1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
3140
3141
3142
3143
3144
3145
3146
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159
3160
3161
3162
3163
3164
3165
3166
3167
3168
3169
3170
3171
3172
3173
3174
3175
3176
3177
3178
3179
3180
3181
3182
3183
3184
3185
3186
3187
3188
3189
3190
3191
3192
3193
3194
3195
3196
3197
3198
3199
3200
3201
3202
3203
3204
3205
3206
3207
3208
3209
3210
3211
3212
3213
3214
3215
3216
3217
3218
3219
3220
3221
3222
3223
3224
3225
3226
3227
3228
3229
3230
3231
3232
3233
3234
3235
3236
3237
3238
3239
3240
3241
3242
3243
3244
3245
3246
3247
3248
3249
3250
3251
3252
3253
3254
3255
3256
3257
3258
3259
3260
3261
3262
3263
3264
3265
3266
3267
3268
3269
3270
3271
3272
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282
3283
3284
3285
3286
3287
3288
3289
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301
3302
3303
3304
3305
3306
3307
3308
3309
3310
3311
3312
3313
3314
3315
3316
3317
3318
3319
3320
3321
3322
3323
3324
3325
3326
3327
3328
3329
3330
3331
3332
3333
3334
3335
3336
3337
3338
3339
3340
3341
3342
3343
3344
3345
3346
3347
3348
3349
3350
3351
3352
3353
3354
3355
3356
3357
3358
3359
3360
3361
3362
3363
3364
3365
3366
3367
3368
3369
3370
3371
3372
3373
3374
3375
3376
3377
3378
3379
3380
3381
3382
3383
3384
3385
3386
3387
3388
3389
3390
3391
3392
3393
3394
3395
3396
3397
3398
3399
3400
3401
3402
3403
3404
3405
3406
3407
3408
3409
3410
3411
3412
3413
3414
3415
3416
3417
3418
3419
3420
3421
3422
3423
3424
3425
3426
3427
3428
3429
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442
3443
3444
3445
3446
3447
3448
3449
3450
3451
3452
3453
3454
3455
3456
3457
3458
3459
3460
3461
3462
3463
3464
3465
3466
3467
3468
3469
3470
3471
3472
3473
3474
3475
3476
3477
3478
3479
3480
3481
3482
3483
3484
3485
3486
3487
3488
3489
3490
3491
3492
3493
3494
3495
3496
3497
3498
3499
3500
3501
3502
3503
3504
3505
3506
3507
3508
3509
3510
3511
3512
3513
3514
3515
3516
3517
3518
3519
3520
3521
3522
3523
3524
3525
3526
3527
3528
3529
3530
3531
3532
3533
3534
3535
3536
3537
3538
3539
3540
3541
3542
3543
3544
3545
3546
3547
3548
3549
3550
3551
3552
3553
3554
3555
3556
3557
3558
3559
3560
3561
3562
3563
3564
3565
3566
3567
3568
3569
3570
3571
3572
3573
3574
3575
3576
3577
3578
3579
3580
3581
3582
3583
3584
3585
3586
3587
3588
3589
3590
3591
3592
3593
3594
3595
3596
3597
3598
3599
3600
3601
3602
3603
3604
3605
3606
3607
3608
3609
3610
3611
3612
3613
3614
3615
3616
3617
3618
3619
3620
3621
3622
3623
3624
3625
3626
3627
3628
3629
3630
3631
3632
3633
3634
3635
3636
3637
3638
3639
3640
3641
3642
3643
3644
3645
3646
3647
3648
3649
3650
3651
3652
3653
3654
3655
3656
3657
3658
3659
3660
3661
3662
3663
3664
3665
3666
3667
3668
3669
3670
3671
3672
3673
3674
3675
3676
3677
3678
3679
3680
3681
3682
3683
3684
3685
3686
3687
3688
3689
3690
3691
3692
3693
3694
3695
3696
3697
3698
3699
3700
3701
3702
3703
3704
3705
3706
3707
3708
3709
3710
3711
3712
3713
3714
3715
3716
3717
3718
3719
3720
3721
3722
3723
3724
3725
3726
3727
3728
3729
3730
3731
3732
3733
3734
3735
3736
3737
3738
3739
3740
3741
3742
3743
3744
3745
3746
3747
3748
3749
3750
3751
3752
3753
3754
3755
3756
3757
3758
3759
3760
3761
3762
3763
3764
3765
3766
3767
3768
3769
3770
3771
3772
3773
3774
3775
3776
3777
3778
3779
3780
3781
3782
3783
3784
3785
3786
3787
3788
3789
3790
3791
3792
3793
3794
3795
3796
3797
3798
3799
3800
3801
3802
3803
3804
3805
3806
3807
3808
3809
3810
3811
3812
3813
3814
3815
3816
3817
3818
3819
3820
3821
3822
3823
3824
3825
3826
3827
3828
3829
3830
3831
3832
3833
3834
3835
3836
3837
3838
3839
3840
3841
3842
3843
3844
3845
3846
3847
3848
3849
3850
3851
3852
3853
3854
3855
3856
3857
3858
3859
3860
3861
3862
3863
3864
3865
3866
3867
3868
3869
3870
3871
3872
3873
3874
3875
3876
3877
3878
3879
3880
3881
3882
3883
3884
3885
3886
3887
3888
3889
3890
3891
3892
3893
3894
3895
3896
3897
3898
3899
3900
3901
3902
3903
3904
3905
3906
3907
3908
3909
3910
3911
3912
3913
3914
3915
3916
3917
3918
3919
3920
3921
3922
3923
3924
3925
3926
3927
3928
3929
3930
3931
3932
3933
3934
3935
3936
3937
3938
3939
3940
3941
3942
3943
3944
3945
3946
3947
3948
3949
3950
3951
3952
3953
3954
3955
3956
3957
3958
3959
3960
3961
3962
3963
3964
3965
3966
3967
3968
3969
3970
3971
3972
3973
3974
3975
3976
3977
3978
3979
3980
3981
3982
3983
3984
3985
3986
3987
3988
3989
3990
3991
3992
3993
3994
3995
3996
3997
3998
3999
4000
4001
4002
4003
4004
4005
4006
4007
4008
4009
4010
4011
4012
4013
4014
4015
4016
4017
4018
4019
4020
4021
4022
4023
4024
4025
4026
4027
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038
4039
4040
4041
4042
4043
4044
4045
4046
4047
4048
4049
4050
4051
4052
4053
4054
4055
4056
4057
4058
4059
4060
4061
4062
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073
4074
4075
4076
4077
4078
4079
4080
4081
4082
4083
4084
4085
4086
4087
4088
4089
4090
4091
4092
4093
4094
4095
4096
4097
4098
4099
4100
4101
4102
4103
4104
4105
4106
4107
4108
4109
4110
4111
4112
4113
4114
4115
4116
4117
4118
4119
4120
4121
4122
4123
4124
4125
4126
4127
4128
4129
4130
4131
4132
4133
4134
4135
4136
4137
4138
4139
4140
4141
4142
4143
4144
4145
4146
4147
4148
4149
4150
4151
4152
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163
4164
4165
4166
4167
4168
4169
4170
4171
4172
4173
4174
4175
4176
4177
4178
4179
4180
4181
4182
4183
4184
4185
4186
4187
4188
4189
4190
4191
4192
4193
4194
4195
4196
4197
4198
4199
4200
4201
4202
4203
4204
4205
4206
4207
4208
4209
4210
4211
4212
4213
4214
4215
4216
4217
4218
4219
4220
4221
4222
4223
4224
4225
4226
4227
4228
4229
4230
4231
4232
4233
4234
4235
4236
4237
4238
4239
4240
4241
4242
4243
4244
4245
4246
4247
4248
4249
4250
4251
4252
4253
4254
4255
4256
4257
4258
4259
4260
4261
4262
4263
4264
4265
4266
4267
4268
4269
4270
4271
4272
4273
4274
4275
4276
4277
4278
4279
4280
4281
4282
4283
4284
4285
4286
4287
4288
4289
4290
4291
4292
4293
4294
4295
4296
4297
4298
4299
4300
4301
4302
4303
4304
4305
4306
4307
4308
4309
4310
4311
4312
4313
4314
4315
4316
4317
4318
4319
4320
4321
4322
4323
4324
4325
4326
4327
4328
4329
4330
4331
4332
4333
4334
4335
4336
4337
4338
4339
4340
4341
4342
4343
4344
4345
4346
4347
4348
4349
4350
4351
4352
4353
4354
4355
4356
4357
4358
4359
4360
4361
4362
4363
4364
4365
4366
4367
4368
4369
4370
4371
4372
4373
4374
4375
4376
4377
4378
4379
4380
4381
4382
4383
4384
4385
4386
4387
4388
4389
4390
4391
4392
4393
4394
4395
4396
4397
4398
4399
4400
4401
4402
4403
4404
4405
4406
4407
4408
4409
4410
4411
4412
4413
4414
4415
4416
4417
4418
4419
4420
4421
4422
4423
4424
4425
4426
4427
4428
4429
4430
4431
4432
4433
4434
4435
4436
4437
4438
4439
4440
4441
4442
4443
4444
4445
4446
4447
4448
4449
4450
4451
4452
4453
4454
4455
4456
4457
4458
4459
4460
4461
4462
4463
4464
4465
4466
4467
4468
4469
4470
4471
4472
4473
4474
4475
4476
4477
4478
4479
4480
4481
4482
4483
4484
4485
4486
4487
4488
4489
4490
4491
4492
4493
4494
4495
4496
4497
4498
4499
4500
4501
4502
4503
4504
4505
4506
4507
4508
4509
4510
4511
4512
4513
4514
4515
4516
4517
4518
4519
4520
4521
4522
4523
4524
4525
4526
4527
4528
4529
4530
4531
4532
4533
4534
4535
4536
4537
4538
4539
4540
4541
4542
4543
4544
4545
4546
4547
4548
4549
4550
4551
4552
4553
4554
4555
4556
4557
4558
4559
4560
4561
4562
4563
4564
4565
4566
4567
4568
4569
4570
4571
4572
4573
4574
4575
4576
4577
4578
4579
4580
4581
4582
4583
4584
4585
4586
4587
4588
4589
4590
4591
4592
4593
4594
4595
4596
4597
4598
4599
4600
4601
4602
4603
4604
4605
4606
4607
4608
4609
4610
4611
4612
4613
4614
4615
4616
4617
4618
4619
4620
4621
4622
4623
4624
4625
4626
4627
4628
4629
4630
4631
4632
4633
4634
4635
4636
4637
4638
4639
4640
4641
4642
4643
4644
4645
4646
4647
4648
4649
4650
4651
4652
4653
4654
4655
4656
4657
4658
4659
4660
4661
4662
4663
4664
4665
4666
4667
4668
4669
4670
4671
4672
4673
4674
4675
4676
4677
4678
4679
4680
4681
4682
4683
4684
4685
4686
4687
4688
4689
4690
4691
4692
4693
4694
4695
4696
4697
4698
4699
4700
4701
4702
4703
4704
4705
4706
4707
4708
4709
4710
4711
4712
4713
4714
4715
4716
4717
4718
4719
4720
4721
4722
4723
4724
4725
4726
4727
4728
4729
4730
4731
4732
4733
4734
4735
4736
4737
4738
4739
4740
4741
4742
4743
4744
4745
4746
4747
4748
4749
4750
4751
4752
4753
4754
4755
4756
4757
4758
4759
4760
4761
4762
4763
4764
4765
4766
4767
4768
4769
4770
4771
4772
4773
4774
4775
4776
4777
4778
4779
4780
4781
4782
4783
4784
4785
4786
4787
4788
4789
4790
4791
4792
4793
4794
4795
4796
4797
4798
4799
4800
4801
4802
4803
4804
4805
4806
4807
4808
4809
4810
4811
4812
4813
4814
4815
4816
4817
4818
4819
4820
4821
4822
4823
4824
4825
4826
4827
4828
4829
4830
4831
4832
4833
4834
4835
4836
4837
4838
4839
4840
4841
4842
4843
4844
4845
4846
4847
4848
4849
4850
4851
4852
4853
4854
4855
4856
4857
4858
4859
4860
4861
4862
4863
4864
4865
4866
4867
4868
4869
4870
4871
4872
4873
4874
4875
4876
4877
4878
4879
4880
4881
4882
4883
4884
4885
4886
4887
4888
4889
4890
4891
4892
4893
4894
4895
4896
4897
4898
4899
4900
4901
4902
4903
4904
4905
4906
4907
4908
4909
4910
4911
4912
4913
4914
4915
4916
4917
4918
4919
4920
4921
4922
4923
4924
4925
4926
4927
4928
4929
4930
4931
|
Internet Engineering Task Force (IETF) D. Wing, Ed.
Request for Comments: 6887 Cisco
Category: Standards Track S. Cheshire
ISSN: 2070-1721 Apple
M. Boucadair
France Telecom
R. Penno
Cisco
P. Selkirk
ISC
April 2013
Port Control Protocol (PCP)
Abstract
The Port Control Protocol allows an IPv6 or IPv4 host to control how
incoming IPv6 or IPv4 packets are translated and forwarded by a
Network Address Translator (NAT) or simple firewall, and also allows
a host to optimize its outgoing NAT keepalive messages.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6887.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Wing, et al. Standards Track [Page 1]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Deployment Scenarios . . . . . . . . . . . . . . . . . . . 5
2.2. Supported Protocols . . . . . . . . . . . . . . . . . . . 5
2.3. Single-Homed Customer Premises Network . . . . . . . . . . 5
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Relationship between PCP Server and Its PCP-Controlled
Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5. Note on Fixed-Size Addresses . . . . . . . . . . . . . . . . . 10
6. Protocol Design Note . . . . . . . . . . . . . . . . . . . . . 11
7. Common Request and Response Header Format . . . . . . . . . . 13
7.1. Request Header . . . . . . . . . . . . . . . . . . . . . . 14
7.2. Response Header . . . . . . . . . . . . . . . . . . . . . 15
7.3. Options . . . . . . . . . . . . . . . . . . . . . . . . . 16
7.4. Result Codes . . . . . . . . . . . . . . . . . . . . . . . 19
8. General PCP Operation . . . . . . . . . . . . . . . . . . . . 20
8.1. General PCP Client: Generating a Request . . . . . . . . . 21
8.1.1. PCP Client Retransmission . . . . . . . . . . . . . . 22
8.2. General PCP Server: Processing a Request . . . . . . . . . 24
8.3. General PCP Client: Processing a Response . . . . . . . . 25
8.4. Multi-Interface Issues . . . . . . . . . . . . . . . . . . 27
8.5. Epoch . . . . . . . . . . . . . . . . . . . . . . . . . . 27
9. Version Negotiation . . . . . . . . . . . . . . . . . . . . . 29
10. Introduction to MAP and PEER Opcodes . . . . . . . . . . . . . 30
10.1. For Operating a Server . . . . . . . . . . . . . . . . . . 33
10.2. For Operating a Symmetric Client/Server . . . . . . . . . 35
10.3. For Reducing NAT or Firewall Keepalive Messages . . . . . 37
10.4. For Restoring Lost Implicit TCP Dynamic Mapping State . . 38
11. MAP Opcode . . . . . . . . . . . . . . . . . . . . . . . . . . 39
11.1. MAP Operation Packet Formats . . . . . . . . . . . . . . . 40
11.2. Generating a MAP Request . . . . . . . . . . . . . . . . . 43
11.2.1. Renewing a Mapping . . . . . . . . . . . . . . . . . . 44
11.3. Processing a MAP Request . . . . . . . . . . . . . . . . . 44
11.4. Processing a MAP Response . . . . . . . . . . . . . . . . 48
11.5. Address Change Events . . . . . . . . . . . . . . . . . . 49
11.6. Learning the External IP Address Alone . . . . . . . . . . 50
12. PEER Opcode . . . . . . . . . . . . . . . . . . . . . . . . . 50
12.1. PEER Operation Packet Formats . . . . . . . . . . . . . . 51
12.2. Generating a PEER Request . . . . . . . . . . . . . . . . 54
12.3. Processing a PEER Request . . . . . . . . . . . . . . . . 55
12.4. Processing a PEER Response . . . . . . . . . . . . . . . . 56
Wing, et al. Standards Track [Page 2]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
13. Options for MAP and PEER Opcodes . . . . . . . . . . . . . . . 57
13.1. THIRD_PARTY Option for MAP and PEER Opcodes . . . . . . . 57
13.2. PREFER_FAILURE Option for MAP Opcode . . . . . . . . . . . 59
13.3. FILTER Option for MAP Opcode . . . . . . . . . . . . . . . 61
14. Rapid Recovery . . . . . . . . . . . . . . . . . . . . . . . . 63
14.1. ANNOUNCE Opcode . . . . . . . . . . . . . . . . . . . . . 64
14.1.1. ANNOUNCE Operation . . . . . . . . . . . . . . . . . . 65
14.1.2. Generating and Processing a Solicited ANNOUNCE
Message . . . . . . . . . . . . . . . . . . . . . . . 65
14.1.3. Generating and Processing an Unsolicited ANNOUNCE
Message . . . . . . . . . . . . . . . . . . . . . . . 66
14.2. PCP Mapping Update . . . . . . . . . . . . . . . . . . . . 67
15. Mapping Lifetime and Deletion . . . . . . . . . . . . . . . . 69
15.1. Lifetime Processing for the MAP Opcode . . . . . . . . . . 71
16. Implementation Considerations . . . . . . . . . . . . . . . . 72
16.1. Implementing MAP with EDM Port-Mapping NAT . . . . . . . . 72
16.2. Lifetime of Explicit and Implicit Dynamic Mappings . . . . 72
16.3. PCP Failure Recovery . . . . . . . . . . . . . . . . . . . 72
16.3.1. Recreating Mappings . . . . . . . . . . . . . . . . . 73
16.3.2. Maintaining Mappings . . . . . . . . . . . . . . . . . 73
16.3.3. SCTP . . . . . . . . . . . . . . . . . . . . . . . . . 74
16.4. Source Address Replicated in PCP Header . . . . . . . . . 75
16.5. State Diagram . . . . . . . . . . . . . . . . . . . . . . 76
17. Deployment Considerations . . . . . . . . . . . . . . . . . . 77
17.1. Ingress Filtering . . . . . . . . . . . . . . . . . . . . 77
17.2. Mapping Quota . . . . . . . . . . . . . . . . . . . . . . 77
18. Security Considerations . . . . . . . . . . . . . . . . . . . 78
18.1. Simple Threat Model . . . . . . . . . . . . . . . . . . . 78
18.1.1. Attacks Considered . . . . . . . . . . . . . . . . . . 79
18.1.2. Deployment Examples Supporting the Simple Threat
Model . . . . . . . . . . . . . . . . . . . . . . . . 79
18.2. Advanced Threat Model . . . . . . . . . . . . . . . . . . 80
18.3. Residual Threats . . . . . . . . . . . . . . . . . . . . . 80
18.3.1. Denial of Service . . . . . . . . . . . . . . . . . . 80
18.3.2. Ingress Filtering . . . . . . . . . . . . . . . . . . 81
18.3.3. Mapping Theft . . . . . . . . . . . . . . . . . . . . 81
18.3.4. Attacks against Server Discovery . . . . . . . . . . . 81
19. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 82
19.1. Port Number . . . . . . . . . . . . . . . . . . . . . . . 82
19.2. Opcodes . . . . . . . . . . . . . . . . . . . . . . . . . 82
19.3. Result Codes . . . . . . . . . . . . . . . . . . . . . . . 82
19.4. Options . . . . . . . . . . . . . . . . . . . . . . . . . 82
20. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 83
21. References . . . . . . . . . . . . . . . . . . . . . . . . . . 84
21.1. Normative References . . . . . . . . . . . . . . . . . . . 84
21.2. Informative References . . . . . . . . . . . . . . . . . . 84
Appendix A. NAT-PMP Transition . . . . . . . . . . . . . . . . . . 87
Wing, et al. Standards Track [Page 3]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
1. Introduction
The Port Control Protocol (PCP) provides a mechanism to control how
incoming packets are forwarded by upstream devices such as Network
Address Translator IPv6/IPv4 (NAT64), Network Address Translator
IPv4/IPv4 (NAT44), and IPv6 and IPv4 firewall devices, and a
mechanism to reduce application keepalive traffic. PCP is designed
to be implemented in the context of Carrier-Grade NATs (CGNs) and
small NATs (e.g., residential NATs), as well as with dual-stack and
IPv6-only Customer Premises Equipment (CPE) routers, and all of the
currently known transition scenarios towards IPv6-only CPE routers.
PCP allows hosts to operate servers for a long time (e.g., a network-
attached home security camera) or a short time (e.g., while playing a
game or on a phone call) when behind a NAT device, including when
behind a CGN operated by their Internet service provider or an IPv6
firewall integrated in their CPE router.
PCP allows applications to create mappings from an external IP
address, protocol, and port to an internal IP address, protocol, and
port. These mappings are required for successful inbound
communications destined to machines located behind a NAT or a
firewall.
