draft-ietf-tsvwg-natsupp-16.txt   draft-ietf-tsvwg-natsupp-17.txt 
Network Working Group R. R. Stewart Network Working Group R. R. Stewart
Internet-Draft Netflix, Inc. Internet-Draft Netflix, Inc.
Intended status: Standards Track M. Tuexen Intended status: Standards Track M. Tüxen
Expires: 10 September 2020 I. Ruengeler Expires: 14 January 2021 I. Rüngeler
Muenster Univ. of Appl. Sciences Münster Univ. of Appl. Sciences
9 March 2020 13 July 2020
Stream Control Transmission Protocol (SCTP) Network Address Translation Stream Control Transmission Protocol (SCTP) Network Address Translation
Support Support
draft-ietf-tsvwg-natsupp-16 draft-ietf-tsvwg-natsupp-17
Abstract Abstract
The Stream Control Transmission Protocol (SCTP) provides a reliable The Stream Control Transmission Protocol (SCTP) provides a reliable
communications channel between two end-hosts in many ways similar to communications channel between two end-hosts in many ways similar to
the Transmission Control Protocol (TCP). With the widespread the Transmission Control Protocol (TCP). With the widespread
deployment of Network Address Translators (NAT), specialized code has deployment of Network Address Translators (NAT), specialized code has
been added to NAT for TCP that allows multiple hosts to reside behind been added to NAT functions for TCP that allows multiple hosts to
a NAT and yet share a single IPv4 address, even when two hosts reside behind a NAT function and yet share a single IPv4 address,
(behind a NAT) choose the same port numbers for their connection. even when two hosts (behind a NAT function) choose the same port
This additional code is sometimes classified as Network Address and numbers for their connection. This additional code is sometimes
Port Translation (NAPT). classified as Network Address and Port Translation (NAPT).
This document describes the protocol extensions required for the SCTP This document describes the protocol extensions required for the SCTP
endpoints and the mechanisms for NAT devices necessary to provide endpoints and the mechanisms for NAT functions necessary to provide
similar features of NAPT in the single point and multi point similar features of NAPT in the single point and multi point
traversal scenario. traversal scenario.
Finally, a YANG module for SCTP NAT is defined. Finally, a YANG module for SCTP NAT is defined.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 10 September 2020. This Internet-Draft will expire on 14 January 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 26 skipping to change at page 2, line 26
as described in Section 4.e of the Trust Legal Provisions and are as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 6 4. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1. SCTP NAT Traversal Scenarios . . . . . . . . . . . . . . 6 4.1. SCTP NAT Traversal Scenarios . . . . . . . . . . . . . . 6
4.1.1. Single Point Traversal . . . . . . . . . . . . . . . 6 4.1.1. Single Point Traversal . . . . . . . . . . . . . . . 7
4.1.2. Multi Point Traversal . . . . . . . . . . . . . . . . 7 4.1.2. Multi Point Traversal . . . . . . . . . . . . . . . . 7
4.2. Limitations of Classical NAPT for SCTP . . . . . . . . . 8 4.2. Limitations of Classical NAPT for SCTP . . . . . . . . . 8
4.3. The SCTP-Specific Variant of NAT . . . . . . . . . . . . 8 4.3. The SCTP-Specific Variant of NAT . . . . . . . . . . . . 8
5. Data Formats . . . . . . . . . . . . . . . . . . . . . . . . 13 5. Data Formats . . . . . . . . . . . . . . . . . . . . . . . . 13
5.1. Modified Chunks . . . . . . . . . . . . . . . . . . . . . 13 5.1. Modified Chunks . . . . . . . . . . . . . . . . . . . . . 13
5.1.1. Extended ABORT Chunk . . . . . . . . . . . . . . . . 13 5.1.1. Extended ABORT Chunk . . . . . . . . . . . . . . . . 13
5.1.2. Extended ERROR Chunk . . . . . . . . . . . . . . . . 13 5.1.2. Extended ERROR Chunk . . . . . . . . . . . . . . . . 13
5.2. New Error Causes . . . . . . . . . . . . . . . . . . . . 14 5.2. New Error Causes . . . . . . . . . . . . . . . . . . . . 14
5.2.1. VTag and Port Number Collision Error Cause . . . . . 14 5.2.1. VTag and Port Number Collision Error Cause . . . . . 14
5.2.2. Missing State Error Cause . . . . . . . . . . . . . . 14 5.2.2. Missing State Error Cause . . . . . . . . . . . . . . 14
5.2.3. Port Number Collision Error Cause . . . . . . . . . . 15 5.2.3. Port Number Collision Error Cause . . . . . . . . . . 15
5.3. New Parameters . . . . . . . . . . . . . . . . . . . . . 15 5.3. New Parameters . . . . . . . . . . . . . . . . . . . . . 16
5.3.1. Disable Restart Parameter . . . . . . . . . . . . . . 16 5.3.1. Disable Restart Parameter . . . . . . . . . . . . . . 16
5.3.2. VTags Parameter . . . . . . . . . . . . . . . . . . . 16 5.3.2. VTags Parameter . . . . . . . . . . . . . . . . . . . 16
6. Procedures for SCTP Endpoints and NAT Devices . . . . . . . . 17 6. Procedures for SCTP Endpoints and NAT Functions . . . . . . . 18
6.1. Association Setup Considerations for Endpoints . . . . . 18 6.1. Association Setup Considerations for Endpoints . . . . . 18
6.2. Handling of Internal Port Number and Verification Tag 6.2. Handling of Internal Port Number and Verification Tag
Collisions . . . . . . . . . . . . . . . . . . . . . . . 18 Collisions . . . . . . . . . . . . . . . . . . . . . . . 19
6.2.1. NAT Device Considerations . . . . . . . . . . . . . . 19 6.2.1. NAT Function Considerations . . . . . . . . . . . . . 19
6.2.2. Endpoint Considerations . . . . . . . . . . . . . . . 19 6.2.2. Endpoint Considerations . . . . . . . . . . . . . . . 20
6.3. Handling of Internal Port Number Collisions . . . . . . . 19 6.3. Handling of Internal Port Number Collisions . . . . . . . 20
6.3.1. NAT Device Considerations . . . . . . . . . . . . . . 20 6.3.1. NAT Function Considerations . . . . . . . . . . . . . 20
6.3.2. Endpoint Considerations . . . . . . . . . . . . . . . 20 6.3.2. Endpoint Considerations . . . . . . . . . . . . . . . 21
6.4. Handling of Missing State . . . . . . . . . . . . . . . . 21 6.4. Handling of Missing State . . . . . . . . . . . . . . . . 21
6.4.1. NAT Device Considerations . . . . . . . . . . . . . . 21 6.4.1. NAT Function Considerations . . . . . . . . . . . . . 21
6.4.2. Endpoint Considerations . . . . . . . . . . . . . . . 21 6.4.2. Endpoint Considerations . . . . . . . . . . . . . . . 22
6.5. Handling of Fragmented SCTP Packets by NAT Devices . . . 22 6.5. Handling of Fragmented SCTP Packets by NAT Functions . . 23
6.6. Multi Point Traversal Considerations for Endpoints . . . 23 6.6. Multi Point Traversal Considerations for Endpoints . . . 24
7. Various Examples of NAT Traversals . . . . . . . . . . . . . 23 7. Various Examples of NAT Traversals . . . . . . . . . . . . . 24
7.1. Single-homed Client to Single-homed Server . . . . . . . 23 7.1. Single-homed Client to Single-homed Server . . . . . . . 24
7.2. Single-homed Client to Multi-homed Server . . . . . . . . 25 7.2. Single-homed Client to Multi-homed Server . . . . . . . . 26
7.3. Multihomed Client and Server . . . . . . . . . . . . . . 27 7.3. Multihomed Client and Server . . . . . . . . . . . . . . 28
7.4. NAT Loses Its State . . . . . . . . . . . . . . . . . . . 30 7.4. NAT Function Loses Its State . . . . . . . . . . . . . . 31
7.5. Peer-to-Peer Communication . . . . . . . . . . . . . . . 32 7.5. Peer-to-Peer Communication . . . . . . . . . . . . . . . 33
8. SCTP NAT YANG Module . . . . . . . . . . . . . . . . . . . . 36 8. SCTP NAT YANG Module . . . . . . . . . . . . . . . . . . . . 38
8.1. Tree Structure . . . . . . . . . . . . . . . . . . . . . 36 8.1. Tree Structure . . . . . . . . . . . . . . . . . . . . . 38
8.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 37 8.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 39
9. Socket API Considerations . . . . . . . . . . . . . . . . . . 39 9. Socket API Considerations . . . . . . . . . . . . . . . . . . 41
9.1. Get or Set the NAT Friendliness (SCTP_NAT_FRIENDLY) . . . 40 9.1. Get or Set the NAT Friendliness (SCTP_NAT_FRIENDLY) . . . 42
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42
10.1. New Chunk Flags for Two Existing Chunk Types . . . . . . 40 10.1. New Chunk Flags for Two Existing Chunk Types . . . . . . 42
10.2. Three New Error Causes . . . . . . . . . . . . . . . . . 42 10.2. Three New Error Causes . . . . . . . . . . . . . . . . . 44
10.3. Two New Chunk Parameter Types . . . . . . . . . . . . . 43 10.3. Two New Chunk Parameter Types . . . . . . . . . . . . . 45
10.4. One New URI . . . . . . . . . . . . . . . . . . . . . . 43 10.4. One New URI . . . . . . . . . . . . . . . . . . . . . . 45
10.5. One New YANG Module . . . . . . . . . . . . . . . . . . 43 10.5. One New YANG Module . . . . . . . . . . . . . . . . . . 45
11. Security Considerations . . . . . . . . . . . . . . . . . . . 43 11. Security Considerations . . . . . . . . . . . . . . . . . . . 45
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 44 12. Normative References . . . . . . . . . . . . . . . . . . . . 46
13. Normative References . . . . . . . . . . . . . . . . . . . . 44 13. Informative References . . . . . . . . . . . . . . . . . . . 48
14. Informative References . . . . . . . . . . . . . . . . . . . 46 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 49
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 47 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49
1. Introduction 1. Introduction
Stream Control Transmission Protocol [RFC4960] provides a reliable Stream Control Transmission Protocol (SCTP) [RFC4960] provides a
communications channel between two end-hosts in many ways similar to reliable communications channel between two end-hosts in many ways
TCP [RFC0793]. With the widespread deployment of Network Address similar to TCP [RFC0793]. With the widespread deployment of Network
Translators (NAT), specialized code has been added to NAT for TCP Address Translators (NAT), specialized code has been added to NAT
that allows multiple hosts to reside behind a NAT using private functions for TCP that allows multiple hosts to reside behind a NAT
addresses (see [RFC6890]) and yet share single IPv4 address, even functions using internal addresses (see [RFC6890]) and yet share
when two hosts (behind a NAT) choose the same port numbers for their single IPv4 address, even when two hosts (behind a NAT function)
connection. This additional code is sometimes classified as Network choose the same port numbers for their connection. This additional
Address and Port Translation (NAPT). Please note that this document code is sometimes classified as Network Address and Port Translation
focuses on the case where the NAT maps a single or multiple private (NAPT). Please note that this document focuses on the case where the
addresses to a single public address and vice versa. To date, NAT function maps a single or multiple internal addresses to a single
specialized code for SCTP has not yet been added to most NAT devices external address and vice versa. To date, specialized code for SCTP
so that only a translation of IP addresses is supported. The end has not yet been added to most NAT functions so that only a
result of this is that only one SCTP-capable host can successfully translation of IP addresses is supported. The end result of this is
operate behind such a NAT and this host can only be single-homed. that only one SCTP-capable host can successfully operate behind such
The only alternative for supporting legacy NAT devices is to use UDP a NAT function and this host can only be single-homed. The only
alternative for supporting legacy NAT functions is to use UDP
encapsulation as specified in [RFC6951]. encapsulation as specified in [RFC6951].
This document specifies procedures allowing a NAT to support SCTP by The NAT function in the document refers to NAPT functions described
providing similar features to those provided by a NAPT for TCP and in Section 2.2 of [RFC3022], NAT64 [RFC6146], or DS-Lite [RFC6333].
other supported protocols. The document also specifies a set of data
formats for SCTP packets and a set of SCTP endpoint procedures to This document specifies procedures allowing a NAT function to support
support NAT traversal. An SCTP implementation supporting these SCTP by providing similar features to those provided by a NAPT for
procedures can assure that in both single-homed and multi-homed cases TCP and other supported protocols. The document also specifies a set
a NAT will maintain the appropriate state without the NAT needing to of data formats for SCTP packets and a set of SCTP endpoint
change port numbers. procedures to support NAT traversal. An SCTP implementation
supporting these procedures can assure that in both single-homed and
multi-homed cases a NAT function will maintain the appropriate state
without the NAT function needing to change port numbers.
It is possible and desirable to make these changes for a number of It is possible and desirable to make these changes for a number of
reasons: reasons:
* It is desirable for SCTP internal end-hosts on multiple platforms * It is desirable for SCTP internal end-hosts on multiple platforms
to be able to share a NAT's public IP address in the same way that to be able to share a NAT function's external IP address in the
a TCP session can use a NAT. same way that a TCP session can use a NAT function.
* If a NAT does not need to change any data within an SCTP packet it * If a NAT function does not need to change any data within an SCTP
will reduce the processing burden of NAT'ing SCTP by not needing packet it will reduce the processing burden of NAT'ing SCTP by not
to execute the CRC32c checksum required by SCTP. needing to execute the CRC32c checksum required by SCTP.
* Not having to touch the IP payload makes the processing of ICMP * Not having to touch the IP payload makes the processing of ICMP
messages in NAT devices easier. messages in NAT functions easier.
An SCTP-aware NAT will need to follow these procedures for generating An SCTP-aware NAT function will need to follow these procedures for
appropriate SCTP packet formats. generating appropriate SCTP packet formats.
