draft-ietf-tsvwg-natsupp-15.txt   draft-ietf-tsvwg-natsupp-16.txt 
Network Working Group R. Stewart Network Working Group R. R. Stewart
Internet-Draft Netflix, Inc. Internet-Draft Netflix, Inc.
Intended status: Standards Track M. Tuexen Intended status: Standards Track M. Tuexen
Expires: May 20, 2020 I. Ruengeler Expires: 10 September 2020 I. Ruengeler
Muenster Univ. of Appl. Sciences Muenster Univ. of Appl. Sciences
November 17, 2019 9 March 2020
Stream Control Transmission Protocol (SCTP) Network Address Translation Stream Control Transmission Protocol (SCTP) Network Address Translation
Support Support
draft-ietf-tsvwg-natsupp-15 draft-ietf-tsvwg-natsupp-16
Abstract Abstract
The Stream Control Transmission Protocol (SCTP) provides a reliable The Stream Control Transmission Protocol (SCTP) provides a reliable
communications channel between two end-hosts in many ways similar to communications channel between two end-hosts in many ways similar to
the Transmission Control Protocol (TCP). With the widespread the Transmission Control Protocol (TCP). With the widespread
deployment of Network Address Translators (NAT), specialized code has deployment of Network Address Translators (NAT), specialized code has
been added to NAT for TCP that allows multiple hosts to reside behind been added to NAT for TCP that allows multiple hosts to reside behind
a NAT and yet use only a single globally unique IPv4 address, even a NAT and yet share a single IPv4 address, even when two hosts
when two hosts (behind a NAT) choose the same port numbers for their (behind a NAT) choose the same port numbers for their connection.
connection. This additional code is sometimes classified as Network This additional code is sometimes classified as Network Address and
Address and Port Translation (NAPT). Port Translation (NAPT).
This document describes the protocol extensions required for the SCTP This document describes the protocol extensions required for the SCTP
endpoints and the mechanisms for NAT devices necessary to provide endpoints and the mechanisms for NAT devices necessary to provide
similar features of NAPT in the single point and multi point similar features of NAPT in the single point and multi point
traversal scenario. traversal scenario.
Finally, a YANG module for SCTP NAT is defined.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 20, 2020. This Internet-Draft will expire on 10 September 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents (https://trustee.ietf.org/
(https://trustee.ietf.org/license-info) in effect on the date of license-info) in effect on the date of publication of this document.
publication of this document. Please review these documents Please review these documents carefully, as they describe your rights
carefully, as they describe your rights and restrictions with respect and restrictions with respect to this document. Code Components
to this document. Code Components extracted from this document must extracted from this document must include Simplified BSD License text
include Simplified BSD License text as described in Section 4.e of as described in Section 4.e of the Trust Legal Provisions and are
the Trust Legal Provisions and are provided without warranty as provided without warranty as described in the Simplified BSD License.
described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 6 4. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. SCTP NAT Traversal Scenarios . . . . . . . . . . . . . . 6 4.1. SCTP NAT Traversal Scenarios . . . . . . . . . . . . . . 6
4.1.1. Single Point Traversal . . . . . . . . . . . . . . . 6 4.1.1. Single Point Traversal . . . . . . . . . . . . . . . 6
4.1.2. Multi Point Traversal . . . . . . . . . . . . . . . . 7 4.1.2. Multi Point Traversal . . . . . . . . . . . . . . . . 7
4.2. Limitations of Classical NAPT for SCTP . . . . . . . . . 8 4.2. Limitations of Classical NAPT for SCTP . . . . . . . . . 8
4.3. The SCTP-Specific Variant of NAT . . . . . . . . . . . . 8 4.3. The SCTP-Specific Variant of NAT . . . . . . . . . . . . 8
5. Data Formats . . . . . . . . . . . . . . . . . . . . . . . . 12 5. Data Formats . . . . . . . . . . . . . . . . . . . . . . . . 13
5.1. Modified Chunks . . . . . . . . . . . . . . . . . . . . . 12 5.1. Modified Chunks . . . . . . . . . . . . . . . . . . . . . 13
5.1.1. Extended ABORT Chunk . . . . . . . . . . . . . . . . 12 5.1.1. Extended ABORT Chunk . . . . . . . . . . . . . . . . 13
5.1.2. Extended ERROR Chunk . . . . . . . . . . . . . . . . 13 5.1.2. Extended ERROR Chunk . . . . . . . . . . . . . . . . 13
5.2. New Error Causes . . . . . . . . . . . . . . . . . . . . 13 5.2. New Error Causes . . . . . . . . . . . . . . . . . . . . 14
5.2.1. VTag and Port Number Collision Error Cause . . . . . 14 5.2.1. VTag and Port Number Collision Error Cause . . . . . 14
5.2.2. Missing State Error Cause . . . . . . . . . . . . . . 14 5.2.2. Missing State Error Cause . . . . . . . . . . . . . . 14
5.2.3. Port Number Collision Error Cause . . . . . . . . . . 15 5.2.3. Port Number Collision Error Cause . . . . . . . . . . 15
5.3. New Parameters . . . . . . . . . . . . . . . . . . . . . 16 5.3. New Parameters . . . . . . . . . . . . . . . . . . . . . 15
5.3.1. Disable Restart Parameter . . . . . . . . . . . . . . 16 5.3.1. Disable Restart Parameter . . . . . . . . . . . . . . 16
5.3.2. VTags Parameter . . . . . . . . . . . . . . . . . . . 16 5.3.2. VTags Parameter . . . . . . . . . . . . . . . . . . . 16
6. Procedures for SCTP Endpoints and NAT Devices . . . . . . . . 18 6. Procedures for SCTP Endpoints and NAT Devices . . . . . . . . 17
6.1. Association Setup Considerations for Endpoints . . . . . 18 6.1. Association Setup Considerations for Endpoints . . . . . 18
6.2. Handling of Internal Port Number and Verification Tag 6.2. Handling of Internal Port Number and Verification Tag
Collisions . . . . . . . . . . . . . . . . . . . . . . . 19 Collisions . . . . . . . . . . . . . . . . . . . . . . . 18
6.2.1. NAT Device Considerations . . . . . . . . . . . . . . 19 6.2.1. NAT Device Considerations . . . . . . . . . . . . . . 19
6.2.2. Endpoint Considerations . . . . . . . . . . . . . . . 19 6.2.2. Endpoint Considerations . . . . . . . . . . . . . . . 19
6.3. Handling of Internal Port Number Collisions . . . . . . . 20 6.3. Handling of Internal Port Number Collisions . . . . . . . 19
6.3.1. NAT Device Considerations . . . . . . . . . . . . . . 20 6.3.1. NAT Device Considerations . . . . . . . . . . . . . . 20
6.3.2. Endpoint Considerations . . . . . . . . . . . . . . . 21 6.3.2. Endpoint Considerations . . . . . . . . . . . . . . . 20
6.4. Handling of Missing State . . . . . . . . . . . . . . . . 21 6.4. Handling of Missing State . . . . . . . . . . . . . . . . 21
6.4.1. NAT Device Considerations . . . . . . . . . . . . . . 21 6.4.1. NAT Device Considerations . . . . . . . . . . . . . . 21
6.4.2. Endpoint Considerations . . . . . . . . . . . . . . . 22 6.4.2. Endpoint Considerations . . . . . . . . . . . . . . . 21
6.5. Handling of Fragmented SCTP Packets by NAT Devices . . . 23
6.5. Handling of Fragmented SCTP Packets by NAT Devices . . . 22
6.6. Multi Point Traversal Considerations for Endpoints . . . 23 6.6. Multi Point Traversal Considerations for Endpoints . . . 23
7. Various Examples of NAT Traversals . . . . . . . . . . . . . 23 7. Various Examples of NAT Traversals . . . . . . . . . . . . . 23
7.1. Single-homed Client to Single-homed Server . . . . . . . 24 7.1. Single-homed Client to Single-homed Server . . . . . . . 23
7.2. Single-homed Client to Multi-homed Server . . . . . . . . 26 7.2. Single-homed Client to Multi-homed Server . . . . . . . . 25
7.3. Multihomed Client and Server . . . . . . . . . . . . . . 29 7.3. Multihomed Client and Server . . . . . . . . . . . . . . 27
7.4. NAT Loses Its State . . . . . . . . . . . . . . . . . . . 33 7.4. NAT Loses Its State . . . . . . . . . . . . . . . . . . . 30
7.5. Peer-to-Peer Communication . . . . . . . . . . . . . . . 35 7.5. Peer-to-Peer Communication . . . . . . . . . . . . . . . 32
8. Socket API Considerations . . . . . . . . . . . . . . . . . . 40 8. SCTP NAT YANG Module . . . . . . . . . . . . . . . . . . . . 36
8.1. Get or Set the NAT Friendliness 8.1. Tree Structure . . . . . . . . . . . . . . . . . . . . . 36
(SCTP_NAT_FRIENDLY) . . . . . . . . . . . . . . . . . . . 41 8.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 37
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 41 9. Socket API Considerations . . . . . . . . . . . . . . . . . . 39
9.1. New Chunk Flags for Two Existing Chunk Types . . . . . . 41 9.1. Get or Set the NAT Friendliness (SCTP_NAT_FRIENDLY) . . . 40
9.2. Three New Error Causes . . . . . . . . . . . . . . . . . 42 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
9.3. Two New Chunk Parameter Types . . . . . . . . . . . . . . 43 10.1. New Chunk Flags for Two Existing Chunk Types . . . . . . 40
10. Security Considerations . . . . . . . . . . . . . . . . . . . 43 10.2. Three New Error Causes . . . . . . . . . . . . . . . . . 42
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 43 10.3. Two New Chunk Parameter Types . . . . . . . . . . . . . 43
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 10.4. One New URI . . . . . . . . . . . . . . . . . . . . . . 43
12.1. Normative References . . . . . . . . . . . . . . . . . . 44 10.5. One New YANG Module . . . . . . . . . . . . . . . . . . 43
12.2. Informative References . . . . . . . . . . . . . . . . . 44 11. Security Considerations . . . . . . . . . . . . . . . . . . . 43
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 44
13. Normative References . . . . . . . . . . . . . . . . . . . . 44
14. Informative References . . . . . . . . . . . . . . . . . . . 46
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 47
1. Introduction 1. Introduction
Stream Control Transmission Protocol [RFC4960] provides a reliable Stream Control Transmission Protocol [RFC4960] provides a reliable
communications channel between two end-hosts in many ways similar to communications channel between two end-hosts in many ways similar to
TCP [RFC0793]. With the widespread deployment of Network Address TCP [RFC0793]. With the widespread deployment of Network Address
Translators (NAT), specialized code has been added to NAT for TCP Translators (NAT), specialized code has been added to NAT for TCP
that allows multiple hosts to reside behind a NAT using private that allows multiple hosts to reside behind a NAT using private
addresses (see [RFC6890]) and yet use only a single globally unique addresses (see [RFC6890]) and yet share single IPv4 address, even
IPv4 address, even when two hosts (behind a NAT) choose the same port when two hosts (behind a NAT) choose the same port numbers for their
numbers for their connection. This additional code is sometimes connection. This additional code is sometimes classified as Network
classified as Network Address and Port Translation (NAPT). Please Address and Port Translation (NAPT). Please note that this document
note that this document focuses on the case where the NAT maps a focuses on the case where the NAT maps a single or multiple private
single or multiple private addresses to a single public address and addresses to a single public address and vice versa. To date,
vice versa. To date, specialized code for SCTP has not yet been specialized code for SCTP has not yet been added to most NAT devices
added to most NAT devices so that only a translation of IP addresses so that only a translation of IP addresses is supported. The end
is supported. The end result of this is that only one SCTP-capable result of this is that only one SCTP-capable host can successfully
host can successfully operate behind such a NAT and this host can operate behind such a NAT and this host can only be single-homed.
only be single-homed. The only alternative for supporting legacy NAT The only alternative for supporting legacy NAT devices is to use UDP
devices is to use UDP encapsulation as specified in [RFC6951]. encapsulation as specified in [RFC6951].
