idnits 2.17.1 draft-yong-tsvwg-gre-in-udp-encap-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 21, 2013) is 3841 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'TBD' is mentioned on line 294, but not defined == Missing Reference: 'RFC6056' is mentioned on line 326, but not defined == Unused Reference: 'RFC0791' is defined on line 375, but no explicit reference was found in the text == Unused Reference: 'RFC2983' is defined on line 388, but no explicit reference was found in the text == Unused Reference: 'RFC5405' is defined on line 391, but no explicit reference was found in the text == Unused Reference: 'RFC6335' is defined on line 398, but no explicit reference was found in the text == Unused Reference: 'RFC4364' is defined on line 430, but no explicit reference was found in the text == Unused Reference: 'RFC4884' is defined on line 433, but no explicit reference was found in the text == Unused Reference: 'RFC6790' is defined on line 437, but no explicit reference was found in the text ** Downref: Normative reference to an Informational RFC: RFC 2983 ** Obsolete normative reference: RFC 5405 (Obsoleted by RFC 8085) -- Obsolete informational reference (is this intentional?): RFC 2460 (Obsoleted by RFC 8200) Summary: 2 errors (**), 0 flaws (~~), 10 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group E. Crabbe, Ed. 3 Internet-Draft Google 4 Intended status: Standards Track L. Yong, Ed. 5 Expires: April 24, 2014 Huawei USA 6 X. Xu, Ed. 7 Huawei Technologies 8 October 21, 2013 10 Generic UDP Encapsulation for IP Tunneling 11 draft-yong-tsvwg-gre-in-udp-encap-02 13 Abstract 15 This document describes a method of encapsulating arbitrary protocols 16 within GRE and UDP headers. In this encapsulation, the source UDP 17 port may be used as an entropy field for purposes of loadbalancing 18 while the payload protocol may be identified by the GRE Protocol 19 Type. 21 Requirements Language 23 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 24 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 25 document are to be interpreted as described in [RFC2119]. 27 Status of This Memo 29 This Internet-Draft is submitted in full conformance with the 30 provisions of BCP 78 and BCP 79. 32 Internet-Drafts are working documents of the Internet Engineering 33 Task Force (IETF). Note that other groups may also distribute 34 working documents as Internet-Drafts. The list of current Internet- 35 Drafts is at http://datatracker.ietf.org/drafts/current/. 37 Internet-Drafts are draft documents valid for a maximum of six months 38 and may be updated, replaced, or obsoleted by other documents at any 39 time. It is inappropriate to use Internet-Drafts as reference 40 material or to cite them other than as "work in progress." 42 This Internet-Draft will expire on April 24, 2014. 44 Copyright Notice 46 Copyright (c) 2013 IETF Trust and the persons identified as the 47 document authors. All rights reserved. 49 This document is subject to BCP 78 and the IETF Trust's Legal 50 Provisions Relating to IETF Documents 51 (http://trustee.ietf.org/license-info) in effect on the date of 52 publication of this document. Please review these documents 53 carefully, as they describe your rights and restrictions with respect 54 to this document. Code Components extracted from this document must 55 include Simplified BSD License text as described in Section 4.e of 56 the Trust Legal Provisions and are provided without warranty as 57 described in the Simplified BSD License. 59 Table of Contents 61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 62 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 63 3. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . 3 64 4. Encapsulation Considerations . . . . . . . . . . . . . . . . 6 65 5. Backward Compatibility . . . . . . . . . . . . . . . . . . . 7 66 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 67 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 68 7.1. Vulnerability . . . . . . . . . . . . . . . . . . . . . . 7 69 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 70 9. Contributing Authors . . . . . . . . . . . . . . . . . . . . 8 71 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 72 10.1. Normative References . . . . . . . . . . . . . . . . . . 9 73 10.2. Informative References . . . . . . . . . . . . . . . . . 