idnits 2.17.1 draft-ietf-tsvwg-datagram-plpmtud-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == The page length should not exceed 58 lines per page, but there was 1 longer page, the longest (page 3) being 60 lines Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There are 11 instances of too long lines in the document, the longest one being 2 characters in excess of 72. -- The abstract seems to indicate that this document updates RFC8201, but the header doesn't have an 'Updates:' line to match this. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC4821, updated by this document, for RFC5378 checks: 2003-10-21) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 08, 2018) is 2150 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'CC' is mentioned on line 425, but not defined == Outdated reference: A later version (-34) exists of draft-ietf-quic-transport-04 == Outdated reference: A later version (-32) exists of draft-ietf-tsvwg-udp-options-01 ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200) ** Obsolete normative reference: RFC 4960 (Obsoleted by RFC 9260) Summary: 3 errors (**), 0 flaws (~~), 5 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force G. Fairhurst 3 Internet-Draft T. Jones 4 Updates: 4821 (if approved) University of Aberdeen 5 Intended status: Standards Track M. Tuexen 6 Expires: December 08, 2018 I. Ruengeler 7 Muenster University of Applied Sciences 8 June 08, 2018 10 Packetization Layer Path MTU Discovery for Datagram Transports 11 draft-ietf-tsvwg-datagram-plpmtud-02 13 Abstract 15 This document describes a robust method for Path MTU Discovery 16 (PMTUD) for datagram Packetization layers. The document describes an 17 extension to RFC 1191 and RFC 8201, which specifies ICMP-based Path 18 MTU Discovery for IPv4 and IPv6. The method allows a Packetization 19 Layer (PL), or a datagram application that uses a PL, to discover 20 whether a network path can support the current size of datagram and 21 to probe a network path with progressively larger packets to find 22 whether the maxium packet size can be increased. This allows a 23 sender to determine an appropriate packet size. This provides 24 functionally for datagram transports that is equivalent to the 25 Packetization layer PMTUD specification for TCP, specified in 26 RFC4821. 28 The document also provides implementation notes for incorporating 29 Datagram PMTUD into IETF Datagram transports or applications that use 30 transports. 32 When published, this specification updates RFC4821. 34 Status of this Memo 36 This Internet-Draft is submitted in full conformance with the 37 provisions of BCP 78 and BCP 79. 39 Internet-Drafts are working documents of the Internet Engineering 40 Task Force (IETF). Note that other groups may also distribute 41 working documents as Internet-Drafts. The list of current Internet- 42 Drafts is at http://datatracker.ietf.org/drafts/current/. 44 Internet-Drafts are draft documents valid for a maximum of six months 45 and may be updated, replaced, or obsoleted by other documents at any 46 time. It is inappropriate to use Internet-Drafts as reference 47 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on December 08, 2018. 50 Copyright Notice 52 Copyright (c) 2018 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents (http://trustee.ietf.org/ 57 license-info) in effect on the date of publication of this document. 58 Please review these documents carefully, as they describe your rights 59 and restrictions with respect to this document. Code Components 60 extracted from this document must include Simplified BSD License text 61 as described in Section 4.e of the Trust Legal Provisions and are 62 provided without warranty as described in the Simplified BSD License. 64 Table of Contents 66 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 67 1.1. Classical Path MTU Discovery . . . . . . . . . . . . . . . 3 68 1.2. Packetization Layer Path MTU Discovery . . . . . . . . . . 4 69 1.3. Path MTU Discovery for Datagram Services . . . . . . . . . 5 70 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 71 3. Features Required to Provide Datagram PLPMTUD . . . . . . . . 8 72 3.1. PLPMTU Probe Packets . . . . . . . . . . . . . . . . . . . 10 73 3.2. Validation of Probe Packet Size . . . . . . . . . . . . . 11 74 3.3. Reducing the PLPMTU: Confirming Path Characteristics . . . 12 75 3.4. Increasing the PLPMTU: Supporting Path Changes . . . . . . 12 76 3.5. Robustness to inconsistent Path information . . . . . . . 12 77 4. Datagram Packetization Layer PMTUD . . . . . . . . . . . . . . 13 78 4.1. PROBE_SEARCH: Probing for a larger PLPMTU . . . . . . . . 13 79 4.2. The PROBE_DONE state . . . . . . . . . . . . . . . . . . . 14 80 4.3. Verification and Use of PTB Messages . . . . . . . . . . . 14 81 4.4. Timers . . . . . . . . . . . . . . . . . . . . . . . . . . 14 82 4.5. Constants . . . . . . . . . . . . . . . . . . . . . . . . 15 83 4.6. Variables . . . . . . . . . . . . . . . . . . . . . . . . 16 84 4.7. Selecting PROBED_SIZE . . . . . . . . . . . . . . . . . . 16 85 4.8. Black Hole Detection . . . . . . . . . . . . . . . . . . . 17 86 4.9. State Machine . . . . . . . . . . . . . . . . . . . . . . 17 87 5. Specification of Protocol-Specific Methods . . . . . . . . . . 20 88 5.1. Application support for DPLPMTUD with UDP or UDP-Lite . . 20 89 5.1.1. Application Request . . . . . . . . . . . . . . . . . 20 90 5.1.2. Application Response . . . . . . . . . . . . . . . . . 20 91 5.1.3. Sending Application Probe Packets . . . . . . . . . . 21 92 5.1.4. Validating the Path . . . . . . . . . . . . . . . . . 21 93 5.1.5. Handling of PTB Messages . . . . . . . . . . . . . . . 21 94 5.2. DPLPMTUD with UDP Options . . . . . . . . . . . . . . . . 21 95 5.2.1. UDP Request Option . . . . . . . . . . . . . . . . . . 22 96 5.2.2. UDP Response Option . . . . . . . . . . . . . . . . . 22 97 5.3. DPLPMTUD for SCTP . . . . . . . . . . . . . . . . . . . . 22 98 5.3.1. SCTP/IP4 and SCTP/IPv6 . . . . . . . . . . . . . . . . 22 99 5.3.1.1. Sending SCTP Probe Packets . . . . . . . . . . . . 22 100 5.3.1.2. Validating the Path with SCTP . . . . . . . . . . 23 101 5.3.1.3. PTB Message Handling by SCTP . . . . . . . . . . . 23 103 5.3.2. DPLPMTUD for SCTP/UDP . . . . . . . . . . . . . . . . 23 104 5.3.2.1. Sending SCTP/UDP Probe Packets . . . . . . . . . . 23 105 5.3.2.2. Validating the Path with SCTP/UDP . . . . . . . . 23 106 5.3.2.3. Handling of PTB Messages by SCTP/UDP . . . . . . . 24 107 5.3.3. DPLPMTUD for SCTP/DTLS . . . . . . . . . . . . . . . . 24 108 5.3.3.1. Sending SCTP/DTLS Probe Packets . . . . . . . . . 24 109 5.3.3.2. Validating the Path with SCTP/DTLS . . . . . . . . 24 110 5.3.3.3. Handling of PTB Messages by SCTP/DTLS . . . . . . 24 111 5.4. DPLPMTUD for QUIC . . . . . . . . . . . . . . . . . . . . 24 112 5.4.1. Sending QUIC Probe Packets . . . . . . . . . . . . . . 24 113 5.4.2. Validating the Path with QUIC . . . . . . . . . . . . 25 114 5.4.3. Handling of PTB Messages by QUIC . . . . . . . . . . . 25 115 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 25 116 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 117 8. Security Considerations . . . . . . . . . . . . . . . . . . . 26 118 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26 119 9.1. Normative References . . . . . . . . . . . . . . . . . . . 26 120 9.2. Informative References . . . . . . . . . . . . . . . . . . 28 121 Appendix A. Event-driven state changes . . . . . . . . . . . . . . 28 122 Appendix B. Revision Notes . . . . . . . . . . . . . . . . . . . . 31 123 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 32 125 1. Introduction 127 The IETF has specified datagram transport using UDP, SCTP, and DCCP, 128 as well as protocols layered on top of these transports (e.g., SCTP/ 129 UDP, DCCP/UDP) and directly over the IP network layer. This document 130 describes a robust method for Path MTU Discovery (PMTUD) that may be 131 used with these transport protocols (or the applications that use 132 their transport service) to discover an appropriate size of packet to 133 use across an Internet path. 135 1.1. Classical Path MTU Discovery 137 Classical Path Maximum Transmission Unit Discovery (PMTUD) can be 138 used with any transport that is able to process ICMP Packet Too Big 139 (PTB) messages (e.g., [RFC1191] and [RFC8201]). The term PTB message 140 is applied to both IPv4 ICMP Unreachable messages (type 3) that carry 141 the error Fragmentation Needed (Type 3, Code 4) and ICMPv6 packet too 142 big messages (Type 2). When a sender receives a PTB message, it 143 reduces the effective MTU to the value reported as the Link MTU in 144 the PTB message, and a method that from time-to-time increases the 145 packet size in attempt to discover an increase in the supported PMTU. 146 The packets sent with a size larger than the current effective PMTU 147 are known as probe packets. 