One document matched: draft-ietf-pcp-upnp-igd-interworking-07.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="no"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-ietf-pcp-upnp-igd-interworking-07"
ipr="trust200902">
<front>
<title abbrev="UPnP IGD-PCP IWF">Universal Plug and Play (UPnP) Internet
Gateway Device (IGD)-Port Control Protocol (PCP) Interworking
Function</title>
<author fullname="Mohamed Boucadair" initials="M." surname="Boucadair">
<organization>France Telecom</organization>
<address>
<postal>
<street></street>
<city>Rennes</city>
<region></region>
<code>35000</code>
<country>France</country>
</postal>
<email>mohamed.boucadair@orange.com</email>
</address>
</author>
<author fullname="Reinaldo Penno" initials="R." surname="Penno">
<organization abbrev="Cisco">Cisco Systems, Inc.</organization>
<address>
<postal>
<street>170 West Tasman Drive</street>
<city>San Jose</city>
<region>California</region>
<code>95134</code>
<country>USA</country>
</postal>
<email>repenno@cisco.com</email>
</address>
</author>
<author fullname="Dan Wing" initials="D." surname="Wing">
<organization abbrev="Cisco">Cisco Systems, Inc.</organization>
<address>
<postal>
<street>170 West Tasman Drive</street>
<city>San Jose</city>
<region>California</region>
<code>95134</code>
<country>USA</country>
</postal>
<email>dwing@cisco.com</email>
</address>
</author>
<date day="25" month="March" year="2013" />
<workgroup>PCP Working Group</workgroup>
<keyword>UPnP, pinhole, PCP, mapping, NAT control, interworking</keyword>
<abstract>
<t>This document specifies the behavior of the UPnP IGD (Internet
Gateway Device)/PCP Interworking Function. A UPnP IGD-PCP Interworking
Function (IGD-PCP IWF) is required to be embedded in CP (Customer
Premises) routers to allow for transparent NAT control in environments
where UPnP IGD is used on the LAN side and PCP on the external side of
the CP router.</t>
</abstract>
<note title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</note>
</front>
<middle>
<section title="Introduction">
<t>PCP <xref target="I-D.ietf-pcp-base"></xref> discusses the
implementation of NAT control features that rely upon Carrier Grade NAT
devices such as a DS-Lite AFTR <xref target="RFC6333"></xref> or NAT64
<xref target="RFC6146"></xref>. Nevertheless, in environments where UPnP
IGD is used in the local network, an interworking function between UPnP
IGD and PCP is required to be embedded in the IGD (see the example
illustrated in <xref target="iwf_example"></xref>).</t>
<t>Two configurations are considered:<list style="symbols">
<t>No NAT function is embedded in the IGD (Internet Gateway Device).
This is required for instance in DS-Lite or NAT64 deployments;</t>
<t>The IGD embeds a NAT function.</t>
</list></t>
<t><figure anchor="iwf_example" title="Flow Example">
<preamble></preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
| (1) AddPortMapping | |
|--------------------->| |
| | (2) PCP MAP Request |
| |-------------------------->|
| | |]]></artwork>
<postamble></postamble>
</figure></t>
<t>The UPnP IGD-PCP IWF (IGD-PCP IWF) maintains a local mapping table
that stores all active mappings constructed by internal UPnP Control
Points. This design choice restricts the amount of PCP messages to be
exchanged with the PCP Server.</t>
<t>Triggers for deactivating the UPnP IGD-PCP IWF from the IGD and
relying on a PCP-only mode are out of scope of this document.</t>
<t>Considerations related to co-existence of the UPnP IGD-PCP
Interworking Function and a PCP Proxy <xref
target="I-D.ietf-pcp-proxy"></xref> are out of scope.</t>
</section>
<section title="Acronyms">
<t>This document makes use of the following abbreviations:</t>
<?rfc subcompact="yes"?>
<t><list style="empty">
<t>DS-Lite - Dual-Stack Lite</t>
<t>IGD - Internet Gateway Device</t>
<t>IGD:1 - UPnP Forum's nomenclature for version 1 of IGD [IGD1]</t>
<t>IGD:2 - UPnP Forum's nomenclature for version 2 of IGD [IGD2]</t>
<t>IWF - Interworking Function</t>
<t>NAT - Network Address Translation</t>
<t>PCP - Port Control Protocol</t>
<t>UPnP - Universal Plug and Play</t>
</list></t>
<?rfc subcompact="no"?>
</section>
<section title="Architecture Model">
<t>As a reminder, <xref target="igd_model"></xref> illustrates the
architecture model adopted by UPnP IGD <xref target="IGD2"></xref>. In
<xref target="igd_model"></xref>, the following UPnP terminology is
used:<list style="symbols">
<t>'Client' refers to a host located in the local network.</t>
<t>'IGD Control Point' is a device using UPnP to control an IGD
(Internet Gateway Device).</t>
<t>'IGD' is a router supporting UPnP IGD. It is typically a NAT or a
firewall.</t>
<t>'Host' is a remote peer reachable in the Internet.</t>
</list></t>
