idnits 2.17.1 draft-ietf-intarea-ipv4-id-update-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 2 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. -- The draft header indicates that this document updates RFC2003, but the abstract doesn't seem to directly say this. It does mention RFC2003 though, so this could be OK. -- The draft header indicates that this document updates RFC1122, but the abstract doesn't seem to directly say this. It does mention RFC1122 though, so this could be OK. -- The draft header indicates that this document updates RFC791, but the abstract doesn't seem to directly say this. It does mention RFC791 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC791, updated by this document, for RFC5378 checks: 1981-09-01) -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 14, 2011) is 4792 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 2460 (Obsoleted by RFC 8200) -- Obsolete informational reference (is this intentional?): RFC 2671 (Obsoleted by RFC 6891) -- Obsolete informational reference (is this intentional?): RFC 4960 (Obsoleted by RFC 9260) Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Internet Area WG J. Touch 2 Internet Draft USC/ISI 3 Updates: 791,1122,2003 March 14, 2011 4 Intended status: Proposed Standard 5 Expires: September 2011 7 Updated Specification of the IPv4 ID Field 8 draft-ietf-intarea-ipv4-id-update-02.txt 10 Status of this Memo 12 This Internet-Draft is submitted to IETF in full conformance with the 13 provisions of BCP 78 and BCP 79. 15 This document may contain material from IETF Documents or IETF 16 Contributions published or made publicly available before November 17 10, 2008. The person(s) controlling the copyright in some of this 18 material may not have granted the IETF Trust the right to allow 19 modifications of such material outside the IETF Standards Process. 20 Without obtaining an adequate license from the person(s) controlling 21 the copyright in such materials, this document may not be modified 22 outside the IETF Standards Process, and derivative works of it may 23 not be created outside the IETF Standards Process, except to format 24 it for publication as an RFC or to translate it into languages other 25 than English. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF), its areas, and its working groups. Note that 29 other groups may also distribute working documents as Internet- 30 Drafts. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 The list of current Internet-Drafts can be accessed at 38 http://www.ietf.org/ietf/1id-abstracts.txt 40 The list of Internet-Draft Shadow Directories can be accessed at 41 http://www.ietf.org/shadow.html 43 This Internet-Draft will expire on September 14, 2011. 45 Copyright Notice 47 Copyright (c) 2011 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (http://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the Simplified BSD License. 60 Abstract 62 The IPv4 Identification (ID) field enables fragmentation and 63 reassembly, and as currently specified is required to be unique 64 within the maximum lifetime on all datagrams. If enforced, this 65 uniqueness requirement would limit all connections to 6.4 Mbps. 66 Because this is obviously not the case, it is clear that existing 67 systems violate the current specification. This document updates the 68 specification of the IPv4 ID field in RFC 791, RFC 1122, and RFC 2003 69 to more closely reflect current practice and to more closely match 70 IPv6 so that the field is defined only when a datagram is actually 71 fragmented. It also discusses the impact of these changes on how 72 datagrams are used. 74 Table of Contents 76 1. Introduction...................................................3 77 2. Conventions used in this document..............................3 78 3. The IPv4 ID Field..............................................3 79 4. Uses of the IPv4 ID Field......................................4 80 5. Background on IPv4 ID Reassembly Issues........................5 81 6. Updates to the IPv4 ID Specification...........................6 82 6.1. IPv4 ID Used Only for Fragmentation.......................7 83 6.2. Encourage Safe IPv4 ID Use................................8 84 6.3. IPv4 ID Requirements That Persist.........................9 85 7. Impact on Datagram Use.........................................9 86 8. Updates to Existing Standards.................................10 87 8.1. Updates to RFC 791.......................................10 