idnits 2.17.1 draft-ietf-tsvwg-datagram-plpmtud-17.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The abstract seems to indicate that this document updates RFC8201, but the header doesn't have an 'Updates:' line to match this. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC4821, updated by this document, for RFC5378 checks: 2003-10-21) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (23 March 2020) is 1495 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-34) exists of draft-ietf-quic-transport-27 ** Obsolete normative reference: RFC 4960 (Obsoleted by RFC 9260) == Outdated reference: A later version (-13) exists of draft-ietf-intarea-tunnels-10 Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force G. Fairhurst 3 Internet-Draft T. Jones 4 Updates: 4821, 4960, 6951, 8085, 8261 (if University of Aberdeen 5 approved) M. Tuexen 6 Intended status: Standards Track I. Ruengeler 7 Expires: 24 September 2020 T. Voelker 8 Muenster University of Applied Sciences 9 23 March 2020 11 Packetization Layer Path MTU Discovery for Datagram Transports 12 draft-ietf-tsvwg-datagram-plpmtud-17 14 Abstract 16 This document describes a robust method for Path MTU Discovery 17 (PMTUD) for datagram Packetization Layers (PLs). It describes an 18 extension to RFC 1191 and RFC 8201, which specifies ICMP-based Path 19 MTU Discovery for IPv4 and IPv6. The method allows a PL, or a 20 datagram application that uses a PL, to discover whether a network 21 path can support the current size of datagram. This can be used to 22 detect and reduce the message size when a sender encounters a packet 23 black hole (where packets are discarded). The method can probe a 24 network path with progressively larger packets to discover whether 25 the maximum packet size can be increased. This allows a sender to 26 determine an appropriate packet size, providing functionality for 27 datagram transports that is equivalent to the Packetization Layer 28 PMTUD specification for TCP, specified in RFC 4821. 30 The document updates RFC 4821 to specify the method for datagram PLs, 31 and updates RFC 8085 as the method to use in place of RFC 4821 with 32 UDP datagrams. Section 7.3 of RFC4960 recommends an endpoint apply 33 the techniques in RFC 4821 on a per-destination-address basis. RFC 34 4960, RFC 6951 and RFC 8261 are updated to recommend that SCTP, SCTP 35 encapsulated in UDP and SCTP encapsulated in DTLS use the method 36 specified in this document instead of the method in RFC 4821. 38 The document also provides implementation notes for incorporating 39 Datagram PMTUD into IETF datagram transports or applications that use 40 datagram transports. 42 When published, this specification updates RFC 4960, RFC 4821, RFC 43 8085 and RFC 8261. 45 Status of This Memo 47 This Internet-Draft is submitted in full conformance with the 48 provisions of BCP 78 and BCP 79. 50 Internet-Drafts are working documents of the Internet Engineering 51 Task Force (IETF). Note that other groups may also distribute 52 working documents as Internet-Drafts. The list of current Internet- 53 Drafts is at https://datatracker.ietf.org/drafts/current/. 55 Internet-Drafts are draft documents valid for a maximum of six months 56 and may be updated, replaced, or obsoleted by other documents at any 57 time. It is inappropriate to use Internet-Drafts as reference 58 material or to cite them other than as "work in progress." 60 This Internet-Draft will expire on 24 September 2020. 62 Copyright Notice 64 Copyright (c) 2020 IETF Trust and the persons identified as the 65 document authors. All rights reserved. 67 This document is subject to BCP 78 and the IETF Trust's Legal 68 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 69 license-info) in effect on the date of publication of this document. 70 Please review these documents carefully, as they describe your rights 71 and restrictions with respect to this document. Code Components 72 extracted from this document must include Simplified BSD License text 73 as described in Section 4.e of the Trust Legal Provisions and are 74 provided without warranty as described in the Simplified BSD License. 76 Table of Contents 78 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 79 1.1. Classical Path MTU Discovery . . . . . . . . . . . . . . 4 80 1.2. Packetization Layer Path MTU Discovery . . . . . . . . . 6 81 1.3. Path MTU Discovery for Datagram Services . . . . . . . . 7 82 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 83 3. Features Required to Provide Datagram PLPMTUD . . . . . . . . 10 84 4. DPLPMTUD Mechanisms . . . . . . . . . . . . . . . . . . . . . 13 85 4.1. PLPMTU Probe Packets . . . . . . . . . . . . . . . . . . 13 86 4.2. Confirmation of Probed Packet Size . . . . . . . . . . . 14 87 4.3. Black Hole Detection . . . . . . . . . . . . . . . . . . 15 88 4.4. The Maximum Packet Size (MPS) . . . . . . . . . . . . . . 16 89 4.5. Disabling the Effect of PMTUD . . . . . . . . . . . . . . 17 90 4.6. Response to PTB Messages . . . . . . . . . . . . . . . . 17 91 4.6.1. Validation of PTB Messages . . . . . . . . . . . . . 17 92 4.6.2. Use of PTB Messages . . . . . . . . . . . . . . . . . 18 93 5. Datagram Packetization Layer PMTUD . . . . . . . . . . . . . 20 94 5.1. DPLPMTUD Components . . . . . . . . . . . . . . . . . . . 20 95 5.1.1. Timers . . . . . . . . . . . . . . . . . . . . . . . 21 96 5.1.2. Constants . . . . . . . . . . . . . . . . . . . . . . 21 97 5.1.3. Variables . . . . . . . . . . . . . . . . . . . . . . 22 98 5.1.4. Overview of DPLPMTUD Phases . . . . . . . . . . . . . 23 99 5.2. State Machine . . . . . . . . . . . . . . . . . . . . . . 25 100 5.3. Search to Increase the PLPMTU . . . . . . . . . . . . . . 28 101 5.3.1. Probing for a larger PLPMTU . . . . . . . . . . . . . 28 102 5.3.2. Selection of Probe Sizes . . . . . . . . . . . . . . 29 103 5.3.3. Resilience to Inconsistent Path Information . . . . . 29 104 5.4. Robustness to Inconsistent Paths . . . . . . . . . . . . 30 105 6. Specification of Protocol-Specific Methods . . . . . . . . . 30 106 6.1. Application support for DPLPMTUD with UDP or UDP-Lite . . 30 107 6.1.1. Application Request . . . . . . . . . . . . . . . . . 31 108 6.1.2. Application Response . . . . . . . . . . . . . . . . 31 109 6.1.3. Sending Application Probe Packets . . . . . . . . . . 31 110 6.1.4. Initial Connectivity . . . . . . . . . . . . . . . . 31 111 6.1.5. Validating the Path . . . . . . . . . . . . . . . . . 31 112 6.1.6. Handling of PTB Messages . . . . . . . . . . . . . . 31 113 6.2. DPLPMTUD for SCTP . . . . . . . . . . . . . . . . . . . . 32 114 6.2.1. SCTP/IPv4 and SCTP/IPv6 . . . . . . . . . . . . . . . 32 115 6.2.1.1. Initial Connectivity . . . . . . . . . . . . . . 32 116 6.2.1.2. Sending SCTP Probe Packets . . . . . . . . . . . 32 117 6.2.1.3. Validating the Path with SCTP . . . . . . . . . . 33 118 6.2.1.4. PTB Message Handling by SCTP . . . . . . . . . . 33 119 6.2.2. DPLPMTUD for SCTP/UDP . . . . . . . . . . . . . . . . 33 120 6.2.2.1. Initial Connectivity . . . . . . . . . . . . . . 33 121 6.2.2.2. Sending SCTP/UDP Probe Packets . . . . . . . . . 34 122 6.2.2.3. Validating the Path with SCTP/UDP . . . . . . . . 34 123 6.2.2.4. Handling of PTB Messages by SCTP/UDP . . . . . . 34 124 6.2.3. DPLPMTUD for SCTP/DTLS . . . . . . . . . . . . . . . 34 125 6.2.3.1. Initial Connectivity . . . . . . . . . . . . . . 34 126 6.2.3.2. Sending SCTP/DTLS Probe Packets . . . . . . . . . 34 127 6.2.3.3. Validating the Path with SCTP/DTLS . . . . . . . 34 128 6.2.3.4. Handling of PTB Messages by SCTP/DTLS . . . . . . 35 129 6.3. DPLPMTUD for QUIC . . . . . . . . . . . . . . . . . . . . 35 130 6.3.1. Initial Connectivity . . . . . . . . . . . . . . . . 35 131 6.3.2. Sending QUIC Probe Packets . . . . . . . . . . . . . 35 132 6.3.3. Validating the Path with QUIC . . . . . . . . . . . . 36 133 6.3.4. Handling of PTB Messages by QUIC . . . . . . . . . . 36 134 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 36 135 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 36 136 9. Security Considerations . . . . . . . . . . . . . . . . . . . 36 137 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 38 138 10.1. Normative References . . . . . . . . . . . . . . . . . . 38 139 10.2. Informative References . . . . . . . . . . . . . . . . . 39 140 Appendix A. Revision Notes . . . . . . . . . . . . . . . . . . . 40 141 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 143 1. Introduction 145 The IETF has specified datagram transport using UDP, SCTP, and DCCP, 146 as well as protocols layered on top of these transports (e.g., SCTP/ 147 UDP, DCCP/UDP, QUIC/UDP), and direct datagram transport over the IP 148 network layer. This document describes a robust method for Path MTU 149 Discovery (PMTUD) that can be used with these transport protocols (or 150 the applications that use their transport service) to discover an 151 appropriate size of packet to use across an Internet path. 153 1.1. Classical Path MTU Discovery 155 Classical Path Maximum Transmission Unit Discovery (PMTUD) can be 156 used with any transport that is able to process ICMP Packet Too Big 157 (PTB) messages (e.g., [RFC1191] and [RFC8201]). In this document, 158 the term PTB message is applied to both IPv4 ICMP Unreachable 159 messages (type 3) that carry the error Fragmentation Needed (Type 3, 160 Code 4) [RFC0792] and ICMPv6 Packet Too Big messages (Type 2) 161 [RFC4443]. When a sender receives a PTB message, it reduces the 162 effective MTU to the value reported as the Link MTU in the PTB 163 message. A method from time-to-time increases the packet size in 164 attempt to discover an increase in the supported PMTU. The packets 165 sent with a size larger than the current effective PMTU are known as 166 probe packets. 168 Packets not intended as probe packets are either fragmented to the 169 current effective PMTU, or the attempt to send fails with an error 170 code. Applications can be provided with a primitive to let them read 171 the Maximum Packet Size (MPS), derived from the current effective 172 PMTU. 174 Classical PMTUD is subject to protocol failures. One failure arises 175 when traffic using a packet size larger than the actual PMTU is 176 black-holed (all datagrams sent with this size, or larger, are 177 discarded). This could arise when the PTB messages are not delivered 178 back to the sender for some reason (see for example [RFC2923]). 180 Examples where PTB messages are not delivered include: 182 * The generation of ICMP messages is usually rate limited. This 183 could result in no PTB messages being generated to the sender (see 184 section 2.4 of [RFC4443]) 186 * ICMP messages can be filtered by middleboxes (including firewalls) 187 [RFC4890]. A stateful firewall could be configured with a policy 188 to block incoming ICMP messages, which would prevent reception of 189 PTB messages to a sending endpoint behind this firewall. 191 * When the router issuing the ICMP message drops a tunneled packet, 192 the resulting ICMP message will be directed to the tunnel ingress. 193 This tunnel endpoint is responsible for forwarding the ICMP 194 message and also processing the quoted packet within the payload 195 field to remove the effect of the tunnel, and return a correctly 196 formatted ICMP message to the sender [I-D.ietf-intarea-tunnels]. 197 Failure to do this prevents the PTB message reaching the original 198 sender. 200 * Asymmetry in forwarding can result in there being no return route 201 to the original sender, which would prevent an ICMP message being 202 delivered to the sender. This issue can also arise when policy- 203 based routing is used, Equal Cost Multipath (ECMP) routing is 204 used, or a middlebox acts as an application load balancer. An 205 example is where the path towards the server is chosen by ECMP 206 routing depending on bytes in the IP payload. In this case, when 207 a packet sent by the server encounters a problem after the ECMP 208 router, then any resulting ICMP message also needs to be directed 209 by the ECMP router towards the original sender. 