Universal Plug and Play (UPnP)
Internet Gateway Device - Port Control Protocol
Interworking Function (IGD-PCP IWF)France TelecomRennes35000Francemohamed.boucadair@orange.comCisco Systems, Inc.170 West Tasman DriveSan JoseCalifornia95134USArepenno@cisco.comCisco Systems, Inc.170 West Tasman DriveSan JoseCalifornia95134USAdwing@cisco.comPCP Working GroupUPnP, pinhole, PCP, mapping, NAT control, interworkingThis document specifies the behavior of the Universal Plug and Play
(UPnP) Internet Gateway Device - Port Control Protocol Interworking
Function (IGD-PCP IWF). A UPnP IGD-PCP IWF is required to be embedded
in Customer Premises (CP) routers to allow for transparent NAT control in
environments where a UPnP IGD is used on the LAN side and PCP is used
on the external side of the CP router.The Port Control Protocol (PCP) specification
discusses the implementation of NAT control features that rely
upon Carrier Grade NAT devices such as a Dual-Stack Lite (DS-Lite)
Address Family Transition Router (AFTR)
or NAT64 . In
environments where a Universal Plug and Play Internet Gateway Device
(UPnP IGD) is used in the local network, an interworking function
between the UPnP IGD and PCP is required to be
embedded in the IGD (see the example illustrated in ).Two configurations are considered within this document:No NAT function is embedded in the IGD (). This is required, for instance, in
DS-Lite or NAT64 deployments.The IGD embeds a NAT function ().The UPnP IGD-PCP Interworking Function (UPnP IGD-PCP IWF) maintains a
local mapping table that stores all active mappings constructed by
internal IGD Control Points. This design choice restricts the amount of
PCP messages to be exchanged with the PCP server.Triggers for deactivating the UPnP IGD-PCP IWF from the IGD and
relying on a PCP-only mode are out of scope for this document.Considerations related to co-existence of the UPnP IGD-PCP
Interworking Function and a PCP Proxy
are out of scope.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.This document makes use of the following abbreviations:DS-Lite - Dual-Stack LiteIGD - Internet Gateway DeviceIGD:1 - UPnP Forum's nomenclature for version 1 of IGD IGD:2 - UPnP Forum's nomenclature for version 2 of IGD IWF - Interworking FunctionNAT - Network Address TranslationPCP - Port Control ProtocolUPnP - Universal Plug and PlayAs a reminder, illustrates the
architecture model as adopted by the UPnP Forum . In , the
following UPnP terminology is used:'Client' refers to a host located in the local network.'IGD Control Point' is a device using UPnP to control an IGD
(Internet Gateway Device).'IGD' is a router supporting a UPnP IGD. It is typically a NAT or
a firewall.'Host' is a remote peer reachable in the Internet.This model is not valid when PCP is used to control, for instance, a
Carrier Grade NAT (aka Provider NAT) while internal hosts continue
to use a UPnP IGD. In such
scenarios, shows the updated model.In the updated model depicted in , one
or two levels of NAT can be encountered in the data path. Indeed, in
addition to the Carrier Grade NAT, the IGD may embed a NAT function
().To ensure successful interworking between a UPnP IGD and PCP, an
interworking function is embedded in the IGD. In the model defined in
, all UPnP IGD server-oriented functions, a
PCP client , and a UPnP IGD-PCP
Interworking Function are embedded in the IGD. In the rest of the
document, "IGD-PCP IWF" refers to the UPnP IGD-PCP Interworking Function,
which includes PCP client functionality.Without the involvement of the IGD-PCP IWF, the IGD Control Point
would retrieve an external IP address and port number that have limited
scope and that cannot be used to communicate with hosts located beyond
NAT2 (i.e., assigned by the IGD, and not those assigned by NAT2 as
depicted in ).The UPnP IGD-PCP IWF is responsible for generating a well-formed PCP
message from a received UPnP IGD message, and vice versa.Three tables are provided to specify the correspondence between
a UPnP IGD and PCP: provides the mapping between
WANIPConnection state variables and PCP parameters; focuses on the correspondence
between supported methods; lists the PCP error messages and
their corresponding IGD error messages.Note that some enhancements have been integrated in WANIPConnection,
as documented in .Below are listed only the UPnP IGD state variables applicable to
the IGD-PCP IWF:External IP Address
Read-only variable with the value from the last PCP response, or
the empty string if none was received yet. This state is stored on
a per-IGD-Control-Point basis.Managed locally by the
UPnP IGD-PCP IWF. PCP does not support
deactivating the dynamic NAT mapping, since the initial goal of PCP
is to ease the traversal of Carrier Grade NAT. Supporting such
per-subscriber function may overload the Carrier Grade NAT.
