idnits 2.17.1 draft-ietf-tsvwg-gre-in-udp-encap-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 4, 2015) is 3190 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC6438' is defined on line 884, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 2983 ** Obsolete normative reference: RFC 6347 (Obsoleted by RFC 9147) -- Obsolete informational reference (is this intentional?): RFC 793 (Obsoleted by RFC 9293) -- Obsolete informational reference (is this intentional?): RFC 2460 (Obsoleted by RFC 8200) Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Network Working Group E. Crabbe 2 Internet-Draft 3 Intended status: Standard Track L. Yong 4 Huawei USA 5 X. Xu 6 Huawei Technologies 7 T. Herbert 8 Google 10 Expires: January 2015 July 4, 2015 12 GRE-in-UDP Encapsulation 13 draft-ietf-tsvwg-gre-in-udp-encap-07 15 Abstract 17 This document describes a method of encapsulating network protocol 18 packets within GRE and UDP headers. In this encapsulation, the 19 source UDP port can be used as an entropy field for purposes of load 20 balancing, while the protocol of the encapsulated packet in the GRE 21 payload is identified by the GRE Protocol Type. Usage restrictions 22 apply to GRE-in-UDP usage for traffic that is not congestion 23 controlled and to UDP zero checksum usage with IPv6. 25 Status of This Document 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six 36 months and may be updated, replaced, or obsoleted by other documents 37 at any time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on January 4, 2015. 42 Copyright Notice 44 Copyright (c) 2015 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with 52 respect to this document. Code Components extracted from this 53 document must include Simplified BSD License text as described in 54 Section 4.e of the Trust Legal Provisions and are provided without 55 warranty as described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction...................................................3 60 1.1. Applicability Statement...................................3 61 2. Terminology....................................................4 62 2.1. Requirements Language.....................................4 63 3. Encapsulation in UDP...........................................4 64 3.1. IP Header.................................................7 65 3.2. UDP Header................................................7 66 3.2.1. Source Port..........................................7 67 3.2.2. Destination Port.....................................7 68 3.2.3. Checksum.............................................7 69 3.2.4. Length...............................................8 70 3.3. GRE Header................................................8 71 4. Encapsulation Process Procedures...............................8 72 4.1. MTU and Fragmentation.....................................9 73 4.2. Differentiated Services..................................10 74 5. UDP Checksum Handling.........................................10 75 5.1. UDP Checksum with IPv4...................................10 76 5.2. UDP Checksum with IPv6...................................10 77 5.2.1. Middlebox Considerations............................14 78 6. Congestion Considerations.....................................14 79 7. Backward Compatibility........................................16 80 8. IANA Considerations...........................................16 81 9. Security Considerations.......................................17 82 10. Acknowledgements.............................................18 83 11. Contributors.................................................18 84 12. References...................................................20 85 12.1. Normative References....................................20 86 12.2. Informative References..................................21 87 13. Authors' Addresses...........................................21 89 1. Introduction 91 Load balancing, or more specifically statistical multiplexing of 92 traffic using Equal Cost Multi-Path (ECMP) and/or Link Aggregation 93 Groups (LAGs) in IP networks is a widely used technique for creating 94 higher capacity networks out of lower capacity links. Most existing 95 routers in IP networks are already capable of distributing IP 96 traffic flows over ECMP paths and/or LAGs on the basis of a hash 97 function performed on flow invariant fields in IP packet headers and 98 their payload protocol headers. Specifically, when the IP payload is 99 a User Datagram Protocol (UDP)[RFC768] or Transmission Control 100 Protocol (TCP) [RFC793] packet, router hash functions frequently 101 operate on the five-tuple of source IP address, destination IP 102 address, source port, destination port, and protocol/next-header 104 Several encapsulation techniques are commonly used in IP networks, 105 such as Generic Routing Encapsulation (GRE) [RFC2784], MPLS 106 [RFC4023] and L2TPv3 [RFC3931]. GRE is an increasingly popular 107 encapsulation choice. Unfortunately, use of common GRE endpoints may 108 reduce the entropy available for use in load balancing, especially 109 in environments where the GRE Key field [RFC2890] is not readily 110 available for use as entropy in forwarding decisions. 