idnits 2.17.1 draft-ietf-tsvwg-datagram-plpmtud-14.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The abstract seems to indicate that this document updates RFC8201, but the header doesn't have an 'Updates:' line to match this. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC4821, updated by this document, for RFC5378 checks: 2003-10-21) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (12 February 2020) is 1535 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-34) exists of draft-ietf-quic-transport-20 ** Obsolete normative reference: RFC 4960 (Obsoleted by RFC 9260) == Outdated reference: A later version (-13) exists of draft-ietf-intarea-tunnels-10 Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force G. Fairhurst 3 Internet-Draft T. Jones 4 Updates: 4821, 4960, 8085 (if approved) University of Aberdeen 5 Intended status: Standards Track M. Tuexen 6 Expires: 15 August 2020 I. Ruengeler 7 T. Voelker 8 Muenster University of Applied Sciences 9 12 February 2020 11 Packetization Layer Path MTU Discovery for Datagram Transports 12 draft-ietf-tsvwg-datagram-plpmtud-14 14 Abstract 16 This document describes a robust method for Path MTU Discovery 17 (PMTUD) for datagram Packetization Layers (PLs). It describes an 18 extension to RFC 1191 and RFC 8201, which specifies ICMP-based Path 19 MTU Discovery for IPv4 and IPv6. The method allows a PL, or a 20 datagram application that uses a PL, to discover whether a network 21 path can support the current size of datagram. This can be used to 22 detect and reduce the message size when a sender encounters a packet 23 black hole (where packets are discarded). The method can probe a 24 network path with progressively larger packets to discover whether 25 the maximum packet size can be increased. This allows a sender to 26 determine an appropriate packet size, providing functionality for 27 datagram transports that is equivalent to the Packetization Layer 28 PMTUD specification for TCP, specified in RFC 4821. 30 The document updates RFC 4821 to specify the method for datagram PLs, 31 and updates RFC 8085 as the method to use in place of RFC 4821 with 32 UDP datagrams. Section 7.3 of RFC4960 recommends an endpoint apply 33 the techniques in RFC4821 on a per-destination-address basis. 34 RFC4960 is updated to recommend that SCTP uses the method specified 35 in this document instead of the method in RFC4821. 37 The document also provides implementation notes for incorporating 38 Datagram PMTUD into IETF datagram transports or applications that use 39 datagram transports. 41 When published, this specification updates RFC 4821 and RFC 8085. 43 Status of This Memo 45 This Internet-Draft is submitted in full conformance with the 46 provisions of BCP 78 and BCP 79. 48 Internet-Drafts are working documents of the Internet Engineering 49 Task Force (IETF). Note that other groups may also distribute 50 working documents as Internet-Drafts. The list of current Internet- 51 Drafts is at https://datatracker.ietf.org/drafts/current/. 53 Internet-Drafts are draft documents valid for a maximum of six months 54 and may be updated, replaced, or obsoleted by other documents at any 55 time. It is inappropriate to use Internet-Drafts as reference 56 material or to cite them other than as "work in progress." 58 This Internet-Draft will expire on 15 August 2020. 60 Copyright Notice 62 Copyright (c) 2020 IETF Trust and the persons identified as the 63 document authors. All rights reserved. 65 This document is subject to BCP 78 and the IETF Trust's Legal 66 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 67 license-info) in effect on the date of publication of this document. 68 Please review these documents carefully, as they describe your rights 69 and restrictions with respect to this document. Code Components 70 extracted from this document must include Simplified BSD License text 71 as described in Section 4.e of the Trust Legal Provisions and are 72 provided without warranty as described in the Simplified BSD License. 74 Table of Contents 76 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 77 1.1. Classical Path MTU Discovery . . . . . . . . . . . . . . 4 78 1.2. Packetization Layer Path MTU Discovery . . . . . . . . . 6 79 1.3. Path MTU Discovery for Datagram Services . . . . . . . . 7 80 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 81 3. Features Required to Provide Datagram PLPMTUD . . . . . . . . 10 82 4. DPLPMTUD Mechanisms . . . . . . . . . . . . . . . . . . . . . 13 83 4.1. PLPMTU Probe Packets . . . . . . . . . . . . . . . . . . 13 84 4.2. Confirmation of Probed Packet Size . . . . . . . . . . . 14 85 4.3. Black Hole Detection . . . . . . . . . . . . . . . . . . 15 86 4.4. The Maximum Packet Size (MPS) . . . . . . . . . . . . . . 15 87 4.5. Disabling the Effect of PMTUD . . . . . . . . . . . . . . 16 88 4.6. Response to PTB Messages . . . . . . . . . . . . . . . . 17 89 4.6.1. Validation of PTB Messages . . . . . . . . . . . . . 17 90 4.6.2. Use of PTB Messages . . . . . . . . . . . . . . . . . 18 91 5. Datagram Packetization Layer PMTUD . . . . . . . . . . . . . 19 92 5.1. DPLPMTUD Components . . . . . . . . . . . . . . . . . . . 20 93 5.1.1. Timers . . . . . . . . . . . . . . . . . . . . . . . 20 94 5.1.2. Constants . . . . . . . . . . . . . . . . . . . . . . 21 95 5.1.3. Variables . . . . . . . . . . . . . . . . . . . . . . 22 96 5.1.4. Overview of DPLPMTUD Phases . . . . . . . . . . . . . 23 97 5.2. State Machine . . . . . . . . . . . . . . . . . . . . . . 24 98 5.3. Search to Increase the PLPMTU . . . . . . . . . . . . . . 27 99 5.3.1. Probing for a larger PLPMTU . . . . . . . . . . . . . 27 100 5.3.2. Selection of Probe Sizes . . . . . . . . . . . . . . 28 101 5.3.3. Resilience to Inconsistent Path Information . . . . . 28 102 5.4. Robustness to Inconsistent Paths . . . . . . . . . . . . 29 103 6. Specification of Protocol-Specific Methods . . . . . . . . . 29 104 6.1. Application support for DPLPMTUD with UDP or UDP-Lite . . 29 105 6.1.1. Application Request . . . . . . . . . . . . . . . . . 30 106 6.1.2. Application Response . . . . . . . . . . . . . . . . 30 107 6.1.3. Sending Application Probe Packets . . . . . . . . . . 30 108 6.1.4. Initial Connectivity . . . . . . . . . . . . . . . . 30 109 6.1.5. Validating the Path . . . . . . . . . . . . . . . . . 30 110 6.1.6. Handling of PTB Messages . . . . . . . . . . . . . . 30 111 6.2. DPLPMTUD for SCTP . . . . . . . . . . . . . . . . . . . . 31 112 6.2.1. SCTP/IPv4 and SCTP/IPv6 . . . . . . . . . . . . . . . 31 113 6.2.1.1. Initial Connectivity . . . . . . . . . . . . . . 31 114 6.2.1.2. Sending SCTP Probe Packets . . . . . . . . . . . 31 115 6.2.1.3. Validating the Path with SCTP . . . . . . . . . . 32 116 6.2.1.4. PTB Message Handling by SCTP . . . . . . . . . . 32 117 6.2.2. DPLPMTUD for SCTP/UDP . . . . . . . . . . . . . . . . 32 118 6.2.2.1. Initial Connectivity . . . . . . . . . . . . . . 32 119 6.2.2.2. Sending SCTP/UDP Probe Packets . . . . . . . . . 32 120 6.2.2.3. Validating the Path with SCTP/UDP . . . . . . . . 32 121 6.2.2.4. Handling of PTB Messages by SCTP/UDP . . . . . . 33 122 6.2.3. DPLPMTUD for SCTP/DTLS . . . . . . . . . . . . . . . 33 123 6.2.3.1. Initial Connectivity . . . . . . . . . . . . . . 33 124 6.2.3.2. Sending SCTP/DTLS Probe Packets . . . . . . . . . 33 125 6.2.3.3. Validating the Path with SCTP/DTLS . . . . . . . 33 126 6.2.3.4. Handling of PTB Messages by SCTP/DTLS . . . . . . 33 127 6.3. DPLPMTUD for QUIC . . . . . . . . . . . . . . . . . . . . 33 128 6.3.1. Initial Connectivity . . . . . . . . . . . . . . . . 34 129 6.3.2. Sending QUIC Probe Packets . . . . . . . . . . . . . 34 130 6.3.3. Validating the Path with QUIC . . . . . . . . . . . . 34 131 6.3.4. Handling of PTB Messages by QUIC . . . . . . . . . . 34 132 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 35 133 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 134 9. Security Considerations . . . . . . . . . . . . . . . . . . . 35 135 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 36 136 10.1. Normative References . . . . . . . . . . . . . . . . . . 36 137 10.2. Informative References . . . . . . . . . . . . . . . . . 38 138 Appendix A. Revision Notes . . . . . . . . . . . . . . . . . . . 39 139 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 43 141 1. Introduction 143 The IETF has specified datagram transport using UDP, SCTP, and DCCP, 144 as well as protocols layered on top of these transports (e.g., SCTP/ 145 UDP, DCCP/UDP, QUIC/UDP), and direct datagram transport over the IP 146 network layer. This document describes a robust method for Path MTU 147 Discovery (PMTUD) that can be used with these transport protocols (or 148 the applications that use their transport service) to discover an 149 appropriate size of packet to use across an Internet path. 151 1.1. Classical Path MTU Discovery 153 Classical Path Maximum Transmission Unit Discovery (PMTUD) can be 154 used with any transport that is able to process ICMP Packet Too Big 155 (PTB) messages (e.g., [RFC1191] and [RFC8201]). In this document, 156 the term PTB message is applied to both IPv4 ICMP Unreachable 157 messages (type 3) that carry the error Fragmentation Needed (Type 3, 158 Code 4) [RFC0792] and ICMPv6 Packet Too Big messages (Type 2) 159 [RFC4443]. When a sender receives a PTB message, it reduces the 160 effective MTU to the value reported as the Link MTU in the PTB 161 message. A method from time-to-time increases the packet size in 162 attempt to discover an increase in the supported PMTU. The packets 163 sent with a size larger than the current effective PMTU are known as 164 probe packets. 166 Packets not intended as probe packets are either fragmented to the 167 current effective PMTU, or the attempt to send fails with an error 168 code. Applications can be provided with a primitive to let them read 169 the Maximum Packet Size (MPS), derived from the current effective 170 PMTU. 172 Classical PMTUD is subject to protocol failures. One failure arises 173 when traffic using a packet size larger than the actual PMTU is 174 black-holed (all datagrams sent with this size, or larger, are 175 discarded). This could arise when the PTB messages are not delivered 176 back to the sender for some reason (see for example [RFC2923]). 178 Examples where PTB messages are not delivered include: 180 * The generation of ICMP messages is usually rate limited. This 181 could result in no PTB messages being generated to the sender (see 182 section 2.4 of [RFC4443]) 184 * ICMP messages can be filtered by middleboxes (including firewalls) 185 [RFC4890]. A stateful firewall could be configured with a policy 186 to block incoming ICMP messages, which would prevent reception of 187 PTB messages to a sending endpoint behind this firewall. 189 * When the router issuing the ICMP message drops a tunneled packet, 190 the resulting ICMP message will be directed to the tunnel ingress. 191 This tunnel endpoint is responsible for forwarding the ICMP 192 message and also processing the quoted packet within the payload 193 field to remove the effect of the tunnel, and return a correctly 194 formatted ICMP message to the sender [I-D.ietf-intarea-tunnels]. 