GENWiki

Premier IT Outsourcing and Support Services within the UK

User Tools

Site Tools


rfc:rfc6887

Internet Engineering Task Force (IETF) D. Wing, Ed. Request for Comments: 6887 Cisco Category: Standards Track S. Cheshire ISSN: 2070-1721 Apple

                                                          M. Boucadair
                                                        France Telecom
                                                              R. Penno
                                                                 Cisco
                                                            P. Selkirk
                                                                   ISC
                                                            April 2013
                    Port Control Protocol (PCP)

Abstract

 The Port Control Protocol allows an IPv6 or IPv4 host to control how
 incoming IPv6 or IPv4 packets are translated and forwarded by a
 Network Address Translator (NAT) or simple firewall, and also allows
 a host to optimize its outgoing NAT keepalive messages.

Status of This Memo

 This is an Internet Standards Track document.
 This document is a product of the Internet Engineering Task Force
 (IETF).  It represents the consensus of the IETF community.  It has
 received public review and has been approved for publication by the
 Internet Engineering Steering Group (IESG).  Further information on
 Internet Standards is available in Section 2 of RFC 5741.
 Information about the current status of this document, any errata,
 and how to provide feedback on it may be obtained at
 http://www.rfc-editor.org/info/rfc6887.

Copyright Notice

 Copyright (c) 2013 IETF Trust and the persons identified as the
 document authors.  All rights reserved.
 This document is subject to BCP 78 and the IETF Trust's Legal
 Provisions Relating to IETF Documents
 (http://trustee.ietf.org/license-info) in effect on the date of
 publication of this document.  Please review these documents
 carefully, as they describe your rights and restrictions with respect
 to this document.  Code Components extracted from this document must
 include Simplified BSD License text as described in Section 4.e of

Wing, et al. Standards Track [Page 1] RFC 6887 Port Control Protocol (PCP) April 2013

 the Trust Legal Provisions and are provided without warranty as
 described in the Simplified BSD License.

Table of Contents

 1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
 2.  Scope  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
   2.1.  Deployment Scenarios . . . . . . . . . . . . . . . . . . .  5
   2.2.  Supported Protocols  . . . . . . . . . . . . . . . . . . .  5
   2.3.  Single-Homed Customer Premises Network . . . . . . . . . .  5
 3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  6
 4.  Relationship between PCP Server and Its PCP-Controlled
     Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
 5.  Note on Fixed-Size Addresses . . . . . . . . . . . . . . . . . 10
 6.  Protocol Design Note . . . . . . . . . . . . . . . . . . . . . 11
 7.  Common Request and Response Header Format  . . . . . . . . . . 13
   7.1.  Request Header . . . . . . . . . . . . . . . . . . . . . . 14
   7.2.  Response Header  . . . . . . . . . . . . . . . . . . . . . 15
   7.3.  Options  . . . . . . . . . . . . . . . . . . . . . . . . . 16
   7.4.  Result Codes . . . . . . . . . . . . . . . . . . . . . . . 19
 8.  General PCP Operation  . . . . . . . . . . . . . . . . . . . . 20
   8.1.  General PCP Client: Generating a Request . . . . . . . . . 21
     8.1.1.  PCP Client Retransmission  . . . . . . . . . . . . . . 22
   8.2.  General PCP Server: Processing a Request . . . . . . . . . 24
   8.3.  General PCP Client: Processing a Response  . . . . . . . . 25
   8.4.  Multi-Interface Issues . . . . . . . . . . . . . . . . . . 27
   8.5.  Epoch  . . . . . . . . . . . . . . . . . . . . . . . . . . 27
 9.  Version Negotiation  . . . . . . . . . . . . . . . . . . . . . 29
 10. Introduction to MAP and PEER Opcodes . . . . . . . . . . . . . 30
   10.1. For Operating a Server . . . . . . . . . . . . . . . . . . 33
   10.2. For Operating a Symmetric Client/Server  . . . . . . . . . 35
   10.3. For Reducing NAT or Firewall Keepalive Messages  . . . . . 37
   10.4. For Restoring Lost Implicit TCP Dynamic Mapping State  . . 38
 11. MAP Opcode . . . . . . . . . . . . . . . . . . . . . . . . . . 39
   11.1. MAP Operation Packet Formats . . . . . . . . . . . . . . . 40
   11.2. Generating a MAP Request . . . . . . . . . . . . . . . . . 43
     11.2.1. Renewing a Mapping . . . . . . . . . . . . . . . . . . 44
   11.3. Processing a MAP Request . . . . . . . . . . . . . . . . . 44
   11.4. Processing a MAP Response  . . . . . . . . . . . . . . . . 48
   11.5. Address Change Events  . . . . . . . . . . . . . . . . . . 49
   11.6. Learning the External IP Address Alone . . . . . . . . . . 50
 12. PEER Opcode  . . . . . . . . . . . . . . . . . . . . . . . . . 50
   12.1. PEER Operation Packet Formats  . . . . . . . . . . . . . . 51
   12.2. Generating a PEER Request  . . . . . . . . . . . . . . . . 54
   12.3. Processing a PEER Request  . . . . . . . . . . . . . . . . 55
   12.4. Processing a PEER Response . . . . . . . . . . . . . . . . 56

Wing, et al. Standards Track [Page 2] RFC 6887 Port Control Protocol (PCP) April 2013

 13. Options for MAP and PEER Opcodes . . . . . . . . . . . . . . . 57
   13.1. THIRD_PARTY Option for MAP and PEER Opcodes  . . . . . . . 57
   13.2. PREFER_FAILURE Option for MAP Opcode . . . . . . . . . . . 59
   13.3. FILTER Option for MAP Opcode . . . . . . . . . . . . . . . 61
 14. Rapid Recovery . . . . . . . . . . . . . . . . . . . . . . . . 63
   14.1. ANNOUNCE Opcode  . . . . . . . . . . . . . . . . . . . . . 64
     14.1.1. ANNOUNCE Operation . . . . . . . . . . . . . . . . . . 65
     14.1.2. Generating and Processing a Solicited ANNOUNCE
             Message  . . . . . . . . . . . . . . . . . . . . . . . 65
     14.1.3. Generating and Processing an Unsolicited ANNOUNCE
             Message  . . . . . . . . . . . . . . . . . . . . . . . 66
   14.2. PCP Mapping Update . . . . . . . . . . . . . . . . . . . . 67
 15. Mapping Lifetime and Deletion  . . . . . . . . . . . . . . . . 69
   15.1. Lifetime Processing for the MAP Opcode . . . . . . . . . . 71
 16. Implementation Considerations  . . . . . . . . . . . . . . . . 72
   16.1. Implementing MAP with EDM Port-Mapping NAT . . . . . . . . 72
   16.2. Lifetime of Explicit and Implicit Dynamic Mappings . . . . 72
   16.3. PCP Failure Recovery . . . . . . . . . . . . . . . . . . . 72
     16.3.1. Recreating Mappings  . . . . . . . . . . . . . . . . . 73
     16.3.2. Maintaining Mappings . . . . . . . . . . . . . . . . . 73
     16.3.3. SCTP . . . . . . . . . . . . . . . . . . . . . . . . . 74
   16.4. Source Address Replicated in PCP Header  . . . . . . . . . 75
   16.5. State Diagram  . . . . . . . . . . . . . . . . . . . . . . 76
 17. Deployment Considerations  . . . . . . . . . . . . . . . . . . 77
   17.1. Ingress Filtering  . . . . . . . . . . . . . . . . . . . . 77
   17.2. Mapping Quota  . . . . . . . . . . . . . . . . . . . . . . 77
 18. Security Considerations  . . . . . . . . . . . . . . . . . . . 78
   18.1. Simple Threat Model  . . . . . . . . . . . . . . . . . . . 78
     18.1.1. Attacks Considered . . . . . . . . . . . . . . . . . . 79
     18.1.2. Deployment Examples Supporting the Simple Threat
             Model  . . . . . . . . . . . . . . . . . . . . . . . . 79
   18.2. Advanced Threat Model  . . . . . . . . . . . . . . . . . . 80
   18.3. Residual Threats . . . . . . . . . . . . . . . . . . . . . 80
     18.3.1. Denial of Service  . . . . . . . . . . . . . . . . . . 80
     18.3.2. Ingress Filtering  . . . . . . . . . . . . . . . . . . 81
     18.3.3. Mapping Theft  . . . . . . . . . . . . . . . . . . . . 81
     18.3.4. Attacks against Server Discovery . . . . . . . . . . . 81
 19. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 82
   19.1. Port Number  . . . . . . . . . . . . . . . . . . . . . . . 82
   19.2. Opcodes  . . . . . . . . . . . . . . . . . . . . . . . . . 82
   19.3. Result Codes . . . . . . . . . . . . . . . . . . . . . . . 82
   19.4. Options  . . . . . . . . . . . . . . . . . . . . . . . . . 82
 20. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 83
 21. References . . . . . . . . . . . . . . . . . . . . . . . . . . 84
   21.1. Normative References . . . . . . . . . . . . . . . . . . . 84
   21.2. Informative References . . . . . . . . . . . . . . . . . . 84
 Appendix A. NAT-PMP Transition . . . . . . . . . . . . . . . . . . 87

Wing, et al. Standards Track [Page 3] RFC 6887 Port Control Protocol (PCP) April 2013

1. Introduction

 The Port Control Protocol (PCP) provides a mechanism to control how
 incoming packets are forwarded by upstream devices such as Network
 Address Translator IPv6/IPv4 (NAT64), Network Address Translator
 IPv4/IPv4 (NAT44), and IPv6 and IPv4 firewall devices, and a
 mechanism to reduce application keepalive traffic.  PCP is designed
 to be implemented in the context of Carrier-Grade NATs (CGNs) and
 small NATs (e.g., residential NATs), as well as with dual-stack and
 IPv6-only Customer Premises Equipment (CPE) routers, and all of the
 currently known transition scenarios towards IPv6-only CPE routers.
 PCP allows hosts to operate servers for a long time (e.g., a network-
 attached home security camera) or a short time (e.g., while playing a
 game or on a phone call) when behind a NAT device, including when
 behind a CGN operated by their Internet service provider or an IPv6
 firewall integrated in their CPE router.
 PCP allows applications to create mappings from an external IP
 address, protocol, and port to an internal IP address, protocol, and
 port.  These mappings are required for successful inbound
 communications destined to machines located behind a NAT or a
 firewall.
 After creating a mapping for incoming connections, it is necessary to
 inform remote computers about the IP address, protocol, and port for
 the incoming connection.  This is usually done in an application-
 specific manner.  For example, a computer game might use a rendezvous
 server specific to that game (or specific to that game developer), a
 SIP phone would use a SIP proxy, and a client using DNS-Based Service
 Discovery [RFC6763] would use DNS Update [RFC2136] [RFC3007].  PCP
 does not provide this rendezvous function.  The rendezvous function
 may support IPv4, IPv6, or both.  Depending on that support and the
 application's support of IPv4 or IPv6, the PCP client may need an
 IPv4 mapping, an IPv6 mapping, or both.
 Many NAT-friendly applications send frequent application-level
 messages to ensure that their session will not be timed out by a NAT.
 These are commonly called "NAT keepalive" messages, even though they
 are not sent to the NAT itself (rather, they are sent 'through' the
 NAT).  These applications can reduce the frequency of such NAT
 keepalive messages by using PCP to learn (and influence) the NAT
 mapping lifetime.  This helps reduce bandwidth on the subscriber's
 access network, traffic to the server, and battery consumption on
 mobile devices.
 Many NATs and firewalls include Application Layer Gateways (ALGs) to
 create mappings for applications that establish additional streams or
 accept incoming connections.  ALGs incorporated into NATs may also

Wing, et al. Standards Track [Page 4] RFC 6887 Port Control Protocol (PCP) April 2013

 modify the application payload.  Industry experience has shown that
 these ALGs are detrimental to protocol evolution.  PCP allows an
 application to create its own mappings in NATs and firewalls,
 reducing the incentive to deploy ALGs in NATs and firewalls.

2. Scope

2.1. Deployment Scenarios

 PCP can be used in various deployment scenarios, including:
 o  Basic NAT [RFC3022]
 o  Network Address and Port Translation [RFC3022], such as commonly
    deployed in residential NAT devices
 o  Carrier-Grade NAT [RFC6888]
 o  Dual-Stack Lite (DS-Lite) [RFC6333]
 o  NAT that is Layer-2 Aware [L2NAT]
 o  Dual-Stack Extra Lite [RFC6619]
 o  NAT64, both Stateless [RFC6145] and Stateful [RFC6146]
 o  IPv4 and IPv6 simple firewall control [RFC6092]
 o  IPv6-to-IPv6 Network Prefix Translation (NPTv6) [RFC6296]

2.2. Supported Protocols

 The PCP Opcodes defined in this document are designed to support
 transport-layer protocols that use a 16-bit port number (e.g., TCP,
 UDP, Stream Control Transmission Protocol (SCTP) [RFC4960], and
 Datagram Congestion Control Protocol (DCCP) [RFC4340]).  Protocols
 that do not use a port number (e.g., Resource Reservation Protocol
 (RSVP), IP Encapsulating Security Payload (ESP) [RFC4303], ICMP, and
 ICMPv6) are supported for IPv4 firewall, IPv6 firewall, and NPTv6
 functions, but are out of scope for any NAT functions.

2.3. Single-Homed Customer Premises Network

 PCP assumes a single-homed IP address model.  That is, for a given IP
 address of a host, only one default route exists to reach other hosts
 on the Internet from that source IP address.  This is important
 because after a PCP mapping is created and an inbound packet (e.g.,
 TCP SYN) is rewritten and delivered to a host, the outbound response

Wing, et al. Standards Track [Page 5] RFC 6887 Port Control Protocol (PCP) April 2013

 (e.g., TCP SYNACK) has to go through the same (reverse) path so it
 passes through the same NAT to have the necessary inverse rewrite
 performed.  This restriction exists because otherwise there would
 need to be a PCP-enabled NAT for every egress (because the host could
 not reliably determine which egress path packets would take), and the
 client would need to be able to reliably make the same internal/
 external mapping in every NAT gateway, which in general is not
 possible (because the other NATs might already have the necessary
 external port mapped to another host).

3. Terminology

 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
 "OPTIONAL" in this document are to be interpreted as described in
 "Key words for use in RFCs to Indicate Requirement Levels" [RFC2119].
 Internal Host:
    A host served by a NAT gateway, or protected by a firewall.  This
    is the host that will receive incoming traffic resulting from a
    PCP mapping request, or the host that initiated an implicit
    dynamic outbound mapping (e.g., by sending a TCP SYN) across a
    firewall or a NAT.
 Remote Peer Host:
    A host with which an internal host is communicating.  This can
    include another internal host (or even the same internal host); if
    a NAT is involved, the NAT would need to hairpin the traffic
    [RFC4787].
 Internal Address:
    The address of an internal host served by a NAT gateway or
    protected by a firewall.
 External Address:
    The address of an internal host as seen by other remote peers on
    the Internet with which the internal host is communicating, after
    translation by any NAT gateways on the path.  An external address
    is generally a public routable (i.e., non-private) address.  In
    the case of an internal host protected by a pure firewall, with no
    address translation on the path, its external address is the same
    as its internal address.
 Endpoint-Dependent Mapping (EDM):  A term applied to NAT operation
    where an implicit mapping created by outgoing traffic (e.g., TCP
    SYN) from a single internal address, protocol, and port to
    different remote peers and ports may be assigned different
    external ports, and a subsequent PCP mapping request for that

Wing, et al. Standards Track [Page 6] RFC 6887 Port Control Protocol (PCP) April 2013

    internal address, protocol, and port may be assigned yet another
    different external port.  This term encompasses both Address-
    Dependent Mapping and Address and Port-Dependent Mapping
    [RFC4787].
 Endpoint-Independent Mapping (EIM):  A term applied to NAT operation
    where all mappings from a single internal address, protocol, and
    port to different remote peers and ports are all assigned the same
    external address and port.
 Remote Peer Address:
    The address of a remote peer, as seen by the internal host.  A
    remote address is generally a publicly routable address.  In the
    case of a remote peer that is itself served by a NAT gateway, the
    remote address may in fact be the remote peer's external address,
    but since this remote translation is generally invisible to
    software running on the internal host, the distinction can safely
    be ignored for the purposes of this document.
 Third Party:
    In the common case, an internal host manages its own mappings
    using PCP requests, and the internal address of those mappings is
    the same as the source IP address of the PCP request packet.
    In the case where one device is managing mappings on behalf of
    some other device that does not implement PCP, the presence of the
    THIRD_PARTY option in the MAP request signifies that the specified
    address, rather than the source IP address of the PCP request
    packet, should be used as the internal address for the mapping.
 Mapping, Port Mapping, Port Forwarding:
    A NAT mapping creates a relationship between an internal IP
    address, protocol, and port, and an external IP address, protocol,
    and port.  More specifically, it creates a translation rule where
    packets destined *to* the external IP address, protocol, and port
    have their destination address and port translated to the internal
    address and port, and conversely, packets *from* the internal IP
    address, protocol, and port have their source address and port
    translated to the external address and port.  In the case of a
    pure firewall, the "mapping" is the identity function, translating
    an internal IP address, protocol, and port number to the same
    external IP address, protocol, and port number.  Firewall
    filtering, applied in addition to that identity mapping function,
    is separate from the mapping itself.

Wing, et al. Standards Track [Page 7] RFC 6887 Port Control Protocol (PCP) April 2013

 Mapping Types:
    There are three dimensions to classifying mapping types: how they
    are created (implicitly/explicitly), their primary purpose
    (outbound/inbound), and how they are deleted (dynamic/static).
    Implicit mappings are created as a side effect of some other
    operation; explicit mappings are created by a mechanism explicitly
    dealing with mappings.  Outbound mappings exist primarily to
    facilitate outbound communication; inbound mappings exist
    primarily to facilitate inbound communication.  Dynamic mappings
    are deleted when their lifetime expires, or through other protocol
    action; static mappings are permanent until the user chooses to
    delete them.
  • Implicit dynamic mappings are created implicitly as a side

effect of traffic such as an outgoing TCP SYN or outgoing UDP

       packet.  Such packets were not originally designed explicitly
       for creating NAT (or firewall) state, but they can have that
       effect when they pass through a NAT (or firewall) device.
       Implicit dynamic mappings usually have a finite lifetime,
       though this lifetime is generally not known to the client using
       them.
  • Explicit dynamic mappings are created as a result of explicit

PCP MAP and PEER requests. Like a DHCP address lease, explicit

       dynamic mappings have a finite lifetime, and this lifetime is
       communicated to the client.  As with a DHCP address lease, if
       the client wants a mapping to persist the client must prove
       that it is still present by periodically renewing the mapping
       to prevent it from expiring.  If a PCP client goes away, then
       any mappings it created will be automatically cleaned up when
       they expire.
  • Explicit static mappings are created by manual configuration

(e.g., via command-line interface or other user interface) and

       persist until the user changes that manual configuration.
    Both implicit and explicit dynamic mappings are dynamic in the
    sense that they are created on demand, as requested (implicitly or
    explicitly) by the internal host, and have a lifetime.  After the
    lifetime, the mapping is deleted unless the lifetime is extended
    by action by the internal host (e.g., sending more traffic or
    sending another PCP request).
    Static mappings are, by their nature, always explicit.  Static
    mappings differ from explicit dynamic mappings in that their
    lifetime is effectively infinite (they exist until manually
    removed), but otherwise they behave exactly the same as explicit
    MAP mappings.

Wing, et al. Standards Track [Page 8] RFC 6887 Port Control Protocol (PCP) April 2013

    While all mappings are, by necessity, bidirectional (most Internet
    communication requires information to flow in both directions for
    successful operation), when talking about mappings, it can be
    helpful to identify them loosely according to their 'primary'
    purpose.
  • Outbound mappings exist primarily to enable outbound

communication. For example, when a host calls connect() to

       make an outbound connection, a NAT gateway will create an
       implicit dynamic outbound mapping to facilitate that outbound
       communication.
  • Inbound mappings exist primarily to enable listening servers to

receive inbound connections. Generally, when a client calls

       listen() to listen for inbound connections, a NAT gateway will
       not implicitly create any mapping to facilitate that inbound
       communication.  A PCP MAP request can be used explicitly to
       create a dynamic inbound mapping to enable the desired inbound
       communication.
    Explicit static (manual) mappings and explicit dynamic (MAP)
    mappings both allow internal hosts to receive inbound traffic that
    is not in direct response to any immediately preceding outbound
    communication (i.e., to allow internal hosts to operate a "server"
    that is accessible to other hosts on the Internet).
 PCP Client:
    A PCP software instance responsible for issuing PCP requests to a
    PCP server.  Several independent PCP clients can exist on the same
    host.  Several PCP clients can be located in the same local
    network.  A PCP client can issue PCP requests on behalf of a
    third-party device for which it is authorized to do so.  An
    interworking function from Universal Plug and Play Internet
    Gateway Device (UPnP IGDv1 [IGDv1]) to PCP is another example of a
    PCP client.  A PCP server in a NAT gateway that is itself a client
    of another NAT gateway (nested NAT) may itself act as a PCP client
    to the upstream NAT.
 PCP-Controlled Device:
    A NAT or firewall that controls or rewrites packet flows between
    internal hosts and remote peer hosts.  PCP manages the mappings on
    this device.
 PCP Server:
    A PCP software instance that resides on the PCP-Controlled Device
    that receives PCP requests from the PCP client and creates
    appropriate state in response to that request.

Wing, et al. Standards Track [Page 9] RFC 6887 Port Control Protocol (PCP) April 2013

 Subscriber:
    The unit of billing for a commercial ISP.  A subscriber may have a
    single IP address from the commercial ISP (which can be shared
    among multiple hosts using a NAT gateway, thereby making them
    appear to be a single host to the ISP) or may have multiple IP
    addresses provided by the commercial ISP.  In either case, the IP
    address or addresses provided by the ISP may themselves be further
    translated by a Carrier-Grade NAT (CGN) operated by the ISP.

