--- 1/draft-ietf-tsvwg-datagram-plpmtud-19.txt 2020-05-07 05:13:50.338475022 -0700 +++ 2/draft-ietf-tsvwg-datagram-plpmtud-20.txt 2020-05-07 05:13:50.434477471 -0700 @@ -1,44 +1,45 @@ Internet Engineering Task Force G. Fairhurst Internet-Draft T. Jones Updates: 4821, 4960, 6951, 8085, 8261 (if University of Aberdeen approved) M. Tuexen Intended status: Standards Track I. Ruengeler -Expires: 5 October 2020 T. Voelker +Expires: 8 November 2020 T. Voelker Muenster University of Applied Sciences - 3 April 2020 + 7 May 2020 Packetization Layer Path MTU Discovery for Datagram Transports - draft-ietf-tsvwg-datagram-plpmtud-19 + draft-ietf-tsvwg-datagram-plpmtud-20 Abstract This document describes a robust method for Path MTU Discovery (PMTUD) for datagram Packetization Layers (PLs). It describes an extension to RFC 1191 and RFC 8201, which specifies ICMP-based Path MTU Discovery for IPv4 and IPv6. The method allows a PL, or a datagram application that uses a PL, to discover whether a network path can support the current size of datagram. This can be used to detect and reduce the message size when a sender encounters a packet black hole (where packets are discarded). The method can probe a network path with progressively larger packets to discover whether the maximum packet size can be increased. This allows a sender to determine an appropriate packet size, providing functionality for datagram transports that is equivalent to the Packetization Layer PMTUD specification for TCP, specified in RFC 4821. - This document updates RFC 4821 to specify the method for datagram - PLs, and updates RFC 8085 as the method to use in place of RFC 4821 + This document updates RFC 4821 to specify the PLPMTUD method for + datagram PLs. It also updates RFC 8085 to refer to the method + specified in this document instead of the method in RFC 4821 for use with UDP datagrams. Section 7.3 of RFC4960 recommends an endpoint apply the techniques in RFC 4821 on a per-destination-address basis. - RFC 4960, RFC 6951 and RFC 8261 are updated to recommend that SCTP, + RFC 4960, RFC 6951, and RFC 8261 are updated to recommend that SCTP, SCTP encapsulated in UDP and SCTP encapsulated in DTLS use the method specified in this document instead of the method in RFC 4821. The document also provides implementation notes for incorporating Datagram PMTUD into IETF datagram transports or applications that use datagram transports. When published, this specification updates RFC 4960, RFC 4821, RFC 8085 and RFC 8261. @@ -50,21 +51,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 5 October 2020. + This Internet-Draft will expire on 8 November 2020. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights @@ -77,26 +78,27 @@ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Classical Path MTU Discovery . . . . . . . . . . . . . . 4 1.2. Packetization Layer Path MTU Discovery . . . . . . . . . 6 1.3. Path MTU Discovery for Datagram Services . . . . . . . . 7 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 3. Features Required to Provide Datagram PLPMTUD . . . . . . . . 11 4. DPLPMTUD Mechanisms . . . . . . . . . . . . . . . . . . . . . 14 4.1. PLPMTU Probe Packets . . . . . . . . . . . . . . . . . . 14 4.2. Confirmation of Probed Packet Size . . . . . . . . . . . 15 - 4.3. Black Hole Detection and Reducing the PLPMTU . . . . . . 15 - 4.4. The Maximum Packet Size (MPS) . . . . . . . . . . . . . . 16 - 4.5. Disabling the Effect of PMTUD . . . . . . . . . . . . . . 17 + 4.3. Black Hole Detection and Reducing the PLPMTU . . . . . . 16 + 4.4. The Maximum Packet Size (MPS) . . . . . . . . . . . . . . 17 + 4.5. Disabling the Effect of PMTUD . . . . . . . . . . . . . . 18 4.6. Response to PTB Messages . . . . . . . . . . . . . . . . 18 4.6.1. Validation of PTB Messages . . . . . . . . . . . . . 18 4.6.2. Use of PTB Messages . . . . . . . . . . . . . . . . . 19 + 5. Datagram Packetization Layer PMTUD . . . . . . . . . . . . . 20 5.1. DPLPMTUD Components . . . . . . . . . . . . . . . . . . . 21 5.1.1. Timers . . . . . . . . . . . . . . . . . . . . . . . 21 5.1.2. Constants . . . . . . . . . . . . . . . . . . . . . . 22 5.1.3. Variables . . . . . . . . . . . . . . . . . . . . . . 23 5.1.4. Overview of DPLPMTUD Phases . . . . . . . . . . . . . 24 5.2. State Machine . . . . . . . . . . . . . . . . . . . . . . 26 5.3. Search to Increase the PLPMTU . . . . . . . . . . . . . . 29 5.3.1. Probing for a larger PLPMTU . . . . . . . . . . . . . 29 5.3.2. Selection of Probe Sizes . . . . . . . . . . . . . . 30 @@ -102,48 +104,48 @@ 5.3.2. Selection of Probe Sizes . . . . . . . . . . . . . . 30 5.3.3. Resilience to Inconsistent Path Information . . . . . 30 5.4. Robustness to Inconsistent Paths . . . . . . . . . . . . 31 6. Specification of Protocol-Specific Methods . . . . . . . . . 31 6.1. Application support for DPLPMTUD with UDP or UDP-Lite . . 31 6.1.1. Application Request . . . . . . . . . . . . . . . . . 32 6.1.2. Application Response . . . . . . . . . . . . . . . . 32 6.1.3. Sending Application Probe Packets . . . . . . . . . . 32 6.1.4. Initial Connectivity . . . . . . . . . . . . . . . . 32 6.1.5. Validating the Path . . . . . . . . . . . . . . . . . 32 - 6.1.6. Handling of PTB Messages . . . . . . . . . . . . . . 33 + 6.1.6. Handling of PTB Messages . . . . . . . . . . . . . . 32 6.2. DPLPMTUD for SCTP . . . . . . . . . . . . . . . . . . . . 33 6.2.1. SCTP/IPv4 and SCTP/IPv6 . . . . . . . . . . . . . . . 33 6.2.1.1. Initial Connectivity . . . . . . . . . . . . . . 33 6.2.1.2. Sending SCTP Probe Packets . . . . . . . . . . . 33 6.2.1.3. Validating the Path with SCTP . . . . . . . . . . 34 6.2.1.4. PTB Message Handling by SCTP . . . . . . . . . . 34 6.2.2. DPLPMTUD for SCTP/UDP . . . . . . . . . . . . . . . . 34 6.2.2.1. Initial Connectivity . . . . . . . . . . . . . . 35 6.2.2.2. Sending SCTP/UDP Probe Packets . . . . . . . . . 35 6.2.2.3. Validating the Path with SCTP/UDP . . . . . . . . 35 6.2.2.4. Handling of PTB Messages by SCTP/UDP . . . . . . 35 6.2.3. DPLPMTUD for SCTP/DTLS . . . . . . . . . . . . . . . 35 6.2.3.1. Initial Connectivity . . . . . . . . . . . . . . 35 - 6.2.3.2. Sending SCTP/DTLS Probe Packets . . . . . . . . . 35 + 6.2.3.2. Sending SCTP/DTLS Probe Packets . . . . . . . . . 36 6.2.3.3. Validating the Path with SCTP/DTLS . . . . . . . 36 6.2.3.4. Handling of PTB Messages by SCTP/DTLS . . . . . . 36 6.3. DPLPMTUD for QUIC . . . . . . . . . . . . . . . . . . . . 36 6.3.1. Initial Connectivity . . . . . . . . . . . . . . . . 36 - 6.3.2. Sending QUIC Probe Packets . . . . . . . . . . . . . 36 + 6.3.2. Sending QUIC Probe Packets . . . . . . . . . . . . . 37 6.3.3. Validating the Path with QUIC . . . . . . . . . . . . 37 6.3.4. Handling of PTB Messages by QUIC . . . . . . . . . . 37 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37 - 9. Security Considerations . . . . . . . . . . . . . . . . . . . 37 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 38 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 39 10.1. Normative References . . . . . . . . . . . . . . . . . . 39 - 10.2. Informative References . . . . . . . . . . . . . . . . . 40 + 10.2. Informative References . . . . . . . . . . . . . . . . . 41 Appendix A. Revision Notes . . . . . . . . . . . . . . . . . . . 