draft-ietf-tsvwg-natsupp-20.txt   draft-ietf-tsvwg-natsupp-21.txt 
Network Working Group R. R. Stewart Network Working Group R. R. Stewart
Internet-Draft Netflix, Inc. Internet-Draft Netflix, Inc.
Intended status: Standards Track M. Tüxen Intended status: Standards Track M. Tüxen
Expires: 29 January 2021 I. Rüngeler Expires: 5 May 2021 I. Rüngeler
Münster Univ. of Appl. Sciences Münster Univ. of Appl. Sciences
28 July 2020 1 November 2020
Stream Control Transmission Protocol (SCTP) Network Address Translation Stream Control Transmission Protocol (SCTP) Network Address Translation
Support Support
draft-ietf-tsvwg-natsupp-20 draft-ietf-tsvwg-natsupp-21
Abstract Abstract
The Stream Control Transmission Protocol (SCTP) provides a reliable The Stream Control Transmission Protocol (SCTP) provides a reliable
communications channel between two end-hosts in many ways similar to communications channel between two end-hosts in many ways similar to
the Transmission Control Protocol (TCP). With the widespread the Transmission Control Protocol (TCP). With the widespread
deployment of Network Address Translators (NAT), specialized code has deployment of Network Address Translators (NAT), specialized code has
been added to NAT functions for TCP that allows multiple hosts to been added to NAT functions for TCP that allows multiple hosts to
reside behind a NAT function and yet share a single IPv4 address, reside behind a NAT function and yet share a single IPv4 address,
even when two hosts (behind a NAT function) choose the same port even when two hosts (behind a NAT function) choose the same port
numbers for their connection. This additional code is sometimes numbers for their connection. This additional code is sometimes
classified as Network Address and Port Translation (NAPT). classified as Network Address and Port Translation (NAPT).
This document describes the protocol extensions required for the SCTP This document describes the protocol extensions needed for the SCTP
endpoints and the mechanisms for NAT functions necessary to provide endpoints and the mechanisms for NAT functions necessary to provide
similar features of NAPT in the single point and multi point similar features of NAPT in the single point and multipoint traversal
traversal scenario. scenario.
Finally, a YANG module for SCTP NAT is defined. Finally, a YANG module for SCTP NAT is defined.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 29 January 2021. This Internet-Draft will expire on 5 May 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 6 4. Motivation and Overview . . . . . . . . . . . . . . . . . . . 6
4.1. SCTP NAT Traversal Scenarios . . . . . . . . . . . . . . 6 4.1. SCTP NAT Traversal Scenarios . . . . . . . . . . . . . . 6
4.1.1. Single Point Traversal . . . . . . . . . . . . . . . 7 4.1.1. Single Point Traversal . . . . . . . . . . . . . . . 7
4.1.2. Multi Point Traversal . . . . . . . . . . . . . . . . 7 4.1.2. Multipoint Traversal . . . . . . . . . . . . . . . . 7
4.2. Limitations of Classical NAPT for SCTP . . . . . . . . . 8 4.2. Limitations of Classical NAPT for SCTP . . . . . . . . . 8
4.3. The SCTP-Specific Variant of NAT . . . . . . . . . . . . 8 4.3. The SCTP-Specific Variant of NAT . . . . . . . . . . . . 8
5. Data Formats . . . . . . . . . . . . . . . . . . . . . . . . 13 5. Data Formats . . . . . . . . . . . . . . . . . . . . . . . . 13
5.1. Modified Chunks . . . . . . . . . . . . . . . . . . . . . 13 5.1. Modified Chunks . . . . . . . . . . . . . . . . . . . . . 13
5.1.1. Extended ABORT Chunk . . . . . . . . . . . . . . . . 13 5.1.1. Extended ABORT Chunk . . . . . . . . . . . . . . . . 13
5.1.2. Extended ERROR Chunk . . . . . . . . . . . . . . . . 13 5.1.2. Extended ERROR Chunk . . . . . . . . . . . . . . . . 14
5.2. New Error Causes . . . . . . . . . . . . . . . . . . . . 14 5.2. New Error Causes . . . . . . . . . . . . . . . . . . . . 14
5.2.1. VTag and Port Number Collision Error Cause . . . . . 14 5.2.1. VTag and Port Number Collision Error Cause . . . . . 14
5.2.2. Missing State Error Cause . . . . . . . . . . . . . . 14 5.2.2. Missing State Error Cause . . . . . . . . . . . . . . 15
5.2.3. Port Number Collision Error Cause . . . . . . . . . . 15 5.2.3. Port Number Collision Error Cause . . . . . . . . . . 15
5.3. New Parameters . . . . . . . . . . . . . . . . . . . . . 16 5.3. New Parameters . . . . . . . . . . . . . . . . . . . . . 16
5.3.1. Disable Restart Parameter . . . . . . . . . . . . . . 16 5.3.1. Disable Restart Parameter . . . . . . . . . . . . . . 16
5.3.2. VTags Parameter . . . . . . . . . . . . . . . . . . . 16 5.3.2. VTags Parameter . . . . . . . . . . . . . . . . . . . 17
6. Procedures for SCTP Endpoints and NAT Functions . . . . . . . 18 6. Procedures for SCTP Endpoints and NAT Functions . . . . . . . 18
6.1. Association Setup Considerations for Endpoints . . . . . 18 6.1. Association Setup Considerations for Endpoints . . . . . 19
6.2. Handling of Internal Port Number and Verification Tag 6.2. Handling of Internal Port Number and Verification Tag
Collisions . . . . . . . . . . . . . . . . . . . . . . . 19 Collisions . . . . . . . . . . . . . . . . . . . . . . . 19
6.2.1. NAT Function Considerations . . . . . . . . . . . . . 19 6.2.1. NAT Function Considerations . . . . . . . . . . . . . 19
6.2.2. Endpoint Considerations . . . . . . . . . . . . . . . 20 6.2.2. Endpoint Considerations . . . . . . . . . . . . . . . 20
6.3. Handling of Internal Port Number Collisions . . . . . . . 20 6.3. Handling of Internal Port Number Collisions . . . . . . . 20
6.3.1. NAT Function Considerations . . . . . . . . . . . . . 20 6.3.1. NAT Function Considerations . . . . . . . . . . . . . 20
6.3.2. Endpoint Considerations . . . . . . . . . . . . . . . 21 6.3.2. Endpoint Considerations . . . . . . . . . . . . . . . 21
6.4. Handling of Missing State . . . . . . . . . . . . . . . . 21 6.4. Handling of Missing State . . . . . . . . . . . . . . . . 21
6.4.1. NAT Function Considerations . . . . . . . . . . . . . 21 6.4.1. NAT Function Considerations . . . . . . . . . . . . . 22
6.4.2. Endpoint Considerations . . . . . . . . . . . . . . . 22 6.4.2. Endpoint Considerations . . . . . . . . . . . . . . . 22
6.5. Handling of Fragmented SCTP Packets by NAT Functions . . 23 6.5. Handling of Fragmented SCTP Packets by NAT Functions . . 24
6.6. Multi Point Traversal Considerations for Endpoints . . . 24 6.6. Multi Point Traversal Considerations for Endpoints . . . 24
7. Various Examples of NAT Traversals . . . . . . . . . . . . . 24 7. Various Examples of NAT Traversals . . . . . . . . . . . . . 24
7.1. Single-homed Client to Single-homed Server . . . . . . . 24 7.1. Single-homed Client to Single-homed Server . . . . . . . 24
7.2. Single-homed Client to Multi-homed Server . . . . . . . . 26 7.2. Single-homed Client to Multi-homed Server . . . . . . . . 27
7.3. Multihomed Client and Server . . . . . . . . . . . . . . 28 7.3. Multihomed Client and Server . . . . . . . . . . . . . . 29
7.4. NAT Function Loses Its State . . . . . . . . . . . . . . 31 7.4. NAT Function Loses Its State . . . . . . . . . . . . . . 32
7.5. Peer-to-Peer Communication . . . . . . . . . . . . . . . 33 7.5. Peer-to-Peer Communications . . . . . . . . . . . . . . . 34
8. SCTP NAT YANG Module . . . . . . . . . . . . . . . . . . . . 38 8. SCTP NAT YANG Module . . . . . . . . . . . . . . . . . . . . 39
8.1. Tree Structure . . . . . . . . . . . . . . . . . . . . . 38 8.1. Tree Structure . . . . . . . . . . . . . . . . . . . . . 39
8.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 39 8.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 40
9. Socket API Considerations . . . . . . . . . . . . . . . . . . 41 9. Socket API Considerations . . . . . . . . . . . . . . . . . . 42
9.1. Get or Set the NAT Friendliness (SCTP_NAT_FRIENDLY) . . . 42 9.1. Get or Set the NAT Friendliness (SCTP_NAT_FRIENDLY) . . . 43
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43
10.1. New Chunk Flags for Two Existing Chunk Types . . . . . . 42 10.1. New Chunk Flags for Two Existing Chunk Types . . . . . . 43
10.2. Three New Error Causes . . . . . . . . . . . . . . . . . 44 10.2. Three New Error Causes . . . . . . . . . . . . . . . . . 45
10.3. Two New Chunk Parameter Types . . . . . . . . . . . . . 45 10.3. Two New Chunk Parameter Types . . . . . . . . . . . . . 46
10.4. One New URI . . . . . . . . . . . . . . . . . . . . . . 45 10.4. One New URI . . . . . . . . . . . . . . . . . . . . . . 46
10.5. One New YANG Module . . . . . . . . . . . . . . . . . . 45 10.5. One New YANG Module . . . . . . . . . . . . . . . . . . 46
11. Security Considerations . . . . . . . . . . . . . . . . . . . 45 11. Security Considerations . . . . . . . . . . . . . . . . . . . 46
12. Normative References . . . . . . . . . . . . . . . . . . . . 46 12. Normative References . . . . . . . . . . . . . . . . . . . . 47
13. Informative References . . . . . . . . . . . . . . . . . . . 48 13. Informative References . . . . . . . . . . . . . . . . . . . 49
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 49 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 51
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 50 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 51
1. Introduction 1. Introduction
Stream Control Transmission Protocol (SCTP) [RFC4960] provides a Stream Control Transmission Protocol (SCTP) [RFC4960] provides a
reliable communications channel between two end-hosts in many ways reliable communications channel between two end-hosts in many ways
similar to TCP [RFC0793]. With the widespread deployment of Network similar to TCP [RFC0793]. With the widespread deployment of Network
Address Translators (NAT), specialized code has been added to NAT Address Translators (NAT), specialized code has been added to NAT
functions for TCP that allows multiple hosts to reside behind a NAT functions for TCP that allows multiple hosts to reside behind a NAT
functions using internal addresses (see [RFC6890]) and yet share function using private-use addresses (see [RFC6890]) and yet share a
single IPv4 address, even when two hosts (behind a NAT function) single IPv4 address, even when two hosts (behind a NAT function)
choose the same port numbers for their connection. This additional choose the same port numbers for their connection. This additional
code is sometimes classified as Network Address and Port Translation code is sometimes classified as Network Address and Port Translation
(NAPT). Please note that this document focuses on the case where the (NAPT). Please note that this document focuses on the case where the
NAT function maps a single or multiple internal addresses to a single NAT function maps a single or multiple internal addresses to a single
external address and vice versa. To date, specialized code for SCTP external address and vice versa.
has not yet been added to most NAT functions so that only a
translation of IP addresses is supported. The end result of this is To date, specialized code for SCTP has not yet been added to most NAT
that only one SCTP-capable host can successfully operate behind such functions so that only a translation of IP addresses is supported.
a NAT function and this host can only be single-homed. The only The end result of this is that only one SCTP-capable host can
alternative for supporting legacy NAT functions is to use UDP successfully operate behind such a NAT function and this host can
encapsulation as specified in [RFC6951]. only be single-homed. The only alternative for supporting legacy NAT
functions is to use UDP encapsulation as specified in [RFC6951].