88 8.2. Updates to RFC 1122......................................11 89 8.3. Updates to RFC 2003......................................11 90 9. Impact on NATs and Tunnel Ingresses...........................12 91 10. Impact on Header Compression.................................13 92 11. Security Considerations......................................13 93 12. IANA Considerations..........................................13 94 13. References...................................................14 95 13.1. Normative References....................................14 96 13.2. Informative References..................................14 97 14. Acknowledgments..............................................15 99 1. Introduction 101 In IPv4, the Identification (ID) field is a 16-bit value that is 102 unique for every datagram for a given source address, destination 103 address, and protocol, such that it does not repeat within the 104 Maximum Segment Lifetime (MSL) [RFC791][RFC1122]. As currently 105 specified, all datagrams between a source and destination of a given 106 protocol must have unique IPv4 ID values over a period of this MSL, 107 which is typically interpreted as two minutes (120 seconds). This 108 uniqueness is currently specified as for all datagrams, regardless of 109 fragmentation settings. 111 The uniqueness of the IPv4 ID is a known problem for high speed 112 devices; if strictly enforced, it would limit the speed of a single 113 protocol between two endpoints to 6.4 Mbps for typical MTUs of 1500 114 bytes [RFC4963]. It is common for a single protocol to operate far in 115 excess of these rates, which strongly indicates that the uniqueness 116 of the IPv4 ID as specified is already moot. 118 This document updates the specification of the IPv4 ID field to more 119 closely reflect current practice, and to include considerations taken 120 into account during the specification of the similar field in IPv6. 122 2. Conventions used in this document 124 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 125 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 126 document are to be interpreted as described in RFC-2119 [RFC2119]. 128 In this document, the characters ">>" proceeding an indented line(s) 129 indicates a requirement using the key words listed above. This 130 convention aids reviewers in quickly identifying or finding this 131 document's explicit requirements. 133 3. The IPv4 ID Field 135 IP supports datagram fragmentation, where large datagrams are split 136 into smaller components to traverse links with limited maximum 137 transmission units (MTUs). Fragments are indicated in different ways 138 in IPv4 and IPv6: 140 o In IPv4, fragments are indicated using four fields of the basic 141 header: Identification (ID), Fragment Offset, a "Don't Fragment" 142 flag (DF), and a "More Fragments" flag (MF) [RFC791] 144 o In IPv6, fragments are indicated in an extension header that 145 includes an ID, Fragment Offset, and MF flag similar to their 146 counterparts in IPv4 [RFC2460] 148 IPv4 and IPv6 fragmentation differs in a few important ways. IPv6 149 fragmentation occurs only at the source, so a DF bit is not needed to 150 prevent downstream devices from initiating fragmentation (i.e., IPv6 151 always acts as if DF=1). The IPv6 fragment header is present only 152 when a datagram has been fragmented, so the ID field is not present 153 for non-fragmented datagrams, and thus is meaningful only for 154 fragments. Finally, the IPv6 ID field is 32 bits, and required unique 155 per source/destination address pair for IPv6, whereas for IPv4 it is 156 only 16 bits and required unique per source/destination/protocol 157 triple. 159 This document focuses on the IPv4 ID field issues, because in IPv6 160 the field is larger and present only in fragments. 162 4. Uses of the IPv4 ID Field 164 The IPv4 ID field was originally intended for fragmentation and 165 reassembly [RFC791]. Within a given source address, destination 166 address, and protocol, fragments of an original datagram are matched 167 based on their IPv4 ID. This requires that IDs are unique within the 168 address/protocol triple when fragmentation is possible (e.g., DF=0) 169 or when it has already occurred (e.g., frag_offset>0 or MF=1). 