One document matched: draft-ietf-pcp-upnp-igd-interworking-03.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="no"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-ietf-pcp-upnp-igd-interworking-03"
ipr="trust200902">
<front>
<title abbrev="UPnP IGD-PCP Interworking Function">Universal Plug and Play
(UPnP) Internet Gateway Device (IGD)-Port Control Protocol (PCP)
Interworking Function</title>
<author fullname="Mohamed Boucadair" initials="M." surname="Boucadair">
<organization>France Telecom</organization>
<address>
<postal>
<street></street>
<city>Rennes</city>
<region></region>
<code>35000</code>
<country>France</country>
</postal>
<email>mohamed.boucadair@orange.com</email>
</address>
</author>
<author fullname="Francis Dupont" initials="F." surname="Dupont">
<organization>Internet Systems Consortium</organization>
<address>
<email>fdupont@isc.org</email>
</address>
</author>
<author fullname="Reinaldo Penno" initials="R." surname="Penno">
<organization>Cisco</organization>
<address>
<postal>
<street></street>
<code></code>
<country>USA</country>
</postal>
<email>repenno@cisco.com</email>
</address>
</author>
<author fullname="Dan Wing" initials="D." surname="Wing">
<organization abbrev="Cisco">Cisco Systems, Inc.</organization>
<address>
<postal>
<street>170 West Tasman Drive</street>
<city>San Jose</city>
<region>California</region>
<code>95134</code>
<country>USA</country>
</postal>
<email>dwing@cisco.com</email>
</address>
</author>
<date day="14" month="September" year="2012" />
<workgroup>PCP Working Group</workgroup>
<keyword>UPnP, pinhole, PCP, mapping, NAT control, interworking</keyword>
<abstract>
<t>This document specifies the behavior of the UPnP IGD (Internet
Gateway Device)/PCP Interworking Function. An UPnP IGD-PCP Interworking
Function (IGD-PCP IWF) is required to be embedded in CP (Customer
Premises) routers to allow for transparent NAT control in environments
where UPnP IGD is used in the LAN side and PCP in the external side of
the CP router.</t>
</abstract>
<note title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</note>
</front>
<middle>
<section title="Introduction">
<t>PCP <xref target="I-D.ietf-pcp-base"></xref> discusses the
implementation of NAT control features that rely upon Carrier Grade NAT
devices such as a DS-Lite AFTR <xref target="RFC6333"></xref> or NAT64
<xref target="RFC6146"></xref>. Nevertheless, in environments where UPnP
IGD is used in the local network, an interworking function between UPnP
IGD and PCP is required to be embedded in the IGD (see the example
illustrated in <xref target="iwf_example"></xref>).</t>
<t>Two configurations are considered:<list style="symbols">
<t>No NAT function is embedded in the IGD (Internet Gateway Device).
This is required for instance in DS-Lite or NAT64 deployments;</t>
<t>The IGD embeds a NAT function.</t>
</list></t>
<t><figure anchor="iwf_example" title="Flow Example">
<preamble></preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
| (1) AddPortMapping | |
|--------------------->| |
| | (2) PCP MAP Request |
| |-------------------------->|
| | |]]></artwork>
<postamble></postamble>
</figure></t>
<t>The UPnP IGD-PCP Interworking Function (IGD-PCP IWF) maintains a
local mapping table that stores all active mappings instructed by
internal UPnP Control Points. This design choice restricts the amount of
PCP messages to be exchanged with the PCP Server.</t>
<t>Triggers for deactivating the UPnP IGD-PCP Interworking Function from
the IGD and relying on a PCP-only mode are out of scope of this
document.</t>
<t>Considerations related to co-existence of the UPnP IGD-PCP
Interworking Function and PCP Proxy <xref
target="I-D.ietf-pcp-proxy"></xref> are out of scope.</t>
</section>
<section title="Acronyms">
<t>This document makes use of the following abbreviations:</t>
<t><figure>
<preamble></preamble>
<artwork><![CDATA[ DS-Lite Dual-Stack Lite
IGD Internet Gateway Device
IGD:1 UPnP Forum's nomenclature for version 1 of IGD [IGD1]
IGD:2 UPnP Forum's nomenclature for version 2 of IGD [IGD2]
IWF Interworking Function
NAT Network Address Translation
PCP Port Control Protocol
UPnP Universal Plug and Play
UPnP CP UPnP Control Point
]]></artwork>
<postamble></postamble>
</figure></t>
</section>
<section title="Architecture Model">
<t>As a reminder, <xref target="igd_model"></xref> illustrates the
