idnits 2.17.1 draft-ietf-tsvwg-datagram-plpmtud-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 2 characters in excess of 72. -- The abstract seems to indicate that this document updates RFC8201, but the header doesn't have an 'Updates:' line to match this. -- The abstract seems to indicate that this document updates RFC4821, but the header doesn't have an 'Updates:' line to match this. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (4 November 2019) is 1634 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-34) exists of draft-ietf-quic-transport-20 ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200) ** Obsolete normative reference: RFC 4960 (Obsoleted by RFC 9260) == Outdated reference: A later version (-13) exists of draft-ietf-intarea-tunnels-09 Summary: 3 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force G. Fairhurst 3 Internet-Draft T. Jones 4 Updates4821 (if approved) University of Aberdeen 5 Intended status: Standards Track M. Tuexen 6 Expires: 7 May 2020 I. Ruengeler 7 T. Voelker 8 Muenster University of Applied Sciences 9 4 November 2019 11 Packetization Layer Path MTU Discovery for Datagram Transports 12 draft-ietf-tsvwg-datagram-plpmtud-09 14 Abstract 16 This document describes a robust method for Path MTU Discovery 17 (PMTUD) for datagram Packetization Layers (PLs). It describes an 18 extension to RFC 1191 and RFC 8201, which specifies ICMP-based Path 19 MTU Discovery for IPv4 and IPv6. The method allows a PL, or a 20 datagram application that uses a PL, to discover whether a network 21 path can support the current size of datagram. This can be used to 22 detect and reduce the message size when a sender encounters a network 23 black hole (where packets are discarded). The method can probe a 24 network path with progressively larger packets to discover whether 25 the maximum packet size can be increased. This allows a sender to 26 determine an appropriate packet size, providing functionally for 27 datagram transports that is equivalent to the Packetization Layer 28 PMTUD specification for TCP, specified in RFC 4821. 30 The document also provides implementation notes for incorporating 31 Datagram PMTUD into IETF datagram transports or applications that use 32 datagram transports. 34 When published, this specification updates RFC 4821. 36 Status of This Memo 38 This Internet-Draft is submitted in full conformance with the 39 provisions of BCP 78 and BCP 79. 41 Internet-Drafts are working documents of the Internet Engineering 42 Task Force (IETF). Note that other groups may also distribute 43 working documents as Internet-Drafts. The list of current Internet- 44 Drafts is at https://datatracker.ietf.org/drafts/current/. 46 Internet-Drafts are draft documents valid for a maximum of six months 47 and may be updated, replaced, or obsoleted by other documents at any 48 time. It is inappropriate to use Internet-Drafts as reference 49 material or to cite them other than as "work in progress." 51 This Internet-Draft will expire on 7 May 2020. 53 Copyright Notice 55 Copyright (c) 2019 IETF Trust and the persons identified as the 56 document authors. All rights reserved. 58 This document is subject to BCP 78 and the IETF Trust's Legal 59 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 60 license-info) in effect on the date of publication of this document. 61 Please review these documents carefully, as they describe your rights 62 and restrictions with respect to this document. Code Components 63 extracted from this document must include Simplified BSD License text 64 as described in Section 4.e of the Trust Legal Provisions and are 65 provided without warranty as described in the Simplified BSD License. 67 Table of Contents 69 1. Introduction (name-introduction) . . . . . . . . . . . . . . 4 70 1.1. Classical Path MTU Discovery 71 (name-classical-path-mtu-discover) . . . . . . . . . . . 4 72 1.2. Packetization Layer Path MTU Discovery 73 (name-packetization-layer-path-mt) . . . . . . . . . . . 6 74 1.3. Path MTU Discovery for Datagram Services 75 (name-path-mtu-discovery-for-data) . . . . . . . . . . . 7 76 2. Terminology (name-terminology) . . . . . . . . . . . . . . . 8 77 3. Features Required to Provide Datagram PLPMTUD 78 (name-features-required-to-provid) . . . . . . . . . . . . . . 10 79 4. DPLPMTUD Mechanisms (name-dplpmtud-mechanisms) . . . . . . . 12 80 4.1. PLPMTU Probe Packets (name-plpmtu-probe-packets) . . . . 13 81 4.2. Confirmation of Probed Packet Size 82 (name-confirmation-of-probed-pack) . . . . . . . . . . . 14 83 4.3. Detection of Unsupported PLPMTU Size, aka Black Hole 84 Detection (name-detection-of-unsupported-pl) . . . . . . 14 85 4.4. Disabling the Effect of PMTUD 86 (name-disabling-the-effect-of-pmt) . . . . . . . . . . . 15 87 4.5. Response to PTB Messages 88 (name-response-to-ptb-messages) . . . . . . . . . . . . . 15 89 4.5.1. Validation of PTB Messages 90 (name-validation-of-ptb-messages) . . . . . . . . . . 16 91 4.5.2. Use of PTB Messages 92 (name-use-of-ptb-messages) . . . . . . . . . . . . . 17 93 5. Datagram Packetization Layer PMTUD 94 (name-datagram-packetization-laye) . . . . . . . . . . . . . . 18 95 5.1. DPLPMTUD Components (name-dplpmtud-components) . . . . . 18 96 5.1.1. Timers (name-timers) . . . . . . . . . . . . . . . . 19 97 5.1.2. Constants (name-constants) . . . . . . . . . . . . . 20 98 5.1.3. Variables (name-variables) . . . . . . . . . . . . . 20 99 5.1.4. Overview of DPLPMTUD Phases 100 (name-overview-of-dplpmtud-phases) . . . . . . . . . 21 101 5.2. State Machine (name-state-machine) . . . . . . . . . . . 23 102 5.3. Search to Increase the PLPMTU 103 (name-search-to-increase-the-plpm) . . . . . . . . . . . 26 104 5.3.1. Probing for a larger PLPMTU 105 (name-probing-for-a-larger-plpmtu) . . . . . . . . . 26 106 5.3.2. Selection of Probe Sizes 107 (name-selection-of-probe-sizes) . . . . . . . . . . . 27 108 5.3.3. Resilience to Inconsistent Path Information 109 (name-resilience-to-inconsistent-) . . . . . . . . . 28 110 5.4. Robustness to Inconsistent Paths 111 (name-robustness-to-inconsistent-) . . . . . . . . . . . 28 112 6. Specification of Protocol-Specific Methods 113 (name-specification-of-protocol-s) . . . . . . . . . . . . . . 28 114 6.1. Application support for DPLPMTUD with UDP or UDP-Lite 115 (name-application-support-for-dpl) . . . . . . . . . . . 28 116 6.1.1. Application Request 117 (name-application-request) . . . . . . . . . . . . . 29 118 6.1.2. Application Response 119 (name-application-response) . . . . . . . . . . . . . 29 120 6.1.3. Sending Application Probe Packets 121 (name-sending-application-probe-p) . . . . . . . . . 29 122 6.1.4. Initial Connectivity 123 (name-initial-connectivity) . . . . . . . . . . . . . 29 124 6.1.5. Validating the Path 125 (name-validating-the-path) . . . . . . . . . . . . . 30 126 6.1.6. Handling of PTB Messages 127 (name-handling-of-ptb-messages) . . . . . . . . . . . 30 128 6.2. DPLPMTUD for SCTP (name-dplpmtud-for-sctp) . . . . . . . 30 129 6.2.1. SCTP/IPv4 and SCTP/IPv6 130 (name-sctp-ipv4-and-sctp-ipv6) . . . . . . . . . . . 30 131 6.2.2. DPLPMTUD for SCTP/UDP 132 (name-dplpmtud-for-sctp-udp) . . . . . . . . . . . . 31 133 6.2.3. DPLPMTUD for SCTP/DTLS 134 (name-dplpmtud-for-sctp-dtls) . . . . . . . . . . . . 32 135 6.3. DPLPMTUD for QUIC (name-dplpmtud-for-quic) . . . . . . . 32 136 6.3.1. Initial Connectivity 137 (name-initial-connectivity-5) . . . . . . . . . . . . 33 138 6.3.2. Sending QUIC Probe Packets 139 (name-sending-quic-probe-packets) . . . . . . . . . . 33 140 6.3.3. Validating the Path with QUIC 141 (name-validating-the-path-with-qu) . . . . . . . . . 33 142 6.3.4. Handling of PTB Messages by QUIC 143 (name-handling-of-ptb-messages-by-q) . . . . . . . . 34 145 7. Acknowledgements (name-acknowledgements) . . . . . . . . . . 34 146 8. IANA Considerations (name-iana-considerations) . . . . . . . 34 147 9. Security Considerations (name-security-considerations) . . . 34 148 10. References (name-references) . . . . . . . . . . . . . . . . 35 149 10.1. Normative References (name-normative-references) . . . . 35 150 10.2. Informative References 151 (name-informative-references) . . . . . . . . . . . . . 36 152 A. Revision Notes (name-revision-notes) . . . . . . . . . . . . 37 153 B Authors' Addresses (name-authors-addresses) . . . . . . . . . 41 155 1. Introduction 157 The IETF has specified datagram transport using UDP, SCTP, and DCCP, 158 as well as protocols layered on top of these transports (e.g., SCTP/ 159 UDP, DCCP/UDP, QUIC/UDP), and direct datagram transport over the IP 160 network layer. This document describes a robust method for Path MTU 161 Discovery (PMTUD) that may be used with these transport protocols (or 162 the applications that use their transport service) to discover an 163 appropriate size of packet to use across an Internet path. 165 1.1. Classical Path MTU Discovery 167 Classical Path Maximum Transmission Unit Discovery (PMTUD) can be 168 used with any transport that is able to process ICMP Packet Too Big 169 (PTB) messages (e.g., [RFC1191] and [RFC8201]). In this document, 170 the term PTB message is applied to both IPv4 ICMP Unreachable 171 messages (type 3) that carry the error Fragmentation Needed (Type 3, 172 Code 4) [RFC0792] and ICMPv6 Packet Too Big messages (Type 2) 173 [RFC4443]. When a sender receives a PTB message, it reduces the 174 effective MTU to the value reported as the Link MTU in the PTB 175 message, and a method that from time-to-time increases the packet 176 size in attempt to discover an increase in the supported PMTU. The 177 packets sent with a size larger than the current effective PMTU are 178 known as probe packets. 180 Packets not intended as probe packets are either fragmented to the 181 current effective PMTU, or the attempt to send fails with an error 182 code. Applications are sometimes provided with a primitive to let 183 them read the Maximum Packet Size (MPS), derived from the current 184 effective PMTU. 186 Classical PMTUD is subject to protocol failures. One failure arises 187 when traffic using a packet size larger than the actual PMTU is 188 black-holed (all datagrams sent with this size, or larger, are 189 discarded). This could arise when the PTB messages are not delivered 190 back to the sender for some reason (see for example [RFC2923]). 