171 The IPv4 ID field can be useful for other purposes. The field has 172 been suggested as a way to detect and remove duplicate datagrams, 173 e.g., at congested routers, although this has been noted and no 174 current deployments are known (see Sec. 3.2.1.5 of [RFC1122]). It can 175 similarly be used at end hosts to reduce the impact of duplication on 176 higher-layer protocols (e.g., additional processing in TCP, or the 177 need for application-layer duplicate suppression in UDP). 179 The IPv4 ID field can also be used to validate payloads of ICMP 180 responses as matching the originally transmitted datagram at a host 181 [RFC4963]. In this case, the ICMP payload - an IP datagram prefix - 182 is matched against a cache of recently transmitted IP headers to 183 check that the received ICMP reflects a transmitted datagram. At a 184 tunnel ingress, the IPv4 ID enables returning ICMP messages to be 185 matched to a cache of recently transmitted datagrams, to support ICMP 186 relaying, with similar challenges [RFC2003]. 188 Uses of the IPv4 ID field beyond fragmentation and reassembly require 189 that the IPv4 ID be unique across all datagrams, not only when 190 fragmentation is enabled. This document deprecates all such non- 191 fragmentation uses. 193 5. Background on IPv4 ID Reassembly Issues 195 The following is a summary of issues with IPv4 fragment reassembly in 196 high speed environments raised previously [RFC4963]. Readers are 197 encouraged to consult RFC 4963 for a more detailed discussion of 198 these issues. 200 With the maximum IPv4 datagram size of 64KB, a 16-bit ID field that 201 does not repeat within 120 seconds means that the aggregate of all 202 TCP connections of a given protocol between two endpoints is limited 203 to roughly 286 Mbps; at a more typical MTU of 1500 bytes, this speed 204 drops to 6.4 Mbps [RFC4963]. This limit currently applies for all 205 IPv4 datagrams within a single protocol (i.e., the IPv4 protocol 206 field) between two IP addresses, regardless of whether fragmentation 207 is enabled or inhibited, and whether a datagram is fragmented or not. 209 IPv6, even at typical MTUs, is capable of 18.7 Tbps with 210 fragmentation between two endpoints as an aggregate across all 211 protocols, due to the larger 32-bit ID field (and the fact that the 212 IPv6 next-header field, the equivalent of the IPv4 protocol field, is 213 not considered in differentiating fragments). When fragmentation is 214 not used the field is absent, and in that case IPv6 speeds are not 215 limited by the ID field uniqueness. 217 Note also that 120 seconds is only an estimate on the maximum 218 datagram lifetime. It is loosely based on half maximum value of the 219 IP TTL field (255), measured in seconds, because the TTL is 220 decremented not only for each hop, but also for each second a 221 datagram is held at a router (as implied in [RFC791]). Network delays 222 are incurred in other ways, e.g., satellite links, which can add 223 seconds of delay even though the TTL is often not decremented by a 224 corresponding amount. There is thus no enforcement mechanism to 225 ensure that datagrams older than 120 seconds are discarded. 227 Wireless Internet devices are frequently connected at speeds over 54 228 Mbps, and wired links of 1 Gbps have been the default for several 229 years. Although many end-to-end transport paths are congestion 230 limited, these devices easily achieve 100+ Mbps application-layer 231 throughput over LANs (e.g., disk-to-disk file transfer rates), and 232 numerous throughput demonstrations have been performed with COTS 233 systems over wide-area paths at these speeds for over a decade. This 234 strongly suggests that IPv4 ID uniqueness has been moot for a long 235 time. 237 6. Updates to the IPv4 ID Specification 239 This document updates the specification of the IPv4 ID field in three 240 distinct ways, as discussed in subsequent subsections: 242 o Use the IPv4 ID field only for fragmentation 244 o Avoiding a performance impact when the IPv4 ID field is used 246 o Encourage safe operation when the IPv4 ID field is used 248 There are two kinds of datagrams used in the following discussion, 249 named as follows: 251 o Atomic datagrams: datagrams not yet having been fragmented (MF=0 252 and fragment offset=0) and for which further fragmentation has 253 been inhibited (DF=1), i.e., as a C-code expression: 255 (DF==1)&&(MF==0)&&(frag_offset==0) 257 o Non-atomic datagrams: datagrams which have either already been 258 fragmented, i.e.: 260 (MF=1)||(frag_offset>0) 262 or for which fragmentation remains possible: 264 (DF=0) 266 I.e., non-atomic datagrams can be expressed in two equivalent 267 tests: 269 (DF==0)||(MF==1)||(frag_offset>0) 271 which can also be expressed as follows, using DeMorgan's Law and 272 other identities: 274 ~((DF==1)&&(MF==0)&&(frag_offset==0)) 276 Note that this final expression is the same as "not(atomic)". 