draft-ietf-tsvwg-natsupp-12.txt   draft-ietf-tsvwg-natsupp-13.txt 
Network Working Group R. Stewart Network Working Group R. Stewart
Internet-Draft Netflix, Inc. Internet-Draft Netflix, Inc.
Intended status: Standards Track M. Tuexen Intended status: Standards Track M. Tuexen
Expires: January 3, 2019 I. Ruengeler Expires: January 9, 2020 I. Ruengeler
Muenster Univ. of Appl. Sciences Muenster Univ. of Appl. Sciences
July 2, 2018 July 8, 2019
Stream Control Transmission Protocol (SCTP) Network Address Translation Stream Control Transmission Protocol (SCTP) Network Address Translation
Support Support
draft-ietf-tsvwg-natsupp-12.txt draft-ietf-tsvwg-natsupp-13.txt
Abstract Abstract
The Stream Control Transmission Protocol (SCTP) provides a reliable The Stream Control Transmission Protocol (SCTP) provides a reliable
communications channel between two end-hosts in many ways similar to communications channel between two end-hosts in many ways similar to
the Transmission Control Protocol (TCP). With the widespread the Transmission Control Protocol (TCP). With the widespread
deployment of Network Address Translators (NAT), specialized code has deployment of Network Address Translators (NAT), specialized code has
been added to NAT for TCP that allows multiple hosts to reside behind been added to NAT for TCP that allows multiple hosts to reside behind
a NAT and yet use only a single globally unique IPv4 address, even a NAT and yet use only a single globally unique IPv4 address, even
when two hosts (behind a NAT) choose the same port numbers for their when two hosts (behind a NAT) choose the same port numbers for their
connection. This additional code is sometimes classified as Network connection. This additional code is sometimes classified as Network
Address and Port Translation (NAPT). Address and Port Translation (NAPT).
This document describes the protocol extensions required for the SCTP This document describes the protocol extensions required for the SCTP
endpoints and the mechanisms for NATs necessary to provide similar endpoints and the mechanisms for NAT devices necessary to provide
features of NAPT in the single-point and multi-point traversal similar features of NAPT in the single-point and multi-point
scenario. traversal scenario.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 3, 2019. This Internet-Draft will expire on January 9, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 42 skipping to change at page 2, line 42
5.1. Modified Chunks . . . . . . . . . . . . . . . . . . . . . 12 5.1. Modified Chunks . . . . . . . . . . . . . . . . . . . . . 12
5.1.1. Extended ABORT Chunk . . . . . . . . . . . . . . . . 12 5.1.1. Extended ABORT Chunk . . . . . . . . . . . . . . . . 12
5.1.2. Extended ERROR Chunk . . . . . . . . . . . . . . . . 13 5.1.2. Extended ERROR Chunk . . . . . . . . . . . . . . . . 13
5.2. New Error Causes . . . . . . . . . . . . . . . . . . . . 13 5.2. New Error Causes . . . . . . . . . . . . . . . . . . . . 13
5.2.1. VTag and Port Number Collision Error Cause . . . . . 13 5.2.1. VTag and Port Number Collision Error Cause . . . . . 13
5.2.2. Missing State Error Cause . . . . . . . . . . . . . . 14 5.2.2. Missing State Error Cause . . . . . . . . . . . . . . 14
5.2.3. Port Number Collision Error Cause . . . . . . . . . . 15 5.2.3. Port Number Collision Error Cause . . . . . . . . . . 15
5.3. New Parameters . . . . . . . . . . . . . . . . . . . . . 15 5.3. New Parameters . . . . . . . . . . . . . . . . . . . . . 15
5.3.1. Disable Restart Parameter . . . . . . . . . . . . . . 16 5.3.1. Disable Restart Parameter . . . . . . . . . . . . . . 16
5.3.2. VTags Parameter . . . . . . . . . . . . . . . . . . . 16 5.3.2. VTags Parameter . . . . . . . . . . . . . . . . . . . 16
6. Procedures for SCTP End Points and NATs . . . . . . . . . . . 17 6. Procedures for SCTP Endpoints and NAT Devices . . . . . . . . 17
6.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 17 6.1. Association Setup Considerations for Endpoints . . . . . 18
6.2. Association Setup Considerations . . . . . . . . . . . . 18 6.2. Handling of Internal Port Number and Verification Tag
6.3. Handling of Internal Port Number and Verification Tag
Collisions . . . . . . . . . . . . . . . . . . . . . . . 18 Collisions . . . . . . . . . . . . . . . . . . . . . . . 18
6.4. Handling of Internal Port Number Collisions . . . . . . . 19 6.2.1. NAT Device Considerations . . . . . . . . . . . . . . 19
6.5. Handling of Missing State . . . . . . . . . . . . . . . . 20 6.2.2. Endpoint Considerations . . . . . . . . . . . . . . . 19
6.6. Handling of Fragmented SCTP Packets . . . . . . . . . . . 22 6.3. Handling of Internal Port Number Collisions . . . . . . . 19
6.7. Multi-Point Traversal Considerations . . . . . . . . . . 22 6.3.1. NAT Device Considerations . . . . . . . . . . . . . . 20
6.3.2. Endpoint Considerations . . . . . . . . . . . . . . . 20
6.4. Handling of Missing State . . . . . . . . . . . . . . . . 21
6.4.1. NAT Device Considerations . . . . . . . . . . . . . . 21
6.4.2. Endpoint Considerations . . . . . . . . . . . . . . . 21
6.5. Handling of Fragmented SCTP Packets by NAT Devices . . . 22
6.6. Multi-Point Traversal Considerations for Endpoints . . . 23
7. Various Examples of NAT Traversals . . . . . . . . . . . . . 23 7. Various Examples of NAT Traversals . . . . . . . . . . . . . 23
7.1. Single-homed Client to Single-homed Server . . . . . . . 23 7.1. Single-homed Client to Single-homed Server . . . . . . . 23
7.2. Single-homed Client to Multi-homed Server . . . . . . . . 25 7.2. Single-homed Client to Multi-homed Server . . . . . . . . 25
7.3. Multihomed Client and Server . . . . . . . . . . . . . . 28 7.3. Multihomed Client and Server . . . . . . . . . . . . . . 28
7.4. NAT Loses Its State . . . . . . . . . . . . . . . . . . . 32 7.4. NAT Loses Its State . . . . . . . . . . . . . . . . . . . 32
7.5. Peer-to-Peer Communication . . . . . . . . . . . . . . . 34 7.5. Peer-to-Peer Communication . . . . . . . . . . . . . . . 34
8. Socket API Considerations . . . . . . . . . . . . . . . . . . 39 8. Socket API Considerations . . . . . . . . . . . . . . . . . . 39
8.1. Get or Set the NAT Friendliness 8.1. Get or Set the NAT Friendliness
(SCTP_NAT_FRIENDLY) . . . . . . . . . . . . . . . . . . . 40 (SCTP_NAT_FRIENDLY) . . . . . . . . . . . . . . . . . . . 40
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
skipping to change at page 3, line 35 skipping to change at page 3, line 40
communications channel between two end-hosts in many ways similar to communications channel between two end-hosts in many ways similar to
TCP [RFC0793]. With the widespread deployment of Network Address TCP [RFC0793]. With the widespread deployment of Network Address
Translators (NAT), specialized code has been added to NAT for TCP Translators (NAT), specialized code has been added to NAT for TCP
that allows multiple hosts to reside behind a NAT using private that allows multiple hosts to reside behind a NAT using private
addresses (see [RFC6890]) and yet use only a single globally unique addresses (see [RFC6890]) and yet use only a single globally unique
IPv4 address, even when two hosts (behind a NAT) choose the same port IPv4 address, even when two hosts (behind a NAT) choose the same port
numbers for their connection. This additional code is sometimes numbers for their connection. This additional code is sometimes
classified as Network Address and Port Translation (NAPT). Please classified as Network Address and Port Translation (NAPT). Please
note that this document focuses on the case where the NAT maps note that this document focuses on the case where the NAT maps
multiple private addresses to a single public address. To date, multiple private addresses to a single public address. To date,
specialized code for SCTP has not yet been added to most NATs so that specialized code for SCTP has not yet been added to most NAT devices
only true NAT is available. The end result of this is that only one so that only true NAT is available. The end result of this is that
SCTP capable host can be behind a NAT and this host can only be only one SCTP capable host can be behind a NAT and this host can only
single-homed. The only alternative for supporting legacy NATs is to be single-homed. The only alternative for supporting legacy NAT
use UDP encapsulation as specified in [RFC6951]. devices is to use UDP encapsulation as specified in [RFC6951].
