Network Working Group | M. Eubanks |
Internet-Draft | AmericaFree.TV LLC |
Updates: 2460 (if approved) | P.F. Chimento |
Intended status: Standards Track | Johns Hopkins University Applied Physics Laboratory |
Expires: June 14, 2013 | M. Westerlund |
Ericsson | |
December 11, 2012 |
IPv6 and UDP Checksums for Tunneled Packets
draft-ietf-6man-udpchecksums-06
This document provides an update of the Internet Protocol version 6 (IPv6) specification (RFC2460) to improve the performance in the use case when a tunnel protocol uses UDP with IPv6 to tunnel packets. The performance improvement is obtained by relaxing the IPv6 UDP checksum requirement for suitable tunneling protocol where header information is protected on the "inner" packet being carried. This relaxation removes the overhead associated with the computation of UDP checksums on IPv6 packets used to carry tunnel protocols. The specification describes how the IPv6 UDP checksum requirement can be relaxed for the situation where the encapsulated packet itself contains a checksum. The limitations and risks of this approach are described, and restrictions specified on the use of the method.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http:/⁠/⁠datatracker.ietf.org/⁠drafts/⁠current/⁠.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 14, 2013.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:/⁠/⁠trustee.ietf.org/⁠license-⁠info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This work constitutes an update of the Internet Protocol Version 6 (IPv6) Specification [RFC2460], in the use case when a tunnel protocol uses UDP with IPv6 to tunnel packets. With the rapid growth of the Internet, tunneling protocols have become increasingly important to enable the deployment of new protocols. Tunneled protocols can be deployed rapidly, while the time to upgrade and deploy a critical mass of routers, middleboxes and hosts on the global Internet for a new protocol is now measured in decades. At the same time, the increasing use of firewalls and other security-related middleboxes means that truly new tunnel protocols, with new protocol numbers, are also unlikely to be deployable in a reasonable time frame, which has resulted in an increasing interest in and use of UDP-based tunneling protocols. In such protocols, there is an encapsulated "inner" packet, and the "outer" packet carrying the tunneled inner packet is a UDP packet, which can pass through firewalls and other middleboxes that perform filtering that is a fact of life on the current Internet.
Tunnel endpoints may be routers or middleboxes aggregating traffic from a number of tunnel users, therefore the computation of an additional checksum on the outer UDP packet, may be seen as an unwarranted burden on nodes that implement a tunneling protocol, especially if the inner packet(s) are already protected by a checksum. In IPv4, there is a checksum over the IP packet header, and the checksum on the outer UDP packet may be set to zero. However in IPv6 there is no checksum in the IP header and RFC 2460 [RFC2460] explicitly states that IPv6 receivers MUST discard UDP packets with a zero checksum. So, while sending a UDP datagram with a zero checksum is permitted in IPv4 packets, it is explicitly forbidden in IPv6 packets. To improve support for IPv6 UDP tunnels, this document updates RFC 2460 to allow endpoints to use a zero UDP checksum under constrained situations (primarily IPv6 tunnel transports that carry checksum-protected packets), following the applicability statements and constraints in [I-D.ietf-6man-udpzero].
Unicast UDP Usage Guidelines for Application Designers [RFC5405] should be consulted when reading this specification. It discusses both UDP tunnels (Section 3.1.3) and the usage of checksums (Section 3.4).
While the origin of this specification is the problem raised by the draft titled "Automatic IP Multicast Without Explicit Tunnels", also known as "AMT," [I-D.ietf-mboned-auto-multicast] we expect it to have wide applicability. Since the first version of this document, the need for an efficient UDP tunneling mechanism has increased. Other IETF Working Groups, notably LISP [I-D.ietf-lisp] and Softwires [RFC5619] have expressed a need to update the UDP checksum processing in RFC 2460. We therefore expect this update to be applicable in future to other tunneling protocols specified by these and other IETF Working Groups.
This document discusses only IPv6, since this problem does not exist for IPv4. Therefore all reference to 'IP' should be understood as a reference to IPv6.
The document uses the terms "tunneling" and "tunneled" as adjectives when describing packets. When we refer to 'tunneling packets' we refer to the outer packet header that provides the tunneling function. When we refer to 'tunneled packets' we refer to the inner packet, i.e., the packet being carried in the tunnel.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
When using tunnel protocols based on UDP, there can be both a benefit and a cost to computing and checking the UDP checksum of the outer (encapsulating) UDP transport header. In certain cases, where reducing the forwarding cost is important, such as for nodes that perform the checksum in software, where the cost may outweigh the benefit. This document provides an update for usage of the UDP checksum with IPv6. The update is specified for use by a tunnel protocol that transports packets that are themselves protected by a checksum.
Applicability Statement for the use of IPv6 UDP Datagrams with Zero Checksums [I-D.ietf-6man-udpzero] describes issues related to allowing UDP over IPv6 to have a valid zero UDP checksum and is the starting point for this discussion. Section 4 and 5 of [I-D.ietf-6man-udpzero], respectively identify node implementation and usage requirements for datagrams sent and received with a zero UDP checksum. These introduce constraints on the usage of a zero checksum for UDP over IPv6. The remainder of this section analyses the use of general tunnels and motivates why tunnel protocols are being permitted to use the method described in this update. Issues with middleboxes are also discussed.
This section analyzes the impact of the different corruption modes in the context of a tunnel protocol. It indicates what needs to be considered by the designer and user of a tunnel protocol to be robust. It also summarizes why use of a zero UDP checksum is thought safe for deployment.
When only the source information is corrupted, the datagram could arrive at the intended applications/protocol which will process it and try to match it against an existing tunnel context. If the protocol restricts processing to only the source addresses with established contexts the likelihood that a corrupted packet enters a valid context is reduced. When both source and destination fields are corrupted, this increases the likelihood of failing to match a context, with the exception of errors replacing one packet header with another one. In this case it is possible that both are tunnels and thus the corrupted packet can match a previously defined context.
These different examples each help to significantly reduce the likelihood that a corrupted inner tunneled packet is finally delivered to a protocol listener that can be affected by the packet. While the methods do not guarantee correctness, they can reduce the risk of relaxing the UDP checksum requirement for a tunnel application using IPv6.
This document describes the applicability of using a zero UDP checksum to support tunnel protocols. There are good motivations behind this and the arguments are provided here.
Tunnel protocols encapsulating IP this will generally be safe, since all IPv4 and IPv6 packets include at least one checksum at either the network or transport layer and the network delivery of the inner packet will further reduce the effects of corruption. Tunnel protocols carrying non-IP packets may provide equivalent protection due to the non-IP networks reducing the risk of delivery to applications. However, there is need for further analysis to understand the implications of mis-delievery of corrupted packets for that each non-IP protocol. The analysis above suggests that non-tunnel protocols can be expected to have significantly more cases where a zero checksum would result in mis-delivery or negative side-effects.
One unfortunate side-effect of increased use of a zero-checksum is that it also increases the likelihood of acceptance when a datagram with a zero UDP checksum is mis-delivered. This requires all tunnel protocols using this method to be designed to be robust to mis-delivery.
Applicability Statement for the use of IPv6 UDP Datagrams with Zero Checksums [I-D.ietf-6man-udpzero] notes that middlebox devices that conform to RFC 2460 will discard datagrams with a zero UDP checksum and should log this as an error. Thus tunnel protocols intending to use a zero UDP checksum needs to ensure that they have defined a method for handling cases when a middlebox prevents the path between the tunnel ingress and egress from supporting transmission of datagrams with a zero UDP checksum.
This specification updates IPv6 to allow a zero UDP checksum in the outer encapsulating datagram of a tunneling protocol. UDP endpoints that implement this update MUST follow the node requirements "Applicability Statement for the use of IPv6 UDP Datagrams with Zero Checksums" [I-D.ietf-6man-udpzero].
The following text in [RFC2460] Section 8.1, 4th bullet should be deleted:
"Unlike IPv4, when UDP packets are originated by an IPv6 node, the UDP checksum is not optional. That is, whenever originating a UDP packet, an IPv6 node must compute a UDP checksum over the packet and the pseudo-header, and, if that computation yields a result of zero, it must be changed to hex FFFF for placement in the UDP header. IPv6 receivers must discard UDP packets containing a zero checksum, and should log the error."
This text should be replaced by:
This update was motivated by the existence of a number of protocols being developed in the IETF that are expected to benefit from the change. The following observations are made:
This document makes no request of IANA.
Note to RFC Editor: this section may be removed on publication as an RFC.
Less work is required required to generate an attack using a zero UDP checksum than one using a standard full UDP checksum. However, this does not lead to significant new vulnerabilities because checksums are not a security measure and can be easily generated by any attacker. Properly configured tunnels should check the validity of the inner packet and perform security checks.
We would like to thank Brian Haberman, Dan Wing, Joel Halpern and the IESG of 2012 for discussions and reviews. Gorry Fairhurst has been very diligent in reviewing and help ensuring alignment between this document and [I-D.ietf-6man-udpzero].
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC2460] | Deering, S.E. and R.M. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. |
[I-D.ietf-6man-udpzero] | Fairhurst, G and M Westerlund, "Applicability Statement for the use of IPv6 UDP Datagrams with Zero Checksums", Internet-Draft draft-ietf-6man-udpzero-07, October 2012. |
[I-D.ietf-mboned-auto-multicast] | Bumgardner, G, "Automatic Multicast Tunneling", Internet-Draft draft-ietf-mboned-auto-multicast-14, June 2012. |
[I-D.ietf-lisp] | Farinacci, D, Fuller, V, Meyer, D and D Lewis, "Locator/ID Separation Protocol (LISP)", Internet-Draft draft-ietf-lisp-24, November 2012. |
[RFC2827] | Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000. |
[RFC3828] | Larzon, L-A., Degermark, M., Pink, S., Jonsson, L-E. and G. Fairhurst, "The Lightweight User Datagram Protocol (UDP-Lite)", RFC 3828, July 2004. |
[RFC5405] | Eggert, L. and G. Fairhurst, "Unicast UDP Usage Guidelines for Application Designers", BCP 145, RFC 5405, November 2008. |
[RFC5619] | Yamamoto, S., Williams, C., Yokota, H. and F. Parent, "Softwire Security Analysis and Requirements", RFC 5619, August 2009. |