Diff of draft-ietf-tsvwg-natsupp-11.txt against draft-ietf-tsvwg-natsupp-12.txt
(lines prefixed "-" appear only in draft-11, lines prefixed "+" only in
draft-12; unprefixed lines are identical in both)

Network Working Group                                         R. Stewart
Internet-Draft                                             Netflix, Inc.
Intended status: Standards Track                               M. Tuexen
-Expires: January 4, 2018                                    I. Ruengeler
+Expires: January 3, 2019                                    I. Ruengeler
                                        Muenster Univ. of Appl. Sciences
-                                                           July 3, 2017
+                                                           July 2, 2018

 Stream Control Transmission Protocol (SCTP) Network Address Translation
                                 Support
-                     draft-ietf-tsvwg-natsupp-11.txt
+                     draft-ietf-tsvwg-natsupp-12.txt

Abstract

   The Stream Control Transmission Protocol (SCTP) provides a reliable
   communications channel between two end-hosts in many ways similar to
   the Transmission Control Protocol (TCP). With the widespread
   deployment of Network Address Translators (NAT), specialized code has
   been added to NAT for TCP that allows multiple hosts to reside behind
   a NAT and yet use only a single globally unique IPv4 address, even
   when two hosts (behind a NAT) choose the same port numbers for their

skipping to change at page 1, line 39

   scenario.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
-  Drafts is at http://datatracker.ietf.org/drafts/current/.
+  Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-  This Internet-Draft will expire on January 4, 2018.
+  This Internet-Draft will expire on January 3, 2019.

Copyright Notice

-  Copyright (c) 2017 IETF Trust and the persons identified as the
+  Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
-  (http://trustee.ietf.org/license-info) in effect on the date of
+  (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3

skipping to change at page 2, line 51

     5.3.2.  VTags Parameter . . . . . . . . . . . . . . . . . . .  16
   6.  Procedures for SCTP End Points and NATs . . . . . . . . . . .  17
     6.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .  17
     6.2.  Association Setup Considerations  . . . . . . . . . . . .  18
     6.3.  Handling of Internal Port Number and Verification Tag
           Collisions  . . . . . . . . . . . . . . . . . . . . . . .  18
     6.4.  Handling of Internal Port Number Collisions . . . . . . .  19
     6.5.  Handling of Missing State . . . . . . . . . . . . . . . .  20
     6.6.  Handling of Fragmented SCTP Packets . . . . . . . . . . .  22
     6.7.  Multi-Point Traversal Considerations  . . . . . . . . . .  22
-  7.  Various Examples of NAT Traversals  . . . . . . . . . . . . .  22
-    7.1.  Single-homed Client to Single-homed Server  . . . . . . .  22
+  7.  Various Examples of NAT Traversals  . . . . . . . . . . . . .  23
+    7.1.  Single-homed Client to Single-homed Server  . . . . . . .  23
     7.2.  Single-homed Client to Multi-homed Server . . . . . . . .  25
     7.3.  Multihomed Client and Server  . . . . . . . . . . . . . .  28
     7.4.  NAT Loses Its State . . . . . . . . . . . . . . . . . . .  32
     7.5.  Peer-to-Peer Communication  . . . . . . . . . . . . . . .  34
   8.  Socket API Considerations . . . . . . . . . . . . . . . . . .  39
     8.1.  Get or Set the NAT Friendliness
           (SCTP_NAT_FRIENDLY) . . . . . . . . . . . . . . . . . . .  40
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  40
     9.1.  New Chunk Flags for Two Existing Chunk Types  . . . . . .  40
     9.2.  Three New Error Causes  . . . . . . . . . . . . . . . . .  41

skipping to change at page 3, line 37

   Translators (NAT), specialized code has been added to NAT for TCP
   that allows multiple hosts to reside behind a NAT using private
   addresses (see [RFC6890]) and yet use only a single globally unique
   IPv4 address, even when two hosts (behind a NAT) choose the same port
   numbers for their connection. This additional code is sometimes
   classified as Network Address and Port Translation (NAPT). Please
   note that this document focuses on the case where the NAT maps
   multiple private addresses to a single public address. To date,
   specialized code for SCTP has not yet been added to most NATs so that
   only true NAT is available. The end result of this is that only one
-  SCTP capable host can be behind a NAT. The only alternative for
-  supporting legacy NATs is to use UDP encapsulation as specified in
-  [RFC6951].
+  SCTP capable host can be behind a NAT and this host can only be
+  single-homed. The only alternative for supporting legacy NATs is to
+  use UDP encapsulation as specified in [RFC6951].

   This document describes an SCTP specific variant NAT and specific
   packets and procedures to help NATs provide similar features of NAPT
   in the single-point and multi-point traversal scenario. An SCTP
   implementation supporting this extension will follow these procedures
   to assure that in both single-homed and multi-homed cases a NAT will
   maintain the proper state without needing to change port numbers.

   It is possible and desirable to make these changes for a number of
   reasons:

skipping to change at page 8, line 40

   The modification of SCTP packets sent to the public Internet is easy.
   The source address of the packet has to be replaced with the Public-
   Address. It may also be necessary to establish some state in the NAT
   box to handle incoming packets, which is discussed later.

   For SCTP packets coming from the public Internet the destination
   address of the packets has to be replaced with the Private-Address of
   the host the packet has to be delivered to. The lookup of the
   Private-Address is based on the External-VTag, External-Port,
-  External-Address, Internal-VTag and the Internal-Port.
+  Internal-VTag and the Internal-Port.

   For the SCTP NAT processing the NAT box has to maintain a table of
-  Internal-VTag, Internal-Port, Private-Address, External-VTag,
-  External-Port and whether the restart procedure is disabled or not.
-  An entry in that table is called a NAT state control block. The
+  Internal-VTag, Internal-Port, External-VTag, External-Port, Private-
+  Address, and whether the restart procedure is disabled or not. An
+  entry in that table is called a NAT state control block. The
   function Create() obtains the just mentioned parameters and returns a
   NAT-State control block.

   The entries in this table fulfill some uniqueness conditions. There
   must not be more than one entry with the same pair of Internal-Port
   and External-Port. This rule can be relaxed, if all entries with the
   same Internal-Port and External-Port have the support for the restart
   procedure enabled. In this case there must be no more than one entry
   with the same Internal-Port, External-Port and Ext-VTag and no more
   than one entry with the same Internal-Port, External-Port and Int-

skipping to change at page 9, line 23

                                          /--\/--\
   +--------+          +-----+          /          \          +--------+
   | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
   +--------+          +-----+          \          /          +--------+
                                          \--/\---/

       INIT[Initiate-Tag]
   Priv-Addr:Int-Port ------> Ext-Addr:Ext-Port
       Ext-VTag=0
-                   Create(Initiate-Tag, Int-Port, Priv-Addr, 0)
-                   Returns(NAT-State control block)
+                   Create(Initiate-Tag, Int-Port, 0, Ext-Port, Priv-Addr,
+                          RestartSupported)
+                   Returns(NAT-State control block)

                    Translate To:

       INIT[Initiate-Tag]
   Pub-Addr:Int-Port ------> Ext-Addr:Ext-Port
       Ext-VTag=0

   Normally a NAT control block will be created. However, it is
   possible that there is already a NAT control block with the same
   External-Address, External-Port, Internal-Port, and Internal-VTag but

skipping to change at page 10, line 24 (draft-11) / page 10, line 26 (draft-12)

   Priv-Addr:Int-Port ------> Ext-Addr:Ext-Port
       Ext-VTag

                    Translate To:

   Pub-Addr:Int-Port ------> Ext-Addr:Ext-Port
       Ext-VTag

   The processing of incoming SCTP packets containing INIT-ACK chunks is
   described in the following figure. The Lookup() function getting as
-  input the Internal-VTag, Internal-Port, External-VTag (=0), External-
-  Port, and External-Address, returns the corresponding entry of the
-  NAT table and updates the External-VTag by substituting it with the
-  value of the Initiate-Tag of the INIT-ACK chunk. The wildcard
-  character signifies that the parameter's value is not considered in
-  the Lookup() function or changed in the Update() function,
-  respectively.
+  input the Internal-VTag, Internal-Port, External-VTag, and External-
+  Port, returns the corresponding entry of the NAT table and updates
+  the External-VTag by substituting it with the value of the Initiate-
+  Tag of the INIT-ACK chunk. The wildcard character signifies that the
+  parameter's value is not considered in the Lookup() function or
+  changed in the Update() function, respectively.

                                          /--\/--\
   +--------+          +-----+          /          \          +--------+
   | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
   +--------+          +-----+          \          /          +--------+
                                          \--/\---/

       INIT-ACK[Initiate-Tag]
   Pub-Addr:Int-Port <---- Ext-Addr:Ext-Port
       Int-VTag
-                   Lookup(Int-VTag, Int-Port, *, 0, Ext-Port)
-                   Update(*, *, *, Initiate-Tag, *)
-                   Returns(NAT-State control block containing Private-Address)
+                   Lookup(Int-VTag, Int-Port, *, Ext-Port)
+                   Update(*, *, Initiate-Tag, *)
+                   Returns(NAT-State control block containing Priv-Addr)

       INIT-ACK[Initiate-Tag]
   Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port
       Int-VTag

   In the case Lookup fails, the SCTP packet is dropped. The Update
   routine inserts the External-VTag (the Initiate-Tag of the INIT-ACK
   chunk) in the NAT state control block.

   The processing of incoming SCTP packets containing an ABORT or

skipping to change at page 11, line 41

                                          /--\/--\
   +--------+          +-----+          /          \          +--------+
   | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
   +--------+          +-----+          \          /          +--------+
                                          \--/\---/

   Pub-Addr:Int-Port <------ Ext-Addr:Ext-Port
       Ext-VTag
-                   Lookup(0, Int-Port, *, Ext-VTag, Ext-Port)
-                   Returns(NAT-State control block containing Private-Address)
+                   Lookup(*, Int-Port, Ext-VTag, Ext-Port)
+                   Returns(NAT-State control block containing Priv-Addr)

   Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port
       Ext-VTag

   The processing of other incoming SCTP packets is described in the
   following figure.

                                          /--\/--\
   +--------+          +-----+          /          \          +--------+
   | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
   +--------+          +-----+          \          /          +--------+
                                          \--/\---/

   Pub-Addr:Int-Port <------ Ext-Addr:Ext-Port
       Int-VTag
-                   Lookup(Int-VTag, Int-Port, *, *, Ext-Port)
+                   Lookup(Int-VTag, Int-Port, *, Ext-Port)
                    Returns(NAT-State control block containing Local-Address)

   Priv-Addr:Int-Port <------ Ext-Addr:Ext-Port
       Int-VTag

   For an incoming packet containing an INIT-chunk a table lookup is
   made only based on the addresses and port numbers. If an entry with
   an External-VTag of zero is found, it is considered a match and the
   External-VTag is updated.
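The NAT table with its Create(), Lookup() and Update() operations and the lookup patterns of the figures above, as an added example written for this page; it is not code from the draft or from any SCTP implementation. It follows the draft-12 argument order Create(Int-VTag, Int-Port, Ext-VTag, Ext-Port, Priv-Addr, RestartSupported), models the draft's "*" wildcard as Python None, and also applies the ABORT-with-M-bit collision handling of Section 6.3 and the 'Missing State' ERROR rules of Section 6.5 of the draft. The names NatTable, outgoing_init(), incoming() and demo(), the string results they return, and the treatment of an Ext-VTag of 0 as "not yet learned" in the uniqueness check are this example's own assumptions, as are all addresses, ports and tags it uses.

```python
# Added example, not from the draft: a small model of the NAT state table
# described above, in the draft-12 argument order
# Create(Int-VTag, Int-Port, Ext-VTag, Ext-Port, Priv-Addr, RestartSupported).
# The draft's "*" wildcard is modelled as None. Treating an Ext-VTag of 0
# (INIT-ACK outstanding) as "not yet learned" in the uniqueness check is this
# example's assumption; every address, port and tag below is constructed.
from dataclasses import dataclass

WILDCARD = None


@dataclass
class NatStateControlBlock:
    int_vtag: int
    int_port: int
    ext_vtag: int            # 0 until the INIT-ACK's Initiate-Tag is learned
    ext_port: int
    priv_addr: str
    restart_supported: bool  # False if the Disable Restart parameter was seen


class NatTable:
    def __init__(self):
        self.entries = []

    def lookup(self, int_vtag, int_port, ext_vtag, ext_port):
        """Lookup(Int-VTag, Int-Port, Ext-VTag, Ext-Port); WILDCARD matches anything."""
        for e in self.entries:
            wanted = (int_vtag, int_port, ext_vtag, ext_port)
            actual = (e.int_vtag, e.int_port, e.ext_vtag, e.ext_port)
            if all(w is WILDCARD or w == a for w, a in zip(wanted, actual)):
                return e
        return None

    def collision(self, new):
        """Uniqueness conditions for an entry about to be inserted; returns the
        error cause to report, or None."""
        same_ports = [e for e in self.entries
                      if (e.int_port, e.ext_port) == (new.int_port, new.ext_port)]
        if not same_ports:
            return None
        # Rule 1: the (Int-Port, Ext-Port) pair is unique unless every entry
        # sharing it, the new one included, supports the restart procedure.
        if not (new.restart_supported and all(e.restart_supported for e in same_ports)):
            return "Port Number Collision"
        # Rule 2: then (ports, Int-VTag) and (ports, Ext-VTag) must each be
        # unique; an Ext-VTag of 0 is not yet learned (assumption, see above).
        for e in same_ports:
            if e.int_vtag == new.int_vtag or (new.ext_vtag != 0 and e.ext_vtag == new.ext_vtag):
                return "VTag and Port Number Collision"
        return None

    def create(self, int_vtag, int_port, ext_vtag, ext_port, priv_addr, restart_supported):
        """Create(): insert a control block, or return (None, cause) on a collision."""
        cb = NatStateControlBlock(int_vtag, int_port, ext_vtag, ext_port,
                                  priv_addr, restart_supported)
        cause = self.collision(cb)
        if cause is not None:
            return None, cause
        self.entries.append(cb)
        return cb, None


def update(cb, **fields):
    """Update(): fields not named are the draft's '*' and stay unchanged."""
    for name, value in fields.items():
        setattr(cb, name, value)
    return cb


def outgoing_init(nat, priv_addr, int_port, ext_port, initiate_tag, restart_supported):
    """Host behind the NAT sends INIT: Create(Initiate-Tag, Int-Port, 0, Ext-Port, ...)."""
    cb, cause = nat.create(initiate_tag, int_port, 0, ext_port, priv_addr, restart_supported)
    if cb is None:
        return "ABORT(M-bit) cause=" + cause   # Section 6.3: ABORT from the middlebox
    return "translate src to Pub-Addr:%d" % int_port


def incoming(nat, chunk_type, int_port, ext_port, vtag, initiate_tag=None, m_bit=False):
    """Packet from the Internet to Pub-Addr:Int-Port: apply the lookups of the
    figures above and return (action, Private-Address or None)."""
    cb = nat.lookup(vtag, int_port, WILDCARD, ext_port)      # packet VTag is Int-VTag
    if chunk_type == "INIT-ACK":
        if cb is None:
            return ("drop", None)                          # "the SCTP packet is dropped"
        update(cb, ext_vtag=initiate_tag)                  # Update(*, *, Initiate-Tag, *)
        return ("deliver", cb.priv_addr)
    if cb is None and chunk_type in ("ABORT", "SHUTDOWN-COMPLETE"):
        cb = nat.lookup(WILDCARD, int_port, vtag, ext_port)  # reflected Ext-VTag case
    if cb is not None:
        return ("deliver", cb.priv_addr)
    # Missing state (Section 6.5): ERROR 'Missing State' with M-bit and T-bit
    # set and the VTag reflected, except after ABORT or SHUTDOWN-COMPLETE
    # (SHOULD NOT) and after an ERROR that itself carries the M-bit (MUST NOT).
    if chunk_type in ("ABORT", "SHUTDOWN-COMPLETE") or (chunk_type == "ERROR" and m_bit):
        return ("drop", None)
    return ("ERROR(M-bit,T-bit,VTag=0x%08x) cause=Missing State" % vtag, None)


def demo():
    """One association through the NAT, then the collision and missing-state cases."""
    nat = NatTable()
    r1 = outgoing_init(nat, "10.0.0.5", 40000, 5000, 0x11111111, True)
    r2 = incoming(nat, "INIT-ACK", 40000, 5000, 0x11111111, initiate_tag=0x22222222)
    r3 = incoming(nat, "DATA", 40000, 5000, 0x11111111)
    r4 = outgoing_init(nat, "10.0.0.6", 40000, 5000, 0x11111111, True)  # same port and tag
    r5 = outgoing_init(nat, "10.0.0.6", 40000, 5000, 0x33333333, True)  # same port, restart ok
    r6 = incoming(nat, "DATA", 40001, 5000, 0x44444444)                  # no state, e.g. NAT restarted
    return r1, r2, r3, r4, r5, r6
```

The two uniqueness rules are checked on insertion rather than on every lookup, so a collision is reported at the moment the NAT would otherwise create an ambiguous entry; the 46-bit coincidence of Section 6.3 appears as r4 in demo(), and the relaxed rule for restart-capable entries as r5.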
skipping to change at page 14, line 5

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |      Cause Code = 0x00B0      |    Cause Length = Variable    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    \                             Chunk                             /
    /                                                               \
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Cause Code: 2 bytes (unsigned integer)

-     This field holds the IANA defined cause code for the VTag and Port
-     Number Collision Error Cause. The suggested value of this field
-     for IANA is 0x00B0.
+     This field holds the IANA defined cause code for the 'VTag and
+     Port Number Collision' Error Cause. The suggested value of this
+     field for IANA is 0x00B0.

   Cause Length: 2 bytes (unsigned integer)

      This field holds the length in bytes of the error cause. The
      value MUST be the length of the Cause-Specific Information plus 4.

   Chunk: variable length

      The Cause-Specific Information is filled with the chunk that
      caused this error. This can be an INIT, INIT-ACK, or ASCONF
      chunk. Note that if the entire chunk will not fit in the ERROR
      chunk or ABORT chunk being sent then the bytes that do not fit are

skipping to change at page 14, line 38

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |      Cause Code = 0x00B1      |    Cause Length = Variable    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    \                        Incoming Packet                        /
    /                                                               \
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Cause Code: 2 bytes (unsigned integer)

-     This field holds the IANA defined cause code for the Missing State
-     Error Cause. The suggested value of this field for IANA is
+     This field holds the IANA defined cause code for the 'Missing
+     State' Error Cause. The suggested value of this field for IANA is
      0x00B1.

   Cause Length: 2 bytes (unsigned integer)

      This field holds the length in bytes of the error cause. The
      value MUST be the length of the Cause-Specific Information plus 4.

   Incoming Packet: variable length

      The Cause-Specific Information is filled with the IPv4 or IPv6
      packet that caused this error. The IPv4 or IPv6 header MUST be
      included. Note that if the packet will not fit in the ERROR chunk

skipping to change at page 15, line 18

      ]

5.2.3.  Port Number Collision Error Cause

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |      Cause Code = 0x00B2      |    Cause Length = Variable    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   \                             chunk                             /
+   \                             Chunk                             /
    /                                                               \
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Cause Code: 2 bytes (unsigned integer)

-     This field holds the IANA defined cause code for the Port Number
-     Collision Error Cause. The suggested value of this field for IANA
-     is 0x00B2.
+     This field holds the IANA defined cause code for the 'Port Number
+     Collision' Error Cause. The suggested value of this field for
+     IANA is 0x00B2.

   Cause Length: 2 bytes (unsigned integer)

      This field holds the length in bytes of the error cause. The
      value MUST be the length of the Cause-Specific Information plus 4.

   Chunk: variable length

      The Cause-Specific Information is filled with the chunk that
      caused this error. This can be an INIT, INIT-ACK, or ASCONF
      chunk. Note that if the entire chunk will not fit in the ERROR
      chunk or ABORT chunk being sent then the bytes that do not fit are

skipping to change at page 17, line 49

   This parameter MAY appear in ASCONF chunks and MUST NOT appear in any
   other chunk.
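The three error causes of Section 5.2 (cause codes 0x00B0, 0x00B1 and 0x00B2) as a TLV encoder and a bounds-checked decoder, added here as an example; this is not code from the draft. It assumes the variable-length parameter format of RFC 4960 for error causes (padding to a 4-byte boundary, with the Cause Length excluding the padding), the chunk type values INIT = 1 and INIT-ACK = 2 from RFC 4960 and ASCONF = 0xC1 from RFC 5061, and the helper names encode_error_cause(), decode_error_causes(), validate_cause() and demo(); the INIT chunk and IPv4 packet bytes in demo() are constructed sample data.

```python
# Added example, not from the draft: build and parse the error causes of
# Section 5.2. Cause Length is the Cause-Specific Information length plus 4;
# padding to a 4-byte boundary follows the RFC 4960 parameter format and is
# not counted in the length (assumption stated in the lead-in).
import struct

VTAG_AND_PORT_NUMBER_COLLISION = 0x00B0   # Cause-Specific Information: the chunk
MISSING_STATE = 0x00B1                    # Cause-Specific Information: the IP packet
PORT_NUMBER_COLLISION = 0x00B2            # Cause-Specific Information: the chunk

INIT, INIT_ACK, ASCONF = 1, 2, 0xC1       # chunk types (RFC 4960, RFC 5061)


def encode_error_cause(cause_code, cause_specific):
    """Return one error cause TLV, padded to a multiple of 4 bytes."""
    length = len(cause_specific) + 4
    padding = (-length) % 4
    return struct.pack("!HH", cause_code, length) + cause_specific + b"\x00" * padding


def decode_error_causes(buf):
    """Walk concatenated error causes and return (cause_code, payload) pairs.
    A length that is too small or runs past the buffer raises ValueError
    instead of reading out of bounds."""
    causes = []
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        if length < 4 or off + length > len(buf):
            raise ValueError("bad cause length %d at offset %d" % (length, off))
        causes.append((code, buf[off + 4:off + length]))
        off += length + ((-length) % 4)    # skip the padding as well
    return causes


def validate_cause(code, payload):
    """Check that the Cause-Specific Information has the shape the draft
    requires; returns "ok" or the reason it does not."""
    if code in (VTAG_AND_PORT_NUMBER_COLLISION, PORT_NUMBER_COLLISION):
        if len(payload) < 4:
            return "chunk header missing"
        if payload[0] not in (INIT, INIT_ACK, ASCONF):   # "INIT, INIT-ACK, or ASCONF chunk"
            return "unexpected chunk type 0x%02x" % payload[0]
        return "ok"
    if code == MISSING_STATE:
        if not payload:
            return "IP header missing"                   # "header MUST be included"
        if payload[0] >> 4 not in (4, 6):
            return "not an IPv4/IPv6 packet"
        return "ok"
    return "unknown cause code 0x%04x" % code


def demo():
    """Encode a collision cause and a missing-state cause, then decode them."""
    # constructed INIT chunk: type, flags, length 20, Initiate Tag, a_rwnd,
    # outbound/inbound streams, initial TSN
    init_chunk = struct.pack("!BBHIIHHI", INIT, 0, 20, 0x11111111, 65536, 10, 10, 1)
    # constructed IPv4 header (version 4, IHL 5, rest zeroed) plus an SCTP
    # common header: ports 40000 -> 5000, VTag, checksum 0
    ipv4_packet = bytes([0x45]) + b"\x00" * 19 + struct.pack("!HHII", 40000, 5000, 0x11111111, 0)
    buf = (encode_error_cause(VTAG_AND_PORT_NUMBER_COLLISION, init_chunk)
           + encode_error_cause(MISSING_STATE, ipv4_packet))
    return [(hex(code), len(payload), validate_cause(code, payload))
            for code, payload in decode_error_causes(buf)]
```

decode_error_causes() refuses a Cause Length below 4 or beyond the end of the buffer before slicing, which is the check an endpoint needs because the ERROR or ABORT carrying these causes may come from an unauthenticated middlebox.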
6. Procedures for SCTP End Points and NATs 6. Procedures for SCTP End Points and NATs
6.1. Overview 6.1. Overview
When an SCTP endpoint is behind an SCTP-aware NAT a number of When an SCTP endpoint is behind an SCTP-aware NAT a number of
problems may arise as it tries to communicate with its peer: problems may arise as it tries to communicate with its peer:
o IP addresses can not not be included in the SCTP packet. This is
discussed in Section 6.2.
o More than one host behind a NAT may pick the same VTag and source o More than one host behind a NAT may pick the same VTag and source
port when talking to the same peer server. This creates a port when talking to the same peer server. This creates a
situation where the NAT will not be able to tell the two situation where the NAT will not be able to tell the two
associations apart. This situation is discussed in Section 6.3. associations apart. This situation is discussed in Section 6.3.
o When an SCTP endpoint is a server communicating with multiple o When an SCTP endpoint is a server communicating with multiple
peers and the peers are behind the same NAT, then the two peers and the peers are behind the same NAT, then the two
endpoints cannot be distinguished by the server. This case is endpoints cannot be distinguished by the server. This case is
discussed in Section 6.4. discussed in Section 6.4.
o A restart of a NAT during a conversation could cause a loss of its o A restart of a NAT during a conversation could cause a loss of its
state. This problem and its solution is discussed in Section 6.5. state. This problem and its solution is discussed in Section 6.5.
o NAT boxes need to deal with SCTP packets being fragmented at the
IP layer. This is discussed in Section 6.6.
o An SCTP endpoint may be behind two NATs providing redundancy. The o An SCTP endpoint may be behind two NATs providing redundancy. The
method to set up this scenario is discussed in Section 6.7. method to set up this scenario is discussed in Section 6.7.
Each of these mechanisms requires additional chunks and parameters, Each of these mechanisms requires additional chunks and parameters,
defined in this document, and possibly modified handling procedures defined in this document, and possibly modified handling procedures
from those specified in [RFC4960]. from those specified in [RFC4960].
6.2. Association Setup Considerations 6.2. Association Setup Considerations
The association setup procedure defined in [RFC4960] allows multi- The association setup procedure defined in [RFC4960] allows multi-
skipping to change at page 18, line 44 skipping to change at page 18, line 50
If the association should finally be multi-homed, the procedure in If the association should finally be multi-homed, the procedure in
Section 6.7 MUST be used. Section 6.7 MUST be used.
The INIT and INIT-ACK chunk SHOULD contain the Disable Restart The INIT and INIT-ACK chunk SHOULD contain the Disable Restart
parameter defined in Section 5.3.1. parameter defined in Section 5.3.1.
6.3. Handling of Internal Port Number and Verification Tag Collisions 6.3. Handling of Internal Port Number and Verification Tag Collisions
Consider the case where two hosts in the Private-Address space want Consider the case where two hosts in the Private-Address space want
to set up an SCTP association with the same server running on the to set up an SCTP association with the same service provided by some
same host in the Internet. This means that the External-Port and the hosts in the Internet. This means that the External-Port is the
External-Address are the same. If they both choose the same same. If they both choose the same Internal-Port and Internal-VTag,
Internal-Port and Internal-VTag, the NAT box cannot distinguish the NAT box cannot distinguish between incoming packets anymore. But
between incoming packets anymore. But this is very unlikely. The this is very unlikely. The Internal-VTags are chosen at random and
Internal-VTags are chosen at random and if the Internal-Ports are if the Internal-Ports are also chosen from the ephemeral port range
also chosen from the ephemeral port range at random this gives a at random this gives a 46-bit random number which has to match. In
46-bit random number which has to match. In the TCP-like NAPT case the TCP-like NAPT case the NAT box can control the 16-bit Natted Port
the NAT box can control the 16-bit Natted Port and therefore avoid and therefore avoid collisions deterministically.
collisions deterministically.
The same can happen when an INIT-ACK chunk or an ASCONF chunk is The same can happen with the External-VTag when an INIT-ACK chunk or
processed by the NAT. an ASCONF chunk is processed by the NAT.
However, in this unlikely event the NAT box MUST send an ABORT chunk However, in this unlikely event the NAT box MUST send an ABORT chunk
with the M-bit set if the collision is triggered by an INIT or INIT- with the M-bit set if the collision is triggered by an INIT or INIT-
ACK chunk or send an ERROR chunk with the M-bit set if the collision ACK chunk or send an ERROR chunk with the M-bit set if the collision
is triggered by an ASCONF chunk. The M-bit is a new bit defined by is triggered by an ASCONF chunk. The M-bit is a new bit defined by
this document to express to SCTP that the source of this packet is a this document to express to SCTP that the source of this packet is a
"middle" box, not the peer SCTP endpoint (see Section 5.1.1). If a "middle" box, not the peer SCTP endpoint (see Section 5.1.1). If a
packet containing an INIT-ACK chunk triggers the collision, the packet containing an INIT-ACK chunk triggers the collision, the
corresponding packet containing the ABORT chunk MUST contain the same corresponding packet containing the ABORT chunk MUST contain the same
source and destination address and port numbers as the packet source and destination address and port numbers as the packet
skipping to change at page 21, line 5 skipping to change at page 21, line 10
the lookup procedure does not find an entry in the NAT table, a the lookup procedure does not find an entry in the NAT table, a
packet containing an ERROR chunk is sent back with the M-bit set. packet containing an ERROR chunk is sent back with the M-bit set.
The source address of the packet containing the ERROR chunk MUST be The source address of the packet containing the ERROR chunk MUST be
the destination address of the incoming SCTP packet. The the destination address of the incoming SCTP packet. The
verification tag is reflected and the T-bit is set. Please note that verification tag is reflected and the T-bit is set. Please note that
such a packet containing an ERROR chunk SHOULD NOT be sent if the such a packet containing an ERROR chunk SHOULD NOT be sent if the
received packet contains an ABORT, SHUTDOWN-COMPLETE or INIT-ACK received packet contains an ABORT, SHUTDOWN-COMPLETE or INIT-ACK
chunk. An ERROR chunk MUST NOT be sent if the received packet chunk. An ERROR chunk MUST NOT be sent if the received packet
contains an ERROR chunk with the M-bit set. contains an ERROR chunk with the M-bit set.
When sending the ERROR chunk, the new error cause Missing state (see When sending the ERROR chunk, the new error cause 'Missing State'
Section 5.2.2) MUST be included and the new M-bit of the ERROR chunk (see Section 5.2.2) MUST be included and the new M-bit of the ERROR
MUST be set (see Section 5.1.2). chunk MUST be set (see Section 5.1.2).
Upon reception of this ERROR chunk by an SCTP endpoint the receiver Upon reception of this ERROR chunk by an SCTP endpoint the receiver
SHOULD take the following actions: SHOULD take the following actions:
o Validate that the verification tag is reflected by looking at the o Validate that the verification tag is reflected by looking at the
VTag that would have been included in the outgoing packet. VTag that would have been included in the outgoing packet.
o Validate that the peer of the SCTP association supports the o Validate that the peer of the SCTP association supports the
dynamic address extension; if it does not, discard the incoming dynamic address extension; if it does not, discard the incoming
ERROR chunk. ERROR chunk.
skipping to change at page 22, line 47 skipping to change at page 23, line 9
address causing the first NAT to populate its state. Then it SHOULD address causing the first NAT to populate its state. Then it SHOULD
add each IP address using ASCONF chunks sent via their respective add each IP address using ASCONF chunks sent via their respective
NATs. The address to add is the wildcard address and the lookup NATs. The address to add is the wildcard address and the lookup
address SHOULD also contain the VTags parameter and optionally the address SHOULD also contain the VTags parameter and optionally the
Disable Restart parameter as illustrated above. Disable Restart parameter as illustrated above.
7. Various Examples of NAT Traversals 7. Various Examples of NAT Traversals
Please note that this section is informational only. Please note that this section is informational only.
The addresses being used in the following examples are IPv4 addresses
for private-use networks and for documentation as specified in
[RFC6890]. However, the method described here is not limited to this
NAT44 case.
7.1. Single-homed Client to Single-homed Server 7.1. Single-homed Client to Single-homed Server
The internal client starts the association with the external server The internal client starts the association with the external server
via a four-way-handshake. Host A starts by sending an INIT chunk. via a four-way-handshake. Host A starts by sending an INIT chunk.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Priv | Ext | Ext | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+--- -------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
10.0.0.1:1 ------> 100.0.0.1:2 10.0.0.1:1 ------> 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
A NAT entry is created, the source address is substituted and the A NAT entry is created, the source address is substituted and the
packet is sent on: packet is sent on:
NAT creates entry: NAT creates entry:
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Priv | Ext | Ext | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 10.0.0.1 | 0 | 2 | | 1234 | 1 | 0 | 2 | 10.0.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
101.0.0.1:1 --------------------------> 100.0.0.1:2 192.0.2.1:1 ------------------------> 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
Host B receives the INIT and sends an INIT-ACK with the NAT's Host B receives the INIT and sends an INIT-ACK with the NAT's
external address as destination address. external address as destination address.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
INIT-ACK[Initiate-Tag = 5678] INIT-ACK[Initiate-Tag = 5678]
101.0.0.1:1 <------------------------- 100.0.0.1:2 192.0.2.1:1 <----------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
NAT updates entry: NAT updates entry:
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Priv | Ext | Ext | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 10.0.0.1 | 5678 | 2 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT-ACK[Initiate-Tag = 5678] INIT-ACK[Initiate-Tag = 5678]
10.0.0.1:1 <------ 100.0.0.1:2 10.0.0.1:1 <------ 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE-ECHO acknowledged by a COOKIE- The handshake finishes with a COOKIE-ECHO acknowledged by a COOKIE-
ACK. ACK.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <------> | NAT | <------> | Internet | <------> | Host B | | Host A | <------> | NAT | <------> | Internet | <------> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\---/ \--/\---/
COOKIE-ECHO COOKIE-ECHO
10.0.0.1:1 ------> 100.0.0.1:2 10.0.0.1:1 ------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ECHO COOKIE-ECHO
101.0.0.1:1 -------------------------> 100.0.0.1:2 192.0.2.1:1 -----------------------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ACK COOKIE-ACK
101.0.0.1:1 <------------------------- 100.0.0.1:2 192.0.2.1:1 <----------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
COOKIE-ACK COOKIE-ACK
10.0.0.1:1 <------ 100.0.0.1:2 10.0.0.1:1 <------ 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
7.2. Single-homed Client to Multi-homed Server 7.2. Single-homed Client to Multi-homed Server
The internal client is single-homed whereas the external server is The internal client is single-homed whereas the external server is
multi-homed. The client (Host A) sends an INIT like in the single- multi-homed. The client (Host A) sends an INIT like in the single-
homed case. homed case.
+--------+ +--------+
/--\/--\ /-|Router 1| \ /--\/--\ /-|Router 1| \
+------+ +-----+ / \ / +--------+ \ +------+ +------+ +-----+ / \ / +--------+ \ +------+
| Host | <-----> | NAT | <-> | Internet | == =| Host | | Host | <-----> | NAT | <-> | Internet | == =| Host |
| A | +-----+ \ / \ +--------+ / | B | | A | +-----+ \ / \ +--------+ / | B |
+------+ \--/\--/ \-|Router 2|-/ +------+ +------+ \--/\--/ \-|Router 2|-/ +------+
+--------+ +--------+
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Priv | Ext | Ext | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
10.0.0.1:1 ---> 100.0.0.1:2 10.0.0.1:1 ---> 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
NAT creates entry: NAT creates entry:
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Priv | Ext | Ext | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 10.0.0.1 | 0 | 2 | | 1234 | 1 | 0 | 2 | 10.0.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
101.0.0.1:1 ----------------------------> 100.0.0.1:2 192.0.2.1:1 --------------------------> 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
The server (Host B) includes its two addresses in the INIT-ACK chunk, The server (Host B) includes its two addresses in the INIT-ACK chunk,
which results in two NAT entries. which results in two NAT entries.
+--------+ +--------+
/--\/--\ /-|Router 1| \ /--\/--\ /-|Router 1| \
+------+ +-----+ / \ / +--------+ \ +------+ +------+ +-----+ / \ / +--------+ \ +------+
| Host | <-----> | NAT | <-> | Internet | == =| Host | | Host | <-----> | NAT | <-> | Internet | == =| Host |
| A | +-----+ \ / \ +--------+ / | B | | A | +-----+ \ / \ +--------+ / | B |
+------+ \--/\--/ \-|Router 2|-/ +------+ +------+ \--/\--/ \-|Router 2|-/ +------+
+--------+ +--------+
INIT-ACK[Initiate-tag = 5678, IP-Addr = 100.1.0.1] INIT-ACK[Initiate-tag = 5678, IP-Addr = 203.0.113.129]
101.0.0.1:1 <---------------------------- 100.0.0.1:2 192.0.2.1:1 <-------------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
NAT does not need to change the table for the second address: NAT does not need to change the table for the second address:
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Priv | Ext | Ext | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 10.0.0.1 | 5678 | 2 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT-ACK[Initiate-Tag = 5678] INIT-ACK[Initiate-Tag = 5678]
10.0.0.1:1 <--- 100.0.0.1:2 10.0.0.1:1 <--- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE-ECHO acknowledged by a COOKIE- The handshake finishes with a COOKIE-ECHO acknowledged by a COOKIE-
ACK. ACK.
+--------+ +--------+
/--\/--\ /-|Router 1| \ /--\/--\ /-|Router 1| \
+------+ +-----+ / \ / +--------+ \ +------+ +------+ +-----+ / \ / +--------+ \ +------+
| Host | <-----> | NAT | <-> | Internet | == =| Host | | Host | <-----> | NAT | <-> | Internet | == =| Host |
| A | +-----+ \ / \ +--------+ / | B | | A | +-----+ \ / \ +--------+ / | B |
+------+ \--/\--/ \-|Router 2|-/ +------+ +------+ \--/\--/ \-|Router 2|-/ +------+
+--------+ +--------+
COOKIE-ECHO COOKIE-ECHO
10.0.0.1:1 ---> 100.0.0.1:2 10.0.0.1:1 ---> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ECHO COOKIE-ECHO
101.0.0.1:1 ----------------------------> 100.0.0.1:2 192.0.2.1:1 --------------------------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ACK COOKIE-ACK
101.0.0.1:1 <---------------------------- 100.0.0.1:2 192.0.2.1:1 <-------------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
COOKIE-ACK COOKIE-ACK
10.0.0.1:1 <--- 100.0.0.1:2 10.0.0.1:1 <--- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
7.3. Multihomed Client and Server 7.3. Multihomed Client and Server
The client (Host A) sends an INIT to the server (Host B), but does The client (Host A) sends an INIT to the server (Host B), but does
not include the second address. not include the second address.
+-------+ +-------+
/--| NAT 1 |--\ /--\/--\ /--| NAT 1 |--\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |====| Host B | | Host |=== ====| Internet |====| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--| NAT 2 |--/ \--/\--/ +------+ \--| NAT 2 |--/ \--/\--/
+-------+ +-------+
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT 1 | Int | Int | Priv | Ext | Ext | NAT 1 | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+--- -------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
10.0.0.1:1 --------> 100.0.0.1:2 10.0.0.1:1 --------> 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
NAT 1 creates entry: NAT 1 creates entry:
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT 1 | Int | Int | Priv | Ext | Ext | NAT 1 | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 10.0.0.1 | 0 | 2 | | 1234 | 1 | 0 | 2 | 10.0.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
101.0.0.1:1 -----------------------> 100.0.0.1:2 192.0.2.1:1 ---------------------> 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
Host B includes its second address in the INIT-ACK, which results in Host B includes its second address in the INIT-ACK, which results in
two NAT entries in NAT 1. two NAT entries in NAT 1.
+-------+ +-------+
/--------| NAT 1 |--------\ /--\/--\ /--------| NAT 1 |--------\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |===| Host B | | Host |=== ====| Internet |===| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
+-------+ +-------+
INIT-ACK[Initiate-Tag = 5678, IP-Addr = 100.1.0.1] INIT-ACK[Initiate-Tag = 5678, IP-Addr = 203.0.113.129]
101.0.0.1:1 <------------------------- 100.0.0.1:2 192.0.2.1:1 <----------------------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
NAT 1 does not need to update the table for the second address: NAT 1 does not need to update the table for the second address:
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT 1 | Int | Int | Priv | Ext | Ext | NAT 1 | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 10.0.0.1 | 5678 | 2 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT-ACK[Initiate-Tag = 5678] INIT-ACK[Initiate-Tag = 5678]
10.0.0.1:1 <---------100.0.0.1:2 10.0.0.1:1 <-------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
The handshake finishes with a COOKIE-ECHO acknowledged by a COOKIE- The handshake finishes with a COOKIE-ECHO acknowledged by a COOKIE-
ACK. ACK.
+-------+ +-------+
/--------| NAT 1 |--------\ /--\/--\ /--------| NAT 1 |--------\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |===| Host B | | Host |=== ====| Internet |===| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
+-------+ +-------+
COOKIE-ECHO COOKIE-ECHO
10.0.0.1:1 --------> 100.0.0.1:2 10.0.0.1:1 --------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ECHO COOKIE-ECHO
101.0.0.1:1 --------------------> 100.0.0.1:2 192.0.2.1:1 ------------------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ACK COOKIE-ACK
101.0.0.1:1 <-------------------- 100.0.0.1:2 192.0.2.1:1 <------------------ 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
COOKIE-ACK COOKIE-ACK
10.0.0.1:1 <------- 100.0.0.1:2 10.0.0.1:1 <------- 203.0.113.1:2
Int-VTag = 1234 Int-VTag = 1234
Host A announces its second address in an ASCONF chunk. The address Host A announces its second address in an ASCONF chunk. The address
parameter contains an undefined address (0) to indicate that the parameter contains an undefined address (0) to indicate that the
source address should be added. The lookup address parameter within source address should be added. The lookup address parameter within
the ASCONF chunk will also contain the pair of VTags (external and the ASCONF chunk will also contain the pair of VTags (external and
internal) so that the NAT may populate its table completely with this internal) so that the NAT may populate its table completely with this
single packet. single packet.
+-------+ +-------+
/--------| NAT 1 |--------\ /--\/--\ /--------| NAT 1 |--------\ /--\/--\
+------+ / +-------+ \ / \ +--------+ +------+ / +-------+ \ / \ +--------+
| Host |=== ====| Internet |===| Host B | | Host |=== ====| Internet |===| Host B |
| A | \ +-------+ / \ / +--------+ | A | \ +-------+ / \ / +--------+
+------+ \--------| NAT 2 |--------/ \--/\--/ +------+ \--------| NAT 2 |--------/ \--/\--/
+-------+ +-------+
ASCONF [ADD-IP=0.0.0.0, INT-VTag=1234, Ext-VTag = 5678] ASCONF [ADD-IP=0.0.0.0, INT-VTag=1234, Ext-VTag = 5678]
10.1.0.1:1 --------> 100.1.0.1:2 10.1.0.1:1 --------> 203.0.113.129:2
Ext-VTag = 5678 Ext-VTag = 5678
NAT 2 creates complete entry: NAT 2 creates complete entry:
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT 2 | Int | Int | Priv | Ext | Ext | NAT 2 | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 10.1.0.1 | 5678 | 2 | | 1234 | 1 | 5678 | 2 | 10.1.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
ASCONF [ADD-IP,Int-VTag=1234, Ext-VTag = 5678] ASCONF [ADD-IP,Int-VTag=1234, Ext-VTag = 5678]
101.1.0.1:1 -----------------------> 100.1.0.1:2 192.0.2.129:1 ---------------------> 203.0.113.129:2
Ext-VTag = 5678 Ext-VTag = 5678
ASCONF-ACK ASCONF-ACK
101.1.0.1:1 <----------------------- 100.1.0.1:2 192.0.2.129:1 <--------------------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
ASCONF-ACK ASCONF-ACK
10.1.0.1:1 <----- 100.1.0.1:2 10.1.0.1:1 <----- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
7.4. NAT Loses Its State 7.4. NAT Loses Its State
An association is already established between Host A and Host B when An association is already established between Host A and Host B when
the NAT loses its state and obtains a new public address. Host A the NAT loses its state and obtains a new public address. Host A
sends a DATA chunk to Host B. sends a DATA chunk to Host B.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Priv | Ext | Ext | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 10.0.0.1 | 5678 | 2 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
DATA DATA
10.0.0.1:1 ----------> 100.0.0.1:2 10.0.0.1:1 ----------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
The NAT box cannot find an entry for the association. It sends an ERROR The NAT box cannot find an entry for the association. It sends an ERROR
message with the M-bit set and the cause "NAT state missing". message with the M-bit set and the cause "NAT state missing".
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
ERROR [M-Bit, NAT state missing] ERROR [M-Bit, NAT state missing]
10.0.0.1:1 <---------- 100.0.0.1:2 10.0.0.1:1 <---------- 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
On reception of the ERROR message, Host A sends an ASCONF chunk On reception of the ERROR message, Host A sends an ASCONF chunk
indicating that the former information has to be deleted and the indicating that the former information has to be deleted and the
source address of the current packet added. source address of the current packet added.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
ASCONF [ADD-IP,DELETE-IP,Int-VTag=1234, Ext-VTag = 5678] ASCONF [ADD-IP,DELETE-IP,Int-VTag=1234, Ext-VTag = 5678]
10.0.0.1:1 ----------> 100.1.0.1:2 10.0.0.1:1 ----------> 203.0.113.129:2
Ext-VTag = 5678 Ext-VTag = 5678
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT | Int | Int | Priv | Ext | Ext | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 10.0.0.1 | 5678 | 2 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
ASCONF [ADD-IP,DELETE-IP,Int-VTag=1234, Ext-VTag = 5678] ASCONF [ADD-IP,DELETE-IP,Int-VTag=1234, Ext-VTag = 5678]
102.1.0.1:1 ---------------------> 100.1.0.1:2 192.0.2.2:1 -------------------> 203.0.113.129:2
Ext-VTag = 5678 Ext-VTag = 5678
Host B adds the new source address and deletes all former entries. Host B adds the new source address and deletes all former entries.
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
ASCONF-ACK ASCONF-ACK
102.1.0.1:1 <--------------------- 100.1.0.1:2 192.0.2.2:1 <------------------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
ASCONF-ACK ASCONF-ACK
10.1.0.1:1 <---------- 100.1.0.1:2 10.1.0.1:1 <---------- 203.0.113.129:2
Int-VTag = 1234 Int-VTag = 1234
DATA DATA
10.0.0.1:1 ----------> 100.0.0.1:2 10.0.0.1:1 ----------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
DATA DATA
102.1.0.1:1 ---------------------> 100.1.0.1:2 192.0.2.2:1 -------------------> 203.0.113.129:2
Ext-VTag = 5678 Ext-VTag = 5678
7.5. Peer-to-Peer Communication 7.5. Peer-to-Peer Communication
If two hosts are behind NATs, they have to learn the If two hosts are behind NATs, they have to learn the
peer's public address. This can be achieved with a so-called peer's public address. This can be achieved with a so-called
rendezvous server. Afterwards the destination addresses are public, rendezvous server. Afterwards the destination addresses are public,
and the association is set up with the help of the INIT collision. and the association is set up with the help of the INIT collision.
The NAT boxes create their entries according to their internal peer's The NAT boxes create their entries according to their internal peer's
point of view. Therefore, NAT A's Internal-VTag and Internal-Port point of view. Therefore, NAT A's Internal-VTag and Internal-Port
are NAT B's External-VTag and External-Port, respectively. The are NAT B's External-VTag and External-Port, respectively. The
skipping to change at page 35, line 14 skipping to change at page 35, line 14
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
NAT-Tables NAT-Tables
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT A | Int | Int | Priv | Ext | Ext | NAT A | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+--- -------+----------+--------+ +---------+--------+----------+--------+-----------+
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT B | Int | Int | Priv | Ext | Ext | NAT B | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+--- -------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
10.0.0.1:1 --> 100.0.0.1:2 10.0.0.1:1 --> 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
NAT A creates entry: NAT A creates entry:
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT A | Int | Int | Priv | Ext | Ext | NAT A | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 10.0.0.1 | 0 | 2 | | 1234 | 1 | 0 | 2 | 10.0.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 1234] INIT[Initiate-Tag = 1234]
101.0.0.1:1 ----------------> 100.0.0.1:2 192.0.2.1:1 ----------------> 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
NAT B processes the INIT, but cannot find an entry. The SCTP packet is NAT B processes the INIT, but cannot find an entry. The SCTP packet is
silently discarded and leaves the NAT table of NAT B unchanged. silently discarded and leaves the NAT table of NAT B unchanged.
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT B | Int | Int | Priv | Ext | Ext | NAT B | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
Now Host B sends an INIT, which is processed by NAT B. Its parameters Now Host B sends an INIT, which is processed by NAT B. Its parameters
are used to create an entry. are used to create an entry.
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
INIT[Initiate-Tag = 5678] INIT[Initiate-Tag = 5678]
101.0.0.1:1 <-- 10.1.0.1:2 192.0.2.1:1 <-- 10.1.0.1:2
Ext-VTag = 0 Ext-VTag = 0
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT B | Int | Int | Priv | Ext | Ext | NAT B | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 5678 | 2 | 10.1.0.1 | 0 | 1 | | 5678 | 2 | 0 | 1 | 10.1.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-Tag = 5678] INIT[Initiate-Tag = 5678]
101.0.0.1:1 <--------------- 100.0.0.1:2 192.0.2.1:1 <--------------- 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
NAT A processes the INIT. As the outgoing INIT of Host A has already NAT A processes the INIT. As the outgoing INIT of Host A has already
created an entry, the entry is found and updated: created an entry, the entry is found and updated:
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
VTag != Int-VTag, but Ext-VTag == 0, find entry. VTag != Int-VTag, but Ext-VTag == 0, find entry.
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT A | Int | Int | Priv | Ext | Ext | NAT A | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 10.0.0.1 | 5678 | 2 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT[Initiate-tag = 5678] INIT[Initiate-tag = 5678]
10.0.0.1:1 <-- 100.0.0.1:2 10.0.0.1:1 <-- 203.0.113.1:2
Ext-VTag = 0 Ext-VTag = 0
Host A sends INIT-ACK, which can pass through NAT B: Host A sends INIT-ACK, which can pass through NAT B:
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
INIT-ACK[Initiate-Tag = 1234] INIT-ACK[Initiate-Tag = 1234]
10.0.0.1:1 --> 100.0.0.1:2 10.0.0.1:1 --> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
INIT-ACK[Initiate-Tag = 1234] INIT-ACK[Initiate-Tag = 1234]
101.0.0.1:1 ----------------> 100.0.0.1:2 192.0.2.1:1 ----------------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
NAT B updates entry: NAT B updates entry:
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
NAT B | Int | Int | Priv | Ext | Ext | NAT B | Int | Int | Ext | Ext | Priv |
| VTag | Port | Addr | VTag | Port | | VTag | Port | VTag | Port | Addr |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
| 5678 | 2 | 10.1.0.1 | 1234 | 1 | | 5678 | 2 | 1234 | 1 | 10.1.0.1 |
+---------+--------+-----------+----------+--------+ +---------+--------+----------+--------+-----------+
INIT-ACK[Initiate-Tag = 1234] INIT-ACK[Initiate-Tag = 1234]
101.0.0.1:1 --> 10.1.0.1:2 192.0.2.1:1 --> 10.1.0.1:2
Ext-VTag = 5678 Ext-VTag = 5678
The lookup for COOKIE-ECHO and COOKIE-ACK is successful. The lookup for COOKIE-ECHO and COOKIE-ACK is successful.
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
COOKIE-ECHO COOKIE-ECHO
101.0.0.1:1 <-- 10.1.0.1:2 192.0.2.1:1 <-- 10.1.0.1:2
Ext-VTag = 1234 Ext-VTag = 1234
COOKIE-ECHO COOKIE-ECHO
101.0.0.1:1 <------------- 100.0.0.1:2 192.0.2.1:1 <------------- 203.0.113.1:2
Ext-VTag = 1234 Ext-VTag = 1234
COOKIE-ECHO COOKIE-ECHO
10.0.0.1:1 <-- 100.0.0.1:2 10.0.0.1:1 <-- 203.0.113.1:2
Ext-VTag = 1234 Ext-VTag = 1234
COOKIE-ACK COOKIE-ACK
10.0.0.1:1 --> 100.0.0.1:2 10.0.0.1:1 --> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ACK COOKIE-ACK
101.0.0.1:1 ----------------> 100.0.0.1:2 192.0.2.1:1 ----------------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
COOKIE-ACK COOKIE-ACK
101.0.0.1:1 --> 10.1.0.1:2 192.0.2.1:1 --> 10.1.0.1:2
Ext-VTag = 5678 Ext-VTag = 5678
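A worked model of the NAT table and the lookups the figures above exercise, added here as an illustration; it is not part of the draft and not code from any NAT implementation. The column layout (Int-VTag, Int-Port, Ext-VTag, Ext-Port, Priv-Addr) and the three lookup rules it encodes are taken from the figures: an INIT arriving from the outside carries VTag 0, so it is matched on the ports against an entry whose Ext-VTag is still 0 and the entry is then filled with the Initiate Tag; an INIT-ACK likewise fills in Ext-VTag ("NAT B updates entry"); every other packet must match a tag plus both ports. The Packet, Entry and SctpNat names, the 300 second idle timeout, the assumed starting state (each NAT already holds an entry with Ext-VTag 0 because its own host sent an INIT) and the drop-on-no-match behaviour are assumptions of the model. The expire() method is the per-entry timer the Security Considerations recommend.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class Packet:
    src: Addr
    dst: Addr
    vtag: int              # Verification Tag in the SCTP common header (0 in an INIT)
    chunk: str             # first chunk type: INIT, INIT-ACK, COOKIE-ECHO, COOKIE-ACK, ...
    initiate_tag: int = 0  # Initiate Tag carried by INIT / INIT-ACK, else 0


@dataclass
class Entry:
    """One row of the NAT table, columns as in the draft's figures."""
    int_vtag: int
    int_port: int
    ext_vtag: int          # 0 until the peer's Initiate Tag has been seen
    ext_port: int
    priv_addr: str
    last_used: float = 0.0


class SctpNat:
    LIFETIME = 300.0       # assumed idle timeout; the draft only says "run a timer"

    def __init__(self, public_addr: str, clock: Callable[[], float]):
        self.public_addr = public_addr
        self.clock = clock  # injectable so the timer can be exercised offline
        self.table: List[Entry] = []

    def _find(self, **cond) -> Optional[Entry]:
        for e in self.table:
            if all(getattr(e, k) == v for k, v in cond.items()):
                return e
        return None

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Private -> public: rewrite the source address, keep the port."""
        (src_addr, src_port), (_, dst_port) = p.src, p.dst
        if p.chunk == "INIT":
            # New association from the inside: our host's Initiate Tag becomes
            # Int-VTag; Ext-VTag stays 0 until the peer's tag is learned.
            e = Entry(p.initiate_tag, src_port, 0, dst_port, src_addr)
            self.table.append(e)
        else:
            # Every other outgoing packet carries the peer's tag, i.e. Ext-VTag.
            e = self._find(ext_vtag=p.vtag, int_port=src_port,
                           ext_port=dst_port, priv_addr=src_addr)
            if e is None:
                return None  # assumption: no matching entry -> drop
        e.last_used = self.clock()
        return Packet((self.public_addr, src_port), p.dst, p.vtag, p.chunk, p.initiate_tag)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Public -> private: rewrite the destination address to Priv-Addr."""
        (_, src_port), (_, dst_port) = p.src, p.dst
        if p.chunk == "INIT":
            # VTag is 0 in an INIT and cannot match Int-VTag: find the entry for
            # these ports whose Ext-VTag is still 0 and fill in the peer's tag.
            e = self._find(ext_vtag=0, int_port=dst_port, ext_port=src_port)
            if e is None:
                return None
            e.ext_vtag = p.initiate_tag
        else:
            # Incoming packets carry our host's tag: match Int-VTag plus ports.
            # An off-path sender has to guess this 32-bit value to get through.
            e = self._find(int_vtag=p.vtag, int_port=dst_port, ext_port=src_port)
            if e is None:
                return None
            if p.chunk == "INIT-ACK":  # "NAT B updates entry" in the figure
                e.ext_vtag = p.initiate_tag
        e.last_used = self.clock()
        return Packet(p.src, (e.priv_addr, e.int_port), p.vtag, p.chunk, p.initiate_tag)

    def expire(self) -> int:
        """Security consideration: discard state idle for longer than LIFETIME."""
        now = self.clock()
        live = [e for e in self.table if now - e.last_used < self.LIFETIME]
        removed = len(self.table) - len(live)
        self.table = live
        return removed


def run_walkthrough(clock: Callable[[], float] = lambda: 0.0):
    """Replay the INIT / INIT-ACK / COOKIE-ECHO / COOKIE-ACK exchange of the
    figures; returns (nat_a, nat_b, packets delivered to the two hosts)."""
    nat_a, nat_b = SctpNat("192.0.2.1", clock), SctpNat("203.0.113.1", clock)
    # Assumed starting state: both hosts have sent an INIT, so each NAT already
    # holds an entry whose Ext-VTag is 0.
    nat_a.table.append(Entry(1234, 1, 0, 2, "10.0.0.1"))
    nat_b.table.append(Entry(5678, 2, 0, 1, "10.1.0.1"))
    delivered = []
    # Host B's INIT (Initiate Tag 5678) reaches NAT A from the outside.
    delivered.append(nat_a.inbound(
        Packet(("203.0.113.1", 2), ("192.0.2.1", 1), 0, "INIT", 5678)))
    # Host A answers with INIT-ACK, B sends COOKIE-ECHO, A sends COOKIE-ACK.
    for sender, receiver, pkt in (
        (nat_a, nat_b, Packet(("10.0.0.1", 1), ("203.0.113.1", 2), 5678, "INIT-ACK", 1234)),
        (nat_b, nat_a, Packet(("10.1.0.1", 2), ("192.0.2.1", 1), 1234, "COOKIE-ECHO")),
        (nat_a, nat_b, Packet(("10.0.0.1", 1), ("203.0.113.1", 2), 5678, "COOKIE-ACK")),
    ):
        on_wire = sender.outbound(pkt)
        delivered.append(receiver.inbound(on_wire) if on_wire else None)
    return nat_a, nat_b, delivered
```

After run_walkthrough() both tables hold the rows shown in the figures (NAT A: 1234/1/5678/2/10.0.0.1, NAT B: 5678/2/1234/1/10.1.0.1). An inbound packet carrying a tag that is not in the table, or a second INIT once Ext-VTag has been filled, is dropped, which is the off-path protection the Security Considerations refer to; expire() is the state clean-up that bounds what an attacker can make the NAT hold.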
8. Socket API Considerations 8. Socket API Considerations
This section describes how the socket API defined in [RFC6458] is This section describes how the socket API defined in [RFC6458] is
extended to provide a way for the application to control NAT extended to provide a way for the application to control NAT
friendliness. friendliness.
Please note that this section is informational only. Please note that this section is informational only.
skipping to change at page 42, line 41 skipping to change at page 42, line 41
| 49160 | VTags (0xC008) | [RFCXXXX] | | 49160 | VTags (0xC008) | [RFCXXXX] |
+----------+--------------------------+-----------+ +----------+--------------------------+-----------+
10. Security Considerations 10. Security Considerations
State maintenance within a NAT is always a subject of possible Denial State maintenance within a NAT is always a subject of possible Denial
Of Service attacks. This document recommends that at a minimum a NAT Of Service attacks. This document recommends that at a minimum a NAT
runs a timer on any SCTP state so that old association state can be runs a timer on any SCTP state so that old association state can be
cleaned up. cleaned up.
For SCTP end-points, this document does not add any additional For SCTP end points, this document does not add any additional
security considerations to the ones given in [RFC4960], [RFC4895], security considerations to the ones given in [RFC4960], [RFC4895],
and [RFC5061]. In particular, SCTP is protected by the verification and [RFC5061]. In particular, SCTP is protected by the verification
tags and the usage of [RFC4895] against off-path attackers. tags and the usage of [RFC4895] against off-path attackers.
11. Acknowledgments 11. Acknowledgments
The authors wish to thank Jason But, Gorry Fairhurst, Bryan Ford, The authors wish to thank Gorry Fairhurst, Bryan Ford, David Hayes,
David Hayes, Alfred Hines, Henning Peters, Timo Voelker, Dan Wing, Alfred Hines, Karen E. E. Nielsen, Henning Peters, Timo Voelker,
and Qiaobing Xie for their invaluable comments. Dan Wing, and Qiaobing Xie for their invaluable comments.
In addition, the authors wish to thank David Hayes, Jason But, and
Grenville Armitage, the authors of [DOI_10.1145_1496091.1496095], for
their suggestions.
12. References 12. References
12.1. Normative References 12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4895] Tuexen, M., Stewart, R., Lei, P., and E. Rescorla, [RFC4895] Tuexen, M., Stewart, R., Lei, P., and E. Rescorla,
"Authenticated Chunks for the Stream Control Transmission "Authenticated Chunks for the Stream Control Transmission
Protocol (SCTP)", RFC 4895, DOI 10.17487/RFC4895, August Protocol (SCTP)", RFC 4895, DOI 10.17487/RFC4895, August
2007, <http://www.rfc-editor.org/info/rfc4895>. 2007, <https://www.rfc-editor.org/info/rfc4895>.
[RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol",
RFC 4960, DOI 10.17487/RFC4960, September 2007, RFC 4960, DOI 10.17487/RFC4960, September 2007,
<http://www.rfc-editor.org/info/rfc4960>. <https://www.rfc-editor.org/info/rfc4960>.
[RFC5061] Stewart, R., Xie, Q., Tuexen, M., Maruyama, S., and M. [RFC5061] Stewart, R., Xie, Q., Tuexen, M., Maruyama, S., and M.
Kozuka, "Stream Control Transmission Protocol (SCTP) Kozuka, "Stream Control Transmission Protocol (SCTP)
Dynamic Address Reconfiguration", RFC 5061, Dynamic Address Reconfiguration", RFC 5061,
DOI 10.17487/RFC5061, September 2007, DOI 10.17487/RFC5061, September 2007,
<http://www.rfc-editor.org/info/rfc5061>. <https://www.rfc-editor.org/info/rfc5061>.
[RFC6096] Tuexen, M. and R. Stewart, "Stream Control Transmission [RFC6096] Tuexen, M. and R. Stewart, "Stream Control Transmission
Protocol (SCTP) Chunk Flags Registration", RFC 6096, Protocol (SCTP) Chunk Flags Registration", RFC 6096,
DOI 10.17487/RFC6096, January 2011, DOI 10.17487/RFC6096, January 2011,
<http://www.rfc-editor.org/info/rfc6096>. <https://www.rfc-editor.org/info/rfc6096>.
12.2. Informative References 12.2. Informative References
[DOI_10.1145_1496091.1496095]
Hayes, D., But, J., and G. Armitage, "Issues with network
address translation for SCTP", ACM SIGCOMM Computer
Communication Review Vol. 39, pp. 23,
DOI 10.1145/1496091.1496095, December 2008.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, DOI 10.17487/RFC0793, September 1981, RFC 793, DOI 10.17487/RFC0793, September 1981,
<http://www.rfc-editor.org/info/rfc793>. <https://www.rfc-editor.org/info/rfc793>.
[RFC6458] Stewart, R., Tuexen, M., Poon, K., Lei, P., and V. [RFC6458] Stewart, R., Tuexen, M., Poon, K., Lei, P., and V.
Yasevich, "Sockets API Extensions for the Stream Control Yasevich, "Sockets API Extensions for the Stream Control
Transmission Protocol (SCTP)", RFC 6458, Transmission Protocol (SCTP)", RFC 6458,
DOI 10.17487/RFC6458, December 2011, DOI 10.17487/RFC6458, December 2011,
<http://www.rfc-editor.org/info/rfc6458>. <https://www.rfc-editor.org/info/rfc6458>.
[RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman, [RFC6890] Cotton, M., Vegoda, L., Bonica, R., Ed., and B. Haberman,
"Special-Purpose IP Address Registries", BCP 153, "Special-Purpose IP Address Registries", BCP 153,
RFC 6890, DOI 10.17487/RFC6890, April 2013, RFC 6890, DOI 10.17487/RFC6890, April 2013,
<http://www.rfc-editor.org/info/rfc6890>. <https://www.rfc-editor.org/info/rfc6890>.
[RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream [RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream
Control Transmission Protocol (SCTP) Packets for End-Host Control Transmission Protocol (SCTP) Packets for End-Host
to End-Host Communication", RFC 6951, to End-Host Communication", RFC 6951,
DOI 10.17487/RFC6951, May 2013, DOI 10.17487/RFC6951, May 2013,
<http://www.rfc-editor.org/info/rfc6951>. <https://www.rfc-editor.org/info/rfc6951>.
Authors' Addresses Authors' Addresses
Randall R. Stewart Randall R. Stewart
Netflix, Inc. Netflix, Inc.
Chapin, SC 29036 Chapin, SC 29036
US US
Email: randall@lakerest.net Email: randall@lakerest.net
 End of changes. 109 change blocks. 
259 lines changed or deleted 279 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/