Internet Engineering Task Force | G. Fairhurst |
Internet-Draft | T. Jones |
Updates: 4821 (if approved) | University of Aberdeen |
Intended status: Standards Track | M. Tuexen |
Expires: January 3, 2019 | I. Ruengeler |
Muenster University of Applied Sciences | |
July 02, 2018 |
Packetization Layer Path MTU Discovery for Datagram Transports
draft-ietf-tsvwg-datagram-plpmtud-03
This document describes a robust method for Path MTU Discovery (PMTUD) for datagram Packetization layers. The document describes an extension to RFC 1191 and RFC 8201, which specifies ICMP-based Path MTU Discovery for IPv4 and IPv6. The method allows a Packetization Layer (PL), or a datagram application that uses a PL, to discover whether a network path can support the current size of datagram. This can be used to detect and reduce the message size when a sender encounters a network black hole (where packets are discarded, and no ICMP message is received). The method can also probe a network path with progressively larger packets to find whether the maximum packet size can be increased. This allows a sender to determine an appropriate packet size, providing functionally for datagram transports that is equivalent to the Packetization layer PMTUD specification for TCP, specified in RFC4821.
The document also provides implementation notes for incorporating Datagram PMTUD into IETF Datagram transports or applications that use transports.
When published, this specification updates RFC4821.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 3, 2019.
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The IETF has specified datagram transport using UDP, SCTP, and DCCP, as well as protocols layered on top of these transports (e.g., SCTP/UDP, DCCP/UDP) and directly over the IP network layer. This document describes a robust method for Path MTU Discovery (PMTUD) that may be used with these transport protocols (or the applications that use their transport service) to discover an appropriate size of packet to use across an Internet path.
Classical Path Maximum Transmission Unit Discovery (PMTUD) can be used with any transport that is able to process ICMP Packet Too Big (PTB) messages (e.g., [RFC1191] and [RFC8201]). The term PTB message is applied to both IPv4 ICMP Unreachable messages (type 3) that carry the error Fragmentation Needed (Type 3, Code 4) and ICMPv6 packet too big messages (Type 2). When a sender receives a PTB message, it reduces the effective MTU to the value reported as the Link MTU in the PTB message, and a method that from time-to-time increases the packet size in attempt to discover an increase in the supported PMTU. The packets sent with a size larger than the current effective PMTU are known as probe packets.
Packets not intended as probe packets are either fragmented to the current effective PMTU, or the attempt to send fails with an error code. Applications are sometimes provided with a primitive to let them read the maximum packet size, derived from the current effective PMTU.
Classical PMTUD is subject to protocol failures. One failure arises when traffic using a packet size larger than the actual PMTU is black-holed (all datagrams sent with this size, or larger, are silently discarded without the sender receiving ICMP PTB messages). This could arise when the PTB messages are not delivered back to the sender for some reason [RFC2923]). For example, ICMP messages are increasingly filtered by middleboxes (including firewalls) [RFC4890]. A stateful firewall could be configured with a policy to block incoming ICMP messages, which would prevent reception of PTB messages to endpoints behind this firewall. Other examples include cases where PTB messages are not correctly processed/generated by tunnel endpoints.
Another failure could result if a node that is not on the network path sends a PTB message that attempts to force the sender to change the effective PMTU [RFC8201]. A sender can protect itself from reacting to such messages by utilising the quoted packet within a PTB message payload to validate that the received PTB message was generated in response to a packet that had actually originated from the sender. However, there are situations where a sender would be unable to provide this validation.
Examples where validation of the PTB message is not possible include:
The term Packetization Layer (PL) has been introduced to describe the layer that is responsible for placing data blocks into the payload of IP packets and selecting an appropriate Maximum Packet Size (MPS). This function is often performed by a transport protocol, but can also be performed by other encapsulation methods working above the transport.
In contrast to PMTUD, Packetization Layer Path MTU Discovery (PLPMTUD) [RFC4821] does not rely upon reception and validation of PTB messages. It is therefore more robust than Classical PMTUD. This has become the recommended approach for implementing PMTU discovery with TCP.
It uses a general strategy where the PL sends probe packet to search for the largest size of unfragmented datagram that can be sent over a path. The probe packets are sent with a progressively larger packet size. If a probe packet is successfully delivered (as determined by the PL), then the PLPMTU is raised to the size of the successful probe. If no response is received to a probe packet, the method reduces the probe size. This PLPMTU is used to set the application MPS.