211 * There are additional cases where the next hop destination fails to 212 receive a packet because of its size. This could be due to 213 misconfiguration of the layer 2 path between nodes, for instance 214 the MTU configured in a layer 2 switch, or misconfiguration of the 215 Maximum Receive Unit (MRU). If a packet is dropped by the link, 216 this will not cause a PTB message to be sent to the original 217 sender. 219 Another failure could result if a node that is not on the network 220 path sends a PTB message that attempts to force a sender to change 221 the effective PMTU [RFC8201]. A sender can protect itself from 222 reacting to such messages by utilizing the quoted packet within a PTB 223 message payload to validate that the received PTB message was 224 generated in response to a packet that had actually originated from 225 the sender. However, there are situations where a sender would be 226 unable to provide this validation. Examples where validation of the 227 PTB message is not possible include: 229 * When a router issuing the ICMP message implements RFC792 230 [RFC0792], it is only required to include the first 64 bits of the 231 IP payload of the packet within the quoted payload. There could 232 be insufficient bytes remaining for the sender to interpret the 233 quoted transport information. 235 Note: The recommendation in RFC1812 [RFC1812] is that IPv4 routers 236 return a quoted packet with as much of the original datagram as 237 possible without the length of the ICMP datagram exceeding 576 238 bytes. IPv6 routers include as much of the invoking packet as 239 possible without the ICMPv6 packet exceeding 1280 bytes [RFC4443]. 241 * The use of tunnels/encryption can reduce the size of the quoted 242 packet returned to the original source address, increasing the 243 risk that there could be insufficient bytes remaining for the 244 sender to interpret the quoted transport information. 246 * Even when the PTB message includes sufficient bytes of the quoted 247 packet, the network layer could lack sufficient context to 248 validate the message, because validation depends on information 249 about the active transport flows at an endpoint node (e.g., the 250 socket/address pairs being used, and other protocol header 251 information). 253 * When a packet is encapsulated/tunneled over an encrypted 254 transport, the tunnel/encapsulation ingress might have 255 insufficient context, or computational power, to reconstruct the 256 transport header that would be needed to perform validation. 258 * A Network Address Translation (NAT) device that translates a 259 packet header, ought to also translate ICMP messages and update 260 the ICMP quoted packet [RFC5508] in that message. If this is not 261 correctly translated then the sender would not be able to 262 associate the message with the PL that originated the packet, and 263 hence this ICMP message cannot be validated. 265 1.2. Packetization Layer Path MTU Discovery 267 The term Packetization Layer (PL) has been introduced to describe the 268 layer that is responsible for placing data blocks into the payload of 269 IP packets and selecting an appropriate MPS. This function is often 270 performed by a transport protocol (e.g., DCCP, RTP, SCTP, QUIC), but 271 can also be performed by other encapsulation methods working above 272 the transport layer. 274 In contrast to PMTUD, Packetization Layer Path MTU Discovery 275 (PLPMTUD) [RFC4821] introduced a method that does not rely upon 276 reception and validation of PTB messages. It is therefore more 277 robust than Classical PMTUD. This has become the recommended 278 approach for implementing discovery of the PMTU [RFC8085]. 280 It uses a general strategy where the PL sends probe packets to search 281 for the largest size of unfragmented datagram that can be sent over a 282 network path. Probe packets are sent to explore using a larger 283 packet size. If a probe packet is successfully delivered (as 284 determined by the PL), then the PLPMTU is raised to the size of the 285 successful probe. If no response is received to a probe packet, the 286 method then reduces the PLPMTU. 288 Datagram PLPMTUD introduces flexibility in implementation. At one 289 extreme, it can be configured to only perform Black Hole Detection 290 and recovery with increased robustness compared to Classical PMTUD. 291 At the other extreme, all PTB processing can be disabled, and PLPMTUD 292 replaces Classical PMTUD. 294 PLPMTUD can also include additional consistency checks without 295 increasing the risk that data is lost when probing to discover the 296 Path MTU. For example, information available at the PL, or higher 297 layers, enables received PTB messages to be validated before being 298 utilized. 300 1.3. Path MTU Discovery for Datagram Services 302 Section 5 of this document presents a set of algorithms for datagram 303 protocols to discover the largest size of unfragmented datagram that 304 can be sent over a network path. The method relies upon features of 305 the PL described in Section 3 and applies to transport protocols 306 operating over IPv4 and IPv6. It does not require cooperation from 307 the lower layers, although it can utilize PTB messages when these 308 received messages are made available to the PL. 310 The message size guidelines in section 3.2 of the UDP Usage 311 Guidelines [RFC8085] state "an application SHOULD either use the Path 312 MTU information provided by the IP layer or implement Path MTU 313 Discovery (PMTUD)", but does not provide a mechanism for discovering 314 the largest size of unfragmented datagram that can be used on a 315 network path. The present document updates RFC 8085 to specify this 316 method in place of PLPMTUD [RFC4821] and provides a mechanism for 317 sharing the discovered largest size as the MPS (see Section 4.4). 319 Section 10.2 of [RFC4821] recommended a PLPMTUD probing method for 320 the Stream Control Transport Protocol (SCTP). SCTP utilizes probe 321 packets consisting of a minimal sized HEARTBEAT chunk bundled with a 322 PAD chunk as defined in [RFC4820]. However, RFC 4821 did not provide 323 a complete specification. The present document replaces this by 324 providing a complete specification. 326 The Datagram Congestion Control Protocol (DCCP) [RFC4340] requires 327 implementations to support Classical PMTUD and states that a DCCP 328 sender "MUST maintain the MPS allowed for each active DCCP session". 329 It also defines the current congestion control MPS (CCMPS) supported 330 by a network path. This recommends use of PMTUD, and suggests use of 331 control packets (DCCP-Sync) as path probe packets, because they do 332 not risk application data loss. The method defined in this 333 specification can be used with DCCP. 335 Section 6 specifies the method for datagram transports and provides 336 information to enable the implementation of PLPMTUD with other 337 datagram transports and applications that use datagram transports. 339 Section 6 also provides updated recommendations for [RFC6951] and 340 [RFC8261]. 342 2. Terminology 344 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 345 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 346 "OPTIONAL" in this document are to be interpreted as described in BCP 347 14 [RFC2119] [RFC8174] when, and only when, they appear in all 348 capitals, as shown here. 350 The following terminology is defined. Relevant terms are directly 351 copied from [RFC4821], and the definitions in [RFC1122]. 353 Acknowledged PL: A PL that includes a mechanism that can confirm 354 successful delivery of datagrams to the remote PL endpoint (e.g., 355 SCTP). Typically, the PL receiver returns acknowledgments 356 corresponding to the received datagrams, which can be utilised to 357 detect black-holing of packets (c.f., Unacknowledged PL). 359 Actual PMTU: The Actual PMTU is the PMTU of a network path between a 360 sender PL and a destination PL, which the DPLPMTUD algorithm seeks 361 to determine. 363 Black Hole: A Black Hole is encountered when a sender is unaware 364 that packets are not being delivered to the destination end point. 365 Two types of Black Hole are relevant to DPLPMTUD: 367 * Packets encounter a packet Black Hole when packets are not 368 delivered to the destination endpoint (e.g., when the sender 369 transmits packets of a particular size with a previously known 370 effective PMTU and they are discarded by the network). 372 * An ICMP Black Hole is encountered when the sender is unaware 373 that packets are not delivered to the destination endpoint 374 because PTB messages are not received by the originating PL 375 sender. 377 Classical Path MTU Discovery: Classical PMTUD is a process described 378 in [RFC1191] and [RFC8201], in which nodes rely on PTB messages to 379 learn the largest size of unfragmented packet that can be used 380 across a network path. 382 Datagram: A datagram is a transport-layer protocol data unit, 383 transmitted in the payload of an IP packet. 385 Effective PMTU: The Effective PMTU is the current estimated value 386 for PMTU that is used by a PMTUD. This is equivalent to the 387 PLPMTU derived by PLPMTUD plus the size of any headers added below 388 the PL, including the IP layer headers. 390 EMTU_S: The Effective MTU for sending (EMTU_S) is defined in 391 [RFC1122] as "the maximum IP datagram size that may be sent, for a 392 particular combination of IP source and destination addresses...". 394 EMTU_R: The Effective MTU for receiving (EMTU_R) is designated in 395 [RFC1122] as the largest datagram size that can be reassembled by 396 EMTU_R (Effective MTU to receive). 398 Link: A Link is a communication facility or medium over which nodes 399 can communicate at the link layer, i.e., a layer below the IP 400 layer. Examples are Ethernet LANs and Internet (or higher) layer 401 and tunnels. 403 Link MTU: The Link Maximum Transmission Unit (MTU) is the size in 404 bytes of the largest IP packet, including the IP header and 405 payload, that can be transmitted over a link. Note that this 406 could more properly be called the IP MTU, to be consistent with 407 how other standards organizations use the acronym. This includes 408 the IP header, but excludes link layer headers and other framing 409 that is not part of IP or the IP payload. Other standards 410 organizations generally define the link MTU to include the link 411 layer headers. This specification continues the requirement in 412 [RFC4821], that states "All links MUST enforce their MTU: links 413 that might non- deterministically deliver packets that are larger 414 than their rated MTU MUST consistently discard such packets." 416 MAX_PLPMTU: The MAX_PLPMTU is the largest size of PLPMTU that 417 DPLPMTUD will attempt to use. 419 MIN_PLPMTU: The MIN_PLPMTU is the smallest size of PLPMTU that 420 DPLPMTUD will attempt to use. 422 MPS: MPS: The Maximum Packet Size (MPS) is the largest size of 423 application data block that can be sent across a network path by a 424 PL using a single Datagram. 426 Packet: A Packet is the IP header plus the IP payload. 428 Packetization Layer (PL): The PL is a layer of the network stack 429 that places data into packets and performs transport protocol 430 functions. Examples of a PL include: TCP, SCTP, SCTP over DTLS or 431 QUIC. 433 Path: The Path is the set of links and routers traversed by a packet 434 between a source node and a destination node by a particular flow. 436 Path MTU (PMTU): The Path MTU (PMTU) is the minimum of the Link MTU 437 of all the links forming a network path between a source node and 438 a destination node, as used by PMTUD. 