After creating a mapping for incoming connections, it is necessary to
inform remote computers about the IP address, protocol, and port for
the incoming connection. This is usually done in an application-
specific manner. For example, a computer game might use a rendezvous
server specific to that game (or specific to that game developer), a
SIP phone would use a SIP proxy, and a client using DNS-Based Service
Discovery [RFC6763] would use DNS Update [RFC2136] [RFC3007]. PCP
does not provide this rendezvous function. The rendezvous function
may support IPv4, IPv6, or both. Depending on that support and the
application's support of IPv4 or IPv6, the PCP client may need an
IPv4 mapping, an IPv6 mapping, or both.
Many NAT-friendly applications send frequent application-level
messages to ensure that their session will not be timed out by a NAT.
These are commonly called "NAT keepalive" messages, even though they
are not sent to the NAT itself (rather, they are sent 'through' the
NAT). These applications can reduce the frequency of such NAT
keepalive messages by using PCP to learn (and influence) the NAT
mapping lifetime. This helps reduce bandwidth on the subscriber's
access network, traffic to the server, and battery consumption on
mobile devices.
Many NATs and firewalls include Application Layer Gateways (ALGs) to
create mappings for applications that establish additional streams or
accept incoming connections. ALGs incorporated into NATs may also
Wing, et al. Standards Track [Page 4]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
modify the application payload. Industry experience has shown that
these ALGs are detrimental to protocol evolution. PCP allows an
application to create its own mappings in NATs and firewalls,
reducing the incentive to deploy ALGs in NATs and firewalls.
2. Scope
2.1. Deployment Scenarios
PCP can be used in various deployment scenarios, including:
o Basic NAT [RFC3022]
o Network Address and Port Translation [RFC3022], such as commonly
deployed in residential NAT devices
o Carrier-Grade NAT [RFC6888]
o Dual-Stack Lite (DS-Lite) [RFC6333]
o NAT that is Layer-2 Aware [L2NAT]
o Dual-Stack Extra Lite [RFC6619]
o NAT64, both Stateless [RFC6145] and Stateful [RFC6146]
o IPv4 and IPv6 simple firewall control [RFC6092]
o IPv6-to-IPv6 Network Prefix Translation (NPTv6) [RFC6296]
2.2. Supported Protocols
The PCP Opcodes defined in this document are designed to support
transport-layer protocols that use a 16-bit port number (e.g., TCP,
UDP, Stream Control Transmission Protocol (SCTP) [RFC4960], and
Datagram Congestion Control Protocol (DCCP) [RFC4340]). Protocols
that do not use a port number (e.g., Resource Reservation Protocol
(RSVP), IP Encapsulating Security Payload (ESP) [RFC4303], ICMP, and
ICMPv6) are supported for IPv4 firewall, IPv6 firewall, and NPTv6
functions, but are out of scope for any NAT functions.
2.3. Single-Homed Customer Premises Network
PCP assumes a single-homed IP address model. That is, for a given IP
address of a host, only one default route exists to reach other hosts
on the Internet from that source IP address. This is important
because after a PCP mapping is created and an inbound packet (e.g.,
TCP SYN) is rewritten and delivered to a host, the outbound response
Wing, et al. Standards Track [Page 5]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
(e.g., TCP SYNACK) has to go through the same (reverse) path so it
passes through the same NAT to have the necessary inverse rewrite
performed. This restriction exists because otherwise there would
need to be a PCP-enabled NAT for every egress (because the host could
not reliably determine which egress path packets would take), and the
client would need to be able to reliably make the same internal/
external mapping in every NAT gateway, which in general is not
possible (because the other NATs might already have the necessary
external port mapped to another host).
3. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
"Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].
Internal Host:
A host served by a NAT gateway, or protected by a firewall. This
is the host that will receive incoming traffic resulting from a
PCP mapping request, or the host that initiated an implicit
dynamic outbound mapping (e.g., by sending a TCP SYN) across a
firewall or a NAT.
Remote Peer Host:
A host with which an internal host is communicating. This can
include another internal host (or even the same internal host); if
a NAT is involved, the NAT would need to hairpin the traffic
[RFC4787].
Internal Address:
The address of an internal host served by a NAT gateway or
protected by a firewall.
External Address:
The address of an internal host as seen by other remote peers on
the Internet with which the internal host is communicating, after
translation by any NAT gateways on the path. An external address
is generally a public routable (i.e., non-private) address. In
the case of an internal host protected by a pure firewall, with no
address translation on the path, its external address is the same
as its internal address.
Endpoint-Dependent Mapping (EDM): A term applied to NAT operation
where an implicit mapping created by outgoing traffic (e.g., TCP
SYN) from a single internal address, protocol, and port to
different remote peers and ports may be assigned different
external ports, and a subsequent PCP mapping request for that
Wing, et al. Standards Track [Page 6]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
internal address, protocol, and port may be assigned yet another
different external port. This term encompasses both Address-
Dependent Mapping and Address and Port-Dependent Mapping
[RFC4787].
Endpoint-Independent Mapping (EIM): A term applied to NAT operation
where all mappings from a single internal address, protocol, and
port to different remote peers and ports are all assigned the same
external address and port.
Remote Peer Address:
The address of a remote peer, as seen by the internal host. A
remote address is generally a publicly routable address. In the
case of a remote peer that is itself served by a NAT gateway, the
remote address may in fact be the remote peer's external address,
but since this remote translation is generally invisible to
software running on the internal host, the distinction can safely
be ignored for the purposes of this document.
Third Party:
In the common case, an internal host manages its own mappings
using PCP requests, and the internal address of those mappings is
the same as the source IP address of the PCP request packet.
In the case where one device is managing mappings on behalf of
some other device that does not implement PCP, the presence of the
THIRD_PARTY option in the MAP request signifies that the specified
address, rather than the source IP address of the PCP request
packet, should be used as the internal address for the mapping.
Mapping, Port Mapping, Port Forwarding:
A NAT mapping creates a relationship between an internal IP
address, protocol, and port, and an external IP address, protocol,
and port. More specifically, it creates a translation rule where
packets destined *to* the external IP address, protocol, and port
have their destination address and port translated to the internal
address and port, and conversely, packets *from* the internal IP
address, protocol, and port have their source address and port
translated to the external address and port. In the case of a
pure firewall, the "mapping" is the identity function, translating
an internal IP address, protocol, and port number to the same
external IP address, protocol, and port number. Firewall
filtering, applied in addition to that identity mapping function,
is separate from the mapping itself.
Wing, et al. Standards Track [Page 7]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
Mapping Types:
There are three dimensions to classifying mapping types: how they
are created (implicitly/explicitly), their primary purpose
(outbound/inbound), and how they are deleted (dynamic/static).
Implicit mappings are created as a side effect of some other
operation; explicit mappings are created by a mechanism explicitly
dealing with mappings. Outbound mappings exist primarily to
facilitate outbound communication; inbound mappings exist
primarily to facilitate inbound communication. Dynamic mappings
are deleted when their lifetime expires, or through other protocol
action; static mappings are permanent until the user chooses to
delete them.
* Implicit dynamic mappings are created implicitly as a side
effect of traffic such as an outgoing TCP SYN or outgoing UDP
packet. Such packets were not originally designed explicitly
for creating NAT (or firewall) state, but they can have that
effect when they pass through a NAT (or firewall) device.
Implicit dynamic mappings usually have a finite lifetime,
though this lifetime is generally not known to the client using
them.
* Explicit dynamic mappings are created as a result of explicit
PCP MAP and PEER requests. Like a DHCP address lease, explicit
dynamic mappings have a finite lifetime, and this lifetime is
communicated to the client. As with a DHCP address lease, if
the client wants a mapping to persist the client must prove
that it is still present by periodically renewing the mapping
to prevent it from expiring. If a PCP client goes away, then
any mappings it created will be automatically cleaned up when
they expire.
* Explicit static mappings are created by manual configuration
(e.g., via command-line interface or other user interface) and
persist until the user changes that manual configuration.
Both implicit and explicit dynamic mappings are dynamic in the
sense that they are created on demand, as requested (implicitly or
explicitly) by the internal host, and have a lifetime. After the
lifetime, the mapping is deleted unless the lifetime is extended
by action by the internal host (e.g., sending more traffic or
sending another PCP request).
Static mappings are, by their nature, always explicit. Static
mappings differ from explicit dynamic mappings in that their
lifetime is effectively infinite (they exist until manually
removed), but otherwise they behave exactly the same as explicit
MAP mappings.
Wing, et al. Standards Track [Page 8]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
While all mappings are, by necessity, bidirectional (most Internet
communication requires information to flow in both directions for
successful operation), when talking about mappings, it can be
helpful to identify them loosely according to their 'primary'
purpose.
* Outbound mappings exist primarily to enable outbound
communication. For example, when a host calls connect() to
make an outbound connection, a NAT gateway will create an
implicit dynamic outbound mapping to facilitate that outbound
communication.
* Inbound mappings exist primarily to enable listening servers to
receive inbound connections. Generally, when a client calls
listen() to listen for inbound connections, a NAT gateway will
not implicitly create any mapping to facilitate that inbound
communication. A PCP MAP request can be used explicitly to
create a dynamic inbound mapping to enable the desired inbound
communication.
Explicit static (manual) mappings and explicit dynamic (MAP)
mappings both allow internal hosts to receive inbound traffic that
is not in direct response to any immediately preceding outbound
communication (i.e., to allow internal hosts to operate a "server"
that is accessible to other hosts on the Internet).
PCP Client:
A PCP software instance responsible for issuing PCP requests to a
PCP server. Several independent PCP clients can exist on the same
host. Several PCP clients can be located in the same local
network. A PCP client can issue PCP requests on behalf of a
third-party device for which it is authorized to do so. An
interworking function from Universal Plug and Play Internet
Gateway Device (UPnP IGDv1 [IGDv1]) to PCP is another example of a
PCP client. A PCP server in a NAT gateway that is itself a client
of another NAT gateway (nested NAT) may itself act as a PCP client
to the upstream NAT.
PCP-Controlled Device:
A NAT or firewall that controls or rewrites packet flows between
internal hosts and remote peer hosts. PCP manages the mappings on
this device.
PCP Server:
A PCP software instance that resides on the PCP-Controlled Device
that receives PCP requests from the PCP client and creates
appropriate state in response to that request.
Wing, et al. Standards Track [Page 9]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
Subscriber:
The unit of billing for a commercial ISP. A subscriber may have a
single IP address from the commercial ISP (which can be shared
among multiple hosts using a NAT gateway, thereby making them
appear to be a single host to the ISP) or may have multiple IP
addresses provided by the commercial ISP. In either case, the IP
address or addresses provided by the ISP may themselves be further
translated by a Carrier-Grade NAT (CGN) operated by the ISP.
4. Relationship between PCP Server and Its PCP-Controlled Device
The PCP server receives and responds to PCP requests. The PCP server
functionality is typically a capability of a NAT or firewall device,
as shown in Figure 1. It is also possible for the PCP functionality
to be provided by some other device, which communicates with the
actual NAT(s) or firewall(s) via some other proprietary mechanism, as
long as from the PCP client's perspective such split operation is
indistinguishable from the integrated case.
+-----------------+
+------------+ | NAT or firewall |
| PCP client |-<network>-+ with +---<Internet>
+------------+ | PCP server |
+-----------------+
Figure 1: PCP-Enabled NAT or Firewall
A NAT or firewall device, between the PCP client and the Internet,
might implement simple or advanced firewall functionality. This may
be a side effect of the technology implemented by the device (e.g., a
network address and port translator, by virtue of its port rewriting,
normally requires connections to be initiated from an inside host
towards the Internet), or this might be an explicit firewall policy
to deny unsolicited traffic from the Internet. Some firewall devices
deny certain unsolicited traffic from the Internet (e.g., TCP, UDP to
most ports) but allow certain other unsolicited traffic from the
Internet (e.g., UDP port 500 and IP ESP) [RFC6092]. Such default
filtering (or lack thereof) is out of scope of PCP itself. If a
client device wants to receive traffic and supports PCP, and does not
possess prior knowledge of such default filtering policy, it SHOULD
use PCP to request the necessary mappings to receive the desired
traffic.
5. Note on Fixed-Size Addresses
For simplicity in building and parsing request and response packets,
PCP always uses fixed-size 128-bit IP address fields for both IPv6
addresses and IPv4 addresses.
Wing, et al. Standards Track [Page 10]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
When the address field holds an IPv6 address, the fixed-size 128-bit
IP address field holds the IPv6 address stored as is.
When the address field holds an IPv4 address, an IPv4-mapped IPv6
address [RFC4291] is used (::ffff:0:0/96). This has the first 80
bits set to zero and the next 16 set to one, while its last 32 bits
are filled with the IPv4 address. This is unambiguously
distinguishable from a native IPv6 address, because an IPv4-mapped
IPv6 address [RFC4291] would not be valid for a mapping.
When checking for an IPv4-mapped IPv6 address, all of the first 96
bits MUST be checked for the pattern -- it is not sufficient to check
for ones in bits 81-96.
The all-zeros IPv6 address MUST be expressed by filling the
fixed-size 128-bit IP address field with all zeros (::).
The all-zeros IPv4 address MUST be expressed by 80 bits of zeros,
16 bits of ones, and 32 bits of zeros (::ffff:0:0).
6. Protocol Design Note
PCP can be viewed as a request/response protocol, much like many
other UDP-based request/response protocols, and can be implemented
perfectly well as such. It can also be viewed as what might be
called a hint/notification protocol, and this observation can help
simplify implementations.
Rather than viewing the message streams between PCP client and PCP
server as following a strict request/response pattern, where every
response is associated with exactly one request, the message flows
can be viewed as two somewhat independent streams carrying
information in opposite directions:
o A stream of hints flowing from PCP client to PCP server, where the
client indicates to the server what it would like the state of its
mappings to be, and
o A stream of notifications flowing from PCP server to PCP client,
where the server informs the clients what the state of its
mappings actually is.
To an extent, some of this approach is required anyway in a UDP-based
request/response protocol, since UDP packets can be lost, duplicated,
or reordered.
Wing, et al. Standards Track [Page 11]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
In this view of the protocol, the client transmits hints to the
server at various intervals signaling its desires, and the server
transmits notifications to the client signaling the actual state of
its mappings. These two message flows are loosely correlated in that
a client request (hint) usually elicits a server response
(notification), but only loosely, in that a client request may result
in no server response (in the case of packet loss), and a server
response may be generated gratuitously without an immediately
preceding client request (in the case where server configuration
change, e.g., change of external IP address on a NAT gateway, results
in a change of mapping state).
The exact times that client requests are sent are influenced by a
client timing state machine taking into account whether (i) the
client has not yet received a response from the server for a prior
request (retransmission), or (ii) the client has previously received
a response from the server saying how long the indicated mapping
would remain active (renewal). This design philosophy is the reason
why PCP's retransmissions and renewals are exactly the same packet on
the wire. Typically, retransmissions are sent with exponentially
increasing intervals as the client waits for the server to respond,
whereas renewals are sent with exponentially decreasing intervals as
the expiry time approaches, but, from the server's point of view,
both packets are identical, and both signal the client's desire that
the stated mapping exist or continue to exist.
A PCP server usually sends responses as a direct result of client
requests, but not always. For example, if a server is too overloaded
to respond, it is allowed to silently ignore a request message and
let the client retransmit. Also, if external factors cause a NAT
gateway or firewall's configuration to change, then the PCP server
can send unsolicited responses to clients informing them of the new
state of their mappings. Such reconfigurations are expected to be
rare, because of the disruption they can cause to clients, but should
they happen, PCP provides a way for servers to communicate the new
state to clients promptly, without having to wait for the next
periodic renewal request.
This design goal helps explain why PCP request and response messages
have no transaction ID, because such a transaction ID is unnecessary,
and would unnecessarily limit the protocol and unnecessarily
complicate implementations. A PCP server response (i.e.,
notification) is self-describing and complete. It communicates the
internal and external addresses, protocol, and ports for a mapping,
and its remaining lifetime. If the client does in fact currently
want such a mapping to exist, then it can identify the mapping in
question from the internal address, protocol, and port, and update
its state to reflect the current external address and port, and
Wing, et al. Standards Track [Page 12]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
remaining lifetime. If a client does not currently want such a
mapping to exist, then it can safely ignore the message. No client
action is required for unexpected mapping notifications. In today's
world, a NAT gateway can have a static mapping, and the client device
has no explicit knowledge of this, and no way to change the fact.
Also, in today's world, a client device can be connected directly to
the public Internet, with a globally routable IP address, and, in
this case, it effectively has "mappings" for all of its listening
ports. Such a device has to be responsible for its own security and
cannot rely on assuming that some other network device will be
blocking all incoming packets.
7. Common Request and Response Header Format
All PCP messages are sent over UDP, with a maximum UDP payload length
of 1100 octets. The PCP messages contain a request or response
header containing an Opcode, any relevant Opcode-specific
information, and zero or more options. All numeric quantities larger
than a single octet (e.g., result codes, lifetimes, Epoch times,
etc.) are represented in conventional IETF network order, i.e., most
significant octet first. Non-numeric quantities are represented as
is on all platforms, with no byte swapping (e.g., IP addresses and
ports are placed in PCP messages using the same representation as
when placed in IP or TCP headers).
The packet layout for the common header, and operation of the PCP
client and PCP server, are described in the following sections. The
information in this section applies to all Opcodes. Behavior of the
Opcodes defined in this document is described in Sections 10, 11, and
12.
Wing, et al. Standards Track [Page 13]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
7.1. Request Header
All requests have the following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Version = 2 |R| Opcode | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Requested Lifetime (32 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| PCP Client's IP Address (128 bits) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: :
: (optional) Opcode-specific information :
: :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: :
: (optional) PCP Options :
: :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 2: Common Request Packet Format
These fields are described below:
Version: This document specifies protocol version 2. PCP clients
and servers compliant with this document use the value 2. This
field is used for version negotiation as described in Section 9.
R: Indicates Request (0) or Response (1).
Opcode: A 7-bit value specifying the operation to be performed. MAP
and PEER Opcodes are defined in Sections 11 and 12.
Reserved: 16 reserved bits. MUST be zero on transmission and MUST
be ignored on reception.
Requested Lifetime: An unsigned 32-bit integer, in seconds, ranging
from 0 to 2^32-1 seconds. This is used by the MAP and PEER
Opcodes defined in this document for their requested lifetime.
Wing, et al. Standards Track [Page 14]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
PCP Client's IP Address: The source IPv4 or IPv6 address in the IP
header used by the PCP client when sending this PCP request. An
IPv4 address is represented using an IPv4-mapped IPv6 address.
The PCP Client IP Address in the PCP message header is used to
detect an unexpected NAT on the path between the PCP client and
the PCP-controlled NAT or firewall device. See Section 8.1.
Opcode-specific information: Payload data for this Opcode. The
length of this data is determined by the Opcode definition.
PCP Options: Zero, one, or more options that are legal for both a
PCP request and for this Opcode. See Section 7.3.
7.2. Response Header
All responses have the following format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Version = 2 |R| Opcode | Reserved | Result Code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Lifetime (32 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Epoch Time (32 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Reserved (96 bits) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: :
: (optional) Opcode-specific response data :
: :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: (optional) Options :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Common Response Packet Format
These fields are described below:
Version: Responses from servers compliant with this specification
MUST use version 2. This is set by the server.
R: Indicates Request (0) or Response (1). All Responses MUST use 1.
This is set by the server.
Wing, et al. Standards Track [Page 15]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
Opcode: The 7-bit Opcode value. The server copies this value from
the request.
Reserved: 8 reserved bits, MUST be sent as 0, MUST be ignored when
received. This is set by the server.
Result Code: The result code for this response. See Section 7.4 for
values. This is set by the server.
Lifetime: An unsigned 32-bit integer, in seconds, ranging from 0 to
2^32-1 seconds. On an error response, this indicates how long
clients should assume they'll get the same error response from
that PCP server if they repeat the same request. On a success
response for the PCP Opcodes that create a mapping (MAP and PEER),
the Lifetime field indicates the lifetime for this mapping. This
is set by the server.
Epoch Time: The server's Epoch Time value. See Section 8.5 for
discussion. This value is set by the server, in both success and
error responses.
Reserved: 96 reserved bits. For requests that were successfully
parsed, this MUST be sent as 0, MUST be ignored when received.
This is set by the server. For requests that were not
successfully parsed, the server copies the last 96 bits of the PCP
Client's IP Address field from the request message into this
corresponding 96-bit field of the response.
Opcode-specific information: Payload data for this Opcode. The
length of this data is determined by the Opcode definition.
PCP Options: Zero, one, or more options that are legal for both a
PCP response and for this Opcode. See Section 7.3.
7.3. Options
A PCP Opcode can be extended with one or more options. Options can
be used in requests and responses. The design decisions in this
specification about whether to include a given piece of information
in the base Opcode format or in an option were an engineering trade-
off between packet size and code complexity. For information that is
usually (or always) required, placing it in the fixed Opcode data
results in simpler code to generate and parse the packet, because the
information is a fixed location in the Opcode data, but wastes space
in the packet in the event that field is all zeros because the
information is not needed or not relevant. For information that is
required less often, placing it in an option results in slightly more
complicated code to generate and parse packets containing that
Wing, et al. Standards Track [Page 16]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
option, but saves space in the packet when that information is not
needed. Placing information in an option also means that an
implementation that never uses that information doesn't even need to
implement code to generate and parse it. For example, a client that
never requests mappings on behalf of some other device doesn't need
to implement code to generate the THIRD_PARTY option, and a PCP
server that doesn't implement the necessary security measures to
create third-party mappings safely doesn't need to implement code to
parse the THIRD_PARTY option.