PLPMTUD introduces flexibility in the implementation of PMTU discovery. At one extreme, it can be configured to only perform PTB black hole detection and recovery to increase the robustness of Classical PMTUD, or at the other extreme, all PTB processing can be disabled and PLPMTUD can completely replace Classical PMTUD.
PLPMTUD can also include additional consistency checks without increasing the risk of increased black-holing. For instance,the information available at the PL, or higher layers, makes PTB validation more straight forward.
Section 4 of this document presents a set of algorithms for datagram protocols to discover the largest size of unfragmented datagram that can be sent over a path. The method described relies on features of the PL Section 3 and apply to transport protocols operating over IPv4 and IPv6. It does not require cooperation from the lower layers, although it can utilise ICMP PTB messages when these received messages are made available to the PL.
The UDP Usage Guidelines [RFC8085] state "an application SHOULD either use the Path MTU information provided by the IP layer or implement Path MTU Discovery (PMTUD)", but does not provide a mechanism for discovering the largest size of unfragmented datagram than can be used on a path. Prior to this document, PLPMTUD had not been specified for UDP.
Section 10.2 of [RFC4821] recommends a PLPMTUD probing method for the Stream Control Transport Protocol (SCTP). SCTP utilises heartbeat messages as probe packets, but RFC4821 does not provide a complete specification. This document provides the details to complete that specification.
The Datagram Congestion Control Protocol (DCCP) [RFC4340] requires implementations to support Classical PMTUD and states that a DCCP sender "MUST maintain the MPS allowed for each active DCCP session". It also defines the current congestion control MPS (CCMPS) supported by a path. This recommends use of PMTUD, and suggests use of control packets (DCCP-Sync) as path probe packets, because they do not risk application data loss. The method defined in this specification could be used with DCCP.
Section 5 specifies the method for a set of transports, and provides information to enables the implementation of PLPMTUD with other datagram transports and applications that use datagram transports.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Other terminology is directly copied from [RFC4821], and the definitions in [RFC1122].
TCP PLPMTUD has been defined using standard TCP protocol mechanisms. All of the requirements in [RFC4821] also apply to use of the technique with a datagram PL. Unlike TCP, some datagram PLs require additional mechanisms to implement PLPMTUD.
There are eight requirements for performing the datagram PLPMTUD method described in this specification:
In addition, the following principles are stated for design of a DPLPMTUD method:
The DPLPMTUD method relies upon the PL sender being able to generate probe packets with a specific size. TCP is able to generate these probe packets by choosing to appropriately segment data being sent [RFC4821].
In contrast, a datagram PL that needs to construct a probe packet has to either request an application to send a data block that is larger than that generated by an application, or to utilise padding functions to extend a datagram beyond the size of the application data block. Protocols that permit exchange of control messages (without an application data block) could alternatively prefer to generate a probe packet by extending a control message with padding data.
When the method fails to validate the PLPMTU, it may be required to send a probe packet with a size less than the size of the data block generated by an application. In this case, the PL could provide a way to fragment a datagram at the PL, or could instead utilise a control packet with padding.
A receiver needs to be able to distinguish an in-band data block from any added padding. This is needed to ensure that any added padding is not passed on to an application at the receiver.
This results in three possible ways that a sender can create a probe packet listed in order of preference:
A PL that uses a probe packet carrying an application data block, could need to retransmit this application data block if the probe fails. This could need the PL to re-fragment the data block to a smaller packet size that is expected to traverse the end-to-end path (which could utilise network-layer or PL fragmentation when these are available).
DLPMTUD MAY choose to use only one of these methods to simplify the implementation.
The PL needs a method to determine when probe packets have been successfully received end-to-end across a network path.
Transport protocols can include end-to-end methods that detect and report reception of specific datagrams that they send (e.g., DCCP and SCTP provide keep-alive/heartbeat features). When supported, this mechanism SHOULD also be used by DPLPMTUD to acknowledge reception of a probe packet.
A PL that does not acknowledge data reception (e.g., UDP and UDP-Lite) is unable to detect when the packets that it sends are discarded because their size is greater than the actual PMTU. These PLs need to either rely on an application protocol to detect this loss, or make use of an additional transport method such as UDP-Options [I-D.ietf-tsvwg-udp-options]. In addition, they might need to send reachability probes (e.g., periodically solicit a response from the destination) to determine whether the last successfully probed PLPMTU is still supported by the network path.
Section Section 4 specifies this function for a set of IETF-specified protocols.