440 PTB_SIZE: The PTB_SIZE is a value reported in a validated PTB 441 message that indicates next hop link MTU of a router along the 442 path. 444 PL_PTB_SIZE: The size reported in a validated PTB message, reduced 445 by the size of all headers added by layers below the PL. 447 PLPMTU: The Packetization Layer PMTU is an estimate of the largest 448 size of PL datagram that can be sent by a path, controled by 449 PLPMTUD. 451 PLPMTUD: Packetization Layer Path MTU Discovery (PLPMTUD), the 452 method described in this document for datagram PLs, which is an 453 extension to Classical PMTU Discovery. 455 Probe packet: A probe packet is a datagram sent with a purposely 456 chosen size (typically the current PLPMTU or larger) to detect if 457 packets of this size can be successfully sent end-to-end across 458 the network path. 460 Unacknowledged PL: A PL that does not itself provide a mechanism to 461 confirm delivery of datagrams to the remote PL endpoint (e.g., 462 UDP), and therefore requires DPLPMTUD to provide a mechanism to 463 detect black-holing of packets (c.f., Acknowledged PL). 465 3. Features Required to Provide Datagram PLPMTUD 467 The principles expressed in [RFC4821] apply to the use of the 468 technique with any PL. TCP PLPMTUD has been defined using standard 469 TCP protocol mechanisms. Unlike TCP, a datagram PL requires 470 additional mechanisms and considerations to implement PLPMTUD. 472 The requirements for datagram PLPMTUD are: 474 1. Managing the PLPMTU: For datagram PLs, the PLPMTU is managed by 475 DPLPMTUD. A PL MUST NOT send a datagram (other than a probe 476 packet) with a size at the PL layer that is larger than the 477 current PLPMTU. 479 2. Probe packets: On request, a DPLPMTUD sender is REQUIRED to be 480 able to transmit a packet larger than the PLMPMTU. This is used 481 to send a probe packet. In IPv4, a probe packet MUST be sent 482 with the Don't Fragment (DF) bit set in the IP header, and 483 without network layer endpoint fragmentation. In IPv6, a probe 484 packet is always sent without source fragmentation (as specified 485 in section 5.4 of [RFC8201]). 487 3. Reception feedback: The destination PL endpoint is REQUIRED to 488 provide a feedback method that indicates to the DPLPMTUD sender 489 when a probe packet has been received by the destination PL 490 endpoint. 492 4. Probe loss recovery: It is RECOMMENDED to use probe packets that 493 do not carry any user data that would require retransmission if 494 lost. Most datagram transports permit this. If a probe packet 495 contains user data requiring retransmission in case of loss, the 496 PL (or layers above) are REQUIRED to arrange any retransmission/ 497 repair of any resulting loss. The PL is REQUIRED to be robust 498 in the case where probe packets are lost due to other reasons 499 (including link transmission error, congestion). 501 5. PMTU parameters: A DPLPMTUD sender is RECOMMENDED to utilize 502 information about the maximum size of packet that can be 503 transmitted by the sender on the local link (e.g., the local 504 Link MTU). It MAY utilize similar information about the maximum 505 size a receiver can accept when this is supplied (note this 506 could be less than EMTU_R). This avoids implementations trying 507 to send probe packets that can not be transferred by the local 508 link. Too high of a value could reduce the efficiency of the 509 search algorithm. Some applications also have a maximum 510 transport protocol data unit (PDU) size, in which case there is 511 no benefit from probing for a size larger than this (unless a 512 transport allows multiplexing multiple applications PDUs into 513 the same datagram). 515 6. Processing PTB messages: A DPLPMTUD sender MAY optionally 516 utilize PTB messages received from the network layer to help 517 identify when a network path does not support the current size 518 of probe packet. Any received PTB message MUST be validated 519 before it is used to update the PLPMTU discovery information 520 [RFC8201]. This validation confirms that the PTB message was 521 sent in response to a packet originating by the sender, and 522 needs to be performed before the PLPMTU discovery method reacts 523 to the PTB message. A PTB message MUST NOT be used to increase 524 the PLPMTU [RFC8201], but could trigger a probe to test for a 525 larger PLPMTU. A PL_PTB_SIZE that is greater than that 526 currently probed MUST be ignored. A valid PTB_SIZE is converted 527 to a PL_PTB_SIZE before it is to be used in the DPLPMTUD state 528 machine. 530 7. Probing and congestion control: The decision about when to send 531 a probe packet does not need to be limited by the congestion 532 controller. When not controlled by the congestion controller, 533 the interval between probe packets MUST be at least one RTT. If 534 transmission of probe packets is limited by the congestion 535 controller, this could result in transmission of probe packets 536 being delayed or suspended during congestion. 538 8. Loss of a probe packet SHOULD NOT be treated as an indication of 539 congestion and SHOULD NOT trigger a congestion control reaction 540 [RFC4821], because this could result in unnecessary reduction of 541 the sending rate. 543 9. An update to the PLPMTU (or MPS) MUST NOT modify the congestion 544 window measured in bytes [RFC4821]. Therefore, an increase in 545 the packet size does not cause an increase the data rate in 546 bytes per second. 548 10. Probing and flow control: Flow control at the PL concerns the 549 end-to-end flow of data using the PL service. This does not 550 apply to DPLPMTU when probe packets use a design that does not 551 carry user data to the remote application. 553 11. Shared PLPMTU state: The PMTU value calculated from the PLPMTU 554 MAY also be stored with the corresponding entry associated with 555 the destination in the IP layer cache, and used by other PL 556 instances. The specification of PLPMTUD [RFC4821] states: "If 557 PLPMTUD updates the MTU for a particular path, all Packetization 558 Layer sessions that share the path representation (as described 559 in Section 5.2 of [RFC4821]) SHOULD be notified to make use of 560 the new MTU". Such methods MUST be robust to the wide variety 561 of underlying network forwarding behaviors. Section 5.2 of 562 [RFC8201] provides guidance on the caching of PMTU information 563 and also the relation to IPv6 flow labels. 565 In addition, the following principles are stated for design of a 566 DPLPMTUD method: 568 * A PL MAY be designed to segment data blocks larger than the MPS 569 into multiple datagrams. However, not all datagram PLs support 570 segmentation of data blocks. It is RECOMMENDED that methods avoid 571 forcing an application to use an arbitrary small MPS for 572 transmission while the method is searching for the currently 573 supported PLPMTU. A reduced MPS can adversely impact the 574 performance of an application. 576 * To assist applications in choosing a suitable data block size, the 577 PL is RECOMMENDED to provide a primitive that returns the MPS 578 derived from the PLPMTU to the higher layer using the PL. The 579 value of the MPS can change following a change in the path, or 580 loss of probe packets. 582 * Path validation: It is RECOMMENDED that methods are robust to path 583 changes that could have occurred since the path characteristics 584 were last confirmed, and to the possibility of inconsistent path 585 information being received. 587 * Datagram reordering: A method is REQUIRED to be robust to the 588 possibility that a flow encounters reordering, or the traffic 589 (including probe packets) is divided over more than one network 590 path. 592 * Datagram delay and duplication: The feedback mechanism is REQUIRED 593 to be robust to the possibility that packets could be 594 significantly delayed or duplicated along a network path. 596 * When to probe: It is RECOMMENDED that methods determine whether 597 the path has changed since it last measured the path. This can 598 help determine when to probe the path again. 600 4. DPLPMTUD Mechanisms 602 This section lists the protocol mechanisms used in this 603 specification. 605 4.1. PLPMTU Probe Packets 607 The DPLPMTUD method relies upon the PL sender being able to generate 608 probe packets with a specific size. TCP is able to generate these 609 probe packets by choosing to appropriately segment data being sent 610 [RFC4821]. In contrast, a datagram PL that constructs a probe packet 611 has to either request an application to send a data block that is 612 larger than that generated by an application, or to utilize padding 613 functions to extend a datagram beyond the size of the application 614 data block. Protocols that permit exchange of control messages 615 (without an application data block) can generate a probe packet by 616 extending a control message with padding data. The total size of a 617 probe packet includes all headers and padding added to the payload 618 data being sent (e.g., including protocol option fields, security- 619 related fields such as an AEAD tag and TLS record layer padding). 621 A receiver is REQUIRED to be able to distinguish an in-band data 622 block from any added padding. This is needed to ensure that any 623 added padding is not passed on to an application at the receiver. 625 This results in three possible ways that a sender can create a probe 626 packet: 628 Probing using padding data: A probe packet that contains only 629 control information together with any padding, which is needed to 630 be inflated to the size of the probe packet. Since these probe 631 packets do not carry an application-supplied data block, they do 632 not typically require retransmission, although they do still 633 consume network capacity and incur endpoint processing. 635 Probing using application data and padding data: A probe packet that 636 contains a data block supplied by an application that is combined 637 with padding to inflate the length of the datagram to the size of 638 the probe packet. 640 Probing using application data: A probe packet that contains a data 641 block supplied by an application that matches the size of the 642 probe packet. This method requests the application to issue a 643 data block of the desired probe size. 645 A PL that uses a probe packet carrying an application data and needs 646 protection from the loss of this probe packet, could perform 647 transport-layer retransmission/repair of the data block (e.g., by 648 retransmission after loss is detected or by duplicating the data 649 block in a datagram without the padding data). This retransmited 650 data block might possibly need to be sent using a smaller PLPMTU, 651 which could need the PL to to use a smaller packet size to traverse 652 the end-to-end path. (This could utilize endpoint network-layer or a 653 PL that can re-segment the data block into multiple datagrams). 655 DPLPMTUD MAY choose to use only one of these methods to simplify the 656 implementation. 658 Probe messages sent by a PL MUST contain enough information to 659 uniquely identify the probe within Maximum Segment Lifetime (e.g., 660 including a unique identifier from the PL or the DPLPMTUD 661 implementation), while being robust to reordering and replay of probe 662 response and PTB messages. 664 4.2. Confirmation of Probed Packet Size 666 The PL needs a method to determine (confirm) when probe packets have 667 been successfully received end-to-end across a network path. 669 Transport protocols can include end-to-end methods that detect and 670 report reception of specific datagrams that they send (e.g., DCCP and 671 SCTP provide keep-alive/heartbeat features). When supported, this 672 mechanism MAY also be used by DPLPMTUD to acknowledge reception of a 673 probe packet. 