149 Packets not intended as probe packets are either fragmented to the 150 current effective PMTU, or the attempt to send fails with an error 151 code. Applications are sometimes provided with a primitive to let 152 them read the maximum packet size, derived from the current effective 153 PMTU. 155 Classical PMTUD is subject to protocol failures. One failure arises 156 when traffic using a packet size larger than the actual PMTU is 157 black-holed (all datagrams sent with this size, or larger, are 158 silently discarded without the sender receiving ICMP PTB messages). 159 This could arise when the PTB messages are not delivered back to the 160 sender for some reason [RFC2923]). For example, ICMP messages are 161 increasingly filtered by middleboxes (including firewalls) [RFC4890]. 162 A stateful firewall could be configured with a policy to block 163 incoming ICMP messages, which would prevent reception of PTB messages 164 to endpoints behind this firewall. Other examples include cases 165 where PTB messages are not correctly processed/generated by tunnel 166 endpoints. 168 Another failure could result if a node that is not on the network 169 path sends a PTB message that attempts to force the sender to change 170 the effective PMTU [RFC8201]. A sender can protect itself from 171 reacting to such messages by utilising the quoted packet within a PTB 172 message payload to verify that the received PTB message was generated 173 in response to a packet that had actually originated from the sender. 174 However, there are situations where a sender would be unable to 175 provide this verification. 177 Examples where verification is not possible include: 179 o When the router issuing the ICMP message is acting on a tunneled 180 packet, the ICMP message will be directed to the tunnel endpoint. 181 This tunnel endpoint is responsible for forwardiung the ICMP 182 message and also processing the quoted packet within the payload 183 field to remove the effect of the tunnel, and return a correctly 184 fromatted ICMP message to the sender. Failure to do this results 185 in black-holing. 187 o When a router issuing the ICMP message implements RFC792 188 [RFC0792], it is only required the to include the first 64 bits of 189 the IP payload of the packet within the quoted payload.This may be 190 insufficient to perfom the tunnel processing described in the 191 previous bullet. Even if the decapsulated message is processed by 192 the tunnel endpoint, there could be insufficient bytes remaining 193 for the sender to interpret the quoted transport information. 194 RFC1812 [RFC1812] requires routers to return the full packet if 195 possible, often the case for IPv4 when used the path includes 196 tunnels; or where the packet has been encapsulated/tunneled over 197 an encrypted transport and it is not possible to determine the 198 original transport header ). 200 o Even when the PTB message includes sufficient bytes of the quoted 201 packet, the network layer could lack sufficient context to perform 202 verification, because this depends on information about the active 203 transport flows at an endpoint node (e.g., the socket/address 204 pairs being used, and other protocol header information). 206 1.2. Packetization Layer Path MTU Discovery 207 The term Packetization Layer (PL) has been introduced to describe the 208 layer that is responsible for placing data blocks into the payload of 209 IP packets and selecting an appropriate Maximum Packet Size (MPS). 210 This function is often performed by a transport protocol, but can 211 also be performed by other encapsulation methods working above the 212 transport. 214 In contrast to PMTUD, Packetization Layer Path MTU Discovery 215 (PLPMTUD) [RFC4821] does not rely upon reception and verification of 216 PTB messages. It is therefore more robust than Classical PMTUD. This 217 has become the recommended approach for implementing PMTU discovery 218 with TCP. 220 It uses a general strategy where the PL sends probe packet to search 221 for the largest size of unfragmented datagram that can be sent over a 222 path. The probe packets are sent with a progressively larger packet 223 size. If a probe packet is successfully delivered (as determined by 224 the PL), then the PLPMTU is raised to the size of the successful 225 probe. If no response is received to a probe packet, the method 226 reduces the probe size. This PLPMTU is used to set the application 227 MPS. 229 PLPMTUD introduces flexibility in the implementation of PMTU 230 discovery. At one extreme, it can be configured to only perform PTB 231 black hole detection and recovery to increase the robustness of 232 Classical PMTUD, or at the other extreme, all PTB processing can be 233 disabled and PLPMTUD can completely replace Classical PMTUD. 235 PLPMTUD can also include additional consistency checks without 236 increasing the risk of increased black-holing. For instance,the 237 information available at the PL, or higher layers, makes PTB 238 verification more straight forward. 240 1.3. Path MTU Discovery for Datagram Services 242 Section 4 of this document presents a set of algorithms for datagram 243 protocols to discover the largest size of unfragmented datagram that 244 can be sent over a path. The method described relies on features of 245 the PL Section 3 and apply to transport protocols operating over IPv4 246 and IPv6. It does not require cooperation from the lower layers, 247 although it can utilise ICMP PTB messages when these received 248 messages are made available to the PL. 250 The UDP Usage Guidelines [RFC8085] state "an application SHOULD 251 either use the Path MTU information provided by the IP layer or 252 implement Path MTU Discovery (PMTUD)", but does not provide a 253 mechanism for discovering the largest size of unfragmented datagram 254 than can be used on a path. Prior to this document, PLPMTUD had not 255 been specified for UDP. 257 Section 10.2 of [RFC4821] recommends a PLPMTUD probing method for the 258 Stream Control Transport Protocol (SCTP). SCTP utilises heartbeat 259 messages as probe packets, but RFC4821 does not provide a complete 260 specification. This document provides the details to complete that 261 specification. 263 The Datagram Congestion Control Protocol (DCCP) [RFC4340] requires 264 implementations to support Classical PMTUD and states that a DCCP 265 sender "MUST maintain the MPS allowed for each active DCCP session". 266 It also defines the current congestion control MPS (CCMPS) supported 267 by a path. This recommends use of PMTUD, and suggests use of control 268 packets (DCCP-Sync) as path probe packets, because they do not risk 269 application data loss. The method defined in this specification 270 could be used with DCCP. 272 Section 5 specifies the method for a set of transports, and provides 273 information to enables the implementation of PLPMTUD with other 274 datagram transports and applications that use datagram transports. 276 2. Terminology 278 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 279 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 280 document are to be interpreted as described in [RFC2119]. 282 Other terminology is directly copied from [RFC4821], and the 283 definitions in [RFC1122]. 285 Black-Holed: When the sender is unaware that packets are not 286 delivered to the destination endpoint (e.g., when the sender 287 transmits packets of a particular size with a previously known 288 effective PMTU (also refered to as the PLPMTU), but is unaware of 289 a change to the path that resulted in a smaller PLPMTU). 291 Classical Path MTU Discovery: Classical PMTUD is a process described 292 in [RFC1191] and [RFC8201], in which nodes rely on PTB messages to 293 learn the largest size of unfragmented datagram than can be used 294 across a path. 296 Datagram: A datagram is a transport-layer protocol data unit, 297 transmitted in the payload of an IP packet. 299 Effective PMTU: The current estimated value for PMTU that is used by 300 a PMTUD. This is equivalent to the PLPMTU derived by PLPMTUD. 302 EMTU_S: The Effective MTU for sending (EMTU_S) is defined in 303 [RFC1122] as "the maximum IP datagram size that may be sent, for a 304 particular combination of IP source and destination addresses...". 306 EMTU_R: The Effective MTU for receiving (EMTU_R) is designated in 307 [RFC1122] as the largest datagram size that can be reassembled by 308 EMTU_R ("Effective MTU to receive"). 310 Link: A communication facility or medium over which nodes can 311 communicate at the link layer, i.e., a layer below the IP layer. 312 Examples are Ethernet LANs and Internet (or higher) layer and 313 tunnels. 315 Link MTU: The Maximum Transmission Unit (MTU) is the size in bytes of 316 the largest IP packet, including the IP header and payload, that 317 can be transmitted over a link. Note that this could more 318 properly be called the IP MTU, to be consistent with how other 319 standards organizations use the acronym MT. This includes the IP 320 header, but excludes link layer headers and other framing that is 321 not part of IP or the IP payload. Other standards organizations 322 generally define link MTU to include the link layer headers. 