architecture model adopted by UPnP IGD <xref target="IGD2"></xref>. In
<xref target="igd_model"></xref>, the following UPnP terminology is
used:<list style="symbols">
<t>Client refers to a host located in the local network.</t>
<t>IGD Control Point is a UPnP control point using UPnP to control
an IGD (Internet Gateway Device).</t>
<t>IGD is a router supporting UPnP IGD. It is typically a NAT or a
firewall.</t>
<t>Host represents a remote peer reachable in the Internet.</t>
</list></t>
<t><figure align="center" anchor="igd_model" title="UPnP IGD Model">
<preamble></preamble>
<artwork><![CDATA[+-------------+
| IGD Control |
| Point |-----+
+-------------+ | +-----+ +------+
+---| | | |
| IGD |-------| Host |
+---| | | |
+-------------+ | +-----+ +------+
| Client |-----+
+-------------+
]]></artwork>
<postamble></postamble>
</figure></t>
<t>This model is not valid when PCP is used to control for instance a
Carrier Grade NAT (a.k.a., Provider NAT) while internal hosts continue
to use UPnP. In such scenarios, <xref target="igdpcp"></xref> shows the
updated model.</t>
<t><figure align="center" anchor="igdpcp"
title="UPnP IGD-PCP Interworking Model">
<preamble></preamble>
<artwork><![CDATA[+-------------+
| IGD Control |
| Point |----+
+-------------+ | +-----+ +--------+ +------+
+---| IGD-| |Provider| | |
| PCP |------| NAT |--<Internet>---| Peer |
+---| IWF | | | | |
+-------------+ | +-----+ +--------+ +------+
| Local Host |----+
+-------------+
LAN Side External Side
<======UPnP IGD==============><=====PCP=====>
]]></artwork>
<postamble></postamble>
</figure></t>
<t>In the updated model depicted in <xref target="igdpcp"></xref>, one
or two levels of NAT can be encountered in the data path. Indeed, in
addition to the Carrier Grade NAT, the IGD may embed a NAT function
(<xref target="multinat"></xref>).</t>
<t><figure align="center" anchor="multinat"
title="Cascaded NAT scenario">
<preamble></preamble>
<artwork><![CDATA[+-------------+
| IGD Control |
| Point |-----+
+-------------+ | +-----+ +----+ +------+
+---| IGD-| | | |Remote|
| PCP |-------|NAT2|--<Internet>---| Host |
+---| IWF | | | | |
+-------------+ | +-----+ +----+ +------+
| Local Host |-----+ NAT1
+-------------+
]]></artwork>
<postamble></postamble>
</figure></t>
<t>To ensure a successful interworking between UPnP IGD and PCP, an
interworking function is embedded in the IGD. In the model defined in
<xref target="igdpcp"></xref>, all UPnP IGD server-oriented functions, a
PCP Client <xref target="I-D.ietf-pcp-base"></xref> and a UPnP IGD-PCP
Interworking Function are embedded in the IGD. In the rest of the
document, IGD-PCP Interworking Function refers the UPnP IGD-PCP
Interworking Function, which includes PCP Client functionality.</t>
<t>UPnP IGD-PCP Interworking Function is responsible for generating a
well-formed PCP message from a received UPnP IGD message, and vice
versa.</t>
</section>
<section title="UPnP IGD-PCP Interworking Function: Overview">
<t>Three tables are provided to specify the correspondence between UPnP
IGD and PCP:<list style="format (%d)">
<t><xref target="variables"></xref> provides the mapping between
WANIPConnection State Variables and PCP parameters;</t>
<t><xref target="methods"></xref> focuses on the correspondence
between supported methods;</t>
<t><xref target="errors"></xref> lists the PCP error messages and
their corresponding IGD ones.</t>
</list></t>
<t>Note that some enhancements have been integrated in WANIPConnection
as documented in <xref target="IGD2"></xref>.</t>
<section anchor="variables" title="UPnP IGD-PCP: State Variables">
<t>Below are listed only the UPnP IGD state variables applicable to
the IGD-PCP Interworking Function:</t>
<t><list style="hanging">
<t hangText="ExternaIPAddress:">External IP Address <vspace />
Read-only variable with the value from the last PCP response or
the empty string if none was received yet. This state is stored on
a per UPnP CP basis.</t>
<t hangText="PortMappingNumberOfEntries:">Managed locally by the
UPnP IGD-PCP Interworking Function.<vspace /></t>
<t hangText="PortMappingEnabled:"><vspace /> PCP does not support
deactivating the dynamic NAT mapping since the initial goal of PCP
is to ease the traversal of Carrier Grade NAT. Supporting such
per-subscriber function may overload the Carrier Grade NAT.