When considering this feature it is possible to have multiple levels When considering this feature it is possible to have multiple levels
of support. At each level, the Internal Host, External Host and NAT of support. At each level, the Internal Host, Remote Host and NAT
may or may not support the features described in this document. The function may or may not support the features described in this
following table illustrates the results of the various combinations document. The following table illustrates the results of the various
of support and if communications can occur between two endpoints. combinations of support and if communications can occur between two
endpoints.
+---------------+------------+---------------+---------------+ +===============+==============+=============+===============+
| Internal Host | NAT Device | External Host | Communication | | Internal Host | NAT Function | Remote Host | Communication |
+===============+============+===============+===============+ +===============+==============+=============+===============+
| Support | Support | Support | Yes | | Support | Support | Support | Yes |
+---------------+------------+---------------+---------------+ +---------------+--------------+-------------+---------------+
| Support | Support | No Support | Limited | | Support | Support | No Support | Limited |
+---------------+------------+---------------+---------------+ +---------------+--------------+-------------+---------------+
| Support | No Support | Support | None | | Support | No Support | Support | None |
+---------------+------------+---------------+---------------+ +---------------+--------------+-------------+---------------+
| Support | No Support | No Support | None | | Support | No Support | No Support | None |
+---------------+------------+---------------+---------------+ +---------------+--------------+-------------+---------------+
| No Support | Support | Support | Limited | | No Support | Support | Support | Limited |
+---------------+------------+---------------+---------------+ +---------------+--------------+-------------+---------------+
| No Support | Support | No Support | Limited | | No Support | Support | No Support | Limited |
+---------------+------------+---------------+---------------+ +---------------+--------------+-------------+---------------+
| No Support | No Support | Support | None | | No Support | No Support | Support | None |
+---------------+------------+---------------+---------------+ +---------------+--------------+-------------+---------------+
| No Support | No Support | No Support | None | | No Support | No Support | No Support | None |
+---------------+------------+---------------+---------------+ +---------------+--------------+-------------+---------------+
Table 1: Communication possibilities Table 1: Communication possibilities
From the table it can be seen that when a NAT device does not support From the table it can be seen that when a NAT function does not
the extension no communication can occur. This assumes that the NAT support the extension no communication can occur. This assumes that
device does not handle SCTP packets at all and all SCTP packets sent the NAT function does not handle SCTP packets at all and all SCTP
externally from behind a NAT device are discarded by the NAT. In packets sent externally from behind a NAT function are discarded by
some cases, where the NAT device supports the feature but one of the the NAT function. In some cases, where the NAT function supports the
two hosts does not support the feature, communication may occur but feature but one of the two hosts does not support the feature,
in a limited way. For example only one host may be able to have a communication may occur but in a limited way. For example only one
connection when a collision case occurs. host may be able to have a connection when a collision case occurs.
2. Conventions 2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. Terminology 3. Terminology
This document uses the following terms, which are depicted in This document uses the following terms, which are depicted in
Figure 1. Familiarity with the terminology used in [RFC4960] and Figure 1. Familiarity with the terminology used in [RFC4960] and
[RFC5061] is assumed. [RFC5061] is assumed.
Private-Address (Priv-Addr) The private address that is known to the Internal-Address (Int-Addr)
internal host. The internal address that is known to the internal host.
Internal-Port (Int-Port) The port number that is in use by the host Internal-Port (Int-Port)
holding the Private-Address. The port number that is in use by the host holding the Internal-
Address.
Internal-VTag (Int-VTag) The SCTP Verification Tag (VTag) (see Internal-VTag (Int-VTag)
Section 3.1 of [RFC4960]) that the internal host has chosen for The SCTP Verification Tag (VTag) (see Section 3.1 of [RFC4960])
its communication. The VTag is a unique 32-bit tag that must that the internal host has chosen for its communication. The VTag
accompany any incoming SCTP packet for this association to the is a unique 32-bit tag that must accompany any incoming SCTP
Private-Address. packet for this association to the Internal-Address.
External-Address (Ext-Addr) The address that an internal host is Remote-Address (Rem-Addr)
attempting to contact. The address that an internal host is attempting to contact.
External-Port (Ext-Port) The port number of the peer process at the Remote-Port (Rem-Port)
External-Address. The port number of the peer process at the Remote-Address.
External-VTag (Ext-VTag) The Verification Tag that the host holding Remote-VTag (Rem-VTag)
the External-Address has chosen for its communication. The VTag The Verification Tag (VTag) (see Section 3.1 of [RFC4960]) that
is a unique 32-bit tag that must accompany any incoming SCTP the host holding the Remote-Address has chosen for its
packet for this association to the External-Address. communication. The VTag is a unique 32-bit tag that must
accompany any incoming SCTP packet for this association to the
Remote-Address.
Public-Address (Pub-Addr) The public address assigned to the NAT External-Address (Ext-Addr)
device that it uses as a source address when sending packets The external address assigned to the NAT function, that it uses as
towards the External-Address. a source address when sending packets towards the Remote-Address.
Internal Network | External Network Internal Network | External Network
| |
Private | Public External Internal | External Remote
+--------+ Address | Address /--\/--\ Address +--------+ +--------+ Address | Address /--\/--\ Address +--------+
| SCTP | +-----+ / \ | SCTP | | SCTP | +-----+ / \ | SCTP |
|endpoint|=========| NAT |=======| Internet |==========|endpoint| |endpoint|=========| NAT |=======| Internet |==========|endpoint|
| A | +-----+ \ / | B | | A | +-----+ \ / | B |
+--------+ Internal | \--/\--/ External+--------+ +--------+ Internal | \--/\--/ Remote +--------+
Internal Port | Port External Internal Port | Port Remote
VTag | VTag VTag | VTag
Figure 1: Basic network setup Figure 1: Basic network setup
4. Motivation 4. Motivation
4.1. SCTP NAT Traversal Scenarios 4.1. SCTP NAT Traversal Scenarios
This section defines the notion of single and multi point NAT This section defines the notion of single and multi point NAT
traversal. traversal.
4.1.1. Single Point Traversal 4.1.1. Single Point Traversal
In this case, all packets in the SCTP association go through a single In this case, all packets in the SCTP association go through a single
NAT, as shown below: NAT function, as shown below:
Internal Network | External Network Internal Network | External Network
| |
+--------+ | /--\/--\ +--------+ +--------+ | /--\/--\ +--------+
| SCTP | +-----+ / \ | SCTP | | SCTP | +-----+ / \ | SCTP |
|endpoint|=========| NAT |========= | Internet | ========|endpoint| |endpoint|=========| NAT |========= | Internet | ========|endpoint|
| A | +-----+ \ / | B | | A | +-----+ \ / | B |
+--------+ | \--/\--/ +--------+ +--------+ | \--/\--/ +--------+
| |
Figure 2: Single NAT scenario Figure 2: Single NAT scenario
A variation of this case is shown below, i.e., multiple NAT devices A variation of this case is shown below, i.e., multiple NAT functions
in a single path: in a single path:
Internal | External : Internal | External Internal | External : Internal | External
| : | | : |
+--------+ | : | /--\/--\ +--------+ +--------+ | : | /--\/--\ +--------+
| SCTP | +-----+ : +-----+ / \ | SCTP | | SCTP | +-----+ : +-----+ / \ | SCTP |
|endpoint|==| NAT |=======:=======| NAT |==| Internet |==|endpoint| |endpoint|==| NAT |=======:=======| NAT |==| Internet |==|endpoint|
| A | +-----+ : +-----+ \ / | B | | A | +-----+ : +-----+ \ / | B |
+--------+ | : | \--/\--/ +--------+ +--------+ | : | \--/\--/ +--------+
| : | | : |
Figure 3: Serial NAT Devices scenario Figure 3: Serial NAT Functions scenario
Although one of the main benefits of SCTP multi-homing is redundant Although one of the main benefits of SCTP multi-homing is redundant
paths, in the single point traversal scenario the NAT function paths, in the single point traversal scenario the NAT function
represents a single point of failure in the path of the SCTP multi- represents a single point of failure in the path of the SCTP multi-
homed association. However, the rest of the path may still benefit homed association. However, the rest of the path may still benefit
from path diversity provided by SCTP multi-homing. from path diversity provided by SCTP multi-homing.
The two SCTP endpoints in this case can be either single-homed or The two SCTP endpoints in this case can be either single-homed or
multi-homed. However, the important thing is that the NAT device (or multi-homed. However, the important thing is that the NAT function
NAT devices) in this case sees all the packets of the SCTP in this case sees all the packets of the SCTP association.
association.
4.1.2. Multi Point Traversal 4.1.2. Multi Point Traversal
This case involves multiple NAT devices and each NAT device only sees This case involves multiple NAT functions and each NAT function only
some of the packets in the SCTP association. An example is shown sees some of the packets in the SCTP association. An example is
below: shown below:
Internal | External Internal | External
+------+ /---\/---\ +------+ /---\/---\
+--------+ /=======|NAT A |=========\ / \ +--------+ +--------+ /=======|NAT A |=========\ / \ +--------+
| SCTP | / +------+ \/ \ | SCTP | | SCTP | / +------+ \/ \ | SCTP |
|endpoint|/ ... | Internet |===|endpoint| |endpoint|/ ... | Internet |===|endpoint|
| A |\ \ / | B | | A |\ \ / | B |
+--------+ \ +------+ / \ / +--------+ +--------+ \ +------+ / \ / +--------+
\=======|NAT B |=========/ \---\/---/ \=======|NAT B |=========/ \---\/---/
+------+ +------+
| |
Figure 4: Parallel NAT devices scenario Figure 4: Parallel NAT functions scenario
This case does not apply to a single-homed SCTP association (i.e., This case does not apply to a single-homed SCTP association (i.e.,
both endpoints in the association use only one IP address). The both endpoints in the association use only one IP address). The
advantage here is that the existence of multiple NAT traversal points advantage here is that the existence of multiple NAT traversal points
can preserve the path diversity of a multi-homed association for the can preserve the path diversity of a multi-homed association for the
entire path. This in turn can improve the robustness of the entire path. This in turn can improve the robustness of the
communication. communication.
4.2. Limitations of Classical NAPT for SCTP 4.2. Limitations of Classical NAPT for SCTP
Using classical NAPT may result in changing one of the SCTP port Using classical NAPT may result in changing one of the SCTP port
numbers during the processing which requires the recomputation of the numbers during the processing which requires the recomputation of the
transport layer checksum by the NAPT device. Whereas for UDP and TCP transport layer checksum by the NAPT device. Whereas for UDP and TCP
this can be done very efficiently, for SCTP the checksum (CRC32c) this can be done very efficiently, for SCTP the checksum (CRC32c)
over the entire packet needs to be recomputed. See Appendix B of over the entire packet needs to be recomputed (see Appendix B of
[RFC4960] for details of the CRC32c computation. This would [RFC4960] for details of the CRC32c computation). This would
considerably add to the NAT computational burden, however hardware considerably add to the NAT computational burden, however hardware
support may mitigate this in some implementations. support may mitigate this in some implementations.
An SCTP endpoint may have multiple addresses but only has a single An SCTP endpoint may have multiple addresses but only has a single
port number. To make multipoint traversal work, all the NAT devices port number. To make multipoint traversal work, all the NAT
involved must recognize the packets they see as belonging to the same functions involved must recognize the packets they see as belonging
SCTP association and perform port number translation in a consistent to the same SCTP association and perform port number translation in a
way. One possible way of doing this is to use a pre-defined table of consistent way. One possible way of doing this is to use a pre-
ports and addresses configured within each NAT. Other mechanisms defined table of ports and addresses configured within each NAT
could make use of NAT to NAT communication. Such mechanisms have not function. Other mechanisms could make use of NAT to NAT
been deployed on a wide scale base and thus are not a recommended communication. Such mechanisms have not been deployed on a wide
solution. Therefore an SCTP variant of NAT has been developed. scale base and thus are not a recommended solution. Therefore an
SCTP variant of NAT function has been developed.
4.3. The SCTP-Specific Variant of NAT 4.3. The SCTP-Specific Variant of NAT
In this section it is allowed that there are multiple SCTP capable In this section it is allowed that there are multiple SCTP capable
hosts behind a NAT that has one Public-Address. Furthermore this hosts behind a NAT function that has one Exernal-Address.
section focuses on the single point traversal scenario. Furthermore this section focuses on the single point traversal
scenario.
The modification of SCTP packets sent to the Internet is simple: the The modification of SCTP packets sent to the Internet is simple: the
source address of the packet has to be replaced with the Public- source address of the packet has to be replaced with the External-
Address. It may also be necessary to establish some state in the NAT Address. It may also be necessary to establish some state in the NAT
device to later handle incoming packets. function to later handle incoming packets.
For the SCTP NAT processing the NAT device has to maintain a NAT For the SCTP NAT processing the NAT function has to maintain a NAT
binding table of Internal-VTag, Internal-Port, External-VTag, binding table of Internal-VTag, Internal-Port, Remote-VTag, Remote-
External-Port, Private-Address, and whether the restart procedure is Port, Internal-Address, and whether the restart procedure is disabled
disabled or not. An entry in that NAT binding table is called a NAT or not. An entry in that NAT binding table is called a NAT-State
state control block. The function Create() obtains the just control block. The function Create() obtains the just mentioned
mentioned parameters and returns a NAT-State control block. A NAT parameters and returns a NAT-State control block. A NAT function MAY
device MAY allow creating NAT-State control blocks via a management allow creating NAT-State control blocks via a management interface.
interface.
For SCTP packets coming from the public Internet the destination For SCTP packets coming from the public Internet the destination
address of the packets has to be replaced with the Private-Address of address of the packets has to be replaced with the Internal-Address
the host the packet has to be delivered to. The lookup of the of the host to which the packet has to be delivered. The lookup of
Private-Address is based on the External-VTag, External-Port, the Internal-Address is based on the Remote-VTag, Remote-Port,
Internal-VTag and the Internal-Port. Internal-VTag and the Internal-Port.
