Network Working Group M. Eubanks
Internet-Draft AmericaFree.TV LLC
Updates: 2460 (if approved) P.F. Chimento
Intended status: Standards Track Johns Hopkins University Applied Physics Laboratory
Expires: March 07, 2013 M. Westerlund
Ericsson
September 5, 2012

UDP Checksums for Tunneled Packets
draft-ietf-6man-udpchecksums-04

Abstract

This document provides an update of the Internet Protocol version 6 (IPv6) specification (RFC2460) to improve the performance of IPv6 in the use case when a tunnel protocol uses UDP with IPv6 to tunnel packets. The performance improvement is obtained by relaxing the IPv6 UDP checksum requirement for suitable tunneling protocol where header information is protected on the "inner" packet being carried. This relaxation removes the overhead associated with the computation of UDP checksums on IPv6 packets used to carry tunnel protocols and thereby improves the efficiency of the traversal of firewalls and other network middleboxes by such protocols. We describe how the IPv6 UDP checksum requirement can be relaxed in the situation where the encapsulated packet itself contains a checksum, the limitations and risks of this approach, and defines restrictions on the use of this relaxation to mitigate these risks.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http:/⁠/⁠datatracker.ietf.org/⁠drafts/⁠current/⁠.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on March 07, 2013.

Copyright Notice

Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:/⁠/⁠trustee.ietf.org/⁠license-⁠info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

This work constitutes an update of the Internet Protocol Version 6 (IPv6) Specification [RFC2460], in the use case when a tunnel protocol uses UDP with IPv6 to tunnel packets. With the rapid growth of the Internet, tunneling protocols have become increasingly important to enable the deployment of new protocols. Tunneled protocols can be deployed rapidly, while the time to upgrade and deploy a critical mass of routers, switches and end hosts on the global Internet for a new protocol is now measured in decades. At the same time, the increasing use of firewalls and other security related middleboxes means that truly new tunnel protocols, with new protocol numbers, are also unlikely to be deployable in a reasonable time frame, which has resulted in an increasing interest in and use of UDP-based tunneling protocols. In such protocols, there is an encapsulated "inner" packet, and the "outer" packet carrying the tunneled inner packet is a UDP packet, which can pass through firewalls and other middleboxes filtering that is a fact of life on the current Internet.

Tunnel endpoints may be routers or middleboxes aggregating traffic from a large number of tunnel users, therefore the computation of an additional checksum on the outer UDP packet, may be seen as an unwarranted burden on nodes that implement a tunneling protocol, especially if the inner packet(s) are already protected by a checksum. In IPv4, there is a checksum on the IP packet itself, and the checksum on the outer UDP packet can be set to zero. However in IPv6 there is not a checksum on the IP packet and RFC 2460 [RFC2460] explicitly states that IPv6 receivers MUST discard UDP packets with a zero checksum. So, while sending a UDP packet with a zero checksum is permitted in IPv4 packets, it is explicitly forbidden in IPv6 packets. To improve support for IPv6 UDP tunnels, this document updates RFC 2460 to allow tunnel endpoints to use a zero UDP checksum under constrained situations (IPv6 tunnel transports that carry checksum-protected packets), following the considerations in [I-D.ietf-6man-udpzero].

Unicast UDP Usage Guidelines for Application Designers [RFC5405] should be consulted when reading this specification. It discusses both UDP tunnels (Section 3.1.3) and the usage of Checksums (Section 3.4).

While the origin of this specification is the problem raised by the draft titled "Automatic IP Multicast Without Explicit Tunnels", also known as "AMT," [I-D.ietf-mboned-auto-multicast] we expect it to have wide applicability. Since the first version of this document, the need for an efficient UDP tunneling mechanism has increased. Other IETF Working Groups, notably LISP [I-D.ietf-lisp] and Softwires [RFC5619] have expressed a need to update the UDP checksum processing in RFC 2460. We therefore expect this update to be applicable in future to other tunneling protocols specified by these and other IETF Working Groups.

2. Some Terminology

For the remainder of this document, we discuss only IPv6, since this problem does not exist for IPv4. Therefore all reference to 'IP' should be understood as a reference to IPv6.

The document uses the terms "tunneling" and "tunneled" as adjectives when describing packets. When we refer to 'tunneling packets' we refer to the outer packet header that provides the tunneling function. When we refer to 'tunneled packets' we refer to the inner packet, i.e. the packet being carried in the tunnel.

2.1. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

3. Problem Statement

This document provides an update for the case where a tunnel protocol transports tunnelled packets that already have a UDP header with a checksum, there is both a benefit and a cost to compute and check the UDP checksum of the outer (encapsulating) UDP transport header. In certain cases, where reducing the forwarding cost is important, such as for systems that perform the check in software, the cost may outweigh the benefit; this document describes a means to avoid that cost, in the case where there is an inner header with a checksum.