<t><figure align="center" anchor="igd_model" title="UPnP IGD Model">
<preamble></preamble>
<artwork><![CDATA[+-------------+
| IGD Control |
| Point |-----+
+-------------+ | +-----+ +------+
+---| | | |
| IGD |-------| Host |
+---| | | |
+-------------+ | +-----+ +------+
| Client |-----+
+-------------+
]]></artwork>
<postamble></postamble>
</figure></t>
<t>This model is not valid when PCP is used to control for instance a
Carrier Grade NAT (a.k.a., Provider NAT) while internal hosts continue
to use UPnP IGD. In such scenarios, <xref target="igdpcp"></xref> shows
the updated model.</t>
<t><figure align="center" anchor="igdpcp"
title="UPnP IGD-PCP Interworking Model">
<preamble></preamble>
<artwork><![CDATA[+-------------+
| IGD Control |
| Point |----+
+-------------+ | +-----+ +--------+ +------+
+---| IGD-| |Provider| | |
| PCP |------| NAT |--<Internet>---| Peer |
+---| IWF | | | | |
+-------------+ | +-----+ +--------+ +------+
| Local Host |----+
+-------------+
LAN Side External Side
<======UPnP IGD==============><=====PCP=====>
]]></artwork>
<postamble></postamble>
</figure></t>
<t>In the updated model depicted in <xref target="igdpcp"></xref>, one
or two levels of NAT can be encountered in the data path. Indeed, in
addition to the Carrier Grade NAT, the IGD may embed a NAT function
(<xref target="multinat"></xref>).</t>
<t><figure align="center" anchor="multinat"
title="Cascaded NAT scenario">
<preamble></preamble>
<artwork><![CDATA[+-------------+
| IGD Control |
| Point |-----+
+-------------+ | +-----+ +----+ +------+
+---| IGD-| | | |Remote|
| PCP |-------|NAT2|--<Internet>---| Host |
+---| IWF | | | | |
+-------------+ | +-----+ +----+ +------+
| Local Host |-----+ NAT1
+-------------+
]]></artwork>
<postamble></postamble>
</figure></t>
<t>To ensure successful interworking between UPnP IGD and PCP, an
interworking function is embedded in the IGD. In the model defined in
<xref target="igdpcp"></xref>, all UPnP IGD server-oriented functions, a
PCP Client <xref target="I-D.ietf-pcp-base"></xref> and a UPnP IGD-PCP
Interworking Function are embedded in the IGD. In the rest of the
document, IGD-PCP IWF refers the UPnP IGD-PCP Interworking Function,
which includes PCP Client functionality.</t>
<t>Without the involvement of the IGD-PCP IWF, the UPnP Control Point
would retrieve an external IP address and port number having a limited
scope and which can not be used to communicate with hosts located beyond
NAT2 (i.e., assigned by the IGD and not the ones assigned by NAT2 in
<xref target="multinat"></xref>).</t>
<t>UPnP IGD-PCP IWF is responsible for generating a well-formed PCP
message from a received UPnP IGD message, and vice versa.</t>
</section>
<section title="UPnP IGD-PCP IWF: Overview">
<t>Three tables are provided to specify the correspondence between UPnP
IGD and PCP:<list style="format (%d)">
<t><xref target="variables"></xref> provides the mapping between
WANIPConnection State Variables and PCP parameters;</t>
<t><xref target="methods"></xref> focuses on the correspondence
between supported methods;</t>
<t><xref target="errors"></xref> lists the PCP error messages and
their corresponding IGD ones.</t>
</list></t>
<t>Note that some enhancements have been integrated in WANIPConnection
as documented in <xref target="IGD2"></xref>.</t>
<section anchor="variables" title="UPnP IGD-PCP: State Variables">
<t>Below are listed only the UPnP IGD state variables applicable to
the IGD-PCP IWF:</t>
<t><list style="hanging">
<t hangText="ExternalIPAddress:">External IP Address <vspace />
Read-only variable with the value from the last PCP response or
the empty string if none was received yet. This state is stored on
a per UPnP Control Point basis.</t>
<t hangText="PortMappingNumberOfEntries:">Managed locally by the
UPnP IGD-PCP IWF.<vspace /></t>
<t hangText="PortMappingEnabled:"><vspace /> PCP does not support
deactivating the dynamic NAT mapping since the initial goal of PCP
is to ease the traversal of Carrier Grade NAT. Supporting such
per-subscriber function may overload the Carrier Grade NAT.
<vspace /> Only "1" is allowed: i.e., the UPnP IGD-PCP
Interworking Function MUST send back an error if a value different
from 1 is signaled.</t>
<t hangText="PortMappingLeaseDuration:">Requested Mapping Lifetime
<vspace /> In IGD:1 <xref target="IGD1"></xref> the value 0 means
infinite, in IGD:2 it is remapped to the IGD maximum of 604800
seconds <xref target="IGD2"></xref>. PCP allows for a maximum
value of 4294967296 seconds. <vspace /> The UPnP IGD-PCP
Interworking Function simulates long and even infinite lifetimes
using renewals (see <xref target="renewal"></xref>). The behavior
in the case of a failing renewal is currently undefined.
