idnits 2.17.1 draft-ietf-tsvwg-datagram-plpmtud-21.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The abstract seems to indicate that this document updates RFC8201, but the header doesn't have an 'Updates:' line to match this. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC4821, updated by this document, for RFC5378 checks: 2003-10-21) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (12 May 2020) is 1442 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-34) exists of draft-ietf-quic-transport-27 ** Obsolete normative reference: RFC 4960 (Obsoleted by RFC 9260) == Outdated reference: A later version (-13) exists of draft-ietf-intarea-tunnels-10 Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force G. Fairhurst 3 Internet-Draft T. Jones 4 Updates: 4821, 4960, 6951, 8085, 8261 (if University of Aberdeen 5 approved) M. Tuexen 6 Intended status: Standards Track I. Ruengeler 7 Expires: 13 November 2020 T. Voelker 8 Muenster University of Applied Sciences 9 12 May 2020 11 Packetization Layer Path MTU Discovery for Datagram Transports 12 draft-ietf-tsvwg-datagram-plpmtud-21 14 Abstract 16 This document describes a robust method for Path MTU Discovery 17 (PMTUD) for datagram Packetization Layers (PLs). It describes an 18 extension to RFC 1191 and RFC 8201, which specifies ICMP-based Path 19 MTU Discovery for IPv4 and IPv6. The method allows a PL, or a 20 datagram application that uses a PL, to discover whether a network 21 path can support the current size of datagram. This can be used to 22 detect and reduce the message size when a sender encounters a packet 23 black hole (where packets are discarded). The method can probe a 24 network path with progressively larger packets to discover whether 25 the maximum packet size can be increased. This allows a sender to 26 determine an appropriate packet size, providing functionality for 27 datagram transports that is equivalent to the Packetization Layer 28 PMTUD specification for TCP, specified in RFC 4821. 30 This document updates RFC 4821 to specify the PLPMTUD method for 31 datagram PLs. It also updates RFC 8085 to refer to the method 32 specified in this document instead of the method in RFC 4821 for use 33 with UDP datagrams. Section 7.3 of RFC 4960 recommends an endpoint 34 apply the techniques in RFC 4821 on a per-destination-address basis. 35 RFC 4960, RFC 6951, and RFC 8261 are updated to recommend that SCTP, 36 SCTP encapsulated in UDP and SCTP encapsulated in DTLS use the method 37 specified in this document instead of the method in RFC 4821. 39 The document also provides implementation notes for incorporating 40 Datagram PMTUD into IETF datagram transports or applications that use 41 datagram transports. 43 When published, this specification updates RFC 4960, RFC 4821, RFC 44 8085 and RFC 8261. 46 Status of This Memo 48 This Internet-Draft is submitted in full conformance with the 49 provisions of BCP 78 and BCP 79. 51 Internet-Drafts are working documents of the Internet Engineering 52 Task Force (IETF). Note that other groups may also distribute 53 working documents as Internet-Drafts. The list of current Internet- 54 Drafts is at https://datatracker.ietf.org/drafts/current/. 56 Internet-Drafts are draft documents valid for a maximum of six months 57 and may be updated, replaced, or obsoleted by other documents at any 58 time. It is inappropriate to use Internet-Drafts as reference 59 material or to cite them other than as "work in progress." 61 This Internet-Draft will expire on 13 November 2020. 63 Copyright Notice 65 Copyright (c) 2020 IETF Trust and the persons identified as the 66 document authors. All rights reserved. 68 This document is subject to BCP 78 and the IETF Trust's Legal 69 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 70 license-info) in effect on the date of publication of this document. 71 Please review these documents carefully, as they describe your rights 72 and restrictions with respect to this document. Code Components 73 extracted from this document must include Simplified BSD License text 74 as described in Section 4.e of the Trust Legal Provisions and are 75 provided without warranty as described in the Simplified BSD License. 77 Table of Contents 79 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 80 1.1. Classical Path MTU Discovery . . . . . . . . . . . . . . 4 81 1.2. Packetization Layer Path MTU Discovery . . . . . . . . . 6 82 1.3. Path MTU Discovery for Datagram Services . . . . . . . . 7 83 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 84 3. Features Required to Provide Datagram PLPMTUD . . . . . . . . 11 85 4. DPLPMTUD Mechanisms . . . . . . . . . . . . . . . . . . . . . 14 86 4.1. PLPMTU Probe Packets . . . . . . . . . . . . . . . . . . 14 87 4.2. Confirmation of Probed Packet Size . . . . . . . . . . . 15 88 4.3. Black Hole Detection and Reducing the PLPMTU . . . . . . 16 89 4.4. The Maximum Packet Size (MPS) . . . . . . . . . . . . . . 17 90 4.5. Disabling the Effect of PMTUD . . . . . . . . . . . . . . 18 91 4.6. Response to PTB Messages . . . . . . . . . . . . . . . . 18 92 4.6.1. Validation of PTB Messages . . . . . . . . . . . . . 18 93 4.6.2. Use of PTB Messages . . . . . . . . . . . . . . . . . 19 95 5. Datagram Packetization Layer PMTUD . . . . . . . . . . . . . 20 96 5.1. DPLPMTUD Components . . . . . . . . . . . . . . . . . . . 21 97 5.1.1. Timers . . . . . . . . . . . . . . . . . . . . . . . 21 98 5.1.2. Constants . . . . . . . . . . . . . . . . . . . . . . 22 99 5.1.3. Variables . . . . . . . . . . . . . . . . . . . . . . 23 100 5.1.4. Overview of DPLPMTUD Phases . . . . . . . . . . . . . 24 101 5.2. State Machine . . . . . . . . . . . . . . . . . . . . . . 26 102 5.3. Search to Increase the PLPMTU . . . . . . . . . . . . . . 29 103 5.3.1. Probing for a larger PLPMTU . . . . . . . . . . . . . 29 104 5.3.2. Selection of Probe Sizes . . . . . . . . . . . . . . 30 105 5.3.3. Resilience to Inconsistent Path Information . . . . . 30 106 5.4. Robustness to Inconsistent Paths . . . . . . . . . . . . 31 107 6. Specification of Protocol-Specific Methods . . . . . . . . . 31 108 6.1. Application support for DPLPMTUD with UDP or UDP-Lite . . 31 109 6.1.1. Application Request . . . . . . . . . . . . . . . . . 32 110 6.1.2. Application Response . . . . . . . . . . . . . . . . 32 111 6.1.3. Sending Application Probe Packets . . . . . . . . . . 32 112 6.1.4. Initial Connectivity . . . . . . . . . . . . . . . . 32 113 6.1.5. Validating the Path . . . . . . . . . . . . . . . . . 32 114 6.1.6. Handling of PTB Messages . . . . . . . . . . . . . . 32 115 6.2. DPLPMTUD for SCTP . . . . . . . . . . . . . . . . . . . . 33 116 6.2.1. SCTP/IPv4 and SCTP/IPv6 . . . . . . . . . . . . . . . 33 117 6.2.1.1. Initial Connectivity . . . . . . . . . . . . . . 33 118 6.2.1.2. Sending SCTP Probe Packets . . . . . . . . . . . 33 119 6.2.1.3. Validating the Path with SCTP . . . . . . . . . . 34 120 6.2.1.4. PTB Message Handling by SCTP . . . . . . . . . . 34 121 6.2.2. DPLPMTUD for SCTP/UDP . . . . . . . . . . . . . . . . 34 122 6.2.2.1. Initial Connectivity . . . . . . . . . . . . . . 35 123 6.2.2.2. Sending SCTP/UDP Probe Packets . . . . . . . . . 35 124 6.2.2.3. Validating the Path with SCTP/UDP . . . . . . . . 35 125 6.2.2.4. Handling of PTB Messages by SCTP/UDP . . . . . . 35 126 6.2.3. DPLPMTUD for SCTP/DTLS . . . . . . . . . . . . . . . 35 127 6.2.3.1. Initial Connectivity . . . . . . . . . . . . . . 35 128 6.2.3.2. Sending SCTP/DTLS Probe Packets . . . . . . . . . 36 129 6.2.3.3. Validating the Path with SCTP/DTLS . . . . . . . 36 130 6.2.3.4. Handling of PTB Messages by SCTP/DTLS . . . . . . 36 131 6.3. DPLPMTUD for QUIC . . . . . . . . . . . . . . . . . . . . 36 132 6.3.1. Initial Connectivity . . . . . . . . . . . . . . . . 36 133 6.3.2. Sending QUIC Probe Packets . . . . . . . . . . . . . 37 134 6.3.3. Validating the Path with QUIC . . . . . . . . . . . . 37 135 6.3.4. Handling of PTB Messages by QUIC . . . . . . . . . . 37 136 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37 137 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37 138 9. Security Considerations . . . . . . . . . . . . . . . . . . . 38 139 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 39 140 10.1. Normative References . . . . . . . . . . . . . . . . . . 39 141 10.2. Informative References . . . . . . . . . . . . . . . . . 41 142 Appendix A. Revision Notes . . . . . . . . . . . . . . . . . . . 42 143 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 47 145 1. Introduction 147 The IETF has specified datagram transport using UDP, SCTP, and DCCP, 148 as well as protocols layered on top of these transports (e.g., SCTP/ 149 UDP, DCCP/UDP, QUIC/UDP), and direct datagram transport over the IP 150 network layer. This document describes a robust method for Path MTU 151 Discovery (PMTUD) that can be used with these transport protocols (or 152 the applications that use their transport service) to discover an 153 appropriate size of packet to use across an Internet path. 155 1.1. Classical Path MTU Discovery 157 Classical Path Maximum Transmission Unit Discovery (PMTUD) can be 158 used with any transport that is able to process ICMP Packet Too Big 159 (PTB) messages (e.g., [RFC1191] and [RFC8201]). In this document, 160 the term PTB message is applied to both IPv4 ICMP Unreachable 161 messages (type 3) that carry the error Fragmentation Needed (Type 3, 162 Code 4) [RFC0792] and ICMPv6 Packet Too Big messages (Type 2) 163 [RFC4443]. When a sender receives a PTB message, it reduces the 164 effective MTU to the value reported as the Link MTU in the PTB 165 message. A method from time-to-time increases the packet size in 166 attempt to discover an increase in the supported PMTU. The packets 167 sent with a size larger than the current effective PMTU are known as 168 probe packets. 170 Packets not intended as probe packets are either fragmented to the 171 current effective PMTU, or the attempt to send fails with an error 172 code. Applications can be provided with a primitive to let them read 173 the Maximum Packet Size (MPS), derived from the current effective 174 PMTU. 176 Classical PMTUD is subject to protocol failures. One failure arises 177 when traffic using a packet size larger than the actual PMTU is 178 black-holed (all datagrams larger than the actual PMTU, are 179 discarded). This could arise when the PTB messages are not delivered 180 back to the sender for some reason (see for example [RFC2923]). 182 Examples where PTB messages are not delivered include: 184 * The generation of ICMP messages is usually rate limited. This 185 could result in no PTB messages being generated to the sender (see 186 section 2.4 of [RFC4443]) 188 * ICMP messages can be filtered by middleboxes (including firewalls) 189 [RFC4890]. A firewall could be configured with a policy to block 190 incoming ICMP messages, which would prevent reception of PTB 191 messages to a sending endpoint behind this firewall. 193 * When the router issuing the ICMP message drops a tunneled packet, 194 the resulting ICMP message will be directed to the tunnel ingress. 195 This tunnel endpoint is responsible for forwarding the ICMP 196 message and also processing the quoted packet within the payload 197 field to remove the effect of the tunnel, and return a correctly 198 formatted ICMP message to the sender [I-D.ietf-intarea-tunnels]. 199 Failure to do this prevents the PTB message reaching the original 200 sender. 202 * Asymmetry in forwarding can result in there being no return route 203 to the original sender, which would prevent an ICMP message being 204 delivered to the sender. This issue can also arise when policy- 205 based routing is used, Equal Cost Multipath (ECMP) routing is 206 used, or a middlebox acts as an application load balancer. An 207 example is where the path towards the server is chosen by ECMP 208 routing depending on bytes in the IP payload. In this case, when 209 a packet sent by the server encounters a problem after the ECMP 210 router, then any resulting ICMP message also needs to be directed 211 by the ECMP router towards the original sender. 213 * There are additional cases where the next hop destination fails to 214 receive a packet because of its size. This could be due to 215 misconfiguration of the layer 2 path between nodes, for instance 216 the MTU configured in a layer 2 switch, or misconfiguration of the 217 Maximum Receive Unit (MRU). If a packet is dropped by the link, 218 this will not cause a PTB message to be sent to the original 219 sender. 