The Internet Protocol Journal - Volume 7, Number 4

Letter to the Editor

Ole,

I was reading your latest issue of IPJ (Volume 7, No. 3, September 2004) and I could be wrong but I think you mis-typed an explanation about the STUN protocol. On page 12, 3rd paragraph, last sentence, it reads: "A received response indicates the presence of a port-restricted cone, and the lack of a response indicates the presence of a restricted cone."

According to the definitions you gave about "restricted cone" and "port-restricted cone" on pages 10 and 11, shouldn't this sentence instead read: "A received response indicates the presence of a restricted cone, and the lack of a response indicates the presence of a port-restricted cone."?

—Ryan Liles
ryanliles@hotmail.com

The author responds:

Ryan is correct; there is an error here in the text.

The flow control of the sequence of STUN tests is detailed in Figure 9 of the article. The test referred to here is to determine if the NAT is a restricted cone NAT, or a port-restricted cone NAT.

The restricted cone NAT, in Figure 7, is one where the NAT binding is accessible using any source port number on the external host when responding to a UDP packet from the internal sending host.

The port-restricted cone NAT, in Figure 8, is one where the NAT binding is accessible using the same port number as originally used by the internal host, and this binding is accessible from any external IP address.

The test referenced in this section, as per Figure 9, is one where the local host requests the external agent to respond using the same port number, but an altered source address. The text should read "This fourth request includes a control flag to direct the STUN server to respond using the alternate IP address, but with the same port value," in which case the interpretation of the response—that a response indicates the presence of a port-restricted cone NAT and the lack of response indicates the presence of a restricted cone NAT—would be correct.

Ryan is also correct in that if the test is performed the other way, requesting the agent to use the same IP address, but with the alternate port value, then the opposite interpretation would hold, namely that a response indicates the presence of a restricted cone NAT, and the lack of a response would indicate the presence of a port-restricted cone NAT, as Ryan points out.

Thanks to Ryan for following through this rather complex explanation of the STUN algorithm and spotting this error.

Regards,

—Geoff Huston, APNIC
gih@apnic.net
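An added example, not part of the letter or the original article: a small simulation of the probe described in the reply's last paragraph, where the STUN server is asked to answer from the same IP address but an alternate port. The NAT filtering rules follow RFC 3489 (a restricted cone NAT admits inbound packets from any address the internal host has sent to, regardless of source port; a port-restricted cone NAT also requires the source port to match), and the server address and ports are constructed sample values.

```python
# Added example: simulate the "same address, alternate port" STUN probe against
# restricted and port-restricted cone NAT filtering (RFC 3489 definitions).
# SERVER_IP / SERVER_PORT / ALT_PORT are constructed sample values.
from dataclasses import dataclass, field

SERVER_IP, SERVER_PORT, ALT_PORT = "203.0.113.10", 3478, 3479


@dataclass
class ConeNat:
    """Inbound filter of a cone NAT: 'restricted' or 'port_restricted'."""
    filtering: str
    contacted: set = field(default_factory=set)  # (dst_ip, dst_port) seen outbound

    def outbound(self, dst_ip, dst_port):
        # The internal host's outbound packet records the peer it talked to.
        self.contacted.add((dst_ip, dst_port))

    def admits(self, src_ip, src_port):
        # Restricted cone: the source IP must have been contacted, any port.
        if self.filtering == "restricted":
            return any(ip == src_ip for ip, _ in self.contacted)
        # Port-restricted cone: both source IP and source port must match.
        if self.filtering == "port_restricted":
            return (src_ip, src_port) in self.contacted
        raise ValueError(f"unknown filtering type: {self.filtering}")


def stun_probe(nat, change_port=False):
    """Internal host sends a STUN request; the server replies from the requested
    source. Returns True if the reply gets through the NAT filter."""
    nat.outbound(SERVER_IP, SERVER_PORT)
    reply_port = ALT_PORT if change_port else SERVER_PORT
    return nat.admits(SERVER_IP, reply_port)


def classify(nat):
    """Interpretation from the reply's last paragraph: with the same address and
    an alternate port, a response means restricted cone, no response means
    port-restricted cone."""
    if not stun_probe(nat):  # an unchanged source must always get through
        return "unexpected"
    return "restricted cone" if stun_probe(nat, change_port=True) else "port-restricted cone"


if __name__ == "__main__":
    for kind in ("restricted", "port_restricted"):
        print(kind, "->", classify(ConeNat(kind)))
```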