675 A PL that does not acknowledge data reception (e.g., UDP and UDP- 676 Lite) is unable itself to detect when the packets that it sends are 677 discarded because their size is greater than the actual PMTU. These 678 PLs need to rely on an application protocol to detect this loss. 680 Section 6 specifies this function for a set of IETF-specified 681 protocols. 683 4.3. Black Hole Detection 685 Black Hole Detection is triggered by an indication that the network 686 path could be unable to support the current PLPMTU size. 688 There are three ways to detect black holes: 690 * A validated PTB message can be received that indicates a 691 PL_PTB_SIZE less than the current PLPMTU. A DPLPMTUD method MUST 692 NOT rely solely on this method. 694 * A PL can use the DPLPMTUD probing mechanism to periodically 695 generate probe packets of the size of the current PLPMTU (e.g., 696 using the confirmation timer Section 5.1.1). A timer tracks 697 whether acknowledgments are received. Successive loss of probes 698 is an indication that the current path no longer supports the 699 PLPMTU (e.g., when the number of probe packets sent without 700 receiving an acknowledgment, PROBE_COUNT, becomes greater than 701 MAX_PROBES). 703 * A PL can utilize an event that indicates the network path no 704 longer sustains the sender's PLPMTU size. This could use a 705 mechanism implemented within the PL to detect excessive loss of 706 data sent with a specific packet size and then conclude that this 707 excessive loss could be a result of an invalid PLPMTU (as in 708 PLPMTUD for TCP [RFC4821]). 710 A PL MAY inhibit sending probe packets when no application data has 711 been sent since the previous probe packet. A PL preferring to use an 712 up-to-data PLPMTU once user data is sent again, MAY choose to 713 continue PLPMTU discovery for each path. However, this could result 714 in additional packets being sent. 716 When the method detects the current PLPMTU is not supported, DPLPMTUD 717 sets a lower PLPMTU, and sets a lower MPS. The PL then confirms that 718 the new PLPMTU can be successfully used across the path. A probe 719 packet could need to have a size less than the size of the data block 720 generated by the application. 722 4.4. The Maximum Packet Size (MPS) 724 The result of probing determines a usable PLPMTU, which is used to 725 set the MPS used by the application. The MPS is smaller than the 726 PLPMTU because it is reduced by the size of PL headers (including the 727 overhead of security-related fields such as an AEAD tag and TLS 728 record layer padding). The relationship between the MPS and the 729 PLPMTUD is illustrated in Figure 1. 731 any additional 732 headers .--- MPS -----. 733 | | | 734 v v v 735 +------------------------------+ 736 | IP | ** | PL | protocol data | 737 +------------------------------+ 739 <----- PLPMTU -----> 740 <---------- PMTU --------------> 742 Figure 1: Relationship between MPS and PLPMTU 744 A PL is unable to send a packet (other than a probe packet) with a 745 size larger than the current PLPMTU at the network layer. To avoid 746 this, a PL MAY be designed to segment data blocks larger than the MPS 747 into multiple datagrams. 749 DPLPMTUD seeks to avoid IP fragmentation. An attempt to send a data 750 block larger than the MPS will therefore fail if a PL is unable to 751 segment data. To determine the largest data block that can be sent, 752 a PL SHOULD provide applications with a primitive that returns the 753 MPS, derived from the current PLPMTU. 755 If DPLPMTUD results in a change to the MPS, the application needs to 756 adapt to the new MPS. A particular case can arise when packets have 757 been sent with a size less than the MPS and the PLPMTU was 758 subsequently reduced. If these packets are lost, the PL MAY segment 759 the data using the new MPS. If a PL is unable to re-segment a 760 previously sent datagram (e.g., [RFC4960]), then the sender either 761 discards the datagram or could perform retransmission using network- 762 layer fragmentation to form multiple IP packets not larger than the 763 PLPMTU. For IPv4, the use of endpoint fragmentation by the sender is 764 preferred over clearing the DF-bit in the IPv4 header. Operational 765 experience reveals that IP fragmentation can reduce the reliability 766 of Internet communication [I-D.ietf-intarea-frag-fragile], which may 767 reduce the success of retransmission. 769 4.5. Disabling the Effect of PMTUD 771 A PL implementing this specification MUST suspend network layer 772 processing of outgoing packets that enforces a PMTU 773 [RFC1191][RFC8201] for each flow utilizing DPLPMTUD, and instead use 774 DPLPMTUD to control the size of packets that are sent by a flow. 775 This removes the need for the network layer to drop or fragment sent 776 packets that have a size greater than the PMTU. 778 4.6. Response to PTB Messages 780 This method requires the DPLPMTUD sender to validate any received PTB 781 message before using the PTB information. The response to a PTB 782 message depends on the PL_PTB_SIZE calculated from the PTB_SIZE in 783 the PTB message, the state of the PLPMTUD state machine, and the IP 784 protocol being used. 786 Section 4.6.1 first describes validation for both IPv4 ICMP 787 Unreachable messages (type 3) and ICMPv6 Packet Too Big messages, 788 both of which are referred to as PTB messages in this document. 790 4.6.1. Validation of PTB Messages 792 This section specifies utilization of PTB messages. 794 * A simple implementation MAY ignore received PTB messages and in 795 this case the PLPMTU is not updated when a PTB message is 796 received. 798 * An implementation that supports PTB messages MUST validate 799 messages before they are further processed. 801 A PL that receives a PTB message from a router or middlebox, performs 802 ICMP validation as specified in Section 5.2 of [RFC8085][RFC8201]. 803 Because DPLPMTUD operates at the PL, the PL needs to check that each 804 received PTB message is received in response to a packet transmitted 805 by the endpoint PL performing DPLPMTUD. 807 The PL MUST check the protocol information in the quoted packet 808 carried in an ICMP PTB message payload to validate the message 809 originated from the sending node. This validation includes 810 determining that the combination of the IP addresses, the protocol, 811 the source port and destination port match those returned in the 812 quoted packet - this is also necessary for the PTB message to be 813 passed to the corresponding PL. 815 The validation SHOULD utilize information that it is not simple for 816 an off-path attacker to determine [RFC8085]. For example, by 817 checking the value of a protocol header field known only to the two 818 PL endpoints. A datagram application that uses well-known source and 819 destination ports ought to also rely on other information to complete 820 this validation. 822 These checks are intended to provide protection from packets that 823 originate from a node that is not on the network path. A PTB message 824 that does not complete the validation MUST NOT be further utilized by 825 the DPLPMTUD method. 827 PTB messages that have been validated MAY be utilized by the DPLPMTUD 828 algorithm, but MUST NOT be used directly to set the PLPMTU. The 829 PL_PTB_SIZE is smaller than the PTB_SIZE because it is reduced by 830 headers below the PL including any IP options or extensions added to 831 the PL packet. A method that utilizes these PTB messages can improve 832 the speed at which the algorithm detects an appropriate PLPMTU by 833 triggering an immediate probe for the PL_PTB_SIZE (resulting in a 834 network-layer packet of size PTB_SIZE), compared to one that relies 835 solely on probing using a timer-based search algorithm. 836 Section 4.6.2 describes this processing. 838 4.6.2. Use of PTB Messages 840 Before using the size reported in the PTB message it must first be 841 converted to a PL_PTB_SIZE. A set of checks are intended to provide 842 protection from a router that reports an unexpected PTB_SIZE. The PL 843 also needs to check that the indicated PL_PTB_SIZE is less than the 844 size used by probe packets and at least the minimum size accepted. 846 This section provides a summary of how PTB messages can be utilized. 847 This processing depends on the PL_PTB_SIZE and the current value of a 848 set of variables: 850 PL_PTB_SIZE < MIN_PLPMTU 851 * Invalid PL_PTB_SIZE see Section 4.6.1. 853 * PTB message ought to be discarded without further processing 854 (i.e., PLPMTU is not modified). 856 * The information could be utilized as an input to a trigger that 857 would enable a resilience mode. 859 MIN_PLPMTU < PL_PTB_SIZE < BASE_PLPMTU 860 * A robust PL MAY enter an error state (see Section 5.2) for an 861 IPv4 path when the PL_PTB_SIZE reported in the PTB message is 862 larger than or equal to 68 bytes [RFC0791] and when this is 863 less than the BASE_PLPMTU. 865 * A robust PL MAY enter an error state (see Section 5.2) for an 866 IPv6 path when the PL_PTB_SIZE reported in the PTB message is 867 larger than or equal to 1280 bytes [RFC8200] and when this is 868 less than the BASE_PLPMTU. 870 PL_PTB_SIZE = PLPMTU 871 * Completes the search for a larger PLPMTU. 873 PL_PTB_SIZE > PROBED_SIZE 874 * Inconsistent network signal. 876 * PTB message ought to be discarded without further processing 877 (i.e., PLPMTU is not modified). 879 * The information could be utilized as an input to trigger 880 enabling a resilience mode. 882 BASE_PLPMTU <= PL_PTB_SIZE < PLPMTU 883 * This could be an indication of a black hole. The PLPMTU SHOULD 884 be set to BASE_PLPMTU (the PLPMTU is reduced to the BASE_PLPMTU 885 to avoid unnecessary packet loss when a black hole is 886 encountered). 888 * The PL ought to start a search to quickly discover the new 889 PLPMTU. The PL_PTB_SIZE reported in the PTB message can be 890 used to initialize a search algorithm. 892 PLPMTU < PL_PTB_SIZE < PROBED_SIZE 893 * The PLPMTU continues to be valid, but the size of a packet used 894 to search (PROBED_SIZE) was larger than the actual PMTU. 896 * The PLPMTU is not updated. 898 * The PL can use the reported PL_PTB_SIZE from the PTB message as 899 the next search point when it resumes the search algorithm. 901 5. Datagram Packetization Layer PMTUD 903 This section specifies Datagram PLPMTUD (DPLPMTUD). The method can 904 be introduced at various points (as indicated with * in the figure 905 below) in the IP protocol stack to discover the PLPMTU so that an 906 application can utilize an appropriate MPS for the current network 907 path. 909 DPLPMTUD SHOULD NOT be used by an upper PL or application if it is 910 already used in a lower layer, DPLPMTUD SHOULD only be performed once 911 between a pair of endpoints. A PL MUST adjust the MPS indicated by 912 DPLPMTUD to account for any additional overhead introduced by the PL. 914 +----------------------+ 915 | Application* | 916 +-----+------------+---+ 917 | | 918 +---+--+ +--+--+ 919 | QUIC*| |SCTP*| 920 +---+--+ +-+-+-+ 921 | | | 922 +---+ +----+ | 923 | | | 924 +-+--+-+ | 925 | UDP | | 926 +---+--+ | 927 | | 928 +-----------+-------+--+ 929 | Network Interface | 930 +----------------------+ 932 Figure 2: Examples where DPLPMTUD can be implemented 934 The central idea of DPLPMTUD is probing by a sender. Probe packets 935 are sent to find the maximum size of user message that can be 936 completely transferred across the network path from the sender to the 937 destination. 