I've been largely ignoring the STUN protocol as noise for a while, but I keep encountering it here and there, and I'm wondering about its general usability.
If I understand it right, STUN is only useful if the outermost NAT allows in packets sent from a different addr:port pair than the one the source used when establishing the mapping.
I had an obviously delusional understanding that a sane NAT will only allow back packets from the same addr:port pair that a connection was established to (Endpoint-Dependent Filtering). Not enforcing this seems to be a serious security problem in and of itself. Building whole protocols and RFCs on top of that seems crazy.
Questions:
- Are there truly a lot of NATs that only do Endpoint-Independent Filtering?
- Is there any good reason behind doing Endpoint-Independent Filtering on a NAT besides being lazy, endangering the systems behind it, and charging extra $$ for a "p2p friendly" feature?
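As an added illustration (not part of the original question or any answer), the following Python simulation models the three NAT filtering behaviours defined in RFC 4787 and runs the STUN scenario the question describes: an inside host discovers its reflexive addr:port via a STUN server, hands it to a peer, and the peer sends to it. The NAT model, the addresses and the helper names are constructed assumptions; the model also assumes endpoint-independent mapping (the NAT reuses the same public port for a given inside socket regardless of destination), which STUN needs in any case. It shows that the peer's packet gets through directly only under Endpoint-Independent Filtering, and that under the stricter behaviours the inside host must first send toward the peer (hole punching, as ICE connectivity checks do) before the peer is let in; with Address-Dependent Filtering the punched hole then admits any port on the peer's IP, while Address-and-Port-Dependent Filtering admits only the exact addr:port that was contacted.

```python
"""Simulated NAT filtering behaviours (RFC 4787 terminology).

Added example, not code from the original post. The NAT model, the
addresses and the function names are constructed for illustration.
"""
from dataclasses import dataclass, field

EIF = "endpoint-independent"          # any external addr:port may send in
ADF = "address-dependent"             # only IPs the inside host has contacted
APDF = "address-and-port-dependent"   # only exact addr:port pairs contacted


@dataclass
class SimNat:
    public_ip: str
    filtering: str
    next_port: int = 40000
    # (inside_ip, inside_port) -> public port; endpoint-independent mapping
    mappings: dict = field(default_factory=dict)
    # public port -> set of external (ip, port) the inside host has sent to
    contacted: dict = field(default_factory=dict)

    def outbound(self, inside, remote):
        """Inside host sends a packet to remote; returns the public addr:port used."""
        if inside not in self.mappings:
            self.mappings[inside] = self.next_port
            self.contacted[self.next_port] = set()
            self.next_port += 1
        pub_port = self.mappings[inside]
        self.contacted[pub_port].add(remote)
        return (self.public_ip, pub_port)

    def inbound(self, sender, pub_port):
        """External sender sends to one of our public ports.

        Returns the inside endpoint the packet is forwarded to, or None if the
        filtering rule drops it."""
        if pub_port not in self.contacted:
            return None  # no mapping at all: always dropped
        seen = self.contacted[pub_port]
        if self.filtering == EIF:
            allowed = True
        elif self.filtering == ADF:
            allowed = any(ip == sender[0] for ip, _ in seen)
        elif self.filtering == APDF:
            allowed = sender in seen
        else:
            raise ValueError(f"unknown filtering behaviour {self.filtering!r}")
        if not allowed:
            return None
        for inside, port in self.mappings.items():
            if port == pub_port:
                return inside
        return None


def stun_then_peer(filtering, punch_hole=False, peer_src_port=6000):
    """Run the STUN scenario behind a NAT with the given filtering behaviour.

    1. inside host sends a STUN Binding request, learning its reflexive address
    2. optionally, inside host first sends a packet toward the peer (hole punch)
    3. the peer sends from ("192.0.2.9", peer_src_port) to the reflexive address
    Returns True if step 3 is delivered to the inside host."""
    nat = SimNat("203.0.113.7", filtering)          # constructed public IP
    inside = ("10.0.0.5", 5000)                      # constructed inside socket
    stun_server = ("198.51.100.1", 3478)             # constructed STUN server
    peer = ("192.0.2.9", 6000)                       # address given to the host
    reflexive = nat.outbound(inside, stun_server)    # STUN Binding request
    if punch_hole:
        nat.outbound(inside, peer)                   # host sends first
    sender = (peer[0], peer_src_port)
    return nat.inbound(sender, reflexive[1]) == inside


if __name__ == "__main__":
    for f in (EIF, ADF, APDF):
        print(f"{f:28s} direct: {stun_then_peer(f)!s:5s}  "
              f"after punch: {stun_then_peer(f, punch_hole=True)!s:5s}  "
              f"punch, other port: {stun_then_peer(f, True, 6001)}")
```

The `direct` column is the case the question asks about: only the endpoint-independent NAT forwards a packet from an addr:port the inside host never sent to. The other two columns show why STUN-based protocols still work behind stricter NATs, provided both sides send first.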
NAT is not intended as a security feature - it is a hack to stave off running out of IPv4 addresses, as a stopgap until IPv6 is fully deployed. As such, it makes sense to implement it in a way that maximizes utility rather than security.
As such, the premise of your question number 2 is wrong, since NAT is not intended as a security device. If enforcing that the remote endpoint is always the same breaks even one application, I would consider it more sane not to enforce the same remote endpoint, given the goals of the technology.
Peer-to-peer IP telephony (such as Skype) would be a notable example of a legitimate application that wouldn't work well without the ability to punch holes in NATs, whether it's by STUN or similar technologies that exploit the behaviour of NATs, or through technologies like UPnP.