278 6.1. IPv4 ID Used Only for Fragmentation 280 Although RFC1122 suggests the IPv4 ID field has other uses, this 281 document asserts that this field is defined only for fragmentation 282 and reassembly. 284 o >> IPv4 ID field MUST NOT be used for purposes other than 285 fragmentation and reassembly. 287 This has a few implications. In atomic datagrams, the IPv4 ID field 288 has no meaning, and thus can be set to an arbitrary value, i.e., the 289 requirement for non-repeating IDs within the address/protocol triple 290 is no longer required for atomic datagrams: 292 o >> Originating sources MAY set the IPv4 ID field of atomic 293 datagrams to any value. 295 Second, all network nodes, whether at intermediate routers, 296 destination hosts, or other devices (e.g., NATs, firewalls, tunnel 297 egresses), cannot rely on the field: 299 o >> All devices that examine IPv4 headers MUST ignore the IPv4 ID 300 field of atomic datagrams. 302 The IPv4 ID field is thus meaningful only for non-atomic datagrams - 303 datagrams that have either already been fragmented, or those for 304 which fragmentation remains permitted. Atomic datagrams are detected 305 by their DF, MF, and fragmentation offset fields as explained in 306 Section 6, because such a test is completely backward compatible; 307 this document thus does not reserve any IPv4 ID values, including 0, 308 as distinguished. 310 Deprecating the use of the IPv4 ID field for non-reassembly uses 311 should have little - if any - impact. IPv4 IDs are already frequently 312 repeated, e.g., over even moderately fast connections. Duplicate 313 suppression was only suggested [RFC1122], and no impacts of IPv4 ID 314 reuse have been noted. Routers are not required to issue ICMPs on any 315 particular timescale, and so IPv4 ID repetition should not have been 316 used for validation, and again repetition occurs and probably could 317 have been noticed [RFC1812]. ICMP relaying at tunnel ingresses is 318 specified to use soft state rather than a datagram cache, and should 319 have been noted if the latter for similar reasons [RFC2003]. 321 6.2. Encourage Safe IPv4 ID Use 323 This document makes further changes to the specification of the IPv4 324 ID field and its use to encourage its safe use as corollary 325 requirements changes as follows. 327 RFC 1122 discusses that TCP retransmits a segment it may be possible 328 to reuse the IPv4 ID (see Section 8.2). This can make it difficult 329 for a source to avoid IPv4 ID repetition for received fragments. RFC 330 1122 concludes that this behavior "is not useful"; this document 331 formalizes that conclusion as follows: 333 o >> The IPv4 ID of non-atomic datagrams MUST NOT be reused when 334 sending a copy of an earlier non-atomic datagram. 336 RFC 1122 also suggests that fragments can overlap [RFC1122]. Such 337 overlap can occur if successive retransmissions are fragmented in 338 different ways but the same reassembly IPv4 ID. 340 This overlap is noted as the result of reusing IPv4 IDs when 341 retransmitting datagrams, which this document deprecates. Overlapping 342 fragments are themselves a hazard [RFC4963]. As a result: 344 o >> Overlapping datagrams MUST be silently ignored during 345 reassembly. 347 The IPv4 ID of non-atomic datagrams also needs to remain stable, to 348 ensure that existing fragments are not reassembled incorrectly, as 349 well as to ensure that the uniqueness of the IDs as generated by the 350 source is not undermined. 352 For atomic datagrams, because the IPv4 ID field is ignored on 353 receipt, it can be possible to rewrite the field. Rewriting can be 354 useful to prevent use of the field as a covert channel, or to enable 355 more efficient header compression. However, the IPv4 ID field needs 356 to remain immutable when it is validated by higher layer protocols, 357 such as IPsec. As a result: 359 o >> The IPv4 ID field of non-atomic datagrams, or protected atomic 360 datagrams MUST NOT change in transit; the IPv4 ID field of 361 unprotected atomic datagrams MAY be changed in transit. 363 Protected datagrams are defined as those whose header fields are 364 covered by integrity validation, such as IPsec AH [RFC4302]. 