idnits 2.17.1 draft-ietf-tsvwg-gre-in-udp-encap-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 744 has weird spacing: '...hecksum in IP...' -- The document date (October 27, 2014) is 3468 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC0768' is mentioned on line 287, but not defined == Missing Reference: 'TBD' is mentioned on line 532, but not defined == Missing Reference: 'RFC6935' is mentioned on line 261, but not defined == Missing Reference: 'RFC 6935' is mentioned on line 184, but not defined == Missing Reference: 'RFC 6936' is mentioned on line 273, but not defined == Missing Reference: 'RFC6936' is mentioned on line 302, but not defined == Missing Reference: 'RFC2914' is mentioned on line 443, but not defined == Missing Reference: 'I-D.-tsvwg-circuit-breaker' is mentioned on line 517, but not defined == Unused Reference: 'RFC791' is defined on line 661, but no explicit reference was found in the text == Unused Reference: 'RFC4364' is defined on line 701, but no explicit reference was found in the text == Unused Reference: 'RFC4884' is defined on line 704, but no explicit reference was found in the text == Unused Reference: 'RFC6790' is defined on line 711, but no explicit reference was found in the text == Unused Reference: 'CB' is defined on line 719, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 2983 ** Obsolete normative reference: RFC 5405 (Obsoleted by RFC 8085) -- Obsolete informational reference (is this intentional?): RFC 2460 (Obsoleted by RFC 8200) -- No information found for draft-bonica-intara-gre-mtu - is the name correct? Summary: 2 errors (**), 0 flaws (~~), 15 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group E. Crabbe, Ed. 2 Internet-Draft 3 Intended status: Standard Track L. Yong, Ed. 4 Huawei USA 5 X. Xu, Ed. 6 Huawei Technologies 8 Expires: April 2015 October 27, 2014 10 Generic UDP Encapsulation for IP Tunneling 11 draft-ietf-tsvwg-gre-in-udp-encap-03 13 Abstract 15 This document describes a method of encapsulating arbitrary 16 protocols within GRE and UDP headers. In this encapsulation, the 17 source UDP port may be used as an entropy field for purposes of load 18 balancing while the payload protocol may be identified by the GRE 19 Protocol Type. 21 Status of This Document 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six 32 months and may be updated, replaced, or obsoleted by other documents 33 at any time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on April 27, 2015. 38 Copyright Notice 40 Copyright (c) 2014 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with 48 respect to this document. Code Components extracted from this 49 document must include Simplified BSD License text as described in 50 Section 4.e of the Trust Legal Provisions and are provided without 51 warranty as described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction...................................................3 56 1.1. Applicability Statement...................................3 57 2. Terminology....................................................4 58 2.1. Requirements Language.....................................4 59 3. Procedures.....................................................4 60 3.1. UDP checksum usage with IPv6..............................5 61 3.2. Middlebox Considerations for IPv6 UDP Zero Checksums......7 62 3.3. GRE-in-UDP Encapsulation Format...........................8 63 4. Encapsulation Considerations..................................10 64 5. Congestion Considerations.....................................11 65 6. Backward Compatibility........................................13 66 7. IANA Considerations...........................................13 67 8. Security Considerations.......................................13 68 8.1. Vulnerability............................................13 69 9. Acknowledgements..............................................14 70 10. Contributors.................................................14 71 11. References...................................................16 72 11.1. Normative References....................................16 73 11.2. Informative References..................................16 74 12. Authors' Addresses...........................................17 