STUN, TURN, and ICE
The IETF has standardized three protocols to assist in NAT traversal.
They are Simple Traversal of UDP through NAT (STUN), Traversal Using
Relay NAT (TURN), and Interactive Connectivity Establishment (ICE).
STUN [6] is a simple protocol that allows a UA to discover if it is behind a
NAT, and, if so, what type of NAT and what its public IP address is. STUN
packets are sent by the UA to a STUN Server, which is located in the public
Internet. The STUN responses tell the STUN client the public IP address and
port that the STUN server received the STUN requests from. If the sent and
received addresses and ports are the same, there is no NAT. If they are different,
there is a NAT between them. In cases where a UA behind a NAT is trying
to talk to a gateway or UA that has a public IP address, STUN allows a UA to
“fix” all the parts of a SIP and SDP message with the correct public IP address.
In this way, the UA manages its own NAT traversal. However, this does not
work if both ends of the SIP and media session are behind NATs. For this,
TURN may be required.
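
The NAT check described above, as an added example that is not from the original text: it parses a STUN Binding Response and compares the address the server saw with the local one. It assumes IPv4 and the MAPPED-ADDRESS / XOR-MAPPED-ADDRESS wire formats of RFC 3489 and RFC 5389; the transaction ID check and the sample bytes are constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442        # RFC 5389 magic cookie
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001          # RFC 3489 attribute
XOR_MAPPED_ADDRESS = 0x0020      # RFC 5389 attribute

def parse_mapped_address(msg: bytes, txid: bytes):
    """Return (ip, port) as seen by the STUN server, from a Binding Response."""
    if len(msg) < 20:
        raise ValueError("shorter than the 20-byte STUN header")
    msg_type, length = struct.unpack("!HH", msg[:4])
    if msg_type != BINDING_RESPONSE or len(msg) != 20 + length:
        raise ValueError("not a well-formed Binding Response")
    if msg[4:20] != txid:
        # Reject answers that do not match the request we sent (spoofed or stale).
        raise ValueError("transaction ID mismatch")
    pos, found = 20, None
    while pos + 4 <= len(msg):
        attr_type, attr_len = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("attribute runs past end of message")
        if attr_type in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS):
            if attr_len != 8 or value[1] != 0x01:
                raise ValueError("only IPv4 addresses handled here")
            port, addr = struct.unpack("!HI", value[2:8])
            if attr_type == XOR_MAPPED_ADDRESS:   # undo the RFC 5389 XOR
                port, addr = port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE
            found = (socket.inet_ntoa(struct.pack("!I", addr)), port)
        pos += 4 + attr_len + (-attr_len % 4)     # attributes are 32-bit aligned
    if found is None:
        raise ValueError("no mapped address attribute")
    return found

def behind_nat(local, mapped):
    """Differing sent and received address/port means a NAT is in the path."""
    return local != mapped

# Constructed sample: a response reporting 203.0.113.7:40000 for an all-zero
# transaction ID (a real client would use a random one per request).
TXID = bytes(16)
SAMPLE = (struct.pack("!HH", BINDING_RESPONSE, 12) + TXID
          + struct.pack("!HHBBH", MAPPED_ADDRESS, 8, 0, 1, 40000)
          + socket.inet_aton("203.0.113.7"))
```
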
TURN [7] is a protocol that allows a client to obtain transport addresses
from a TURN server on the public Internet. Since the TURN server is located
in the public Internet, TURN addresses will always be routable. However,
TURN addresses used for signaling or media are not optimal IP routes—the
packets will traverse a triangular path. Even so, for some symmetric NAT
and strict firewall traversal situations, TURN is the only way for a session to be
established.
ICE [8] is a methodology for using STUN and TURN in a P2P manner that
guarantees that the most efficient routing through NATs will occur. Using ICE,
during the offer/answer session establishment, each UA signals all possible
address candidates that it knows. For example, a UA may have three possible
addresses:
■ Private IP address, local to the LAN
■ Public IP address discovered through STUN
■ Media-relay address obtained using TURN
If a UA is multi-homed, has multiple Internet connections, or has a dual-stack
IPv4/v6, these additional address candidates would be listed as well.
The list is ordered by preference—direct addresses would be listed first, while
relay addresses would be listed last.
After this exchange, the two UAs begin sending STUN packets to the candidate
addresses received from the other UA. The STUN packets are sent using
the same IP address and port numbers as the intended media stream. As a