192 Examples where PTB messages are not delivered include: 194 * The generation of ICMP messages is usually rate limited. This 195 could result in no PTB messages being generated to the sender (see 196 section 2.4 of [RFC4443]) 198 * ICMP messages can be filtered by middleboxes (including firewalls) 199 [RFC4890]. A stateful firewall could be configured with a policy 200 to block incoming ICMP messages, which would prevent reception of 201 PTB messages to a sending endpoint behind this firewall. 203 * When the router issuing the ICMP message drops a tunneled packet, 204 the resulting ICMP message will be directed to the tunnel ingress. 205 This tunnel endpoint is responsible for forwarding the ICMP 206 message and also processing the quoted packet within the payload 207 field to remove the effect of the tunnel, and return a correctly 208 formatted ICMP message to the sender [I-D.ietf-intarea-tunnels]. 209 Failure to do this prevents the PTB message reaching the original 210 sender. 212 * Asymmetry in forwarding can result in there being no return route 213 to the original sender, which would prevent an ICMP message being 214 delivered to the sender. This issue can also arise when policy- 215 based routing is used, Equal Cost Multipath (ECMP) routing is 216 used, or a middlebox acts as an application load balancer. An 217 example is where the path towards the server is chosen by ECMP 218 routing depending on bytes in the IP payload. In this case, when 219 a packet sent by the server encounters a problem after the ECMP 220 router, then any resulting ICMP message needs to also be directed 221 by the ECMP router towards the original sender. 223 * There are additional cases where the next hop destination fails to 224 receive a packet because of its size. This could be due to 225 misconfiguration of the layer 2 path between nodes, for instance 226 the MTU configured in a layer 2 switch, or misconfiguration of the 227 Maximum Receive Unit (MRU). If the packet is dropped by the link, 228 this will not cause a PTB message to be sent to the original 229 sender. 231 Another failure could result if a node that is not on the network 232 path sends a PTB message that attempts to force a sender to change 233 the effective PMTU [RFC8201]. A sender can protect itself from 234 reacting to such messages by utilising the quoted packet within a PTB 235 message payload to validate that the received PTB message was 236 generated in response to a packet that had actually originated from 237 the sender. However, there are situations where a sender would be 238 unable to provide this validation. Examples where validation of the 239 PTB message is not possible include: 241 * When a router issuing the ICMP message implements RFC792 242 [RFC0792], it is only required to include the first 64 bits of the 243 IP payload of the packet within the quoted payload. There could 244 be insufficient bytes remaining for the sender to interpret the 245 quoted transport information. 247 Note: The recommendation in RFC1812 [RFC1812] is that IPv4 routers 248 return a quoted packet with as much of the original datagram as 249 possible without the length of the ICMP datagram exceeding 576 250 bytes. IPv6 routers include as much of the invoking packet as 251 possible without the ICMPv6 packet exceeding 1280 bytes [RFC4443]. 253 * The use of tunnels/encryption can reduce the size of the quoted 254 packet returned to the original source address, increasing the 255 risk that there could be insufficient bytes remaining for the 256 sender to interpret the quoted transport information. 258 * Even when the PTB message includes sufficient bytes of the quoted 259 packet, the network layer could lack sufficient context to 260 validate the message, because validation depends on information 261 about the active transport flows at an endpoint node (e.g., the 262 socket/address pairs being used, and other protocol header 263 information). 265 * When a packet is encapsulated/tunneled over an encrypted 266 transport, the tunnel/encapsulation ingress might have 267 insufficient context, or computational power, to reconstruct the 268 transport header that would be needed to perform validation. 270 1.2. Packetization Layer Path MTU Discovery 272 The term Packetization Layer (PL) has been introduced to describe the 273 layer that is responsible for placing data blocks into the payload of 274 IP packets and selecting an appropriate MPS. This function is often 275 performed by a transport protocol, but can also be performed by other 276 encapsulation methods working above the transport layer. 278 In contrast to PMTUD, Packetization Layer Path MTU Discovery 279 (PLPMTUD) [RFC4821] does not rely upon reception and validation of 280 PTB messages. It is therefore more robust than Classical PMTUD. 281 This has become the recommended approach for implementing PMTU 282 discovery with TCP. 284 It uses a general strategy where the PL sends probe packets to search 285 for the largest size of unfragmented datagram that can be sent over a 286 network path. Probe packets are sent with a progressively larger 287 packet size. If a probe packet is successfully delivered (as 288 determined by the PL), then the PLPMTU is raised to the size of the 289 successful probe. If no response is received to a probe packet, the 290 method reduces the probe size. The result of probing with the PLPMTU 291 is used to set the application MPS. 293 PLPMTUD introduces flexibility in the implementation of PMTU 294 discovery. At one extreme, it can be configured to only perform ICMP 295 Black Hole Detection and recovery to increase the robustness of 296 Classical PMTUD, or at the other extreme, all PTB processing can be 297 disabled and PLPMTUD can completely replace Classical PMTUD (see 298 Section 4.5). 300 PLPMTUD can also include additional consistency checks without 301 increasing the risk that data is lost when probing to discover the 302 path MTU. For example, information available at the PL, or higher 303 layers, enables received PTB messages to be validated before being 304 utilized. 306 1.3. Path MTU Discovery for Datagram Services 308 Section 5 of this document presents a set of algorithms for datagram 309 protocols to discover the largest size of unfragmented datagram that 310 can be sent over a network path. The method described relies on 311 features of the PL described in Section 3 and applies to transport 312 protocols operating over IPv4 and IPv6. It does not require 313 cooperation from the lower layers, although it can utilize PTB 314 messages when these received messages are made available to the PL. 316 The UDP Usage Guidelines [RFC8085] state "an application SHOULD 317 either use the Path MTU information provided by the IP layer or 318 implement Path MTU Discovery (PMTUD)", but does not provide a 319 mechanism for discovering the largest size of unfragmented datagram 320 that can be used on a network path. Prior to this document, PLPMTUD 321 had not been specified for UDP. 323 Section 10.2 of [RFC4821] recommends a PLPMTUD probing method for the 324 Stream Control Transport Protocol (SCTP). SCTP utilizes probe 325 packets consisting of a minimal sized HEARTBEAT chunk bundled with a 326 PAD chunk as defined in [RFC4820], but RFC4821 does not provide a 327 complete specification. The present document provides the details to 328 complete that specification. 330 The Datagram Congestion Control Protocol (DCCP) [RFC4340] requires 331 implementations to support Classical PMTUD and states that a DCCP 332 sender "MUST maintain the MPS allowed for each active DCCP session". 333 It also defines the current congestion control MPS (CCMPS) supported 334 by a network path. This recommends use of PMTUD, and suggests use of 335 control packets (DCCP-Sync) as path probe packets, because they do 336 not risk application data loss. The method defined in this 337 specification could be used with DCCP. 339 Section 6 specifies the method for a set of transports, and provides 340 information to enable the implementation of PLPMTUD with other 341 datagram transports and applications that use datagram transports. 343 2. Terminology 345 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 346 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 347 "OPTIONAL" in this document are to be interpreted as described in BCP 348 14 [RFC2119] [RFC8174] when, and only when, they appear in all 349 capitals, as shown here. 351 Other terminology is directly copied from [RFC4821], and the 352 definitions in [RFC1122]. 354 Actual PMTU: The Actual PMTU is the PMTU of a network path between a 355 sender PL and a destination PL, which the DPLPMTUD algorithm seeks 356 to determine. 358 Black Hole: A Black Hole is encountered when a sender is unaware 359 that packets are not being delivered to the destination end point. 360 Two types of Black Hole are relevant to DPLPMTUD: 362 Packet Black Hole: Packets encounter a Packet Black Hole when 363 packets are not delivered to the destination 364 endpoint (e.g., when the sender transmits 365 packets of a particular size with a previously 366 known effective PMTU and they are discarded by 367 the network). 369 ICMP Black Hole An ICMP Black Hole is encountered when the 370 sender is unaware that packets are not 371 delivered to the destination endpoint because 372 PTB messages are not received by the 373 originating PL sender. 375 Black holed : Traffic is black-holed when the sender is unaware that 376 packets are not being delivered. This could be due to a Packet 377 Black Hole or an ICMP Black Hole. 379 Classical Path MTU Discovery: Classical PMTUD is a process described 380 in [RFC1191] and [RFC8201], in which nodes rely on PTB messages to 381 learn the largest size of unfragmented datagram that can be used 382 across a network path. 384 Datagram: A datagram is a transport-layer protocol data unit, 385 transmitted in the payload of an IP packet. 387 Effective PMTU: The Effective PMTU is the current estimated value 388 for PMTU that is used by a PMTUD. This is equivalent to the 389 PLPMTU derived by PLPMTUD. 391 EMTU_S: The Effective MTU for sending (EMTU_S) is defined in 392 [RFC1122] as "the maximum IP datagram size that may be sent, for a 393 particular combination of IP source and destination addresses...". 395 EMTU_R: The Effective MTU for receiving (EMTU_R) is designated in 396 [RFC1122] as the largest datagram size that can be reassembled by 397 EMTU_R (Effective MTU to receive). 399 Link: A Link is a communication facility or medium over which nodes 400 can communicate at the link layer, i.e., a layer below the IP 401 layer. Examples are Ethernet LANs and Internet (or higher) layer 402 and tunnels. 404 Link MTU: The Link Maximum Transmission Unit (MTU) is the size in 405 bytes of the largest IP packet, including the IP header and 406 payload, that can be transmitted over a link. Note that this 407 could more properly be called the IP MTU, to be consistent with 408 how other standards organizations use the acronym. This includes 409 the IP header, but excludes link layer headers and other framing 410 that is not part of IP or the IP payload. Other standards 411 organizations generally define the link MTU to include the link 412 layer headers. 414 MAX_PMTU: The MAX_PMTU is the largest size of PLPMTU that DPLPMTUD 415 will attempt to use. 417 MPS: The Maximum Packet Size (MPS) is the largest size of 418 application data block that can be sent across a network path by a 419 PL. In DPLPMTUD this quantity is derived from the PLPMTU by 420 taking into consideration the size of the lower protocol layer 421 headers. Probe packets generated by DPLPMTUD can have a size 422 larger than the MPS. 424 MIN_PMTU: The MIN_PMTU is the smallest size of PLPMTU that DPLPMTUD 425 will attempt to use. 427 Packet: A Packet is the IP header plus the IP payload. 429 Packetization Layer (PL): The Packetization Layer (PL) is the layer 430 of the network stack that places data into packets and performs 431 transport protocol functions. 433 Path: The Path is the set of links and routers traversed by a packet 434 between a source node and a destination node by a particular flow. 436 Path MTU (PMTU): The Path MTU (PMTU) is the minimum of the Link MTU 437 of all the links forming a network path between a source node and 438 a destination node. 440 PTB_SIZE: The PTB_SIZE is a value reported in a validated PTB 441 message that indicates next hop link MTU of a router along the 442 path. 444 PLPMTU: The Packetization Layer PMTU is an estimate of the actual 445 PMTU provided by the DPLPMTUD algorithm. 447 PLPMTUD: Packetization Layer Path MTU Discovery (PLPMTUD), the 448 method described in this document for datagram PLs, which is an 449 extension to Classical PMTU Discovery. 451 Probe packet: A probe packet is a datagram sent with a purposely 452 chosen size (typically the current PLPMTU or larger) to detect if 453 packets of this size can be successfully sent end-to-end across 454 the network path. 456 3. Features Required to Provide Datagram PLPMTUD 458 TCP PLPMTUD has been defined using standard TCP protocol mechanisms. 459 All of the requirements in [RFC4821] also apply to the use of the 460 technique with a datagram PL. Unlike TCP, some datagram PLs require 461 additional mechanisms to implement PLPMTUD. 463 There are eight requirements for performing the datagram PLPMTUD 464 method described in this specification: 466 1. PMTU parameters: A DPLPMTUD sender is RECOMMENDED to provide 467 information about the maximum size of packet that can be 468 transmitted by the sender on the local link (the local Link MTU). 469 It MAY utilize similar information about the receiver when this 470 is supplied (note this could be less than EMTU_R). This avoids 471 implementations trying to send probe packets that can not be 472 transmitted by the local link. Too high of a value could reduce 473 the efficiency of the search algorithm. Some applications also 474 have a maximum transport protocol data unit (PDU) size, in which 475 case there is no benefit from probing for a size larger than this 476 (unless a transport allows multiplexing multiple applications 477 PDUs into the same datagram). 479 2. PLPMTU: A datagram application using a PL not supporting 480 fragmentation is REQUIRED to be able to choose the size of 481 datagrams sent to the network, up to the PLPMTU, or a smaller 482 value (such as the MPS) derived from this. This value is managed 483 by the DPLPMTUD method. The PLPMTU (specified as the effective 484 PMTU in Section 1 of [RFC1191]) is equivalent to the EMTU_S 485 (specified in [RFC1122]). 487 3. Probe packets: On request, a DPLPMTUD sender is REQUIRED to be 488 able to transmit a packet larger than the PLMPMTU. This is used 489 to send a probe packet. In IPv4, a probe packet MUST be sent 490 with the Don't Fragment (DF) bit set in the IP header, and 491 without network layer endpoint fragmentation. In IPv6, a probe 492 packet is always sent without source fragmentation (as specified 493 in section 5.4 of [RFC8201]). 495 4. Processing PTB messages: A DPLPMTUD sender MAY optionally utilize 496 PTB messages received from the network layer to help identify 497 when a network path does not support the current size of probe 498 packet. Any received PTB message MUST be validated before it is 499 used to update the PLPMTU discovery information [RFC8201]. This 500 validation confirms that the PTB message was sent in response to 501 a packet originating by the sender, and needs to be performed 502 before the PLPMTU discovery method reacts to the PTB message. A 503 PTB message MUST NOT be used to increase the PLPMTU [RFC8201]. 505 5. Reception feedback: The destination PL endpoint is REQUIRED to 506 provide a feedback method that indicates to the DPLPMTUD sender 507 when a probe packet has been received by the destination PL 508 endpoint. The mechanism needs to be robust to the possibility 509 that packets could be significantly delayed along a network path. 510 The local PL endpoint at the sending node is REQUIRED to pass 511 this feedback to the sender DPLPMTUD method. 513 6. Probe loss recovery: It is RECOMMENDED to use probe packets that 514 do not carry any user data. Most datagram transports permit 515 this. If a probe packet contains user data requiring 516 retransmission in case of loss, the PL (or layers above) are 517 REQUIRED to arrange any retransmission/repair of any resulting 518 loss. DPLPMTUD is REQUIRED to be robust in the case where probe 519 packets are lost due to other reasons (including link 520 transmission error, congestion). 522 7. Probing and congestion control: The DPLPMTUD sender treats 523 isolated loss of a probe packet (with or without a corresponding 524 PTB message) as a potential indication of a PMTU limit for the 525 path. Loss of a probe packet SHOULD NOT be treated as an 526 indication of congestion and the loss SHOULD NOT directly trigger 527 a congestion control reaction [RFC4821]. 529 8. Shared PLPMTU state: The PLPMTU value could also be stored with 530 the corresponding entry in the destination cache and used by 531 other PL instances. The specification of PLPMTUD [RFC4821] 532 states: "If PLPMTUD updates the MTU for a particular path, all 533 Packetization Layer sessions that share the path representation 534 (as described in Section 5.2 of [RFC4821]) SHOULD be notified to 535 make use of the new MTU". Such methods MUST be robust to the 536 wide variety of underlying network forwarding behaviors, PLPMTU 537 adjustments based on shared PLPMTU values should be incorporated 538 in the search algorithms. Section 5.2 of [RFC8201] provides 539 guidance on the caching of PMTU information and also the relation 540 to IPv6 flow labels. 542 In addition, the following principles are stated for design of a 543 DPLPMTUD method: 545 * MPS: A method is REQUIRED to signal an appropriate MPS to the 546 higher layer using the PL. The value of the MPS can change 547 following a change to the path. It is RECOMMENDED that methods 548 avoid forcing an application to use an arbitrary small MPS 549 (PLPMTU) for transmission while the method is searching for the 550 currently supported PLPMTU. Datagram PLs do not necessarily 551 support fragmentation of PDUs larger than the PLPMTU. A reduced 552 MPS can adversely impact the performance of a datagram 553 application. 555 * Path validation: It is RECOMMENDED that methods are robust to path 556 changes that could have occurred since the path characteristics 557 were last confirmed, and to the possibility of inconsistent path 558 information being received. 560 * Datagram reordering: A method is REQUIRED to be robust to the 561 possibility that a flow encounters reordering, or the traffic 562 (including probe packets) is divided over more than one network 563 path. 565 * When to probe: It is RECOMMENDED that methods determine whether 566 the path has changed since it last measured the path. This can 567 help determine when to probe the path again. 569 4. DPLPMTUD Mechanisms 571 This section lists the protocol mechanisms used in this 572 specification. 574 4.1. PLPMTU Probe Packets 576 The DPLPMTUD method relies upon the PL sender being able to generate 577 probe packets with a specific size. TCP is able to generate these 578 probe packets by choosing to appropriately segment data being sent 579 [RFC4821]. In contrast, a datagram PL that needs to construct a 580 probe packet has to either request an application to send a data 581 block that is larger than that generated by an application, or to 582 utilize padding functions to extend a datagram beyond the size of the 583 application data block. Protocols that permit exchange of control 584 messages (without an application data block) could alternatively 585 prefer to generate a probe packet by extending a control message with 586 padding data. 588 A receiver needs to be able to distinguish an in-band data block from 589 any added padding. This is needed to ensure that any added padding 590 is not passed on to an application at the receiver. 592 This results in three possible ways that a sender can create a probe 593 packet listed in order of preference: 595 Probing using padding data: A probe packet that contains only 596 control information together with any padding, which is needed to 597 be inflated to the size required for the probe packet. Since 598 these probe packets do not carry an application-supplied data 599 block, they do not typically require retransmission, although they 600 do still consume network capacity and incur endpoint processing. 602 Probing using application data and padding 603 data: A probe packet that 604 contains a data block supplied by an application that is combined 605 with padding to inflate the length of the datagram to the size 606 required for the probe packet. If the application/transport needs 607 protection from the loss of this probe packet, the application/ 608 transport could perform transport-layer retransmission/repair of 609 the data block (e.g., by retransmission after loss is detected or 610 by duplicating the data block in a datagram without the padding 611 data). 