STUN协议解释[通俗易懂]

大家好，又见面了，我是你们的朋友全栈君。

最近工作中要用到stun，故学习了一下stun协议的知识。中文的文档没找到讲的比较好的，所以只能自己翻译了，官方文档太长就找了个谷歌排名第一的文章翻译一下。机翻+人翻，原文地址如下，在学习过程中还发现了原文作者的一个错误。。。应该是他错了。

https://www.3cx.com/blog/voip-howto/stun-details/

https://www.ietf.org/rfc/rfc3489.txt

The STUN Protocol

STUN is a client-server protocol. A STUN client (typically embedded in VoIP software, such as an IP PBX or IP Phone) sends a request to a STUN server to discover its public IP and port(s), and the STUN server returns a response. There are two types of requests; Binding Requests which are typically sent over UDP, and Shared Secret Requests, which are sent over TLS (secure communication) over TCP. Shared Secret Requests ask the server to return a temporary set of credentials which are then used in a Binding Request and Binding Response exchange, for the purposes of authentication and message integrity.

Binding requests sent from the STUN client to the STUN server are used to determine the IP and port(s) bindings allocated by NAT’s. The STUN client sends a Binding Request to the STUN server, over UDP; the server examines the source IP address and port of the binding request, and copies them into a binding response that is sent back to the client. There are also Attributes (explained in more detail later in this article) in the request that allow the client to ask that the response be sent elsewhere; to a different IP address and port(s).

stun是个客户端对服务端的协议。一个stun客户端（基本都是嵌入在啊voip软件内的，例如ip话机或者ip pbx）会发送一个请求给stun服务器用来发现客户端的公网ip以及端口，并且stun服务器会返回一个响应。

通过UDP发送的请求叫做binging requests；通过tcp或tls发送的请求叫做shared secret requests。（该请求要求服务器返回一个临时的凭证集，然后在绑定请求和绑定响应交换中使用，以便身份验证和消息完整性。）

从客户端发给服务器的binding requests用于确定由NAT分配的IP和端口绑定。服务器会验证binding requests发送来源ip和端口，并且会复制该ip和端口进binding response返给client

在请求中也有一些属性（在本文后面的详细解释）中，允许客户机请求将响应发送到其他地方;到一个不同的IP地址和端口（s）。

STUN Messages

STUN messages are TLV (type-length-value) encoded using big endian (network ordered) binary. All STUN messages start with a STUN header, followed by a STUN payload. The payload is a series of STUN attributes (explained in more detail later in this article), the set of which depends on the message type. The STUN header contains:

stun消息由stun头和一段stun有效负载（stun payload）组成，stun payload是一系列的STUN属性。

stun头通常是下面的某个：

• 0x0001 : Binding Request
• 0x0101 : Binding Response
• 0x0111 : Binding Error Response
• 0x0002 : Shared Secret Request
• 0x0102 : Shared Secret Response
• 0x0112 : Shared Secret Error Response

• Message length – Indicates the total length of the STUN payload in bytes but does not include the 20 bytes header.
• 消息长度：表示stun payload的总长度，以字节为单位，不包括20字节的头
• Transaction id –Is used to correlate requests and responses.
• 事务id：用于关联请求和响应。
•  

STUN Protocol Attributes present in STUN requests and responses

present in 存在于

stun协议属性存在于requests和responses

Both STUN server requests and responses contain message attributes. As we will see below, some of the attributes are not mandatory, some can be found in both binding requests and binding responses, some of them can be present only in binding requests only and some other can be present in binding responses only. Below is a list of STUN attributes and a short explanation of each:

stun服务器的requests和responses都包含消息属性，我们将在下面看到，一些属性不是墙纸的，一些能够在binding requests和binding responses中一起被找到。一些只存在与binding requests，bingding responses同理。下面是一个stun属性的列表并附带一个简要说明

• 0x0001: MAPPED-ADDRESS – This attribute contains an IP address and port. It is always placed in the Binding Response, and it indicates the source IP address and port the server saw in the Binding Request sent from the client, i.e.; the STUN client’s public IP address and port where it can be reached from the internet.
• 这个属性包含一个ip地址和端口。总是存在与binding responses。 他表明服务器接收到从客户端发来的binding request中发现源ip和端口
• 0x0002: RESPONSE-ADDRESS – This attribute contains an IP address and port and is an optional attribute, typically in the Binding Request (sent from the STUN client to the STUN server). It indicates where the Binding Response (sent from the STUN server to the STUN client) is to be sent. If this attribute is not present in the Binding Request, the Binding Response is sent to the source IP address and port of the Binding Request which is attribute 0x0001: MAPPED-ADDRESS.
• 该属性包含一个IP地址和端口，是一个可选属性，通常在bingding request中(从STUN客户机发送到STUN服务器)。它指示要发送的binding responses往哪发(从STUN服务器发送到STUN客户机)。如果该属性在绑定请求中不存在，则绑定响应被发送到绑定请求的源IP地址和端口，这是属性0x0001: MAPPED-ADDRESS。
• 0x0003: CHANGE-REQUEST – This attribute, which is only allowed in the Binding Request and optional, contains two flags; to control the IP address and port used to send the response. These flags are called “change IP” and “change Port” flags. The “change IP” and “change Port” flags are useful for determining whether the client is behind a restricted cone NAT or restricted port cone NAT. They instruct the server to send the Binding Responses from a different source IP address and port.
• 此属性仅允许在bingding request中允许且是可选的，包含两个标记;用于控制发送响应的IP地址和端口。这些标志被称为“更改IP”和“更改端口”标志。“更改IP”和“更改端口”标志用于确定客户端是否位于受限的锥体NAT或受限的端口锥体NAT后面，它们指示服务器从不同的源IP地址和端口发送绑定响应。
• 0x0004: SOURCE-ADDRESS – This attribute is usually present in Binding Responses; it indicates the source IP address and port where the response was sent from, i.e. the IP address of the machine the client is running on (typically an internal private IP address). It is very useful as from this attribute the STUN server can detect twice NAT configurations.
• 这个属性通常出现在binding responses 中;它表明响应是从哪里被发出的的源IP地址和端口（这段和上下文连不起来，我认为应该是服务器端机器的地址），即客户端运行的机器的IP地址(通常是一个内部私有IP地址)。它非常有用，因为从这个属性中，STUN服务器可以检测到两次NAT配置。
• ——————————-好吧，我特地去翻了ietf官方文档，解释如下———————
• The fifth attribute is the SOURCE-ADDRESS attribute. It is only present in Binding Responses. It indicates the source IP address and port where the response was sent from. It is useful for detecting twice NAT configurations.
• The SOURCE-ADDRESS attribute is present in Binding Responses. It indicates the source IP address and port that the server is sending the response from. Its syntax is identical to that of MAPPED- ADDRESS.