221 Another failure could result if a node that is not on the network 222 path sends a PTB message that attempts to force a sender to change 223 the effective PMTU [RFC8201]. A sender can protect itself from 224 reacting to such messages by utilizing the quoted packet within a PTB 225 message payload to validate that the received PTB message was 226 generated in response to a packet that had actually originated from 227 the sender. However, there are situations where a sender would be 228 unable to provide this validation. Examples where validation of the 229 PTB message is not possible include: 231 * When a router issuing the ICMP message implements RFC792 232 [RFC0792], it is only required to include the first 64 bits of the 233 IP payload of the packet within the quoted payload. There could 234 be insufficient bytes remaining for the sender to interpret the 235 quoted transport information. 237 Note: The recommendation in RFC1812 [RFC1812] is that IPv4 routers 238 return a quoted packet with as much of the original datagram as 239 possible without the length of the ICMP datagram exceeding 576 240 bytes. IPv6 routers include as much of the invoking packet as 241 possible without the ICMPv6 packet exceeding 1280 bytes [RFC4443]. 243 * The use of tunnels/encryption can reduce the size of the quoted 244 packet returned to the original source address, increasing the 245 risk that there could be insufficient bytes remaining for the 246 sender to interpret the quoted transport information. 248 * Even when the PTB message includes sufficient bytes of the quoted 249 packet, the network layer could lack sufficient context to 250 validate the message, because validation depends on information 251 about the active transport flows at an endpoint node (e.g., the 252 socket/address pairs being used, and other protocol header 253 information). 255 * When a packet is encapsulated/tunneled over an encrypted 256 transport, the tunnel/encapsulation ingress might have 257 insufficient context, or computational power, to reconstruct the 258 transport header that would be needed to perform validation. 260 * When an ICMP message is generated by a router in a network segment 261 that has inserted a header into a packet, the quoted packet could 262 contain additional protocol header information that was not 263 included in the original sent packet, and which the PL sender does 264 not process or may not know how to process. This could disrupt 265 the ability of the sender to validate this PTB message. 267 * A Network Address Translation (NAT) device that translates a 268 packet header, ought to also translate ICMP messages and update 269 the ICMP quoted packet [RFC5508] in that message. If this is not 270 correctly translated then the sender would not be able to 271 associate the message with the PL that originated the packet, and 272 hence this ICMP message cannot be validated. 274 1.2. Packetization Layer Path MTU Discovery 276 The term Packetization Layer (PL) has been introduced to describe the 277 layer that is responsible for placing data blocks into the payload of 278 IP packets and selecting an appropriate MPS. This function is often 279 performed by a transport protocol (e.g., DCCP, RTP, SCTP, QUIC), but 280 can also be performed by other encapsulation methods working above 281 the transport layer. 283 In contrast to PMTUD, Packetization Layer Path MTU Discovery 284 (PLPMTUD) [RFC4821] introduced a method that does not rely upon 285 reception and validation of PTB messages. It is therefore more 286 robust than Classical PMTUD. This has become the recommended 287 approach for implementing discovery of the PMTU [BCP145]. 289 It uses a general strategy where the PL sends probe packets to search 290 for the largest size of unfragmented datagram that can be sent over a 291 network path. Probe packets are sent to explore using a larger 292 packet size. If a probe packet is successfully delivered (as 293 determined by the PL), then the PLPMTU is raised to the size of the 294 successful probe. If a black hole is detected (e.g., where packets 295 of size PLPMTU are consistently not received), the method reduces the 296 PLPMTU. 298 Datagram PLPMTUD introduces flexibility in implementation. At one 299 extreme, it can be configured to only perform Black Hole Detection 300 and recovery with increased robustness compared to Classical PMTUD. 301 At the other extreme, all PTB processing can be disabled, and PLPMTUD 302 replaces Classical PMTUD. 304 PLPMTUD can also include additional consistency checks without 305 increasing the risk that data is lost when probing to discover the 306 Path MTU. For example, information available at the PL, or higher 307 layers, enables received PTB messages to be validated before being 308 utilized. 310 1.3. Path MTU Discovery for Datagram Services 312 Section 5 of this document presents a set of algorithms for datagram 313 protocols to discover the largest size of unfragmented datagram that 314 can be sent over a network path. The method relies upon features of 315 the PL described in Section 3 and applies to transport protocols 316 operating over IPv4 and IPv6. It does not require cooperation from 317 the lower layers, although it can utilize PTB messages when these 318 received messages are made available to the PL. 320 The message size guidelines in section 3.2 of the UDP Usage 321 Guidelines [BCP145] state "an application SHOULD either use the Path 322 MTU information provided by the IP layer or implement Path MTU 323 Discovery (PMTUD)", but does not provide a mechanism for discovering 324 the largest size of unfragmented datagram that can be used on a 325 network path. The present document updates RFC 8085 to specify this 326 method in place of PLPMTUD [RFC4821] and provides a mechanism for 327 sharing the discovered largest size as the MPS (see Section 4.4). 329 Section 10.2 of [RFC4821] recommended a PLPMTUD probing method for 330 the Stream Control Transport Protocol (SCTP). SCTP utilizes probe 331 packets consisting of a minimal sized HEARTBEAT chunk bundled with a 332 PAD chunk as defined in [RFC4820]. However, RFC 4821 did not provide 333 a complete specification. The present document replaces that 334 description by providing a complete specification. 336 The Datagram Congestion Control Protocol (DCCP) [RFC4340] requires 337 implementations to support Classical PMTUD and states that a DCCP 338 sender "MUST maintain the MPS allowed for each active DCCP session". 339 It also defines the current congestion control MPS (CCMPS) supported 340 by a network path. This recommends use of PMTUD, and suggests use of 341 control packets (DCCP-Sync) as path probe packets, because they do 342 not risk application data loss. The method defined in this 343 specification can be used with DCCP. 345 Section 4 and Section 5 define the protocol mechanisms and 346 specification for Datagram Packetization Layer Path MTU Discovery 347 (DPLPMTUD). 349 Section 6 specifies the method for datagram transports and provides 350 information to enable the implementation of PLPMTUD with other 351 datagram transports and applications that use datagram transports. 353 Section 6 also provides updated recommendations for [RFC6951] and 354 [RFC8261]. 356 2. Terminology 358 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 359 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 360 "OPTIONAL" in this document are to be interpreted as described in BCP 361 14 [RFC2119] [RFC8174] when, and only when, they appear in all 362 capitals, as shown here. 364 The following terminology is defined. Relevant terms are directly 365 copied from [RFC4821], and the definitions in [RFC1122]. 367 Acknowledged PL: A PL that includes a mechanism that can confirm 368 successful delivery of datagrams to the remote PL endpoint (e.g., 369 SCTP). Typically, the PL receiver returns acknowledgments 370 corresponding to the received datagrams, which can be utilised to 371 detect black-holing of packets (c.f., Unacknowledged PL). 373 Actual PMTU: The Actual PMTU is the PMTU of a network path between a 374 sender PL and a destination PL, which the DPLPMTUD algorithm seeks 375 to determine. 377 Black Hole: A Black Hole is encountered when a sender is unaware 378 that packets are not being delivered to the destination end point. 379 Two types of Black Hole are relevant to DPLPMTUD: 381 * Packets encounter a packet Black Hole when packets are not 382 delivered to the destination endpoint (e.g., when the sender 383 transmits packets of a particular size with a previously known 384 effective PMTU and they are discarded by the network). 386 * An ICMP Black Hole is encountered when the sender is unaware 387 that packets are not delivered to the destination endpoint 388 because PTB messages are not received by the originating PL 389 sender. 391 Classical Path MTU Discovery: Classical PMTUD is a process described 392 in [RFC1191] and [RFC8201], in which nodes rely on PTB messages to 393 learn the largest size of unfragmented packet that can be used 394 across a network path. 396 Datagram: A datagram is a transport-layer protocol data unit, 397 transmitted in the payload of an IP packet. 399 Effective PMTU: The Effective PMTU is the current estimated value 400 for PMTU that is used by a PMTUD. This is equivalent to the 401 PLPMTU derived by PLPMTUD plus the size of any headers added below 402 the PL, including the IP layer headers. 404 EMTU_S: The Effective MTU for sending (EMTU_S) is defined in 405 [RFC1122] as "the maximum IP datagram size that may be sent, for a 406 particular combination of IP source and destination addresses...". 408 EMTU_R: The Effective MTU for receiving (EMTU_R) is designated in 409 [RFC1122] as "the largest datagram size that can be reassembled". 411 Link: A Link is a communication facility or medium over which nodes 412 can communicate at the link layer, i.e., a layer below the IP 413 layer. Examples are Ethernet LANs and Internet (or higher) layer 414 tunnels. 416 Link MTU: The Link Maximum Transmission Unit (MTU) is the size in 417 bytes of the largest IP packet, including the IP header and 418 payload, that can be transmitted over a link. Note that this 419 could more properly be called the IP MTU, to be consistent with 420 how other standards organizations use the acronym. This includes 421 the IP header, but excludes link layer headers and other framing 422 that is not part of IP or the IP payload. Other standards 423 organizations generally define the link MTU to include the link 424 layer headers. This specification continues the requirement in 425 [RFC4821], that states "All links MUST enforce their MTU: links 426 that might non- deterministically deliver packets that are larger 427 than their rated MTU MUST consistently discard such packets." 429 MAX_PLPMTU: The MAX_PLPMTU is the largest size of PLPMTU that 430 DPLPMTUD will attempt to use (see the constants defined in 431 Section 5.1.2). 433 MIN_PLPMTU: The MIN_PLPMTU is the smallest size of PLPMTU that 434 DPLPMTUD will attempt to use (see the constants defined in 435 Section 5.1.2). 437 MPS: The Maximum Packet Size (MPS) is the largest size of 438 application data block that can be sent across a network path by a 439 PL using a single Datagram. 441 MSL: Maximum Segment Lifetime (MSL) The maximum delay a packet is 442 expected to experience across a path, taken as 2 minutes [BCP145]. 444 Packet: A Packet is the IP header(s) and any extension headers/ 445 options plus the IP payload. 447 Packetization Layer (PL): The PL is a layer of the network stack 448 that places data into packets and performs transport protocol 449 functions. Examples of a PL include: TCP, SCTP, SCTP over UDP, 450 SCTP over DTLS, or QUIC. 452 Path: The Path is the set of links and routers traversed by a packet 453 between a source node and a destination node by a particular flow. 455 Path MTU (PMTU): The Path MTU (PMTU) is the minimum of the Link MTU 456 of all the links forming a network path between a source node and 457 a destination node, as used by PMTUD. 