idnits 2.17.1 draft-templin-intarea-seal-25.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 14, 2010) is 4880 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC3971' is defined on line 1676, but no explicit reference was found in the text == Unused Reference: 'RFC4987' is defined on line 1788, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2460 (Obsoleted by RFC 8200) == Outdated reference: A later version (-07) exists of draft-ietf-intarea-ipv4-id-update-01 == Outdated reference: A later version (-40) exists of draft-templin-intarea-vet-19 == Outdated reference: A later version (-17) exists of draft-templin-iron-13 -- Obsolete informational reference (is this intentional?): RFC 1063 (Obsoleted by RFC 1191) -- Obsolete informational reference (is this intentional?): RFC 1981 (Obsoleted by RFC 8201) Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group F. Templin, Ed. 3 Internet-Draft Boeing Research & Technology 4 Intended status: Standards Track December 14, 2010 5 Expires: June 17, 2011 7 The Subnetwork Encapsulation and Adaptation Layer (SEAL) 8 draft-templin-intarea-seal-25.txt 10 Abstract 12 For the purpose of this document, a subnetwork is defined as a 13 virtual topology configured over a connected IP network routing 14 region and bounded by encapsulating border nodes. These virtual 15 topologies are manifested by tunnels that may span multiple IP and/or 16 sub-IP layer forwarding hops, and can introduce failure modes due to 17 packet duplication and/or links with diverse Maximum Transmission 18 Units (MTUs). This document specifies a Subnetwork Encapsulation and 19 Adaptation Layer (SEAL) that accommodates such virtual topologies 20 over diverse underlying link technologies. 22 Status of this Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on June 17, 2011. 39 Copyright Notice 41 Copyright (c) 2010 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 57 1.1. Motivation . . . . . . . . . . . . . . . . . . . . . . . . 4 58 1.2. Approach . . . . . . . . . . . . . . . . . . . . . . . . . 6 59 2. Terminology and Requirements . . . . . . . . . . . . . . . . . 7 60 3. Applicability Statement . . . . . . . . . . . . . . . . . . . 9 61 4. SEAL Protocol Specification . . . . . . . . . . . . . . . . . 10 62 4.1. VET Interface Model . . . . . . . . . . . . . . . . . . . 10 63 4.2. SEAL Model of Operation . . . . . . . . . . . . . . . . . 11 64 4.3. SEAL Header Format . . . . . . . . . . . . . . . . . . . . 13 65 4.4. ITE Specification . . . . . . . . . . . . . . . . . . . . 14 66 4.4.1. Tunnel Interface MTU . . . . . . . . . . . . . . . . . 14 67 4.4.2. Tunnel Interface Soft State . . . . . . . . . . . . . 16 68 4.4.3. Admitting Packets into the Tunnel . . . . . . . . . . 17 69 4.4.4. Mid-Layer Encapsulation . . . . . . . . . . . . . . . 18 70 4.4.5. SEAL Segmentation . . . . . . . . . . . . . . . . . . 18 71 4.4.6. SEAL Encapsulation . . . . . . . . . . . . . . . . . . 18 72 4.4.7. Outer Encapsulation . . . . . . . . . . . . . . . . . 19 73 4.4.8. Sending SEAL Protocol Packets . . . . . . . . . . . . 20 74 4.4.9. Probing Strategy . . . . . . . . . . . . . . . . . . . 20 75 4.4.10. Processing ICMP Messages . . . . . . . . . . . . . . . 21 76 4.4.11. Black Hole Detection . . . . . . . . . . . . . . . . . 21 77 4.5. ETE Specification . . . . . . . . . . . . . . . . . . . . 21 78 4.5.1. Reassembly Buffer Requirements . . . . . . . . . . . . 21 79 4.5.2. Tunnel Interface Soft State . . . . . . . . . . . . . 22 80 4.5.3. IP-Layer Reassembly . . . . . . . . . . . . . . . . . 22 81 4.5.4. SEAL-Layer Reassembly . . . . . . . . . . . . . . . . 23 82 4.5.5. Decapsulation and Delivery to Upper Layers . . . . . . 24 83 4.6. The SEAL Control Message Protocol (SCMP) . . . . . . . . . 25 84 4.6.1. Generating SCMP Messages . . . . . . . . . . . . . . . 25 85 4.6.2. Processing SCMP Messages . . . . . . . . . . . . . . . 29 86 4.7. Tunnel Endpoint Synchronization . . . . . . . . . . . . . 32 87 5. Link Requirements . . . . . . . . . . . . . . . . . . . . . . 33 88 6. End System Requirements . . . . . . . . . . . . . . . . . . . 33 89 7. Router Requirements . . . . . . . . . . . . . . . . . . . . . 33 90 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 91 9. Security Considerations . . . . . . . . . . . . . . . . . . . 34 92 10. Related Work . . . . . . . . . . . . . . . . . . . . . . . . . 34 93 11. SEAL Advantages over Classical Methods . . . . . . . . . . . . 35 94 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 36 95 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 36 96 13.1. Normative References . . . . . . . . . . . . . . . . . . . 36 97 13.2. Informative References . . . . . . . . . . . . . . . . . . 37 98 Appendix A. Reliability . . . . . . . . . . . . . . . . . . . . . 39 99 Appendix B. Integrity . . . . . . . . . . . . . . . . . . . . . . 40 100 Appendix C. Transport Mode . . . . . . . . . . . . . . . . . . . 41 101 Appendix D. Historic Evolution of PMTUD . . . . . . . . . . . . . 41 102 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 43 104 1. Introduction 106 As Internet technology and communication has grown and matured, many 107 techniques have developed that use virtual topologies (including 108 tunnels of one form or another) over an actual network that supports 109 the Internet Protocol (IP) [RFC0791][RFC2460]. Those virtual 110 topologies have elements that appear as one hop in the virtual 111 topology, but are actually multiple IP or sub-IP layer hops. These 112 multiple hops often have quite diverse properties that are often not 113 even visible to the endpoints of the virtual hop. This introduces 114 failure modes that are not dealt with well in current approaches. 116 The use of IP encapsulation (also known as "tunneling") has long been 117 considered as the means for creating such virtual topologies. 118 However, the insertion of an outer IP header reduces the effective 119 path MTU visible to the inner network layer. When IPv4 is used, this 120 reduced MTU can be accommodated through the use of IPv4 121 fragmentation, but unmitigated in-the-network fragmentation has been 122 found to be harmful through operational experience and studies 123 conducted over the course of many years [FRAG][FOLK][RFC4963]. 124 Additionally, classical path MTU discovery [RFC1191] has known 125 operational issues that are exacerbated by in-the-network tunnels 126 [RFC2923][RFC4459]. The following subsections present further 127 details on the motivation and approach for addressing these issues. 129 1.1. Motivation 131 Before discussing the approach, it is necessary to first understand 132 the problems. In both the Internet and private-use networks today, 133 IPv4 is ubiquitously deployed as the Layer 3 protocol. The two 134 primary functions of IPv4 are to provide for 1) addressing, and 2) a 135 fragmentation and reassembly capability used to accommodate links 136 with diverse MTUs. While it is well known that the IPv4 address 137 space is rapidly becoming depleted, there is a lesser-known but 138 growing consensus that other IPv4 protocol limitations have already 139 or may soon become problematic. 141 First, the IPv4 header Identification field is only 16 bits in 142 length, meaning that at most 2^16 unique packets with the same 143 (source, destination, protocol)-tuple may be active in the Internet 144 at a given time [I-D.ietf-intarea-ipv4-id-update]. Due to the 145 escalating deployment of high-speed links (e.g., 1Gbps Ethernet), 146 however, this number may soon become too small by several orders of 147 magnitude for high data rate packet sources such as tunnel endpoints 148 [RFC4963]. Furthermore, there are many well-known limitations 149 pertaining to IPv4 fragmentation and reassembly - even to the point 150 that it has been deemed "harmful" in both classic and modern-day 151 studies (see above). In particular, IPv4 fragmentation raises issues 152 ranging from minor annoyances (e.g., in-the-network router 153 fragmentation [RFC1981]) to the potential for major integrity issues 154 (e.g., mis-association of the fragments of multiple IP packets during 155 reassembly [RFC4963]). 157 As a result of these perceived limitations, a fragmentation-avoiding 158 technique for discovering the MTU of the forward path from a source 159 to a destination node was devised through the deliberations of the 160 Path MTU Discovery Working Group (PMTUDWG) during the late 1980's 161 through early 1990's (see Appendix D). In this method, the source 162 node provides explicit instructions to routers in the path to discard 163 the packet and return an ICMP error message if an MTU restriction is 164 encountered. However, this approach has several serious shortcomings 165 that lead to an overall "brittleness" [RFC2923]. 167 In particular, site border routers in the Internet are being 168 configured more and more to discard ICMP error messages coming from 169 the outside world. This is due in large part to the fact that 170 malicious spoofing of error messages in the Internet is trivial since 171 there is no way to authenticate the source of the messages [RFC5927]. 172 Furthermore, when a source node that requires ICMP error message 173 feedback when a packet is dropped due to an MTU restriction does not 174 receive the messages, a path MTU-related black hole occurs. This 175 means that the source will continue to send packets that are too 176 large and never receive an indication from the network that they are 177 being discarded. This behavior has been confirmed through documented 178 studies showing clear evidence of path MTU discovery failures in the 179 Internet today [TBIT][WAND][SIGCOMM]. 181 The issues with both IPv4 fragmentation and this "classical" method 182 of path MTU discovery are exacerbated further when IP tunneling is 183 used [RFC4459]. For example, ingress tunnel endpoints (ITEs) may be 184 required to forward encapsulated packets into the subnetwork on 185 behalf of hundreds, thousands, or even more original sources in the 186 end site. If the ITE allows IPv4 fragmentation on the encapsulated 187 packets, persistent fragmentation could lead to undetected data 188 corruption due to Identification field wrapping. If the ITE instead 189 uses classical IPv4 path MTU discovery, it may be inconvenienced by 190 excessive ICMP error messages coming from the subnetwork that may be 191 either suspect or contain insufficient information for translation 192 into error messages to be returned to the original sources. 194 Although recent works have led to the development of a robust end-to- 195 end MTU determination scheme [RFC4821], this approach requires 196 tunnels to present a consistent MTU the same as for ordinary links on 197 the end-to-end path. Moreover, in current practice existing 198 tunneling protocols mask the MTU issues by selecting a "lowest common 199 denominator" MTU that may be much smaller than necessary for most 200 paths and difficult to change at a later date. Due to these many 201 consideration, a new approach to accommodate tunnels over links with 202 diverse MTUs is necessary. 204 1.2. Approach 206 For the purpose of this document, a subnetwork is defined as a 207 virtual topology configured over a connected network routing region 208 and bounded by encapsulating border nodes. Example connected network 209 routing regions include Mobile Ad hoc Networks (MANETs), enterprise 210 networks and the global public Internet itself. Subnetwork border 211 nodes forward unicast and multicast packets over the virtual topology 212 across multiple IP and/or sub-IP layer forwarding hops that may 213 introduce packet duplication and/or traverse links with diverse 214 Maximum Transmission Units (MTUs). 216 This document introduces a Subnetwork Encapsulation and Adaptation 217 Layer (SEAL) for tunneling network layer protocols (e.g., IP, OSI, 218 etc.) over IP subnetworks that connect Ingress and Egress Tunnel 219 Endpoints (ITEs/ETEs) of border nodes. It provides a modular 220 specification designed to be tailored to specific associated 221 tunneling protocols. A transport-mode of operation is also possible, 222 and described in Appendix C. SEAL accommodates links with diverse 223 MTUs, protects against off-path denial-of-service attacks, and can be 224 configured to enable efficient duplicate packet detection through the 225 use of a minimal mid-layer encapsulation. 