2 Transport Area Working Group L. Eggert 3 Internet-Draft NetApp 4 Obsoletes: 5405 (if approved) G. Fairhurst 5 Intended status: Best Current Practice University of Aberdeen 6 Expires: September 17, 2016 G. Shepherd 7 Cisco Systems 8 March 16, 2016 10 UDP Usage Guidelines 11 draft-ietf-tsvwg-rfc5405bis-09 13 Abstract 15 The User Datagram Protocol (UDP) provides a minimal message-passing 16 transport that has no inherent congestion control mechanisms. This 17 document provides guidelines on the use of UDP for the designers of 18 applications, tunnels and other protocols that use UDP. Congestion 19 control guidelines are a primary focus, but the document also 20 provides guidance on other topics, including message sizes, 21 reliability, checksums, middlebox traversal, the use of ECN, DSCPs, 22 and ports.
24 Because congestion control is critical to the stable operation of the 25 Internet, applications and other protocols that choose to use UDP as 26 an Internet transport must employ mechanisms to prevent congestion 27 collapse and to establish some degree of fairness with concurrent 28 traffic. They may also need to implement additional mechanisms, 29 depending on how they use UDP. 31 Some guidance is also applicable to the design of other protocols 32 (e.g., protocols layered directly on IP or via IP-based tunnels), 33 especially when these protocols do not themselves provide congestion 34 control. 36 If published as an RFC, this document will obsolete RFC5405. 38 Status of This Memo 40 This Internet-Draft is submitted in full conformance with the 41 provisions of BCP 78 and BCP 79. 43 Internet-Drafts are working documents of the Internet Engineering 44 Task Force (IETF). Note that other groups may also distribute 45 working documents as Internet-Drafts. The list of current Internet- 46 Drafts is at http://datatracker.ietf.org/drafts/current/. 48 Internet-Drafts are draft documents valid for a maximum of six months 49 and may be updated, replaced, or obsoleted by other documents at any 50 time. It is inappropriate to use Internet-Drafts as reference 51 material or to cite them other than as "work in progress." 53 This Internet-Draft will expire on September 17, 2016. 55 Copyright Notice 57 Copyright (c) 2016 IETF Trust and the persons identified as the 58 document authors. All rights reserved. 60 This document is subject to BCP 78 and the IETF Trust's Legal 61 Provisions Relating to IETF Documents 62 (http://trustee.ietf.org/license-info) in effect on the date of 63 publication of this document. Please review these documents 64 carefully, as they describe your rights and restrictions with respect 65 to this document. Code Components extracted from this document must 66 include Simplified BSD License text as described in Section 4.e of 67 the Trust Legal Provisions and are provided without warranty as 68 described in the Simplified BSD License. 70 Table of Contents 72 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 73 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 74 3. UDP Usage Guidelines . . . . . . . . . . . . . . . . . . . . 5 75 3.1. Congestion Control Guidelines . . . . . . . . . . . . . . 6 76 3.2. Message Size Guidelines . . . . . . . . . . . . . . . . . 17 77 3.3. Reliability Guidelines . . . . . . . . . . . . . . . . . 18 78 3.4. Checksum Guidelines . . . . . . . . . . . . . . . . . . . 19 79 3.5. Middlebox Traversal Guidelines . . . . . . . . . . . . . 23 80 3.6. Limited Applicability and Controlled Environments . . . . 25 81 4. Multicast UDP Usage Guidelines . . . . . . . . . . . . . . . 26 82 4.1. Multicast Congestion Control Guidelines . . . . . . . . . 27 83 4.2. Message Size Guidelines for Multicast . . . . . . . . . . 29 84 5. Programming Guidelines . . . . . . . . . . . . . . . . . . . 29 85 5.1. Using UDP Ports . . . . . . . . . . . . . . . . . . . . . 31 86 5.2. ICMP Guidelines . . . . . . . . . . . . . . . . . . . . . 34 87 6. Security Considerations . . . . . . . . . . . . . . . . . . . 35 88 7. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 89 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 90 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 39 91 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 39 92 10.1. Normative References . . . . . . . . . . . . . . . . 
. . 39 93 10.2. Informative References . . . . . . . . . . . . . . . . . 41 94 Appendix A. Case Study of the Use of IPv6 UDP Zero-Checksum Mode 49 95 Appendix B. Revision Notes . . . . . . . . . . . . . . . . . . . 50 96 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 54 98 1. Introduction 100 The User Datagram Protocol (UDP) [RFC0768] provides a minimal, 101 unreliable, best-effort, message-passing transport to applications 102 and other protocols (such as tunnels) that desire to operate over 103 UDP. Both are simply called "applications" in the remainder of this 104 document. 106 Compared to other transport protocols, UDP and its UDP-Lite variant 107 [RFC3828] are unique in that they do not establish end-to-end 108 connections between communicating end systems. UDP communication 109 consequently does not incur connection establishment and teardown 110 overheads, and there is minimal associated end system state. Because 111 of these characteristics, UDP can offer a very efficient 112 communication transport to some applications. 114 A second unique characteristic of UDP is that it provides no inherent 115 congestion control mechanisms. On many platforms, applications can 116 send UDP datagrams at the line rate of the platform's link interface, 117 which is often much greater than the available end-to-end path 118 capacity, and doing so contributes to congestion along the path. 119 [RFC2914] describes the best current practice for congestion control 120 in the Internet. It identifies two major reasons why congestion 121 control mechanisms are critical for the stable operation of the 122 Internet: 124 1. The prevention of congestion collapse, i.e., a state where an 125 increase in network load results in a decrease in useful work 126 done by the network. 128 2. The establishment of a degree of fairness, i.e., allowing 129 multiple flows to share the capacity of a path reasonably 130 equitably. 132 Because UDP itself provides no congestion control mechanisms, it is 133 up to the applications that use UDP for Internet communication to 134 employ suitable mechanisms to prevent congestion collapse and 135 establish a degree of fairness. [RFC2309] discusses the dangers of 136 congestion-unresponsive flows and states that "all UDP-based 137 streaming applications should incorporate effective congestion 138 avoidance mechanisms." This is an important requirement, even for 139 applications that do not use UDP for streaming. In addition, 140 congestion-controlled transmission is of benefit to an application 141 itself, because it can reduce self-induced packet loss, minimize 142 retransmissions, and hence reduce delays. Congestion control is 143 essential even at relatively slow transmission rates. For example, 144 an application that generates five 1500-byte UDP datagrams in one 145 second can already exceed the capacity of a 56 Kb/s path. For 146 applications that can operate at higher, potentially unbounded data 147 rates, congestion control becomes vital to prevent congestion 148 collapse and establish some degree of fairness. Section 3 describes 149 a number of simple guidelines for the designers of such applications. 151 A UDP datagram is carried in a single IP packet and is hence limited 152 to a maximum payload of 65,507 bytes for IPv4 and 65,527 bytes for 153 IPv6. The transmission of large IP packets usually requires IP 154 fragmentation. Fragmentation decreases communication reliability and 155 efficiency and should be avoided. 
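As an illustration of the limits just described, the maximum payload values follow directly from the 16-bit length fields of the IP and UDP headers. The following sketch (Python is used here purely for illustration) shows the arithmetic, assuming an IPv4 header without options:

   UDP_HEADER = 8       # fixed UDP header size (bytes)
   IPV4_HEADER = 20     # minimum IPv4 header, no options

   # IPv4: the 16-bit Total Length field covers the IP header too.
   max_payload_v4 = 65535 - IPV4_HEADER - UDP_HEADER   # 65507 bytes

   # IPv6: the 16-bit Payload Length field excludes the 40-byte IPv6
   # header, so only the UDP header is subtracted.
   max_payload_v6 = 65535 - UDP_HEADER                 # 65527 bytes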
IPv6 allows the option of 156 transmitting large packets ("jumbograms") without fragmentation when 157 all link layers along the path support this [RFC2675]. Some of the 158 guidelines in Section 3 describe how applications should determine 159 appropriate message sizes. Other sections of this document provide 160 guidance on reliability, checksums, middlebox traversal and use of 161 multicast. 163 This document provides guidelines and recommendations. Although most 164 UDP applications are expected to follow these guidelines, there do 165 exist valid reasons why a specific application may decide not to 166 follow a given guideline. In such cases, it is RECOMMENDED that 167 application designers cite the respective section(s) of this document 168 in the technical specification of their application or protocol and 169 explain their rationale for their design choice. 171 [RFC5405] was scoped to provide guidelines for unicast applications 172 only, whereas this document also provides guidelines for UDP flows 173 that use IP anycast, multicast, broadcast, and applications that use 174 UDP tunnels to support IP flows. 176 Finally, although this document specifically refers to usage of UDP, 177 the spirit of some of its guidelines also applies to other message- 178 passing applications and protocols (specifically on the topics of 179 congestion control, message sizes, and reliability). Examples 180 include signaling, tunnel, or control applications that choose to run 181 directly over IP by registering their own IP protocol number with 182 IANA. This document is expected to provide useful background reading 183 to the designers of such applications and protocols. 185 2. Terminology 187 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 188 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 189 "OPTIONAL" in this document are to be interpreted as described in 190 [RFC2119]. 192 3. UDP Usage Guidelines 194 Internet paths can have widely varying characteristics, including 195 transmission delays, available bandwidths, congestion levels, 196 reordering probabilities, supported message sizes, and loss rates. 197 Furthermore, the same Internet path can have very different 198 conditions over time. Consequently, applications that may be used on 199 the Internet MUST NOT make assumptions about specific path 200 characteristics. They MUST instead use mechanisms that let them 201 operate safely under very different path conditions. Typically, this 202 requires conservatively probing the current conditions of the 203 Internet path they communicate over to establish a transmission 204 behavior that the path can sustain and that is reasonably fair to other 205 traffic sharing the path. 207 These mechanisms are difficult to implement correctly. For most 208 applications, the use of one of the existing IETF transport protocols 209 is the simplest method of acquiring the required mechanisms. Doing 210 so also avoids issues that protocols using a new IP protocol number 211 face when being deployed over the Internet, where middleboxes that 212 only support TCP and UDP are not rare.
Consequently, the RECOMMENDED 213 alternative to the UDP usage described in the remainder of this 214 section is the use of an IETF transport protocol such as TCP 215 [RFC0793], Stream Control Transmission Protocol (SCTP) [RFC4960], and 216 SCTP Partial Reliability Extension (SCTP-PR) [RFC3758], or Datagram 217 Congestion Control Protocol (DCCP) [RFC4340] with its different 218 congestion control types [RFC4341][RFC4342][RFC5622]. 220 If used correctly, these more fully-featured transport protocols are 221 not as "heavyweight" as often claimed. For example, the TCP 222 algorithms have been continuously improved over decades, and have 223 reached a level of efficiency and correctness that custom 224 application-layer mechanisms will struggle to easily duplicate. In 225 addition, many TCP implementations allow connections to be tuned by 226 an application to suit its purposes. For example, TCP's "Nagle" algorithm 227 [RFC0896] can be disabled, improving communication latency at the 228 expense of more frequent -- but still congestion-controlled -- packet 229 transmissions. Another example is the TCP SYN cookie mechanism 230 [RFC4987], which is available on many platforms. TCP with SYN 231 cookies does not require a server to maintain per-connection state 232 until the connection is established. TCP also requires the end that 233 closes a connection to maintain the TIME-WAIT state that prevents 234 delayed segments from one connection instance from interfering with a 235 later one. Applications that are aware of and designed for this 236 behavior can shift maintenance of the TIME-WAIT state to conserve 237 resources by controlling which end closes a TCP connection [FABER]. 238 Finally, TCP's built-in capacity-probing and awareness of the maximum 239 transmission unit supported by the path (PMTU) results in efficient 240 data transmission that quickly compensates for the initial connection 241 setup delay, in the case of transfers that exchange more than a few 242 segments. 244 3.1. Congestion Control Guidelines 246 If an application or protocol chooses not to use a congestion- 247 controlled transport protocol, it SHOULD control the rate at which it 248 sends UDP datagrams to a destination host, in order to fulfill the 249 requirements of [RFC2914]. It is important to stress that an 250 application SHOULD perform congestion control over all UDP traffic it 251 sends to a destination, independently of how it generates this 252 traffic. For example, an application that forks multiple worker 253 processes or otherwise uses multiple sockets to generate UDP 254 datagrams SHOULD perform congestion control over the aggregate 255 traffic. 257 Several approaches to perform congestion control are discussed in the 258 remainder of this section. The section describes generic topics with 259 an intended emphasis on unicast and anycast [RFC1546] usage. Not all 260 approaches discussed below are appropriate for all UDP-transmitting 261 applications. Section 3.1.1 discusses congestion control options for 262 applications that perform bulk transfers over UDP. Such applications 263 can employ schemes that sample the path over several subsequent RTTs 264 during which data is exchanged to determine a sending rate that the 265 path at its current load can support. Other applications only 266 exchange a few UDP datagrams with a destination. Section 3.1.2 267 discusses congestion control options for such "low data-volume" 268 applications.
Because they typically do not transmit enough data to 269 iteratively sample the path to determine a safe sending rate, they 270 need to employ different kinds of congestion control mechanisms. 271 Section 3.1.9 discusses congestion control considerations when UDP is 272 used as a tunneling protocol. Section 4 provides additional 273 recommendations for broadcast and multicast usage. 275 It is important to note that congestion control should not be viewed 276 as an add-on to a finished application. Many of the mechanisms 277 discussed in the guidelines below require application support to 278 operate correctly. Application designers need to consider congestion 279 control throughout the design of their application, similar to how 280 they consider security aspects throughout the design process. 282 In the past, the IETF has also investigated integrated congestion 283 control mechanisms that act on the traffic aggregate between two 284 hosts, i.e., a framework such as the Congestion Manager [RFC3124], 285 where active sessions may share current congestion information in a 286 way that is independent of the transport protocol. Such mechanisms 287 have so far failed to see deployment, but would otherwise simplify 288 the design of congestion control mechanisms for UDP sessions, so that 289 they fulfill the requirements in [RFC2914]. 291 3.1.1. Bulk Transfer Applications 293 Applications that perform bulk transmission of data to a peer over 294 UDP, i.e., applications that exchange more than a few UDP datagrams 295 per RTT, SHOULD implement TCP-Friendly Rate Control (TFRC) [RFC5348], 296 window-based TCP-like congestion control, or otherwise ensure that 297 the application complies with the congestion control principles. 299 TFRC has been designed to provide both congestion control and 300 fairness in a way that is compatible with the IETF's other transport 301 protocols. If an application implements TFRC, it need not follow the 302 remaining guidelines in Section 3.1.1, because TFRC already addresses 303 them, but SHOULD still follow the remaining guidelines in the 304 subsequent subsections of Section 3. 306 Bulk transfer applications that choose not to implement TFRC or TCP- 307 like windowing SHOULD implement a congestion control scheme that 308 results in bandwidth (capacity) use that competes fairly with TCP 309 within an order of magnitude. 311 Section 2 of [RFC3551] suggests that applications SHOULD monitor the 312 packet loss rate to ensure that it is within acceptable parameters. 313 Packet loss is considered acceptable if a TCP flow across the same 314 network path under the same network conditions would achieve an 315 average throughput, measured on a reasonable timescale, that is not 316 less than that of the UDP flow. The comparison to TCP cannot be 317 specified exactly, but is intended as an "order-of-magnitude" 318 comparison in timescale and throughput. 320 Finally, some bulk transfer applications may choose not to implement 321 any congestion control mechanism and instead rely on transmitting 322 across reserved path capacity (see Section 3.1.7). This might be an 323 acceptable choice for a subset of restricted networking environments, 324 but is by no means a safe practice for operation over the wider 325 Internet. When the UDP traffic of such applications leaks out into 326 unprovisioned Internet paths, it can significantly degrade the 327 performance of other traffic sharing the path and even result in 328 congestion collapse.
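As a rough, non-normative illustration of the order-of-magnitude comparison above, the TCP throughput equation used by TFRC [RFC5348] can serve as a reference rate. The sketch below (in Python; the example parameter values are illustrative, not recommendations) computes the fair rate from the segment size, RTT, and loss event rate:

   from math import sqrt

   def tcp_friendly_rate(s, rtt, p, b=1):
       # TCP throughput equation from Section 3.1 of [RFC5348]:
       #   X = s / (R*sqrt(2bp/3) + t_RTO*(3*sqrt(3bp/8))*p*(1+32p^2))
       # s: segment size (bytes), rtt: seconds, p: loss event rate.
       t_rto = 4 * rtt   # simplification suggested by RFC 5348
       denom = (rtt * sqrt(2 * b * p / 3) +
                t_rto * 3 * sqrt(3 * b * p / 8) * p * (1 + 32 * p ** 2))
       return s / denom  # bytes per second

   # Example: 1460-byte segments, 100 ms RTT, 1% loss -> ~160 KB/s.
   # A UDP sender should keep its rate within an order of magnitude
   # of this reference value.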
Applications that support an uncontrolled or 329 unadaptive transmission behavior SHOULD NOT do so by default and 330 SHOULD instead require users to explicitly enable this mode of 331 operation, and they SHOULD verify that sufficient path capacity has 332 been reserved for them. 334 3.1.2. Low Data-Volume Applications 336 When applications that at any time exchange only a few UDP datagrams 337 with a destination implement TFRC or one of the other congestion 338 control schemes in Section 3.1.1, the network sees little benefit, 339 because those mechanisms perform congestion control in a way that is 340 only effective for longer transmissions. 342 Applications that at any time exchange only a few UDP datagrams with 343 a destination SHOULD still control their transmission behavior by not 344 sending on average more than one UDP datagram per round-trip time 345 (RTT) to a destination. Similar to the recommendation in [RFC1536], 346 an application SHOULD maintain an estimate of the RTT for any 347 destination with which it communicates. Applications SHOULD 348 implement the algorithm specified in [RFC6298] to compute a smoothed 349 RTT (SRTT) estimate. They SHOULD also detect packet loss and 350 exponentially back off their retransmission timer when a loss event 351 occurs. When implementing this scheme, applications need to choose a 352 sensible initial value for the RTT. This value SHOULD generally be 353 as conservative as possible for the given application. TCP specifies 354 an initial value of 3 seconds [RFC6298], which is also RECOMMENDED as 355 an initial value for UDP applications. SIP [RFC3261] and GIST 356 [RFC5971] use an initial value of 500 ms, and initial timeouts that 357 are shorter than this are likely problematic in many cases. It is 358 also important to note that the initial timeout is not the maximum 359 possible timeout -- the RECOMMENDED algorithm in [RFC6298] yields 360 timeout values after a series of losses that are much longer than the 361 initial value. 363 Some applications cannot maintain a reliable RTT estimate for a 364 destination. The first case is that of applications that exchange 365 too few UDP datagrams with a peer to establish a statistically 366 accurate RTT estimate. Such applications MAY use a predetermined 367 transmission interval that is exponentially backed-off when packets 368 are lost. TCP uses an initial value of 3 seconds [RFC6298], which is 369 also RECOMMENDED as an initial value for UDP applications. SIP 370 [RFC3261] and GIST [RFC5971] use an interval of 500 ms, and shorter 371 values are likely problematic in many cases. As in the previous 372 case, note that the initial timeout is not the maximum possible 373 timeout. 375 A second class of applications cannot maintain an RTT estimate for a 376 destination, because the destination does not send return traffic. 377 Such applications SHOULD NOT send more than one UDP datagram every 3 378 seconds, and SHOULD use an even less aggressive rate when possible. 379 The 3-second interval was chosen based on TCP's retransmission 380 timeout when the RTT is unknown [RFC6298], and shorter values are 381 likely problematic in many cases. Note that the sending rate in this 382 case must be more conservative than in the two previous cases, 383 because the lack of return traffic prevents the detection of packet 384 loss, i.e., congestion, and the application therefore cannot perform 385 exponential back-off to reduce load.
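The RTT estimation and exponential back-off recommended above can reuse the standard algorithm of [RFC6298]. The following sketch (Python; the clock granularity is an assumed value, and the 3-second initial timeout follows the recommendation in this section) maintains the SRTT and RTTVAR variables and backs the timer off on loss:

   class RtoEstimator:
       # Retransmission timeout per RFC 6298, for a UDP application.
       ALPHA, BETA = 1 / 8, 1 / 4   # gains from RFC 6298
       G = 0.1                      # assumed clock granularity (seconds)

       def __init__(self):
           self.srtt = None
           self.rttvar = None
           self.rto = 3.0           # conservative initial value (see text)

       def on_rtt_sample(self, r):
           # Update the smoothed RTT from a new sample r (in seconds).
           if self.srtt is None:
               self.srtt, self.rttvar = r, r / 2
           else:
               self.rttvar = ((1 - self.BETA) * self.rttvar +
                              self.BETA * abs(self.srtt - r))
               self.srtt = (1 - self.ALPHA) * self.srtt + self.ALPHA * r
           self.rto = max(1.0, self.srtt + max(self.G, 4 * self.rttvar))

       def on_timeout(self):
           # Exponential back-off when a loss event occurs.
           self.rto = min(self.rto * 2, 60.0)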
387 Applications that communicate bidirectionally SHOULD employ 388 congestion control for both directions of the communication. For 389 example, for a client-server, request-response-style application, 390 clients SHOULD congestion-control their request transmission to a 391 server, and the server SHOULD congestion-control its responses to the 392 clients. Congestion in the forward and reverse direction is 393 uncorrelated, and an application SHOULD either independently detect 394 and respond to congestion along both directions, or limit new and 395 retransmitted requests based on acknowledged responses across the 396 entire round-trip path. 398 3.1.3. Implications of RTT and Loss Measurements on Congestion Control 400 Transports such as TCP, SCTP and DCCP provide timely detection of 401 congestion that results in an immediate reduction of their maximum 402 sending rate when congestion is experienced. This reaction is 403 typically completed 1-2 RTTs after loss/congestion is encountered. 404 Applications using UDP SHOULD implement a congestion control scheme 405 that provides a prompt reaction to signals indicating congestion 406 (e.g., by reducing the rate within the next RTT following a 407 congestion signal). 409 The operation of a UDP congestion control algorithm can be very 410 different from the way TCP operates. This includes congestion controls 411 that respond on timescales that fit applications that cannot usefully 412 work within the "change rate every RTT" model of TCP. Applications 413 that experience a low or varying RTT are particularly vulnerable to 414 sampling errors (e.g., due to measurement noise, or timer accuracy). 415 This suggests the need to average loss/congestion and RTT 416 measurements over a longer interval; however, this can also add 417 delay in detecting congestion. Some applications may not 418 react by reducing their sending rate immediately for various reasons, 419 including: RTT and loss measurements are only made periodically 420 (e.g., using RTCP), additional time is required to filter 421 information, or the application is only able to change its sending 422 rate at predetermined intervals (e.g., some video codecs). 424 When designing a congestion control algorithm, the designer therefore 425 needs to consider the total time taken to reduce the load following a 426 lack of feedback or a congestion event. An application whose 427 most recent RTT measurement is smaller than the actual RTT, or whose 428 measured loss rate is smaller than the actual loss rate, can 429 overestimate the available capacity. Such overestimation can 430 result in a sending rate that creates congestion for the application 431 or other flows sharing the path capacity and can contribute to 432 congestion collapse; both of these need to be avoided. 434 A congestion control mechanism designed for UDP SHOULD respond as quickly as 435 possible when it experiences congestion, and SHOULD take into account 436 both the loss rate and the response time when choosing a new rate. 437 The implemented congestion control scheme SHOULD result in bandwidth 438 (capacity) use that is comparable to that of TCP within an order of 439 magnitude, so that it does not starve other flows sharing a common 440 bottleneck. 442 3.1.4. Burst Mitigation and Pacing 444 UDP applications SHOULD provide mechanisms to regulate the bursts of 445 transmission that the application may send to the network.
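A minimal way to regulate such bursts, sketched below under the assumption of a fixed target rate (Python; the address, port, and rate are illustrative), is to insert an inter-packet gap proportional to each datagram's size rather than sending the whole burst back-to-back:

   import socket
   import time

   def paced_send(sock, datagrams, dest, rate_bps):
       # Pace a burst so the sending rate stays near rate_bps.
       for payload in datagrams:
           sock.sendto(payload, dest)
           time.sleep(len(payload) * 8 / rate_bps)  # gap per packet

   # Example: pace ten 1200-byte datagrams at 1 Mb/s, i.e., one
   # datagram roughly every 9.6 ms (192.0.2.1 is a documentation
   # address used here as a placeholder).
   sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
   paced_send(sock, [b"x" * 1200] * 10, ("192.0.2.1", 9000), 1000000)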
Many TCP 446 and SCTP implementations provide mechanisms that prevent a sender 447 from generating long bursts at line-rate, since these are known to 448 induce early loss to applications sharing a common network 449 bottleneck. The use of pacing with TCP [ALLMAN] has also been shown 450 to improve the coexistence of TCP flows with other flows. The need 451 to avoid excessive transmission bursts is also noted in 452 specifications for applications (e.g., [RFC7143]). 454 Even low data-volume UDP flows may benefit from packet pacing, e.g., 455 an application that sends three copies of a packet to improve 456 robustness to loss is RECOMMENDED to pace out those three packets 457 over several RTTs, to reduce the probability that all three packets 458 will be lost due to the same congestion event (or other event, such 459 as burst corruption). 461 3.1.5. Explicit Congestion Notification 463 Internet applications can use Explicit Congestion Notification (ECN) 464 [RFC3168] to gain benefits for the services they support 465 [I-D.ietf-aqm-ecn-benefits]. 467 Internet transports, such as TCP, provide a set of mechanisms that 468 are needed to utilize ECN. ECN operates by setting an ECN-capable 469 codepoint (ECT(0) or ECT(1)) in the IP header of packets that are 470 sent. This indicates to ECN-capable network devices (routers, and 471 other devices) that they may mark (set the congestion experienced, CE 472 codepoint), rather than drop the IP packet as a signal of incipient 473 congestion. 475 UDP applications can also benefit from enabling ECN, provided that 476 the API supports ECN and that they implement the required protocol 477 mechanisms to support ECN. 479 The set of mechanisms required for an application to use ECN over UDP 480 is as follows (an illustrative sketch follows the list): 482 o A sender MUST provide a method to determine (e.g., negotiate) that 483 the corresponding application is able to provide ECN feedback 484 using a compatible ECN method. 486 o A receiver that enables the use of ECN for a UDP port MUST check 487 the ECN field at the receiver for each UDP datagram that it 488 receives on this port. 490 o The receiving application needs to provide feedback of congestion 491 information to the sending application. This MUST report the 492 presence of datagrams received with a CE-mark by providing a 493 mechanism to feed this congestion information back to the sending 494 application. The feedback MAY also report the presence of ECT(1) 495 and ECT(0)/Not-ECT packets [RFC7560]. ([RFC3168] and [RFC7560] 496 specify methods for TCP.) 498 o An application sending ECN-capable datagrams MUST provide an 499 appropriate congestion reaction when it receives feedback 500 indicating that congestion has been experienced. This must result 501 in a reduction of the sending rate by the UDP congestion control 502 method (see Section 3.1) that is not less than the reaction of TCP under 503 equivalent conditions. 505 o A sender SHOULD detect network paths that do not support the ECN 506 field correctly. When such a path is detected, the sender needs to either 507 conservatively react to congestion or even fall back to not using ECN 508 [I-D.ietf-aqm-ecn-benefits]. This method needs to be robust to 509 changes within the network path that may occur over the lifetime 510 of a session. 512 o A sender is encouraged to provide a mechanism to detect and react 513 appropriately to misbehaving receivers that fail to report CE- 514 marked packets [I-D.ietf-aqm-ecn-benefits].
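The following sketch illustrates the sender marking and receiver checking described in the list above. It is Linux-oriented and assumes the sockets API exposes the TOS byte (IP_TOS on send; IP_RECVTOS plus recvmsg() ancillary data on receipt); the port number is a placeholder, and the negotiation and feedback mechanisms are application-specific and therefore not shown:

   import socket

   ECT0, CE = 0b10, 0b11   # ECN codepoints in the two low TOS bits
   IP_RECVTOS = getattr(socket, "IP_RECVTOS", 13)  # 13 on Linux

   # Sender: mark outgoing datagrams as ECN-capable with ECT(0).
   snd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
   snd.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, ECT0)

   # Receiver: request the TOS byte of each received datagram and
   # inspect its ECN field for CE marks.
   rcv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
   rcv.bind(("", 9000))    # placeholder port
   rcv.setsockopt(socket.IPPROTO_IP, IP_RECVTOS, 1)
   data, ancdata, flags, addr = rcv.recvmsg(2048, socket.CMSG_SPACE(1))
   for level, ctype, cdata in ancdata:
       if level == socket.IPPROTO_IP and ctype == socket.IP_TOS:
           if cdata[0] & 0b11 == CE:
               pass  # CE mark: feed congestion information back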
516 [RFC6679] provides guidance and an example of this support, by describing 517 a method to allow ECN to be used for UDP-based applications using the 518 Real-time Transport Protocol (RTP). Applications that cannot provide this set 519 of mechanisms, but wish to gain the benefits of using ECN, are 520 encouraged to use a transport protocol that already supports ECN 521 (such as TCP). 523 3.1.6. Differentiated Services Model 525 An application using UDP can use the differentiated services 526 (Diffserv) Quality of Service (QoS) framework. To enable 527 differentiated services processing, a UDP sender sets the 528 Differentiated Services Code Point (DSCP) field [RFC2475] in packets 529 sent to the network. Normally, a UDP source/destination port pair 530 will set a single DSCP value for all packets belonging to a flow, but 531 multiple DSCPs can be used as described later in this section. A 532 DSCP may be chosen from a small set of fixed values (the class 533 selector code points), or from a set of recommended values defined in 534 the Per Hop Behavior (PHB) specifications, or from values that have 535 purely local meanings to a specific network that supports DiffServ. 536 In general, packets may be forwarded across multiple networks between 537 the source and destination. 539 In setting a non-default DSCP value, an application must be aware 540 that DSCP markings may be changed or removed between the traffic 541 source and destination. This has implications for the design of 542 applications that use DSCPs. Specifically, applications SHOULD be 543 designed not to rely on implementation of a specific network 544 treatment; they instead need to implement congestion control methods 545 to determine if their current sending rate is inducing congestion in 546 the network. 548 [I-D.ietf-dart-dscp-rtp] describes the implications of using DSCPs 549 and provides recommendations on using multiple DSCPs within a single 550 network five-tuple (source and destination addresses, source and 551 destination ports, and the transport protocol used, in this case, UDP 552 or UDP-Lite), and particularly the expected impact on transport 553 protocol interactions with congestion control or reliability 554 functionality (e.g., retransmission, reordering). Use of multiple 555 DSCPs can result in reordering by increasing the set of network 556 forwarding resources used by a sender. It can also increase exposure 557 to resource depletion or failure. 559 3.1.7. QoS, Preprovisioned or Reserved Capacity 561 The IETF usually specifies protocols for use within the Best Effort 562 General Internet. Sometimes it is relevant to specify protocols with 563 a different applicability. An application using UDP can use the 564 integrated services QoS framework. This framework is usually made 565 available within controlled environments (e.g., within a single 566 administrative domain or bilaterally agreed connection between 567 domains). Applications intended for the Internet SHOULD NOT assume 568 that QoS mechanisms are supported by the networks they use, and 569 therefore need to provide congestion control, error recovery, etc. in 570 case the actual network path does not provide provisioned service. 572 Some UDP applications are only expected to be deployed over network 573 paths that use pre-provisioned capacity or capacity reserved using 574 dynamic provisioning, e.g., through the Resource Reservation Protocol 575 (RSVP).
Multicast applications are also used with pre-provisioned 576 capacity (e.g., IPTV deployments within access networks). These 577 applications MAY choose not to implement any congestion control 578 mechanism and instead rely on transmitting only on paths where the 579 capacity is provisioned and reserved for this use. This might be an 580 acceptable choice for a subset of restricted networking environments, 581 but is by no means a safe practice for operation over the wider 582 Internet. Applications that choose this option SHOULD carefully and 583 in detail describe the provisioning and management procedures that 584 result in the desired containment. 586 Applications that support an uncontrolled or unadaptive transmission 587 behavior SHOULD NOT do so by default and SHOULD instead require users 588 to explicitly enable this mode of operation. 590 Applications designed for use within a controlled environment (see 591 Section 3.6) may be able to exploit network management 592 functions to detect whether they are causing congestion, and react 593 accordingly. If the traffic of such applications leaks out into 594 unprovisioned Internet paths, it can significantly degrade the 595 performance of other traffic sharing the path and even result in 596 congestion collapse. Protocols designed for such networks SHOULD 597 provide mechanisms at the network edge to prevent leakage of traffic 598 into unprovisioned Internet paths (e.g., [RFC7510]). To protect other 599 applications sharing the same path, applications SHOULD also deploy 600 an appropriate circuit breaker, as described in Section 3.1.8. 602 An IETF specification targeting a controlled environment is expected 603 to provide an applicability statement that restricts the application 604 to the controlled environment (see Section 3.6). 606 3.1.8. Circuit Breaker Mechanisms 608 A transport circuit breaker is an automatic mechanism that is used to 609 estimate the congestion caused by a flow, and to terminate (or 610 significantly reduce the rate of) the flow when excessive congestion 611 is detected [I-D.ietf-tsvwg-circuit-breaker]. This is a safety 612 measure to prevent congestion collapse (starvation of resources 613 available to other flows), essential for an Internet that is 614 heterogeneous and for traffic that is hard to predict in advance. 616 A circuit breaker is intended as a protection mechanism of last 617 resort. Under normal circumstances, a circuit breaker should not be 618 triggered; it is designed to protect things when there is severe 619 overload. The goal is usually to limit the maximum transmission rate 620 to one that reflects the available capacity of a network path. Circuit 621 breakers can operate on individual UDP flows or traffic aggregates, 622 e.g., traffic sent using a network tunnel. 624 [I-D.ietf-tsvwg-circuit-breaker] provides guidance and examples on 625 the use of circuit breakers. The use of a circuit breaker in RTP is 626 specified in [I-D.ietf-avtcore-rtp-circuit-breakers]. 628 Applications used in the general Internet SHOULD implement a 629 transport circuit breaker if they do not implement congestion control 630 or operate a low data-volume service (see Section 3.6). All 631 applications MAY implement a transport circuit breaker 632 [I-D.ietf-tsvwg-circuit-breaker] and are encouraged to consider 633 implementing at least a slow-acting transport circuit breaker to 634 provide a protection of last resort for their network traffic. 636 3.1.9.
UDP Tunnels 638 One increasingly popular use of UDP is as a tunneling protocol 639 [I-D.ietf-intarea-tunnels], where a tunnel endpoint encapsulates the 640 packets of another protocol inside UDP datagrams and transmits them 641 to another tunnel endpoint, which decapsulates the UDP datagrams and 642 forwards the original packets contained in the payload. Tunnels 643 establish virtual links that appear to directly connect locations 644 that are distant in the physical Internet topology and can be used to 645 create virtual (private) networks. Using UDP as a tunneling protocol 646 is attractive when the payload protocol is not supported by 647 middleboxes that may exist along the path, because many middleboxes 648 support transmission using UDP. 650 Well-implemented tunnels are generally invisible to the endpoints 651 that happen to transmit over a path that includes tunneled links. On 652 the other hand, to the routers along the path of a UDP tunnel, i.e., 653 the routers between the two tunnel endpoints, the traffic that a UDP 654 tunnel generates is a regular UDP flow, and the encapsulator and 655 decapsulator appear as regular UDP-sending and -receiving 656 applications. Because other flows can share the path with one or 657 more UDP tunnels, congestion control needs to be considered. 659 Two factors determine whether a UDP tunnel needs to employ specific 660 congestion control mechanisms -- first, whether the payload traffic 661 is IP-based; second, whether the tunneling scheme generates UDP 662 traffic at a volume that corresponds to the volume of payload traffic 663 carried within the tunnel. 665 IP-based traffic is generally assumed to be congestion-controlled, 666 i.e., it is assumed that the transport protocols generating IP-based 667 traffic at the sender already employ mechanisms that are sufficient 668 to address congestion on the path. Consequently, a tunnel carrying 669 IP-based traffic should already interact appropriately with other 670 traffic sharing the path, and specific congestion control mechanisms 671 for the tunnel are not necessary. 673 However, if the IP traffic in the tunnel is known to not be 674 congestion-controlled, additional measures are RECOMMENDED to limit 675 the impact of the tunneled traffic on other traffic sharing the path. 677 The following guidelines define these possible cases in more detail: 679 1. A tunnel generates UDP traffic at a volume that corresponds to 680 the volume of payload traffic, and the payload traffic is IP- 681 based and congestion-controlled. 683 This is arguably the most common case for Internet tunnels. In 684 this case, the UDP tunnel SHOULD NOT employ its own congestion 685 control mechanism, because congestion losses of tunneled traffic 686 will already trigger an appropriate congestion response at the 687 original senders of the tunneled traffic. A circuit breaker 688 mechanism may provide benefit by controlling the envelope of the 689 aggregated traffic. 691 Note that this guideline is built on the assumption that most IP- 692 based communication is congestion-controlled. If a UDP tunnel is 693 used for IP-based traffic that is known to not be congestion- 694 controlled, the next set of guidelines applies. 696 2. A tunnel generates UDP traffic at a volume that corresponds to 697 the volume of payload traffic, and the payload traffic is not 698 known to be IP-based, or is known to be IP-based but not 699 congestion-controlled. 
701 This can be the case, for example, when some link-layer protocols 702 are encapsulated within UDP (but not all link-layer protocols; 703 some are congestion-controlled). Because it is not known that 704 congestion losses of tunneled non-IP traffic will trigger an 705 appropriate congestion response at the senders, the UDP tunnel 706 SHOULD employ an appropriate congestion control mechanism or 707 circuit breaker mechanism designed for the traffic it carries. 708 Because tunnels are usually bulk-transfer applications as far as 709 the intermediate routers are concerned, the guidelines in 710 Section 3.1.1 apply. 712 3. A tunnel generates UDP traffic at a volume that does not 713 correspond to the volume of payload traffic, independent of 714 whether the payload traffic is IP-based or congestion-controlled. 716 Examples of this class include UDP tunnels that send at a 717 constant rate, increase their transmission rates under loss, for 718 example, due to increasing redundancy when Forward Error 719 Correction is used, or are otherwise unconstrained in their 720 transmission behavior. These specialized uses of UDP for 721 tunneling go beyond the scope of the general guidelines given in 722 this document. The implementer of such specialized tunnels 723 SHOULD carefully consider congestion control in the design of 724 their tunneling mechanism and SHOULD consider use of a circuit 725 breaker mechanism. 727 The type of encapsulated payload might be identified by a UDP port, 728 or by an Ethernet Type or IP protocol number. A tunnel 729 SHOULD provide mechanisms to restrict the types of flows that may be 730 carried by the tunnel. For instance, a UDP tunnel designed to carry 731 IP needs to filter out non-IP traffic at the ingress. This is 732 particularly important when a generic tunnel encapsulation is used 733 (e.g., one that encapsulates using an EtherType value). Such tunnels 734 SHOULD provide a mechanism to restrict the types of traffic that are 735 allowed to be encapsulated for a given deployment (see 736 [I-D.ietf-intarea-tunnels]). 738 Designing a tunneling mechanism requires significantly more expertise 739 than needed for many other UDP applications, because tunnels are 740 usually intended to be transparent to the endpoints transmitting over 741 them, so they need to correctly emulate the behavior of an IP link 742 [I-D.ietf-intarea-tunnels], e.g.: 744 o Requirements for tunnels that carry or encapsulate using ECN code 745 points [RFC6040]. 747 o Usage of the IP DSCP field by tunnel endpoints [RFC2983]. 749 o Encapsulation considerations in the design of tunnels 750 [I-D.ietf-rtgwg-dt-encap]. 752 o Usage of ICMP messages [I-D.ietf-intarea-tunnels]. 754 o Handling of fragmentation and packet size for tunnels 755 [I-D.ietf-intarea-tunnels]. 757 o Source port usage for tunnels designed to support equal cost 758 multipath (ECMP) routing (see Section 5.1.1). 760 o Guidance on the need to protect headers [I-D.ietf-intarea-tunnels] 761 and the use of checksums for IPv6 tunnels (see Section 3.4.1). 763 o Support for operations and maintenance [I-D.ietf-intarea-tunnels]. 765 At the same time, the tunneled traffic is application traffic like 766 any other from the perspective of the networks the tunnel transmits 767 over. This document only touches upon the congestion control 768 considerations for implementing UDP tunnels; a discussion of other 769 required tunneling behavior is out of scope. 771 3.2.
Message Size Guidelines 773 IP fragmentation lowers the efficiency and reliability of Internet 774 communication. The loss of a single fragment results in the loss of 775 an entire fragmented packet, because even if all other fragments are 776 received correctly, the original packet cannot be reassembled and 777 delivered. This fundamental issue with fragmentation exists for both 778 IPv4 and IPv6. 780 In addition, some network address translators (NATs) and firewalls 781 drop IP fragments. The network address translation performed by a 782 NAT only operates on complete IP packets, and some firewall policies 783 also require inspection of complete IP packets. Even so, 784 some NATs and firewalls simply do not implement the 785 necessary reassembly functionality, and instead choose to drop all 786 fragments. Finally, [RFC4963] documents other issues specific to 787 IPv4 fragmentation. 789 Due to these issues, an application SHOULD NOT send UDP datagrams 790 that result in IP packets that exceed the Maximum Transmission Unit 791 (MTU) along the path to the destination. Consequently, an 792 application SHOULD either use the path MTU information provided by 793 the IP layer or implement Path MTU Discovery (PMTUD) itself 794 [RFC1191][RFC1981][RFC4821] to determine whether the path to a 795 destination will support its desired message size without 796 fragmentation. However, the ICMP messages that enable path MTU 797 discovery are increasingly being filtered by middleboxes (including 798 firewalls) that fail to forward ICMP messages. When the path includes a 799 tunnel, some devices acting as a tunnel ingress discard ICMP messages 800 that originate from network devices over which the tunnel passes, 801 preventing these from reaching the UDP endpoint. 803 Packetization Layer Path MTU Discovery (PLPMTUD) [RFC4821] does not 804 rely upon network support for ICMP messages and is therefore 805 considered more robust than standard PMTUD. It is not susceptible to 806 "black holing" of ICMP messages. To operate, PLPMTUD requires changes 807 to the way the transport is used, both to transmit probe packets, and 808 to account for the loss or success of these probes. This updates not 809 only the PMTU algorithm but also impacts loss recovery, congestion 810 control, etc. These updated mechanisms can be implemented within a 811 connection-oriented transport (e.g., TCP, SCTP, DCCP), but are not a 812 part of UDP; moreover, this type of feedback is not typically present for 813 unidirectional applications. 815 PLPMTUD therefore places additional design requirements on a UDP 816 application that wishes to use this method. This is especially true 817 for UDP tunnels, because the overhead of sending probe packets needs 818 to be accounted for and may require adding a congestion control 819 mechanism to the tunnel (see Section 3.1.9) as well as complicating 820 the data path at a tunnel decapsulator. 822 Applications that do not follow this recommendation to perform PMTUD/ 823 PLPMTUD SHOULD still avoid sending UDP datagrams that would 824 result in IP packets that exceed the path MTU. Because the actual 825 path MTU is unknown, such applications SHOULD fall back to sending 826 messages that are shorter than the default effective MTU for sending 827 (EMTU_S in [RFC1122]). For IPv4, EMTU_S is the smaller of 576 bytes 828 and the first-hop MTU [RFC1122]. For IPv6, EMTU_S is 1280 bytes 829 [RFC2460].
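For applications that fall back to the default EMTU_S, the corresponding safe UDP payload sizes follow from subtracting the IP and UDP header sizes, as the sketch below shows (assuming no IPv4 options or IPv6 extension headers):

   UDP_HEADER = 8
   IPV4_HEADER, IPV6_HEADER = 20, 40   # no options/extension headers

   # IPv4: EMTU_S is the smaller of 576 bytes and the first-hop MTU.
   safe_payload_v4 = 576 - IPV4_HEADER - UDP_HEADER    # 548 bytes

   # IPv6: EMTU_S is 1280 bytes.
   safe_payload_v6 = 1280 - IPV6_HEADER - UDP_HEADER   # 1232 bytes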
The effective PMTU for a directly connected destination 830 (with no routers on the path) is the configured interface MTU, which 831 could be less than the maximum link payload size. Transmission of 832 minimum-sized UDP datagrams is inefficient over paths that support a 833 larger PMTU, which is a second reason to implement PMTU discovery. 835 To determine an appropriate UDP payload size, applications MUST 836 subtract the size of the IP header (which includes any IPv4 optional 837 headers or IPv6 extension headers) as well as the length of the UDP 838 header (8 bytes) from the PMTU size. This size, known as the Maximum 839 Segment Size (MSS), can be obtained from the TCP/IP stack [RFC1122]. 841 Applications that do not send messages that exceed the effective PMTU 842 of IPv4 or IPv6 need not implement any of the above mechanisms. Note 843 that the presence of tunnels can cause an additional reduction of the 844 effective PMTU [I-D.ietf-intarea-tunnels], so implementing PMTU 845 discovery may be beneficial. 847 Applications that fragment an application-layer message into multiple 848 UDP datagrams SHOULD perform this fragmentation so that each datagram 849 can be received independently, and be independently retransmitted in 850 the case where an application implements its own reliability 851 mechanisms. 853 3.3. Reliability Guidelines 855 Application designers are generally aware that UDP does not provide 856 any reliability, e.g., it does not retransmit any lost packets. 857 Often, this is a main reason to consider UDP as a transport protocol. 858 Applications that do require reliable message delivery MUST implement 859 an appropriate mechanism themselves. 861 UDP also does not protect against datagram duplication, i.e., an 862 application may receive multiple copies of the same UDP datagram, 863 with some duplicates arriving potentially much later than the first. 864 Application designers SHOULD handle such datagram duplication 865 gracefully, and may consequently need to implement mechanisms to 866 detect duplicates. Even if UDP datagram reception triggers only 867 idempotent operations, applications may want to suppress duplicate 868 datagrams to reduce load. 870 Applications that require ordered delivery MUST reestablish datagram 871 ordering themselves. The Internet can significantly delay some 872 packets with respect to others, e.g., due to routing transients, 873 intermittent connectivity, or mobility. This can cause reordering, 874 where UDP datagrams arrive at the receiver in an order different from 875 the transmission order. 877 Applications that use multiple transport ports need to be robust to 878 reordering between sessions. Load-balancing techniques within the 879 network, such as Equal Cost Multipath (ECMP) forwarding can also 880 result in a lack of ordering between different transport sessions, 881 even between the same two network endpoints. 883 It is important to note that the time by which packets are reordered 884 or after which duplicates can still arrive can be very large. Even 885 more importantly, there is no well-defined upper boundary here. 886 [RFC0793] defines the maximum delay a TCP segment should experience 887 -- the Maximum Segment Lifetime (MSL) -- as 2 minutes. No other RFC 888 defines an MSL for other transport protocols or IP itself. The MSL 889 value defined for TCP is conservative enough that it SHOULD be used 890 by other protocols, including UDP. 
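As an illustration, a receiver can suppress duplicates by remembering recently seen application-level sequence numbers for this 2-minute interval. The sketch below assumes the application already carries its own sequence number in each datagram (UDP itself provides none):

   import time

   MSL = 120.0   # Maximum Segment Lifetime borrowed from TCP (seconds)

   class DuplicateFilter:
       def __init__(self):
           self.seen = {}   # sequence number -> arrival time

       def is_duplicate(self, seq):
           now = time.monotonic()
           # Forget entries older than the MSL; later copies of these
           # sequence numbers can no longer legitimately arrive.
           self.seen = {s: t for s, t in self.seen.items()
                        if now - t < MSL}
           if seq in self.seen:
               return True            # duplicate within the MSL window
           self.seen[seq] = now
           return False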
Therefore, applications SHOULD be 891 robust to the reception of delayed or duplicate packets that are 892 received within this 2-minute interval. 894 Instead of implementing these relatively complex reliability 895 mechanisms by itself, an application that requires reliable and 896 ordered message delivery SHOULD whenever possible choose an IETF 897 standard transport protocol that provides these features. 899 3.4. Checksum Guidelines 901 The UDP header includes an optional, 16-bit one's complement checksum 902 that provides an integrity check. This check is not strong from a 903 coding or cryptographic perspective, and is not designed to detect 904 physical-layer errors or malicious modification of the datagram 905 [RFC3819]. Application developers SHOULD implement additional checks 906 where data integrity is important, e.g., through a Cyclic Redundancy 907 Check (CRC) or keyed or non-keyed cryptographic hash included with 908 the data to verify the integrity of an entire object/file sent over 909 the UDP service. 911 The UDP checksum provides a statistical guarantee that the payload 912 was not corrupted in transit. It also allows the receiver to verify 913 that it was the intended destination of the packet, because it covers 914 the IP addresses, port numbers, and protocol number, and it verifies 915 that the packet is not truncated or padded, because it covers the 916 size field. It therefore protects an application against receiving 917 corrupted payload data in place of, or in addition to, the data that 918 was sent. More description of the set of checks performed using the 919 checksum field is provided in Section 3.1 of [RFC6936]. 921 Applications SHOULD enable UDP checksums [RFC1122]. For IPv4, 922 [RFC0768] permits an option to disable their use, by setting a zero 923 checksum value. An application MAY optionally discard UDP datagrams 924 with a zero checksum [RFC1122]. 926 When UDP is used over IPv6, the UDP checksum is relied upon to 927 protect both the IPv6 and UDP headers from corruption, and MUST be 928 used as specified in [RFC2460]. Under specific conditions, a UDP 929 application is allowed to use UDP zero-checksum mode with a 930 tunnel protocol (see Section 3.4.1). 932 Applications that choose to disable UDP checksums MUST NOT make 933 assumptions regarding the correctness of received data and MUST 934 behave correctly when a UDP datagram is received that was originally 935 sent to a different destination or is otherwise corrupted. 937 3.4.1. IPv6 Zero UDP Checksum 939 [RFC6935] defines a method that enables use of UDP zero- 940 checksum mode with a tunnel protocol, provided that the method 941 satisfies the requirements in [RFC6936]. The application MUST 942 implement mechanisms and/or usage restrictions when enabling this 943 mode. This includes defining the scope for usage and measures to 944 prevent leakage of traffic to other UDP applications (see Appendix A 945 and Section 3.6). These additional design requirements for using a zero 946 IPv6 UDP checksum are not present for IPv4, since the IPv4 header 947 validates information that is not protected in an IPv6 packet. Key 948 requirements are: 950 o Use of the UDP checksum with IPv6 MUST be the default 951 configuration for all implementations [RFC6935]. The receiving 952 endpoint MUST only allow the use of UDP zero-checksum mode for 953 IPv6 on a UDP destination port that is specifically enabled.
955 o An application that supports a checksum different from that specified in 956 [RFC2460] MUST comply with all implementation requirements 957 specified in Section 4 of [RFC6936] and with the usage 958 requirements specified in Section 5 of [RFC6936]. 960 o A UDP application MUST check that the source and destination IPv6 961 addresses are valid for any packets with a UDP zero-checksum and 962 MUST discard any packet for which this check fails. To protect 963 from misdelivery, new encapsulation designs SHOULD include an 964 integrity check at the transport layer that includes at least the 965 IPv6 header, the UDP header and the shim header for the 966 encapsulation, if any [RFC6936]. 968 o One way to help satisfy the requirements of [RFC6936] may be to 969 limit the usage, e.g., by constraining traffic to an operator network 970 (see Section 3.6), as in [RFC7510]. 972 As in IPv4, IPv6 applications that choose to disable UDP checksums 973 MUST NOT make assumptions regarding the correctness of received data 974 and MUST behave correctly when a UDP datagram is received that was 975 originally sent to a different destination or is otherwise corrupted. 977 IPv6 datagrams with a zero UDP checksum will not be passed by any 978 middlebox that validates the checksum based on [RFC2460] or that 979 updates the UDP checksum field, such as NATs or firewalls. Changing 980 this behavior would require such middleboxes to be updated to 981 correctly handle datagrams with zero UDP checksums. To ensure end-to- 982 end robustness, applications that may be deployed in the general 983 Internet MUST provide a mechanism to safely fall back to using a 984 checksum when a path change occurs that redirects a zero UDP checksum 985 flow over a path that includes a middlebox that discards IPv6 986 datagrams with a zero UDP checksum. 988 3.4.2. UDP-Lite 990 A special class of applications can derive benefit from having 991 partially-damaged payloads delivered, rather than discarded, when 992 using paths that include error-prone links. Such applications can 993 tolerate payload corruption and MAY choose to use the Lightweight 994 User Datagram Protocol (UDP-Lite) [RFC3828] variant of UDP instead of 995 basic UDP. Applications that choose to use UDP-Lite instead of UDP 996 should still follow the congestion control and other guidelines 997 described for use with UDP in Section 3. 999 UDP-Lite changes the semantics of the UDP "payload length" field to 1000 that of a "checksum coverage length" field. Otherwise, UDP-Lite is 1001 semantically identical to UDP. The interface of UDP-Lite differs 1002 from that of UDP by the addition of a single (socket) option that 1003 communicates the checksum coverage length: at the sender, this 1004 specifies the intended checksum coverage, with the remaining 1005 unprotected part of the payload called the "error-insensitive part." 1006 By default, the UDP-Lite checksum coverage extends across the entire 1007 datagram. If required, an application may dynamically modify this 1008 length value, e.g., to offer greater protection to some messages. 1009 UDP-Lite always verifies that a packet was delivered to the intended 1010 destination, i.e., always verifies the header fields. Errors in the 1011 insensitive part will not cause a UDP-Lite datagram to be discarded by the 1012 destination. Applications using UDP-Lite therefore MUST NOT make 1013 assumptions regarding the correctness of the data received in the 1014 insensitive part of the UDP-Lite payload.
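On platforms that implement UDP-Lite, the checksum coverage is communicated through the socket option mentioned above. The following Linux-oriented sketch sets the sender and receiver coverage (the protocol and option numbers are from the Linux ABI; the 12-byte coverage, i.e., the 8-byte header plus 4 bytes of payload, is purely illustrative):

   import socket

   IPPROTO_UDPLITE = getattr(socket, "IPPROTO_UDPLITE", 136)
   UDPLITE_SEND_CSCOV, UDPLITE_RECV_CSCOV = 10, 11   # Linux values

   s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, IPPROTO_UDPLITE)
   # Sender: checksum the UDP-Lite header plus the first 4 payload
   # bytes; the rest of the payload is the error-insensitive part.
   s.setsockopt(IPPROTO_UDPLITE, UDPLITE_SEND_CSCOV, 12)
   # Receiver: drop packets whose coverage is shorter than 12 bytes.
   s.setsockopt(IPPROTO_UDPLITE, UDPLITE_RECV_CSCOV, 12)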
A UDP-Lite sender SHOULD select the minimum checksum coverage to include all sensitive payload information. For example, applications that use the Real-time Transport Protocol (RTP) [RFC3550] will likely want to protect the RTP header against corruption. Where appropriate, applications MUST also introduce their own validity checks for protocol information carried in the insensitive part of the UDP-Lite payload (e.g., internal CRCs).

A UDP-Lite receiver MUST set a minimum coverage threshold for incoming packets that is not smaller than the smallest coverage used by the sender [RFC3828]. The receiver SHOULD select a threshold that is sufficiently large to block packets with an inappropriately short coverage field. This may be a fixed value, or it may be negotiated by an application. UDP-Lite itself does not provide mechanisms to negotiate the checksum coverage between the sender and receiver; this therefore needs to be performed by the application.

Applications can still experience packet loss when using UDP-Lite. The enhancements offered by UDP-Lite rely upon a link being able to intercept the UDP-Lite header to correctly identify the partial coverage required. When tunnels and/or encryption are used, this can result in UDP-Lite datagrams being treated the same as UDP datagrams, i.e., result in packet loss. Use of IP fragmentation can also prevent special treatment for UDP-Lite datagrams, and this is another reason why applications SHOULD avoid IP fragmentation (Section 3.2).

UDP-Lite is supported in some endpoint protocol stacks. Current support for middlebox traversal using UDP-Lite is poor, because UDP-Lite uses a different IPv4 protocol number or IPv6 "next header" value than that used for UDP; therefore, few middleboxes are currently able to interpret UDP-Lite and take appropriate actions when forwarding the packet. This makes UDP-Lite less suited for applications needing general Internet support, until such time as UDP-Lite has achieved better support in middleboxes.

3.5. Middlebox Traversal Guidelines

Network address translators (NATs) and firewalls are examples of intermediary devices ("middleboxes") that can exist along an end-to-end path. A middlebox typically performs a function that requires it to maintain per-flow state. For connection-oriented protocols, such as TCP, middleboxes snoop and parse the connection-management information, and create and destroy per-flow state accordingly. For a connectionless protocol such as UDP, this approach is not possible. Consequently, middleboxes can create per-flow state when they see a packet that -- according to some local criteria -- indicates a new flow, and destroy the state after some time during which no packets belonging to the same flow have arrived.

Depending on the specific function that the middlebox performs, this behavior can introduce a time-dependency that restricts the kinds of UDP traffic exchanges that will be successful across the middlebox. For example, NATs and firewalls typically define the partial path on one side of them to be interior to the domain they serve, whereas the partial path on their other side is defined to be exterior to that domain.
Per-flow state is typically created when the first packet crosses from the interior to the exterior, and while the state is present, NATs and firewalls will forward return traffic. Return traffic that arrives after the per-flow state has timed out is dropped, as is other traffic that arrives from the exterior.

Many applications that use UDP for communication operate across middleboxes without needing to employ additional mechanisms. One example is the Domain Name System (DNS), which has a strict request-response communication pattern that typically completes within seconds.

Other applications may experience communication failures when middleboxes destroy the per-flow state associated with an application session during periods when the application does not exchange any UDP traffic. Applications SHOULD be able to gracefully handle such communication failures and implement mechanisms to re-establish application-layer sessions and state.

For some applications, such as media transmissions, this re-synchronization is highly undesirable, because it can cause user-perceivable playback artifacts. Such specialized applications MAY send periodic keep-alive messages to attempt to refresh middlebox state (e.g., [RFC7675]). It is important to note that keep-alive messages are not recommended for general use -- they are unnecessary for many applications and can consume significant amounts of system and network resources.

An application that needs to employ keep-alives to deliver useful service over UDP in the presence of middleboxes SHOULD NOT transmit them more frequently than once every 15 seconds and SHOULD use longer intervals when possible. No common timeout has been specified for per-flow UDP state for arbitrary middleboxes. NATs require a state timeout of 2 minutes or longer [RFC4787]. However, empirical evidence suggests that a significant fraction of currently deployed middleboxes unfortunately use shorter timeouts. The timeout of 15 seconds originates with the Interactive Connectivity Establishment (ICE) protocol [RFC5245]. When an application is deployed in a controlled environment, the deployer SHOULD investigate whether the target environment allows applications to use longer intervals, or whether it offers mechanisms to explicitly control middlebox state timeout durations, for example, using the Port Control Protocol (PCP) [RFC6887], Middlebox Communications (MIDCOM) [RFC3303], Next Steps in Signaling (NSIS) [RFC5973], or Universal Plug and Play (UPnP) [UPnP]. It is RECOMMENDED that applications apply slight random variations ("jitter") to the timing of keep-alive transmissions, to reduce the potential for persistent synchronization between keep-alive transmissions from different hosts [RFC7675].
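A minimal scheduling sketch under these rules follows: the base interval honors the 15-second minimum, and the 10% positive jitter figure is an assumption chosen for illustration, not a value taken from this document.

   #include <stdlib.h>

   #define KEEPALIVE_MIN_INTERVAL_S 15.0   /* Section 3.5 minimum */

   /* Sketch: return the delay in seconds before the next keep-alive,
    * jittered upwards so it never drops below the minimum interval. */
   double next_keepalive_delay(void)
   {
       double jitter = ((double)rand() / RAND_MAX) * 0.1;
       return KEEPALIVE_MIN_INTERVAL_S * (1.0 + jitter);
   }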
Sending keep-alives is not a substitute for implementing a mechanism to recover from broken sessions. Like all UDP datagrams, keep-alives can be delayed or dropped, causing middlebox state to time out. In addition, the congestion control guidelines in Section 3.1 cover all UDP transmissions by an application, including the transmission of middlebox keep-alives. Congestion control may thus lead to delays or temporary suspension of keep-alive transmission.

Keep-alive messages are NOT RECOMMENDED for general use. They are unnecessary for many applications and may consume significant resources. For example, on battery-powered devices, if an application needs to maintain connectivity for long periods with little traffic, the frequency at which keep-alives are sent can become the determining factor that governs power consumption, depending on the underlying network technology.

Because many middleboxes are designed to require keep-alives for TCP connections at a frequency that is much lower than that needed for UDP, this difference alone can often be sufficient to prefer TCP over UDP for these deployments. On the other hand, there is anecdotal evidence that suggests that direct communication through middleboxes, e.g., by using ICE [RFC5245], succeeds less often with TCP than with UDP. The trade-offs between different transport protocols -- especially when it comes to middlebox traversal -- deserve careful analysis.

UDP applications that could be deployed in the Internet need to be designed with an understanding that there are many variants of middlebox behavior, and that although UDP is connectionless, middleboxes often maintain state for each UDP flow. Using multiple UDP flows can consume available state space and can also lead to changes in the way the middlebox handles subsequent packets (either to protect its internal resources, or to prevent perceived misuse). The probability of path failure can increase when applications use multiple UDP flows in parallel (see Section 5.1.2 for recommendations on usage of multiple ports).

3.6. Limited Applicability and Controlled Environments

Two different types of applicability have been identified for the specification of IETF applications that utilize UDP:

General Internet. By default, IETF specifications target deployment on the general Internet. Experience has shown that successful protocols developed in one specific context or for a particular application tend to become used in a wider range of contexts. For example, a protocol with an initial deployment within a local area network may subsequently be used over a virtual network that traverses the Internet, or in the Internet in general. Applications designed for general Internet use may experience a range of network device behaviors, and in particular should consider whether applications need to operate over paths that may include middleboxes.

Controlled Environment. A protocol/encapsulation/tunnel could be designed to be used only within a controlled environment. For example, an application designed for use by a network operator might only be deployed within the network of that single network operator or on networks of an adjacent set of cooperating network operators. The application traffic may then be managed to avoid congestion, rather than relying on built-in mechanisms, which are required when operating over the general Internet. Applications that target a limited applicability use case may be able to take advantage of specific hardware (e.g., carrier-grade equipment) or underlying protocol features of the subnetwork over which they are used.
Specifications addressing a limited applicability use case or a controlled environment SHOULD identify how, in their restricted deployment, a level of safety is provided that is equivalent to that of a protocol designed for operation over the general Internet. For example, in [RFC7510], a design based on extensive experience with deployments of particular methods that provide features that cannot be expected in general Internet equipment, together with the robustness of the MPLS design to corruption of headers, helped justify use of an alternate UDP integrity check.

An IETF specification targeting a controlled environment is expected to provide an applicability statement that restricts the application traffic to the controlled environment, and it would be expected to describe how methods can be provided to discourage or prevent escape of corrupted packets from the environment (for example, Section 5 of [RFC7510]).

4. Multicast UDP Usage Guidelines

This section complements Section 3 by providing additional guidelines that are applicable to multicast and broadcast usage of UDP.

Multicast and broadcast transmission [RFC1112] usually employ the UDP transport protocol, although they may be used with other transport protocols (e.g., UDP-Lite).

There are currently two models of multicast delivery: the Any-Source Multicast (ASM) model as defined in [RFC1112] and the Source-Specific Multicast (SSM) model as defined in [RFC4607]. ASM group members will receive all data sent to the group by any source, while SSM constrains the distribution tree to a single source.

Specialized classes of applications also use UDP for IP multicast or broadcast [RFC0919]. The design of such specialized applications requires expertise that goes beyond simple, unicast-specific guidelines, since these senders may transmit to potentially very many receivers across potentially very heterogeneous paths at the same time, which significantly complicates congestion control, flow control, and reliability mechanisms.

This section provides guidance on multicast and broadcast UDP usage. Use of broadcast by an application is normally constrained by routers to the local subnetwork. However, use of tunneling techniques and proxies can and does result in some broadcast traffic traversing Internet paths. These guidelines therefore also apply to broadcast traffic.

The IETF has defined a reliable multicast framework [RFC3048] and several building blocks to aid the designers of multicast applications, such as [RFC3738] or [RFC4654].

Anycast senders must be aware that successive messages sent to the same anycast IP address may be delivered to different anycast nodes, i.e., arrive at different locations in the topology.

Most UDP tunnels that carry IP multicast traffic use a tunnel encapsulation with a unicast destination address. These MUST follow the same requirements as a tunnel carrying unicast data (see Section 3.1.9). There are deployment cases and solutions where the outer header of a UDP tunnel contains a multicast destination address, such as [RFC6513].
These cases are primarily deployed in controlled environments over reserved capacity, often operating within a single administrative domain, or between two domains over a bilaterally agreed-upon path with reserved capacity, and so congestion control is OPTIONAL, but circuit breaker techniques are still RECOMMENDED in order to restore some degree of service should the offered load exceed the reserved capacity (e.g., due to misconfiguration).

4.1. Multicast Congestion Control Guidelines

Unicast congestion-controlled transport mechanisms are often not applicable to multicast distribution services, or simply do not scale to large multicast trees, since they require bi-directional communication and adapt the sending rate to accommodate the network conditions to a single receiver. In contrast, multicast distribution trees may fan out to massive numbers of receivers, which limits the scalability of an in-band return channel to control the sending rate, and the one-to-many nature of multicast distribution trees prevents adapting the rate to the requirements of an individual receiver. For this reason, generating TCP-compatible aggregate flow rates for Internet multicast data, either native or tunneled, is the responsibility of the application implementing the congestion control.

Applications using multicast SHOULD provide appropriate congestion control. Multicast congestion control needs to be designed using mechanisms that are robust to the potential heterogeneity of both the multicast distribution tree and the receivers belonging to a group. Heterogeneity may manifest itself in some receivers experiencing more loss than others, higher delay, and/or less ability to respond to network conditions. Congestion control is particularly important for any multicast session where all or part of the multicast distribution tree spans an access network (e.g., a home gateway). Two styles of congestion control have been defined in the RFC Series:

o  Feedback-based congestion control, in which the sender receives multicast or unicast UDP messages from the receivers allowing it to assess the level of congestion and then adjust the sender rate(s) (e.g., [RFC5740], [RFC4654]). Multicast methods may operate on longer timescales than for unicast (e.g., due to the higher group RTT of a heterogeneous group). A control method could decide not to reduce the rate of the entire multicast group in response to a control message received from a single receiver (e.g., a sender could set a minimum rate and decide to request a congested receiver to leave the multicast group and could also decide to distribute content to these congested receivers at a lower rate using unicast congestion control).

o  Receiver-driven congestion control, which does not require a receiver to send explicit UDP control messages for congestion control (e.g., [RFC3738], [RFC5775]). Instead, the sender distributes the data across multiple IP multicast groups (e.g., using a set of {S,G} channels). Each receiver determines its own level of congestion and controls its reception rate using only multicast join/leave messages sent in the network control plane (see the sketch after this list). This method scales to arbitrarily large groups of receivers.
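As an illustration of such join/leave signaling, the sketch below joins one SSM {S,G} channel. It assumes the multicast source filter sockets API (MCAST_JOIN_SOURCE_GROUP) available on Linux and other platforms; the function name is illustrative, and the addresses and interface index are supplied by the caller.

   #include <string.h>
   #include <sys/socket.h>
   #include <netinet/in.h>
   #include <arpa/inet.h>

   /* Sketch: join one SSM {S,G} channel; a receiver-driven scheme
    * adjusts its reception rate purely by joining and leaving such
    * channels (MCAST_LEAVE_SOURCE_GROUP reverses the join). */
   int join_ssm_channel(int sock, const char *src, const char *grp,
                        unsigned int ifindex)
   {
       struct group_source_req gsr;
       struct sockaddr_in *g = (struct sockaddr_in *)&gsr.gsr_group;
       struct sockaddr_in *s = (struct sockaddr_in *)&gsr.gsr_source;

       memset(&gsr, 0, sizeof(gsr));
       gsr.gsr_interface = ifindex;
       g->sin_family = AF_INET;
       inet_pton(AF_INET, grp, &g->sin_addr);   /* group address */
       s->sin_family = AF_INET;
       inet_pton(AF_INET, src, &s->sin_addr);   /* source address */

       return setsockopt(sock, IPPROTO_IP, MCAST_JOIN_SOURCE_GROUP,
                         &gsr, sizeof(gsr));
   }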
Any multicast-enabled receiver may attempt to join and receive traffic from any group. This may imply the need for rate limits on individual receivers or the aggregate multicast service. Note that there is no way at the transport layer to prevent a join message propagating to the next-hop router.

Some classes of multicast applications can monitor the user-level quality of the transfer at the receiver. Applications that can detect a significant reduction in user quality SHOULD regard this as a congestion signal (e.g., to leave a group using layered multicast encoding) or, if not, SHOULD use this signal to provide a circuit breaker to terminate the flow by leaving the multicast group.

4.1.1. Bulk Transfer Multicast Applications

Applications that perform bulk transmission of data over a multicast distribution tree, i.e., applications that exchange more than a few UDP datagrams per RTT, SHOULD implement a method for congestion control. The currently RECOMMENDED IETF methods are: Asynchronous Layered Coding (ALC) [RFC5775], TCP-Friendly Multicast Congestion Control (TFMCC) [RFC4654], Wave and Equation Based Rate Control (WEBRC) [RFC3738], the NACK-Oriented Reliable Multicast (NORM) transport protocol [RFC5740], File Delivery over Unidirectional Transport (FLUTE) [RFC6726], and the Real-time Transport Protocol with its control protocol (RTP/RTCP) [RFC3550].

An application can alternatively implement another congestion control scheme, following the guidelines of [RFC2887] and utilizing the framework of [RFC3048]. Bulk transfer applications that choose not to implement [RFC4654], [RFC5775], [RFC3738], [RFC5740], [RFC6726], or [RFC3550] SHOULD implement a congestion control scheme that results in bandwidth use that competes fairly with TCP within an order of magnitude.

Section 2 of [RFC3551] states that multimedia applications SHOULD monitor the packet loss rate to ensure that it is within acceptable parameters. Packet loss is considered acceptable if a TCP flow across the same network path under the same network conditions would achieve an average throughput, measured on a reasonable timescale, that is not less than that of the UDP flow. The comparison to TCP cannot be specified exactly, but is intended as an "order-of-magnitude" comparison in timescale and throughput.

4.1.2. Low Data-Volume Multicast Applications

All the recommendations in Section 3.1.2 are also applicable to low data-volume multicast applications.

4.2. Message Size Guidelines for Multicast

A multicast application SHOULD NOT send UDP datagrams that result in IP packets that exceed the effective MTU as described in Section 3 of [RFC6807]. Consequently, an application SHOULD either use the effective MTU information provided by the Population Count Extensions to Protocol Independent Multicast [RFC6807] or implement path MTU discovery itself (see Section 3.2) to determine whether the path to each destination will support its desired message size without fragmentation.

5. Programming Guidelines

The de facto standard application programming interface (API) for TCP/IP applications is the "sockets" interface [POSIX]. Some platforms also offer applications the ability to directly assemble and transmit IP packets through "raw sockets" or similar facilities. This is a second, more cumbersome method of using UDP.
The 1372 guidelines in this document cover all such methods through which an 1373 application may use UDP. Because the sockets API is by far the most 1374 common method, the remainder of this section discusses it in more 1375 detail. 1377 Although the sockets API was developed for UNIX in the early 1980s, a 1378 wide variety of non-UNIX operating systems also implement it. The 1379 sockets API supports both IPv4 and IPv6 [RFC3493]. The UDP sockets 1380 API differs from that for TCP in several key ways. Because 1381 application programmers are typically more familiar with the TCP 1382 sockets API, this section discusses these differences. [STEVENS] 1383 provides usage examples of the UDP sockets API. 1385 UDP datagrams may be directly sent and received, without any 1386 connection setup. Using the sockets API, applications can receive 1387 packets from more than one IP source address on a single UDP socket. 1388 Some servers use this to exchange data with more than one remote host 1389 through a single UDP socket at the same time. Many applications need 1390 to ensure that they receive packets from a particular source address; 1391 these applications MUST implement corresponding checks at the 1392 application layer or explicitly request that the operating system 1393 filter the received packets. 1395 Many operating systems also allow a UDP socket to be connected, i.e., 1396 to bind a UDP socket to a specific pair of addresses and ports. This 1397 is similar to the corresponding TCP sockets API functionality. 1398 However, for UDP, this is only a local operation that serves to 1399 simplify the local send/receive functions and to filter the traffic 1400 for the specified addresses and ports. Binding a UDP socket does not 1401 establish a connection -- UDP does not notify the remote end when a 1402 local UDP socket is bound. Binding a socket also allows configuring 1403 options that affect the UDP or IP layers, for example, use of the UDP 1404 checksum or the IP Timestamp option. On some stacks, a bound socket 1405 also allows an application to be notified when ICMP error messages 1406 are received for its transmissions [RFC1122]. 1408 If a client/server application executes on a host with more than one 1409 IP interface, the application SHOULD send any UDP responses with an 1410 IP source address that matches the IP destination address of the UDP 1411 datagram that carried the request (see [RFC1122], Section 4.1.3.5). 1412 Many middleboxes expect this transmission behavior and drop replies 1413 that are sent from a different IP address, as explained in 1414 Section 3.5. 1416 A UDP receiver can receive a valid UDP datagram with a zero-length 1417 payload. Note that this is different from a return value of zero 1418 from a read() socket call, which for TCP indicates the end of the 1419 connection. 1421 UDP provides no flow-control, i.e., the sender at any given time does 1422 not know whether the receiver is able to handle incoming 1423 transmissions. This is another reason why UDP-based applications 1424 need to be robust in the presence of packet loss. This loss can also 1425 occur within the sending host, when an application sends data faster 1426 than the line rate of the outbound network interface. It can also 1427 occur at the destination, where receive calls fail to return all the 1428 data that was sent when the application issues them too infrequently 1429 (i.e., such that the receive buffer overflows). 
Robust flow control mechanisms are difficult to implement, which is why applications that need this functionality SHOULD consider using a full-featured transport protocol such as TCP.

When an application closes a TCP, SCTP or DCCP socket, the transport protocol on the receiving host is required to maintain TIME-WAIT state. This prevents delayed packets from the closed connection instance from being mistakenly associated with a later connection instance that happens to reuse the same IP address and port pairs. The UDP protocol does not implement such a mechanism. Therefore, UDP-based applications need to be robust to reordering and delay. One application may close a socket or terminate, followed in time by another application receiving on the same port. This later application may then receive packets intended for the first application that were delayed in the network.

5.1. Using UDP Ports

The rules and procedures for the management of the Service Name and Transport Protocol Port Number Registry are specified in [RFC6335]. Recommendations for use of UDP ports are provided in [RFC7605].

A UDP sender SHOULD NOT use a source port value of zero. A source port number that cannot be easily determined from the address or payload type provides protection at the receiver from data injection attacks by off-path devices. A UDP receiver SHOULD NOT bind to port zero.

Applications SHOULD implement receiver port and address checks at the application layer or explicitly request that the operating system filter the received packets to prevent receiving packets with an arbitrary port. This measure is designed to provide additional protection from data injection attacks from an off-path source (where the port values may not be known).

Applications SHOULD provide a check that protects from off-path data injection, avoiding an application receiving packets that were created by an unauthorized third party. TCP stacks commonly use a randomized source port to provide this protection [RFC6056]; UDP applications should follow the same technique (see the sketch at the end of this section). Middleboxes and end systems often make assumptions about the system ports or user ports; hence, it is recommended to use randomized ports in the Dynamic and/or Private Port range. Setting a "randomized" source port also provides greater assurance that reported ICMP errors originate from network systems on the path used by a particular flow. Some UDP applications choose to use a predetermined value for the source port (including some multicast applications); these applications therefore need to employ a different technique. Protection from off-path data attacks can also be provided by randomizing the initial value of another protocol field within the datagram payload, and checking the validity of this field at the receiver (e.g., RTP has a random initial sequence number and random media timestamp offsets [RFC3550]).

When using multicast, IP routers perform a reverse-path forwarding (RPF) check for each multicast packet. This provides protection from off-path data injection. When a receiver joins a multicast group and filters based on the source address, the filter verifies the sender's IP address. This is always the case when using an SSM {S,G} channel.
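As a sketch of the randomized source port technique: binding to port 0 asks the stack to select an ephemeral port, which modern systems randomize along the lines of [RFC6056]. The function name is illustrative.

   #include <string.h>
   #include <unistd.h>
   #include <sys/socket.h>
   #include <netinet/in.h>

   /* Sketch: obtain a UDP socket with a stack-selected, randomized
    * ephemeral source port by binding to port 0. */
   int open_udp_with_random_port(void)
   {
       struct sockaddr_in6 local;
       int s = socket(AF_INET6, SOCK_DGRAM, 0);

       if (s < 0)
           return -1;

       memset(&local, 0, sizeof(local));
       local.sin6_family = AF_INET6;
       local.sin6_addr = in6addr_any;
       local.sin6_port = 0;   /* 0 = let the stack pick the port */

       if (bind(s, (struct sockaddr *)&local, sizeof(local)) < 0) {
           close(s);
           return -1;
       }
       return s;
   }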
Usage of UDP for Source Port Entropy and the IPv6 Flow Label

Some applications use the UDP datagram header as a source of entropy for network devices that implement ECMP [RFC6438]. A UDP tunnel application targeting this usage encapsulates an inner packet using UDP, where the UDP source port value forms a part of the entropy that can be used to balance forwarding of network traffic by the devices that use ECMP. A sending tunnel endpoint selects a source port value in the UDP datagram header that is computed from the inner flow information (e.g., the encapsulated packet headers). To provide sufficient entropy, the sending tunnel endpoint maps the encapsulated traffic to one of a range of UDP source values. The value SHOULD be within the ephemeral port range, i.e., 49152 to 65535, where the high-order two bits of the port are set to one. The resulting 14 bits of source port entropy, plus the outer IP addresses, seem sufficient for most ECMP applications [I-D.ietf-rtgwg-dt-encap].

To avoid reordering within an IP flow, the same UDP source port value SHOULD be used for all packets assigned to an encapsulated flow (e.g., using a hash of the relevant headers). The entropy mapping for a flow MAY change over the lifetime of the encapsulated flow [I-D.ietf-rtgwg-dt-encap]. For instance, this could be changed as a Denial of Service (DOS) mitigation, or as a means to effect routing through the ECMP network. However, the source port selected for a flow SHOULD NOT change more than once in every thirty seconds (e.g., as in [ID.ietf-tsvwg-gre-in-udp-enca]).

The use of the source port field for entropy has several side effects that need to be considered, including:

o  It can increase the probability of misdelivery of corrupted packets, which increases the need for checksum computation or an equivalent mechanism to protect other UDP applications from misdelivery errors (Section 3.4).

o  It is expected to reduce the probability of successful middlebox traversal (Section 3.5). This use of the source port field will often not be suitable for applications targeting deployment in the general Internet.

o  It can prevent the field being usable to protect from off-path attacks (described in Section 5.1). Designers therefore need to consider other mechanisms to provide equivalent protection (e.g., to restrict use to a controlled environment [RFC7510]; see Section 3.6).

The UDP source port number field has also been leveraged to produce entropy with IPv6. However, in the case of IPv6, the "flow label" [RFC6437] may also alternatively be used as entropy for load balancing [RFC6438]. This use of the flow label for load balancing is consistent with the definition of the field, although further clarity was needed to ensure the field can be consistently used for this purpose. Therefore, an updated IPv6 flow label [RFC6437] and ECMP routing [RFC6438] usage was specified.

To ensure future opportunities to use the flow label, UDP applications SHOULD set the flow label field, even when an entropy value is also set in the source port field (e.g., an IPv6 tunnel endpoint could copy the source port flow entropy value to the IPv6 flow label field [ID.ietf-tsvwg-gre-in-udp-enca]).
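The sketch below shows one way to derive both values; flow_hash stands in for any stable hash over the encapsulated packet headers and is an assumption of the example, as are the function names.

   #include <stdint.h>

   /* Sketch: fold a hash of the inner flow's headers into the
    * ephemeral port range 49152..65535 (top two bits set), yielding
    * 14 bits of entropy, and into the 20-bit IPv6 flow label. */
   uint16_t entropy_source_port(uint32_t flow_hash)
   {
       return (uint16_t)(49152 + (flow_hash & 0x3FFF));
   }

   uint32_t entropy_flow_label(uint32_t flow_hash)
   {
       return flow_hash & 0xFFFFF;   /* flow label is 20 bits wide */
   }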
Router vendors are encouraged to start using the IPv6 flow label as a part of the flow hash, providing support for IP-level ECMP without requiring use of UDP. The end-to-end use of flow labels for load balancing is a long-term solution. Even though the usage of the flow label has been clarified, there will be a transition time before a significant proportion of endpoints start to assign a good quality flow label to the flows that they originate. Load balancing using the transport header fields will therefore likely continue until widespread deployment is finally achieved.

5.1.2. Applications using Multiple UDP Ports

A single application may exchange several types of data. In some cases, this may require multiple UDP flows (e.g., multiple sets of flows, identified by different five-tuples). [RFC6335] recommends that application developers not apply to IANA to be assigned multiple well-known ports (user or system). It does not discuss the implications of using multiple flows with the same well-known port or pairs of dynamic ports (e.g., identified by a service name or signaling protocol).

Use of multiple flows can affect the network in several ways:

o  Starting a series of successive connections can increase the number of state bindings in middleboxes (e.g., NAPT or firewall) along the network path. UDP-based middlebox traversal usually relies on timeouts to remove old state, since middleboxes are unaware when a particular flow ceases to be used by an application.

o  Using several flows at the same time may result in seeing different network characteristics for each flow. It cannot be assumed that they all follow the same path (e.g., when ECMP is used, traffic is intentionally hashed onto different parallel paths based on the port numbers).

o  Using several flows can also increase the occupancy of a binding or lookup table in a middlebox (e.g., NAPT or firewall), which may cause the device to change the way it manages the flow state.

o  Further, using excessive numbers of flows can degrade the ability of a unicast congestion control to react to congestion events, unless the congestion state is shared between all flows in a session. A receiver-driven multicast congestion control requires the sending application to distribute its data over a set of IP multicast groups; each receiver is therefore expected to receive data from a modest number of simultaneously active UDP ports.

Therefore, applications MUST NOT assume consistent behavior of middleboxes when multiple UDP flows are used; many devices respond differently as the number of used ports increases. Using multiple flows with different QoS requirements requires applications to verify that the expected performance is achieved using each individual flow (five-tuple); see Section 3.1.7.

5.2. ICMP Guidelines

Applications can utilize information about ICMP error messages that the UDP layer passes up for a variety of purposes [RFC1122]. Applications SHOULD appropriately validate the payload of ICMP messages to ensure these are received in response to transmitted traffic (i.e., a reported error condition that corresponds to a UDP datagram actually sent by the application). This requires context, such as local state about communication instances to each destination, that, although readily available in connection-oriented transport protocols, is not always maintained by UDP-based applications. Note that not all platforms have the necessary APIs to support this validation, and some platforms already perform this validation internally before passing ICMP information to the application.
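Where the platform does offer such an API, the validation can be delegated to the stack. The sketch below uses the Linux-specific IPV6_RECVERR option and MSG_ERRQUEUE flag, under which the stack only queues ICMP errors that match the socket's own traffic; other platforms differ, and the function name is illustrative.

   #include <string.h>
   #include <sys/socket.h>
   #include <netinet/in.h>
   #include <linux/errqueue.h>   /* struct sock_extended_err */

   /* Sketch: enable ICMP error reporting on an IPv6 UDP socket and
    * drain one validated error, returning its ICMPv6 type (or -1). */
   int read_icmp_error(int s)
   {
       char cbuf[512];
       struct msghdr msg;
       struct cmsghdr *c;
       int on = 1;

       setsockopt(s, IPPROTO_IPV6, IPV6_RECVERR, &on, sizeof(on));

       memset(&msg, 0, sizeof(msg));
       msg.msg_control = cbuf;
       msg.msg_controllen = sizeof(cbuf);

       if (recvmsg(s, &msg, MSG_ERRQUEUE | MSG_DONTWAIT) < 0)
           return -1;   /* no queued error */

       for (c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
           if (c->cmsg_level == IPPROTO_IPV6 &&
               c->cmsg_type == IPV6_RECVERR) {
               struct sock_extended_err *ee =
                   (struct sock_extended_err *)CMSG_DATA(c);
               return ee->ee_type;   /* already matched to our flow */
           }
       }
       return -1;
   }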
Any application response to ICMP error messages SHOULD be robust to temporary routing failures (sometimes called "soft errors"); e.g., transient ICMP "unreachable" messages ought not normally to cause a communication abort.

As mentioned above, ICMP messages are increasingly being filtered by middleboxes. A UDP application therefore SHOULD NOT rely on their delivery for correct and safe operation.

6. Security Considerations

UDP does not provide communications security. Applications that need to protect their communications against eavesdropping, tampering, or message forgery SHOULD employ end-to-end security services provided by other IETF protocols.

UDP applications SHOULD provide protection from off-path data injection attacks using a randomized source port or an equivalent technique (see Section 5.1).

Applications that respond to short requests with potentially large responses are vulnerable to amplification attacks, and SHOULD authenticate the sender before responding. The source IP address of a request is not a useful authenticator, because it can easily be spoofed.

One option for securing UDP communications is with IPsec [RFC4301], which can provide authentication for flows of IP packets through the Authentication Header (AH) [RFC4302] and encryption and/or authentication through the Encapsulating Security Payload (ESP) [RFC4303]. Applications use the Internet Key Exchange (IKE) [RFC7296] to configure IPsec for their sessions. Depending on how IPsec is configured for a flow, it can authenticate or encrypt the UDP headers as well as UDP payloads. If an application only requires authentication, ESP with no encryption but with authentication is often a better option than AH, because ESP can operate across middleboxes. An application that uses IPsec requires the support of an operating system that implements the IPsec protocol suite.

Although it is possible to use IPsec to secure UDP communications, not all operating systems support IPsec or allow applications to easily configure it for their flows. A second option for securing UDP communications is through Datagram Transport Layer Security (DTLS) [RFC6347]. DTLS provides communication privacy by encrypting UDP payloads. It does not protect the UDP headers. Applications can implement DTLS without relying on support from the operating system.

Many other options for authenticating or encrypting UDP payloads exist. For example, the GSS-API security framework [RFC2743] or Cryptographic Message Syntax (CMS) [RFC5652] could be used to protect UDP payloads. There exist a number of security options for RTP [RFC3550] over UDP, especially to accomplish key management; see [RFC7201]. These options cover many usages, including point-to-point and centralized group communication, as well as multicast.
In some applications, a better solution is to protect larger stand-alone objects, such as files or messages, instead of individual UDP payloads. In these situations, CMS [RFC5652], S/MIME [RFC5751] or OpenPGP [RFC4880] could be used. In addition, there are many non-IETF protocols in this area.

Like congestion control mechanisms, security mechanisms are difficult to design and implement correctly. It is hence RECOMMENDED that applications employ well-known standard security mechanisms such as DTLS or IPsec, rather than inventing their own.

The Generalized TTL Security Mechanism (GTSM) [RFC5082] may be used with UDP applications when the intended endpoint is on the same link as the sender. This lightweight mechanism allows a receiver to filter unwanted packets.

In terms of congestion control, [RFC2309] and [RFC2914] discuss the dangers of congestion-unresponsive flows to the Internet. [I-D.ietf-tsvwg-circuit-breaker] describes methods that can be used to set a performance envelope that can assist in preventing congestion collapse in the absence of congestion control or when the congestion control fails to react to congestion events. This document provides guidelines to designers of UDP-based applications to congestion-control their transmissions, and does not raise any additional security concerns.

Some network operators have experienced surges of UDP attack traffic that are multiple orders of magnitude above the baseline traffic rate for UDP. This can motivate operators to limit the data rate or packet rate of UDP traffic. This may in turn limit the throughput that an application can achieve using UDP and could also result in higher packet loss for UDP traffic that would not be experienced if other transport protocols had been used.

A UDP application with a long-lived association between the sender and receiver ought to be designed so that the sender periodically checks that the receiver still wants ("consents") to receive traffic, and stops if there is no explicit confirmation of this [RFC7675]. Applications that require communications in two directions to implement protocol functions (such as reliability or congestion control) will need to independently check both directions of communication, and may have to exchange keep-alive packets to traverse middleboxes (see Section 3.5).

7. Summary

This section summarizes the key guidelines made in Sections 3 - 6 in a tabular format (Table 1) for easy referencing.

+---------------------------------------------------------+---------+
| Recommendation | Section |
+---------------------------------------------------------+---------+
| MUST tolerate a wide range of Internet path conditions | 3 |
| SHOULD use a full-featured transport (TCP, SCTP, DCCP) | |
| | |
| SHOULD control rate of transmission | 3.1 |
| SHOULD perform congestion control over all traffic | |
| | |
| for bulk transfers, | 3.1.1 |
| SHOULD consider implementing TFRC | |
| else, SHOULD in other ways use bandwidth similar to TCP | |
| | |
| for non-bulk transfers, | 3.1.2 |
| SHOULD measure RTT and transmit max. 1 datagram/RTT | |
| else, SHOULD send at most 1 datagram every 3 seconds | |
| SHOULD back-off retransmission timers following loss | |
| | |
| SHOULD provide mechanisms to regulate the bursts of | 3.1.4 |
| transmission | |
| | |
| MAY implement ECN; a specific set of application | 3.1.5 |
| mechanisms are REQUIRED if ECN is used. | |
| | |
| for DiffServ, SHOULD NOT rely on implementation of PHBs | 3.1.6 |
| | |
| for QoS-enabled paths, MAY choose not to use CC | 3.1.7 |
| | |
| SHOULD NOT rely solely on QoS for their capacity | 3.1.8 |
| non-CC controlled flows SHOULD implement a transport | |
| circuit breaker | |
| MAY implement a circuit breaker for other applications | |
| | |
| for tunnels carrying IP traffic, | 3.1.9 |
| SHOULD NOT perform congestion control | |
| MUST correctly process the IP ECN field | |
| | |
| for non-IP tunnels or rate not determined by traffic, | |
| SHOULD perform CC or use circuit breaker | 3.1.9 |
| SHOULD restrict types of traffic transported by the | |
| tunnel | |
| | |
| SHOULD NOT send datagrams that exceed the PMTU, i.e., | 3.2 |
| SHOULD discover PMTU or send datagrams < minimum PMTU; | |
| specific application mechanisms are REQUIRED if PLPMTUD | |
| is used. | |
| | |
| SHOULD handle datagram loss, duplication, reordering | 3.3 |
| SHOULD be robust to delivery delays up to 2 minutes | |
| | |
| SHOULD enable IPv4 UDP checksum | 3.4 |
| SHOULD enable IPv6 UDP checksum; specific application | 3.4.1 |
| mechanisms are REQUIRED if a zero IPv6 UDP checksum is | |
| used. | |
| | |
| SHOULD provide protection from off-path attacks | 5.1 |
| else, MAY use UDP-Lite with suitable checksum coverage | 3.4.2 |
| | |
| SHOULD NOT always send middlebox keep-alives | 3.5 |
| MAY use keep-alives when needed (min. interval 15 sec) | |
| | |
| Applications specified for limited use (or | 3.6 |
| controlled environments) SHOULD identify equivalent | |
| mechanisms and describe their use case. | |
| | |
| Bulk multicast apps SHOULD implement congestion control | 4.1.1 |
| | |
| Low volume multicast apps SHOULD implement congestion | 4.1.2 |
| control | |
| | |
| Multicast apps SHOULD use a safe PMTU | 4.2 |
| | |
| SHOULD avoid using multiple ports | 5.1 |
| MUST check received IP source address | |
| | |
| SHOULD use a randomized source port or equivalent | 5.1 |
| technique, and, for client/server applications, SHOULD | |
| send responses from source address matching request | |
| | |
| SHOULD validate payload in ICMP messages | 5.2 |
| | |
| SHOULD use standard IETF security protocols when needed | 6 |
+---------------------------------------------------------+---------+

Table 1: Summary of recommendations

8. IANA Considerations

Note to RFC-Editor: please remove this entire section prior to publication.

This document raises no IANA considerations.

9. Acknowledgments

The middlebox traversal guidelines in Section 3.5 incorporate ideas from Section 5 of [I-D.ford-behave-app] by Bryan Ford, Pyda Srisuresh, and Dan Kegel. G. Fairhurst received funding from the European Union's Horizon 2020 research and innovation program 2014-2018 under grant agreement No. 644334 (NEAT).
Lars Eggert has 1824 received funding from the European Union's Horizon 2020 research and 1825 innovation program 2014-2018 under grant agreement No. 644866 1826 ("SSICLOPS"). This document reflects only the authors' views and the 1827 European Commission is not responsible for any use that may be made 1828 of the information it contains. 1830 10. References 1832 10.1. Normative References 1834 [I-D.ietf-tsvwg-circuit-breaker] 1835 Fairhurst, G., "Network Transport Circuit Breakers", 1836 draft-ietf-tsvwg-circuit-breaker-13 (work in progress), 1837 February 2016. 1839 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 1840 DOI 10.17487/RFC0768, August 1980, 1841 . 1843 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 1844 RFC 793, DOI 10.17487/RFC0793, September 1981, 1845 . 1847 [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts - 1848 Communication Layers", STD 3, RFC 1122, 1849 DOI 10.17487/RFC1122, October 1989, 1850 . 1852 [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, 1853 DOI 10.17487/RFC1191, November 1990, 1854 . 1856 [RFC1981] McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery 1857 for IP version 6", RFC 1981, DOI 10.17487/RFC1981, August 1858 1996, . 1860 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1861 Requirement Levels", BCP 14, RFC 2119, 1862 DOI 10.17487/RFC2119, March 1997, 1863 . 1865 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 1866 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, 1867 December 1998, . 1869 [RFC2914] Floyd, S., "Congestion Control Principles", BCP 41, 1870 RFC 2914, DOI 10.17487/RFC2914, September 2000, 1871 . 1873 [RFC3828] Larzon, L-A., Degermark, M., Pink, S., Jonsson, L-E., Ed., 1874 and G. Fairhurst, Ed., "The Lightweight User Datagram 1875 Protocol (UDP-Lite)", RFC 3828, DOI 10.17487/RFC3828, July 1876 2004, . 1878 [RFC4787] Audet, F., Ed. and C. Jennings, "Network Address 1879 Translation (NAT) Behavioral Requirements for Unicast 1880 UDP", BCP 127, RFC 4787, DOI 10.17487/RFC4787, January 1881 2007, . 1883 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU 1884 Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, 1885 . 1887 [RFC5348] Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP 1888 Friendly Rate Control (TFRC): Protocol Specification", 1889 RFC 5348, DOI 10.17487/RFC5348, September 2008, 1890 . 1892 [RFC5405] Eggert, L. and G. Fairhurst, "Unicast UDP Usage Guidelines 1893 for Application Designers", BCP 145, RFC 5405, 1894 DOI 10.17487/RFC5405, November 2008, 1895 . 1897 [RFC6040] Briscoe, B., "Tunnelling of Explicit Congestion 1898 Notification", RFC 6040, DOI 10.17487/RFC6040, November 1899 2010, . 1901 [RFC6298] Paxson, V., Allman, M., Chu, J., and M. Sargent, 1902 "Computing TCP's Retransmission Timer", RFC 6298, 1903 DOI 10.17487/RFC6298, June 2011, 1904 . 1906 10.2. Informative References 1908 [ALLMAN] Allman, M. and E. Blanton, "Notes on burst mitigation for 1909 transport protocols", March 2005. 1911 [FABER] Faber, T., Touch, J., and W. Yue, "The TIME-WAIT State in 1912 TCP and Its Effect on Busy Servers", Proc. IEEE Infocom, 1913 March 1999. 1915 [I-D.ford-behave-app] 1916 Ford, B., "Application Design Guidelines for Traversal 1917 through Network Address Translators", draft-ford-behave- 1918 app-05 (work in progress), March 2007. 1920 [I-D.ietf-aqm-ecn-benefits] 1921 Fairhurst, G. and M. 
Welzl, "The Benefits of using 1922 Explicit Congestion Notification (ECN)", draft-ietf-aqm- 1923 ecn-benefits-08 (work in progress), November 2015. 1925 [I-D.ietf-avtcore-rtp-circuit-breakers] 1926 Perkins, C. and V. Varun, "Multimedia Congestion Control: 1927 Circuit Breakers for Unicast RTP Sessions", draft-ietf- 1928 avtcore-rtp-circuit-breakers-13 (work in progress), 1929 February 2016. 1931 [I-D.ietf-dart-dscp-rtp] 1932 Black, D. and P. Jones, "Differentiated Services 1933 (DiffServ) and Real-time Communication", draft-ietf-dart- 1934 dscp-rtp-10 (work in progress), November 2014. 1936 [I-D.ietf-intarea-tunnels] 1937 Touch, J. and W. Townsley, "IP Tunnels in the Internet 1938 Architecture", draft-ietf-intarea-tunnels-02 (work in 1939 progress), January 2016. 1941 [I-D.ietf-rtgwg-dt-encap] 1942 Nordmark, E., Tian, A., Gross, J., Hudson, J., Kreeger, 1943 L., Garg, P., Thaler, P., and T. Herbert, "Encapsulation 1944 Considerations", draft-ietf-rtgwg-dt-encap-00 (work in 1945 progress), July 2015. 1947 [ID.ietf-tsvwg-gre-in-udp-enca] 1948 Yong, L., Crabbe, E., Xu, X., and T. Herbert, "GRE-in-UDP 1949 Encapsulation", 2016. 1951 [POSIX] IEEE Std. 1003.1-2001, , "Standard for Information 1952 Technology - Portable Operating System Interface (POSIX)", 1953 Open Group Technical Standard: Base Specifications Issue 1954 6, ISO/IEC 9945:2002, December 2001. 1956 [RFC0896] Nagle, J., "Congestion Control in IP/TCP Internetworks", 1957 RFC 896, DOI 10.17487/RFC0896, January 1984, 1958 . 1960 [RFC0919] Mogul, J., "Broadcasting Internet Datagrams", STD 5, 1961 RFC 919, DOI 10.17487/RFC0919, October 1984, 1962 . 1964 [RFC1112] Deering, S., "Host extensions for IP multicasting", STD 5, 1965 RFC 1112, DOI 10.17487/RFC1112, August 1989, 1966 . 1968 [RFC1536] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S. 1969 Miller, "Common DNS Implementation Errors and Suggested 1970 Fixes", RFC 1536, DOI 10.17487/RFC1536, October 1993, 1971 . 1973 [RFC1546] Partridge, C., Mendez, T., and W. Milliken, "Host 1974 Anycasting Service", RFC 1546, DOI 10.17487/RFC1546, 1975 November 1993, . 1977 [RFC2309] Braden, B., Clark, D., Crowcroft, J., Davie, B., Deering, 1978 S., Estrin, D., Floyd, S., Jacobson, V., Minshall, G., 1979 Partridge, C., Peterson, L., Ramakrishnan, K., Shenker, 1980 S., Wroclawski, J., and L. Zhang, "Recommendations on 1981 Queue Management and Congestion Avoidance in the 1982 Internet", RFC 2309, DOI 10.17487/RFC2309, April 1998, 1983 . 1985 [RFC2475] Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., 1986 and W. Weiss, "An Architecture for Differentiated 1987 Services", RFC 2475, DOI 10.17487/RFC2475, December 1998, 1988 . 1990 [RFC2675] Borman, D., Deering, S., and R. Hinden, "IPv6 Jumbograms", 1991 RFC 2675, DOI 10.17487/RFC2675, August 1999, 1992 . 1994 [RFC2743] Linn, J., "Generic Security Service Application Program 1995 Interface Version 2, Update 1", RFC 2743, 1996 DOI 10.17487/RFC2743, January 2000, 1997 . 1999 [RFC2887] Handley, M., Floyd, S., Whetten, B., Kermode, R., 2000 Vicisano, L., and M. Luby, "The Reliable Multicast Design 2001 Space for Bulk Data Transfer", RFC 2887, 2002 DOI 10.17487/RFC2887, August 2000, 2003 . 2005 [RFC2983] Black, D., "Differentiated Services and Tunnels", October 2006 2000. 2008 [RFC3048] Whetten, B., Vicisano, L., Kermode, R., Handley, M., 2009 Floyd, S., and M. Luby, "Reliable Multicast Transport 2010 Building Blocks for One-to-Many Bulk-Data Transfer", 2011 RFC 3048, DOI 10.17487/RFC3048, January 2001, 2012 . 2014 [RFC3124] Balakrishnan, H. and S. 
Seshan, "The Congestion Manager", 2015 RFC 3124, DOI 10.17487/RFC3124, June 2001, 2016 . 2018 [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition 2019 of Explicit Congestion Notification (ECN) to IP", 2020 RFC 3168, DOI 10.17487/RFC3168, September 2001, 2021 . 2023 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 2024 A., Peterson, J., Sparks, R., Handley, M., and E. 2025 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 2026 DOI 10.17487/RFC3261, June 2002, 2027 . 2029 [RFC3303] Srisuresh, P., Kuthan, J., Rosenberg, J., Molitor, A., and 2030 A. Rayhan, "Middlebox communication architecture and 2031 framework", RFC 3303, DOI 10.17487/RFC3303, August 2002, 2032 . 2034 [RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and W. 2035 Stevens, "Basic Socket Interface Extensions for IPv6", 2036 RFC 3493, DOI 10.17487/RFC3493, February 2003, 2037 . 2039 [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. 2040 Jacobson, "RTP: A Transport Protocol for Real-Time 2041 Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, 2042 July 2003, . 2044 [RFC3551] Schulzrinne, H. and S. Casner, "RTP Profile for Audio and 2045 Video Conferences with Minimal Control", STD 65, RFC 3551, 2046 DOI 10.17487/RFC3551, July 2003, 2047 . 2049 [RFC3738] Luby, M. and V. Goyal, "Wave and Equation Based Rate 2050 Control (WEBRC) Building Block", RFC 3738, 2051 DOI 10.17487/RFC3738, April 2004, 2052 . 2054 [RFC3758] Stewart, R., Ramalho, M., Xie, Q., Tuexen, M., and P. 2055 Conrad, "Stream Control Transmission Protocol (SCTP) 2056 Partial Reliability Extension", RFC 3758, 2057 DOI 10.17487/RFC3758, May 2004, 2058 . 2060 [RFC3819] Karn, P., Ed., Bormann, C., Fairhurst, G., Grossman, D., 2061 Ludwig, R., Mahdavi, J., Montenegro, G., Touch, J., and L. 2062 Wood, "Advice for Internet Subnetwork Designers", BCP 89, 2063 RFC 3819, DOI 10.17487/RFC3819, July 2004, 2064 . 2066 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 2067 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 2068 December 2005, . 2070 [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, 2071 DOI 10.17487/RFC4302, December 2005, 2072 . 2074 [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", 2075 RFC 4303, DOI 10.17487/RFC4303, December 2005, 2076 . 2078 [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram 2079 Congestion Control Protocol (DCCP)", RFC 4340, 2080 DOI 10.17487/RFC4340, March 2006, 2081 . 2083 [RFC4341] Floyd, S. and E. Kohler, "Profile for Datagram Congestion 2084 Control Protocol (DCCP) Congestion Control ID 2: TCP-like 2085 Congestion Control", RFC 4341, DOI 10.17487/RFC4341, March 2086 2006, . 2088 [RFC4342] Floyd, S., Kohler, E., and J. Padhye, "Profile for 2089 Datagram Congestion Control Protocol (DCCP) Congestion 2090 Control ID 3: TCP-Friendly Rate Control (TFRC)", RFC 4342, 2091 DOI 10.17487/RFC4342, March 2006, 2092 . 2094 [RFC4607] Holbrook, H. and B. Cain, "Source-Specific Multicast for 2095 IP", RFC 4607, DOI 10.17487/RFC4607, August 2006, 2096 . 2098 [RFC4654] Widmer, J. and M. Handley, "TCP-Friendly Multicast 2099 Congestion Control (TFMCC): Protocol Specification", 2100 RFC 4654, DOI 10.17487/RFC4654, August 2006, 2101 . 2103 [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. 2104 Thayer, "OpenPGP Message Format", RFC 4880, 2105 DOI 10.17487/RFC4880, November 2007, 2106 . 2108 [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", 2109 RFC 4960, DOI 10.17487/RFC4960, September 2007, 2110 . 
2112 [RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly 2113 Errors at High Data Rates", RFC 4963, 2114 DOI 10.17487/RFC4963, July 2007, 2115 . 2117 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 2118 Mitigations", RFC 4987, DOI 10.17487/RFC4987, August 2007, 2119 . 2121 [RFC5082] Gill, V., Heasley, J., Meyer, D., Savola, P., Ed., and C. 2122 Pignataro, "The Generalized TTL Security Mechanism 2123 (GTSM)", RFC 5082, DOI 10.17487/RFC5082, October 2007, 2124 . 2126 [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment 2127 (ICE): A Protocol for Network Address Translator (NAT) 2128 Traversal for Offer/Answer Protocols", RFC 5245, 2129 DOI 10.17487/RFC5245, April 2010, 2130 . 2132 [RFC5622] Floyd, S. and E. Kohler, "Profile for Datagram Congestion 2133 Control Protocol (DCCP) Congestion ID 4: TCP-Friendly Rate 2134 Control for Small Packets (TFRC-SP)", RFC 5622, 2135 DOI 10.17487/RFC5622, August 2009, 2136 . 2138 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, 2139 RFC 5652, DOI 10.17487/RFC5652, September 2009, 2140 . 2142 [RFC5740] Adamson, B., Bormann, C., Handley, M., and J. Macker, 2143 "NACK-Oriented Reliable Multicast (NORM) Transport 2144 Protocol", RFC 5740, DOI 10.17487/RFC5740, November 2009, 2145 . 2147 [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet 2148 Mail Extensions (S/MIME) Version 3.2 Message 2149 Specification", RFC 5751, DOI 10.17487/RFC5751, January 2150 2010, . 2152 [RFC5775] Luby, M., Watson, M., and L. Vicisano, "Asynchronous 2153 Layered Coding (ALC) Protocol Instantiation", RFC 5775, 2154 DOI 10.17487/RFC5775, April 2010, 2155 . 2157 [RFC5971] Schulzrinne, H. and R. Hancock, "GIST: General Internet 2158 Signalling Transport", RFC 5971, DOI 10.17487/RFC5971, 2159 October 2010, . 2161 [RFC5973] Stiemerling, M., Tschofenig, H., Aoun, C., and E. Davies, 2162 "NAT/Firewall NSIS Signaling Layer Protocol (NSLP)", 2163 RFC 5973, DOI 10.17487/RFC5973, October 2010, 2164 . 2166 [RFC6056] Larsen, M. and F. Gont, "Recommendations for Transport- 2167 Protocol Port Randomization", BCP 156, RFC 6056, 2168 DOI 10.17487/RFC6056, January 2011, 2169 . 2171 [RFC6335] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S. 2172 Cheshire, "Internet Assigned Numbers Authority (IANA) 2173 Procedures for the Management of the Service Name and 2174 Transport Protocol Port Number Registry", BCP 165, 2175 RFC 6335, DOI 10.17487/RFC6335, August 2011, 2176 . 2178 [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer 2179 Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, 2180 January 2012, . 2182 [RFC6396] Blunk, L., Karir, M., and C. Labovitz, "Multi-Threaded 2183 Routing Toolkit (MRT) Routing Information Export Format", 2184 RFC 6396, DOI 10.17487/RFC6396, October 2011, 2185 . 2187 [RFC6437] Amante, S., Carpenter, B., Jiang, S., and J. Rajahalme, 2188 "IPv6 Flow Label Specification", RFC 6437, 2189 DOI 10.17487/RFC6437, November 2011, 2190 . 2192 [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label 2193 for Equal Cost Multipath Routing and Link Aggregation in 2194 Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011, 2195 . 2197 [RFC6513] Rosen, E., Ed. and R. Aggarwal, Ed., "Multicast in MPLS/ 2198 BGP IP VPNs", RFC 6513, DOI 10.17487/RFC6513, February 2199 2012, . 2201 [RFC6679] Westerlund, M., Johansson, I., Perkins, C., O'Hanlon, P., 2202 and K. Carlberg, "Explicit Congestion Notification (ECN) 2203 for RTP over UDP", RFC 6679, DOI 10.17487/RFC6679, August 2204 2012, . 
   [RFC6726]  Paila, T., Walsh, R., Luby, M., Roca, V., and R.
              Lehtonen, "FLUTE - File Delivery over Unidirectional
              Transport", RFC 6726, DOI 10.17487/RFC6726, November
              2012, <http://www.rfc-editor.org/info/rfc6726>.

   [RFC6807]  Farinacci, D., Shepherd, G., Venaas, S., and Y. Cai,
              "Population Count Extensions to Protocol Independent
              Multicast (PIM)", RFC 6807, DOI 10.17487/RFC6807,
              December 2012, <http://www.rfc-editor.org/info/rfc6807>.

   [RFC6887]  Wing, D., Ed., Cheshire, S., Boucadair, M., Penno, R.,
              and P. Selkirk, "Port Control Protocol (PCP)", RFC 6887,
              DOI 10.17487/RFC6887, April 2013,
              <http://www.rfc-editor.org/info/rfc6887>.

   [RFC6935]  Eubanks, M., Chimento, P., and M. Westerlund, "IPv6 and
              UDP Checksums for Tunneled Packets", RFC 6935,
              DOI 10.17487/RFC6935, April 2013,
              <http://www.rfc-editor.org/info/rfc6935>.

   [RFC6936]  Fairhurst, G. and M. Westerlund, "Applicability
              Statement for the Use of IPv6 UDP Datagrams with Zero
              Checksums", RFC 6936, DOI 10.17487/RFC6936, April 2013,
              <http://www.rfc-editor.org/info/rfc6936>.

   [RFC7143]  Chadalapaka, M., Satran, J., Meth, K., and D. Black,
              "Internet Small Computer System Interface (iSCSI)
              Protocol (Consolidated)", RFC 7143,
              DOI 10.17487/RFC7143, April 2014,
              <http://www.rfc-editor.org/info/rfc7143>.

   [RFC7201]  Westerlund, M. and C. Perkins, "Options for Securing RTP
              Sessions", RFC 7201, DOI 10.17487/RFC7201, April 2014,
              <http://www.rfc-editor.org/info/rfc7201>.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296,
              October 2014, <http://www.rfc-editor.org/info/rfc7296>.

   [RFC7510]  Xu, X., Sheth, N., Yong, L., Callon, R., and D. Black,
              "Encapsulating MPLS in UDP", RFC 7510,
              DOI 10.17487/RFC7510, April 2015,
              <http://www.rfc-editor.org/info/rfc7510>.

   [RFC7560]  Kuehlewind, M., Ed., Scheffenegger, R., and B. Briscoe,
              "Problem Statement and Requirements for Increased
              Accuracy in Explicit Congestion Notification (ECN)
              Feedback", RFC 7560, DOI 10.17487/RFC7560, August 2015,
              <http://www.rfc-editor.org/info/rfc7560>.

   [RFC7605]  Touch, J., "Recommendations on Using Assigned Transport
              Port Numbers", BCP 165, RFC 7605, DOI 10.17487/RFC7605,
              August 2015, <http://www.rfc-editor.org/info/rfc7605>.

   [RFC7675]  Perumal, M., Wing, D., Ravindranath, R., Reddy, T., and
              M. Thomson, "Session Traversal Utilities for NAT (STUN)
              Usage for Consent Freshness", RFC 7675,
              DOI 10.17487/RFC7675, October 2015,
              <http://www.rfc-editor.org/info/rfc7675>.

   [STEVENS]  Stevens, W., Fenner, B., and A. Rudoff, "UNIX Network
              Programming, The Sockets Networking API",
              Addison-Wesley, 2004.

   [UPnP]     UPnP Forum, "Internet Gateway Device (IGD) Standardized
              Device Control Protocol V 1.0", November 2001.

Appendix A.  Case Study of the Use of IPv6 UDP Zero-Checksum Mode

   This appendix provides a brief review of MPLS-in-UDP [RFC7510] as an
   example of a specification that defines a UDP tunnel encapsulation.
   Its purpose is to provide a concrete example of the mechanisms that
   were required in order to safely use UDP zero-checksum mode for
   MPLS-in-UDP tunnels over IPv6.

   By default, UDP requires a checksum when used with IPv6.  An option
   has been specified that permits a zero IPv6 UDP checksum when used
   in specific environments [RFC6935].  MPLS-in-UDP [RFC7510] makes use
   of this option and defines a set of operational constraints for its
   use.
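   To make the mechanism concrete before reviewing those constraints,
   the sketch below shows how a tunnel endpoint might enable this mode
   through the sockets API.  It assumes a Linux system (kernel 3.16 or
   later), where the UDP_NO_CHECK6_TX and UDP_NO_CHECK6_RX socket
   options control zero-checksum transmission and reception for IPv6
   UDP sockets; these option names are platform-specific and are not
   part of [RFC7510] itself.

      #include <stdio.h>
      #include <sys/socket.h>
      #include <netinet/in.h>
      #include <linux/udp.h>  /* UDP_NO_CHECK6_TX, UDP_NO_CHECK6_RX */

      /* Open an IPv6 UDP socket configured for zero-checksum mode.
       * Per [RFC7510], this mode must only be used within controlled
       * environments, never over the general Internet. */
      int open_zero_checksum_socket(void)
      {
          int fd = socket(AF_INET6, SOCK_DGRAM, 0);
          if (fd < 0) {
              perror("socket");
              return -1;
          }

          int on = 1;
          /* IPPROTO_UDP (17) is also the SOL_UDP option level. */
          if (setsockopt(fd, IPPROTO_UDP, UDP_NO_CHECK6_TX,
                         &on, sizeof(on)) < 0)
              perror("UDP_NO_CHECK6_TX"); /* send zero checksums */
          if (setsockopt(fd, IPPROTO_UDP, UDP_NO_CHECK6_RX,
                         &on, sizeof(on)) < 0)
              perror("UDP_NO_CHECK6_RX"); /* accept zero checksums */
          return fd;
      }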
   The constraints of [RFC7510] are summarized below:

   A UDP tunnel or encapsulation using a zero-checksum mode with IPv6
   must only be deployed within a single network (with a single network
   operator) or within networks of an adjacent set of cooperating
   network operators where traffic is managed to avoid congestion,
   rather than over the Internet, where congestion control is required.
   MPLS-in-UDP has been specified for networks under single
   administrative control (such as within a single operator's network)
   where it is known (perhaps through knowledge of equipment types and
   lower-layer checks) that packet corruption is exceptionally unlikely
   and where the operator is willing to take the risk of undetected
   packet corruption.

   The tunnel encapsulator SHOULD use different IPv6 addresses for each
   UDP tunnel that uses the UDP zero-checksum mode, regardless of the
   decapsulator, to strengthen the decapsulator's check of the IPv6
   source address (i.e., the same IPv6 source address SHOULD NOT be
   used with more than one IPv6 destination address, independent of
   whether that destination address is a unicast or multicast address).
   Use of MPLS-in-UDP may be extended to networks within a set of
   closely cooperating network administrations (such as network
   operators who have agreed to work together to jointly provide
   specific services) [RFC7510].

   The requirement for MPLS-in-UDP endpoints to check the source IPv6
   address in addition to the destination IPv6 address, plus the strong
   recommendation against reuse of source IPv6 addresses among
   MPLS-in-UDP tunnels, collectively provide some mitigation for the
   absence of UDP checksum coverage of the IPv6 header.  In addition,
   the MPLS data plane only forwards packets with valid labels (i.e.,
   labels that have been distributed by the tunnel egress Label
   Switched Router, LSR), providing some additional opportunity to
   detect MPLS-in-UDP packet misdelivery when the misdelivered packet
   contains a label that is not valid for forwarding at the receiving
   LSR.  The expected result for IPv6 UDP zero-checksum mode for
   MPLS-in-UDP is that corruption of the destination IPv6 address will
   usually cause packet discard, because offsetting corruptions of the
   source IPv6 address and/or the MPLS top label are unlikely.
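   The following sketch illustrates the kind of address check described
   above, as a decapsulator might implement it.  The data structure and
   helper names are hypothetical; [RFC7510] specifies the checks
   themselves, not an implementation.

      #include <stdbool.h>
      #include <string.h>
      #include <netinet/in.h>

      /* Hypothetical per-tunnel configuration at the decapsulator. */
      struct tunnel {
          struct in6_addr src;   /* expected encapsulator address */
          struct in6_addr dst;   /* local decapsulator address */
          bool zero_checksum_ok; /* operator enabled this mode */
      };

      /* Accept a zero-checksum MPLS-in-UDP datagram only if both the
       * source and destination IPv6 addresses match a configured
       * tunnel for which zero-checksum mode has been enabled.
       * Validation of the MPLS top label would follow this check. */
      static bool accept_zero_checksum(const struct tunnel *tab,
                                       size_t n,
                                       const struct in6_addr *src,
                                       const struct in6_addr *dst)
      {
          for (size_t i = 0; i < n; i++) {
              if (tab[i].zero_checksum_ok &&
                  memcmp(&tab[i].src, src, sizeof(*src)) == 0 &&
                  memcmp(&tab[i].dst, dst, sizeof(*dst)) == 0)
                  return true;
          }
          return false;   /* unknown address pair: discard */
      }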
   Additional assurance is provided by the restrictions in the above
   exceptions that limit usage of IPv6 UDP zero-checksum mode to well-
   managed networks for which MPLS packet corruption has not been a
   problem in practice.  Hence, MPLS-in-UDP is suitable for
   transmission over lower layers in the well-managed networks that are
   allowed by the exceptions stated above, where the rate of corruption
   of the inner IP packet is not expected to increase in comparison to
   MPLS traffic that is not encapsulated in UDP.  For these reasons,
   MPLS-in-UDP does not provide an additional integrity check when UDP
   zero-checksum mode is used with IPv6; this design is in accordance
   with requirements 2, 3, and 5 specified in Section 5 of [RFC6936].

   The MPLS-in-UDP encapsulation does not provide a mechanism to safely
   fall back to using a checksum when a path change occurs that
   redirects a tunnel over a path that includes a middlebox that
   discards IPv6 datagrams with a zero UDP checksum.  In this case, the
   MPLS-in-UDP tunnel will be black-holed by that middlebox.
   Recommended changes to allow firewalls, NATs, and other middleboxes
   to support use of an IPv6 zero UDP checksum are described in
   Section 5 of [RFC6936].

   MPLS does not accumulate incorrect state as a consequence of label
   stack corruption.  A corrupt MPLS label results in either packet
   discard or forwarding (and forgetting) of the packet without
   accumulation of MPLS protocol state.  Active monitoring of
   MPLS-in-UDP traffic for errors is REQUIRED, because the occurrence
   of errors will result in some accumulation of error information
   outside the MPLS protocol for operational and management purposes.
   This design is in accordance with requirement 4 specified in
   Section 5 of [RFC6936].  In addition, IPv6 traffic with a zero UDP
   checksum MUST be actively monitored for errors by the network
   operator.

   Operators SHOULD also deploy packet filters to prevent IPv6 packets
   with a zero UDP checksum from escaping from the network due to
   misconfiguration or packet errors.
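   One possible way to implement such monitoring is sketched below,
   using libpcap to count IPv6 UDP datagrams whose checksum field is
   zero.  The filter expression assumes datagrams without IPv6
   extension headers (so that the UDP header starts at a fixed offset
   of 40 bytes), and the interface name "eth0" is a placeholder; this
   is an illustration of the approach, not a recommended operational
   tool.

      #include <pcap/pcap.h>
      #include <stdio.h>

      /* Count each captured zero-checksum datagram. */
      static void seen(u_char *user, const struct pcap_pkthdr *h,
                       const u_char *bytes)
      {
          (void)h; (void)bytes;
          ++*(unsigned long *)user;
      }

      int main(void)
      {
          char err[PCAP_ERRBUF_SIZE];
          unsigned long count = 0;

          pcap_t *p = pcap_open_live("eth0", 96, 0, 1000, err);
          if (p == NULL) {
              fprintf(stderr, "pcap_open_live: %s\n", err);
              return 1;
          }

          /* "ip6 proto 17": UDP directly after the IPv6 header;
           * "ip6[46:2] = 0": the UDP checksum field (bytes 46-47 of
           * the IPv6 packet when no extension headers are present)
           * is zero. */
          struct bpf_program f;
          if (pcap_compile(p, &f, "ip6 proto 17 and ip6[46:2] = 0",
                           1, PCAP_NETMASK_UNKNOWN) == -1 ||
              pcap_setfilter(p, &f) == -1) {
              pcap_perror(p, "filter");
              return 1;
          }

          pcap_loop(p, 1000, seen, (u_char *)&count);  /* sample */
          printf("zero-checksum IPv6 UDP datagrams: %lu\n", count);
          pcap_close(p);
          return 0;
      }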
Appendix B.  Revision Notes

   Note to RFC-Editor: please remove this entire section prior to
   publication.

   Changes in draft-ietf-tsvwg-rfc5405bis-09:

   Fixed a cross-reference in the summary table.

   Changes in draft-ietf-tsvwg-rfc5405bis-08:

   This update introduces new text in the following sections:

   o  Section 7 of the RTGWG ID on encapsulation makes recommendations
      on entropy.  Section 5.1 of the 5405bis draft had a single
      sentence on use of the UDP source port to inject entropy.
      Related work such as MPLS-in-UDP and GRE-in-UDP has also made
      recommendations on entropy usage.  A new section has been added
      to address this.

   o  Added a reference to RFC2983 on DSCP use with tunnels.

   o  New text after a comment from David Black on needing to improve
      the header-protection text.

   o  Replaced /controlled network environment/ with /controlled
      environment/ to be more consistent with other drafts.

   o  Section 3.1.7 now explicitly refers to the applicability
      subsection describing controlled environments.

   o  PLPMTUD section updated.

   o  Reworded the checksum text to place the IPv6 UDP zero-checksum
      text in a separate subsection (it became too long in the main
      section).

   o  Updated the summary table.

   Changes in draft-ietf-tsvwg-rfc5405bis-07:

   This update introduces new text in the following sections:

   o  Addressed David Black's review during WG LC.

   Changes in draft-ietf-tsvwg-rfc5405bis-06:

   This update introduces new text in the following sections:

   o  Multicast Congestion Control Guidelines (section rewritten by
      Greg and Gorry to differentiate sender-driven and receiver-driven
      CC).

   o  Using UDP Ports (added a short paragraph on RPF checks protecting
      from off-path attacks).

   o  Applications using Multiple UDP Ports (added text on layered
      multicast).

   Changes in draft-ietf-tsvwg-rfc5405bis-05:

   o  Amended text in the section discussing RTT for CC (feedback from
      Colin).

   Changes in draft-ietf-tsvwg-rfc5405bis-04:

   o  Added text on consent freshness (STUN) (from Colin).

   o  Reworked text on ECN (from David).

   o  Reworked text on RTT with CC (with help from Mirja).

   o  Added references to [RFC7675], [I-D.ietf-rtgwg-dt-encap],
      [I-D.ietf-intarea-tunnels], and [RFC7510].

   Changes in draft-ietf-tsvwg-rfc5405bis-03:

   o  Mention crypto hash in addition to CRC for integrity protection
      (from Magnus).

   o  Mention PCP (from Magnus).

   o  More accurate text on secure RTP (from Magnus).

   o  Reordered abstract to reflect the .bis focus (Gorry).

   o  Added a section on ECN, with actual ECN requirements (Gorry, with
      help from Mirja).

   o  Added a section on Implications of RTT on Congestion Control
      (Gorry).

   o  Added a note that this guidance also applies to other protocols
      over IP (E. Nordmark, rtg encaps guidance).

   o  Added text on reordering between sessions (consistent with use of
      ECMP, rtg encaps guidance).

   o  Reworked text on off-path data protection (port usage).

   o  Updated the summary table.

   Changes in draft-ietf-tsvwg-rfc5405bis-02:

   o  Added a note to the abstract that the guidance may be applicable
      beyond UDP (from Erik Nordmark).

   o  Small editorial changes to fix English nits.

   o  Added a note that a circuit breaker may provide benefit to
      congestion-controlled tunnels by controlling the traffic
      envelope.

   o  Added a note that tunnels should ingress-filter by packet type
      (from Erik Nordmark).

   o  Added a note that tunnels should perform IETF ECN processing when
      supporting ECN.

   o  Noted that multicast apps may employ CC or a circuit breaker.

   o  Added programming guidance on off-path attacks (with C. Perkins).

   o  Added a reference on ECN benefits.

   Changes in draft-ietf-tsvwg-rfc5405bis-01:

   o  Added text on DSCP usage.

   o  More guidance on use of the checksum, including an example of how
      MPLS/UDP allowed support of a zero IPv6 UDP checksum in some
      cases.

   o  Added a description of DiffServ usage.

   o  Clarified usage of the source port field.

   draft-eggert-tsvwg-rfc5405bis-01 was adopted by the TSVWG and
   resubmitted as draft-ietf-tsvwg-rfc5405bis-00.  There were no
   technical changes.

   Changes in draft-eggert-tsvwg-rfc5405bis-01:

   o  Added Greg Shepherd as a co-author, based on the multicast
      guidelines that originated with him.

   Changes in draft-eggert-tsvwg-rfc5405bis-00 (relative to RFC5405):

   o  The words "application designers" were removed from the draft
      title, and the wording of the abstract was clarified.

   o  New text to clarify various issues and set new recommendations
      not previously included in RFC 5405.  These include new
      recommendations for multicast, the use of checksums with IPv6,
      ECMP, recommendations on port usage, use of ECN, use of DiffServ,
      circuit breakers (initial text), etc.
Authors' Addresses

   Lars Eggert
   NetApp
   Sonnenallee 1
   Kirchheim  85551
   Germany

   Phone: +49 151 120 55791
   EMail: lars@netapp.com
   URI:   https://eggert.org/

   Godred Fairhurst
   University of Aberdeen
   Department of Engineering
   Fraser Noble Building
   Aberdeen  AB24 3UE
   Scotland

   EMail: gorry@erg.abdn.ac.uk
   URI:   http://www.erg.abdn.ac.uk/

   Greg Shepherd
   Cisco Systems
   Tasman Drive
   San Jose
   USA

   EMail: gjshep@gmail.com