本篇整理 RFC3489 與 RFC5389內容,針對STUN技術作一基本介紹,並將重點放在比較兩份規範之不同。
RFC3489
STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)
RFC5389
Session Traversal Utilities for NAT (STUN)
一、目的不同:
n RFC3489:用來查詢設備位於何種 NAT 或firewall 之下,並且取得設備的 Public IP。
n Sepc原文:discover the presence and types of NATs
and firewalls between them and the public Internet determine the public
Internet Protocol(IP) addresses allocated to them by the NAT.
n RFC5389:定義如何使用 STUN 來完成穿透NAT的功能。
n Sepc原文:Session Traversal Utilities for NAT (STUN)
is a protocol that serves as a tool for other protocols in dealing with Network
Address Translator (NAT) traversal.
二、Message Attributes不同:
STUN 是一個簡單的
request-response 協定,其封包格式如下:
其中 Message Type佔2Bytes,LengthOfPayload佔2Bytes,TransactionID佔16Bytes。
RFC 5389 定義的封包略有不同,如下圖
主要作了三個更改
1. 將原本的128bits TransactionID分成32bits Magic Cookie與96bits TransactionID。
2. 重新定義MessageType的編碼方式。
3. Magic cookie 的值固定為0x2112A442
Message Type可為以下六種Type:
a.
Binding Request,
b.
Binding Response,
c.
Binding Error Response,
d.
Shared Secret Request,
e.
Shared Secret Response,
f.
Shared Secret Error Response
Payload內可帶有0個或多個message attributes,每個attributes都是一個TLV結構,TYPE與Length都固定為2Bytes,Value的長度則由Length值來決定。
RFC5389針對message
attributes新增了幾個Attributes,茲將兩份規範的不同處整理如下表
RFC 3489
|
RFC 5389
|
MAPPED-ADDRESS
|
MAPPED-ADDRESS
|
RESPONSE-ADDRESS
|
|
CHANGE-REQUEST
|
|
CHANGED-ADDRESS
|
|
SOURCE-ADDRESS
|
|
USERNAME
|
USERNAME
|
PASSWORD
|
|
MESSAGE-INTEGRITY
|
MESSAGE-INTEGRITY
|
ERROR-CODE
|
ERROR-CODE
|
UNKNOWN-ATTRIBUTES
|
UNKNOWN-ATTRIBUTES
|
REFLECTED-FROM
|
|
XOR-MAPPED-ADDRESS
|
|
FINGERPRINT
|
|
REALM
|
|
NONCE
|
|
SOFTWARE39
|
|
ALTERNATE-SERVER
|
各個屬性的定義整理如下,其中req=request, rsp=response:
RFC3489
•
MAPPED-ADDRESS (rsp)
– indicates the source IP address and port the server saw in the
Binding Request
•
RESPONSE-ADDRESS (req)
– indicates where the Binding Response is to be sent.
•
CHANGE-REQUEST (req)
– Contains two flags to control the IP address and port used to send
the response. These flags are called “change IP” and “change port” flags.
•
CHANGED-ADDRESS (rsp)
– informs the client of the source IP address and port that would be
used if the client requested the “change IP” and "change port"
behavior.
•
SOURCE-ADDRESS (rsp)
– indicates the source IP address and port where the response was sent
from.
•
USERNAME (rsp)
– Used for Shared Secret authentication
•
PASSWORD (rsp)
– Used for Shared Secret authentication
•
MESSAGE-INTEGRITY (req,rsp)
– Use HMAC to do integrity check over the Binding Request or Binding
Response.
•
ERROR-CODE (rsp)
– Indicate error code
•
UNKNOWN-ATTRIBUTES(rsp)
– When error code is 420, use this attribute to indicate the mandatory
attributes from the request which were unknown.
•
REFLECTED-FROM (rsp)
– indicates the IP address and port of the sender of a Binding
Request, used for traceability purposes to prevent certain denial-of-service
attacks.
RFC5389新增部分
•
XOR-MAPPED-ADDRESS
– is identical to the MAPPED-ADDRESS attribute, except that the
reflexive transport address is obfuscated through the XOR function.
– 根據實際經驗,發現某些NAT會改寫MAPPED-ADDRESS,因此新增此屬性
•
FINGERPRINT
– computed as the CRC-32 of the STUN message up to (but excluding) the
FINGERPRINT attribute itself,
– XOR’ed with the 32-bit value 0x5354554e
– When present, the FINGERPRINT attribute MUST be the last attribute
in the message, and thus will appear after MESSAGE-INTEGRITY.
•
REALM
– contains text that meets the grammar for “realm-value” as described
in RFC 3261 [RFC3261] but without the double quotes and their surrounding
whitespace.
– is an unquoted realm-value (and is therefore a sequence of qdtext or
quoted-pair).
– It MUST be a UTF-8 [RFC3629] encoded sequence of less than 128
characters (which can be as long as 763 bytes), and MUST have been
processed using SASLprep [RFC4013].
•
NONCE
– contains a sequence of qdtext or quoted-pair, which are defined in
RFC 3261 [RFC3261].
•
SOFTWARE
–
contains a textual description
of the software being used by the agent sending the message
•
ALTERNATE-SERVER
–
represents an alternate
transport address identifying a different STUN server that the STUN client
should try.
三、NAT Type
Discovery
RFC3489定義了一個測試流程以確認目前處於哪種 NAT 網路之下。其流程如下:
Test I、II、III 說明如下:
- In test I, the client sends a STUN Binding Request to a server, without any flags set in the CHANGE-REQUEST attribute, and without the RESPONSE-ADDRESS attribute. This causes the server to send the response back to the address and port that the request came from.