The NAT function in the document refers to NAPT functions described The NAT function in the document refers to NAPT functions described
in Section 2.2 of [RFC3022], NAT64 [RFC6146], or DS-Lite [RFC6333]. in Section 2.2 of [RFC3022], NAT64 [RFC6146], or DS-Lite AFTR
[RFC6333].
This document specifies procedures allowing a NAT function to support This document specifies procedures allowing a NAT function to support
SCTP by providing similar features to those provided by a NAPT for SCTP by providing similar features to those provided by a NAPT for
TCP and other supported protocols. The document also specifies a set TCP (see [RFC5382] and [RFC7857]), UDP (see [RFC4787] and [RFC7857]),
of data formats for SCTP packets and a set of SCTP endpoint and ICMP (see [RFC5508] and [RFC7857]). This document also specifies
a set of data formats for SCTP packets and a set of SCTP endpoint
procedures to support NAT traversal. An SCTP implementation procedures to support NAT traversal. An SCTP implementation
supporting these procedures can assure that in both single-homed and supporting these procedures can assure that in both single-homed and
multi-homed cases a NAT function will maintain the appropriate state multi-homed cases a NAT function will maintain the appropriate state
without the NAT function needing to change port numbers. without the NAT function needing to change port numbers.
It is possible and desirable to make these changes for a number of It is possible and desirable to make these changes for a number of
reasons: reasons:
* It is desirable for SCTP internal end-hosts on multiple platforms * It is desirable for SCTP internal end-hosts on multiple platforms
to be able to share a NAT function's external IP address in the to be able to share a NAT function's external IP address in the
same way that a TCP session can use a NAT function. same way that a TCP session can use a NAT function.
* If a NAT function does not need to change any data within an SCTP * If a NAT function does not need to change any data within an SCTP
packet it will reduce the processing burden of NAT'ing SCTP by not packet, it will reduce the processing burden of NAT'ing SCTP by
needing to execute the CRC32c checksum required by SCTP. not needing to execute the CRC32c checksum used by SCTP.
* Not having to touch the IP payload makes the processing of ICMP * Not having to touch the IP payload makes the processing of ICMP
messages in NAT functions easier. messages by NAT functions easier.
An SCTP-aware NAT function will need to follow these procedures for An SCTP-aware NAT function will need to follow these procedures for
generating appropriate SCTP packet formats. generating appropriate SCTP packet formats.
When considering this feature it is possible to have multiple levels When considering SCTP-aware NAT it is possible to have multiple
of support. At each level, the Internal Host, Remote Host and NAT levels of support. At each level, the Internal Host, Remote Host,
function may or may not support the features described in this and NAT function does or does not support the procedures described in
document. The following table illustrates the results of the various this document. The following table illustrates the results of the
combinations of support and if communications can occur between two various combinations of support and if communications can occur
endpoints. between two endpoints.
+===============+==============+=============+===============+ +===============+==============+=============+===============+
| Internal Host | NAT Function | Remote Host | Communication | | Internal Host | NAT Function | Remote Host | Communication |
+===============+==============+=============+===============+ +===============+==============+=============+===============+
| Support | Support | Support | Yes | | Support | Support | Support | Yes |
+---------------+--------------+-------------+---------------+ +---------------+--------------+-------------+---------------+
| Support | Support | No Support | Limited | | Support | Support | No Support | Limited |
+---------------+--------------+-------------+---------------+ +---------------+--------------+-------------+---------------+
| Support | No Support | Support | None | | Support | No Support | Support | None |
+---------------+--------------+-------------+---------------+ +---------------+--------------+-------------+---------------+
skipping to change at page 5, line 28 skipping to change at page 5, line 28
| No Support | Support | No Support | Limited | | No Support | Support | No Support | Limited |
+---------------+--------------+-------------+---------------+ +---------------+--------------+-------------+---------------+
| No Support | No Support | Support | None | | No Support | No Support | Support | None |
+---------------+--------------+-------------+---------------+ +---------------+--------------+-------------+---------------+
| No Support | No Support | No Support | None | | No Support | No Support | No Support | None |
+---------------+--------------+-------------+---------------+ +---------------+--------------+-------------+---------------+
Table 1: Communication possibilities Table 1: Communication possibilities
From the table it can be seen that when a NAT function does not From the table it can be seen that when a NAT function does not
support the extension no communication can occur. This assumes that support SCTP-aware NAT no communication can occur. This assumes that
the NAT function does not handle SCTP packets at all and all SCTP the NAT function does not handle SCTP packets at all and all SCTP
packets sent externally from behind a NAT function are discarded by packets sent from behind a NAT function are discarded by the NAT
the NAT function. In some cases, where the NAT function supports the function. In some cases, where the NAT function supports SCTP-aware
feature but one of the two hosts does not support the feature, NAT but one of the two hosts does not support the feature,
communication may occur but in a limited way. For example only one communication possibly occurs but in a limited way. For example only
host may be able to have a connection when a collision case occurs. one host can have a connection when a collision case occurs.
2. Conventions 2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. Terminology 3. Terminology
This document uses the following terms, which are depicted in This document uses the following terms, which are depicted in
Figure 1. Familiarity with the terminology used in [RFC4960] and Figure 1. Familiarity with the terminology used in [RFC4960] and
[RFC5061] is assumed. [RFC5061] is assumed.
Internal-Address (Int-Addr) Internal-Address (Int-Addr)
The internal address that is known to the internal host. An internal address that is known to the internal host.
Internal-Port (Int-Port) Internal-Port (Int-Port)
The port number that is in use by the host holding the Internal- The port number that is in use by the host holding the Internal-
Address. Address.
Internal-VTag (Int-VTag) Internal-VTag (Int-VTag)
The SCTP Verification Tag (VTag) (see Section 3.1 of [RFC4960]) The SCTP Verification Tag (VTag) (see Section 3.1 of [RFC4960])
that the internal host has chosen for its communication. The VTag that the internal host has chosen for an association. The VTag is
is a unique 32-bit tag that must accompany any incoming SCTP a unique 32-bit tag that accompanies any incoming SCTP packet for
packet for this association to the Internal-Address. this association to the Internal-Address.
Remote-Address (Rem-Addr) Remote-Address (Rem-Addr)
The address that an internal host is attempting to contact. The address that an internal host is attempting to contact.
Remote-Port (Rem-Port) Remote-Port (Rem-Port)
The port number of the peer process at the Remote-Address. The port number used by the host holding the Remote-Address.
Remote-VTag (Rem-VTag) Remote-VTag (Rem-VTag)
The Verification Tag (VTag) (see Section 3.1 of [RFC4960]) that The Verification Tag (VTag) (see Section 3.1 of [RFC4960]) that
the host holding the Remote-Address has chosen for its the host holding the Remote-Address has chosen for an association.
communication. The VTag is a unique 32-bit tag that must The VTag is a unique 32-bit tag that accompanies any outgoing SCTP
accompany any incoming SCTP packet for this association to the packet for this association to the Remote-Address.
Remote-Address.
External-Address (Ext-Addr) External-Address (Ext-Addr)
The external address assigned to the NAT function, that it uses as An external address assigned to the NAT function, that it uses as
a source address when sending packets towards the Remote-Address. a source address when sending packets towards a Remote-Address.
Internal Network | External Network Internal Network | External Network
| |
Internal | External Remote Internal | External Remote
+--------+ Address | Address /--\/--\ Address +--------+ Address | Address /--\/--\ Address
| SCTP | +-----+ / \ | SCTP | +--------+ +-----+ / \ +--------+
|endpoint|=========| NAT |=======| Internet |==========|endpoint| | Host A |=========| NAT |=======| Network |==========| Host B |
| A | +-----+ \ / | B | +--------+ +-----+ \ / +--------+
+--------+ Internal | \--/\--/ Remote +--------+ Internal | \--/\--/ Remote
Internal Port | Port Remote Internal Port | Port Remote
VTag | VTag VTag | VTag
Figure 1: Basic network setup Figure 1: Basic Network Setup
4. Motivation 4. Motivation and Overview
4.1. SCTP NAT Traversal Scenarios 4.1. SCTP NAT Traversal Scenarios
This section defines the notion of single and multi point NAT This section defines the notion of single and multipoint NAT
traversal. traversal.
4.1.1. Single Point Traversal 4.1.1. Single Point Traversal
In this case, all packets in the SCTP association go through a single In this case, all packets in the SCTP association go through a single
NAT function, as shown below: NAT function, as shown in Figure 2.
Internal Network | External Network Internal Network | External Network
| |
+--------+ | /--\/--\ +--------+ | /--\/--\
| SCTP | +-----+ / \ | SCTP | +--------+ +-----+ / \ +--------+
|endpoint|=========| NAT |========= | Internet | ========|endpoint| | Host A |=========| NAT |========= | Network | ========| Host B |
| A | +-----+ \ / | B | +--------+ +-----+ \ / +--------+
+--------+ | \--/\--/ +--------+ | \--/\--/
| |
Figure 2: Single NAT scenario Figure 2: Single NAT Function Scenario
A variation of this case is shown below, i.e., multiple NAT functions A variation of this case is shown in Figure 3, i.e., multiple NAT
in a single path: functions in the forwarding path between two endpoints.
Internal | External : Internal | External Internal | External : Internal | External
| : | | : |
+--------+ | : | /--\/--\ +--------+ | : | /--\/--\
| SCTP | +-----+ : +-----+ / \ | SCTP | +--------+ +-----+ : +-----+ / \ +--------+
|endpoint|==| NAT |=======:=======| NAT |==| Internet |==|endpoint| | Host A |==| NAT |=======:=======| NAT |==| Network |==| Host B |
| A | +-----+ : +-----+ \ / | B | +--------+ +-----+ : +-----+ \ / +--------+
+--------+ | : | \--/\--/ +--------+ | : | \--/\--/
| : | | : |
Figure 3: Serial NAT Functions scenario Figure 3: Serial NAT Functions Scenario
Although one of the main benefits of SCTP multi-homing is redundant Although one of the main benefits of SCTP multi-homing is redundant
paths, in the single point traversal scenario the NAT function paths, in the single point traversal scenario the NAT function
represents a single point of failure in the path of the SCTP multi- represents a single point of failure in the path of the SCTP multi-
homed association. However, the rest of the path may still benefit homed association. However, the rest of the path can still benefit
from path diversity provided by SCTP multi-homing. from path diversity provided by SCTP multi-homing.
The two SCTP endpoints in this case can be either single-homed or The two SCTP endpoints in this case can be either single-homed or
multi-homed. However, the important thing is that the NAT function multi-homed. However, the important thing is that the NAT function
in this case sees all the packets of the SCTP association. in this case sees all the packets of the SCTP association.
4.1.2. Multi Point Traversal 4.1.2. Multipoint Traversal
This case involves multiple NAT functions and each NAT function only This case involves multiple NAT functions and each NAT function only
sees some of the packets in the SCTP association. An example is sees some of the packets in the SCTP association. An example is
shown below: shown in Figure 4.