Only "1" is allowed: i.e., the UPnP IGD-PCP
Interworking Function MUST send back an error if a value different
from 1 is signaled.Requested Mapping Lifetime
In IGD:1 , the value 0 means
infinite; in IGD:2, it is remapped to the IGD maximum of 604800
seconds . PCP allows for a maximum
value of 4294967296 seconds. The UPnP IGD-PCP
Interworking Function simulates long and even infinite lifetimes
using renewals (see ). The behavior
of the UPnP IGD-PCP IWF in the case of a failing renewal is
currently undefined (see ).
IGD:1 doesn't define the behavior in the case of state
loss; IGD:2 doesn't require that state be kept in stable storage,
i.e., to allow the state to survive resets/reboots. The UPnP
IGD-PCP Interworking Function MUST support IGD:2 behavior.Remote Peer IP Address Note
that IGD:2 allows a domain name, which has to be resolved to an IP
address. Mapped to the Remote Peer IP Address field of the FILTER
option.External Port Number Mapped
to the Suggested External Port field in MAP messages.Internal Port Number Mapped
to the Internal Port field in MAP messages.Protocol Mapped to
the Protocol field in MAP messages. Note that a UPnP IGD only
supports TCP and UDP.Internal IP Address Note
that IGD:2 allows a domain name, which has to be resolved to an IP
address. Mapped to the Internal IP Address field of the THIRD_PARTY
option.Not supported in base
PCP. If the local PCP client supports a PCP option to
convey the description (e.g., ), this option
SHOULD be used to relay the mapping description.Managed locally by the
UPnP IGD-PCP IWF.Managed locally
by the UPnP IGD-PCP IWF.IGD:1 and IGD:2 methods applicable to the UPnP IGD-PCP
Interworking Function are both listed here. This request is not
relayed to the PCP server. The IGD-PCP Interworking
Function maintains a list of active mappings instantiated in the
PCP server by internal hosts. See for
more information.MAP with
PREFER_FAILURE option.
This request is relayed to the PCP server by
issuing a MAP request with the PREFER_FAILURE option. It is
RECOMMENDED to use a short lifetime (e.g., 60 seconds).MAP See .MAP See
.MAP with Requested Lifetime set
to 0. See .MAP with
Requested Lifetime set to 0. Individual requests are
issued by the IGD-PCP IWF. See for
more details.MAP This can be
learned from any active mapping. If there are no active mappings,
the IGD-PCP IWF MAY request a short-lived mapping (e.g., to the
Discard service (TCP/9 or UDP/9) or some other port). However,
once that mapping expires, a subsequent implicit or explicit
dynamic mapping might be mapped to a different external IP
address. See Section 11.6 of
for more discussion.See for more information. The IGD-PCP
Interworking Function maintains a list of active mappings
instantiated in the PCP server. The IGD-PCP Interworking Function
handles this request locally.This section lists PCP error codes and the corresponding UPnP IGD
codes. Error codes specific to IGD:2 are tagged accordingly.501 "ActionFailed"IGD:1 718 "ConflictInMappingEntry"
/ IGD:2 606 "Action not authorized"501 "ActionFailed"501 "ActionFailed" allows the PCP server to be
configured to disable support for the MAP Opcode, but the IGD-PCP
IWF cannot work in this situation.501 "ActionFailed" This
error code can be received if PREFER_FAILURE is not supported on
the PCP server. Note that PREFER_FAILURE is not mandatory to
support, but AddPortMapping() cannot be implemented without
it.501 "ActionFailed"501 "ActionFailed"IGD:1 501 "ActionFailed" / IGD:2 728
"NoPortMapsAvailable" Cannot be
distinguished from USER_EX_QUOTA.501 "ActionFailed"IGD:1 501 "ActionFailed" / IGD:2
728 "NoPortMapsAvailable" Cannot be
distinguished from NO_RESOURCES.718
"ConflictInMappingEntry" (see )
or 714 "NoSuchEntryInArray" (see ).501 "ActionFailed"501 "ActionFailed" This section covers scenarios with or without NAT in the IGD.This specification assumes that the PCP server is configured to accept
the MAP Opcode.The IGD-PCP IWF handles the "Mapping Nonce" the same way as any
PCP client .The IGD-PCP IWF implements one of the discovery methods identified
in (e.g., DHCP ). The IGD-PCP Interworking Function
behaves as a PCP client when communicating with provisioned
PCP server(s).If no IPv4 address/IPv6 prefix is assigned to the IGD or the IGD