This document specifies procedures allowing a NAT to support SCTP by This document specifies procedures allowing a NAT to support SCTP by
providing similar features to those provided by a NAPT for TCP and providing similar features to those provided by a NAPT for TCP and
other supported protocols. The document also specifies a set of data other supported protocols. The document also specifies a set of data
formats for SCTP packets and a set of SCTP endpoint procedures to formats for SCTP packets and a set of SCTP endpoint procedures to
support NAT traversal. An SCTP implementation supporting these support NAT traversal. An SCTP implementation supporting these
procedures can assure that in both single-homed and multi-homed cases procedures can assure that in both single-homed and multi-homed cases
a NAT will maintain the appropriate state without the NAT needing to a NAT will maintain the appropriate state without the NAT needing to
change port numbers. change port numbers.
It is possible and desirable to make these changes for a number of It is possible and desirable to make these changes for a number of
reasons: reasons:
o It is desirable for SCTP internal end-hosts on multiple platforms * It is desirable for SCTP internal end-hosts on multiple platforms
to be able to share a NAT's public IP address in the same way that to be able to share a NAT's public IP address in the same way that
a TCP session can use a NAT. a TCP session can use a NAT.
o If a NAT does not need to change any data within an SCTP packet it * If a NAT does not need to change any data within an SCTP packet it
will reduce the processing burden of NAT'ing SCTP by NOT needing will reduce the processing burden of NAT'ing SCTP by not needing
to execute the CRC32c checksum required by SCTP. to execute the CRC32c checksum required by SCTP.
o Not having to touch the IP payload makes the processing of ICMP * Not having to touch the IP payload makes the processing of ICMP
messages in NAT devices easier. messages in NAT devices easier.
An SCTP-aware NAT will need to follow these procedures for generating An SCTP-aware NAT will need to follow these procedures for generating
appropriate SCTP packet formats. appropriate SCTP packet formats.
When considering this feature it is possible to have multiple levels When considering this feature it is possible to have multiple levels
of support. At each level, the Internal Host, External Host and NAT of support. At each level, the Internal Host, External Host and NAT
may or may not support the features described in this document. The may or may not support the features described in this document. The
following table illustrates the results of the various combinations following table illustrates the results of the various combinations
of support and if communications can occur between two endpoints. of support and if communications can occur between two endpoints.
+---------------+------------+---------------+---------------+ +---------------+------------+---------------+---------------+
| Internal Host | NAT Device | External Host | Communication | | Internal Host | NAT Device | External Host | Communication |
+---------------+------------+---------------+---------------+ +===============+============+===============+===============+
| Support | Support | Support | Yes | | Support | Support | Support | Yes |
+---------------+------------+---------------+---------------+
| Support | Support | No Support | Limited | | Support | Support | No Support | Limited |
+---------------+------------+---------------+---------------+
| Support | No Support | Support | None | | Support | No Support | Support | None |
+---------------+------------+---------------+---------------+
| Support | No Support | No Support | None | | Support | No Support | No Support | None |
+---------------+------------+---------------+---------------+
| No Support | Support | Support | Limited | | No Support | Support | Support | Limited |
+---------------+------------+---------------+---------------+
| No Support | Support | No Support | Limited | | No Support | Support | No Support | Limited |
+---------------+------------+---------------+---------------+
| No Support | No Support | Support | None | | No Support | No Support | Support | None |
+---------------+------------+---------------+---------------+
| No Support | No Support | No Support | None | | No Support | No Support | No Support | None |
+---------------+------------+---------------+---------------+ +---------------+------------+---------------+---------------+
Table 1: Communication possibilities Table 1: Communication possibilities
From the table it can be seen that when a NAT device does not support From the table it can be seen that when a NAT device does not support
the extension no communication can occur. This assumes that the NAT the extension no communication can occur. This assumes that the NAT
device does not handle SCTP packets at all and all SCTP packets sent device does not handle SCTP packets at all and all SCTP packets sent
externally from behind a NAT device are discarded by the NAT. In externally from behind a NAT device are discarded by the NAT. In
some cases, where the NAT device supports the feature but one of the some cases, where the NAT device supports the feature but one of the
skipping to change at page 5, line 21 skipping to change at page 5, line 50
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. Terminology 3. Terminology
This document uses the following terms, which are depicted in This document uses the following terms, which are depicted in
Figure 1. Familiarity with the terminology used in [RFC4960] and Figure 1. Familiarity with the terminology used in [RFC4960] and
[RFC5061] is assumed. [RFC5061] is assumed.
Private-Address (Priv-Addr): The private address that is known to Private-Address (Priv-Addr) The private address that is known to the
the internal host. internal host.
Internal-Port (Int-Port): The port number that is in use by the host Internal-Port (Int-Port) The port number that is in use by the host
holding the Private-Address. holding the Private-Address.
Internal-VTag (Int-VTag): The SCTP Verification Tag (VTag) (see Internal-VTag (Int-VTag) The SCTP Verification Tag (VTag) (see
Section 3.1 of [RFC4960]) that the internal host has chosen for Section 3.1 of [RFC4960]) that the internal host has chosen for
its communication. The VTag is a unique 32-bit tag that must its communication. The VTag is a unique 32-bit tag that must
accompany any incoming SCTP packet for this association to the accompany any incoming SCTP packet for this association to the
Private-Address. Private-Address.
External-Address (Ext-Addr): The address that an internal host is External-Address (Ext-Addr) The address that an internal host is
attempting to contact. attempting to contact.
External-Port (Ext-Port): The port number of the peer process at the External-Port (Ext-Port) The port number of the peer process at the
External-Address. External-Address.
External-VTag (Ext-VTag): The Verification Tag that the host holding External-VTag (Ext-VTag) The Verification Tag that the host holding
the External-Address has chosen for its communication. The VTag the External-Address has chosen for its communication. The VTag
is a unique 32-bit tag that must accompany any incoming SCTP is a unique 32-bit tag that must accompany any incoming SCTP
packet for this association to the External-Address. packet for this association to the External-Address.
Public-Address (Pub-Addr): The public address assigned to the NAT Public-Address (Pub-Addr) The public address assigned to the NAT
device that it uses as a source address when sending packets device that it uses as a source address when sending packets
towards the External-Address. towards the External-Address.
Internal Network | External Network Internal Network | External Network
| |
Private | Public External Private | Public External
+--------+ Address | Address /--\/--\ Address +--------+ +--------+ Address | Address /--\/--\ Address +--------+
| SCTP | +-----+ / \ | SCTP | | SCTP | +-----+ / \ | SCTP |
|endpoint|=========| NAT |=======| Internet |==========|endpoint| |endpoint|=========| NAT |=======| Internet |==========|endpoint|
| A | +-----+ \ / | B | | A | +-----+ \ / | B |
+--------+ Internal | \--/\--/ External+--------+ +--------+ Internal | \--/\--/ External+--------+
Internal Port | Port External Internal Port | Port External
VTag | VTag VTag | VTag
Figure 1: Basic network setup Figure 1: Basic network setup
4. Motivation 4. Motivation
4.1. SCTP NAT Traversal Scenarios 4.1. SCTP NAT Traversal Scenarios
This section defines the notion of single and multi point NAT This section defines the notion of single and multi point NAT
traversal. traversal.
4.1.1. Single Point Traversal 4.1.1. Single Point Traversal
In this case, all packets in the SCTP association go through a single In this case, all packets in the SCTP association go through a single
NAT, as shown below: NAT, as shown below:
Internal Network | External Network Internal Network | External Network
| |
+--------+ | /--\/--\ +--------+ +--------+ | /--\/--\ +--------+
| SCTP | +-----+ / \ | SCTP | | SCTP | +-----+ / \ | SCTP |
|endpoint|=========| NAT |========= | Internet | ========|endpoint| |endpoint|=========| NAT |========= | Internet | ========|endpoint|
| A | +-----+ \ / | B | | A | +-----+ \ / | B |
+--------+ | \--/\--/ +--------+ +--------+ | \--/\--/ +--------+
| |
Single NAT scenario Figure 2: Single NAT scenario
A variation of this case is shown below, i.e., multiple NAT devices A variation of this case is shown below, i.e., multiple NAT devices
in a single path: in a single path:
Internal | External : Internal | External Internal | External : Internal | External
| : | | : |
+--------+ | : | /--\/--\ +--------+ +--------+ | : | /--\/--\ +--------+
| SCTP | +-----+ : +-----+ / \ | SCTP | | SCTP | +-----+ : +-----+ / \ | SCTP |
|endpoint|==| NAT |=======:=======| NAT |==| Internet |==|endpoint| |endpoint|==| NAT |=======:=======| NAT |==| Internet |==|endpoint|
| A | +-----+ : +-----+ \ / | B | | A | +-----+ : +-----+ \ / | B |
+--------+ | : | \--/\--/ +--------+ +--------+ | : | \--/\--/ +--------+
| : | | : |
Serial NAT Devices scenario Figure 3: Serial NAT Devices scenario
Although one of the main benefits of SCTP multi-homing is redundant Although one of the main benefits of SCTP multi-homing is redundant
paths, in the single point traversal scenario the NAT function paths, in the single point traversal scenario the NAT function
represents a single point of failure in the path of the SCTP multi- represents a single point of failure in the path of the SCTP multi-
homed association. However, the rest of the path may still benefit homed association. However, the rest of the path may still benefit
from path diversity provided by SCTP multi-homing. from path diversity provided by SCTP multi-homing.
The two SCTP endpoints in this case can be either single-homed or The two SCTP endpoints in this case can be either single-homed or
multi-homed. However, the important thing is that the NAT device (or multi-homed. However, the important thing is that the NAT device (or
NAT devices) in this case sees all the packets of the SCTP NAT devices) in this case sees all the packets of the SCTP
association. association.
4.1.2. Multi Point Traversal 4.1.2. Multi Point Traversal
This case involves multiple NAT devices and each NAT device only sees This case involves multiple NAT devices and each NAT device only sees
some of the packets in the SCTP association. An example is shown some of the packets in the SCTP association. An example is shown
below: below:
Internal | External Internal | External
+------+ /---\/---\ +------+ /---\/---\
+--------+ /=======|NAT A |=========\ / \ +--------+ +--------+ /=======|NAT A |=========\ / \ +--------+
| SCTP | / +------+ \/ \ | SCTP | | SCTP | / +------+ \/ \ | SCTP |
|endpoint|/ ... | Internet |===|endpoint| |endpoint|/ ... | Internet |===|endpoint|
| A |\ \ / | B | | A |\ \ / | B |
+--------+ \ +------+ / \ / +--------+ +--------+ \ +------+ / \ / +--------+
\=======|NAT B |=========/ \---\/---/ \=======|NAT B |=========/ \---\/---/
+------+ +------+
| |
Parallel NAT devices scenario Figure 4: Parallel NAT devices scenario
This case does NOT apply to a single-homed SCTP association (i.e., This case does not apply to a single-homed SCTP association (i.e.,
BOTH endpoints in the association use only one IP address). The both endpoints in the association use only one IP address). The
advantage here is that the existence of multiple NAT traversal points advantage here is that the existence of multiple NAT traversal points
can preserve the path diversity of a multi-homed association for the can preserve the path diversity of a multi-homed association for the
entire path. This in turn can improve the robustness of the entire path. This in turn can improve the robustness of the
communication. communication.
4.2. Limitations of Classical NAPT for SCTP 4.2. Limitations of Classical NAPT for SCTP
Using classical NAPT may result in changing one of the SCTP port Using classical NAPT may result in changing one of the SCTP port
numbers during the processing which requires the recomputation of the numbers during the processing which requires the recomputation of the
transport layer checksum by the NAPT device. Whereas for UDP and TCP transport layer checksum by the NAPT device. Whereas for UDP and TCP
skipping to change at page 8, line 23 skipping to change at page 8, line 43
considerably add to the NAT computational burden, however hardware considerably add to the NAT computational burden, however hardware
support may mitigate this in some implementations. support may mitigate this in some implementations.
An SCTP endpoint may have multiple addresses but only has a single An SCTP endpoint may have multiple addresses but only has a single
port number. To make multipoint traversal work, all the NAT devices port number. To make multipoint traversal work, all the NAT devices
involved must recognize the packets they see as belonging to the same involved must recognize the packets they see as belonging to the same
SCTP association and perform port number translation in a consistent SCTP association and perform port number translation in a consistent
way. One possible way of doing this is to use a pre-defined table of way. One possible way of doing this is to use a pre-defined table of
ports and addresses configured within each NAT. Other mechanisms ports and addresses configured within each NAT. Other mechanisms
could make use of NAT to NAT communication. Such mechanisms have not could make use of NAT to NAT communication. Such mechanisms have not
been deployabled on a wide scale base and thus are not a recommended been deployed on a wide scale base and thus are not a recommended
solution. Therefore the SCTP variant of NAT has been developed. solution. Therefore an SCTP variant of NAT has been developed.
4.3. The SCTP-Specific Variant of NAT 4.3. The SCTP-Specific Variant of NAT
In this section it is allowed that there are multiple SCTP capable In this section it is allowed that there are multiple SCTP capable
hosts behind a NAT that has one Public-Address. Furthermore this hosts behind a NAT that has one Public-Address. Furthermore this
section focuses on the single point traversal scenario. section focuses on the single point traversal scenario.
The modification of SCTP packets sent to the public Internet is The modification of SCTP packets sent to the Internet is simple: the
simple: the source address of the packet has to be replaced with the source address of the packet has to be replaced with the Public-
Public-Address. It may also be necessary to establish some state in Address. It may also be necessary to establish some state in the NAT
the NAT device to later handle incoming packets. device to later handle incoming packets.
For the SCTP NAT processing the NAT device has to maintain a NAT For the SCTP NAT processing the NAT device has to maintain a NAT
binding table of Internal-VTag, Internal-Port, External-VTag, binding table of Internal-VTag, Internal-Port, External-VTag,
External-Port, Private-Address, and whether the restart procedure is External-Port, Private-Address, and whether the restart procedure is
disabled or not. An entry in that NAT binding table is called a NAT disabled or not. An entry in that NAT binding table is called a NAT
state control block. The function Create() obtains the just state control block. The function Create() obtains the just
mentioned parameters and returns a NAT-State control block. mentioned parameters and returns a NAT-State control block. A NAT
device MAY allow creating NAT-State control blocks via a management
interface.
For SCTP packets coming from the public Internet the destination For SCTP packets coming from the public Internet the destination
address of the packets has to be replaced with the Private-Address of address of the packets has to be replaced with the Private-Address of
the host the packet has to be delivered to. The lookup of the the host the packet has to be delivered to. The lookup of the
Private-Address is based on the External-VTag, External-Port, Private-Address is based on the External-VTag, External-Port,
Internal-VTag and the Internal-Port. Internal-VTag and the Internal-Port.
The entries in the NAT binding table need to fulfill some uniqueness The entries in the NAT binding table need to fulfill some uniqueness
conditions. There must not be more than one entry NAT binding table conditions. There must not be more than one entry NAT binding table
with the same pair of Internal-Port and External-Port. This rule can with the same pair of Internal-Port and External-Port. This rule can
skipping to change at page 9, line 46 skipping to change at page 10, line 36
However, it is possible that there is already a NAT binding table However, it is possible that there is already a NAT binding table
entry with the same External-Port, Internal-Port, and Internal-VTag entry with the same External-Port, Internal-Port, and Internal-VTag
but different Private-Address. In this case the INIT MUST be dropped but different Private-Address. In this case the INIT MUST be dropped
by the NAT and an ABORT MUST be sent back to the SCTP host with the by the NAT and an ABORT MUST be sent back to the SCTP host with the
M-Bit set and an appropriate error cause (see Section 5.1.1 for the M-Bit set and an appropriate error cause (see Section 5.1.1 for the
format). The source address of the packet containing the ABORT chunk format). The source address of the packet containing the ABORT chunk
MUST be the destination address of the packet containing the INIT MUST be the destination address of the packet containing the INIT
chunk. chunk.
If an outgoing SCTP packet contains an INIT or ASCONF chunk and a
matching NAT binding table entry is found, the packet is processed as
a normal outgoing packet.
It is also possible that a connection to External-Address and It is also possible that a connection to External-Address and
External-Port exists without an Internal-VTag conflict but there External-Port exists without an Internal-VTag conflict but there
exists a NAT binding table entry with the same port numbers but a exists a NAT binding table entry with the same port numbers but a
different Private-Address. In such a case the INIT MUST be dropped different Private-Address. In such a case the INIT MUST be dropped
by the NAT and an ABORT SHOULD be sent back to the SCTP host with the by the NAT and an ABORT SHOULD be sent back to the SCTP host with the
M-Bit set and an appropriate error cause (see Section 5.1.1 for the M-Bit set and an appropriate error cause (see Section 5.1.1 for the
format). format).
The processing of outgoing SCTP packets containing no INIT chunks is The processing of outgoing SCTP packets containing no INIT chunks is
described in the following figure. described in the following figure.
skipping to change at page 12, line 5 skipping to change at page 12, line 28
Lookup(*, Int-Port, Ext-VTag, Ext-Port) Lookup(*, Int-Port, Ext-VTag, Ext-Port)
Returns(NAT-State control block containing Priv-Addr) Returns(NAT-State control block containing Priv-Addr)
Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port
Ext-VTag Ext-VTag
For an incoming packet containing an INIT chunk a table lookup is For an incoming packet containing an INIT chunk a table lookup is
made only based on the addresses and port numbers. If an entry with made only based on the addresses and port numbers. If an entry with
an External-VTag of zero is found, it is considered a match and the an External-VTag of zero is found, it is considered a match and the
External-VTag is updated. This allows the handling of INIT collision External-VTag is updated. If an entry with a non-matching External-
VTag is found or no entry is found, the incoming packet is dropped.
If an entry with a matching External-VTag is found, the incoming
packet is forwarded. This allows the handling of INIT collision
through NAT. through NAT.
The processing of other incoming SCTP packets is described in the The processing of other incoming SCTP packets is described in the
following figure. following figure.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
skipping to change at page 13, line 14 skipping to change at page 13, line 30
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 6 | Reserved |M|T| Length | | Type = 6 | Reserved |M|T| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \ \ \
/ zero or more Error Causes / / zero or more Error Causes /
\ \ \ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The ABORT chunk is extended to add the new 'M-bit'. The M-bit The ABORT chunk is extended to add the new 'M bit'. The M bit
indicates to the receiver of the ABORT chunk that the chunk was not indicates to the receiver of the ABORT chunk that the chunk was not
generated by the peer SCTP endpoint, but instead by a middle box. generated by the peer SCTP endpoint, but instead by a middle box.
[NOTE to RFC-Editor: [NOTE to RFC-Editor: Assignment of M bit to be confirmed by IANA.]
Assignment of M-bit to be confirmed by IANA.
]
5.1.2. Extended ERROR Chunk 5.1.2. Extended ERROR Chunk
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 9 | Reserved |M|T| Length | | Type = 9 | Reserved |M|T| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \ \ \
/ zero or more Error Causes / / zero or more Error Causes /
\ \ \ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The ERROR chunk defined in [RFC4960] is extended to add the new The ERROR chunk defined in [RFC4960] is extended to add the new 'M
'M-bit'. The M-bit indicates to the receiver of the ERROR chunk that bit'. The M bit indicates to the receiver of the ERROR chunk that
the chunk was not generated by the peer SCTP endpoint, but instead by the chunk was not generated by the peer SCTP endpoint, but instead by
a middle box. a middle box.
[NOTE to RFC-Editor: [NOTE to RFC-Editor: Assignment of M bit to be confirmed by IANA.]
Assignment of M-bit to be confirmed by IANA.
]
5.2. New Error Causes 5.2. New Error Causes
This section defines the new error causes added by this document. This section defines the new error causes added by this document.
5.2.1. VTag and Port Number Collision Error Cause 5.2.1. VTag and Port Number Collision Error Cause
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x00B0 | Cause Length = Variable | | Cause Code = 0x00B0 | Cause Length = Variable |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ Chunk / \ Chunk /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Cause Code: 2 bytes (unsigned integer) Cause Code: 2 bytes (unsigned integer) This field holds the IANA
This field holds the IANA defined cause code for the 'VTag and defined cause code for the 'VTag and Port Number Collision' Error
Port Number Collision' Error Cause. IANA is requested to assign Cause. IANA is requested to assign the value 0x00B0 for this
the value 0x00B0 for this cause code. cause code.
Cause Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the error cause. The
value MUST be the length of the Cause-Specific Information plus 4.
Chunk: variable length
The Cause-Specific Information is filled with the chunk that
caused this error. This can be an INIT, INIT ACK, or ASCONF
chunk. Note that if the entire chunk will not fit in the ERROR
chunk or ABORT chunk being sent then the bytes that do not fit are
truncated.
[NOTE to RFC-Editor: Cause Length: 2 bytes (unsigned integer) This field holds the length
in bytes of the error cause. The value MUST be the length of the
Cause-Specific Information plus 4.
Assignment of cause code to be confirmed by IANA. Chunk: variable length The Cause-Specific Information is filled with
the chunk that caused this error. This can be an INIT, INIT ACK,
or ASCONF chunk. Note that if the entire chunk will not fit in
the ERROR chunk or ABORT chunk being sent then the bytes that do
not fit are truncated.
] [NOTE to RFC-Editor: Assignment of cause code to be confirmed by
IANA.]