Internal | External Internal | External
+------+ /---\/---\ +------+ /---\/---\
+--------+ /=======|NAT A |=========\ / \ +--------+ /=======|NAT A |=========\ / \
| SCTP | / +------+ \/ \ | SCTP | +--------+ / +------+ \/ \ +--------+
|endpoint|/ ... | Internet |===|endpoint| | Host A |/ | | Network |===| Host B |
| A |\ \ / | B | +--------+\ | \ / +--------+
+--------+ \ +------+ / \ / +--------+ \ +------+ / \ /
\=======|NAT B |=========/ \---\/---/ \=======|NAT B |=========/ \---\/---/
+------+ +------+
| |
Figure 4: Parallel NAT functions scenario Figure 4: Parallel NAT Functions Scenario
This case does not apply to a single-homed SCTP association (i.e., This case does not apply to a single-homed SCTP association (i.e.,
both endpoints in the association use only one IP address). The both endpoints in the association use only one IP address). The
advantage here is that the existence of multiple NAT traversal points advantage here is that the existence of multiple NAT traversal points
can preserve the path diversity of a multi-homed association for the can preserve the path diversity of a multi-homed association for the
entire path. This in turn can improve the robustness of the entire path. This in turn can improve the robustness of the
communication. communication.
4.2. Limitations of Classical NAPT for SCTP 4.2. Limitations of Classical NAPT for SCTP
Using classical NAPT may result in changing one of the SCTP port Using classical NAPT possibly results in changing one of the SCTP
numbers during the processing which requires the recomputation of the port numbers during the processing which requires the recomputation
transport layer checksum by the NAPT device. Whereas for UDP and TCP of the transport layer checksum by the NAPT function. Whereas for
this can be done very efficiently, for SCTP the checksum (CRC32c) UDP and TCP this can be done very efficiently, for SCTP the checksum
over the entire packet needs to be recomputed (see Appendix B of (CRC32c) over the entire packet needs to be recomputed (see
[RFC4960] for details of the CRC32c computation). This would Appendix B of [RFC4960] for details of the CRC32c computation). This
considerably add to the NAT computational burden, however hardware would considerably add to the NAT computational burden, however
support may mitigate this in some implementations. hardware support can mitigate this in some implementations.
An SCTP endpoint may have multiple addresses but only has a single An SCTP endpoint can have multiple addresses but only has a single
port number. To make multipoint traversal work, all the NAT port number to use. To make multipoint traversal work, all the NAT
functions involved must recognize the packets they see as belonging functions involved need to recognize the packets they see as
to the same SCTP association and perform port number translation in a belonging to the same SCTP association and perform port number
consistent way. One possible way of doing this is to use a pre- translation in a consistent way. One possible way of doing this is
defined table of ports and addresses configured within each NAT to use a pre-defined table of port numbers and addresses configured
function. Other mechanisms could make use of NAT to NAT within each NAT function. Other mechanisms could make use of NAT to
communication. Such mechanisms have not been deployed on a wide NAT communication. Such mechanisms have not been deployed on a wide
scale base and thus are not a recommended solution. Therefore an scale base and thus are not a preferred solution. Therefore an SCTP
SCTP variant of NAT function has been developed. variant of NAT function has been developed (see Section 4.3).
4.3. The SCTP-Specific Variant of NAT 4.3. The SCTP-Specific Variant of NAT
In this section it is allowed that there are multiple SCTP capable In this section it is allowed that there are multiple SCTP capable
hosts behind a NAT function that has one Exernal-Address. hosts behind a NAT function that share one External-Address.
Furthermore this section focuses on the single point traversal Furthermore, this section focuses on the single point traversal
scenario. scenario (see Section 4.1.1).
The modification of SCTP packets sent to the Internet is simple: the The modification of outgoing SCTP packets sent from an internal host
source address of the packet has to be replaced with the External- is simple: the source address of the packets has to be replaced with
Address. It may also be necessary to establish some state in the NAT the External-Address. It might also be necessary to establish some
function to later handle incoming packets. state in the NAT function to later handle incoming packets.
For the SCTP NAT processing the NAT function has to maintain a NAT Typically, the NAT function has to maintain a NAT binding table of
binding table of Internal-VTag, Internal-Port, Remote-VTag, Remote- Internal-VTag, Internal-Port, Remote-VTag, Remote-Port, Internal-
Port, Internal-Address, and whether the restart procedure is disabled Address, and whether the restart procedure is disabled or not. An
or not. An entry in that NAT binding table is called a NAT-State entry in that NAT binding table is called a NAT-State control block.
control block. The function Create() obtains the just mentioned The function Create() obtains the just mentioned parameters and
parameters and returns a NAT-State control block. A NAT function MAY returns a NAT-State control block. A NAT function MAY allow creating
allow creating NAT-State control blocks via a management interface. NAT-State control blocks via a management interface.
For SCTP packets coming from the public Internet the destination For SCTP packets coming from the external realm of the NAT function
address of the packets has to be replaced with the Internal-Address the destination address of the packets has to be replaced with the
of the host to which the packet has to be delivered. The lookup of Internal-Address of the host to which the packet has to be delivered,
the Internal-Address is based on the Remote-VTag, Remote-Port, if a NAT state entry is found. The lookup of the Internal-Address is
Internal-VTag and the Internal-Port. based on the Remote-VTag, Remote-Port, Internal-VTag and the
Internal-Port.
The entries in the NAT binding table need to fulfill some uniqueness The entries in the NAT binding table need to fulfill some uniqueness
conditions. There must not be more than one entry NAT binding table conditions. There can not be more than one entry NAT binding table
with the same pair of Internal-Port and Remote-Port. This rule can with the same pair of Internal-Port and Remote-Port. This rule can
be relaxed, if all NAT binding table entries with the same Internal- be relaxed, if all NAT binding table entries with the same Internal-
Port and Remote-Port have the support for the restart procedure Port and Remote-Port have the support for the restart procedure
enabled. In this case there must be no more than one entry with the disabled (see Section 5.3.1). In this case there can not be no more
same Internal-Port, Remote-Port and Remote-VTag and no more than one than one entry with the same Internal-Port, Remote-Port and Remote-
NAT binding table entry with the same Internal-Port, Remote-Port and VTag and no more than one NAT binding table entry with the same
Int-VTag. Internal-Port, Remote-Port, and Int-VTag.
The processing of outgoing SCTP packets containing an INIT chunk is The processing of outgoing SCTP packets containing an INIT chunk is
described in the following figure. The scenario shown is valid for described in the following figure. The scenario shown is valid for
all message flows in this section. all message flows in this section.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Network | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
INIT[Initiate-Tag] INIT[Initiate-Tag]
Int-Addr:Int-Port ------> Rem-Addr:Rem-Port Int-Addr:Int-Port ------> Rem-Addr:Rem-Port
Rem-VTag=0 Rem-VTag=0
Create(Initiate-Tag, Int-Port, 0, Rem-Port, Int-Addr, Create(Initiate-Tag, Int-Port, 0, Rem-Port, Int-Addr,
RestartSupported) IsRestartDisabled)
Returns(NAT-State control block) Returns(NAT-State control block)
Translate To: Translate To:
INIT[Initiate-Tag] INIT[Initiate-Tag]
Ext-Addr:Int-Port ------> Rem-Addr:Rem-Port Ext-Addr:Int-Port ------> Rem-Addr:Rem-Port
Rem-VTag=0 Rem-VTag=0
Normally a NAT binding table entry will be created. Normally a NAT binding table entry will be created.
However, it is possible that there is already a NAT binding table However, it is possible that there is already a NAT binding table
entry with the same Remote-Port, Internal-Port, and Internal-VTag but entry with the same Remote-Port, Internal-Port, and Internal-VTag but
different Internal-Address. In this case the packet containing the different Internal-Address and the restart procedure is disabled. In
INIT chunk MUST be dropped by the NAT and a packet containing an this case the packet containing the INIT chunk MUST be dropped by the
ABORT chunk SHOULD be sent to the SCTP host that originated the NAT and a packet containing an ABORT chunk SHOULD be sent to the SCTP
packet with the M-Bit set and an appropriate error cause (see host that originated the packet with the M bit set and 'VTag and Port
Section 5.1.1 for the format). The source address of the packet Number Collision' error cause (see Section 5.1.1 for the format).
containing the ABORT chunk MUST be the destination address of the The source address of the packet containing the ABORT chunk MUST be
packet containing the INIT chunk. the destination address of the packet containing the INIT chunk.
If an outgoing SCTP packet contains an INIT or ASCONF chunk and a If an outgoing SCTP packet contains an INIT or ASCONF chunk and a
matching NAT binding table entry is found, the packet is processed as matching NAT binding table entry is found, the packet is processed as
a normal outgoing packet. a normal outgoing packet.
It is also possible that a connection to Remote-Address and Remote- It is also possible that a NAT binding table entry with the same
Port exists without an Internal-VTag conflict but there exists a NAT Remote-Port and Internal-Port exists without an Internal-VTag
binding table entry with the same port numbers but a different conflict but there exists a NAT binding table entry with the same
Internal-Address. In such a case the packet containing the INIT port numbers but a different Internal-Address and the restart
chunk MUST be dropped by the NAT function and a packet containing an procedure is not disabled. In such a case the packet containing the
ABORT chunk SHOULD be sent to the SCTP host that originated the INIT chunk MUST be dropped by the NAT function and a packet
packet with the M-Bit set and an appropriate error cause (see containing an ABORT chunk SHOULD be sent to the SCTP host that
Section 5.1.1 for the format). originated the packet with the M bit set and 'Port Number Collision'
error cause (see Section 5.1.1 for the format).
The processing of outgoing SCTP packets containing no INIT chunks is The processing of outgoing SCTP packets containing no INIT chunks is
described in the following figure. described in the following figure.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Network | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
Int-Addr:Int-Port ------> Rem-Addr:Rem-Port Int-Addr:Int-Port ------> Rem-Addr:Rem-Port
Rem-VTag Rem-VTag
Translate To: Translate To:
Ext-Addr:Int-Port ------> Rem-Addr:Rem-Port Ext-Addr:Int-Port ------> Rem-Addr:Rem-Port
Rem-VTag Rem-VTag
skipping to change at page 11, line 30 skipping to change at page 11, line 33
is described in the following figure. The Lookup() function getting is described in the following figure. The Lookup() function getting
as input the Internal-VTag, Internal-Port, Remote-VTag, and Remote- as input the Internal-VTag, Internal-Port, Remote-VTag, and Remote-
Port, returns the corresponding entry of the NAT binding table and Port, returns the corresponding entry of the NAT binding table and
updates the Remote-VTag by substituting it with the value of the updates the Remote-VTag by substituting it with the value of the
Initiate-Tag of the INIT ACK chunk. The wildcard character signifies Initiate-Tag of the INIT ACK chunk. The wildcard character signifies
that the parameter's value is not considered in the Lookup() function that the parameter's value is not considered in the Lookup() function
or changed in the Update() function, respectively. or changed in the Update() function, respectively.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Network | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
INIT ACK[Initiate-Tag] INIT ACK[Initiate-Tag]
Ext-Addr:Int-Port <---- Rem-Addr:Rem-Port Ext-Addr:Int-Port <---- Rem-Addr:Rem-Port
Int-VTag Int-VTag
Lookup(Int-VTag, Int-Port, *, Rem-Port) Lookup(Int-VTag, Int-Port, *, Rem-Port)
Update(*, *, Initiate-Tag, *) Update(*, *, Initiate-Tag, *)
Returns(NAT-State control block containing Int-Addr) Returns(NAT-State control block containing Int-Addr)
INIT ACK[Initiate-Tag] INIT ACK[Initiate-Tag]
Int-Addr:Int-Port <------ Rem-Addr:Rem-Port Int-Addr:Int-Port <------ Rem-Addr:Rem-Port
Int-VTag Int-VTag
In the case Lookup fails, the SCTP packet is dropped. If it In the case where the Lookup function fails because it does not find
succeeds, the Update routine inserts the Remote-VTag (the Initiate- an entry, the SCTP packet is dropped. If it succeeds, the Update
Tag of the INIT ACK chunk) in the NAT-State control block. routine inserts the Remote-VTag (the Initiate-Tag of the INIT ACK
chunk) in the NAT-State control block.