324 MPS: The Maximum Packet Size (MPS) is the largest size of application 325 data block that can be sent unfragmented across a path. In 326 DPLPMTUD this quantity is derived from PLPMTU by taking into 327 consideration the size of the application and lower protocol layer 328 headers. 330 Packet: An IP header plus the IP payload. 332 Packetization Layer (PL): The layer of the network stack that places 333 data into packets and performs transport protocol functions. 335 Path: The set of link and routers traversed by a packet between a 336 source node and a destination node by a particular flow. 338 Path MTU (PMTU): The minimum of the Link MTU of all the links forming 339 a path between a source node and a destination node. 341 PLPMTU: The estimate of the actual PMTU provided by the DPLPMTUD 342 algorithm. 344 PLPMTUD: Packetization Layer Path MTU Discovery, the method described 345 in this document for datagram PLs, which is an extension to 346 Classical PMTU Discovery. 348 Probe packet: A datagram sent with a purposely chosen size (typically 349 larger than the current PLPMTU) to detect if packets of this size 350 can be successfully sent end-toend across the network path. 352 3. Features Required to Provide Datagram PLPMTUD 354 TCP PLPMTUD has been defined using standard TCP protocol mechanisms. 355 All of the requirements in [RFC4821] also apply to use of the 356 technique with a datagram PL. Unlike TCP, some datagram PLs require 357 additional mechanisms to implement PLPMTUD. 359 There are eight requirements for performing the datagram PLPMTUD 360 method described in this specification: 362 1. PMTU parameters: A DPLPMTUD sender is RECOMMENDED to provide 363 information about the maximum size of packet that can be 364 transmitted by the sender on the local link (the local Link MTU). 365 It MAY utilize similar information about the receiver when this 366 is supplied (note this could be less than EMTU_R). This avoids 367 implementations trying to send probe packets that can not be 368 transmited by the local link. Too high a value may reduce the 369 efficiency of the search algorithm. Some applications also have 370 a maximum transport protocol data unit (PDU) size, in which case 371 there is no benefit from probing for a size larger than this 372 (unless a transport allows multiplexing multiple applications 373 PDUs into the same datagram). 375 2. PLPMTU: A datagram application MUST be able to choose the size of 376 datagrams sent to the network, up to the PLPMTU, or a smaller 377 value (such as the MPS) derived from this. This value is managed 378 by the DPLPMTUD method. The PLPMTU (specified as the effective 379 PMTU in Section 1 of [RFC1191]) is equivalent to the EMTU_S 380 (specified in [RFC1122]). 382 3. Probe packets: On request, a PLPMTUD sender is REQUIRED to be 383 able to transmit a packet larger than the PLMPMTU. This can be 384 uses to send a probe packet. In IPv4, a probe packet MUST be 385 sent with the Don't Fragment (DF) bit set in the IP header, and 386 without network layer endpoint fragmentation. In IPv6, a probe 387 packet is always sent without source fragmentation (as specified 388 in section 5.4 of [RFC8201]). 390 4. Processing PTB messages: A DPLPMTUD sender MAY optionally utilize 391 PTB messages received from the network layer to help identify 392 when a path does not support the current size of packet probe. 393 Any received PTB message MUST be verified before it is used to 394 update the PLPMTU discovery information [RFC8201]. This 395 verification confirms that the PTB message was sent in response 396 to a packet originating by the sender, and needs to be performed 397 before the PLPMTU discovery method reacts to the PTB message. 398 When the router link MTU is indicated in the PTB message this MAY 399 be used by DPLPMTUD to reduce the probe size but MUST NOT be used 400 to increase the PLPMTU ([RFC8201]). Verification SHOULD utilise 401 information that can not be simply determined by an off-path 402 attacker, for example, by checking the value of a protocol header 403 field known only to the two PL endpoints. (Some datagram 404 applications use well-known source and destination ports and 405 therefore this check needs to rely on other information.) 407 5. Reception feedback: The destination PL endpoint is REQUIRED to 408 provide a feedback method that indicates to the DPLPMTUD sender 409 when a probe packet has been received by the destination PL 410 endpoint. The local PL endpoint at the sending node is REQUIRED 411 to pass this feedback to the sender-side DPLPMTUD method. 413 6. Probing and congestion control: The isolated loss of a probe 414 packet SHOULD NOT be treated as an indication of congestion and 415 its loss SHOULD NOT directly trigger a congestion control 416 reaction [RFC4821]. 418 7. Probe loss recovery: If the data block carried by a probe message 419 needs to be sent reliably, the PL (or layers above) MUST arrange 420 retransmission/repair of any resulting loss. This method MUST be 421 robust in the case where probe packets are lost due to other 422 reasons (including link transmission error, congestion). The 423 DPLPMTUD method treats isolated loss of a probe packet (with or 424 without an PTB message) as a potential indication of a PMTU limit 425 on the path, but not as an indictaion of congestion [CC]. 427 8. Shared PLPMTU state: The PLPMTU value could also be stored with 428 the corresponding entry in the destination cache and used by 429 other PL instances. The specification of PLPMTUD [RFC4821] 430 states: "If PLPMTUD updates the MTU for a particular path, all 431 Packetization Layer sessions that share the path representation 432 (as described in Section 5.2 of [RFC4821]) SHOULD be notified to 433 make use of the new MTU and make the required congestion control 434 adjustments". Such methods need to be robust to the wide variety 435 of underlying network forwarding behaviours, PLPMTU adjustments 436 based on shared PLPMTU values should be incorporated in the 437 search algorithms. Section 5.2 of [RFC8201] provides guidance on 438 the caching of PMTU information and also the relation to IPv6 439 flow labels. 441 In addition, the following principles are stated for design of a 442 DPLPMTUD method: 444 o MPS: A method MUST signal appropriate MPS to the higher layer 445 using the PL. This may change following a change to the path. The 446 method SHOULD avoid forcing an application to use an arbitrary 447 small MPS (PLPMTU) for transmission while the method is searching 448 for the currently supported PLPMTU. Datagram PLs do not 449 necessarily support fragmentation of PDUs larger than the PLPMTU. 450 A reduced MPS can adversely impact the performance of a datagram 451 application. 453 o Path validation: A method MUST be robust to path changes that 454 could have occurred since the path characteristics were last 455 confirmed, and to the possibility of inconsistent path information 456 being received. 458 o Datagram reordering: A method MUST be robust to the possibility 459 that a flow encounters reordering, or has the traffic (including 460 probe packets) is divided over more than one network path. 462 o When to probe: A method SHOULD determine whether the path capacity 463 has increased since it last measured the path. This determines 464 when the path should again be probed. 466 3.1. PLPMTU Probe Packets 468 The DPLPMTUD method relies upon the PL sender being able to generate 469 probe messages with a specific size. TCP is able to generate these 470 probe packets by choosing to appropriately segment data being sent 471 [RFC4821]. 473 In contrast, a datagram PL that needs to construct a probe packet has 474 to either request an application to send a data block that is larger 475 than that generated by an application, or to utilise padding 476 functions to extend a datagram beyond the size of the application 477 data block. Protocols that permit exchange of control messages 478 (without an application data block) could alternatively prefer to 479 generate a probe packet by extending a control message with padding 480 data. 482 When the method fails to validate the PLPMTU, it may be required to 483 send a probe packet with a size less than the size of the data block 484 generated by an application. In this case, the PL could provide a 485 way to fragment a datagram at the PL, or could instead utilise a 486 control packet with padding. 488 A receiver needs to be able to distinguish an in-band data block from 489 any added padding. This is needed to ensure that any added padding 490 is not passed on to an application at the receiver. 492 This results in three possible ways that a sender can create a probe 493 packet listed in order of preference: 495 Probing using padding data: A probe packet that contains only control 496 information together with any padding needed to inflate the packet 497 to the size required for the probe packet. Since these probe 498 packets do not carry an application-supplied data block,they do 499 not typically require retransmission, although they do still 500 consume network capacity and incur endpoint processing. 