939 The following sections identify the components needed for 940 implementation, provides an overview of the phases of operation, and 941 specifies the state machine and search algorithm. 943 5.1. DPLPMTUD Components 945 This section describes the timers, constants, and variables of 946 DPLPMTUD. 948 5.1.1. Timers 950 The method utilizes up to three timers: 952 PROBE_TIMER: The PROBE_TIMER is configured to expire after a period 953 longer than the maximum time to receive an acknowledgment to a 954 probe packet. This value MUST NOT be smaller than 1 second, and 955 SHOULD be larger than 15 seconds. Guidance on selection of the 956 timer value are provided in section 3.1.1 of the UDP Usage 957 Guidelines [RFC8085]. 959 PMTU_RAISE_TIMER: The PMTU_RAISE_TIMER is configured to the period a 960 sender will continue to use the current PLPMTU, after which it re- 961 enters the Search phase. This timer has a period of 600 seconds, 962 as recommended by PLPMTUD [RFC4821]. 964 DPLPMTUD MAY inhibit sending probe packets when no application 965 data has been sent since the previous probe packet. A PL 966 preferring to use an up-to-data PMTU once user data is sent again, 967 can choose to continue PMTU discovery for each path. However, 968 this could result in sending additional packets. 970 CONFIRMATION_TIMER: When an acknowledged PL is used, this timer MUST 971 NOT be used. For other PLs, the CONFIRMATION_TIMER is configured 972 to the period a PL sender waits before confirming the current 973 PLPMTU is still supported. This is less than the PMTU_RAISE_TIMER 974 and used to decrease the PLPMTU (e.g., when a black hole is 975 encountered). Confirmation needs to be frequent enough when data 976 is flowing that the sending PL does not black hole extensive 977 amounts of traffic. Guidance on selection of the timer value are 978 provided in section 3.1.1 of the UDP Usage Guidelines [RFC8085]. 980 DPLPMTUD MAY inhibit sending probe packets when no application 981 data has been sent since the previous probe packet. A PL 982 preferring to use an up-to-data PMTU once user data is sent again, 983 can choose to continue PMTU discovery for each path. However, 984 this could result in sending additional packets. 986 An implementation could implement the various timers using a single 987 timer. 989 5.1.2. Constants 991 The following constants are defined: 993 MAX_PROBES: The MAX_PROBES is the maximum value of the PROBE_COUNT 994 counter (see Section 5.1.3). MAX_PROBES represents the limit for 995 the number of consecutive probe attempts of any size. Search 996 algorithms benefit from a MAX_PROBES valugreater than 1 because 997 this can provide robustness to isolated packet loss. The default 998 value of MAX_PROBES is 3. 1000 MIN_PLPMTU: The MIN_PLPMTU is the smallest allowed probe packet 1001 size. For IPv6, this value is 1280 bytes, as specified in 1002 [RFC8200]. For IPv4, the minimum value is 68 bytes. 1004 Note: An IPv4 router is required to be able to forward a datagram 1005 of 68 bytes without further fragmentation. This is the combined 1006 size of an IPv4 header and the minimum fragment size of 8 bytes. 1007 In addition, receivers are required to be able to reassemble 1008 fragmented datagrams at least up to 576 bytes, as stated in 1009 section 3.3.3 of [RFC1122]. 1011 MAX_PLPMTU: The MAX_PLPMTU is the largest size of PLPMTU. This has 1012 to be less than or equal to the maximum size of the PL packet that 1013 can be sent on the outgoing interface (constrained by the local 1014 interface MTU). When known, this also ought to be less than the 1015 maximum size of PL packet that can be received by the remote 1016 endpoint (constrained by EMTU_R). It can be limited by the design 1017 or configuration of the PL being used. An application, or PL, MAY 1018 choose a smaller MAX_PLPMTU when there is no need to send packets 1019 larger than a specific size. 1021 BASE_PLPMTU: The BASE_PLPMTU is a configured size expected to work 1022 for most paths. The size is equal to or larger than the 1023 MIN_PLPMTU and smaller than the MAX_PLPMTU. In the case of IPv6, 1024 this value is 1280 bytes [RFC8200]. When using IPv4, a size of 1025 1200 bytes is RECOMMENDED. 1027 5.1.3. Variables 1029 This method utilizes a set of variables: 1031 PROBED_SIZE: The PROBED_SIZE is the size of the current probe 1032 packet. This is a tentative value for the PLPMTU, which is 1033 awaiting confirmation by an acknowledgment. 1035 PROBE_COUNT: The PROBE_COUNT is a count of the number of successive 1036 unsuccessful probe packets that have been sent. Each time a probe 1037 packet is acknowledged, the value is set to zero. (Some probe 1038 loss is expected while searching, therefore loss of a single probe 1039 is not an indication of a PMTU problem.) 1041 The figure below illustrates the relationship between the packet size 1042 constants and variables at a point of time when the DPLPMTUD 1043 algorithm performs path probing to increase the size of the PLPMTU. 1045 A probe packet has been sent of size PROBED_SIZE. Once this is 1046 acknowledged, the PLPMTU will raise to PROBED_SIZE allowing the 1047 DPLPMTUD algorithm to further increase PROBED_SIZE toward sending a 1048 probe with the size of the actual PMTU. 1050 MIN_PLPMTU MAX_PLPMTU 1051 <-------------------------------------------> 1052 | | | 1053 v | | 1054 BASE_PLPMTU | v 1055 | PROBED_SIZE 1056 v 1057 PLPMTU 1059 Figure 3: Relationships between packet size constants and variables 1061 5.1.4. Overview of DPLPMTUD Phases 1063 This section provides a high-level informative view of the DPLPMTUD 1064 method, by describing the movement of the method through several 1065 phases of operation. More detail is available in the state machine 1066 Section 5.2. 1068 +------+ 1069 +------->| Base |-----------------+ Connectivity 1070 | +------+ | or BASE_PLPMTU 1071 | | | confirmation failed 1072 | | v 1073 | | Connectivity +-------+ 1074 | | and BASE_PLPMTU | Error | 1075 | | confirmed +-------+ 1076 | | | Consistent 1077 | v | connectivity 1078 PLPMTU | +--------+ | and BASE_PLPMTU 1079 confirmation | | Search |<---------------+ confirmed 1080 failed | +--------+ 1081 | ^ | 1082 | | | 1083 | Raise | | Search 1084 | timer | | algorithm 1085 | expired | | completed 1086 | | | 1087 | | v 1088 | +-----------------+ 1089 +---| Search Complete | 1090 +-----------------+ 1092 Figure 4: DPLPMTUD Phases 1094 Base: The Base Phase confirms connectivity to the remote peer using 1095 packets of the BASE_PLPMTU. This phase is implicit for a 1096 connection-oriented PL (where it can be performed in a PL 1097 connection handshake). A connectionless PL sends a probe packet 1098 and uses acknowledgment of this probe packet to confirm that the 1099 remote peer is reachable. 1101 The sender also confirms that BASE_PLPMTU is supported across the 1102 network path. This may be achieved using a PL mechanism (e.g., 1103 using a handshake packet of size BASE_PLPMTU), or by sending a 1104 probe packet of size BASE_PLPMTU and confirming that this is 1105 received. 1107 A probe packet of size BASE_PLPMTU can be sent immediately on the 1108 initial entry to the Base Phase (following a connectivity check). 1109 A PL that does not wish to support a path with a PLPMTU less than 1110 BASE_PLPMTU can simplify the phase into a single step by 1111 performing the connectivity checks with a probe of the BASE_PLPMTU 1112 size. 1114 Once confirmed, DPLPMTUD enters the Search Phase. If this phase 1115 fails to confirm, DPLPMTUD enters the Error Phase. 1117 Search: The Search Phase utilizes a search algorithm to send probe 1118 packets to seek to increase the PLPMTU. The algorithm concludes 1119 when it has found a suitable PLPMTU, by entering the Search 1120 Complete Phase. 1122 A PL could respond to PTB messages using the PTB to advance or 1123 terminate the search, see Section 4.6. 1125 Search Complete: The Search Complete Phase is entered when the 1126 PLPMTU is supported across the network path. A PL can use a 1127 CONFIRMATION_TIMER to periodically repeat a probe packet for the 1128 current PLPMTU size. If the sender is unable to confirm 1129 reachability (e.g., if the CONFIRMATION_TIMER expires) or the PL 1130 signals a lack of reachability, DPLPMTUD enters the Base phase. 1132 The PMTU_RAISE_TIMER is used to periodically resume the search 1133 phase to discover if the PLPMTU can be raised. Black Hole 1134 Detection causes the sender to enter the Base Phase. 1136 Error: The Error Phase is entered when there is conflicting or 1137 invalid PLPMTU information for the path (e.g., a failure to 1138 support the BASE_PLPMTU) that cause DPLPMTUD to be unable to 1139 progress and the PLPMTU is lowered. 1141 DPLPMTUD remains in the Error Phase until a consistent view of the 1142 path can be discovered and it has also been confirmed that the 1143 path supports the BASE_PLPMTU (or DPLPMTUD is suspended). 1145 An implementation that only reduces the PLPMTU to a suitable size 1146 would be sufficient to ensure reliable operation, but can be very 1147 inefficient when the actual PMTU changes or when the method (for 1148 whatever reason) makes a suboptimal choice for the PLPMTU. 1150 A full implementation of DPLPMTUD provides an algorithm enabling the 1151 DPLPMTUD sender to increase the PLPMTU following a change in the 1152 characteristics of the path, such as when a link is reconfigured with 1153 a larger MTU, or when there is a change in the set of links traversed 1154 by an end-to-end flow (e.g., after a routing or path fail-over 1155 decision). 1157 5.2. State Machine 1159 A state machine for DPLPMTUD is depicted in Figure 5. If multipath 1160 or multihoming is supported, a state machine is needed for each path. 1162 Note: Not all changes are shown to simplify the diagram. 1164 | | 1165 | Start | PL indicates loss 1166 | | of connectivity 1167 v v 1168 +---------------+ +---------------+ 1169 | DISABLED | | ERROR | 1170 +---------------+ PROBE_TIMER expiry: +---------------+ 1171 | PL indicates PROBE_COUNT = MAX_PROBES or ^ | 1172 | connectivity PTB: PLPTB_SIZE < BASE_PLPMTU | | 1173 +--------------------+ +---------------+ | 1174 | | | 1175 v | BASE_PLPMTU Probe | 1176 +---------------+ acked | 1177 | BASE |----------------------+ 1178 +---------------+ | 1179 ^ | ^ ^ | 1180 Black hole detected | | | | Black hole detected | 1181 +--------------------+ | | +--------------------+ | 1182 | +----+ | | 1183 | PROBE_TIMER expiry: | | 1184 | PROBE_COUNT < MAX_PROBES | | 1185 | | | 1186 | PMTU_RAISE_TIMER expiry | | 1187 | +-----------------------------------------+ | | 1188 | | | | | 1189 | | v | v 1190 +---------------+ +---------------+ 1191 |SEARCH_COMPLETE| | SEARCHING | 1192 +---------------+ +---------------+ 1193 | ^ ^ | | ^ 1194 | | | | | | 1195 | | +-----------------------------------------+ | | 1196 | | MAX_PLPMTU Probe acked or | | 1197 | | PROBE_TIMER expiry: PROBE_COUNT = MAX_PROBES or | | 1198 +----+ PTB: PLPTB_SIZE = PLPMTU +----+ 1199 CONFIRMATION_TIMER expiry: PROBE_TIMER expiry: 1200 PROBE_COUNT < MAX_PROBES or PROBE_COUNT < MAX_PROBES or 1201 PLPMTU Probe acked Probe acked or PTB: 1202 PLPMTU < PLPTB_SIZE < PROBED_SIZE 1204 Figure 5: State machine for Datagram PLPMTUD 1206 The following states are defined: 1208 DISABLED: The DISABLED state is the initial state before probing has 1209 started. It is also entered from any other state, when the PL 1210 indicates loss of connectivity. This state is left once the PL 1211 indicates connectivity to the remote PL. When transitioning to 1212 the BASE state, a probe packet of size BASE_PLPMTU can be sent 1213 immediately. 