42 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 46 1. Introduction The IETF has specified datagram transport using UDP, SCTP, and DCCP, as well as protocols layered on top of these transports (e.g., SCTP/ UDP, DCCP/UDP, QUIC/UDP), and direct datagram transport over the IP network layer. This document describes a robust method for Path MTU Discovery (PMTUD) that can be used with these transport protocols (or @@ -166,34 +168,34 @@ probe packets. Packets not intended as probe packets are either fragmented to the current effective PMTU, or the attempt to send fails with an error code. Applications can be provided with a primitive to let them read the Maximum Packet Size (MPS), derived from the current effective PMTU. Classical PMTUD is subject to protocol failures. One failure arises when traffic using a packet size larger than the actual PMTU is - black-holed (all datagrams sent with this size, or larger, are + black-holed (all datagrams larger than the actual PMTU, are discarded). This could arise when the PTB messages are not delivered back to the sender for some reason (see for example [RFC2923]). Examples where PTB messages are not delivered include: * The generation of ICMP messages is usually rate limited. This could result in no PTB messages being generated to the sender (see section 2.4 of [RFC4443]) * ICMP messages can be filtered by middleboxes (including firewalls) - [RFC4890]. A stateful firewall could be configured with a policy - to block incoming ICMP messages, which would prevent reception of - PTB messages to a sending endpoint behind this firewall. + [RFC4890]. A firewall could be configured with a policy to block + incoming ICMP messages, which would prevent reception of PTB + messages to a sending endpoint behind this firewall. * When the router issuing the ICMP message drops a tunneled packet, the resulting ICMP message will be directed to the tunnel ingress. This tunnel endpoint is responsible for forwarding the ICMP message and also processing the quoted packet within the payload field to remove the effect of the tunnel, and return a correctly formatted ICMP message to the sender [I-D.ietf-intarea-tunnels]. Failure to do this prevents the PTB message reaching the original sender. @@ -275,21 +277,21 @@ layer that is responsible for placing data blocks into the payload of IP packets and selecting an appropriate MPS. This function is often performed by a transport protocol (e.g., DCCP, RTP, SCTP, QUIC), but can also be performed by other encapsulation methods working above the transport layer. In contrast to PMTUD, Packetization Layer Path MTU Discovery (PLPMTUD) [RFC4821] introduced a method that does not rely upon reception and validation of PTB messages. It is therefore more robust than Classical PMTUD. This has become the recommended - approach for implementing discovery of the PMTU [RFC8085]. + approach for implementing discovery of the PMTU [BCP145]. It uses a general strategy where the PL sends probe packets to search for the largest size of unfragmented datagram that can be sent over a network path. Probe packets are sent to explore using a larger packet size. If a probe packet is successfully delivered (as determined by the PL), then the PLPMTU is raised to the size of the successful probe. If a black hole is detected (e.g., where packets of size PLPMTU are consistently not received), the method reduces the PLPMTU. @@ -309,34 +311,34 @@ Section 5 of this document presents a set of algorithms for datagram protocols to discover the largest size of unfragmented datagram that can be sent over a network path. The method relies upon features of the PL described in Section 3 and applies to transport protocols operating over IPv4 and IPv6. It does not require cooperation from the lower layers, although it can utilize PTB messages when these received messages are made available to the PL. The message size guidelines in section 3.2 of the UDP Usage - Guidelines [RFC8085] state "an application SHOULD either use the Path + Guidelines [BCP145] state "an application SHOULD either use the Path MTU information provided by the IP layer or implement Path MTU Discovery (PMTUD)", but does not provide a mechanism for discovering the largest size of unfragmented datagram that can be used on a network path. The present document updates RFC 8085 to specify this method in place of PLPMTUD [RFC4821] and provides a mechanism for sharing the discovered largest size as the MPS (see Section 4.4). Section 10.2 of [RFC4821] recommended a PLPMTUD probing method for the Stream Control Transport Protocol (SCTP). SCTP utilizes probe packets consisting of a minimal sized HEARTBEAT chunk bundled with a PAD chunk as defined in [RFC4820]. However, RFC 4821 did not provide - a complete specification. The present document replaces this by - providing a complete specification. + a complete specification. The present document replaces that + description by providing a complete specification. The Datagram Congestion Control Protocol (DCCP) [RFC4340] requires implementations to support Classical PMTUD and states that a DCCP sender "MUST maintain the MPS allowed for each active DCCP session". It also defines the current congestion control MPS (CCMPS) supported by a network path. This recommends use of PMTUD, and suggests use of control packets (DCCP-Sync) as path probe packets, because they do not risk application data loss. The method defined in this specification can be used with DCCP. @@ -418,47 +420,54 @@ how other standards organizations use the acronym. This includes the IP header, but excludes link layer headers and other framing that is not part of IP or the IP payload. Other standards organizations generally define the link MTU to include the link layer headers. This specification continues the requirement in [RFC4821], that states "All links MUST enforce their MTU: links that might non- deterministically deliver packets that are larger than their rated MTU MUST consistently discard such packets." MAX_PLPMTU: The MAX_PLPMTU is the largest size of PLPMTU that - DPLPMTUD will attempt to use. + DPLPMTUD will attempt to use (see the constants defined in + Section 5.1.2). MIN_PLPMTU: The MIN_PLPMTU is the smallest size of PLPMTU that - DPLPMTUD will attempt to use. + DPLPMTUD will attempt to use (see the constants defined in + Section 5.1.2). MPS: The Maximum Packet Size (MPS) is the largest size of application data block that can be sent across a network path by a PL using a single Datagram. MSL: Maximum Segment Lifetime (MSL) The maximum delay a packet is - expected to experience across a path, taken as 2 minutes - [RFC8085]. + expected to experience across a path, taken as 2 minutes [BCP145]. - Packet: A Packet is the IP header plus the IP payload. + Packet: A Packet is the IP header(s) and any extension headers/ + options plus the IP payload. Packetization Layer (PL): The PL is a layer of the network stack that places data into packets and performs transport protocol - functions. Examples of a PL include: TCP, SCTP, SCTP over DTLS or - QUIC. + functions. Examples of a PL include: TCP, SCTP, SCTP over UDP, + SCTP over DTLS, or QUIC. Path: The Path is the set of links and routers traversed by a packet between a source node and a destination node by a particular flow. Path MTU (PMTU): The Path MTU (PMTU) is the minimum of the Link MTU of all the links forming a network path between a source node and a destination node, as used by PMTUD. + PTB: In this document, the term PTB message is applied to both IPv4 + ICMP Unreachable messages (type 3) that carry the error + Fragmentation Needed (Type 3, Code 4) [RFC0792] and ICMPv6 Packet + Too Big messages (Type 2) [RFC4443]. + PTB_SIZE: The PTB_SIZE is a value reported in a validated PTB message that indicates next hop link MTU of a router along the path. PL_PTB_SIZE: The size reported in a validated PTB message, reduced by the size of all headers added by layers below the PL. PLPMTU: The Packetization Layer PMTU is an estimate of the largest size of PL datagram that can be sent by a path, controled by PLPMTUD. @@ -486,106 +495,106 @@ The requirements for datagram PLPMTUD are: 1. Managing the PLPMTU: For datagram PLs, the PLPMTU is managed by DPLPMTUD. A PL MUST NOT send a datagram (other than a probe packet) with a size at the PL that is larger than the current PLPMTU. 2. Probe packets: The network interface below PL is REQUIRED to provide a way to transmit a probe packet that is larger than the - PLMPMTU. In IPv4, a probe packet MUST be sent with the Don't - Fragment (DF) bit set in the IP header, and without network - layer endpoint fragmentation. In IPv6, a probe packet is always - sent without source fragmentation (as specified in section 5.4 - of [RFC8201]). + PLPMTU. In IPv4, a probe packet MUST be sent with the Don't + Fragment (DF) bit set in the IP header, and without network layer + endpoint fragmentation. In IPv6, a probe packet is always sent + without source fragmentation (as specified in section 5.4 of + [RFC8201]). 