If the DPLPMTUD method detects that a packet with the PLPMTU size is no supported by the network path, then the DLPMTUD method needs to validate the PLPMTU. This can happen when a validated PTB message is received, or another event that indicates the network path no longer sustains this packet size, such as a loss report from the PL
All implementations of DPLPMTUD are REQUIRED to provide support that reduces the PLPMTU when the actual PMTU supported by a network path is less than the PLPMTU.
An implementation that only reduces the PLPMTU to a suitable size is sufficient to ensure reliable operation, but may be very inefficient when the actual PMTU changes or when the method (for whatever reason) makes a suboptimal choice for the PLPMTU.
A full implementation of the DPLPMTUD method is RECOMMENDED to provide a way for the sending PL endpoint to detect when the PLPMTU is smaller than the actual PMTU size. This allows the sender to increase the PLPMTU following a change in the characteristics of the path, such as when a link is reconfigured with a larger MTU, or when there is a change in the set of links traversed by an end-to-end flow (e.g. after a routing or fail-over decision).
The decision to increase the PLPMTU needs to be robust to the possibility that information learned about the path is inconsistent (this could happen when probe packets are lost due to other reasons, or some of the packets in a flow are forwarded along a portion of the path that supports a different PMTU).
Frequent path changes could occur due to unexpected "flapping" - where some packets from a flow pass along one path, but other packets follow a different path with different properties. DPLPMTUD can be made robust to these anomalies by introducing hysteresis into the decision to increase the Maximum Packet Size.
XXX A future revision of this section will include recommend appropriate methods to provide robustness. XXX
This section specifies Datagram PLPMTUD (DPLPMTUD). This method can be introduced at various points in the IP protocol stack, to discover the PLPMTU so that the application can use an MPS appropriate to the current network path.
+----------------------+ | APP* | +-+-------+----+---+---+ | | | | +---+--+ +--+--+ | +-+---+ | QUIC*| |UDPO*| | |SCTP*| +---+--+ +--+--+ | ++--+-+ | | | | | +-------++ | | | | | | | ++-+--++ | | UDP | | +---+--+ | | | +--------------+-----+-+ | Network Interface | +----------------------+
Figure 1: Examples where DPLPMTUD can be implemented
The central idea of DPLPMTUD is probing by a sender. Probe packets are sent to find out the maximum size of user message that is completely transferred across the network path from the sender to the destination.
The are various functions performed by the algorithm:
The DPLPMTUD method utilises probe packets to confirm that a packet of size PROBED_SIZE can traverse the network path. The PROBE_COUNT is initialised to zero when a probe packet is first sent with a particular size.
A timer is used to trigger the generation of probe packets. The probe_timer is started each time a probe packet is sent to the destination and is cancelled when receipt of the probe packet is acknowledged. The PROBED_SIZE is confirmed, and this value is then assignmed to PLPMTU. The DPLPMTUD method may send subsequent probes of an increasing size. Increasing probes follow a search strategy as discussed in Section 4.7.
Each time the probe_timer expires, the PROBE_COUNT is incremented, the probe_timer is reinitialised, and a probe packet of the same size is retransmitted.
The maximum number of retransmissions for a PROBED_SIZE is configured (MAX_PROBES). If the value of the PROBE_COUNT reaches MAX_PROBES, probing will stop and enters the PROBE_DONE state.
When the PL sender completes probing for a larger PLPMTU, it enters the PROBE_DONE state. This starts the PMTU_RAISE_TIMER. While this running, the PLPMTU remains at the value set in the last succesful probe packet.
If the PL is designed in a way that is unable to validate reachability to the destination endpoint after probing has completed, the method uses a REACHABILITY_TIMER to periodically repeat a probe packet for the current PLPMTU size, while the PMTU_RAISE_TIMER is running. If the REACHABILITY_TIMER expires, the method exits the PROBE_DONE state. The done state is also exited when a validated PTB message is received.
If the PMTU_RAISE_TIMER expires, the PL sender also exits the PROBE_DONE state, but in this case resumes probing from the size of the PLPMTU.
This section describes processing for both IPv4 ICMP Unreachable messages (type 3) and ICMPv6 packet too big messages.
A PL that receives a PTB message from a router or middlebox, MUST validate the PTB message. The PL checks the protocol information in the quoted payload to validate the message originated from the sending node. The node also checks that the reported link MTU size is less than the size used by packet probes. PTB messages are discarded if they fail to pass these checks, or where there is insufficient ICMP payload to perform these checks. The checks are intended to provide protection from packets that originate from a node that is not on the network path or a node that attempts to report a larger link MTU than the current probe size.