1215 BASE: The BASE state is used to confirm that the BASE_PLPMTU size is 1216 supported by the network path and is designed to allow an 1217 application to continue working when there are transient 1218 reductions in the actual PMTU. It also seeks to avoid long 1219 periods when a sender searching for a larger PLPMTU is unaware 1220 that packets are not being delivered due to a packet or ICMP Black 1221 Hole. 1223 On entry, the PROBED_SIZE is set to the BASE_PLPMTU size and the 1224 PROBE_COUNT is set to zero. 1226 Each time a probe packet is sent, the PROBE_TIMER is started. The 1227 state is exited when the probe packet is acknowledged, and the PL 1228 sender enters the SEARCHING state. 1230 The state is also left when the PROBE_COUNT reaches MAX_PROBES or 1231 a received PTB message is validated. This causes the PL sender to 1232 enter the ERROR state. 1234 SEARCHING: The SEARCHING state is the main probing state. This 1235 state is entered when probing for the BASE_PLPMTU was successful. 1237 Each time a probe packet is acknowledged, the PROBE_COUNT is set 1238 to zero, the PLPMTU is set to the PROBED_SIZE and then the 1239 PROBED_SIZE is increased using the search algorithm. 1241 When a probe packet is sent and not acknowledged within the period 1242 of the PROBE_TIMER, the PROBE_COUNT is incremented and a new probe 1243 packet is transmitted. 1245 The state is exited to enter SEARCH_COMPLETE when the PROBE_COUNT 1246 reaches MAX_PROBES, a validated PTB is received that corresponds 1247 to the last successfully probed size (PL_PTB_SIZE = PLPMTU), or a 1248 probe of size MAX_PLPMTU is acknowledged (PLPMTU = MAX_PLPMTU). 1250 When a black hole is detected in the SEARCHING state, this causes 1251 the PL sender to enter the BASE state. 1253 SEARCH_COMPLETE: The SEARCH_COMPLETE state indicates a successful 1254 end to the SEARCHING state. DPLPMTUD remains in this state until 1255 either the PMTU_RAISE_TIMER expires or a black hole is detected. 1257 When DPLPMTUD uses an unacknowledged PL and is in the 1258 SEARCH_COMPLETE state, a CONFIRMATION_TIMER periodically resets 1259 the PROBE_COUNT and schedules a probe packet with the size of the 1260 PLPMTU. If MAX_PROBES successive PLPMTUD sized probes fail to be 1261 acknowledged the method enters the BASE state. When used with an 1262 acknowledged PL (e.g., SCTP), DPLPMTUD SHOULD NOT continue to 1263 generate PLPMTU probes in this state. 1265 ERROR: The ERROR state represents the case where either the network 1266 path is not known to support a PLPMTU of at least the BASE_PLPMTU 1267 size or when there is contradictory information about the network 1268 path that would otherwise result in excessive variation in the MPS 1269 signaled to the higher layer. The state implements a method to 1270 mitigate oscillation in the state-event engine. It signals a 1271 conservative value of the MPS to the higher layer by the PL. The 1272 state is exited when packet probes no longer detect the error. 1273 The PL sender then enters the SEARCHING state. 1275 Implementations are permitted to enable endpoint fragmentation if 1276 the DPLPMTUD is unable to validate MIN_PLPMTU within PROBE_COUNT 1277 probes. If DPLPMTUD is unable to validate MIN_PLPMTU the 1278 implementation will transition to the DISABLED state. 1280 Note: MIN_PLPMTU could be identical to BASE_PLPMTU, simplifying 1281 the actions in this state. 1283 5.3. Search to Increase the PLPMTU 1285 This section describes the algorithms used by DPLPMTUD to search for 1286 a larger PLPMTU. 1288 5.3.1. Probing for a larger PLPMTU 1290 Implementations use a search algorithm across the search range to 1291 determine whether a larger PLPMTU can be supported across a network 1292 path. 1294 The method discovers the search range by confirming the minimum 1295 PLPMTU and then using the probe method to select a PROBED_SIZE less 1296 than or equal to MAX_PLPMTU. MAX_PLPMTU is the minimum of the local 1297 MTU and EMTU_R (when this is learned from the remote endpoint). The 1298 MAX_PLPMTU MAY be reduced by an application that sets a maximum to 1299 the size of datagrams it will send. 1301 The PROBE_COUNT is initialized to zero when the first probe with a 1302 size greater than or equal to PLPMTUD is sent. A timer is used to 1303 trigger the sending of probe packets of size PROBED_SIZE, larger than 1304 the PLPMTU. Each probe packet successfully sent to the remote peer 1305 is confirmed by acknowledgment at the PL, see Section 4.1. 1307 Each time a probe packet is sent to the destination, the PROBE_TIMER 1308 is started. The timer is canceled when the PL receives 1309 acknowledgment that the probe packet has been successfully sent 1310 across the path Section 4.1. This confirms that the PROBED_SIZE is 1311 supported, and the PROBED_SIZE value is then assigned to the PLPMTU. 1312 The search algorithm can continue to send subsequent probe packets of 1313 an increasing size. 1315 If the timer expires before a probe packet is acknowledged, the probe 1316 has failed to confirm the PROBED_SIZE. Each time the PROBE_TIMER 1317 expires, the PROBE_COUNT is incremented, the PROBE_TIMER is 1318 reinitialized, and a new probe of the same size or any other size 1319 (determined by the search algorithm) can be sent. The maximum number 1320 of consecutive failed probes is configured (MAX_PROBES). If the 1321 value of the PROBE_COUNT reaches MAX_PROBES, probing will stop, and 1322 the PL sender enters the SEARCH_COMPLETE state. 1324 5.3.2. Selection of Probe Sizes 1326 The search algorithm determines a minimum useful gain in PLPMTU. It 1327 would not be constructive for a PL sender to attempt to probe for all 1328 sizes. This would incur unnecessary load on the path. 1329 Implementations SHOULD select the set of probe packet sizes to 1330 maximize the gain in PLPMTU from each search step. 1332 Implementations could optimize the search procedure by selecting step 1333 sizes from a table of common PMTU sizes. When selecting the 1334 appropriate next size to search, an implementer ought to also 1335 consider that there can be common sizes of MPS that applications seek 1336 to use, and their could be common sizes of MTU used within the 1337 network. 1339 5.3.3. Resilience to Inconsistent Path Information 1341 A decision to increase the PLPMTU needs to be resilient to the 1342 possibility that information learned about the network path is 1343 inconsistent. A path is inconsistent, when, for example, probe 1344 packets are lost due to other reasons (i.e., not packet size) or due 1345 to frequent path changes. Frequent path changes could occur by 1346 unexpected "flapping" - where some packets from a flow pass along one 1347 path, but other packets follow a different path with different 1348 properties. 1350 A PL sender is able to detect inconsistency from the sequence of 1351 PLPMTU probes that are acknowledged or the sequence of PTB messages 1352 that it receives. When inconsistent path information is detected, a 1353 PL sender could use an alternate search mode that clamps the offered 1354 MPS to a smaller value for a period of time. This avoids unnecessary 1355 loss of packets. 1357 5.4. Robustness to Inconsistent Paths 1359 Some paths could be unable to sustain packets of the BASE_PLPMTU 1360 size. To be robust to these paths an implementation could implement 1361 the Error State. This allows fallback to a smaller than desired 1362 PLPMTU, rather than suffer connectivity failure. This could utilize 1363 methods such as endpoint IP fragmentation to enable the PL sender to 1364 communicate using packets smaller than the BASE_PLPMTU. 1366 6. Specification of Protocol-Specific Methods 1368 DPLPMTUD requires protocol-specific details to be specified for each 1369 PL that is used. 1371 The first subsection provides guidance on how to implement the 1372 DPLPMTUD method as a part of an application using UDP or UDP-Lite. 1373 The guidance also applies to other datagram services that do not 1374 include a specific transport protocol (such as a tunnel 1375 encapsulation). The following subsections describe how DPLPMTUD can 1376 be implemented as a part of the transport service, allowing 1377 applications using the service to benefit from discovery of the 1378 PLPMTU without themselves needing to implement this method when using 1379 SCTP and QUIC. 1381 6.1. Application support for DPLPMTUD with UDP or UDP-Lite 1383 The current specifications of UDP [RFC0768] and UDP-Lite [RFC3828] do 1384 not define a method in the RFC-series that supports PLPMTUD. In 1385 particular, the UDP transport does not provide the transport features 1386 needed to implement datagram PLPMTUD. 1388 The DPLPMTUD method can be implemented as a part of an application 1389 built directly or indirectly on UDP or UDP-Lite, but relies on 1390 higher-layer protocol features to implement the method [RFC8085]. 1392 Some primitives used by DPLPMTUD might not be available via the 1393 Datagram API (e.g., the ability to access the PLPMTU from the IP 1394 layer cache, or interpret received PTB messages). 1396 In addition, it is desirable that PMTU discovery is not performed by 1397 multiple protocol layers. An application SHOULD avoid using DPLPMTUD 1398 when the underlying transport system provides this capability. To 1399 use common method for managing the PLPMTU has benefits, both in the 1400 ability to share state between different processes and opportunities 1401 to coordinate probing. 1403 6.1.1. Application Request 1405 An application needs an application-layer protocol mechanism (such as 1406 a message acknowledgment method) that solicits a response from a 1407 destination endpoint. The method SHOULD allow the sender to check 1408 the value returned in the response to provide additional protection 1409 from off-path insertion of data [RFC8085], suitable methods include a 1410 parameter known only to the two endpoints, such as a session ID or 1411 initialized sequence number. 1413 6.1.2. Application Response 1415 An application needs an application-layer protocol mechanism to 1416 communicate the response from the destination endpoint. This 1417 response could indicate successful reception of the probe across the 1418 path, but could also indicate that some (or all packets) have failed 1419 to reach the destination. 1421 6.1.3. Sending Application Probe Packets 1423 A probe packet can carry an application data block, but the 1424 successful transmission of this data is at risk when used for 1425 probing. Some applications might prefer to use a probe packet that 1426 does not carry an application data block to avoid disruption to data 1427 transfer. 1429 6.1.4. Initial Connectivity 1431 An application that does not have other higher-layer information 1432 confirming connectivity with the remote peer SHOULD implement a 1433 connectivity mechanism using acknowledged probe packets before 1434 entering the BASE state. 1436 6.1.5. Validating the Path 1438 An application that does not have other higher-layer information 1439 confirming correct delivery of datagrams SHOULD implement the 1440 CONFIRMATION_TIMER to periodically send probe packets while in the 1441 SEARCH_COMPLETE state. 1443 6.1.6. Handling of PTB Messages 1445 An application that is able and wishes to receive PTB messages MUST 1446 perform ICMP validation as specified in Section 5.2 of [RFC8085]. 1447 This requires that the application checks each received PTB message 1448 to validate that it was is received in response to transmitted 1449 traffic and that the reported PL_PTB_SIZE is less than the current 1450 probed size (see Section 4.6.2). A validated PTB message MAY be used 1451 as input to the DPLPMTUD algorithm, but MUST NOT be used directly to 1452 set the PLPMTU. 