227 SEAL specifically treats tunnels that traverse the subnetwork as 228 ordinary links that must support network layer services. As for any 229 link, tunnels that use SEAL must provide suitable networking services 230 including best-effort datagram delivery, integrity and consistent 231 handling of packets of various sizes. As for any link whose media 232 cannot provide suitable services natively, tunnels that use SEAL 233 employ link-level adaptation functions to meet the legitimate 234 expectations of the network layer service. As this is essentially a 235 link level adaptation, SEAL is therefore permitted to alter packets 236 within the subnetwork as long as it restores them to their original 237 form when they exit the subnetwork. The mechanisms described within 238 this document are designed precisely for this purpose. 240 SEAL encapsulation introduces an extended Identification field for 241 per-packet and/or per-ETE identification as well as a mid-layer 242 segmentation and reassembly capability that allows simplified cutting 243 and pasting of packets. Moreover, SEAL engages both tunnel endpoints 244 in ensuring a functional path MTU on the path from the ITE to the 245 ETE. This is in contrast to "stateless" approaches which seek to 246 avoid MTU issues by selecting a lowest common denominator MTU value 247 that may be overly conservative for the vast majority of tunnel paths 248 and difficult to change even when larger MTUs become available. 250 The following sections provide the SEAL normative specifications, 251 while the appendices present non-normative additional considerations. 253 2. Terminology and Requirements 255 The following terms are defined within the scope of this document: 257 subnetwork 258 a virtual topology configured over a connected network routing 259 region and bounded by encapsulating border nodes. 261 Ingress Tunnel Endpoint 262 a virtual interface over which an encapsulating border node (host 263 or router) sends encapsulated packets into the subnetwork. 265 Egress Tunnel Endpoint 266 a virtual interface over which an encapsulating border node (host 267 or router) receives encapsulated packets from the subnetwork. 269 inner packet 270 an unencapsulated network layer protocol packet (e.g., IPv6 271 [RFC2460], IPv4 [RFC0791], OSI/CLNP [RFC1070], etc.) before any 272 mid-layer or outer encapsulations are added. Internet protocol 273 numbers that identify inner packets are found in the IANA Internet 274 Protocol registry [RFC3232]. 276 mid-layer packet 277 a packet resulting from adding mid-layer encapsulating headers to 278 an inner packet. 280 outer IP packet 281 a packet resulting from adding an outer IP header (and possibly 282 other outer headers) to a mid-layer packet. 284 packet-in-error 285 the leading portion of an invoking data packet encapsulated in the 286 body of an error control message (e.g., an ICMPv4 [RFC0792] error 287 message, an ICMPv6 [RFC4443] error message, etc.). 289 Packet Too Big (PTB) 290 a control plane message indicating an MTU restriction, e.g., an 291 ICMPv6 "Packet Too Big" message [RFC4443], an ICMPv4 292 "Fragmentation Needed" message [RFC0792], an SCMP "Packet Too Big" 293 message (see: Section 4.5), etc. 295 IP, IPvX, IPvY 296 used to generically refer to either IP protocol version, i.e., 297 IPv4 or IPv6. 299 The following abbreviations correspond to terms used within this 300 document and elsewhere in common Internetworking nomenclature: 302 DF - the IPv4 header "Don't Fragment" flag [RFC0791] 304 ETE - Egress Tunnel Endpoint 306 HLEN - the sum of MHLEN and OHLEN 308 ITE - Ingress Tunnel Endpoint 310 LINK_ID - a short integer that identifies an ITE's underlying link 312 MHLEN - the length of any mid-layer headers and trailers 314 MRU - Maximum Reassembly Unit 316 MTU - Maximum Transmission Unit 318 NONCE - a short integer nonce value that identifies an ETE 320 OHLEN - the length of any outer encapsulating headers and trailers 322 S_IFT - SEAL Inner Fragmentation Threshold 324 S_MRU - SEAL Maximum Reassembly Unit 326 S_MSS - SEAL Maximum Segment Size 328 SCMP - the SEAL Control Message Protocol 330 SEAL - Subnetwork Encapsulation and Adaptation Layer 332 SEAL_ID - a SEAL ETE identification value 334 SEAL_PORT - a TCP/UDP service port number used for SEAL 336 SEAL_PROTO - an IPv4 protocol number used for SEAL 338 TE - Tunnel Endpoint (i.e., either ingress or egress) 340 VET - Virtual Enterprise Traversal 342 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 343 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 344 document are to be interpreted as described in [RFC2119]. When used 345 in lower case (e.g., must, must not, etc.), these words MUST NOT be 346 interpreted as described in [RFC2119], but are rather interpreted as 347 they would be in common English. 349 3. Applicability Statement 351 SEAL was originally motivated by the specific case of subnetwork 352 abstraction for Mobile Ad hoc Networks (MANETs), however it soon 353 became apparent that the domain of applicability also extends to 354 subnetwork abstractions over enterprise networks, ISP networks, SOHO 355 networks, the global public Internet itself, and any other connected 356 network routing region. SEAL along with the Virtual Enterprise 357 Traversal (VET) [I-D.templin-intarea-vet] tunnel virtual interface 358 abstraction are the functional building blocks for a new 359 Internetworking architecture based on Routing and Addressing in 360 Networks with Global Enterprise Recursion (RANGER) 361 [RFC5720][I-D.russert-rangers] and the Internet Routing Overlay 362 Network (IRON) [I-D.templin-iron]. 364 SEAL provides a network sublayer for encapsulation of an inner 365 network layer packet within outer encapsulating headers. For 366 example, for IPvX in IPvY encapsulation (e.g., as IPv4/SEAL/IPv6), 367 the SEAL header appears as a subnetwork encapsulation as seen by the 368 inner IP layer. SEAL can also be used as a sublayer within a UDP 369 data payload (e.g., as IPv4/UDP/SEAL/IPv6 similar to Teredo 370 [RFC4380]), where UDP encapsulation is typically used for Network 371 Address Translator (NAT) traversal as well as operation over 372 subnetworks that give preferential treatment to the "core" Internet 373 protocols (i.e., TCP and UDP). The SEAL header is processed the same 374 as for IPv6 extension headers, i.e., it is not part of the outer IP 375 header but rather allows for the creation of an arbitrarily 376 extensible chain of headers in the same way that IPv6 does. 378 SEAL supports a segmentation and reassembly capability for adapting 379 the network layer to the underlying subnetwork characteristics, where 380 the Egress Tunnel Endpoint (ETE) determines how much or how little 381 reassembly it is willing to support. In the limiting case, the ETE 382 can avoid reassembly altogether and act as a passive observer that 383 simply informs the Ingress Tunnel Endpoint (ITE) of any MTU 384 limitations and otherwise discards all packets that arrive as 385 multiple fragments. This mode is useful for determining an 386 appropriate MTU for tunnels between performance-critical routers 387 connected to high data rate subnetworks such as the Internet DFZ, for 388 unidirectional tunnels in which the ETE is stateless, and for other 389 uses in which reassembly would present too great of a burden for the 390 routers or end systems. 392 When the ETE supports reassembly, the tunnel can be used to transport 393 packets that are too large to traverse the path without 394 fragmentation. In this mode, the ITE determines the tunnel MTU based 395 on the largest packet the ETE is capable of reassembling rather than 396 on the MTU of the smallest link in the path. Therefore, tunnel 397 endpoints that use SEAL can transport packets that are much larger 398 than the underlying subnetwork links themselves can carry in a single 399 piece. 401 SEAL tunnels may be configured over paths that include not only 402 ordinary physical links, but also virtual links that may include 403 other tunnels. An example application would be linking two 404 geographically remote supercomputer centers with large MTU links by 405 configuring a SEAL tunnel across the Internet. A second example 406 would be support for sub-IP segmentation over low-end links, i.e., 407 especially over wireless transmission media such as IEEE 802.15.4, 408 broadcast radio links in Mobile Ad-hoc Networks (MANETs), Very High 409 Frequency (VHF) civil aviation data links, etc. 411 Many other use case examples are anticipated, and will be identified 412 as further experience is gained. 414 4. SEAL Protocol Specification 416 The following sections specify the operation of the SEAL protocol. 418 4.1. VET Interface Model 420 SEAL is an encapsulation sublayer used within VET non-broadcast, 421 multiple access (NBMA) virtual interfaces. Each VET interface 422 connects an ITE to one or more ETE "neighbors" via tunneling across 423 an underlying enterprise network, or "subnetwork". The tunnel 424 neighbor relationship between the ITE and each ETE may be either 425 unidirectional or bidirectional. 427 A unidirectional tunnel neighbor relationship requires no prior 428 coordination between the ITE and ETE; it allows the ITE to send both 429 data and control messages forward to the ETE, but only allows the ETE 430 to send back control messages. A bidirectional tunnel neighbor 431 relationship requires prior coordination between the TEs (see: 432 Section 4.7), and is one over which both TEs can exchange both data 433 and control messages. 435 Implications of the VET unidirectional and bidirectional models for 436 SEAL will be discussed in the following sections. 438 4.2. SEAL Model of Operation 440 SEAL supports a multi-level segmentation and reassembly capability 441 for the transmission of unicast and multicast packets across an 442 underlying IP subnetwork with heterogeneous links. First, the ITE 443 can use IPv4 fragmentation to fragment inner IPv4 packets before SEAL 444 encapsulation if necessary. Secondly, the SEAL layer itself provides 445 a simple cutting-and-pasting capability for mid-layer packets that 446 can be used to avoid IP fragmentation on the outer packet. Finally, 447 ordinary IP fragmentation is permitted on the outer packet after SEAL 448 encapsulation and is used to detect and tune out any in-the-network 449 fragmentation. 451 SEAL-enabled ITEs encapsulate each inner packet in any mid-layer 452 headers and trailers, segment the resulting mid-layer packet into 453 multiple segments if necessary, then append a SEAL header and any 454 outer encapsulations to each segment. As an example, for IPv6 within 455 IPv4 encapsulation a single-segment inner IPv6 packet encapsulated in 456 any mid-layer headers and trailers, followed by the SEAL header, 457 followed by any outer headers and trailers, followed by an outer IPv4 458 header would appear as shown in Figure 1: 460 +--------------------+ 461 ~ outer IPv4 header ~ 462 +--------------------+ 463 I ~ other outer hdrs ~ 464 n +--------------------+ 465 n ~ SEAL Header ~ 466 e +--------------------+ +--------------------+ 467 r ~ mid-layer headers ~ ~ mid-layer headers ~ 468 +--------------------+ +--------------------+ 469 I --> | | --> | | 470 P --> ~ inner IPv6 ~ --> ~ inner IPv6 ~ 471 v --> ~ Packet ~ --> ~ Packet ~ 472 6 --> | | --> | | 473 +--------------------+ +--------------------+ 474 P ~ mid-layer trailers ~ ~ mid-layer trailers ~ 475 a +--------------------+ +--------------------+ 476 c ~ outer trailers ~ 477 k Mid-layer packet +--------------------+ 478 e after mid-layer encaps. 479 t Outer IPv4 packet 480 after SEAL and outer encaps. 