613 Probing using application data: A probe packet that contains a data 614 block supplied by an application that matches the size required 615 for the probe packet. This method requests the application to 616 issue a data block of the desired probe size. If the application/ 617 transport needs protection from the loss of an unsuccessful probe 618 packet, the application/transport needs then to perform transport- 619 layer retransmission/repair of the data block (e.g., by 620 retransmission after loss is detected). 622 A PL that uses a probe packet carrying an application data block, 623 could need to retransmit this application data block if the probe 624 fails. This could need the PL to re-fragment the data block to a 625 smaller packet size that is expected to traverse the end-to-end path 626 (which could utilize endpoint network-layer or PL fragmentation when 627 these are available). 629 DPLPMTUD MAY choose to use only one of these methods to simplify the 630 implementation. 632 Probe messages sent by a PL MUST contain enough information to 633 uniquely identify the probe within Maximum Segment Lifetime, while 634 being robust to reordering and replay of probe response and PTB 635 messages. 637 4.2. Confirmation of Probed Packet Size 639 The PL needs a method to determine (confirm) when probe packets have 640 been successfully received end-to-end across a network path. 642 Transport protocols can include end-to-end methods that detect and 643 report reception of specific datagrams that they send (e.g., DCCP and 644 SCTP provide keep-alive/heartbeat features). When supported, this 645 mechanism SHOULD also be used by DPLPMTUD to acknowledge reception of 646 a probe packet. 648 A PL that does not acknowledge data reception (e.g., UDP and UDP- 649 Lite) is unable itself to detect when the packets that it sends are 650 discarded because their size is greater than the actual PMTU. These 651 PLs need to either rely on an application protocol to detect this 652 loss. 654 Section 6 specifies this function for a set of IETF-specified 655 protocols. 657 4.3. Detection of Unsupported PLPMTU Size, aka Black Hole Detection 659 A PL sender needs to reduce the PLPMTU when it discovers the actual 660 PMTU supported by a network path is less than the PLPMTU. This can 661 be triggered when a validated PTB message is received, or by another 662 event that indicates the network path no longer sustains the current 663 packet size, such as a loss report from the PL, or repeated lack of 664 response to probe packets sent to confirm the PLPMTU. Detection is 665 followed by a reduction of the PLPMTU. 667 This is performed by sending packet probes of size PLPMTU to verify 668 that a network path still supports the last acknowledged PLPMTU size. 669 There are two alternative mechanism: 671 * A PL can rely upon a mechanism implemented within the PL to detect 672 excessive loss of data sent with a specific packet size and then 673 conclude that this excessive loss could be a result of an invalid 674 PMTU (as in PLPMTUD for TCP [RFC4821]). 676 * A PL can use the DPLPMTUD probing mechanism to periodically 677 generate probe packets of the size of the current PLPMTU (e.g., 678 using the confirmation timer Section 5.1.1). A timer tracks 679 whether acknowledgments are received. Successive loss of probes 680 is an indication that the current path no longer supports the 681 PLPMTU (e.g., when the number of probe packets sent without 682 receiving an acknowledgement, PROBE_COUNT, becomes greater than 683 MAX_PROBES). 685 A PL MAY inhibit sending probe packets when no application data has 686 been sent since the previous probe packet. A PL preferring to use an 687 up-to-data PLPMTU once user data is sent again, MAY choose to 688 continue PLPMTU discovery for each path. However, this may result in 689 additional packets being sent. 691 When the method detects the current PLPMTU is not supported, DPLPMTUD 692 sets a lower MPS. The PL then confirms that the updated PLPMTU can 693 be successfully used across the path. The PL could need to send a 694 probe packet with a size less than the size of the data block 695 generated by an application. In this case, the PL could provide a 696 way to fragment a datagram at the PL, or use a control packet as the 697 packet probe. 699 4.4. Disabling the Effect of PMTUD 701 A PL implementing this specification MUST suspend network layer 702 processing of outgoing packets that enforces a PMTU 703 [RFC1191][RFC8201] for each flow utilising DPLPMTUD, and instead use 704 DPLPMTUD to control the size of packets that are sent by a flow. 705 This removes the need for the network layer to drop or fragment sent 706 packets that have a size greater than the PMTU. 708 4.5. Response to PTB Messages 710 This method requires the DPLPMTUD sender to validate any received PTB 711 message before using the PTB information. The response to a PTB 712 message depends on the PTB_SIZE indicated in the PTB message, the 713 state of the PLPMTUD state machine, and the IP protocol being used. 715 Section 4.5.1 first describes validation for both IPv4 ICMP 716 Unreachable messages (type 3) and ICMPv6 Packet Too Big messages, 717 both of which are referred to as PTB messages in this document. 719 4.5.1. Validation of PTB Messages 721 This section specifies utilization of PTB messages. 723 * A simple implementation MAY ignore received PTB messages and in 724 this case the PLPMTU is not updated when a PTB message is 725 received. 727 * An implementation that supports PTB messages MUST validate 728 messages before they are further processed. 730 A PL that receives a PTB message from a router or middlebox, performs 731 ICMP validation as specified in Section 5.2 of [RFC8085][RFC8201]. 732 Because DPLPMTUD operates at the PL, the PL needs to check that each 733 received PTB message is received in response to a packet transmitted 734 by the endpoint PL performing DPLPMTUD. 736 The PL MUST check the protocol information in the quoted packet 737 carried in an ICMP PTB message payload to validate the message 738 originated from the sending node. This validation includes 739 determining that the combination of the IP addresses, the protocol, 740 the source port and destination port match those returned in the 741 quoted packet - this is also necessary for the PTB message to be 742 passed to the corresponding PL. 744 The validation SHOULD utilize information that it is not simple for 745 an off-path attacker to determine [RFC8085]. For example, by 746 checking the value of a protocol header field known only to the two 747 PL endpoints. A datagram application that uses well-known source and 748 destination ports ought to also rely on other information to complete 749 this validation. 751 These checks are intended to provide protection from packets that 752 originate from a node that is not on the network path. A PTB message 753 that does not complete the validation MUST NOT be further utilized by 754 the DPLPMTUD method. 756 PTB messages that have been validated MAY be utilized by the DPLPMTUD 757 algorithm, but MUST NOT be used directly to set the PLPMTU. A method 758 that utilizes these PTB messages can improve the speed at the which 759 the algorithm detects an appropriate PLPMTU, compared to one that 760 relies solely on probing. Section 4.5.2 describes this processing. 762 4.5.2. Use of PTB Messages 764 A set of checks are intended to provide protection from a router that 765 reports an unexpected PTB_SIZE. The PL also needs to check that the 766 indicated PTB_SIZE is less than the size used by probe packets and 767 larger than minimum size accepted. 769 This section provides a summary of how PTB messages can be utilized. 770 This processing depends on the PTB_SIZE and the current value of a 771 set of variables: 773 MIN_PMTU < PTB_SIZE < BASE_PMTU 774 * A robust PL MAY enter an error state (see Section 5.2) for an 775 IPv4 path when the PTB_SIZE reported in the PTB message is 776 larger than or equal to 68 bytes and when this is less than the 777 BASE_PMTU. 779 * A robust PL MAY enter an error state (see Section 5.2) for an 780 IPv6 path when the PTB_SIZE reported in the PTB message is 781 larger than or equal to 1280 bytes and when this is less than 782 the BASE_PMTU. 784 PTB_SIZE = PLPMTU 785 * Completes the search for a larger PLPMTU. 787 PTB_SIZE > PROBED_SIZE 788 * Inconsistent network signal. 790 * PTB message ought to be discarded without further processing 791 (e. g. PLPMTU not modified). 793 * The information could be utilized as an input to trigger 794 enabling a resilience mode. 796 BASE_PMTU <= PTB_SIZE < PLPMTU 797 * Black Hole Detection is triggered and the PLPMTU ought to be 798 set to BASE_PMTU. 800 * The PL could use the PTB_SIZE reported in the PTB message to 801 initialize a search algorithm. 803 PLPMTU < PTB_SIZE < PROBED_SIZE 804 * The PLPMTU continues to be valid, but the last PROBED_SIZE 805 searched was larger than the actual PMTU. 807 * The PLPMTU is not updated. 809 * The PL can use the reported PTB_SIZE from the PTB message as 810 the next search point when it resumes the search algorithm. 812 5. Datagram Packetization Layer PMTUD 814 This section specifies Datagram PLPMTUD (DPLPMTUD). The method can 815 be introduced at various points (as indicated with * in the figure 816 below) in the IP protocol stack to discover the PLPMTU so that an 817 application can utilize an appropriate MPS for the current network 818 path. DPLPMTUD SHOULD NOT be used by an application if it is already 819 used in a lower layer. 821 +----------------------+ 822 | Application* | 823 +-+-------+----+----+--+ 824 | | | | 825 +---+--+ +--+--+ | +-+---+ 826 | QUIC*| |UDPO*| | |SCTP*| 827 +---+--+ +--+--+ | +--+--+ 828 | | | | | 829 +-------+--+ | | | 830 | | | | 831 +-+-+--+ | 832 | UDP | | 833 +---+--+ | 834 | | 835 +--------------+-----+-+ 836 | Network Interface | 837 +----------------------+ 839 Figure 1: Examples where DPLPMTUD can be implemented 841 The central idea of DPLPMTUD is probing by a sender. Probe packets 842 are sent to find the maximum size of a user message that can be 843 completely transferred across the network path from the sender to the 844 destination. 846 The following sections identify the components needed for 847 implementation, provides an overvoew of the phases of operation, and 848 specifies the state machine and search algorithm. 850 5.1. DPLPMTUD Components 852 This section describes the timers, constants, and variables of 853 DPLPMTUD. 