Internet Engineering Task Force                              G. Fairhurst
Internet-Draft                                                   T. Jones
Intended status: Standards Track                   University of Aberdeen
Expires: May 3, 2018                                            M. Tuexen
                                                             I. Ruengeler
                                  Muenster University of Applied Sciences
                                                         October 30, 2017
Packetization Layer Path MTU Discovery for Datagram Transports
draft-fairhurst-tsvwg-datagram-plpmtud-01.txt
This document describes a robust method for Path MTU Discovery (PMTUD) for datagram packetization layers. It allows these layers to probe an Internet path with progressively larger packets to determine a maximum packet size. This method is described as an extension to RFC 1191 and RFC 8201, which specify ICMP-based Path MTU Discovery for IP versions 4 and 6. The document provides functionality for datagram transports that is equivalent to the packetization layer PMTUD specification for TCP, specified in RFC 4821.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 3, 2018.
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The IETF has specified datagram transport using UDP, SCTP, SCTP/UDP, DCCP, and DCCP/UDP, as well as protocols layered on top of these transports.
Classical Path Maximum Transmission Unit Discovery (PMTUD) can be used with any transport that is able to process ICMP Packet Too Big (PTB) messages (e.g., [RFC1191] and [RFC8201]). It adjusts the effective Path MTU (PMTU) based on the reception of ICMP PTB messages: the PMTU is decreased when a packet is sent with a size larger than the value supported along a path, and a method is used that from time to time increases the packet size in an attempt to discover an increase in the supported PMTU.
However, Classical PMTUD is subject to protocol failures. One failure arises when traffic using a packet size larger than the actual supported PMTU is blackholed (silently discarded). This may happen when ICMP PTB messages are not delivered back to the sender for some reason [RFC2923]. For example, ICMP messages are increasingly filtered by middleboxes (including firewalls) [RFC4890], and may not be correctly processed by tunnel endpoints.
Another failure could result if a system not on the path sends a PTB that attempts to force the sender to change the effective PMTU [RFC8201]. A sender could protect itself by using the quoted packet within the PTB message payload to verify that the received PTB message was generated in response to a packet that had actually been sent. However, there are situations where a sender is unable to provide this verification (e.g., when the PTB message does not include sufficient information, often the case for IPv4; or where the information corresponds to an encrypted packet). At the network layer there also could be insufficient context to perform this verification, which depends on information about the active transport flows (e.g., the socket/address pairs being used, and other protocol header information). This verification is more straightforward at the Packetization Layer (PL) or a higher layer.
The term Packetization Layer has been introduced to describe the layer that is responsible for placing data blocks into the payload of packets and selecting an appropriate maximum packet size. This function is often performed by a transport protocol, but can also be performed by other encapsulation methods working below the application.
In contrast to PMTUD, Packetization Layer Path MTU Discovery (PLPMTUD) [RFC4821] does not rely upon reception and verification of PTB messages. It is therefore more robust than Classical PMTUD. This has become the recommended approach for implementing PMTU discovery with TCP. It uses a general strategy where the PL searches for an appropriate PMTU by sending probe packets along the network path with a progressively larger packet size. If a probe packet is successfully delivered (as determined by the PL), then the effective Path MTU is raised to the probe size.
PLPMTUD introduces flexibility in the implementation of PMTU discovery. At one extreme, it can be configured to only perform PTB black hole recovery to increase the robustness of Classical PMTUD, or at the other extreme, all PTB processing can be disabled and PLPMTUD can completely replace Classical PMTUD. PLPMTUD can also include additional consistency checks without increasing the risk of blackholing.
The UDP-Guidelines [RFC8085] state that "an application SHOULD either use the path MTU information provided by the IP layer or implement Path MTU Discovery (PMTUD)", but do not provide a mechanism for discovering the largest size of unfragmented datagram that can be used on a path. PLPMTUD has not currently been specified for UDP. Section 10.2 of [RFC4821] recommends a PLPMTUD probing method for SCTP that utilises heartbeat messages as packet probes, but does not provide a complete specification. This document provides the details to complete that specification. Similarly, the method defined in this specification could be used with the Datagram Congestion Control Protocol (DCCP) [RFC4340]. DCCP requires implementations to support Classical PMTUD and states that a DCCP sender "MUST maintain the maximum packet size (MPS) allowed for each active DCCP session". It also defines the current congestion control maximum packet size (CCMPS) supported by a path. [RFC4340] recommends use of PMTUD, and suggests use of control packets (DCCP-Sync) as path probe packets, because they do not risk application data loss. This document also contains information that enables the implementation of PLPMTUD with other datagram transports.
Section 4 of this document presents a set of algorithms for datagram protocols to discover a maximum size for the effective PMTU across a path. The methods described rely on features of the PL (Section 3) and apply to transport protocols over IPv4 and IPv6. The method does not require cooperation from the lower layers (except that they are consistent about which packet sizes are acceptable). It can utilise PTB messages when these are available.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Other terminology is directly copied from [RFC4821], and the definitions in [RFC1122].
TCP PLPMTUD has been defined using standard TCP protocol mechanisms. All of the requirements in [RFC4821] also apply to use of the technique with a datagram PL. Unlike TCP, some datagram PLs require additional mechanisms to implement PLPMTUD.
There are ten requirements for performing the datagram PLPMTUD method described in this specification:
In addition the following design principles are stated:
PMTU discovery relies upon the sender being able to generate probe messages with a specific size. TCP is able to generate probe packets by choosing to appropriately segment data being sent [RFC4821].
In contrast, datagram PLs either have to request an application to send a data block with a specified size, or utilise padding functions to extend the datagram beyond the size of the application data block. Protocols that permit exchange of control messages (without an application data block) could alternatively prefer to generate a probe packet by extending a control message with padding data.
When the method fails to validate the PMTU for the path, the required size of a probe packet may need to be smaller than the size of the data block generated by an application. In this case, the PL could provide a way to fragment a datagram at the PL, or could instead utilise a control packet with padding.
A receiver needs to be able to distinguish in-band data from any added padding, and to ensure that any added padding is not passed to an application at the receiver.
This results in three ways that a sender can create a probe packet:
The PL needs a method to determine when packet probes have been successfully received end-to-end across a network path.
Transport protocols can include end-to-end methods that detect and report reception of specific datagrams that they send (e.g., DCCP and SCTP provide keep-alive/heartbeat features). These can also be used by PLPMTUD to acknowledge reception of a probe packet.
A PL that does not acknowledge data reception (e.g., UDP and UDP-Lite) is unable to detect when the packets it sends are discarded because their size is greater than the actual PMTU. These PLs need to either rely on the application protocol to detect this, or use an additional transport method such as UDP-Options [I-D.ietf-tsvwg-udp-options], and then need to send a reachability probe (e.g., periodically solicit a response) to determine if the current effective PMTU is still supported by the network path.
PMTU discovery can also utilise PTB messages to detect when the actual PMTU supported by a network path is less than the current size of datagrams that are being sent.
When the current effective PMTU is no longer supported by the network path, the transport needs to detect this and reduce the effective PMTU.
This section specifies Datagram PLPMTUD.
The central idea of PLPMTU discovery is probing by a sender. Probe packets of increasing size are sent to find out the maximum size of a user message that is completely transferred across the network path from the sender to the destination. If a PTB message is received from a router or middlebox, this information ought to be verified and SHOULD be used. Using PTB messages can improve performance compared to a method that relies solely on probing.
The PLPMTUD method utilises a timer to trigger the generation of probe packets. The PROBE_TIMER is started each time a probe packet is sent to the destination and is cancelled when receipt of the probe packet is acknowledged. Each time the PROBE_TIMER expires, PROBE_COUNT is incremented and the probe packet is retransmitted. PROBE_COUNT is initialised to zero when a probe packet is first sent with a particular size. The maximum number of transmissions per probing size is configured (MAX_PROBES). If the value of PROBE_COUNT reaches MAX_PROBES, probing is stopped and the last successfully probed PMTU is set as the effective PMTU.
Once probing is completed, the sender continues to use the effective PMTU until either a PTB message is received or the PMTU_RAISE_TIMER expires. If the PL is unable to verify reachability to the destination endpoint after probing has completed, the method uses a REACHABILITY_TIMER to periodically repeat a probe packet of the current effective PMTU size while the PMTU_RAISE_TIMER is running. If the resulting probe packet is not acknowledged (i.e., the PROBE_TIMER expires), the method restarts probing for the PMTU.
This method utilises three timers:
An implementation could implement the various timers using a single timer process.
The following constants are defined:
This method utilises a set of variables:
A state machine for Datagram PLPMTUD is depicted in Figure 1. If multihoming is supported, a state machine is needed for each active path.
[Figure 1: the ASCII state diagram did not survive extraction. The transitions labelled in it are listed instead.]

   PROBE_NONE   -> PROBE_BASE    Connectivity confirmed
   PROBE_BASE   -> PROBE_BASE    PROBE_TIMER expiry (PROBE_COUNT < MAX_PROBES)
   PROBE_BASE   -> PROBE_SEARCH  Probe acked
   PROBE_BASE   -> PROBE_DONE    MAX_PMTU acked
   PROBE_BASE   -> PROBE_ERROR   PTB (PTB_SIZE < BASE_PMTU) or
                                 PROBE_TIMER expiry (PROBE_COUNT = MAX_PROBES)
   PROBE_ERROR  -> PROBE_ERROR   PROBE_TIMER expiry (PROBE_COUNT < MAX_PROBES)
   PROBE_ERROR  -> PROBE_SEARCH  Probe acked
   PROBE_SEARCH -> PROBE_SEARCH  Probe acked (below MAX_PMTU) or
                                 PROBE_TIMER expiry (PROBE_COUNT < MAX_PROBES)
   PROBE_SEARCH -> PROBE_DONE    MAX_PMTU acked or
                                 PROBE_TIMER expiry (PROBE_COUNT = MAX_PROBES)
   PROBE_DONE   -> PROBE_DONE    Reachability probe acked
   PROBE_DONE   -> PROBE_BASE    PMTU_RAISE_TIMER expiry, or reachability probe
                                 unacknowledged (PROBE_COUNT = MAX_PROBES), or
                                 PTB (>= BASE_PMTU)
   (unclear)    -> PROBE_DONE    PTB (< PROBED_SIZE); the originating state is
                                 not legible in the extracted figure
Figure 1: State machine for Datagram PLPMTUD
The following states are defined to reflect the probing process.
Appendix A contains an informative description of key events:
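The following is an added example, not text or code from the draft: a Python model of the state machine in Figure 1, driven by the events named there (connectivity confirmed, probe acked, PROBE_TIMER expiry, PMTU_RAISE_TIMER and REACHABILITY_TIMER expiry, and a verified PTB). The constant values (BASE_PMTU 1280, MAX_PMTU 1500, MAX_PROBES 3), the 32-byte search step, the choice to re-probe BASE_PMTU on entering PROBE_ERROR, and the handling of a PTB smaller than PROBED_SIZE are assumptions made for the example; the draft names the constants and states but, as extracted here, does not fix those details.

```python
"""Added example (not part of the draft): the Datagram PLPMTUD state machine
of Figure 1, driven by explicit events so it can be exercised offline."""
from dataclasses import dataclass, field
from typing import List

# Constant names are the draft's; the numeric values are assumptions.
BASE_PMTU = 1280    # first size probed (IPv6 minimum link MTU)
MAX_PMTU = 1500     # largest size the sender will try
MAX_PROBES = 3      # transmissions allowed per probe size
PROBE_STEP = 32     # search increment; the draft does not fix one
PROBE_NONE, PROBE_BASE, PROBE_SEARCH, PROBE_ERROR, PROBE_DONE = (
    "PROBE_NONE", "PROBE_BASE", "PROBE_SEARCH", "PROBE_ERROR", "PROBE_DONE")


@dataclass
class PlpmtudFsm:
    state: str = PROBE_NONE
    effective_pmtu: int = 0   # last size acknowledged end-to-end
    probed_size: int = 0      # PROBED_SIZE of the outstanding probe
    probe_count: int = 0      # PROBE_COUNT for the current size
    sent: List[int] = field(default_factory=list)   # probe sizes emitted

    def _probe(self, size: int, new_size: bool = True) -> None:
        if new_size:
            self.probe_count = 0      # reset when a size is first probed
        self.probed_size = size
        self.sent.append(size)        # a real PL starts PROBE_TIMER here

    def on_connectivity_confirmed(self) -> None:
        if self.state == PROBE_NONE:
            self.state = PROBE_BASE
            self._probe(BASE_PMTU)

    def on_probe_acked(self, size: int) -> None:
        """Peer acknowledged a probe of `size` bytes; PROBE_TIMER is cancelled."""
        if size != self.probed_size:
            return                    # ack for a stale size: ignore
        self.effective_pmtu = size
        if self.state == PROBE_DONE:
            return                    # reachability probe acked: stay
        if size >= MAX_PMTU:
            self.state = PROBE_DONE   # MAX_PMTU acked
        else:                         # from BASE, ERROR or SEARCH
            self.state = PROBE_SEARCH
            self._probe(min(size + PROBE_STEP, MAX_PMTU))

    def on_probe_timer_expiry(self) -> None:
        """PROBE_TIMER expired with no acknowledgement."""
        self.probe_count += 1
        if self.probe_count < MAX_PROBES:
            self._probe(self.probed_size, new_size=False)   # retransmit
        elif self.state == PROBE_SEARCH:
            self.state = PROBE_DONE   # keep the last acknowledged size
        else:
            # BASE -> ERROR (base unconfirmed), DONE -> BASE (reachability
            # lost), ERROR stays; all re-probe BASE_PMTU (this example's choice)
            self.state = {PROBE_BASE: PROBE_ERROR, PROBE_DONE: PROBE_BASE}.get(
                self.state, PROBE_ERROR)
            self._probe(BASE_PMTU)

    def on_pmtu_raise_timer_expiry(self) -> None:
        if self.state == PROBE_DONE:  # look for a larger PMTU again
            self.state = PROBE_BASE
            self._probe(BASE_PMTU)

    def on_reachability_timer_expiry(self) -> None:
        if self.state == PROBE_DONE:  # re-probe the current effective PMTU
            self._probe(self.effective_pmtu)

    def on_ptb(self, ptb_size: int) -> None:
        """A PTB the PL has already verified reports a link MTU of ptb_size."""
        if ptb_size < BASE_PMTU:      # PTB (PTB_SIZE < BASE_PMTU)
            self.state = PROBE_ERROR
            self._probe(BASE_PMTU)
        elif self.state == PROBE_DONE and ptb_size < self.effective_pmtu:
            self.state = PROBE_BASE   # PTB (>= BASE_PMTU): re-probe the path
            self._probe(BASE_PMTU)
        elif self.state == PROBE_SEARCH and ptb_size < self.probed_size:
            # PTB (< PROBED_SIZE): the outstanding probe cannot succeed.  Using
            # the reported size to shortcut the search is an assumption here.
            if ptb_size < self.effective_pmtu:
                self.state = PROBE_BASE
                self._probe(BASE_PMTU)
            elif ptb_size == self.effective_pmtu:
                self.state = PROBE_DONE
            else:
                self._probe(ptb_size)


def search_with_blackhole(path_mtu: int) -> PlpmtudFsm:
    """Probes larger than path_mtu are silently discarded; no PTB arrives.
    With path_mtu >= MAX_PMTU every probe is acked and the search climbs to MAX_PMTU."""
    fsm = PlpmtudFsm()
    fsm.on_connectivity_confirmed()
    while fsm.state not in (PROBE_DONE, PROBE_ERROR):
        if fsm.probed_size <= path_mtu:
            fsm.on_probe_acked(fsm.probed_size)
        else:
            fsm.on_probe_timer_expiry()
    return fsm
```

search_with_blackhole(1320) reproduces the blackhole case the introduction warns about: 1280 and 1312 are acknowledged, 1344 is sent MAX_PROBES times without an answer, and the sender settles in PROBE_DONE with an effective PMTU of 1312 rather than stalling.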
This section specifies protocol-specific details for datagram PLPMTUD for IETF-specified transport protocols.
The current specifications of UDP and UDP-Lite [RFC3828] do not define a method in the RFC-series that supports PLPMTUD. In particular, these transports do not provide the transport layer features needed to implement datagram PLPMTUD.
UDP-Options [I-D.ietf-tsvwg-udp-options] supply the additional functionality required to implement datagram PLPMTUD. This enables padding to be added to UDP datagrams and can be used to provide feedback acknowledgement of received probe packets.
This subsection proposes two new UDP-Options that add support for requesting that a datagram response be sent, and for marking a datagram as a response to such a request.
<< We may define a parameter in an Option to indicate the EMTU_R to the peer.>>
The Echo Request Option allows a sending endpoint to solicit a response from a destination endpoint. The Echo Request carries a four byte token set by the sender.
+---------+--------+-----------------+
| Kind=9  | Len=6  |      Token      |
+---------+--------+-----------------+
  1 byte   1 byte        4 bytes
Figure 2: UDP ECHOREQ Option Format
The Echo Response Option is generated by the PL in response to reception of a previously received Echo Request. The Token field associates the response with the Token value carried in the most recently received Echo Request. The generation of UDP packets carrying an Echo Response Option MAY be rate-limited.
+---------+--------+-----------------+
| Kind=10 | Len=6  |      Token      |
+---------+--------+-----------------+
  1 byte   1 byte        4 bytes
Figure 3: UDP ECHORES Option Format
This method specifies a probe packet that does not carry an application data block. The probe packet consists of a UDP datagram header followed by a UDP Option containing the ECHOREQ option, which is followed by NOP Options to pad the remainder of the datagram payload. The NOP padding is used to control the length of the probe packet.
A UDP Option carrying the ECHORES option is used to provide feedback when the probe packet is received at the destination endpoint.
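As an added example (not code from this draft or from the UDP-Options draft), the following Python builds the option area of a probe datagram, parses it at the receiver, generates the ECHORES, and checks the response at the sender. Kind 9/10 and Len=6 come from Figures 2 and 3. The NOP (Kind=1) and EOL (Kind=0) values, and the assumption that a probe of a given size consists only of the IP header, the UDP header and the option area, are this editor's reading of the UDP-Options draft and should be checked against its current revision. Drawing the token from os.urandom is a deliberate choice: an off-path attacker who could guess the token could forge an ECHORES and make a blackholed size appear acknowledged.

```python
"""Added example (not from the draft): ECHOREQ/ECHORES encoding, NOP-padded
probe construction, option parsing and response matching."""
import os
import struct
from typing import List, Optional, Tuple

KIND_EOL = 0        # end of options (UDP-Options draft; assumed value)
KIND_NOP = 1        # one-byte no-operation option used as padding (assumed value)
KIND_ECHOREQ = 9    # Figure 2
KIND_ECHORES = 10   # Figure 3
ECHO_LEN = 6        # Kind + Len + 4-byte Token
UDP_HDR = 8


def new_token() -> int:
    """Unpredictable 32-bit token so responses cannot be forged off-path."""
    return int.from_bytes(os.urandom(4), "big")


def encode_echo(kind: int, token: int) -> bytes:
    """Kind(1) Len(1)=6 Token(4), network byte order."""
    return struct.pack("!BBI", kind, ECHO_LEN, token & 0xFFFFFFFF)


def build_probe_options(token: int, probe_size: int, ip_hdr: int = 40) -> bytes:
    """Option area for a probe whose IP packet is probe_size bytes and carries
    no application data: one ECHOREQ followed by NOP padding."""
    opt_area = probe_size - ip_hdr - UDP_HDR
    if opt_area < ECHO_LEN:
        raise ValueError("probe_size too small to carry an ECHOREQ option")
    return encode_echo(KIND_ECHOREQ, token) + bytes([KIND_NOP]) * (opt_area - ECHO_LEN)


def parse_options(area: bytes) -> List[Tuple[int, Optional[int]]]:
    """Walk an option area into (kind, token) pairs; token is None for options
    without one.  Malformed lengths raise instead of being skipped over."""
    out, i = [], 0
    while i < len(area):
        kind = area[i]
        if kind == KIND_EOL:
            break
        if kind == KIND_NOP:
            out.append((kind, None))
            i += 1
            continue
        if i + 2 > len(area):
            raise ValueError("truncated option header")
        length = area[i + 1]
        if length < 2 or i + length > len(area):
            raise ValueError("bad option length")
        if kind in (KIND_ECHOREQ, KIND_ECHORES):
            if length != ECHO_LEN:
                raise ValueError("echo option must be 6 bytes")
            out.append((kind, struct.unpack("!I", area[i + 2:i + 6])[0]))
        else:
            out.append((kind, None))    # unknown option: stepped over by its Len
        i += length
    return out


def echo_response_for(request_area: bytes) -> Optional[bytes]:
    """Receiver: answer the most recently received ECHOREQ with an ECHORES that
    carries the same token.  The NOP padding is never handed to the application."""
    token = None
    for kind, value in parse_options(request_area):
        if kind == KIND_ECHOREQ:
            token = value
    return None if token is None else encode_echo(KIND_ECHORES, token)


def probe_acked(sent_token: int, response_area: bytes) -> bool:
    """Sender: the probe counts as acknowledged only if an ECHORES echoes our token."""
    return any(kind == KIND_ECHORES and value == sent_token
               for kind, value in parse_options(response_area))
```

For a 1280-byte IPv6 probe the option area is 1232 bytes: the 6-byte ECHOREQ plus 1226 NOPs. The receiver's parse tolerates unknown options by stepping over them, but rejects an option whose Len runs past the datagram rather than reading beyond it.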
Since UDP is an unacknowledged PL, a sender that does not have higher-layer information confirming correct delivery of datagrams SHOULD implement the REACHABILITY_TIMER to periodically send probe packets while in the PROBE_DONE state.
Normal ICMP verification MUST be performed as specified in Section 5.2 of [RFC8085]. This requires that the PL verifies each received PTB message to check that it was received in response to transmitted traffic. A verified PTB message MAY be used as input to the PLPMTUD algorithm.
Section 10.2 of [RFC4821] specifies a recommended PLPMTUD probing method for SCTP. It recommends the use of the PAD chunk, defined in [RFC4820] to be attached to a minimum length HEARTBEAT chunk to build a probe packet. This enables probing without affecting the transfer of user messages and without interfering with congestion control. This is preferred to the use of DATA chunks (with padding as required) to serve as path probes.
<< We might define a parameter contained in the INIT and INIT ACK chunk to indicate the MTU to the peer. However, multihoming makes this a bit complex, so it might not be worth doing.>>
The base protocol is specified in [RFC4960].
Probe packets consist of an SCTP common header followed by a HEARTBEAT chunk and a PAD chunk. The PAD chunk is used to control the length of the probe packet. The HEARTBEAT chunk is used to trigger the sending of a HEARTBEAT ACK chunk. The reception of the HEARTBEAT ACK chunk acknowledges reception of a successful probe.
The HEARTBEAT chunk carries a Heartbeat Information parameter which should include, besides the information suggested in [RFC4960], the probing size, i.e., the size that the complete IP packet adds up to. The size of the PAD chunk is therefore computed by reducing the probing size by the IPv4 or IPv6 header size, the SCTP common header, the HEARTBEAT chunk and the PAD chunk header. The payload of the PAD chunk contains arbitrary data.
To avoid the fragmentation of retransmitted data, probing starts right after the handshake before data is sent. Assuming normal behaviour (i.e., the PMTU is smaller than or equal to the interface MTU), this process will take a few RTTs depending on the number of PMTU sizes probed. The Heartbeat timer can be used to implement the PROBE_TIMER.
Since SCTP provides an acknowledged PL, a sender MUST NOT implement the REACHABILITY_TIMER while in the PROBE_DONE state.
Normal ICMP verification MUST be performed as specified in Appendix C of [RFC4960]. This requires that the first 8 bytes of the SCTP common header are quoted in the payload of the PTB message, which can be the case for ICMPv4 and is normally the case for ICMPv6. When the verification is completed, the router Link MTU indicated in the PTB message SHOULD be used with the PLPMTUD algorithm.
The UDP encapsulation of SCTP is specified in [RFC6951].
Packet probing can be performed as specified in Section 5.2.1.1. The maximum payload is reduced by 8 bytes, which has to be considered when filling the PAD chunk.
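Worked example, added here and not part of the draft, for the PAD chunk sizing described in Section 5.2.1.1 and the 8-byte UDP adjustment above: the code builds a HEARTBEAT + PAD probe for a given probing size over IPv4 or IPv6, with or without the [RFC6951] UDP encapsulation, and recovers the probing size from the HEARTBEAT ACK. Chunk and parameter layouts follow [RFC4960] and [RFC4820]; the Heartbeat Information content (a 64-bit timestamp plus the probing size), the ports and the verification tag are assumptions, and the CRC32c checksum is left at zero.

```python
"""Added example (not from the draft): PAD chunk sizing for SCTP HEARTBEAT
probes, with and without UDP encapsulation."""
import struct

IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8
SCTP_COMMON_HDR = 12        # source port, destination port, vtag, checksum
CHUNK_HDR = 4               # type, flags, length
PARAM_HDR = 4               # type, length
HEARTBEAT, HEARTBEAT_ACK = 4, 5     # chunk types, RFC 4960
PAD = 0x84                          # chunk type, RFC 4820
HB_INFO = 1                         # Heartbeat Info parameter type
HB_INFO_FMT = "!QI"                 # assumed: 64-bit timestamp + probing size
HB_INFO_LEN = struct.calcsize(HB_INFO_FMT)   # 12 bytes, already 4-aligned


def heartbeat_chunk(timestamp: int, probe_size: int) -> bytes:
    """HEARTBEAT chunk whose Heartbeat Info records the probing size."""
    info = struct.pack(HB_INFO_FMT, timestamp, probe_size)
    param = struct.pack("!HH", HB_INFO, PARAM_HDR + len(info)) + info
    return struct.pack("!BBH", HEARTBEAT, 0, CHUNK_HDR + len(param)) + param


def pad_length(probe_size: int, hb_len: int, ipv6: bool, udp_encap: bool) -> int:
    """Padding bytes so that IP header + [UDP header] + SCTP packet == probe_size."""
    overhead = ((IPV6_HDR if ipv6 else IPV4_HDR) + (UDP_HDR if udp_encap else 0)
                + SCTP_COMMON_HDR + hb_len + CHUNK_HDR)
    pad = probe_size - overhead
    if pad < 0 or pad % 4:   # chunks are 4-byte aligned: probe sizes must allow it
        raise ValueError("probe size cannot be built from these headers")
    return pad


def build_probe(probe_size: int, ipv6: bool = True, udp_encap: bool = False,
                src_port: int = 5000, dst_port: int = 5000,
                vtag: int = 0x12345678, timestamp: int = 0) -> bytes:
    """SCTP packet (common header + HEARTBEAT + PAD).  The IP and UDP headers
    are accounted for in the size but not emitted; checksum left zero."""
    hb = heartbeat_chunk(timestamp, probe_size)
    pad = pad_length(probe_size, len(hb), ipv6, udp_encap)
    pad_chunk = struct.pack("!BBH", PAD, 0, CHUNK_HDR + pad) + b"\x00" * pad
    common = struct.pack("!HHII", src_port, dst_port, vtag, 0)
    return common + hb + pad_chunk


def heartbeat_ack_for(hb_chunk: bytes) -> bytes:
    """Peer side: a HEARTBEAT ACK returns the Heartbeat Info unchanged."""
    return bytes([HEARTBEAT_ACK]) + hb_chunk[1:]


def acked_probe_size(chunk: bytes) -> int:
    """Sender side: which probing size does this HEARTBEAT ACK confirm?"""
    ctype, _flags, clen = struct.unpack("!BBH", chunk[:CHUNK_HDR])
    if ctype != HEARTBEAT_ACK or clen != len(chunk):
        raise ValueError("not a well-formed HEARTBEAT ACK")
    ptype, plen = struct.unpack("!HH", chunk[CHUNK_HDR:CHUNK_HDR + PARAM_HDR])
    if ptype != HB_INFO or plen != PARAM_HDR + HB_INFO_LEN:
        raise ValueError("unexpected Heartbeat Info")
    _ts, size = struct.unpack(HB_INFO_FMT, chunk[CHUNK_HDR + PARAM_HDR:
                                                 CHUNK_HDR + PARAM_HDR + HB_INFO_LEN])
    return size
```

For a 1280-byte IPv6 probe the PAD chunk carries 1204 bytes of padding; with the UDP encapsulation the same probing size leaves 1196, the 8-byte difference noted above. Carrying the probing size inside the Heartbeat Info lets the sender tell which outstanding size a HEARTBEAT ACK confirms without keeping per-probe state.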
Since SCTP provides an acknowledged PL, a sender MUST NOT implement the REACHABILITY_TIMER while in the PROBE_DONE state.
Normal ICMP verification MUST be performed for PTB messages as specified in Appendix C of [RFC4960]. This requires that the first 8 bytes of the SCTP common header are contained in the PTB message, which can be the case for ICMPv4 (but note the UDP header also consumes a part of the quoted packet header) and is normally the case for ICMPv6. When the verification is completed, the router Link MTU size indicated in the PTB message SHOULD be used with the PLPMTUD algorithm.
The DTLS encapsulation of SCTP is specified in [I-D.ietf-tsvwg-sctp-dtls-encaps]. It is used for data channels in WebRTC implementations.
Packet probing can be done as specified in Section 5.2.1.1.
Since SCTP provides an acknowledged PL, a sender MUST NOT implement the REACHABILITY_TIMER while in the PROBE_DONE state.
It is not possible to perform normal ICMP verification as specified in [RFC4960], since even if the ICMP message contains enough information, the quoted SCTP common header would be encrypted. Therefore it is not possible to process PTB messages at the PL.
QUIC is a UDP-based transport that provides reception feedback [I-D.ietf-quic-transport].
<< This section will be completed in a future revision of this ID >>
This work was partially funded by the European Union's Horizon 2020 research and innovation programme under grant agreement No. 644334 (NEAT). The views expressed are solely those of the author(s).
This memo includes no request to IANA.
If there are no requirements for IANA, the section will be removed during conversion into an RFC by the RFC Editor.
The security considerations for the use of UDP and SCTP are provided in the referenced RFCs. Security guidance for applications using UDP is provided in the UDP-Guidelines [RFC8085].
PTB messages could potentially be used to cause a node to inappropriately reduce the effective PMTU. A node supporting PLPMTUD SHOULD appropriately verify the payload of PTB messages to ensure these are received in response to transmitted traffic (i.e., a reported error condition that corresponds to a datagram actually sent by the PL).
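The following added example (not from the draft) shows the verification called for in the ICMP paragraphs of the UDP, SCTP and SCTP/UDP sections above and in these Security Considerations: a PTB is accepted only when the packet it quotes matches the addresses, ports and verification tag of an association the PL is actually sending on, so a PTB from a node that is not on the path cannot drive the effective PMTU down. Only the first 8 bytes of the quoted SCTP common header (ports and vtag) are needed, which is what Appendix C of [RFC4960] relies on. The flow table, addresses, ports and tags are constructed test data, and the two PTB builders exist only to produce sample messages with zero checksums. For the DTLS encapsulation the quoted SCTP header is encrypted, and this check cannot be performed.

```python
"""Added example (not from the draft): tie an ICMP Packet Too Big message to a
datagram the PL actually sent before letting its MTU value drive PLPMTUD."""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

SCTP_PROTO = 132
# (our addr, peer addr, our port, peer port) -> vtag we place in packets we SEND
FlowKey = Tuple[str, str, int, int]
ParsedPtb = Tuple[int, str, str, int, int, int]   # mtu, src, dst, sport, dport, vtag


def parse_ptb(msg: bytes, ipv6: bool) -> Optional[ParsedPtb]:
    """Decode a PTB and the SCTP header it quotes; None if it is not a PTB or
    quotes too little of the original packet to be verifiable."""
    if ipv6:                                   # ICMPv6 type 2, code 0
        if len(msg) < 8 + 40 + 8 or msg[0] != 2 or msg[1] != 0:
            return None
        mtu = struct.unpack("!I", msg[4:8])[0]
        inner = msg[8:]
        if inner[0] >> 4 != 6 or inner[6] != SCTP_PROTO:
            return None
        src = str(ipaddress.IPv6Address(inner[8:24]))
        dst = str(ipaddress.IPv6Address(inner[24:40]))
        l4 = inner[40:48]
    else:                                      # ICMPv4 type 3, code 4
        if len(msg) < 8 + 20 + 8 or msg[0] != 3 or msg[1] != 4:
            return None
        mtu = struct.unpack("!H", msg[6:8])[0]
        inner = msg[8:]
        ihl = (inner[0] & 0x0F) * 4
        if inner[0] >> 4 != 4 or inner[9] != SCTP_PROTO or len(inner) < ihl + 8:
            return None
        src = str(ipaddress.IPv4Address(inner[12:16]))
        dst = str(ipaddress.IPv4Address(inner[16:20]))
        l4 = inner[ihl:ihl + 8]
    sport, dport, vtag = struct.unpack("!HHI", l4)
    return mtu, src, dst, sport, dport, vtag


def verified_ptb_mtu(msg: bytes, ipv6: bool, flows: Dict[FlowKey, int]) -> Optional[int]:
    """Link MTU to hand to PLPMTUD, or None when the PTB cannot be matched to an
    active association (wrong addresses or ports, or a vtag an off-path sender
    could not know).  Unverifiable PTBs are ignored, never acted on."""
    parsed = parse_ptb(msg, ipv6)
    if parsed is None:
        return None
    mtu, src, dst, sport, dport, vtag = parsed
    if flows.get((src, dst, sport, dport)) != vtag:
        return None
    return mtu


# Constructed PTB messages for exercising the check (checksums left zero).
def make_icmpv6_ptb(mtu, src, dst, sport, dport, vtag) -> bytes:
    inner = (struct.pack("!IHBB", 6 << 28, 1200, SCTP_PROTO, 64)
             + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
             + struct.pack("!HHII", sport, dport, vtag, 0))
    return struct.pack("!BBHI", 2, 0, 0, mtu) + inner


def make_icmpv4_ptb(mtu, src, dst, sport, dport, vtag) -> bytes:
    inner = (struct.pack("!BBHHHBBH", 0x45, 0, 1500, 0, 0, 64, SCTP_PROTO, 0)
             + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
             + struct.pack("!HHI", sport, dport, vtag))   # RFC 1191: 8 bytes quoted
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner
```

A forged PTB that carries the right addresses and ports but a guessed verification tag is dropped, as is a PTB that quotes fewer than 8 bytes beyond the IP header. Whether to act on an accepted value that is below BASE_PMTU is then the state machine's decision, not the verifier's.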
[I-D.ietf-quic-transport]  Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed and Secure Transport", Internet-Draft draft-ietf-quic-transport-04, June 2017.
[I-D.ietf-tsvwg-sctp-dtls-encaps]  Tuexen, M., Stewart, R., Jesup, R. and S. Loreto, "DTLS Encapsulation of SCTP Packets", Internet-Draft draft-ietf-tsvwg-sctp-dtls-encaps-09, January 2015.
[I-D.ietf-tsvwg-udp-options]  Touch, J., "Transport Options for UDP", Internet-Draft draft-ietf-tsvwg-udp-options-01, June 2017.
[RFC1122]  Braden, R., "Requirements for Internet Hosts - Communication Layers", STD 3, RFC 1122, DOI 10.17487/RFC1122, October 1989.
[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, December 1998.
[RFC3828]  Larzon, L-A., Degermark, M., Pink, S., Jonsson, L-E. and G. Fairhurst, "The Lightweight User Datagram Protocol (UDP-Lite)", RFC 3828, DOI 10.17487/RFC3828, July 2004.
[RFC4820]  Tuexen, M., Stewart, R. and P. Lei, "Padding Chunk and Parameter for the Stream Control Transmission Protocol (SCTP)", RFC 4820, DOI 10.17487/RFC4820, March 2007.
[RFC4960]  Stewart, R., "Stream Control Transmission Protocol", RFC 4960, DOI 10.17487/RFC4960, September 2007.
[RFC6951]  Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream Control Transmission Protocol (SCTP) Packets for End-Host to End-Host Communication", RFC 6951, DOI 10.17487/RFC6951, May 2013.
[RFC8085]  Eggert, L., Fairhurst, G. and G. Shepherd, "UDP Usage Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, March 2017.
[RFC8201]  McCann, J., Deering, S., Mogul, J. and R. Hinden, "Path MTU Discovery for IP version 6", STD 87, RFC 8201, DOI 10.17487/RFC8201, July 2017.
[RFC1191]  Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, DOI 10.17487/RFC1191, November 1990.
[RFC2923]  Lahey, K., "TCP Problems with Path MTU Discovery", RFC 2923, DOI 10.17487/RFC2923, September 2000.
[RFC4340]  Kohler, E., Handley, M. and S. Floyd, "Datagram Congestion Control Protocol (DCCP)", RFC 4340, DOI 10.17487/RFC4340, March 2006.
[RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007.
[RFC4890]  Davies, E. and J. Mohacsi, "Recommendations for Filtering ICMPv6 Messages in Firewalls", RFC 4890, DOI 10.17487/RFC4890, May 2007.
This appendix contains an informative description of key events:
[Figure 4: the ASCII diagram did not survive extraction. Transitions on arrival of an acknowledgment, as labelled in it:]

   PROBE_NONE   -> PROBE_BASE
   PROBE_ERROR  -> PROBE_SEARCH
   PROBE_BASE   -> PROBE_SEARCH  (Condition 1)
   PROBE_BASE   -> PROBE_DONE    (Condition 2)
   PROBE_SEARCH -> PROBE_SEARCH  (Condition 1)
   PROBE_SEARCH -> PROBE_DONE    (Condition 2)
   PROBE_DONE   -> PROBE_DONE
Condition 1: The maximum PMTU size has not yet been reached. Condition 2: The maximum PMTU size has been reached.
Figure 4: State changes at the arrival of an acknowledgment
[Figure 5: the ASCII diagram did not survive extraction. Transitions on expiry of the probe timer, as labelled in it:]

   PROBE_NONE   -> (no transition)
   PROBE_ERROR  -> PROBE_ERROR
   PROBE_BASE   -> PROBE_BASE    (Condition 1)
   PROBE_BASE   -> PROBE_ERROR   (Condition 2)
   PROBE_SEARCH -> PROBE_SEARCH  (Condition 1)
   PROBE_SEARCH -> PROBE_DONE    (Condition 2)
   PROBE_DONE   -> PROBE_DONE
Condition 1: The maximum number of probe packets has not been reached. Condition 2: The maximum number of probe packets has been reached.
Figure 5: State changes at the expiration of the probe timer
Note to RFC-Editor: please remove this entire section prior to publication.
Individual draft -00:
Individual draft -01: