STUN is a protocol designed to discover the presence of NAT and, with the help of an Internet STUN Server, obtain the global Internet IP Address and Port Number of the UDP connection. Some applications, such as SIP, use the local IP Address of the client device (an IP Phone, for example) when forming the various connection messages and write this address in the Contact field. The problem is that the remote host or server will use this address when replying, but because it is a Private IP Address the reply will not be routed back to the sender's domain. The IP Phone needs to write the Internet address that was allocated after NAT has taken place, but the local SIP device does not have this information. A STUN client on the originating device is informed of the outgoing IP Address and Port Number, so the device can write the correct information in its outgoing SIP messages.
So STUN is a client/server protocol that requires help from an Internet STUN Server in order to resolve addresses and port numbers following the NAT process. The STUN client device is configured with the domain names or IP Addresses of one or more STUN Servers, which operate on port number 3478 for normal UDP or TCP connections, or on port number 5349 if TLS (Transport Layer Security) is being implemented.
STUN does have a built-in feature to authenticate clients and check the integrity of STUN messages via a number of message types. When the process is successful, the client device will have discovered its external global address, which can be used in place of the private internal address. There are different forms of NAT, and some of the more restrictive forms require that both sides of a connection establish their port bindings with NAT within strict time frames.
There are 2 types of STUN messages: those sent by the client on the private network, known as binding requests, and the replies from the server, known as binding responses. Normal binding requests are sent using UDP, and binding requests where Transport Layer Security is involved are sent using the reliable TCP transport.
The binding requests sent from the client device are used by the servers to determine the IP Address and Port Number to be used for the binding. When the STUN server receives a binding request, it copies the IP Address and Port Number it sees on that request back to the client in the binding response.