Network Working Group R. Denis-Courmont Request for Comments: 5597 VideoLAN project BCP: 150 September 2009 Category: Best Current Practice Network Address Translation (NAT) Behavioral Requirements for the Datagram Congestion Control Protocol
AbstractThis document defines a set of requirements for NATs handling the Datagram Congestion Control Protocol (DCCP). These requirements allow DCCP applications, such as streaming applications, to operate consistently, and they are very similar to the TCP requirements for NATs, which have already been published by the IETF. Ensuring that NATs meet this set of requirements will greatly increase the likelihood that applications using DCCP will function properly. Status of This Memo This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited. Copyright and License Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 2 3. Applicability Statement . . . . . . . . . . . . . . . . . . . . 3 4. DCCP Connection Initiation . . . . . . . . . . . . . . . . . . 4 5. NAT Session Refresh . . . . . . . . . . . . . . . . . . . . . . 5 6. Application-Level Gateways . . . . . . . . . . . . . . . . . . 5 7. Other Requirements Applicable to DCCP . . . . . . . . . . . . . 5 8. Requirements Specific to DCCP . . . . . . . . . . . . . . . . . 6 9. DCCP without NAT Support . . . . . . . . . . . . . . . . . . . 7 10. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 8 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 RFC4340]. This memo discusses the technical issues involved and proposes a set of requirements for NAT devices to handle DCCP in a way that enables communications when either or both of the DCCP endpoints are located behind one or more NAT devices. All definitions and requirements in [RFC4787] are inherited here. The requirements are otherwise designed similarly to those in [RFC5382], from which this memo borrows its structure and much of its content. Note however that, if both endpoints are hindered by NAT devices, the normal model for DCCP of asymmetric connection will not work. A simultaneous-open must be performed, as in [RFC5596]. Also, a separate, unspecified mechanism may be needed, such as Unilateral Self Address Fixing (UNSAF) [RFC3424] protocols, if an endpoint needs to learn its own external NAT mappings. RFC2119].
This document uses the term "DCCP connection" to refer to individual DCCP flows, as uniquely identified by the quadruple (source and destination IP addresses and DCCP ports) at a given time. This document uses the term "NAT mapping" to refer to a state at the NAT that is necessary for network address and port translation of DCCP connections. This document also uses the terms "endpoint- independent mapping", "address-dependent mapping", "address and port- dependent mapping", "filtering behavior", "endpoint-independent filtering", "address-dependent filtering", "address and port- dependent filtering", "port assignment", "port overloading", "hairpinning", and "external source IP address and port" as defined in [RFC4787]. RFC5382]. These justifications are not reproduced here for the sake of brevity. In addition to the usual changes to the IP header (in particular, the IP addresses), NAT devices need to mangle: o the DCCP source port for outgoing packets, depending on the NAT mapping, o the DCCP destination port for incoming packets, depending on the NAT mapping, and o the DCCP checksum, to compensate for IP address and port number modifications. Because changing the source or destination IP address of a DCCP packet will normally invalidate the DCCP checksum, it is not possible to use DCCP through a NAT without dedicated support. Some NAT devices are known to provide "generic" transport-protocol support, whereby only the IP header is mangled. That scheme is not sufficient to support DCCP.
RFC4787]. REQ-1: A NAT MUST have an "Endpoint-Independent Mapping" behavior for DCCP. RFC4340] and its updates) for connections initiated both internally as well as externally when the connection is permitted by the NAT. In particular, in addition to handling the DCCP 3-way handshake mode of connection initiation, A NAT MUST handle the DCCP simultaneous-open mode of connection initiation, defined in [RFC5596]. That mode updates DCCP by adding a new packet type: DCCP- Listen. The DCCP-Listen packet communicates the information necessary to uniquely identify a DCCP session. NATs may utilise the connection information (address, port, Service Code) to establish local forwarding state.
connection, the NAT MUST silently drop the original unsolicited, inbound DCCP-Listen packet. Otherwise, the NAT SHOULD send an ICMP Port Unreachable error (Type 3, Code 3) for the original DCCP-Listen unless the security policy forbids it. RFC5382]. RFC4787]. A list of ICMP-specific NAT behavioral requirements are described in [RFC5508]. The requirements listed
below reiterate the requirements from these two documents that directly affect DCCP. The following requirements do not relax any requirements in [RFC4787] or [RFC5508]. Section 9.2 of [RFC4340]. REQ-11: If a NAT translates a DCCP packet with a valid DCCP checksum, it MUST ensure that the DCCP checksum is translated such that it is valid after the translation. REQ-12: A NAT MUST NOT modify the value of the DCCP Checksum Coverage. The Checksum Coverage field in the DCCP header determines the parts of the packet that are covered by the Checksum field. This always includes the DCCP header and options, but some or all of the application data may be excluded as determined on a packet-by-packet basis by the application. Changing the Checksum Coverage in the network violates the integrity assumptions at the receiver and may result in unpredictable or incorrect application behaviour.
RFC4340]. REQ-13: If a NAT translates a DCCP packet, it MUST NOT modify its DCCP Service Code value. Further guidance on the use of Service Codes by middleboxes, including NATs, can be found in [RFC5595]. RFC4787] discusses security considerations for NATs that handle IP and unicast (UDP) traffic, all of which apply equally to this document. Security concerns specific to handling DCCP packets are discussed in this section. REQ-1 and REQ-6 through REQ-13 do not introduce any new known security concerns. REQ-2 does not introduce any new known security concerns. While a NAT may elect to keep track of some DCCP-specific, per-flow state (compared to UDP), it has no obligations to do so. REQ-3 allows a NAT to adopt either a more secure or a more application-transparent filtering policy. This is already addressed in [RFC4787] and [RFC5382]. Similar to [RFC5382], REQ-4 of this document recommends that a NAT respond to unsolicited, inbound Listen and Sync packets with an ICMP error delayed by a few seconds. Doing so may reveal the presence of a NAT to an external attacker. Silently dropping the Listen makes it harder to diagnose network problems and forces applications to wait for the DCCP stack to finish several retransmissions before reporting an error. An implementer must therefore understand and carefully weigh the effects of not sending an ICMP error or rate-limiting such ICMP errors to a very small number.
REQ-5 recommends that a NAT that passively monitors DCCP state keep idle sessions alive for at least 124 minutes or 4 minutes, depending on the state of the connection. To protect against denial-of-service attacks filling its state storage capacity, a NAT may attempt to actively determine the liveliness of a DCCP connection, or the NAT administrator could configure more conservative timeouts. RFC5382] by S. Guha (editor), K. Biswas, B. Ford, S. Sivakumar, and P. Srisuresh. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram Congestion Control Protocol (DCCP)", RFC 4340, March 2006. [RFC4787] Audet, F. and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, January 2007. [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT Behavioral Requirements for ICMP", BCP 148, RFC 5508, April 2009. [RFC5596] Fairhurst, G., "Datagram Congestion Control Protocol (DCCP) Simultaneous-Open Technique to Facilitate NAT/ Middlebox Traversal", RFC 5596, September 2009. [RFC3424] Daigle, L. and IAB, "IAB Considerations for UNilateral Self-Address Fixing (UNSAF) Across Network Address Translation", RFC 3424, November 2002. [RFC5382] Guha, S., Biswas, K., Ford, B., Sivakumar, S., and P. Srisuresh, "NAT Behavioral Requirements for TCP", BCP 142, RFC 5382, October 2008.