502 Probing using appication data and padding data: A probe packet that 503 contains a data block supplied by an application that is combined 504 with padding to inflate the length of the datagram to the size 505 required for the probe packet. If the application/transport needs 506 protection from the loss of this probe packet, the application/ 507 transport may perform transport-layer retransmission/repair of the 508 data block (e.g., by retransmission after loss is detected or by 509 duplicating the data block in a datagram without the padding 510 data). 512 Probing using appication data: A probe packet that contains a data 513 block supplied by an application that matches the size required 514 for the probe packet. This method requests the application to 515 issue a data block of the desired probe size. If the application/ 516 transport needs protection from the loss of an unsuccessful probe 517 packet, the application/transport needs then to perform transport- 518 layer retransmission/repair of the data block (e.g., by 519 retransmission after loss is detected). 521 A PL that uses a probe packet carrying an application data block, 522 could need to retransmit this application data block if the probe 523 fails. This could need the PL to re-fragment the data block to a 524 smaller packet size that is expected to traverse the end-to-end path 525 (which could utilise network-layer or PL fragmentation when these are 526 available). 528 DLPMTUD MAY choose to use only one of these methods to simplify the 529 implementation. 531 3.2. Validation of Probe Packet Size 533 The PL needs a method to determine when probe packets have been 534 successfully received end-to-end across a network path. 536 Transport protocols can include end-to-end methods that detect and 537 report reception of specific datagrams that they send (e.g., DCCP and 538 SCTP provide keep-alive/heartbeat features). When supported, this 539 mechanism SHOULD also be used by DPLPMTUD to acknowledge reception of 540 a probe packet. 542 A PL that does not acknowledge data reception (e.g., UDP and UDP- 543 Lite) is unable to detect when the packets that it sends are 544 discarded because their size is greater than the actual PMTU. These 545 PLs need to either rely on an application protocol to detect this 546 loss, or make use of an additional transport method such as UDP- 547 Options [I-D.ietf-tsvwg-udp-options]. In addition, they might need 548 to send reachability probes (e.g., periodically solicit a response 549 from the destination) to determine whether the last successfully 550 probed PLPMTU is still supported by the network path. 552 Section Section 4 specifies this function for a set of IETF-specified 553 protocols. 555 3.3. Reducing the PLPMTU: Confirming Path Characteristics 557 If the DPLPMTUD method detects that a packet with the PLPMTU size is 558 no supported by the network path, then the DLPMTUD method needs to 559 validate the PLPMTU. This can happen when a validated PTB message is 560 received, or another event that indicates the network path no longer 561 sustains this packet size, such as a loss report from the PL 563 All implementations of DPLPMTUD are REQUIRED to provide support that 564 reduces the PLPMTU when the actual PMTU supported by a network path 565 is less than the PLPMTU. 567 3.4. Increasing the PLPMTU: Supporting Path Changes 569 An implementation that only reduces the PLPMTU to a suitable size is 570 sufficient to ensure reliable operation, but may be very inefficient 571 when the actual PMTU changes or when the method (for whatever reason) 572 makes a suboptimal choice for the PLPMTU. 574 A full implementation of the DPLPMTUD method is RECOMMENDED to 575 provide a way for the sending PL endpoint to detect when the PLPMTU 576 is smaller than the actual PMTU size. This allows the sender to 577 increase the PLPMTU following a change in the characteristics of the 578 path, such as when a link is reconfigured with a larger MTU, or when 579 there is a change in the set of links traversed by an end-to-end flow 580 (e.g. after a routing or fail-over decision). 582 3.5. Robustness to inconsistent Path information 584 The decision to increase the PLPMTU needs to be robust to the 585 possibility that information learned about the path is inconsistent 586 (this could happen when probe packets are lost due to other reasons, 587 or some of the packets in a flow are forwarded along a portion of the 588 path that supports a different PMTU). 590 Frequent path changes could occur due to unexpected "flapping" - 591 where some packets from a flow pass along one path, but other packets 592 follow a different path with different properties. DPLPMTUD can be 593 made robust to these anomalies by introducing hysteresis into the 594 decision to increase the Maximum Packet Size. 596 XXX A future revision of this section will include recommend 597 appropriate methods to provide robustness. XXX 599 4. Datagram Packetization Layer PMTUD 601 This section specifies Datagram PLPMTUD (DPLPMTUD). This method can 602 be introduced at various points in the IP protocol stack, to discover 603 the PLPMTU so that the application can use an MPS appropriate to the 604 current network path. 606 (preamble) 608 +-----------+ 609 | APP* | 610 +-----------+ 611 __|| | | |___ 612 ___/ | | | \ 613 __/ | | | \__ 614 +------++-----+ | +------+ | 615 | QUIC*||UDPO*| | | SCTP*| | 616 +------++-----+ | +-+-----+ | 617 +-----+ +------+ 618 | UDP | | SCTP*| 619 +-----+ +------+ 620 | | 621 +----------------------+ 622 | Network Interface | 623 +----------------------+ 625 (postamble) 627 The central idea of DPLPMTUD is probing by a sender. Probe packets 628 of increasing size are sent to find out the maximum size of user 629 message that is completely transferred across the network path from 630 the sender to the destination. 632 4.1. PROBE_SEARCH: Probing for a larger PLPMTU 634 The DPLPMTUD method utilises probe packets to confirm that a packet 635 of size PROBE_SIZE can travere the network path. The PROBE_COUNT is 636 initialised to zero when a probe packet is first sent with a 637 particular size. 639 A timer is used to trigger the generation of probe packets. The 640 probe_timer is started each time a probe packet is sent to the 641 destination and is cancelled when receipt of the probe packet is 642 acknowledged. THE PROBE_SIZE is confirmed, and this value is then 643 assignmed to PLPMTU. The DPLPMTUD method may send subsequent probes 644 of an increasing size. Increasing probes follows a search strategy 645 as discussed in Section 4.7. 647 Each time the probe_timer expires, the PROBE_COUNT is incremented, 648 teh probe_timer is reinitialised, and a probe packet of the same size 649 is retransmitted. 651 The maximum number of retransmissions for a PROBE_SIZE is configured 652 (MAX_PROBES). If the value of the PROBE_COUNT reaches MAX_PROBES, 653 probing will stop. 655 4.2. The PROBE_DONE state 657 When the PL sender complete probing for a larger PLPMTU, it enters 658 the PROBE_DONE state. This starts the PMTU_RAISE_TIMER. While this 659 running, the PLPMTU remains at the value set in the last succesful 660 probe packet. 662 If the PL is designed in a way that is unable to verify reachability 663 to the destination endpoint after probing has completed, the method 664 uses a REACHABILITY_TIMER to periodically repeat a probe packet for 665 the current PLPMTU size, while the PMTU_RAISE_TIMER is running. If 666 the REACHABILITY_TIMER expires, the method exits the PROBE_DONE 667 state. The done state is also exited when a verified PTB message is 668 received. 670 If the PMTU_RAISE_TIMER expires, the PL sender also exits the 671 PROBE_DONE state, but in this case resumes probing from the size of 672 the PLPMTU. 674 4.3. Verification and Use of PTB Messages 676 This section describes processing for both IPv4 ICMP Unreachable 677 messages (type 3) and ICMPv6 packet too big messages. 679 A node that receives a PTB message from a router or middlebox, MUST 680 verify the PTB message. The node checks the protocol information in 681 the quoted payload to verify that the message originated from the 682 sending node. The node also checks that the reported MTU size is 683 less than the size used by packet probes. PTB messages are discarded 684 if they fail to pass these checks, or where there is insufficient 685 ICMP payload to perform these checks. The checks are intended to 686 provide protection from packets that originate from a node that is 687 not on the network path or a node that attempts to report a larger 688 MTU than the current probe size. 690 PTB messages that have been verified can be utilised by the DPLPMTUD 691 algorithm. A method that utilises these PTB messages can improve 692 performance compared to one that relies solely on probing. 694 4.4. Timers 696 The method in the previous subsections utilises three timers: 698 PROBE_TIMER: Configured to expire after a period longer than the 699 maximum time to receive an acknowledgment to a probe packet. This 700 value MUST be larger than 1 second, and SHOULD be larger than 15 701 seconds. Guidance on selection of the timer value are provide in 702 section 3.1.1 of the UDP Usage Guidelines [RFC8085]. 