5.2.2. Missing State Error Cause 5.2.2. Missing State Error Cause
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x00B1 | Cause Length = Variable | | Cause Code = 0x00B1 | Cause Length = Variable |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ Incoming Packet / \ Incoming Packet /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Cause Code: 2 bytes (unsigned integer) Cause Code: 2 bytes (unsigned integer) This field holds the IANA
This field holds the IANA defined cause code for the 'Missing defined cause code for the 'Missing State' Error Cause. IANA is
State' Error Cause. IANA is requested to assign the value 0x00B1 requested to assign the value 0x00B1 for this cause code.
for this cause code.
Cause Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the error cause. The
value MUST be the length of the Cause-Specific Information plus 4.
Incoming Packet: variable length
The Cause-Specific Information is filled with the IPv4 or IPv6
packet that caused this error. The IPv4 or IPv6 header MUST be
included. Note that if the packet will not fit in the ERROR chunk
or ABORT chunk being sent then the bytes that do not fit are
truncated.
[NOTE to RFC-Editor: Cause Length: 2 bytes (unsigned integer) This field holds the length
in bytes of the error cause. The value MUST be the length of the
Cause-Specific Information plus 4.
Assignment of cause code to be confirmed by IANA. Incoming Packet: variable length The Cause-Specific Information is
filled with the IPv4 or IPv6 packet that caused this error. The
IPv4 or IPv6 header MUST be included. Note that if the packet
will not fit in the ERROR chunk or ABORT chunk being sent then the
bytes that do not fit are truncated.
] [NOTE to RFC-Editor: Assignment of cause code to be confirmed by
IANA.]
5.2.3. Port Number Collision Error Cause 5.2.3. Port Number Collision Error Cause
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x00B2 | Cause Length = Variable | | Cause Code = 0x00B2 | Cause Length = Variable |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ Chunk / \ Chunk /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Cause Code: 2 bytes (unsigned integer) Cause Code: 2 bytes (unsigned integer) This field holds the IANA
This field holds the IANA defined cause code for the 'Port Number defined cause code for the 'Port Number Collision' Error Cause.
Collision' Error Cause. IANA is requested to assign the value IANA is requested to assign the value 0x00B2 for this cause code.
0x00B2 for this cause code.
Cause Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the error cause. The
value MUST be the length of the Cause-Specific Information plus 4.
Chunk: variable length
The Cause-Specific Information is filled with the chunk that
caused this error. This can be an INIT, INIT ACK, or ASCONF
chunk. Note that if the entire chunk will not fit in the ERROR
chunk or ABORT chunk being sent then the bytes that do not fit are
truncated.
[NOTE to RFC-Editor: Cause Length: 2 bytes (unsigned integer) This field holds the length
in bytes of the error cause. The value MUST be the length of the
Cause-Specific Information plus 4.
Assignment of cause code to be confirmed by IANA. Chunk: variable length The Cause-Specific Information is filled with
the chunk that caused this error. This can be an INIT, INIT ACK,
or ASCONF chunk. Note that if the entire chunk will not fit in
the ERROR chunk or ABORT chunk being sent then the bytes that do
not fit are truncated.
] [NOTE to RFC-Editor: Assignment of cause code to be confirmed by
IANA.]
5.3. New Parameters 5.3. New Parameters
This section defines new parameters and their valid appearance This section defines new parameters and their valid appearance
defined by this document. defined by this document.
5.3.1. Disable Restart Parameter 5.3.1. Disable Restart Parameter
This parameter is used to indicate that the restart procedure is This parameter is used to indicate that the restart procedure is
requested to be disabled. Both endpoints of an association MUST requested to be disabled. Both endpoints of an association MUST
include this parameter in the INIT chunk and INIT ACK chunk when include this parameter in the INIT chunk and INIT ACK chunk when
establishing an association and MUST include it in the ASCONF chunk establishing an association and MUST include it in the ASCONF chunk
when adding an address to successfully disable the restart procedure. when adding an address to successfully disable the restart procedure.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0xC007 | Length = 4 | | Type = 0xC007 | Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Parameter Type: 2 bytes (unsigned integer) Parameter Type: 2 bytes (unsigned integer) This field holds the IANA
This field holds the IANA defined parameter type for the Disable defined parameter type for the Disable Restart Parameter. IANA is
Restart Parameter. IANA is requested to assign the value 0xC007 requested to assign the value 0xC007 for this parameter type.
for this parameter type.
Parameter Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the parameter. The value
MUST be 4.
[NOTE to RFC-Editor:
Assignment of parameter type to be confirmed by IANA. Parameter Length: 2 bytes (unsigned integer) This field holds the
length in bytes of the parameter. The value MUST be 4.
] [NOTE to RFC-Editor: Assignment of parameter type to be confirmed by
IANA.]
This parameter MAY appear in INIT, INIT ACK and ASCONF chunks and This parameter MAY appear in INIT, INIT ACK and ASCONF chunks and
MUST NOT appear in any other chunk. MUST NOT appear in any other chunk.
5.3.2. VTags Parameter 5.3.2. VTags Parameter
This parameter is used to help a NAT recover from state loss. This parameter is used to help a NAT recover from state loss.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0xC008 | Parameter Length = 16 | | Parameter Type = 0xC008 | Parameter Length = 16 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ASCONF-Request Correlation ID | | ASCONF-Request Correlation ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Internal Verification Tag | | Internal Verification Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| External Verification Tag | | External Verification Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Parameter Type: 2 bytes (unsigned integer) Parameter Type: 2 bytes (unsigned integer) This field holds the IANA
This field holds the IANA defined parameter type for the VTags defined parameter type for the VTags Parameter. IANA is requested
Parameter. IANA is requested to assign the value 0xC008 for this to assign the value 0xC008 for this parameter type.
parameter type.
Parameter Length: 2 bytes (unsigned integer) Parameter Length: 2 bytes (unsigned integer) This field holds the
This field holds the length in bytes of the parameter. The value length in bytes of the parameter. The value MUST be 16.
MUST be 16.
ASCONF-Request Correlation ID: 4 bytes (unsigned integer) ASCONF-Request Correlation ID: 4 bytes (unsigned integer) This is an
This is an opaque integer assigned by the sender to identify each opaque integer assigned by the sender to identify each request
request parameter. The receiver of the ASCONF Chunk will copy parameter. The receiver of the ASCONF Chunk will copy this 32-bit
this 32-bit value into the ASCONF Response Correlation ID field of value into the ASCONF Response Correlation ID field of the ASCONF
the ASCONF ACK response parameter. The sender of the ASCONF can ACK response parameter. The sender of the ASCONF can use this
use this same value in the ASCONF ACK to find which request the same value in the ASCONF ACK to find which request the response is
response is for. Note that the receiver MUST NOT change this for. Note that the receiver MUST NOT change this 32-bit value.
32-bit value.
Internal Verification Tag: 4 bytes (unsigned integer) Internal Verification Tag: 4 bytes (unsigned integer) The
The Verification Tag that the internal host has chosen for its Verification Tag that the internal host has chosen for its
communication. The Verification Tag is a unique 32-bit tag that communication. The Verification Tag is a unique 32-bit tag that
must accompany any incoming SCTP packet for this association to must accompany any incoming SCTP packet for this association to
the Private-Address. the Private-Address.
External Verification Tag: 4 bytes (unsigned integer) The External Verification Tag: 4 bytes (unsigned integer) The
Verification Tag that the host holding the External-Address has Verification Tag that the host holding the External-Address has
chosen for its communication. The VTag is a unique 32-bit tag chosen for its communication. The VTag is a unique 32-bit tag
that must accompany any incoming SCTP packet for this association that must accompany any incoming SCTP packet for this association
to the External-Address. to the External-Address.
[NOTE to RFC-Editor: [NOTE to RFC-Editor: Assignment of parameter type to be confirmed by
IANA.]
Assignment of parameter type to be confirmed by IANA.
]
This parameter MAY appear in ASCONF chunks and MUST NOT appear in any This parameter MAY appear in ASCONF chunks and MUST NOT appear in any
other chunk. other chunk.
6. Procedures for SCTP Endpoints and NAT Devices 6. Procedures for SCTP Endpoints and NAT Devices
When an SCTP endpoint is behind an SCTP-aware NAT a number of When an SCTP endpoint is behind an SCTP-aware NAT a number of
problems may arise as it tries to communicate with its peer: problems may arise as it tries to communicate with its peer:
o IP addresses can not not be included in the SCTP packet. This is * IP addresses can not be included in the SCTP packet. This is
discussed in Section 6.1. discussed in Section 6.1.
o More than one host behind a NAT device could select the same VTag * More than one host behind a NAT device could select the same VTag
and source port when talking to the same peer server. This and source port when talking to the same peer server. This
creates a situation where the NAT will not be able to tell the two creates a situation where the NAT will not be able to tell the two
associations apart. This situation is discussed in Section 6.2. associations apart. This situation is discussed in Section 6.2.
o When an SCTP endpoint is a server communicating with multiple * When an SCTP endpoint is a server communicating with multiple
peers and the peers are behind the same NAT, then the two peers and the peers are behind the same NAT, then the two
endpoints cannot be distinguished by the server. This case is endpoints cannot be distinguished by the server. This case is
discussed in Section 6.3. discussed in Section 6.3.
o A restart of a NAT during a conversation could cause a loss of its * A restart of a NAT during a conversation could cause a loss of its
state. This problem and its solution is discussed in Section 6.4. state. This problem and its solution is discussed in Section 6.4.
o NAT devices need to deal with SCTP packets being fragmented at the * NAT devices need to deal with SCTP packets being fragmented at the
IP layer. This is discussed in Section 6.5. IP layer. This is discussed in Section 6.5.
o An SCTP endpoint may be behind two NAT devices providing * An SCTP endpoint may be behind two NAT devices providing
redundancy. The method to set up this scenario is discussed in redundancy. The method to set up this scenario is discussed in
Section 6.6. Section 6.6.
Each of these mechanisms requires additional chunks and parameters, Each of these mechanisms requires additional chunks and parameters,
defined in this document, and possibly modified handling procedures defined in this document, and possibly modified handling procedures
from those specified in [RFC4960]. from those specified in [RFC4960].
6.1. Association Setup Considerations for Endpoints 6.1. Association Setup Considerations for Endpoints
The association setup procedure defined in [RFC4960] allows multi- The association setup procedure defined in [RFC4960] allows multi-
skipping to change at page 19, line 32 skipping to change at page 19, line 11
range at random this gives a 46-bit random number that has to match. range at random this gives a 46-bit random number that has to match.
A NAPT device can control the 16-bit Natted Port and therefore avoid A NAPT device can control the 16-bit Natted Port and therefore avoid
collisions deterministically. collisions deterministically.
The same can happen with the External-VTag when an INIT ACK chunk or The same can happen with the External-VTag when an INIT ACK chunk or
an ASCONF chunk is processed by the NAT. an ASCONF chunk is processed by the NAT.