10 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 76 1. Introduction 78 Load balancing, or more specifically, statistical multiplexing of 79 traffic using Equal Cost Multi-Path (ECMP) and/or Link Aggregation 80 Groups (LAGs) in IP networks is a widely used technique for creating 81 higher capacity networks out of lower capacity links. Most existing 82 routers in IP networks are already capable of distributing IP traffic 83 flows over ECMP paths and/or LAGs on the basis of a hash function 84 performed on flow invariant fields in IP packet headers and their 85 payload protocol headers. Specifically, when the IP payload is a 86 User Datagram Protocol (UDP)[RFC0768] or Transmission Control 87 Protocol (TCP) packet, router hash functions frequently operate on 88 the five-tuple of the source IP address, the destination IP address, 89 the source port, the destination port, and the protocol/next-header 90 Several tunneling techniques are in common use in IP networks, such 91 as Generic Routing Encapsulation (GRE) [RFC2784], MPLS [RFC4023] and 92 L2TPv3 [RFC3931]. GRE is an increasingly popular encapsulation 93 choice, especially in environments where MPLS is unavailable or 94 unnecessary. Unfortunately, use of common GRE endpoints may reduce 95 the entropy available for use in load balancing, especially in 96 environments where the GRE Key field [RFC2890] is not readilly 97 available for use as entropy in forwarding decisions. 99 This document defines a generic GRE-in-UDP encapsulation for 100 tunneling arbitrary network protocol payloads across an IP network 101 environment where ECMP or LAGs are used. The GRE header provides 102 payload protocol de-multiplexing by way of it's protocol type field 103 [RFC2784] while the UDP header provides additional entropy by way of 104 it's source port. 106 This encapsulation method requires no changes to the transit IP 107 network. Hash functions in most existing IP routers may utilize and 108 benefit from the use of a GRE-in-UDP tunnel without needing any 109 change or upgrade to to their ECMP implementations. The 110 encapsulation mechanism is applicable to a variety of IP networks 111 including Data Center and wide area networks. 113 2. Terminology 115 The terms defined in [RFC0768] are used in this document. 117 3. Procedures 119 When a tunnel ingress device conforming to this document receives a 120 packet, the ingress MUST encapsulate the packet in UDP and GRE 121 headers and set the destination port of the UDP header to [TBD] 122 Section 6. he ingress device must also insert the payload protocol 123 type in the GRE Protocol Type field. The ingress device SHOULD set 124 the UDP source port based on flow invariant fields from the payload 125 header, otherwise it should be set to a randomly selected constant 126 value, e.g. zero, to avoid packet flow reordering. How a tunnel 127 ingress generates entropy from the payload is outside the scope of 128 this document. The tunnel ingress MUST encode its own IP address as 129 the source IP address and the egress tunnel endpoint IP address. The 130 TTL field in the IP header must be set to a value appropriate for 131 delivery of the encapsulated packet to the tunnel egress endpoint. 133 When the tunnel egress receives a packet, it must remove the outer 134 UDP and GRE headers. Section 5 describes the error handling when 135 this entity is not instantiated at the tunnel egress. 137 To simplify packet processing at the tunnel egress, packets destined 138 to this assigned UDP destination port [TBD] SHOULD have their UDP 139 checksum and Sequence flags set to zero because the egress tunnel 140 only needs to identify this protocol. Although IPv6 [RFC2460] 141 restricts the processing a packet with the UDP checksum of zero, 142 [RFC6935] and [RFC6936] relax this constraint to allow the zero UDP 143 checksum. 145 The tunnel ingress may set the GRE Key Present, Sequence Number 146 Present, and Checksum Present bits and asscociated fields in the GRE 147 header defined by [RFC2784] and [RFC2890]. 149 In addition IPv6 nodes MUST conform to the following: 151 1. the IPv6 tunnel ingress and egress SHOULD follow the node 152 requirements specified in Section 4 of [RFC6936] and the usage 153 requirements specified in Section 5 of [RFC6936] 155 2. IPv6 transit nodes SHOULD follow the requirements 9, 10, 11 156 specified in Section 5 of [RFC6936]. 158 The format of the GRE-in-UDP encapsulation for both IPv4 and IPv6 159 outer headersis shown in the followingfigures: 161 0 1 2 3 162 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 164 IPv4 Header: 165 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 166 |Version| IHL |Type of Service| Total Length | 167 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 168 | Identification |Flags| Fragment Offset | 169 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 170 | Time to Live |Protcol=17[UDP]| Header Checksum | 171 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 172 | Source IPv4 Address | 173 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 174 | Destination IPv4 Address | 175 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 177 UDP Header: 178 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 179 | Source Port = XXXX | Dest Port = TBD | 180 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 181 | UDP Length | UDP Checksum | 182 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 184 GRE Header: 186 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 187 |C| |K|S| Reserved0 | Ver | Protocol Type | 188 