is unable to determine whether it should contact an upstream
PCP server, the IGD-PCP Interworking Function MUST NOT be invoked.If the IGD determines that it should establish communication with
an upstream PCP server (e.g., because of DHCP configuration or having
previously communicated with a PCP server), a "501 ActionFailed" error
message is returned to the requesting IGD Control Point if the
IGD-PCP IWF fails to establish communication with that PCP server.
Note that the IGD-PCP IWF proceeds to PCP message validation and
retransmission the same way as any PCP client .In order to configure security policies to be applied to inbound
and outbound traffic, a UPnP IGD can be used to control a local
firewall engine. No IGD-PCP IWF is therefore required for that
purpose.The use of the IGD-PCP IWF to control an upstream PCP-controlled
firewall is out of scope for this document.The IGD-PCP IWF MUST store locally all the mappings instantiated by
internal IGD Control Points in the PCP server. All mappings SHOULD be
stored in permanent storage.Upon receipt of a PCP MAP response from the PCP server, the IGD-PCP
Interworking Function MUST extract the enclosed mapping and MUST store
it in the local mapping table. The local mapping table is an image of
the mapping table as maintained by the PCP server for a given
subscriber.Each mapping entry stored in the local mapping table is associated
with a lifetime as discussed in . Additional considerations specific
to the IGD-PCP Interworking Function are discussed in .When no NAT is embedded in the IGD, the contents of received
WANIPConnection and PCP messages are not altered by the IGD-PCP
Interworking Function (i.e., the contents of WANIPConnection messages
are mapped to PCP messages (and mapped back), according to ).When NAT is embedded in the IGD, the IGD-PCP IWF updates the
contents of mapping messages received from the IGD Control Point. These
messages will contain an IP address and/or port number that belong to
an internal host. The IGD-PCP IWF MUST update such messages with the
IP address and/or port number belonging to the external interface of
the IGD (i.e., after the NAT1 operation as depicted in ).The IGD-PCP IWF intercepts all WANIPConnection messages issued by
the IGD Control Point. For each such message, the IGD-PCP IWF then
generates one or more corresponding requests
(see Sections ,
, and ) and sends them to the
provisioned PCP server.Each request sent by the IGD-PCP IWF to the PCP server MUST reflect
the mapping information as enforced in the first NAT. Particularly,
the internal IP address and/or port number of the requests are
replaced with the IP address and/or port number as assigned by the NAT
of the IGD. For the reverse path, the IGD-PCP IWF intercepts PCP
response messages and generates WANIPConnection response messages. The
contents of the generated WANIPConnection response messages are set as
follows:The internal IP address and/or port number as initially set by
the IGD Control Point and stored in the IGD NAT are used to update
the corresponding fields in received PCP responses.The external IP address and port number are not altered by the
IGD-PCP Interworking Function.The NAT mapping entry in the IGD is updated with the result of
each PCP request.The lifetime of the mappings instantiated in the IGD SHOULD be the
one assigned by the terminating PCP server. In any case, the lifetime
MUST NOT be lower than the one assigned by the terminating
PCP server.Two methods can be used to create a mapping: AddAnyPortMapping() and
AddPortMapping().When an IGD Control Point issues an AddAnyPortMapping() call, this
request is received by the IGD. The request is then relayed to the
IGD-PCP IWF, which generates a PCP MAP request (see for mapping between WANIPConnection and
PCP parameters).If the IGD-PCP IWF fails to send the MAP request to its
PCP server, it follows the behavior defined in .Upon receipt of a PCP MAP response from the PCP server, the
corresponding UPnP IGD method is returned to the requesting IGD
Control Point (the contents of the messages follow the
recommendations listed in or , according to the deployed scenario). A
flow example is depicted in .If a PCP error is received from the PCP server, a corresponding
WANIPConnection error code (see ) is