459 PTB: In this document, the term PTB message is applied to both IPv4 460 ICMP Unreachable messages (type 3) that carry the error 461 Fragmentation Needed (Type 3, Code 4) [RFC0792] and ICMPv6 Packet 462 Too Big messages (Type 2) [RFC4443]. 464 PTB_SIZE: The PTB_SIZE is a value reported in a validated PTB 465 message that indicates next hop link MTU of a router along the 466 path. 468 PL_PTB_SIZE: The size reported in a validated PTB message, reduced 469 by the size of all headers added by layers below the PL. 471 PLPMTU: The Packetization Layer PMTU is an estimate of the largest 472 size of PL datagram that can be sent by a path, controled by 473 PLPMTUD. 475 PLPMTUD: Packetization Layer Path MTU Discovery (PLPMTUD), the 476 method described in this document for datagram PLs, which is an 477 extension to Classical PMTU Discovery. 479 Probe packet: A probe packet is a datagram sent with a purposely 480 chosen size (typically the current PLPMTU or larger) to detect if 481 packets of this size can be successfully sent end-to-end across 482 the network path. 484 Unacknowledged PL: A PL that does not itself provide a mechanism to 485 confirm delivery of datagrams to the remote PL endpoint (e.g., 486 UDP), and therefore requires DPLPMTUD to provide a mechanism to 487 detect black-holing of packets (c.f., Acknowledged PL). 489 3. Features Required to Provide Datagram PLPMTUD 491 The principles expressed in [RFC4821] apply to the use of the 492 technique with any PL. TCP PLPMTUD has been defined using standard 493 TCP protocol mechanisms. Unlike TCP, a datagram PL requires 494 additional mechanisms and considerations to implement PLPMTUD. 496 The requirements for datagram PLPMTUD are: 498 1. Managing the PLPMTU: For datagram PLs, the PLPMTU is managed by 499 DPLPMTUD. A PL MUST NOT send a datagram (other than a probe 500 packet) with a size at the PL that is larger than the current 501 PLPMTU. 503 2. Probe packets: The network interface below PL is REQUIRED to 504 provide a way to transmit a probe packet that is larger than the 505 PLPMTU. In IPv4, a probe packet MUST be sent with the Don't 506 Fragment (DF) bit set in the IP header, and without network layer 507 endpoint fragmentation. In IPv6, a probe packet is always sent 508 without source fragmentation (as specified in section 5.4 of 509 [RFC8201]). 511 3. Reception feedback: The destination PL endpoint is REQUIRED to 512 provide a feedback method that indicates to the DPLPMTUD sender 513 when a probe packet has been received by the destination PL 514 endpoint. Section 6 provides examples of how a PL can provide 515 this acknowledgment of received probe packets. 517 4. Probe loss recovery: It is RECOMMENDED to use probe packets that 518 do not carry any user data that would require retransmission if 519 lost. Most datagram transports permit this. If a probe packet 520 contains user data requiring retransmission in case of loss, the 521 PL (or layers above) are REQUIRED to arrange any retransmission/ 522 repair of any resulting loss. The PL is REQUIRED to be robust in 523 the case where probe packets are lost due to other reasons 524 (including link transmission error, congestion). 526 5. PMTU parameters: A DPLPMTUD sender is RECOMMENDED to utilize 527 information about the maximum size of packet that can be 528 transmitted by the sender on the local link (e.g., the local Link 529 MTU). A PL sender MAY utilize similar information about the 530 maximum size of network layer packet that a receiver can accept 531 when this is supplied (note this could be less than EMTU_R). 532 This avoids implementations trying to send probe packets that can 533 not be transferred by the local link. Too high of a value could 534 reduce the efficiency of the search algorithm. Some applications 535 also have a maximum transport protocol data unit (PDU) size, in 536 which case there is no benefit from probing for a size larger 537 than this (unless a transport allows multiplexing multiple 538 applications PDUs into the same datagram). 540 6. Processing PTB messages: A DPLPMTUD sender MAY optionally utilize 541 PTB messages received from the network layer to help identify 542 when a network path does not support the current size of probe 543 packet. Any received PTB message MUST be validated before it is 544 used to update the PLPMTU discovery information [RFC8201]. This 545 validation confirms that the PTB message was sent in response to 546 a packet originating by the sender, and needs to be performed 547 before the PLPMTU discovery method reacts to the PTB message. A 548 PTB message MUST NOT be used to increase the PLPMTU [RFC8201], 549 but could trigger a probe to test for a larger PLPMTU. A valid 550 PTB_SIZE is converted to a PL_PTB_SIZE before it is to be used in 551 the DPLPMTUD state machine. A PL_PTB_SIZE that is greater than 552 that currently probed SHOULD be ignored. (This PTB message ought 553 to be discarded without further processing, but could be utilized 554 as an input that enables a resilience mode). 556 7. Probing and congestion control: A PL MAY use a congestion 557 controller to decide when to send a probe packet. If 558 transmission of probe packets is limited by the congestion 559 controller, this could result in transmission of probe packets 560 being delayed or suspended during congestion. When the 561 transmission of probe packets is not controlled by the congestion 562 controller, the interval between probe packets MUST be at least 563 one RTT. Loss of a probe packet SHOULD NOT be treated as an 564 indication of congestion and SHOULD NOT trigger a congestion 565 control reaction [RFC4821], because this could result in 566 unnecessary reduction of the sending rate. An update to the 567 PLPMTU (or MPS) MUST NOT increase the congestion window measured 568 in bytes [RFC4821]. Therefore, an increase in the packet size 569 does not cause an increase in the data rate in bytes per second. 570 A PL that maintains the congestion window in terms of a limit to 571 the number of outstanding fixed size packets SHOULD adapt this 572 limit to compensate for the size of the actual packets. The 573 transmission of probe packets can interact with the operation of 574 a PL that performs burst mitigation or pacing and could need 575 transmission of probe packets to be regulated by these methods. 577 8. Probing and flow control: Flow control at the PL concerns the 578 end-to-end flow of data using the PL service. Flow control 579 SHOULD NOT apply to DPLPMTU when probe packets use a design that 580 does not carry user data to the remote application. 582 9. Shared PLPMTU state: The PMTU value calculated from the PLPMTU 583 MAY also be stored with the corresponding entry associated with 584 the destination in the IP layer cache, and used by other PL 585 instances. The specification of PLPMTUD [RFC4821] states: "If 586 PLPMTUD updates the MTU for a particular path, all Packetization 587 Layer sessions that share the path representation (as described 588 in Section 5.2 of [RFC4821]) SHOULD be notified to make use of 589 the new MTU". Such methods MUST be robust to the wide variety of 590 underlying network forwarding behaviors. Section 5.2 of 591 [RFC8201] provides guidance on the caching of PMTU information 592 and also the relation to IPv6 flow labels. 594 In addition, the following principles are stated for design of a 595 DPLPMTUD method: 597 * A PL MAY be designed to segment data blocks larger than the MPS 598 into multiple datagrams. However, not all datagram PLs support 599 segmentation of data blocks. It is RECOMMENDED that methods avoid 600 forcing an application to use an arbitrary small MPS for 601 transmission while the method is searching for the currently 602 supported PLPMTU. A reduced MPS can adversely impact the 603 performance of an application. 605 * To assist applications in choosing a suitable data block size, the 606 PL is RECOMMENDED to provide a primitive that returns the MPS 607 derived from the PLPMTU to the higher layer using the PL. The 608 value of the MPS can change following a change in the path, or 609 loss of probe packets. 611 * Path validation: It is RECOMMENDED that methods are robust to path 612 changes that could have occurred since the path characteristics 613 were last confirmed, and to the possibility of inconsistent path 614 information being received. 616 * Datagram reordering: A method is REQUIRED to be robust to the 617 possibility that a flow encounters reordering, or the traffic 618 (including probe packets) is divided over more than one network 619 path. 621 * Datagram delay and duplication: The feedback mechanism is REQUIRED 622 to be robust to the possibility that packets could be 623 significantly delayed or duplicated along a network path. 625 * When to probe: It is RECOMMENDED that methods determine whether 626 the path has changed since it last measured the path. This can 627 help determine when to probe the path again. 629 4. DPLPMTUD Mechanisms 631 This section lists the protocol mechanisms used in this 632 specification. 634 4.1. PLPMTU Probe Packets 636 The DPLPMTUD method relies upon the PL sender being able to generate 637 probe packets with a specific size. TCP is able to generate these 638 probe packets by choosing to appropriately segment data being sent 639 [RFC4821]. In contrast, a datagram PL that constructs a probe packet 640 has to either request an application to send a data block that is 641 larger than that generated by an application, or to utilize padding 642 functions to extend a datagram beyond the size of the application 643 data block. Protocols that permit exchange of control messages 644 (without an application data block) can generate a probe packet by 645 extending a control message with padding data. The total size of a 646 probe packet includes all headers and padding added to the payload 647 data being sent (e.g., including protocol option fields, security- 648 related fields such as an Authenticated Encryption with Associated 649 Data (AEAD) tag and TLS record layer padding). 651 A receiver is REQUIRED to be able to distinguish an in-band data 652 block from any added padding. This is needed to ensure that any 653 added padding is not passed on to an application at the receiver. 655 This results in three possible ways that a sender can create a probe 656 packet: 658 Probing using padding data: A probe packet that contains only 659 control information together with any padding, which is needed to 660 be inflated to the size of the probe packet. Since these probe 661 packets do not carry an application-supplied data block, they do 662 not typically require retransmission, although they do still 663 consume network capacity and incur endpoint processing. 665 Probing using application data and padding data: A probe packet that 666 contains a data block supplied by an application that is combined 667 with padding to inflate the length of the datagram to the size of 668 the probe packet. 670 Probing using application data: A probe packet that contains a data 671 block supplied by an application that matches the size of the 672 probe packet. This method requests the application to issue a 673 data block of the desired probe size. 675 A PL that uses a probe packet carrying application data and needs 676 protection from the loss of this probe packet could perform 677 transport-layer retransmission/repair of the data block (e.g., by 678 retransmission after loss is detected or by duplicating the data 679 block in a datagram without the padding data). This retransmitted 680 data block might possibly need to be sent using a smaller PLPMTU, 681 which could force the PL to to use a smaller packet size to traverse 682 the end-to-end path. (This could utilize endpoint network-layer 683 fragmentation or a PL that can re-segment the data block into 684 multiple datagrams). 686 DPLPMTUD MAY choose to use only one of these methods to simplify the 687 implementation. 689 Probe messages sent by a PL MUST contain enough information to 690 uniquely identify the probe within Maximum Segment Lifetime (e.g., 691 including a unique identifier from the PL or the DPLPMTUD 692 implementation), while being robust to reordering and replay of probe 693 response and PTB messages. 