[tor-bugs] #34129 [Circumvention/Snowflake]: Use STUN to determine NAT behaviour of peers

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed May 6 19:38:29 UTC 2020


#34129: Use STUN to determine NAT behaviour of peers
-------------------------------------+---------------------------
 Reporter:  cohosh                   |          Owner:  (none)
     Type:  enhancement              |         Status:  new
 Priority:  Medium                   |      Milestone:
Component:  Circumvention/Snowflake  |        Version:
 Severity:  Normal                   |     Resolution:
 Keywords:                           |  Actual Points:
Parent ID:                           |         Points:
 Reviewer:                           |        Sponsor:  Sponsor28
-------------------------------------+---------------------------
Description changed by cohosh:

Old description:

> In investigating high proxy failure rates at clients (#33666) and the
> logistics of running our own STUN server (#25591), I came across I just
> found [https://tools.ietf.org/html/rfc5780 RFC5780], which outlines steps
> to identify NATs with "endpoint independent mapping and filtering".
>
> [https://tools.ietf.org/html/rfc5780#section-4.3 Section 4.3] outlines
> how a client can use a STUN server with an alternate IP address (returned
> in the first STUN binding request response) to determine how restrictive
> their NAT is.
>
> This would be useful to match up clients with snowflake proxies that have
> compatible NATs. We still have the following questions:
>
> - are there public STUN servers that support this feature?
>
> - does the pion/stun library we use support this feature for STUN
> clients?
>
> - If we're able to implement our own STUN server behind a domain-fronted
> connection (#25591), how can we implement this functionality?
>
> I see at least one open source STUN server implementation that claims to
> support this (written in C): https://github.com/coturn/coturn

New description:

 In investigating high proxy failure rates at clients (#33666) and the
 logistics of running our own STUN server (#25591), I came across
 [https://tools.ietf.org/html/rfc5780 RFC5780], which outlines steps to
 identify NATs with "endpoint independent mapping and filtering".

 [https://tools.ietf.org/html/rfc5780#section-4.3 Section 4.3] outlines how
 a client can use a STUN server with an alternate IP address (returned in
 the first STUN binding request response) to determine how restrictive
 their NAT is.

 This would be useful to match up clients with snowflake proxies that have
 compatible NATs. We still have the following questions:

 - are there public STUN servers that support this feature?

 - does the pion/stun library we use support this feature for STUN clients?

 - If we're able to implement our own STUN server behind a domain-fronted
 connection (#25591), how can we implement this functionality?

 I see at least one open source STUN server implementation that claims to
 support this (written in C): https://github.com/coturn/coturn

--

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34129#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
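
The RFC 5780 Section 4.3 procedure referenced in the ticket, sketched in Go as an added example (not code from the ticket, Snowflake, or pion/stun). `Probe`, `ClassifyMapping` and the verdict strings are hypothetical names, the STUN exchange itself is abstracted behind the `Probe` callback, and the addresses in `main` are constructed documentation-range values.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Probe sends one Binding Request to dst from a fixed local socket; other is zero if OTHER-ADDRESS is absent.
type Probe func(dst netip.AddrPort) (mapped, other netip.AddrPort, err error)

// ClassifyMapping runs RFC 5780 section 4.3 tests I-III and names the NAT mapping behaviour.
func ClassifyMapping(local, server netip.AddrPort, probe Probe) (string, error) {
	m1, alt, err := probe(server) // Test I: primary address, primary port
	if err != nil {
		return "", err
	}
	if !alt.IsValid() {
		return "", errors.New("no OTHER-ADDRESS: server lacks RFC 5780 support")
	}
	if m1 == local {
		return "no NAT", nil
	}
	m2, _, err := probe(netip.AddrPortFrom(alt.Addr(), server.Port())) // Test II: alternate address, primary port
	if err != nil {
		return "", err
	}
	if m2 == m1 {
		return "endpoint-independent", nil
	}
	m3, _, err := probe(alt) // Test III: alternate address, alternate port
	if err != nil {
		return "", err
	}
	if m3 == m2 {
		return "address-dependent", nil
	}
	return "address-and-port-dependent", nil
}

func main() { // constructed responses (dst -> XOR-MAPPED-ADDRESS): a new public port per destination IP
	ap := netip.MustParseAddrPort
	seen := map[string]string{"198.51.100.1:3478": "203.0.113.7:40000",
		"198.51.100.2:3478": "203.0.113.7:40001", "198.51.100.2:3479": "203.0.113.7:40001"}
	nat := func(dst netip.AddrPort) (netip.AddrPort, netip.AddrPort, error) {
		return ap(seen[dst.String()]), ap("198.51.100.2:3479"), nil
	}
	fmt.Println(ClassifyMapping(ap("192.168.1.10:5000"), ap("198.51.100.1:3478"), nat))
}
```

All three probes must leave from the same local socket, otherwise a fresh mapping is created for each request and the comparison says nothing about the NAT.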