Options use the following Type-Length-Value format:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code | Reserved | Option Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
: (optional) Data :
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: Options Header
The description of the fields is as follows:
Option Code: 8 bits. Its most significant bit indicates if this
option is mandatory (0) or optional (1) to process.
Reserved: 8 bits. MUST be set to 0 on transmission and MUST be
ignored on reception.
Option Length: 16 bits. Indicates the length of the enclosed data,
in octets. Options with length of 0 are allowed. Options that
are not a multiple of 4 octets long are followed by one, two, or
three 0 octets to pad their effective length in the packet to be a
multiple of 4 octets. The Option Length reflects the semantic
length of the option, not including any padding octets.
Data: Option data.
If several options are included in a PCP request, they MAY be encoded
in any order by the PCP client, but MUST be processed by the PCP
server in the order in which they appear. It is the responsibility
of the PCP client to ensure that the server has sufficient room to
reply without exceeding the 1100-octet size limit; if its reply would
exceed that size, the server generates an error.
Wing, et al. Standards Track [Page 17]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
If, while processing a PCP request, including its options, an error
is encountered that causes a PCP error response to be generated, the
PCP request MUST cause no state change in the PCP server or the
PCP-controlled device (i.e., it rolls back any tentative changes it
might have made while processing the request). Such an error
response MUST consist of a complete copy of the request packet with
the error code and other appropriate fields set in the header.
An option MAY appear more than once in a request or in a response, if
permitted by the definition of the option. If the option's
definition allows the option to appear only once but it appears more
than once in a request, and the option is understood by the PCP
server, the PCP server MUST respond with the MALFORMED_OPTION result
code. If the PCP server encounters an invalid option (e.g., PCP
option length is longer than the UDP packet length), the error
MALFORMED_OPTION SHOULD be returned (rather than MALFORMED_REQUEST),
as that helps the client better understand how the packet was
malformed. If a PCP response would have exceeded the maximum PCP
message size, the PCP server SHOULD respond with MALFORMED_REQUEST.
If the overall option structure of a request cannot successfully be
parsed (e.g., a nonsensical option length), the PCP server MUST
generate an error response with code MALFORMED_OPTION.
If the overall option structure of a request is valid, then how each
individual option is handled is determined by the most significant
bit in the option code. If the most significant bit is set, handling
this option is optional, and a PCP server MAY process or ignore this
option, entirely at its discretion. If the most significant bit is
clear, handling this option is mandatory, and a PCP server MUST
return the error MALFORMED_OPTION if the option contents are
malformed, or UNSUPP_OPTION if the option is unrecognized,
unimplemented, or disabled, or if the client is not authorized to use
the option. In error responses, all options are returned. In
success responses, all processed options are included and unprocessed
options are not included.
Because the PCP client cannot reject a response containing an Option,
PCP clients MUST ignore Options that they do not understand that
appear in responses, including Options in the mandatory-to-process
range. Naturally, if a client explicitly requests an Option where
correct execution of that Option requires processing the Option data
in the response, that client SHOULD implement code to do that.
Wing, et al. Standards Track [Page 18]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
Different options are valid for different Opcodes. For example:
o The THIRD_PARTY option is valid for both MAP and PEER Opcodes.
o The FILTER option is valid only for the MAP Opcode (for the PEER
Opcode it would have no meaning).
o The PREFER_FAILURE option is valid only for the MAP Opcode (for
the PEER Opcode, similar semantics are automatically implied).
7.4. Result Codes
The following result codes may be returned as a result of any Opcode
received by the PCP server. The only success result code is 0; other
values indicate an error. If a PCP server encounters multiple errors
during processing of a request, it SHOULD use the most specific error
message. Each error code below is classified as either a 'long
lifetime' error or a 'short lifetime' error, which provides guidance
to PCP server developers for the value of the Lifetime field for
these errors. It is RECOMMENDED that short lifetime errors use a
30-second lifetime and long lifetime errors use a 30-minute lifetime.
0 SUCCESS: Success.
1 UNSUPP_VERSION: The version number at the start of the PCP Request
header is not recognized by this PCP server. This is a long
lifetime error. This document describes PCP version 2.
2 NOT_AUTHORIZED: The requested operation is disabled for this PCP
client, or the PCP client requested an operation that cannot be
fulfilled by the PCP server's security policy. This is a long
lifetime error.
3 MALFORMED_REQUEST: The request could not be successfully parsed.
This is a long lifetime error.
4 UNSUPP_OPCODE: Unsupported Opcode. This is a long lifetime error.
5 UNSUPP_OPTION: Unsupported option. This error only occurs if the
option is in the mandatory-to-process range. This is a long
lifetime error.
6 MALFORMED_OPTION: Malformed option (e.g., appears too many times,
invalid length). This is a long lifetime error.
7 NETWORK_FAILURE: The PCP server or the device it controls is
experiencing a network failure of some sort (e.g., has not yet
obtained an external IP address). This is a short lifetime error.
Wing, et al. Standards Track [Page 19]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
8 NO_RESOURCES: Request is well-formed and valid, but the server has
insufficient resources to complete the requested operation at this
time. For example, the NAT device cannot create more mappings at
this time, is short of CPU cycles or memory, or is unable to
handle the request due to some other temporary condition. The
same request may succeed in the future. This is a system-wide
error, different from USER_EX_QUOTA. This can be used as a catch-
all error, should no other error message be suitable. This is a
short lifetime error.
9 UNSUPP_PROTOCOL: Unsupported transport protocol, e.g., SCTP in a
NAT that handles only UDP and TCP. This is a long lifetime error.
10 USER_EX_QUOTA: This attempt to create a new mapping would exceed
this subscriber's port quota. This is a short lifetime error.
11 CANNOT_PROVIDE_EXTERNAL: The suggested external port and/or
external address cannot be provided. This error MUST only be
returned for:
* MAP requests that included the PREFER_FAILURE option
(normal MAP requests will return an available external port)
* MAP requests for the SCTP protocol (PREFER_FAILURE is implied)
* PEER requests
See Section 13.2 for details of the PREFER_FAILURE Option. The
error lifetime depends on the reason for the failure.
12 ADDRESS_MISMATCH: The source IP address of the request packet does
not match the contents of the PCP Client's IP Address field, due
to an unexpected NAT on the path between the PCP client and the
PCP-controlled NAT or firewall. This is a long lifetime error.
13 EXCESSIVE_REMOTE_PEERS: The PCP server was not able to create the
filters in this request. This result code MUST only be returned
if the MAP request contained the FILTER option. See Section 13.3
for details of the FILTER Option. This is a long lifetime error.
8. General PCP Operation
PCP messages MUST be sent over UDP [RFC0768]. Every PCP request
generates at least one response, so PCP does not need to run over a
reliable transport protocol.
When receiving multiple identical requests, the PCP server will
generally generate identical responses -- barring cases where the PCP
server's state changes between those requests due to other activity.
As an example of how such a state change could happen, a request
could be received while the PCP-controlled device has no mappings
Wing, et al. Standards Track [Page 20]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
available, and the PCP server will generate an error response. If
mappings become available and then another copy of that same request
arrives (perhaps duplicated in transit in the network), the PCP
server will allocate a mapping and generate a non-error response. A
PCP client MUST handle such updated responses for any request it
sends, most notably to support rapid recovery (Section 14). Also see
the Protocol Design Note (Section 6).
8.1. General PCP Client: Generating a Request
This section details operation specific to a PCP client, for any
Opcode. Procedures specific to the MAP Opcode are described in
Section 11, and procedures specific to the PEER Opcode are described
in Section 12.
Prior to sending its first PCP message, the PCP client determines
which server to use. The PCP client performs the following steps to
determine its PCP server:
1. if a PCP server is configured (e.g., in a configuration file or
via DHCP), that single configuration source is used as the list
of PCP server(s), else
2. the default router list (for IPv4 and IPv6) is used as the list
of PCP server(s). Thus, if a PCP client has both an IPv4 and
IPv6 address, it will have an IPv4 PCP server (its IPv4 default
router) for its IPv4 mappings, and an IPv6 PCP server (its IPv6
default router) for its IPv6 mappings.
For the purposes of this document, only a single PCP server address
is supported. Should future specifications define configuration
methods that provide a longer list of PCP server addresses, those
specifications will define how clients select one or more addresses
from that list.
With that PCP server address, the PCP client formulates its PCP
request. The PCP request contains a PCP common header, PCP Opcode
and payload, and (possibly) options. As with all UDP client software
on any operating system, when several independent PCP clients exist
on the same host, each uses a distinct source port number to
disambiguate their requests and replies. The PCP client's source
port SHOULD be randomly generated [RFC6056].
The PCP client MUST include the source IP address of the PCP message
in the PCP request. This is typically its own IP address; see
Section 16.4 for how this can be coded. This is used to detect an
unexpected NAT on the path between the PCP client and the
PCP-controlled NAT or firewall device, to avoid wasting resources on
Wing, et al. Standards Track [Page 21]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
the PCP-controlled NAT creating pointless non-functional mappings.
When such an intervening non-PCP-aware inner NAT is detected,
mappings must first be created by some other means in the inner NAT,
before mappings can be usefully created in the outer PCP-controlled
NAT. Having created mappings in the inner NAT by some other means,
the PCP client should then use the inner NAT's external address as
the client IP address, to signal to the outer PCP-controlled NAT that
the client is aware of the inner NAT, and has taken steps to create
mappings in it by some other means, so that mappings created in the
outer NAT will not be a pointless waste of resources.
8.1.1. PCP Client Retransmission
PCP clients are responsible for reliable delivery of PCP request
messages. If a PCP client fails to receive an expected response from
a server, the client must retransmit its message. The
retransmissions MUST use the same Mapping Nonce value (see Sections
11.1 and 12.1). The client begins the message exchange by
transmitting a message to the server. The message exchange continues
for as long as the client wishes to maintain the mapping, and
terminates when the PCP client is no longer interested in the PCP
transaction (e.g., the application that requested the mapping is no
longer interested in the mapping) or (optionally) when the message
exchange is considered to have failed according to the retransmission
mechanism described below.
The client retransmission behavior is controlled and described by the
following variables:
RT: Retransmission timeout, calculated as described below
IRT: Initial retransmission time, SHOULD be 3 seconds
MRC: Maximum retransmission count, SHOULD be 0 (0 indicates no
maximum)
MRT: Maximum retransmission time, SHOULD be 1024 seconds
MRD: Maximum retransmission duration, SHOULD be 0 (0 indicates no
maximum)
RAND: Randomization factor, calculated as described below
With each message transmission or retransmission, the client sets RT
according to the rules given below. If RT expires before a response
is received, the client retransmits the request and computes a new
RT.
Wing, et al. Standards Track [Page 22]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
Each of the computations of a new RT include a new randomization
factor (RAND), which is a random number chosen with a uniform
distribution between -0.1 and +0.1. The randomization factor is
included to minimize synchronization of messages transmitted by PCP
clients. The algorithm for choosing a random number does not need to
be cryptographically sound. The algorithm SHOULD produce a different
sequence of random numbers from each invocation of the PCP client.
The RT value is initialized based on IRT:
RT = (1 + RAND) * IRT
RT for each subsequent message transmission is based on the previous
value of RT, subject to the upper bound on the value of RT specified
by MRT. If MRT has a value of 0, there is no upper limit on the
value of RT, and MRT is treated as "infinity". The new value of RT
is calculated as shown below, where RTprev is the current value of
RT:
RT = (1 + RAND) * MIN (2 * RTprev, MRT)
MRC specifies an upper bound on the number of times a client may
retransmit a message. Unless MRC is zero, the message exchange fails
once the client has transmitted the message MRC times.
MRD specifies an upper bound on the length of time a client may
retransmit a message. Unless MRD is zero, the message exchange fails
once MRD seconds have elapsed since the client first transmitted the
message.
If both MRC and MRD are non-zero, the message exchange fails whenever
either of the conditions specified in the previous two paragraphs are
met. If both MRC and MRD are zero, the client continues to transmit
the message until it receives a response or the client no longer
wants a mapping.
Once a PCP client has successfully received a response from a PCP
server on that interface, it resets RT to a value randomly selected
in the range 1/2 to 5/8 of the mapping lifetime, as described in
Section 11.2.1, "Renewing a Mapping", and sends subsequent PCP
requests for that mapping to that same server.
Note: If the server's state changes between retransmissions and
the server's response is delayed or lost, the state in the PCP
client and server may not be synchronized. This is not unique to
PCP, but also occurs with other network protocols (e.g., TCP). In
the unlikely event that such de-synchronization occurs, PCP heals
itself after lifetime seconds.
Wing, et al. Standards Track [Page 23]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
8.2. General PCP Server: Processing a Request
This section details operation specific to a PCP server. Processing
SHOULD be performed in the order of the following paragraphs.
A PCP server MUST only accept normal (non-THIRD_PARTY) PCP requests
from a client on the same interface from which it would normally
receive packets from that client, and it MUST silently ignore PCP
requests arriving on any other interface. For example, a residential
NAT gateway accepts PCP requests only when they arrive on its (LAN)
interface connecting to the internal network, and silently ignores
any PCP requests arriving on its external (WAN) interface. A PCP
server that supports THIRD_PARTY requests MAY be configured to accept
THIRD_PARTY requests on other configured interfaces (see Section 13.1
for details on the THIRD_PARTY Option).
Upon receiving a request, the PCP server parses and validates it. A
valid request contains a valid PCP common header, one valid PCP
Opcode, and zero or more options (which the server might or might not
comprehend). If an error is encountered during processing, the
server generates an error response that is sent back to the PCP
client. Processing of an Opcode and its options is specific to each
Opcode.
Error responses have the same packet layout as success responses,
with certain fields from the request copied into the response, and
other fields assigned by the PCP server set as indicated in Figure 3.
Copying request fields into the response is important because this is
what enables a client to identify to which request a given response
pertains. For Opcodes that are understood by the PCP server, it
follows the requirements of that Opcode to copy the appropriate
fields. For Opcodes that are not understood by the PCP server, it
simply generates the UNSUPP_OPCODE response and copies fields from
the PCP header and copies the rest of the PCP payload as is (without
attempting to interpret it).
All responses (both error and success) contain the same Opcode as the
request, but with the "R" bit set.
Any error response has a non-zero result code, and is created by:
o Copying the entire UDP payload, or 1100 octets, whichever is less,
and zero-padding the response to a multiple of 4 octets if
necessary
o Setting the R bit
o Setting the result code
o Setting the Lifetime, Epoch Time, and Reserved fields
Wing, et al. Standards Track [Page 24]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
o Updating other fields in the response, as indicated by 'set by the
server' in the PCP response field description
A success response has a zero result code, and is created by:
o Copying the first 4 octets of request packet header
o Setting the R bit
o Setting the result code to zero
o Setting the Lifetime, Epoch Time, and Reserved fields
o Possibly setting Opcode-specific response data if appropriate
o Adding any processed options to the response message
If the received PCP request message is less than 2 octets long, it is
silently dropped.
If the R bit is set, the message is silently dropped.
If the first octet (version) is a version that is not supported, a
response is generated with the UNSUPP_VERSION result code, and the
Version Negotiation steps detailed in Section 9 are followed.
Otherwise, if the version is supported but the received message is
shorter than 24 octets, the message is silently dropped.
If the server is overloaded by requests (from a particular client or
from all clients), it MAY simply silently discard requests, as the
requests will be retried by PCP clients, or it MAY generate the
NO_RESOURCES error response.
If the length of the message exceeds 1100 octets, is not a multiple
of 4 octets, or is too short for the Opcode in question, it is
invalid and a MALFORMED_REQUEST response is generated, and the
response message is truncated to 1100 octets.
The PCP server compares the source IP address (from the received IP
header) with the field PCP Client IP Address. If they do not match,
the error ADDRESS_MISMATCH MUST be returned. This is done to detect
and prevent accidental use of PCP where a non-PCP-aware NAT exists
between the PCP client and PCP server. If the PCP client wants such
a mapping, it needs to ensure that the PCP field matches its apparent
IP address from the perspective of the PCP server.
8.3. General PCP Client: Processing a Response
The PCP client receives the response and verifies that the source IP
address and port belong to the PCP server of a previously sent PCP
request. If not, the response is silently dropped.
Wing, et al. Standards Track [Page 25]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
If the received PCP response message is less than 4 octets long, it
is silently dropped.
If the R bit is clear, the message is silently dropped.
If the error code is UNSUPP_VERSION, Version Negotiation processing
continues as described in Section 9.
Responses shorter than 24 octets, longer than 1100 octets, or not a
multiple of 4 octets are invalid and ignored.
The PCP client then validates that the Opcode matches a previous PCP
request. If the response does not match a previous PCP request, the
response is ignored. The response is further matched by comparing
fields in the response Opcode-specific data to fields in the request
Opcode-specific data, as described by the processing for that Opcode.
If that fails, the response is ignored.
After these matches are successful, the PCP client checks the Epoch
Time field (see Section 8.5) to determine if it needs to restore its
state to the PCP server. A PCP client SHOULD be prepared to receive
multiple responses from the PCP server at any time after a single
request is sent. This allows the PCP server to inform the client of
mapping changes such as an update or deletion. For example, a PCP
server might send a SUCCESS response and, after a configuration
change on the PCP server, later send a NOT_AUTHORIZED response. A
PCP client MUST be prepared to receive responses for requests it
never sent (which could have been sent by a previous PCP instance on
this same host, or by a previous host that used the same client IP
address, or by a malicious attacker) by simply ignoring those
unexpected messages.
If the error ADDRESS_MISMATCH is received, it indicates the presence
of a NAT between the PCP client and PCP server. Procedures to
resolve this problem are beyond the scope of this document.
For both success and error responses, a Lifetime value is returned.
The lifetime indicates how long this response should be considered
valid by the client (i.e for success results, how long the mapping
will last, and for failure results how long the same failure
condition should be expected to persist). The PCP client SHOULD
impose an upper limit on this returned value (to protect against
absurdly large values, e.g., 5 years), detailed in Section 15,
"Mapping Lifetime and Deletion".
If the result code is 0 (SUCCESS), the request succeeded.
Wing, et al. Standards Track [Page 26]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
If the result code is not 0, the request failed, and the PCP client
SHOULD NOT resend the same request for the indicated lifetime of the
error (as limited by the sanity checking detailed in Section 15).
If the PCP client has discovered a new PCP server (e.g., connected to
a new network), the PCP client MAY immediately begin communicating
with this PCP server, without regard to hold times from communicating
with a previous PCP server.
8.4. Multi-Interface Issues
Hosts that desire a PCP mapping might be multi-interfaced (i.e., own
several logical/physical interfaces). Indeed, a host can be
configured with several IPv4 addresses (e.g., WiFi and Ethernet) or
dual-stacked. These IP addresses may have distinct reachability
scopes (e.g., if IPv6, they might have global reachability scope as
is the case for a Global Unicast Address (GUA) [RFC3587] or limited
scope as is the case for a Unique Local Address (ULA) [RFC4193]).
IPv6 addresses with global reachability (e.g., GUAs) SHOULD be used
as the source address when generating a PCP request. IPv6 addresses
without global reachability (e.g., ULAs) SHOULD NOT be used as the
source interface when generating a PCP request. If IPv6 privacy
addresses [RFC4941] are used for PCP mappings, a new PCP request will
need to be issued whenever the IPv6 privacy address is changed. This
PCP request SHOULD be sent from the IPv6 privacy address itself. It
is RECOMMENDED that the client delete its mappings to the previous
privacy address after it no longer needs those old mappings.
Due to the ubiquity of IPv4 NAT, IPv4 addresses with limited scope
(e.g., private addresses [RFC1918]) MAY be used as the source
interface when generating a PCP request.
8.5. Epoch
Every PCP response sent by the PCP server includes an Epoch Time
field. This time field increments by one every second. Anomalies in
the received Epoch Time value provide a hint to PCP clients that a
PCP server state loss may have occurred. Clients respond to such
state loss hints by promptly renewing their mappings, so as to
quickly restore any lost state at the PCP server.
If the PCP server resets or loses the state of its explicit dynamic
mappings (that is, those mappings created by PCP requests), due to
reboot, power failure, or any other reason, it MUST reset its Epoch
time to its initial starting value (usually zero) to provide this
hint to PCP clients. After resetting its Epoch time, the PCP server
resumes incrementing the Epoch Time value by one every second.
Wing, et al. Standards Track [Page 27]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
Similarly, if the external IP address(es) of the NAT (controlled by
the PCP server) changes, the Epoch time MUST be reset. A PCP server
MAY maintain one Epoch Time value for all PCP clients or MAY maintain
distinct Epoch Time values (per PCP client, per interface, or based
on other criteria); this choice is implementation-dependent.
