draft-ietf-tsvwg-natsupp-14.txt   draft-ietf-tsvwg-natsupp-15.txt 
Network Working Group R. Stewart Network Working Group R. Stewart
Internet-Draft Netflix, Inc. Internet-Draft Netflix, Inc.
Intended status: Standards Track M. Tuexen Intended status: Standards Track M. Tuexen
Expires: May 7, 2020 I. Ruengeler Expires: May 20, 2020 I. Ruengeler
Muenster Univ. of Appl. Sciences Muenster Univ. of Appl. Sciences
November 4, 2019 November 17, 2019
Stream Control Transmission Protocol (SCTP) Network Address Translation Stream Control Transmission Protocol (SCTP) Network Address Translation
Support Support
draft-ietf-tsvwg-natsupp-14 draft-ietf-tsvwg-natsupp-15
Abstract Abstract
The Stream Control Transmission Protocol (SCTP) provides a reliable The Stream Control Transmission Protocol (SCTP) provides a reliable
communications channel between two end-hosts in many ways similar to communications channel between two end-hosts in many ways similar to
the Transmission Control Protocol (TCP). With the widespread the Transmission Control Protocol (TCP). With the widespread
deployment of Network Address Translators (NAT), specialized code has deployment of Network Address Translators (NAT), specialized code has
been added to NAT for TCP that allows multiple hosts to reside behind been added to NAT for TCP that allows multiple hosts to reside behind
a NAT and yet use only a single globally unique IPv4 address, even a NAT and yet use only a single globally unique IPv4 address, even
when two hosts (behind a NAT) choose the same port numbers for their when two hosts (behind a NAT) choose the same port numbers for their
connection. This additional code is sometimes classified as Network connection. This additional code is sometimes classified as Network
Address and Port Translation (NAPT). Address and Port Translation (NAPT).
This document describes the protocol extensions required for the SCTP This document describes the protocol extensions required for the SCTP
endpoints and the mechanisms for NAT devices necessary to provide endpoints and the mechanisms for NAT devices necessary to provide
similar features of NAPT in the single-point and multi-point similar features of NAPT in the single point and multi point
traversal scenario. traversal scenario.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 7, 2020. This Internet-Draft will expire on May 20, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 36 skipping to change at page 2, line 36
4.1. SCTP NAT Traversal Scenarios . . . . . . . . . . . . . . 6 4.1. SCTP NAT Traversal Scenarios . . . . . . . . . . . . . . 6
4.1.1. Single Point Traversal . . . . . . . . . . . . . . . 6 4.1.1. Single Point Traversal . . . . . . . . . . . . . . . 6
4.1.2. Multi Point Traversal . . . . . . . . . . . . . . . . 7 4.1.2. Multi Point Traversal . . . . . . . . . . . . . . . . 7
4.2. Limitations of Classical NAPT for SCTP . . . . . . . . . 8 4.2. Limitations of Classical NAPT for SCTP . . . . . . . . . 8
4.3. The SCTP-Specific Variant of NAT . . . . . . . . . . . . 8 4.3. The SCTP-Specific Variant of NAT . . . . . . . . . . . . 8
5. Data Formats . . . . . . . . . . . . . . . . . . . . . . . . 12 5. Data Formats . . . . . . . . . . . . . . . . . . . . . . . . 12
5.1. Modified Chunks . . . . . . . . . . . . . . . . . . . . . 12 5.1. Modified Chunks . . . . . . . . . . . . . . . . . . . . . 12
5.1.1. Extended ABORT Chunk . . . . . . . . . . . . . . . . 12 5.1.1. Extended ABORT Chunk . . . . . . . . . . . . . . . . 12
5.1.2. Extended ERROR Chunk . . . . . . . . . . . . . . . . 13 5.1.2. Extended ERROR Chunk . . . . . . . . . . . . . . . . 13
5.2. New Error Causes . . . . . . . . . . . . . . . . . . . . 13 5.2. New Error Causes . . . . . . . . . . . . . . . . . . . . 13
5.2.1. VTag and Port Number Collision Error Cause . . . . . 13 5.2.1. VTag and Port Number Collision Error Cause . . . . . 14
5.2.2. Missing State Error Cause . . . . . . . . . . . . . . 14 5.2.2. Missing State Error Cause . . . . . . . . . . . . . . 14
5.2.3. Port Number Collision Error Cause . . . . . . . . . . 15 5.2.3. Port Number Collision Error Cause . . . . . . . . . . 15
5.3. New Parameters . . . . . . . . . . . . . . . . . . . . . 15 5.3. New Parameters . . . . . . . . . . . . . . . . . . . . . 16
5.3.1. Disable Restart Parameter . . . . . . . . . . . . . . 16 5.3.1. Disable Restart Parameter . . . . . . . . . . . . . . 16
5.3.2. VTags Parameter . . . . . . . . . . . . . . . . . . . 16 5.3.2. VTags Parameter . . . . . . . . . . . . . . . . . . . 16
6. Procedures for SCTP Endpoints and NAT Devices . . . . . . . . 17 6. Procedures for SCTP Endpoints and NAT Devices . . . . . . . . 18
6.1. Association Setup Considerations for Endpoints . . . . . 18 6.1. Association Setup Considerations for Endpoints . . . . . 18
6.2. Handling of Internal Port Number and Verification Tag 6.2. Handling of Internal Port Number and Verification Tag
Collisions . . . . . . . . . . . . . . . . . . . . . . . 18 Collisions . . . . . . . . . . . . . . . . . . . . . . . 19
6.2.1. NAT Device Considerations . . . . . . . . . . . . . . 19 6.2.1. NAT Device Considerations . . . . . . . . . . . . . . 19
6.2.2. Endpoint Considerations . . . . . . . . . . . . . . . 19 6.2.2. Endpoint Considerations . . . . . . . . . . . . . . . 19
6.3. Handling of Internal Port Number Collisions . . . . . . . 19 6.3. Handling of Internal Port Number Collisions . . . . . . . 20
6.3.1. NAT Device Considerations . . . . . . . . . . . . . . 20 6.3.1. NAT Device Considerations . . . . . . . . . . . . . . 20
6.3.2. Endpoint Considerations . . . . . . . . . . . . . . . 20 6.3.2. Endpoint Considerations . . . . . . . . . . . . . . . 21
6.4. Handling of Missing State . . . . . . . . . . . . . . . . 21 6.4. Handling of Missing State . . . . . . . . . . . . . . . . 21
6.4.1. NAT Device Considerations . . . . . . . . . . . . . . 21 6.4.1. NAT Device Considerations . . . . . . . . . . . . . . 21
6.4.2. Endpoint Considerations . . . . . . . . . . . . . . . 21 6.4.2. Endpoint Considerations . . . . . . . . . . . . . . . 22
6.5. Handling of Fragmented SCTP Packets by NAT Devices . . . 23 6.5. Handling of Fragmented SCTP Packets by NAT Devices . . . 23
6.6. Multi-Point Traversal Considerations for Endpoints . . . 23 6.6. Multi Point Traversal Considerations for Endpoints . . . 23
7. Various Examples of NAT Traversals . . . . . . . . . . . . . 23 7. Various Examples of NAT Traversals . . . . . . . . . . . . . 23
7.1. Single-homed Client to Single-homed Server . . . . . . . 23 7.1. Single-homed Client to Single-homed Server . . . . . . . 24
7.2. Single-homed Client to Multi-homed Server . . . . . . . . 25 7.2. Single-homed Client to Multi-homed Server . . . . . . . . 26
7.3. Multihomed Client and Server . . . . . . . . . . . . . . 28 7.3. Multihomed Client and Server . . . . . . . . . . . . . . 29
7.4. NAT Loses Its State . . . . . . . . . . . . . . . . . . . 32 7.4. NAT Loses Its State . . . . . . . . . . . . . . . . . . . 33
7.5. Peer-to-Peer Communication . . . . . . . . . . . . . . . 34 7.5. Peer-to-Peer Communication . . . . . . . . . . . . . . . 35
8. Socket API Considerations . . . . . . . . . . . . . . . . . . 39 8. Socket API Considerations . . . . . . . . . . . . . . . . . . 40
8.1. Get or Set the NAT Friendliness 8.1. Get or Set the NAT Friendliness
(SCTP_NAT_FRIENDLY) . . . . . . . . . . . . . . . . . . . 40 (SCTP_NAT_FRIENDLY) . . . . . . . . . . . . . . . . . . . 41
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41
9.1. New Chunk Flags for Two Existing Chunk Types . . . . . . 40 9.1. New Chunk Flags for Two Existing Chunk Types . . . . . . 41
9.2. Three New Error Causes . . . . . . . . . . . . . . . . . 41 9.2. Three New Error Causes . . . . . . . . . . . . . . . . . 42
9.3. Two New Chunk Parameter Types . . . . . . . . . . . . . . 42 9.3. Two New Chunk Parameter Types . . . . . . . . . . . . . . 43