195 Failure to do this prevents the PTB message reaching the original 196 sender. 198 * Asymmetry in forwarding can result in there being no return route 199 to the original sender, which would prevent an ICMP message being 200 delivered to the sender. This issue can also arise when policy- 201 based routing is used, Equal Cost Multipath (ECMP) routing is 202 used, or a middlebox acts as an application load balancer. An 203 example is where the path towards the server is chosen by ECMP 204 routing depending on bytes in the IP payload. In this case, when 205 a packet sent by the server encounters a problem after the ECMP 206 router, then any resulting ICMP message also needs to be directed 207 by the ECMP router towards the original sender. 209 * There are additional cases where the next hop destination fails to 210 receive a packet because of its size. This could be due to 211 misconfiguration of the layer 2 path between nodes, for instance 212 the MTU configured in a layer 2 switch, or misconfiguration of the 213 Maximum Receive Unit (MRU). If a packet is dropped by the link, 214 this will not cause a PTB message to be sent to the original 215 sender. 217 Another failure could result if a node that is not on the network 218 path sends a PTB message that attempts to force a sender to change 219 the effective PMTU [RFC8201]. A sender can protect itself from 220 reacting to such messages by utilising the quoted packet within a PTB 221 message payload to validate that the received PTB message was 222 generated in response to a packet that had actually originated from 223 the sender. However, there are situations where a sender would be 224 unable to provide this validation. Examples where validation of the 225 PTB message is not possible include: 227 * When a router issuing the ICMP message implements RFC792 228 [RFC0792], it is only required to include the first 64 bits of the 229 IP payload of the packet within the quoted payload. There could 230 be insufficient bytes remaining for the sender to interpret the 231 quoted transport information. 233 Note: The recommendation in RFC1812 [RFC1812] is that IPv4 routers 234 return a quoted packet with as much of the original datagram as 235 possible without the length of the ICMP datagram exceeding 576 236 bytes. IPv6 routers include as much of the invoking packet as 237 possible without the ICMPv6 packet exceeding 1280 bytes [RFC4443]. 239 * The use of tunnels/encryption can reduce the size of the quoted 240 packet returned to the original source address, increasing the 241 risk that there could be insufficient bytes remaining for the 242 sender to interpret the quoted transport information. 244 * Even when the PTB message includes sufficient bytes of the quoted 245 packet, the network layer could lack sufficient context to 246 validate the message, because validation depends on information 247 about the active transport flows at an endpoint node (e.g., the 248 socket/address pairs being used, and other protocol header 249 information). 251 * When a packet is encapsulated/tunneled over an encrypted 252 transport, the tunnel/encapsulation ingress might have 253 insufficient context, or computational power, to reconstruct the 254 transport header that would be needed to perform validation. 256 * A Network Addres Translation (NAT) device that translates a packet 257 header, ought to also translate ICMP messages and update the ICMP 258 quoted packet [RFC5508] in that message. If this is not correctly 259 translated then the sender would not be able to associate the 260 message with the PL that originated the packet, and hence this 261 ICMP message cannot be validated. 263 1.2. Packetization Layer Path MTU Discovery 265 The term Packetization Layer (PL) has been introduced to describe the 266 layer that is responsible for placing data blocks into the payload of 267 IP packets and selecting an appropriate MPS. This function is often 268 performed by a transport protocol (e.g., DCCP, RTP, SCTP, QUIC), but 269 can also be performed by other encapsulation methods working above 270 the transport layer. 272 In contrast to PMTUD, Packetization Layer Path MTU Discovery 273 (PLPMTUD) [RFC4821] introduced a method that does not rely upon 274 reception and validation of PTB messages. It is therefore more 275 robust than Classical PMTUD. This has become the recommended 276 approach for implementing discovery of the PMTU [RFC8085]. 278 It uses a general strategy where the PL sends probe packets to search 279 for the largest size of unfragmented datagram that can be sent over a 280 network path. Probe packets are sent to explore using a larger 281 packet size. If a probe packet is successfully delivered (as 282 determined by the PL), then the PLPMTU is raised to the size of the 283 successful probe. If no response is received to a probe packet, the 284 method then reduces the PLPMTU. 286 Datagram PLPMTUD introduces flexibility in implementation. At one 287 extreme, it can be configured to only perform Black Hole Detection 288 and recovery with increased robustness compared to Classical PMTUD. 289 At the other extreme, all PTB processing can be disabled, and PLPMTUD 290 replaces Classical PMTUD. 292 PLPMTUD can also include additional consistency checks without 293 increasing the risk that data is lost when probing to discover the 294 Path MTU. For example, information available at the PL, or higher 295 layers, enables received PTB messages to be validated before being 296 utilized. 298 1.3. Path MTU Discovery for Datagram Services 300 Section 5 of this document presents a set of algorithms for datagram 301 protocols to discover the largest size of unfragmented datagram that 302 can be sent over a network path. The method relies upon features of 303 the PL described in Section 3 and applies to transport protocols 304 operating over IPv4 and IPv6. It does not require cooperation from 305 the lower layers, although it can utilize PTB messages when these 306 received messages are made available to the PL. 308 The message size guidelines in section 3.2 of the UDP Usage 309 Guidelines [RFC8085] state "an application SHOULD either use the Path 310 MTU information provided by the IP layer or implement Path MTU 311 Discovery (PMTUD)", but does not provide a mechanism for discovering 312 the largest size of unfragmented datagram that can be used on a 313 network path. The present document updates RFC 8085 to specify this 314 method in place of PLPMTUD [RFC4821] and provides a mechanism for 315 sharing the discovered largest size as the Maximum Packet Size (MPS) 316 (see Section 4.4). 318 Section 10.2 of [RFC4821] recommended a PLPMTUD probing method for 319 the Stream Control Transport Protocol (SCTP). SCTP utilizes probe 320 packets consisting of a minimal sized HEARTBEAT chunk bundled with a 321 PAD chunk as defined in [RFC4820]. However, RFC 4821 did not provide 322 a complete specification. The present document replaces this by 323 providing a complete specification. 325 The Datagram Congestion Control Protocol (DCCP) [RFC4340] requires 326 implementations to support Classical PMTUD and states that a DCCP 327 sender "MUST maintain the MPS allowed for each active DCCP session". 328 It also defines the current congestion control MPS (CCMPS) supported 329 by a network path. This recommends use of PMTUD, and suggests use of 330 control packets (DCCP-Sync) as path probe packets, because they do 331 not risk application data loss. The method defined in this 332 specification can be used with DCCP. 334 Section 6 specifies the method for datagram transports and provides 335 information to enable the implementation of PLPMTUD with other 336 datagram transports and applications that use datagram transports. 338 2. Terminology 340 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 341 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 342 "OPTIONAL" in this document are to be interpreted as described in BCP 343 14 [RFC2119] [RFC8174] when, and only when, they appear in all 344 capitals, as shown here. 346 Other terminology is directly copied from [RFC4821], and the 347 definitions in [RFC1122]. 349 Actual PMTU: The Actual PMTU is the PMTU of a network path between a 350 sender PL and a destination PL, which the DPLPMTUD algorithm seeks 351 to determine. 353 Black Hole: A Black Hole is encountered when a sender is unaware 354 that packets are not being delivered to the destination end point. 355 Two types of Black Hole are relevant to DPLPMTUD: 357 * Packets encounter a packet Black Hole when packets are not 358 delivered to the destination endpoint (e.g., when the sender 359 transmits packets of a particular size with a previously known 360 effective PMTU and they are discarded by the network). 362 * An ICMP Black Hole is encountered when the sender is unaware 363 that packets are not delivered to the destination endpoint 364 because PTB messages are not received by the originating PL 365 sender. 367 Classical Path MTU Discovery: Classical PMTUD is a process described 368 in [RFC1191] and [RFC8201], in which nodes rely on PTB messages to 369 learn the largest size of unfragmented packet that can be used 370 across a network path. 372 Datagram: A datagram is a transport-layer protocol data unit, 373 transmitted in the payload of an IP packet. 375 Effective PMTU: The Effective PMTU is the current estimated value 376 for PMTU that is used by a PMTUD. This is equivalent to the 377 PLPMTU derived by PLPMTUD. 379 EMTU_S: The Effective MTU for sending (EMTU_S) is defined in 380 [RFC1122] as "the maximum IP datagram size that may be sent, for a 381 particular combination of IP source and destination addresses...". 383 EMTU_R: The Effective MTU for receiving (EMTU_R) is designated in 384 [RFC1122] as the largest datagram size that can be reassembled by 385 EMTU_R (Effective MTU to receive). 387 Link: A Link is a communication facility or medium over which nodes 388 can communicate at the link layer, i.e., a layer below the IP 389 layer. Examples are Ethernet LANs and Internet (or higher) layer 390 and tunnels. 392 Link MTU: The Link Maximum Transmission Unit (MTU) is the size in 393 bytes of the largest IP packet, including the IP header and 394 payload, that can be transmitted over a link. Note that this 395 could more properly be called the IP MTU, to be consistent with 396 how other standards organizations use the acronym. This includes 397 the IP header, but excludes link layer headers and other framing 398 that is not part of IP or the IP payload. Other standards 399 organizations generally define the link MTU to include the link 400 layer headers. This specification continues the requirement in 401 [RFC4821], that states "All links MUST enforce their MTU: links 402 that might non- deterministically deliver packets that are larger 403 than their rated MTU MUST consistently discard such packets." 405 MAX_PMTU: The MAX_PMTU is the largest size of PLPMTU that DPLPMTUD 406 will attempt to use. 408 MPS: The Maximum Packet Size (MPS) is the largest size of 409 application data block that can be sent across a network path by a 410 PL. In DPLPMTUD this quantity is derived from the PLPMTU by 411 taking into consideration the size of the lower protocol layer 412 headers. Probe packets generated by DPLPMTUD can have a size 413 larger than the MPS. 415 MIN_PMTU: The MIN_PMTU is the smallest size of PLPMTU that DPLPMTUD 416 will attempt to use. 418 Packet: A Packet is the IP header plus the IP payload. 