summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc6887.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc6887.txt')
-rw-r--r--doc/rfc/rfc6887.txt4931
1 files changed, 4931 insertions, 0 deletions
diff --git a/doc/rfc/rfc6887.txt b/doc/rfc/rfc6887.txt
new file mode 100644
index 0000000..7e5c038
--- /dev/null
+++ b/doc/rfc/rfc6887.txt
@@ -0,0 +1,4931 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) D. Wing, Ed.
+Request for Comments: 6887 Cisco
+Category: Standards Track S. Cheshire
+ISSN: 2070-1721 Apple
+ M. Boucadair
+ France Telecom
+ R. Penno
+ Cisco
+ P. Selkirk
+ ISC
+ April 2013
+
+
+ Port Control Protocol (PCP)
+
+Abstract
+
+ The Port Control Protocol allows an IPv6 or IPv4 host to control how
+ incoming IPv6 or IPv4 packets are translated and forwarded by a
+ Network Address Translator (NAT) or simple firewall, and also allows
+ a host to optimize its outgoing NAT keepalive messages.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc6887.
+
+Copyright Notice
+
+ Copyright (c) 2013 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+
+
+
+Wing, et al. Standards Track [Page 1]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2.1. Deployment Scenarios . . . . . . . . . . . . . . . . . . . 5
+ 2.2. Supported Protocols . . . . . . . . . . . . . . . . . . . 5
+ 2.3. Single-Homed Customer Premises Network . . . . . . . . . . 5
+ 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 4. Relationship between PCP Server and Its PCP-Controlled
+ Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
+ 5. Note on Fixed-Size Addresses . . . . . . . . . . . . . . . . . 10
+ 6. Protocol Design Note . . . . . . . . . . . . . . . . . . . . . 11
+ 7. Common Request and Response Header Format . . . . . . . . . . 13
+ 7.1. Request Header . . . . . . . . . . . . . . . . . . . . . . 14
+ 7.2. Response Header . . . . . . . . . . . . . . . . . . . . . 15
+ 7.3. Options . . . . . . . . . . . . . . . . . . . . . . . . . 16
+ 7.4. Result Codes . . . . . . . . . . . . . . . . . . . . . . . 19
+ 8. General PCP Operation . . . . . . . . . . . . . . . . . . . . 20
+ 8.1. General PCP Client: Generating a Request . . . . . . . . . 21
+ 8.1.1. PCP Client Retransmission . . . . . . . . . . . . . . 22
+ 8.2. General PCP Server: Processing a Request . . . . . . . . . 24
+ 8.3. General PCP Client: Processing a Response . . . . . . . . 25
+ 8.4. Multi-Interface Issues . . . . . . . . . . . . . . . . . . 27
+ 8.5. Epoch . . . . . . . . . . . . . . . . . . . . . . . . . . 27
+ 9. Version Negotiation . . . . . . . . . . . . . . . . . . . . . 29
+ 10. Introduction to MAP and PEER Opcodes . . . . . . . . . . . . . 30
+ 10.1. For Operating a Server . . . . . . . . . . . . . . . . . . 33
+ 10.2. For Operating a Symmetric Client/Server . . . . . . . . . 35
+ 10.3. For Reducing NAT or Firewall Keepalive Messages . . . . . 37
+ 10.4. For Restoring Lost Implicit TCP Dynamic Mapping State . . 38
+ 11. MAP Opcode . . . . . . . . . . . . . . . . . . . . . . . . . . 39
+ 11.1. MAP Operation Packet Formats . . . . . . . . . . . . . . . 40
+ 11.2. Generating a MAP Request . . . . . . . . . . . . . . . . . 43
+ 11.2.1. Renewing a Mapping . . . . . . . . . . . . . . . . . . 44
+ 11.3. Processing a MAP Request . . . . . . . . . . . . . . . . . 44
+ 11.4. Processing a MAP Response . . . . . . . . . . . . . . . . 48
+ 11.5. Address Change Events . . . . . . . . . . . . . . . . . . 49
+ 11.6. Learning the External IP Address Alone . . . . . . . . . . 50
+ 12. PEER Opcode . . . . . . . . . . . . . . . . . . . . . . . . . 50
+ 12.1. PEER Operation Packet Formats . . . . . . . . . . . . . . 51
+ 12.2. Generating a PEER Request . . . . . . . . . . . . . . . . 54
+ 12.3. Processing a PEER Request . . . . . . . . . . . . . . . . 55
+ 12.4. Processing a PEER Response . . . . . . . . . . . . . . . . 56
+
+
+
+
+
+Wing, et al. Standards Track [Page 2]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ 13. Options for MAP and PEER Opcodes . . . . . . . . . . . . . . . 57
+ 13.1. THIRD_PARTY Option for MAP and PEER Opcodes . . . . . . . 57
+ 13.2. PREFER_FAILURE Option for MAP Opcode . . . . . . . . . . . 59
+ 13.3. FILTER Option for MAP Opcode . . . . . . . . . . . . . . . 61
+ 14. Rapid Recovery . . . . . . . . . . . . . . . . . . . . . . . . 63
+ 14.1. ANNOUNCE Opcode . . . . . . . . . . . . . . . . . . . . . 64
+ 14.1.1. ANNOUNCE Operation . . . . . . . . . . . . . . . . . . 65
+ 14.1.2. Generating and Processing a Solicited ANNOUNCE
+ Message . . . . . . . . . . . . . . . . . . . . . . . 65
+ 14.1.3. Generating and Processing an Unsolicited ANNOUNCE
+ Message . . . . . . . . . . . . . . . . . . . . . . . 66
+ 14.2. PCP Mapping Update . . . . . . . . . . . . . . . . . . . . 67
+ 15. Mapping Lifetime and Deletion . . . . . . . . . . . . . . . . 69
+ 15.1. Lifetime Processing for the MAP Opcode . . . . . . . . . . 71
+ 16. Implementation Considerations . . . . . . . . . . . . . . . . 72
+ 16.1. Implementing MAP with EDM Port-Mapping NAT . . . . . . . . 72
+ 16.2. Lifetime of Explicit and Implicit Dynamic Mappings . . . . 72
+ 16.3. PCP Failure Recovery . . . . . . . . . . . . . . . . . . . 72
+ 16.3.1. Recreating Mappings . . . . . . . . . . . . . . . . . 73
+ 16.3.2. Maintaining Mappings . . . . . . . . . . . . . . . . . 73
+ 16.3.3. SCTP . . . . . . . . . . . . . . . . . . . . . . . . . 74
+ 16.4. Source Address Replicated in PCP Header . . . . . . . . . 75
+ 16.5. State Diagram . . . . . . . . . . . . . . . . . . . . . . 76
+ 17. Deployment Considerations . . . . . . . . . . . . . . . . . . 77
+ 17.1. Ingress Filtering . . . . . . . . . . . . . . . . . . . . 77
+ 17.2. Mapping Quota . . . . . . . . . . . . . . . . . . . . . . 77
+ 18. Security Considerations . . . . . . . . . . . . . . . . . . . 78
+ 18.1. Simple Threat Model . . . . . . . . . . . . . . . . . . . 78
+ 18.1.1. Attacks Considered . . . . . . . . . . . . . . . . . . 79
+ 18.1.2. Deployment Examples Supporting the Simple Threat
+ Model . . . . . . . . . . . . . . . . . . . . . . . . 79
+ 18.2. Advanced Threat Model . . . . . . . . . . . . . . . . . . 80
+ 18.3. Residual Threats . . . . . . . . . . . . . . . . . . . . . 80
+ 18.3.1. Denial of Service . . . . . . . . . . . . . . . . . . 80
+ 18.3.2. Ingress Filtering . . . . . . . . . . . . . . . . . . 81
+ 18.3.3. Mapping Theft . . . . . . . . . . . . . . . . . . . . 81
+ 18.3.4. Attacks against Server Discovery . . . . . . . . . . . 81
+ 19. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 82
+ 19.1. Port Number . . . . . . . . . . . . . . . . . . . . . . . 82
+ 19.2. Opcodes . . . . . . . . . . . . . . . . . . . . . . . . . 82
+ 19.3. Result Codes . . . . . . . . . . . . . . . . . . . . . . . 82
+ 19.4. Options . . . . . . . . . . . . . . . . . . . . . . . . . 82
+ 20. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 83
+ 21. References . . . . . . . . . . . . . . . . . . . . . . . . . . 84
+ 21.1. Normative References . . . . . . . . . . . . . . . . . . . 84
+ 21.2. Informative References . . . . . . . . . . . . . . . . . . 84
+ Appendix A. NAT-PMP Transition . . . . . . . . . . . . . . . . . . 87
+
+
+
+
+Wing, et al. Standards Track [Page 3]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+1. Introduction
+
+ The Port Control Protocol (PCP) provides a mechanism to control how
+ incoming packets are forwarded by upstream devices such as Network
+ Address Translator IPv6/IPv4 (NAT64), Network Address Translator
+ IPv4/IPv4 (NAT44), and IPv6 and IPv4 firewall devices, and a
+ mechanism to reduce application keepalive traffic. PCP is designed
+ to be implemented in the context of Carrier-Grade NATs (CGNs) and
+ small NATs (e.g., residential NATs), as well as with dual-stack and
+ IPv6-only Customer Premises Equipment (CPE) routers, and all of the
+ currently known transition scenarios towards IPv6-only CPE routers.
+ PCP allows hosts to operate servers for a long time (e.g., a network-
+ attached home security camera) or a short time (e.g., while playing a
+ game or on a phone call) when behind a NAT device, including when
+ behind a CGN operated by their Internet service provider or an IPv6
+ firewall integrated in their CPE router.
+
+ PCP allows applications to create mappings from an external IP
+ address, protocol, and port to an internal IP address, protocol, and
+ port. These mappings are required for successful inbound
+ communications destined to machines located behind a NAT or a
+ firewall.
+
+ After creating a mapping for incoming connections, it is necessary to
+ inform remote computers about the IP address, protocol, and port for
+ the incoming connection. This is usually done in an application-
+ specific manner. For example, a computer game might use a rendezvous
+ server specific to that game (or specific to that game developer), a
+ SIP phone would use a SIP proxy, and a client using DNS-Based Service
+ Discovery [RFC6763] would use DNS Update [RFC2136] [RFC3007]. PCP
+ does not provide this rendezvous function. The rendezvous function
+ may support IPv4, IPv6, or both. Depending on that support and the
+ application's support of IPv4 or IPv6, the PCP client may need an
+ IPv4 mapping, an IPv6 mapping, or both.
+
+ Many NAT-friendly applications send frequent application-level
+ messages to ensure that their session will not be timed out by a NAT.
+ These are commonly called "NAT keepalive" messages, even though they
+ are not sent to the NAT itself (rather, they are sent 'through' the
+ NAT). These applications can reduce the frequency of such NAT
+ keepalive messages by using PCP to learn (and influence) the NAT
+ mapping lifetime. This helps reduce bandwidth on the subscriber's
+ access network, traffic to the server, and battery consumption on
+ mobile devices.
+
+ Many NATs and firewalls include Application Layer Gateways (ALGs) to
+ create mappings for applications that establish additional streams or
+ accept incoming connections. ALGs incorporated into NATs may also
+
+
+
+Wing, et al. Standards Track [Page 4]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ modify the application payload. Industry experience has shown that
+ these ALGs are detrimental to protocol evolution. PCP allows an
+ application to create its own mappings in NATs and firewalls,
+ reducing the incentive to deploy ALGs in NATs and firewalls.
+
+2. Scope
+
+2.1. Deployment Scenarios
+
+ PCP can be used in various deployment scenarios, including:
+
+ o Basic NAT [RFC3022]
+
+ o Network Address and Port Translation [RFC3022], such as commonly
+ deployed in residential NAT devices
+
+ o Carrier-Grade NAT [RFC6888]
+
+ o Dual-Stack Lite (DS-Lite) [RFC6333]
+
+ o NAT that is Layer-2 Aware [L2NAT]
+
+ o Dual-Stack Extra Lite [RFC6619]
+
+ o NAT64, both Stateless [RFC6145] and Stateful [RFC6146]
+
+ o IPv4 and IPv6 simple firewall control [RFC6092]
+
+ o IPv6-to-IPv6 Network Prefix Translation (NPTv6) [RFC6296]
+
+2.2. Supported Protocols
+
+ The PCP Opcodes defined in this document are designed to support
+ transport-layer protocols that use a 16-bit port number (e.g., TCP,
+ UDP, Stream Control Transmission Protocol (SCTP) [RFC4960], and
+ Datagram Congestion Control Protocol (DCCP) [RFC4340]). Protocols
+ that do not use a port number (e.g., Resource Reservation Protocol
+ (RSVP), IP Encapsulating Security Payload (ESP) [RFC4303], ICMP, and
+ ICMPv6) are supported for IPv4 firewall, IPv6 firewall, and NPTv6
+ functions, but are out of scope for any NAT functions.
+
+2.3. Single-Homed Customer Premises Network
+
+ PCP assumes a single-homed IP address model. That is, for a given IP
+ address of a host, only one default route exists to reach other hosts
+ on the Internet from that source IP address. This is important
+ because after a PCP mapping is created and an inbound packet (e.g.,
+ TCP SYN) is rewritten and delivered to a host, the outbound response
+
+
+
+Wing, et al. Standards Track [Page 5]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ (e.g., TCP SYNACK) has to go through the same (reverse) path so it
+ passes through the same NAT to have the necessary inverse rewrite
+ performed. This restriction exists because otherwise there would
+ need to be a PCP-enabled NAT for every egress (because the host could
+ not reliably determine which egress path packets would take), and the
+ client would need to be able to reliably make the same internal/
+ external mapping in every NAT gateway, which in general is not
+ possible (because the other NATs might already have the necessary
+ external port mapped to another host).
+
+3. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].
+
+ Internal Host:
+ A host served by a NAT gateway, or protected by a firewall. This
+ is the host that will receive incoming traffic resulting from a
+ PCP mapping request, or the host that initiated an implicit
+ dynamic outbound mapping (e.g., by sending a TCP SYN) across a
+ firewall or a NAT.
+
+ Remote Peer Host:
+ A host with which an internal host is communicating. This can
+ include another internal host (or even the same internal host); if
+ a NAT is involved, the NAT would need to hairpin the traffic
+ [RFC4787].
+
+ Internal Address:
+ The address of an internal host served by a NAT gateway or
+ protected by a firewall.
+
+ External Address:
+ The address of an internal host as seen by other remote peers on
+ the Internet with which the internal host is communicating, after
+ translation by any NAT gateways on the path. An external address
+ is generally a public routable (i.e., non-private) address. In
+ the case of an internal host protected by a pure firewall, with no
+ address translation on the path, its external address is the same
+ as its internal address.
+
+ Endpoint-Dependent Mapping (EDM): A term applied to NAT operation
+ where an implicit mapping created by outgoing traffic (e.g., TCP
+ SYN) from a single internal address, protocol, and port to
+ different remote peers and ports may be assigned different
+ external ports, and a subsequent PCP mapping request for that
+
+
+
+Wing, et al. Standards Track [Page 6]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ internal address, protocol, and port may be assigned yet another
+ different external port. This term encompasses both Address-
+ Dependent Mapping and Address and Port-Dependent Mapping
+ [RFC4787].
+
+ Endpoint-Independent Mapping (EIM): A term applied to NAT operation
+ where all mappings from a single internal address, protocol, and
+ port to different remote peers and ports are all assigned the same
+ external address and port.
+
+ Remote Peer Address:
+ The address of a remote peer, as seen by the internal host. A
+ remote address is generally a publicly routable address. In the
+ case of a remote peer that is itself served by a NAT gateway, the
+ remote address may in fact be the remote peer's external address,
+ but since this remote translation is generally invisible to
+ software running on the internal host, the distinction can safely
+ be ignored for the purposes of this document.
+
+ Third Party:
+ In the common case, an internal host manages its own mappings
+ using PCP requests, and the internal address of those mappings is
+ the same as the source IP address of the PCP request packet.
+
+ In the case where one device is managing mappings on behalf of
+ some other device that does not implement PCP, the presence of the
+ THIRD_PARTY option in the MAP request signifies that the specified
+ address, rather than the source IP address of the PCP request
+ packet, should be used as the internal address for the mapping.
+
+ Mapping, Port Mapping, Port Forwarding:
+ A NAT mapping creates a relationship between an internal IP
+ address, protocol, and port, and an external IP address, protocol,
+ and port. More specifically, it creates a translation rule where
+ packets destined *to* the external IP address, protocol, and port
+ have their destination address and port translated to the internal
+ address and port, and conversely, packets *from* the internal IP
+ address, protocol, and port have their source address and port
+ translated to the external address and port. In the case of a
+ pure firewall, the "mapping" is the identity function, translating
+ an internal IP address, protocol, and port number to the same
+ external IP address, protocol, and port number. Firewall
+ filtering, applied in addition to that identity mapping function,
+ is separate from the mapping itself.
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 7]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ Mapping Types:
+ There are three dimensions to classifying mapping types: how they
+ are created (implicitly/explicitly), their primary purpose
+ (outbound/inbound), and how they are deleted (dynamic/static).
+ Implicit mappings are created as a side effect of some other
+ operation; explicit mappings are created by a mechanism explicitly
+ dealing with mappings. Outbound mappings exist primarily to
+ facilitate outbound communication; inbound mappings exist
+ primarily to facilitate inbound communication. Dynamic mappings
+ are deleted when their lifetime expires, or through other protocol
+ action; static mappings are permanent until the user chooses to
+ delete them.
+
+ * Implicit dynamic mappings are created implicitly as a side
+ effect of traffic such as an outgoing TCP SYN or outgoing UDP
+ packet. Such packets were not originally designed explicitly
+ for creating NAT (or firewall) state, but they can have that
+ effect when they pass through a NAT (or firewall) device.
+ Implicit dynamic mappings usually have a finite lifetime,
+ though this lifetime is generally not known to the client using
+ them.
+
+ * Explicit dynamic mappings are created as a result of explicit
+ PCP MAP and PEER requests. Like a DHCP address lease, explicit
+ dynamic mappings have a finite lifetime, and this lifetime is
+ communicated to the client. As with a DHCP address lease, if
+ the client wants a mapping to persist the client must prove
+ that it is still present by periodically renewing the mapping
+ to prevent it from expiring. If a PCP client goes away, then
+ any mappings it created will be automatically cleaned up when
+ they expire.
+
+ * Explicit static mappings are created by manual configuration
+ (e.g., via command-line interface or other user interface) and
+ persist until the user changes that manual configuration.
+
+ Both implicit and explicit dynamic mappings are dynamic in the
+ sense that they are created on demand, as requested (implicitly or
+ explicitly) by the internal host, and have a lifetime. After the
+ lifetime, the mapping is deleted unless the lifetime is extended
+ by action by the internal host (e.g., sending more traffic or
+ sending another PCP request).
+
+ Static mappings are, by their nature, always explicit. Static
+ mappings differ from explicit dynamic mappings in that their
+ lifetime is effectively infinite (they exist until manually
+ removed), but otherwise they behave exactly the same as explicit
+ MAP mappings.
+
+
+
+Wing, et al. Standards Track [Page 8]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ While all mappings are, by necessity, bidirectional (most Internet
+ communication requires information to flow in both directions for
+ successful operation), when talking about mappings, it can be
+ helpful to identify them loosely according to their 'primary'
+ purpose.
+
+ * Outbound mappings exist primarily to enable outbound
+ communication. For example, when a host calls connect() to
+ make an outbound connection, a NAT gateway will create an
+ implicit dynamic outbound mapping to facilitate that outbound
+ communication.
+
+ * Inbound mappings exist primarily to enable listening servers to
+ receive inbound connections. Generally, when a client calls
+ listen() to listen for inbound connections, a NAT gateway will
+ not implicitly create any mapping to facilitate that inbound
+ communication. A PCP MAP request can be used explicitly to
+ create a dynamic inbound mapping to enable the desired inbound
+ communication.
+
+ Explicit static (manual) mappings and explicit dynamic (MAP)
+ mappings both allow internal hosts to receive inbound traffic that
+ is not in direct response to any immediately preceding outbound
+ communication (i.e., to allow internal hosts to operate a "server"
+ that is accessible to other hosts on the Internet).
+
+ PCP Client:
+ A PCP software instance responsible for issuing PCP requests to a
+ PCP server. Several independent PCP clients can exist on the same
+ host. Several PCP clients can be located in the same local
+ network. A PCP client can issue PCP requests on behalf of a
+ third-party device for which it is authorized to do so. An
+ interworking function from Universal Plug and Play Internet
+ Gateway Device (UPnP IGDv1 [IGDv1]) to PCP is another example of a
+ PCP client. A PCP server in a NAT gateway that is itself a client
+ of another NAT gateway (nested NAT) may itself act as a PCP client
+ to the upstream NAT.
+
+ PCP-Controlled Device:
+ A NAT or firewall that controls or rewrites packet flows between
+ internal hosts and remote peer hosts. PCP manages the mappings on
+ this device.
+
+ PCP Server:
+ A PCP software instance that resides on the PCP-Controlled Device
+ that receives PCP requests from the PCP client and creates
+ appropriate state in response to that request.
+
+
+
+
+Wing, et al. Standards Track [Page 9]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ Subscriber:
+ The unit of billing for a commercial ISP. A subscriber may have a
+ single IP address from the commercial ISP (which can be shared
+ among multiple hosts using a NAT gateway, thereby making them
+ appear to be a single host to the ISP) or may have multiple IP
+ addresses provided by the commercial ISP. In either case, the IP
+ address or addresses provided by the ISP may themselves be further
+ translated by a Carrier-Grade NAT (CGN) operated by the ISP.
+
+4. Relationship between PCP Server and Its PCP-Controlled Device
+
+ The PCP server receives and responds to PCP requests. The PCP server
+ functionality is typically a capability of a NAT or firewall device,
+ as shown in Figure 1. It is also possible for the PCP functionality
+ to be provided by some other device, which communicates with the
+ actual NAT(s) or firewall(s) via some other proprietary mechanism, as
+ long as from the PCP client's perspective such split operation is
+ indistinguishable from the integrated case.