Whenever a client receives a PCP response, the client validates the
received Epoch Time value according to the procedure below, using
integer arithmetic:
o If this is the first PCP response the client has received from
this PCP server, the Epoch Time value is treated as necessarily
valid, otherwise
* If the current PCP server Epoch time (curr_server_time) is less
than the previously received PCP server Epoch time
(prev_server_time) by more than one second, then the client
treats the Epoch time as obviously invalid (time should not go
backwards). The server Epoch time apparently going backwards
by *up to* one second is not deemed invalid, so that minor
packet reordering on the path from PCP server to PCP client
does not trigger a cascade of unnecessary mapping renewals. If
the server Epoch time passes this check, then further
validation checks are performed:
+ The client computes the difference between its
current local time (curr_client_time) and the
time the previous PCP response was received from this PCP
server (prev_client_time):
client_delta = curr_client_time - prev_client_time;
+ The client computes the difference between the
current PCP server Epoch time (curr_server_time) and the
previously received Epoch time (prev_server_time):
server_delta = curr_server_time - prev_server_time;
+ If client_delta+2 < server_delta - server_delta/16
or server_delta+2 < client_delta - client_delta/16,
then the client treats the Epoch Time value as invalid,
else the client treats the Epoch Time value as valid.
o The client records the current time values for use in its next
comparison:
prev_client_time = curr_client_time
prev_server_time = curr_server_time
Wing, et al. Standards Track [Page 28]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
If the PCP client determined that the Epoch Time value it received
was invalid, then it concludes that the PCP server may have lost
state, and promptly renews all its active port mapping leases
following the mapping recreation procedure described in
Section 16.3.1.
Notes:
o The client clock MUST never go backwards. If curr_client_time is
found to be less than prev_client_time, then this is a client bug,
and how the client deals with this client bug is implementation
specific.
o The calculations above are constructed to allow client_delta and
server_delta to be computed as unsigned integer values.
o The "+2" in the calculations above is to accommodate quantization
errors in client and server clocks (up to one-second quantization
error each in server and client time intervals).
o The "/16" in the calculations above is to accommodate inaccurate
clocks in low-cost devices. This allows for a total discrepancy
of up to 1/16 (6.25%) to be considered benign; e.g., if one clock
were to run too fast by 3% while the other clock ran too slow by
3%, then the client would not consider this difference to be
anomalous or indicative of a restart having occurred. This
tolerance is strict enough to be effective at detecting reboots,
while not being so strict as to generate false alarms.
9. Version Negotiation
A PCP client sends its requests using PCP version number 2. Should
later updates to this document specify different message formats with
a version number greater than 2, it is expected that PCP servers will
still support version 2 in addition to the newer version(s).
However, in the event that a server returns a response with result
code UNSUPP_VERSION, the client MAY log an error message to inform
the user that it is too old to work with this server.
Should later updates to this document specify different message
formats with a version number greater than 2, and backwards
compatibility be desired, this first octet can be used for forward
and backward compatibility.
Wing, et al. Standards Track [Page 29]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
If future PCP versions greater than 2 are specified, version
negotiation proceeds as follows:
1. The client sends its first request using the highest
(i.e., presumably 'best') version number it supports.
2. If the server supports that version, it responds normally.
3. If the server does not support that version, it replies giving a
result containing the result code UNSUPP_VERSION, and the closest
version number it does support (if the server supports a range of
versions higher than the client's requested version, the server
returns the lowest of that supported range; if the server
supports a range of versions lower than the client's requested
version, the server returns the highest of that supported range).
4. If the client receives an UNSUPP_VERSION result containing a
version it does support, it records this fact and proceeds to use
this message version for subsequent communication with this PCP
server (until a possible future UNSUPP_VERSION response if the
server is later updated, at which point the version negotiation
process repeats). If the version number in the UNSUPP_VERSION
response is zero then that means this is a NAT-PMP server
[RFC6886], and a client MAY choose to communicate with it using
the older NAT-PMP protocol, as described in Appendix A.
5. If the client receives an UNSUPP_VERSION result containing a
version it does not support, then the client SHOULD try the next-
lower version supported by the client. The attempt to use the
next-lower version repeats until the client has tried version 2.
If using version 2 fails, the client MAY log an error message to
inform the user that it is too old to work with this server, and
the client SHOULD set a timer to retry its request in 30 minutes
or the returned Lifetime value, whichever is smaller. By
automatically retrying in 30 minutes, the protocol accommodates
an upgrade of the PCP server.
10. Introduction to MAP and PEER Opcodes
There are four uses for the MAP and PEER Opcodes defined in this
document:
o a host operating a server and wanting an incoming connection
(Section 10.1);
o a host operating a client and server on the same port
(Section 10.2);
Wing, et al. Standards Track [Page 30]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
o a host operating a client and wanting to optimize the application
keepalive traffic (Section 10.3); and
o a host operating a client and wanting to restore lost state in its
NAT (Section 10.4).
These are discussed in the following sections, and a (non-normative)
state diagram is provided in Section 16.5.
When operating a server (see Sections 10.1 and 10.2), the PCP client
knows if it wants an IPv4 listener, IPv6 listener, or both on the
Internet. The PCP client also knows if it has an IPv4 address or
IPv6 address configured on one of its interfaces. It takes the union
of this knowledge to decide to which of its PCP servers to send the
request (e.g., an IPv4 address or an IPv6 address), and whether to
send one or two MAP requests for each of its interfaces (e.g., if the
PCP client has only an IPv4 address but wants both IPv6 and IPv4
listeners, it sends a MAP request containing the all-zeros IPv6
address in the Suggested External Address field, and sends a second
MAP request containing the all-zeros IPv4 address in the Suggested
External Address field). If the PCP client has both an IPv4 and IPv6
address, and only wants an IPv4 listener, it sends one MAP request
from its IPv4 address (if the PCP server supports NAT44 or IPv4
firewall) or one MAP request from its IPv6 address (if the PCP server
supports NAT64). The PCP client can simply request the desired
mapping to determine if the PCP server supports the desired mapping.
Applications that embed IP addresses in payloads (e.g., FTP, SIP)
will find it beneficial to avoid address family translation, if
possible.
The MAP and PEER requests include a Suggested External IP Address
field. Some PCP-controlled devices, especially CGN but also multi-
homed NPTv6 networks, have a pool of public-facing IP addresses. PCP
allows the client to indicate if it wants a mapping assigned on a
specific address of that pool or any address of that pool. Some
applications will break if mappings are created on different IP
addresses (e.g., active mode FTP), so applications should carefully
consider the implications of using this capability. Static mappings
for that internal address (e.g., those created by a command-line
interface on the PCP server or PCP-controlled device) may exist to a
certain external address, and if the suggested external IP address is
the IPv4 or IPv6 all-zeros address, PCP SHOULD assign its mappings to
the same external address, as this can also help applications using a
mix of both static mappings and PCP-created mappings. If, on the
other hand, the suggested external IP address contains a non-zero IP
address the PCP server SHOULD create a mapping to that external
address, even if there are other mappings from that same internal
address to a different external address. Once an internal address
Wing, et al. Standards Track [Page 31]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
has no implicit dynamic mappings and no explicit dynamic mappings in
the PCP-controlled device, a subsequent implicit or explicit mapping
for that internal address MAY be assigned to a different External
address. Generally, this reassignment would occur when a CGN device
is load balancing newly seen internal addresses to its public pool of
external addresses.
The following table summarizes how various common PCP deployments use
IPv6 and IPv4 addresses.
The 'internal' address is implicitly the same as the source IP
address of the PCP request, except when the THIRD_PARTY option is
used.
The 'external' address is the Suggested External Address field of the
MAP or PEER request, and its address family is usually the same as
the 'internal' address family, except when technologies like NAT64
are used.
The 'remote peer' address is the remote peer IP address of the PEER
request or the FILTER option of the MAP request, and is always the
same address family as the 'internal' address, even when NAT64 is
used. In NAT64, the IPv6 PCP client is not necessarily aware of the
NAT64 or aware of the actual IPv4 address of the remote peer, so it
expresses the IPv6 address from its perspective, as shown in Figure
5.
internal external PCP remote peer actual remote peer
-------- ------- --------------- ------------------
IPv4 firewall IPv4 IPv4 IPv4 IPv4
IPv6 firewall IPv6 IPv6 IPv6 IPv6
NAT44 IPv4 IPv4 IPv4 IPv4
NAT46 IPv4 IPv6 IPv4 IPv6
NAT64 IPv6 IPv4 IPv6 IPv4
NPTv6 IPv6 IPv6 IPv6 IPv6
Figure 5: Address Families with MAP and PEER
Note that the internal address and the remote peer address are always
the same address family, and the external address and the actual
remote peer address are always the same address family.
Wing, et al. Standards Track [Page 32]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
10.1. For Operating a Server
A host operating a server (e.g., a web server) listens for traffic on
a port, but the server never initiates traffic from that port. For
this to work across a NAT or a firewall, the host needs to (a) create
a mapping from a public IP address, protocol, and port to itself
using the MAP Opcode, as described in Section 11; (b) publish that
public IP address, protocol, and port via some sort of rendezvous
server (e.g., DNS, a SIP message, or a proprietary protocol); and
(c) ensure that any other non-PCP-speaking packet filtering
middleboxes on the path (e.g., host-based firewall, network-based
firewall, or other NATs) will also allow the incoming traffic.
Publishing the public IP address and port is out of scope of this
specification. To accomplish (a), the host follows the procedures
described in this section.
As normal, the application needs to begin listening on a port. Then,
the application constructs a PCP message with the MAP Opcode, with
the external address set to the appropriate all-zeros address,
depending on whether it wants a public IPv4 or IPv6 address.
Wing, et al. Standards Track [Page 33]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
The following pseudocode shows how PCP can be reliably used to
operate a server:
/* start listening on the local server port */
int s = socket(...);
bind(s, ...);
listen(s, ...);
getsockname(s, &internal_sockaddr, ...);
bzero(&external_sockaddr, sizeof(external_sockaddr));
while (1)
{
/* Note: The "time_to_send_pcp_request()" check below includes:
* 1. Sending the first request
* 2. Retransmitting requests due to packet loss
* 3. Resending a request due to impending lease expiration
* 4. Resending a request due to server state loss
* The PCP packet sent is identical in all four cases; from
* the PCP server's point of view they are the same operation.
* The suggested external address and port may be updated
* repeatedly during the lifetime of the mapping.
* Other fields in the packet generally remain unchanged.
*/
if (time_to_send_pcp_request())
pcp_send_map_request(internal_sockaddr.sin_port,
internal_sockaddr.sin_addr,
&external_sockaddr, /* will be zero the first time */
requested_lifetime, &assigned_lifetime);
if (pcp_response_received())
update_rendezvous_server("Client Ident", external_sockaddr);
if (received_incoming_connection_or_packet())
process_it(s);
if (other_work_to_do())
do_it();
/* ... */
block_until_we_need_to_do_something_else();
}
Figure 6: Pseudocode for Using PCP to Operate a Server
Wing, et al. Standards Track [Page 34]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
10.2. For Operating a Symmetric Client/Server
A host operating a client and server on the same port (e.g.,
Symmetric RTP [RFC4961] or SIP Symmetric Response Routing (rport)
[RFC3581]) first establishes a local listener, (usually) sends the
local and public IP addresses, protocol, and ports to a rendezvous
service (which is out of scope of this document), and initiates an
outbound connection from that same source address and same port. To
accomplish this, the application uses the procedure described in this
section.
An application that is using the same port for outgoing connections
as well as incoming connections MUST first signal its operation of a
server using the PCP MAP Opcode, as described in Section 11, and
receive a positive PCP response before it sends any packets from that
port.
Discussion: In general, a PCP client doesn't know in advance if it
is behind a NAT or firewall. On detecting that the host has
connected to a new network, the PCP client can attempt to request
a mapping using PCP; if that succeeds, then the client knows it
has successfully created a mapping. If, after multiple retries,
it has received no PCP response, then either the client is *not*
behind a NAT or firewall and has unfettered connectivity or the
client *is* behind a NAT or firewall that doesn't support PCP (and
the client may still have working connectivity by virtue of static
mappings previously created manually by the user). Retransmitting
PCP requests multiple times before giving up and assuming
unfettered connectivity adds delay in that case. Initiating
outbound TCP connections immediately without waiting for PCP
avoids this delay, and will work if the NAT has endpoint-
independent mapping (EIM) behavior, but may fail if the NAT has
endpoint-dependent mapping (EDM) behavior. Waiting enough time to
allow an explicit PCP MAP mapping to be created (if possible)
first ensures that the same external port will then be used for
all subsequent implicit dynamic mappings (e.g., TCP SYNs) sent
from the specified internal address, protocol, and port. PCP
supports both EIM and EDM NATs, so clients need to assume they may
be dealing with an EDM NAT. In this case, the client will
experience more reliable connectivity if it attempts explicit PCP
MAP requests first, before initiating any outbound TCP connections
from that internal address and port. For further information on
using PCP with EDM NATs, see Section 16.1.
Wing, et al. Standards Track [Page 35]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
The following pseudocode shows how PCP can be used to operate a
symmetric client and server:
/* start listening on the local server port */
int s = socket(...);
bind(s, ...);
listen(s, ...);
getsockname(s, &internal_sockaddr, ...);
bzero(&external_sockaddr, sizeof(external_sockaddr));
while (1)
{
/* Note: The "time_to_send_pcp_request()" check below includes:
* 1. Sending the first request
* 2. Retransmitting requests due to packet loss
* 3. Resending a request due to impending lease expiration
* 4. Resending a request due to server state loss
*/
if (time_to_send_pcp_request())
pcp_send_map_request(internal_sockaddr.sin_port,
internal_sockaddr.sin_addr,
&external_sockaddr, /* will be zero the first time */
requested_lifetime, &assigned_lifetime);
if (pcp_response_received())
update_rendezvous_server("Client Ident", external_sockaddr);
if (received_incoming_connection_or_packet())
process_it(s);
if (need_to_make_outgoing_connection())
make_outgoing_connection(s, ...);
if (data_to_send())
send_it(s);
if (other_work_to_do())
do_it();
/* ... */
block_until_we_need_to_do_something_else();
}
Figure 7: Pseudocode for Using PCP to Operate a
Symmetric Client/Server
Wing, et al. Standards Track [Page 36]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
10.3. For Reducing NAT or Firewall Keepalive Messages
A host operating a client (e.g., XMPP client, SIP client) sends from
a port, and may receive responses, but never accepts incoming
connections from other remote peers on this port. It wants to ensure
that the flow to its remote peer is not terminated (due to
inactivity) by an on-path NAT or firewall. To accomplish this, the
application uses the procedure described in this section.
Middleboxes, such as NATs or firewalls, generally need to see
occasional traffic or they will terminate their session state,
causing application failures. To avoid this, many applications
routinely generate keepalive traffic for the primary (or sole)
purpose of maintaining state with such middleboxes. Applications can
reduce such application keepalive traffic by using PCP.
Note: For reasons beyond NAT, an application may find it useful to
perform application-level keepalives, such as to detect a broken
path between the client and server, keep state alive on the remote
peer, or detect a powered-down client. These keepalives are not
related to maintaining middlebox state, and PCP cannot do anything
useful to reduce those keepalives.
To use PCP for this function, the application first connects to its
server, as normal. Afterwards, it issues a PCP request with the PEER
Opcode as described in Section 12 to learn and/or extend the lifetime
of its mapping.
Wing, et al. Standards Track [Page 37]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
The following pseudocode shows how PCP can be reliably used with a
dynamic socket, for the purposes of reducing application keepalive
messages:
/* make outgoing connection to server */
int s = socket(...);
connect(s, &remote_peer, ...);
getsockname(s, &internal_sockaddr, ...);
bzero(&external_sockaddr, sizeof(external_sockaddr));
while (1)
{
/* Note: The "time_to_send_pcp_request()" check below includes:
* 1. Sending the first request
* 2. Retransmitting requests due to packet loss
* 3. Resending a request due to impending lease expiration
* 4. Resending a request due to server state loss
*/
if (time_to_send_pcp_request())
pcp_send_peer_request(internal_sockaddr.sin_port,
internal_sockaddr.sin_addr,
&external_sockaddr, /* will be zero the first time */
remote_peer, requested_lifetime, &assigned_lifetime);
if (data_to_send())
send_it(s);
if (received_incoming_data())
process_it(s);
if (other_work_to_do())
do_it();
/* ... */
block_until_we_need_to_do_something_else();
}
Figure 8: Pseudocode Using PCP with a Dynamic Socket
10.4. For Restoring Lost Implicit TCP Dynamic Mapping State
After a NAT loses state (e.g., because of a crash or power failure),
it is useful for clients to re-establish TCP mappings on the NAT.
This allows servers on the Internet to see traffic from the same IP
address and port, so that sessions can be resumed exactly where they
were left off. This can be useful for long-lived connections
Wing, et al. Standards Track [Page 38]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
(e.g., instant messaging) or for connections transferring a lot of
data (e.g., FTP). This can be accomplished by first establishing a
TCP connection normally and then sending a PEER request/response and
remembering the external address and external port. Later, when the
NAT has lost state, the client can send a PEER request with the
suggested external port and suggested external address remembered
from the previous session, which will create a mapping in the NAT
that functions exactly as an implicit dynamic mapping. The client
then resumes sending TCP data to the server.
Note: This procedure works well for TCP, provided:
(i) the NAT creates a new implicit dynamic outbound mapping
only for outbound TCP segments with the SYN bit set (i.e., the
newly booted NAT silently drops outbound data segments from the
client when the NAT does not have an active mapping for those
segments), and
(ii) the newly booted NAT does not send a TCP RST in response
to receiving unexpected inbound TCP segments.
This procedure works less well for UDP, because as soon as
outbound UDP traffic is seen by the NAT, a new UDP implicit
dynamic outbound mapping will be created (probably on a different
port).
11. MAP Opcode
This section defines an Opcode that controls inbound forwarding from
a NAT (or firewall) to an internal host.
MAP: Create an explicit dynamic mapping between an Internal Address
+ Port and an External Address + Port.
PCP servers SHOULD provide a configuration option to allow
administrators to disable MAP support if they wish.
Mappings created by PCP MAP requests are, by definition, endpoint-
independent mappings (EIMs) with endpoint-independent filtering (EIF)
(unless the FILTER option is used), even on a NAT that usually
creates endpoint-dependent mapping (EDM) or endpoint-dependent
filtering (EDF) for outgoing connections, since the purpose of an
(unfiltered) MAP mapping is to receive inbound traffic from any
remote endpoint, not from only one specific remote endpoint.
Note also that all NAT mappings (created by PCP or otherwise) are by
necessity bidirectional and symmetric. For any packet going in one
direction (in or out) that is translated by the NAT, a reply going in
Wing, et al. Standards Track [Page 39]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
the opposite direction needs to have the corresponding opposite
translation done so that the reply arrives at the right endpoint.
This means that if a client creates a MAP mapping, and then later
sends an outgoing packet using the mapping's internal address,
protocol, and port, the NAT should translate that packet's internal
address and port to the mapping's external address and port, so that
replies addressed to the external address and port are correctly
translated back to the mapping's internal address and port.
On operating systems that allow multiple listening servers to bind to
the same internal address, protocol, and port, servers MUST ensure
that they have exclusive use of that internal address, protocol, and
port (e.g., by binding the port using INADDR_ANY, or using
SO_EXCLUSIVEADDRUSE or similar) before sending their PCP MAP request,
to ensure that no other PCP clients on the same machine are also
listening on the same internal protocol and internal port.
As a side effect of creating a mapping, ICMP messages associated with
the mapping MUST be forwarded (and also translated, if appropriate)
for the duration of the mapping's lifetime. This is done to ensure
that ICMP messages can still be used by hosts, without application
programmers or PCP client implementations needing to use PCP
separately to create ICMP mappings for those flows.
The operation of the MAP Opcode is described in this section.
11.1. MAP Operation Packet Formats
The MAP Opcode has a similar packet layout for both requests and
responses. If the assigned external IP address and port in the PCP
response always match the internal IP address and port from the PCP
request, then the functionality is purely a firewall; otherwise, the
functionality is a Network Address Translator that might also perform
firewall-like functions.
Wing, et al. Standards Track [Page 40]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
The following diagram shows the format of the Opcode-specific
information in a request for the MAP Opcode.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Mapping Nonce (96 bits) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | Reserved (24 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Internal Port | Suggested External Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Suggested External IP Address (128 bits) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 9: MAP Opcode Request
These fields are described below:
Requested lifetime (in common header): Requested lifetime of this
mapping, in seconds. The value 0 indicates "delete".
Mapping Nonce: Random value chosen by the PCP client. See
Section 11.2, "Generating a MAP Request". Zero is a legal value
(but unlikely, occurring in roughly one in 2^96 requests).
Protocol: Upper-layer protocol associated with this Opcode. Values
are taken from the IANA protocol registry [proto_numbers]. For
example, this field contains 6 (TCP) if the Opcode is intended to
create a TCP mapping. This field contains 17 (UDP) if the Opcode
is intended to create a UDP mapping. The value 0 has a special
meaning for 'all protocols'.
Reserved: 24 reserved bits, MUST be sent as 0 and MUST be ignored
when received.
Internal Port: Internal port for the mapping. The value 0 indicates
'all ports', and is legal when the lifetime is zero (a delete
request), if the protocol does not use 16-bit port numbers, or the
client is requesting 'all ports'. If the protocol is zero
(meaning 'all protocols'), then internal port MUST be zero on
transmission and MUST be ignored on reception.
