idnits 2.17.1 draft-ietf-tsvwg-gre-in-udp-encap-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 11, 2015) is 3362 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC6438' is defined on line 813, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 2983 ** Obsolete normative reference: RFC 5405 (Obsoleted by RFC 8085) -- Obsolete informational reference (is this intentional?): RFC 793 (Obsoleted by RFC 9293) -- Obsolete informational reference (is this intentional?): RFC 2460 (Obsoleted by RFC 8200) == Outdated reference: A later version (-14) exists of draft-ietf-intarea-gre-ipv6-02 Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group E. Crabbe 2 Internet-Draft 3 Intended status: Standard Track L. Yong 4 Huawei USA 5 X. Xu 6 Huawei Technologies 7 T. Herbert 8 Google 10 Expires: August 2015 February 11, 2015 12 GRE-in-UDP Encapsulation 13 draft-ietf-tsvwg-gre-in-udp-encap-04 15 Abstract 17 This document describes a method of encapsulating network protocol 18 packets within GRE and UDP headers. In this encapsulation, the 19 source UDP port can be used as an entropy field for purposes of load 20 balancing, while the protocol of the encapsulated packet in the GRE 21 payload is identified by the GRE Protocol Type. Usage restrictions 22 apply to GRE-in-UDP usage for traffic that is not congestion 23 controlled and to UDP zero checksum usage with IPv6. 25 Status of This Document 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six 36 months and may be updated, replaced, or obsoleted by other documents 37 at any time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on August 11, 2015. 42 Copyright Notice 44 Copyright (c) 2015 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with 52 respect to this document. Code Components extracted from this 53 document must include Simplified BSD License text as described in 54 Section 4.e of the Trust Legal Provisions and are provided without 55 warranty as described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction...................................................3 60 1.1. Applicability Statement...................................3 61 2. Terminology....................................................4 62 2.1. Requirements Language.....................................4 63 3. Encapsulation in UDP...........................................4 64 3.1. IP header.................................................7 65 3.2. UDP header................................................7 66 3.2.1. Source Port..........................................7 67 3.2.2. Destination port.....................................7 68 3.2.3. Checksum.............................................7 69 3.2.4. Length...............................................8 70 3.3. GRE header................................................8 71 4. UDP Checksum Handling..........................................8 72 4.1. UDP Checksum with IPv4....................................8 73 4.2. UDP Checksum with IPv6....................................9 74 4.2.1. Middlebox Considerations for IPv6 UDP Zero Checksums12 75 5. Encapsulation Process Procedures..............................12 76 5.1. Packet Fragmentation.....................................13 77 5.2. Differentiated services..................................13 78 6. Congestion Considerations.....................................14 79 7. Backward Compatibility........................................15 80 8. IANA Considerations...........................................16 81 9. Security Considerations.......................................16 82 9.1. Vulnerability............................................16 83 10. Acknowledgements.............................................17 84 11. Contributors.................................................17 85 12. References...................................................19 86 12.1. Normative References....................................19 87 12.2. Informative References..................................19 88 13. Authors' Addresses...........................................20 90 1. Introduction 92 Load balancing, or more specifically statistical multiplexing of 93 traffic using Equal Cost Multi-Path (ECMP) and/or Link Aggregation 94 Groups (LAGs) in IP networks is a widely used technique for creating 95 higher capacity networks out of lower capacity links. Most existing 96 routers in IP networks are already capable of distributing IP 97 traffic flows over ECMP paths and/or LAGs on the basis of a hash 98 function performed on flow invariant fields in IP packet headers and 99 their payload protocol headers. Specifically, when the IP payload is 100 a User Datagram Protocol (UDP)[RFC768] or Transmission Control 101 Protocol (TCP) [RFC793] packet, router hash functions frequently 102 operate on the five-tuple of source IP address, destination IP 103 address, source port, destination port, and protocol/next-header 105 Several encapsulation techniques are commonly used in IP networks, 106 such as Generic Routing Encapsulation (GRE) [RFC2784], MPLS 107 [RFC4023] and L2TPv3 [RFC3931]. GRE is an increasingly popular 108 encapsulation choice. Unfortunately, use of common GRE endpoints may 109 reduce the entropy available for use in load balancing, especially 110 in environments where the GRE Key field [RFC2890] is not readily 111 available for use as entropy in forwarding decisions. 