This document describes an SCTP specific variant NAT and specific This document specifies procedures allowing a NAT to support SCTP by
packets and procedures to help NATs provide similar features of NAPT providing similar features to those provided by a NAPT for TCP and
in the single-point and multi-point traversal scenario. An SCTP other supported protocols. The document also specifies a set of data
implementation supporting this extension will follow these procedures formats for SCTP packets and a set of SCTP endpoint procedures to
to assure that in both single-homed and multi-homed cases a NAT will support NAT traversal. An SCTP implementation supporting these
maintain the proper state without needing to change port numbers. procedures can assure that in both single-homed and multi-homed cases
a NAT will maintain the proper state without needing to change port
numbers.
It is possible and desirable to make these changes for a number of It is possible and desirable to make these changes for a number of
reasons: reasons:
o It is desirable for SCTP internal end-hosts on multiple platforms o It is desirable for SCTP internal end-hosts on multiple platforms
to be able to share a NAT's public IP address in the same way that to be able to share a NAT's public IP address in the same way that
a TCP session can use a NAT. a TCP session can use a NAT.
o If a NAT does not need to change any data within an SCTP packet it o If a NAT does not need to change any data within an SCTP packet it
will reduce the processing burden of NAT'ing SCTP by NOT needing will reduce the processing burden of NAT'ing SCTP by NOT needing
to execute the CRC32c checksum required by SCTP. to execute the CRC32c checksum required by SCTP.
o Not having to touch the IP payload makes the processing of ICMP o Not having to touch the IP payload makes the processing of ICMP
messages in NATs easier. messages in NAT devices easier.
An SCTP-aware NAT will need to follow these procedures for generating An SCTP-aware NAT will need to follow these procedures for generating
appropriate SCTP packet formats. appropriate SCTP packet formats.
When considering this feature it is possible to have multiple levels When considering this feature it is possible to have multiple levels
of support. At each level, the Internal Host, External Host and NAT of support. At each level, the Internal Host, External Host and NAT
may or may not support the features described in this document. The may or may not support the features described in this document. The
following table illustrates the results of the various combinations following table illustrates the results of the various combinations
of support and if communications can occur between two endpoints. of support and if communications can occur between two endpoints.
+---------------+------------+---------------+---------------+ +---------------+------------+---------------+---------------+
| Internal Host | NAT | External Host | Communication | | Internal Host | NAT Device | External Host | Communication |
+---------------+------------+---------------+---------------+ +---------------+------------+---------------+---------------+
| Support | Support | Support | Yes | | Support | Support | Support | Yes |
| Support | Support | No Support | Limited | | Support | Support | No Support | Limited |
| Support | No Support | Support | None | | Support | No Support | Support | None |
| Support | No Support | No Support | None | | Support | No Support | No Support | None |
| No Support | Support | Support | Limited | | No Support | Support | Support | Limited |
| No Support | Support | No Support | Limited | | No Support | Support | No Support | Limited |
| No Support | No Support | Support | None | | No Support | No Support | Support | None |
| No Support | No Support | No Support | None | | No Support | No Support | No Support | None |
+---------------+------------+---------------+---------------+ +---------------+------------+---------------+---------------+
Table 1: Communication possibilities Table 1: Communication possibilities
From the table we can see that when a NAT does not support the From the table it can be seen that when a NAT device does not support
extension no communication can occur. This is because for the most the extension no communication can occur. This assumes that the NAT
part of the current situation i.e. SCTP packets sent externally from device does not handle SCTP packets at all and all SCTP packets sent
behind a NAT are discarded by the NAT. In some cases, where the NAT externally from behind a NAT device are discarded by the NAT. In
supports the feature but one of the two external hosts does not some cases, where the NAT device supports the feature but one of the
support the feature, communication may occur but in a limited way. two hosts does not support the feature, communication may occur but
For example only one host may be able to have a connection when a in a limited way. For example only one host may be able to have a
collision case occurs. connection when a collision case occurs.
2. Conventions 2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Terminology 3. Terminology
This document uses the following terms, which are depicted in This document uses the following terms, which are depicted in
skipping to change at page 5, line 40 skipping to change at page 5, line 42
External-Port (Ext-Port): The port number of the peer process at the External-Port (Ext-Port): The port number of the peer process at the
External-Address. External-Address.
External-VTag (Ext-VTag): The Verification Tag that the host holding External-VTag (Ext-VTag): The Verification Tag that the host holding
the External-Address has chosen for its communication. The VTag the External-Address has chosen for its communication. The VTag
is a unique 32-bit tag that must accompany any incoming SCTP is a unique 32-bit tag that must accompany any incoming SCTP
packet for this association to the External-Address. packet for this association to the External-Address.
Public-Address (Pub-Addr): The public address assigned to the NAT Public-Address (Pub-Addr): The public address assigned to the NAT
box which it uses as a source address when sending packets towards device that it uses as a source address when sending packets
the External-Address. towards the External-Address.
Internal Network | External Network Internal Network | External Network
| |
Private | Public External Private | Public External
+---------+ Address | Address /--\/--\ Address +---------+ +--------+ Address | Address /--\/--\ Address +--------+
| SCTP | +-----+ / \ | SCTP | | SCTP | +-----+ / \ | SCTP |
|end point|=========| NAT |=======| Internet |==========|end point| |endpoint|=========| NAT |=======| Internet |==========|endpoint|
| A | +-----+ \ / | B | | A | +-----+ \ / | B |
+---------+ Internal | \--/\--/ External+---------+ +--------+ Internal | \--/\--/ External+--------+
Internal Port | Port External Internal Port | Port External
VTag | VTag VTag | VTag
Figure 1: Basic network setup Figure 1: Basic network setup
4. Motivation 4. Motivation
4.1. SCTP NAT Traversal Scenarios 4.1. SCTP NAT Traversal Scenarios
This section defines the notion of single and multi-point NAT This section defines the notion of single and multi-point NAT
traversal. traversal.
4.1.1. Single Point Traversal 4.1.1. Single Point Traversal
In this case, all packets in the SCTP association go through a single In this case, all packets in the SCTP association go through a single
NAT, as shown below: NAT, as shown below:
Internal Network | External Network Internal Network | External Network
| |
+---------+ | /--\/--\ +---------+ +--------+ | /--\/--\ +--------+
| SCTP | +-----+ / \ | SCTP | | SCTP | +-----+ / \ | SCTP |
|end point|=========| NAT |========= | Internet | ========|end point| |endpoint|=========| NAT |========= | Internet | ========|endpoint|
| A | +-----+ \ / | B | | A | +-----+ \ / | B |
+---------+ | \--/\--/ +---------+ +--------+ | \--/\--/ +--------+
| |
Single NAT scenario Single NAT scenario
A variation of this case is shown below, i.e., multiple NATs in a A variation of this case is shown below, i.e., multiple NAT devices
single path: in a single path:
Internal | External : Internal | External Internal | External : Internal | External
| : | | : |
+---------+ | : | /--\/--\ +---------+ +--------+ | : | /--\/--\ +--------+
| SCTP | +-----+ : +-----+ / \ | SCTP | | SCTP | +-----+ : +-----+ / \ | SCTP |
|end point|==| NAT |=======:=======| NAT |==| Internet |==|end point| |endpoint|==| NAT |=======:=======| NAT |==| Internet |==|endpoint|
| A | +-----+ : +-----+ \ / | B | | A | +-----+ : +-----+ \ / | B |
+---------+ | : | \--/\--/ +---------+ +--------+ | : | \--/\--/ +--------+
| : | | : |
Serial NATs scenario Serial NAT Devices scenario
In this single point traversal scenario, we must acknowledge that Although one of the main benefits of SCTP multi-homing is redundant
while one of the main benefits of SCTP multi-homing is redundant paths, In this single point traversal scenario the NAT function
paths, the NAT function represents a single point of failure in the represents a single point of failure in the path of the SCTP multi-
path of the SCTP multi-home association. However, the rest of the home association. However, the rest of the path may still benefit
path may still benefit from path diversity provided by SCTP multi- from path diversity provided by SCTP multi-homing.
homing.