+
+ +-----------------+
+ +------------+ | NAT or firewall |
+ | PCP client |-<network>-+ with +---<Internet>
+ +------------+ | PCP server |
+ +-----------------+
+
+ Figure 1: PCP-Enabled NAT or Firewall
+
+ A NAT or firewall device, between the PCP client and the Internet,
+ might implement simple or advanced firewall functionality. This may
+ be a side effect of the technology implemented by the device (e.g., a
+ network address and port translator, by virtue of its port rewriting,
+ normally requires connections to be initiated from an inside host
+ towards the Internet), or this might be an explicit firewall policy
+ to deny unsolicited traffic from the Internet. Some firewall devices
+ deny certain unsolicited traffic from the Internet (e.g., TCP, UDP to
+ most ports) but allow certain other unsolicited traffic from the
+ Internet (e.g., UDP port 500 and IP ESP) [RFC6092]. Such default
+ filtering (or lack thereof) is out of scope of PCP itself. If a
+ client device wants to receive traffic and supports PCP, and does not
+ possess prior knowledge of such default filtering policy, it SHOULD
+ use PCP to request the necessary mappings to receive the desired
+ traffic.
+
+5. Note on Fixed-Size Addresses
+
+ For simplicity in building and parsing request and response packets,
+ PCP always uses fixed-size 128-bit IP address fields for both IPv6
+ addresses and IPv4 addresses.
+
+
+
+Wing, et al. Standards Track [Page 10]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ When the address field holds an IPv6 address, the fixed-size 128-bit
+ IP address field holds the IPv6 address stored as is.
+
+ When the address field holds an IPv4 address, an IPv4-mapped IPv6
+ address [RFC4291] is used (::ffff:0:0/96). This has the first 80
+ bits set to zero and the next 16 set to one, while its last 32 bits
+ are filled with the IPv4 address. This is unambiguously
+ distinguishable from a native IPv6 address, because an IPv4-mapped
+ IPv6 address [RFC4291] would not be valid for a mapping.
+
+ When checking for an IPv4-mapped IPv6 address, all of the first 96
+ bits MUST be checked for the pattern -- it is not sufficient to check
+ for ones in bits 81-96.
+
+ The all-zeros IPv6 address MUST be expressed by filling the
+ fixed-size 128-bit IP address field with all zeros (::).
+
+ The all-zeros IPv4 address MUST be expressed by 80 bits of zeros,
+ 16 bits of ones, and 32 bits of zeros (::ffff:0:0).
+
+6. Protocol Design Note
+
+ PCP can be viewed as a request/response protocol, much like many
+ other UDP-based request/response protocols, and can be implemented
+ perfectly well as such. It can also be viewed as what might be
+ called a hint/notification protocol, and this observation can help
+ simplify implementations.
+
+ Rather than viewing the message streams between PCP client and PCP
+ server as following a strict request/response pattern, where every
+ response is associated with exactly one request, the message flows
+ can be viewed as two somewhat independent streams carrying
+ information in opposite directions:
+
+ o A stream of hints flowing from PCP client to PCP server, where the
+ client indicates to the server what it would like the state of its
+ mappings to be, and
+
+ o A stream of notifications flowing from PCP server to PCP client,
+ where the server informs the clients what the state of its
+ mappings actually is.
+
+ To an extent, some of this approach is required anyway in a UDP-based
+ request/response protocol, since UDP packets can be lost, duplicated,
+ or reordered.
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 11]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ In this view of the protocol, the client transmits hints to the
+ server at various intervals signaling its desires, and the server
+ transmits notifications to the client signaling the actual state of
+ its mappings. These two message flows are loosely correlated in that
+ a client request (hint) usually elicits a server response
+ (notification), but only loosely, in that a client request may result
+ in no server response (in the case of packet loss), and a server
+ response may be generated gratuitously without an immediately
+ preceding client request (in the case where server configuration
+ change, e.g., change of external IP address on a NAT gateway, results
+ in a change of mapping state).
+
+ The exact times that client requests are sent are influenced by a
+ client timing state machine taking into account whether (i) the
+ client has not yet received a response from the server for a prior
+ request (retransmission), or (ii) the client has previously received
+ a response from the server saying how long the indicated mapping
+ would remain active (renewal). This design philosophy is the reason
+ why PCP's retransmissions and renewals are exactly the same packet on
+ the wire. Typically, retransmissions are sent with exponentially
+ increasing intervals as the client waits for the server to respond,
+ whereas renewals are sent with exponentially decreasing intervals as
+ the expiry time approaches, but, from the server's point of view,
+ both packets are identical, and both signal the client's desire that
+ the stated mapping exist or continue to exist.
+
+ A PCP server usually sends responses as a direct result of client
+ requests, but not always. For example, if a server is too overloaded
+ to respond, it is allowed to silently ignore a request message and
+ let the client retransmit. Also, if external factors cause a NAT
+ gateway or firewall's configuration to change, then the PCP server
+ can send unsolicited responses to clients informing them of the new
+ state of their mappings. Such reconfigurations are expected to be
+ rare, because of the disruption they can cause to clients, but should
+ they happen, PCP provides a way for servers to communicate the new
+ state to clients promptly, without having to wait for the next
+ periodic renewal request.
+
+ This design goal helps explain why PCP request and response messages
+ have no transaction ID, because such a transaction ID is unnecessary,
+ and would unnecessarily limit the protocol and unnecessarily
+ complicate implementations. A PCP server response (i.e.,
+ notification) is self-describing and complete. It communicates the
+ internal and external addresses, protocol, and ports for a mapping,
+ and its remaining lifetime. If the client does in fact currently
+ want such a mapping to exist, then it can identify the mapping in
+ question from the internal address, protocol, and port, and update
+ its state to reflect the current external address and port, and
+
+
+
+Wing, et al. Standards Track [Page 12]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ remaining lifetime. If a client does not currently want such a
+ mapping to exist, then it can safely ignore the message. No client
+ action is required for unexpected mapping notifications. In today's
+ world, a NAT gateway can have a static mapping, and the client device
+ has no explicit knowledge of this, and no way to change the fact.
+ Also, in today's world, a client device can be connected directly to
+ the public Internet, with a globally routable IP address, and, in
+ this case, it effectively has "mappings" for all of its listening
+ ports. Such a device has to be responsible for its own security and
+ cannot rely on assuming that some other network device will be
+ blocking all incoming packets.
+
+7. Common Request and Response Header Format
+
+ All PCP messages are sent over UDP, with a maximum UDP payload length
+ of 1100 octets. The PCP messages contain a request or response
+ header containing an Opcode, any relevant Opcode-specific
+ information, and zero or more options. All numeric quantities larger
+ than a single octet (e.g., result codes, lifetimes, Epoch times,
+ etc.) are represented in conventional IETF network order, i.e., most
+ significant octet first. Non-numeric quantities are represented as
+ is on all platforms, with no byte swapping (e.g., IP addresses and
+ ports are placed in PCP messages using the same representation as
+ when placed in IP or TCP headers).
+
+ The packet layout for the common header, and operation of the PCP
+ client and PCP server, are described in the following sections. The
+ information in this section applies to all Opcodes. Behavior of the
+ Opcodes defined in this document is described in Sections 10, 11, and
+ 12.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 13]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+7.1. Request Header
+
+ All requests have the following format:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Version = 2 |R| Opcode | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Requested Lifetime (32 bits) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | PCP Client's IP Address (128 bits) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ : :
+ : (optional) Opcode-specific information :
+ : :
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ : :
+ : (optional) PCP Options :
+ : :
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 2: Common Request Packet Format
+
+ These fields are described below:
+
+ Version: This document specifies protocol version 2. PCP clients
+ and servers compliant with this document use the value 2. This
+ field is used for version negotiation as described in Section 9.
+
+ R: Indicates Request (0) or Response (1).
+
+ Opcode: A 7-bit value specifying the operation to be performed. MAP
+ and PEER Opcodes are defined in Sections 11 and 12.
+
+ Reserved: 16 reserved bits. MUST be zero on transmission and MUST
+ be ignored on reception.
+
+ Requested Lifetime: An unsigned 32-bit integer, in seconds, ranging
+ from 0 to 2^32-1 seconds. This is used by the MAP and PEER
+ Opcodes defined in this document for their requested lifetime.
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 14]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ PCP Client's IP Address: The source IPv4 or IPv6 address in the IP
+ header used by the PCP client when sending this PCP request. An
+ IPv4 address is represented using an IPv4-mapped IPv6 address.
+ The PCP Client IP Address in the PCP message header is used to
+ detect an unexpected NAT on the path between the PCP client and
+ the PCP-controlled NAT or firewall device. See Section 8.1.
+
+ Opcode-specific information: Payload data for this Opcode. The
+ length of this data is determined by the Opcode definition.
+
+ PCP Options: Zero, one, or more options that are legal for both a
+ PCP request and for this Opcode. See Section 7.3.
+
+7.2. Response Header
+
+ All responses have the following format:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Version = 2 |R| Opcode | Reserved | Result Code |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Lifetime (32 bits) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Epoch Time (32 bits) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Reserved (96 bits) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ : :
+ : (optional) Opcode-specific response data :
+ : :
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ : (optional) Options :
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 3: Common Response Packet Format
+
+ These fields are described below:
+
+ Version: Responses from servers compliant with this specification
+ MUST use version 2. This is set by the server.
+
+ R: Indicates Request (0) or Response (1). All Responses MUST use 1.
+ This is set by the server.
+
+
+
+
+
+Wing, et al. Standards Track [Page 15]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ Opcode: The 7-bit Opcode value. The server copies this value from
+ the request.
+
+ Reserved: 8 reserved bits, MUST be sent as 0, MUST be ignored when
+ received. This is set by the server.
+
+ Result Code: The result code for this response. See Section 7.4 for
+ values. This is set by the server.
+
+ Lifetime: An unsigned 32-bit integer, in seconds, ranging from 0 to
+ 2^32-1 seconds. On an error response, this indicates how long
+ clients should assume they'll get the same error response from
+ that PCP server if they repeat the same request. On a success
+ response for the PCP Opcodes that create a mapping (MAP and PEER),
+ the Lifetime field indicates the lifetime for this mapping. This
+ is set by the server.
+
+ Epoch Time: The server's Epoch Time value. See Section 8.5 for
+ discussion. This value is set by the server, in both success and
+ error responses.
+
+ Reserved: 96 reserved bits. For requests that were successfully
+ parsed, this MUST be sent as 0, MUST be ignored when received.
+ This is set by the server. For requests that were not
+ successfully parsed, the server copies the last 96 bits of the PCP
+ Client's IP Address field from the request message into this
+ corresponding 96-bit field of the response.
+
+ Opcode-specific information: Payload data for this Opcode. The
+ length of this data is determined by the Opcode definition.
+
+ PCP Options: Zero, one, or more options that are legal for both a
+ PCP response and for this Opcode. See Section 7.3.
+
+7.3. Options
+
+ A PCP Opcode can be extended with one or more options. Options can
+ be used in requests and responses. The design decisions in this
+ specification about whether to include a given piece of information
+ in the base Opcode format or in an option were an engineering trade-
+ off between packet size and code complexity. For information that is
+ usually (or always) required, placing it in the fixed Opcode data
+ results in simpler code to generate and parse the packet, because the
+ information is a fixed location in the Opcode data, but wastes space
+ in the packet in the event that field is all zeros because the
+ information is not needed or not relevant. For information that is
+ required less often, placing it in an option results in slightly more
+ complicated code to generate and parse packets containing that
+
+
+
+Wing, et al. Standards Track [Page 16]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ option, but saves space in the packet when that information is not
+ needed. Placing information in an option also means that an
+ implementation that never uses that information doesn't even need to
+ implement code to generate and parse it. For example, a client that
+ never requests mappings on behalf of some other device doesn't need
+ to implement code to generate the THIRD_PARTY option, and a PCP
+ server that doesn't implement the necessary security measures to
+ create third-party mappings safely doesn't need to implement code to
+ parse the THIRD_PARTY option.
+
+ Options use the following Type-Length-Value format:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Option Code | Reserved | Option Length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ : (optional) Data :
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 4: Options Header
+
+ The description of the fields is as follows:
+
+ Option Code: 8 bits. Its most significant bit indicates if this
+ option is mandatory (0) or optional (1) to process.
+
+ Reserved: 8 bits. MUST be set to 0 on transmission and MUST be
+ ignored on reception.
+
+ Option Length: 16 bits. Indicates the length of the enclosed data,
+ in octets. Options with length of 0 are allowed. Options that
+ are not a multiple of 4 octets long are followed by one, two, or
+ three 0 octets to pad their effective length in the packet to be a
+ multiple of 4 octets. The Option Length reflects the semantic
+ length of the option, not including any padding octets.
+
+ Data: Option data.
+
+ If several options are included in a PCP request, they MAY be encoded
+ in any order by the PCP client, but MUST be processed by the PCP
+ server in the order in which they appear. It is the responsibility
+ of the PCP client to ensure that the server has sufficient room to
+ reply without exceeding the 1100-octet size limit; if its reply would
+ exceed that size, the server generates an error.
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 17]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ If, while processing a PCP request, including its options, an error
+ is encountered that causes a PCP error response to be generated, the
+ PCP request MUST cause no state change in the PCP server or the
+ PCP-controlled device (i.e., it rolls back any tentative changes it
+ might have made while processing the request). Such an error
+ response MUST consist of a complete copy of the request packet with
+ the error code and other appropriate fields set in the header.
+
+ An option MAY appear more than once in a request or in a response, if
+ permitted by the definition of the option. If the option's
+ definition allows the option to appear only once but it appears more
+ than once in a request, and the option is understood by the PCP
+ server, the PCP server MUST respond with the MALFORMED_OPTION result
+ code. If the PCP server encounters an invalid option (e.g., PCP
+ option length is longer than the UDP packet length), the error
+ MALFORMED_OPTION SHOULD be returned (rather than MALFORMED_REQUEST),
+ as that helps the client better understand how the packet was
+ malformed. If a PCP response would have exceeded the maximum PCP
+ message size, the PCP server SHOULD respond with MALFORMED_REQUEST.
+
+ If the overall option structure of a request cannot successfully be
+ parsed (e.g., a nonsensical option length), the PCP server MUST
+ generate an error response with code MALFORMED_OPTION.
+
+ If the overall option structure of a request is valid, then how each
+ individual option is handled is determined by the most significant
+ bit in the option code. If the most significant bit is set, handling
+ this option is optional, and a PCP server MAY process or ignore this
+ option, entirely at its discretion. If the most significant bit is
+ clear, handling this option is mandatory, and a PCP server MUST
+ return the error MALFORMED_OPTION if the option contents are
+ malformed, or UNSUPP_OPTION if the option is unrecognized,
+ unimplemented, or disabled, or if the client is not authorized to use
+ the option. In error responses, all options are returned. In
+ success responses, all processed options are included and unprocessed
+ options are not included.
+
+ Because the PCP client cannot reject a response containing an Option,
+ PCP clients MUST ignore Options that they do not understand that
+ appear in responses, including Options in the mandatory-to-process
+ range. Naturally, if a client explicitly requests an Option where
+ correct execution of that Option requires processing the Option data
+ in the response, that client SHOULD implement code to do that.
+
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 18]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ Different options are valid for different Opcodes. For example:
+
+ o The THIRD_PARTY option is valid for both MAP and PEER Opcodes.
+
+ o The FILTER option is valid only for the MAP Opcode (for the PEER
+ Opcode it would have no meaning).
+
+ o The PREFER_FAILURE option is valid only for the MAP Opcode (for
+ the PEER Opcode, similar semantics are automatically implied).
+
+7.4. Result Codes
+
+ The following result codes may be returned as a result of any Opcode
+ received by the PCP server. The only success result code is 0; other
+ values indicate an error. If a PCP server encounters multiple errors
+ during processing of a request, it SHOULD use the most specific error
+ message. Each error code below is classified as either a 'long
+ lifetime' error or a 'short lifetime' error, which provides guidance
+ to PCP server developers for the value of the Lifetime field for
+ these errors. It is RECOMMENDED that short lifetime errors use a
+ 30-second lifetime and long lifetime errors use a 30-minute lifetime.
+
+ 0 SUCCESS: Success.
+
+ 1 UNSUPP_VERSION: The version number at the start of the PCP Request
+ header is not recognized by this PCP server. This is a long
+ lifetime error. This document describes PCP version 2.
+
+ 2 NOT_AUTHORIZED: The requested operation is disabled for this PCP
+ client, or the PCP client requested an operation that cannot be
+ fulfilled by the PCP server's security policy. This is a long
+ lifetime error.
+
+ 3 MALFORMED_REQUEST: The request could not be successfully parsed.
+ This is a long lifetime error.
+
+ 4 UNSUPP_OPCODE: Unsupported Opcode. This is a long lifetime error.
+
+ 5 UNSUPP_OPTION: Unsupported option. This error only occurs if the
+ option is in the mandatory-to-process range. This is a long
+ lifetime error.
+
+ 6 MALFORMED_OPTION: Malformed option (e.g., appears too many times,
+ invalid length). This is a long lifetime error.
+
+ 7 NETWORK_FAILURE: The PCP server or the device it controls is
+ experiencing a network failure of some sort (e.g., has not yet
+ obtained an external IP address). This is a short lifetime error.
+
+
+
+Wing, et al. Standards Track [Page 19]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ 8 NO_RESOURCES: Request is well-formed and valid, but the server has
+ insufficient resources to complete the requested operation at this
+ time. For example, the NAT device cannot create more mappings at
+ this time, is short of CPU cycles or memory, or is unable to
+ handle the request due to some other temporary condition. The
+ same request may succeed in the future. This is a system-wide
+ error, different from USER_EX_QUOTA. This can be used as a catch-
+ all error, should no other error message be suitable. This is a
+ short lifetime error.
+
+ 9 UNSUPP_PROTOCOL: Unsupported transport protocol, e.g., SCTP in a
+ NAT that handles only UDP and TCP. This is a long lifetime error.
+
+ 10 USER_EX_QUOTA: This attempt to create a new mapping would exceed
+ this subscriber's port quota. This is a short lifetime error.
+
+ 11 CANNOT_PROVIDE_EXTERNAL: The suggested external port and/or
+ external address cannot be provided. This error MUST only be
+ returned for:
+ * MAP requests that included the PREFER_FAILURE option
+ (normal MAP requests will return an available external port)
+ * MAP requests for the SCTP protocol (PREFER_FAILURE is implied)
+ * PEER requests
+
+ See Section 13.2 for details of the PREFER_FAILURE Option. The
+ error lifetime depends on the reason for the failure.
+
+ 12 ADDRESS_MISMATCH: The source IP address of the request packet does
+ not match the contents of the PCP Client's IP Address field, due
+ to an unexpected NAT on the path between the PCP client and the
+ PCP-controlled NAT or firewall. This is a long lifetime error.
+
+ 13 EXCESSIVE_REMOTE_PEERS: The PCP server was not able to create the
+ filters in this request. This result code MUST only be returned
+ if the MAP request contained the FILTER option. See Section 13.3
+ for details of the FILTER Option. This is a long lifetime error.
+
+8. General PCP Operation
+
+ PCP messages MUST be sent over UDP [RFC0768]. Every PCP request
+ generates at least one response, so PCP does not need to run over a
+ reliable transport protocol.
+
+ When receiving multiple identical requests, the PCP server will
+ generally generate identical responses -- barring cases where the PCP
+ server's state changes between those requests due to other activity.
+ As an example of how such a state change could happen, a request
+ could be received while the PCP-controlled device has no mappings
+
+
+
+Wing, et al. Standards Track [Page 20]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ available, and the PCP server will generate an error response. If
+ mappings become available and then another copy of that same request
+ arrives (perhaps duplicated in transit in the network), the PCP
+ server will allocate a mapping and generate a non-error response. A
+ PCP client MUST handle such updated responses for any request it
+ sends, most notably to support rapid recovery (Section 14). Also see
+ the Protocol Design Note (Section 6).
+
+8.1. General PCP Client: Generating a Request
+
+ This section details operation specific to a PCP client, for any
+ Opcode. Procedures specific to the MAP Opcode are described in
+ Section 11, and procedures specific to the PEER Opcode are described
+ in Section 12.
+
+ Prior to sending its first PCP message, the PCP client determines
+ which server to use. The PCP client performs the following steps to
+ determine its PCP server:
+
+ 1. if a PCP server is configured (e.g., in a configuration file or
+ via DHCP), that single configuration source is used as the list
+ of PCP server(s), else
+
+ 2. the default router list (for IPv4 and IPv6) is used as the list
+ of PCP server(s). Thus, if a PCP client has both an IPv4 and
+ IPv6 address, it will have an IPv4 PCP server (its IPv4 default
+ router) for its IPv4 mappings, and an IPv6 PCP server (its IPv6
+ default router) for its IPv6 mappings.
+
+ For the purposes of this document, only a single PCP server address
+ is supported. Should future specifications define configuration
+ methods that provide a longer list of PCP server addresses, those
+ specifications will define how clients select one or more addresses
+ from that list.
+
+ With that PCP server address, the PCP client formulates its PCP
+ request. The PCP request contains a PCP common header, PCP Opcode
+ and payload, and (possibly) options. As with all UDP client software
+ on any operating system, when several independent PCP clients exist
+ on the same host, each uses a distinct source port number to
+ disambiguate their requests and replies. The PCP client's source
+ port SHOULD be randomly generated [RFC6056].
+
+ The PCP client MUST include the source IP address of the PCP message
+ in the PCP request. This is typically its own IP address; see
+ Section 16.4 for how this can be coded. This is used to detect an
+ unexpected NAT on the path between the PCP client and the
+ PCP-controlled NAT or firewall device, to avoid wasting resources on
+
+
+
+Wing, et al. Standards Track [Page 21]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ the PCP-controlled NAT creating pointless non-functional mappings.
