STUN details


STUN is a NAT traversal method specified in RFC 3489. It uses an auxiliary method to detect the external IP and port of the NAT. The STUN detection process requires a STUN server with a public IP. The UAC behind the NAT must cooperate with this server by exchanging several UDP packets with it. The UDP packets contain the information the UAC needs to know, such as the NAT's external IP and port. The UAC determines its NAT type from whether it receives each UDP packet and from the data in the packet.

NAT detection process

Assume there are a UAC (B), a NAT (A) and a server (C). The IP of the UAC is IPB, the IP of the NAT is IPA, and the server has two IPs, ipc1 and ipc2.


Step 1: B sends a UDP packet to port1 of ipc1 on C. After receiving the packet, C writes the source IP and port of the received packet into a UDP packet and sends it back to B from ipc1 and port1. This IP and port are the external IP and port of the NAT; that is, step 1 gives you the external IP of the NAT.

If you do not receive any response from the STUN server after sending packets to it, there are only two possibilities: 1. the STUN server does not exist or the port is wrong; 2. the NAT device rejects all UDP packets from the outside to the inside (cone NAT is not supported).

After receiving this UDP packet, B compares the IP in it with its own IP. If they are the same, B is on the public network, and the next step is to detect the firewall type. If they differ, a NAT exists and the process moves on to step 2.


Step 2: B sends a UDP packet to ipc1 of C and asks C to return a UDP packet to B from another IP, ipc2, and another port (different from the ipc1 and port used in step 1). The server has two IPs so that the type of cone NAT can be detected.

If B receives this packet, the NAT neither rejects nor filters the packet, which is a full cone NAT in the STUN standard. Unfortunately, there are very few full cone NATs, so B is unlikely to receive this packet. If it does not, the process moves on to step 3.


Step 3: B sends a packet to port2 of ipc2 on C. After receiving the packet, C writes the source IP and port of the received packet into a UDP packet and sends it back to B from its own ipc2 and port2.

As in step 1, B is sure to receive this response UDP packet. The port in this packet is the data we care about most. If the port is the same as the port in step 1, you can be sure that the NAT is a cone NAT; otherwise it is a symmetric NAT. The reason is simple: under the rules of symmetric NAT, when the destination IP and port change, the NAT assigns a new port. In step 3, compared with step 1, we changed the destination IP and port. Therefore, if it is a symmetric NAT, the two ports must be different.

If the ports are different at this point, your STUN is dead. If they are the same, only restricted cone and port restricted cone are left. Step 4 detects which one it is.


Step 4: B sends a request packet to a port PD of ipc2 on C and asks C to return a packet to B from ipc2 but from a port different from PD.

If B receives it, it means that as long as the IP is the same, the NAT lets UDP packets through even if the ports are different. Obviously, this is a restricted cone NAT. If B does not receive it, there is nothing else to say: it is a port restricted cone NAT.
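
The four steps above, run against a toy in-memory NAT model instead of a real STUN server. This is an added example, not code from the original article: the class and function names and the addresses are assumptions made for illustration, and port2 plays the role of PD in step 4.

```python
# Added example: offline simulation; SimNat, probe and classify are hypothetical names.
IPB, IPA = "192.0.2.10", "203.0.113.5"  # constructed addresses: UAC B, NAT A (external)
C1, C2 = ("198.51.100.1", 3478), ("198.51.100.2", 3479)  # constructed ipc1:port1, ipc2:port2

class SimNat:
    """Toy model of NAT A: allocates external ports and filters inbound UDP."""
    def __init__(self, kind):
        self.kind, self.maps, self.sent = kind, {}, set()

    def outbound(self, dst):
        """B sends to dst; return the source (IP, port) that server C sees."""
        self.sent.add(dst)
        if self.kind == "none":  # no NAT: B is directly on the public network
            return (IPB, 5000)
        key = dst if self.kind == "symmetric" else "any"  # symmetric: port per destination
        self.maps.setdefault(key, 40000 + len(self.maps))
        return (IPA, self.maps[key])

    def inbound_ok(self, src):
        """Would a UDP packet sent from src be delivered to B?"""
        if self.kind in ("none", "full cone"):
            return True
        if self.kind == "restricted cone":  # filters on source IP only
            return any(ip == src[0] for ip, _ in self.sent)
        return self.kind != "blocked" and src in self.sent  # IP and port must match

def probe(nat, dst, reply_from):
    """One request to dst; C answers from reply_from with the source it saw, or is dropped."""
    seen = nat.outbound(dst)
    return seen if nat.inbound_ok(reply_from) else None

def classify(nat):
    first = probe(nat, C1, C1)  # step 1: echo from ipc1:port1
    if first is None:
        return "no response"
    if first[0] == IPB:
        return "public network"
    if probe(nat, C1, C2):  # step 2: answer from ipc2 and another port
        return "full cone"
    third = probe(nat, C2, C2)  # step 3: echo from ipc2:port2
    if third[1] != first[1]:
        return "symmetric"
    other_port = (C2[0], C2[1] + 1)  # step 4: same IP ipc2, port different from PD
    return "restricted cone" if probe(nat, C2, other_port) else "port restricted cone"

if __name__ == "__main__":
    for kind in ("blocked", "none", "full cone", "restricted cone",
                 "port restricted cone", "symmetric"):
        print(f"{kind:>20} NAT model -> {classify(SimNat(kind))}")
```

The symmetric model is the only one whose external port changes between step 1 and step 3, which is exactly the comparison the text relies on.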
