1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
|
Network Working Group R. Denis-Courmont
Request for Comments: 5597 VideoLAN project
BCP: 150 September 2009
Category: Best Current Practice
Network Address Translation (NAT) Behavioral Requirements for the
Datagram Congestion Control Protocol
Abstract
This document defines a set of requirements for NATs handling the
Datagram Congestion Control Protocol (DCCP). These requirements
allow DCCP applications, such as streaming applications, to operate
consistently, and they are very similar to the TCP requirements for
NATs, which have already been published by the IETF. Ensuring that
NATs meet this set of requirements will greatly increase the
likelihood that applications using DCCP will function properly.
Status of This Memo
This document specifies an Internet Best Current Practices for the
Internet Community, and requests discussion and suggestions for
improvements. Distribution of this memo is unlimited.
Copyright and License Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
Denis-Courmont Best Current Practice [Page 1]
^L
RFC 5597 NAT DCCP Requirements September 2009
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Applicability Statement . . . . . . . . . . . . . . . . . . . . 3
4. DCCP Connection Initiation . . . . . . . . . . . . . . . . . . 4
5. NAT Session Refresh . . . . . . . . . . . . . . . . . . . . . . 5
6. Application-Level Gateways . . . . . . . . . . . . . . . . . . 5
7. Other Requirements Applicable to DCCP . . . . . . . . . . . . . 5
8. Requirements Specific to DCCP . . . . . . . . . . . . . . . . . 6
9. DCCP without NAT Support . . . . . . . . . . . . . . . . . . . 7
10. Security Considerations . . . . . . . . . . . . . . . . . . . . 7
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 8
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction
For historical reasons, NAT devices are not typically capable of
handling datagrams and flows for applications that use the Datagram
Congestion Control Protocol (DCCP) [RFC4340].
This memo discusses the technical issues involved and proposes a set
of requirements for NAT devices to handle DCCP in a way that enables
communications when either or both of the DCCP endpoints are located
behind one or more NAT devices. All definitions and requirements in
[RFC4787] are inherited here. The requirements are otherwise
designed similarly to those in [RFC5382], from which this memo
borrows its structure and much of its content.
Note however that, if both endpoints are hindered by NAT devices, the
normal model for DCCP of asymmetric connection will not work. A
simultaneous-open must be performed, as in [RFC5596]. Also, a
separate, unspecified mechanism may be needed, such as Unilateral
Self Address Fixing (UNSAF) [RFC3424] protocols, if an endpoint needs
to learn its own external NAT mappings.
2. Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Denis-Courmont Best Current Practice [Page 2]
^L
RFC 5597 NAT DCCP Requirements September 2009
This document uses the term "DCCP connection" to refer to individual
DCCP flows, as uniquely identified by the quadruple (source and
destination IP addresses and DCCP ports) at a given time.
This document uses the term "NAT mapping" to refer to a state at the
NAT that is necessary for network address and port translation of
DCCP connections. This document also uses the terms "endpoint-
independent mapping", "address-dependent mapping", "address and port-
dependent mapping", "filtering behavior", "endpoint-independent
filtering", "address-dependent filtering", "address and port-
dependent filtering", "port assignment", "port overloading",
"hairpinning", and "external source IP address and port" as defined
in [RFC4787].
3. Applicability Statement
This document applies to NAT devices that want to handle DCCP
datagrams. It is not the intent of this document to deprecate the
overwhelming majority of deployed NAT devices. These NATs are simply
not expected to handle DCCP, so this memo is not applicable to them.
Expected NAT behaviors applicable to DCCP connections are very
similar to those applicable to TCP connections (with the exception of
REQ-6 below). The following requirements are discussed and justified
extensively in [RFC5382]. These justifications are not reproduced
here for the sake of brevity.
In addition to the usual changes to the IP header (in particular, the
IP addresses), NAT devices need to mangle:
o the DCCP source port for outgoing packets, depending on the NAT
mapping,
o the DCCP destination port for incoming packets, depending on the
NAT mapping, and
o the DCCP checksum, to compensate for IP address and port number
modifications.
Because changing the source or destination IP address of a DCCP
packet will normally invalidate the DCCP checksum, it is not possible
to use DCCP through a NAT without dedicated support. Some NAT
devices are known to provide "generic" transport-protocol support,
whereby only the IP header is mangled. That scheme is not sufficient
to support DCCP.
Denis-Courmont Best Current Practice [Page 3]
^L
RFC 5597 NAT DCCP Requirements September 2009
4. DCCP Connection Initiation
4.1. Address and Port Mapping Behavior
A NAT uses a mapping to translate packets for each DCCP connection.
A mapping is dynamically allocated for connections initiated from the
internal side, and is potentially reused for certain subsequent
connections. NAT behavior regarding when a mapping can be reused
differs for different NATs, as described in [RFC4787].
