idnits 2.17.1 draft-ietf-mpls-in-udp-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list. -- The document date (December 12, 2013) is 3786 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC6830' is defined on line 412, but no explicit reference was found in the text ** Obsolete normative reference: RFC 6347 (Obsoleted by RFC 9147) -- Obsolete informational reference (is this intentional?): RFC 6830 (Obsoleted by RFC 9300, RFC 9301) Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network working group X. Xu 2 Internet Draft Huawei 3 Category: Standard Track N. Sheth 4 Juniper 5 L. Yong 6 Huawei 7 C. Pignataro 8 Cisco 9 Y. Fan 10 China Telecom 12 Expires: June 2014 December 12, 2013 14 Encapsulating MPLS in UDP 16 draft-ietf-mpls-in-udp-04 18 Abstract 20 This document specifies an IP-based encapsulation for MPLS, called 21 MPLS-in-UDP (User Datagram Protocol). 23 Status of this Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on June 12, 2014. 40 Copyright Notice 42 Copyright (c) 2013 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction ................................................ 3 58 1.1. Existing Encapsulations ................................ 3 59 1.2. Motivations for MPLS-in-UDP Encapsulation .............. 4 60 2. Terminology ................................................. 4 61 3. Encapsulation in UDP......................................... 4 62 4. Processing Procedures ....................................... 6 63 5. Congestion Considerations ................................... 6 64 6. Security Considerations ..................................... 7 65 7. IANA Considerations ......................................... 8 66 8. Contributors ................................................ 8 67 9. Acknowledgements ............................................ 9 68 10. References ................................................. 9 69 10.1. Normative References .................................. 9 70 10.2. Informative References ................................ 9 71 Authors' Addresses ............................................ 10 73 1. Introduction 75 This document specifies an IP-based encapsulation for MPLS, i.e. 76 MPLS-in-UDP (User Datagram Protocol), which is applicable in some 77 circumstances where IP-based encapsulation for MPLS is required and 78 further fine-grained load balancing of MPLS packets over IP 79 networks over Equal Cost Multi-Path (ECMP) and/or Link Aggregation 80 Groups (LAG) is required as well. There are already IP-based 81 encapsulations for MPLS that allow for fine-grained load balancing 82 by using some special field in the encapsulation header as an 83 entropy field. However, MPLS-in-UDP can be advantageous since some 84 networks have used the UDP port number fields as a basis for load- 85 balancing solutions for some time. This is similar to why LISP [RFC 86 6830] uses UDP encapsulation. 88 Like other IP-based encapsulation methods for MPLS, this 89 encapsulation allows for two Label Switching Routers (LSR) to be 90 adjacent on a Label Switched Path (LSP), while separated by an IP 91 network. In order to support this encapsulation, each LSR needs to 92 know the capability to decapsulate MPLS-in-UDP by the remote LSRs. 93 This specification defines only the data plane encapsulation and 94 does not concern itself with how the knowledge to use this 95 encapsulation is conveyed. Specifically, this capability can be 96 either manually configured on each LSR or be dynamically advertised 97 in manners that are outside the scope of this document. 99 Similarly, the MPLS-in-UDP encapsulation format defined in this 100 document by itself cannot ensure the integrity and privacy of data 101 packets being transported through the MPLS-in-UDP tunnels and 102 cannot enable the tunnel decapsulators to authenticate the tunnel 103 encapsulator. Therefore, in the case where any of the above 104 security issues is concerned, the MPLS-in-UDP SHOULD be secured 105 with IPsec [RFC4301] or DTLS [RFC6347]. For more details, please 106 see section 6 of Security Considerations. 108 1.1. Existing Encapsulations 110 Currently, there are several IP-based encapsulations for MPLS such 111 as MPLS-in-IP, MPLS-in-GRE (Generic Routing Encapsulation) 112 [RFC4023], and MPLS-in-L2TPv3 (Layer Two Tunneling Protocol - 113 Version 3) [RFC4817]. In all these methods, the IP addresses can be 114 varied to achieve load-balancing. 