113 This document defines a generic GRE-in-UDP encapsulation for 114 tunneling network protocol packets across an IP network. The GRE 115 header provides payload protocol type as an EtherType in the 116 protocol type field [RFC2784][GREIPV6], and the UDP header provides 117 additional entropy by way of its source port. 119 This encapsulation method requires no changes to the transit IP 120 network. Hash functions in most existing IP routers may utilize and 121 benefit from the use of a GRE-in-UDP tunnel without needing any 122 change or upgrade to their ECMP implementation. The encapsulation 123 mechanism is applicable to a variety of IP networks including Data 124 Center and wide area networks. 126 1.1. Applicability Statement 128 GRE encapsulation is widely used for many applications. For example, 129 to redirect IP traffic to traverse a different path instead of the 130 default path in an operator network, to tunnel private network 131 traffic over a public network by use of public IP network addresses, 132 or to tunnel IPv6 traffic over an IPv4 network, etc. 134 When encapsulating GRE in UDP, encapsulated traffic will be treated 135 as a UDP application, not as a GRE application, in an IP network. 137 Thus GRE-in-UDP applications must meet UDP tunnel requirements as 138 specified in [RFC5405]. This may constrain GRE-in-UDP tunnel usage 139 in certain applications and/or environments. See Section 6. 141 GRE-in-UDP encapsulation may be used to encapsulate already tunneled 142 traffic, i.e. tunnel-in-tunnel. The tunneled traffic may use GRE-in- 143 UDP or other tunnel encapsulation. In this case, GRE-in-UDP tunnel 144 end points treat other tunnel endpoints as of the end hosts for the 145 traffic and do not differentiate such end hosts from other end hosts. 147 2. Terminology 149 The terms defined in [RFC768][RFC2784] are used in this document. 151 2.1. Requirements Language 153 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 154 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 155 document are to be interpreted as described in [RFC2119]. 157 3. Encapsulation in UDP 159 GRE-in-UDP encapsulation format is shown as follows: 161 0 1 2 3 162 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 164 IPv4 Header: 165 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 166 |Version| IHL |Type of Service| Total Length | 167 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 168 | Identification |Flags| Fragment Offset | 169 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 170 | Time to Live |Protcol=17(UDP)| Header Checksum | 171 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 172 | Source IPv4 Address | 173 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 174 | Destination IPv4 Address | 175 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 177 UDP Header: 178 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 179 | Source Port = XXXX | Dest Port = TBD | 180 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 181 | UDP Length | UDP Checksum | 182 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 184 GRE Header: 185 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 186 |C| |K|S| Reserved0 | Ver | Protocol Type | 187 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 188 | Checksum (optional) | Reserved1 (Optional) | 189 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 190 | Key (optional) | 191 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 192 | Sequence Number (Optional) | 193 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 195 Figure 1 UDP+GRE Headers in IPv4 197 0 1 2 3 198 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 200 IPv6 Header: 201 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 202 |Version| Traffic Class | Flow Label | 203 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 204 | Payload Length | NxtHdr=17(UDP)| Hop Limit | 205 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 206 | | 207 + + 208 | | 209 + Outer Source IPv6 Address + 210 | | 211 + + 212 | | 213 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 214 | | 215 + + 216 | | 217 + Outer Destination IPv6 Address + 218 | | 219 + + 220 | | 221 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 223 UDP Header: 224 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 225 | Source Port = XXXX | Dest Port = TBD | 226 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 227 | UDP Length | UDP Checksum | 228 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 230 GRE Header: 231 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 232 |C| |K|S| Reserved0 | Ver | Protocol Type | 233 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 234 | Checksum (optional) | Reserved1 (Optional) | 235 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 236 | Key (optional) | 237 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 238 | Sequence Number (Optional) | 239 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 241 Figure 2 UDP+GRE Headers in IPv6 243 The contents of the IP, UDP, and GRE headers that are relevant in 244 this encapsulation are described below. 246 3.1. IP header 248 An encapsulator MUST encode its own IP address as the source IP 249 address and the decapsulator's IP address as the destination IP 250 address. The TTL field in the IP header must be set to a value 251 appropriate for delivery of the encapsulated packet to the peer of 252 the encapsulation. 254 3.2. UDP header 256 3.2.1. Source Port 258 The UDP source port contains a 16-bit entropy value that is 259 generated by the encapsulator to identify a flow for the 260 encapsulated packet. The port value SHOULD be within the ephemeral 261 port range. IANA suggests this range to be 49152 to 65535, where the 262 high order two bits of the port are set to one. This provides 263 fourteen bits of entropy for the inner flow identifier. In the case 264 that an encapsulator is unable to derive flow entropy from the 265 payload header, it should set a randomly selected constant value for 266 UDP source port to avoid payload packet flow reordering. 268 The source port value for a flow set by an encapsulator MAY change 269 over the lifetime of the encapsulated flow. For instance, an 270 encapsulator may change the assignment for Denial of Service (DOS) 271 mitigation or as a means to effect routing through the ECMP network. 272 An encapsulator SHOULD NOT change the source port selected for a 273 flow more than once every thirty seconds. 275 How an encapsulator generates entropy from the payload is outside 276 the scope of this document. 278 3.2.2. Destination port 280 The destination port of the UDP header is set the GRE/UDP port (TBD) 281 (see Section 8). 283 3.2.3. Checksum 285 The UDP checksum is set and processed per [RFC768] and [RFC1122] for 286 IPv4, and [RFC2460] for IPv6. Requirements for checksum handling and 287 use of zero UDP checksums are detailed in section 4. 289 3.2.4. Length 291 The usage of this field is in accordance with the current UDP 292 specification in [RFC768]. This length will include the UDP header 293 (eight bytes), GRE header, and the GRE payload (encapsulated packet). 295 3.3. GRE header 297 An encapsulator sets the protocol type (EtherType) of the packet 298 being encapsulated in the GRE Protocol Type field. 300 An encapsulator may set the GRE Key Present, Sequence Number Present, 301 and Checksum Present bits and associated fields in the GRE header as 302 defined by [RFC2784] and [RFC2890]. 304 The GRE checksum MAY be enabled to protect the GRE header and 305 payload. An encapsulator SHOULD NOT enable both the GRE checksum and 306 UDP checksum simultaneously as this would be mostly redundant. Since 307 the UDP checksum covers more of the packet including the GRE header 308 and payload, the UDP checksum SHOULD have preference to using GRE 309 checksum. 311 4. UDP Checksum Handling 313 4.1. UDP Checksum with IPv4 315 For UDP in IPv4, the UDP checksum MUST be processed as specified in 316 [RFC768] and [RFC1122] for both transmit and receive. An 317 encapsulator MAY set the UDP checksum to zero for performance or 318 implementation considerations. The IPv4 header includes a checksum 319 which protects against mis-delivery of the packet due to corruption 320 of IP addresses. The UDP checksum potentially provides protection 321 against corruption of the UDP header, GRE header, and GRE payload. 