generated by the IGD&nbhy;PCP IWF and sent to the requesting IGD
Control Point. If a short-lifetime error is returned (e.g.,
NETWORK_FAILURE, NO_RESOURCES), the PCP IWF MAY resend the same
request to the PCP server after 30 seconds. If a negative answer
is received, the error is then relayed to the requesting IGD
Control Point.Discussion: Some applications (e.g., uTorrent, Vuze, eMule)
wait 90 seconds or more for a response after sending a UPnP
request. If a short-lifetime error occurs, resending the request
may lead to a positive response from the PCP server. IGD Control
Points are therefore not aware of transient errors.A dedicated option called "PREFER_FAILURE" is defined in to toggle the behavior in a PCP
request message. This option is inserted by the IGD-PCP IWF when
issuing its requests to the PCP server only if a specific external
port is requested by the IGD Control Point.Upon receipt of AddPortMapping() from an IGD Control Point, the
IGD&nbhy;PCP IWF MUST generate a PCP MAP request with all requested
mapping information as indicated by the IGD Control Point if no NAT
is embedded in the IGD or updated as specified in . In addition, the IGD-PCP IWF MUST insert
a PREFER_FAILURE option in the generated PCP request.If the IGD-PCP IWF fails to send the MAP request to its
PCP server, it follows the behavior defined in .If the requested external port is not available, the PCP server
will send a CANNOT_PROVIDE_EXTERNAL error response: If a short-lifetime error is returned, the IGD-PCP IWF MAY
resend the same request to the PCP server after 30 seconds
without relaying the error to the IGD Control Point. The IGD-PCP
IWF MAY repeat this process until a positive answer is received
or some maximum retry limit is reached. When the maximum retry
limit is reached, the IGD-PCP IWF relays a negative message to
the IGD Control Point with ConflictInMappingEntry as the error
code. The maximum retry limit is implementation-specific; its
default value is 2.If a long-lifetime error is returned, the IGD-PCP IWF relays
a negative message to the IGD Control Point with
ConflictInMappingEntry as the error code.The IGD Control Point may issue a new request with a different
requested external port number. This process is typically repeated
by the IGD Control Point until a positive answer is received or some
maximum retry limit is reached.If the PCP server is able to create or renew a mapping with the
requested external port, it sends a positive response to the IGD-PCP
IWF. Upon receipt of the response from the PCP server, the IGD-PCP
IWF stores the returned mapping in its local mapping table and
sends the corresponding positive answer to the requesting IGD
Control Point. This answer terminates the exchange. shows an example of the flow
exchange that occurs when the PCP server satisfies the request from
the IGD-PCP IWF. shows the message
exchange when the requested external port is not available.Note: According to some experiments, some UPnP 1.0 Control
Point implementations, e.g., uTorrent, simply try the same
external port a number of times (usually 4 times) and then fail
if the port is in use. Also note that some applications use
GetSpecificPortMappingEntry() to determine whether a mapping
exists.In order to list active mappings, an IGD Control Point may issue
GetGenericPortMappingEntry(), GetSpecificPortMappingEntry(), or
GetListOfPortMappings().GetGenericPortMappingEntry() and GetListOfPortMappings() methods
MUST NOT be proxied to the PCP server, since a local mapping is
maintained by the IGD-PCP IWF.Upon receipt of GetSpecificPortMappingEntry() from an IGD Control
Point, the IGD-PCP IWF MUST check first to see if the external
port number is
used by the requesting IGD Control Point. If the external port is
already in use by the requesting IGD Control Point, the IGD&nbhy;PCP
IWF MUST send back the mapping entry matching the request. If not, the
IGD-PCP IWF MUST relay to the PCP server a MAP request, with short
lifetime (e.g., 60 seconds), including a PREFER_FAILURE option. If the
IGD-PCP IWF fails to send the MAP request to its PCP server, it
follows the behavior defined in . If
the requested external port is in use, a PCP error message will be
sent by the PCP server to the IGD-PCP IWF indicating
CANNOT_PROVIDE_EXTERNAL as the error cause. Then, the IGD-PCP IWF
