Why a STUN Server Needs Two Different Public IP addresses

metdos picture metdos · Sep 29, 2011 · Viewed 13.8k times · Source

I have took a look to STUN Server settings in openfire, and this statement from there:

"In order to act as a STUN server, two different public IP addresses on the same machine are required, as well as two different port numbers for each IP."

I have researched on google, and generally stun servers need two public IPs, what is reason for that?

Answer

selbie picture selbie · Dec 4, 2011

For attempting to establish P2P connectivity, the STUN binding request and response to/from the STUN service's primary address (IP and port) is all that really matters. The mapped address returned in the response body of this request is passed (via XMPP or other service) to the remote node that the local client is attempting to establish directly communication with.

The second IP and port that the STUN service listens on are useful for determining NAT port mapping behavior and NAT filtering behavior.

By making binding requests to the alternate IP:port on the service, a client can discover if his NAT has consistent mapping semantics for local ports. In the event he gets different port mapping values for each test, the client can conclude it is behind a "symmetric NAT" - which are the most difficult to traverse for P2P.

By sending up a bind request with a "change request" attribute that asks the service to respond from the other IP or port, a client can detect if his NAT just filters datagrams from remote hosts based on IP and port, or allows for datagrams from alternate ports on hosts it has sent outbound datagrams to.

The mapping behavior and filtering tests only provide limited information for subsequent P2P connections. In the case of determining a symmetric NAT is between the host and the Internet, some implementations may observe the NAT to have a consistent incremental value of the port value in each binding response. (e.g. the external port observed by the STUN service increases by one). As such, the client can offer an IP and guessed port number for the remote client to try to send to instead of the one mapped back from the first binding request. Or the client may use this behavior/filtering test for logging. Or to automatically allocate a relay in the event of symmetric NAT.