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 189 | Checksum (optional) | Reserved1 (Optional) | 190 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 191 | Key (optional) | 192 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 193 | Sequence Number (Optional) | 194 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 196 Figure 1: UDP+GRE IPv4 headers 198 0 1 2 3 199 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 201 IPv6 Header: 202 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 203 |Version| Traffic Class | Flow Label | 204 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 205 | Payload Length | NxtHdr=17[UDP]| Hop Limit | 206 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 207 | | 208 + + 209 | | 210 + Outer Source IPv6 Address + 211 | | 212 + + 213 | | 214 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 215 | | 216 + + 217 | | 218 + Outer Destination IPv6 Address + 219 | | 220 + + 221 | | 222 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 224 UDP Header: 225 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 226 | Source Port = XXXX | Dest Port = TBD | 227 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 228 | UDP Length | UDP Checksum | 229 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 230 GRE Header: 231 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 232 |C| |K|S| Reserved0 | Ver | Protocol Type | 233 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 234 | Checksum (optional) | Reserved1 (Optional) | 235 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 236 | Key (optional) | 237 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 238 | Sequence Number (Optional) | 239 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 241 Figure 2: UDP+GRE IPv6 headers 243 The total overhead increase for a UDP+GRE tunnel without use of 244 optional GRE fields, representing the lowest total overhead increase, 245 is 32 bytes in the case of IPv4 and 52 bytes in the case of IPv6. 246 The total overhead increase for a UDP+GRE tunnel with use of GRE Key, 247 Sequence and Checksum Fields, representing the highest total overhead 248 increase, is 44 bytes in the case of IPv4 and 64 bytes in the case of 249 IPv6. 251 4. Encapsulation Considerations 253 GRE-in-UDP encapsulation allows the tunneled traffic to be unicast, 254 broadcast, or multicast traffic. Entropy may be generated from the 255 header of tunneled unicast or broadcast/multicast packets at tunnel 256 ingress. The mapping mechanism between the tunneled multicast 257 traffic and the multicast capability in the IP network is transparent 258 and independent to the encapsulation and is outside the scope of this 259 document. 261 If tunnel ingress must perform fragmentation on a packet before 262 encapsulation, it MUST use the same source UDP port for all packet 263 fragments. This ensures that the transit routers will forward the 264 packet fragments on the same path. GRE-in-UDP encapsulation 265 introduces some overhead as mentioned in section 3, which reduces the 266 effective Maximum Transmission Unit (MTU) size. An operator should 267 factor in this addition overhead bytes when considering an MTU size 268 for the payload to reduce the likelihood of fragmentation. 270 To ensure the tunneled traffic gets the same treatment over the IP 271 network, prior to the encapsulation process, tunnel ingress should 272 process the payload to get the proper parameters to fill into the IP 273 header such as DiffServ [[RFC2983]]. Tunnel end points that support 274 ECN MUST use the method described in [RFC6040] for ECN marking 275 propagation. This process is outside of the scope of this document. 277 Note that the IPv6 header [RFC2460] contains a flow label field that 278 may be used for load balancing in an IPv6 network [RFC6438]. Thus in 279 an IPv6 network, either GRE-in-UDP or flow labels may be used in 280 order to improve load balancing performance. Use of GRE-in-UDP 281 encapsulation provides a unified hardware implementation for load 282 balancing in an IP network independent of the IP version(s) in use. 284 5. Backward Compatibility 286 It is assumed that tunnel ingress routers must be upgraded in order 287 to support the encapsulations described in this document. 289 No change is required at transit routers to support forwarding of the 290 encapsulation described in this document. 292 If a router that is intended for use as a tunnel egress does not 293 support the GRE-in-UDP encapsulation described in this document, it 294 will not be listening on destination port [TBD]. In these cases, the 295 router will conform to normal UDP processing and respond to the 296 tunnel ingress with an ICMP message indicating "port unreachable" 297 according to [RFC0792]. Upon receiving this ICMP message, the tunnel 298 ingress MUST NOT continue to use GRE-in-UDP encapsulation toward this 299 tunnel egress without management intervention. 