695 4.2. Confirmation of Probed Packet Size 697 The PL needs a method to determine (confirm) when probe packets have 698 been successfully received end-to-end across a network path. 700 Transport protocols can include end-to-end methods that detect and 701 report reception of specific datagrams that they send (e.g., DCCP, 702 SCTP, and QUIC provide keep-alive/heartbeat features). When 703 supported, this mechanism MAY also be used by DPLPMTUD to acknowledge 704 reception of a probe packet. 706 A PL that does not acknowledge data reception (e.g., UDP and UDP- 707 Lite) is unable itself to detect when the packets that it sends are 708 discarded because their size is greater than the actual PMTU. These 709 PLs need to rely on an application protocol to detect this loss. 711 Section 6 specifies this function for a set of IETF-specified 712 protocols. 714 4.3. Black Hole Detection and Reducing the PLPMTU 716 The description that follows uses the set of constants defined in 717 Section 5.1.2 and variables defined in Section 5.1.3. 719 Black Hole Detection is triggered by an indication that the network 720 path could be unable to support the current PLPMTU size. 722 There are three indicators that can detect black holes: 724 * A validated PTB message can be received that indicates a 725 PL_PTB_SIZE less than the current PLPMTU. A DPLPMTUD method MUST 726 NOT rely solely on this method. 728 * A PL can use the DPLPMTUD probing mechanism to periodically 729 generate probe packets of the size of the current PLPMTU (e.g., 730 using the confirmation timer Section 5.1.1). A timer tracks 731 whether acknowledgments are received. Successive loss of probes 732 is an indication that the current path no longer supports the 733 PLPMTU (e.g., when the number of probe packets sent without 734 receiving an acknowledgment, PROBE_COUNT, becomes greater than 735 MAX_PROBES). 737 * A PL can utilize an event that indicates the network path no 738 longer sustains the sender's PLPMTU size. This could use a 739 mechanism implemented within the PL to detect excessive loss of 740 data sent with a specific packet size and then conclude that this 741 excessive loss could be a result of an invalid PLPMTU (as in 742 PLPMTUD for TCP [RFC4821]). 744 The three methods can result in different transmission patterns for 745 packet probes and are expected to result in different responsiveness 746 following a change in the actual PMTU. 748 A PL MAY inhibit sending probe packets when no application data has 749 been sent since the previous probe packet. A PL that resumes sending 750 user data MAY continue PLPMTU discovery for each path. This allows 751 it to use an up-to-date PLPMTU. However, this could result in 752 additional packets being sent. 754 When the method detects the current PLPMTU is not supported, DPLPMTUD 755 sets a lower PLPMTU, and sets a lower MPS. The PL then confirms that 756 the new PLPMTU can be successfully used across the path. A probe 757 packet could need to have a size less than the size of the data block 758 generated by the application. 760 4.4. The Maximum Packet Size (MPS) 762 The result of probing determines a usable PLPMTU, which is used to 763 set the MPS used by the application. The MPS is smaller than the 764 PLPMTU because it is reduced by the size of PL headers (including the 765 overhead of security-related fields such as an AEAD tag and TLS 766 record layer padding). The relationship between the MPS and the 767 PLPMTUD is illustrated in Figure 1. 769 any additional 770 headers .--- MPS -----. 771 | | | 772 v v v 773 +------------------------------+ 774 | IP | ** | PL | protocol data | 775 +------------------------------+ 777 <----- PLPMTU -----> 778 <---------- PMTU --------------> 780 Figure 1: Relationship between MPS and PLPMTU 782 A PL is unable to send a packet (other than a probe packet) with a 783 size larger than the current PLPMTU at the network layer. To avoid 784 this, a PL MAY be designed to segment data blocks larger than the MPS 785 into multiple datagrams. 787 DPLPMTUD seeks to avoid IP fragmentation. An attempt to send a data 788 block larger than the MPS will therefore fail if a PL is unable to 789 segment data. To determine the largest data block that can be sent, 790 a PL SHOULD provide applications with a primitive that returns the 791 MPS, derived from the current PLPMTU. 793 If DPLPMTUD results in a change to the MPS, the application needs to 794 adapt to the new MPS. A particular case can arise when packets have 795 been sent with a size less than the MPS and the PLPMTU was 796 subsequently reduced. If these packets are lost, the PL MAY segment 797 the data using the new MPS. If a PL is unable to re-segment a 798 previously sent datagram (e.g., [RFC4960]), then the sender either 799 discards the datagram or could perform retransmission using network- 800 layer fragmentation to form multiple IP packets not larger than the 801 PLPMTU. For IPv4, the use of endpoint fragmentation by the sender is 802 preferred over clearing the DF bit in the IPv4 header. Operational 803 experience reveals that IP fragmentation can reduce the reliability 804 of Internet communication [I-D.ietf-intarea-frag-fragile], which may 805 reduce the probability of successful retransmission. 807 4.5. Disabling the Effect of PMTUD 809 A PL implementing this specification MUST suspend network layer 810 processing of outgoing packets that enforces a PMTU 811 [RFC1191][RFC8201] for each flow utilizing DPLPMTUD, and instead use 812 DPLPMTUD to control the size of packets that are sent by a flow. 813 This removes the need for the network layer to drop or fragment sent 814 packets that have a size greater than the PMTU. 816 4.6. Response to PTB Messages 818 This method requires the DPLPMTUD sender to validate any received PTB 819 message before using the PTB information. The response to a PTB 820 message depends on the PL_PTB_SIZE calculated from the PTB_SIZE in 821 the PTB message, the state of the PLPMTUD state machine, and the IP 822 protocol being used. 824 Section 4.6.1 first describes validation for both IPv4 ICMP 825 Unreachable messages (type 3) and ICMPv6 Packet Too Big messages, 826 both of which are referred to as PTB messages in this document. 828 4.6.1. Validation of PTB Messages 830 This section specifies utilization and validation of PTB messages. 832 * A simple implementation MAY ignore received PTB messages and in 833 this case the PLPMTU is not updated when a PTB message is 834 received. 836 * A PL that supports PTB messages MUST validate these messages 837 before they are further processed. 839 A PL that receives a PTB message from a router or middlebox performs 840 ICMP validation (see Section 4 of [RFC8201] and Section 5.2 of 841 [BCP145]). Because DPLPMTUD operates at the PL, the PL needs to 842 check that each received PTB message is received in response to a 843 packet transmitted by the endpoint PL performing DPLPMTUD. 845 The PL MUST check the protocol information in the quoted packet 846 carried in an ICMP PTB message payload to validate the message 847 originated from the sending node. This validation includes 848 determining that the combination of the IP addresses, the protocol, 849 the source port and destination port match those returned in the 850 quoted packet - this is also necessary for the PTB message to be 851 passed to the corresponding PL. 853 The validation SHOULD utilize information that it is not simple for 854 an off-path attacker to determine [BCP145]. For example, it could 855 check the value of a protocol header field known only to the two PL 856 endpoints. A datagram application that uses well-known source and 857 destination ports ought to also rely on other information to complete 858 this validation. 860 These checks are intended to provide protection from packets that 861 originate from a node that is not on the network path. A PTB message 862 that does not complete the validation MUST NOT be further utilized by 863 the DPLPMTUD method, as discussed in the Security Considerations 864 section. 866 Section 4.6.2 describes this processing of PTB messages. 868 4.6.2. Use of PTB Messages 870 PTB messages that have been validated MAY be utilized by the DPLPMTUD 871 algorithm, but MUST NOT be used directly to set the PLPMTU. 873 Before using the size reported in the PTB message it must first be 874 converted to a PL_PTB_SIZE. The PL_PTB_SIZE is smaller than the 875 PTB_SIZE because it is reduced by headers below the PL including any 876 IP options or extensions added to the PL packet. 878 A method that utilizes these PTB messages can improve the speed at 879 which the algorithm detects an appropriate PLPMTU by triggering an 880 immediate probe for the PL_PTB_SIZE (resulting in a network-layer 881 packet of size PTB_SIZE), compared to one that relies solely on 882 probing using a timer-based search algorithm. 884 A set of checks are intended to provide protection from a router that 885 reports an unexpected PTB_SIZE. The PL also needs to check that the 886 indicated PL_PTB_SIZE is less than the size used by probe packets and 887 at least the minimum size accepted. 889 This section provides a summary of how PTB messages can be utilized. 890 (This uses the set of constants defined in Section 5.1.2). This 891 processing depends on the PL_PTB_SIZE and the current value of a set 892 of variables: 894 PL_PTB_SIZE < MIN_PLPMTU 895 * Invalid PL_PTB_SIZE see Section 4.6.1. 897 * PTB message ought to be discarded without further processing 898 (i.e., PLPMTU is not modified). 900 * The information could be utilized as an input that triggers 901 enabling a resilience mode (see Section 5.3.3). 903 MIN_PLPMTU < PL_PTB_SIZE < BASE_PLPMTU 904 * A robust PL MAY enter an error state (see Section 5.2) for an 905 IPv4 path when the PL_PTB_SIZE reported in the PTB message is 906 larger than or equal to 68 bytes [RFC0791] and when this is 907 less than the BASE_PLPMTU. 909 * A robust PL MAY enter an error state (see Section 5.2) for an 910 IPv6 path when the PL_PTB_SIZE reported in the PTB message is 911 larger than or equal to 1280 bytes [RFC8200] and when this is 912 less than the BASE_PLPMTU. 914 BASE_PLPMTU <= PL_PTB_SIZE < PLPMTU 915 * This could be an indication of a black hole. The PLPMTU SHOULD 916 be set to BASE_PLPMTU (the PLPMTU is reduced to the BASE_PLPMTU 917 to avoid unnecessary packet loss when a black hole is 918 encountered). 920 * The PL ought to start a search to quickly discover the new 921 PLPMTU. The PL_PTB_SIZE reported in the PTB message can be 922 used to initialize a search algorithm. 924 PLPMTU < PL_PTB_SIZE < PROBED_SIZE 925 * The PLPMTU continues to be valid, but the size of a packet used 926 to search (PROBED_SIZE) was larger than the actual PMTU. 928 * The PLPMTU is not updated. 930 * The PL can use the reported PL_PTB_SIZE from the PTB message as 931 the next search point when it resumes the search algorithm. 933 PL_PTB_SIZE >= PROBED_SIZE 934 * Inconsistent network signal. 936 * PTB message ought to be discarded without further processing 937 (i.e., PLPMTU is not modified). 939 * The information could be utilized as an input to trigger 940 enabling a resilience mode. 942 5. Datagram Packetization Layer PMTUD 944 This section specifies Datagram PLPMTUD (DPLPMTUD). The method can 945 be introduced at various points (as indicated with * in the figure 946 below) in the IP protocol stack to discover the PLPMTU so that an 947 application can utilize an appropriate MPS for the current network 948 path. 950 DPLPMTUD SHOULD only be performed at one layer between a pair of 951 endpoints. Therefore, an upper PL or application should avoid using 952 DPLPMTUD when this is already enabled in a lower layer. A PL MUST 953 adjust the MPS indicated by DPLPMTUD to account for any additional 954 overhead introduced by the PL. 956 +----------------------+ 957 | Application* | 958 +-----+------------+---+ 959 | | 960 +---+--+ +--+--+ 961 | QUIC*| |SCTP*| 962 +---+--+ +-+-+-+ 963 | | | 964 +---+ +----+ | 965 | | | 966 +-+--+-+ | 967 | UDP | | 968 +---+--+ | 969 | | 970 +-----------+-------+--+ 971 | Network Interface | 972 +----------------------+ 974 Figure 2: Examples where DPLPMTUD can be implemented 976 The central idea of DPLPMTUD is probing by a sender. Probe packets 977 are sent to find the maximum size of user message that can be 978 completely transferred across the network path from the sender to the 979 destination. 