+ When such an intervening non-PCP-aware inner NAT is detected,
+ mappings must first be created by some other means in the inner NAT,
+ before mappings can be usefully created in the outer PCP-controlled
+ NAT. Having created mappings in the inner NAT by some other means,
+ the PCP client should then use the inner NAT's external address as
+ the client IP address, to signal to the outer PCP-controlled NAT that
+ the client is aware of the inner NAT, and has taken steps to create
+ mappings in it by some other means, so that mappings created in the
+ outer NAT will not be a pointless waste of resources.
+
+8.1.1. PCP Client Retransmission
+
+ PCP clients are responsible for reliable delivery of PCP request
+ messages. If a PCP client fails to receive an expected response from
+ a server, the client must retransmit its message. The
+ retransmissions MUST use the same Mapping Nonce value (see Sections
+ 11.1 and 12.1). The client begins the message exchange by
+ transmitting a message to the server. The message exchange continues
+ for as long as the client wishes to maintain the mapping, and
+ terminates when the PCP client is no longer interested in the PCP
+ transaction (e.g., the application that requested the mapping is no
+ longer interested in the mapping) or (optionally) when the message
+ exchange is considered to have failed according to the retransmission
+ mechanism described below.
+
+ The client retransmission behavior is controlled and described by the
+ following variables:
+
+ RT: Retransmission timeout, calculated as described below
+
+ IRT: Initial retransmission time, SHOULD be 3 seconds
+
+ MRC: Maximum retransmission count, SHOULD be 0 (0 indicates no
+ maximum)
+
+ MRT: Maximum retransmission time, SHOULD be 1024 seconds
+
+ MRD: Maximum retransmission duration, SHOULD be 0 (0 indicates no
+ maximum)
+
+ RAND: Randomization factor, calculated as described below
+
+ With each message transmission or retransmission, the client sets RT
+ according to the rules given below. If RT expires before a response
+ is received, the client retransmits the request and computes a new
+ RT.
+
+
+
+
+Wing, et al. Standards Track [Page 22]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ Each of the computations of a new RT include a new randomization
+ factor (RAND), which is a random number chosen with a uniform
+ distribution between -0.1 and +0.1. The randomization factor is
+ included to minimize synchronization of messages transmitted by PCP
+ clients. The algorithm for choosing a random number does not need to
+ be cryptographically sound. The algorithm SHOULD produce a different
+ sequence of random numbers from each invocation of the PCP client.
+
+ The RT value is initialized based on IRT:
+
+ RT = (1 + RAND) * IRT
+
+ RT for each subsequent message transmission is based on the previous
+ value of RT, subject to the upper bound on the value of RT specified
+ by MRT. If MRT has a value of 0, there is no upper limit on the
+ value of RT, and MRT is treated as "infinity". The new value of RT
+ is calculated as shown below, where RTprev is the current value of
+ RT:
+
+ RT = (1 + RAND) * MIN (2 * RTprev, MRT)
+
+ MRC specifies an upper bound on the number of times a client may
+ retransmit a message. Unless MRC is zero, the message exchange fails
+ once the client has transmitted the message MRC times.
+
+ MRD specifies an upper bound on the length of time a client may
+ retransmit a message. Unless MRD is zero, the message exchange fails
+ once MRD seconds have elapsed since the client first transmitted the
+ message.
+
+ If both MRC and MRD are non-zero, the message exchange fails whenever
+ either of the conditions specified in the previous two paragraphs are
+ met. If both MRC and MRD are zero, the client continues to transmit
+ the message until it receives a response or the client no longer
+ wants a mapping.
+
+ Once a PCP client has successfully received a response from a PCP
+ server on that interface, it resets RT to a value randomly selected
+ in the range 1/2 to 5/8 of the mapping lifetime, as described in
+ Section 11.2.1, "Renewing a Mapping", and sends subsequent PCP
+ requests for that mapping to that same server.
+
+ Note: If the server's state changes between retransmissions and
+ the server's response is delayed or lost, the state in the PCP
+ client and server may not be synchronized. This is not unique to
+ PCP, but also occurs with other network protocols (e.g., TCP). In
+ the unlikely event that such de-synchronization occurs, PCP heals
+ itself after lifetime seconds.
+
+
+
+Wing, et al. Standards Track [Page 23]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+8.2. General PCP Server: Processing a Request
+
+ This section details operation specific to a PCP server. Processing
+ SHOULD be performed in the order of the following paragraphs.
+
+ A PCP server MUST only accept normal (non-THIRD_PARTY) PCP requests
+ from a client on the same interface from which it would normally
+ receive packets from that client, and it MUST silently ignore PCP
+ requests arriving on any other interface. For example, a residential
+ NAT gateway accepts PCP requests only when they arrive on its (LAN)
+ interface connecting to the internal network, and silently ignores
+ any PCP requests arriving on its external (WAN) interface. A PCP
+ server that supports THIRD_PARTY requests MAY be configured to accept
+ THIRD_PARTY requests on other configured interfaces (see Section 13.1
+ for details on the THIRD_PARTY Option).
+
+ Upon receiving a request, the PCP server parses and validates it. A
+ valid request contains a valid PCP common header, one valid PCP
+ Opcode, and zero or more options (which the server might or might not
+ comprehend). If an error is encountered during processing, the
+ server generates an error response that is sent back to the PCP
+ client. Processing of an Opcode and its options is specific to each
+ Opcode.
+
+ Error responses have the same packet layout as success responses,
+ with certain fields from the request copied into the response, and
+ other fields assigned by the PCP server set as indicated in Figure 3.
+
+ Copying request fields into the response is important because this is
+ what enables a client to identify to which request a given response
+ pertains. For Opcodes that are understood by the PCP server, it
+ follows the requirements of that Opcode to copy the appropriate
+ fields. For Opcodes that are not understood by the PCP server, it
+ simply generates the UNSUPP_OPCODE response and copies fields from
+ the PCP header and copies the rest of the PCP payload as is (without
+ attempting to interpret it).
+
+ All responses (both error and success) contain the same Opcode as the
+ request, but with the "R" bit set.
+
+ Any error response has a non-zero result code, and is created by:
+
+ o Copying the entire UDP payload, or 1100 octets, whichever is less,
+ and zero-padding the response to a multiple of 4 octets if
+ necessary
+ o Setting the R bit
+ o Setting the result code
+ o Setting the Lifetime, Epoch Time, and Reserved fields
+
+
+
+Wing, et al. Standards Track [Page 24]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ o Updating other fields in the response, as indicated by 'set by the
+ server' in the PCP response field description
+
+ A success response has a zero result code, and is created by:
+
+ o Copying the first 4 octets of request packet header
+ o Setting the R bit
+ o Setting the result code to zero
+ o Setting the Lifetime, Epoch Time, and Reserved fields
+ o Possibly setting Opcode-specific response data if appropriate
+ o Adding any processed options to the response message
+
+ If the received PCP request message is less than 2 octets long, it is
+ silently dropped.
+
+ If the R bit is set, the message is silently dropped.
+
+ If the first octet (version) is a version that is not supported, a
+ response is generated with the UNSUPP_VERSION result code, and the
+ Version Negotiation steps detailed in Section 9 are followed.
+
+ Otherwise, if the version is supported but the received message is
+ shorter than 24 octets, the message is silently dropped.
+
+ If the server is overloaded by requests (from a particular client or
+ from all clients), it MAY simply silently discard requests, as the
+ requests will be retried by PCP clients, or it MAY generate the
+ NO_RESOURCES error response.
+
+ If the length of the message exceeds 1100 octets, is not a multiple
+ of 4 octets, or is too short for the Opcode in question, it is
+ invalid and a MALFORMED_REQUEST response is generated, and the
+ response message is truncated to 1100 octets.
+
+ The PCP server compares the source IP address (from the received IP
+ header) with the field PCP Client IP Address. If they do not match,
+ the error ADDRESS_MISMATCH MUST be returned. This is done to detect
+ and prevent accidental use of PCP where a non-PCP-aware NAT exists
+ between the PCP client and PCP server. If the PCP client wants such
+ a mapping, it needs to ensure that the PCP field matches its apparent
+ IP address from the perspective of the PCP server.
+
+8.3. General PCP Client: Processing a Response
+
+ The PCP client receives the response and verifies that the source IP
+ address and port belong to the PCP server of a previously sent PCP
+ request. If not, the response is silently dropped.
+
+
+
+
+Wing, et al. Standards Track [Page 25]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ If the received PCP response message is less than 4 octets long, it
+ is silently dropped.
+
+ If the R bit is clear, the message is silently dropped.
+
+ If the error code is UNSUPP_VERSION, Version Negotiation processing
+ continues as described in Section 9.
+
+ Responses shorter than 24 octets, longer than 1100 octets, or not a
+ multiple of 4 octets are invalid and ignored.
+
+ The PCP client then validates that the Opcode matches a previous PCP
+ request. If the response does not match a previous PCP request, the
+ response is ignored. The response is further matched by comparing
+ fields in the response Opcode-specific data to fields in the request
+ Opcode-specific data, as described by the processing for that Opcode.
+ If that fails, the response is ignored.
+
+ After these matches are successful, the PCP client checks the Epoch
+ Time field (see Section 8.5) to determine if it needs to restore its
+ state to the PCP server. A PCP client SHOULD be prepared to receive
+ multiple responses from the PCP server at any time after a single
+ request is sent. This allows the PCP server to inform the client of
+ mapping changes such as an update or deletion. For example, a PCP
+ server might send a SUCCESS response and, after a configuration
+ change on the PCP server, later send a NOT_AUTHORIZED response. A
+ PCP client MUST be prepared to receive responses for requests it
+ never sent (which could have been sent by a previous PCP instance on
+ this same host, or by a previous host that used the same client IP
+ address, or by a malicious attacker) by simply ignoring those
+ unexpected messages.
+
+ If the error ADDRESS_MISMATCH is received, it indicates the presence
+ of a NAT between the PCP client and PCP server. Procedures to
+ resolve this problem are beyond the scope of this document.
+
+ For both success and error responses, a Lifetime value is returned.
+ The lifetime indicates how long this response should be considered
+ valid by the client (i.e for success results, how long the mapping
+ will last, and for failure results how long the same failure
+ condition should be expected to persist). The PCP client SHOULD
+ impose an upper limit on this returned value (to protect against
+ absurdly large values, e.g., 5 years), detailed in Section 15,
+ "Mapping Lifetime and Deletion".
+
+ If the result code is 0 (SUCCESS), the request succeeded.
+
+
+
+
+
+Wing, et al. Standards Track [Page 26]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ If the result code is not 0, the request failed, and the PCP client
+ SHOULD NOT resend the same request for the indicated lifetime of the
+ error (as limited by the sanity checking detailed in Section 15).
+
+ If the PCP client has discovered a new PCP server (e.g., connected to
+ a new network), the PCP client MAY immediately begin communicating
+ with this PCP server, without regard to hold times from communicating
+ with a previous PCP server.
+
+8.4. Multi-Interface Issues
+
+ Hosts that desire a PCP mapping might be multi-interfaced (i.e., own
+ several logical/physical interfaces). Indeed, a host can be
+ configured with several IPv4 addresses (e.g., WiFi and Ethernet) or
+ dual-stacked. These IP addresses may have distinct reachability
+ scopes (e.g., if IPv6, they might have global reachability scope as
+ is the case for a Global Unicast Address (GUA) [RFC3587] or limited
+ scope as is the case for a Unique Local Address (ULA) [RFC4193]).
+
+ IPv6 addresses with global reachability (e.g., GUAs) SHOULD be used
+ as the source address when generating a PCP request. IPv6 addresses
+ without global reachability (e.g., ULAs) SHOULD NOT be used as the
+ source interface when generating a PCP request. If IPv6 privacy
+ addresses [RFC4941] are used for PCP mappings, a new PCP request will
+ need to be issued whenever the IPv6 privacy address is changed. This
+ PCP request SHOULD be sent from the IPv6 privacy address itself. It
+ is RECOMMENDED that the client delete its mappings to the previous
+ privacy address after it no longer needs those old mappings.
+
+ Due to the ubiquity of IPv4 NAT, IPv4 addresses with limited scope
+ (e.g., private addresses [RFC1918]) MAY be used as the source
+ interface when generating a PCP request.
+
+8.5. Epoch
+
+ Every PCP response sent by the PCP server includes an Epoch Time
+ field. This time field increments by one every second. Anomalies in
+ the received Epoch Time value provide a hint to PCP clients that a
+ PCP server state loss may have occurred. Clients respond to such
+ state loss hints by promptly renewing their mappings, so as to
+ quickly restore any lost state at the PCP server.
+
+ If the PCP server resets or loses the state of its explicit dynamic
+ mappings (that is, those mappings created by PCP requests), due to
+ reboot, power failure, or any other reason, it MUST reset its Epoch
+ time to its initial starting value (usually zero) to provide this
+ hint to PCP clients. After resetting its Epoch time, the PCP server
+ resumes incrementing the Epoch Time value by one every second.
+
+
+
+Wing, et al. Standards Track [Page 27]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ Similarly, if the external IP address(es) of the NAT (controlled by
+ the PCP server) changes, the Epoch time MUST be reset. A PCP server
+ MAY maintain one Epoch Time value for all PCP clients or MAY maintain
+ distinct Epoch Time values (per PCP client, per interface, or based
+ on other criteria); this choice is implementation-dependent.
+
+ Whenever a client receives a PCP response, the client validates the
+ received Epoch Time value according to the procedure below, using
+ integer arithmetic:
+
+ o If this is the first PCP response the client has received from
+ this PCP server, the Epoch Time value is treated as necessarily
+ valid, otherwise
+
+ * If the current PCP server Epoch time (curr_server_time) is less
+ than the previously received PCP server Epoch time
+ (prev_server_time) by more than one second, then the client
+ treats the Epoch time as obviously invalid (time should not go
+ backwards). The server Epoch time apparently going backwards
+ by *up to* one second is not deemed invalid, so that minor
+ packet reordering on the path from PCP server to PCP client
+ does not trigger a cascade of unnecessary mapping renewals. If
+ the server Epoch time passes this check, then further
+ validation checks are performed:
+
+ + The client computes the difference between its
+ current local time (curr_client_time) and the
+ time the previous PCP response was received from this PCP
+ server (prev_client_time):
+ client_delta = curr_client_time - prev_client_time;
+
+ + The client computes the difference between the
+ current PCP server Epoch time (curr_server_time) and the
+ previously received Epoch time (prev_server_time):
+ server_delta = curr_server_time - prev_server_time;
+
+ + If client_delta+2 < server_delta - server_delta/16
+ or server_delta+2 < client_delta - client_delta/16,
+ then the client treats the Epoch Time value as invalid,
+ else the client treats the Epoch Time value as valid.
+
+ o The client records the current time values for use in its next
+ comparison:
+ prev_client_time = curr_client_time
+ prev_server_time = curr_server_time
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 28]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ If the PCP client determined that the Epoch Time value it received
+ was invalid, then it concludes that the PCP server may have lost
+ state, and promptly renews all its active port mapping leases
+ following the mapping recreation procedure described in
+ Section 16.3.1.
+
+ Notes:
+
+ o The client clock MUST never go backwards. If curr_client_time is
+ found to be less than prev_client_time, then this is a client bug,
+ and how the client deals with this client bug is implementation
+ specific.
+
+ o The calculations above are constructed to allow client_delta and
+ server_delta to be computed as unsigned integer values.
+
+ o The "+2" in the calculations above is to accommodate quantization
+ errors in client and server clocks (up to one-second quantization
+ error each in server and client time intervals).
+
+ o The "/16" in the calculations above is to accommodate inaccurate
+ clocks in low-cost devices. This allows for a total discrepancy
+ of up to 1/16 (6.25%) to be considered benign; e.g., if one clock
+ were to run too fast by 3% while the other clock ran too slow by
+ 3%, then the client would not consider this difference to be
+ anomalous or indicative of a restart having occurred. This
+ tolerance is strict enough to be effective at detecting reboots,
+ while not being so strict as to generate false alarms.
+
+9. Version Negotiation
+
+ A PCP client sends its requests using PCP version number 2. Should
+ later updates to this document specify different message formats with
+ a version number greater than 2, it is expected that PCP servers will
+ still support version 2 in addition to the newer version(s).
+ However, in the event that a server returns a response with result
+ code UNSUPP_VERSION, the client MAY log an error message to inform
+ the user that it is too old to work with this server.
+
+ Should later updates to this document specify different message
+ formats with a version number greater than 2, and backwards
+ compatibility be desired, this first octet can be used for forward
+ and backward compatibility.
+
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 29]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ If future PCP versions greater than 2 are specified, version
+ negotiation proceeds as follows:
+
+ 1. The client sends its first request using the highest
+ (i.e., presumably 'best') version number it supports.
+
+ 2. If the server supports that version, it responds normally.
+
+ 3. If the server does not support that version, it replies giving a
+ result containing the result code UNSUPP_VERSION, and the closest
+ version number it does support (if the server supports a range of
+ versions higher than the client's requested version, the server
+ returns the lowest of that supported range; if the server
+ supports a range of versions lower than the client's requested
+ version, the server returns the highest of that supported range).
+
+ 4. If the client receives an UNSUPP_VERSION result containing a
+ version it does support, it records this fact and proceeds to use
+ this message version for subsequent communication with this PCP
+ server (until a possible future UNSUPP_VERSION response if the
+ server is later updated, at which point the version negotiation
+ process repeats). If the version number in the UNSUPP_VERSION
+ response is zero then that means this is a NAT-PMP server
+ [RFC6886], and a client MAY choose to communicate with it using
+ the older NAT-PMP protocol, as described in Appendix A.
+
+ 5. If the client receives an UNSUPP_VERSION result containing a
+ version it does not support, then the client SHOULD try the next-
+ lower version supported by the client. The attempt to use the
+ next-lower version repeats until the client has tried version 2.
+ If using version 2 fails, the client MAY log an error message to
+ inform the user that it is too old to work with this server, and
+ the client SHOULD set a timer to retry its request in 30 minutes
+ or the returned Lifetime value, whichever is smaller. By
+ automatically retrying in 30 minutes, the protocol accommodates
+ an upgrade of the PCP server.
+
+10. Introduction to MAP and PEER Opcodes
+
+ There are four uses for the MAP and PEER Opcodes defined in this
+ document:
+
+ o a host operating a server and wanting an incoming connection
+ (Section 10.1);
+
+ o a host operating a client and server on the same port
+ (Section 10.2);
+
+
+
+
+Wing, et al. Standards Track [Page 30]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ o a host operating a client and wanting to optimize the application
+ keepalive traffic (Section 10.3); and
+
+ o a host operating a client and wanting to restore lost state in its
+ NAT (Section 10.4).
+
+ These are discussed in the following sections, and a (non-normative)
+ state diagram is provided in Section 16.5.
+
+ When operating a server (see Sections 10.1 and 10.2), the PCP client
+ knows if it wants an IPv4 listener, IPv6 listener, or both on the
+ Internet. The PCP client also knows if it has an IPv4 address or
+ IPv6 address configured on one of its interfaces. It takes the union
+ of this knowledge to decide to which of its PCP servers to send the
+ request (e.g., an IPv4 address or an IPv6 address), and whether to
+ send one or two MAP requests for each of its interfaces (e.g., if the
+ PCP client has only an IPv4 address but wants both IPv6 and IPv4
+ listeners, it sends a MAP request containing the all-zeros IPv6
+ address in the Suggested External Address field, and sends a second
+ MAP request containing the all-zeros IPv4 address in the Suggested
+ External Address field). If the PCP client has both an IPv4 and IPv6
+ address, and only wants an IPv4 listener, it sends one MAP request
+ from its IPv4 address (if the PCP server supports NAT44 or IPv4
+ firewall) or one MAP request from its IPv6 address (if the PCP server
+ supports NAT64). The PCP client can simply request the desired
+ mapping to determine if the PCP server supports the desired mapping.
+ Applications that embed IP addresses in payloads (e.g., FTP, SIP)
+ will find it beneficial to avoid address family translation, if
+ possible.
+
+ The MAP and PEER requests include a Suggested External IP Address
+ field. Some PCP-controlled devices, especially CGN but also multi-
+ homed NPTv6 networks, have a pool of public-facing IP addresses. PCP
+ allows the client to indicate if it wants a mapping assigned on a
+ specific address of that pool or any address of that pool. Some
+ applications will break if mappings are created on different IP
+ addresses (e.g., active mode FTP), so applications should carefully
+ consider the implications of using this capability. Static mappings
+ for that internal address (e.g., those created by a command-line
+ interface on the PCP server or PCP-controlled device) may exist to a
+ certain external address, and if the suggested external IP address is
+ the IPv4 or IPv6 all-zeros address, PCP SHOULD assign its mappings to
+ the same external address, as this can also help applications using a
+ mix of both static mappings and PCP-created mappings. If, on the
+ other hand, the suggested external IP address contains a non-zero IP
+ address the PCP server SHOULD create a mapping to that external
+ address, even if there are other mappings from that same internal
+ address to a different external address. Once an internal address
+
+
+
+Wing, et al. Standards Track [Page 31]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ has no implicit dynamic mappings and no explicit dynamic mappings in
+ the PCP-controlled device, a subsequent implicit or explicit mapping
+ for that internal address MAY be assigned to a different External
+ address. Generally, this reassignment would occur when a CGN device
+ is load balancing newly seen internal addresses to its public pool of
+ external addresses.
+
+ The following table summarizes how various common PCP deployments use
+ IPv6 and IPv4 addresses.
+
+ The 'internal' address is implicitly the same as the source IP
+ address of the PCP request, except when the THIRD_PARTY option is
+ used.
+
+ The 'external' address is the Suggested External Address field of the
+ MAP or PEER request, and its address family is usually the same as
+ the 'internal' address family, except when technologies like NAT64
+ are used.
+
+ The 'remote peer' address is the remote peer IP address of the PEER
+ request or the FILTER option of the MAP request, and is always the
+ same address family as the 'internal' address, even when NAT64 is
+ used. In NAT64, the IPv6 PCP client is not necessarily aware of the
+ NAT64 or aware of the actual IPv4 address of the remote peer, so it
+ expresses the IPv6 address from its perspective, as shown in Figure
+ 5.
+
+ internal external PCP remote peer actual remote peer
+ -------- ------- --------------- ------------------
+ IPv4 firewall IPv4 IPv4 IPv4 IPv4
+ IPv6 firewall IPv6 IPv6 IPv6 IPv6
+ NAT44 IPv4 IPv4 IPv4 IPv4
+ NAT46 IPv4 IPv6 IPv4 IPv6
+ NAT64 IPv6 IPv4 IPv6 IPv4
+ NPTv6 IPv6 IPv6 IPv6 IPv6
+
+ Figure 5: Address Families with MAP and PEER
+
+ Note that the internal address and the remote peer address are always
+ the same address family, and the external address and the actual
+ remote peer address are always the same address family.
+
+
+
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 32]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+10.1. For Operating a Server
+
+ A host operating a server (e.g., a web server) listens for traffic on
+ a port, but the server never initiates traffic from that port. For
+ this to work across a NAT or a firewall, the host needs to (a) create
+ a mapping from a public IP address, protocol, and port to itself
+ using the MAP Opcode, as described in Section 11; (b) publish that
+ public IP address, protocol, and port via some sort of rendezvous
+ server (e.g., DNS, a SIP message, or a proprietary protocol); and
+ (c) ensure that any other non-PCP-speaking packet filtering
+ middleboxes on the path (e.g., host-based firewall, network-based
+ firewall, or other NATs) will also allow the incoming traffic.
+ Publishing the public IP address and port is out of scope of this
+ specification. To accomplish (a), the host follows the procedures
+ described in this section.
+
+ As normal, the application needs to begin listening on a port. Then,
+ the application constructs a PCP message with the MAP Opcode, with
+ the external address set to the appropriate all-zeros address,
+ depending on whether it wants a public IPv4 or IPv6 address.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 33]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ The following pseudocode shows how PCP can be reliably used to
+ operate a server:
+
+ /* start listening on the local server port */
+ int s = socket(...);
+ bind(s, ...);
+ listen(s, ...);
+
+ getsockname(s, &internal_sockaddr, ...);
+ bzero(&external_sockaddr, sizeof(external_sockaddr));
+
+ while (1)
+ {
+ /* Note: The "time_to_send_pcp_request()" check below includes:
+ * 1. Sending the first request
+ * 2. Retransmitting requests due to packet loss
+ * 3. Resending a request due to impending lease expiration
+ * 4. Resending a request due to server state loss
+ * The PCP packet sent is identical in all four cases; from
+ * the PCP server's point of view they are the same operation.
+ * The suggested external address and port may be updated
+ * repeatedly during the lifetime of the mapping.
+ * Other fields in the packet generally remain unchanged.
+ */
+ if (time_to_send_pcp_request())
+ pcp_send_map_request(internal_sockaddr.sin_port,
+ internal_sockaddr.sin_addr,
+ &external_sockaddr, /* will be zero the first time */
+ requested_lifetime, &assigned_lifetime);
+
+ if (pcp_response_received())
+ update_rendezvous_server("Client Ident", external_sockaddr);
+
+ if (received_incoming_connection_or_packet())
+ process_it(s);
+
+ if (other_work_to_do())
+ do_it();
+
+ /* ... */
+
+ block_until_we_need_to_do_something_else();
+ }
+
+ Figure 6: Pseudocode for Using PCP to Operate a Server
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 34]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+10.2. For Operating a Symmetric Client/Server
+
+ A host operating a client and server on the same port (e.g.,
+ Symmetric RTP [RFC4961] or SIP Symmetric Response Routing (rport)
+ [RFC3581]) first establishes a local listener, (usually) sends the
+ local and public IP addresses, protocol, and ports to a rendezvous
+ service (which is out of scope of this document), and initiates an
+ outbound connection from that same source address and same port. To
+ accomplish this, the application uses the procedure described in this
+ section.
+
+ An application that is using the same port for outgoing connections
+ as well as incoming connections MUST first signal its operation of a
+ server using the PCP MAP Opcode, as described in Section 11, and
+ receive a positive PCP response before it sends any packets from that
+ port.
+
+ Discussion: In general, a PCP client doesn't know in advance if it
+ is behind a NAT or firewall. On detecting that the host has
+ connected to a new network, the PCP client can attempt to request
+ a mapping using PCP; if that succeeds, then the client knows it
+ has successfully created a mapping. If, after multiple retries,
+ it has received no PCP response, then either the client is *not*
+ behind a NAT or firewall and has unfettered connectivity or the
+ client *is* behind a NAT or firewall that doesn't support PCP (and
+ the client may still have working connectivity by virtue of static
+ mappings previously created manually by the user). Retransmitting
+ PCP requests multiple times before giving up and assuming
+ unfettered connectivity adds delay in that case. Initiating
+ outbound TCP connections immediately without waiting for PCP
+ avoids this delay, and will work if the NAT has endpoint-
+ independent mapping (EIM) behavior, but may fail if the NAT has
+ endpoint-dependent mapping (EDM) behavior. Waiting enough time to
+ allow an explicit PCP MAP mapping to be created (if possible)
+ first ensures that the same external port will then be used for
+ all subsequent implicit dynamic mappings (e.g., TCP SYNs) sent
+ from the specified internal address, protocol, and port. PCP
+ supports both EIM and EDM NATs, so clients need to assume they may
+ be dealing with an EDM NAT. In this case, the client will
+ experience more reliable connectivity if it attempts explicit PCP
+ MAP requests first, before initiating any outbound TCP connections
+ from that internal address and port. For further information on
+ using PCP with EDM NATs, see Section 16.1.
+
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 35]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ The following pseudocode shows how PCP can be used to operate a
+ symmetric client and server:
+
+ /* start listening on the local server port */
+ int s = socket(...);
+ bind(s, ...);
+ listen(s, ...);
+
+ getsockname(s, &internal_sockaddr, ...);
+ bzero(&external_sockaddr, sizeof(external_sockaddr));
+
+ while (1)
+ {
+ /* Note: The "time_to_send_pcp_request()" check below includes:
+ * 1. Sending the first request
+ * 2. Retransmitting requests due to packet loss
+ * 3. Resending a request due to impending lease expiration
+ * 4. Resending a request due to server state loss
+ */
+ if (time_to_send_pcp_request())
+ pcp_send_map_request(internal_sockaddr.sin_port,
+ internal_sockaddr.sin_addr,
+ &external_sockaddr, /* will be zero the first time */
+ requested_lifetime, &assigned_lifetime);
+
+ if (pcp_response_received())
+ update_rendezvous_server("Client Ident", external_sockaddr);
+
+ if (received_incoming_connection_or_packet())
+ process_it(s);
+
+ if (need_to_make_outgoing_connection())
+ make_outgoing_connection(s, ...);
+
+ if (data_to_send())
+ send_it(s);
+
+ if (other_work_to_do())
+ do_it();
+
+ /* ... */
+
+ block_until_we_need_to_do_something_else();
+ }
+
+ Figure 7: Pseudocode for Using PCP to Operate a
+ Symmetric Client/Server
+
+
+
+
+Wing, et al. Standards Track [Page 36]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+10.3. For Reducing NAT or Firewall Keepalive Messages
+
+ A host operating a client (e.g., XMPP client, SIP client) sends from
+ a port, and may receive responses, but never accepts incoming
+ connections from other remote peers on this port. It wants to ensure
+ that the flow to its remote peer is not terminated (due to
+ inactivity) by an on-path NAT or firewall. To accomplish this, the
+ application uses the procedure described in this section.
+
+ Middleboxes, such as NATs or firewalls, generally need to see
+ occasional traffic or they will terminate their session state,
+ causing application failures. To avoid this, many applications
+ routinely generate keepalive traffic for the primary (or sole)
+ purpose of maintaining state with such middleboxes. Applications can
+ reduce such application keepalive traffic by using PCP.
+
+ Note: For reasons beyond NAT, an application may find it useful to
+ perform application-level keepalives, such as to detect a broken
+ path between the client and server, keep state alive on the remote
+ peer, or detect a powered-down client. These keepalives are not
+ related to maintaining middlebox state, and PCP cannot do anything
+ useful to reduce those keepalives.
+
+ To use PCP for this function, the application first connects to its
+ server, as normal. Afterwards, it issues a PCP request with the PEER
+ Opcode as described in Section 12 to learn and/or extend the lifetime
+ of its mapping.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 37]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ The following pseudocode shows how PCP can be reliably used with a
+ dynamic socket, for the purposes of reducing application keepalive
+ messages:
+
+ /* make outgoing connection to server */
+ int s = socket(...);
+ connect(s, &remote_peer, ...);
+
+ getsockname(s, &internal_sockaddr, ...);
+ bzero(&external_sockaddr, sizeof(external_sockaddr));
+
+ while (1)
+ {
+ /* Note: The "time_to_send_pcp_request()" check below includes:
+ * 1. Sending the first request
+ * 2. Retransmitting requests due to packet loss
+ * 3. Resending a request due to impending lease expiration
+ * 4. Resending a request due to server state loss
+ */
+ if (time_to_send_pcp_request())
+ pcp_send_peer_request(internal_sockaddr.sin_port,
+ internal_sockaddr.sin_addr,
+ &external_sockaddr, /* will be zero the first time */
+ remote_peer, requested_lifetime, &assigned_lifetime);
+
+ if (data_to_send())
+ send_it(s);
+
+ if (received_incoming_data())
+ process_it(s);
+
+ if (other_work_to_do())
+ do_it();
+
+ /* ... */
+
+ block_until_we_need_to_do_something_else();
+ }
+
+ Figure 8: Pseudocode Using PCP with a Dynamic Socket
+
+10.4. For Restoring Lost Implicit TCP Dynamic Mapping State
+
+ After a NAT loses state (e.g., because of a crash or power failure),
+ it is useful for clients to re-establish TCP mappings on the NAT.
+ This allows servers on the Internet to see traffic from the same IP
+ address and port, so that sessions can be resumed exactly where they
+ were left off. This can be useful for long-lived connections
+
+
+
+Wing, et al. Standards Track [Page 38]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ (e.g., instant messaging) or for connections transferring a lot of
+ data (e.g., FTP). This can be accomplished by first establishing a
+ TCP connection normally and then sending a PEER request/response and
+ remembering the external address and external port. Later, when the
+ NAT has lost state, the client can send a PEER request with the
+ suggested external port and suggested external address remembered
+ from the previous session, which will create a mapping in the NAT
+ that functions exactly as an implicit dynamic mapping. The client
+ then resumes sending TCP data to the server.
+
+ Note: This procedure works well for TCP, provided:
+
+ (i) the NAT creates a new implicit dynamic outbound mapping
+ only for outbound TCP segments with the SYN bit set (i.e., the
+ newly booted NAT silently drops outbound data segments from the
+ client when the NAT does not have an active mapping for those
+ segments), and
+
+ (ii) the newly booted NAT does not send a TCP RST in response
+ to receiving unexpected inbound TCP segments.
+
+ This procedure works less well for UDP, because as soon as
+ outbound UDP traffic is seen by the NAT, a new UDP implicit
+ dynamic outbound mapping will be created (probably on a different
+ port).
+
+11. MAP Opcode
+
+ This section defines an Opcode that controls inbound forwarding from
+ a NAT (or firewall) to an internal host.
+
+ MAP: Create an explicit dynamic mapping between an Internal Address
+ + Port and an External Address + Port.
+
+ PCP servers SHOULD provide a configuration option to allow
+ administrators to disable MAP support if they wish.
+
+ Mappings created by PCP MAP requests are, by definition, endpoint-
+ independent mappings (EIMs) with endpoint-independent filtering (EIF)
+ (unless the FILTER option is used), even on a NAT that usually
+ creates endpoint-dependent mapping (EDM) or endpoint-dependent
+ filtering (EDF) for outgoing connections, since the purpose of an
+ (unfiltered) MAP mapping is to receive inbound traffic from any
+ remote endpoint, not from only one specific remote endpoint.
+
+ Note also that all NAT mappings (created by PCP or otherwise) are by
+ necessity bidirectional and symmetric. For any packet going in one
+ direction (in or out) that is translated by the NAT, a reply going in
+
+
+
+Wing, et al. Standards Track [Page 39]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ the opposite direction needs to have the corresponding opposite
+ translation done so that the reply arrives at the right endpoint.
+ This means that if a client creates a MAP mapping, and then later
+ sends an outgoing packet using the mapping's internal address,
+ protocol, and port, the NAT should translate that packet's internal
+ address and port to the mapping's external address and port, so that
+ replies addressed to the external address and port are correctly
+ translated back to the mapping's internal address and port.
+
+ On operating systems that allow multiple listening servers to bind to
+ the same internal address, protocol, and port, servers MUST ensure
+ that they have exclusive use of that internal address, protocol, and
+ port (e.g., by binding the port using INADDR_ANY, or using
+ SO_EXCLUSIVEADDRUSE or similar) before sending their PCP MAP request,
+ to ensure that no other PCP clients on the same machine are also
+ listening on the same internal protocol and internal port.
+
+ As a side effect of creating a mapping, ICMP messages associated with
+ the mapping MUST be forwarded (and also translated, if appropriate)
+ for the duration of the mapping's lifetime. This is done to ensure
+ that ICMP messages can still be used by hosts, without application
+ programmers or PCP client implementations needing to use PCP
+ separately to create ICMP mappings for those flows.
+
+ The operation of the MAP Opcode is described in this section.
+
+11.1. MAP Operation Packet Formats
+
+ The MAP Opcode has a similar packet layout for both requests and
+ responses. If the assigned external IP address and port in the PCP
+ response always match the internal IP address and port from the PCP
+ request, then the functionality is purely a firewall; otherwise, the
+ functionality is a Network Address Translator that might also perform
+ firewall-like functions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 40]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ The following diagram shows the format of the Opcode-specific
+ information in a request for the MAP Opcode.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Mapping Nonce (96 bits) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Protocol | Reserved (24 bits) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Internal Port | Suggested External Port |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Suggested External IP Address (128 bits) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 9: MAP Opcode Request
+
+ These fields are described below:
+
+ Requested lifetime (in common header): Requested lifetime of this
+ mapping, in seconds. The value 0 indicates "delete".
+
+ Mapping Nonce: Random value chosen by the PCP client. See
+ Section 11.2, "Generating a MAP Request". Zero is a legal value
+ (but unlikely, occurring in roughly one in 2^96 requests).
+
+ Protocol: Upper-layer protocol associated with this Opcode. Values
+ are taken from the IANA protocol registry [proto_numbers]. For
+ example, this field contains 6 (TCP) if the Opcode is intended to
+ create a TCP mapping. This field contains 17 (UDP) if the Opcode
+ is intended to create a UDP mapping. The value 0 has a special
+ meaning for 'all protocols'.
+
+ Reserved: 24 reserved bits, MUST be sent as 0 and MUST be ignored
+ when received.
+
+ Internal Port: Internal port for the mapping. The value 0 indicates
+ 'all ports', and is legal when the lifetime is zero (a delete
+ request), if the protocol does not use 16-bit port numbers, or the
+ client is requesting 'all ports'. If the protocol is zero
+ (meaning 'all protocols'), then internal port MUST be zero on
+ transmission and MUST be ignored on reception.
+
+
+
+
+Wing, et al. Standards Track [Page 41]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ Suggested External Port: Suggested external port for the mapping.
+ This is useful for refreshing a mapping, especially after the PCP
+ server loses state. If the PCP client does not know the external
+ port, or does not have a preference, it MUST use 0.
+
+ Suggested External IP Address: Suggested external IPv4 or IPv6
+ address. This is useful for refreshing a mapping, especially
+ after the PCP server loses state. If the PCP client does not know
+ the external address, or does not have a preference, it MUST use
+ the address-family-specific all-zeros address (see Section 5).
+
+ The internal address for the request is the source IP address of the
+ PCP request message itself, unless the THIRD_PARTY option is used.
+
+ The following diagram shows the format of Opcode-specific information
+ in a response packet for the MAP Opcode:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Mapping Nonce (96 bits) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Protocol | Reserved (24 bits) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Internal Port | Assigned External Port |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Assigned External IP Address (128 bits) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 10: MAP Opcode Response
+
+ These fields are described below:
+
+ Lifetime (in common header): On an error response, this indicates
+ how long clients should assume they'll get the same error response
+ from the PCP server if they repeat the same request. On a success
+ response, this indicates the lifetime for this mapping, in
+ seconds.
+
+ Mapping Nonce: Copied from the request.
+
+ Protocol: Copied from the request.
+
+
+
+
+Wing, et al. Standards Track [Page 42]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ Reserved: 24 reserved bits, MUST be sent as 0 and MUST be ignored
+ when received.
+
+ Internal Port: Copied from the request.
+
+ Assigned External Port: On a success response, this is the assigned
+ external port for the mapping. On an error response, the
+ suggested external port is copied from the request.
+
+ Assigned External IP Address: On a success response, this is the
+ assigned external IPv4 or IPv6 address for the mapping. An IPv4
+ address is encoded using IPv4-mapped IPv6 address. On an error
+ response, the suggested external IP address is copied from the
+ request.
+
+11.2. Generating a MAP Request
+
+ This section describes the operation of a PCP client when sending
+ requests with the MAP Opcode.
+
+ The request MAY contain values in the Suggested External Port and
+ Suggested External IP Address fields. This allows the PCP client to
+ attempt to rebuild lost state on the PCP server, which improves the
+ chances of existing connections surviving, and helps the PCP client
+ avoid having to change information maintained at its rendezvous
+ server. Of course, due to other activity on the network (e.g., by
+ other users or network renumbering), the PCP server may not be able
+ to grant the suggested external IP address, protocol, and port, and
+ in that case it will assign a different external IP address and port.
+
+ A PCP client MUST be written assuming that it may *never* be assigned
+ the external port it suggests. In the case of recreating state after
+ a NAT gateway crash, the suggested external port, being one that was
+ previously allocated to this client, is likely to be available for
+ this client to continue using. In all other cases, the client MUST
+ assume that it is unlikely that its suggested external port will be
+ granted. For example, when many subscribers are sharing a Carrier-
+ Grade NAT, popular ports such as 80, 443, and 8080 are likely to be
+ in high demand. At most one client can have each of those popular
+ ports for each external IP address, and all the other clients will be
+ assigned other, dynamically allocated, external ports. Indeed, some
+ ISPs may, by policy, choose not to grant those external ports to
+ *anyone*, so that none of their clients are *ever* assigned external
+ ports 80, 443, or 8080.
+
+ If the protocol does not use 16-bit port numbers (e.g., RSVP, IP
+ protocol number 46), the port number MUST be zero. This will cause
+ all traffic matching that protocol to be mapped.
+
+
+
+Wing, et al. Standards Track [Page 43]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ If the client wants all protocols mapped, it uses protocol 0 (zero)
+ and internal port 0 (zero).
+
+ The Mapping Nonce value is randomly chosen by the PCP client,
+ following accepted practices for generating unguessable random
+ numbers [RFC4086], and is used as part of the validation of PCP
+ responses (see below) by the PCP client, and validation for mapping
+ refreshes by the PCP server. The client MUST use a different mapping
+ nonce for each PCP server it communicates with, and it is RECOMMENDED
+ to choose a new random mapping nonce whenever the PCP client is
+ initialized. The client MAY use a different mapping nonce for every
+ mapping.
+
+11.2.1. Renewing a Mapping
+
+ An existing mapping SHOULD have its lifetime extended by the PCP
+ client for as long as the client wishes to have that mapping continue
+ to exist. To do this, the PCP client sends a new MAP request
+ indicating the internal port. The PCP MAP request SHOULD also
+ include the currently assigned external IP address and port in the
+ Suggested External IP Address and Suggested External Port fields, so
+ if the PCP server has lost state it can recreate the lost mapping
+ with the same parameters.
+
+ The PCP client SHOULD renew the mapping before its expiry time;
+ otherwise, it will be removed by the PCP server (see Section 15,
+ "Mapping Lifetime and Deletion"). To reduce the risk of inadvertent
+ synchronization of renewal requests, a random jitter component should
+ be included. It is RECOMMENDED that PCP clients send a single
+ renewal request packet at a time chosen with uniform random
+ distribution in the range 1/2 to 5/8 of expiration time. If no
+ SUCCESS response is received, then the next renewal request should be
+ sent 3/4 to 3/4 + 1/16 to expiration, and then another 7/8 to 7/8 +
+ 1/32 to expiration, and so on, subject to the constraint that renewal
+ requests MUST NOT be sent less than four seconds apart (a PCP client
+ MUST NOT send a flood of ever-closer-together requests in the last
+ few seconds before a mapping expires).
+
+11.3. Processing a MAP Request
+
+ This section describes the operation of a PCP server when processing
+ a request with the MAP Opcode. Processing SHOULD be performed in the
+ order of the following paragraphs.
+
+ The Protocol, Internal Port, and Mapping Nonce fields from the MAP
+ request are copied into the MAP response. The THIRD_PARTY option, if
+ present, and processed by the PCP server, is also copied into the MAP
+ response.
+
+
+
+Wing, et al. Standards Track [Page 44]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ If the requested lifetime is non-zero, then:
+
+ o If both the protocol and internal port are non-zero, it indicates
+ a request to create a mapping or extend the lifetime of an
+ existing mapping. If the PCP server or PCP-controlled device does
+ not support the protocol, the UNSUPP_PROTOCOL error MUST be
+ returned.
+
+ o If the protocol is non-zero and the internal port is zero, it
+ indicates a request to create or extend a mapping for all incoming
+ traffic for that entire protocol -- a 'wildcard' (all-ports)
+ mapping for that protocol. If this request cannot be fulfilled in
+ its entirety, the UNSUPP_PROTOCOL error MUST be returned.
+
+ o If both the protocol and internal port are zero, it indicates a
+ request to create or extend a mapping for all incoming traffic for
+ all protocols (commonly called a 'DMZ host'). If this request
+ cannot be fulfilled in its entirety, the UNSUPP_PROTOCOL error
+ MUST be returned.
+
+ o If the protocol is zero and the internal port is non-zero, then
+ the request is invalid and the PCP server MUST return a
+ MALFORMED_REQUEST error to the client.