3. Reception feedback: The destination PL endpoint is REQUIRED to provide a feedback method that indicates to the DPLPMTUD sender when a probe packet has been received by the destination PL endpoint. Section 6 provides examples of how a PL can provide this acknowledgment of received probe packets. 4. Probe loss recovery: It is RECOMMENDED to use probe packets that do not carry any user data that would require retransmission if lost. Most datagram transports permit this. If a probe packet contains user data requiring retransmission in case of loss, the PL (or layers above) are REQUIRED to arrange any retransmission/ - repair of any resulting loss. The PL is REQUIRED to be robust - in the case where probe packets are lost due to other reasons + repair of any resulting loss. The PL is REQUIRED to be robust in + the case where probe packets are lost due to other reasons (including link transmission error, congestion). 5. PMTU parameters: A DPLPMTUD sender is RECOMMENDED to utilize information about the maximum size of packet that can be - transmitted by the sender on the local link (e.g., the local - Link MTU). It MAY utilize similar information about the maximum - size a receiver can accept when this is supplied (note this - could be less than EMTU_R). This avoids implementations trying - to send probe packets that can not be transferred by the local - link. Too high of a value could reduce the efficiency of the - search algorithm. Some applications also have a maximum - transport protocol data unit (PDU) size, in which case there is - no benefit from probing for a size larger than this (unless a - transport allows multiplexing multiple applications PDUs into - the same datagram). + transmitted by the sender on the local link (e.g., the local Link + MTU). A PL sender MAY utilize similar information about the + maximum size of network layer packet that a receiver can accept + when this is supplied (note this could be less than EMTU_R). + This avoids implementations trying to send probe packets that can + not be transferred by the local link. Too high of a value could + reduce the efficiency of the search algorithm. Some applications + also have a maximum transport protocol data unit (PDU) size, in + which case there is no benefit from probing for a size larger + than this (unless a transport allows multiplexing multiple + applications PDUs into the same datagram). - 6. Processing PTB messages: A DPLPMTUD sender MAY optionally - utilize PTB messages received from the network layer to help - identify when a network path does not support the current size - of probe packet. Any received PTB message MUST be validated - before it is used to update the PLPMTU discovery information - [RFC8201]. This validation confirms that the PTB message was - sent in response to a packet originating by the sender, and - needs to be performed before the PLPMTU discovery method reacts - to the PTB message. A PTB message MUST NOT be used to increase - the PLPMTU [RFC8201], but could trigger a probe to test for a - larger PLPMTU. A PL_PTB_SIZE that is greater than that - currently probed MUST be ignored. A valid PTB_SIZE is converted - to a PL_PTB_SIZE before it is to be used in the DPLPMTUD state - machine. + 6. Processing PTB messages: A DPLPMTUD sender MAY optionally utilize + PTB messages received from the network layer to help identify + when a network path does not support the current size of probe + packet. Any received PTB message MUST be validated before it is + used to update the PLPMTU discovery information [RFC8201]. This + validation confirms that the PTB message was sent in response to + a packet originating by the sender, and needs to be performed + before the PLPMTU discovery method reacts to the PTB message. A + PTB message MUST NOT be used to increase the PLPMTU [RFC8201], + but could trigger a probe to test for a larger PLPMTU. A valid + PTB_SIZE is converted to a PL_PTB_SIZE before it is to be used in + the DPLPMTUD state machine. A PL_PTB_SIZE that is greater than + that currently probed SHOULD be ignored. (This PTB message ought + to be discarded without further processing, but could be utilized + as an input that enables a resilience mode). - 7. Probing and congestion control: The decision about when to send - a probe packet does not need to be limited by the congestion - controller. When not controlled by the congestion controller, - the interval between probe packets MUST be at least one RTT. If + 7. Probing and congestion control: A PL MAY use a congestion + controller to decide when to send a probe packet. If transmission of probe packets is limited by the congestion controller, this could result in transmission of probe packets - being delayed or suspended during congestion. - - 8. Loss of a probe packet SHOULD NOT be treated as an indication of - congestion and SHOULD NOT trigger a congestion control reaction - [RFC4821], because this could result in unnecessary reduction of - the sending rate. - - 9. An update to the PLPMTU (or MPS) MUST NOT increase the - congestion window measured in bytes [RFC4821]. Therefore, an - increase in the packet size does not cause an increase in the - data rate in bytes per second. - - 10. A PL that maintains the congestion window in terms of a limit to + being delayed or suspended during congestion. When the + transmission of probe packets is not controlled by the congestion + controller, the interval between probe packets MUST be at least + one RTT. Loss of a probe packet SHOULD NOT be treated as an + indication of congestion and SHOULD NOT trigger a congestion + control reaction [RFC4821], because this could result in + unnecessary reduction of the sending rate. An update to the + PLPMTU (or MPS) MUST NOT increase the congestion window measured + in bytes [RFC4821]. Therefore, an increase in the packet size + does not cause an increase in the data rate in bytes per second. + A PL that maintains the congestion window in terms of a limit to the number of outstanding fixed size packets SHOULD adapt this - limit to compensate for the size of the actual packets. + limit to compensate for the size of the actual packets. The + transmission of probe packets can interact with the operation of + a PL that performs burst mitigation or pacing and could need + transmission of probe packets to be regulated by these methods. - 11. Probing and flow control: Flow control at the PL concerns the - end-to-end flow of data using the PL service. This does not - apply to DPLPMTU when probe packets use a design that does not - carry user data to the remote application. + 8. Probing and flow control: Flow control at the PL concerns the + end-to-end flow of data using the PL service. Flow control + SHOULD NOT apply to DPLPMTU when probe packets use a design that + does not carry user data to the remote application. - 12. Shared PLPMTU state: The PMTU value calculated from the PLPMTU + 9. Shared PLPMTU state: The PMTU value calculated from the PLPMTU MAY also be stored with the corresponding entry associated with the destination in the IP layer cache, and used by other PL instances. The specification of PLPMTUD [RFC4821] states: "If PLPMTUD updates the MTU for a particular path, all Packetization Layer sessions that share the path representation (as described in Section 5.2 of [RFC4821]) SHOULD be notified to make use of - the new MTU". Such methods MUST be robust to the wide variety - of underlying network forwarding behaviors. Section 5.2 of + the new MTU". Such methods MUST be robust to the wide variety of + underlying network forwarding behaviors. Section 5.2 of [RFC8201] provides guidance on the caching of PMTU information and also the relation to IPv6 flow labels. In addition, the following principles are stated for design of a DPLPMTUD method: * A PL MAY be designed to segment data blocks larger than the MPS into multiple datagrams. However, not all datagram PLs support segmentation of data blocks. It is RECOMMENDED