704 If the PL has an RTT estimate and timely acknowedgements the 705 PROBE_TIMER can be derrived from the PL RTT estimate. 707 PMTU_RAISE_TIMER: Configured to the period a sender ought to continue 708 use the current PLPMTU, after which it re-commences probing for a 709 higher PMTU. This timer has a period of 600 secs, as recommended 710 by DPLPMTUD [RFC4821]. 712 REACHABILITY_TIMER: Configured to the period a sender ought to wait 713 before confirming the current PLPMTU is still supported. This is 714 less than the PMTU_RAISE_TIMER and used to decrease the PLPMTU 715 (e.g. when a black hole is encountered). 717 DPLPMTUD ought to suspend reachability probes when no application 718 data has been sent since the previous probe packet. Guidance on 719 selection of the timer value are provide in section 3.1.1 of the 720 UDP Usage Guidelines[RFC8085]. DPLPMTUD ought to be suspended or 721 only sent in conjuction with out traffic during periods of 722 dormancy. This verification needs to be frequent enough when data 723 is flowing that you do not black hole extensive amounts of traffic 725 An implementation could implement the various timers using a single 726 timer process. 728 4.5. Constants 730 The following constants are defined: 732 MAX_PROBES: The maximum value of the PROBE_ERROR_COUNTER. The default 733 value of MAX_PROBES is 10. 735 MIN_PMTU: The smallest allowed probe packet size. For IPv6, this 736 value is 1280 bytes, as specified in [RFC2460]. For IPv4, the 737 minimum value is 68 bytes. (An IPv4 routed is required to be able 738 to forward a datagram of 68 octets without further fragmentation. 739 This is the combined size of an IPv4 header and the minimum 740 fragment size of 8 octets.) 742 BASE_PMTU: The BASE_PMTU is a considered a size that ought to work in 743 most cases. The size is equal to or larger than the minimum 744 permitted and smaller than the maximum allowed. In the case of 745 IPv6, this value is 1280 bytes [RFC2460]. When using IPv4, a size 746 of 1200 bytes is RECOMMENDED. 748 MAX_PMTU: The MAX_PMTU is the largest size of PLPMTU that is probed. 749 This has to be less than or equal to the minimum of the local MTU 750 of the outgoing interface and the destination PLMTU for receiving. 751 An application or PL may reduce this when it knows there is no 752 need to send packets above a specific size. 754 4.6. Variables 756 This method utilises a set of variables: 758 PROBE_TIMER: Configured to expire after a period longer than the 759 maximum time to receive an acknowledgment to a probe packet. This 760 value MUST be larger than 1 second, and SHOULD be larger than 15 761 seconds. Guidance on selection of the timer value are provide in 762 section 3.1.1 of the UDP Usage Guidelines [RFC8085]. 764 PL with RTT estimates may use values smaller than 1 seconded 765 derrived from their RTT estimate to speed up detection of 766 connectivity issues on the path. 768 PROBED_SIZE: The PROBED_SIZE is the size of the current probe packet. 769 This is a tentative value for the PLPMTU, which is awaiting 770 confirmation by an acknowledgment. 772 PROBE_COUNT: This is a count of the number of unsuccessful probe 773 packets that have been sent with size PROBED_SIZE. The value is 774 initialised to zero when a particular size of PROBED_SIZE is first 775 attempted. 777 PTB_SIZE: The PTB_Size is value returned by a verified PTB message 778 indicating the local MTU size of a router along the path. 780 4.7. Selecting PROBED_SIZE 782 Implementations discover the search range by validating the minimum 783 path MTU and then using the probe method to select a PROBED_SIZE less 784 than or equal to the maximum PMTU_MAX. Where PMTU_MAX is the minimum 785 of the local link MTU and EMTU_R (learned from the remote endpoint). 786 The PMTU_MAX MAY be constrained by an application that has a maximum 787 to the size of datagrams it wishes to send. 789 Implementations use a search algorithm to choose probe sizes within 790 the search range. 792 xxx A future version of this section will detail example methods for 793 selecting probe size values, but does not plan to mandate a single 794 method. xxx 795 Implementations MAY optimizse the search procedure by selecting step 796 sizes from a table of common PMTU sizes. 798 Implementations SHOULD select probe sizes to maximise the gain in 799 PLPMTU each search step. Implementations ought to take into 800 consideration useful probe size steps and a minimum useful gain in 801 PLPMTU. 803 4.8. Black Hole Detection 805 The DPLPMTUD method can be used to detect paths that fail to support 806 a packet size, but return no PTB message. The black hole detection 807 function detects such cases and responds by reducing the PLPMTU, 808 allowing the endpoint to inform the application of the reduced MPS 809 and accordingly send smaller packets. Black Hole detection is 810 triggered by the reachability function. 812 4.9. State Machine 814 A state machine for DPLPMTUD is depicted in Figure 2. If multihoming 815 is supported, a state machine is needed for each active path. 817 PROBE_TIMER expiry 818 (PROBE_COUNT = MAX_PROBES) 819 +-------------+ +--------------+ 820 =->| PROBE_START |--------------->|PROBE_DISABLED| 821 PROBE_TIMER expiry | +-------------+ +--------------+ 822 (PROBE_COUNT = | | | 823 MAX_PROBES) ------- | Connectivity confirmed 824 v 825 ----------- +------------+ -- PROBE_TIMER expiry 826 MAX_PMTU acked or | | PROBE_BASE | | (PROBE_COUNT < 827 PTB (>= BASE_PMTU)| -----> +------------+ <- MAX_PROBES) 828 ---------------- | /\ | | 829 | | | | | PTB 830 | PMTU_RAISE_TIMER| | | | (PTB_SIZE < BASE_PMTU) 831 | or reachability | | | | or 832 | (PROBE_COUNT | | | | PROBE_TIMER expiry 833 | = MAX_PROBES) | | | | (PROBE_COUNT = MAX_PROBES) 834 | ------------- | | \ 835 | | PTB | | \ 836 | | (< PROBED_SIZE)| | \ 837 | | | | ---------------- 838 | | | | | 839 | | | | Probe | 840 | | | | acked | 841 v | | v v 842 +------------+ +--------------+ Probe +-------------+ 843 | PROBE_DONE |<-------------- | PROBE_SEARCH |<-------| PROBE_ERROR | 844 +------------+ MAX_PMTU acked +--------------+ acked +-------------+ 845 /\ | or /\ | 846 | | PROBE_TIMER expiry | | 847 | |(PROBE_COUNT = MAX_PROBES) | | 848 | | | | 849 ------ -------- 850 Reachability probe acked PROBE_TIMER expiry 851 or PROBE_TIMER expiry (PROBE_COUNT < MAX_PROBES) 852 (PROBE_COUNT < MAX_PROBES) or 853 Probe acked 855 XXX A future version of this document will update the state machine 856 to describe handling of validated PTB messages. XXX 858 The following states are defined to reflect the probing process: 860 PROBE_START: The PROBE_START state is the initial state before 861 probing has started. PLPMTUD is not performed in this state. The 862 state transitions to PROBE_BASE, when a path has been confirmed, 863 i.e. when a sent packet has been acknowledged on this path. Any 864 transport method may be used to exit PROBE_BASE as long as the 865 send packet is acknowledge by the other side. The PLPMTU is set 866 to the BASE_PMTU size. Probing ought to start immediately after 867 connection setup to prevent the prevent the loss of user data. 869 PROBE_BASE: The PROBE_BASE state is the starting point for probing 870 with datagram PLPMTUD. It is used to confirm whether the BASE_PMTU 871 size is supported by the network path. On entry, the PROBED_SIZE 872 is set to the BASE_PMTU size and the PROBE_COUNT is set to zero. 873 A probe packet is sent, and the PROBE_TIMER is started. The state 874 is left when the PROBE_COUNT reaches MAX_PROBES; a PTB message is 875 verified, or a probe packet is acknowledged. 877 PROBE_SEARCH: The PROBE_SEARCH state is the main probing state. This 878 state is entered either when probing for the BASE_PMTU was 879 successful or when there is a successful reachability test in the 880 PROBE_ERROR state. On entry, the PLPMTU is set to the last 881 acknowledged PROBED_SIZE. 883 The PROBE_COUNT is set to zero when the first probe packet is sent 884 for each probe size. Each time a probe packet is acknowledged, 885 the PLPMTU is set to the PROBED_SIZE, and then the PROBED_SIZE is 886 increased. 888 When a probe packet is sent and not acknowledged within the period 889 of the PROBE_TIMER, the PROBE_COUNT is incremented and the probe 890 packet is retransmitted. The state is exited when the PROBE_COUNT 891 reaches MAX_PROBES; a PTB message is verified; or a probe of size 892 PMTU_MAX is acknowledged. 894 PROBE_ERROR: The PROBE_ERROR state represents the case where the 895 network path is not known to support an PLPMTU of at least the 896 BASE_PMTU size. It is entered when either a probe of size 897 BASE_PMTU has not been acknowledged or a verified PTB message 898 indicates a smaller link MTU than the BASE_PMTU. On entry, the 899 PROBE_COUNT is set to zero and the PROBED_SIZE is set to the 900 MIN_PMTU size, and the PLPMTU is reset to MIN_PMTU size. In this 901 state, a probe packet is sent, and the PROBE_TIMER is started. 902 The state transitions to the PROBE_SEARCH state when a probe 903 packet is acknowledged. 