[OpenSIPS-Devel] STUN module

Razvan Pistolea razvy000 at yahoo.com
Mon Sep 7 18:11:46 CEST 2009


This STUN module is required to run on 2 ports; and it does, but it is required by OpenSIPS that the primary_port is the same as the OpenSIPS one (usually 5060).
IANA ports for STUN are:
stun            3478/tcp   Session Traversal Utilities for NAT (STUN) port
stun            3478/udp   Session Traversal Utilities for NAT (STUN) port
stuns           5349/tcp   STUN over TLS
stuns           5349/udp   Reserved for a future enhancement of STUN



I rephrase the question:
1. nat traversal module sends pings to keepalive;
2. stun clients can send BINDING_REQUESTS to stun module to keepalive;
3. stun module could tell the nat traversal module not to keepalive the clients because they can keepalive themselves thus saving extra traffic;

It is indeed a great idea but:
rfc3489 or rfc5389 don't require clients to do that;

the usage of keepalive is somewhat strange:
rfc3489 explains how to measure the binding's time using binary search in the time interval between a received response and a failed one; therefore there is a time when, while measuring the exact binding's expiration time, the binding will expire.
- not to mention the NAT might have restarted -> bindings lost; or be under load and behave chaotically.

rfc5389 and [SIP-OUTBOUND] just say it is possible to send either SIP keepalives or STUN ones.
A discussion is in order.


I don't see where stund supports rfc5389.
So yes this is a replacement.


I tested my server with handmade messages (valid and very invalid) and Wireshark.
I don't know of software to do that (but it would be great).

Please explain what multiple instances means.



Cheers,

Razvan





Thomas Gelf <thomas at gelf.net> wrote:
> Razvan Pistolea wrote:
> > Thx for the enthusiasm!
> > The plan was to wait until Monday for an announcement but what the hell.
>
> Sorry ;-)
>
> >> - As far as I understood OpenSIPS' STUN module is not able
> >>   to run on multiple ports (i.e. 5060 as of rfc5389 and 3478
> >>   as of rfc3489), however it suggests using 3479 as secondary
> >>   port (and 5060 as the default one)
> >>
> > You can change the secondary port(3479) to any port... say
> > (3478) and then you don't have to make any change to the clients
>
> 3478 is probably not the best choice for the secondary port, but
> I'll find another one :-p
>
> > and it even helps the SIP server (not having to differentiate
> > between incoming STUN/SIP messages).
>
> I'd like to add it that additional burden, that's the most exciting
> part of RFC 5389 - you can use STUN for keepalives. Did you already
> reflect whether it could make sense to let nat_traversal and stun
> modules somehow "talk" to each other (e.g. "client is sending stun
> keepalives from socket X, therefore no SIP keepalive is required on
> that socket")?
>
> >> - Therefore: to provide RFC 5389 and 3489 support without
> >>   requiring customers to reconfigure their clients, I'll remain
> >>   with two STUN servers, stund and OpenSIPS?!
> >>
> > Yes. Until I implement rfc 5389.
>
> Ok. So choosing primary port 3478 and secondary port 3479 to replace
> stund is probably the way to go right now. Is your stun module a full
> replacement for stund? Are you aware of a free software allowing to
> (entirely) test their behaviour?
>
> > It can work on port 3478 and 5060(primary_port) but you will have
> > (just) a STUN rfc 3478 server.
>
> Got it. Running on both of them (= multiple instances) isn't possible,
> is it?
>
> >> - Are there clients already making use of RFC 5389?
> > I don't know.
> Me too :-) Anyone else?
>
> Cheers,
> Thomas
> 
> 
> _______________________________________________
> Devel mailing list
> Devel at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/devel
> 
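
The header check a server needs when SIP and STUN share one UDP port such as 5060, run against hand-built valid and invalid datagrams of the kind mentioned in the message above. This is an added example, not code from the thread or from the OpenSIPS stun module; `classify_datagram`, the enum and the sample datagrams are constructed for illustration, and it assumes one STUN message per UDP datagram.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STUN_HDR_LEN      20
#define STUN_MAGIC_COOKIE 0x2112A442u   /* fixed value from RFC 5389 */

enum pkt_kind { PKT_NOT_STUN, PKT_STUN_RFC3489, PKT_STUN_RFC5389 };

/* Classify one UDP datagram received on a port shared by SIP and STUN.
 * Assumption: exactly one STUN message per datagram. */
enum pkt_kind classify_datagram(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < STUN_HDR_LEN)
        return PKT_NOT_STUN;            /* shorter than a STUN header */
    if (buf[0] & 0xC0)
        return PKT_NOT_STUN;            /* top two bits set, e.g. SIP text */

    size_t body = ((size_t)buf[2] << 8) | buf[3];
    if ((body & 3) != 0 || body != len - STUN_HDR_LEN)
        return PKT_NOT_STUN;            /* unpadded or inconsistent length */

    uint32_t cookie = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                      ((uint32_t)buf[6] << 8) | (uint32_t)buf[7];
    /* No cookie: treat as a classic RFC 3489 message (128-bit transaction ID). */
    return cookie == STUN_MAGIC_COOKIE ? PKT_STUN_RFC5389 : PKT_STUN_RFC3489;
}

/* Constructed sample datagrams (hand-built, not captured traffic). */
static const uint8_t binding_5389[20] = { 0x00, 0x01, 0x00, 0x00,
    0x21, 0x12, 0xA4, 0x42, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
static const uint8_t binding_3489[20] = { 0x00, 0x01, 0x00, 0x00,
    9, 8, 7, 6, 5, 4, 3, 2, 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t bad_length[20] = { 0x00, 0x01, 0x00, 0x08,
    0x21, 0x12, 0xA4, 0x42 };          /* claims 8 attribute bytes, has none */
static const uint8_t sip_options[] =
    "OPTIONS sip:example.invalid SIP/2.0\r\n\r\n";

int main(void)
{
    static const char *name[] = { "not STUN", "STUN (RFC 3489)", "STUN (RFC 5389)" };
    printf("binding_5389: %s\n", name[classify_datagram(binding_5389, sizeof binding_5389)]);
    printf("binding_3489: %s\n", name[classify_datagram(binding_3489, sizeof binding_3489)]);
    printf("bad_length:   %s\n", name[classify_datagram(bad_length, sizeof bad_length)]);
    printf("sip_options:  %s\n", name[classify_datagram(sip_options, sizeof sip_options - 1)]);
    return 0;
}
```

A datagram that passes the structural checks but carries no magic cookie is classified as RFC 3489, since that format has no marker of its own.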


      



