TR069-STUN

原理

1、NAT穿越技术，为了解决NAT设备对P2P网络的通信限制

 

2、作用：检测网络中是否存在NAT设备，并获取两个通信端点经NAT设备分配的IP地址和端口号，然后建立一条可穿越NAT的P2P链接，实现P2P通信

 

3、cwmp:依据TR111实现STUN Server功能，CPE作为STUN Client，向STUN Server发送BINDING-REQUEST，CPE 通过BINDING-RESPONSE响应消息获取设备是否在NAT之后，以及NAT类型

 

4、原理：ACS是如何主动发起连接？

ACS能够自动检测到位于NAT设备或者gateway后面的设备（与STUN bind成功），然后发送UDP connection Request到STUN server，通过STUN server进行转发到与STUN server关联的内部CPE设备，进而CPE发起tr069规范中定义的6 connection request事件（TCP连接成功），在tcp连接超时时间范围内可进行设备管理操作。如果超时，ACS再次主动发送UDP connection Request，然后对设备进行管理操作

 

CPE侧实现

流程图：

 

TR111扩展的STUN数据模型

UDPConnectionRequestAddress	string(:256)	R	Address and port to which an ACS MAY send a UDP Connection Request to the CPE (see [Annex G/TR-069a2]). This parameter is represented in the form of an Authority element as defined in [RFC3986]. The value MUST be in one of the following two forms: host:port host When STUNEnable is true, the host and port portions of this parameter MUST represent the public address and port corresponding to the NAT binding through which the ACS can send UDP Connection Request messages (once this information is learned by the CPE through the use of STUN). When STUNEnable is false, the host and port portions of the URL MUST represent the local IP address and port on which the CPE is listening for UDP Connection Request messages. The second form of this parameter MAY be used only if the port value is equal to “80”.	-	1.0
UDPConnectionRequestAddressNotificationLimit	unsignedInt	W	The minimum time, in seconds, between Active Notifications resulting from changes to the UDPConnectionRequestAddress (if Active Notification is enabled).	-	1.0
STUNEnable	boolean	W	Enables or disables the use of STUN by the CPE. This applies only to the use of STUN in association with the ACS to allow UDP Connection Requests.	-	1.0
STUNServerAddress	string(:256)	W	Host name or IP address of the STUN server for the CPE to send Binding Requests if STUN is enabled via STUNEnable. If an empty string and STUNEnable is true, the CPE MUST use the address of the ACS extracted from the host portion of the ACS URL.	-	1.0
STUNServerPort	unsignedInt(0:65535)	W	Port number of the STUN server for the CPE to send Binding Requests if STUN is enabled via STUNEnable. By default, this SHOULD be the equal to the default STUN port, 3478.	-	1.0
STUNUsername	string(:256)	W	If not an empty string, the value of the STUN USERNAME attribute to be used in Binding Requests (only if message integrity has been requested by the STUN server). If an empty string, the CPE MUST NOT send STUN Binding Requests with message integrity.	-	1.0
STUNPassword	string(:256)	W	The value of the STUN Password to be used in computing the MESSAGE-INTEGRITY attribute to be used in Binding Requests (only if message integrity has been requested by the STUN server). When read, this parameter returns an empty string, regardless of the actual value.	-	1.0
STUNMaximumKeepAlivePeriod	int(-1:)	W	If STUN Is enabled, the maximum period, in seconds, that STUN Binding Requests MUST be sent by the CPE for the purpose of maintaining the binding in the Gateway. This applies specifically to Binding Requests sent from the UDP Connection Request address and port. A value of -1 indicates that no maximum period is specified.	-	1.0
STUNMinimumKeepAlivePeriod	unsignedInt	W	If STUN Is enabled, the minimum period, in seconds, that STUN Binding Requests can be sent by the CPE for the purpose of maintaining the binding in the Gateway. This limit applies only to Binding Requests sent from the UDP Connection Request address and port, and only those that do not contain the BINDING-CHANGE attribute. This limit does not apply to retransmissions following the procedures defined in [RFC3489].	-	1.0
NATDetected	boolean	R	When STUN is enabled, this parameter indicates whether or not the CPE has detected address and/or port mapping in use. A true value indicates that the received MAPPED-ADDRESS in the most recent Binding Response differs from the CPE’s source address and port. When STUNEnable is false, this value MUST be false.	-	1.0

TR069实际实现

1、UDPConnectionRequestAddressNotificationLimit和STUNPassword、STUNUsername不实现

2、UDPConnectionRequestAddress和NATDetected为只读节点，通过inform报文发送

测试配置（XACS）

测试部环境：

1、远程控制10.50.100.254

2、开启stun进程指令后加一个&，使其在后台运行

禅道测试用例：

命令行测试stun功能：

/userfs/bin/stun-client 10.50.100.215 -v -p 0 -i 10.50.100.39   -min 30 -max 30 -sp 3478

页面配置测试stun功能：

报文

stun request+response：

 

request：

response:

重新inform上报UDPConnectionRequestAddress和NATDetected节点值