The processing of incoming SCTP packets containing an ABORT or The processing of incoming SCTP packets containing an ABORT or
SHUTDOWN COMPLETE chunk with the T-Bit set is described in the SHUTDOWN COMPLETE chunk with the T bit set is illustrated in the
following figure. following figure.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Network | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
Ext-Addr:Int-Port <------ Rem-Addr:Rem-Port Ext-Addr:Int-Port <------ Rem-Addr:Rem-Port
Rem-VTag Rem-VTag
Lookup(*, Int-Port, Rem-VTag, Rem-Port) Lookup(*, Int-Port, Rem-VTag, Rem-Port)
Returns(NAT-State control block containing Int-Addr) Returns(NAT-State control block containing Int-Addr)
Int-Addr:Int-Port <------ Rem-Addr:Rem-Port Int-Addr:Int-Port <------ Rem-Addr:Rem-Port
Rem-VTag Rem-VTag
For an incoming packet containing an INIT chunk a table lookup is For an incoming packet containing an INIT chunk a table lookup is
made only based on the addresses and port numbers. If an entry with made only based on the addresses and port numbers. If an entry with
an Remote-VTag of zero is found, it is considered a match and the a Remote-VTag of zero is found, it is considered a match and the
Remote-VTag is updated. If an entry with a non-matching Remote-VTag Remote-VTag is updated. If an entry with a non-matching Remote-VTag
is found or no entry is found, the incoming packet is dropped. If an is found or no entry is found, the incoming packet is silently
entry with a matching Remote-VTag is found, the incoming packet is dropped. If an entry with a matching Remote-VTag is found, the
forwarded. This allows the handling of INIT collision through NAT incoming packet is forwarded. This allows the handling of INIT
functions. collision through NAT functions.
The processing of other incoming SCTP packets is described in the The processing of other incoming SCTP packets is described in the
following figure. following figure.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Network | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
Ext-Addr:Int-Port <------ Rem-Addr:Rem-Port Ext-Addr:Int-Port <------ Rem-Addr:Rem-Port
Int-VTag Int-VTag
Lookup(Int-VTag, Int-Port, *, Rem-Port) Lookup(Int-VTag, Int-Port, *, Rem-Port)
Returns(NAT-State control block containing Internal-Address) Returns(NAT-State control block containing Internal-Address)
skipping to change at page 13, line 32 skipping to change at page 13, line 48
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 6 | Reserved |M|T| Length | | Type = 6 | Reserved |M|T| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \ \ \
/ zero or more Error Causes / / zero or more Error Causes /
\ \ \ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The ABORT chunk is extended to add the new 'M bit'. The M bit The ABORT chunk is extended to add the new 'M bit'. The M bit
indicates to the receiver of the ABORT chunk that the chunk was not indicates to the receiver of the ABORT chunk that the chunk was not
generated by the peer SCTP endpoint, but instead by a middle box. generated by the peer SCTP endpoint, but instead by a middle box
(e.g., NAT).
[NOTE to RFC-Editor: Assignment of M bit to be confirmed by IANA.] [NOTE to RFC-Editor: Assignment of M bit to be confirmed by IANA.]
5.1.2. Extended ERROR Chunk 5.1.2. Extended ERROR Chunk
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 9 | Reserved |M|T| Length | | Type = 9 | Reserved |M|T| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 14, line 48 skipping to change at page 15, line 20
[NOTE to RFC-Editor: Assignment of cause code to be confirmed by [NOTE to RFC-Editor: Assignment of cause code to be confirmed by
IANA.] IANA.]
5.2.2. Missing State Error Cause 5.2.2. Missing State Error Cause
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x00B1 | Cause Length = Variable | | Cause Code = 0x00B1 | Cause Length = Variable |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ Incoming Packet / \ Original Packet /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Cause Code: 2 bytes (unsigned integer) Cause Code: 2 bytes (unsigned integer)
This field holds the IANA defined cause code for the 'Missing This field holds the IANA defined cause code for the 'Missing
State' Error Cause. IANA is requested to assign the value 0x00B1 State' Error Cause. IANA is requested to assign the value 0x00B1
for this cause code. for this cause code.
Cause Length: 2 bytes (unsigned integer) Cause Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the error cause. The This field holds the length in bytes of the error cause. The
value MUST be the length of the Cause-Specific Information plus 4. value MUST be the length of the Cause-Specific Information plus 4.
Incoming Packet: variable length Original Packet: variable length
The Cause-Specific Information is filled with the IPv4 or IPv6 The Cause-Specific Information is filled with the IPv4 or IPv6
packet that caused this error. The IPv4 or IPv6 header MUST be packet that caused this error. The IPv4 or IPv6 header MUST be
included. Note that if the packet will not fit in the ERROR chunk included. Note that if the packet will not fit in the ERROR chunk
or ABORT chunk being sent then the bytes that do not fit are or ABORT chunk being sent then the bytes that do not fit are
truncated. truncated.
[NOTE to RFC-Editor: Assignment of cause code to be confirmed by [NOTE to RFC-Editor: Assignment of cause code to be confirmed by
IANA.] IANA.]
5.2.3. Port Number Collision Error Cause 5.2.3. Port Number Collision Error Cause
skipping to change at page 17, line 36 skipping to change at page 18, line 6
ASCONF-Request Correlation ID: 4 bytes (unsigned integer) ASCONF-Request Correlation ID: 4 bytes (unsigned integer)
This is an opaque integer assigned by the sender to identify each This is an opaque integer assigned by the sender to identify each
request parameter. The receiver of the ASCONF Chunk will copy request parameter. The receiver of the ASCONF Chunk will copy
this 32-bit value into the ASCONF Response Correlation ID field of this 32-bit value into the ASCONF Response Correlation ID field of
the ASCONF ACK response parameter. The sender of the packet the ASCONF ACK response parameter. The sender of the packet
containing the ASCONF chunk can use this same value in the ASCONF containing the ASCONF chunk can use this same value in the ASCONF
ACK chunk to find which request the response is for. Note that ACK chunk to find which request the response is for. Note that
the receiver MUST NOT change this 32-bit value. the receiver MUST NOT change this 32-bit value.
Internal Verification Tag: 4 bytes (unsigned integer) Internal Verification Tag: 4 bytes (unsigned integer)
The Verification Tag that the internal host has chosen for its The Verification Tag that the internal host has chosen for the
communication. The Verification Tag is a unique 32-bit tag that association. The Verification Tag is a unique 32-bit tag that
must accompany any incoming SCTP packet for this association to accompanies any incoming SCTP packet for this association to the
the Internal-Address. Internal-Address.
Remote Verification Tag: 4 bytes (unsigned integer) Remote Verification Tag: 4 bytes (unsigned integer)
The Verification Tag that the host holding the Remote-Address has The Verification Tag that the host holding the Remote-Address has
chosen for its communication. The VTag is a unique 32-bit tag chosen for the association. The VTag is a unique 32-bit tag that
that must accompany any incoming SCTP packet for this association accompanies any outgoing SCTP packet for this association to the
to the Remote-Address. Remote-Address.
[NOTE to RFC-Editor: Assignment of parameter type to be confirmed by [NOTE to RFC-Editor: Assignment of parameter type to be confirmed by
IANA.] IANA.]
This parameter MAY appear in ASCONF chunks and MUST NOT appear in any This parameter MAY appear in ASCONF chunks and MUST NOT appear in any
other chunk. other chunk.
6. Procedures for SCTP Endpoints and NAT Functions 6. Procedures for SCTP Endpoints and NAT Functions
When an SCTP endpoint is behind an SCTP-aware NAT a number of If an SCTP endpoint is behind an SCTP-aware NAT, a number of problems
problems may arise as it tries to communicate with its peer: can arise as it tries to communicate with its peers:
* IP addresses can not be included in the SCTP packet. This is * IP addresses can not be included in the SCTP packet. This is
discussed in Section 6.1. discussed in Section 6.1.
* More than one host behind a NAT function could select the same * More than one host behind a NAT function could select the same
VTag and source port when talking to the same peer server. This VTag and source port number when communicating with the same peer
creates a situation where the NAT function will not be able to server. This creates a situation where the NAT function will not
tell the two associations apart. This situation is discussed in be able to tell the two associations apart. This situation is
Section 6.2. discussed in Section 6.2.
* When an SCTP endpoint is a server communicating with multiple * If an SCTP endpoint is a server communicating with multiple peers
peers and the peers are behind the same NAT function, then the two and the peers are behind the same NAT function, then the these
endpoints cannot be distinguished by the server. This case is peers cannot be distinguished by the server. This case is
discussed in Section 6.3. discussed in Section 6.3.
* A restart of a NAT function during a conversation could cause a * A restart of a NAT function during a conversation could cause a
loss of its state. This problem and its solution is discussed in loss of its state. This problem and its solution is discussed in
Section 6.4. Section 6.4.
* NAT functions need to deal with SCTP packets being fragmented at * NAT functions need to deal with SCTP packets being fragmented at
the IP layer. This is discussed in Section 6.5. the IP layer. This is discussed in Section 6.5.
* An SCTP endpoint can be behind two NAT functions in parallel * An SCTP endpoint can be behind two NAT functions in parallel
providing redundancy. The method to set up this scenario is providing redundancy. The method to set up this scenario is
discussed in Section 6.6. discussed in Section 6.6.
Each of these mechanisms requires additional chunks and parameters, The mechanisms to solve these problems require additional chunks and
defined in this document, and modified handling procedures from those parameters, defined in this document, and modified handling
specified in [RFC4960] as described below. procedures from those specified in [RFC4960] as described below.
6.1. Association Setup Considerations for Endpoints 6.1. Association Setup Considerations for Endpoints
The association setup procedure defined in [RFC4960] allows multi- The association setup procedure defined in [RFC4960] allows multi-
homed SCTP endpoints to exchange its IP-addresses by using IPv4 or homed SCTP endpoints to exchange its IP-addresses by using IPv4 or
IPv6 address parameters in the INIT and INIT ACK chunks. However, IPv6 address parameters in the INIT and INIT ACK chunks. However,
this does not work when NAT functions are present. this does not work when NAT functions are present.
Every association setup from a host behind a NAT function MUST NOT Every association setup from a host behind a NAT function MUST NOT
use multiple internal addresses. The INIT chunk MUST NOT contain an use multiple internal addresses. The INIT chunk MUST NOT contain an
IPv4 Address parameter, IPv6 Address parameter, or Supported Address IPv4 Address parameter, IPv6 Address parameter, or Supported Address
Types parameter. The INIT ACK chunk MUST NOT contain any IPv4 Types parameter. The INIT ACK chunk MUST NOT contain any IPv4
Address parameter or IPv6 Address parameter using non-global Address parameter or IPv6 Address parameter using non-global
addresses. The INIT chunk and the INIT ACK chunk MUST NOT contain addresses. The INIT chunk and the INIT ACK chunk MUST NOT contain
any Host Name parameters. any Host Name parameters.
If the association should finally be multi-homed, the procedure in If the association is intended to be finally multi-homed, the
Section 6.6 MUST be used. procedure in Section 6.6 MUST be used.
The INIT and INIT ACK chunk SHOULD contain the Disable Restart The INIT and INIT ACK chunk SHOULD contain the Disable Restart
parameter defined in Section 5.3.1. parameter defined in Section 5.3.1.
6.2. Handling of Internal Port Number and Verification Tag Collisions 6.2. Handling of Internal Port Number and Verification Tag Collisions
Consider the case where two hosts in the Internal-Address space want Consider the case where two hosts in the Internal-Address space want
to set up an SCTP association with the same service provided by some to set up an SCTP association with the same service provided by some
hosts in the Internet. This means that the Remote-Port is the same. remote hosts. This means that the Remote-Port is the same. If they
If they both choose the same Internal-Port and Internal-VTag, the NAT both choose the same Internal-Port and Internal-VTag, the NAT
function cannot distinguish between incoming packets anymore. function cannot distinguish between incoming packets anymore.
However, this is unlikely. The Internal-VTags are chosen at random However, this is unlikely. The Internal-VTags are chosen at random
and if the Internal-Ports are also chosen from the ephemeral port and if the Internal-Ports are also chosen from the ephemeral port
range at random this gives a 46-bit random number that has to match. range at random (see [RFC6056]) this gives a 46-bit random number
A NAPT device can control the Port number and therefore avoid that has to match.
collisions deterministically.
The same can happen with the Remote-VTag when a packet containing an The same can happen with the Remote-VTag when a packet containing an
INIT ACK chunk or an ASCONF chunk is processed by the NAT function. INIT ACK chunk or an ASCONF chunk is processed by the NAT function.
6.2.1. NAT Function Considerations 6.2.1. NAT Function Considerations
If the NAT function detects a collision of internal port numbers and If the NAT function detects a collision of internal port numbers and
verification tags, it SHOULD send a packet containing an ABORT chunk verification tags, it SHOULD send a packet containing an ABORT chunk
with the M bit set if the collision is triggered by a packet with the M bit set if the collision is triggered by a packet
containing an INIT or INIT ACK chunk. If such a collision is containing an INIT or INIT ACK chunk. If such a collision is
skipping to change at page 20, line 9 skipping to change at page 20, line 21
and port numbers MUST be swapped. and port numbers MUST be swapped.
The sender of the packet containing an ERROR or ABORT chunk MUST The sender of the packet containing an ERROR or ABORT chunk MUST
include the error cause with cause code 'VTag and Port Number include the error cause with cause code 'VTag and Port Number
Collision' (see Section 5.2.1). Collision' (see Section 5.2.1).
6.2.2. Endpoint Considerations 6.2.2. Endpoint Considerations
The sender of the packet containing the INIT chunk or the receiver of The sender of the packet containing the INIT chunk or the receiver of
a packet containing the INIT ACK chunk, upon reception of a packet a packet containing the INIT ACK chunk, upon reception of a packet
containign an ABORT chunk with M bit set and the appropriate error containing an ABORT chunk with M bit set and the appropriate error
cause code for colliding NAT binding table state is included, SHOULD cause code for colliding NAT binding table state is included, SHOULD
reinitiate the association setup procedure after choosing a new reinitiate the association setup procedure after choosing a new
initiate tag, if the association is in COOKIE-WAIT state. In any initiate tag, if the association is in COOKIE-WAIT state. In any
other state, the SCTP endpoint MUST NOT respond. other state, the SCTP endpoint MUST NOT respond.
The sender of packet containing the ASCONF chunk, upon reception of a The sender of the packet containing the ASCONF chunk, upon reception
packet containing an ERROR chunk with M bit set, MUST stop adding the of a packet containing an ERROR chunk with M bit set, MUST stop
path to the association. adding the path to the association.
6.3. Handling of Internal Port Number Collisions 6.3. Handling of Internal Port Number Collisions
When two SCTP hosts are behind an SCTP-aware NAT it is possible that When two SCTP hosts are behind an SCTP-aware NAT it is possible that
two SCTP hosts in the Internal-Address space will want to set up an two SCTP hosts in the Internal-Address space will want to set up an
SCTP association with the same server running on the same host in the SCTP association with the same server running on the same remote
Internet. If the two hosts choose the same internal port, this is host. If the two hosts choose the same internal port, this is
considered an internal port number collision. considered an internal port number collision.
For the NAT function, appropriate tracking may be performed by For the NAT function, appropriate tracking can be performed by
assuring that the VTags are unique between the two hosts. assuring that the VTags are unique between the two hosts.
6.3.1. NAT Function Considerations 6.3.1. NAT Function Considerations
The NAT function, when processing the packet containing the INIT ACK The NAT function, when processing the packet containing the INIT ACK
chunk, should note in its NAT binding table that the association chunk, SHOULD note in its NAT binding table if the association
supports the disable restart extension. This note is used when supports the disable restart extension. This note is used when
establishing future associations (i.e. when processing a packet establishing future associations (i.e. when processing a packet
containing an INIT chunk from an internal host) to decide if the containing an INIT chunk from an internal host) to decide if the
connection should be allowed. The NAT function does the following connection can be allowed. The NAT function does the following when
when processing a packet containing an INIT chunk: processing a packet containing an INIT chunk:
* If the packet containing the INIT chunk is originating from an * If the packet containing the INIT chunk is originating from an
internal port to an remote port for which the NAT function has no internal port to a remote port for which the NAT function has no
matching NAT binding table entry, it MUST allow the packet matching NAT binding table entry, it MUST allow the packet
containing the INIT chunk creating an NAT binding table entry. containing the INIT chunk creating an NAT binding table entry.
* If the packet containing the INIT chunk matches an existing NAT * If the packet containing the INIT chunk matches an existing NAT
binding table entry, it MUST validate that the disable restart binding table entry, it MUST validate that the disable restart
feature is supported and, if it does, allow the packet containing feature is supported and, if it does, allow the packet containing
the INIT chunk to be forwarded. the INIT chunk to be forwarded.
* If the disable restart feature is not supported, the NAT function * If the disable restart feature is not supported, the NAT function
SHOULD send a packet containing an ABORT chunk with the M bit set. SHOULD send a packet containing an ABORT chunk with the M bit set.
skipping to change at page 21, line 16 skipping to change at page 21, line 29
included in the ABORT chunk sent in response to the packet containing included in the ABORT chunk sent in response to the packet containing
an INIT chunk. an INIT chunk.
If the collision is triggered by a packet containing an ASCONF chunk, If the collision is triggered by a packet containing an ASCONF chunk,
a packet containing an ERROR chunk with the 'Port Number Collision' a packet containing an ERROR chunk with the 'Port Number Collision'
error cause SHOULD be sent in response to the packet containing the error cause SHOULD be sent in response to the packet containing the
ASCONF chunk. ASCONF chunk.
6.3.2. Endpoint Considerations 6.3.2. Endpoint Considerations
For the remote SCTP server on the Internet this means that the For the remote SCTP server this means that the Remote-Port and the
Remote-Port and the Remote-Address are the same. If they both have Remote-Address are the same. If they both have chosen the same
chosen the same Internal-Port the server cannot distinguish between Internal-Port the server cannot distinguish between both associations
both associations based on the address and port numbers. For the based on the address and port numbers. For the server it looks like
server it looks like the association is being restarted. To overcome the association is being restarted. To overcome this limitation the
this limitation the client sends a Disable Restart parameter in the client sends a Disable Restart parameter in the INIT chunk.
INIT chunk.
When the server receives this parameter it does the following: When the server receives this parameter it does the following:
* It MUST include a Disable Restart parameter in the INIT ACK to * It MUST include a Disable Restart parameter in the INIT ACK to
inform the client that it will support the feature. inform the client that it will support the feature.
* It MUST disable the restart procedures defined in [RFC4960] for * It MUST disable the restart procedures defined in [RFC4960] for
this association. this association.
Servers that support this feature will need to be capable of Servers that support this feature will need to be capable of
skipping to change at page 21, line 37 skipping to change at page 22, line 4
inform the client that it will support the feature. inform the client that it will support the feature.
* It MUST disable the restart procedures defined in [RFC4960] for * It MUST disable the restart procedures defined in [RFC4960] for
this association. this association.
Servers that support this feature will need to be capable of Servers that support this feature will need to be capable of
maintaining multiple connections to what appears to be the same peer maintaining multiple connections to what appears to be the same peer
(behind the NAT function) differentiated only by the VTags. (behind the NAT function) differentiated only by the VTags.
6.4. Handling of Missing State 6.4. Handling of Missing State
6.4.1. NAT Function Considerations 6.4.1. NAT Function Considerations
If the NAT function receives a packet from the internal network for If the NAT function receives a packet from the internal network for
which the lookup procedure does not find an entry in the NAT binding which the lookup procedure does not find an entry in the NAT binding
table, a packet containing an ERROR chunk SHOULD be sent back with table, a packet containing an ERROR chunk SHOULD be sent back with
the M bit set. The source address of the packet containing the ERROR the M bit set. The source address of the packet containing the ERROR
chunk MUST be the destination address of the incoming SCTP packet. chunk MUST be the destination address of the packet received from the
The verification tag is reflected and the T bit is set. Such a internal network. The verification tag is reflected and the T bit is
packet containing an ERROR chunk SHOULD NOT be sent if the received set. Such a packet containing an ERROR chunk SHOULD NOT be sent if
packet contains an ABORT, SHUTDOWN COMPLETE or INIT ACK chunk. A the received packet contains an ASCONF chunk with the VTags parameter
packet containing an ERROR chunk MUST NOT be sent if the received or an ABORT, SHUTDOWN COMPLETE or INIT ACK chunk. A packet
packet contains an ERROR chunk with the M bit set. In any case, the containing an ERROR chunk MUST NOT be sent if the received packet
packet SHOULD NOT be forwarded to the remote address. contains an ERROR chunk with the M bit set. In any case, the packet
SHOULD NOT be forwarded to the remote address.
If the NAT function receives a packet from the internal network for
which it has no NAT binding table entry and the packet contains an
ASCONF chunk with the VTags parameter, the NAT function MUST update
its NAT binding table according to the verification tags in the VTags
parameter and, if present, the Disable Restart parameter.
When sending a packet containing an ERROR chunk, the error cause When sending a packet containing an ERROR chunk, the error cause
'Missing State' (see Section 5.2.2) MUST be included and the M bit of 'Missing State' (see Section 5.2.2) MUST be included and the M bit of
the ERROR chunk MUST be set (see Section 5.1.2). the ERROR chunk MUST be set (see Section 5.1.2).
If the NAT device receives a packet for which it has no NAT binding
table entry and the packet contains an ASCONF chunk with the VTags
parameter, the NAT function MUST update its NAT binding table
according to the verification tags in the VTags parameter and the
optional Disable Restart parameter.
6.4.2. Endpoint Considerations 6.4.2. Endpoint Considerations
Upon reception of this packet containing the ERROR chunk by an SCTP Upon reception of this packet containing the ERROR chunk by an SCTP
endpoint the receiver takes the following actions: endpoint the receiver takes the following actions:
* It SHOULD validate that the verification tag is reflected by * It SHOULD validate that the verification tag is reflected by
looking at the VTag that would have been included in the outgoing looking at the VTag that would have been included in an outgoing
packet. If the validation fails, discard the incoming packet packet. If the validation fails, discard the received packet
containing the ERROR chunk. containing the ERROR chunk.
* It SHOULD validate that the peer of the SCTP association supports * It SHOULD validate that the peer of the SCTP association supports
the dynamic address extension. If the validation fails, discard the dynamic address extension. If the validation fails, discard
the incoming packet containing the ERROR chunk. the received packet containing the ERROR chunk.
* It SHOULD generate a packet containing a new ASCONF chunk * It SHOULD generate a packet containing a new ASCONF chunk
containing the VTags parameter (see Section 5.3.2) and the Disable containing the VTags parameter (see Section 5.3.2) and the Disable
Restart parameter (see Section 5.3.1) if the association is using Restart parameter (see Section 5.3.1) if the association is using
the disable restart feature. By processing this packet the NAT the disable restart feature. By processing this packet the NAT
function can recover the appropriate state. The procedures for function can recover the appropriate state. The procedures for
generating an ASCONF chunk can be found in [RFC5061]. generating an ASCONF chunk can be found in [RFC5061].
The peer SCTP endpoint receiving such a packet containing an ASCONF The peer SCTP endpoint receiving such a packet containing an ASCONF
chunk SHOULD either add the address and respond with an chunk SHOULD add the address and respond with an acknowledgment if
acknowledgment, if the address is new to the association (following the address is new to the association (following all procedures
all procedures defined in [RFC5061]). Or, if the address is already defined in [RFC5061]). If the address is already part of the
part of the association, the SCTP endpoint MUST NOT respond with an association, the SCTP endpoint MUST NOT respond with an error, but
error, but instead SHOULD respond with packet containing an ASCONF instead SHOULD respond with a packet containing an ASCONF ACK chunk
ACK chunk acknowledging the address and take no action (since the acknowledging the address and take no action (since the address is
address is already in the association). already in the association).
Note that it is possible that upon receiving a packet containing an Note that it is possible that upon receiving a packet containing an
ASCONF chunk containing the VTags parameter the NAT function will ASCONF chunk containing the VTags parameter the NAT function will
realize that it has an 'Internal Port Number and Verification Tag realize that it has an 'Internal Port Number and Verification Tag
collision'. In such a case the NAT function SHOULD send a packet collision'. In such a case the NAT function SHOULD send a packet
containing an ERROR chunk with the error cause code set to 'VTag and containing an ERROR chunk with the error cause code set to 'VTag and
Port Number Collision' (see Section 5.2.1). Port Number Collision' (see Section 5.2.1).
If an SCTP endpoint receives a packet containing an ERROR chunk with If an SCTP endpoint receives a packet containing an ERROR chunk with
'Internal Port Number and Verification Tag collision' as the error 'Internal Port Number and Verification Tag collision' as the error
cause and the packet in the Error Chunk contains an ASCONF with the cause and the packet in the Error Chunk contains an ASCONF with the
VTags parameter, careful examination of the association is required. VTags parameter, careful examination of the association is necessary.
The endpoint does the following: The endpoint does the following:
* It MUST validate that the verification tag is reflected by looking * It MUST validate that the verification tag is reflected by looking
at the VTag that would have been included in the outgoing packet. at the VTag that would have been included in the outgoing packet.
If the validation fails, it MUST discard the packet. If the validation fails, it MUST discard the packet.
* It MUST validate that the peer of the SCTP association supports * It MUST validate that the peer of the SCTP association supports
the dynamic address extension. If the peer does not support it, the dynamic address extension. If the peer does not support this
the NAT function MUST discard the incoming packet containing the extension, it MUST discard the received packet containing the
ERROR chunk. ERROR chunk.
* If the association is attempting to add an address (i.e. following * If the association is attempting to add an address (i.e. following
the procedures in Section 6.6) then the endpoint MUST NOT consider the procedures in Section 6.6) then the endpoint MUST NOT consider
the address part of the association and SHOULD make no further the address part of the association and SHOULD make no further
attempt to add the address (i.e. cancel any ASCONF timers and attempt to add the address (i.e. cancel any ASCONF timers and
remove any record of the path), since the NAT function has a VTag remove any record of the path), since the NAT function has a VTag
collision and the association cannot easily create a new VTag (as collision and the association cannot easily create a new VTag (as
it would if the error occurred when sending a packet containing an it would if the error occurred when sending a packet containing an
INIT chunk). INIT chunk).
skipping to change at page 23, line 47 skipping to change at page 24, line 15
6.5. Handling of Fragmented SCTP Packets by NAT Functions 6.5. Handling of Fragmented SCTP Packets by NAT Functions
SCTP minimizes the use of IP-level fragmentation. However, it can SCTP minimizes the use of IP-level fragmentation. However, it can
happen that using IP-level fragmentation is needed to continue an happen that using IP-level fragmentation is needed to continue an
SCTP association. For example, if the path MTU is reduced and there SCTP association. For example, if the path MTU is reduced and there
are still some DATA chunk in flight, which require packets larger are still some DATA chunk in flight, which require packets larger
than the new path MTU. If IP-level fragmentation can not be used, than the new path MTU. If IP-level fragmentation can not be used,
the SCTP association will be terminated in a non-graceful way. the SCTP association will be terminated in a non-graceful way.
Therefore, a NAT function MUST be able to handle IP-level fragmented Therefore, a NAT function MUST be able to handle IP-level fragmented
SCTP packets. The fragments may arrive in any order. SCTP packets. The fragments MAY arrive in any order.
When an SCTP packet can not be forwarded by the NAT function due to When an SCTP packet can not be forwarded by the NAT function due to
MTU issues and the IP header forbids fragmentation, the NAT MUST send MTU issues and the IP header forbids fragmentation, the NAT MUST send
back a "Fragmentation needed and DF set" ICMPv4 or PTB ICMPv6 message back a "Fragmentation needed and DF set" ICMPv4 or PTB ICMPv6 message
to the internal host. This allows for a faster recovery from this to the internal host. This allows for a faster recovery from this
packet drop. packet drop.
6.6. Multi Point Traversal Considerations for Endpoints 6.6. Multi Point Traversal Considerations for Endpoints
If a multi-homed SCTP endpoint behind a NAT function connects to a If a multi-homed SCTP endpoint behind a NAT function connects to a
peer, it MUST first set up the association single-homed with only one peer, it MUST first set up the association single-homed with only one
address causing the first NAT function to populate its state. Then address causing the first NAT function to populate its state. Then
it SHOULD add each IP address using packets containing ASCONF chunks it SHOULD add each IP address using packets containing ASCONF chunks
sent via their respective NAT functions. The address to add is the sent via their respective NAT functions. The address used in the Add
wildcard address and the lookup address SHOULD also contain the VTags IP address parameter is the wildcard address (0.0.0.0 or ::0) and the
address parameter in the ASCONF chunk SHOULD also contain the VTags
parameter and optionally the Disable Restart parameter. parameter and optionally the Disable Restart parameter.
7. Various Examples of NAT Traversals 7. Various Examples of NAT Traversals
Please note that this section is informational only. Please note that this section is informational only.
The addresses being used in the following examples are IPv4 addresses The addresses being used in the following examples are IPv4 addresses
for private-use networks and for documentation as specified in for private-use networks and for documentation as specified in
[RFC6890]. However, the method described here is not limited to this [RFC6890]. However, the method described here is not limited to this
NAT44 case. NAT44 case.
skipping to change at page 24, line 42 skipping to change at page 25, line 7
supported or not. This flag is not relevant for these examples. supported or not. This flag is not relevant for these examples.
7.1. Single-homed Client to Single-homed Server 7.1. Single-homed Client to Single-homed Server
The internal client starts the association with the remote server via The internal client starts the association with the remote server via
a four-way-handshake. Host A starts by sending a packet containing a four-way-handshake. Host A starts by sending a packet containing
an INIT chunk. an INIT chunk.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Network | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Rem | Rem | Int | NAT | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
10.0.0.1:1 ------> 203.0.113.1:2 10.0.0.1:1 ------> 203.0.113.1:2
Rem-VTtag = 0 Rem-VTtag = 0
skipping to change at page 25, line 26 skipping to change at page 26, line 7
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
192.0.2.1:1 ------------------------> 203.0.113.1:2 192.0.2.1:1 ------------------------> 203.0.113.1:2
Rem-VTtag = 0 Rem-VTtag = 0
Host B receives the packet containing an INIT chunk and sends a Host B receives the packet containing an INIT chunk and sends a
packet containing an INIT ACK chunk with the NAT's Remote-address as packet containing an INIT ACK chunk with the NAT's Remote-address as
destination address. destination address.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Network | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
INIT ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
192.0.2.1:1 <----------------------- 203.0.113.1:2 192.0.2.1:1 <----------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
NAT function updates entry: NAT function updates entry:
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Rem | Rem | Int | NAT | Int | Int | Rem | Rem | Int |
skipping to change at page 26, line 7 skipping to change at page 26, line 32
INIT ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
10.0.0.1:1 <------ 203.0.113.1:2 10.0.0.1:1 <------ 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE
ACK. ACK.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Network | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
COOKIE ECHO COOKIE ECHO
10.0.0.1:1 ------> 203.0.113.1:2 10.0.0.1:1 ------> 203.0.113.1:2
Rem-VTag = 5678 Rem-VTag = 5678
COOKIE ECHO COOKIE ECHO
192.0.2.1:1 -----------------------> 203.0.113.1:2 192.0.2.1:1 -----------------------> 203.0.113.1:2
Rem-VTag = 5678 Rem-VTag = 5678
skipping to change at page 26, line 36 skipping to change at page 27, line 14
7.2. Single-homed Client to Multi-homed Server 7.2. Single-homed Client to Multi-homed Server
The internal client is single-homed whereas the remote server is The internal client is single-homed whereas the remote server is
multi-homed. The client (Host A) sends a packet containing an INIT multi-homed. The client (Host A) sends a packet containing an INIT
chunk like in the single-homed case. chunk like in the single-homed case.
+--------+ +--------+
/--\/--\ /-|Router 1| \ /--\/--\ /-|Router 1| \
+------+ +-----+ / \ / +--------+ \ +------+ +------+ +-----+ / \ / +--------+ \ +------+
| Host | <-----> | NAT | <-> | Internet | == =| Host | | Host | <-----> | NAT | <-> | Network | == =| Host |
| A | +-----+ \ / \ +--------+ / | B | | A | +-----+ \ / \ +--------+ / | B |
+------+ \--/\--/ \-|Router 2|-/ +------+ +------+ \--/\--/ \-|Router 2|-/ +------+
+--------+ +--------+
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Rem | Rem | Int | NAT | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
skipping to change at page 27, line 21 skipping to change at page 28, line 8
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
192.0.2.1:1 --------------------------> 203.0.113.1:2 192.0.2.1:1 --------------------------> 203.0.113.1:2
Rem-VTag = 0 Rem-VTag = 0
The server (Host B) includes its two addresses in the INIT ACK chunk. The server (Host B) includes its two addresses in the INIT ACK chunk.
+--------+ +--------+
/--\/--\ /-|Router 1| \ /--\/--\ /-|Router 1| \
+------+ +-----+ / \ / +--------+ \ +------+ +------+ +-----+ / \ / +--------+ \ +------+
| Host | <-----> | NAT | <-> | Internet | == =| Host | | Host | <-----> | NAT | <-> | Network | == =| Host |
| A | +-----+ \ / \ +--------+ / | B | | A | +-----+ \ / \ +--------+ / | B |
+------+ \--/\--/ \-|Router 2|-/ +------+ +------+ \--/\--/ \-|Router 2|-/ +------+
+--------+ +--------+
INIT ACK[Initiate-tag = 5678, IP-Addr = 203.0.113.129] INIT ACK[Initiate-tag = 5678, IP-Addr = 203.0.113.129]
192.0.2.1:1 <-------------------------- 203.0.113.1:2 192.0.2.1:1 <-------------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The NAT function does not need to change the NAT binding table for The NAT function does not need to change the NAT binding table for
the second address: the second address:
skipping to change at page 28, line 8 skipping to change at page 29, line 8
INIT ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
10.0.0.1:1 <--- 203.0.113.1:2 10.0.0.1:1 <--- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE
ACK. ACK.