10. Security Considerations . . . . . . . . . . . . . . . . . . . 42 10. Security Considerations . . . . . . . . . . . . . . . . . . . 43
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 42 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 43
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 43 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
12.1. Normative References . . . . . . . . . . . . . . . . . . 43 12.1. Normative References . . . . . . . . . . . . . . . . . . 44
12.2. Informative References . . . . . . . . . . . . . . . . . 43 12.2. Informative References . . . . . . . . . . . . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45
1. Introduction 1. Introduction
Stream Control Transmission Protocol [RFC4960] provides a reliable Stream Control Transmission Protocol [RFC4960] provides a reliable
communications channel between two end-hosts in many ways similar to communications channel between two end-hosts in many ways similar to
TCP [RFC0793]. With the widespread deployment of Network Address TCP [RFC0793]. With the widespread deployment of Network Address
Translators (NAT), specialized code has been added to NAT for TCP Translators (NAT), specialized code has been added to NAT for TCP
that allows multiple hosts to reside behind a NAT using private that allows multiple hosts to reside behind a NAT using private
addresses (see [RFC6890]) and yet use only a single globally unique addresses (see [RFC6890]) and yet use only a single globally unique
IPv4 address, even when two hosts (behind a NAT) choose the same port IPv4 address, even when two hosts (behind a NAT) choose the same port
numbers for their connection. This additional code is sometimes numbers for their connection. This additional code is sometimes
classified as Network Address and Port Translation (NAPT). Please classified as Network Address and Port Translation (NAPT). Please
note that this document focuses on the case where the NAT maps note that this document focuses on the case where the NAT maps a
multiple private addresses to a single public address. To date, single or multiple private addresses to a single public address and
specialized code for SCTP has not yet been added to most NAT devices vice versa. To date, specialized code for SCTP has not yet been
so that only a translation of IP addresses is supported. The end added to most NAT devices so that only a translation of IP addresses
result of this is that only one SCTP-capable host can successfully is supported. The end result of this is that only one SCTP-capable
operate behind such a NAT and this host can only be single-homed. host can successfully operate behind such a NAT and this host can
The only alternative for supporting legacy NAT devices is to use UDP only be single-homed. The only alternative for supporting legacy NAT
encapsulation as specified in [RFC6951]. devices is to use UDP encapsulation as specified in [RFC6951].
This document specifies procedures allowing a NAT to support SCTP by This document specifies procedures allowing a NAT to support SCTP by
providing similar features to those provided by a NAPT for TCP and providing similar features to those provided by a NAPT for TCP and
other supported protocols. The document also specifies a set of data other supported protocols. The document also specifies a set of data
formats for SCTP packets and a set of SCTP endpoint procedures to formats for SCTP packets and a set of SCTP endpoint procedures to
support NAT traversal. An SCTP implementation supporting these support NAT traversal. An SCTP implementation supporting these
procedures can assure that in both single-homed and multi-homed cases procedures can assure that in both single-homed and multi-homed cases
a NAT will maintain the appropriate state without the NAT needing to a NAT will maintain the appropriate state without the NAT needing to
change port numbers. change port numbers.
skipping to change at page 6, line 22 skipping to change at page 6, line 22
+--------+ Internal | \--/\--/ External+--------+ +--------+ Internal | \--/\--/ External+--------+
Internal Port | Port External Internal Port | Port External
VTag | VTag VTag | VTag
Figure 1: Basic network setup Figure 1: Basic network setup
4. Motivation 4. Motivation
4.1. SCTP NAT Traversal Scenarios 4.1. SCTP NAT Traversal Scenarios
This section defines the notion of single and multi-point NAT This section defines the notion of single and multi point NAT
traversal. traversal.
4.1.1. Single Point Traversal 4.1.1. Single Point Traversal
In this case, all packets in the SCTP association go through a single In this case, all packets in the SCTP association go through a single
NAT, as shown below: NAT, as shown below:
Internal Network | External Network Internal Network | External Network
| |
+--------+ | /--\/--\ +--------+ +--------+ | /--\/--\ +--------+
skipping to change at page 7, line 17 skipping to change at page 7, line 17
+--------+ | : | /--\/--\ +--------+ +--------+ | : | /--\/--\ +--------+
| SCTP | +-----+ : +-----+ / \ | SCTP | | SCTP | +-----+ : +-----+ / \ | SCTP |
|endpoint|==| NAT |=======:=======| NAT |==| Internet |==|endpoint| |endpoint|==| NAT |=======:=======| NAT |==| Internet |==|endpoint|
| A | +-----+ : +-----+ \ / | B | | A | +-----+ : +-----+ \ / | B |
+--------+ | : | \--/\--/ +--------+ +--------+ | : | \--/\--/ +--------+
| : | | : |
Serial NAT Devices scenario Serial NAT Devices scenario
Although one of the main benefits of SCTP multi-homing is redundant Although one of the main benefits of SCTP multi-homing is redundant
paths, In this single point traversal scenario the NAT function paths, in the single point traversal scenario the NAT function
represents a single point of failure in the path of the SCTP multi- represents a single point of failure in the path of the SCTP multi-
home association. However, the rest of the path may still benefit homed association. However, the rest of the path may still benefit
from path diversity provided by SCTP multi-homing. from path diversity provided by SCTP multi-homing.
The two SCTP endpoints in this case can be either single-homed or The two SCTP endpoints in this case can be either single-homed or
multi-homed. However, the important thing is that the NAT device (or multi-homed. However, the important thing is that the NAT device (or
NAT devices) in this case sees all the packets of the SCTP NAT devices) in this case sees all the packets of the SCTP
association. association.
4.1.2. Multi Point Traversal 4.1.2. Multi Point Traversal
This case involves multiple NAT devices and each NAT device only sees This case involves multiple NAT devices and each NAT device only sees
skipping to change at page 9, line 11 skipping to change at page 9, line 11
The entries in the NAT binding table need to fulfill some uniqueness The entries in the NAT binding table need to fulfill some uniqueness
conditions. There must not be more than one entry NAT binding table conditions. There must not be more than one entry NAT binding table
with the same pair of Internal-Port and External-Port. This rule can with the same pair of Internal-Port and External-Port. This rule can
be relaxed, if all NAT binding table entries with the same Internal- be relaxed, if all NAT binding table entries with the same Internal-
Port and External-Port have the support for the restart procedure Port and External-Port have the support for the restart procedure
enabled. In this case there must be no more than one entry with the enabled. In this case there must be no more than one entry with the
same Internal-Port, External-Port and Ext-VTag and no more than one same Internal-Port, External-Port and Ext-VTag and no more than one
NAT binding table entry with the same Internal-Port, External-Port NAT binding table entry with the same Internal-Port, External-Port
and Int-VTag. and Int-VTag.
