idnits 2.17.1 draft-ietf-mpls-in-udp-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 121 characters in excess of 72. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 24, 2014) is 3444 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200) ** Obsolete normative reference: RFC 6347 (Obsoleted by RFC 9147) -- Obsolete informational reference (is this intentional?): RFC 5405 (Obsoleted by RFC 8085) -- Obsolete informational reference (is this intentional?): RFC 6830 (Obsoleted by RFC 9300, RFC 9301) Summary: 3 errors (**), 0 flaws (~~), 1 warning (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group X. Xu 3 Internet-Draft Huawei Technologies 4 Intended status: Informational N. Sheth 5 Expires: April 27, 2015 Juniper Networks 6 L. Yong 7 Huawei USA 8 C. Pignataro 9 Cisco Systems 10 Y. Fan 11 China Telecom 12 R. Callon 13 Juniper Networks 14 D. Black 15 EMC Corporation 16 October 24, 2014 18 Encapsulating MPLS in UDP 19 draft-ietf-mpls-in-udp-06 21 Abstract 23 This document specifies an IP-based encapsulation for MPLS, called 24 MPLS-in-UDP (User Datagram Protocol). The MPLS-in-UDP encapsulation 25 technology MUST only be deployed within a service provider network or 26 networks of an adjacent set of co-operating service providers where 27 congestion control is not a concern. 29 Status of This Memo 31 This Internet-Draft is submitted in full conformance with the 32 provisions of BCP 78 and BCP 79. 34 Internet-Drafts are working documents of the Internet Engineering 35 Task Force (IETF). Note that other groups may also distribute 36 working documents as Internet-Drafts. The list of current Internet- 37 Drafts is at http://datatracker.ietf.org/drafts/current/. 39 Internet-Drafts are draft documents valid for a maximum of six months 40 and may be updated, replaced, or obsoleted by other documents at any 41 time. It is inappropriate to use Internet-Drafts as reference 42 material or to cite them other than as "work in progress." 44 This Internet-Draft will expire on April 27, 2015. 46 Copyright Notice 48 Copyright (c) 2014 IETF Trust and the persons identified as the 49 document authors. All rights reserved. 51 This document is subject to BCP 78 and the IETF Trust's Legal 52 Provisions Relating to IETF Documents 53 (http://trustee.ietf.org/license-info) in effect on the date of 54 publication of this document. Please review these documents 55 carefully, as they describe your rights and restrictions with respect 56 to this document. Code Components extracted from this document must 57 include Simplified BSD License text as described in Section 4.e of 58 the Trust Legal Provisions and are provided without warranty as 59 described in the Simplified BSD License. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 64 1.1. Existing Encapsulations . . . . . . . . . . . . . . . . . 3 65 1.2. Motivations for MPLS-in-UDP Encapsulation . . . . . . . . 3 66 1.3. Application Statements . . . . . . . . . . . . . . . . . 4 67 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 68 3. Encapsulation in UDP . . . . . . . . . . . . . . . . . . . . 4 69 3.1. UDP Checksum Usage with IPv6 . . . . . . . . . . . . . . 6 70 3.2. Middlebox Considerations for IPv6 UDP Zero Checksums . . 9 71 4. Processing Procedures . . . . . . . . . . . . . . . . . . . . 9 72 5. Congestion Considerations . . . . . . . . . . . . . . . . . . 9 73 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 74 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 75 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 13 76 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 77 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 78 10.1. Normative References . . . . . . . . . . . . . . . . . . 14 79 10.2. Informative References . . . . . . . . . . . . . . . . . 15 80 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 82 1. Introduction 84 This document specifies an IP-based encapsulation for MPLS, i.e. 85 MPLS-in-UDP (User Datagram Protocol), which is applicable in some 86 circumstances where IP-based encapsulation for MPLS is required and 87 further fine-grained load balancing of MPLS packets over IP networks 88 over Equal Cost Multi-Path (ECMP) and/or Link Aggregation Groups 89 (LAG) is required as well. There are already IP-based encapsulations 90 for MPLS that allow for fine-grained load balancing by using some 91 special field in the encapsulation header as an entropy field. 