+
+ If the requested lifetime is zero, it indicates a request to delete
+ an existing mapping.
+
+ Further processing of the lifetime is described in Section 15,
+ "Mapping Lifetime and Deletion".
+
+ If operating in the Simple Threat Model (Section 18.1), and the
+ internal port, protocol, and internal address match an existing
+ explicit dynamic mapping, but the mapping nonce does not match, the
+ request MUST be rejected with a NOT_AUTHORIZED error with the
+ lifetime of the error indicating duration of that existing mapping.
+ The PCP server only needs to remember one Mapping Nonce value for
+ each explicit dynamic mapping. This specification makes no statement
+ about mapping nonce with the Advanced Threat Model.
+
+ If the internal port, protocol, and internal address match an
+ existing static mapping (which will have no nonce), then a PCP reply
+ is sent giving the external address and port of that static mapping,
+ using the nonce from the PCP request. The server does not record the
+ nonce.
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 45]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ If an option with value less than 128 exists (i.e., mandatory to
+ process) but that option does not make sense (e.g., the
+ PREFER_FAILURE option is included in a request with lifetime=0), the
+ request is invalid and generates a MALFORMED_OPTION error.
+
+ If the PCP-controlled device is stateless (that is, it does not
+ establish any per-flow state, and simply rewrites the address and/or
+ port in a purely algorithmic fashion, including no rewriting), the
+ PCP server simply returns an answer indicating the external IP
+ address and port yielded by this stateless algorithmic translation.
+ This allows the PCP client to learn its external IP address and port
+ as seen by remote peers. Examples of stateless translators include
+ stateless NAT64, 1:1 NAT44, and NPTv6 [RFC6296], all of which modify
+ addresses but not port numbers, and pure firewalls, which modify
+ neither the address nor the port.
+
+ It is possible that a mapping might already exist for a requested
+ internal address, protocol, and port. If so, the PCP server takes
+ the following actions:
+
+ 1. If the MAP request contains the PREFER_FAILURE option, but the
+ suggested external address and port do not match the external
+ address and port of the existing mapping, the PCP server MUST
+ return CANNOT_PROVIDE_EXTERNAL.
+
+ 2. If the existing mapping is static (created outside of PCP), the
+ PCP server MUST return the external address and port of the
+ existing mapping in its response and SHOULD indicate a lifetime
+ of 2^32-1 seconds, regardless of the suggested external address
+ and port in the request.
+
+ 3. If the existing mapping is explicit dynamic inbound (created by a
+ previous MAP request), the PCP server MUST return the existing
+ external address and port in its response, regardless of the
+ suggested external address and port in the request.
+ Additionally, the PCP server MUST update the lifetime of the
+ existing mapping, in accordance with Section 15, "Mapping
+ Lifetime and Deletion".
+
+ 4. If the existing mapping is dynamic outbound (created by outgoing
+ traffic or a previous PEER request), the PCP server SHOULD create
+ a new explicit inbound mapping, replicating the ports and
+ addresses from the outbound mapping (but the outbound mapping
+ continues to exist, and remains in effect if the explicit inbound
+ mapping is later deleted).
+
+ If no mapping exists for the internal address, protocol, and port,
+ and the PCP server is able to create a mapping using the suggested
+
+
+
+Wing, et al. Standards Track [Page 46]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ external address and port, it SHOULD do so. This is beneficial for
+ re-establishing state lost in the PCP server (e.g., due to a reboot).
+ There are, however, cases where the PCP server is not able to create
+ a new mapping using the suggested external address and port:
+
+ o The suggested external address, protocol, and port is already
+ assigned to another existing explicit or implicit mapping
+ (i.e., is already forwarding traffic to some other internal
+ address and port).
+
+ o The suggested external address, protocol, and port is already used
+ by the NAT gateway for one of its own services, for example, TCP
+ port 80 for the NAT gateway's own configuration web pages, or UDP
+ ports 5350 and 5351, used by PCP itself. A PCP server MUST NOT
+ create client mappings for external UDP ports 5350 or 5351.
+
+ o The suggested external address, protocol, and port is otherwise
+ prohibited by the PCP server's policy.
+
+ o The suggested external IP address, protocol, or suggested port are
+ invalid or invalid combinations (e.g., external address 127.0.0.1,
+ ::1, a multicast address, or the suggested port is not valid for
+ the protocol).
+
+ o The suggested external address does not belong to the NAT gateway.
+
+ o The suggested external address is not configured to be used as an
+ external address of the firewall or NAT gateway.
+
+ If the PCP server cannot assign the suggested external address,
+ protocol, and port, then:
+
+ o If the request contained the PREFER_FAILURE option, then the PCP
+ server MUST return CANNOT_PROVIDE_EXTERNAL.
+
+ o If the request did not contain the PREFER_FAILURE option, and the
+ PCP server can assign some other external address and port for
+ that protocol, then the PCP server MUST do so and return the newly
+ assigned external address and port in the response. In no case is
+ the client penalized for a 'poor' choice of suggested external
+ address and port. The suggested external address and port may be
+ used by the server to guide its choice of what external address
+ and port to assign, but in no case do they cause the server to
+ fail to allocate an external address and port where otherwise it
+ would have succeeded. The presence of a non-zero suggested
+ external address or port is merely a hint; it never does any harm.
+
+
+
+
+
+Wing, et al. Standards Track [Page 47]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ A PCP-controlled device MUST NOT create mappings for a protocol not
+ indicated in the request. For example, if the request was for a TCP
+ mapping, an additional corresponding UDP mapping MUST NOT be
+ automatically created.
+
+ Mappings typically consume state on the PCP-controlled device, and it
+ is RECOMMENDED that a per-host and/or per-subscriber limit be
+ enforced by the PCP server to prevent exhausting the mapping state.
+ If this limit is exceeded, the result code USER_EX_QUOTA is returned.
+
+ If all of the preceding operations were successful (did not generate
+ an error response), then the requested mapping is created or
+ refreshed as described in the request and a SUCCESS response is
+ built.
+
+11.4. Processing a MAP Response
+
+ This section describes the operation of the PCP client when it
+ receives a PCP response for the MAP Opcode.
+
+ After performing common PCP response processing, the response is
+ further matched with a previously sent MAP request by comparing the
+ internal IP address (the destination IP address of the PCP response,
+ or other IP address specified via the THIRD_PARTY option), the
+ protocol, the internal port, and the mapping nonce. Other fields are
+ not compared, because the PCP server sets those fields. The PCP
+ server will send a Mapping Update (Section 14.2) if the mapping
+ changes (e.g., due to IP renumbering).
+
+ If the result code is NO_RESOURCES and the request was for the
+ creation or renewal of a mapping, then the PCP client SHOULD NOT send
+ further requests for any new mappings to that PCP server for the
+ (limited) value of the lifetime. If the result code is NO_RESOURCES
+ and the request was for the deletion of a mapping, then the PCP
+ client SHOULD NOT send further requests of *any kind* to that PCP
+ server for the (limited) value of the lifetime.
+
+ On a success response, the PCP client can use the external IP address
+ and port as needed. Typically, the PCP client will communicate the
+ external IP address and port to another host on the Internet using an
+ application-specific rendezvous mechanism such as DNS SRV records.
+
+ After a success response, for as long as renewal is desired, the PCP
+ client MUST set a timer or otherwise schedule an event to renew the
+ mapping before its lifetime expires. Renewing a mapping is performed
+ by sending another MAP request, exactly as described in Section 11.2,
+ except that the suggested external address and port SHOULD be set to
+ the values received in the response. From the PCP server's point of
+
+
+
+Wing, et al. Standards Track [Page 48]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ view a MAP request to renew a mapping is identical to a MAP request
+ to create a new mapping, and is handled identically. Indeed, in the
+ event of PCP server state loss, a renewal request from a PCP client
+ will appear to the server to be a request to create a new mapping,
+ with a particular suggested external address and port, which happen
+ to be what the PCP server previously assigned. See also
+ Section 16.3.1, "Recreating Mappings".
+
+ On an error response, the client SHOULD NOT repeat the same request
+ to the same PCP server within the lifetime returned in the response.
+
+11.5. Address Change Events
+
+ A customer premises router might obtain a new external IP address,
+ for a variety of reasons including a reboot, power outage, DHCP lease
+ expiry, or other action by the ISP. If this occurs, traffic
+ forwarded to a host's previous address might be delivered to another
+ host that now has that address. This affects all mapping types,
+ whether implicit or explicit. This same problem already occurs today
+ when a host's IP address is reassigned, without PCP and without an
+ ISP-operated CGN. The solution is the same as today: the problems
+ associated with host renumbering are caused by host renumbering, and
+ are eliminated if host renumbering is avoided. PCP defined in this
+ document does not provide machinery to reduce the host renumbering
+ problem.
+
+ When an internal host changes its internal IP address (e.g., by
+ having a different address assigned by the DHCP server), the NAT (or
+ firewall) will continue to send traffic to the old IP address.
+ Typically, the internal host will no longer receive traffic sent to
+ that old IP address. Assuming the internal host wants to continue
+ receiving traffic, it needs to install new mappings for its new IP
+ address. The Suggested External Port field will not be fulfilled by
+ the PCP server, in all likelihood, because it is still being
+ forwarded to the old IP address. Thus, a mapping is likely to be
+ assigned a new external port number and/or external IP address. Note
+ that such host renumbering is not expected to happen routinely on a
+ regular basis for most hosts, since most hosts renew their DHCP
+ leases before they expire (or re-request the same address after
+ reboot) and most DHCP servers honor such requests and grant the host
+ the same address it was previously using before the reboot.
+
+ A host might gain or lose interfaces while existing mappings are
+ active (e.g., Ethernet cable plugged in or removed, joining/leaving a
+ WiFi network). Because of this, if the PCP client is sending a PCP
+ request to maintain state in the PCP server, it SHOULD ensure that
+ those PCP requests continue to use the same interface (e.g., when
+ refreshing mappings). If the PCP client is sending a PCP request to
+
+
+
+Wing, et al. Standards Track [Page 49]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ create new state in the PCP server, it MAY use a different source
+ interface or different source address.
+
+11.6. Learning the External IP Address Alone
+
+ NAT-PMP [RFC6886] includes a mechanism to allow clients to learn the
+ external IP address alone, without also requesting a port mapping.
+ NAT-PMP was designed for residential NAT gateways, where such an
+ operation makes sense because a typical residential NAT gateway has
+ only one external IP address. PCP has broader scope, and also
+ supports Carrier-Grade NATs (CGNs) that may have a pool of external
+ IP addresses, not just one. A client may not be assigned any
+ particular external IP address from that pool until it has at least
+ one implicit, explicit, or static port mapping, and even then only
+ for as long as that mapping remains valid. Client software that just
+ wishes to display the user's external IP address for cosmetic
+ purposes can achieve that by requesting a short-lived mapping (e.g.,
+ to the Discard service (TCP/9 or UDP/9) or some other port) and then
+ displaying the resulting external IP address. However, once that
+ mapping expires a subsequent implicit or explicit dynamic mapping
+ might be mapped to a different external IP address.
+
+12. PEER Opcode
+
+ This section defines an Opcode for controlling dynamic outbound
+ mappings.
+
+ PEER: Create a new dynamic outbound mapping to a remote peer's IP
+ address and port, or extend the lifetime of an existing
+ outbound mapping.
+
+ The use of this Opcodes is described in this section.
+
+ PCP servers SHOULD provide a configuration option to allow
+ administrators to disable PEER support if they wish.
+
+ Because a mapping created or managed by PEER behaves almost exactly
+ like an implicit dynamic outbound mapping created as a side effect of
+ a packet (e.g., TCP SYN) sent by the host, mappings created or
+ managed using PCP PEER requests may be endpoint-independent mapping
+ (EIM) or endpoint-dependent mapping (EDM), with endpoint-independent
+ filtering (EIF) or endpoint-dependent filtering (EDF), consistent
+ with the existing behavior of the NAT gateway or firewall in question
+ for implicit outbound mappings it creates automatically as a result
+ of observing outgoing traffic from internal hosts.
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 50]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+12.1. PEER Operation Packet Formats
+
+ The PEER Opcode allows a PCP client to create a new explicit dynamic
+ outbound mapping (which functions similarly to an outbound mapping
+ created implicitly when a host sends an outbound TCP SYN) or to
+ extend the lifetime of an existing outbound mapping.
+
+ The following diagram shows the Opcode layout for the PEER Opcode.
+ The formats for the PEER request and response packets are aligned so
+ that related fields fall at the same offsets in the packet.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Mapping Nonce (96 bits) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Protocol | Reserved (24 bits) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Internal Port | Suggested External Port |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Suggested External IP Address (128 bits) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Remote Peer Port | Reserved (16 bits) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Remote Peer IP Address (128 bits) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 11: PEER Opcode Request
+
+ These fields are described below:
+
+ Requested Lifetime (in common header): Requested lifetime of this
+ mapping, in seconds. Note that it is not possible to reduce the
+ lifetime of a mapping (or delete it, with requested lifetime=0)
+ using PEER.
+
+ Mapping Nonce: Random value chosen by the PCP client. See
+ Section 12.2, "Generating a PEER Request". Zero is a legal value
+ (but unlikely, occurring in roughly one in 2^96 requests).
+
+
+
+
+Wing, et al. Standards Track [Page 51]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ Protocol: Upper-layer protocol associated with this Opcode. Values
+ are taken from the IANA protocol registry [proto_numbers]. For
+ example, this field contains 6 (TCP) if the Opcode is describing a
+ TCP mapping. This field contains 17 (UDP) if the Opcode is
+ describing a UDP mapping. Protocol MUST NOT be zero.
+
+ Reserved: 24 reserved bits, MUST be set to 0 on transmission and
+ MUST be ignored on reception.
+
+ Internal Port: Internal port for the mapping. Internal port MUST
+ NOT be zero.
+
+ Suggested External Port: Suggested external port for the mapping.
+ If the PCP client does not know the external port, or does not
+ have a preference, it MUST use 0.
+
+ Suggested External IP Address: Suggested external IP address for the
+ mapping. If the PCP client does not know the external address, or
+ does not have a preference, it MUST use the address-family-
+ specific all-zeros address (see Section 5).
+
+ Remote Peer Port: Remote peer's port for the mapping. Remote peer
+ port MUST NOT be zero.
+
+ Reserved: 16 reserved bits, MUST be set to 0 on transmission and
+ MUST be ignored on reception.
+
+ Remote Peer IP Address: Remote peer's IP address. This is from the
+ perspective of the PCP client, so that the PCP client does not
+ need to concern itself with NAT64 or NAT46 (which both cause the
+ client's idea of the remote peer's IP address to differ from the
+ remote peer's actual IP address). This field allows the PCP
+ client and PCP server to disambiguate multiple connections from
+ the same port on the internal host to different servers. An IPv6
+ address is represented directly, and an IPv4 address is
+ represented using the IPv4-mapped address syntax (Section 5).
+
+ When attempting to re-create a lost mapping, the suggested external
+ IP address and port are set to the External IP Address and Port
+ fields received in a previous PEER response from the PCP server. On
+ an initial PEER request, the external IP address and port are set to
+ zero.
+
+ Note that semantics similar to the PREFER_FAILURE option are
+ automatically implied by PEER requests. If the Suggested External IP
+ Address or Suggested External Port fields are non-zero, and the PCP
+ server is unable to honor the suggested external IP address,
+ protocol, or port, then the PCP server MUST return a
+
+
+
+Wing, et al. Standards Track [Page 52]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ CANNOT_PROVIDE_EXTERNAL error response. The PREFER_FAILURE option is
+ neither required nor allowed in PEER requests, and if a PCP server
+ receives a PEER request containing the PREFER_FAILURE option it MUST
+ return a MALFORMED_REQUEST error response.
+
+ The following diagram shows the Opcode response for the PEER Opcode:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Mapping Nonce (96 bits) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Protocol | Reserved (24 bits) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Internal Port | Assigned External Port |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Assigned External IP Address (128 bits) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Remote Peer Port | Reserved (16 bits) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Remote Peer IP Address (128 bits) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 12: PEER Opcode Response
+
+ Lifetime (in common header): On a success response, this indicates
+ the lifetime for this mapping, in seconds. On an error response,
+ this indicates how long clients should assume they'll get the same
+ error response from the PCP server if they repeat the same
+ request.
+
+ Mapping Nonce: Copied from the request.
+
+ Protocol: Copied from the request.
+
+ Reserved: 24 reserved bits, MUST be set to 0 on transmission, MUST
+ be ignored on reception.
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 53]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ Internal Port: Copied from request.
+
+ Assigned External Port: On a success response, this is the assigned
+ external port for the mapping. On an error response, the
+ suggested external port is copied from the request.
+
+ Assigned External IP Address: On a success response, this is the
+ assigned external IPv4 or IPv6 address for the mapping. On an
+ error response, the suggested external IP address is copied from
+ the request.
+
+ Remote Peer Port: Copied from request.
+
+ Reserved: 16 reserved bits, MUST be set to 0 on transmission, MUST
+ be ignored on reception.
+
+ Remote Peer IP Address: Copied from the request.
+
+12.2. Generating a PEER Request
+
+ This section describes the operation of a client when generating a
+ message with the PEER Opcode.
+
+ The PEER Opcode MAY be sent before or after establishing
+ bidirectional communication with the remote peer.
+
+ If sent before, this is considered a PEER-created mapping that
+ creates a new dynamic outbound mapping in the PCP-controlled device.
+
+ If sent after, this allows the PCP client to learn the IP address,
+ port, and lifetime of the assigned external address and port for the
+ existing implicit dynamic outbound mapping, and potentially to extend
+ this lifetime (for reducing NAT or firewall keepalive messages, as
+ described in Section 10.3).
+
+ PEER requests are also useful for restoring mappings after a NAT has
+ lost its mapping state (e.g., due to a crash).
+
+ The Mapping Nonce value is randomly chosen by the PCP client,
+ following accepted practices for generating unguessable random
+ numbers [RFC4086], and is used as part of the validation of PCP
+ responses (see below) by the PCP client, and validation for mapping
+ refreshes by the PCP server. The client MUST use a different mapping
+ nonce for each PCP server it communicates with, and it is RECOMMENDED
+ to choose a new random mapping nonce whenever the PCP client is
+ initialized. The client MAY use a different mapping nonce for every
+ mapping.
+
+
+
+
+Wing, et al. Standards Track [Page 54]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ The PEER Opcode contains a Remote Peer Address field, which is always
+ from the perspective of the PCP client. Note that when the
+ PCP-controlled device is performing address family translation (NAT46
+ or NAT64), the remote peer address from the perspective of the PCP
+ client is different from the remote peer address on the other side of
+ the address family translation device.
+
+12.3. Processing a PEER Request
+
+ This section describes the operation of a server when receiving a
+ request with the PEER Opcode. Processing SHOULD be performed in the
+ order of the following paragraphs.
+
+ The following fields from a PEER request are copied into the
+ response: Protocol, Internal Port, Remote Peer IP Address, Remote
+ Peer Port, and Mapping Nonce.
+
+ When an implicit dynamic mapping is created, some NATs and firewalls
+ validate destination addresses and will not create an implicit
+ dynamic mapping if the destination address is invalid (e.g.,
+ 127.0.0.1). If a PCP-controlled device does such validation for
+ implicit dynamic mappings, it SHOULD also do a similar validation of
+ the remote peer IP address, protocol, and port for PEER-created
+ explicit dynamic mappings. If the validation determines the remote
+ peer IP address of a PEER request is invalid, then no mapping is
+ created, and a MALFORMED_REQUEST error result is returned.
+
+ On receiving the PEER Opcode, the PCP server examines the mapping
+ table for a matching five-tuple { Protocol, Internal Address,
+ Internal Port, Remote Peer Address, Remote Peer Port }.
+
+ If no matching mapping is found, and the suggested external address
+ and port are either zero or can be honored for the specified
+ Protocol, a new mapping is created. By having the PEER create such a
+ mapping, we avoid a race condition between the PEER request and the
+ initial outgoing packet arriving at the NAT or firewall device first,
+ and allow PEER to be used to recreate a lost outbound dynamic mapping
+ (see Section 16.3.1, "Recreating Mappings"). Thereafter, this PEER-
+ created mapping is treated as if it was an implicit dynamic outbound
+ mapping (e.g., as if the PCP client sent a TCP SYN) and a lifetime
+ appropriate to such a mapping is returned (note: on many NATs and
+ firewalls, such mapping lifetimes are very short until bidirectional
+ traffic is seen by the NAT or firewall).
+
+ If no matching mapping is found, and the suggested external address
+ and port cannot be honored, then no new state is created, and the
+ error CANNOT_PROVIDE_EXTERNAL is returned.
+
+
+
+
+Wing, et al. Standards Track [Page 55]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ If a matching mapping is found, and no previous PEER Opcode was
+ successfully processed for this mapping, then the Suggested External
+ Address and Port values in the request are ignored, the lifetime of
+ that mapping is adjusted as described below, and information about
+ the existing mapping is returned. This allows a client to explicitly
+ extend the lifetime of an existing mapping and/or to learn an
+ existing mapping's external address, port, and lifetime. The mapping
+ nonce is remembered for this mapping.
+
+ If operating in the Simple Threat Model (Section 18.1), and the
+ internal port, protocol, and internal address match a mapping that
+ already exists, but the mapping nonce does not match (that is, a
+ previous PEER request was processed), the request MUST be rejected
+ with a NOT_AUTHORIZED error with the lifetime of the error indicating
+ duration of that existing mapping. The PCP server only needs to
+ remember one Mapping Nonce value for each mapping. This
+ specification makes no statement about mapping nonce with the
+ Advanced Threat Model.
+
+ Processing the Lifetime value of the PEER Opcode is described in
+ Section 15, "Mapping Lifetime and Deletion". Sending a PEER request
+ with a very short requested lifetime can be used to query the
+ lifetime of an existing mapping. So that PCP clients can reduce the
+ frequency of their NAT and firewall keepalive messages, it is
+ RECOMMENDED that lifetimes of mappings created or lengthened with
+ PEER be longer than the lifetimes of implicitly created mappings.