420 Packetization Layer (PL): The Packetization Layer (PL) is a layer of 421 the network stack that places data into packets and performs 422 transport protocol functions. Examples of a PL include: TCP, 423 SCTP, SCTP over DTLS or QUIC. 425 Path: The Path is the set of links and routers traversed by a packet 426 between a source node and a destination node by a particular flow. 428 Path MTU (PMTU): The Path MTU (PMTU) is the minimum of the Link MTU 429 of all the links forming a network path between a source node and 430 a destination node. 432 PTB_SIZE: The PTB_SIZE is a value reported in a validated PTB 433 message that indicates next hop link MTU of a router along the 434 path. 436 PLPMTU: The Packetization Layer PMTU is an estimate of the actual 437 PMTU provided by the DPLPMTUD algorithm. 439 PLPMTUD: Packetization Layer Path MTU Discovery (PLPMTUD), the 440 method described in this document for datagram PLs, which is an 441 extension to Classical PMTU Discovery. 443 Probe packet: A probe packet is a datagram sent with a purposely 444 chosen size (typically the current PLPMTU or larger) to detect if 445 packets of this size can be successfully sent end-to-end across 446 the network path. 448 3. Features Required to Provide Datagram PLPMTUD 450 The principles expressed in [RFC4821] apply to the use of the 451 technique with any PL. TCP PLPMTUD has been defined using standard 452 TCP protocol mechanisms. Unlike TCP, datagram PLs require additional 453 mechanisms and considerations to implement PLPMTUD. 455 The requirements for datagram PLPMTUD are: 457 1. PLPMTU: The PLPMTU (specified as the effective PMTU in Section 1 458 of [RFC1191]) is equivalent to the EMTU_S (specified in 459 [RFC1122]). For datagram PLs,] the PLPMTU is managed by 460 DPLPMTUD. A PL MUST NOT send a packet (other than a probe 461 packet) with a size larger than the current PLPMTU at the 462 network layer. 464 2. Probe packets: On request, a DPLPMTUD sender is REQUIRED to be 465 able to transmit a packet larger than the PLMPMTU. This is used 466 to send a probe packet. In IPv4, a probe packet MUST be sent 467 with the Don't Fragment (DF) bit set in the IP header, and 468 without network layer endpoint fragmentation. In IPv6, a probe 469 packet is always sent without source fragmentation (as specified 470 in section 5.4 of [RFC8201]). 472 3. Reception feedback: The destination PL endpoint is REQUIRED to 473 provide a feedback method that indicates to the DPLPMTUD sender 474 when a probe packet has been received by the destination PL 475 endpoint. 477 4. Probe loss recovery: It is RECOMMENDED to use probe packets that 478 do not carry any user data that would require retransmission if 479 lost. Most datagram transports permit this. If a probe packet 480 contains user data requiring retransmission in case of loss, the 481 PL (or layers above) are REQUIRED to arrange any retransmission/ 482 repair of any resulting loss. The PL is REQUIRED to be robust 483 in the case where probe packets are lost due to other reasons 484 (including link transmission error, congestion). 486 5. PMTU parameters: A DPLPMTUD sender is RECOMMENDED to utilise 487 information about the maximum size of packet that can be 488 transmitted by the sender on the local link (e.g., the local 489 Link MTU). It MAY utilize similar information about the 490 receiver when this is supplied (note this could be less than 491 EMTU_R). This avoids implementations trying to send probe 492 packets that can not be transmitted by the local link. Too high 493 of a value could reduce the efficiency of the search algorithm. 494 Some applications also have a maximum transport protocol data 495 unit (PDU) size, in which case there is no benefit from probing 496 for a size larger than this (unless a transport allows 497 multiplexing multiple applications PDUs into the same datagram). 499 6. Processing PTB messages: A DPLPMTUD sender MAY optionally 500 utilize PTB messages received from the network layer to help 501 identify when a network path does not support the current size 502 of probe packet. Any received PTB message MUST be validated 503 before it is used to update the PLPMTU discovery information 504 [RFC8201]. This validation confirms that the PTB message was 505 sent in response to a packet originating by the sender, and 506 needs to be performed before the PLPMTU discovery method reacts 507 to the PTB message. A PTB message MUST NOT be used to increase 508 the PLPMTU [RFC8201], but could trigger a probe to test for a 509 larger PLPMTU. A PTB_SIZE greater than the currently probed 510 MUST be ignored. 512 7. Probing and congestion control: The decision about when to send 513 a probe packet does not need to be limited by the congestion 514 controller. When not controlled by the congestion controller, 515 the interval between probe packets MUST be at least one RTT. If 516 transmission of probe packets is limited by the congestion 517 controller, this could result in transmission of probe packets 518 being delayed. 520 8. Loss of a probe packet SHOULD NOT be treated as an indication of 521 congestion and SHOULD NOT trigger a congestion control reaction 522 [RFC4821], because this could result in unnecessary reduction of 523 the sending rate. 525 9. An update to the PLPMTU (or MPS) MUST NOT modify the congestion 526 window measured in bytes [RFC4821]. Therefore, an increase in 527 the packet size does not cause an increase the data rate in 528 bytes per second. 530 10. Probing and flow control: Flow control at the PL concerns the 531 end-to-end flow of data using the PL service. This does not 532 apply to DPLPMTU when probe packets use a design that does not 533 carry user data to the remote application. 535 11. Shared PLPMTU state: The PLPMTU value MAY also be stored with 536 the corresponding entry associated with the destination in the 537 IP layer cache, and used by other PL instances. The 538 specification of PLPMTUD [RFC4821] states: "If PLPMTUD updates 539 the MTU for a particular path, all Packetization Layer sessions 540 that share the path representation (as described in Section 5.2 541 of [RFC4821]) SHOULD be notified to make use of the new MTU". 542 Such methods MUST be robust to the wide variety of underlying 543 network forwarding behaviors. Section 5.2 of [RFC8201] provides 544 guidance on the caching of PMTU information and also the 545 relation to IPv6 flow labels. 547 In addition, the following principles are stated for design of a 548 DPLPMTUD method: 550 * Maximum Packet Size (MPS): A PL MAY be designed to segment data 551 blocks larger than the MPS into multiple datagrams. However, not 552 all datagram PLs support segmentation of data blocks. It is 553 RECOMMENDED that methods avoid forcing an application to use an 554 arbitrary small MPS for transmission while the method is searching 555 for the currently supported PLPMTU. A reduced MPS can adversely 556 impact the performance of an application. 558 * To assist applications in choosing a suitable data block size, the 559 PL is RECOMMENDED to provide a primitive that returns the MPS 560 derived from the PLPMTU to the higher layer using the PL. The 561 value of the MPS can change following a change in the path, or 562 loss of probe packets. 564 * Path validation: It is RECOMMENDED that methods are robust to path 565 changes that could have occurred since the path characteristics 566 were last confirmed, and to the possibility of inconsistent path 567 information being received. 569 * Datagram reordering: A method is REQUIRED to be robust to the 570 possibility that a flow encounters reordering, or the traffic 571 (including probe packets) is divided over more than one network 572 path. 574 * Datagram delay and duplication: The feedback mechanism is REQUIRED 575 to be robust to the possibility that packets could be 576 significantly delayed or duplicated along a network path. 578 * When to probe: It is RECOMMENDED that methods determine whether 579 the path has changed since it last measured the path. This can 580 help determine when to probe the path again. 582 4. DPLPMTUD Mechanisms 584 This section lists the protocol mechanisms used in this 585 specification. 587 4.1. PLPMTU Probe Packets 589 The DPLPMTUD method relies upon the PL sender being able to generate 590 probe packets with a specific size. TCP is able to generate these 591 probe packets by choosing to appropriately segment data being sent 592 [RFC4821]. In contrast, a datagram PL that constructs a probe packet 593 has to either request an application to send a data block that is 594 larger than that generated by an application, or to utilize padding 595 functions to extend a datagram beyond the size of the application 596 data block. Protocols that permit exchange of control messages 597 (without an application data block) can generate a probe packet by 598 extending a control message with padding data. 600 A receiver is REQUIRED to be able to distinguish an in-band data 601 block from any added padding. This is needed to ensure that any 602 added padding is not passed on to an application at the receiver. 604 This results in three possible ways that a sender can create a probe 605 packet: 607 Probing using padding data: A probe packet that contains only 608 control information together with any padding, which is needed to 609 be inflated to the size of the probe packet. Since these probe 610 packets do not carry an application-supplied data block, they do 611 not typically require retransmission, although they do still 612 consume network capacity and incur endpoint processing. 614 Probing using application data and padding data: A probe packet that 615 contains a data block supplied by an application that is combined 616 with padding to inflate the length of the datagram to the size of 617 the probe packet. If the application/transport needs protection 618 from the loss of this probe packet, the application/transport 619 could perform transport-layer retransmission/repair of the data 620 block (e.g., by retransmission after loss is detected or by 621 duplicating the data block in a datagram without the padding 622 data). 624 Probing using application data: A probe packet that contains a data 625 block supplied by an application that matches the size of the 626 probe packet. This method requests the application to issue a 627 data block of the desired probe size. If the application/ 628 transport needs protection from the loss of an unsuccessful probe 629 packet, the application/transport needs then to perform transport- 630 layer retransmission/repair of the data block (e.g., by 631 retransmission after loss is detected). 633 A PL that uses a probe packet carrying an application data block, 634 could need to retransmit this application data block if the probe 635 fails, possibly using a smaller PLPMTU. This could need the PL to to 636 use a smaller packet size to traverse the end-to-end path (which 637 could utilize endpoint network-layer or a PL that can re-segment the 638 data block into multiple datagrams). 