REQ-1: A NAT MUST have an "Endpoint-Independent Mapping" behavior for
DCCP.
4.2. Established Connections
REQ-2: A NAT MUST support all valid sequences of DCCP packets
(defined in [RFC4340] and its updates) for connections initiated both
internally as well as externally when the connection is permitted by
the NAT. In particular, in addition to handling the DCCP 3-way
handshake mode of connection initiation, A NAT MUST handle the DCCP
simultaneous-open mode of connection initiation, defined in
[RFC5596]. That mode updates DCCP by adding a new packet type: DCCP-
Listen. The DCCP-Listen packet communicates the information
necessary to uniquely identify a DCCP session. NATs may utilise the
connection information (address, port, Service Code) to establish
local forwarding state.
4.3. Externally Initiated Connections
REQ-3: If application transparency is most important, it is
RECOMMENDED that a NAT have an "Endpoint-independent filtering"
behavior for DCCP. If a more stringent filtering behavior is most
important, it is RECOMMENDED that a NAT have an "Address-dependent
filtering" behavior for DCCP.
o The filtering behavior MAY be an option configurable by the
administrator of the NAT.
o The filtering behavior for DCCP MAY be independent of the
filtering behavior for any other transport-layer protocol, such as
UDP, UDP-Lite, TCP, and SCTP (Stream Control Transmission
Protocol).
REQ-4: A NAT MUST wait for at least 6 seconds from the reception of
an unsolicited, inbound DCCP-Listen or DCCP-Sync packet before it may
respond with an ICMP Port Unreachable error, an ICMP Protocol
Unreachable error, or a DCCP-Reset. If, during this interval, the
NAT receives and translates an outbound DCCP-Request packet for the
Denis-Courmont Best Current Practice [Page 4]
^L
RFC 5597 NAT DCCP Requirements September 2009
connection, the NAT MUST silently drop the original unsolicited,
inbound DCCP-Listen packet. Otherwise, the NAT SHOULD send an ICMP
Port Unreachable error (Type 3, Code 3) for the original DCCP-Listen
unless the security policy forbids it.
5. NAT Session Refresh
The "established connection idle-timeout" for a NAT is defined as the
minimum time a DCCP connection in the established phase must remain
idle before the NAT considers the associated session a candidate for
removal. The "transitory connection idle-timeout" for a NAT is
defined as the minimum time a DCCP connection in the CLOSEREQ or
CLOSING phases must remain idle before the NAT considers the
associated session a candidate for removal. DCCP connections in the
TIMEWAIT state are not affected by the "transitory connection idle-
timeout".
REQ-5: If a NAT cannot determine whether the endpoints of a DCCP
connection are active, it MAY abandon the session if it has been idle
for some time. Where a NAT implements session timeouts, the default
value of the "established connection idle-timeout" MUST be of 124
minutes or longer, and the default value of the "transitory
connection idle-timeout" MUST be of 4 minutes or longer. A NAT that
implements session timeouts may be configurable to use smaller values
for the NAT idle-timeouts.
NAT behavior for handling DCCP-Reset packets or connections in the
TIMEWAIT state is left unspecified.
6. Application-Level Gateways
Contrary to TCP, DCCP is a loss-tolerant protocol. Therefore,
modifying the payload of DCCP packets may present a significant
additional challenge in maintaining any application-layer state
needed for an Application Level Gateway (ALG) to function properly.
Additionally, there are no known DCCP-capable ALGs at the time of
writing this document.
REQ-6: If a NAT includes ALGs, these ALGs MUST NOT affect DCCP.
NOTE: This is not consistent with REQ-6 of [RFC5382].
7. Other Requirements Applicable to DCCP
A list of general and UDP-specific NAT behavioral requirements are
described in [RFC4787]. A list of ICMP-specific NAT behavioral
requirements are described in [RFC5508]. The requirements listed
Denis-Courmont Best Current Practice [Page 5]
^L
RFC 5597 NAT DCCP Requirements September 2009
below reiterate the requirements from these two documents that
directly affect DCCP. The following requirements do not relax any
requirements in [RFC4787] or [RFC5508].
7.1. Port Assignment
REQ-7: A NAT MUST NOT have a "Port assignment" behavior of "Port
overloading" for DCCP.
7.2. Hairpinning Behavior
REQ-8: A NAT MUST support "hairpinning" for DCCP. Furthermore, a
NAT's hairpinning behavior MUST be of type "External source IP
address and port".
7.3. ICMP Responses to DCCP Packets
REQ-9: If a NAT translates DCCP, it SHOULD translate ICMP Destination
Unreachable (Type 3) messages.
REQ-10: Receipt of any sort of ICMP message MUST NOT terminate the
NAT mapping or DCCP connection for which the ICMP was generated.