+
+ If all of the preceding operations were successful (did not generate
+ an error response), then a SUCCESS response is generated, with the
+ Lifetime field containing the lifetime of the mapping.
+
+ If a PEER-created or PEER-managed mapping is not renewed using PEER,
+ then it reverts to the NAT's usual behavior for implicit mappings.
+ For example, continued outbound traffic keeps the mapping alive, as
+ per the NAT or firewall device's existing policy. A PEER-created or
+ PEER-managed mapping may be terminated at any time by action of the
+ TCP client or server (e.g., due to TCP FIN or TCP RST), as per the
+ NAT or firewall device's existing policy.
+
+12.4. Processing a PEER Response
+
+ This section describes the operation of a client when processing a
+ response with the PEER Opcode.
+
+ After performing common PCP response processing, the response is
+ further matched with an outstanding PEER request by comparing the
+ internal IP address (the destination IP address of the PCP response,
+ or other IP address specified via the THIRD_PARTY option), the
+
+
+
+Wing, et al. Standards Track [Page 56]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ protocol, the internal port, the remote peer address, the remote peer
+ port, and the mapping nonce. Other fields are not compared, because
+ the PCP server sets those fields to provide information about the
+ mapping created by the Opcode. The PCP server will send a Mapping
+ Update (Section 14.2) if the mapping changes (e.g., due to IP
+ renumbering).
+
+ If the result code is NO_RESOURCES and the request was for the
+ creation or renewal of a mapping, then the PCP client SHOULD NOT send
+ further requests for any new mappings to that PCP server for the
+ (limited) value of the lifetime.
+
+ On a successful response, the application can use the assigned
+ Lifetime value to reduce its frequency of application keepalives for
+ that particular NAT mapping. Of course, there may be other reasons,
+ specific to the application, to use more frequent application
+ keepalives. For example, the PCP assigned lifetime could be one hour
+ but the application may want to maintain state on its server (e.g.,
+ "busy" / "away") more frequently than once an hour. If the response
+ indicates an unexpected IP address or port (e.g., due to IP
+ renumbering), the PCP client will want to re-establish its connection
+ to its remote server.
+
+ If the PCP client wishes to keep this mapping alive beyond the
+ indicated lifetime, it MAY rely on continued inside-to-outside
+ traffic to ensure that the mapping will continue to exist, or it MAY
+ issue a new PCP request prior to the expiration. The recommended
+ timings for renewing PEER mappings are the same as for MAP mappings,
+ as described in Section 11.2.1.
+
+ Note: Implementations need to expect the PEER response may contain
+ an external IP address with a different family than the remote
+ peer IP address, e.g., when NAT64 or NAT46 are being used.
+
+13. Options for MAP and PEER Opcodes
+
+ This section describes options for the MAP and PEER Opcodes. These
+ options MUST NOT appear with other Opcodes, unless permitted by those
+ other Opcodes.
+
+13.1. THIRD_PARTY Option for MAP and PEER Opcodes
+
+ This option is used when a PCP client wants to control a mapping to
+ an internal host other than itself. This is used with both MAP and
+ PEER Opcodes.
+
+ Due to security concerns with the THIRD_PARTY option, this option
+ MUST NOT be implemented or used unless the network on which the PCP
+
+
+
+Wing, et al. Standards Track [Page 57]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ messages are to be sent is fully trusted. For example, if access
+ control lists (ACLs) are installed on the PCP client, PCP server, and
+ the network between them, so those ACLs allow only communications
+ from a trusted PCP client to the PCP server.
+
+ A management device would use this option to control a PCP server on
+ behalf of users. For example, a management device located in a
+ network operations center, which presents a user interface to end
+ users or to network operations staff, and issues PCP requests with
+ the THIRD_PARTY option to the appropriate PCP server.
+
+ The THIRD_PARTY option is formatted as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Option Code=1 | Reserved | Option Length=16 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Internal IP Address (128 bits) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 13: THIRD_PARTY Option
+
+ The fields are described below:
+
+ Internal IP Address: Internal IP address for this mapping.
+
+ Option Name: THIRD_PARTY
+ Number: 1
+ Purpose: Indicates the MAP or PEER request is for a host other
+ than the host sending the PCP option.
+ Valid for Opcodes: MAP, PEER
+ Length: 16 octets
+ May appear in: request. May appear in response only if it
+ appeared in the associated request.
+ Maximum occurrences: 1
+
+ A THIRD_PARTY option MUST NOT contain the same address as the source
+ address of the packet. This is because many PCP servers may not
+ implement the THIRD_PARTY option at all, and with those servers a
+ client redundantly using the THIRD_PARTY option to specify its own IP
+ address would cause such mapping requests to fail where they would
+ otherwise have succeeded. A PCP server receiving a THIRD_PARTY
+ option specifying the same address as the source address of the
+ packet MUST return a MALFORMED_REQUEST result code.
+
+
+
+Wing, et al. Standards Track [Page 58]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ A PCP server MAY be configured to permit or to prohibit the use of
+ the THIRD_PARTY option. If this option is permitted, properly
+ authorized clients may perform these operations on behalf of other
+ hosts. If this option is prohibited, and a PCP server receives a PCP
+ MAP request with a THIRD_PARTY option, it MUST generate a
+ UNSUPP_OPTION response.
+
+ It is RECOMMENDED that customer premises equipment implementing a PCP
+ server be configured to prohibit third-party mappings by default.
+ With this default, if a user wants to create a third-party mapping,
+ the user needs to interact out-of-band with their customer premises
+ router (e.g., using its HTTP administrative interface).
+
+ It is RECOMMENDED that service provider NAT and firewall devices
+ implementing a PCP server be configured to permit the THIRD_PARTY
+ option, when sent by a properly authorized host. If the packet
+ arrives from an unauthorized host, the PCP server MUST generate an
+ UNSUPP_OPTION error.
+
+ Note that the THIRD_PARTY option is not needed for today's common
+ scenario of an ISP offering a single IP address to a customer who is
+ using NAT to share that address locally, since in this scenario all
+ the customer's hosts appear, from the point of view of the ISP, to be
+ a single host.
+
+ When a PCP client is using the THIRD_PARTY option to make and
+ maintain mappings on behalf of some other device, it may be
+ beneficial if, where possible, the PCP client verifies that the other
+ device is actually present and active on the network. Otherwise, the
+ PCP client risks maintaining those mappings forever, long after the
+ device that required them has gone. This would defeat the purpose of
+ PCP mappings having a finite lifetime so that they can be
+ automatically deleted after they are no longer needed.
+
+13.2. PREFER_FAILURE Option for MAP Opcode
+
+ This option is only used with the MAP Opcode.
+
+ This option indicates that if the PCP server is unable to map both
+ the suggested external port and suggested external address, the PCP
+ server should not create a mapping. This differs from the behavior
+ without this option, which is to create a mapping.
+
+ PREFER_FAILURE is never necessary for a PCP client to manage mappings
+ for itself, and its use causes additional work in the PCP client and
+ in the PCP server. This option exists for interworking with non-PCP
+ mapping protocols that have different semantics than PCP (e.g., UPnP
+ IGDv1 interworking [PNP-IGD-PCP], where the semantics of UPnP IGDv1
+
+
+
+Wing, et al. Standards Track [Page 59]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ only allow the UPnP IGDv1 client to dictate mapping a specific port),
+ or separate port allocation systems that allocate ports to a
+ subscriber (e.g., a subscriber-accessed web portal operated by the
+ same ISP that operates the PCP server). A PCP server MAY support
+ this option, if its designers wish to support such downstream devices
+ or separate port allocation systems. PCP servers that are not
+ intended to interface with such systems are not required to support
+ this option. PCP clients other than UPnP IGDv1 interworking clients
+ or other than a separate port allocation system SHOULD NOT use this
+ option because it results in inefficient operation, and they cannot
+ safely assume that all PCP servers will implement it. It is
+ anticipated that this option will be deprecated in the future as more
+ clients adopt PCP natively and the need for this option declines.
+
+ The PREFER_FAILURE option is formatted as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Option Code=2 | Reserved | Option Length=0 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 14: PREFER_FAILURE Option
+
+ Option Name: PREFER_FAILURE
+ Number: 2
+ Purpose: indicates that the PCP server should not create an
+ alternative mapping if the suggested external port and address
+ cannot be mapped.
+ Valid for Opcodes: MAP
+ Length: 0
+ May appear in: request. May appear in response only if it
+ appeared in the associated request.
+ Maximum occurrences: 1
+
+ The result code CANNOT_PROVIDE_EXTERNAL is returned if the suggested
+ external address, protocol, and port cannot be mapped. This can
+ occur because the external port is already mapped to another host's
+ outbound dynamic mapping, an inbound dynamic mapping, a static
+ mapping, or the same internal address, protocol, and port already
+ have an outbound dynamic mapping that is mapped to a different
+ external port than suggested. This can also occur because the
+ external address is no longer available (e.g., due to renumbering).
+ The server MAY set the lifetime in the response to the remaining
+ lifetime of the conflicting mapping + TIME_WAIT [RFC0793], rounded up
+ to the next larger integer number of seconds.
+
+
+
+
+
+Wing, et al. Standards Track [Page 60]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ If a PCP request contains the PREFER_FAILURE option and has zero in
+ the Suggested External Port field, then it is invalid. The PCP
+ server MUST reject such a message with the MALFORMED_OPTION error
+ code.
+
+ PCP servers MAY choose to rate-limit their handling of PREFER_FAILURE
+ requests, to protect themselves from a rapid flurry of 65535
+ consecutive PREFER_FAILURE requests from clients probing to discover
+ which external ports are available.
+
+ There can exist a race condition between the MAP Opcode using the
+ PREFER_FAILURE option and Mapping Update (Section 14.2). For
+ example, a previous host on the local network could have previously
+ had the same internal address, with a mapping for the same internal
+ port. At about the same moment that the current host sends a MAP
+ Request using the PREFER_FAILURE option, the PCP server could send a
+ spontaneous Mapping Update for the old mapping due to an external
+ configuration change, which could appear to be a reply to the new
+ mapping request. Because of this, the PCP client MUST validate that
+ the external IP address, protocol, port, and nonce in a success
+ response match the associated suggested values from the request. If
+ they do not match, it is because the Mapping Update was sent before
+ the MAP request was processed.
+
+13.3. FILTER Option for MAP Opcode
+
+ This option is only used with the MAP Opcode.
+
+ This option indicates that filtering incoming packets is desired.
+ The protocol being filtered is indicated by the Protocol field in the
+ MAP Request, and the remote peer IP address and remote peer port of
+ the FILTER option indicate the permitted remote peer's source IP
+ address and source port for packets from the Internet; other traffic
+ from other addresses is blocked. The remote peer prefix length
+ indicates the length of the remote peer's IP address that is
+ significant; this allows a single option to permit an entire subnet.
+ After processing this MAP request containing the FILTER option and
+ generating a successful response, the PCP-controlled device will drop
+ packets received on its public-facing interface that don't match the
+ filter fields. After dropping the packet, if its security policy
+ allows, the PCP-controlled device MAY also generate an ICMP error in
+ response to the dropped packet.
+
+ The use of the FILTER option can be seen as a performance
+ optimization. Since all software using PCP to receive incoming
+ connections also has to deal with the case where it may be directly
+ connected to the Internet and receive unrestricted incoming TCP
+ connections and UDP packets, if it wishes to restrict incoming
+
+
+
+Wing, et al. Standards Track [Page 61]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ traffic to a specific source address or group of source addresses,
+ such software already needs to check the source address of incoming
+ traffic and reject unwanted traffic. However, the FILTER option is a
+ particularly useful performance optimization for battery powered
+ wireless devices, because it can enable them to conserve battery
+ power by not having to wake up just to reject unwanted traffic.
+
+ The FILTER option is formatted as follows:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Option Code=3 | Reserved | Option Length=20 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Reserved | Prefix Length | Remote Peer Port |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ | Remote Peer IP address (128 bits) |
+ | |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 15: FILTER Option Layout
+
+ These fields are described below:
+
+ Reserved: 8 reserved bits, MUST be sent as 0 and MUST be ignored
+ when received.
+
+ Prefix Length: indicates how many bits of the IPv4 or IPv6 address
+ are relevant for this filter. The value 0 indicates "no filter",
+ and will remove all previous filters. See below for detail.
+
+ Remote Peer Port: the port number of the remote peer. The value 0
+ indicates "all ports".
+
+ Remote Peer IP address: The IP address of the remote peer.
+
+ Option Name: FILTER
+ Number: 3
+ Purpose: specifies a filter for incoming packets
+ Valid for Opcodes: MAP
+ Length: 20 octets
+ May appear in: request. May appear in response only if it
+ appeared in the associated request.
+ Maximum occurrences: as many as fit within maximum PCP message
+ size
+
+
+
+
+Wing, et al. Standards Track [Page 62]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ The Prefix Length indicates how many bits of the address are used for
+ the filter. For IPv4 addresses (which are encoded using the
+ IPv4-mapped address format (::FFFF:0:0/96)), this means valid prefix
+ lengths are between 96 and 128 bits, inclusive. That is, add 96 to
+ the IPv4 prefix length. For IPv6 addresses, valid prefix lengths are
+ between 0 and 128 bits, inclusive. Values outside those ranges cause
+ the PCP server to return the MALFORMED_OPTION result code.
+
+ If multiple occurrences of the FILTER option exist in the same MAP
+ request, they are processed in the order received (as per normal PCP
+ option processing), and they MAY overlap the filtering requested. If
+ there is an existing mapping (with or without a filter) and the
+ server receives a MAP request with FILTER, the filters indicated in
+ the new request are added to any existing filters. If a MAP request
+ has a lifetime of 0 and contains the FILTER option, the error
+ MALFORMED_OPTION is returned.
+
+ If any occurrences of the FILTER option in a request packet are not
+ successfully processed then an error is returned (e.g.,
+ MALFORMED_OPTION if one of the options was malformed) and as with
+ other PCP errors, returning an error causes no state to be changed in
+ the PCP server or in the PCP-controlled device.
+
+ To remove all existing filters, the Prefix Length 0 is used. There
+ is no mechanism to remove a specific filter.
+
+ To change an existing filter, the PCP client sends a MAP request
+ containing two FILTER options, the first option containing a prefix
+ length of 0 (to delete all existing filters) and the second
+ containing the new remote peer's IP address, protocol, and port.
+ Other FILTER options in that PCP request, if any, add more allowed
+ remote peers.
+
+ The PCP server or the PCP-controlled device is expected to have a
+ limit on the number of remote peers it can support. This limit might
+ be as small as one. If a MAP request would exceed this limit, the
+ entire MAP request is rejected with the result code
+ EXCESSIVE_REMOTE_PEERS, and the state on the PCP server is unchanged.
+
+ All PCP servers MUST support at least one filter per MAP mapping.
+
+14. Rapid Recovery
+
+ PCP includes a rapid recovery feature, which allows PCP clients to
+ repair failed mappings within seconds, rather than the minutes or
+ hours it might take if they relied solely on waiting for the next
+ routine renewal of the mapping. Mapping failures may occur when a
+ NAT gateway is rebooted and loses its mapping state, or when a NAT
+
+
+
+Wing, et al. Standards Track [Page 63]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ gateway has its external IP address changed so that its current
+ mapping state becomes invalid.
+
+ The PCP rapid recovery feature enables users to, for example, connect
+ to remote machines using ssh, and then reboot their NAT or firewall
+ device (or even replace it with completely new hardware) without
+ losing their established ssh connections.
+
+ Use of PCP rapid recovery is a performance optimization to PCP's
+ routine self-healing. Without rapid recovery, PCP clients will still
+ recreate their correct state when they next renew their mappings, but
+ this routine self-healing process may take hours rather than seconds,
+ and will probably not happen fast enough to prevent active TCP
+ connections from timing out.
+
+ There are two mechanisms to perform rapid recovery, described below.
+ Failing to implement and deploy a rapid recovery mechanism will
+ encourage application developers to feel the need to refresh their
+ PCP state more frequently than necessary, causing more network
+ traffic. Therefore, a PCP server that can lose state (e.g., due to
+ reboot) or might have a mapping change (e.g., due to IP renumbering)
+ MUST implement either the Announce Opcode or the Mapping Update
+ mechanism and SHOULD implement both mechanisms.
+
+14.1. ANNOUNCE Opcode
+
+ This rapid recovery mechanism uses the ANNOUNCE Opcode. When the PCP
+ server loses its state (e.g., it lost its state when rebooted), it
+ resets its Epoch time to its initial starting value (usually zero)
+ and sends the ANNOUNCE response to the link-scoped multicast address
+ (specific address explained below) if a multicast network exists on
+ its local interface, or, if configured with the IP address(es) and
+ port(s) of PCP client(s), it sends unicast ANNOUNCE responses to
+ those address(es) and port(s). This means ANNOUNCE may not be
+ available on all networks (such as networks without a multicast link
+ between the PCP server and its PCP clients). Additionally, an
+ ANNOUNCE request can be sent (unicast) by a PCP client that elicits a
+ unicast ANNOUNCE response like any other Opcode.
+
+ Upon receiving PCP response packets with an anomalous Epoch time,
+ clients deduce that the PCP server lost state and recreate their lost
+ mappings.
+
+
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 64]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+14.1.1. ANNOUNCE Operation
+
+ The PCP ANNOUNCE Opcode requests and responses have no
+ Opcode-specific payload (that is, the length of the Opcode-specific
+ data is zero). The Requested Lifetime field of requests and Lifetime
+ field of responses are both set to 0 on transmission and ignored on
+ reception.
+
+ If a PCP server receives an ANNOUNCE request, it first parses it and
+ generates a SUCCESS if parsing and processing of ANNOUNCE is
+ successful. An error is generated if the client's IP Address field
+ does not match the packet source address, or the request packet is
+ otherwise malformed, such as packet length less than 24 octets. Note
+ that, in the future, options MAY be sent with the PCP ANNOUNCE
+ Opcode; PCP clients and servers need to be prepared to receive
+ options with the ANNOUNCE Opcode.
+
+ Discussion: Client-to-server request messages are sent, from any
+ client source port, to listening UDP port 5351 on the server;
+ server-to-client multicast notifications are sent from the
+ server's UDP port (5351) to listening UDP port 5350 on the client.
+ The reason the same listening UDP port is not used for both
+ purposes is that a single device may have multiple roles. For
+ example, a multi-function home gateway that provides NAT service
+ (PCP server) may also provide printer sharing (which wants a PCP
+ client), or a home computer (PCP client) may also provide
+ "Internet Sharing" (NAT) functionality (which needs to offer PCP
+ service). Such devices need to act as both a PCP server and a PCP
+ client at the same time, and the software that implements the PCP
+ server on the device may not be the same software component that
+ implements the PCP client. The software that implements the PCP
+ server needs to listen for unicast client requests, whereas the
+ software that implements the PCP client needs to listen for
+ multicast restart announcements. In many networking APIs it is
+ difficult or impossible to have two independent clients listening
+ for both unicasts and multicasts on the same port at the same
+ time. For this reason, two ports are used.
+
+14.1.2. Generating and Processing a Solicited ANNOUNCE Message
+
+ The PCP ANNOUNCE Opcode MAY be sent (unicast) by a PCP client. The
+ Requested Lifetime value MUST be set to zero.
+
+ When the PCP server receives the ANNOUNCE Opcode and successfully
+ parses and processes it, it generates SUCCESS response with an
+ assigned lifetime of zero.
+
+
+
+
+
+Wing, et al. Standards Track [Page 65]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ This functionality allows a PCP client to determine a server's Epoch,
+ or to determine if a PCP server is running, without changing the
+ server's state.
+
+14.1.3. Generating and Processing an Unsolicited ANNOUNCE Message
+
+ When sending unsolicited responses, the ANNOUNCE Opcode MUST have
+ result code equal to zero (SUCCESS), and the packet MUST be sent from
+ the unicast IP address and UDP port number on which PCP requests are
+ received (so that the PCP response processing described in
+ Section 8.3 will accept the message). This message is most typically
+ multicast, but can also be unicast. Multicast PCP restart
+ announcements are sent to 224.0.0.1:5350 and/or [ff02::1]:5350, as
+ described below. Sending PCP restart announcements via unicast
+ requires that the PCP server know the IP address(es) and port(s) of
+ its listening clients, which means that sending PCP restart
+ announcements via unicast is only applicable to PCP servers that
+ retain knowledge of the IP address(es) and port(s) of their clients
+ even after they otherwise lose the rest of their state.
+
+ When a PCP server device that implements this functionality reboots,
+ restarts its NAT engine, or otherwise enters a state where it may
+ have lost some or all of its previous mapping state (or enters a
+ state where it doesn't even know whether it may have had prior state
+ that it lost), it MUST inform PCP clients of this fact by unicasting
+ or multicasting a gratuitous PCP ANNOUNCE Opcode response packet, as
+ shown below, via paths over which it accepts PCP requests. If
+ sending a multicast ANNOUNCE message, a PCP server device that
+ accepts PCP requests over IPv4 sends the Restart Announcement to the
+ IPv4 multicast address 224.0.0.1:5350 (224.0.0.1 is the All Hosts
+ multicast group address), and a PCP server device that accepts PCP
+ requests over IPv6 sends the Restart Announcement to the IPv6
+ multicast address [ff02::1]:5350 (ff02::1 is for all nodes on the
+ local segment). A PCP server device that accepts PCP requests over
+ both IPv4 and IPv6 sends a pair of Restart Announcements, one to each
+ multicast address. If sending a unicast ANNOUNCE messages, it sends
+ ANNOUNCE response message to the IP address(es) and port(s) of its
+ PCP clients. To accommodate packet loss, the PCP server device MAY
+ transmit such packets (or packet pairs) up to ten times (with an
+ appropriate Epoch Time value in each to reflect the passage of time
+ between transmissions) provided that the interval between the first
+ two notifications is at least 250 ms, and the interval between
+ subsequent notification at least doubles.
