoun, Pete Cordell, Cullen
Jennings, Bob Penfield and Chris(克理斯) Sullivan(萨利文) for their comments(评论,意见,注解), and
Baruch(巴鲁克) Sterman and Alan(阿伦) Hawrylyshen for initial(初始,词首,缩写) implementations(实现,实行).
Thanks for Leslie(莱斯利) Daigle, Allison Mankin, Eric(埃里克子遥控) Rescorla, and Henning
Schulzrinne for IESG and IAB input on this work.
16. Normative(惯常,规范,定标准) References(参考,出处,定位,叁考)
[1] Bradner, S., "Key words for use in RFCs to indicate(标示,表明,显示,指明) requirement(需求,需要)
levels", BCP 14, RFC 2119, March 1997.
[2] Dierks, T. and C. Allen, "The TLS protocol(礼节,协议) Version 1.0", RFC
2246, January(1月,一月) 1999.
[3] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
specifying(规定,指定,明确说明) the location of services (DNS SRV)", RFC 2782,
February(2月,二月) 2000.
[4] Chown(中国种狗), P., "Advanced(前进,提出,预先) Encryption(加密) Standard (AES) Ciphersuites for
Transport(传送,运输,运输工具) Layer Security(安全,证券) (TLS)", RFC 3268, June 2002.
[5] Rescorla, E., "HTTP over TLS", RFC 2818, May 2000.
[6] Postel, J., "Internet Protocol", STD 5, RFC 791, September(9月,九月) 1981.
[7] Ferguson(弗格森), P. and D. Senie, "Network Ingress Filtering(过滤,渗入,筛选): Defeating(挫败,击败,破坏,战胜)
Denial(否定,否认,拒绝) of Service Attacks(攻击,侵袭,受袭) which employ(用,从事,雇佣) IP Source Address
Spoofing(嘲讽,诳骗,揶揄)", BCP 38, RFC 2827, May 2000.
17. Informative(情报,供给消息) References
[8] Senie, D., "Network Address Translator(译音,译码器,转换器) (NAT)-Friendly
Application(请求,施/应用,程序,软件) Design(花样,设计,图案) Guidelines(方针,指导,指南,准则)", RFC 3235, January 2002.
[9] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A. and A.
Rayhan, "Middlebox Communication(传达,交通,通讯) Architecture(建筑学,体系结构) and Framework(构架,框架,体制,组织)",
RFC 3303, August(8月,八月,庄严) 2002.
[10] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston(约翰斯顿), A.,
Peterson, J., Sparks(点燃,火花,激发,斯帕克), R., Handley, M. and E. Schooler, "SIP:
Session(会议,一段时间) Initiation(开始,正式加入) Protocol(礼节,协议)", RFC 3261, June 2002.
[11] Holdrege, M. and P. Srisuresh, "Protocol Complications(并发症,复杂) with the
IP Network Address Translator", RFC 3027, January(1月,一月) 2001.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 44]
RFC 3489 STUN(打晕,吓呆) March 2003
[12] Schulzrinne, H., Casner, S., Frederick(弗雷德里克), R. and V. Jacobson,
"RTP: A Transport(传送,运输,运输工具) Protocol for Real-Time Applications", RFC
1889, January 1996.
[13] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing(混乱,弄乱,哈希/散列表)
for Message Authen
tication(确证,证明)", RFC 2104, February(2月,二月) 1997.
[14] Kohl(柯尔,化妆墨), J. and C. Neuman, "The kerberos Network Authen
tication
Service (V5)", RFC 1510, September(9月,九月) 1993.
[15] Fielding, R., Gettys(格蒂), J., Mogul(蒙古人,权势者), J., Frystyk, H., Masinter, L.,
Leach(滤,分离,滤掉,沥滤器), P. and T. Berners(伯恩,伯尔尼)-Lee, "Hypertext(超文本) Transfer(传递,调动,转让/移) Protocol --
HTTP/1.1", RFC 2616, June 1999.
[16] Baugher M., et al., "The secure(安全,保证,获得,无虑的) real-time transport protocol",
Work in Progress(改进,进度,前进力).
[17] Daigle, L., Editor, "IAB Considerations(考虑,体贴) for UNilateral(单边,片面,单向作用) Self-
Address Fixing (UNSAF) Across Network Address Translation(翻译,译本)", RFC
3424, November 2002.
[18] Huitema, C., "RTCP attribute(归于,品质,特性) in SDP", Work in Progress.
Rosenberg, et al. Standards Track [Page 45]
RFC 3489 STUN March 2003
18. Authors(写作/者,创始人)' Addresses
Jonathan(乔纳森) Rosenberg
dynamicsoft
72 Eagle(鹰) Rock(岩,摇,暗礁,石头) Avenue(大街,道路,渠道,途径)
First Floor(层,地板,楼层,铺地板)
East Hanover(汉诺威), NJ 07936
EMail: jdrosen@dynamicsoft.com
Joel(乔尔,约耳书) Weinberger
dynamicsoft
72 Eagle Rock Avenue
First Floor
East Hanover, NJ 07936
EMail: jweinberger@dynamicsoft.com
Christian(基督徒,克里斯琴) Huitema
Microsoft Corporation(公司,企业,社团)
One Microsoft Way
Redmond(雷德蒙), WA 98052-6399
EMail: huitema@microsoft.com
Rohan Mahy
Cisco(鱼,思科) Systems
101 Cooper(库柏,库珀,桶匠) St
Santa(圣特) Cruz, CA 95060
EMail: rohan@cisco.com
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 46]
RFC 3489 STUN(打晕,吓呆) March 2003
19. Full Copyright(版权,著作权) Statement(陈述,声明,语句)
Copyright (C) The Internet Society (2003). All Rights Reserved(保留,说话不多).
This do
cument(公文,文档,证件) and translations(翻译,译本) of it may be copied and furnished(供给/应,装备,配料) to
others, and derivative(导出,导数,派生) works that comment(评论,意见,注解) on or otherwise explain(辩解,解释,说明) it
or assist(帮助,搀扶,辅助,加速器) in its implementation(实现,实行) may be prepared(预制,准备), copied, published(出版,发表,发行,公布)
and distributed(分布,分配,配给,散布), in whole or in part, without restriction(限定,限制,约束) of any
kind, provided(供给,提供,装备) that the above copyright notice and this paragraph(段,节,短评,小新闻) are
included on all such copies and derivative works. However, this
do
cument itself may not be modified(变更,缓和,修改,修饰) in any way, such as by removing
the copyright notice or references(参考,出处,定位,叁考) to the Internet Society or other
Internet organizations(机构,团体,组织), except as needed for the purpose(打算,效果,意图,用途) of
developing(成长,发展,开发,显现) Internet standards in which case the procedures for
copyrights(版权,著作权) defined(立,定义,规定,准确说明) in the Internet Standards process(程序,处理,起诉,变) must be
followed, or as required(命令,请求,需要) to translate(译,翻译) it into languages(语言,语言课) other than
English.
The limited(范围,极限,界限) permissions(同意,许可,允许) granted(拨款,承认,格兰特,假设) above are perpetual(永恒,永久) and will not be
revoked(撤回,废除,取消) by the Internet Society or its successors(后续,继承人) or assigns(分配,赋值,给定).
This do
cument(公文,文档,证件) and the information(数据,通知,信息,资料) contained(包含,等于,容纳,抑制) herein(在此,在这里) is provided(供给,提供,装备) on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING(技师,设计,工程师)
TASK(派,工作,任务,作业) FORCE DISCLAIMS(放弃,否认,不承认) ALL WARRANTIES(保证,授权), EXPRESS(表白,快/车,明确) OR IMPLIED(暗含,储蓄,意思是), INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE(侵犯,侵害,违反) ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS(健康,恰当,适合,适应性) FOR A PARTICULAR(苛求,事实,特别,细节) PURPOSE(打算,效果,意图,用途).
Acknowledgement(承认,鸣谢)
Funding(存款,积累,基/资金) for the RFC Editor function is currently(流,当前,流动,通用) provided by the
Internet Society.
Rosenberg, et al. Standards Track(磁道,道路,跟踪,痕迹,进程,竞赛,土地) [Page 47]
<br><a href="http://www.eChinaEdu.com/xdoc.htm">中国教育e网"xDOC"文库(http://www.eChinaEdu.com/xdoc.htm),全球最大的汉化文档中心.</a>