Wing, et al. Standards Track [Page 41]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
Suggested External Port: Suggested external port for the mapping.
This is useful for refreshing a mapping, especially after the PCP
server loses state. If the PCP client does not know the external
port, or does not have a preference, it MUST use 0.
Suggested External IP Address: Suggested external IPv4 or IPv6
address. This is useful for refreshing a mapping, especially
after the PCP server loses state. If the PCP client does not know
the external address, or does not have a preference, it MUST use
the address-family-specific all-zeros address (see Section 5).
The internal address for the request is the source IP address of the
PCP request message itself, unless the THIRD_PARTY option is used.
The following diagram shows the format of Opcode-specific information
in a response packet for the MAP Opcode:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Mapping Nonce (96 bits) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | Reserved (24 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Internal Port | Assigned External Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Assigned External IP Address (128 bits) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 10: MAP Opcode Response
These fields are described below:
Lifetime (in common header): On an error response, this indicates
how long clients should assume they'll get the same error response
from the PCP server if they repeat the same request. On a success
response, this indicates the lifetime for this mapping, in
seconds.
Mapping Nonce: Copied from the request.
Protocol: Copied from the request.
Wing, et al. Standards Track [Page 42]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
Reserved: 24 reserved bits, MUST be sent as 0 and MUST be ignored
when received.
Internal Port: Copied from the request.
Assigned External Port: On a success response, this is the assigned
external port for the mapping. On an error response, the
suggested external port is copied from the request.
Assigned External IP Address: On a success response, this is the
assigned external IPv4 or IPv6 address for the mapping. An IPv4
address is encoded using IPv4-mapped IPv6 address. On an error
response, the suggested external IP address is copied from the
request.
11.2. Generating a MAP Request
This section describes the operation of a PCP client when sending
requests with the MAP Opcode.
The request MAY contain values in the Suggested External Port and
Suggested External IP Address fields. This allows the PCP client to
attempt to rebuild lost state on the PCP server, which improves the
chances of existing connections surviving, and helps the PCP client
avoid having to change information maintained at its rendezvous
server. Of course, due to other activity on the network (e.g., by
other users or network renumbering), the PCP server may not be able
to grant the suggested external IP address, protocol, and port, and
in that case it will assign a different external IP address and port.
A PCP client MUST be written assuming that it may *never* be assigned
the external port it suggests. In the case of recreating state after
a NAT gateway crash, the suggested external port, being one that was
previously allocated to this client, is likely to be available for
this client to continue using. In all other cases, the client MUST
assume that it is unlikely that its suggested external port will be
granted. For example, when many subscribers are sharing a Carrier-
Grade NAT, popular ports such as 80, 443, and 8080 are likely to be
in high demand. At most one client can have each of those popular
ports for each external IP address, and all the other clients will be
assigned other, dynamically allocated, external ports. Indeed, some
ISPs may, by policy, choose not to grant those external ports to
*anyone*, so that none of their clients are *ever* assigned external
ports 80, 443, or 8080.
If the protocol does not use 16-bit port numbers (e.g., RSVP, IP
protocol number 46), the port number MUST be zero. This will cause
all traffic matching that protocol to be mapped.
Wing, et al. Standards Track [Page 43]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
If the client wants all protocols mapped, it uses protocol 0 (zero)
and internal port 0 (zero).
The Mapping Nonce value is randomly chosen by the PCP client,
following accepted practices for generating unguessable random
numbers [RFC4086], and is used as part of the validation of PCP
responses (see below) by the PCP client, and validation for mapping
refreshes by the PCP server. The client MUST use a different mapping
nonce for each PCP server it communicates with, and it is RECOMMENDED
to choose a new random mapping nonce whenever the PCP client is
initialized. The client MAY use a different mapping nonce for every
mapping.
11.2.1. Renewing a Mapping
An existing mapping SHOULD have its lifetime extended by the PCP
client for as long as the client wishes to have that mapping continue
to exist. To do this, the PCP client sends a new MAP request
indicating the internal port. The PCP MAP request SHOULD also
include the currently assigned external IP address and port in the
Suggested External IP Address and Suggested External Port fields, so
if the PCP server has lost state it can recreate the lost mapping
with the same parameters.
The PCP client SHOULD renew the mapping before its expiry time;
otherwise, it will be removed by the PCP server (see Section 15,
"Mapping Lifetime and Deletion"). To reduce the risk of inadvertent
synchronization of renewal requests, a random jitter component should
be included. It is RECOMMENDED that PCP clients send a single
renewal request packet at a time chosen with uniform random
distribution in the range 1/2 to 5/8 of expiration time. If no
SUCCESS response is received, then the next renewal request should be
sent 3/4 to 3/4 + 1/16 to expiration, and then another 7/8 to 7/8 +
1/32 to expiration, and so on, subject to the constraint that renewal
requests MUST NOT be sent less than four seconds apart (a PCP client
MUST NOT send a flood of ever-closer-together requests in the last
few seconds before a mapping expires).
11.3. Processing a MAP Request
This section describes the operation of a PCP server when processing
a request with the MAP Opcode. Processing SHOULD be performed in the
order of the following paragraphs.
The Protocol, Internal Port, and Mapping Nonce fields from the MAP
request are copied into the MAP response. The THIRD_PARTY option, if
present, and processed by the PCP server, is also copied into the MAP
response.
Wing, et al. Standards Track [Page 44]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
If the requested lifetime is non-zero, then:
o If both the protocol and internal port are non-zero, it indicates
a request to create a mapping or extend the lifetime of an
existing mapping. If the PCP server or PCP-controlled device does
not support the protocol, the UNSUPP_PROTOCOL error MUST be
returned.
o If the protocol is non-zero and the internal port is zero, it
indicates a request to create or extend a mapping for all incoming
traffic for that entire protocol -- a 'wildcard' (all-ports)
mapping for that protocol. If this request cannot be fulfilled in
its entirety, the UNSUPP_PROTOCOL error MUST be returned.
o If both the protocol and internal port are zero, it indicates a
request to create or extend a mapping for all incoming traffic for
all protocols (commonly called a 'DMZ host'). If this request
cannot be fulfilled in its entirety, the UNSUPP_PROTOCOL error
MUST be returned.
o If the protocol is zero and the internal port is non-zero, then
the request is invalid and the PCP server MUST return a
MALFORMED_REQUEST error to the client.
If the requested lifetime is zero, it indicates a request to delete
an existing mapping.
Further processing of the lifetime is described in Section 15,
"Mapping Lifetime and Deletion".
If operating in the Simple Threat Model (Section 18.1), and the
internal port, protocol, and internal address match an existing
explicit dynamic mapping, but the mapping nonce does not match, the
request MUST be rejected with a NOT_AUTHORIZED error with the
lifetime of the error indicating duration of that existing mapping.
The PCP server only needs to remember one Mapping Nonce value for
each explicit dynamic mapping. This specification makes no statement
about mapping nonce with the Advanced Threat Model.
If the internal port, protocol, and internal address match an
existing static mapping (which will have no nonce), then a PCP reply
is sent giving the external address and port of that static mapping,
using the nonce from the PCP request. The server does not record the
nonce.
Wing, et al. Standards Track [Page 45]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
If an option with value less than 128 exists (i.e., mandatory to
process) but that option does not make sense (e.g., the
PREFER_FAILURE option is included in a request with lifetime=0), the
request is invalid and generates a MALFORMED_OPTION error.
If the PCP-controlled device is stateless (that is, it does not
establish any per-flow state, and simply rewrites the address and/or
port in a purely algorithmic fashion, including no rewriting), the
PCP server simply returns an answer indicating the external IP
address and port yielded by this stateless algorithmic translation.
This allows the PCP client to learn its external IP address and port
as seen by remote peers. Examples of stateless translators include
stateless NAT64, 1:1 NAT44, and NPTv6 [RFC6296], all of which modify
addresses but not port numbers, and pure firewalls, which modify
neither the address nor the port.
It is possible that a mapping might already exist for a requested
internal address, protocol, and port. If so, the PCP server takes
the following actions:
1. If the MAP request contains the PREFER_FAILURE option, but the
suggested external address and port do not match the external
address and port of the existing mapping, the PCP server MUST
return CANNOT_PROVIDE_EXTERNAL.
2. If the existing mapping is static (created outside of PCP), the
PCP server MUST return the external address and port of the
existing mapping in its response and SHOULD indicate a lifetime
of 2^32-1 seconds, regardless of the suggested external address
and port in the request.
3. If the existing mapping is explicit dynamic inbound (created by a
previous MAP request), the PCP server MUST return the existing
external address and port in its response, regardless of the
suggested external address and port in the request.
Additionally, the PCP server MUST update the lifetime of the
existing mapping, in accordance with Section 15, "Mapping
Lifetime and Deletion".
4. If the existing mapping is dynamic outbound (created by outgoing
traffic or a previous PEER request), the PCP server SHOULD create
a new explicit inbound mapping, replicating the ports and
addresses from the outbound mapping (but the outbound mapping
continues to exist, and remains in effect if the explicit inbound
mapping is later deleted).
If no mapping exists for the internal address, protocol, and port,
and the PCP server is able to create a mapping using the suggested
Wing, et al. Standards Track [Page 46]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
external address and port, it SHOULD do so. This is beneficial for
re-establishing state lost in the PCP server (e.g., due to a reboot).
There are, however, cases where the PCP server is not able to create
a new mapping using the suggested external address and port:
o The suggested external address, protocol, and port is already
assigned to another existing explicit or implicit mapping
(i.e., is already forwarding traffic to some other internal
address and port).
o The suggested external address, protocol, and port is already used
by the NAT gateway for one of its own services, for example, TCP
port 80 for the NAT gateway's own configuration web pages, or UDP
ports 5350 and 5351, used by PCP itself. A PCP server MUST NOT
create client mappings for external UDP ports 5350 or 5351.
o The suggested external address, protocol, and port is otherwise
prohibited by the PCP server's policy.
o The suggested external IP address, protocol, or suggested port are
invalid or invalid combinations (e.g., external address 127.0.0.1,
::1, a multicast address, or the suggested port is not valid for
the protocol).
o The suggested external address does not belong to the NAT gateway.
o The suggested external address is not configured to be used as an
external address of the firewall or NAT gateway.
If the PCP server cannot assign the suggested external address,
protocol, and port, then:
o If the request contained the PREFER_FAILURE option, then the PCP
server MUST return CANNOT_PROVIDE_EXTERNAL.
o If the request did not contain the PREFER_FAILURE option, and the
PCP server can assign some other external address and port for
that protocol, then the PCP server MUST do so and return the newly
assigned external address and port in the response. In no case is
the client penalized for a 'poor' choice of suggested external
address and port. The suggested external address and port may be
used by the server to guide its choice of what external address
and port to assign, but in no case do they cause the server to
fail to allocate an external address and port where otherwise it
would have succeeded. The presence of a non-zero suggested
external address or port is merely a hint; it never does any harm.
Wing, et al. Standards Track [Page 47]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
A PCP-controlled device MUST NOT create mappings for a protocol not
indicated in the request. For example, if the request was for a TCP
mapping, an additional corresponding UDP mapping MUST NOT be
automatically created.
Mappings typically consume state on the PCP-controlled device, and it
is RECOMMENDED that a per-host and/or per-subscriber limit be
enforced by the PCP server to prevent exhausting the mapping state.
If this limit is exceeded, the result code USER_EX_QUOTA is returned.
If all of the preceding operations were successful (did not generate
an error response), then the requested mapping is created or
refreshed as described in the request and a SUCCESS response is
built.
11.4. Processing a MAP Response
This section describes the operation of the PCP client when it
receives a PCP response for the MAP Opcode.
After performing common PCP response processing, the response is
further matched with a previously sent MAP request by comparing the
internal IP address (the destination IP address of the PCP response,
or other IP address specified via the THIRD_PARTY option), the
protocol, the internal port, and the mapping nonce. Other fields are
not compared, because the PCP server sets those fields. The PCP
server will send a Mapping Update (Section 14.2) if the mapping
changes (e.g., due to IP renumbering).
If the result code is NO_RESOURCES and the request was for the
creation or renewal of a mapping, then the PCP client SHOULD NOT send
further requests for any new mappings to that PCP server for the
(limited) value of the lifetime. If the result code is NO_RESOURCES
and the request was for the deletion of a mapping, then the PCP
client SHOULD NOT send further requests of *any kind* to that PCP
server for the (limited) value of the lifetime.
On a success response, the PCP client can use the external IP address
and port as needed. Typically, the PCP client will communicate the
external IP address and port to another host on the Internet using an
application-specific rendezvous mechanism such as DNS SRV records.
After a success response, for as long as renewal is desired, the PCP
client MUST set a timer or otherwise schedule an event to renew the
mapping before its lifetime expires. Renewing a mapping is performed
by sending another MAP request, exactly as described in Section 11.2,
except that the suggested external address and port SHOULD be set to
the values received in the response. From the PCP server's point of
Wing, et al. Standards Track [Page 48]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
view a MAP request to renew a mapping is identical to a MAP request
to create a new mapping, and is handled identically. Indeed, in the
event of PCP server state loss, a renewal request from a PCP client
will appear to the server to be a request to create a new mapping,
with a particular suggested external address and port, which happen
to be what the PCP server previously assigned. See also
Section 16.3.1, "Recreating Mappings".
On an error response, the client SHOULD NOT repeat the same request
to the same PCP server within the lifetime returned in the response.
11.5. Address Change Events
A customer premises router might obtain a new external IP address,
for a variety of reasons including a reboot, power outage, DHCP lease
expiry, or other action by the ISP. If this occurs, traffic
forwarded to a host's previous address might be delivered to another
host that now has that address. This affects all mapping types,
whether implicit or explicit. This same problem already occurs today
when a host's IP address is reassigned, without PCP and without an
ISP-operated CGN. The solution is the same as today: the problems
associated with host renumbering are caused by host renumbering, and
are eliminated if host renumbering is avoided. PCP defined in this
document does not provide machinery to reduce the host renumbering
problem.
When an internal host changes its internal IP address (e.g., by
having a different address assigned by the DHCP server), the NAT (or
firewall) will continue to send traffic to the old IP address.
Typically, the internal host will no longer receive traffic sent to
that old IP address. Assuming the internal host wants to continue
receiving traffic, it needs to install new mappings for its new IP
address. The Suggested External Port field will not be fulfilled by
the PCP server, in all likelihood, because it is still being
forwarded to the old IP address. Thus, a mapping is likely to be
assigned a new external port number and/or external IP address. Note
that such host renumbering is not expected to happen routinely on a
regular basis for most hosts, since most hosts renew their DHCP
leases before they expire (or re-request the same address after
reboot) and most DHCP servers honor such requests and grant the host
the same address it was previously using before the reboot.
A host might gain or lose interfaces while existing mappings are
active (e.g., Ethernet cable plugged in or removed, joining/leaving a
WiFi network). Because of this, if the PCP client is sending a PCP
request to maintain state in the PCP server, it SHOULD ensure that
those PCP requests continue to use the same interface (e.g., when
refreshing mappings). If the PCP client is sending a PCP request to
Wing, et al. Standards Track [Page 49]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
create new state in the PCP server, it MAY use a different source
interface or different source address.
11.6. Learning the External IP Address Alone
NAT-PMP [RFC6886] includes a mechanism to allow clients to learn the
external IP address alone, without also requesting a port mapping.
NAT-PMP was designed for residential NAT gateways, where such an
operation makes sense because a typical residential NAT gateway has
only one external IP address. PCP has broader scope, and also
supports Carrier-Grade NATs (CGNs) that may have a pool of external
IP addresses, not just one. A client may not be assigned any
particular external IP address from that pool until it has at least
one implicit, explicit, or static port mapping, and even then only
for as long as that mapping remains valid. Client software that just
wishes to display the user's external IP address for cosmetic
purposes can achieve that by requesting a short-lived mapping (e.g.,
to the Discard service (TCP/9 or UDP/9) or some other port) and then
displaying the resulting external IP address. However, once that
mapping expires a subsequent implicit or explicit dynamic mapping
might be mapped to a different external IP address.
12. PEER Opcode
This section defines an Opcode for controlling dynamic outbound
mappings.
PEER: Create a new dynamic outbound mapping to a remote peer's IP
address and port, or extend the lifetime of an existing
outbound mapping.
The use of this Opcodes is described in this section.
PCP servers SHOULD provide a configuration option to allow
administrators to disable PEER support if they wish.
Because a mapping created or managed by PEER behaves almost exactly
like an implicit dynamic outbound mapping created as a side effect of
a packet (e.g., TCP SYN) sent by the host, mappings created or
managed using PCP PEER requests may be endpoint-independent mapping
(EIM) or endpoint-dependent mapping (EDM), with endpoint-independent
filtering (EIF) or endpoint-dependent filtering (EDF), consistent
with the existing behavior of the NAT gateway or firewall in question
for implicit outbound mappings it creates automatically as a result
of observing outgoing traffic from internal hosts.
Wing, et al. Standards Track [Page 50]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
12.1. PEER Operation Packet Formats
The PEER Opcode allows a PCP client to create a new explicit dynamic
outbound mapping (which functions similarly to an outbound mapping
created implicitly when a host sends an outbound TCP SYN) or to
extend the lifetime of an existing outbound mapping.
The following diagram shows the Opcode layout for the PEER Opcode.
The formats for the PEER request and response packets are aligned so
that related fields fall at the same offsets in the packet.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Mapping Nonce (96 bits) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | Reserved (24 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Internal Port | Suggested External Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Suggested External IP Address (128 bits) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Remote Peer Port | Reserved (16 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Remote Peer IP Address (128 bits) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 11: PEER Opcode Request
These fields are described below:
Requested Lifetime (in common header): Requested lifetime of this
mapping, in seconds. Note that it is not possible to reduce the
lifetime of a mapping (or delete it, with requested lifetime=0)
using PEER.
Mapping Nonce: Random value chosen by the PCP client. See
Section 12.2, "Generating a PEER Request". Zero is a legal value
(but unlikely, occurring in roughly one in 2^96 requests).
Wing, et al. Standards Track [Page 51]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
Protocol: Upper-layer protocol associated with this Opcode. Values
are taken from the IANA protocol registry [proto_numbers]. For
example, this field contains 6 (TCP) if the Opcode is describing a
TCP mapping. This field contains 17 (UDP) if the Opcode is
describing a UDP mapping. Protocol MUST NOT be zero.
Reserved: 24 reserved bits, MUST be set to 0 on transmission and
MUST be ignored on reception.
Internal Port: Internal port for the mapping. Internal port MUST
NOT be zero.
Suggested External Port: Suggested external port for the mapping.
If the PCP client does not know the external port, or does not
have a preference, it MUST use 0.
Suggested External IP Address: Suggested external IP address for the
mapping. If the PCP client does not know the external address, or
does not have a preference, it MUST use the address-family-
specific all-zeros address (see Section 5).
Remote Peer Port: Remote peer's port for the mapping. Remote peer
port MUST NOT be zero.
Reserved: 16 reserved bits, MUST be set to 0 on transmission and
MUST be ignored on reception.
Remote Peer IP Address: Remote peer's IP address. This is from the
perspective of the PCP client, so that the PCP client does not
need to concern itself with NAT64 or NAT46 (which both cause the
client's idea of the remote peer's IP address to differ from the
remote peer's actual IP address). This field allows the PCP
client and PCP server to disambiguate multiple connections from
the same port on the internal host to different servers. An IPv6
address is represented directly, and an IPv4 address is
represented using the IPv4-mapped address syntax (Section 5).
When attempting to re-create a lost mapping, the suggested external
IP address and port are set to the External IP Address and Port
fields received in a previous PEER response from the PCP server. On
an initial PEER request, the external IP address and port are set to
zero.
Note that semantics similar to the PREFER_FAILURE option are
automatically implied by PEER requests. If the Suggested External IP
Address or Suggested External Port fields are non-zero, and the PCP
server is unable to honor the suggested external IP address,
protocol, or port, then the PCP server MUST return a
Wing, et al. Standards Track [Page 52]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
CANNOT_PROVIDE_EXTERNAL error response. The PREFER_FAILURE option is
neither required nor allowed in PEER requests, and if a PCP server
receives a PEER request containing the PREFER_FAILURE option it MUST
return a MALFORMED_REQUEST error response.
The following diagram shows the Opcode response for the PEER Opcode:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Mapping Nonce (96 bits) |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Protocol | Reserved (24 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Internal Port | Assigned External Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Assigned External IP Address (128 bits) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Remote Peer Port | Reserved (16 bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Remote Peer IP Address (128 bits) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 12: PEER Opcode Response
Lifetime (in common header): On a success response, this indicates
the lifetime for this mapping, in seconds. On an error response,
this indicates how long clients should assume they'll get the same
error response from the PCP server if they repeat the same
request.
Mapping Nonce: Copied from the request.
Protocol: Copied from the request.
Reserved: 24 reserved bits, MUST be set to 0 on transmission, MUST
be ignored on reception.
Wing, et al. Standards Track [Page 53]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
Internal Port: Copied from request.
Assigned External Port: On a success response, this is the assigned
external port for the mapping. On an error response, the
suggested external port is copied from the request.
Assigned External IP Address: On a success response, this is the
assigned external IPv4 or IPv6 address for the mapping. On an
error response, the suggested external IP address is copied from
the request.