76 1. Introduction 78 Load balancing, or more specifically, statistical multiplexing of 79 traffic using Equal Cost Multi-Path (ECMP) and/or Link Aggregation 80 Groups (LAGs) in IP networks is a widely used technique for creating 81 higher capacity networks out of lower capacity links. Most existing 82 routers in IP networks are already capable of distributing IP 83 traffic flows over ECMP paths and/or LAGs on the basis of a hash 84 function performed on flow invariant fields in IP packet headers and 85 their payload protocol headers. Specifically, when the IP payload is 86 a User Datagram Protocol (UDP)[RFC0768] or Transmission Control 87 Protocol (TCP) packet, router hash functions frequently operate on 88 the five-tuple of the source IP address, the destination IP address, 89 the source port, the destination port, and the protocol/next-header 91 Several tunneling techniques are in common use in IP networks, such 92 as Generic Routing Encapsulation (GRE) [RFC2784], MPLS [RFC4023] and 93 L2TPv3 [RFC3931]. GRE is an increasingly popular encapsulation 94 choice, especially in environments where MPLS is unavailable or 95 unnecessary. Unfortunately, use of common GRE endpoints may reduce 96 the entropy available for use in load balancing, especially in 97 environments where the GRE Key field [RFC2890] is not readily 98 available for use as entropy in forwarding decisions. 100 This document defines a generic GRE-in-UDP encapsulation for 101 tunneling arbitrary network protocol payloads across an IP network 102 environment where ECMP or LAGs are used. The GRE header provides 103 payload protocol de-multiplexing by way of it's protocol type field 104 [RFC2784] while the UDP header provides additional entropy by way of 105 it's source port. 107 This encapsulation method requires no changes to the transit IP 108 network. Hash functions in most existing IP routers may utilize and 109 benefit from the use of a GRE-in-UDP tunnel is without needing any 110 change or upgrade to their ECMP implementation. The encapsulation 111 mechanism is applicable to a variety of IP networks including Data 112 Center and wide area networks. 114 1.1. Applicability Statement 116 It is recommended to use GRE-in-UDP encapsulation within a Service 117 Provider (SP) network and/or DC network where the congestion control 118 is not a concern. However the encapsulation can apply to ISP 119 networks and/or Internet. Some environments request GRE-in-UDP 120 tunnel to run more functions than others. 122 GRE-in-UDP encapsulation may be used to tunnel the tunneled traffic, 123 i.e. tunnel-in-tunnel. The tunneled traffic may use GRE-in-UDP or 124 other tunnel encapsulation. In this case, GRE-in-UDP tunnel end 125 points treat other tunnel endpoints as of the end hosts for the 126 traffic and do not differentiate such end hosts from other end hosts. 127 The use case and applicability for a GRE-in-UDP tunnel egress and 128 stacked tunnel egress terminate on the same IP address is for 129 further study. 131 2. Terminology 133 The terms defined in [RFC768] are used in this document. 135 2.1. Requirements Language 137 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 138 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 139 document are to be interpreted as described in [RFC2119]. 141 3. Procedures 143 When a tunnel ingress device conforming to this document receives a 144 packet, the ingress MUST encapsulate the packet in UDP and GRE 145 headers and set the destination port of the UDP header to [TBD] 146 Section 6. The ingress device must also insert the payload protocol 147 type in the GRE Protocol Type field. The ingress device SHOULD set 148 the UDP source port based on flow invariant fields from the payload 149 header. In the case that ingress is unable to get the flow entropy 150 from the payload header, it should set a randomly selected constant 151 value for UDP source port to avoid payload packet flow reordering. 152 The value, for example, may be simply a result of boot-up time. How 153 a tunnel ingress generates entropy from the payload is outside the 154 scope of this document. The tunnel ingress MUST encode its own IP 155 address as the source IP address and the egress tunnel endpoint IP 156 address. The TTL field in the IP header must be set to a value 157 appropriate for delivery of the encapsulated packet to the tunnel 158 egress endpoint. 