905 PROBE_DONE: The PROBE_DONE state indicates a successful end to a 906 probing phase. DPLPMTUD remains in this state until either the 907 PMTU_RAISE_TIMER expires or a received PTB message is verified. 909 When PLPMTUD uses an unacknowledged PL and is in the PROBE_DONE 910 state, a REACHABILITY_TIMER periodically resets the PROBE_COUNT 911 and schedules a probe packet with the size of the PLPMTU. If the 912 probe packet fails to be acknowledged after MAX_PROBES attempts, 913 the method enters the PROBE_BASE state. When used with an 914 acknowledged PL (e.g., SCTP), DPLPMTUD SHOULD NOT continue to 915 probe in this state. 917 PROBE_DISABLED: The PROBE_DISABLED state indicates that connectivity 918 could not be established. DPLPMTUD MUST NOT probe in this state. 920 Appendix Appendix A contains an informative description of key 921 events. 923 5. Specification of Protocol-Specific Methods 925 This section specifies protocol-specific details for datagram PLPMTUD 926 for IETF-specified transports. 928 The first subsection provides guidance on how to implement the 929 DPLPMTUD method as a part of an application using UDP or UDP-Lite. 930 The guidance also applies to other datagram services that do not 931 include a specific transport protocol (such as a tunnel 932 encapsulation). The following subsection describe how DPLPMTUD can be 933 implemented as a part of the transport service, allowing applications 934 using the service to benefit from discovery of the PLPMTU without 935 themselves needing to implement this method. 937 5.1. Application support for DPLPMTUD with UDP or UDP-Lite 939 The current specifications of UDP [RFC0768] and UDP-Lite [RFC3828] do 940 not define a method in the RFC-series that supports PLPMTUD. In 941 particular, the UDP transport does not provide the transport layer 942 features needed to implement datagram PLPMTUD. 944 The DPLPMTUD method can be implemented as a part of an application 945 built directly or indirectly on UDP or UDP-Lite, but relies on 946 higher-layer protocol features to implement the method [RFC8085]. 948 Some primitives used by DPLPMTUD might not be available via the 949 Datagram API (e.g., the ability to access the PLPMTU cache, or 950 interpret received ICMP PTB messages). 952 In addition, it is desirable that PMTU discovery is not performed by 953 multiple protocol layers. An application SHOULD avoid implementing 954 DPLPMTUD when the underlying transport system provides this 955 capability. Using a common method for manging the PLPMTU has 956 benefits, both in the ability to share state between different 957 processes and opportunities to coordinate probing. 959 5.1.1. Application Request 961 An application needs an application-layer protocol mechanism (such as 962 a message acknowledgement method) that solicits a response from a 963 destination endpoint. The method SHOULD allow the sender to check 964 the value returned in the response to provide additional protection 965 from off-path insertion of data [RFC8085], suitable methods include a 966 parameter known only to the two endpoints, such as a session ID or 967 initialised sequence number. 969 5.1.2. Application Response 970 An application needs an application-layer protocol mechanism to 971 communicate the response from the destination endpoint. This 972 response may indicate successful reception of the probe across the 973 path, but could also indicate that some (or all packets) have failed 974 to reach the destination. 976 5.1.3. Sending Application Probe Packets 978 A probe packet that may carry an application data block, but the 979 successful transmission of this data is at risk when used for 980 probing. Some applications may prefer to use a probe packet that 981 does not carry an application data block to avoid disruption to 982 normal data transfer. 984 5.1.4. Validating the Path 986 An application that does not have other higher-layer information 987 confirming correct delivery of datagrams SHOULD implement the 988 REACHABILITY_TIMER to periodically send probe packets while in the 989 PROBE_DONE state. 991 5.1.5. Handling of PTB Messages 993 An application that is able and wishes to receive PTB messages MUST 994 perform ICMP verification as specified in Section 5.2 of [RFC8085]. 995 This requires that the application verifies each received PTB 996 messages to verify these are received in response to transmitted 997 traffic and that the reported link MTU is less than the current probe 998 size. A verified PTB message MAY be used as input to the DPLPMTUD 999 algorithm, but MUST NOT be used directly to set the PLPMTU. 1001 5.2. DPLPMTUD with UDP Options 1003 UDP-Options [I-D.ietf-tsvwg-udp-options] can supply the additional 1004 functionality required to implement DPLPMTUD within the UDP transport 1005 service. This avoids the need for applications to implement the 1006 DPLPMTUD method. 1008 This enables padding to be added to UDP datagrams and can be used to 1009 provide feedback acknowledgement of received probe packets. 1011 The specification also defines two UDP Options to support DPLMTUD. 1013 Section 5.6 of [I-D.ietf-tsvwg-udp-options] defines the MSS option 1014 which allows the local sender to indicate the EMTU_R to the peer. 1015 This option can be used to initialise PMTU_MAX. An application 1016 wishing to avoid the effects of MSS-Clamping (where a middlebox 1017 changes the advertised TCP maximum sending size) ought to use a 1018 cryptographic method to encrypt this parameter. 1020 5.2.1. UDP Request Option 1022 The Request Option allows a sending endpoint to solicit a response 1023 from a destination endpoint. 1025 The Request Option carries a four byte token set by the sender. This 1026 token can be set to a value that is likely to be known only to the 1027 sender (and becomes known to nodes along the end-to-end path). The 1028 sender can then check the value returned in the response to provide 1029 additional protection from off-path insertion of data [RFC8085]. 1031 +---------+--------+-----------------+ 1032 | Kind=9 | Len=6 | Token | 1033 +---------+--------+-----------------+ 1034 1 byte 1 byte 4 bytes 1036 5.2.2. UDP Response Option 1038 The Response Option is generated by the PL in response to reception 1039 of a previously received Echo Request. The Token field associates 1040 the response with the Token value carried in the most recently- 1041 received Echo Request. The rate of generation of UDP packets 1042 carrying a Response Option MAY be rate-limited. 1044 +---------+--------+-----------------+ 1045 | Kind=10 | Len=6 | Token | 1046 +---------+--------+-----------------+ 1047 1 byte 1 byte 4 bytes 1049 5.3. DPLPMTUD for SCTP 1051 Section 10.2 of [RFC4821] specifies a recommended PLPMTUD probing 1052 method for SCTP. It recommends the use of the PAD chunk, defined in 1053 [RFC4820] to be attached to a minimum length HEARTBEAT chunk to build 1054 a probe packet. This enables probing without affecting the transfer 1055 of user messages and without interfering with congestion control. 1056 This is preferred to using DATA chunks (with padding as required) as 1057 path probes. 1059 XXX Future versions of this document might define a parameter 1060 contained in the INIT and INIT ACK chunk to indicate the remote peer 1061 MTU to the local peer. However, multihoming makes this a bit 1062 complex, so it might not be worth doing. XXX 1064 5.3.1. SCTP/IP4 and SCTP/IPv6 1066 The base protocol is specified in [RFC4960]. This provides an 1067 acknowledged PL. A sender can therefore enter the PROBE_BASE state as 1068 soon as connectivity has been confirmed. 1070 5.3.1.1. Sending SCTP Probe Packets 1071 Probe packets consist of an SCTP common header followed by a 1072 HEARTBEAT chunk and a PAD chunk. The PAD chunk is used to control 1073 the length of the probe packet. The HEARTBEAT chunk is used to 1074 trigger the sending of a HEARTBEAT ACK chunk. The reception of the 1075 HEARTBEAT ACK chunk acknowledges reception of a successful probe. 1077 The HEARTBEAT chunk carries a Heartbeat Information parameter which 1078 should include, besides the information suggested in [RFC4960], the 1079 probe size, which is the size of the complete datagram. The size of 1080 the PAD chunk is therefore computed by reducing the probing size by 1081 the IPv4 or IPv6 header size, the SCTP common header, the HEARTBEAT 1082 request and the PAD chunk header. The payload of the PAD chunk 1083 contains arbitrary data. 1085 To avoid fragmentation of retransmitted data, probing starts right 1086 after the handshake, before data is sent. Assuming normal behaviour 1087 (i.e., the PMTU is smaller than or equal to the interface MTU), this 1088 process will take a few round trip time periods depending on the 1089 number of PMTU sizes probed. The Heartbeat timer can be used to 1090 implement the PROBE_TIMER. 1092 5.3.1.2. Validating the Path with SCTP 1094 Since SCTP provides an acknowledged PL, a sender does MUST NOT 1095 implement the REACHABILITY_TIMER while in the PROBE_DONE state. 