322 Enabling or disabling the use of checksums is a deployment 323 consideration that should take into account the risk and effects of 324 packet corruption, and whether the packets in the network are 325 already adequately protected by other, possibly stronger mechanisms 326 such as the Ethernet CRC. 328 When a decapsulator receives a packet, the UDP checksum field MUST 329 be processed. If the UDP checksum is non-zero, the decapsulator MUST 330 verify the checksum before accepting the packet. By default a 331 decapsularor SHOULD accept UDP packets with a zero checksum. A node 332 MAY be configured to disallow zero checksums per [RFC1122]; this may 333 be done selectively, for instance disallowing zero checksums from 334 certain hosts that are known to be sending over paths subject to 335 packet corruption. If verification of a non-zero checksum fails, a 336 decapsulator lacks the capability to verify a non-zero checksum, or 337 a packet with a zero-checksum was received and the decapsulator is 338 configured to disallow, the packet MUST be dropped and an event MAY 339 be logged. 341 4.2. UDP Checksum with IPv6 343 For UDP in IPv6, the UDP checksum MUST be processed as specified in 344 [RFC768] and [RFC2460] for both transmit and receive. 346 When UDP is used over IPv6, the UDP checksum is relied upon to 347 protect both the IPv6 and UDP headers from corruption, and so MUST 348 used with the following exceptions: 350 a. Use of GRE-in-UDP in networks under single administrative 351 control (such as within a single operator's network) where it 352 is known (perhaps through knowledge of equipment types and 353 lower layer checks) that packet corruption is exceptionally 354 unlikely and where the operator is willing to take the risk of 355 undetected packet corruption. 357 b. Use of GRE-in-UDP in networks under single administrative 358 control (such as within a single operator's network) where it 359 is judged through observational measurements (perhaps of 360 historic or current traffic flows that use a non-zero checksum) 361 that the level of packet corruption is tolerably low and where 362 the operator is willing to take the risk of undetected packet 363 corruption. 365 c. Use of GRE-in-UDP for traffic delivery for applications that 366 are tolerant of misdelivered or corrupted packets (perhaps 367 through higher layer checksum, validation, and retransmission 368 or transmission redundancy) where the operator is willing to 369 rely on the applications using the tunnel to survive any 370 corrupt packets. 372 For these exceptions, the UDP zero-checksum mode can be used. 373 However the use of the UDP zero-checksum mode must meet the 374 requirements specified in [RFC6935] and [RFC6936] as well at the 375 additional requirements stated below. 377 These exceptions may also be extended to the use of GRE-in-UDP 378 within a set of closely cooperating network administrations (such as 379 network operators who have agreed to work together in order to 380 jointly provide specific services). 382 As such, for IPv6, the UDP checksum for GRE-in-UDP MUST be used as 383 specified in [RFC768] and [RFC2460] for tunnels that span multiple 384 networks whose network administrations do not cooperate closely, 385 even if each non-cooperating network administration independently 386 satisfies one or more of the exceptions for UDP zero-checksum mode 387 usage with GRE-in-UDP over IPv6. 389 The following additional requirements apply to implementation and 390 use of UDP zero-checksum mode for GRE-in-UDP over IPv6: 392 a. Use of the UDP checksum with IPv6 MUST be the default 393 configuration of all GRE-in-UDP implementations. 395 b. The GRE-in-UDP implementation MUST comply with all requirements 396 specified in Section 4 of [RFC6936] and with requirement 1 397 specified in Section 5 of [RFC6936]. 399 c. A decapsulator SHOULD only allow the use of UDP zero-checksum 400 mode for IPv6 on a single received UDP Destination Port. The 401 motivation for this requirement is possible corruption of the UDP 402 destination port, which may cause packet delivery to the wrong 403 UDP port. If that other UDP port requires the UDP checksum, the 404 mis-delivered packet will be discarded 406 d. By default a decapsulator MUST disallow receipt of GRE-in-UDP 407 packets with zero UDP checksums with IPv6. Zero checksums May 408 selectively be enabled for certain source address. A decapsulator 409 MUST check that the source and destination IPv6 addresses are 410 valid for the GRE-in-UDP tunnel on which the packet was received 411 if that tunnel uses UDP zero-checksum mode and discard any packet 412 for which this check fails. 414 e. An encapsulator SHOULD use different IPv6 addresses for each GRE- 415 in-UDP tunnel that uses UDP zero-checksum mode regardless of the 416 decapsulator in order to strengthen the decapsulator's check of 417 the IPv6 source address (i.e., the same IPv6 source address 418 SHOULD NOT be used with more than one IPv6 destination address, 419 independent of whether that destination address is a unicast or 420 multicast address). When this is not possible, it is RECOMMENDED 421 to use each source IPv6 address for as few UDP zero-checksum mode 422 GRE-in-UDP tunnels as is feasible. 