INTAREA Working Group                                              X. Xu
Internet-Draft                                                    Huawei
Intended status: Standards Track                                  Y. Lee
Expires: June 23, 2017                                           Comcast
                                                                  Y. Fan
                                                           China Telecom
                                                       December 20, 2016


                        Encapsulating IP in UDP
                      draft-xu-intarea-ip-in-udp-04

Abstract

   Existing Softwire encapsulation technologies are not adequate for
   efficient load balancing of Softwire service traffic across IP
   networks.  This document specifies an additional Softwire
   encapsulation technology, referred to as IP-in-UDP (User Datagram
   Protocol), which can facilitate the load balancing of Softwire
   service traffic across IP networks.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 23, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Encapsulation in UDP
   4.  Processing Procedures
   5.  Congestion Considerations
   6.  Applicability Statements
   7.  Acknowledgements
   8.  IANA Considerations
   9.  Security Considerations
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   To fully utilize the bandwidth available in IP networks and/or
   facilitate recovery from a link or node failure, load balancing of
   traffic over Equal Cost Multi-Path (ECMP) and/or Link Aggregation
   Group (LAG) across IP networks is widely used.  [RFC5640] describes a
   method for improving the load balancing efficiency in a network
   carrying Softwire Mesh service [RFC5565] over Layer Two Tunneling
   Protocol - Version 3 (L2TPv3) [RFC3931] and Generic Routing
   Encapsulation (GRE) [RFC2784] encapsulations.  However, this method
   requires core routers to perform hash calculation on the "load-
   balancing" field contained in tunnel encapsulation headers (i.e., the
   Session ID field in L2TPv3 headers or the Key field in GRE headers),
   which is not widely supported by existing core routers.
   Most existing routers in IP networks are already capable of
   distributing IP traffic "microflows" [RFC2474] over ECMP paths and/or
   LAG based on the hash of the five-tuple of User Datagram Protocol
   (UDP) [RFC0768] and Transmission Control Protocol (TCP) packets
   (i.e., source IP address, destination IP address, source port,
   destination port, and protocol).  By encapsulating the Softwire
   service traffic into a UDP tunnel and using the source port of the
   UDP header as an entropy field, the existing load-balancing
   capability mentioned above can be leveraged to provide fine-grained
   load-balancing of Softwire service traffic over IP networks.  This is
   similar to why LISP [RFC6830], MPLS-in-UDP [RFC7510] and VXLAN
   [RFC7348] use UDP encapsulation.  Therefore, this specification
   defines an IP-in-UDP encapsulation method dedicated to the Softwires
   service.  In other words, the IP-in-UDP encapsulation method
   described in this draft is an alternative encapsulation used in
   [RFC5565] in addition to L2TPv3 and GRE.

   The IPv6 flow label has been proposed as an entropy field for load
   balancing in IPv6 network environments [RFC6438].  However, as stated
   in [RFC6936], the end-to-end use of flow labels for load balancing is
   a long-term solution, and therefore load balancing using the
   transport header fields would continue until widespread deployment
   is finally achieved.  As such, IP-in-UDP encapsulation would still
   have practical application value in IPv6 networks during this
   transition timeframe.  Of course, it is RECOMMENDED that the IPv6
   flow label is filled with an entropy value as well.  In this way,
   core routers could perform load-balancing of Softwires service
   traffic based on either the IPv6 flow label or the UDP five-tuple
   accordingly.
   Similarly, the IP-in-UDP encapsulation format defined in this
   document by itself cannot ensure the integrity and privacy of data
   packets being transported through the IP-in-UDP tunnels and cannot
   enable the tunnel decapsulators to authenticate the tunnel
   encapsulator.  Therefore, in the case where any of the above security
   issues is a concern, IP-in-UDP SHOULD be secured with IPsec
   [RFC4301] or DTLS [RFC6347].  For more details, please see Section 6
   of Security Considerations.

2.  Terminology

   This memo makes use of the terms defined in [RFC5565].

3.  Encapsulation in UDP

   The IP-in-UDP encapsulation format is shown as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Source Port = Entropy     |       Dest Port = TBD1        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          UDP Length           |         UDP Checksum          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                           IP Packet                           ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                  Figure 1: IP-in-UDP Encapsulation Format

   Source Port of UDP:

      This field contains a 16-bit entropy value that is generated by
      the encapsulator to uniquely identify a flow.  What constitutes
      a flow is locally determined by the encapsulator and therefore
      is outside the scope of this document.  What algorithm is
      actually used by the encapsulator to generate an entropy value
      is outside the scope of this document.  In case the tunnel does
      not need entropy, this field of all packets belonging to a
      given flow SHOULD be set to a randomly selected constant value
      so as to avoid packet reordering.  To ensure that the source
      port number is always in the range 49152 to 65535 (note that
      ports below 49152 are reserved by IANA to identify specific
      applications/protocols), which may be required in some cases,
      instead of calculating a 16-bit hash the encapsulator SHOULD
      calculate a 14-bit hash and use those 14 bits as the least
      significant bits of the source port field, while the most
      significant two bits SHOULD be set to binary 11.  That still
      conveys 14 bits of entropy information, which is sufficient in
      practice.

   Destination Port of UDP:

      This field is set to a value (TBD1) allocated by IANA to
      indicate that the UDP tunnel payload is an IP packet.  Whether
      the encapsulated IP packet is IPv4 or IPv6 is determined from
      the Version field in the IP header of the encapsulated IP
      packet.

   UDP Length:

      The usage of this field is in accordance with the current UDP
      specification [RFC0768].

   UDP Checksum:

      For IPv4 UDP encapsulation, this field is RECOMMENDED to be set
      to zero for performance or implementation reasons, because the
      IPv4 header includes a checksum and use of the UDP checksum is
      optional with IPv4.  For IPv6 UDP encapsulation, the IPv6
      header does not include a checksum, so this field MUST contain
      a UDP checksum that MUST be used as specified in [RFC0768] and
      [RFC2460] unless one of the exceptions that allows use of UDP
      zero-checksum mode (as specified in [RFC6935]) applies.

   IP Packet:

      This field contains one IP packet.

4.  Processing Procedures

   This IP-in-UDP encapsulation causes E-IP [RFC5565] packets to be
   forwarded across an I-IP [RFC5565] transit core via "UDP tunnels".
   While performing IP-in-UDP encapsulation, an ingress AFBR (e.g., a PE
   router) would generate an entropy value and encode it in the Source
   Port field of the UDP header.
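   As an added illustration (not code from the draft or its authors),
   the following Python sketches both ends of the procedure: the
   14-bit source-port rule of Section 3, the Figure 1 header with the
   zero-checksum-for-IPv4 / real-checksum-for-IPv6 rule, and an egress
   AFBR that strips the UDP header only for datagrams addressed to the
   IP-in-UDP port that arrived from a configured tunnel head, which is
   the source-address validation the Security Considerations call for.
   The hash function (truncated SHA-256), the placeholder value for
   TBD1, and the sample packets are assumptions made for the example.

```python
import hashlib
import ipaddress
import struct

# IANA has not assigned the port this draft requests (TBD1); the value
# below is a PLACEHOLDER for this example, not a registered number.
PORT_TBD1 = 0xCAFE


def entropy_source_port(flow_key: bytes) -> int:
    """Section 3 rule: 14-bit hash in the low bits, top two bits binary 11,
    so the port is always in 49152..65535.  The draft leaves the hash
    algorithm open; truncated SHA-256 is an assumption of this example."""
    h14 = int.from_bytes(hashlib.sha256(flow_key).digest()[:2], "big") & 0x3FFF
    return 0xC000 | h14


def udp_checksum_ipv6(src, dst, udp: bytes) -> int:
    """RFC 768 / RFC 2460 checksum over the IPv6 pseudo-header plus the UDP
    datagram (checksum field zeroed).  A computed zero is sent as 0xFFFF."""
    data = src.packed + dst.packed + struct.pack("!IxxxB", len(udp), 17) + udp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF


def encapsulate(outer_src: str, outer_dst: str, inner_ip: bytes, flow_key: bytes) -> bytes:
    """Ingress AFBR: build the UDP datagram of Figure 1 (outer IP header is
    left to the caller).  IPv4 outer: checksum zero, as the draft recommends;
    IPv6 outer: a real checksum MUST be carried."""
    src, dst = ipaddress.ip_address(outer_src), ipaddress.ip_address(outer_dst)
    sport, length = entropy_source_port(flow_key), 8 + len(inner_ip)
    udp = struct.pack("!HHHH", sport, PORT_TBD1, length, 0) + inner_ip
    if src.version == 6:
        csum = udp_checksum_ipv6(src, dst, udp)
        udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    return udp


def decapsulate(outer_src: str, outer_dst: str, udp: bytes, tunnel_heads):
    """Egress AFBR: remove the UDP header only if the datagram is well-formed,
    carries the IP-in-UDP destination port, and came from a configured tunnel
    head.  Returns (inner IP version, inner packet), or None if dropped."""
    src, dst = ipaddress.ip_address(outer_src), ipaddress.ip_address(outer_dst)
    if src not in {ipaddress.ip_address(h) for h in tunnel_heads}:
        return None                      # source-address validation (Section 9)
    if len(udp) < 8 + 20:                # UDP header plus at least an IPv4 header
        return None
    _sport, dport, length, csum = struct.unpack("!HHHH", udp[:8])
    if dport != PORT_TBD1 or length != len(udp):
        return None
    if src.version == 6:
        # Zero checksum is allowed only under the RFC 6935 exceptions, which
        # this example does not claim, so it is rejected here.
        if csum == 0 or csum != udp_checksum_ipv6(src, dst, udp[:6] + b"\x00\x00" + udp[8:]):
            return None
    inner = udp[8:]
    version = inner[0] >> 4              # Section 3: IPv4 vs IPv6 from the Version field
    if version not in (4, 6):
        return None
    return version, inner
```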
   The Destination Port field is set to a value (TBD1) allocated by
   IANA to indicate that the UDP tunnel payload is an IP packet.
   Transit routers, upon receiving these UDP encapsulated IP packets,
   could balance these packets based on the hash of the five-tuple of
   UDP packets.  Egress AFBRs receiving these UDP encapsulated IP
   packets MUST decapsulate these packets by removing the UDP header and
   then forward them accordingly (assuming that the Destination Port was
   set to the reserved value pertaining to IP).

   Similar to all other Softwire tunneling technologies, IP-in-UDP
   encapsulation introduces overheads and reduces the effective Maximum
   Transmission Unit (MTU) size.  IP-in-UDP encapsulation may also
   impact Time-to-Live (TTL) or Hop Count (HC) and Differentiated
   Services (DSCP).  Hence, IP-in-UDP MUST follow the corresponding
   procedures defined in [RFC2003].

   Ingress AFBRs MUST NOT fragment I-IP packets (i.e., UDP encapsulated
   IP packets), and when the outer IP header is IPv4, ingress AFBRs MUST
   set the DF bit in the outer IPv4 header.  It is strongly RECOMMENDED
   that the I-IP transit core be configured to carry an MTU at least
   large enough to accommodate the added encapsulation headers.
   Meanwhile, it is strongly RECOMMENDED that Path MTU Discovery
   [RFC1191] [RFC1981] or Packetization Layer Path MTU Discovery
   (PLPMTUD) [RFC4821] is used to prevent or minimize fragmentation.
   Once an ingress AFBR needs to perform fragmentation on an E-IP packet
   before encapsulating, it MUST use the same source UDP port for all
   fragmented packets so as to ensure these fragmented packets are
   always forwarded on the same path.  Note that fragmentation of E-IP
   packets is possible only when the E-IP packets are IPv4 packets and
   the DF bit is not set.

5.  Congestion Considerations

   Section 3.1.3 of [RFC5405] discusses the congestion implications of
   UDP tunnels.
   As discussed in [RFC5405], because other flows can share the path
   with one or more UDP tunnels, congestion control [RFC2914] needs to
   be considered.  As specified in [RFC5405]:

      "IP-based traffic is generally assumed to be congestion-
      controlled, i.e., it is assumed that the transport protocols
      generating IP-based traffic at the sender already employ
      mechanisms that are sufficient to address congestion on the path.
      Consequently, a tunnel carrying IP-based traffic should already
      interact appropriately with other traffic sharing the path, and
      specific congestion control mechanisms for the tunnel are not
      necessary".

   Since IP-in-UDP is only used to carry IP traffic, which is generally
   assumed to be congestion controlled by the transport layer, it
   generally does not need additional congestion control mechanisms.
   Furthermore, as explicitly stated in the Applicability Statements
   (Section 1.2), this IP-in-UDP encapsulation method MUST only be used
   within Softwires networks that are well-managed; therefore, a
   congestion control mechanism is not needed.

6.  Applicability Statements

   This IP-in-UDP encapsulation technology MUST only be used within
   Softwires networks which are well-managed by a service provider and
   MUST NOT be used within the Internet.  In a well-managed Softwires
   network, traffic is well-managed to avoid congestion, and
   fragmentation of encapsulated packets (i.e., I-IP packets) is not
   needed.

7.  Acknowledgements

   Thanks to Vivek Kumar, Carlos Pignataro and Mark Townsley for their
   valuable comments on the initial idea of this document.  Thanks to
   Andrew G. Malis for his valuable comments on this document.

8.  IANA Considerations

   One UDP destination port number indicating IP needs to be allocated
   by IANA:

      Service Name: IP-in-UDP
      Transport Protocol(s): UDP
      Assignee: IESG
      Contact: IETF Chair
      Description: Encapsulate IP packets in UDP tunnels.
      Reference: This document.
      Port Number: TBD1 -- To be assigned by IANA.

   One UDP destination port number indicating IP with DTLS needs to be
   allocated by IANA:

      Service Name: IP-in-UDP-with-DTLS
      Transport Protocol(s): UDP
      Assignee: IESG
      Contact: IETF Chair
      Description: Encapsulate IP packets in UDP tunnels with DTLS.
      Reference: This document.
      Port Number: TBD2 -- To be assigned by IANA.

9.  Security Considerations

   The security problems faced with the IP-in-UDP tunnel are exactly the
   same as those faced with IP-in-IP [RFC2003] and IP-in-GRE tunnels
   [RFC2784].  In other words, the IP-in-UDP tunnel as defined in this
   document by itself cannot ensure the integrity and privacy of data
   packets being transported through the IP-in-UDP tunnel and cannot
   enable the tunnel decapsulator to authenticate the tunnel
   encapsulator.  In the case where any of the above security issues is
   a concern, the IP-in-UDP tunnel SHOULD be secured with IPsec or DTLS.
   IPsec was designed as a network security mechanism and therefore it
   resides at the network layer.  As such, if the tunnel is secured with
   IPsec, the UDP header would no longer be visible to intermediate
   routers in either IPsec tunnel or transport mode.  As a result, the
   point of adopting the IP-in-UDP tunnel as an alternative to the IP-
   in-GRE or IP-in-IP tunnel is lost.  By comparison, DTLS is better
   suited for application security and can better preserve network and
   transport layer protocol information.  Specifically, if DTLS is used,
   the destination port of the UDP header will be filled with a value
   (TBD2) indicating IP with DTLS and the source port can still be used
   as an entropy field for load-sharing purposes.
   If the tunnel is not secured with IPsec or DTLS, some other method
   should be used to ensure that packets are decapsulated and forwarded
   by the tunnel tail only if those packets were encapsulated by the
   tunnel head.  If the tunnel lies entirely within a single
   administrative domain, address filtering at the boundaries can be
   used to ensure that no packet with the IP source address of a tunnel
   endpoint or with the IP destination address of a tunnel endpoint can
   enter the domain from outside.  However, when the tunnel head and the
   tunnel tail are not in the same administrative domain, this may
   become difficult, and filtering based on the destination address can
   even become impossible if the packets must traverse the public
   Internet.  Sometimes only source address filtering (but not
   destination address filtering) is done at the boundaries of an
   administrative domain.  If this is the case, the filtering does not
   provide effective protection at all unless the decapsulator of an IP-
   in-UDP tunnel validates the IP source address of the packet.

10.  References

10.1.  Normative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768, August 1980.

   [RFC1191]  Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
              DOI 10.17487/RFC1191, November 1990.

   [RFC1981]  McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery
              for IP version 6", RFC 1981, DOI 10.17487/RFC1981, August
              1996.

   [RFC2003]  Perkins, C., "IP Encapsulation within IP", RFC 2003,
              DOI 10.17487/RFC2003, October 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
              December 1998.
   [RFC2784]  Farinacci, D., Li, T., Hanks, S., Meyer, D., and P.
              Traina, "Generic Routing Encapsulation (GRE)", RFC 2784,
              DOI 10.17487/RFC2784, March 2000.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005.

   [RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU
              Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007.

   [RFC5405]  Eggert, L. and G. Fairhurst, "Unicast UDP Usage Guidelines
              for Application Designers", BCP 145, RFC 5405,
              DOI 10.17487/RFC5405, November 2008.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
              January 2012.

   [RFC6935]  Eubanks, M., Chimento, P., and M. Westerlund, "IPv6 and
              UDP Checksums for Tunneled Packets", RFC 6935,
              DOI 10.17487/RFC6935, April 2013.

   [RFC6936]  Fairhurst, G. and M. Westerlund, "Applicability Statement
              for the Use of IPv6 UDP Datagrams with Zero Checksums",
              RFC 6936, DOI 10.17487/RFC6936, April 2013.

10.2.  Informative References

   [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black,
              "Definition of the Differentiated Services Field (DS
              Field) in the IPv4 and IPv6 Headers", RFC 2474,
              DOI 10.17487/RFC2474, December 1998.

   [RFC2914]  Floyd, S., "Congestion Control Principles", BCP 41,
              RFC 2914, DOI 10.17487/RFC2914, September 2000.

   [RFC3931]  Lau, J., Ed., Townsley, M., Ed., and I. Goyret, Ed.,
              "Layer Two Tunneling Protocol - Version 3 (L2TPv3)",
              RFC 3931, DOI 10.17487/RFC3931, March 2005.

   [RFC5565]  Wu, J., Cui, Y., Metz, C., and E. Rosen, "Softwire Mesh
              Framework", RFC 5565, DOI 10.17487/RFC5565, June 2009.

   [RFC5640]  Filsfils, C., Mohapatra, P., and C. Pignataro, "Load-
              Balancing for Mesh Softwires", RFC 5640,
              DOI 10.17487/RFC5640, August 2009.

   [RFC6438]  Carpenter, B. and S. Amante, "Using the IPv6 Flow Label
              for Equal Cost Multipath Routing and Link Aggregation in
              Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011.

   [RFC6830]  Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The
              Locator/ID Separation Protocol (LISP)", RFC 6830,
              DOI 10.17487/RFC6830, January 2013.

   [RFC7348]  Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
              L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
              eXtensible Local Area Network (VXLAN): A Framework for
              Overlaying Virtualized Layer 2 Networks over Layer 3
              Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014.

   [RFC7510]  Xu, X., Sheth, N., Yong, L., Callon, R., and D. Black,
              "Encapsulating MPLS in UDP", RFC 7510,
              DOI 10.17487/RFC7510, April 2015.

Authors' Addresses

   Xiaohu Xu
   Huawei

   Email: xuxiaohu@huawei.com


   Yiu Lee
   Comcast

   Email: Yiu_Lee@Cable.Comcast.com


   Yongbing Fan
   China Telecom

   Email: fanyb@gsta.com