92 However, MPLS-in-UDP can be advantageous since some networks have 93 used the UDP port number fields as a basis for load-balancing 94 solutions for some time. This is similar to why LISP [RFC6830] uses 95 UDP encapsulation. 97 Like other IP-based encapsulation methods for MPLS, this 98 encapsulation allows for two Label Switching Routers (LSR) to be 99 adjacent on a Label Switched Path (LSP), while separated by an IP 100 network. In order to support this encapsulation, each LSR needs to 101 know the capability to decapsulate MPLS-in-UDP by the remote LSRs. 102 This specification defines only the data plane encapsulation and does 103 not concern itself with how the knowledge to use this encapsulation 104 is conveyed. Specifically, this capability can be either manually 105 configured on each LSR or be dynamically advertised in manners that 106 are outside the scope of this document. 108 Similarly, the MPLS-in-UDP encapsulation format defined in this 109 document by itself cannot ensure the integrity and privacy of data 110 packets being transported through the MPLS-in-UDP tunnels and cannot 111 enable the tunnel decapsulators to authenticate the tunnel 112 encapsulator. Therefore, in the case where any of the above security 113 issues is concerned, the MPLS-in-UDP SHOULD be secured with IPsec 114 [RFC4301] or DTLS [RFC6347]. For more details, please see Section 6 115 of Security Considerations. 117 1.1. Existing Encapsulations 119 Currently, there are several IP-based encapsulations for MPLS such as 120 MPLS-in-IP, MPLS-in-GRE (Generic Routing Encapsulation) [RFC4023], 121 and MPLS-in-L2TPv3 (Layer Two Tunneling Protocol - Version 3) 122 [RFC4817]. In all these methods, the IP addresses can be varied to 123 achieve load-balancing. 125 All these IP-based encapsulations for MPLS are specified for both 126 IPv4 and IPv6. In the case of IPv6-based encapsulations, the IPv6 127 Flow Label can be used for ECMP and LAGs [RFC6438]. However, there 128 is no such entropy field in the IPv4 header. 130 For MPLS-in-GRE as well as MPLS-in-L2TPv3, protocol fields (the GRE 131 Key and the L2TPv3 Session ID respectively) can be used as the load- 132 balancing key as described in [RFC5640]. For this, intermediate 133 routers need to understand these fields in the context of being used 134 as load-balancing keys. 136 1.2. Motivations for MPLS-in-UDP Encapsulation 138 Most existing routers in IP networks are already capable of 139 distributing IP traffic "microflows" [RFC2474] over ECMPs and/or LAG 140 based on the hash of the five-tuple of User Datagram Protocol (UDP) 141 [RFC0768] and Transmission Control Protocol (TCP) packets (i.e., 142 source IP address, destination IP address, source port, destination 143 port, and protocol). By encapsulating the MPLS packets into an UDP 144 tunnel and using the source port of the UDP header as an entropy 145 field, the existing load-balancing capability as mentioned above can 146 be leveraged to provide fine-grained load-balancing of MPLS traffic 147 over IP networks. 149 1.3. Application Statements 151 The MPLS-in-UDP encapsulation technology MUST only be deployed within 152 a Service Provider (SP) network or networks of an adjacent set of co- 153 operating SPs where congestion control is not a concern, rather than 154 over the Internet where congestion control is required. Furthermore, 155 packet filters SHOULD be added to prevent MPLS-in-UDP packets from 156 escaping from the service provider networks due to misconfiguation or 157 packet errors. 159 2. Terminology 161 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 162 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 163 document are to be interpreted as described in RFC 2119 [RFC2119].. 165 3. Encapsulation in UDP 167 MPLS-in-UDP encapsulation format is shown as follows: 169 0 1 2 3 170 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 171 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 172 | Source Port = Entropy | Dest Port = MPLS | 173 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 174 | UDP Length | UDP Checksum | 175 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 176 | | 177 ~ MPLS Label Stack ~ 178 | | 179 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | 180 ~ Message Body ~ 181 | | 182 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 184 Source Port of UDP 186 This field contains a 16-bit entropy value that is generated by 187 the encapsulator to uniquely identify a flow. What constitutes 188 a flow is locally determined by the encapsulator and therefore 189 is outside the scope of this document. What algorithm is 190 actually used by the encapsulator to generate an entropy value 191 is outside the scope of this document. 