116 All these IP-based encapsulations for MPLS are specified for both 117 IPv4 and IPv6. In the case of IPv6-based encapsulations, the IPv6 118 Flow Label can be used for ECMP and LAGs [RFC6438]. However, there 119 is no such entropy field in the IPv4 header. 121 For MPLS-in-GRE as well as MPLS-in-L2TPv3, protocol fields (the GRE 122 Key and the L2TPv3 Session ID respectively) can be used as the 123 load-balancing key as described in [RFC5640]. For this, core 124 routers need to understand these fields in the context of being 125 used as load-balancing keys. 127 1.2. Motivations for MPLS-in-UDP Encapsulation 129 Currently, most existing routers in IP networks are already capable 130 of distributing IP traffic "microflows" [RFC2474] over ECMPs and/or 131 LAG based on the hash of the five-tuple of User Datagram Protocol 132 (UDP)[RFC768] and Transmission Control Protocol (TCP) packets (i.e., 133 source IP address, destination IP address, source port, destination 134 port, and protocol). By encapsulating the MPLS packets into an UDP 135 tunnel and using the source port of the UDP header as an entropy 136 field, the existing load-balancing capability as mentioned above 137 can be leveraged to provide fine-grained load-balancing of MPLS 138 traffic over IP networks. 140 2. Terminology 142 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 143 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in 144 this document are to be interpreted as described in RFC-2119 145 [RFC2119]. 147 3. Encapsulation in UDP 149 MPLS-in-UDP encapsulation format is shown as follows: 151 0 1 2 3 152 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 153 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 154 | Source Port = Entropy | Dest Port = MPLS | 155 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 156 | UDP Length | UDP Checksum | 157 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 158 | | 159 ~ MPLS Label Stack ~ 160 | | 161 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 162 | | 163 ~ Message Body ~ 164 | | 165 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 167 Source Port of UDP 169 This field contains a 16-bit entropy value that is 170 generated by the ingress PE router. What algorithm is 171 actually used by the ingress PE router to generate an 172 entropy value is outside the scope of this doc. In the 173 case where the flow does not need entropy, this field 174 SHOULD be set to a randomly selected constant value to 175 avoid packet reordering. 177 Destination Port of UDP 179 This field is set to a value allocated by 180 IANA) indicating that the UDP tunnel payload is an MPLS 181 packet using MPLS-in-UDP (TBD1). 183 UDP Length 185 The usage of this field is in accordance with the 186 current UDP specification [RFC768]. 188 UDP Checksum 190 The usage of this field is in accordance with the 191 current UDP specification [RFC768]. To simplify the 192 operation on egress PE routers, this field is 193 RECOMMENDED to be set to zero in IPv4 UDP encapsulation 194 case. In the IPv6 UDP encapsulation case, if 195 appropriate according to the requirements defined in 196 [RFC6935] [RFC6936], this field is also RECOMMENDED to 197 be set to zero. Specifically, if the MPLS payload is 198 Internet Protocol (IPv4 or IPv6) packets, it is 199 RECOMMENDED to be set to zero when the inner packet 200 integrity checks is available. In addition, if the MPLS 201 payload is non-IP packet which is specifically designed 202 for transmission over a lower layer that does not 203 provide a packet integrity guarantee, it is RECOMMENDED 204 to be set to zero as well. Otherwise, using zero 205 checksum is NOT RECOMMENDED. Note that other IP 206 encapsulations for MPLS do not have a checksum in the 207 transport header. 209 MPLS Label Stack 210 This field contains an MPLS Label Stack as defined in 211 [RFC3032]. 213 Message Body 215 This field contains one MPLS message body. 217 4. Processing Procedures 219 This MPLS-in-UDP encapsulation causes MPLS packets to be forwarded 220 through "UDP tunnels". When performing MPLS-in-UDP encapsulation by 221 an ingress PE router, the entropy value would be generated by the 222 ingress PE router and then be filled in the Source Port field of 223 the UDP header. The Destination Port field is set to a value (TBD1 224 for MPLS-in-UDP or TBD2 for MPLS-in-UDP with DTLS) allocated by 225 IANA to indicate that the UDP tunnel payload is an MPLS packet. As 226 for whether the top label in the MPLS label stack is downstream- 227 assigned or upstream-assigned, it SHOULD be determined based on the 228 tunnel destination IP address. That is to say, if the destination 229 IP address is a multicast address, the top label SHOULD be 230 upstream-assigned, otherwise if the destination IP address is a 231 unicast address, it SHOULD be downstream-assigned. 233 As such, P routers, upon receiving these UDP encapsulated packets, 234 could balance these packets based on the hash of the five-tuple of 235 UDP packets. 237 Upon receiving these UDP encapsulated packets, egress PE routers 238 would decapsulate them by removing the UDP headers and then process 239 them accordingly. 241 As for other common processing procedures associated with tunneling 242 encapsulation technologies including but not limited to Maximum 243 Transmission Unit (MTU) and preventing fragmentation and reassembly, 244 Time to Live (TTL) and differentiated services, the corresponding 245 "Common Procedures" defined in [RFC4023] which are applicable for 246 MPLS-in-IP and MPLS-in-GRE encapsulation formats SHOULD be followed. 248 5. Congestion Considerations 250 MPLS can carry a number of different protocols as payloads. When an 251 MPLS/UDP flow carries IP-based traffic, the aggregate traffic is 252 assumed to be TCP friendly due to the congestion control mechanisms 253 used by the payload traffic. Packet loss will trigger the necessary 254 reduction in offered load, and no additional congestion avoidance 255 action is necessary. When an MPLS/UDP flow carries payload traffic 256 that is not known to be TCP friendly and the flow runs across an 257 unprovisioned path that could potentially become congested, the 258 application that uses the encapsulation specified in this document 259 MUST employ additional mechanisms to ensure that the offered load 260 is reduced appropriately during periods of congestion. This is not 261 necessary in the case of an unprovisioned path through an over- 262 provisioned network, where the potential for congestion is avoided 263 through the over-provisioning of the network. 265 6. Security Considerations 267 Just like other IP-based encapsulations of MPLS, the MPLS-in-UDP 268 encapsulation format defined in this document by itself cannot 269 ensure the integrity and privacy of data packets being transported 270 through the MPLS-in-UDP tunnels and cannot enable the tunnel 271 decapsulators to authenticate the tunnel encapsulator. In the case 272 where any of the above security issues is concerned, the MPLS-in- 273 UDP tunnels SHOULD be secured with IPsec or DTLS. If the tunnel is 274 secured with IPsec, the UDP header would not be visible to P 275 routers anymore. As a result, the meaning of adopting MPLS-in-UDP 276 encapsulation format as an alternative to MPLS-in-GRE and MPLS-in- 277 IP encapsulation formats is lost. If DTLS is used, the destination 278 port of the UDP header will be filled with a value (TBD2) 279 indicating MPLS with DTLS and the source port can still be used as 280 an entropy field. 282 If the tunnels are not secured with IPsec or DTLS, some other 283 method should be used to ensure that packets are decapsulated and 284 forwarded by the tunnel tail only if those packets were 285 encapsulated by the tunnel head. If the tunnel lies entirely within 286 a single administrative domain, address filtering at the boundaries 287 can be used to ensure that no packet with the IP source address of 288 a tunnel endpoint or with the IP destination address of a tunnel 289 endpoint can enter the domain from outside. However, when the 290 tunnel head and the tunnel tail are not in the same administrative 291 domain, this may become difficult, and filtering based on the 292 destination address can even become impossible if the packets must 293 traverse the public Internet. Sometimes only source address 294 filtering (but not destination address filtering) is done at the 295 boundaries of an administrative domain. If this is the case, the 296 filtering does not provide effective protection at all unless the 297 decapsulator of an MPLS-in-UDP validates the IP source address of 298 the packet. This document does not require that the decapsulator 299 validate the IP source address of the tunneled packets, but it 300 should be understood that failure to do so presupposes that there 301 is effective destination-based (or a combination of source-based 302 and destination-based) filtering at the boundaries. 