<vspace /> Only "1" is allowed: i.e., the UPnP IGD-PCP
Interworking Function MUST send back an error if not a value
different from 1 is signaled.</t>
<t hangText="PortMappingLeaseDuration:">Requested Mapping Lifetime
<vspace /> In IGD:1 <xref target="IGD1"></xref> value 0 means
infinite, in IGD:2 it is remapped to the IGD maximum of 604800
seconds <xref target="IGD2"></xref>. PCP allows for a maximum
value of 4294967296 seconds. <vspace /> The UPnP IGD-PCP
Interworking Function simulates long and even infinite lifetimes
using renewals (see <xref target="renewal"></xref>). The behavior
in the case of a failing renewal is currently undefined.
<vspace /> IGD:1 doesn't define the behavior in the case of state
lost, IGD:2 doesn't require to keep state in stable storage, i.e.,
to make the state to survive resets/reboots. The UPnP IGD-PCP
Interworking Function MUST support IGD:2 behavior.</t>
<t hangText="RemoteHost:">Remote Peer IP Address <vspace /> Note a
domain name is allowed by IGD:2 and has to be resolved into an IP
address.</t>
<t hangText="ExternalPort:">External Port Number <vspace /> Mapped
to the suggested PCP external port in MAP messages.</t>
<t hangText="InternalPort:">Internal Port Number <vspace /> Mapped
to PCP internal port field in MAP messages.</t>
<t hangText="PortMappingProtocol:">Transport Protocol <vspace />
Mapped to PCP protocol field in MAP messages. Note IGD only
supports TCP and UDP.</t>
<t hangText="InternalClient:">Internal IP Address <vspace />
InternalClient can be an IP address or a domain name. Only an IP
address scheme is supported in PCP. If a domain name is used
Point, it must be resolved to an IP address by the Interworking
Function when relying the message to the PCP Server.</t>
<t hangText="PortMappingDescription:">Not supported in base
PCP<vspace /> If the local PCP Client support a PCP Option to
convey the description, this option SHOULD be used to relay the
mapping description.</t>
<t hangText="SystemUpdateID (only for IGD:2):">Managed locally by
the UPnP IGD-PCP Interworking Function<vspace /></t>
<t hangText="A_ARG_TYPE_PortListing (only for IGD:2):">Managed
locally by the UPnP IGD-PCP Interworking Function <vspace /></t>
</list></t>
</section>
<section anchor="methods" title="IGD-PCP: Methods">
<t>Both IGD:1 and IGD:2 methods applicable to the UPnP IGD-PCP
Interworking Function are listed here. <list style="hanging">
<t hangText="GetGenericPortMappingEntry:">This request is not
relayed to the PCP Server <vspace /> IGD-PCP Interworking Function
maintains an updated list of active mappings instantiated in the
PCP Server by internal hosts. See <xref target="list"></xref> for
more information.</t>
<t hangText="GetSpecificPortMappingEntry:">MAP with PREFER_FAILURE
Option<vspace /> This request is relayed to the PCP Server by
issuing MAP with PREFER_FAILURE Option. It is RECOMMENDED to use a
short lifetime (e.g., 60s).</t>
<t hangText="AddPortMapping:">MAP <vspace /> Refer to <xref
target="addportmapping"></xref>.</t>
<t hangText="AddAnyPortMapping (for IGD:2 only):">MAP <vspace />
No issue is encountered to proxy this request to the PCP Server.
Refer to <xref target="addanyportmapping"></xref> for more
details.</t>
<t hangText="DeletePortMapping:">MAP with a requested lifetime set
to 0 <vspace /> Refer to <xref target="delete"></xref>.</t>
<t hangText="DeletePortMappingRange (for IGD:2 only):">MAP with a
lifetime positioned to 0 <vspace /> Individual requests are issued
by the IGD-PCP Interworking Function. Refer to <xref
target="delete"></xref> for more details</t>
<t hangText="GetExternalIPAddress:">MAP OpCode (see Section 10.7
of <xref target="I-D.ietf-pcp-base"></xref>) <vspace /> This can
be achieved by requesting a short-lived mapping (e.g., to the
Discard service (TCP/9 or UDP/9) or some other port). However,
once that mapping expires a subsequent implicit or explicit
dynamic mapping might be mapped to a different external IP
address. <vspace /> MUST directly return the value of the
corresponding State Variable.</t>
<t hangText="GetListOfPortMappings:">See <xref
target="list"></xref> for more information<vspace /> The IGD-PCP
Interworking Function maintains an updated list of active mappings
as instantiated in the PCP Server. The IGD-PCP Interworking
Function handles locally this request.</t>
</list></t>
</section>
<section anchor="errors" title="UPnP IGD-PCP: Errors">
<t>This section lists PCP errors codes and the corresponding UPnP IGD
ones. Error codes specific to IGD:2 are tagged accordingly.</t>
<t><figure>
<artwork><![CDATA[ 1 UNSUPP_VERSION: 501 "ActionFailed"
Should not happen.