4. Relationship between PCP Server and Its PCP-Controlled Device

 The PCP server receives and responds to PCP requests.  The PCP server
 functionality is typically a capability of a NAT or firewall device,
 as shown in Figure 1.  It is also possible for the PCP functionality
 to be provided by some other device, which communicates with the
 actual NAT(s) or firewall(s) via some other proprietary mechanism, as
 long as from the PCP client's perspective such split operation is
 indistinguishable from the integrated case.
                                +-----------------+
       +------------+           | NAT or firewall |
       | PCP client |-<network>-+      with       +---<Internet>
       +------------+           |    PCP server   |
                                +-----------------+
                 Figure 1: PCP-Enabled NAT or Firewall
 A NAT or firewall device, between the PCP client and the Internet,
 might implement simple or advanced firewall functionality.  This may
 be a side effect of the technology implemented by the device (e.g., a
 network address and port translator, by virtue of its port rewriting,
 normally requires connections to be initiated from an inside host
 towards the Internet), or this might be an explicit firewall policy
 to deny unsolicited traffic from the Internet.  Some firewall devices
 deny certain unsolicited traffic from the Internet (e.g., TCP, UDP to
 most ports) but allow certain other unsolicited traffic from the
 Internet (e.g., UDP port 500 and IP ESP) [RFC6092].  Such default
 filtering (or lack thereof) is out of scope of PCP itself.  If a
 client device wants to receive traffic and supports PCP, and does not
 possess prior knowledge of such default filtering policy, it SHOULD
 use PCP to request the necessary mappings to receive the desired
 traffic.

5. Note on Fixed-Size Addresses

 For simplicity in building and parsing request and response packets,
 PCP always uses fixed-size 128-bit IP address fields for both IPv6
 addresses and IPv4 addresses.

Wing, et al. Standards Track [Page 10] RFC 6887 Port Control Protocol (PCP) April 2013

 When the address field holds an IPv6 address, the fixed-size 128-bit
 IP address field holds the IPv6 address stored as is.
 When the address field holds an IPv4 address, an IPv4-mapped IPv6
 address [RFC4291] is used (::ffff:0:0/96).  This has the first 80
 bits set to zero and the next 16 set to one, while its last 32 bits
 are filled with the IPv4 address.  This is unambiguously
 distinguishable from a native IPv6 address, because an IPv4-mapped
 IPv6 address [RFC4291] would not be valid for a mapping.
 When checking for an IPv4-mapped IPv6 address, all of the first 96
 bits MUST be checked for the pattern -- it is not sufficient to check
 for ones in bits 81-96.
 The all-zeros IPv6 address MUST be expressed by filling the
 fixed-size 128-bit IP address field with all zeros (::).
 The all-zeros IPv4 address MUST be expressed by 80 bits of zeros,
 16 bits of ones, and 32 bits of zeros (::ffff:0:0).

6. Protocol Design Note

 PCP can be viewed as a request/response protocol, much like many
 other UDP-based request/response protocols, and can be implemented
 perfectly well as such.  It can also be viewed as what might be
 called a hint/notification protocol, and this observation can help
 simplify implementations.
 Rather than viewing the message streams between PCP client and PCP
 server as following a strict request/response pattern, where every
 response is associated with exactly one request, the message flows
 can be viewed as two somewhat independent streams carrying
 information in opposite directions:
 o  A stream of hints flowing from PCP client to PCP server, where the
    client indicates to the server what it would like the state of its
    mappings to be, and
 o  A stream of notifications flowing from PCP server to PCP client,
    where the server informs the clients what the state of its
    mappings actually is.
 To an extent, some of this approach is required anyway in a UDP-based
 request/response protocol, since UDP packets can be lost, duplicated,
 or reordered.

Wing, et al. Standards Track [Page 11] RFC 6887 Port Control Protocol (PCP) April 2013

 In this view of the protocol, the client transmits hints to the
 server at various intervals signaling its desires, and the server
 transmits notifications to the client signaling the actual state of
 its mappings.  These two message flows are loosely correlated in that
 a client request (hint) usually elicits a server response
 (notification), but only loosely, in that a client request may result
 in no server response (in the case of packet loss), and a server
 response may be generated gratuitously without an immediately
 preceding client request (in the case where server configuration
 change, e.g., change of external IP address on a NAT gateway, results
 in a change of mapping state).
 The exact times that client requests are sent are influenced by a
 client timing state machine taking into account whether (i) the
 client has not yet received a response from the server for a prior
 request (retransmission), or (ii) the client has previously received
 a response from the server saying how long the indicated mapping
 would remain active (renewal).  This design philosophy is the reason
 why PCP's retransmissions and renewals are exactly the same packet on
 the wire.  Typically, retransmissions are sent with exponentially
 increasing intervals as the client waits for the server to respond,
 whereas renewals are sent with exponentially decreasing intervals as
 the expiry time approaches, but, from the server's point of view,
 both packets are identical, and both signal the client's desire that
 the stated mapping exist or continue to exist.
 A PCP server usually sends responses as a direct result of client
 requests, but not always.  For example, if a server is too overloaded
 to respond, it is allowed to silently ignore a request message and
 let the client retransmit.  Also, if external factors cause a NAT
 gateway or firewall's configuration to change, then the PCP server
 can send unsolicited responses to clients informing them of the new
 state of their mappings.  Such reconfigurations are expected to be
 rare, because of the disruption they can cause to clients, but should
 they happen, PCP provides a way for servers to communicate the new
 state to clients promptly, without having to wait for the next
 periodic renewal request.
 This design goal helps explain why PCP request and response messages
 have no transaction ID, because such a transaction ID is unnecessary,
 and would unnecessarily limit the protocol and unnecessarily
 complicate implementations.  A PCP server response (i.e.,
 notification) is self-describing and complete.  It communicates the
 internal and external addresses, protocol, and ports for a mapping,
 and its remaining lifetime.  If the client does in fact currently
 want such a mapping to exist, then it can identify the mapping in
 question from the internal address, protocol, and port, and update
 its state to reflect the current external address and port, and

Wing, et al. Standards Track [Page 12] RFC 6887 Port Control Protocol (PCP) April 2013

 remaining lifetime.  If a client does not currently want such a
 mapping to exist, then it can safely ignore the message.  No client
 action is required for unexpected mapping notifications.  In today's
 world, a NAT gateway can have a static mapping, and the client device
 has no explicit knowledge of this, and no way to change the fact.
 Also, in today's world, a client device can be connected directly to
 the public Internet, with a globally routable IP address, and, in
 this case, it effectively has "mappings" for all of its listening
 ports.  Such a device has to be responsible for its own security and
 cannot rely on assuming that some other network device will be
 blocking all incoming packets.

7. Common Request and Response Header Format

 All PCP messages are sent over UDP, with a maximum UDP payload length
 of 1100 octets.  The PCP messages contain a request or response
 header containing an Opcode, any relevant Opcode-specific
 information, and zero or more options.  All numeric quantities larger
 than a single octet (e.g., result codes, lifetimes, Epoch times,
 etc.) are represented in conventional IETF network order, i.e., most
 significant octet first.  Non-numeric quantities are represented as
 is on all platforms, with no byte swapping (e.g., IP addresses and
 ports are placed in PCP messages using the same representation as
 when placed in IP or TCP headers).
 The packet layout for the common header, and operation of the PCP
 client and PCP server, are described in the following sections.  The
 information in this section applies to all Opcodes.  Behavior of the
 Opcodes defined in this document is described in Sections 10, 11, and
 12.

Wing, et al. Standards Track [Page 13] RFC 6887 Port Control Protocol (PCP) April 2013

7.1. Request Header

 All requests have the following format:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Version = 2  |R|   Opcode    |         Reserved              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 Requested Lifetime (32 bits)                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |            PCP Client's IP Address (128 bits)                 |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                                                               :
   :             (optional) Opcode-specific information            :
   :                                                               :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                                                               :
   :             (optional) PCP Options                            :
   :                                                               :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                Figure 2: Common Request Packet Format
 These fields are described below:
 Version:  This document specifies protocol version 2.  PCP clients
    and servers compliant with this document use the value 2.  This
    field is used for version negotiation as described in Section 9.
 R: Indicates Request (0) or Response (1).
 Opcode:  A 7-bit value specifying the operation to be performed.  MAP
    and PEER Opcodes are defined in Sections 11 and 12.
 Reserved:  16 reserved bits.  MUST be zero on transmission and MUST
    be ignored on reception.
 Requested Lifetime:  An unsigned 32-bit integer, in seconds, ranging
    from 0 to 2^32-1 seconds.  This is used by the MAP and PEER
    Opcodes defined in this document for their requested lifetime.

Wing, et al. Standards Track [Page 14] RFC 6887 Port Control Protocol (PCP) April 2013

 PCP Client's IP Address:  The source IPv4 or IPv6 address in the IP
    header used by the PCP client when sending this PCP request.  An
    IPv4 address is represented using an IPv4-mapped IPv6 address.
    The PCP Client IP Address in the PCP message header is used to
    detect an unexpected NAT on the path between the PCP client and
    the PCP-controlled NAT or firewall device.  See Section 8.1.
 Opcode-specific information:  Payload data for this Opcode.  The
    length of this data is determined by the Opcode definition.
 PCP Options:  Zero, one, or more options that are legal for both a
    PCP request and for this Opcode.  See Section 7.3.

7.2. Response Header

 All responses have the following format:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Version = 2  |R|   Opcode    |   Reserved    |  Result Code  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Lifetime (32 bits)                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Epoch Time (32 bits)                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                      Reserved (96 bits)                       |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                                                               :
   :             (optional) Opcode-specific response data          :
   :                                                               :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :             (optional) Options                                :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                Figure 3: Common Response Packet Format
 These fields are described below:
 Version:  Responses from servers compliant with this specification
    MUST use version 2.  This is set by the server.
 R: Indicates Request (0) or Response (1).  All Responses MUST use 1.
    This is set by the server.

Wing, et al. Standards Track [Page 15] RFC 6887 Port Control Protocol (PCP) April 2013

 Opcode:  The 7-bit Opcode value.  The server copies this value from
    the request.
 Reserved:  8 reserved bits, MUST be sent as 0, MUST be ignored when
    received.  This is set by the server.
 Result Code:  The result code for this response.  See Section 7.4 for
    values.  This is set by the server.
 Lifetime:  An unsigned 32-bit integer, in seconds, ranging from 0 to
    2^32-1 seconds.  On an error response, this indicates how long
    clients should assume they'll get the same error response from
    that PCP server if they repeat the same request.  On a success
    response for the PCP Opcodes that create a mapping (MAP and PEER),
    the Lifetime field indicates the lifetime for this mapping.  This
    is set by the server.
 Epoch Time:  The server's Epoch Time value.  See Section 8.5 for
    discussion.  This value is set by the server, in both success and
    error responses.
 Reserved:  96 reserved bits.  For requests that were successfully
    parsed, this MUST be sent as 0, MUST be ignored when received.
    This is set by the server.  For requests that were not
    successfully parsed, the server copies the last 96 bits of the PCP
    Client's IP Address field from the request message into this
    corresponding 96-bit field of the response.
 Opcode-specific information:  Payload data for this Opcode.  The
    length of this data is determined by the Opcode definition.
 PCP Options:  Zero, one, or more options that are legal for both a
    PCP response and for this Opcode.  See Section 7.3.

7.3. Options

 A PCP Opcode can be extended with one or more options.  Options can
 be used in requests and responses.  The design decisions in this
 specification about whether to include a given piece of information
 in the base Opcode format or in an option were an engineering trade-
 off between packet size and code complexity.  For information that is
 usually (or always) required, placing it in the fixed Opcode data
 results in simpler code to generate and parse the packet, because the
 information is a fixed location in the Opcode data, but wastes space
 in the packet in the event that field is all zeros because the
 information is not needed or not relevant.  For information that is
 required less often, placing it in an option results in slightly more
 complicated code to generate and parse packets containing that

Wing, et al. Standards Track [Page 16] RFC 6887 Port Control Protocol (PCP) April 2013

 option, but saves space in the packet when that information is not
 needed.  Placing information in an option also means that an
 implementation that never uses that information doesn't even need to
 implement code to generate and parse it.  For example, a client that
 never requests mappings on behalf of some other device doesn't need
 to implement code to generate the THIRD_PARTY option, and a PCP
 server that doesn't implement the necessary security measures to
 create third-party mappings safely doesn't need to implement code to
 parse the THIRD_PARTY option.
 Options use the following Type-Length-Value format:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Option Code  |  Reserved     |       Option Length           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   :                       (optional) Data                         :
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                       Figure 4: Options Header
 The description of the fields is as follows:
 Option Code:  8 bits.  Its most significant bit indicates if this
    option is mandatory (0) or optional (1) to process.
 Reserved:  8 bits.  MUST be set to 0 on transmission and MUST be
    ignored on reception.
 Option Length:  16 bits.  Indicates the length of the enclosed data,
    in octets.  Options with length of 0 are allowed.  Options that
    are not a multiple of 4 octets long are followed by one, two, or
    three 0 octets to pad their effective length in the packet to be a
    multiple of 4 octets.  The Option Length reflects the semantic
    length of the option, not including any padding octets.
 Data:  Option data.
 If several options are included in a PCP request, they MAY be encoded
 in any order by the PCP client, but MUST be processed by the PCP
 server in the order in which they appear.  It is the responsibility
 of the PCP client to ensure that the server has sufficient room to
 reply without exceeding the 1100-octet size limit; if its reply would
 exceed that size, the server generates an error.

Wing, et al. Standards Track [Page 17] RFC 6887 Port Control Protocol (PCP) April 2013

 If, while processing a PCP request, including its options, an error
 is encountered that causes a PCP error response to be generated, the
 PCP request MUST cause no state change in the PCP server or the
 PCP-controlled device (i.e., it rolls back any tentative changes it
 might have made while processing the request).  Such an error
 response MUST consist of a complete copy of the request packet with
 the error code and other appropriate fields set in the header.
 An option MAY appear more than once in a request or in a response, if
 permitted by the definition of the option.  If the option's
 definition allows the option to appear only once but it appears more
 than once in a request, and the option is understood by the PCP
 server, the PCP server MUST respond with the MALFORMED_OPTION result
 code.  If the PCP server encounters an invalid option (e.g., PCP
 option length is longer than the UDP packet length), the error
 MALFORMED_OPTION SHOULD be returned (rather than MALFORMED_REQUEST),
 as that helps the client better understand how the packet was
 malformed.  If a PCP response would have exceeded the maximum PCP
 message size, the PCP server SHOULD respond with MALFORMED_REQUEST.
 If the overall option structure of a request cannot successfully be
 parsed (e.g., a nonsensical option length), the PCP server MUST
 generate an error response with code MALFORMED_OPTION.
 If the overall option structure of a request is valid, then how each
 individual option is handled is determined by the most significant
 bit in the option code.  If the most significant bit is set, handling
 this option is optional, and a PCP server MAY process or ignore this
 option, entirely at its discretion.  If the most significant bit is
 clear, handling this option is mandatory, and a PCP server MUST
 return the error MALFORMED_OPTION if the option contents are
 malformed, or UNSUPP_OPTION if the option is unrecognized,
 unimplemented, or disabled, or if the client is not authorized to use
 the option.  In error responses, all options are returned.  In
 success responses, all processed options are included and unprocessed
 options are not included.
 Because the PCP client cannot reject a response containing an Option,
 PCP clients MUST ignore Options that they do not understand that
 appear in responses, including Options in the mandatory-to-process
 range.  Naturally, if a client explicitly requests an Option where
 correct execution of that Option requires processing the Option data
 in the response, that client SHOULD implement code to do that.

Wing, et al. Standards Track [Page 18] RFC 6887 Port Control Protocol (PCP) April 2013

 Different options are valid for different Opcodes.  For example:
 o  The THIRD_PARTY option is valid for both MAP and PEER Opcodes.
 o  The FILTER option is valid only for the MAP Opcode (for the PEER
    Opcode it would have no meaning).
 o  The PREFER_FAILURE option is valid only for the MAP Opcode (for
    the PEER Opcode, similar semantics are automatically implied).

7.4. Result Codes

 The following result codes may be returned as a result of any Opcode
 received by the PCP server.  The only success result code is 0; other
 values indicate an error.  If a PCP server encounters multiple errors
 during processing of a request, it SHOULD use the most specific error
 message.  Each error code below is classified as either a 'long
 lifetime' error or a 'short lifetime' error, which provides guidance
 to PCP server developers for the value of the Lifetime field for
 these errors.  It is RECOMMENDED that short lifetime errors use a
 30-second lifetime and long lifetime errors use a 30-minute lifetime.
 0  SUCCESS: Success.
 1  UNSUPP_VERSION: The version number at the start of the PCP Request
    header is not recognized by this PCP server.  This is a long
    lifetime error.  This document describes PCP version 2.
 2  NOT_AUTHORIZED: The requested operation is disabled for this PCP
    client, or the PCP client requested an operation that cannot be
    fulfilled by the PCP server's security policy.  This is a long
    lifetime error.
 3  MALFORMED_REQUEST: The request could not be successfully parsed.
    This is a long lifetime error.
 4  UNSUPP_OPCODE: Unsupported Opcode.  This is a long lifetime error.
 5  UNSUPP_OPTION: Unsupported option.  This error only occurs if the
    option is in the mandatory-to-process range.  This is a long
    lifetime error.
 6  MALFORMED_OPTION: Malformed option (e.g., appears too many times,
    invalid length).  This is a long lifetime error.
 7  NETWORK_FAILURE: The PCP server or the device it controls is
    experiencing a network failure of some sort (e.g., has not yet
    obtained an external IP address).  This is a short lifetime error.

Wing, et al. Standards Track [Page 19] RFC 6887 Port Control Protocol (PCP) April 2013

 8  NO_RESOURCES: Request is well-formed and valid, but the server has
    insufficient resources to complete the requested operation at this
    time.  For example, the NAT device cannot create more mappings at
    this time, is short of CPU cycles or memory, or is unable to
    handle the request due to some other temporary condition.  The
    same request may succeed in the future.  This is a system-wide
    error, different from USER_EX_QUOTA.  This can be used as a catch-
    all error, should no other error message be suitable.  This is a
    short lifetime error.
 9  UNSUPP_PROTOCOL: Unsupported transport protocol, e.g., SCTP in a
    NAT that handles only UDP and TCP.  This is a long lifetime error.
 10 USER_EX_QUOTA: This attempt to create a new mapping would exceed
    this subscriber's port quota.  This is a short lifetime error.
 11 CANNOT_PROVIDE_EXTERNAL: The suggested external port and/or
    external address cannot be provided.  This error MUST only be
    returned for:
    *  MAP requests that included the PREFER_FAILURE option
       (normal MAP requests will return an available external port)
    *  MAP requests for the SCTP protocol (PREFER_FAILURE is implied)
    *  PEER requests
    See Section 13.2 for details of the PREFER_FAILURE Option.  The
    error lifetime depends on the reason for the failure.
 12 ADDRESS_MISMATCH: The source IP address of the request packet does
    not match the contents of the PCP Client's IP Address field, due
    to an unexpected NAT on the path between the PCP client and the
    PCP-controlled NAT or firewall.  This is a long lifetime error.
 13 EXCESSIVE_REMOTE_PEERS: The PCP server was not able to create the
    filters in this request.  This result code MUST only be returned
    if the MAP request contained the FILTER option.  See Section 13.3
    for details of the FILTER Option.  This is a long lifetime error.

8. General PCP Operation

 PCP messages MUST be sent over UDP [RFC0768].  Every PCP request
 generates at least one response, so PCP does not need to run over a
 reliable transport protocol.
 When receiving multiple identical requests, the PCP server will
 generally generate identical responses -- barring cases where the PCP
 server's state changes between those requests due to other activity.
 As an example of how such a state change could happen, a request
 could be received while the PCP-controlled device has no mappings

Wing, et al. Standards Track [Page 20] RFC 6887 Port Control Protocol (PCP) April 2013

 available, and the PCP server will generate an error response.  If
 mappings become available and then another copy of that same request
 arrives (perhaps duplicated in transit in the network), the PCP
 server will allocate a mapping and generate a non-error response.  A
 PCP client MUST handle such updated responses for any request it
 sends, most notably to support rapid recovery (Section 14).  Also see
 the Protocol Design Note (Section 6).

8.1. General PCP Client: Generating a Request

 This section details operation specific to a PCP client, for any
 Opcode.  Procedures specific to the MAP Opcode are described in
 Section 11, and procedures specific to the PEER Opcode are described
 in Section 12.
 Prior to sending its first PCP message, the PCP client determines
 which server to use.  The PCP client performs the following steps to
 determine its PCP server:
 1.  if a PCP server is configured (e.g., in a configuration file or
     via DHCP), that single configuration source is used as the list
     of PCP server(s), else
 2.  the default router list (for IPv4 and IPv6) is used as the list
     of PCP server(s).  Thus, if a PCP client has both an IPv4 and
     IPv6 address, it will have an IPv4 PCP server (its IPv4 default
     router) for its IPv4 mappings, and an IPv6 PCP server (its IPv6
     default router) for its IPv6 mappings.
 For the purposes of this document, only a single PCP server address
 is supported.  Should future specifications define configuration
 methods that provide a longer list of PCP server addresses, those
 specifications will define how clients select one or more addresses
 from that list.
 With that PCP server address, the PCP client formulates its PCP
 request.  The PCP request contains a PCP common header, PCP Opcode
 and payload, and (possibly) options.  As with all UDP client software
 on any operating system, when several independent PCP clients exist
 on the same host, each uses a distinct source port number to
 disambiguate their requests and replies.  The PCP client's source
 port SHOULD be randomly generated [RFC6056].
 The PCP client MUST include the source IP address of the PCP message
 in the PCP request.  This is typically its own IP address; see
 Section 16.4 for how this can be coded.  This is used to detect an
 unexpected NAT on the path between the PCP client and the
 PCP-controlled NAT or firewall device, to avoid wasting resources on

Wing, et al. Standards Track [Page 21] RFC 6887 Port Control Protocol (PCP) April 2013

 the PCP-controlled NAT creating pointless non-functional mappings.
 When such an intervening non-PCP-aware inner NAT is detected,
 mappings must first be created by some other means in the inner NAT,
 before mappings can be usefully created in the outer PCP-controlled
 NAT.  Having created mappings in the inner NAT by some other means,
 the PCP client should then use the inner NAT's external address as
 the client IP address, to signal to the outer PCP-controlled NAT that
 the client is aware of the inner NAT, and has taken steps to create
 mappings in it by some other means, so that mappings created in the
 outer NAT will not be a pointless waste of resources.