+--------+ +--------+
/--\/--\ /-|Router 1| \ /--\/--\ /-|Router 1| \
+------+ +-----+ / \ / +--------+ \ +------+ +------+ +-----+ / \ / +--------+ \ +------+
| Host | <-----> | NAT | <-> | Internet | == =| Host | | Host | <-----> | NAT | <-> | Network | == =| Host |
| A | +-----+ \ / \ +--------+ / | B | | A | +-----+ \ / \ +--------+ / | B |
+------+ \--/\--/ \-|Router 2|-/ +------+ +------+ \--/\--/ \-|Router 2|-/ +------+
+--------+ +--------+
COOKIE ECHO COOKIE ECHO
10.0.0.1:1 ---> 203.0.113.1:2 10.0.0.1:1 ---> 203.0.113.1:2
Rem-VTag = 5678 Rem-VTag = 5678
COOKIE ECHO COOKIE ECHO
192.0.2.1:1 --------------------------> 203.0.113.1:2 192.0.2.1:1 --------------------------> 203.0.113.1:2
skipping to change at page 28, line 37 skipping to change at page 29, line 37
Int-VTag = 1234 Int-VTag = 1234
7.3. Multihomed Client and Server 7.3. Multihomed Client and Server
The client (Host A) sends a packet containing an INIT chunk to the The client (Host A) sends a packet containing an INIT chunk to the
server (Host B), but does not include the second address. server (Host B), but does not include the second address.
+-------+ +-------+
/--| NAT 1 |--\ /--\/--\ /--| NAT 1 |--\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |====| Host B | | Host |=== ====| Network |====| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--| NAT 2 |--/ \--/\--/ +------+ \--| NAT 2 |--/ \--/\--/
+-------+ +-------+
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT 1 | Int | Int | Rem | Rem | Int | NAT 1 | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
skipping to change at page 29, line 21 skipping to change at page 30, line 21
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
192.0.2.1:1 ---------------------> 203.0.113.1:2 192.0.2.1:1 ---------------------> 203.0.113.1:2
Rem-VTag = 0 Rem-VTag = 0
Host B includes its second address in the INIT ACK. Host B includes its second address in the INIT ACK.
+-------+ +-------+
/--------| NAT 1 |--------\ /--\/--\ /--------| NAT 1 |--------\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |===| Host B | | Host |=== ====| Network |===| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
+-------+ +-------+
INIT ACK[Initiate-Tag = 5678, IP-Addr = 203.0.113.129] INIT ACK[Initiate-Tag = 5678, IP-Addr = 203.0.113.129]
192.0.2.1:1 <----------------------- 203.0.113.1:2 192.0.2.1:1 <----------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
NAT function 1 does not need to update the NAT binding table for the NAT function 1 does not need to update the NAT binding table for the
second address: second address:
skipping to change at page 30, line 8 skipping to change at page 31, line 8
INIT ACK[Initiate-Tag = 5678] INIT ACK[Initiate-Tag = 5678]
10.0.0.1:1 <-------- 203.0.113.1:2 10.0.0.1:1 <-------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE The handshake finishes with a COOKIE ECHO acknowledged by a COOKIE
ACK. ACK.
+-------+ +-------+
/--------| NAT 1 |--------\ /--\/--\ /--------| NAT 1 |--------\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |===| Host B | | Host |=== ====| Network |===| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
+-------+ +-------+
COOKIE ECHO COOKIE ECHO
10.0.0.1:1 --------> 203.0.113.1:2 10.0.0.1:1 --------> 203.0.113.1:2
Rem-VTag = 5678 Rem-VTag = 5678
COOKIE ECHO COOKIE ECHO
192.0.2.1:1 ------------------> 203.0.113.1:2 192.0.2.1:1 ------------------> 203.0.113.1:2
skipping to change at page 30, line 30 skipping to change at page 31, line 30
COOKIE ACK COOKIE ACK
192.0.2.1:1 <------------------ 203.0.113.1:2 192.0.2.1:1 <------------------ 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
COOKIE ACK COOKIE ACK
10.0.0.1:1 <------- 203.0.113.1:2 10.0.0.1:1 <------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
Host A announces its second address in an ASCONF chunk. The address Host A announces its second address in an ASCONF chunk. The address
parameter contains an undefined address (0) to indicate that the parameter contains a wildcard address (0.0.0.0 or ::0) to indicate
source address should be added. The lookup address parameter within that the source address has to be be added. The address parameter
the ASCONF chunk will also contain the pair of VTags (remote and within the ASCONF chunk will also contain the pair of VTags (remote
internal) so that the NAT function may populate its NAT binding table and internal) so that the NAT function can populate its NAT binding
entry completely with this single packet. table entry completely with this single packet.
+-------+ +-------+
/--------| NAT 1 |--------\ /--\/--\ /--------| NAT 1 |--------\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |===| Host B | | Host |=== ====| Network |===| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
+-------+ +-------+
ASCONF [ADD-IP=0.0.0.0, INT-VTag=1234, Rem-VTag = 5678] ASCONF [ADD-IP=0.0.0.0, INT-VTag=1234, Rem-VTag = 5678]
10.1.0.1:1 --------> 203.0.113.129:2 10.1.0.1:1 --------> 203.0.113.129:2
Rem-VTag = 5678 Rem-VTag = 5678
NAT function 2 creates a complete entry: NAT function 2 creates a complete entry:
skipping to change at page 31, line 32 skipping to change at page 32, line 32
Int-VTag = 1234 Int-VTag = 1234
7.4. NAT Function Loses Its State 7.4. NAT Function Loses Its State
Association is already established between Host A and Host B, when Association is already established between Host A and Host B, when
the NAT function loses its state and obtains a new external address. the NAT function loses its state and obtains a new external address.
Host A sends a DATA chunk to Host B. Host A sends a DATA chunk to Host B.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Network | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Rem | Rem | Int | NAT | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
DATA DATA
10.0.0.1:1 ----------> 203.0.113.1:2 10.0.0.1:1 ----------> 203.0.113.1:2
Rem-VTag = 5678 Rem-VTag = 5678
The NAT function cannot find an entry in the NAT binding table for The NAT function cannot find an entry in the NAT binding table for
the association. It sends a packet containing an ERROR chunk with the association. It sends a packet containing an ERROR chunk with
the M-Bit set and the cause "NAT state missing". the M bit set and the cause "NAT state missing".
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Network | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
ERROR [M-Bit, NAT state missing] ERROR [M bit, NAT state missing]
10.0.0.1:1 <---------- 203.0.113.1:2 10.0.0.1:1 <---------- 203.0.113.1:2
Rem-VTag = 5678 Rem-VTag = 5678
On reception of the packet containing the ERROR chunk, Host A sends a On reception of the packet containing the ERROR chunk, Host A sends a
packet containing an ASCONF chunk indicating that the former packet containing an ASCONF chunk indicating that the former
information has to be deleted and the source address of the actual information has to be deleted and the source address of the actual
packet added. packet added.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Network | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
ASCONF [ADD-IP, DELETE-IP, Int-VTag=1234, Rem-VTag = 5678] ASCONF [ADD-IP, DELETE-IP, Int-VTag=1234, Rem-VTag = 5678]
10.0.0.1:1 ----------> 203.0.113.129:2 10.0.0.1:1 ----------> 203.0.113.129:2
Rem-VTag = 5678 Rem-VTag = 5678
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Rem | Rem | Int | NAT | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
skipping to change at page 33, line 7 skipping to change at page 34, line 7
ASCONF [ADD-IP, DELETE-IP, Int-VTag=1234, Rem-VTag = 5678] ASCONF [ADD-IP, DELETE-IP, Int-VTag=1234, Rem-VTag = 5678]
192.0.2.2:1 -----------------> 203.0.113.129:2 192.0.2.2:1 -----------------> 203.0.113.129:2
Rem-VTag = 5678 Rem-VTag = 5678
Host B adds the new source address to this association and deletes Host B adds the new source address to this association and deletes
all other addresses from this association. all other addresses from this association.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Network | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
ASCONF ACK ASCONF ACK
192.0.2.2:1 <----------------- 203.0.113.129:2 192.0.2.2:1 <----------------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
ASCONF ACK ASCONF ACK
10.1.0.1:1 <---------- 203.0.113.129:2 10.1.0.1:1 <---------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
DATA DATA
10.0.0.1:1 ----------> 203.0.113.1:2 10.0.0.1:1 ----------> 203.0.113.1:2
Rem-VTag = 5678 Rem-VTag = 5678
DATA DATA
192.0.2.2:1 -----------------> 203.0.113.129:2 192.0.2.2:1 -----------------> 203.0.113.129:2
Rem-VTag = 5678 Rem-VTag = 5678
7.5. Peer-to-Peer Communication 7.5. Peer-to-Peer Communications
If two hosts, each of them behind a NAT function, want to communicate If two hosts, each of them behind a NAT function, want to communicate
with each other, they have to get knowledge of the peer's external with each other, they have to get knowledge of the peer's external
address. This can be achieved with a so-called rendezvous server. address. This can be achieved with a so-called rendezvous server.
Afterwards the destination addresses are external, and the Afterwards the destination addresses are external, and the
association is set up with the help of the INIT collision. The NAT association is set up with the help of the INIT collision. The NAT
functions create their entries according to their internal peer's functions create their entries according to their internal peer's
point of view. Therefore, NAT function A's Internal-VTag and point of view. Therefore, NAT function A's Internal-VTag and
Internal-Port are NAT function B's Remote-VTag and Remote-Port, Internal-Port are NAT function B's Remote-VTag and Remote-Port,
respectively. The naming (internal/remote) of the verification tag respectively. The naming (internal/remote) of the verification tag
in the packet flow is done from the sending host's point of view. in the packet flow is done from the sending host's point of view.
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Network |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
NAT Binding Tables NAT Binding Tables
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT A | Int | Int | Rem | Rem | Int | NAT A | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
skipping to change at page 35, line 13 skipping to change at page 36, line 13
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
Now Host B sends a packet containing an INIT chunk, which is Now Host B sends a packet containing an INIT chunk, which is
processed by NAT function B. Its parameters are used to create an processed by NAT function B. Its parameters are used to create an
entry. entry.
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Network |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
INIT[Initiate-Tag = 5678] INIT[Initiate-Tag = 5678]
192.0.2.1:1 <-- 10.1.0.1:2 192.0.2.1:1 <-- 10.1.0.1:2
Rem-VTag = 0 Rem-VTag = 0
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT B | Int | Int | Rem | Rem | Int | NAT B | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
skipping to change at page 36, line 9 skipping to change at page 37, line 9
Rem-VTag = 0 Rem-VTag = 0
NAT function A processes the packet containing the INIT chunk. As NAT function A processes the packet containing the INIT chunk. As
the outgoing packet containing an INIT chunk of Host A has already the outgoing packet containing an INIT chunk of Host A has already
created an entry, the entry is found and updated: created an entry, the entry is found and updated:
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Network |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
VTag != Int-VTag, but Rem-VTag == 0, find entry. VTag != Int-VTag, but Rem-VTag == 0, find entry.