+
+ A PCP client that sends PCP requests to a PCP server via a multicast-
+ capable path, and implements the Restart Announcement feature, and
+ wishes to receive these announcements, MUST listen to receive these
+ PCP Restart Announcements (gratuitous PCP ANNOUNCE Opcode response
+
+
+
+Wing, et al. Standards Track [Page 66]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ packets) on the appropriate multicast-capable interfaces on which it
+ sends PCP requests, and MAY also listen for unicast announcements
+ from the server too, (using the UDP port it already uses to issue
+ unicast PCP requests to, and receive unicast PCP responses from, that
+ server). A PCP client device that sends PCP requests using IPv4
+ listens for packets sent to the IPv4 multicast address
+ 224.0.0.1:5350. A PCP client device that sends PCP requests using
+ IPv6 listens for packets sent to the IPv6 multicast address
+ [ff02::1]:5350. A PCP client device that sends PCP requests using
+ both IPv4 and IPv6 listens for both types of Restart Announcement.
+ The SO_REUSEPORT socket option or equivalent should be used for the
+ multicast UDP port, if required by the host OS to permit multiple
+ independent listeners on the same multicast UDP port.
+
+ Upon receiving a unicasted or multicasted PCP ANNOUNCE Opcode
+ response packet, a PCP client MUST (as it does with all received PCP
+ response packets) inspect the announcement's source IP address, and
+ if the Epoch Time value is outside the expected range for that
+ server, it MUST wait a random amount of time between 0 and 5 seconds
+ (to prevent synchronization of all PCP clients), then for all PCP
+ mappings it made at that server address the client issues new PCP
+ requests to recreate any lost mapping state. The use of the
+ Suggested External IP Address and Suggested External Port fields in
+ the client's renewal requests allows the client to remind the
+ restarted PCP server device of what mappings the client had
+ previously been given, so that in many cases the prior state can be
+ recreated. For PCP server devices that reboot relatively quickly it
+ is usually possible to reconstruct lost mapping state fast enough
+ that existing TCP connections and UDP communications do not time out,
+ and continue without failure. As for all PCP response messages, if
+ the Epoch Time value is within the expected range for that server,
+ the PCP client does not recreate its mappings. As for all PCP
+ response messages, after receiving and validating the ANNOUNCE
+ message, the client updates its own Epoch time for that server, as
+ described in Section 8.5.
+
+14.2. PCP Mapping Update
+
+ This rapid recovery mechanism is used when the PCP server remembers
+ its state and determines its existing mappings are invalid (e.g., IP
+ renumbering changes the external IP address of a PCP-controlled NAT).
+
+ It is anticipated that servers that are routinely reconfigured by an
+ administrator or have their WAN address changed frequently will
+ implement this feature (e.g., residential CPE routers). It is
+ anticipated that servers that are not routinely reconfigured will not
+ implement this feature (e.g., service provider-operated CGN).
+
+
+
+
+Wing, et al. Standards Track [Page 67]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ If a PCP server device has not forgotten its mapping state, but for
+ some other reason has determined that some or all of its mappings
+ have become unusable (e.g., when a home gateway is assigned a
+ different external IPv4 address by the upstream DHCP server), then
+ the PCP server device automatically repairs its mappings and notifies
+ its clients by following the procedure described below.
+
+ For PCP-managed mappings, for each one the PCP server device should
+ update the external IP address and external port to appropriate
+ available values, and then send unicast PCP MAP or PEER responses (as
+ appropriate for the mapping) to inform the PCP client of the new
+ external IP address and external port. Such unsolicited responses
+ are identical to the MAP or PEER responses normally returned in
+ response to client MAP or PEER requests, containing newly updated
+ External IP Address and External Port values, and are sent to the
+ same client IP address and port that the PCP server used to send the
+ prior response for that mapping. If the earlier associated request
+ contained the THIRD_PARTY option, the THIRD_PARTY option MUST also
+ appear in the Mapping Update as it is necessary for the PCP client to
+ disambiguate the response. If the earlier associated request
+ contained the PREFER_FAILURE option, and the same external IP
+ address, protocol, and port cannot be provided, the error
+ CANNOT_PROVIDE_EXTERNAL SHOULD be sent. If the earlier associated
+ request contained the FILTER option, the filters are moved to the new
+ mapping and the FILTER option is sent in the Mapping Update response.
+ Non-mandatory options SHOULD NOT be sent in the Mapping Update
+ response.
+
+ Discussion: It could have been possible to design this so that the
+ PCP server (1) sent an ANNOUNCE Opcode to the PCP client, the PCP
+ client reacted by (2) sending a new MAP request and (3) receiving
+ a MAP response. Instead, the server can create a shortcut for
+ that design by simply sending the message it would have sent in
+ (3).
+
+ To accommodate packet loss, the PCP server device SHOULD transmit
+ such packets three times, with an appropriate Epoch Time value in
+ each to reflect the passage of time between transmissions. The
+ interval between the first two notifications MUST be at least 250 ms,
+ and the third packet after a 500-ms interval. Once the PCP server
+ has received a refreshed state for that mapping, the PCP server
+ SHOULD cease those retransmissions for that mapping, as it serves no
+ further purpose to continue sending messages regarding that mapping.
+
+ Upon receipt of such an updated MAP or PEER response, a PCP client
+ uses the information in the response to adjust rendezvous servers or
+ reconnect to servers, respectively. For MAP, this would mean
+ updating the DNS entries or other address and port information
+
+
+
+Wing, et al. Standards Track [Page 68]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ recorded with some kind of application-specific rendezvous server.
+ For PEER responses giving a CANNOT_PROVIDE_EXTERNAL error, this would
+ typically mean establishing new connections to servers. Anytime the
+ external address or port changes, existing TCP and UDP connections
+ will be lost; PCP can't avoid that, but does provide immediate
+ notification of the event to lessen the impact.
+
+15. Mapping Lifetime and Deletion
+
+ The PCP client requests a certain lifetime, and the PCP server
+ responds with the assigned lifetime. The PCP server MAY grant a
+ lifetime smaller or larger than the requested lifetime. The PCP
+ server SHOULD be configurable for permitted minimum and maximum
+ lifetime, and the minimum value SHOULD be 120 seconds. The maximum
+ value SHOULD be the remaining lifetime of the IP address assigned to
+ the PCP client if that information is available (e.g., from the DHCP
+ server), or half the lifetime of IP address assignments on that
+ network if the remaining lifetime is not available, or 24 hours.
+ Excessively long lifetimes can cause consumption of ports even if the
+ internal host is no longer interested in receiving the traffic or is
+ no longer connected to the network. These recommendations are not
+ strict, and deployments should evaluate the trade-offs to determine
+ their own minimum and maximum Lifetime values.
+
+ Once a PCP server has responded positively to a MAP request for a
+ certain lifetime, the port mapping is active for the duration of the
+ lifetime unless the lifetime is reduced by the PCP client (to a
+ shorter lifetime or to zero) or until the PCP server loses its state
+ (e.g., crashes). Mappings created by PCP MAP requests are not
+ special or different from mappings created in other ways. In
+ particular, it is implementation-dependent if outgoing traffic
+ extends the lifetime of such mappings beyond the PCP-assigned
+ lifetime. PCP clients MUST NOT depend on this behavior to keep
+ mappings active, and MUST explicitly renew their mappings as required
+ by the Lifetime field in PCP response messages.
+
+ Upon receipt of a PCP response with an absurdly long assigned
+ lifetime, the PCP client SHOULD behave as if it received a more sane
+ value (e.g., 24 hours), and renew the mapping accordingly, to ensure
+ that if the static mapping is removed, the client will continue to
+ maintain the mapping it desires.
+
+ An application that forgets its PCP-assigned mappings (e.g., the
+ application or OS crashes) will request new PCP mappings. This may
+ consume port mappings, if the application binds to a different
+ internal port every time it runs. The application will also likely
+ initiate new outbound TCP connections, which create implicit dynamic
+ outbound mappings without using PCP, which will also consume port
+
+
+
+Wing, et al. Standards Track [Page 69]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ mappings. If there is a port mapping quota for the internal host,
+ frequent restarts such as this may exhaust the quota.
+
+ To help clean PCP state, when the PCP-controlled device is collocated
+ with the address assignment (DHCP) server, such as in a typical
+ residential CPE, it is RECOMMENDED that when an IP address becomes
+ invalid (e.g., the DHCP lease expires, or the DHCP client sends an
+ explicit DHCP RELEASE) the PCP-controlled device SHOULD also discard
+ any dynamic mapping state relating to that expired IP address.
+
+ When using NAT, the same external port may be assigned for use by
+ different internal hosts at different times. For example, if an
+ internal host using an external port ceases sending traffic using
+ that port, then its mapping may expire, and then later the same
+ external port may be assigned to a new internal host. The new
+ internal host could then receive incoming traffic that was intended
+ for the previous internal host. This generally happens
+ inadvertently, and this reassignment of the external port only
+ happens after the current holder of the external port has ceased
+ using it for some period of time. It would be unacceptable if an
+ attacker could use PCP to intentionally speed up this reassignment of
+ the external port in order to deliberately steal traffic intended for
+ the current holder, by (i) spoofing PCP requests using the current
+ holder's source IP address and mapping nonce to fraudulently delete
+ the mapping or shorten its lifetime, and then (ii) subsequently
+ claiming the external port for itself.
+
+ Therefore, in the simple security model, to protect against this
+ attack, PCP MUST NOT allow a PCP request (even a PCP request that
+ appears to come from the current holder of the mapping) to cause a
+ mapping to expire sooner than it would naturally have expired
+ otherwise by virtue of outbound traffic keeping the mapping active.
+ A PCP server MUST set the lifetime of a mapping to no less than the
+ remaining time before the mapping would expire if no further outbound
+ traffic is seen for that mapping. This means a MAP or PEER request
+ with lifetime of 0 will only set the assigned lifetime to 0 (i.e.,
+ delete the mapping) if the internal host had not sent a packet using
+ that mapping for the idle-timeout time, otherwise the assigned
+ lifetime will be the remaining idle-timeout time.
+
+ Finally, to reduce unwanted traffic and data corruption for both TCP
+ and UDP, the assigned external port created by the MAP Opcode or PEER
+ Opcode SHOULD NOT be reused for an interval equal to the reuse time
+ limit enforced by the NAT for its implicit dynamic mappings
+ (typically, the maximum TCP segment lifetime of 2 minutes [RFC0793]).
+ Furthermore, to reduce port stealing attacks, the assigned external
+ port also SHOULD NOT be reused for an interval equal to the time the
+ PCP- controlled device would normally maintain an idle (no traffic)
+
+
+
+Wing, et al. Standards Track [Page 70]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ implicit dynamic mapping (e.g., 2 minutes for UDP [RFC4787] and 124
+ minutes for TCP [RFC5382]). However, within these time windows, the
+ PCP server SHOULD allow an external port to be reclaimed by the same
+ client, where "same client" means "same internal IP address, internal
+ port, and mapping nonce".
+
+15.1. Lifetime Processing for the MAP Opcode
+
+ If the requested lifetime is zero then:
+
+ o If both the protocol and internal port are non-zero, it indicates
+ a request to delete the indicated mapping immediately.
+
+ o If the protocol is non-zero and the internal port is zero, it
+ indicates a request to delete a previous 'wildcard' (all-ports)
+ mapping for that protocol. The nonce MUST match the nonce used to
+ create the 'wildcard' mapping.
+
+ o If both the protocol and internal port are zero, it indicates a
+ request to delete a previous 'DMZ host' (all incoming traffic for
+ all protocols) mapping. The nonce MUST match the nonce used to
+ create the 'DMZ host' mapping.
+
+ o If the protocol is zero and the internal port is non-zero, then
+ the request is invalid and the PCP server MUST return a
+ MALFORMED_REQUEST error to the client.
+
+ In requests where the requested Lifetime is 0, the Suggested External
+ Address and Suggested External Port fields MUST be set to zero on
+ transmission and MUST be ignored on reception, and these fields MUST
+ be copied into the assigned external IP address and assigned external
+ port of the response.
+
+ PCP MAP requests can only delete or shorten lifetimes of MAP-created
+ mappings. If the PCP client attempts to delete a static mapping
+ (i.e., a mapping created outside of PCP itself), or an outbound
+ (implicit or PEER-created) mapping, the PCP server MUST return
+ NOT_AUTHORIZED. If the PCP client attempts to delete a mapping that
+ does not exist, the SUCCESS result code is returned (this is
+ necessary for PCP to return the same response for retransmissions or
+ duplications of the same request). If the deletion request was
+ properly formatted and successfully processed, a SUCCESS response is
+ generated with the protocol and internal port number copied from the
+ request, and the response lifetime set to zero. An inbound mapping
+ (i.e., static mapping or MAP-created dynamic mapping) MUST NOT have
+ its lifetime reduced by transport protocol messages (e.g., TCP RST,
+ TCP FIN). Note the THIRD_PARTY option (Section 13.1), if authorized,
+ can also delete PCP-created MAP mappings.
+
+
+
+Wing, et al. Standards Track [Page 71]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+16. Implementation Considerations
+
+ Section 16 provides non-normative guidance that may be useful to
+ implementers.
+
+16.1. Implementing MAP with EDM Port-Mapping NAT
+
+ For implicit dynamic outbound mappings, some existing NAT devices
+ have endpoint-independent mapping (EIM) behavior while other NAT
+ devices have endpoint-dependent mapping (EDM) behavior. NATs that
+ have EIM behavior do not suffer from the problem described in this
+ section. The IETF strongly encourages EIM behavior
+ [RFC4787][RFC5382].
+
+ In EDM NAT devices, the same external port may be used by an outbound
+ dynamic mapping and an inbound dynamic mapping (from the same
+ internal host or from a different internal host). This complicates
+ the interaction with the MAP Opcode. With such NAT devices, there
+ are two ways envisioned to implement the MAP Opcode:
+
+ 1. Have outbound mappings use a different set of external ports than
+ inbound mappings (e.g., those created with MAP), thus reducing
+ the interaction problem between them; or
+
+ 2. On arrival of a packet (inbound from the Internet or outbound
+ from an internal host), first attempt to use a dynamic outbound
+ mapping to process that packet. If none match, attempt to use an
+ inbound mapping to process that packet. This effectively
+ 'prioritizes' outbound mappings above inbound mappings.
+
+16.2. Lifetime of Explicit and Implicit Dynamic Mappings
+
+ No matter if a NAT is EIM or EDM, it is possible that one (or more)
+ outbound mappings, using the same internal port on the internal host,
+ might be created before or after a MAP request. When this occurs, it
+ is important that the NAT honor the lifetime returned in the MAP
+ response. Specifically, if an inbound mapping was created with the
+ MAP Opcode, the implementation needs to ensure that termination of an
+ outbound mapping (e.g., via a TCP FIN handshake) does not prematurely
+ destroy the MAP-created inbound mapping.
+
+16.3. PCP Failure Recovery
+
+ If an event occurs that causes the PCP server to lose dynamic mapping
+ state (such as a crash or power outage), the mappings created by PCP
+ are lost. Occasional loss of state may be unavoidable in a
+ residential NAT device that does not write transient information to
+ non-volatile memory. Loss of state is expected to be rare in a
+
+
+
+Wing, et al. Standards Track [Page 72]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ service provider environment (due to redundant power, disk drives for
+ storage, etc.). Of course, due to outright failure of service
+ provider equipment (e.g., software malfunction), state may still be
+ lost.
+
+ The Epoch time allows a client to deduce when a PCP server may have
+ lost its state. When the Epoch Time value is observed to be outside
+ the expected range, the PCP client can attempt to recreate the
+ mappings following the procedures described in this section.
+
+ Further analysis of PCP failure scenarios is planned for a future
+ document [PCP-FAIL].
+
+16.3.1. Recreating Mappings
+
+ A mapping renewal packet is formatted identically to an original
+ mapping request; from the point of view of the client, it is a
+ renewal of an existing mapping; however, from the point of view of a
+ newly rebooted PCP server, it appears as a new mapping request. In
+ the normal process of routinely renewing its mappings before they
+ expire, a PCP client will automatically recreate all its lost
+ mappings.
+
+ When the PCP server loses state and begins processing new PCP
+ messages, its Epoch time is reset and begins counting again. As the
+ result of receiving a packet where the Epoch Time field is outside
+ the expected range (Section 8.5), indicating that a reboot or similar
+ loss of state has occurred, the client can renew its port mappings
+ sooner, without waiting for the normal routine renewal time.
+
+16.3.2. Maintaining Mappings
+
+ A PCP client refreshes a mapping by sending a new PCP request
+ containing information learned from the earlier PCP response. The
+ PCP server will respond indicating the new lifetime. It is possible,
+ due to reconfiguration or failure of the PCP server, that the
+ external IP address and/or external port, or the PCP server itself,
+ has changed (due to a new route to a different PCP server). Such
+ events are rare, but not an error. The PCP server will simply return
+ a new external address and/or external port to the client, and the
+ client should record this new external address and port with its
+ rendezvous service. To detect such events more quickly, a server
+ that requires extremely high availability may find it beneficial to
+ use shorter lifetimes in its PCP mappings requests, so that it
+ communicates with the PCP server more often. This is an engineering
+ trade-off based on (i) the acceptable downtime for the service in
+ question, (ii) the expected likelihood of NAT or firewall state loss,
+ and (iii) the amount of PCP maintenance traffic that is acceptable.
+
+
+
+Wing, et al. Standards Track [Page 73]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ If the PCP client has several mappings, the Epoch Time value only
+ needs to be retrieved for one of them to determine whether or not it
+ appears the PCP server may have suffered a catastrophic loss of
+ state. If the client wishes to check the PCP server's Epoch time, it
+ sends a PCP request for any one of the client's mappings. This will
+ return the current Epoch Time value. In that request, the PCP client
+ could extend the mapping lifetime (by asking for more time) or
+ maintain the current lifetime (by asking for the same number of
+ seconds that it knows are remaining of the lifetime).
+
+ If a PCP client changes its internal IP address (e.g., because the
+ internal host has moved to a new network), and the PCP client wishes
+ to still receive incoming traffic, it needs create new mappings on
+ that new network. New mappings will typically also require an update
+ to the application-specific rendezvous server if the external address
+ or port is different from the previous values (see Sections 10.1 and
+ 11.5).
+
+16.3.3. SCTP
+
+ Although SCTP has port numbers like TCP and UDP, SCTP works
+ differently when behind an address-sharing NAT, in that SCTP port
+ numbers are not changed [SCTPNAT]. Outbound dynamic SCTP mappings
+ use the verification tag of the association instead of the local and
+ remote peer port numbers. As with TCP, explicit outbound mappings
+ can be made to reduce keepalive intervals, and explicit inbound
+ mappings can be made by passive listeners expecting to receive new
+ associations at the external port.
+
+ Because an SCTP-aware NAT does not (currently) rewrite SCTP port
+ numbers, it will not be able to assign an external port that is
+ different from the client's internal port. A PCP client making a MAP
+ request for SCTP should be aware of this restriction. The PCP client
+ SHOULD make its SCTP MAP request just as it would for a TCP MAP
+ request: in its initial PCP MAP request it SHOULD specify zero for
+ the external address and port, and then in subsequent renewals it
+ SHOULD echo the assigned external address and port. However, since a
+ current SCTP-aware NAT can only assign an external port that is the
+ same as the internal port, it may not be able to do that if the
+ external port is already assigned to a different PCP client. This is
+ likely if there is more than one instance of a given SCTP service on
+ the local network, since both instances are likely to listen on the
+ same well-known SCTP port for that service on their respective hosts,
+ but they can't both have the same external port on the NAT gateway's
+ external address. A particular external port may not be assignable
+ for other reasons, such as when it is already in use by the NAT
+ device itself, or otherwise prohibited by policy, as described in
+ Section 11.3, "Processing a MAP Request". In the event that the
+
+
+
+Wing, et al. Standards Track [Page 74]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ external port matching the internal port cannot be assigned (and the
+ SCTP-aware NAT does not perform SCTP port rewriting), the SCTP-aware
+ NAT MUST return a CANNOT_PROVIDE_EXTERNAL error to the requesting PCP
+ client. Note that this restriction places an extra burden on the
+ SCTP server whose MAP request failed, because it then has to tear
+ down its exiting listening socket and try again with a different
+ internal port, repeatedly until it is successful in finding an
+ external port it can use.
+
+ The SCTP complications described above occur because of address
+ sharing. The SCTP complications are avoided when address sharing is
+ avoided (e.g., 1:1 NAT, firewall).
+
+16.4. Source Address Replicated in PCP Header
+
+ All PCP requests include the PCP client's IP address replicated in
+ the PCP header. This is used to detect unexpected address rewriting
+ (NAT) on the path between the PCP client and its PCP server. On
+ operating systems that support the sockets API, the following steps
+ are RECOMMENDED for a PCP client to insert the correct source address
+ in the PCP header:
+
+ 1. Create a UDP socket.
+ 2. Call "connect" on this UDP socket using the address and port of
+ the desired PCP server.
+ 3. Call the getsockname() function to retrieve a sockaddr containing
+ the source address the kernel will use for UDP packets sent
+ through this socket.
+ 4. If the IP address is an IPv4 address, encode the address into an
+ IPv4-mapped IPv6 address. Place the IPv4-mapped IPv6 address or
+ the native IPv6 address into the PCP Client's IP Address field in
+ the PCP header.
+ 5. Send PCP requests using this connected UDP socket.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 75]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+16.5. State Diagram
+
+ Each mapping entry of the PCP-controlled device would go through the
+ state machine shown below. This state diagram is non-normative.