640 DPLPMTUD MAY choose to use only one of these methods to simplify the 641 implementation. 643 Probe messages sent by a PL MUST contain enough information to 644 uniquely identify the probe within Maximum Segment Lifetime, while 645 being robust to reordering and replay of probe response and PTB 646 messages. 648 4.2. Confirmation of Probed Packet Size 650 The PL needs a method to determine (confirm) when probe packets have 651 been successfully received end-to-end across a network path. 653 Transport protocols can include end-to-end methods that detect and 654 report reception of specific datagrams that they send (e.g., DCCP and 655 SCTP provide keep-alive/heartbeat features). When supported, this 656 mechanism MAY also be used by DPLPMTUD to acknowledge reception of a 657 probe packet. 659 A PL that does not acknowledge data reception (e.g., UDP and UDP- 660 Lite) is unable itself to detect when the packets that it sends are 661 discarded because their size is greater than the actual PMTU. These 662 PLs need to rely on an application protocol to detect this loss. 664 Section 6 specifies this function for a set of IETF-specified 665 protocols. 667 4.3. Black Hole Detection 669 Black Hole Detection is triggered by an indication that the network 670 path could be unable to support the current PLPMTU size. 672 There are three ways to detect black holes: 674 * A validated PTB message can be received that indicates a PTB_SIZE 675 less than the current PLPMTU. A DPLPMTUD method MUST NOT rely 676 soley on this method. 678 * A PL can use the DPLPMTUD probing mechanism to periodically 679 generate probe packets of the size of the current PLPMTU (e.g., 680 using the confirmation timer Section 5.1.1). A timer tracks 681 whether acknowledgments are received. Successive loss of probes 682 is an indication that the current path no longer supports the 683 PLPMTU (e.g., when the number of probe packets sent without 684 receiving an acknowledgement, PROBE_COUNT, becomes greater than 685 MAX_PROBES). 687 * A PL can utilise an event that indicates the network path no 688 longer sustains the sender's PLPMTU size. This could use a 689 mechanism implemented within the PL to detect excessive loss of 690 data sent with a specific packet size and then conclude that this 691 excessive loss could be a result of an invalid PLPMTU (as in 692 PLPMTUD for TCP [RFC4821]). 694 A PL MAY inhibit sending probe packets when no application data has 695 been sent since the previous probe packet. A PL preferring to use an 696 up-to-data PLPMTU once user data is sent again, MAY choose to 697 continue PLPMTU discovery for each path. However, this could result 698 in additional packets being sent. 700 When the method detects the current PLPMTU is not supported, DPLPMTUD 701 sets a lower PLPMTU, and sets a lower MPS. The PL then confirms that 702 the new PLPMTU can be successfully used across the path. A probe 703 packet could need to have a size less than the size of the data block 704 generated by the application. 706 4.4. The Maximum Packet Size (MPS) 708 The result of probing determines a usable PLPMTU, which is used to 709 set the MPS used by the application. The MPS is smaller than the 710 PLPMTU because of the presence of PL headers and any IP options or 711 extensions added to the PL packet. The relationship between the MPS 712 and the PLPMTUD is illustrated in Figure 1. 714 any additional 715 headers .--- MPS -----. 716 | | | 717 v v v 718 +------------------------------+ 719 | IP | ** | PL | protocol data | 720 +------------------------------+ 722 <---------- PLPMTU ------------> 724 Figure 1: Relationship between MPS and PLPMTU 726 A PL is unable to send a packet (other than a probe packet) with a 727 size larger than the current PLPMTU at the network layer. To avoid 728 this, a PL MAY be designed to segment data blocks larger than the MPS 729 into multiple datagrams. 731 DPLPMTUD seeks to avoid IP fragmentation. An attempt to send a data 732 block larger than the MPS will therefore fail if a PL is unable to 733 segment data. To determine the largest data block that can be sent, 734 a PL SHOULD provide applications with a primitive that returns the 735 Maximum Packet Size (MPS), derived from the current PLPMTU. 737 If DPLPMTUD results in a change to the MPS, the application needs to 738 adapt to the new MPS. A particular case can arise when packets have 739 been sent with a size less than the MPS and the PLPMTU was 740 subsequently reduced. If these packets are lost, the PL MAY segment 741 the data using the new MPS. If a PL is unable to re-segment a 742 previously sent datagram (e.g., [RFC4960]), then the sender either 743 discards the datagram or could perform retransmission using network- 744 layer fragmentation to form multiple IP packets not larger than the 745 PLPMTU. For IPv4, the use of endpoint fragmentation by the sender is 746 preferred over clearing the DF-bit in the IPv4 header. Operational 747 experience reveals that IP fragmentation can reduce the reliability 748 of Internet communication [I-D.ietf-intarea-frag-fragile], which may 749 reduce the success of retransmission. 751 4.5. Disabling the Effect of PMTUD 753 A PL implementing this specification MUST suspend network layer 754 processing of outgoing packets that enforces a PMTU 755 [RFC1191][RFC8201] for each flow utilising DPLPMTUD, and instead use 756 DPLPMTUD to control the size of packets that are sent by a flow. 757 This removes the need for the network layer to drop or fragment sent 758 packets that have a size greater than the PMTU. 760 4.6. Response to PTB Messages 762 This method requires the DPLPMTUD sender to validate any received PTB 763 message before using the PTB information. The response to a PTB 764 message depends on the PTB_SIZE indicated in the PTB message, the 765 state of the PLPMTUD state machine, and the IP protocol being used. 767 Section 4.6.1 first describes validation for both IPv4 ICMP 768 Unreachable messages (type 3) and ICMPv6 Packet Too Big messages, 769 both of which are referred to as PTB messages in this document. 771 4.6.1. Validation of PTB Messages 773 This section specifies utilization of PTB messages. 775 * A simple implementation MAY ignore received PTB messages and in 776 this case the PLPMTU is not updated when a PTB message is 777 received. 779 * An implementation that supports PTB messages MUST validate 780 messages before they are further processed. 782 A PL that receives a PTB message from a router or middlebox, performs 783 ICMP validation as specified in Section 5.2 of [RFC8085][RFC8201]. 784 Because DPLPMTUD operates at the PL, the PL needs to check that each 785 received PTB message is received in response to a packet transmitted 786 by the endpoint PL performing DPLPMTUD. 788 The PL MUST check the protocol information in the quoted packet 789 carried in an ICMP PTB message payload to validate the message 790 originated from the sending node. This validation includes 791 determining that the combination of the IP addresses, the protocol, 792 the source port and destination port match those returned in the 793 quoted packet - this is also necessary for the PTB message to be 794 passed to the corresponding PL. 796 The validation SHOULD utilize information that it is not simple for 797 an off-path attacker to determine [RFC8085]. For example, by 798 checking the value of a protocol header field known only to the two 799 PL endpoints. A datagram application that uses well-known source and 800 destination ports ought to also rely on other information to complete 801 this validation. 803 These checks are intended to provide protection from packets that 804 originate from a node that is not on the network path. A PTB message 805 that does not complete the validation MUST NOT be further utilized by 806 the DPLPMTUD method. 808 PTB messages that have been validated MAY be utilized by the DPLPMTUD 809 algorithm, but MUST NOT be used directly to set the PLPMTU. A method 810 that utilizes these PTB messages can improve the speed at the which 811 the algorithm detects an appropriate PLPMTU by triggering an 812 immediate probe for the PTB_SIZE, compared to one that relies solely 813 on probing using a timer-based search algorithm. Section 4.6.2 814 describes this processing. 816 4.6.2. Use of PTB Messages 818 A set of checks are intended to provide protection from a router that 819 reports an unexpected PTB_SIZE. The PL also needs to check that the 820 indicated PTB_SIZE is less than the size used by probe packets and at 821 least the minimum size accepted. 823 This section provides a summary of how PTB messages can be utilized. 824 This processing depends on the PTB_SIZE and the current value of a 825 set of variables: 827 PTB_SIZE < MIN_PMTU 828 * Invalid PTB_SIZE see Section 4.6.1. 830 * PTB message ought to be discarded without further processing 831 (e. g. PLPMTU not modified). 833 * The information could be utilized as an input to trigger 834 enabling a resilience mode. 836 MIN_PMTU < PTB_SIZE < BASE_PMTU 837 * A robust PL MAY enter an error state (see Section 5.2) for an 838 IPv4 path when the PTB_SIZE reported in the PTB message is 839 larger than or equal to 68 bytes [RFC0791] and when this is 840 less than the BASE_PMTU. 842 * A robust PL MAY enter an error state (see Section 5.2) for an 843 IPv6 path when the PTB_SIZE reported in the PTB message is 844 larger than or equal to 1280 bytes [RFC8200] and when this is 845 less than the BASE_PMTU. 847 PTB_SIZE = PLPMTU 848 * Completes the search for a larger PLPMTU. 850 PTB_SIZE > PROBED_SIZE 851 * Inconsistent network signal. 853 * PTB message ought to be discarded without further processing 854 (e. g. PLPMTU not modified). 856 * The information could be utilized as an input to trigger 857 enabling a resilience mode. 859 BASE_PMTU <= PTB_SIZE < PLPMTU 860 * This could be an indication of a black hole. The PLPMTU SHOULD 861 be set to BASE_PMTU (the PLPMTU is reduced to the BASE_PMTU to 862 avoid unnecessary packet loss when a black hole is 863 encountered). 865 * The PL ought to start a search to quickly discover the new 866 PLPMTU. The PTB_SIZE reported in the PTB message can be used 867 to initialize a search algorithm. 869 PLPMTU < PTB_SIZE < PROBED_SIZE 870 * The PLPMTU continues to be valid, but the last PROBED_SIZE 871 searched was larger than the actual PMTU. 873 * The PLPMTU is not updated. 875 * The PL can use the reported PTB_SIZE from the PTB message as 876 the next search point when it resumes the search algorithm. 