PTB messages that have been validated can be utilised by the DPLPMTUD algorithm. A method that utilises these PTB messages can improve the speed at the which the algorithm detects an appropriate PLPMTU compared to one that relies solely on probing.
The method in the previous subsections utilises three timers:
An implementation could implement the various timers using a single timer process.
The following constants are defined:
The figure below illustrates the relationship between some of these variables, in this case when the DPLPMTUD algorithm performs path probing to increase the size of the PLPMTU. The MPS is less than the PLPMTU. A probe packet has been sent of size PROBED_SIZE. When this is acknowledged, the PLPMTU will be raised to PROBED_SIZE allowing the PROBED_SIZE to be increased towards the actual PMTU.
MIN_PMTU PMTU_MAX <------------------------------------------------------> | | | | | V | | | V BASE_PMTU V | V Actual PMTU MPS | PROBED_SIZE V PLPMTU
Figure 2: Relationships between probe and packet sizes
This method utilises a set of variables:
Implementations discover the search range by validating the minimum path MTU and then using the probe method to select a PROBED_SIZE less than or equal to the maximum PMTU_MAX. Where PMTU_MAX is the minimum of the local link MTU and EMTU_R (learned from the remote endpoint). The PMTU_MAX MAY be constrained by an application that has a maximum to the size of datagrams it wishes to send.
Implementations use a search algorithm to choose probe sizes within the search range.
xxx A future version of this section will detail example methods for selecting probe size values, but does not plan to mandate a single method. xxx
Implementations MAY optimizse the search procedure by selecting step sizes from a table of common PMTU sizes.
Implementations SHOULD select probe sizes to maximise the gain in PLPMTU each search step. Implementations ought to take into consideration useful probe size steps and a minimum useful gain in PLPMTU.
The DPLPMTUD method can be used to provide black hole detection. This enables a reduction of the PLPMTU when a PL sender encounters a path that fails to support the current MPS and also fails to return a PTB message to the sender.
The simple method starts by setting the PLPMTU to the BASE_PMTU. When the method detects that communication is not possible with this size of packet, the PLPMTU is reduced, until an operable message size is reached or the PLPMTU reaches the BASE_MTU size. The method enables a sending PL to inform an application of the reduced MPS and accordingly send smaller packets.
The simple black hole detetction method does not seek to increase the PLPMTU. This makes it vulneable to transient reductions in the actual PLPMTU, which could result in a PLPMTU lower than the actual PMTU.
The full methiod is specified in Section 4.9.
The PL sender starts with the PLPMTU and PROBED_SIZE set to the BASE_PMTU.
While a PL has a PLPMTU greater than the BASE_MTU, the PL needs to send probe packets at the PROBED_SIZE to revalidate the PLPMTU. Black hole detection is also triggered by lack of reachability at the PL. When the PL sender detects that multiple transmissions of packets of PROBED_SIZE are no longer being acknowledged (e.g., When the number of probe packets sent without receiving an acknowledgement (PROBE_COUNT) becomes greater than the MAX_PROBES), the PL concludes that it has detected a black hole and reduces PLPMTU.
The connectivity check may be performened by the protocol implementing the PL (as in PLPMTUD for TCP [RFC4821]). When the application using the PL does not regularly send packets of size PROBED_SIZE, additional probe packets need to be sent by PL using the reachability timer Section 4.4.
If method does reduces the PLPMTU to the MIN_PMTU, the method concludes the path does not support the MIN_PMTU.
If multihoming is supported, a state machine is needed for each active path.
The state machine for a simple black hole detection mechanism is depicted in Figure 3.
XXX a future version of the simple black hole detection state machine might consider icmp PTB messages XXX
+------------+ | PROBE_START| +-----+------+ | Connectivity confirmed | (reachability tests start) PROBE_COUNT >= V MAX_PROBES +------------+ +---------------| PROBE_BASE +->-+ | +-----+------+ | | | ^ | PROBE_COUNT < MAX_PROBES | | +-----+ | V | | PROBE_ACK | PROBE_COUNT | | = MAX_PROBES +------------+ | (reduce +-<-+ PROBE_DONE +->-+ | PLPMTU) | +------+-----+ | | | ^ | ^ | PROBE_COUNT < MAX_PROBES | | | | | | (Contine probing) | +-----+ | +-----+ V V +------------+ | | PROBE_ERROR|<------------+ +------------+
Figure 3: State machine for detecting black holes
A full state machine for DPLPMTUD is depicted in Figure 4. If multihoming is supported, a state machine is needed for each active path.