The processing of outgoing SCTP packets containing an INIT-chunk is The processing of outgoing SCTP packets containing an INIT chunk is
described in the following figure. The scenario shown is valid for described in the following figure. The scenario shown is valid for
all message flows in this section. all message flows in this section.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
INIT[Initiate-Tag] INIT[Initiate-Tag]
skipping to change at page 9, line 38 skipping to change at page 9, line 38
Translate To: Translate To:
INIT[Initiate-Tag] INIT[Initiate-Tag]
Pub-Addr:Int-Port ------> Ext-Addr:Ext-Port Pub-Addr:Int-Port ------> Ext-Addr:Ext-Port
Ext-VTag=0 Ext-VTag=0
Normally a NAT binding table entry will be created. Normally a NAT binding table entry will be created.
However, it is possible that there is already a NAT binding table However, it is possible that there is already a NAT binding table
entry with the same External-Address, External-Port, Internal-Port, entry with the same External-Port, Internal-Port, and Internal-VTag
and Internal-VTag but different Private-Address. In this case the but different Private-Address. In this case the INIT MUST be dropped
INIT MUST be dropped by the NAT and an ABORT MUST be sent back to the by the NAT and an ABORT MUST be sent back to the SCTP host with the
SCTP host with the M-Bit set and an appropriate error cause (see M-Bit set and an appropriate error cause (see Section 5.1.1 for the
Section 5.1.1 for the format). The source address of the packet format). The source address of the packet containing the ABORT chunk
containing the ABORT chunk MUST be the destination address of the MUST be the destination address of the packet containing the INIT
packet containing the INIT chunk. chunk.
It is also possible that a connection to External-Address and It is also possible that a connection to External-Address and
External-Port exists without an Internal-VTag conflict but the External-Port exists without an Internal-VTag conflict but there
External-Address does not support the DISABLE_RESTART feature (noted exists a NAT binding table entry with the same port numbers but a
in the NAT binding table entry when the prior connection was different Private-Address. In such a case the INIT MUST be dropped
established). In such a case the INIT SHOULD be dropped by the NAT by the NAT and an ABORT SHOULD be sent back to the SCTP host with the
and an ABORT SHOULD be sent back to the SCTP host with the M-Bit set M-Bit set and an appropriate error cause (see Section 5.1.1 for the
and an appropriate error cause (see Section 5.1.1 for the format). format).
The processing of outgoing SCTP packets containing no INIT-chunk is The processing of outgoing SCTP packets containing no INIT chunks is
described in the following figure. described in the following figure.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
Priv-Addr:Int-Port ------> Ext-Addr:Ext-Port Priv-Addr:Int-Port ------> Ext-Addr:Ext-Port
Ext-VTag Ext-VTag
Translate To: Translate To:
Pub-Addr:Int-Port ------> Ext-Addr:Ext-Port Pub-Addr:Int-Port ------> Ext-Addr:Ext-Port
Ext-VTag Ext-VTag
The processing of incoming SCTP packets containing INIT-ACK chunks is The processing of incoming SCTP packets containing an INIT ACK chunk
described in the following figure. The Lookup() function getting as is described in the following figure. The Lookup() function getting
input the Internal-VTag, Internal-Port, External-VTag, and External- as input the Internal-VTag, Internal-Port, External-VTag, and
Port, returns the corresponding entry of the NAT binding table and External-Port, returns the corresponding entry of the NAT binding
updates the External-VTag by substituting it with the value of the table and updates the External-VTag by substituting it with the value
Initiate-Tag of the INIT-ACK chunk. The wildcard character signifies of the Initiate-Tag of the INIT ACK chunk. The wildcard character
that the parameter's value is not considered in the Lookup() function signifies that the parameter's value is not considered in the
or changed in the Update() function, respectively. Lookup() function or changed in the Update() function, respectively.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
INIT-ACK[Initiate-Tag] INIT ACK[Initiate-Tag]
Pub-Addr:Int-Port <---- Ext-Addr:Ext-Port Pub-Addr:Int-Port <---- Ext-Addr:Ext-Port
Int-VTag Int-VTag
Lookup(Int-VTag, Int-Port, *, Ext-Port) Lookup(Int-VTag, Int-Port, *, Ext-Port)
Update(*, *, Initiate-Tag, *) Update(*, *, Initiate-Tag, *)
Returns(NAT-State control block containing Priv-Addr) Returns(NAT-State control block containing Priv-Addr)
INIT-ACK[Initiate-Tag] INIT ACK[Initiate-Tag]
Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port
Int-VTag Int-VTag
In the case Lookup fails, the SCTP packet is dropped. The Update In the case Lookup fails, the SCTP packet is dropped. If it
routine inserts the External-VTag (the Initiate-Tag of the INIT-ACK succeeds, the Update routine inserts the External-VTag (the Initiate-
chunk) in the NAT state control block. Tag of the INIT ACK chunk) in the NAT state control block.
The processing of incoming SCTP packets containing an ABORT or The processing of incoming SCTP packets containing an ABORT or
SHUTDOWN-COMPLETE chunk with the T-Bit set is described in the SHUTDOWN COMPLETE chunk with the T-Bit set is described in the
following figure. following figure.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
Pub-Addr:Int-Port <------ Ext-Addr:Ext-Port Pub-Addr:Int-Port <------ Ext-Addr:Ext-Port
Ext-VTag Ext-VTag
Lookup(*, Int-Port, Ext-VTag, Ext-Port) Lookup(*, Int-Port, Ext-VTag, Ext-Port)
Returns(NAT-State control block containing Priv-Addr) Returns(NAT-State control block containing Priv-Addr)
Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port
Ext-VTag Ext-VTag
For an incoming packet containing an INIT chunk a table lookup is
made only based on the addresses and port numbers. If an entry with
an External-VTag of zero is found, it is considered a match and the
External-VTag is updated. This allows the handling of INIT collision
through NAT.
The processing of other incoming SCTP packets is described in the The processing of other incoming SCTP packets is described in the
following figure. following figure.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
Pub-Addr:Int-Port <------ Ext-Addr:Ext-Port Pub-Addr:Int-Port <------ Ext-Addr:Ext-Port
Int-VTag Int-VTag
Lookup(Int-VTag, Int-Port, *, Ext-Port) Lookup(Int-VTag, Int-Port, *, Ext-Port)
Returns(NAT-State control block containing Local-Address) Returns(NAT-State control block containing Private-Address)
Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port
Int-VTag Int-VTag
For an incoming packet containing an INIT-chunk a table lookup is
made only based on the addresses and port numbers. If an entry with
an External-VTag of zero is found, it is considered a match and the
External-VTag is updated. This allows the handling of INIT-collision
through NAT.
5. Data Formats 5. Data Formats
This section defines the formats used to support NAT traversal. This section defines the formats used to support NAT traversal.
Section 5.1 and Section 5.2 describe chunks and error causes sent by Section 5.1 and Section 5.2 describe chunks and error causes sent by
NAT devices and received by SCTP endpoints. Section 5.3 describes NAT devices and received by SCTP endpoints. Section 5.3 describes
parameters sent by SCTP endpoints and used by NAT devices and SCTP parameters sent by SCTP endpoints and used by NAT devices and SCTP
endpoints. endpoints.
5.1. Modified Chunks 5.1. Modified Chunks
skipping to change at page 14, line 15 skipping to change at page 14, line 27
This field holds the IANA defined cause code for the 'VTag and This field holds the IANA defined cause code for the 'VTag and
Port Number Collision' Error Cause. IANA is requested to assign Port Number Collision' Error Cause. IANA is requested to assign
the value 0x00B0 for this cause code. the value 0x00B0 for this cause code.