8.1.1. PCP Client Retransmission

 PCP clients are responsible for reliable delivery of PCP request
 messages.  If a PCP client fails to receive an expected response from
 a server, the client must retransmit its message.  The
 retransmissions MUST use the same Mapping Nonce value (see Sections
 11.1 and 12.1).  The client begins the message exchange by
 transmitting a message to the server.  The message exchange continues
 for as long as the client wishes to maintain the mapping, and
 terminates when the PCP client is no longer interested in the PCP
 transaction (e.g., the application that requested the mapping is no
 longer interested in the mapping) or (optionally) when the message
 exchange is considered to have failed according to the retransmission
 mechanism described below.
 The client retransmission behavior is controlled and described by the
 following variables:
   RT:   Retransmission timeout, calculated as described below
  IRT:   Initial retransmission time, SHOULD be 3 seconds
  MRC:   Maximum retransmission count, SHOULD be 0 (0 indicates no
         maximum)
  MRT:   Maximum retransmission time, SHOULD be 1024 seconds
  MRD:   Maximum retransmission duration, SHOULD be 0 (0 indicates no
         maximum)
 RAND:   Randomization factor, calculated as described below
 With each message transmission or retransmission, the client sets RT
 according to the rules given below.  If RT expires before a response
 is received, the client retransmits the request and computes a new
 RT.

Wing, et al. Standards Track [Page 22] RFC 6887 Port Control Protocol (PCP) April 2013

 Each of the computations of a new RT include a new randomization
 factor (RAND), which is a random number chosen with a uniform
 distribution between -0.1 and +0.1.  The randomization factor is
 included to minimize synchronization of messages transmitted by PCP
 clients.  The algorithm for choosing a random number does not need to
 be cryptographically sound.  The algorithm SHOULD produce a different
 sequence of random numbers from each invocation of the PCP client.
 The RT value is initialized based on IRT:
    RT = (1 + RAND) * IRT
 RT for each subsequent message transmission is based on the previous
 value of RT, subject to the upper bound on the value of RT specified
 by MRT.  If MRT has a value of 0, there is no upper limit on the
 value of RT, and MRT is treated as "infinity".  The new value of RT
 is calculated as shown below, where RTprev is the current value of
 RT:
    RT = (1 + RAND) * MIN (2 * RTprev, MRT)
 MRC specifies an upper bound on the number of times a client may
 retransmit a message.  Unless MRC is zero, the message exchange fails
 once the client has transmitted the message MRC times.
 MRD specifies an upper bound on the length of time a client may
 retransmit a message.  Unless MRD is zero, the message exchange fails
 once MRD seconds have elapsed since the client first transmitted the
 message.
 If both MRC and MRD are non-zero, the message exchange fails whenever
 either of the conditions specified in the previous two paragraphs are
 met.  If both MRC and MRD are zero, the client continues to transmit
 the message until it receives a response or the client no longer
 wants a mapping.
 Once a PCP client has successfully received a response from a PCP
 server on that interface, it resets RT to a value randomly selected
 in the range 1/2 to 5/8 of the mapping lifetime, as described in
 Section 11.2.1, "Renewing a Mapping", and sends subsequent PCP
 requests for that mapping to that same server.
    Note: If the server's state changes between retransmissions and
    the server's response is delayed or lost, the state in the PCP
    client and server may not be synchronized.  This is not unique to
    PCP, but also occurs with other network protocols (e.g., TCP).  In
    the unlikely event that such de-synchronization occurs, PCP heals
    itself after lifetime seconds.

Wing, et al. Standards Track [Page 23] RFC 6887 Port Control Protocol (PCP) April 2013

8.2. General PCP Server: Processing a Request

 This section details operation specific to a PCP server.  Processing
 SHOULD be performed in the order of the following paragraphs.
 A PCP server MUST only accept normal (non-THIRD_PARTY) PCP requests
 from a client on the same interface from which it would normally
 receive packets from that client, and it MUST silently ignore PCP
 requests arriving on any other interface.  For example, a residential
 NAT gateway accepts PCP requests only when they arrive on its (LAN)
 interface connecting to the internal network, and silently ignores
 any PCP requests arriving on its external (WAN) interface.  A PCP
 server that supports THIRD_PARTY requests MAY be configured to accept
 THIRD_PARTY requests on other configured interfaces (see Section 13.1
 for details on the THIRD_PARTY Option).
 Upon receiving a request, the PCP server parses and validates it.  A
 valid request contains a valid PCP common header, one valid PCP
 Opcode, and zero or more options (which the server might or might not
 comprehend).  If an error is encountered during processing, the
 server generates an error response that is sent back to the PCP
 client.  Processing of an Opcode and its options is specific to each
 Opcode.
 Error responses have the same packet layout as success responses,
 with certain fields from the request copied into the response, and
 other fields assigned by the PCP server set as indicated in Figure 3.
 Copying request fields into the response is important because this is
 what enables a client to identify to which request a given response
 pertains.  For Opcodes that are understood by the PCP server, it
 follows the requirements of that Opcode to copy the appropriate
 fields.  For Opcodes that are not understood by the PCP server, it
 simply generates the UNSUPP_OPCODE response and copies fields from
 the PCP header and copies the rest of the PCP payload as is (without
 attempting to interpret it).
 All responses (both error and success) contain the same Opcode as the
 request, but with the "R" bit set.
 Any error response has a non-zero result code, and is created by:
 o  Copying the entire UDP payload, or 1100 octets, whichever is less,
    and zero-padding the response to a multiple of 4 octets if
    necessary
 o  Setting the R bit
 o  Setting the result code
 o  Setting the Lifetime, Epoch Time, and Reserved fields

Wing, et al. Standards Track [Page 24] RFC 6887 Port Control Protocol (PCP) April 2013

 o  Updating other fields in the response, as indicated by 'set by the
    server' in the PCP response field description
 A success response has a zero result code, and is created by:
 o  Copying the first 4 octets of request packet header
 o  Setting the R bit
 o  Setting the result code to zero
 o  Setting the Lifetime, Epoch Time, and Reserved fields
 o  Possibly setting Opcode-specific response data if appropriate
 o  Adding any processed options to the response message
 If the received PCP request message is less than 2 octets long, it is
 silently dropped.
 If the R bit is set, the message is silently dropped.
 If the first octet (version) is a version that is not supported, a
 response is generated with the UNSUPP_VERSION result code, and the
 Version Negotiation steps detailed in Section 9 are followed.
 Otherwise, if the version is supported but the received message is
 shorter than 24 octets, the message is silently dropped.
 If the server is overloaded by requests (from a particular client or
 from all clients), it MAY simply silently discard requests, as the
 requests will be retried by PCP clients, or it MAY generate the
 NO_RESOURCES error response.
 If the length of the message exceeds 1100 octets, is not a multiple
 of 4 octets, or is too short for the Opcode in question, it is
 invalid and a MALFORMED_REQUEST response is generated, and the
 response message is truncated to 1100 octets.
 The PCP server compares the source IP address (from the received IP
 header) with the field PCP Client IP Address.  If they do not match,
 the error ADDRESS_MISMATCH MUST be returned.  This is done to detect
 and prevent accidental use of PCP where a non-PCP-aware NAT exists
 between the PCP client and PCP server.  If the PCP client wants such
 a mapping, it needs to ensure that the PCP field matches its apparent
 IP address from the perspective of the PCP server.

8.3. General PCP Client: Processing a Response

 The PCP client receives the response and verifies that the source IP
 address and port belong to the PCP server of a previously sent PCP
 request.  If not, the response is silently dropped.

Wing, et al. Standards Track [Page 25] RFC 6887 Port Control Protocol (PCP) April 2013

 If the received PCP response message is less than 4 octets long, it
 is silently dropped.
 If the R bit is clear, the message is silently dropped.
 If the error code is UNSUPP_VERSION, Version Negotiation processing
 continues as described in Section 9.
 Responses shorter than 24 octets, longer than 1100 octets, or not a
 multiple of 4 octets are invalid and ignored.
 The PCP client then validates that the Opcode matches a previous PCP
 request.  If the response does not match a previous PCP request, the
 response is ignored.  The response is further matched by comparing
 fields in the response Opcode-specific data to fields in the request
 Opcode-specific data, as described by the processing for that Opcode.
 If that fails, the response is ignored.
 After these matches are successful, the PCP client checks the Epoch
 Time field (see Section 8.5) to determine if it needs to restore its
 state to the PCP server.  A PCP client SHOULD be prepared to receive
 multiple responses from the PCP server at any time after a single
 request is sent.  This allows the PCP server to inform the client of
 mapping changes such as an update or deletion.  For example, a PCP
 server might send a SUCCESS response and, after a configuration
 change on the PCP server, later send a NOT_AUTHORIZED response.  A
 PCP client MUST be prepared to receive responses for requests it
 never sent (which could have been sent by a previous PCP instance on
 this same host, or by a previous host that used the same client IP
 address, or by a malicious attacker) by simply ignoring those
 unexpected messages.
 If the error ADDRESS_MISMATCH is received, it indicates the presence
 of a NAT between the PCP client and PCP server.  Procedures to
 resolve this problem are beyond the scope of this document.
 For both success and error responses, a Lifetime value is returned.
 The lifetime indicates how long this response should be considered
 valid by the client (i.e for success results, how long the mapping
 will last, and for failure results how long the same failure
 condition should be expected to persist).  The PCP client SHOULD
 impose an upper limit on this returned value (to protect against
 absurdly large values, e.g., 5 years), detailed in Section 15,
 "Mapping Lifetime and Deletion".
 If the result code is 0 (SUCCESS), the request succeeded.

Wing, et al. Standards Track [Page 26] RFC 6887 Port Control Protocol (PCP) April 2013

 If the result code is not 0, the request failed, and the PCP client
 SHOULD NOT resend the same request for the indicated lifetime of the
 error (as limited by the sanity checking detailed in Section 15).
 If the PCP client has discovered a new PCP server (e.g., connected to
 a new network), the PCP client MAY immediately begin communicating
 with this PCP server, without regard to hold times from communicating
 with a previous PCP server.

8.4. Multi-Interface Issues

 Hosts that desire a PCP mapping might be multi-interfaced (i.e., own
 several logical/physical interfaces).  Indeed, a host can be
 configured with several IPv4 addresses (e.g., WiFi and Ethernet) or
 dual-stacked.  These IP addresses may have distinct reachability
 scopes (e.g., if IPv6, they might have global reachability scope as
 is the case for a Global Unicast Address (GUA) [RFC3587] or limited
 scope as is the case for a Unique Local Address (ULA) [RFC4193]).
 IPv6 addresses with global reachability (e.g., GUAs) SHOULD be used
 as the source address when generating a PCP request.  IPv6 addresses
 without global reachability (e.g., ULAs) SHOULD NOT be used as the
 source interface when generating a PCP request.  If IPv6 privacy
 addresses [RFC4941] are used for PCP mappings, a new PCP request will
 need to be issued whenever the IPv6 privacy address is changed.  This
 PCP request SHOULD be sent from the IPv6 privacy address itself.  It
 is RECOMMENDED that the client delete its mappings to the previous
 privacy address after it no longer needs those old mappings.
 Due to the ubiquity of IPv4 NAT, IPv4 addresses with limited scope
 (e.g., private addresses [RFC1918]) MAY be used as the source
 interface when generating a PCP request.

8.5. Epoch

 Every PCP response sent by the PCP server includes an Epoch Time
 field.  This time field increments by one every second.  Anomalies in
 the received Epoch Time value provide a hint to PCP clients that a
 PCP server state loss may have occurred.  Clients respond to such
 state loss hints by promptly renewing their mappings, so as to
 quickly restore any lost state at the PCP server.
 If the PCP server resets or loses the state of its explicit dynamic
 mappings (that is, those mappings created by PCP requests), due to
 reboot, power failure, or any other reason, it MUST reset its Epoch
 time to its initial starting value (usually zero) to provide this
 hint to PCP clients.  After resetting its Epoch time, the PCP server
 resumes incrementing the Epoch Time value by one every second.

Wing, et al. Standards Track [Page 27] RFC 6887 Port Control Protocol (PCP) April 2013

 Similarly, if the external IP address(es) of the NAT (controlled by
 the PCP server) changes, the Epoch time MUST be reset.  A PCP server
 MAY maintain one Epoch Time value for all PCP clients or MAY maintain
 distinct Epoch Time values (per PCP client, per interface, or based
 on other criteria); this choice is implementation-dependent.
 Whenever a client receives a PCP response, the client validates the
 received Epoch Time value according to the procedure below, using
 integer arithmetic:
 o  If this is the first PCP response the client has received from
    this PCP server, the Epoch Time value is treated as necessarily
    valid, otherwise
  • If the current PCP server Epoch time (curr_server_time) is less

than the previously received PCP server Epoch time

       (prev_server_time) by more than one second, then the client
       treats the Epoch time as obviously invalid (time should not go
       backwards).  The server Epoch time apparently going backwards
       by *up to* one second is not deemed invalid, so that minor
       packet reordering on the path from PCP server to PCP client
       does not trigger a cascade of unnecessary mapping renewals.  If
       the server Epoch time passes this check, then further
       validation checks are performed:
       +  The client computes the difference between its
          current local time (curr_client_time) and the
          time the previous PCP response was received from this PCP
          server (prev_client_time):
          client_delta = curr_client_time - prev_client_time;
       +  The client computes the difference between the
          current PCP server Epoch time (curr_server_time) and the
          previously received Epoch time (prev_server_time):
          server_delta = curr_server_time - prev_server_time;
       +  If client_delta+2 < server_delta - server_delta/16
          or server_delta+2 < client_delta - client_delta/16,
          then the client treats the Epoch Time value as invalid,
          else the client treats the Epoch Time value as valid.
 o  The client records the current time values for use in its next
    comparison:
    prev_client_time = curr_client_time
    prev_server_time = curr_server_time

Wing, et al. Standards Track [Page 28] RFC 6887 Port Control Protocol (PCP) April 2013

 If the PCP client determined that the Epoch Time value it received
 was invalid, then it concludes that the PCP server may have lost
 state, and promptly renews all its active port mapping leases
 following the mapping recreation procedure described in
 Section 16.3.1.
 Notes:
 o  The client clock MUST never go backwards.  If curr_client_time is
    found to be less than prev_client_time, then this is a client bug,
    and how the client deals with this client bug is implementation
    specific.
 o  The calculations above are constructed to allow client_delta and
    server_delta to be computed as unsigned integer values.
 o  The "+2" in the calculations above is to accommodate quantization
    errors in client and server clocks (up to one-second quantization
    error each in server and client time intervals).
 o  The "/16" in the calculations above is to accommodate inaccurate
    clocks in low-cost devices.  This allows for a total discrepancy
    of up to 1/16 (6.25%) to be considered benign; e.g., if one clock
    were to run too fast by 3% while the other clock ran too slow by
    3%, then the client would not consider this difference to be
    anomalous or indicative of a restart having occurred.  This
    tolerance is strict enough to be effective at detecting reboots,
    while not being so strict as to generate false alarms.

9. Version Negotiation

 A PCP client sends its requests using PCP version number 2.  Should
 later updates to this document specify different message formats with
 a version number greater than 2, it is expected that PCP servers will
 still support version 2 in addition to the newer version(s).
 However, in the event that a server returns a response with result
 code UNSUPP_VERSION, the client MAY log an error message to inform
 the user that it is too old to work with this server.
 Should later updates to this document specify different message
 formats with a version number greater than 2, and backwards
 compatibility be desired, this first octet can be used for forward
 and backward compatibility.

Wing, et al. Standards Track [Page 29] RFC 6887 Port Control Protocol (PCP) April 2013

 If future PCP versions greater than 2 are specified, version
 negotiation proceeds as follows:
 1.  The client sends its first request using the highest
     (i.e., presumably 'best') version number it supports.
 2.  If the server supports that version, it responds normally.
 3.  If the server does not support that version, it replies giving a
     result containing the result code UNSUPP_VERSION, and the closest
     version number it does support (if the server supports a range of
     versions higher than the client's requested version, the server
     returns the lowest of that supported range; if the server
     supports a range of versions lower than the client's requested
     version, the server returns the highest of that supported range).
 4.  If the client receives an UNSUPP_VERSION result containing a
     version it does support, it records this fact and proceeds to use
     this message version for subsequent communication with this PCP
     server (until a possible future UNSUPP_VERSION response if the
     server is later updated, at which point the version negotiation
     process repeats).  If the version number in the UNSUPP_VERSION
     response is zero then that means this is a NAT-PMP server
     [RFC6886], and a client MAY choose to communicate with it using
     the older NAT-PMP protocol, as described in Appendix A.
 5.  If the client receives an UNSUPP_VERSION result containing a
     version it does not support, then the client SHOULD try the next-
     lower version supported by the client.  The attempt to use the
     next-lower version repeats until the client has tried version 2.
     If using version 2 fails, the client MAY log an error message to
     inform the user that it is too old to work with this server, and
     the client SHOULD set a timer to retry its request in 30 minutes
     or the returned Lifetime value, whichever is smaller.  By
     automatically retrying in 30 minutes, the protocol accommodates
     an upgrade of the PCP server.

10. Introduction to MAP and PEER Opcodes

 There are four uses for the MAP and PEER Opcodes defined in this
 document:
 o  a host operating a server and wanting an incoming connection
    (Section 10.1);
 o  a host operating a client and server on the same port
    (Section 10.2);

Wing, et al. Standards Track [Page 30] RFC 6887 Port Control Protocol (PCP) April 2013

 o  a host operating a client and wanting to optimize the application
    keepalive traffic (Section 10.3); and
 o  a host operating a client and wanting to restore lost state in its
    NAT (Section 10.4).
 These are discussed in the following sections, and a (non-normative)
 state diagram is provided in Section 16.5.
 When operating a server (see Sections 10.1 and 10.2), the PCP client
 knows if it wants an IPv4 listener, IPv6 listener, or both on the
 Internet.  The PCP client also knows if it has an IPv4 address or
 IPv6 address configured on one of its interfaces.  It takes the union
 of this knowledge to decide to which of its PCP servers to send the
 request (e.g., an IPv4 address or an IPv6 address), and whether to
 send one or two MAP requests for each of its interfaces (e.g., if the
 PCP client has only an IPv4 address but wants both IPv6 and IPv4
 listeners, it sends a MAP request containing the all-zeros IPv6
 address in the Suggested External Address field, and sends a second
 MAP request containing the all-zeros IPv4 address in the Suggested
 External Address field).  If the PCP client has both an IPv4 and IPv6
 address, and only wants an IPv4 listener, it sends one MAP request
 from its IPv4 address (if the PCP server supports NAT44 or IPv4
 firewall) or one MAP request from its IPv6 address (if the PCP server
 supports NAT64).  The PCP client can simply request the desired
 mapping to determine if the PCP server supports the desired mapping.
 Applications that embed IP addresses in payloads (e.g., FTP, SIP)
 will find it beneficial to avoid address family translation, if
 possible.
 The MAP and PEER requests include a Suggested External IP Address
 field.  Some PCP-controlled devices, especially CGN but also multi-
 homed NPTv6 networks, have a pool of public-facing IP addresses.  PCP
 allows the client to indicate if it wants a mapping assigned on a
 specific address of that pool or any address of that pool.  Some
 applications will break if mappings are created on different IP
 addresses (e.g., active mode FTP), so applications should carefully
 consider the implications of using this capability.  Static mappings
 for that internal address (e.g., those created by a command-line
 interface on the PCP server or PCP-controlled device) may exist to a
 certain external address, and if the suggested external IP address is
 the IPv4 or IPv6 all-zeros address, PCP SHOULD assign its mappings to
 the same external address, as this can also help applications using a
 mix of both static mappings and PCP-created mappings.  If, on the
 other hand, the suggested external IP address contains a non-zero IP
 address the PCP server SHOULD create a mapping to that external
 address, even if there are other mappings from that same internal
 address to a different external address.  Once an internal address

Wing, et al. Standards Track [Page 31] RFC 6887 Port Control Protocol (PCP) April 2013

 has no implicit dynamic mappings and no explicit dynamic mappings in
 the PCP-controlled device, a subsequent implicit or explicit mapping
 for that internal address MAY be assigned to a different External
 address.  Generally, this reassignment would occur when a CGN device
 is load balancing newly seen internal addresses to its public pool of
 external addresses.
 The following table summarizes how various common PCP deployments use
 IPv6 and IPv4 addresses.
 The 'internal' address is implicitly the same as the source IP
 address of the PCP request, except when the THIRD_PARTY option is
 used.
 The 'external' address is the Suggested External Address field of the
 MAP or PEER request, and its address family is usually the same as
 the 'internal' address family, except when technologies like NAT64
 are used.
 The 'remote peer' address is the remote peer IP address of the PEER
 request or the FILTER option of the MAP request, and is always the
 same address family as the 'internal' address, even when NAT64 is
 used.  In NAT64, the IPv6 PCP client is not necessarily aware of the
 NAT64 or aware of the actual IPv4 address of the remote peer, so it
 expresses the IPv6 address from its perspective, as shown in Figure
 5.
               internal  external  PCP remote peer  actual remote peer
               --------  -------   ---------------  ------------------
 IPv4 firewall   IPv4      IPv4         IPv4              IPv4
 IPv6 firewall   IPv6      IPv6         IPv6              IPv6
         NAT44   IPv4      IPv4         IPv4              IPv4
         NAT46   IPv4      IPv6         IPv4              IPv6
         NAT64   IPv6      IPv4         IPv6              IPv4
         NPTv6   IPv6      IPv6         IPv6              IPv6
             Figure 5: Address Families with MAP and PEER
 Note that the internal address and the remote peer address are always
 the same address family, and the external address and the actual
 remote peer address are always the same address family.