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
NAT A | Int | Int | Rem | Rem | Int | NAT A | Int | Int | Rem | Rem | Int |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
skipping to change at page 37, line 9 skipping to change at page 38, line 9
10.0.0.1:1 <-- 203.0.113.1:2 10.0.0.1:1 <-- 203.0.113.1:2
Rem-VTag = 0 Rem-VTag = 0
Host A sends a packet containing an INIT ACK chunk, which can pass Host A sends a packet containing an INIT ACK chunk, which can pass
through NAT function B: through NAT function B:
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Network |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
INIT ACK[Initiate-Tag = 1234] INIT ACK[Initiate-Tag = 1234]
10.0.0.1:1 --> 203.0.113.1:2 10.0.0.1:1 --> 203.0.113.1:2
Rem-VTag = 5678 Rem-VTag = 5678
INIT ACK[Initiate-Tag = 1234] INIT ACK[Initiate-Tag = 1234]
192.0.2.1:1 ----------------> 203.0.113.1:2 192.0.2.1:1 ----------------> 203.0.113.1:2
Rem-VTag = 5678 Rem-VTag = 5678
skipping to change at page 38, line 9 skipping to change at page 39, line 9
INIT ACK[Initiate-Tag = 1234] INIT ACK[Initiate-Tag = 1234]
192.0.2.1:1 --> 10.1.0.1:2 192.0.2.1:1 --> 10.1.0.1:2
Rem-VTag = 5678 Rem-VTag = 5678
The lookup for COOKIE ECHO and COOKIE ACK is successful. The lookup for COOKIE ECHO and COOKIE ACK is successful.
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Network |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
COOKIE ECHO COOKIE ECHO
192.0.2.1:1 <-- 10.1.0.1:2 192.0.2.1:1 <-- 10.1.0.1:2
Rem-VTag = 1234 Rem-VTag = 1234
COOKIE ECHO COOKIE ECHO
192.0.2.1:1 <------------- 203.0.113.1:2 192.0.2.1:1 <------------- 203.0.113.1:2
Rem-VTag = 1234 Rem-VTag = 1234
skipping to change at page 39, line 38 skipping to change at page 40, line 38
apply only for SCTP NAT mapping entries (i.e., apply only for SCTP NAT mapping entries (i.e.,
"/nat/instances/instance/mapping-table/mapping-entry/transport- "/nat/instances/instance/mapping-table/mapping-entry/transport-
protocol" MUST be set to '132'); protocol" MUST be set to '132');
* The Internal Verification Tag (Int-VTag) * The Internal Verification Tag (Int-VTag)
* The Remote Verification Tag (Rem-VTag) * The Remote Verification Tag (Rem-VTag)
8.2. YANG Module 8.2. YANG Module
<CODE BEGINS> file "ietf-nat-sctp@2020-07-13.yang" <CODE BEGINS> file "ietf-nat-sctp@2020-11-02.yang"
module ietf-nat-sctp { module ietf-nat-sctp {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-nat-sctp"; namespace "urn:ietf:params:xml:ns:yang:ietf-nat-sctp";
prefix nat-sctp; prefix nat-sctp;
import ietf-nat { import ietf-nat {
prefix nat; prefix nat;
reference reference
"RFC 8512: A YANG Module for Network Address Translation "RFC 8512: A YANG Module for Network Address Translation
(NAT) and Network Prefix Translation (NPT)"; (NAT) and Network Prefix Translation (NPT)";
skipping to change at page 42, line 19 skipping to change at page 43, line 19
NAT friendliness for future associations and retrieve the value for NAT friendliness for future associations and retrieve the value for
future and specific ones. future and specific ones.
struct sctp_assoc_value { struct sctp_assoc_value {
sctp_assoc_t assoc_id; sctp_assoc_t assoc_id;
uint32_t assoc_value; uint32_t assoc_value;
}; };
assoc_id assoc_id
This parameter is ignored for one-to-one style sockets. For one- This parameter is ignored for one-to-one style sockets. For one-
to-many style sockets the application may fill in an association to-many style sockets the application can fill in an association
identifier or SCTP_FUTURE_ASSOC for this query. It is an error to identifier or SCTP_FUTURE_ASSOC for this query. It is an error to
use SCTP_{CURRENT|ALL}_ASSOC in assoc_id. use SCTP_{CURRENT|ALL}_ASSOC in assoc_id.
assoc_value assoc_value
A non-zero value indicates a NAT-friendly mode. A non-zero value indicates a NAT-friendly mode.
10. IANA Considerations 10. IANA Considerations
[NOTE to RFC-Editor: "RFCXXXX" is to be replaced by the RFC number [NOTE to RFC-Editor: "RFCXXXX" is to be replaced by the RFC number
you assign this document.] you assign this document.]
skipping to change at page 45, line 7 skipping to change at page 46, line 7
+-------+--------------------------------+-----------+ +-------+--------------------------------+-----------+
| 177 | Missing State | [RFCXXXX] | | 177 | Missing State | [RFCXXXX] |
+-------+--------------------------------+-----------+ +-------+--------------------------------+-----------+
| 178 | Port Number Collision | [RFCXXXX] | | 178 | Port Number Collision | [RFCXXXX] |
+-------+--------------------------------+-----------+ +-------+--------------------------------+-----------+
Table 4 Table 4
10.3. Two New Chunk Parameter Types 10.3. Two New Chunk Parameter Types
Two chunk parameter types have to be assigned by IANA. It is Two chunk parameter types have to be assigned by IANA. IANA is
requested to use the values given below. IANA should assign these requested to assign these values from the pool of parameters with the
values from the pool of parameters with the upper two bits set to upper two bits set to '11' and to use the values given below.
'11'.
This requires two additional lines in the "Chunk Parameter Types" This requires two additional lines in the "Chunk Parameter Types"
registry for SCTP: registry for SCTP:
Chunk Parameter Types Chunk Parameter Types
+==========+==========================+===========+ +==========+==========================+===========+
| ID Value | Chunk Parameter Type | Reference | | ID Value | Chunk Parameter Type | Reference |
+==========+==========================+===========+ +==========+==========================+===========+
| 49159 | Disable Restart (0xC007) | [RFCXXXX] | | 49159 | Disable Restart (0xC007) | [RFCXXXX] |
skipping to change at page 46, line 12 skipping to change at page 47, line 12
a minimum a NAT function runs a timer on any SCTP state so that old a minimum a NAT function runs a timer on any SCTP state so that old
association state can be cleaned up. association state can be cleaned up.
Generic issues related to address sharing are discussed in [RFC6269] Generic issues related to address sharing are discussed in [RFC6269]
and apply to SCTP as well. and apply to SCTP as well.
For SCTP endpoints not disabling the restart procedure, this document For SCTP endpoints not disabling the restart procedure, this document
does not add any additional security considerations to the ones given does not add any additional security considerations to the ones given
in [RFC4960], [RFC4895], and [RFC5061]. in [RFC4960], [RFC4895], and [RFC5061].
SCTP endpoints disabling the restart procedure, should monitor the SCTP endpoints disabling the restart procedure, need to monitor the
status of all associations to mitigate resource exhaustion attacks by status of all associations to mitigate resource exhaustion attacks by
establishing a lot of associations sharing the same IP addresses and establishing a lot of associations sharing the same IP addresses and
port numbers. port numbers.
In any case, SCTP is protected by the verification tags and the usage In any case, SCTP is protected by the verification tags and the usage
of [RFC4895] against off-path attackers. of [RFC4895] against off-path attackers.
For IP-level fragmentation and reassembly related issues see For IP-level fragmentation and reassembly related issues see
[RFC4963]. [RFC4963].
skipping to change at page 48, line 42 skipping to change at page 49, line 42
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981, RFC 793, DOI 10.17487/RFC0793, September 1981,
<https://www.rfc-editor.org/info/rfc793>. <https://www.rfc-editor.org/info/rfc793>.
[RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network
Address Translator (Traditional NAT)", RFC 3022, Address Translator (Traditional NAT)", RFC 3022,
DOI 10.17487/RFC3022, January 2001, DOI 10.17487/RFC3022, January 2001,
<https://www.rfc-editor.org/info/rfc3022>. <https://www.rfc-editor.org/info/rfc3022>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address
Translation (NAT) Behavioral Requirements for Unicast
UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January
2007, <https://www.rfc-editor.org/info/rfc4787>.
[RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly [RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly
Errors at High Data Rates", RFC 4963, Errors at High Data Rates", RFC 4963,
DOI 10.17487/RFC4963, July 2007, DOI 10.17487/RFC4963, July 2007,
<https://www.rfc-editor.org/info/rfc4963>. <https://www.rfc-editor.org/info/rfc4963>.
[RFC5382] Guha, S., Ed., Biswas, K., Ford, B., Sivakumar, S., and P.
Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142,
RFC 5382, DOI 10.17487/RFC5382, October 2008,
<https://www.rfc-editor.org/info/rfc5382>.
[RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT
Behavioral Requirements for ICMP", BCP 148, RFC 5508,
DOI 10.17487/RFC5508, April 2009,
<https://www.rfc-editor.org/info/rfc5508>.
[RFC6056] Larsen, M. and F. Gont, "Recommendations for Transport-
Protocol Port Randomization", BCP 156, RFC 6056,
DOI 10.17487/RFC6056, January 2011,
<https://www.rfc-editor.org/info/rfc6056>.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
NAT64: Network Address and Protocol Translation from IPv6 NAT64: Network Address and Protocol Translation from IPv6
Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
April 2011, <https://www.rfc-editor.org/info/rfc6146>. April 2011, <https://www.rfc-editor.org/info/rfc6146>.
[RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and [RFC6269] Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
P. Roberts, "Issues with IP Address Sharing", RFC 6269, P. Roberts, "Issues with IP Address Sharing", RFC 6269,
DOI 10.17487/RFC6269, June 2011, DOI 10.17487/RFC6269, June 2011,
<https://www.rfc-editor.org/info/rfc6269>. <https://www.rfc-editor.org/info/rfc6269>.
skipping to change at page 49, line 36 skipping to change at page 51, line 9
[RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream [RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream
Control Transmission Protocol (SCTP) Packets for End-Host Control Transmission Protocol (SCTP) Packets for End-Host
to End-Host Communication", RFC 6951, to End-Host Communication", RFC 6951,
DOI 10.17487/RFC6951, May 2013, DOI 10.17487/RFC6951, May 2013,
<https://www.rfc-editor.org/info/rfc6951>. <https://www.rfc-editor.org/info/rfc6951>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC7857] Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
S., and K. Naito, "Updates to Network Address Translation
(NAT) Behavioral Requirements", BCP 127, RFC 7857,
DOI 10.17487/RFC7857, April 2016,
<https://www.rfc-editor.org/info/rfc7857>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>. <https://www.rfc-editor.org/info/rfc8340>.
Acknowledgments Acknowledgments
The authors wish to thank Mohamed Boucadair, Gorry Fairhurst, Bryan The authors wish to thank Mohamed Boucadair, Gorry Fairhurst, Bryan
Ford, David Hayes, Alfred Hines, Karen E. E. Nielsen, Henning Ford, David Hayes, Alfred Hines, Karen E. E. Nielsen, Henning Peters,
Peters, Maksim Proshin, Timo Voelker, Dan Wing, and Qiaobing Xie for Maksim Proshin, Timo Völker, Dan Wing, and Qiaobing Xie for their
their invaluable comments. invaluable comments.
In addition, the authors wish to thank David Hayes, Jason But, and In addition, the authors wish to thank David Hayes, Jason But, and
Grenville Armitage, the authors of [DOI_10.1145_1496091.1496095], for Grenville Armitage, the authors of [DOI_10.1145_1496091.1496095], for
their suggestions. their suggestions.
The authors also wish to thank Mohamed Boucadair for contributing the The authors also wish to thank Mohamed Boucadair for contributing the
text related to the YANG module. text related to the YANG module.
Authors' Addresses Authors' Addresses
 End of changes. 125 change blocks. 
290 lines changed or deleted 320 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/