193 In case the tunnel does not need entropy, this field of all 194 packets belonging to a given flow SHOULD be set to a randomly 195 selected constant value so as to avoid packet reordering. 197 To ensure that the source port number is always in the range 198 49152 to 65535 (Note that those ports less than 49152 are 199 reserved by IANA to identify specific applications/protocols) 200 which may be required in some cases, instead of calculating a 201 16-bit hash, the encapsulator SHOULD calculate a 14-bit hash 202 and use those 14 bits as the least significant bits of the 203 source port field while the most significant two bits SHOULD be 204 set to binary 11. That still conveys 14 bits of entropy 205 information which would be enough as well in practice. 207 Destination Port of UDP 209 This field is set to a value (TBD1) allocated by IANA to 210 indicate that the UDP tunnel payload is an MPLS packet. 212 UDP Length 214 The usage of this field is in accordance with the current UDP 215 specification [RFC0768]. 217 UDP Checksum 219 For IPv4 UDP encapsulation, this field is RECOMMENDED to be set 220 to zero because the IPv4 header includes a checksum and use of 221 the UDP checksum is optional with IPv4, unless checksum 222 protection of VPN labels is important (See Section 6). For 223 IPv6 UDP encapsulation, the IPv6 header does not include a 224 checksum, so this field MUST contain a UDP checksum that MUST 225 be used as specified in [RFC0768] and [RFC2460] unless one of 226 the exceptions that allows use of UDP zero-checksum mode (as 227 specified in [RFC6935]) applies. See Section 3.1 for 228 specification of these exceptions and additional requirements 229 that apply when UDP zero-checksum mode is used for MPLS-in-UDP 230 traffic over IPv6. 232 MPLS Label Stack 234 This field contains an MPLS Label Stack as defined in 235 [RFC3032]. 237 Message Body 238 This field contains one MPLS message body. 240 3.1. UDP Checksum Usage with IPv6 242 When UDP is used over IPv6, the UDP checksum is relied upon to 243 protect the IPv6 header from corruption, and MUST be used unless the 244 requirements in [RFC6935] and [RFC6936] for use of UDP zero-checksum 245 mode with a tunnel protocol are satisfied. MPLS-in-UDP is a tunnel 246 protocol, and there is significant successful deployment of MPLS-in- 247 IPv6 without UDP (i.e., without a checksum that covers the IPv6 248 header or the MPLS label stack), as described in Section 3.1 of 249 [RFC6936]: 251 "There is extensive experience with deployments using tunnel 252 protocols in well-managed networks (e.g., corporate networks and 253 service provider core networks). This has shown the robustness of 254 methods such as Pseudowire Emulation Edge-to-Edge (PWE3) and MPLS 255 that do not employ a transport protocol checksum and that have not 256 specified mechanisms to protect from corruption of the unprotected 257 headers(such as the VPN Identifier in MPLS)". 259 This draft focuses on service provider core networks. The 260 requirements in Section 5 for use of MPLS-in-UDP to carry traffic 261 that is not necessarily congestion controlled involve significant 262 service provider traffic management and engineering - this is a 263 hallmark of the well-managed networks that the above [RFC6936] text 264 refers to. Therefore, the UDP checksum MUST be implemented and MUST 265 be used in accordance with [RFC0768] and [RFC2460] for MPLS-in-UDP 266 traffic over IPv6 unless one of the following exceptions applies and 267 the additional requirements stated below are complied with. There 268 are two exceptions that allow use of UDP zero-checksum mode for IPv6 269 with MPLS-in-UDP, subject to the additional requirements stated below 270 in this section. The two exceptions are: 272 a. Use of MPLS-in-UDP within a single service provider that utilizes 273 careful provisioning (e.g., rate limiting at the entries of the 274 network while over-provisioning network capacity) to ensure 275 against congestion and that actively monitors MPLS traffic for 276 errors; or 278 b. Use of MPLS-in-UDP within a limited number of service providers 279 who closely cooperate in order to jointly provide this same 280 careful provisioning and monitoring. 