160 When the tunnel egress receives a packet, it must remove the outer 161 UDP and GRE headers. Section 5 describes the error handling when 162 this entity is not instantiated at the tunnel egress. 164 For IPv4 UDP encapsulation, this field is RECOMMENDED to be set to 165 zero because the IPv4 header includes a checksum, and use of the UDP 166 checksum is optional with IPv4, unless checksum protection of 167 tunneled payload is important, see Section 6. 169 For IPv6 UDP encapsulation, the IPv6 header does not include a 170 checksum, so this field MUST contain a UDP checksum that MUST be 171 used as specified in [RFC0768] and [RFC2460] unless one of the 172 exceptions that allows use of UDP zero-checksum mode (as specified 173 in [RFC6935]) applies. See Section 3.1 for specification of these 174 exceptions and additional requirements that apply when UDP zero- 175 checksum mode is used for GRE-in-UDP traffic over IPv6.The tunnel 176 ingress may set the GRE Key Present, Sequence Number Present, and 177 Checksum Present bits and associated fields in the GRE header 178 defined by [RFC2784] and [RFC2890]. 180 3.1. UDP checksum usage with IPv6 182 When UDP is used over IPv6, the UDP checksum is relied upon to 183 protect the IPv6 header from corruption, and MUST be used unless the 184 requirements in [RFC 6935] and [RFC 6936] for use of UDP zero- 185 checksum mode with a tunnel protocol are satisfied. Therefore, the 186 UDP checksum MUST be implemented and MUST be used in accordance with 187 [RFC0768] and [RFC2460] for GRE in UDP traffic over 189 IPv6 unless one of the following exceptions applies and the 190 additional requirements stated below are complied with. In addition, 191 use of the UDP checksum with IPv6 MUST be the default configuration 192 of all GRE-in-UDP implementations. 194 There are two exceptions that allow use of UDP zero-checksum mode 195 for IPv6 with GRE-in-UDP, subject to the additional requirements 196 stated below in this section. The two exceptions are: 198 o Use of GRE-in-UDP within a single service provider that utilizes 199 careful provisioning (e.g., rate limiting at the entries of the 200 network while over-provisioning network capacity) to ensure 201 against congestion and that actively monitors encapsulated 202 traffic for errors; or 204 o Use of GRE-in-UDP within a limited number of service providers 205 who closely cooperate in order to jointly provide this same 206 careful provisioning and monitoring. 208 As such, for IPv6, the UDP checksum for GRE-in-UDP MUST be used as 209 specified in [RFC0768] and [RFC2460] over the general Internet, and 210 over non-cooperating ISPs, even if each non-cooperating ISP 211 independently satisfies the first exception for UDP zero-checksum 212 mode usage with GRE-in-UDP over IPv6 within the ISP's own network. 214 Section 5 of RFC6936 [RFC6936] specifies the additional requirements 215 that implementation of UDP zero-checksum over IPv6 MUST compliant 216 with. To compliant with it, the following additional requirements 217 apply to GRE-in-UDP implementation and use of UDP zero-checksum mode 218 over IPv6: 220 a. A GRE-in-UDP implementation MUST comply with all requirements 221 specified in Section 4 of [RFC6936] and with requirement 1 222 specified in Section 5 of [RFC6936]. 224 b. A GRE-in-UDP receiver MUST check that the source and destination 225 IPv6 addresses are valid for the GRE-in-UDP tunnel and discard 226 any packet for which this check fails. 228 c. A GRE-in-UDP sender SHOULD use different IPv6 addresses for each 229 GRE-in-UDP tunnel that uses UDP zero-checksum mode in order to 230 strengthen the receiver's check of the IPv6 source address. When 231 this is not possible, it is RECOMMENDED to use each source IPv6 232 address for as few UDP zero-checksum mode MPLS-in-UDP tunnels as 233 is feasible. 235 d. GRE-in-UDP sender and receiver MUST agree the key(s) used over 236 the tunnel. The sender MUST insert a key on GRE header, and the 237 receiver MUST check if the key in GRE header is valid for the 238 tunnel and drop invalid packet. 