112 This document defines a generic GRE-in-UDP encapsulation for 113 tunneling network protocol packets across an IP network. The GRE 114 header provides payload protocol type as an EtherType in the 115 protocol type field [RFC2784][GREIPV6], and the UDP header provides 116 additional entropy by way of its source port. GRE-in-UDP offers the 117 additional possibility of using GRE across networks that might 118 otherwise disallow it; for instance GRE-in-UDP may be used to bridge 119 two islands where GRE is used natively across the Internet. 121 This encapsulation method requires no changes to the transit IP 122 network. Hash functions in most existing IP routers may utilize and 123 benefit from the use of a GRE-in-UDP tunnel without needing any 124 change or upgrade to their ECMP implementation. The encapsulation 125 mechanism is applicable to a variety of IP networks including Data 126 Center and wide area networks. 128 1.1. Applicability Statement 130 GRE encapsulation is widely used for many applications. For example, 131 to redirect IP traffic to traverse a different path instead of the 132 default path in an operator network, to tunnel private network 133 traffic over a public network by use of public IP network addresses, 134 to tunnel IPv6 traffic over an IPv4 network, tunnel Ethernet traffic 135 over IP networks, and etc. 137 When using GRE-in-UDP encapsulation, encapsulated traffic will be 138 treated as a UDP application in an IP network. Thus GRE-in-UDP 139 tunnel needs to meet UDP application guidelines specified in 140 [RFC5405bis], which constrains GRE-in-UDP tunnel usage. The concerns 141 of GRE-in-UDP as a UDP application are addressed in Section 5 and 6. 142 As a result, GRE-in-UDP encapsulation MUST be used when one of 143 following conditions is true: 145 1) Within a single operator network or networks of an adjacent set 146 of cooperating network operators where traffic is managed to 147 avoid congestion. 149 2) The payload type is IP or a type of network protocol that has 150 congestion control capability when the encapsulated traffic is 151 over the Internet. 153 GRE-in-UDP encapsulation may be used to encapsulate already tunneled 154 traffic, i.e. tunnel-in-tunnel. The tunneled traffic may use GRE-in- 155 UDP or other tunnel encapsulation. In this case, GRE-in-UDP tunnel 156 end points treat other tunnel endpoints as of the end hosts for the 157 traffic and do not differentiate such end hosts from other end hosts. 159 2. Terminology 161 The terms defined in [RFC768][RFC2784] are used in this document. 163 2.1. Requirements Language 165 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 166 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 167 document are to be interpreted as described in [RFC2119]. 169 3. Encapsulation in UDP 171 GRE-in-UDP encapsulation format is shown as follows: 173 0 1 2 3 174 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 176 IPv4 Header: 177 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 178 |Version| IHL |Type of Service| Total Length | 179 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 180 | Identification |Flags| Fragment Offset | 181 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 182 | Time to Live |Protcol=17(UDP)| Header Checksum | 183 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 184 | Source IPv4 Address | 185 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 186 | Destination IPv4 Address | 187 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 189 UDP Header: 190 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 191 | Source Port = XXXX | Dest Port = TBD | 192 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 193 | UDP Length | UDP Checksum | 194 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 196 GRE Header: 197 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 198 |C| |K|S| Reserved0 | Ver | Protocol Type | 199 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 200 | Checksum (optional) | Reserved1 (Optional) | 201 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 202 | Key (optional) | 203 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 204 | Sequence Number (optional) | 205 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 207 Figure 1 UDP+GRE Headers in IPv4 209 0 1 2 3 210 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 212 IPv6 Header: 213 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 214 |Version| Traffic Class | Flow Label | 215 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 216 | Payload Length | NxtHdr=17(UDP)| Hop Limit | 217 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 218 | | 219 + + 220 | | 221 + Outer Source IPv6 Address + 222 | | 223 + + 224 | | 225 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 226 | | 227 + + 228 | | 229 + Outer Destination IPv6 Address + 230 | | 231 + + 232 | | 233 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 235 UDP Header: 236 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 237 | Source Port = XXXX | Dest Port = TBD | 238 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 239 | UDP Length | UDP Checksum | 240 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 242 GRE Header: 243 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 244 |C| |K|S| Reserved0 | Ver | Protocol Type | 245 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 246 | Checksum (optional) | Reserved1 (Optional) | 247 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 248 | Key (optional) | 249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 250 | Sequence Number (optional) | 251 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 253 Figure 2 UDP+GRE Headers in IPv6 255 The contents of the IP, UDP, and GRE headers that are relevant in 256 this encapsulation are described below. 