draft-ietf-tram-stunbis-17.txt   draft-ietf-tram-stunbis-18.txt 
TRAM M. Petit-Huguenin TRAM M. Petit-Huguenin
Internet-Draft Impedance Mismatch Internet-Draft Impedance Mismatch
Obsoletes: 5389 (if approved) G. Salgueiro Obsoletes: 5389 (if approved) G. Salgueiro
Intended status: Standards Track J. Rosenberg Intended status: Standards Track J. Rosenberg
Expires: November 4, 2018 Cisco Expires: November 15, 2018 Cisco
D. Wing D. Wing
R. Mahy R. Mahy
Unaffiliated Unaffiliated
P. Matthews P. Matthews
Nokia Nokia
May 3, 2018 May 14, 2018
Session Traversal Utilities for NAT (STUN) Session Traversal Utilities for NAT (STUN)
draft-ietf-tram-stunbis-17 draft-ietf-tram-stunbis-18
Abstract Abstract
Session Traversal Utilities for NAT (STUN) is a protocol that serves Session Traversal Utilities for NAT (STUN) is a protocol that serves
as a tool for other protocols in dealing with Network Address as a tool for other protocols in dealing with Network Address
Translator (NAT) traversal. It can be used by an endpoint to Translator (NAT) traversal. It can be used by an endpoint to
determine the IP address and port allocated to it by a NAT. It can determine the IP address and port allocated to it by a NAT. It can
also be used to check connectivity between two endpoints, and as a also be used to check connectivity between two endpoints, and as a
keep-alive protocol to maintain NAT bindings. STUN works with many keep-alive protocol to maintain NAT bindings. STUN works with many
existing NATs, and does not require any special behavior from them. existing NATs, and does not require any special behavior from them.
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 4, 2018. This Internet-Draft will expire on November 15, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 28 skipping to change at page 3, line 28
14.5. MESSAGE-INTEGRITY . . . . . . . . . . . . . . . . . . . 40 14.5. MESSAGE-INTEGRITY . . . . . . . . . . . . . . . . . . . 40
14.6. MESSAGE-INTEGRITY-SHA256 . . . . . . . . . . . . . . . . 41 14.6. MESSAGE-INTEGRITY-SHA256 . . . . . . . . . . . . . . . . 41
14.7. FINGERPRINT . . . . . . . . . . . . . . . . . . . . . . 42 14.7. FINGERPRINT . . . . . . . . . . . . . . . . . . . . . . 42
14.8. ERROR-CODE . . . . . . . . . . . . . . . . . . . . . . . 42 14.8. ERROR-CODE . . . . . . . . . . . . . . . . . . . . . . . 42
14.9. REALM . . . . . . . . . . . . . . . . . . . . . . . . . 44 14.9. REALM . . . . . . . . . . . . . . . . . . . . . . . . . 44
14.10. NONCE . . . . . . . . . . . . . . . . . . . . . . . . . 44 14.10. NONCE . . . . . . . . . . . . . . . . . . . . . . . . . 44
14.11. PASSWORD-ALGORITHMS . . . . . . . . . . . . . . . . . . 44 14.11. PASSWORD-ALGORITHMS . . . . . . . . . . . . . . . . . . 44
14.12. PASSWORD-ALGORITHM . . . . . . . . . . . . . . . . . . . 45 14.12. PASSWORD-ALGORITHM . . . . . . . . . . . . . . . . . . . 45
14.13. UNKNOWN-ATTRIBUTES . . . . . . . . . . . . . . . . . . . 46 14.13. UNKNOWN-ATTRIBUTES . . . . . . . . . . . . . . . . . . . 46
14.14. SOFTWARE . . . . . . . . . . . . . . . . . . . . . . . . 46 14.14. SOFTWARE . . . . . . . . . . . . . . . . . . . . . . . . 46
14.15. ALTERNATE-SERVER . . . . . . . . . . . . . . . . . . . . 47 14.15. ALTERNATE-SERVER . . . . . . . . . . . . . . . . . . . . 46
14.16. ALTERNATE-DOMAIN . . . . . . . . . . . . . . . . . . . . 47 14.16. ALTERNATE-DOMAIN . . . . . . . . . . . . . . . . . . . . 47
15. Operational Considerations . . . . . . . . . . . . . . . . . 47 15. Operational Considerations . . . . . . . . . . . . . . . . . 47
16. Security Considerations . . . . . . . . . . . . . . . . . . . 47 16. Security Considerations . . . . . . . . . . . . . . . . . . . 47
16.1. Attacks against the Protocol . . . . . . . . . . . . . . 47 16.1. Attacks against the Protocol . . . . . . . . . . . . . . 47
16.1.1. Outside Attacks . . . . . . . . . . . . . . . . . . 47 16.1.1. Outside Attacks . . . . . . . . . . . . . . . . . . 47
16.1.2. Inside Attacks . . . . . . . . . . . . . . . . . . . 48 16.1.2. Inside Attacks . . . . . . . . . . . . . . . . . . . 48
16.1.3. Bid-Down Attacks . . . . . . . . . . . . . . . . . . 49 16.1.3. Bid-Down Attacks . . . . . . . . . . . . . . . . . . 49
16.2. Attacks Affecting the Usage . . . . . . . . . . . . . . 50 16.2. Attacks Affecting the Usage . . . . . . . . . . . . . . 50
16.2.1. Attack I: Distributed DoS (DDoS) against a Target . 50 16.2.1. Attack I: Distributed DoS (DDoS) against a Target . 50
16.2.2. Attack II: Silencing a Client . . . . . . . . . . . 51 16.2.2. Attack II: Silencing a Client . . . . . . . . . . . 51
skipping to change at page 4, line 16 skipping to change at page 4, line 16
18.6. STUN UDP and TCP Port Numbers . . . . . . . . . . . . . 55 18.6. STUN UDP and TCP Port Numbers . . . . . . . . . . . . . 55
19. Changes since RFC 5389 . . . . . . . . . . . . . . . . . . . 56 19. Changes since RFC 5389 . . . . . . . . . . . . . . . . . . . 56
20. References . . . . . . . . . . . . . . . . . . . . . . . . . 56 20. References . . . . . . . . . . . . . . . . . . . . . . . . . 56
20.1. Normative References . . . . . . . . . . . . . . . . . . 56 20.1. Normative References . . . . . . . . . . . . . . . . . . 56
20.2. Informative References . . . . . . . . . . . . . . . . . 59 20.2. Informative References . . . . . . . . . . . . . . . . . 59
Appendix A. C Snippet to Determine STUN Message Types . . . . . 61 Appendix A. C Snippet to Determine STUN Message Types . . . . . 61
Appendix B. Test Vectors . . . . . . . . . . . . . . . . . . . . 62 Appendix B. Test Vectors . . . . . . . . . . . . . . . . . . . . 62
B.1. Sample Request with Long-Term Authentication with B.1. Sample Request with Long-Term Authentication with
MESSAGE-INTEGRITY-SHA256 and USERHASH . . . . . . . . . . 62 MESSAGE-INTEGRITY-SHA256 and USERHASH . . . . . . . . . . 62
Appendix C. Release notes . . . . . . . . . . . . . . . . . . . 64 Appendix C. Release notes . . . . . . . . . . . . . . . . . . . 64
C.1. Modifications between draft-ietf-tram-stunbis-17 and C.1. Modifications between draft-ietf-tram-stunbis-18 and
draft-ietf-tram-stunbis-17 . . . . . . . . . . . . . . . 64
C.2. Modifications between draft-ietf-tram-stunbis-17 and
draft-ietf-tram-stunbis-16 . . . . . . . . . . . . . . . 64 draft-ietf-tram-stunbis-16 . . . . . . . . . . . . . . . 64
C.2. Modifications between draft-ietf-tram-stunbis-16 and C.3. Modifications between draft-ietf-tram-stunbis-16 and
draft-ietf-tram-stunbis-15 . . . . . . . . . . . . . . . 64 draft-ietf-tram-stunbis-15 . . . . . . . . . . . . . . . 64
C.3. Modifications between draft-ietf-tram-stunbis-15 and C.4. Modifications between draft-ietf-tram-stunbis-15 and
draft-ietf-tram-stunbis-14 . . . . . . . . . . . . . . . 65 draft-ietf-tram-stunbis-14 . . . . . . . . . . . . . . . 65
C.4. Modifications between draft-ietf-tram-stunbis-14 and C.5. Modifications between draft-ietf-tram-stunbis-14 and
draft-ietf-tram-stunbis-13 . . . . . . . . . . . . . . . 65 draft-ietf-tram-stunbis-13 . . . . . . . . . . . . . . . 65
C.5. Modifications between draft-ietf-tram-stunbis-13 and C.6. Modifications between draft-ietf-tram-stunbis-13 and
draft-ietf-tram-stunbis-12 . . . . . . . . . . . . . . . 65 draft-ietf-tram-stunbis-12 . . . . . . . . . . . . . . . 65
C.6. Modifications between draft-ietf-tram-stunbis-12 and C.7. Modifications between draft-ietf-tram-stunbis-12 and
draft-ietf-tram-stunbis-11 . . . . . . . . . . . . . . . 65 draft-ietf-tram-stunbis-11 . . . . . . . . . . . . . . . 66
C.7. Modifications between draft-ietf-tram-stunbis-11 and C.8. Modifications between draft-ietf-tram-stunbis-11 and
draft-ietf-tram-stunbis-10 . . . . . . . . . . . . . . . 66 draft-ietf-tram-stunbis-10 . . . . . . . . . . . . . . . 66
C.8. Modifications between draft-ietf-tram-stunbis-10 and C.9. Modifications between draft-ietf-tram-stunbis-10 and
draft-ietf-tram-stunbis-09 . . . . . . . . . . . . . . . 66 draft-ietf-tram-stunbis-09 . . . . . . . . . . . . . . . 66
C.9. Modifications between draft-ietf-tram-stunbis-09 and
draft-ietf-tram-stunbis-08 . . . . . . . . . . . . . . . 67
C.10. Modifications between draft-ietf-tram-stunbis-09 and C.10. Modifications between draft-ietf-tram-stunbis-09 and
draft-ietf-tram-stunbis-08 . . . . . . . . . . . . . . . 67 draft-ietf-tram-stunbis-08 . . . . . . . . . . . . . . . 67
C.11. Modifications between draft-ietf-tram-stunbis-08 and C.11. Modifications between draft-ietf-tram-stunbis-08 and
draft-ietf-tram-stunbis-07 . . . . . . . . . . . . . . . 68 draft-ietf-tram-stunbis-07 . . . . . . . . . . . . . . . 67
C.12. Modifications between draft-ietf-tram-stunbis-07 and C.12. Modifications between draft-ietf-tram-stunbis-07 and
draft-ietf-tram-stunbis-06 . . . . . . . . . . . . . . . 68 draft-ietf-tram-stunbis-06 . . . . . . . . . . . . . . . 68
C.13. Modifications between draft-ietf-tram-stunbis-06 and C.13. Modifications between draft-ietf-tram-stunbis-06 and
draft-ietf-tram-stunbis-05 . . . . . . . . . . . . . . . 68 draft-ietf-tram-stunbis-05 . . . . . . . . . . . . . . . 68
C.14. Modifications between draft-ietf-tram-stunbis-05 and C.14. Modifications between draft-ietf-tram-stunbis-05 and
draft-ietf-tram-stunbis-04 . . . . . . . . . . . . . . . 68 draft-ietf-tram-stunbis-04 . . . . . . . . . . . . . . . 68
C.15. Modifications between draft-ietf-tram-stunbis-04 and C.15. Modifications between draft-ietf-tram-stunbis-04 and
draft-ietf-tram-stunbis-03 . . . . . . . . . . . . . . . 69 draft-ietf-tram-stunbis-03 . . . . . . . . . . . . . . . 68
C.16. Modifications between draft-ietf-tram-stunbis-03 and C.16. Modifications between draft-ietf-tram-stunbis-03 and
draft-ietf-tram-stunbis-02 . . . . . . . . . . . . . . . 69 draft-ietf-tram-stunbis-02 . . . . . . . . . . . . . . . 69
C.17. Modifications between draft-ietf-tram-stunbis-02 and C.17. Modifications between draft-ietf-tram-stunbis-02 and
draft-ietf-tram-stunbis-01 . . . . . . . . . . . . . . . 69 draft-ietf-tram-stunbis-01 . . . . . . . . . . . . . . . 69
C.18. Modifications between draft-ietf-tram-stunbis-01 and C.18. Modifications between draft-ietf-tram-stunbis-01 and
draft-ietf-tram-stunbis-00 . . . . . . . . . . . . . . . 70 draft-ietf-tram-stunbis-00 . . . . . . . . . . . . . . . 69
C.19. Modifications between draft-salgueiro-tram-stunbis-02 and C.19. Modifications between draft-salgueiro-tram-stunbis-02 and
draft-ietf-tram-stunbis-00 . . . . . . . . . . . . . . . 71 draft-ietf-tram-stunbis-00 . . . . . . . . . . . . . . . 70
C.20. Modifications between draft-salgueiro-tram-stunbis-02 and C.20. Modifications between draft-salgueiro-tram-stunbis-02 and
draft-salgueiro-tram-stunbis-01 . . . . . . . . . . . . . 71 draft-salgueiro-tram-stunbis-01 . . . . . . . . . . . . . 70
C.21. Modifications between draft-salgueiro-tram-stunbis-01 and C.21. Modifications between draft-salgueiro-tram-stunbis-01 and
draft-salgueiro-tram-stunbis-00 . . . . . . . . . . . . . 71 draft-salgueiro-tram-stunbis-00 . . . . . . . . . . . . . 71
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 71 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 71
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 72 Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 72 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 72
1. Introduction 1. Introduction
The protocol defined in this specification, Session Traversal The protocol defined in this specification, Session Traversal
Utilities for NAT, provides a tool for dealing with NATs. It Utilities for NAT, provides a tool for dealing with NATs. It
provides a means for an endpoint to determine the IP address and port provides a means for an endpoint to determine the IP address and port
allocated by a NAT that corresponds to its private IP address and allocated by a NAT that corresponds to its private IP address and
port. It also provides a way for an endpoint to keep a NAT binding port. It also provides a way for an endpoint to keep a NAT binding
alive. With some extensions, the protocol can be used to do alive. With some extensions, the protocol can be used to do
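Review bot: the left column's table of contents carries two entries with the same title, "C.9." and "C.10. Modifications between draft-ietf-tram-stunbis-09 and draft-ietf-tram-stunbis-08"; the right column drops the duplicate and renumbers the remaining entries, and the new "C.1. Modifications between draft-ietf-tram-stunbis-18 and draft-ietf-tram-stunbis-17" entry matches the body heading in Appendix C. The only other differences in this region are page shifts (14.15 ALTERNATE-SERVER 47 to 46, several Appendix C entries one page earlier), which is what removing a duplicated section would produce.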
skipping to change at page 14, line 18 skipping to change at page 14, line 18
is possible that the STUN message might be dropped by the network. is possible that the STUN message might be dropped by the network.
Reliability of STUN request/response transactions is accomplished Reliability of STUN request/response transactions is accomplished
through retransmissions of the request message by the client through retransmissions of the request message by the client
application itself. STUN indications are not retransmitted; thus, application itself. STUN indications are not retransmitted; thus,
indication transactions over UDP or DTLS-over-UDP are not reliable. indication transactions over UDP or DTLS-over-UDP are not reliable.
A client SHOULD retransmit a STUN request message starting with an A client SHOULD retransmit a STUN request message starting with an
interval of RTO ("Retransmission TimeOut"), doubling after each interval of RTO ("Retransmission TimeOut"), doubling after each
retransmission. The RTO is an estimate of the round-trip time (RTT), retransmission. The RTO is an estimate of the round-trip time (RTT),
and is computed as described in [RFC6298], with two exceptions. and is computed as described in [RFC6298], with two exceptions.
First, the initial value for RTO SHOULD be greater or equal than 500 First, the initial value for RTO SHOULD be greater or equal to 500
ms. The exception cases for this "SHOULD" are when other mechanisms ms. The exception cases for this "SHOULD" are when other mechanisms
are used to derive congestion thresholds (such as the ones defined in are used to derive congestion thresholds (such as the ones defined in
ICE for fixed rate streams), or when STUN is used in non-Internet ICE for fixed rate streams), or when STUN is used in non-Internet
environments with known network capacities. In fixed-line access environments with known network capacities. In fixed-line access
links, a value of 500 ms is RECOMMENDED. Second, the value of RTO links, a value of 500 ms is RECOMMENDED. Second, the value of RTO
SHOULD NOT be rounded up to the nearest second. Rather, a 1 ms SHOULD NOT be rounded up to the nearest second. Rather, a 1 ms
accuracy SHOULD be maintained. As with TCP, the usage of Karn's accuracy SHOULD be maintained. As with TCP, the usage of Karn's
algorithm is RECOMMENDED [KARN87]. When applied to STUN, it means algorithm is RECOMMENDED [KARN87]. When applied to STUN, it means
that RTT estimates SHOULD NOT be computed from STUN transactions that that RTT estimates SHOULD NOT be computed from STUN transactions that
result in the retransmission of a request. result in the retransmission of a request.
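Review bot: "greater or equal to 500 ms" on the first-exception sentence is still not idiomatic; the usual form is "greater than or equal to 500 ms". The rest of the paragraph is consistent with the [RFC6298] reference: an initial RTO floor, 1 ms granularity instead of rounding up to the nearest second, and Karn's algorithm keeping retransmitted transactions out of the RTT estimate. One point worth tightening: the exception cases ("other mechanisms are used to derive congestion thresholds", "non-Internet environments with known network capacities") are stated only as exceptions to the 500 ms floor; saying explicitly that the doubling after each retransmission still applies in those cases would stop an implementer reading the exception as relaxing the backoff.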
skipping to change at page 16, line 51 skipping to change at page 16, line 51
[BCP195] that implementations and deployments of a STUN Usage using [BCP195] that implementations and deployments of a STUN Usage using
TLS or DTLS MUST follow. TLS or DTLS MUST follow.
When it receives the TLS Certificate message, the client MUST verify When it receives the TLS Certificate message, the client MUST verify
the certificate and inspect the site identified by the certificate. the certificate and inspect the site identified by the certificate.
If the certificate is invalid or revoked, or if it does not identify If the certificate is invalid or revoked, or if it does not identify
the appropriate party, the client MUST NOT send the STUN message or the appropriate party, the client MUST NOT send the STUN message or
otherwise proceed with the STUN transaction. The client MUST verify otherwise proceed with the STUN transaction. The client MUST verify
the identity of the server. To do that, it follows the the identity of the server. To do that, it follows the
identification procedures defined in [RFC6125], with a certificate identification procedures defined in [RFC6125], with a certificate
containing an identifier of type DNS-ID or CN-ID, eventually with containing an identifier of type DNS-ID or CN-ID, eventually with a
wildcards, but not of type SRV-ID or URI-ID. Alternatively, a client wildcard character as leftmost label, but not of type SRV-ID or URI-
MAY be configured with a set of IP addresses that are trusted; if a ID. Alternatively, a client MAY be configured with a set of IP
certificate is received that identifies one of those IP addresses, addresses that are trusted; if a certificate is received that
the client considers the identity of the server to be verified. identifies one of those IP addresses, the client considers the
identity of the server to be verified.
When STUN is run multiplexed with other protocols over a TLS-over-TCP When STUN is run multiplexed with other protocols over a TLS-over-TCP
connection or a DTLS-over-UDP association, the mandatory ciphersuites connection or a DTLS-over-UDP association, the mandatory ciphersuites
and TLS handling procedures operate as defined by those protocols. and TLS handling procedures operate as defined by those protocols.
6.3. Receiving a STUN Message 6.3. Receiving a STUN Message
This section specifies the processing of a STUN message. The This section specifies the processing of a STUN message. The
processing specified here is for STUN messages as defined in this processing specified here is for STUN messages as defined in this
specification; additional rules for backwards compatibility are specification; additional rules for backwards compatibility are
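Review bot: "eventually with a wildcard character as leftmost label" still uses "eventually" in the sense of "possibly", which in English reads as "at some later time"; suggest "possibly with a wildcard character as the leftmost label". Narrowing "wildcards" to a wildcard only in the leftmost label is the right fix, since that is the matching rule of the cited [RFC6125]. The alternative path, where a configured set of trusted IP addresses satisfies the identity check, should say which certificate field is compared against those addresses: "a certificate is received that identifies one of those IP addresses" is not defined in [RFC6125] terms, because that document covers DNS-ID, CN-ID, SRV-ID and URI-ID and leaves IP address identifiers out of scope. Without that, two implementations can disagree on whether a CN or a SAN holding the address counts.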
skipping to change at page 37, line 39 skipping to change at page 37, line 39
| Value (variable) .... | Value (variable) ....
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: Format of STUN Attributes Figure 4: Format of STUN Attributes
The value in the length field MUST contain the length of the Value The value in the length field MUST contain the length of the Value
part of the attribute, prior to padding, measured in bytes. Since part of the attribute, prior to padding, measured in bytes. Since
STUN aligns attributes on 32-bit boundaries, attributes whose content STUN aligns attributes on 32-bit boundaries, attributes whose content
is not a multiple of 4 bytes are padded with 1, 2, or 3 bytes of is not a multiple of 4 bytes are padded with 1, 2, or 3 bytes of
padding so that its value contains a multiple of 4 bytes. The padding so that its value contains a multiple of 4 bytes. The
padding bits MUST be set to zero on sending and must be ignored by padding bits MUST be set to zero on sending and MUST be ignored by
the receiver. the receiver.
Any attribute type MAY appear more than once in a STUN message. Any attribute type MAY appear more than once in a STUN message.
Unless specified otherwise, the order of appearance is significant: Unless specified otherwise, the order of appearance is significant:
only the first occurrence needs to be processed by a receiver, and only the first occurrence needs to be processed by a receiver, and
any duplicates MAY be ignored by a receiver. any duplicates MAY be ignored by a receiver.
To allow future revisions of this specification to add new attributes To allow future revisions of this specification to add new attributes
if needed, the attribute space is divided into two ranges. if needed, the attribute space is divided into two ranges.
Attributes with type values between 0x0000 and 0x7FFF are Attributes with type values between 0x0000 and 0x7FFF are
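Review bot: the "must" to "MUST" change on the padding sentence ("MUST be ignored by the receiver") turns a descriptive statement into a normative requirement and should appear in the change log rather than under "Nits". On the same paragraph, the text says the length field excludes padding and that attributes are aligned on 32-bit boundaries, but it never states explicitly that a receiver advances to the next attribute by the length rounded up to a multiple of 4; one sentence saying so would close off a common parser mistake where the unpadded length is used as the stride. The duplicate-attribute rule ("only the first occurrence needs to be processed ... any duplicates MAY be ignored") is fine as written.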
skipping to change at page 46, line 34 skipping to change at page 46, line 34
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute 1 Type | Attribute 2 Type | | Attribute 1 Type | Attribute 2 Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Attribute 3 Type | Attribute 4 Type ... | Attribute 3 Type | Attribute 4 Type ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10: Format of UNKNOWN-ATTRIBUTES Attribute Figure 10: Format of UNKNOWN-ATTRIBUTES Attribute
Note: In [RFC3489], this field was padded to 32 by duplicating the Note: In [RFC3489], this field was padded to 32 by duplicating the
last attribute. In this version of the specification, the last attribute. In this version of the specification, the normal
normal padding rules for attributes are padding rules for attributes are used instead.
used instead.
14.14. SOFTWARE 14.14. SOFTWARE
The SOFTWARE attribute contains a textual description of the software The SOFTWARE attribute contains a textual description of the software
being used by the agent sending the message. It is used by clients being used by the agent sending the message. It is used by clients
and servers. Its value SHOULD include manufacturer and version and servers. Its value SHOULD include manufacturer and version
number. The attribute has no impact on operation of the protocol, number. The attribute has no impact on operation of the protocol,
and serves only as a tool for diagnostic and debugging purposes. The and serves only as a tool for diagnostic and debugging purposes. The
value of SOFTWARE is variable length. It MUST be a UTF-8 [RFC3629] value of SOFTWARE is variable length. It MUST be a UTF-8 [RFC3629]
encoded sequence of less than 128 characters (which can be as long as encoded sequence of less than 128 characters (which can be as long as
skipping to change at page 64, line 9 skipping to change at page 64, line 9
Note: Before publication, the XX XX placeholder must be replaced by Note: Before publication, the XX XX placeholder must be replaced by
the value assigned to MESSAGE-INTEGRITY-SHA256 and USERHASH by the value assigned to MESSAGE-INTEGRITY-SHA256 and USERHASH by
IANA. The MESSAGE-INTEGRITY-SHA256 attribute value will need to IANA. The MESSAGE-INTEGRITY-SHA256 attribute value will need to
be updated after this. be updated after this.
Appendix C. Release notes Appendix C. Release notes
This section must be removed before publication as an RFC. This section must be removed before publication as an RFC.
C.1. Modifications between draft-ietf-tram-stunbis-17 and draft-ietf- C.1. Modifications between draft-ietf-tram-stunbis-18 and draft-ietf-
tram-stunbis-17
o Nits.
C.2. Modifications between draft-ietf-tram-stunbis-17 and draft-ietf-
tram-stunbis-16 tram-stunbis-16
o Modifications following IESG, GENART and SECDIR reviews. o Modifications following IESG, GENART and SECDIR reviews.
C.2. Modifications between draft-ietf-tram-stunbis-16 and draft-ietf- C.3. Modifications between draft-ietf-tram-stunbis-16 and draft-ietf-
tram-stunbis-15 tram-stunbis-15
o Replace "failure response" with "error response". o Replace "failure response" with "error response".
o Fix wrong section number. o Fix wrong section number.
o Use "Username anonymity" everywhere. o Use "Username anonymity" everywhere.
o Align with UTF-8 deprecation. o Align with UTF-8 deprecation.
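Review bot: "o Nits." under C.1 undersells this revision. The diff shows at least two changes with normative effect: the wildcard restriction to the leftmost label in the TLS identity check on page 16 (the paragraph just before Section 6.3), and the lowercase "must" becoming "MUST" for ignoring padding bits in the attribute format text on page 37. Both should be itemized so that an implementer reading only the change list notices them. The removal of the duplicated C.9 section would also be worth a line here.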
skipping to change at page 65, line 12 skipping to change at page 65, line 16
o s/invalidate/revoke/. o s/invalidate/revoke/.
o Removed sentences about checking USERHASH in responses, as this o Removed sentences about checking USERHASH in responses, as this
should not happen. should not happen.
o Specify that ALTERNATE-SERVER carries an IP address. o Specify that ALTERNATE-SERVER carries an IP address.
o More modifications following review... o More modifications following review...
C.3. Modifications between draft-ietf-tram-stunbis-15 and draft-ietf- C.4. Modifications between draft-ietf-tram-stunbis-15 and draft-ietf-
tram-stunbis-14 tram-stunbis-14
o Reverted the RFC 2119 boilerplate to what was in RFC 5389. o Reverted the RFC 2119 boilerplate to what was in RFC 5389.
o Reverted the V.42 reference to the 2002 version. o Reverted the V.42 reference to the 2002 version.
o Updated some references. o Updated some references.
C.4. Modifications between draft-ietf-tram-stunbis-14 and draft-ietf- C.5. Modifications between draft-ietf-tram-stunbis-14 and draft-ietf-
tram-stunbis-13 tram-stunbis-13
o Reorder the paragraphs in section 9.1.4. o Reorder the paragraphs in section 9.1.4.
o The realm is now processed through Opaque in section 9.2.2. o The realm is now processed through Opaque in section 9.2.2.
o Make clear in section 9.2.4 that it is an exclusive-xor. o Make clear in section 9.2.4 that it is an exclusive-xor.
o Removed text that implied that nonce sharing was explicitly o Removed text that implied that nonce sharing was explicitly
permitted in RFC 5389. permitted in RFC 5389.
o In same section, s/username/value/ for USERCASH. o In same section, s/username/value/ for USERCASH.
o Modify the IANA requests to explicitly say that the reserved o Modify the IANA requests to explicitly say that the reserved
codepoints were prior to RFC 5389. codepoints were prior to RFC 5389.
C.5. Modifications between draft-ietf-tram-stunbis-13 and draft-ietf- C.6. Modifications between draft-ietf-tram-stunbis-13 and draft-ietf-
tram-stunbis-12 tram-stunbis-12
o Update references. o Update references.
o Fixes some text following Shepherd review. o Fixes some text following Shepherd review.
o Update co-author info. o Update co-author info.
C.6. Modifications between draft-ietf-tram-stunbis-12 and draft-ietf- C.7. Modifications between draft-ietf-tram-stunbis-12 and draft-ietf-
tram-stunbis-11 tram-stunbis-11
o Clarifies the procedure to define a new hash algorithm for o Clarifies the procedure to define a new hash algorithm for
message-integrity. message-integrity.
o Explain the procedure to deprecate SHA1 as message-integrity. o Explain the procedure to deprecate SHA1 as message-integrity.
o Added procedure for Happy Eyeballs (RFC 6555). o Added procedure for Happy Eyeballs (RFC 6555).
o Added verification that Happy Eyeballs works in the STUN Usage o Added verification that Happy Eyeballs works in the STUN Usage
checklist. checklist.
o Add reference to Base64 RFC. o Add reference to Base64 RFC.
o Changed co-author affiliation. o Changed co-author affiliation.
C.7. Modifications between draft-ietf-tram-stunbis-11 and draft-ietf- C.8. Modifications between draft-ietf-tram-stunbis-11 and draft-ietf-
tram-stunbis-10 tram-stunbis-10
o Made clear that the same HMAC than received in response of short o Made clear that the same HMAC than received in response of short
term credential must be used for subsequent transactions. term credential must be used for subsequent transactions.
o s/URL/URI/ o s/URL/URI/
o The "nonce cookie" is now mandatory to signal that SHA256 must be o The "nonce cookie" is now mandatory to signal that SHA256 must be
used in the next transaction. used in the next transaction.
o s/SHA1/SHA256/ o s/SHA1/SHA256/
o Changed co-author affiliation. o Changed co-author affiliation.
C.8. Modifications between draft-ietf-tram-stunbis-10 and draft-ietf- C.9. Modifications between draft-ietf-tram-stunbis-10 and draft-ietf-
tram-stunbis-09 tram-stunbis-09
o Removed the reserved value in the security registry, as it does o Removed the reserved value in the security registry, as it does
not make sense in a bitset. not make sense in a bitset.
o Updated change list. o Updated change list.
o Updated the minimum truncation size for M-I-256 to 16 bytes. o Updated the minimum truncation size for M-I-256 to 16 bytes.
o Changed the truncation order to match RFC 7518. o Changed the truncation order to match RFC 7518.
skipping to change at page 67, line 5 skipping to change at page 67, line 11
o Stated that STUN Usages have to explicitly state that they can use o Stated that STUN Usages have to explicitly state that they can use
truncation. truncation.
o Removed truncation from the MESSAGE-INTEGRITY attribute. o Removed truncation from the MESSAGE-INTEGRITY attribute.
o Add reference to C code in RFC 1952. o Add reference to C code in RFC 1952.
o Replaced RFC 2818 reference to RFC 6125. o Replaced RFC 2818 reference to RFC 6125.
C.9. Modifications between draft-ietf-tram-stunbis-09 and draft-ietf-
tram-stunbis-08
o Removed the reserved value in the security registry, as it does
not make sense in a bitset.
o Updated change list.
o Updated the minimum truncation size for M-I-256 to 16 bytes.
o Changed the truncation order to match RFC 7518.
o Fixed bugs in truncation boundary text.
o Stated that STUN Usages have to explicitly state that they can use
truncation.
o Removed truncation from the MESSAGE-INTEGRITY attribute.
o Add reference to C code in RFC 1952.
o Replaced RFC 2818 reference to RFC 6125.
C.10. Modifications between draft-ietf-tram-stunbis-09 and draft-ietf- C.10. Modifications between draft-ietf-tram-stunbis-09 and draft-ietf-
tram-stunbis-08 tram-stunbis-08
o Packets discarded in a reliable or unreliable transaction triggers o Packets discarded in a reliable or unreliable transaction triggers
an attack error instead of a timeout error. An attack error on a an attack error instead of a timeout error. An attack error on a
reliable transport is signaled immediately instead of waiting for reliable transport is signaled immediately instead of waiting for
the timeout. the timeout.
o Explicitly state that a received 400 response without o Explicitly state that a received 400 response without
authentication will be dropped until timeout. authentication will be dropped until timeout.
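Review bot: removing the left column's "C.9. Modifications between draft-ietf-tram-stunbis-09 and draft-ietf-tram-stunbis-08" section is correct; its nine bullets, from "Removed the reserved value in the security registry" through "Replaced RFC 2818 reference to RFC 6125", repeat verbatim the list of the section immediately above it (C.8 in the old numbering, C.9 in the new), so the section was a copy under the wrong heading. The right column's table of contents has been updated to match, and the retained C.10 keeps its distinct content about attack errors and the 400 response, so the renumbering is consistent between the table of contents and the body.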
 End of changes. 32 change blocks. 
63 lines changed or deleted 45 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/