4. Discussion

IPv6 UDP Checksum Considerations [I-D.ietf-6man-udpzero] describes the issues related to allowing UDP over IPv6 to have a valid checksum of zero and is not repeated here.

Section 5.1 of [I-D.ietf-6man-udpzero], identifies 9 requirements that introduce constraints on the usage of a zero checksum for UDP over IPv6. This document is intended to satisfy these requirements.

[I-D.ietf-6man-udpzero] and mailing list discussions have noted there is still the possibility of deep-inspection firewall devices or other middleboxes checking the UDP checksum field of the outer packet and thereby discarding the tunneling packets. This would be an issue also for any legacy IPv6 system that has not implemented this update to the IPv6 specification. In this case, the system (according to RFC 2460) will discard the zero-checksum UDP packets, and should log this as an error.

The below discuss how path errors can be detected and handled in an UDP tunneling protocol when the checksum protection is disabled. Note that other (non-tunneling) protocols may have different approaches, but these are not the topic of this update. We propose the following approach to handle this problem:

While they do not guarantee correctness, these mechanism can reduce the risks of relaxing the UDP checksum requirement for IPv6.

5. The Zero-Checksum Update

This specification updates IPv6 to allow a UDP checksum of zero for the outer encapsulating packet of a tunneling protocol. UDP endpoints that implement this update MUST change their behavior for any destination port explicitly configured for zero checksum and not discard UDP packets received with a checksum value of zero on the outer packet. When this is done, it requires the constraints in Section 5.1 of [I-D.ietf-6man-udpzero].

Specifically, the text in [RFC2460] Section 8.1, 4th bullet is updated. We refer to the following text:

"Unlike IPv4, when UDP packets are originated by an IPv6 node, the UDP checksum is not optional. That is, whenever originating a UDP packet, an IPv6 node must compute a UDP checksum over the packet and the pseudo-header, and, if that computation yields a result of zero, it must be changed to hex FFFF for placement in the UDP header. IPv6 receivers must discard UDP packets containing a zero checksum, and should log the error."

This item should be taken out of the bullet list and should be replaced by:

6. Additional Observations

The existence of this issue among a significant number of protocols being developed in the IETF motivates this specified change. The authors would also like to make the following observations:

7. IANA Considerations

This document makes no request of IANA.

Note to RFC Editor: this section may be removed on publication as an RFC.

8. Security Considerations

It requires less work to generate zero-checksum attack packets than ones with full UDP checksums. However, this does not lead to any significant new vulnerabilities as checksums are not a security measure and can be easily generated by any attacker, as properly configured tunnels should check the validity of the inner packet and perform any needed security checks, regardless of the checksum status, and finally as most attacks are generated from compromised hosts which automatically create checksummed packets (in other words, it would generally be more, not less, effort for most attackers to generate zero UDP checksums on the host).

9. Acknowledgements

We would like to thank Brian Haberman and Gorry Fairhurst for discussions and reviews.

10. References

10.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2460] Deering, S.E. and R.M. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.
[RFC3828] Larzon, L-A., Degermark, M., Pink, S., Jonsson, L-E. and G. Fairhurst, "The Lightweight User Datagram Protocol (UDP-Lite)", RFC 3828, July 2004.
[RFC5619] Yamamoto, S., Williams, C., Yokota, H. and F. Parent, "Softwire Security Analysis and Requirements", RFC 5619, August 2009.

10.2. Informative References

[I-D.ietf-mboned-auto-multicast] Thaler, D, Talwar, M, Aggarwal, A, Vicisano, L, Pusateri, T and T Morin, "Automatic IP Multicast Tunneling", Internet-Draft draft-ietf-mboned-auto-multicast-11, July 2011.
[I-D.ietf-lisp] Farinacci, D, Fuller, V, Meyer, D and D Lewis, "Locator/ID Separation Protocol (LISP)", Internet-Draft draft-ietf-lisp-15, July 2011.
[I-D.ietf-6man-udpzero] Fairhurst, G and M Westerlund, "IPv6 UDP Checksum Considerations", Internet-Draft draft-ietf-6man-udpzero-03, April 2011.
[RFC5405] Eggert, L. and G. Fairhurst, "Unicast UDP Usage Guidelines for Application Designers", BCP 145, RFC 5405, November 2008.

Authors' Addresses

Marshall Eubanks AmericaFree.TV LLC P.O. Box 141 Clifton, Virginia 20124 USA Phone: +1-703-501-4376 EMail: marshall.eubanks@gmail.com
P.F. Chimento Johns Hopkins University Applied Physics Laboratory 11100 Johns Hopkins Road Laurel, MD 20723 USA Phone: +1-443-778-1743 EMail: Philip.Chimento@jhuapl.edu
Magnus Westerlund Ericsson Farogatan 6 SE-164 80 Kista, Sweden Phone: +46 10 714 82 87 EMail: magnus.westerlund@ericsson.com