424 f. Any middlebox support for GRE-in-UDP with UDP zero-checksum mode 425 for IPv6 MUST comply with requirements 1 and 8-10 in Section 5 of 426 [RFC6936].[RFC6936]. 428 g. Measures SHOULD be taken to prevent IPv6 traffic with zero UDP 429 checksums from "escaping" to the general Internet; see Section 6 430 for examples of such measures. 432 h. IPv6 traffic with zero UDP checksums MUST be actively monitored 433 for errors by the network operator. 435 i. The use a zero UDP checksum should present the equivalent risk of 436 undetected packet corruption when sending similar packet using 437 GRE-in-IPv6 without UDP and without GRE checksums. 439 j. If a packet with a non-zero checksum is received, the checksum 440 MUST be verified before accepting the packet. This is regardless 441 of whether a tunnel encapsulator and decapsulator have been 442 configured with UDP zero-checksum mode. 444 The above requirements do not change either the requirements 445 specified in [RFC2460] as modified by [RFC6935] or the requirements 446 specified in [RFC6936]. 448 The requirement to check the source IPv6 address in addition to the 449 destination IPv6 address, plus the strong recommendation against 450 reuse of source IPv6 addresses among GRE-in-UDP tunnels collectively 451 provide some mitigation for the absence of UDP checksum coverage of 452 the IPv6 header. Additional assurance is provided by the 453 restrictions in the above exceptions that limit usage of IPv6 UDP 454 zero-checksum mode to well-managed networks for which GRE 455 encapsulated packet corruption has not been a problem in practice. 457 Hence GRE-in-UDP is suitable for transmission over lower layers in 458 the well-managed networks that are allowed by the exceptions stated 459 above and the rate of corruption of the inner IP packet on such 460 networks is not expected to increase by comparison to GRE traffic 461 that is not encapsulated in UDP. For these reasons, GRE-in-UDP does 462 not provide an additional integrity check except when GRE checksum 463 is used when UDP zero-checksum mode is used with IPv6, and this 464 design is in accordance with requirements 2, 3 and 5 specified in 465 Section 5 of [RFC6936]. 467 GRE does not accumulate incorrect state as a consequence of GRE 468 header corruption. A corrupt GRE results in either packet discard or 469 forwarding of the packet without accumulation of GRE state. GRE 470 checksum MAY be used for protecting GRE header and payload. Active 471 monitoring of GRE-in-UDP traffic for errors is REQUIRED as 472 occurrence of errors will result in some accumulation of error 473 information outside the protocol for operational and management 474 purposes. This design is in accordance with requirement 4 specified 475 in Section 5 of [RFC6936]. 477 The remaining requirements specified in Section 5 of [RFC6936] are 478 inapplicable to GRE-in-UDP. Requirements 6 and 7 do not apply 479 because GRE does not have a GRE-generic control feedback mechanism. 480 Requirements 8-10 are middlebox requirements that do not apply to 481 GRE-in-UDP tunnel endpoints, but see Section 3.2 for further 482 middlebox discussion. 484 In summary, UDP zero-checksum mode for IPv6 is allowed to be used 485 with GRE-in-UDP when one of the three exceptions specified above 486 applies, provided that additional requirements stated above are 487 complied with. Otherwise the UDP checksum MUST be used for IPv6 as 488 specified in [RFC768] and [RFC2460]. 490 4.2.1. Middlebox Considerations for IPv6 UDP Zero Checksums 492 IPv6 datagrams with a zero UDP checksum will not be passed by any 493 middlebox that validates the checksum based on [RFC2460] or that 494 updates the UDP checksum field, such as NATs or firewalls. Changing 495 this behavior would require such middleboxes to be updated to 496 correctly handle datagrams with zero UDP checksums. The GRE-in-UDP 497 encapsulation does not provide a mechanism to safely fall back to 498 using a checksum when a path change occurs redirecting a tunnel over 499 a path that includes a middlebox that discards IPv6 datagrams with a 500 zero UDP checksum. In this case the GRE-in-UDP tunnel will be 501 black-holed by that middlebox. Recommended changes to allow 502 firewalls, NATs and other middleboxes to support use of an IPv6 zero 503 UDP checksum are described in Section 5 of [RFC6936]. 505 5. Encapsulation Process Procedures 507 This GRE-in-UDP encapsulation allows packets to be forwarded through 508 "GRE-UDP tunnels". When performing GRE-in-UDP encapsulation by the 509 encapsulator, the entropy value would be generated by the 510 encapsulator and then be filled in the Source Port field of the UDP 511 header. The Destination Port field is set to a value (TBD) 512 allocated by IANA to indicate that the UDP tunnel payload is a GRE 513 packet. The Protocol Type header field in GRE header is set to the 514 EtherType value corresponding to the protocol of the encapsulated 515 packet. 