6.2.1. NAT Device Considerations 6.2.1. NAT Device Considerations
If the NAT device detects a collision of internal port numbers and If the NAT device detects a collision of internal port numbers and
verification tags, it MUST send an ABORT chunk with the M-bit set if verification tags, it MUST send an ABORT chunk with the M bit set if
the collision is triggered by an INIT or INIT ACK chunk. If such a the collision is triggered by an INIT or INIT ACK chunk. If such a
collision is triggered by an ASCONF chunk, it MUST send an ERROR collision is triggered by an ASCONF chunk, it MUST send an ERROR
chunk with the M-bit. The M-bit is a new bit defined by this chunk with the M bit. The M bit is a new bit defined by this
document to express to SCTP that the source of this packet is a document to express to SCTP that the source of this packet is a
"middle" box, not the peer SCTP endpoint (see Section 5.1.1). If a "middle" box, not the peer SCTP endpoint (see Section 5.1.1). If a
packet containing an INIT ACK chunk triggers the collision, the packet containing an INIT ACK chunk triggers the collision, the
corresponding packet containing the ABORT chunk MUST contain the same corresponding packet containing the ABORT chunk MUST contain the same
source and destination address and port numbers as the packet source and destination address and port numbers as the packet
containing the INIT ACK chunk. In the other two cases, the source containing the INIT ACK chunk. In the other two cases, the source
and destination address and port numbers MUST be swapped. and destination address and port numbers MUST be swapped.
The sender of the ERROR or ABORT chunk MUST include the error cause The sender of the ERROR or ABORT chunk MUST include the error cause
with cause code 'VTag and Port Number Collision' (see Section 5.2.1). with cause code 'VTag and Port Number Collision' (see Section 5.2.1).
6.2.2. Endpoint Considerations 6.2.2. Endpoint Considerations
The sender of the packet containing the INIT chunk or the receiver of The sender of the packet containing the INIT chunk or the receiver of
the INIT ACK chunk, upon reception of an ABORT chunk with M-bit set the INIT ACK chunk, upon reception of an ABORT chunk with M bit set
and the appropriate error cause code for colliding NAT binding table and the appropriate error cause code for colliding NAT binding table
state is included, SHOULD reinitiate the association setup procedure state is included, SHOULD reinitiate the association setup procedure
after choosing a new initiate tag, if the association is in COOKIE- after choosing a new initiate tag, if the association is in COOKIE-
WAIT state. In any other state, the SCTP endpoint MUST NOT respond. WAIT state. In any other state, the SCTP endpoint MUST NOT respond.
The sender of the ASCONF chunk, upon reception of an ERROR chunk with The sender of the ASCONF chunk, upon reception of an ERROR chunk with
M-bit set, MUST stop adding the path to the association. M bit set, MUST stop adding the path to the association.
6.3. Handling of Internal Port Number Collisions 6.3. Handling of Internal Port Number Collisions
When two SCTP hosts are behind an SCTP-aware NAT it is possible that When two SCTP hosts are behind an SCTP-aware NAT it is possible that
two SCTP hosts in the Private-Address space will want to set up an two SCTP hosts in the Private-Address space will want to set up an
SCTP association with the same server running on the same host in the SCTP association with the same server running on the same host in the
Internet. If the two hosts choose the same internal port, this is Internet. If the two hosts choose the same internal port, this is
considered an internal port number collision. considered an internal port number collision.
For the NAT, appropriate tracking may be performed by assuring that For the NAT, appropriate tracking may be performed by assuring that
skipping to change at page 20, line 31 skipping to change at page 20, line 14
6.3.1. NAT Device Considerations 6.3.1. NAT Device Considerations
The NAT, when processing the INIT ACK, should note in its NAT binding The NAT, when processing the INIT ACK, should note in its NAT binding
table that the association supports the disable restart extension. table that the association supports the disable restart extension.
This note is used when establishing future associations (i.e. when This note is used when establishing future associations (i.e. when
processing an INIT from an internal host) to decide if the connection processing an INIT from an internal host) to decide if the connection
should be allowed. The NAT device does the following when processing should be allowed. The NAT device does the following when processing
an INIT: an INIT:
o If the INIT is originating from an internal port to an external * If the INIT is originating from an internal port to an external
port for which the NAT device has no matching NAT binding table port for which the NAT device has no matching NAT binding table
entry, it MUST allow the INIT creating an NAT binding table entry. entry, it MUST allow the INIT creating an NAT binding table entry.
o If the INIT matches an existing NAT binding table entry, it MUST * If the INIT matches an existing NAT binding table entry, it MUST
validate that the disable restart feature is supported and, if it validate that the disable restart feature is supported and, if it
does, allow the INIT to be forwarded. does, allow the INIT to be forwarded.
o If the disable restart feature is not supported, the NAT device * If the disable restart feature is not supported, the NAT device
MUST send an ABORT with the M-bit set. MUST send an ABORT with the M bit set.
The 'Port Number Collision' error cause (see Section 5.2.3) MUST be The 'Port Number Collision' error cause (see Section 5.2.3) MUST be
included in the ABORT chunk sent in response to the INIT chunk. included in the ABORT chunk sent in response to the INIT chunk.
If the collision is triggered by an ASCONF chunk, a packet containing If the collision is triggered by an ASCONF chunk, a packet containing
an ERROR chunk with the 'Port Number Collision' error cause MUST be an ERROR chunk with the 'Port Number Collision' error cause MUST be
sent in response to the ASCONF chunk. sent in response to the ASCONF chunk.
6.3.2. Endpoint Considerations 6.3.2. Endpoint Considerations
For the external SCTP server on the Internet this means that the For the external SCTP server on the Internet this means that the
External-Port and the External-Address are the same. If they both External-Port and the External-Address are the same. If they both
have chosen the same Internal-Port the server cannot distinguish have chosen the same Internal-Port the server cannot distinguish
between both associations based on the address and port numbers. For between both associations based on the address and port numbers. For
the server it looks like the association is being restarted. To the server it looks like the association is being restarted. To
overcome this limitation the client sends a Disable Restart parameter overcome this limitation the client sends a Disable Restart parameter
in the INIT chunk. in the INIT chunk.
When the server receives this parameter it does the following: When the server receives this parameter it does the following:
o It MUST include a Disable Restart parameter in the INIT ACK to * It MUST include a Disable Restart parameter in the INIT ACK to
inform the client that it will support the feature. inform the client that it will support the feature.
o It MUST disable the restart procedures defined in [RFC4960] for * It MUST disable the restart procedures defined in [RFC4960] for
this association. this association.
Servers that support this feature will need to be capable of Servers that support this feature will need to be capable of
maintaining multiple connections to what appears to be the same peer maintaining multiple connections to what appears to be the same peer
(behind the NAT) differentiated only by the VTags. (behind the NAT) differentiated only by the VTags.
6.4. Handling of Missing State 6.4. Handling of Missing State
6.4.1. NAT Device Considerations 6.4.1. NAT Device Considerations
If the NAT device receives a packet from the internal network for If the NAT device receives a packet from the internal network for
which the lookup procedure does not find an entry in the NAT binding which the lookup procedure does not find an entry in the NAT binding
table, a packet containing an ERROR chunk is sent back with the M-bit table, a packet containing an ERROR chunk is sent back with the M bit
set. The source address of the packet containing the ERROR chunk set. The source address of the packet containing the ERROR chunk
MUST be the destination address of the incoming SCTP packet. The MUST be the destination address of the incoming SCTP packet. The
verification tag is reflected and the T-bit is set. Such a packet verification tag is reflected and the T bit is set. Such a packet
containing an ERROR chunk SHOULD NOT be sent if the received packet containing an ERROR chunk SHOULD NOT be sent if the received packet
contains an ABORT, SHUTDOWN COMPLETE or INIT ACK chunk. An ERROR contains an ABORT, SHUTDOWN COMPLETE or INIT ACK chunk. An ERROR
chunk MUST NOT be sent if the received packet contains an ERROR chunk chunk MUST NOT be sent if the received packet contains an ERROR chunk
with the M-bit set. In any case, the packet SHOULD NOT be forwarded with the M bit set. In any case, the packet SHOULD NOT be forwarded
to the external address. to the external address.
When sending the ERROR chunk, the error cause 'Missing State' (see When sending the ERROR chunk, the error cause 'Missing State' (see
Section 5.2.2) MUST be included and the M-bit of the ERROR chunk MUST Section 5.2.2) MUST be included and the M bit of the ERROR chunk MUST
be set (see Section 5.1.2). be set (see Section 5.1.2).
If the NAT device receives a packet for which it has no NAT binding If the NAT device receives a packet for which it has no NAT binding
table entry and the packet contains an ASCONF chunk with the VTags table entry and the packet contains an ASCONF chunk with the VTags
parameter, the NAT device MUST update its NAT binding table according parameter, the NAT device MUST update its NAT binding table according
to the verification tags in the VTags parameter and the optional to the verification tags in the VTags parameter and the optional
Disable Restart parameter. Disable Restart parameter.
6.4.2. Endpoint Considerations 6.4.2. Endpoint Considerations
Upon reception of this ERROR chunk by an SCTP endpoint the receiver Upon reception of this ERROR chunk by an SCTP endpoint the receiver
takes the following actions: takes the following actions:
o It SHOULD validate that the verification tag is reflected by * It SHOULD validate that the verification tag is reflected by
looking at the VTag that would have been included in the outgoing looking at the VTag that would have been included in the outgoing
packet. If the validation fails, discard the incoming ERROR packet. If the validation fails, discard the incoming ERROR
chunk. chunk.
o It SHOULD validate that the peer of the SCTP association supports * It SHOULD validate that the peer of the SCTP association supports
the dynamic address extension. If the validation fails, discard the dynamic address extension. If the validation fails, discard
the incoming ERROR chunk. the incoming ERROR chunk.
o It SHOULD generate a new ASCONF chunk containing the VTags * It SHOULD generate a new ASCONF chunk containing the VTags
parameter (see Section 5.3.2) and the Disable Restart parameter parameter (see Section 5.3.2) and the Disable Restart parameter
(see Section 5.3.1) if the association is using the disable (see Section 5.3.1) if the association is using the disable
restart feature. By processing this packet the NAT device can restart feature. By processing this packet the NAT device can
recover the appropriate state. The procedures for generating an recover the appropriate state. The procedures for generating an
ASCONF chunk can be found in [RFC5061]. ASCONF chunk can be found in [RFC5061].
The peer SCTP endpoint receiving such an ASCONF chunk SHOULD either The peer SCTP endpoint receiving such an ASCONF chunk SHOULD either
add the address and respond with an acknowledgment, if the address is add the address and respond with an acknowledgment, if the address is
new to the association (following all procedures defined in new to the association (following all procedures defined in
[RFC5061]). Or, if the address is already part of the association, [RFC5061]). Or, if the address is already part of the association,
skipping to change at page 22, line 46 skipping to change at page 22, line 25
'Internal Port Number and Verification Tag collision'. In such a 'Internal Port Number and Verification Tag collision'. In such a
case the NAT MUST send an ERROR chunk with the error cause code set case the NAT MUST send an ERROR chunk with the error cause code set
to 'VTag and Port Number Collision' (see Section 5.2.1). to 'VTag and Port Number Collision' (see Section 5.2.1).
If an SCTP endpoint receives an ERROR with 'Internal Port Number and If an SCTP endpoint receives an ERROR with 'Internal Port Number and
Verification Tag collision' as the error cause and the packet in the Verification Tag collision' as the error cause and the packet in the
Error Chunk contains an ASCONF with the VTags parameter, careful Error Chunk contains an ASCONF with the VTags parameter, careful
examination of the association is required. The endpoint does the examination of the association is required. The endpoint does the
following: following:
o It MUST validate that the verification tag is reflected by looking * It MUST validate that the verification tag is reflected by looking
at the VTag that would have been included in the outgoing packet. at the VTag that would have been included in the outgoing packet.