2 NOT_AUTHORIZED: IGD:1 718 "ConflictInMappingEntry" / IGD:2 606
"Action not authorized"
3 MALFORMED_REQUEST: 501 "ActionFailed"
4 UNSUPP_OPCODE: 501 "ActionFailed"
Should not happen.
5 UNSUPP_OPTION: 501 "ActionFailed"
Should not happen the exception of PREFER_FAILURE (this
option is not mandatory to support but AddPortMapping() cannot be
implemented without it).
6 MALFORMED_OPTION: 501 "ActionFailed"
Should not happen.
7 NETWORK_FAILURE: Not applicable
Should not happen after communication was successfully established
with a PCP Server.
8 NO_RESOURCES: IGD:1 501 "ActionFailed" / IGD:2 728
"NoPortMapsAvailable"
Cannot be distinguished from USER_EX_QUOTA.
9 UNSUPP_PROTOCOL: 501 "ActionFailed"
Should not happen.
10 USER_EX_QUOTA: IGD:1 501 "ActionFailed" / IGD:2 728
"NoPortMapsAvailable"
Cannot be distinguished from NO_RESOURCES.
11 CANNOT_PROVIDE_EXTERNAL: 718 "ConflictInMappingEntry"
or 714 "NoSuchEntryInArray"
12 ADDRESS_MISMATCH: 501 "ActionFailed"
Should not happen.
13 EXCESSIVE_REMOTE_PEERS: 501 "ActionFailed"
]]></artwork>
</figure></t>
</section>
</section>
<section title="Specification of the IGD-PCP Interworking Function">
<t>This section covers the scenarios with or without NAT in the IGD.</t>
<t>This specification assumes the PCP Server is configured to accept MAP
OpCode.</t>
<t>The IGD-PCP Interworking Function handles the "Mapping Nonce" as any
PCP Client <xref target="I-D.ietf-pcp-base"></xref>.</t>
<t>Further analysis of PCP failure scenarios for the IGD-PCP
Interworking Function are discussed in <xref
target="I-D.boucadair-pcp-failure"></xref>.</t>
<section title="PCP Server Discovery">
<t>The IGD-PCP Interworking Function implements one of the discovery
methods identified in <xref target="I-D.ietf-pcp-base"></xref> (e.g.,
DHCP <xref target="I-D.ietf-pcp-dhcp"></xref>). The IGD-PCP
Interworking Function behaves as a PCP Client when communicating with
provisioned PCP Server(s).</t>
<t>In order to not impact the delivery of local services requiring the
control of the local IGD during any failure event to reach the PCP
Server (e.g., no IP address/prefix is assigned to the IGD, IGD-PCP
Interworking Function MUST NOT be invoked. Indeed, UPnP machinery is
used to control that device and therefore lead to successful
operations of internal services.</t>
</section>
<section title="Control of the Firewall">
<t>In order to configure security policies to be applied to inbound
and outbound traffic, UPnP IGD can be used to control a local firewall
engine.</t>
<t>No IGD-PCP Interworking Function is therefore required for that
purpose.</t>
</section>
<section title="NAT Control in LAN Side">
<t>Internal UPnP Control Points are not aware of the presence of the
IGD-PCP Interworking Function in the IGD.</t>
<t>No modification is required in the UPnP Control Point.</t>
</section>
<section title="Port Mapping Tables">
<t>IGD-PCP Interworking Function MUST store locally all the mappings
instantiated by internal UPnP Control Points in the PCP Server. All
mappings SHOULD be stored in a permanent storage.</t>
<t>Upon receipt of a PCP MAP Response from the PCP Server, the IGD-PCP
Interworking Function MUST retrieve the enclosed mapping and MUST
store it in the local mapping table. The local mapping table is an
image of the mapping table as maintained by the PCP Server for a given
subscriber.</t>
</section>
<section anchor="spec_no_nat"
title="Interworking Function Without NAT in the IGD"
toc="default">
<t>When no NAT is embedded in the IGD, the content of received
WANIPConnection and PCP messages is not altered by the IGD-PCP
Interworking Function (i.e., the content of WANIPConnection messages
are mapped to the PCP messages (and mapped back) according to <xref
target="variables"></xref>).</t>
</section>
<section anchor="spec_nat" title="NAT Embedded in the IGD" toc="default">
<t>When NAT is embedded in the IGD, the IGD-PCP Interworking Function
MUST update the content of received mapping messages with the IP
address and/or port number belonging to the external interface of the
IGD (i.e., after the NAT1 operation in <xref
target="multinat"></xref>) and not as initially positioned by the UPnP
Control Point.</t>
<t>All WANIPConnection messages issued by the UPnP Control Point
(resp., PCP Server) are intercepted by the IGD-PCP Interworking
Function. Then, the corresponding messages (see <xref
target="variables"></xref>, <xref target="methods"></xref> and <xref
target="errors"></xref>) are generated by the IGD-PCP Interworking
Function and sent to the provisioned PCP Server (resp., corresponding
UPnP Control Point). The content of PCP messages received by the PCP
Server reflects the mapping information as enforced in the first NAT.
