Stream Control Transmission Protocol (SCTP) Network Address Translation Support

Stream Control Transmission Protocol (SCTP) Network Address Translation Support Ericsson AB

Torshamnsgatan 21 16440 Stockholm SE claudio.porfiri@ericsson.com

Internet-Draft The Stream Control Transmission Protocol (SCTP) provides a reliable communications channel between two end-hosts in many ways similar to the Transmission Control Protocol (TCP). With the widespread deployment of Network Address Translators (NAT), specialized code has been added to NAT functions for TCP that allows multiple hosts to reside behind a NAT function and yet share a single IPv4 address, even when two hosts (behind a NAT function) choose the same port numbers for their connection. This additional code is sometimes classified as Network Address and Port Translation (NAPT). This document describes the protocol extensions needed for the SCTP endpoints and the mechanisms for NAT functions necessary to provide similar features of NAPT in the single point and multipoint traversal scenario.

Introduction Stream Control Transmission Protocol (SCTP) provides a reliable communications channel between two end-hosts in many ways similar to TCP . With the widespread deployment of Network Address Translators (NAT), specialized code has been added to NAT functions for TCP that allows multiple hosts to reside behind a NAT function using private-use addresses (see ) and yet share a single IPv4 address, even when two hosts (behind a NAT function) choose the same port numbers for their connection. This additional code is sometimes classified as Network Address and Port Translation (NAPT). Please note that this document focuses on the case where the NAT function maps a single or multiple internal addresses to a single external address and vice versa. To date, specialized code for SCTP has not yet been added to most NAT functions so that only a translation of IP addresses is supported. The end result of this is that only one SCTP-capable host can successfully operate behind such a NAT function and this host can only be single-homed. The only alternative for supporting legacy NAT functions is to use UDP encapsulation as specified in . The NAT function in the document refers to NAPT functions described in Section 2.2 of , NAT64 , or DS-Lite AFTR . This document specifies procedures allowing a NAT function to support SCTP by providing similar features to those provided by a NAPT for TCP (see and ), UDP (see and ), and ICMP (see and ). This document also specifies a set of data formats for SCTP packets and a set of SCTP endpoint procedures to support NAT traversal. An SCTP implementation supporting these procedures can assure that in both single-homed and multi-homed cases a NAT function will maintain the appropriate state without the NAT function needing to change port numbers. It is possible and desirable to make these changes for a number of reasons:

It is desirable for SCTP internal end-hosts on multiple platforms to be able to share a NAT function's external IP address in the same way that a TCP session can use a NAT function.
If a NAT function does not need to change any data within an SCTP packet, it will reduce the processing burden of NAT'ing SCTP by not needing to execute the CRC32c checksum used by SCTP.
Not having to touch the IP payload makes the processing of ICMP messages by NAT functions easier.

An SCTP-aware NAT function will need to follow these procedures for generating appropriate SCTP packet formats, this is needed under circumstances detailed in this document and only triggered by the detection of an SCTP packet containing an INIT chunk. When considering SCTP-aware NAT it is possible to have multiple levels of support. At each level, the Internal Host, Remote Host, and NAT function does or does not support the procedures described in this document. The reference configuration for NAT support is depicted in the following figure:

Basic Network Setup In the above the NAT hides Host A whereas Host B is directly connected to the public internet. Host A has a private IP address, NAT and Host B have public IP addresses. The following table illustrates the results of the various combinations of support and if communications can occur between two endpoints with reference to , the NAT adaptation is the one described in the current document. Communication possibilities

Internal Host	NAT Function	Remote Host	Communication
Support	Support	Support	Yes
Support	Support	No Support	Yes
Support	No Support	Support	None
Support	No Support	No Support	None
No Support	Support	Support	Limited
No Support	Support	No Support	Limited
No Support	No Support	Support	None
No Support	No Support	No Support	None

From the table it can be seen that no communication can occur when a NAT function does not support SCTP-aware NAT. This assumes that the NAT function does not handle SCTP packets at all and all SCTP packets sent from behind a NAT function are discarded by the NAT function. In some cases, where the NAT function supports SCTP-aware NAT but the local host does not support the feature, communication can possibly occur in a limited way. For example, only one host can have a connection when a collision case occurs. When a SCTP host is deployed behind a NAT and both support SCTP-aware NAT, the communication will suceed independently from the remote peer.

Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Terminology This document uses the following terms, which are depicted in . Familiarity with the terminology used in and is assumed.