366 6.3. IPv4 ID Requirements That Persist 368 This document does not relax the IPv4 ID field uniqueness 369 requirements of [RFC791] for non-atomic datagrams, i.e.: 371 o >> Sources emitting non-atomic datagrams MUST NOT repeat IPv4 ID 372 values within one MSL for a given source address/destination 373 address/protocol triple. 375 Such sources include originating hosts, tunnel ingresses, and NATs 376 (see Section 9). 378 This document does not relax the requirement that all network devices 379 honor the DF bit, i.e.: 381 o >> IPv4 datagrams whose DF=1 MUST NOT be fragmented. 383 o >> IPv4 datagram transit devices MUST NOT clear the DF bit. 385 In specific, DF=1 prevents fragmenting datagrams that are integral. 386 DF=1 also prevents further fragmenting received fragments. 387 Fragmentation, either of an unfragmented datagram or of fragments, is 388 current permitted only where DF=0 in the original emitted datagram, 389 and this document does not change that requirement. 391 7. Impact on Datagram Use 393 The following is a summary of the recommendations that are the result 394 of the previous changes to the IPv4 ID field specification. 396 Because atomic datagrams can use arbitrary IPv4 ID values, the ID 397 field no longer imposes a performance impact in those cases. However, 398 the performance impact remains for non-atomic datagrams. As a result: 400 o >> Sources of non-atomic IPv4 datagrams MUST rate-limit their 401 output to comply with the ID uniqueness requirements. 403 Such sources include, in particular, DNS over UDP [RFC2671]. 405 Because there is no strict definition of the MSL, reassembly hazards 406 exist regardless of the IPv4 ID reuse interval or the reassembly 407 timeout. As a result: 409 o >> Higher layer protocols SHOULD verify the integrity of IPv4 410 datagrams, e.g., using a checksum or hash that can detect 411 reassembly errors (the UDP checksum is weak in this regard, but 412 better than nothing), as in SEAL [RFC5320]. 414 Additional integrity checks can be employed using tunnels, as in 415 SEAL, IPsec, or SCTP [RFC4301][RFC4960][RFC5320]. Such checks can 416 avoid the reassembly hazards that can occur when using UDP and TCP 417 checksums [RFC4963], or when using partial checksums as in UDP-Lite 418 [RFC3828]. Because such integrity checks can avoid the impact of 419 reassembly errors: 421 o >> Sources of non-atomic IPv4 datagrams using strong integrity 422 checks MAY reuse the ID within MSL values smaller than is typical. 424 Note, however, that such more frequent reuse can still result in 425 corrupted reassembly and poor throughput, although it would not 426 propagate reassembly errors to higher layer protocols. 428 8. Updates to Existing Standards 430 The following sections address the specific changes to existing 431 protocols indicated by this document. 433 8.1. Updates to RFC 791 435 RFC 791 states that: 437 The originating protocol module of an internet datagram sets the 438 identification field to a value that must be unique for that 439 source-destination pair and protocol for the time the datagram 440 will be active in the internet system. 442 And later that: 444 Thus, the sender must choose the Identifier to be unique for this 445 source, destination pair and protocol for the time the datagram 446 (or any fragment of it) could be alive in the internet. 448 It seems then that a sending protocol module needs to keep a table 449 of Identifiers, one entry for each destination it has communicated 450 with in the last maximum datagram lifetime for the internet. 452 However, since the Identifier field allows 65,536 different 453 values, some host may be able to simply use unique identifiers 454 independent of destination. 456 It is appropriate for some higher level protocols to choose the 457 identifier. For example, TCP protocol modules may retransmit an 458 identical TCP segment, and the probability for correct reception 459 would be enhanced if the retransmission carried the same 460 identifier as the original transmission since fragments of either 461 datagram could be used to construct a correct TCP segment. 463 This document changes RFC 791 as follows: 465 o IPv4 ID uniqueness applies to only non-atomic datagrams. 467 o Non-atomic IPv4 datagrams retransmitted by higher level protocols 468 are no longer permitted to reuse the ID value. 