Internet DRAFT - draft-xu-softwire-ip-in-udp

draft-xu-softwire-ip-in-udp







Network Working Group                                              X. Xu
Internet-Draft                                       Huawei Technologies
Intended status: Standards Track                                R. Asati
Expires: June 6, 2015                                      Cisco Systems
                                                                 L. Yong
                                                              Huawei USA
                                                                  Y. Lee
                                                                 Comcast
                                                                  Y. Fan
                                                           China Telecom
                                                              I. Beijnum
                                                Institute IMDEA Networks
                                                        December 3, 2014


                        Encapsulating IP in UDP
                     draft-xu-softwire-ip-in-udp-03

Abstract

   Existing Softwire encapsulation technologies are not adequate for
   efficient load balancing of Softwire service traffic across IP
   networks.  This document specifies additional Softwire encapsulation
   technology, referred to as IP-in-User Datagram Protocol (UDP), which
   can facilitate the load balancing of Softwire service traffic across
   IP networks.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 6, 2015.








Xu, et al.                Expires June 6, 2015                  [Page 1]

Internet-Draft           Encapsulating IP in UDP           December 2014


Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Conventions . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Encapsulation in UDP  . . . . . . . . . . . . . . . . . . . .   3
   4.  Processing Procedures . . . . . . . . . . . . . . . . . . . .   5
   5.  Congestion Considerations . . . . . . . . . . . . . . . . . .   5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   To fully utilize the bandwidth available in IP networks and/or
   facilitate recovery from a link or node failure, load balancing of
   traffic over Equal Cost Multi-Path (ECMP) and/or Link Aggregation
   Group (LAG) across IP networks is widely used.  [RFC5640] describes a
   method for improving the load balancing efficiency in a network
   carrying Softwire Mesh service [RFC5565] over Layer Two Tunneling
   Protocol - Version 3 (L2TPv3) [RFC3931] and Generic Routing
   Encapsulation (GRE) [RFC2784] encapsulations.  However, this method
   requires core routers to perform hash calculation on the "load-
   balancing" field contained in tunnel encapsulation headers (i.e., the
   Session ID field in L2TPv3 headers or the Key field in GRE headers),
   which is not widely supported by existing core routers.

   Most existing routers in IP networks are already capable of
   distributing IP traffic "microflows" [RFC2474] over ECMP paths and/or



Xu, et al.                Expires June 6, 2015                  [Page 2]

Internet-Draft           Encapsulating IP in UDP           December 2014


   LAG based on the hash of the five-tuple of User Datagram Protocol
   (UDP) [RFC0768] and Transmission Control Protocol (TCP) packets
   (i.e., source IP address, destination IP address, source port,
   destination port, and protocol).  By encapsulating the Softwire
   service traffic into an UDP tunnel and using the source port of the
   UDP header as an entropy field, the existing load-balancing
   capability as mentioned above can be leveraged to provide fine-
   grained load-balancing of Softwire service traffic traffic over IP
   networks.  This is similar to why LISP [RFC6830] uses UDP
   encapsulation.  Therefore, this specification defines an IP-in-UDP
   encapsulation method for Software service (including both mesh and
   hub-spoke modes).

   IPv6 flow label has been proposed as an entropy field for load
   balancing in IPv6 network environment [RFC6438].  However, as stated
   in [RFC6936], the end-to-end use of flow labels for load balancing is
   a long-term solution and therefore the use of load balancing using
   the transport header fields would continue until any widespread
   deployment is finally achieved.  As such, IP-in-UDP encapsulation
   would still have a practical application value in the IPv6 networks
   during this transition timeframe.

   Similarly, the IP-in-UDP encapsulation format defined in this
   document by itself cannot ensure the integrity and privacy of data
   packets being transported through the IP-in-UDP tunnels and cannot
   enable the tunnel decapsulators to authenticate the tunnel
   encapsulator.  Therefore, in the case where any of the above security
   issues is concerned, the IP-in-UDP SHOULD be secured with IPsec
   [RFC4301] or DTLS [RFC6347].  For more details, please see Section 6
   of Security Considerations.