517 Intermediate routers, upon receiving these UDP encapsulated packets, 518 could balance these packets based on the hash of the five-tuple of 519 UDP packets. 521 Upon receiving these UDP encapsulated packets, the decapsulator 522 would decapsulate them by removing the UDP headers and then process 523 them accordingly. 525 Note: Each UDP tunnel is unidirectional, as GRE-in-UDP traffic is 526 sent to the IANA-allocated UDP Destination Port, and in particular, 527 is never sent back to any port used as a UDP Source Port (which 528 serves solely as a source of entropy). This is at odds with a common 529 middlebox (e.g., firewall) assumption that bidirectional traffic 530 uses a common pair of UDP ports. As a result, arranging to pass 531 bidirectional GRE-in-UDP traffic through middleboxes may require 532 separate configuration for each direction of traffic. 534 GRE-in-UDP allows encapsulation of unicast, broadcast, or multicast 535 traffic. Entropy may be generated from the header of encapsulated 536 unicast or broadcast/multicast packets at an encapsulator. The 537 mapping mechanism between the encapsulated multicast traffic and the 538 multicast capability in the IP network is transparent and 539 independent to the encapsulation and is otherwise outside the scope 540 of this document. 542 5.1. Packet Fragmentation 544 Regarding Fragmentation, an encapsulator SHOULD perform 545 fragmentation [GREMTU] on a packet before encapsulation and factor 546 in both GRE and UDP header bytes in the effective Maximum 547 Transmission Unit (MTU) size. Not performing the fragmentation will 548 cause the packets exceeding network MTU size to be dropped or 549 fragmented in the network. An encapsulator MUST use the same source 550 UDP port for all packet fragments to ensure that the transit routers 551 will forward the packet fragments on the same path. An operator 552 should factor in the additional bytes of overhead when considering 553 an MTU size for the payload to reduce the likelihood of 554 fragmentation. 556 5.2. Differentiated services 558 To ensure that tunneled traffic gets the same treatment over the IP 559 network, prior to the encapsulation process, an encapsulator should 560 process the payload to get the proper parameters to fill into the IP 561 header such as DiffServ [RFC2983]. Encapsulation end points that 562 support ECN must use the method described in [RFC6040] for ECN 563 marking propagation. This process is outside of the scope of this 564 document. 566 6. Congestion Considerations 568 Section 3.1.3 of [RFC5405] discussed the congestion implications of 569 UDP tunnels. As discussed in [RFC5405], because other flows can 570 share the path with one or more UDP tunnels, congestion control 571 [RFC2914] needs to be considered. 573 A major motivation for GRE-in-UDP encapsulation is to tunnel a 574 network protocol over IP network and improve the use of multipath 575 (such as ECMP) in cases where traffic is to traverse routers which 576 are able to hash on UDP Port and IP address. As such, in many cases 577 this may reduce the occurrence of congestion and improve usage of 578 available network capacity. However, it is also necessary to ensure 579 that the network, including applications that use the network, 580 responds appropriately in more difficult cases, such as when link or 581 equipment failures have reduced the available capacity. 583 The impact of congestion must be considered both in terms of the 584 effect on the rest of the network over which packets are sent in UDP 585 tunnels, and in terms of the effect on the flows that are sent by 586 UDP tunnels. The potential impact of congestion from a UDP tunnel 587 depends upon what sort of traffic is carried over the tunnel, as 588 well as the path of the tunnel. 590 GRE encapsulation is widely used to carry a wide range of network 591 protocols and traffic. In many cases GRE encapsulation is used to 592 carry IP traffic. IP traffic is generally assumed to be congestion 593 controlled, and thus a tunnel carrying general IP traffic (as might 594 be expected to be carried across the Internet) generally does not 595 need additional congestion control mechanisms. As specified in RFC 596 5405: 598 "IP-based traffic is generally assumed to be congestion-controlled, 599 i.e., it is assumed that the transport protocols generating IP-based 600 traffic at the sender already employ mechanisms that are sufficient 601 to address congestion on the path. Consequently, a tunnel carrying 602 IP-based traffic should already interact appropriately with other 603 traffic sharing the path, and specific congestion control mechanisms 604 for the tunnel are not necessary." 