258 3.1. IP Header 260 An encapsulator MUST encode its own IP address as the source IP 261 address and the decapsulator's IP address as the destination IP 262 address. The TTL field in the IP header must be set to a value 263 appropriate for delivery of the encapsulated packet to the peer of 264 the encapsulation. 266 3.2. UDP Header 268 3.2.1. Source Port 270 The UDP source port contains a 16-bit entropy value that is 271 generated by the encapsulator to identify a flow for the 272 encapsulated packet. The port value SHOULD be within the ephemeral 273 port range. IANA suggests this range to be 49152 to 65535, where the 274 high order two bits of the port are set to one. This provides 275 fourteen bits of entropy for the inner flow identifier. In the case 276 that an encapsulator is unable to derive flow entropy from the 277 payload header, it should set a randomly selected constant value for 278 UDP source port to avoid payload packet flow reordering. 280 The source port value for a flow set by an encapsulator MAY change 281 over the lifetime of the encapsulated flow. For instance, an 282 encapsulator may change the assignment for Denial of Service (DOS) 283 mitigation or as a means to effect routing through the ECMP network. 284 An encapsulator SHOULD NOT change the source port selected for a 285 flow more than once every thirty seconds. 287 How an encapsulator generates entropy from the payload is outside 288 the scope of this document. 290 3.2.2. Destination Port 292 The destination port of the UDP header is set the GRE/UDP port (TBD) 293 (see Section 8). 295 3.2.3. Checksum 297 The UDP checksum is set and processed per [RFC768] and [RFC1122] for 298 IPv4, and [RFC2460] for IPv6. Requirements for checksum handling and 299 use of zero UDP checksums are detailed in Section 5. 301 3.2.4. Length 303 The usage of this field is in accordance with the current UDP 304 specification in [RFC768]. This length will include the UDP header 305 (eight bytes), GRE header, and the GRE payload (encapsulated packet). 307 3.3. GRE Header 309 An encapsulator sets the protocol type (EtherType) of the packet 310 being encapsulated in the GRE Protocol Type field. 312 An encapsulator may set the GRE Key Present, Sequence Number Present, 313 and Checksum Present bits and associated fields in the GRE header as 314 defined by [RFC2784] and [RFC2890]. 316 The GRE checksum MAY be enabled to protect the GRE header and 317 payload. An encapsulator SHOULD NOT enable both the GRE checksum and 318 UDP checksum simultaneously as this would be mostly redundant. Since 319 the UDP checksum covers more of the packet including the GRE header 320 and payload, the UDP checksum SHOULD have preference to using GRE 321 checksum. 323 An implementation MAY use the GRE keyid to authenticate the 324 encapsulator. In this model, a shared value is either configured or 325 negotiated between an encapsulator and decapsulator. When a 326 encapsulated packet is received with the keyid present, it is 327 checked to see if it is valid for the source to have set for the 328 tunnel packet was sent on. An implementation MAY enforce that a 329 keyid be used for source authentication on selected tunnels. When a 330 decapsulator determines a presented keyid is not valid for the 331 source to send or the keyid is absent and is considered required for 332 authenticating the encapsulator for a tunnel, the packet MUST be 333 dropped. 335 4. Encapsulation Process Procedures 337 The GRE-in-UDP encapsulation allows encapsulated packets to be 338 forwarded through "GRE-UDP tunnels". When performing GRE-in-UDP 339 encapsulation by the encapsulator, the entropy value would be 340 generated by the encapsulator and then be filled in the Source Port 341 field of the UDP header. The Destination Port field is set to a 342 value (TBD) allocated by IANA to indicate that the UDP tunnel 343 payload is a GRE packet. The Protocol Type header field in GRE 344 header is set to the EtherType value corresponding to the protocol 345 of the encapsulated packet. 347 Intermediate routers, upon receiving these UDP encapsulated packets, 348 could balance these packets based on the hash of the five-tuple of 349 UDP packets. 351 Upon receiving these UDP encapsulated packets, the decapsulator 352 would decapsulate them by removing the UDP and GRE headers and then 353 process them accordingly. 