304 7. IANA Considerations 306 One UDP destination port number indicating MPLS needs to be 307 allocated by IANA. 309 Service Name : MPLS-in-UDP 311 Transport Protocol(s) : UDP 313 Assignee: IESG 315 Contact : IETF Chair . 317 Description : Encapsulate MPLS packets in UDP tunnels. 319 Reference : This document -- draft-ietf-mpls-in-udp (MPLS WG 320 document). 322 Port Number : TBD1 -- To be assigned by IANA. 324 One UDP destination port number indicating MPLS with DTLS needs to 325 be allocated by IANA. 327 Service Name : MPLS-in-UDP with DTLS 329 Transport Protocol(s) : UDP 331 Assignee: IESG 333 Contact : IETF Chair . 335 Description : Encapsulate MPLS packets in UDP tunnels with DTLS. 337 Reference : This document -- draft-ietf-mpls-in-udp (MPLS WG 338 document). 340 Port Number : TBD2 -- To be assigned by IANA. 342 8. Contributors 344 Zhenbin Li 345 Huawei Technologies, 346 Beijing, China 347 Phone: +86-10-60613676 348 Email: lizhenbin@huawei.com 350 9. Acknowledgements 352 Thanks to Shane Amante, Dino Farinacci, Keshava A K, Ivan Pepelnjak, 353 Eric Rosen, Andrew G. Malis, Kireeti Kompella, Marshall Eubanks, 354 George Swallow, Loa Andersson, Ross Callon, Vivek Kumar, Weiguo Hao, 355 Mark Szczesniak, Zhenxiao Liu and Xing Tong for their valuable 356 comments and suggestions on this document. Thanks to Daniel King, 357 Gregory Mirsky and Eric Osborne for their valuable reviews on this 358 document. Special thanks to Adrian Farrel for his conscientious AD 359 review and insightful suggestion of using DTLS for securing the 360 MPLS-in-UDP tunnels. Thanks to Charlie Kaufman for his Secdir 361 review of this document. 363 10. References 365 10.1. Normative References 367 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 368 Requirement Levels", BCP 14, RFC 2119, March 1997. 370 [RFC768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 371 August 1980. 373 [RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y., 374 Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack 375 Encoding", RFC 3032, January 2001. 377 [RFC4023] Worster, T., Rekhter, Y., and E. Rosen, "Encapsulating 378 MPLS in IP or GRE", RFC4023, March 2005. 380 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 381 Internet Protocol", RFC 4301, December 2005. 383 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 384 Security Version 1.2", RFC 6347, January 2012. 386 10.2. Informative References 388 [RFC4817] M. Townsley, C. Pignataro, S. Wainner, T. Seely and J. 389 Young, "Encapsulation of MPLS over Layer 2 Tunneling 390 Protocol Version 3, March 2007. 392 [RFC5640] Filsfils, C., Mohapatra, P., and C. Pignataro, "Load- 393 Balancing for Mesh Softwires", RFC 5640, August 2009. 395 [RFC6935] Eubanks, M., Chimento, P., and M. Westerlund, "UDP 396 Checksums for Tunneled Packets", RFC6935, 397 Feburary 2013. 399 [RFC6936] Fairhurst, G. and M. Westerlund, "Applicability Statement 400 for the use of IPv6 UDP Datagrams with Zero Checksums", 401 RFC6936, Feburary 2013. 403 [RFC2474] Nichols, K., Blake, S., Baker, F. and D. Black, 404 "Definition of the Differentiated Services Field (DS 405 Field) in the IPv4 and IPv6 Headers", RFC2474, December 406 1998. 408 [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label 409 for Equal Cost Multipath Routing and Link Aggregation 410 in Tunnels", RFC 6438, November 2011. 412 [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The 413 Locator/ID Separation Protocol (LISP)", RFC 6830, 414 January 2013. 416 Authors' Addresses 418 Xiaohu Xu 419 Huawei Technologies 420 Beijing, China 421 Phone: +86-10-60610041 422 Email: xuxiaohu@huawei.com 424 Nischal Sheth 425 Juniper Networks 426 1194 N. Mathilda Ave 427 Sunnyvale, CA 94089 428 Email: nsheth@juniper.net 430 Lucy Yong 431 Huawei USA 432 5340 Legacy Dr. 433 Plano TX75025 434 Phone: 469-277-5837 435 Email: Lucy.yong@huawei.com 437 Carlos Pignataro 438 Cisco Systems 439 7200-12 Kit Creek Road 440 Research Triangle Park, NC 27709 441 USA 442 Email: cpignata@cisco.com 444 Yongbing Fan 445 China Telecom 446 Guangzhou, China. 447 Phone: +86 20 38639121 448 Email: fanyb@gsta.com