If the validation fails, it MUST discard the packet. If the validation fails, it MUST discard the packet.
o It MUST validate that the peer of the SCTP association supports * It MUST validate that the peer of the SCTP association supports
the dynamic address extension. If the peer does not support it, the dynamic address extension. If the peer does not support it,
the NAT Device MUST discard the incoming ERROR chunk. the NAT Device MUST discard the incoming ERROR chunk.
o If the association is attempting to add an address (i.e. following * If the association is attempting to add an address (i.e. following
the procedures in Section 6.6) then the endpoint MUST NOT consider the procedures in Section 6.6) then the endpoint MUST NOT consider
the address part of the association and SHOULD make no further the address part of the association and SHOULD make no further
attempt to add the address (i.e. cancel any ASCONF timers and attempt to add the address (i.e. cancel any ASCONF timers and
remove any record of the path), since the NAT devie has a VTag remove any record of the path), since the NAT device has a VTag
collision and the association cannot easily create a new VTag (as collision and the association cannot easily create a new VTag (as
it would if the error occurred when sending an INIT). it would if the error occurred when sending an INIT).
o If the endpoint has no other path, i.e. the procedure was executed * If the endpoint has no other path, i.e. the procedure was executed
due to missing a state in the NAT device, then the endpoint MUST due to missing a state in the NAT device, then the endpoint MUST
abort the association. This would occur only if the local NAT abort the association. This would occur only if the local NAT
device restarted and accepted a new association before attempting device restarted and accepted a new association before attempting
to repair the missing state (Note that this is no different than to repair the missing state (Note that this is no different than
what happens to all TCP connections when a NAT device looses its what happens to all TCP connections when a NAT device looses its
state). state).
6.5. Handling of Fragmented SCTP Packets by NAT Devices 6.5. Handling of Fragmented SCTP Packets by NAT Devices
A NAT device MUST support IP reassembly of received fragmented SCTP A NAT device MUST support IP reassembly of received fragmented SCTP
skipping to change at page 28, line 17 skipping to change at page 26, line 30
+------+ +-----+ / \ / +--------+ \ +------+ +------+ +-----+ / \ / +--------+ \ +------+
| Host | <-----> | NAT | <-> | Internet | == =| Host | | Host | <-----> | NAT | <-> | Internet | == =| Host |
| A | +-----+ \ / \ +--------+ / | B | | A | +-----+ \ / \ +--------+ / | B |
+------+ \--/\--/ \-|Router 2|-/ +------+ +------+ \--/\--/ \-|Router 2|-/ +------+
+--------+ +--------+
INIT ACK[Initiate-tag = 5678, IP-Addr = 203.0.113.129] INIT ACK[Initiate-tag = 5678, IP-Addr = 203.0.113.129]
192.0.2.1:1 <-------------------------- 203.0.113.1:2 192.0.2.1:1 <-------------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
NAT does not need to change the NAT binding table for the second The NAT device does not need to change the NAT binding table for the
address: second address:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
10.0.0.1:1 <--- 203.0.113.1:2 10.0.0.1:1 <--- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE
ACK. ACK.
+--------+ +--------+
/--\/--\ /-|Router 1| \ /--\/--\ /-|Router 1| \
+------+ +-----+ / \ / +--------+ \ +------+ +------+ +-----+ / \ / +--------+ \ +------+
| Host | <-----> | NAT | <-> | Internet | == =| Host | | Host | <-----> | NAT | <-> | Internet | == =| Host |
| A | +-----+ \ / \ +--------+ / | B | | A | +-----+ \ / \ +--------+ / | B |
+------+ \--/\--/ \-|Router 2|-/ +------+ +------+ \--/\--/ \-|Router 2|-/ +------+
skipping to change at page 30, line 5 skipping to change at page 27, line 34
COOKIE ACK COOKIE ACK
10.0.0.1:1 <--- 203.0.113.1:2 10.0.0.1:1 <--- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
7.3. Multihomed Client and Server 7.3. Multihomed Client and Server
The client (Host A) sends an INIT to the server (Host B), but does The client (Host A) sends an INIT to the server (Host B), but does
not include the second address. not include the second address.
+-------+ +-------+
/--| NAT 1 |--\ /--\/--\ /--| NAT 1 |--\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |====| Host B | | Host |=== ====| Internet |====| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--| NAT 2 |--/ \--/\--/ +------+ \--| NAT 2 |--/ \--/\--/
+-------+ +-------+
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT 1 | Int | Int | Ext | Ext | Priv | NAT 1 | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
10.0.0.1:1 --------> 203.0.113.1:2 10.0.0.1:1 --------> 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
NAT 1 creates entry: NAT 1 creates entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT 1 | Int | Int | Ext | Ext | Priv | NAT 1 | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 0 | 2 | 10.0.0.1 | | 1234 | 1 | 0 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
skipping to change at page 31, line 20 skipping to change at page 28, line 33
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
+-------+ +-------+
INIT ACK[Initiate-Tag = 5678, IP-Addr = 203.0.113.129] INIT ACK[Initiate-Tag = 5678, IP-Addr = 203.0.113.129]
192.0.2.1:1 <----------------------- 203.0.113.1:2 192.0.2.1:1 <----------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
NAT 1 does not need to update the NAT binding table for the second NAT 1 does not need to update the NAT binding table for the second
address: address:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT 1 | Int | Int | Ext | Ext | Priv | NAT 1 | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
10.0.0.1:1 <-------- 203.0.113.1:2 10.0.0.1:1 <-------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE
ACK. ACK.
+-------+ +-------+
/--------| NAT 1 |--------\ /--\/--\ /--------| NAT 1 |--------\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |===| Host B | | Host |=== ====| Internet |===| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
skipping to change at page 33, line 5 skipping to change at page 30, line 5
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
+-------+ +-------+
ASCONF [ADD-IP=0.0.0.0, INT-VTag=1234, Ext-VTag = 5678] ASCONF [ADD-IP=0.0.0.0, INT-VTag=1234, Ext-VTag = 5678]
10.1.0.1:1 --------> 203.0.113.129:2 10.1.0.1:1 --------> 203.0.113.129:2
Ext-VTag = 5678 Ext-VTag = 5678
NAT 2 creates a complete entry: NAT 2 creates a complete entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT 2 | Int | Int | Ext | Ext | Priv | NAT 2 | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.1.0.1 | | 1234 | 1 | 5678 | 2 | 10.1.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
ASCONF [ADD-IP, Int-VTag=1234, Ext-VTag = 5678] ASCONF [ADD-IP, Int-VTag=1234, Ext-VTag = 5678]
192.0.2.129:1 ---------------------> 203.0.113.129:2 192.0.2.129:1 -------------------> 203.0.113.129:2
Ext-VTag = 5678 Ext-VTag = 5678
ASCONF ACK ASCONF ACK
192.0.2.129:1 <--------------------- 203.0.113.129:2 192.0.2.129:1 <------------------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
ASCONF ACK ASCONF ACK
10.1.0.1:1 <----- 203.0.113.129:2 10.1.0.1:1 <----- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
7.4. NAT Loses Its State 7.4. NAT Loses Its State
Association is already established between Host A and Host B, when Association is already established between Host A and Host B, when
the NAT loses its state and obtains a new public address. Host A the NAT loses its state and obtains a new public address. Host A
sends a DATA chunk to Host B. sends a DATA chunk to Host B.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
skipping to change at page 34, line 19 skipping to change at page 31, line 19
\--/\--/ \--/\--/
ERROR [M-Bit, NAT state missing] ERROR [M-Bit, NAT state missing]
10.0.0.1:1 <---------- 203.0.113.1:2 10.0.0.1:1 <---------- 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
On reception of the ERROR message, Host A sends an ASCONF chunk On reception of the ERROR message, Host A sends an ASCONF chunk
indicating that the former information has to be deleted and the indicating that the former information has to be deleted and the
source address of the actual packet added. source address of the actual packet added.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
ASCONF [ADD-IP, DELETE-IP, Int-VTag=1234, Ext-VTag = 5678] ASCONF [ADD-IP, DELETE-IP, Int-VTag=1234, Ext-VTag = 5678]
10.0.0.1:1 ----------> 203.0.113.129:2 10.0.0.1:1 ----------> 203.0.113.129:2
Ext-VTag = 5678 Ext-VTag = 5678
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
ASCONF [ADD-IP, DELETE-IP, Int-VTag=1234, Ext-VTag = 5678] ASCONF [ADD-IP, DELETE-IP, Int-VTag=1234, Ext-VTag = 5678]
192.0.2.2:1 -------------------> 203.0.113.129:2 192.0.2.2:1 -----------------> 203.0.113.129:2
Ext-VTag = 5678 Ext-VTag = 5678
Host B adds the new source address to this association and deletes Host B adds the new source address to this association and deletes
all other addresses from this association. all other addresses from this association.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
ASCONF ACK ASCONF ACK
192.0.2.2:1 <------------------- 203.0.113.129:2 192.0.2.2:1 <----------------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
ASCONF ACK ASCONF ACK
10.1.0.1:1 <---------- 203.0.113.129:2 10.1.0.1:1 <---------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
DATA DATA
10.0.0.1:1 ----------> 203.0.113.1:2 10.0.0.1:1 ----------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
DATA DATA
192.0.2.2:1 -------------------> 203.0.113.129:2 192.0.2.2:1 -----------------> 203.0.113.129:2
Ext-VTag = 5678 Ext-VTag = 5678
7.5. Peer-to-Peer Communication 7.5. Peer-to-Peer Communication
If two hosts are behind NAT devices and want to communicate with each If two hosts are behind NAT devices and want to communicate with each
other, they have to get knowledge of the peer's public address. This other, they have to get knowledge of the peer's public address. This
can be achieved with a so-called rendezvous server. Afterwards the can be achieved with a so-called rendezvous server. Afterwards the
destination addresses are public, and the association is set up with destination addresses are public, and the association is set up with
the help of the INIT collision. The NAT devices create their entries the help of the INIT collision. The NAT devices create their entries
according to their internal peer's point of view. Therefore, NAT A's according to their internal peer's point of view. Therefore, NAT A's
Internal-VTag and Internal-Port are NAT B's External-VTag and Internal-VTag and Internal-Port are NAT B's External-VTag and
skipping to change at page 36, line 30 skipping to change at page 33, line 30
NAT B | Int | Int | Ext | Ext | Priv | NAT B | Int | Int | Ext | Ext | Priv |
| v-tag | port | v-tag | port | Addr | | v-tag | port | v-tag | port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
10.0.0.1:1 --> 203.0.113.1:2 10.0.0.1:1 --> 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
NAT A creates entry: NAT A creates entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT A | Int | Int | Ext | Ext | Priv | NAT A | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 0 | 2 | 10.0.0.1 | | 1234 | 1 | 0 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
192.0.2.1:1 ----------------> 203.0.113.1:2 192.0.2.1:1 ----------------> 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
NAT B processes INIT, but cannot find an entry. The SCTP packet is NAT B processes INIT, but cannot find an entry. The SCTP packet is
silently discarded and leaves the NAT binding table of NAT B silently discarded and leaves the NAT binding table of NAT B
unchanged. unchanged.
