Encapsulating IP in UDPHuaweixuxiaohu@huawei.comBroadcomhamid.assarpour@broadcom.comJunipermashao@juniper.netComcastYiu_Lee@Cable.Comcast.comChina Telecomfanyb@gsta.com
Internet Area
INTAREA Working GroupSampleDraftExisting IP-in-IP encapsulation technologies are not adequate for
efficient load balancing of IP-in-IP traffic across IP networks. This
document specifies additional IP-in-IP encapsulation technology,
referred to as IP-in-UDP (User Datagram Protocol), which can facilitate
the load balancing of IP-in-IP traffic across IP networks.The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.To fully utilize the bandwidth available in IP networks and/or
facilitate recovery from a link or node failure, load balancing of
traffic over Equal Cost Multi-Path (ECMP) and/or Link Aggregation Group
(LAG) across IP networks is widely used. [RFC5640] describes a method
for improving the load balancing efficiency in a network carrying
IP-in-IP traffic [RFC5565] over Layer Two Tunneling Protocol - Version 3
(L2TPv3) [RFC3931] and Generic Routing Encapsulation (GRE) [RFC2784]
encapsulations. However, this method requires core routers to perform
hash calculation on the "load- balancing" field contained in tunnel
encapsulation headers (i.e., the Session ID field in L2TPv3 headers or
the Key field in GRE headers), which is not widely supported by existing
core routers.Most existing routers in IP networks are already capable of
distributing IP traffic "microflows" [RFC2474] over ECMP paths and/or
LAG based on the hash of the five-tuple of User Datagram Protocol (UDP)
[RFC0768] and Transmission Control Protocol (TCP) packets (i.e., source
IP address, destination IP address, source port, destination port, and
protocol). By encapsulating the IP traffic into an UDP tunnel and using
the source port of the UDP header as an entropy field, the existing
load-balancing capability as mentioned above can be leveraged to provide
fine-grained load-balancing of IP-in-IP traffic over IP networks. This
is similar to why LISP [RFC6830] , MPLS-in-UDP [RFC7510] and VXLAN
[RFC7348] use UDP encapsulation. Therefore, this specification defines
an IP-in-UDP encapsulation method which is an alternative encapsulation
used in [RFC5565] in addition to L2TPv3 and GRE.IPv6 flow label has been proposed as an entropy field for load
balancing in IPv6 network environment [RFC6438]. However, as stated in
[RFC6936], the end-to-end use of flow labels for load balancing is a
long-term solution and therefore the use of load balancing using the
transport header fields would continue until any widespread deployment
is finally achieved. As such, IP-in-UDP encapsulation would still have a
practical application value in the IPv6 networks during this transition
timeframe. Of course, it RECOMMENDED that the IPv6 flow label is filled
with an entropy value as well. In this way, core routers could perform
load-balancing of IP-in-IP traffic based on either the IPv6 flow label
or the UDP five tuple accordingly.Similarly, the IP-in-UDP encapsulation format defined in this
document by itself cannot ensure the integrity and privacy of data
packets being transported through the IP-in-UDP tunnels and cannot
enable the tunnel decapsulators to authenticate the tunnel encapsulator.
Therefore, in the case where any of the above security issues is
concerned, the IP-in-UDP SHOULD be secured with IPsec [RFC4301] or DTLS
[RFC6347]. For more details, please see Section 6 of Security
Considerations.This memo makes use of the terms defined in .IP-in-UDP encapsulation format is shown as follows: Source Port of UDP: This field contains a 16-bit entropy value that is generated
by the encapsulator to uniquely identify a flow. What
constitutes a flow is locally determined by the encapsulator and
therefore is outside the scope of this document. What algorithm
is actually used by the encapsulator to generate an entropy
value is outside the scope of this document. In case the tunnel does not need entropy, this field of all
packets belonging to a given flow SHOULD be set to a randomly
selected constant value so as to avoid packet reordering. To ensure that the source port number is always in the range
49152 to 65535 (Note that those ports less than 49152 are
reserved by IANA to identify specific applications/protocols)
which may be required in some cases, instead of calculating a
16-bit hash, the encapsulator SHOULD calculate a 14-bit hash and
use those 14 bits as the least significant bits of the source
port field while the most significant two bits SHOULD be set to
binary 11. That still conveys 14 bits of entropy information
which would be enough as well in practice.Destination Port of UDP:This field is set to a value (TBD1) allocated by IANA to
indicate that the UDP tunnel payload is an IP packet. As for
whether the encapsulated IP packet is IPv4 or IPv6, it would be
determined according to the Version field in the IP header of
the encapsulated IP packet.UDP Length:The usage of this field is in accordance with the current UDP
specification [RFC0768].UDP Checksum:For IPv4 UDP encapsulation, this field is RECOMMENDED to be
set to zero for performance or implementation reasons because
the IPv4 header includes a checksum and use of the UDP checksum
is optional with IPv4. For IPv6 UDP encapsulation, the IPv6
header does not include a checksum, so this field MUST contain a
UDP checksum that MUST be used as specified in [RFC0768] and
[RFC2460] unless one of the exceptions that allows use of UDP
zero-checksum mode (as specified in [RFC6935]) applies.IP Packet:This field contains one IP packet.This IP-in-UDP encapsulation causes E-IP [RFC5565] packets to be
forwarded across an I-IP [RFC5565] transit core via "UDP tunnels". While
performing IP-in-UDP encapsulation, an ingress AFBR (e.g. PE router)
would generate an entropy value and encode it in the Source Port field
of the UDP header. The Destination Port field is set to a value (TBD1)
allocated by IANA to indicate that the UDP tunnel payload is an IP
packet. Transit routers, upon receiving these UDP encapsulated IP
packets, could balance these packets based on the hash of the five-tuple
of UDP packets. Egress AFBRs receiving these UDP encapsulated IP packets
MUST decapsulate these packets by removing the UDP header and then
forward them accordingly (assuming that the Destination Port was set to
the reserved value pertaining to IP).Similar to all other IP-in-IP tunneling technologies, IP-in-UDP
encapsualtion introduces overheads and reduces the effective Maximum
Transmision Unit (MTU) size. IP-in-UDP encapsulation may also impact
Time-to-Live (TTL) or Hop Count (HC) and Differentiated Services (DSCP).