Wing, et al. Standards Track [Page 32] RFC 6887 Port Control Protocol (PCP) April 2013

10.1. For Operating a Server

 A host operating a server (e.g., a web server) listens for traffic on
 a port, but the server never initiates traffic from that port.  For
 this to work across a NAT or a firewall, the host needs to (a) create
 a mapping from a public IP address, protocol, and port to itself
 using the MAP Opcode, as described in Section 11; (b) publish that
 public IP address, protocol, and port via some sort of rendezvous
 server (e.g., DNS, a SIP message, or a proprietary protocol); and
 (c) ensure that any other non-PCP-speaking packet filtering
 middleboxes on the path (e.g., host-based firewall, network-based
 firewall, or other NATs) will also allow the incoming traffic.
 Publishing the public IP address and port is out of scope of this
 specification.  To accomplish (a), the host follows the procedures
 described in this section.
 As normal, the application needs to begin listening on a port.  Then,
 the application constructs a PCP message with the MAP Opcode, with
 the external address set to the appropriate all-zeros address,
 depending on whether it wants a public IPv4 or IPv6 address.

Wing, et al. Standards Track [Page 33] RFC 6887 Port Control Protocol (PCP) April 2013

 The following pseudocode shows how PCP can be reliably used to
 operate a server:
  /* start listening on the local server port */
  int s = socket(...);
  bind(s, ...);
  listen(s, ...);
  getsockname(s, &internal_sockaddr, ...);
  bzero(&external_sockaddr, sizeof(external_sockaddr));
  while (1)
      {
      /* Note: The "time_to_send_pcp_request()" check below includes:
       * 1. Sending the first request
       * 2. Retransmitting requests due to packet loss
       * 3. Resending a request due to impending lease expiration
       * 4. Resending a request due to server state loss
       * The PCP packet sent is identical in all four cases; from
       * the PCP server's point of view they are the same operation.
       * The suggested external address and port may be updated
       * repeatedly during the lifetime of the mapping.
       * Other fields in the packet generally remain unchanged.
       */
      if (time_to_send_pcp_request())
          pcp_send_map_request(internal_sockaddr.sin_port,
              internal_sockaddr.sin_addr,
              &external_sockaddr, /* will be zero the first time */
              requested_lifetime, &assigned_lifetime);
      if (pcp_response_received())
          update_rendezvous_server("Client Ident", external_sockaddr);
      if (received_incoming_connection_or_packet())
          process_it(s);
      if (other_work_to_do())
          do_it();
      /* ... */
      block_until_we_need_to_do_something_else();
      }
        Figure 6: Pseudocode for Using PCP to Operate a Server

Wing, et al. Standards Track [Page 34] RFC 6887 Port Control Protocol (PCP) April 2013

10.2. For Operating a Symmetric Client/Server

 A host operating a client and server on the same port (e.g.,
 Symmetric RTP [RFC4961] or SIP Symmetric Response Routing (rport)
 [RFC3581]) first establishes a local listener, (usually) sends the
 local and public IP addresses, protocol, and ports to a rendezvous
 service (which is out of scope of this document), and initiates an
 outbound connection from that same source address and same port.  To
 accomplish this, the application uses the procedure described in this
 section.
 An application that is using the same port for outgoing connections
 as well as incoming connections MUST first signal its operation of a
 server using the PCP MAP Opcode, as described in Section 11, and
 receive a positive PCP response before it sends any packets from that
 port.
    Discussion: In general, a PCP client doesn't know in advance if it
    is behind a NAT or firewall.  On detecting that the host has
    connected to a new network, the PCP client can attempt to request
    a mapping using PCP; if that succeeds, then the client knows it
    has successfully created a mapping.  If, after multiple retries,
    it has received no PCP response, then either the client is *not*
    behind a NAT or firewall and has unfettered connectivity or the
    client *is* behind a NAT or firewall that doesn't support PCP (and
    the client may still have working connectivity by virtue of static
    mappings previously created manually by the user).  Retransmitting
    PCP requests multiple times before giving up and assuming
    unfettered connectivity adds delay in that case.  Initiating
    outbound TCP connections immediately without waiting for PCP
    avoids this delay, and will work if the NAT has endpoint-
    independent mapping (EIM) behavior, but may fail if the NAT has
    endpoint-dependent mapping (EDM) behavior.  Waiting enough time to
    allow an explicit PCP MAP mapping to be created (if possible)
    first ensures that the same external port will then be used for
    all subsequent implicit dynamic mappings (e.g., TCP SYNs) sent
    from the specified internal address, protocol, and port.  PCP
    supports both EIM and EDM NATs, so clients need to assume they may
    be dealing with an EDM NAT.  In this case, the client will
    experience more reliable connectivity if it attempts explicit PCP
    MAP requests first, before initiating any outbound TCP connections
    from that internal address and port.  For further information on
    using PCP with EDM NATs, see Section 16.1.

Wing, et al. Standards Track [Page 35] RFC 6887 Port Control Protocol (PCP) April 2013

 The following pseudocode shows how PCP can be used to operate a
 symmetric client and server:
  /* start listening on the local server port */
  int s = socket(...);
  bind(s, ...);
  listen(s, ...);
  getsockname(s, &internal_sockaddr, ...);
  bzero(&external_sockaddr, sizeof(external_sockaddr));
  while (1)
      {
      /* Note: The "time_to_send_pcp_request()" check below includes:
       * 1. Sending the first request
       * 2. Retransmitting requests due to packet loss
       * 3. Resending a request due to impending lease expiration
       * 4. Resending a request due to server state loss
       */
      if (time_to_send_pcp_request())
          pcp_send_map_request(internal_sockaddr.sin_port,
              internal_sockaddr.sin_addr,
              &external_sockaddr, /* will be zero the first time */
              requested_lifetime, &assigned_lifetime);
      if (pcp_response_received())
          update_rendezvous_server("Client Ident", external_sockaddr);
      if (received_incoming_connection_or_packet())
          process_it(s);
      if (need_to_make_outgoing_connection())
          make_outgoing_connection(s, ...);
      if (data_to_send())
          send_it(s);
      if (other_work_to_do())
          do_it();
      /* ... */
      block_until_we_need_to_do_something_else();
      }
            Figure 7: Pseudocode for Using PCP to Operate a
                        Symmetric Client/Server

Wing, et al. Standards Track [Page 36] RFC 6887 Port Control Protocol (PCP) April 2013

10.3. For Reducing NAT or Firewall Keepalive Messages

 A host operating a client (e.g., XMPP client, SIP client) sends from
 a port, and may receive responses, but never accepts incoming
 connections from other remote peers on this port.  It wants to ensure
 that the flow to its remote peer is not terminated (due to
 inactivity) by an on-path NAT or firewall.  To accomplish this, the
 application uses the procedure described in this section.
 Middleboxes, such as NATs or firewalls, generally need to see
 occasional traffic or they will terminate their session state,
 causing application failures.  To avoid this, many applications
 routinely generate keepalive traffic for the primary (or sole)
 purpose of maintaining state with such middleboxes.  Applications can
 reduce such application keepalive traffic by using PCP.
    Note: For reasons beyond NAT, an application may find it useful to
    perform application-level keepalives, such as to detect a broken
    path between the client and server, keep state alive on the remote
    peer, or detect a powered-down client.  These keepalives are not
    related to maintaining middlebox state, and PCP cannot do anything
    useful to reduce those keepalives.
 To use PCP for this function, the application first connects to its
 server, as normal.  Afterwards, it issues a PCP request with the PEER
 Opcode as described in Section 12 to learn and/or extend the lifetime
 of its mapping.

Wing, et al. Standards Track [Page 37] RFC 6887 Port Control Protocol (PCP) April 2013

 The following pseudocode shows how PCP can be reliably used with a
 dynamic socket, for the purposes of reducing application keepalive
 messages:
  /* make outgoing connection to server */
  int s = socket(...);
  connect(s, &remote_peer, ...);
  getsockname(s, &internal_sockaddr, ...);
  bzero(&external_sockaddr, sizeof(external_sockaddr));
  while (1)
      {
      /* Note: The "time_to_send_pcp_request()" check below includes:
       * 1. Sending the first request
       * 2. Retransmitting requests due to packet loss
       * 3. Resending a request due to impending lease expiration
       * 4. Resending a request due to server state loss
       */
      if (time_to_send_pcp_request())
          pcp_send_peer_request(internal_sockaddr.sin_port,
              internal_sockaddr.sin_addr,
              &external_sockaddr, /* will be zero the first time */
              remote_peer, requested_lifetime, &assigned_lifetime);
      if (data_to_send())
          send_it(s);
      if (received_incoming_data())
          process_it(s);
      if (other_work_to_do())
          do_it();
      /* ... */
      block_until_we_need_to_do_something_else();
      }
         Figure 8: Pseudocode Using PCP with a Dynamic Socket

10.4. For Restoring Lost Implicit TCP Dynamic Mapping State

 After a NAT loses state (e.g., because of a crash or power failure),
 it is useful for clients to re-establish TCP mappings on the NAT.
 This allows servers on the Internet to see traffic from the same IP
 address and port, so that sessions can be resumed exactly where they
 were left off.  This can be useful for long-lived connections

Wing, et al. Standards Track [Page 38] RFC 6887 Port Control Protocol (PCP) April 2013

 (e.g., instant messaging) or for connections transferring a lot of
 data (e.g., FTP).  This can be accomplished by first establishing a
 TCP connection normally and then sending a PEER request/response and
 remembering the external address and external port.  Later, when the
 NAT has lost state, the client can send a PEER request with the
 suggested external port and suggested external address remembered
 from the previous session, which will create a mapping in the NAT
 that functions exactly as an implicit dynamic mapping.  The client
 then resumes sending TCP data to the server.
    Note: This procedure works well for TCP, provided:
       (i) the NAT creates a new implicit dynamic outbound mapping
       only for outbound TCP segments with the SYN bit set (i.e., the
       newly booted NAT silently drops outbound data segments from the
       client when the NAT does not have an active mapping for those
       segments), and
       (ii) the newly booted NAT does not send a TCP RST in response
       to receiving unexpected inbound TCP segments.
    This procedure works less well for UDP, because as soon as
    outbound UDP traffic is seen by the NAT, a new UDP implicit
    dynamic outbound mapping will be created (probably on a different
    port).

11. MAP Opcode

 This section defines an Opcode that controls inbound forwarding from
 a NAT (or firewall) to an internal host.
 MAP:  Create an explicit dynamic mapping between an Internal Address
         + Port and an External Address + Port.
 PCP servers SHOULD provide a configuration option to allow
 administrators to disable MAP support if they wish.
 Mappings created by PCP MAP requests are, by definition, endpoint-
 independent mappings (EIMs) with endpoint-independent filtering (EIF)
 (unless the FILTER option is used), even on a NAT that usually
 creates endpoint-dependent mapping (EDM) or endpoint-dependent
 filtering (EDF) for outgoing connections, since the purpose of an
 (unfiltered) MAP mapping is to receive inbound traffic from any
 remote endpoint, not from only one specific remote endpoint.
 Note also that all NAT mappings (created by PCP or otherwise) are by
 necessity bidirectional and symmetric.  For any packet going in one
 direction (in or out) that is translated by the NAT, a reply going in

Wing, et al. Standards Track [Page 39] RFC 6887 Port Control Protocol (PCP) April 2013

 the opposite direction needs to have the corresponding opposite
 translation done so that the reply arrives at the right endpoint.
 This means that if a client creates a MAP mapping, and then later
 sends an outgoing packet using the mapping's internal address,
 protocol, and port, the NAT should translate that packet's internal
 address and port to the mapping's external address and port, so that
 replies addressed to the external address and port are correctly
 translated back to the mapping's internal address and port.
 On operating systems that allow multiple listening servers to bind to
 the same internal address, protocol, and port, servers MUST ensure
 that they have exclusive use of that internal address, protocol, and
 port (e.g., by binding the port using INADDR_ANY, or using
 SO_EXCLUSIVEADDRUSE or similar) before sending their PCP MAP request,
 to ensure that no other PCP clients on the same machine are also
 listening on the same internal protocol and internal port.
 As a side effect of creating a mapping, ICMP messages associated with
 the mapping MUST be forwarded (and also translated, if appropriate)
 for the duration of the mapping's lifetime.  This is done to ensure
 that ICMP messages can still be used by hosts, without application
 programmers or PCP client implementations needing to use PCP
 separately to create ICMP mappings for those flows.
 The operation of the MAP Opcode is described in this section.

11.1. MAP Operation Packet Formats

 The MAP Opcode has a similar packet layout for both requests and
 responses.  If the assigned external IP address and port in the PCP
 response always match the internal IP address and port from the PCP
 request, then the functionality is purely a firewall; otherwise, the
 functionality is a Network Address Translator that might also perform
 firewall-like functions.

Wing, et al. Standards Track [Page 40] RFC 6887 Port Control Protocol (PCP) April 2013

 The following diagram shows the format of the Opcode-specific
 information in a request for the MAP Opcode.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                 Mapping Nonce (96 bits)                       |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Protocol    |          Reserved (24 bits)                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Internal Port          |    Suggested External Port    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |           Suggested External IP Address (128 bits)            |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                     Figure 9: MAP Opcode Request
 These fields are described below:
 Requested lifetime (in common header):  Requested lifetime of this
    mapping, in seconds.  The value 0 indicates "delete".
 Mapping Nonce:  Random value chosen by the PCP client.  See
    Section 11.2, "Generating a MAP Request".  Zero is a legal value
    (but unlikely, occurring in roughly one in 2^96 requests).
 Protocol:  Upper-layer protocol associated with this Opcode.  Values
    are taken from the IANA protocol registry [proto_numbers].  For
    example, this field contains 6 (TCP) if the Opcode is intended to
    create a TCP mapping.  This field contains 17 (UDP) if the Opcode
    is intended to create a UDP mapping.  The value 0 has a special
    meaning for 'all protocols'.
 Reserved:  24 reserved bits, MUST be sent as 0 and MUST be ignored
    when received.
 Internal Port:  Internal port for the mapping.  The value 0 indicates
    'all ports', and is legal when the lifetime is zero (a delete
    request), if the protocol does not use 16-bit port numbers, or the
    client is requesting 'all ports'.  If the protocol is zero
    (meaning 'all protocols'), then internal port MUST be zero on
    transmission and MUST be ignored on reception.

Wing, et al. Standards Track [Page 41] RFC 6887 Port Control Protocol (PCP) April 2013

 Suggested External Port:  Suggested external port for the mapping.
    This is useful for refreshing a mapping, especially after the PCP
    server loses state.  If the PCP client does not know the external
    port, or does not have a preference, it MUST use 0.
 Suggested External IP Address:  Suggested external IPv4 or IPv6
    address.  This is useful for refreshing a mapping, especially
    after the PCP server loses state.  If the PCP client does not know
    the external address, or does not have a preference, it MUST use
    the address-family-specific all-zeros address (see Section 5).
 The internal address for the request is the source IP address of the
 PCP request message itself, unless the THIRD_PARTY option is used.
 The following diagram shows the format of Opcode-specific information
 in a response packet for the MAP Opcode:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                 Mapping Nonce (96 bits)                       |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Protocol    |          Reserved (24 bits)                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Internal Port          |    Assigned External Port     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |            Assigned External IP Address (128 bits)            |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                    Figure 10: MAP Opcode Response
 These fields are described below:
 Lifetime (in common header):  On an error response, this indicates
    how long clients should assume they'll get the same error response
    from the PCP server if they repeat the same request.  On a success
    response, this indicates the lifetime for this mapping, in
    seconds.
 Mapping Nonce:  Copied from the request.
 Protocol:  Copied from the request.

Wing, et al. Standards Track [Page 42] RFC 6887 Port Control Protocol (PCP) April 2013

 Reserved:  24 reserved bits, MUST be sent as 0 and MUST be ignored
    when received.
 Internal Port:  Copied from the request.
 Assigned External Port:  On a success response, this is the assigned
    external port for the mapping.  On an error response, the
    suggested external port is copied from the request.
 Assigned External IP Address:  On a success response, this is the
    assigned external IPv4 or IPv6 address for the mapping.  An IPv4
    address is encoded using IPv4-mapped IPv6 address.  On an error
    response, the suggested external IP address is copied from the
    request.

11.2. Generating a MAP Request

 This section describes the operation of a PCP client when sending
 requests with the MAP Opcode.
 The request MAY contain values in the Suggested External Port and
 Suggested External IP Address fields.  This allows the PCP client to
 attempt to rebuild lost state on the PCP server, which improves the
 chances of existing connections surviving, and helps the PCP client
 avoid having to change information maintained at its rendezvous
 server.  Of course, due to other activity on the network (e.g., by
 other users or network renumbering), the PCP server may not be able
 to grant the suggested external IP address, protocol, and port, and
 in that case it will assign a different external IP address and port.
 A PCP client MUST be written assuming that it may *never* be assigned
 the external port it suggests.  In the case of recreating state after
 a NAT gateway crash, the suggested external port, being one that was
 previously allocated to this client, is likely to be available for
 this client to continue using.  In all other cases, the client MUST
 assume that it is unlikely that its suggested external port will be
 granted.  For example, when many subscribers are sharing a Carrier-
 Grade NAT, popular ports such as 80, 443, and 8080 are likely to be
 in high demand.  At most one client can have each of those popular
 ports for each external IP address, and all the other clients will be
 assigned other, dynamically allocated, external ports.  Indeed, some
 ISPs may, by policy, choose not to grant those external ports to
 *anyone*, so that none of their clients are *ever* assigned external
 ports 80, 443, or 8080.
 If the protocol does not use 16-bit port numbers (e.g., RSVP, IP
 protocol number 46), the port number MUST be zero.  This will cause
 all traffic matching that protocol to be mapped.

Wing, et al. Standards Track [Page 43] RFC 6887 Port Control Protocol (PCP) April 2013

 If the client wants all protocols mapped, it uses protocol 0 (zero)
 and internal port 0 (zero).
 The Mapping Nonce value is randomly chosen by the PCP client,
 following accepted practices for generating unguessable random
 numbers [RFC4086], and is used as part of the validation of PCP
 responses (see below) by the PCP client, and validation for mapping
 refreshes by the PCP server.  The client MUST use a different mapping
 nonce for each PCP server it communicates with, and it is RECOMMENDED
 to choose a new random mapping nonce whenever the PCP client is
 initialized.  The client MAY use a different mapping nonce for every
 mapping.

11.2.1. Renewing a Mapping

 An existing mapping SHOULD have its lifetime extended by the PCP
 client for as long as the client wishes to have that mapping continue
 to exist.  To do this, the PCP client sends a new MAP request
 indicating the internal port.  The PCP MAP request SHOULD also
 include the currently assigned external IP address and port in the
 Suggested External IP Address and Suggested External Port fields, so
 if the PCP server has lost state it can recreate the lost mapping
 with the same parameters.
 The PCP client SHOULD renew the mapping before its expiry time;
 otherwise, it will be removed by the PCP server (see Section 15,
 "Mapping Lifetime and Deletion").  To reduce the risk of inadvertent
 synchronization of renewal requests, a random jitter component should
 be included.  It is RECOMMENDED that PCP clients send a single
 renewal request packet at a time chosen with uniform random
 distribution in the range 1/2 to 5/8 of expiration time.  If no
 SUCCESS response is received, then the next renewal request should be
 sent 3/4 to 3/4 + 1/16 to expiration, and then another 7/8 to 7/8 +
 1/32 to expiration, and so on, subject to the constraint that renewal
 requests MUST NOT be sent less than four seconds apart (a PCP client
 MUST NOT send a flood of ever-closer-together requests in the last
 few seconds before a mapping expires).

11.3. Processing a MAP Request

 This section describes the operation of a PCP server when processing
 a request with the MAP Opcode.  Processing SHOULD be performed in the
 order of the following paragraphs.
 The Protocol, Internal Port, and Mapping Nonce fields from the MAP
 request are copied into the MAP response.  The THIRD_PARTY option, if
 present, and processed by the PCP server, is also copied into the MAP
 response.

Wing, et al. Standards Track [Page 44] RFC 6887 Port Control Protocol (PCP) April 2013

 If the requested lifetime is non-zero, then:
 o  If both the protocol and internal port are non-zero, it indicates
    a request to create a mapping or extend the lifetime of an
    existing mapping.  If the PCP server or PCP-controlled device does
    not support the protocol, the UNSUPP_PROTOCOL error MUST be
    returned.
 o  If the protocol is non-zero and the internal port is zero, it
    indicates a request to create or extend a mapping for all incoming
    traffic for that entire protocol -- a 'wildcard' (all-ports)
    mapping for that protocol.  If this request cannot be fulfilled in
    its entirety, the UNSUPP_PROTOCOL error MUST be returned.
 o  If both the protocol and internal port are zero, it indicates a
    request to create or extend a mapping for all incoming traffic for
    all protocols (commonly called a 'DMZ host').  If this request
    cannot be fulfilled in its entirety, the UNSUPP_PROTOCOL error
    MUST be returned.
 o  If the protocol is zero and the internal port is non-zero, then
    the request is invalid and the PCP server MUST return a
    MALFORMED_REQUEST error to the client.
 If the requested lifetime is zero, it indicates a request to delete
 an existing mapping.
 Further processing of the lifetime is described in Section 15,
 "Mapping Lifetime and Deletion".
 If operating in the Simple Threat Model (Section 18.1), and the
 internal port, protocol, and internal address match an existing
 explicit dynamic mapping, but the mapping nonce does not match, the
 request MUST be rejected with a NOT_AUTHORIZED error with the
 lifetime of the error indicating duration of that existing mapping.
 The PCP server only needs to remember one Mapping Nonce value for
 each explicit dynamic mapping.  This specification makes no statement
 about mapping nonce with the Advanced Threat Model.
 If the internal port, protocol, and internal address match an
 existing static mapping (which will have no nonce), then a PCP reply
 is sent giving the external address and port of that static mapping,
 using the nonce from the PCP request.  The server does not record the
 nonce.

