Port Control Protocol

Port Control Protocol (PCP) is a computer networking protocol that allows hosts on IPv4 or IPv6 networks to control how the incoming IPv4 or IPv6 packets are translated and forwarded by an upstream router that performs network address translation (NAT) or packet filtering. By allowing hosts to create explicit port forwarding rules, handling of the network traffic can be easily configured to make hosts placed behind NATs or firewalls reachable from the rest of the Internet (so they can also act as network servers), which is a requirement for many applications. [1] [2]

Additionally, explicit port forwarding rules available through PCP allow hosts to reduce the amount of generated traffic by eliminating workarounds in form of outgoing NAT keepalive messages, which are required for maintaining connections to servers and for various NAT traversal techniques such as TCP hole punching. At the same time, less generated traffic reduces the power consumption, directly improving the battery runtime for mobile devices. [1]

PCP was standardized in 2013 as a successor to the NAT Port Mapping Protocol (NAT-PMP), with which it shares similar protocol concepts and packet formats. [3] PCP adds support for IPv6 and additional NAT scenarios.

In environments where a UPnP IGD is used in the local network, an interworking function between the UPnP IGD and PCP is required to be embedded in the IGD. The UPnP IGD-PCP Interworking Function is specified in RFC6970. [4]

DHCP (IPv4 and IPv6) options to configure hosts with Port Control Protocol (PCP) server IP addresses are specified in RFC7291. [5] The procedure to follow for selecting a server among a list of PCP servers is discussed in RFC7488. [6]

In environments where NAT64 is deployed, PCP allows hosts to learn the IPv6 prefix(es) used by a PCP-controlled NAT64 device to build IPv4-converted IPv6 addresses (RFC7225). [7]

Overview

Many applications and network equipment deployments require their network locations to be reachable from outside their local networks, following the originally envisioned model of IP end-to-end connectivity across the Internet, so they can operate as network servers and accept connections from remote clients. An example of such equipment is an IP camera, which includes a network server that provides remote surveillance over IP networks.

Usually, network equipment deployments place the devices behind routers or firewalls that perform NAT (to enable sharing of an IPv4 address, for example) or packet filtering (for improved network security and protection), ending up with breaking the end-to-end connectivity and rendering the equipment and applications inaccessible from the rest of the Internet. [1] [3]

The problem

Making the deployed equipment accessible, by extending its server role beyond the local network, requires either manual configuration of port forwarding at the network gateway (which is usually a CPE), or application-level workarounds that initiate connections from the deployed equipment to additional intermediate servers used for "merging" those "firewall punching" connections and connections from the actual clients. Both approaches have their downsides: manual CPE configuration is usually either inconvenient or not possible, while using additional intermediate servers increases complexity and cost. [2] [3]

For example, an online computer game (which acts as a client) requires communication with a game server for exchanging gameplay data. In order to make it possible for a game server to provide data to its clients, those clients must be made accessible to the server. Usually, clients initiate connections to the game server to open communication channels. However, such open connections can become idle and can subsequently be closed by network gateways, leading to the necessity of maintaining them by using a form of keepalive messages. [3] Keepalive messages are small messages that are sent between client and server that create traffic over a communication channel and therefore prevent gateway servers from closing it. Thus, keeping a connection alive requires a constant exchange of empty messages between client and server. This increases network chatter, wastes network bandwidth and CPU cycles, and decreases the autonomy of battery-powered devices.

Additionally, some network applications (for example, FTP) require dynamic opening of multiple connections, which involves application-level gateways (ALGs) and additionally increases complexity. [2] [3]

PCP as a solution

PCP allows equipment and applications to create explicit mappings between an external IP address, protocol and port, and an internal IP address, protocol and port. With such explicit mappings in place, inbound communication can reach the hosts behind a NAT or firewall, which either expands their server roles beyond boundaries of local networks, or makes use of various services simplified and less resource-consuming. Created mappings are permanent to the extent of having a known lifetime that can be extended, which is similar to the way Dynamic Host Configuration Protocol (DHCP) implements its leases. At the same time, PCP allows applications to create additional mappings dynamically as required, which reduces or eliminates the need for having ALG-enabled NAT devices and firewalls. [1] [3]

Created explicit mappings have a known lifetime, commonly several hours, with no need for application-level keepalive messages to be exchanged between hosts and servers for the purpose of preserving the mapping. As a result, network usage and power consumption are reduced, and application-level keepalive logic no longer needs to be implemented at client and server sides. The PCP mapping response provides the application with associated externally visible parameters (IP address, protocol and port) that can then be announced to other clients in application-specific ways so incoming connections can be established. Additionally, PCP can inform applications when the external IP address is changed while a mapping is already established. [1] [3]

Various types of NAT can be handled by PCP, providing support for NAT64, NAT66, and NAT44; inclusion of PCP into IPv4 and IPv6 firewall devices is also supported. PCP is designed to be used on both large-scale aggregation points (for example, as part of carrier-grade NATs), and inside less expensive consumer-grade devices. Both long-term (for an IP camera or a temperature sensor acting as a server, for example) and short-term mappings (while playing an online computer game, for example) are supported. [1] [2] [3]

PCP supports transport layer protocols that use 16-bit port numbers (for example, TCP, UDP, Stream Control Transmission Protocol (SCTP) or Datagram Congestion Control Protocol (DCCP)). Protocols that do not use port numbers (for example, Resource Reservation Protocol (RSVP), Encapsulating Security Payload (ESP), ICMP or ICMPv6) are supported for IPv4 firewall, IPv6 firewall and NPTv6 (IPv6 prefix translation) functions, but cannot be supported by more than one client per external IP address in the case of NAT. [3]

The PCP specification does not define a mechanism for dealing with multi-homed networks (which have multiple network gateways or default routes). It is nonetheless possible to implement PCP in such networks using a coordination mechanism such as conntrackd. However, if the different networks each have their own external IP address(es), a given PCP mapping can only use one or the other because the protocol requires one specific external IP address to be provided to the client. If that network should then become unavailable the PCP mapping would have to be updated to use an external IP address from the other network. [3]

The PCP specification also does not define how remote computers are informed of the IP address, protocol, and port to use for the incoming connection. RFC6887 states that PCP does not provide any rendezvous function; this has to be done in an application-specific manner, for example by using external name service servers.

History

PCP was standardized in 2013 as a successor to the NAT Port Mapping Protocol (NAT-PMP), sharing similar protocol concepts and packet formats with it. As one of the design differences, NAT-PMP is largely limited to deployment on consumer-grade devices, while PCP is designed to also support carrier-grade equipment. [3]:50,87 Since 2005, NAT-PMP has been implemented in various Apple products. [8]:1

PCP relates to the Internet Gateway Device Protocol (UPnP IGD), which was standardized in 2001 as part of the UPnP specification. While the UPnP IGD is complex and tailored toward manual configuration, PCP is designed for simplicity and automated use within software applications. The NAT-PMP specification contains a list of the problems with UPnP IGD that prompted the creation of NAT-PMP, and subsequently, its successor PCP. [8]:26–32

Security

Excluding attackers capable of altering the network packets exchanged while an explicit PCP mapping is created (the negotiation packets exchanged between hosts and PCP-enabled NAT devices or firewalls), PCP is considered secure as long as the created explicit mappings do not exceed the domain of implicit mappings. Implicit mappings are those that NAT devices and firewalls create when handling regular outbound client connections; PCP is therefore safe as long as the explicit mapping mechanism introduces no mapping possibilities that implicit mappings would not already have allowed. [3]

From the security standpoint, an important PCP feature is the THIRD_PARTY mapping request option. When used, this option signifies that an IP address specified additionally as part of the mapping request should be used as the internal address for the created explicit mapping, rather than following the default behavior of using the source IP address of the mapping request packet for that purpose. Such mapping requests can end up with a PCP-enabled NAT device or firewall granting explicit mapping privileges higher than those allowed by implicit mappings, due to unknown rules imposed elsewhere for the specified IP address; this would allow an attacker to divert some traffic, or to conduct a denial-of-service (DoS) attack. [3]

Additionally, explicit PCP security mechanisms are available as extensions to the PCP protocol, providing authentication and access control mechanisms by using an authenticated and integrity-protected in-band signalling channel, which relies on Extensible Authentication Protocol (EAP) to perform the authentication between devices involved in a PCP negotiation session. Such PCP-enabled NAT devices or firewalls may still accept unauthenticated mapping requests; at the same time, all previously described explicit mapping constraints still apply. [1] [3] [11]

Internals

Internally, PCP works by exchanging control messages between hosts and PCP-enabled NAT devices or firewalls (referred to as servers), using User Datagram Protocol (UDP) as the underlying protocol. This communication consists of port mapping requests created by the hosts, which result in responses once submitted to and processed by the servers. Because UDP is unreliable (datagrams can be lost, duplicated or reordered), there is no guarantee of a response of any kind after submitting a request, so host requests are also referred to as "hints". In addition to direct responses, servers also generate gratuitous notifications, for example unicast notifications to inform hosts of changes in the external IP address. [1] [3]

Port Control Protocol opcodes [3]

MAP: Creates or renews a mapping for inbound forwarding, allowing a host to act as a server and receive inbound communication.
PEER: Creates or renews an outbound mapping, allowing a host to keep its communication with a single peer open.
ANNOUNCE: Announces various changes to the hosts, including server restarts and changes to the external IP address.

Exchanged messages contain no means for determining either the transaction they belong to, or which stage of a "session" they represent. Such a simplified design is based on having all messages self-describing and complete, with no additional context required for each message to be successfully processed. Servers may decide to silently ignore host requests if they are unable to process them at the moment; in such cases, hosts need to retransmit the request. Also, hosts may safely decide to silently ignore any unwanted mapping responses. [3]

For the purpose of creating PCP requests, the IP address of the server is either manually configured on the host, found as part of the host's DHCP lease, or set to the host's configured default gateway. Host request messages are sent from any source UDP port on a client to the server's UDP port 5351, on which it listens; unsolicited multicast server notifications (such as server restart announcements) are sent from the server's UDP port 5351 to UDP port 5350 on the hosts, on which they listen. [3]

Maximum UDP payload length for all PCP messages is 1100 octets. Each PCP message consists of a request or response header containing an opcode that determines the associated operation, any relevant opcode-specific information (such as which ports are to be mapped), and zero or more options (such as the THIRD_PARTY option described above). Result codes are returned as part of server responses; each result code has an associated lifetime, which tells the hosts when certain operations may be retried or should be repeated. For example, result lifetimes can specify how long a failure condition is expected to persist, or how long the created mapping will last. [3]
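The following Python sketch is an added example, not code from the page or from RFC 6887's authors. It shows both ends of a MAP exchange as the Internals and Security sections describe them: the client assembles a request, and the server-side validator enforces the 1100-octet limit, checks the opcode, rejects a header client address that differs from the UDP source address (ADDRESS_MISMATCH), and refuses the THIRD_PARTY option unless policy allows it. Field layout and numeric codes follow RFC 6887; the allow_third_party knob and the helper names are this example's own assumptions.

```python
import ipaddress
import secrets
import struct

# Wire constants from RFC 6887 (cited on the page, which does not list the values).
PCP_VERSION = 2
OPCODE_MAP = 1
OPTION_THIRD_PARTY = 1
RESULT_SUCCESS = 0
RESULT_UNSUPP_VERSION = 1
RESULT_MALFORMED_REQUEST = 3
RESULT_UNSUPP_OPCODE = 4
RESULT_UNSUPP_OPTION = 5
RESULT_MALFORMED_OPTION = 6
RESULT_ADDRESS_MISMATCH = 12
MAX_PAYLOAD = 1100   # maximum UDP payload length of any PCP message
HEADER_LEN = 24      # version, R|opcode, reserved, lifetime, client IP (128 bits)
MAP_DATA_LEN = 36    # nonce, protocol, reserved, two ports, external IP (128 bits)


def to_pcp_address(addr):
    """PCP carries every address as 16 bytes; IPv4 goes as IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip.packed

def from_pcp_address(raw):
    """Inverse of to_pcp_address, rendering IPv4-mapped addresses as IPv4."""
    ip = ipaddress.IPv6Address(raw)
    return str(ip.ipv4_mapped or ip)

def build_map_request(client_ip, lifetime, protocol, internal_port,
                      suggested_port=0, suggested_ip="::", third_party_ip=None):
    """Client side: header + MAP opcode data + optional THIRD_PARTY option."""
    msg = struct.pack("!BBHI", PCP_VERSION, OPCODE_MAP, 0, lifetime)  # R bit = 0
    msg += to_pcp_address(client_ip)
    msg += secrets.token_bytes(12)                                    # mapping nonce
    msg += struct.pack("!B3xHH", protocol, internal_port, suggested_port)
    msg += to_pcp_address(suggested_ip)
    if third_party_ip is not None:
        data = to_pcp_address(third_party_ip)
        msg += struct.pack("!BxH", OPTION_THIRD_PARTY, len(data)) + data
    return msg

def validate_map_request(payload, udp_source_ip, allow_third_party=False):
    """Server side: return (result code, internal IP the mapping would use)."""
    n = len(payload)
    if n < HEADER_LEN + MAP_DATA_LEN or n > MAX_PAYLOAD or n % 4:
        return RESULT_MALFORMED_REQUEST, None
    version, r_opcode = payload[0], payload[1]
    if version != PCP_VERSION:
        return RESULT_UNSUPP_VERSION, None
    if r_opcode != OPCODE_MAP:           # R bit must be 0 (request) and opcode MAP
        return RESULT_UNSUPP_OPCODE, None
    # Anti-spoofing check: the header's client address must equal the UDP source.
    if payload[8:24] != to_pcp_address(udp_source_ip):
        return RESULT_ADDRESS_MISMATCH, None
    internal_ip = from_pcp_address(payload[8:24])
    pos = HEADER_LEN + MAP_DATA_LEN
    while pos < n:                       # walk the option list after the MAP data
        code, length = struct.unpack("!BxH", payload[pos:pos + 4])
        data = payload[pos + 4:pos + 4 + length]
        pos += 4 + ((length + 3) & ~3)   # option data is padded to a 4-byte boundary
        if len(data) != length or pos > n:
            return RESULT_MALFORMED_OPTION, None
        if code == OPTION_THIRD_PARTY:
            if length != 16:
                return RESULT_MALFORMED_OPTION, None
            if not allow_third_party:    # policy assumption: off unless enabled
                return RESULT_UNSUPP_OPTION, None
            internal_ip = from_pcp_address(data)
        elif code < 128:                 # unknown mandatory-to-process option
            return RESULT_UNSUPP_OPTION, None
    return RESULT_SUCCESS, internal_ip
```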

References

  1. Dan Wing (December 2011). "Port Control Protocol". The Internet Protocol Journal. Cisco Systems. Retrieved January 31, 2014.
  2. "Port Control Protocol Overview (Junos OS 13.3)". Juniper Networks. August 14, 2013. Retrieved January 31, 2014.
  3. D. Wing; S. Cheshire; M. Boucadair; R. Penno; P. Selkirk (April 2013). Wing, D. (ed.). "RFC 6887: Port Control Protocol (PCP)". Internet Engineering Task Force (IETF). doi:10.17487/RFC6887. Retrieved June 5, 2023.
  4. Boucadair, M.; Penno, R.; Wing, D. (July 2013). "Universal Plug and Play (UPnP) Internet Gateway Device - Port Control Protocol Interworking Function (IGD-PCP IWF)". doi:10.17487/rfc6970.
  5. Boucadair, M.; Penno, R.; Wing, D. (July 2014). "DHCP Options for the Port Control Protocol (PCP)". doi:10.17487/rfc7291.
  6. Boucadair, M.; Penno, R.; Wing, D.; Patil, P.; Reddy, T. (March 2015). "Port Control Protocol (PCP) Server Selection". doi:10.17487/rfc7488.
  7. Boucadair, M. (May 2014). "Discovering NAT64 IPv6 Prefixes Using the Port Control Protocol (PCP)". doi:10.17487/rfc7225.
  8. S. Cheshire; M. Krochmal (April 2013). "RFC 6886: NAT Port Mapping Protocol (NAT-PMP)". Internet Engineering Task Force (IETF). doi:10.17487/RFC6886. Retrieved August 8, 2014.
  9. https://developer.apple.com/documentation/dnssd/kdnsserviceerr_natportmappingunsupported/
  10. https://datatracker.ietf.org/doc/html/draft-ietf-pcp-dslite-00
  11. M. Cullen; S. Hartman; D. Zhang; T. Reddy (September 2015). "RFC 7652: Port Control Protocol (PCP) Authentication Mechanism". Internet Engineering Task Force (IETF). doi:10.17487/RFC7652. Retrieved April 29, 2016.