MarketPort Control Protocol
Company Profile

Port Control Protocol

Port Control Protocol (PCP) is a computer networking protocol that allows hosts on IPv4 or IPv6 networks to control how the incoming IPv4 or IPv6 packets are translated and forwarded by an upstream router that performs network address translation (NAT) or packet filtering. By allowing hosts to create explicit port forwarding rules, handling of the network traffic can be easily configured to make hosts placed behind NATs or firewalls reachable from the rest of the Internet, which is a requirement for many applications.

Overview
Many applications and network equipment deployments require their network locations to be reachable from outside their local networks, following the originally envisioned model of IP end-to-end connectivity across the Internet, so they can operate as network servers and accept connections from remote clients. An example of such equipment is an IP camera, which includes a network server that provides remote surveillance over IP networks. Usually, network equipment deployments place the devices behind routers or firewalls that perform NAT (to enable sharing of an IPv4 address, for example) or packet filtering (for improved network security and protection), ending up with breaking the end-to-end connectivity and rendering the equipment and applications inaccessible from the rest of the Internet. The problem Making the deployed equipment accessible, by extending its server role beyond the local network, requires either manual configuration of port forwarding at the network gateway (which is usually a CPE), or application-level workarounds that initiate connections from the deployed equipment to additional intermediate servers used for "merging" those "firewall punching" connections and connections from the actual clients. Both approaches have their downsides manual CPE configuration is usually either inconvenient or not possible, while using additional intermediate servers increases complexity and cost. For example, an online computer game (which acts as a client) requires communication with a game server for exchanging gameplay data. In order to make it possible for a game server to provide data to its clients, those clients must be made accessible to the server. Usually, clients initiate connections to the game server to open communication channels. However, such open connections can become idle and can subsequently be closed by network gateways, leading to the necessity of maintaining them by using a form of keepalive messages. Keepalive messages are small messages that are sent between client and server that create traffic over a communication channel and therefore prevent gateway servers from closing it. Thus, keeping a connection alive requires a constant exchange of empty messages between client and server. This increases network chatter, wastes network bandwidth and CPU cycles, and decreases the autonomy of battery-powered devices. Additionally, some network applications (for example, FTP) require dynamic opening of multiple connections, which involves application-level gateways (ALGs) and additionally increases complexity. PCP as a solution PCP allows equipment and applications to create explicit mappings between an external IP address, protocol and port, and an internal IP address, protocol and port. With such explicit mappings in place, inbound communication can reach the hosts behind a NAT or firewall, which either expands their server roles beyond boundaries of local networks, or makes use of various services simplified and less resource-consuming. Created mappings are permanent to the extent of having a known lifetime that can be extended, which is similar to the way Dynamic Host Configuration Protocol (DHCP) implements its leases. At the same time, PCP allows applications to create additional mappings dynamically as required, which reduces or eliminates the need for having ALG-enabled NAT devices and firewalls. Created explicit mappings have a known lifetime, commonly several hours, with no need for application-level keepalive messages to be exchanged between hosts and servers for the purpose of preserving the mapping. As a result, network usage and power consumption are reduced, and application-level keepalive logic no longer needs to be implemented at client and server sides. The PCP mapping response provides the application with associated externally visible parameters (IP address, protocol and port) that can then be announced to other clients in application-specific ways so incoming connections can be established. Additionally, PCP can inform applications when the external IP address is changed while a mapping is already established. Various types of NAT can be handled by PCP, providing support for NAT64, NAT66, and NAT44; inclusion of PCP into IPv4 and IPv6 firewall devices is also supported. PCP is designed to be used on both large-scale aggregation points (for example, as part of carrier-grade NATs), and inside less expensive consumer-grade devices. Both long-term (for an IP camera or a temperature sensor acting as a server, for example) and short-term mappings (while playing an online computer game, for example) are supported. PCP supports transport layer protocols that use 16-bit port numbers (for example, TCP, UDP, Stream Control Transmission Protocol (SCTP) or Datagram Congestion Control Protocol (DCCP). Protocols that do not use port numbers (for example, Resource Reservation Protocol (RSVP), Encapsulating Security Payload (ESP), ICMP or ICMPv6) are supported for IPv4 firewall, IPv6 firewall and NPTv6 (IPv6 prefix translation) functions, but cannot be supported by more than one client per external IP address in the case of NAT. The PCP specification does not define a mechanism for dealing with multi-homed networks (which have multiple network gateways or default routes). It is nonetheless possible to implement PCP in such networks using a coordination mechanism such as conntrackd. However, if the different networks each have their own external IP address(es), a given PCP mapping can only use one or the other because the protocol requires one specific external IP address to be provided to the client. If that network should then become unavailable the PCP mapping would have to be updated to use an external IP address from the other network. The PCP specification does not define a mechanism for dealing with how to inform remote computers about the IP address, protocol, and port for the incoming connection. RFC6887 states, that PCP does not provide any rendezvous function and this has to been done in an application-specific manner, like using external nameservice servers. == History ==
History
PCP was standardized in 2013 as a successor to Apple's NAT Port Mapping Protocol (NAT-PMP), sharing similar protocol concepts and packet formats with it. As one of the design differences, NAT-PMP is pretty much limited to the deployment on consumer-grade devices, while PCP is designed to also support carrier-grade equipment. PCP relates to the Internet Gateway Device Protocol (UPnP IGD), which was standardized in 2001 as part of the UPnP specification. While the UPnP IGD is complex and tailored toward manual configuration, PCP is designed for simplicity and automated use within software applications. The NAT-PMP specification contains a list of the problems with UPnP IGD that prompted the creation of NAT-PMP, and subsequently, its successor PCP. ==Use scenarios==
Use scenarios
• Internet service providers using Carrier-grade NAT for subscriber services • A mode of operation has been specified for Dual-Stack Lite (IPv4 in CGNAT, IPv6 on public Internet) ==Implementations==
Implementations
Clients macOS and iOS, as part of the DNS Service Discovery implementation (IPv4 only) • C library and command-line program "libpcpnatpmp" (also implements NAT-PMP) • C library "libplum" (also implements NAT-PMP, and UPnP IGD IPv4 only) • Rust crate "pcp" • A MeeGo client and GUI, presented at the IETF 82 conference in 2011 for Internet Draft revision 13 NAT routers ASUS Wi-Fi routers • OpenWrt, OPNsense and pfSense open-source router software • Discontinued Apple AirPort Wi-Fi routers • Fortigate/FortiOS, router for CGNAT and other large-scale deployments • Juniper commercial routers • Huawei commercial routers • F5, Inc. commercial routers Carriers offering PCP-enabled NAT connections == Security ==
{{Anchor|SECURITY}}Security
Excluding the attackers capable of altering network packets exchanged while an explicit PCP mapping is created (packets that contain negotiation required for establishing an explicit mapping, which is exchanged between hosts and PCP-enabled NAT devices or firewalls), PCP is considered to be secure as long as created explicit mappings do not exceed the domain of implicit mappings. In other words, implicit mappings are created as a result of the way NAT devices and firewalls are handling regular outbound client connections, meaning that PCP is safe as long as no new mapping possibilities are introduced through the explicit mapping mechanism. == Internals ==
Internals
Internally, PCP works by exchanging control messages between hosts and PCP-enabled NAT devices or firewalls (referred to as servers), using User Datagram Protocol (UDP) as the underlying protocol. This communication consists of port mapping requests created by the hosts that result in responses once submitted to and processed by the servers. Following UDP's nature of unreliability, which means that UDP datagrams can be lost, duplicated or reordered, after submitting a request there is no guarantee for a response of any kind, thus host requests are also referred to as "hints". In addition to direct responses, servers also generate gratuitous notifications for example, unicast notifications to inform hosts of changes in the external IP address. Exchanged messages contain no means for determining either the transaction they belong to, or which stage of a "session" they represent. Such a simplified design is based on having all messages self-describing and complete, with no additional context required for each message to be successfully processed. Servers may decide to silently ignore host requests, in case they are unable to process them at the moment; in such cases, hosts need to retransmit the request. Also, hosts may safely decide to silently ignore any unwanted mapping responses. For the purpose of creating PCP requests, IP address of the server is either manually configured on the host, found as part of the host's DHCP lease, or set to the host's configured default gateway. Host request messages are sent from any source UDP port on a client to the server's UDP port 5351 that it listens to; unsolicited multicast server notifications (such as server restart announcements) are sent from the server's UDP port 5351 to the UDP port 5350 on hosts which they listen to. Maximum UDP payload length for all PCP messages is 1100 octets. Each PCP message consists of a request or response header containing an opcode that determines the associated operation, any relevant opcode-specific information (such as which ports are to be mapped), and zero or more options (such as the option described above). Result codes are returned as part of server responses; each result code has an associated lifetime, which tells the hosts when certain operations may be retried or should be repeated. For example, result lifetimes can specify how long a failure condition is expected to persist, or how long the created mapping will last. == See also ==
Source: Wikipedia ↗
tickerdossier.comtickerdossier.substack.com