Remote Peer Port: Copied from request.
Reserved: 16 reserved bits, MUST be set to 0 on transmission, MUST
be ignored on reception.
Remote Peer IP Address: Copied from the request.
12.2. Generating a PEER Request
This section describes the operation of a client when generating a
message with the PEER Opcode.
The PEER Opcode MAY be sent before or after establishing
bidirectional communication with the remote peer.
If sent before, this is considered a PEER-created mapping that
creates a new dynamic outbound mapping in the PCP-controlled device.
If sent after, this allows the PCP client to learn the IP address,
port, and lifetime of the assigned external address and port for the
existing implicit dynamic outbound mapping, and potentially to extend
this lifetime (for reducing NAT or firewall keepalive messages, as
described in Section 10.3).
PEER requests are also useful for restoring mappings after a NAT has
lost its mapping state (e.g., due to a crash).
The Mapping Nonce value is randomly chosen by the PCP client,
following accepted practices for generating unguessable random
numbers [RFC4086], and is used as part of the validation of PCP
responses (see below) by the PCP client, and validation for mapping
refreshes by the PCP server. The client MUST use a different mapping
nonce for each PCP server it communicates with, and it is RECOMMENDED
to choose a new random mapping nonce whenever the PCP client is
initialized. The client MAY use a different mapping nonce for every
mapping.
Wing, et al. Standards Track [Page 54]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
The PEER Opcode contains a Remote Peer Address field, which is always
from the perspective of the PCP client. Note that when the
PCP-controlled device is performing address family translation (NAT46
or NAT64), the remote peer address from the perspective of the PCP
client is different from the remote peer address on the other side of
the address family translation device.
12.3. Processing a PEER Request
This section describes the operation of a server when receiving a
request with the PEER Opcode. Processing SHOULD be performed in the
order of the following paragraphs.
The following fields from a PEER request are copied into the
response: Protocol, Internal Port, Remote Peer IP Address, Remote
Peer Port, and Mapping Nonce.
When an implicit dynamic mapping is created, some NATs and firewalls
validate destination addresses and will not create an implicit
dynamic mapping if the destination address is invalid (e.g.,
127.0.0.1). If a PCP-controlled device does such validation for
implicit dynamic mappings, it SHOULD also do a similar validation of
the remote peer IP address, protocol, and port for PEER-created
explicit dynamic mappings. If the validation determines the remote
peer IP address of a PEER request is invalid, then no mapping is
created, and a MALFORMED_REQUEST error result is returned.
On receiving the PEER Opcode, the PCP server examines the mapping
table for a matching five-tuple { Protocol, Internal Address,
Internal Port, Remote Peer Address, Remote Peer Port }.
If no matching mapping is found, and the suggested external address
and port are either zero or can be honored for the specified
Protocol, a new mapping is created. By having the PEER create such a
mapping, we avoid a race condition between the PEER request and the
initial outgoing packet arriving at the NAT or firewall device first,
and allow PEER to be used to recreate a lost outbound dynamic mapping
(see Section 16.3.1, "Recreating Mappings"). Thereafter, this PEER-
created mapping is treated as if it was an implicit dynamic outbound
mapping (e.g., as if the PCP client sent a TCP SYN) and a lifetime
appropriate to such a mapping is returned (note: on many NATs and
firewalls, such mapping lifetimes are very short until bidirectional
traffic is seen by the NAT or firewall).
If no matching mapping is found, and the suggested external address
and port cannot be honored, then no new state is created, and the
error CANNOT_PROVIDE_EXTERNAL is returned.
Wing, et al. Standards Track [Page 55]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
If a matching mapping is found, and no previous PEER Opcode was
successfully processed for this mapping, then the Suggested External
Address and Port values in the request are ignored, the lifetime of
that mapping is adjusted as described below, and information about
the existing mapping is returned. This allows a client to explicitly
extend the lifetime of an existing mapping and/or to learn an
existing mapping's external address, port, and lifetime. The mapping
nonce is remembered for this mapping.
If operating in the Simple Threat Model (Section 18.1), and the
internal port, protocol, and internal address match a mapping that
already exists, but the mapping nonce does not match (that is, a
previous PEER request was processed), the request MUST be rejected
with a NOT_AUTHORIZED error with the lifetime of the error indicating
duration of that existing mapping. The PCP server only needs to
remember one Mapping Nonce value for each mapping. This
specification makes no statement about mapping nonce with the
Advanced Threat Model.
Processing the Lifetime value of the PEER Opcode is described in
Section 15, "Mapping Lifetime and Deletion". Sending a PEER request
with a very short requested lifetime can be used to query the
lifetime of an existing mapping. So that PCP clients can reduce the
frequency of their NAT and firewall keepalive messages, it is
RECOMMENDED that lifetimes of mappings created or lengthened with
PEER be longer than the lifetimes of implicitly created mappings.
If all of the preceding operations were successful (did not generate
an error response), then a SUCCESS response is generated, with the
Lifetime field containing the lifetime of the mapping.
If a PEER-created or PEER-managed mapping is not renewed using PEER,
then it reverts to the NAT's usual behavior for implicit mappings.
For example, continued outbound traffic keeps the mapping alive, as
per the NAT or firewall device's existing policy. A PEER-created or
PEER-managed mapping may be terminated at any time by action of the
TCP client or server (e.g., due to TCP FIN or TCP RST), as per the
NAT or firewall device's existing policy.
12.4. Processing a PEER Response
This section describes the operation of a client when processing a
response with the PEER Opcode.
After performing common PCP response processing, the response is
further matched with an outstanding PEER request by comparing the
internal IP address (the destination IP address of the PCP response,
or other IP address specified via the THIRD_PARTY option), the
Wing, et al. Standards Track [Page 56]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
protocol, the internal port, the remote peer address, the remote peer
port, and the mapping nonce. Other fields are not compared, because
the PCP server sets those fields to provide information about the
mapping created by the Opcode. The PCP server will send a Mapping
Update (Section 14.2) if the mapping changes (e.g., due to IP
renumbering).
If the result code is NO_RESOURCES and the request was for the
creation or renewal of a mapping, then the PCP client SHOULD NOT send
further requests for any new mappings to that PCP server for the
(limited) value of the lifetime.
On a successful response, the application can use the assigned
Lifetime value to reduce its frequency of application keepalives for
that particular NAT mapping. Of course, there may be other reasons,
specific to the application, to use more frequent application
keepalives. For example, the PCP assigned lifetime could be one hour
but the application may want to maintain state on its server (e.g.,
"busy" / "away") more frequently than once an hour. If the response
indicates an unexpected IP address or port (e.g., due to IP
renumbering), the PCP client will want to re-establish its connection
to its remote server.
If the PCP client wishes to keep this mapping alive beyond the
indicated lifetime, it MAY rely on continued inside-to-outside
traffic to ensure that the mapping will continue to exist, or it MAY
issue a new PCP request prior to the expiration. The recommended
timings for renewing PEER mappings are the same as for MAP mappings,
as described in Section 11.2.1.
Note: Implementations need to expect the PEER response may contain
an external IP address with a different family than the remote
peer IP address, e.g., when NAT64 or NAT46 are being used.
13. Options for MAP and PEER Opcodes
This section describes options for the MAP and PEER Opcodes. These
options MUST NOT appear with other Opcodes, unless permitted by those
other Opcodes.
13.1. THIRD_PARTY Option for MAP and PEER Opcodes
This option is used when a PCP client wants to control a mapping to
an internal host other than itself. This is used with both MAP and
PEER Opcodes.
Due to security concerns with the THIRD_PARTY option, this option
MUST NOT be implemented or used unless the network on which the PCP
Wing, et al. Standards Track [Page 57]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
messages are to be sent is fully trusted. For example, if access
control lists (ACLs) are installed on the PCP client, PCP server, and
the network between them, so those ACLs allow only communications
from a trusted PCP client to the PCP server.
A management device would use this option to control a PCP server on
behalf of users. For example, a management device located in a
network operations center, which presents a user interface to end
users or to network operations staff, and issues PCP requests with
the THIRD_PARTY option to the appropriate PCP server.
The THIRD_PARTY option is formatted as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code=1 | Reserved | Option Length=16 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Internal IP Address (128 bits) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 13: THIRD_PARTY Option
The fields are described below:
Internal IP Address: Internal IP address for this mapping.
Option Name: THIRD_PARTY
Number: 1
Purpose: Indicates the MAP or PEER request is for a host other
than the host sending the PCP option.
Valid for Opcodes: MAP, PEER
Length: 16 octets
May appear in: request. May appear in response only if it
appeared in the associated request.
Maximum occurrences: 1
A THIRD_PARTY option MUST NOT contain the same address as the source
address of the packet. This is because many PCP servers may not
implement the THIRD_PARTY option at all, and with those servers a
client redundantly using the THIRD_PARTY option to specify its own IP
address would cause such mapping requests to fail where they would
otherwise have succeeded. A PCP server receiving a THIRD_PARTY
option specifying the same address as the source address of the
packet MUST return a MALFORMED_REQUEST result code.
Wing, et al. Standards Track [Page 58]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
A PCP server MAY be configured to permit or to prohibit the use of
the THIRD_PARTY option. If this option is permitted, properly
authorized clients may perform these operations on behalf of other
hosts. If this option is prohibited, and a PCP server receives a PCP
MAP request with a THIRD_PARTY option, it MUST generate a
UNSUPP_OPTION response.
It is RECOMMENDED that customer premises equipment implementing a PCP
server be configured to prohibit third-party mappings by default.
With this default, if a user wants to create a third-party mapping,
the user needs to interact out-of-band with their customer premises
router (e.g., using its HTTP administrative interface).
It is RECOMMENDED that service provider NAT and firewall devices
implementing a PCP server be configured to permit the THIRD_PARTY
option, when sent by a properly authorized host. If the packet
arrives from an unauthorized host, the PCP server MUST generate an
UNSUPP_OPTION error.
Note that the THIRD_PARTY option is not needed for today's common
scenario of an ISP offering a single IP address to a customer who is
using NAT to share that address locally, since in this scenario all
the customer's hosts appear, from the point of view of the ISP, to be
a single host.
When a PCP client is using the THIRD_PARTY option to make and
maintain mappings on behalf of some other device, it may be
beneficial if, where possible, the PCP client verifies that the other
device is actually present and active on the network. Otherwise, the
PCP client risks maintaining those mappings forever, long after the
device that required them has gone. This would defeat the purpose of
PCP mappings having a finite lifetime so that they can be
automatically deleted after they are no longer needed.
13.2. PREFER_FAILURE Option for MAP Opcode
This option is only used with the MAP Opcode.
This option indicates that if the PCP server is unable to map both
the suggested external port and suggested external address, the PCP
server should not create a mapping. This differs from the behavior
without this option, which is to create a mapping.
PREFER_FAILURE is never necessary for a PCP client to manage mappings
for itself, and its use causes additional work in the PCP client and
in the PCP server. This option exists for interworking with non-PCP
mapping protocols that have different semantics than PCP (e.g., UPnP
IGDv1 interworking [PNP-IGD-PCP], where the semantics of UPnP IGDv1
Wing, et al. Standards Track [Page 59]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
only allow the UPnP IGDv1 client to dictate mapping a specific port),
or separate port allocation systems that allocate ports to a
subscriber (e.g., a subscriber-accessed web portal operated by the
same ISP that operates the PCP server). A PCP server MAY support
this option, if its designers wish to support such downstream devices
or separate port allocation systems. PCP servers that are not
intended to interface with such systems are not required to support
this option. PCP clients other than UPnP IGDv1 interworking clients
or other than a separate port allocation system SHOULD NOT use this
option because it results in inefficient operation, and they cannot
safely assume that all PCP servers will implement it. It is
anticipated that this option will be deprecated in the future as more
clients adopt PCP natively and the need for this option declines.
The PREFER_FAILURE option is formatted as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code=2 | Reserved | Option Length=0 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 14: PREFER_FAILURE Option
Option Name: PREFER_FAILURE
Number: 2
Purpose: indicates that the PCP server should not create an
alternative mapping if the suggested external port and address
cannot be mapped.
Valid for Opcodes: MAP
Length: 0
May appear in: request. May appear in response only if it
appeared in the associated request.
Maximum occurrences: 1
The result code CANNOT_PROVIDE_EXTERNAL is returned if the suggested
external address, protocol, and port cannot be mapped. This can
occur because the external port is already mapped to another host's
outbound dynamic mapping, an inbound dynamic mapping, a static
mapping, or the same internal address, protocol, and port already
have an outbound dynamic mapping that is mapped to a different
external port than suggested. This can also occur because the
external address is no longer available (e.g., due to renumbering).
The server MAY set the lifetime in the response to the remaining
lifetime of the conflicting mapping + TIME_WAIT [RFC0793], rounded up
to the next larger integer number of seconds.
Wing, et al. Standards Track [Page 60]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
If a PCP request contains the PREFER_FAILURE option and has zero in
the Suggested External Port field, then it is invalid. The PCP
server MUST reject such a message with the MALFORMED_OPTION error
code.
PCP servers MAY choose to rate-limit their handling of PREFER_FAILURE
requests, to protect themselves from a rapid flurry of 65535
consecutive PREFER_FAILURE requests from clients probing to discover
which external ports are available.
There can exist a race condition between the MAP Opcode using the
PREFER_FAILURE option and Mapping Update (Section 14.2). For
example, a previous host on the local network could have previously
had the same internal address, with a mapping for the same internal
port. At about the same moment that the current host sends a MAP
Request using the PREFER_FAILURE option, the PCP server could send a
spontaneous Mapping Update for the old mapping due to an external
configuration change, which could appear to be a reply to the new
mapping request. Because of this, the PCP client MUST validate that
the external IP address, protocol, port, and nonce in a success
response match the associated suggested values from the request. If
they do not match, it is because the Mapping Update was sent before
the MAP request was processed.
13.3. FILTER Option for MAP Opcode
This option is only used with the MAP Opcode.
This option indicates that filtering incoming packets is desired.
The protocol being filtered is indicated by the Protocol field in the
MAP Request, and the remote peer IP address and remote peer port of
the FILTER option indicate the permitted remote peer's source IP
address and source port for packets from the Internet; other traffic
from other addresses is blocked. The remote peer prefix length
indicates the length of the remote peer's IP address that is
significant; this allows a single option to permit an entire subnet.
After processing this MAP request containing the FILTER option and
generating a successful response, the PCP-controlled device will drop
packets received on its public-facing interface that don't match the
filter fields. After dropping the packet, if its security policy
allows, the PCP-controlled device MAY also generate an ICMP error in
response to the dropped packet.
The use of the FILTER option can be seen as a performance
optimization. Since all software using PCP to receive incoming
connections also has to deal with the case where it may be directly
connected to the Internet and receive unrestricted incoming TCP
connections and UDP packets, if it wishes to restrict incoming
Wing, et al. Standards Track [Page 61]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
traffic to a specific source address or group of source addresses,
such software already needs to check the source address of incoming
traffic and reject unwanted traffic. However, the FILTER option is a
particularly useful performance optimization for battery powered
wireless devices, because it can enable them to conserve battery
power by not having to wake up just to reject unwanted traffic.
The FILTER option is formatted as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Option Code=3 | Reserved | Option Length=20 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved | Prefix Length | Remote Peer Port |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Remote Peer IP address (128 bits) |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 15: FILTER Option Layout
These fields are described below:
Reserved: 8 reserved bits, MUST be sent as 0 and MUST be ignored
when received.
Prefix Length: indicates how many bits of the IPv4 or IPv6 address
are relevant for this filter. The value 0 indicates "no filter",
and will remove all previous filters. See below for detail.
Remote Peer Port: the port number of the remote peer. The value 0
indicates "all ports".
Remote Peer IP address: The IP address of the remote peer.
Option Name: FILTER
Number: 3
Purpose: specifies a filter for incoming packets
Valid for Opcodes: MAP
Length: 20 octets
May appear in: request. May appear in response only if it
appeared in the associated request.
Maximum occurrences: as many as fit within maximum PCP message
size
Wing, et al. Standards Track [Page 62]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
The Prefix Length indicates how many bits of the address are used for
the filter. For IPv4 addresses (which are encoded using the
IPv4-mapped address format (::FFFF:0:0/96)), this means valid prefix
lengths are between 96 and 128 bits, inclusive. That is, add 96 to
the IPv4 prefix length. For IPv6 addresses, valid prefix lengths are
between 0 and 128 bits, inclusive. Values outside those ranges cause
the PCP server to return the MALFORMED_OPTION result code.
If multiple occurrences of the FILTER option exist in the same MAP
request, they are processed in the order received (as per normal PCP
option processing), and they MAY overlap the filtering requested. If
there is an existing mapping (with or without a filter) and the
server receives a MAP request with FILTER, the filters indicated in
the new request are added to any existing filters. If a MAP request
has a lifetime of 0 and contains the FILTER option, the error
MALFORMED_OPTION is returned.
If any occurrences of the FILTER option in a request packet are not
successfully processed then an error is returned (e.g.,
MALFORMED_OPTION if one of the options was malformed) and as with
other PCP errors, returning an error causes no state to be changed in
the PCP server or in the PCP-controlled device.
To remove all existing filters, the Prefix Length 0 is used. There
is no mechanism to remove a specific filter.
To change an existing filter, the PCP client sends a MAP request
containing two FILTER options, the first option containing a prefix
length of 0 (to delete all existing filters) and the second
containing the new remote peer's IP address, protocol, and port.
Other FILTER options in that PCP request, if any, add more allowed
remote peers.
The PCP server or the PCP-controlled device is expected to have a
limit on the number of remote peers it can support. This limit might
be as small as one. If a MAP request would exceed this limit, the
entire MAP request is rejected with the result code
EXCESSIVE_REMOTE_PEERS, and the state on the PCP server is unchanged.
All PCP servers MUST support at least one filter per MAP mapping.
14. Rapid Recovery
PCP includes a rapid recovery feature, which allows PCP clients to
repair failed mappings within seconds, rather than the minutes or
hours it might take if they relied solely on waiting for the next
routine renewal of the mapping. Mapping failures may occur when a
NAT gateway is rebooted and loses its mapping state, or when a NAT
Wing, et al. Standards Track [Page 63]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
gateway has its external IP address changed so that its current
mapping state becomes invalid.
The PCP rapid recovery feature enables users to, for example, connect
to remote machines using ssh, and then reboot their NAT or firewall
device (or even replace it with completely new hardware) without
losing their established ssh connections.
Use of PCP rapid recovery is a performance optimization to PCP's
routine self-healing. Without rapid recovery, PCP clients will still
recreate their correct state when they next renew their mappings, but
this routine self-healing process may take hours rather than seconds,
and will probably not happen fast enough to prevent active TCP
connections from timing out.
There are two mechanisms to perform rapid recovery, described below.
Failing to implement and deploy a rapid recovery mechanism will
encourage application developers to feel the need to refresh their
PCP state more frequently than necessary, causing more network
traffic. Therefore, a PCP server that can lose state (e.g., due to
reboot) or might have a mapping change (e.g., due to IP renumbering)
MUST implement either the Announce Opcode or the Mapping Update
mechanism and SHOULD implement both mechanisms.
14.1. ANNOUNCE Opcode
This rapid recovery mechanism uses the ANNOUNCE Opcode. When the PCP
server loses its state (e.g., it lost its state when rebooted), it
resets its Epoch time to its initial starting value (usually zero)
and sends the ANNOUNCE response to the link-scoped multicast address
(specific address explained below) if a multicast network exists on
its local interface, or, if configured with the IP address(es) and
port(s) of PCP client(s), it sends unicast ANNOUNCE responses to
those address(es) and port(s). This means ANNOUNCE may not be
available on all networks (such as networks without a multicast link
between the PCP server and its PCP clients). Additionally, an
ANNOUNCE request can be sent (unicast) by a PCP client that elicits a
unicast ANNOUNCE response like any other Opcode.
Upon receiving PCP response packets with an anomalous Epoch time,
clients deduce that the PCP server lost state and recreate their lost
mappings.
Wing, et al. Standards Track [Page 64]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
14.1.1. ANNOUNCE Operation
The PCP ANNOUNCE Opcode requests and responses have no
Opcode-specific payload (that is, the length of the Opcode-specific
data is zero). The Requested Lifetime field of requests and Lifetime
field of responses are both set to 0 on transmission and ignored on
reception.
If a PCP server receives an ANNOUNCE request, it first parses it and
generates a SUCCESS if parsing and processing of ANNOUNCE is
successful. An error is generated if the client's IP Address field
does not match the packet source address, or the request packet is
otherwise malformed, such as packet length less than 24 octets. Note
that, in the future, options MAY be sent with the PCP ANNOUNCE
Opcode; PCP clients and servers need to be prepared to receive
options with the ANNOUNCE Opcode.
Discussion: Client-to-server request messages are sent, from any
client source port, to listening UDP port 5351 on the server;
server-to-client multicast notifications are sent from the
server's UDP port (5351) to listening UDP port 5350 on the client.