Internal-Address (Int-Addr): An internal address that is known to the internal host.
Internal-Port (Int-Port): The port number that is in use by the host holding the Internal-Address.
Internal-VTag (Int-VTag): The SCTP Verification Tag (VTag) (see Section 3.1 of ) that the internal host has chosen for an association. The VTag is a unique 32-bit tag that accompanies any incoming SCTP packet for this association to the Internal-Address.
Remote-Address (Rem-Addr): The address that an internal host is attempting to contact.
Remote-Port (Rem-Port): The port number used by the host holding the Remote-Address.
Remote-VTag (Rem-VTag): The Verification Tag (VTag) (see Section 3.1 of ) that the host holding the Remote-Address has chosen for an association. The VTag is a unique 32-bit tag that accompanies any outgoing SCTP packet for this association to the Remote-Address.
External-Address (Ext-Addr): An external address assigned to the NAT function, that it uses as a source address when sending packets towards a Remote-Address.

Motivation and Overview

SCTP NAT Traversal Scenarios This section defines the notion of single and multipoint NAT traversal.

Single Point Traversal In this case, all packets in the SCTP association go through a single NAT function, as shown in .

Single NAT Function Scenario A variation of this case is shown in , i.e., multiple NAT functions in the forwarding path between two endpoints.

Serial NAT Functions Scenario Another case where the Endpoint is ditributed among SCTP Hosts is shown in where multiple Hosts behave as Server and share the same Internal Port. A Load Balancer node supports NAT when a new Association request comes. The description of the Load Balancer function and its interwork with NAT function is out of the scope of this document.

Distributed Endpoint Scenario Although one of the main benefits of SCTP multi-homing is redundant paths, in the single point traversal scenario the NAT function represents a single point of failure in the path of the SCTP multi-homed association. However, the rest of the path can still benefit from path diversity provided by SCTP multi-homing. The two SCTP endpoints in this case can be either single-homed or multi-homed. However, the important thing is that the NAT function in this case sees all the packets of the SCTP association.

Multipoint Traversal This case involves multiple NAT functions and each NAT function only sees some of the packets in the SCTP association. An example is shown in .

Parallel NAT Functions Scenario This case does not apply to a single-homed SCTP association (i.e., both endpoints in the association use only one IP address). The advantage here is that the existence of multiple NAT traversal points can preserve the path diversity of a multi-homed association for the entire path. This in turn can improve the robustness of the communication.

Limitations of Classical NAPT for SCTP Using classical NAPT possibly results in changing one of the SCTP port numbers during the processing, which requires the recomputation of the transport layer checksum by the NAPT function. Whereas for UDP and TCP this can be done very efficiently, for SCTP the checksum (CRC32c) over the entire packet needs to be recomputed (see Appendix B of for details of the CRC32c computation). This would considerably add to the NAT computational burden, even though hardware support can mitigate this in some implementations. An SCTP endpoint can have multiple addresses but only has a single port number to use. To make multipoint traversal work, all the NAT functions involved need to recognize the packets they see as belonging to the same SCTP association and perform port number translation in a consistent way. One possible way of doing this is to use a pre-defined table of port numbers and addresses configured within each NAT function. Other mechanisms could make use of NAT to NAT communication. Such mechanisms have not been deployed on a wide scale base and thus are not a preferred solution. Therefore an SCTP variant of NAT function has been developed and is described in draft-ietf-tsvwg-natsupp-23 that is the version at the current time. This document describes an alternative to that function exploiting most of the same principles. Rather than being radically different, it can be seen as a subset with some limitations but less complex and requiring minor computational effort at the SCTP Endpoints and at the NAT functions (see ).