Wing, et al. Standards Track [Page 45] RFC 6887 Port Control Protocol (PCP) April 2013

 If an option with value less than 128 exists (i.e., mandatory to
 process) but that option does not make sense (e.g., the
 PREFER_FAILURE option is included in a request with lifetime=0), the
 request is invalid and generates a MALFORMED_OPTION error.
 If the PCP-controlled device is stateless (that is, it does not
 establish any per-flow state, and simply rewrites the address and/or
 port in a purely algorithmic fashion, including no rewriting), the
 PCP server simply returns an answer indicating the external IP
 address and port yielded by this stateless algorithmic translation.
 This allows the PCP client to learn its external IP address and port
 as seen by remote peers.  Examples of stateless translators include
 stateless NAT64, 1:1 NAT44, and NPTv6 [RFC6296], all of which modify
 addresses but not port numbers, and pure firewalls, which modify
 neither the address nor the port.
 It is possible that a mapping might already exist for a requested
 internal address, protocol, and port.  If so, the PCP server takes
 the following actions:
 1.  If the MAP request contains the PREFER_FAILURE option, but the
     suggested external address and port do not match the external
     address and port of the existing mapping, the PCP server MUST
     return CANNOT_PROVIDE_EXTERNAL.
 2.  If the existing mapping is static (created outside of PCP), the
     PCP server MUST return the external address and port of the
     existing mapping in its response and SHOULD indicate a lifetime
     of 2^32-1 seconds, regardless of the suggested external address
     and port in the request.
 3.  If the existing mapping is explicit dynamic inbound (created by a
     previous MAP request), the PCP server MUST return the existing
     external address and port in its response, regardless of the
     suggested external address and port in the request.
     Additionally, the PCP server MUST update the lifetime of the
     existing mapping, in accordance with Section 15, "Mapping
     Lifetime and Deletion".
 4.  If the existing mapping is dynamic outbound (created by outgoing
     traffic or a previous PEER request), the PCP server SHOULD create
     a new explicit inbound mapping, replicating the ports and
     addresses from the outbound mapping (but the outbound mapping
     continues to exist, and remains in effect if the explicit inbound
     mapping is later deleted).
 If no mapping exists for the internal address, protocol, and port,
 and the PCP server is able to create a mapping using the suggested

Wing, et al. Standards Track [Page 46] RFC 6887 Port Control Protocol (PCP) April 2013

 external address and port, it SHOULD do so.  This is beneficial for
 re-establishing state lost in the PCP server (e.g., due to a reboot).
 There are, however, cases where the PCP server is not able to create
 a new mapping using the suggested external address and port:
 o  The suggested external address, protocol, and port is already
    assigned to another existing explicit or implicit mapping
    (i.e., is already forwarding traffic to some other internal
    address and port).
 o  The suggested external address, protocol, and port is already used
    by the NAT gateway for one of its own services, for example, TCP
    port 80 for the NAT gateway's own configuration web pages, or UDP
    ports 5350 and 5351, used by PCP itself.  A PCP server MUST NOT
    create client mappings for external UDP ports 5350 or 5351.
 o  The suggested external address, protocol, and port is otherwise
    prohibited by the PCP server's policy.
 o  The suggested external IP address, protocol, or suggested port are
    invalid or invalid combinations (e.g., external address 127.0.0.1,
    ::1, a multicast address, or the suggested port is not valid for
    the protocol).
 o  The suggested external address does not belong to the NAT gateway.
 o  The suggested external address is not configured to be used as an
    external address of the firewall or NAT gateway.
 If the PCP server cannot assign the suggested external address,
 protocol, and port, then:
 o  If the request contained the PREFER_FAILURE option, then the PCP
    server MUST return CANNOT_PROVIDE_EXTERNAL.
 o  If the request did not contain the PREFER_FAILURE option, and the
    PCP server can assign some other external address and port for
    that protocol, then the PCP server MUST do so and return the newly
    assigned external address and port in the response.  In no case is
    the client penalized for a 'poor' choice of suggested external
    address and port.  The suggested external address and port may be
    used by the server to guide its choice of what external address
    and port to assign, but in no case do they cause the server to
    fail to allocate an external address and port where otherwise it
    would have succeeded.  The presence of a non-zero suggested
    external address or port is merely a hint; it never does any harm.

Wing, et al. Standards Track [Page 47] RFC 6887 Port Control Protocol (PCP) April 2013

 A PCP-controlled device MUST NOT create mappings for a protocol not
 indicated in the request.  For example, if the request was for a TCP
 mapping, an additional corresponding UDP mapping MUST NOT be
 automatically created.
 Mappings typically consume state on the PCP-controlled device, and it
 is RECOMMENDED that a per-host and/or per-subscriber limit be
 enforced by the PCP server to prevent exhausting the mapping state.
 If this limit is exceeded, the result code USER_EX_QUOTA is returned.
 If all of the preceding operations were successful (did not generate
 an error response), then the requested mapping is created or
 refreshed as described in the request and a SUCCESS response is
 built.

11.4. Processing a MAP Response

 This section describes the operation of the PCP client when it
 receives a PCP response for the MAP Opcode.
 After performing common PCP response processing, the response is
 further matched with a previously sent MAP request by comparing the
 internal IP address (the destination IP address of the PCP response,
 or other IP address specified via the THIRD_PARTY option), the
 protocol, the internal port, and the mapping nonce.  Other fields are
 not compared, because the PCP server sets those fields.  The PCP
 server will send a Mapping Update (Section 14.2) if the mapping
 changes (e.g., due to IP renumbering).
 If the result code is NO_RESOURCES and the request was for the
 creation or renewal of a mapping, then the PCP client SHOULD NOT send
 further requests for any new mappings to that PCP server for the
 (limited) value of the lifetime.  If the result code is NO_RESOURCES
 and the request was for the deletion of a mapping, then the PCP
 client SHOULD NOT send further requests of *any kind* to that PCP
 server for the (limited) value of the lifetime.
 On a success response, the PCP client can use the external IP address
 and port as needed.  Typically, the PCP client will communicate the
 external IP address and port to another host on the Internet using an
 application-specific rendezvous mechanism such as DNS SRV records.
 After a success response, for as long as renewal is desired, the PCP
 client MUST set a timer or otherwise schedule an event to renew the
 mapping before its lifetime expires.  Renewing a mapping is performed
 by sending another MAP request, exactly as described in Section 11.2,
 except that the suggested external address and port SHOULD be set to
 the values received in the response.  From the PCP server's point of

Wing, et al. Standards Track [Page 48] RFC 6887 Port Control Protocol (PCP) April 2013

 view a MAP request to renew a mapping is identical to a MAP request
 to create a new mapping, and is handled identically.  Indeed, in the
 event of PCP server state loss, a renewal request from a PCP client
 will appear to the server to be a request to create a new mapping,
 with a particular suggested external address and port, which happen
 to be what the PCP server previously assigned.  See also
 Section 16.3.1, "Recreating Mappings".
 On an error response, the client SHOULD NOT repeat the same request
 to the same PCP server within the lifetime returned in the response.

11.5. Address Change Events

 A customer premises router might obtain a new external IP address,
 for a variety of reasons including a reboot, power outage, DHCP lease
 expiry, or other action by the ISP.  If this occurs, traffic
 forwarded to a host's previous address might be delivered to another
 host that now has that address.  This affects all mapping types,
 whether implicit or explicit.  This same problem already occurs today
 when a host's IP address is reassigned, without PCP and without an
 ISP-operated CGN.  The solution is the same as today: the problems
 associated with host renumbering are caused by host renumbering, and
 are eliminated if host renumbering is avoided.  PCP defined in this
 document does not provide machinery to reduce the host renumbering
 problem.
 When an internal host changes its internal IP address (e.g., by
 having a different address assigned by the DHCP server), the NAT (or
 firewall) will continue to send traffic to the old IP address.
 Typically, the internal host will no longer receive traffic sent to
 that old IP address.  Assuming the internal host wants to continue
 receiving traffic, it needs to install new mappings for its new IP
 address.  The Suggested External Port field will not be fulfilled by
 the PCP server, in all likelihood, because it is still being
 forwarded to the old IP address.  Thus, a mapping is likely to be
 assigned a new external port number and/or external IP address.  Note
 that such host renumbering is not expected to happen routinely on a
 regular basis for most hosts, since most hosts renew their DHCP
 leases before they expire (or re-request the same address after
 reboot) and most DHCP servers honor such requests and grant the host
 the same address it was previously using before the reboot.
 A host might gain or lose interfaces while existing mappings are
 active (e.g., Ethernet cable plugged in or removed, joining/leaving a
 WiFi network).  Because of this, if the PCP client is sending a PCP
 request to maintain state in the PCP server, it SHOULD ensure that
 those PCP requests continue to use the same interface (e.g., when
 refreshing mappings).  If the PCP client is sending a PCP request to

Wing, et al. Standards Track [Page 49] RFC 6887 Port Control Protocol (PCP) April 2013

 create new state in the PCP server, it MAY use a different source
 interface or different source address.

11.6. Learning the External IP Address Alone

 NAT-PMP [RFC6886] includes a mechanism to allow clients to learn the
 external IP address alone, without also requesting a port mapping.
 NAT-PMP was designed for residential NAT gateways, where such an
 operation makes sense because a typical residential NAT gateway has
 only one external IP address.  PCP has broader scope, and also
 supports Carrier-Grade NATs (CGNs) that may have a pool of external
 IP addresses, not just one.  A client may not be assigned any
 particular external IP address from that pool until it has at least
 one implicit, explicit, or static port mapping, and even then only
 for as long as that mapping remains valid.  Client software that just
 wishes to display the user's external IP address for cosmetic
 purposes can achieve that by requesting a short-lived mapping (e.g.,
 to the Discard service (TCP/9 or UDP/9) or some other port) and then
 displaying the resulting external IP address.  However, once that
 mapping expires a subsequent implicit or explicit dynamic mapping
 might be mapped to a different external IP address.

12. PEER Opcode

 This section defines an Opcode for controlling dynamic outbound
 mappings.
 PEER: Create a new dynamic outbound mapping to a remote peer's IP
       address and port, or extend the lifetime of an existing
       outbound mapping.
 The use of this Opcodes is described in this section.
 PCP servers SHOULD provide a configuration option to allow
 administrators to disable PEER support if they wish.
 Because a mapping created or managed by PEER behaves almost exactly
 like an implicit dynamic outbound mapping created as a side effect of
 a packet (e.g., TCP SYN) sent by the host, mappings created or
 managed using PCP PEER requests may be endpoint-independent mapping
 (EIM) or endpoint-dependent mapping (EDM), with endpoint-independent
 filtering (EIF) or endpoint-dependent filtering (EDF), consistent
 with the existing behavior of the NAT gateway or firewall in question
 for implicit outbound mappings it creates automatically as a result
 of observing outgoing traffic from internal hosts.

Wing, et al. Standards Track [Page 50] RFC 6887 Port Control Protocol (PCP) April 2013

12.1. PEER Operation Packet Formats

 The PEER Opcode allows a PCP client to create a new explicit dynamic
 outbound mapping (which functions similarly to an outbound mapping
 created implicitly when a host sends an outbound TCP SYN) or to
 extend the lifetime of an existing outbound mapping.
 The following diagram shows the Opcode layout for the PEER Opcode.
 The formats for the PEER request and response packets are aligned so
 that related fields fall at the same offsets in the packet.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                 Mapping Nonce (96 bits)                       |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Protocol    |          Reserved (24 bits)                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Internal Port          |    Suggested External Port    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |           Suggested External IP Address (128 bits)            |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Remote Peer Port        |     Reserved (16 bits)        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |               Remote Peer IP Address (128 bits)               |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                    Figure 11: PEER Opcode Request
 These fields are described below:
 Requested Lifetime (in common header):  Requested lifetime of this
    mapping, in seconds.  Note that it is not possible to reduce the
    lifetime of a mapping (or delete it, with requested lifetime=0)
    using PEER.
 Mapping Nonce:  Random value chosen by the PCP client.  See
    Section 12.2, "Generating a PEER Request".  Zero is a legal value
    (but unlikely, occurring in roughly one in 2^96 requests).

Wing, et al. Standards Track [Page 51] RFC 6887 Port Control Protocol (PCP) April 2013

 Protocol:  Upper-layer protocol associated with this Opcode.  Values
    are taken from the IANA protocol registry [proto_numbers].  For
    example, this field contains 6 (TCP) if the Opcode is describing a
    TCP mapping.  This field contains 17 (UDP) if the Opcode is
    describing a UDP mapping.  Protocol MUST NOT be zero.
 Reserved:  24 reserved bits, MUST be set to 0 on transmission and
    MUST be ignored on reception.
 Internal Port:  Internal port for the mapping.  Internal port MUST
    NOT be zero.
 Suggested External Port:  Suggested external port for the mapping.
    If the PCP client does not know the external port, or does not
    have a preference, it MUST use 0.
 Suggested External IP Address:  Suggested external IP address for the
    mapping.  If the PCP client does not know the external address, or
    does not have a preference, it MUST use the address-family-
    specific all-zeros address (see Section 5).
 Remote Peer Port:  Remote peer's port for the mapping.  Remote peer
    port MUST NOT be zero.
 Reserved:  16 reserved bits, MUST be set to 0 on transmission and
    MUST be ignored on reception.
 Remote Peer IP Address:  Remote peer's IP address.  This is from the
    perspective of the PCP client, so that the PCP client does not
    need to concern itself with NAT64 or NAT46 (which both cause the
    client's idea of the remote peer's IP address to differ from the
    remote peer's actual IP address).  This field allows the PCP
    client and PCP server to disambiguate multiple connections from
    the same port on the internal host to different servers.  An IPv6
    address is represented directly, and an IPv4 address is
    represented using the IPv4-mapped address syntax (Section 5).
 When attempting to re-create a lost mapping, the suggested external
 IP address and port are set to the External IP Address and Port
 fields received in a previous PEER response from the PCP server.  On
 an initial PEER request, the external IP address and port are set to
 zero.
 Note that semantics similar to the PREFER_FAILURE option are
 automatically implied by PEER requests.  If the Suggested External IP
 Address or Suggested External Port fields are non-zero, and the PCP
 server is unable to honor the suggested external IP address,
 protocol, or port, then the PCP server MUST return a

Wing, et al. Standards Track [Page 52] RFC 6887 Port Control Protocol (PCP) April 2013

 CANNOT_PROVIDE_EXTERNAL error response.  The PREFER_FAILURE option is
 neither required nor allowed in PEER requests, and if a PCP server
 receives a PEER request containing the PREFER_FAILURE option it MUST
 return a MALFORMED_REQUEST error response.
 The following diagram shows the Opcode response for the PEER Opcode:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                 Mapping Nonce (96 bits)                       |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Protocol    |          Reserved (24 bits)                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Internal Port          |    Assigned External Port     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |            Assigned External IP Address (128 bits)            |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Remote Peer Port        |     Reserved (16 bits)        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |               Remote Peer IP Address (128 bits)               |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                    Figure 12: PEER Opcode Response
 Lifetime (in common header):  On a success response, this indicates
    the lifetime for this mapping, in seconds.  On an error response,
    this indicates how long clients should assume they'll get the same
    error response from the PCP server if they repeat the same
    request.
 Mapping Nonce:  Copied from the request.
 Protocol:  Copied from the request.
 Reserved:  24 reserved bits, MUST be set to 0 on transmission, MUST
    be ignored on reception.

Wing, et al. Standards Track [Page 53] RFC 6887 Port Control Protocol (PCP) April 2013

 Internal Port:  Copied from request.
 Assigned External Port:  On a success response, this is the assigned
    external port for the mapping.  On an error response, the
    suggested external port is copied from the request.
 Assigned External IP Address:  On a success response, this is the
    assigned external IPv4 or IPv6 address for the mapping.  On an
    error response, the suggested external IP address is copied from
    the request.
 Remote Peer Port:  Copied from request.
 Reserved:  16 reserved bits, MUST be set to 0 on transmission, MUST
    be ignored on reception.
 Remote Peer IP Address:  Copied from the request.

12.2. Generating a PEER Request

 This section describes the operation of a client when generating a
 message with the PEER Opcode.
 The PEER Opcode MAY be sent before or after establishing
 bidirectional communication with the remote peer.
 If sent before, this is considered a PEER-created mapping that
 creates a new dynamic outbound mapping in the PCP-controlled device.
 If sent after, this allows the PCP client to learn the IP address,
 port, and lifetime of the assigned external address and port for the
 existing implicit dynamic outbound mapping, and potentially to extend
 this lifetime (for reducing NAT or firewall keepalive messages, as
 described in Section 10.3).
 PEER requests are also useful for restoring mappings after a NAT has
 lost its mapping state (e.g., due to a crash).
 The Mapping Nonce value is randomly chosen by the PCP client,
 following accepted practices for generating unguessable random
 numbers [RFC4086], and is used as part of the validation of PCP
 responses (see below) by the PCP client, and validation for mapping
 refreshes by the PCP server.  The client MUST use a different mapping
 nonce for each PCP server it communicates with, and it is RECOMMENDED
 to choose a new random mapping nonce whenever the PCP client is
 initialized.  The client MAY use a different mapping nonce for every
 mapping.

Wing, et al. Standards Track [Page 54] RFC 6887 Port Control Protocol (PCP) April 2013

 The PEER Opcode contains a Remote Peer Address field, which is always
 from the perspective of the PCP client.  Note that when the
 PCP-controlled device is performing address family translation (NAT46
 or NAT64), the remote peer address from the perspective of the PCP
 client is different from the remote peer address on the other side of
 the address family translation device.

12.3. Processing a PEER Request

 This section describes the operation of a server when receiving a
 request with the PEER Opcode.  Processing SHOULD be performed in the
 order of the following paragraphs.
 The following fields from a PEER request are copied into the
 response: Protocol, Internal Port, Remote Peer IP Address, Remote
 Peer Port, and Mapping Nonce.
 When an implicit dynamic mapping is created, some NATs and firewalls
 validate destination addresses and will not create an implicit
 dynamic mapping if the destination address is invalid (e.g.,
 127.0.0.1).  If a PCP-controlled device does such validation for
 implicit dynamic mappings, it SHOULD also do a similar validation of
 the remote peer IP address, protocol, and port for PEER-created
 explicit dynamic mappings.  If the validation determines the remote
 peer IP address of a PEER request is invalid, then no mapping is
 created, and a MALFORMED_REQUEST error result is returned.
 On receiving the PEER Opcode, the PCP server examines the mapping
 table for a matching five-tuple { Protocol, Internal Address,
 Internal Port, Remote Peer Address, Remote Peer Port }.
 If no matching mapping is found, and the suggested external address
 and port are either zero or can be honored for the specified
 Protocol, a new mapping is created.  By having the PEER create such a
 mapping, we avoid a race condition between the PEER request and the
 initial outgoing packet arriving at the NAT or firewall device first,
 and allow PEER to be used to recreate a lost outbound dynamic mapping
 (see Section 16.3.1, "Recreating Mappings").  Thereafter, this PEER-
 created mapping is treated as if it was an implicit dynamic outbound
 mapping (e.g., as if the PCP client sent a TCP SYN) and a lifetime
 appropriate to such a mapping is returned (note: on many NATs and
 firewalls, such mapping lifetimes are very short until bidirectional
 traffic is seen by the NAT or firewall).
 If no matching mapping is found, and the suggested external address
 and port cannot be honored, then no new state is created, and the
 error CANNOT_PROVIDE_EXTERNAL is returned.

Wing, et al. Standards Track [Page 55] RFC 6887 Port Control Protocol (PCP) April 2013

 If a matching mapping is found, and no previous PEER Opcode was
 successfully processed for this mapping, then the Suggested External
 Address and Port values in the request are ignored, the lifetime of
 that mapping is adjusted as described below, and information about
 the existing mapping is returned.  This allows a client to explicitly
 extend the lifetime of an existing mapping and/or to learn an
 existing mapping's external address, port, and lifetime.  The mapping
 nonce is remembered for this mapping.
 If operating in the Simple Threat Model (Section 18.1), and the
 internal port, protocol, and internal address match a mapping that
 already exists, but the mapping nonce does not match (that is, a
 previous PEER request was processed), the request MUST be rejected
 with a NOT_AUTHORIZED error with the lifetime of the error indicating
 duration of that existing mapping.  The PCP server only needs to
 remember one Mapping Nonce value for each mapping.  This
 specification makes no statement about mapping nonce with the
 Advanced Threat Model.
 Processing the Lifetime value of the PEER Opcode is described in
 Section 15, "Mapping Lifetime and Deletion".  Sending a PEER request
 with a very short requested lifetime can be used to query the
 lifetime of an existing mapping.  So that PCP clients can reduce the
 frequency of their NAT and firewall keepalive messages, it is
 RECOMMENDED that lifetimes of mappings created or lengthened with
 PEER be longer than the lifetimes of implicitly created mappings.
 If all of the preceding operations were successful (did not generate
 an error response), then a SUCCESS response is generated, with the
 Lifetime field containing the lifetime of the mapping.
 If a PEER-created or PEER-managed mapping is not renewed using PEER,
 then it reverts to the NAT's usual behavior for implicit mappings.
 For example, continued outbound traffic keeps the mapping alive, as
 per the NAT or firewall device's existing policy.  A PEER-created or
 PEER-managed mapping may be terminated at any time by action of the
 TCP client or server (e.g., due to TCP FIN or TCP RST), as per the
 NAT or firewall device's existing policy.