that methods avoid forcing an application to use an arbitrary small MPS for @@ -662,43 +671,44 @@ block supplied by an application that matches the size of the probe packet. This method requests the application to issue a data block of the desired probe size. A PL that uses a probe packet carrying application data and needs protection from the loss of this probe packet could perform transport-layer retransmission/repair of the data block (e.g., by retransmission after loss is detected or by duplicating the data block in a datagram without the padding data). This retransmitted data block might possibly need to be sent using a smaller PLPMTU, - which could need the PL to to use a smaller packet size to traverse - the end-to-end path. (This could utilize endpoint network-layer or a - PL that can re-segment the data block into multiple datagrams). + which could force the PL to to use a smaller packet size to traverse + the end-to-end path. (This could utilize endpoint network-layer + fragmentation or a PL that can re-segment the data block into + multiple datagrams). DPLPMTUD MAY choose to use only one of these methods to simplify the implementation. Probe messages sent by a PL MUST contain enough information to uniquely identify the probe within Maximum Segment Lifetime (e.g., including a unique identifier from the PL or the DPLPMTUD implementation), while being robust to reordering and replay of probe response and PTB messages. 4.2. Confirmation of Probed Packet Size The PL needs a method to determine (confirm) when probe packets have been successfully received end-to-end across a network path. Transport protocols can include end-to-end methods that detect and - report reception of specific datagrams that they send (e.g., DCCP and - SCTP provide keep-alive/heartbeat features). When supported, this - mechanism MAY also be used by DPLPMTUD to acknowledge reception of a - probe packet. + report reception of specific datagrams that they send (e.g., DCCP, + SCTP, and QUIC provide keep-alive/heartbeat features). When + supported, this mechanism MAY also be used by DPLPMTUD to acknowledge + reception of a probe packet. A PL that does not acknowledge data reception (e.g., UDP and UDP- Lite) is unable itself to detect when the packets that it sends are discarded because their size is greater than the actual PMTU. These PLs need to rely on an application protocol to detect this loss. Section 6 specifies this function for a set of IETF-specified protocols. 4.3. Black Hole Detection and Reducing the PLPMTU @@ -785,21 +795,21 @@ been sent with a size less than the MPS and the PLPMTU was subsequently reduced. If these packets are lost, the PL MAY segment the data using the new MPS. If a PL is unable to re-segment a previously sent datagram (e.g., [RFC4960]), then the sender either discards the datagram or could perform retransmission using network- layer fragmentation to form multiple IP packets not larger than the PLPMTU. For IPv4, the use of endpoint fragmentation by the sender is preferred over clearing the DF bit in the IPv4 header. Operational experience reveals that IP fragmentation can reduce the reliability of Internet communication [I-D.ietf-intarea-frag-fragile], which may - reduce the success of retransmission. + reduce the probability of successful retransmission. 4.5. Disabling the Effect of PMTUD A PL implementing this specification MUST suspend network layer processing of outgoing packets that enforces a PMTU [RFC1191][RFC8201] for each flow utilizing DPLPMTUD, and instead use DPLPMTUD to control the size of packets that are sent by a flow. This removes the need for the network layer to drop or fragment sent packets that have a size greater than the PMTU. @@ -820,67 +830,71 @@ This section specifies utilization and validation of PTB messages. * A simple implementation MAY ignore received PTB messages and in this case the PLPMTU is not updated when a PTB message is received. * A PL that supports PTB messages MUST validate these messages before they are further processed. A PL that receives a PTB message from a router or middlebox performs - ICMP validation as specified in Section 5.2 of [RFC8085][RFC8201]. - Because DPLPMTUD operates at the PL, the PL needs to check that each - received PTB message is received in response to a packet transmitted - by the endpoint PL performing DPLPMTUD. + ICMP validation (see Section 4 of [RFC8201] and Section 5.2 of + [BCP145]). Because DPLPMTUD operates at the PL, the PL needs to + check that each received PTB message is received in response to a + packet transmitted by the endpoint PL performing DPLPMTUD. The PL MUST check the protocol information in the quoted packet carried in an ICMP PTB message payload to validate the message originated from the sending node. This validation includes determining that the combination of the IP addresses, the protocol, the source port and destination port match those returned in the quoted packet - this is also necessary for the PTB message to be passed to the corresponding PL. The validation SHOULD utilize information that it is not simple for - an off-path attacker to determine [RFC8085]. For example, it could + an off-path attacker to determine [BCP145]. For example, it could check the value of a protocol header field known only to the two PL endpoints. A datagram application that uses well-known source and destination ports ought to also rely on other information to complete this validation. These checks are intended to provide protection from packets that originate from a node that is not on the network path. A PTB message that does not complete the validation MUST NOT be further utilized by the DPLPMTUD method, as discussed in the Security Considerations section. - PTB messages that have been validated MAY be utilized by the DPLPMTUD - algorithm, but MUST NOT be used directly to set the PLPMTU. The - PL_PTB_SIZE is smaller than the PTB_SIZE because it is reduced by - headers below the PL including any IP options or extensions added to - the PL packet. A method that utilizes these PTB messages can improve - the speed at which the algorithm detects an appropriate PLPMTU by - triggering an immediate probe for the PL_PTB_SIZE (resulting in a - network-layer packet of size PTB_SIZE), compared to one that relies - solely on probing using a timer-based search algorithm. - Section 4.6.2 describes this processing. + Section 4.6.2 describes this processing of PTB messages. 4.6.2. Use of PTB Messages + PTB messages that have been validated MAY be utilized by the DPLPMTUD + algorithm, but MUST NOT be used directly to set the PLPMTU. + Before using the size reported in the PTB message it must first be - converted to a PL_PTB_SIZE. A set of checks are intended to provide - protection from a router that reports an unexpected PTB_SIZE. The PL - also needs to check that the indicated PL_PTB_SIZE is less than the - size used by probe packets and at least the minimum size accepted. + converted to a PL_PTB_SIZE. The PL_PTB_SIZE is smaller than the + PTB_SIZE because it is reduced by headers below the PL including any + IP options or extensions added to the PL packet. + + A method that utilizes these PTB messages can improve the speed at + which the algorithm detects an appropriate PLPMTU by triggering an + immediate probe for the PL_PTB_SIZE (resulting in a network-layer + packet of size PTB_SIZE), compared to one that relies solely on + probing using a timer-based search algorithm. + + A set of checks are intended to provide protection from a router that + reports an unexpected PTB_SIZE. The PL also needs to check that the + indicated PL_PTB_SIZE is less than the size used by probe packets and + at least the minimum size accepted. This section provides a summary of how PTB messages can be utilized. - (This uses the set of constants defined in section 5.1.2). This + (This uses the set of constants defined in Section 5.1.2). This processing depends on the PL_PTB_SIZE and the current value of a set of variables: PL_PTB_SIZE < MIN_PLPMTU * Invalid PL_PTB_SIZE see Section 4.6.1. * PTB