355 Note: Each UDP tunnel is unidirectional, as GRE-in-UDP traffic is 356 sent to the IANA-allocated UDP Destination Port, and in particular, 357 is never sent back to any port used as a UDP Source Port (which 358 serves solely as a source of entropy). This is at odds with a common 359 middlebox (e.g., firewall) assumption that bidirectional traffic 360 uses a common pair of UDP ports. As a result, arranging to pass 361 bidirectional GRE-in-UDP traffic through middleboxes may require 362 separate configuration for each direction of traffic. 364 GRE-in-UDP allows encapsulation of unicast, broadcast, or multicast 365 traffic. Entropy may be generated from the header of encapsulated 366 unicast or broadcast/multicast packets at an encapsulator. The 367 mapping mechanism between the encapsulated multicast traffic and the 368 multicast capability in the IP network is transparent and 369 independent to the encapsulation and is otherwise outside the scope 370 of this document. 372 To provide entropy for ECMP, GRE-in-UDP does not rely on GRE keep- 373 alive. It is RECOMMENED no use of GRE keep-alive in the GRE-in-UDP 374 tunnel. This aligns with middlebox traversal guidelines in Section 375 3.5 of [RFC5405bis]. 377 4.1. MTU and Fragmentation 379 Regarding fragmentation, an encapsulator SHOULD perform 380 fragmentation [GREMTU] on a packet before encapsulation and factor 381 in both GRE and UDP header bytes in the effective Maximum 382 Transmission Unit (MTU) size. Not performing the fragmentation will 383 cause the packets exceeding network MTU size to be dropped or 384 fragmented in the network. An encapsulator MUST use the same source 385 UDP port for all packet fragments to ensure that the transit routers 386 will forward the packet fragments on the same path. An operator 387 should factor in the additional bytes of overhead when considering 388 an MTU size for the payload to avoid the likelihood of fragmentation. 390 Fragmented packets MUST be reassembled at the decapsulator prior to 391 being sent to a (payload) application. Packet fragmentation and 392 reassembling process is outside the scope of the document. 394 4.2. Differentiated Services 396 To ensure that tunneled traffic gets the same treatment over the IP 397 network, prior to the encapsulation process, an encapsulator should 398 process the payload to get the proper parameters to fill into the IP 399 header such as DiffServ [RFC2983]. Encapsulation end points that 400 support ECN must use the method described in [RFC6040] for ECN 401 marking propagation. This process is outside of the scope of this 402 document. 404 5. UDP Checksum Handling 406 5.1. UDP Checksum with IPv4 408 For UDP in IPv4, the UDP checksum MUST be processed as specified in 409 [RFC768] and [RFC1122] for both transmit and receive. An 410 encapsulator MAY set the UDP checksum to zero for performance or 411 implementation considerations. The IPv4 header includes a checksum 412 which protects against mis-delivery of the packet due to corruption 413 of IP addresses. The UDP checksum potentially provides protection 414 against corruption of the UDP header, GRE header, and GRE payload. 415 Enabling or disabling the use of checksums is a deployment 416 consideration that should take into account the risk and effects of 417 packet corruption, and whether the packets in the network are 418 protected by other, possibly stronger mechanisms such as the 419 Ethernet CRC. 421 When a decapsulator receives a packet, the UDP checksum field MUST 422 be processed. If the UDP checksum is non-zero, the decapsulator MUST 423 verify the checksum before accepting the packet. By default a 424 decapsulator SHOULD accept UDP packets with a zero checksum. A node 425 MAY be configured to disallow zero checksums per [RFC1122]; this may 426 be done selectively, for instance disallowing zero checksums from 427 certain hosts that are known to be sending over paths subject to 428 packet corruption. If verification of a non-zero checksum fails, a 429 decapsulator lacks the capability to verify a non-zero checksum, or 430 a packet with a zero-checksum was received and the decapsulator is 431 configured to disallow, the packet MUST be dropped and an event MAY 432 be logged. 434 5.2. UDP Checksum with IPv6 436 For UDP in IPv6, the UDP checksum MUST be processed as specified in 437 [RFC768] and [RFC2460] for both transmit and receive. 439 When UDP is used over IPv6, the UDP checksum is relied upon to 440 protect both the IPv6 and UDP headers from corruption, and so MUST 441 used with the following exceptions: 443 a. Use of GRE-in-UDP in networks under single administrative 444 control (such as within a single operator's network) where it 445 is known (perhaps through knowledge of equipment types and 446 lower layer checks) that packet corruption is exceptionally 447 unlikely and where the operator is willing to take the risk of 448 undetected packet corruption. 450 b. Use of GRE-in-UDP in networks under single administrative 451 control (such as within a single operator's network) where it 452 is judged through observational measurements (perhaps of 453 historic or current traffic flows that use a non-zero checksum) 454 that the level of packet corruption is tolerably low and where 455 the operator is willing to take the risk of undetected packet 456 corruption. 