MIDCOM WG R. Mahy Internet-Draft Airespace Expires: August 2, 2005 Feb 2005 Pre-Midcom Requirements for Traversal of NATs for traffic not supported by STUN draft-mahy-midcom-premidcom-relay-reqs-02.txt Status of this Memo This document is an Internet-Draft and is subject to all provisions of section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 2, 2005. Copyright Notice Copyright (C) The Internet Society (2005). Abstract STUN (Simple Traversal of UDP for NATS) specifies a mechanism which enables nodes in a private network to determine if they are behind a NAT, to discover their remapped address and port, and for many types of NATs to send UDP traffic through them. In addition TCP connections initiated from the private side of NATs already works. This document specifies requirements for a mechanism that enables traversal of expected TCP traffic through all NATs, and traversal of Mahy Expires August 2, 2005 [Page 1] Internet-Draft Premidcom NAT Traversal Feb 2005 UDP traffic through symmetric NATs. Table of Contents 1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Security Considerations . . . . . . . . . . . . . . . . . . . 4 4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 4 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 4 5.1 Normative References . . . . . . . . . . . . . . . . . . . . 4 5.2 Informative References . . . . . . . . . . . . . . . . . . . 4 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 5 Intellectual Property and Copyright Statements . . . . . . . . 6 Mahy Expires August 2, 2005 [Page 2] Internet-Draft Premidcom NAT Traversal Feb 2005 1. Overview STUN [1] (Simple Traversal of UDP for NATS) specifies a mechanism which enables nodes in a private network to determine if they are behind a NAT. It also allows STUN Clients to discover their address as viewed from a STUN Server. For full cone, address-restricted cone, and port-restricted cone NATs, this knowledge allows the STUN client to receive UDP traffic. (Nodes behind a NAT can initiate TCP connections and send UDP traffic without the need for any additional protocol). In order to allow nodes on the private side of a NAT to receive incoming TCP connections and to receive UDP traffic through a symmetric NAT, some type of simple relay-based solution is necessary. This document describes the requirements such a solution need to provide a useful service which does not prolong the life of IPv4. A proposal for a solution meeting these requirements is described in [3] 2. Requirements 1. Passes bidirectional UDP through one or two NATs, at least one of which may be symmetric or port-restricted 2. Allows "expected" TCP connection from a single source to be received by a user behind a NAT. 3. The implementation of the previous requirement (relay of TCP traffic) must not interfere with TLS 4. Prevents the node on the private network from running a server (can't receive multiple connections on the same well known port). 5. The implementation allows nodes to reference the relay session/stream/connection by an identifier which is unique to the stream and which is valid in the public Internet (i.e. globally unique) 6. Works where the endpoints and relay server are all IPv4 endpoints 7. Works where the private endpoint is IPv4 and another is IPv6, when the relay supports both IPv4 and IPv6. 8. The originator of the relay session can terminate the relay session 9. The originator of the relay session can determine the relay timeout interval 10. The relay should be able to open a port number such that the actual address and port of one end of the relay is not fixed until the first packet arrives from that end. 11. The relay can "passthrough" UDP traffic (in the case of a symmetric NAT) to a known IP address and UDP port number 12. The relay does not forward TCP connections originating from inside a NAT. Presumably, a node on the inside of the NAT can already originate outgoing connections. Mahy Expires August 2, 2005 [Page 3] Internet-Draft Premidcom NAT Traversal Feb 2005 13. Supports strong authentication and message integrity of control traffic 14. Does not attempt to protect data traffic 15. Does not require data traffic to be modified or escaped in any way 16. Existing end-to-end integrity and encryption of data traffic is encouraged and must still work through the solution 17. Needs the ability to reserve a port on the relay for future use 18. Needs the ability to promote a reserved port to a full mapping. When two nodes are behind different NATs, this allows one to obtain a port before use. It also enables nodes an opportunity to attempt allocation of contiguous ports for applications which require this behavior (for example RTP and RTCP). 19. Need ability to release a reserved port. 20. Supports a keepalive, so that the client does not have to send traffic to keep the mapping active 21. Does not increase packet sizes for data traffic. 22. Allows for the client to indicate how much bandwidth they expect to use, so that the server can do policing if needed. 23. Allows for the server to redirect the client to a different server. 3. Security Considerations Security-related requirements are discussed in the body of the document. 4. Acknowledgments Thanks to Jonathan Rosenberg for his comments. 5. References 5.1 Normative References [1] Rosenberg, J., Weinberger, J., Huitema, C. and R. Mahy, "STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)", RFC 3489, March 2003. [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 5.2 Informative References [3] Rosenberg, J., "Traversal Using Relay NAT (TURN)", draft-rosenberg-midcom-turn-06 (work in progress), October 2004. Mahy Expires August 2, 2005 [Page 4] Internet-Draft Premidcom NAT Traversal Feb 2005 Author's Address Rohan Mahy Airespace 110 Nortech Pkwy San Jose, CA 95134 USA EMail: rohan@ekabal.com Mahy Expires August 2, 2005 [Page 5] Internet-Draft Premidcom NAT Traversal Feb 2005 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Mahy Expires August 2, 2005 [Page 6]