The reason the same listening UDP port is not used for both
purposes is that a single device may have multiple roles. For
example, a multi-function home gateway that provides NAT service
(PCP server) may also provide printer sharing (which wants a PCP
client), or a home computer (PCP client) may also provide
"Internet Sharing" (NAT) functionality (which needs to offer PCP
service). Such devices need to act as both a PCP server and a PCP
client at the same time, and the software that implements the PCP
server on the device may not be the same software component that
implements the PCP client. The software that implements the PCP
server needs to listen for unicast client requests, whereas the
software that implements the PCP client needs to listen for
multicast restart announcements. In many networking APIs it is
difficult or impossible to have two independent clients listening
for both unicasts and multicasts on the same port at the same
time. For this reason, two ports are used.
14.1.2. Generating and Processing a Solicited ANNOUNCE Message
The PCP ANNOUNCE Opcode MAY be sent (unicast) by a PCP client. The
Requested Lifetime value MUST be set to zero.
When the PCP server receives the ANNOUNCE Opcode and successfully
parses and processes it, it generates SUCCESS response with an
assigned lifetime of zero.
Wing, et al. Standards Track [Page 65]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
This functionality allows a PCP client to determine a server's Epoch,
or to determine if a PCP server is running, without changing the
server's state.
14.1.3. Generating and Processing an Unsolicited ANNOUNCE Message
When sending unsolicited responses, the ANNOUNCE Opcode MUST have
result code equal to zero (SUCCESS), and the packet MUST be sent from
the unicast IP address and UDP port number on which PCP requests are
received (so that the PCP response processing described in
Section 8.3 will accept the message). This message is most typically
multicast, but can also be unicast. Multicast PCP restart
announcements are sent to 224.0.0.1:5350 and/or [ff02::1]:5350, as
described below. Sending PCP restart announcements via unicast
requires that the PCP server know the IP address(es) and port(s) of
its listening clients, which means that sending PCP restart
announcements via unicast is only applicable to PCP servers that
retain knowledge of the IP address(es) and port(s) of their clients
even after they otherwise lose the rest of their state.
When a PCP server device that implements this functionality reboots,
restarts its NAT engine, or otherwise enters a state where it may
have lost some or all of its previous mapping state (or enters a
state where it doesn't even know whether it may have had prior state
that it lost), it MUST inform PCP clients of this fact by unicasting
or multicasting a gratuitous PCP ANNOUNCE Opcode response packet, as
shown below, via paths over which it accepts PCP requests. If
sending a multicast ANNOUNCE message, a PCP server device that
accepts PCP requests over IPv4 sends the Restart Announcement to the
IPv4 multicast address 224.0.0.1:5350 (224.0.0.1 is the All Hosts
multicast group address), and a PCP server device that accepts PCP
requests over IPv6 sends the Restart Announcement to the IPv6
multicast address [ff02::1]:5350 (ff02::1 is for all nodes on the
local segment). A PCP server device that accepts PCP requests over
both IPv4 and IPv6 sends a pair of Restart Announcements, one to each
multicast address. If sending a unicast ANNOUNCE messages, it sends
ANNOUNCE response message to the IP address(es) and port(s) of its
PCP clients. To accommodate packet loss, the PCP server device MAY
transmit such packets (or packet pairs) up to ten times (with an
appropriate Epoch Time value in each to reflect the passage of time
between transmissions) provided that the interval between the first
two notifications is at least 250 ms, and the interval between
subsequent notification at least doubles.
A PCP client that sends PCP requests to a PCP server via a multicast-
capable path, and implements the Restart Announcement feature, and
wishes to receive these announcements, MUST listen to receive these
PCP Restart Announcements (gratuitous PCP ANNOUNCE Opcode response
Wing, et al. Standards Track [Page 66]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
packets) on the appropriate multicast-capable interfaces on which it
sends PCP requests, and MAY also listen for unicast announcements
from the server too, (using the UDP port it already uses to issue
unicast PCP requests to, and receive unicast PCP responses from, that
server). A PCP client device that sends PCP requests using IPv4
listens for packets sent to the IPv4 multicast address
224.0.0.1:5350. A PCP client device that sends PCP requests using
IPv6 listens for packets sent to the IPv6 multicast address
[ff02::1]:5350. A PCP client device that sends PCP requests using
both IPv4 and IPv6 listens for both types of Restart Announcement.
The SO_REUSEPORT socket option or equivalent should be used for the
multicast UDP port, if required by the host OS to permit multiple
independent listeners on the same multicast UDP port.
Upon receiving a unicasted or multicasted PCP ANNOUNCE Opcode
response packet, a PCP client MUST (as it does with all received PCP
response packets) inspect the announcement's source IP address, and
if the Epoch Time value is outside the expected range for that
server, it MUST wait a random amount of time between 0 and 5 seconds
(to prevent synchronization of all PCP clients), then for all PCP
mappings it made at that server address the client issues new PCP
requests to recreate any lost mapping state. The use of the
Suggested External IP Address and Suggested External Port fields in
the client's renewal requests allows the client to remind the
restarted PCP server device of what mappings the client had
previously been given, so that in many cases the prior state can be
recreated. For PCP server devices that reboot relatively quickly it
is usually possible to reconstruct lost mapping state fast enough
that existing TCP connections and UDP communications do not time out,
and continue without failure. As for all PCP response messages, if
the Epoch Time value is within the expected range for that server,
the PCP client does not recreate its mappings. As for all PCP
response messages, after receiving and validating the ANNOUNCE
message, the client updates its own Epoch time for that server, as
described in Section 8.5.
14.2. PCP Mapping Update
This rapid recovery mechanism is used when the PCP server remembers
its state and determines its existing mappings are invalid (e.g., IP
renumbering changes the external IP address of a PCP-controlled NAT).
It is anticipated that servers that are routinely reconfigured by an
administrator or have their WAN address changed frequently will
implement this feature (e.g., residential CPE routers). It is
anticipated that servers that are not routinely reconfigured will not
implement this feature (e.g., service provider-operated CGN).
Wing, et al. Standards Track [Page 67]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
If a PCP server device has not forgotten its mapping state, but for
some other reason has determined that some or all of its mappings
have become unusable (e.g., when a home gateway is assigned a
different external IPv4 address by the upstream DHCP server), then
the PCP server device automatically repairs its mappings and notifies
its clients by following the procedure described below.
For PCP-managed mappings, for each one the PCP server device should
update the external IP address and external port to appropriate
available values, and then send unicast PCP MAP or PEER responses (as
appropriate for the mapping) to inform the PCP client of the new
external IP address and external port. Such unsolicited responses
are identical to the MAP or PEER responses normally returned in
response to client MAP or PEER requests, containing newly updated
External IP Address and External Port values, and are sent to the
same client IP address and port that the PCP server used to send the
prior response for that mapping. If the earlier associated request
contained the THIRD_PARTY option, the THIRD_PARTY option MUST also
appear in the Mapping Update as it is necessary for the PCP client to
disambiguate the response. If the earlier associated request
contained the PREFER_FAILURE option, and the same external IP
address, protocol, and port cannot be provided, the error
CANNOT_PROVIDE_EXTERNAL SHOULD be sent. If the earlier associated
request contained the FILTER option, the filters are moved to the new
mapping and the FILTER option is sent in the Mapping Update response.
Non-mandatory options SHOULD NOT be sent in the Mapping Update
response.
Discussion: It could have been possible to design this so that the
PCP server (1) sent an ANNOUNCE Opcode to the PCP client, the PCP
client reacted by (2) sending a new MAP request and (3) receiving
a MAP response. Instead, the server can create a shortcut for
that design by simply sending the message it would have sent in
(3).
To accommodate packet loss, the PCP server device SHOULD transmit
such packets three times, with an appropriate Epoch Time value in
each to reflect the passage of time between transmissions. The
interval between the first two notifications MUST be at least 250 ms,
and the third packet after a 500-ms interval. Once the PCP server
has received a refreshed state for that mapping, the PCP server
SHOULD cease those retransmissions for that mapping, as it serves no
further purpose to continue sending messages regarding that mapping.
Upon receipt of such an updated MAP or PEER response, a PCP client
uses the information in the response to adjust rendezvous servers or
reconnect to servers, respectively. For MAP, this would mean
updating the DNS entries or other address and port information
Wing, et al. Standards Track [Page 68]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
recorded with some kind of application-specific rendezvous server.
For PEER responses giving a CANNOT_PROVIDE_EXTERNAL error, this would
typically mean establishing new connections to servers. Anytime the
external address or port changes, existing TCP and UDP connections
will be lost; PCP can't avoid that, but does provide immediate
notification of the event to lessen the impact.
15. Mapping Lifetime and Deletion
The PCP client requests a certain lifetime, and the PCP server
responds with the assigned lifetime. The PCP server MAY grant a
lifetime smaller or larger than the requested lifetime. The PCP
server SHOULD be configurable for permitted minimum and maximum
lifetime, and the minimum value SHOULD be 120 seconds. The maximum
value SHOULD be the remaining lifetime of the IP address assigned to
the PCP client if that information is available (e.g., from the DHCP
server), or half the lifetime of IP address assignments on that
network if the remaining lifetime is not available, or 24 hours.
Excessively long lifetimes can cause consumption of ports even if the
internal host is no longer interested in receiving the traffic or is
no longer connected to the network. These recommendations are not
strict, and deployments should evaluate the trade-offs to determine
their own minimum and maximum Lifetime values.
Once a PCP server has responded positively to a MAP request for a
certain lifetime, the port mapping is active for the duration of the
lifetime unless the lifetime is reduced by the PCP client (to a
shorter lifetime or to zero) or until the PCP server loses its state
(e.g., crashes). Mappings created by PCP MAP requests are not
special or different from mappings created in other ways. In
particular, it is implementation-dependent if outgoing traffic
extends the lifetime of such mappings beyond the PCP-assigned
lifetime. PCP clients MUST NOT depend on this behavior to keep
mappings active, and MUST explicitly renew their mappings as required
by the Lifetime field in PCP response messages.
Upon receipt of a PCP response with an absurdly long assigned
lifetime, the PCP client SHOULD behave as if it received a more sane
value (e.g., 24 hours), and renew the mapping accordingly, to ensure
that if the static mapping is removed, the client will continue to
maintain the mapping it desires.
An application that forgets its PCP-assigned mappings (e.g., the
application or OS crashes) will request new PCP mappings. This may
consume port mappings, if the application binds to a different
internal port every time it runs. The application will also likely
initiate new outbound TCP connections, which create implicit dynamic
outbound mappings without using PCP, which will also consume port
Wing, et al. Standards Track [Page 69]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
mappings. If there is a port mapping quota for the internal host,
frequent restarts such as this may exhaust the quota.
To help clean PCP state, when the PCP-controlled device is collocated
with the address assignment (DHCP) server, such as in a typical
residential CPE, it is RECOMMENDED that when an IP address becomes
invalid (e.g., the DHCP lease expires, or the DHCP client sends an
explicit DHCP RELEASE) the PCP-controlled device SHOULD also discard
any dynamic mapping state relating to that expired IP address.
When using NAT, the same external port may be assigned for use by
different internal hosts at different times. For example, if an
internal host using an external port ceases sending traffic using
that port, then its mapping may expire, and then later the same
external port may be assigned to a new internal host. The new
internal host could then receive incoming traffic that was intended
for the previous internal host. This generally happens
inadvertently, and this reassignment of the external port only
happens after the current holder of the external port has ceased
using it for some period of time. It would be unacceptable if an
attacker could use PCP to intentionally speed up this reassignment of
the external port in order to deliberately steal traffic intended for
the current holder, by (i) spoofing PCP requests using the current
holder's source IP address and mapping nonce to fraudulently delete
the mapping or shorten its lifetime, and then (ii) subsequently
claiming the external port for itself.
Therefore, in the simple security model, to protect against this
attack, PCP MUST NOT allow a PCP request (even a PCP request that
appears to come from the current holder of the mapping) to cause a
mapping to expire sooner than it would naturally have expired
otherwise by virtue of outbound traffic keeping the mapping active.
A PCP server MUST set the lifetime of a mapping to no less than the
remaining time before the mapping would expire if no further outbound
traffic is seen for that mapping. This means a MAP or PEER request
with lifetime of 0 will only set the assigned lifetime to 0 (i.e.,
delete the mapping) if the internal host had not sent a packet using
that mapping for the idle-timeout time, otherwise the assigned
lifetime will be the remaining idle-timeout time.
Finally, to reduce unwanted traffic and data corruption for both TCP
and UDP, the assigned external port created by the MAP Opcode or PEER
Opcode SHOULD NOT be reused for an interval equal to the reuse time
limit enforced by the NAT for its implicit dynamic mappings
(typically, the maximum TCP segment lifetime of 2 minutes [RFC0793]).
Furthermore, to reduce port stealing attacks, the assigned external
port also SHOULD NOT be reused for an interval equal to the time the
PCP- controlled device would normally maintain an idle (no traffic)
Wing, et al. Standards Track [Page 70]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
implicit dynamic mapping (e.g., 2 minutes for UDP [RFC4787] and 124
minutes for TCP [RFC5382]). However, within these time windows, the
PCP server SHOULD allow an external port to be reclaimed by the same
client, where "same client" means "same internal IP address, internal
port, and mapping nonce".
15.1. Lifetime Processing for the MAP Opcode
If the requested lifetime is zero then:
o If both the protocol and internal port are non-zero, it indicates
a request to delete the indicated mapping immediately.
o If the protocol is non-zero and the internal port is zero, it
indicates a request to delete a previous 'wildcard' (all-ports)
mapping for that protocol. The nonce MUST match the nonce used to
create the 'wildcard' mapping.
o If both the protocol and internal port are zero, it indicates a
request to delete a previous 'DMZ host' (all incoming traffic for
all protocols) mapping. The nonce MUST match the nonce used to
create the 'DMZ host' mapping.
o If the protocol is zero and the internal port is non-zero, then
the request is invalid and the PCP server MUST return a
MALFORMED_REQUEST error to the client.
In requests where the requested Lifetime is 0, the Suggested External
Address and Suggested External Port fields MUST be set to zero on
transmission and MUST be ignored on reception, and these fields MUST
be copied into the assigned external IP address and assigned external
port of the response.
PCP MAP requests can only delete or shorten lifetimes of MAP-created
mappings. If the PCP client attempts to delete a static mapping
(i.e., a mapping created outside of PCP itself), or an outbound
(implicit or PEER-created) mapping, the PCP server MUST return
NOT_AUTHORIZED. If the PCP client attempts to delete a mapping that
does not exist, the SUCCESS result code is returned (this is
necessary for PCP to return the same response for retransmissions or
duplications of the same request). If the deletion request was
properly formatted and successfully processed, a SUCCESS response is
generated with the protocol and internal port number copied from the
request, and the response lifetime set to zero. An inbound mapping
(i.e., static mapping or MAP-created dynamic mapping) MUST NOT have
its lifetime reduced by transport protocol messages (e.g., TCP RST,
TCP FIN). Note the THIRD_PARTY option (Section 13.1), if authorized,
can also delete PCP-created MAP mappings.
Wing, et al. Standards Track [Page 71]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
16. Implementation Considerations
Section 16 provides non-normative guidance that may be useful to
implementers.
16.1. Implementing MAP with EDM Port-Mapping NAT
For implicit dynamic outbound mappings, some existing NAT devices
have endpoint-independent mapping (EIM) behavior while other NAT
devices have endpoint-dependent mapping (EDM) behavior. NATs that
have EIM behavior do not suffer from the problem described in this
section. The IETF strongly encourages EIM behavior
[RFC4787][RFC5382].
In EDM NAT devices, the same external port may be used by an outbound
dynamic mapping and an inbound dynamic mapping (from the same
internal host or from a different internal host). This complicates
the interaction with the MAP Opcode. With such NAT devices, there
are two ways envisioned to implement the MAP Opcode:
1. Have outbound mappings use a different set of external ports than
inbound mappings (e.g., those created with MAP), thus reducing
the interaction problem between them; or
2. On arrival of a packet (inbound from the Internet or outbound
from an internal host), first attempt to use a dynamic outbound
mapping to process that packet. If none match, attempt to use an
inbound mapping to process that packet. This effectively
'prioritizes' outbound mappings above inbound mappings.
16.2. Lifetime of Explicit and Implicit Dynamic Mappings
No matter if a NAT is EIM or EDM, it is possible that one (or more)
outbound mappings, using the same internal port on the internal host,
might be created before or after a MAP request. When this occurs, it
is important that the NAT honor the lifetime returned in the MAP
response. Specifically, if an inbound mapping was created with the
MAP Opcode, the implementation needs to ensure that termination of an
outbound mapping (e.g., via a TCP FIN handshake) does not prematurely
destroy the MAP-created inbound mapping.
16.3. PCP Failure Recovery
If an event occurs that causes the PCP server to lose dynamic mapping
state (such as a crash or power outage), the mappings created by PCP
are lost. Occasional loss of state may be unavoidable in a
residential NAT device that does not write transient information to
non-volatile memory. Loss of state is expected to be rare in a
Wing, et al. Standards Track [Page 72]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
service provider environment (due to redundant power, disk drives for
storage, etc.). Of course, due to outright failure of service
provider equipment (e.g., software malfunction), state may still be
lost.
The Epoch time allows a client to deduce when a PCP server may have
lost its state. When the Epoch Time value is observed to be outside
the expected range, the PCP client can attempt to recreate the
mappings following the procedures described in this section.
Further analysis of PCP failure scenarios is planned for a future
document [PCP-FAIL].
16.3.1. Recreating Mappings
A mapping renewal packet is formatted identically to an original
mapping request; from the point of view of the client, it is a
renewal of an existing mapping; however, from the point of view of a
newly rebooted PCP server, it appears as a new mapping request. In
the normal process of routinely renewing its mappings before they
expire, a PCP client will automatically recreate all its lost
mappings.
When the PCP server loses state and begins processing new PCP
messages, its Epoch time is reset and begins counting again. As the
result of receiving a packet where the Epoch Time field is outside
the expected range (Section 8.5), indicating that a reboot or similar
loss of state has occurred, the client can renew its port mappings
sooner, without waiting for the normal routine renewal time.
16.3.2. Maintaining Mappings
A PCP client refreshes a mapping by sending a new PCP request
containing information learned from the earlier PCP response. The
PCP server will respond indicating the new lifetime. It is possible,
due to reconfiguration or failure of the PCP server, that the
external IP address and/or external port, or the PCP server itself,
has changed (due to a new route to a different PCP server). Such
events are rare, but not an error. The PCP server will simply return
a new external address and/or external port to the client, and the
client should record this new external address and port with its
rendezvous service. To detect such events more quickly, a server
that requires extremely high availability may find it beneficial to
use shorter lifetimes in its PCP mappings requests, so that it
communicates with the PCP server more often. This is an engineering
trade-off based on (i) the acceptable downtime for the service in
question, (ii) the expected likelihood of NAT or firewall state loss,
and (iii) the amount of PCP maintenance traffic that is acceptable.
Wing, et al. Standards Track [Page 73]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
If the PCP client has several mappings, the Epoch Time value only
needs to be retrieved for one of them to determine whether or not it
appears the PCP server may have suffered a catastrophic loss of
state. If the client wishes to check the PCP server's Epoch time, it
sends a PCP request for any one of the client's mappings. This will
return the current Epoch Time value. In that request, the PCP client
could extend the mapping lifetime (by asking for more time) or
maintain the current lifetime (by asking for the same number of
seconds that it knows are remaining of the lifetime).
If a PCP client changes its internal IP address (e.g., because the
internal host has moved to a new network), and the PCP client wishes
to still receive incoming traffic, it needs create new mappings on
that new network. New mappings will typically also require an update
to the application-specific rendezvous server if the external address
or port is different from the previous values (see Sections 10.1 and
11.5).
16.3.3. SCTP
Although SCTP has port numbers like TCP and UDP, SCTP works
differently when behind an address-sharing NAT, in that SCTP port
numbers are not changed [SCTPNAT]. Outbound dynamic SCTP mappings
use the verification tag of the association instead of the local and
remote peer port numbers. As with TCP, explicit outbound mappings
can be made to reduce keepalive intervals, and explicit inbound
mappings can be made by passive listeners expecting to receive new
associations at the external port.
Because an SCTP-aware NAT does not (currently) rewrite SCTP port
numbers, it will not be able to assign an external port that is
different from the client's internal port. A PCP client making a MAP
request for SCTP should be aware of this restriction. The PCP client
SHOULD make its SCTP MAP request just as it would for a TCP MAP
request: in its initial PCP MAP request it SHOULD specify zero for
the external address and port, and then in subsequent renewals it
SHOULD echo the assigned external address and port. However, since a
current SCTP-aware NAT can only assign an external port that is the
same as the internal port, it may not be able to do that if the
external port is already assigned to a different PCP client. This is
likely if there is more than one instance of a given SCTP service on
the local network, since both instances are likely to listen on the
same well-known SCTP port for that service on their respective hosts,
but they can't both have the same external port on the NAT gateway's
external address. A particular external port may not be assignable
for other reasons, such as when it is already in use by the NAT
device itself, or otherwise prohibited by policy, as described in
Section 11.3, "Processing a MAP Request". In the event that the
Wing, et al. Standards Track [Page 74]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
external port matching the internal port cannot be assigned (and the
SCTP-aware NAT does not perform SCTP port rewriting), the SCTP-aware
NAT MUST return a CANNOT_PROVIDE_EXTERNAL error to the requesting PCP
client. Note that this restriction places an extra burden on the
SCTP server whose MAP request failed, because it then has to tear
down its exiting listening socket and try again with a different
internal port, repeatedly until it is successful in finding an
external port it can use.