Cause Length: 2 bytes (unsigned integer) Cause Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the error cause. The This field holds the length in bytes of the error cause. The
value MUST be the length of the Cause-Specific Information plus 4. value MUST be the length of the Cause-Specific Information plus 4.
Chunk: variable length Chunk: variable length
The Cause-Specific Information is filled with the chunk that The Cause-Specific Information is filled with the chunk that
caused this error. This can be an INIT, INIT-ACK, or ASCONF caused this error. This can be an INIT, INIT ACK, or ASCONF
chunk. Note that if the entire chunk will not fit in the ERROR chunk. Note that if the entire chunk will not fit in the ERROR
chunk or ABORT chunk being sent then the bytes that do not fit are chunk or ABORT chunk being sent then the bytes that do not fit are
truncated. truncated.
[NOTE to RFC-Editor: [NOTE to RFC-Editor:
Assignment of cause code to be confirmed by IANA. Assignment of cause code to be confirmed by IANA.
] ]
skipping to change at page 15, line 33 skipping to change at page 15, line 44
This field holds the IANA defined cause code for the 'Port Number This field holds the IANA defined cause code for the 'Port Number
Collision' Error Cause. IANA is requested to assign the value Collision' Error Cause. IANA is requested to assign the value
0x00B2 for this cause code. 0x00B2 for this cause code.
Cause Length: 2 bytes (unsigned integer) Cause Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the error cause. The This field holds the length in bytes of the error cause. The
value MUST be the length of the Cause-Specific Information plus 4. value MUST be the length of the Cause-Specific Information plus 4.
Chunk: variable length Chunk: variable length
The Cause-Specific Information is filled with the chunk that The Cause-Specific Information is filled with the chunk that
caused this error. This can be an INIT, INIT-ACK, or ASCONF caused this error. This can be an INIT, INIT ACK, or ASCONF
chunk. Note that if the entire chunk will not fit in the ERROR chunk. Note that if the entire chunk will not fit in the ERROR
chunk or ABORT chunk being sent then the bytes that do not fit are chunk or ABORT chunk being sent then the bytes that do not fit are
truncated. truncated.
[NOTE to RFC-Editor: [NOTE to RFC-Editor:
Assignment of cause code to be confirmed by IANA. Assignment of cause code to be confirmed by IANA.
] ]
5.3. New Parameters 5.3. New Parameters
This section defines new parameters and their valid appearance This section defines new parameters and their valid appearance
defined by this document. defined by this document.
5.3.1. Disable Restart Parameter 5.3.1. Disable Restart Parameter
This parameter is used to indicate that the RESTART procedure is This parameter is used to indicate that the restart procedure is
requested to be disabled. Both endpoints of an association MUST requested to be disabled. Both endpoints of an association MUST
include this parameter in the INIT chunk and INIT-ACK chunk when include this parameter in the INIT chunk and INIT ACK chunk when
establishing an association and MUST include it in the ASCONF chunk establishing an association and MUST include it in the ASCONF chunk
when adding an address to successfully disable the restart procedure. when adding an address to successfully disable the restart procedure.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0xC007 | Length = 4 | | Type = 0xC007 | Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Parameter Type: 2 bytes (unsigned integer) Parameter Type: 2 bytes (unsigned integer)
skipping to change at page 16, line 34 skipping to change at page 16, line 41
Parameter Length: 2 bytes (unsigned integer) Parameter Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the parameter. The value This field holds the length in bytes of the parameter. The value
MUST be 4. MUST be 4.
[NOTE to RFC-Editor: [NOTE to RFC-Editor:
Assignment of parameter type to be confirmed by IANA. Assignment of parameter type to be confirmed by IANA.
] ]
This parameter MAY appear in INIT, INIT-ACK and ASCONF chunks and This parameter MAY appear in INIT, INIT ACK and ASCONF chunks and
MUST NOT appear in any other chunk. MUST NOT appear in any other chunk.
5.3.2. VTags Parameter 5.3.2. VTags Parameter
This parameter is used to help a NAT recover from state loss. This parameter is used to help a NAT recover from state loss.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0xC008 | Parameter Length = 16 | | Parameter Type = 0xC008 | Parameter Length = 16 |
skipping to change at page 17, line 17 skipping to change at page 17, line 30
parameter type. parameter type.
Parameter Length: 2 bytes (unsigned integer) Parameter Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the parameter. The value This field holds the length in bytes of the parameter. The value
MUST be 16. MUST be 16.
ASCONF-Request Correlation ID: 4 bytes (unsigned integer) ASCONF-Request Correlation ID: 4 bytes (unsigned integer)
This is an opaque integer assigned by the sender to identify each This is an opaque integer assigned by the sender to identify each
request parameter. The receiver of the ASCONF Chunk will copy request parameter. The receiver of the ASCONF Chunk will copy
this 32-bit value into the ASCONF Response Correlation ID field of this 32-bit value into the ASCONF Response Correlation ID field of
the ASCONF-ACK response parameter. The sender of the ASCONF can the ASCONF ACK response parameter. The sender of the ASCONF can
use this same value in the ASCONF-ACK to find which request the use this same value in the ASCONF ACK to find which request the
response is for. Note that the receiver MUST NOT change this response is for. Note that the receiver MUST NOT change this
32-bit value. 32-bit value.
Internal Verification Tag: 4 bytes (unsigned integer) Internal Verification Tag: 4 bytes (unsigned integer)
The Verification Tag that the internal host has chosen for its The Verification Tag that the internal host has chosen for its
communication. The Verification Tag is a unique 32-bit tag that communication. The Verification Tag is a unique 32-bit tag that
must accompany any incoming SCTP packet for this association to must accompany any incoming SCTP packet for this association to
the Private-Address. the Private-Address.
External Verification Tag: 4 bytes (unsigned integer) The External Verification Tag: 4 bytes (unsigned integer) The
skipping to change at page 18, line 33 skipping to change at page 18, line 43
Section 6.6. Section 6.6.
Each of these mechanisms requires additional chunks and parameters, Each of these mechanisms requires additional chunks and parameters,
defined in this document, and possibly modified handling procedures defined in this document, and possibly modified handling procedures
from those specified in [RFC4960]. from those specified in [RFC4960].
6.1. Association Setup Considerations for Endpoints 6.1. Association Setup Considerations for Endpoints
The association setup procedure defined in [RFC4960] allows multi- The association setup procedure defined in [RFC4960] allows multi-
homed SCTP endpoints to exchange its IP-addresses by using IPv4 or homed SCTP endpoints to exchange its IP-addresses by using IPv4 or
IPv6 address parameters in the INIT and INIT-ACK chunks. However, IPv6 address parameters in the INIT and INIT ACK chunks. However,
this doesn't work when NAT devices are present. this doesn't work when NAT devices are present.
Every association MUST initially be set up single-homed. There MUST Every association setup from a host behind a NAT MUST NOT use
NOT be any IPv4 Address parameter, IPv6 Address parameter, or multiple private addresses. There MUST NOT be any IPv4 Address
Supported Address Types parameter in the INIT-chunk. The INIT-ACK parameter, IPv6 Address parameter, or Supported Address Types
chunk MUST NOT contain any IPv4 Address parameter or IPv6 Address parameter in the INIT chunk. The INIT ACK chunk MUST NOT contain any
parameter. IPv4 Address parameter or IPv6 Address parameter using non-global
addresses. The INIT chunk and the INIT ACK chunk MUST NOT contain
any Host Name parameters.
If the association should finally be multi-homed, the procedure in If the association should finally be multi-homed, the procedure in
Section 6.6 MUST be used. Section 6.6 MUST be used.