The SCTP-Specific Variant of NAT In this section it is allowed that there are multiple SCTP capable hosts behind a NAT function that share one External-Address. This section focuses on the single point traversal scenario (see ) as well as on the multipoint trasversal NAT (see ). The modification of outgoing SCTP packets sent from an internal host is simple: the source address of the packets has to be replaced with the External-Address. It might also be necessary to establish some state in the NAT function to later handle incoming packets. Typically, the NAT function has to maintain a NAT binding table of Internal-Port, Remote-Port, Internal-Address, Remote-Address. An entry in that NAT binding table is called a NAT-State control block. The function Create() obtains the just mentioned parameters and returns a NAT-State control block. Create() instantiates a supervision timer on the NAT-State control block that has duration greather than 2 * HB.interval and lower than 4 * HB.interval (see section 15 of ). A NAT function MAY allow creating NAT-State control blocks via a management interface. For SCTP packets coming from the external realm of the NAT function the destination address of the packets has to be replaced with the Internal-Address of the host to which the packet has to be delivered, if a NAT state entry is found. The lookup of the Internal-Address is based on the Remote-Address, Remote-Port and the Internal-Port. The lookup function retarts the Nat-State control block supervision timer. The entries in the NAT binding table need to fulfill some uniqueness conditions. There can not be more than one entry NAT binding table with the same 4-tuple of Internal-Address, Remote-Address, Internal-Port and Remote-Port. NAT is able understanding that the SCTP packet transports an INIT chunk because the SCTP common header will have VTAG=0 (see section 3.1 of ) The processing of outgoing SCTP packets containing an INIT chunk is illustrated in the following figure. This scenario is valid for all message flows in this section. | NAT | <------> | Network | <------> | Host B | +--------+ +-----+ \ / +--------+ \--/\---/ INIT[Initiate-Tag] Int-Addr:Int-Port ------> Rem-Addr:Rem-Port Rem-VTag=0 if lookup(Int-Port, Rem-Port, Rem-Addr) == true if lookup(Int-Addr, Int-Port, Rem-Port, Rem-Addr) == false sendAbort(Rem-Addr, Rem-Port, Int-Addr, Int-Port, M-bit) else Returns(control block) forwardPkt(Ext-Addr, Int-Port, Rem-Addr, Rem-Port) else Create(Int-Port, Rem-Port, Int-Addr, Rem-Addr) Returns(control block) forwardPkt(Ext-Addr, Int-Port, Rem-Addr, Rem-Port) Translates To: INIT[Initiate-Tag] Ext-Addr:Int-Port ------> Rem-Addr:Rem-Port Rem-VTag=0 ]]> In the normal case a NAT binding table entry will be created. However, it is possible that there is already a NAT binding table entry with the same Remote-Address, Internal-Port and Remote-Port but different Internal-Address. In this case the packet containing the INIT chunk MUST be dropped by the NAT and a packet containing an ABORT chunk SHOULD be sent to the SCTP host that originated the packet with the M bit set and 'Port Number Collision' error cause (see for the format). The source address of the packet containing the ABORT chunk MUST be the destination address of the packet containing the INIT chunk. In case that there's already a a NAT binding table entry with the same Remote-Address, Internal-Port, Remote-Port and the same Internal-Address, meaning that the INIT chunk is a new attempt for the same Association, the NAT entry is reused. The processing of outgoing SCTP packets containing chunks other than INIT is described in the following figure. | NAT | <------> | Network | <------> | Host B | +--------+ +-----+ \ / +--------+ \--/\---/ Int-Addr:Int-Port ------> Rem-Addr:Rem-Port Rem-VTag if lookup(Int-Port, Rem-Port, Rem-Addr) == false Create(Int-Port, Rem-Port, Int-Addr, Rem-Addr) Returns(control block) forwardPkt(Ext-Addr, Int-Port, Rem-Addr, Rem-Port) Translates To: Ext-Addr:Int-Port ------> Rem-Addr:Rem-Port Rem-VTag ]]> The processing of incoming SCTP packets containing an INIT chunk is illustrated in the following figure. This scenario is valid for all message flows in this section. | NAT | <------> | Network | <------> | Host B | +--------+ +-----+ \ / +--------+ \--/\---/ INIT [Initiate-Tag] Ext-Addr:Int-Port <---- Rem-Addr:Rem-Port Int-VTag=0 if lookup(Int-Port, Rem-Port, Rem-Addr) == true Returns(control block) forwardPkt(Rem-Addr, Rem-Port, Int-Addr, Int-Port) else if INIT contains RJ option send INIT-ACK to the INIT source else Create(Int-Port, Rem-Port, Int-Addr, Rem-Addr) Returns(control block) forwardPkt(Rem-Addr, Rem-Port, Int-Addr, Int-Port) Translates To: INIT[Initiate-Tag] Int-Addr:Int-Port <------ Rem-Addr:Rem-Port Int-VTag=0 ]]> When INIT chunk contains the RJ option set, it's a duplicate of the INIT used for establishing the association. In such case the reason for RJ option is to be recognized by the NAT function that will reply to the sender instead of the SCTP Host. This allows the SCTP Endpoint to be distributed among hosts, and since the NAT function cannot arbitraly choose among hosts, it takes the role of the unknown host in answering to the INIT issuer so that it can proceed with the ASCONF handshake and extend the association. The final step of setting the path between the NAT function and the unknown host will be completed by the host receiving ASCONF and sending an INIT with RJ option towards the remote peer. The processing of incoming SCTP packets containing chunk different than INIT is illustrated in the following figure. The Lookup() function has as input the Remote-Address, Remote-Port and the Internal-Port. It returns the corresponding entry of the NAT binding table. | NAT | <------> | Network | <------> | Host B | +--------+ +-----+ \ / +--------+ \--/\---/ Ext-Addr:Int-Port <---- Rem-Addr:Rem-Port Int-VTag if lookup(Int-Port, Rem-Port, Rem-Addr) == true Returns(NAT-State control block containing Int-Addr) forwardPkt(Ext-Addr, Int-Port, Rem-Addr, Rem-Port) Translates To: Int-Addr:Int-Port <------ Rem-Addr:Rem-Port Int-VTag ]]> In the case where the Lookup function fails because it does not find an entry, the SCTP packet is dropped.