relays a negative message to the IGD Control Point. If the port is not
in use, the mapping will be created by the PCP server and a positive
response will be sent back to the IGD-PCP IWF. Once received by the
IGD-PCP IWF, it MUST relay a negative message to the IGD Control Point
indicating NoSuchEntryInArray as the error code so that the IGD
Control Point knows the queried mapping doesn't exist. An IGD Control Point requests the deletion of one or a list of
mappings by issuing DeletePortMapping() or
DeletePortMappingRange().In IGD:2, we assume that the IGD applies the appropriate security
policies to determine whether a Control Point has the rights to delete
one or a set of mappings. When authorization fails, the "606 Action
Not Authorized" error code is returned to the requesting Control
Point.When DeletePortMapping() or DeletePortMappingRange() is received by
the IGD-PCP IWF, it first checks if the requested mappings to be
removed are present in the local mapping table. If no mapping matching
the request is found in the local table, an error code is sent back to
the IGD Control Point: "714 NoSuchEntryInArray" for
DeletePortMapping() or "730 PortMappingNotFound" for
DeletePortMappingRange(). shows an example of an IGD
Control Point asking to delete a mapping that is not instantiated in
the local table of the IWF.If a mapping matches in the local table, a PCP MAP delete request
is generated. If no NAT is enabled in the IGD, the IGD-PCP IWF uses
the input arguments as included in DeletePortMapping(). If a NAT is
enabled in the IGD, the IGD-PCP IWF instead uses the corresponding IP
address and port number as assigned by the local NAT.If the IGD-PCP IWF fails to send the MAP request to its PCP server,
it follows the behavior defined in .When a positive answer is received from the PCP server, the IGD-PCP
IWF updates its local mapping table (i.e., removes the corresponding
entry) and notifies the IGD Control Point of the result of the
removal operation. Once the PCP MAP delete request is received by the
PCP server, it removes the corresponding entry. A PCP MAP SUCCESS
response is sent back if the removal of the corresponding entry was
successful; if not, a PCP error message containing the corresponding
error cause (see ) is sent back to the
IGD&nbhy;PCP IWF.If DeletePortMappingRange() is used, the IGD-PCP IWF does a lookup
in its local mapping table to retrieve individual mappings,
instantiated by the requesting Control Point (i.e., authorization
checks), that match the signaled port range (i.e., the external port
is within the "StartPort" and "EndPort" arguments of
DeletePortMappingRange()). If no mapping is found, the "730
PortMappingNotFound" error code is sent to the IGD Control Point
(). If one or more mappings
are found, the IGD-PCP IWF generates individual PCP MAP delete
requests corresponding to these mappings (see the example shown in
).The IGD-PCP IWF MAY send a positive answer to the requesting IGD
Control Point without waiting to receive all the answers from the
PCP server. illustrates the exchanges that occur when
the IWF receives DeletePortMappingRange(). In this example, only
two mappings having the external port number in the 6000-6050
range are maintained in the local table. The IWF issues two MAP
requests to delete these mappings.
Because of the incompatibility of mapping lifetimes between
a UPnP IGD and PCP, the IGD-PCP IWF MUST simulate long and even
infinite lifetimes. Indeed, for requests having a requested infinite
PortMappingLeaseDuration, the IGD-PCP IWF MUST set the Requested
Lifetime of the corresponding PCP request to 4294967296. If
PortMappingLeaseDuration is not infinite, the IGD-PCP IWF MUST set the
Requested Lifetime of the corresponding PCP request to the same value
as PortMappingLeaseDuration. Furthermore, the IGD-PCP Interworking
Function MUST maintain an additional timer set to the initial
requested PortMappingLeaseDuration. Upon receipt of a positive answer
from the PCP server, the IGD-PCP IWF relays the corresponding UPnP IGD
response to the requesting IGD Control Point with
PortMappingLeaseDuration set to the same value as that of the
initial request. Then, the IGD-PCP IWF MUST periodically renew the
constructed PCP mapping until the expiry of PortMappingLeaseDuration.