In particular, the internal IP address and/or port number of the
requests are replaced with the IP address and port number as assigned
by the NAT of the IGD. For the reverse path, PCP response messages are
intercepted by the IGD-PCP Interworking Function. The content of the
corresponding WANIPConnection messages are updated: <list
style="symbols">
<t>The internal IP address and/or port number as initially
positioned by the UPnP Control Point and stored in the IGD NAT are
used to update the corresponding fields in received PCP
responses.</t>
<t>The external IP and port number are not altered by the IGD-PCP
Interworking Function.</t>
<t>The NAT mapping entry in the IGD is updated with the result of
PCP request.</t>
</list></t>
<t>The lifetime of the mappings instantiated in the IGD SHOULD be the
one assigned by the terminating PCP Server. In any case, the lifetime
MUST be lower or equal to the one assigned by the terminating PCP
Server.</t>
<t>Without the involvement of the IGD-PCP Interworking Function, the
UPnP CP would retrieve an external IP address and port number having a
limited scope and which can not be used to communicate with hosts
located beyond NAT2 (i.e., assigned by the IGD and not the ones
assigned by NAT2 in <xref target="multinat"></xref>).</t>
</section>
<section title="Creating a Mapping">
<t>Two methods can be used to create a mapping: AddPortMapping() or
AddAnyPortMapping().</t>
<section anchor="addanyportmapping" title="AddAnyPortMapping()">
<t>When a UPnP Control Point issues a AddAnyPortMapping(), this
request is received by the UPnP Server. The request is then relayed
to the IGD-PCP Interworking Function which generates a PCP MAP
Request (see <xref target="variables"></xref> for mapping between
WANIPConnection and PCP parameters). Upon receipt of a PCP MAP
Response from the PCP Server, an XML mapping is returned to the
requesting UPnP Control Point (the content of the messages follows
the recommendations listed in <xref target="spec_nat"></xref> or
<xref target="spec_no_nat"></xref> according to the deployed
scenario). A flow example is depicted in <xref
target="igd2"></xref>.</t>
<t>If a PCP Error is received from the PCP Server, a corresponding
WANIPConnection error code (see <xref target="errors"></xref>) is
generated by the IGD-PCP Interworking Function and sent to the
requesting UPnP Control Point. If a short lifetime error is returned
(e.g., NETWORK_FAILURE, NO_RESOURCES), the PCP IWF MAY re-send the
same request to the PCP Server after 30s. If a negative answer is
received, the error is then relayed to the requesting UPnP Control
Point.<list style="empty">
<t>Justification: Some applications (e.g., uTorrent, Vuzz,
Emule) wait approximately 150s, 90s, 90s, respectively for a
response after sending an UPnP request. If a short lifetime
error occurs, re-sending the requesting may lead to a positive
response from the PCP Server. UPnP Control Points are therefore
not aware of short lifetime errors that were recovered
quickly.</t>
</list></t>
<t><!--
XD Comment:
But, what if the PCP error is due to a short life time error: e.g, NETWORK_FAILURE or NO_RESOURCES?
It may worthy IWF to try again (after sometime defined in the returned lifetime) before returning WANIPConnection error code to Control Point.
Because according to current practice, e.g., utorrent, vuzz and emule wait approximately 150s, 90s, 90s,
respectively for a response after sending an UPnP request.
That is to say, if short life time error occurred, and the IWF retry (recommended as 30s in base draft) and probably get
positive response finally (error healed in a short time), it makes Control points not necessary to be aware of the short life time errors that
were recovered quickly.
--></t>
<t><figure anchor="igd2"
title="Flow example when AddAnyPortMapping() is used">
<preamble></preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
|(1) AddAnyPortMapping | |
| ExternalPort=8080 | |
|--------------------->| |
| | (2) PCP MAP Request |
| |requested external port=8080 |
| |---------------------------->|
| | |
| | (3) PCP MAP Response |
| | assigned external port=6598 |
| |<----------------------------|
|(4) AddAnyPortMapping | |
| ReservedPort=6598 | |
|<---------------------| |
]]></artwork>
<postamble></postamble>
</figure></t>
<t>If the IGD-PCP Interworking Function fails to establish a
communication with the PCP Server, "501 ActionFailed" error code is
to be returned to requesting UPnP CP.</t>
</section>
<section anchor="addportmapping" title="AddPortMapping()">
<t>A dedicated option called PREFER_FAILURE is defined in <xref
target="I-D.ietf-pcp-base"></xref> to toggle the behavior in a PCP
Request message. This option is inserted by the IGD-PCP IWF when
issuing its requests to the PCP Server only if a specific external
port is requested by the UPnP Control Point.</t>
<t>Upon receipt of AddPortMapping() from an UPnP Control Point, the
IGD-PCP Interworking Function MUST generate a PCP MAP Request with
all requested mapping information as indicated by the UPnP Control
Point if no NAT is embedded in the IGD or updated as specified in
<xref target="spec_nat"></xref>. In addition, the IGD-PCP IWF MUST
insert a PREFER_FAILURE Option to the generated PCP request.</t>
<t>If the requested external port is in use, a PCP error message
will be sent by the PCP Server to the IGD-PCP IWF indicating
CANNOT_PROVIDE_EXTERNAL as the error cause. If a short lifetime
error is returned, the PCP IWF MAY re-send the same request to the
PCP Server after 30s. If a negative answer is received, the IGD-PCP
IWF relays a negative message to the UPnP Control Point indicating
ConflictInMappingEntry as error code. The UPnP Control Point may
re-issue a new request with a new requested external port number.
This process is repeated until a positive answer is received or
maximum retry is reached.</t>
<t>If the PCP Server is able to honor the requested external port, a
positive response is sent to the requesting IGD-PCP IWF. Upon
receipt of the response from the PCP Server, the returned mapping
MUST be stored by the IGD-PCP Interworking Function in its local
mapping table and a positive answer MUST be sent to the requesting
UPnP Control Point. This answer terminates this exchange.</t>
<t>If the IGD-PCP Interworking Function fails to establish a
communication with the PCP Server, "501 ActionFailed" error code is
to be returned to requesting UPnP CP.</t>
<t><xref target="positive"></xref> shows an example of the flow
exchange that occurs when the PCP Server satisfies the request from
the IGD-PCP IWF. <xref target="negative"></xref> shows the messages
exchange when the requested external port is in use.</t>
<t><figure anchor="positive" title="Flow Example (Positive Answer)">
<preamble></preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
| (1) AddPortMapping | |
| ExternalPort=8080 | |
| Protocol=TCP | |
|--------------------->| |
| | (2) PCP MAP Request |
| |requested external port=8080 |
| | protocol=TCP |
| | PREFER_FAILURE |
| |---------------------------->|
| | |
| | (3) PCP MAP Response |
| | assigned external port=8080 |
| | protocol=TCP |
| |<----------------------------|
| (4) AddPortMapping | |
| ExternalPort=8080 | |
| Protocol=TCP | |
|<---------------------| |
]]></artwork>
<postamble></postamble>
</figure></t>
<t><figure anchor="negative" title="Flow Example (Negative Answer)">
<preamble></preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
| (1) AddPortMapping | |
| ExternalPort=8080 | |
|--------------------->| |
| | (2) PCP MAP Request |
| |requested external port=8080 |
| | PREFER_FAILURE |
| |---------------------------->|
| | (3) PCP MAP Response |
| | CANNOT_PROVIDE_EXTERNAL |
| |<----------------------------|
| (4) Error: | |
|ConflictInMappingEntry| |
|<---------------------| |
| (5) AddPortMapping | |
| ExternalPort=5485 | |
|--------------------->| |
| | (6) PCP MAP Request |
| |requested external port=5485 |
| | PREFER_FAILURE |
| |---------------------------->|
| | (7) PCP MAP Response |
| | CANNOT_PROVIDE_EXTERNAL |
| |<----------------------------|
| (8) Error: | |
|ConflictInMappingEntry| |
|<---------------------| |
....
| (a) AddPortMapping | |
| ExternalPort=6591 | |
|--------------------->| |
| | (b) PCP MAP Request |
| |requested external port=6591 |
| | PREFER_FAILURE |
| |---------------------------->|
| | (c) PCP MAP Response |
| | CANNOT_PROVIDE_EXTERNAL |
| |<----------------------------|
| (d) Error: | |
|ConflictInMappingEntry| |
|<---------------------| |
]]></artwork>
<postamble></postamble>
</figure><list style="empty">
<t>Note: According to some experiments, some UPnP 1.0
implementations, e.g., uTorrent, simply try the same external
port X times (usually 4 times) and then fail if the port is in
use; if it finds an external port not being used before X times,
it will call AddPortMapping(). Also note that some applications
uses GetSpecificPortMapping() to check whether a mapping
exists.</t>
</list></t>
</section>
</section>
<section anchor="list" title="Listing One or a Set of Mappings">
<t>In order to list active mappings, an UPnP Control Point may issue
GetGenericPortMappingEntry(), GetSpecificPortMappingEntry() or
GetListOfPortMappings().</t>
<t>GetGenericPortMappingEntry() and GetListOfPortMappings() methods
MUST NOT be proxied to the PCP Server since a local mapping is
maintained by the IGD-PCP Interworking Function.</t>
<t>Upon receipt of GetSpecificPortMappingEntry() from a UPnP Control
Point, the IGD-PCP IWF MUST check first if the external port number is
used by the requesting UPnP Control Point. If the external port is
already in use by the requesting UPnP Control Point, the IGD-PCP IWF
MUST send back a positive answer. If not, the IGD-PCP IWF MUST relay
to the PCP Server a MAP request, with short lifetime (e.g., 60s),
including a PREFER_FAILURE Option. If the requested external port is
in use, a PCP error message will be sent by the PCP Server to the
IGD-PCP IWF indicating CANNOT_PROVIDE_EXTERNAL as the error cause.
