Internet Engineering Task Force (IETF)                            Q. Sun
Request for Comments: 7753                                 China Telecom
Category: Standards Track                                   M. Boucadair
ISSN: 2070-1721                                           France Telecom
                                                            S. Sivakumar
                                                           Cisco Systems
                                                                 C. Zhou
                                                     Huawei Technologies
                                                                 T. Tsou
                                                        Philips Lighting
                                                            S. Perreault
                                                     Jive Communications
                                                           February 2016
Port Control Protocol (PCP) Extension for Port-Set Allocation

Abstract

In some use cases, e.g., Lightweight 4over6, the client may require not just one port, but a port set. This document defines an extension to the Port Control Protocol (PCP) that allows clients to manipulate a set of ports as a whole. This is accomplished using a new MAP option: PORT_SET.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7753.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents

1. Introduction
   1.1. Applications Using Port Sets
   1.2. Lightweight 4over6
   1.3. Firewall Control
   1.4. Discovering Stateless Port-Set Mappings
2. The Need for PORT_SET
3. Terminology
4. The PORT_SET Option
   4.1. Client Behavior
   4.2. Server Behavior
   4.3. Absence of Capability Discovery
   4.4. Port-Set Renewal and Deletion
        4.4.1. Overlap Conditions
5. Examples
   5.1. Simple Request on Network Address Translator IPv4/IPv4 (NAT44)
   5.2. Stateless Mapping Discovery
   5.3. Resolving Overlap
6. Operational Considerations
   6.1. Limits and Quotas
   6.2. High Availability
   6.3. Idempotence
   6.4. What should a PCP client do when it receives fewer ports than requested?
7. Security Considerations
8. IANA Considerations
9. References
   9.1. Normative References
   9.2. Informative References
Acknowledgements
Contributors
Authors' Addresses
1. Introduction

This document extends the Port Control Protocol (PCP) [RFC6887] with the ability to retrieve a set of ports using a single request. It does so by defining a new PORT_SET option.

This section describes a few of the possible envisioned use cases. Note that the PCP extension defined in this document is generic and is expected to be applicable to other use cases.

1.1. Applications Using Port Sets

Some applications require not just one port, but a port set. One example is a Session Initiation Protocol (SIP) User Agent Server (UAS) [RFC3261] expecting to handle multiple concurrent calls, including media termination. When the UAS receives a call, it needs to signal media port numbers to its peer. Generating individual PCP MAP requests for each of the media ports during call setup would introduce unwanted latency and increased signaling load. Instead, the server can pre-allocate a set of ports such that no PCP exchange is needed during call setup.

1.2. Lightweight 4over6

In the Lightweight 4over6 (lw4o6) [RFC7596] architecture, shared global addresses can be allocated to customers. This allows moving the Network Address Translation (NAT) function, otherwise accomplished by a Carrier-Grade NAT (CGN) [RFC6888], to the Customer Premises Equipment (CPE). This provides more control over the NAT function to the user, and more scalability to the Internet Service Provider (ISP).

In the lw4o6 architecture, the PCP-controlled device corresponds to the Lightweight Address Family Transition Router (lwAFTR), and the PCP client corresponds to the Lightweight B4 (lwB4). The PCP client sends a PCP MAP request containing a PORT_SET option to trigger shared address allocation on the lwAFTR. The PCP response contains the shared address information, including the port set allocated to the lwB4.

1.3. Firewall Control

Port sets are often used in firewall rules. For example, defining a range for Real-time Transport Protocol (RTP) [RFC3550] traffic is common practice. The PCP MAP request can already be used for firewall control. The PORT_SET option brings the additional ability to manipulate firewall rules operating on port sets instead of single ports.

1.4. Discovering Stateless Port-Set Mappings

A PCP MAP request can be used to retrieve a mapping from a stateless device (i.e., one that does not establish any per-flow state, and simply rewrites the address and/or port in a purely algorithmic fashion, including no rewriting). Similarly, a PCP MAP request with a PORT_SET option can be used to discover a port-set mapping from a stateless device. See Section 5.2 for an example.

2. The Need for PORT_SET

Multiple PCP MAP requests can be used to manipulate a set of ports; this has roughly the same effect as a single use of a PCP MAP request with a PORT_SET option. However, use of the PORT_SET option is more efficient when considering the following aspects:

Network Traffic: A single request uses fewer network resources than multiple requests.

Latency: Even though PCP MAP requests can be sent in parallel, we can expect the total processing time to be longer for multiple requests than for a single one.

Server-side efficiency: Some PCP-controlled devices can allocate port sets in a manner such that data passing through the device is processed much more efficiently than the equivalent using individual port allocations. For example, a CGN having a "bulk" port allocation scheme (see [RFC6888], Section 5) often has this property.

Server-side scalability: The number of state table entries in PCP-controlled devices is often a limiting factor. Allocating port sets in a single request can result in a single mapping entry being used, therefore allowing greater scalability.

Therefore, while it is functionally possible to obtain the same results using plain MAP, the extension proposed in this document allows greater efficiency, scalability, and simplicity, while lowering latency and necessary network traffic.

In addition, PORT_SET supports parity preservation. Some protocols (e.g., RTP [RFC3550]) assign meaning to a port number's parity. When mapping sets of ports for the purpose of using such a protocol, preserving parity can be necessary.
3. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
4. The PORT_SET Option

   Option Name: PORT_SET
   Number: 130 (see Section 8)
   Purpose: To map sets of ports.
   Valid for Opcodes: MAP
   Length: 5 bytes
   May appear in: Both requests and responses
   Maximum occurrences: 1

The PORT_SET option indicates that the PCP client wishes to reserve a set of ports. The requested number of ports in that set is indicated in the option.

The maximum occurrences of the PORT_SET option MUST be limited to 1. The reason is that the Suggested External Port Set depends on the data contained in the MAP Opcode header. Having two PORT_SET options with a single MAP Opcode header would imply having two overlapping Suggested External Port Sets.

Note that the option number is in the "optional to process" range (128-191), meaning that a PCP MAP request with a PORT_SET option will be interpreted by a PCP server that does not support PORT_SET as a single-port PCP MAP request, as if the PORT_SET option was absent.

The PORT_SET option is formatted as shown in Figure 1.
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Option Code=130|  Reserved     |       Option Length=5         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Port Set Size         |       First Internal Port     |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Reserved   |P|
    +-+-+-+-+-+-+-+-+

                      Figure 1: PORT_SET Option
The fields are as follows:

Port Set Size: A 16-bit unsigned integer. Number of ports requested. MUST NOT be zero.

First Internal Port: In a request, this field MUST be set equal to the Internal Port field in the MAP Opcode by the PCP client. In a response, this field indicates the First Internal Port of the port set mapped by the PCP server, which may differ from the value sent in the request. That is in contrast to the Internal Port field, which by necessity is always identical in matched requests and responses.

Reserved: MUST be set to zero when sending; MUST be ignored when receiving.

P (parity bit): 1 if parity preservation is requested; 0 otherwise. See [RFC4787], Section 4.2.2.

Note that Option Code, Reserved, and Option Length are as described in [RFC6887], Section 7.3.

The Internal Port Set is defined as being the range of Port Set Size ports starting from the First Internal Port. The Suggested External Port Set is defined as being the range of Port Set Size ports starting from the Suggested External Port. Similarly, the Assigned External Port Set is defined as being the range of Port Set Size ports starting from the Assigned External Port. The Internal Port Set returned in a response and the Assigned External Port Set have the same size.

The Suggested External Port corresponds to the first port in the Suggested External Port Set. Its purpose is for clients to be able to regenerate previous mappings after state loss. When such an event happens, clients may attempt to regenerate identical mappings by suggesting the same External Port Set as before the state loss. Note that there is no guarantee that the allocated External Port Set will be the one suggested by the client.
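The wire format of Figure 1, as an added example (not code from RFC 7753 or any PCP implementation): an encoder and a parser for the PORT_SET option, including the 4-byte option header of RFC 6887 Section 7.3 and the zero padding that brings the 5-byte option to a 4-byte boundary, plus the port-set range and parity helpers the field definitions above imply. The parser returns the MALFORMED_OPTION condition for a zero Port Set Size and masks off the Reserved bits around P, as the field definitions require; truncating a set at port 65535 is this example's own choice, since the RFC does not say what a set running past the port space means.

```python
import struct
from dataclasses import dataclass

# Constants from RFC 7753 Section 4 and RFC 6887 Section 7.3.
PORT_SET_OPTION_CODE = 130
PORT_SET_OPTION_LENGTH = 5       # Option Length counts data only, not padding
OPTION_HEADER_FMT = "!BBH"       # Option Code, Reserved, Option Length
PORT_SET_DATA_FMT = "!HHB"       # Port Set Size, First Internal Port, Reserved|P


@dataclass(frozen=True)
class PortSetOption:
    port_set_size: int
    first_internal_port: int
    parity: bool


def encode_port_set_option(opt: PortSetOption) -> bytes:
    """Serialize a PORT_SET option as it appears on the wire (Figure 1),
    including the zero padding RFC 6887 requires to reach a 4-byte boundary."""
    if not 1 <= opt.port_set_size <= 0xFFFF:
        raise ValueError("Port Set Size MUST NOT be zero and must fit in 16 bits")
    if not 0 <= opt.first_internal_port <= 0xFFFF:
        raise ValueError("First Internal Port must fit in 16 bits")
    header = struct.pack(OPTION_HEADER_FMT, PORT_SET_OPTION_CODE, 0,
                         PORT_SET_OPTION_LENGTH)
    data = struct.pack(PORT_SET_DATA_FMT, opt.port_set_size,
                       opt.first_internal_port, 1 if opt.parity else 0)
    padding = b"\x00" * (-PORT_SET_OPTION_LENGTH % 4)
    return header + data + padding


def decode_port_set_option(buf: bytes) -> tuple:
    """Parse one PORT_SET option from the start of buf.

    Returns (option, bytes_consumed). Raises ValueError naming the PCP result
    code a server would return (MALFORMED_OPTION) when the option is malformed."""
    if len(buf) < 4:
        raise ValueError("MALFORMED_OPTION: truncated option header")
    code, _reserved, length = struct.unpack(OPTION_HEADER_FMT, buf[:4])
    if code != PORT_SET_OPTION_CODE:
        raise ValueError("not a PORT_SET option (code %d)" % code)
    if length != PORT_SET_OPTION_LENGTH:
        raise ValueError("MALFORMED_OPTION: PORT_SET Option Length must be 5")
    total = 4 + length + (-length % 4)   # header + data + padding
    if len(buf) < total:
        raise ValueError("MALFORMED_OPTION: truncated PORT_SET option")
    size, first, flags = struct.unpack(PORT_SET_DATA_FMT, buf[4:9])
    if size == 0:
        raise ValueError("MALFORMED_OPTION: Port Set Size is zero")
    # P is the low-order bit of the last byte; the other seven bits are
    # Reserved and MUST be ignored on receipt, so they are masked off here.
    return PortSetOption(size, first, bool(flags & 0x01)), total


def port_set(first_port: int, size: int) -> range:
    """The Port Set Size ports starting at first_port (Section 4).

    RFC 7753 does not say what a set that would run past port 65535 means;
    this example truncates it at 65535 (an assumption, not spec text)."""
    return range(first_port, min(first_port + size, 0x10000))


def parity_preserved(internal_first: int, external_first: int) -> bool:
    """True when the first internal and external ports share parity (P=1 honored)."""
    return internal_first % 2 == external_first % 2
```

The constructed request of Section 5.1 (100 ports from Internal Port 50,000, P=0) encodes to twelve bytes, `82 00 00 05 00 64 c3 50 00 00 00 00`; a receiver that honors the Reserved rule decodes `fe` in the last data byte as P=0 rather than rejecting the option.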
4.1. Client Behavior

To retrieve a set of ports, the PCP client adds a PORT_SET option to its PCP MAP request. If parity preservation is required (i.e., an even port to be mapped to an even port and an odd port to be mapped to an odd port), the PCP client MUST set the parity bit (to 1) to ask the PCP server to preserve the port parity.

The PCP client MUST NOT include more than one PORT_SET option in a PCP MAP request. If several port sets are needed, the PCP client MUST issue separate PCP MAP requests, each potentially including a PORT_SET option. These individual PCP MAP requests MUST include distinct Internal Ports.

If the PCP client does not know the exact number of ports it requires, it MAY then set the Port Set Size to 0xffff, indicating that it is willing to accept as many ports as the PCP server can offer.

A PCP client SHOULD NOT send a PORT_SET option for single-port PCP MAP requests (including creation, renewal, and deletion), because that needlessly increases processing on the server.

PREFER_FAILURE MUST NOT appear in a request with a PORT_SET option. As a reminder, PREFER_FAILURE was specifically designed for the Universal Plug and Play (UPnP) Internet Gateway Device - Port Control Protocol Interworking Function (IGD-PCP IWF) [RFC6970]. The reasons for not recommending the use of PREFER_FAILURE are discussed in Section 13.2 of [RFC6887].

When the PCP-controlled device supports delegation of multiple port sets for a given PCP client, the PCP client MAY re-initiate a PCP request to get another port set when it has exhausted all the ports within the port set.
4.2. Server Behavior

In addition to regular PCP MAP request processing, the following checks are made upon receipt of a PORT_SET option with a non-zero Requested Lifetime:

o  If multiple PORT_SET options are present in a single PCP MAP request, a MALFORMED_OPTION error is returned.

o  If the Port Set Size is zero, a MALFORMED_OPTION error is returned.

o  If a PREFER_FAILURE option is present, a MALFORMED_OPTION error is returned.

The PCP server MAY map fewer ports than the value of Port Set Size from the request. It MUST NOT map more ports than the PCP client asked for. Internal Ports outside the range of Port Set Size ports starting from the Internal Port MUST NOT be mapped by the PCP server.

If the requested port set cannot be fully satisfied, the PCP server SHOULD map as many ports as possible and SHOULD map at least one port (which is the same behavior as if Port Set Size is set to 1).

If the PCP server ends up mapping only a single port, for any reason, the PORT_SET option MUST NOT be present in the response. In particular, if the PCP server receives a single-port PCP MAP request that includes a PORT_SET option, the PORT_SET option is silently ignored, and the request is handled as a single-port PCP MAP request.

If port parity preservation is requested (P = 1), the PCP server MAY preserve port parity. In that case, the External Port is set to a value having the same parity as the First Internal Port.

If the mapping is successful, the MAP response's Assigned External Port is set to the first port in the External Port Set, and the PORT_SET option's Port Set Size is set to the number of ports in the mapped port set. The First Internal Port field is set to the first port in the Internal Port Set.
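The server-side rules above, as an added example that is not part of RFC 7753 or of any PCP server: a `PortSetMapServer` that applies the three MALFORMED_OPTION checks, caps the grant at a local per-set policy (the 32-port policy of the Section 5.1 example) and at the end of the port space, honors P=1 by skipping one external port when parities differ, and omits the PORT_SET option from the response whenever only one port ends up mapped. The per-set cap, the contiguous external pool and the decision to answer a First Internal Port that differs from Internal Port with MALFORMED_OPTION are this example's assumptions; result codes are the RFC 6887 names rather than numeric values.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PortSet:
    size: int                    # Port Set Size (0xffff = "as many as you can")
    first_internal_port: int
    parity: bool = False         # P bit


@dataclass
class MapRequest:
    protocol: int
    internal_port: int
    requested_lifetime: int = 3600
    suggested_external_port: int = 0
    port_sets: List[PortSet] = field(default_factory=list)  # PORT_SET options seen
    prefer_failure: bool = False                            # PREFER_FAILURE present


@dataclass
class MapResponse:
    result: str                  # PCP result code name (RFC 6887 Section 7.4)
    internal_port: int
    assigned_external_port: int = 0
    port_set: Optional[PortSet] = None   # None whenever only one port was mapped


class PortSetMapServer:
    """Server-side PORT_SET handling for MAP requests with a non-zero lifetime.

    Hypothetical policy knobs: a per-set cap and one contiguous external
    port pool; neither is prescribed by RFC 7753."""

    def __init__(self, max_ports_per_set: int, pool_start: int, pool_end: int):
        self.max_ports_per_set = max_ports_per_set
        self.next_free = pool_start
        self.pool_end = pool_end

    def handle_map(self, req: MapRequest) -> MapResponse:
        # Checks from Section 4.2, all answered with MALFORMED_OPTION.
        if len(req.port_sets) > 1:
            return MapResponse("MALFORMED_OPTION", req.internal_port)
        if req.port_sets and req.prefer_failure:
            return MapResponse("MALFORMED_OPTION", req.internal_port)
        if req.port_sets and req.port_sets[0].size == 0:
            return MapResponse("MALFORMED_OPTION", req.internal_port)
        if req.port_sets and req.port_sets[0].first_internal_port != req.internal_port:
            # The client MUST set First Internal Port equal to Internal Port
            # (Section 4); rejecting a mismatch as MALFORMED_OPTION is this
            # example's choice, the RFC names no result code for it.
            return MapResponse("MALFORMED_OPTION", req.internal_port)

        requested = req.port_sets[0].size if req.port_sets else 1
        parity = req.port_sets[0].parity if req.port_sets else False

        # Never map more than asked for, never past port 65535, and honor the
        # local per-set cap; a 0xffff request simply collapses to the cap.
        granted = min(requested, self.max_ports_per_set, 0x10000 - req.internal_port)

        external = self.next_free
        if parity and external % 2 != req.internal_port % 2:
            external += 1           # skip one port so the parities match
        granted = min(granted, self.pool_end - external + 1)
        if granted < 1:
            return MapResponse("NO_RESOURCES", req.internal_port)
        self.next_free = external + granted

        # A single mapped port, for whatever reason, means no PORT_SET option
        # in the response (Section 4.2).
        port_set = None
        if granted > 1:
            port_set = PortSet(granted, req.internal_port, parity)
        return MapResponse("SUCCESS", req.internal_port, external, port_set)
```

Fed the constructed request of Section 5.1 (protocol 17, Internal Port 50,000, Port Set Size 100) with a 32-port cap and a pool starting at 37,056, the server answers SUCCESS, Assigned External Port 37,056 and a PORT_SET option with Port Set Size 32; when the pool has exactly one port left, the same request yields a single-port mapping whose response carries no PORT_SET option at all.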
4.3. Absence of Capability Discovery

A PCP client that wishes to make use of a port set includes the PORT_SET option. If no PORT_SET option is present in the response, the PCP client cannot conclude that the PCP server does not support the PORT_SET option. It may just be that the PCP server does support PORT_SET but decided to allocate only a single port, for reasons that are its own. If the client wishes to obtain more ports, it MAY send additional PCP MAP requests (see Section 6.4), which the PCP server may or may not grant according to local policy.

If port-set capability is added to or removed from a running PCP server, the server MAY reset its Epoch time and send an ANNOUNCE message as described in the PCP specification ([RFC6887], Section 14.1). This causes PCP clients to retry, and those using PORT_SET will now receive a different response.
4.4. Port-Set Renewal and Deletion

Port-set mappings are renewed and deleted as a single entity. That is, the lifetime of all port mappings in the set is set to the Assigned Lifetime at once.

A PCP client attempting to refresh or delete a port-set mapping MUST include the PORT_SET option in its request.

4.4.1. Overlap Conditions

Port-set PCP MAP requests can overlap with existing single-port or port-set mappings. This can happen either by mistake or after a PCP client becomes out of sync with server state.

If a PCP server receives a PCP MAP request, with or without a PORT_SET option, that tries to map one or more Internal Ports or port sets belonging to already-existing mappings, then the request is considered to be a refresh request applying to those mappings. Each of the matching port or port-set mappings is processed independently, as if a separate refresh request had been received. The processing is as described in Section 15 of [RFC6887]. The PCP server sends a Mapping Update message for each of the mappings.
5. Examples

5.1. Simple Request on Network Address Translator IPv4/IPv4 (NAT44)

An application requires a range of 100 IPv4 UDP ports to be mapped to itself. The application running on the host has created sockets bound to IPv4 UDP ports 50,000 to 50,099 for this purpose. It does not care about which External Port numbers are allocated. The PCP client sends a PCP request with the following parameters over IPv4:

o  MAP Opcode

   Mapping Nonce: <a random nonce>
   Protocol: 17
   Internal Port: 50,000
   Suggested External Port: 0
   Suggested External IP Address: ::ffff:0.0.0.0

o  PORT_SET Option

   Port Set Size: 100
   First Internal Port: 50,000
   P: 0

The PCP server is unable to fulfill the request fully: it is configured by local policy to only allocate 32 ports per user. Since the PREFER_FAILURE option is absent from the request, it decides to map UDP ports 37,056 to 37,087 on external address 192.0.2.3 to Internal Ports 50,000 to 50,031. After setting up the mapping in the NAT44 device it controls, it replies with the following PCP response:

o  MAP Opcode

   Mapping Nonce: <copied from the request>
   Protocol: 17
   Internal Port: 50,000
   Assigned External Port: 37,056
   Assigned External IP Address: ::ffff:192.0.2.3

o  PORT_SET Option

   Port Set Size: 32
   First Internal Port: 50,000
   P: 0

Upon receiving this response, the host decides that 32 ports is good enough for its purposes. It closes sockets bound to ports 50,032 to 50,099, sets up a refresh timer, and starts using the port range it has just been assigned.
5.2. Stateless Mapping Discovery

A host wants to discover a stateless NAT44 mapping pointing to it. To do so, it sends the following request over IPv4:

o  MAP Opcode

   Mapping Nonce: <a random nonce>
   Protocol: 0
   Internal Port: 1
   Suggested External Port: 0
   Suggested External IP Address: ::ffff:0.0.0.0

o  PORT_SET Option

   Port Set Size: 65,535
   First Internal Port: 1
   P: 0

The PCP server sends the following response:

o  MAP Opcode

   Mapping Nonce: <copied from the request>
   Protocol: 0
   Internal Port: 1
   Assigned External Port: 26,624
   Assigned External IP Address: ::ffff:192.0.2.5

o  PORT_SET Option

   Port Set Size: 2048
   First Internal Port: 26,624
   P: 0

From this response, the host understands that a 2048-port stateless mapping is pointing to itself, starting from port 26,624 on external IP address 192.0.2.5.
5.3. Resolving Overlap

This example relates to Section 4.4.1.

Suppose Internal Port 100 is mapped to External Port 100 and port set 101-199 is mapped to External Port Set 201-299. The PCP server receives a PCP MAP request with Internal Port = 100, External Port = 0, and a PORT_SET option with Port Set Size = 100. The request's Mapping Nonce is equal to those of the existing single-port and port-set mappings. This request is therefore treated as two refresh requests, the first one applying to the single-port mapping and the second one applying to the port-set mapping. The PCP server updates the lifetimes of both mappings as usual and then sends two responses: the first one contains Internal Port = 100, External Port = 100, and no PORT_SET option, while the second one contains Internal Port = 101, External Port = 201, and a PORT_SET option with Port Set Size = 99.
6. Operational Considerations

6.1. Limits and Quotas

It is up to the PCP server to determine the port-set quota, if any, for each PCP client.

If the PCP server is configured to allocate multiple port-set allocations for one subscriber, the same Assigned External IP Address SHOULD be assigned to the subscriber in multiple port-set responses.

To optimize the number of mapping entries maintained by the PCP server, it is RECOMMENDED to configure the PCP server to assign the maximum allowed Port Set Size in a single response. This policy SHOULD be configurable.

6.2. High Availability

The failover mechanism in MAP (Section 14 of [RFC6887]) can also be applied to port sets.
6.3. Idempotence

A core, desirable property of PCP is idempotence. In a nutshell, requests produce the same results whether they are executed once or multiple times. This property is preserved with the PORT_SET option, with the following caveat: the order in which the PCP server receives requests with overlapping Internal Port Sets will affect the mappings being created and the responses received.

For example, suppose these two requests are sent by a PCP client:

   Request A: Internal Port Set 1-10
   Request B: Internal Port Set 5-14

The PCP server's actions will depend on which request is received first. Suppose that A is received before B:

Upon reception of A: Internal Ports 1-10 are mapped. A success response containing the following fields is sent:

   Internal Port: 1
   First Internal Port: 1
   Port Set Size: 10

Upon reception of B: The request matches mapping A. The request is interpreted as a refresh request for mapping A, and a response containing the following fields is sent:

   Internal Port: 5
   First Internal Port: 1
   Port Set Size: 10

If the order of reception is reversed (B before A), the created mapping will be different, and the First Internal Port in both responses would then be 5.

To avoid surprises, PCP clients MUST ensure that port-set mapping requests do not inadvertently overlap. For example, a host's operating system could include a central PCP client process through which port-set mapping requests would be arbitrated. Alternatively, individual PCP clients running on the same host would be required to acquire the Internal Ports from the operating system (e.g., a call to the bind() function from the BSD API) before trying to map them with PCP.
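The overlap rule of Section 4.4.1, the two-response exchange of Section 5.3 and the order dependence described in this section, as one added example that is not code from RFC 7753 or from any PCP server: a mapping table in which a MAP request whose Internal Port Set intersects existing mappings of the same protocol becomes a refresh of each of them and draws one response per mapping, but only when it carries their Mapping Nonce. The nonce check is the one RFC 6887 Section 15 applies to refreshes; answering a nonce mismatch with a single NOT_AUTHORIZED response, the counter-based external port allocator, and reading the response's Internal Port as the first requested port the matching mapping covers (which reproduces both the 101 of Section 5.3 and the 5 of the B-after-A case above) are this example's assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Mapping:
    nonce: bytes
    protocol: int
    first_internal: int
    size: int
    first_external: int
    lifetime: int


@dataclass
class Response:
    result: str
    internal_port: int
    external_port: int = 0
    first_internal_port: Optional[int] = None   # PORT_SET fields; None when the
    port_set_size: Optional[int] = None         # option is absent (single port)


class OverlapAwareMapServer:
    """MAP processing with the overlap rule of Section 4.4.1.

    External ports come from a plain counter (hypothetical allocator); the
    point of the example is the mapping table, not the allocation policy."""

    def __init__(self, external_pool_start: int = 20000):
        self.mappings: List[Mapping] = []
        self._next_external = external_pool_start

    @staticmethod
    def _overlaps(m: Mapping, first: int, size: int) -> bool:
        return first < m.first_internal + m.size and m.first_internal < first + size

    @staticmethod
    def _response(m: Mapping, req_internal: int) -> Response:
        # Internal Port echoes the first requested port the mapping covers
        # (this example's reading of Sections 5.3 and 6.3).
        internal = max(req_internal, m.first_internal)
        if m.size == 1:
            return Response("SUCCESS", internal, m.first_external)
        return Response("SUCCESS", internal, m.first_external, m.first_internal, m.size)

    def map(self, nonce: bytes, protocol: int, internal_port: int,
            port_set_size: int = 1, lifetime: int = 3600) -> List[Response]:
        """Handle one MAP request; port_set_size > 1 means a PORT_SET option
        was present. Returns one response per affected mapping."""
        matches = [m for m in self.mappings
                   if m.protocol == protocol
                   and self._overlaps(m, internal_port, port_set_size)]
        if not matches:
            m = Mapping(nonce, protocol, internal_port, port_set_size,
                        self._next_external, lifetime)
            self._next_external += port_set_size
            self.mappings.append(m)
            return [self._response(m, internal_port)]
        # Overlap: the request is a refresh of every mapping it touches, and a
        # refresh needs the original nonce (RFC 6887 Section 15). Without it
        # the server answers once with NOT_AUTHORIZED, so a sender who lacks
        # the nonce cannot turn one packet into several responses.
        if any(m.nonce != nonce for m in matches):
            return [Response("NOT_AUTHORIZED", internal_port)]
        responses = []
        for m in sorted(matches, key=lambda m: m.first_internal):
            m.lifetime = lifetime
            responses.append(self._response(m, internal_port))
        return responses
```

Replaying the two orders of this section on a fresh table shows the caveat directly: with A (1-10) first, B (5-14) refreshes A and is answered with First Internal Port 1; with B first, A refreshes B and both responses carry First Internal Port 5, and in either order only one mapping exists afterwards.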
6.4. What should a PCP client do when it receives fewer ports than requested?
6.4. 当PCP客户端接收的端口数少于请求的端口数时,它应该做什么?
Suppose a PCP client asks for 16 ports and receives 8. What should it do? Should it consider this a final answer? Should it try a second request, asking for 8 more ports? Should it fall back to 8 individual PCP MAP requests? This document leaves the answers to be implementation specific but describes issues to be considered when answering them.
假设一个PCP客户端请求16个端口并接收8个端口。它应该做什么?它应该认为这是最终的答案吗?它是否应该尝试第二个请求,请求另外8个端口?是否应该退回到8个单独的PCP MAP请求?本文件将答案保留为具体实施的答案,但描述了在回答时需要考虑的问题。
First, the PCP server has decided to allocate 8 ports for some reason. It may be that allocation sizes have been limited by the PCP server's administrator. It may be that the PCP client has reached a quota. It may be that these 8 ports were the last contiguous ones available. Depending on the reason, asking for more ports may or may not be likely to actually yield more ports. However, the PCP client has no way of knowing.
Second, not all PCP clients asking for N ports actually need all N ports to function correctly. For example, a DNS resolver could ask for N ports to be used for source-port randomization. If fewer than N ports are received, the DNS resolver will still work correctly, but source-port randomization will be slightly less efficient, having fewer bits to play with. In that case, it would not make much sense to ask for more ports.
Finally, asking for more ports could be considered abuse. External Ports are a resource that is to be shared among multiple PCP clients. A PCP client trying to obtain more than its fair share could trigger countermeasures according to local policy.
In conclusion, it is expected that, for most applications, asking for more ports would not yield benefits justifying the additional costs.
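The overlap rule above (a host-wide arbiter that hands out non-overlapping internal port sets before any MAP request is sent) and the Section 6.4 point that a response may carry fewer ports than requested can be modelled together in a small client-side bookkeeping class. The following Python is an added example and not code from RFC 7753 or from any PCP implementation; the PortSetArbiter class, its method names and the port numbers (chosen to mirror requests A and B above) are all constructed for illustration.

```python
"""Host-wide arbitration of PCP PORT_SET requests (added example, not RFC text)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortSet:
    first_internal_port: int   # First Internal Port field of the PORT_SET option
    size: int                  # Port Set Size field

    @property
    def last_internal_port(self):
        return self.first_internal_port + self.size - 1

    def overlaps(self, other):
        # Two ranges overlap unless one ends before the other starts
        return (self.first_internal_port <= other.last_internal_port
                and other.first_internal_port <= self.last_internal_port)


class PortSetArbiter:
    """Hypothetical central PCP client process on a host: every local
    requester obtains its internal port set here before a MAP request
    carrying PORT_SET is sent, so requests cannot inadvertently overlap."""

    def __init__(self):
        self.granted = []   # internal port sets currently handed out

    def reserve(self, first_internal_port, size):
        """Return the set to place in the request, or None if it would overlap
        a set already in use (as request B's port 5 does with A's ports 1-10)."""
        if size < 1 or first_internal_port < 1 or first_internal_port + size - 1 > 65535:
            return None
        candidate = PortSet(first_internal_port, size)
        if any(candidate.overlaps(g) for g in self.granted):
            return None
        self.granted.append(candidate)
        return candidate

    def confirm(self, port_set, response_first, response_size):
        """Replace a reservation with what the server's response reports.
        Section 6.4: the granted size may be smaller than requested; the
        unused tail of the reservation is freed rather than re-requested."""
        self.granted.remove(port_set)
        actual = PortSet(response_first, response_size)
        self.granted.append(actual)
        return actual

    def release(self, port_set):
        """Forget a set once its mapping has been deleted or has expired."""
        self.granted.remove(port_set)
```

A response whose First Internal Port differs from the one reserved is the symptom the arbiter exists to prevent: the server matched the request against another mapping, as in the A/B example above.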
The security considerations discussed in [RFC6887] apply to this extension.
As described in Section 4.4.1, a single PCP request using the PORT_SET option may result in multiple responses. For this to happen, it is necessary that the request contain the nonce associated with multiple mappings on the server. Therefore, an on-path attacker could use an eavesdropped nonce to mount an amplification attack. Use of PCP authentication ([RFC6887], Section 18) eliminates this attack vector.
In order to prevent a PCP client from controlling all ports bound to a shared IP address, port quotas should be configured on the PCP server (Section 17.2 of [RFC6887]).
IANA has allocated value 130 in the "PCP Options" registry at <http://www.iana.org/assignments/pcp-parameters> for the new PCP option defined in Section 4.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC6887] Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R., and P. Selkirk, "Port Control Protocol (PCP)", RFC 6887, DOI 10.17487/RFC6887, April 2013, <http://www.rfc-editor.org/info/rfc6887>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, <http://www.rfc-editor.org/info/rfc3261>.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, July 2003, <http://www.rfc-editor.org/info/rfc3550>.
[RFC4787] Audet, F., Ed. and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 2007, <http://www.rfc-editor.org/info/rfc4787>.
[RFC6888] Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa, A., and H. Ashida, "Common Requirements for Carrier-Grade NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888, April 2013, <http://www.rfc-editor.org/info/rfc6888>.
[RFC6970] Boucadair, M., Penno, R., and D. Wing, "Universal Plug and Play (UPnP) Internet Gateway Device - Port Control Protocol Interworking Function (IGD-PCP IWF)", RFC 6970, DOI 10.17487/RFC6970, July 2013, <http://www.rfc-editor.org/info/rfc6970>.
[RFC7596] Cui, Y., Sun, Q., Boucadair, M., Tsou, T., Lee, Y., and I. Farrer, "Lightweight 4over6: An Extension to the Dual-Stack Lite Architecture", RFC 7596, DOI 10.17487/RFC7596, July 2015, <http://www.rfc-editor.org/info/rfc7596>.
Acknowledgements
The authors would like to express sincere appreciation to Alain Durand, Cong Liu, Dan Wing, Dave Thaler, Peter Koch, Reinaldo Penno, Sam Hartman, Stuart Cheshire, Ted Lemon, Yoshihiro Ohba, Meral Shirazipour, Jouni Korhonen, and Ben Campbell for their useful comments and suggestions.
Contributors
The following individuals contributed to this document:
Yunqing Chen China Telecom Room 502, No.118, Xizhimennei Street Beijing 100035 China
Chongfeng Xie China Telecom Room 502, No.118, Xizhimennei Street Beijing 100035 China
Yong Cui Tsinghua University Beijing 100084 China
Phone: +86-10-62603059 Email: yong@csnet1.cs.tsinghua.edu.cn
Qi Sun Tsinghua University Beijing 100084 China
Phone: +86-10-62785822 Email: sunqibupt@gmail.com
Gabor Bajko Mediatek Inc.
Email: gabor.bajko@mediatek.com
Xiaohong Deng France Telecom
Email: xiaohong.deng@orange-ftgroup.com
Authors' Addresses
Qiong Sun China Telecom China
Phone: 86 10 58552936 Email: sunqiong@ctbri.com.cn
Mohamed Boucadair France Telecom Rennes 35000 France
Email: mohamed.boucadair@orange.com
Senthil Sivakumar Cisco Systems 7100-8 Kit Creek Road Research Triangle Park, NC 27709 United States
Phone: +1 919 392 5158 Email: ssenthil@cisco.com
Cathy Zhou Huawei Technologies Bantian, Longgang District Shenzhen 518129 China
Email: cathy.zhou@huawei.com
Tina Tsou Philips Lighting 3 Burlington Woods Dr #4t Burlington, MA 01803 United States
Phone: +1 617-423-9999 Email: tina.tsou@philips.com
Simon Perreault Jive Communications Quebec, QC Canada
Email: sperreault@jive.com