458 c. Use of GRE-in-UDP for traffic delivery for applications that 459 are tolerant of mis-delivered or corrupted packets (perhaps 460 through higher layer checksum, validation, and retransmission 461 or transmission redundancy) where the operator is willing to 462 rely on the applications using the tunnel to survive any 463 corrupt packets. 465 For these exceptions, the UDP zero-checksum mode can be used. 466 However the use of the UDP zero-checksum mode must meet the 467 requirements specified in [RFC6935] and [RFC6936] as well at the 468 additional requirements stated below. 470 These exceptions may also be extended to the use of GRE-in-UDP 471 within a set of closely cooperating network administrations (such as 472 network operators who have agreed to work together in order to 473 jointly provide specific services). 475 As such, for IPv6, the UDP checksum for GRE-in-UDP MUST be used as 476 specified in [RFC768] and [RFC2460] for tunnels that span multiple 477 networks whose network administrations do not cooperate closely, 478 even if each non-cooperating network administration independently 479 satisfies one or more of the exceptions for UDP zero-checksum mode 480 usage with GRE-in-UDP over IPv6. 482 The following additional requirements apply to implementation and 483 use of UDP zero-checksum mode for GRE-in-UDP over IPv6: 485 a. Use of the UDP checksum with IPv6 MUST be the default 486 configuration of all GRE-in-UDP implementations. 488 b. The GRE-in-UDP implementation MUST comply with all requirements 489 specified in Section 4 of [RFC6936] and with requirement 1 490 specified in Section 5 of [RFC6936]. 492 c. By default a decapsulator MUST disallow receipt of GRE-in-UDP 493 packets with zero UDP checksums with IPv6. Zero checksums May 494 selectively be enabled for certain source address. A decapsulator 495 MUST check that the source and destination IPv6 addresses are 496 valid for the GRE-in-UDP tunnel on which the packet was received 497 if that tunnel uses UDP zero-checksum mode and discard any packet 498 for which this check fails. 500 d. An encapsulator SHOULD use different IPv6 addresses for each GRE- 501 in-UDP tunnel that uses UDP zero-checksum mode regardless of the 502 decapsulator in order to strengthen the decapsulator's check of 503 the IPv6 source address (i.e., the same IPv6 source address 504 SHOULD NOT be used with more than one IPv6 destination address, 505 independent of whether that destination address is a unicast or 506 multicast address). When this is not possible, it is RECOMMENDED 507 to use each source IPv6 address for as few UDP zero-checksum mode 508 GRE-in-UDP tunnels as is feasible. 510 e. Any middlebox support for GRE-in-UDP with UDP zero-checksum mode 511 for IPv6 MUST comply with requirements 1 and 8-10 in Section 5 of 512 [RFC6936].[RFC6936]. 514 f. Measures SHOULD be taken to prevent IPv6 traffic with zero UDP 515 checksums from "escaping" to the general Internet; see Section 6 516 for examples of such measures. 518 g. IPv6 traffic with zero UDP checksums MUST be actively monitored 519 for errors by the network operator. 521 h. If a packet with a non-zero checksum is received, the checksum 522 MUST be verified before accepting the packet. This is regardless 523 of whether a tunnel encapsulator and decapsulator have been 524 configured with UDP zero-checksum mode. 526 The above requirements do not change either the requirements 527 specified in [RFC2460] as modified by [RFC6935] or the requirements 528 specified in [RFC6936]. 530 The requirement to check the source IPv6 address in addition to the 531 destination IPv6 address, plus the strong recommendation against 532 reuse of source IPv6 addresses among GRE-in-UDP tunnels collectively 533 provide some mitigation for the absence of UDP checksum coverage of 534 the IPv6 header. Additional assurance is provided by the 535 restrictions in the above exceptions that limit usage of IPv6 UDP 536 zero-checksum mode to well-managed networks for which GRE 537 encapsulated packet corruption has not been a problem in practice. 539 Hence GRE-in-UDP is suitable for transmission over lower layers in 540 the well-managed networks that are allowed by the exceptions stated 541 above and the rate of corruption of the inner IP packet on such 542 networks is not expected to increase by comparison to GRE traffic 543 that is not encapsulated in UDP. For these reasons, GRE-in-UDP does 544 not provide an additional integrity check except when GRE checksum 545 is used when UDP zero-checksum mode is used with IPv6, and this 546 design is in accordance with requirements 2, 3 and 5 specified in 547 Section 5 of [RFC6936]. 549 GRE does not accumulate incorrect state as a consequence of GRE 550 header corruption. A corrupt GRE results in either packet discard or 551 forwarding of the packet without accumulation of GRE state. GRE 552 checksum MAY be used for protecting GRE header and payload. Active 553 monitoring of GRE-in-UDP traffic for errors is REQUIRED as 554 occurrence of errors will result in some accumulation of error 555 information outside the protocol for operational and management 556 purposes. This design is in accordance with requirement 4 specified 557 in Section 5 of [RFC6936]. 