878 5. Datagram Packetization Layer PMTUD 880 This section specifies Datagram PLPMTUD (DPLPMTUD). The method can 881 be introduced at various points (as indicated with * in the figure 882 below) in the IP protocol stack to discover the PLPMTU so that an 883 application can utilize an appropriate MPS for the current network 884 path. 886 DPLPMTUD SHOULD NOT be used by an upper PL or application if it is 887 already used in a lower layer, DPLPMTUD SHOULD only be performed once 888 between a pair of endpoints. A PL MUST adjust the MPS indicated by 889 DPLPMTUD to account for any additional overhead introduced by the PL. 891 +----------------------+ 892 | Application* | 893 +-+-------+----+----+--+ 894 | | | | 895 +---+--+ +--+--+ | +-+---+ 896 | QUIC*| |UDPO*| | |SCTP*| 897 +---+--+ +--+--+ | +--+--+ 898 | | | | | 899 +-------+--+ | | | 900 | | | | 901 +-+-+--+ | 902 | UDP | | 903 +---+--+ | 904 | | 905 +--------------+-----+-+ 906 | Network Interface | 907 +----------------------+ 909 Figure 2: Examples where DPLPMTUD can be implemented 911 The central idea of DPLPMTUD is probing by a sender. Probe packets 912 are sent to find the maximum size of user message that can be 913 completely transferred across the network path from the sender to the 914 destination. 916 The following sections identify the components needed for 917 implementation, provides an overview of the phases of operation, and 918 specifies the state machine and search algorithm. 920 5.1. DPLPMTUD Components 922 This section describes the timers, constants, and variables of 923 DPLPMTUD. 925 5.1.1. Timers 927 The method utilizes up to three timers: 929 PROBE_TIMER: The PROBE_TIMER is configured to expire after a period 930 longer than the maximum time to receive an acknowledgment to a 931 probe packet. This value MUST NOT be smaller than 1 second, and 932 SHOULD be larger than 15 seconds. Guidance on selection of the 933 timer value are provided in section 3.1.1 of the UDP Usage 934 Guidelines [RFC8085]. 936 PMTU_RAISE_TIMER: The PMTU_RAISE_TIMER is configured to the period a 937 sender will continue to use the current PLPMTU, after which it re- 938 enters the Search phase. This timer has a period of 600 seconds, 939 as recommended by PLPMTUD [RFC4821]. 941 DPLPMTUD MAY inhibit sending probe packets when no application 942 data has been sent since the previous probe packet. A PL 943 preferring to use an up-to-data PMTU once user data is sent again, 944 can choose to continue PMTU discovery for each path. However, 945 this could result in sending additional packets. 947 CONFIRMATION_TIMER: When an acknowledged PL is used, this timer MUST 948 NOT be used. For other PLs, the CONFIRMATION_TIMER is configured 949 to the period a PL sender waits before confirming the current 950 PLPMTU is still supported. This is less than the PMTU_RAISE_TIMER 951 and used to decrease the PLPMTU (e.g., when a black hole is 952 encountered). Confirmation needs to be frequent enough when data 953 is flowing that the sending PL does not black hole extensive 954 amounts of traffic. Guidance on selection of the timer value are 955 provided in section 3.1.1 of the UDP Usage Guidelines [RFC8085]. 957 DPLPMTUD MAY inhibit sending probe packets when no application 958 data has been sent since the previous probe packet. A PL 959 preferring to use an up-to-data PMTU once user data is sent again, 960 can choose to continue PMTU discovery for each path. However, 961 this could result in sending additional packets. 963 An implementation could implement the various timers using a single 964 timer. 966 5.1.2. Constants 968 The following constants are defined: 970 MAX_PROBES: The MAX_PROBES is the maximum value of the PROBE_COUNT 971 counter (see Section 5.1.3). MAX_PROBES represents the limit for 972 the number of consecutive probe attempts of any size. Search 973 algorithms benefit from a MAX_PROBES value greater than 1 because 974 this can provide robustness to isolated packet loss. The default 975 value of MAX_PROBES is 3. 977 MIN_PMTU: The MIN_PMTU is the smallest allowed probe packet size. 978 For IPv6, this value is 1280 bytes, as specified in [RFC8200]. 979 For IPv4, the minimum value is 68 bytes. 981 Note: An IPv4 router is required to be able to forward a datagram 982 of 68 bytes without further fragmentation. This is the combined 983 size of an IPv4 header and the minimum fragment size of 8 bytes. 984 In addition, receivers are required to be able to reassemble 985 fragmented datagrams at least up to 576 bytes, as stated in 986 section 3.3.3 of [RFC1122]. 988 MAX_PMTU: The MAX_PMTU is the largest size of PLPMTU. This has to 989 be less than or equal to the minimum of the local MTU of the 990 outgoing interface and the destination PMTU for receiving. An 991 application, or PL, MAY choose a smaller MAX_PMTU when there is no 992 need to send packets larger than a specific size. 994 BASE_PMTU: The BASE_PMTU is a configured size expected to work for 995 most paths. The size is equal to or larger than the MIN_PMTU and 996 smaller than the MAX_PMTU. In the case of IPv6, this value is 997 1280 bytes [RFC8200]. When using IPv4, a size of 1200 bytes is 998 RECOMMENDED. 1000 5.1.3. Variables 1002 This method utilizes a set of variables: 1004 PROBED_SIZE: The PROBED_SIZE is the size of the current probe 1005 packet. This is a tentative value for the PLPMTU, which is 1006 awaiting confirmation by an acknowledgment. 1008 PROBE_COUNT: The PROBE_COUNT is a count of the number of successive 1009 unsuccessful probe packets that have been sent. Each time a probe 1010 packet is acknowledged, the value is set to zero. (Some probe 1011 loss is expected while searching, therefore loss of a single probe 1012 is not an indication of a PMTU problem.) 1014 The figure below illustrates the relationship between the packet size 1015 constants and variables at a point of time when the DPLPMTUD 1016 algorithm performs path probing to increase the size of the PLPMTU. 1017 A probe packet has been sent of size PROBED_SIZE. Once this is 1018 acknowledged, the PLPMTU will raise to PROBED_SIZE allowing the 1019 DPLPMTUD algorithm to further increase PROBED_SIZE towards the actual 1020 PMTU. 1022 MIN_PMTU MAX_PMTU 1023 <--------------------------------------------------> 1024 | | | | 1025 v | | v 1026 BASE_PMTU | v Actual PMTU 1027 | PROBED_SIZE 1028 v 1029 PLPMTU 1031 Figure 3: Relationships between packet size constants and variables 1033 5.1.4. Overview of DPLPMTUD Phases 1035 This section provides a high-level informative view of the DPLPMTUD 1036 method, by describing the movement of the method through several 1037 phases of operation. More detail is available in the state machine 1038 Section 5.2. 1040 +------+ 1041 +------->| Base |----------------+ Connectivity 1042 | +------+ | or BASE_PMTU 1043 | | | confirmation failed 1044 | | v 1045 | | Connectivity +-------+ 1046 | | and BASE_PMTU | Error | 1047 | | confirmed +-------+ 1048 | | | Consistent 1049 | v | connectivity 1050 PLPMTU | +--------+ | and BASE_PMTU 1051 confirmation | | Search |<--------------+ confirmed 1052 failed | +--------+ 1053 | ^ | 1054 | | | 1055 | Raise | | Search 1056 | timer | | algorithm 1057 | expired | | completed 1058 | | | 1059 | | v 1060 | +-----------------+ 1061 +---| Search Complete | 1062 +-----------------+ 1064 Figure 4: DPLPMTUD Phases 1066 Base: The Base Phase confirms connectivity to the remote peer using 1067 packets of the BASE_PMTU. This phase is implicit for a 1068 connection-oriented PL (where it can be performed in a PL 1069 connection handshake). A connectionless PL sends an acknowledged 1070 probe packet to confirm that the remote peer is reachable. The 1071 sender also confirms that BASE_PMTU is supported across the 1072 network path. 1074 A PL that does not wish to support a path with a PLPMTU less than 1075 BASE_PMTU can simplify the phase into a single step by performing 1076 the connectivity checks with a probe of the BASE_PMTU size. 1078 Once confirmed, DPLPMTUD enters the Search Phase. If this phase 1079 fails to confirm, DPLPMTUD enters the Error Phase. 1081 Search: The Search Phase utilizes a search algorithm to send probe 1082 packets to seek to increase the PLPMTU. The algorithm concludes 1083 when it has found a suitable PLPMTU, by entering the Search 1084 Complete Phase. 1086 A PL could respond to PTB messages using the PTB to advance or 1087 terminate the search, see Section 4.6. 1089 Search Complete: The Search Complete Phase is entered when the 1090 PLPMTU is supported across the network path. A PL can use a 1091 CONFIRMATION_TIMER to periodically repeat a probe packet for the 1092 current PLPMTU size. If the sender is unable to confirm 1093 reachability (e.g., if the CONFIRMATION_TIMER expires) or the PL 1094 signals a lack of reachability, DPLPMTUD enters the Base phase. 1096 The PMTU_RAISE_TIMER is used to periodically resume the search 1097 phase to discover if the PLPMTU can be raised. Black Hole 1098 Detection causes the sender to enter the Base Phase. 1100 Error: The Error Phase is entered when there is conflicting or 1101 invalid PLPMTU information for the path (e.g. a failure to support 1102 the BASE_PMTU) that cause DPLPMTUD to be unable to progress and 1103 the PLPMTU is lowered. 1105 DPLPMTUD remains in the Error Phase until a consistent view of the 1106 path can be discovered and it has also been confirmed that the 1107 path supports the BASE_PMTU (or DPLPMTUD is suspended). 1109 An implementation that only reduces the PLPMTU to a suitable size 1110 would be sufficient to ensure reliable operation, but can be very 1111 inefficient when the actual PMTU changes or when the method (for 1112 whatever reason) makes a suboptimal choice for the PLPMTU. 1114 A full implementation of DPLPMTUD provides an algorithm enabling the 1115 DPLPMTUD sender to increase the PLPMTU following a change in the 1116 characteristics of the path, such as when a link is reconfigured with 1117 a larger MTU, or when there is a change in the set of links traversed 1118 by an end-to-end flow (e.g., after a routing or path fail-over 1119 decision). 1121 5.2. State Machine 1123 A state machine for DPLPMTUD is depicted in Figure 5. If multipath 1124 or multihoming is supported, a state machine is needed for each path. 1126 Note: Not all changes are shown to simplify the diagram. 1128 | | 1129 | Start | PL indicates loss 1130 | | of connectivity 1131 v v 1132 +---------------+ +---------------+ 1133 | DISABLED | | ERROR | 1134 +---------------+ PROBE_TIMER expiry: +---------------+ 1135 | PL indicates PROBE_COUNT = MAX_PROBES or ^ | 1136 | connectivity PTB: PTB_SIZE < BASE_PMTU | | 1137 +--------------------+ +---------------+ | 1138 | | | 1139 v | BASE_PMTU Probe | 1140 +---------------+ acked | 1141 | BASE |----------------------+ 1142 +---------------+ | 1143 ^ | ^ ^ | 1144 Black hole detected | | | | Black hole detected | 1145 +--------------------+ | | +--------------------+ | 1146 | +----+ | | 1147 | PROBE_TIMER expiry: | | 1148 | PROBE_COUNT < MAX_PROBES | | 1149 | | | 1150 | PMTU_RAISE_TIMER expiry | | 1151 | +-----------------------------------------+ | | 1152 | | | | | 1153 | | v | v 1154 +---------------+ +---------------+ 1155 |SEARCH_COMPLETE| | SEARCHING | 1156 +---------------+ +---------------+ 1157 | ^ ^ | | ^ 1158 | | | | | | 1159 | | +-----------------------------------------+ | | 1160 | | MAX_PMTU Probe acked or | | 1161 | | PROBE_TIMER expiry: PROBE_COUNT = MAX_PROBES or | | 1162 +----+ PTB: PTB_SIZE = PLPMTU +----+ 1163 CONFIRMATION_TIMER expiry: PROBE_TIMER expiry: 1164 PROBE_COUNT < MAX_PROBES or PROBE_COUNT < MAX_PROBES or 1165 PLPMTU Probe acked Probe acked or PTB: 1166 PLPMTU < PTB_SIZE < PROBED_SIZE 1168 Figure 5: State machine for Datagram PLPMTUD 1170 The following states are defined: 1172 DISABLED: The DISABLED state is the initial state before probing has 1173 started. It is also entered from any other state, when the PL 1174 indicates loss of connectivity. This state is left, once the PL 1175 indicates connectivity to the remote PL. 1177 BASE: The BASE state is used to confirm that the BASE_PMTU size is 1178 supported by the network path and is designed to allow an 1179 application to continue working when there are transient 1180 reductions in the actual PMTU. It also seeks to avoid long 1181 periods when a sender searching for a larger PLPMTU is unaware 1182 that packets are not being delivered due to a packet or ICMP Black 1183 Hole. 1185 On entry, the PROBED_SIZE is set to the BASE_PMTU size and the 1186 PROBE_COUNT is set to zero. 1188 Each time a probe packet is sent, the PROBE_TIMER is started. The 1189 state is exited when the probe packet is acknowledged, and the PL 1190 sender enters the SEARCHING state. 