The SCTP complications described above occur because of address
sharing. The SCTP complications are avoided when address sharing is
avoided (e.g., 1:1 NAT, firewall).
16.4. Source Address Replicated in PCP Header
All PCP requests include the PCP client's IP address replicated in
the PCP header. This is used to detect unexpected address rewriting
(NAT) on the path between the PCP client and its PCP server. On
operating systems that support the sockets API, the following steps
are RECOMMENDED for a PCP client to insert the correct source address
in the PCP header:
1. Create a UDP socket.
2. Call "connect" on this UDP socket using the address and port of
the desired PCP server.
3. Call the getsockname() function to retrieve a sockaddr containing
the source address the kernel will use for UDP packets sent
through this socket.
4. If the IP address is an IPv4 address, encode the address into an
IPv4-mapped IPv6 address. Place the IPv4-mapped IPv6 address or
the native IPv6 address into the PCP Client's IP Address field in
the PCP header.
5. Send PCP requests using this connected UDP socket.
Wing, et al. Standards Track [Page 75]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
16.5. State Diagram
Each mapping entry of the PCP-controlled device would go through the
state machine shown below. This state diagram is non-normative.
CLOSE_MSG or
(NO_TRAFFIC and EXPIRY) +---------+ NO_TRAFFIC and EXPIRY
+-------------->| |<------------+
| |NO_ENTRY | |
| +-----------| |---------+ |
| | +---------+ | |
| | ^ | | |
| | NO_TRAFFIC | | | |
| | or | | | |
| | CLOSE_MSGS | | | |
| | | | | |
| |PEER request | | MAP request| |
| V | | V |
+---------+ | | +---------+
+-->| "P", | | | M-R | "M", |<--+
P-R | | PEER |-----------|--|-------->| MAP | | M-R or
+---| mapping| | | | mapping|---+ P-R or
+---------+ | | +---------+ CLOSE_MSGS
| ^ | | ^ |
| |PEER request | | MAP request| |
| | | | | |
| | | | | |
| | | | | |
| | | | outbound | |
| | | | TRAFFIC | |
| | | V | |
| | +---------+ | |
| +-----------| "I", |---------+ |
| | implicit| |
+-------------->| mapping |<------------+
TRAFFIC and EXPIRY +---------+ TRAFFIC and EXPIRY
Figure 16: PCP State Diagram
The meanings of the states and events are:
NO_ENTRY: Invalid state represents Entry does not exist. This is
the only possible start state.
M-R: MAP request
P-R: PEER request
Wing, et al. Standards Track [Page 76]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
M: Mapping entry when created by MAP request
P: Mapping entry when created/managed by PEER request
I: Implicit mapping created by an outgoing packet from the
client (e.g., TCP SYN), and also the state when a
PCP-created mapping's lifetime expires while there is still
active traffic.
EXPIRY: PEER or MAP lifetime expired
TRAFFIC: Traffic seen by PCP-controlled device using this entry
within the expiry time for that entry. This traffic may be
inbound or outbound.
NO_TRAFFIC: Indicates that there is no TRAFFIC.
CLOSE_MSG: Protocol messages from the client or server to close
the session (e.g., TCP FIN or TCP RST), as per the NAT or
firewall device's handling of such protocol messages.
Notes on the diagram:
1. The 'and' clause indicates the events on either side of 'and' are
required for the state-transition. The 'or' clause indicates
either one of the events are enough for the state-transition.
2. Transition from state M to state I is implementation dependent.
17. Deployment Considerations
17.1. Ingress Filtering
As with implicit dynamic mappings created by outgoing TCP SYN
packets, explicit dynamic mappings created via PCP use the source IP
address of the packet as the internal address for the mappings.
Therefore, ingress filtering [RFC2827] SHOULD be used on the path
between the internal host and the PCP server to prevent the injection
of spoofed packets onto that path.
17.2. Mapping Quota
On PCP-controlled devices that create state when a mapping is created
(e.g., NAT), the PCP server SHOULD maintain per-host and/or per-
subscriber quotas for mappings. It is implementation specific
whether the PCP server uses a separate quotas for implicit, explicit,
and static mappings, a combined quota for all of them, or some other
policy.
Wing, et al. Standards Track [Page 77]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
18. Security Considerations
The goal of the PCP protocol is to improve the ability of end nodes
to control their associated NAT state, and to improve the efficiency
and error handling of NAT mappings when compared to existing implicit
mapping mechanisms in NAT boxes and stateful firewalls. It is the
security goal of the PCP protocol to limit any new denial-of-service
opportunities, and to avoid introducing new attacks that can result
in unauthorized changes to mapping state. One of the most serious
consequences of unauthorized changes in mapping state is traffic
theft. All mappings that could be created by a specific host using
implicit mapping mechanisms are inherently considered to be
authorized. Confidentiality of mappings is not a requirement, even
in cases where the PCP messages may transit paths that would not be
traveled by the mapped traffic.
18.1. Simple Threat Model
PCP servers are secure against off-path attackers who cannot spoof a
packet that the PCP server will view as a packet received from the
internal network. PCP clients are secure against off-path attackers
who can spoof the PCP server's IP address.
Defending against attackers who can modify or drop packets between
the internal network and the PCP server, or who can inject spoofed
packets that appear to come from the internal network is out of
scope. Such an attacker can redirect traffic to a host of their
choosing.
A PCP server is secure under this threat model if the PCP server is
constrained so that it does not configure any explicit mapping that
it would not configure implicitly. In most cases, this means that
PCP servers running on NAT boxes or stateful firewalls that support
the PEER and MAP Opcodes can be secure under this threat model if
(1) all of their hosts are within a single administrative domain (or
if the internal hosts can be securely partitioned into separate
administrative domains, as in the DS-Lite B4 case), (2) explicit
mappings are created with the same lifetime as implicit mappings, and
(3) the THIRD_PARTY option is not supported. PCP servers can also
securely support the MAP Opcode under this threat model if the
security policy on the device running the PCP server would permit
endpoint-independent filtering of implicit mappings.
PCP servers that comply with the Simple Threat Model and do not
implement a PCP security mechanism described in Section 18.2 MUST
enforce the constraints described in the paragraph above.
Wing, et al. Standards Track [Page 78]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
18.1.1. Attacks Considered
o If you allow multiple administrative domains to send PCP requests
to a single PCP server that does not enforce a boundary between
the domains, it is possible for a node in one domain to perform a
denial-of-service attack on other domains or to capture traffic
that is intended for a node in another domain.
o If explicit mappings have longer lifetimes than implicit mappings,
it makes it easier to perpetrate a denial-of-service attack than
it would be if the PCP server was not present.
o If the PCP server supports deleting or reducing the lifetime of
existing mappings, this allows an attacking node to steal an
existing mapping and receive traffic that was intended for another
node.
o If the THIRD_PARTY option is supported, this also allows an
attacker to open a window for an external node to attack an
internal node, allows an attacker to steal traffic that was
intended for another node, or may facilitate a denial-of-service
attack. One example of how the THIRD_PARTY option could grant an
attacker more capability than a spoofed implicit mapping is that
the PCP server (especially if it is running in a service
provider's network) may not be aware of internal filtering that
would prevent spoofing an equivalent implicit mapping, such as
filtering between a guest and corporate network.
o If the MAP Opcode is supported by the PCP server in cases where
the security policy would not support endpoint-independent
filtering of implicit mappings, then the MAP Opcode changes the
security properties of the device running the PCP server by
allowing explicit mappings that violate the security policy.
18.1.2. Deployment Examples Supporting the Simple Threat Model
This section offers two examples of how the Simple Threat Model can
be supported in real-world deployment scenarios.
18.1.2.1. Residential Gateway Deployment
Parity with many currently deployed residential gateways can be
achieved using a PCP server that is constrained as described in
Section 18.1 above.
Wing, et al. Standards Track [Page 79]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
18.2. Advanced Threat Model
In the Advanced Threat Model, the PCP protocol ensures that attackers
(on- or off-path) cannot create unauthorized mappings or make
unauthorized changes to existing mappings. The protocol must also
limit the opportunity for on- or off-path attackers to perpetrate
denial-of-service attacks.
The Advanced Threat Model security model will be needed in the
following cases:
o Security infrastructure equipment, such as corporate firewalls,
that does not create implicit mappings.
o Equipment (such as CGNs or service provider firewalls) that serves
multiple administrative domains and does not have a mechanism to
securely partition traffic from those domains.
o Any implementation that wants to be more permissive in authorizing
explicit mappings than it is in authorizing implicit mappings.
o Implementations that wish to support any deployment scenario that
does not meet the constraints described in Section 18.1.
To protect against attacks under this threat model, a PCP security
mechanism that provides an authenticated, integrity-protected
signaling channel would need to be specified.
PCP servers that implement a PCP security mechanism MAY accept
unauthenticated requests. In their default configuration, PCP
servers implementing the PCP security mechanism MUST still enforce
the constraints described in Section 18.1 when processing
unauthenticated requests.
18.3. Residual Threats
This section describes some threats that are not addressed in either
of the above threat models and recommends appropriate mitigation
strategies.
18.3.1. Denial of Service
Because of the state created in a NAT or firewall, a per-host and/or
per-subscriber quota will likely exist for both implicit dynamic
mappings and explicit dynamic mappings. A host might make an
excessive number of implicit or explicit dynamic mappings, consuming
Wing, et al. Standards Track [Page 80]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
an inordinate number of ports, causing a denial of service to other
hosts. Thus, Section 17.2 recommends that hosts be limited to a
reasonable number of explicit dynamic mappings.
An attacker, on the path between the PCP client and PCP server, can
drop PCP requests, drop PCP responses, or spoof a PCP error, all of
which will effectively deny service. Through such actions, the PCP
client might not be aware the PCP server might have actually
processed the PCP request. An attacker sending a NO_RESOURCES error
can cause the PCP client to not send messages to that server for a
while. There is no mitigation to this on-path attacker.
18.3.2. Ingress Filtering
It is important to prevent a host from fraudulently creating,
deleting, or refreshing a mapping (or filtering) for another host,
because this can expose the other host to unwanted traffic, prevent
it from receiving wanted traffic, or consume the other host's mapping
quota. Both implicit and explicit dynamic mappings are created based
on the source IP address in the packet, and hence depend on ingress
filtering to guard against spoof source IP addresses.
18.3.3. Mapping Theft
In the time between when a PCP server loses state and the PCP client
notices the lower-than-expected Epoch Time value, it is possible that
the PCP client's mapping will be acquired by another host (via an
explicit dynamic mapping or implicit dynamic mapping). This means
incoming traffic will be sent to a different host ("theft"). Rapid
recovery reduces this interval, but does not completely eliminate
this threat. The PCP client can reduce this interval by using a
relatively short lifetime; however, this increases the amount of PCP
chatter. This threat is reduced by using persistent storage of
explicit dynamic mappings in the PCP server (so it does not lose
explicit dynamic mapping state), or by ensuring that the previous
external IP address, protocol, and port cannot be used by another
host (e.g., by using a different IP address pool).
18.3.4. Attacks against Server Discovery
This document does not specify server discovery, beyond contacting
the default gateway.
Wing, et al. Standards Track [Page 81]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
19. IANA Considerations
IANA has performed the following actions.
19.1. Port Number
PCP uses ports 5350 and 5351, previously assigned by IANA to NAT-PMP
[RFC6886]. IANA has reassigned those ports to PCP.
19.2. Opcodes
IANA has created a new protocol registry for PCP Opcodes, numbered
0-127, initially populated with the values:
Value Opcode
----- -------------------------
0 ANNOUNCE
1 MAP
2 PEER
3-31 Standards Action [RFC5226]
32-63 Specification Required [RFC5226]
96-126 Reserved for Private Use [RFC5226]
127 Reserved, Standards Action [RFC5226]
The value 127 is Reserved and may be assigned via Standards Action
[RFC5226]. The values in the range 3-31 can be assigned via
Standards Action [RFC5226], 32-63 via Specification Required
[RFC5226], and the range 96-126 is for Private Use [RFC5226].
19.3. Result Codes
IANA has created a new registry for PCP result codes, numbered 0-255,
initially populated with the result codes from Section 7.4. The
value 255 is Reserved and may be assigned via Standards Action
[RFC5226].
The values in the range 14-127 can be assigned via Standards Action
[RFC5226], 128-191 via Specification Required [RFC5226], and the
range 191-254 is for Private Use [RFC5226].
19.4. Options
IANA has created a new registry for PCP options, numbered 0-255, each
with an associated mnemonic. The values 0-127 are mandatory to
process, and 128-255 are optional to process. The initial registry
contains the options described in Section 13. The option values 0,
127, and 255 are Reserved and may be assigned via Standards Action
[RFC5226].
Wing, et al. Standards Track [Page 82]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
Additional PCP option codes in the ranges 4-63 and 128-191 can be
created via Standards Action [RFC5226], the ranges 64-95 and 192-223
are for Specification Required [RFC5226], and the ranges 96-126 and
224-254 are for Private Use [RFC5226].
Documents describing an option should describe the processing for
both the PCP client and server, and the information below:
Option Name: <mnemonic>
Number: <value>
Purpose: <textual description>
Valid for Opcodes: <list of Opcodes>
Length: <rules for length>
May appear in: <requests/responses/both>
Maximum occurrences: <count>
20. Acknowledgments
Thanks to Xiaohong Deng, Alain Durand, Christian Jacquenet, Jacni
Qin, Simon Perreault, James Yu, Tina TSOU (Ting ZOU), Felipe Miranda
Costa, James Woodyatt, Dave Thaler, Masataka Ohta, Vijay K. Gurbani,
Loa Andersson, Richard Barnes, Russ Housley, Adrian Farrel, Pete
Resnick, Pasi Sarolahti, Robert Sparks, Wesley Eddy, Dan Harkins,
Peter Saint-Andre, Stephen Farrell, Ralph Droms, Felipe Miranda
Costa, Amit Jain, and Wim Henderickx for their comments and review.
Thanks to Simon Perreault for highlighting the interaction of dynamic
connections with PCP-created mappings and for many other review
comments.
Thanks to Francis Dupont for his several thorough reviews of the
specification, which improved the protocol significantly.
Thanks to T. S. Ranganathan for the state diagram.
Thanks to Peter Lothberg for clock skew information, which guided the
choice of tolerance levels for deciding when an Epoch time should be
considered to be anomalous.
Thanks to Margaret Wasserman and Sam Hartman for writing the Security
Considerations section.
Thanks to authors of DHCPv6 for retransmission text.
Wing, et al. Standards Track [Page 83]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
21. References
21.1. Normative References
[RFC0768] Postel, J., "User Datagram Protocol", STD 6,
RFC 768, August 1980.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress
Filtering: Defeating Denial of Service Attacks which
employ IP Source Address Spoofing", BCP 38,
RFC 2827, May 2000.
[RFC4086] Eastlake, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106,
RFC 4086, June 2005.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6
Unicast Addresses", RFC 4193, October 2005.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, February 2006.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for
Writing an IANA Considerations Section in RFCs",
BCP 26, RFC 5226, May 2008.
[RFC6056] Larsen, M. and F. Gont, "Recommendations for
Transport-Protocol Port Randomization", BCP 156,
RFC 6056, January 2011.
[proto_numbers] IANA, "Protocol Numbers", 2011,
<http://www.iana.org/assignments/protocol-numbers>.
21.2. Informative References
[IGDv1] UPnP Gateway Committee, "WANIPConnection:1",
November 2001, <http://upnp.org/specs/gw/
UPnP-gw-WANIPConnection-v1-Service.pdf>.
[L2NAT] Miles, D. and M. Townsley, "Layer2-Aware NAT", Work
in Progress, March 2009.
[PCP-FAIL] Boucadair, M., Dupont, F., and R. Penno, "Port
Control Protocol (PCP) Failure Scenarios", Work
in Progress, August 2012.
Wing, et al. Standards Track [Page 84]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
[PNP-IGD-PCP] Boucadair, M., Penno, R., and D. Wing, "Universal
Plug and Play (UPnP) Internet Gateway Device (IGD)-
Port Control Protocol (PCP) Interworking Function",
Work in Progress, December 2012.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, September 1981.
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot,
G., and E. Lear, "Address Allocation for Private
Internets", BCP 5, RFC 1918, February 1996.
[RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
"Dynamic Updates in the Domain Name System (DNS
UPDATE)", RFC 2136, April 1997.
[RFC3007] Wellington, B., "Secure Domain Name System (DNS)
Dynamic Update", RFC 3007, November 2000.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP
Network Address Translator (Traditional NAT)",
RFC 3022, January 2001.
[RFC3581] Rosenberg, J. and H. Schulzrinne, "An Extension to
the Session Initiation Protocol (SIP) for Symmetric
Response Routing", RFC 3581, August 2003.
[RFC3587] Hinden, R., Deering, S., and E. Nordmark, "IPv6
Global Unicast Address Format", RFC 3587,
August 2003.
[RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
RFC 4303, December 2005.
[RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram
Congestion Control Protocol (DCCP)", RFC 4340,
March 2006.
[RFC4787] Audet, F. and C. Jennings, "Network Address
Translation (NAT) Behavioral Requirements for
Unicast UDP", BCP 127, RFC 4787, January 2007.
[RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy
Extensions for Stateless Address Autoconfiguration
in IPv6", RFC 4941, September 2007.
[RFC4960] Stewart, R., "Stream Control Transmission Protocol",
RFC 4960, September 2007.
Wing, et al. Standards Track [Page 85]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
[RFC4961] Wing, D., "Symmetric RTP / RTP Control Protocol
(RTCP)", BCP 131, RFC 4961, July 2007.
[RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and
P. Srisuresh, "NAT Behavioral Requirements for TCP",
BCP 142, RFC 5382, October 2008.
[RFC6092] Woodyatt, J., "Recommended Simple Security
Capabilities in Customer Premises Equipment (CPE)
for Providing Residential IPv6 Internet Service",
RFC 6092, January 2011.
[RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
Algorithm", RFC 6145, April 2011.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum,
"Stateful NAT64: Network Address and Protocol
Translation from IPv6 Clients to IPv4 Servers",
RFC 6146, April 2011.
[RFC6296] Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network
Prefix Translation", RFC 6296, June 2011.
[RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee,
"Dual-Stack Lite Broadband Deployments Following
IPv4 Exhaustion", RFC 6333, August 2011.
[RFC6619] Arkko, J., Eggert, L., and M. Townsley, "Scalable
Operation of Address Translators with Per-Interface
Bindings", RFC 6619, June 2012.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, February 2013.
[RFC6886] Cheshire, S. and M. Krochmal, "NAT Port Mapping
Protocol (NAT-PMP)", RFC 6886, April 2013.
[RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S.,
Nakagawa, A., and H. Ashida, "Common Requirements
for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888,
April 2013.
[SCTPNAT] Stewart, R., Tuexen, M., and I. Ruengeler, "Stream
Control Transmission Protocol (SCTP) Network Address
Translation", Work in Progress, February 2013.
Wing, et al. Standards Track [Page 86]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
Appendix A. NAT-PMP Transition
The Port Control Protocol (PCP) is a successor to the NAT Port
Mapping Protocol, NAT-PMP [RFC6886], and shares similar semantics,
concepts, and packet formats. Because of this, NAT-PMP and PCP both
use the same port and use NAT-PMP and PCP's version negotiation
capabilities to determine which version to use. This section
describes how an orderly transition from NAT-PMP to PCP may be
achieved.
A client supporting both NAT-PMP and PCP SHOULD send its request
using the PCP packet format. This will be received by a NAT-PMP
server or a PCP server. If received by a NAT-PMP server, the
response will be UNSUPP_VERSION, as indicated by the NAT-PMP
specification [RFC6886], which will cause the client to downgrade to
NAT-PMP and resend its request in NAT-PMP format. If received by a
PCP server, the response will be as described by this document and
processing continues as expected.
A PCP server supporting both NAT-PMP and PCP can handle requests in
either format. The first octet of the packet indicates if it is
NAT-PMP (first octet zero) or PCP (first octet non-zero).
A PCP-only gateway receiving a NAT-PMP request (identified by the
first octet being zero) will interpret the request as a version
mismatch. Normal PCP processing will emit a PCP response that is
compatible with NAT-PMP, without any special handling by the PCP
server.
Wing, et al. Standards Track [Page 87]
^L
RFC 6887 Port Control Protocol (PCP) April 2013
Authors' Addresses
Dan Wing (editor)
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134
USA
EMail: dwing@cisco.com
Stuart Cheshire
Apple Inc.
1 Infinite Loop
Cupertino, California 95014
USA
Phone: +1 408 974 3207
EMail: cheshire@apple.com
Mohamed Boucadair
France Telecom
Rennes 35000
France
EMail: mohamed.boucadair@orange.com
Reinaldo Penno
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134
USA
EMail: repenno@cisco.com
Paul Selkirk
Internet Systems Consortium
950 Charter Street
Redwood City, California 94063
USA
EMail: pselkirk@isc.org
Wing, et al. Standards Track [Page 88]
^L
|