Monday, 11 June 2018

Port Control Protocol (PCP) is a computer networking protocol that allows hosts on IPv4 or IPv6 networks to control how incoming IPv4 or IPv6 packets are translated and forwarded by an upstream router that performs network address translation (NAT) or packet filtering. By allowing hosts to create explicit port forwarding rules, the handling of network traffic can be easily configured to make hosts placed behind NATs or firewalls reachable from the rest of the Internet (so they can also act as network servers), which is a requirement for many applications.

Additionally, the explicit port forwarding rules available through PCP allow hosts to reduce the amount of traffic they generate by eliminating workarounds in the form of outgoing NAT keepalive messages, which are otherwise required for maintaining connections to servers and for various NAT traversal techniques such as TCP hole punching. At the same time, generating less traffic reduces power consumption, directly improving the battery runtime of mobile devices.

PCP was standardized in 2013 as a successor to the NAT Port Mapping Protocol (NAT-PMP), with which it shares similar protocol concepts and packet formats.

Overview

Many applications and network equipment deployments require their network location to be reachable from outside their local network, following the original model of end-to-end IP connectivity across the Internet, so that they can operate as network servers and accept connections from remote clients. An example of such equipment is an IP camera, which includes a network server that provides remote surveillance over an IP network.

Typically, deployments of network equipment place the device behind a router or firewall that performs NAT (to allow sharing of IPv4 addresses, for example) or packet filtering (to improve network security and protection); this ends up breaking end-to-end connectivity and renders the equipment and applications unreachable from the rest of the Internet.

The problem

Making deployed equipment reachable, by extending its server role beyond the local network, requires either manual configuration of port forwarding at the network gateway (which is usually a customer-premises equipment (CPE) device), or application-level workarounds in which the deployed equipment initiates connections to additional intermediary servers that are used to "merge" those connections with actual clients through "hole punching" of the firewall. Both approaches have drawbacks: manual CPE configuration is usually either inconvenient or impossible, while using additional intermediary servers increases complexity and cost.

For example, online computer games (acting as clients) require communication with game servers for exchanging game data such as player movements, various related parameters, and so on. In order for the game server to deliver such updated game data to online clients, the clients must be reachable by the server. Typically, a client initiates the connection to the game server, creating an implicit mapping that provides the server with the required communication channel. However, such connections may become inactive and be subsequently closed by network gateways, which leads to the need to maintain them using some form of keepalive messages.

Keeping client-initiated implicit mappings alive is necessary because network gateways remove such mappings once they become idle, as a result of treating them as ordinary client connections; such implicit mappings are preserved by sending keepalive messages through the NAT or firewall device. Thus, keeping such connections alive requires a constant exchange of otherwise useless keepalive messages between clients and servers, a workaround that increases network chatter, wastes network bandwidth and CPU cycles, and reduces the autonomy of battery-powered devices. In addition, some network applications (FTP, for example) require the dynamic opening of multiple connections, which involves application-level gateways (ALGs) and further increases complexity.

PCP as a solution

PCP allows equipment and applications to create explicit mappings between an external IP address, protocol and port, and an internal IP address, protocol and port. With such explicit mappings in place, inbound communication can reach hosts behind a NAT or firewall, which either extends their server role beyond the local network boundaries, or makes the use of various services simpler and less resource-consuming. Created mappings are permanent to the extent of having a known lifetime that can be extended, similar to the way Dynamic Host Configuration Protocol (DHCP) implements its leases. At the same time, PCP allows applications to create additional mappings dynamically as needed, which reduces or eliminates the need for ALG-enabled NAT devices and firewalls.

Created explicit mappings have a known lifetime, usually several hours, with no application-level keepalive messages required to be exchanged between hosts and servers for the purpose of preserving the mapping. As a result, network usage and power consumption are reduced, and application-level keepalive logic no longer needs to be implemented on the client and server sides. A PCP mapping response provides the application with the externally visible parameters (IP address, protocol and port), which can then be announced to other clients in an application-specific way so that inbound connections can be established. In addition, PCP can inform applications when the external IP address changes while a mapping is already established.

Various types of NAT can be handled by PCP, providing support for NAT64, NAT66 and NAT44; inclusion of PCP in IPv4 and IPv6 firewall devices is also supported. PCP is designed to be used both on large-scale aggregation points (for example, as part of a carrier-grade NAT) and in less expensive consumer-grade devices. Both long-term mappings (for an IP camera or temperature sensor acting as a server, for example) and short-term mappings (while playing an online computer game, for example) are supported.

PCP supports transport-layer protocols that use 16-bit port numbers (for example, TCP, UDP, Stream Control Transmission Protocol (SCTP) or Datagram Congestion Control Protocol (DCCP)). Protocols that do not use port numbers (for example, Resource Reservation Protocol (RSVP), Encapsulating Security Payload (ESP), ICMP or ICMPv6) are supported for IPv4 firewall, IPv6 firewall and NPTv6 (IPv6 prefix translation) functions, but cannot be supported for more than one client per external IP address in the case of NAT.

The PCP specification does not define a mechanism for handling multi-homed networks (which have multiple network gateways or default routes). It is however possible to implement PCP in such networks by using a coordination mechanism such as conntrackd. However, if each network has its own external IP address, a particular PCP mapping can only use one or the other, because the protocol requires a single specific external IP address to be assigned to the client. If that network then becomes unavailable, the PCP mapping must be updated to use the external IP address of the other network.

History

PCP was standardized in 2013 as a successor to the NAT Port Mapping Protocol (NAT-PMP), sharing similar protocol concepts and packet formats with it. As one design difference, NAT-PMP is pretty much limited to deployment on consumer-grade devices, while PCP is designed to also support carrier-grade equipment. Since 2005, NAT-PMP has been implemented in various Apple products.

NAT-PMP is related to the Internet Gateway Device Protocol (IGDP), which was standardized in 2001 as part of the Universal Plug and Play (UPnP) specification. While IGDP is complex and tailored for manual configuration, NAT-PMP is designed for simplicity and for use within software applications.

Security

Excluding attackers capable of altering the network packets exchanged while explicit PCP mappings are created (packets containing the negotiation required for creating explicit mappings, exchanged between hosts and PCP-enabled NAT devices or firewalls), PCP is considered secure as long as the explicit mappings being created do not exceed the domain of implicit mappings. In other words, implicit mappings are created as a result of the way NAT devices and firewalls handle regular outgoing client connections, meaning that PCP is secure as long as the explicit mapping mechanism introduces no mappings that could not also have been created implicitly.

From the security standpoint, an important PCP feature is the THIRD_PARTY mapping request option. When used, this option indicates that the IP address specified additionally as part of the mapping request should be used as the internal address of the created explicit mapping, instead of following the default behavior of using the source IP address of the actual mapping request packet for that purpose. Such mapping requests can end up with a PCP-enabled NAT device or firewall creating explicit mappings that exceed the domain of implicit mappings, because of unknown rules enforced elsewhere for the specified IP address being circumvented, allowing an attacker to steal traffic or conduct denial-of-service (DoS) attacks.

In addition, an explicit PCP security mechanism is available as an extension to the PCP protocol, providing authentication and access control mechanisms through an authenticated and integrity-protected in-band signaling channel, which relies on the Extensible Authentication Protocol (EAP) for authentication between the devices involved in a PCP negotiation session. Such PCP-enabled NAT devices or firewalls may still accept unauthenticated mapping requests; at the same time, all of the explicit mapping constraints described above still apply.

Internals

Internally, PCP works by exchanging control messages between hosts and PCP-enabled NAT devices or firewalls (referred to as servers), using the User Datagram Protocol (UDP) as the underlying protocol. This communication consists of port mapping requests created by hosts, which result in responses once they are submitted to and processed by the server. Following the unreliable nature of UDP, meaning that UDP datagrams can be lost, duplicated or reordered, there is no guarantee of any response after a request is submitted, so host requests are also referred to as "hints". In addition to direct responses, servers also generate gratuitous notifications, for example unicast notifications to inform hosts of changes in the external IP address.

Exchanged messages contain no means for determining which transaction they belong to, or which stage of a "session" they represent. Such a simplified design is based on having all messages self-describing and complete, with no additional context required for each message to be successfully processed. The server may decide to silently ignore host requests if it is unable to process them at the moment; in that case, the host needs to retransmit the request. Also, hosts may safely decide to silently ignore any unwanted mapping responses.

For the purpose of creating PCP requests, the IP address of the server is either manually configured on the host, found as part of the host's DHCP lease, or set to the host's configured default gateway. Host request messages are sent from any source UDP port on the client to UDP port 5351 on the server, where it listens; unsolicited multicast notifications from the server (such as server restart announcements) are sent from UDP port 5351 on the server to UDP port 5350 on the hosts, where they listen.

The maximum UDP payload length for all PCP messages is 1100 octets. Each PCP message consists of a request or response header containing an opcode that specifies the associated operation, any relevant opcode-specific information (such as which ports are to be mapped), and zero or more options (such as the THIRD_PARTY option described above). A result code is returned as part of the server's response; each result code has an associated lifetime, which informs hosts when certain operations may be retried or should be repeated. For example, a result lifetime can specify how long a failure condition is expected to persist, or how long a created mapping will remain in place.
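As an added, self-contained example (not code from the original article or from any PCP implementation), the following Python builds a PCP MAP request with the header, opcode-specific data and option layout described in this section, and applies the server-side checks a defender would want on it: the RFC 6887 requirement that the client IP field match the packet's source address, and a policy of refusing the THIRD_PARTY option from the Security section unless it has been explicitly enabled. The field layouts, opcode and result-code values are those of RFC 6887; the addresses and ports are constructed test values, and the THIRD_PARTY policy is this example's choice.

```python
import ipaddress
import os
import struct

# Constants from RFC 6887; the article gives the 1100-octet limit, the code values are the RFC's.
PCP_VERSION, OPCODE_MAP, OPT_THIRD_PARTY, MAX_PCP_MSG = 2, 1, 1, 1100
SUCCESS, UNSUPP_VERSION, NOT_AUTHORIZED, MALFORMED_REQUEST = 0, 1, 2, 3
UNSUPP_OPCODE, MALFORMED_OPTION, ADDRESS_MISMATCH = 4, 6, 12


def ip16(addr):
    """Encode an address as PCP's 16-byte field (IPv4 as an IPv4-mapped IPv6 address)."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address(f"::ffff:{ip}").packed if ip.version == 4 else ip.packed


def build_map_request(client_ip, proto, internal_port, lifetime, third_party=None):
    """Client side: 24-byte request header, 36-byte MAP data, optional THIRD_PARTY option."""
    header = struct.pack("!BBHI", PCP_VERSION, OPCODE_MAP, 0, lifetime) + ip16(client_ip)
    # MAP data: 96-bit nonce, protocol, reserved, internal port, suggested external port/IP (zero)
    map_data = os.urandom(12) + struct.pack("!B3xHH", proto, internal_port, 0) + bytes(16)
    option = b""
    if third_party:  # option header (code, reserved, length) + the 16-byte internal address
        option = struct.pack("!BBH", OPT_THIRD_PARTY, 0, 16) + ip16(third_party)
    return header + map_data + option


def server_decide(packet, src_ip, allow_third_party=False):
    """Server side: return the result code for a MAP request received from src_ip."""
    if not 60 <= len(packet) <= MAX_PCP_MSG or len(packet) % 4:
        return MALFORMED_REQUEST
    version, opcode, _, _ = struct.unpack("!BBHI", packet[:8])
    if version != PCP_VERSION:
        return UNSUPP_VERSION
    if opcode & 0x7F != OPCODE_MAP:  # the top bit is the R (response) flag
        return UNSUPP_OPCODE
    # The client IP field must equal the packet's source address; a mismatch means either
    # a NAT sits between client and server or the field was forged (constructed policy: reject).
    if packet[8:24] != ip16(src_ip):
        return ADDRESS_MISMATCH
    offset = 60  # options start after the header and the MAP data
    while offset < len(packet):
        code, _, length = struct.unpack("!BBH", packet[offset:offset + 4])
        offset += 4 + (length + 3) // 4 * 4  # option data is padded to a multiple of 4 octets
        if offset > len(packet):
            return MALFORMED_OPTION
        # Policy choice for this example: never map another host's address unless enabled.
        if code == OPT_THIRD_PARTY and not allow_third_party:
            return NOT_AUTHORIZED
    return SUCCESS
```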

See also

  • DMZ (computing): a subnet that contains and exposes external-facing services to a larger, untrusted network
  • Hole punching (networking): establishing a direct connection between two parties that are both behind firewalls or NAT-enabled routers
  • Universal Plug and Play
  • Internet Gateway Device Protocol

External links

  • Port Control Protocol (PCP): Related document (IETF)
  • Port Control Protocol (PCP): Charter for Working Groups (IETF)

Source of the article: Wikipedia