message ought to be discarded without further processing (i.e., PLPMTU is not modified). * The information could be utilized as an input that triggers @@ -900,53 +914,51 @@ BASE_PLPMTU <= PL_PTB_SIZE < PLPMTU * This could be an indication of a black hole. The PLPMTU SHOULD be set to BASE_PLPMTU (the PLPMTU is reduced to the BASE_PLPMTU to avoid unnecessary packet loss when a black hole is encountered). * The PL ought to start a search to quickly discover the new PLPMTU. The PL_PTB_SIZE reported in the PTB message can be used to initialize a search algorithm. - PL_PTB_SIZE = PLPMTU - * Completes the search for a larger PLPMTU. - PLPMTU < PL_PTB_SIZE < PROBED_SIZE * The PLPMTU continues to be valid, but the size of a packet used to search (PROBED_SIZE) was larger than the actual PMTU. * The PLPMTU is not updated. * The PL can use the reported PL_PTB_SIZE from the PTB message as the next search point when it resumes the search algorithm. - PL_PTB_SIZE > PROBED_SIZE + PL_PTB_SIZE >= PROBED_SIZE * Inconsistent network signal. * PTB message ought to be discarded without further processing (i.e., PLPMTU is not modified). * The information could be utilized as an input to trigger enabling a resilience mode. 5. Datagram Packetization Layer PMTUD This section specifies Datagram PLPMTUD (DPLPMTUD). The method can be introduced at various points (as indicated with * in the figure below) in the IP protocol stack to discover the PLPMTU so that an application can utilize an appropriate MPS for the current network path. - DPLPMTUD SHOULD NOT be used by an upper PL or application if it is - already used in a lower layer DPLPMTUD SHOULD only be performed once - between a pair of endpoints. A PL MUST adjust the MPS indicated by - DPLPMTUD to account for any additional overhead introduced by the PL. + DPLPMTUD SHOULD only be performed at one layer between a pair of + endpoints. Therefore, an upper PL or application should avoid using + DPLPMTUD when this is already enabled in a lower layer. A PL MUST + adjust the MPS indicated by DPLPMTUD to account for any additional + overhead introduced by the PL. +----------------------+ | Application* | +-----+------------+---+ | | +---+--+ +--+--+ | QUIC*| |SCTP*| +---+--+ +-+-+-+ | | | +---+ +----+ | @@ -976,98 +988,100 @@ DPLPMTUD. 5.1.1. Timers The method utilizes up to three timers: PROBE_TIMER: The PROBE_TIMER is configured to expire after a period longer than the maximum time to receive an acknowledgment to a probe packet. This value MUST NOT be smaller than 1 second, and SHOULD be larger than 15 seconds. Guidance on selection of the - timer value are provided in section 3.1.1 of the UDP Usage - Guidelines [RFC8085]. + timer value are provided in Section 3.1.1 of the UDP Usage + Guidelines [BCP145]. PMTU_RAISE_TIMER: The PMTU_RAISE_TIMER is configured to the period a sender will continue to use the current PLPMTU, after which it re- enters the Search phase. This timer has a period of 600 seconds, as recommended by PLPMTUD [RFC4821]. DPLPMTUD MAY inhibit sending probe packets when no application data has been sent since the previous probe packet. A PL preferring to use an up-to-date PMTU once user data is sent again, can choose to continue PMTU discovery for each path. However, - this could result in sending additional packets. + this will result in sending additional packets. CONFIRMATION_TIMER: When an acknowledged PL is used, this timer MUST NOT be used. For other PLs, the CONFIRMATION_TIMER is configured to the period a PL sender waits before confirming the current PLPMTU is still supported. This is less than the PMTU_RAISE_TIMER and used to decrease the PLPMTU (e.g., when a black hole is encountered). Confirmation needs to be frequent enough when data is flowing that the sending PL does not black hole extensive amounts of traffic. Guidance on selection of the timer value are - provided in section 3.1.1 of the UDP Usage Guidelines [RFC8085]. + provided in Section 3.1.1 of the UDP Usage Guidelines [BCP145]. DPLPMTUD MAY inhibit sending probe packets when no application data has been sent since the previous probe packet. A PL preferring to use an up-to-date PMTU once user data is sent again, can choose to continue PMTU discovery for each path. However, this could result in sending additional packets. - The various timers could be implemented using a single timer + DPLPMTD specifies various timers, however an implementation could + choose to realise these timer functions using a single timer. 5.1.2. Constants The following constants are defined: MAX_PROBES: The MAX_PROBES is the maximum value of the PROBE_COUNT counter (see Section 5.1.3). MAX_PROBES represents the limit for the number of consecutive probe attempts of any size. Search algorithms benefit from a MAX_PROBES value greater than 1 because this can provide robustness to isolated packet loss. The default value of MAX_PROBES is 3. - MIN_PLPMTU: The MIN_PLPMTU is the smallest allowed probe packet - size. For IPv6, this value is 1280 bytes, as specified in - [RFC8200]. For IPv4, the minimum value is 68 bytes. - - Note: An IPv4 router is required to be able to forward a datagram - of 68 bytes without further fragmentation. This is the combined - size of an IPv4 header and the minimum fragment size of 8 bytes. - In addition, receivers are required to be able to reassemble - fragmented datagrams at least up to 576 bytes, as stated in - section 3.3.3 of [RFC1122]. + MIN_PLPMTU: The MIN_PLPMTU is the smallest size of PLPMTU that + DPLPMTUD will attempt to use. For IPv6, this size is greater than + or equal to the size at the PL that results in an 1280 byte IPv6 + packet, as specified in [RFC8200]. For IPv4, this size is greater + than or equal to the size at the PL that results in an 68 byte + IPv4 packet. Note: An IPv4 router is required to be able to + forward a datagram of 68 bytes without further fragmentation. + This is the combined size of an IPv4 header and the minimum + fragment size of 8 bytes. In addition, receivers are required to + be able to reassemble fragmented datagrams at least up to 576 + bytes, as stated in section 3.3.3 of [RFC1122]. MAX_PLPMTU: The MAX_PLPMTU is the largest size of PLPMTU. This has to be less than or equal to the maximum size of the PL packet that can be sent on the outgoing interface (constrained by the local interface MTU). When known, this also ought to be less than the maximum size of PL packet that can be received by the remote endpoint (constrained by EMTU_R). It can be limited by the design or configuration of the PL being used. An application, or PL, MAY choose a smaller MAX_PLPMTU when there is no need to send packets larger than a specific size. BASE_PLPMTU: The BASE_PLPMTU is a configured size expected to work for most paths. The size is equal to or larger than the - MIN_PLPMTU and smaller than the MAX_PLPMTU. In the case of IPv6, - this value is derived from the IPv6 minimum link MTU of 1280 bytes - [RFC8200]. When using IPv4, there is no currently equivalent size - specified and a default BASE_PLPMTU of 1200 bytes is RECOMMENDED. + MIN_PLPMTU and smaller than the MAX_PLPMTU. For most PLs a + suitable BASE_PLPMTU will be larger than 1200 bytes. When using + IPv4, there is no currently equivalent size specified and a + default BASE_PLPMTU of 1200 bytes is RECOMMENDED. 