559 The remaining requirements specified in Section 5 of [RFC6936] are 560 inapplicable to GRE-in-UDP. Requirements 6 and 7 do not apply 561 because GRE does not have a GRE-generic control feedback mechanism. 562 Requirements 8-10 are middlebox requirements that do not apply to 563 GRE-in-UDP tunnel endpoints, but see Section 5.2.1 for further 564 middle box discussion. 566 It is worth to mention that the use of a zero UDP checksum should 567 present the equivalent risk of undetected packet corruption when 568 sending similar packet using GRE-in-IPv6 without UDP and without GRE 569 checksums. 571 In summary, UDP zero-checksum mode for IPv6 is allowed to be used 572 with GRE-in-UDP when one of the three exceptions specified above 573 applies, provided that additional requirements stated above are 574 complied with. Otherwise the UDP checksum MUST be used for IPv6 as 575 specified in [RFC768] and [RFC2460]. Use of GRE checksum favors non- 576 use of the UDP checksum. 578 5.2.1. Middlebox Considerations 580 IPv6 datagrams with a zero UDP checksum will not be passed by any 581 middlebox that validates the checksum based on [RFC2460] or that 582 updates the UDP checksum field, such as NATs or firewalls. Changing 583 this behavior would require such middleboxes to be updated to 584 correctly handle datagrams with zero UDP checksums. The GRE-in-UDP 585 encapsulation does not provide a mechanism to safely fall back to 586 using a checksum when a path change occurs redirecting a tunnel over 587 a path that includes a middlebox that discards IPv6 datagrams with a 588 zero UDP checksum. In this case the GRE-in-UDP tunnel will be 589 black-holed by that middlebox. Recommended changes to allow 590 firewalls, NATs and other middleboxes to support use of an IPv6 zero 591 UDP checksum are described in Section 5 of [RFC6936]. 593 6. Congestion Considerations 595 Section 3.1.7 of [RFC5405bis] discussed the congestion implications 596 of UDP tunnels. As discussed in [RFC5405bis], because other flows 597 can share the path with one or more UDP tunnels, congestion control 598 [RFC2914] needs to be considered. 600 A major motivation for GRE-in-UDP encapsulation is to tunnel a 601 network protocol over IP network and improve the use of multipath 602 (such as ECMP) in cases where traffic is to traverse routers which 603 are able to hash on UDP Port and IP address. As such, in many cases 604 this may reduce the occurrence of congestion and improve usage of 605 available network capacity. However, it is also necessary to ensure 606 that the network, including applications that use the network, 607 responds appropriately in more difficult cases, such as when link or 608 equipment failures have reduced the available capacity. 610 The impact of congestion must be considered both in terms of the 611 effect on the rest of the network over which packets are sent in UDP 612 tunnels, and in terms of the effect on the flows that are sent by 613 UDP tunnels. The potential impact of congestion from a UDP tunnel 614 depends upon what sort of traffic is carried over the tunnel, as 615 well as the path of the tunnel. 617 GRE encapsulation is widely used to carry a wide range of network 618 protocols and traffic. In many cases GRE encapsulation is used to 619 carry IP traffic. IP traffic is generally assumed to be congestion 620 controlled, and thus a tunnel carrying general IP traffic (as might 621 be expected to be carried across the Internet) generally does not 622 need additional congestion control mechanisms. As specified in RFC 623 5405: 625 "IP-based traffic is generally assumed to be congestion-controlled, 626 i.e., it is assumed that the transport protocols generating IP-based 627 traffic at the sender already employ mechanisms that are sufficient 628 to address congestion on the path. Consequently, a tunnel carrying 629 IP-based traffic should already interact appropriately with other 630 traffic sharing the path, and specific congestion control mechanisms 631 for the tunnel are not necessary." 633 For this reason, where GRE-in-UDP tunneling is used to carry IP 634 traffic that is known to be congestion controlled, the UDP tunnels 635 MAY be used within a single network or across multiple networks, 636 with cooperating network operators. Internet IP traffic is 637 generally assumed to be congestion-controlled. 639 However, GRE-in-UDP tunneling can be also used to carry traffic that 640 is not necessarily congestion controlled. In such cases network 641 operators may avoid congestion by careful provisioning of their 642 networks, by rate limiting of user data traffic, and/or by using 643 Traffic Engineering tools to monitor the network segments and 644 dynamically steers traffic away from potentially congested links. 646 For this reason, where the GRE payload traffic is not congestion 647 controlled, GRE-in-UDP tunnels MUST only be used within a single 648 operator's network that utilizes careful provisioning (e.g., rate 649 limiting at the entries of the network while over-provisioning 650 network capacity) to ensure against congestion, or within a limited 651 number of networks whose operators closely cooperate in order to 652 jointly provide this same careful provisioning. 