Port Control Protocol
|Internet protocol suite|
Port Control Protocol (PCP) is a computer networking protocol that allows hosts on IPv4 or IPv6 networks to control how the incoming IPv4 or IPv6 packets are translated and forwarded by an upstream router that performs network address translation (NAT) or packet filtering. By allowing hosts to create explicit port forwarding rules, handling of the network traffic can be easily configured to make hosts placed behind NATs or firewalls reachable from the rest of the Internet (so they can also act as network servers), which is a requirement for many applications.
Additionally, explicit port forwarding rules available through PCP allow hosts to reduce the amount of generated traffic by eliminating workarounds in form of outgoing NAT keepalive messages, which are required for maintaining connections to servers and for various NAT traversal techniques such as TCP hole punching. At the same time, less generated traffic reduces the power consumption, directly improving the battery runtime for mobile devices.
Many applications and network equipment deployments require their network locations to be reachable from outside their local networks, following the originally envisioned model of IP end-to-end connectivity across the Internet, so they can operate as network servers and accept connections from remote clients. An example of such equipment is an IP camera, which includes a network server that provides remote surveillance over IP networks.
Usually, network equipment deployments place the devices behind routers or firewalls that perform NAT (to enable sharing of an IPv4 address, for example) or packet filtering (for improved network security and protection), ending up with breaking the end-to-end connectivity and rendering the equipment and applications inaccessible from the rest of the Internet.
Making the deployed equipment accessible, by extending its server role beyond the local network, requires either manual configuration of port forwarding at the network gateway (which is usually a CPE), or application-level workarounds that initiate connections from the deployed equipment to additional intermediate servers used for "merging" those "firewall punching" connections and connections from the actual clients. Both approaches have their downsides – manual CPE configuration is usually either inconvenient or not possible, while using additional intermediate servers increases complexity and cost.
For example, an online computer game (which acts as a client) requires communication with a game server for exchanging gameplay data such as the movement of players, their different associated parameters, etc. In order to make it possible for a game server to provide such gameplay data updates to its online clients, those clients must be made accessible to the server. Usually, clients initiate connections to the game server, creating that way implicit mappings, which provide servers with the required communication channels. However, such connections can become idle and subsequently closed by the network gateways, leading to the necessity of maintaining them by using a form of keepalive messages.
Maintaining client-initiated implicit mappings alive is necessary because network gateways delete such mappings when they become idle, as a result of treating them as regular client connections; such implicit mappings are preserved by passing keepalive messages through NAT devices or firewalls. Thus, keeping such connections alive requires a constant exchange of otherwise useless keepalive messages between clients and servers, as a workaround that increases network chatter, wastes network bandwidth and CPU cycles, and decreases the autonomy of battery-powered devices. Additionally, some network applications (for example, FTP) require dynamic opening of multiple connections, which involves application-level gateways (ALGs) and additionally increases complexity.
PCP as a solution
PCP allows deployed equipment and applications to create explicit mappings between an external IP address, protocol and port, and an internal IP address, protocol and port. With such explicit mappings in place, inbound communication can reach the hosts behind a NAT or firewall, which either expands their server roles beyond boundaries of local networks, or makes use of various services simplified and less resource-consuming. Created mappings are permanent to the extent of having a known lifetime that can be extended, which is similar to the way Dynamic Host Configuration Protocol (DHCP) implements its leases. At the same time, PCP allows applications to create additional mappings dynamically as required, which reduces or eliminates the need for having ALG-enabled NAT devices and firewalls.
Created explicit mappings are permanent, with no need for application-level keepalive messages to be exchanged between hosts and servers for the purpose of preserving the mapping. As a result, network usage and power consumption are reduced, and application-level keepalive logic no longer needs to be implemented at client and server sides. After a PCP-based mapping is created, associated externally visible parameters (IP address, protocol and port) need to be announced to clients so incoming connections can be established, which is performed in application-specific ways. Additionally, PCP provides the functionality required to inform applications when the external IP address is changed while a mapping is already established.
Various types of NAT can be handled by PCP, providing support for IPv6/IPv4 NAT (NAT64, sharing of an IPv6 address) and IPv4/IPv4 NAT (NAT44, sharing of an IPv4 address); inclusion of PCP into IPv4 and IPv6 firewall devices is also supported. PCP is designed to be used on both large-scale aggregation points (for example, as part of carrier-grade NATs), and inside low-cost consumer-grade devices. Both long-term (for an IP camera or a temperature sensor acting as a server, for example) and short-term mappings (while playing an online computer game, for example) are supported.
PCP supports transport layer protocols that use 16-bit port numbers (for example, TCP, UDP, Stream Control Transmission Protocol (SCTP) or Datagram Congestion Control Protocol (DCCP). Protocols that do not use port numbers (for example, Resource Reservation Protocol (RSVP), Encapsulating Security Payload (ESP), ICMP or ICMPv6) are supported for IPv4 firewall, IPv6 firewall and NPTv6 (IPv6 prefix translation) functions, but are not supported for any NAT functions.
PCP may only be deployed in single-homed networks, leaving multi-homed networks (which have multiple network gateways or default routes) unsupported. This requirement comes from the fact that outbound packets (for example, a TCP SYNACK) as responses to inbound packets (for example, a TCP SYN) coming in through a PCP mapping as already rewritten by a NAT device or firewall, must also go back the same way so appropriate inverse packet rewritting can be performed. If there was no such restriction, simultaneous creation of PCP mappings would be required on all network gateways, which might not be consistently doable; for example, on one of the default gateways the required external port might be already taken by another application's mapping.
PCP was standardized in 2013 as a successor to the NAT Port Mapping Protocol (NAT-PMP), sharing similar protocol concepts and packet formats with it. As one of the design differences, NAT-PMP is pretty much limited to the deployment on consumer-grade devices, while PCP is designed to also support carrier-grade equipment.:50, 87 Since 2005, NAT-PMP has been implemented in various Apple products.:1
NAT-PMP relates to the Internet Gateway Device Protocol (IGDP), which was standardized in 2001 as part of the Universal Plug and Play (UPnP) specification. While the IGDP is complex and tailored toward manual configuration, NAT-PMP is designed for simplicity and use within software applications.:26–32
Excluding the attackers capable of altering network packets exchanged while an explicit PCP mapping is created (packets that contain negotiation required for establishing an explicit mapping, which is exchanged between hosts and PCP-enabled NAT devices or firewalls), PCP is considered to be secure as long as created explicit mappings do not exceed the domain of implicit mappings. In other words, implicit mappings are created as a result of the way NAT devices and firewalls are handling regular outbound client connections, meaning that PCP is safe as long as no new mapping possibilities are introduced through the explicit mapping mechanism.
From the security standpoint, an important PCP feature is the THIRD_PARTY mapping request option. When used, this option signifies that the IP address specified additionally as part of the mapping request should be used as the internal address for the created explicit mapping, rather than following the default behavior of using source IP address of the actual mapping request packet for that purpose. Such mapping requests can end up with a PCP-enabled NAT device or firewall granting explicit mapping privileges higher than allowed by implicit mappings due to unknown rules imposed elsewhere for the specified IP address, allowing that way an attacker to steal some traffic, or to conduct a denial-of-service (DoS) attack.
Additionally, explicit PCP security mechanisms are available as extensions to the PCP protocol, providing authentication and access control mechanisms by using an authenticated and integrity-protected in-band signalling channel, which relies on Extensible Authentication Protocol (EAP) to perform the authentication between devices involved in a PCP negotiation session. Such PCP-enabled NAT devices or firewalls may still accept unauthenticated mapping requests; at the same time, all previously described explicit mapping constraints still apply.
Internally, PCP works by exchanging control messages between hosts and PCP-enabled NAT devices or firewalls (referred to as servers), using User Datagram Protocol (UDP) as the underlying protocol. This communication consists of port mapping requests created by the hosts that result in responses once submitted to and processed by the servers. Following UDP's nature of unreliability, which means that UDP datagrams can be lost, duplicated or reordered, after submitting a request there is no guarantee for a response of any kind, thus host requests are also referred to as "hints". In addition to direct responses, servers also generate gratuitous notifications – for example, unicast notifications to inform hosts of changes in the external IP address.
|MAP||Creates or renews a mapping for inbound forwarding, allowing a hosts to act as a server and receive inbound communication.|
|PEER||Creates or renews an outbound mapping, allowing a host to maintain opened its communication with a single peer.|
|ANNOUNCE||Announces various changes to the hosts, including server restarts and changes to the external IP address.|
Exchanged messages contain no means for determining either the transaction they belong to, or which stage of a "session" they represent. Such a simplified design is based on having all messages self-describing and complete, with no additional context required for each message to be successfully processed. Servers may decide to silently ignore host requests, in case they are unable to process them at the moment; in such cases, hosts need to retransmit the request. Also, hosts may safely decide to silently ignore any unwanted mapping responses.
For the purpose of creating PCP requests, IP address of the server is either manually configured on the host, found as part of the host's DHCP lease, or set to the host's configured default gateway. Host request messages are sent from any source UDP port on a client to the server's UDP port 5351 that it listens to; unsolicited multicast server notifications (such as server restart announcements) are sent from the server's UDP port 5351 to the UDP port 5350 on hosts which they listen to.
Maximum UDP payload length for all PCP messages is 1100 octets. Each PCP message consists of a request or response header containing an opcode that determines the associated operation, any relevant opcode-specific information (such as which ports are to be mapped), and zero or more options (such as the THIRD_PARTY option described above). Result codes are returned as part of server responses; each result code has an associated lifetime, which tells the hosts when certain operations may be retried or should be repeated. For example, result lifetimes can specify how long a failure condition is expected to persist, or how long the created mapping will last.
- DMZ (computing) – a subnetwork that contains and exposes one's external-facing services to a larger and untrusted network
- Hole punching (networking) – establishing direct connections between two networked parties residing behind firewalls or NAT-enabled routers
- Dan Wing (December 2011). "Port Control Protocol". The Internet Protocol Journal. Cisco Systems. Retrieved January 31, 2014.
- "Port Control Protocol Overview (Junos OS 13.3)". Juniper Networks. August 14, 2013. Retrieved January 31, 2014.
- D. Wing; S. Cheshire; M. Boucadair; R. Penno; P. Selkirk (April 2013). "RFC 6887: Port Control Protocol (PCP)". Internet Engineering Task Force (IETF). Retrieved January 31, 2014.
- S. Cheshire; M. Krochmal (April 2013). "RFC 6886: NAT Port Mapping Protocol (NAT-PMP)". Internet Engineering Task Force (IETF). Retrieved August 8, 2014.
- M. Cullen; S. Hartman; D. Zhang; T. Reddy (September 2015). "RFC 7652: Port Control Protocol (PCP) Authentication Mechanism". Internet Engineering Task Force (IETF). Retrieved April 29, 2016.