Status of this Memo

This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on August 2, 2003.

Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

STUN (Simple Traversal of UDP for NATS) specifies a mechanism which enables nodes in a private network to determine if they are behind a NAT, to discover their remapped address and port, and for many types of NATs to send UDP traffic through them. In addition TCP connections initiated from the private side of NATs already works. This document specifies requirements for a mechanism that enables traversal of expected TCP traffic through all NATs, and traversal of UDP traffic through symmetric NATs.

Table of Contents

1.  Overview
2.  Requirements
3.  Security Considerations
4.  Acknowledgments
§  Normative References
§  Author's Address
§  Intellectual Property and Copyright Statements

1. Overview

STUN[1] (Simple Traversal of UDP for NATS) specifies a mechanism which enables nodes in a private network to determine if they are behind a NAT. It also allows STUN Clients to discover their address as viewed from a STUN Server. For full cone, address-restricted cone, and port-restricted cone NATs, this knowledge allows the STUN client to receive UDP traffic. (Nodes behind a NAT can initiate TCP connections and send UDP traffic without the need for any additional protocol). In order to allow nodes on the private side of a NAT to receive incoming TCP connections and to receive UDP traffic through a symmetric NAT, some type of simple relay-based solution is necessary. This document describes the requirements such a solution need to provide a useful service which does not prolong the life of IPv4.

2. Requirements

1. Passes bidirectional UDP through one or two NATs, at least one of which may be symmetric or port-restricted
2. Allows "expected" TCP connection from a single source to be received by a user behind a NAT.
3. The implementation of the previous requirement (relay of TCP traffic) must not interfere with TLS
4. Prevents the node on the private network from running a server (can't receive multiple connections on the same well known port).
5. The implementation allows nodes to reference the relay session/stream/connection by an identifier which is unique to the stream and which is valid in the public Internet (i.e. globally unique)
6. Works where the endpoints and relay server are all IPv4 endpoints
7. Works where the private endpoint is IPv4 and another is IPv6, when the relay supports both IPv4 and IPv6.
8. The originator of the relay session can terminate the relay session
9. The originator of the relay session can determine the relay timeout interval
10. The relay should be able to open a port number such that the actual address and port of one end of the relay is not fixed until the first packet arrives from that end.
11. The relay can "passthrough" UDP traffic (in the case of a symmetric NAT) to a known IP address and UDP port number
12. The relay does not forward TCP connections originating from inside a NAT. Presumably, a node on the inside of the NAT can already originate outgoing connections.
13. Supports strong authentication and message integrity of control traffic
14. Does not attempt to protect data traffic
15. Does not require data traffic to be modified or escaped in any way
16. Existing end-to-end integrity and encryption of data traffic is encouraged and must still work through the solution
17. Needs the ability to reserve a port on the relay for future use
18. Needs the ability to promote a reserved port to a full mapping. When two nodes are behind different NATs, this allows one to obtain a port before use. It also enables nodes an opportunity to attempt allocation of contiguous ports for applications which require this behavior (for example RTP and RTCP).
19. Need ability to release a reserved port.
20. Supports a keepalive, so that the client does not have to send traffic to keep the mapping active
21. Does not increase packet sizes for data traffic.
22. Allows for the client to indicate how much bandwidth they expect to use, so that the server can do policing if needed.
23. Allows for the server to redirect the client to a different server.

3. Security Considerations

Security-related requirements are discussed in the body of the document.

4. Acknowledgments

Thanks to Jonathan Rosenberg for his comments.

Normative References

Author's Address

Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

Full Copyright Statement

Copyright (C) The Internet Society (2003). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.