240 e. A GRE-in-UDP receiver node SHOULD only enable the use of UDP 241 zero-checksum mode on a single UDP port and SHOULD NOT support 242 any other use UDP zero-checksum mode on any other UDP port. 244 f. A GRE-in-UDP sender SHOULD send GRE keepalive messages with a 245 zero UDP checksum. GRE-in-UDP receiver that discovers an 246 appreciable loss rate for keepalive packets MAY terminate the 247 tunnel. 249 g. GRE keepalive messages SHOULD include both UDP datagrams with a 250 checksum and datagrams with a zero UDP checksum. This will 251 enable the remote endpoint to distinguish between a path failure 252 and the dropping of datagrams with a zero UDP checksum. 254 h. Any middlebox support for MPLS-in-UDP with UDP zero-checksum mode 255 for IPv6 MUST comply with requirements 1 and 8-10 in Section 5 of 256 RFC 6936. 258 (Editor note: the design team and authors need further discuss above 259 requirements text) 260 The above requirements are intended to be in addition to the 261 requirements specified in [RFC2460] as modified by [RFC6935] and the 262 requirements specified in [RFC6936]. 264 GRE-in-UDP over IPv6 does not include an additional integrity check 265 because the above requirements in combination with the exceptions 266 that restrict use of UDP zero-checksum mode to well-managed networks 267 should not significantly increase the rate of corruption of UDP/GRE- 268 encapsulated traffic by comparison to GRE-encapsulated traffic over 269 similar well-managed networks and because GRE does not accumulate 270 incorrect state as a consequence of GRE header corruption. 272 Editor Note: The preceding paragraph addresses requirements 2-4 in 273 Section 5 of [RFC 6936]. Requirement 5 in that section is addressed 274 by the requirement e in this section. Requirements 6 and 7 in that 275 section are covered by the requirements f and g in this section. 276 Requirement 8-10 in that section is addressed by the requirement h 277 in this section. 279 In summary, UDP zero-checksum mode for IPv6 is allowed to be used 280 with GRE-in-UDP when one of the two exceptions specified above 281 applies, provided that additional requirements stated above are 282 complied with. Otherwise the UDP checksum MUST be used for IPv6 as 283 specified in [RFC0768] and [RFC2460]. 285 This entire section and its requirements apply only to use of UDP 286 zero-checksum mode for IPv6; they can be avoided by using the UDP 287 checksum as specified in [RFC0768] and [RFC2460]. 289 3.2. Middlebox Considerations for IPv6 UDP Zero Checksums 291 IPv6 datagrams with a zero UDP checksum will not be passed by any 292 middlebox that validates the checksum based on [RFC2460] or that 293 updates the UDP checksum field, such as NATs or firewalls. Changing 294 this behavior would require such middleboxes to be updated to 295 correctly handle datagrams with zero UDP checksums. The GRE-in-UDP 296 encapsulation does not provide a mechanism to safely fall back to 297 using a checksum when a path change occurs redirecting a tunnel over 298 a path that includes a middlebox that discards IPv6 datagrams with a 299 zero UDP checksum. In this case the GRE-in-UDP tunnel will be 300 black-holed by that middlebox. Recommended changes to allow 301 firewalls, NATs and other middleboxes to support use of an IPv6 zero 302 UDP checksum are described in Section 5 of [RFC6936]. 304 3.3. GRE-in-UDP Encapsulation Format 306 The format of the GRE-in-UDP encapsulation for both IPv4 and IPv6 307 outer headers is shown in the following figures: 309 0 1 2 3 310 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 312 IPv4 Header: 313 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 314 |Version| IHL |Type of Service| Total Length | 315 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 316 | Identification |Flags| Fragment Offset | 317 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 318 | Time to Live |Protcol=17(UDP)| Header Checksum | 319 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 320 | Source IPv4 Address | 321 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 322 | Destination IPv4 Address | 323 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 