282 Even when one of the above exceptions applies, use of UDP checksums 283 may be appropriate when VPN services are provided over MPLS-in-UDP, 284 see Section 6. As such, for IPv6, the UDP checksum for MPLS-in-UDP 285 MUST be used as specified in [RFC0768] and [RFC2460] over the general 286 Internet, and over non-cooperating SPs, even if each non-cooperating 287 SP independently satisfies the first exception for UDP zero-checksum 288 mode usage with MPLS-in-UDP over IPv6 within the SP's own network. 289 Measures SHOULD be taken to prevent UDP zero checksum mode MPLS-in- 290 UDP over IPv6 traffic from "escaping" to the general Internet; see 291 Section 5 for examples of such measures. 293 The following additional requirements apply to implementation and use 294 of UDP zero-checksum mode for MPLS-in-UDP over IPv6: 296 a. Use of the UDP checksum with IPv6 MUST be the default 297 configuration of all MPLS-in-UDP implementations. 299 b. An MPLS-in-UDP implementation MUST comply with all requirements 300 specified in Section 4 of [RFC6936] and with requirement 1 301 specified in Section 5 of [RFC6936]. 303 c. An MPLS-in-UDP receiver MUST check that the source and 304 destination IPv6 addresses are valid for the MPLS-in-UDP tunnel 305 and discard any packet for which this check fails. 307 d. An MPLS-in-UDP sender SHOULD use different IPv6 addresses for 308 each MPLS-in-UDP tunnel that uses UDP zero-checksum mode in order 309 to strengthen the receiver's check of the IPv6 source address. 310 When this is not possible, it is RECOMMENDED to use each source 311 IPv6 address for as few UDP zero-checksum mode MPLS-in-UDP 312 tunnels as is feasible. 314 e. An MPLS-in-UDP receiver MUST check that the top label of the MPLS 315 label stack is valid for the tunnel. This check will often be 316 part of the MPLS LSR forwarding logic, but MUST be scoped to the 317 specific tunnel. 319 f. An MPLS-in-UDP receiver node SHOULD only enable the use of UDP 320 zero-checksum mode on a single UDP port and SHOULD NOT support 321 any other use UDP zero-checksum mode on any other UDP port. 323 g. Any middlebox support for MPLS-in-UDP with UDP zero-checksum mode 324 for IPv6 MUST comply with requirements 1 and 8-10 in Section 5 of 325 [RFC6936]. 327 The above requirements do not change the requirements specified in 328 [RFC2460] as modified by [RFC6935] and the requirements specified in 329 [RFC6936]. 331 The requirements to check the source IPv6 address and top label of 332 the MPLS stack (in addition to the destination IPv6 address), plus 333 the strong recommendation against reuse of source IPv6 addresses 334 among MPLS-in-UDP tunnels collectively provide some offset for the 335 absence of UDP checksum coverage of the IPv6 header. The expected 336 result for IPv6 UDP zero-checksum mode for MPLS-in-UDP is that 337 corruption of the destination IPv6 address will usually cause packet 338 discard, as offsetting corruptions to the source IPv6 and/or MPLS top 339 label are unlikely. Additional assurance is provided by the 340 restrictions in the above exceptions that limit usage of IPv6 UDP 341 zero-checksum mode to specific types of well-managed networks for 342 which MPLS packet corruption has not been a problem in practice. 344 Hence MPLS-in-UDP is suitable for transmission over lower layers in 345 the well-managed networks that are allowed by the two exceptions 346 stated above and is not expected to increase the rate of corruption 347 of the inner IP packet on such networks by comparison to MPLS traffic 348 that is not encapsulated in UDP. For these reasons, MPLS-in-UDP does 349 not provide an additional integrity check when UDP zero-checksum mode 350 is used with IPv6, and this design is in accordance with requirements 351 2, 3 and 5 specified in Section 5 of [RFC6936]. 353 MPLS does not accumulate incorrect state as a consequence of label 354 stack corruption. A corrupt MPLS label results in either packet 355 discard or forwarding (and forgetting) of the packet without 356 accumulation of MPLS protocol state. Active monitoring of MPLS-in- 357 UDP traffic for errors is REQUIRED as occurrence of errors will 358 result in some accumulation of error information outside the MPLS 359 protocol for operational and management purposes. This design is in 360 accordance with requirement 4 specified in Section 5 of [RFC6936]. 