606 For this reason, where GRE-in-UDP tunneling is used to carry IP 607 traffic that is known to be congestion controlled, the UDP tunnels 608 MAY be used within a single network or across multiple networks, 609 with cooperating network operators. Internet IP traffic is 610 generally assumed to be congestion-controlled. 612 However, GRE-in-UDP tunneling can be also used to carry traffic that 613 is not necessarily congestion controlled. In such cases network 614 operators may avoid congestion by careful provisioning of their 615 networks, by rate limiting of user data traffic, and/or by using 616 Traffic Engineering tools to monitor the network segments and 617 dynamically steers traffic away from potentially congested links. 619 For this reason, where the GRE payload traffic is not congestion 620 controlled, GRE-in-UDP tunnels MUST only be used within a single 621 operator's network that utilizes careful provisioning (e.g., rate 622 limiting at the entries of the network while over-provisioning 623 network capacity) to ensure against congestion, or within a limited 624 number of networks whose operators closely cooperate in order to 625 jointly provide this same careful provisioning. 627 As such, GRE-in-UDP MUST NOT be used over the general Internet, or 628 over non-cooperating network operators, to carry traffic that is not 629 congestion-controlled. 631 Measures SHOULD be taken to prevent non-congestion-controlled GRE- 632 in-UDP traffic from "escaping" to the general Internet, e.g.: 634 o Physical or logical isolation of the links carrying GRE-in-UDP 635 from the general Internet. 637 o Deployment of packet filters that block the UDP ports assigned 638 for GRE-in-UDP. 640 o Imposition of restrictions on GRE-in-UDP traffic by software 641 tools used to set up GRE-in-UDP tunnels between specific end 642 systems (as might be used within a single data center). 644 o Use of a "Managed Circuit Breaker" for the tunneled traffic as 645 described in [CB]. 647 7. Backward Compatibility 649 It is assumed that tunnel ingress routers must be upgraded in order 650 to support the encapsulations described in this document. 652 No change is required at transit routers to support forwarding of 653 the encapsulation described in this document. 655 If a router that is intended for use as a decapsulator does not 656 support or enable GRE-in-UDP encapsulation described in this 657 document, it will not be listening on destination port (TBD). In 658 these cases, the router will conform to normal UDP processing and 659 respond to an encapsulator with an ICMP message indicating "port 660 unreachable" according to [RFC792]. Upon receiving this ICMP 661 message, the node MUST NOT continue to use GRE-in-UDP encapsulation 662 toward this peer without management intervention. 664 8. IANA Considerations 666 IANA is requested to make the following allocation: 668 Service Name: GRE-in-UDP 669 Transport Protocol(s): UDP 670 Assignee: IESG 671 Contact: IETF Chair 672 Description: GRE-in-UDP Encapsulation 673 Reference: [This.I-D] 674 Port Number: TBD 675 Service Code: N/A 676 Known Unauthorized Uses: N/A 677 Assignment Notes: N/A 679 9. Security Considerations 681 9.1. Vulnerability 683 Neither UDP nor GRE encapsulation effects security for the payload 684 protocol. When using GRE-in-UDP, Network Security in a network is 685 mostly equivalent to that of a network using GRE. 687 Use of ICMP for signaling of the GRE-in-UDP encapsulation capability 688 adds a security concern. Upon receiving an ICMP message and before 689 taking an action on it, the ingress MUST validate the IP address 690 originating against tunnel egress address and MUST evaluate the 691 packet header returned in the ICMP payload to ensure the source port 692 is the one used for this tunnel. The mechanism for performing this 693 validation is out of the scope of this document. 695 In an instance where the UDP source port is not set based on the 696 flow invariant fields from the payload header, a random port SHOULD 697 be selected in order to minimize the vulnerability to off-path 698 attacks. [RFC6056]. The random port may also be periodically changed 699 to mitigate certain denial of service attacks. How the source port 700 randomization occurs is outside scope of this document. 702 Using one standardized value in UDP destination port for an 703 encapsulation indication may increase the vulnerability of off-path 704 attack. To overcome this, an alternate port may be agreed upon to 705 use between an encapsulator and decapsulator [RFC6056]. How the 706 encapsulator end points communicate the value is outside scope of 707 this document. 