Internet DRAFT - draft-generic-v6ops-tunmtu

draft-generic-v6ops-tunmtu







Network Working Group                                 F. L. Templin, Ed.
Internet-Draft                              Boeing Research & Technology
Intended status: Informational                            March 28, 2013
Expires: September 29, 2013


   Operational Considerations for Tunnel Fragmentation and Reassembly
                   draft-generic-v6ops-tunmtu-13.txt

Abstract

   The Maximum Transmission Unit (MTU) for popular IP-in-IP tunnels is
   currently recommended to be set to 1500 (or less) minus the length of
   the encapsulation headers when static MTU determination is used.
   This requires the tunnel ingress to either fragment any IP packet
   larger than the MTU or drop the packet and return an ICMP Packet Too
   Big (PTB) message.  Concerns for operational issues with Path MTU
   Discovery (PMTUD) point to the possibility of MTU-related black holes
   when a packet is dropped due to an MTU restriction.  The current
   "Internet cell size" is effectively 1500 bytes (i.e., the minimum MTU
   configured by the vast majority of links in the Internet) and should
   therefore also be the minimum MTU assigned to tunnels, but this has
   proven to be problematic in common operational practice.  This
   document therefore discusses operational considerations for tunnel
   fragmentation and reassembly necessary to accommodate this Internet
   cell size.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 29, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.



Templin                Expires September 29, 2013               [Page 1]

Internet-Draft             Tunnel MTU Issues                  March 2013


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Tunnel Fragmentation and Reassembly . . . . . . . . . . . . .   3
   3.  Jumbo Packet Accommodation  . . . . . . . . . . . . . . . . .   5
   4.  Common Tunneling Mechanisms . . . . . . . . . . . . . . . . .   5
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   7.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   5
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   The Maximum Transmission Unit (MTU) for popular IP-in-IP tunnels is
   currently recommended to be set to 1500 (or less) minus the length of
   the encapsulation headers when static MTU determination is used.
   This requires the tunnel ingress to either fragment any IP packet
   larger than the MTU or drop the packet and return an ICMP Packet Too
   Big (PTB) message [RFC0791][RFC2460].  Concerns for operational
   issues with Path MTU Discovery (PMTUD) [RFC1191][RFC1981] point to
   the possibility of MTU-related black holes when a packet is dropped
   due to an MTU restriction.  The current "Internet cell size" is
   effectively 1500 bytes (i.e., the minimum MTU configured by the vast
   majority of links in the Internet) and should therefore also be the
   minimum MTU assigned to tunnels, but this has proven to be
   problematic in common operational practice.

   [RFC4459] discusses "MTU and Fragmentation Issues with In-the-Network
   Tunneling" and provides a comprehensive study of the various
   techniques that could be applied to alleviate the issues, including:

   1.  Fragmenting all too big encapsulated packets to fit in the paths,
       and reassembling them at the tunnel endpoints.





Templin                Expires September 29, 2013               [Page 2]

Internet-Draft             Tunnel MTU Issues                  March 2013


   2.  Signal to all the sources whose traffic must be encapsulated, and
       is larger than fits, to send smaller packets, e.g., using PMTUD.

   3.  Ensure that in the specific environment, the encapsulated packets
       will fit in all the paths in the network, e.g., by using MTU
       bigger than 1500 in the backbone used for encapsulation.

   4.  Fragmenting the original too big packets so that their fragments
       will fit, even encapsulated, in the paths, and reassembling them
       at the destination nodes.  Note that this approach is only
       available for IPv4 under certain assumptions.

   After considerable effort by many individuals since the publication
   of [RFC4459], these four alternatives continue to cover the domain of
   potential solutions - all of which have drawbacks and/or
   impracticalities.  In this document, we discuss further
   considerations within the framework of the only solution alternative
   that can be applied generically - namely, fragmentation and
   reassembly at the tunnel endpoints.

2.  Tunnel Fragmentation and Reassembly

   Pushing the tunnel MTU to 1500 bytes or beyond is met with the
   challenge that the addition of encapsulation headers would cause an
   inner IP packet that is 1500 bytes (or slightly smaller) to appear as
   a slightly larger than 1500 byte outer IP packet on the wire, where
   it may be too large to traverse the path in one piece.  When an IP
   tunnel configures an MTU smaller than 1500 bytes, packets that are
   small enough to traverse earlier links in the path toward the final
   destination may be dropped at the tunnel ingress which then returns a
   PTB message to the original source.  However, operational experience
   has shown that the PTB messages can be lost in the network [RFC2923],
   in which case the source does not receive notification of the loss.

   It is therefore highly desirable that the tunnel configure an MTU of
   at least 1500 bytes even though encapsulation would cause some
   tunneled packets to be slightly larger than 1500 bytes.  In that
   case, the tunnel ingress would need to make special adaptations to
   deliver packets that are no larger than 1500 bytes yet larger than
   can be accommodated in a single piece.











Templin                Expires September 29, 2013               [Page 3]

Internet-Draft             Tunnel MTU Issues                  March 2013


   One possibility is to use IP fragmentation of the inner IP layer
   protocol before encapsulation so that inner packet fragments can be
   delivered via the tunnel without loss due to a size restriction and
   then reassembled at the final destination.  This option removes the
   burden from the tunnel endpoints, but is only available for IPv4
   packets (since IPv6 deprecates router fragmentation [RFC2460]), and
   is further only available when the IPv4 header sets the Don't
   Fragment (DF) bit in the IPv4 header to 0.

   A second possibility is to use IP fragmentation of the outer IP layer
   protocol following encapsulation so that the outer packet fragments
   can be delivered via the tunnel without loss due to a size
   restriction and then reassembled at the tunnel egress.  This option
   is available for tunnels over both IPv4 and IPv6, and indeed the
   tunnel ingress is permitted to use IPv6 fragmentation since it is
   acting as a "host" (i.e., and not a router) for the encapsulated
   packets it produces.  While IPv6 fragmentation is assumed to be "safe
   at all speeds", IPv4 fragmentation can be dangerous at high data
   rates due to the possibility of Identification field wrapping while
   reassemblies are still active [RFC4963][RFC6864].  Also, if outer IP
   fragmentation were used the tunnel ingress has no assurance that the
   egress can reassemble packets larger than 1500 bytes, since the
   Minimum Reassembly Unit (MRU) is 1500 bytes for IPv6 [RFC2460] and
   only 576 bytes for IPv4 [RFC1122].  Finally, recent studies have
   shown that IPv6 fragments are sometimes dropped in the network due to
   middlebox misconfigurations [I-D.taylor-v6ops-fragdrop].

   A third possibility for accommodating inner packets that are slightly
   too large is the use of "tunnel fragmentation" based on a mid-layer
   encapsulation that is inserted between the inner and outer IP
   headers.  Tunnel fragmentation requires separate packet
   Identification and segmentation control bits in the mid-layer
   encapsulation that are distinct from those that appear in the inner
   and/or outer headers.  As for outer fragmentation, the tunnel egress
   is responsible for reassembly.  Tunnel fragmentation can be
   particularly useful for tunnels over IPv4, since the mid-layer
   encapsulation can include an extended Identification field that
   avoids the identification wrapping issue discussed above.  However,
   tunnel fragmentation is not used in common widely-deployed tunneling
   mechanisms at the time of this writing.  An example of tunnel
   fragmentation appears in SEAL [I-D.templin-intarea-seal].

   Following any inner, tunnel or outer fragmentation, the ingress must
   allow the encapsulated packets or fragments to be further fragmented
   by a router on the path that configures a link with a too-small MTU.
   These fragments would be reassembled by the tunnel egress the same as
   if the fragmentation occurred within the tunnel ingress.  This final
   form of fragmentation is undesirable and should be avoided if at all



Templin                Expires September 29, 2013               [Page 4]

Internet-Draft             Tunnel MTU Issues                  March 2013


   possible through the application of fragmentation at the tunnel
   ingress.  However, common widely-deployed tunneling mechanisms at the
   time of this writing make no such provisions.

3.  Jumbo Packet Accommodation

   In addition to failure to accommodate packets up to 1500 bytes in
   length, current tunneling solutions typically do not make provisions
   for delivering packets that are larger than 1500 bytes.  As long as
   they are no larger than the underlying link used for tunneling, the
   tunnel ingress should admit such "jumbo" packets into the tunnel and
   allow them to either be delivered to the egress in one piece or be
   dropped with the possibility of a PTB message being returned.  The
   original host will then be able to determine the correct packet sizes
   whether or not PTB messages are delivered if it is using [RFC4821].
   However, this approach is not used in common widely-deployed
   tunneling mechanisms at the time of this writing.

4.  Common Tunneling Mechanisms

   The operational issues discussed in this document apply to existing
   IPv6-in-IPv4 transition mechanisms, including configured tunnels
   [RFC4213], 6to4 [RFC3056], Teredo [RFC4380], ISATAP [RFC5214], DSMIP
   [RFC5555], 6rd [RFC5969], etc.

   The issues further apply to existing IP-in-IP tunneling mechanisms of
   all varieties, including GRE [RFC1701], IPv4-in-IPv4 [RFC2003], IPv6
   -in-IPv6 [RFC2473], IPv4-in-IPv6 [RFC6333], IPsec [RFC4301], etc.

5.  IANA Considerations

   There are no IANA considerations for this document.

6.  Security Considerations

   The security considerations for the various tunneling mechanisms
   apply also to this document.

7.  Acknowledgments

   This method was inspired through discussion on the IETF v6ops and
   NANOG mailing lists in the May/June 2012 timeframe.









Templin                Expires September 29, 2013               [Page 5]

Internet-Draft             Tunnel MTU Issues                  March 2013


8.  References

8.1.  Normative References

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791, September
              1981.

   [RFC2460]  Deering, S.E. and R.M. Hinden, "Internet Protocol, Version
              6 (IPv6) Specification", RFC 2460, December 1998.

   [RFC4459]  Savola, P., "MTU and Fragmentation Issues with In-the-
              Network Tunneling", RFC 4459, April 2006.

8.2.  Informative References

   [I-D.taylor-v6ops-fragdrop]
              Jaeggli, J., Colitti, L., Kumari, W., Vyncke, E., Kaeo,
              M., and T. Taylor, "Why Operators Filter Fragments and
              What It Implies", draft-taylor-v6ops-fragdrop-00 (work in
              progress), October 2012.

   [I-D.templin-intarea-seal]
              Templin, F., "The Subnetwork Encapsulation and Adaptation
              Layer (SEAL)", draft-templin-intarea-seal-52 (work in
              progress), March 2013.

   [RFC1122]  Braden, R., "Requirements for Internet Hosts -
              Communication Layers", STD 3, RFC 1122, October 1989.

   [RFC1191]  Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191,
              November 1990.

   [RFC1701]  Hanks, S., Li, T., Farinacci, D., and P. Traina, "Generic
              Routing Encapsulation (GRE)", RFC 1701, October 1994.

   [RFC1981]  McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery
              for IP version 6", RFC 1981, August 1996.

   [RFC2003]  Perkins, C., "IP Encapsulation within IP", RFC 2003,
              October 1996.

   [RFC2473]  Conta, A. and S. Deering, "Generic Packet Tunneling in
              IPv6 Specification", RFC 2473, December 1998.

   [RFC2923]  Lahey, K., "TCP Problems with Path MTU Discovery", RFC
              2923, September 2000.





Templin                Expires September 29, 2013               [Page 6]

Internet-Draft             Tunnel MTU Issues                  March 2013


   [RFC3056]  Carpenter, B. and K. Moore, "Connection of IPv6 Domains
              via IPv4 Clouds", RFC 3056, February 2001.

   [RFC4213]  Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms
              for IPv6 Hosts and Routers", RFC 4213, October 2005.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC4380]  Huitema, C., "Teredo: Tunneling IPv6 over UDP through
              Network Address Translations (NATs)", RFC 4380, February
              2006.

   [RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU
              Discovery", RFC 4821, March 2007.

   [RFC4963]  Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly
              Errors at High Data Rates", RFC 4963, July 2007.

   [RFC5214]  Templin, F., Gleeson, T., and D. Thaler, "Intra-Site
              Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214,
              March 2008.

   [RFC5555]  Soliman, H., "Mobile IPv6 Support for Dual Stack Hosts and
              Routers", RFC 5555, June 2009.

   [RFC5969]  Townsley, W. and O. Troan, "IPv6 Rapid Deployment on IPv4
              Infrastructures (6rd) -- Protocol Specification", RFC
              5969, August 2010.

   [RFC6333]  Durand, A., Droms, R., Woodyatt, J., and Y. Lee, "Dual-
              Stack Lite Broadband Deployments Following IPv4
              Exhaustion", RFC 6333, August 2011.

   [RFC6864]  Touch, J., "Updated Specification of the IPv4 ID Field",
              RFC 6864, February 2013.

Author's Address

   Fred L. Templin (editor)
   Boeing Research & Technology
   P.O. Box 3707
   Seattle, WA  98124
   USA

   Email: fltemplin@acm.org




Templin                Expires September 29, 2013               [Page 7]