362 The remaining requirements specified in Section 5 of [RFC6936] are 363 inapplicable to MPLS-in-UDP. Requirements 6 and 7 do not apply 364 because MPLS does not have an MPLS-generic control feedback 365 mechanism. Requirements 8-10 are middlebox requirements that do not 366 apply to MPLS-in-UDP tunnel endpoints, but see Section 3.2 for 367 further middlebox discussion. 369 In summary, UDP zero-checksum mode for IPv6 is allowed to be used 370 with MPLS-in-UDP when one of the two exceptions specified above 371 applies, provided that the five additional requirements (six for 372 middlebox implementations) stated above are complied with. Otherwise 373 the UDP checksum MUST be used for IPv6 as specified in [RFC0768] and 374 [RFC2460]. 376 This entire section and its requirements apply only to use of UDP 377 zero-checksum mode for IPv6; they can be avoided by using the UDP 378 checksum as specified in [RFC0768] and [RFC2460]. 380 3.2. Middlebox Considerations for IPv6 UDP Zero Checksums 382 IPv6 datagrams with a zero UDP checksum will not be passed by any 383 middlebox that validates the checksum based on [RFC2460] or that 384 updates the UDP checksum field, such as NATs or firewalls. Changing 385 this behavior would require such middleboxes to be updated to 386 correctly handle datagrams with zero UDP checksums. The MPLS-in-UDP 387 encapsulation does not provide a mechanism to safely fall back to 388 using a checksum when a path change occurs redirecting a tunnel over 389 a path that includes a middlebox that discards IPv6 datagrams with a 390 zero UDP checksum. In this case the MPLS-in-UDP tunnel will be 391 black-holed by that middlebox. Recommended changes to allow 392 firewalls, NATs and other middleboxes to support use of an IPv6 zero 393 UDP checksum are described in Section 5 of [RFC6936]. 395 4. Processing Procedures 397 This MPLS-in-UDP encapsulation causes MPLS packets to be forwarded 398 through "UDP tunnels". When performing MPLS-in-UDP encapsulation by 399 the encapsulator, the entropy value would be generated by the 400 encapsulator and then be filled in the Source Port field of the UDP 401 header. The Destination Port field is set to a value (TBD1) 402 allocated by IANA to indicate that the UDP tunnel payload is an MPLS 403 packet. As for whether the top label in the MPLS label stack is 404 downstream-assigned or upstream-assigned, it SHOULD be determined 405 based on the tunnel destination IP address. That is to say, if the 406 destination IP address is a multicast address, the top label SHOULD 407 be upstream-assigned, otherwise if the destination IP address is a 408 unicast address, it SHOULD be downstream-assigned. Intermediate 409 routers, upon receiving these UDP encapsulated packets, could balance 410 these packets based on the hash of the five-tuple of UDP packets. 411 Upon receiving these UDP encapsulated packets, the decapsulator would 412 decapsulate them by removing the UDP headers and then process them 413 accordingly. For other common processing procedures associated with 414 tunneling encapsulation technologies including but not limited to 415 Maximum Transmission Unit (MTU) and preventing fragmentation and 416 reassembly, Time to Live (TTL) and differentiated services, the 417 corresponding "Common Procedures" defined in [RFC4023] which are 418 applicable for MPLS-in-IP and MPLS-in-GRE encapsulation formats 419 SHOULD be followed. 421 5. Congestion Considerations 423 Section 3.1.3 of [RFC5405] discussed the congestion implications of 424 UDP tunnels. As discussed in [RFC5405], because other flows can 425 share the path with one or more UDP tunnels, congestion control 426 [RFC2914] needs to be considered. 428 A major motivation for encapsulating MPLS in UDP is to improve the 429 use of multipath (such as ECMP) in cases where traffic is to traverse 430 routers which are able to hash on UDP Port and IP address. As such, 431 in many cases this may reduce the occurrence of congestion and 432 improve usage of available network capacity. However, it is also 433 necessary to ensure that the network, including applications that use 434 the network, responds appropriately in more difficult cases, such as 435 when link or equipment failures have reduced the available capacity. 