709 This document does not require that decapsulator validates the IP 710 source address of the tunneled packets (with the exception that the 711 IPv6 source address MUST be validated when UDP zero-checksum mode is 712 used with IPv6), but it should be understood that failure to do so 713 presupposes that there is effective destination-based (or a 714 combination of source-based and destination-based) filtering at the 715 boundaries. 717 10. Acknowledgements 719 Authors like to thank Vivek Kumar, Ron Bonica, Joe Touch, Ruediger 720 Geib, Lar Edds, Lloyd, and many others for their review and valuable 721 input on this draft. 723 Thank the design team led by David Black (members: Ross Callon, 724 Gorry Fairhurst, Xiaohu Xu, Lucy Yong) to efficiently work out the 725 descriptions for the congestion considerations and IPv6 UDP zero 726 checksum. 728 11. Contributors 730 The following people all contributed significantly to this document 731 and are listed below in alphabetical order: 733 David Black 734 EMC Corporation 735 176 South Street 736 Hopkinton, MA 01748 737 USA 739 Email: david.black@emc.com 741 Ross Callon 742 Juniper Networks 743 10 Technology Park Drive 744 Westford, MA 01886 745 USA 747 Email: rcallon@juniper.net 749 John E. Drake 750 Juniper Networks 752 Email: jdrake@juniper.net 754 Gorry Fairhurst 755 University of Aberdeen 757 Email: gorry@erg.abdn.ac.uk 759 Yongbing Fan 760 China Telecom 761 Guangzhou, China. 762 Phone: +86 20 38639121 764 Email: fanyb@gsta.com 766 Adrian Farrel 767 Juniper Networks 769 Email: adrian@olddog.co.uk 771 Vishwas Manral 772 Hewlett-Packard Corp. 773 3000 Hanover St, Palo Alto. 775 Email: vishwas.manral@hp.com 777 Carlos Pignataro 778 Cisco Systems 779 7200-12 Kit Creek Road 780 Research Triangle Park, NC 27709 USA 782 EMail: cpignata@cisco.com 784 12. References 786 12.1. Normative References 788 [RFC768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 789 August 1980. 791 [RFC1122] Braden, R., "Requirements for Internet Hosts -- 792 Communication Layers", RFC1122, October 1989. 794 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 795 Requirement Levels", BCP 14, RFC2119, March 1997. 797 [RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. 798 Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, 799 March 2000. 801 [RFC2890] Dommety, G., "Key and Sequence Number Extensions to GRE", 802 RFC2890, September 2000. 804 [RFC2983] Black, D., "Differentiated Services and Tunnels", RFC2983, 805 October 2000. 807 [RFC5405] Eggert, L., "Unicast UDP Usage Guideline for Application 808 Designers", RFC5405, November 2008. 810 [RFC6040] Briscoe, B., "Tunneling of Explicit Congestion 811 Notification", RFC6040, November 2010. 813 [RFC6438] Carpenter, B., Amante, S., "Using the IPv6 Flow Label for 814 Equal Cost Multipath Routing and Link Aggregation in 815 tunnels", RFC6438, November, 2011. 817 [RFC6935] Eubanks, M., Chimento, P., and M. Westerlund, "IPv6 and 818 UDP Checksums for Tunneled Packets", RFC 6935, April 2013. 820 [RFC6936] Fairhurst, G. and M. Westerlund, "Applicability Statement 821 for the Use of IPv6 UDP Datagrams with Zero Checksums", 822 RFC 6936, April 2013. 824 12.2. Informative References 826 [RFC792] Postel, J., "Internet Control Message Protocol", STD 5, RFC 827 792, September 1981. 829 [RFC793] DARPA, "Transmission Control Protocol", RFC793, September 830 1981. 832 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 833 (IPv6) Specification", RFC 2460, December 1998. 835 [RFC2914] Floyd, S.,"Congestion Control Principles", RFC2914, 836 September 2000. 838 [RFC3931] Lau, J., Townsley, M., and I. Goyret, "Layer Two Tunneling 839 Protocol - Version 3 (L2TPv3)", RFC 3931, March 2005. 841 [RFC4023] Worster, T., Rekhter, Y., and E. Rosen, "Encapsulating 842 MPLS in IP or Generic Routing Encapsulation (GRE)", RFC 843 4023, March 2005. 845 [RFC6056] Larsen, M. and Gont, F., "Recommendations for Transport- 846 Protocol Port Randomization", RFC6056, January 2011. 848 [GREIPV6] Pignataro, C., el al, "IPv6 Support for Generic Routing 849 Encapsulation (GRE)", draft-ietf-intarea-gre-ipv6-02, work 850 in progress. 852 [GREMTU] Bonica, R., "A Fragmentation Strategy for Generic Routing 853 Encapsulation (GRE)", draft-ietf-intarea-gre-mtu, work in 854 progress. 856 [CB] Fairhurst, G., "Network Transport Circuit Breakers", 857 draft-fairhurst-tsvwg-circuit-breaker-01, work in 858 progress. 860 13. Authors' Addresses 862 Edward Crabbe 864 Email: edward.crabbe@gmail.com 866 Lucy Yong 867 Huawei Technologies, USA 869 Email: lucy.yong@huawei.com 871 Xiaohu Xu 872 Huawei Technologies, 873 Beijing, China 875 Email: xuxiaohu@huawei.com 877 Tom Herbert 878 Google 879 1600 Amphitheatre Parkway 880 Mountain View, CA 881 Email : therbert@google.com