+
+ CLOSE_MSG or
+ (NO_TRAFFIC and EXPIRY) +---------+ NO_TRAFFIC and EXPIRY
+ +-------------->| |<------------+
+ | |NO_ENTRY | |
+ | +-----------| |---------+ |
+ | | +---------+ | |
+ | | ^ | | |
+ | | NO_TRAFFIC | | | |
+ | | or | | | |
+ | | CLOSE_MSGS | | | |
+ | | | | | |
+ | |PEER request | | MAP request| |
+ | V | | V |
+ +---------+ | | +---------+
+ +-->| "P", | | | M-R | "M", |<--+
+ P-R | | PEER |-----------|--|-------->| MAP | | M-R or
+ +---| mapping| | | | mapping|---+ P-R or
+ +---------+ | | +---------+ CLOSE_MSGS
+ | ^ | | ^ |
+ | |PEER request | | MAP request| |
+ | | | | | |
+ | | | | | |
+ | | | | | |
+ | | | | outbound | |
+ | | | | TRAFFIC | |
+ | | | V | |
+ | | +---------+ | |
+ | +-----------| "I", |---------+ |
+ | | implicit| |
+ +-------------->| mapping |<------------+
+ TRAFFIC and EXPIRY +---------+ TRAFFIC and EXPIRY
+
+ Figure 16: PCP State Diagram
+
+ The meanings of the states and events are:
+
+ NO_ENTRY: Invalid state represents Entry does not exist. This is
+ the only possible start state.
+
+ M-R: MAP request
+
+ P-R: PEER request
+
+
+
+
+Wing, et al. Standards Track [Page 76]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ M: Mapping entry when created by MAP request
+
+ P: Mapping entry when created/managed by PEER request
+
+ I: Implicit mapping created by an outgoing packet from the
+ client (e.g., TCP SYN), and also the state when a
+ PCP-created mapping's lifetime expires while there is still
+ active traffic.
+
+ EXPIRY: PEER or MAP lifetime expired
+
+ TRAFFIC: Traffic seen by PCP-controlled device using this entry
+ within the expiry time for that entry. This traffic may be
+ inbound or outbound.
+
+ NO_TRAFFIC: Indicates that there is no TRAFFIC.
+
+ CLOSE_MSG: Protocol messages from the client or server to close
+ the session (e.g., TCP FIN or TCP RST), as per the NAT or
+ firewall device's handling of such protocol messages.
+
+ Notes on the diagram:
+
+ 1. The 'and' clause indicates the events on either side of 'and' are
+ required for the state-transition. The 'or' clause indicates
+ either one of the events are enough for the state-transition.
+
+ 2. Transition from state M to state I is implementation dependent.
+
+17. Deployment Considerations
+
+17.1. Ingress Filtering
+
+ As with implicit dynamic mappings created by outgoing TCP SYN
+ packets, explicit dynamic mappings created via PCP use the source IP
+ address of the packet as the internal address for the mappings.
+ Therefore, ingress filtering [RFC2827] SHOULD be used on the path
+ between the internal host and the PCP server to prevent the injection
+ of spoofed packets onto that path.
+
+17.2. Mapping Quota
+
+ On PCP-controlled devices that create state when a mapping is created
+ (e.g., NAT), the PCP server SHOULD maintain per-host and/or per-
+ subscriber quotas for mappings. It is implementation specific
+ whether the PCP server uses a separate quotas for implicit, explicit,
+ and static mappings, a combined quota for all of them, or some other
+ policy.
+
+
+
+Wing, et al. Standards Track [Page 77]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+18. Security Considerations
+
+ The goal of the PCP protocol is to improve the ability of end nodes
+ to control their associated NAT state, and to improve the efficiency
+ and error handling of NAT mappings when compared to existing implicit
+ mapping mechanisms in NAT boxes and stateful firewalls. It is the
+ security goal of the PCP protocol to limit any new denial-of-service
+ opportunities, and to avoid introducing new attacks that can result
+ in unauthorized changes to mapping state. One of the most serious
+ consequences of unauthorized changes in mapping state is traffic
+ theft. All mappings that could be created by a specific host using
+ implicit mapping mechanisms are inherently considered to be
+ authorized. Confidentiality of mappings is not a requirement, even
+ in cases where the PCP messages may transit paths that would not be
+ traveled by the mapped traffic.
+
+18.1. Simple Threat Model
+
+ PCP servers are secure against off-path attackers who cannot spoof a
+ packet that the PCP server will view as a packet received from the
+ internal network. PCP clients are secure against off-path attackers
+ who can spoof the PCP server's IP address.
+
+ Defending against attackers who can modify or drop packets between
+ the internal network and the PCP server, or who can inject spoofed
+ packets that appear to come from the internal network is out of
+ scope. Such an attacker can redirect traffic to a host of their
+ choosing.
+
+ A PCP server is secure under this threat model if the PCP server is
+ constrained so that it does not configure any explicit mapping that
+ it would not configure implicitly. In most cases, this means that
+ PCP servers running on NAT boxes or stateful firewalls that support
+ the PEER and MAP Opcodes can be secure under this threat model if
+ (1) all of their hosts are within a single administrative domain (or
+ if the internal hosts can be securely partitioned into separate
+ administrative domains, as in the DS-Lite B4 case), (2) explicit
+ mappings are created with the same lifetime as implicit mappings, and
+ (3) the THIRD_PARTY option is not supported. PCP servers can also
+ securely support the MAP Opcode under this threat model if the
+ security policy on the device running the PCP server would permit
+ endpoint-independent filtering of implicit mappings.
+
+ PCP servers that comply with the Simple Threat Model and do not
+ implement a PCP security mechanism described in Section 18.2 MUST
+ enforce the constraints described in the paragraph above.
+
+
+
+
+
+Wing, et al. Standards Track [Page 78]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+18.1.1. Attacks Considered
+
+ o If you allow multiple administrative domains to send PCP requests
+ to a single PCP server that does not enforce a boundary between
+ the domains, it is possible for a node in one domain to perform a
+ denial-of-service attack on other domains or to capture traffic
+ that is intended for a node in another domain.
+
+ o If explicit mappings have longer lifetimes than implicit mappings,
+ it makes it easier to perpetrate a denial-of-service attack than
+ it would be if the PCP server was not present.
+
+ o If the PCP server supports deleting or reducing the lifetime of
+ existing mappings, this allows an attacking node to steal an
+ existing mapping and receive traffic that was intended for another
+ node.
+
+ o If the THIRD_PARTY option is supported, this also allows an
+ attacker to open a window for an external node to attack an
+ internal node, allows an attacker to steal traffic that was
+ intended for another node, or may facilitate a denial-of-service
+ attack. One example of how the THIRD_PARTY option could grant an
+ attacker more capability than a spoofed implicit mapping is that
+ the PCP server (especially if it is running in a service
+ provider's network) may not be aware of internal filtering that
+ would prevent spoofing an equivalent implicit mapping, such as
+ filtering between a guest and corporate network.
+
+ o If the MAP Opcode is supported by the PCP server in cases where
+ the security policy would not support endpoint-independent
+ filtering of implicit mappings, then the MAP Opcode changes the
+ security properties of the device running the PCP server by
+ allowing explicit mappings that violate the security policy.
+
+18.1.2. Deployment Examples Supporting the Simple Threat Model
+
+ This section offers two examples of how the Simple Threat Model can
+ be supported in real-world deployment scenarios.
+
+18.1.2.1. Residential Gateway Deployment
+
+ Parity with many currently deployed residential gateways can be
+ achieved using a PCP server that is constrained as described in
+ Section 18.1 above.
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 79]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+18.2. Advanced Threat Model
+
+ In the Advanced Threat Model, the PCP protocol ensures that attackers
+ (on- or off-path) cannot create unauthorized mappings or make
+ unauthorized changes to existing mappings. The protocol must also
+ limit the opportunity for on- or off-path attackers to perpetrate
+ denial-of-service attacks.
+
+ The Advanced Threat Model security model will be needed in the
+ following cases:
+
+ o Security infrastructure equipment, such as corporate firewalls,
+ that does not create implicit mappings.
+
+ o Equipment (such as CGNs or service provider firewalls) that serves
+ multiple administrative domains and does not have a mechanism to
+ securely partition traffic from those domains.
+
+ o Any implementation that wants to be more permissive in authorizing
+ explicit mappings than it is in authorizing implicit mappings.
+
+ o Implementations that wish to support any deployment scenario that
+ does not meet the constraints described in Section 18.1.
+
+ To protect against attacks under this threat model, a PCP security
+ mechanism that provides an authenticated, integrity-protected
+ signaling channel would need to be specified.
+
+ PCP servers that implement a PCP security mechanism MAY accept
+ unauthenticated requests. In their default configuration, PCP
+ servers implementing the PCP security mechanism MUST still enforce
+ the constraints described in Section 18.1 when processing
+ unauthenticated requests.
+
+18.3. Residual Threats
+
+ This section describes some threats that are not addressed in either
+ of the above threat models and recommends appropriate mitigation
+ strategies.
+
+18.3.1. Denial of Service
+
+ Because of the state created in a NAT or firewall, a per-host and/or
+ per-subscriber quota will likely exist for both implicit dynamic
+ mappings and explicit dynamic mappings. A host might make an
+ excessive number of implicit or explicit dynamic mappings, consuming
+
+
+
+
+
+Wing, et al. Standards Track [Page 80]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ an inordinate number of ports, causing a denial of service to other
+ hosts. Thus, Section 17.2 recommends that hosts be limited to a
+ reasonable number of explicit dynamic mappings.
+
+ An attacker, on the path between the PCP client and PCP server, can
+ drop PCP requests, drop PCP responses, or spoof a PCP error, all of
+ which will effectively deny service. Through such actions, the PCP
+ client might not be aware the PCP server might have actually
+ processed the PCP request. An attacker sending a NO_RESOURCES error
+ can cause the PCP client to not send messages to that server for a
+ while. There is no mitigation to this on-path attacker.
+
+18.3.2. Ingress Filtering
+
+ It is important to prevent a host from fraudulently creating,
+ deleting, or refreshing a mapping (or filtering) for another host,
+ because this can expose the other host to unwanted traffic, prevent
+ it from receiving wanted traffic, or consume the other host's mapping
+ quota. Both implicit and explicit dynamic mappings are created based
+ on the source IP address in the packet, and hence depend on ingress
+ filtering to guard against spoof source IP addresses.
+
+18.3.3. Mapping Theft
+
+ In the time between when a PCP server loses state and the PCP client
+ notices the lower-than-expected Epoch Time value, it is possible that
+ the PCP client's mapping will be acquired by another host (via an
+ explicit dynamic mapping or implicit dynamic mapping). This means
+ incoming traffic will be sent to a different host ("theft"). Rapid
+ recovery reduces this interval, but does not completely eliminate
+ this threat. The PCP client can reduce this interval by using a
+ relatively short lifetime; however, this increases the amount of PCP
+ chatter. This threat is reduced by using persistent storage of
+ explicit dynamic mappings in the PCP server (so it does not lose
+ explicit dynamic mapping state), or by ensuring that the previous
+ external IP address, protocol, and port cannot be used by another
+ host (e.g., by using a different IP address pool).
+
+18.3.4. Attacks against Server Discovery
+
+ This document does not specify server discovery, beyond contacting
+ the default gateway.
+
+
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 81]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+19. IANA Considerations
+
+ IANA has performed the following actions.
+
+19.1. Port Number
+
+ PCP uses ports 5350 and 5351, previously assigned by IANA to NAT-PMP
+ [RFC6886]. IANA has reassigned those ports to PCP.
+
+19.2. Opcodes
+
+ IANA has created a new protocol registry for PCP Opcodes, numbered
+ 0-127, initially populated with the values:
+
+ Value Opcode
+ ----- -------------------------
+ 0 ANNOUNCE
+ 1 MAP
+ 2 PEER
+ 3-31 Standards Action [RFC5226]
+ 32-63 Specification Required [RFC5226]
+ 96-126 Reserved for Private Use [RFC5226]
+ 127 Reserved, Standards Action [RFC5226]
+
+ The value 127 is Reserved and may be assigned via Standards Action
+ [RFC5226]. The values in the range 3-31 can be assigned via
+ Standards Action [RFC5226], 32-63 via Specification Required
+ [RFC5226], and the range 96-126 is for Private Use [RFC5226].
+
+19.3. Result Codes
+
+ IANA has created a new registry for PCP result codes, numbered 0-255,
+ initially populated with the result codes from Section 7.4. The
+ value 255 is Reserved and may be assigned via Standards Action
+ [RFC5226].
+
+ The values in the range 14-127 can be assigned via Standards Action
+ [RFC5226], 128-191 via Specification Required [RFC5226], and the
+ range 191-254 is for Private Use [RFC5226].
+
+19.4. Options
+
+ IANA has created a new registry for PCP options, numbered 0-255, each
+ with an associated mnemonic. The values 0-127 are mandatory to
+ process, and 128-255 are optional to process. The initial registry
+ contains the options described in Section 13. The option values 0,
+ 127, and 255 are Reserved and may be assigned via Standards Action
+ [RFC5226].
+
+
+
+Wing, et al. Standards Track [Page 82]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ Additional PCP option codes in the ranges 4-63 and 128-191 can be
+ created via Standards Action [RFC5226], the ranges 64-95 and 192-223
+ are for Specification Required [RFC5226], and the ranges 96-126 and
+ 224-254 are for Private Use [RFC5226].
+
+ Documents describing an option should describe the processing for
+ both the PCP client and server, and the information below:
+
+ Option Name: <mnemonic>
+ Number: <value>
+ Purpose: <textual description>
+ Valid for Opcodes: <list of Opcodes>
+ Length: <rules for length>
+ May appear in: <requests/responses/both>
+ Maximum occurrences: <count>
+
+20. Acknowledgments
+
+ Thanks to Xiaohong Deng, Alain Durand, Christian Jacquenet, Jacni
+ Qin, Simon Perreault, James Yu, Tina TSOU (Ting ZOU), Felipe Miranda
+ Costa, James Woodyatt, Dave Thaler, Masataka Ohta, Vijay K. Gurbani,
+ Loa Andersson, Richard Barnes, Russ Housley, Adrian Farrel, Pete
+ Resnick, Pasi Sarolahti, Robert Sparks, Wesley Eddy, Dan Harkins,
+ Peter Saint-Andre, Stephen Farrell, Ralph Droms, Felipe Miranda
+ Costa, Amit Jain, and Wim Henderickx for their comments and review.
+
+ Thanks to Simon Perreault for highlighting the interaction of dynamic
+ connections with PCP-created mappings and for many other review
+ comments.
+
+ Thanks to Francis Dupont for his several thorough reviews of the
+ specification, which improved the protocol significantly.
+
+ Thanks to T. S. Ranganathan for the state diagram.
+
+ Thanks to Peter Lothberg for clock skew information, which guided the
+ choice of tolerance levels for deciding when an Epoch time should be
+ considered to be anomalous.
+
+ Thanks to Margaret Wasserman and Sam Hartman for writing the Security
+ Considerations section.
+
+ Thanks to authors of DHCPv6 for retransmission text.
+
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 83]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+21. References
+
+21.1. Normative References
+
+ [RFC0768] Postel, J., "User Datagram Protocol", STD 6,
+ RFC 768, August 1980.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2827] Ferguson, P. and D. Senie, "Network Ingress
+ Filtering: Defeating Denial of Service Attacks which
+ employ IP Source Address Spoofing", BCP 38,
+ RFC 2827, May 2000.
+
+ [RFC4086] Eastlake, D., Schiller, J., and S. Crocker,
+ "Randomness Requirements for Security", BCP 106,
+ RFC 4086, June 2005.
+
+ [RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6
+ Unicast Addresses", RFC 4193, October 2005.
+
+ [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
+ Architecture", RFC 4291, February 2006.
+
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for
+ Writing an IANA Considerations Section in RFCs",
+ BCP 26, RFC 5226, May 2008.
+
+ [RFC6056] Larsen, M. and F. Gont, "Recommendations for
+ Transport-Protocol Port Randomization", BCP 156,
+ RFC 6056, January 2011.
+
+ [proto_numbers] IANA, "Protocol Numbers", 2011,
+ <http://www.iana.org/assignments/protocol-numbers>.
+
+21.2. Informative References
+
+ [IGDv1] UPnP Gateway Committee, "WANIPConnection:1",
+ November 2001, <http://upnp.org/specs/gw/
+ UPnP-gw-WANIPConnection-v1-Service.pdf>.
+
+ [L2NAT] Miles, D. and M. Townsley, "Layer2-Aware NAT", Work
+ in Progress, March 2009.
+
+ [PCP-FAIL] Boucadair, M., Dupont, F., and R. Penno, "Port
+ Control Protocol (PCP) Failure Scenarios", Work
+ in Progress, August 2012.
+
+
+
+Wing, et al. Standards Track [Page 84]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ [PNP-IGD-PCP] Boucadair, M., Penno, R., and D. Wing, "Universal
+ Plug and Play (UPnP) Internet Gateway Device (IGD)-
+ Port Control Protocol (PCP) Interworking Function",
+ Work in Progress, December 2012.
+
+ [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
+ RFC 793, September 1981.
+
+ [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot,
+ G., and E. Lear, "Address Allocation for Private
+ Internets", BCP 5, RFC 1918, February 1996.
+
+ [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS
+ UPDATE)", RFC 2136, April 1997.
+
+ [RFC3007] Wellington, B., "Secure Domain Name System (DNS)
+ Dynamic Update", RFC 3007, November 2000.
+
+ [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP
+ Network Address Translator (Traditional NAT)",
+ RFC 3022, January 2001.
+
+ [RFC3581] Rosenberg, J. and H. Schulzrinne, "An Extension to
+ the Session Initiation Protocol (SIP) for Symmetric
+ Response Routing", RFC 3581, August 2003.
+
+ [RFC3587] Hinden, R., Deering, S., and E. Nordmark, "IPv6
+ Global Unicast Address Format", RFC 3587,
+ August 2003.
+
+ [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
+ RFC 4303, December 2005.
+
+ [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram
+ Congestion Control Protocol (DCCP)", RFC 4340,
+ March 2006.
+
+ [RFC4787] Audet, F. and C. Jennings, "Network Address
+ Translation (NAT) Behavioral Requirements for
+ Unicast UDP", BCP 127, RFC 4787, January 2007.
+
+ [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy
+ Extensions for Stateless Address Autoconfiguration
+ in IPv6", RFC 4941, September 2007.
+
+ [RFC4960] Stewart, R., "Stream Control Transmission Protocol",
+ RFC 4960, September 2007.
+
+
+
+Wing, et al. Standards Track [Page 85]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+ [RFC4961] Wing, D., "Symmetric RTP / RTP Control Protocol
+ (RTCP)", BCP 131, RFC 4961, July 2007.
+
+ [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and
+ P. Srisuresh, "NAT Behavioral Requirements for TCP",
+ BCP 142, RFC 5382, October 2008.
+
+ [RFC6092] Woodyatt, J., "Recommended Simple Security
+ Capabilities in Customer Premises Equipment (CPE)
+ for Providing Residential IPv6 Internet Service",
+ RFC 6092, January 2011.
+
+ [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
+ Algorithm", RFC 6145, April 2011.
+
+ [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum,
+ "Stateful NAT64: Network Address and Protocol
+ Translation from IPv6 Clients to IPv4 Servers",
+ RFC 6146, April 2011.
+
+ [RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network
+ Prefix Translation", RFC 6296, June 2011.
+
+ [RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee,
+ "Dual-Stack Lite Broadband Deployments Following
+ IPv4 Exhaustion", RFC 6333, August 2011.
+
+ [RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable
+ Operation of Address Translators with Per-Interface
+ Bindings", RFC 6619, June 2012.
+
+ [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
+ Discovery", RFC 6763, February 2013.
+
+ [RFC6886] Cheshire, S. and M. Krochmal, "NAT Port Mapping
+ Protocol (NAT-PMP)", RFC 6886, April 2013.
+
+ [RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S.,
+ Nakagawa, A., and H. Ashida, "Common Requirements
+ for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888,
+ April 2013.
+
+ [SCTPNAT] Stewart, R., Tuexen, M., and I. Ruengeler, "Stream
+ Control Transmission Protocol (SCTP) Network Address
+ Translation", Work in Progress, February 2013.
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 86]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+Appendix A. NAT-PMP Transition
+
+ The Port Control Protocol (PCP) is a successor to the NAT Port
+ Mapping Protocol, NAT-PMP [RFC6886], and shares similar semantics,
+ concepts, and packet formats. Because of this, NAT-PMP and PCP both
+ use the same port and use NAT-PMP and PCP's version negotiation
+ capabilities to determine which version to use. This section
+ describes how an orderly transition from NAT-PMP to PCP may be
+ achieved.
+
+ A client supporting both NAT-PMP and PCP SHOULD send its request
+ using the PCP packet format. This will be received by a NAT-PMP
+ server or a PCP server. If received by a NAT-PMP server, the
+ response will be UNSUPP_VERSION, as indicated by the NAT-PMP
+ specification [RFC6886], which will cause the client to downgrade to
+ NAT-PMP and resend its request in NAT-PMP format. If received by a
+ PCP server, the response will be as described by this document and
+ processing continues as expected.
+
+ A PCP server supporting both NAT-PMP and PCP can handle requests in
+ either format. The first octet of the packet indicates if it is
+ NAT-PMP (first octet zero) or PCP (first octet non-zero).
+
+ A PCP-only gateway receiving a NAT-PMP request (identified by the
+ first octet being zero) will interpret the request as a version
+ mismatch. Normal PCP processing will emit a PCP response that is
+ compatible with NAT-PMP, without any special handling by the PCP
+ server.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 87]
+
+RFC 6887 Port Control Protocol (PCP) April 2013
+
+
+Authors' Addresses
+
+ Dan Wing (editor)
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, California 95134
+ USA
+
+ EMail: dwing@cisco.com
+
+
+ Stuart Cheshire
+ Apple Inc.
+ 1 Infinite Loop
+ Cupertino, California 95014
+ USA
+
+ Phone: +1 408 974 3207
+ EMail: cheshire@apple.com
+
+
+ Mohamed Boucadair
+ France Telecom
+ Rennes 35000
+ France
+
+ EMail: mohamed.boucadair@orange.com
+
+
+ Reinaldo Penno
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, California 95134
+ USA
+
+ EMail: repenno@cisco.com
+
+
+ Paul Selkirk
+ Internet Systems Consortium
+ 950 Charter Street
+ Redwood City, California 94063
+ USA
+
+ EMail: pselkirk@isc.org
+
+
+
+
+
+
+Wing, et al. Standards Track [Page 88]
+