1.1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Terminology

   This memo makes use of the terms defined in [RFC5565].

3.  Encapsulation in UDP

   IP-in-UDP encapsulation format is shown as follows:







Xu, et al.                Expires June 6, 2015                  [Page 3]

Internet-Draft           Encapsulating IP in UDP           December 2014


      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |    Source Port = Entropy      |       Dest Port = TBD1        |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |           UDP Length          |        UDP Checksum           |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     ~                           IP Packet                           ~
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Source Port of UDP

         This field contains a 16-bit entropy value that is generated by
         the encapsulator to uniquely identify a flow.  What constitutes
         a flow is locally determined by the encapsulator and therefore
         is outside the scope of this document.  What algorithm is
         actually used by the encapsulator to generate an entropy value
         is outside the scope of this document.

         In case the tunnel does not need entropy, this field of all
         packets belonging to a given flow SHOULD be set to a randomly
         selected constant value so as to avoid packet reordering.

         To ensure that the source port number is always in the range
         49152 to 65535 (Note that those ports less than 49152 are
         reserved by IANA to identify specific applications/protocols)
         which may be required in some cases, instead of calculating a
         16-bit hash, the encapsulator SHOULD calculate a 14-bit hash
         and use those 14 bits as the least significant bits of the
         source port field while the most significant two bits SHOULD be
         set to binary 11.  That still conveys 14 bits of entropy
         information which would be enough as well in practice.

      Destination Port of UDP

         This field is set to a value (TBD1) allocated by IANA to
         indicate that the UDP tunnel payload is an IP packet.  As for
         whether the encapsulated IP packet is IPv4 or IPv6, it would be
         determined according to the Version field in the IP header of
         the encapsulated IP packet.

      UDP Length

         The usage of this field is in accordance with the current UDP
         specification [RFC0768].




Xu, et al.                Expires June 6, 2015                  [Page 4]

Internet-Draft           Encapsulating IP in UDP           December 2014


      UDP Checksum

         For IPv4 UDP encapsulation, this field is RECOMMENDED to be set
         to zero because the IPv4 header includes a checksum and use of
         the UDP checksum is optional with IPv4.  For IPv6 UDP
         encapsulation, the IPv6 header does not include a checksum, so
         this field MUST contain a UDP checksum that MUST be used as
         specified in [RFC0768] and [RFC2460] unless one of the
         exceptions that allows use of UDP zero-checksum mode (as
         specified in [RFC6935]) applies.

      IP Packet

         This field contains one IP packet.

4.  Processing Procedures

   This IP-in-UDP encapsulation causes E-IP[RFC5565] packets to be
   forwarded across an I-IP [RFC5565] transit core via "UDP tunnels".
   While performing IP-in-UDP encapsulation, an ingress AFBR (e.g.  PE
   router) would generate an entropy value and encode it in the Source
   Port field of the UDP header.  The Destination Port field is set to a
   value (TBD1) allocated by IANA to indicate that the UDP tunnel
   payload is an IP packet.  Transit routers, upon receiving these UDP
   encapsulated IP packets, could balance these packets based on the
   hash of the five-tuple of UDP packets.  Egress AFBRs receiving these
   UDP encapsulated IP packets MUST decapsulate these packets by
   removing the UDP header and then forward them accordingly (assuming
   that the Destination Port was set to the reserved value pertaining to
   IP).

   Similar to all other Softwire tunneling technologies, IP-in-UDP
   encapsualtion introduces overheads and reduces the effective Maximum
   Transmision Unit (MTU) size.  IP-in-UDP encapsulation may also impact
   Time-to-Live (TTL) or Hop Count (HC) and Differentiated Services
   (DSCP).  Hence, IP-in-UDP MUST follow the corresponding procedures
   defined in [RFC2003].  If an ingress AFBR performs fragmentation on
   an E-IP packet before encapsulating, it MUST use the same source UDP
   port for all fragmented packets so as to ensures these fragmented
   packets are always forwarded on the same path.