981 The following sections identify the components needed for 982 implementation, provides an overview of the phases of operation, and 983 specifies the state machine and search algorithm. 985 5.1. DPLPMTUD Components 987 This section describes the timers, constants, and variables of 988 DPLPMTUD. 990 5.1.1. Timers 992 The method utilizes up to three timers: 994 PROBE_TIMER: The PROBE_TIMER is configured to expire after a period 995 longer than the maximum time to receive an acknowledgment to a 996 probe packet. This value MUST NOT be smaller than 1 second, and 997 SHOULD be larger than 15 seconds. Guidance on selection of the 998 timer value are provided in Section 3.1.1 of the UDP Usage 999 Guidelines [BCP145]. 1001 PMTU_RAISE_TIMER: The PMTU_RAISE_TIMER is configured to the period a 1002 sender will continue to use the current PLPMTU, after which it re- 1003 enters the Search phase. This timer has a period of 600 seconds, 1004 as recommended by PLPMTUD [RFC4821]. 1006 DPLPMTUD MAY inhibit sending probe packets when no application 1007 data has been sent since the previous probe packet. A PL 1008 preferring to use an up-to-date PMTU once user data is sent again, 1009 can choose to continue PMTU discovery for each path. However, 1010 this will result in sending additional packets. 1012 CONFIRMATION_TIMER: When an acknowledged PL is used, this timer MUST 1013 NOT be used. For other PLs, the CONFIRMATION_TIMER is configured 1014 to the period a PL sender waits before confirming the current 1015 PLPMTU is still supported. This is less than the PMTU_RAISE_TIMER 1016 and used to decrease the PLPMTU (e.g., when a black hole is 1017 encountered). Confirmation needs to be frequent enough when data 1018 is flowing that the sending PL does not black hole extensive 1019 amounts of traffic. Guidance on selection of the timer value are 1020 provided in Section 3.1.1 of the UDP Usage Guidelines [BCP145]. 1022 DPLPMTUD MAY inhibit sending probe packets when no application 1023 data has been sent since the previous probe packet. A PL 1024 preferring to use an up-to-date PMTU once user data is sent again, 1025 can choose to continue PMTU discovery for each path. However, 1026 this could result in sending additional packets. 1028 DPLPMTD specifies various timers, however an implementation could 1029 choose to realise these timer functions using a single timer. 1031 5.1.2. Constants 1033 The following constants are defined: 1035 MAX_PROBES: The MAX_PROBES is the maximum value of the PROBE_COUNT 1036 counter (see Section 5.1.3). MAX_PROBES represents the limit for 1037 the number of consecutive probe attempts of any size. Search 1038 algorithms benefit from a MAX_PROBES value greater than 1 because 1039 this can provide robustness to isolated packet loss. The default 1040 value of MAX_PROBES is 3. 1042 MIN_PLPMTU: The MIN_PLPMTU is the smallest size of PLPMTU that 1043 DPLPMTUD will attempt to use. For IPv6, this size is greater than 1044 or equal to the size at the PL that results in an 1280 byte IPv6 1045 packet, as specified in [RFC8200]. For IPv4, this size is greater 1046 than or equal to the size at the PL that results in an 68 byte 1047 IPv4 packet. Note: An IPv4 router is required to be able to 1048 forward a datagram of 68 bytes without further fragmentation. 1049 This is the combined size of an IPv4 header and the minimum 1050 fragment size of 8 bytes. In addition, receivers are required to 1051 be able to reassemble fragmented datagrams at least up to 576 1052 bytes, as stated in section 3.3.3 of [RFC1122]. 1054 MAX_PLPMTU: The MAX_PLPMTU is the largest size of PLPMTU. This has 1055 to be less than or equal to the maximum size of the PL packet that 1056 can be sent on the outgoing interface (constrained by the local 1057 interface MTU). When known, this also ought to be less than the 1058 maximum size of PL packet that can be received by the remote 1059 endpoint (constrained by EMTU_R). It can be limited by the design 1060 or configuration of the PL being used. An application, or PL, MAY 1061 choose a smaller MAX_PLPMTU when there is no need to send packets 1062 larger than a specific size. 1064 BASE_PLPMTU: The BASE_PLPMTU is a configured size expected to work 1065 for most paths. The size is equal to or larger than the 1066 MIN_PLPMTU and smaller than the MAX_PLPMTU. For most PLs a 1067 suitable BASE_PLPMTU will be larger than 1200 bytes. When using 1068 IPv4, there is no currently equivalent size specified and a 1069 default BASE_PLPMTU of 1200 bytes is RECOMMENDED. 1071 5.1.3. Variables 1073 This method utilizes a set of variables: 1075 PROBED_SIZE: The PROBED_SIZE is the size of the current probe packet 1076 as determined at the PL. This is a tentative value for the 1077 PLPMTU, which is awaiting confirmation by an acknowledgment. 1079 PROBE_COUNT: The PROBE_COUNT is a count of the number of successive 1080 unsuccessful probe packets that have been sent. Each time a probe 1081 packet is acknowledged, the value is set to zero. (Some probe 1082 loss is expected while searching, therefore loss of a single probe 1083 is not an indication of a PMTU problem.) 1085 The figure below illustrates the relationship between the packet size 1086 constants and variables at a point of time when the DPLPMTUD 1087 algorithm performs path probing to increase the size of the PLPMTU. 1088 A probe packet has been sent of size PROBED_SIZE. Once this is 1089 acknowledged, the PLPMTU will raise to PROBED_SIZE allowing the 1090 DPLPMTUD algorithm to further increase PROBED_SIZE toward sending a 1091 probe with the size of the actual PMTU. 1093 MIN_PLPMTU MAX_PLPMTU 1094 <-------------------------------------------> 1095 | | | 1096 v | | 1097 BASE_PLPMTU | v 1098 | PROBED_SIZE 1099 v 1100 PLPMTU 1102 Figure 3: Relationships between packet size constants and variables 1104 5.1.4. Overview of DPLPMTUD Phases 1106 This section provides a high-level informative view of the DPLPMTUD 1107 method, by describing the movement of the method through several 1108 phases of operation. More detail is available in the state machine 1109 Section 5.2. 1111 +------+ 1112 +------->| Base |-----------------+ Connectivity 1113 | +------+ | or BASE_PLPMTU 1114 | | | confirmation failed 1115 | | v 1116 | | Connectivity +-------+ 1117 | | and BASE_PLPMTU | Error | 1118 | | confirmed +-------+ 1119 | | | Consistent 1120 | v | connectivity 1121 Black Hole | +--------+ | and BASE_PLPMTU 1122 detected | | Search |<---------------+ confirmed 1123 | +--------+ 1124 | ^ | 1125 | | | 1126 | Raise | | Search 1127 | timer | | algorithm 1128 | expired | | completed 1129 | | | 1130 | | v 1131 | +-----------------+ 1132 +---| Search Complete | 1133 +-----------------+ 1135 Figure 4: DPLPMTUD Phases 1137 Base: The Base Phase confirms connectivity to the remote peer using 1138 packets of the BASE_PLPMTU. The confirmation of connectivity is 1139 implicit for a connection-oriented PL (where it can be performed 1140 in a PL connection handshake). A connectionless PL sends a probe 1141 packet and uses acknowledgment of this probe packet to confirm 1142 that the remote peer is reachable. 1144 The sender also confirms that BASE_PLPMTU is supported across the 1145 network path. This may be achieved using a PL mechanism (e.g., 1146 using a handshake packet of size BASE_PLPMTU), or by sending a 1147 probe packet of size BASE_PLPMTU and confirming that this is 1148 received. 1150 A probe packet of size BASE_PLPMTU can be sent immediately on the 1151 initial entry to the Base Phase (following a connectivity check). 1152 A PL that does not wish to support a path with a PLPMTU less than 1153 BASE_PLPMTU can simplify the phase into a single step by 1154 performing the connectivity checks with a probe of the BASE_PLPMTU 1155 size. 1157 Once confirmed, DPLPMTUD enters the Search Phase. If the Base 1158 Phase fails to confirm the BASE_PLPMTU, DPLPMTUD enters the Error 1159 Phase. 1161 Search: The Search Phase utilizes a search algorithm to send probe 1162 packets to seek to increase the PLPMTU. The algorithm concludes 1163 when it has found a suitable PLPMTU, by entering the Search 1164 Complete Phase. 1166 A PL could respond to PTB messages using the PTB to advance or 1167 terminate the search, see Section 4.6. 1169 Search Complete: The Search Complete Phase is entered when the 1170 PLPMTU is supported across the network path. A PL can use a 1171 CONFIRMATION_TIMER to periodically repeat a probe packet for the 1172 current PLPMTU size. If the sender is unable to confirm 1173 reachability (e.g., if the CONFIRMATION_TIMER expires) or the PL 1174 signals a lack of reachability, a black hole has been detected and 1175 DPLPMTUD enters the Base phase. 1177 The PMTU_RAISE_TIMER is used to periodically resume the search 1178 phase to discover if the PLPMTU can be raised. Black Hole 1179 Detection causes the sender to enter the Base Phase. 1181 Error: The Error Phase is entered when there is conflicting or 1182 invalid PLPMTU information for the path (e.g., a failure to 1183 support the BASE_PLPMTU) that cause DPLPMTUD to be unable to 1184 progress and the PLPMTU is lowered. 1186 DPLPMTUD remains in the Error Phase until a consistent view of the 1187 path can be discovered and it has also been confirmed that the 1188 path supports the BASE_PLPMTU (or DPLPMTUD is suspended). 1190 A method that only reduces the PLPMTU to a suitable size would be 1191 sufficient to ensure reliable operation, but can be very inefficient 1192 when the actual PMTU changes or when the method (for whatever reason) 1193 makes a suboptimal choice for the PLPMTU. 1195 A full implementation of DPLPMTUD provides an algorithm enabling the 1196 DPLPMTUD sender to increase the PLPMTU following a change in the 1197 characteristics of the path, such as when a link is reconfigured with 1198 a larger MTU, or when there is a change in the set of links traversed 1199 by an end-to-end flow (e.g., after a routing or path fail-over 1200 decision). 1202 5.2. State Machine 1204 A state machine for DPLPMTUD is depicted in Figure 5. If multipath 1205 or multihoming is supported, a state machine is needed for each path. 1207 Note: Not all changes are shown to simplify the diagram. 1209 | | 1210 | Start | PL indicates loss 1211 | | of connectivity 1212 v v 1213 +---------------+ +---------------+ 1214 | DISABLED | | ERROR | 1215 +---------------+ PROBE_TIMER expiry: +---------------+ 1216 | PL indicates PROBE_COUNT = MAX_PROBES or ^ | 1217 | connectivity PTB: PL_PTB_SIZE < BASE_PLPMTU | | 1218 +--------------------+ +---------------+ | 1219 | | | 1220 v | BASE_PLPMTU Probe | 1221 +---------------+ acked | 1222 | BASE |--------------------->+ 1223 +---------------+ | 1224 ^ | ^ ^ | 1225 Black hole detected | | | | Black hole detected | 1226 +--------------------+ | | +--------------------+ | 1227 | +----+ | | 1228 | PROBE_TIMER expiry: | | 1229 | PROBE_COUNT < MAX_PROBES | | 1230 | | | 1231 | PMTU_RAISE_TIMER expiry | | 1232 | +-----------------------------------------+ | | 1233 | | | | | 1234 | | v | v 1235 +---------------+ +---------------+ 1236 |SEARCH_COMPLETE| | SEARCHING | 1237 +---------------+ +---------------+ 1238 | ^ ^ | | ^ 1239 | | | | | | 1240 | | +-----------------------------------------+ | | 1241 | | MAX_PLPMTU Probe acked or | | 1242 | | PROBE_TIMER expiry: PROBE_COUNT = MAX_PROBES or | | 1243 +----+ PTB: PL_PTB_SIZE = PLPMTU +----+ 1244 CONFIRMATION_TIMER expiry: PROBE_TIMER expiry: 1245 PROBE_COUNT < MAX_PROBES or PROBE_COUNT < MAX_PROBES or 1246 PLPMTU Probe acked Probe acked or PTB: 1247 PLPMTU < PL_PTB_SIZE < PROBED_SIZE 1249 Figure 5: State machine for Datagram PLPMTUD 1251 The following states are defined: 1253 DISABLED: The DISABLED state is the initial state before probing has 1254 started. It is also entered from any other state, when the PL 1255 indicates loss of connectivity. This state is left once the PL 1256 indicates connectivity to the remote PL. When transitioning to 1257 the BASE state, a probe packet of size BASE_PLPMTU can be sent 1258 immediately. 