482 Figure 1: SEAL Encapsulation - Single Segment 484 As a second example, for IPv4 within IPv6 encapsulation an inner IPv4 485 packet requiring three SEAL segments would appear as three separate 486 outer IPv6 packets, where the mid-layer headers are carried only in 487 segment 0 and the mid-layer trailers are carried in segment 2 as 488 shown in Figure 2: 489 +------------------+ +------------------+ 490 ~ outer IPv6 hdr ~ ~ outer IPv6 hdr ~ 491 +------------------+ +------------------+ +------------------+ 492 ~ other outer hdrs ~ ~ outer IPv6 hdr ~ ~ other outer hdrs ~ 493 +------------------+ +------------------+ +------------------+ 494 ~ SEAL hdr (SEG=0) ~ ~ other outer hdrs ~ ~ SEAL hdr (SEG=2) ~ 495 +------------------+ +------------------+ +------------------+ 496 ~ mid-layer hdrs ~ ~ SEAL hdr (SEG=1) ~ | inner IPv4 | 497 +------------------+ +------------------+ ~ Packet ~ 498 | inner IPv4 | | inner IPv4 | | (Segment 2) | 499 ~ Packet ~ ~ Packet ~ +------------------+ 500 | (Segment 0) | | (Segment 1) | ~ mid-layer trails ~ 501 +------------------+ +------------------+ +------------------+ 502 ~ outer trailers ~ ~ outer trailers ~ ~ outer trailers ~ 503 +------------------+ +------------------+ +------------------+ 505 Segment 0 (includes Segment 1 (no mid- Segment 2 (includes 506 mid-layer hdrs) layer encaps) mid-layer trails) 508 Figure 2: SEAL Encapsulation - Multiple Segments 510 The ITE inserts the SEAL header according to the specific tunneling 511 protocol. Examples include the following: 513 o For simple encapsulation of an inner network layer packet within 514 an outer IPvX header (e.g., [RFC1070][RFC2003][RFC2473][RFC4213], 515 etc.), the ITE inserts the SEAL header between the inner packet 516 and outer IPvX headers as: IPvX/SEAL/{inner packet}. 518 o For encapsulations over transports such as UDP (e.g., [RFC4380]), 519 the ITE inserts the SEAL header between the outer transport layer 520 header and the mid-layer packet, e.g., as IPvX/UDP/SEAL/{mid-layer 521 packet}. Here, the UDP header is seen as an "other outer header". 523 The SEAL header includes a (LINK_ID, NONCE, SEAL_ID)-tuple that the 524 ITE maintains as a per-ETE identifier. The ITE can also include an 525 extended packet Identification field in the SEAL header, which 526 routers within the subnetwork can use for duplicate packet detection 527 and both TEs can use for SEAL segmentation/reassembly. 529 The following sections specify the SEAL header format and SEAL- 530 related operations of the ITE and ETE. 532 4.3. SEAL Header Format 534 The SEAL header is formatted as follows: 536 0 1 2 3 537 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 538 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 539 |VER|C|A|I|R|F|M| NEXTHDR/SEG | LINK_ID | NONCE | 540 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 541 | SEAL_ID | 542 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 543 | Identification (when present) | 544 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 546 Figure 3: SEAL Header Format 548 where the header fields are defined as: 550 VER (2) 551 a 2-bit version field. This document specifies Version 0 of the 552 SEAL protocol, i.e., the VER field encodes the value 0. 554 C (1) 555 the "Control/Data" bit. Set to 1 by the ITE in SEAL Control 556 Message Protocol (SCMP) control messages, and set to 0 in ordinary 557 data packets. 559 A (1) 560 the "Acknowledgement Requested" bit. Set to 1 by the ITE in data 561 packets for which it wishes to receive an explicit acknowledgement 562 from the ETE. 564 I (1) 565 the "Identification Field Included" bit. Set to 1 if the SEAL 566 header includes a 32-bit packet Identification field (see below); 567 set to 0 otherwise. 569 R (1) 570 the "Redirects Permitted" bit. Set to 1 if the ITE is willing to 571 accept SCMP redirects (see: Section 4.6); set to 0 otherwise. 573 F (1) 574 the "First Segment" bit. Set to 1 if this SEAL protocol packet 575 contains the first segment (i.e., Segment #0) of a mid-layer 576 packet. 578 M (1) 579 the "More Segments" bit. Set to 1 if this SEAL protocol packet 580 contains a non-final segment of a multi-segment mid-layer packet. 582 NEXTHDR/SEG (8) an 8-bit field. When 'F'=1, encodes the next header 583 Internet Protocol number the same as for the IPv4 protocol and 584 IPv6 next header fields. When 'F'=0, encodes a segment number of 585 a multi-segment mid-layer packet. (The segment number 0 is 586 reserved.) 588 LINK_ID (8) 589 an 8-bit link identifier. An integer value between 1 and 255 used 590 by the ITE to identify the underlying link selected for tunneling 591 the current packet. The ITE may also use the value 0 to indicate 592 "underlying link unspecified", e.g., when the ETE does not keep 593 track of tunnel state. 595 NONCE (8) 596 an 8-bit nonce field. Set to a random value by the ITE when the 597 tunnel to the ETE is established, and used as a per-ETE 598 identification adjunct to the SEAL_ID. 600 SEAL_ID (32) 601 a 32-bit field that along with the NONCE identifies the ETE. 603 Identification (32) 604 a 32-bit per-packet identifier. Present only when the I bit is 605 set to 1 (see above). 607 Setting of the various bits and fields of the SEAL header is 608 specified in the following sections. 610 4.4. ITE Specification 612 4.4.1. Tunnel Interface MTU 614 The tunnel interface must present a fixed MTU to the inner network 615 layer as the size for admission of inner packets into the interface. 616 Since VET NBMA tunnel virtual interfaces may support a large set of 617 ETEs that accept widely varying maximum packet sizes, however, a 618 number of factors should be taken into consideration when selecting a 619 tunnel interface MTU. 621 Due to the ubiquitous deployment of standard Ethernet and similar 622 networking gear, the nominal Internet cell size has become 1500 623 bytes; this is the de facto size that end systems have come to expect 624 will either be delivered by the network without loss due to an MTU 625 restriction on the path or a suitable ICMP Packet Too Big (PTB) 626 message returned. When the 1500 byte packets sent by end systems 627 incur additional encapsulation at an ITE, however, they may be 628 dropped silently since the network may not always deliver the 629 necessary PTBs [RFC2923]. 631 The ITE should therefore set a tunnel interface MTU of at least 1500 632 bytes plus extra room to accommodate any additional encapsulations 633 that may occur on the path from the original source. The ITE can 634 also set smaller MTU values; however, care must be taken not to set 635 so small a value that original sources would experience an MTU 636 underflow. In particular, IPv6 sources must see a minimum path MTU 637 of 1280 bytes, and IPv4 sources should see a minimum path MTU of 576 638 bytes. 640 The ITE can alternatively set an indefinite MTU on the tunnel 641 interface such that all inner packets are admitted into the interface 642 without regard to size. For ITEs that host applications that use the 643 tunnel interface directly, this option must be carefully coordinated 644 with protocol stack upper layers since some upper layer protocols 645 (e.g., TCP) derive their packet sizing parameters from the MTU of the 646 outgoing interface and as such may select too large an initial size. 647 This is not a problem for upper layers that use conservative initial 648 maximum segment size estimates and/or when the tunnel interface can 649 reduce the upper layer's maximum segment size, e.g., by reducing the 650 size advertised in the MSS option of outgoing TCP messages. 652 The inner network layer protocol consults the tunnel interface MTU 653 when admitting a packet into the interface. For non-SEAL inner IPv4 654 packets with the IPv4 Don't Fragment (DF) bit set to 0, if the packet 655 is larger than the tunnel interface MTU the inner IPv4 layer uses 656 IPv4 fragmentation to break the packet into fragments no larger than 657 the tunnel interface MTU. The ITE then admits each fragment into the 658 interface as an independent packet. 660 For all other inner packets, the inner network layer admits the 661 packet if it is no larger than the tunnel interface MTU; otherwise, 662 it drops the packet and sends a PTB error message to the source with 663 the MTU value set to the tunnel interface MTU. The message must 664 contain as much of the invoking packet as possible without the entire 665 message exceeding the network layer minimum MTU (e.g., 576 bytes for 666 IPv4, 1280 bytes for IPv6, etc.). For SEAL packets that would 667 undergo recursive encapsulation, however, the inner layer must send a 668 SEAL PTB message instead of a PTB of the inner network layer (see: 669 Section 4.4.3). 671 In light of the above considerations, the ITE SHOULD configure an 672 indefinite MTU on tunnel *router* interfaces, since these may be 673 required to carry recursively-nested SEAL encapsulations. The ITE 674 MAY instead set a finite MTU on tunnel *host* interfaces. Any 675 necessary tunnel adaptations are then performed by the SEAL layer 676 within the tunnel interface as described in the following sections. 678 4.4.2. Tunnel Interface Soft State 680 The ITE maintains per-ETE soft state within the tunnel interface, 681 e.g., in a neighbor cache. (The ITE can instead maintain only per- 682 tunnel interface instead of per-ETE packet identification and sizing 683 variables if it is willing to use lowest-common-denominator values 684 that are acceptable for all ETEs.) The soft state includes the 685 following: 687 o a Mid-layer Header Length (MHLEN); set to the length of any mid- 688 layer encapsulation headers and trailers that must be added before 689 SEAL segmentation. 691 o an Outer Header Length (OHLEN); set to the length of the outer IP, 692 SEAL and other outer encapsulation headers and trailers. 694 o a total Header Length (HLEN); set to MHLEN plus OHLEN. 696 o a SEAL Maximum Segment Size (S_MSS). The ITE initializes S_MSS to 697 the minimum MTU of the underlying interfaces if the underlying 698 interface MTUs can be determined (otherwise, the ITE initializes 699 S_MSS to "infinity"). The ITE decreases or increased S_MSS based 700 on any SCMP "Packet Too Big (PTB)" messages received (see Section 701 4.6). 703 o a SEAL Maximum Reassembly Unit (S_MRU). If the ITE is not 704 configured to use SEAL segmentation, it initializes S_MRU to the 705 constant value 0 and ignores any S_MRU values reported by the ETE. 706 Otherwise, the ITE initializes S_MRU to "infinity" and decreases 707 or increases S_MRU based on any SCMP PTB messages received from 708 the ETE (see Section 4.6). When (S_MRU>(S_MSS*256)), the ITE uses 709 (S_MSS*256) as the effective S_MRU value. 711 o a SEAL Inner Fragmentation Threshold (S_IFT); used to determine a 712 maximum fragment size for fragmentable IPv4 packets. Required 713 only for tunnels that support encapsulation with IPv4 as the inner 714 network layer protocol. The ITE should use a "safe" estimate for 715 S_IFT that would be highly unlikely to trigger additional 716 fragmentation on the path to the ETE. In particular, it is 717 RECOMMENDED that the ITE set S_IFT to 512 unless it can determine 718 a more accurate safe value, e.g., via probing. 720 o a set of 8 bit LINK_IDs that identify the ITE's underlying links 721 and are used to fill the SEAL header field of the same name for 722 packets sent to this ETE. The ITE selects a separate randomly- 723 initialized LINK_ID for each underlying link, and the ETE uses the 724 LINK_ID to identify the ITE's underlying link of origin. 726 o an 8 bit NONCE that encodes a randomly-initialized constant value 727 and is used to fill the SEAL header field of the same name for 728 packets sent to this ETE. 730 o a 32 bit SEAL_ID that is randomly-initialized constant ETE 731 identifier used to fill the SEAL header field of the same name for 732 packets sent to this ETE. 734 o Optionally, a 32 bit Identification value that is randomly- 735 initialized and maintained as a monotonically-increasing packet 736 identifier. 738 Note that S_MSS and S_MRU include the length of the outer and mid- 739 layer encapsulating headers and trailers (i.e., HLEN), since the ETE 740 must retain the headers and trailers during reassembly. Note also 741 that the ITE maintains S_MSS and S_MRU as 32-bit values such that 742 inner packets larger than 64KB (e.g., IPv6 jumbograms [RFC2675]) can 743 be accommodated when appropriate for a given subnetwork. 745 4.4.3. Admitting Packets into the Tunnel 747 Once an inner packet/fragment has been admitted into the tunnel 748 interface, it transitions from the inner network layer and becomes 749 subject to SEAL layer processing. The ITE then examines each packet 750 to determine whether it is too large for SEAL encapsulation, then 751 prepares the packet for admission into the tunnel according to 752 whether it is "fragmentable" (discussed in the next paragraph) or 753 "unfragmentable" (discussed in the following paragraph). 