1097 5.3.1.3. PTB Message Handling by SCTP 1099 Normal ICMP verification MUST be performed as specified in Appendix C 1100 of [RFC4960]. This requires that the first 8 bytes of the SCTP 1101 common header are quoted in the payload of the PTB message, which can 1102 be the case for ICMPv4 and is normally the case for ICMPv6. 1104 When a PTB message has been verified, the router Link MTU indicated 1105 in the PTB message SHOULD be used with the DPLPMTUD algorithm, 1106 providing that the reported Link MTU is less than the current probe 1107 size. 1109 5.3.2. DPLPMTUD for SCTP/UDP 1111 The UDP encapsulation of SCTP is specified in [RFC6951]. 1113 5.3.2.1. Sending SCTP/UDP Probe Packets 1115 Packet probing can be performed as specified in Section 5.3.1.1. The 1116 maximum payload is reduced by 8 bytes, which has to be considered 1117 when filling the PAD chunk. 1119 5.3.2.2. Validating the Path with SCTP/UDP 1121 Since SCTP provides an acknowledged PL, a sender does MUST NOT 1122 implement the REACHABILITY_TIMER while in the PROBE_DONE state. 1124 5.3.2.3. Handling of PTB Messages by SCTP/UDP 1126 Normal ICMP verification MUST be performed for PTB messages as 1127 specified in Appendix C of [RFC4960]. This requires that the first 8 1128 bytes of the SCTP common header are contained in the PTB message, 1129 which can be the case for ICMPv4 (but note the UDP header also 1130 consumes a part of the quoted packet header) and is normally the case 1131 for ICMPv6. When the verification is completed, the router Link MTU 1132 size indicated in the PTB message SHOULD be used with the DPLPMTUD 1133 providing that the reported link MTU is less than the current probe 1134 size. 1136 5.3.3. DPLPMTUD for SCTP/DTLS 1138 The Datagram Transport Layer Security (DTLS) encapsulation of SCTP is 1139 specified in [I-D.ietf-tsvwg-sctp-dtls-encaps]. It is used for data 1140 channels in WebRTC implementations. 1142 5.3.3.1. Sending SCTP/DTLS Probe Packets 1144 Packet probing can be done as specified in Section 5.3.1.1. 1146 5.3.3.2. Validating the Path with SCTP/DTLS 1148 Since SCTP provides an acknowledged PL, a sender does MUST NOT 1149 implement the REACHABILITY_TIMER while in the PROBE_DONE state. 1151 5.3.3.3. Handling of PTB Messages by SCTP/DTLS 1153 It is not possible to perform normal ICMP verification as specified 1154 in [RFC4960], since even if the ICMP message payload contains 1155 sufficient information, the reflected SCTP common header would be 1156 encrypted. Therefore it is not possible to process PTB messages at 1157 the PL. 1159 5.4. DPLPMTUD for QUIC 1161 Quick UDP Internet Connection (QUIC) [I-D.ietf-quic-transport] is a 1162 UDP-based transport that provides reception feedback. 1164 Section 9.2 of [I-D.ietf-quic-transport] describes the path 1165 considerations when sending QUIC packets. It recommends the use of 1166 PADDING frames to build the probe packet. This enables probing the 1167 without affecting the transfer of other QUIC frames. 1169 This provides an acknowledged PL. A sender can therefore enter the 1170 PROBE_BASE state as soon as connectivity has been confirmed. 1172 5.4.1. Sending QUIC Probe Packets 1173 A probe packet consists of a QUIC Header and a payload containing 1174 only PADDING Frames. PADDING Frames are a single octet (0x00) and 1175 several of these can be used to create a probe packet of size 1176 PROBED_SIZE. QUIC provides an acknowledged PL. A sender can therefore 1177 enter the PROBE_BASE state as soon as connectivity has been 1178 confirmed. 1180 The current specification of QUIC sets the following: 1182 o BASE_PMTU: 1200. A QUIC sender needs to pad initial packets to 1183 1200 bytes to validate the path can support packets of a useful 1184 size. 1186 o MIN_PMTU: 1200 bytes. A QUIC sender that determines the PMTU has 1187 fallen below 1200 bytes MUST immediately stop sending on the 1188 affected path. 1190 5.4.2. Validating the Path with QUIC 1192 QUIC provides an acknowledged PL. A sender therefore MUST NOT 1193 implement the REACHABILITY_TIMER while in the PROBE_DONE state. 1195 5.4.3. Handling of PTB Messages by QUIC 1197 QUIC operates over the UDP transport, and the guidelines on ICMP 1198 verification as specified in Section 5.2 of [RFC8085] therefore 1199 apply. Although QUIC does not currently specify a method for 1200 validating ICMP responses, it does provide some guidelines to make it 1201 harder for an off-path attacker to inject ICMP messages. 1203 o Set the IPv4 Don't Fragment (DF) bit on a small proportion of 1204 packets, so that most invalid ICMP messages arrive when there are 1205 no DF packets outstanding, and can therefore be identified as 1206 spurious. 1208 o Store additional information from the IP or UDP headers from DF 1209 packets (for example, the IP ID or UDP checksum) to further 1210 authenticate incoming Datagram Too Big messages. 1212 o Any reduction in PMTU due to a report contained in an ICMP packet 1213 is provisional until QUIC's loss detection algorithm determines 1214 that the packet is actually lost. 1216 XXX The above list was pulled whole from quic-transport - input is 1217 invited from QUIC contributors. XXX 1219 6. Acknowledgements 1221 This work was partially funded by the European Union's Horizon 2020 1222 research and innovation programme under grant agreement No. 644334 1223 (NEAT). The views expressed are solely those of the author(s). 1225 7. IANA Considerations 1226 This memo includes no request to IANA. 1228 XXX If new UDP Options are specified in this document, a request to 1229 IANA will be included here. XXX 1231 If there are no requirements for IANA, the section will be removed 1232 during conversion into an RFC by the RFC Editor. 1234 8. Security Considerations 1236 The security considerations for the use of UDP and SCTP are provided 1237 in the references RFCs. Security guidance for applications using UDP 1238 is provided in the UDP Usage Guidelines [RFC8085]. 1240 There are cases where PTB messages are not delivered due to policy, 1241 configuration or equipment design (see Section 1.1), this method 1242 therefore does not rely upon PTB messages being received, but is able 1243 to utilise these when they are received by the sender. PTB messages 1244 could potentially be used to cause a node to inappropriately reduce 1245 the PLPMTU. A node supporting DPLPMTUD MUST therefore appropriately 1246 verify the payload of PTB messages to ensure these are received in 1247 response to transmitted traffic (i.e., a reported error condition 1248 that corresponds to a datagram actually sent by the path layer. 1250 Parallel forwarding paths may need to be considered. Section 3.5 1251 identifies the need for robustness in the method when the path 1252 information may be inconsistent. 1254 A node performing DPLPMTUD could experience conflicting information 1255 about the size of supported probe packets. This could occur when 1256 there are multiple paths are concurrently in use and these exhibit a 1257 different PMTU. If not considered, this could result in data being 1258 black holed when the PLPMTU is larger than the smallest PMTU across 1259 the current paths. 1261 An on-path attacker could forge PTB messages to drive down the PLPMTU 1263 9. References 1265 9.1. Normative References 1267 [I-D.ietf-quic-transport] 1268 Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed 1269 and Secure Transport", Internet-Draft draft-ietf-quic- 1270 transport-04, June 2017. 1272 [I-D.ietf-tsvwg-sctp-dtls-encaps] 1273 Tuexen, M., Stewart, R., Jesup, R. and S. Loreto, "DTLS 1274 Encapsulation of SCTP Packets", Internet-Draft draft-ietf- 1275 tsvwg-sctp-dtls-encaps-09, January 2015. 1277 [I-D.ietf-tsvwg-udp-options] 1278 Touch, J., "Transport Options for UDP", Internet-Draft 1279 draft-ietf-tsvwg-udp-options-01, June 2017. 1281 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 1282 August 1980. 1284 [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, 1285 RFC 792, DOI 10.17487/RFC0792, September 1981, . 1288 [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - 1289 Communication Layers", STD 3, RFC 1122, DOI 10.17487/ 1290 RFC1122, October 1989, . 1293 [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", 1294 RFC 1812, DOI 10.17487/RFC1812, June 1995, . 1297 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1298 Requirement Levels", BCP 14, RFC 2119, March 1997. 1300 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 1301 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, 1302 December 1998, . 1304 [RFC3828] Larzon, L-A., Degermark, M., Pink, S., Jonsson, L-E.Ed., 1305 and G. Fairhurst, Ed., "The Lightweight User Datagram 1306 Protocol (UDP-Lite)", RFC 3828, DOI 10.17487/RFC3828, July 1307 2004, . 1309 [RFC4820] Tuexen, M., Stewart, R. and P. Lei, "Padding Chunk and 1310 Parameter for the Stream Control Transmission Protocol 1311 (SCTP)", RFC 4820, DOI 10.17487/RFC4820, March 2007, 1312 . 1314 [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", 1315 RFC 4960, DOI 10.17487/RFC4960, September 2007, . 1318 [RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream 1319 Control Transmission Protocol (SCTP) Packets for End-Host 1320 to End-Host Communication", RFC 6951, DOI 10.17487/ 1321 RFC6951, May 2013, . 