470 8.2. Updates to RFC 1122 472 RFC 1122 states that: 474 3.2.1.5 Identification: RFC-791 Section 3.2 476 When sending an identical copy of an earlier datagram, a 477 host MAY optionally retain the same Identification field in 478 the copy. 480 DISCUSSION: 482 Some Internet protocol experts have maintained that when a 483 host sends an identical copy of an earlier datagram, the new 484 copy should contain the same Identification value as the 485 original. There are two suggested advantages: (1) if the 486 datagrams are fragmented and some of the fragments are lost, 487 the receiver may be able to reconstruct a complete datagram 488 from fragments of the original and the copies; (2) a 489 congested gateway might use the IP Identification field (and 490 Fragment Offset) to discard duplicate datagrams from the 491 queue. 493 This document changes RFC 1122 as follows: 495 o The IPv4 ID field is no longer permitted for duplicate detection. 497 o The IPv4 ID field is no longer repeatable for higher level 498 protocol retransmission. 500 o IPv4 datagram fragments no longer are permitted to overlap. 502 8.3. Updates to RFC 2003 504 This document updates how IPv4-in-IPv4 tunnels create IPv4 ID values 505 for the IPv4 outer header [RFC2003], but only in the same way as for 506 any other IPv4 datagram source. 508 9. Impact on NATs and Tunnel Ingresses 510 Network address translators (NATs) and address/port translators 511 (NAPTs) rewrite IP fields, and tunnel ingresses (using IPv4 512 encapsulation) copy and modify some IPv4 fields, so all are 513 considered sources, as do any devices that rewrite any portion of the 514 source address, destination address, protocol, and ID tuple for non- 515 atomic datagrams [RFC3022]. As a result, they are subject to all the 516 requirements of any source, as has been noted. 518 NATs present a particularly challenging situation for fragmentation. 519 Because NATs overwrite portions of the reassembly tuple in both 520 directions, they can destroy tuple uniqueness and result in a 521 reassembly hazard. Whenever IPv4 source address, destination address, 522 or protocol fields are modified, a NAT needs to ensure that the ID 523 field is generated appropriately, rather than simply copied from the 524 incoming datagram. In specific: 526 o >> NATs MUST ensure that the IPv4 ID field of datagrams whose 527 address or protocol are translated comply with requirements as if 528 the datagram were sourced by the NAT. 530 This compliance means that the IPv4 ID field of non-atomic datagrams 531 translated at a NAT need to obey the uniqueness requirements of any 532 IPv4 datagram source. Unfortunately, fragments already violate that 533 requirement, as they repeat an IPv4 ID within the MSL for a given 534 source address, destination address, and protocol triple. 536 Such problems with transmitting fragments through NATs are already 537 known; translation is based on the transport port number, which is 538 present in only the first fragment anyway [RFC3022]. This document 539 underscores the point that not only is reassembly (and possibly 540 subsequent fragmentation) required for translation, it can be used to 541 avoid issues with IPv4 ID uniqueness. 543 Note that NATs/NAPTs already need to exercise special care when 544 emitting datagrams on their public side, because merging datagrams 545 from many sources onto a single outgoing source address can result in 546 IPv4 ID collisions. This situation precedes this document, and is not 547 affected by it. It is exacerbated in large-scale, so-called "carrier 548 grade" NATs [Pe11]. 550 Tunnel ingresses act as sources for the outermost header, but tunnels 551 act as routers for the inner headers (i.e., the datagram as arriving 552 at the tunnel ingress). Ingresses can fragment as originating sources 553 of the outer header, because they control the uniqueness of that IPv4 554 ID field. They need to avoid fragmenting the datagram at the inner 555 header, for the same reasons as any intermediate device, as noted 556 elsewhere in this document. 558 10. Impact on Header Compression 560 Header compression algorithms already accommodate various ways in 561 which the IPv4 ID changes between sequential datagrams. Such 562 algorithms currently need to preserve the IPv4 ID. 564 When compression can assume a nonchanging IPv4 ID, efficiency can be 565 increased. However, when compression assumes a changing ID as a 566 default, having a non-changing ID can make compression less efficient 567 (see footnote 21 of [RFC1144], which is optimized for non-atomic 568 datagrams). This document thus does not recommend whether atomic IPv4 569 datagrams should use nonchanging or changing IDs, but rather allows 570 those IDs to be modified in transit (as per Sec. 6.2), which can be 571 used to accommodate more efficient compression as desired. 