> Yes indeed. Probably the #1 biggest use for STUN short term is going to be
> SIP. It seems like not too much information has to go thru the known
> reachable machine. Maybe just about the same loading as a DNS server?
>
> So, although it's kind of a workaround, it's probably going to do the job.
>
> Does that seem right?

Well, sort of. STUN is indeed a great protocol, with all the right authors, but it makes a couple of assumptions about the type of NATs and about the structure of the network.

The assumption about NAT boxes tends to be correct, mostly because vendors know about STUN and about similar workarounds used by various video-game manufacturers as well as by some IPv6 services (Teredo). Most new NATs adopt the "cone" or "protected cone" model that works for STUN, rather than the so-called "symmetric" model. But there are still some old-fashioned designs that try hard to break things, so YMMV.

The assumption about topology is more likely to be wrong. STUN works well in a "core and leaves" model in which private networks are directly connected to a globally addressed IPv4 core, with a single NAT. In this model, two STUN hosts are either on the same private network, or connected through the core. Things get much harder when there are multiple layers of NAT, or when there are backdoor connections between private networks.

STUN is an OK solution now, but it will stop working when the topology becomes more complex -- communications will randomly fail. It is just as easy to deploy IPv6 using Teredo now. As we go on deploying IPv6, we have a chance to support these more complex topologies.

-- Christian Huitema
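
An added illustration, not part of the original message: a toy Python model of the cone versus symmetric NAT behaviour discussed above, showing why an address learned from a STUN server is only useful to a peer when the NAT keeps one mapping per internal socket. The class, function names and addresses are constructed for the example, and the per-remote filtering of the restricted cone variant is not modelled.

```python
import itertools

# Constructed sample endpoints (documentation address ranges), not real hosts.
STUN_SERVER = ("192.0.2.1", 3478)
PEER = ("198.51.100.7", 5060)
HOST = ("10.0.0.5", 5060)          # internal socket behind the NAT


class ToyNat:
    """Hypothetical NAT model: cone keys bindings by source, symmetric by (source, destination)."""

    def __init__(self, public_ip, symmetric):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self._next_port = itertools.count(40000)
        self._bindings = {}        # binding key -> public port

    def outbound(self, src, dst):
        """Translate an outgoing packet; return the public (ip, port) the receiver observes."""
        key = (src, dst) if self.symmetric else src
        if key not in self._bindings:
            self._bindings[key] = next(self._next_port)
        return (self.public_ip, self._bindings[key])

    def inbound(self, public_port, remote):
        """Return the internal socket a packet from `remote` reaches, or None if it is dropped."""
        for key, port in self._bindings.items():
            if port != public_port:
                continue
            if self.symmetric:
                src, dst = key
                return src if dst == remote else None
            return key             # cone: the binding is valid for any remote
        return None


def stun_then_call(nat):
    """Learn a public address via STUN, then check whether a peer can reply to it."""
    advertised = nat.outbound(HOST, STUN_SERVER)    # address the STUN server reports back
    seen_by_peer = nat.outbound(HOST, PEER)         # address the peer actually observes
    delivered = nat.inbound(advertised[1], PEER)    # peer replies to the STUN-learned address
    return {"advertised": advertised, "seen_by_peer": seen_by_peer,
            "reply_delivered": delivered == HOST}


if __name__ == "__main__":
    for label, symmetric in (("cone", False), ("symmetric", True)):
        print(label, stun_then_call(ToyNat("203.0.113.10", symmetric)))
```
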