1454 6.2. DPLPMTUD for SCTP 1456 Section 10.2 of [RFC4821] specified a recommended PLPMTUD probing 1457 method for SCTP and Section 7.3 of [RFC4960] and recommended an 1458 endpoint apply the techniques in RFC4821 on a per-destination-address 1459 basis. The specification for DPLPMTUD continues the practice of 1460 using the PL to discover the PMTU, but updates, RFC4960 with a 1461 recommendation to use the method specified in this document: The 1462 RECOMMENDED method for generating probes is to add a chunk consisting 1463 only of padding to an SCTP message. The PAD chunk defined in 1464 [RFC4820] SHOULD be attached to a minimum length HEARTBEAT (HB) chunk 1465 to build a probe packet. This enables probing without affecting the 1466 transfer of user messages and without being limited by congestion 1467 control or flow control. This is preferred to using DATA chunks 1468 (with padding as required) as path probes. 1470 Section 6.9 of [RFC4960] describes dividing the user messages into 1471 data chunks sent by the PL when using SCTP. This notes that once an 1472 SCTP message has been sent, it cannot be re-segmented. [RFC4960] 1473 describes the method to retransmit data chunks when the MPS has 1474 reduced, and the use of IP fragmentation for this case. 1476 6.2.1. SCTP/IPv4 and SCTP/IPv6 1478 6.2.1.1. Initial Connectivity 1480 The base protocol is specified in [RFC4960]. This provides an 1481 acknowledged PL. A sender can therefore enter the BASE state as soon 1482 as connectivity has been confirmed. 1484 6.2.1.2. Sending SCTP Probe Packets 1486 Probe packets consist of an SCTP common header followed by a 1487 HEARTBEAT chunk and a PAD chunk. The PAD chunk is used to control 1488 the length of the probe packet. The HEARTBEAT chunk is used to 1489 trigger the sending of a HEARTBEAT ACK chunk. The reception of the 1490 HEARTBEAT ACK chunk acknowledges reception of a successful probe. A 1491 successful probe updates the association and path counters, but an 1492 unsuccessful probe is discounted (assumed to be a result of choosing 1493 too large a PLPMTU). 1495 The HEARTBEAT chunk carries a Heartbeat Information parameter which 1496 includes, besides the information suggested in [RFC4960], the probe 1497 size, which is the size of the complete datagram. The size of the 1498 PAD chunk is therefore computed by reducing the probing size by the 1499 IPv4 or IPv6 header size, the SCTP common header, the HEARTBEAT 1500 request and the PAD chunk header. The payload of the PAD chunk 1501 contains arbitrary data. 1503 Probing starts directly after the PL handshake, before data is sent. 1504 Assuming this behavior (i.e., the PMTU is smaller than or equal to 1505 the interface MTU), this process will take several round trip time 1506 periods, dependent on the number of DPLPMTUD probes sent. The 1507 Heartbeat timer can be used to implement the PROBE_TIMER. 1509 6.2.1.3. Validating the Path with SCTP 1511 Since SCTP provides an acknowledged PL, a sender MUST NOT implement 1512 the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1514 6.2.1.4. PTB Message Handling by SCTP 1516 Normal ICMP validation MUST be performed as specified in Appendix C 1517 of [RFC4960]. This requires that the first 8 bytes of the SCTP 1518 common header are quoted in the payload of the PTB message, which can 1519 be the case for ICMPv4 and is normally the case for ICMPv6. 1521 When a PTB message has been validated, the PL_PTB_SIZE calculated 1522 from the PTB_SIZE reported in the PTB message SHOULD be used with the 1523 DPLPMTUD algorithm, providing that the reported PL_PTB_SIZE is less 1524 than the current probe size (see Section 4.6). 1526 6.2.2. DPLPMTUD for SCTP/UDP 1528 The UDP encapsulation of SCTP is specified in [RFC6951]. 1530 This specification updates the reference to RFC 4821 in section 5.6 1531 of RFC 6951 to refer to XXXTHISRFCXXX. RFC 6951 is updated by 1532 addition of the following sentence is to be added at the end of 1533 section 5.6: "The RECOMMENDED method for determining the MTU of the 1534 path is specified in XXXTHISRFCXXX". 1536 XXX RFC EDITOR - please replace XXXTHISRFCXXX when published XXX 1538 6.2.2.1. Initial Connectivity 1540 A sender can enter the BASE state as soon as SCTP connectivity has 1541 been confirmed. 1543 6.2.2.2. Sending SCTP/UDP Probe Packets 1545 Packet probing can be performed as specified in Section 6.2.1.2. The 1546 maximum payload is reduced by 8 bytes, which has to be considered 1547 when filling the PAD chunk. 1549 6.2.2.3. Validating the Path with SCTP/UDP 1551 Since SCTP provides an acknowledged PL, a sender MUST NOT implement 1552 the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1554 6.2.2.4. Handling of PTB Messages by SCTP/UDP 1556 ICMP validation MUST be performed for PTB messages as specified in 1557 Appendix C of [RFC4960]. This requires that the first 8 bytes of the 1558 SCTP common header are contained in the PTB message, which can be the 1559 case for ICMPv4 (but note the UDP header also consumes a part of the 1560 quoted packet header) and is normally the case for ICMPv6. When the 1561 validation is completed, the PL_PTB_SIZE calculated from the PTB_SIZE 1562 in the PTB message SHOULD be used with the DPLPMTUD providing that 1563 the reported PL_PTB_SIZE is less than the current probe size. 1565 6.2.3. DPLPMTUD for SCTP/DTLS 1567 The Datagram Transport Layer Security (DTLS) encapsulation of SCTP is 1568 specified in [RFC8261]. This is used for data channels in WebRTC 1569 implementations. This specification updates the reference to RFC 1570 4821 in section 5 of RFC 8261 to refer to XXXTHISRFCXXX. 1572 XXX RFC EDITOR - please replace XXXTHISRFCXXX when published XXX 1574 6.2.3.1. Initial Connectivity 1576 A sender can enter the BASE state as soon as SCTP connectivity has 1577 been confirmed. 1579 6.2.3.2. Sending SCTP/DTLS Probe Packets 1581 Packet probing can be done, as specified in Section 6.2.1.2. 1583 6.2.3.3. Validating the Path with SCTP/DTLS 1585 Since SCTP provides an acknowledged PL, a sender MUST NOT implement 1586 the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1588 6.2.3.4. Handling of PTB Messages by SCTP/DTLS 1590 [RFC4960] does not specify a way to validate SCTP/DTLS ICMP message 1591 payload. This can prevent processing of PTB messages at the PL. 1593 6.3. DPLPMTUD for QUIC 1595 QUIC [I-D.ietf-quic-transport] is a UDP-based transport that provides 1596 reception feedback. The UDP payload includes the QUIC packet header, 1597 protected payload, and any authentication fields. QUIC depends on a 1598 PMTU of at least 1280 bytes. 1600 Section 14 of [I-D.ietf-quic-transport] describes the path 1601 considerations when sending QUIC packets. It recommends the use of 1602 PADDING frames to build the probe packet. Pure probe-only packets 1603 are constructed with PADDING frames and PING frames to create a 1604 padding only packet that will elicit an acknowledgment. Such padding 1605 only packets enable probing without affecting the transfer of other 1606 QUIC frames. 1608 The recommendation for QUIC endpoints implementing DPLPMTUD is that a 1609 MPS is maintained for each combination of local and remote IP 1610 addresses [I-D.ietf-quic-transport]. If a QUIC endpoint determines 1611 that the PMTU between any pair of local and remote IP addresses has 1612 fallen below the size required for an acceptable MPS, it immediately 1613 ceases to send QUIC packets on the affected path. This could result 1614 in termination of the connection if an alternative path cannot be 1615 found [I-D.ietf-quic-transport]. 1617 6.3.1. Initial Connectivity 1619 The base protocol is specified in [I-D.ietf-quic-transport]. This 1620 provides an acknowledged PL. A sender can therefore enter the BASE 1621 state as soon as connectivity has been confirmed. 1623 6.3.2. Sending QUIC Probe Packets 1625 A probe packet consists of a QUIC Header and a payload containing 1626 PADDING Frames and a PING Frame. PADDING Frames are a single octet 1627 (0x00) and several of these can be used to create a probe packet of 1628 size PROBED_SIZE. QUIC provides an acknowledged PL, a sender can 1629 therefore enter the BASE state as soon as connectivity has been 1630 confirmed. 1632 The current specification of QUIC sets the following: 1634 * BASE_PLPMTU: A QUIC sender pads initial packets to confirm the 1635 path can support packets of the required size, this sets the 1636 BASE_PLPMTU and MIN_PLPMTU. 1638 * MIN_PLPMTU: A QUIC sender that determines the MIN_PLPMTU has 1639 fallen MUST immediately stop sending on the affected path. 1641 6.3.3. Validating the Path with QUIC 1643 QUIC provides an acknowledged PL. A sender therefore MUST NOT 1644 implement the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1646 6.3.4. Handling of PTB Messages by QUIC 1648 QUIC validates ICMP PTB messages. In addition to UDP Port 1649 validation, QUIC can validate an ICMP message by using other PL 1650 information (e.g., validation of connection identifiers (CIDs) in the 1651 quoted packet of any received ICMP message). 1653 7. Acknowledgments 1655 This work was partially funded by the European Union's Horizon 2020 1656 research and innovation programme under grant agreement No. 644334 1657 (NEAT). The views expressed are solely those of the author(s). 1659 Thanks to all that have commented or contributed, the TSVWG and QUIC 1660 working groups, and Mathew Calder and Julius Flohr for providing 1661 early implementations. 1663 8. IANA Considerations 1665 This memo includes no request to IANA. 1667 If there are no requirements for IANA, the section will be removed 1668 during conversion into an RFC by the RFC Editor. 1670 9. Security Considerations 1672 The security considerations for the use of UDP and SCTP are provided 1673 in the referenced RFCs. 1675 To avoid excessive load, the interval between individual probe 1676 packets MUST be at least one RTT, and the interval between rounds of 1677 probing is determined by the PMTU_RAISE_TIMER. 1679 A PL sender needs to ensure that the method used to confirm reception 1680 of probe packets protects from off-path attackers injecting packets 1681 into the path. This protection if provided in IETF-defined protocols 1682 (e.g., TCP, SCTP) using a randomly-initialized sequence number. A 1683 description of one way to do this when using UDP is provided in 1684 section 5.1 of [RFC8085]). 1686 There are cases where ICMP Packet Too Big (PTB) messages are not 1687 delivered due to policy, configuration or equipment design (see 1688 Section 1.1), this method therefore does not rely upon PTB messages 1689 being received, but is able to utilize these when they are received 1690 by the sender. PTB messages could potentially be used to cause a 1691 node to inappropriately reduce the PLPMTU. A node supporting 1692 DPLPMTUD MUST therefore appropriately validate the payload of PTB 1693 messages to ensure these are received in response to transmitted 1694 traffic (i.e., a reported error condition that corresponds to a 1695 datagram actually sent by the path layer, see Section 4.6.1). 1697 An on-path attacker, able to create a PTB message could forge PTB 1698 messages that include a valid quoted IP packet. Such an attack could 1699 be used to drive down the PLPMTU. There are two ways this method can 1700 be mitigated against such attacks: First, by ensuring that a PL 1701 sender never reduces the PLPMTU below the base size, solely in 1702 response to receiving a PTB message. This is achieved by first 1703 entering the BASE state when such a message is received. Second, the 1704 design does not require processing of PTB messages, a PL sender could 1705 therefore suspend processing of PTB messages (e.g., in a robustness 1706 mode after detecting that subsequent probes actually confirm that a 1707 size larger than the PTB_SIZE is supported by a path). 