The INIT and INIT-ACK chunk SHOULD contain the Disable Restart The INIT and INIT ACK chunk SHOULD contain the Disable Restart
parameter defined in Section 5.3.1. parameter defined in Section 5.3.1.
6.2. Handling of Internal Port Number and Verification Tag Collisions 6.2. Handling of Internal Port Number and Verification Tag Collisions
Consider the case where two hosts in the Private-Address space want Consider the case where two hosts in the Private-Address space want
to set up an SCTP association with the same service provided by some to set up an SCTP association with the same service provided by some
hosts in the Internet. This means that the External-Port is the hosts in the Internet. This means that the External-Port is the
same. If they both choose the same Internal-Port and Internal-VTag, same. If they both choose the same Internal-Port and Internal-VTag,
the NAT device cannot distinguish between incoming packets anymore. the NAT device cannot distinguish between incoming packets anymore.
But this is very unlikely. The Internal-VTags are chosen at random But this is very unlikely. The Internal-VTags are chosen at random
and if the Internal-Ports are also chosen from the ephemeral port and if the Internal-Ports are also chosen from the ephemeral port
range at random this gives a 46-bit random number that has to match. range at random this gives a 46-bit random number that has to match.
A NAPT device can control the 16-bit Natted Port and therefore avoid A NAPT device can control the 16-bit Natted Port and therefore avoid
collisions deterministically. collisions deterministically.
The same can happen with the External-VTag when an INIT-ACK chunk or The same can happen with the External-VTag when an INIT ACK chunk or
an ASCONF chunk is processed by the NAT. an ASCONF chunk is processed by the NAT.
6.2.1. NAT Device Considerations 6.2.1. NAT Device Considerations
If the NAT device detects a collision of internal port numbers and If the NAT device detects a collision of internal port numbers and
verification tags, it MUST send an ABORT chunk with the M-bit set if verification tags, it MUST send an ABORT chunk with the M-bit set if
the collision is triggered by an INIT or INIT-ACK chunk. If such a the collision is triggered by an INIT or INIT ACK chunk. If such a
collision is triggered by an ASCONF chunk, it MUST send an ERROR collision is triggered by an ASCONF chunk, it MUST send an ERROR
chunk with the M-bit. The M-bit is a new bit defined by this chunk with the M-bit. The M-bit is a new bit defined by this
document to express to SCTP that the source of this packet is a document to express to SCTP that the source of this packet is a
"middle" box, not the peer SCTP endpoint (see Section 5.1.1). If a "middle" box, not the peer SCTP endpoint (see Section 5.1.1). If a
packet containing an INIT-ACK chunk triggers the collision, the packet containing an INIT ACK chunk triggers the collision, the
corresponding packet containing the ABORT chunk MUST contain the same corresponding packet containing the ABORT chunk MUST contain the same
source and destination address and port numbers as the packet source and destination address and port numbers as the packet
containing the INIT-ACK chunk. In the other two cases, the source containing the INIT ACK chunk. In the other two cases, the source
and destination address and port numbers MUST be swapped. and destination address and port numbers MUST be swapped.
The sender of the ERROR or ABORT chunk MUST include the error cause The sender of the ERROR or ABORT chunk MUST include the error cause
with cause code 'VTag and Port Number Collision' (see Section 5.2.1). with cause code 'VTag and Port Number Collision' (see Section 5.2.1).
6.2.2. Endpoint Considerations 6.2.2. Endpoint Considerations
The sender of the packet containing the INIT chunk or the receiver of The sender of the packet containing the INIT chunk or the receiver of
the INIT-ACK chunk, upon reception of an ABORT chunk with M-bit set the INIT ACK chunk, upon reception of an ABORT chunk with M-bit set
and the appropriate error cause code for colliding NAT binding table and the appropriate error cause code for colliding NAT binding table
state is included, MUST reinitiate the association setup procedure state is included, SHOULD reinitiate the association setup procedure
after choosing a new initiate tag, if the association is in COOKIE- after choosing a new initiate tag, if the association is in COOKIE-
WAIT state. In any other state, the SCTP endpoint MUST NOT respond. WAIT state. In any other state, the SCTP endpoint MUST NOT respond.
The sender of the ASCONF chunk, upon reception of an ERROR chunk with The sender of the ASCONF chunk, upon reception of an ERROR chunk with
M-bit set, MUST stop adding the path to the association. M-bit set, MUST stop adding the path to the association.
6.3. Handling of Internal Port Number Collisions 6.3. Handling of Internal Port Number Collisions
When two SCTP hosts are behind an SCTP-aware NAT it is possible that When two SCTP hosts are behind an SCTP-aware NAT it is possible that
two SCTP hosts in the Private-Address space will want to set up an two SCTP hosts in the Private-Address space will want to set up an
SCTP association with the same server running on the same host in the SCTP association with the same server running on the same host in the
Internet. For the NAT, appropriate tracking may be performed by Internet. If the two hosts choose the same internal port, this is
assuring that the VTags are unique between the two hosts. considered an internal port number collision.
For the NAT, appropriate tracking may be performed by assuring that
the VTags are unique between the two hosts.
6.3.1. NAT Device Considerations 6.3.1. NAT Device Considerations
The NAT, when processing the INIT-ACK, should note in its NAT binding The NAT, when processing the INIT ACK, should note in its NAT binding
table that the association supports the Disable Restart extension. table that the association supports the disable restart extension.
This note is used when establishing future associations (i.e. when This note is used when establishing future associations (i.e. when
processing an INIT from an internal host) to decide if the connection processing an INIT from an internal host) to decide if the connection
should be allowed. The NAT device does the following when processing should be allowed. The NAT device does the following when processing
an INIT: an INIT:
o If the INIT is destined to an external address and port for which o If the INIT is originating from an internal port to an external
the NAT device has no outbound connection, it MUST allow the INIT port for which the NAT device has no matching NAT binding table
creating an NAT binding table entry. entry, it MUST allow the INIT creating an NAT binding table entry.
o If the INIT matches the external address and port of an already o If the INIT matches an existing NAT binding table entry, it MUST
existing connection, it MUST validate that the external server validate that the disable restart feature is supported and, if it
supports the Disable Restart feature and, if it does, allow the does, allow the INIT to be forwarded.
INIT to be forwarded.
o If the external server does not support the Disable Restart o If the disable restart feature is not supported, the NAT device
extension the NAT device MUST send an ABORT with the M-bit set. MUST send an ABORT with the M-bit set.
The 'Port Number Collision' error cause (see Section 5.2.3) MUST be The 'Port Number Collision' error cause (see Section 5.2.3) MUST be
included in the ABORT chunk sent in response to the INIT chunk. included in the ABORT chunk sent in response to the INIT chunk.
If the collision is triggered by an ASCONF chunk, a packet containing If the collision is triggered by an ASCONF chunk, a packet containing
an ERROR chunk with the 'Port Number Collision' error cause MUST be an ERROR chunk with the 'Port Number Collision' error cause MUST be
sent in response to the ASCONF chunk. sent in response to the ASCONF chunk.
6.3.2. Endpoint Considerations 6.3.2. Endpoint Considerations
For the external SCTP server on the Internet this means that the For the external SCTP server on the Internet this means that the
External-Port and the External-Address are the same. If they both External-Port and the External-Address are the same. If they both
have chosen the same Internal-Port the server cannot distinguish have chosen the same Internal-Port the server cannot distinguish
between both associations based on the address and port numbers. For between both associations based on the address and port numbers. For
the server it looks like the association is being restarted. To the server it looks like the association is being restarted. To
overcome this limitation the client sends a Disable Restart parameter overcome this limitation the client sends a Disable Restart parameter
in the INIT-chunk. in the INIT chunk.