<vspace /> IGD:1 doesn't define the behavior in the case of state
loss, IGD:2 doesn't require to keep state in stable storage, i.e.,
to allow the state to survive resets/reboots. The UPnP IGD-PCP
Interworking Function MUST support IGD:2 behavior.</t>
<t hangText="RemoteHost:">Remote Peer IP Address <vspace /> Note
that IGD:2 allows a domain name, which has to be resolved to an IP
address.</t>
<t hangText="ExternalPort:">External Port Number <vspace /> Mapped
to the Suggested External Port in MAP messages.</t>
<t hangText="InternalPort:">Internal Port Number <vspace /> Mapped
to the Internal Port field in MAP messages.</t>
<t hangText="PortMappingProtocol:">Transport Protocol <vspace />
Mapped to the Protocol field in MAP messages. Note that UPnP IGD
only supports TCP and UDP.</t>
<t hangText="InternalClient:">Internal IP Address <vspace /> Note
that IGD:2 allows a domain name, which has to be resolved to an IP
address.</t>
<t hangText="PortMappingDescription:">Not supported in base
PCP.<vspace /> If the local PCP Client supports a PCP Option to
convey the description (e.g., <xref
target="I-D.ietf-pcp-description-option"></xref>), this option
SHOULD be used to relay the mapping description.</t>
<t hangText="SystemUpdateID (IGD:2 only):">Managed locally by the
UPnP IGD-PCP IWF.<vspace /></t>
<t hangText="A_ARG_TYPE_PortListing (IGD:2 only):">Managed locally
by the UPnP IGD-PCP IWF. <vspace /></t>
</list></t>
</section>
<section anchor="methods" title="IGD-PCP: Methods">
<t>Both IGD:1 and IGD:2 methods applicable to the UPnP IGD-PCP
Interworking Function are listed here. <list style="hanging">
<t hangText="GetGenericPortMappingEntry:">This request is not
relayed to the PCP Server. <vspace /> IGD-PCP Interworking
Function maintains a list of active mappings instantiated in the
PCP Server by internal hosts. See <xref target="list"></xref> for
more information.</t>
<t hangText="GetSpecificPortMappingEntry:">MAP with PREFER_FAILURE
Option<vspace /> This request is relayed to the PCP Server by
issuing a MAP request with the PREFER_FAILURE Option. It is
RECOMMENDED to use a short lifetime (e.g., 60 seconds).</t>
<t hangText="AddPortMapping:">MAP <vspace /> See <xref
target="addportmapping"></xref>.</t>
<t hangText="AddAnyPortMapping (IGD:2 only):">MAP <vspace /> See
<xref target="addanyportmapping"></xref>.</t>
<t hangText="DeletePortMapping:">MAP with Requested Lifetime set
to 0. <vspace /> See <xref target="delete"></xref>.</t>
<t hangText="DeletePortMappingRange (IGD:2 only):">MAP with
Requested Lifetime set to 0. <vspace /> Individual requests are
issued by the IGD-PCP IWF. See <xref target="delete"></xref> for
more details.</t>
<t hangText="GetExternalIPAddress:">MAP <vspace /> This can be
learned from any active mapping. If there are no active mappings,
the IGD-PCP IWF MAY request a short-lived mapping (e.g., to the
Discard service (TCP/9 or UDP/9) or some other port). However,
once that mapping expires a subsequent implicit or explicit
dynamic mapping might be mapped to a different external IP
address. See section 11.6 of <xref
target="I-D.ietf-pcp-base"></xref> for more discussion.</t>
<t hangText="GetListOfPortMappings:">See <xref
target="list"></xref> for more information.<vspace /> The IGD-PCP
Interworking Function maintains a list of active mappings
instantiated in the PCP Server. The IGD-PCP Interworking Function
handles this request locally.</t>
</list></t>
</section>
<section anchor="errors" title="UPnP IGD-PCP: Errors">
<t>This section lists PCP errors codes and the corresponding UPnP IGD
ones. Error codes specific to IGD:2 are tagged accordingly.</t>
<t><list hangIndent="3" style="hanging">
<t hangText="1 UNSUPP_VERSION:">501 "ActionFailed" <vspace />
Should not happen.</t>
<t hangText="2 NOT_AUTHORIZED:">IGD:1 718 "ConflictInMappingEntry"
/ IGD:2 606 "Action not authorized"</t>
<t hangText="3 MALFORMED_REQUEST:">501 "ActionFailed"</t>
<t hangText="4 UNSUPP_OPCODE:">501 "ActionFailed" <vspace />
Should not happen. <xref target="I-D.ietf-pcp-base"></xref> allows
the PCP server to be configured to disable support for the MAP
opcode, but the IGD-PCP IWF cannot work in this situation.</t>
<t hangText="5 UNSUPP_OPTION:">501 "ActionFailed" <vspace />
Should not happen except if PREFER_FAILURE is not supported on the
PCP server. Note that PREFER_FAILURE is not mandatory to support,
but AddPortMapping() cannot be implemented without it.</t>
<t hangText="6 MALFORMED_OPTION:">501 "ActionFailed" <vspace />
Should not happen.</t>
<t hangText="7 NETWORK_FAILURE:">Not applicable <vspace /> Should
not happen after communication has been successfully established
with a PCP Server.</t>
<t hangText="8 NO_RESOURCES:">IGD:1 501 "ActionFailed" / IGD:2 728
<vspace /> "NoPortMapsAvailable" <vspace /> Cannot be
distinguished from USER_EX_QUOTA.</t>
<t hangText="9 UNSUPP_PROTOCOL:">501 "ActionFailed" <vspace />
Should not happen.</t>
<t hangText="10 USER_EX_QUOTA:">IGD:1 501 "ActionFailed" / IGD:2
728 <vspace /> "NoPortMapsAvailable" <vspace /> Cannot be
distinguished from NO_RESOURCES.</t>
<t hangText="11 CANNOT_PROVIDE_EXTERNAL:">718
"ConflictInMappingEntry" (see Section 5.7.2) or 714
"NoSuchEntryInArray" (see Section 5.8).</t>
<t hangText="12 ADDRESS_MISMATCH:">501 "ActionFailed" <vspace />
Should not happen.</t>
<t hangText="13 EXCESSIVE_REMOTE_PEERS:">501 "ActionFailed"
<vspace /> Should not happen, since the IGD-PCP Interworking
Function should not need to use the FILTER option.</t>
</list></t>
</section>
</section>
<section title="Specification of the IGD-PCP IWF">
<t>This section covers the scenarios with or without NAT in the IGD.</t>
<t>This specification assumes the PCP Server is configured to accept the
MAP OpCode.</t>
<t>The IGD-PCP IWF handles the "Mapping Nonce" as any PCP Client <xref
target="I-D.ietf-pcp-base"></xref>.</t>
<section title="PCP Server Discovery">
<t>The IGD-PCP IWF implements one of the discovery methods identified
in <xref target="I-D.ietf-pcp-base"></xref> (e.g., DHCP <xref
target="I-D.ietf-pcp-dhcp"></xref>). The IGD-PCP Interworking Function
behaves as a PCP Client when communicating with provisioned PCP
Server(s).</t>
<t>If no IPv4 address / IPv6 prefix is assigned to the IGD or the IGD
is unable to determine it should contact an upstream PCP Server, the
IGD-PCP Interworking Function MUST NOT be invoked.</t>
<t>If the IGD determines that it should establish communication with
an upstream PCP server (e.g., because of DHCP configuration or having
previously been talking to a PCP server), a "501 ActionFailed" error
message is returned to requesting UPnP Control Point in case the
IGD-PCP IWF fails to establish communication with that PCP Server.</t>
</section>
<section title="Control of the Firewall">
<t>In order to configure security policies to be applied to inbound
and outbound traffic, UPnP IGD can be used to control a local firewall
engine. No IGD-PCP IWF is therefore required for that purpose.</t>
<t>The use of IGD-PCP IWF to control an upstream PCP-controlled
firewall is out of scope of this document.</t>
</section>
<section title="Port Mapping Table">
<t>The IGD-PCP IWF MUST store locally all the mappings instantiated by
internal UPnP Control Points in the PCP Server. All mappings SHOULD be
stored in permanent storage.</t>
<t>Upon receipt of a PCP MAP Response from the PCP Server, the IGD-PCP
Interworking Function MUST retrieve the enclosed mapping and MUST
store it in the local mapping table. The local mapping table is an
image of the mapping table as maintained by the PCP Server for a given
subscriber.</t>
</section>
<section anchor="spec_no_nat"
title="Interworking Function Without NAT in the IGD"
toc="default">
<t>When no NAT is embedded in the IGD, the content of received
WANIPConnection and PCP messages is not altered by the IGD-PCP
Interworking Function (i.e., the content of WANIPConnection messages
are mapped to PCP messages (and mapped back) according to <xref
target="variables"></xref>).</t>
</section>
<section anchor="spec_nat" title="NAT Embedded in the IGD" toc="default">
<t>When NAT is embedded in the IGD, the IGD-PCP IWF updates the
content of mapping messages received from the UPnP Control Point.
These messages will contain an IP address and/or port number which
belong to an internal host. The IGD-PCP IWF MUST update such messages
with the IP address and/or port number belonging to the external
interface of the IGD (i.e., after the NAT1 operation in <xref
target="multinat"></xref>).</t>
<t>The IGD-PCP IWF intercepts all WANIPConnection messages issued by
the UPnP Control Point. For each such message, the IGD-PCP IWF then
generates one or more corresponding requests (see <xref
target="variables"></xref>, <xref target="methods"></xref> and <xref
target="errors"></xref>) and sends them to the provisioned PCP
Server.</t>
<t>Each request sent by the IGD-PCP IWF to the PCP Server MUST reflect
the mapping information as enforced in the first NAT. In particular,
the internal IP address and/or port number of the requests are
replaced with the IP address and/or port number as assigned by the NAT
of the IGD. For the reverse path, the IGD-PCP IWF intercepts PCP
response messages and generates WANIPConnection response messages. The
content of the generated WANIPConnection response messages are set as
follows:</t>
<t><list style="symbols">
<t>The internal IP address and/or port number as initially set by
the UPnP Control Point and stored in the IGD NAT are used to
update the corresponding fields in received PCP responses.</t>
<t>The external IP and port number are not altered by the IGD-PCP
Interworking Function.</t>
<t>The NAT mapping entry in the IGD is updated with the result of
PCP request.</t>
</list></t>
<t>The lifetime of the mappings instantiated in the IGD SHOULD be the
one assigned by the terminating PCP Server. In any case, the lifetime
MUST NOT be lower to the one assigned by the terminating PCP
Server.</t>
</section>
<section title="Creating a Mapping">
<t>Two methods can be used to create a mapping: AddPortMapping() or
AddAnyPortMapping().</t>
<section anchor="addanyportmapping" title="AddAnyPortMapping()">
<t>When a UPnP Control Point issues an AddAnyPortMapping(), this
request is received by the IGD. The request is then relayed to the
IGD-PCP IWF which generates a PCP MAP request (see <xref
target="variables"></xref> for mapping between WANIPConnection and
PCP parameters). Upon receipt of a PCP MAP response from the PCP
Server, the corresponding UPnP IGD method is returned to the
requesting UPnP Control Point (the content of the messages follows
the recommendations listed in <xref target="spec_nat"></xref> or
<xref target="spec_no_nat"></xref> according to the deployed
scenario). A flow example is depicted in <xref
target="igd2"></xref>.</t>
<t>If a PCP Error is received from the PCP Server, a corresponding
WANIPConnection error code (see <xref target="errors"></xref>) is
generated by the IGD-PCP IWF and sent to the requesting UPnP Control
Point. If a short lifetime error is returned (e.g., NETWORK_FAILURE,
NO_RESOURCES), the PCP IWF MAY re-send the same request to the PCP
Server after 30s. If a negative answer is received, the error is
then relayed to the requesting UPnP Control Point.<list
style="empty">
<t>Discussion: Some applications (e.g., uTorrent, Vuzz, eMule)
wait 90 seconds or more for a response after sending an UPnP
request. If a short lifetime error occurs, re-sending the
request may lead to a positive response from the PCP server.
UPnP Control Points are therefore not aware of transient
errors.</t>
</list></t>
<t><figure anchor="igd2"
title="Flow example when AddAnyPortMapping() is used">
<preamble></preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
|(1) AddAnyPortMapping | |
| ExternalPort=8080 | |
|--------------------->| |
| | (2) PCP MAP Request |
| |Suggested External Port=8080 |
| |---------------------------->|
| | |
| | (3) PCP MAP Response |
| | Assigned External Port=6598 |
| |<----------------------------|
|(4) AddAnyPortMapping | |
| ReservedPort=6598 | |
|<---------------------| |
]]></artwork>
<postamble></postamble>
</figure></t>
<t></t>
</section>
<section anchor="addportmapping" title="AddPortMapping()">
<t>A dedicated option called PREFER_FAILURE is defined in <xref
target="I-D.ietf-pcp-base"></xref> to toggle the behavior in a PCP
Request message. This option is inserted by the IGD-PCP IWF when
issuing its requests to the PCP Server only if a specific external
port is requested by the UPnP Control Point.</t>
<t>Upon receipt of AddPortMapping() from an UPnP Control Point, the
IGD-PCP IWF MUST generate a PCP MAP Request with all requested
mapping information as indicated by the UPnP Control Point if no NAT
is embedded in the IGD or updated as specified in <xref
target="spec_nat"></xref>. In addition, the IGD-PCP IWF MUST insert
a PREFER_FAILURE Option in the generated PCP request.</t>
<t>If the requested external port is not available, the PCP server
will send a CANNOT_PROVIDE_EXTERNAL error response. If a short
lifetime error is returned, the IGD-PCP IWF MAY re-send the same
request to the PCP Server after 30 seconds. If a PCP error response
is received, the IGD-PCP IWF relays a negative message to the UPnP
Control Point with ConflictInMappingEntry as the error code. The
UPnP Control Point may re-issue a new request with a new requested
external port number. This process is typically repeated by the UPnP
Control Point until a positive answer is received or some maximum
retry limit is reached.</t>
<t>If the PCP Server is able to create or renew a mapping with the
requested external port, it sends a positive response to the IGD-PCP
IWF. Upon receipt of the response from the PCP Server, the IGD-PCP
IWF stores the returned mapping in its local mapping table, and
sends a positive answer to the requesting UPnP Control Point. This
answer terminates this exchange.</t>
<t></t>
<t><xref target="positive"></xref> shows an example of the flow
exchange that occurs when the PCP Server satisfies the request from
the IGD-PCP IWF. <xref target="negative"></xref> shows the messages
exchange when the requested external port is not available.</t>
<t><figure anchor="positive" title="Flow Example (Positive Answer)">
<preamble></preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
| (1) AddPortMapping | |
| ExternalPort=8080 | |
|--------------------->| |
| | (2) PCP MAP request |
| |Suggested External Port=8080 |
| | PREFER_FAILURE |
| |---------------------------->|
| | |
| | (3) PCP MAP response |
| | Assigned External Port=8080 |
| |<----------------------------|
| (4) AddPortMapping | |
| ExternalPort=8080 | |
|<---------------------| |
]]></artwork>
<postamble></postamble>
</figure></t>
<t><figure anchor="negative" title="Flow Example (Negative Answer)">
<preamble></preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
| (1) AddPortMapping | |
| ExternalPort=8080 | |
|--------------------->| |
| | (2) PCP MAP Request |
| |Suggested External Port=8080 |
| | PREFER_FAILURE |
| |---------------------------->|
| | (3) PCP MAP Response |
| | CANNOT_PROVIDE_EXTERNAL |
| |<----------------------------|
| (4) Error: | |
|ConflictInMappingEntry| |
|<---------------------| |
| (5) AddPortMapping | |
| ExternalPort=5485 | |
|--------------------->| |
| | (6) PCP MAP Request |
| |Suggested External Port=5485 |
| | PREFER_FAILURE |
| |---------------------------->|
| | (7) PCP MAP Response |
| | CANNOT_PROVIDE_EXTERNAL |
| |<----------------------------|
| (8) Error: | |
|ConflictInMappingEntry| |
|<---------------------| |
....
| (a) AddPortMapping | |
| ExternalPort=6591 | |
|--------------------->| |
| | (b) PCP MAP Request |
| |Suggested External Port=6591 |
| | PREFER_FAILURE |
| |---------------------------->|
| | (c) PCP MAP Response |
| | CANNOT_PROVIDE_EXTERNAL |
| |<----------------------------|
| (d) Error: | |
|ConflictInMappingEntry| |
|<---------------------| |
]]></artwork>
<postamble></postamble>
</figure><list style="empty">
<t>Note: According to some experiments, some UPnP 1.0 Control
Point implementations, e.g., uTorrent, simply try the same
external port a number of times (usually 4 times), and then fail
if the port is in use. Also note that some applications use
GetSpecificPortMappingEntry() to check whether a mapping
exists.</t>
</list></t>
</section>
</section>
<section anchor="list" title="Listing One or a Set of Mappings">
<t>In order to list active mappings, a UPnP Control Point may issue
GetGenericPortMappingEntry(), GetSpecificPortMappingEntry() or
GetListOfPortMappings().</t>
<t>GetGenericPortMappingEntry() and GetListOfPortMappings() methods
MUST NOT be proxied to the PCP Server since a local mapping is
maintained by the IGD-PCP IWF.</t>
<t>Upon receipt of GetSpecificPortMappingEntry() from a UPnP Control
Point, the IGD-PCP IWF MUST check first if the external port number is
used by the requesting UPnP Control Point. If the external port is
already in use by the requesting UPnP Control Point, the IGD-PCP IWF
MUST send back a positive answer. If not, the IGD-PCP IWF MUST relay
to the PCP Server a MAP request, with short lifetime (e.g., 60s),
including a PREFER_FAILURE Option. If the requested external port is
in use, a PCP error message will be sent by the PCP Server to the
IGD-PCP IWF indicating CANNOT_PROVIDE_EXTERNAL as the error cause.
Then, the IGD-PCP IWF relays a negative message to the UPnP Control
Point. If the port is not in use, the mapping will be created by the
PCP Server and a positive response will be sent back to the IGD-PCP
IWF. Once received by the IGD-PCP IWF, it MUST relay a negative
message to the UPnP Control Point indicating NoSuchEntryInArray as
error code so that the UPnP control point knows the enquired mapping
doesn't exist.</t>
</section>
<section anchor="delete"
title="Delete One or a Set of Mappings: DeletePortMapping() or DeletePortMappingRange()">
<t>A UPnP Control Point requests the deletion of one or a list of
mappings by issuing DeletePortMapping() or
DeletePortMappingRange().</t>
<t>In IGD:2, we assume the IGD applies the appropriate security
policies to determine whether a Control Point has the rights to delete
one or a set of mappings. When authorization fails, "606 Action Not
Authorized" error code MUST be returned to the requesting Control
Point.</t>
<t>When DeletePortMapping() or DeletePortMappingRange() is received by
the IGD-PCP IWF, it first checks if the requested mappings to be
removed are present in the local mapping table. If no mapping matching
the request is found in the local table, an error code is sent back to
the UPnP Control Point: "714 NoSuchEntryInArray" for
DeletePortMapping() or "730 PortMappingNotFound" for
DeletePortMappingRange().</t>
<t><xref target="local_delete"></xref> shows an example of a UPnP
Control Point asking to delete a mapping which is not instantiated in
the local table of the IWF.</t>
<figure anchor="local_delete" title="Local Delete (IGD-PCP IWF)">
<preamble></preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
|(1) DeletePortMapping | |
|--------------------->| |
| | |
| (2) Error: | |
| NoSuchEntryInArray | |
|<---------------------| |
| | |
]]></artwork>
<postamble></postamble>
</figure>
<t></t>
<t>If a mapping matches in the local table, a PCP MAP delete request
is generated. If no NAT is enabled in the IGD, the IGD-PCP IWF uses
the input arguments as included in DeletePortMapping(). If a NAT is
enabled in the IGD, the IGD-PCP IWF instead uses the corresponding IP
address and port number as assigned by the local NAT.</t>
<t>When a positive answer is received from the PCP Server, the IGD-PCP
IWF updates its local mapping table (i.e., removes the corresponding
entry) and notifies the UPnP Control Point about the result of the
removal operation. Once the PCP MAP delete request is received by the
PCP Server, it removes the corresponding entry. A PCP MAP SUCCESS
response is sent back if the removal of the corresponding entry was
successful; if not, a PCP Error is sent back to the IGD-PCP IWF
including the corresponding error cause (see <xref
target="errors"></xref>).</t>
<t>If DeletePortMappingRange() is used, the IGD-PCP IWF does a lookup
in its local mapping table to retrieve individual mappings
instantiated by the requesting Control Point (i.e., authorization
checks) and matching the signaled port range (i.e., the external port
is within the "StartPort" and "EndPort" arguments of
DeletePortMappingRange()). If no mapping is found, "730
PortMappingNotFound" error code is sent to the UPnP Control Point
(<xref target="delete_range_error"></xref>). If one or more mappings
are found, the IGD-PCP IWF generates individual PCP MAP delete
requests corresponding to these mappings (see the example shown in
<xref target="delete_range"></xref>). <list style="empty">
<t>The IWF MAY send a positive answer to the requesting UPnP
Control Point without waiting to receive all the answers from the
PCP Server. It is unlikely to encounter a problem in the PCP leg
because the IWF has verified authorization rights and also the
presence of the mapping in the local table.</t>
</list></t>
<t><figure anchor="delete_range_error"
title="Flow example when an error encountered when processing DeletePortMappingRange()">
<preamble></preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
|(1)DeletePortMappingRange() | |
| StartPort=8596 | |
| EndPort =9000 | |
| Protocol =UDP | |
|--------------------------->| |
| | |
| (2) Error: | |
| PortMappingNotFound | |
|<---------------------------| |
| | |
]]></artwork>
<postamble></postamble>
</figure></t>
<t><figure anchor="delete_range"
title="Example of DeletePortMappingRange()">
<preamble>This example illustrates the exchanges that occur when
the IWF receives DeletePortMappingRange(). In this example, only
two mappings having the external port number in the 6000-6050
range are maintained in the local table. The IWF issues two MAP
requests to delete these mappings.</preamble>
<artwork><![CDATA[ UPnP-PCP
UPnP Control Interworking
Point Function PCP Server
| | |
|(1)DeletePortMappingRange() | |
| StartPort=6000 | |
| EndPort =6050 | |
| Protocol =UDP | |
|--------------------------->| |
| | |
| | (2a)PCP MAP Request |
| | protocol=UDP |
| | internal-ip-address |
| | internal-port |
| | external-ip-address |
| | external-port= 6030 |
| | Requested-lifetime= 0 |
| |-------------------------->|
| | |
| | (2c)PCP MAP Request |
| | protocol=UDP |
| | internal-ip-address |
| | internal-port |
| | external-ip-address |
| | external-port= 6045 |
| | Requested-lifetime= 0 |
| |-------------------------->|
| | |
| (2b)Positive answer | |
|<---------------------------| |
| | |
]]></artwork>
<postamble></postamble>
</figure></t>
</section>
<section anchor="renewal" title="Renewing a Mapping">
<t>Because of the incompatibility of mapping lifetimes between UPnP
IGD and PCP, the IGD-PCP IWF MUST simulate long and even infinite
lifetimes. Indeed, for requests having a requested infinite
PortMappingLeaseDuration, the IGD-PCP IWF MUST set the Requested
Lifetime of the corresponding PCP request to 4294967296. If
PortMappingLeaseDuration is not infinite, the IGD-PCP IWF MUST set the
Requested Lifetime of the corresponding PCP request to the same value
as PortMappingLeaseDuration. Furthermore, the IGD-PCP Interworking
Function MUST maintain an additional timer set to the initial
requested PortMappingLeaseDuration. Upon receipt of a positive answer
from the PCP server, the IGD-PCP IWF relays the corresponding UPnP IGD
response to the requesting UPnP Control Point with
PortMappingLeaseDuration set to the same value as the one of the
initial request. Then, the IGD-PCP IWF MUST renew periodically the
constructed PCP mapping until the expiry of PortMappingLeaseDuration.
Responses received when renewing the mapping MUST NOT be relayed to
the UPnP Control Point.</t>
<t>In case an error is encountered during mapping renewal, the IGD-PCP
Interworking Function has no means to inform the UPnP Control
Point.</t>
</section>
<section title="Rapid Recovery">
<t>When the IWF is co-located with the DHCP server, the state
maintained by the IWF MUST be updated using the state of the local
DHCP server. Particularly, if an IP address expires or is released by
an internal host, the IWF MUST delete all the mappings bound to that
internal IP address.</t>
<t>Upon change of the external IP address of the IWF, the IWF MAY
renew the mappings it maintained. This can be achieved only if a full
state table is maintained by the IWF. If the port quota is not
exceeded in the PCP server, the IWF will receive a new external IP
address and port numbers. The IWF has no means to notify the change of
the external IP address and port to internal UPnP Control Points.
Stale mappings will be maintained by the PCP Server until their
lifetime expires.</t>
<t><xref target="I-D.ietf-pcp-base"></xref> defines a procedure for
the PCP Server to notify PCP Clients about changes related to the
mappings it maintains. When an unsolicited ANNOUNCE is received, the
IWF makes one or more MAP requests with the PREFER_FAILURE option to
re-install its mappings. If the PCP server cannot create the requested
mappings (signalled with the CANNOT_PROVIDE_EXTERNAL error response),
the IWF has no means to notify the change of the external IP address
and port to internal UPnP Control Points.</t>
<t>Unsolicited PCP MAP responses received from a PCP Server are
handled as any normal MAP response. If a response indicates that the
external IP address or port has changed, the IWF has no means to
notify the internal UPnP Control Point of this change.</t>
<t>Further analysis of PCP failure scenarios for the IGD-PCP
Interworking Function are discussed in <xref
target="I-D.boucadair-pcp-failure"></xref>.</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This document makes no request of IANA.</t>
<t>Note to RFC Editor: this section may be removed on publication as an
RFC.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>The IGD:2 authorization framework SHOULD be used <xref
target="IGD2"></xref>. When only IGD:1 is available, operation on the
behalf of a third party SHOULD NOT be allowed.</t>
<t>This document defines a procedure to create PCP mappings for third
party devices belonging to the same subscriber. Means to prevent a
malicious user from creating mappings on behalf of a third party must be
enabled as discussed in Section 13.1 of <xref
target="I-D.ietf-pcp-base"></xref>.</t>
<t>The security considerations discussed in <xref
target="I-D.ietf-pcp-base"></xref> and <xref target="Sec_DCP"></xref>
should be taken into account.</t>
</section>
<section title="Acknowledgments">
<t>Authors would like to thank F. Fontaine, C. Jacquenet, X. Deng, G.
Montenegro, D. Thaler, R. Tirumaleswar, P. Selkirk, and T. Lemon for
their review and comments.</t>
<t>F. Dupont contributed to previous versions of this document. Thanks
to him for his thorough reviews and contribution.</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119"
?>
<?rfc include='reference.I-D.ietf-pcp-base'?>
</references>
<references title="Informative References">
<?rfc include='reference.RFC.6333'?>
<?rfc include='reference.RFC.6146'?>
<?rfc include='reference.I-D.boucadair-pcp-failure'?>
<?rfc include='reference.I-D.ietf-pcp-description-option'?>
<?rfc include='reference.I-D.ietf-pcp-proxy'?>
<?rfc include='reference.I-D.ietf-pcp-dhcp'?>
<reference anchor="Sec_DCP" target="">
<front>
<title>Device Protection:1</title>
<author fullname="UPnP Forum" surname="UPnP Forum">
<organization>UPnP Forum</organization>
</author>
<date day="17" month="November" year="2009" />
</front>
</reference>
<reference anchor="IGD1">
<front>
<title>WANIPConnection:1 Service
(http://www.upnp.org/specs/gw/UPnP-gw-WANIPConnection-v1-Service.pdf)</title>
<author fullname="UPnP Forum" surname="UPnP Forum">
<organization></organization>
</author>
<date day="" month="November" year="2001" />
</front>
</reference>
<reference anchor="IGD2">
<front>
<title>WANIPConnection:2 Service
(http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v2-Service.pdf)</title>
<author fullname="UPnP Forum" surname="UPnP Forum">
<organization></organization>
</author>
<date day="15" month="September" year="2010" />
</front>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-23 14:38:33 |