5.1.3. Variables This method utilizes a set of variables: - PROBED_SIZE: The PROBED_SIZE is the size of the current probe - packet. This is a tentative value for the PLPMTU, which is - awaiting confirmation by an acknowledgment. + PROBED_SIZE: The PROBED_SIZE is the size of the current probe packet + as determined at the PL. This is a tentative value for the + PLPMTU, which is awaiting confirmation by an acknowledgment. PROBE_COUNT: The PROBE_COUNT is a count of the number of successive unsuccessful probe packets that have been sent. Each time a probe packet is acknowledged, the value is set to zero. (Some probe loss is expected while searching, therefore loss of a single probe is not an indication of a PMTU problem.) The figure below illustrates the relationship between the packet size constants and variables at a point of time when the DPLPMTUD algorithm performs path probing to increase the size of the PLPMTU. @@ -1114,25 +1128,25 @@ | expired | | completed | | | | | v | +-----------------+ +---| Search Complete | +-----------------+ Figure 4: DPLPMTUD Phases Base: The Base Phase confirms connectivity to the remote peer using - packets of the BASE_PLPMTU. This phase is implicit for a - connection-oriented PL (where it can be performed in a PL - connection handshake). A connectionless PL sends a probe packet - and uses acknowledgment of this probe packet to confirm that the - remote peer is reachable. + packets of the BASE_PLPMTU. The confirmation of connectivity is + implicit for a connection-oriented PL (where it can be performed + in a PL connection handshake). A connectionless PL sends a probe + packet and uses acknowledgment of this probe packet to confirm + that the remote peer is reachable. The sender also confirms that BASE_PLPMTU is supported across the network path. This may be achieved using a PL mechanism (e.g., using a handshake packet of size BASE_PLPMTU), or by sending a probe packet of size BASE_PLPMTU and confirming that this is received. A probe packet of size BASE_PLPMTU can be sent immediately on the initial entry to the Base Phase (following a connectivity check). A PL that does not wish to support a path with a PLPMTU less than @@ -1193,51 +1207,51 @@ Note: Not all changes are shown to simplify the diagram. | | | Start | PL indicates loss | | of connectivity v v +---------------+ +---------------+ | DISABLED | | ERROR | +---------------+ PROBE_TIMER expiry: +---------------+ | PL indicates PROBE_COUNT = MAX_PROBES or ^ | - | connectivity PTB: PLPTB_SIZE < BASE_PLPMTU | | + | connectivity PTB: PL_PTB_SIZE < BASE_PLPMTU | | +--------------------+ +---------------+ | | | | v | BASE_PLPMTU Probe | +---------------+ acked | - | BASE |----------------------+ + | BASE |--------------------->+ +---------------+ | ^ | ^ ^ | Black hole detected | | | | Black hole detected | +--------------------+ | | +--------------------+ | | +----+ | | | PROBE_TIMER expiry: | | | PROBE_COUNT < MAX_PROBES | | | | | | PMTU_RAISE_TIMER expiry | | | +-----------------------------------------+ | | | | | | | | | v | v +---------------+ +---------------+ |SEARCH_COMPLETE| | SEARCHING | +---------------+ +---------------+ | ^ ^ | | ^ | | | | | | | | +-----------------------------------------+ | | | | MAX_PLPMTU Probe acked or | | | | PROBE_TIMER expiry: PROBE_COUNT = MAX_PROBES or | | - +----+ PTB: PLPTB_SIZE = PLPMTU +----+ + +----+ PTB: PL_PTB_SIZE = PLPMTU +----+ CONFIRMATION_TIMER expiry: PROBE_TIMER expiry: PROBE_COUNT < MAX_PROBES or PROBE_COUNT < MAX_PROBES or PLPMTU Probe acked Probe acked or PTB: - PLPMTU < PLPTB_SIZE < PROBED_SIZE + PLPMTU < PL_PTB_SIZE < PROBED_SIZE Figure 5: State machine for Datagram PLPMTUD The following states are defined: DISABLED: The DISABLED state is the initial state before probing has started. It is also entered from any other state, when the PL indicates loss of connectivity. This state is left once the PL indicates connectivity to the remote PL. When transitioning to the BASE state, a probe packet of size BASE_PLPMTU can be sent @@ -1326,24 +1340,23 @@ path. The method discovers the search range by confirming the minimum PLPMTU and then using the probe method to select a PROBED_SIZE less than or equal to MAX_PLPMTU. MAX_PLPMTU is the minimum of the local MTU and EMTU_R (when this is learned from the remote endpoint). The MAX_PLPMTU MAY be reduced by an application that sets a maximum to the size of datagrams it will send. The PROBE_COUNT is initialized to zero when the first probe with a - size greater than or equal to PLPMTUD is sent. A timer is used to - trigger the sending of probe packets of size PROBED_SIZE, larger than - the PLPMTU. Each probe packet successfully sent to the remote peer - is confirmed by acknowledgment at the PL, see Section 4.1. + size greater than or equal to PLPMTUD is sent. Each probe packet + successfully sent to the remote peer is confirmed by acknowledgment + at the PL, see Section 4.1. Each time a probe packet is sent to the destination, the PROBE_TIMER is started. The timer is canceled when the PL receives acknowledgment that the probe packet has been successfully sent across the path Section 4.1. This confirms that the PROBED_SIZE is supported, and the PROBED_SIZE value is then assigned to the PLPMTU. The search algorithm can continue to send subsequent probe packets of an increasing size. If the timer expires before a probe packet is acknowledged, the probe @@ -1414,41 +1427,41 @@ 6.1. Application support for DPLPMTUD with UDP or UDP-Lite The current specifications of UDP [RFC0768] and UDP-Lite [RFC3828] do not define a method in the RFC-series that supports PLPMTUD. In particular, the UDP transport does not provide the transport features needed to implement datagram PLPMTUD. The DPLPMTUD method can be implemented as a part of an application built directly or indirectly on UDP or UDP-Lite, but relies on - higher-layer protocol features to implement the method [RFC8085]. + higher-layer protocol features to implement the method [BCP145]. Some primitives used by DPLPMTUD might not be available via the Datagram API (e.g., the ability to access the PLPMTU from the IP layer cache, or interpret received PTB messages). In addition, it is recommended that PMTU discovery is not performed by multiple protocol layers. An application SHOULD avoid using DPLPMTUD when the underlying transport system provides this - capability. To use common method for managing the PLPMTU has - benefits, both in the ability to share state between different - processes and opportunities to coordinate probing. + capability. A common method for managing the PLPMTU has benefits, + both in the ability to share state between different processes and + opportunities to coordinate probing for different PL instances. 6.1.1. Application Request An application needs an application-layer protocol mechanism (such as a message acknowledgment method) that solicits a response from a destination endpoint. The method SHOULD allow the sender to check the value returned in the response to provide additional protection - from off-path insertion of data [RFC8085]. Suitable methods include - a parameter known only to the two endpoints, such as a session ID or + from off-path insertion of data [BCP145]. Suitable methods include a + parameter known only to the two endpoints, such as a session ID or initialized sequence number. 6.1.2. Application Response An application needs an application-layer protocol mechanism to communicate the response from the destination endpoint. This response could indicate successful reception of the probe across the path, but could also indicate that some (or all packets) have failed to reach the destination. @@ -1470,82 +1483,89 @@ 6.1.5. Validating the Path An application that does not have other higher-layer information confirming correct delivery of datagrams SHOULD implement the CONFIRMATION_TIMER to periodically send probe packets while in the SEARCH_COMPLETE state. 6.1.6. Handling of PTB Messages An application that is able and wishes to receive PTB messages MUST - perform ICMP validation as specified in Section 5.2 of [RFC8085]. + perform ICMP validation as specified in Section 5.2 of [BCP145]. This requires that the application checks each received PTB message to validate that it was is received in response to transmitted traffic and that the reported PL_PTB_SIZE is less than the current probed size (see Section 4.6.2). A validated PTB message MAY be used as input to the DPLPMTUD algorithm, but MUST NOT be used directly to set the PLPMTU. 