Port Control Protocol

Port Control Protocol Overview

Port Control Protocol (PCP) provides a way to control the forwarding of incoming packets by upstream devices, such as NAT44 and firewall devices, and a way to reduce application keepalive traffic. PCP is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICs. Starting in Junos OS Release 17.4R1, PCP for NAPT44 is also supported on the MS-MPC and MS-MIC. Starting in Junos OS Release 18.2R1, PCP on the MS-MPC and MS-MIC supports DS-Lite; in Junos OS Release 18.1 and earlier releases, it does not. Starting in Junos OS Release 20.2R1, PCP for CGNAT DS-Lite services is supported for Next Gen Services.

PCP is designed to be implemented in the context of both Carrier-Grade NATs (CGNs) and small NATs (for example, residential NATs). PCP enables hosts to operate servers for a long time (as in the case of a webcam) or a short time (for example, while playing a game or on a phone call) when behind a NAT device, including when behind a CGN operated by their ISP. PCP enables applications to create mappings from an external IP address and port to an internal IP address and port. These mappings are required for successful inbound communications destined to machines located behind a NAT or a firewall. After a mapping for incoming connections is created, remote computers must be informed about the IP address and port for the incoming connection. This is usually done in an application-specific manner.

Junos OS supports PCP version 2 and version 1.

PCP consists of the following components:

  • PCP client—A host or gateway that issues PCP requests to a PCP server in order to obtain and control resources.

  • PCP server—Typically a CGN gateway or a co-located server that receives and processes PCP requests.

Junos OS enables configuring PCP servers for mapping flows using NAPT44 capabilities such as port forwarding and port block allocation. Flows can be processed from these sources:

  • Traffic containing PCP requests received directly from user equipment, as shown in Figure 1.

    Figure 1: Basic PCP NAPT44 Topology
  • Traffic containing PCP requests originated by a router functioning as a DS-Lite softwire initiator (B4) on behalf of the hosts behind it. This mode, known as DS-Lite plain mode, is shown in Figure 2.

    Figure 2: PCP with DS-Lite Plain Mode
Note

Junos OS does not support deterministic port block allocation for PCP-originated traffic.

Benefits of Port Control Protocol

Many NAT-friendly applications send frequent application-level messages to ensure their sessions are not being timed out by a NAT device. PCP is used to:

  • Reduce the frequency of these NAT keepalive messages

  • Reduce bandwidth on the subscriber's access network

  • Reduce traffic to the server

  • Reduce battery consumption on mobile devices

Port Control Protocol Version 2

Starting with Junos OS Release 15.1, Port Control Protocol (PCP) version 2 is supported, in compliance with RFC 6887. PCP provides a way to control the forwarding of incoming packets by upstream devices, such as NAT44 and firewall devices, and a way to reduce application keepalive traffic. PCP allows applications to create mappings from an external IP address and port to an internal IP address and port. PCP version 2 supports nonce authentication: a nonce payload prevents a replay attack, and it is sent by default unless it is explicitly disabled.

Client nonce verification for version 2 MAP requests that refresh or delete a mapping requires that the server preserve the nonce received in the original MAP request that created the mapping, together with the PCP version of that request. Saving the 12-byte nonce and the 1-byte version adds 13 bytes per PCP mapping. This increase is small compared with the memory a system already uses for a single requested mapping, including the endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF) entries created with it, and in a customer deployment PCP-created mappings are only a fraction of all EIM and EIF mappings.

Before Junos OS Release 15.1, services PICs supported PCP servers on Juniper Networks routers in accordance with PCP draft version 22 (draft-ietf-pcp-base-22, which expired in July 2012) with version 1 message encoding. When PCP was finalized as RFC 6887, the message encoding changed to version 2, adding a random nonce payload that authenticates PEER and MAP requests. A version 1 implementation cannot decode version 2 messages and does not support nonce authentication. In a real-world network, with customer premises equipment (CPE) devices increasingly supporting only version 2, the server must parse and send version 2 messages. Backward compatibility with CPE devices that support only version 1 is maintained, because version negotiation is part of the standard, and the request nonce payload is verified whenever version 2 messages are in use.

The output of the show services pcp statistics command includes the PCP unsupported version field, which is incremented whenever a request's version is neither 1 nor 2. The field PCP request nonce does not match existing mapping counts the PCP version 2 requests that were ignored because the nonce payload did not match the one recorded in the mapping (authentication failed). When version 2 is in use, the client nonce is used for authentication.
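The MAP exchange and the nonce check described above, as an added example that is not part of the original page and not Junos code: a minimal PCP version 2 client and server in Python using the RFC 6887 wire format. The server keeps the client nonce and the request version with each mapping (the 13 bytes mentioned above) and refuses a refresh or delete whose nonce does not match, counting it the way the "PCP request nonce does not match existing mapping" statistic does; the toy replies NOT_AUTHORIZED as RFC 6887 specifies, whereas this topic says Junos ignores the request. It also counts requests whose version it does not support, rejects requests whose client-address field does not match the packet source (ADDRESS_MISMATCH), and models the prefer-failure behaviour for suggested external ports. All addresses, ports, names and the PcpServer class itself are made up for the example; it serves one NAPT44 external address and has no lifetime timers.

```python
import os
import struct
import ipaddress
from dataclasses import dataclass

# Wire constants from RFC 6887: version, MAP opcode, and the result codes used here.
PCP_VERSION, OPCODE_MAP = 2, 1
SUCCESS, UNSUPP_VERSION, NOT_AUTHORIZED, MALFORMED_REQUEST = 0, 1, 2, 3
CANNOT_PROVIDE_EXTERNAL, ADDRESS_MISMATCH = 11, 12
REQ_HDR = "!BBHI16s"       # version, R|opcode, reserved, requested lifetime, client IP (24 bytes)
RESP_HDR = "!BBBBII12s"    # version, R|opcode, reserved, result, lifetime, epoch, reserved (24 bytes)
MAP_BODY = "!12sB3sHH16s"  # 96-bit nonce, protocol, reserved, internal port, ext port, ext IP (36 bytes)


def ip_bytes(ip):
    """PCP carries every address as 128 bits; IPv4 addresses go in IPv4-mapped form."""
    a = ipaddress.ip_address(ip)
    return ipaddress.IPv6Address("::ffff:" + ip).packed if a.version == 4 else a.packed


def ip_str(b):
    a = ipaddress.IPv6Address(b)
    return str(a.ipv4_mapped or a)


def build_map_request(client_ip, internal_port, proto=6, lifetime=3600, nonce=None, ext_port=0):
    """Client side: a version 2 MAP request. A fresh random nonce is drawn unless one is given."""
    nonce = os.urandom(12) if nonce is None else nonce
    hdr = struct.pack(REQ_HDR, PCP_VERSION, OPCODE_MAP, 0, lifetime, ip_bytes(client_ip))
    body = struct.pack(MAP_BODY, nonce, proto, b"\0" * 3, internal_port, ext_port, ip_bytes("::"))
    return hdr + body, nonce


def parse_map_response(pkt):
    _, _, _, result, lifetime, _, _ = struct.unpack(RESP_HDR, pkt[:24])
    nonce, _, _, iport, eport, eip = struct.unpack(MAP_BODY, pkt[24:60])
    return {"result": result, "lifetime": lifetime, "nonce": nonce,
            "internal_port": iport, "external_port": eport, "external_ip": ip_str(eip)}


@dataclass
class Mapping:
    nonce: bytes         # 12-byte client nonce, kept so refresh and delete can be authenticated
    version: int         # version of the creating request; with the nonce, 13 bytes per mapping
    external_port: int
    lifetime: int


class PcpServer:
    """Toy PCP v2 server for one NAPT44 external address (hypothetical; not Junos code)."""

    def __init__(self, external_ip, min_lifetime=120, max_lifetime=86400, prefer_failure=False):
        self.external_ip, self.prefer_failure = external_ip, prefer_failure
        self.min_lifetime, self.max_lifetime = min_lifetime, max_lifetime
        self.mappings = {}                  # (client_ip, protocol, internal_port) -> Mapping
        self.next_port, self.epoch = 1024, 1
        self.stats = {"unsupported_version": 0, "nonce_mismatch": 0}

    def _reply(self, result, lifetime, nonce, proto, iport, eport=0, eip="::"):
        hdr = struct.pack(RESP_HDR, PCP_VERSION, 0x80 | OPCODE_MAP, 0, result, lifetime, self.epoch, b"\0" * 12)
        return hdr + struct.pack(MAP_BODY, nonce, proto, b"\0" * 3, iport, eport, ip_bytes(eip))

    def handle(self, pkt, src_ip):
        """Process one MAP request; src_ip is the address the UDP datagram actually came from."""
        if len(pkt) < 60:
            return self._reply(MALFORMED_REQUEST, 0, b"\0" * 12, 0, 0)
        ver, _, _, req_lifetime, client_ip = struct.unpack(REQ_HDR, pkt[:24])
        nonce, proto, _, iport, sugg_port, _ = struct.unpack(MAP_BODY, pkt[24:60])
        if ver != PCP_VERSION:              # counted like the "PCP unsupported version" statistic
            self.stats["unsupported_version"] += 1
            return self._reply(UNSUPP_VERSION, 0, nonce, proto, iport)
        if ip_str(client_ip) != src_ip:     # client address field does not match the packet source
            return self._reply(ADDRESS_MISMATCH, 0, nonce, proto, iport)
        key = (src_ip, proto, iport)
        existing = self.mappings.get(key)
        # Any refresh or delete of an existing mapping must carry the nonce it was created with.
        if existing is not None and existing.nonce != nonce:
            self.stats["nonce_mismatch"] += 1   # "PCP request nonce does not match existing mapping"
            return self._reply(NOT_AUTHORIZED, 0, nonce, proto, iport)
        if req_lifetime == 0:               # delete; deleting a nonexistent mapping still succeeds
            self.mappings.pop(key, None)
            return self._reply(SUCCESS, 0, nonce, proto, iport)
        lifetime = max(self.min_lifetime, min(self.max_lifetime, req_lifetime))
        if existing is not None:            # refresh keeps the external port already assigned
            existing.lifetime = lifetime
            return self._reply(SUCCESS, lifetime, nonce, proto, iport, existing.external_port, self.external_ip)
        in_use = {m.external_port for m in self.mappings.values()}
        if sugg_port and sugg_port not in in_use:       # honour a free suggested external port
            eport = sugg_port
        elif sugg_port and self.prefer_failure:         # prefer-failure: error instead of another port
            return self._reply(CANNOT_PROVIDE_EXTERNAL, 0, nonce, proto, iport)
        else:
            while self.next_port in in_use:
                self.next_port += 1
            eport, self.next_port = self.next_port, self.next_port + 1
        self.mappings[key] = Mapping(nonce, ver, eport, lifetime)
        return self._reply(SUCCESS, lifetime, nonce, proto, iport, eport, self.external_ip)
```

The ordering in handle matters: the nonce is compared before the lifetime is examined, so a lifetime-0 delete from a host that does not hold the original nonce is rejected rather than silently removing another client's mapping, and the external port survives a correctly authenticated refresh even when the server clamps the requested lifetime to its configured maximum.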

Configuring Port Control Protocol

This topic describes how to configure Port Control Protocol (PCP). PCP is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICs. Starting in Junos OS Release 17.4R1, PCP for NAPT44 is also supported on the MS-MPC and MS-MIC. Starting in Junos OS Release 18.2R1, PCP on the MS-MPC and MS-MIC supports DS-Lite; in Junos OS Release 18.1 and earlier releases, it does not. Starting in Junos OS Release 20.2R1, PCP is supported on the MX-SPC3 security services card for CGNAT services.

Perform the following configuration tasks:

Configuring PCP Server Options

  1. Specify a PCP server name.
  2. Set the IPv4 or IPv6 address of the server. For PCP DS-Lite, the ipv6-address must match the address of the AFTR (Address Family Transition Router, also called the softwire concentrator).

    Note

    Starting in Junos OS Release 18.2R1, PCP on the MS-MPC and MS-MIC supports DS-Lite. In Junos OS Release 18.1 and earlier releases, PCP on the MS-MPC and MS-MIC does not support DS-Lite.

  3. Alternatively, for PCP DS-Lite, provide the name of the DS-Lite softwire concentrator configuration instead of an address.
  4. Specify the minimum and maximum mapping lifetimes for the server.
  5. Specify the time limits for generating short lifetime or long lifetime errors.
  6. (Optional)—Enable PCP options on the specified PCP server. The following options are available: third-party and prefer-failure. The third-party option is required to enable third-party requests by the PCP client; DS-Lite requires the third-party option. The prefer-failure option requests generation of an error message when the PCP client requests a specific IP address/port that is not available, rather than assigning another available address from the NAT pool. If prefer-failure is not specified, NAPT44 assigns an available address/port from the NAT pool based on the configured NAT options.
  7. (Optional)—Specify which NAT pool to use for mapping.
    Note

    When you do not explicitly specify a NAT pool for mapping, the Junos OS performs a partial rule match based on source IP, source port, and protocol, and the Junos OS uses the NAT pool configured for the first matching rule to allocate mappings for PCP.

    You must use explicit configuration in order to use multiple NAT pools.

    For the MX-SPC3 security services card and Next Gen Services, the nat-options statement supports only one pool name to attach to a PCP server.

  8. (Optional)—Configure the maximum number of mappings per client. The default is 32 and maximum is 128.

Configuring a PCP Rule

A PCP rule has the same basic options as all service set rules:

  • A term option that allows a single rule to have multiple applications.

    A term is not required when running the MX-SPC3 security services card for Next Gen Services.

  • A from option that identifies the traffic that is subject to the rule.

  • A then option that identifies what action is to be taken. In the case of a PCP rule, this option identifies the PCP server that handles the selected traffic.

  1. Go to the [edit services pcp rule rule-name] hierarchy level and specify match-direction input.
  2. Go to the [edit services pcp rule rule-name term term-name] hierarchy level and provide a term name.

    This step is not required when running the MX-SPC3 security services card for Next Gen Services.

  3. (Optional)—Provide a from option to filter the traffic to be selected for processing by the rule. When you omit the from option, all traffic handled by the service set’s service interface is subject to the rule. The following options are available at the [edit services pcp rule rule-name term term-name from] hierarchy level:

    application-sets set-name
      Traffic for the application set is processed by the PCP rule. This option is not required when running the MX-SPC3 security services card for Next Gen Services.

    applications [ application-name ]
      Traffic for the application is processed by the PCP rule. This option is not required when running the MX-SPC3 security services card for Next Gen Services.

    destination-address address <except>
      Traffic for the destination address or prefix is processed by the PCP rule. If you include the except option, traffic for the destination address or prefix is not processed by the PCP rule.

    destination-address-range high maximum-value low minimum-value <except>
      Traffic for the destination address range is processed by the PCP rule. If you include the except option, traffic for the destination address range is not processed by the PCP rule.

    destination-port high maximum-value low minimum-value
      Traffic for the destination port range is processed by the PCP rule.

    destination-prefix-list list-name <except>
      Traffic for a destination address in the prefix list is processed by the PCP rule. If you include the except option, traffic for a destination address in the prefix list is not processed by the PCP rule.

    source-address address <except>
      Traffic from the source address or prefix is processed by the PCP rule. If you include the except option, traffic from the source address or prefix is not processed by the PCP rule.

    source-address-range high maximum-value low minimum-value <except>
      Traffic from the source address range is processed by the PCP rule. If you include the except option, traffic from the source address range is not processed by the PCP rule.

    source-prefix-list list-name <except>
      Traffic from a source address in the prefix list is processed by the PCP rule. If you include the except option, traffic from a source address in the prefix list is not processed by the PCP rule.
  4. Set the then option to identify the target PCP server.

Configuring a NAT Rule

To configure a NAT rule:

  1. Configure the NAT rule name and the match direction.
  2. Specify the NAT pool to use.
  3. Configure the translation type.
  4. If you are using PCP with IPv4-to-IPv4 NAT or with DS-Lite, configure endpoint-independent mapping (EIM) and endpoint-independent filtering (EIF).
    Note

    The PCP mappings are not created if you do not configure EIM and EIF with PCP for IPv4-to-IPv4 NAT or for DS-Lite.

Configuring a Service Set to Apply PCP

To use PCP, you must provide the rule name (or name of a list of rule names) in the pcp-rule rule-name option.

  1. Go to the [edit services service-set service-set-name] hierarchy level.
  2. If this is a new service set, provide basic service set information, including interface information and any other rules that may apply.
  3. Specify the name of the PCP rule or rule list used to send traffic to the specified PCP server.
Note

Your service set must also identify any required nat-rule and softwire-rule.

SYSLOG Message Configuration

The syslog class configuration option pcp-logs controls PCP log generation. It provides the following levels of logging:

  • protocol—All logs related to mapping creation and deletion.

  • protocol-error—All protocol error logs, such as mapping refresh failed, PCP lookup failed, and mapping creation failed.

  • system-error—Memory and infrastructure errors.

Monitoring Port Control Protocol Operations

You can monitor Port Control Protocol (PCP) operations with the following operational commands:

  • For MS-MPCs, use the show services nat mappings pcp command.

    Note

    PCP is not supported for Next Gen Services in Junos OS Release 19.3R2.

  • For MS-MPCs, use the show services nat mappings endpoint-independent command.

    For Next Gen Services, use the show services nat source mappings endpoint-independent command.

  • show services pcp statistics protocol

The following are examples of the output of these commands.

user@host> show services nat mappings pcp
user@host> show services nat mappings endpoint-independent
user@host> show services pcp statistics protocol

Example: Configuring Port Control Protocol with NAPT44

Note

PCP is supported on the MS-DPC, MS-100, MS-400, and MS-500 MultiServices PICs. Starting in Junos OS Release 17.4R1, PCP for NAPT44 is also supported on the MS-MPC and MS-MIC.

Requirements

Hardware Requirements

  • UEs with PCP clients.

  • An MX 3D Router with an MS-DPC services PIC.

Software Requirements

  • Junos OS 13.2

  • Layer-3 Services Package

Overview

An ISP wants to enable UEs with PCP clients to maintain connections to servers without timing out. The PCP clients generate PCP requests for the type and duration of the connection they require. Connections may be of a long duration, such as applications using a webcam, or a shorter duration, such as online games. An MX 3D router provides a PCP server to interpret PCP client requests, and NAPT44. Figure 3 shows the basic topology for this example.

Figure 3: PCP with NAPT44

PCP Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Chassis Configuration

Step-by-Step Procedure

To configure the service PIC (FPC 2 Slot 0) with the Layer 3 service package:

  1. Go to the [edit chassis] hierarchy level.
  2. Configure the Layer 3 service package.

Results

user@host# show chassis fpc 2 pic 0

Interface Configuration

Step-by-Step Procedure

  1. Configure the services MS-DPC.
  2. Configure the customer-facing interface used for NAT and PCP services.
  3. Configure the Internet-facing interface.

Results

user@host#

NAT Configuration

Step-by-Step Procedure

  1. Go to the [edit services nat] hierarchy level.
  2. Configure a NAT pool called pcp-pool.
  3. Configure a NAT rule called pcp-rule.

Results

user@host# show services nat

PCP Configuration

Step-by-Step Procedure

To configure the PCP server and PCP rule options:

  1. Go to the [edit services pcp server pcp-s1] hierarchy level.
  2. Configure the PCP server options.
  3. Create the PCP rule.
  4. Configure the PCP rule options.

Results

user@host# show services pcp

Service Set Configuration

Step-by-Step Procedure

  1. Create a service set, sset_0, at the [edit services service-set] hierarchy level.
  2. Identify the NAT rule associated with the service set.
  3. Identify the PCP rule associated with the service set.
  4. Identify the service interface associated with the service set.

Results

user@host# show
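A complete configuration covering the configuration procedure and the NAPT44 example above, as an added example that is not part of the original page and not Juniper's own sample: a services PIC ms-2/0/0 in FPC 2 PIC 0 with the Layer 3 package, a customer-facing interface ge-1/0/0 on 10.0.0.0/24, NAT pool pcp-pool on 203.0.113.0/24, NAT rule pcp-nat with EIM and EIF, PCP server pcp-s1 listening on the customer-facing address with prefer-failure set, PCP rule pcp-r1, and service set sset_0 tying them together. All names, addresses and timer values are assumptions made for this example; the statement names follow the hierarchy described in this topic, and you should confirm them with ? in the CLI for your release before committing.

```junos
chassis {
    fpc 2 {
        pic 0 {
            adaptive-services {
                service-package {
                    layer-3;
                }
            }
        }
    }
}
interfaces {
    ms-2/0/0 {
        unit 0 {
            family inet;
        }
    }
    ge-1/0/0 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
                service {
                    input {
                        service-set sset_0;
                    }
                    output {
                        service-set sset_0;
                    }
                }
            }
        }
    }
}
services {
    nat {
        pool pcp-pool {
            address 203.0.113.0/24;
            port {
                automatic;
            }
        }
        rule pcp-nat {
            match-direction input;
            term t1 {
                from {
                    source-address 10.0.0.0/24;
                }
                then {
                    translated {
                        source-pool pcp-pool;
                        translation-type {
                            napt-44;
                        }
                        /* EIM and EIF are required; without them PCP mappings are not created */
                        mapping-type endpoint-independent;
                        filtering-type {
                            endpoint-independent;
                        }
                    }
                }
            }
        }
    }
    pcp {
        server pcp-s1 {
            /* PCP clients send their requests (UDP port 5351) to this address */
            ipv4-address 10.0.0.1;
            mapping-lifetime-minimum 120;
            mapping-lifetime-maximum 86400;
            short-lifetime-error 30;
            long-lifetime-error 1800;
            pcp-options {
                prefer-failure;
            }
            nat-options {
                pool-name pcp-pool;
            }
            max-mappings-per-client 32;
        }
        rule pcp-r1 {
            match-direction input;
            term t1 {
                from {
                    source-address 10.0.0.0/24;
                }
                then {
                    pcp-server pcp-s1;
                }
            }
        }
    }
    service-set sset_0 {
        nat-rules pcp-nat;
        pcp-rules pcp-r1;
        interface-service {
            service-interface ms-2/0/0;
        }
    }
}
```

The PCP rule and the NAT rule match the same customer prefix so that every client that can create a mapping is also translated by the pool named in nat-options; without that alignment the partial rule match described under Configuring PCP Server Options decides which pool is used. After committing, show services pcp statistics protocol shows whether requests are arriving and whether any are rejected for an unsupported version or a nonce mismatch, and show services nat mappings pcp lists the mappings PCP created.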

Release History Table

Release   Description
20.2R1    Starting in Junos OS Release 20.2R1, PCP for CGNAT DS-Lite services is supported for Next Gen Services.
20.2R1    Starting in Junos OS Release 20.2R1, PCP is supported on the MX-SPC3 security services card for CGNAT services.
18.2R1    Starting in Junos OS Release 18.2R1, PCP on the MS-MPC and MS-MIC supports DS-Lite.
17.4R1    Starting in Junos OS Release 17.4R1, PCP for NAPT44 is also supported on the MS-MPC and MS-MIC.
15.1      Starting with Junos OS Release 15.1, Port Control Protocol (PCP) version 2 is supported, which is in compliance with RFC 6887.