PCP working group | S. Cheshire |
Internet-Draft | Apple |
Intended status: Standards Track | Mar 10, 2013 |
Recursive PCP
draft-cheshire-recursive-pcp-02
The Port Control Protocol (PCP) allows clients to request explicit dynamic inbound and outbound port mappings in their closest on-path NAT, firewall, or other middlebox. However, in today's world, there may be more than one NAT on the path between a client and the public Internet. This document describes how the closest on-path middlebox generates a corresponding upstream PCP request to the next closest on-path middlebox, to request an appropriate explicit dynamic port mapping in that middlebox too. Applied recursively, this generates the necessary chain of port mappings in any number of middleboxes on the path between the client and the public Internet.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
When NAT Port Mapping Protocol [NAT-PMP] was first created in 2004, a common network configuration was that a residential customer received a single public routable IPv4 address from their ISP, and had a single NAT gateway serving multiple computers in their home. Consequently, creating appropriate mappings in that single NAT gateway was sufficient to provide full Internet connectivity.
In today's world, with public routable IPv4 addresses becoming less readily available, it is increasingly common for customers to receive a private address from their ISP, and the ISP uses a NAT gateway of its own to translate those packets before sending them out onto the public Internet. This means that there is likely to be more than on NAT on the path between client machines and the public Internet:
While it is possible, in theory, that client devices could somehow discover all the NATs on the path, and communicate with each one separately using Port Control Protocol [PCP] (NAT-PMP's IETF Standards Track successor), in practice it's not clear how client devices would reliably learn this information. Since the NAT gateways are installed and operated by different individuals and organizations, no single entity has knowledge of all the NATs on the path. Also, even if a client device could somehow know all the NATs on the path, requiring a client device to communicate separately with all of them imposes unreasonable complexity on PCP clients, many of which are expected to be simple low-cost devices.
In addition, this goes against the spirit of NAT gateways. The main purpose of a NAT gateway is to make multiple downstream client devices making outgoing TCP connections to appear, from the point of view of everything upstream of the NAT gateway, to be a single client device making outgoing TCP connections. In the same spirit, it makes sense for a PCP-capable NAT gateway to make multiple downstream client devices requesting port mappings to appear, from the point of view of everything upstream of the NAT gateway, to be a single client device requesting port mappings.
This document specifies how a PCP-capable NAT gateway uses Recursive PCP to create the appearance of being a single device, from the point of view of the upstream network.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].
Where this document uses the terms "upstream" and "downstream", the term "upstream" refers to the direction outbound packets travel towards the public Internet, and the term "downstream" refers to the direction inbound packets travel from the public Internet towards client systems. Typically when a home user views a web site, their computer sends an outbound TCP SYN packet upstream towards the public Internet, and an inbound downstream TCP SYN ACK reply comes back from the public Internet.
The protocol specified is described as "recursive" because of the following properties:
This recursive operation is an important simplifying property of the design.
When a PCP client talks to a PCP server, that PCP server behaves *exactly* as if it were the one and only NAT gateway on the path to the public Internet. If the PCP server is not in fact the final outermost NAT gateway, it is the PCP server's responsibility to hide that fact. The client should never have to be aware of the difference between talking to a single NAT gateway, and talking to a NAT gateway which is itself behind one or more other NAT gateways. This simplifying property applies both when the PCP client is a simple end-host client, and when the PCP client is itself the client face of a Recursive PCP server.
Similarly, when a PCP server receives a request from a PCP client, that PCP client behaves exactly as if it were a simple end-host PCP client requesting mappings for itself. If the client is not in fact a simple end-host PCP client, it is the PCP client's responsibility to hide that fact. The server should never have to be aware of the difference between talking to an end-host PCP client, and talking to the client face of a Recursive PCP server that is requesting mappings on behalf of its own downstream clients. If the PCP client is a firewall device, and it chooses to use the PCP THIRD_PARTY Option to make mappings on behalf of its downstream clients, then it should still behave like any other PCP client using the THIRD_PARTY Option.