- In test II, the client sends a Binding Request with both the "change IP" and "change port" flags from the CHANGE-REQUEST attribute set.
- it performs test I again, but this time, does so to the address and port from the CHANGED-ADDRESS attribute from the response to test I. If the IP address and port returned in the MAPPED-ADDRESS attribute are not the same as the ones from the first test I, the client knows its behind a symmetric NAT. If the address and port are the same, the client is either behind a restricted or port restricted NAT.
- In test III, the client sends a Binding Request with only the "change port" flag set.
四、重傳機制不同
當 Client送出Reqeust之後,遲遲無法收到Response,此時便會啟動重傳機制,當重傳多次都無法收到response,才會認定重傳失敗。
RFC3489 (固定重傳9次)
Requests would be sent at times 0ms, 100ms, 300ms, 700ms, 1500ms, 3100ms, 4700ms, 6300ms, and 7900ms. At 9500ms, the client considers the transaction to have failed if no response has been received.RFC5389 (重傳次數與重傳時間間隔是可變的)
For example, assuming an RTO of 500 ms, requests would be sent at times 0 ms, 500 ms, 1500 ms, 3500 ms, 7500 ms, 15500 ms, and 31500 ms. If the client has not received a response after 39500 ms, the client will consider the transaction to have timed out.
其他注意事項
1.
要使用STUN 服務,一開始便需要獲得STUN Server的位址,spec 建議使用 DNS SRV 的方式獲得 stun server ip address,但並非每個 DNS server都支援SRV功能,因此個人建議應該兩者並用。原文摘錄如下:
Hard-coding the domain name of the server into software is NOT RECOMMENDED in case the domain name is lost or needs to change for legal or other reasons.
When a client wishes to locate a STUN server in the public Internet that accepts Binding request/response transactions, the SRV service name is "stun". When it wishes to locate a STUN server that accepts Binding request/response transactions over a TLS session, the SRV service name is "stuns". STUN usages MAY define additional DNS SRV service names. If no SRV records were found, the client performs an A or AAAA record lookup of the domain name.
2.
NAT binding lifetime
NAT 的 address binding 可能會timeout,因此需要定期更新以維持binding,spec 建議兩種做法,
l 使用一個新的 STUN request 或
l 使用an application packet。
就 IPCAM 的使用情景,因為會持續的送出 RTP 封包,符合第二種做法,所以應該是不會發生 timeout 的。
以下就 new STUN request 說明其作法,
a.
由 socket X 送出一個 Binding Request 到 STUN Server, 此時會在 NAT 上建立一組 mapping, 藉由收到的Binding Response的MAPPED-ADDRESS,可以得知 Client 的 Public Address 與 Public Port, 分別稱為 Pa, Pp.
b.
設定一個 timer T,
c.
當 timer T timeout之後,由 socket Y 送出一個 Binding Request 到 STUN Server, 此次需要設定 RESPONSE-ADDRESS
= (Pa, Pp), 此時會在 NAT 上建立一組新的
mapping, 並且要求 Binding Response要送往 step a 所建立的 mapping address。
d.
如果 socket X 能夠正確收到 Binding Response,便表示 Binding 存在,否則便是 Binding 已經 timeout。
e.
改變 timer T 的值,重複 step b ~ step e. 直到確認 binding lifetime
為止。
參考 RFC3489 說明,UDP
bindings in NATs are typically short; 30 seconds is common。 因此一開始找lifetime時,建議設定 T=30
實際 bindings 的剩餘時間,可以使用 "cat /proc/net/ip_conntrack" 進行查詢。
要改變 binding 時間,可以使用下列指令
實際 bindings 的剩餘時間,可以使用 "cat /proc/net/ip_conntrack" 進行查詢。
要改變 binding 時間,可以使用下列指令
sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=600000
3.
Changes since RFC 3489
n RFC 3489 只使用 UDP, RFC 5389 可以使用 UDP, TCP 與 TLS
n RFC 3489 的 TransactionID 欄位現在拿來當作 magic cookie,並且將長度由 128bits 縮短為 32bits
n RFC 5389 定義 STUN 的前兩個 bits =
0x0b00,當用作ICE時,可以加速處理
n RFC 5389 支援 IPv6。
n RFC 5389 移除 SharedSecret method 以及 PASSWORD attribute
n RFC 5389 定義 REALM, SERVER, reason phrases, NONCE 的長度限制為 127 characters。USERNAME則是 513 bytes.
n RFC 5389 新增 SOFTWARE, REALM, NONCE,
ALTERNATE-SERVER, XOR-MAPPED-ADDRESS, FINGERPRINT
4. 安全性的考量 For RFC 3489
對於STUN可進行的攻擊可分成兩大類,一是denial of service,一是eavesdropping attacks,以下各舉一例說明。
- 網路上的某台機器假裝是STUN Server,並且幫忙回 Binding Response,其中帶一個假的 MAPPED-ADDRESS(例如:168.95.1.2),若有很多機器都像這台假的STUN Server詢問,則168.95.1.2這台機器便會收到非常多的封包,而無法正常提供服務。
- 網路上的某台機器假裝是STUN Server,並且幫忙回 Binding Response,其中帶一個假的 MAPPED-ADDRESS(例如:168.95.1.3),假設168.95.1.3 是一個惡意攻擊者,那麼向此STUN Server詢問服務的使用者,之後建立連線時,預期將收到的封包便會被惡意攻擊者收到,此攻擊者可以竄改封包後再將封包送給使用者。