The entries in the NAT binding table need to fulfill some uniqueness The entries in the NAT binding table need to fulfill some uniqueness
conditions. There must not be more than one entry NAT binding table conditions. There must not be more than one entry NAT binding table
with the same pair of Internal-Port and External-Port. This rule can with the same pair of Internal-Port and Remote-Port. This rule can
be relaxed, if all NAT binding table entries with the same Internal- be relaxed, if all NAT binding table entries with the same Internal-
Port and External-Port have the support for the restart procedure Port and Remote-Port have the support for the restart procedure
enabled. In this case there must be no more than one entry with the enabled. In this case there must be no more than one entry with the
same Internal-Port, External-Port and Ext-VTag and no more than one same Internal-Port, Remote-Port and Remote-VTag and no more than one
NAT binding table entry with the same Internal-Port, External-Port NAT binding table entry with the same Internal-Port, Remote-Port and
and Int-VTag. Int-VTag.
The processing of outgoing SCTP packets containing an INIT chunk is The processing of outgoing SCTP packets containing an INIT chunk is
described in the following figure. The scenario shown is valid for described in the following figure. The scenario shown is valid for
all message flows in this section. all message flows in this section.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
INIT[Initiate-Tag] INIT[Initiate-Tag]
Priv-Addr:Int-Port ------> Ext-Addr:Ext-Port Int-Addr:Int-Port ------> Rem-Addr:Rem-Port
Ext-VTag=0 Rem-VTag=0
Create(Initiate-Tag, Int-Port, 0, Ext-Port, Priv-Addr, Create(Initiate-Tag, Int-Port, 0, Rem-Port, Int-Addr,
RestartSupported) RestartSupported)
Returns(NAT-State control block) Returns(NAT-State control block)
Translate To: Translate To:
INIT[Initiate-Tag] INIT[Initiate-Tag]
Pub-Addr:Int-Port ------> Ext-Addr:Ext-Port Ext-Addr:Int-Port ------> Rem-Addr:Rem-Port
Ext-VTag=0 Rem-VTag=0
Normally a NAT binding table entry will be created. Normally a NAT binding table entry will be created.
However, it is possible that there is already a NAT binding table However, it is possible that there is already a NAT binding table
entry with the same External-Port, Internal-Port, and Internal-VTag entry with the same Remote-Port, Internal-Port, and Internal-VTag but
but different Private-Address. In this case the INIT MUST be dropped different Internal-Address. In this case the packet containing the
by the NAT and an ABORT MUST be sent back to the SCTP host with the INIT chunk MUST be dropped by the NAT and a packet containing an
M-Bit set and an appropriate error cause (see Section 5.1.1 for the ABORT chunk SHOULD be sent to the SCTP host that originated the
format). The source address of the packet containing the ABORT chunk packet with the M-Bit set and an appropriate error cause (see
MUST be the destination address of the packet containing the INIT Section 5.1.1 for the format). The source address of the packet
chunk. containing the ABORT chunk MUST be the destination address of the
packet containing the INIT chunk.
If an outgoing SCTP packet contains an INIT or ASCONF chunk and a If an outgoing SCTP packet contains an INIT or ASCONF chunk and a
matching NAT binding table entry is found, the packet is processed as matching NAT binding table entry is found, the packet is processed as
a normal outgoing packet. a normal outgoing packet.
It is also possible that a connection to External-Address and It is also possible that a connection to Remote-Address and Remote-
External-Port exists without an Internal-VTag conflict but there Port exists without an Internal-VTag conflict but there exists a NAT
exists a NAT binding table entry with the same port numbers but a binding table entry with the same port numbers but a different
different Private-Address. In such a case the INIT MUST be dropped Internal-Address. In such a case the packet containing the INIT
by the NAT and an ABORT SHOULD be sent back to the SCTP host with the chunk MUST be dropped by the NAT function and a packet containing an
M-Bit set and an appropriate error cause (see Section 5.1.1 for the ABORT chunk SHOULD be sent to the SCTP host that originated the
format). packet with the M-Bit set and an appropriate error cause (see
Section 5.1.1 for the format).
The processing of outgoing SCTP packets containing no INIT chunks is The processing of outgoing SCTP packets containing no INIT chunks is
described in the following figure. described in the following figure.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
Priv-Addr:Int-Port ------> Ext-Addr:Ext-Port Int-Addr:Int-Port ------> Rem-Addr:Rem-Port
Ext-VTag Rem-VTag
Translate To: Translate To:
Pub-Addr:Int-Port ------> Ext-Addr:Ext-Port Ext-Addr:Int-Port ------> Rem-Addr:Rem-Port
Ext-VTag Rem-VTag
The processing of incoming SCTP packets containing an INIT ACK chunk The processing of incoming SCTP packets containing an INIT ACK chunk
is described in the following figure. The Lookup() function getting is described in the following figure. The Lookup() function getting
as input the Internal-VTag, Internal-Port, External-VTag, and as input the Internal-VTag, Internal-Port, Remote-VTag, and Remote-
External-Port, returns the corresponding entry of the NAT binding Port, returns the corresponding entry of the NAT binding table and
table and updates the External-VTag by substituting it with the value updates the Remote-VTag by substituting it with the value of the
of the Initiate-Tag of the INIT ACK chunk. The wildcard character Initiate-Tag of the INIT ACK chunk. The wildcard character signifies
signifies that the parameter's value is not considered in the that the parameter's value is not considered in the Lookup() function
Lookup() function or changed in the Update() function, respectively. or changed in the Update() function, respectively.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
INIT ACK[Initiate-Tag] INIT ACK[Initiate-Tag]
Pub-Addr:Int-Port <---- Ext-Addr:Ext-Port Ext-Addr:Int-Port <---- Rem-Addr:Rem-Port
Int-VTag Int-VTag
Lookup(Int-VTag, Int-Port, *, Ext-Port) Lookup(Int-VTag, Int-Port, *, Rem-Port)
Update(*, *, Initiate-Tag, *) Update(*, *, Initiate-Tag, *)
Returns(NAT-State control block containing Priv-Addr) Returns(NAT-State control block containing Int-Addr)
INIT ACK[Initiate-Tag] INIT ACK[Initiate-Tag]
Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port Int-Addr:Int-Port <------ Rem-Addr:Rem-Port
Int-VTag Int-VTag
In the case Lookup fails, the SCTP packet is dropped. If it In the case Lookup fails, the SCTP packet is dropped. If it
succeeds, the Update routine inserts the External-VTag (the Initiate- succeeds, the Update routine inserts the Remote-VTag (the Initiate-
Tag of the INIT ACK chunk) in the NAT state control block. Tag of the INIT ACK chunk) in the NAT-State control block.
The processing of incoming SCTP packets containing an ABORT or The processing of incoming SCTP packets containing an ABORT or
SHUTDOWN COMPLETE chunk with the T-Bit set is described in the SHUTDOWN COMPLETE chunk with the T-Bit set is described in the
following figure. following figure.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
Pub-Addr:Int-Port <------ Ext-Addr:Ext-Port Ext-Addr:Int-Port <------ Rem-Addr:Rem-Port
Ext-VTag Rem-VTag
Lookup(*, Int-Port, Ext-VTag, Ext-Port) Lookup(*, Int-Port, Rem-VTag, Rem-Port)
Returns(NAT-State control block containing Priv-Addr) Returns(NAT-State control block containing Int-Addr)
Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port Int-Addr:Int-Port <------ Rem-Addr:Rem-Port
Ext-VTag Rem-VTag
For an incoming packet containing an INIT chunk a table lookup is For an incoming packet containing an INIT chunk a table lookup is
made only based on the addresses and port numbers. If an entry with made only based on the addresses and port numbers. If an entry with
an External-VTag of zero is found, it is considered a match and the an Remote-VTag of zero is found, it is considered a match and the
External-VTag is updated. If an entry with a non-matching External- Remote-VTag is updated. If an entry with a non-matching Remote-VTag
VTag is found or no entry is found, the incoming packet is dropped. is found or no entry is found, the incoming packet is dropped. If an
If an entry with a matching External-VTag is found, the incoming entry with a matching Remote-VTag is found, the incoming packet is
packet is forwarded. This allows the handling of INIT collision forwarded. This allows the handling of INIT collision through NAT
through NAT. functions.
The processing of other incoming SCTP packets is described in the The processing of other incoming SCTP packets is described in the
following figure. following figure.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
Pub-Addr:Int-Port <------ Ext-Addr:Ext-Port Ext-Addr:Int-Port <------ Rem-Addr:Rem-Port
Int-VTag Int-VTag
Lookup(Int-VTag, Int-Port, *, Ext-Port) Lookup(Int-VTag, Int-Port, *, Rem-Port)
Returns(NAT-State control block containing Private-Address) Returns(NAT-State control block containing Internal-Address)
Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port Int-Addr:Int-Port <------ Rem-Addr:Rem-Port
Int-VTag Int-VTag
5. Data Formats 5. Data Formats
This section defines the formats used to support NAT traversal. This section defines the formats used to support NAT traversal.
Section 5.1 and Section 5.2 describe chunks and error causes sent by Section 5.1 and Section 5.2 describe chunks and error causes sent by
NAT devices and received by SCTP endpoints. Section 5.3 describes NAT functions and received by SCTP endpoints. Section 5.3 describes
parameters sent by SCTP endpoints and used by NAT devices and SCTP parameters sent by SCTP endpoints and used by NAT functions and SCTP
endpoints. endpoints.
5.1. Modified Chunks 5.1. Modified Chunks
This section presents existing chunks defined in [RFC4960] that are This section presents existing chunks defined in [RFC4960] for which
modified by this document. additional flags are specified by this document.
5.1.1. Extended ABORT Chunk 5.1.1. Extended ABORT Chunk
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 6 | Reserved |M|T| Length | | Type = 6 | Reserved |M|T| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \ \ \
/ zero or more Error Causes / / zero or more Error Causes /
skipping to change at page 14, line 22 skipping to change at page 14, line 22
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x00B0 | Cause Length = Variable | | Cause Code = 0x00B0 | Cause Length = Variable |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ Chunk / \ Chunk /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Cause Code: 2 bytes (unsigned integer) This field holds the IANA Cause Code: 2 bytes (unsigned integer)
defined cause code for the 'VTag and Port Number Collision' Error This field holds the IANA defined cause code for the 'VTag and
Cause. IANA is requested to assign the value 0x00B0 for this Port Number Collision' Error Cause. IANA is requested to assign
cause code. the value 0x00B0 for this cause code.
Cause Length: 2 bytes (unsigned integer) This field holds the length Cause Length: 2 bytes (unsigned integer)
in bytes of the error cause. The value MUST be the length of the This field holds the length in bytes of the error cause. The
Cause-Specific Information plus 4. value MUST be the length of the Cause-Specific Information plus 4.
Chunk: variable length The Cause-Specific Information is filled with Chunk: variable length
the chunk that caused this error. This can be an INIT, INIT ACK, The Cause-Specific Information is filled with the chunk that
or ASCONF chunk. Note that if the entire chunk will not fit in caused this error. This can be an INIT, INIT ACK, or ASCONF
the ERROR chunk or ABORT chunk being sent then the bytes that do chunk. Note that if the entire chunk will not fit in the ERROR
not fit are truncated. chunk or ABORT chunk being sent then the bytes that do not fit are
truncated.
[NOTE to RFC-Editor: Assignment of cause code to be confirmed by [NOTE to RFC-Editor: Assignment of cause code to be confirmed by
IANA.] IANA.]
5.2.2. Missing State Error Cause 5.2.2. Missing State Error Cause
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x00B1 | Cause Length = Variable | | Cause Code = 0x00B1 | Cause Length = Variable |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ Incoming Packet / \ Incoming Packet /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Cause Code: 2 bytes (unsigned integer) This field holds the IANA Cause Code: 2 bytes (unsigned integer)
defined cause code for the 'Missing State' Error Cause. IANA is This field holds the IANA defined cause code for the 'Missing
requested to assign the value 0x00B1 for this cause code. State' Error Cause. IANA is requested to assign the value 0x00B1
for this cause code.
Cause Length: 2 bytes (unsigned integer) This field holds the length Cause Length: 2 bytes (unsigned integer)
in bytes of the error cause. The value MUST be the length of the This field holds the length in bytes of the error cause. The
Cause-Specific Information plus 4. value MUST be the length of the Cause-Specific Information plus 4.
Incoming Packet: variable length The Cause-Specific Information is Incoming Packet: variable length
filled with the IPv4 or IPv6 packet that caused this error. The The Cause-Specific Information is filled with the IPv4 or IPv6
IPv4 or IPv6 header MUST be included. Note that if the packet packet that caused this error. The IPv4 or IPv6 header MUST be
will not fit in the ERROR chunk or ABORT chunk being sent then the included. Note that if the packet will not fit in the ERROR chunk
bytes that do not fit are truncated. or ABORT chunk being sent then the bytes that do not fit are
truncated.
[NOTE to RFC-Editor: Assignment of cause code to be confirmed by [NOTE to RFC-Editor: Assignment of cause code to be confirmed by
IANA.] IANA.]
5.2.3. Port Number Collision Error Cause 5.2.3. Port Number Collision Error Cause
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x00B2 | Cause Length = Variable | | Cause Code = 0x00B2 | Cause Length = Variable |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ Chunk / \ Chunk /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Cause Code: 2 bytes (unsigned integer) This field holds the IANA Cause Code: 2 bytes (unsigned integer)
defined cause code for the 'Port Number Collision' Error Cause. This field holds the IANA defined cause code for the 'Port Number
IANA is requested to assign the value 0x00B2 for this cause code. Collision' Error Cause. IANA is requested to assign the value
0x00B2 for this cause code.
Cause Length: 2 bytes (unsigned integer) This field holds the length Cause Length: 2 bytes (unsigned integer)
in bytes of the error cause. The value MUST be the length of the This field holds the length in bytes of the error cause. The
Cause-Specific Information plus 4. value MUST be the length of the Cause-Specific Information plus 4.
