INTAREA Working Group                                             X. Xu
Internet-Draft                                                   Huawei
Intended status: Standards Track                           H. Assarpour
Expires: April 20, 2018                                        Broadcom
                                                                  S. Ma
                                                                Juniper
                                                                 Y. Lee
                                                                Comcast
                                                                 Y. Fan
                                                          China Telecom
                                                       October 17, 2017

                        Encapsulating IP in UDP
                     draft-xu-intarea-ip-in-udp-05

Abstract

   Existing IP-in-IP encapsulation technologies are not adequate for efficient load balancing of IP-in-IP traffic across IP networks. This document specifies an additional IP-in-IP encapsulation technology, referred to as IP-in-UDP (User Datagram Protocol), which can facilitate the load balancing of IP-in-IP traffic across IP networks.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 20, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
   Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Encapsulation in UDP
   4.  Processing Procedures
   5.  Congestion Considerations
   6.  Applicability Statements
   7.  Acknowledgements
   8.  IANA Considerations
   9.  Security Considerations
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Authors' Addresses

1.  Introduction

   To fully utilize the bandwidth available in IP networks and/or facilitate recovery from a link or node failure, load balancing of traffic over Equal Cost Multi-Path (ECMP) and/or Link Aggregation Group (LAG) across IP networks is widely used. [RFC5640] describes a method for improving the load balancing efficiency in a network carrying IP-in-IP traffic [RFC5565] over Layer Two Tunneling Protocol - Version 3 (L2TPv3) [RFC3931] and Generic Routing Encapsulation (GRE) [RFC2784] encapsulations. However, this method requires core routers to perform hash calculation on the "load-balancing" field contained in tunnel encapsulation headers (i.e., the Session ID field in L2TPv3 headers or the Key field in GRE headers), which is not widely supported by existing core routers.
   Most existing routers in IP networks are already capable of distributing IP traffic "microflows" [RFC2474] over ECMP paths and/or LAG based on the hash of the five-tuple of User Datagram Protocol (UDP) [RFC0768] and Transmission Control Protocol (TCP) packets (i.e., source IP address, destination IP address, source port, destination port, and protocol). By encapsulating the IP traffic into a UDP tunnel and using the source port of the UDP header as an entropy field, the existing load-balancing capability mentioned above can be leveraged to provide fine-grained load-balancing of IP-in-IP traffic over IP networks. This is the same reason that LISP [RFC6830], MPLS-in-UDP [RFC7510] and VXLAN [RFC7348] use UDP encapsulation. Therefore, this specification defines an IP-in-UDP encapsulation method as an alternative to the L2TPv3 and GRE encapsulations used in [RFC5565].

   The IPv6 flow label has been proposed as an entropy field for load balancing in IPv6 network environments [RFC6438]. However, as stated in [RFC6936], the end-to-end use of flow labels for load balancing is a long-term solution, and load balancing based on transport header fields would therefore continue until widespread deployment is finally achieved. As such, IP-in-UDP encapsulation would still have practical application value in IPv6 networks during this transition timeframe. Of course, it is RECOMMENDED that the IPv6 flow label also be filled with an entropy value. In this way, core routers could perform load-balancing of IP-in-IP traffic based on either the IPv6 flow label or the UDP five-tuple accordingly.
   Similarly, the IP-in-UDP encapsulation format defined in this document by itself cannot ensure the integrity and privacy of data packets being transported through IP-in-UDP tunnels and cannot enable the tunnel decapsulators to authenticate the tunnel encapsulator. Therefore, where any of the above security issues is a concern, IP-in-UDP SHOULD be secured with IPsec [RFC4301] or DTLS [RFC6347]. For more details, please see Section 6 of Security Considerations.

2.  Terminology

   This memo makes use of the terms defined in [RFC5565].

3.  Encapsulation in UDP

   The IP-in-UDP encapsulation format is shown as follows:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Source Port = Entropy     |       Dest Port = TBD1        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          UDP Length           |         UDP Checksum          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                           IP Packet                           ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                 Figure 1: IP-in-UDP Encapsulation Format

   Source Port of UDP:

      This field contains a 16-bit entropy value that is generated by the encapsulator to uniquely identify a flow. What constitutes a flow is locally determined by the encapsulator and is therefore outside the scope of this document. Likewise, the algorithm the encapsulator actually uses to generate the entropy value is outside the scope of this document.

      If the tunnel does not need entropy, this field SHOULD be set to a randomly selected constant value for all packets belonging to a given flow, so as to avoid packet reordering.
      To ensure that the source port number is always in the range 49152 to 65535 (ports below 49152 are reserved by IANA to identify specific applications/protocols), which may be required in some cases, the encapsulator SHOULD calculate a 14-bit hash instead of a 16-bit hash and use those 14 bits as the least significant bits of the source port field, while the two most significant bits SHOULD be set to binary 11. That still conveys 14 bits of entropy, which is enough in practice.

   Destination Port of UDP:

      This field is set to a value (TBD1) allocated by IANA to indicate that the UDP tunnel payload is an IP packet. Whether the encapsulated IP packet is IPv4 or IPv6 is determined from the Version field in the IP header of the encapsulated IP packet.

   UDP Length:

      The usage of this field is in accordance with the current UDP specification [RFC0768].

   UDP Checksum:

      For IPv4 UDP encapsulation, this field is RECOMMENDED to be set to zero for performance or implementation reasons, because the IPv4 header includes a checksum and use of the UDP checksum is optional with IPv4. For IPv6 UDP encapsulation, the IPv6 header does not include a checksum, so this field MUST contain a UDP checksum that MUST be used as specified in [RFC0768] and [RFC2460], unless one of the exceptions that allow use of UDP zero-checksum mode (as specified in [RFC6935]) applies.

   IP Packet:

      This field contains one IP packet.

4.  Processing Procedures

   This IP-in-UDP encapsulation causes E-IP [RFC5565] packets to be forwarded across an I-IP [RFC5565] transit core via "UDP tunnels". While performing IP-in-UDP encapsulation, an ingress AFBR (e.g., a PE router) generates an entropy value and encodes it in the Source Port field of the UDP header.
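   As an added illustration (not code from the draft or its authors) of the ingress-side encapsulation just described, the following Python builds the UDP header of Figure 1 in front of an inner IP packet: it derives a 14-bit entropy hash and forces the top two bits to 11 as Section 3 requires, leaves the checksum at zero for an IPv4 outer header, and computes the RFC 2460 pseudo-header checksum for an IPv6 outer header. TBD1_PORT, the SHA-256 flow hash and the sample inner packet are assumptions, since IANA has not assigned the port and the draft leaves the hash algorithm to the encapsulator.

```python
import hashlib
import ipaddress
import struct

# TBD1 has not been assigned by IANA; this value is a constructed placeholder.
TBD1_PORT = 0xFFFF

# Constructed input: IPv4/UDP 192.0.2.1:1234 -> 198.51.100.2:53, DF set, payload
# b"test" (IPv4 header checksum left at zero for brevity).
SAMPLE_INNER_IPV4 = bytes.fromhex(
    "45000020 00004000 40110000 c0000201 c6336402 04d20035 000c0000 74657374")


def entropy_source_port(inner_packet):
    """Section 3 source port: 14-bit flow hash in the low bits, top two bits 11,
    so the value is always in 49152..65535. The draft leaves the hash function
    to the encapsulator; SHA-256 over the inner five-tuple is an assumption here."""
    version = inner_packet[0] >> 4
    if version == 4:
        ihl = (inner_packet[0] & 0x0F) * 4
        proto, addrs = inner_packet[9], inner_packet[12:20]
        ports = inner_packet[ihl:ihl + 4] if proto in (6, 17) else b""
    elif version == 6:
        proto, addrs = inner_packet[6], inner_packet[8:40]  # extension headers not walked
        ports = inner_packet[40:44] if proto in (6, 17) else b""
    else:
        raise ValueError("payload is not an IP packet")
    digest = hashlib.sha256(addrs + bytes([proto]) + ports).digest()
    return 0xC000 | (int.from_bytes(digest[:2], "big") & 0x3FFF)


def ones_complement_sum(data):
    """16-bit one's complement sum used by the UDP checksum (RFC 768)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv6_pseudo_header(src6, dst6, udp_len):
    # RFC 2460 pseudo-header: src, dst, 32-bit upper-layer length, 3 zero bytes, next header 17
    return src6 + dst6 + struct.pack("!IxxxB", udp_len, 17)


def udp_checksum_ok_ipv6(outer_src, outer_dst, udp_datagram):
    """Receiver-side check: pseudo-header plus datagram must sum to 0xFFFF."""
    src6 = ipaddress.ip_address(outer_src).packed
    dst6 = ipaddress.ip_address(outer_dst).packed
    pseudo = ipv6_pseudo_header(src6, dst6, len(udp_datagram))
    return ones_complement_sum(pseudo + udp_datagram) == 0xFFFF


def encapsulate(inner_packet, outer_src, outer_dst):
    """Prepend the Figure 1 UDP header; the caller adds the outer IP header
    (with DF set when it is IPv4, as Section 4 requires)."""
    src, dst = ipaddress.ip_address(outer_src), ipaddress.ip_address(outer_dst)
    length = 8 + len(inner_packet)
    datagram = struct.pack("!HHHH", entropy_source_port(inner_packet), TBD1_PORT, length, 0)
    datagram += inner_packet
    if src.version == 6:
        # No checksum in the IPv6 header, so the UDP checksum MUST be filled in.
        pseudo = ipv6_pseudo_header(src.packed, dst.packed, length)
        csum = 0xFFFF & ~ones_complement_sum(pseudo + datagram)
        datagram = datagram[:6] + struct.pack("!H", csum or 0xFFFF) + datagram[8:]
    # With an IPv4 outer header the draft RECOMMENDS leaving the checksum at zero.
    return datagram
```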
   The Destination Port field is set to a value (TBD1) allocated by IANA to indicate that the UDP tunnel payload is an IP packet. Transit routers, upon receiving these UDP-encapsulated IP packets, can balance them based on the hash of the UDP five-tuple. Egress AFBRs receiving these UDP-encapsulated IP packets MUST decapsulate them by removing the UDP header and then forward them accordingly (assuming that the Destination Port was set to the reserved value pertaining to IP).

   Like all other IP-in-IP tunneling technologies, IP-in-UDP encapsulation introduces overhead and reduces the effective Maximum Transmission Unit (MTU) size. IP-in-UDP encapsulation may also impact Time-to-Live (TTL) or Hop Count (HC) and Differentiated Services (DSCP). Hence, IP-in-UDP MUST follow the corresponding procedures defined in [RFC2003].

   Ingress AFBRs MUST NOT fragment I-IP packets (i.e., UDP-encapsulated IP packets), and when the outer IP header is IPv4, ingress AFBRs MUST set the DF bit in the outer IPv4 header. It is strongly RECOMMENDED that the I-IP transit core be configured to carry an MTU at least large enough to accommodate the added encapsulation headers. Meanwhile, it is strongly RECOMMENDED that Path MTU Discovery [RFC1191] [RFC1981] or Packetization Layer Path MTU Discovery (PLPMTUD) [RFC4821] be used to prevent or minimize fragmentation. When an ingress AFBR needs to fragment an E-IP packet before encapsulating it, it MUST use the same source UDP port for all fragments so as to ensure that they are always forwarded on the same path. Note that fragmentation of E-IP packets is possible only when the E-IP packets are IPv4 packets and the DF bit is not set.

5.  Congestion Considerations

   Section 3.1.3 of [RFC5405] discusses the congestion implications of UDP tunnels.
   As discussed in [RFC5405], because other flows can share the path with one or more UDP tunnels, congestion control [RFC2914] needs to be considered. As specified in [RFC5405]:

      "IP-based traffic is generally assumed to be congestion-controlled, i.e., it is assumed that the transport protocols generating IP-based traffic at the sender already employ mechanisms that are sufficient to address congestion on the path. Consequently, a tunnel carrying IP-based traffic should already interact appropriately with other traffic sharing the path, and specific congestion control mechanisms for the tunnel are not necessary".

   Since IP-in-UDP is only used to carry IP traffic, which is generally assumed to be congestion controlled by the transport layer, it generally does not need additional congestion control mechanisms. Furthermore, as explicitly stated in the Applicability Statements (Section 1.2), this IP-in-UDP encapsulation method MUST only be used within networks that are well-managed; therefore, a congestion control mechanism is not needed.

6.  Applicability Statements

   This IP-in-UDP encapsulation technology MUST only be used within networks which are well-managed by a service provider and MUST NOT be used within the Internet. In such a well-managed network, traffic is managed so as to avoid congestion, and fragmentation of encapsulated packets (i.e., I-IP packets) is not needed.

7.  Acknowledgements

   Thanks to Vivek Kumar, Carlos Pignataro and Mark Townsley for their valuable comments on the initial idea of this document. Thanks to Andrew G. Malis, Joe Touch and Brian E Carpenter for their valuable comments on this document.

8.  IANA Considerations

   One UDP destination port number indicating IP needs to be allocated by IANA:

      Service Name: IP-in-UDP
      Transport Protocol(s): UDP
      Assignee: IESG
      Contact: IETF Chair
      Description: Encapsulate IP packets in UDP tunnels.
      Reference: This document.
      Port Number: TBD1 -- To be assigned by IANA.

   One UDP destination port number indicating IP with DTLS needs to be allocated by IANA:

      Service Name: IP-in-UDP-with-DTLS
      Transport Protocol(s): UDP
      Assignee: IESG
      Contact: IETF Chair
      Description: Encapsulate IP packets in UDP tunnels with DTLS.
      Reference: This document.
      Port Number: TBD2 -- To be assigned by IANA.

9.  Security Considerations

   The security problems faced by an IP-in-UDP tunnel are exactly the same as those faced by IP-in-IP [RFC2003] and IP-in-GRE [RFC2784] tunnels. In other words, the IP-in-UDP tunnel as defined in this document by itself cannot ensure the integrity and privacy of data packets being transported through the IP-in-UDP tunnel and cannot enable the tunnel decapsulator to authenticate the tunnel encapsulator. Where any of the above security issues is a concern, the IP-in-UDP tunnel SHOULD be secured with IPsec or DTLS. IPsec was designed as a network security mechanism and therefore resides at the network layer. As such, if the tunnel is secured with IPsec, the UDP header is no longer visible to intermediate routers in either IPsec tunnel or transport mode. As a result, the rationale for adopting the IP-in-UDP tunnel as an alternative to the IP-in-GRE or IP-in-IP tunnel is lost. By comparison, DTLS is better suited for application security and better preserves network and transport layer protocol information. Specifically, if DTLS is used, the destination port of the UDP header is filled with a value (TBD2) indicating IP with DTLS, and the source port can still be used as an entropy field for load-sharing purposes.
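   The decapsulator-side checks this section relies on when the tunnel is not secured with IPsec or DTLS, as an added example rather than code from the draft: an egress AFBR accepts a datagram only if it is addressed to the IP-in-UDP port, its UDP length is consistent, its outer source address is a configured tunnel head, and the inner Version field is 4 or 6; a second function expresses the boundary address filter for a tunnel that lies within a single administrative domain. The port value, the endpoint addresses and the sample datagram are constructed placeholders.

```python
import ipaddress

# TBD1 has not been assigned by IANA; this value is a constructed placeholder.
TBD1_PORT = 0xFFFF

# Constructed datagram: source port 0xC123, destination port TBD1, length 28,
# checksum 0, followed by a minimal 20-byte IPv4 header (other fields zero).
SAMPLE_DATAGRAM = bytes.fromhex(
    "c123ffff 001c0000 45000014 00000000 00000000 00000000 00000000")


def boundary_filter(pkt_src, pkt_dst, tunnel_endpoints, from_outside):
    """Domain-edge rule: a packet entering from outside must carry neither a tunnel
    endpoint source nor a tunnel endpoint destination address. Returns True to permit."""
    if not from_outside:
        return True
    endpoints = {ipaddress.ip_address(e) for e in tunnel_endpoints}
    return (ipaddress.ip_address(pkt_src) not in endpoints
            and ipaddress.ip_address(pkt_dst) not in endpoints)


def decapsulate(outer_src, udp_datagram, tunnel_heads):
    """Egress AFBR processing. Returns (inner_packet, "ok") or (None, drop_reason);
    the reason string is meant to be logged so misdirected or spoofed traffic is visible."""
    if len(udp_datagram) < 8:
        return None, "truncated-udp-header"
    dport = int.from_bytes(udp_datagram[2:4], "big")
    length = int.from_bytes(udp_datagram[4:6], "big")
    if dport != TBD1_PORT:
        return None, "not-ip-in-udp-port"
    # UDP Length must cover the header plus at least a minimal IP header.
    if length != len(udp_datagram) or length < 8 + 20:
        return None, "bad-udp-length"
    # Without IPsec or DTLS, checking that the outer source is a configured tunnel
    # head is the tail's only assurance that a legitimate head did the encapsulation.
    heads = {ipaddress.ip_address(h) for h in tunnel_heads}
    if ipaddress.ip_address(outer_src) not in heads:
        return None, "outer-source-not-a-tunnel-head"
    inner = udp_datagram[8:]
    # The inner Version field decides IPv4 vs IPv6; anything else is not an IP packet.
    if inner[0] >> 4 not in (4, 6):
        return None, "inner-not-ip"
    return inner, "ok"
```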
   If the tunnel is not secured with IPsec or DTLS, some other method should be used to ensure that packets are decapsulated and forwarded by the tunnel tail only if those packets were encapsulated by the tunnel head. If the tunnel lies entirely within a single administrative domain, address filtering at the boundaries can be used to ensure that no packet with the IP source address of a tunnel endpoint or with the IP destination address of a tunnel endpoint can enter the domain from outside. However, when the tunnel head and the tunnel tail are not in the same administrative domain, this may become difficult, and filtering based on the destination address can even become impossible if the packets must traverse the public Internet. Sometimes only source address filtering (but not destination address filtering) is done at the boundaries of an administrative domain. If this is the case, the filtering does not provide effective protection at all unless the decapsulator of an IP-in-UDP tunnel validates the IP source address of the packet.

10.  References

10.1.  Normative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI 10.17487/RFC0768, August 1980.

   [RFC1191]  Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, DOI 10.17487/RFC1191, November 1990.

   [RFC1981]  McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery for IP version 6", RFC 1981, DOI 10.17487/RFC1981, August 1996.

   [RFC2003]  Perkins, C., "IP Encapsulation within IP", RFC 2003, DOI 10.17487/RFC2003, October 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, December 1998.
   [RFC2784]  Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, DOI 10.17487/RFC2784, March 2000.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005.

   [RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007.

   [RFC5405]  Eggert, L. and G. Fairhurst, "Unicast UDP Usage Guidelines for Application Designers", RFC 5405, DOI 10.17487/RFC5405, November 2008.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012.

   [RFC6935]  Eubanks, M., Chimento, P., and M. Westerlund, "IPv6 and UDP Checksums for Tunneled Packets", RFC 6935, DOI 10.17487/RFC6935, April 2013.

   [RFC6936]  Fairhurst, G. and M. Westerlund, "Applicability Statement for the Use of IPv6 UDP Datagrams with Zero Checksums", RFC 6936, DOI 10.17487/RFC6936, April 2013.

10.2.  Informative References

   [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, DOI 10.17487/RFC2474, December 1998.

   [RFC2914]  Floyd, S., "Congestion Control Principles", BCP 41, RFC 2914, DOI 10.17487/RFC2914, September 2000.

   [RFC3931]  Lau, J., Ed., Townsley, M., Ed., and I. Goyret, Ed., "Layer Two Tunneling Protocol - Version 3 (L2TPv3)", RFC 3931, DOI 10.17487/RFC3931, March 2005.

   [RFC5565]  Wu, J., Cui, Y., Metz, C., and E. Rosen, "Softwire Mesh Framework", RFC 5565, DOI 10.17487/RFC5565, June 2009.

   [RFC5640]  Filsfils, C., Mohapatra, P., and C. Pignataro, "Load-Balancing for Mesh Softwires", RFC 5640, DOI 10.17487/RFC5640, August 2009.

   [RFC6438]  Carpenter, B. and S. Amante, "Using the IPv6 Flow Label for Equal Cost Multipath Routing and Link Aggregation in Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011.

   [RFC6830]  Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The Locator/ID Separation Protocol (LISP)", RFC 6830, DOI 10.17487/RFC6830, January 2013.

   [RFC7348]  Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger, L., Sridhar, T., Bursell, M., and C. Wright, "Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014.

   [RFC7510]  Xu, X., Sheth, N., Yong, L., Callon, R., and D. Black, "Encapsulating MPLS in UDP", RFC 7510, DOI 10.17487/RFC7510, April 2015.

Authors' Addresses

   Xiaohu Xu
   Huawei

   Email: xuxiaohu@huawei.com

   Hamid Assarpour
   Broadcom

   Email: hamid.assarpour@broadcom.com

   Shaowen Ma
   Juniper

   Email: mashao@juniper.net

   Yiu Lee
   Comcast

   Email: Yiu_Lee@Cable.Comcast.com

   Yongbing Fan
   China Telecom

   Email: fanyb@gsta.com