325 UDP Header: 326 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 327 | Source Port = XXXX | Dest Port = TBD | 328 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 329 | UDP Length | UDP Checksum | 330 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 332 GRE Header: 333 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 334 |C| |K|S| Reserved0 | Ver | Protocol Type | 335 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 336 | Checksum (optional) | Reserved1 (Optional) | 337 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 338 | Key (optional) | 339 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 340 | Sequence Number (Optional) | 341 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 343 Figure 1 UDP+GRE IPv4 headers 345 0 1 2 3 346 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 348 IPv6 Header: 349 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 350 |Version| Traffic Class | Flow Label | 351 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 352 | Payload Length | NxtHdr=17(UDP)| Hop Limit | 353 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 354 | | 355 + + 356 | | 357 + Outer Source IPv6 Address + 358 | | 359 + + 360 | | 361 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 362 | | 363 + + 364 | | 365 + Outer Destination IPv6 Address + 366 | | 367 + + 368 | | 369 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 371 UDP Header: 372 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 373 | Source Port = XXXX | Dest Port = TBD | 374 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 375 | UDP Length | UDP Checksum | 376 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 378 GRE Header: 379 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 380 |C| |K|S| Reserved0 | Ver | Protocol Type | 381 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 382 | Checksum (optional) | Reserved1 (Optional) | 383 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 384 | Key (optional) | 385 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 386 | Sequence Number (Optional) | 387 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 389 Figure 2 UDP+GRE IPv6 headers 391 The total overhead increase for a UDP+GRE tunnel without use of 392 optional GRE fields, representing the lowest total overhead increase, 393 is 32 bytes in the case of IPv4 and 52 bytes in the case of IPv6. 394 The total overhead increase for a UDP+GRE tunnel with use of GRE Key, 395 Sequence and Checksum Fields, representing the highest total 396 overhead increase, is 44 bytes in the case of IPv4 and 64 bytes in 397 the case of IPv6. 399 4. Encapsulation Considerations 401 GRE-in-UDP encapsulation is used for single tunnel mechanism where 402 both GRE and UDP header are required. The mechanism allows the 403 tunneled traffic to be unicast, broadcast, or multicast traffic. 404 Entropy may be generated from the header of tunneled unicast or 405 broadcast/multicast packets at tunnel ingress. The mapping mechanism 406 between the tunneled multicast traffic and the multicast capability 407 in the IP network is transparent and independent to the 408 encapsulation and is outside the scope of this document. 410 The tunnel ingress SHOULD perform the fragmentation [GREMTU] on a 411 packet before the encapsulation and factor in both GRE and UDP 412 header bytes in the effective Maximum Transmission Unit (MTU) size. 413 Not performing the fragmentation will cause the packets exceeding 414 network MTU size to be dropped in the network. The tunnel ingress 415 MUST use the same source UDP port for all packet fragments to ensure 416 that the transit routers will forward the packet fragments on the 417 same path. An operator should factor in the addition overhead bytes 418 when considering an MTU size for the payload to reduce the 419 likelihood of fragmentation. 421 To ensure the tunneled traffic gets the same treatment over the IP 422 network, prior to the encapsulation process, tunnel ingress should 423 process the payload to get the proper parameters to fill into the IP 424 header such as DiffServ [RFC2983]. Tunnel end points that support 425 ECN MUST use the method described in [RFC6040] for ECN marking 426 propagation. This process is outside of the scope of this document. 