2013年1月24日 星期四

STUN -- RFC 3489 與 RFC 5389


本篇整理 RFC3489 RFC5389內容,針對STUN技術作一基本介紹,並將重點放在比較兩份規範之不同。

RFC3489 
STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)
RFC5389 
Session Traversal Utilities for NAT (STUN)


一、目的不同:

n   RFC3489:用來查詢設備位於何種 NAT firewall 之下,並且取得設備的 Public IP
n   Sepc原文:discover the presence and types of NATs and firewalls between them and the public Internet determine the public Internet Protocol(IP) addresses allocated to them by the NAT.

n   RFC5389:定義如何使用 STUN 來完成穿透NAT的功能
n   Sepc原文:Session Traversal Utilities for NAT (STUN) is a protocol that serves as a tool for other protocols in dealing with Network Address Translator (NAT) traversal.


二、Message Attributes不同:

STUN 是一個簡單的 request-response 協定,其封包格式如下:


其中 Message Type2BytesLengthOfPayload2BytesTransactionID16Bytes

RFC 5389 定義的封包略有不同,如下圖

主要作了三個更改
1.     將原本的128bits TransactionID分成32bits Magic Cookie96bits TransactionID 
2.     重新定義MessageType的編碼方式。 
3.     Magic cookie 的值固定為0x2112A442


Message Type可為以下六種Type
a.     Binding Request,
b.     Binding Response,
c.      Binding Error Response,
d.     Shared Secret Request,
e.     Shared Secret Response,
f.       Shared Secret Error Response

Payload內可帶有0個或多個message attributes,每個attributes都是一個TLV結構,TYPELength都固定為2BytesValue的長度則由Length值來決定。

RFC5389針對message attributes新增了幾個Attributes,茲將兩份規範的不同處整理如下表
RFC 3489
RFC 5389
MAPPED-ADDRESS
MAPPED-ADDRESS
RESPONSE-ADDRESS
CHANGE-REQUEST
CHANGED-ADDRESS
SOURCE-ADDRESS
USERNAME
USERNAME
PASSWORD
MESSAGE-INTEGRITY
MESSAGE-INTEGRITY
ERROR-CODE
ERROR-CODE
UNKNOWN-ATTRIBUTES
UNKNOWN-ATTRIBUTES
REFLECTED-FROM
XOR-MAPPED-ADDRESS
FINGERPRINT
REALM
NONCE
SOFTWARE39
ALTERNATE-SERVER

各個屬性的定義整理如下,其中req=request, rsp=response
RFC3489
        MAPPED-ADDRESS    (rsp)
       indicates the source IP address and port the server saw in the Binding Request
        RESPONSE-ADDRESS  (req)
       indicates where the Binding Response is to be sent.
        CHANGE-REQUEST    (req)
       Contains two flags to control the IP address and port used to send the response. These flags are called “change IP” and “change port” flags.
        CHANGED-ADDRESS   (rsp)
       informs the client of the source IP address and port that would be used if the client requested the “change IP” and "change port" behavior.
        SOURCE-ADDRESS    (rsp)
       indicates the source IP address and port where the response was sent from.
        USERNAME          (rsp)
       Used for Shared Secret authentication
        PASSWORD          (rsp)
       Used for Shared Secret authentication
        MESSAGE-INTEGRITY (req,rsp)
       Use HMAC to do integrity check over the Binding Request or Binding Response.
        ERROR-CODE        (rsp)
       Indicate error code
        UNKNOWN-ATTRIBUTES(rsp)
       When error code is 420, use this attribute to indicate the mandatory attributes from the request which were unknown.
        REFLECTED-FROM    (rsp)
       indicates the IP address and port of the sender of a Binding Request, used for traceability purposes to prevent certain denial-of-service attacks.

RFC5389新增部分
        XOR-MAPPED-ADDRESS
       is identical to the MAPPED-ADDRESS attribute, except that the reflexive transport address is obfuscated through the XOR function.
       根據實際經驗,發現某些NAT會改寫MAPPED-ADDRESS,因此新增此屬性
        FINGERPRINT
       computed as the CRC-32 of the STUN message up to (but excluding) the FINGERPRINT attribute itself,
       XOR’ed with the 32-bit value 0x5354554e
       When present, the FINGERPRINT attribute MUST be the last attribute in the message, and thus will appear after MESSAGE-INTEGRITY.
        REALM
       contains text that meets the grammar for “realm-value” as described in RFC 3261 [RFC3261] but without the double quotes and their surrounding whitespace.
       is an unquoted realm-value (and is therefore a sequence of qdtext or quoted-pair).
       It MUST be a UTF-8 [RFC3629] encoded sequence of less than 128 characters (which can be as long as 763 bytes), and MUST have been processed using SASLprep [RFC4013].
        NONCE
       contains a sequence of qdtext or quoted-pair, which are defined in RFC 3261 [RFC3261].
        SOFTWARE
       contains a textual description of the software being used by the agent sending the message
        ALTERNATE-SERVER
       represents an alternate transport address identifying a different STUN server that the STUN client should try.