6.2. DPLPMTUD for SCTP Section 10.2 of [RFC4821] specified a recommended PLPMTUD probing - method for SCTP and Section 7.3 of [RFC4960] and recommended an - endpoint apply the techniques in RFC4821 on a per-destination-address - basis. The specification for DPLPMTUD continues the practice of - using the PL to discover the PMTU, but updates, RFC4960 with a - recommendation to use the method specified in this document: The - RECOMMENDED method for generating probes is to add a chunk consisting - only of padding to an SCTP message. The PAD chunk defined in - [RFC4820] SHOULD be attached to a minimum length HEARTBEAT (HB) chunk - to build a probe packet. This enables probing without affecting the - transfer of user messages and without being limited by congestion - control or flow control. This is preferred to using DATA chunks - (with padding as required) as path probes. + method for SCTP and Section 7.3 of [RFC4960] recommended an endpoint + apply the techniques in RFC4821 on a per-destination-address basis. + The specification for DPLPMTUD continues the practice of using the PL + to discover the PMTU, but updates, RFC4960 with a recommendation to + use the method specified in this document: The RECOMMENDED method for + generating probes is to add a chunk consisting only of padding to an + SCTP message. The PAD chunk defined in [RFC4820] SHOULD be attached + to a minimum length HEARTBEAT (HB) chunk to build a probe packet. + This enables probing without affecting the transfer of user messages + and without being limited by congestion control or flow control. + This is preferred to using DATA chunks (with padding as required) as + path probes. Section 6.9 of [RFC4960] describes dividing the user messages into data chunks sent by the PL when using SCTP. This notes that once an SCTP message has been sent, it cannot be re-segmented. [RFC4960] describes the method to retransmit data chunks when the MPS has - reduced, and the use of IP fragmentation for this case. + reduced, and the use of IP fragmentation for this case. This is + unchanged by this document. 6.2.1. SCTP/IPv4 and SCTP/IPv6 6.2.1.1. Initial Connectivity The base protocol is specified in [RFC4960]. This provides an acknowledged PL. A sender can therefore enter the BASE state as soon as connectivity has been confirmed. 6.2.1.2. Sending SCTP Probe Packets Probe packets consist of an SCTP common header followed by a HEARTBEAT chunk and a PAD chunk. The PAD chunk is used to control the length of the probe packet. The HEARTBEAT chunk is used to trigger the sending of a HEARTBEAT ACK chunk. The reception of the HEARTBEAT ACK chunk acknowledges reception of a successful probe. A successful probe updates the association and path counters, but an unsuccessful probe is discounted (assumed to be a result of choosing too large a PLPMTU). - The HEARTBEAT chunk carries a Heartbeat Information parameter which - includes, besides the information suggested in [RFC4960], the probe - size, which is the size of the complete datagram. The size of the - PAD chunk is therefore computed by reducing the probing size by the - IPv4 or IPv6 header size, the SCTP common header, the HEARTBEAT - request and the PAD chunk header. The payload of the PAD chunk - contains arbitrary data. + The SCTP sender needs to be able to determine the total size of a + probe packet. The HEARTBEAT chunk could carry a Heartbeat + Information parameter that includes, besides the information + suggested in [RFC4960], the probe size to help an implementation + associate a HEARTBEAT-ACK with the size of probe that was sent. The + sender could also use other methods, such as sending a nonce and + verifying the information returned also contains the corresponding + nonce. The length of the PAD chunk is computed by reducing the + probing size by the size of the SCTP common header and the HEARTBEAT + chunk. The payload of the PAD chunk contains arbitrary data. When + transmitted at the IP layer, the PMTU size also includes the IPv4 or + IPv6 header(s). - Probing starts directly after the PL handshake, before data is sent. - Assuming this behavior (i.e., the PMTU is smaller than or equal to - the interface MTU), this process will take several round trip time - periods, dependent on the number of DPLPMTUD probes sent. The - Heartbeat timer can be used to implement the PROBE_TIMER. + Probing can start directly after the PL handshake, this can be done + before data is sent. Assuming this behavior (i.e., the PMTU is + smaller than or equal to the interface MTU), this process will take + several round trip time periods, dependent on the number of DPLPMTUD + probes sent. The Heartbeat timer can be used to implement the + PROBE_TIMER. 6.2.1.3. Validating the Path with SCTP Since SCTP provides an acknowledged PL, a sender MUST NOT implement the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 6.2.1.4. PTB Message Handling by SCTP Normal ICMP validation MUST be performed as specified in Appendix C of [RFC4960]. This requires that the first 8 bytes of the SCTP @@ -1556,41 +1576,42 @@ from the PTB_SIZE reported in the PTB message SHOULD be used with the DPLPMTUD algorithm, providing that the reported PL_PTB_SIZE is less than the current probe size (see Section 4.6). 6.2.2. DPLPMTUD for SCTP/UDP The UDP encapsulation of SCTP is specified in [RFC6951]. This specification updates the reference to RFC 4821 in section 5.6 of RFC 6951 to refer to XXXTHISRFCXXX. RFC 6951 is updated by - addition of the following sentence is to be added at the end of - section 5.6: "The RECOMMENDED method for determining the MTU of the - path is specified in XXXTHISRFCXXX". + addition of the following sentence at the end of section 5.6: "The + RECOMMENDED method for determining the MTU of the path is specified + in XXXTHISRFCXXX". XXX RFC EDITOR - please replace XXXTHISRFCXXX when published XXX 6.2.2.1. Initial Connectivity A sender can enter the BASE state as soon as SCTP connectivity has been confirmed. 6.2.2.2. Sending SCTP/UDP Probe Packets Packet probing can be performed as specified in Section 6.2.1.2. The - maximum payload is reduced by 8 bytes, which has to be considered - when filling the PAD chunk. + size of the probe packet includes the 8 bytes of UDP Header. This + has to be considered when filling the probe packet with the PAD + chunk. 6.2.2.3. Validating the Path with SCTP/UDP - Since SCTP provides an acknowledged PL, a sender MUST NOT implement - the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. + SCTP provides an acknowledged PL, therefore a sender does not + implement the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 6.2.2.4. Handling of PTB Messages by SCTP/UDP ICMP validation MUST be performed for PTB messages as specified in Appendix C of [RFC4960]. This requires that the first 8 bytes of the SCTP common header are contained in the PTB message, which can be the case for ICMPv4 (but note the UDP header also consumes a part of the quoted packet header) and is normally the case for ICMPv6. When the validation is completed, the PL_PTB_SIZE calculated from the PTB_SIZE in the PTB message SHOULD be used with the DPLPMTUD providing that @@ -1605,31 +1626,36 @@ XXX RFC EDITOR - please replace XXXTHISRFCXXX when published XXX 6.2.3.1. Initial Connectivity A sender can enter the BASE state as soon as SCTP connectivity has been confirmed. 6.2.3.2. Sending SCTP/DTLS Probe Packets - Packet probing can be done, as specified in Section 6.2.1.2. + Packet probing can be done, as specified in Section 6.2.1.2. The + maximum payload is reduced by the size of the DTLS headers, which has + to be considered when filling the PAD chunk. The size of the probe + packet includes the DTLS PL headers. This has to be considered when + filling the probe packet with the PAD chunk. 6.2.3.3. Validating the Path with SCTP/DTLS Since SCTP provides an acknowledged PL, a sender MUST NOT implement the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 6.2.3.4. Handling of PTB Messages by SCTP/DTLS [RFC4960] does not specify a way to validate SCTP/DTLS ICMP message - payload. This can prevent processing of PTB messages at the PL. + payload and neither does this document. This can prevent processing + of PTB messages at the PL. 6.3. DPLPMTUD for QUIC QUIC [I-D.ietf-quic-transport] is a UDP-based transport that provides reception feedback. The UDP payload includes the QUIC packet header, protected payload, and any authentication fields. QUIC depends on a PMTU of at least 1280 bytes. Section 14 of [I-D.ietf-quic-transport] describes the path considerations when sending QUIC packets. It recommends the use of @@ -1647,41 +1673,43 @@ ceases to send QUIC packets on the affected path. This could result in termination of the connection if an alternative path cannot be found [I-D.ietf-quic-transport]. 