1192 The state is also left when the PROBE_COUNT reaches MAX_PROBES or 1193 a received PTB message is validated. This causes the PL sender to 1194 enter the ERROR state. 1196 SEARCHING: The SEARCHING state is the main probing state. This 1197 state is entered when probing for the BASE_PMTU was successful. 1199 Each time a probe packet is acknowledged, the PROBE_COUNT is set 1200 to zero, the PLPMTU is set to the PROBED_SIZE and then the 1201 PROBED_SIZE is increased using the search algorithm. 1203 When a probe packet is sent and not acknowledged within the period 1204 of the PROBE_TIMER, the PROBE_COUNT is incremented and a new probe 1205 packet is transmitted. 1207 The state is exited to enter SEARCH_COMPLETE when the PROBE_COUNT 1208 reaches MAX_PROBES, a validated PTB is received that corresponds 1209 to the last successfully probed size (PTB_SIZE = PLPMTU), or a 1210 probe of size MAX_PMTU is acknowledged (PLPMTU = MAX_PMTU). 1212 When a black hole is detected in the SEARCHING state, this causes 1213 the PL sender to enter the BASE state. 1215 SEARCH_COMPLETE: The SEARCH_COMPLETE state indicates a successful 1216 end to the SEARCHING state. DPLPMTUD remains in this state until 1217 either the PMTU_RAISE_TIMER expires or a black hole is detected. 1219 When DPLPMTUD uses an unacknowledged PL and is in the 1220 SEARCH_COMPLETE state, a CONFIRMATION_TIMER periodically resets 1221 the PROBE_COUNT and schedules a probe packet with the size of the 1222 PLPMTU. If MAX_PROBES successive PLPMTUD sized probes fail to be 1223 acknowledged the method enters the BASE state. When used with an 1224 acknowledged PL (e.g., SCTP), DPLPMTUD SHOULD NOT continue to 1225 generate PLPMTU probes in this state. 1227 ERROR: The ERROR state represents the case where either the network 1228 path is not known to support a PLPMTU of at least the BASE_PMTU 1229 size or when there is contradictory information about the network 1230 path that would otherwise result in excessive variation in the MPS 1231 signalled to the higher layer. The state implements a method to 1232 mitigate oscillation in the state-event engine. It signals a 1233 conservative value of the MPS to the higher layer by the PL. The 1234 state is exited when packet probes no longer detect the error. 1235 The PL sender then enters the SEARCHING state. 1237 Implementations are permitted to enable endpoint fragmentation if 1238 the DPLPMTUD is unable to validate MIN_PMTU within PROBE_COUNT 1239 probes. If DPLPMTUD is unable to validate MIN_PMTU the 1240 implementation will transition to the DISABLED state. 1242 Note: MIN_PMTU could be identical to BASE_PMTU, simplifying the 1243 actions in this state. 1245 5.3. Search to Increase the PLPMTU 1247 This section describes the algorithms used by DPLPMTUD to search for 1248 a larger PLPMTU. 1250 5.3.1. Probing for a larger PLPMTU 1252 Implementations use a search algorithm across the search range to 1253 determine whether a larger PLPMTU can be supported across a network 1254 path. 1256 The method discovers the search range by confirming the minimum 1257 PLPMTU and then using the probe method to select a PROBED_SIZE less 1258 than or equal to MAX_PMTU. MAX_PMTU is the minimum of the local MTU 1259 and EMTU_R (learned from the remote endpoint). The MAX_PMTU MAY be 1260 reduced by an application that sets a maximum to the size of 1261 datagrams it will send. 1263 The PROBE_COUNT is initialized to zero when the first probe with a 1264 size greater than or equal to PLPMTUD is sent. A timer is used to 1265 trigger the sending of probe packets of size PROBED_SIZE, larger than 1266 the PLPMTU. Each probe packet successfully sent to the remote peer 1267 is confirmed by acknowledgement at the PL, see Section 4.1. 1269 Each time a probe packet is sent to the destination, the PROBE_TIMER 1270 is started. The timer is canceled when the PL receives 1271 acknowledgment that the probe packet has been successfully sent 1272 across the path Section 4.1. This confirms that the PROBED_SIZE is 1273 supported, and the PROBED_SIZE value is then assigned to the PLPMTU. 1274 The search algorithm can continue to send subsequent probe packets of 1275 an increasing size. 1277 If the timer expires before a probe packet is acknowledged, the probe 1278 has failed to confirm the PROBED_SIZE. Each time the PROBE_TIMER 1279 expires, the PROBE_COUNT is incremented, the PROBE_TIMER is 1280 reinitialized, and a new probe of the same size or any other size 1281 (determined by the search algorithm) can be sent. The maximum number 1282 of consecutive failed probes is configured (MAX_PROBES). If the 1283 value of the PROBE_COUNT reaches MAX_PROBES, probing will stop, and 1284 the PL sender enters the SEARCH_COMPLETE state. 1286 5.3.2. Selection of Probe Sizes 1288 The search algorithm determines a minimum useful gain in PLPMTU. It 1289 would not be constructive for a PL sender to attempt to probe for all 1290 sizes. This would incur unnecessary load on the path. 1291 Implementations SHOULD select the set of probe packet sizes to 1292 maximize the gain in PLPMTU from each search step. 1294 Implementations could optimize the search procedure by selecting step 1295 sizes from a table of common PMTU sizes. When selecting the 1296 appropriate next size to search, an implementer ought to also 1297 consider that there can be common sizes of MPS that applications seek 1298 to use, and their could be common sizes of MTU used within the 1299 network. 1301 5.3.3. Resilience to Inconsistent Path Information 1303 A decision to increase the PLPMTU needs to be resilient to the 1304 possibility that information learned about the network path is 1305 inconsistent. A path is inconsistent, when, for example, probe 1306 packets are lost due to other reasons (i.e., not packet size) or due 1307 to frequent path changes. Frequent path changes could occur by 1308 unexpected "flapping" - where some packets from a flow pass along one 1309 path, but other packets follow a different path with different 1310 properties. 1312 A PL sender is able to detect inconsistency from the sequence of 1313 PLPMTU probes that are acknowledged or the sequence of PTB messages 1314 that it receives. When inconsistent path information is detected, a 1315 PL sender could use an alternate search mode that clamps the offered 1316 MPS to a smaller value for a period of time. This avoids unnecessary 1317 loss of packets. 1319 5.4. Robustness to Inconsistent Paths 1321 Some paths could be unable to sustain packets of the BASE_PMTU size. 1322 To be robust to these paths an implementation could implement the 1323 Error State. This allows fallback to a smaller than desired PLPMTU, 1324 rather than suffer connectivity failure. This could utilize methods 1325 such as endpoint IP fragmentation to enable the PL sender to 1326 communicate using packets smaller than the BASE_PMTU. 1328 6. Specification of Protocol-Specific Methods 1330 DPLPMTUD requires protocol-specific details to be specified for each 1331 PL that is used. 1333 The first subsection provides guidance on how to implement the 1334 DPLPMTUD method as a part of an application using UDP or UDP-Lite. 1335 The guidance also applies to other datagram services that do not 1336 include a specific transport protocol (such as a tunnel 1337 encapsulation). The following subsections describe how DPLPMTUD can 1338 be implemented as a part of the transport service, allowing 1339 applications using the service to benefit from discovery of the 1340 PLPMTU without themselves needing to implement this method when using 1341 SCTP and QUIC. 1343 6.1. Application support for DPLPMTUD with UDP or UDP-Lite 1345 The current specifications of UDP [RFC0768] and UDP-Lite [RFC3828] do 1346 not define a method in the RFC-series that supports PLPMTUD. In 1347 particular, the UDP transport does not provide the transport features 1348 needed to implement datagram PLPMTUD. 1350 The DPLPMTUD method can be implemented as a part of an application 1351 built directly or indirectly on UDP or UDP-Lite, but relies on 1352 higher-layer protocol features to implement the method [RFC8085]. 1354 Some primitives used by DPLPMTUD might not be available via the 1355 Datagram API (e.g., the ability to access the PLPMTU from the IP 1356 layer cache, or interpret received PTB messages). 1358 In addition, it is desirable that PMTU discovery is not performed by 1359 multiple protocol layers. An application SHOULD avoid using DPLPMTUD 1360 when the underlying transport system provides this capability. To 1361 use common method for managing the PLPMTU has benefits, both in the 1362 ability to share state between different processes and opportunities 1363 to coordinate probing. 1365 6.1.1. Application Request 1367 An application needs an application-layer protocol mechanism (such as 1368 a message acknowledgement method) that solicits a response from a 1369 destination endpoint. The method SHOULD allow the sender to check 1370 the value returned in the response to provide additional protection 1371 from off-path insertion of data [RFC8085], suitable methods include a 1372 parameter known only to the two endpoints, such as a session ID or 1373 initialized sequence number. 1375 6.1.2. Application Response 1377 An application needs an application-layer protocol mechanism to 1378 communicate the response from the destination endpoint. This 1379 response could indicate successful reception of the probe across the 1380 path, but could also indicate that some (or all packets) have failed 1381 to reach the destination. 1383 6.1.3. Sending Application Probe Packets 1385 A probe packet that could carry an application data block, but the 1386 successful transmission of this data is at risk when used for 1387 probing. Some applications might prefer to use a probe packet that 1388 does not carry an application data block to avoid disruption to data 1389 transfer. 1391 6.1.4. Initial Connectivity 1393 An application that does not have other higher-layer information 1394 confirming connectivity with the remote peer SHOULD implement a 1395 connectivity mechanism using acknowledged probe packets before 1396 entering the BASE state. 