Internet DRAFT - draft-herbert-gue-encap-considerations

draft-herbert-gue-encap-considerations



 



INTERNET-DRAFT                                                T. Herbert
Intended Status: Informational                                  Facebook
Expires: September 27, 2015                                      L. Yong
                                                                  Huawei
                                                                  O. Zia
                                                               Microsoft
                                                          March 26, 2015


                  Encapsulation Considerations for GUE
               draft-herbert-gue-encap-considerations-01


Abstract

   This document provides a description of how Generic UDP Encapsulation
   addresses the encapsulation considerations that are described in the
   "Encapsulation Considerations" Internet Draft.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html


Copyright and License Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
 


Herbert, Yong, Zia      Expires September, 2015                 [Page 1]

INTERNET DRAFT    Encapsulation Considerations for GUE    March 26, 2015


   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Table of Contents

   1  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2  Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3  Next-protocol indication  . . . . . . . . . . . . . . . . . . .  4
   4  MTU and Fragmentation . . . . . . . . . . . . . . . . . . . . .  4
   5  OAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5
     5.1 Active OAM . . . . . . . . . . . . . . . . . . . . . . . . .  5
     5.2 Passive OAM  . . . . . . . . . . . . . . . . . . . . . . . .  5
   6  Security Considerations . . . . . . . . . . . . . . . . . . . .  5
     6.1 Integrity and authentication of the encapsulation  . . . . .  5
     6.2 Packet level security  . . . . . . . . . . . . . . . . . . .  6
   7  QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  6
   8  Congestion Considerations . . . . . . . . . . . . . . . . . . .  6
   9  Header Protection . . . . . . . . . . . . . . . . . . . . . . .  7
   10 Extensibility Considerations  . . . . . . . . . . . . . . . . .  7
   11 Layering Considerations . . . . . . . . . . . . . . . . . . . .  8
   12 Service Model . . . . . . . . . . . . . . . . . . . . . . . . .  8
   13 Hardware Friendly . . . . . . . . . . . . . . . . . . . . . . .  8
     13.1 Switch friendliness . . . . . . . . . . . . . . . . . . . .  8
     13.2 Host friendliness . . . . . . . . . . . . . . . . . . . . .  9
   14 Middlebox Considerations  . . . . . . . . . . . . . . . . . . . 10
   15 Network virtualization  . . . . . . . . . . . . . . . . . . . . 10
   16  References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
     16.1  Normative References . . . . . . . . . . . . . . . . . . . 12
     16.2  Informative References . . . . . . . . . . . . . . . . . . 12
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13











 


Herbert, Yong, Zia      Expires September, 2015                 [Page 2]

INTERNET DRAFT    Encapsulation Considerations for GUE    March 26, 2015


1  Introduction

   This document provides a description of how Generic UDP Encapsulation
   (GUE) [I.D.herbert-gue] addresses the encapsulation considerations
   that are described in [I.D.rtg-dt-encap]. That draft is the result of
   a design team that was chartered by the routing area director to
   investigate and report on the common issues across different
   encapsulations.

   The organization of this document follows that of the encapsulation
   considerations draft. There is a section for each of the main areas
   for consideration with encapsulation. These areas are:

     o Entropy

     o Next-protocol indication

     o MTU and fragmentation

     o OAM

     o Security considerations

     o QoS

     o Congestion considerations

     o Header protection

     o Extensibility considerations

     o Layering considerations

     o Service model

     o Hardware friendly

     o Middleboxes

   An additional section covers considerations specific to network
   virtualization.

2  Entropy

   Similar to other UDP encapsulation proposals, the UDP source port of
   a GUE packet may be set to a value that reflects the inner flow. In
   GUE parlance, this value based on the inner flow identifier which is
   often a hash over the 5-tuple of the inner packet's headers. The UDP
 


Herbert, Yong, Zia      Expires September, 2015                 [Page 3]

INTERNET DRAFT    Encapsulation Considerations for GUE    March 26, 2015


   source port provides fourteen bits of entropy assuming that the
   selected value is restricted to the ephemeral port range. The source
   port used to indicate a given flow may also change over the lifetime
   of a flow.

   The outer IPv6 flow label may be used to provide additional entropy
   in the flow identifier when fourteen bits is insufficient.

   If the UDP port (and possibly IPv6 flow label) still does not provide
   enough entropy in the flow classification, then deep parsing of the
   GUE payload may be performed. See section 14.

3  Next-protocol indication

   The next protocol indication in GUE is in the proto/ctype field in
   the GUE header. For GUE data messages (as opposed to control
   messages, see section 5) the proto field holds an IP protocol number
   of the next header. An eight bit value is an efficient use of header
   space, and the lookup of IP protocol can be implemented as a simple
   256 entry array (as in Linux).

   The IP protocol number allows encapsulation of various layer 2 and
   layer 3 protocols. In particular, the most common protocols for
   tunnels are likely to be:

     o IPv4: number 4

     o IPv6: number 41

     o Ethernet: via EtherIP with number 97

   The encapsulated protocol may also be GRE (number 47) which allows
   encapsulation of protocols of any Ethertype in GUE with an additional
   four bytes of header.

   Layer 4 protocols may also be encapsulated within GUE (e.g. ESP, UDP,
   ICMP, etc.). In this case the UDP and GUE encapsulating headers are
   considered to be inserted between IP and the transport header. In
   this way, the outer UDP header for GUE and the encapsulated transport
   header logically header share the same IP header. For an encapsulated
   TCP or UDP header checksum calculation, the pseudo checksum is based
   on the outer IP header ignoring the encapsulation headers.

4  MTU and Fragmentation

   Similar to other encapsulation protocols, it is recommended in GUE
   that fragmentation over a tunnel is avoided by configuring tunnel
   MTUs and using Path MTU Discovery (PMTUD) as necessary. As described
 


Herbert, Yong, Zia      Expires September, 2015                 [Page 4]

INTERNET DRAFT    Encapsulation Considerations for GUE    March 26, 2015


   in [I.D.rtg-dt-encap], detecting mis-configuration causing packets to
   be dropped due to MTU issues is desirable; having the encapsulator
   set the don't-fragment (DF) flag in the outer IPv4 header and logging
   any received ICMP "packet too big" (PTB) are compatible with GUE.

   As discussed in [RFC4459] it may not be possible to avoid the need
   for fragmentation in a all circumstances (for instance a link in a
   tunnels path may have the minimum MTU for IPv6 which is 1280). To
   accommodate this, a fragmentation option has been defined for GUE
   ([I.D.gue-fragmentation]). 

5  OAM

   Specific OAM support for GUE (and other encapsulation protocols) has
   not yet been defined. Due to the extensibility model of GUE and
   definition of control messages, there is a lot of flexibility in how
   OAM may be supported. GUE includes provisions to support both active
   OAM (OAM specific messages) and passive OAM (measurements of data
   messages).

5.1 Active OAM

   The GUE header includes a bit that indicates that the payload
   contains a control message as opposed to a data message. When this
   bit is set, the proto/ctype field is interpreted to be a control
   type. Various types of control messages may be defined, including
   those for OAM.

5.2 Passive OAM

   Options in the GUE header may be added to permit passive OAM
   measurements attached to data messages. This may accomplished by
   using be single bits of information, or by OAM measurement fields
   which could contain items such as sequence numbers, timestamps, etc.

6  Security Considerations

   Security is a very important consideration in GUE. This is  
   particularly motivated by the multi-tentant use case of network  
   virtualization where isolation between tenants is a critical  
   requirement. The GUE security model includes both considerations to  
   protect the headers and the whole packet. For both of these, we  
   assume that a "pluggable" secuirty model is desirable with the  
   assumption that stronger security may be implemented over time in  
   response to changing threats.

6.1 Integrity and authentication of the encapsulation

 


Herbert, Yong, Zia      Expires September, 2015                 [Page 5]

INTERNET DRAFT    Encapsulation Considerations for GUE    March 26, 2015


   Addresses, port numbers, and various elements of a GUE header may
   need fairly strong assurances of integrity and authentication to
   protect against corruption or spoofing. This requirement is readily
   apparent in the use case of network virtualization where ensuring the
   integrity and authenticity of a virtual network identifier is
   paramount to guaranteeing isolation between virtual networks even in
   the presence of users with malicious intent.

   To provide for this security, an optional security field is defined
   in GUE ([I.D.hy-gue-4-secure-transport]). This field has three
   possible sizes of 64, 128, or 256 bits to allow for different levels
   of security. The simplest mechanism is a security cookie which is a
   shared value that is passed in the clear and must matched on receipt.
   More sophisticated mechanisms may use cryptographic hashes, nonce
   values, reply detection, etc.

6.2 Packet level security

   As GUE is contained in an IP packet, the packet itself may be
   encapsulated in something like ESP or DTLS to provide security. This
   is straightforward, however visibility of the encapsulation is lost
   in the network. This is problematic, for instance, if one wanted to
   establish firewalls to restrict packets for a certain virtual
   network.

   Security of a GUE payload may be accomplished by applying ESP or DTLS
   to the payload and encapsulating ESP within GUE. In this model the
   protocol stack may be something like IP|UDP|GUE|ESP|IP. The GUE next
   protocol would indicate ESP (number 50), and the UDP and GUE headers
   would be sent in the clear so that encapsulation is visible to the
   network. As described above, measures should be taken to ensure the
   integrity and authentication of addresses and GUE headers. One
   salient property of this method is that any bits created by an
   application or virtualization guest are covered by the packet level
   security mechanism.

7  QoS 

   There are no specific provisions or options to provide additional QoS
   facilities in GUE. The provisions of "Diffserv and Tunnels" [RFC2983]
   are assumed.

8  Congestion Considerations

   Congestions considerations that are generically specified for tunnels
   would be applicable to GUE. This would include mechanisms currently
   being defined such as circuit breaker [I.D.cirtuit-breaker] and
   common ECN handling for IP tunnels.
 


Herbert, Yong, Zia      Expires September, 2015                 [Page 6]

INTERNET DRAFT    Encapsulation Considerations for GUE    March 26, 2015


   In certain cases, specific congestion control may be necessitated
   beyond what generic congestion control mechanisms may provide. In
   particular, this may be required in a data center whose native
   traffic and resources have been tuned to a very specific congestion
   control algorithm. When third party network stacks, such as those
   running in a VM's guest OS, are introduced into such an environment
   their congestion control model may substantially conflict with that
   of the native traffic. If traffic and resource isolation is not
   feasible, the only recourse may be to force third party traffic into
   compliance with the native congestion control.

   This can potentially be accommodated in GUE in two ways:

     1) Add an additional protocol layer to the encapsulation that
        provides congestion control. DCCP is a candidate. In this case,
        the protocol stack for a encapsulated packet may look like
        IP|UDP|GUE|DCCP|IP.

     2) Add an option to GUE which provides for congestion control. This
        would likely include an optional header field that would contain
        various values needed for congestion control-- sequence numbers,
        timestamps, ack numbers etc. Note that some of this information
        may also be in common with passive OAM data.

   Extending GUE with finer grained congestion is a topic for further
   exploration.

9  Header Protection

   As with other UDP encapsulation protocols, the UDP checksum may or
   may not be set transmit. The requirements for setting a zero UDP
   checksum with IPv6 to be compliant with [RFC6935] and [RFC6936] are
   enumerated in [I.D.herbert-gue]. In the case that a zero checksum is
   used (either for IPv4 or IPv6) the GUE specification recommends that
   the GUE header checksum be used (unless stronger protection such as
   security are present).

   The GUE header checksum is a UDP-lite like option in the GUE header
   ([I.D.herbert-guecsum]). This checksum covers the entire GUE header
   and a pseudo header containing the outer IP addresses and UDP port
   numbers. Optionally, the checksum may cover all or part of the
   encapsulated GUE payload.

10 Extensibility Considerations

   GUE is an extensible protocol that allows a variable length header.
   The extensibility mechanism in GUE is flag-fields. This is similar to
   the use of flags and fields in GRE, where if a flag is set a field of
 


Herbert, Yong, Zia      Expires September, 2015                 [Page 7]

INTERNET DRAFT    Encapsulation Considerations for GUE    March 26, 2015


   a specific size is present. See section 13.1 for points about the
   efficiency of the flag-fields solution.

   The GUE header includes fifteen bit flags in the primary header and
   an additional thirty-two in an extension flags field. Up to 124 bytes
   of optional fields may be present.

   All flags are considered mandatory, in the sense that a decapsulator
   must drop a packet it receives with set flags that are unknown to it.
   This requirement ensures that new flags with non-trivial semantics
   can be added without breaking compatibility. A middlebox may ignore
   flags (see section 14).

11 Layering Considerations

   GUE does not include any specific provisions for layering of
   encapsulations other than the fact that it can encapsulate an
   encapsulated packet represented by an IP protocol. As described in
   section 3, encapsulation of GRE may be used to encapsulate packets of
   an arbitrary Ethertype.

   Conceptually, the GUE header could be disassociated from UDP and
   defined as its own IP protocol (similar to GRE being an IP protocol).
   In this manner GUE could effectively function as an IP extension
   header and layered encapsulations would essentially be equivalent to
   multiple extension headers.

12 Service Model

   The base service model of GUE is equivalent to that of IP. Packets
   can be lost, reordered, duplicated, etc. To enact a more elaborate
   service model over GUE, such as pseudo-wire semantics or reliable
   tunnels, could be done as a layered encapsulation of a protocol that
   provides the service.

   The exception to the above occurs when encapsulated traffic has the
   ability to negatively impact unrelated networking traffic. In this
   case, a service model that provides congestion control or DDOS
   protection is a candidate to implement within the encapsulation layer
   (e.g. see section 8).

13 Hardware Friendly

13.1 Switch friendliness

   GUE is mostly intended to be an end to end tunneling protocol.
   Switches may inspect fields as input to routing operation, however
   they should not modify GUE headers in flight (checksum and header
 


Herbert, Yong, Zia      Expires September, 2015                 [Page 8]

INTERNET DRAFT    Encapsulation Considerations for GUE    March 26, 2015


   security likely make that infeasible). Encapsulation for the purposes
   affecting routing per hop or targeting networking services are better
   left to protocols dedicated to those functions such as BIER or SFC.

   In the case that a switch acts as tunnel endpoint (i.e. an NVE in
   NVO3 parlance), considerations can be made for efficient termination
   and processing of UDP.

   GUE has the following features to be friendly in switches:

     o For a given set of flags, field offsets are fixed

     o The number of possible flag combinations is 2^N for N supported
       flags. This is a much smaller number than for TLVs which are
       combinatorial.

     o Minimal overhead. Other than flags, there is no additional
       overhead associated with fields

     o Flag fields are amenable to hardware parallel parsing mechanisms
       such as TCAM (based on the above points)

     o The GUE header checksum obviates need for full packet checksum
       support

     o Hardware support of variable flag-fields has already be
       demonstrated in GRE

13.2 Host friendliness

   The first requirement of encapsulation in the host is that it works
   with existing NIC offloads. The five common offloads in question are
   RSS (Receive Side Scaling), TX-csum (transmit checksum offload), RX-
   csum (receive checksum offload), LSO (Large Segment Offload), and LRO
   (Large Receive Offload).

   RSS is already solved by enabling RSS for UDP which is available on
   most NICs. This works for any UDP encapsulation that uses source port
   for flow entropy.

   TX-csum and RX-csum offload for encapsulated checksums (no outer UDP
   checksum) are already generically supported by NICs that provide
   NETIF_HW_CSUM and CHECKSUM_UNNECESSARY (in Linux parlance). The outer
   UDP checksum may also be enabled, and this can be leveraged in GUE to
   provide checksum offload of inner transport checksums for legacy
   devices (via checksum-unnecessary conversion and remote checksum
   offload). The ability for NICs to support offload of multiple
   checksums in a packet may also become pertinent in time.
 


Herbert, Yong, Zia      Expires September, 2015                 [Page 9]

INTERNET DRAFT    Encapsulation Considerations for GUE    March 26, 2015


   For LSO (TSO), the Linux stack already demonstrates a generic
   solution for segmentation with UDP encapsulation in GSO. This can be
   implemented in HW as method to provide LSO for any UDP encapsulation.

   For LRO, a device needs to do deep parsing of the GUE payload. This
   can be accomplished by skipping over any options using the Hlen
   field. Packets should only be considered to match if the GUE
   encapsulation, including any optional fields and private data, are
   identical.

   The implementation of GUE in a software stack is fairly straight
   forward and can be efficient. The UDP layer in the software stack
   should already handle the processing of the UDP/IP headers including
   that of the checksum. For the GUE headers, processing the flag-fields
   is likely the most difficult operation. Given the practical
   constraints on flag-fields, they can be processed without a loop and
   without the need to check lengths or duplicate fields. The check for
   unsupported set flags can be implemented with a simple masked
   comparison on the flags.

