Libjingle's UDP hole punching is implemented on top of the STUN/TURN protocols. This article introduces the basic working principle of STUN.
From: http://blog.163.com/philly_li/blog/static/392674052008414252404/
The full name of the STUN protocol is Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (RFC 3489). Its main function is to let a host find out whether it is behind a NAT and, if so, what its address and port look like after NAT translation. It can also be used to detect the NAT type.
Basic Ideas
Install a STUN client on the private network and a STUN server on the public network. The STUN protocol defines a set of message formats, broadly divided into requests and responses: the client sends a request to the server, and the server sends a response back to the client. How does the client check whether it is behind a NAT? The principle is very simple. When the server receives the client's UDP packet, it writes the source address and port it saw on that packet into a response and sends it back to the client over UDP. The client compares the returned address and port with its local IP address and port: if they differ, the client is behind a NAT; if they are the same, it is not. To detect the different NAT types, the STUN protocol defines message attributes that ask the server to behave differently, for example to send the response from a different IP address and port, or to change only the port. STUN works for NAT traversal but is powerless against a firewall, because the firewall may simply not open the UDP port.
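The request/response exchange described above, as an added example that is not part of the original article: the client builds a Binding Request, the server answers with the source address it saw in a MAPPED-ADDRESS (or XOR-MAPPED-ADDRESS) attribute, and the client compares that to its local socket address. The message layout and constants follow RFC 3489/5389 (the magic cookie and XOR-MAPPED-ADDRESS are the RFC 5389 additions); the exchange itself is constructed inline using the article's addresses, so no network is needed. The client refuses responses whose transaction ID does not match its request, which is the only check the plain protocol offers against stale or spoofed replies.

```python
import os
import struct

# STUN message types and attributes used here (RFC 3489 / RFC 5389 values)
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
MAGIC_COOKIE = 0x2112A442
FAMILY_IPV4 = 0x01


def build_binding_request(txid: bytes) -> bytes:
    """Client side: a Binding Request with no attributes (20-byte header only)."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _pack_ipv4(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_binding_response(txid: bytes, src_ip: str, src_port: int, xor: bool = False) -> bytes:
    """Server side: echo the transaction id and report the source address the
    request arrived from, either as MAPPED-ADDRESS or XOR-MAPPED-ADDRESS."""
    addr = _pack_ipv4(src_ip)
    if xor:
        port = src_port ^ (MAGIC_COOKIE >> 16)
        addr = bytes(a ^ b for a, b in zip(addr, struct.pack("!I", MAGIC_COOKIE)))
        attr_type = ATTR_XOR_MAPPED_ADDRESS
    else:
        port = src_port
        attr_type = ATTR_MAPPED_ADDRESS
    value = struct.pack("!BBH", 0, FAMILY_IPV4, port) + addr
    attr = struct.pack("!HH", attr_type, len(value)) + value
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txid + attr


def parse_mapped_address(data: bytes, txid: bytes):
    """Client side: validate the response and return (ip, port) as seen by the server."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_RESPONSE or cookie != MAGIC_COOKIE:
        raise ValueError("not a Binding Response")
    if data[8:20] != txid:
        raise ValueError("transaction id mismatch (stale or spoofed response)")
    body = data[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated attributes")
    pos = 0
    result = None
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        pos += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
        if attr_type in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            _, family, port = struct.unpack("!BBH", value[:4])
            if family != FAMILY_IPV4:
                continue
            addr = value[4:8]
            if attr_type == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr = bytes(a ^ b for a, b in zip(addr, struct.pack("!I", MAGIC_COOKIE)))
            result = (".".join(str(b) for b in addr), port)
            if attr_type == ATTR_XOR_MAPPED_ADDRESS:
                break  # prefer XOR-MAPPED-ADDRESS when both attributes are present
    if result is None:
        raise ValueError("no mapped address in response")
    return result


def behind_nat(local, mapped) -> bool:
    """The article's test: a mapped address that differs from the local socket means NAT."""
    return local != mapped


def demo():
    # Constructed exchange using the article's addresses: A's private socket, and the
    # address the NAT translated it to as observed by the server.
    local = ("192.168.0.4", 5000)
    txid = os.urandom(12)
    request = build_binding_request(txid)
    response = build_binding_response(txid, "210.21.12.140", 8000, xor=True)
    mapped = parse_mapped_address(response, txid)
    return request, mapped, behind_nat(local, mapped)


if __name__ == "__main__":
    _, mapped, nat = demo()
    print("mapped address:", mapped, "behind NAT:", nat)
```

In a real client the request would go out on the same UDP socket whose local address is compared afterwards; comparing against a different socket's address would give a meaningless answer.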
NAT categories
STUN roughly divides NAT into four types: full cone, restricted cone, port restricted cone, and symmetric. Here is an example to illustrate the differences between the four NAT behaviours:
Machine A is on the private network (192.168.0.4)
NAT device (public address 210.21.12.140)
Machine B is on the public network (210.15.27.166)
Machine C is on the public network (210.15.27.140)
Now machine A connects to machine B. Assume the translation is A (192.168.0.4:5000) -> NAT (210.21.12.140:8000 after translation) -> B (210.15.27.166:2000).
At the same time, A has never communicated with C.
With the different types of NAT, the results are as follows:
Full cone NAT: C sends data to 210.21.12.140:8000, and the NAT forwards the packets to A (192.168.0.4:5000), because the NAT holds a mapping between 192.168.0.4:5000 and 210.21.12.140:8000 and lets any external host use it.
Restricted cone: C cannot communicate with A, because A has never sent anything to C, so the NAT rejects C's attempt to connect. However, B can reach A's 192.168.0.4:5000 through 210.21.12.140:8000, and B may use any of its ports to do so. For example, 210.15.27.166:2001 -> 210.21.12.140:8000 is forwarded by the NAT to A's port 5000.
Port restricted cone: C cannot communicate with A because A has never communicated with C. B can only use its 210.15.27.166:2000 to reach A's 192.168.0.4:5000, because A has never sent to any other port of B. This type of NAT restricts by port as well as by address.
Symmetric NAT: The three types above are collectively called cone NATs, and they have one thing in common: as long as packets come from the same internal address and port, the NAT translates them to the same external address and port. Symmetric NAT is a little different. As long as packets come from the same internal address and port and go to the same external destination address and port, the NAT also translates them to the same external address and port. But if the same internal address and port sends to a different external destination address or port, the NAT uses a different mapping and translates them to a different external port (there is only one external address, so only the port can differ). In addition, like the port restricted cone, only the external address and port that has received a packet from the internal address can send packets back to the internal address through that NAT mapping.
Here is an example of symmetric NAT:
Machine A connects to machine B: A (192.168.0.4:5000) -> NAT (210.21.12.140:8000 after translation) -> B (210.15.27.166:2000).
If machine A (192.168.0.4:5000) now also wants to connect to machine C (210.15.27.140:2000), a new mapping is created on the NAT, and the translation may be A (192.168.0.4:5000) -> NAT (210.21.12.140:8001) -> C (210.15.27.140:2000). At this point B can only use its 210.15.27.166:2000 to reach A's 192.168.0.4:5000 through the NAT's 210.21.12.140:8000, and C can only use its 210.15.27.140:2000 to reach A's 192.168.0.4:5000 through the NAT's 210.21.12.140:8001, while
other ports of B or C cannot communicate with A's 192.168.0.4:5000 at all.
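The four NAT behaviours described above, modelled in code as an added example (not part of the original article): a toy NAT with one public address and sequential port allocation, driven through the article's scenario with A, B and C. The model is a simplification (no timeouts, no hairpinning, ports allocated from 8000 upward as the article's numbers suggest); it exists to make the filtering and mapping rules of each type checkable side by side.

```python
from enum import Enum


class NatType(Enum):
    FULL_CONE = "full cone"
    RESTRICTED_CONE = "restricted cone"
    PORT_RESTRICTED_CONE = "port restricted cone"
    SYMMETRIC = "symmetric"


class Nat:
    """Toy model of a NAT with a single public address and sequential port allocation."""

    def __init__(self, kind: NatType, public_ip: str, first_port: int = 8000):
        self.kind = kind
        self.public_ip = public_ip
        self.next_port = first_port
        # external port -> (internal endpoint, set of destinations that endpoint sent to)
        self.mappings = {}
        # mapping key -> external port
        self.by_key = {}

    def _key(self, internal, dst):
        # Cone NATs reuse one mapping per internal endpoint; symmetric NAT also keys
        # on the destination, so a new destination gets a new external port.
        return (internal, dst) if self.kind is NatType.SYMMETRIC else internal

    def outbound(self, internal, dst):
        """Internal host sends a packet to dst; returns the external (ip, port) used."""
        key = self._key(internal, dst)
        port = self.by_key.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_key[key] = port
            self.mappings[port] = (internal, set())
        self.mappings[port][1].add(dst)
        return (self.public_ip, port)

    def inbound(self, src, ext_port):
        """External host src sends to our ext_port; returns the internal endpoint or None if dropped."""
        entry = self.mappings.get(ext_port)
        if entry is None:
            return None
        internal, peers = entry
        if self.kind is NatType.FULL_CONE:
            return internal  # any external host may use an existing mapping
        if self.kind is NatType.RESTRICTED_CONE:
            # only addresses the internal host has sent to, from any port
            return internal if any(peer[0] == src[0] for peer in peers) else None
        # port restricted cone and symmetric: exact (ip, port) the internal host sent to
        return internal if src in peers else None


# The article's hosts (constructed scenario)
A = ("192.168.0.4", 5000)
B = ("210.15.27.166", 2000)
B_OTHER_PORT = ("210.15.27.166", 2001)
C = ("210.15.27.140", 2000)


def run_scenario(kind: NatType) -> dict:
    """A talks to B, then the external hosts try to reach A; then A also talks to C."""
    nat = Nat(kind, "210.21.12.140")
    ext_b = nat.outbound(A, B)
    results = {
        "A->B mapped to": ext_b,
        "C:2000 reaches A via ext_b": nat.inbound(C, ext_b[1]) is not None,
        "B:2001 reaches A via ext_b": nat.inbound(B_OTHER_PORT, ext_b[1]) is not None,
        "B:2000 reaches A via ext_b": nat.inbound(B, ext_b[1]) is not None,
    }
    ext_c = nat.outbound(A, C)
    results["A->C mapped to"] = ext_c
    results["C:2000 reaches A via ext_c"] = nat.inbound(C, ext_c[1]) is not None
    results["B:2000 reaches A via ext_c"] = nat.inbound(B, ext_c[1]) is not None
    return results


if __name__ == "__main__":
    for kind in NatType:
        print(kind.value)
        for name, value in run_scenario(kind).items():
            print("  ", name, "->", value)
```

The symmetric case is the one that defeats simple hole punching: A's mapping toward C lands on a new port (8001), so a peer told "A is at 210.21.12.140:8000" by a STUN server cannot reach A through that mapping unless it is the same host and port A already sent to.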