Compatibility and increamental deployment The current proposal for adding SCTP-capable NAT function is meant to provide backwards compatibility in both involved functionality and being compatible with legacy SCTP remote terminations that doesn't implement it. The compatibility at NAT tracking mechanism allows the NAT functionto be able hiding also SCTP stack that doesn't implement the current specfication, at the same time an SCTP stack implementing the current specification canbe deployed in a NAT scenario where the NAT doesn't implement it. In either cases the SCTP termination will be accomplished with limitations as described earlier. The compatibility at network level is proposed in a way that makes it possible deploying a cluster of SCTP termination behind a NAT function still with full compatibility towards legacy networking. As an example, the scenario described in shows Host A being hidden by NAT and Host B being directly connected to the internet. In such case only Host A and NAT need to implement the current specification whilst Host B can neglect it. The same applies to more complex scenarios such as the ones shown in or in .

Differences with Current NAT Support Draft This section describes the differences with the existing draft-ietf-tsvwg-natsupp. From a functional perspective, the major difference between is in the compatibility towards legacy SCTP hosts. The NAT-adaptation specified in this document allows interoperability between SCTP hosts even when the remote peer hasn't implemented it. Not even is mandatory that all the NAT devices in the path do implement it as long as they allow SCTP packets to pass through transparently. On the existing draft-ietf-tsvwg-natsupp, the specification needs to be implemented on all SCTP Hosts and all NAT devices in the network in order to work. The main technical difference is that the NAT function is simpler and doesn't require explicit handling of NAT missing states. Actually in this proposal NAT doesn't need to parse all the SCTP payloads. NAT only parses INIT chunks, filtering of SCTP packets containing INIT chunks is based on checking the SCTP Common Header and discriminate the behavior based on Verification Tag = 0, that indicates the SCTP packet contains an INIT chunk. The NAT supervises the association by means of a timer, if no SCTP packets are seen within a certain time, NAT assumes that the association is closed and will remove the related NAT-entry. The other difference is in the role of the SCTP User. In the current proposal it's up to the SCTP User to change the originating Endpoint (i.e. choose a different port number) if collision is detected. The current proposal guarantees that at each node being in a path belonging to an association, there will be only one 4-uple describing that association, that means the NAT doesn't need to take care of VTAG.

Data Formats This section defines the formats used to support NAT traversal. and describe chunks and error causes sent by NAT functions and received by SCTP endpoints. describes parameters sent by SCTP endpoints and used by NAT functions and SCTP endpoints.

Modified Chunks This section presents existing chunks defined in for which additional flags are specified by this document.

Extended ABORT Chunk 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 6 | Reserved |M|T| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ \ / zero or more Error Causes / \ \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The ABORT chunk is extended to add the new 'M bit'. The M bit indicates to the receiver of the ABORT chunk that the chunk was not generated by the peer SCTP endpoint, but instead by a middle box (e.g., NAT). [NOTE to RFC-Editor: Assignment of M bit to be confirmed by IANA.]

Extended ERROR Chunk 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 9 | Reserved |M|T| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ \ / zero or more Error Causes / \ \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The ERROR chunk defined in is extended to add the new 'M bit'. The M bit indicates to the receiver of the ERROR chunk that the chunk was not generated by the peer SCTP endpoint, but instead by a middle box. [NOTE to RFC-Editor: Assignment of M bit to be confirmed by IANA.]

Extended INIT-ACK Chunk 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 2 | Reserved |M|T| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ \ / zero or more Error Causes / \ \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The INIT ACK chunk defined in is extended to add the new 'M bit'. The M bit indicates to the receiver of the INIT-ACK chunk that the chunk was not generated by the peer SCTP endpoint, but instead by a middle box. [NOTE to RFC-Editor: Assignment of M bit to be confirmed by IANA.]

New Error Causes This section defines the new error causes added by this document.

Port Number Collision Error Cause 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Cause Code = 0x00B2 | Cause Length = Variable | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ Chunk / / \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Cause Code: 2 bytes (unsigned integer): This field holds the IANA defined cause code for the 'Port Number Collision' Error Cause. IANA is requested to assign the value 0x00B2 for this cause code.
Cause Length: 2 bytes (unsigned integer): This field holds the length in bytes of the error cause. The value MUST be the length of the Cause-Specific Information plus 4.
Chunk: variable length: The Cause-Specific Information is filled with the chunk that caused this error. This can be an INIT, INIT ACK, or ASCONF chunk. Note that if the entire chunk will not fit in the ERROR chunk or ABORT chunk being sent then the bytes that do not fit are truncated.

[NOTE to RFC-Editor: Assignment of cause code to be confirmed by IANA.]

New Parameters This section defines new parameters and their valid appearance defined by this document.

Repetita Juvant Parameter Repetita Juvant is a latin phase standing for "repeating does good". It's sually said as a jocular remark to defend the speaker's (or writer's) choice to repeat some important piece of information to ensure reception by the audience. The RJ Parameter is used as Optional Parameter in the INIT chunk. The RJ parameter is used to indicate that INIT chunk is the repetition of an already sent one even if it comes from a different source address. It's used from either peers before sending ASCONF in order to setup the NATs in the path. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 0xXXXX | Length = 8 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Procedures for SCTP Endpoints and NAT Functions If an SCTP endpoint is behind an SCTP-aware NAT, a number of problems can arise as it tries to communicate with its peers:

IP addresses can not be included in the SCTP packet. This is discussed in .
More than one host behind a NAT function could select the same source port number when initiating an association with the same peer server. This creates a situation where the NAT function will not be able to forward the INIT chunk. This situation is discussed in .
A restart of a NAT function during a conversation could cause a loss of its state. This problem and its solution is discussed in .
NAT functions need to deal with SCTP packets being fragmented at the IP layer. This is discussed in .
An SCTP endpoint can be behind two NAT functions in parallel providing redundancy. The method to set up this scenario is discussed in .

The mechanisms to solve these problems require additional chunks and parameters, defined in this document, and modified handling procedures from those specified in as described below.

Association Setup Considerations for Endpoints The association setup procedure defined in allows multi-homed SCTP endpoints to exchange its IP-addresses by using IPv4 or IPv6 address parameters in the INIT and INIT ACK chunks. However, this does not work when NAT functions are present. Every association setup from a host behind a NAT function MUST NOT use multiple internal addresses. The INIT chunk MUST NOT contain an IPv4 Address parameter, IPv6 Address parameter, or Supported Address Types parameter. The INIT ACK chunk MUST NOT contain any IPv4 Address parameter or IPv6 Address parameter using non-global addresses. The INIT chunk and the INIT ACK chunk MUST NOT contain any Host Name parameters. If the association is intended to be finally multi-homed, the procedure in MUST be used.

Association Setup Considerations for NAT When Endpoint is Distributed, NAT needs the cooperation of a Load Balancer function for handling incoming and outgoing Association Requests. It's up to the Load Balancer internal design the strategy for permitting a Distributed Endpoint to handle the traffic. Functionally, it's important that Load Balancer provides NAT a way for assigning Associations to multiple SCTP Hosts.

Handling of Internal Port Number Collisions Consider the case where two hosts in the Internal-Address space want to set up an SCTP association with the same service provided by some remote host. This means that the Remote-Port is the same. If they both choose the same Internal-Port the NAT function will experience collision when receiving the INIT and trying to create an Entry in the NAT Tables. In such case NAT will send an ABORT chunk with M-bit set to the SCTP Client. Since it's up to the SCTP User Application to choose the Internal Port, it may be that an Association chooses the Internal Port from the ephemeral port range at random (see ), this would make the probability for Port Number Collision low. At the Association initialization, the Client will experience one out of three alternative answers from the network:

INIT-ACK from the peer, this means a viable path exists between peers, all the involved NATs have NAT tables properly configured and the Association can be established.
ABORT with M-bit set from one of the NATs within the path, this means that the Association cannot be established. The SCTP User application SHOULD decide whether to retry with a different Internal Port or to give up. The way SCTP and the SCTP User interact in this case is implementation dependent.
ABORT from the remote peer.

The way SCTP and SCTP User Application interact can be either:

An application can request a specific local port number (in the socket API, using bind() with a non-zero port number) and in case of a local port number collision, the connection setup has to fail. It is up to the application to close() the socket and restart from the beginning.
An application leaves the local port number selection up to the SCTP stack (in the socket socket API by either calling bind() with a zero port number or not calling bind() at all before calling connect() or sendto()). However, once the port number is chosen, it can not be changed. So in case of a local port number collision, the association setup has to fail. It is up to the application to close() the socket and restart from the beginning.
An application leaves the local port number selection up to the SCTP stack (in the socket socket API by either calling bind() with a zero port number or not calling bind() at all before calling connect() or sendto()). In addition, it indicates that the SCTP can change the local port number over time (in the socket API this would be calling an IPPROTO_SCTP level new socket option). In this case, the SCTP stack can automatically retry a connection setup in case of an local port number collision.

NAT Function Considerations NAT function checks for collision only on packets containing INIT chunk. If the NAT function detects a collision of internal port numbers, it SHOULD send a packet containing an ABORT chunk with the M bit set. The M bit is a new bit defined by this document to express to SCTP that the source of this packet is a "middle" box, not the peer SCTP endpoint (see ). the source and destination address and port numbers MUST be swapped. The sender of the packet containing an ERROR or ABORT chunk MUST include the error cause with cause code 'Port Number Collision' (see ). If the INIT chunk contains the RJ option the NAT function MUST NOT forward the INIT chunk to the SCTP Host but it MUST reply to the remote peer with INIT-ACK chunk with the M bit set. The M bit is a new bit defined by this document to express to SCTP that the source of this packet is a "middle" box (see ). The information contained in INIT-ACK chunk SHOULD be copied from the INIT chunk. The value for Initiate Tag and Initial TSN MAY be chosen random.

Endpoint Considerations The sender of the packet containing the INIT chunk upon reception of a packet containing an ABORT chunk with M bit set and the appropriate error cause code for colliding NAT binding table state is included, SHOULD evaluate the reason for ABORT. If the reason is "Port Number Collision" it SHOULD reinitiate the association setup procedure after choosing a new Internal Port.

Handling of Missing State

NAT Function Considerations When experiencing a restart, the NAT function will start handling SCTP packets with time difference between the ones containing INIT chunks and all the other ones. Handling of SCTP packets containing INIT chunks will start at least 4 * HB.interval after handling other SCTP packets (see section 15 of ). This avoids race condition between the recreation of existing Entries in the NAT Table and the creation of new ones from new Association requests. If the NAT function receives a packet not containing an INIT chunk from the internal network for which the lookup procedure does not find an entry in the NAT binding table, it must create an Entry for that packet and forward it. If the NAT function receives a packet not containing an INIT chunk from the external network for which the lookup procedure does not find an entry in the NAT binding table, it must silently drop it.

Endpoint Considerations Upon restart of a NAT function, the endpoint will experience connectivity interruption, depending on the Association state it will keep on retrying sending SCTP packets containint DATA chunks or HB chunks. Since the longest interval between SCTP packets is HB.interval, it will be able restoring the connectivity at most 2 * HB.interval after NAT function is back at work. If the Endpoint is trying to establish an Association, it will experience a longer connectivity unavalilability of more than 4 * HB.interval as NAT needs to rebuild the NAT Table with the existing Associations first.

Handling of Fragmented SCTP Packets by NAT Functions SCTP minimizes the use of IP-level fragmentation. However, it can happen that using IP-level fragmentation is needed to continue an SCTP association. For example, if the path MTU is reduced and there are still some DATA chunk in flight, which require packets larger than the new path MTU. If IP-level fragmentation can not be used, the SCTP association will be terminated in a non-graceful way. See for more information about IP fragmentation. Therefore, a NAT function MUST be able to handle IP-level fragmented SCTP packets. The fragments MAY arrive in any order. When an SCTP packet can not be forwarded by the NAT function due to MTU issues and the IP header forbids fragmentation, the NAT MUST send back a "Fragmentation needed and DF set" ICMPv4 or PTB ICMPv6 message to the internal host. This allows for a faster recovery from this packet drop.

Multipoint Traversal Considerations for Endpoints If a multi-homed SCTP endpoint behind a NAT function connects to a peer, it MUST first set up the association single-homed with only one destination address causing the first NAT function to populate its state. Once an Association has been created, it's possible to add further external IP addresses for the peer to use, but before adding each IP address it must be created the needed set of Entries in all NAT functions towards all the peer's IP addresses. An INIT chunk containing a RJ option (see ) SHOULD be sent towards all peers IP addresses using a path selector that is expected to result in another external addres than association creation. The reason why an INIT chunk with RJ option set is to be used is for permitting the remote to be able discriminating between a request for a new Association in case of Distributed Endpoint. The result from that INIT is according to the given rules for Association setup (see ) and can cause collision. The reception of INIT ACK confirms that the path from the new IP address and the remote one is available and that all the NATs involved are properly configured. In case INIT ACK has M-bit set, the remote Endpoint is distributed. After succefull confirmation, the Endpoint SHOULD add each IP address using packets containing ASCONF chunks sent via their respective NAT functions. The address used in the Add IP address parameter is the wildcard address (0.0.0.0 or ::0) and the address parameter in the ASCONF chunk SHOULD also contain the VTags parameter. When an Endpoint gets a new Remote IP Address added to an Association, it SHOULD send INIT chunks with RJ option towards from all its own IP Addresses towards that address in order to properly set all the NATs in the path.

NAT Function Considerations NAT function differentiates the behavior towards INIT chunk depending on the RJ option. If the RJ option exists and the packet contains an incoming INIT chunk, the NAT function SHOULD NOT forward the INIT chunk towards the SCTP Host, it shall reply instead with an INIT ACK chunk with the M-bit set. ). NAT function SHOULD create INIT ACK data by using the parameters from the received INIT chunk.

Endpoint Considerations When the Endpoint receives an INIT chunk with RJ option set, it will ignore the RJ option and handle INIT as in the legacy case. The Endpoint originating INIT chunk with RJ option set can receive different answers:

When receiving INIT ACK, it will assume the NATs on the path are properly set and the Endpoint can continue with the ASCONF procedure.
When receiving as ABORT with M-bit set, it shall assume that a path is not possible to be established. The Endpoint SHOULD retry after a time greather than 4 * HB.interval.
When receiving an ABORT without M-bit set, it shall assume that some temporary NAT configuration has led the INIT towards the wrong SCTP Host. The Endpoint SHOULD retry after a time greather than 4 * HB.interval.

Path Probing considerations The SCTP protocol relies on continous path probing by means of data sending or using the Heartbeat mechanism as specified in section 5.4 of The adoption of the NAT mechanisms as described in this document introduces a criticality in the Path Probing mechanism of SCTP. The problem happens when, due to network problem, one or more secondary paths belonging to an Association will experience timeout in Path probing so than in some of the NAT functions used in the path there's no SCTP traffic for the given Association, causing the NAT entry to be canceled because of supervision timeout. It is recommended that before sending HEARTBEAT to an UNCONFIRMED address, an INIT chunk with RJ paramter set is sent so that NAT functions in the path can setup entries in the NAT tables properly.

Examples of Operation This section describes examples of Association Establishements using the reference scenario depicted in . Hosts A1 and A2 implement a distributed client towards the same remote Host. Hosts B1 and B2 implement a distributed Endpoint 'B' acting as Server. The Load Balancer functionality is not shown as it doesn't affect SCTP protocol.

Parallel NAT with distributed endpoints Scenario Internal | External | Internal +------+ +------+ +==|NAT A |==\ /--\/--\ /==|NAT C |==+ +--------+ | +------+ \ / \ / +------+ | +--------+ |Host A1 +---+ | \/ \/ | +-----|Host B1 | | +-+ | | | Network | | | +--+ | +--------+ | | | /\ /\ | | | +--------+ | | +------+ / \ / \ +------+ | | +====|NAT B |==/ \--\/--/ \==|NAT D |=====+ | | +------+ +------+ | | +--------+ | | | | | | +--------+ |Host A2 +-|-+ | | +--|--+Host B2 | | +-+ | | +--+ | +--------+ | | +--------+

Single Homed Association Setup This section describes a successfull Association Establishment from A1 towards the distributed endpoint B. The sequence chart is shown in .

Single Homed successfull Association Setup A1 A2 NAT A NAT B NAT C NAT D B1 B2 | | | | | | | | +--------------}| INIT | | | | | | | +----------------------}| | | | | | | | +----------------------}| | | | | | | | | | | | | | |{----------------------+ | | | |{----------------------+ | | | |{--------------+ INIT ACK | | | | | | | | | | | | |

Single Homed Association Setup with Collision This section describes a successfull Association Establishment from A2 towards the distributed endpoint B. The collision happens at NAT A. The sequence chart is shown in .

Single Homed successfull Association Setup after congestion A1 A2 NAT A NAT B NAT C NAT D B1 B2 | | | | | | | | | +------}| INIT | | | | | | |{------+ ABORT | | | | | | | | | | | | | | +------}| INIT | | | | | | | +----------------------}| | | | | | | | +----------------------------}| | | | | | | | | | | | | |{----------------------------+ | | |{----------------------+ | | | | {-------+ INIT ACK | | | | | | | | | | | | |

Multi Homed Association Setup This section describes how the single homed established at becomes multihomed. Note that the decision for what peer has to handle the INIT message requires support of Load Balancer. It's assumed that a Load Balancer exists and provides NAT with the right information. Success happens at all steps. .

Multi Homed successfull Association Setup A1 A2 NAT A NAT B NAT C NAT D B1 B2 | | | | | | | | +--------------------------}| INIT RJ | | | | | | | +----------}| | | | | | | |{----------+ | | | |{--------------------------+ INIT ACK | | | | | | | | | | | | +--------------------------}| ASCONF | | | | | | | +----------}| | | | | | | | +----------------------}| | | | | | |{----------------------+ | | | | |{----------+ | | | |{--------------------------+ ASCONF ACK| | | | | | | | | | | | | | | | INIT RJ |{----------------------+ | | | | |{----------+ | | | | | | +----------}| | | | | | | | INIT ACK +----------------------}| | | | | | | | | |

Multi Homed Association Setup This section describes how the multihome homed established at becomes multihomed from the other peer. Success happens at all steps. .