14 Middlebox Considerations

   The following GUE features facilitate middlebox handling:

     o The Hlen field allows middlebox to skip over optional fields to
       perform deep parsing

     o The meaning of proto/ctype field is invariant regardless of flags

     o Flag-fields permit random access for inspection

     o Middleboxes are not required to understand all possible fields. A
       principle in GUE is that new fields cannot cause reinterpretation
       of old fields.

15 Network virtualization

   The primary requirement for network virtualization is that a virtual
   network is indicated as part of the encapsulation (i.e. a virtual
   network identifier or VNI-ID).

   GUE defines a 32 bit VNI-ID in an optional field ([I.D.hy-nvo3-gue-4-
   nvo]). There is no predefined structure to this value. An
   implemention may apply a hierarchical structure (for instance a
   tenant might have virtual sub-networks), as well as allocating bits
   to indicate class or other attributes (such as a bit indicating a
   trusted or untrusted virtual network).

 


Herbert, Yong, Zia      Expires September, 2015                [Page 10]

INTERNET DRAFT    Encapsulation Considerations for GUE    March 26, 2015


   A first order requirement of network virtualization is that isolation
   between virtual networks be ensured. As described in section 6, the
   GUE security option should be used to provide integrity and
   authentication.












































 


Herbert, Yong, Zia      Expires September, 2015                [Page 11]

INTERNET DRAFT    Encapsulation Considerations for GUE    March 26, 2015


16  References

16.1  Normative References

              [I.D.rtg-dt-encap] Nordmark, E., Tian, A., Gross, J.,"
              Hudson, J., Kreeger, L., Garg, P., Thaler, P., Herbert,
              T., "Encapsulation Considerations", draft-rtg-dt-encap-01.

              [I.D.herbert-gue] Herbert, T., and Yong, L., "Generic UNP
              Encapsulation", draft-herbert-gue-03, work in progress.

16.2  Informative References

              [RFC4459] Savola, P., "MTU and Fragmentation Issues with
              In-the-Network Tunneling", RFC 4459, April 2006,
              <http://www.rfc-editor.org/info/rfc4459>.

              [RFC2983] Black, D., "Differentiated Services and
              Tunnels", RFC 2983, October 2000, <http://www.rfc-
              editor.org/info/rfc2983>.

              [RFC6935] Eubanks, M., Chimento, P., and M. Westerlund,
              "IPv6 and UDP Checksums for Tunneled Packets", RFC 6935,
              April 2013, <http://www.rfc-editor.org/info/rfc6935>.

              [RFC6936] Fairhurst, G. and M. Westerlund, "Applicability
              Statement for the Use of IPv6 UDP Datagrams with Zero
              Checksums", RFC 6936, April 2013, <http://www.rfc-
              editor.org/info/rfc6936>.

              [I.D.gue-fragmentation] Herbert, T. and Templin, F.,
              "Fragmentation option for Generic UDP Encapsulation",
              draft-herbert-gue-fragmentation-00, work in progress

              [I.D.hy-gue-4-secure-transport] Yong, L., Herbert, T.,
              "Generic UDP Encapsulation  (GUE) for Secure Transport",
              draft-hy-gue-4-secure-transport-00, work in progress.

              [I.D.tsvwg-circuit-breaker] Fairhurst, G., "Network
              Transport Circuit Breakers", draft-ietf-tsvwg-circuit-
              breaker-00

              [I.D.herbert-remotecsumoffload] Herbert, T., "Remote
              checksum offload for encapsulation", draft-herbert-
              remotecsumoffload-00, work in progress

              [I.D.hy-nvo3-gue-4-nvo] Yong, L., Herbert, T., "Generic
              UDP Encapsulation (GUE) for Network Virtualization
 


Herbert, Yong, Zia      Expires September, 2015                [Page 12]

INTERNET DRAFT    Encapsulation Considerations for GUE    March 26, 2015


              Overlay", work in progress



Authors' Addresses


   Tom Herbert
   Facebook
   Menlo Park, CA
   USA

   EMail: tom@herbertland.com

   Lucy Yong
   Huawei USA
   5340 Legacy Dr.
   Plano, TX  75024
   USA

   Osama Zia
   Microsoft

   EMail: osamaz@microsoft.com



























Herbert, Yong, Zia      Expires September, 2015                [Page 13]