428 Note that the IPv6 header [RFC2460] contains a flow label field that 429 may be used for load balancing in an IPv6 network [RFC6438]. Thus 430 in an IPv6 network, either GRE-in-UDP or flow labels may be used for 431 improving load balancing performance. Use of GRE-in-UDP 432 encapsulation provides a unified hardware implementation for load 433 balancing in an IP network independent of the IP version(s) in use. 434 However IPv6 network require performing the UDP checksum, which may 435 impact network performance and user experience. Thus, a flow label 436 based load balancing may be a better approach in an IPv6 network. 438 5. Congestion Considerations 440 Section 3.1.3 of RFC 5405 [RFC5405] discussed the congestion 441 implications of UDP tunnels. As discussed in RFC 5405, because other 442 flows can share the path with one or more UDP tunnels, congestion 443 control [RFC2914] needs to be considered. 445 A major motivation for encapsulating GRE in UDP is to provide a 446 generic UDP tunnel protocol to tunnel a network protocol over IP 447 network and improve the use of multipath (such as Equal Cost 448 MultiPath, ECMP) in cases where traffic is to traverse routers which 449 are able to hash on UDP Port and IP address. As such, in many cases 450 this may reduce the occurrence of congestion and improve usage of 451 available network capacity. However, it is also necessary to ensure 452 that the network, including applications that use the network, 453 responds appropriately in more difficult cases, such as when link or 454 equipment failures have reduced the available capacity. 456 The impact of congestion must be considered both in terms of the 457 effect on the rest of the network of a UDP tunnel that is consuming 458 excessive capacity, and in terms of the effect on the flows using 459 the UDP tunnels. The potential impact of congestion from a UDP 460 tunnel depends upon what sort of traffic is carried over the tunnel, 461 as well as the path of the tunnel. 463 GRE in UDP as a generic UDP tunnel mechanism can be used to carry a 464 network protocol and traffic. If tunneled traffic is already 465 congestion controlled, GRE in UDP tunnel generally does not need 466 additional congestion control mechanisms. As specified in RFC 5405: 468 IP-based traffic is generally assumed to be congestion-controlled, 469 i.e., it is assumed that the transport protocols generating IP-based 470 traffic at the sender already employ mechanisms that are sufficient 471 to address congestion on the path. Consequently, a tunnel carrying. 473 IP-based traffic should already interact appropriately with other 474 traffic sharing the path, and specific congestion control mechanisms 475 for the tunnel are not necessary. 477 For this reason, where GRE in UDP tunneling is used to carry IP 478 traffic that is known to be congestion controlled, the tunnel MAY be 479 used across any combination of a single service provider, multiple 480 cooperating service providers, or across the general Internet. 481 Internet IP traffic is generally assumed to be congestion-controlled. 483 However, GRE in UDP tunneling is also used in many cases to carry 484 traffic that is not necessarily congestion controlled. In such cases 485 service providers and data center operators may avoid congestion by 486 careful provisioning of their networks, by rate limiting of user 487 data traffic, and/or by using Traffic Engineering tools to monitor 488 the network segments and dynamically steers traffic away from the 489 potential congested link in time. 491 For this reason, where the GRE payload traffic is not congestion 492 controlled, GRE in UDP tunnels MUST only be used within a single 493 service provider that utilizes careful provisioning (e.g., rate 494 limiting at the entries of the network while over-provisioning 495 network capacity) to ensure against congestion, or within a limited 496 number of service providers who closely cooperate in order to 497 jointly provide this same careful provisioning. 499 As such, GRE in UDP MUST NOT be used over the general Internet, or 500 over non-cooperating ISPs, to carry traffic that is not congestion- 501 controlled. 