When the server receives this parameter it does the following: When the server receives this parameter it does the following:
o It MUST include a Disable Restart parameter in the INIT-ACK to o It MUST include a Disable Restart parameter in the INIT ACK to
inform the client that it will support the feature. inform the client that it will support the feature.
o It MUST Disable the restart procedures defined in [RFC4960] for o It MUST disable the restart procedures defined in [RFC4960] for
this association. this association.
Servers that support this feature will need to be capable of Servers that support this feature will need to be capable of
maintaining multiple connections to what appears to be the same peer maintaining multiple connections to what appears to be the same peer
(behind the NAT) differentiated only by the VTags. (behind the NAT) differentiated only by the VTags.
6.4. Handling of Missing State 6.4. Handling of Missing State
6.4.1. NAT Device Considerations 6.4.1. NAT Device Considerations
If the NAT device receives a packet from the internal network for If the NAT device receives a packet from the internal network for
which the lookup procedure does not find an entry in the NAT binding which the lookup procedure does not find an entry in the NAT binding
table, a packet containing an ERROR chunk is sent back with the M-bit table, a packet containing an ERROR chunk is sent back with the M-bit
set. The source address of the packet containing the ERROR chunk set. The source address of the packet containing the ERROR chunk
MUST be the destination address of the incoming SCTP packet. The MUST be the destination address of the incoming SCTP packet. The
verification tag is reflected and the T-bit is set. Such a packet verification tag is reflected and the T-bit is set. Such a packet
containing an ERROR chunk SHOULD NOT be sent if the received packet containing an ERROR chunk SHOULD NOT be sent if the received packet
contains an ABORT, SHUTDOWN-COMPLETE or INIT-ACK chunk. An ERROR contains an ABORT, SHUTDOWN COMPLETE or INIT ACK chunk. An ERROR
chunk MUST NOT be sent if the received packet contains an ERROR chunk chunk MUST NOT be sent if the received packet contains an ERROR chunk
with the M-bit set. with the M-bit set. In any case, the packet SHOULD NOT be forwarded
to the external address.
When sending the ERROR chunk, the error cause 'Missing State' (see When sending the ERROR chunk, the error cause 'Missing State' (see
Section 5.2.2) MUST be included and the M-bit of the ERROR chunk MUST Section 5.2.2) MUST be included and the M-bit of the ERROR chunk MUST
be set (see Section 5.1.2). be set (see Section 5.1.2).
If the NAT device receives a packet for which it has no NAT binding If the NAT device receives a packet for which it has no NAT binding
table entry and the packet contains an ASCONF chunk with the VTags table entry and the packet contains an ASCONF chunk with the VTags
parameter, the NAT device MUST update its NAT binding table according parameter, the NAT device MUST update its NAT binding table according
to the verification tags in the VTags parameter and the optional to the verification tags in the VTags parameter and the optional
Disable Restart parameter. Disable Restart parameter.
skipping to change at page 21, line 49 skipping to change at page 22, line 20
o It SHOULD validate that the verification tag is reflected by o It SHOULD validate that the verification tag is reflected by
looking at the VTag that would have been included in the outgoing looking at the VTag that would have been included in the outgoing
packet. If the validation fails, discard the incoming ERROR packet. If the validation fails, discard the incoming ERROR
chunk. chunk.
o It SHOULD validate that the peer of the SCTP association supports o It SHOULD validate that the peer of the SCTP association supports
the dynamic address extension. If the validation fails, discard the dynamic address extension. If the validation fails, discard
the incoming ERROR chunk. the incoming ERROR chunk.
o It SHOULD generate a new ASCONF chunk containing the VTags o It SHOULD generate a new ASCONF chunk containing the VTags
parameter (see Section 5.3.2) and the Disable Restart parameter if parameter (see Section 5.3.2) and the Disable Restart parameter
the association is using the disabled restart feature. By (see Section 5.3.1) if the association is using the disable
processing this packet the NAT device can recover the appropriate restart feature. By processing this packet the NAT device can
state. The procedures for generating an ASCONF chunk can be found recover the appropriate state. The procedures for generating an
in [RFC5061]. ASCONF chunk can be found in [RFC5061].
The peer SCTP endpoint receiving such an ASCONF chunk SHOULD either The peer SCTP endpoint receiving such an ASCONF chunk SHOULD either
add the address and respond with an acknowledgment, if the address is add the address and respond with an acknowledgment, if the address is
new to the association (following all procedures defined in new to the association (following all procedures defined in
[RFC5061]). Or, if the address is already part of the association, [RFC5061]). Or, if the address is already part of the association,
the SCTP endpoint MUST NOT respond with an error, but instead SHOULD the SCTP endpoint MUST NOT respond with an error, but instead SHOULD
respond with an ASCONF-ACK chunk acknowledging the address and take respond with an ASCONF ACK chunk acknowledging the address and take
no action (since the address is already in the association). no action (since the address is already in the association).
Note that it is possible that upon receiving an ASCONF chunk Note that it is possible that upon receiving an ASCONF chunk
containing the VTags parameter the NAT will realize that it has an containing the VTags parameter the NAT will realize that it has an
'Internal Port Number and Verification Tag collision'. In such a 'Internal Port Number and Verification Tag collision'. In such a
case the NAT MUST send an ERROR chunk with the error cause code set case the NAT MUST send an ERROR chunk with the error cause code set
to 'VTag and Port Number Collision' (see Section 5.2.1). to 'VTag and Port Number Collision' (see Section 5.2.1).
If an SCTP endpoint receives an ERROR with 'Internal Port Number and If an SCTP endpoint receives an ERROR with 'Internal Port Number and
Verification Tag collision' as the error cause and the packet in the Verification Tag collision' as the error cause and the packet in the
skipping to change at page 23, line 14 skipping to change at page 23, line 30
6.5. Handling of Fragmented SCTP Packets by NAT Devices 6.5. Handling of Fragmented SCTP Packets by NAT Devices
A NAT device MUST support IP reassembly of received fragmented SCTP A NAT device MUST support IP reassembly of received fragmented SCTP
packets. The fragments may arrive in any order. packets. The fragments may arrive in any order.
When an SCTP packet has to be fragmented by the NAT device and the IP When an SCTP packet has to be fragmented by the NAT device and the IP
header forbids fragmentation a corresponding ICMP packet SHOULD be header forbids fragmentation a corresponding ICMP packet SHOULD be
sent. sent.
6.6. Multi-Point Traversal Considerations for Endpoints 6.6. Multi Point Traversal Considerations for Endpoints
If a multi-homed SCTP endpoint behind a NAT connects to a peer, it If a multi-homed SCTP endpoint behind a NAT connects to a peer, it
SHOULD first set up the association single-homed with only one MUST first set up the association single-homed with only one address
address causing the first NAT to populate its state. Then it SHOULD causing the first NAT to populate its state. Then it SHOULD add each
add each IP address using ASCONF chunks sent via their respective NAT IP address using ASCONF chunks sent via their respective NAT devices.
devices. The address to add is the wildcard address and the lookup The address to add is the wildcard address and the lookup address
address SHOULD also contain the VTags parameter and optionally the SHOULD also contain the VTags parameter and optionally the Disable
Disable Restart parameter as illustrated above. Restart parameter.
7. Various Examples of NAT Traversals 7. Various Examples of NAT Traversals
Please note that this section is informational only. Please note that this section is informational only.
The addresses being used in the following examples are IPv4 addresses The addresses being used in the following examples are IPv4 addresses
for private-use networks and for documentation as specified in for private-use networks and for documentation as specified in
[RFC6890]. However, the method described here is not limited to this [RFC6890]. However, the method described here is not limited to this
NAT44 case. NAT44 case.