755 If the packet is a non-SEAL IPv4 packet with DF=0 in the IPv4 header 756 (*), and the packet is larger than S_IFT, the ITE uses fragmentation 757 to break the packet into IPv4 fragments no larger than S_IFT bytes 758 then submits each fragment for encapsulation separately. 760 For all other packets, if the packet is larger than (MAX(S_MRU, 761 S_MSS) - HLEN), the ITE drops it and sends a PTB message to the 762 source (**) with an MTU value of (MAX(S_MRU, S_MSS) - HLEN); 763 otherwise, it submits the packet for encapsulation. The ITE must 764 include the length of the uncompressed headers and trailers when 765 calculating HLEN even if the tunnel is using header compression. The 766 ITE is also permitted to admit inner packets into the tunnel that can 767 be accommodated in a single SEAL segment (i.e., no larger than S_MSS) 768 even if they are larger than the ETE would be willing to reassemble 769 if fragmented (i.e., larger than S_MRU) - see: Section 4.5.1. 771 (*) In order to support nested encapsulations, inner SEAL-protocol 772 IPv4 packets with DF=0 must be treated as unfragmentable and subject 773 to drop due to an MTU restriction as for all other packets. 775 (**) When the ITE needs to drop a packet and send a PTB message, it 776 sends an SCMP PTB message if the packet itself is a SEAL encapsulated 777 packet (see: Section 4.6.1.1). Otherwise, it sends a PTB 778 corresponding to the inner network layer protocol packet. 780 4.4.4. Mid-Layer Encapsulation 782 After inner IP fragmentation (if necessary), the ITE next 783 encapsulates each inner packet/fragment in the MHLEN bytes of mid- 784 layer headers and trailers. The ITE then submits the mid-layer 785 packet for SEAL segmentation and encapsulation. 787 4.4.5. SEAL Segmentation 789 If the ITE is configured to use SEAL segmentation, it checks the 790 length of the resulting packet after mid-layer encapsulation to 791 determine whether segmentation is needed. If the length of the 792 resulting mid-layer packet plus OHLEN is larger than S_MSS but no 793 larger than S_MRU the ITE performs SEAL segmentation by breaking the 794 mid-layer packet into N segments (N <= 256) that are no larger than 795 (S_MSS - OHLEN) bytes each. Each segment, except the final one, MUST 796 be of equal length. The first byte of each segment MUST begin 797 immediately after the final byte of the previous segment, i.e., the 798 segments MUST NOT overlap. The ITE SHOULD generate the smallest 799 number of segments possible, e.g., it SHOULD NOT generate 6 smaller 800 segments when the packet could be accommodated with 4 larger 801 segments. 803 This SEAL segmentation process ignores the fact that the mid-layer 804 packet may be unfragmentable outside of the subnetwork. The process 805 is a mid-layer (not an IP layer) operation employed by the ITE to 806 adapt the mid-layer packet to the subnetwork path characteristics, 807 and the ETE will restore the packet to its original form during 808 reassembly. Therefore, the fact that the packet may have been 809 segmented within the subnetwork is not observable outside of the 810 subnetwork. 812 4.4.6. SEAL Encapsulation 814 Following SEAL segmentation, the ITE next encapsulates each segment 815 in a SEAL header formatted as specified in Section 4.3. For the 816 first segment, the ITE sets F=1, then sets NEXTHDR to the Internet 817 Protocol number of the encapsulated inner packet, and finally sets 818 M=1 if there are more segments or sets M=0 otherwise. For each non- 819 initial segment of an N-segment mid-layer packet (N <= 256), the ITE 820 sets (F=0; M=1; SEG=1) in the SEAL header of the first non-initial 821 segment, sets (F=0; M=1; SEG=2) in the next non-initial segment, 822 etc., and sets (F=0; M=0; SEG=N-1) in the final segment. (Note that 823 the value SEG=0 is not used, since the initial segment encodes a 824 NEXTHDR value and not a SEG value.) 826 For each segment, the ITE then sets C=0, sets R=1 if it is willing to 827 accept SCMP redirects (see Section 4.6) and sets A=1 if explicit 828 probing is desired (see Section 4.4.9). The ITE then sets the 829 LINK_ID field to an integer between 1 and 255 that identifies the 830 underlying link over which this packet will be tunneled. (The ITE 831 may instead set LINK_ID to 0 if the ETE is not tracking state, e.g., 832 if the tunnel neighbor relationship is unidirectional.) The ITE next 833 sets both the NONCE and SEAL_ID fields to randomly-initialized 834 constant values for this ETE. 836 Finally, the ITE maintains a randomly-initialized Identification 837 value as per-ETE soft state (e.g., in the neighbor cache). For each 838 SEAL packet that requires SEAL segmentation, the ITE then sets I=1 839 and includes the current Identification value in a trailing 32-bit 840 field in the SEAL header of the current segment. The ITE then 841 monotonically increments the Identification value for each successive 842 SEAL segment it sends to the ETE. For each SEAL packet that will be 843 sent as a single segment, however, the ITE MAY set I=0 and omit the 844 trailing 32-bit Identification field. 846 4.4.7. Outer Encapsulation 848 Following SEAL encapsulation, the ITE next encapsulates each SEAL 849 segment in the requisite outer headers and trailers according to the 850 specific encapsulation format (e.g., [RFC1070], [RFC2003], [RFC2473], 851 [RFC4213], etc.), except that it writes 'SEAL_PROTO' in the protocol 852 field of the outer IP header (when simple IP encapsulation is used) 853 or writes 'SEAL_PORT' in the outer destination service port field 854 (e.g., when IP/UDP encapsulation is used). 856 When IPv4 is used as the outer encapsulation layer, the ITE finally 857 sets the DF flag in the IPv4 header of each segment. If the path to 858 the ETE correctly implements IP fragmentation (see: Section 4.4.9), 859 the ITE sets DF=0; otherwise, it sets DF=1. 861 When IPv6 is used as the outer encapsulation layer, the "DF" flag is 862 absent but the packet will not be fragmented within the subnetwork 863 since IPv6 deprecates in-the-network fragmentation. 865 4.4.8. Sending SEAL Protocol Packets 867 Following outer encapsulation, the ITE sends each outer packet that 868 encapsulates a segment of the same mid-layer packet over the same 869 underlying link in canonical order, i.e., segment 0 first, followed 870 by segment 1, etc., and finally segment N-1. 872 4.4.9. Probing Strategy 874 When IPv4 is used as the outer encapsulation layer, the ITE should 875 perform a qualification exchange over each underlying link to 876 determine whether each subnetwork path to the ETE correctly 877 implements IPv4 fragmentation. The qualification exchange can be 878 performed either as an initial probe or in-band with real data 879 packets, and should be repeated periodically since the subnetwork 880 paths may change due to dynamic routing. 882 To perform this qualification, the ITE prepares a probe packet that 883 is no larger than 576 bytes (e.g., a NULL packet with A=1 and 884 NEXTHDR="No Next Header" [RFC2460] in the SEAL header), then splits 885 the packet into two outer IPv4 fragments and sends both fragments to 886 the ETE over the same underlying link. If the ETE returns an SCMP 887 PTB message with Code=1 (see Section 4.6.1.1), then the subnetwork 888 path correctly implements IPv4 fragmentation and subsequent data 889 packets can be sent with DF=0 in the outer header to enable the 890 preferred method of probing. If the ETE returns an SCMP PTB message 891 with Code=2, however, the ITE is obliged to set DF=1 for future 892 packets sent over that underlying link since a middlebox in the 893 network is reassembling the IPv4 fragments before they are delivered 894 to the ETE. 896 In addition to any control plane probing, all SEAL encapsulated data 897 packets sent by the ITE are considered implicit probes. SEAL 898 encapsulated packets that use IPv4 as the outer layer of 899 encapsulation with DF=0 will elicit SCMP PTB messages from the ETE if 900 any IPv4 fragmentation occurs in the path. SEAL encapsulated packets 901 that use either IPv6 or IPv4 with DF=1 as the outer layer of 902 encapsulation may be dropped by a router on the path to the ETE which 903 will also return an ICMP PTB message to the ITE. If the message 904 includes enough information (see Section 4.4.10), the ITE can then 905 use the (LINK_ID, NONCE, SEAL_ID)-tuple within the packet-in-error to 906 determine whether the PTB message corresponds to one of its recent 907 packet transmissions. 909 The ITE should also send explicit probes, periodically, to verify 910 that the ETE is still reachable. The ITE sets A=1 in the SEAL header 911 of a segment to be used as an explicit probe, where the probe can be 912 either an ordinary data packet segment or a NULL packet (see above). 914 The probe will elicit an SCMP PTB message from the ETE as an 915 acknowledgement (see Section 4.6.1). 917 4.4.10. Processing ICMP Messages 919 When the ITE sends outer IP packets, it may receive ICMP error 920 messages [RFC0792][RFC4443] from either the ETE or routers within the 921 subnetwork. The ICMP messages include an outer IP header, followed 922 by an ICMP header, followed by a portion of the outer IP packet that 923 generated the error (also known as the "packet-in-error"). The ITE 924 can use the (LINK_ID, NONCE, SEAL_ID)-tuple encoded in the SEAL 925 header within the packet-in-error to confirm that the ICMP message 926 came from either the ETE or an on-path router, and can use any 927 additional information to determine whether to accept or discard the 928 message. 930 The ITE should specifically process raw ICMPv4 Protocol Unreachable 931 messages and ICMPv6 Parameter Problem messages with Code 932 "Unrecognized Next Header type encountered" as a hint that the ETE 933 does not implement the SEAL protocol; specific actions that the ITE 934 may take in this case are out of scope. 936 4.4.11. Black Hole Detection 938 In some subnetwork paths, ICMP error messages may be lost due to 939 filtering or may not contain enough information due to a router in 940 the path not observing the recommendations of [RFC1812]. The ITE can 941 use explicit probing as described in Section 4.4.9 to determine 942 whether the path to the ETE is silently dropping packets (also known 943 as a "black hole"). For example, when the ITE is obliged to set DF=1 944 in the outer headers of data packets it should send explicit probe 945 packets, periodically, in order to detect path MTU increases or 946 decreases. 948 4.5. ETE Specification 950 4.5.1. Reassembly Buffer Requirements 952 The ETE SHOULD support the minimum IP-layer reassembly requirements 953 specified for IPv4 (i.e., 576 bytes [RFC1812]) and IPv6 (i.e., 1500 954 bytes [RFC2460]). The ETE SHOULD also support SEAL-layer reassembly 955 for inner packets of at least 1280 bytes in length and MAY support 956 reassembly for larger inner packets. The ETE records the SEAL-layer 957 reassembly buffer size in a soft-state variable "S_MRU" (see: Section 958 4.5.2). 960 The ETE may instead omit the reassembly function altogether and set 961 S_MRU=0, but this may cause tunnel MTU underruns in some environments 962 resulting in an unusable link. When reassembly is supported, the ETE 963 must retain the outer IP, SEAL and other outer headers and trailers 964 during both IP-layer and SEAL-layer reassembly for the purpose of 965 associating the fragments/segments of the same packet, and must also 966 configure a SEAL-layer reassembly buffer that is no smaller than the 967 IP-layer reassembly buffer. Hence, the ETE: 969 o SHOULD configure an outer IP-layer reassembly buffer of at least 970 the minimum specified for the outer IP protocol version. 972 o SHOULD configure a SEAL-layer reassembly buffer S_MRU size of at 973 least (1280 + HELN) bytes, and 975 o MUST be capable of discarding inner packets that require IP-layer 976 and/or SEAL-layer reassembly and that are larger than (S_MRU - 977 HLEN). 979 The ETE is permitted to accept inner packets that did not undergo IP- 980 layer and/or SEAL-layer reassembly even if they are larger than 981 (S_MRU - HELN) bytes. Hence, S_MRU is a maximum *reassembly* size, 982 and may be less than the largest packet size the ETE is able to 983 receive when no reassembly is required. 985 4.5.2. Tunnel Interface Soft State 987 The ETE maintains a single per-interface S_MRU value to be applied 988 for all unidirectional tunnel neighbors, and can also maintain per- 989 ITE S_MRU values for any bidirectional tunnel neighbors (see: Section 990 4.7). For each bidirectional ITE neighbor, the ETE also maintains 991 per-ITE soft state to track the (LINK_ID, NONCE, SEAL_ID)-tuple used 992 by the ITE. 994 For each bidirectional tunnel neighbor, the ETE also tracks the outer 995 IP source addresses (and also port numbers when outer UDP 996 encapsulation is used) of packets received from the ITE and 997 associates the most recent values received with the corresponding 998 (LINK_ID, NONCE, SEAL_ID)-tuple. In this way, the tuple provides a 999 stable handle for the tunnel near end to use for return traffic to 1000 the tunnel far end even if the outer IP source address and port 1001 numbers in packets received from the tunnel far end change. 1003 4.5.3. IP-Layer Reassembly 1005 The ETE submits unfragmented SEAL protocol IP packets for SEAL-layer 1006 reassembly as specified in Section 4.5.4. The ETE instead performs 1007 standard IP-layer reassembly for multi-fragment SEAL protocol IP 1008 packets as follows. 1010 The ETE should maintain conservative IP-layer reassembly cache high- 1011 and low-water marks. When the size of the reassembly cache exceeds 1012 this high-water mark, the ETE should actively discard incomplete 1013 reassemblies (e.g., using an Active Queue Management (AQM) strategy) 1014 until the size falls below the low-water mark. The ETE should also 1015 actively discard any pending reassemblies that clearly have no 1016 opportunity for completion, e.g., when a considerable number of new 1017 fragments have been received before a fragment that completes a 1018 pending reassembly has arrived. Following successful IP-layer 1019 reassembly, the ETE submits the reassembled packet for SEAL-layer 1020 reassembly as specified in Section 4.5.4. 1022 When the ETE processes the IP first fragment (i.e., one with MF=1 and 1023 Offset=0 in the IP header) of a fragmented SEAL packet, it sends an 1024 SCMP PTB message back to the ITE (see Section 4.6.1.1). When the ETE 1025 processes an IP fragment that would cause the reassembled outer 1026 packet to be larger than the IP-layer reassembly buffer following 1027 reassembly, it discontinues the reassembly and discards any further 1028 fragments of the same packet. 1030 4.5.4. SEAL-Layer Reassembly 1032 Following IP reassembly (if necessary), the ETE examines each mid- 1033 layer data packet (i.e., those with C=0 in the SEAL header) packet) 1034 to determine whether an SCMP error message is required. If the mid- 1035 layer data packet has an incorrect value in the SEAL header the ETE 1036 discards the packet and returns an SCMP "Parameter Problem" message 1037 (see Section 4.6.1). Next, if the SEAL header has A=1 and the packet 1038 did not arrive as multiple outer IP fragments, the ETE sends an SCMP 1039 PTB message with Code=2 back to the ITE (see Section 4.6.1.1). The 1040 ETE next submits single-segment mid-layer packets for decapsulation 1041 and delivery to upper layers (see Section 4.5.5). The ETE instead 1042 performs SEAL-layer reassembly for multi-segment mid-layer packets 1043 with I=1 in the SEAL header as follows. 1045 The ETE adds each segment of a multi-segment mid-layer packet with 1046 I=1 in the SEAL header to a SEAL-layer pending-reassembly queue 1047 according to the (LINK_ID, NONCE, SEAL_ID)-tuple and Identification 1048 value found in the SEAL header. The ETE performs SEAL-layer 1049 reassembly through simple in-order concatenation of the encapsulated 1050 segments of the same mid-layer packet from N consecutive SEAL 1051 segments. SEAL-layer reassembly requires the ETE to maintain a cache 1052 of recently received segments for a hold time that would allow for 1053 nominal inter-segment delays. When a SEAL reassembly times out, the 1054 ETE discards the incomplete reassembly and returns an SCMP "Time 1055 Exceeded" message to the ITE (see Section 4.6.1). As for IP-layer 1056 reassembly, the ETE should also maintain a conservative reassembly 1057 cache high- and low-water mark and should actively discard any 1058 pending reassemblies that clearly have no opportunity for completion, 1059 e.g., when a considerable number of new SEAL packets have been 1060 received before a packet that completes a pending reassembly has 1061 arrived. 1063 If the ETE receives a SEAL packet for which a segment with the same 1064 (LINK_ID, NONCE, SEAL_ID)-tuple and Identification value is already 1065 in the queue, it must determine whether to accept the new segment and 1066 release the old, or drop the new segment. If accepting the new 1067 segment would cause an inconsistency with other segments already in 1068 the queue (e.g., differing segment lengths), the ETE drops the 1069 segment that is least likely to complete the reassembly. When the 1070 ETE has already received the SEAL first segment (i.e., one with F=1 1071 and M=1 in the SEAL header) of a SEAL protocol packet that arrived as 1072 multiple SEAL segments, and accepting the current segment would cause 1073 the size of the reassembled packet to exceed S_MRU, the ETE schedules 1074 the reassembly resources for garbage collection and sends an SCMP PTB 1075 message with Code=3 back to the ITE (see Section 4.6.1.1). 1077 After all segments are gathered, the ETE reassembles the packet by 1078 concatenating the segments encapsulated in the N consecutive SEAL 1079 packets beginning with the initial segment (i.e., SEG=0) and followed 1080 by any non-initial segments 1 through N-1. That is, for an N-segment 1081 mid-layer packet, reassembly entails the concatenation of the SEAL- 1082 encapsulated packet segments with (F=1, M=1, Identification=j) in the 1083 first SEAL header, followed by (F=0, M=1, SEG=1, 1084 Identification=(j+1)) in the next SEAL header, followed by (F=0, M=1, 1085 SEG=2, Identification=(j+2)), etc., up to (F=0, M=0, SEG=(N-1), 1086 Identification=(j + N-1)) in the final SEAL header, where modulo 1087 arithmetic based on the length of the Identification field is used. 1088 Following successful SEAL-layer reassembly, the ETE submits the 1089 reassembled mid-layer packet for decapsulation and delivery to upper 1090 layers as specified in Section 4.5.5. 1092 The ETE must not perform SEAL-layer reassembly for multi-segment mid- 1093 layer packets with I=0 in the SEAL header. The ETE instead silently 1094 drops all segments with I=0 and either F=0 or (F=1; M=1) in the SEAL 1095 header and sends an SCMP Parameter Problem message back to the ITE. 1097 4.5.5. Decapsulation and Delivery to Upper Layers 1099 Following any necessary IP- and SEAL-layer reassembly, the ETE 1100 discards the outer headers and trailers and performs any mid-layer 1101 transformations on the mid-layer packet. The ETE next discards the 1102 mid-layer headers and trailers, and delivers the inner packet to the 1103 upper-layer protocol indicated either in the SEAL NEXTHDR field or 1104 the next header field of the mid-layer packet (i.e., if the packet 1105 included mid-layer encapsulations). The ETE instead silently 1106 discards the inner packet if it was a NULL packet (see Section 1107 4.4.9). 1109 4.6. The SEAL Control Message Protocol (SCMP) 1111 SEAL uses a companion SEAL Control Message Protocol (SCMP) based on 1112 the same message format as the Internet Control Message Protocol for 1113 IPv6 (ICMPv6) [RFC4443]. Each SCMP message is embedded within an 1114 SCMP packet which begins with the same outer header format as would 1115 be used for outer encapsulation of a SEAL data packet (see: Section 1116 4.4.7). The following sections specify the generation and processing 1117 of SCMP messages: 1119 4.6.1. Generating SCMP Messages 1121 SCMP messages may be generated by either ITEs or ETEs (i.e., by any 1122 TE) using the same message Type and Code values specified for 1123 ordinary ICMPv6 messages in [RFC4443]. SCMP is also used to carry 1124 other ICMPv6 message types and their associated options as specified 1125 in other documents (e.g., [RFC4191][RFC4861], etc.). The general 1126 format for SCMP messages is shown in Figure 4: 1128 0 1 2 3 1129 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1131 | Type | Code | Checksum | 1132 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1133 | | 1134 ~ Message Body ~ 1135 | | 1136 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1137 | As much of invoking SEAL data | 1138 ~ packet as possible without the SCMP ~ 1139 | packet exceeding 576 bytes (*) | 1140 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1142 (*) also known as the "packet-in-error" 1144 Figure 4: SCMP Message Format 1146 TEs generate solicitation messages (e.g., an SCMP echo request, an 1147 SCMP router/neighbor solicitation, a SEAL data packet with A=1, etc.) 1148 for the purpose of triggering an SCMP response. TEs generate 1149 solicited SCMP messages (e.g., an SCMP echo reply, an SCMP router/ 1150 neighbor advertisement, an SCMP PTB message, etc.) in response to 1151 explicit solicitations, and also generate SCMP error messages in 1152 response to errored SEAL data packets. As for ICMP, TEs must not 1153 generate SCMP error message in response to other SCMP messages. 1155 As for ordinary ICMPv6 messages, the SCMP message begins with a 4 1156 byte header that includes 8-bit Type and Code fields followed by a 1157 16-bit Checksum field followed by a variable-length Message Body. 1158 The TE sets the Type and Code fields to the same values that would 1159 appear in the corresponding ICMPv6 message and also formats the 1160 Message Body the same as for the corresponding ICMPv6 message. 1162 The Message Body is followed by the leading portion of the invoking 1163 SEAL data packet (i.e., the "packet-in-error") IFF the packet-in- 1164 error would also be included in the corresponding ICMPv6 message. If 1165 the SCMP message will include a packet-in-error, the TE includes as 1166 much of the leading portion of the invoking SEAL data packet as 1167 possible beginning with the outer IP header and extending to a length 1168 that would not cause the entire SCMP packet following outer 1169 encapsulation to exceed 576 bytes (see: Figure 5). 1171 The TE then calculates the SCMP message Checksum the same as 1172 specified for ICMPv6 messages except that it does not prepend a 1173 pseudo-header of the outer IP header since the (LINK_ID, NONCE, 1174 SEAL_ID)-tuple already gives sufficient assurance against mis- 1175 delivery. (The Checksum calculation procedure is therefore identical 1176 to that used for ICMPv4 [RFC0792].) The TE then encapsulates the 1177 SCMP message in the outer headers as shown in Figure 5: 1179 +--------------------+ 1180 ~ outer IPv4 header ~ 1181 +--------------------+ 1182 ~ other outer hdrs ~ 1183 +--------------------+ 1184 ~ SEAL Header ~ 1185 +--------------------+ +--------------------+ 1186 ~ SCMP message header~ --> ~ SCMP message header~ 1187 +--------------------+ --> +--------------------+ 1188 ~ SCMP message body ~ --> ~ SCMP message body ~ 1189 +--------------------+ --> +--------------------+ 1190 ~ packet-in-error ~ --> ~ packet-in-error ~ 1191 +--------------------+ +--------------------+ 1192 ~ outer trailers ~ 1193 SCMP Message +--------------------+ 1194 before encapsulation 1195 SCMP Packet 1196 after encapsulation 1198 Figure 5: SCMP Message Encapsulation 1200 When a TE generates an SCMP message in response to an SCMP 1201 solicitation or an ordinary SEAL data packet (i.e., a "solicitation 1202 packet"), it sets the outer IP destination and source addresses of 1203 the SCMP packet to the solicitation's source and destination 1204 addresses (respectively). (If the destination address in the 1205 solicitation was multicast, the TE instead sets the outer IP source 1206 address of the SCMP packet to an address assigned to the underlying 1207 IP interface.) The TE then sets the (LINK_ID, NONCE, SEAL_ID)-tuple 1208 and I flag in the SEAL header of the SCMP packet to the same values 1209 that appeared in the solicitation. If the I flag is set to 1, the TE 1210 also includes the Identification field that it received in the 1211 solicitation. 1213 When a TE generates an unsolicited SCMP message, it sets the outer IP 1214 destination and source addresses of the SCMP packet the same as it 1215 would for ordinary SEAL data packets. The TE then sets the (LINK_ID, 1216 NONCE, SEAL_ID)-tuple and I flag in the SEAL header of the SCMP 1217 packet to the same values that it would use to send an ordinary SEAL 1218 data packet. 1220 For all SCMP messages, the TE then sets the other flag bits in the 1221 SEAL header to C=1, A=0, R=0, F=1, and M=0. It next sets the 1222 NEXTHDR/SEG field to 0 and sends the SCMP packet to the tunnel 1223 neighbor. 1225 4.6.1.1. Generating SCMP Packet Too Big (PTB) Messages 1227 An ETE generates an SCMP PTB message under one of the following 1228 cases: 1230 o Case 1: when it receives the IP first fragment (i.e., one with 1231 MF=1 and Offset=0 in the outer IP header) of a SEAL protocol 1232 packet that arrived as multiple IP fragments, or: 1234 o Case 2: when it receives a SEAL protocol data packet with A=1 in 1235 the SEAL header that did not arrive as multiple IP fragments 1236 (i.e., one that does not also match Case 1), or: 1238 o Case 3: when it has already received the SEAL first segment (i.e., 1239 one with F=1 and M=1 in the SEAL header) of a SEAL protocol packet 1240 that arrived as multiple SEAL segments, and accepting the current 1241 segment would cause the size of the reassembled packet to exceed 1242 S_MRU. 1244 The ETE prepares an SCMP PTB message the same as for the 1245 corresponding ICMPv6 PTB message, except that it writes the S_MRU 1246 value for this ITE in the MTU field (i.e., even if the S_MRU value is 1247 0). For cases 1 and 2 above, the packet-in-error field includes the 1248 leading portion of the IP packet or fragment that triggered the 1249 condition. For case 3 above, the packet-in-error field includes the 1250 leading portion of the SEAL first segment, beginning with the 1251 encapsulating outer IP header. 1253 Finally, the ETE writes the value 1, 2 or 3 in the Code field of the 1254 PTB message according to whether the reason for generating the 1255 message was due to the corresponding case number from the list of 1256 cases above. 1258 NOTE CAREFULLY that, unlike cases 1 and 3 above, case 2 is not an 1259 error condition and does not necessarily signify packet loss. 1260 Instead, it is a control plane acknowledgement of a data plane probe. 1261 NOTE ALSO that the ETE MUST NOT generate both a Case 1 and a Case 2 1262 SCMP PTB message on behalf of the same SEAL segment. 1264 4.6.1.2. Generating SCMP Neighbor Discovery Messages 1266 An ITE generates an SCMP "Neighbor Solicitation" (SNS) or "Router 1267 Solicitation" (SRS) message when it needs to solicit a response from 1268 an ETE. An ETE generates a solicited SCMP "Neighbor Advertisement" 1269 (SNA) or "Router Advertisement" (SRA) message when it receives an 1270 SNS/SRS message. Any TE may also generate unsolicited SNA/SRA 1271 messages that are not triggered by a specific solicitation event. 1273 The TE generates SNS, SNA, SRS and SRA messages the same as described 1274 for the corresponding IPv6 Neighbor Discovery (ND) messages (see: 1275 [RFC4861]). 1277 4.6.1.3. Generating SCMP Redirect Messages 1279 An ETE generates an SCMP "Redirect" message when it receives a SEAL 1280 data packet with R=1 in the SEAL header and needs to inform the ITE 1281 of a better next hop. The ETE generates SCMP Redirect messages the 1282 same as described for IPv6 ND Redirects in [RFC4861], except that it 1283 includes Route Information Options (RIOs) [RFC4191] to inform the ITE 1284 of a better next hop for an entire IP prefix instead of only a single 1285 destination. The SCMP Redirect message therefore supports both 1286 network and host redirection instead of only host redirection. 1288 4.6.1.4. Generating Other SCMP Messages 1290 An ETE generates an SCMP "Destination Unreachable - Communication 1291 with Destination Administratively Prohibited" message when its 1292 association with the ITE is bidirectional and it receives a SEAL 1293 packet with a (LINK_ID, NONCE, SEAL_ID)-tuple that does not 1294 correspond to this ITE (see: Section 4.7). 1296 An ETE generates an SCMP "Destination Unreachable" message with an 1297 appropriate code under the same circumstances that an IPv6 system 1298 would generate an ICMPv6 Destination Unreachable message using the 1299 same code. The SCMP Destination Unreachable message is formatted the 1300 same as for ICMPv6 Destination Unreachable messages. 1302 An ETE generates an SCMP "Parameter Problem" message when it receives 1303 a SEAL packet with an incorrect value in the SEAL header, and 1304 generates an SCMP "Time Exceeded" message when it garbage collects an 1305 incomplete SEAL data packet reassembly. The message formats used are 1306 the same as for the corresponding ICMPv6 messages. 1308 Generation of all other SCMP message types is outside the scope of 1309 this document. 1311 4.6.2. Processing SCMP Messages 1313 An ITE processes any solicited and error SCMP message it receives as 1314 long as it can verify that the corresponding SCMP packet was sent 1315 from an on-path ETE. The ITE can verify that the SCMP packet came 1316 from an on-path ETE by checking that the (LINK_ID, NONCE, SEAL_ID)- 1317 tuple and Identification value in the SEAL header of the packet 1318 corresponds to one of its recently-sent SEAL data packets or SCMP 1319 solicitation packets. 1321 For each solicited and error SCMP message it receives, the ITE first 1322 verifies that the identifying information is acceptable, then 1323 verifies that the Checksum in the SCMP message header is correct. If 1324 the identifying information and/or checksum are incorrect, the ITE 1325 discards the message; otherwise, it processes the message the same as 1326 for ordinary ICMPv6 messages. 1328 Any TE may also receive unsolicited SCMP messages (e.g., SNS, SRS, 1329 SNA, SRA, etc.) from the tunnel neighbor. The TE sends SCMP response 1330 messages in response to solicitations, but does not otherwise process 1331 the unsolicited SCMP messages as an indication of tunnel neighbor 1332 liveness. 1334 Finally, TEs process solicited and error SCMP messages as an 1335 indication that the tunnel neighbor is responsive, i.e., in the same 1336 manner implied for IPv6 Neighbor Unreachability Detection "hints of 1337 forward progress" (see: [RFC4861]). 1339 4.6.2.1. Processing SCMP PTB Messages 1341 An ITE may receive an SCMP PTB message after it sends a SEAL data 1342 packet to an ETE (see: Section 4.6.1). The packet-in-error within 1343 the PTB message consists of the encapsulating IP/*/SEAL headers 1344 followed by the inner packet in the form in which the ITE received it 1345 prior to SEAL encapsulation. 1347 If the PTB message has Code=2 in the SCMP header the ITE processes 1348 the message as a response to an explicit probe request and discards 1349 the message. If the PTB has Code=1 or Code=3 in the SCMP header, 1350 however, the ITE processes the message as an indication of an MTU 1351 limitation. 1353 if the PTB has Code =1, the ITE first verifies that the outer IP 1354 header in the packet-in-error encodes an IP first fragment, then 1355 examines the outer IP header length field to determine a new S_MSS 1356 value as follows: 1358 o If the length is no less than 1280, the ITE records the length as 1359 the new S_MSS value. 1361 o If the length is less than the current S_MSS value and also less 1362 than 1280, the ITE can discern that IP fragmentation is occurring 1363 but it cannot determine the true MTU of the restricting link due 1364 to the possibility that a router on the path is generating runt 1365 first fragments. 1367 In this latter case, the ITE may need to search for a reduced S_MSS 1368 value through an iterative searching strategy that parallels the IPv4 1369 Path MTU Discovery "plateau table" procedure in a similar fashion as 1370 described in Section 5 of [RFC1191]. This searching strategy may 1371 entail multiple iterations in which the ITE sends additional SEAL 1372 data packets using a reduced S_MSS and receives additional SCMP PTB 1373 messages, but the process should quickly converge. During this 1374 process, it is essential that the ITE reduce S_MSS based on the first 1375 SCMP PTB message received under the current S_MSS size, and refrain 1376 from further reducing S_MSS until SCMP PTB messages pertaining to 1377 packets sent under the new S_MSS are received. 1379 For both Code=1 and Code=3 PTB messages, the ITE next records the 1380 value in the MTU field of the SCMP PTB message as the new S_MRU value 1381 for this ETE and examines the inner packet within the packet-in- 1382 error. If the inner packet was unfragmentable (see: Section 4.4.3) 1383 and larger than (MAX(S_MRU, S_MSS) - HLEN), the ITE then sends a 1384 transcribed PTB message appropriate for the inner packet to the 1385 original source with MTU set to (MAX(S_MRU, S_MSS) - HLEN). (In the 1386 case of nested SEAL encapsulations, the transcribed PTB message will 1387 itself be an SCMP PTB message). If the inner packet is fragmentable, 1388 however, the ITE instead reduces its inner fragmentation THRESH 1389 estimate to a size no larger than S_MSS for this ETE (see: Section 1390 4.4.3) and does not send a transcribed PTB. In that case, some 1391 fragmentable packets may be silently discarded but future 1392 fragmentable packets will subsequently undergo inner fragmentation 1393 based on this new THRESH estimate. 1395 The ITE may alternatively ignore the S_MSS and S_MRU values, thus 1396 disabling SEAL-layer segmentation. In that case, the ITE sends all 1397 SEAL-encapsulated packets as single segments and implements stateless 1398 MTU discovery. In that case, if the ITE receives an SCMP PTB message 1399 from the ETE with Code=1 and with a too-small length value in the 1400 outer IP header, it can send a translated PTB message back to the 1401 source listing a slightly smaller MTU size than the length value in 1402 the inner IP header. For example, if the ITE receives an SCMP PTB 1403 message with Code=1, outer IP length 256 and inner IP length 1500, it 1404 can send a PTB message listing an MTU of 1400 back to the source. If 1405 the ITE subsequently receives an SCMP PTB message with Code=1, outer 1406 IP length 256 and inner IP length 1400, it can send a PTB message 1407 listing an MTU of 1300 back to the source, etc. 1409 Actual plateau table values for this "step-down" MTU determination 1410 procedure are up to the implementation, which may consult Section 7 1411 of [RFC1191] for non-normative example guidance. 1413 4.6.2.2. Processing SCMP Neighbor Discovery Messages 1415 An ETE may receive SNS/SRS messages from an ITE as the initial leg in 1416 a neighbor discovery exchange. An ITE may also receive both 1417 solicited and unsolicited SNA/SRA messages from an ETE. 1419 The TE processes SNS/SRS and SNA/SRA messages the same as described 1420 for the corresponding IPv6 Neighbor Discovery (ND) messages (see: 1421 [RFC4861]). 1423 4.6.2.3. Processing SCMP Redirect Messages 1425 An ITE may receive SCMP redirect messages after sending a SEAL data 1426 packet with R=1 in the SEAL header to an ETE. The ITE processes any 1427 RIO options in the SCMP redirect message and updates its Forwarding 1428 Information Base (FIB) accordingly. 1430 4.6.2.4. Processing Other SCMP Messages 1432 An ITE may receive an SCMP "Destination Unreachable - Communication 1433 with Destination Administratively Prohibited" message after it sends 1434 a SEAL data packet. The ITE processes the message as an indication 1435 that it needs to (re)synchronize with the ETE (see: Section 4.7). 1437 An ITE may receive an SCMP "Destination Unreachable" message with an 1438 appropriate code under the same circumstances that an IPv6 node would 1439 receive an ICMPv6 Destination Unreachable message. The ITE processes 1440 the message the same as for the corresponding ICMPv6 Destination 1441 Unreachable messages. 1443 An ITE may receive an SCMP "Parameter Problem" message when the ETE 1444 receives a SEAL packet with an incorrect value in the SEAL header. 1445 The ITE should examine the incorrect SEAL header field setting to 1446 determine whether a different setting should be used in subsequent 1447 packets. 1449 .An ITE may receive an SCMP "Time Exceeded" message when the ETE 1450 garbage collects an incomplete SEAL data packet reassembly. The ITE 1451 should consider the message as an indication of congestion. 1453 Processing of all other SCMP message types is outside the scope of 1454 this document. 1456 4.7. Tunnel Endpoint Synchronization 1458 By default, the SEAL ITE retains per-ETE soft state, but the ETE does 1459 not retain per-ITE soft state. In that case, the tunnel neighbor 1460 relationship between the ITE and ETE is said to be "unidirectional", 1461 and the ETE unconditionally accepts any packets coming from the ITE. 1462 When peer TEs need to establish a closer coordination with one 1463 another, however, they can establish a bidirectional tunnel neighbor 1464 relationship to establish both ITE and ETE soft state within both 1465 TEs. 1467 In order to establish a bidirectional tunnel neighbor relationship, 1468 the initiating TE (call it "A") initiates a short transaction with 1469 the responding TE (call it "B") carried by a reliable transport 1470 protocol such as TCP. The protocol details of the transaction are 1471 out of scope for this document, and indeed need not be standardized 1472 as long as both TEs observe the same specifications. 1474 In the transaction, "A" and "B" first authenticate themselves to each 1475 other. "A" then selects randomly-generated NONCE(A) and SEAL_ID(A) 1476 values and registers them with "B", while "B" in turn selects 1477 randomly-generated NONCE(B) and SEAL_ID(B) values and registers them 1478 with "A". Both TEs then further select one or more randomly- 1479 generated LINK_IDs (e.g., LINK_ID(A1), LINK_ID(A2), etc.), where each 1480 LINK_ID represents a different underlying link over which the ITE 1481 function of "A" will send tunneled packets to the ETE function of "B" 1482 (and vice-versa). Both TEs then use each such (LINK_ID(i), NONCE, 1483 SEAL_ID)-tuple to establish the appropriate bidirectional tunnel 1484 neighbor soft state (see Sections 4.4.2 and 4.5.2). 1486 Following this bidirectional tunnel neighbor establishment, the 1487 reliable transport transaction between the TEs concludes since the 1488 status of the underlying links is opaque to the transport protocol 1489 and the transport protocol therefore has no means for selecting 1490 alternate underlying links should the path through the primary 1491 underlying link fail. The soft state is then kept alive by the 1492 continued flow of SEAL data packets and/or SCMP messages between the 1493 TEs rather than by higher-layer keepalives of the transport protocol. 1495 Outbound and inbound traffic engineering between bidirectional tunnel 1496 neighbors is therefore coordinated by SCMP from within the tunnel 1497 interface and can remain continuous even if the paths through one or 1498 more of the underlying links has failed. When one TE detects that 1499 most/all underlying link paths to the other TE have failed, however, 1500 it schedules the bidirectional state for garbage collection. 1502 This bidirectional tunnel neighbor establishment is most commonly 1503 initiated by a client TE in establishing a "connection" with a 1504 serving TE, e.g., when a customer router within a home network 1505 established a connection with a serving router in a provider network. 1507 5. Link Requirements 1509 Subnetwork designers are expected to follow the recommendations in 1510 Section 2 of [RFC3819] when configuring link MTUs. 1512 6. End System Requirements 1514 SEAL provides robust mechanisms for returning PTB messages; however, 1515 end systems that send unfragmentable IP packets larger than 1500 1516 bytes are strongly encouraged to implement their own end-to-end MTU 1517 assurance, e.g., using Packetization Layer Path MTU Discovery per 1518 [RFC4821]. 1520 7. Router Requirements 1522 IPv4 routers within the subnetwork are strongly encouraged to 1523 implement IPv4 fragmentation such that the first fragment is the 1524 largest and approximately the size of the underlying link MTU, i.e., 1525 they should avoid generating runt first fragments. 1527 IPv6 routers within the subnetwork are required to generate the 1528 necessary PTB messages when they drop outer IPv6 packets due to an 1529 MTU restriction. 1531 8. IANA Considerations 1533 The IANA is instructed to allocate an IP protocol number for 1534 'SEAL_PROTO' in the 'protocol-numbers' registry. 1536 The IANA is instructed to allocate a Well-Known Port number for 1537 'SEAL_PORT' in the 'port-numbers' registry. 1539 The IANA is instructed to establish a "SEAL Protocol" registry to 1540 record SEAL Version values. This registry should be initialized to 1541 include the initial SEAL Version number, i.e., Version 0. 1543 9. Security Considerations 1545 Unlike IPv4 fragmentation, overlapping fragment attacks are not 1546 possible due to the requirement that SEAL segments be non- 1547 overlapping. This condition is naturally enforced due to the fact 1548 that each consecutive SEAL segment begins at offset 0 with respect to 1549 the previous SEAL segment. 1551 An amplification/reflection attack is possible when an attacker sends 1552 IP first fragments with spoofed source addresses to an ETE, resulting 1553 in a stream of SCMP messages returned to a victim ITE. The (LINK_ID, 1554 NONCE, SEAL_ID)-tuple in the encapsulated segment of the spoofed IP 1555 first fragment provides mitigation for the ITE to detect and discard 1556 spurious SCMP messages. 1558 The SEAL header is sent in-the-clear (outside of any IPsec/ESP 1559 encapsulations) the same as for the outer IP and other outer headers. 1560 In this respect, the threat model is no different than for IPv6 1561 extension headers. As for IPv6 extension headers, the SEAL header is 1562 protected only by L2 integrity checks and is not covered under any L3 1563 integrity checks. 1565 SCMP messages carry the (LINK_ID, NONCE, SEAL_ID)-tuple of the 1566 packet-in-error. Therefore, when an ITE receives an SCMP message it 1567 can unambiguously associate it with the SEAL data packet that 1568 triggered the error. When the TEs are synchronized, the ETE can also 1569 detect off-path spoofing attacks. 1571 Security issues that apply to tunneling in general are discussed in 1572 [I-D.ietf-v6ops-tunnel-security-concerns]. 1574 10. Related Work 1576 Section 3.1.7 of [RFC2764] provides a high-level sketch for 1577 supporting large tunnel MTUs via a tunnel-level segmentation and 1578 reassembly capability to avoid IP level fragmentation, which is in 1579 part the same approach used by SEAL. SEAL could therefore be 1580 considered as a fully functioned manifestation of the method 1581 postulated by that informational reference. 1583 Section 3 of [RFC4459] describes inner and outer fragmentation at the 1584 tunnel endpoints as alternatives for accommodating the tunnel MTU; 1585 however, the SEAL protocol specifies a mid-layer segmentation and 1586 reassembly capability that is distinct from both inner and outer 1587 fragmentation. 1589 Section 4 of [RFC2460] specifies a method for inserting and 1590 processing extension headers between the base IPv6 header and 1591 transport layer protocol data. The SEAL header is inserted and 1592 processed in exactly the same manner. 1594 The concepts of path MTU determination through the report of 1595 fragmentation and extending the IP Identification field were first 1596 proposed in deliberations of the TCP-IP mailing list and the Path MTU 1597 Discovery Working Group (MTUDWG) during the late 1980's and early 1598 1990's. SEAL supports a report fragmentation capability using bits 1599 in an extension header (the original proposal used a spare bit in the 1600 IP header) and supports ID extension through a 16-bit field in an 1601 extension header (the original proposal used a new IP option). A 1602 historical analysis of the evolution of these concepts, as well as 1603 the development of the eventual path MTU discovery mechanism for IP, 1604 appears in Appendix D of this document. 1606 11. SEAL Advantages over Classical Methods 1608 The SEAL approach offers a number of distinct advantages over the 1609 classical path MTU discovery methods [RFC1191] [RFC1981]: 1611 1. Classical path MTU discovery always results in packet loss when 1612 an MTU restriction is encountered. Using SEAL, IP fragmentation 1613 provides a short-term interim mechanism for ensuring that packets 1614 are delivered while SEAL adjusts its packet sizing parameters. 1616 2. Classical path MTU may require several iterations of dropping 1617 packets and returning PTB messages until an acceptable path MTU 1618 value is determined. Under normal circumstances, SEAL determines 1619 the correct packet sizing parameters in a single iteration. 1621 3. Using SEAL, ordinary packets serve as implicit probes without 1622 exposing data to unnecessary loss. SEAL also provides an 1623 explicit probing mode not available in the classic methods. 1625 4. Using SEAL, ETEs encapsulate SCMP error messages in outer and 1626 mid-layer headers such that packet-filtering network middleboxes 1627 will not filter them the same as for "raw" ICMP messages that may 1628 be generated by an attacker. 1630 5. The SEAL approach ensures that the tunnel either delivers or 1631 deterministically drops packets according to their size, which is 1632 a required characteristic of any IP link. 1634 6. Most importantly, all SEAL packets have an Identification field 1635 that is sufficiently long to be used for duplicate packet 1636 detection purposes and to associate ICMP error messages with 1637 actual packets sent without requiring per-packet state; hence, 1638 SEAL avoids certain denial-of-service attack vectors open to the 1639 classical methods. 1641 12. Acknowledgments 1643 The following individuals are acknowledged for helpful comments and 1644 suggestions: Jari Arkko, Fred Baker, Iljitsch van Beijnum, Oliver 1645 Bonaventure, Teco Boot, Bob Braden, Brian Carpenter, Steve Casner, 1646 Ian Chakeres, Noel Chiappa, Remi Denis-Courmont, Remi Despres, Ralph 1647 Droms, Aurnaud Ebalard, Gorry Fairhurst, Washam Fan, Dino Farinacci, 1648 Joel Halpern, Sam Hartman, John Heffner, Thomas Henderson, Bob 1649 Hinden, Christian Huitema, Eliot Lear, Darrel Lewis, Joe Macker, Matt 1650 Mathis, Erik Nordmark, Dan Romascanu, Dave Thaler, Joe Touch, Mark 1651 Townsley, Ole Troan, Margaret Wasserman, Magnus Westerlund, Robin 1652 Whittle, James Woodyatt, and members of the Boeing Research & 1653 Technology NST DC&NT group. 1655 Path MTU determination through the report of fragmentation was first 1656 proposed by Charles Lynn on the TCP-IP mailing list in 1987. 1657 Extending the IP identification field was first proposed by Steve 1658 Deering on the MTUDWG mailing list in 1989. 1660 13. References 1662 13.1. Normative References 1664 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, 1665 September 1981. 1667 [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, 1668 RFC 792, September 1981. 1670 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1671 Requirement Levels", BCP 14, RFC 2119, March 1997. 1673 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 1674 (IPv6) Specification", RFC 2460, December 1998. 1676 [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure 1677 Neighbor Discovery (SEND)", RFC 3971, March 2005. 1679 [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control 1680 Message Protocol (ICMPv6) for the Internet Protocol 1681 Version 6 (IPv6) Specification", RFC 4443, March 2006. 1683 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 1684 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 1685 September 2007. 1687 13.2. Informative References 1689 [FOLK] Shannon, C., Moore, D., and k. claffy, "Beyond Folklore: 1690 Observations on Fragmented Traffic", December 2002. 1692 [FRAG] Kent, C. and J. Mogul, "Fragmentation Considered Harmful", 1693 October 1987. 1695 [I-D.ietf-intarea-ipv4-id-update] 1696 Touch, J., "Updated Specification of the IPv4 ID Field", 1697 draft-ietf-intarea-ipv4-id-update-01 (work in progress), 1698 October 2010. 1700 [I-D.ietf-v6ops-tunnel-security-concerns] 1701 Krishnan, S., Thaler, D., and J. Hoagland, "Security 1702 Concerns With IP Tunneling", 1703 draft-ietf-v6ops-tunnel-security-concerns-04 (work in 1704 progress), October 2010. 1706 [I-D.russert-rangers] 1707 Russert, S., Fleischman, E., and F. Templin, "RANGER 1708 Scenarios", draft-russert-rangers-05 (work in progress), 1709 July 2010. 