6.3.1. Initial Connectivity The base protocol is specified in [I-D.ietf-quic-transport]. This provides an acknowledged PL. A sender can therefore enter the BASE state as soon as connectivity has been confirmed. + QUIC provides an acknowledged PL, a sender can therefore enter the + BASE state as soon as connectivity has been confirmed. + 6.3.2. Sending QUIC Probe Packets - A probe packet consists of a QUIC Header and a payload containing - PADDING Frames and a PING Frame. PADDING Frames are a single octet - (0x00) and several of these can be used to create a probe packet of - size PROBED_SIZE. QUIC provides an acknowledged PL, a sender can - therefore enter the BASE state as soon as connectivity has been - confirmed. + Probe packets consist of a QUIC Header and a payload containing a + PING Frame and multiple PADDING Frames. A PADDING Frame is + represented by a single octet (0x00). Several PADDING Frames are + used together to control the length of the probe packet. The PING + Frame is used to trigger generation of an acknowledgement. The current specification of QUIC sets the following: * BASE_PLPMTU: A QUIC sender pads initial packets to confirm the path can support packets of the required size, which sets the BASE_PLPMTU and MIN_PLPMTU. * MIN_PLPMTU: A QUIC sender that determines the MIN_PLPMTU has fallen MUST immediately stop sending on the affected path. 6.3.3. Validating the Path with QUIC - QUIC provides an acknowledged PL. A sender therefore MUST NOT + QUIC provides an acknowledged PL, therefore a sender does not implement the CONFIRMATION_TIMER while in the SEARCH_COMPLETE state. 6.3.4. Handling of PTB Messages by QUIC QUIC validates ICMP PTB messages. In addition to UDP Port validation, QUIC can validate an ICMP message by using other PL information (e.g., validation of connection identifiers (CIDs) in the quoted packet of any received ICMP message). 7. Acknowledgments @@ -1708,38 +1736,40 @@ To avoid excessive load, the interval between individual probe packets MUST be at least one RTT, and the interval between rounds of probing is determined by the PMTU_RAISE_TIMER. A PL sender needs to ensure that the method used to confirm reception of probe packets protects from off-path attackers injecting packets into the path. This protection is provided in IETF-defined protocols (e.g., TCP, SCTP) using a randomly-initialized sequence number. A description of one way to do this when using UDP is provided in - section 5.1 of [RFC8085]). + section 5.1 of [BCP145]). There are cases where ICMP Packet Too Big (PTB) messages are not delivered due to policy, configuration or equipment design (see Section 1.1). This method therefore does not rely upon PTB messages being received, but is able to utilize these when they are received by the sender. PTB messages could potentially be used to cause a node to inappropriately reduce the PLPMTU. A node supporting DPLPMTUD MUST therefore appropriately validate the payload of PTB messages to ensure these are received in response to transmitted traffic (i.e., a reported error condition that corresponds to a datagram actually sent by the path layer, see Section 4.6.1). An on-path attacker able to create a PTB message could forge PTB messages that include a valid quoted IP packet. Such an attack could - be used to drive down the PLPMTU. There are two ways this method can - be mitigated against such attacks: First, by ensuring that a PL - sender never reduces the PLPMTU below the base size, solely in + be used to drive down the PLPMTU. An on-path device could similarly + force a reduction of the PLPMTU by implementing a policy that drops + packets larger than a configured size. There are two ways this + method can be mitigated against such attacks: First, by ensuring that + a PL sender never reduces the PLPMTU below the base size, solely in response to receiving a PTB message. This is achieved by first entering the BASE state when such a message is received. Second, the design does not require processing of PTB messages, a PL sender could therefore suspend processing of PTB messages (e.g., in a robustness mode after detecting that subsequent probes actually confirm that a size larger than the PTB_SIZE is supported by a path). Parsing the quoted packet inside a PTB message can introduce addional per-packet processing at the PL sender. This processing SHOULD be limited to avoid a denial of service attack when arbitrary headers @@ -1753,44 +1783,42 @@ hole data by indicating a size larger than supported by the path. It is possible that the information about a path is not stable. This could be a result of forwarding across more than one path that has a different actual PMTU or a single path presents a varying PMTU. The design of a PLPMTUD implementation SHOULD consider how to mitigate the effects of varying path information. One possible mitigation is to provide robustness (see Section 5.4) in the method that avoids oscillation in the MPS. - A node performing DPLPMTUD could experience conflicting information - about the size of supported probe packets. This could occur when - multiple paths are concurrently in use and these exhibit a different - PMTU. If not considered, this could result in packets not being - delivered (black holed) when the PLPMTU results in a packet larger - than the smallest actual PMTU. - DPLPMTUD methods can introduce padding data to inflate the length of the datagram to the total size required for a probe packet. The total size of a probe packet includes all headers and padding added to the payload data being sent (e.g., including security-related fields such as an AEAD tag and TLS record layer padding). The value of the padding data does not influence the DPLPMTUD search algorithm, and therefore needs to be set consistent with the policy of the PL. If a PL can make use of cryptographic confidentiality or data- integrity mechanisms, then the design ought to avoid adding anything (e.g., padding) to DPLPMTUD probe packets that is not also protected by those cryptographic mechanisms. 10. References 10.1. Normative References + [BCP145] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage + Guidelines", BCP 145, RFC 8085, March 2017. + + + [I-D.ietf-quic-transport] Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed and Secure Transport", Work in Progress, Internet-Draft, draft-ietf-quic-transport-27, 21 February 2020, . [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI 10.17487/RFC0768, August 1980, . @@ -1821,24 +1849,20 @@ [RFC4960] Stewart, R., Ed., "Stream Control Transmission Protocol", RFC 4960, DOI 10.17487/RFC4960, September 2007, . [RFC6951] Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream Control Transmission Protocol (SCTP) Packets for End-Host to End-Host Communication", RFC 6951, DOI 10.17487/RFC6951, May 2013, . - [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage - Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, - March 2017, . - [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", STD 86, RFC 8200, DOI 10.17487/RFC8200, July 2017, . [RFC8201] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., @@ -2116,20 +2141,28 @@ * Updated text and address nits from OPSDIR, ART and IESG reviews. * Order PTB processing based on PL_PTB_SIZE Working group draft -19: * Updated text and address nits based on comments from Tim Chown and Murray S. Kucherawy. + Working group draft -20: + + * Address nits and comments from IESG + + * Refer to BCP 145 rather than RFC 8085 in most places. + + * Update probing method text for SCTP and QUIC. + Authors' Addresses Godred Fairhurst University of Aberdeen School of Engineering Fraser Noble Building Aberdeen AB24 3UE United Kingdom