PROBE_TIMER expiry (PROBE_COUNT = MAX_PROBES) +-------------+ +--------------+ +->| PROBE_START +--------------->|PROBE_DISABLED| PROBE_TIMER expiry | +--+-------+--+ +--------------+ (PROBE_COUNT = | | | MAX_PROBES) +-----+ | Connectivity confirmed v +---------- +------------+ -+ PROBE_TIMER expiry MAX_PMTU acked or | | PROBE_BASE | | (PROBE_COUNT < PTB (>= BASE_PMTU)| +----> +--------+---+ <+ MAX_PROBES) +---------------+ | /\ | | | | | | | PTB | PMTU_RAISE_TIMER| | | | (PTB_SIZE < BASE_PMTU) | or reachability | | | | or | (PROBE_COUNT | | | | PROBE_TIMER expiry | = MAX_PROBES) | | | | (PROBE_COUNT = MAX_PROBES) | +-----------+ | | \ | | PTB | | \ | | (< PROBED_SIZE)| | \ | | | | ---------------+ | | | | | | | | | Probe | | | | | acked | v | | v v +----------+-+ +----+---------+ Probe +-------------+ | PROBE_DONE |<-------------- | PROBE_SEARCH |<-------| PROBE_ERROR | +------+-----+ MAX_PMTU acked +------------+-+ acked +-------------+ /\ | or /\ | | | PROBE_TIMER expiry | | | |(PROBE_COUNT = MAX_PROBES) | | | | | | +----+ +------+ Reachability probe acked PROBE_TIMER expiry or PROBE_TIMER expiry (PROBE_COUNT < MAX_PROBES) (PROBE_COUNT < MAX_PROBES) or Probe acked
Figure 4: State machine for Datagram PLPMTUD
XXX A future version of this document will update the state machine to describe handling of validated PTB messages. XXX
The following states are defined to reflect the probing process:
Appendix A contains an informative description of key events.
This section specifies protocol-specific details for datagram PLPMTUD for IETF-specified transports.
The first subsection provides guidance on how to implement the DPLPMTUD method as a part of an application using UDP or UDP-Lite. The guidance also applies to other datagram services that do not include a specific transport protocol (such as a tunnel encapsulation). The following subsection describe how DPLPMTUD can be implemented as a part of the transport service, allowing applications using the service to benefit from discovery of the PLPMTU without themselves needing to implement this method.
The current specifications of UDP [RFC0768] and UDP-Lite [RFC3828] do not define a method in the RFC-series that supports PLPMTUD. In particular, the UDP transport does not provide the transport layer features needed to implement datagram PLPMTUD.
The DPLPMTUD method can be implemented as a part of an application built directly or indirectly on UDP or UDP-Lite, but relies on higher-layer protocol features to implement the method [RFC8085].
Some primitives used by DPLPMTUD might not be available via the Datagram API (e.g., the ability to access the PLPMTU cache, or interpret received ICMP PTB messages).
In addition, it is desirable that PMTU discovery is not performed by multiple protocol layers. An application SHOULD avoid implementing DPLPMTUD when the underlying transport system provides this capability. Using a common method for manging the PLPMTU has benefits, both in the ability to share state between different processes and opportunities to coordinate probing.
An application needs an application-layer protocol mechanism (such as a message acknowledgement method) that solicits a response from a destination endpoint. The method SHOULD allow the sender to check the value returned in the response to provide additional protection from off-path insertion of data [RFC8085], suitable methods include a parameter known only to the two endpoints, such as a session ID or initialised sequence number.
An application needs an application-layer protocol mechanism to communicate the response from the destination endpoint. This response may indicate successful reception of the probe across the path, but could also indicate that some (or all packets) have failed to reach the destination.
A probe packet that may carry an application data block, but the successful transmission of this data is at risk when used for probing. Some applications may prefer to use a probe packet that does not carry an application data block to avoid disruption to normal data transfer.
An application that does not have other higher-layer information confirming correct delivery of datagrams SHOULD implement the REACHABILITY_TIMER to periodically send probe packets while in the PROBE_DONE state.
An application that is able and wishes to receive PTB messages MUST perform ICMP validation as specified in Section 5.2 of [RFC8085]. This requires that the application to check each received PTB messages to validate it is received in response to transmitted traffic and that the reported link MTU is less than the current probe size. A validated PTB message MAY be used as input to the DPLPMTUD algorithm, but MUST NOT be used directly to set the PLPMTU.
UDP-Options [I-D.ietf-tsvwg-udp-options] can supply the additional functionality required to implement DPLPMTUD within the UDP transport service. This avoids the need for applications to implement the DPLPMTUD method.
This enables padding to be added to UDP datagrams and can be used to provide feedback acknowledgement of received probe packets.
The specification also defines two UDP Options to support DPLMTUD.
Section 5.6 of [I-D.ietf-tsvwg-udp-options] defines the MSS option which allows the local sender to indicate the EMTU_R to the peer. This option can be used to initialise PMTU_MAX. An application wishing to avoid the effects of MSS-Clamping (where a middlebox changes the advertised TCP maximum sending size) ought to use a cryptographic method to encrypt this parameter.
The Request Option allows a sending endpoint to solicit a response from a destination endpoint.
The Request Option carries a four byte token set by the sender. This token can be set to a value that is likely to be known only to the sender (and becomes known to nodes along the end-to-end path). The sender can then check the value returned in the response to provide additional protection from off-path insertion of data [RFC8085].
+---------+--------+-----------------+ | Kind=9 | Len=6 | Token | +---------+--------+-----------------+ 1 byte 1 byte 4 bytes
Figure 5: UDP REQ Option Format
The Response Option is generated by the PL in response to reception of a previously received Echo Request. The Token field associates the response with the Token value carried in the most recently-received Echo Request. The rate of generation of UDP packets carrying a Response Option MAY be rate-limited.
+---------+--------+-----------------+ | Kind=10 | Len=6 | Token | +---------+--------+-----------------+ 1 byte 1 byte 4 bytes
Figure 6: UDP RES Option Format
Section 10.2 of [RFC4821] specifies a recommended PLPMTUD probing method for SCTP. It recommends the use of the PAD chunk, defined in [RFC4820] to be attached to a minimum length HEARTBEAT chunk to build a probe packet. This enables probing without affecting the transfer of user messages and without interfering with congestion control. This is preferred to using DATA chunks (with padding as required) as path probes.
XXX Future versions of this document might define a parameter contained in the INIT and INIT ACK chunk to indicate the remote peer MTU to the local peer. However, multihoming makes this a bit complex, so it might not be worth doing. XXX
The base protocol is specified in [RFC4960]. This provides an acknowledged PL. A sender can therefore enter the PROBE_BASE state as soon as connectivity has been confirmed.
Probe packets consist of an SCTP common header followed by a HEARTBEAT chunk and a PAD chunk. The PAD chunk is used to control the length of the probe packet. The HEARTBEAT chunk is used to trigger the sending of a HEARTBEAT ACK chunk. The reception of the HEARTBEAT ACK chunk acknowledges reception of a successful probe.
The HEARTBEAT chunk carries a Heartbeat Information parameter which should include, besides the information suggested in [RFC4960], the probe size, which is the size of the complete datagram. The size of the PAD chunk is therefore computed by reducing the probing size by the IPv4 or IPv6 header size, the SCTP common header, the HEARTBEAT request and the PAD chunk header. The payload of the PAD chunk contains arbitrary data.
To avoid fragmentation of retransmitted data, probing starts right after the handshake, before data is sent. Assuming normal behaviour (i.e., the PMTU is smaller than or equal to the interface MTU), this process will take a few round trip time periods depending on the number of PMTU sizes probed. The Heartbeat timer can be used to implement the PROBE_TIMER.
Since SCTP provides an acknowledged PL, a sender does MUST NOT implement the REACHABILITY_TIMER while in the PROBE_DONE state.
Normal ICMP validation MUST be performed as specified in Appendix C of [RFC4960]. This requires that the first 8 bytes of the SCTP common header are quoted in the payload of the PTB message, which can be the case for ICMPv4 and is normally the case for ICMPv6.
When a PTB message has been validated, the router Link MTU indicated in the PTB message SHOULD be used with the DPLPMTUD algorithm, providing that the reported Link MTU is less than the current probe size.
The UDP encapsulation of SCTP is specified in [RFC6951].
Packet probing can be performed as specified in Section 5.3.1.1. The maximum payload is reduced by 8 bytes, which has to be considered when filling the PAD chunk.
Since SCTP provides an acknowledged PL, a sender does MUST NOT implement the REACHABILITY_TIMER while in the PROBE_DONE state.