503 Measures SHOULD be taken to prevent non-congestion-controlled GRE- 504 over-UDP traffic from "escaping" to the general Internet, e.g.: 506 o physical or logical isolation of the links carrying GRE-over-UDP 507 from the general Internet, 509 o deployment of packet filters that block the UDP ports assigned 510 for GRE-over-UDP, 512 o imposition of restrictions on GRE-over-UDP traffic by software 513 tools used to set up GRE-over-UDP tunnels between specific end 514 systems (as might be used within a single data center), and 516 o use of a "Managed Circuit Breaker" for the tunneled traffic as 517 described in [I-D.-tsvwg-circuit-breaker]. 519 [Editor: the text in this section was derived from the text for 520 mpls-in-udp. More work necessary to make general for this] 522 6. Backward Compatibility 524 It is assumed that tunnel ingress routers must be upgraded in order 525 to support the encapsulations described in this document. 527 No change is required at transit routers to support forwarding of 528 the encapsulation described in this document. 530 If a router that is intended for use as a tunnel egress does not 531 support the GRE-in-UDP encapsulation described in this document, it 532 will not be listening on destination port [TBD]. In these cases, 533 the router will conform to normal UDP processing and respond to the 534 tunnel ingress with an ICMP message indicating "port unreachable" 535 according to [RFC792]. Upon receiving this ICMP message, the tunnel 536 ingress MUST NOT continue to use GRE-in-UDP encapsulation toward 537 this tunnel egress without management intervention. 539 7. IANA Considerations 541 IANA is requested to make the following allocation: 543 Service Name: GRE-in-UDP 544 Transport Protocol(s): UDP 545 Assignee: IESG 546 Contact: IETF Chair 547 Description: GRE-in-UDP Encapsulation 548 Reference: [This.I-D] 549 Port Number: TBD 550 Service Code: N/A 551 Known Unauthorized Uses: N/A 552 Assignment Notes: N/A 554 8. Security Considerations 556 8.1. Vulnerability 558 Neither UDP nor GRE encapsulation effects security for the payload 559 protocol. When using GRE-in-UDP, Network Security in a network is 560 the same as that of a network using GRE. 562 Use of ICMP for signaling of the GRE-in-UDP encapsulation capability 563 adds a security concern. Upon receiving an ICMP message and before 564 taking an action on it, the ingress MUST validate the IP address 565 originating against tunnel egress address and MUST evaluate the 566 packet header returned in the ICMP payload to ensure the source port 567 is the one used for this tunnel. The mechanism for performing this 568 validation is out of the scope of this document. 570 In an instance where the UDP src port is not set based on the flow 571 invariant fields from the payload header, a random port SHOULD be 572 selected in order to minimize the vulnerability to off-path attacks. 573 [RFC6056] How the src port randomization occurs is outside scope of 574 this document. 576 Using one standardized value in UDP destination port for an 577 encapsulation indication may increase the vulnerability of off-path 578 attack. To overcome this, tunnel egress may request tunnel ingress 579 using a different and specific value [RFC6056] in UDP destination 580 port for the GRE-in-UDP encapsulation indication. How the tunnel end 581 points communicate the value is outside scope of this document. 583 This document does not require that the tunnel egress validates the 584 IP source address of the tunneled packets (with the exception that 585 the IPv6 source address MUST be validated when UDP zero-checksum 586 mode is used with IPv6), but it should be understood that failure to 587 do so presupposes that there is effective destination-based (or a 588 combination of source-based and destination-based) filtering at the 589 boundaries. 591 9. Acknowledgements 593 Authors like to thank Vivek Kumar, Ron Bonica, Joe Touch, Ruediger 594 Geib, Gorry Fairhurst, David Black, Lar Edds, Lloyd, and many others 595 for their review and valuable input on this draft. 