Hence, IP-in-UDP MUST follow the corresponding procedures defined in
[RFC2003].Ingress AFBRs MUST NOT fragment I-IP packets (i.e., UDP encapsulated
IP packets), and when the outer IP header is IPv4, ingress AFBRs MUST
set the DF bit in the outer IPv4 header. It is strongly RECOMMENDED that
I-IP transit core be configured to carry an MTU at least large enough to
accommodate the added encapsulation headers. Meanwhile, it is strongly
RECOMMENDED that Path MTU Discovery [RFC1191] [RFC1981] or Packetization
Layer Path MTU Discovery (PLPMTUD) [RFC4821] is used to prevent or
minimize fragmentation. Once an ingress AFBR needs to perform
fragmentation on an E-IP packet before encapsulating, it MUST use the
same source UDP port for all fragmented packets so as to ensures these
fragmented packets are always forwarded on the same path. Note that
fragmentation on E-IP packets is possible only when the E-IP packets are
IPv4 packets and the DF bit is not set.Section 3.1.3 of [RFC5405] discussed the congestion implications of
UDP tunnels. As discussed in [RFC5405], because other flows can share
the path with one or more UDP tunnels, congestion control [RFC2914]
needs to be considered. As specified in [RFC5405]:"IP-based traffic is generally assumed to be congestion- controlled,
i.e., it is assumed that the transport protocols generating IP-based
traffic at the sender already employ mechanisms that are sufficient to
address congestion on the path. Consequently, a tunnel carrying IP-based
traffic should already interact appropriately with other traffic sharing
the path, and specific congestion control mechanisms for the tunnel are
not necessary".Since IP-in-UDP is only used to carry IP traffic which is generally
assumed to be congestion controlled by the transport layer, it generally
does not need additional congestion control mechanisms. Furthermore, as
it is explicitly stated in the Application Statements (Section 1.2),
this IP-in-UDP encapsulation method MUST only be used within networks
that are well-managed, therefore, congestion controll mechanism is not
needed.This IP-in-UDP encapsulation technology MUST only be used within
networks which are well-managed by a service provider and MUST NOT be
used within the Internet. In the well-managed network, traffic is
well-managed to avoid congestion and fragementation on encapsulated
packets (i.e., I-IP packets) are not needed.Thanks to Vivek Kumar, Carlos Pignataro and Mark Townsley for their
valuable comments on the initial idea of this document. Thanks to Andrew
G. Malis, Joe Touch and Brian E Carpenter for their valuable comments on
this document.One UDP destination port number indicating IP needs to be allocated
by IANA:One UDP destination port number indicating IP with DTLS needs to be
allocated by IANA:The security problems faced with the IP-in-UDP tunnel are exactly the
same as those faced with IP-in-IP [RFC2003] and IP-in-GRE tunnels
[RFC2784]. In other words, the IP-in-UDP tunnel as defined in this
document by itself cannot ensure the integrity and privacy of data
packets being transported through the IP-in-UDP tunnel and cannot enable
the tunnel decapsulator to authenticate the tunnel encapsulator. In the
case where any of the above security issues is concerned, the IP-in-UDP
tunnel SHOULD be secured with IPsec or DTLS. IPsec was designed as a
network security mechanism and therefore it resides at the network
layer. As such, if the tunnel is secured with IPsec, the UDP header
would not be visible to intermediate routers anymore in either IPsec
tunnel or transport mode. As a result, the meaning of adopting the
IP-in-UDP tunnel as an alternative to the IP- in-GRE or IP-in-IP tunnel
is lost. By comparison, DTLS is better suited for application security
and can better preserve network and transport layer protocol
information. Specifically, if DTLS is used, the destination port of the
UDP header will be filled with a value (TBD2) indicating IP with DTLS
and the source port can still be used as an entropy field for
load-sharing purposes.If the tunnel is not secured with IPsec or DTLS, some other method
should be used to ensure that packets are decapsulated and forwarded by
the tunnel tail only if those packets were encapsulated by the tunnel
head. If the tunnel lies entirely within a single administrative domain,
address filtering at the boundaries can be used to ensure that no packet
with the IP source address of a tunnel endpoint or with the IP
destination address of a tunnel endpoint can enter the domain from
outside. However, when the tunnel head and the tunnel tail are not in
the same administrative domain, this may become difficult, and filtering
based on the destination address can even become impossible if the
packets must traverse the public Internet. Sometimes only source address
filtering (but not destination address filtering) is done at the
boundaries of an administrative domain. If this is the case, the
filtering does not provide effective protection at all unless the
decapsulator of an IP- in-UDP validates the IP source address of the
packet.