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT B | Int | Int | Ext | Ext | Priv | NAT B | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
Now Host B sends INIT, which is processed by NAT B. Its parameters Now Host B sends INIT, which is processed by NAT B. Its parameters
are used to create an entry. are used to create an entry.
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
skipping to change at page 40, line 37 skipping to change at page 36, line 37
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE ACK COOKIE ACK
192.0.2.1:1 ----------------> 203.0.113.1:2 192.0.2.1:1 ----------------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE ACK COOKIE ACK
192.0.2.1:1 --> 10.1.0.1:2 192.0.2.1:1 --> 10.1.0.1:2
Ext-VTag = 5678 Ext-VTag = 5678
8. Socket API Considerations 8. SCTP NAT YANG Module
This section defines a YANG module for SCTP NAT.
The terminology for describing YANG data models is defined in
[RFC7950]. The meaning of the symbols in tree diagrams is defined in
[RFC8340].
8.1. Tree Structure
This module augments NAT YANG module [RFC8512] with SCTP specifics.
The module supports both classical SCTP NAT (that is, rewrite port
numbers) and SCTP-specific variant where the ports numbers are not
altered. The YANG "feature" is used to indicate whether SCTP-
specific variant is supported.
The tree structure of the SCTP NAT YANG module is provided below:
module: ietf-nat-sctp
augment /nat:nat/nat:instances/nat:instance
/nat:policy/nat:timers:
+--rw sctp-timeout? uint32
augment /nat:nat/nat:instances/nat:instance
/nat:mapping-table/nat:mapping-entry:
+--rw int-VTag? uint32 {sctp-nat}?
+--rw ext-VTag? uint32 {sctp-nat}?
Concretely, the SCTP NAT YANG module augments the NAT YANG module
(policy, in particular) with the following:
* The sctp-timeout is used to control the SCTP inactivity timeout.
That is, the time an SCTP mapping will stay active without SCTP
packets traversing the NAT. This timeout can be set only for
SCTP. Hence, "/nat:nat/nat:instances/nat:instance/nat:policy/
nat:transport-protocols/nat:protocol-id" MUST be set to '132'
(SCTP).
In addition, the SCTP NAT YANG module augments the mapping entry with
the following parameters defined in Section 3. These parameters
apply only for SCTP NAT mapping entries (i.e.,
"/nat/instances/instance/mapping-table/mapping-entry/transport-
protocol" MUST be set to '132');
* The Internal Verification Tag (Int-VTag)
* The External Verification Tag (Ext-VTag)
8.2. YANG Module
<CODE BEGINS>
module ietf-nat-sctp {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-nat-sctp";
prefix nat-sctp;
import ietf-nat {
prefix nat;
reference
"RFC 8512: A YANG Module for Network Address Translation
(NAT) and Network Prefix Translation (NPT)";
}
organization
"IETF TSVWG Working Group";
contact
"WG Web: <https://datatracker.ietf.org/wg/tsvwg/>
WG List: <mailto:tsvwg@ietf.org>
Author: Mohamed Boucadair
<mailto:mohamed.boucadair@orange.com>";
description
"This module augments NAT YANG module with Stream Control
Transmission Protocol (SCTP) specifics. The extension supports
both a classical SCTP NAT (that is, rewrite port numbers)
and a, SCTP-specific variant where the ports numbers are
not altered.
Copyright (c) 2019 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
revision 2019-11-18 {
description
"Initial revision.";
reference
"RFC XXXX: Stream Control Transmission Protocol (SCTP)
Network Address Translation Support";
}
feature sctp-nat {
description
"This feature means that SCTP-specific variant of NAT
is supported. That is, avoid rewriting port numbers.";
reference
"Section 4.3 of RFC XXXX.";
}
augment "/nat:nat/nat:instances/nat:instance"
+ "/nat:policy/nat:timers" {
when "/nat:nat/nat:instances/nat:instance"
+ "/nat:policy/nat:transport-protocols"
+ "/nat:protocol-id = 132";
description
"Extends NAT policy with a timeout for SCTP mapping
entries.";
leaf sctp-timeout {
type uint32;
units "seconds";
description
"SCTP inactivity timeout. That is, the time an SCTP
mapping entry will stay active without packets
traversing the NAT.";
}
}
augment "/nat:nat/nat:instances/nat:instance"
+ "/nat:mapping-table/nat:mapping-entry" {
when "nat:transport-protocol = 132";
if-feature "sctp-nat";
description
"Extends the mapping entry with SCTP specifics.";
leaf int-VTag {
type uint32;
description
"The Internal Verification Tag that the internal
host has chosen for this communication.";
}
leaf ext-VTag {
type uint32;
description
"The External Verification Tag that the remote
peer has chosen for this communication.";
}
}
}
<CODE ENDS>
9. Socket API Considerations
This section describes how the socket API defined in [RFC6458] is This section describes how the socket API defined in [RFC6458] is
extended to provide a way for the application to control NAT extended to provide a way for the application to control NAT
friendliness. friendliness.
Please note that this section is informational only. Please note that this section is informational only.
A socket API implementation based on [RFC6458] is extended by A socket API implementation based on [RFC6458] is extended by
supporting one new read/write socket option. supporting one new read/write socket option.
8.1. Get or Set the NAT Friendliness (SCTP_NAT_FRIENDLY) 9.1. Get or Set the NAT Friendliness (SCTP_NAT_FRIENDLY)
This socket option uses the option_level IPPROTO_SCTP and the This socket option uses the option_level IPPROTO_SCTP and the
option_name SCTP_NAT_FRIENDLY. It can be used to enable/disable the option_name SCTP_NAT_FRIENDLY. It can be used to enable/disable the
NAT friendliness for future associations and retrieve the value for NAT friendliness for future associations and retrieve the value for
future and specific ones. future and specific ones.
struct sctp_assoc_value { struct sctp_assoc_value {
sctp_assoc_t assoc_id; sctp_assoc_t assoc_id;
uint32_t assoc_value; uint32_t assoc_value;
}; };
assoc_id: This parameter is ignored for one-to-one style sockets. assoc_id This parameter is ignored for one-to-one style sockets.
For one-to-many style sockets the application may fill in an For one-to-many style sockets the application may fill in an
association identifier or SCTP_FUTURE_ASSOC for this query. It is association identifier or SCTP_FUTURE_ASSOC for this query. It is
an error to use SCTP_{CURRENT|ALL}_ASSOC in assoc_id. an error to use SCTP_{CURRENT|ALL}_ASSOC in assoc_id.
assoc_value: A non-zero value indicates a NAT-friendly mode. assoc_value A non-zero value indicates a NAT-friendly mode.
9. IANA Considerations
[NOTE to RFC-Editor:
"RFCXXXX" is to be replaced by the RFC number you assign this
document.
]
[NOTE to RFC-Editor: 10. IANA Considerations
The requested values for the chunk type and the chunk parameter [NOTE to RFC-Editor: "RFCXXXX" is to be replaced by the RFC number
types are tentative and to be confirmed by IANA. you assign this document.]
] [NOTE to RFC-Editor: The requested values for the chunk type and the
chunk parameter types are tentative and to be confirmed by IANA.]
This document (RFCXXXX) is the reference for all registrations This document (RFCXXXX) is the reference for all registrations
described in this section. The requested changes are described described in this section. The requested changes are described
below. below.
9.1. New Chunk Flags for Two Existing Chunk Types 10.1. New Chunk Flags for Two Existing Chunk Types
As defined in [RFC6096] two chunk flags have to be assigned by IANA As defined in [RFC6096] two chunk flags have to be assigned by IANA
for the ERROR chunk. The requested value for the T bit is 0x01 and for the ERROR chunk. The requested value for the T bit is 0x01 and
for the M bit is 0x02. for the M bit is 0x02.
This requires an update of the "ERROR Chunk Flags" registry for SCTP: This requires an update of the "ERROR Chunk Flags" registry for SCTP:
ERROR Chunk Flags ERROR Chunk Flags
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
| Chunk Flag Value | Chunk Flag Name | Reference | | Chunk Flag Value | Chunk Flag Name | Reference |
+------------------+-----------------+-----------+ +==================+=================+===========+
| 0x01 | T bit | [RFCXXXX] | | 0x01 | T bit | [RFCXXXX] |
+------------------+-----------------+-----------+
| 0x02 | M bit | [RFCXXXX] | | 0x02 | M bit | [RFCXXXX] |
+------------------+-----------------+-----------+
| 0x04 | Unassigned | | | 0x04 | Unassigned | |
+------------------+-----------------+-----------+
| 0x08 | Unassigned | | | 0x08 | Unassigned | |
+------------------+-----------------+-----------+
| 0x10 | Unassigned | | | 0x10 | Unassigned | |
+------------------+-----------------+-----------+
| 0x20 | Unassigned | | | 0x20 | Unassigned | |
+------------------+-----------------+-----------+
| 0x40 | Unassigned | | | 0x40 | Unassigned | |
+------------------+-----------------+-----------+
| 0x80 | Unassigned | | | 0x80 | Unassigned | |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
Table 2
As defined in [RFC6096] one chunk flag has to be assigned by IANA for As defined in [RFC6096] one chunk flag has to be assigned by IANA for
the ABORT chunk. The requested value of the M bit is 0x02. the ABORT chunk. The requested value of the M bit is 0x02.
This requires an update of the "ABORT Chunk Flags" registry for SCTP: This requires an update of the "ABORT Chunk Flags" registry for SCTP:
ABORT Chunk Flags ABORT Chunk Flags
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
| Chunk Flag Value | Chunk Flag Name | Reference | | Chunk Flag Value | Chunk Flag Name | Reference |
+------------------+-----------------+-----------+ +==================+=================+===========+
| 0x01 | T bit | [RFC4960] | | 0x01 | T bit | [RFC4960] |
+------------------+-----------------+-----------+
| 0x02 | M bit | [RFCXXXX] | | 0x02 | M bit | [RFCXXXX] |
+------------------+-----------------+-----------+
| 0x04 | Unassigned | | | 0x04 | Unassigned | |
+------------------+-----------------+-----------+
| 0x08 | Unassigned | | | 0x08 | Unassigned | |
+------------------+-----------------+-----------+
| 0x10 | Unassigned | | | 0x10 | Unassigned | |
+------------------+-----------------+-----------+
| 0x20 | Unassigned | | | 0x20 | Unassigned | |
+------------------+-----------------+-----------+
| 0x40 | Unassigned | | | 0x40 | Unassigned | |
+------------------+-----------------+-----------+
| 0x80 | Unassigned | | | 0x80 | Unassigned | |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
9.2. Three New Error Causes Table 3
10.2. Three New Error Causes
Three error causes have to be assigned by IANA. It is requested to Three error causes have to be assigned by IANA. It is requested to
use the values given below. use the values given below.