12.4. Processing a PEER Response

 This section describes the operation of a client when processing a
 response with the PEER Opcode.
 After performing common PCP response processing, the response is
 further matched with an outstanding PEER request by comparing the
 internal IP address (the destination IP address of the PCP response,
 or other IP address specified via the THIRD_PARTY option), the

Wing, et al. Standards Track [Page 56] RFC 6887 Port Control Protocol (PCP) April 2013

 protocol, the internal port, the remote peer address, the remote peer
 port, and the mapping nonce.  Other fields are not compared, because
 the PCP server sets those fields to provide information about the
 mapping created by the Opcode.  The PCP server will send a Mapping
 Update (Section 14.2) if the mapping changes (e.g., due to IP
 renumbering).
 If the result code is NO_RESOURCES and the request was for the
 creation or renewal of a mapping, then the PCP client SHOULD NOT send
 further requests for any new mappings to that PCP server for the
 (limited) value of the lifetime.
 On a successful response, the application can use the assigned
 Lifetime value to reduce its frequency of application keepalives for
 that particular NAT mapping.  Of course, there may be other reasons,
 specific to the application, to use more frequent application
 keepalives.  For example, the PCP assigned lifetime could be one hour
 but the application may want to maintain state on its server (e.g.,
 "busy" / "away") more frequently than once an hour.  If the response
 indicates an unexpected IP address or port (e.g., due to IP
 renumbering), the PCP client will want to re-establish its connection
 to its remote server.
 If the PCP client wishes to keep this mapping alive beyond the
 indicated lifetime, it MAY rely on continued inside-to-outside
 traffic to ensure that the mapping will continue to exist, or it MAY
 issue a new PCP request prior to the expiration.  The recommended
 timings for renewing PEER mappings are the same as for MAP mappings,
 as described in Section 11.2.1.
    Note: Implementations need to expect the PEER response may contain
    an external IP address with a different family than the remote
    peer IP address, e.g., when NAT64 or NAT46 are being used.

13. Options for MAP and PEER Opcodes

 This section describes options for the MAP and PEER Opcodes.  These
 options MUST NOT appear with other Opcodes, unless permitted by those
 other Opcodes.

13.1. THIRD_PARTY Option for MAP and PEER Opcodes

 This option is used when a PCP client wants to control a mapping to
 an internal host other than itself.  This is used with both MAP and
 PEER Opcodes.
 Due to security concerns with the THIRD_PARTY option, this option
 MUST NOT be implemented or used unless the network on which the PCP

Wing, et al. Standards Track [Page 57] RFC 6887 Port Control Protocol (PCP) April 2013

 messages are to be sent is fully trusted.  For example, if access
 control lists (ACLs) are installed on the PCP client, PCP server, and
 the network between them, so those ACLs allow only communications
 from a trusted PCP client to the PCP server.
 A management device would use this option to control a PCP server on
 behalf of users.  For example, a management device located in a
 network operations center, which presents a user interface to end
 users or to network operations staff, and issues PCP requests with
 the THIRD_PARTY option to the appropriate PCP server.
 The THIRD_PARTY option is formatted as follows:
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 | Option Code=1 |  Reserved     |   Option Length=16            |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                                                               |
 |                Internal IP Address (128 bits)                 |
 |                                                               |
 |                                                               |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                     Figure 13: THIRD_PARTY Option
 The fields are described below:
 Internal IP Address:  Internal IP address for this mapping.
    Option Name: THIRD_PARTY
    Number: 1
    Purpose: Indicates the MAP or PEER request is for a host other
    than the host sending the PCP option.
    Valid for Opcodes: MAP, PEER
    Length: 16 octets
    May appear in: request.  May appear in response only if it
    appeared in the associated request.
    Maximum occurrences: 1
 A THIRD_PARTY option MUST NOT contain the same address as the source
 address of the packet.  This is because many PCP servers may not
 implement the THIRD_PARTY option at all, and with those servers a
 client redundantly using the THIRD_PARTY option to specify its own IP
 address would cause such mapping requests to fail where they would
 otherwise have succeeded.  A PCP server receiving a THIRD_PARTY
 option specifying the same address as the source address of the
 packet MUST return a MALFORMED_REQUEST result code.

Wing, et al. Standards Track [Page 58] RFC 6887 Port Control Protocol (PCP) April 2013

 A PCP server MAY be configured to permit or to prohibit the use of
 the THIRD_PARTY option.  If this option is permitted, properly
 authorized clients may perform these operations on behalf of other
 hosts.  If this option is prohibited, and a PCP server receives a PCP
 MAP request with a THIRD_PARTY option, it MUST generate a
 UNSUPP_OPTION response.
 It is RECOMMENDED that customer premises equipment implementing a PCP
 server be configured to prohibit third-party mappings by default.
 With this default, if a user wants to create a third-party mapping,
 the user needs to interact out-of-band with their customer premises
 router (e.g., using its HTTP administrative interface).
 It is RECOMMENDED that service provider NAT and firewall devices
 implementing a PCP server be configured to permit the THIRD_PARTY
 option, when sent by a properly authorized host.  If the packet
 arrives from an unauthorized host, the PCP server MUST generate an
 UNSUPP_OPTION error.
 Note that the THIRD_PARTY option is not needed for today's common
 scenario of an ISP offering a single IP address to a customer who is
 using NAT to share that address locally, since in this scenario all
 the customer's hosts appear, from the point of view of the ISP, to be
 a single host.
 When a PCP client is using the THIRD_PARTY option to make and
 maintain mappings on behalf of some other device, it may be
 beneficial if, where possible, the PCP client verifies that the other
 device is actually present and active on the network.  Otherwise, the
 PCP client risks maintaining those mappings forever, long after the
 device that required them has gone.  This would defeat the purpose of
 PCP mappings having a finite lifetime so that they can be
 automatically deleted after they are no longer needed.

13.2. PREFER_FAILURE Option for MAP Opcode

 This option is only used with the MAP Opcode.
 This option indicates that if the PCP server is unable to map both
 the suggested external port and suggested external address, the PCP
 server should not create a mapping.  This differs from the behavior
 without this option, which is to create a mapping.
 PREFER_FAILURE is never necessary for a PCP client to manage mappings
 for itself, and its use causes additional work in the PCP client and
 in the PCP server.  This option exists for interworking with non-PCP
 mapping protocols that have different semantics than PCP (e.g., UPnP
 IGDv1 interworking [PNP-IGD-PCP], where the semantics of UPnP IGDv1

Wing, et al. Standards Track [Page 59] RFC 6887 Port Control Protocol (PCP) April 2013

 only allow the UPnP IGDv1 client to dictate mapping a specific port),
 or separate port allocation systems that allocate ports to a
 subscriber (e.g., a subscriber-accessed web portal operated by the
 same ISP that operates the PCP server).  A PCP server MAY support
 this option, if its designers wish to support such downstream devices
 or separate port allocation systems.  PCP servers that are not
 intended to interface with such systems are not required to support
 this option.  PCP clients other than UPnP IGDv1 interworking clients
 or other than a separate port allocation system SHOULD NOT use this
 option because it results in inefficient operation, and they cannot
 safely assume that all PCP servers will implement it.  It is
 anticipated that this option will be deprecated in the future as more
 clients adopt PCP natively and the need for this option declines.
 The PREFER_FAILURE option is formatted as follows:
  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 | Option Code=2 |  Reserved     |   Option Length=0             |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                   Figure 14: PREFER_FAILURE Option
    Option Name: PREFER_FAILURE
    Number: 2
    Purpose: indicates that the PCP server should not create an
    alternative mapping if the suggested external port and address
    cannot be mapped.
    Valid for Opcodes: MAP
    Length: 0
    May appear in: request.  May appear in response only if it
    appeared in the associated request.
    Maximum occurrences: 1
 The result code CANNOT_PROVIDE_EXTERNAL is returned if the suggested
 external address, protocol, and port cannot be mapped.  This can
 occur because the external port is already mapped to another host's
 outbound dynamic mapping, an inbound dynamic mapping, a static
 mapping, or the same internal address, protocol, and port already
 have an outbound dynamic mapping that is mapped to a different
 external port than suggested.  This can also occur because the
 external address is no longer available (e.g., due to renumbering).
 The server MAY set the lifetime in the response to the remaining
 lifetime of the conflicting mapping + TIME_WAIT [RFC0793], rounded up
 to the next larger integer number of seconds.

Wing, et al. Standards Track [Page 60] RFC 6887 Port Control Protocol (PCP) April 2013

 If a PCP request contains the PREFER_FAILURE option and has zero in
 the Suggested External Port field, then it is invalid.  The PCP
 server MUST reject such a message with the MALFORMED_OPTION error
 code.
 PCP servers MAY choose to rate-limit their handling of PREFER_FAILURE
 requests, to protect themselves from a rapid flurry of 65535
 consecutive PREFER_FAILURE requests from clients probing to discover
 which external ports are available.
 There can exist a race condition between the MAP Opcode using the
 PREFER_FAILURE option and Mapping Update (Section 14.2).  For
 example, a previous host on the local network could have previously
 had the same internal address, with a mapping for the same internal
 port.  At about the same moment that the current host sends a MAP
 Request using the PREFER_FAILURE option, the PCP server could send a
 spontaneous Mapping Update for the old mapping due to an external
 configuration change, which could appear to be a reply to the new
 mapping request.  Because of this, the PCP client MUST validate that
 the external IP address, protocol, port, and nonce in a success
 response match the associated suggested values from the request.  If
 they do not match, it is because the Mapping Update was sent before
 the MAP request was processed.

13.3. FILTER Option for MAP Opcode

 This option is only used with the MAP Opcode.
 This option indicates that filtering incoming packets is desired.
 The protocol being filtered is indicated by the Protocol field in the
 MAP Request, and the remote peer IP address and remote peer port of
 the FILTER option indicate the permitted remote peer's source IP
 address and source port for packets from the Internet; other traffic
 from other addresses is blocked.  The remote peer prefix length
 indicates the length of the remote peer's IP address that is
 significant; this allows a single option to permit an entire subnet.
 After processing this MAP request containing the FILTER option and
 generating a successful response, the PCP-controlled device will drop
 packets received on its public-facing interface that don't match the
 filter fields.  After dropping the packet, if its security policy
 allows, the PCP-controlled device MAY also generate an ICMP error in
 response to the dropped packet.
 The use of the FILTER option can be seen as a performance
 optimization.  Since all software using PCP to receive incoming
 connections also has to deal with the case where it may be directly
 connected to the Internet and receive unrestricted incoming TCP
 connections and UDP packets, if it wishes to restrict incoming

Wing, et al. Standards Track [Page 61] RFC 6887 Port Control Protocol (PCP) April 2013

 traffic to a specific source address or group of source addresses,
 such software already needs to check the source address of incoming
 traffic and reject unwanted traffic.  However, the FILTER option is a
 particularly useful performance optimization for battery powered
 wireless devices, because it can enable them to conserve battery
 power by not having to wake up just to reject unwanted traffic.
 The FILTER option is formatted as follows:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Option Code=3 |  Reserved     |   Option Length=20            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Reserved   | Prefix Length |      Remote Peer Port         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |               Remote Peer IP address (128 bits)               |
   |                                                               |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                    Figure 15: FILTER Option Layout
 These fields are described below:
 Reserved:  8 reserved bits, MUST be sent as 0 and MUST be ignored
    when received.
 Prefix Length:  indicates how many bits of the IPv4 or IPv6 address
    are relevant for this filter.  The value 0 indicates "no filter",
    and will remove all previous filters.  See below for detail.
 Remote Peer Port:  the port number of the remote peer.  The value 0
    indicates "all ports".
 Remote Peer IP address:  The IP address of the remote peer.
    Option Name: FILTER
    Number: 3
    Purpose: specifies a filter for incoming packets
    Valid for Opcodes: MAP
    Length: 20 octets
    May appear in: request.  May appear in response only if it
    appeared in the associated request.
    Maximum occurrences: as many as fit within maximum PCP message
    size

Wing, et al. Standards Track [Page 62] RFC 6887 Port Control Protocol (PCP) April 2013

 The Prefix Length indicates how many bits of the address are used for
 the filter.  For IPv4 addresses (which are encoded using the
 IPv4-mapped address format (::FFFF:0:0/96)), this means valid prefix
 lengths are between 96 and 128 bits, inclusive.  That is, add 96 to
 the IPv4 prefix length.  For IPv6 addresses, valid prefix lengths are
 between 0 and 128 bits, inclusive.  Values outside those ranges cause
 the PCP server to return the MALFORMED_OPTION result code.
 If multiple occurrences of the FILTER option exist in the same MAP
 request, they are processed in the order received (as per normal PCP
 option processing), and they MAY overlap the filtering requested.  If
 there is an existing mapping (with or without a filter) and the
 server receives a MAP request with FILTER, the filters indicated in
 the new request are added to any existing filters.  If a MAP request
 has a lifetime of 0 and contains the FILTER option, the error
 MALFORMED_OPTION is returned.
 If any occurrences of the FILTER option in a request packet are not
 successfully processed then an error is returned (e.g.,
 MALFORMED_OPTION if one of the options was malformed) and as with
 other PCP errors, returning an error causes no state to be changed in
 the PCP server or in the PCP-controlled device.
 To remove all existing filters, the Prefix Length 0 is used.  There
 is no mechanism to remove a specific filter.
 To change an existing filter, the PCP client sends a MAP request
 containing two FILTER options, the first option containing a prefix
 length of 0 (to delete all existing filters) and the second
 containing the new remote peer's IP address, protocol, and port.
 Other FILTER options in that PCP request, if any, add more allowed
 remote peers.
 The PCP server or the PCP-controlled device is expected to have a
 limit on the number of remote peers it can support.  This limit might
 be as small as one.  If a MAP request would exceed this limit, the
 entire MAP request is rejected with the result code
 EXCESSIVE_REMOTE_PEERS, and the state on the PCP server is unchanged.
 All PCP servers MUST support at least one filter per MAP mapping.

14. Rapid Recovery

 PCP includes a rapid recovery feature, which allows PCP clients to
 repair failed mappings within seconds, rather than the minutes or
 hours it might take if they relied solely on waiting for the next
 routine renewal of the mapping.  Mapping failures may occur when a
 NAT gateway is rebooted and loses its mapping state, or when a NAT

Wing, et al. Standards Track [Page 63] RFC 6887 Port Control Protocol (PCP) April 2013

 gateway has its external IP address changed so that its current
 mapping state becomes invalid.
 The PCP rapid recovery feature enables users to, for example, connect
 to remote machines using ssh, and then reboot their NAT or firewall
 device (or even replace it with completely new hardware) without
 losing their established ssh connections.
 Use of PCP rapid recovery is a performance optimization to PCP's
 routine self-healing.  Without rapid recovery, PCP clients will still
 recreate their correct state when they next renew their mappings, but
 this routine self-healing process may take hours rather than seconds,
 and will probably not happen fast enough to prevent active TCP
 connections from timing out.
 There are two mechanisms to perform rapid recovery, described below.
 Failing to implement and deploy a rapid recovery mechanism will
 encourage application developers to feel the need to refresh their
 PCP state more frequently than necessary, causing more network
 traffic.  Therefore, a PCP server that can lose state (e.g., due to
 reboot) or might have a mapping change (e.g., due to IP renumbering)
 MUST implement either the Announce Opcode or the Mapping Update
 mechanism and SHOULD implement both mechanisms.

14.1. ANNOUNCE Opcode

 This rapid recovery mechanism uses the ANNOUNCE Opcode.  When the PCP
 server loses its state (e.g., it lost its state when rebooted), it
 resets its Epoch time to its initial starting value (usually zero)
 and sends the ANNOUNCE response to the link-scoped multicast address
 (specific address explained below) if a multicast network exists on
 its local interface, or, if configured with the IP address(es) and
 port(s) of PCP client(s), it sends unicast ANNOUNCE responses to
 those address(es) and port(s).  This means ANNOUNCE may not be
 available on all networks (such as networks without a multicast link
 between the PCP server and its PCP clients).  Additionally, an
 ANNOUNCE request can be sent (unicast) by a PCP client that elicits a
 unicast ANNOUNCE response like any other Opcode.
 Upon receiving PCP response packets with an anomalous Epoch time,
 clients deduce that the PCP server lost state and recreate their lost
 mappings.

Wing, et al. Standards Track [Page 64] RFC 6887 Port Control Protocol (PCP) April 2013

14.1.1. ANNOUNCE Operation

 The PCP ANNOUNCE Opcode requests and responses have no
 Opcode-specific payload (that is, the length of the Opcode-specific
 data is zero).  The Requested Lifetime field of requests and Lifetime
 field of responses are both set to 0 on transmission and ignored on
 reception.
 If a PCP server receives an ANNOUNCE request, it first parses it and
 generates a SUCCESS if parsing and processing of ANNOUNCE is
 successful.  An error is generated if the client's IP Address field
 does not match the packet source address, or the request packet is
 otherwise malformed, such as packet length less than 24 octets.  Note
 that, in the future, options MAY be sent with the PCP ANNOUNCE
 Opcode; PCP clients and servers need to be prepared to receive
 options with the ANNOUNCE Opcode.
    Discussion: Client-to-server request messages are sent, from any
    client source port, to listening UDP port 5351 on the server;
    server-to-client multicast notifications are sent from the
    server's UDP port (5351) to listening UDP port 5350 on the client.
    The reason the same listening UDP port is not used for both
    purposes is that a single device may have multiple roles.  For
    example, a multi-function home gateway that provides NAT service
    (PCP server) may also provide printer sharing (which wants a PCP
    client), or a home computer (PCP client) may also provide
    "Internet Sharing" (NAT) functionality (which needs to offer PCP
    service).  Such devices need to act as both a PCP server and a PCP
    client at the same time, and the software that implements the PCP
    server on the device may not be the same software component that
    implements the PCP client.  The software that implements the PCP
    server needs to listen for unicast client requests, whereas the
    software that implements the PCP client needs to listen for
    multicast restart announcements.  In many networking APIs it is
    difficult or impossible to have two independent clients listening
    for both unicasts and multicasts on the same port at the same
    time.  For this reason, two ports are used.

14.1.2. Generating and Processing a Solicited ANNOUNCE Message

 The PCP ANNOUNCE Opcode MAY be sent (unicast) by a PCP client.  The
 Requested Lifetime value MUST be set to zero.
 When the PCP server receives the ANNOUNCE Opcode and successfully
 parses and processes it, it generates SUCCESS response with an
 assigned lifetime of zero.

Wing, et al. Standards Track [Page 65] RFC 6887 Port Control Protocol (PCP) April 2013

 This functionality allows a PCP client to determine a server's Epoch,
 or to determine if a PCP server is running, without changing the
 server's state.

14.1.3. Generating and Processing an Unsolicited ANNOUNCE Message

 When sending unsolicited responses, the ANNOUNCE Opcode MUST have
 result code equal to zero (SUCCESS), and the packet MUST be sent from
 the unicast IP address and UDP port number on which PCP requests are
 received (so that the PCP response processing described in
 Section 8.3 will accept the message).  This message is most typically
 multicast, but can also be unicast.  Multicast PCP restart
 announcements are sent to 224.0.0.1:5350 and/or [ff02::1]:5350, as
 described below.  Sending PCP restart announcements via unicast
 requires that the PCP server know the IP address(es) and port(s) of
 its listening clients, which means that sending PCP restart
 announcements via unicast is only applicable to PCP servers that
 retain knowledge of the IP address(es) and port(s) of their clients
 even after they otherwise lose the rest of their state.
 When a PCP server device that implements this functionality reboots,
 restarts its NAT engine, or otherwise enters a state where it may
 have lost some or all of its previous mapping state (or enters a
 state where it doesn't even know whether it may have had prior state
 that it lost), it MUST inform PCP clients of this fact by unicasting
 or multicasting a gratuitous PCP ANNOUNCE Opcode response packet, as
 shown below, via paths over which it accepts PCP requests.  If
 sending a multicast ANNOUNCE message, a PCP server device that
 accepts PCP requests over IPv4 sends the Restart Announcement to the
 IPv4 multicast address 224.0.0.1:5350 (224.0.0.1 is the All Hosts
 multicast group address), and a PCP server device that accepts PCP
 requests over IPv6 sends the Restart Announcement to the IPv6
 multicast address [ff02::1]:5350 (ff02::1 is for all nodes on the
 local segment).  A PCP server device that accepts PCP requests over
 both IPv4 and IPv6 sends a pair of Restart Announcements, one to each
 multicast address.  If sending a unicast ANNOUNCE messages, it sends
 ANNOUNCE response message to the IP address(es) and port(s) of its
 PCP clients.  To accommodate packet loss, the PCP server device MAY
 transmit such packets (or packet pairs) up to ten times (with an
 appropriate Epoch Time value in each to reflect the passage of time
 between transmissions) provided that the interval between the first
 two notifications is at least 250 ms, and the interval between
 subsequent notification at least doubles.
 A PCP client that sends PCP requests to a PCP server via a multicast-
 capable path, and implements the Restart Announcement feature, and
 wishes to receive these announcements, MUST listen to receive these
 PCP Restart Announcements (gratuitous PCP ANNOUNCE Opcode response

Wing, et al. Standards Track [Page 66] RFC 6887 Port Control Protocol (PCP) April 2013

 packets) on the appropriate multicast-capable interfaces on which it
 sends PCP requests, and MAY also listen for unicast announcements
 from the server too, (using the UDP port it already uses to issue
 unicast PCP requests to, and receive unicast PCP responses from, that
 server).  A PCP client device that sends PCP requests using IPv4
 listens for packets sent to the IPv4 multicast address
 224.0.0.1:5350.  A PCP client device that sends PCP requests using
 IPv6 listens for packets sent to the IPv6 multicast address
 [ff02::1]:5350.  A PCP client device that sends PCP requests using
 both IPv4 and IPv6 listens for both types of Restart Announcement.
 The SO_REUSEPORT socket option or equivalent should be used for the
 multicast UDP port, if required by the host OS to permit multiple
 independent listeners on the same multicast UDP port.
 Upon receiving a unicasted or multicasted PCP ANNOUNCE Opcode
 response packet, a PCP client MUST (as it does with all received PCP
 response packets) inspect the announcement's source IP address, and
 if the Epoch Time value is outside the expected range for that
 server, it MUST wait a random amount of time between 0 and 5 seconds
 (to prevent synchronization of all PCP clients), then for all PCP
 mappings it made at that server address the client issues new PCP
 requests to recreate any lost mapping state.  The use of the
 Suggested External IP Address and Suggested External Port fields in
 the client's renewal requests allows the client to remind the
 restarted PCP server device of what mappings the client had
 previously been given, so that in many cases the prior state can be
 recreated.  For PCP server devices that reboot relatively quickly it
 is usually possible to reconstruct lost mapping state fast enough
 that existing TCP connections and UDP communications do not time out,
 and continue without failure.  As for all PCP response messages, if
 the Epoch Time value is within the expected range for that server,
 the PCP client does not recreate its mappings.  As for all PCP
 response messages, after receiving and validating the ANNOUNCE
 message, the client updates its own Epoch time for that server, as
 described in Section 8.5.