1260 BASE: The BASE state is used to confirm that the BASE_PLPMTU size is 1261 supported by the network path and is designed to allow an 1262 application to continue working when there are transient 1263 reductions in the actual PMTU. It also seeks to avoid long 1264 periods when a sender searching for a larger PLPMTU is unaware 1265 that packets are not being delivered due to a packet or ICMP Black 1266 Hole. 1268 On entry, the PROBED_SIZE is set to the BASE_PLPMTU size and the 1269 PROBE_COUNT is set to zero. 1271 Each time a probe packet is sent, the PROBE_TIMER is started. The 1272 state is exited when the probe packet is acknowledged, and the PL 1273 sender enters the SEARCHING state. 1275 The state is also left when the PROBE_COUNT reaches MAX_PROBES or 1276 a received PTB message is validated. This causes the PL sender to 1277 enter the ERROR state. 1279 SEARCHING: The SEARCHING state is the main probing state. This 1280 state is entered when probing for the BASE_PLPMTU completes. 1282 Each time a probe packet is acknowledged, the PROBE_COUNT is set 1283 to zero, the PLPMTU is set to the PROBED_SIZE and then the 1284 PROBED_SIZE is increased using the search algorithm (as described 1285 in Section 5.3. 1287 When a probe packet is sent and not acknowledged within the period 1288 of the PROBE_TIMER, the PROBE_COUNT is incremented and a new probe 1289 packet is transmitted. 1291 The state is exited to enter SEARCH_COMPLETE when the PROBE_COUNT 1292 reaches MAX_PROBES, a validated PTB is received that corresponds 1293 to the last successfully probed size (PL_PTB_SIZE = PLPMTU), or a 1294 probe of size MAX_PLPMTU is acknowledged (PLPMTU = MAX_PLPMTU). 1296 When a black hole is detected in the SEARCHING state, this causes 1297 the PL sender to enter the BASE state. 1299 SEARCH_COMPLETE: The SEARCH_COMPLETE state indicates that a search 1300 has completed. This is the normal maintenance state, where the PL 1301 is not probing to update the PLPMTU. DPLPMTUD remains in this 1302 state until either the PMTU_RAISE_TIMER expires or a black hole is 1303 detected. 1305 When DPLPMTUD uses an unacknowledged PL and is in the 1306 SEARCH_COMPLETE state, a CONFIRMATION_TIMER periodically resets 1307 the PROBE_COUNT and schedules a probe packet with the size of the 1308 PLPMTU. If MAX_PROBES successive PLPMTUD sized probes fail to be 1309 acknowledged the method enters the BASE state. When used with an 1310 acknowledged PL (e.g., SCTP), DPLPMTUD SHOULD NOT continue to 1311 generate PLPMTU probes in this state. 1313 ERROR: The ERROR state represents the case where either the network 1314 path is not known to support a PLPMTU of at least the BASE_PLPMTU 1315 size or when there is contradictory information about the network 1316 path that would otherwise result in excessive variation in the MPS 1317 signaled to the higher layer. The state implements a method to 1318 mitigate oscillation in the state-event engine. It signals a 1319 conservative value of the MPS to the higher layer by the PL. The 1320 state is exited when packet probes no longer detect the error. 1321 The PL sender then enters the SEARCHING state. 1323 Implementations are permitted to enable endpoint fragmentation if 1324 the DPLPMTUD is unable to validate MIN_PLPMTU within PROBE_COUNT 1325 probes. If DPLPMTUD is unable to validate MIN_PLPMTU the 1326 implementation will transition to the DISABLED state. 1328 Note: MIN_PLPMTU could be identical to BASE_PLPMTU, simplifying 1329 the actions in this state. 1331 5.3. Search to Increase the PLPMTU 1333 This section describes the algorithms used by DPLPMTUD to search for 1334 a larger PLPMTU. 1336 5.3.1. Probing for a larger PLPMTU 1338 Implementations use a search algorithm across the search range to 1339 determine whether a larger PLPMTU can be supported across a network 1340 path. 1342 The method discovers the search range by confirming the minimum 1343 PLPMTU and then using the probe method to select a PROBED_SIZE less 1344 than or equal to MAX_PLPMTU. MAX_PLPMTU is the minimum of the local 1345 MTU and EMTU_R (when this is learned from the remote endpoint). The 1346 MAX_PLPMTU MAY be reduced by an application that sets a maximum to 1347 the size of datagrams it will send. 1349 The PROBE_COUNT is initialized to zero when the first probe with a 1350 size greater than or equal to PLPMTUD is sent. Each probe packet 1351 successfully sent to the remote peer is confirmed by acknowledgment 1352 at the PL, see Section 4.1. 1354 Each time a probe packet is sent to the destination, the PROBE_TIMER 1355 is started. The timer is canceled when the PL receives 1356 acknowledgment that the probe packet has been successfully sent 1357 across the path Section 4.1. This confirms that the PROBED_SIZE is 1358 supported, and the PROBED_SIZE value is then assigned to the PLPMTU. 1359 The search algorithm can continue to send subsequent probe packets of 1360 an increasing size. 1362 If the timer expires before a probe packet is acknowledged, the probe 1363 has failed to confirm the PROBED_SIZE. Each time the PROBE_TIMER 1364 expires, the PROBE_COUNT is incremented, the PROBE_TIMER is 1365 reinitialized, and a new probe of the same size or any other size 1366 (determined by the search algorithm) can be sent. The maximum number 1367 of consecutive failed probes is configured (MAX_PROBES). If the 1368 value of the PROBE_COUNT reaches MAX_PROBES, probing will stop, and 1369 the PL sender enters the SEARCH_COMPLETE state. 1371 5.3.2. Selection of Probe Sizes 1373 The search algorithm determines a minimum useful gain in PLPMTU. It 1374 would not be constructive for a PL sender to attempt to probe for all 1375 sizes. This would incur unnecessary load on the path. 1376 Implementations SHOULD select the set of probe packet sizes to 1377 maximize the gain in PLPMTU from each search step. 1379 Implementations could optimize the search procedure by selecting step 1380 sizes from a table of common PMTU sizes. When selecting the 1381 appropriate next size to search, an implementer ought to also 1382 consider that there can be common sizes of MPS that applications seek 1383 to use, and their could be common sizes of MTU used within the 1384 network. 1386 5.3.3. Resilience to Inconsistent Path Information 1388 A decision to increase the PLPMTU needs to be resilient to the 1389 possibility that information learned about the network path is 1390 inconsistent. A path is inconsistent when, for example, probe 1391 packets are lost due to other reasons (i.e., not packet size) or due 1392 to frequent path changes. Frequent path changes could occur by 1393 unexpected "flapping" - where some packets from a flow pass along one 1394 path, but other packets follow a different path with different 1395 properties. 1397 A PL sender is able to detect inconsistency from the sequence of 1398 PLPMTU probes that are acknowledged or the sequence of PTB messages 1399 that it receives. When inconsistent path information is detected, a 1400 PL sender could use an alternate search mode that clamps the offered 1401 MPS to a smaller value for a period of time. This avoids unnecessary 1402 loss of packets. 1404 5.4. Robustness to Inconsistent Paths 1406 Some paths could be unable to sustain packets of the BASE_PLPMTU 1407 size. The Error State could be implemented to provide rubustness to 1408 such paths. This allows fallback to a smaller than desired PLPMTU, 1409 rather than suffer connectivity failure. This could utilize methods 1410 such as endpoint IP fragmentation to enable the PL sender to 1411 communicate using packets smaller than the BASE_PLPMTU. 1413 6. Specification of Protocol-Specific Methods 1415 DPLPMTUD requires protocol-specific details to be specified for each 1416 PL that is used. 1418 The first subsection provides guidance on how to implement the 1419 DPLPMTUD method as a part of an application using UDP or UDP-Lite. 1420 The guidance also applies to other datagram services that do not 1421 include a specific transport protocol (such as a tunnel 1422 encapsulation). The following subsections describe how DPLPMTUD can 1423 be implemented as a part of the transport service, allowing 1424 applications using the service to benefit from discovery of the 1425 PLPMTU without themselves needing to implement this method when using 1426 SCTP and QUIC. 1428 6.1. Application support for DPLPMTUD with UDP or UDP-Lite 1430 The current specifications of UDP [RFC0768] and UDP-Lite [RFC3828] do 1431 not define a method in the RFC-series that supports PLPMTUD. In 1432 particular, the UDP transport does not provide the transport features 1433 needed to implement datagram PLPMTUD. 1435 The DPLPMTUD method can be implemented as a part of an application 1436 built directly or indirectly on UDP or UDP-Lite, but relies on 1437 higher-layer protocol features to implement the method [BCP145]. 1439 Some primitives used by DPLPMTUD might not be available via the 1440 Datagram API (e.g., the ability to access the PLPMTU from the IP 1441 layer cache, or interpret received PTB messages). 1443 In addition, it is recommended that PMTU discovery is not performed 1444 by multiple protocol layers. An application SHOULD avoid using 1445 DPLPMTUD when the underlying transport system provides this 1446 capability. A common method for managing the PLPMTU has benefits, 1447 both in the ability to share state between different processes and 1448 opportunities to coordinate probing for different PL instances. 1450 6.1.1. Application Request 1452 An application needs an application-layer protocol mechanism (such as 1453 a message acknowledgment method) that solicits a response from a 1454 destination endpoint. The method SHOULD allow the sender to check 1455 the value returned in the response to provide additional protection 1456 from off-path insertion of data [BCP145]. Suitable methods include a 1457 parameter known only to the two endpoints, such as a session ID or 1458 initialized sequence number. 1460 6.1.2. Application Response 1462 An application needs an application-layer protocol mechanism to 1463 communicate the response from the destination endpoint. This 1464 response could indicate successful reception of the probe across the 1465 path, but could also indicate that some (or all packets) have failed 1466 to reach the destination. 1468 6.1.3. Sending Application Probe Packets 1470 A probe packet can carry an application data block, but the 1471 successful transmission of this data is at risk when used for 1472 probing. Some applications might prefer to use a probe packet that 1473 does not carry an application data block to avoid disruption to data 1474 transfer. 1476 6.1.4. Initial Connectivity 1478 An application that does not have other higher-layer information 1479 confirming connectivity with the remote peer SHOULD implement a 1480 connectivity mechanism using acknowledged probe packets before 1481 entering the BASE state. 1483 6.1.5. Validating the Path 1485 An application that does not have other higher-layer information 1486 confirming correct delivery of datagrams SHOULD implement the 1487 CONFIRMATION_TIMER to periodically send probe packets while in the 1488 SEARCH_COMPLETE state. 1490 6.1.6. Handling of PTB Messages 1492 An application that is able and wishes to receive PTB messages MUST 1493 perform ICMP validation as specified in Section 5.2 of [BCP145]. 1494 This requires that the application checks each received PTB message 1495 to validate that it was is received in response to transmitted 1496 traffic and that the reported PL_PTB_SIZE is less than the current 1497 probed size (see Section 4.6.2). A validated PTB message MAY be used 1498 as input to the DPLPMTUD algorithm, but MUST NOT be used directly to 1499 set the PLPMTU. 1501 6.2. DPLPMTUD for SCTP 1503 Section 10.2 of [RFC4821] specified a recommended PLPMTUD probing 1504 method for SCTP and Section 7.3 of [RFC4960] recommended an endpoint 1505 apply the techniques in RFC4821 on a per-destination-address basis. 1506 The specification for DPLPMTUD continues the practice of using the PL 1507 to discover the PMTU, but updates, RFC4960 with a recommendation to 1508 use the method specified in this document: The RECOMMENDED method for 1509 generating probes is to add a chunk consisting only of padding to an 1510 SCTP message. The PAD chunk defined in [RFC4820] SHOULD be attached 1511 to a minimum length HEARTBEAT (HB) chunk to build a probe packet. 1512 This enables probing without affecting the transfer of user messages 1513 and without being limited by congestion control or flow control. 1514 This is preferred to using DATA chunks (with padding as required) as 1515 path probes. 