855 5.1.1. Timers 857 The method utilizes up to three timers: 859 PROBE_TIMER: The PROBE_TIMER is configured to expire after a 860 period longer than the maximum time to receive 861 an acknowledgment to a probe packet. This value 862 MUST NOT be smaller than 1 second, and SHOULD be 863 larger than 15 seconds. Guidance on selection 864 of the timer value are provided in section 3.1.1 865 of the UDP Usage Guidelines [RFC8085]. 867 If the PL has a path Round Trip Time (RTT) 868 estimate and timely acknowledgements the 869 PROBE_TIMER can be derived from the PL RTT 870 estimate. 872 PMTU_RAISE_TIMER: The PMTU_RAISE_TIMER is configured to the period 873 a sender will continue to use the current 874 PLPMTU, after which it re-enters the Search 875 phase. This timer has a period of 600 seconds, 876 as recommended by PLPMTUD [RFC4821]. 878 DPLPMTUD MAY inhibit sending probe packets when 879 no application data has been sent since the 880 previous probe packet. A PL preferring to use 881 an up-to-data PMTU once user data is sent again, 882 can choose to continue PMTU discovery for each 883 path. However, this may result in sending 884 additional packets. 886 CONFIRMATION_TIMER: When an acknowledged PL is used, this timer MUST 887 NOT be used. For other PLs, the 888 CONFIRMATION_TIMER is configured to the period a 889 PL sender waits before confirming the current 890 PLPMTU is still supported. This is less than 891 the PMTU_RAISE_TIMER and used to decrease the 892 PLPMTU (e.g., when a black hole is encountered). 893 Confirmation needs to be frequent enough when 894 data is flowing that the sending PL does not 895 black hole extensive amounts of traffic. 896 Guidance on selection of the timer value are 897 provided in section 3.1.1 of the UDP Usage 898 Guidelines [RFC8085]. 900 DPLPMTUD MAY inhibit sending probe packets when 901 no application data has been sent since the 902 previous probe packet. A PL preferring to use 903 an up-to-data PMTU once user data is sent again, 904 can choose to continue PMTU discovery for each 905 path. However, this may result in sending 906 additional packets. 908 An implementation could implement the various timers using a single 909 timer. 911 5.1.2. Constants 913 The following constants are defined: 915 MAX_PROBES: The MAX_PROBES is the maximum value of the PROBE_COUNT 916 counter (see Section 5.1.3). MAX_PROBES represents the 917 limit for the number of consecutive probe attempts of 918 any size. The default value of MAX_PROBES is 10. 920 MIN_PMTU: The MIN_PMTU is the smallest allowed probe packet size. 921 For IPv6, this value is 1280 bytes, as specified in 922 [RFC2460]. For IPv4, the minimum value is 68 bytes. 924 Note: An IPv4 router is required to be able to forward a 925 datagram of 68 bytes without further fragmentation. 926 This is the combined size of an IPv4 header and the 927 minimum fragment size of 8 bytes. In addition, 928 receivers are required to be able to reassemble 929 fragmented datagrams at least up to 576 bytes, as stated 930 in section 3.3.3 of [RFC1122]. 932 MAX_PMTU: The MAX_PMTU is the largest size of PLPMTU. This has to 933 be less than or equal to the minimum of the local MTU of 934 the outgoing interface and the destination PMTU for 935 receiving. An application, or PL, MAY reduce the 936 MAX_PMTU when there is no need to send packets larger 937 than a specific size. 939 BASE_PMTU: The BASE_PMTU is a configured size expected to work for 940 most paths. The size is equal to or larger than the 941 MIN_PMTU and smaller than the MAX_PMTU. In the case of 942 IPv6, this value is 1280 bytes [RFC2460]. When using 943 IPv4, a size of 1200 bytes is RECOMMENDED. 945 5.1.3. Variables 947 This method utilizes a set of variables: 949 PROBED_SIZE: The PROBED_SIZE is the size of the current probe 950 packet. This is a tentative value for the PLPMTU, 951 which is awaiting confirmation by an acknowledgment. 953 PROBE_COUNT: The PROBE_COUNT is a count of the number of 954 unsuccessful probe packets that have been sent with a 955 size of PROBED_SIZE. The value is initialized to zero 956 when a particular size of PROBED_SIZE is first 957 attempted. 959 The figure below illustrates the relationship between the packet size 960 constants and variables at a point of time when the DPLPMTUD 961 algorithm performs path probing to increase the size of the PLPMTU. 962 A probe packet has been sent of size PROBED_SIZE. Once this is 963 acknowledged, the PLPMTU will raise to PROBED_SIZE allowing the 964 DPLPMTUD algorithm to further increase PROBED_SIZE towards the actual 965 PMTU. 967 MIN_PMTU MAX_PMTU 968 <--------------------------------------------------> 969 | | | | 970 v | | v 971 BASE_PMTU | v Actual PMTU 972 | PROBED_SIZE 973 v 974 PLPMTU 976 Figure 2: Relationships between packet size constants and variables 978 5.1.4. Overview of DPLPMTUD Phases 980 This section provides a high-level informative view of the DPLPMTUD 981 method, by describing the movement of the method through several 982 phases of operation. More detail is available in the state machine 983 Section 5.2. 985 +------+ 986 +------->| Base |----------------+ Connectivity 987 | +------+ | or BASE_PMTU 988 | | | confirmation failed 989 | | v 990 | | Connectivity +-------+ 991 | | and BASE_PMTU | Error | 992 | | confirmed +-------+ 993 | | | 994 | v | Consistent connectivity 995 PLPMTU | +--------+ | and BASE_PMTU 996 confirmation | | Search |<--------------+ confirmed 997 failed | +--------+ 998 | ^ | 999 | | | 1000 | Raise | | Search 1001 | timer | | algorithm 1002 | expired | | completed 1003 | | | 1004 | | v 1005 | +-----------------+ 1006 +---| Search Complete | 1007 +-----------------+ 1009 Figure 3: DPLPMTUD Phases 1011 Base: The Base Phase confirms connectivity to the remote 1012 peer. This phase is implicit for a connection- 1013 oriented PL (where it can be performed in a PL 1014 connection handshake). A connectionless PL needs 1015 to send an acknowledged probe packet to confirm 1016 that the remote peer is reachable. The sender also 1017 confirms that BASE_PMTU is supported across the 1018 network path. 1020 A PL that does not wish to support a path with a 1021 PLPMTU less than BASE_PMTU can simplify the phase 1022 into a single step by performing the connectivity 1023 checks with a probe of the BASE_PMTU size. 1025 Once confirmed, DPLPMTUD enters the Search Phase. 1026 If this phase fails to confirm, DPLPMTUD enters the 1027 Error Phase. 1029 Search: The Search Phase utilizes a search algorithm to 1030 send probe packets to seek to increase the PLPMTU. 1031 The algorithm concludes when it has found a 1032 suitable PLPMTU, by entering the Search Complete 1033 Phase. 1035 A PL could respond to PTB messages using the PTB to 1036 advance or terminate the search, see Section 4.5. 1038 Search Complete: The Search Complete Phase is entered when the 1039 PLPMTU is supported across the network path. A PL 1040 can use a CONFIRMATION_TIMER to periodically repeat 1041 a probe packet for the current PLPMTU size. If the 1042 sender is unable to confirm reachability (e.g., if 1043 the CONFIRMATION_TIMER expires) or the PL signals a 1044 lack of reachability, DPLPMTUD enters the Base 1045 phase. 1047 The PMTU_RAISE_TIMER is used to periodically resume 1048 the search phase to discover if the PLPMTU can be 1049 raised. Black Hole Detection or receipt of a 1050 validated PTB message (see Section 4.5.1) can cause 1051 the sender to enter the Base Phase. 1053 Error: The Error Phase is entered when there is 1054 conflicting or invalid PLPMTU information for the 1055 path (e.g. a failure to support the BASE_PMTU) that 1056 cause DPLPMTUD to be unable to progress and the 1057 PLPMTU is lowered. 1059 DPLPMTUD remains in the Error Phase until a 1060 consistent view of the path can be discovered and 1061 it has also been confirmed that the path supports 1062 the BASE_PMTU (or DPLPMTUD is suspended). 1064 An implementation that only reduces the PLPMTU to a suitable size 1065 would be sufficient to ensure reliable operation, but can be very 1066 inefficient when the actual PMTU changes or when the method (for 1067 whatever reason) makes a suboptimal choice for the PLPMTU. 1069 A full implementation of DPLPMTUD provides an algorithm enabling the 1070 DPLPMTUD sender to increase the PLPMTU following a change in the 1071 characteristics of the path, such as when a link is reconfigured with 1072 a larger MTU, or when there is a change in the set of links traversed 1073 by an end-to-end flow (e.g., after a routing or path fail-over 1074 decision). 1076 5.2. State Machine 1078 A state machine for DPLPMTUD is depicted in Figure 4. If multipath 1079 or multihoming is supported, a state machine is needed for each path. 1081 Note: Some state changes are not shown to simplify the diagram. 1083 | | 1084 | Start | PL indicates loss 1085 | | of connectivity 1086 v v 1087 +---------------+ +---------------+ 1088 | DISABLED | | ERROR | 1089 +---------------+ PROBE_TIMER expiry: +---------------+ 1090 | PL indicates PROBE_COUNT = MAX_PROBES or ^ | 1091 | connectivity PTB: PTB_SIZE < BASE_PMTU | | 1092 +--------------------+ +---------------+ | 1093 | | | 1094 v | BASE_PMTU Probe | 1095 +---------------+ acked | 1096 | BASE |----------------------+ 1097 +---------------+ | 1098 Black hole detected or ^ | ^ ^ Black hole detected or | 1099 PTB: PTB_SIZE < PLPMTU | | | | PTB: PTB_SIZE < PLPMTU | 1100 +--------------------+ | | +--------------------+ | 1101 | +----+ | | 1102 | PROBE_TIMER expiry: | | 1103 | PROBE_COUNT < MAX_PROBES | | 1104 | | | 1105 | PMTU_RAISE_TIMER expiry | | 1106 | +-----------------------------------------+ | | 1107 | | | | | 1108 | | v | v 1109 +---------------+ +---------------+ 1110 |SEARCH_COMPLETE| | SEARCHING | 1111 +---------------+ +---------------+ 1112 | ^ ^ | | ^ 1113 | | | | | | 1114 | | +-----------------------------------------+ | | 1115 | | MAX_PMTU Probe acked or PROBE_TIMER | | 1116 | | expiry: PROBE_COUNT = MAX_PROBES or | | 1117 +----+ PTB: PTB_SIZE = PLPMTU +----+ 1118 CONFIRMATION_TIMER expiry: PROBE_TIMER expiry: 1119 PROBE_COUNT < MAX_PROBES or PROBE_COUNT < MAX_PROBES or 1120 PLPMTU Probe acked Probe acked or PTB: 1121 PLPMTU < PTB_SIZE < PROBED_SIZE 1123 Figure 4: State machine for Datagram PLPMTUD 1125 The following states are defined: 1127 DISABLED: The DISABLED state is the initial state before 1128 probing has started. It is also entered from any 1129 other state, when the PL indicates loss of 1130 connectivity. This state is left, once the PL 1131 indicates connectivity to the remote PL. 1133 BASE: The BASE state is used to confirm that the 1134 BASE_PMTU size is supported by the network path and 1135 is designed to allow an application to continue 1136 working when there are transient reductions in the 1137 actual PMTU. It also seeks to avoid long periods 1138 where traffic is black holed while searching for a 1139 larger PLPMTU. 