Then, the IGD-PCP IWF relays a negative message to the UPnP Control
Point. If the port is not in use, the mapping will be created by the
PCP Server and a positive response will be sent back to the IGD-PCP
IWF. Once received by the IGD-PCP IWF, it MUST relay a negative
message to the UPnP Control Point indicating NoSuchEntryInArray as
error code so that the UPnP control point knows the enquired mapping
doesn't exist.</t>
</section>
<section anchor="delete"
title="Delete One or a Set of Mappings: DeletePortMapping() or DeletePortMappingRange()">
<t>A UPnP Control Point requests the deletion of one or a list of
mappings by issuing DeletePortMapping() or DeletePortMappingRange().
In IGD:2, we assume the IGD applies the appropriate security policies
to grant whether a Control Point has the rights to delete one or a set
of mappings. When authorization fails, "606 Action Not Authorized"
error code MUST be returned the requesting Control Point.</t>
<t>When DeletePortMapping() or DeletePortMappingRange() is received by
the IGD-PCP Interworking Function, it first checks if the requested
mappings to be removed are present in the local mapping table. If no
mapping matching the request is found in the local table, an error
code is sent back to the UPnP Control Point: "714 NoSuchEntryInArray"
for DeletePortMapping() or "730 PortMappingNotFound" for
DeletePortMappingRange().</t>
<t><xref target="local_delete"></xref> shows an example of UPnP
Control Point asking to delete a mapping which is not instantiated in
the local table of the IWF.</t>
<figure anchor="local_delete" title="Local Delete (IGD-PCP IWF)">
<preamble></preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
|(1) DeletePortMapping | |
|--------------------->| |
| | |
| (2) Error: | |
| NoSuchEntryInArray | |
|<---------------------| |
| | |
]]></artwork>
<postamble></postamble>
</figure>
<t></t>
<t>If a mapping matches in the local table, a PCP MAP delete request
is generated taking into account the input arguments as included in
DeletePortMapping() if no NAT is enabled in the IGD or the
corresponding local IP address and port number as assigned by the
local NAT if a NAT is enabled in the IGD. When a positive answer is
received from the PCP Server, the IGD-PCP Interworking Function
updates its local mapping table (i.e., remove the corresponding entry)
and notifies the UPnP Control Point about the result of the removal
operation. Once PCP MAP delete request is received by the PCP Server,
it proceeds to removing the corresponding entry. A PCP MAP delete
response is sent back if the removal of the corresponding entry was
successful; if not, a PCP Error is sent back to the IGD-PCP
Interworking Function including the corresponding error cause (See
<xref target="errors"></xref>).</t>
<t>In case DeletePortMappingRange() is used, the IGD-PCP IWF
undertakes a lookup on its local mapping table to retrieve individual
mappings instantiated by the requesting Control Point (i.e.,
authorization checks) and matching the signaled port range (i.e., the
external port is within "StartPort" and "EndPort" arguments of
DeletePortMappingRange()). If no mapping is found, "730
PortMappingNotFound" error code is sent to the UPnP Control Point
(<xref target="delete_range_error"></xref>). If a set of mappings are
found, the IGD-PCP IWF generates individual PCP MAP delete requests
corresponding to these mappings (See the example shown in <xref
target="delete_range"></xref>). <list style="empty">
<t>The IWF MAY send a positive answer to the requesting UPnP
Control Point without waiting to receive all the answers from the
PCP Server. It is unlikely to encounter a problem in the PCP leg
because the IWF has verified authorization rights and also the
presence of the mapping in the local table.</t>
</list></t>
<t><figure anchor="delete_range_error"
title="Flow example when an error encountered when processing DeletePortMappingRange()">
<preamble></preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
|(1)DeletePortMappingRange() | |
| StartPort=8596 | |
| EndPort =9000 | |
| Protocol =UDP | |
|--------------------------->| |
| | |
| (2) Error: | |
| PortMappingNotFound | |
|<---------------------------| |
| | |
]]></artwork>
<postamble></postamble>
</figure></t>
<t><figure anchor="delete_range"
title="Example of DeletePortMappingRange()">
<preamble>This example illustrates the exchanges that occur when
the IWF receives DeletePortMappingRange(). In this example, only
two mappings having the external port number in the 6000-6050