1398 6.1.5. Validating the Path 1400 An application that does not have other higher-layer information 1401 confirming correct delivery of datagrams SHOULD implement the 1402 CONFIRMATION_TIMER to periodically send probe packets while in the 1403 SEARCH_COMPLETE state. 1405 6.1.6. Handling of PTB Messages 1407 An application that is able and wishes to receive PTB messages MUST 1408 perform ICMP validation as specified in Section 5.2 of [RFC8085]. 1409 This requires that the application to check each received PTB 1410 messages to validate it is received in response to transmitted 1411 traffic and that the reported PTB_SIZE is less than the current 1412 probed size (see Section 4.6.2). A validated PTB message MAY be used 1413 as input to the DPLPMTUD algorithm, but MUST NOT be used directly to 1414 set the PLPMTU. 1416 6.2. DPLPMTUD for SCTP 1418 Section 10.2 of [RFC4821] specified a recommended PLPMTUD probing 1419 method for SCTP and Section 7.3 of [RFC4960] and recommended an 1420 endpoint apply the techniques in RFC4821 on a per-destination-address 1421 basis. The specification for DPLPMTUD continues the practice of 1422 using the PL to discover the PMTU, but updates, RFC4960 with a 1423 recommendation to use the method specified in this document: The 1424 RECOMMENDED method for generating probes is to add a chunk consisting 1425 only of padding to an SCTP message. The PAD chunk defined in 1426 [RFC4820] SHOULD be attached to a minimum length HEARTBEAT (HB) chunk 1427 to build a probe packet. This enables probing without affecting the 1428 transfer of user messages and without being limited by congestion 1429 control or flow control. This is preferred to using DATA chunks 1430 (with padding as required) as path probes. 1432 Section 6.9 of [RFC4960] describes dividing the user messages into 1433 data chunks sent by the PL when using SCTP. This notes that once an 1434 SCTP message has been sent, it cannot be re-segmented. [RFC4960] 1435 describes the method to retransmit data chunks when the MPS has 1436 reduced, and the use of IP fragmentation for this case. 1438 6.2.1. SCTP/IPv4 and SCTP/IPv6 1440 6.2.1.1. Initial Connectivity 1442 The base protocol is specified in [RFC4960]. This provides an 1443 acknowledged PL. A sender can therefore enter the BASE state as soon 1444 as connectivity has been confirmed. 1446 6.2.1.2. Sending SCTP Probe Packets 1448 Probe packets consist of an SCTP common header followed by a 1449 HEARTBEAT chunk and a PAD chunk. The PAD chunk is used to control 1450 the length of the probe packet. The HEARTBEAT chunk is used to 1451 trigger the sending of a HEARTBEAT ACK chunk. The reception of the 1452 HEARTBEAT ACK chunk acknowledges reception of a successful probe. A 1453 successful probe updates the association and path counters, but an 1454 unsuccessful probe is discounted (assumed to be a result of choosing 1455 too large a PLPMTU). 1457 The HEARTBEAT chunk carries a Heartbeat Information parameter which 1458 includes, besides the information suggested in [RFC4960], the probe 1459 size, which is the size of the complete datagram. The size of the 1460 PAD chunk is therefore computed by reducing the probing size by the 1461 IPv4 or IPv6 header size, the SCTP common header, the HEARTBEAT 1462 request and the PAD chunk header. The payload of the PAD chunk 1463 contains arbitrary data. 1465 Probing starts directly after the PL handshake, before data is sent. 1466 Assuming this behavior (i.e., the PMTU is smaller than or equal to 1467 the interface MTU), this process will take a few round trip time 1468 periods, dependent on the number of PMTU probes sent. The Heartbeat 1469 timer can be used to implement the PROBE_TIMER. 1471 6.2.1.3. Validating the Path with SCTP 1473 Since SCTP provides an acknowledged PL, a sender MUST NOT implement 1474 the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1476 6.2.1.4. PTB Message Handling by SCTP 1478 Normal ICMP validation MUST be performed as specified in Appendix C 1479 of [RFC4960]. This requires that the first 8 bytes of the SCTP 1480 common header are quoted in the payload of the PTB message, which can 1481 be the case for ICMPv4 and is normally the case for ICMPv6. 1483 When a PTB message has been validated, the PTB_SIZE reported in the 1484 PTB message SHOULD be used with the DPLPMTUD algorithm, providing 1485 that the reported PTB_SIZE is less than the current probe size (see 1486 Section 4.6). 1488 6.2.2. DPLPMTUD for SCTP/UDP 1490 The UDP encapsulation of SCTP is specified in [RFC6951]. 1492 6.2.2.1. Initial Connectivity 1494 A sender can enter the BASE state as soon as SCTP connectivity has 1495 been confirmed. 1497 6.2.2.2. Sending SCTP/UDP Probe Packets 1499 Packet probing can be performed as specified in Section 6.2.1.2. The 1500 maximum payload is reduced by 8 bytes, which has to be considered 1501 when filling the PAD chunk. 1503 6.2.2.3. Validating the Path with SCTP/UDP 1505 Since SCTP provides an acknowledged PL, a sender MUST NOT implement 1506 the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1508 6.2.2.4. Handling of PTB Messages by SCTP/UDP 1510 ICMP validation MUST be performed for PTB messages as specified in 1511 Appendix C of [RFC4960]. This requires that the first 8 bytes of the 1512 SCTP common header are contained in the PTB message, which can be the 1513 case for ICMPv4 (but note the UDP header also consumes a part of the 1514 quoted packet header) and is normally the case for ICMPv6. When the 1515 validation is completed, the PTB_SIZE indicated in the PTB message 1516 SHOULD be used with the DPLPMTUD providing that the reported PTB_SIZE 1517 is less than the current probe size. 1519 6.2.3. DPLPMTUD for SCTP/DTLS 1521 The Datagram Transport Layer Security (DTLS) encapsulation of SCTP is 1522 specified in [RFC8261]. This is used for data channels in WebRTC 1523 implementations. 1525 6.2.3.1. Initial Connectivity 1527 A sender can enter the BASE state as soon as SCTP connectivity has 1528 been confirmed. 1530 6.2.3.2. Sending SCTP/DTLS Probe Packets 1532 Packet probing can be done, as specified in Section 6.2.1.2. 1534 6.2.3.3. Validating the Path with SCTP/DTLS 1536 Since SCTP provides an acknowledged PL, a sender MUST NOT implement 1537 the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1539 6.2.3.4. Handling of PTB Messages by SCTP/DTLS 1541 [RFC4960] does not specify a way to validate SCTP/DTLS ICMP message 1542 payload. This can prevent processing of PTB messages at the PL. 1544 6.3. DPLPMTUD for QUIC 1546 QUIC [I-D.ietf-quic-transport] is a UDP-based transport that provides 1547 reception feedback. The UDP payload includes the QUIC packet header, 1548 protected payload, and any authentication fields. QUIC depends on a 1549 PMTU of at least 1280 bytes. 1551 Section 14 of [I-D.ietf-quic-transport] describes the path 1552 considerations when sending QUIC packets. It recommends the use of 1553 PADDING frames to build the probe packet. Pure probe-only packets 1554 are constructed with PADDING frames and PING frames to create a 1555 padding only packet that will elicit an acknowledgement. Such 1556 padding only packets enable probing without affecting the transfer of 1557 other QUIC frames. 1559 The recommendation for QUIC endpoints implementing DPLPMTUD is that a 1560 MPS is maintained for each combination of local and remote IP 1561 addresses [I-D.ietf-quic-transport]. If a QUIC endpoint determines 1562 that the PMTU between any pair of local and remote IP addresses has 1563 fallen below an acceptable MPS, it immediately ceases to send QUIC 1564 packets on the affected path. This could result in termination of 1565 the connection if an alternative path cannot be found 1566 [I-D.ietf-quic-transport]. 1568 6.3.1. Initial Connectivity 1570 The base protocol is specified in [I-D.ietf-quic-transport]. This 1571 provides an acknowledged PL. A sender can therefore enter the BASE 1572 state as soon as connectivity has been confirmed. 1574 6.3.2. Sending QUIC Probe Packets 1576 A probe packet consists of a QUIC Header and a payload containing 1577 PADDING Frames and a PING Frame. PADDING Frames are a single octet 1578 (0x00) and several of these can be used to create a probe packet of 1579 size PROBED_SIZE. QUIC provides an acknowledged PL, a sender can 1580 therefore enter the BASE state as soon as connectivity has been 1581 confirmed. 1583 The current specification of QUIC sets the following: 1585 * BASE_PMTU: 1280. A QUIC sender pads initial packets to confirm 1586 the path can support packets of the required size. 1588 * MIN_PMTU: 1280 bytes. A QUIC sender that determines the PLPMTU 1589 has fallen below 1280 bytes MUST immediately stop sending on the 1590 affected path. 1592 6.3.3. Validating the Path with QUIC 1594 QUIC provides an acknowledged PL. A sender therefore MUST NOT 1595 implement the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1597 6.3.4. Handling of PTB Messages by QUIC 1599 QUIC validates ICMP PTB messages. In addition to UDP Port 1600 validation, QUIC can validate an ICMP message by using other PL 1601 information (e.g., validation of connection IDs in the quoted packet 1602 of any received ICMP message). 1604 7. Acknowledgements 1606 This work was partially funded by the European Union's Horizon 2020 1607 research and innovation programme under grant agreement No. 644334 1608 (NEAT). The views expressed are solely those of the author(s). 1610 Thanks to all that have commented or contributed, the TSVWG and QUIC 1611 working groups, and Mathew Calder and Julius Flohr for providing 1612 early implementations. 1614 8. IANA Considerations 1616 This memo includes no request to IANA. 1618 If there are no requirements for IANA, the section will be removed 1619 during conversion into an RFC by the RFC Editor. 1621 9. Security Considerations 1623 The security considerations for the use of UDP and SCTP are provided 1624 in the referenced RFCs. 1626 To avoid excessive load, the interval between individual probe 1627 packets MUST be at least one RTT, and the interval between rounds of 1628 probing is determined by the PMTU_RAISE_TIMER. 1630 A PL sender needs to ensure that the method used to confirm reception 1631 of probe packets protects from off-path attackers injecting packets 1632 into the path. This protection if provided in IETF-defined protocols 1633 (e.g., TCP, SCTP) using a randomly-initialized sequence number. A 1634 description of one way to do this when using UDP is provided in 1635 section 5.1 of [RFC8085]). 1637 There are cases where ICMP Packet Too Big (PTB) messages are not 1638 delivered due to policy, configuration or equipment design (see 1639 Section 1.1), this method therefore does not rely upon PTB messages 1640 being received, but is able to utilize these when they are received 1641 by the sender. PTB messages could potentially be used to cause a 1642 node to inappropriately reduce the PLPMTU. A node supporting 1643 DPLPMTUD MUST therefore appropriately validate the payload of PTB 1644 messages to ensure these are received in response to transmitted 1645 traffic (i.e., a reported error condition that corresponds to a 1646 datagram actually sent by the path layer, see Section 4.6.1). 