437 The impact of congestion must be considered both in terms of the 438 effect on the rest of the network of a UDP tunnel that is consuming 439 excessive capacity, and in terms of the effect on the flows using the 440 UDP tunnels. The potential impact of congestion from a UDP tunnel 441 depends upon what sort of traffic is carried over the tunnel, as well 442 as the path of the tunnel. 444 MPLS is widely used to carry a wide range of traffic. In many cases 445 MPLS is used to carry IP traffic. IP traffic is generally assumed to 446 be congestion controlled, and thus a tunnel carrying general IP 447 traffic (as might be expected to be carried across the Internet) 448 generally does not need additional congestion control mechanisms. As 449 specified in [RFC5405]: 451 "IP-based traffic is generally assumed to be congestion- 452 controlled, i.e., it is assumed that the transport protocols 453 generating IP-based traffic at the sender already employ 454 mechanisms that are sufficient to address congestion on the path. 455 Consequently, a tunnel carrying IP-based traffic should already 456 interact appropriately with other traffic sharing the path, and 457 specific congestion control mechanisms for the tunnel are not 458 necessary". 460 For this reason, where MPLS-in-UDP tunneling is used to carry IP 461 traffic that is known to be congestion controlled, the UDP tunnels 462 MAY be used across any combination of a single service provider, 463 multiple cooperating service providers, or across the general 464 Internet. Internet IP traffic is generally assumed to be congestion- 465 controlled. Similarly, in general Layer 3 VPNs are carrying IP 466 traffic that is similarly assumed to be congestion controlled. 468 Whether or not Layer 2 VPN traffic is congestion controlled may 469 depend upon the specific services being offered and what use is being 470 made of the layer 2 services. 472 However, MPLS is also used in many cases to carry traffic that is not 473 necessarily congestion controlled. For example, MPLS may be used to 474 carry pseudowire or VPN traffic where specific bandwidth guarantees 475 are provided to each pseudowire, or to each VPN. 477 In such cases service providers may avoid congestion by careful 478 provisioning of their networks, by rate limiting of user data 479 traffic, and/or by using MPLS Traffic Engineering (MPLS-TE) to assign 480 specific bandwidth guarantees to each LSP. Where MPLS is carried 481 over UDP over IP, the identity of each individual MPLS flow is in 482 general lost and MPLS-TE cannot be used to guarantee bandwidth to 483 specific flows (since many LSPs may be multiplexed over a single UDP 484 tunnel, and many UDP tunnels may be mixed in an IP network). 486 For this reason, where the MPLS traffic is not congestion controlled, 487 MPLS-in-UDP tunnels MUST only be used within a single service 488 provider that utilizes careful provisioning (e.g., rate limiting at 489 the entries of the network while over-provisioning network capacity) 490 to ensure against congestion, or within a limited number of service 491 providers who closely cooperate in order to jointly provide this same 492 careful provisioning. 494 As such, MPLS-in-UDP MUST NOT be used over the general Internet, or 495 over non-cooperating SPs, to carry traffic that is not congestion- 496 controlled. 498 Measures SHOULD be taken to prevent non-congestion-controlled MPLS- 499 in-UDP traffic from "escaping" to the general Internet, e.g.: 501 a. Physical or logical isolation of the links carrying MPLS-over-UDP 502 from the general Internet. 504 b. Deployment of packet filters that block the UDP ports assigned 505 for MPLS-over-UDP. 507 c. Imposition of restrictions on MPLS-in-UDP traffic by software 508 tools used to set up MPLS-in-UDP tunnels between specific end 509 systems (as might be used within a single data center). 511 d. Use of a "Managed Circuit Breaker" for the MPLS traffic as 512 described in [I-D.fairhurst-tsvwg-circuit-breaker]. 