idnits 2.17.1

draft-touch-tsvwg-udp-options-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  -- The document has an IETF Trust Provisions (28 Dec 2009) Section 6.c(ii)
     Publication Limitation clause. If this document is intended for
     submission to the IESG for publication, this constitutes an error.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (February 27, 2017) is 2615 days in the past. Is this
     intentional?

  Checking references for intended status: Experimental
  ----------------------------------------------------------------------------

  -- Obsolete informational reference (is this intentional?): RFC 793
     (Obsoleted by RFC 9293)

  -- Obsolete informational reference (is this intentional?): RFC 1981
     (Obsoleted by RFC 8201)

  -- Obsolete informational reference (is this intentional?): RFC 2140
     (Obsoleted by RFC 9040)

  -- Obsolete informational reference (is this intentional?): RFC 2460
     (Obsoleted by RFC 8200)

  -- Obsolete informational reference (is this intentional?): RFC 4960
     (Obsoleted by RFC 9260)

  -- Obsolete informational reference (is this intentional?): RFC 5226
     (Obsoleted by RFC 8126)

  -- Obsolete informational reference (is this intentional?): RFC 6691
     (Obsoleted by RFC 9293)

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 9 comments (--).
     Run idnits with the --verbose option for more detailed information
     about the items above.

--------------------------------------------------------------------------------

TSGWG                                                           J. Touch
Internet Draft                                                   USC/ISI
Intended status: Experimental                          February 27, 2017
Expires: August 2017

                       Transport Options for UDP
                  draft-touch-tsvwg-udp-options-05.txt

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79. This document may not be modified,
   and derivative works of it may not be created, and it may not be
   published except as an Internet-Draft.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on August 27, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.

Abstract

   Transport protocols are extended through the use of transport header
   options.
   This document experimentally extends UDP by indicating the
   location, syntax, and semantics for UDP transport layer options.

Table of Contents

   1. Introduction
   2. Conventions used in this document
   3. Background
   4. The UDP Option Area
   5. UDP Options
      5.1. End of Options List (EOL)
      5.2. No Operation (NOP)
      5.3. Option Checksum (OCS)
      5.4. Alternate Checksum (ACS)
      5.5. Lite (LITE)
      5.6. Maximum Segment Size (MSS)
      5.7. Timestamps (TIME)
      5.8. Fragmentation (FRAG)
      5.9. Authentication and Encryption (AE)
      5.10. Experimental (EXP)
   6. Whose options are these?
   7. UDP options vs. UDP-Lite
   8. Interactions with Legacy Devices
   9. Options in a Stateless, Unreliable Transport Protocol
   10. UDP Option State Caching
   11. Security Considerations
   12. IANA Considerations
   13. References
      13.1. Normative References
      13.2. Informative References
   14. Acknowledgments

1. Introduction

   Transport protocols use options as a way to extend their
   capabilities. TCP [RFC793], SCTP [RFC4960], and DCCP [RFC4340]
   include space for these options but UDP [RFC768] currently does not.
   This document defines an experimental extension to UDP that provides
   space for transport options including their generic syntax and
   semantics for their use in UDP's stateless, unreliable message
   protocol.

2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   In this document, these words will appear with that interpretation
   only when in ALL CAPS. Lowercase uses of these words are not to be
   interpreted as carrying significance described in RFC 2119.

   In this document, the characters ">>" preceding an indented line(s)
   indicates a statement using the key words listed above. This
   convention aids reviewers in quickly identifying or finding the
   portions of this RFC covered by these key words.

3. Background

   Many protocols include a default header and an area for header
   options. These options enable the protocol to be extended for use in
   particular environments or in ways unforeseen by the original
   designers. Examples include TCP's Maximum Segment Size, Window
   Scale, Timestamp, and Authentication Options
   [RFC793][RFC5925][RFC7323].

   These options are used both in stateful (connection-oriented, e.g.,
   TCP [RFC793], SCTP [RFC4960], DCCP [RFC4340]) and stateless
   (connectionless, e.g., IPv4 [RFC791], IPv6 [RFC2460]) protocols. In
   stateful protocols they can help extend the way in which state is
   managed. In stateless protocols their effect is often limited to
   individual packets, but they can have an aggregate effect on a
   sequence as well.
   One example of such uses is Substrate Protocol for User Datagrams
   (SPUD) [Tr15], and this document is intended to provide an
   out-of-band option area as an alternative to the in-band mechanism
   currently proposed [Hi15].

   UDP is one of the most popular protocols that lacks space for
   options [RFC768]. The UDP header was intended to be a minimal
   addition to IP, providing only ports and a data checksum for
   protection. This document experimentally extends UDP to provide a
   trailer area for options located after the UDP data payload.

4. The UDP Option Area

   The UDP transport header includes demultiplexing and service
   identification (port numbers), a checksum, and a field that
   indicates the UDP datagram length (including UDP header). The UDP
   Length field is typically redundant with the size of the
   maximum space available as a transport protocol payload (see also
   discussion in Section 8).

   For IPv4, IP Total Length field indicates the total IP datagram
   length (including IP header), and the size of the IP options is
   indicated in the IP header (in 4-byte words) as the "Internet Header
   Length" (IHL), as shown in Figure 1 [RFC791]. As a result, the
   typical (and largest valid) value for UDP Length is:

      UDP_Length = IPv4_Total_Length - IPv4_IHL * 4

   For IPv6, the IP Payload Length field indicates the datagram after
   the base IPv6 header, which includes the IPv6 extension headers and
   space available for the transport protocol, as shown in Figure 2
   [RFC2460]. Note that the Next HDR field in IPv6 might not indicate
   UDP (i.e., 17), e.g., when intervening IP extension headers are
   present.
   For IPv6, the lengths of any additional IP extensions are
   indicated within each extension [RFC2460], so the typical (and
   largest valid) value for UDP Length is:

      UDP_Length = IPv6_Payload_Length - sum(extension header lengths)

   In both cases, the space available for the UDP transport protocol
   data unit is indicated by IP, either completely in the base header
   (for IPv4) or adding information in the extensions (for IPv6). In
   either case, this document will refer to this available space as the
   "IP transport payload".

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live | Proto=17 (UDP)|        Header Checksum        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Source Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Destination Address                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ... zero or more IP Options (using space as indicated by IHL) ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        UDP Source Port        |     UDP Destination Port      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          UDP Length           |         UDP Checksum          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

          Figure 1 IPv4 datagram with UDP transport payload

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version| Traffic Class |           Flow Label                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Payload Length        |    Next Hdr   |   Hop Limit   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ...
   |                   Source Address (128 bits)                   |
   ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ...
   |                Destination Address (128 bits)                 |
   ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ... zero or more IP Extension headers (each indicating size) ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        UDP Source Port        |     UDP Destination Port      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          UDP Length           |         UDP Checksum          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

          Figure 2 IPv6 datagram with UDP transport payload

   As a result of this redundancy, there is an opportunity to use the
   UDP Length field as a way to break up the IP transport payload into
   two areas - that intended as UDP user data and an additional
   "surplus area" (as shown in Figure 3).

                            IP transport payload
               <------------------------------------------------->
      +--------+---------+----------------------+------------------+
      | IP Hdr | UDP Hdr |     UDP user data    |   surplus area   |
      +--------+---------+----------------------+------------------+
               <------------------------------>
                          UDP Length

            Figure 3 IP transport payload vs. UDP Length

   In most cases, the IP transport payload and UDP Length point to the
   same location, indicating that there is no surplus area. It is
   important to note that this is not a requirement of UDP [RFC768]
   (discussed further in Section 8). UDP-Lite used the difference in
   these pointers to indicate the partial coverage of the UDP Checksum,
   such that the UDP user data, UDP header, and UDP pseudoheader (a
   subset of the IP header) are covered by the UDP checksum but
   additional user data in the surplus area is not covered [RFC3828].
   This document uses the surplus area for UDP transport options.
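
   The split shown in Figure 3, the range rule on UDP Length given
   later in this section, and the in-order option walk with EOL and NOP
   (Sections 5.1 and 5.2) can be implemented as below. This is an added
   example, not code from the draft or its author. The names udp_areas,
   udp_opt, udp_split and udp_opts_walk, the sample datagram, and the
   choice to reject the whole option area on a malformed option are
   assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UDP_HDR_LEN 8u
enum { OPT_EOL = 0, OPT_NOP = 1, OPT_OCS = 2 };   /* kinds from Section 5 */

/* Hypothetical result types for this example. */
struct udp_areas {
    const uint8_t *data; size_t data_len;   /* UDP user data         */
    const uint8_t *opts; size_t opts_len;   /* surplus (option) area */
};
struct udp_opt { uint8_t kind; const uint8_t *val; size_t val_len; };

/*
 * Split the IP transport payload `tp` (tp_len bytes, starting at the UDP
 * header) at the UDP Length "trailer offset". tp_len must come from IP
 * (Total Length - IHL*4, or Payload Length - extension header lengths).
 * Returns 0, or -1 when the datagram has to be silently discarded.
 */
int udp_split(const uint8_t *tp, size_t tp_len, struct udp_areas *out)
{
    if (tp_len < UDP_HDR_LEN)
        return -1;
    size_t udp_len = ((size_t)tp[4] << 8) | tp[5];   /* network byte order */
    /* Section 4: 8 <= UDP Length <= IP transport payload. Checking both
     * bounds before any pointer is formed keeps a copy sized by one
     * field from overrunning a buffer sized by the other (Section 11). */
    if (udp_len < UDP_HDR_LEN || udp_len > tp_len)
        return -1;
    out->data = tp + UDP_HDR_LEN;
    out->data_len = udp_len - UDP_HDR_LEN;
    out->opts = tp + udp_len;
    out->opts_len = tp_len - udp_len;
    return 0;
}

/*
 * Walk the option area in order, storing up to max_out options.
 * Returns the number of options stored (NOP and EOL are not stored), or
 * -1 on a malformed area; the caller then ignores every option (policy
 * chosen for this example) but still delivers the user data.
 */
int udp_opts_walk(const uint8_t *opts, size_t opts_len,
                  struct udp_opt *out, size_t max_out)
{
    size_t off = 0, n = 0;
    while (off < opts_len) {
        uint8_t kind = opts[off];
        size_t left = opts_len - off, len, hdr;
        if (kind == OPT_EOL)
            break;                      /* bytes after EOL are ignored */
        if (kind == OPT_NOP) {
            off++;
            continue;
        }
        if (left < 2)
            return -1;                  /* truncated option */
        /* Figure 7 shows OCS as Kind + Ones8 with no Length byte. */
        hdr = (kind == OPT_OCS) ? 1 : 2;
        len = (kind == OPT_OCS) ? 2 : opts[off + 1];
        if (len < 2 || len > left || n == max_out)
            return -1;                  /* Length lies or table is full */
        out[n].kind = kind;
        out[n].val = opts + off + hdr;
        out[n].val_len = len - hdr;
        n++;
        off += len;
    }
    return (int)n;
}

/* Constructed sample: 8-byte UDP header (Length = 12, checksum left 0),
 * 4 bytes of user data, then a 9-byte surplus area: NOP NOP, Kind=5
 * Len=4 value 1500, EOL, and two bytes after EOL that must be ignored. */
const uint8_t sample_dgram[21] = {
    0x12, 0x34, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00,
    'p', 'i', 'n', 'g',
    0x01, 0x01, 0x05, 0x04, 0x05, 0xdc, 0x00, 0xaa, 0xbb
};

int main(void)
{
    struct udp_areas a;
    struct udp_opt o[4];
    if (udp_split(sample_dgram, sizeof sample_dgram, &a) != 0)
        return 1;
    int n = udp_opts_walk(a.opts, a.opts_len, o, 4);
    printf("user data %zu bytes, surplus %zu bytes, %d option(s)\n",
           a.data_len, a.opts_len, n);
    return n < 0;
}
```
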

   The UDP option area is thus defined as the location between the end
   of the UDP payload and the end of the IP datagram as a trailing
   options area. This area can occur at any valid byte offset, i.e., it
   need not be 16-bit or 32-bit aligned. In effect, this document
   redefines the UDP "Length" field as a "trailer offset".

   UDP options are defined using a syntax similar to that of TCP
   [RFC793]. They are typically a minimum of two bytes in length as
   shown in Figure 4, excepting only the one byte options "No
   Operation" (NOP) and "End of Options List" (EOL) described below.

                          +--------+--------+
                          |  Kind  | Length |
                          +--------+--------+

                  Figure 4 UDP option default format

   >> UDP options MAY occur at any UDP length offset.

   >> The UDP length MUST be at least as large as the UDP header (8)
   and no larger than the IP transport payload. Values outside this
   range MUST be silently discarded as invalid and logged where
   rate-limiting permits.

   Others have considered using values of the UDP Length that are
   larger than the IP transport payload as an additional type of
   signal. Using a value smaller than the IP transport payload is
   expected to be backward compatible with existing UDP
   implementations, i.e., to deliver the UDP Length of user data to the
   application and silently ignore the additional surplus area data.
   Using a value larger than the IP transport payload would either be
   considered malformed (and be silently dropped) or could cause buffer
   overruns, and so is not considered silently and safely backward
   compatible. Its use is thus out of scope for the extension described
   in this document.

   >> UDP options MUST be interpreted in the order in which they occur
   in the UDP option area.

5. UDP Options

   The following UDP options are currently defined:

      Kind     Length    Meaning
      ----------------------------------------------
      0*       -         End of Options List (EOL)
      1*       -         No operation (NOP)
      2*       2         Option checksum (OCS)
      3        4         Alternate checksum (ACS)
      4        4         Lite (LITE)
      5        4         Maximum segment size (MSS)
      6        10        Timestamps (TIME)
      7        12        Fragmentation (FRAG)
      8        (varies)  Authentication and Encryption (AE)
      128-253            RESERVED
      254      N(>=4)    RFC 3692-style experiments (EXP)
      255                RESERVED

   These options are defined in the following subsections.

   >> An endpoint supporting UDP options MUST support those marked with
   a "*" above: EOL, NOP, and OCS.

   [QUESTION: Should we extend these through option #7?]

   >> All other options (without a "*") MAY be implemented, and their
   use SHOULD be determined either out-of-band or negotiated.

5.1. End of Options List (EOL)

   The End of Options List (EOL) option indicates that there are no
   more options. It is used to indicate the end of the list of options
   without needing to pad the options to fill all available option
   space.

                               +--------+
                               | Kind=0 |
                               +--------+

                    Figure 5 UDP EOL option format

   >> When the UDP options do not consume the entire option area, the
   last non-NOP option SHOULD be EOL (vs. filling the entire option
   area with NOP values).

   >> All bytes after EOL MUST be ignored by UDP option processing.

5.2. No Operation (NOP)

   The No Operation (NOP) option is a one byte placeholder, intended to
   be used as padding, e.g., to align multi-byte options along 16-bit
   or 32-bit boundaries.

                               +--------+
                               | Kind=1 |
                               +--------+

                    Figure 6 UDP NOP option format

   >> If options longer than one byte are used, NOP options SHOULD be
   used at the beginning of the UDP options area to achieve alignment
   as would be more efficient for active (i.e., non-NOP) options.

5.3. Option Checksum (OCS)

   The Option Checksum (OCS) is an 8-bit ones-complement sum (Ones8)
   that covers only the UDP options, from the first option as indicated
   by the UDP Length to the last option as indicated by EOL (where
   present) or the IP Payload Length. OCS can be calculated by
   computing the 16-bit ones-complement sum and "folding over" the
   result (using carry wraparound). Note that OCS is direct, i.e., it
   is not negated or adjusted if zero (unlike the Internet checksum as
   used in IPv4, TCP, and UDP headers). OCS protects the option area
   from errors in a similar way that the UDP checksum protects the UDP
   user data.

                          +--------+--------+
                          | Kind=2 | Ones8  |
                          +--------+--------+

                    Figure 7 UDP OCS option format

   >> When present, the option checksum SHOULD occur as early as
   possible, preferably preceded by only NOP options for alignment and
   the LITE option if present.

   >> If the option checksum fails, all options MUST be ignored and any
   trailing surplus data silently discarded.

   >> UDP data that is validated by a correct UDP checksum MUST be
   delivered to the application layer, even if the UDP option checksum
   fails, unless the endpoints have negotiated otherwise for this
   segment's socket pair.

5.4. Alternate Checksum (ACS)

   The Alternate Checksum (ACS) is a CRC16 of the UDP payload only. It
   does not include the IP pseudoheader or UDP header, and so need not
   be updated by NATs when IP addresses or UDP ports are rewritten. Its
   purpose is to detect errors that the UDP checksum might not detect.

                 +--------+--------+--------+--------+
                 | Kind=3 | Len=4  |     CRC16sum    |
                 +--------+--------+--------+--------+

                    Figure 8 UDP ACS option format

5.5. Lite (LITE)

   The Lite option (LITE) is intended to provide equivalent capability
   to the UDP Lite transport protocol [RFC3828].
   UDP Lite allows the UDP checksum to cover only a prefix of the UDP
   data payload, to protect critical information (e.g., application
   headers) but allow potentially erroneous data to be passed to the
   user. This feature helps protect application headers but allows for
   application data errors. Some applications are impacted more by a
   lack of data than errors in data, e.g., voice and video.

   >> When the Lite option is active, it MUST come first in the UDP
   options list.

   The Lite option is intended to support the same API as for UDP Lite
   to allow applications to send and receive data that has a marker
   indicating the portion protected by the UDP checksum and the portion
   not protected by the UDP checksum.

   The option includes a 2-byte offset that indicates the length of the
   portion of the UDP data that is not covered by the UDP checksum.

                 +--------+--------+--------+--------+
                 | Kind=5 | Len=4  |      Offset     |
                 +--------+--------+--------+--------+

                    Figure 9 UDP LITE option format

   At the sender, the option is formed using the following steps:

   1. Create a LITE option, ordered as the first UDP option (Figure
      10).

   2. Calculate the location of the start of the options as an absolute
      offset from the start of the UDP header and place that length in
      the last two bytes of the LITE option.

   3. Swap all four bytes of the LITE option with the first 4 bytes of
      the LITE data area (Figure 11).

      +---------+--------------+--------------+------------------+
      | UDP Hdr |  user data   |  Lite data   |LITE|  other opts |
      +---------+--------------+--------------+------------------+
      <---------------------->
             UDP Length

          Figure 10 Lite option formation - LITE goes first

      +---------+--------------+--------------+------------------+
      | UDP Hdr |  user data   |  Lite data   |LITE|  other opts |
      +---------+--------------+--------------+------------------+
                                ^^^^           ^^^^
                                 |              |
                                 +--------------+

    Figure 11 Lite option before transmission - swap LITE and front of
                               LITE data

   The resulting packet has the format shown in Figure 12. Note that
   the UDP length now points to the LITE option, and the LITE option
   points to the start of the option area.

      +---------+--------------+----------------+------------------+
      | UDP Hdr |  user data   |LITE| Lite data |Ldat|  other opts |
      +---------+--------------+----------------+------------------+
      <---------------------->    |             ^
             UDP Length           +-------------+

                 Figure 12 Lite option as transmitted

   A legacy endpoint receiving this packet will discard the LITE option
   and everything that follows, including the lite data and remainder
   of the UDP options. The UDP checksum will protect only the user
   data, not the LITE option or lite data.

   Receiving endpoints capable of processing UDP options will do the
   following:

   1. Process options as usual. This will start at the LITE option.

   2. When the LITE option is encountered, record its location as the
      start of the LITE data area and swap the four bytes there with
      the four bytes at the location indicated inside the LITE option,
      which indicates the start of all of the options, including the
      LITE one (one past the end of the lite data area).

   3. Continue processing the remainder of the options, which are now
      in the format shown in Figure 11.

   The purpose of this swap is to support UDP Lite operation and UDP
   options without requiring the entire lite data area to be moved
   after the UDP option area.

5.6. Maximum Segment Size (MSS)

   The Maximum Segment Size (MSS, Kind = 3) is a 16-bit indicator of
   the largest UDP segment that can be received. As with the TCP MSS
   option [RFC793], the size indicated is the IP layer MTU decreased by
   the fixed IP and UDP headers only [RFC6691]. The space needed for IP
   and UDP options needs to be adjusted by the sender when using the
   value indicated. The value transmitted is based on EMTU_R, the
   largest IP datagram that can be received (i.e., reassembled at the
   receiver) [RFC1122].

                 +--------+--------+--------+--------+
                 | Kind=5 | Len=4  |    MSS size     |
                 +--------+--------+--------+--------+

                    Figure 13 UDP MSS option format

   The UDP MSS option MAY be used for path MTU discovery
   [RFC1191][RFC1981], but this may be difficult because of known
   issues with ICMP blocking [RFC2923] as well as UDP lacking automatic
   retransmission. It is more likely to be useful when coupled with IP
   source fragmentation to limit the largest reassembled UDP message,
   e.g., when EMTU_R is larger than the required minimums (576 for IPv4
   [RFC791] and 1500 for IPv6 [RFC2460]).

5.7. Timestamps (TIME)

   The UDP Timestamp option (TIME) exchanges two four-byte timestamp
   fields. It serves a similar purpose to TCP's TS option [RFC7323],
   enabling UDP to estimate the round trip time (RTT) between hosts.
   For UDP, this RTT can be useful for establishing UDP fragment
   reassembly timeouts or transport-layer rate-limiting [RFC8085].

      +--------+--------+------------------+------------------+
      | Kind=6 | Len=10 |     TS Value     |   TS Echo Reply  |
      +--------+--------+------------------+------------------+

                   Figure 14 UDP TIME option format

   TS Value (TSval) and TS Echo (TSecr) are used in a similar manner to
   the TCP TS option [RFC7323]. A host using the Timestamp option sets
   TS Value on all UDP segments issued. Received TSval values are
   provided to the application, which passes this value as TSecr on UDP
   messages sent in response to such a message.

   >> UDP MAY use an RTT estimate based on nonzero Timestamp values as
   a hint for fragmentation reassembly, rate limiting, or other
   mechanisms that benefit from such an estimate.

   >> UDP SHOULD make this RTT estimate available to the user
   application.

5.8. Fragmentation (FRAG)

   The Fragmentation option (FRAG) supports UDP fragmentation and
   reassembly, which can be used to transfer UDP messages larger than
   limited by the IP receive MTU (EMTU_R [RFC1122]). It is typically
   used with the UDP MSS option to enable more efficient use of large
   messages, both at the UDP and IP layers. The Fragmentation option is
   designed similarly to the IPv6 Fragmentation Header [RFC2460],
   except that the UDP variant uses a 15-bit Offset measured in 16-bit
   words, rather than IPv6's 13-bit Fragment Offset measured in 8-byte
   units. This UDP variant avoids creating reserved fields.

                 +--------+--------+--------+--------+
                 | Kind=8 | Len=12 |      Offset   |M|
                 +--------+--------+--------+--------+
                 |           Identification          |
                 +--------+--------+--------+--------+
                 |       Identification (con't)      |
                 +--------+--------+--------+--------+

                   Figure 15 UDP LITE option format

   The Offset is 15 bits and indicates the location of the UDP payload
   fragment in 16-bit units from the beginning of the original
   unfragmented payload.
   The M flag indicates whether there are more fragments (1) or no more
   fragments (0).

   >> The Identification field is a 32-bit value that MUST be unique
   over the expected fragment reassembly timeout.

   >> The Identification field SHOULD be generated in a manner similar
   to that of the IP Fragment ID [RFC2460].

   >> UDP fragments MUST NOT overlap.

   The Fragmentation option needs to be used with extreme care because
   it will present incorrect datagram boundaries to a legacy receiver.

   >> A host SHOULD indicate Fragmentation option support by
   transmitting an unfragmented datagram using the Fragmentation option
   (e.g., with Offset and M both zero).

   >> A host MUST NOT transmit a UDP fragment (e.g., with either Offset
   or M not zero) before receiving recent confirmation from the remote
   host.

   UDP fragmentation relies on a fragment expiration timer, which can
   be preset or could use a value computed using the UDP Timestamp
   option.

   >> The default UDP reassembly SHOULD be no more than 2 minutes.

   Implementers are advised to limit the space available for UDP
   reassembly.

   >> UDP reassembly space SHOULD be limited to reduce the impact of
   DOS attacks on resource use.

   >> UDP reassembly space limits SHOULD NOT be implemented as an
   aggregate, to avoid cross-socketpair DOS attacks.

5.9. Authentication and Encryption (AE)

   The Authentication and Encryption option (AE) is intended to allow
   UDP to provide a similar type of authentication as the TCP
   Authentication Option (TCP-AO) [RFC5925]. It uses the same format as
   specified for TCP-AO, except that it uses a Kind of 8. UDP-AO
   supports NAT traversal in a similar manner as TCP-AO [RFC6978].
   UDP-AO can also be extended to provide a similar encryption
   capability as TCP-AO-ENC, in a similar manner [To16]. For these
   reasons, the option is known as UDP-AE.

   Like TCP-AO, UDP-AE is not negotiated in-band.
   Its use assumes both endpoints have populated Master Key Tuples
   (MKTs), used to exclude non-protected traffic.

   TCP-AO generates unique traffic keys from a hash of TCP connection
   parameters. UDP lacks a three-way handshake to coordinate
   connection-specific values, such as TCP's Initial Sequence Numbers
   (ISNs) [RFC793], thus UDP-AE's Key Derivation Function (KDF) uses
   zeroes as the value for both ISNs. This means that the UDP-AE reuses
   keys when socket pairs are reused, unlike TCP-AO.

5.10. Experimental (EXP)

   The Experimental option (EXP) is reserved for experiments [RFC3692].
   Only one such value is reserved because experiments are expected to
   use an Experimental ID (ExID) to differentiate concurrent use for
   different purposes, using UDP ExIDs registered with IANA according
   to the approach developed for TCP experimental options [RFC6994].

   >> The length of the experimental option MUST be at least 4 to
   account for the Kind, Length, and the minimum 16-bit UDP ExID
   identifier (similar to TCP ExIDs [RFC6994]).

6. Whose options are these?

   UDP options are indicated in an area of the IP payload that is not
   used by UDP. That area is really part of the IP payload, not the UDP
   payload, and as such, it might be tempting to consider whether this
   is a generally useful approach to extending IP.

   Unfortunately, the surplus area exists only for transports that
   include their own transport layer payload length indicator. TCP and
   SCTP include header length fields that already provide space for
   transport options by indicating the total length of the header area,
   such that the entire remaining area indicated in the network layer
   (IP) is transport payload.
   UDP-Lite already uses the UDP Length field to indicate the boundary
   between data covered by the transport checksum and data not covered,
   and so there is no remaining area where the length of the UDP-Lite
   payload as a whole can be indicated [RFC3828].

   >> UDP options are intended for use only by the transport endpoints.
   They are no more (or less) appropriate to be modified in-transit
   than any other portion of the transport datagram.

   UDP options are transport options. Generally, transport datagrams
   are not intended to be modified in-transit. However, the UDP option
   mechanism provides no specific protection against in-transit
   modification of the UDP header, UDP payload, or UDP option area.

7. UDP options vs. UDP-Lite

   UDP-Lite provides partial checksum coverage, so that packets with
   errors in some locations can be delivered to the user [RFC3828]. It
   uses a different transport protocol number (136) than UDP (17) to
   interpret the UDP Length field as the prefix covered by the UDP
   checksum.

   UDP (protocol 17) already defines the UDP Length field as the limit
   of the UDP checksum, but by default also limits the data provided to
   the application as that which precedes the UDP Length. A goal of
   UDP-Lite is to deliver data beyond UDP Length as a default, which is
   why a separate transport protocol number was required.

   UDP options do not need a separate transport protocol number because
   the data beyond the UDP Length offset (surplus data) is not provided
   to the application by default. That data is interpreted exclusively
   within the UDP transport layer.

   UDP options support a similar service to UDP-Lite by terminating the
   UDP options with an EOL option. The additional data not covered by
   the UDP checksum follows that EOL option, and is passed to the user
   separately.
   The difference is that UDP-Lite provides the un-checksummed user
   data to the application by default, whereas UDP options can provide
   the same capability only for endpoints that are negotiated in
   advance (i.e., by default, UDP options would silently discard this
   non-checksummed data). Additionally, in UDP-Lite the checksummed and
   non-checksummed payload components are adjacent, whereas in UDP
   options they are separated by the option area - which, minimally,
   must consist of at least one EOL option.

   UDP-Lite cannot support UDP options, either as proposed here or in
   any other form, because the entire payload of the UDP packet is
   already defined as user data and there is no additional field in
   which to indicate a separate area for options. The UDP Length field
   in UDP-Lite is already used to indicate the boundary between user
   data covered by the checksum and user data not covered.

8. Interactions with Legacy Devices

   It has always been permissible for the UDP Length to be inconsistent
   with the IP transport payload length [RFC768]. Such inconsistency
   has been utilized in UDP-Lite using a different transport number.
   There are no known systems that use this inconsistency for UDP
   [RFC3828]. It is possible that such use might interact with UDP
   options, i.e., where legacy systems might generate UDP datagrams
   that appear to have UDP options. The UDP OCS provides protection
   against such events and is stronger than a static "magic number".

   UDP options have been tested as interoperable with Linux, Mac OS-X,
   and Windows Cygwin, and worked through NAT devices. These systems
   successfully delivered only the user data indicated by the UDP
   Length field and silently discarded the surplus area.

   One reported embedded device passes the entire IP datagram to the
   UDP application layer.
Although this feature could enable application-layer UDP option processing, it would require that conventional UDP user applications examine only the UDP payload. This feature is also inconsistent with the UDP application interface [RFC768] [RFC1122].

It has been reported that Alcatel-Lucent's "Brick" Intrusion Detection System has a default configuration that interprets inconsistencies between UDP Length and IP Length as an attack to be reported. Note that other firewall systems, e.g., CheckPoint, use a default "relaxed UDP length verification" to avoid falsely interpreting this inconsistency as an attack.

(TBD: test with UDP checksum offload and UDP fragmentation offload)

9. Options in a Stateless, Unreliable Transport Protocol

There are two ways to interpret options for a stateless, unreliable protocol -- an option is either local to the message or intended to affect a stream of messages in a soft-state manner. Either interpretation is valid for defined UDP options.

It is impossible to know in advance whether an endpoint supports a UDP option.

>> UDP options MUST allow for silent failure on first receipt.

>> UDP options that rely on soft-state exchange MUST allow for message reordering and loss.

>> A UDP option MUST be silently optional until confirmed by exchange with an endpoint.

It is useful that the above requirements prevent using UDP options to implement transport-layer fragmentation and reassembly unless that capability has been negotiated with an endpoint in advance for a socket pair. Legacy systems would need to be able to interpret the transport payload fragments as individual transport datagrams.

10. UDP Option State Caching

Some TCP connection parameters, stored in the TCP Control Block, can be usefully shared either among concurrent connections or between connections in sequence, known as TCP Sharing [RFC2140][To17].
Although UDP is stateless, some of the options proposed herein may have similar benefit in being shared or cached. We call this UCB Sharing, or UDP Control Block Sharing, by analogy.

[TBD: extend this section to indicate which options MAY vs. MUST NOT be shared and how, e.g., along the lines of To17]

11. Security Considerations

The use of UDP packets with inconsistent IP and UDP Length fields has the potential to trigger a buffer overflow error if not properly handled, e.g., if space is allocated based on the smaller field and copying is based on the larger. However, there have been no reports of such a vulnerability and it would rely on inconsistent use of the two fields for memory allocation and copying.

12. IANA Considerations

Upon publication, IANA is hereby requested to create a new registry for UDP Option Kind numbers, similar to that for TCP Option Kinds. Initial values of this registry are as listed in Section 5. Additional values in this registry are to be assigned by IESG Approval or Standards Action [RFC5226].

Upon publication, IANA is hereby requested to create a new registry for UDP Experimental Option Experiment Identifiers (UDP ExIDs) for use in a similar manner as TCP ExIDs [RFC6994]. This registry is initially empty. Values in this registry are to be assigned by IANA using first-come, first-served (FCFS) rules [RFC5226].

13. References

13.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

13.2. Informative References

[Hi15] Hildebrand, J., B. Trammell, "Substrate Protocol for User Datagrams (SPUD) Prototype," draft-hildebrand-spud-prototype-03, Mar. 2015.

[RFC768] Postel, J., "User Datagram Protocol", RFC 768, August 1980.

[RFC791] Postel, J., "Internet Protocol," RFC 791, Sept. 1981.

[RFC793] Postel, J., "Transmission Control Protocol", RFC 793, September 1981.

[RFC1122] Braden, R., Ed., "Requirements for Internet Hosts -- Communication Layers," RFC 1122, Oct. 1989.

[RFC1191] Mogul, J., S. Deering, "Path MTU discovery," RFC 1191, November 1990.

[RFC1981] McCann, J., S. Deering, J. Mogul, "Path MTU Discovery for IP version 6," RFC 1981, Aug. 1996.

[RFC2140] Touch, J., "TCP Control Block Interdependence," RFC 2140, Apr. 1997.

[RFC2460] Deering, S., R. Hinden, "Internet Protocol Version 6 (IPv6) Specification," RFC 2460, Dec. 1998.

[RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery," RFC 2923, September 2000.

[RFC4340] Kohler, E., M. Handley, and S. Floyd, "Datagram Congestion Control Protocol (DCCP)", RFC 4340, March 2006.

[RFC4960] Stewart, R. (Ed.), "Stream Control Transmission Protocol", RFC 4960, September 2007.

[RFC3692] Narten, T., "Assigning Experimental and Testing Numbers Considered Useful," RFC 3692, Jan. 2004.

[RFC3828] Larzon, L-A., M. Degermark, S. Pink, L-E. Jonsson (Ed.), G. Fairhurst (Ed.), "The Lightweight User Datagram Protocol (UDP-Lite)," RFC 3828, July 2004.

[RFC5226] Narten, T., H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs," RFC 5226, May 2008.

[RFC5925] Touch, J., A. Mankin, R. Bonica, "The TCP Authentication Option," RFC 5925, June 2010.

[RFC6691] Borman, D., "TCP Options and Maximum Segment Size (MSS)," RFC 6691, July 2012.

[RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT Traversal", RFC 6978, July 2013.

[RFC6994] Touch, J., "Shared Use of Experimental TCP Options," RFC 6994, Aug. 2013.

[RFC7323] Borman, D., R. Braden, V. Jacobson, R. Scheffenegger (Ed.), "TCP Extensions for High Performance," RFC 7323, Sep. 2014.

[RFC8085] Eggert, L., G. Fairhurst, G. Shepherd, "UDP Usage Guidelines," RFC 8085, Feb. 2017.

[To16] Touch, J., "A TCP Authentication Option Extension for Payload Encryption", Oct. 2016.

[To17] Touch, J., M. Welzl, S. Islam, J. You, "TCP Control Block Interdependence," draft-touch-tcpm-2140bis, Jan. 2017.

[Tr15] Trammell, B. (Ed.), M. Kuehlewind (Ed.), "Requirements for the design of a Substrate Protocol for User Datagrams (SPUD)," draft-trammell-spud-req-04, May 2016.

14. Acknowledgments

This work benefitted from feedback from Bob Briscoe, Ken Calvert, Ted Faber, Gorry Fairhurst, C. M. Heard, Tom Herbert, and Mark Smith, as well as discussions on the IETF SPUD email list.

This document was prepared using 2-Word-v2.0.template.dot.

Authors' Addresses

Joe Touch
USC/ISI
4676 Admiralty Way
Marina del Rey, CA 90292 USA

Phone: +1 (310) 448-9151
Email: touch@isi.edu
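
Added example (not part of the draft): the length handling that Section 11 warns about and that the Section 8 middlebox reports turn on. UDP Length is validated once against the IP transport payload length, and allocation and copying then use the same validated value. The names udp_split, udp_split_payload and udp_copy_user_data, and the sample datagram, are constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define UDP_HDR_LEN 8u

struct udp_split {   /* hypothetical type, added for this example */
    const uint8_t *data;    size_t data_len;    /* covered by UDP Length */
    const uint8_t *surplus; size_t surplus_len; /* beyond UDP Length */
};

/* Constructed sample: 16-byte IP payload, UDP Length = 12, so 4 bytes of
 * user data and 4 surplus bytes (0xAA filler, not real options). */
static const uint8_t sample_pkt[16] = {
    0x30, 0x39, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00,
    'd', 'a', 't', 'a', 0xaa, 0xaa, 0xaa, 0xaa
};

/* pkt points at the UDP header; ip_payload_len comes from the IP header.
 * Returns 0 on success, -1 if the two lengths cannot both be honoured. */
int udp_split_payload(const uint8_t *pkt, size_t ip_payload_len,
                      struct udp_split *out)
{
    if (pkt == NULL || out == NULL || ip_payload_len < UDP_HDR_LEN)
        return -1;
    size_t udp_len = ((size_t)pkt[4] << 8) | pkt[5];  /* network byte order */
    if (udp_len < UDP_HDR_LEN || udp_len > ip_payload_len)
        return -1;  /* may be shorter than the IP payload, never longer */
    out->data = pkt + UDP_HDR_LEN;
    out->data_len = udp_len - UDP_HDR_LEN;
    out->surplus = pkt + udp_len;
    out->surplus_len = ip_payload_len - udp_len;
    return 0;
}

/* Allocation and copy both use data_len. Sizing the buffer from UDP Length
 * but copying ip_payload_len bytes is the mismatch Section 11 describes. */
uint8_t *udp_copy_user_data(const struct udp_split *s, size_t *len_out)
{
    uint8_t *buf = malloc(s->data_len ? s->data_len : 1);
    if (buf != NULL) {
        memcpy(buf, s->data, s->data_len);
        *len_out = s->data_len;
    }
    return buf;
}

int main(void) {
    struct udp_split s;
    return udp_split_payload(sample_pkt, sizeof sample_pkt, &s) ? 1 : 0;
}
```

A datagram whose UDP Length exceeds the IP transport payload length is rejected outright; one whose UDP Length is shorter is accepted, with the remainder exposed only as the surplus area.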