Network Working Group | B. Trammell |
Internet-Draft | M. Kuehlewind |
Intended status: Experimental | ETH Zurich |
Expires: June 26, 2017 | December 23, 2016 |
Path Layer UDP Substrate Specification
draft-trammell-plus-spec-00
This document specifies a common Path Layer UDP Substrate (PLUS) wire image for encrypted transport protocols carried over UDP. The base PLUS header carries information for driving a minimal state machine at middleboxes described in [I-D.trammell-plus-statefulness], and provides optional exposure of additional information to devices along the path using the mechanism described in [I-D.trammell-plus-abstract-mech].
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 26, 2017.
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document defines a wire image for a Path Layer UDP Substrate (PLUS), for limited exposure of information from encrypted, UDP-encapsulated transport protocols. The wire image implements signaling to drive the minimal state machine defined in [I-D.trammell-plus-statefulness] as well as optional exposure of additional information to devices along the path using the mechanism described in [I-D.trammell-plus-abstract-mech].
As discussed in [I-D.hardie-path-signals], basic information about flows currently exposed by TCP are missing from transport protocols that encrypt their headers. Given the ossification of protocol wire images due to the widespread deployment of stateful network devices that rely on header inspection, this header encryption is necessary to support transport protocol evolution. However, the loss of basic information for on-path state maintenance as well as network performance measurement, diagnostics, and troubleshooting via header encryption makes network management more difficult. The PLUS wire image defined by this document aims to mitigate this difficulty, allowing deployment of encrypted protocols without loss of essential in- network functionality.
This wire image is intended primarily to support state maintenance and measurement; the principles of measurement and primitives we aim to support are drawn from recent work on explicit measurability in protocol design [IPIM].
Every packet in each direction of a flow using PLUS MUST carry either a PLUS basic or PLUS extended header. The PLUS basic header supports multiplexing using a connection token; basic state maintenance using association and confirmation signals, packet serial numbers, and a two-way stop signal; and basic measurability using packet serial number echo. The format of the basic header, together with the UDP header, is shown in Figure 1.
The extended header is defined in Section 3.
3 2 1 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 +------------------------------+-------------------------------+ | UDP source port | UDP destination port | +------------------------------+-------------------------------+ | UDP length | UDP checksum | +------------------------------+-------------------------------+ | magic | +--------------------------------------------------------------+ | | +- connection/association token CAT -+ | | +--------------------------------------------------------------+ | packet serial number PSN | +--------------------------------------------------------------+ | packet serial echo PSE | +-+-+-+-+-------+-----------------------------------------------+ |S|0|L|R| ign | \ +-+-+-+-+-------+ / / \ \ transport protocol header/payload (encrypted) / / \
Figure 1: PLUS header with basic exposure
Fields are encoded in network byte order and are defined as follows:
Since PLUS is designed to be used for UDP-encapsulated, encrypted transport protocols, overlying transports are presumed to provide encryption and integrity protection for their own headers. For the sake of efficiency, it is also assumed that this integrity protection can be extended to the bits in the PLUS Basic Header.
When a sender has a packet ready to send using PLUS, it determines the values in the Basic Header as follows:
When a receiver receives a packet containing a PLUS Basic Header, it processes the values in the Basic Header as follows:
The basic header provides all the signals necessary to drive the transport- independent state machine described in [I-D.trammell-plus-statefulness], as shown in Figure 2.
`- - - - - - - - - - - - - - - - - - - - - - - - - - - -' ` +============+ a->b +============+ ' ` / \--------->/ \<-+ ' +--->( zero ) ( uniflow ) | a->b ' ^ ` \ /<---------\ /--+ ' | ` +============+ TO_IDLE +============+ ' | `- - - - - - - - - - - - - - - | b->a - - - - - - - - -' | V | +============+ | TO_IDLE / \ +<-----------------------( associating ) | \ / | +============+ | | a->b | V | +============+ | TO_ASSOCIATED / \<-+ +<-----------------------( associated ) | a<->b | \ /--+ | +============+ | | stop y->z | V | +============+ | TO_ASSOCIATED / \<-+ +<-----------------( half-close ) | a<->b | \ /--+ | +============+ | | stop z->y | V | +============+ | TO_CLOSING / \ +------------( closing ) \ / +============+
Figure 2: Transport-independent state machine as implemented by PLUS
A PLUS-aware on-path device forwarding a packet with a PLUS Basic Header with a 5-tuple and CAT it does not have state for moves that flow to the uniflow state. It will move the flow back to zero state after not seeing a packet on the same flow in the same direction with the same CAT within a timeout interval TO_IDLE, and continues forwarding packets in that direction (the a->b direction in Figure 2).
A PLUS-aware on-path device forwarding a packet with a PLUS Basic Header with a matching 5-tuple and CAT as a flow in the uniflow state, but in the opposite direction (the b->a direction in Figure 2), moves that flow to the associating state. It stores the PSN of the packet that caused this transition, and waits for a packet in the a->b direction containing a PSE indicating that that packet has been received. When it sees that packet, it transitions the flow to associated state. Otherwise, it drops state after a timeout interval TO_IDLE.
Once a flow has moved to the associated state, it will remain in that state for a timeout interval TO_ASSOCIATED. The on-path device forwards any packet with a PLUS Basic Header in either direction for this flow. It resets the TO_ASSOCIATED timer for every packet it forwards in this state.
A PLUS-aware on-path device forwarding a packet for a flow in the associated state with an S flag set moves that flow to half-close state. It stores the PSN on the packet causing the transition, and continues forwarding packets as if in associated state, dropping state on timeout interval TO_ASSOCIATED.
When it sees a packet in the opposite direction with the S flag set and the PSE set to exactly the stored PSN, it transitions the flow to closing state. The device will forward packets in both directions for flows in the closing state within a timeout interval TO_CLOSING; these packets will not reset the timer. See Section 2.3.2 for details.
Note that even though the S flag is integrity-protected end to end, a packet with the S flag set could be forged by one on-path device to drive the flow into half-close state on all downstream devices. However, this attack is of severely limited utility. First, it would require coordination between attackers on both sides of a given on-path device in order to forge a confirmation of the stop signal – a flag with the S bit set and a valid PSE corresponding to the PSN of the first stop signal to drive the flow into closing state. Second, the information in the Basic Header on each packet will drive the state machine into associated state even in the middle of a flow, enabling fast recovery even in the case of such a coordinated attack.
A PLUS-aware on-path device forwarding a packet for a flow in the zero state, where one of the endpoint identifiers (address and port) and the CAT, but not the other endpoint identifier, match a flow in a non-zero state, accounts that packet to the existing flow, updating the changed endpoint identifier. This allows fast rebinding of state in case of changes in network address translation or connectivity of the sender.
The basic header trivially supports passive two-way delay measurement as well as partial loss estimation at a single observation point.
To calculate two-way delay, an observation point calculates the delay between seeing a PSN and a corresponding PSE in each direction, then adds the delays from each direction together. The fact that the PSN increments by one for every packet, including packets carrying retransmitted data or only control traffic, makes this measurement much simpler than the equivalent measurement using TCP sequence and acknowledgment numbers.
To calculate loss upstream from an observation point in each direction, the observation point simply counts skips in the PSN number space. Since PLUS does not expose information about retransmissions (and, indeed, may not even carry a transport that uses retransmission for loss recovery), loss downstream from the observation point cannot be observed.
Additional facilities for communicating with on-path devices under endpoint control are provided by the PLUS Extended Header. The extended header shares the layout of its first 21 bytes with the PLUS Basic Header, except the Extended Header bit (0x40 on byte 20) is set. As with the Basic Header, overlying transports are presumed to provide encryption and integrity protection for the PLUS Extended Header.
The Extended Header shown in Figure 3 provides for a single Sender to Path or Path to Receiver information element, as in [I-D.trammell-plus-abstract-mech], to appear on the packet, within a Path Communication Field. PCF Type information is carried in Byte 21 of the header, with the length of the PCF value to be determined by its type.
Further details of PCF encoding are not yet defined in this revision of the specification; the remainder of this section discusses the types of information elements to be supported. The exact encoding of PCF type and value information are to be derived from an analysis of the requirements of these Information Elements.
