Section 1 states:

   Implementations and deployments of a STUN usage using TLS or DTLS
   should follow the recommendations in [RFC7525].

Wouldn't the security considerations be a better location for that text?

And given that this specification cites RFC 8174, I suggest changing
"should" to "SHOULD".

(I suggest that the authors review the usage of lowercase and uppercase
requirements keywords, because there might be inconsistencies, e.g., in
the first paragraphs of Section 6.1 and Section 6.2.)

In Section 4, please consider spelling out "SIP" on first use and
including a reference to RFC 3261.

The first paragaraph of Section 6.2.3 restates recommendations from RFC
7525; why not simply reference that specification?

Section 6.3.4 states:

   o  If the error code is 500 through 599, the client MAY resend the
      request; clients that do so MUST limit the number of times they do
      this.

It is reasonable to provide guidance as to the number of re-sends?

Section 9.1.1 and other sections invoke the OpaqueString profile of the
PRECIS FreeformClass; it might be helpful to mention that the profile is
used to handle Unicode characters outside the ASCII range, and that no
changes result if only ASCII characters are used.

In Section 14.2, please consider spelling out "ALG" on first use.

A reference to RFC 6151 seems appropriate regarding the fact that this
specification retains the use of MD5; in particular, the usage here is
actually HMAC-MD5, which is still sanctioned by RFC 6151.