1517 Section 6.9 of [RFC4960] describes dividing the user messages into 1518 data chunks sent by the PL when using SCTP. This notes that once an 1519 SCTP message has been sent, it cannot be re-segmented. [RFC4960] 1520 describes the method to retransmit data chunks when the MPS has 1521 reduced, and the use of IP fragmentation for this case. This is 1522 unchanged by this document. 1524 6.2.1. SCTP/IPv4 and SCTP/IPv6 1526 6.2.1.1. Initial Connectivity 1528 The base protocol is specified in [RFC4960]. This provides an 1529 acknowledged PL. A sender can therefore enter the BASE state as soon 1530 as connectivity has been confirmed. 1532 6.2.1.2. Sending SCTP Probe Packets 1534 Probe packets consist of an SCTP common header followed by a 1535 HEARTBEAT chunk and a PAD chunk. The PAD chunk is used to control 1536 the length of the probe packet. The HEARTBEAT chunk is used to 1537 trigger the sending of a HEARTBEAT ACK chunk. The reception of the 1538 HEARTBEAT ACK chunk acknowledges reception of a successful probe. A 1539 successful probe updates the association and path counters, but an 1540 unsuccessful probe is discounted (assumed to be a result of choosing 1541 too large a PLPMTU). 1543 The SCTP sender needs to be able to determine the total size of a 1544 probe packet. The HEARTBEAT chunk could carry a Heartbeat 1545 Information parameter that includes, besides the information 1546 suggested in [RFC4960], the probe size to help an implementation 1547 associate a HEARTBEAT-ACK with the size of probe that was sent. The 1548 sender could also use other methods, such as sending a nonce and 1549 verifying the information returned also contains the corresponding 1550 nonce. The length of the PAD chunk is computed by reducing the 1551 probing size by the size of the SCTP common header and the HEARTBEAT 1552 chunk. The payload of the PAD chunk contains arbitrary data. When 1553 transmitted at the IP layer, the PMTU size also includes the IPv4 or 1554 IPv6 header(s). 1556 Probing can start directly after the PL handshake, this can be done 1557 before data is sent. Assuming this behavior (i.e., the PMTU is 1558 smaller than or equal to the interface MTU), this process will take 1559 several round trip time periods, dependent on the number of DPLPMTUD 1560 probes sent. The Heartbeat timer can be used to implement the 1561 PROBE_TIMER. 1563 6.2.1.3. Validating the Path with SCTP 1565 Since SCTP provides an acknowledged PL, a sender MUST NOT implement 1566 the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1568 6.2.1.4. PTB Message Handling by SCTP 1570 Normal ICMP validation MUST be performed as specified in Appendix C 1571 of [RFC4960]. This requires that the first 8 bytes of the SCTP 1572 common header are quoted in the payload of the PTB message, which can 1573 be the case for ICMPv4 and is normally the case for ICMPv6. 1575 When a PTB message has been validated, the PL_PTB_SIZE calculated 1576 from the PTB_SIZE reported in the PTB message SHOULD be used with the 1577 DPLPMTUD algorithm, providing that the reported PL_PTB_SIZE is less 1578 than the current probe size (see Section 4.6). 1580 6.2.2. DPLPMTUD for SCTP/UDP 1582 The UDP encapsulation of SCTP is specified in [RFC6951]. 1584 This specification updates the reference to RFC 4821 in section 5.6 1585 of RFC 6951 to refer to XXXTHISRFCXXX. RFC 6951 is updated by 1586 addition of the following sentence at the end of section 5.6: "The 1587 RECOMMENDED method for determining the MTU of the path is specified 1588 in XXXTHISRFCXXX". 1590 XXX RFC EDITOR - please replace XXXTHISRFCXXX when published XXX 1592 6.2.2.1. Initial Connectivity 1594 A sender can enter the BASE state as soon as SCTP connectivity has 1595 been confirmed. 1597 6.2.2.2. Sending SCTP/UDP Probe Packets 1599 Packet probing can be performed as specified in Section 6.2.1.2. The 1600 size of the probe packet includes the 8 bytes of UDP Header. This 1601 has to be considered when filling the probe packet with the PAD 1602 chunk. 1604 6.2.2.3. Validating the Path with SCTP/UDP 1606 SCTP provides an acknowledged PL, therefore a sender does not 1607 implement the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1609 6.2.2.4. Handling of PTB Messages by SCTP/UDP 1611 ICMP validation MUST be performed for PTB messages as specified in 1612 Appendix C of [RFC4960]. This requires that the first 8 bytes of the 1613 SCTP common header are contained in the PTB message, which can be the 1614 case for ICMPv4 (but note the UDP header also consumes a part of the 1615 quoted packet header) and is normally the case for ICMPv6. When the 1616 validation is completed, the PL_PTB_SIZE calculated from the PTB_SIZE 1617 in the PTB message SHOULD be used with the DPLPMTUD providing that 1618 the reported PL_PTB_SIZE is less than the current probe size. 1620 6.2.3. DPLPMTUD for SCTP/DTLS 1622 The Datagram Transport Layer Security (DTLS) encapsulation of SCTP is 1623 specified in [RFC8261]. This is used for data channels in WebRTC 1624 implementations. This specification updates the reference to RFC 1625 4821 in section 5 of RFC 8261 to refer to XXXTHISRFCXXX. 1627 XXX RFC EDITOR - please replace XXXTHISRFCXXX when published XXX 1629 6.2.3.1. Initial Connectivity 1631 A sender can enter the BASE state as soon as SCTP connectivity has 1632 been confirmed. 1634 6.2.3.2. Sending SCTP/DTLS Probe Packets 1636 Packet probing can be done, as specified in Section 6.2.1.2. The 1637 maximum payload is reduced by the size of the DTLS headers, which has 1638 to be considered when filling the PAD chunk. The size of the probe 1639 packet includes the DTLS PL headers. This has to be considered when 1640 filling the probe packet with the PAD chunk. 1642 6.2.3.3. Validating the Path with SCTP/DTLS 1644 Since SCTP provides an acknowledged PL, a sender MUST NOT implement 1645 the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1647 6.2.3.4. Handling of PTB Messages by SCTP/DTLS 1649 [RFC4960] does not specify a way to validate SCTP/DTLS ICMP message 1650 payload and neither does this document. This can prevent processing 1651 of PTB messages at the PL. 1653 6.3. DPLPMTUD for QUIC 1655 QUIC [I-D.ietf-quic-transport] is a UDP-based transport that provides 1656 reception feedback. The UDP payload includes the QUIC packet header, 1657 protected payload, and any authentication fields. QUIC depends on a 1658 PMTU of at least 1280 bytes. 1660 Section 14 of [I-D.ietf-quic-transport] describes the path 1661 considerations when sending QUIC packets. It recommends the use of 1662 PADDING frames to build the probe packet. Pure probe-only packets 1663 are constructed with PADDING frames and PING frames to create a 1664 padding only packet that will elicit an acknowledgment. Such padding 1665 only packets enable probing without affecting the transfer of other 1666 QUIC frames. 1668 The recommendation for QUIC endpoints implementing DPLPMTUD is that a 1669 MPS is maintained for each combination of local and remote IP 1670 addresses [I-D.ietf-quic-transport]. If a QUIC endpoint determines 1671 that the PMTU between any pair of local and remote IP addresses has 1672 fallen below the size required for an acceptable MPS, it immediately 1673 ceases to send QUIC packets on the affected path. This could result 1674 in termination of the connection if an alternative path cannot be 1675 found [I-D.ietf-quic-transport]. 1677 6.3.1. Initial Connectivity 1679 The base protocol is specified in [I-D.ietf-quic-transport]. This 1680 provides an acknowledged PL. A sender can therefore enter the BASE 1681 state as soon as connectivity has been confirmed. 1683 QUIC provides an acknowledged PL, a sender can therefore enter the 1684 BASE state as soon as the connection handshake has been completed and 1685 the endpoint has an 1-RTT key established. 1687 6.3.2. Sending QUIC Probe Packets 1689 Probe packets consist of a QUIC Header and a payload containing a 1690 PING Frame and multiple PADDING Frames. A PADDING Frame is 1691 represented by a single octet (0x00). Several PADDING Frames are 1692 used together to control the length of the probe packet. The PING 1693 Frame is used to trigger generation of an acknowledgement. 1695 The current specification of QUIC sets the following: 1697 * BASE_PLPMTU: A QUIC sender pads initial packets to confirm the 1698 path can support packets of the required size, which sets the 1699 BASE_PLPMTU and MIN_PLPMTU. 1701 * MIN_PLPMTU: A QUIC sender that determines the MIN_PLPMTU has 1702 fallen MUST immediately stop sending on the affected path. 1704 6.3.3. Validating the Path with QUIC 1706 QUIC provides an acknowledged PL, therefore a sender does not 1707 implement the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 1709 6.3.4. Handling of PTB Messages by QUIC 1711 QUIC validates ICMP PTB messages. In addition to UDP Port 1712 validation, QUIC can validate an ICMP message by using other PL 1713 information (e.g., validation of connection identifiers (CIDs) in the 1714 quoted packet of any received ICMP message). 1716 7. Acknowledgments 1718 This work was partially funded by the European Union's Horizon 2020 1719 research and innovation programme under grant agreement No. 644334 1720 (NEAT). The views expressed are solely those of the author(s). 1722 Thanks to all that have commented or contributed, the TSVWG and QUIC 1723 working groups, and Mathew Calder and Julius Flohr for providing 1724 early implementations. 1726 8. IANA Considerations 1728 This memo includes no request to IANA. 1730 If there are no requirements for IANA, the section will be removed 1731 during conversion into an RFC by the RFC Editor. 1733 9. Security Considerations 1735 The security considerations for the use of UDP and SCTP are provided 1736 in the referenced RFCs. 1738 To avoid excessive load, the interval between individual probe 1739 packets MUST be at least one RTT, and the interval between rounds of 1740 probing is determined by the PMTU_RAISE_TIMER. 1742 A PL sender needs to ensure that the method used to confirm reception 1743 of probe packets protects from off-path attackers injecting packets 1744 into the path. This protection is provided in IETF-defined protocols 1745 (e.g., TCP, SCTP) using a randomly-initialized sequence number. A 1746 description of one way to do this when using UDP is provided in 1747 section 5.1 of [BCP145]). 1749 There are cases where ICMP Packet Too Big (PTB) messages are not 1750 delivered due to policy, configuration or equipment design (see 1751 Section 1.1). This method therefore does not rely upon PTB messages 1752 being received, but is able to utilize these when they are received 1753 by the sender. PTB messages could potentially be used to cause a 1754 node to inappropriately reduce the PLPMTU. A node supporting 1755 DPLPMTUD MUST therefore appropriately validate the payload of PTB 1756 messages to ensure these are received in response to transmitted 1757 traffic (i.e., a reported error condition that corresponds to a 1758 datagram actually sent by the path layer, see Section 4.6.1). 1760 An on-path attacker able to create a PTB message could forge PTB 1761 messages that include a valid quoted IP packet. Such an attack could 1762 be used to drive down the PLPMTU. An on-path device could similarly 1763 force a reduction of the PLPMTU by implementing a policy that drops 1764 packets larger than a configured size. There are two ways this 1765 method can be mitigated against such attacks: First, by ensuring that 1766 a PL sender never reduces the PLPMTU below the base size, solely in 1767 response to receiving a PTB message. This is achieved by first 1768 entering the BASE state when such a message is received. Second, the 1769 design does not require processing of PTB messages, a PL sender could 1770 therefore suspend processing of PTB messages (e.g., in a robustness 1771 mode after detecting that subsequent probes actually confirm that a 1772 size larger than the PTB_SIZE is supported by a path). 