那就是服务器的ip地址和端口号了

————————————————————————————————–

• 0x0005: CHANGED-ADDRESS – This attribute is usually present in Binding Responses; it informs the client of the source IP address and port that would be used if the client requested the “change IP” and “change port” behaviour.
• 这个属性通常出现在绑定响应中;它通知客户端IP地址和端口，如果客户机请求“更改IP”和“更改端口”行为则将使用该ip地址和端口。
• 0x0006: USERNAME – This attribute is optional and is present in a Shared Secret Response with the PASSWORD attribute. It serves as a means to identify the shared secret used in the message integrity check.
• 这个属性是可选的，并且出现在一个带有password属性的shared secret responses中。它作为一种方法识别shared secret的消息完整性。
• 0x0007: PASSWORD – This attribute is optional and only present in Shared Secret Response along with the USERNAME attribute. The value of the PASSWORD attribute is of variable length and used as a shared secret between the STUN server and the STUN client.
• 同上
• 0x0008: MESSAGE-INTEGRITY – This attribute must be the last attribute in a STUN message and can be present in both Binding Request and Binding Response. It contains HMAC-SHA1 of the STUN message.
• 此属性必须是STUN消息中的最后一个属性，并且可以在绑定请求和绑定响应中出现。它包含STUN消息的hmc – sha1。
• 0x0009: ERROR-CODE – This attribute is present in the Binding Error Response and Shared Secret Error Response only. It indicates that an error has occurred and indicates also the type of error which has occurred. It contains a numerical value in the range of 100 to 699; which is the error code and also a textual reason phrase encoded in UTF-8 describing the error code, which is meant for the client.
• 此属性仅存在于绑定错误响应中，且仅存在于Shared Secret Error Response。它表示发生了一个错误，并指出了发生的错误类型。它的数值范围在100到699之间;这是错误代码，也是UTF-8编码的文本原因短语，描述错误代码，这是为客户端编写的。
• 0x000a: UNKNOWN-ATTRIBUTES – This attribute is present in the Binding Error Response or Shared Secret Error response when the error code is 420; some attributes sent from the client in the Request are unknown and the server does not understand them.
• 当错误代码为420时，该属性存在于绑定错误响应或 Shared Secret Error response中;在请求中从客户端发送的一些属性是未知的，服务器不理解它们。
• 0x000b: REFLECTED-FROM – This attribute is present only in Binding Response and its use is to provide traceability so the STUN server cannot be used as part of a denial of service attack. It contains the IP address of the source from where the request came from, i.e. the IP address of the STUN client.
• 此属性仅存在于绑定响应中，其使用是提供可跟踪性，因此STUN服务器不能用作拒绝服务攻击的一部分。它包含来自请求来自何处的源的IP地址，即STUN客户机的IP地址。

Common STUN Server error codes

普通的stun服务器错误代码

Like many other protocols, the STUN protocol has a list of error codes. STUN protocol error codes are similar to those of HTTP or SIP. Below is a list of most common error codes encountered when using the STUN protocol. For a complete list of STUN protocol error codes refer to the STUN RFC 3489.

与许多其他协议一样，STUN协议有一个错误代码列表。STUN协议错误代码类似于HTTP或SIP。下面是使用STUN协议时遇到的最常见错误代码的列表。对于STUN协议错误代码的完整列表，请参考STUN RFC 3489。

• Error Code 400 – Bad request; the request was malformed. Client must modify request and try sending it again.
• 坏的请求;请求是畸形的。客户端必须修改请求并再次发送。
• Error Code 420 – Unknown attribute; the server did not understand an attribute in the request.
• 未知的属性;服务器不理解请求中的属性。
• Error Code 430 – Stale credentials; the shared secret sent in the request is expired; the client should obtain a new shared secret.
• 陈旧的凭证;在请求中发送的共享密钥已过期;客户端应该获得一个新的共享密钥。
• Error Code 432 – Missing username; the username attribute is not present in the request.
• 丢失的用户名;请求中不存在用户名属性。
• Error Code 500 – Server error; temporary error and the client should try to send the request again.
• 服务器错误;临时错误和客户端应该尝试再次发送请求。