This requires three additional lines in the "Error Cause Codes" This requires three additional lines in the "Error Cause Codes"
registry for SCTP: registry for SCTP:
Error Cause Codes Error Cause Codes
+-------+--------------------------------+-----------+ +-------+--------------------------------+-----------+
| Value | Cause Code | Reference | | Value | Cause Code | Reference |
+-------+--------------------------------+-----------+ +=======+================================+===========+
| 176 | VTag and Port Number Collision | [RFCXXXX] | | 176 | VTag and Port Number Collision | [RFCXXXX] |
+-------+--------------------------------+-----------+
| 177 | Missing State | [RFCXXXX] | | 177 | Missing State | [RFCXXXX] |
+-------+--------------------------------+-----------+
| 178 | Port Number Collision | [RFCXXXX] | | 178 | Port Number Collision | [RFCXXXX] |
+-------+--------------------------------+-----------+ +-------+--------------------------------+-----------+
9.3. Two New Chunk Parameter Types Table 4
10.3. Two New Chunk Parameter Types
Two chunk parameter types have to be assigned by IANA. It is Two chunk parameter types have to be assigned by IANA. It is
requested to use the values given below. IANA should assign these requested to use the values given below. IANA should assign these
values from the pool of parameters with the upper two bits set to values from the pool of parameters with the upper two bits set to
'11'. '11'.
This requires two additional lines in the "Chunk Parameter Types" This requires two additional lines in the "Chunk Parameter Types"
registry for SCTP: registry for SCTP:
Chunk Parameter Types Chunk Parameter Types
+----------+--------------------------+-----------+ +----------+--------------------------+-----------+
| ID Value | Chunk Parameter Type | Reference | | ID Value | Chunk Parameter Type | Reference |
+----------+--------------------------+-----------+ +==========+==========================+===========+
| 49159 | Disable Restart (0xC007) | [RFCXXXX] | | 49159 | Disable Restart (0xC007) | [RFCXXXX] |
+----------+--------------------------+-----------+
| 49160 | VTags (0xC008) | [RFCXXXX] | | 49160 | VTags (0xC008) | [RFCXXXX] |
+----------+--------------------------+-----------+ +----------+--------------------------+-----------+
10. Security Considerations Table 5
10.4. One New URI
An URI in the "ns" subregistry within the "IETF XML" registry has to
be assigned by IANA ([RFC3688]):
URI: urn:ietf:params:xml:ns:yang:ietf-nat-sctp
Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace.
10.5. One New YANG Module
An YANG module in the "YANG Module Names" subregistry within the
"YANG Parameters" registry has to be assigned by IANA ([RFC6020]):
Name: ietf-nat-sctp
Namespace: urn:ietf:params:xml:ns:yang:ietf-nat-sctp
Maintained by IANA: N
Prefix: nat-sctp
Reference: RFCXXXX
11. Security Considerations
State maintenance within a NAT is always a subject of possible Denial State maintenance within a NAT is always a subject of possible Denial
Of Service attacks. This document recommends that at a minimum a NAT Of Service attacks. This document recommends that at a minimum a NAT
runs a timer on any SCTP state so that old association state can be runs a timer on any SCTP state so that old association state can be
cleaned up. cleaned up.
Generic issues related to address sharing are discussed in [RFC6269]
and apply to SCTP as well.
For SCTP endpoints, this document does not add any additional For SCTP endpoints, this document does not add any additional
security considerations to the ones given in [RFC4960], [RFC4895], security considerations to the ones given in [RFC4960], [RFC4895],
and [RFC5061]. In particular, SCTP is protected by the verification and [RFC5061]. In particular, SCTP is protected by the verification
tags and the usage of [RFC4895] against off-path attackers. tags and the usage of [RFC4895] against off-path attackers.
11. Acknowledgments The YANG module specified in this document defines a schema for data
that is designed to be accessed via network management protocols such
as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer
is the secure transport layer, and the mandatory-to-implement secure
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
is HTTPS, and the mandatory-to-implement secure transport is TLS
[RFC8446].
The authors wish to thank Gorry Fairhurst, Bryan Ford, David Hayes, The Network Configuration Access Control Model (NACM) [RFC8341]
Alfred Hines, Karen E. E. Nielsen, Henning Peters, Maksim Proshin, provides the means to restrict access for particular NETCONF or
Timo Voelker, Dan Wing, and Qiaobing Xie for their invaluable RESTCONF users to a preconfigured subset of all available NETCONF or
comments. RESTCONF protocol operations and content.
All data nodes defined in the YANG module that can be created,
modified, and deleted (i.e., config true, which is the default) are
considered sensitive. Write operations (e.g., edit-config) applied
to these data nodes without proper protection can negatively affect
network operations. An attacker who is able to access the SCTP NAT
function can undertake various attacks, such as:
* Setting a low timeout for SCTP mapping entries to cause failures
to deliver incoming SCTP packets.
* Instantiating mapping entries to cause NAT collision.
12. Acknowledgments
The authors wish to thank Mohamed Boucadair, Gorry Fairhurst, Bryan
Ford, David Hayes, Alfred Hines, Karen E. E. Nielsen, Henning
Peters, Maksim Proshin, Timo Voelker, Dan Wing, and Qiaobing Xie for
their invaluable comments.
In addition, the authors wish to thank David Hayes, Jason But, and In addition, the authors wish to thank David Hayes, Jason But, and
Grenville Armitage, the authors of [DOI_10.1145_1496091.1496095], for Grenville Armitage, the authors of [DOI_10.1145_1496091.1496095], for
their suggestions. their suggestions.
12. References The authors also wish to thank Mohamed Boucadair for contributing the
text related to the YANG module.
12.1. Normative References 13. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>.
[RFC4895] Tuexen, M., Stewart, R., Lei, P., and E. Rescorla, [RFC4895] Tuexen, M., Stewart, R., Lei, P., and E. Rescorla,
"Authenticated Chunks for the Stream Control Transmission "Authenticated Chunks for the Stream Control Transmission
Protocol (SCTP)", RFC 4895, DOI 10.17487/RFC4895, August Protocol (SCTP)", RFC 4895, DOI 10.17487/RFC4895, August
2007, <https://www.rfc-editor.org/info/rfc4895>. 2007, <https://www.rfc-editor.org/info/rfc4895>.
[RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol",
RFC 4960, DOI 10.17487/RFC4960, September 2007, RFC 4960, DOI 10.17487/RFC4960, September 2007,
<https://www.rfc-editor.org/info/rfc4960>. <https://www.rfc-editor.org/info/rfc4960>.
[RFC5061] Stewart, R., Xie, Q., Tuexen, M., Maruyama, S., and M. [RFC5061] Stewart, R., Xie, Q., Tuexen, M., Maruyama, S., and M.
Kozuka, "Stream Control Transmission Protocol (SCTP) Kozuka, "Stream Control Transmission Protocol (SCTP)
Dynamic Address Reconfiguration", RFC 5061, Dynamic Address Reconfiguration", RFC 5061,
DOI 10.17487/RFC5061, September 2007, DOI 10.17487/RFC5061, September 2007,
<https://www.rfc-editor.org/info/rfc5061>. <https://www.rfc-editor.org/info/rfc5061>.
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>.
[RFC6096] Tuexen, M. and R. Stewart, "Stream Control Transmission [RFC6096] Tuexen, M. and R. Stewart, "Stream Control Transmission
Protocol (SCTP) Chunk Flags Registration", RFC 6096, Protocol (SCTP) Chunk Flags Registration", RFC 6096,
DOI 10.17487/RFC6096, January 2011, DOI 10.17487/RFC6096, January 2011,
<https://www.rfc-editor.org/info/rfc6096>. <https://www.rfc-editor.org/info/rfc6096>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>.
[RFC6242] Wasserman, M., "Using the NETCONF Protocol over Secure
Shell (SSH)", RFC 6242, DOI 10.17487/RFC6242, June 2011,
<https://www.rfc-editor.org/info/rfc6242>.
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017,
<https://www.rfc-editor.org/info/rfc8040>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
12.2. Informative References [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration
Access Control Model", STD 91, RFC 8341,
DOI 10.17487/RFC8341, March 2018,
<https://www.rfc-editor.org/info/rfc8341>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[RFC8512] Boucadair, M., Ed., Sivakumar, S., Jacquenet, C.,
Vinapamula, S., and Q. Wu, "A YANG Module for Network
Address Translation (NAT) and Network Prefix Translation
(NPT)", RFC 8512, DOI 10.17487/RFC8512, January 2019,
<https://www.rfc-editor.org/info/rfc8512>.
14. Informative References
[DOI_10.1145_1496091.1496095] [DOI_10.1145_1496091.1496095]
Hayes, D., But, J., and G. Armitage, "Issues with network Hayes, D., But, J., and G. Armitage, "Issues with network
address translation for SCTP", ACM SIGCOMM Computer address translation for SCTP", ACM SIGCOMM Computer
Communication Review Vol. 39, pp. 23, Communication Review Vol. 39, pp. 23,
DOI 10.1145/1496091.1496095, December 2008. DOI 10.1145/1496091.1496095, December 2008,
<https://doi.org/10.1145/1496091.1496095>.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981, RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>. <https://www.rfc-editor.org/info/rfc793>.
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
P. Roberts, "Issues with IP Address Sharing", RFC 6269,
DOI 10.17487/RFC6269, June 2011,
<https://www.rfc-editor.org/info/rfc6269>.
[RFC6458] Stewart, R., Tuexen, M., Poon, K., Lei, P., and V. [RFC6458] Stewart, R., Tuexen, M., Poon, K., Lei, P., and V.
Yasevich, "Sockets API Extensions for the Stream Control Yasevich, "Sockets API Extensions for the Stream Control
Transmission Protocol (SCTP)", RFC 6458, Transmission Protocol (SCTP)", RFC 6458,
DOI 10.17487/RFC6458, December 2011, DOI 10.17487/RFC6458, December 2011,
<https://www.rfc-editor.org/info/rfc6458>. <https://www.rfc-editor.org/info/rfc6458>.
[RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman, [RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
"Special-Purpose IP Address Registries", BCP 153, "Special-Purpose IP Address Registries", BCP 153,
RFC 6890, DOI 10.17487/RFC6890, April 2013, RFC 6890, DOI 10.17487/RFC6890, April 2013,
<https://www.rfc-editor.org/info/rfc6890>. <https://www.rfc-editor.org/info/rfc6890>.
[RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream [RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream
Control Transmission Protocol (SCTP) Packets for End-Host Control Transmission Protocol (SCTP) Packets for End-Host
to End-Host Communication", RFC 6951, to End-Host Communication", RFC 6951,
DOI 10.17487/RFC6951, May 2013, DOI 10.17487/RFC6951, May 2013,
<https://www.rfc-editor.org/info/rfc6951>. <https://www.rfc-editor.org/info/rfc6951>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>.
Authors' Addresses Authors' Addresses
Randall R. Stewart Randall R. Stewart
Netflix, Inc. Netflix, Inc.
Chapin, SC 29036 Chapin, SC 29036
US United States of America
Email: randall@lakerest.net Email: randall@lakerest.net
Michael Tuexen Michael Tuexen
Muenster University of Applied Sciences Muenster University of Applied Sciences
Stegerwaldstrasse 39 Stegerwaldstrasse 39
48565 Steinfurt 48565 Steinfurt
DE Germany
Email: tuexen@fh-muenster.de Email: tuexen@fh-muenster.de
Irene Ruengeler Irene Ruengeler
Muenster University of Applied Sciences Muenster University of Applied Sciences
Stegerwaldstrasse 39 Stegerwaldstrasse 39
48565 Steinfurt 48565 Steinfurt
DE Germany
Email: i.ruengeler@fh-muenster.de Email: i.ruengeler@fh-muenster.de
 End of changes. 177 change blocks. 
387 lines changed or deleted 640 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/