14.2. PCP Mapping Update

 This rapid recovery mechanism is used when the PCP server remembers
 its state and determines its existing mappings are invalid (e.g., IP
 renumbering changes the external IP address of a PCP-controlled NAT).
 It is anticipated that servers that are routinely reconfigured by an
 administrator or have their WAN address changed frequently will
 implement this feature (e.g., residential CPE routers).  It is
 anticipated that servers that are not routinely reconfigured will not
 implement this feature (e.g., service provider-operated CGN).

Wing, et al. Standards Track [Page 67] RFC 6887 Port Control Protocol (PCP) April 2013

 If a PCP server device has not forgotten its mapping state, but for
 some other reason has determined that some or all of its mappings
 have become unusable (e.g., when a home gateway is assigned a
 different external IPv4 address by the upstream DHCP server), then
 the PCP server device automatically repairs its mappings and notifies
 its clients by following the procedure described below.
 For PCP-managed mappings, for each one the PCP server device should
 update the external IP address and external port to appropriate
 available values, and then send unicast PCP MAP or PEER responses (as
 appropriate for the mapping) to inform the PCP client of the new
 external IP address and external port.  Such unsolicited responses
 are identical to the MAP or PEER responses normally returned in
 response to client MAP or PEER requests, containing newly updated
 External IP Address and External Port values, and are sent to the
 same client IP address and port that the PCP server used to send the
 prior response for that mapping.  If the earlier associated request
 contained the THIRD_PARTY option, the THIRD_PARTY option MUST also
 appear in the Mapping Update as it is necessary for the PCP client to
 disambiguate the response.  If the earlier associated request
 contained the PREFER_FAILURE option, and the same external IP
 address, protocol, and port cannot be provided, the error
 CANNOT_PROVIDE_EXTERNAL SHOULD be sent.  If the earlier associated
 request contained the FILTER option, the filters are moved to the new
 mapping and the FILTER option is sent in the Mapping Update response.
 Non-mandatory options SHOULD NOT be sent in the Mapping Update
 response.
    Discussion: It could have been possible to design this so that the
    PCP server (1) sent an ANNOUNCE Opcode to the PCP client, the PCP
    client reacted by (2) sending a new MAP request and (3) receiving
    a MAP response.  Instead, the server can create a shortcut for
    that design by simply sending the message it would have sent in
    (3).
 To accommodate packet loss, the PCP server device SHOULD transmit
 such packets three times, with an appropriate Epoch Time value in
 each to reflect the passage of time between transmissions.  The
 interval between the first two notifications MUST be at least 250 ms,
 and the third packet after a 500-ms interval.  Once the PCP server
 has received a refreshed state for that mapping, the PCP server
 SHOULD cease those retransmissions for that mapping, as it serves no
 further purpose to continue sending messages regarding that mapping.
 Upon receipt of such an updated MAP or PEER response, a PCP client
 uses the information in the response to adjust rendezvous servers or
 reconnect to servers, respectively.  For MAP, this would mean
 updating the DNS entries or other address and port information

Wing, et al. Standards Track [Page 68] RFC 6887 Port Control Protocol (PCP) April 2013

 recorded with some kind of application-specific rendezvous server.
 For PEER responses giving a CANNOT_PROVIDE_EXTERNAL error, this would
 typically mean establishing new connections to servers.  Anytime the
 external address or port changes, existing TCP and UDP connections
 will be lost; PCP can't avoid that, but does provide immediate
 notification of the event to lessen the impact.

15. Mapping Lifetime and Deletion

 The PCP client requests a certain lifetime, and the PCP server
 responds with the assigned lifetime.  The PCP server MAY grant a
 lifetime smaller or larger than the requested lifetime.  The PCP
 server SHOULD be configurable for permitted minimum and maximum
 lifetime, and the minimum value SHOULD be 120 seconds.  The maximum
 value SHOULD be the remaining lifetime of the IP address assigned to
 the PCP client if that information is available (e.g., from the DHCP
 server), or half the lifetime of IP address assignments on that
 network if the remaining lifetime is not available, or 24 hours.
 Excessively long lifetimes can cause consumption of ports even if the
 internal host is no longer interested in receiving the traffic or is
 no longer connected to the network.  These recommendations are not
 strict, and deployments should evaluate the trade-offs to determine
 their own minimum and maximum Lifetime values.
 Once a PCP server has responded positively to a MAP request for a
 certain lifetime, the port mapping is active for the duration of the
 lifetime unless the lifetime is reduced by the PCP client (to a
 shorter lifetime or to zero) or until the PCP server loses its state
 (e.g., crashes).  Mappings created by PCP MAP requests are not
 special or different from mappings created in other ways.  In
 particular, it is implementation-dependent if outgoing traffic
 extends the lifetime of such mappings beyond the PCP-assigned
 lifetime.  PCP clients MUST NOT depend on this behavior to keep
 mappings active, and MUST explicitly renew their mappings as required
 by the Lifetime field in PCP response messages.
 Upon receipt of a PCP response with an absurdly long assigned
 lifetime, the PCP client SHOULD behave as if it received a more sane
 value (e.g., 24 hours), and renew the mapping accordingly, to ensure
 that if the static mapping is removed, the client will continue to
 maintain the mapping it desires.
 An application that forgets its PCP-assigned mappings (e.g., the
 application or OS crashes) will request new PCP mappings.  This may
 consume port mappings, if the application binds to a different
 internal port every time it runs.  The application will also likely
 initiate new outbound TCP connections, which create implicit dynamic
 outbound mappings without using PCP, which will also consume port

Wing, et al. Standards Track [Page 69] RFC 6887 Port Control Protocol (PCP) April 2013

 mappings.  If there is a port mapping quota for the internal host,
 frequent restarts such as this may exhaust the quota.
 To help clean PCP state, when the PCP-controlled device is collocated
 with the address assignment (DHCP) server, such as in a typical
 residential CPE, it is RECOMMENDED that when an IP address becomes
 invalid (e.g., the DHCP lease expires, or the DHCP client sends an
 explicit DHCP RELEASE) the PCP-controlled device SHOULD also discard
 any dynamic mapping state relating to that expired IP address.
 When using NAT, the same external port may be assigned for use by
 different internal hosts at different times.  For example, if an
 internal host using an external port ceases sending traffic using
 that port, then its mapping may expire, and then later the same
 external port may be assigned to a new internal host.  The new
 internal host could then receive incoming traffic that was intended
 for the previous internal host.  This generally happens
 inadvertently, and this reassignment of the external port only
 happens after the current holder of the external port has ceased
 using it for some period of time.  It would be unacceptable if an
 attacker could use PCP to intentionally speed up this reassignment of
 the external port in order to deliberately steal traffic intended for
 the current holder, by (i) spoofing PCP requests using the current
 holder's source IP address and mapping nonce to fraudulently delete
 the mapping or shorten its lifetime, and then (ii) subsequently
 claiming the external port for itself.
 Therefore, in the simple security model, to protect against this
 attack, PCP MUST NOT allow a PCP request (even a PCP request that
 appears to come from the current holder of the mapping) to cause a
 mapping to expire sooner than it would naturally have expired
 otherwise by virtue of outbound traffic keeping the mapping active.
 A PCP server MUST set the lifetime of a mapping to no less than the
 remaining time before the mapping would expire if no further outbound
 traffic is seen for that mapping.  This means a MAP or PEER request
 with lifetime of 0 will only set the assigned lifetime to 0 (i.e.,
 delete the mapping) if the internal host had not sent a packet using
 that mapping for the idle-timeout time, otherwise the assigned
 lifetime will be the remaining idle-timeout time.
 Finally, to reduce unwanted traffic and data corruption for both TCP
 and UDP, the assigned external port created by the MAP Opcode or PEER
 Opcode SHOULD NOT be reused for an interval equal to the reuse time
 limit enforced by the NAT for its implicit dynamic mappings
 (typically, the maximum TCP segment lifetime of 2 minutes [RFC0793]).
 Furthermore, to reduce port stealing attacks, the assigned external
 port also SHOULD NOT be reused for an interval equal to the time the
 PCP- controlled device would normally maintain an idle (no traffic)

Wing, et al. Standards Track [Page 70] RFC 6887 Port Control Protocol (PCP) April 2013

 implicit dynamic mapping (e.g., 2 minutes for UDP [RFC4787] and 124
 minutes for TCP [RFC5382]).  However, within these time windows, the
 PCP server SHOULD allow an external port to be reclaimed by the same
 client, where "same client" means "same internal IP address, internal
 port, and mapping nonce".

15.1. Lifetime Processing for the MAP Opcode

 If the requested lifetime is zero then:
 o  If both the protocol and internal port are non-zero, it indicates
    a request to delete the indicated mapping immediately.
 o  If the protocol is non-zero and the internal port is zero, it
    indicates a request to delete a previous 'wildcard' (all-ports)
    mapping for that protocol.  The nonce MUST match the nonce used to
    create the 'wildcard' mapping.
 o  If both the protocol and internal port are zero, it indicates a
    request to delete a previous 'DMZ host' (all incoming traffic for
    all protocols) mapping.  The nonce MUST match the nonce used to
    create the 'DMZ host' mapping.
 o  If the protocol is zero and the internal port is non-zero, then
    the request is invalid and the PCP server MUST return a
    MALFORMED_REQUEST error to the client.
 In requests where the requested Lifetime is 0, the Suggested External
 Address and Suggested External Port fields MUST be set to zero on
 transmission and MUST be ignored on reception, and these fields MUST
 be copied into the assigned external IP address and assigned external
 port of the response.
 PCP MAP requests can only delete or shorten lifetimes of MAP-created
 mappings.  If the PCP client attempts to delete a static mapping
 (i.e., a mapping created outside of PCP itself), or an outbound
 (implicit or PEER-created) mapping, the PCP server MUST return
 NOT_AUTHORIZED.  If the PCP client attempts to delete a mapping that
 does not exist, the SUCCESS result code is returned (this is
 necessary for PCP to return the same response for retransmissions or
 duplications of the same request).  If the deletion request was
 properly formatted and successfully processed, a SUCCESS response is
 generated with the protocol and internal port number copied from the
 request, and the response lifetime set to zero.  An inbound mapping
 (i.e., static mapping or MAP-created dynamic mapping) MUST NOT have
 its lifetime reduced by transport protocol messages (e.g., TCP RST,
 TCP FIN).  Note the THIRD_PARTY option (Section 13.1), if authorized,
 can also delete PCP-created MAP mappings.

Wing, et al. Standards Track [Page 71] RFC 6887 Port Control Protocol (PCP) April 2013

16. Implementation Considerations

 Section 16 provides non-normative guidance that may be useful to
 implementers.

16.1. Implementing MAP with EDM Port-Mapping NAT

 For implicit dynamic outbound mappings, some existing NAT devices
 have endpoint-independent mapping (EIM) behavior while other NAT
 devices have endpoint-dependent mapping (EDM) behavior.  NATs that
 have EIM behavior do not suffer from the problem described in this
 section.  The IETF strongly encourages EIM behavior
 [RFC4787][RFC5382].
 In EDM NAT devices, the same external port may be used by an outbound
 dynamic mapping and an inbound dynamic mapping (from the same
 internal host or from a different internal host).  This complicates
 the interaction with the MAP Opcode.  With such NAT devices, there
 are two ways envisioned to implement the MAP Opcode:
 1.  Have outbound mappings use a different set of external ports than
     inbound mappings (e.g., those created with MAP), thus reducing
     the interaction problem between them; or
 2.  On arrival of a packet (inbound from the Internet or outbound
     from an internal host), first attempt to use a dynamic outbound
     mapping to process that packet.  If none match, attempt to use an
     inbound mapping to process that packet.  This effectively
     'prioritizes' outbound mappings above inbound mappings.

16.2. Lifetime of Explicit and Implicit Dynamic Mappings

 No matter if a NAT is EIM or EDM, it is possible that one (or more)
 outbound mappings, using the same internal port on the internal host,
 might be created before or after a MAP request.  When this occurs, it
 is important that the NAT honor the lifetime returned in the MAP
 response.  Specifically, if an inbound mapping was created with the
 MAP Opcode, the implementation needs to ensure that termination of an
 outbound mapping (e.g., via a TCP FIN handshake) does not prematurely
 destroy the MAP-created inbound mapping.

16.3. PCP Failure Recovery

 If an event occurs that causes the PCP server to lose dynamic mapping
 state (such as a crash or power outage), the mappings created by PCP
 are lost.  Occasional loss of state may be unavoidable in a
 residential NAT device that does not write transient information to
 non-volatile memory.  Loss of state is expected to be rare in a

Wing, et al. Standards Track [Page 72] RFC 6887 Port Control Protocol (PCP) April 2013

 service provider environment (due to redundant power, disk drives for
 storage, etc.).  Of course, due to outright failure of service
 provider equipment (e.g., software malfunction), state may still be
 lost.
 The Epoch time allows a client to deduce when a PCP server may have
 lost its state.  When the Epoch Time value is observed to be outside
 the expected range, the PCP client can attempt to recreate the
 mappings following the procedures described in this section.
 Further analysis of PCP failure scenarios is planned for a future
 document [PCP-FAIL].

16.3.1. Recreating Mappings

 A mapping renewal packet is formatted identically to an original
 mapping request; from the point of view of the client, it is a
 renewal of an existing mapping; however, from the point of view of a
 newly rebooted PCP server, it appears as a new mapping request.  In
 the normal process of routinely renewing its mappings before they
 expire, a PCP client will automatically recreate all its lost
 mappings.
 When the PCP server loses state and begins processing new PCP
 messages, its Epoch time is reset and begins counting again.  As the
 result of receiving a packet where the Epoch Time field is outside
 the expected range (Section 8.5), indicating that a reboot or similar
 loss of state has occurred, the client can renew its port mappings
 sooner, without waiting for the normal routine renewal time.

16.3.2. Maintaining Mappings

 A PCP client refreshes a mapping by sending a new PCP request
 containing information learned from the earlier PCP response.  The
 PCP server will respond indicating the new lifetime.  It is possible,
 due to reconfiguration or failure of the PCP server, that the
 external IP address and/or external port, or the PCP server itself,
 has changed (due to a new route to a different PCP server).  Such
 events are rare, but not an error.  The PCP server will simply return
 a new external address and/or external port to the client, and the
 client should record this new external address and port with its
 rendezvous service.  To detect such events more quickly, a server
 that requires extremely high availability may find it beneficial to
 use shorter lifetimes in its PCP mappings requests, so that it
 communicates with the PCP server more often.  This is an engineering
 trade-off based on (i) the acceptable downtime for the service in
 question, (ii) the expected likelihood of NAT or firewall state loss,
 and (iii) the amount of PCP maintenance traffic that is acceptable.

Wing, et al. Standards Track [Page 73] RFC 6887 Port Control Protocol (PCP) April 2013

 If the PCP client has several mappings, the Epoch Time value only
 needs to be retrieved for one of them to determine whether or not it
 appears the PCP server may have suffered a catastrophic loss of
 state.  If the client wishes to check the PCP server's Epoch time, it
 sends a PCP request for any one of the client's mappings.  This will
 return the current Epoch Time value.  In that request, the PCP client
 could extend the mapping lifetime (by asking for more time) or
 maintain the current lifetime (by asking for the same number of
 seconds that it knows are remaining of the lifetime).
 If a PCP client changes its internal IP address (e.g., because the
 internal host has moved to a new network), and the PCP client wishes
 to still receive incoming traffic, it needs create new mappings on
 that new network.  New mappings will typically also require an update
 to the application-specific rendezvous server if the external address
 or port is different from the previous values (see Sections 10.1 and
 11.5).

16.3.3. SCTP

 Although SCTP has port numbers like TCP and UDP, SCTP works
 differently when behind an address-sharing NAT, in that SCTP port
 numbers are not changed [SCTPNAT].  Outbound dynamic SCTP mappings
 use the verification tag of the association instead of the local and
 remote peer port numbers.  As with TCP, explicit outbound mappings
 can be made to reduce keepalive intervals, and explicit inbound
 mappings can be made by passive listeners expecting to receive new
 associations at the external port.
 Because an SCTP-aware NAT does not (currently) rewrite SCTP port
 numbers, it will not be able to assign an external port that is
 different from the client's internal port.  A PCP client making a MAP
 request for SCTP should be aware of this restriction.  The PCP client
 SHOULD make its SCTP MAP request just as it would for a TCP MAP
 request: in its initial PCP MAP request it SHOULD specify zero for
 the external address and port, and then in subsequent renewals it
 SHOULD echo the assigned external address and port.  However, since a
 current SCTP-aware NAT can only assign an external port that is the
 same as the internal port, it may not be able to do that if the
 external port is already assigned to a different PCP client.  This is
 likely if there is more than one instance of a given SCTP service on
 the local network, since both instances are likely to listen on the
 same well-known SCTP port for that service on their respective hosts,
 but they can't both have the same external port on the NAT gateway's
 external address.  A particular external port may not be assignable
 for other reasons, such as when it is already in use by the NAT
 device itself, or otherwise prohibited by policy, as described in
 Section 11.3, "Processing a MAP Request".  In the event that the

Wing, et al. Standards Track [Page 74] RFC 6887 Port Control Protocol (PCP) April 2013

 external port matching the internal port cannot be assigned (and the
 SCTP-aware NAT does not perform SCTP port rewriting), the SCTP-aware
 NAT MUST return a CANNOT_PROVIDE_EXTERNAL error to the requesting PCP
 client.  Note that this restriction places an extra burden on the
 SCTP server whose MAP request failed, because it then has to tear
 down its exiting listening socket and try again with a different
 internal port, repeatedly until it is successful in finding an
 external port it can use.
 The SCTP complications described above occur because of address
 sharing.  The SCTP complications are avoided when address sharing is
 avoided (e.g., 1:1 NAT, firewall).

16.4. Source Address Replicated in PCP Header

 All PCP requests include the PCP client's IP address replicated in
 the PCP header.  This is used to detect unexpected address rewriting
 (NAT) on the path between the PCP client and its PCP server.  On
 operating systems that support the sockets API, the following steps
 are RECOMMENDED for a PCP client to insert the correct source address
 in the PCP header:
 1.  Create a UDP socket.
 2.  Call "connect" on this UDP socket using the address and port of
     the desired PCP server.
 3.  Call the getsockname() function to retrieve a sockaddr containing
     the source address the kernel will use for UDP packets sent
     through this socket.
 4.  If the IP address is an IPv4 address, encode the address into an
     IPv4-mapped IPv6 address.  Place the IPv4-mapped IPv6 address or
     the native IPv6 address into the PCP Client's IP Address field in
     the PCP header.
 5.  Send PCP requests using this connected UDP socket.

Wing, et al. Standards Track [Page 75] RFC 6887 Port Control Protocol (PCP) April 2013

16.5. State Diagram

 Each mapping entry of the PCP-controlled device would go through the
 state machine shown below.  This state diagram is non-normative.
     CLOSE_MSG or
    (NO_TRAFFIC and EXPIRY)   +---------+  NO_TRAFFIC and EXPIRY
              +-------------->|         |<------------+
              |               |NO_ENTRY |             |
              |   +-----------|         |---------+   |
              |   |           +---------+         |   |
              |   |              ^  |             |   |
              |   |   NO_TRAFFIC |  |             |   |
              |   |           or |  |             |   |
              |   |   CLOSE_MSGS |  |             |   |
              |   |              |  |             |   |
              |   |PEER request  |  |  MAP request|   |
              |   V              |  |             V   |
           +---------+           |  |         +---------+
       +-->|  "P",   |           |  |    M-R  |  "M",   |<--+
   P-R |   | PEER    |-----------|--|-------->| MAP     |   | M-R or
       +---|  mapping|           |  |         |  mapping|---+ P-R or
           +---------+           |  |         +---------+  CLOSE_MSGS
              |   ^              |  |             ^   |
              |   |PEER request  |  |  MAP request|   |
              |   |              |  |             |   |
              |   |              |  |             |   |
              |   |              |  |             |   |
              |   |              |  | outbound    |   |
              |   |              |  | TRAFFIC     |   |
              |   |              |  V             |   |
              |   |           +---------+         |   |
              |   +-----------| "I",    |---------+   |
              |               | implicit|             |
              +-------------->| mapping |<------------+
          TRAFFIC and EXPIRY  +---------+  TRAFFIC and EXPIRY
                     Figure 16: PCP State Diagram
 The meanings of the states and events are:
    NO_ENTRY:  Invalid state represents Entry does not exist.  This is
          the only possible start state.
    M-R:  MAP request
    P-R:  PEER request

Wing, et al. Standards Track [Page 76] RFC 6887 Port Control Protocol (PCP) April 2013

    M:    Mapping entry when created by MAP request
    P:    Mapping entry when created/managed by PEER request
    I:    Implicit mapping created by an outgoing packet from the
          client (e.g., TCP SYN), and also the state when a
          PCP-created mapping's lifetime expires while there is still
          active traffic.
    EXPIRY: PEER or MAP lifetime expired
    TRAFFIC:  Traffic seen by PCP-controlled device using this entry
          within the expiry time for that entry.  This traffic may be
          inbound or outbound.
    NO_TRAFFIC:  Indicates that there is no TRAFFIC.
    CLOSE_MSG:  Protocol messages from the client or server to close
          the session (e.g., TCP FIN or TCP RST), as per the NAT or
          firewall device's handling of such protocol messages.
 Notes on the diagram:
 1.  The 'and' clause indicates the events on either side of 'and' are
     required for the state-transition.  The 'or' clause indicates
     either one of the events are enough for the state-transition.
 2.  Transition from state M to state I is implementation dependent.