The NAT binding table entries shown in the following examples do not
include the flag indicating whether the restart procedure is
supported or not. This flag is not relevant for these examples.
7.1. Single-homed Client to Single-homed Server 7.1. Single-homed Client to Single-homed Server
The internal client starts the association with the external server The internal client starts the association with the external server
via a four-way-handshake. Host A starts by sending an INIT chunk. via a four-way-handshake. Host A starts by sending an INIT chunk.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
10.0.0.1:1 ------> 203.0.113.1:2 10.0.0.1:1 ------> 203.0.113.1:2
Ext-VTtag = 0 Ext-VTtag = 0
A NAT entry is created, the source address is substituted and the A NAT binding tabled entry is created, the source address is
packet is sent on: substituted and the packet is sent on:
NAT creates entry: NAT creates entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 0 | 2 | 10.0.0.1 | | 1234 | 1 | 0 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
192.0.2.1:1 ------------------------> 203.0.113.1:2 192.0.2.1:1 ------------------------> 203.0.113.1:2
Ext-VTtag = 0 Ext-VTtag = 0
Host B receives the INIT and sends an INIT-ACK with the NAT's Host B receives the INIT and sends an INIT ACK with the NAT's
external address as destination address. external address as destination address.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
INIT-ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
192.0.2.1:1 <----------------------- 203.0.113.1:2 192.0.2.1:1 <----------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
NAT updates entry: NAT updates entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT-ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
10.0.0.1:1 <------ 203.0.113.1:2 10.0.0.1:1 <------ 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE-ECHO acknowledged by a COOKIE- The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE
ACK. ACK.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
COOKIE-ECHO COOKIE ECHO
10.0.0.1:1 ------> 203.0.113.1:2 10.0.0.1:1 ------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ECHO COOKIE ECHO
192.0.2.1:1 -----------------------> 203.0.113.1:2 192.0.2.1:1 -----------------------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ACK COOKIE ACK
192.0.2.1:1 <----------------------- 203.0.113.1:2 192.0.2.1:1 <----------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
COOKIE-ACK COOKIE ACK
10.0.0.1:1 <------ 203.0.113.1:2 10.0.0.1:1 <------ 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
7.2. Single-homed Client to Multi-homed Server 7.2. Single-homed Client to Multi-homed Server
The internal client is single-homed whereas the external server is The internal client is single-homed whereas the external server is
multi-homed. The client (Host A) sends an INIT like in the single- multi-homed. The client (Host A) sends an INIT like in the single-
homed case. homed case.
+--------+ +--------+
skipping to change at page 26, line 35 skipping to change at page 27, line 35
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 0 | 2 | 10.0.0.1 | | 1234 | 1 | 0 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
192.0.2.1:1 --------------------------> 203.0.113.1:2 192.0.2.1:1 --------------------------> 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
The server (Host B) includes its two addresses in the INIT-ACK chunk, The server (Host B) includes its two addresses in the INIT ACK chunk.
which results in two NAT entries.
+--------+ +--------+
/--\/--\ /-|Router 1| \ /--\/--\ /-|Router 1| \
+------+ +-----+ / \ / +--------+ \ +------+ +------+ +-----+ / \ / +--------+ \ +------+
| Host | <-----> | NAT | <-> | Internet | == =| Host | | Host | <-----> | NAT | <-> | Internet | == =| Host |
| A | +-----+ \ / \ +--------+ / | B | | A | +-----+ \ / \ +--------+ / | B |
+------+ \--/\--/ \-|Router 2|-/ +------+ +------+ \--/\--/ \-|Router 2|-/ +------+
+--------+ +--------+
INIT-ACK[Initiate-tag = 5678, IP-Addr = 203.0.113.129] INIT ACK[Initiate-tag = 5678, IP-Addr = 203.0.113.129]
192.0.2.1:1 <-------------------------- 203.0.113.1:2 192.0.2.1:1 <-------------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
NAT does need to change the NAT binding table for the second address: NAT does not need to change the NAT binding table for the second
address:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT-ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
10.0.0.1:1 <--- 203.0.113.1:2 10.0.0.1:1 <--- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE-ECHO acknowledged by a COOKIE- The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE
ACK. ACK.
+--------+ +--------+
/--\/--\ /-|Router 1| \ /--\/--\ /-|Router 1| \
+------+ +-----+ / \ / +--------+ \ +------+ +------+ +-----+ / \ / +--------+ \ +------+
| Host | <-----> | NAT | <-> | Internet | == =| Host | | Host | <-----> | NAT | <-> | Internet | == =| Host |
| A | +-----+ \ / \ +--------+ / | B | | A | +-----+ \ / \ +--------+ / | B |
+------+ \--/\--/ \-|Router 2|-/ +------+ +------+ \--/\--/ \-|Router 2|-/ +------+
+--------+ +--------+
COOKIE-ECHO COOKIE ECHO
10.0.0.1:1 ---> 203.0.113.1:2 10.0.0.1:1 ---> 203.0.113.1:2
ExtVTag = 5678 ExtVTag = 5678
COOKIE-ECHO COOKIE ECHO
192.0.2.1:1 --------------------------> 203.0.113.1:2 192.0.2.1:1 --------------------------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ACK COOKIE ACK
192.0.2.1:1 <-------------------------- 203.0.113.1:2 192.0.2.1:1 <-------------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
COOKIE-ACK COOKIE ACK
10.0.0.1:1 <--- 203.0.113.1:2 10.0.0.1:1 <--- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
7.3. Multihomed Client and Server 7.3. Multihomed Client and Server
The client (Host A) sends an INIT to the server (Host B), but does The client (Host A) sends an INIT to the server (Host B), but does
not include the second address. not include the second address.
+-------+ +-------+
/--| NAT 1 |--\ /--\/--\ /--| NAT 1 |--\ /--\/--\
skipping to change at page 29, line 35 skipping to change at page 30, line 35
NAT 1 | Int | Int | Ext | Ext | Priv | NAT 1 | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 0 | 2 | 10.0.0.1 | | 1234 | 1 | 0 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
192.0.2.1:1 ---------------------> 203.0.113.1:2 192.0.2.1:1 ---------------------> 203.0.113.1:2
ExtVTag = 0 ExtVTag = 0
Host B includes its second address in the INIT-ACK, which results in Host B includes its second address in the INIT ACK.
two NAT entries in NAT 1.
+-------+ +-------+
/--------| NAT 1 |--------\ /--\/--\ /--------| NAT 1 |--------\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |===| Host B | | Host |=== ====| Internet |===| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
+-------+ +-------+
INIT-ACK[Initiate-Tag = 5678, IP-Addr = 203.0.113.129] INIT ACK[Initiate-Tag = 5678, IP-Addr = 203.0.113.129]
192.0.2.1:1 <----------------------- 203.0.113.1:2 192.0.2.1:1 <----------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
NAT 1 does not need to update the NAT binding table for the second NAT 1 does not need to update the NAT binding table for the second
address: address:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT 1 | Int | Int | Ext | Ext | Priv | NAT 1 | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT-ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
10.0.0.1:1 <-------- 203.0.113.1:2 10.0.0.1:1 <-------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE-ECHO acknowledged by a COOKIE- The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE
ACK. ACK.
