3. Overview of Operation

This section is descriptive only.

STUN is a client-server protocol. A client sends requests to servers, and servers send responses back. There are two types of transactions: request/response transactions and indication transactions.

All STUN messages consist of a 20-byte header followed by zero or more attributes. The header contains a STUN message type, a magic cookie, a transaction ID, and the message length.

STUN attributes are encoded in Type-Length-Value (TLV) format, where the length does not include any padding.

STUN defines a single request/response pair. The Binding request is sent by a client to a server. When the Binding request arrives at the server, it may have passed through one or more NATs. As a result, the source transport address (source IP address and source port) of the request received by the server will be the public IP address and port allocated by the NAT. The server copies this source transport address into a STUN attribute in the Binding response and sends the response back to the client. The client examines the STUN attribute in the Binding response and learns its reflexive transport address from it.
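The following added example (not part of the original text) parses a Binding response as described above: it validates the 20-byte header, walks the TLV attributes with bounds checks and padding, and recovers the reflexive transport address. The magic cookie value, the message and attribute type codes, and the XOR-MAPPED-ADDRESS encoding are taken from RFC 5389 rather than from this page; the sample message is constructed and assumes one STUN message per UDP datagram.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442    # fixed header value (RFC 5389)
XOR_MAPPED_ADDRESS = 0x0020  # attribute carrying the reflexive address (RFC 5389)
SOFTWARE = 0x8022            # used here only to exercise padding (RFC 5389)

def parse_stun(msg: bytes):
    """Return (msg_type, transaction_id, [(attr_type, value), ...]); raise ValueError if malformed."""
    if len(msg) < 20:
        raise ValueError("shorter than the 20-byte header")
    msg_type, length, cookie = struct.unpack_from("!HHI", msg, 0)
    if msg_type & 0xC000:
        raise ValueError("top two bits of the message type must be zero")
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    # The length field counts attribute bytes only and is always a multiple of 4.
    if length % 4 or 20 + length != len(msg):
        raise ValueError("length field disagrees with datagram size")
    attrs, off = [], 20
    while off < len(msg):
        a_type, a_len = struct.unpack_from("!HH", msg, off)
        off += 4
        if off + a_len > len(msg):
            raise ValueError("attribute value runs past end of message")
        attrs.append((a_type, msg[off:off + a_len]))
        off += (a_len + 3) & ~3  # a_len excludes padding; values are padded to 4 bytes
    return msg_type, msg[8:20], attrs

def reflexive_address(msg: bytes):
    """Decode an IPv4 XOR-MAPPED-ADDRESS into (ip, port), or return None if absent."""
    _, _, attrs = parse_stun(msg)
    for a_type, value in attrs:
        if a_type == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack_from("!HI", value, 2)
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
    return None

def build_sample() -> bytes:
    """Constructed Binding success response reporting 192.0.2.1:32853."""
    software = struct.pack("!HH", SOFTWARE, 5) + b"demo!" + b"\x00" * 3
    xma = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, 0xA147, 0xE112A643)
    body = software + xma
    return struct.pack("!HHI", 0x0101, len(body), MAGIC_COOKIE) + bytes(range(12)) + body
```

Rejecting a message whose length field or attribute lengths disagree with the received datagram keeps a malformed or hostile response from driving reads past the buffer.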

STUN provides two basic authentication and message-integrity mechanisms. The first provides message integrity based on a shared secret. The second provides message integrity and authentication based on username and password. Both mechanisms use HMAC-SHA1.

STUN also defines a FINGERPRINT attribute that can be used to distinguish STUN messages from other protocols multiplexed on the same transport address.