573 11. Security Considerations 575 This document attempts to address the security considerations 576 associated with fragmentation in IPv4 [RFC4459]. 578 When the IPv4 ID is ignored on receipt (e.g., for atomic datagrams), 579 its value becomes unconstrained; that field then can more easily be 580 used as a covert channel. For some atomic datagrams - notably those 581 not protected by IPsec Authentication Header (AH) [RFC4302] - it is 582 now possible, and may be desirable, to rewrite the IPv4 ID field to 583 avoid its use as such a channel. 585 The IPv4 ID also now adds much less entropy of the header of a 586 datagram. The IPv4 ID had previously been unique (for a given 587 source/address pair, and protocol field) within one MSL, although 588 this requirement was not enforced and clearly is typically ignored. 589 IDs of non-atomic datagrams are now required unique only within the 590 expected reordering of fragments, which could substantially reduce 591 the amount of entropy in that field. The IPv4 ID of atomic datagrams 592 is not required unique, and so contributes no entropy to the header. 594 The deprecation of the IPv4 ID field's uniqueness for atomic 595 datagrams can defeat the ability to count devices behind a NAT 596 [Be02]. This is not intended as a security feature, however. 598 12. IANA Considerations 600 There are no IANA considerations in this document. 602 The RFC Editor should remove this section prior to publication 604 13. References 606 13.1. Normative References 608 [RFC791] Postel, J., "Internet Protocol", RFC 791 / STD 5, September 609 1981. 611 [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - 612 Communication Layers", RFC 1122 / STD 3, October 1989. 614 [RFC1812] Baker, F. (Ed.), "Requirements for IP Version 4 Routers", 615 RFC 1812 / STD 4, Jun. 1995. 617 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 618 Requirement Levels", RFC 2119 / BCP 14, March 1997. 620 [RFC2003] Perkins, C., "IP Encapsulation within IP", RFC 2003, 621 October 1996. 623 13.2. Informative References 625 [Be02] Bellovin, S., "A Technique for Counting NATted Hosts", 626 Internet Measurement Conference, Proceedings of the 2nd ACM 627 SIGCOMM Workshop on Internet Measurement, November 2002. 629 [Pe11] Perreault, S., (Ed.), I. Yamagata, S. Miyakawa, A. 630 Nakagawa, H. Ashida, "Common requirements of IP address 631 sharing schemes", (work in progress), draft-ietf-behave- 632 lsn-requirements, March 2011. 634 [RFC1144] Jacobson, V., "Compressing TCP/IP Headers", RFC 1144, Feb. 635 1990. 637 [RFC2460] Deering, S., R. Hinden, "Internet Protocol, Version 6 638 (IPv6) Specification", RFC 2460, December 1998. 640 [RFC2671] Vixie,P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, 641 August 1999. 643 [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network 644 Address Translator (Traditional NAT)", RFC 3022, January 645 2001. 647 [RFC3828] Larzon, L-A., M. Degermark, S. Pink, L-E. Jonsson, Ed., G. 648 Fairhurst, Ed., "The Lightweight User Datagram Protocol 649 (UDP-Lite)", RFC 3828, July 2004. 651 [RFC4301] Kent, S., K. Seo, "Security Architecture for the Internet 652 Protocol", RFC 4301, Dec. 2005. 654 [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, Dec. 2005. 656 [RFC4459] Savola, P., "MTU and Fragmentation Issues with In-the- 657 Network Tunneling", RFC 4459, April 2006. 659 [RFC4960] Stewart, R. (Ed.), "Stream Control Transmission Protocol", 660 RFC 4960, Sep. 2007. 662 [RFC4963] Heffner, J., M. Mathis, B. Chandler, "IPv4 Reassembly 663 Errors at High Data Rates," RFC 4963, July 2007. 665 [RFC5320] Templin, F., Ed., "The Subnetwork Encapsulation and 666 Adaptation Layer (SEAL)", RFC 5320, Feb. 2010. 668 14. Acknowledgments 670 This document was inspired by of numerous discussions among the 671 authors, Jari Arkko, Lars Eggert, Dino Farinacci, and Fred Templin, 672 as well as members participating in the Internet Area Working Group. 673 Detailed feedback was provided by Carlos Pignataro and Gorry 674 Fairhurst. This document originated as an Independent Stream draft 675 co-authored by Matt Mathis, PSC, and his contributions are greatly 676 appreciated. 678 This document was prepared using 2-Word-v2.0.template.dot. 680 Author's Address 682 Joe Touch 683 USC/ISI 684 4676 Admiralty Way 685 Marina del Rey, CA 90292-6695 686 U.S.A. 688 Phone: +1 (310) 448-9151 689 Email: touch@isi.edu