Chunk: variable length The Cause-Specific Information is filled with Chunk: variable length
the chunk that caused this error. This can be an INIT, INIT ACK, The Cause-Specific Information is filled with the chunk that
or ASCONF chunk. Note that if the entire chunk will not fit in caused this error. This can be an INIT, INIT ACK, or ASCONF
the ERROR chunk or ABORT chunk being sent then the bytes that do chunk. Note that if the entire chunk will not fit in the ERROR
not fit are truncated. chunk or ABORT chunk being sent then the bytes that do not fit are
truncated.
[NOTE to RFC-Editor: Assignment of cause code to be confirmed by [NOTE to RFC-Editor: Assignment of cause code to be confirmed by
IANA.] IANA.]
5.3. New Parameters 5.3. New Parameters
This section defines new parameters and their valid appearance This section defines new parameters and their valid appearance
defined by this document. defined by this document.
5.3.1. Disable Restart Parameter 5.3.1. Disable Restart Parameter
skipping to change at page 16, line 19 skipping to change at page 16, line 24
include this parameter in the INIT chunk and INIT ACK chunk when include this parameter in the INIT chunk and INIT ACK chunk when
establishing an association and MUST include it in the ASCONF chunk establishing an association and MUST include it in the ASCONF chunk
when adding an address to successfully disable the restart procedure. when adding an address to successfully disable the restart procedure.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0xC007 | Length = 4 | | Type = 0xC007 | Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Parameter Type: 2 bytes (unsigned integer) This field holds the IANA Parameter Type: 2 bytes (unsigned integer)
defined parameter type for the Disable Restart Parameter. IANA is This field holds the IANA defined parameter type for the Disable
requested to assign the value 0xC007 for this parameter type. Restart Parameter. IANA is requested to assign the value 0xC007
for this parameter type.
Parameter Length: 2 bytes (unsigned integer) This field holds the Parameter Length: 2 bytes (unsigned integer)
length in bytes of the parameter. The value MUST be 4. This field holds the length in bytes of the parameter. The value
MUST be 4.
[NOTE to RFC-Editor: Assignment of parameter type to be confirmed by [NOTE to RFC-Editor: Assignment of parameter type to be confirmed by
IANA.] IANA.]
This parameter MAY appear in INIT, INIT ACK and ASCONF chunks and This parameter MAY appear in INIT, INIT ACK and ASCONF chunks and
MUST NOT appear in any other chunk. MUST NOT appear in any other chunk.
5.3.2. VTags Parameter 5.3.2. VTags Parameter
This parameter is used to help a NAT recover from state loss. This parameter is used to help a NAT function to recover from state
loss.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Parameter Type = 0xC008 | Parameter Length = 16 | | Parameter Type = 0xC008 | Parameter Length = 16 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ASCONF-Request Correlation ID | | ASCONF-Request Correlation ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Internal Verification Tag | | Internal Verification Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| External Verification Tag | | Remote Verification Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Parameter Type: 2 bytes (unsigned integer) This field holds the IANA Parameter Type: 2 bytes (unsigned integer)
defined parameter type for the VTags Parameter. IANA is requested This field holds the IANA defined parameter type for the VTags
to assign the value 0xC008 for this parameter type. Parameter. IANA is requested to assign the value 0xC008 for this
parameter type.
Parameter Length: 2 bytes (unsigned integer) This field holds the Parameter Length: 2 bytes (unsigned integer)
length in bytes of the parameter. The value MUST be 16. This field holds the length in bytes of the parameter. The value
MUST be 16.
ASCONF-Request Correlation ID: 4 bytes (unsigned integer) This is an ASCONF-Request Correlation ID: 4 bytes (unsigned integer)
opaque integer assigned by the sender to identify each request This is an opaque integer assigned by the sender to identify each
parameter. The receiver of the ASCONF Chunk will copy this 32-bit request parameter. The receiver of the ASCONF Chunk will copy
value into the ASCONF Response Correlation ID field of the ASCONF this 32-bit value into the ASCONF Response Correlation ID field of
ACK response parameter. The sender of the ASCONF can use this the ASCONF ACK response parameter. The sender of the packet
same value in the ASCONF ACK to find which request the response is containing the ASCONF chunk can use this same value in the ASCONF
for. Note that the receiver MUST NOT change this 32-bit value. ACK chunk to find which request the response is for. Note that
the receiver MUST NOT change this 32-bit value.
Internal Verification Tag: 4 bytes (unsigned integer) The Internal Verification Tag: 4 bytes (unsigned integer)
Verification Tag that the internal host has chosen for its The Verification Tag that the internal host has chosen for its
communication. The Verification Tag is a unique 32-bit tag that communication. The Verification Tag is a unique 32-bit tag that
must accompany any incoming SCTP packet for this association to must accompany any incoming SCTP packet for this association to
the Private-Address. the Internal-Address.
External Verification Tag: 4 bytes (unsigned integer) The Remote Verification Tag: 4 bytes (unsigned integer)
Verification Tag that the host holding the External-Address has The Verification Tag that the host holding the Remote-Address has
chosen for its communication. The VTag is a unique 32-bit tag chosen for its communication. The VTag is a unique 32-bit tag
that must accompany any incoming SCTP packet for this association that must accompany any incoming SCTP packet for this association
to the External-Address. to the Remote-Address.
[NOTE to RFC-Editor: Assignment of parameter type to be confirmed by [NOTE to RFC-Editor: Assignment of parameter type to be confirmed by
IANA.] IANA.]
This parameter MAY appear in ASCONF chunks and MUST NOT appear in any This parameter MAY appear in ASCONF chunks and MUST NOT appear in any
other chunk. other chunk.
6. Procedures for SCTP Endpoints and NAT Devices 6. Procedures for SCTP Endpoints and NAT Functions
When an SCTP endpoint is behind an SCTP-aware NAT a number of When an SCTP endpoint is behind an SCTP-aware NAT a number of
problems may arise as it tries to communicate with its peer: problems may arise as it tries to communicate with its peer:
* IP addresses can not be included in the SCTP packet. This is * IP addresses can not be included in the SCTP packet. This is
discussed in Section 6.1. discussed in Section 6.1.
* More than one host behind a NAT device could select the same VTag * More than one host behind a NAT function could select the same
and source port when talking to the same peer server. This VTag and source port when talking to the same peer server. This
creates a situation where the NAT will not be able to tell the two creates a situation where the NAT function will not be able to
associations apart. This situation is discussed in Section 6.2. tell the two associations apart. This situation is discussed in
Section 6.2.
* When an SCTP endpoint is a server communicating with multiple * When an SCTP endpoint is a server communicating with multiple
peers and the peers are behind the same NAT, then the two peers and the peers are behind the same NAT function, then the two
endpoints cannot be distinguished by the server. This case is endpoints cannot be distinguished by the server. This case is
discussed in Section 6.3. discussed in Section 6.3.
* A restart of a NAT during a conversation could cause a loss of its * A restart of a NAT function during a conversation could cause a
state. This problem and its solution is discussed in Section 6.4. loss of its state. This problem and its solution is discussed in
Section 6.4.
* NAT devices need to deal with SCTP packets being fragmented at the * NAT functions need to deal with SCTP packets being fragmented at
IP layer. This is discussed in Section 6.5. the IP layer. This is discussed in Section 6.5.
* An SCTP endpoint may be behind two NAT devices providing * An SCTP endpoint can be behind two NAT functions in parallel
redundancy. The method to set up this scenario is discussed in providing redundancy. The method to set up this scenario is
Section 6.6. discussed in Section 6.6.
Each of these mechanisms requires additional chunks and parameters, Each of these mechanisms requires additional chunks and parameters,
defined in this document, and possibly modified handling procedures defined in this document, and modified handling procedures from those
from those specified in [RFC4960]. specified in [RFC4960] as described below.
6.1. Association Setup Considerations for Endpoints 6.1. Association Setup Considerations for Endpoints
The association setup procedure defined in [RFC4960] allows multi- The association setup procedure defined in [RFC4960] allows multi-
homed SCTP endpoints to exchange its IP-addresses by using IPv4 or homed SCTP endpoints to exchange its IP-addresses by using IPv4 or
IPv6 address parameters in the INIT and INIT ACK chunks. However, IPv6 address parameters in the INIT and INIT ACK chunks. However,
this doesn't work when NAT devices are present. this does not work when NAT functions are present.
Every association setup from a host behind a NAT MUST NOT use Every association setup from a host behind a NAT function MUST NOT
multiple private addresses. There MUST NOT be any IPv4 Address use multiple internal addresses. The INIT chunk MUST NOT contain an
parameter, IPv6 Address parameter, or Supported Address Types IPv4 Address parameter, IPv6 Address parameter, or Supported Address
parameter in the INIT chunk. The INIT ACK chunk MUST NOT contain any Types parameter. The INIT ACK chunk MUST NOT contain any IPv4
IPv4 Address parameter or IPv6 Address parameter using non-global Address parameter or IPv6 Address parameter using non-global
addresses. The INIT chunk and the INIT ACK chunk MUST NOT contain addresses. The INIT chunk and the INIT ACK chunk MUST NOT contain
any Host Name parameters. any Host Name parameters.
If the association should finally be multi-homed, the procedure in If the association should finally be multi-homed, the procedure in
Section 6.6 MUST be used. Section 6.6 MUST be used.
The INIT and INIT ACK chunk SHOULD contain the Disable Restart The INIT and INIT ACK chunk SHOULD contain the Disable Restart
parameter defined in Section 5.3.1. parameter defined in Section 5.3.1.
6.2. Handling of Internal Port Number and Verification Tag Collisions 6.2. Handling of Internal Port Number and Verification Tag Collisions
Consider the case where two hosts in the Private-Address space want Consider the case where two hosts in the Internal-Address space want
to set up an SCTP association with the same service provided by some to set up an SCTP association with the same service provided by some
hosts in the Internet. This means that the External-Port is the hosts in the Internet. This means that the Remote-Port is the same.
same. If they both choose the same Internal-Port and Internal-VTag, If they both choose the same Internal-Port and Internal-VTag, the NAT
the NAT device cannot distinguish between incoming packets anymore. function cannot distinguish between incoming packets anymore.
But this is very unlikely. The Internal-VTags are chosen at random However, this is unlikely. The Internal-VTags are chosen at random
and if the Internal-Ports are also chosen from the ephemeral port and if the Internal-Ports are also chosen from the ephemeral port
range at random this gives a 46-bit random number that has to match. range at random this gives a 46-bit random number that has to match.
A NAPT device can control the 16-bit Natted Port and therefore avoid A NAPT device can control the Port number and therefore avoid
collisions deterministically. collisions deterministically.
The same can happen with the External-VTag when an INIT ACK chunk or The same can happen with the Remote-VTag when a packet containing an
an ASCONF chunk is processed by the NAT. INIT ACK chunk or an ASCONF chunk is processed by the NAT function.
6.2.1. NAT Device Considerations 6.2.1. NAT Function Considerations
If the NAT device detects a collision of internal port numbers and If the NAT function detects a collision of internal port numbers and
verification tags, it MUST send an ABORT chunk with the M bit set if verification tags, it SHOULD send a packet containing an ABORT chunk
the collision is triggered by an INIT or INIT ACK chunk. If such a with the M bit set if the collision is triggered by a packet
collision is triggered by an ASCONF chunk, it MUST send an ERROR containing an INIT or INIT ACK chunk. If such a collision is
chunk with the M bit. The M bit is a new bit defined by this triggered by a packet containing an ASCONF chunk, it SHOULD send a
document to express to SCTP that the source of this packet is a packet containing an ERROR chunk with the M bit. The M bit is a new
"middle" box, not the peer SCTP endpoint (see Section 5.1.1). If a bit defined by this document to express to SCTP that the source of
packet containing an INIT ACK chunk triggers the collision, the this packet is a "middle" box, not the peer SCTP endpoint (see
corresponding packet containing the ABORT chunk MUST contain the same Section 5.1.1). If a packet containing an INIT ACK chunk triggers
source and destination address and port numbers as the packet the collision, the corresponding packet containing the ABORT chunk
containing the INIT ACK chunk. In the other two cases, the source MUST contain the same source and destination address and port numbers
and destination address and port numbers MUST be swapped. as the packet containing the INIT ACK chunk. If a packet containing
an INIT chunk or an ASCONF chunk, the source and destination address
and port numbers MUST be swapped.
The sender of the ERROR or ABORT chunk MUST include the error cause The sender of the packet containing an ERROR or ABORT chunk MUST
with cause code 'VTag and Port Number Collision' (see Section 5.2.1). include the error cause with cause code 'VTag and Port Number
Collision' (see Section 5.2.1).
6.2.2. Endpoint Considerations 6.2.2. Endpoint Considerations
The sender of the packet containing the INIT chunk or the receiver of The sender of the packet containing the INIT chunk or the receiver of
the INIT ACK chunk, upon reception of an ABORT chunk with M bit set a packet containing the INIT ACK chunk, upon reception of a packet
and the appropriate error cause code for colliding NAT binding table containign an ABORT chunk with M bit set and the appropriate error
state is included, SHOULD reinitiate the association setup procedure cause code for colliding NAT binding table state is included, SHOULD
after choosing a new initiate tag, if the association is in COOKIE- reinitiate the association setup procedure after choosing a new
WAIT state. In any other state, the SCTP endpoint MUST NOT respond. initiate tag, if the association is in COOKIE-WAIT state. In any
other state, the SCTP endpoint MUST NOT respond.
The sender of the ASCONF chunk, upon reception of an ERROR chunk with The sender of packet containing the ASCONF chunk, upon reception of a
M bit set, MUST stop adding the path to the association. packet containing an ERROR chunk with M bit set, MUST stop adding the
path to the association.
6.3. Handling of Internal Port Number Collisions 6.3. Handling of Internal Port Number Collisions
When two SCTP hosts are behind an SCTP-aware NAT it is possible that When two SCTP hosts are behind an SCTP-aware NAT it is possible that
two SCTP hosts in the Private-Address space will want to set up an two SCTP hosts in the Internal-Address space will want to set up an
SCTP association with the same server running on the same host in the SCTP association with the same server running on the same host in the
Internet. If the two hosts choose the same internal port, this is Internet. If the two hosts choose the same internal port, this is
considered an internal port number collision. considered an internal port number collision.