1711 [I-D.templin-intarea-vet] 1712 Templin, F., "Virtual Enterprise Traversal (VET)", 1713 draft-templin-intarea-vet-19 (work in progress), 1714 December 2010. 1716 [I-D.templin-iron] 1717 Templin, F., "The Internet Routing Overlay Network 1718 (IRON)", draft-templin-iron-13 (work in progress), 1719 October 2010. 1721 [MTUDWG] "IETF MTU Discovery Working Group mailing list, 1722 gatekeeper.dec.com/pub/DEC/WRL/mogul/mtudwg-log, November 1723 1989 - February 1995.". 1725 [RFC1063] Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP 1726 MTU discovery options", RFC 1063, July 1988. 1728 [RFC1070] Hagens, R., Hall, N., and M. Rose, "Use of the Internet as 1729 a subnetwork for experimentation with the OSI network 1730 layer", RFC 1070, February 1989. 1732 [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, 1733 November 1990. 1735 [RFC1812] Baker, F., "Requirements for IP Version 4 Routers", 1736 RFC 1812, June 1995. 1738 [RFC1981] McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery 1739 for IP version 6", RFC 1981, August 1996. 1741 [RFC2003] Perkins, C., "IP Encapsulation within IP", RFC 2003, 1742 October 1996. 1744 [RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in 1745 IPv6 Specification", RFC 2473, December 1998. 1747 [RFC2675] Borman, D., Deering, S., and R. Hinden, "IPv6 Jumbograms", 1748 RFC 2675, August 1999. 1750 [RFC2764] Gleeson, B., Heinanen, J., Lin, A., Armitage, G., and A. 1751 Malis, "A Framework for IP Based Virtual Private 1752 Networks", RFC 2764, February 2000. 1754 [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", 1755 RFC 2923, September 2000. 1757 [RFC3232] Reynolds, J., "Assigned Numbers: RFC 1700 is Replaced by 1758 an On-line Database", RFC 3232, January 2002. 1760 [RFC3366] Fairhurst, G. and L. Wood, "Advice to link designers on 1761 link Automatic Repeat reQuest (ARQ)", BCP 62, RFC 3366, 1762 August 2002. 1764 [RFC3819] Karn, P., Bormann, C., Fairhurst, G., Grossman, D., 1765 Ludwig, R., Mahdavi, J., Montenegro, G., Touch, J., and L. 1766 Wood, "Advice for Internet Subnetwork Designers", BCP 89, 1767 RFC 3819, July 2004. 1769 [RFC4191] Draves, R. and D. Thaler, "Default Router Preferences and 1770 More-Specific Routes", RFC 4191, November 2005. 1772 [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms 1773 for IPv6 Hosts and Routers", RFC 4213, October 2005. 1775 [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through 1776 Network Address Translations (NATs)", RFC 4380, 1777 February 2006. 1779 [RFC4459] Savola, P., "MTU and Fragmentation Issues with In-the- 1780 Network Tunneling", RFC 4459, April 2006. 1782 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU 1783 Discovery", RFC 4821, March 2007. 1785 [RFC4963] Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly 1786 Errors at High Data Rates", RFC 4963, July 2007. 1788 [RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common 1789 Mitigations", RFC 4987, August 2007. 1791 [RFC5445] Watson, M., "Basic Forward Error Correction (FEC) 1792 Schemes", RFC 5445, March 2009. 1794 [RFC5720] Templin, F., "Routing and Addressing in Networks with 1795 Global Enterprise Recursion (RANGER)", RFC 5720, 1796 February 2010. 1798 [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010. 1800 [SIGCOMM] Luckie, M. and B. Stasiewicz, "Measuring Path MTU 1801 Discovery Behavior", November 2010. 1803 [TBIT] Medina, A., Allman, M., and S. Floyd, "Measuring 1804 Interactions Between Transport Protocols and Middleboxes", 1805 October 2004. 1807 [TCP-IP] "Archive/Hypermail of Early TCP-IP Mail List, 1808 http://www-mice.cs.ucl.ac.uk/multimedia/misc/tcp_ip/, May 1809 1987 - May 1990.". 1811 [WAND] Luckie, M., Cho, K., and B. Owens, "Inferring and 1812 Debugging Path MTU Discovery Failures", October 2005. 1814 Appendix A. Reliability 1816 Although a SEAL tunnel may span an arbitrarily-large subnetwork 1817 expanse, the IP layer sees the tunnel as a simple link that supports 1818 the IP service model. Since SEAL supports segmentation at a layer 1819 below IP, SEAL therefore presents a case in which the link unit of 1820 loss (i.e., a SEAL segment) is smaller than the end-to-end 1821 retransmission unit (e.g., a TCP segment). 1823 Links with high bit error rates (BERs) (e.g., IEEE 802.11) use 1824 Automatic Repeat-ReQuest (ARQ) mechanisms [RFC3366] to increase 1825 packet delivery ratios, while links with much lower BERs typically 1826 omit such mechanisms. Since SEAL tunnels may traverse arbitrarily- 1827 long paths over links of various types that are already either 1828 performing or omitting ARQ as appropriate, it would therefore often 1829 be inefficient to also require the tunnel to perform ARQ. 1831 When the SEAL ITE has knowledge that the tunnel will traverse a 1832 subnetwork with non-negligible loss due to, e.g., interference, link 1833 errors, congestion, etc., it can solicit Segment Reports from the ETE 1834 periodically to discover missing segments for retransmission within a 1835 single round-trip time. However, retransmission of missing segments 1836 may require the ITE to maintain considerable state and may also 1837 result in considerable delay variance and packet reordering. 1839 SEAL may also use alternate reliability mechanisms such as Forward 1840 Error Correction (FEC). A simple FEC mechanism may merely entail 1841 gratuitous retransmissions of duplicate data, however more efficient 1842 alternatives are also possible. Basic FEC schemes are discussed in 1843 [RFC5445]. 1845 The use of ARQ and FEC mechanisms for improved reliability are for 1846 further study. 1848 Appendix B. Integrity 1850 Each link in the path over which a SEAL tunnel is configured is 1851 responsible for link layer integrity verification for packets that 1852 traverse the link. As such, when a multi-segment SEAL packet with N 1853 segments is reassembled, its segments will have been inspected by N 1854 independent link layer integrity check streams instead of a single 1855 stream that a single segment SEAL packet of the same size would have 1856 received. Intuitively, a reassembled packet subjected to N 1857 independent integrity check streams of shorter-length segments would 1858 seem to have integrity assurance that is no worse than a single- 1859 segment packet subjected to only a single integrity check steam, 1860 since the integrity check strength diminishes in inverse proportion 1861 with segment length. In any case, the link-layer integrity assurance 1862 for a multi-segment SEAL packet is no different than for a multi- 1863 fragment IPv6 packet. 1865 Fragmentation and reassembly schemes must also consider packet- 1866 splicing errors, e.g., when two segments from the same packet are 1867 concatenated incorrectly, when a segment from packet X is reassembled 1868 with segments from packet Y, etc. The primary sources of such errors 1869 include implementation bugs and wrapping IP ID fields. In terms of 1870 implementation bugs, the SEAL segmentation and reassembly algorithm 1871 is much simpler than IP fragmentation resulting in simplified 1872 implementations. In terms of wrapping ID fields, when IPv4 is used 1873 as the outer IP protocol, the 16-bit IP ID field can wrap with only 1874 64K packets with the same (src, dst, protocol)-tuple alive in the 1875 system at a given time [RFC4963] increasing the likelihood of 1876 reassembly mis-associations. However, SEAL ensures that any outer 1877 IPv4 fragmentation and reassembly will be short-lived and tuned out 1878 as soon as the ITE receives a Reassembly Repot, and SEAL segmentation 1879 and reassembly uses a much longer ID field. Therefore, reassembly 1880 mis-associations of IP fragments nor of SEAL segments should be 1881 prohibitively rare. 1883 Appendix C. Transport Mode 1885 SEAL can also be used in "transport-mode", e.g., when the inner layer 1886 comprises upper-layer protocol data rather than an encapsulated IP 1887 packet. For instance, TCP peers can negotiate the use of SEAL for 1888 the carriage of protocol data encapsulated as IPv4/SEAL/TCP. In this 1889 sense, the "subnetwork" becomes the entire end-to-end path between 1890 the TCP peers and may potentially span the entire Internet. 1892 Section specifies the operation of SEAL in "tunnel mode", i.e., when 1893 there are both an inner and outer IP layer with a SEAL encapsulation 1894 layer between. However, the SEAL protocol can also be used in a 1895 "transport mode" of operation within a subnetwork region in which the 1896 inner-layer corresponds to a transport layer protocol (e.g., UDP, 1897 TCP, etc.) instead of an inner IP layer. 1899 For example, two TCP endpoints connected to the same subnetwork 1900 region can negotiate the use of transport-mode SEAL for a connection 1901 by inserting a 'SEAL_OPTION' TCP option during the connection 1902 establishment phase. If both TCPs agree on the use of SEAL, their 1903 protocol messages will be carried as TCP/SEAL/IPv4 and the connection 1904 will be serviced by the SEAL protocol using TCP (instead of an 1905 encapsulating tunnel endpoint) as the transport layer protocol. The 1906 SEAL protocol for transport mode otherwise observes the same 1907 specifications as for Section 4. 1909 Appendix D. Historic Evolution of PMTUD 1911 The topic of Path MTU discovery (PMTUD) saw a flurry of discussion 1912 and numerous proposals in the late 1980's through early 1990. The 1913 initial problem was posed by Art Berggreen on May 22, 1987 in a 1914 message to the TCP-IP discussion group [TCP-IP]. The discussion that 1915 followed provided significant reference material for [FRAG]. An IETF 1916 Path MTU Discovery Working Group [MTUDWG] was formed in late 1989 1917 with charter to produce an RFC. Several variations on a very few 1918 basic proposals were entertained, including: 1920 1. Routers record the PMTUD estimate in ICMP-like path probe 1921 messages (proposed in [FRAG] and later [RFC1063]) 1923 2. The destination reports any fragmentation that occurs for packets 1924 received with the "RF" (Report Fragmentation) bit set (Steve 1925 Deering's 1989 adaptation of Charles Lynn's Nov. 1987 proposal) 1927 3. A hybrid combination of 1) and Charles Lynn's Nov. 1987 (straw 1928 RFC draft by McCloughrie, Fox and Mogul on Jan 12, 1990) 1930 4. Combination of the Lynn proposal with TCP (Fred Bohle, Jan 30, 1931 1990) 1933 5. Fragmentation avoidance by setting "IP_DF" flag on all packets 1934 and retransmitting if ICMPv4 "fragmentation needed" messages 1935 occur (Geof Cooper's 1987 proposal; later adapted into [RFC1191] 1936 by Mogul and Deering). 1938 Option 1) seemed attractive to the group at the time, since it was 1939 believed that routers would migrate more quickly than hosts. Option 1940 2) was a strong contender, but repeated attempts to secure an "RF" 1941 bit in the IPv4 header from the IESG failed and the proponents became 1942 discouraged. 3) was abandoned because it was perceived as too 1943 complicated, and 4) never received any apparent serious 1944 consideration. Proposal 5) was a late entry into the discussion from 1945 Steve Deering on Feb. 24th, 1990. The discussion group soon 1946 thereafter seemingly lost track of all other proposals and adopted 1947 5), which eventually evolved into [RFC1191] and later [RFC1981]. 1949 In retrospect, the "RF" bit postulated in 2) is not needed if a 1950 "contract" is first established between the peers, as in proposal 4) 1951 and a message to the MTUDWG mailing list from jrd@PTT.LCS.MIT.EDU on 1952 Feb 19. 1990. These proposals saw little discussion or rebuttal, and 1953 were dismissed based on the following the assertions: 1955 o routers upgrade their software faster than hosts 1957 o PCs could not reassemble fragmented packets 1959 o Proteon and Wellfleet routers did not reproduce the "RF" bit 1960 properly in fragmented packets 1962 o Ethernet-FDDI bridges would need to perform fragmentation (i.e., 1963 "translucent" not "transparent" bridging) 1965 o the 16-bit IP_ID field could wrap around and disrupt reassembly at 1966 high packet arrival rates 1968 The first four assertions, although perhaps valid at the time, have 1969 been overcome by historical events. The final assertion is addressed 1970 by the mechanisms specified in SEAL. 1972 Author's Address 1974 Fred L. Templin (editor) 1975 Boeing Research & Technology 1976 P.O. Box 3707 1977 Seattle, WA 98124 1978 USA 1980 Email: fltemplin@acm.org