301 6. IANA Considerations 303 IANA is requested to make the following allocation: Service Name: 304 GRE-in-UDP Transport Protocol(s): UDP Assignee: IESG iesg@ietf.org 305 Contact: IETF Chair chair@ietf.org Description: GRE-in-UDP 306 Encapsulation Reference: [This.I-D] Port Number: TBD Service Code: N/ 307 A Known Unauthorized Uses: N/A Assignment Notes: N/A 309 7. Security Considerations 311 7.1. Vulnerability 313 Neither UDP nor GRE encapsulation effects security for the payload 314 protocol. When using GRE-in-UDP, Network Security in a network is 315 similar to that of a network using GRE. 317 Use of ICMP for signaling of the GRE-in-UDP encapsulation capability 318 adds a security concern. Tunnel ingress devices may want to validate 319 the origin of ICMP Port Unreachable messages before taking action. 320 The mechanism for performing this validation is out of the scope of 321 this document. 323 In an instance where the UDP src port is not set based et the flow 324 invariant fields from the payload header, a random port SHOULD be 325 selected in order to minimize the vulnerability to off-path attacks. 326 [RFC6056] How the src port randomization occurs is outside scope of 327 this document. 329 8. Acknowledgements 331 The Authors would like to thank Vivek Kumar, Ron Bonica, Joe Touch, 332 Ruediger Geib, Gorry Fairhurst, and David Black for their review and 333 valuable input on this draft. 335 9. Contributing Authors 337 The following people all contributed significantly to this document 338 and are listed below in alphabetical order: 340 John E. Drake 341 Juniper Networks 343 Email: jdrake@juniper.net 345 Adrian Farrel 346 Juniper Networks 348 Email: adrian@olddog.co.uk 350 Vishwas Manral 351 Hewlett-Packard Corp. 352 3000 Hanover St, Palo Alto. 354 Email: vishwas.manral@hp.com 356 Carlos Pignataro 357 Cisco Systems 358 7200-12 Kit Creek Road 359 Research Triangle Park, NC 27709 USA 361 EMail: cpignata@cisco.com 363 Yongbing Fan 364 China Telecom 365 Guangzhou, China. 366 Phone: +86 20 38639121 368 10. References 370 10.1. Normative References 372 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 373 August 1980. 375 [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, September 376 1981. 378 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 379 Requirement Levels", BCP 14, RFC 2119, March 1997. 381 [RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. 382 Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, 383 March 2000. 385 [RFC2890] Dommety, G., "Key and Sequence Number Extensions to GRE", 386 RFC 2890, September 2000. 388 [RFC2983] Black, D., "Differentiated Services and Tunnels", RFC 389 2983, October 2000. 391 [RFC5405] Eggert, L. and G. Fairhurst, "Unicast UDP Usage Guidelines 392 for Application Designers", BCP 145, RFC 5405, November 393 2008. 395 [RFC6040] Briscoe, B., "Tunnelling of Explicit Congestion 396 Notification", RFC 6040, November 2010. 398 [RFC6335] Cotton, M., Eggert, L., Touch, J., Westerlund, M., and S. 399 Cheshire, "Internet Assigned Numbers Authority (IANA) 400 Procedures for the Management of the Service Name and 401 Transport Protocol Port Number Registry", BCP 165, RFC 402 6335, August 2011. 404 [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label 405 for Equal Cost Multipath Routing and Link Aggregation in 406 Tunnels", RFC 6438, November 2011. 408 [RFC6935] Eubanks, M., Chimento, P., and M. Westerlund, "IPv6 and 409 UDP Checksums for Tunneled Packets", RFC 6935, April 2013. 411 [RFC6936] Fairhurst, G. and M. Westerlund, "Applicability Statement 412 for the Use of IPv6 UDP Datagrams with Zero Checksums", 413 RFC 6936, April 2013. 415 10.2. Informative References 417 [RFC0792] Postel, J., "Internet Control Message Protocol", STD 5, 418 RFC 792, September 1981. 420 [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 421 (IPv6) Specification", RFC 2460, December 1998. 423 [RFC3931] Lau, J., Townsley, M., and I. Goyret, "Layer Two Tunneling 424 Protocol - Version 3 (L2TPv3)", RFC 3931, March 2005. 426 [RFC4023] Worster, T., Rekhter, Y., and E. Rosen, "Encapsulating 427 MPLS in IP or Generic Routing Encapsulation (GRE)", RFC 428 4023, March 2005. 430 [RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private 431 Networks (VPNs)", RFC 4364, February 2006. 433 [RFC4884] Bonica, R., Gan, D., Tappan, D., and C. Pignataro, 434 "Extended ICMP to Support Multi-Part Messages", RFC 4884, 435 April 2007. 437 [RFC6790] Kompella, K., Drake, J., Amante, S., Henderickx, W., and 438 L. Yong, "The Use of Entropy Labels in MPLS Forwarding", 439 RFC 6790, November 2012. 441 Authors' Addresses 443 Edward Crabbe (editor) 444 Google 445 1600 Amphitheatre Parkway 446 Mountain View, CA 94102 447 US 449 Email: edward.crabbe@gmail.com 451 Lucy Yong (editor) 452 Huawei USA 453 5340 Legacy Drive 454 San Jose, TX 75025 455 US 457 Email: lucy.yong@huawei.com 458 Xiaohu Xu (editor) 459 Huawei Technologies 460 Beijing 461 China 463 Email: xuxiaohu@huawei.com