For the NAT, appropriate tracking may be performed by assuring that For the NAT function, appropriate tracking may be performed by
the VTags are unique between the two hosts. assuring that the VTags are unique between the two hosts.
6.3.1. NAT Device Considerations 6.3.1. NAT Function Considerations
The NAT, when processing the INIT ACK, should note in its NAT binding The NAT function, when processing the packet containing the INIT ACK
table that the association supports the disable restart extension. chunk, should note in its NAT binding table that the association
This note is used when establishing future associations (i.e. when supports the disable restart extension. This note is used when
processing an INIT from an internal host) to decide if the connection establishing future associations (i.e. when processing a packet
should be allowed. The NAT device does the following when processing containing an INIT chunk from an internal host) to decide if the
an INIT: connection should be allowed. The NAT function does the following
when processing a packet containing an INIT chunk:
* If the INIT is originating from an internal port to an external * If the packet containing the INIT chunk is originating from an
port for which the NAT device has no matching NAT binding table internal port to an remote port for which the NAT function has no
entry, it MUST allow the INIT creating an NAT binding table entry. matching NAT binding table entry, it MUST allow the packet
containing the INIT chunk creating an NAT binding table entry.
* If the INIT matches an existing NAT binding table entry, it MUST * If the packet containing the INIT chunk matches an existing NAT
validate that the disable restart feature is supported and, if it binding table entry, it MUST validate that the disable restart
does, allow the INIT to be forwarded. feature is supported and, if it does, allow the packet containing
the INIT chunk to be forwarded.
* If the disable restart feature is not supported, the NAT device * If the disable restart feature is not supported, the NAT function
MUST send an ABORT with the M bit set. MUST send a packet containing an ABORT chunk with the M bit set.
The 'Port Number Collision' error cause (see Section 5.2.3) MUST be The 'Port Number Collision' error cause (see Section 5.2.3) MUST be
included in the ABORT chunk sent in response to the INIT chunk. included in the ABORT chunk sent in response to the packet containing
an INIT chunk.
If the collision is triggered by an ASCONF chunk, a packet containing If the collision is triggered by a packet containing an ASCONF chunk,
an ERROR chunk with the 'Port Number Collision' error cause MUST be a packet containing an ERROR chunk with the 'Port Number Collision'
sent in response to the ASCONF chunk. error cause MUST be sent in response to the packet containing the
ASCONF chunk.
6.3.2. Endpoint Considerations 6.3.2. Endpoint Considerations
For the external SCTP server on the Internet this means that the For the remote SCTP server on the Internet this means that the
External-Port and the External-Address are the same. If they both Remote-Port and the Remote-Address are the same. If they both have
have chosen the same Internal-Port the server cannot distinguish chosen the same Internal-Port the server cannot distinguish between
between both associations based on the address and port numbers. For both associations based on the address and port numbers. For the
the server it looks like the association is being restarted. To server it looks like the association is being restarted. To overcome
overcome this limitation the client sends a Disable Restart parameter this limitation the client sends a Disable Restart parameter in the
in the INIT chunk. INIT chunk.
When the server receives this parameter it does the following: When the server receives this parameter it does the following:
* It MUST include a Disable Restart parameter in the INIT ACK to * It MUST include a Disable Restart parameter in the INIT ACK to
inform the client that it will support the feature. inform the client that it will support the feature.
* It MUST disable the restart procedures defined in [RFC4960] for * It MUST disable the restart procedures defined in [RFC4960] for
this association. this association.
Servers that support this feature will need to be capable of Servers that support this feature will need to be capable of
maintaining multiple connections to what appears to be the same peer maintaining multiple connections to what appears to be the same peer
(behind the NAT) differentiated only by the VTags. (behind the NAT function) differentiated only by the VTags.
6.4. Handling of Missing State 6.4. Handling of Missing State
6.4.1. NAT Device Considerations 6.4.1. NAT Function Considerations
If the NAT device receives a packet from the internal network for If the NAT function receives a packet from the internal network for
which the lookup procedure does not find an entry in the NAT binding which the lookup procedure does not find an entry in the NAT binding
table, a packet containing an ERROR chunk is sent back with the M bit table, a packet containing an ERROR chunk SHOULD be sent back with
set. The source address of the packet containing the ERROR chunk the M bit set. The source address of the packet containing the ERROR
MUST be the destination address of the incoming SCTP packet. The chunk MUST be the destination address of the incoming SCTP packet.
verification tag is reflected and the T bit is set. Such a packet The verification tag is reflected and the T bit is set. Such a
containing an ERROR chunk SHOULD NOT be sent if the received packet packet containing an ERROR chunk SHOULD NOT be sent if the received
contains an ABORT, SHUTDOWN COMPLETE or INIT ACK chunk. An ERROR packet contains an ABORT, SHUTDOWN COMPLETE or INIT ACK chunk. A
chunk MUST NOT be sent if the received packet contains an ERROR chunk packet containing an ERROR chunk MUST NOT be sent if the received
with the M bit set. In any case, the packet SHOULD NOT be forwarded packet contains an ERROR chunk with the M bit set. In any case, the
to the external address. packet SHOULD NOT be forwarded to the remote address.
When sending the ERROR chunk, the error cause 'Missing State' (see When sending a packet containing an ERROR chunk, the error cause
Section 5.2.2) MUST be included and the M bit of the ERROR chunk MUST 'Missing State' (see Section 5.2.2) MUST be included and the M bit of
be set (see Section 5.1.2). the ERROR chunk MUST be set (see Section 5.1.2).
If the NAT device receives a packet for which it has no NAT binding If the NAT device receives a packet for which it has no NAT binding
table entry and the packet contains an ASCONF chunk with the VTags table entry and the packet contains an ASCONF chunk with the VTags
parameter, the NAT device MUST update its NAT binding table according parameter, the NAT function MUST update its NAT binding table
to the verification tags in the VTags parameter and the optional according to the verification tags in the VTags parameter and the
Disable Restart parameter. optional Disable Restart parameter.
6.4.2. Endpoint Considerations 6.4.2. Endpoint Considerations
Upon reception of this ERROR chunk by an SCTP endpoint the receiver Upon reception of this packet containing the ERROR chunk by an SCTP
takes the following actions: endpoint the receiver takes the following actions:
* It SHOULD validate that the verification tag is reflected by * It SHOULD validate that the verification tag is reflected by
looking at the VTag that would have been included in the outgoing looking at the VTag that would have been included in the outgoing
packet. If the validation fails, discard the incoming ERROR packet. If the validation fails, discard the incoming packet
chunk. containing the ERROR chunk.
* It SHOULD validate that the peer of the SCTP association supports * It SHOULD validate that the peer of the SCTP association supports
the dynamic address extension. If the validation fails, discard the dynamic address extension. If the validation fails, discard
the incoming ERROR chunk. the incoming packet containing the ERROR chunk.
* It SHOULD generate a new ASCONF chunk containing the VTags * It SHOULD generate a packet containing a new ASCONF chunk
parameter (see Section 5.3.2) and the Disable Restart parameter containing the VTags parameter (see Section 5.3.2) and the Disable
(see Section 5.3.1) if the association is using the disable Restart parameter (see Section 5.3.1) if the association is using
restart feature. By processing this packet the NAT device can the disable restart feature. By processing this packet the NAT
recover the appropriate state. The procedures for generating an function can recover the appropriate state. The procedures for
ASCONF chunk can be found in [RFC5061]. generating an ASCONF chunk can be found in [RFC5061].
The peer SCTP endpoint receiving such an ASCONF chunk SHOULD either The peer SCTP endpoint receiving such a packet containing an ASCONF
add the address and respond with an acknowledgment, if the address is chunk SHOULD either add the address and respond with an
new to the association (following all procedures defined in acknowledgment, if the address is new to the association (following
[RFC5061]). Or, if the address is already part of the association, all procedures defined in [RFC5061]). Or, if the address is already
the SCTP endpoint MUST NOT respond with an error, but instead SHOULD part of the association, the SCTP endpoint MUST NOT respond with an
respond with an ASCONF ACK chunk acknowledging the address and take error, but instead SHOULD respond with packet containing an ASCONF
no action (since the address is already in the association). ACK chunk acknowledging the address and take no action (since the
address is already in the association).
Note that it is possible that upon receiving an ASCONF chunk Note that it is possible that upon receiving a packet containing an
containing the VTags parameter the NAT will realize that it has an ASCONF chunk containing the VTags parameter the NAT function will
'Internal Port Number and Verification Tag collision'. In such a realize that it has an 'Internal Port Number and Verification Tag
case the NAT MUST send an ERROR chunk with the error cause code set collision'. In such a case the NAT function SHOULD send a packet
to 'VTag and Port Number Collision' (see Section 5.2.1). containing an ERROR chunk with the error cause code set to 'VTag and
Port Number Collision' (see Section 5.2.1).
If an SCTP endpoint receives an ERROR with 'Internal Port Number and If an SCTP endpoint receives a packet containing an ERROR chunk with
Verification Tag collision' as the error cause and the packet in the 'Internal Port Number and Verification Tag collision' as the error
Error Chunk contains an ASCONF with the VTags parameter, careful cause and the packet in the Error Chunk contains an ASCONF with the
examination of the association is required. The endpoint does the VTags parameter, careful examination of the association is required.
following: The endpoint does the following:
* It MUST validate that the verification tag is reflected by looking * It MUST validate that the verification tag is reflected by looking
at the VTag that would have been included in the outgoing packet. at the VTag that would have been included in the outgoing packet.
If the validation fails, it MUST discard the packet. If the validation fails, it MUST discard the packet.
* It MUST validate that the peer of the SCTP association supports * It MUST validate that the peer of the SCTP association supports
the dynamic address extension. If the peer does not support it, the dynamic address extension. If the peer does not support it,
the NAT Device MUST discard the incoming ERROR chunk. the NAT function MUST discard the incoming packet containing the
ERROR chunk.
* If the association is attempting to add an address (i.e. following * If the association is attempting to add an address (i.e. following
the procedures in Section 6.6) then the endpoint MUST NOT consider the procedures in Section 6.6) then the endpoint MUST NOT consider
the address part of the association and SHOULD make no further the address part of the association and SHOULD make no further
attempt to add the address (i.e. cancel any ASCONF timers and attempt to add the address (i.e. cancel any ASCONF timers and
remove any record of the path), since the NAT device has a VTag remove any record of the path), since the NAT function has a VTag
collision and the association cannot easily create a new VTag (as collision and the association cannot easily create a new VTag (as
it would if the error occurred when sending an INIT). it would if the error occurred when sending a packet containing an
INIT chunk).
* If the endpoint has no other path, i.e. the procedure was executed * If the endpoint has no other path, i.e. the procedure was executed
due to missing a state in the NAT device, then the endpoint MUST due to missing a state in the NAT function, then the endpoint MUST
abort the association. This would occur only if the local NAT abort the association. This would occur only if the local NAT
device restarted and accepted a new association before attempting function restarted and accepted a new association before
to repair the missing state (Note that this is no different than attempting to repair the missing state (Note that this is no
what happens to all TCP connections when a NAT device looses its different than what happens to all TCP connections when a NAT
state). function looses its state).
6.5. Handling of Fragmented SCTP Packets by NAT Devices 6.5. Handling of Fragmented SCTP Packets by NAT Functions
A NAT device MUST support IP reassembly of received fragmented SCTP SCTP minimizes the use of IP-level fragmentation. However, it can
packets. The fragments may arrive in any order. happen that using IP-level fragmentation is needed to continue an
SCTP association. For example, if the path MTU is reduced and there
are still some DATA chunk in flight, which require packets larger
than the new path MTU. If IP-level fragmentation can not be used,
the SCTP association will be terminated in a non-graceful way.
When an SCTP packet has to be fragmented by the NAT device and the IP Therefore, a NAT function MUST support IP reassembly of received
header forbids fragmentation a corresponding ICMP packet SHOULD be fragmented SCTP packets. The fragments may arrive in any order.
sent.
When an SCTP packet has to be fragmented by the NAT function and the
IP header forbids fragmentation a corresponding ICMP packet SHOULD be
sent. This allows for a faster recovery from this packet drop.
6.6. Multi Point Traversal Considerations for Endpoints 6.6. Multi Point Traversal Considerations for Endpoints
If a multi-homed SCTP endpoint behind a NAT connects to a peer, it If a multi-homed SCTP endpoint behind a NAT function connects to a
MUST first set up the association single-homed with only one address peer, it MUST first set up the association single-homed with only one
causing the first NAT to populate its state. Then it SHOULD add each address causing the first NAT function to populate its state. Then
IP address using ASCONF chunks sent via their respective NAT devices. it SHOULD add each IP address using packets containing ASCONF chunks
The address to add is the wildcard address and the lookup address sent via their respective NAT functions. The address to add is the
SHOULD also contain the VTags parameter and optionally the Disable wildcard address and the lookup address SHOULD also contain the VTags
Restart parameter. parameter and optionally the Disable Restart parameter.
7. Various Examples of NAT Traversals 7. Various Examples of NAT Traversals
Please note that this section is informational only. Please note that this section is informational only.
The addresses being used in the following examples are IPv4 addresses The addresses being used in the following examples are IPv4 addresses
for private-use networks and for documentation as specified in for private-use networks and for documentation as specified in
[RFC6890]. However, the method described here is not limited to this [RFC6890]. However, the method described here is not limited to this
NAT44 case. NAT44 case.
The NAT binding table entries shown in the following examples do not The NAT binding table entries shown in the following examples do not
include the flag indicating whether the restart procedure is include the flag indicating whether the restart procedure is
supported or not. This flag is not relevant for these examples. supported or not. This flag is not relevant for these examples.
