19. Changes since RFC 3489
This specification obsoletes RFC 3489 [RFC3489]. This specification differs from RFC 3489 in the following ways:
- Removed the concept that STUN was a complete NAT traversal solution. STUN is now a tool that is utilized as part of a complete NAT traversal solution. Consequently, the name of the protocol has been changed to Session Traversal Utilities for NAT.
- Introduced the concept of a STUN usage and described what a STUN usage must document.
- Removed the usage of STUN for NAT type detection and binding lifetime discovery. These techniques proved too brittle given the wide range of NAT variation seen in deployment since the publication of RFC 3489. The RESPONSE-ADDRESS, CHANGED-ADDRESS, CHANGE-REQUEST, SOURCE-ADDRESS, and REFLECTED-FROM attributes have been removed.
- Added a fixed 32-bit magic cookie and reduced the length of the transaction ID by 32 bits. The magic cookie starts at the same offset as the original transaction ID.
- Added the XOR-MAPPED-ADDRESS attribute, which is included in Binding responses if the magic cookie is present in the request. Otherwise, RFC 3489 behavior is preserved (i.e., the Binding response includes MAPPED-ADDRESS). See XOR-MAPPED-ADDRESS for a discussion of this change.
- Introduced formal structure into the message type header field, explicitly using a pair of bits to indicate request, response, error response, or indication. As a result, the message type field is divided into class (one of the first four) and method.
- Explicitly stated that the most significant 2 bits of STUN are 0b00, allowing easy differentiation of RTP packets when used with ICE.
- Added the FINGERPRINT attribute to provide an explicit way to differentiate STUN from another protocol when the two are multiplexed together.
- Added support for IPv6. Explicitly stated that IPv4 clients can obtain v6 mapped addresses and vice versa.
- Added long-term credential-based authentication.
- Added the SOFTWARE, REALM, NONCE, and ALTERNATE-SERVER attributes.
- Removed the SharedSecret method and therefore the PASSWORD attribute. This method was never implemented and is not needed by current usages.
- Removed the recommendation to continue listening for STUN responses for 10 seconds to try to identify attacks.
- Changed the transaction timers to be more TCP-friendly.
- Removed the STUN examples around separation of control and media plane. Instead, provided more information on using STUN with protocols.
- Defined a generic padding mechanism, changing the interpretation of the length attribute. In theory, this breaks backwards compatibility. However, the mechanism in RFC 3489 never worked for the small number of attributes that were not naturally aligned to 32-bit boundaries.
- REALM, SERVER, reason phrases, and NONCE are limited to 127 characters. USERNAME is limited to 513 bytes.
- Changed the DNS SRV procedures for TCP and TLS. UDP remains the same as before.
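Several of the wire-format changes listed above (the fixed magic cookie, the class/method split of the message type, the 0b00 top bits, XOR-MAPPED-ADDRESS with the MAPPED-ADDRESS fallback, FINGERPRINT, and the 32-bit attribute padding) are easiest to see in a small encoder and validating decoder. The following Python is an added example written for this section; it is not code from the RFC or from any STUN implementation. The function names, the "example-stun/1" SOFTWARE string, and all addresses, ports and transaction IDs are constructed for illustration; the constants and bit layout follow the RFC 5389 header and attribute definitions.

```python
import struct
import zlib
import ipaddress

MAGIC_COOKIE = 0x2112A442          # occupies the first 32 bits of the old RFC 3489 transaction ID
ATTR_MAPPED_ADDRESS = 0x0001       # RFC 3489 style, sent when the request had no magic cookie
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # RFC 5389 style, value XORed with the cookie / transaction ID
ATTR_SOFTWARE = 0x8022
ATTR_FINGERPRINT = 0x8028
FINGERPRINT_XOR = 0x5354554E       # CRC-32 of the message is XORed with this constant
BINDING_SUCCESS = 0x0101           # class = success response, method = Binding


def split_message_type(msg_type):
    """Split the 14-bit message type into (class, method); the two class bits are 0x0100 and 0x0010."""
    cls = ((msg_type & 0x0100) >> 7) | ((msg_type & 0x0010) >> 4)
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    return cls, method


def build_attr(attr_type, value):
    """TLV whose header carries the pre-padding length while the value is padded to a 32-bit boundary."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * (-len(value) % 4)


def build_binding_response(transaction_id, ip, port, software=b"example-stun/1"):
    """Construct a Binding success response with XOR-MAPPED-ADDRESS, SOFTWARE and a trailing FINGERPRINT."""
    addr = ipaddress.ip_address(ip)
    family = 0x01 if addr.version == 4 else 0x02
    key = struct.pack("!I", MAGIC_COOKIE) + transaction_id     # IPv4 XORs with the first 4 bytes, IPv6 with all 16
    xaddr = bytes(a ^ k for a, k in zip(addr.packed, key))
    xport = port ^ (MAGIC_COOKIE >> 16)
    attrs = build_attr(ATTR_XOR_MAPPED_ADDRESS, struct.pack("!BBH", 0, family, xport) + xaddr)
    attrs += build_attr(ATTR_SOFTWARE, software)               # 14-byte value, so 2 bytes of padding are added
    length = len(attrs) + 8                                    # header length counts the FINGERPRINT attribute
    header = struct.pack("!HHI", BINDING_SUCCESS, length, MAGIC_COOKIE) + transaction_id
    crc = zlib.crc32(header + attrs)                           # CRC covers everything before FINGERPRINT
    attrs += build_attr(ATTR_FINGERPRINT, struct.pack("!I", crc ^ FINGERPRINT_XOR))
    return header + attrs


def parse_binding_response(msg):
    """Validate a STUN message and return its class, method, reflexive address and cookie status."""
    if len(msg) < 20:
        raise ValueError("shorter than a STUN header")
    if msg[0] & 0xC0:
        raise ValueError("top two bits are not 0b00; hand this packet to the multiplexed protocol (e.g. RTP)")
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if length % 4 or len(msg) != 20 + length:
        raise ValueError("message length is not a multiple of 4 or does not match the buffer")
    cls, method = split_message_type(msg_type)
    result = {"class": cls, "method": method, "rfc3489": cookie != MAGIC_COOKIE}
    offset, seen_fingerprint = 20, False
    while offset < len(msg):
        if seen_fingerprint:
            raise ValueError("attribute after FINGERPRINT")
        atype, alen = struct.unpack("!HH", msg[offset:offset + 4])
        padded = (alen + 3) & ~3                               # advance over the padding the header omits
        if offset + 4 + padded > len(msg):
            raise ValueError("attribute overruns the message")
        value = msg[offset + 4:offset + 4 + alen]
        if atype == ATTR_FINGERPRINT:
            if alen != 4 or struct.unpack("!I", value)[0] != (zlib.crc32(msg[:offset]) ^ FINGERPRINT_XOR):
                raise ValueError("FINGERPRINT mismatch: corrupted or not a STUN message")
            seen_fingerprint = True
        elif atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            if alen not in (8, 20):
                raise ValueError("bad address attribute length")
            family, port = struct.unpack("!xBH", value[:4])
            addr = value[4:]
            if atype == ATTR_XOR_MAPPED_ADDRESS:                # undo the XOR with cookie (+ transaction ID for v6)
                port ^= MAGIC_COOKIE >> 16
                addr = bytes(a ^ k for a, k in zip(addr, msg[4:20]))
            result["address"] = (str(ipaddress.ip_address(addr)), port)
        elif atype == ATTR_SOFTWARE:
            result["software"] = value.decode("utf-8")
        offset += 4 + padded
    return result
```

The decoder rejects a packet whose first two bits are not zero before touching anything else, which is the cheap demultiplexing test the 0b00 rule enables; the FINGERPRINT check then catches a non-STUN packet that happened to pass it, and also any corruption of the bytes before the attribute. Note that FINGERPRINT is an integrity aid for demultiplexing, not authentication: an on-path party can recompute it, so MESSAGE-INTEGRITY with a credential is still what binds a message to a peer.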