--- 1/draft-ietf-behave-rfc3489bis-13.txt 2008-02-12 04:12:19.000000000 +0100 +++ 2/draft-ietf-behave-rfc3489bis-14.txt 2008-02-12 04:12:19.000000000 +0100 @@ -1,23 +1,23 @@ BEHAVE Working Group J. Rosenberg Internet-Draft Cisco Obsoletes: 3489 (if approved) R. Mahy Intended status: Standards Track Plantronics -Expires: May 20, 2008 P. Matthews +Expires: August 14, 2008 P. Matthews Avaya D. Wing Cisco - November 17, 2007 + February 11, 2008 Session Traversal Utilities for (NAT) (STUN) - draft-ietf-behave-rfc3489bis-13 + draft-ietf-behave-rfc3489bis-14 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that 
@@ -28,25 +28,25 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on May 20, 2008. + This Internet-Draft will expire on August 14, 2008. Copyright Notice - Copyright (C) The IETF Trust (2007). + Copyright (C) The IETF Trust (2008). Abstract Session Traversal Utilities for NAT (STUN) is a protocol that serves as a tool for other protocols in dealing with NAT traversal. It can be used by an endpoint to determine the IP address and port allocated to it by a NAT. It can also be used to check connectivity between two endpoints, and as a keep-alive protocol to maintain NAT bindings. STUN works with many existing NATs, and does not require any special behavior from them. 
@@ -64,82 +64,83 @@ 2. Evolution from RFC 3489 . . . . . . . . . . . . . . . . . . . 4 3. Overview of Operation . . . . . . . . . . . . . . . . . . . . 5 4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 5. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 8 6. STUN Message Structure . . . . . . . . . . . . . . . . . . . . 10 7. Base Protocol Procedures . . . . . . . . . . . . . . . . . . . 12 7.1. Forming a Request or an Indication . . . . . . . . . . . 12 7.2. Sending the Request or Indication . . . . . . . . . . . . 13 7.2.1. Sending over UDP . . . . . . . . . . . . . . . . . . . 13 7.2.2. Sending over TCP or TLS-over-TCP . . . . . . . . . . . 14 - 7.3. Receiving a STUN Message . . . . . . . . . . . . . . . . 15 - 7.3.1. Processing a Request . . . . . . . . . . . . . . . . . 16 + 7.3. Receiving a STUN Message . . . . . . . . . . . . . . . . 16 + 7.3.1. Processing a Request . . . . . . . . . . . . . . . . . 17 7.3.1.1. Forming a Success or Error Response . . . . . . . 17 - 7.3.1.2. Sending the Success or Error Response . . . . . . 17 + 7.3.1.2. Sending the Success or Error Response . . . . . . 18 7.3.2. Processing an Indication . . . . . . . . . . . . . . . 18 - 7.3.3. Processing a Success Response . . . . . . . . . . . . 18 - 7.3.4. Processing an Error Response . . . . . . . . . . . . . 18 - 8. FINGERPRINT Mechanism . . . . . . . . . . . . . . . . . . . . 19 + 7.3.3. Processing a Success Response . . . . . . . . . . . . 19 + 7.3.4. Processing an Error Response . . . . . . . . . . . . . 19 + 8. FINGERPRINT Mechanism . . . . . . . . . . . . . . . . . . . . 20 9. DNS Discovery of a Server . . . . . . . . . . . . . . . . . . 20 10. Authentication and Message-Integrity Mechanisms . . . . . . . 21 - 10.1. Short-Term Credential Mechanism . . . . . . . . . . . . . 21 + 10.1. Short-Term Credential Mechanism . . . . . . . . . . . . . 22 10.1.1. Forming a Request or Indication . . . . . . . . . . . 22 10.1.2. Receiving a Request or Indication . 
. . . . . . . . . 22 10.1.3. Receiving a Response . . . . . . . . . . . . . . . . . 23 - 10.2. Long-term Credential Mechanism . . . . . . . . . . . . . 23 + 10.2. Long-term Credential Mechanism . . . . . . . . . . . . . 24 10.2.1. Forming a Request . . . . . . . . . . . . . . . . . . 24 - 10.2.1.1. First Request . . . . . . . . . . . . . . . . . . 24 - 10.2.1.2. Subsequent Requests . . . . . . . . . . . . . . . 24 + 10.2.1.1. First Request . . . . . . . . . . . . . . . . . . 25 + 10.2.1.2. Subsequent Requests . . . . . . . . . . . . . . . 25 10.2.2. Receiving a Request . . . . . . . . . . . . . . . . . 25 10.2.3. Receiving a Response . . . . . . . . . . . . . . . . . 26 - 11. ALTERNATE-SERVER Mechanism . . . . . . . . . . . . . . . . . . 26 + 11. ALTERNATE-SERVER Mechanism . . . . . . . . . . . . . . . . . . 27 12. Backwards Compatibility with RFC 3489 . . . . . . . . . . . . 27 - 12.1. Changes to Client Processing . . . . . . . . . . . . . . 27 + 12.1. Changes to Client Processing . . . . . . . . . . . . . . 28 12.2. Changes to Server Processing . . . . . . . . . . . . . . 28 - 13. STUN Usages . . . . . . . . . . . . . . . . . . . . . . . . . 28 - 14. STUN Attributes . . . . . . . . . . . . . . . . . . . . . . . 29 - 14.1. MAPPED-ADDRESS . . . . . . . . . . . . . . . . . . . . . 30 - 14.2. XOR-MAPPED-ADDRESS . . . . . . . . . . . . . . . . . . . 31 - 14.3. USERNAME . . . . . . . . . . . . . . . . . . . . . . . . 32 - 14.4. MESSAGE-INTEGRITY . . . . . . . . . . . . . . . . . . . . 32 - 14.5. FINGERPRINT . . . . . . . . . . . . . . . . . . . . . . . 33 - 14.6. ERROR-CODE . . . . . . . . . . . . . . . . . . . . . . . 34 - 14.7. REALM . . . . . . . . . . . . . . . . . . . . . . . . . . 35 - 14.8. NONCE . . . . . . . . . . . . . . . . . . . . . . . . . . 35 - 14.9. UNKNOWN-ATTRIBUTES . . . . . . . . . . . . . . . . . . . 36 - 14.10. SERVER . . . . . . . . . . . . . . . . . . . . . . . . . 36 - 14.11. ALTERNATE-SERVER . . . . . . . . . . . . . . . . . . . . 36 - 15. 
Security Considerations . . . . . . . . . . . . . . . . . . . 37 - 15.1. Attacks against the Protocol . . . . . . . . . . . . . . 37 - 15.1.1. Outside Attacks . . . . . . . . . . . . . . . . . . . 37 - 15.1.2. Inside Attacks . . . . . . . . . . . . . . . . . . . . 37 - 15.2. Attacks Affecting the Usage . . . . . . . . . . . . . . . 38 - 15.2.1. Attack I: DDoS Against a Target . . . . . . . . . . . 38 - 15.2.2. Attack II: Silencing a Client . . . . . . . . . . . . 38 - 15.2.3. Attack III: Assuming the Identity of a Client . . . . 39 - 15.2.4. Attack IV: Eavesdropping . . . . . . . . . . . . . . . 39 - 15.3. Hash Agility Plan . . . . . . . . . . . . . . . . . . . . 39 - 16. IAB Considerations . . . . . . . . . . . . . . . . . . . . . . 39 - 17. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 - 17.1. STUN Methods Registry . . . . . . . . . . . . . . . . . . 40 - 17.2. STUN Attribute Registry . . . . . . . . . . . . . . . . . 40 - 17.3. STUN Error Code Registry . . . . . . . . . . . . . . . . 41 - 17.4. STUN UDP and TCP Port Numbers . . . . . . . . . . . . . . 42 - 18. Changes Since RFC 3489 . . . . . . . . . . . . . . . . . . . . 42 - 19. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 43 - 20. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 43 - 21. References . . . . . . . . . . . . . . . . . . . . . . . . . . 44 - 21.1. Normative References . . . . . . . . . . . . . . . . . . 44 - 21.2. Informational References . . . . . . . . . . . . . . . . 45 - Appendix A. C Snippet to Determine STUN Message Types . . . . . . 46 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 46 - Intellectual Property and Copyright Statements . . . . . . . . . . 48 + 13. Basic Server Behavior . . . . . . . . . . . . . . . . . . . . 29 + 14. STUN Usages . . . . . . . . . . . . . . . . . . . . . . . . . 29 + 15. STUN Attributes . . . . . . . . . . . . . . . . . . . . . . . 31 + 15.1. MAPPED-ADDRESS . . . . . . . . . . . . . . . . 
. . . . . 32 + 15.2. XOR-MAPPED-ADDRESS . . . . . . . . . . . . . . . . . . . 33 + 15.3. USERNAME . . . . . . . . . . . . . . . . . . . . . . . . 34 + 15.4. MESSAGE-INTEGRITY . . . . . . . . . . . . . . . . . . . . 34 + 15.5. FINGERPRINT . . . . . . . . . . . . . . . . . . . . . . . 35 + 15.6. ERROR-CODE . . . . . . . . . . . . . . . . . . . . . . . 35 + 15.7. REALM . . . . . . . . . . . . . . . . . . . . . . . . . . 37 + 15.8. NONCE . . . . . . . . . . . . . . . . . . . . . . . . . . 37 + 15.9. UNKNOWN-ATTRIBUTES . . . . . . . . . . . . . . . . . . . 38 + 15.10. SERVER . . . . . . . . . . . . . . . . . . . . . . . . . 38 + 15.11. ALTERNATE-SERVER . . . . . . . . . . . . . . . . . . . . 38 + 16. Security Considerations . . . . . . . . . . . . . . . . . . . 39 + 16.1. Attacks against the Protocol . . . . . . . . . . . . . . 39 + 16.1.1. Outside Attacks . . . . . . . . . . . . . . . . . . . 39 + 16.1.2. Inside Attacks . . . . . . . . . . . . . . . . . . . . 39 + 16.2. Attacks Affecting the Usage . . . . . . . . . . . . . . . 40 + 16.2.1. Attack I: DDoS Against a Target . . . . . . . . . . . 40 + 16.2.2. Attack II: Silencing a Client . . . . . . . . . . . . 41 + 16.2.3. Attack III: Assuming the Identity of a Client . . . . 41 + 16.2.4. Attack IV: Eavesdropping . . . . . . . . . . . . . . . 41 + 16.3. Hash Agility Plan . . . . . . . . . . . . . . . . . . . . 41 + 17. IAB Considerations . . . . . . . . . . . . . . . . . . . . . . 42 + 18. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42 + 18.1. STUN Methods Registry . . . . . . . . . . . . . . . . . . 42 + 18.2. STUN Attribute Registry . . . . . . . . . . . . . . . . . 43 + 18.3. STUN Error Code Registry . . . . . . . . . . . . . . . . 43 + 18.4. STUN UDP and TCP Port Numbers . . . . . . . . . . . . . . 44 + 19. Changes Since RFC 3489 . . . . . . . . . . . . . . . . . . . . 44 + 20. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 46 + 21. Acknowledgements . . . . . . . . . . . . . . . . . 
. . . . . . 46 + 22. References . . . . . . . . . . . . . . . . . . . . . . . . . . 46 + 22.1. Normative References . . . . . . . . . . . . . . . . . . 46 + 22.2. Informational References . . . . . . . . . . . . . . . . 47 + Appendix A. C Snippet to Determine STUN Message Types . . . . . . 48 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 49 + Intellectual Property and Copyright Statements . . . . . . . . . . 50 1. Introduction The protocol defined in this specification, Session Traversal Utilities for NAT, provides a tool for dealing with NATs. It provides a means for an endpoint to determine the IP address and port allocated by a NAT that corresponds to its private IP address and port. It also provides a way for an endpoint to keep a NAT binding alive. With some extensions, the protocol can be used to do connectivity checks between two endpoints [I-D.ietf-mmusic-ice], or 
@@ -152,63 +153,67 @@ STUN is intended to be used in context of one or more NAT traversal solutions. These solutions are known as STUN usages. Each usage describes how STUN is utilized to achieve the NAT traversal solution. Typically, a usage indicates when STUN messages get sent, which optional attributes to include, what server is used, and what authentication mechanism is to be used. Interactive Connectivity Establishment (ICE) [I-D.ietf-mmusic-ice] is one usage of STUN. SIP Outbound [I-D.ietf-sip-outbound] is another usage of STUN. In some cases, a usage will require extensions to STUN. A STUN extension can be in the form of new methods, attributes, or error response codes. - More information on STUN usages can be found in Section 13. + More information on STUN usages can be found in Section 14. 2. Evolution from RFC 3489 STUN was originally defined in RFC 3489 [RFC3489]. That specification, sometimes referred to as "classic STUN", represented itself as a complete solution to the NAT traversal problem. In that solution, a client would discover whether it was behind a NAT, determine its NAT type, discover its IP address and port on the public side of the outermost NAT, and then utilize that IP address and port within the body of protocols, such as the Session Initiation Protocol (SIP) [RFC3261]. However, experience since the publication of RFC 3489 has found that classic STUN simply does not work sufficiently well to be a deployable solution. The address and port learned through classic STUN are sometimes usable for communications with a peer, and sometimes not. Classic STUN provided no way to discover whether it would, in fact, work or not, and it provided no remedy in cases where it did not. Furthermore, classic STUN's algorithm for classification of NAT types was found to be faulty, as - many NATs did not fit cleanly into the types defined there. 
Classic - STUN also had security vulnerabilities which required an extremely - complicated mechanism to address, and despite the complexity of the - mechanism, were not fully remedied. + many NATs did not fit cleanly into the types defined there. + + Classic STUN also had a security vulnerability - attackers could + provide the client with incorrect mapped addresses under certain + topologies and constraints, and this was fundamentally not solvable + through any cryptographic means. Though this problem remains with + this specification, those attacks are now mitigated through the use + of more complete solutions that make use of STUN. For these reasons, this specification obsoletes RFC 3489, and instead describes STUN as a tool that is utilized as part of a complete NAT traversal solution. ICE [I-D.ietf-mmusic-ice] is a complete NAT traversal solution for protocols based on the offer/answer [RFC3264] methodology, such as SIP. SIP Outbound [I-D.ietf-sip-outbound] is a complete solution for traversal of SIP signaling, and it uses STUN in a very different way. Though it is possible that a protocol may be able to use STUN by itself (classic STUN) as a traversal solution, such usage is not described here and is strongly discouraged for the reasons described above. The on-the-wire protocol described here is changed only slightly from classic STUN. The protocol now runs over TCP in addition to UDP. Extensibility was added to the protocol in a more structured way. A magic-cookie mechanism for demultiplexing STUN with application protocols was added by stealing 32 bits from the 128 bit transaction ID defined in RFC 3489, allowing the change to be backwards compatible. Mapped addresses are encoded using a new exclusive-or - format. There are other, more minor changes. See Section 18 for a + format. There are other, more minor changes. See Section 19 for a more complete listing. 
Due to the change in scope, STUN has also been renamed from "Simple Traversal of UDP Through NAT" to "Session Traversal Utilities for NAT". The acronym remains STUN, which is all anyone ever remembers anyway. 3. Overview of Operation This section is descriptive only. @@ -494,21 +499,21 @@ The message length MUST contain the size, in bytes, of the message not including the 20 byte STUN header. Since all STUN attributes are padded to a multiple of four bytes, the last two bits of this field are always zero. This provides another way to distinguish STUN packets from packets of other protocols. Following the STUN fixed portion of the header are zero or more attributes. Each attribute is TLV (type-length-value) encoded. The details of the encoding, and of the attributes themselves is given in - Section 14. + Section 15. 7. Base Protocol Procedures This section defines the base procedures of the STUN protocol. It describes how messages are formed, how they are sent, and how they are processed when they are received. It also defines the detailed processing of the Binding method. Other sections in this document describe optional procedures that a usage may elect to use in certain situations. Other documents may define other extensions to STUN, by adding new methods, new attributes, or new error response codes. 
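Review bot: the new paragraph in Section 2 asserts that attackers can hand the client incorrect mapped addresses and that this "was fundamentally not solvable through any cryptographic means", but it gives no pointer to where the attack and its constraints are actually described; add a cross reference to the Security Considerations (Section 16 after this draft's renumbering, with 16.1.1 "Outside Attacks" and 16.2 "Attacks Affecting the Usage") so a reader can find the topologies under which it applies. The "more complete solutions" that mitigate it are left implicit even though ICE and SIP Outbound are named as complete solutions two paragraphs later; say that directly. The spaced hyphen in "a security vulnerability - attackers could" should be a colon or comma to match the rest of the document.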
@@ -522,116 +527,139 @@ defined in another document. The agent then adds any attributes specified by the method or the usage. For example, some usages may specify that the agent use an authentication method (Section 10) or the FINGERPRINT attribute (Section 8). For the Binding method with no authentication, no attributes are required unless the usage specifies otherwise. - All STUN requests (and responses) sent over UDP MUST be less than the - path MTU, or 1500 bytes if the MTU is not known. STUN provides no + All STUN requests and responses sent over UDP MUST be less than the + path MTU, if known. If the path MTU is unknown, requests and + responses MUST be the smaller of 576 bytes and the first-hop MTU for + IPv4 [RFC1122] and 1280 bytes for IPv6 [RFC2460]. STUN provides no ability to handle the case where the request is under the MTU but the response would be larger than the MTU. It is not envisioned that this limitation will be an issue for STUN. 7.2. Sending the Request or Indication The agent then sends the request or indication. This document specifies how to send STUN messages over UDP, TCP, or TLS-over-TCP; other transport protocols may be added in the future. The STUN usage must specify which transport protocol is used, and how the agent determines the IP address and port of the recipient. Section 9 describes a DNS-based method of determining the IP address and port of a server which a usage may elect to use. STUN may be used with anycast addresses, but only with UDP and in usages where authentication is not used. At any time, a client MAY have multiple outstanding STUN requests with the same STUN server (that is, multiple transactions in - progress, with different transaction ids). + progress, with different transaction ids). 
Absent other limits to + the rate of new transactions (such as those specified by ICE for + connectivity checks), a client SHOULD space new transactions to a + server by RTO and SHOULD limit itself to ten outstanding transactions + to the same sevrer. 7.2.1. Sending over UDP When running STUN over UDP it is possible that the STUN message might be dropped by the network. Reliability of STUN request/response transactions is accomplished through retransmissions of the request message by the client application itself. STUN indications are not retransmitted; thus indication transactions over UDP are not reliable. A client SHOULD retransmit a STUN request message starting with an interval of RTO ("Retransmission TimeOut"), doubling after each retransmission. The RTO is an estimate of the round-trip-time, and is computed as described in RFC 2988 [RFC2988], with two exceptions. First, the initial value for RTO SHOULD be configurable (rather than - the 3s recommended in RFC 2988) and SHOULD be greater than 100ms. In - fixed-line access links, a value of 100ms is RECOMMENDED. Secondly, - the value of RTO MUST NOT be rounded up to the nearest second. - Rather, a 1ms accuracy MUST be maintained. As with TCP, the usage of - Karn's algorithm is RECOMMENDED [KARN87]. When applied to STUN, it - means that RTT estimates SHOULD NOT be computed from STUN - transactions which result in the retransmission of a request. + the 3s recommended in RFC 2988) and SHOULD be greater than 500ms. + The exception cases for this SHOULD are when other mechanisms are + used to derive congestion thresholds (such as the ones defined in ICE + for fixed rate streams), or when STUN is used in non-Internet + environments with known network capacities. In fixed-line access + links, a value of 500ms is RECOMMENDED. Secondly, the value of RTO + MUST NOT be rounded up to the nearest second. Rather, a 1ms accuracy + MUST be maintained. As with TCP, the usage of Karn's algorithm is + RECOMMENDED [KARN87]. 
When applied to STUN, it means that RTT + estimates SHOULD NOT be computed from STUN transactions which result + in the retransmission of a request. The value for RTO SHOULD be cached by a client after the completion of the transaction, and used as the starting value for RTO for the next transaction to the same server (based on equality of IP address). The value SHOULD be considered stale and discarded after 10 minutes. Retransmissions continue until a response is received, or until a - total of 7 requests have been sent. If, after the last request, a - duration equal to 16 times the RTO has passed without a response - (providing ample time to get a response if only this final request - actually succeeds), the client SHOULD consider the transaction to - have failed. A STUN transaction over UDP is also considered failed - if there has been a transport failure of some sort, such as a fatal - ICMP error. For example, assuming an RTO of 100ms, requests would be - sent at times 0ms, 100ms, 300ms, 700ms, 1500ms, 3100ms, and 6300ms. - If the client has not received a response after 7900ms, the client - will consider the transaction to have timed out. + total of Rc requests have been sent. Rc SHOULD be configurable and + SHOULD have a default of 7. If, after the last request, a duration + equal to 16 times the RTO has passed without a response (providing + ample time to get a response if only this final request actually + succeeds), the client SHOULD consider the transaction to have failed. + A STUN transaction over UDP is also considered failed if there has + been a hard ICMP error [RFC1122]. For example, assuming an RTO of + 500ms, requests would be sent at times 0ms, 500ms, 1500ms, 3500ms, + 7500ms, 15500ms, and 31500ms. If the client has not received a + response after 39500ms, the client will consider the transaction to + have timed out. 7.2.2. Sending over TCP or TLS-over-TCP For TCP and TLS-over-TCP, the client opens a TCP connection to the server. 
- In some usage of STUN, STUN is sent as the only protocol over the TCP - connection. In this case, it can be sent without the aid of any + In some usages of STUN, STUN is sent as the only protocol over the + TCP connection. In this case, it can be sent without the aid of any additional framing or demultiplexing. In other usages, or with other extensions, it may be multiplexed with other data over a TCP connection. In that case, STUN MUST be run on top of some kind of framing protocol, specified by the usage or extension, which allows for the agent to extract complete STUN messages and complete - application layer messages. + application layer messages. The STUN service running on the well + known port or ports discovered through the the DNS procedures in + Section 9 is for STUN alone, and not for STUN multiplexed with other + data. Consequently, no framing protocols are used in connections to + those servers. When additional framing is utilized, the usage will + specify how the client knows to apply it and what port to connect to. + For example, in the case of ICE connectivity checks, this information + is learned through out-of-band negotiation between client and server. - For TLS-over-TCP, the TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite MUST - be supported at a minimum. Implementations MAY also support any - other ciphersuite. When it receives the TLS Certificate message, the - client SHOULD verify the certificate and inspect the site identified - by the certificate. If the certificate is invalid, revoked, or if it - does not identify the appropriate party, the client MUST NOT send the - STUN message or otherwise proceed with the STUN transaction. The - client MUST verify the identity of the server. To do that, it - follows the identification procedures defined in Section 3.1 of RFC - 2818 [RFC2818]. Those procedures assume the client is dereferencing - a URI. 
For purposes of usage with this specification, the client + When STUN is run by itself over TLS-over-TCP, the + TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite MUST be supported at a + minimum. Implementations MAY also support any other ciphersuite. + When it receives the TLS Certificate message, the client SHOULD + verify the certificate and inspect the site identified by the + certificate. If the certificate is invalid, revoked, or if it does + not identify the appropriate party, the client MUST NOT send the STUN + message or otherwise proceed with the STUN transaction. The client + MUST verify the identity of the server. To do that, it follows the + identification procedures defined in Section 3.1 of RFC 2818 + [RFC2818]. Those procedures assume the client is dereferencing a + URI. For purposes of usage with this specification, the client treats the domain name or IP address used in Section 8.1 as the host portion of the URI that has been dereferenced. If DNS was not used, the client MUST be configured with a set of authorized domains whose certificates will be accepted. + When STUN is run multiplexed with other protocols over a TLS-over-TCP + connection, the mandatory ciphersuites and TLS handling procedures + operate as defined by those protocols. + Reliability of STUN over TCP and TLS-over-TCP is handled by TCP itself, and there are no retransmissions at the STUN protocol level. However, for a request/response transaction, if the client has not - received a response 7900ms after it sent the SYN to establish the + received a response 39500ms after it sent the SYN to establish the connection, it considers the transaction to have timed out. This value has been chosen to equalize the TCP and UDP timeouts for the default initial RTO. 
In addition, if the client is unable to establish the TCP connection, or the TCP connection is reset or fails before a response is received, any request/response transaction in progress is considered to have failed The client MAY send multiple transactions over a single TCP (or TLS- 
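Review bot: in the rewritten TLS-over-TCP paragraph of 7.2.2 the client "SHOULD verify the certificate", yet two sentences later it "MUST NOT send the STUN message" if the certificate is invalid and "MUST verify the identity of the server"; a SHOULD-level check cannot back a MUST-level refusal, so make certificate validation a MUST or spell out the exception cases that justify the SHOULD. The same paragraph still tells the client to treat "the domain name or IP address used in Section 8.1" as the host portion of the URI, but Section 8 (FINGERPRINT) has no subsections in this draft's table of contents and the DNS discovery procedure is Section 9, so that reference is stale. In 7.1, the new MTU rule gives 576 bytes for IPv4 and 1280 bytes for IPv6, which are IP datagram sizes; state whether the limit applies to the STUN message or to the whole IP/UDP datagram, otherwise an implementer sending a 576-byte STUN message already exceeds it by the header overhead. Typos in the added lines: "to the same sevrer" and "through the the DNS procedures".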
@@ -642,33 +670,33 @@ o has no further STUN requests or indications to send over that connection, and; o has no plans to use any resources (such as a mapped address (MAPPED-ADDRESS or XOR-MAPPED-ADDRESS) or relayed address [I-D.ietf-behave-turn]) that were learned though STUN requests sent over that connection, and; o if multiplexing other application protocols over that port, has finished using that other application, and; - o if using that learned port with a remote peer, has established communications with that remote peer, as is required by some TCP NAT traversal techniques (e.g., [I-D.ietf-mmusic-ice-tcp]). At the server end, the server SHOULD keep the connection open, and - let the client close it. If a server becomes overloaded and needs to - close connections to free up resources, it SHOULD close an existing - connection rather than reject new connection requests. The server + let the client close it. Bindings learned by the client will remain + valid in intervening NATs only while the connection remains open. + Only the client knows how long it needs the binding. The server SHOULD NOT close a connection if a request was received over that connection for which a response was not sent. A server MUST NOT ever open a connection back towards the client in order to send a - response. + response. Servers SHOULD follow best practices regarding connection + management in cases of overload. 7.3. Receiving a STUN Message This section specifies the processing of a STUN message. The processing specified here is for STUN messages as defined in this specification; additional rules for backwards compatibility are defined in in Section 12. Those additional procedures are optional, and usages can elect to utilize them. First, a set of processing operations are applied that are independent of the class. This is followed by class-specific processing, described in the subsections 
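Review bot: the replacement sentence "Servers SHOULD follow best practices regarding connection management in cases of overload" removes the one concrete rule the old text had (close an existing connection rather than reject new connection requests) and puts nothing checkable in its place; either cite the document that defines those best practices or restore a specific rule, since a SHOULD with no referent cannot be implemented or tested for. The added justification that NAT bindings stay valid only while the connection is open, and that only the client knows how long it needs them, argues for keeping the "let the client close it" policy, so the two should be reconciled in the same paragraph. Unchanged context in the bullet list: "learned though STUN requests" should read "through".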
@@ -709,21 +737,21 @@ code of 420 (Unknown Attribute), and includes an UNKNOWN-ATTRIBUTES attribute in the response that lists the unknown comprehension- required attributes. The server then does any additional checking that the method or the specific usage requires. If all the checks succeed, the server formulates a success response as described below. If the request uses UDP transport and is a retransmission of a request for which the server has already generated a success response - within the last 10 seconds, the server MUST retransmit the same + within the last 40 seconds, the server MUST retransmit the same success response. One way for a server to do this is to remember all transaction IDs received over UDP and their corresponding responses in the last 10 seconds. Another way is to reprocess the request and recompute the response. The latter technique MUST only be applied to requests which are idempotent (a request is considered idempotent when the same request can be safely repeated without impacting the overall state of the system) and result in the same success response for the same request. The Binding method is considered to idempotent in this way (even though certain rare network events could cause the reflexive transport address value to change). Extensions to STUN 
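Review bot: the window for retransmitting a cached success response is changed from 10 to 40 seconds in the first sentence, but the next sentence ("remember all transaction IDs received over UDP and their corresponding responses in the last 10 seconds") still says 10; update it to 40 as well, otherwise the very technique the text offers as a way to satisfy the MUST violates it. The 40-second figure is presumably chosen to cover the new 39500ms client timeout in 7.2.1, so say so explicitly rather than leaving the two numbers to be matched by the reader. Context: "The Binding method is considered to idempotent" is missing "be".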
@@ -839,33 +867,35 @@ this. Any other error code causes the client to consider the transaction failed. 8. FINGERPRINT Mechanism This section describes an optional mechanism for STUN that aids in distinguishing STUN messages from packets of other protocols when the two are multiplexed on the same transport address. This mechanism is - optional, and a STUN usage must describe if and when it is used. + optional, and a STUN usage must describe if and when it is used. The + FINGERPRINT mechanism is not backwards compatible with RFC3489, and + cannot be used in environments where such compatibility is required. In some usages, STUN messages are multiplexed on the same transport address as other protocols, such as RTP. In order to apply the processing described in Section 7, STUN messages must first be separated from the application packets. Section 6 describes three fixed fields in the STUN header that can be used for this purpose. However, in some cases, these three fixed fields may not be sufficient. When the FINGERPRINT extension is used, an agent includes the FINGERPRINT attribute in messages it sends to another agent. - Section 14.5 describes the placement and value of this attribute. + Section 15.5 describes the placement and value of this attribute. When the agent receives what it believes is a STUN message, then, in addition to other basic checks, the agent also checks that the message contains a FINGERPRINT attribute and that the attribute contains the correct value. Section 7.3 describes when in the overall processing of a STUN message the FINGERPRINT check is performed. This additional check helps the agent detect messages of other protocols that might otherwise seem to be STUN messages. 9. DNS Discovery of a Server 
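Review bot: the added sentence states that FINGERPRINT "is not backwards compatible with RFC3489" without saying why, and a usage author deciding whether to enable it needs the reason; give it here or point to Section 12 (Backwards Compatibility with RFC 3489), which is where the constraint belongs alongside the other compatibility rules. The document otherwise cites that RFC as "[RFC3489]", so use the bracketed form and a space ("RFC 3489") for consistency.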
@@ -898,26 +928,26 @@ client should "try to connect to the (protocol, address, service)" without giving any details on what happens in the event of failure. When following these procedures, if the STUN transaction times out without receipt of a response, the client SHOULD retry the request to the next server in the ordered defined by RFC 2782. Such a retry is only possible for request/response transmissions, since indication transactions generate no response or timeout. The default port for STUN requests is 3478, for both TCP and UDP. Administrators of STUN servers SHOULD use this port in their SRV - records for UDP and TCP, but MAY use others. In all cases, the port - in DNS MUST reflect the one the server is listening on. There is no - default port for STUN over TLS, however a STUN server SHOULD use a - port number for TLS different from 3478 so that the server can - determine whether the first message it will receive after the TCP - connection is set up, is a STUN message or a TLS message. + records for UDP and TCP. In all cases, the port in DNS MUST reflect + the one the server is listening on. The default port for STUN over + TLS is XXXX [[NOTE TO RFC EDITOR: Replace with IANA registered port + number for stuns]]. Servers can run STUN over TLS on the same port + as STUN over TCP if the server software supports determining whether + the initial message is a TLS or STUN message. If no SRV records were found, the client performs an A or AAAA record lookup of the domain name. The result will be a list of IP addresses, each of which can be contacted at the default port using UDP or TCP, independent of the STUN usage. For usages that require TLS, lack of SRV records is equivalent to a failure of the transaction, since the request or indication MUST NOT be sent unless SRV records provided a transport address specifically for TLS. 10. Authentication and Message-Integrity Mechanisms 
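Review bot: now that a default port for STUN over TLS is defined ("XXXX", pending IANA), the unchanged last paragraph of Section 9 is inconsistent with it: that paragraph says lack of SRV records is "equivalent to a failure of the transaction" for TLS usages because a TLS transport address must come from SRV, yet an A/AAAA lookup plus the new default port would now yield one. Either drop that exception or state that the SRV-only rule for TLS is deliberate. The new sentence allowing TLS and plain STUN on the same port "if the server software supports determining whether the initial message is a TLS or STUN message" gives no test for that determination; the old text required a distinct port precisely to avoid this ambiguity, so either specify how to distinguish the two (the fixed header fields Section 6 already defines for demultiplexing are the obvious basis) or keep the recommendation for a separate port. The IANA placeholder must be resolved before publication, and in the unchanged context "the ordered defined by RFC 2782" should read "order".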
@@ -956,21 +986,21 @@ This credential is used to form a message integrity check in each request and in many responses. There is no challenge and response as in the long term mechanism; consequently, replay is prevented by virtue of the time-limited nature of the credential. 10.1.1. Forming a Request or Indication For a request or indication message, the agent MUST include the USERNAME and MESSAGE-INTEGRITY attributes in the message. The HMAC for the MESSAGE-INTEGRITY attribute is computed as described in - Section 14.4. Note that the password is never included in the + Section 15.4. Note that the password is never included in the request or indication. 10.1.2. Receiving a Request or Indication After the agent has done the basic processing of a message, the agent performs the checks listed below in order specified: o If the message does not contain both a MESSAGE-INTEGRITY and a USERNAME attribute: @@ -985,21 +1015,21 @@ within the server: * If the message is a request, the server MUST reject the request with an error response. This response MUST use an error code of 401 (Unauthorized). * If the message is an indication, the agent MUST silently discard the indication. o Using the password associated with the username, compute the value - for the message-integrity as described in Section 14.4. If the + for the message-integrity as described in Section 15.4. If the resulting value does not match the contents of the MESSAGE- INTEGRITY attribute: * If the message is a request, the server MUST reject the request with an error response. This response MUST use an error code of 401 (Unauthorized). * If the message is an indication, the agent MUST silently discard the indication. 
@@ -1011,21 +1041,21 @@ If any of the checks fail, a server MUST NOT include a MESSAGE- INTEGRITY or USERNAME attribute in the error response. This is because, in these failure cases, the server cannot determine the shared secret necessary to compute MESSAGE-INTEGRITY. 10.1.3. Receiving a Response The client looks for the MESSAGE-INTEGRITY attribute in the response. If present, the client computes the message integrity over the - response as defined in Section 14.4, using the same password it + response as defined in Section 15.4, using the same password it utilized for the request. If the resulting value matches the contents of the MESSAGE-INTEGRITY attribute, the response is considered authenticated. If the value does not match, or if MESSAGE-INTEGRITY was absent, the response MUST be discarded, as if it was never received. This means that retransmits, if applicable, will continue. 10.2. Long-term Credential Mechanism The long-term credential mechanism relies on a long term credential, 
@@ -1093,21 +1123,21 @@ 10.2.1.2. Subsequent Requests Once a request/response transaction has completed successfully, the client will have been been presented a realm and nonce by the server, and selected a username and password with which it authenticated. The client SHOULD cache the username, password, realm, and nonce for subsequent communications with the server. When the client sends a subsequent request, it SHOULD include the USERNAME, REALM, and NONCE attributes with these cached values. It SHOULD include a MESSAGE- - INTEGRITY attribute, computed as described in Section 14.4 using the + INTEGRITY attribute, computed as described in Section 15.4 using the cached password. 10.2.2. Receiving a Request After the server has done the basic processing of a request, it performs the checks listed below in the order specified: o If the message does not contain a MESSAGE-INTEGRITY attribute, the server MUST generate an error response with an error code of 401 (Unauthorized). This response MUST include a REALM value. It is 
@@ -1118,33 +1148,35 @@ o If the message contains a MESSAGE-INTEGRITY attribute, but is missing the USERNAME, REALM or NONCE attributes, the server MUST generate an error response with an error code of 400 (Bad Request). This response SHOULD NOT include a USERNAME, NONCE, REALM or MESSAGE-INTEGRITY attribute. o If the NONCE is no longer valid, the server MUST generate an error response with an error code of 438 (Stale Nonce). This response MUST include a NONCE and REALM attribute and SHOULD NOT incude the - USERNAME or MESSAGE-INTEGRITY attribute. + USERNAME or MESSAGE-INTEGRITY attribute. Servers can invalidate + nonces in order to provide additional security. See Section 4.3 + of [RFC2617] for guidelines. o If the username in the USERNAME attribute is not valid, the server MUST generate an error response with an error code of 401 (Unauthorized). This response MUST include a REALM value. It is RECOMMENDED that the REALM value be the domain name of the provider of the STUN server. The response MUST include a NONCE, selected by the server. The response SHOULD NOT contain a USERNAME or MESSAGE-INTEGRITY attribute. o Using the password associated with the username in the USERNAME attribute, compute the value for the message-integrity as - described in Section 14.4. If the resulting value does not match + described in Section 15.4. If the resulting value does not match the contents of the MESSAGE-INTEGRITY attribute, the server MUST reject the request with an error response. This response MUST use an error code of 401 (Unauthorized). It MUST include a REALM and NONCE attribute and SHOULD NOT include the USERNAME or MESSAGE- INTEGRITY attribute. If these checks pass, the server continues to process the request. Any response generated by the server (excepting the cases described above) MUST include the MESSAGE-INTEGRITY attribute, computed using the username and password utilized to authenticate the request. The 
@@ -1164,21 +1196,21 @@ not changing the USERNAME or REALM or its associated password, from the previous attempt. If the response is an error response with an error code of 438 (Stale Nonce), the client MUST retry the request, using the new NONCE supplied in the 438 (Stale Nonce) response. This retry MUST also include the USERNAME, REALM and MESSAGE-INTEGRITY. The client looks for the MESSAGE-INTEGRITY attribute in the response (either success or failure). If present, the client computes the - message integrity over the response as defined in Section 14.4, using + message integrity over the response as defined in Section 15.4, using the same password it utilized for the request. If the resulting value matches the contents of the MESSAGE-INTEGRITY attribute, the response is considered authenticated. If the value does not match, or if MESSAGE-INTEGRITY was absent, the response MUST be discarded, as if it was never received. This means that retransmits, if applicable, will continue. 11. ALTERNATE-SERVER Mechanism This section describes a mechanism in STUN that allows a server to 
@@ -1193,33 +1225,38 @@ error code of 300 (Try Alternate). The server MUST include a ALTERNATE-SERVER attribute in the error response. The error response message MUST be authenticated, which in practice means the request message must have passed the authentication checks. A client using this extension handles a 300 (Try Alternate) error code as follows. If the error response has passed the authentication checks, then the client looks for a ALTERNATE-SERVER attribute in the error response. If one is found, then the client considers the current transaction as failed, and re-attempts the request with the - server specified in the attribute. The client SHOULD reuse any + server specified in the attribute, using the same transport protocol + used for the previous request. The client SHOULD reuse any authentication credentials from the old request in the new - transaction. + transaction. If the server has been redirected to a server on which + it has already tried this request within the last five minutes, it + MUST ignore the redirection and consider the transaction to have + failed. This prevents infinite ping-ponging between servers in case + of redirection loops. 12. Backwards Compatibility with RFC 3489 This section define procedures that allow a degree of backwards compatible with the original protocol defined in RFC 3489 [RFC3489]. This mechanism is optional, meant to be utilized only in cases where a new client can connect to an old server, or vice-a-versa. A usage must define if and when this procedure is used. - Section 18 lists all the changes between this specification and RFC + Section 19 lists all the changes between this specification and RFC 3489 [RFC3489]. However, not all of these differences are important, because "classic STUN" was only used in a few specific ways. For the purposes of this extension, the important changes are the following. 
In RFC 3489: o UDP was the only supported transport; o The field that is now the Magic Cookie field was a part of the transaction id field, and transaction ids were 128 bits long; 
@@ -1261,41 +1298,72 @@ acceptable. The RFC 3489 version of STUN lacks both the Magic Cookie and the FINGERPRINT attribute that allows for a very high probablility of correctly identifying STUN messages when multiplexed with other protocols. Therefore, STUN implementations that are backwards compatible with RFC 3489 SHOULD NOT be used in cases where STUN will be multiplexed with another protocol. However, that should not be an issues as such multiplexing was not available in RFC 3489. -13. STUN Usages +13. Basic Server Behavior + + This section defines the behavior of a basic, standalone STUN server. + A basic STUN server provides clients with server reflexive transport + addresses by receiving and replying to STUN Binding Requests. + + The STUN server MUST support the Binding method. It SHOULD NOT + utilize the short term or long term credential mechanism. This is + because the work involved in authenticating the request is more than + the work in simply processing it. It SHOULD NOT utilize the + ALTERNATE-SERVER mechanism for the same reason. It MUST support UDP + and TCP. It MAY support STUN over TCP/TLS, however TLS provides + minimal security benefits in this basic mode of operation. It MAY + utilize the FINGERPRINT mechanism but MUST NOT require it. Since the + standalove server only runs STUN, FINGERPRINT provides no benefit. + Requiring it would break compatibility with RFC 3489, and such + compatibility is desirable in a standalone server. Standalone STUN + servers SHOULD support backwards compatibility with [RFC3489] + clients, as described in Section 12. + + It is RECOMMENDED that administrators of STUN servers provide DNS + entries for those servers as described in Section 9. + + A basic STUN server is not a solution for NAT traversal by itself. + However, it can be utilized as part of a solution through STUN + usages. This is discussed further in Section 14. + +14. STUN Usages STUN by itself is not a solution to the NAT traversal problem. 
Rather, STUN defines a tool that can be used inside a larger solution. The term "STUN Usage" is used for any solution that uses STUN as a component. At the time of writing, three STUN usages are defined: Interactive Connectivity Establishment (ICE) [I-D.ietf-mmusic-ice], Client- initiated connections for SIP [I-D.ietf-sip-outbound], and NAT Behavior Discovery [I-D.ietf-behave-nat-behavior-discovery]. Other STUN usages may be defined in the future. A STUN usage defines how STUN is actually utilized - when to send requests, what to do with the responses, and which optional procedures defined here (or in an extension to STUN) are to be used. A usage would also define: o Which STUN methods are used; o What authentication and message integrity mechanisms are used; + + o The considerations around manual vs. automatic key derivation for + the integrity mechanism, as discussed in [RFC4107]; + o What mechanisms are used to distinguish STUN messages from other messages. When STUN is run over TCP, a framing mechanism may be required; o How a STUN client determines the IP address and port of the STUN server; o Whether backwards compatibility to RFC 3489 is required; o What optional attributes defined here (such as FINGERPRINT and 
@@ -1305,21 +1373,21 @@ of using STUN in that usage. A number of attacks against STUN are known (see the Security Considerations section in this document) and any usage must consider how these attacks can be thwarted or mitigated. Finally, a usage must consider whether its usage of STUN is an example of the Unilateral Self-Address Fixing approach to NAT traversal, and if so, address the questions raised in RFC 3424. [RFC3424] -14. STUN Attributes +15. STUN Attributes After the STUN header are zero or more attributes. Each attribute MUST be TLV encoded, with a 16 bit type, 16 bit length, and value. Each STUN attribute MUST end on a 32 bit boundary. As mentioned above, all fields in an attribute are transmitted most significant bit first. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -1366,21 +1434,21 @@ 0x0020: XOR-MAPPED-ADDRESS Comprehension-optional range (0x8000-0xFFFF) 0x8022: SERVER 0x8023: ALTERNATE-SERVER 0x8028: FINGERPRINT The rest of this section describes the format of the various attributes defined in this specification. -14.1. MAPPED-ADDRESS +15.1. MAPPED-ADDRESS The MAPPED-ADDRESS attribute indicates a reflexive transport address of the client. It consists of an eight bit address family, and a sixteen bit port, followed by a fixed length value representing the IP address. If the address family is IPv4, the address MUST be 32 bits. If the address family is IPv6, the address MUST be 128 bits. All fields must be in network byte order. The format of the MAPPED-ADDRESS attribute is: 
@@ -1401,21 +1468,21 @@ 0x01:IPv4 0x02:IPv6 The first 8 bits of the MAPPED-ADDRESS MUST be set to 0 and MUST be ignored by receivers. These bits are present for aligning parameters on natural 32 bit boundaries. This attribute is used only by servers for achieving backwards compatibility with RFC 3489 [RFC3489] clients. -14.2. XOR-MAPPED-ADDRESS +15.2. XOR-MAPPED-ADDRESS The XOR-MAPPED-ADDRESS attribute is identical to the MAPPED-ADDRESS attribute, except that the reflexive transport address is obfuscated through the XOR function. The format of the XOR-MAPPED-ADDRESS is: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
@@ -1449,71 +1516,74 @@ encoding of the transport address. The former encodes the transport address by exclusive-or'ing it with the magic cookie. The latter encodes it directly in binary. RFC 3489 originally specified only MAPPED-ADDRESS. However, deployment experience found that some NATs rewrite the 32-bit binary payloads containing the NAT's public IP address, such as STUN's MAPPED-ADDRESS attribute, in the well-meaning but misguided attempt at providing a generic ALG function. Such behavior interferes with the operation of STUN and also causes failure of STUN's message integrity checking. -14.3. USERNAME +15.3. USERNAME The USERNAME attribute is used for message integrity. It identifies the username and password combination used in the message integrity check. The value of USERNAME is a variable length value. It MUST contain a - UTF-8 [RFC3629] encoded sequence of less than 513 bytes. + UTF-8 [RFC3629] encoded sequence of less than 513 bytes, and MUST + have been processed using SASLPrep [RFC4013]. -14.4. MESSAGE-INTEGRITY +15.4. MESSAGE-INTEGRITY The MESSAGE-INTEGRITY attribute contains an HMAC-SHA1 [RFC2104] of the STUN message. The MESSAGE-INTEGRITY attribute can be present in any STUN message type. Since it uses the SHA1 hash, the HMAC will be 20 bytes. The text used as input to HMAC is the STUN message, including the header, up to and including the attribute preceding the MESSAGE-INTEGRITY attribute. With the exception of the FINGERPRINT attribute, which appears after MESSAGE-INTEGRITY, agents MUST ignore all other attributes that follow MESSAGE-INTEGRITY. The key for the HMAC depends on whether long term or short term credentials are in use. For long term credentials: - key = MD5(username ":" realm ":" password) + key = MD5(username ":" realm ":" SASLPrep(password)) For short term credentials: - key = password + key = SASLPrep(password) - Where MD5 is defined in RFC 1321 [RFC1321]. 
+ Where MD5 is defined in RFC 1321 [RFC1321] and SASLPrep() is defined + in [RFC4013]. The structure of the key when used with long term credentials facilitates deployment in systems that also utilize SIP. Typically, SIP systems utilizing SIP's digest authentication mechanism do not actually store the password in the database. Rather, they store a value called H(A1), which is equal to the key defined above. Based on the rules above, the hash includes the length field from the - STUN message header. This length indicates the length of the entire - message, including the MESSAGE-INTEGRITY attribute itself. - Consequently, the MESSAGE-INTEGRITY attribute MUST be inserted into - the message (with dummy content) prior to the computation of the - integrity check. Once the computation is performed, the value of the - attribute can be filled in. This ensures the length has the correct - value when the hash is performed. Similarly, when validating the - MESSAGE-INTEGRITY, the length field should be adjusted to point to - the end of the MESSAGE-INTEGRITY attribute prior to calculating the - HMAC. Such adjustment is necessary when attributes, such as - FINGERPRINT, appear after MESSAGE-INTEGRITY. + STUN message header. Prior to performing the hash, the MESSAGE- + INTEGRITY attribute MUST be inserted into the message (with dummy + content). The length MUST then be set to point to the length of the + message up to, and including, the MESSAGE-INTEGRITY attribute itself, + but excluding any attributes after it. Once the computation is + performed, the value of the MESSAGE-INTEGRITY attribute can be filled + in, and the value of the length in the STUN header can be set to its + correct value - the length of the entire message. Similarly, when + validating the MESSAGE-INTEGRITY, the length field should be adjusted + to point to the end of the MESSAGE-INTEGRITY attribute prior to + calculating the HMAC. 
Such adjustment is necessary when attributes, + such as FINGERPRINT, appear after MESSAGE-INTEGRITY. -14.5. FINGERPRINT +15.5. FINGERPRINT The FINGERPRINT attribute MAY be present in all STUN messages. The value of the attribute is computed as the CRC-32 of the STUN message up to (but excluding) the FINGERPRINT attribute itself, xor-d with the 32 bit value 0x5354554e (the XOR helps in cases where an application packet is also using CRC-32 in it). The 32 bit CRC is the one defined in ITU V.42 [ITU.V42.2002], which has a generator polynomial of x32+x26+x23+x22+x16+x12+x11+x10+x8+x7+x5+x4+x2+x+1. When present, the FINGERPRINT attribute MUST be the last attribute in the message, and thus will appear after MESSAGE-INTEGRITY. @@ -1525,21 +1595,21 @@ covers the length field from the STUN message header. Therefore, this value must be correct, and include the CRC attribute as part of the message length, prior to computation of the CRC. When using the FINGERPRINT attribute in a message, the attribute is first placed into the message with a dummy value, then the CRC is computed, and then the value of the attribute is updated. If the MESSAGE-INTEGRITY attribute is also present, then it must be present with the correct message-integrity value before the CRC is computed, since the CRC is done over the value of the MESSAGE-INTEGRITY attribute as well. -14.6. ERROR-CODE +15.6. ERROR-CODE The ERROR-CODE attribute is used in Error Response messages. It contains a numeric error code value in the range of 300 to 699 plus a textual reason phrase encoded in UTF-8 [RFC3629], and is consistent in its code assignments and semantics with SIP [RFC3261] and HTTP [RFC2616]. The reason phrase is meant for user consumption, and can be anything appropriate for the error code. Recommended reason phrases for the defined error codes are presented below. The reason phrase MUST be a UTF-8 [RFC3629] encoded sequence of less than 128 characters (which can be as long as 763 bytes). 
@@ -1596,46 +1666,47 @@ The server MUST put this unknown attribute in the UNKNOWN- ATTRIBUTE attribute of its error response. 438 Stale Nonce: The NONCE used by the client was no longer valid. The client should retry, using the NONCE provided in the response. 500 Server Error: The server has suffered a temporary error. The client should try again. -14.7. REALM +15.7. REALM The REALM attribute may be present in requests and responses. It contains text which meets the grammar for "realm-value" as described in RFC 3261 [RFC3261] but without the double quotes and their surrounding whitespace. That is, it is an unquoted realm-value (and is therefore a sequence of qdtext or quoted-pair). It MUST be a UTF-8 [RFC3629] encoded sequence of less than 128 characters (which - can be as long as 763 bytes). + can be as long as 763 bytes), and MUST have been processed using + SASLPrep [RFC4013]. Presence of the REALM attribute in a request indicates that long-term credentials are being used for authentication. Presence in certain error responses indicates that the server wishes the client to use a long-term credential for authentication. -14.8. NONCE +15.8. NONCE The NONCE attribute may be present in requests and responses. It contains a sequence of qdtext or quoted-pair, which are defined in RFC 3261 [RFC3261]. Note that this means that the NONCE attribute will not contain actual quote characters. See RFC 2617 [RFC2617], Section 4.3, for guidance on selection of nonce values in a server. It MUST be less than 128 characters (which can be as long as 763 bytes). -14.9. UNKNOWN-ATTRIBUTES +15.9. UNKNOWN-ATTRIBUTES The UNKNOWN-ATTRIBUTES attribute is present only in an error response when the response code in the ERROR-CODE attribute is 420. The attribute contains a list of 16 bit values, each of which represents an attribute type that was not understood by the server. 
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
@@ -1643,84 +1714,102 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Attribute 3 Type | Attribute 4 Type ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 12: Format of UNKNOWN-ATTRIBUTES attribute Note: In [RFC3489], this field was padded to 32 by duplicating the last attribute. In this version of the specification, the normal padding rules for attributes are used instead. -14.10. SERVER +15.10. SERVER The server attribute contains a textual description of the software being used by the server, including manufacturer and version number. The attribute has no impact on operation of the protocol, and serves only as a tool for diagnostic and debugging purposes. The value of SERVER is variable length. It MUST be a UTF-8 [RFC3629] encoded sequence of less than 128 characters (which can be as long as 763 bytes). -14.11. ALTERNATE-SERVER +15.11. ALTERNATE-SERVER The alternate server represents an alternate transport address identifying a different STUN server which the STUN client should try. It is encoded in the same way as MAPPED-ADDRESS, and thus refers to a single server by IP address. The IP address family MUST be identical to that of the source IP address of the request. This attribute MUST only appear in an error response that contains a MESSAGE-INTEGRITY attribute. This prevents it from being used in denial-of-service attacks. -15. Security Considerations +16. Security Considerations -15.1. Attacks against the Protocol +16.1. Attacks against the Protocol -15.1.1. Outside Attacks +16.1.1. Outside Attacks An attacker can try to modify STUN messages in transit, in order to cause a failure in STUN operation. These attacks are detected for both requests and responses through the message integrity mechanism, using either a short term or long term credential. Of course, once detected, the manipulated packets will be dropped, causing the STUN transaction to effectively fail. 
This attack is possible only by an on-path attacker. An attacker that can observe, but not modify STUN messages in-transit (for example, an attacker present on a shared access medium, such as Wi-Fi), can see a STUN request, and then immediately send a STUN response, typically an error response, in order to disrupt STUN processing. This attack is also prevented for messages that utilize MESSAGE-INTEGRITY. However, some error responses, those related to authentication in particular, cannot be protected by MESSAGE- INTEGRITY. When STUN itself is run over a secure transport protocol (e.g., TLS), these attacks are completely mitigated. -15.1.2. Inside Attacks + Depending on the STUN usage, these attacks may be of minimal + consequence and thus do not require message integrity to mitigate. + For example, when STUN is used to a basic STUN server to discover a + server reflexive candidate for usage with ICE, authentication and + message integrity are not required since these attacks are detected + during the connectivity check phase. The connectivity checks + themselves, however, require protection for proper operation of ICE + overall. As described in Section 14, STUN usages describe when + authentication and message integrity are needed. + + Since STUN uses the HMAC of a shared secret for authentication and + integrity protection, it is subject to offline dictionary attacks. + When authentication is utilized, it SHOULD be with a strong password + that is not readily subject to offline dictionary attacks. + Protection of the channel itself, using TLS, mitigates these attacks. + However, STUN is most often run over UDP and in those cases, strong + passwords are the only way to protect against these attacks. + +16.1.2. Inside Attacks A rogue client may try to launch a DoS attack against a server by sending it a large number of STUN requests. Fortunately, STUN requests can be processed statelessly by a server, making such attacks hard to launch. 
A rogue client may use a STUN server as a reflector, sending it requests with a falsified source IP address and port. In such a case, the response would be delivered to that source IP and port. There is no amplification of the number of packets with this attack (the STUN server sends one packet for each packet sent by the client), though there is a small increase in the amount of data, since STUN responses are typically larger than requests. This attack is mitigated by ingress source address filtering. -15.2. Attacks Affecting the Usage +16.2. Attacks Affecting the Usage This section lists attacks that might be launched against a usage of STUN. Each STUN usage must consider whether these attacks are applicable to it, and if so, discuss counter-measures. Most of the attacks in this section revolve around an attacker modifying the reflexive address learned by a STUN client through a Binding Request/Binding Response transaction. Since the usage of the reflexive address is a function of the usage, the applicability and remediation of these attacks is usage-specific. In common 
@@ -1734,125 +1823,125 @@ port. If the attacker can also intercept this response, it can direct it back towards the client. Protecting against this attack by using a message-integrity check is impossible, since a message- integrity value cannot cover the source IP address, since the intervening NAT must be able to modify this value. Instead, one solution to preventing the attacks listed below is for the client to verify the reflexive address learned, as is done in ICE [I-D.ietf-mmusic-ice]. Other usages may use other means to prevent these attacks. -15.2.1. Attack I: DDoS Against a Target +16.2.1. Attack I: DDoS Against a Target In this attack, the attacker provides one or more clients with the same faked reflexive address that points to the intended target. This will trick the STUN clients into thinking that their reflexive addresses are equal to that of the target. If the clients hand out that reflexive address in order to receive traffic on it (for example, in SIP messages), the traffic will instead be sent to the target. This attack can provide substantial amplification, especially when used with clients that are using STUN to enable multimedia applications. However, it can only be launched against targets for which packets from the STUN server to the target pass through the attacker, limiting the cases in which it is possible -15.2.2. Attack II: Silencing a Client +16.2.2. Attack II: Silencing a Client In this attack, the attacker provides a STUN client with a faked reflexive address. The reflexive address it provides is a transport address that routes to nowhere. As a result, the client won't receive any of the packets it expects to receive when it hands out the reflexive address. This exploitation is not very interesting for the attacker. It impacts a single client, which is frequently not the desired target. 
Moreover, any attacker that can mount the attack could also deny service to the client by other means, such as preventing the client from receiving any response from the STUN - server, or even a DHCP server. As with the attack in Section 15.2.1, + server, or even a DHCP server. As with the attack in Section 16.2.1, this attack is only possible when the attacker is on path for packets sent from the STUN server towards this unused IP address. -15.2.3. Attack III: Assuming the Identity of a Client +16.2.3. Attack III: Assuming the Identity of a Client This attack is similar to attack II. However, the faked reflexive address points to the attacker itself. This allows the attacker to receive traffic which was destined for the client. -15.2.4. Attack IV: Eavesdropping +16.2.4. Attack IV: Eavesdropping In this attack, the attacker forces the client to use a reflexive address that routes to itself. It then forwards any packets it receives to the client. This attack would allow the attacker to observe all packets sent to the client. However, in order to launch the attack, the attacker must have already been able to observe packets from the client to the STUN server. In most cases (such as when the attack is launched from an access network), this means that the attacker could already observe packets sent to the client. This attack is, as a result, only useful for observing traffic by attackers on the path from the client to the STUN server, but not generally on the path of packets being routed towards the client. -15.3. Hash Agility Plan +16.3. Hash Agility Plan This specification uses HMAC-SHA-1 for computation of the message integrity. If, at a later time, HMAC-SHA-1 is found to be compromised, the following is the remedy that will be applied. We will define a STUN extension which introduces a new message integrity attribute, computed using a new hash. Clients would be required to include both the new and old message integrity attributes in their requests or indications. 
A new server will utilize the new message integrity attribute, and an old one, the old. After a transition period where mixed implementations are in deployment, the old message-integrity attribute will be deprecated by another specification, and clients will cease including it in requests. -16. IAB Considerations +17. IAB Considerations The IAB has studied the problem of "Unilateral Self Address Fixing" (UNSAF), which is the general process by which a client attempts to determine its address in another realm on the other side of a NAT through a collaborative protocol reflection mechanism (RFC3424 [RFC3424]). STUN can be used to perform this function using a Binding Request/Response transaction if one agent is behind a NAT and the other is on the public side of the NAT. The IAB has mandated that protocols developed for this purpose document a specific set of considerations. Because some STUN usages provide UNSAF functions (such as ICE [I-D.ietf-mmusic-ice] ), and others do not (such as SIP Outbound [I-D.ietf-sip-outbound]), answers to these considerations need to be addressed by the usages themselves. -17. IANA Considerations +18. IANA Considerations IANA is hereby requested to create three new registries: a STUN methods registry, a STUN Attributes registry, and a STUN Error Codes registry. IANA is also requested to change the name of the assigned IANA port for STUN from "nat-stun-port" to "stun". -17.1. STUN Methods Registry +18.1. STUN Methods Registry A STUN method is a hex number in the range 0x000 - 0x3FF. The encoding of STUN method into a STUN message is described in Section 6. The initial STUN methods are: 0x000: (Reserved) 0x001: Binding 0x002: (Reserved; was SharedSecret) STUN methods in the range 0x000 - 0x1FF are assigned by IETF Consensus [RFC2434]. STUN methods in the range 0x200 - 0x3FF are assigned on a First Come First Served basis [RFC2434] -17.2. STUN Attribute Registry +18.2. 
STUN Attribute Registry A STUN Attribute type is a hex number in the range 0x0000 - 0xFFFF. STUN attribute types in the range 0x0000 - 0x7FFF are considered comprehension-required; STUN attribute types in the range 0x8000 - 0xFFFF are considered comprehension-optional. A STUN agent handles unknown comprehension-required and comprehension-optional attributes differently. The initial STUN Attributes types are: 
@@ -1875,51 +1964,55 @@ 0x8028: FINGERPRINT STUN Attribute types in the first half of the comprehension-required range (0x0000 - 0x3FFF) and in the first half of the comprehension- optional range (0x8000 - 0xBFFF) are assigned by IETF Consensus [RFC2434]. STUN Attribute types in the second half of the comprehension-required range (0x4000 - 0x7FFF) and in the second half of the comprehension-optional range (0xC000 - 0xFFFF) are assigned on a First Come First Served basis [RFC2434]. -17.3. STUN Error Code Registry +18.3. STUN Error Code Registry A STUN Error code is a number in the range 0 - 699. STUN error codes are accompanied by a textual reason phrase in UTF-8 [RFC3629] which is intended only for human consumption and can be anything appropriate; this document proposes only suggested values. STUN error codes are consistent in codepoint assignments and semantics with SIP [RFC3261] and HTTP [RFC2616]. - The initial values in this registry are given in Section 14.6. + The initial values in this registry are given in Section 15.6. - New STUN error codes are assigned on a Specification-Required basis + New STUN error codes are assigned on an IETF Consensus basis [RFC2434]. The specification must carefully consider how clients that do not understand this error code will process it before granting the request. See the rules in Section 7.3.4. -17.4. STUN UDP and TCP Port Numbers +18.4. STUN UDP and TCP Port Numbers IANA has previously assigned port 3478 for STUN. This port appears in the IANA registry under the moniker "nat-stun-port". 
In order to align the DNS SRV procedures with the registered protocol service, IANA is requested to change the name of protocol assigned to port 3478 from "nat-stun-port" to "stun", and the textual name from "Simple Traversal of UDP Through NAT (STUN)" to "Session Traversal Utilities for NAT", so that the IANA port registry would read: stun 3478/tcp Session Traversal Utilities for NAT (STUN) port stun 3478/udp Session Traversal Utilities for NAT (STUN) port -18. Changes Since RFC 3489 + In addition, IANA is requested to assign port numbers for the "stuns" + service, defined over TCP and UDP. The UDP port is not currently + defined however is reserved for future use. + +19. Changes Since RFC 3489 This specification obsoletes RFC3489 [RFC3489]. This specification differs from RFC3489 in the following ways: o Removed the notion that STUN is a complete NAT traversal solution. STUN is now a tool that can be used to produce a NAT traversal solution. As a consequence, changed the name of the protocol to Session Traversal Utilities for NAT. o Introduced the concept of STUN usages, and described what a usage 
@@ -1977,50 +2071,59 @@ o Defined a generic padding mechanism that changes the interpretation of the length attribute. This would, in theory, break backwards compatibility. However, the mechanism in RFC 3489 never worked for the few attributes that weren't aligned naturally on 32 bit boundaries. o REALM, SERVER, reason phrases and NONCE limited to 127 characters. USERNAME to 513 bytes. -19. Contributors + o Changed the DNS SRV procedures for TCP and TLS. UDP remains the + same as before. + +20. Contributors Christian Huitema and Joel Weinberger were original co-authors of RFC 3489. -20. Acknowledgements +21. Acknowledgements The authors would like to thank Cedric Aoun, Pete Cordell, Cullen Jennings, Bob Penfield, Xavier Marjou, Magnus Westerlund, Miguel Garcia, Bruce Lowekamp and Chris Sullivan for their comments, and Baruch Sterman and Alan Hawrylyshen for initial implementations. Thanks for Leslie Daigle, Allison Mankin, Eric Rescorla, and Henning Schulzrinne for IESG and IAB input on this work. -21. References +22. References -21.1. Normative References +22.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981. [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. + [RFC1122] Braden, R., "Requirements for Internet Hosts - + Communication Layers", STD 3, RFC 1122, October 1989. + + [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 + (IPv6) Specification", RFC 2460, December 1998. + [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999. [RFC2988] Paxson, V. and M. 
Allman, "Computing TCP's Retransmission Timer", RFC 2988, November 2000. [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- Hashing for Message Authentication", RFC 2104, @@ -2030,31 +2133,37 @@ International Telecommunications Union, "Error-correcting Procedures for DCEs Using Asynchronous-to-Synchronous Conversion", ITU-T Recommendation V.42, March 2002. [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003. [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992. -21.2. Informational References + [RFC4013] Zeilenga, K., "SASLprep: Stringprep Profile for User Names + and Passwords", RFC 4013, February 2005. + +22.2. Informational References [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. + [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic + Key Management", BCP 107, RFC 4107, June 2005. + [I-D.ietf-mmusic-ice] Rosenberg, J., "Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols", draft-ietf-mmusic-ice-19 (work in progress), October 2007. [RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy, "STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)", RFC 3489, March 2003. 
@@ -2139,21 +2249,21 @@ Dan Wing Cisco 771 Alder Drive San Jose, CA 95035 US Email: dwing@cisco.com Full Copyright Statement - Copyright (C) The IETF Trust (2007). + Copyright (C) The IETF Trust (2008). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
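Review bot: In the hunk covering Sections 16.2.3 through 18.1, the renumbered cross-reference "As with the attack in Section 16.2.1" is updated, but the Hash Agility Plan in Section 16.3 leaves open how a server that understands both attributes validates a message carrying both: it says clients "would be required to include both the new and old message integrity attributes" and that "a new server will utilize the new message integrity attribute", without stating whether the old attribute is ignored or must also verify. Suggest adding one sentence such as "A server supporting the new attribute MUST validate only the new attribute and ignore the old one", so an attacker cannot gain anything from a downgrade to the weaker hash during the transition period.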
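Review bot: In hunk @@ -1875, the added "stuns" paragraph contradicts itself and needs a registry entry: it first says the service is "defined over TCP and UDP" and then that "The UDP port is not currently defined however is reserved for future use". Suggest rewording to "IANA is requested to assign a port number for the 'stuns' service over TCP, and to reserve the corresponding UDP port for future use", fixing the comma splice ("not currently defined; however, it is reserved"), and adding a "stuns NNNN/tcp" line to the registry table that already lists "stun 3478/tcp" and "stun 3478/udp", so the requested assignment is stated in the same form as the existing one. Also, the policy change from "Specification-Required" to "IETF Consensus" for new error codes is fine, but the following sentence ("The specification must carefully consider ...") now has no obvious antecedent for "the specification"; consider "The document defining the new error code must ...".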
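Review bot: In hunk @@ -1977, the new bullet "Changed the DNS SRV procedures for TCP and TLS. UDP remains the same as before." is less specific than the neighbouring bullets (which name the concrete change, e.g. the padding mechanism or the 127-character limits) and does not say what changed; given that hunk @@ -1875 introduces the "stuns" service name, suggest stating it here, e.g. "TLS discovery now uses the 'stuns' SRV service name instead of 'stun'", so an implementer reading only this list knows that RFC 3489 clients and bis-14 clients will query different SRV records. The two added normative references (RFC 1122, RFC 2460) are placed between RFC 2818 and RFC 2617, which is inconsistent with the rest of the list; either sort the list or append them at the end.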
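Review bot: In hunk @@ -2030, RFC 4013 (SASLprep) is added as a normative reference, but the "Changes Since RFC 3489" list in hunk @@ -1977 has no corresponding bullet, so the reason for the new normative dependency is not visible in this diff; suggest adding a bullet such as "Usernames and passwords are now processed with SASLprep [RFC4013] before being used in the long-term credential mechanism", since a change in string preparation affects interoperability with RFC 3489 implementations. RFC 4107 is correctly placed in the Informational References, as key-management guidance is not needed to implement the protocol.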