Responses received when renewing the mapping MUST NOT be relayed to
the IGD Control Point.If an error is encountered during mapping renewal, the IGD-PCP
Interworking Function has no means of informing the IGD Control
Point of the error.When the IGD-PCP IWF is co-located with the DHCP server, the state
maintained by the IGD-PCP IWF MUST be updated using the state in the
local DHCP server. Particularly, if an IP address expires or is
released by an internal host, the IGD-PCP IWF MUST delete all the
mappings bound to that internal IP address.Upon change of the external IP address of the IGD-PCP IWF, the
IGD&nbhy;PCP IWF MAY renew the mappings it maintained. This can be
achieved
only if a full state table is maintained by the IGD-PCP IWF. If the
port quota is not exceeded in the PCP server, the IGD-PCP IWF will
receive a new external IP address and port numbers. The IGD-PCP IWF
has no means of notifying internal IGD Control Points of the change
of the external IP address and port numbers. Stale mappings will be maintained
by the PCP server until their lifetime expires. Note: If an address change occurs, protocols that are sensitive
to address changes (e.g., TCP) will experience disruption. defines a procedure for
the PCP server to notify PCP clients of changes related to the
mappings it maintains. When an unsolicited ANNOUNCE is received, the
IGD-PCP IWF makes one or more MAP requests with the PREFER_FAILURE
option to re-install its mappings. If the PCP server cannot create the
requested mappings (signaled with the CANNOT_PROVIDE_EXTERNAL error
response), the IGD&nbhy;PCP IWF has no means of notifying internal IGD
Control Points of any changes of the external IP address and port
numbers.Unsolicited PCP MAP responses received from a PCP server are
handled as any normal MAP response. If a response indicates that the
external IP address or port has changed, the IGD-PCP IWF has no means
of notifying the internal IGD Control Point of this change.Further analysis of PCP failure scenarios for the IGD-PCP
Interworking Function are discussed in .IGD:2 access control requirements and authorization levels SHOULD be
applied by default . When IGD:2 is used,
operation on behalf of a third party SHOULD be allowed only if
authentication and authorization are used .
When only IGD:1 is available, operation on behalf of a third party
SHOULD NOT be allowed.This document defines a procedure to create PCP mappings for
third-party devices belonging to the same subscriber. The means for
preventing a malicious user from creating mappings on behalf of a third
party must be enabled as discussed in
Section 13.1 of . In particular, the
THIRD_PARTY option MUST NOT be enabled unless the network on which the
PCP messages are to be sent is fully trusted -- for example,
access control lists (ACLs) installed on the PCP client, the PCP server,
and the network between them, so that those ACLs allow only
communications from a trusted PCP client to the PCP server.An IGD Control Point that issues AddPortMapping(),
AddAnyPortMapping(), or GetSpecificPortMappingEntry() requests in a
shorter time frame will create a lot of mapping entries on the PCP
server. The means for avoiding the exhaustion of port resources
(e.g., port quota, as discussed in Section 17.2 of ) SHOULD be enabled.The security considerations discussed in and
should be taken into account.The authors would like to thank F. Fontaine, C. Jacquenet,
X. Deng, G. Montenegro, D. Thaler, R. Tirumaleswar,
P. Selkirk, T. Lemon, V. Gurbani, and P. Yee
for their review and comments.F. Dupont contributed to previous versions of this document.
Thanks go to him for his thorough reviews and contributions.WANIPConnection:2 ServiceUPnP ForumWANIPConnection:1 Service Template Version 1.01UPnP ForumAnalysis of Port Control Protocol (PCP) Failure ScenariosPCP Description OptionPort Control Protocol (PCP) Proxy FunctionDHCP Options for the Port Control Protocol (PCP)Device Protection:1 ServiceUPnP Forum