1141 On entry, the PROBED_SIZE is set to the BASE_PMTU 1142 size and the PROBE_COUNT is set to zero. 1144 Each time a probe packet is sent, the PROBE_TIMER 1145 is started. The state is exited when the probe 1146 packet is acknowledged, and the PL sender enters 1147 the SEARCHING state. 1149 The state is also left when the PROBE_COUNT reaches 1150 MAX_PROBES or a received PTB message is validated. 1151 This causes the PL sender to enter the ERROR state. 1153 SEARCHING: The SEARCHING state is the main probing state. 1154 This state is entered when probing for the 1155 BASE_PMTU was successful. 1157 The PROBE_COUNT is set to zero when the first probe 1158 packet is sent for each probe size. Each time a 1159 probe packet is acknowledged, the PLPMTU is set to 1160 the PROBED_SIZE, and then the PROBED_SIZE is 1161 increased using the search algorithm. 1163 When a probe packet is sent and not acknowledged 1164 within the period of the PROBE_TIMER, the 1165 PROBE_COUNT is incremented and the probe packet is 1166 retransmitted. The state is exited when the 1167 PROBE_COUNT reaches MAX_PROBES, a received PTB 1168 message is validated, a probe of size MAX_PMTU is 1169 acknowledged, or a black hole is detected. 1171 SEARCH_COMPLETE: The SEARCH_COMPLETE state indicates a successful 1172 end to the SEARCHING state. DPLPMTUD remains in 1173 this state until either the PMTU_RAISE_TIMER 1174 expires, a received PTB message is validated, or a 1175 black hole is detected. 1177 When DPLPMTUD uses an unacknowledged PL and is in 1178 the SEARCH_COMPLETE state, a CONFIRMATION_TIMER 1179 periodically resets the PROBE_COUNT and schedules a 1180 probe packet with the size of the PLPMTU. If the 1181 probe packet fails to be acknowledged after 1182 MAX_PROBES attempts, the method enters the BASE 1183 state. When used with an acknowledged PL (e.g., 1184 SCTP), DPLPMTUD SHOULD NOT continue to generate 1185 PLPMTU probes in this state. 1187 ERROR: The ERROR state represents the case where either 1188 the network path is not known to support a PLPMTU 1189 of at least the BASE_PMTU size or when there is 1190 contradictory information about the network path 1191 that would otherwise result in excessive variation 1192 in the MPS signalled to the higher layer. The 1193 state implements a method to mitigate oscillation 1194 in the state-event engine. It signals a 1195 conservative value of the MPS to the higher layer 1196 by the PL. The state is exited when packet probes 1197 no longer detect the error or when the PL indicates 1198 that connectivity has been lost. 1200 Implementations are permitted to enable endpoint 1201 fragmentation if the DPLPMTUD is unable to validate 1202 MIN_PMTU within PROBE_COUNT probes. If DPLPMTUD is 1203 unable to validate MIN_PMTU the implementation 1204 should transition to the DISABLED state. 1206 Note: MIN_PMTU may be identical to BASE_PMTU, 1207 simplifying the actions in this state. 1209 5.3. Search to Increase the PLPMTU 1211 This section describes the algorithms used by DPLPMTUD to search for 1212 a larger PLPMTU. 1214 5.3.1. Probing for a larger PLPMTU 1216 Implementations use a search algorithm across the search range to 1217 determine whether a larger PLPMTU can be supported across a network 1218 path. 1220 The method discovers the search range by confirming the minimum 1221 PLPMTU and then using the probe method to select a PROBED_SIZE less 1222 than or equal to MAX_PMTU. MAX_PMTU is the minimum of the local MTU 1223 and EMTU_R (learned from the remote endpoint). The MAX_PMTU MAY be 1224 reduced by an application that sets a maximum to the size of 1225 datagrams it will send. 1227 The PROBE_COUNT is initialized to zero when a probe packet is first 1228 sent with a particular size. A timer is used by the search algorithm 1229 to trigger the sending of probe packets of size PROBED_SIZE, larger 1230 than the PLPMTU. Each probe packet successfully sent to the remote 1231 peer is confirmed by acknowledgement at the PL, see Section 4.1. 1233 Each time a probe packet is sent to the destination, the PROBE_TIMER 1234 is started. The timer is canceled when the PL receives 1235 acknowledgment that the probe packet has been successfully sent 1236 across the path Section 4.1. This confirms that the PROBED_SIZE is 1237 supported, and the PROBED_SIZE value is then assigned to the PLPMTU. 1238 The search algorithm can continue to send subsequent probe packets of 1239 an increasing size. 1241 If the timer expires before a probe packet is acknowledged, the probe 1242 has failed to confirm the PROBED_SIZE. Each time the PROBE_TIMER 1243 expires, the PROBE_COUNT is incremented, the PROBE_TIMER is 1244 reinitialized, and a probe packet of the same size is retransmitted 1245 (the replicated probe improve the resilience to loss). The maximum 1246 number of retransmissions for a particular size is configured 1247 (MAX_PROBES). If the value of the PROBE_COUNT reaches MAX_PROBES, 1248 probing will stop, and the PL sender enters the SEARCH_COMPLETE 1249 state. 1251 5.3.2. Selection of Probe Sizes 1253 The search algorithm needs to determine a minimum useful gain in 1254 PLPMTU. It would not be constructive for a PL sender to attempt to 1255 probe for all sizes. This would incur unnecessary load on the path 1256 and has the undesirable effect of slowing the time to reach a more 1257 optimal MPS. Implementations SHOULD select the set of probe packet 1258 sizes to maximize the gain in PLPMTU from each search step. 1260 Implementations could optimize the search procedure by selecting step 1261 sizes from a table of common PMTU sizes. When selecting the 1262 appropriate next size to search, an implementer ought to also 1263 consider that there can be common sizes of MPS that applications seek 1264 to use, and their could be common sizes of MTU used within the 1265 network. 1267 5.3.3. Resilience to Inconsistent Path Information 1269 A decision to increase the PLPMTU needs to be resilient to the 1270 possibility that information learned about the network path is 1271 inconsistent. A path is inconsistent, when, for example, probe 1272 packets are lost due to other reasons (i. e. not packet size) or due 1273 to frequent path changes. Frequent path changes could occur by 1274 unexpected "flapping" - where some packets from a flow pass along one 1275 path, but other packets follow a different path with different 1276 properties. 1278 A PL sender is able to detect inconsistency from the sequence of 1279 PLPMTU probes that it sends or the sequence of PTB messages that it 1280 receives. When inconsistent path information is detected, a PL 1281 sender could use an alternate search mode that clamps the offered MPS 1282 to a smaller value for a period of time. This avoids unnecessary 1283 loss of packets due to MTU limitation. 1285 5.4. Robustness to Inconsistent Paths 1287 Some paths could be unable to sustain packets of the BASE_PMTU size. 1288 To be robust to these paths an implementation could implement the 1289 Error State. This allows fallback to a smaller than desired PLPMTU, 1290 rather than suffer connectivity failure. This could utilize methods 1291 such as endpoint IP fragmentation to enable the PL sender to 1292 communicate using packets smaller than the BASE_PMTU. 1294 6. Specification of Protocol-Specific Methods 1296 This section specifies protocol-specific details for datagram PLPMTUD 1297 for IETF-specified transports. 1299 The first subsection provides guidance on how to implement the 1300 DPLPMTUD method as a part of an application using UDP or UDP-Lite. 1301 The guidance also applies to other datagram services that do not 1302 include a specific transport protocol (such as a tunnel 1303 encapsulation). The following subsections describe how DPLPMTUD can 1304 be implemented as a part of the transport service, allowing 1305 applications using the service to benefit from discovery of the 1306 PLPMTU without themselves needing to implement this method. 1308 6.1. Application support for DPLPMTUD with UDP or UDP-Lite 1310 The current specifications of UDP [RFC0768] and UDP-Lite [RFC3828] do 1311 not define a method in the RFC-series that supports PLPMTUD. In 1312 particular, the UDP transport does not provide the transport layer 1313 features needed to implement datagram PLPMTUD. 1315 The DPLPMTUD method can be implemented as a part of an application 1316 built directly or indirectly on UDP or UDP-Lite, but relies on 1317 higher-layer protocol features to implement the method [RFC8085]. 1319 Some primitives used by DPLPMTUD might not be available via the 1320 Datagram API (e.g., the ability to access the PLPMTU cache, or 1321 interpret received PTB messages). 1323 In addition, it is desirable that PMTU discovery is not performed by 1324 multiple protocol layers. An application SHOULD avoid using DPLPMTUD 1325 when the underlying transport system provides this capability. To 1326 use common method for managing the PLPMTU has benefits, both in the 1327 ability to share state between different processes and opportunities 1328 to coordinate probing. 1330 6.1.1. Application Request 1332 An application needs an application-layer protocol mechanism (such as 1333 a message acknowledgement method) that solicits a response from a 1334 destination endpoint. The method SHOULD allow the sender to check 1335 the value returned in the response to provide additional protection 1336 from off-path insertion of data [RFC8085], suitable methods include a 1337 parameter known only to the two endpoints, such as a session ID or 1338 initialized sequence number. 1340 6.1.2. Application Response 1342 An application needs an application-layer protocol mechanism to 1343 communicate the response from the destination endpoint. This 1344 response may indicate successful reception of the probe across the 1345 path, but could also indicate that some (or all packets) have failed 1346 to reach the destination. 