597 Thank the design team led by David Black (members: Ross Callon, 598 Gorry Fairhurst, Xiaohu Xu, Lucy Yong) to efficiently work out the 599 descriptions for the congestion considerations and IPv6 UDP zero 600 checksum. 602 10. Contributors 604 The following people all contributed significantly to this document 605 and are listed below in alphabetical order: 607 Ross Callon 608 Juniper Networks 609 10 Technology Park Drive 610 Westford, MA 01886 611 USA 613 Email: rcallon@juniper.net 615 David Black 616 EMC Corporation 617 176 South Street 618 Hopkinton, MA 01748 619 USA 621 Email: david.black@emc.com 623 John E. Drake 624 Juniper Networks 626 Email: jdrake@juniper.net 628 Adrian Farrel 629 Juniper Networks 631 Email: adrian@olddog.co.uk 633 Vishwas Manral 634 Hewlett-Packard Corp. 635 3000 Hanover St, Palo Alto. 637 Email: vishwas.manral@hp.com 639 Carlos Pignataro 640 Cisco Systems 641 7200-12 Kit Creek Road 642 Research Triangle Park, NC 27709 USA 644 EMail: cpignata@cisco.com 646 Yongbing Fan 647 China Telecom 648 Guangzhou, China. 650 Phone: +86 20 38639121 652 Email: fanyb@gsta.com 654 11. References 656 11.1. Normative References 658 [RFC768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 659 August 1980. 661 [RFC791] DARPA, "Internet Protocol", RFC791, September 1981 663 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 664 Requirement Levels", BCP 14, RFC2119, March 1997. 666 [RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. 667 Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, 668 March 2000. 670 [RFC2890] Dommety, G., "Key and Sequence Number Extensions to GRE", 671 RFC2890, September 2000. 673 [RFC2983] Black, D., "Differentiated Services and Tunnels", RFC2983, 674 October 2000. 676 [RFC5405] Eggert, L., "Unicast UDP Usage Guideline for Application 677 Designers", RFC5405, November 2008. 679 [RFC6040] Briscoe, B., "Tunneling of Explicit Congestion 680 Notification", RFC6040, November 2010 682 [RFC6438] Carpenter, B., Amante, S., "Using the IPv6 Flow Label for 683 Equal Cost Multipath Routing and Link Aggregation in 684 tunnels", RFC6438, November, 2011 686 11.2. Informative References 688 [RFC792] Postel, J., "Internet Control Message Protocol", STD 5, RFC 689 792, September 1981. 691 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 692 (IPv6) Specification", RFC 2460, December 1998. 694 [RFC3931] Lau, J., Townsley, M., and I. Goyret, "Layer Two Tunneling 695 Protocol - Version 3 (L2TPv3)", RFC 3931, March 2005. 697 [RFC4023] Worster, T., Rekhter, Y., and E. Rosen, "Encapsulating 698 MPLS in IP or Generic Routing Encapsulation (GRE)", RFC 699 4023, March 2005. 701 [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private 702 Networks (VPNs)", RFC 4364, February 2006. 704 [RFC4884] Bonica, R., Gan, D., Tappan, D., and C. Pignataro, 705 "Extended ICMP to Support Multi-Part Messages", RFC 4884, 706 April 2007. 708 [RFC6056] Larsen, M. and Gont, F., "Recommendations for Transport- 709 Protocol Port Randomization", RFC6056, January 2011 711 [RFC6790] Kompella, K., Drake, J., Amante, S., Henderickx, W., and 712 L. Yong, "The Use of Entropy Labels in MPLS Forwarding", 713 RFC 6790, November 2012. 715 [GREMTU] Bonica, R., "A Fragmentation Strategy for Generic Routing 716 Encapsulation (GRE)", draft-bonica-intara-gre-mtu, work in 717 progress 719 [CB] Fairhurst, G., "Network Transport Circuit Breakers", 720 draft-fairhurst-tsvwg-circuit-breaker-01, work in progress 722 12. Authors' Addresses 724 Edward Crabbe (editor) 726 Email: edward.crabbe@gmail.com 728 Lucy Yong (editor) 729 Huawei Technologies, USA 731 Email: lucy.yong@huawei.com 733 Xiaohu Xu (editor) 734 Huawei Technologies, 735 Beijing, China 737 Email: xuxiaohu@huawei.com 739 Gorry's comments 740 - give an example of random constant value selection for UDP 741 source port in the case where tunnel ingress can't get flow 742 entropy 743 - use "MUST" instead of "SHOULD" for requesting use of UDP 744 checksum in IPv6 network 745 - more concise text for congestion description; use some text 746 in [RFC5405] 747 - State what consequence without doing fragmentation 748 - tunnel ingress actions upon receiving an ICMP msg 749 - tunnel-in-tunnel case 750 - CB does not describe the protocol to support CB, only the 751 mechanism. UDP report protocol may be good fit.