1774 Parsing the quoted packet inside a PTB message can introduce addional 1775 per-packet processing at the PL sender. This processing SHOULD be 1776 limited to avoid a denial of service attack when arbitrary headers 1777 are included. Rate-limiting the processing could result in PTB 1778 messages not being received by a PL, however the DPLPMTUD method is 1779 robust to such loss. 1781 The successful processing of an ICMP message can trigger a probe when 1782 the reported PTB size is valid, but this does not directly update the 1783 PLPMTU for the path. This prevents a message attempting to black 1784 hole data by indicating a size larger than supported by the path. 1786 It is possible that the information about a path is not stable. This 1787 could be a result of forwarding across more than one path that has a 1788 different actual PMTU or a single path presents a varying PMTU. The 1789 design of a PLPMTUD implementation SHOULD consider how to mitigate 1790 the effects of varying path information. One possible mitigation is 1791 to provide robustness (see Section 5.4) in the method that avoids 1792 oscillation in the MPS. 1794 DPLPMTUD methods can introduce padding data to inflate the length of 1795 the datagram to the total size required for a probe packet. The 1796 total size of a probe packet includes all headers and padding added 1797 to the payload data being sent (e.g., including security-related 1798 fields such as an AEAD tag and TLS record layer padding). The value 1799 of the padding data does not influence the DPLPMTUD search algorithm, 1800 and therefore needs to be set consistent with the policy of the PL. 1802 If a PL can make use of cryptographic confidentiality or data- 1803 integrity mechanisms, then the design ought to avoid adding anything 1804 (e.g., padding) to DPLPMTUD probe packets that is not also protected 1805 by those cryptographic mechanisms. 1807 10. References 1809 10.1. Normative References 1811 [BCP145] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage 1812 Guidelines", BCP 145, RFC 8085, March 2017. 1814 1816 [I-D.ietf-quic-transport] 1817 Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed 1818 and Secure Transport", Work in Progress, Internet-Draft, 1819 draft-ietf-quic-transport-27, 21 February 2020, 1820 . 1823 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 1824 DOI 10.17487/RFC0768, August 1980, 1825 . 1827 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, 1828 DOI 10.17487/RFC0791, September 1981, 1829 . 1831 [RFC1191] Mogul, J.C. and S.E. Deering, "Path MTU discovery", 1832 RFC 1191, DOI 10.17487/RFC1191, November 1990, 1833 . 1835 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1836 Requirement Levels", BCP 14, RFC 2119, 1837 DOI 10.17487/RFC2119, March 1997, 1838 . 1840 [RFC3828] Larzon, L-A., Degermark, M., Pink, S., Jonsson, L-E., Ed., 1841 and G. Fairhurst, Ed., "The Lightweight User Datagram 1842 Protocol (UDP-Lite)", RFC 3828, DOI 10.17487/RFC3828, July 1843 2004, . 1845 [RFC4820] Tuexen, M., Stewart, R., and P. Lei, "Padding Chunk and 1846 Parameter for the Stream Control Transmission Protocol 1847 (SCTP)", RFC 4820, DOI 10.17487/RFC4820, March 2007, 1848 . 1850 [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", 1851 RFC 4960, DOI 10.17487/RFC4960, September 2007, 1852 . 1854 [RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream 1855 Control Transmission Protocol (SCTP) Packets for End-Host 1856 to End-Host Communication", RFC 6951, 1857 DOI 10.17487/RFC6951, May 2013, 1858 . 1860 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1861 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1862 May 2017, . 1864 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 1865 (IPv6) Specification", STD 86, RFC 8200, 1866 DOI 10.17487/RFC8200, July 2017, 1867 . 1869 [RFC8201] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., 1870 "Path MTU Discovery for IP version 6", STD 87, RFC 8201, 1871 DOI 10.17487/RFC8201, July 2017, 1872 . 1874 [RFC8261] Tuexen, M., Stewart, R., Jesup, R., and S. Loreto, 1875 "Datagram Transport Layer Security (DTLS) Encapsulation of 1876 SCTP Packets", RFC 8261, DOI 10.17487/RFC8261, November 1877 2017, . 1879 10.2. Informative References 1881 [I-D.ietf-intarea-frag-fragile] 1882 Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O., 1883 and F. Gont, "IP Fragmentation Considered Fragile", Work 1884 in Progress, Internet-Draft, draft-ietf-intarea-frag- 1885 fragile-17, 30 September 2019, . 1888 [I-D.ietf-intarea-tunnels] 1889 Touch, J. and M. Townsley, "IP Tunnels in the Internet 1890 Architecture", Work in Progress, Internet-Draft, draft- 1891 ietf-intarea-tunnels-10, 12 September 2019, 1892 . 1895 [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, 1896 RFC 792, DOI 10.17487/RFC0792, September 1981, 1897 . 1899 [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - 1900 Communication Layers", STD 3, RFC 1122, 1901 DOI 10.17487/RFC1122, October 1989, 1902 . 1904 [RFC1812] Baker, F., Ed., "Requirements for IP Version 4 Routers", 1905 RFC 1812, DOI 10.17487/RFC1812, June 1995, 1906 . 1908 [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", 1909 RFC 2923, DOI 10.17487/RFC2923, September 2000, 1910 . 1912 [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram 1913 Congestion Control Protocol (DCCP)", RFC 4340, 1914 DOI 10.17487/RFC4340, March 2006, 1915 . 1917 [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet 1918 Control Message Protocol (ICMPv6) for the Internet 1919 Protocol Version 6 (IPv6) Specification", STD 89, 1920 RFC 4443, DOI 10.17487/RFC4443, March 2006, 1921 . 1923 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU 1924 Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, 1925 . 1927 [RFC4890] Davies, E. and J. Mohacsi, "Recommendations for Filtering 1928 ICMPv6 Messages in Firewalls", RFC 4890, 1929 DOI 10.17487/RFC4890, May 2007, 1930 . 1932 [RFC5508] Srisuresh, P., Ford, B., Sivakumar, S., and S. Guha, "NAT 1933 Behavioral Requirements for ICMP", BCP 148, RFC 5508, 1934 DOI 10.17487/RFC5508, April 2009, 1935 . 1937 Appendix A. Revision Notes 1939 Note to RFC-Editor: please remove this entire section prior to 1940 publication. 1942 Individual draft -00: 1944 * Comments and corrections are welcome directly to the authors or 1945 via the IETF TSVWG working group mailing list. 1947 * This update is proposed for WG comments. 1949 Individual draft -01: 1951 * Contains the first representation of the algorithm, showing the 1952 states and timers 1954 * This update is proposed for WG comments. 1956 Individual draft -02: 1958 * Contains updated representation of the algorithm, and textual 1959 corrections. 1961 * The text describing when to set the effective PMTU has not yet 1962 been validated by the authors 1964 * To determine security to off-path-attacks: We need to decide 1965 whether a received PTB message SHOULD/MUST be validated? The text 1966 on how to handle a PTB message indicating a link MTU larger than 1967 the probe has yet not been validated by the authors 1969 * No text currently describes how to handle inconsistent results 1970 from arbitrary re-routing along different parallel paths 1972 * This update is proposed for WG comments. 1974 Working Group draft -00: 1976 * This draft follows a successful adoption call for TSVWG 1978 * There is still work to complete, please comment on this draft. 1980 Working Group draft -01: 1982 * This draft includes improved introduction. 1984 * The draft is updated to require ICMP validation prior to accepting 1985 PTB messages - this to be confirmed by WG 1987 * Section added to discuss Selection of Probe Size - methods to be 1988 evaluated and recommendations to be considered 1990 * Section added to align with work proposed in the QUIC WG. 1992 Working Group draft -02: 1994 * The draft was updated based on feedback from the WG, and a 1995 detailed review by Magnus Westerlund. 1997 * The document updates RFC 4821. 1999 * Requirements list updated. 2001 * Added more explicit discussion of a simpler black-hole detection 2002 mode. 2004 * This draft includes reorganisation of the section on IETF 2005 protocols. 2007 * Added more discussion of implementation within an application. 2009 * Added text on flapping paths. 2011 * Replaced 'effective MTU' with new term PLPMTU. 2013 Working Group draft -03: 2015 * Updated figures 2017 * Added more discussion on blackhole detection 2019 * Added figure describing just blackhole detection 2020 * Added figure relating MPS sizes 2022 Working Group draft -04: 2024 * Described phases and named these consistently. 2026 * Corrected transition from confirmation directly to the search 2027 phase (Base has been checked). 2029 * Redrawn state diagrams. 2031 * Renamed BASE_MTU to BASE_PMTU (because it is a base for the PMTU). 2033 * Clarified Error state. 2035 * Clarified suspending DPLPMTUD. 2037 * Verified normative text in requirements section. 2039 * Removed duplicate text. 2041 * Changed all text to refer to /packet probe/probe packet/ 2042 /validation/verification/ added term /Probe Confirmation/ and 2043 clarified BlackHole detection. 2045 Working Group draft -05: 2047 * Updated security considerations. 2049 * Feedback after speaking with Joe Touch helped improve UDP-Options 2050 description. 2052 Working Group draft -06: 2054 * Updated description of ICMP issues in section 1.1 2056 * Update to description of QUIC. 2058 Working group draft -07: 2060 * Moved description of the PTB processing method from the PTB 2061 requirements section. 2063 * Clarified what is performed in the PTB validation check. 2065 * Updated security consideration to explain PTB security without 2066 needing to read the rest of the document. 2068 * Reformatted state machine diagram 2070 Working group draft -08: 2072 * Moved to rfcxml v3+ 2074 * Rendered diagrams to svg in html version. 2076 * Removed Appendix A. Event-driven state changes. 2078 * Removed section on DPLPMTUD with UDP Options. 2080 * Shortened the description of phases. 2082 Working group draft -09: 2084 * Remove final mention of UDP Options 2086 * Add Initial Connectivity sections to each PL 2088 * Add to disable outgoing pmtu enforcement of packets 2090 Working group draft -10: 2092 * Address comments from Lars Eggert 2094 * Reinforce that PROBE_COUNT is successive attempts to probe for any 2095 size 2097 * Redefine MAX_PROBES to 3 2099 * Address PTB_SIZE of 0 or less that MIN_PLPMTU 2101 Working group draft -11: 2103 * Restore a sentence removed in previous rev 2105 * De-acronymise QUIC 2107 * Address some nits 2109 Working group draft -12: 2111 * Add TSVWG, QUIC and implementers to acknowledgments 2113 * Shorten a diagram line. 2115 * Address nits from Julius and Wes. 2117 * Be clearer when talking about IP layer caches 2119 Working group draft -13, -14: 2121 * Updated after WGLC. 2123 Working group draft -15: 2125 * Updated after AD evaluation and prepared for IETF-LC. 2127 Working group draft -16: 2129 * Updated text after SECDIR review. 2131 Working group draft -17: 2133 * Updated text after GENART and IETF-LC. 2135 * Renamed BASE_MTU to BASE_PLPMTU, and MIN and MAX PMTU to PLPMTU 2136 (because these are about a base for the PLPMTU), and ensured 2137 consistent separation of PMTU and PLPMTU. 2139 * Adopted US-style English throughout. 2141 Working group draft -18: 2143 * Updated text and address nits from OPSDIR, ART and IESG reviews. 2145 * Order PTB processing based on PL_PTB_SIZE 2147 Working group draft -19: 2149 * Updated text and address nits based on comments from Tim Chown and 2150 Murray S. Kucherawy. 2152 Working group draft -20: 2154 * Address nits and comments from IESG 2156 * Refer to BCP 145 rather than RFC 8085 in most places. 2158 * Update probing method text for SCTP and QUIC. 2160 Working group draft -21: 2162 * Update QUIC text for skipping into BASE state. 2164 Authors' Addresses 2166 Godred Fairhurst 2167 University of Aberdeen 2168 School of Engineering 2169 Fraser Noble Building 2170 Aberdeen 2171 AB24 3UE 2172 United Kingdom 2174 Email: gorry@erg.abdn.ac.uk 2176 Tom Jones 2177 University of Aberdeen 2178 School of Engineering 2179 Fraser Noble Building 2180 Aberdeen 2181 AB24 3UE 2182 United Kingdom 2184 Email: tom@erg.abdn.ac.uk 2186 Michael Tuexen 2187 Muenster University of Applied Sciences 2188 Stegerwaldstrasse 39 2189 48565 Steinfurt 2190 Germany 2192 Email: tuexen@fh-muenster.de 2194 Irene Ruengeler 2195 Muenster University of Applied Sciences 2196 Stegerwaldstrasse 39 2197 48565 Steinfurt 2198 Germany 2200 Email: i.ruengeler@fh-muenster.de 2202 Timo Voelker 2203 Muenster University of Applied Sciences 2204 Stegerwaldstrasse 39 2205 48565 Steinfurt 2206 Germany 2207 Email: timo.voelker@fh-muenster.de