1348 6.1.3. Sending Application Probe Packets 1350 A probe packet that may carry an application data block, but the 1351 successful transmission of this data is at risk when used for 1352 probing. Some applications may prefer to use a probe packet that 1353 does not carry an application data block to avoid disruption to data 1354 transfer. 1356 6.1.4. Initial Connectivity 1358 An application that does not have other higher-layer information 1359 confirming connectivity with the remote peer SHOULD implement a 1360 connectivity mechanism using acknowledged probe packets before 1361 entering the BASE state. 1363 6.1.5. Validating the Path 1365 An application that does not have other higher-layer information 1366 confirming correct delivery of datagrams SHOULD implement the 1367 CONFIRMATION_TIMER to periodically send probe packets while in the 1368 SEARCH_COMPLETE state. 1370 6.1.6. Handling of PTB Messages 1372 An application that is able and wishes to receive PTB messages MUST 1373 perform ICMP validation as specified in Section 5.2 of [RFC8085]. 1374 This requires that the application to check each received PTB 1375 messages to validate it is received in response to transmitted 1376 traffic and that the reported PTB_SIZE is less than the current 1377 probed size (see Section 4.5.2). A validated PTB message MAY be used 1378 as input to the DPLPMTUD algorithm, but MUST NOT be used directly to 1379 set the PLPMTU. 1381 6.2. DPLPMTUD for SCTP 1383 Section 10.2 of [RFC4821] specifies a recommended PLPMTUD probing 1384 method for SCTP. It recommends the use of the PAD chunk, defined in 1385 [RFC4820] to be attached to a minimum length HEARTBEAT chunk to build 1386 a probe packet. This enables probing without affecting the transfer 1387 of user messages and without interfering with congestion control. 1388 This is preferred to using DATA chunks (with padding as required) as 1389 path probes. 1391 6.2.1. SCTP/IPv4 and SCTP/IPv6 1393 6.2.1.1. Initial Connectivity 1395 The base protocol is specified in [RFC4960]. This provides an 1396 acknowledged PL. A sender can therefore enter the BASE state as soon 1397 as connectivity has been confirmed. 1399 6.2.1.2. Sending SCTP Probe Packets 1401 Probe packets consist of an SCTP common header followed by a 1402 HEARTBEAT chunk and a PAD chunk. The PAD chunk is used to control 1403 the length of the probe packet. The HEARTBEAT chunk is used to 1404 trigger the sending of a HEARTBEAT ACK chunk. The reception of the 1405 HEARTBEAT ACK chunk acknowledges reception of a successful probe. 1407 The HEARTBEAT chunk carries a Heartbeat Information parameter which 1408 should include, besides the information suggested in [RFC4960], the 1409 probe size, which is the size of the complete datagram. The size of 1410 the PAD chunk is therefore computed by reducing the probing size by 1411 the IPv4 or IPv6 header size, the SCTP common header, the HEARTBEAT 1412 request and the PAD chunk header. The payload of the PAD chunk 1413 contains arbitrary data. 1415 To avoid fragmentation of retransmitted data, probing starts right 1416 after the PL handshake, before data is sent. Assuming this behavior 1417 (i.e., the PMTU is smaller than or equal to the interface MTU), this 1418 process will take a few round trip time periods depending on the 1419 number of PMTU sizes probed. The Heartbeat timer can be used to 1420 implement the PROBE_TIMER. 1422 6.2.1.3. Validating the Path with SCTP 1424 Since SCTP provides an acknowledged PL, a sender MUST NOT implement 1425 the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1427 6.2.1.4. PTB Message Handling by SCTP 1429 Normal ICMP validation MUST be performed as specified in Appendix C 1430 of [RFC4960]. This requires that the first 8 bytes of the SCTP 1431 common header are quoted in the payload of the PTB message, which can 1432 be the case for ICMPv4 and is normally the case for ICMPv6. 1434 When a PTB message has been validated, the PTB_SIZE reported in the 1435 PTB message SHOULD be used with the DPLPMTUD algorithm, providing 1436 that the reported PTB_SIZE is less than the current probe size (see 1437 Section 4.5). 1439 6.2.2. DPLPMTUD for SCTP/UDP 1441 The UDP encapsulation of SCTP is specified in [RFC6951]. 1443 6.2.2.1. Initial Connectivity 1445 A sender can enter the BASE state as soon as SCTP connectivity has 1446 been confirmed. 1448 6.2.2.2. Sending SCTP/UDP Probe Packets 1450 Packet probing can be performed as specified in Section 6.2.1.2. The 1451 maximum payload is reduced by 8 bytes, which has to be considered 1452 when filling the PAD chunk. 1454 6.2.2.3. Validating the Path with SCTP/UDP 1456 Since SCTP provides an acknowledged PL, a sender MUST NOT implement 1457 the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1459 6.2.2.4. Handling of PTB Messages by SCTP/UDP 1461 ICMP validation MUST be performed for PTB messages as specified in 1462 Appendix C of [RFC4960]. This requires that the first 8 bytes of the 1463 SCTP common header are contained in the PTB message, which can be the 1464 case for ICMPv4 (but note the UDP header also consumes a part of the 1465 quoted packet header) and is normally the case for ICMPv6. When the 1466 validation is completed, the PTB_SIZE indicated in the PTB message 1467 SHOULD be used with the DPLPMTUD providing that the reported PTB_SIZE 1468 is less than the current probe size. 1470 6.2.3. DPLPMTUD for SCTP/DTLS 1472 The Datagram Transport Layer Security (DTLS) encapsulation of SCTP is 1473 specified in [RFC8261]. It is used for data channels in WebRTC 1474 implementations. 1476 6.2.3.1. Initial Connectivity 1478 A sender can enter the BASE state as soon as SCTP connectivity has 1479 been confirmed. 1481 6.2.3.2. Sending SCTP/DTLS Probe Packets 1483 Packet probing can be done as specified in Section 6.2.1.2. 1485 6.2.3.3. Validating the Path with SCTP/DTLS 1487 Since SCTP provides an acknowledged PL, a sender MUST NOT implement 1488 the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1490 6.2.3.4. Handling of PTB Messages by SCTP/DTLS 1492 It is not possible to perform ICMP validation as specified in 1493 [RFC4960], since even if the ICMP message payload contains sufficient 1494 information, the reflected SCTP common header would be encrypted. 1495 Therefore it is not possible to process PTB messages at the PL. 1497 6.3. DPLPMTUD for QUIC 1499 Quick UDP Internet Connection (QUIC) [I-D.ietf-quic-transport] is a 1500 UDP-based transport that provides reception feedback. The UDP 1501 payload includes the QUIC packet header, protected payload, and any 1502 authentication fields. QUIC depends on a PMTU of at least 1280 1503 bytes. 1505 Section 14.1 of [I-D.ietf-quic-transport] describes the path 1506 considerations when sending QUIC packets. It recommends the use of 1507 PADDING frames to build the probe packet. Pure probe-only packets 1508 are constructed with PADDING frames and PING frames to create a 1509 padding only packet that will elicit an acknowledgement. Such 1510 padding only packets enable probing without affecting the transfer of 1511 other QUIC frames. 1513 The recommendation for QUIC endpoints implementing DPLPMTUD is that a 1514 MPS is maintained for each combination of local and remote IP 1515 addresses [I-D.ietf-quic-transport]. If a QUIC endpoint determines 1516 that the PMTU between any pair of local and remote IP addresses has 1517 fallen below an acceptable MPS, it needs to immediately cease sending 1518 QUIC packets on the affected path. This could result in termination 1519 of the connection if an alternative path cannot be found 1520 [I-D.ietf-quic-transport]. 1522 6.3.1. Initial Connectivity 1524 The base protocol is specified in [I-D.ietf-quic-transport]. This 1525 provides an acknowledged PL. A sender can therefore enter the BASE 1526 state as soon as connectivity has been confirmed. 1528 6.3.2. Sending QUIC Probe Packets 1530 A probe packet consists of a QUIC Header and a payload containing 1531 PADDING Frames and a PING Frame. PADDING Frames are a single octet 1532 (0x00) and several of these can be used to create a probe packet of 1533 size PROBED_SIZE. QUIC provides an acknowledged PL, a sender can 1534 therefore enter the BASE state as soon as connectivity has been 1535 confirmed. 1537 The current specification of QUIC sets the following: 1539 * BASE_PMTU: 1200. A QUIC sender needs to pad initial packets to 1540 1200 bytes to confirm the path can support packets of a useful 1541 size. 1543 * MIN_PMTU: 1200 bytes. A QUIC sender that determines the PMTU has 1544 fallen below 1200 bytes MUST immediately stop sending on the 1545 affected path. 1547 6.3.3. Validating the Path with QUIC 1549 QUIC provides an acknowledged PL. A sender therefore MUST NOT 1550 implement the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1552 6.3.4. Handling of PTB Messages by QUIC 1554 QUIC operates over the UDP transport, and the guidelines on ICMP 1555 validation as specified in Section 5.2 of [RFC8085] therefore apply. 1556 In addition to UDP Port validation QUIC can validate an ICMP message 1557 by looking for valid Connection IDs in the quoted packet. 1559 7. Acknowledgements 1561 This work was partially funded by the European Union's Horizon 2020 1562 research and innovation programme under grant agreement No. 644334 1563 (NEAT). The views expressed are solely those of the author(s). 1565 8. IANA Considerations 1567 This memo includes no request to IANA. 1569 If there are no requirements for IANA, the section will be removed 1570 during conversion into an RFC by the RFC Editor. 1572 9. Security Considerations 1574 The security considerations for the use of UDP and SCTP are provided 1575 in the references RFCs. Security guidance for applications using UDP 1576 is provided in the UDP Usage Guidelines [RFC8085], specifically the 1577 generation of probe packets is regarded as a "Low Data-Volume 1578 Application", described in section 3.1.3 of this document. This 1579 recommends that sender limits generation of probe packets to an 1580 average rate lower than one probe per 3 seconds. 1582 A PL sender needs to ensure that the method used to confirm reception 1583 of probe packets offers protection from off-path attackers injecting 1584 packets into the path. This protection if provided in IETF-defined 1585 protocols (e.g., TCP, SCTP) using a randomly-initialized sequence 1586 number. A description of one way to do this when using UDP is 1587 provided in section 5.1 of [RFC8085]). 