654 As such, GRE-in-UDP MUST NOT be used over the general Internet, or 655 over non-cooperating network operators, to carry traffic that is not 656 congestion-controlled. 658 Measures SHOULD be taken to prevent non-congestion-controlled GRE- 659 in-UDP traffic from "escaping" to the general Internet, e.g.: 661 o Physical or logical isolation of the links carrying GRE-in-UDP 662 from the general Internet. 664 o Deployment of packet filters that block the UDP ports assigned 665 for GRE-in-UDP. 667 o Imposition of restrictions on GRE-in-UDP traffic by software 668 tools used to set up GRE-in-UDP tunnels between specific end 669 systems (as might be used within a single data center). 671 o Use of a "Managed Circuit Breaker" for the tunneled traffic as 672 described in [CB]. 674 7. Backward Compatibility 676 It is assumed that tunnel ingress routers must be upgraded in order 677 to support the encapsulations described in this document. 679 No change is required at transit routers to support forwarding of 680 the encapsulation described in this document. 682 If a router that is intended for use as a decapsulator does not 683 support or enable GRE-in-UDP encapsulation described in this 684 document, it will not be listening on destination port (TBD). In 685 these cases, the router will conform to normal UDP processing and 686 respond to an encapsulator with an ICMP message indicating "port 687 unreachable" according to [RFC792]. Upon receiving this ICMP 688 message, the node MUST NOT continue to use GRE-in-UDP encapsulation 689 toward this peer without management intervention. 691 8. IANA Considerations 693 IANA is requested to make the following allocations: 695 One UDP destination port number for the indication of GRE 697 Service Name: GRE-in-UDP 698 Transport Protocol(s): UDP 699 Assignee: IESG 700 Contact: IETF Chair 701 Description: GRE-in-UDP Encapsulation 702 Reference: [This.I-D] 703 Port Number: TBD 704 Service Code: N/A 705 Known Unauthorized Uses: N/A 706 Assignment Notes: N/A 708 One UDP destination port number for the indication of GRE with DTLS 710 Service Name: GRE-UDP-DTLS 711 Transport Protocol(s): UDP 712 Assignee: IESG 713 Contact: IETF Chair 714 Description: GRE-in-UDP Encapsulation with DTLS 715 Reference: [This.I-D] 716 Port Number: TBD 717 Service Code: N/A 718 Known Unauthorized Uses: N/A 719 Assignment Notes: N/A 721 9. Security Considerations 723 UDP and GRE encapsulation does not effect security for the payload 724 protocol. When using GRE-in-UDP, Network Security in a network is 725 mostly equivalent to that of a network using GRE. 727 Datagram Transport Layer Security (DTLS) [RFC6347] can be used for 728 application security and can preserve network and transport layer 729 protocol information. Specifically, if DTLS is used to secure the 730 GRE-in-UDP tunnel, the destination port of the UDP header MUST be 731 set to an IANA-assigned value (TBD2) indicating GRE-in-UDP with DTLS, 732 and that UDP port MUST NOT be used for other traffic. The UDP 733 source port field can still be used to add entropy, e.g., for load- 734 sharing purposes. DTLS usage is limited to a single DTLS session 735 for any specific tunnel encapsulator/ decapsulator pair (identified 736 by source and destination IP addresses). Both IP addresses MUST be 737 unicast addresses - multicast traffic is not supported when DTLS is 738 used. A GRE-in-UDP tunnel decapsulator implementation that supports 739 DTLS is expected to be able to establish DTLS sessions with multiple 740 tunnel encapsulators, and likewise an GRE-in-UDP tunnel encapsulator 741 implementation is expected to be able to establish DTLS sessions 742 with multiple decapsulators (although different source and/or 743 destination IP addresses may be involved -see Section 5.2 for 744 discussion of one situation where use of different source IP 745 addresses is important). 747 Use of ICMP for signaling of the GRE-in-UDP encapsulation capability 748 adds a security concern. Upon receiving an ICMP message and before 749 taking an action on it, the ingress MUST validate the IP address 750 originating against tunnel egress address and MUST evaluate the 751 packet header returned in the ICMP payload to ensure the source port 752 is the one used for this tunnel. The mechanism for performing this 753 validation is out of the scope of this document. 755 In an instance where the UDP source port is not set based on the 756 flow invariant fields from the payload header, a random port SHOULD 757 be selected in order to minimize the vulnerability to off-path 758 attacks. [RFC6056]. The random port may also be periodically changed 759 to mitigate certain denial of service attacks. How the source port 760 randomization occurs is outside scope of this document. 762 Using one standardized value in UDP destination port for an 763 encapsulation indication may increase the vulnerability of off-path 764 attack. To overcome this, an alternate port may be agreed upon to 765 use between an encapsulator and decapsulator [RFC6056]. How the 766 encapsulator end points communicate the value is outside scope of 767 this document. 769 This document does not require that decapsulator validates the IP 770 source address of the tunneled packets (with the exception that the 771 IPv6 source address MUST be validated when UDP zero-checksum mode is 772 used with IPv6), but it should be understood that failure to do so 773 presupposes that there is effective destination-based (or a 774 combination of source-based and destination-based) filtering at the 775 boundaries. 777 Corruption of GRE header can cause a privacy and security concern 778 for some applications that rely on the key field for traffic 779 segregation. When GRE key field is used for privacy and security, 780 ether UDP checksum or GRE checksum SHOULD be used for GRE-in-UDP 781 with both IPv4 and IPv6, and in particular, when UDP zero-checksum 782 mode is used, GRE checksum SHOULD be used. 784 10. Acknowledgements 786 Authors like to thank Vivek Kumar, Ron Bonica, Joe Touch, Ruediger 787 Geib, Lar Edds, Lloyd, and many others for their review and valuable 788 input on this draft. 790 Thank the design team led by David Black (members: Ross Callon, 791 Gorry Fairhurst, Xiaohu Xu, Lucy Yong) to efficiently work out the 792 descriptions for the congestion considerations and IPv6 UDP zero 793 checksum. 795 11. Contributors 797 The following people all contributed significantly to this document 798 and are listed below in alphabetical order: 800 David Black 801 EMC Corporation 802 176 South Street 803 Hopkinton, MA 01748 804 USA 806 Email: david.black@emc.com 808 Ross Callon 809 Juniper Networks 810 10 Technology Park Drive 811 Westford, MA 01886 812 USA 814 Email: rcallon@juniper.net 816 John E. Drake 817 Juniper Networks 819 Email: jdrake@juniper.net 821 Gorry Fairhurst 822 University of Aberdeen 824 Email: gorry@erg.abdn.ac.uk 826 Yongbing Fan 827 China Telecom 828 Guangzhou, China. 829 Phone: +86 20 38639121 831 Email: fanyb@gsta.com 833 Adrian Farrel 834 Juniper Networks 836 Email: adrian@olddog.co.uk 838 Vishwas Manral 839 Hewlett-Packard Corp. 840 3000 Hanover St, Palo Alto. 842 Email: vishwas.manral@hp.com 844 Carlos Pignataro 845 Cisco Systems 846 7200-12 Kit Creek Road 847 Research Triangle Park, NC 27709 USA 849 EMail: cpignata@cisco.com 851 12. References 853 12.1. Normative References 855 [RFC768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 856 August 1980. 858 [RFC1122] Braden, R., "Requirements for Internet Hosts -- 859 Communication Layers", RFC1122, October 1989. 861 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 862 Requirement Levels", BCP 14, RFC2119, March 1997. 864 [RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. 865 Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, 866 March 2000. 868 [RFC2890] Dommety, G., "Key and Sequence Number Extensions to GRE", 869 RFC2890, September 2000. 871 [RFC2983] Black, D., "Differentiated Services and Tunnels", RFC2983, 872 October 2000. 874 [RFC5405bis] Eggert, L., "Unicast UDP Usage Guideline for 875 Application Designers", draft-ietf-tsvwg-rfc5405bis, work 876 in progress. 878 [RFC6040] Briscoe, B., "Tunneling of Explicit Congestion 879 Notification", RFC6040, November 2010. 881 [RFC6347] Rescoria, E., Modadugu, N., "Datagram Transport Layer 882 Security Version 1.2", RFC6347, 2012. 884 [RFC6438] Carpenter, B., Amante, S., "Using the IPv6 Flow Label for 885 Equal Cost Multipath Routing and Link Aggregation in 886 tunnels", RFC6438, November, 2011. 888 [RFC6935] Eubanks, M., Chimento, P., and M. Westerlund, "IPv6 and 889 UDP Checksums for Tunneled Packets", RFC 6935, April 2013. 891 [RFC6936] Fairhurst, G. and M. Westerlund, "Applicability Statement 892 for the Use of IPv6 UDP Datagrams with Zero Checksums", 893 RFC 6936, April 2013. 895 12.2. Informative References 897 [RFC792] Postel, J., "Internet Control Message Protocol", STD 5, RFC 898 792, September 1981. 900 [RFC793] DARPA, "Transmission Control Protocol", RFC793, September 901 1981. 903 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 904 (IPv6) Specification", RFC 2460, December 1998. 906 [RFC2914] Floyd, S.,"Congestion Control Principles", RFC2914, 907 September 2000. 909 [RFC3931] Lau, J., Townsley, M., and I. Goyret, "Layer Two Tunneling 910 Protocol - Version 3 (L2TPv3)", RFC 3931, March 2005. 912 [RFC4023] Worster, T., Rekhter, Y., and E. Rosen, "Encapsulating 913 MPLS in IP or Generic Routing Encapsulation (GRE)", RFC 914 4023, March 2005. 916 [RFC6056] Larsen, M. and Gont, F., "Recommendations for Transport- 917 Protocol Port Randomization", RFC6056, January 2011. 919 [GREMTU] Bonica, R., "A Fragmentation Strategy for Generic Routing 920 Encapsulation (GRE)", draft-ietf-intarea-gre-mtu, work in 921 progress. 923 [CB] Fairhurst, G., "Network Transport Circuit Breakers", 924 draft-fairhurst-tsvwg-circuit-breaker-01, work in 925 progress. 927 [GREIPV6] Pignataro, C., Bonica, R., Krishnan, S., "IPv6 Support for 928 Generic Routing Encapsulation (GRE)", draft-ietf-intarea- 929 gre-ipv6, work in progress. 931 13. Authors' Addresses 933 Edward Crabbe 935 Email: edward.crabbe@gmail.com 937 Lucy Yong 938 Huawei Technologies, USA 940 Email: lucy.yong@huawei.com 942 Xiaohu Xu 943 Huawei Technologies, 944 Beijing, China 946 Email: xuxiaohu@huawei.com 948 Tom Herbert 949 Google 950 1600 Amphitheatre Parkway 951 Mountain View, CA 952 Email : tom@herbertland.com