Internet Engineering Task Force (IETF)                      M. Boucadair
Request for Comments: 6970                                France Telecom
Category: Standards Track                                       R. Penno
ISSN: 2070-1721                                                  D. Wing
                                                                   Cisco
                                                               July 2013
Universal Plug and Play (UPnP) Internet Gateway Device - Port Control Protocol Interworking Function (IGD-PCP IWF)
Abstract
This document specifies the behavior of the Universal Plug and Play (UPnP) Internet Gateway Device - Port Control Protocol Interworking Function (IGD-PCP IWF). A UPnP IGD-PCP IWF is required to be embedded in Customer Premises (CP) routers to allow for transparent NAT control in environments where a UPnP IGD is used on the LAN side and PCP is used on the external side of the CP router.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6970.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
   1.  Introduction
       1.1.  Requirements Language
   2.  Acronyms
   3.  Architecture Model
   4.  UPnP IGD-PCP IWF: Overview
       4.1.  UPnP IGD-PCP: State Variables
       4.2.  IGD-PCP: Methods
       4.3.  UPnP IGD-PCP: Errors
   5.  Specification of the IGD-PCP IWF
       5.1.  PCP Server Discovery
       5.2.  Control of the Firewall
       5.3.  Port Mapping Table
       5.4.  Interworking Function without NAT in the IGD
       5.5.  NAT Embedded in the IGD
       5.6.  Creating a Mapping
             5.6.1.  AddAnyPortMapping()
             5.6.2.  AddPortMapping()
       5.7.  Listing One or a Set of Mappings
       5.8.  Delete One or a Set of Mappings: DeletePortMapping() or DeletePortMappingRange()
       5.9.  Renewing a Mapping
       5.10. Rapid Recovery
   6.  Security Considerations
   7.  Acknowledgments
   8.  References
       8.1.  Normative References
       8.2.  Informative References
1.  Introduction

The Port Control Protocol (PCP) specification [RFC6887] discusses the implementation of NAT control features that rely upon Carrier Grade NAT devices such as a Dual-Stack Lite (DS-Lite) Address Family Transition Router (AFTR) [RFC6333] or NAT64 [RFC6146]. In environments where a Universal Plug and Play Internet Gateway Device (UPnP IGD) is used in the local network, an interworking function between the UPnP IGD and PCP is required to be embedded in the IGD (see the example illustrated in Figure 1).
   UPnP                      IGD-PCP
   Control                 Interworking
   Point                     Function                  PCP Server
     |          IGD             |                          |
     |  (1) AddPortMapping()    |                          |
     |------------------------->|                          |
     |                          |  (2) PCP MAP Request     |
     |                          |------------------------->|
     |                          |                          |

                      Figure 1: Flow Example
Two configurations are considered within this document:
o No NAT function is embedded in the IGD (Section 5.4). This is required, for instance, in DS-Lite or NAT64 deployments.
o The IGD embeds a NAT function (Section 5.5).
The UPnP IGD-PCP Interworking Function (UPnP IGD-PCP IWF) maintains a local mapping table that stores all active mappings created by internal IGD Control Points. This design choice limits the number of PCP messages exchanged with the PCP server.
Triggers for deactivating the UPnP IGD-PCP IWF from the IGD and relying on a PCP-only mode are out of scope for this document.
Considerations related to co-existence of the UPnP IGD-PCP Interworking Function and a PCP Proxy [PCP-PROXY] are out of scope.
1.1.  Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
2.  Acronyms

This document makes use of the following abbreviations:

   DS-Lite - Dual-Stack Lite
   IGD     - Internet Gateway Device
   IGD:1   - UPnP Forum's nomenclature for version 1 of IGD [IGD1]
   IGD:2   - UPnP Forum's nomenclature for version 2 of IGD [IGD2]
   IWF     - Interworking Function
   NAT     - Network Address Translation
   PCP     - Port Control Protocol
   UPnP    - Universal Plug and Play
3.  Architecture Model

As a reminder, Figure 2 illustrates the architecture model as adopted by the UPnP Forum [IGD2]. In Figure 2, the following UPnP terminology is used:
o 'Client' refers to a host located in the local network.
o 'IGD Control Point' is a device using UPnP to control an IGD (Internet Gateway Device).
o 'IGD' is a router supporting a UPnP IGD. It is typically a NAT or a firewall.
o 'Host' is a remote peer reachable in the Internet.
   +-------------+
   | IGD Control |
   |    Point    |-----+
   +-------------+     |   +-----+         +------+
                       +---|     |         |      |
                           | IGD |---------| Host |
                       +---|     |         |      |
   +-------------+     |   +-----+         +------+
   |   Client    |-----+
   +-------------+

                     Figure 2: UPnP IGD Model
This model is not valid when PCP is used to control, for instance, a Carrier Grade NAT (aka Provider NAT) while internal hosts continue to use a UPnP IGD. In such scenarios, Figure 3 shows the updated model.
   +-------------+
   | IGD Control |
   |    Point    |----+
   +-------------+    |   +-----+      +--------+                +------+
                      +---| IGD-|      |Provider|                |Remote|
                          | PCP |------|  NAT   |--<Internet>----| Host |
                      +---| IWF |      |        |                |      |
   +-------------+    |   +-----+      +--------+                +------+
   | Local Host  |----+
   +-------------+
                  LAN Side                     External Side
   <======UPnP IGD==============><=====PCP=====>

             Figure 3: UPnP IGD-PCP Interworking Model
In the updated model depicted in Figure 3, one or two levels of NAT can be encountered in the data path. Indeed, in addition to the Carrier Grade NAT, the IGD may embed a NAT function (Figure 4).
   +-------------+
   | IGD Control |
   |    Point    |----+
   +-------------+    |   +-----+      +--------+                +------+
                      +---| IGD-|      |Provider|                |Remote|
                          | PCP |------|  NAT   |--<Internet>----| Host |
                      +---| IWF |      |        |                |      |
   +-------------+    |   +-----+      +--------+                +------+
   | Local Host  |----+    NAT1          NAT2
   +-------------+

                  Figure 4: Cascaded NAT Scenario
To ensure successful interworking between a UPnP IGD and PCP, an interworking function is embedded in the IGD. In the model defined in Figure 3, all UPnP IGD server-oriented functions, a PCP client [RFC6887], and a UPnP IGD-PCP Interworking Function are embedded in the IGD. In the rest of the document, "IGD-PCP IWF" refers to the UPnP IGD-PCP Interworking Function, which includes PCP client functionality.
Without the IGD-PCP IWF, the IGD Control Point would retrieve an external IP address and port number assigned by the IGD itself (NAT1 in Figure 4) rather than by NAT2. Those values have only local scope and cannot be used to communicate with hosts located beyond NAT2.
4.  UPnP IGD-PCP IWF: Overview

The UPnP IGD-PCP IWF is responsible for generating a well-formed PCP message from a received UPnP IGD message, and vice versa.
Three tables are provided to specify the correspondence between a UPnP IGD and PCP:
(1) Section 4.1 provides the mapping between WANIPConnection state variables and PCP parameters;
(2) Section 4.2 focuses on the correspondence between supported methods;
(3) Section 4.3 lists the PCP error messages and their corresponding IGD error messages.
Note that some enhancements have been integrated in WANIPConnection, as documented in [IGD2].
4.1.  UPnP IGD-PCP: State Variables

Below are listed only the UPnP IGD state variables applicable to the IGD-PCP IWF:
ExternalIPAddress: External IP Address. Read-only variable with the value from the last PCP response, or the empty string if none was received yet. This state is stored on a per-IGD-Control-Point basis.
PortMappingNumberOfEntries: Managed locally by the UPnP IGD-PCP IWF.
PortMappingEnabled: PCP does not support deactivating a dynamic NAT mapping, since the initial goal of PCP is to ease the traversal of Carrier Grade NATs, and supporting such a per-subscriber function could overload the Carrier Grade NAT. Only "1" is allowed: the UPnP IGD-PCP Interworking Function MUST send back an error if a value different from 1 is signaled.
PortMappingLeaseDuration: Requested Mapping Lifetime. In IGD:1 [IGD1], the value 0 means infinite; in IGD:2, it is remapped to the IGD maximum of 604800 seconds [IGD2]. PCP allows a maximum value of 4294967295 seconds (the Requested Lifetime field is a 32-bit unsigned integer). The UPnP IGD-PCP Interworking Function simulates long and even infinite lifetimes using renewals (see Section 5.9). The behavior of the UPnP IGD-PCP IWF in the case of a failing renewal is currently undefined (see Section 5.9).
IGD:1 does not define the behavior in the case of state loss. IGD:2 does not require that state be kept in stable storage, i.e., that mappings survive resets/reboots. The UPnP IGD-PCP Interworking Function MUST support the IGD:2 behavior.
RemoteHost: Remote Peer IP Address. Mapped to the Remote Peer IP Address field of the FILTER option. Note that IGD:2 allows a domain name, which has to be resolved to an IP address.
ExternalPort: External Port Number Mapped to the Suggested External Port field in MAP messages.
InternalPort: Internal Port Number Mapped to the Internal Port field in MAP messages.
PortMappingProtocol: Protocol Mapped to the Protocol field in MAP messages. Note that a UPnP IGD only supports TCP and UDP.
InternalClient: Internal IP Address. Mapped to the Internal IP Address field of the THIRD_PARTY option. Note that IGD:2 allows a domain name, which has to be resolved to an IP address.
PortMappingDescription: Not supported in base PCP. If the local PCP client supports a PCP option to convey the description (e.g., [PCP-DESCR-OPT]), this option SHOULD be used to relay the mapping description.
SystemUpdateID (IGD:2 only): Managed locally by the UPnP IGD-PCP IWF.
A_ARG_TYPE_PortListing (IGD:2 only): Managed locally by the UPnP IGD-PCP IWF.
4.2.  IGD-PCP: Methods

The IGD:1 and IGD:2 methods applicable to the UPnP IGD-PCP Interworking Function are listed here.
GetGenericPortMappingEntry(): This request is not relayed to the PCP server.
The IGD-PCP Interworking Function maintains a list of active mappings instantiated in the PCP server by internal hosts. See Section 5.7 for more information.
GetSpecificPortMappingEntry(): MAP with PREFER_FAILURE option.
This request is relayed to the PCP server by issuing a MAP request with the PREFER_FAILURE option. It is RECOMMENDED to use a short lifetime (e.g., 60 seconds).
AddPortMapping(): MAP See Section 5.6.2.
AddAnyPortMapping() (IGD:2 only): MAP See Section 5.6.1.
DeletePortMapping(): MAP with Requested Lifetime set to 0. See Section 5.8.
DeletePortMappingRange() (IGD:2 only): MAP with Requested Lifetime set to 0. Individual requests are issued by the IGD-PCP IWF. See Section 5.8 for more details.
GetExternalIPAddress(): MAP This can be learned from any active mapping. If there are no active mappings, the IGD-PCP IWF MAY request a short-lived mapping (e.g., to the Discard service (TCP/9 or UDP/9) or some other port). However, once that mapping expires, a subsequent implicit or explicit dynamic mapping might be mapped to a different external IP address. See Section 11.6 of [RFC6887] for more discussion.
GetListOfPortMappings(): See Section 5.7 for more information. The IGD-PCP Interworking Function maintains a list of active mappings instantiated in the PCP server. The IGD-PCP Interworking Function handles this request locally.
4.3.  UPnP IGD-PCP: Errors

This section lists PCP error codes and the corresponding UPnP IGD codes. Error codes specific to IGD:2 are tagged accordingly.
   1  UNSUPP_VERSION:           501 "ActionFailed"

   2  NOT_AUTHORIZED:           IGD:1 718 "ConflictInMappingEntry" /
                                IGD:2 606 "Action not authorized"

   3  MALFORMED_REQUEST:        501 "ActionFailed"

   4  UNSUPP_OPCODE:            501 "ActionFailed"
      [RFC6887] allows the PCP server to be configured to disable
      support for the MAP Opcode, but the IGD-PCP IWF cannot work in
      this situation.

   5  UNSUPP_OPTION:            501 "ActionFailed"
      This error code can be received if PREFER_FAILURE is not
      supported on the PCP server. Note that PREFER_FAILURE is not
      mandatory to support, but AddPortMapping() cannot be implemented
      without it.

   6  MALFORMED_OPTION:         501 "ActionFailed"

   7  NETWORK_FAILURE:          501 "ActionFailed"

   8  NO_RESOURCES:             IGD:1 501 "ActionFailed" /
                                IGD:2 728 "NoPortMapsAvailable"
      Cannot be distinguished from USER_EX_QUOTA.

   9  UNSUPP_PROTOCOL:          501 "ActionFailed"

   10 USER_EX_QUOTA:            IGD:1 501 "ActionFailed" /
                                IGD:2 728 "NoPortMapsAvailable"
      Cannot be distinguished from NO_RESOURCES.

   11 CANNOT_PROVIDE_EXTERNAL:  718 "ConflictInMappingEntry" (see
                                Section 5.6.2) or 714 "NoSuchEntryInArray"
                                (see Section 5.8)

   12 ADDRESS_MISMATCH:         501 "ActionFailed"

   13 EXCESSIVE_REMOTE_PEERS:   501 "ActionFailed"
5.  Specification of the IGD-PCP IWF

This section covers scenarios with or without NAT in the IGD.
This specification assumes that the PCP server is configured to accept the MAP Opcode.
The IGD-PCP IWF handles the "Mapping Nonce" the same way as any PCP client [RFC6887].
5.1.  PCP Server Discovery

The IGD-PCP IWF implements one of the discovery methods identified in [RFC6887] (e.g., DHCP [PCP-DHCP-OPT]). The IGD-PCP Interworking Function behaves as a PCP client when communicating with provisioned PCP server(s).
If no IPv4 address/IPv6 prefix is assigned to the IGD or the IGD is unable to determine whether it should contact an upstream PCP server, the IGD-PCP Interworking Function MUST NOT be invoked.
If the IGD determines that it should establish communication with an upstream PCP server (e.g., because of DHCP configuration or because it has previously communicated with a PCP server) but the IGD-PCP IWF fails to establish that communication, a "501 ActionFailed" error message is returned to the requesting IGD Control Point. Note that the IGD-PCP IWF performs PCP message validation and retransmission the same way as any PCP client [RFC6887].
5.2.  Control of the Firewall

In order to configure security policies to be applied to inbound and outbound traffic, a UPnP IGD can be used to control a local firewall engine. No IGD-PCP IWF is therefore required for that purpose.
The use of the IGD-PCP IWF to control an upstream PCP-controlled firewall is out of scope for this document.
5.3.  Port Mapping Table

The IGD-PCP IWF MUST store locally all the mappings instantiated by internal IGD Control Points in the PCP server. All mappings SHOULD be stored in permanent storage.
Upon receipt of a PCP MAP response from the PCP server, the IGD-PCP Interworking Function MUST extract the enclosed mapping and MUST store it in the local mapping table. The local mapping table is an image of the mapping table as maintained by the PCP server for a given subscriber.
Each mapping entry stored in the local mapping table is associated with a lifetime as discussed in [RFC6887]. Additional considerations specific to the IGD-PCP Interworking Function are discussed in Section 5.9.
5.4.  Interworking Function without NAT in the IGD

When no NAT is embedded in the IGD, the contents of received WANIPConnection and PCP messages are not altered by the IGD-PCP Interworking Function (i.e., the contents of WANIPConnection messages are mapped to PCP messages (and mapped back), according to Section 4.1).
5.5.  NAT Embedded in the IGD

When NAT is embedded in the IGD, the IGD-PCP IWF updates the contents of mapping messages received from the IGD Control Point. These messages will contain an IP address and/or port number that belong to an internal host. The IGD-PCP IWF MUST update such messages with the IP address and/or port number belonging to the external interface of the IGD (i.e., after the NAT1 operation as depicted in Figure 4).
The IGD-PCP IWF intercepts all WANIPConnection messages issued by the IGD Control Point. For each such message, the IGD-PCP IWF then generates one or more corresponding requests (see Sections 4.1, 4.2, and 4.3) and sends them to the provisioned PCP server.
Each request sent by the IGD-PCP IWF to the PCP server MUST reflect the mapping information as enforced in the first NAT. In particular, the internal IP address and/or port number in the request are replaced with the IP address and/or port number assigned by the NAT of the IGD. For the reverse path, the IGD-PCP IWF intercepts PCP response messages and generates WANIPConnection response messages. The contents of the generated WANIPConnection response messages are set as follows:
o The internal IP address and/or port number as initially set by the IGD Control Point and stored in the IGD NAT are used to update the corresponding fields in received PCP responses.
o The external IP address and port number are not altered by the IGD-PCP Interworking Function.
o The NAT mapping entry in the IGD is updated with the result of each PCP request.
The lifetime of the mappings instantiated in the IGD SHOULD be the one assigned by the terminating PCP server. In any case, the lifetime MUST NOT be lower than the one assigned by the terminating PCP server.
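The two rewrites of this section (internal tuple replaced by the NAT1 tuple on the way to the PCP server, restored on the way back, external tuple left as NAT2 assigned it, NAT1 lifetime never below the PCP lifetime) as an added example. It is not code from RFC 6970 or from any IGD; the Nat1 class, its WAN address 203.0.113.10 and its port range are constructed stand-ins for the IGD's own NAT, and the request/reply dictionaries are an abstract view of the MAP fields rather than the wire format.

```python
"""Added example: Section 5.5 rewriting when the IGD embeds a NAT (NAT1 in Figure 4)."""


class Nat1:
    """Constructed stand-in for the IGD's own NAT: binds internal tuples to ports on its WAN address
    (the address and port range are assumptions of the example)."""

    def __init__(self, wan_ip="203.0.113.10", first_port=40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.table = {}   # (proto, WAN port) -> {"internal_ip", "internal_port", "lifetime"}

    def allocate(self, proto, internal_ip, internal_port):
        """Return the WAN port bound to an internal tuple, creating the NAT1 entry if needed."""
        for (p, wan_port), entry in self.table.items():
            if p == proto and (entry["internal_ip"], entry["internal_port"]) == (internal_ip, internal_port):
                return wan_port
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(proto, wan_port)] = {"internal_ip": internal_ip,
                                         "internal_port": internal_port, "lifetime": 0}
        return wan_port


def to_pcp(nat1, upnp_request):
    """UPnP -> PCP: the PCP server must see the tuple as enforced by NAT1, not the LAN host's."""
    wan_port = nat1.allocate(upnp_request["protocol"], upnp_request["internal_ip"],
                             upnp_request["internal_port"])
    # Protocol, suggested external port and requested lifetime pass through unchanged.
    return dict(upnp_request, internal_ip=nat1.wan_ip, internal_port=wan_port)


def to_upnp(nat1, pcp_request, pcp_reply):
    """PCP -> UPnP: restore the Control Point's own tuple; the external tuple assigned by the
    PCP server (NAT2) is not altered. The NAT1 entry is updated with each PCP result."""
    entry = nat1.table[(pcp_request["protocol"], pcp_request["internal_port"])]
    # SHOULD equal the PCP server's lifetime and MUST NOT be lower; the max keeps an already
    # longer NAT1 binding from being shortened when the entry is reused.
    entry["lifetime"] = max(entry["lifetime"], pcp_reply["lifetime"])
    return {"protocol": pcp_request["protocol"],
            "internal_ip": entry["internal_ip"], "internal_port": entry["internal_port"],
            "external_ip": pcp_reply["external_ip"], "external_port": pcp_reply["external_port"],
            "lifetime": pcp_reply["lifetime"]}
```

Note that what the Control Point sees as "external" is the NAT2 tuple; the NAT1 tuple exists only between the IGD and the PCP server, which is exactly the information that is lost without the IWF (Section 3).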
5.6.  Creating a Mapping

Two methods can be used to create a mapping: AddAnyPortMapping() and AddPortMapping().
5.6.1.  AddAnyPortMapping()

When an IGD Control Point issues an AddAnyPortMapping() call, this request is received by the IGD. The request is then relayed to the IGD-PCP IWF, which generates a PCP MAP request (see Section 4.1 for the mapping between WANIPConnection and PCP parameters).
If the IGD-PCP IWF fails to send the MAP request to its PCP server, it follows the behavior defined in Section 5.1.
Upon receipt of a PCP MAP response from the PCP server, the corresponding UPnP IGD response is returned to the requesting IGD Control Point (the contents of the messages follow the recommendations in Section 5.4 or Section 5.5, according to the deployed scenario). A flow example is depicted in Figure 5.
If a PCP error is received from the PCP server, a corresponding WANIPConnection error code (see Section 4.3) is generated by the IGD-PCP IWF and sent to the requesting IGD Control Point. If a short-lifetime error is returned (e.g., NETWORK_FAILURE, NO_RESOURCES), the IGD-PCP IWF MAY resend the same request to the PCP server after 30 seconds. If a negative answer is received again, the error is then relayed to the requesting IGD Control Point.
Discussion: Some applications (e.g., uTorrent, Vuze, eMule) wait 90 seconds or more for a response after sending a UPnP request. If a short-lifetime error occurs, resending the request may lead to a positive response from the PCP server. IGD Control Points are therefore not aware of transient errors.
   UPnP                      UPnP-PCP
   Control                 Interworking
   Point                     Function                  PCP Server
     |                          |                           |
     | (1) AddAnyPortMapping()  |                           |
     |     ExternalPort=8080    |                           |
     |------------------------->|                           |
     |                          | (2) PCP MAP Request       |
     |                          | Suggested External Port=8080
     |                          |-------------------------->|
     |                          |                           |
     |                          | (3) PCP MAP Response      |
     |                          | Assigned External Port=6598
     |                          |<--------------------------|
     | (4) AddAnyPortMapping()  |                           |
     |     ReservedPort=6598    |                           |
     |<-------------------------|                           |

            Figure 5: Flow Example: AddAnyPortMapping()
5.6.2.  AddPortMapping()

A dedicated option called "PREFER_FAILURE" is defined in [RFC6887] to toggle the behavior in a PCP request message. This option is inserted by the IGD-PCP IWF when issuing its requests to the PCP server only if a specific external port is requested by the IGD Control Point.
Upon receipt of AddPortMapping() from an IGD Control Point, the IGD-PCP IWF MUST generate a PCP MAP request carrying all the mapping information requested by the IGD Control Point, either unchanged if no NAT is embedded in the IGD or updated as specified in Section 5.5. In addition, the IGD-PCP IWF MUST insert a PREFER_FAILURE option in the generated PCP request.
If the IGD-PCP IWF fails to send the MAP request to its PCP server, it follows the behavior defined in Section 5.1.
If the requested external port is not available, the PCP server will send a CANNOT_PROVIDE_EXTERNAL error response:
1. If a short-lifetime error is returned, the IGD-PCP IWF MAY resend the same request to the PCP server after 30 seconds without relaying the error to the IGD Control Point. The IGD-PCP IWF MAY repeat this process until a positive answer is received or some maximum retry limit is reached. When the maximum retry limit is reached, the IGD-PCP IWF relays a negative message to the IGD Control Point with ConflictInMappingEntry as the error code.
The maximum retry limit is implementation-specific; its default value is 2.
2. If a long-lifetime error is returned, the IGD-PCP IWF relays a negative message to the IGD Control Point with ConflictInMappingEntry as the error code.
The IGD Control Point may issue a new request with a different requested external port number. This process is typically repeated by the IGD Control Point until a positive answer is received or some maximum retry limit is reached.
If the PCP server is able to create or renew a mapping with the requested external port, it sends a positive response to the IGD-PCP IWF. Upon receipt of the response from the PCP server, the IGD-PCP IWF stores the returned mapping in its local mapping table and sends the corresponding positive answer to the requesting IGD Control Point. This answer terminates the exchange.
Figure 6 shows an example of the flow exchange that occurs when the PCP server satisfies the request from the IGD-PCP IWF. Figure 7 shows the message exchange when the requested external port is not available.
  UPnP Control          UPnP-PCP
     Point         Interworking Function      PCP Server
       |                    |                     |
       | (1) AddPortMapping()                     |
       |     ExternalPort=8080                    |
       |------------------->|                     |
       |                    | (2) PCP MAP Request |
       |                    | Suggested External Port=8080
       |                    | PREFER_FAILURE      |
       |                    |-------------------->|
       |                    |                     |
       |                    | (3) PCP MAP Response|
       |                    | Assigned External Port=8080
       |                    |<--------------------|
       | (4) AddPortMapping()                     |
       |     ExternalPort=8080                    |
       |<-------------------|                     |
Figure 6: Flow Example (Positive Answer)
  UPnP Control          UPnP-PCP
     Point         Interworking Function      PCP Server
       |                    |                     |
       | (1) AddPortMapping()                     |
       |     ExternalPort=8080                    |
       |------------------->|                     |
       |                    | (2) PCP MAP Request |
       |                    | Suggested External Port=8080
       |                    | PREFER_FAILURE      |
       |                    |-------------------->|
       |                    | (3) PCP MAP Response|
       |                    | CANNOT_PROVIDE_EXTERNAL
       |                    |<--------------------|
       | (4) Error:         |                     |
       |     ConflictInMappingEntry               |
       |<-------------------|                     |
       |                    |                     |
       | (5) AddPortMapping()                     |
       |     ExternalPort=5485                    |
       |------------------->|                     |
       |                    | (6) PCP MAP Request |
       |                    | Suggested External Port=5485
       |                    | PREFER_FAILURE      |
       |                    |-------------------->|
       |                    | (7) PCP MAP Response|
       |                    | CANNOT_PROVIDE_EXTERNAL
       |                    |<--------------------|
       | (8) Error:         |                     |
       |     ConflictInMappingEntry               |
       |<-------------------|                     |
       ....
       | (a) AddPortMapping()                     |
       |     ExternalPort=6591                    |
       |------------------->|                     |
       |                    | (b) PCP MAP Request |
       |                    | Suggested External Port=6591
       |                    | PREFER_FAILURE      |
       |                    |-------------------->|
       |                    | (c) PCP MAP Response|
       |                    | CANNOT_PROVIDE_EXTERNAL
       |                    |<--------------------|
       | (d) Error:         |                     |
       |     ConflictInMappingEntry               |
       |<-------------------|                     |
Figure 7: Flow Example (Negative Answer)
Note: According to some experiments, some UPnP 1.0 Control Point implementations, e.g., uTorrent, simply try the same external port a number of times (usually 4 times) and then fail if the port is in use. Also note that some applications use GetSpecificPortMappingEntry() to determine whether a mapping exists.
In order to list active mappings, an IGD Control Point may issue GetGenericPortMappingEntry(), GetSpecificPortMappingEntry(), or GetListOfPortMappings().
GetGenericPortMappingEntry() and GetListOfPortMappings() methods MUST NOT be proxied to the PCP server, since a local mapping is maintained by the IGD-PCP IWF.
Upon receipt of GetSpecificPortMappingEntry() from an IGD Control Point, the IGD-PCP IWF MUST check first to see if the external port number is used by the requesting IGD Control Point. If the external port is already in use by the requesting IGD Control Point, the IGD-PCP IWF MUST send back the mapping entry matching the request. If not, the IGD-PCP IWF MUST relay to the PCP server a MAP request, with short lifetime (e.g., 60 seconds), including a PREFER_FAILURE option. If the IGD-PCP IWF fails to send the MAP request to its PCP server, it follows the behavior defined in Section 5.1. If the requested external port is in use, a PCP error message will be sent by the PCP server to the IGD-PCP IWF indicating CANNOT_PROVIDE_EXTERNAL as the error cause. Then, the IGD-PCP IWF relays a negative message to the IGD Control Point. If the port is not in use, the mapping will be created by the PCP server and a positive response will be sent back to the IGD-PCP IWF. Once received by the IGD-PCP IWF, it MUST relay a negative message to the IGD Control Point indicating NoSuchEntryInArray as the error code so that the IGD Control Point knows the queried mapping doesn't exist.
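The AddPortMapping() retry behaviour described earlier and the GetSpecificPortMappingEntry() probe just described, as one added Python example that is not code from RFC 6970 or from any IWF implementation: it encodes the PCP MAP request with the PREFER_FAILURE option in the RFC 6887 wire layout, runs it against a simulated PCP server (`FakePcpServer`, constructed for this example), and shows how the IWF turns the short- and long-lifetime CANNOT_PROVIDE_EXTERNAL errors and the probe outcome into UPnP answers. The client address, the 30-second threshold separating short- from long-lifetime errors, and the internal port used by the probe are this example's assumptions.

```python
"""IGD-PCP IWF: AddPortMapping() with PREFER_FAILURE and GetSpecificPortMappingEntry()
probing, against a simulated PCP server. Added example; the MAP request wire layout
follows RFC 6887, the server and the UPnP-side results are this example's own."""
import ipaddress
import os
import struct

PCP_VERSION = 2
OPCODE_MAP = 1
OPT_PREFER_FAILURE = 2            # PCP option code (RFC 6887)
RESULT_SUCCESS = 0
RESULT_CANNOT_PROVIDE_EXTERNAL = 11
PROTO_TCP, PROTO_UDP = 6, 17
MAX_RETRIES = 2                   # default maximum retry limit stated in the text
PROBE_LIFETIME = 60               # short probe lifetime (seconds) stated in the text
SHORT_ERROR_MAX = 30              # assumption: an error lifetime <= 30 s is "short-lifetime"


def _addr16(ip):
    """16-byte PCP address field; IPv4 is carried as an IPv4-mapped IPv6 address."""
    addr = ipaddress.ip_address(ip)
    return addr.packed if addr.version == 6 else b"\x00" * 10 + b"\xff\xff" + addr.packed


def build_map_request(client_ip, protocol, internal_port, suggested_ext_port, lifetime, prefer_failure):
    """24-byte common header + 36-byte MAP opcode data + optional 4-byte PREFER_FAILURE option."""
    pkt = struct.pack("!BBHI", PCP_VERSION, OPCODE_MAP, 0, lifetime) + _addr16(client_ip)
    pkt += os.urandom(12)                                              # mapping nonce
    pkt += struct.pack("!B3xHH", protocol, internal_port, suggested_ext_port)
    pkt += _addr16("::")                                               # suggested external IP: any
    if prefer_failure:
        pkt += struct.pack("!BBH", OPT_PREFER_FAILURE, 0, 0)           # option carries no payload
    return pkt


def request_options(req):
    """Yield the option codes that follow the MAP opcode data (options start at offset 60)."""
    off = 60
    while off + 4 <= len(req):
        code, _, length = struct.unpack_from("!BBH", req, off)
        yield code
        off += 4 + (length + 3) // 4 * 4                               # option data is 4-byte padded


class FakePcpServer:
    """Stand-in PCP server: a set of busy external ports plus the error lifetime it reports."""

    def __init__(self, in_use, error_lifetime=SHORT_ERROR_MAX):
        self.in_use = set(in_use)
        self.error_lifetime = error_lifetime
        self.requests_seen = 0

    def handle(self, req):
        self.requests_seen += 1
        lifetime = struct.unpack_from("!I", req, 4)[0]
        ext_port = struct.unpack_from("!H", req, 42)[0]
        if ext_port in self.in_use:
            if OPT_PREFER_FAILURE in request_options(req):
                return {"result": RESULT_CANNOT_PROVIDE_EXTERNAL, "lifetime": self.error_lifetime}
            ext_port = max(self.in_use) + 1                            # no PREFER_FAILURE: pick another port
        if lifetime:
            self.in_use.add(ext_port)                                  # even a 60 s probe occupies the port
        return {"result": RESULT_SUCCESS, "lifetime": lifetime, "external_port": ext_port}


class IgdPcpIwf:
    """Local mapping table keyed by (Control Point, protocol, external port)."""

    def __init__(self, server, client_ip="192.0.2.10"):                # constructed client address
        self.server, self.client_ip, self.table = server, client_ip, {}

    def add_port_mapping(self, control_point, protocol, internal_port, external_port, lease):
        """MAP + PREFER_FAILURE; resend the same request on a short-lifetime error (the 30 s
        wait is not simulated) up to MAX_RETRIES times, then answer ConflictInMappingEntry."""
        req = build_map_request(self.client_ip, protocol, internal_port, external_port, lease, True)
        for _ in range(1 + MAX_RETRIES):
            resp = self.server.handle(req)
            if resp["result"] == RESULT_SUCCESS:
                entry = {"protocol": protocol, "internal_port": internal_port,
                         "external_port": resp["external_port"], "lease": lease}
                self.table[(control_point, protocol, external_port)] = entry
                return {"ok": True, "entry": entry}
            if resp["lifetime"] > SHORT_ERROR_MAX:
                break                                                  # long-lifetime error: no retry
        return {"ok": False, "error": "ConflictInMappingEntry"}

    def get_specific_port_mapping_entry(self, control_point, protocol, external_port):
        """Answer from the table when the port is this Control Point's; otherwise probe the
        PCP server with a 60 s MAP + PREFER_FAILURE and translate the outcome."""
        entry = self.table.get((control_point, protocol, external_port))
        if entry is not None:
            return {"ok": True, "entry": entry}
        # Assumption: the probe reuses the queried port number as its internal port.
        req = build_map_request(self.client_ip, protocol, external_port, external_port, PROBE_LIFETIME, True)
        resp = self.server.handle(req)
        if resp["result"] == RESULT_CANNOT_PROVIDE_EXTERNAL:
            return {"ok": False, "reason": "external port in use"}    # text gives no UPnP error code here
        return {"ok": False, "error": "NoSuchEntryInArray"}            # probe succeeded: mapping does not exist
```

One consequence worth noticing in the simulation: a GetSpecificPortMappingEntry() probe for a free port succeeds on the PCP server, so the port is occupied there for the 60-second probe lifetime even though the Control Point is told NoSuchEntryInArray. That is the port-resource cost the security considerations later attach to frequent GetSpecificPortMappingEntry() requests.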
5.8. Delete One or a Set of Mappings: DeletePortMapping() or DeletePortMappingRange()
An IGD Control Point requests the deletion of one or a list of mappings by issuing DeletePortMapping() or DeletePortMappingRange().
In IGD:2, we assume that the IGD applies the appropriate security policies to determine whether a Control Point has the rights to delete one or a set of mappings. When authorization fails, the "606 Action Not Authorized" error code is returned to the requesting Control Point.
When DeletePortMapping() or DeletePortMappingRange() is received by the IGD-PCP IWF, it first checks if the requested mappings to be removed are present in the local mapping table. If no mapping matching the request is found in the local table, an error code is sent back to the IGD Control Point: "714 NoSuchEntryInArray" for DeletePortMapping() or "730 PortMappingNotFound" for DeletePortMappingRange().
Figure 8 shows an example of an IGD Control Point asking to delete a mapping that is not instantiated in the local table of the IWF.
  UPnP Control          UPnP-PCP
     Point         Interworking Function      PCP Server
       |                    |                     |
       | (1) DeletePortMapping()                  |
       |------------------->|                     |
       |                    |                     |
       | (2) Error:         |                     |
       |     NoSuchEntryInArray                   |
       |<-------------------|                     |
       |                    |                     |
Figure 8: Local Delete (IGD-PCP IWF)
If a mapping matches in the local table, a PCP MAP delete request is generated. If no NAT is enabled in the IGD, the IGD-PCP IWF uses the input arguments as included in DeletePortMapping(). If a NAT is enabled in the IGD, the IGD-PCP IWF instead uses the corresponding IP address and port number as assigned by the local NAT.
If the IGD-PCP IWF fails to send the MAP request to its PCP server, it follows the behavior defined in Section 5.1.
When a positive answer is received from the PCP server, the IGD-PCP IWF updates its local mapping table (i.e., removes the corresponding entry) and notifies the IGD Control Point of the result of the removal operation. Once the PCP MAP delete request is received by the PCP server, it removes the corresponding entry. A PCP MAP SUCCESS response is sent back if the removal of the corresponding entry was successful; if not, a PCP error message containing the corresponding error cause (see Section 4.3) is sent back to the IGD-PCP IWF.
If DeletePortMappingRange() is used, the IGD-PCP IWF does a lookup in its local mapping table to retrieve individual mappings, instantiated by the requesting Control Point (i.e., authorization checks), that match the signaled port range (i.e., the external port is within the "StartPort" and "EndPort" arguments of DeletePortMappingRange()). If no mapping is found, the "730 PortMappingNotFound" error code is sent to the IGD Control Point (Figure 9). If one or more mappings are found, the IGD-PCP IWF generates individual PCP MAP delete requests corresponding to these mappings (see the example shown in Figure 10).
The IGD-PCP IWF MAY send a positive answer to the requesting IGD Control Point without waiting to receive all the answers from the PCP server.
  UPnP Control          UPnP-PCP
     Point         Interworking Function      PCP Server
       |                    |                     |
       | (1) DeletePortMappingRange()             |
       |     StartPort=8596                       |
       |     EndPort  =9000                       |
       |     Protocol =UDP                        |
       |------------------->|                     |
       |                    |                     |
       | (2) Error:         |                     |
       |     PortMappingNotFound                  |
       |<-------------------|                     |
       |                    |                     |
Figure 9: Flow Example: Error Encountered when Processing DeletePortMappingRange()
Figure 10 illustrates the exchanges that occur when the IWF receives DeletePortMappingRange(). In this example, only two mappings having the external port number in the 6000-6050 range are maintained in the local table. The IWF issues two MAP requests to delete these mappings.
  UPnP Control          UPnP-PCP
     Point         Interworking Function      PCP Server
       |                    |                     |
       | (1) DeletePortMappingRange()             |
       |     StartPort=6000                       |
       |     EndPort  =6050                       |
       |     Protocol =UDP                        |
       |------------------->|                     |
       |                    |                     |
       |                    | (2a) PCP MAP Request|
       |                    |   Protocol=UDP      |
       |                    |   internal-ip-address
       |                    |   internal-port     |
       |                    |   external-ip-address
       |                    |   external-port=6030|
       |                    |   Requested-lifetime=0
       |                    |-------------------->|
       |                    |                     |
       |                    | (2b) PCP MAP Request|
       |                    |   Protocol=UDP      |
       |                    |   internal-ip-address
       |                    |   internal-port     |
       |                    |   external-ip-address
       |                    |   external-port=6045|
       |                    |   Requested-lifetime=0
       |                    |-------------------->|
       |                    |                     |
       | (3) Positive answer                      |
       |<-------------------|                     |
       |                    |                     |
Figure 10: Example of DeletePortMappingRange()
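The DeletePortMapping() and DeletePortMappingRange() handling of Section 5.8, including the local-table lookup, the "714"/"730" error codes, the IGD:2 authorization outcome, and the choice of internal address when the IGD runs its own NAT, as an added Python example that is not code from RFC 6970 or from any IWF implementation. The PCP server is a constructed stand-in that records each MAP delete (Requested Lifetime 0); the addresses and port numbers are constructed, and the assumption that the IWF records both the LAN-side and the local-NAT-assigned address of every mapping is this example's own.

```python
"""IGD-PCP IWF: DeletePortMapping() and DeletePortMappingRange() against a simulated
PCP server. Added example, not code from RFC 6970 or any IWF implementation."""

SUCCESS = "SUCCESS"


class FakePcpServer:
    """Stand-in PCP server: remembers (protocol, external_port) mappings and every
    MAP delete (Requested Lifetime 0) it receives."""

    def __init__(self):
        self.mappings = set()
        self.delete_requests = []

    def map_delete(self, protocol, internal_ip, internal_port, external_port):
        self.delete_requests.append({"protocol": protocol, "internal_ip": internal_ip,
                                     "internal_port": internal_port,
                                     "external_port": external_port, "lifetime": 0})
        if (protocol, external_port) in self.mappings:
            self.mappings.discard((protocol, external_port))
            return SUCCESS
        return "PCP error"          # the real error causes are those of Section 4.3 of the text


class IgdPcpIwf:
    """Local mapping table; each entry remembers the Control Point that created it and,
    when the IGD runs its own NAT, the address/port that local NAT assigned (assumption)."""

    def __init__(self, server, nat_enabled=False):
        self.server, self.nat_enabled, self.table = server, nat_enabled, []

    def seed_entry(self, control_point, protocol, internal_ip, internal_port,
                   external_port, nat_ip=None, nat_port=None):
        """Example helper: pretend this mapping was created earlier via AddPortMapping()."""
        self.table.append(dict(control_point=control_point, protocol=protocol,
                               internal_ip=internal_ip, internal_port=internal_port,
                               external_port=external_port, nat_ip=nat_ip, nat_port=nat_port))
        self.server.mappings.add((protocol, external_port))

    def _pcp_internal(self, entry):
        """No NAT in the IGD: the DeletePortMapping() arguments as received.
        NAT in the IGD: the address and port assigned by the local NAT."""
        if self.nat_enabled:
            return entry["nat_ip"], entry["nat_port"]
        return entry["internal_ip"], entry["internal_port"]

    def delete_port_mapping(self, control_point, protocol, external_port):
        found = [e for e in self.table
                 if e["protocol"] == protocol and e["external_port"] == external_port]
        if not found:
            return {"ok": False, "error": "714 NoSuchEntryInArray"}
        entry = found[0]
        if entry["control_point"] != control_point:         # IGD:2 authorization policy
            return {"ok": False, "error": "606 Action Not Authorized"}
        ip, port = self._pcp_internal(entry)
        result = self.server.map_delete(protocol, ip, port, external_port)
        if result != SUCCESS:
            return {"ok": False, "error": result}           # relay the PCP error cause
        self.table.remove(entry)                             # positive answer: drop the local entry
        return {"ok": True}

    def delete_port_mapping_range(self, control_point, protocol, start_port, end_port):
        """Only this Control Point's mappings with StartPort <= external port <= EndPort;
        one PCP MAP delete per match, answered without waiting for the server replies."""
        matches = [e for e in self.table
                   if e["control_point"] == control_point and e["protocol"] == protocol
                   and start_port <= e["external_port"] <= end_port]
        if not matches:
            return {"ok": False, "error": "730 PortMappingNotFound"}
        for entry in matches:
            ip, port = self._pcp_internal(entry)
            self.server.map_delete(protocol, ip, port, entry["external_port"])
            self.table.remove(entry)
        return {"ok": True, "deleted": sorted(e["external_port"] for e in matches)}
```

The range delete filters on the requesting Control Point before it looks at the port range, so one Control Point's DeletePortMappingRange() can never tear down another's mappings even when their external ports overlap; the single delete reports that case as "606 Action Not Authorized" instead, which is the IGD:2 behaviour the text assumes.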
Because of the incompatibility of mapping lifetimes between a UPnP IGD and PCP, the IGD-PCP IWF MUST simulate long and even infinite lifetimes. Indeed, for requests having a requested infinite PortMappingLeaseDuration, the IGD-PCP IWF MUST set the Requested Lifetime of the corresponding PCP request to 4294967296. If PortMappingLeaseDuration is not infinite, the IGD-PCP IWF MUST set the Requested Lifetime of the corresponding PCP request to the same value as PortMappingLeaseDuration. Furthermore, the IGD-PCP Interworking Function MUST maintain an additional timer set to the initial requested PortMappingLeaseDuration. Upon receipt of a positive answer from the PCP server, the IGD-PCP IWF relays the corresponding UPnP IGD response to the requesting IGD Control Point with PortMappingLeaseDuration set to the same value as that of the initial request. Then, the IGD-PCP IWF MUST periodically renew the constructed PCP mapping until the expiry of PortMappingLeaseDuration. Responses received when renewing the mapping MUST NOT be relayed to the IGD Control Point.
If an error is encountered during mapping renewal, the IGD-PCP Interworking Function has no means of informing the IGD Control Point of the error.
When the IGD-PCP IWF is co-located with the DHCP server, the state maintained by the IGD-PCP IWF MUST be updated using the state in the local DHCP server. Particularly, if an IP address expires or is released by an internal host, the IGD-PCP IWF MUST delete all the mappings bound to that internal IP address.
Upon change of the external IP address of the IGD-PCP IWF, the IGD-PCP IWF MAY renew the mappings it maintained. This can be achieved only if a full state table is maintained by the IGD-PCP IWF. If the port quota is not exceeded in the PCP server, the IGD-PCP IWF will receive a new external IP address and port numbers. The IGD-PCP IWF has no means of notifying internal IGD Control Points of the change of the external IP address and port numbers. Stale mappings will be maintained by the PCP server until their lifetime expires.
Note: If an address change occurs, protocols that are sensitive to address changes (e.g., TCP) will experience disruption.
[RFC6887] defines a procedure for the PCP server to notify PCP clients of changes related to the mappings it maintains. When an unsolicited ANNOUNCE is received, the IGD-PCP IWF makes one or more MAP requests with the PREFER_FAILURE option to re-install its mappings. If the PCP server cannot create the requested mappings (signaled with the CANNOT_PROVIDE_EXTERNAL error response), the IGD-PCP IWF has no means of notifying internal IGD Control Points of any changes of the external IP address and port numbers.
Unsolicited PCP MAP responses received from a PCP server are handled as any normal MAP response. If a response indicates that the external IP address or port has changed, the IGD-PCP IWF has no means of notifying the internal IGD Control Point of this change.
Further analysis of PCP failure scenarios for the IGD-PCP Interworking Function is provided in [PCP-FAILURE].
IGD:2 access control requirements and authorization levels SHOULD be applied by default [IGD2]. When IGD:2 is used, operation on behalf of a third party SHOULD be allowed only if authentication and authorization are used [IGD2]. When only IGD:1 is available, operation on behalf of a third party SHOULD NOT be allowed.
This document defines a procedure to create PCP mappings for third-party devices belonging to the same subscriber. The means for preventing a malicious user from creating mappings on behalf of a third party must be enabled as discussed in Section 13.1 of [RFC6887]. In particular, the THIRD_PARTY option MUST NOT be enabled unless the network on which the PCP messages are to be sent is fully trusted -- for example, access control lists (ACLs) installed on the PCP client, the PCP server, and the network between them, so that those ACLs allow only communications from a trusted PCP client to the PCP server.
An IGD Control Point that issues AddPortMapping(), AddAnyPortMapping(), or GetSpecificPortMappingEntry() requests in a short time frame will create a lot of mapping entries on the PCP server. The means for avoiding the exhaustion of port resources (e.g., port quota, as discussed in Section 17.2 of [RFC6887]) SHOULD be enabled.
The security considerations discussed in [RFC6887] and [Sec_DCP] should be taken into account.
The authors would like to thank F. Fontaine, C. Jacquenet, X. Deng, G. Montenegro, D. Thaler, R. Tirumaleswar, P. Selkirk, T. Lemon, V. Gurbani, and P. Yee for their review and comments.
F. Dupont contributed to previous versions of this document. Thanks go to him for his thorough reviews and contributions.
[IGD1] UPnP Forum, "WANIPConnection:1 Service Template Version 1.01", November 2001, <http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v1-Service.pdf>.
[IGD2] UPnP Forum, "WANIPConnection:2 Service", September 2010, <http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v2-Service.pdf>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6887] Wing, D., Cheshire, S., Boucadair, M., Penno, R., and P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, April 2013.
[PCP-DESCR-OPT] Boucadair, M., Penno, R., and D. Wing, "PCP Description Option", Work in Progress, May 2013.
[PCP-DHCP-OPT] Boucadair, M., Penno, R., and D. Wing, "DHCP Options for the Port Control Protocol (PCP)", Work in Progress, March 2013.
[PCP-FAILURE] Boucadair, M. and R. Penno, "Analysis of Port Control Protocol (PCP) Failure Scenarios", Work in Progress, May 2013.
[PCP-PROXY] Boucadair, M., Penno, R., and D. Wing, "Port Control Protocol (PCP) Proxy Function", Work in Progress, June 2013.
[RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, April 2011.
[RFC6333] Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion", RFC 6333, August 2011.
[Sec_DCP] UPnP Forum, "Device Protection:1 Service", February 2011, <http://upnp.org/specs/gw/UPnP-gw-DeviceProtection-v1-Service.pdf>.
Authors' Addresses
Mohamed Boucadair
France Telecom
Rennes 35000
France

EMail: mohamed.boucadair@orange.com
Reinaldo Penno
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134
USA

EMail: repenno@cisco.com
Dan Wing
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134
USA

EMail: dwing@cisco.com