NAT traversal: STUN, TURN, ICE, what do they actually do?
When searching for nat traversal I found all these protocols but no one can tell me what do they essentially do to traverse nat, surely not by magic, but what? Turns out it’s conceptually very simple.
What nat traversal does is not really “punching holes” on the nat, or delivering message through some tunnel, or some arcane magic, but to simply find the public address:port that can can reach me.
If I’m behind a nat or even multiple nat’s, my packets are relayed by these nat’s and they appears on the public Internet at the out-most nat’s address and port. And reply packets going to that address:port are relayed back to me. So essentially I got a public address:port that can reach me on the public Internet. The purpose of nat traversal is to find that public address:port. That’s basically what the initial/classic stun (rfc 3489) does.
The truly host-to-host traversal is just that, finding the public
address:port.
That’s what classic stun does. You send a
stun server a message, the stun server looks at the source ip address and port of the ip packet, and reply that back to you. Voilà, you know
you public address:port
!
Sometimes having that address:port is not enough, because nat poses extra restrictions1. Then we have to resort to having a public-visible relay server in the middle, which is what turn (rfc 5766) does. But any host-to-host traversal is just finding public address:port. There is no extra magic there.
But stunnd turn still isn’t enough. For one, one can usually find multiple address that could possibly work, but then which one to use? Eg, maybe a host has an ip assigned by a vpn, if the other host is also in the vpn, we should use this ip over the others; similarly, if the other host is in the same lan, we should use the local ip; even over nat, there could be multiple ip’s that can reach us.
ice fills that gap. It gathers a bunch
of address:port
’s that possibly works (through stun messages with stun servers), sorts them by
preference, and tries them one-by-one according to some algorithm, and
reports to you the best one. If none works, it tries to establish a relay
through turn.
And here is where the new stun comes
in. People threw away the algorithm for finding address:port
in classic stun, and kept and extended the
stun message format. Now ice runs a more thorough algorithm that uses
stun messages to communicate with
stun servers. And the new stun (rfc 5389) just
defines the stun message format. There is
a even newer version (rfc 8489) that
updated rfc
5389 slightly, but with no fundamental changes.
Similarly, turn is updated in rfc 8656 and now is a method used by ice rather than a standalone solution.