Port Control Protocol (PCP) Authentication Mechanism

The information below is for an old version of the document
Document Type Expired Internet-Draft (pcp WG)
Last updated 2013-04-22 (latest revision 2012-10-19)
Stream IETF
Intended RFC status (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream WG state WG Document
Document shepherd None
IESG IESG state Expired
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


An IPv4 or IPv6 host can use the Port Control Protocol (PCP) to flexibly manage the IP address and port mapping information on Network Address Translators (NATs) or firewalls, to facilitate communications with remote hosts. However, the un-controlled generation or deletion of IP address mappings on such network devices may cause security risks and should be avoided. In some cases the client may need to prove that it is authorized to modify, create or delete PCP mappings. This document proposes an in-band authentication mechanism for PCP that can be used in those cases. The Extensible Authentication Protocol (EAP) is used to perform authentication between PCP devices.


Margaret Cullen (mrw@painless-security.com)
Sam Hartman (hartmans@painless-security.com)
Dacheng Zhang (zhangdacheng@huawei.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)