1589 There are cases where ICMP Packet Too Big (PTB) messages are not 1590 delivered due to policy, configuration or equipment design (see 1591 Section 1.1), this method therefore does not rely upon PTB messages 1592 being received, but is able to utilize these when they are received 1593 by the sender. PTB messages could potentially be used to cause a 1594 node to inappropriately reduce the PLPMTU. A node supporting 1595 DPLPMTUD MUST therefore appropriately validate the payload of PTB 1596 messages to ensure these are received in response to transmitted 1597 traffic (i.e., a reported error condition that corresponds to a 1598 datagram actually sent by the path layer, see Section 4.5.1). 1600 An on-path attacker, able to create a PTB message could forge PTB 1601 messages that include a valid quoted IP packet. Such an attack could 1602 be used to drive down the PLPMTU. There are two ways this method can 1603 be mitigated against such attacks: First, by ensuring that a PL 1604 sender never reduces the PLPMTU below the base size, solely in 1605 response to receiving a PTB message. This is achieved by first 1606 entering the BASE state when such a message is received. Second, the 1607 design does not require processing of PTB messages, a PL sender could 1608 therefore suspend processing of PTB messages (e.g., in a robustness 1609 mode after detecting that subsequent probes actually confirm that a 1610 size larger than the PTB_SIZE is supported by a path). 1612 Parallel forwarding paths SHOULD be considered. Section 5.4 1613 identifies the need for robustness in the method when the path 1614 information may be inconsistent. 1616 A node performing DPLPMTUD could experience conflicting information 1617 about the size of supported probe packets. This could occur when 1618 there are multiple paths are concurrently in use and these exhibit a 1619 different PMTU. If not considered, this could result in data being 1620 black holed when the PLPMTU is larger than the smallest PMTU across 1621 the current paths. 1623 10. References 1625 10.1. Normative References 1627 [I-D.ietf-quic-transport] 1628 Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed 1629 and Secure Transport", draft-ietf-quic-transport-20 (work 1630 in progress), 23 April 2019, 1631 . 1634 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 1635 DOI 10.17487/RFC0768, August 1980, 1636 . 1638 [RFC1191] Mogul, J.C. and S.E. Deering, "Path MTU discovery", 1639 RFC 1191, DOI 10.17487/RFC1191, November 1990, 1640 . 1642 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1643 Requirement Levels", BCP 14, RFC 2119, 1644 DOI 10.17487/RFC2119, March 1997, 1645 . 1647 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 1648 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, 1649 December 1998, . 1651 [RFC3828] Larzon, L-A., Degermark, M., Pink, S., Jonsson, L-E., Ed., 1652 and G. Fairhurst, Ed., "The Lightweight User Datagram 1653 Protocol (UDP-Lite)", RFC 3828, DOI 10.17487/RFC3828, July 1654 2004, . 1656 [RFC4820] Tuexen, M., Stewart, R., and P. Lei, "Padding Chunk and 1657 Parameter for the Stream Control Transmission Protocol 1658 (SCTP)", RFC 4820, DOI 10.17487/RFC4820, March 2007, 1659 . 1661 [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", 1662 RFC 4960, DOI 10.17487/RFC4960, September 2007, 1663 . 1665 [RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream 1666 Control Transmission Protocol (SCTP) Packets for End-Host 1667 to End-Host Communication", RFC 6951, 1668 DOI 10.17487/RFC6951, May 2013, 1669 . 1671 [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage 1672 Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, 1673 March 2017, . 1675 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1676 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1677 May 2017, . 1679 [RFC8201] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., 1680 "Path MTU Discovery for IP version 6", STD 87, RFC 8201, 1681 DOI 10.17487/RFC8201, July 2017, 1682 . 1684 [RFC8261] Tuexen, M., Stewart, R., Jesup, R., and S. Loreto, 1685 "Datagram Transport Layer Security (DTLS) Encapsulation of 1686 SCTP Packets", RFC 8261, DOI 10.17487/RFC8261, November 1687 2017, . 1689 10.2. Informative References 1691 [I-D.ietf-intarea-tunnels] 1692 Touch, J. and M. Townsley, "IP Tunnels in the Internet 1693 Architecture", draft-ietf-intarea-tunnels-09 (work in 1694 progress), 19 July 2018, 1695 . 1698 [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, 1699 RFC 792, DOI 10.17487/RFC0792, September 1981, 1700 . 1702 [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - 1703 Communication Layers", STD 3, RFC 1122, 1704 DOI 10.17487/RFC1122, October 1989, 1705 . 1707 [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", 1708 RFC 1812, DOI 10.17487/RFC1812, June 1995, 1709 . 1711 [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", 1712 RFC 2923, DOI 10.17487/RFC2923, September 2000, 1713 . 1715 [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram 1716 Congestion Control Protocol (DCCP)", RFC 4340, 1717 DOI 10.17487/RFC4340, March 2006, 1718 . 1720 [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet 1721 Control Message Protocol (ICMPv6) for the Internet 1722 Protocol Version 6 (IPv6) Specification", STD 89, 1723 RFC 4443, DOI 10.17487/RFC4443, March 2006, 1724 . 1726 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU 1727 Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, 1728 . 1730 [RFC4890] Davies, E. and J. Mohacsi, "Recommendations for Filtering 1731 ICMPv6 Messages in Firewalls", RFC 4890, 1732 DOI 10.17487/RFC4890, May 2007, 1733 . 1735 Appendix A. Revision Notes 1737 Note to RFC-Editor: please remove this entire section prior to 1738 publication. 1740 Individual draft -00: 1742 * Comments and corrections are welcome directly to the authors or 1743 via the IETF TSVWG working group mailing list. 1745 * This update is proposed for WG comments. 1747 Individual draft -01: 1749 * Contains the first representation of the algorithm, showing the 1750 states and timers 1752 * This update is proposed for WG comments. 1754 Individual draft -02: 1756 * Contains updated representation of the algorithm, and textual 1757 corrections. 1759 * The text describing when to set the effective PMTU has not yet 1760 been validated by the authors 1762 * To determine security to off-path-attacks: We need to decide 1763 whether a received PTB message SHOULD/MUST be validated? The text 1764 on how to handle a PTB message indicating a link MTU larger than 1765 the probe has yet not been validated by the authors 1767 * No text currently describes how to handle inconsistent results 1768 from arbitrary re-routing along different parallel paths 1770 * This update is proposed for WG comments. 1772 Working Group draft -00: 1774 * This draft follows a successful adoption call for TSVWG 1776 * There is still work to complete, please comment on this draft. 1778 Working Group draft -01: 1780 * This draft includes improved introduction. 1782 * The draft is updated to require ICMP validation prior to accepting 1783 PTB messages - this to be confirmed by WG 1785 * Section added to discuss Selection of Probe Size - methods to be 1786 evaluated and recommendations to be considered 1788 * Section added to align with work proposed in the QUIC WG. 1790 Working Group draft -02: 1792 * The draft was updated based on feedback from the WG, and a 1793 detailed review by Magnus Westerlund. 1795 * The document updates RFC 4821. 1797 * Requirements list updated. 1799 * Added more explicit discussion of a simpler black-hole detection 1800 mode. 1802 * This draft includes reorganisation of the section on IETF 1803 protocols. 1805 * Added more discussion of implementation within an application. 1807 * Added text on flapping paths. 1809 * Replaced 'effective MTU' with new term PLPMTU. 1811 Working Group draft -03: 1813 * Updated figures 1815 * Added more discussion on blackhole detection 1817 * Added figure describing just blackhole detection 1819 * Added figure relating MPS sizes 1821 Working Group draft -04: 1823 * Described phases and named these consistently. 1825 * Corrected transition from confirmation directly to the search 1826 phase (Base has been checked). 1828 * Redrawn state diagrams. 1830 * Renamed BASE_MTU to BASE_PMTU (because it is a base for the PMTU). 1832 * Clarified Error state. 1834 * Clarified suspending DPLPMTUD. 1836 * Verified normative text in requirements section. 1838 * Removed duplicate text. 1840 * Changed all text to refer to /packet probe/probe packet/ 1841 /validation/verification/ added term /Probe Confirmation/ and 1842 clarified BlackHole detection. 1844 Working Group draft -05: 1846 * Updated security considerations. 1848 * Feedback after speaking with Joe Touch helped improve UDP-Options 1849 description. 1851 Working Group draft -06: 1853 * Updated description of ICMP issues in section 1.1 1855 * Update to description of QUIC. 1857 Working group draft -07: 1859 * Moved description of the PTB processing method from the PTB 1860 requirements section. 1862 * Clarified what is performed in the PTB validation check. 1864 * Updated security consideration to explain PTB security without 1865 needing to read the rest of the document. 1867 * Reformatted state machine diagram 1869 Working group draft -08: 1871 * Moved to rfcxml v3+ 1873 * Rendered diagrams to svg in html version. 1875 * Removed Appendix A. Event-driven state changes. 1877 * Removed section on DPLPMTUD with UDP Options. 1879 * Shortened the description of phases. 1881 Working group draft -09: 1883 * Remove final mention of UDP Options 1885 * Add Initial Connectivity sections to each PL 1886 * Add to disable outgoing pmtu enforcement of packets 1888 Authors' Addresses 1890 Godred Fairhurst 1891 University of Aberdeen 1892 School of Engineering, Fraser Noble Building 1893 Aberdeen 1894 AB24 3UE 1895 United Kingdom 1897 Email: gorry@erg.abdn.ac.uk 1899 Tom Jones 1900 University of Aberdeen 1901 School of Engineering, Fraser Noble Building 1902 Aberdeen 1903 AB24 3UE 1904 United Kingdom 1906 Email: tom@erg.abdn.ac.uk 1908 Michael Tuexen 1909 Muenster University of Applied Sciences 1910 Stegerwaldstrasse 39 1911 48565 Steinfurt 1912 Germany 1914 Email: tuexen@fh-muenster.de 1916 Irene Ruengeler 1917 Muenster University of Applied Sciences 1918 Stegerwaldstrasse 39 1919 48565 Steinfurt 1920 Germany 1922 Email: i.ruengeler@fh-muenster.de 1924 Timo Voelker 1925 Muenster University of Applied Sciences 1926 Stegerwaldstrasse 39 1927 48565 Steinfurt 1928 Germany 1929 Email: timo.voelker@fh-muenster.de