1709 The successful processing of an ICMP message can trigger a probe when 1710 the reported PTB size is valid, but this does not directly update the 1711 PLPMTU for the path. This prevents a message attempting to black 1712 hole data by indicating a size larger than supported by the path. 1714 Parallel forwarding paths SHOULD be considered. Section 5.4 1715 identifies the need for robustness in the method because the path 1716 information might be inconsistent. 1718 A node performing DPLPMTUD could experience conflicting information 1719 about the size of supported probe packets. This could occur when 1720 there are multiple paths are concurrently in use and these exhibit a 1721 different PMTU. If not considered, this could result in packets not 1722 being delivered (black holed) when the PLPMTU results in a packet 1723 larger than the smallest actual PMTU. 1725 DPLPMTUD methods can introduce padding data to inflate the length of 1726 the datagram to the total size required for a probe packet. The 1727 total size of a probe packet includes all headers and padding added 1728 to the payload data being sent (e.g., including security-related 1729 fields such as an AEAD tag and TLS record layer padding). The value 1730 of the padding data does not influence the DPLPMTUD search algorithm, 1731 and therefore needs to be set consistent with the policy of the PL. 1733 If a PL can make use of cryptographic confidentiality or data- 1734 integrity mechanisms, then the design ought to avoid adding anything 1735 (e.g., padding) to DPLPMTUD probe packets that is not also protected 1736 by those cryptographic mechanisms. 1738 10. References 1740 10.1. Normative References 1742 [I-D.ietf-quic-transport] 1743 Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed 1744 and Secure Transport", Work in Progress, Internet-Draft, 1745 draft-ietf-quic-transport-27, 21 February 2020, 1746 . 1749 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 1750 DOI 10.17487/RFC0768, August 1980, 1751 . 1753 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, 1754 DOI 10.17487/RFC0791, September 1981, 1755 . 1757 [RFC1191] Mogul, J.C. and S.E. Deering, "Path MTU discovery", 1758 RFC 1191, DOI 10.17487/RFC1191, November 1990, 1759 . 1761 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1762 Requirement Levels", BCP 14, RFC 2119, 1763 DOI 10.17487/RFC2119, March 1997, 1764 . 1766 [RFC3828] Larzon, L-A., Degermark, M., Pink, S., Jonsson, L-E., Ed., 1767 and G. Fairhurst, Ed., "The Lightweight User Datagram 1768 Protocol (UDP-Lite)", RFC 3828, DOI 10.17487/RFC3828, July 1769 2004, . 1771 [RFC4820] Tuexen, M., Stewart, R., and P. Lei, "Padding Chunk and 1772 Parameter for the Stream Control Transmission Protocol 1773 (SCTP)", RFC 4820, DOI 10.17487/RFC4820, March 2007, 1774 . 1776 [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", 1777 RFC 4960, DOI 10.17487/RFC4960, September 2007, 1778 . 1780 [RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream 1781 Control Transmission Protocol (SCTP) Packets for End-Host 1782 to End-Host Communication", RFC 6951, 1783 DOI 10.17487/RFC6951, May 2013, 1784 . 1786 [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage 1787 Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, 1788 March 2017, . 1790 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1791 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1792 May 2017, . 1794 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 1795 (IPv6) Specification", STD 86, RFC 8200, 1796 DOI 10.17487/RFC8200, July 2017, 1797 . 1799 [RFC8201] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., 1800 "Path MTU Discovery for IP version 6", STD 87, RFC 8201, 1801 DOI 10.17487/RFC8201, July 2017, 1802 . 1804 [RFC8261] Tuexen, M., Stewart, R., Jesup, R., and S. Loreto, 1805 "Datagram Transport Layer Security (DTLS) Encapsulation of 1806 SCTP Packets", RFC 8261, DOI 10.17487/RFC8261, November 1807 2017, . 1809 10.2. Informative References 1811 [I-D.ietf-intarea-frag-fragile] 1812 Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O., 1813 and F. Gont, "IP Fragmentation Considered Fragile", Work 1814 in Progress, Internet-Draft, draft-ietf-intarea-frag- 1815 fragile-17, 30 September 2019, . 1818 [I-D.ietf-intarea-tunnels] 1819 Touch, J. and M. Townsley, "IP Tunnels in the Internet 1820 Architecture", Work in Progress, Internet-Draft, draft- 1821 ietf-intarea-tunnels-10, 12 September 2019, 1822 . 1825 [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, 1826 RFC 792, DOI 10.17487/RFC0792, September 1981, 1827 . 1829 [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - 1830 Communication Layers", STD 3, RFC 1122, 1831 DOI 10.17487/RFC1122, October 1989, 1832 . 1834 [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", 1835 RFC 1812, DOI 10.17487/RFC1812, June 1995, 1836 . 1838 [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", 1839 RFC 2923, DOI 10.17487/RFC2923, September 2000, 1840 . 1842 [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram 1843 Congestion Control Protocol (DCCP)", RFC 4340, 1844 DOI 10.17487/RFC4340, March 2006, 1845 . 1847 [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet 1848 Control Message Protocol (ICMPv6) for the Internet 1849 Protocol Version 6 (IPv6) Specification", STD 89, 1850 RFC 4443, DOI 10.17487/RFC4443, March 2006, 1851 . 1853 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU 1854 Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, 1855 . 1857 [RFC4890] Davies, E. and J. Mohacsi, "Recommendations for Filtering 1858 ICMPv6 Messages in Firewalls", RFC 4890, 1859 DOI 10.17487/RFC4890, May 2007, 1860 . 1862 [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT 1863 Behavioral Requirements for ICMP", BCP 148, RFC 5508, 1864 DOI 10.17487/RFC5508, April 2009, 1865 . 1867 Appendix A. Revision Notes 1869 Note to RFC-Editor: please remove this entire section prior to 1870 publication. 1872 Individual draft -00: 1874 * Comments and corrections are welcome directly to the authors or 1875 via the IETF TSVWG working group mailing list. 1877 * This update is proposed for WG comments. 1879 Individual draft -01: 1881 * Contains the first representation of the algorithm, showing the 1882 states and timers 1884 * This update is proposed for WG comments. 1886 Individual draft -02: 1888 * Contains updated representation of the algorithm, and textual 1889 corrections. 1891 * The text describing when to set the effective PMTU has not yet 1892 been validated by the authors 1894 * To determine security to off-path-attacks: We need to decide 1895 whether a received PTB message SHOULD/MUST be validated? The text 1896 on how to handle a PTB message indicating a link MTU larger than 1897 the probe has yet not been validated by the authors 1899 * No text currently describes how to handle inconsistent results 1900 from arbitrary re-routing along different parallel paths 1902 * This update is proposed for WG comments. 1904 Working Group draft -00: 1906 * This draft follows a successful adoption call for TSVWG 1908 * There is still work to complete, please comment on this draft. 1910 Working Group draft -01: 1912 * This draft includes improved introduction. 1914 * The draft is updated to require ICMP validation prior to accepting 1915 PTB messages - this to be confirmed by WG 1917 * Section added to discuss Selection of Probe Size - methods to be 1918 evaluated and recommendations to be considered 1920 * Section added to align with work proposed in the QUIC WG. 1922 Working Group draft -02: 1924 * The draft was updated based on feedback from the WG, and a 1925 detailed review by Magnus Westerlund. 1927 * The document updates RFC 4821. 1929 * Requirements list updated. 1931 * Added more explicit discussion of a simpler black-hole detection 1932 mode. 1934 * This draft includes reorganisation of the section on IETF 1935 protocols. 1937 * Added more discussion of implementation within an application. 1939 * Added text on flapping paths. 1941 * Replaced 'effective MTU' with new term PLPMTU. 1943 Working Group draft -03: 1945 * Updated figures 1947 * Added more discussion on blackhole detection 1949 * Added figure describing just blackhole detection 1951 * Added figure relating MPS sizes 1953 Working Group draft -04: 1955 * Described phases and named these consistently. 1957 * Corrected transition from confirmation directly to the search 1958 phase (Base has been checked). 1960 * Redrawn state diagrams. 1962 * Renamed BASE_MTU to BASE_PMTU (because it is a base for the PMTU). 1964 * Clarified Error state. 1966 * Clarified suspending DPLPMTUD. 1968 * Verified normative text in requirements section. 1970 * Removed duplicate text. 1972 * Changed all text to refer to /packet probe/probe packet/ 1973 /validation/verification/ added term /Probe Confirmation/ and 1974 clarified BlackHole detection. 1976 Working Group draft -05: 1978 * Updated security considerations. 1980 * Feedback after speaking with Joe Touch helped improve UDP-Options 1981 description. 1983 Working Group draft -06: 1985 * Updated description of ICMP issues in section 1.1 1987 * Update to description of QUIC. 1989 Working group draft -07: 1991 * Moved description of the PTB processing method from the PTB 1992 requirements section. 1994 * Clarified what is performed in the PTB validation check. 1996 * Updated security consideration to explain PTB security without 1997 needing to read the rest of the document. 1999 * Reformatted state machine diagram 2001 Working group draft -08: 2003 * Moved to rfcxml v3+ 2005 * Rendered diagrams to svg in html version. 2007 * Removed Appendix A. Event-driven state changes. 2009 * Removed section on DPLPMTUD with UDP Options. 2011 * Shortened the description of phases. 2013 Working group draft -09: 2015 * Remove final mention of UDP Options 2017 * Add Initial Connectivity sections to each PL 2018 * Add to disable outgoing pmtu enforcement of packets 2020 Working group draft -10: 2022 * Address comments from Lars Eggert 2024 * Reinforce that PROBE_COUNT is successive attempts to probe for any 2025 size 2027 * Redefine MAX_PROBES to 3 2029 * Address PTB_SIZE of 0 or less that MIN_PLPMTU 2031 Working group draft -11: 2033 * Restore a sentence removed in previous rev 2035 * De-acronymise QUIC 2037 * Address some nits 2039 Working group draft -12: 2041 * Add TSVWG, QUIC and implementers to acknowledgments 2043 * Shorten a diagram line. 2045 * Address nits from Julius and Wes. 2047 * Be clearer when talking about IP layer caches 2049 Working group draft -13, -14: 2051 * Updated after WGLC. 2053 Working group draft -15: 2055 * Updated after AD evaluation and prepared for IETF-LC. 2057 Working group draft -16: 2059 * Updated text after SECDIR review. 2061 Working group draft -17: 2063 * Updated text after GENART and IETF-LC. 2065 * Renamed BASE_MTU to BASE_PLPMTU, and MIN and MAX PMTU to PLPMTU 2066 (because these are about a base for the PLPMTU), and ensured 2067 consistent separation of PMTU and PLPMTU. 2069 * Adopted US-style English throughout. 2071 Authors' Addresses 2073 Godred Fairhurst 2074 University of Aberdeen 2075 School of Engineering 2076 Fraser Noble Building 2077 Aberdeen 2078 AB24 3UE 2079 United Kingdom 2081 Email: gorry@erg.abdn.ac.uk 2083 Tom Jones 2084 University of Aberdeen 2085 School of Engineering 2086 Fraser Noble Building 2087 Aberdeen 2088 AB24 3UE 2089 United Kingdom 2091 Email: tom@erg.abdn.ac.uk 2093 Michael Tuexen 2094 Muenster University of Applied Sciences 2095 Stegerwaldstrasse 39 2096 48565 Steinfurt 2097 Germany 2099 Email: tuexen@fh-muenster.de 2101 Irene Ruengeler 2102 Muenster University of Applied Sciences 2103 Stegerwaldstrasse 39 2104 48565 Steinfurt 2105 Germany 2107 Email: i.ruengeler@fh-muenster.de 2108 Timo Voelker 2109 Muenster University of Applied Sciences 2110 Stegerwaldstrasse 39 2111 48565 Steinfurt 2112 Germany 2114 Email: timo.voelker@fh-muenster.de