Multi Homed successfull Association Setup A1 A2 NAT A NAT B NAT C NAT D B1 B2 | | | | | | | | | | | | INIT RJ | |{----------+ | | | |{----------------------------------+ | | | | +----------------------------------}| | | | | | | INIT ACK | +----------}| | | | | | INIT RJ | |{----------+ | | | | |{----------------------+ | | | | | +----------------------}| | | | | | | INIT ACK | +----------}| | | | | | | | | | | | | | ASCONF | |{----------+ | | | |{----------------------------------+ | | |{--------------+ | | | | | +--------------}| | ASCONF ACK| | | | | | +----------------------------------}| | | | | | | | +----------}| | | | | | | | | | +--------------}| | INIT RJ | | | | | | +----------------------------------}| | | | | |{----------------------------------+ | | |{--------------+ | INIT ACK | | | | | | | | | | | | +--------------------------}| INIT RJ | | | | | | | +----------------------}| | | | | | |{----------------------+ | | |{--------------------------+ INIT ACK | | | | | | | | | | | |

IANA Considerations [NOTE to RFC-Editor: "RFCXXXX" is to be replaced by the RFC number you assign this document.] [NOTE to RFC-Editor: The requested values for the chunk type and the chunk parameter types are tentative and to be confirmed by IANA.] This document (RFCXXXX) is the reference for all registrations described in this section. The requested changes are described below.

New Chunk Flags for Two Existing Chunk Types As defined in two chunk flags have to be assigned by IANA for the ERROR chunk. The requested value for the T bit is 0x01 and for the M bit is 0x02. This requires an update of the "ERROR Chunk Flags" registry for SCTP: ERROR Chunk Flags

Chunk Flag Value	Chunk Flag Name	Reference
0x01	T bit	[RFCXXXX]
0x02	M bit	[RFCXXXX]
0x04	Unassigned
0x08	Unassigned
0x10	Unassigned
0x20	Unassigned
0x40	Unassigned
0x80	Unassigned

As defined in one chunk flag has to be assigned by IANA for the ABORT chunk. The requested value of the M bit is 0x02. This requires an update of the "ABORT Chunk Flags" registry for SCTP: ABORT Chunk Flags

Chunk Flag Value	Chunk Flag Name	Reference
0x01	T bit	[RFC4960]
0x02	M bit	[RFCXXXX]
0x04	Unassigned
0x08	Unassigned
0x10	Unassigned
0x20	Unassigned
0x40	Unassigned
0x80	Unassigned

Four New Error Causes Four error causes have to be assigned by IANA. It is requested to use the values given below. This requires Four additional lines in the "Error Cause Codes" registry for SCTP: Error Cause Codes

Value	Cause Code	Reference
176	VTag and Port Number Collision	[RFCXXXX]
177	Missing State	[RFCXXXX]
178	Port Number Collision	[RFCXXXX]
179	VTag Not Found	[RFCXXXX]

Two New Chunk Parameter Types Two chunk parameter types have to be assigned by IANA. IANA is requested to assign these values from the pool of parameters with the upper two bits set to '11' and to use the values given below. This requires two additional lines in the "Chunk Parameter Types" registry for SCTP: Chunk Parameter Types

ID Value	Chunk Parameter Type	Reference
49159	Disable Restart (0xC007)	[RFCXXXX]
49160	VTags (0xC008)	[RFCXXXX]

Security Considerations State maintenance within a NAT function is always a subject of possible Denial Of Service attacks. This document recommends that at a minimum a NAT function runs a timer on any SCTP state so that old association state can be cleaned up. Generic issues related to address sharing are discussed in and apply to SCTP as well. For SCTP endpoints not disabling the restart procedure, this document does not add any additional security considerations to the ones given in , , and . SCTP endpoints disabling the restart procedure, need to monitor the status of all associations to mitigate resource exhaustion attacks by establishing a lot of associations sharing the same IP addresses and port numbers. In any case, SCTP is protected by the verification tags and the usage of against off-path attackers. For IP-level fragmentation and reassembly related issues see .

Setting a low timeout for SCTP mapping entries to cause failures to deliver incoming SCTP packets.
Instantiating mapping entries to cause NAT collision.

Normative References Informative References

Acknowledgments The author wishes to thank , and for their invaluable comments. In addition, the author wishes to thank , for their suggestions. The author also wishes to thank the authors of draft-ietf-tsvwg-natsupp-22 which this document is based.