NAT traversal: STUN, TURN, ICE, what do they actually do?

When searching for nat traversal I found all these protocols but no one can tell me what do they essentially do to traverse nat, surely not by magic, but what? Turns out it’s conceptually very simple.

What nat traversal does is not really “punching holes” on the nat, or delivering message through some tunnel, or some arcane magic, but to simply find the public address:port that can can reach me.

If I’m behind a nat or even multiple nat’s, what happens is that my packets get relayed by my nat’s and they appears on the public Internet at the out-most nat’s address with a port assigned to me. And reply packets going to that address:port are relayed back to me. So essentially I got a public address:port that can reach me on the public Internet. The purpose of nat traversal is to find that public address:port. That’s basically what the initial/classic stun (rfc 3489) does.

The truly host-to-host traversal is just that, finding the public address:port. Sometimes having that address:port is not enough, because nat poses extra restrictions1. Then we have to resort to having a public-visible relay server in the middle, which is what turn (rfc 5766) does. But any host-to-host traversal is just finding public address:port. There is no extra magic there.

How does the classic stun works is quite simple. You send a stun server a message, the stun server looks at the source IP address and port of the IP packet, and reply that back to you. Voilà, you know you public address:port!

That leaves us with ice, what does it do? Basically, people realize that there are so many network environments that are wildly different, so there is no one single method that guarantees to work everywhere. It is best to try a bunch of ways and pick the one that works and works best.

ice does basically that. It gathers a bunch of address:port’s that possibly works (through stun messages with stun servers) and tries them one-by-one according to some algorithm, and reports to you the best one. If none works, it tries to establish a relay through turn.

And here is where the new stun comes in. People threw away the algorithm for finding address:port in classic stun, and kept and extended the stun message format. Now ice runs a more thorough algorithm that uses stun messages to communicate with stun servers. And the new stun (rfc 5389) just defines the stun message format. There is a even newer version (rfc 8489) that updated rfc 5389 slightly, but with no fundamental changes.

Similarly, turn is updated in rfc 8656 and now is a method used by ice rather than a standalone solution.

Some nat wouldn’t let a packet from an external host through if the host inside never sent a packet to that external host before. There are many ways a nat could make your life difficult, check out “full cone”, “restricted cone”, “symmetric nat”, etc.