3 2 1 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 +------------------------------+-------------------------------+ | UDP source port | UDP destination port | +------------------------------+-------------------------------+ | UDP length | UDP checksum | +------------------------------+-------------------------------+ | magic | +--------------------------------------------------------------+ | | +- connection/association token CAT -+ | | +--------------------------------------------------------------+ | packet serial number PSN | +--------------------------------------------------------------+ | packet serial echo PSE | +-+-+-+-+-------+---------------+------------------------------+ |S|1|L|R| ign | PCF Type | / +-+-+-+-+-------+---------------+ \ \ / / PCF value (variable-length) \ \ / +--------------------------------------------------------------+ / \ \ transport protocol header/payload (encrypted) / / \
Figure 3: PLUS extended header (conceptual; details TBD)
As described in [I-D.trammell-plus-abstract-mech], there are two types of signals: Path to Receiver signals, which allow devices along the path to provide information about the path or its treatment of the flow to the receiver; and Sender to Path signals, which allow the sender to expose information about itself or the flow to the path. Path to Receiver signals are treated specially by header integrity protection, as their values, but not length or type, may be changed by devices on path: the value of a given path- to-receiver signal is assumed to be an appropriately sized array of zero bytes by the integrity protection facility.
Path to Receiver signals generally take the form of accumulators: initialized to some value by the sender, and subject to some aggregation function by each on-path device that understands them. Sender to Path signals are generally used to expose information about the traffic for measurement or diagnostic purposes. In any case, the information sent and received is to be treated as advisory only.
We have identified the following sender to path signals as potentially useful for measurement and diagnostic purposes. These signals are advisory only, and should not be presumed by either the endpoints or devices along the path to affect forwarding behavior.
We have identified the following path to receiver signals as potentially useful. Note that accumulated values for use at the sender must be fed back to the sender by the overlying transport, and that the presence of non-PLUS aware devices on path at breaks in MTU mean that the accumulated value can only be used as a hint to processes for measurement and discovery of the accumulated values at the sender.
This document has no actions for IANA. Path communication field types and PLUS magic numbers may be moved to a Standards Action registry in a future revision.
[EDITOR’S NOTE: write me]
This work is partially supported by the European Commission under Horizon 2020 grant agreement no. 688421 Measurement and Architecture for a Middleboxed Internet (MAMI), and by the Swiss State Secretariat for Education, Research, and Innovation under contract no. 15.0268. This support does not imply endorsement.
[I-D.hardie-path-signals] | Hardie, T., "Path signals", Internet-Draft draft-hardie-path-signals-00, October 2016. |
[I-D.ietf-quic-transport] | Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed and Secure Transport", Internet-Draft draft-ietf-quic-transport-00, November 2016. |
[I-D.trammell-plus-abstract-mech] | Trammell, B., "Abstract Mechanisms for a Cooperative Path Layer under Endpoint Control", Internet-Draft draft-trammell-plus-abstract-mech-00, September 2016. |
[I-D.trammell-plus-statefulness] | Kuehlewind, M., Trammell, B. and J. Hildebrand, "Transport-Independent Path Layer State Management", Internet-Draft draft-trammell-plus-statefulness-02, December 2016. |
[IPIM] | Allman, M., Beverly, R. and B. Trammell, "In-Protocol Internet Measurement (arXiv preprint 1612.02902)", December 2016. |
[RFC0793] | Postel, J., "Transmission Control Protocol", STD 7, RFC 793, DOI 10.17487/RFC0793, September 1981. |
[RFC2474] | Nichols, K., Blake, S., Baker, F. and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, DOI 10.17487/RFC2474, December 1998. |
[RFC7323] | Borman, D., Braden, B., Jacobson, V. and R. Scheffenegger, "TCP Extensions for High Performance", RFC 7323, DOI 10.17487/RFC7323, September 2014. |
[RFC7675] | Perumal, M., Wing, D., Ravindranath, R., Reddy, T. and M. Thomson, "Session Traversal Utilities for NAT (STUN) Usage for Consent Freshness", RFC 7675, DOI 10.17487/RFC7675, October 2015. |