514 6. Security Considerations 516 The security problems faced with the MPLS-in-UDP tunnel are exactly 517 the same as those faced with MPLS-in-IP and MPLS-in-GRE tunnels 518 [RFC4023] . In other words, the MPLS-in-UDP tunnel as defined in this 519 document by itself cannot ensure the integrity and privacy of data 520 packets being transported through the MPLS-in-UDP tunnel and cannot 521 enable the tunnel decapsulator to authenticate the tunnel 522 encapsulator. In the case where any of the above security issues is 523 concerned, the MPLS-in-UDP tunnel SHOULD be secured with IPsec or 524 DTLS. IPsec was designed as a network security mechanism and 525 therefore it resides at the network layer. As such, if the tunnel is 526 secured with IPsec, the UDP header would not be visible to 527 intermediate routers anymore in either IPsec tunnel or transport 528 mode. As a result, the meaning of adopting the MPLS-in-UDP tunnel as 529 an alternative to the MPLS-in-GRE or MPLS-in-IP tunnel is lost. By 530 comparison, DTLS is better suited for application security and can 531 better preserve network and transport layer protocol information. 532 Specifically, if DTLS is used, the destination port of the UDP header 533 will be filled with a value (TBD2) indicating MPLS with DTLS and the 534 source port can still be used as an entropy field for load-sharing 535 purposes. 537 If the tunnel is not secured with IPsec or DTLS, some other method 538 should be used to ensure that packets are decapsulated and forwarded 539 by the tunnel tail only if those packets were encapsulated by the 540 tunnel head. If the tunnel lies entirely within a single 541 administrative domain, address filtering at the boundaries can be 542 used to ensure that no packet with the IP source address of a tunnel 543 endpoint or with the IP destination address of a tunnel endpoint can 544 enter the domain from outside. However, when the tunnel head and the 545 tunnel tail are not in the same administrative domain, this may 546 become difficult, and filtering based on the destination address can 547 even become impossible if the packets must traverse the public 548 Internet. Sometimes only source address filtering (but not 549 destination address filtering) is done at the boundaries of an 550 administrative domain. If this is the case, the filtering does not 551 provide effective protection at all unless the decapsulator of an 552 MPLS-in-UDP validates the IP source address of the packet. 554 This document does not require that the decapsulator validate the IP 555 source address of the tunneled packets (with the exception that the 556 IPv6 source address MUST be validated when UDP zero-checksum mode is 557 used with IPv6), but it should be understood that failure to do so 558 presupposes that there is effective destination-based (or a 559 combination of source-based and destination-based) filtering at the 560 boundaries. MPLS-based VPN services rely on a VPN label in the MPLS 561 label stack to identify the VPN. Corruption of that label could leak 562 traffic across VPN boundaries. Such leakage is highly undesirable 563 when inter-VPN isolation is used for privacy or security reasons. 564 When that is the case, UDP checksums SHOULD be used for MPLS-in-UDP 565 with both IPv4 and IPv6, and in particular, UDP zero-checksum mode 566 SHOULD NOT be used with IPv6. Each UDP checksum covers the VPN 567 label, thereby providing increased assurance of isolation among VPNs. 569 7. IANA Considerations 571 One UDP destination port number indicating MPLS needs to be allocated 572 by IANA.: 574 Service Name: MPLS-in-UDP 576 Transport Protocol(s): UDP 578 Assignee: IESG 580 Contact: IETF Chair . 582 Description: Encapsulate MPLS packets in UDP tunnels. 584 Reference: This document -- draft-ietf-mpls-in-udp (MPLS WG 585 document). 587 Port Number: TBD1 -- To be assigned by IANA. 589 One UDP destination port number indicating MPLS with DTLS needs to be 590 allocated by IANA: 592 Service Name: MPLS-in-UDP-with-DTLS 594 Transport Protocol(s): UDP 596 Assignee: IESG 598 Contact: IETF Chair . 600 Description: Encapsulate MPLS packets in UDP tunnels with DTLS. 602 Reference: This document -- draft-ietf-mpls-in-udp (MPLS WG 603 document). 