8. Requirements Specific to DCCP
8.1. Partial Checksum Coverage
DCCP supports partial checksum coverage. A NAT will usually need to
perform incremental changes to the packet Checksum field, as for
other IETF-defined protocols. However, if it needs to recalculate a
correct checksum value, it must take the checksum coverage into
account, as described in Section 9.2 of [RFC4340].
REQ-11: If a NAT translates a DCCP packet with a valid DCCP checksum,
it MUST ensure that the DCCP checksum is translated such that it is
valid after the translation.
REQ-12: A NAT MUST NOT modify the value of the DCCP Checksum
Coverage.
The Checksum Coverage field in the DCCP header determines the parts
of the packet that are covered by the Checksum field. This always
includes the DCCP header and options, but some or all of the
application data may be excluded as determined on a packet-by-packet
basis by the application. Changing the Checksum Coverage in the
network violates the integrity assumptions at the receiver and may
result in unpredictable or incorrect application behaviour.
Denis-Courmont Best Current Practice [Page 6]
^L
RFC 5597 NAT DCCP Requirements September 2009
8.2. Services Codes
DCCP specifies a Service Code as a 4-byte value (32 bits) that
describes the application-level service to which a client application
wishes to connect [RFC4340].
REQ-13: If a NAT translates a DCCP packet, it MUST NOT modify its
DCCP Service Code value.
Further guidance on the use of Service Codes by middleboxes,
including NATs, can be found in [RFC5595].
9. DCCP without NAT Support
If the NAT device cannot be updated to support DCCP, DCCP datagrams
can be encapsulated within a UDP transport header. Indeed, most NAT
devices are already capable of handling UDP. This is however beyond
the scope of this document.
10. Security Considerations
[RFC4787] discusses security considerations for NATs that handle IP
and unicast (UDP) traffic, all of which apply equally to this
document. Security concerns specific to handling DCCP packets are
discussed in this section.
REQ-1 and REQ-6 through REQ-13 do not introduce any new known
security concerns.
REQ-2 does not introduce any new known security concerns. While a
NAT may elect to keep track of some DCCP-specific, per-flow state
(compared to UDP), it has no obligations to do so.
REQ-3 allows a NAT to adopt either a more secure or a more
application-transparent filtering policy. This is already addressed
in [RFC4787] and [RFC5382].
Similar to [RFC5382], REQ-4 of this document recommends that a NAT
respond to unsolicited, inbound Listen and Sync packets with an ICMP
error delayed by a few seconds. Doing so may reveal the presence of
a NAT to an external attacker. Silently dropping the Listen makes it
harder to diagnose network problems and forces applications to wait
for the DCCP stack to finish several retransmissions before reporting
an error. An implementer must therefore understand and carefully
weigh the effects of not sending an ICMP error or rate-limiting such
ICMP errors to a very small number.
Denis-Courmont Best Current Practice [Page 7]
^L
RFC 5597 NAT DCCP Requirements September 2009
REQ-5 recommends that a NAT that passively monitors DCCP state keep
idle sessions alive for at least 124 minutes or 4 minutes, depending
on the state of the connection. To protect against denial-of-service
attacks filling its state storage capacity, a NAT may attempt to
actively determine the liveliness of a DCCP connection, or the NAT
administrator could configure more conservative timeouts.
11. Acknowledgments
The author would like to thank Gorry Fairhurst, Eddie Kohler, Dan
Wing, Alfred Hoenes, Magnus Westerlund, Miguel Garcia, Catherine
Meadows, Tim Polk, Lars Eggert, and Christian Vogt for their comments
and help on this document.
This memo borrows heavily from [RFC5382] by S. Guha (editor), K.
Biswas, B. Ford, S. Sivakumar, and P. Srisuresh.
12. References
12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram
Congestion Control Protocol (DCCP)", RFC 4340, March 2006.
[RFC4787] Audet, F. and C. Jennings, "Network Address Translation
(NAT) Behavioral Requirements for Unicast UDP", BCP 127,
RFC 4787, January 2007.
[RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
Behavioral Requirements for ICMP", BCP 148, RFC 5508,
April 2009.
[RFC5596] Fairhurst, G., "Datagram Congestion Control Protocol
(DCCP) Simultaneous-Open Technique to Facilitate NAT/
Middlebox Traversal", RFC 5596, September 2009.
12.2. Informative References
[RFC3424] Daigle, L. and IAB, "IAB Considerations for UNilateral
Self-Address Fixing (UNSAF) Across Network Address
Translation", RFC 3424, November 2002.
[RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P.
Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
RFC 5382, October 2008.
Denis-Courmont Best Current Practice [Page 8]
^L
RFC 5597 NAT DCCP Requirements September 2009
[RFC5595] Fairhurst, G., "The Datagram Congestion Control Protocol
(DCCP) Service Codes", RFC 5595, September 2009.
Author's Address
Remi Denis-Courmont
VideoLAN project
EMail: rem@videolan.org
URI: http://www.videolan.org/
Denis-Courmont Best Current Practice [Page 9]
^L
|