1648 An on-path attacker, able to create a PTB message could forge PTB 1649 messages that include a valid quoted IP packet. Such an attack could 1650 be used to drive down the PLPMTU. There are two ways this method can 1651 be mitigated against such attacks: First, by ensuring that a PL 1652 sender never reduces the PLPMTU below the base size, solely in 1653 response to receiving a PTB message. This is achieved by first 1654 entering the BASE state when such a message is received. Second, the 1655 design does not require processing of PTB messages, a PL sender could 1656 therefore suspend processing of PTB messages (e.g., in a robustness 1657 mode after detecting that subsequent probes actually confirm that a 1658 size larger than the PTB_SIZE is supported by a path). 1660 The successful processing of an ICMP message can trigger a probe when 1661 the reported PTB size is valid, but this does not directly update the 1662 PLPMTU for the path. This prevents a message attempting to black 1663 hole data by indicating a size larger than supported by the path. 1665 Parallel forwarding paths SHOULD be considered. Section 5.4 1666 identifies the need for robustness in the method because the path 1667 information might be inconsistent. 1669 A node performing DPLPMTUD could experience conflicting information 1670 about the size of supported probe packets. This could occur when 1671 there are multiple paths are concurrently in use and these exhibit a 1672 different PMTU. If not considered, this could result in packets not 1673 being delivered (black holed) when the PLPMTU is larger than the 1674 smallest actual PMTU. 1676 10. References 1678 10.1. Normative References 1680 [I-D.ietf-quic-transport] 1681 Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed 1682 and Secure Transport", Work in Progress, Internet-Draft, 1683 draft-ietf-quic-transport-20, 23 April 2019, 1684 . 1687 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 1688 DOI 10.17487/RFC0768, August 1980, 1689 . 1691 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, 1692 DOI 10.17487/RFC0791, September 1981, 1693 . 1695 [RFC1191] Mogul, J.C. and S.E. Deering, "Path MTU discovery", 1696 RFC 1191, DOI 10.17487/RFC1191, November 1990, 1697 . 1699 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1700 Requirement Levels", BCP 14, RFC 2119, 1701 DOI 10.17487/RFC2119, March 1997, 1702 . 1704 [RFC3828] Larzon, L-A., Degermark, M., Pink, S., Jonsson, L-E., Ed., 1705 and G. Fairhurst, Ed., "The Lightweight User Datagram 1706 Protocol (UDP-Lite)", RFC 3828, DOI 10.17487/RFC3828, July 1707 2004, . 1709 [RFC4820] Tuexen, M., Stewart, R., and P. Lei, "Padding Chunk and 1710 Parameter for the Stream Control Transmission Protocol 1711 (SCTP)", RFC 4820, DOI 10.17487/RFC4820, March 2007, 1712 . 1714 [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", 1715 RFC 4960, DOI 10.17487/RFC4960, September 2007, 1716 . 1718 [RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream 1719 Control Transmission Protocol (SCTP) Packets for End-Host 1720 to End-Host Communication", RFC 6951, 1721 DOI 10.17487/RFC6951, May 2013, 1722 . 1724 [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage 1725 Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, 1726 March 2017, . 1728 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1729 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1730 May 2017, . 1732 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 1733 (IPv6) Specification", STD 86, RFC 8200, 1734 DOI 10.17487/RFC8200, July 2017, 1735 . 1737 [RFC8201] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., 1738 "Path MTU Discovery for IP version 6", STD 87, RFC 8201, 1739 DOI 10.17487/RFC8201, July 2017, 1740 . 1742 [RFC8261] Tuexen, M., Stewart, R., Jesup, R., and S. Loreto, 1743 "Datagram Transport Layer Security (DTLS) Encapsulation of 1744 SCTP Packets", RFC 8261, DOI 10.17487/RFC8261, November 1745 2017, . 1747 10.2. Informative References 1749 [I-D.ietf-intarea-frag-fragile] 1750 Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O., 1751 and F. Gont, "IP Fragmentation Considered Fragile", Work 1752 in Progress, Internet-Draft, draft-ietf-intarea-frag- 1753 fragile-17, 30 September 2019, . 1756 [I-D.ietf-intarea-tunnels] 1757 Touch, J. and M. Townsley, "IP Tunnels in the Internet 1758 Architecture", Work in Progress, Internet-Draft, draft- 1759 ietf-intarea-tunnels-10, 12 September 2019, 1760 . 1763 [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, 1764 RFC 792, DOI 10.17487/RFC0792, September 1981, 1765 . 1767 [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - 1768 Communication Layers", STD 3, RFC 1122, 1769 DOI 10.17487/RFC1122, October 1989, 1770 . 1772 [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", 1773 RFC 1812, DOI 10.17487/RFC1812, June 1995, 1774 . 1776 [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", 1777 RFC 2923, DOI 10.17487/RFC2923, September 2000, 1778 . 1780 [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram 1781 Congestion Control Protocol (DCCP)", RFC 4340, 1782 DOI 10.17487/RFC4340, March 2006, 1783 . 1785 [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet 1786 Control Message Protocol (ICMPv6) for the Internet 1787 Protocol Version 6 (IPv6) Specification", STD 89, 1788 RFC 4443, DOI 10.17487/RFC4443, March 2006, 1789 . 1791 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU 1792 Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, 1793 . 1795 [RFC4890] Davies, E. and J. Mohacsi, "Recommendations for Filtering 1796 ICMPv6 Messages in Firewalls", RFC 4890, 1797 DOI 10.17487/RFC4890, May 2007, 1798 . 1800 [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT 1801 Behavioral Requirements for ICMP", BCP 148, RFC 5508, 1802 DOI 10.17487/RFC5508, April 2009, 1803 . 1805 Appendix A. Revision Notes 1807 Note to RFC-Editor: please remove this entire section prior to 1808 publication. 1810 Individual draft -00: 1812 * Comments and corrections are welcome directly to the authors or 1813 via the IETF TSVWG working group mailing list. 1815 * This update is proposed for WG comments. 1817 Individual draft -01: 1819 * Contains the first representation of the algorithm, showing the 1820 states and timers 1822 * This update is proposed for WG comments. 1824 Individual draft -02: 1826 * Contains updated representation of the algorithm, and textual 1827 corrections. 1829 * The text describing when to set the effective PMTU has not yet 1830 been validated by the authors 1832 * To determine security to off-path-attacks: We need to decide 1833 whether a received PTB message SHOULD/MUST be validated? The text 1834 on how to handle a PTB message indicating a link MTU larger than 1835 the probe has yet not been validated by the authors 1837 * No text currently describes how to handle inconsistent results 1838 from arbitrary re-routing along different parallel paths 1840 * This update is proposed for WG comments. 1842 Working Group draft -00: 1844 * This draft follows a successful adoption call for TSVWG 1846 * There is still work to complete, please comment on this draft. 1848 Working Group draft -01: 1850 * This draft includes improved introduction. 1852 * The draft is updated to require ICMP validation prior to accepting 1853 PTB messages - this to be confirmed by WG 1855 * Section added to discuss Selection of Probe Size - methods to be 1856 evaluated and recommendations to be considered 1858 * Section added to align with work proposed in the QUIC WG. 1860 Working Group draft -02: 1862 * The draft was updated based on feedback from the WG, and a 1863 detailed review by Magnus Westerlund. 1865 * The document updates RFC 4821. 1867 * Requirements list updated. 1869 * Added more explicit discussion of a simpler black-hole detection 1870 mode. 1872 * This draft includes reorganisation of the section on IETF 1873 protocols. 1875 * Added more discussion of implementation within an application. 1877 * Added text on flapping paths. 1879 * Replaced 'effective MTU' with new term PLPMTU. 1881 Working Group draft -03: 1883 * Updated figures 1885 * Added more discussion on blackhole detection 1887 * Added figure describing just blackhole detection 1889 * Added figure relating MPS sizes 1891 Working Group draft -04: 1893 * Described phases and named these consistently. 1895 * Corrected transition from confirmation directly to the search 1896 phase (Base has been checked). 1898 * Redrawn state diagrams. 1900 * Renamed BASE_MTU to BASE_PMTU (because it is a base for the PMTU). 1902 * Clarified Error state. 1904 * Clarified suspending DPLPMTUD. 1906 * Verified normative text in requirements section. 1908 * Removed duplicate text. 1910 * Changed all text to refer to /packet probe/probe packet/ 1911 /validation/verification/ added term /Probe Confirmation/ and 1912 clarified BlackHole detection. 1914 Working Group draft -05: 1916 * Updated security considerations. 1918 * Feedback after speaking with Joe Touch helped improve UDP-Options 1919 description. 1921 Working Group draft -06: 1923 * Updated description of ICMP issues in section 1.1 1925 * Update to description of QUIC. 1927 Working group draft -07: 1929 * Moved description of the PTB processing method from the PTB 1930 requirements section. 1932 * Clarified what is performed in the PTB validation check. 1934 * Updated security consideration to explain PTB security without 1935 needing to read the rest of the document. 1937 * Reformatted state machine diagram 1939 Working group draft -08: 1941 * Moved to rfcxml v3+ 1943 * Rendered diagrams to svg in html version. 1945 * Removed Appendix A. Event-driven state changes. 1947 * Removed section on DPLPMTUD with UDP Options. 1949 * Shortened the description of phases. 1951 Working group draft -09: 1953 * Remove final mention of UDP Options 1955 * Add Initial Connectivity sections to each PL 1957 * Add to disable outgoing pmtu enforcement of packets 1959 Working group draft -10: 1961 * Address comments from Lars Eggert 1963 * Reinforce that PROBE_COUNT is successive attempts to probe for any 1964 size 1966 * Redefine MAx_PROBES to 3 1968 * Address PTB_SIZE of 0 or less that MIN_PMTU 1970 Working group draft -11: 1972 * Restore a sentence removed in previous rev 1974 * De-acronymise QUIC 1976 * Address some nits 1978 Working group draft -12: 1980 * Add TSVWG, QUIC and implementers to acknowledgements 1982 * Shorten a diagram line. 1984 * Address nits from Julius and Wes. 1986 * Be clearer when talking about IP layer caches 1988 Authors' Addresses 1990 Godred Fairhurst 1991 University of Aberdeen 1992 School of Engineering 1993 Fraser Noble Building 1994 Aberdeen 1995 AB24 3UE 1996 United Kingdom 1998 Email: gorry@erg.abdn.ac.uk 2000 Tom Jones 2001 University of Aberdeen 2002 School of Engineering 2003 Fraser Noble Building 2004 Aberdeen 2005 AB24 3UE 2006 United Kingdom 2008 Email: tom@erg.abdn.ac.uk 2010 Michael Tuexen 2011 Muenster University of Applied Sciences 2012 Stegerwaldstrasse 39 2013 48565 Steinfurt 2014 Germany 2016 Email: tuexen@fh-muenster.de 2018 Irene Ruengeler 2019 Muenster University of Applied Sciences 2020 Stegerwaldstrasse 39 2021 48565 Steinfurt 2022 Germany 2024 Email: i.ruengeler@fh-muenster.de 2026 Timo Voelker 2027 Muenster University of Applied Sciences 2028 Stegerwaldstrasse 39 2029 48565 Steinfurt 2030 Germany 2031 Email: timo.voelker@fh-muenster.de