5.  Congestion Considerations

   Section 3.1.3 of [RFC5405] discussed the congestion implications of
   UDP tunnels.  As discussed in [RFC5405], because other flows can
   share the path with one or more UDP tunnels, congestion control
   [RFC2914] needs to be considered.  As specified in [RFC5405]:




Xu, et al.                Expires June 6, 2015                  [Page 5]

Internet-Draft           Encapsulating IP in UDP           December 2014


      "IP-based traffic is generally assumed to be congestion-
      controlled, i.e., it is assumed that the transport protocols
      generating IP-based traffic at the sender already employ
      mechanisms that are sufficient to address congestion on the path.
      Consequently, a tunnel carrying IP-based traffic should already
      interact appropriately with other traffic sharing the path, and
      specific congestion control mechanisms for the tunnel are not
      necessary".

   Since IP-in-UDP is only used to carry IP traffic which is generally
   assumed to be congestion controlled, it generally does not need
   additional congestion control mechanisms.

6.  Security Considerations

   The security problems faced with the IP-in-UDP tunnel are exactly the
   same as those faced with IP-in-IP [RFC2003] and IP-in-GRE tunnels
   [RFC2784].  In other words, the IP-in-UDP tunnel as defined in this
   document by itself cannot ensure the integrity and privacy of data
   packets being transported through the IP-in-UDP tunnel and cannot
   enable the tunnel decapsulator to authenticate the tunnel
   encapsulator.  In the case where any of the above security issues is
   concerned, the IP-in-UDP tunnel SHOULD be secured with IPsec or DTLS.
   IPsec was designed as a network security mechanism and therefore it
   resides at the network layer.  As such, if the tunnel is secured with
   IPsec, the UDP header would not be visible to intermediate routers
   anymore in either IPsec tunnel or transport mode.  As a result, the
   meaning of adopting the IP-in-UDP tunnel as an alternative to the IP-
   in-GRE or IP-in-IP tunnel is lost.  By comparison, DTLS is better
   suited for application security and can better preserve network and
   transport layer protocol information.  Specifically, if DTLS is used,
   the destination port of the UDP header will be filled with a value
   (TBD2) indicating IP with DTLS and the source port can still be used
   as an entropy field for load-sharing purposes.

   If the tunnel is not secured with IPsec or DTLS, some other method
   should be used to ensure that packets are decapsulated and forwarded
   by the tunnel tail only if those packets were encapsulated by the
   tunnel head.  If the tunnel lies entirely within a single
   administrative domain, address filtering at the boundaries can be
   used to ensure that no packet with the IP source address of a tunnel
   endpoint or with the IP destination address of a tunnel endpoint can
   enter the domain from outside.  However, when the tunnel head and the
   tunnel tail are not in the same administrative domain, this may
   become difficult, and filtering based on the destination address can
   even become impossible if the packets must traverse the public
   Internet.  Sometimes only source address filtering (but not
   destination address filtering) is done at the boundaries of an



Xu, et al.                Expires June 6, 2015                  [Page 6]

Internet-Draft           Encapsulating IP in UDP           December 2014


   administrative domain.  If this is the case, the filtering does not
   provide effective protection at all unless the decapsulator of an IP-
   in-UDP validates the IP source address of the packet.

7.  IANA Considerations

   One UDP destination port number indicating IP needs to be allocated
   by IANA:

      Service Name: IP-in-UDP

      Transport Protocol(s): UDP

      Assignee: IESG <iesg@ietf.org>

      Contact: IETF Chair <chair@ietf.org>.

      Description: Encapsulate IP packets in UDP tunnels.

      Reference: This document.

      Port Number: TBD1 -- To be assigned by IANA.

   One UDP destination port number indicating IP with DTLS needs to be
   allocated by IANA:

      Service Name: IP-in-UDP-with-DTLS

      Transport Protocol(s): UDP

      Assignee: IESG <iesg@ietf.org>

      Contact: IETF Chair <chair@ietf.org>.

      Description: Encapsulate IP packets in UDP tunnels with DTLS.