range are maintained in the local table. The IWF issues two MAP
requests to delete these mappings.</preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
|(1)DeletePortMappingRange() | |
| StartPort=6000 | |
| EndPort =6050 | |
| Protocol =UDP | |
|--------------------------->| |
| | |
| | (2a)PCP MAP Request |
| | protocol=UDP |
| | internal-ip-address |
| | internal-port |
| | external-ip-address |
| | external-port= 6030 |
| | Requested-lifetime= 0 |
| |-------------------------->|
| | |
| | (2c)PCP MAP Request |
| | protocol=UDP |
| | internal-ip-address |
| | internal-port |
| | external-ip-address |
| | external-port= 6045 |
| | Requested-lifetime= 0 |
| |-------------------------->|
| | |
| (2b)Positive answer | |
|<---------------------------| |
| | |
]]></artwork>
<postamble></postamble>
</figure></t>
</section>
<section anchor="renewal" title="Renewal">
<t>Because of the incompatibility of mapping lifetimes between UPnP
IGD and PCP, the IGD-PCP Interworking Function MUST simulate long and
even infinite lifetimes. Indeed, for requests having a requested
infinite PortMappingLeaseDuration, the IGD-PCP Interworking Function
MUST set the requested PCP Lifetime of the corresponding PCP request
to 4294967296. If PortMappingLeaseDuration is not infinite, the
IGD-PCP Interworking Function MUST set the requested PCP Lifetime of
the corresponding PCP request to the same value as
PortMappingLeaseDuration. Furthermore, the IGD-PCP Interworking
Function MUST maintain an additional timer set to the initial
requested PortMappingLeaseDuration. Upon receipt of a positive answer
from the PCP server, the IGD-PCP Interworking Function relays the
corresponding UPnP IGD response to the requesting UPnP CP with
PortMappingLeaseDuration set to the same value as the one of the
initial request. Then, the IGD-PCP Interworking Function MUST renew
periodically the instructed PCP mapping until the expiry of
PortMappingLeaseDuration. Responses received when renewing the mapping
MUST NOT be relayed to the UPnP CP.</t>
<t>In case an error is encountered during mapping renewal, the IGD-PCP
Interworking Function has no means to inform the UPnP CP.</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This document makes no request of IANA.</t>
<t>Note to RFC Editor: this section may be removed on publication as an
RFC.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>IGD:2 authorization framework SHOULD be used <xref
target="IGD2"></xref>. When only IGD:1 is available, one SHOULD consider
to enforce the default security, i.e., operation on the behalf of a
third party is not allowed.</t>
<t>This document defines a procedure to instruct PCP mappings for third
party devices belonging to the same subscriber. Identification means to
avoid a malicious user to instruct mappings on behalf of a third party
must be enabled. Such means are already discussed in Section 7.4.4 of
<xref target="I-D.ietf-pcp-base"></xref>.</t>
<t>Security considerations elaborated in <xref
target="I-D.ietf-pcp-base"></xref> and <xref target="Sec_DCP"></xref>
should be taken into account.</t>
</section>
<section title="Acknowledgments">
<t>Authors would like to thank F. Fontaine, C. Jacquenet, X. Deng, G.
Montenegro, D. Thaler and R. Tirumaleswar for their review and
comments.</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119"
?>
<?rfc include='reference.I-D.ietf-pcp-base'?>
</references>
<references title="Informative References">
<?rfc include='reference.RFC.6333'?>
<?rfc include='reference.RFC.6146'?>
<?rfc include='reference.I-D.boucadair-pcp-failure'?>
<?rfc include='reference.I-D.ietf-pcp-proxy'?>
<?rfc include='reference.I-D.ietf-pcp-dhcp'?>
<reference anchor="Sec_DCP" target="">
<front>
<title>Device Protection:1</title>
<author fullname="UPnP Forum" surname="UPnP Forum">
<organization>UPnP Forum</organization>
</author>
<date day="17" month="November" year="2009" />
</front>
</reference>
<reference anchor="IGD1">
<front>
<title>WANIPConnection:1 Service
(http://www.upnp.org/specs/gw/UPnP-gw-WANIPConnection-v1-Service.pdf)</title>
<author fullname="UPnP Forum" surname="UPnP Forum">
<organization></organization>
</author>
<date day="" month="November" year="2001" />
</front>
</reference>
<reference anchor="IGD2">
<front>
<title>WANIPConnection:2 Service
(http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v2-Service.pdf)</title>
<author fullname="UPnP Forum" surname="UPnP Forum">
<organization></organization>
</author>
<date day="15" month="September" year="2010" />
</front>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 14:42:53 |