17. Deployment Considerations

17.1. Ingress Filtering

 As with implicit dynamic mappings created by outgoing TCP SYN
 packets, explicit dynamic mappings created via PCP use the source IP
 address of the packet as the internal address for the mappings.
 Therefore, ingress filtering [RFC2827] SHOULD be used on the path
 between the internal host and the PCP server to prevent the injection
 of spoofed packets onto that path.

17.2. Mapping Quota

 On PCP-controlled devices that create state when a mapping is created
 (e.g., NAT), the PCP server SHOULD maintain per-host and/or per-
 subscriber quotas for mappings.  It is implementation specific
 whether the PCP server uses a separate quotas for implicit, explicit,
 and static mappings, a combined quota for all of them, or some other
 policy.

Wing, et al. Standards Track [Page 77] RFC 6887 Port Control Protocol (PCP) April 2013

18. Security Considerations

 The goal of the PCP protocol is to improve the ability of end nodes
 to control their associated NAT state, and to improve the efficiency
 and error handling of NAT mappings when compared to existing implicit
 mapping mechanisms in NAT boxes and stateful firewalls.  It is the
 security goal of the PCP protocol to limit any new denial-of-service
 opportunities, and to avoid introducing new attacks that can result
 in unauthorized changes to mapping state.  One of the most serious
 consequences of unauthorized changes in mapping state is traffic
 theft.  All mappings that could be created by a specific host using
 implicit mapping mechanisms are inherently considered to be
 authorized.  Confidentiality of mappings is not a requirement, even
 in cases where the PCP messages may transit paths that would not be
 traveled by the mapped traffic.

18.1. Simple Threat Model

 PCP servers are secure against off-path attackers who cannot spoof a
 packet that the PCP server will view as a packet received from the
 internal network.  PCP clients are secure against off-path attackers
 who can spoof the PCP server's IP address.
 Defending against attackers who can modify or drop packets between
 the internal network and the PCP server, or who can inject spoofed
 packets that appear to come from the internal network is out of
 scope.  Such an attacker can redirect traffic to a host of their
 choosing.
 A PCP server is secure under this threat model if the PCP server is
 constrained so that it does not configure any explicit mapping that
 it would not configure implicitly.  In most cases, this means that
 PCP servers running on NAT boxes or stateful firewalls that support
 the PEER and MAP Opcodes can be secure under this threat model if
 (1) all of their hosts are within a single administrative domain (or
 if the internal hosts can be securely partitioned into separate
 administrative domains, as in the DS-Lite B4 case), (2) explicit
 mappings are created with the same lifetime as implicit mappings, and
 (3) the THIRD_PARTY option is not supported.  PCP servers can also
 securely support the MAP Opcode under this threat model if the
 security policy on the device running the PCP server would permit
 endpoint-independent filtering of implicit mappings.
 PCP servers that comply with the Simple Threat Model and do not
 implement a PCP security mechanism described in Section 18.2 MUST
 enforce the constraints described in the paragraph above.

Wing, et al. Standards Track [Page 78] RFC 6887 Port Control Protocol (PCP) April 2013

18.1.1. Attacks Considered

 o  If you allow multiple administrative domains to send PCP requests
    to a single PCP server that does not enforce a boundary between
    the domains, it is possible for a node in one domain to perform a
    denial-of-service attack on other domains or to capture traffic
    that is intended for a node in another domain.
 o  If explicit mappings have longer lifetimes than implicit mappings,
    it makes it easier to perpetrate a denial-of-service attack than
    it would be if the PCP server was not present.
 o  If the PCP server supports deleting or reducing the lifetime of
    existing mappings, this allows an attacking node to steal an
    existing mapping and receive traffic that was intended for another
    node.
 o  If the THIRD_PARTY option is supported, this also allows an
    attacker to open a window for an external node to attack an
    internal node, allows an attacker to steal traffic that was
    intended for another node, or may facilitate a denial-of-service
    attack.  One example of how the THIRD_PARTY option could grant an
    attacker more capability than a spoofed implicit mapping is that
    the PCP server (especially if it is running in a service
    provider's network) may not be aware of internal filtering that
    would prevent spoofing an equivalent implicit mapping, such as
    filtering between a guest and corporate network.
 o  If the MAP Opcode is supported by the PCP server in cases where
    the security policy would not support endpoint-independent
    filtering of implicit mappings, then the MAP Opcode changes the
    security properties of the device running the PCP server by
    allowing explicit mappings that violate the security policy.

18.1.2. Deployment Examples Supporting the Simple Threat Model

 This section offers two examples of how the Simple Threat Model can
 be supported in real-world deployment scenarios.

18.1.2.1. Residential Gateway Deployment

 Parity with many currently deployed residential gateways can be
 achieved using a PCP server that is constrained as described in
 Section 18.1 above.

Wing, et al. Standards Track [Page 79] RFC 6887 Port Control Protocol (PCP) April 2013

18.2. Advanced Threat Model

 In the Advanced Threat Model, the PCP protocol ensures that attackers
 (on- or off-path) cannot create unauthorized mappings or make
 unauthorized changes to existing mappings.  The protocol must also
 limit the opportunity for on- or off-path attackers to perpetrate
 denial-of-service attacks.
 The Advanced Threat Model security model will be needed in the
 following cases:
 o  Security infrastructure equipment, such as corporate firewalls,
    that does not create implicit mappings.
 o  Equipment (such as CGNs or service provider firewalls) that serves
    multiple administrative domains and does not have a mechanism to
    securely partition traffic from those domains.
 o  Any implementation that wants to be more permissive in authorizing
    explicit mappings than it is in authorizing implicit mappings.
 o  Implementations that wish to support any deployment scenario that
    does not meet the constraints described in Section 18.1.
 To protect against attacks under this threat model, a PCP security
 mechanism that provides an authenticated, integrity-protected
 signaling channel would need to be specified.
 PCP servers that implement a PCP security mechanism MAY accept
 unauthenticated requests.  In their default configuration, PCP
 servers implementing the PCP security mechanism MUST still enforce
 the constraints described in Section 18.1 when processing
 unauthenticated requests.

18.3. Residual Threats

 This section describes some threats that are not addressed in either
 of the above threat models and recommends appropriate mitigation
 strategies.

18.3.1. Denial of Service

 Because of the state created in a NAT or firewall, a per-host and/or
 per-subscriber quota will likely exist for both implicit dynamic
 mappings and explicit dynamic mappings.  A host might make an
 excessive number of implicit or explicit dynamic mappings, consuming

Wing, et al. Standards Track [Page 80] RFC 6887 Port Control Protocol (PCP) April 2013

 an inordinate number of ports, causing a denial of service to other
 hosts.  Thus, Section 17.2 recommends that hosts be limited to a
 reasonable number of explicit dynamic mappings.
 An attacker, on the path between the PCP client and PCP server, can
 drop PCP requests, drop PCP responses, or spoof a PCP error, all of
 which will effectively deny service.  Through such actions, the PCP
 client might not be aware the PCP server might have actually
 processed the PCP request.  An attacker sending a NO_RESOURCES error
 can cause the PCP client to not send messages to that server for a
 while.  There is no mitigation to this on-path attacker.

18.3.2. Ingress Filtering

 It is important to prevent a host from fraudulently creating,
 deleting, or refreshing a mapping (or filtering) for another host,
 because this can expose the other host to unwanted traffic, prevent
 it from receiving wanted traffic, or consume the other host's mapping
 quota.  Both implicit and explicit dynamic mappings are created based
 on the source IP address in the packet, and hence depend on ingress
 filtering to guard against spoof source IP addresses.

18.3.3. Mapping Theft

 In the time between when a PCP server loses state and the PCP client
 notices the lower-than-expected Epoch Time value, it is possible that
 the PCP client's mapping will be acquired by another host (via an
 explicit dynamic mapping or implicit dynamic mapping).  This means
 incoming traffic will be sent to a different host ("theft").  Rapid
 recovery reduces this interval, but does not completely eliminate
 this threat.  The PCP client can reduce this interval by using a
 relatively short lifetime; however, this increases the amount of PCP
 chatter.  This threat is reduced by using persistent storage of
 explicit dynamic mappings in the PCP server (so it does not lose
 explicit dynamic mapping state), or by ensuring that the previous
 external IP address, protocol, and port cannot be used by another
 host (e.g., by using a different IP address pool).

18.3.4. Attacks against Server Discovery

 This document does not specify server discovery, beyond contacting
 the default gateway.

Wing, et al. Standards Track [Page 81] RFC 6887 Port Control Protocol (PCP) April 2013

19. IANA Considerations

 IANA has performed the following actions.

19.1. Port Number

 PCP uses ports 5350 and 5351, previously assigned by IANA to NAT-PMP
 [RFC6886].  IANA has reassigned those ports to PCP.

19.2. Opcodes

 IANA has created a new protocol registry for PCP Opcodes, numbered
 0-127, initially populated with the values:
         Value            Opcode
         -----            -------------------------
         0                ANNOUNCE
         1                MAP
         2                PEER
         3-31             Standards Action [RFC5226]
         32-63            Specification Required [RFC5226]
         96-126           Reserved for Private Use [RFC5226]
         127              Reserved, Standards Action [RFC5226]
 The value 127 is Reserved and may be assigned via Standards Action
 [RFC5226].  The values in the range 3-31 can be assigned via
 Standards Action [RFC5226], 32-63 via Specification Required
 [RFC5226], and the range 96-126 is for Private Use [RFC5226].

19.3. Result Codes

 IANA has created a new registry for PCP result codes, numbered 0-255,
 initially populated with the result codes from Section 7.4.  The
 value 255 is Reserved and may be assigned via Standards Action
 [RFC5226].
 The values in the range 14-127 can be assigned via Standards Action
 [RFC5226], 128-191 via Specification Required [RFC5226], and the
 range 191-254 is for Private Use [RFC5226].

19.4. Options

 IANA has created a new registry for PCP options, numbered 0-255, each
 with an associated mnemonic.  The values 0-127 are mandatory to
 process, and 128-255 are optional to process.  The initial registry
 contains the options described in Section 13.  The option values 0,
 127, and 255 are Reserved and may be assigned via Standards Action
 [RFC5226].

Wing, et al. Standards Track [Page 82] RFC 6887 Port Control Protocol (PCP) April 2013

 Additional PCP option codes in the ranges 4-63 and 128-191 can be
 created via Standards Action [RFC5226], the ranges 64-95 and 192-223
 are for Specification Required [RFC5226], and the ranges 96-126 and
 224-254 are for Private Use [RFC5226].
 Documents describing an option should describe the processing for
 both the PCP client and server, and the information below:
    Option Name: <mnemonic>
    Number: <value>
    Purpose: <textual description>
    Valid for Opcodes: <list of Opcodes>
    Length: <rules for length>
    May appear in: <requests/responses/both>
    Maximum occurrences: <count>

20. Acknowledgments

 Thanks to Xiaohong Deng, Alain Durand, Christian Jacquenet, Jacni
 Qin, Simon Perreault, James Yu, Tina TSOU (Ting ZOU), Felipe Miranda
 Costa, James Woodyatt, Dave Thaler, Masataka Ohta, Vijay K. Gurbani,
 Loa Andersson, Richard Barnes, Russ Housley, Adrian Farrel, Pete
 Resnick, Pasi Sarolahti, Robert Sparks, Wesley Eddy, Dan Harkins,
 Peter Saint-Andre, Stephen Farrell, Ralph Droms, Felipe Miranda
 Costa, Amit Jain, and Wim Henderickx for their comments and review.
 Thanks to Simon Perreault for highlighting the interaction of dynamic
 connections with PCP-created mappings and for many other review
 comments.
 Thanks to Francis Dupont for his several thorough reviews of the
 specification, which improved the protocol significantly.
 Thanks to T. S. Ranganathan for the state diagram.
 Thanks to Peter Lothberg for clock skew information, which guided the
 choice of tolerance levels for deciding when an Epoch time should be
 considered to be anomalous.
 Thanks to Margaret Wasserman and Sam Hartman for writing the Security
 Considerations section.
 Thanks to authors of DHCPv6 for retransmission text.

Wing, et al. Standards Track [Page 83] RFC 6887 Port Control Protocol (PCP) April 2013

21. References

21.1. Normative References

 [RFC0768]        Postel, J., "User Datagram Protocol", STD 6,
                  RFC 768, August 1980.
 [RFC2119]        Bradner, S., "Key words for use in RFCs to Indicate
                  Requirement Levels", BCP 14, RFC 2119, March 1997.
 [RFC2827]        Ferguson, P. and D. Senie, "Network Ingress
                  Filtering: Defeating Denial of Service Attacks which
                  employ IP Source Address Spoofing", BCP 38,
                  RFC 2827, May 2000.
 [RFC4086]        Eastlake, D., Schiller, J., and S. Crocker,
                  "Randomness Requirements for Security", BCP 106,
                  RFC 4086, June 2005.
 [RFC4193]        Hinden, R. and B. Haberman, "Unique Local IPv6
                  Unicast Addresses", RFC 4193, October 2005.
 [RFC4291]        Hinden, R. and S. Deering, "IP Version 6 Addressing
                  Architecture", RFC 4291, February 2006.
 [RFC5226]        Narten, T. and H. Alvestrand, "Guidelines for
                  Writing an IANA Considerations Section in RFCs",
                  BCP 26, RFC 5226, May 2008.
 [RFC6056]        Larsen, M. and F. Gont, "Recommendations for
                  Transport-Protocol Port Randomization", BCP 156,
                  RFC 6056, January 2011.
 [proto_numbers]  IANA, "Protocol Numbers", 2011,
                  <http://www.iana.org/assignments/protocol-numbers>.

21.2. Informative References

 [IGDv1]          UPnP Gateway Committee, "WANIPConnection:1",
                  November 2001, <http://upnp.org/specs/gw/
                  UPnP-gw-WANIPConnection-v1-Service.pdf>.
 [L2NAT]          Miles, D. and M. Townsley, "Layer2-Aware NAT", Work
                  in Progress, March 2009.
 [PCP-FAIL]       Boucadair, M., Dupont, F., and R. Penno, "Port
                  Control Protocol (PCP) Failure Scenarios", Work
                  in Progress, August 2012.

Wing, et al. Standards Track [Page 84] RFC 6887 Port Control Protocol (PCP) April 2013

 [PNP-IGD-PCP]    Boucadair, M., Penno, R., and D. Wing, "Universal
                  Plug and Play (UPnP) Internet Gateway Device (IGD)-
                  Port Control Protocol (PCP) Interworking Function",
                  Work in Progress, December 2012.
 [RFC0793]        Postel, J., "Transmission Control Protocol", STD 7,
                  RFC 793, September 1981.
 [RFC1918]        Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot,
                  G., and E. Lear, "Address Allocation for Private
                  Internets", BCP 5, RFC 1918, February 1996.
 [RFC2136]        Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
                  "Dynamic Updates in the Domain Name System (DNS
                  UPDATE)", RFC 2136, April 1997.
 [RFC3007]        Wellington, B., "Secure Domain Name System (DNS)
                  Dynamic Update", RFC 3007, November 2000.
 [RFC3022]        Srisuresh, P. and K. Egevang, "Traditional IP
                  Network Address Translator (Traditional NAT)",
                  RFC 3022, January 2001.
 [RFC3581]        Rosenberg, J. and H. Schulzrinne, "An Extension to
                  the Session Initiation Protocol (SIP) for Symmetric
                  Response Routing", RFC 3581, August 2003.
 [RFC3587]        Hinden, R., Deering, S., and E. Nordmark, "IPv6
                  Global Unicast Address Format", RFC 3587,
                  August 2003.
 [RFC4303]        Kent, S., "IP Encapsulating Security Payload (ESP)",
                  RFC 4303, December 2005.
 [RFC4340]        Kohler, E., Handley, M., and S. Floyd, "Datagram
                  Congestion Control Protocol (DCCP)", RFC 4340,
                  March 2006.
 [RFC4787]        Audet, F. and C. Jennings, "Network Address
                  Translation (NAT) Behavioral Requirements for
                  Unicast UDP", BCP 127, RFC 4787, January 2007.
 [RFC4941]        Narten, T., Draves, R., and S. Krishnan, "Privacy
                  Extensions for Stateless Address Autoconfiguration
                  in IPv6", RFC 4941, September 2007.
 [RFC4960]        Stewart, R., "Stream Control Transmission Protocol",
                  RFC 4960, September 2007.

Wing, et al. Standards Track [Page 85] RFC 6887 Port Control Protocol (PCP) April 2013

 [RFC4961]        Wing, D., "Symmetric RTP / RTP Control Protocol
                  (RTCP)", BCP 131, RFC 4961, July 2007.
 [RFC5382]        Guha, S., Biswas, K., Ford, B., Sivakumar, S., and
                  P. Srisuresh, "NAT Behavioral Requirements for TCP",
                  BCP 142, RFC 5382, October 2008.
 [RFC6092]        Woodyatt, J., "Recommended Simple Security
                  Capabilities in Customer Premises Equipment (CPE)
                  for Providing Residential IPv6 Internet Service",
                  RFC 6092, January 2011.
 [RFC6145]        Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
                  Algorithm", RFC 6145, April 2011.
 [RFC6146]        Bagnulo, M., Matthews, P., and I. van Beijnum,
                  "Stateful NAT64: Network Address and Protocol
                  Translation from IPv6 Clients to IPv4 Servers",
                  RFC 6146, April 2011.
 [RFC6296]        Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network
                  Prefix Translation", RFC 6296, June 2011.
 [RFC6333]        Durand, A., Droms, R., Woodyatt, J., and Y. Lee,
                  "Dual-Stack Lite Broadband Deployments Following
                  IPv4 Exhaustion", RFC 6333, August 2011.
 [RFC6619]        Arkko, J., Eggert, L., and M. Townsley, "Scalable
                  Operation of Address Translators with Per-Interface
                  Bindings", RFC 6619, June 2012.
 [RFC6763]        Cheshire, S. and M. Krochmal, "DNS-Based Service
                  Discovery", RFC 6763, February 2013.
 [RFC6886]        Cheshire, S. and M. Krochmal, "NAT Port Mapping
                  Protocol (NAT-PMP)", RFC 6886, April 2013.
 [RFC6888]        Perreault, S., Ed., Yamagata, I., Miyakawa, S.,
                  Nakagawa, A., and H. Ashida, "Common Requirements
                  for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888,
                  April 2013.
 [SCTPNAT]        Stewart, R., Tuexen, M., and I. Ruengeler, "Stream
                  Control Transmission Protocol (SCTP) Network Address
                  Translation", Work in Progress, February 2013.

Wing, et al. Standards Track [Page 86] RFC 6887 Port Control Protocol (PCP) April 2013

Appendix A. NAT-PMP Transition

 The Port Control Protocol (PCP) is a successor to the NAT Port
 Mapping Protocol, NAT-PMP [RFC6886], and shares similar semantics,
 concepts, and packet formats.  Because of this, NAT-PMP and PCP both
 use the same port and use NAT-PMP and PCP's version negotiation
 capabilities to determine which version to use.  This section
 describes how an orderly transition from NAT-PMP to PCP may be
 achieved.
 A client supporting both NAT-PMP and PCP SHOULD send its request
 using the PCP packet format.  This will be received by a NAT-PMP
 server or a PCP server.  If received by a NAT-PMP server, the
 response will be UNSUPP_VERSION, as indicated by the NAT-PMP
 specification [RFC6886], which will cause the client to downgrade to
 NAT-PMP and resend its request in NAT-PMP format.  If received by a
 PCP server, the response will be as described by this document and
 processing continues as expected.
 A PCP server supporting both NAT-PMP and PCP can handle requests in
 either format.  The first octet of the packet indicates if it is
 NAT-PMP (first octet zero) or PCP (first octet non-zero).
 A PCP-only gateway receiving a NAT-PMP request (identified by the
 first octet being zero) will interpret the request as a version
 mismatch.  Normal PCP processing will emit a PCP response that is
 compatible with NAT-PMP, without any special handling by the PCP
 server.

Wing, et al. Standards Track [Page 87] RFC 6887 Port Control Protocol (PCP) April 2013

Authors' Addresses

 Dan Wing (editor)
 Cisco Systems, Inc.
 170 West Tasman Drive
 San Jose, California  95134
 USA
 EMail: dwing@cisco.com
 Stuart Cheshire
 Apple Inc.
 1 Infinite Loop
 Cupertino, California  95014
 USA
 Phone: +1 408 974 3207
 EMail: cheshire@apple.com
 Mohamed Boucadair
 France Telecom
 Rennes  35000
 France
 EMail: mohamed.boucadair@orange.com
 Reinaldo Penno
 Cisco Systems, Inc.
 170 West Tasman Drive
 San Jose, California  95134
 USA
 EMail: repenno@cisco.com
 Paul Selkirk
 Internet Systems Consortium
 950 Charter Street
 Redwood City, California  94063
 USA
 EMail: pselkirk@isc.org

Wing, et al. Standards Track [Page 88]

/data/webs/external/dokuwiki/data/pages/rfc/rfc6887.txt · Last modified: 2013/04/29 22:11 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki