
Stun Protocol, Port and Traffic

Patricia Arquette
2024-10-11 10:30:02

STUN is a protocol designed to overcome the barriers to communication that are introduced by NAT.

The STUN protocol enables devices that are behind a NAT to discover their own public IP address and port number.

The device communicates with a STUN server on the internet, and the STUN server reports this information back to the client device.

The device can then share this information with the other device or devices on the internet with which it wants to communicate.

This allows the devices to communicate with each other directly, effectively traversing the NAT.

STUN is important in facilitating real-time peer-to-peer communication.

If you want to know more about what is a STUN server, then you can refer to our article: Stun Server: What is Session Traversal Utilities for NAT?



Understanding the NAT Problem

Explanation of Network Address Translation (NAT) and its widespread use.

Routers map multiple private IP addresses to a single public IP address using a technique called NAT, or Network Address Translation.

This allows multiple devices on the local network to connect to the internet using a single public IP, thus conserving the limited number of IPv4 addresses.

NAT became widespread because of the exponential growth in devices connected to the internet, combined with the delay in adopting IPv6, which offers a larger address space.

Issues Introduced by NAT in peer-to-peer communication

NAT blocks direct communication between devices by dropping unsolicited inbound traffic, altering the port mappings and hiding the public IP address from the devices that are behind the NAT.

Thus overcoming the barriers created by NAT is important for enabling direct communication between devices that are on different networks across the internet.

NAT traversal solutions like the STUN protocol allow devices to discover their own public IP address and negotiate connections through NAT routers.

Many times STUN servers are not enough for NAT traversal and you need to fall back on TURN servers.

If you are implementing one-to-one communication and need reliable STUN and TURN servers, then you can consider:

Open Relay Project: Free TURN / STUN servers

Metered.ca TURN servers: Premium TURN servers with global reach

Services like VoIP and Video conferencing require STUN and TURN servers.


STUN Protocol: Solution for NAT Traversal

What is STUN?

STUN, or Session Traversal Utilities for NAT, is a standardized protocol defined in RFC 5389 that enables devices behind a NAT or firewall to discover their own public IP address and port number.

STUN also lets devices and applications discover what kind of NAT they are behind and obtain the necessary information to establish a direct communication channel with other devices on the internet

The core functionalities of STUN include:

  1. Public IP address discovery: STUN allows a client device to learn its public IP address

  2. Port Mapping: STUN helps the client device know what port number it has been assigned by the NAT device

  3. NAT type detection: The STUN server helps client device know what kind of NAT device it is behind. NAT types include full cone NAT, restricted cone NAT, symmetric NAT etc

  4. Facilitating Peer-to-Peer Communication: With the discovered public endpoint, the STUN server facilitates peer-to-peer communication between devices


How STUN Works

How STUN helps devices to Discover their own Public IP Address and Port number

When a client device sends a request to the STUN server on the internet, the STUN server can see the public IP address and port number from which the request arrives.

The STUN server then sends this information back to the client. This is how the STUN server helps devices discover the public IP and port number that the NAT router has assigned to them.

The process enables the client to:

  • Learn its public endpoint: Understand how other devices see it on the internet

  • Share connection details with peers: Once the client device gets the details from the STUN server, it can share them with the other devices on the internet with which it wants to start communication

  • Adapt to NAT behaviour: Adjust its NAT traversal strategy based on what type of NAT the client device is behind

Step by Step how STUN works

  1. Client Initiation

    1. The client device sends a request to the STUN server over UDP to learn its own public IP address and port number
    2. The request is a STUN Binding Request, sent over UDP (User Datagram Protocol)
  2. STUN server reception

    1. The STUN server accepts the request and notes the source IP address and port number from which the request arrived.
    2. The STUN server then responds to the client with that IP address and port number
  3. Binding response

    1. The STUN server constructs a STUN Binding Response message
    2. This response includes a MAPPED-ADDRESS attribute carrying the client's public IP address and port
  4. Client receipt

    1. The client device receives the Binding Response from the server
    2. The client device then retrieves its public IP address and port number from the MAPPED-ADDRESS attribute
  5. NAT type discovery (optional):

    1. The client can then perform additional tests against different STUN servers to determine what type of NAT it is behind
    2. This involves sending different requests from different ports and evaluating the responses
  6. Establishing communication

    1. With the public IP address and port number, the client device can share this information with other devices on the internet to establish communication
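The exchange above, as an added example that is not part of the original article: a minimal RFC 5389 Binding Request builder and a response parser that checks the magic cookie and transaction ID before trusting the mapped address (so stray or spoofed replies are rejected). It handles both MAPPED-ADDRESS and the XOR-MAPPED-ADDRESS form that RFC 5389 servers normally send; the response bytes are constructed here, not captured from a real server.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442        # RFC 5389 fixed value, second word of every header
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
MAPPED_ADDRESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0020

def build_binding_request(txid: bytes) -> bytes:
    """Binding Request: type, zero body length, magic cookie, 96-bit transaction ID."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid

def parse_binding_response(data: bytes, txid: bytes) -> tuple:
    """Return (public_ip, public_port) from a Binding success response (IPv4 only).
    XOR-MAPPED-ADDRESS is preferred over MAPPED-ADDRESS, as RFC 5389 recommends."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS:
        raise ValueError("not a STUN Binding success response")
    if data[8:20] != txid:   # a reply that does not match our request is discarded
        raise ValueError("transaction id mismatch")
    body, pos, plain = data[20:20 + length], 0, None
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        pos += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4 bytes
        if attr_type not in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) or len(value) != 8 or value[1] != 0x01:
            continue   # only address family 0x01 (IPv4) is handled here
        port, ip_int = struct.unpack("!HI", value[2:8])
        if attr_type == XOR_MAPPED_ADDRESS:   # undo the XOR with the magic cookie
            return socket.inet_ntoa(struct.pack("!I", ip_int ^ MAGIC_COOKIE)), port ^ (MAGIC_COOKIE >> 16)
        plain = (socket.inet_ntoa(struct.pack("!I", ip_int)), port)
    if plain is None:
        raise ValueError("no mapped address attribute in response")
    return plain

# Constructed sample (not captured from a real server): the NAT mapped us to 203.0.113.7:54321.
SAMPLE_TXID = bytes(range(12))

def sample_response() -> bytes:
    ip_int = struct.unpack("!I", socket.inet_aton("203.0.113.7"))[0]
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 1,
                       54321 ^ (MAGIC_COOKIE >> 16), ip_int ^ MAGIC_COOKIE)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + SAMPLE_TXID + attr
```

To query a live server, send `build_binding_request(os.urandom(12))` over a UDP socket to the server's port 3478 and pass the datagram you receive, with the same transaction ID, to `parse_binding_response`.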

STUN vs TURN and ICE Protocol

STUN vs other NAT Traversal Methods

  1. STUN (Session Traversal Utilities for NAT)

    1. Purpose: Enables client devices to discover their public IP address and port number
    2. Use-Case: Good for when the NAT and firewalls allow direct peer-to-peer communication once the public addresses are known.
    3. Limitations: Does not work when the NAT and firewall rules are restrictive.
  2. TURN (Traversal Using Relays around NAT)

    1. Purpose: Provides a fallback mechanism by relaying the data through a TURN server when direct peer-to-peer communication is not possible
    2. Use-Case: Essential when restrictive NAT and firewall rules do not allow direct communication between devices on the internet
    3. Operation: All the traffic is end-to-end encrypted and sent through the TURN server, which relays the data to each client
    4. Trade-Offs: You need TURN servers near the client devices in order to reduce latency and improve communication
  3. ICE (Interactive Connectivity Establishment)

    1. Purpose: ICE is a framework that combines STUN and TURN to establish the best possible connection between clients.
    2. Use-Case: Used in WebRTC and other real-time communication systems in order to handle various network configurations
    3. Operation

      1. Candidate Gathering: Clients first gather candidates, the possible endpoints for a connection: host candidates, server-reflexive candidates via STUN, and relayed candidates via TURN
      2. Connectivity checks: Clients then perform checks to find which candidate pairs can establish a connection
      3. Candidate selection: The ICE framework selects the optimal path, the one with the lowest latency, for establishing the communication
    4. Advantages: Maximizes the chances of establishing a connection while optimizing for the best performance

When to use STUN over other methods

  1. Use STUN alone when

    1. Both clients are behind a NAT and firewall that permit direct communication after discovering the IP address and port number
    2. Both clients have a good internet connection and the network environment is predictable, for example devices are not changing networks as mobile phones do
  2. Use STUN, TURN and ICE when

    1. The devices are behind restrictive NAT and firewall rules
    2. The network environment changes, as in the case of mobile devices
    3. Reliability is important and you cannot have devices disconnecting for one reason or another

Summary of Considerations

  • Performance

    • STUN gives good performance when connecting nearby clients, but it is not reliable either; however, it is a free option
    • TURN gives the best performance but requires servers closer to the client devices to reduce latency. Nowadays you have global TURN server services such as metered.ca that work well
  • Complexity:

    • STUN is fairly easy to implement and use
    • TURN: It is also relatively simple and easy to use
  • Success rate:

    • STUN: It will fail under strict NAT and firewall rules
    • TURN: More reliable, and works with strict NAT and firewall rules

STUN Ports and Traffic Handling

Default ports used by STUN

The commonly used UDP and TCP ports are 3478 and 5349.

The STUN protocol uses specific network ports for communication between clients and the STUN server.

  • UDP ports

    • Port 3478: This is the default port for STUN over UDP. STUN usually operates over UDP because of its low overhead, and port 3478 is the port commonly used
    • Port 5349: This is usually the port for STUN over DTLS, which provides encryption for the UDP communication
  • TCP ports

    • Port 3478: STUN can operate on the same port, 3478, over TCP when UDP is not suitable or is blocked
    • Port 5349: This is used for STUN over TLS (Transport Layer Security), which runs over a TCP connection
  • Alternative ports

    • Although these are the default ports for STUN servers, any other port can also be configured for use by STUN and TURN servers.
    • For security reasons, it is often advised to run the STUN server on a different port.

Security Considerations with Port Usage

  1. Exposure to port scanning

    1. Attackers often scan the internet for the default STUN server ports; keeping the STUN server on the default port may make it more exposed to such reconnaissance activity
  2. Firewall configuration

    1. Inbound traffic

      1. By default, many firewalls block unsolicited inbound traffic on the STUN ports to prevent unauthorized access
      2. The firewall only allows inbound traffic if it is a response to a legitimate request initiated by a device inside the network
    2. Outbound traffic:

      1. Allow outbound traffic only to trusted STUN and TURN servers and only on the required ports.
  3. Using encryption

    1. STUN over TLS/DTLS (port 5349): While TURN server traffic is encrypted end to end, STUN server traffic is not, but you can enable encryption for STUN as well.
  4. Regular updates and patches: When you run your own STUN/TURN server, you need to update and patch it regularly for security.

  5. Logging and monitoring: If you run your own STUN/TURN servers, always log and monitor them for security weaknesses


Cloud-based STUN Servers vs Self-hosted Solutions

Cloud-based TURN servers

  • Metered TURN/STUN servers: Offers global, scalable, managed STUN and TURN services, with TURN management through an API

  • Google public STUN servers: Google offers a list of free STUN servers; you can get the list of Google STUN servers

  • Open Relay TURN / STUN servers: Free TURN servers for the public

Self-hosted solutions

  • Coturn STUN / TURN server: You can run your own TURN server with the open-source coturn project. Here is a guide on it: How to set up and configure a TURN server using coTURN?

  • AWS TURN server: You can also run coturn on AWS. Here is a guide on it: AWS TURN Server: In 7 Simple Steps

  • Azure TURN server: You can also run a TURN server on Azure. Here is a guide on it: Azure TURN Server: Step-by-Step Guide.

  • TURN server costs: Here is a guide on the potential costs and considerations when running your own TURN server: TURN Server Costs: A Complete Guide



Metered TURN servers

  1. API: TURN server management with a powerful API. You can do things like add/remove credentials via the API, get per-user / per-credential and user metrics via the API, enable/disable credentials via the API, and retrieve usage data by date via the API.

  2. Global geo-location targeting: Automatically routes traffic to the nearest server for the lowest possible latency and highest-quality performance. Less than 50 ms latency anywhere in the world

  3. Servers in all regions of the world: Toronto, Miami, San Francisco, Amsterdam, London, Frankfurt, Bangalore, Singapore, Sydney, Seoul, Dallas, New York

  4. Low latency: less than 50 ms latency anywhere in the world.

  5. Cost effective: pay-as-you-go pricing with bandwidth and volume discounts available.

  6. Easy administration: Get usage logs, emails when an account reaches a threshold limit, billing records, and email and phone support.

  7. Standards compliant: Complies with RFCs 5389, 5769, 5780, 5766, 6062, 6156, 5245, 5768, 6336, 59244, TLS and DTLS.

  8. Multi-tenancy: Create multiple credentials and separate usage by customer or app. Get usage logs, billing records and threshold alerts.

  9. Enterprise reliability: 99.999% uptime with SLA.

  10. Enterprise scale: No limits on concurrent traffic or total traffic. Metered TURN servers provide enterprise scalability

  11. 5 GB/month free: Get 5 GB of free TURN server usage per month with the Free Plan

  12. Runs on ports 80 and 443

  13. TURN over SSL support, to allow connections through deep packet inspection firewalls.

  14. Supports both TCP and UDP

  15. Unlimited free STUN