+-------+ +-------+
/--------| NAT 1 |--------\ /--\/--\ /--------| NAT 1 |--------\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |===| Host B | | Host |=== ====| Internet |===| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
+-------+ +-------+
COOKIE-ECHO COOKIE ECHO
10.0.0.1:1 --------> 203.0.113.1:2 10.0.0.1:1 --------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ECHO COOKIE ECHO
192.0.2.1:1 ------------------> 203.0.113.1:2 192.0.2.1:1 ------------------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ACK COOKIE ACK
192.0.2.1:1 <------------------ 203.0.113.1:2 192.0.2.1:1 <------------------ 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
COOKIE-ACK COOKIE ACK
10.0.0.1:1 <------- 203.0.113.1:2 10.0.0.1:1 <------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
Host A announces its second address in an ASCONF chunk. The address Host A announces its second address in an ASCONF chunk. The address
parameter contains an undefined address (0) to indicate that the parameter contains an undefined address (0) to indicate that the
source address should be added. The lookup address parameter within source address should be added. The lookup address parameter within
the ASCONF chunk will also contain the pair of VTags (external and the ASCONF chunk will also contain the pair of VTags (external and
internal) so that the NAT may populate its NAT binding table entry internal) so that the NAT may populate its NAT binding table entry
completely with this single packet. completely with this single packet.
skipping to change at page 32, line 16 skipping to change at page 33, line 16
NAT 2 | Int | Int | Ext | Ext | Priv | NAT 2 | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.1.0.1 | | 1234 | 1 | 5678 | 2 | 10.1.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
ASCONF [ADD-IP, Int-VTag=1234, Ext-VTag = 5678] ASCONF [ADD-IP, Int-VTag=1234, Ext-VTag = 5678]
192.0.2.129:1 ---------------------> 203.0.113.129:2 192.0.2.129:1 ---------------------> 203.0.113.129:2
Ext-VTag = 5678 Ext-VTag = 5678
ASCONF-ACK ASCONF ACK
192.0.2.129:1 <--------------------- 203.0.113.129:2 192.0.2.129:1 <--------------------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
ASCONF-ACK ASCONF ACK
10.1.0.1:1 <----- 203.0.113.129:2 10.1.0.1:1 <----- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
7.4. NAT Loses Its State 7.4. NAT Loses Its State
Association is already established between Host A and Host B, when Association is already established between Host A and Host B, when
the NAT loses its state and obtains a new public address. Host A the NAT loses its state and obtains a new public address. Host A
sends a DATA chunk to Host B. sends a DATA chunk to Host B.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+
DATA DATA
10.0.0.1:1 ----------> 203.0.113.1:2 10.0.0.1:1 ----------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
The NAT device cannot find an entry in the NAT binding table for the The NAT device cannot find an entry in the NAT binding table for the
association. It sends ERROR an message with the M-Bit set and the association. It sends ERROR an message with the M-Bit set and the
cause "NAT state missing". cause "NAT state missing".
/--\/--\ /--\/--\
skipping to change at page 34, line 11 skipping to change at page 35, line 11
Host B adds the new source address to this association and deletes Host B adds the new source address to this association and deletes
all other addresses from this association. all other addresses from this association.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
ASCONF-ACK ASCONF ACK
192.0.2.2:1 <------------------- 203.0.113.129:2 192.0.2.2:1 <------------------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
ASCONF-ACK ASCONF ACK
10.1.0.1:1 <---------- 203.0.113.129:2 10.1.0.1:1 <---------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
DATA DATA
10.0.0.1:1 ----------> 203.0.113.1:2 10.0.0.1:1 ----------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
DATA DATA
192.0.2.2:1 -------------------> 203.0.113.129:2 192.0.2.2:1 -------------------> 203.0.113.129:2
Ext-VTag = 5678 Ext-VTag = 5678
skipping to change at page 37, line 25 skipping to change at page 38, line 25
NAT A | Int | Int | Ext | Ext | Priv | NAT A | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-tag = 5678] INIT[Initiate-tag = 5678]
10.0.0.1:1 <-- 203.0.113.1:2 10.0.0.1:1 <-- 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
Host A sends INIT-ACK, which can pass through NAT B: Host A sends INIT ACK, which can pass through NAT B:
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
INIT-ACK[Initiate-Tag = 1234] INIT ACK[Initiate-Tag = 1234]
10.0.0.1:1 --> 203.0.113.1:2 10.0.0.1:1 --> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
INIT-ACK[Initiate-Tag = 1234] INIT ACK[Initiate-Tag = 1234]
192.0.2.1:1 ----------------> 203.0.113.1:2 192.0.2.1:1 ----------------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
NAT B updates entry: NAT B updates entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT B | Int | Int | Ext | Ext | Priv | NAT B | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 5678 | 2 | 1234 | 1 | 10.1.0.1 | | 5678 | 2 | 1234 | 1 | 10.1.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT-ACK[Initiate-Tag = 1234] INIT ACK[Initiate-Tag = 1234]
192.0.2.1:1 --> 10.1.0.1:2 192.0.2.1:1 --> 10.1.0.1:2
Ext-VTag = 5678 Ext-VTag = 5678
The lookup for COOKIE-ECHO and COOKIE-ACK is successful. The lookup for COOKIE ECHO and COOKIE ACK is successful.
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
COOKIE-ECHO COOKIE ECHO
192.0.2.1:1 <-- 10.1.0.1:2 192.0.2.1:1 <-- 10.1.0.1:2
Ext-VTag = 1234 Ext-VTag = 1234
COOKIE-ECHO COOKIE ECHO
192.0.2.1:1 <------------- 203.0.113.1:2 192.0.2.1:1 <------------- 203.0.113.1:2
Ext-VTag = 1234 Ext-VTag = 1234
COOKIE-ECHO COOKIE ECHO
10.0.0.1:1 <-- 203.0.113.1:2 10.0.0.1:1 <-- 203.0.113.1:2
Ext-VTag = 1234 Ext-VTag = 1234
COOKIE-ACK COOKIE ACK
10.0.0.1:1 --> 203.0.113.1:2 10.0.0.1:1 --> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ACK COOKIE ACK
192.0.2.1:1 ----------------> 203.0.113.1:2 192.0.2.1:1 ----------------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ACK COOKIE ACK
192.0.2.1:1 --> 10.1.0.1:2 192.0.2.1:1 --> 10.1.0.1:2
Ext-VTag = 5678 Ext-VTag = 5678
8. Socket API Considerations 8. Socket API Considerations
This section describes how the socket API defined in [RFC6458] is This section describes how the socket API defined in [RFC6458] is
extended to provide a way for the application to control NAT extended to provide a way for the application to control NAT
friendliness. friendliness.
Please note that this section is informational only. Please note that this section is informational only.
skipping to change at page 42, line 49 skipping to change at page 43, line 49
cleaned up. cleaned up.
For SCTP endpoints, this document does not add any additional For SCTP endpoints, this document does not add any additional
security considerations to the ones given in [RFC4960], [RFC4895], security considerations to the ones given in [RFC4960], [RFC4895],
and [RFC5061]. In particular, SCTP is protected by the verification and [RFC5061]. In particular, SCTP is protected by the verification
tags and the usage of [RFC4895] against off-path attackers. tags and the usage of [RFC4895] against off-path attackers.
11. Acknowledgments 11. Acknowledgments
The authors wish to thank Gorry Fairhurst, Bryan Ford, David Hayes, The authors wish to thank Gorry Fairhurst, Bryan Ford, David Hayes,
Alfred Hines, Karen E. E. Nielsen, Henning Peters, Timo Voelker, Alfred Hines, Karen E. E. Nielsen, Henning Peters, Maksim Proshin,
Dan Wing, and Qiaobing Xie for their invaluable comments. Timo Voelker, Dan Wing, and Qiaobing Xie for their invaluable
comments.
In addition, the authors wish to thank David Hayes, Jason But, and In addition, the authors wish to thank David Hayes, Jason But, and
Grenville Armitage, the authors of [DOI_10.1145_1496091.1496095], for Grenville Armitage, the authors of [DOI_10.1145_1496091.1496095], for
their suggestions. their suggestions.
12. References 12. References
12.1. Normative References 12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
 End of changes. 104 change blocks. 
176 lines changed or deleted 183 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/