Upon receipt of a PCP mapping-creation request from a downstream PCP client, a Recursive PCP server first examines its local mapping table to see if it already has a valid active mapping matching the Internal Address and Internal Port (and in the case of PEER requests, remote peer) given in the request.
If the Recursive PCP server does not already have a valid active mapping for this mapping-creation request, then it allocates an available port on its external interface. We assume for the sake of this description that the address of its external interface is itself a private address, subject to translation by an upstream NAT. The Recursive PCP server then constructs an appropriate corresponding PCP request of its own (described below), and sends it to its upstream NAT, and the newly-created local mapping is considered temporary until a confirming reply is received from the upstream PCP server.
If the Recursive PCP server does already have a valid active mapping for this mapping-creation request, and the lifetime remaining on the local mapping is at least 3/4 of the lifetime requested by the PCP client, then the Recursive PCP server SHOULD send an immediate reply giving the outermost External Address and Port (previously learned using Recursive PCP, as described below), and the actual lifetime remaining for this mapping. If the lifetime remaining on the local mapping is less than 3/4 of the lifetime requested by the PCP client, then the Recursive PCP server MUST generate an upstream request as described below.
For mapping-deletion requests (Lifetime = 0), the local mapping, if any, is deleted, and then (regardless of whether a local mapping existed) a corresponding upstream request is generated.
How the Recursive PCP server knows the destination IP address for its upstream PCP request is outside the scope of this document, but this may be achieved in a zero-configuration manner using PCP Anycast [Anycast]. In the upstream PCP request:
Upon receipt of a PCP reply giving the outermost (i.e. publicly routable) External Address, Port and Lifetime, the Recursive PCP server records this information in its own mapping table and relays the information to the requesting downstream PCP client in a PCP reply. The Recursive PCP server therefore records, among other things, the following information in its mapping table:
In the downstream PCP reply:
A Recursive PCP server SHOULD implement Optimized Hairpin Routing. What this means is the following:
Any recursive algorithm needs a mechanism to terminate the recursion at the appropriate point. This termination of recursion can be achieved in a variety of ways:
When a Recursive PCP server is a NAT gateway, it sends out upstream PCP requests using its own external IP address. When a Recursive PCP server is a firewall, it still needs to install upstream mappings on behalf of its downstream clients. It should do this either by using the downstream client's IP address as the source IP address in its upstream PCP request, or by using the PCP THIRD_PARTY Option in its upstream PCP request.
No IANA actions are required by this document.
No new security concerns are raised by use of Recursive PCP. Since the purpose of a NAT gateway is to enable multiple client devices to appear as a single client device to the upstream network, a NAT gateway implementing Recursive PCP maintains this property, appearing to the upstream network to be a single client device using PCP to request port mappings for itself. Whether those port mappings are for multiple processes running on multiple CPUs connected via an internal bus in a single computer, or multiple processes running on multiple CPUs connected via an IP network, is transparent to the external network.
[RFC1918] | Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G. and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC6598] | Weil, J., Kuarsingh, V., Donley, C., Liljenstolpe, C. and M. Azinger, "IANA-Reserved IPv4 Prefix for Shared Address Space", BCP 153, RFC 6598, April 2012. |
[PCP] | Wing, D., Cheshire, S., Boucadair, M., Penno, R. and P. Selkirk, "Port Control Protocol (PCP)", Internet-Draft draft-ietf-pcp-base-29, November 2012. |
[Anycast] | Cheshire, S., "PCP Anycast Address", Internet-Draft draft-cheshire-pcp-anycast-00, February 2013. |
[NAT-PMP] | Cheshire, S., "NAT Port Mapping Protocol (NAT-PMP)", Internet-Draft draft-cheshire-nat-pmp-07, January 2013. |