      Reference: This document.

      Port Number: TBD2 -- To be assigned by IANA.

8.  Acknowledgements

   Thanks to Vivek Kumar, Carlos Pignataro and Mark Townsley for their
   valuable comments on the initial idea of this document.  Thanks to
   Andrew G.  Malis for his valuable comments on this document.






Xu, et al.                Expires June 6, 2015                  [Page 7]

Internet-Draft           Encapsulating IP in UDP           December 2014


9.  References

9.1.  Normative References

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              August 1980.

   [RFC2003]  Perkins, C., "IP Encapsulation within IP", RFC 2003,
              October 1996.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

   [RFC2784]  Farinacci, D., Li, T., Hanks, S., Meyer, D., and P.
              Traina, "Generic Routing Encapsulation (GRE)", RFC 2784,
              March 2000.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC5405]  Eggert, L. and G. Fairhurst, "Unicast UDP Usage Guidelines
              for Application Designers", BCP 145, RFC 5405, November
              2008.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [RFC6935]  Eubanks, M., Chimento, P., and M. Westerlund, "IPv6 and
              UDP Checksums for Tunneled Packets", RFC 6935, April 2013.

   [RFC6936]  Fairhurst, G. and M. Westerlund, "Applicability Statement
              for the Use of IPv6 UDP Datagrams with Zero Checksums",
              RFC 6936, April 2013.

9.2.  Informative References

   [RFC2474]  Nichols, K., Blake, S., Baker, F., and D. Black,
              "Definition of the Differentiated Services Field (DS
              Field) in the IPv4 and IPv6 Headers", RFC 2474, December
              1998.

   [RFC2914]  Floyd, S., "Congestion Control Principles", BCP 41, RFC
              2914, September 2000.





Xu, et al.                Expires June 6, 2015                  [Page 8]

Internet-Draft           Encapsulating IP in UDP           December 2014


   [RFC3931]  Lau, J., Townsley, M., and I. Goyret, "Layer Two Tunneling
              Protocol - Version 3 (L2TPv3)", RFC 3931, March 2005.

   [RFC5565]  Wu, J., Cui, Y., Metz, C., and E. Rosen, "Softwire Mesh
              Framework", RFC 5565, June 2009.

   [RFC5640]  Filsfils, C., Mohapatra, P., and C. Pignataro, "Load-
              Balancing for Mesh Softwires", RFC 5640, August 2009.

   [RFC6438]  Carpenter, B. and S. Amante, "Using the IPv6 Flow Label
              for Equal Cost Multipath Routing and Link Aggregation in
              Tunnels", RFC 6438, November 2011.

   [RFC6830]  Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The
              Locator/ID Separation Protocol (LISP)", RFC 6830, January
              2013.

Authors' Addresses

   Xiaohu Xu
   Huawei Technologies
   No.156 Beiqing Rd
   Beijing  100095
   CHINA

   Phone: +86-10-60610041
   Email: xuxiaohu@huawei.com


   Rajiv Asati
   Cisco Systems
   7200 Kit Creek Road
   Research Triangle Park,, NC  27709
   USA

   Email: rajiva@cisco.com


   Lucy Yong
   Huawei USA
   5340 Legacy Dr
   Plano, TX  75025
   USA

   Email: Lucy.yong@huawei.com






Xu, et al.                Expires June 6, 2015                  [Page 9]

Internet-Draft           Encapsulating IP in UDP           December 2014


   Yiu Lee
   Comcast
   One Comcast Center
   Philadelphia, PA
   USA

   Phone: Email: Yiu_Lee@Cable.Comcast.com
   Email: cpignata@cisco.com


   Yongbing Fan
   China Telecom
   Guangzhou
   CHINA

   Email: fanyb@gsta.com


   Iljitsch van Beijnum
   Institute IMDEA Networks
   Avda. del Mar Mediterraneo, 22
   Leganes,, Madrid  28918
   Spain

   Email: iljitsch@muada.com


























Xu, et al.                Expires June 6, 2015                 [Page 10]