605 Port Number: TBD2 -- To be assigned by IANA. 607 8. Contributors 609 Zhenbin Li 611 Huawei Technologies, 613 Beijing, China 615 Email: lizhenbin@huawei.com 616 Curtis Villamizar 618 Outer Cape Cod Network Consulting, LLC 620 Email: curtis@occnc.com 622 9. Acknowledgements 624 Thanks to Shane Amante, Dino Farinacci, Keshava A K, Ivan Pepelnjak, 625 Eric Rosen, Andrew G. Malis, Kireeti Kompella, Marshall Eubanks, 626 George Swallow, Loa Andersson, Vivek Kumar, Stewart Bryant, Wen 627 Zhang, Joel M. Halpern, Noel Chiappa, Scott Brim, Alia Atlas, 628 Alexander Vainshtein, Joel Jaeggli, Edward Crabbe, Mark Tinka, Lars 629 Eggert, Joe Touch, Lloyd Wood, Weiguo Hao, Mark Szczesniak, Zhenxiao 630 Liu and Xing Tong for their valuable comments and suggestions on this 631 document. 633 Special thanks to Adrian Farrel for his conscientious AD review and 634 insightful suggestion of using DTLS for securing the MPLS-in-UDP 635 tunnels. Special thanks to Alia Atlas for her insightful suggestion 636 of adding an applicability statement. 638 Thanks to Daniel King, Gregory Mirsky and Eric Osborne for their 639 valuable MPLS-RT reviews on this document. Thanks to Charlie Kaufman 640 for his SecDir review of this document. Thanks to Nevil Brownlee for 641 the OPSDir review of this document. Thanks to Roni Even for the Gen- 642 ART review of this document. Thanks to Pearl Liang for the IANA 643 review of this documents. 645 10. References 647 10.1. Normative References 649 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 650 August 1980. 652 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 653 Requirement Levels", BCP 14, RFC 2119, March 1997. 655 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 656 (IPv6) Specification", RFC 2460, December 1998. 658 [RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y., 659 Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack 660 Encoding", RFC 3032, January 2001. 662 [RFC4023] Worster, T., Rekhter, Y., and E. Rosen, "Encapsulating 663 MPLS in IP or Generic Routing Encapsulation (GRE)", RFC 664 4023, March 2005. 666 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 667 Internet Protocol", RFC 4301, December 2005. 669 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 670 Security Version 1.2", RFC 6347, January 2012. 672 [RFC6935] Eubanks, M., Chimento, P., and M. Westerlund, "IPv6 and 673 UDP Checksums for Tunneled Packets", RFC 6935, April 2013. 675 [RFC6936] Fairhurst, G. and M. Westerlund, "Applicability Statement 676 for the Use of IPv6 UDP Datagrams with Zero Checksums", 677 RFC 6936, April 2013. 679 10.2. Informative References 681 [I-D.fairhurst-tsvwg-circuit-breaker] 682 Fairhurst, G., "Network Transport Circuit Breakers", 683 draft-fairhurst-tsvwg-circuit-breaker-01 (work in 684 progress), May 2014. 686 [RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black, 687 "Definition of the Differentiated Services Field (DS 688 Field) in the IPv4 and IPv6 Headers", RFC 2474, December 689 1998. 691 [RFC2914] Floyd, S., "Congestion Control Principles", BCP 41, RFC 692 2914, September 2000. 694 [RFC4817] Townsley, M., Pignataro, C., Wainner, S., Seely, T., and 695 J. Young, "Encapsulation of MPLS over Layer 2 Tunneling 696 Protocol Version 3", RFC 4817, March 2007. 698 [RFC5405] Eggert, L. and G. Fairhurst, "Unicast UDP Usage Guidelines 699 for Application Designers", BCP 145, RFC 5405, November 700 2008. 702 [RFC5640] Filsfils, C., Mohapatra, P., and C. Pignataro, "Load- 703 Balancing for Mesh Softwires", RFC 5640, August 2009. 705 [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label 706 for Equal Cost Multipath Routing and Link Aggregation in 707 Tunnels", RFC 6438, November 2011. 709 [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The 710 Locator/ID Separation Protocol (LISP)", RFC 6830, January 711 2013. 713 Authors' Addresses 715 Xiaohu Xu 716 Huawei Technologies 717 No.156 Beiqing Rd 718 Beijing 100095 719 CHINA 721 Phone: +86-10-60610041 722 Email: xuxiaohu@huawei.com 724 Nischal Sheth 725 Juniper Networks 726 1194 N. Mathilda Ave 727 Sunnyvale, CA 94089 728 USA 730 Email: nsheth@juniper.net 732 Lucy Yong 733 Huawei USA 734 5340 Legacy Dr 735 Plano, TX 75025 736 USA 738 Email: Lucy.yong@huawei.com 740 Carlos Pignataro 741 Cisco Systems 742 7200-12 Kit Creek Road 743 Research Triangle Park, NC 27709 744 USA 746 Email: cpignata@cisco.com 747 Yongbing Fan 748 China Telecom 749 Guangzhou 750 CHINA 752 Email: fanyb@gsta.com 754 Ross Callon 755 Juniper Networks 756 10 Technology Park Drive 757 Westford, MA 01886 758 USA 760 Email: rcallon@juniper.net 762 David Black 763 EMC Corporation 764 176 South Street 765 Hopkinton, MA 01748 766 USA 768 Email: david.black@emc.com