7.1. Single-homed Client to Single-homed Server 7.1. Single-homed Client to Single-homed Server
The internal client starts the association with the external server The internal client starts the association with the remote server via
via a four-way-handshake. Host A starts by sending an INIT chunk. a four-way-handshake. Host A starts by sending a packet containing
an INIT chunk.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
10.0.0.1:1 ------> 203.0.113.1:2 10.0.0.1:1 ------> 203.0.113.1:2
Ext-VTtag = 0 Rem-VTtag = 0
A NAT binding tabled entry is created, the source address is A NAT binding tabled entry is created, the source address is
substituted and the packet is sent on: substituted and the packet is sent on:
NAT creates entry: NAT function creates entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 0 | 2 | 10.0.0.1 | | 1234 | 1 | 0 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
192.0.2.1:1 ------------------------> 203.0.113.1:2 192.0.2.1:1 ------------------------> 203.0.113.1:2
Ext-VTtag = 0 Rem-VTtag = 0
Host B receives the INIT and sends an INIT ACK with the NAT's Host B receives the packet containing an INIT chunk and sends a
external address as destination address. packet containing an INIT ACK chunk with the NAT's Remote-address as
destination address.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
INIT ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
192.0.2.1:1 <----------------------- 203.0.113.1:2 192.0.2.1:1 <----------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
NAT updates entry: NAT function updates entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
10.0.0.1:1 <------ 203.0.113.1:2 10.0.0.1:1 <------ 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE
ACK. ACK.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
COOKIE ECHO COOKIE ECHO
10.0.0.1:1 ------> 203.0.113.1:2 10.0.0.1:1 ------> 203.0.113.1:2
Ext-VTag = 5678 Rem-VTag = 5678
COOKIE ECHO COOKIE ECHO
192.0.2.1:1 -----------------------> 203.0.113.1:2 192.0.2.1:1 -----------------------> 203.0.113.1:2
Ext-VTag = 5678 Rem-VTag = 5678
COOKIE ACK COOKIE ACK
192.0.2.1:1 <----------------------- 203.0.113.1:2 192.0.2.1:1 <----------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
COOKIE ACK COOKIE ACK
10.0.0.1:1 <------ 203.0.113.1:2 10.0.0.1:1 <------ 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
7.2. Single-homed Client to Multi-homed Server 7.2. Single-homed Client to Multi-homed Server
The internal client is single-homed whereas the external server is The internal client is single-homed whereas the remote server is
multi-homed. The client (Host A) sends an INIT like in the single- multi-homed. The client (Host A) sends a packet containing an INIT
homed case. chunk like in the single-homed case.
+--------+ +--------+
/--\/--\ /-|Router 1| \ /--\/--\ /-|Router 1| \
+------+ +-----+ / \ / +--------+ \ +------+ +------+ +-----+ / \ / +--------+ \ +------+
| Host | <-----> | NAT | <-> | Internet | == =| Host | | Host | <-----> | NAT | <-> | Internet | == =| Host |
| A | +-----+ \ / \ +--------+ / | B | | A | +-----+ \ / \ +--------+ / | B |
+------+ \--/\--/ \-|Router 2|-/ +------+ +------+ \--/\--/ \-|Router 2|-/ +------+
+--------+ +--------+
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
10.0.0.1:1 ---> 203.0.113.1:2 10.0.0.1:1 ---> 203.0.113.1:2
Ext-VTag = 0 Rem-VTag = 0
NAT creates entry: NAT function creates entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 0 | 2 | 10.0.0.1 | | 1234 | 1 | 0 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
192.0.2.1:1 --------------------------> 203.0.113.1:2 192.0.2.1:1 --------------------------> 203.0.113.1:2
Ext-VTag = 0 Rem-VTag = 0
The server (Host B) includes its two addresses in the INIT ACK chunk. The server (Host B) includes its two addresses in the INIT ACK chunk.
+--------+ +--------+
/--\/--\ /-|Router 1| \ /--\/--\ /-|Router 1| \
+------+ +-----+ / \ / +--------+ \ +------+ +------+ +-----+ / \ / +--------+ \ +------+
| Host | <-----> | NAT | <-> | Internet | == =| Host | | Host | <-----> | NAT | <-> | Internet | == =| Host |
| A | +-----+ \ / \ +--------+ / | B | | A | +-----+ \ / \ +--------+ / | B |
+------+ \--/\--/ \-|Router 2|-/ +------+ +------+ \--/\--/ \-|Router 2|-/ +------+
+--------+ +--------+
INIT ACK[Initiate-tag = 5678, IP-Addr = 203.0.113.129] INIT ACK[Initiate-tag = 5678, IP-Addr = 203.0.113.129]
192.0.2.1:1 <-------------------------- 203.0.113.1:2 192.0.2.1:1 <-------------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The NAT device does not need to change the NAT binding table for the The NAT function does not need to change the NAT binding table for
second address: the second address:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
10.0.0.1:1 <--- 203.0.113.1:2 10.0.0.1:1 <--- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE
skipping to change at page 27, line 15 skipping to change at page 28, line 15
+--------+ +--------+
/--\/--\ /-|Router 1| \ /--\/--\ /-|Router 1| \
+------+ +-----+ / \ / +--------+ \ +------+ +------+ +-----+ / \ / +--------+ \ +------+
| Host | <-----> | NAT | <-> | Internet | == =| Host | | Host | <-----> | NAT | <-> | Internet | == =| Host |
| A | +-----+ \ / \ +--------+ / | B | | A | +-----+ \ / \ +--------+ / | B |
+------+ \--/\--/ \-|Router 2|-/ +------+ +------+ \--/\--/ \-|Router 2|-/ +------+
+--------+ +--------+
COOKIE ECHO COOKIE ECHO
10.0.0.1:1 ---> 203.0.113.1:2 10.0.0.1:1 ---> 203.0.113.1:2
ExtVTag = 5678 Rem-VTag = 5678
COOKIE ECHO COOKIE ECHO
192.0.2.1:1 --------------------------> 203.0.113.1:2 192.0.2.1:1 --------------------------> 203.0.113.1:2
Ext-VTag = 5678 Rem-VTag = 5678
COOKIE ACK COOKIE ACK
192.0.2.1:1 <-------------------------- 203.0.113.1:2 192.0.2.1:1 <-------------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
COOKIE ACK COOKIE ACK
10.0.0.1:1 <--- 203.0.113.1:2 10.0.0.1:1 <--- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
7.3. Multihomed Client and Server 7.3. Multihomed Client and Server
The client (Host A) sends an INIT to the server (Host B), but does The client (Host A) sends a packet containing an INIT chunk to the
not include the second address. server (Host B), but does not include the second address.
+-------+ +-------+
/--| NAT 1 |--\ /--\/--\ /--| NAT 1 |--\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |====| Host B | | Host |=== ====| Internet |====| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--| NAT 2 |--/ \--/\--/ +------+ \--| NAT 2 |--/ \--/\--/
+-------+ +-------+
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT 1 | Int | Int | Ext | Ext | Priv | NAT 1 | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
10.0.0.1:1 --------> 203.0.113.1:2 10.0.0.1:1 --------> 203.0.113.1:2
Ext-VTag = 0 Rem-VTag = 0
NAT 1 creates entry: NAT function 1 creates entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT 1 | Int | Int | Ext | Ext | Priv | NAT 1 | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 0 | 2 | 10.0.0.1 | | 1234 | 1 | 0 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
192.0.2.1:1 ---------------------> 203.0.113.1:2 192.0.2.1:1 ---------------------> 203.0.113.1:2
ExtVTag = 0 Rem-VTag = 0
Host B includes its second address in the INIT ACK. Host B includes its second address in the INIT ACK.
+-------+ +-------+
/--------| NAT 1 |--------\ /--\/--\ /--------| NAT 1 |--------\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |===| Host B | | Host |=== ====| Internet |===| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
+-------+ +-------+
INIT ACK[Initiate-Tag = 5678, IP-Addr = 203.0.113.129] INIT ACK[Initiate-Tag = 5678, IP-Addr = 203.0.113.129]
192.0.2.1:1 <----------------------- 203.0.113.1:2 192.0.2.1:1 <----------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
NAT 1 does not need to update the NAT binding table for the second NAT function 1 does not need to update the NAT binding table for the
address: second address:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT 1 | Int | Int | Ext | Ext | Priv | NAT 1 | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
10.0.0.1:1 <-------- 203.0.113.1:2 10.0.0.1:1 <-------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE
skipping to change at page 29, line 15 skipping to change at page 30, line 15
+-------+ +-------+
/--------| NAT 1 |--------\ /--\/--\ /--------| NAT 1 |--------\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |===| Host B | | Host |=== ====| Internet |===| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
+-------+ +-------+
COOKIE ECHO COOKIE ECHO
10.0.0.1:1 --------> 203.0.113.1:2 10.0.0.1:1 --------> 203.0.113.1:2
Ext-VTag = 5678 Rem-VTag = 5678
COOKIE ECHO COOKIE ECHO
192.0.2.1:1 ------------------> 203.0.113.1:2 192.0.2.1:1 ------------------> 203.0.113.1:2
Ext-VTag = 5678 Rem-VTag = 5678
COOKIE ACK COOKIE ACK
192.0.2.1:1 <------------------ 203.0.113.1:2 192.0.2.1:1 <------------------ 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
COOKIE ACK COOKIE ACK
10.0.0.1:1 <------- 203.0.113.1:2 10.0.0.1:1 <------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
Host A announces its second address in an ASCONF chunk. The address Host A announces its second address in an ASCONF chunk. The address
parameter contains an undefined address (0) to indicate that the parameter contains an undefined address (0) to indicate that the
source address should be added. The lookup address parameter within source address should be added. The lookup address parameter within
the ASCONF chunk will also contain the pair of VTags (external and the ASCONF chunk will also contain the pair of VTags (remote and
internal) so that the NAT may populate its NAT binding table entry internal) so that the NAT function may populate its NAT binding table
completely with this single packet. entry completely with this single packet.
+-------+ +-------+
/--------| NAT 1 |--------\ /--\/--\ /--------| NAT 1 |--------\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |===| Host B | | Host |=== ====| Internet |===| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
+-------+ +-------+
ASCONF [ADD-IP=0.0.0.0, INT-VTag=1234, Ext-VTag = 5678] ASCONF [ADD-IP=0.0.0.0, INT-VTag=1234, Rem-VTag = 5678]
10.1.0.1:1 --------> 203.0.113.129:2 10.1.0.1:1 --------> 203.0.113.129:2
Ext-VTag = 5678 Rem-VTag = 5678
NAT 2 creates a complete entry: NAT function 2 creates a complete entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT 2 | Int | Int | Ext | Ext | Priv | NAT 2 | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.1.0.1 | | 1234 | 1 | 5678 | 2 | 10.1.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
ASCONF [ADD-IP, Int-VTag=1234, Ext-VTag = 5678] ASCONF [ADD-IP, Int-VTag=1234, Rem-VTag = 5678]
192.0.2.129:1 -------------------> 203.0.113.129:2 192.0.2.129:1 -------------------> 203.0.113.129:2
Ext-VTag = 5678 Rem-VTag = 5678
ASCONF ACK ASCONF ACK
192.0.2.129:1 <------------------- 203.0.113.129:2 192.0.2.129:1 <------------------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
ASCONF ACK ASCONF ACK
10.1.0.1:1 <----- 203.0.113.129:2 10.1.0.1:1 <----- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
7.4. NAT Loses Its State 7.4. NAT Function Loses Its State
Association is already established between Host A and Host B, when Association is already established between Host A and Host B, when
the NAT loses its state and obtains a new public address. Host A the NAT function loses its state and obtains a new external address.
sends a DATA chunk to Host B. Host A sends a DATA chunk to Host B.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
DATA DATA
10.0.0.1:1 ----------> 203.0.113.1:2 10.0.0.1:1 ----------> 203.0.113.1:2
Ext-VTag = 5678 Rem-VTag = 5678
The NAT device cannot find an entry in the NAT binding table for the The NAT function cannot find an entry in the NAT binding table for
association. It sends ERROR an message with the M-Bit set and the the association. It sends a packet containing an ERROR chunk with
cause "NAT state missing". the M-Bit set and the cause "NAT state missing".
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
ERROR [M-Bit, NAT state missing] ERROR [M-Bit, NAT state missing]
10.0.0.1:1 <---------- 203.0.113.1:2 10.0.0.1:1 <---------- 203.0.113.1:2
Ext-VTag = 5678 Rem-VTag = 5678
On reception of the ERROR message, Host A sends an ASCONF chunk On reception of the packet containing the ERROR chunk, Host A sends a
indicating that the former information has to be deleted and the packet containing an ASCONF chunk indicating that the former
source address of the actual packet added. information has to be deleted and the source address of the actual
packet added.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
ASCONF [ADD-IP, DELETE-IP, Int-VTag=1234, Ext-VTag = 5678] ASCONF [ADD-IP, DELETE-IP, Int-VTag=1234, Rem-VTag = 5678]
10.0.0.1:1 ----------> 203.0.113.129:2 10.0.0.1:1 ----------> 203.0.113.129:2
Ext-VTag = 5678 Rem-VTag = 5678
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
ASCONF [ADD-IP, DELETE-IP, Int-VTag=1234, Ext-VTag = 5678] ASCONF [ADD-IP, DELETE-IP, Int-VTag=1234, Rem-VTag = 5678]
192.0.2.2:1 -----------------> 203.0.113.129:2 192.0.2.2:1 -----------------> 203.0.113.129:2
Ext-VTag = 5678 Rem-VTag = 5678
Host B adds the new source address to this association and deletes Host B adds the new source address to this association and deletes
all other addresses from this association. all other addresses from this association.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
ASCONF ACK ASCONF ACK
192.0.2.2:1 <----------------- 203.0.113.129:2 192.0.2.2:1 <----------------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
ASCONF ACK ASCONF ACK
10.1.0.1:1 <---------- 203.0.113.129:2 10.1.0.1:1 <---------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
DATA DATA
10.0.0.1:1 ----------> 203.0.113.1:2 10.0.0.1:1 ----------> 203.0.113.1:2
Ext-VTag = 5678 Rem-VTag = 5678
DATA DATA
192.0.2.2:1 -----------------> 203.0.113.129:2 192.0.2.2:1 -----------------> 203.0.113.129:2
Ext-VTag = 5678 Rem-VTag = 5678
7.5. Peer-to-Peer Communication 7.5. Peer-to-Peer Communication
If two hosts are behind NAT devices and want to communicate with each If two hosts, each of them behind a NAT function, want to communicate
other, they have to get knowledge of the peer's public address. This with each other, they have to get knowledge of the peer's external
can be achieved with a so-called rendezvous server. Afterwards the address. This can be achieved with a so-called rendezvous server.
destination addresses are public, and the association is set up with Afterwards the destination addresses are external, and the
the help of the INIT collision. The NAT devices create their entries association is set up with the help of the INIT collision. The NAT
according to their internal peer's point of view. Therefore, NAT A's functions create their entries according to their internal peer's
Internal-VTag and Internal-Port are NAT B's External-VTag and point of view. Therefore, NAT function A's Internal-VTag and
External-Port, respectively. The naming (internal/external) of the Internal-Port are NAT function B's Remote-VTag and Remote-Port,
verification tag in the packet flow is done from the sending host's respectively. The naming (internal/remote) of the verification tag
point of view. in the packet flow is done from the sending host's point of view.
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
NAT Binding Tables NAT Binding Tables
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT A | Int | Int | Ext | Ext | Priv | NAT A | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT B | Int | Int | Ext | Ext | Priv | NAT B | Int | Int | Rem | Rem | Int |
| v-tag | port | v-tag | port | Addr | | v-tag | port | v-tag | port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
10.0.0.1:1 --> 203.0.113.1:2 10.0.0.1:1 --> 203.0.113.1:2
Ext-VTag = 0 Rem-VTag = 0
NAT A creates entry: NAT function A creates entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT A | Int | Int | Ext | Ext | Priv | NAT A | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 0 | 2 | 10.0.0.1 | | 1234 | 1 | 0 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
192.0.2.1:1 ----------------> 203.0.113.1:2 192.0.2.1:1 ----------------> 203.0.113.1:2
Ext-VTag = 0 Rem-VTag = 0
NAT B processes INIT, but cannot find an entry. The SCTP packet is NAT function B processes the packet containing the INIT chunk, but
silently discarded and leaves the NAT binding table of NAT B cannot find an entry. The SCTP packet is silently discarded and
unchanged. leaves the NAT binding table of NAT function B unchanged.
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT B | Int | Int | Ext | Ext | Priv | NAT B | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
Now Host B sends INIT, which is processed by NAT B. Its parameters Now Host B sends a packet containing an INIT chunk, which is
are used to create an entry. processed by NAT function B. Its parameters are used to create an
entry.
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
INIT[Initiate-Tag = 5678] INIT[Initiate-Tag = 5678]
192.0.2.1:1 <-- 10.1.0.1:2 192.0.2.1:1 <-- 10.1.0.1:2
Ext-VTag = 0 Rem-VTag = 0
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT B | Int | Int | Priv | Ext | Ext | NAT B | Int | Int | Rem | Rem | Int |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 5678 | 2 | 10.1.0.1 | 0 | 1 | | 5678 | 2 | 0 | 1 | 10.1.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 5678] INIT[Initiate-Tag = 5678]
192.0.2.1:1 <--------------- 203.0.113.1:2 192.0.2.1:1 <--------------- 203.0.113.1:2
Ext-VTag = 0 Rem-VTag = 0
NAT A processes INIT. As the outgoing INIT of Host A has already NAT function A processes the packet containing the INIT chunk. As
the outgoing packet containing an INIT chunk of Host A has already
created an entry, the entry is found and updated: created an entry, the entry is found and updated:
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
VTag != Int-VTag, but Ext-VTag == 0, find entry. VTag != Int-VTag, but Rem-VTag == 0, find entry.
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT A | Int | Int | Ext | Ext | Priv | NAT A | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-tag = 5678] INIT[Initiate-tag = 5678]
10.0.0.1:1 <-- 203.0.113.1:2 10.0.0.1:1 <-- 203.0.113.1:2
Ext-VTag = 0 Rem-VTag = 0
Host A sends INIT ACK, which can pass through NAT B: Host A sends a packet containing an INIT ACK chunk, which can pass
through NAT function B:
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
INIT ACK[Initiate-Tag = 1234] INIT ACK[Initiate-Tag = 1234]
10.0.0.1:1 --> 203.0.113.1:2 10.0.0.1:1 --> 203.0.113.1:2
Ext-VTag = 5678 Rem-VTag = 5678
INIT ACK[Initiate-Tag = 1234] INIT ACK[Initiate-Tag = 1234]
192.0.2.1:1 ----------------> 203.0.113.1:2 192.0.2.1:1 ----------------> 203.0.113.1:2
Ext-VTag = 5678 Rem-VTag = 5678
NAT B updates entry: NAT function B updates entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT B | Int | Int | Ext | Ext | Priv | NAT B | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 5678 | 2 | 1234 | 1 | 10.1.0.1 | | 5678 | 2 | 1234 | 1 | 10.1.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT ACK[Initiate-Tag = 1234] INIT ACK[Initiate-Tag = 1234]
192.0.2.1:1 --> 10.1.0.1:2 192.0.2.1:1 --> 10.1.0.1:2
Ext-VTag = 5678 Rem-VTag = 5678
The lookup for COOKIE ECHO and COOKIE ACK is successful. The lookup for COOKIE ECHO and COOKIE ACK is successful.
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
COOKIE ECHO COOKIE ECHO
192.0.2.1:1 <-- 10.1.0.1:2 192.0.2.1:1 <-- 10.1.0.1:2
Ext-VTag = 1234 Rem-VTag = 1234
COOKIE ECHO COOKIE ECHO
192.0.2.1:1 <------------- 203.0.113.1:2 192.0.2.1:1 <------------- 203.0.113.1:2
Ext-VTag = 1234 Rem-VTag = 1234
COOKIE ECHO COOKIE ECHO
10.0.0.1:1 <-- 203.0.113.1:2 10.0.0.1:1 <-- 203.0.113.1:2
Ext-VTag = 1234 Rem-VTag = 1234
COOKIE ACK COOKIE ACK
10.0.0.1:1 --> 203.0.113.1:2 10.0.0.1:1 --> 203.0.113.1:2
Ext-VTag = 5678 Rem-VTag = 5678
COOKIE ACK COOKIE ACK
192.0.2.1:1 ----------------> 203.0.113.1:2 192.0.2.1:1 ----------------> 203.0.113.1:2
Ext-VTag = 5678 Rem-VTag = 5678
COOKIE ACK COOKIE ACK
192.0.2.1:1 --> 10.1.0.1:2 192.0.2.1:1 --> 10.1.0.1:2
Ext-VTag = 5678 Rem-VTag = 5678
8. SCTP NAT YANG Module 8. SCTP NAT YANG Module
This section defines a YANG module for SCTP NAT. This section defines a YANG module for SCTP NAT.
The terminology for describing YANG data models is defined in The terminology for describing YANG data models is defined in
[RFC7950]. The meaning of the symbols in tree diagrams is defined in [RFC7950]. The meaning of the symbols in tree diagrams is defined in
[RFC8340]. [RFC8340].
8.1. Tree Structure 8.1. Tree Structure
skipping to change at page 37, line 14 skipping to change at page 39, line 14
The tree structure of the SCTP NAT YANG module is provided below: The tree structure of the SCTP NAT YANG module is provided below:
module: ietf-nat-sctp module: ietf-nat-sctp
augment /nat:nat/nat:instances/nat:instance augment /nat:nat/nat:instances/nat:instance
/nat:policy/nat:timers: /nat:policy/nat:timers:
+--rw sctp-timeout? uint32 +--rw sctp-timeout? uint32
augment /nat:nat/nat:instances/nat:instance augment /nat:nat/nat:instances/nat:instance
/nat:mapping-table/nat:mapping-entry: /nat:mapping-table/nat:mapping-entry:
+--rw int-VTag? uint32 {sctp-nat}? +--rw int-VTag? uint32 {sctp-nat}?
+--rw ext-VTag? uint32 {sctp-nat}? +--rw rem-VTag? uint32 {sctp-nat}?
Concretely, the SCTP NAT YANG module augments the NAT YANG module Concretely, the SCTP NAT YANG module augments the NAT YANG module
(policy, in particular) with the following: (policy, in particular) with the following:
* The sctp-timeout is used to control the SCTP inactivity timeout. * The sctp-timeout is used to control the SCTP inactivity timeout.
That is, the time an SCTP mapping will stay active without SCTP That is, the time an SCTP mapping will stay active without SCTP
packets traversing the NAT. This timeout can be set only for packets traversing the NAT. This timeout can be set only for
SCTP. Hence, "/nat:nat/nat:instances/nat:instance/nat:policy/ SCTP. Hence, "/nat:nat/nat:instances/nat:instance/nat:policy/
nat:transport-protocols/nat:protocol-id" MUST be set to '132' nat:transport-protocols/nat:protocol-id" MUST be set to '132'
(SCTP). (SCTP).
In addition, the SCTP NAT YANG module augments the mapping entry with In addition, the SCTP NAT YANG module augments the mapping entry with
the following parameters defined in Section 3. These parameters the following parameters defined in Section 3. These parameters
apply only for SCTP NAT mapping entries (i.e., apply only for SCTP NAT mapping entries (i.e.,
"/nat/instances/instance/mapping-table/mapping-entry/transport- "/nat/instances/instance/mapping-table/mapping-entry/transport-
protocol" MUST be set to '132'); protocol" MUST be set to '132');
* The Internal Verification Tag (Int-VTag) * The Internal Verification Tag (Int-VTag)
* The External Verification Tag (Ext-VTag) * The Remote Verification Tag (Rem-VTag)
8.2. YANG Module 8.2. YANG Module
<CODE BEGINS> <CODE BEGINS> file "ietf-nat-sctp@2020-07-13.yang"
module ietf-nat-sctp { module ietf-nat-sctp {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-nat-sctp"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat-sctp";
prefix nat-sctp; prefix nat-sctp;
import ietf-nat { import ietf-nat {
prefix nat; prefix nat;
reference reference
"RFC 8512: A YANG Module for Network Address Translation "RFC 8512: A YANG Module for Network Address Translation
(NAT) and Network Prefix Translation (NPT)"; (NAT) and Network Prefix Translation (NPT)";
skipping to change at page 38, line 18 skipping to change at page 40, line 18
Author: Mohamed Boucadair Author: Mohamed Boucadair
<mailto:mohamed.boucadair@orange.com>"; <mailto:mohamed.boucadair@orange.com>";
description description
"This module augments NAT YANG module with Stream Control "This module augments NAT YANG module with Stream Control
Transmission Protocol (SCTP) specifics. The extension supports Transmission Protocol (SCTP) specifics. The extension supports
both a classical SCTP NAT (that is, rewrite port numbers) both a classical SCTP NAT (that is, rewrite port numbers)
and a, SCTP-specific variant where the ports numbers are and a, SCTP-specific variant where the ports numbers are
not altered. not altered.
Copyright (c) 2019 IETF Trust and the persons identified as Copyright (c) 2020 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
skipping to change at page 39, line 30 skipping to change at page 41, line 30
if-feature "sctp-nat"; if-feature "sctp-nat";
description description
"Extends the mapping entry with SCTP specifics."; "Extends the mapping entry with SCTP specifics.";
leaf int-VTag { leaf int-VTag {
type uint32; type uint32;
description description
"The Internal Verification Tag that the internal "The Internal Verification Tag that the internal
host has chosen for this communication."; host has chosen for this communication.";
} }
leaf ext-VTag { leaf rem-VTag {
type uint32; type uint32;
description description
"The External Verification Tag that the remote "The Remote Verification Tag that the remote
peer has chosen for this communication."; peer has chosen for this communication.";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
9. Socket API Considerations 9. Socket API Considerations
This section describes how the socket API defined in [RFC6458] is This section describes how the socket API defined in [RFC6458] is
extended to provide a way for the application to control NAT extended to provide a way for the application to control NAT
skipping to change at page 40, line 17 skipping to change at page 42, line 17
This socket option uses the option_level IPPROTO_SCTP and the This socket option uses the option_level IPPROTO_SCTP and the
option_name SCTP_NAT_FRIENDLY. It can be used to enable/disable the option_name SCTP_NAT_FRIENDLY. It can be used to enable/disable the
NAT friendliness for future associations and retrieve the value for NAT friendliness for future associations and retrieve the value for
future and specific ones. future and specific ones.
struct sctp_assoc_value { struct sctp_assoc_value {
sctp_assoc_t assoc_id; sctp_assoc_t assoc_id;
uint32_t assoc_value; uint32_t assoc_value;
}; };
assoc_id This parameter is ignored for one-to-one style sockets. assoc_id
For one-to-many style sockets the application may fill in an This parameter is ignored for one-to-one style sockets. For one-
association identifier or SCTP_FUTURE_ASSOC for this query. It is to-many style sockets the application may fill in an association
an error to use SCTP_{CURRENT|ALL}_ASSOC in assoc_id. identifier or SCTP_FUTURE_ASSOC for this query. It is an error to
use SCTP_{CURRENT|ALL}_ASSOC in assoc_id.
assoc_value A non-zero value indicates a NAT-friendly mode. assoc_value
A non-zero value indicates a NAT-friendly mode.
10. IANA Considerations 10. IANA Considerations
[NOTE to RFC-Editor: "RFCXXXX" is to be replaced by the RFC number [NOTE to RFC-Editor: "RFCXXXX" is to be replaced by the RFC number
you assign this document.] you assign this document.]
[NOTE to RFC-Editor: The requested values for the chunk type and the [NOTE to RFC-Editor: The requested values for the chunk type and the
chunk parameter types are tentative and to be confirmed by IANA.] chunk parameter types are tentative and to be confirmed by IANA.]
