RFC5780
4. Discovery Process
This section provides a descriptive overview of how the NAT Behavior
Discovery usage primitives allow checks to be made to discover the
current behavior of the NAT or NATs an application is behind. These
tests can only give the instantaneous behavior of a NAT; it has been
found that NATs can change behavior under load and over time. The
results of these tests therefore can be regarded as upper bounds --
an application must assume that NAT behavior can become more
restrictive at any time. Results from tests performed using a
particular port on the client may also not indicate the behavior
experienced by a different port, as described in Section 4.1.
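This section describes how the NAT Behavior Discovery primitives let an
application check the current behavior of the NAT or NATs in front of it.
The tests capture only a point in time; NATs have been found to change
behavior under load and as time passes. The results are therefore an upper
bound: the application must assume the NAT can become more restrictive at
any time. Results obtained on one client port also may not represent the
behavior of a different port, as described in Section 4.1.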
Definitions for NAT filtering and mapping behavior are from
[RFC4787]. The tests described here are for UDP connectivity, NAT
mapping behavior, NAT filtering behavior, and NAT binding lifetime
discovery; additional tests could be designed using this usage's
mechanisms. The tests described below include only tests that can be
performed using a client with a single IP address. A client with
multiple IP addresses (or multiple clients collaborating) behind the
same NAT can combine their probes to test additional aspects of NAT
behavior, such as port overloading. This section provides a
descriptive overview of how the primitives provided by the STUN
attributes in this specification may be used to perform behavior
tests.
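The definitions of NAT filtering and mapping behavior come from RFC4787.
The tests described here cover UDP connectivity, NAT mapping behavior, NAT
filtering behavior, and NAT binding lifetime discovery; further tests can
be designed with the same mechanisms. The tests below are limited to what a
client with a single IP address can run. A client with several IP addresses
(or several cooperating clients) behind the same NAT can combine probes to
examine other aspects of NAT behavior, such as port overloading. This
section describes how the STUN attributes are used to run the behavior tests.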
Normative specifications for the attributes are defined in later
sections.
The attributes themselves are specified in later sections.
4.1. Source Port Selection
Proper source port selection is important to ensuring the usefulness
and accuracy of the Behavior Discovery tests. There are two
preconditions for tests:
Choosing an appropriate source port matters for the accuracy and usefulness
of the Behavior Discovery tests. The tests have two preconditions:
o Because mapping behavior can vary on a port-by-port basis, an
application should perform its tests using the source port
intended for use by the application whenever possible. If it
intends to use multiple source ports, it should repeat these tests
for each source port. Such tests should be performed sequentially
to reduce load on the NAT.
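Mapping behavior can differ from port to port, so where possible an
application should test with the source port it actually intends to use. If
it will use several ports, it should run the tests for each of them, one
after another, to reduce the load on the NAT.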
o Because the results of some diagnostic checks depend on previous
state in the NAT created by prior traffic, the tests should be
performed using a source port that has not generated recent
traffic. Therefore, the application should use a random source
port or ensure that no traffic has previously occurred on the
selected port prior to performing tests, generally by allocating a
port and holding it unused for at least 15 minutes prior to the
tests.
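Some diagnostic results depend on state that earlier traffic created in the
NAT, so the tests should not use a source port that has carried recent
traffic. The application should therefore use a random source port, or make
sure no traffic has occurred on the chosen port, generally by allocating the
port and leaving it unused for at least 15 minutes before the tests.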
Ensuring both of these preconditions can be challenging, particularly
for a device or application wishing to perform Behavior Discovery
tests at startup. The following guidelines are suggested for
reducing the likelihood of problems:
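Meeting both preconditions is challenging, especially for a device or
application that wants to run the Behavior Discovery tests at startup. The
following suggestions reduce the likelihood of problems: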
o An application intended to operate behind a NAT should not attempt
to allocate a specific or well-known port. Because such software
must be designed to interoperate using whatever port is mapped to
it by the NAT, the specific port is unnecessary. Instead, on
startup, a random port should be selected (see below for
recommended ranges). An application, particularly on an embedded
device, should not rely on the host operating system to select the
next available port because that might result in the application
receiving the same port on each restart. An application using the
same port between restarts may not receive accurate results from
Behavior Discovery tests that are intended to test state-related
behavior of NATs, such as filtering and binding lifetime.
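An application meant to run behind a NAT should not try to allocate a
specific or well-known port. Such software has to interoperate using
whatever port the NAT maps for it, so a specific port is unnecessary.
Instead, it should pick a random port at startup (see the recommended ranges
below). An application, especially on an embedded device, should not rely on
the host operating system to pick the next available port, because it may
then get the same port on every restart. An application that reuses the same
port across restarts may get inaccurate results from the Behavior Discovery
tests that probe state-related NAT behavior, such as filtering and binding
lifetime.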
o An application requiring multiple ports, such as separate ports
for control and media, should allocate those ports on startup when
possible. Even if there is no immediate need for media flow, if
Behavior Discovery tests will be run on those ports, allocating
them early will allow them to be left idle, increasing the chance
of obtaining accurate results from Behavior Discovery tests.
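An application that needs several ports, for example separate ports for
control and media, should allocate them at startup when possible. Even if
media does not need the ports right away, allocating them early lets them
sit idle when Behavior Discovery tests will be run on them, which raises the
chance of accurate results.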
o Although the most reliable results are obtained when performing
tests with the specific ports that the application will use, in
many cases an application will need to allocate and use ports
without being able to perform complete Behavior Discovery tests on
those ports. In those cases, an application should randomly
select its ports from a range likely to receive the same treatment
by the NAT. This document recommends ranges of 32768-49151, which
is the upper end of IANA's Registered Ports range, and 49152-
65535, which is IANA's Dynamic and/or Private port range, for
random selection. To attempt to characterize a NAT's general
treatment of ports in these ranges, a small number of ports within
a range can be randomly selected and characterized.
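Testing on the exact ports the application will use gives the most reliable
results, but in many cases an application has to allocate and use ports
without being able to run the complete Behavior Discovery tests on them. In
those cases it should pick its ports at random from a range that the NAT is
likely to treat uniformly. The document recommends the ranges 32768-49151,
the upper end of IANA's Registered Ports range, and 49152-65535, IANA's
Dynamic and/or Private port range. To characterize how a NAT generally
treats a range, a small number of ports in that range can be picked at
random and characterized.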
Those tests particularly sensitive to prior state on a NAT will be
indicated below.
The tests that are particularly sensitive to prior state on the NAT are
pointed out below.
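One way to follow the Section 4.1 guidance, as an added example that is not part of the RFC: the port is drawn at random from a recommended range instead of being left to the operating system, is bound at startup, and is only considered usable for discovery after 15 idle minutes. `HeldPort` and `allocate_random_port` are hypothetical names.

```python
import secrets
import socket
import time

# Ranges recommended in Section 4.1 for random selection.
REGISTERED_UPPER = (32768, 49151)
DYNAMIC_PRIVATE = (49152, 65535)
IDLE_BEFORE_TESTS = 15 * 60  # seconds a port is held unused before testing


class HeldPort:
    """A bound UDP socket plus the time of its last traffic (hypothetical helper)."""

    def __init__(self, sock, now):
        self.sock = sock
        self.port = sock.getsockname()[1]
        self.last_traffic = now  # allocation starts the idle period

    def note_traffic(self, now):
        # Call on every send/receive; any traffic restarts the idle period.
        self.last_traffic = now

    def ready_for_discovery(self, now):
        return now - self.last_traffic >= IDLE_BEFORE_TESTS


def allocate_random_port(port_range=DYNAMIC_PRIVATE, bind_addr="0.0.0.0",
                         attempts=32, clock=time.monotonic):
    """Bind a randomly chosen port instead of asking the OS for the next free one."""
    low, high = port_range
    for _ in range(attempts):
        port = low + secrets.randbelow(high - low + 1)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sock.bind((bind_addr, port))
        except OSError:
            sock.close()  # port busy or not permitted: draw another one
            continue
        return HeldPort(sock, clock())
    raise RuntimeError("no free port found in %d-%d" % port_range)
```

An application with separate control and media ports would call `allocate_random_port` once per port at startup and run the tests sequentially on each one that reports `ready_for_discovery`.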
4.2. Checking for UDP Connectivity with the STUN Server
The client sends a STUN Binding Request to a server. This causes the
server to send the response back to the address and port that the
request came from. If this test yields no response, the client knows
right away that it does not have UDP connectivity with the STUN
server. This test requires only STUN [RFC5389] functionality.
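The client sends a STUN Binding Request to a server, and the server sends
the response back to the address and port the request came from. If the test
gets no response, the client knows immediately that it has no UDP
connectivity with the STUN server.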
4.3. Determining NAT Mapping Behavior
This will require at most three tests. In test I, the client
performs the UDP connectivity test. The server will return its
alternate address and port in OTHER-ADDRESS in the binding response.
If OTHER-ADDRESS is not returned, the server does not support this
usage and this test cannot be run. The client examines the XOR-
MAPPED-ADDRESS attribute. If this address and port are the same as
the local IP address and port of the socket used to send the request,
the client knows that it is not NATed and the effective mapping will
be Endpoint-Independent.
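At most three tests are needed. In test I, the client runs the UDP
connectivity test. The server returns its alternate address and port in
OTHER-ADDRESS in the response. If OTHER-ADDRESS is missing, the server does
not support this usage and the test cannot be run. The client then examines
the XOR-MAPPED-ADDRESS attribute. If its address and port equal the local IP
address and port of the socket that sent the request, the client knows it is
not behind a NAT and the effective mapping is Endpoint-Independent.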
In test II, the client sends a Binding Request to the alternate
address, but primary port. If the XOR-MAPPED-ADDRESS in the Binding
Response is the same as test I the NAT currently has Endpoint-
Independent Mapping. If not, test III is performed: the client sends
a Binding Request to the alternate address and port. If the XOR-
MAPPED-ADDRESS matches test II, the NAT currently has Address-
Dependent Mapping; if it doesn't match it currently has Address and
Port-Dependent Mapping.
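In test II, the client sends a Binding Request to the alternate address but
the primary port. If the XOR-MAPPED-ADDRESS in the response is the same as
in test I, the NAT currently has Endpoint-Independent Mapping. If not, test
III is run: the client sends a Binding Request to the alternate address and
alternate port. If the XOR-MAPPED-ADDRESS matches test II, the NAT currently
has Address-Dependent Mapping; if it does not match, the NAT has Address and
Port-Dependent Mapping.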
4.4. Determining NAT Filtering Behavior
This will also require at most three tests. These tests are
sensitive to prior state on the NAT.
This check also needs at most three tests, and they are sensitive to prior
state on the NAT.
In test I, the client performs the UDP connectivity test. The server
will return its alternate address and port in OTHER-ADDRESS in the
binding response. If OTHER-ADDRESS is not returned, the server does
not support this usage and this test cannot be run.
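In test I, the client runs the UDP connectivity test. The server returns its
alternate address and port in the OTHER-ADDRESS attribute of the response.
If OTHER-ADDRESS is missing, the server does not support this usage and the
test cannot be run.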
In test II, the client sends a binding request to the primary address
of the server with the CHANGE-REQUEST attribute set to change-port
and change-IP. This will cause the server to send its response from
its alternate IP address and alternate port. If the client receives
a response, the current behavior of the NAT is Endpoint-Independent
Filtering.
In test II, the client sends a binding request to the server's primary
address with CHANGE-REQUEST set to change-port and change-IP. The server
then sends its response from its alternate IP address and alternate port. If
the client receives the response, the NAT currently has Endpoint-Independent
Filtering.
If no response is received, test III must be performed to distinguish
between Address-Dependent Filtering and Address and Port-Dependent
Filtering. In test III, the client sends a binding request to the
original server address with CHANGE-REQUEST set to change-port. If
the client receives a response, the current behavior is Address-
Dependent Filtering; if no response is received, the current behavior
is Address and Port-Dependent Filtering.
If no response arrives, test III must be run to tell Address-Dependent
Filtering from Address and Port-Dependent Filtering. In test III, the client
sends a binding request to the original server address with CHANGE-REQUEST
set to change-port. If the client receives a response, the behavior is
Address-Dependent Filtering; if not, it is Address and Port-Dependent
Filtering.
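The client side of Sections 4.3 and 4.4, as an added example that is not part of the RFC: it encodes a Binding Request with CHANGE-REQUEST, decodes XOR-MAPPED-ADDRESS and OTHER-ADDRESS from a response while rejecting datagrams that do not belong to the transaction, and applies the two decision procedures. The attribute type codes are those assigned by RFC 5389 and RFC 5780; the function names and the sample response are constructed for illustration, and only IPv4 is handled.

```python
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_CHANGE_REQUEST = 0x0003      # RFC 5780
ATTR_XOR_MAPPED_ADDRESS = 0x0020  # RFC 5389
ATTR_OTHER_ADDRESS = 0x802C       # RFC 5780
CHANGE_IP, CHANGE_PORT = 0x04, 0x02  # CHANGE-REQUEST flag bits

# Constructed sample: success response reporting 203.0.113.7:40000 as the
# mapped address and 198.51.100.2:3479 as the server's OTHER-ADDRESS.
SAMPLE_TXID = b"constructed!"
SAMPLE_RESPONSE = (bytes.fromhex("010100182112a442") + SAMPLE_TXID
                   + bytes.fromhex("002000080001bd52ea12d545802c000800010d97c6336402"))


def build_binding_request(change_ip=False, change_port=False, txid=None):
    """Binding Request; CHANGE-REQUEST is added only when a flag is set."""
    txid = txid or os.urandom(12)
    flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
    attrs = struct.pack("!HHI", ATTR_CHANGE_REQUEST, 4, flags) if flags else b""
    return struct.pack("!HHI", BINDING_REQUEST, len(attrs), MAGIC_COOKIE) + txid + attrs


def parse_addresses(msg, txid):
    """Return {attribute type: (ip, port)} for IPv4 address attributes."""
    if len(msg) < 20 or len(msg) != 20 + struct.unpack("!H", msg[2:4])[0]:
        raise ValueError("bad STUN length")
    mtype, cookie = struct.unpack("!H2xI", msg[:8])
    if (mtype, cookie, msg[8:20]) != (BINDING_SUCCESS, MAGIC_COOKIE, txid):
        raise ValueError("not the success response for this transaction")
    found, pos = {}, 20
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        wanted = atype in (ATTR_XOR_MAPPED_ADDRESS, ATTR_OTHER_ADDRESS)
        if wanted and alen == 8 and value[1] == 0x01:  # family 0x01 = IPv4
            port, addr = struct.unpack("!HI", value[2:])
            if atype == ATTR_XOR_MAPPED_ADDRESS:
                port, addr = port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE
            found[atype] = (str(ipaddress.IPv4Address(addr)), port)
        pos += 4 + alen + (-alen % 4)  # values are padded to 4 bytes
    return found


def classify_mapping(local, test1, test2=None, test3=None):
    """Section 4.3: arguments are (ip, port); testN is XOR-MAPPED-ADDRESS."""
    if test1 == local:
        return "not NATed (Endpoint-Independent Mapping)"
    if test2 is None:
        raise ValueError("test II result required")
    if test2 == test1:
        return "Endpoint-Independent Mapping"
    if test3 is None:
        raise ValueError("test III result required")
    if test3 == test2:
        return "Address-Dependent Mapping"
    return "Address and Port-Dependent Mapping"


def classify_filtering(test2_answered, test3_answered=None):
    """Section 4.4: each argument says whether that test got a response."""
    if test2_answered:
        return "Endpoint-Independent Filtering"
    if test3_answered is None:
        raise ValueError("test III result required")
    if test3_answered:
        return "Address-Dependent Filtering"
    return "Address and Port-Dependent Filtering"
```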
4.5. Combining and Ordering Tests
Clients may wish to combine and parallelize these tests to reduce the
number of packets sent and speed the discovery process. For example,
test I of the filtering and mapping tests also checks if UDP is
blocked. Furthermore, an application or user may not need as much
detail as these sample tests provide. For example, establishing
connectivity between nodes becomes significantly more difficult if a
NAT has any behavior other than Endpoint-Independent Mapping, which
requires only test I and II of Section 4.3. An application that
determines its NAT does not always provide Endpoint-Independent
Mapping might notify the user if no relay is configured, whereas an
application behind a NAT that provides Endpoint-Independent Mapping
might not notify the user until a subsequent connection actually
fails or might provide a less urgent notification that no relay is
configured. Such a test does not alleviate the need for [RFC5245],
but it does provide some information regarding whether ICE is likely
to be successful establishing non-relayed connections.
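Clients may want to combine and parallelize these tests to send fewer
packets and speed up discovery. For example, test I of both the filtering
and the mapping tests also checks whether UDP is blocked. An application or
user may also not need as much detail as the sample tests provide. For
example, establishing connectivity between nodes becomes significantly
harder if the NAT has any behavior other than Endpoint-Independent Mapping,
and finding that out needs only tests I and II of Section 4.3. An
application that finds its NAT does not always provide Endpoint-Independent
Mapping might notify the user when no relay is configured, whereas an
application behind a NAT with Endpoint-Independent Mapping might not notify
the user until a later connection actually fails, or might give a less
urgent notice that no relay is configured. Such a test does not remove the
need for RFC5245, but it does give some indication of whether ICE is likely
to succeed in establishing non-relayed connections.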
Care must be taken when combining and parallelizing tests, due to the
sensitivity of certain tests to prior state on the NAT and because
some NAT devices have an upper limit on how quickly bindings will be
allocated. Section 5 restricts the rate at which clients may begin
new STUN transactions.
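Take care when combining and parallelizing tests: some tests are sensitive
to prior state on the NAT, and some NAT devices have an upper limit on how
quickly they allocate bindings. Section 5 limits the rate at which clients
may start new STUN transactions.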
5.1. Discovery
Unless the user or application is aware of the transport address of a
STUN server supporting the NAT Behavior Discovery usage through other
means, a client is configured with the domain name of the provider of
the STUN servers. The domain is resolved to a transport address
using SRV procedures [RFC2782]. The mechanism for configuring the
client with the domain name of the STUN servers or of acquiring a
specific transport address is out of scope for this document.
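Unless the user or application already knows, by other means, the transport
address of a STUN server that supports NAT Behavior Discovery, the client is
configured with the domain name of the STUN server provider. The domain name
is then resolved to a transport address. How the client is configured with
that domain name is outside the scope of this document.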
For the Behavior Discovery usage, the service name is "stun-behavior"
for UDP and TCP. The service name is "stun-behaviors" for TLS over
TCP. Only "tcp" is defined as a protocol for "stun-behaviors".
Other aspects of handling failures and default ports are followed as
described in STUN [RFC5389].
For the Behavior Discovery usage, the service name is "stun-behavior" for
UDP and TCP, and "stun-behaviors" for TLS over TCP. Only "tcp" is defined as
a protocol for "stun-behaviors". Failure handling and default ports follow
STUN [RFC5389].
6. Server Behavior
Unless otherwise specified here, all procedures for preparing,
sending, and processing messages as described for the STUN Binding
Usage of STUN [RFC5389] are followed.
Unless stated otherwise here, all procedures for preparing, sending, and
processing messages follow STUN [RFC5389].
A server implementing the NAT Behavior Discovery usage SHOULD be
configured with two separate IP addresses on the public Internet. On
startup, the server SHOULD allocate a pair of ports for each of the
UDP, TCP, and TCP/TLS transport protocols, such that it can send and
receive datagrams using the same ports on each IP address (normally a
wildcard binding accomplishes this). TCP and TCP/TLS MUST use
different ports. If a server cannot allocate the same ports on two
different IP address, then it MUST NOT include an OTHER-ADDRESS
attribute in any Response and MUST respond with a 420 (Unknown
Attribute) to any Request with a CHANGE-REQUEST attribute. A server
with only one IP address MUST NOT be advertised using the SRV service
name "stun-behavior" or "stun-behaviors".
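A server implementing the NAT Behavior Discovery usage should be configured
with two separate public IP addresses. At startup it should allocate a pair
of ports for each of the UDP, TCP, and TCP/TLS transports, so that it can
send and receive data on the same ports on each IP address (a wildcard
binding normally achieves this). TCP and TCP/TLS must use different ports.
If the server cannot allocate the same ports on the two IP addresses, it
must not include OTHER-ADDRESS in any response and must answer any request
that carries a CHANGE-REQUEST attribute with a 420 (Unknown Attribute)
error. A server with only one IP address must not be advertised under the
SRV service name "stun-behavior" or "stun-behaviors".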
6.1. Preparing the Response
After performing all authentication and verification steps, the
server begins processing specific to this Usage if the Binding
Request contains any request attributes defined in this document:
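After all authentication and verification steps are done, the server starts
the processing specific to this usage if the Binding Request contains any of
the request attributes defined in this document: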
RESPONSE-PORT, CHANGE-REQUEST, or PADDING. If the Binding Request
does not contain any attributes from this document, OTHER-ADDRESS and
RESPONSE-ORIGIN are still included in the Binding Response.
If the Binding Request contains none of this document's RESPONSE-PORT,
CHANGE-REQUEST, or PADDING attributes, the Binding Response still includes
OTHER-ADDRESS and RESPONSE-ORIGIN.
The server MUST include both MAPPED-ADDRESS and XOR-MAPPED-ADDRESS in
its Response.
The server's response must carry both MAPPED-ADDRESS and XOR-MAPPED-ADDRESS.
If the Request contains the CHANGE-REQUEST attribute and the server
does not have an alternate address and port as described above, the
server MUST generate an error response of type 420.
If the request carries CHANGE-REQUEST but the server has no alternate
address and port, the server must generate a response with error code 420.
The source address and port of the Binding Response depend on the
value of the CHANGE-REQUEST attribute and on the address and port on
which the Binding Request was received; this is summarized in
Table 1.
The source address and port of the Binding Response depend on the
CHANGE-REQUEST attribute and on the address and port on which the Binding
Request was received; Table 1 summarizes this.
Let A1 and A2 be the two IP addresses used by the server, and P1 and
P2 be the ports used by the server. Let Da represent the destination
IP address of the Binding Request (which will be either A1 or A2),
and Dp represent the destination port of the Binding Request (which
will be either P1 or P2). Let Ca represent the other address, so
that if Da is A1, Ca is A2. If Da is A2, Ca is A1. Similarly, let
Cp represent the other port, so that if Dp is P1, Cp is P2. If Dp is
P2, Cp is P1. If the "change port" flag was set in the CHANGE-
REQUEST attribute of the Binding Request, and the "change IP" flag
was not set, the source IP address of the Binding Response MUST be Da
and the source port of the Binding Response MUST be Cp. If the
"change IP" flag was set in the Binding Request, and the "change
port" flag was not set, the source IP address of the Binding Response
MUST be Ca and the source port of the Binding Response MUST be Dp.
When both flags are set, the source IP address of the Binding
Response MUST be Ca and the source port of the Binding Response MUST
be Cp. If neither flag is set, or if the CHANGE-REQUEST attribute is
absent entirely, the source IP address of the Binding Response MUST
be Da and the source port of the Binding Response MUST be Dp.
+--------------------+----------------+-------------+---------------+
| Flags | Source Address | Source Port | OTHER-ADDRESS |
+--------------------+----------------+-------------+---------------+
| none | Da | Dp | Ca:Cp |
| Change IP | Ca | Dp | Ca:Cp |
| Change port | Da | Cp | Ca:Cp |
| Change IP and | Ca | Cp | Ca:Cp |
| Change port | | | |
+--------------------+----------------+-------------+---------------+
Table 1: Impact of Flags on Packet Source and OTHER-ADDRESS
Let A1 and A2 be the server's two IP addresses and P1 and P2 its two ports.
Da is the destination IP address of the Binding Request (either A1 or A2)
and Dp is its destination port (either P1 or P2). Ca is the other address:
if Da is A1, Ca is A2, and if Da is A2, Ca is A1. Likewise Cp is the other
port: if Dp is P1, Cp is P2, and if Dp is P2, Cp is P1. If the
CHANGE-REQUEST attribute of the Binding Request has "change port" set and
"change IP" not set, the Binding Response has source address Da and source
port Cp. If "change IP" is set and "change port" is not, the source address
is Ca and the source port is Dp. If both flags are set, the source IP
address must be Ca and the source port must be Cp. If neither flag is set,
or there is no CHANGE-REQUEST attribute at all, the source IP address must
be Da and the source port must be Dp.
The server MUST add a RESPONSE-ORIGIN attribute to the Binding
Response, containing the source address and port used to send the
Binding Response.
The server must add a RESPONSE-ORIGIN attribute to the Binding Response,
containing the source address and port from which the Binding Response is
sent.
If the server supports an alternate address and port, the server MUST
add an OTHER-ADDRESS attribute to the Binding Response. This
contains the source IP address and port that would be used if the
client had set the "change IP" and "change port" flags in the Binding
Request. As summarized in Table 1, these are Ca and Cp,
respectively, regardless of the value of the CHANGE-REQUEST flags.
If the server supports an alternate address and port, it must add an
OTHER-ADDRESS attribute to the Binding Response. OTHER-ADDRESS holds the
source IP address and port that would be used if the client had set both the
"change IP" and "change port" flags in the Binding Request. As Table 1
summarizes, these are always Ca and Cp, however the CHANGE-REQUEST flags are
set.
If the Request contained a PADDING attribute, PADDING MUST be
included in the Binding Response. The server SHOULD use a length of
PADDING equal to the MTU on the outgoing interface, rounded up to an
even multiple of four bytes. If the Request also contains the
RESPONSE-PORT attribute the server MUST return an error response of
type 400.
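If the request contains PADDING, the Binding Response must contain PADDING
too. The server should use a PADDING length equal to the MTU of the outgoing
interface, rounded up to a multiple of four bytes. If the request also
contains a RESPONSE-PORT attribute, the server must return a response with
error code 400.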
Following that, the server completes the remainder of the processing
from STUN [RFC5389]. If authentication is being required, the server
MUST include a MESSAGE-INTEGRITY and associated attributes as
appropriate. A FINGERPRINT attribute is only required if the STUN
messages are being multiplexed with application traffic that requires
use of a FINGERPRINT to distinguish STUN messages.
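After that, the server completes the rest of the processing from STUN
[RFC5389]. If authentication is required, the server must include
MESSAGE-INTEGRITY and the associated attributes as appropriate. A
FINGERPRINT attribute is required only when the STUN messages are
multiplexed with application traffic and FINGERPRINT is needed to tell the
STUN messages apart.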
An ALTERNATE-SERVER attribute MUST NOT be included with any other
attribute defined in this specification.
The ALTERNATE-SERVER attribute must not be included together with any
attribute defined in this document.
When the server sends the Response, it is sent from the source
address as determined above and to the source address of the Request.
If RESPONSE-PORT is present, the server sends the response to that
port instead of the originating port.
The server sends the Response from the source address determined above, to
the source address of the Request. If RESPONSE-PORT is present, the server
sends to the port given in RESPONSE-PORT instead of the originating port.
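The server-side decisions of Section 6.1 in one place, as an added example that is not part of the RFC: Table 1 source selection, the 420 and 400 error cases, the contents of RESPONSE-ORIGIN and OTHER-ADDRESS, and the RESPONSE-PORT destination override. `ServerConfig`, `StunError` and `plan_response` are hypothetical names, the order of the two error checks is an assumption, and the reason phrase for 400 is taken from RFC 5389.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]


class StunError(Exception):
    def __init__(self, code, reason):
        super().__init__(f"{code} {reason}")
        self.code = code


@dataclass(frozen=True)
class ServerConfig:
    addresses: Tuple[str, ...]  # (A1, A2), or a single address
    ports: Tuple[int, ...]      # (P1, P2), or a single port

    @property
    def has_alternate(self):
        return len(self.addresses) == 2 and len(self.ports) == 2


def _other(pair, current):
    return pair[1] if current == pair[0] else pair[0]


def plan_response(cfg, received_on: Endpoint, client: Endpoint,
                  change_request: Optional[Tuple[bool, bool]] = None,
                  padding=False, response_port: Optional[int] = None):
    """Decide source, destination and address attributes of a Binding Response.

    change_request is None when the attribute is absent, otherwise
    (change_ip, change_port).
    """
    if change_request is not None and not cfg.has_alternate:
        raise StunError(420, "Unknown Attribute")
    if padding and response_port is not None:
        raise StunError(400, "Bad Request")
    da, dp = received_on
    change_ip, change_port = change_request or (False, False)
    plan = {"mapped_address": client, "xor_mapped_address": client}
    source = (da, dp)
    if cfg.has_alternate:
        ca, cp = _other(cfg.addresses, da), _other(cfg.ports, dp)
        source = (ca if change_ip else da, cp if change_port else dp)
        plan["other_address"] = (ca, cp)  # always Ca:Cp, whatever the flags
    plan["source"] = plan["response_origin"] = source
    # Reply goes to the request's source address; RESPONSE-PORT overrides the port.
    plan["destination"] = (client[0],
                           client[1] if response_port is None else response_port)
    return plan
```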
8.1. Problem Definition
The specific problem being solved by the STUN NAT Behavior Discovery
usage is for a client, which may be located behind a NAT of any type,
to determine the instantaneous characteristics of that NAT. This
determination allows either the diagnosis of the cause of problems
experienced by that or other applications or the modification of an
application's behavior based on the current behavior of the NAT and
an appropriate statistical model of the behavior required for the
application to succeed.
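The specific problem that STUN NAT Behavior Discovery solves is letting a
client, which may be behind a NAT of any type, determine the instantaneous
characteristics of that NAT. The result can be used to diagnose the cause of
problems, or to change an application's behavior based on the NAT's current
behavior and a statistical model of the behavior the application needs in
order to succeed.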
8.2. Exit Strategy
The STUN NAT Behavior Discovery usage does not itself provide an exit
strategy for v4 NATs. At the time of this writing, it appears some
sort of NAT will be necessary between v6 clients and v4 servers, but
this specification will not be necessary with those v6-to-v4 NATs
because the IETF is planning to adequately describe their operation.
This specification will be of no interest for v6-to-v6 connectivity.
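STUN NAT Behavior Discovery does not itself provide an exit strategy for v4
NATs. At the time of writing, some kind of NAT appears to be necessary
between v6 clients and v4 servers, but this specification is not needed for
those v6-to-v4 NATs because the IETF plans to describe their operation
adequately. This specification is also of no interest for v6-to-v6
connectivity.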
8.3. Brittleness Introduced by STUN NAT Behavior Discovery
The STUN NAT Behavior Discovery usage allows a client to determine
the current behavior of a NAT. This information can be quite useful
to a developer or network administrator outside of an application,
and as such can be used to diagnose the brittleness induced in
another application. When used within an application itself, STUN
NAT Behavior Discovery allows the application to adjust its behavior
according to the current behavior of the NAT. This document is
experimental because the extent to which brittleness is introduced to
an application relying on the Behavior Discovery usage is unclear and
must be carefully evaluated by the designers of the protocol making
use of it. The experimental test for this protocol is essentially
determining whether an application can be made less brittle through
the use of behavior-discovery information than it would be if
attempted to make use of the network without any awareness of the
NATs its traffic must pass through.
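STUN NAT Behavior Discovery lets a client determine the current behavior of
a NAT. That information is useful to a developer or network administrator,
for example to diagnose the brittleness induced in an application. Used
inside an application, it lets the application adjust its own behavior to
the NAT's current behavior. This document is experimental because it is
unclear how much brittleness is introduced into an application that relies
on the Behavior Discovery usage, and designers of protocols that use it must
evaluate this carefully. The experiment is essentially whether an
application can be made less brittle by using behavior-discovery information
than it would be if it used the network with no awareness of the NATs in its
path.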