The two SCTP endpoints in this case can be either single-homed or The two SCTP endpoints in this case can be either single-homed or
multi-homed. However, the important thing is that the NAT (or NATs) multi-homed. However, the important thing is that the NAT device (or
in this case sees all the packets of the SCTP association. NAT devices) in this case sees all the packets of the SCTP
association.
4.1.2. Multi Point Traversal 4.1.2. Multi Point Traversal
This case involves multiple NATs and each NAT only sees some of the This case involves multiple NAT devices and each NAT device only sees
packets in the SCTP association. An example is shown below: some of the packets in the SCTP association. An example is shown
below:
Internal | External Internal | External
+------+ /---\/---\ +------+ /---\/---\
+---------+ /=======|NAT A |=========\ / \ +---------+ +--------+ /=======|NAT A |=========\ / \ +--------+
| SCTP | / +------+ \/ \ | SCTP | | SCTP | / +------+ \/ \ | SCTP |
|end point|/ ... | Internet |===|end point| |endpoint|/ ... | Internet |===|endpoint|
| A |\ \ / | B | | A |\ \ / | B |
+---------+ \ +------+ / \ / +---------+ +--------+ \ +------+ / \ / +--------+
\=======|NAT B |=========/ \---\/---/ \=======|NAT B |=========/ \---\/---/
+------+ +------+
| |
Parallel NATs scenario Parallel NAT devices scenario
This case does NOT apply to a single-homed SCTP association (i.e., This case does NOT apply to a single-homed SCTP association (i.e.,
BOTH endpoints in the association use only one IP address). The BOTH endpoints in the association use only one IP address). The
advantage here is that the existence of multiple NAT traversal points advantage here is that the existence of multiple NAT traversal points
can preserve the path diversity of a multi-homed association for the can preserve the path diversity of a multi-homed association for the
entire path. This in turn can improve the robustness of the entire path. This in turn can improve the robustness of the
communication. communication.
4.2. Limitations of Classical NAPT for SCTP 4.2. Limitations of Classical NAPT for SCTP
Using classical NAPT may result in changing one of the SCTP port Using classical NAPT may result in changing one of the SCTP port
numbers during the processing which requires the recomputation of the numbers during the processing which requires the recomputation of the
transport layer checksum. Whereas for UDP and TCP this can be done transport layer checksum. Whereas for UDP and TCP this can be done
very efficiently, for SCTP the checksum (CRC32c) over the entire very efficiently, for SCTP the checksum (CRC32c) over the entire
packet needs to be recomputed. This would considerably add to the packet needs to be recomputed. This would considerably add to the
NAT computational burden, however hardware support may mitigate this NAT computational burden, however hardware support may mitigate this
in some implementations. in some implementations.
An SCTP endpoint may have multiple addresses but only has a single An SCTP endpoint may have multiple addresses but only has a single
port number. To make multipoint traversal work, all the NATs port number. To make multipoint traversal work, all the NAT devices
involved must recognize the packets they see as belonging to the same involved must recognize the packets they see as belonging to the same
SCTP association and perform port number translation in a consistent SCTP association and perform port number translation in a consistent
way. One possible way of doing this is to use pre-defined table of way. One possible way of doing this is to use pre-defined table of
ports and addresses configured within each NAT. Other mechanisms ports and addresses configured within each NAT. Other mechanisms
could make use of NAT to NAT communication. Such mechanisms are not could make use of NAT to NAT communication. Such mechanisms are not
to be deployable on a wide scale base and thus not a recommended to be deployable on a wide scale base and thus not a recommended
solution. Therefore the SCTP variant of NAT has been developed. solution. Therefore the SCTP variant of NAT has been developed.
4.3. The SCTP Specific Variant of NAT 4.3. The SCTP Specific Variant of NAT
In this section we assume that we have multiple SCTP capable hosts In this section it is assumed that there are multiple SCTP capable
behind a NAT which has one Public-Address. Furthermore we are hosts behind a NAT that has one Public-Address. Furthermore this
focusing in this section on the single point traversal scenario. section focuses on the single point traversal scenario.
The modification of SCTP packets sent to the public Internet is easy.
The source address of the packet has to be replaced with the Public-
Address. It may also be necessary to establish some state in the NAT
box to handle incoming packets, which is discussed later.
For SCTP packets coming from the public Internet the destination The modification of SCTP packets sent to the public Internet is
address of the packets has to be replaced with the Private-Address of simple: the source address of the packet has to be replaced with the
the host the packet has to be delivered to. The lookup of the Public-Address. It may also be necessary to establish some state in
Private-Address is based on the External-VTag, External-Port, the NAT device to later handle incoming packets.
Internal-VTag and the Internal-Port.
For the SCTP NAT processing the NAT box has to maintain a table of For the SCTP NAT processing the NAT device has to maintain a table of
Internal-VTag, Internal-Port, External-VTag, External-Port, Private- Internal-VTag, Internal-Port, External-VTag, External-Port, Private-
Address, and whether the restart procedure is disabled or not. An Address, and whether the restart procedure is disabled or not. An
entry in that table is called a NAT state control block. The entry in that table is called a NAT state control block. The
function Create() obtains the just mentioned parameters and returns a function Create() obtains the just mentioned parameters and returns a
NAT-State control block. NAT-State control block.
The entries in this table fulfill some uniqueness conditions. There For SCTP packets coming from the public Internet the destination
address of the packets has to be replaced with the Private-Address of
the host the packet has to be delivered to. The lookup of the
Private-Address is based on the External-VTag, External-Port,
Internal-VTag and the Internal-Port.
The entries in the table fulfill some uniqueness conditions. There
must not be more than one entry with the same pair of Internal-Port must not be more than one entry with the same pair of Internal-Port
and External-Port. This rule can be relaxed, if all entries with the and External-Port. This rule can be relaxed, if all entries with the
same Internal-Port and External-Port have the support for the restart same Internal-Port and External-Port have the support for the restart
procedure enabled. In this case there must be no more than one entry procedure enabled. In this case there must be no more than one entry
with the same Internal-Port, External-Port and Ext-VTag and no more with the same Internal-Port, External-Port and Ext-VTag and no more
than one entry with the same Internal-Port, External-Port and Int- than one entry with the same Internal-Port, External-Port and Int-
VTag. VTag.
The processing of outgoing SCTP packets containing an INIT-chunk is The processing of outgoing SCTP packets containing an INIT-chunk is
described in the following figure. The scenario shown is valid for described in the following figure. The scenario shown is valid for
skipping to change at page 12, line 32 skipping to change at page 12, line 32
made only based on the addresses and port numbers. If an entry with made only based on the addresses and port numbers. If an entry with
an External-VTag of zero is found, it is considered a match and the an External-VTag of zero is found, it is considered a match and the
External-VTag is updated. External-VTag is updated.
This allows the handling of INIT-collision through NAT. This allows the handling of INIT-collision through NAT.
5. Data Formats 5. Data Formats
This section defines the formats used to support NAT traversal. This section defines the formats used to support NAT traversal.
Section 5.1 and Section 5.2 describe chunks and error causes sent by Section 5.1 and Section 5.2 describe chunks and error causes sent by
NATs and received by SCTP end points. Section 5.3 describes NAT devices and received by SCTP endpoints. Section 5.3 describes
parameters sent by SCTP end points and used by NATs and SCTP end parameters sent by SCTP endpoints and used by NAT devices and SCTP
points. endpoints.
5.1. Modified Chunks 5.1. Modified Chunks
This section presents existing chunks defined in [RFC4960] that are This section presents existing chunks defined in [RFC4960] that are
modified by this document. modified by this document.
5.1.1. Extended ABORT Chunk 5.1.1. Extended ABORT Chunk
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
skipping to change at page 13, line 8 skipping to change at page 13, line 8
| Type = 6 | Reserved |M|T| Length | | Type = 6 | Reserved |M|T| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \ \ \
/ zero or more Error Causes / / zero or more Error Causes /
\ \ \ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The ABORT chunk is extended to add the new 'M-bit'. The M-bit The ABORT chunk is extended to add the new 'M-bit'. The M-bit
indicates to the receiver of the ABORT chunk that the chunk was not indicates to the receiver of the ABORT chunk that the chunk was not
generated by the peer SCTP endpoint, but instead by a middle box. generated by the peer SCTP endpoint, but instead by a middle box.