This document (RFCXXXX) is the reference for all registrations This document (RFCXXXX) is the reference for all registrations
skipping to change at page 41, line 4 skipping to change at page 43, line 4
10.1. New Chunk Flags for Two Existing Chunk Types 10.1. New Chunk Flags for Two Existing Chunk Types
As defined in [RFC6096] two chunk flags have to be assigned by IANA As defined in [RFC6096] two chunk flags have to be assigned by IANA
for the ERROR chunk. The requested value for the T bit is 0x01 and for the ERROR chunk. The requested value for the T bit is 0x01 and
for the M bit is 0x02. for the M bit is 0x02.
This requires an update of the "ERROR Chunk Flags" registry for SCTP: This requires an update of the "ERROR Chunk Flags" registry for SCTP:
ERROR Chunk Flags ERROR Chunk Flags
+------------------+-----------------+-----------+ +==================+=================+===========+
| Chunk Flag Value | Chunk Flag Name | Reference | | Chunk Flag Value | Chunk Flag Name | Reference |
+==================+=================+===========+ +==================+=================+===========+
| 0x01 | T bit | [RFCXXXX] | | 0x01 | T bit | [RFCXXXX] |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
| 0x02 | M bit | [RFCXXXX] | | 0x02 | M bit | [RFCXXXX] |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
| 0x04 | Unassigned | | | 0x04 | Unassigned | |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
| 0x08 | Unassigned | | | 0x08 | Unassigned | |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
skipping to change at page 42, line 4 skipping to change at page 44, line 4
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
Table 2 Table 2
As defined in [RFC6096] one chunk flag has to be assigned by IANA for As defined in [RFC6096] one chunk flag has to be assigned by IANA for
the ABORT chunk. The requested value of the M bit is 0x02. the ABORT chunk. The requested value of the M bit is 0x02.
This requires an update of the "ABORT Chunk Flags" registry for SCTP: This requires an update of the "ABORT Chunk Flags" registry for SCTP:
ABORT Chunk Flags ABORT Chunk Flags
+------------------+-----------------+-----------+ +==================+=================+===========+
| Chunk Flag Value | Chunk Flag Name | Reference | | Chunk Flag Value | Chunk Flag Name | Reference |
+==================+=================+===========+ +==================+=================+===========+
| 0x01 | T bit | [RFC4960] | | 0x01 | T bit | [RFC4960] |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
| 0x02 | M bit | [RFCXXXX] | | 0x02 | M bit | [RFCXXXX] |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
| 0x04 | Unassigned | | | 0x04 | Unassigned | |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
| 0x08 | Unassigned | | | 0x08 | Unassigned | |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
skipping to change at page 42, line 36 skipping to change at page 44, line 36
10.2. Three New Error Causes 10.2. Three New Error Causes
Three error causes have to be assigned by IANA. It is requested to Three error causes have to be assigned by IANA. It is requested to
use the values given below. use the values given below.
This requires three additional lines in the "Error Cause Codes" This requires three additional lines in the "Error Cause Codes"
registry for SCTP: registry for SCTP:
Error Cause Codes Error Cause Codes
+-------+--------------------------------+-----------+ +=======+================================+===========+
| Value | Cause Code | Reference | | Value | Cause Code | Reference |
+=======+================================+===========+ +=======+================================+===========+
| 176 | VTag and Port Number Collision | [RFCXXXX] | | 176 | VTag and Port Number Collision | [RFCXXXX] |
+-------+--------------------------------+-----------+ +-------+--------------------------------+-----------+
| 177 | Missing State | [RFCXXXX] | | 177 | Missing State | [RFCXXXX] |
+-------+--------------------------------+-----------+ +-------+--------------------------------+-----------+
| 178 | Port Number Collision | [RFCXXXX] | | 178 | Port Number Collision | [RFCXXXX] |
+-------+--------------------------------+-----------+ +-------+--------------------------------+-----------+
Table 4 Table 4
skipping to change at page 43, line 17 skipping to change at page 45, line 17
Two chunk parameter types have to be assigned by IANA. It is Two chunk parameter types have to be assigned by IANA. It is
requested to use the values given below. IANA should assign these requested to use the values given below. IANA should assign these
values from the pool of parameters with the upper two bits set to values from the pool of parameters with the upper two bits set to
'11'. '11'.
This requires two additional lines in the "Chunk Parameter Types" This requires two additional lines in the "Chunk Parameter Types"
registry for SCTP: registry for SCTP:
Chunk Parameter Types Chunk Parameter Types
+----------+--------------------------+-----------+ +==========+==========================+===========+
| ID Value | Chunk Parameter Type | Reference | | ID Value | Chunk Parameter Type | Reference |
+==========+==========================+===========+ +==========+==========================+===========+
| 49159 | Disable Restart (0xC007) | [RFCXXXX] | | 49159 | Disable Restart (0xC007) | [RFCXXXX] |
+----------+--------------------------+-----------+ +----------+--------------------------+-----------+
| 49160 | VTags (0xC008) | [RFCXXXX] | | 49160 | VTags (0xC008) | [RFCXXXX] |
+----------+--------------------------+-----------+ +----------+--------------------------+-----------+
Table 5 Table 5
10.4. One New URI 10.4. One New URI
skipping to change at page 43, line 49 skipping to change at page 45, line 49
"YANG Parameters" registry has to be assigned by IANA ([RFC6020]): "YANG Parameters" registry has to be assigned by IANA ([RFC6020]):
Name: ietf-nat-sctp Name: ietf-nat-sctp
Namespace: urn:ietf:params:xml:ns:yang:ietf-nat-sctp Namespace: urn:ietf:params:xml:ns:yang:ietf-nat-sctp
Maintained by IANA: N Maintained by IANA: N
Prefix: nat-sctp Prefix: nat-sctp
Reference: RFCXXXX Reference: RFCXXXX
11. Security Considerations 11. Security Considerations
State maintenance within a NAT is always a subject of possible Denial State maintenance within a NAT function is always a subject of
Of Service attacks. This document recommends that at a minimum a NAT possible Denial Of Service attacks. This document recommends that at
runs a timer on any SCTP state so that old association state can be a minimum a NAT function runs a timer on any SCTP state so that old
cleaned up. association state can be cleaned up.
Generic issues related to address sharing are discussed in [RFC6269] Generic issues related to address sharing are discussed in [RFC6269]
and apply to SCTP as well. and apply to SCTP as well.
For SCTP endpoints, this document does not add any additional For SCTP endpoints not disabling the restart procedure, this document
security considerations to the ones given in [RFC4960], [RFC4895], does not add any additional security considerations to the ones given
and [RFC5061]. In particular, SCTP is protected by the verification in [RFC4960], [RFC4895], and [RFC5061].
tags and the usage of [RFC4895] against off-path attackers.
SCTP endpoints disabling the restart procedure, should monitor the
status of all associations to mitigate resource exhaustion attacks by
establishing a lot of associations sharing the same IP addresses and
port numbers.
In any case, SCTP is protected by the verification tags and the usage
of [RFC4895] against off-path attackers.
The YANG module specified in this document defines a schema for data The YANG module specified in this document defines a schema for data
that is designed to be accessed via network management protocols such that is designed to be accessed via network management protocols such
as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer
is the secure transport layer, and the mandatory-to-implement secure is the secure transport layer, and the mandatory-to-implement secure
transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer
is HTTPS, and the mandatory-to-implement secure transport is TLS is HTTPS, and the mandatory-to-implement secure transport is TLS
[RFC8446]. [RFC8446].
The Network Configuration Access Control Model (NACM) [RFC8341] The Network Configuration Access Control Model (NACM) [RFC8341]
skipping to change at page 44, line 38 skipping to change at page 46, line 45
considered sensitive. Write operations (e.g., edit-config) applied considered sensitive. Write operations (e.g., edit-config) applied
to these data nodes without proper protection can negatively affect to these data nodes without proper protection can negatively affect
network operations. An attacker who is able to access the SCTP NAT network operations. An attacker who is able to access the SCTP NAT
function can undertake various attacks, such as: function can undertake various attacks, such as:
* Setting a low timeout for SCTP mapping entries to cause failures * Setting a low timeout for SCTP mapping entries to cause failures
to deliver incoming SCTP packets. to deliver incoming SCTP packets.
* Instantiating mapping entries to cause NAT collision. * Instantiating mapping entries to cause NAT collision.
12. Acknowledgments 12. Normative References
The authors wish to thank Mohamed Boucadair, Gorry Fairhurst, Bryan
Ford, David Hayes, Alfred Hines, Karen E. E. Nielsen, Henning
Peters, Maksim Proshin, Timo Voelker, Dan Wing, and Qiaobing Xie for
their invaluable comments.
In addition, the authors wish to thank David Hayes, Jason But, and
Grenville Armitage, the authors of [DOI_10.1145_1496091.1496095], for
their suggestions.
The authors also wish to thank Mohamed Boucadair for contributing the
text related to the YANG module.
13. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
skipping to change at page 46, line 24 skipping to change at page 48, line 20
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8512] Boucadair, M., Ed., Sivakumar, S., Jacquenet, C., [RFC8512] Boucadair, M., Ed., Sivakumar, S., Jacquenet, C.,
Vinapamula, S., and Q. Wu, "A YANG Module for Network Vinapamula, S., and Q. Wu, "A YANG Module for Network
Address Translation (NAT) and Network Prefix Translation Address Translation (NAT) and Network Prefix Translation
(NPT)", RFC 8512, DOI 10.17487/RFC8512, January 2019, (NPT)", RFC 8512, DOI 10.17487/RFC8512, January 2019,
<https://www.rfc-editor.org/info/rfc8512>. <https://www.rfc-editor.org/info/rfc8512>.
14. Informative References 13. Informative References
[DOI_10.1145_1496091.1496095] [DOI_10.1145_1496091.1496095]
Hayes, D., But, J., and G. Armitage, "Issues with network Hayes, D., But, J., and G. Armitage, "Issues with network
address translation for SCTP", ACM SIGCOMM Computer address translation for SCTP", ACM SIGCOMM Computer
Communication Review Vol. 39, pp. 23, Communication Review Vol. 39, pp. 23-33,
DOI 10.1145/1496091.1496095, December 2008, DOI 10.1145/1496091.1496095, December 2008,
<https://doi.org/10.1145/1496091.1496095>. <https://doi.org/10.1145/1496091.1496095>.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981, RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>. <https://www.rfc-editor.org/info/rfc793>.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022,
DOI 10.17487/RFC3022, January 2001,
<https://www.rfc-editor.org/info/rfc3022>.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
April 2011, <https://www.rfc-editor.org/info/rfc6146>.
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
P. Roberts, "Issues with IP Address Sharing", RFC 6269, P. Roberts, "Issues with IP Address Sharing", RFC 6269,
DOI 10.17487/RFC6269, June 2011, DOI 10.17487/RFC6269, June 2011,
<https://www.rfc-editor.org/info/rfc6269>. <https://www.rfc-editor.org/info/rfc6269>.
[RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
Stack Lite Broadband Deployments Following IPv4
Exhaustion", RFC 6333, DOI 10.17487/RFC6333, August 2011,
<https://www.rfc-editor.org/info/rfc6333>.
[RFC6458] Stewart, R., Tuexen, M., Poon, K., Lei, P., and V. [RFC6458] Stewart, R., Tuexen, M., Poon, K., Lei, P., and V.
Yasevich, "Sockets API Extensions for the Stream Control Yasevich, "Sockets API Extensions for the Stream Control
Transmission Protocol (SCTP)", RFC 6458, Transmission Protocol (SCTP)", RFC 6458,
DOI 10.17487/RFC6458, December 2011, DOI 10.17487/RFC6458, December 2011,
<https://www.rfc-editor.org/info/rfc6458>. <https://www.rfc-editor.org/info/rfc6458>.
[RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman, [RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
"Special-Purpose IP Address Registries", BCP 153, "Special-Purpose IP Address Registries", BCP 153,
RFC 6890, DOI 10.17487/RFC6890, April 2013, RFC 6890, DOI 10.17487/RFC6890, April 2013,
<https://www.rfc-editor.org/info/rfc6890>. <https://www.rfc-editor.org/info/rfc6890>.
skipping to change at page 47, line 19 skipping to change at page 49, line 30
<https://www.rfc-editor.org/info/rfc6951>. <https://www.rfc-editor.org/info/rfc6951>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>. <https://www.rfc-editor.org/info/rfc8340>.
Acknowledgments
The authors wish to thank Mohamed Boucadair, Gorry Fairhurst, Bryan
Ford, David Hayes, Alfred Hines, Karen E. E. Nielsen, Henning
Peters, Maksim Proshin, Timo Voelker, Dan Wing, and Qiaobing Xie for
their invaluable comments.
In addition, the authors wish to thank David Hayes, Jason But, and
Grenville Armitage, the authors of [DOI_10.1145_1496091.1496095], for
their suggestions.
The authors also wish to thank Mohamed Boucadair for contributing the
text related to the YANG module.
Authors' Addresses Authors' Addresses
Randall R. Stewart Randall R. Stewart
Netflix, Inc. Netflix, Inc.
Chapin, SC 29036 Chapin, SC 29036
United States of America United States of America
Email: randall@lakerest.net Email: randall@lakerest.net
Michael Tüxen
Michael Tuexen Münster University of Applied Sciences
Muenster University of Applied Sciences
Stegerwaldstrasse 39 Stegerwaldstrasse 39
48565 Steinfurt 48565 Steinfurt
Germany Germany
Email: tuexen@fh-muenster.de Email: tuexen@fh-muenster.de
Irene Ruengeler Irene Rüngeler
Muenster University of Applied Sciences Münster University of Applied Sciences
Stegerwaldstrasse 39 Stegerwaldstrasse 39
48565 Steinfurt 48565 Steinfurt
Germany Germany
Email: i.ruengeler@fh-muenster.de Email: i.ruengeler@fh-muenster.de
 End of changes. 242 change blocks. 
592 lines changed or deleted 665 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/