1324 [RFC8085] Eggert, L., Fairhurst, G. and G. Shepherd, "UDP Usage 1325 Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, 1326 March 2017, . 1328 [RFC8201] McCann, J., Deering, S., Mogul, J. and R. Hinden, Ed., 1329 "Path MTU Discovery for IP version 6", STD 87, RFC 8201, 1330 DOI 10.17487/RFC8201, July 2017, . 1333 9.2. Informative References 1335 [RFC1191] Mogul, J.C. and S.E. Deering, "Path MTU discovery", RFC 1336 1191, DOI 10.17487/RFC1191, November 1990, . 1339 [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", RFC 1340 2923, DOI 10.17487/RFC2923, September 2000, . 1343 [RFC4340] Kohler, E., Handley, M. and S. Floyd, "Datagram Congestion 1344 Control Protocol (DCCP)", RFC 4340, March 2006. 1346 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU 1347 Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, 1348 . 1350 [RFC4890] Davies, E. and J. Mohacsi, "Recommendations for Filtering 1351 ICMPv6 Messages in Firewalls", RFC 4890, DOI 10.17487/ 1352 RFC4890, May 2007, . 1355 Appendix A. Event-driven state changes 1357 This appendix contains an informative description of key events: 1359 Path Setup: When a new path is initiated, the state is set to 1360 PROBE_START. As soon as the path is confirmed, the state changes 1361 to PROBE_BASE and the probing mechanism for this path is started. 1362 the first probe packet is sent with the size of the BASE_PMTU. 1364 Arrival of an Acknowledgment: Depending on the probing state, the 1365 reaction differs according to Figure 5, which is just a 1366 simplification of Figure 2 focusing on this event. 1368 +--------------+ +----------------+ 1369 | PROBE_START | --3------------------------------->| PROBE_DISABLED | 1370 +--------------+ --4-----------\ +----------------+ 1371 \ 1372 +--------------+ \ 1373 | PROBE_ERROR | --------------- \ 1374 +--------------+ \ \ 1375 \ \ 1376 +--------------+ \ \ +--------------+ 1377 | PROBE_BASE | --1---------- \ ------------> | PROBE_BASE | 1378 +--------------+ --2----- \ \ +--------------+ 1379 \ \ \ 1380 +--------------+ \ \ ------------> +--------------+ 1381 | PROBE_SEARCH | --2--- \ -----------------> | PROBE_SEARCH | 1382 +--------------+ --1---\----\---------------------> +--------------+ 1383 \ \ 1384 +--------------+ \ \ +--------------+ 1385 | PROBE_DONE | \ -------------------> | PROBE_DONE | 1386 +--------------+ -----------------------> +--------------+ 1388 Condition 1: The maximum PMTU size has not yet been reached. 1389 Condition 2: The maximum PMTU size has been reached. Conition 3: 1390 Probe Timer expires and PROBE_COUNT = MAX_PROBEs. Condition 4: 1391 PROBE_ACK received. 1393 Probing timeout: The PROBE_COUNT is initialised to zero each time the 1394 value of PROBED_SIZE is changed. The PROBE_TIMER is started each 1395 time a probe packet is sent. It is stopped when an acknowledgment 1396 arrives that confirms delivery of a probe packet. If the probe 1397 packet is not acknowledged before the PROBE_TIMER expires, the 1398 PROBE_ERROR_COUNTER is incremented. When the PROBE_COUNT equals 1399 the value MAX_PROBES, the state is changed, otherwise a new probe 1400 packet of the same size (PROBED_SIZE) is resent. The state 1401 transitions are illustrated in Figure 6. This shows a 1402 simplification of Figure 2 with a focus only on this event. 1404 +--------------+ +----------------+ 1405 | PROBE_START |----------------------------------->| PROBE_DISABLED | 1406 +--------------+ +----------------+ 1408 +--------------+ +--------------+ 1409 | PROBE_ERROR | -----------------> | PROBE_ERROR | 1410 +--------------+ / +--------------+ 1411 / 1412 +--------------+ --2----------/ +--------------+ 1413 | PROBE_BASE | --1------------------------------> | PROBE_BASE | 1414 +--------------+ +--------------+ 1416 +--------------+ +--------------+ 1417 | PROBE_SEARCH | --1------------------------------> | PROBE_SEARCH | 1418 +--------------+ --2--------- +--------------+ 1419 \ 1420 +--------------+ \ +--------------+ 1421 | PROBE_DONE | -------------------> | PROBE_DONE | 1422 +--------------+ +--------------+ 1424 Condition 1: The maximum number of probe packets has not been 1425 reached. Condition 2: The maximum number of probe packets has been 1426 reached. 1428 PMTU raise timer timeout: The path through the network can change 1429 over time. It impossible to discover whether a path change has 1430 increased the actual PMTU by exchanging packets less than or equal 1431 to the PLPMTU. This requires PLPMTUD to periodically send a probe 1432 packet to detect whether a larger PMTU is possible. This probe 1433 packet is generated by the PMTU_RAISE_TIMER. When the timer 1434 expires, probing is restarted with the BASE_PMTU and the state is 1435 changed to PROBE_BASE. 1437 Arrival of an ICMP message: The active probing of the path can be 1438 supported by the arrival of PTB messages sent by routers or 1439 middleboxes with a link MTU that is smaller than the probe packet 1440 size. If the PTB message includes the router link MTU, three 1441 cases can be distinguished: 1443 1. The indicated link MTU in the PTB message is between the 1444 already probed and PLMTU and the probe that triggered the PTB 1445 message. 1447 2. The indicated link MTU in the PTB message is smaller than the 1448 PLPMTU. 1450 3. The indicated link MTU in the PTB message is equal to the 1451 BASE_PMTU. 1453 In first case, the PROBE_BASE state transitions to the PROBE_ERROR 1454 state. In the PROBE_SEARCH state, a new probe packet is sent with 1455 the sized reported by the PTB message. Its result is handled 1456 according to the former events. 1458 The second case could be a result of a network re-configuration. 1459 If the reported link MTU in the PTB message is greater than the 1460 BASE_MTU, the probing starts again with a value of PROBE_BASE. 1461 Otherwise, the method enters the state PROBE_ERROR. 1463 In the third case, the maximum possible PMTU has been reached. 1464 This ought to be probed again, because there could be a link 1465 further along the path with a still smaller MTU. 1467 Note: Not all routers include the link MTU size when they send a 1468 PTB message. If the PTB message does not indicate the link MTU, 1469 the probe is handled in the same way as condition 2 of Figure 6. 1471 Appendix B. Revision Notes 1473 Note to RFC-Editor: please remove this entire section prior to 1474 publication. 1476 Individual draft -00: 1478 o Comments and corrections are welcome directly to the authors or 1479 via the IETF TSVWG working group mailing list. 1481 o This update is proposed for WG comments. 1483 Individual draft -01: 1485 o Contains the first representation of the algorithm, showing the 1486 states and timers 1488 o This update is proposed for WG comments. 1490 Individual draft -02: 1492 o Contains updated representation of the algorithm, and textual 1493 corrections. 1495 o The text describing when to set the effective PMTU has not yet 1496 been verified by the authors 1498 o To determine security to off-path-attacks: We need to decide 1499 whether a received PTB message SHOULD/MUST be verified? The text 1500 on how to handle a PTB message indicating a link MTU larger than 1501 the probe has yet not been verified by the authors 1503 o No text currently describes how to handle inconsistent results 1504 from arbitrary re-routing along different parallel paths 1506 o This update is proposed for WG comments. 1508 Working Group draft -00: 1510 o This draft follows a successful adoption call for TSVWG 1512 o There is still work to complete, please comment on this draft. 1514 Working Group draft -01: 1516 o This draft includes improved introduction. 1518 o The draft is updated to require ICMP validation prior to accepting 1519 PTB messages - this to be confirmed by WG 1521 o Section added to discuss Selection of Probe Size - methods to be 1522 evlauated and recommendations to be considered 1524 o Section added to align with work proposed in the QUIC WG. 1526 Working Group draft -02: 1528 o The draft was updated based on feedback from the WG, and a 1529 detailed review by Magnus Westerlund. 1531 o The document updates RFC 4821. 1533 o Requirements list updated. 1535 o Added more explicit discussion of a simpler black-hole detection 1536 mode. 1538 o This draft includes reorganisation of the section on IETF 1539 protocols. 1541 o Added more discussion of implementation within an application. 1543 o Added text on flapping paths. 1545 o Replaced 'effective MTU' with new term PLPMTU. 1547 Authors' Addresses 1549 Godred Fairhurst 1550 University of Aberdeen 1551 School of Engineering 1552 Fraser Noble Building 1553 Aberdeen, AB24 3U 1554 UK 1556 Email: gorry@erg.abdn.ac.uk 1557 Tom Jones 1558 University of Aberdeen 1559 School of Engineering 1560 Fraser Noble Building 1561 Aberdeen, AB24 3U 1562 UK 1564 Email: tom@erg.abdn.ac.uk 1566 Michael Tuexen 1567 Muenster University of Applied Sciences 1568 Stegerwaldstrasse 39 1569 Stein fart, 48565 1570 DE 1572 Email: tuexen@fh-muenster.de 1574 Irene Ruengeler 1575 Muenster University of Applied Sciences 1576 Stegerwaldstrasse 39 1577 Stein fart, 48565 1578 DE 1580 Email: i.ruengeler@fh-muenster.de