[NOTE: [NOTE to RFC-Editor:
ASSIGNMENT OF M-BIT TO BE CONFIRMED BY IANA. Assignment of M-bit to be confirmed by IANA.
] ]
5.1.2. Extended ERROR Chunk 5.1.2. Extended ERROR Chunk
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 9 | Reserved |M|T| Length | | Type = 9 | Reserved |M|T| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ \ \ \
/ zero or more Error Causes / / zero or more Error Causes /
\ \ \ \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The ERROR chunk defined in [RFC4960] is extended to add the new The ERROR chunk defined in [RFC4960] is extended to add the new
'M-bit'. The M-bit indicates to the receiver of the ERROR chunk that 'M-bit'. The M-bit indicates to the receiver of the ERROR chunk that
the chunk was not generated by the peer SCTP endpoint, but instead by the chunk was not generated by the peer SCTP endpoint, but instead by
a middle box. a middle box.
[NOTE: [NOTE to RFC-Editor:
ASSIGNMENT OF M-BIT TO BE CONFIRMED BY IANA. Assignment of M-bit to be confirmed by IANA.
] ]
5.2. New Error Causes 5.2. New Error Causes
This section defines the new error causes added by this document. This section defines the new error causes added by this document.
5.2.1. VTag and Port Number Collision Error Cause 5.2.1. VTag and Port Number Collision Error Cause
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x00B0 | Cause Length = Variable | | Cause Code = 0x00B0 | Cause Length = Variable |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ Chunk / \ Chunk /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Cause Code: 2 bytes (unsigned integer) Cause Code: 2 bytes (unsigned integer)
This field holds the IANA defined cause code for the 'VTag and This field holds the IANA defined cause code for the 'VTag and
Port Number Collision' Error Cause. The suggested value of this Port Number Collision' Error Cause. IANA is requested to assign
field for IANA is 0x00B0. the value 0x00B0 for this cause code.
Cause Length: 2 bytes (unsigned integer) Cause Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the error cause. The This field holds the length in bytes of the error cause. The
value MUST be the length of the Cause-Specific Information plus 4. value MUST be the length of the Cause-Specific Information plus 4.
Chunk: variable length Chunk: variable length
The Cause-Specific Information is filled with the chunk that The Cause-Specific Information is filled with the chunk that
caused this error. This can be an INIT, INIT-ACK, or ASCONF caused this error. This can be an INIT, INIT-ACK, or ASCONF
chunk. Note that if the entire chunk will not fit in the ERROR chunk. Note that if the entire chunk will not fit in the ERROR
chunk or ABORT chunk being sent then the bytes that do not fit are chunk or ABORT chunk being sent then the bytes that do not fit are
truncated. truncated.
[NOTE: [NOTE to RFC-Editor:
ASSIGNMENT OF CAUSE-CODE TO BE CONFIRMED BY IANA. Assignment of cause code to be confirmed by IANA.
] ]
5.2.2. Missing State Error Cause 5.2.2. Missing State Error Cause
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x00B1 | Cause Length = Variable | | Cause Code = 0x00B1 | Cause Length = Variable |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ Incoming Packet / \ Incoming Packet /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Cause Code: 2 bytes (unsigned integer) Cause Code: 2 bytes (unsigned integer)
This field holds the IANA defined cause code for the 'Missing This field holds the IANA defined cause code for the 'Missing
State' Error Cause. The suggested value of this field for IANA is State' Error Cause. IANA is requested to assign the value 0x00B1
0x00B1. for this cause code.
Cause Length: 2 bytes (unsigned integer) Cause Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the error cause. The This field holds the length in bytes of the error cause. The
value MUST be the length of the Cause-Specific Information plus 4. value MUST be the length of the Cause-Specific Information plus 4.
Incoming Packet: variable length Incoming Packet: variable length
The Cause-Specific Information is filled with the IPv4 or IPv6 The Cause-Specific Information is filled with the IPv4 or IPv6
packet that caused this error. The IPv4 or IPv6 header MUST be packet that caused this error. The IPv4 or IPv6 header MUST be
included. Note that if the packet will not fit in the ERROR chunk included. Note that if the packet will not fit in the ERROR chunk
or ABORT chunk being sent then the bytes that do not fit are or ABORT chunk being sent then the bytes that do not fit are
truncated. truncated.
[NOTE: [NOTE to RFC-Editor:
ASSIGNMENT OF CAUSE-CODE TO BE CONFIRMED BY IANA. Assignment of cause code to be confirmed by IANA.
] ]
5.2.3. Port Number Collision Error Cause 5.2.3. Port Number Collision Error Cause
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cause Code = 0x00B2 | Cause Length = Variable | | Cause Code = 0x00B2 | Cause Length = Variable |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
\ Chunk / \ Chunk /
/ \ / \
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Cause Code: 2 bytes (unsigned integer) Cause Code: 2 bytes (unsigned integer)
This field holds the IANA defined cause code for the 'Port Number This field holds the IANA defined cause code for the 'Port Number
Collision' Error Cause. The suggested value of this field for Collision' Error Cause. IANA is requested to assign the value
IANA is 0x00B2. 0x00B2 for this cause code.
Cause Length: 2 bytes (unsigned integer) Cause Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the error cause. The This field holds the length in bytes of the error cause. The
value MUST be the length of the Cause-Specific Information plus 4. value MUST be the length of the Cause-Specific Information plus 4.
Chunk: variable length Chunk: variable length
The Cause-Specific Information is filled with the chunk that The Cause-Specific Information is filled with the chunk that
caused this error. This can be an INIT, INIT-ACK, or ASCONF caused this error. This can be an INIT, INIT-ACK, or ASCONF
chunk. Note that if the entire chunk will not fit in the ERROR chunk. Note that if the entire chunk will not fit in the ERROR
chunk or ABORT chunk being sent then the bytes that do not fit are chunk or ABORT chunk being sent then the bytes that do not fit are
truncated. truncated.
[NOTE: [NOTE to RFC-Editor:
ASSIGNMENT OF CAUSE-CODE TO BE CONFIRMED BY IANA. Assignment of cause code to be confirmed by IANA.
] ]
5.3. New Parameters 5.3. New Parameters
This section defines new parameters and their valid appearance This section defines new parameters and their valid appearance
defined by this document. defined by this document.
5.3.1. Disable Restart Parameter 5.3.1. Disable Restart Parameter
skipping to change at page 16, line 21 skipping to change at page 16, line 21
when adding an address to successfully disable the restart procedure. when adding an address to successfully disable the restart procedure.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 0xC007 | Length = 4 | | Type = 0xC007 | Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Parameter Type: 2 bytes (unsigned integer) Parameter Type: 2 bytes (unsigned integer)
This field holds the IANA defined parameter type for the Disable This field holds the IANA defined parameter type for the Disable
Restart Parameter. The suggested value of this field for IANA is Restart Parameter. IANA is requested to assign the value 0xC007
0xC007. for this parameter type.
Parameter Length: 2 bytes (unsigned integer) Parameter Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the parameter. The value This field holds the length in bytes of the parameter. The value
MUST be 4. MUST be 4.
[NOTE: [NOTE to RFC-Editor:
ASSIGNMENT OF PARAMETER TYPE TO BE CONFIRMED BY IANA. Assignment of parameter type to be confirmed by IANA.
] ]
This parameter MAY appear in INIT, INIT-ACK and ASCONF chunks and This parameter MAY appear in INIT, INIT-ACK and ASCONF chunks and
MUST NOT appear in any other chunk. MUST NOT appear in any other chunk.
5.3.2. VTags Parameter 5.3.2. VTags Parameter
This parameter is used to help a NAT recover from state loss. This parameter is used to help a NAT recover from state loss.
skipping to change at page 17, line 6 skipping to change at page 17, line 6
| Parameter Type = 0xC008 | Parameter Length = 16 | | Parameter Type = 0xC008 | Parameter Length = 16 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ASCONF-Request Correlation ID | | ASCONF-Request Correlation ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Internal Verification Tag | | Internal Verification Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| External Verification Tag | | External Verification Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Parameter Type: 2 bytes (unsigned integer) Parameter Type: 2 bytes (unsigned integer)
This field holds the IANA defined parameter type for the VTags This field holds the IANA defined parameter type for the VTags
Parameter. The suggested value of this field for IANA is 0xC008. Parameter. IANA is requested to assign the value 0xC008 for this
parameter type.
Parameter Length: 2 bytes (unsigned integer) Parameter Length: 2 bytes (unsigned integer)
This field holds the length in bytes of the parameter. The value This field holds the length in bytes of the parameter. The value
MUST be 16. MUST be 16.
ASCONF-Request Correlation ID: 4 bytes (unsigned integer) ASCONF-Request Correlation ID: 4 bytes (unsigned integer)
This is an opaque integer assigned by the sender to identify each This is an opaque integer assigned by the sender to identify each
request parameter. The receiver of the ASCONF Chunk will copy request parameter. The receiver of the ASCONF Chunk will copy
this 32-bit value into the ASCONF Response Correlation ID field of this 32-bit value into the ASCONF Response Correlation ID field of
the ASCONF-ACK response parameter. The sender of the ASCONF can the ASCONF-ACK response parameter. The sender of the ASCONF can
skipping to change at page 17, line 33 skipping to change at page 17, line 34
communication. The Verification Tag is a unique 32-bit tag that communication. The Verification Tag is a unique 32-bit tag that
must accompany any incoming SCTP packet for this association to must accompany any incoming SCTP packet for this association to
the Private-Address. the Private-Address.
External Verification Tag: 4 bytes (unsigned integer) The External Verification Tag: 4 bytes (unsigned integer) The
Verification Tag that the host holding the External-Address has Verification Tag that the host holding the External-Address has
chosen for its communication. The VTag is a unique 32-bit tag chosen for its communication. The VTag is a unique 32-bit tag
that must accompany any incoming SCTP packet for this association that must accompany any incoming SCTP packet for this association
to the External-Address. to the External-Address.
[NOTE: [NOTE to RFC-Editor:
ASSIGNMENT OF PARAMETER TYPE TO BE CONFIRMED BY IANA. Assignment of parameter type to be confirmed by IANA.
] ]
This parameter MAY appear in ASCONF chunks and MUST NOT appear in any This parameter MAY appear in ASCONF chunks and MUST NOT appear in any
other chunk. other chunk.
6. Procedures for SCTP End Points and NATs 6. Procedures for SCTP Endpoints and NAT Devices
6.1. Overview
When an SCTP endpoint is behind an SCTP-aware NAT a number of When an SCTP endpoint is behind an SCTP-aware NAT a number of
problems may arise as it tries to communicate with its peer: problems may arise as it tries to communicate with its peer:
o IP addresses can not not be included in the SCTP packet. This is o IP addresses can not not be included in the SCTP packet. This is
discussed in Section 6.2. discussed in Section 6.1.
o More than one host behind a NAT may pick the same VTag and source o More than one host behind a NAT device could select the same VTag
port when talking to the same peer server. This creates a and source port when talking to the same peer server. This
situation where the NAT will not be able to tell the two creates a situation where the NAT will not be able to tell the two
associations apart. This situation is discussed in Section 6.3. associations apart. This situation is discussed in Section 6.2.
o When an SCTP endpoint is a server communicating with multiple o When an SCTP endpoint is a server communicating with multiple
peers and the peers are behind the same NAT, then the two peers and the peers are behind the same NAT, then the two
endpoints cannot be distinguished by the server. This case is endpoints cannot be distinguished by the server. This case is
discussed in Section 6.4. discussed in Section 6.3.
o A restart of a NAT during a conversation could cause a loss of its o A restart of a NAT during a conversation could cause a loss of its
state. This problem and its solution is discussed in Section 6.5. state. This problem and its solution is discussed in Section 6.4.
o NAT boxes need to deal with SCTP packets being fragmented at the o NAT devices need to deal with SCTP packets being fragmented at the
IP layer. This is discussed in Section 6.6. IP layer. This is discussed in Section 6.5.
o An SCTP endpoint may be behind two NATs providing redundancy. The o An SCTP endpoint may be behind two NAT devices providing
method to set up this scenario is discussed in Section 6.7. redundancy. The method to set up this scenario is discussed in
Section 6.6.
Each of these mechanisms requires additional chunks and parameters, Each of these mechanisms requires additional chunks and parameters,
defined in this document, and possibly modified handling procedures defined in this document, and possibly modified handling procedures
from those specified in [RFC4960]. from those specified in [RFC4960].
6.2. Association Setup Considerations 6.1. Association Setup Considerations for Endpoints
The association setup procedure defined in [RFC4960] allows multi- The association setup procedure defined in [RFC4960] allows multi-
homed SCTP end points to exchange its IP-addresses by using IPv4 or homed SCTP endpoints to exchange its IP-addresses by using IPv4 or
IPv6 address parameters in the INIT and INIT-ACK chunks. However, IPv6 address parameters in the INIT and INIT-ACK chunks. However,
this can't be used when NATs are present. this doesn't work when NAT devices are present.
Every association MUST initially be set up single-homed. There MUST Every association MUST initially be set up single-homed. There MUST
NOT be any IPv4 Address parameter, IPv6 Address parameter, or NOT be any IPv4 Address parameter, IPv6 Address parameter, or
Supported Address Types parameter in the INIT-chunk. The INIT-ACK Supported Address Types parameter in the INIT-chunk. The INIT-ACK
chunk MUST NOT contain any IPv4 Address parameter or IPv6 Address chunk MUST NOT contain any IPv4 Address parameter or IPv6 Address
parameter. parameter.
If the association should finally be multi-homed, the procedure in If the association should finally be multi-homed, the procedure in
Section 6.7 MUST be used. Section 6.6 MUST be used.
The INIT and INIT-ACK chunk SHOULD contain the Disable Restart The INIT and INIT-ACK chunk SHOULD contain the Disable Restart
parameter defined in Section 5.3.1. parameter defined in Section 5.3.1.
6.3. Handling of Internal Port Number and Verification Tag Collisions 6.2. Handling of Internal Port Number and Verification Tag Collisions
Consider the case where two hosts in the Private-Address space want Consider the case where two hosts in the Private-Address space want
to set up an SCTP association with the same service provided by some to set up an SCTP association with the same service provided by some
hosts in the Internet. This means that the External-Port is the hosts in the Internet. This means that the External-Port is the
same. If they both choose the same Internal-Port and Internal-VTag, same. If they both choose the same Internal-Port and Internal-VTag,
the NAT box cannot distinguish between incoming packets anymore. But the NAT device cannot distinguish between incoming packets anymore.
this is very unlikely. The Internal-VTags are chosen at random and But this is very unlikely. The Internal-VTags are chosen at random
if the Internal-Ports are also chosen from the ephemeral port range and if the Internal-Ports are also chosen from the ephemeral port
at random this gives a 46-bit random number which has to match. In range at random this gives a 46-bit random number which has to match.
the TCP-like NAPT case the NAT box can control the 16-bit Natted Port In the TCP-like NAPT case the NAT device can control the 16-bit
and therefore avoid collisions deterministically. Natted Port and therefore avoid collisions deterministically.
The same can happen with the External-VTag when an INIT-ACK chunk or The same can happen with the External-VTag when an INIT-ACK chunk or
an ASCONF chunk is processed by the NAT. an ASCONF chunk is processed by the NAT.
However, in this unlikely event the NAT box MUST send an ABORT chunk 6.2.1. NAT Device Considerations
with the M-bit set if the collision is triggered by an INIT or INIT-
ACK chunk or send an ERROR chunk with the M-bit set if the collision However, in this unlikely event the NAT device MUST send an ABORT
is triggered by an ASCONF chunk. The M-bit is a new bit defined by chunk with the M-bit set if the collision is triggered by an INIT or
this document to express to SCTP that the source of this packet is a INIT-ACK chunk or send an ERROR chunk with the M-bit set if the
"middle" box, not the peer SCTP endpoint (see Section 5.1.1). If a collision is triggered by an ASCONF chunk. The M-bit is a new bit
packet containing an INIT-ACK chunk triggers the collision, the defined by this document to express to SCTP that the source of this
corresponding packet containing the ABORT chunk MUST contain the same packet is a "middle" box, not the peer SCTP endpoint (see
source and destination address and port numbers as the packet Section 5.1.1). If a packet containing an INIT-ACK chunk triggers
containing the INIT-ACK chunk. In the other two cases, the source the collision, the corresponding packet containing the ABORT chunk
and destination address and port numbers MUST be swapped. MUST contain the same source and destination address and port numbers
as the packet containing the INIT-ACK chunk. In the other two cases,
the source and destination address and port numbers MUST be swapped.
The sender of the ERROR or ABORT chunk MUST include the error cause
with cause code 'VTag and Port Number Collision' (see Section 5.2.1).
6.2.2. Endpoint Considerations
The sender of the packet containing the INIT chunk or the receiver of The sender of the packet containing the INIT chunk or the receiver of
the INIT-ACK chunk, upon reception of an ABORT chunk with M-bit set the INIT-ACK chunk, upon reception of an ABORT chunk with M-bit set
and the appropriate error cause code for colliding NAT table state is and the appropriate error cause code for colliding NAT table state is
included, MUST reinitiate the association setup procedure after included, MUST reinitiate the association setup procedure after
choosing a new initiate tag, if the association is in COOKIE-WAIT choosing a new initiate tag, if the association is in COOKIE-WAIT
state. In any other state, the SCTP endpoint MUST NOT respond. state. In any other state, the SCTP endpoint MUST NOT respond.
The sender of the ASCONF chunk, upon reception of an ERROR chunk with The sender of the ASCONF chunk, upon reception of an ERROR chunk with
M-bit set, MUST stop adding the path to the association. M-bit set, MUST stop adding the path to the association.
The sender of the ERROR or ABORT chunk MUST include the error cause 6.3. Handling of Internal Port Number Collisions
with cause code 'VTag and Port Number Collision' (see Section 5.2.1).
6.4. Handling of Internal Port Number Collisions
When two SCTP hosts are behind an SCTP-aware NAT it is possible that When two SCTP hosts are behind an SCTP-aware NAT it is possible that
two SCTP hosts in the Private-Address space will want to set up an two SCTP hosts in the Private-Address space will want to set up an
SCTP association with the same server running on the same host in the SCTP association with the same server running on the same host in the
Internet. For the NAT, appropriate tracking may be performed by Internet. For the NAT, appropriate tracking may be performed by
assuring that the VTags are unique between the two hosts. assuring that the VTags are unique between the two hosts.
But for the external SCTP server on the Internet this means that the 6.3.1. NAT Device Considerations
External-Port and the External-Address are the same. If they both
have chosen the same Internal-Port the server cannot distinguish
between both associations based on the address and port numbers. For
the server it looks like the association is being restarted. To
overcome this limitation the client sends a Disable Restart parameter
in the INIT-chunk.
When the server receives this parameter it MUST do the following:
o Include a Disable Restart parameter in the INIT-ACK to inform the
client that it will support the feature.
o Disable the restart procedures defined in [RFC4960] for this
association.
Servers that support this feature will need to be capable of
maintaining multiple connections to what appears to be the same peer
(behind the NAT) differentiated only by the VTags.
The NAT, when processing the INIT-ACK, should note in its internal The NAT, when processing the INIT-ACK, should note in its internal
table that the association supports the Disable Restart extension. table that the association supports the Disable Restart extension.
This note is used when establishing future associations (i.e. when This note is used when establishing future associations (i.e. when
processing an INIT from an internal host) to decide if the connection processing an INIT from an internal host) to decide if the connection
should be allowed. The NAT MUST do the following when processing an should be allowed. The NAT device does the following when processing
INIT: an INIT:
o If the INIT is destined to an external address and port for which o If the INIT is destined to an external address and port for which
the NAT has no outbound connection, allow the INIT creating an the NAT device has no outbound connection, it MUST allow the INIT
internal mapping table. creating an internal mapping table.
o If the INIT matches the external address and port of an already o If the INIT matches the external address and port of an already
existing connection, validate that the external server supports existing connection, it MUST validate that the external server
the Disable Restart feature, if it does allow the INIT to be supports the Disable Restart feature and, if it does, allow the
forwarded. INIT to be forwarded.
o If the external server does not support the Disable Restart o If the external server does not support the Disable Restart
extension the NAT MUST send an ABORT with the M-bit set. extension the NAT device MUST send an ABORT with the M-bit set.
The 'Port Number Collision' error cause (see Section 5.2.3) MUST be The 'Port Number Collision' error cause (see Section 5.2.3) MUST be
included in the ABORT chunk. included in the ABORT chunk.
If the collision is triggered by an ASCONF chunk, a packet containing If the collision is triggered by an ASCONF chunk, a packet containing
an ERROR chunk with the 'Port Number Collision' error cause MUST be an ERROR chunk with the 'Port Number Collision' error cause MUST be
sent back. sent back.
6.5. Handling of Missing State 6.3.2. Endpoint Considerations
If the NAT box receives a packet from the internal network for which For the external SCTP server on the Internet this means that the
the lookup procedure does not find an entry in the NAT table, a External-Port and the External-Address are the same. If they both
have chosen the same Internal-Port the server cannot distinguish
between both associations based on the address and port numbers. For
the server it looks like the association is being restarted. To
overcome this limitation the client sends a Disable Restart parameter
in the INIT-chunk.
When the server receives this parameter it does the following:
o It MUST include a Disable Restart parameter in the INIT-ACK to
inform the client that it will support the feature.
o It MUST Disable the restart procedures defined in [RFC4960] for
this association.
Servers that support this feature will need to be capable of
maintaining multiple connections to what appears to be the same peer
(behind the NAT) differentiated only by the VTags.
6.4. Handling of Missing State
6.4.1. NAT Device Considerations
If the NAT device receives a packet from the internal network for
which the lookup procedure does not find an entry in the NAT table, a
packet containing an ERROR chunk is sent back with the M-bit set. packet containing an ERROR chunk is sent back with the M-bit set.
The source address of the packet containing the ERROR chunk MUST be The source address of the packet containing the ERROR chunk MUST be
the destination address of the incoming SCTP packet. The the destination address of the incoming SCTP packet. The
verification tag is reflected and the T-bit is set. Please note that verification tag is reflected and the T-bit is set. Please note that
such a packet containing an ERROR chunk SHOULD NOT be sent if the such a packet containing an ERROR chunk SHOULD NOT be sent if the
received packet contains an ABORT, SHUTDOWN-COMPLETE or INIT-ACK received packet contains an ABORT, SHUTDOWN-COMPLETE or INIT-ACK
chunk. An ERROR chunk MUST NOT be sent if the received packet chunk. An ERROR chunk MUST NOT be sent if the received packet
contains an ERROR chunk with the M-bit set. contains an ERROR chunk with the M-bit set.
When sending the ERROR chunk, the new error cause 'Missing State' When sending the ERROR chunk, the new error cause 'Missing State'
(see Section 5.2.2) MUST be included and the new M-bit of the ERROR (see Section 5.2.2) MUST be included and the new M-bit of the ERROR
chunk MUST be set (see Section 5.1.2). chunk MUST be set (see Section 5.1.2).
If the NAT device receives a packet for which it has no NAT table
entry and the packet contains an ASCONF chunk with the VTags
parameter, the NAT device MUST update its NAT table according to the
verification tags in the VTags parameter and the optional Disable
Restart parameter.
6.4.2. Endpoint Considerations
Upon reception of this ERROR chunk by an SCTP endpoint the receiver Upon reception of this ERROR chunk by an SCTP endpoint the receiver
SHOULD take the following actions: takes the following actions:
o Validate that the verification tag is reflected by looking at the o It SHOULD validate that the verification tag is reflected by
VTag that would have been included in the outgoing packet. looking at the VTag that would have been included in the outgoing
packet.
o Validate that the peer of the SCTP association supports the o It SHOULD validate that the peer of the SCTP association supports
dynamic address extension, if it does not discard the incoming the dynamic address extension, if it does not discard the incoming
ERROR chunk. ERROR chunk.
o Generate a new ASCONF chunk containing the VTags parameter (see o It SHOULD generate a new ASCONF chunk containing the VTags
Section 5.3.2) and the Disable Restart parameter if the parameter (see Section 5.3.2) and the Disable Restart parameter if
association is using the disabled restart feature. By processing the association is using the disabled restart feature. By
this packet the NAT can recover the appropriate state. The processing this packet the NAT device can recover the appropriate
procedures for generating an ASCONF chunk can be found in state. The procedures for generating an ASCONF chunk can be found
[RFC5061]. in [RFC5061].
If the NAT box receives a packet for which it has no NAT table entry
and the packet contains an ASCONF chunk with the VTags parameter, the
NAT box MUST update its NAT table according to the verification tags
in the VTags parameter and the optional Disable Restart parameter.
The peer SCTP endpoint receiving such an ASCONF chunk SHOULD either The peer SCTP endpoint receiving such an ASCONF chunk SHOULD either
add the address and respond with an acknowledgment, if the address is add the address and respond with an acknowledgment, if the address is
new to the association (following all procedures defined in new to the association (following all procedures defined in
[RFC5061]). Or, if the address is already part of the association, [RFC5061]). Or, if the address is already part of the association,
the SCTP endpoint MUST NOT respond with an error, but instead should the SCTP endpoint MUST NOT respond with an error, but instead should
respond with an ASCONF-ACK chunk acknowledging the address but take respond with an ASCONF-ACK chunk acknowledging the address but take
no action (since the address is already in the association). no action (since the address is already in the association).
Note that it is possible that upon receiving an ASCONF chunk Note that it is possible that upon receiving an ASCONF chunk
containing the VTags parameter the NAT will realize that it has an containing the VTags parameter the NAT will realize that it has an
'Internal Port Number and Verification Tag collision'. In such a 'Internal Port Number and Verification Tag collision'. In such a
case the NAT MUST send an ERROR chunk with the error cause code set case the NAT MUST send an ERROR chunk with the error cause code set
to 'VTag and Port Number Collision' (see Section 5.2.1). to 'VTag and Port Number Collision' (see Section 5.2.1).
If an SCTP endpoint receives an ERROR with 'Internal Port Number and If an SCTP endpoint receives an ERROR with 'Internal Port Number and
Verification Tag collision' as the error cause and the packet in the Verification Tag collision' as the error cause and the packet in the
Error Chunk contains an ASCONF with the VTags parameter, careful Error Chunk contains an ASCONF with the VTags parameter, careful
examination of the association is required. The endpoint MUST do the examination of the association is required. The endpoint does the
following: following:
o Validate that the verification tag is reflected by looking at the o It MUST validate that the verification tag is reflected by looking
VTag that would have been included in the outgoing packet. at the VTag that would have been included in the outgoing packet.
o Validate that the peer of the SCTP association supports the o It MUST validate that the peer of the SCTP association supports
dynamic address extension, if it does not discard the incoming the dynamic address extension. If the peer does not support it,
ERROR chunk. the NAT Device MUST discard the incoming ERROR chunk.
o If the association is attempting to add an address (i.e. following o If the association is attempting to add an address (i.e. following
the procedures in Section 6.7) then the endpoint MUST-NOT consider the procedures in Section 6.6) then the endpoint MUST NOT consider
the address part of the association and SHOULD make no further the address part of the association and SHOULD make no further
attempt to add the address (i.e. cancel any ASCONF timers and attempt to add the address (i.e. cancel any ASCONF timers and
remove any record of the path), since the NAT has a VTag collision remove any record of the path), since the NAT devie has a VTag
and the association cannot easily create a new VTag (as it would collision and the association cannot easily create a new VTag (as
if the error occurred when sending an INIT). it would if the error occurred when sending an INIT).
o If the endpoint has no other path, i. e. the procedure was o If the endpoint has no other path, i.e. the procedure was executed
executed due to missing a state in the NAT, then the endpoint MUST due to missing a state in the NAT device , then the endpoint MUST
abort the association. This would occur only if the local NAT abort the association. This would occur only if the local NAT
restarted and accepted a new association before attempting to device restarted and accepted a new association before attempting
repair the missing state (Note that this is no different than what to repair the missing state (Note that this is no different than
happens to all TCP connections when a NAT looses its state). what happens to all TCP connections when a NAT device looses its
state).
6.6. Handling of Fragmented SCTP Packets 6.5. Handling of Fragmented SCTP Packets by NAT Devices
A NAT box MUST support IP reassembly of received fragmented SCTP A NAT device MUST support IP reassembly of received fragmented SCTP
packets. The fragments may arrive in any order. packets. The fragments may arrive in any order.
When an SCTP packet has to be fragmented by the NAT box and the IP When an SCTP packet has to be fragmented by the NAT device and the IP
header forbids fragmentation a corresponding ICMP packet SHOULD be header forbids fragmentation a corresponding ICMP packet SHOULD be
sent. sent.
6.7. Multi-Point Traversal Considerations 6.6. Multi-Point Traversal Considerations for Endpoints
If a multi-homed SCTP endpoint behind a NAT connects to a peer, it If a multi-homed SCTP endpoint behind a NAT connects to a peer, it
SHOULD first set up the association single-homed with only one SHOULD first set up the association single-homed with only one
address causing the first NAT to populate its state. Then it SHOULD address causing the first NAT to populate its state. Then it SHOULD
add each IP address using ASCONF chunks sent via their respective add each IP address using ASCONF chunks sent via their respective NAT
NATs. The address to add is the wildcard address and the lookup devices. The address to add is the wildcard address and the lookup
address SHOULD also contain the VTags parameter and optionally the address SHOULD also contain the VTags parameter and optionally the
Disable Restart parameter as illustrated above. Disable Restart parameter as illustrated above.
7. Various Examples of NAT Traversals 7. Various Examples of NAT Traversals
Please note that this section is informational only. Please note that this section is informational only.
The addresses being used in the following examples are IPv4 addresses The addresses being used in the following examples are IPv4 addresses
for private-use networks and for documentation as specified in for private-use networks and for documentation as specified in
[RFC6890]. However, the method described here is not limited to this [RFC6890]. However, the method described here is not limited to this
skipping to change at page 32, line 47 skipping to change at page 32, line 47
NAT | Int | Int | Ext | Ext | Priv | NAT | Int | Int | Ext | Ext | Priv |
| VTag | Port | VTag | Port | Addr | | VTag | Port | VTag | Port | Addr |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
| 1234 | 1 | 5678 | 2 | 10.0.0.1 | | 1234 | 1 | 5678 | 2 | 10.0.0.1 |
+---------+--------+----------+--------+-----------+ +---------+--------+----------+--------+-----------+
DATA DATA
10.0.0.1:1 ----------> 203.0.113.1:2 10.0.0.1:1 ----------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
The NAT box cannot find entry for the association. It sends ERROR The NAT device cannot find entry for the association. It sends ERROR
message with the M-Bit set and the cause "NAT state missing". message with the M-Bit set and the cause "NAT state missing".
/--\/--\ /--\/--\
+--------+ +-----+ / \ +--------+ +--------+ +-----+ / \ +--------+
| Host A | <----------> | NAT | <----> | Internet | <----> | Host B | | Host A | <----------> | NAT | <----> | Internet | <----> | Host B |
+--------+ +-----+ \ / +--------+ +--------+ +-----+ \ / +--------+
\--/\--/ \--/\--/
ERROR [M-Bit, NAT state missing] ERROR [M-Bit, NAT state missing]
10.0.0.1:1 <---------- 203.0.113.1:2 10.0.0.1:1 <---------- 203.0.113.1:2
skipping to change at page 34, line 28 skipping to change at page 34, line 28
DATA DATA
10.0.0.1:1 ----------> 203.0.113.1:2 10.0.0.1:1 ----------> 203.0.113.1:2
Ext-VTag = 5678 Ext-VTag = 5678
DATA DATA
192.0.2.2:1 -------------------> 203.0.113.129:2 192.0.2.2:1 -------------------> 203.0.113.129:2
Ext-VTag = 5678 Ext-VTag = 5678
7.5. Peer-to-Peer Communication 7.5. Peer-to-Peer Communication
If two hosts are behind NATs, they have to get knowledge of the If two hosts are behind NAT devices, they have to get knowledge of
peer's public address. This can be achieved with a so-called the peer's public address. This can be achieved with a so-called
rendezvous server. Afterwards the destination addresses are public, rendezvous server. Afterwards the destination addresses are public,
and the association is set up with the help of the INIT collision. and the association is set up with the help of the INIT collision.
The NAT boxes create their entries according to their internal peer's The NAT devices create their entries according to their internal
point of view. Therefore, NAT A's Internal-VTag and Internal-Port peer's point of view. Therefore, NAT A's Internal-VTag and Internal-
are NAT B's External-VTag and External-Port, respectively. The Port are NAT B's External-VTag and External-Port, respectively. The
naming of the verification tag in the packet flow is done from the naming of the verification tag in the packet flow is done from the
sending peer's point of view. sending peer's point of view.
Internal | External External | Internal Internal | External External | Internal
| | | |
| /--\/---\ | | /--\/---\ |
+--------+ +-------+ / \ +-------+ +--------+ +--------+ +-------+ / \ +-------+ +--------+
| Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B | | Host A |<--->| NAT A |<-->| Internet |<-->| NAT B |<--->| Host B |
+--------+ +-------+ \ / +-------+ +--------+ +--------+ +-------+ \ / +-------+ +--------+
| \--/\---/ | | \--/\---/ |
skipping to change at page 40, line 35 skipping to change at page 40, line 35
[NOTE to RFC-Editor: [NOTE to RFC-Editor:
"RFCXXXX" is to be replaced by the RFC number you assign this "RFCXXXX" is to be replaced by the RFC number you assign this
document. document.
] ]
[NOTE to RFC-Editor: [NOTE to RFC-Editor:
The suggested values for the chunk type and the chunk parameter The requested values for the chunk type and the chunk parameter
types are tentative and to be confirmed by IANA. types are tentative and to be confirmed by IANA.
] ]
This document (RFCXXXX) is the reference for all registrations This document (RFCXXXX) is the reference for all registrations
described in this section. The suggested changes are described described in this section. The requested changes are described
below. below.
9.1. New Chunk Flags for Two Existing Chunk Types 9.1. New Chunk Flags for Two Existing Chunk Types
As defined in [RFC6096] two chunk flags have to be assigned by IANA As defined in [RFC6096] two chunk flags have to be assigned by IANA
for the ERROR chunk. The suggested value for the T bit is 0x01 and for the ERROR chunk. The requested value for the T bit is 0x01 and
for the M bit is 0x02. for the M bit is 0x02.
This requires an update of the "ERROR Chunk Flags" registry for SCTP: This requires an update of the "ERROR Chunk Flags" registry for SCTP:
ERROR Chunk Flags ERROR Chunk Flags
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
| Chunk Flag Value | Chunk Flag Name | Reference | | Chunk Flag Value | Chunk Flag Name | Reference |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
| 0x01 | T bit | [RFCXXXX] | | 0x01 | T bit | [RFCXXXX] |
| 0x02 | M bit | [RFCXXXX] | | 0x02 | M bit | [RFCXXXX] |
| 0x04 | Unassigned | | | 0x04 | Unassigned | |
| 0x08 | Unassigned | | | 0x08 | Unassigned | |
| 0x10 | Unassigned | | | 0x10 | Unassigned | |
| 0x20 | Unassigned | | | 0x20 | Unassigned | |
| 0x40 | Unassigned | | | 0x40 | Unassigned | |
| 0x80 | Unassigned | | | 0x80 | Unassigned | |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
As defined in [RFC6096] one chunk flag has to be assigned by IANA for As defined in [RFC6096] one chunk flag has to be assigned by IANA for
the ABORT chunk. The suggested value of the M bit is 0x02. the ABORT chunk. The requested value of the M bit is 0x02.
This requires an update of the "ABORT Chunk Flags" registry for SCTP: This requires an update of the "ABORT Chunk Flags" registry for SCTP:
ABORT Chunk Flags ABORT Chunk Flags
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
| Chunk Flag Value | Chunk Flag Name | Reference | | Chunk Flag Value | Chunk Flag Name | Reference |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
| 0x01 | T bit | [RFC4960] | | 0x01 | T bit | [RFC4960] |
| 0x02 | M bit | [RFCXXXX] | | 0x02 | M bit | [RFCXXXX] |
| 0x04 | Unassigned | | | 0x04 | Unassigned | |
| 0x08 | Unassigned | | | 0x08 | Unassigned | |
| 0x10 | Unassigned | | | 0x10 | Unassigned | |
| 0x20 | Unassigned | | | 0x20 | Unassigned | |
| 0x40 | Unassigned | | | 0x40 | Unassigned | |
| 0x80 | Unassigned | | | 0x80 | Unassigned | |
+------------------+-----------------+-----------+ +------------------+-----------------+-----------+
9.2. Three New Error Causes 9.2. Three New Error Causes
Three error causes have to be assigned by IANA. It is suggested to Three error causes have to be assigned by IANA. It is requested to
use the values given below. use the values given below.
This requires three additional lines in the "Error Cause Codes" This requires three additional lines in the "Error Cause Codes"
registry for SCTP: registry for SCTP:
Error Cause Codes Error Cause Codes
+-------+--------------------------------+-----------+ +-------+--------------------------------+-----------+
| Value | Cause Code | Reference | | Value | Cause Code | Reference |
+-------+--------------------------------+-----------+ +-------+--------------------------------+-----------+
| 176 | VTag and Port Number Collision | [RFCXXXX] | | 176 | VTag and Port Number Collision | [RFCXXXX] |
| 177 | Missing State | [RFCXXXX] | | 177 | Missing State | [RFCXXXX] |
| 178 | Port Number Collision | [RFCXXXX] | | 178 | Port Number Collision | [RFCXXXX] |
+-------+--------------------------------+-----------+ +-------+--------------------------------+-----------+
9.3. Two New Chunk Parameter Types 9.3. Two New Chunk Parameter Types
Two chunk parameter types have to be assigned by IANA. It is Two chunk parameter types have to be assigned by IANA. It is
suggested to use the values given below. IANA should assign these requested to use the values given below. IANA should assign these
values from the pool of parameters with the upper two bits set to values from the pool of parameters with the upper two bits set to
'11'. '11'.
This requires two additional lines in the "Chunk Parameter Types" This requires two additional lines in the "Chunk Parameter Types"
registry for SCTP: registry for SCTP:
Chunk Parameter Types Chunk Parameter Types
+----------+--------------------------+-----------+ +----------+--------------------------+-----------+
| ID Value | Chunk Parameter Type | Reference | | ID Value | Chunk Parameter Type | Reference |
skipping to change at page 42, line 41 skipping to change at page 42, line 41
| 49160 | VTags (0xC008) | [RFCXXXX] | | 49160 | VTags (0xC008) | [RFCXXXX] |
+----------+--------------------------+-----------+ +----------+--------------------------+-----------+
10. Security Considerations 10. Security Considerations
State maintenance within a NAT is always a subject of possible Denial State maintenance within a NAT is always a subject of possible Denial
Of Service attacks. This document recommends that at a minimum a NAT Of Service attacks. This document recommends that at a minimum a NAT
runs a timer on any SCTP state so that old association state can be runs a timer on any SCTP state so that old association state can be
cleaned up. cleaned up.
For SCTP end points, this document does not add any additional For SCTP endpoints, this document does not add any additional
security considerations to the ones given in [RFC4960], [RFC4895], security considerations to the ones given in [RFC4960], [RFC4895],
and [RFC5061]. In particular, SCTP is protected by the verification and [RFC5061]. In particular, SCTP is protected by the verification
tags and the usage of [RFC4895] against off-path attackers. tags and the usage of [RFC4895] against off-path attackers.
11. Acknowledgments 11. Acknowledgments
The authors wish to thank Gorry Fairhurst, Bryan Ford, David Hayes, The authors wish to thank Gorry Fairhurst, Bryan Ford, David Hayes,
Alfred Hines, Karen E. E. Nielsen, Henning Peters, Timo Voelker, Alfred Hines, Karen E. E. Nielsen, Henning Peters, Timo Voelker,
Dan Wing, and Qiaobing Xie for their invaluable comments. Dan Wing, and Qiaobing Xie for their invaluable comments.
 End of changes. 98 change blocks. 
251 lines changed or deleted 274 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/