Normal ICMP validation MUST be performed for PTB messages as specified in Appendix C of [RFC4960]. This requires that the first 8 bytes of the SCTP common header are contained in the PTB message, which can be the case for ICMPv4 (but note the UDP header also consumes a part of the quoted packet header) and is normally the case for ICMPv6. When the validation is completed, the router Link MTU size indicated in the PTB message SHOULD be used with the DPLPMTUD providing that the reported link MTU is less than the current probe size.
The Datagram Transport Layer Security (DTLS) encapsulation of SCTP is specified in [RFC8261]. It is used for data channels in WebRTC implementations.
Packet probing can be done as specified in Section 5.3.1.1.
Since SCTP provides an acknowledged PL, a sender does MUST NOT implement the REACHABILITY_TIMER while in the PROBE_DONE state.
It is not possible to perform normal ICMP validation as specified in [RFC4960], since even if the ICMP message payload contains sufficient information, the reflected SCTP common header would be encrypted. Therefore it is not possible to process PTB messages at the PL.
Quick UDP Internet Connection (QUIC) [I-D.ietf-quic-transport] is a UDP-based transport that provides reception feedback.
Section 9.2 of [I-D.ietf-quic-transport] describes the path considerations when sending QUIC packets. It recommends the use of PADDING frames to build the probe packet. This enables probing the without affecting the transfer of other QUIC frames.
This provides an acknowledged PL. A sender can therefore enter the PROBE_BASE state as soon as connectivity has been confirmed.
A probe packet consists of a QUIC Header and a payload containing only PADDING Frames. PADDING Frames are a single octet (0x00) and several of these can be used to create a probe packet of size PROBED_SIZE. QUIC provides an acknowledged PL. A sender can therefore enter the PROBE_BASE state as soon as connectivity has been confirmed.
The current specification of QUIC sets the following:
QUIC provides an acknowledged PL. A sender therefore MUST NOT implement the REACHABILITY_TIMER while in the PROBE_DONE state.
QUIC operates over the UDP transport, and the guidelines on ICMP validation as specified in Section 5.2 of [RFC8085] therefore apply. Although QUIC does not currently specify a method for validating ICMP responses, it does provide some guidelines to make it harder for an off-path attacker to inject ICMP messages.
XXX The above list was pulled whole from quic-transport - input is invited from QUIC contributors. XXX
This work was partially funded by the European Union's Horizon 2020 research and innovation programme under grant agreement No. 644334 (NEAT). The views expressed are solely those of the author(s).
This memo includes no request to IANA.
XXX If new UDP Options are specified in this document, a request to IANA will be included here. XXX
If there are no requirements for IANA, the section will be removed during conversion into an RFC by the RFC Editor.
The security considerations for the use of UDP and SCTP are provided in the references RFCs. Security guidance for applications using UDP is provided in the UDP Usage Guidelines [RFC8085].
There are cases where PTB messages are not delivered due to policy, configuration or equipment design (see Section 1.1), this method therefore does not rely upon PTB messages being received, but is able to utilise these when they are received by the sender. PTB messages could potentially be used to cause a node to inappropriately reduce the PLPMTU. A node supporting DPLPMTUD MUST therefore appropriately validate the payload of PTB messages to ensure these are received in response to transmitted traffic (i.e., a reported error condition that corresponds to a datagram actually sent by the path layer.
Parallel forwarding paths may need to be considered. Section 3.5 identifies the need for robustness in the method when the path information may be inconsistent.
A node performing DPLPMTUD could experience conflicting information about the size of supported probe packets. This could occur when there are multiple paths are concurrently in use and these exhibit a different PMTU. If not considered, this could result in data being black holed when the PLPMTU is larger than the smallest PMTU across the current paths.
