idnits 2.17.1 draft-ietf-tsvwg-udp-options-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- == The document has an IETF Trust Provisions of 28 Dec 2009, Section 6.c(i) Publication Limitation clause. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 1551 has weird spacing: '...default mean...' == Line 1581 has weird spacing: '...enabled net.i...' == Line 1582 has weird spacing: '...enabled net....' == Line 1592 has weird spacing: '...default mean...' == Line 1598 has weird spacing: '... params mean...' == (1 more instance...) -- The document date (November 25, 2020) is 1246 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC8899' is mentioned on line 756, but not defined == Missing Reference: 'RFC2460' is mentioned on line 1273, but not defined ** Obsolete undefined reference: RFC 2460 (Obsoleted by RFC 8200) == Missing Reference: 'RFC-TBD' is mentioned on line 1308, but not defined == Missing Reference: 'RFC8724' is mentioned on line 1313, but not defined -- Duplicate reference: RFC2119, mentioned in 'RFC8174', was also mentioned in 'RFC2119'. -- Obsolete informational reference (is this intentional?): RFC 793 (Obsoleted by RFC 9293) -- Obsolete informational reference (is this intentional?): RFC 2140 (Obsoleted by RFC 9040) -- Obsolete informational reference (is this intentional?): RFC 4960 (Obsoleted by RFC 9260) -- Obsolete informational reference (is this intentional?): RFC 6347 (Obsoleted by RFC 9147) -- Obsolete informational reference (is this intentional?): RFC 6691 (Obsoleted by RFC 9293) Summary: 1 error (**), 0 flaws (~~), 12 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 TSVWG J. Touch 2 Internet Draft Independent consultant 3 Intended status: Standards Track November 25, 2020 4 Intended updates: 768, 3095 5 Expires: May 2021 7 Transport Options for UDP 8 draft-ietf-tsvwg-udp-options-09.txt 10 Status of this Memo 12 This Internet-Draft is submitted in full conformance with the 13 provisions of BCP 78 and BCP 79. This document may not be modified, 14 and derivative works of it may not be created, except to format it 15 for publication as an RFC or to translate it into languages other 16 than English. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six 24 months and may be updated, replaced, or obsoleted by other documents 25 at any time. It is inappropriate to use Internet-Drafts as 26 reference material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html 34 This Internet-Draft will expire on May 25, 2021. 36 Copyright Notice 38 Copyright (c) 2020 IETF Trust and the persons identified as the 39 document authors. All rights reserved. 41 This document is subject to BCP 78 and the IETF Trust's Legal 42 Provisions Relating to IETF Documents 43 (http://trustee.ietf.org/license-info) in effect on the date of 44 publication of this document. Please review these documents 45 carefully, as they describe your rights and restrictions with 46 respect to this document. Code Components extracted from this 47 document must include Simplified BSD License text as described in 48 Section 4.e of the Trust Legal Provisions and are provided without 49 warranty as described in the Simplified BSD License. 51 Abstract 53 Transport protocols are extended through the use of transport header 54 options. This document extends UDP by indicating the location, 55 syntax, and semantics for UDP transport layer options. 57 Table of Contents 59 1. Introduction...................................................3 60 2. Conventions used in this document..............................3 61 3. Background.....................................................3 62 4. The UDP Option Area............................................4 63 5. UDP Options....................................................8 64 5.1. End of Options List (EOL).................................9 65 5.2. No Operation (NOP).......................................10 66 5.3. Option Checksum (OCS)....................................10 67 5.4. Alternate Checksum (ACS).................................12 68 5.5. Fragmentation (FRAG).....................................13 69 5.6. Maximum Segment Size (MSS)...............................17 70 5.7. Unsafe (UNSAFE)..........................................17 71 5.8. Timestamps (TIME)........................................18 72 5.9. Authentication and Encryption (AE).......................19 73 5.10. Echo request (REQ) and echo response (RES)..............20 74 5.11. Experimental (EXP)......................................21 75 6. Rules for designing new options...............................21 76 7. Option inclusion and processing...............................22 77 8. UDP API Extensions............................................24 78 9. Whose options are these?......................................25 79 10. UDP options FRAG option vs. UDP-Lite.........................25 80 11. Interactions with Legacy Devices.............................26 81 12. Options in a Stateless, Unreliable Transport Protocol........27 82 13. UDP Option State Caching.....................................27 83 14. Updates to RFC 768...........................................28 84 15. Interactions with other RFCs (and drafts)....................28 85 16. Multicast Considerations.....................................29 86 17. Security Considerations......................................30 87 18. IANA Considerations..........................................31 88 19. References...................................................31 89 19.1. Normative References....................................31 90 19.2. Informative References..................................32 91 20. Acknowledgments..............................................34 92 Appendix A. Implementation Information...........................35 94 1. Introduction 96 Transport protocols use options as a way to extend their 97 capabilities. TCP [RFC793], SCTP [RFC4960], and DCCP [RFC4340] 98 include space for these options but UDP [RFC768] currently does not. 99 This document defines an extension to UDP that provides space for 100 transport options including their generic syntax and semantics for 101 their use in UDP's stateless, unreliable message protocol. 103 2. Conventions used in this document 105 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 106 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 107 "OPTIONAL" in this document are to be interpreted as described in 108 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 109 capitals, as shown here. 111 In this document, the characters ">>" preceding an indented line(s) 112 indicates a statement using the key words listed above. This 113 convention aids reviewers in quickly identifying or finding the 114 portions of this RFC covered by these key words. 116 3. Background 118 Many protocols include a default, invariant header and an area for 119 header options that varies from packet to packet. These options 120 enable the protocol to be extended for use in particular 121 environments or in ways unforeseen by the original designers. 122 Examples include TCP's Maximum Segment Size, Window Scale, 123 Timestamp, and Authentication Options [RFC793][RFC5925][RFC7323]. 125 These options are used both in stateful (connection-oriented, e.g., 126 TCP [RFC793], SCTP [RFC4960], DCCP [RFC4340]) and stateless 127 (connectionless, e.g., IPv4 [RFC791], IPv6 [RFC8200]) protocols. In 128 stateful protocols they can help extend the way in which state is 129 managed. In stateless protocols their effect is often limited to 130 individual packets, but they can have an aggregate effect on a 131 sequence of packets as well. This document is intended to provide an 132 out-of-band option area as an alternative to the in-band mechanism 133 currently proposed [Hi15]. 135 UDP is one of the most popular protocols that lacks space for 136 options [RFC768]. The UDP header was intended to be a minimal 137 addition to IP, providing only ports and a data checksum for 138 protection. This document extends UDP to provide a trailer area for 139 options located after the UDP data payload. 141 4. The UDP Option Area 143 The UDP transport header includes demultiplexing and service 144 identification (port numbers), a checksum, and a field that 145 indicates the UDP datagram length (including UDP header). The UDP 146 Length field is typically redundant with the size of the maximum 147 space available as a transport protocol payload (see also discussion 148 in Section 11). 150 For IPv4, IP Total Length field indicates the total IP datagram 151 length (including IP header), and the size of the IP options is 152 indicated in the IP header (in 4-byte words) as the "Internet Header 153 Length" (IHL), as shown in Figure 1 [RFC791]. As a result, the 154 typical (and largest valid) value for UDP Length is: 156 UDP_Length = IPv4_Total_Length - IPv4_IHL * 4 158 For IPv6, the IP Payload Length field indicates the datagram after 159 the base IPv6 header, which includes the IPv6 extension headers and 160 space available for the transport protocol, as shown in Figure 2 161 [RFC8200]. Note that the Next HDR field in IPv6 might not indicate 162 UDP (i.e., 17), e.g., when intervening IP extension headers are 163 present. For IPv6, the lengths of any additional IP extensions are 164 indicated within each extension [RFC8200], so the typical (and 165 largest valid) value for UDP Length is: 167 UDP_Length = IPv6_Payload_Length - sum(extension header lengths) 169 In both cases, the space available for the UDP transport protocol 170 data unit is indicated by IP, either completely in the base header 171 (for IPv4) or adding information in the extensions (for IPv6). In 172 either case, this document will refer to this available space as the 173 "IP transport payload". 175 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 176 |Version| IHL |Type of Service| Total Length | 177 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 178 | Identification |Flags| Fragment Offset | 179 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 180 | Time to Live | Proto=17 (UDP)| Header Checksum | 181 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 182 | Source Address | 183 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 184 | Destination Address | 185 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 186 ... zero or more IP Options (using space as indicated by IHL) ... 187 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 188 | UDP Source Port | UDP Destination Port | 189 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 190 | UDP Length | UDP Checksum | 191 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 193 Figure 1 IPv4 datagram with UDP transport payload 195 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 196 |Version| Traffic Class | Flow Label | 197 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 198 | Payload Length | Next Hdr | Hop Limit | 199 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 200 ... 201 | Source Address (128 bits) | 202 ... 203 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 204 ... 205 | Destination Address (128 bits) | 206 ... 207 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 208 ... zero or more IP Extension headers (each indicating size) ... 209 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 210 | UDP Source Port | UDP Destination Port | 211 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 212 | UDP Length | UDP Checksum | 213 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 215 Figure 2 IPv6 datagram with UDP transport payload 217 As a result of this redundancy, there is an opportunity to use the 218 UDP Length field as a way to break up the IP transport payload into 219 two areas - that intended as UDP user data and an additional 220 "surplus area" (as shown in Figure 3). 222 IP transport payload 223 <-------------------------------------------------> 224 +--------+---------+----------------------+------------------+ 225 | IP Hdr | UDP Hdr | UDP user data | surplus area | 226 +--------+---------+----------------------+------------------+ 227 <------------------------------> 228 UDP Length 230 Figure 3 IP transport payload vs. UDP Length 232 In most cases, the IP transport payload and UDP Length point to the 233 same location, indicating that there is no surplus area. It is 234 important to note that this is not a requirement of UDP [RFC768] 235 (discussed further in Section 11). UDP-Lite used the difference in 236 these pointers to indicate the partial coverage of the UDP Checksum, 237 such that the UDP user data, UDP header, and UDP pseudoheader (a 238 subset of the IP header) are covered by the UDP checksum but 239 additional user data in the surplus area is not covered [RFC3828]. 240 This document uses the surplus area for UDP transport options. 242 The UDP option area is thus defined as the location between the end 243 of the UDP payload and the end of the IP datagram as a trailing 244 options area. This area can occur at any valid byte offset, i.e., it 245 need not be 16-bit or 32-bit aligned. In effect, this document 246 redefines the UDP "Length" field as a "trailer offset". 248 UDP options are defined using a TLV (type, length, and optional 249 value) syntax similar to that of TCP [RFC793]. They are typically a 250 minimum of two bytes in length as shown in Figure 4, excepting only 251 the one byte options "No Operation" (NOP) and "End of Options List" 252 (EOL) described below. 254 +--------+--------+------- 255 | Kind | Length | (remainder of option...) 256 +--------+--------+------- 258 Figure 4 UDP option default format 260 The Kind field is always one byte. The Length field is one byte for 261 all lengths below 255 (including the Kind and Length bytes). A 262 Length of 255 indicates use of the UDP option extended format shown 263 in Figure 5. The Extended Length field is a 16-bit field in network 264 standard byte order. 266 +--------+--------+--------+--------+ 267 | Kind | 255 | Extended Length | 268 +--------+--------+--------+--------+ 269 | (remainder of option...) 270 +--------+--------+--------+--------+ 272 Figure 5 UDP option extended default format 274 >> UDP options MAY begin at any UDP length offset. 276 >> The UDP length MUST be at least as large as the UDP header (8) 277 and no larger than the IP transport payload. Datagrams with length 278 values outside this range MUST be silently dropped as invalid and 279 logged where rate-limiting permits. 281 >> Option Lengths (or Extended Lengths, where applicable) smaller 282 than the minimum for the corresponding Kind and default format MUST 283 be treated as an error. Such errors call into question the remainder 284 of the option area and thus MUST result in all UDP options being 285 silently discarded. 287 >> Any UDP option whose length is only smaller than 255 MUST always 288 use the UDP option default format shown in Figure 4, excepting only 289 EOL and NOP. 291 >> Any UDP option whose length can be larger than 254 MUST always 292 use the UDP option extended default format shown in Figure 5, 293 including UNSAFE and EXP. 295 I.e., a UDP option always uses only the default format or the 296 extended default format, depending on whether its length is only 297 ever smaller than 255 or not. 299 Others have considered using values of the UDP Length that is larger 300 than the IP transport payload as an additional type of signal. Using 301 a value smaller than the IP transport payload is expected to be 302 backward compatible with existing UDP implementations, i.e., to 303 deliver the UDP Length of user data to the application and silently 304 ignore the additional surplus area data. Using a value larger than 305 the IP transport payload would either be considered malformed (and 306 be silently dropped) or could cause buffer overruns, and so is not 307 considered silently and safely backward compatible. Its use is thus 308 out of scope for the extension described in this document. 310 >> UDP options MUST be interpreted in the order in which they occur 311 in the UDP option area. 313 5. UDP Options 315 The following UDP options are currently defined: 317 Kind Length Meaning 318 ---------------------------------------------- 319 0* - End of Options List (EOL) 320 1* - No operation (NOP) 321 2* 3 Option checksum (OCS) 322 3* 6 Alternate checksum (ACS) 323 4* 10/12 Fragmentation (FRAG) 324 5* 4 Maximum segment size (MSS) 325 6* (varies) Unsafe to ignore (UNSAFE) options 326 7 10 Timestamps (TIME) 327 8 (varies) Authentication and Encryption (AE) 328 9 6 Request (REQ) 329 10 6 Response (RES) 330 11-126 (varies) UNASSIGNED (assignable by IANA) 331 127-253 RESERVED 332 254 (varies) RFC 3692-style experiments (EXP) 333 255 RESERVED 335 These options are defined in the following subsections. Options 0 336 and 1 use the same values as for TCP. 338 >> An endpoint supporting UDP options MUST support those marked with 339 a "*" above: EOL, NOP, OCS, ACS, FRAG, MSS, and UNSAFE. This 340 includes both recognizing and being able to generate these options 341 if configured to do so. These are called "must-support" options. 343 >> All other options (without a "*") MAY be implemented, and their 344 use SHOULD be determined either out-of-band or negotiated. 346 >> Receivers supporting UDP options MUST silently ignore unknown 347 options except UNSAFE. That includes options whose length does not 348 indicate the specified value(s). 350 >> Receivers supporting UDP options MUST silently drop the entire 351 datagram containing an UNSAFE option when any UNSAFE option it 352 contains is unknown. See Section 5.7 for further discussion of 353 UNSAFE options. 355 >> Except for NOP, each option SHOULD NOT occur more than once in a 356 single UDP datagram. If an option other than NOP occurs more than 357 once, a receiver MUST interpret only the first instance of that 358 option and MUST ignore all others. 360 >> Only the OCS and AE options depend on the contents of the option 361 area. AE is always computed as if the AE hash and OCS checksum are 362 zero; OCS is always computed as if the OCS checksum is zero and 363 after the AE hash has been computed. Future options MUST NOT be 364 defined as having a value dependent on the contents of the option 365 area. Otherwise, interactions between those values, OCS, and AE 366 could be unpredictable. 368 Receivers cannot treat unexpected option lengths as invalid, as this 369 would unnecessarily limit future revision of options (e.g., defining 370 a new ACS that is defined by having a different length). 372 >> Option lengths MUST NOT exceed the IP length of the packet. If 373 this occurs, the packet MUST be treated as malformed and dropped, 374 and the event MAY be logged for diagnostics (logging SHOULD be rate 375 limited). 377 >> Options with fixed lengths MUST use the default option format. 379 >> Options with variable lengths MUST use the default option format 380 where their total length is 254 bytes or less. 382 >> Options using the extended option format MUST indicate extended 383 lengths of 255 or higher; smaller extended length values MUST be 384 treated as an error. 386 >> "Must-support" options other than NOP and EOL MUST come before 387 other options. 389 The requirement that must-support options come before others is 390 intended to allow for endpoints to implement DOS protection, as 391 discussed further in Section 17. 393 5.1. End of Options List (EOL) 395 The End of Options List (EOL) option indicates that there are no 396 more options. It is used to indicate the end of the list of options 397 without needing to pad the options to fill all available option 398 space. 400 +--------+ 401 | Kind=0 | 402 +--------+ 404 Figure 6 UDP EOL option format 406 >> When the UDP options do not consume the entire option area, the 407 last non-NOP option MUST be EOL. 409 >> All bytes in the surplus area after EOL MUST be zero. If these 410 bytes are non-zero, the entire surplus area MUST be silently ignored 411 and only the UDP data passed to the user with an adjusted UDP length 412 to indicate that no options were present. 414 Requiring the post-option surplus area to be zero prevents side- 415 channel uses of this area, requiring instead that all use of the 416 surplus area be UDP options supported by both endpoints. It is 417 useful to allow for such padding to increase the packet length 418 without affecting the payload length, e.g., for UDP DPLPMTUD [Fa20]. 420 5.2. No Operation (NOP) 422 The No Operation (NOP) option is a one byte placeholder, intended to 423 be used as padding, e.g., to align multi-byte options along 16-bit 424 or 32-bit boundaries. 426 +--------+ 427 | Kind=1 | 428 +--------+ 430 Figure 7 UDP NOP option format 432 >> If options longer than one byte are used, NOP options SHOULD be 433 used at the beginning of the UDP options area to achieve alignment 434 as would be more efficient for active (i.e., non-NOP) options. 436 >> Segments SHOULD NOT use more than three consecutive NOPs. NOPs 437 are intended to assist with alignment, not other padding or fill. 439 [NOTE: Tom Herbert suggested we declare "more than 3 consecutive 440 NOPs" a fatal error to reduce the potential of using NOPs as a DOS 441 attack, but IMO there are other equivalent ways (e.g., using 442 RESERVED or other UNASSIGNED values) and the "no more than 3" 443 creates its own DOS vulnerability) 445 5.3. Option Checksum (OCS) 447 The Option Checksum (OCS) option is conventional Internet checksum 448 [RFC791] that covers all of the surplus area and a pseudoheader 449 composed of the 16-bit length of the surplus area (Figure 8). The 450 primary purpose of OCS is to detect non-standard (i.e., non-option) 451 uses of that area. The surplus area pseudoheader is included to 452 enable traversal of errant middleboxes that incorrectly compute the 453 UDP checksum over the entire IP payload rather than only the UDP 454 payload [Fa18]. 456 The OCS is calculated by computing the Internet checksum over the 457 surplus area and surplus length pseudoheader. The OCS protects the 458 option area from errors in a similar way that the UDP checksum 459 protects the UDP user data (when not zero). 461 +--------+--------+ 462 | surplus length | 463 +--------+--------+ 465 Figure 8 UDP surplus length pseudoheader 467 +--------+--------+--------+ 468 | Kind=2 | checksum | 469 +--------+--------+--------+ 471 Figure 9 UDP OCS option format 473 >> The OCS MUST be included when the UDP checksum is nonzero and UDP 474 options are present. 476 >> When present, the OCS SHOULD occur as early as possible, preceded 477 by only NOP options for alignment and the FRAG option if present. 479 >> OCS MUST be half-word coordinated with the start of the UDP 480 options area and include the surplus length pseudoheader similarly 481 coordinated with the start of UDP Header. 483 This Internet checksum is computed over the surplus area (including 484 EOL, if present) prefixed by the surplus length pseudoheader (Figure 485 8) and then adjusting the result before storing it into the OCS 486 checksum field. If the OCS checksum field is aligned to the start of 487 the options area, then the checksum is inserted as-is, otherwise the 488 checksum bytes are swapped before inserting them into the field. The 489 effect of this "coordination" is the same is if the checksum were 490 computed as if the surplus area and pseudoheader were aligned to the 491 UDP header. 493 This feature is intended to potentially help the UDP options 494 traverse devices that incorrectly attempt to checksum the surplus 495 area (as originally proposed as the Checksum Compensation Option, 496 i.e., CCO [Fa18]). 498 The OCS covers the UDP option area as formatted for transmission and 499 immediately upon reception. 501 >> If the OCS fails, all options MUST be ignored and the surplus 502 area silently discarded. 504 >> UDP data that is validated by a correct UDP checksum MUST be 505 delivered to the application layer, even if the OCS fails, unless 506 the endpoints have negotiated otherwise for this segment's socket 507 pair. 509 As a reminder, use of the UDP checksum is optional when the UDP 510 checksum is zero. When not used, the OCS is assumed to be "correct" 511 for the purpose of accepting UDP packets at a receiver (see Section 512 7). 514 The OCS is intended to check for accidental errors, not for attacks. 516 5.4. Alternate Checksum (ACS) 518 The Alternate Checksum (ACS) option provides a stronger alternative 519 to the checksum in the UDP header, using a 32-bit CRC of the 520 conventional UDP payload only (excluding the IP pseudoheader, UDP 521 header, and surplus area). It is an "alternate" to the UDP checksum 522 (covering the UDP payload) - not the OCS (the latter covers the 523 surplus area) Unlike the UDP checksum, ACS does not include the IP 524 pseudoheader or UDP header, thus it does not need to be updated by 525 NATs when IP addresses or UDP ports are rewritten. Its purpose is to 526 detect UDP payload errors that the UDP checksum, when used, might 527 not detect. 529 A CRC32c has been chosen because of its ubiquity and use in other 530 Internet protocols, including iSCSI and SCTP. The option contains 531 the CRC32c in network standard byte order, as described in 532 [RFC3385]. 534 +--------+--------+--------+--------+ 535 | Kind=3 | Len=6 | CRC32c... | 536 +--------+--------+--------+--------+ 537 | CRC32c (cont.) | 538 +--------+--------+ 540 Figure 10 UDP ACS option format 542 When present, the ACS always contains a valid CRC checksum. There 543 are no reserved values, including the value of zero. If the CRC is 544 zero, this must indicate a valid checksum (i.e., it does not 545 indicate that the ACS is not used; instead, the option would simply 546 not be included if that were the desired effect). 548 ACS does not protect the UDP pseudoheader; only the current UDP 549 checksum provides that protection (when used). ACS cannot provide 550 that protection because it would need to be updated whenever the UDP 551 pseudoheader changed, e.g., during NAT address and port translation; 552 because this is not the case, ACS does not cover the pseudoheader. 554 >> Packets with incorrect ACS checksums MUST be passed to the 555 application by default, e.g., with a flag indicating ACS failure. 557 Like all non-UNSAFE UDP options, ACS need to be silently ignored 558 when failing. Although all UDP option-aware endpoints support ACS 559 (being in the required set), this silently-ignored behavior ensures 560 that option-aware receivers operate the same as legacy receivers 561 unless overridden. 563 5.5. Fragmentation (FRAG) 565 The Fragmentation option (FRAG) combines properties of IP 566 fragmentation and the UDP Lite transport protocol [RFC3828]. FRAG 567 provides transport-layer fragmentation and reassembly in which each 568 fragment includes a copy of the same UDP transport ports, enabling 569 the fragments to traverse Network Address (and port) Translation 570 (NAT) devices, in contrast to the behavior of IP fragments. FRAG 571 also allows the UDP checksum to cover only a prefix of the UDP data 572 payload, to avoid repeated checksums of data prior to reassembly. 574 The Fragmentation (FRAG) option supports UDP fragmentation and 575 reassembly, which can be used to transfer UDP messages larger than 576 limited by the IP receive MTU (EMTU_R [RFC1122]). It is typically 577 used with the UDP MSS option to enable more efficient use of large 578 messages, both at the UDP and IP layers. FRAG is designed similar to 579 the IPv6 Fragmentation Header [RFC8200], except that the UDP variant 580 uses a 16-bit Offset measured in bytes, rather than IPv6's 13-bit 581 Fragment Offset measured in 8-byte units. This UDP variant avoids 582 creating reserved fields. 584 >> When FRAG is present, it MUST come first in the UDP options list. 586 >> When FRAG is present, the UDP payload MUST be empty. If the 587 payload is not empty, all UDP options MUST be silently ignored and 588 the payload received to the user. 590 Legacy receivers interpret FRAG messages as zero-length payload 591 packets (i.e., UDP Length field is 8, the length of just the UDP 592 header), which would not affect the receiver unless the presence of 593 the packet itself were a signal. 595 The FRAG option has two formats; non-terminal fragments use the 596 shorter variant (Figure 11) and terminal fragments use the longer 597 (Figure 12). The latter includes stand-alone fragments, i.e., when 598 data is contained in the FRAG option but reassembly is not required. 600 +--------+--------+--------+--------+ 601 | Kind=4 | Len=10 | Offset | 602 +--------+--------+--------+--------+ 603 | Identification | 604 +--------+--------+--------+--------+ 605 | Frag. Offset | 606 +--------+--------+ 608 Figure 11 UDP non-terminal FRAG option format 610 The FRAG option does not need a "more fragments" bit because it 611 provides the same indication by using the longer, 12-byte variant, 612 which also includes an Internet checksum over the entire reassembled 613 UDP payload (omitting the IP pseudoheader and UDP header, as well as 614 UDP options), as shown in Figure 12. 616 >> The FRAG option MAY be used on a single fragment, in which case 617 the Offset would be zero and the option would have the 12-byte 618 format, including the reassembly checksum. 620 Use of the single fragment variant can be helpful in supporting use 621 of UNSAFE options without undesirable impact to receivers that do 622 not support either UDP options or the specific UNSAFE options. 624 >> The reassembly checksum SHOULD be used, but MAY be unused in the 625 same situations when the UDP checksum is unused (e.g., for transit 626 tunnels or applications that have their own integrity checks 627 [RFC8200]), and by the same mechanism (set the field to 0x0000). 629 +--------+--------+--------+--------+ 630 | Kind=4 | Len=12 | Offset | 631 +--------+--------+--------+--------+ 632 | Identification | 633 +--------+--------+--------+--------+ 634 | Frag. Offset | Reassy. Checksum| 635 +--------+--------+--------+--------+ 637 Figure 12 UDP terminal FRAG option format 639 >> During fragmentation, the UDP header checksum of each fragment 640 needs to be recomputed based on each datagram's pseudoheader. 642 Unlike the UDP checksum, the reassembly checksum does not need to be 643 updated if the UDP header changes because it covers only the 644 reassembled data. FRAG uses a comparatively weak checksum upon 645 reassembly because the fragments are already checked individually. 647 >> After reassembly is complete and validated using the checksum of 648 the terminal FRAG option, the UDP header checksum of the resulting 649 datagram needs to be recomputed based on the datagram's 650 pseudoheader. 652 The Fragment Offset is 16 bits and indicates the location of the UDP 653 payload fragment in bytes from the beginning of the original 654 unfragmented payload. The Len field indicates whether there are more 655 fragments (Len=10) or no more fragments (Len=12). 657 >> The Identification field is a 32-bit value that MUST be unique 658 over the expected fragment reassembly timeout. 660 >> The Identification field SHOULD be generated in a manner similar 661 to that of the IPv6 Fragment ID [RFC8200]. 663 >> UDP fragments MUST NOT overlap. 665 UDP fragmentation relies on a fragment expiration timer, which can 666 be preset or could use a value computed using the UDP Timestamp 667 option. 669 >> The default UDP reassembly SHOULD be no more than 2 minutes. 671 Implementers are advised to limit the space available for UDP 672 reassembly. 674 >> UDP reassembly space SHOULD be limited to reduce the impact of 675 DOS attacks on resource use. 677 >> UDP reassembly space limits SHOULD NOT be implemented as an 678 aggregate, to avoid cross-socketpair DOS attacks. 680 >> Individual UDP fragments MUST NOT be forwarded to the user. The 681 reassembled datagram is received only after complete reassembly, 682 checksum validation, and continued processing of the remaining UDP 683 options. 685 Any additional UDP options, if used, follow the FRAG option in the 686 final fragment and would be included in the reassembled packet. 687 Processing of those options would commence after reassembly. This is 688 especially important for UNSAFE options, which are interpreted only 689 after FRAG. 691 >> UDP options MUST NOT follow the FRAG header in non-terminal 692 fragments. Any data following the FRAG header in non-terminal 693 fragments MUST be silently dropped. All other options that apply to 694 a reassembled packet MUST follow the FRAG header in the terminal 695 fragment. 697 In general, UDP packets are fragmented as follows: 699 1. Create a datagram with data and any non-FRAG UDP options, which 700 we will call "D". Note that the options apply to the entire data 701 area and must follow the data. These options are processed before 702 the rest of the fragmentation steps below. 704 2. Identify the desired fragment size, which we will call "S". This 705 value should take into account the path MTU (if known) and allow 706 space for per-fragment options (e.g., OCS). 708 3. Fragment "D" into chunks of size no larger than "S"-10 each, with 709 one final chunk no larger than "S"-12. Note that all the non-FRAG 710 options in step #1 MUST appear in the terminal fragment. 712 4. For each chunk of "D" in step #3, create a zero-data UDP packet 713 followed by the per-fragment options, with the final option being 714 the FRAG option followed by the FRAG data chunk. 716 The last chunk includes the non-FRAG options noted in step #1 717 after the end of the FRAG data. These UDP options apply to the 718 reassembled data as a whole when received. 720 5. Process the UDP options of each fragment, e.g., computing its 721 OCS. 723 <> 726 Receivers reverse the above sequence. They process all received 727 options in each fragment. When the FRAG option is encountered, the 728 FRAG data is used in reassembly. After all fragments are received, 729 the entire packet is processed with any trailing UDP options 730 applying to the reassembled data. 732 5.6. Maximum Segment Size (MSS) 734 The Maximum Segment Size (MSS, Kind = 3) option is a 16-bit 735 indicator of the largest UDP segment that can be received. As with 736 the TCP MSS option [RFC793], the size indicated is the IP layer MTU 737 decreased by the fixed IP and UDP headers only [RFC6691]. The space 738 needed for IP and UDP options need to be adjusted by the sender when 739 using the value indicated. The value transmitted is based on EMTU_R, 740 the largest IP datagram that can be received (i.e., reassembled at 741 the receiver) [RFC1122]. 743 +--------+--------+--------+--------+ 744 | Kind=5 | Len=4 | MSS size | 745 +--------+--------+--------+--------+ 747 Figure 13 UDP MSS option format 749 The UDP MSS option MAY be used for path MTU discovery 750 [RFC1191][RFC8201], but this may be difficult because of known 751 issues with ICMP blocking [RFC2923] as well as UDP lacking automatic 752 retransmission. It is more likely to be useful when coupled with IP 753 source fragmentation to limit the largest reassembled UDP message, 754 e.g., when EMTU_R is larger than the required minimums (576 for IPv4 755 [RFC791] and 1500 for IPv6 [RFC8200]). It can also be used with 756 DPLPMTUD [RFC8899] to set a maximum DPLPMTU. 758 5.7. Unsafe (UNSAFE) 760 The Unsafe option (UNSAFE) extends the UDP option space to allow for 761 options that are not safe to ignore and can be used unidirectionally 762 or without soft-state confirmation of UDP option capability. They 763 are always used only when the entire UDP payload occurs inside a 764 reassembled set of UDP fragments, such that if UDP fragmentation is 765 not supported, the entire fragment would be silently dropped anyway. 767 UNSAFE options are an extended option space, with its own additional 768 option types. These are indicated in the first byte after the option 769 Kind as shown in ?, which is followed by the Length. Length is 1 770 byte for UKinds whose total length (including Kind, UKind, and 771 Length fields) is less than 255 or 2 bytes for larger lengths (in 772 the similar style as the extended option format). 774 +--------+--------+--------+ 775 | Kind=6 | UKind | Length |... 776 +--------+--------+--------+ 777 1 byte 1 byte 1-2 bytes 779 Figure 14 UDP UNSAFE option format 781 >> UNSAFE options MUST be used only as part of UDP fragments, used 782 either per-fragment or after reassembly. 784 >> Receivers supporting UDP options MUST silently drop the entire 785 reassembled datagram if any fragment or the entire datagram includes 786 an UNSAFE option whose UKind is not supported. 788 The following UKind values are defined: 790 UKind Length Meaning 791 ---------------------------------------------- 792 0 RESERVED 793 1-253 (varies) UNASSIGNED (assignable by IANA) 794 254 (varies) RFC 3692-style experiments (UEXP) 795 255 RESERVED 797 Experimental UKind EXP ExID values indicate the ExID in the 798 following 2 (or 4) bytes, similar to the UDP EXP option as discussed 799 in Section 5.11. Assigned UDP EXP ExIDs and UDP UNSAFE UKind UEXP 800 ExIDs are assigned from the same registry and can be used either in 801 the EXP option (Section 5.11) or within the UKind UEXP. 803 5.8. Timestamps (TIME) 805 The Timestamp (TIME) option exchanges two four-byte timestamp 806 fields. It serves a similar purpose to TCP's TS option [RFC7323], 807 enabling UDP to estimate the round trip time (RTT) between hosts. 808 For UDP, this RTT can be useful for establishing UDP fragment 809 reassembly timeouts or transport-layer rate-limiting [RFC8085]. 811 +--------+--------+------------------+------------------+ 812 | Kind=7 | Len=10 | TSval | TSecr | 813 +--------+--------+------------------+------------------+ 814 1 byte 1 byte 4 bytes 4 bytes 816 Figure 15 UDP TIME option format 818 TS Value (TSval) and TS Echo Reply (TSecr) are used in a similar 819 manner to the TCP TS option [RFC7323]. On transmitted segments using 820 the option, TS Value is always set based on the local "time" value. 822 Received TSval and TSecr values are provided to the application, 823 which can pass the TSval value to be used as TSecr on UDP messages 824 sent in response (i.e., to echo the received TSval). A received 825 TSecr of zero indicates that the TSval was not echoed by the 826 transmitter, i.e., from a previously received UDP packet. 828 >> TIME MAY use an RTT estimate based on nonzero Timestamp values as 829 a hint for fragmentation reassembly, rate limiting, or other 830 mechanisms that benefit from such an estimate. 832 >> TIME SHOULD make this RTT estimate available to the user 833 application. 835 UDP timestamps are modeled after TCP timestamps and have similar 836 expectations. In particular, they are expected to be: 838 o Values are monotonic and non-decreasing except for anticipated 839 number-space rollover events 841 o Values should "increase" (allowing for rollover) according to a 842 typical 'tick' time 844 o A request is defined as "reply=0" and a reply is defined as both 845 fields being non-zero. 847 o A receiver should always respond to a request with the highest 848 TSval received (allowing for rollover), which is not necessarily 849 the most recently received. 851 Rollover can be handled as a special case or more completely using 852 sequence number extension [RFC5925]. 854 5.9. Authentication and Encryption (AE) 856 The Authentication and Encryption (AE) option is intended to allow 857 UDP to provide a similar type of authentication as the TCP 858 Authentication Option (TCP-AO) [RFC5925]. AE the conventional UDP 859 payload and may also cover the surplus area, depending on 860 configuration. It uses the same format as specified for TCP-AO, 861 except that it uses a Kind of 8. AE supports NAT traversal in a 862 similar manner as TCP-AO [RFC6978]. AE can also be extended to 863 provide a similar encryption capability as TCP-AO-ENC, in a similar 864 manner [To18ao]. 866 +--------+--------+--------+--------+ 867 | Kind=8 | Len | Digest... | 868 +--------+--------+--------+--------+ 869 | Digest (con't)... | 870 +--------+--------+--------+--------+ 872 Figure 16 UDP AE option format 874 Like TCP-AO, AE is not negotiated in-band. Its use assumes both 875 endpoints have populated Master Key Tuples (MKTs), used to exclude 876 non-protected traffic. 878 TCP-AO generates unique traffic keys from a hash of TCP connection 879 parameters. UDP lacks a three-way handshake to coordinate 880 connection-specific values, such as TCP's Initial Sequence Numbers 881 (ISNs) [RFC793], thus AE's Key Derivation Function (KDF) uses zeroes 882 as the value for both ISNs. This means that the AE reuses keys when 883 socket pairs are reused, unlike TCP-AO. 885 >> Packets with incorrect AE HMACs MUST be passed to the application 886 by default, e.g., with a flag indicating AE failure. 888 Like all non-UNSAFE UDP options, AE needs to be silently ignored 889 when failing. This silently-ignored behavior ensures that option- 890 aware receivers operate the same as legacy receivers unless 891 overridden. 893 In addition to the UDP payload (which is always included), AE can be 894 configured to either include or exclude the surplus area, in a 895 similar way as can TCP-AO can optionally exclude TCP options. When 896 UDP options are covered, the OCS option area checksum and AE hash 897 areas are zeroed before computing the AE hash. It is important to 898 consider that options not yet defined might yield unpredictable 899 results if not confirmed as supported, e.g., if they were to contain 900 other hashes or checksums that depend on the option area contents. 901 This is why such dependencies are not permitted except as defined 902 for OCS and UDP-AE. 904 Similar to TCP-AO-NAT, AE can be configured to support NAT 905 traversal, excluding (by zeroing out) one or both of the UDP ports 906 and corresponding IP addresses [RFC6978]. 908 5.10. Echo request (REQ) and echo response (RES) 910 The echo request (REQ, kind=9) and echo response (RES, kind=10) 911 options provide a means for UDP options to be used to provide 912 packet-level acknowledgements. Their use is described as part of the 913 UDP variant of packetization layer path MTU discovery (PLPMTUD) 914 [Fa20]. The options both have the format indicated in Figure 17. 916 +--------+--------+------------------+ 917 | Kind | Len=6 | nonce | 918 +--------+--------+------------------+ 919 1 byte 1 byte 4 bytes 921 Figure 17 UDP REQ and RES options format 923 5.11. Experimental (EXP) 925 The Experimental option (EXP) is reserved for experiments [RFC3692]. 926 It uses a Kind value of 254. Only one such value is reserved because 927 experiments are expected to use an Experimental ID (ExIDs) to 928 differentiate concurrent use for different purposes, using UDP ExIDs 929 registered with IANA according to the approach developed for TCP 930 experimental options [RFC6994]. 932 +----------+----------+----------+----------+ 933 | Kind=254 | Len | UDP ExID | 934 +----------+----------+----------+----------+ 935 | (option contents, as defined)... | 936 +----------+----------+----------+----------+ 938 Figure 18 UDP EXP option format 940 >> The length of the experimental option MUST be at least 4 to 941 account for the Kind, Length, and the minimum 16-bit UDP ExID 942 identifier (similar to TCP ExIDs [RFC6994]). 944 Assigned UDP EXP ExIDs and UDP UNSAFE UKind UEXP ExIDs are assigned 945 from the same registry and can be used either in the EXP option or 946 within the UKind UEXP (Section 5.7). 948 6. Rules for designing new options 950 The UDP option Kind space allows for the definition of new options, 951 however the currently defined options do not allow for arbitrary new 952 options. For example, FRAG needs to come first if present; new 953 options cannot declare that they need to precede it. The following 954 is a summary of rules for new options and their rationales: 956 >> New options MUST NOT depend on option space content, excepting 957 only those contained within the UNSAFE option. Only OCS and AE 958 depend on the content of the options themselves and their order is 959 fixed (on transmission, AE is computed first using a zero-checksum 960 OCS if present, and OCS is computed last before transmission, over 961 the entire option area, including AE). 963 >> UNSAFE options can both depend on and vary option space content 964 because they are contained only inside UDP fragments and thus are 965 processed only by UDP option capable receivers. 967 >> New options MUST NOT declare their order relative to other 968 options, whether new or old. 970 >> At the sender, new options MUST NOT modify UDP packet content 971 anywhere except within their option field, excepting only those 972 contained within the UNSAFE option; areas that need to remain 973 unmodified include the IP header, IP options, the UDP body, the UDP 974 option area (i.e., other options), and the post-option area. 976 >> Options MUST NOT be modified in transit. This includes those 977 already defined as well as new options. New options MUST NOT require 978 or intend optionally for modification of any UDP options, including 979 their new areas, in transit. 981 >> New options with fixed lengths smaller than 255 or variable 982 lengths that are always smaller than 255 MUST use only the default 983 option format. 985 Note that only certain of the initially defined options violate 986 these rules: 988 o >> FRAG MUST be first, if present, and MUST be processed when 989 encountered (e.g., even before security options). 991 o >> Only FRAG and UNSAFE options are permitted to modify the UDP 992 body or option areas. 994 o >> OCS SHOULD be the first option, except in the presence of 995 FRAG, in which case it SHOULD be the first option after FRAG. 997 7. Option inclusion and processing 999 The following rules apply to option inclusion by senders and 1000 processing by receivers. 1002 >> Senders MAY add any option, as configured by the API. 1004 >> All mandatory options MUST be processed by receivers, if present 1005 (presuming UDP options are supported at that receiver). 1007 >> Non-mandatory options MAY be ignored by receivers, if present, 1008 e.g., based on API settings. 1010 >> All options MUST be processed by receivers in the order 1011 encountered in the options list. 1013 >> All options except UNSAFE options MUST result in the UDP payload 1014 being passed to the application layer, regardless of whether all 1015 options are processed, supported, or succeed. 1017 The basic premise is that, for options-aware endpoints, the sender 1018 decides what options to add and the receiver decides what options to 1019 handle. Simply adding an option does not force work upon a receiver, 1020 with the exception of the mandatory options. 1022 Upon receipt, the receiver checks various properties of the UDP 1023 packet and its options to decide whether to accept or drop the 1024 packet and whether to accept or ignore some its options as follows 1025 (in order): 1027 if the UDP checksum fails then 1028 silently drop (per RFC1122) 1029 if the UDP checksum passes then 1030 if OCS is present and fails then 1031 deliver the UDP payload but ignore all other options 1032 (this is required to emulate legacy behavior) 1033 if OCS is present and passes then 1034 deliver the UDP payload after parsing 1035 and processing the rest of the options, 1036 regardless of whether each is supported or succeeds 1037 (again, this is required to emulate legacy behavior) 1039 The design of the UNSAFE options as used only inside the FRAG area 1040 ensures that the resulting UDP data will be silently dropped in both 1041 legacy and options-aware receivers. 1043 Options-aware receivers can either drop packets with option 1044 processing errors via an override of the default or at the 1045 application layer. 1047 I.e., all options other than OCS are treated the same, in that the 1048 transmitter can add it as desired and the receiver has the option to 1049 require it or not. Only if it is required (e.g., by API 1050 configuration) should the receiver require it being present and 1051 correct. 1053 I.e., for all options other than OCS: 1055 o if the option is not required by the receiver, then packets 1056 missing the option are accepted. 1058 o if the option is required (e.g., by override of the default 1059 behavior at the receiver) and missing or incorrectly formed, 1060 silently drop the packet. 1062 o if the packet is accepted (either because the option is not 1063 required or because it was required and correct), then pass the 1064 option with the packet via the API. 1066 Any options whose length exceeds that of the UDP packet (i.e., 1067 intending to use data that would have been beyond the surplus area) 1068 should be silently ignored (again to model legacy behavior). 1070 8. UDP API Extensions 1072 UDP currently specifies an application programmer interface (API), 1073 summarized as follows (with Unix-style command as an example) 1074 [RFC768]: 1076 o Method to create new receive ports 1078 o E.g., bind(handle, recvaddr(optional), recvport) 1080 o Receive, which returns data octets, source port, and source 1081 address 1083 o E.g., recvfrom(handle, srcaddr, srcport, data) 1085 o Send, which specifies data, source and destination addresses, and 1086 source and destination ports 1088 o E.g., sendto(handle, destaddr, destport, data) 1090 This API is extended to support options as follows: 1092 o Extend the method to create receive ports to include receive 1093 options that are required. Datagrams not containing these 1094 required options MUST be silently dropped and MAY be logged. 1096 o Extend the receive function to indicate the options and their 1097 parameters as received with the corresponding received datagram. 1099 o Extend the send function to indicate the options to be added to 1100 the corresponding sent datagram. 1102 Examples of API instances for Linux and FreeBSD are provided in 1103 Appendix A, to encourage uniform cross-platform implementations. 1105 9. Whose options are these? 1107 UDP options are indicated in an area of the IP payload that is not 1108 used by UDP. That area is really part of the IP payload, not the UDP 1109 payload, and as such, it might be tempting to consider whether this 1110 is a generally useful approach to extending IP. 1112 Unfortunately, the surplus area exists only for transports that 1113 include their own transport layer payload length indicator. TCP and 1114 SCTP include header length fields that already provide space for 1115 transport options by indicating the total length of the header area, 1116 such that the entire remaining area indicated in the network layer 1117 (IP) is transport payload. UDP-Lite already uses the UDP Length 1118 field to indicate the boundary between data covered by the transport 1119 checksum and data not covered, and so there is no remaining area 1120 where the length of the UDP-Lite payload as a whole can be indicated 1121 [RFC3828]. 1123 UDP options are intended for use only by the transport endpoints. 1124 They are no more (or less) appropriate to be modified in-transit 1125 than any other portion of the transport datagram. 1127 UDP options are transport options. Generally, transport datagrams 1128 are not intended to be modified in-transit. UDP options are no 1129 exception and here are specified as "MUST NOT" be altered in 1130 transit. However, the UDP option mechanism provides no specific 1131 protection against in-transit modification of the UDP header, UDP 1132 payload, or UDP option area, except as provided by the options 1133 selected (e.g., OCS or AE). 1135 10. UDP options FRAG option vs. UDP-Lite 1137 UDP-Lite provides partial checksum coverage, so that packets with 1138 errors in some locations can be delivered to the user [RFC3828]. It 1139 uses a different transport protocol number (136) than UDP (17) to 1140 interpret the UDP Length field as the prefix covered by the UDP 1141 checksum. 1143 UDP (protocol 17) already defines the UDP Length field as the limit 1144 of the UDP checksum, but by default also limits the data provided to 1145 the application as that which precedes the UDP Length. A goal of 1146 UDP-Lite is to deliver data beyond UDP Length as a default, which is 1147 why a separate transport protocol number was required. 1149 UDP options do not use or need a separate transport protocol number 1150 because the data beyond the UDP Length offset (surplus data) is not 1151 provided to the application by default. That data is interpreted 1152 exclusively within the UDP transport layer. 1154 The UDP FRAG options option supports a similar service to UDP-Lite. 1155 The main difference is that UDP-Lite provides the un-checksummed 1156 user data to the application by default, whereas the UDP FRAG option 1157 can safely provide that service only between endpoints that 1158 negotiate that capability in advance. An endpoint that does not 1159 implement UDP options would silently discard this non-checksummed 1160 user data, along with the UDP options as well. 1162 UDP-Lite cannot support UDP options, either as proposed here or in 1163 any other form, because the entire payload of the UDP packet is 1164 already defined as user data and there is no additional field in 1165 which to indicate a separate area for options. The UDP Length field 1166 in UDP-Lite is already used to indicate the boundary between user 1167 data covered by the checksum and user data not covered. 1169 11. Interactions with Legacy Devices 1171 It has always been permissible for the UDP Length to be inconsistent 1172 with the IP transport payload length [RFC768]. Such inconsistency 1173 has been utilized in UDP-Lite using a different transport number. 1174 There are no known systems that use this inconsistency for UDP 1175 [RFC3828]. It is possible that such use might interact with UDP 1176 options, i.e., where legacy systems might generate UDP datagrams 1177 that appear to have UDP options. The UDP OCS provides protection 1178 against such events and is stronger than a static "magic number". 1180 UDP options have been tested as interoperable with Linux, macOS, and 1181 Windows Cygwin, and worked through NAT devices. These systems 1182 successfully delivered only the user data indicated by the UDP 1183 Length field and silently discarded the surplus area. 1185 One reported embedded device passes the entire IP datagram to the 1186 UDP application layer. Although this feature could enable 1187 application-layer UDP option processing, it would require that 1188 conventional UDP user applications examine only the UDP payload. 1189 This feature is also inconsistent with the UDP application interface 1190 [RFC768] [RFC1122]. 1192 It has been reported that Alcatel-Lucent's "Brick" Intrusion 1193 Detection System has a default configuration that interprets 1194 inconsistencies between UDP Length and IP Length as an attack to be 1195 reported. Note that other firewall systems, e.g., CheckPoint, use a 1196 default "relaxed UDP length verification" to avoid falsely 1197 interpreting this inconsistency as an attack. 1199 (TBD: test with UDP checksum offload and UDP fragmentation offload) 1201 12. Options in a Stateless, Unreliable Transport Protocol 1203 There are two ways to interpret options for a stateless, unreliable 1204 protocol -- an option is either local to the message or intended to 1205 affect a stream of messages in a soft-state manner. Either 1206 interpretation is valid for defined UDP options. 1208 It is impossible to know in advance whether an endpoint supports a 1209 UDP option. 1211 >> All UDP options other than UNSAFE ones MUST be ignored if not 1212 supported or upon failure (e.g., ACS). 1214 >> All UDP options that fail MUST result in the UDP data still being 1215 sent to the application layer by default, to ensure equivalence with 1216 legacy devices. 1218 >> UDP options that rely on soft-state exchange MUST allow for 1219 message reordering and loss. 1221 The above requirements prevent using any option that cannot be 1222 safely ignored unless it is hidden inside the FRAG area (i.e., 1223 UNSAFE options). Legacy systems also always need to be able to 1224 interpret the transport payload fragments as individual transport 1225 datagrams. 1227 13. UDP Option State Caching 1229 Some TCP connection parameters, stored in the TCP Control Block, can 1230 be usefully shared either among concurrent connections or between 1231 connections in sequence, known as TCP Sharing [RFC2140][To20cb]. 1232 Although UDP is stateless, some of the options proposed herein may 1233 have similar benefit in being shared or cached. We call this UCB 1234 Sharing, or UDP Control Block Sharing, by analogy. 1236 [TBD: extend this section to indicate which options MAY vs. MUST NOT 1237 be shared and how, e.g., along the lines of To20cb] 1239 14. Updates to RFC 768 1241 This document updates RFC 768 as follows: 1243 o This document defines the meaning of the IP payload area beyond 1244 the UDP length but within the IP length. 1246 o This document extends the UDP API to support the use of options. 1248 15. Interactions with other RFCs (and drafts) 1250 This document clarifies the interaction between UDP length and IP 1251 length that is not explicitly constrained in either UDP or the host 1252 requirements [RFC768] [RFC1122]. 1254 Teredo extensions (TE) define use of a similar surplus area for 1255 trailers [RFC6081]. TE defines the UDP length pointing beyond 1256 (larger) than the location indicated by the IP length rather than 1257 shorter (as used herein): 1259 "..the IPv6 packet length (i.e., the Payload Length value in 1260 the IPv6 header plus the IPv6 header size) is less than or 1261 equal to the UDP payload length (i.e., the Length value in 1262 the UDP header minus the UDP header size)" 1264 As a result, UDP options are not compatible with TE, but that is 1265 also why this document does not update TE. Additionally, it is not 1266 at all clear how TE operates, as it requires network processing of 1267 the UDP length field to understand the total message including TE 1268 trailers. 1270 TE updates Teredo NAT traversal [RFC4380]. The NAT traversal 1271 document defined "consistency" of UDP length and IP length as: 1273 "An IPv6 packet is deemed valid if it conforms to [RFC2460]: 1274 the protocol identifier should indicate an IPv6 packet and 1275 the payload length should be consistent with the length of 1276 the UDP datagram in which the packet is encapsulated." 1278 IPv6 is clear on the meaning of this consistency, in which the 1279 pseudoheader used for UDP checksums is based on the UDP length, not 1280 inferred from the IP length, using the same text in the current 1281 specification [RFC8200]: 1283 "The Upper-Layer Packet Length in the pseudo-header is the 1284 length of the upper-layer header and data (e.g., TCP header 1285 plus TCP data). Some upper-layer protocols carry their own 1286 length information (e.g., the Length field in the UDP header); 1287 for such protocols, that is the length used in the pseudo- 1288 header." 1290 This document hereby deprecates the requirement asserted in the UDP 1291 profile for Robust Header Compression (ROHC)[RFC3095], noted here: 1293 "The Length field of the UDP header MUST match the Length 1294 field(s) of the preceding subheaders, i.e., there must not 1295 be any padding after the UDP payload that is covered by the 1296 IP Length." 1298 ROHC relies on this "matching" of values to avoid needing to 1299 transmit both the IP length and UDP length fields, even though this 1300 is not a strict requirement of UDP [RFC768] or host requirements 1301 [RFC1122] and these preexisting standards were not updated by the 1302 ROHC specification. Section A.1.3 of that document is hereby updated 1303 to allow for UDP length to vary per packet, so that the UDP length 1304 in the table is "CHANGING" rather than "INFERRED". The text that 1305 describes the UDP length field this is updated to: 1307 This field is changing as allowed by UDP [RFC768] and used 1308 by both UDP options [RFC-TBD] and Teredo extensions [RFC6081] 1309 and is therefore classified as CHANGING. 1311 The issue of handling UDP header compression has already been 1312 correctly described in more recent specifications, e.g., Sec. 10.10 1313 of Static Context Header Compression [RFC8724]. In that description, 1314 the UDP length can be compressed out of a packet only when it can be 1315 correctly inferred from the UDP length, i.e., when neither UDP 1316 options nor Teredo extensions are present: 1318 "The parser MUST NOT label this field unless the UDP Length value 1319 matches the Payload Length value from the IPv6 header." 1321 16. Multicast Considerations 1323 UDP options are primarily intended for unicast use. Using these 1324 options over multicast IP requires careful consideration, e.g., to 1325 ensure that the options used are safe for different endpoints to 1326 interpret differently (e.g., either to support or silently ignore) 1327 or to ensure that all receivers of a multicast group confirm support 1328 for the options in use. 1330 17. Security Considerations 1332 The use of UDP packets with inconsistent IP and UDP Length fields 1333 has the potential to trigger a buffer overflow error if not properly 1334 handled, e.g., if space is allocated based on the smaller field and 1335 copying is based on the larger. However, there have been no reports 1336 of such vulnerability and it would rely on inconsistent use of the 1337 two fields for memory allocation and copying. 1339 UDP options are not covered by DTLS (datagram transport-layer 1340 security). Despite the name, neither TLS [RFC8446] (transport layer 1341 security, for TCP) nor DTLS [RFC6347] (TLS for UDP) protect the 1342 transport layer. Both operate as a shim layer solely on the payload 1343 of transport packets, protecting only their contents. Just as TLS 1344 does not protect the TCP header or its options, DTLS does not 1345 protect the UDP header or the new options introduced by this 1346 document. Transport security is provided in TCP by the TCP 1347 Authentication Option (TCP-AO [RFC5925]) or in UDP by the 1348 Authentication Extension option (Section 5.9). Transport headers are 1349 also protected as payload when using IP security (IPsec) [RFC4301]. 1351 UDP options use the TLV syntax similar to that of TCP. This syntax 1352 is known to require serial processing and may pose a DOS risk, e.g., 1353 if an attacker adds large numbers of unknown options that must be 1354 parsed in their entirety. Implementations concerned with the 1355 potential for this vulnerability MAY implement only the required 1356 options and MAY also limit processing of TLVs. Because required 1357 options come first and at most once each (with the exception of 1358 NOPs, which should never need to come in sequences of more than 1359 three in a row), this limits their DOS impact. 1361 UDP security should never rely solely on transport layer processing 1362 of options. UNSAFE options are the only type that share fate with 1363 the UDP data, because of the way that data is hidden in the surplus 1364 area until after those options are processed. All other options 1365 default to being silently ignored at the transport layer but may be 1366 dropped either if that default is overridden (e.g., by 1367 configuration) or discarded at the application layer (e.g., using 1368 information about the options processed that are passed along with 1369 the packet). 1371 UDP fragmentation introduces its own set of security concerns, which 1372 can be handled in a manner similar to IP fragmentation. In 1373 particular, the number of packets pending reassembly and effort used 1374 for reassembly is typically limited. In addition, it may be useful 1375 to assume a reasonable minimum fragment size, e.g., that non- 1376 terminal fragments should never be smaller than 500 bytes. 1378 18. IANA Considerations 1380 Upon publication, IANA is hereby requested to create a new registry 1381 for UDP Option Kind numbers, similar to that for TCP Option Kinds. 1382 Initial values of this registry are as listed in Section 5. 1383 Additional values in this registry are to be assigned from the 1384 UNASSIGNED values in Section 5 by IESG Approval or Standards Action 1385 [RFC8126]. Those assignments are subject to the conditions set forth 1386 in this document, particularly (but not limited to) those in Section 1387 6. 1389 Upon publication, IANA is hereby requested to create a new registry 1390 for UDP Experimental Option Experiment Identifiers (UDP ExIDs) for 1391 use in a similar manner as TCP ExIDs [RFC6994]. UDP ExIDs can be 1392 used in either the UDP EXP option or the UDP UNSAFE option when 1393 using UKind=UEXP. This registry is initially empty. Values in this 1394 registry are to be assigned by IANA using first-come, first-served 1395 (FCFS) rules [RFC8126]. Options using these ExIDs are subject to the 1396 same conditions as new options, i.e., they too are subject to the 1397 conditions set forth in this document, particularly (but not limited 1398 to) those in Section 6. 1400 Upon publication, IANA is hereby requested to create a new registry 1401 for UDP UNSAFE UKind numbers. There are no initial assignments in 1402 this registry. Values in this registry are to be assigned from the 1403 UNASSIGNED values in Section 5.7 by IESG Approval or Standards 1404 Action [RFC8126]. Those assignments are subject to the conditions 1405 set forth in this document, particularly (but not limited to) those 1406 in Section 6. 1408 19. References 1410 19.1. Normative References 1412 [Fa20] Fairhurst, G., T. Jones, "Datagram PLPMTUD for UDP 1413 Options," draft-fairhurst-tsvwg-udp-options-dplpmtud, Mar. 1414 2020. 1416 [RFC768] Postel, J., "User Datagram Protocol," RFC 768, August 1417 1980. 1419 [RFC791] Postel, J., "Internet Protocol," RFC 791, Sept. 1981. 1421 [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts -- 1422 Communication Layers," RFC 1122, Oct. 1989. 1424 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1425 Requirement Levels," BCP 14, RFC 2119, March 1997. 1427 [RFC3095] Bormann, C. (Ed), et al., "RObust Header Compression 1428 (ROHC): Framework and four profiles: RTP, UDP, ESP, and 1429 uncompressed," RFC 3095, July 2001. 1431 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1432 2119 Key Words," RFC 2119, May 2017. 1434 19.2. Informative References 1436 [Fa18] Fairhurst, G., T. Jones, R. Zullo, "Checksum Compensation 1437 Options for UDP Options", draft-fairhurst-udp-options-cco, 1438 Oct. 2018. 1440 [Hi15] Hildebrand, J., B. Trammel, "Substrate Protocol for User 1441 Datagrams (SPUD) Prototype," draft-hildebrand-spud- 1442 prototype-03, Mar. 2015. 1444 [RFC793] Postel, J., "Transmission Control Protocol" RFC 793, 1445 September 1981. 1447 [RFC1191] Mogul, J., S. Deering, "Path MTU discovery," RFC 1191, 1448 November 1990. 1450 [RFC2140] Touch, J., "TCP Control Block Interdependence," RFC 2140, 1451 Apr. 1997. 1453 [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery," RFC 1454 2923, September 2000. 1456 [RFC3385] Sheinwald, D., J. Satran, P. Thaler, V. Cavanna, "Internet 1457 Protocol Small Computer System Interface (iSCSI) Cyclic 1458 Redundancy Check (CRC)/Checksum Considerations," RFC 3385, 1459 Sep. 2002. 1461 [RFC3692] Narten, T., "Assigning Experimental and Testing Numbers 1462 Considered Useful," RFC 3692, Jan. 2004. 1464 [RFC3828] Larzon, L-A., M. Degermark, S. Pink, L-E. Jonsson (Ed.), 1465 G. Fairhurst (Ed.), "The Lightweight User Datagram 1466 Protocol (UDP-Lite)," RFC 3828, July 2004. 1468 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1469 Internet Protocol", RFC 4301, Dec. 2005. 1471 [RFC4340] Kohler, E., M. Handley, and S. Floyd, "Datagram Congestion 1472 Control Protocol (DCCP)", RFC 4340, March 2006. 1474 [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through 1475 Network Address Translations (NATs)," RFC 4380, Feb. 2006. 1477 [RFC4960] Stewart, R. (Ed.), "Stream Control Transmission Protocol", 1478 RFC 4960, September 2007. 1480 [RFC5925] Touch, J., A. Mankin, R. Bonica, "The TCP Authentication 1481 Option," RFC 5925, June 2010. 1483 [RFC6081] Thaler, D., "Teredo Extensions," RFC 6081, Jan 2011. 1485 [RFC6347] Rescorla, E., N. Modadugu, "Datagram Transport Layer 1486 Security Version 1.2," RFC 6347, Jan. 2012. 1488 [RFC6691] Borman, D., "TCP Options and Maximum Segment Size (MSS)," 1489 RFC 6691, July 2012. 1491 [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT 1492 Traversal", RFC 6978, July 2013. 1494 [RFC6994] Touch, J., "Shared Use of Experimental TCP Options," RFC 1495 6994, Aug. 2013. 1497 [RFC7323] Borman, D., R. Braden, V. Jacobson, R. Scheffenegger 1498 (Ed.), "TCP Extensions for High Performance," RFC 7323, 1499 Sep. 2014. 1501 [RFC8085] Eggert, L., G. Fairhurst, G. Shepherd, "UDP Usage 1502 Guidelines," RFC 8085, Feb. 2017. 1504 [RFC8126] Cotton, M., B. Leiba, T. Narten, "Guidelines for Writing 1505 an IANA Considerations Section in RFCs," RFC 8126, June 1506 2017. 1508 [RFC8200] Deering, S., R. Hinden, "Internet Protocol Version 6 1509 (IPv6) Specification," RFC 8200, Jul. 2017. 1511 [RFC8201] McCann, J., S. Deering, J. Mogul, R. Hinden (Ed.), "Path 1512 MTU Discovery for IP version 6," RFC 8201, Jul. 2017. 1514 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1515 Version 1.3," RFC 8446, Aug. 2018. 1517 [To18ao] Touch, J., "A TCP Authentication Option Extension for 1518 Payload Encryption," draft-touch-tcp-ao-encrypt, Jul. 1519 2018. 1521 [To20cb] Touch, J., M. Welzl, S. Islam, J. You, "TCP Control Block 1522 Interdependence," draft-touch-tcpm-2140bis, Apr. 2020. 1524 20. Acknowledgments 1526 This work benefitted from feedback from Bob Briscoe, Ken Calvert, 1527 Ted Faber, Gorry Fairhurst (including OCS for misbehaving middlebox 1528 traversal), C. M. Heard (including combining previous FRAG and LITE 1529 options into the new FRAG), Tom Herbert, and Mark Smith, as well as 1530 discussions on the IETF TSVWG and SPUD email lists. 1532 This work was partly supported by USC/ISI's Postel Center. 1534 This document was prepared using 2-Word-v2.0.template.dot. 1536 Authors' Addresses 1538 Joe Touch 1539 Manhattan Beach, CA 90266 USA 1541 Phone: +1 (310) 560-0334 1542 Email: touch@strayalpha.com 1544 Appendix A. Implementation Information 1546 The following information is provided to encourage interoperable API 1547 implementations. 1549 System-level variables (sysctl): 1551 Name default meaning 1552 ---------------------------------------------------- 1553 net.ipv4.udp_opt 0 UDP options available 1554 net.ipv4.udp_opt_ocs 1 Default include OCS 1555 net.ipv4.udp_opt_acs 0 Default include ACS 1556 net.ipv4.udp_opt_mss 0 Default include MSS 1557 net.ipv4.udp_opt_time 0 Default include TIME 1558 net.ipv4.udp_opt_frag 0 Default include FRAG 1559 net.ipv4.udp_opt_ae 0 Default include AE 1561 Socket options (sockopt), cached for outgoing datagrams: 1563 Name meaning 1564 ---------------------------------------------------- 1565 UDP_OPT Enable UDP options (at all) 1566 UDP_OPT_OCS Enable UDP OCS option 1567 UDP_OPT_ACS Enable UDP ACS option 1568 UDP_OPT_MSS Enable UDP MSS option 1569 UDP_OPT_TIME Enable UDP TIME option 1570 UDP_OPT_FRAG Enable UDP FRAG option 1571 UDP_OPT_AE Enable UDP AE option 1573 Send/sendto parameters: 1575 (TBD - currently using cached parameters) 1577 Connection parameters (per-socketpair cached state, part UCB): 1579 Name Initial value 1580 ---------------------------------------------------- 1581 opts_enabled net.ipv4.udp_opt 1582 ocs_enabled net.ipv4.udp_opt_ocs 1584 The following option is included for debugging purposes, and MUST 1585 NOT be enabled otherwise. 1587 System variables 1589 net.ipv4.udp_opt_junk 0 1590 System-level variables (sysctl): 1592 Name default meaning 1593 ---------------------------------------------------- 1594 net.ipv4.udp_opt_junk 0 Default use of junk 1596 Socket options (sockopt): 1598 Name params meaning 1599 ------------------------------------------------------ 1600 UDP_JUNK - Enable UDP junk option 1601 UDP_JUNK_VAL fillval Value to use as junk fill 1602 UDP_JUNK_LEN length Length of junk payload in bytes 1604 Connection parameters (per-socketpair cached state, part UCB): 1606 Name Initial value 1607 ---------------------------------------------------- 1608 junk_enabled net.ipv4.udp_opt_junk 1609 junk_value 0xABCD 1610 junk_len 4