三、NAT Type Discovery
RFC3489定義了一個測試流程以確認目前處於哪種 NAT 網路之下。其流程如下: 

Test I、II、III 說明如下:
  • In test I, the client sends a STUN Binding Request to a server, without any flags set in the CHANGE-REQUEST attribute, and without the RESPONSE-ADDRESS attribute. This causes the server to send the response back to the address and port that the request came from.
  • In test II, the client sends a Binding Request with both the "change IP" and "change port" flags from the CHANGE-REQUEST attribute set.  
  • it performs test I again, but this time, does so to the address and port from the CHANGED-ADDRESS attribute from the response to test I. If the IP address and port returned in the MAPPED-ADDRESS attribute are not the same as the ones from the first test I, the client knows its behind a symmetric NAT. If the address and port are the same, the client is either behind a restricted or port restricted NAT.
  • In test III, the client sends a Binding Request with only the "change port" flag set.

四、重傳機制不同 
Client送出Reqeust之後,遲遲無法收到Response,此時便會啟動重傳機制,當重傳多次都無法收到response,才會認定重傳失敗。 
RFC3489 (固定重傳9)

Requests would be sent at times 0ms, 100ms, 300ms, 700ms, 1500ms, 3100ms,   4700ms, 6300ms, and 7900ms. At 9500ms, the client considers the transaction to have failed if no response has been received.
RFC5389 (重傳次數與重傳時間間隔是可變的)

For example, assuming an RTO of 500 ms, requests would be sent at times 0 ms, 500 ms, 1500 ms, 3500 ms, 7500 ms, 15500 ms, and 31500 ms. If the client has not received a response after 39500 ms, the client will consider the transaction to have timed out.


其他注意事項
1.     要使用STUN 服務,一開始便需要獲得STUN Server的位址,spec 建議使用 DNS SRV 的方式獲得 stun server ip address,但並非每個 DNS server都支援SRV功能,因此個人建議應該兩者並用。原文摘錄如下:
   Hard-coding the domain name of the server into software is   NOT RECOMMENDED in case the domain name is lost or needs to change   for legal or other reasons.
   When a client wishes to locate a STUN server in the public Internet   that accepts Binding request/response transactions, the SRV service   name is "stun". When it wishes to locate a STUN server that accepts   Binding request/response transactions over a TLS session, the SRV   service name is "stuns". STUN usages MAY define additional DNS SRV   service names.    If no SRV records were found, the client performs an A or AAAA record   lookup of the domain name.

2.     NAT binding lifetime
NAT address binding 可能會timeout,因此需要定期更新以維持bindingspec 建議兩種做法,
l   使用一個新的 STUN request
l   使用an application packet

IPCAM 的使用情景,因為會持續的送出 RTP 封包,符合第二種做法,所以應該是不會發生 timeout 的。

以下就 new STUN request 說明其作法,
a.     socket X 送出一個 Binding Request STUN Server, 此時會在 NAT 上建立一組 mapping, 藉由收到的Binding ResponseMAPPED-ADDRESS,可以得知 Client Public Address Public Port, 分別稱為 Pa, Pp.
b.     設定一個 timer T,
c.      timer T timeout之後,由 socket Y 送出一個 Binding Request STUN Server, 此次需要設定 RESPONSE-ADDRESS = (Pa, Pp), 此時會在 NAT 上建立一組新的 mapping, 並且要求 Binding Response要送往 step a 所建立的 mapping address
d.     如果 socket X 能夠正確收到 Binding Response,便表示 Binding 存在,否則便是 Binding 已經 timeout
e.     改變 timer T 的值,重複 step b ~ step e. 直到確認 binding lifetime 為止。

參考 RFC3489 說明,UDP bindings in NATs are typically short; 30 seconds is common 因此一開始找lifetime時,建議設定 T=30  
實際 bindings 的剩餘時間,可以使用 "cat /proc/net/ip_conntrack" 進行查詢。

要改變 binding 時間,可以使用下列指令
sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=600000  

3.     Changes since RFC 3489
n   RFC 3489 只使用 UDP, RFC 5389 可以使用 UDP, TCP TLS
n   RFC 3489 TransactionID 欄位現在拿來當作 magic cookie,並且將長度由 128bits 縮短為 32bits
n   RFC 5389 定義 STUN 的前兩個 bits = 0x0b00,當用作ICE時,可以加速處理
n   RFC 5389 支援 IPv6
n   RFC 5389 移除 SharedSecret method 以及 PASSWORD attribute
n   RFC 5389 定義 REALM, SERVER, reason phrases, NONCE 的長度限制為 127 charactersUSERNAME則是 513 bytes.
n   RFC 5389 新增 SOFTWARE, REALM, NONCE, ALTERNATE-SERVER, XOR-MAPPED-ADDRESS, FINGERPRINT

4. 安全性的考量 For RFC 3489
對於STUN可進行的攻擊可分成兩大類,一是denial of service,一是eavesdropping attacks,以下各舉一例說明。
  1. 網路上的某台機器假裝是STUN Server,並且幫忙回 Binding Response,其中帶一個假的 MAPPED-ADDRESS(例如:168.95.1.2),若有很多機器都像這台假的STUN Server詢問,則168.95.1.2這台機器便會收到非常多的封包,而無法正常提供服務。 
  2.   網路上的某台機器假裝是STUN Server,並且幫忙回 Binding Response,其中帶一個假的 MAPPED-ADDRESS(例如:168.95.1.3),假設168.95.1.3 是一個惡意攻擊者,那麼向此STUN Server詢問服務的使用者,之後建立連線時,預期將收到的封包便會被惡意攻擊者收到,此攻擊者可以竄改封包後再將封包送給使用者。