An on-path attacker could forge PTB messages to drive down the PLPMTU
[I-D.ietf-quic-transport] | Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed and Secure Transport", Internet-Draft draft-ietf-quic-transport-13, June 2018. |
[I-D.ietf-tsvwg-udp-options] | Touch, J., "Transport Options for UDP", Internet-Draft draft-ietf-tsvwg-udp-options-04, July 2018. |
[RFC0768] | Postel, J., "User Datagram Protocol", STD 6, RFC 768, DOI 10.17487/RFC0768, August 1980. |
[RFC0792] | Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, DOI 10.17487/RFC0792, September 1981. |
[RFC1122] | Braden, R., "Requirements for Internet Hosts - Communication Layers", STD 3, RFC 1122, DOI 10.17487/RFC1122, October 1989. |
[RFC1812] | Baker, F., "Requirements for IP Version 4 Routers", RFC 1812, DOI 10.17487/RFC1812, June 1995. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC2460] | Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, December 1998. |
[RFC3828] | Larzon, L-A., Degermark, M., Pink, S., Jonsson, L-E. and G. Fairhurst, "The Lightweight User Datagram Protocol (UDP-Lite)", RFC 3828, DOI 10.17487/RFC3828, July 2004. |
[RFC4820] | Tuexen, M., Stewart, R. and P. Lei, "Padding Chunk and Parameter for the Stream Control Transmission Protocol (SCTP)", RFC 4820, DOI 10.17487/RFC4820, March 2007. |
[RFC4960] | Stewart, R., "Stream Control Transmission Protocol", RFC 4960, DOI 10.17487/RFC4960, September 2007. |
[RFC6951] | Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream Control Transmission Protocol (SCTP) Packets for End-Host to End-Host Communication", RFC 6951, DOI 10.17487/RFC6951, May 2013. |
[RFC8085] | Eggert, L., Fairhurst, G. and G. Shepherd, "UDP Usage Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, March 2017. |
[RFC8201] | McCann, J., Deering, S., Mogul, J. and R. Hinden, "Path MTU Discovery for IP version 6", STD 87, RFC 8201, DOI 10.17487/RFC8201, July 2017. |
[RFC8261] | Tuexen, M., Stewart, R., Jesup, R. and S. Loreto, "Datagram Transport Layer Security (DTLS) Encapsulation of SCTP Packets", RFC 8261, DOI 10.17487/RFC8261, November 2017. |
[RFC1191] | Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, DOI 10.17487/RFC1191, November 1990. |
[RFC2923] | Lahey, K., "TCP Problems with Path MTU Discovery", RFC 2923, DOI 10.17487/RFC2923, September 2000. |
[RFC4340] | Kohler, E., Handley, M. and S. Floyd, "Datagram Congestion Control Protocol (DCCP)", RFC 4340, DOI 10.17487/RFC4340, March 2006. |
[RFC4821] | Mathis, M. and J. Heffner, "Packetization Layer Path MTU Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007. |
[RFC4890] | Davies, E. and J. Mohacsi, "Recommendations for Filtering ICMPv6 Messages in Firewalls", RFC 4890, DOI 10.17487/RFC4890, May 2007. |
This appendix contains an informative description of key events:
+--------------+ +----------------+ | PROBE_START | --3------------------------------->| PROBE_DISABLED | +--------------+ --4-----------\ +----------------+ \ +--------------+ \ | PROBE_ERROR | --------------- \ +--------------+ \ \ \ \ +--------------+ \ \ +--------------+ | PROBE_BASE | --1---------- \ ------------> | PROBE_BASE | +--------------+ --2----- \ \ +--------------+ \ \ \ +--------------+ \ \ ------------> +--------------+ | PROBE_SEARCH | --2--- \ -----------------> | PROBE_SEARCH | +--------------+ --1---\----\---------------------> +--------------+ \ \ +--------------+ \ \ +--------------+ | PROBE_DONE | \ -------------------> | PROBE_DONE | +--------------+ -----------------------> +--------------+
Condition 1: The maximum PMTU size has not yet been reached. Condition 2: The maximum PMTU size has been reached. Conition 3: Probe Timer expires and PROBE_COUNT = MAX_PROBEs. Condition 4: PROBE_ACK received.
Figure 7: State changes at the arrival of an acknowledgment
+--------------+ +----------------+ | PROBE_START |----------------------------------->| PROBE_DISABLED | +--------------+ +----------------+ +--------------+ +--------------+ | PROBE_ERROR | -----------------> | PROBE_ERROR | +--------------+ / +--------------+ / +--------------+ --2----------/ +--------------+ | PROBE_BASE | --1------------------------------> | PROBE_BASE | +--------------+ +--------------+ +--------------+ +--------------+ | PROBE_SEARCH | --1------------------------------> | PROBE_SEARCH | +--------------+ --2--------- +--------------+ \ +--------------+ \ +--------------+ | PROBE_DONE | -------------------> | PROBE_DONE | +--------------+ +--------------+
Condition 1: The maximum number of probe packets has not been reached. Condition 2: The maximum number of probe packets has been reached.
Figure 8: State changes at the expiration of the probe timer
Note to RFC-Editor: please remove this entire section prior to publication.
Individual draft -00:
Individual draft -01:
Individual draft -02:
Working Group draft -00:
Working Group draft -01:
Working Group draft -02:
Working Group draft -03: