diff options
Diffstat (limited to 'doc/rfc/rfc9268.txt')
-rw-r--r-- | doc/rfc/rfc9268.txt | 1086 |
1 files changed, 1086 insertions, 0 deletions
diff --git a/doc/rfc/rfc9268.txt b/doc/rfc/rfc9268.txt new file mode 100644 index 0000000..127af78 --- /dev/null +++ b/doc/rfc/rfc9268.txt @@ -0,0 +1,1086 @@ + + + + +Internet Engineering Task Force (IETF) R. Hinden +Request for Comments: 9268 Check Point Software +Category: Experimental G. Fairhurst +ISSN: 2070-1721 University of Aberdeen + August 2022 + + + IPv6 Minimum Path MTU Hop-by-Hop Option + +Abstract + + This document specifies a new IPv6 Hop-by-Hop Option that is used to + record the Minimum Path MTU (PMTU) along the forward path between a + source host to a destination host. The recorded value can then be + communicated back to the source using the return Path MTU field in + the Option. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for examination, experimental implementation, and + evaluation. + + This document defines an Experimental Protocol for the Internet + community. This document is a product of the Internet Engineering + Task Force (IETF). It represents the consensus of the IETF + community. It has received public review and has been approved for + publication by the Internet Engineering Steering Group (IESG). Not + all documents approved by the IESG are candidates for any level of + Internet Standard; see Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc9268. + +Copyright Notice + + Copyright (c) 2022 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Revised BSD License text as described in Section 4.e of the + Trust Legal Provisions and are provided without warranty as described + in the Revised BSD License. + +Table of Contents + + 1. Introduction + 1.1. Example Operation + 1.2. Use of the IPv6 Hop-by-Hop Options Header + 2. Motivation and Problem Solved + 3. Requirements Language + 4. Applicability Statements + 5. IPv6 Minimum Path MTU Hop-by-Hop Option + 6. Router, Host, and Transport Layer Behaviors + 6.1. Router Behavior + 6.2. Host Operating System Behavior + 6.3. Transport Layer Behavior + 6.3.1. Including the Option in an Outgoing Packet + 6.3.2. Validation of the Packet that Includes the Option + 6.3.3. Receiving the Option + 6.3.4. Using the Rtn-PMTU Field + 6.3.5. Detecting Path Changes + 6.3.6. Detection of Dropping Packets that Include the Option + 7. IANA Considerations + 8. Security Considerations + 8.1. Router Option Processing + 8.2. Network-Layer Host Processing + 8.3. Validating Use of the Option Data + 8.4. Direct Use of the Rtn-PMTU Value + 8.5. Using the Rtn-PMTU Value as a Hint for Probing + 8.6. Impact of Middleboxes + 9. Experiment Goals + 10. Implementation Status + 11. References + 11.1. Normative References + 11.2. Informative References + Appendix A. Examples of Usage + Acknowledgments + Authors' Addresses + +1. Introduction + + This document specifies a new IPv6 Hop-by-Hop (HBH) Option to record + the minimum Maximum Transmission Unit (MTU) along the forward path + between a source and a destination host. The source host creates a + packet with this Option and initializes the Min-PMTU field with the + value of the MTU for the outbound link that will be used to forward + the packet towards the destination host. + + At each subsequent hop where the Option is processed, the router + compares the value of the Min-PMTU field in the Option and the MTU of + its outgoing link. If the MTU of the link is less than the Min-PMTU, + it rewrites the value in the Option Data with the smaller value. + When the packet arrives at the destination host, the host can send + the value of the minimum Reported MTU for the path back to the source + host using the Rtn-PMTU field in the Option. The source host can + then use this value as input to the method that sets the Path MTU + (PMTU) used by upper-layer protocols. + + The IPv6 Minimum Path MTU Hop-by-Hop (MinPMTU HBH) Option is designed + to work with packet sizes that can be specified in the IPv6 header. + The maximum packet size that can be specified in an IPv6 header is + 65,535 octets (2^16). + + This method has the potential to complete Path MTU Discovery (PMTUD) + in a single round-trip time, even over paths that have successive + links, each with a lower MTU. + + The mechanism defined in this document is focused on unicast; it does + not describe multicast. That is left for future work. + +1.1. Example Operation + + The figure below illustrates the operation of the method. In this + case, the path between the source host and the destination host + comprises three links: the source has a link MTU of size MTU-S, the + link between routers R1 and R2 has an MTU of size 9000 bytes, and the + final link to the destination has an MTU of size MTU-D. + + +--------+ +----+ +----+ +-------+ + | | | | | | | | + | Sender +---------+ R1 +--------+ R2 +-------- + Dest. | + | | | | | | | | + +--------+ MTU-S +----+ 9000B +----+ MTU-D +-------+ + + Figure 1: An Example Path between the Source Host and the + Destination Host + + Three scenarios are described: + + * Scenario 1 considers all links to have a 9000 byte MTU, and the + method is supported by both routers. The initial Min-PMTU is not + modified along the path. Therefore, the PMTU is 9000 bytes. + + * Scenario 2 considers the link between R2 and the destination host + (MTU-D) to have an MTU of 1500 bytes. This is the smallest MTU. + Router R2 updates the Min-PMTU to 1500 bytes, and the method + correctly updates the PMTU to 1500 bytes. Had there been another + smaller MTU at a link further along the path that also supports + the method, the lower MTU would also have been detected. + + * Scenario 3 considers the case where the router preceding the + smallest link (R2) does not support the method, and the link to + the destination host (MTU-D) has an MTU of 1500 bytes. Therefore, + router R2 does not update the Min-PMTU to 1500 bytes. The method + then fails to detect the actual PMTU. + + In Scenarios 2 and 3, a lower PMTU would also fail to be detected in + the case where PMTUD had been used and an ICMPv6 Packet Too Big (PTB) + message had not been delivered to the sender [RFC8201]. + + These scenarios are summarized in the table below. "H" in R1 and/or + R2 columns means the router understands the MinPMTU HBH Option. + + +===+========+========+====+====+==========+=======================+ + | | MTU-S | MTU-D | R1 | R2 | Rec PMTU | Note | + +===+========+========+====+====+==========+=======================+ + | 1 | 9000 B | 9000 B | H | H | 9000 B | Endpoints attempt to | + | | | | | | | use a 9000 B PMTU. | + +---+--------+--------+----+----+----------+-----------------------+ + | 2 | 9000 B | 1500 B | H | H | 1500 B | Endpoints attempt to | + | | | | | | | use a 1500 B PMTU. | + +---+--------+--------+----+----+----------+-----------------------+ + | 3 | 9000 B | 1500 B | H | - | 9000 B | Endpoints attempt to | + | | | | | | | use a 9000 B PMTU but | + | | | | | | | need to implement a | + | | | | | | | method to fall back | + | | | | | | | to discover and use a | + | | | | | | | 1500 B PMTU. | + +---+--------+--------+----+----+----------+-----------------------+ + + Table 1: Three Scenarios That Arise from Using the Path Shown in + Figure 1 + +1.2. Use of the IPv6 Hop-by-Hop Options Header + + As specified in [RFC8200], IPv6 allows nodes to optionally process + the Hop-by-Hop header. Specifically, from Section 4 of [RFC8200]: + + | The Hop-by-Hop Options header is not inserted or deleted, but may + | be examined or processed by any node along a packet's delivery + | path, until the packet reaches the node (or each of the set of + | nodes, in the case of multicast) identified in the Destination + | Address field of the IPv6 header. The Hop-by-Hop Options header, + | when present, must immediately follow the IPv6 header. Its + | presence is indicated by the value zero in the Next Header field + | of the IPv6 header. + | + | NOTE: While [RFC2460] required that all nodes must examine and + | process the Hop-by-Hop Options header, it is now expected that + | nodes along a packet's delivery path only examine and process the + | Hop-by-Hop Options header if explicitly configured to do so. + + The Hop-by-Hop Option defined in this document is designed to take + advantage of this property of how Hop-by-Hop Options are processed. + Nodes that do not support this Option SHOULD ignore them. This can + mean that the Min-PMTU value does not account for all links along a + path. + +2. Motivation and Problem Solved + + The current state of Path MTU Discovery on the Internet is + problematic. The mechanisms defined in [RFC8201] are known to not + work well in all environments. It fails to work in various cases, + including when nodes in the middle of the network do not send ICMPv6 + PTB messages or rate-limited ICMPv6 messages or do not have a return + path to the source host. This results in many transport-layer + connections being configured to use smaller packets (e.g., 1280 + bytes) by default and makes it difficult to take advantage of paths + with a larger PMTU where they do exist. Applications that send large + packets are forced to use IPv6 fragmentation [RFC8200], which can + reduce the reliability of Internet communication [RFC8900]. + + Encapsulations and network-layer tunnels further reduce the payload + size available for a transport protocol to use. Also, some use cases + increase packet overhead, for example, Network Virtualization Using + Generic Routing Encapsulation (NVGRE) [RFC7637] encapsulates Layer 2 + (L2) packets in an outer IP header and does not allow IP + fragmentation. + + Sending larger packets can improve host performance, e.g., avoiding + limits to packet processing by the packet rate. An example of this + is how the packet-per-second rate required to reach wire speed on a + 10G link with 1280 byte packets is about 977K packets per second + (pps) vs. 139K pps for 9000 byte packets. + + The purpose of this document is to improve the situation by defining + a mechanism that does not rely on reception of ICMPv6 PTB messages + from nodes in the middle of the network. Instead, this provides + information to the destination host about the Minimum Path MTU and + sends this information back to the source host. This is expected to + work better than the current mechanisms based on [RFC8201]. + + A similar mechanism was proposed in 1988 for IPv4 in [RFC1063] by + Jeff Mogul, C. Kent, Craig Partridge, and Keith McCloghire. It was + later obsoleted in 1990 by [RFC1191], which is the current deployed + approach to Path MTU Discovery. In contrast, the method described in + this document uses the Hop-by-Hop Option of IPv6. It does not + replace PMTUD [RFC8201], Packetization Layer Path MTU Discovery + (PLPMTUD) [RFC4821], or Datagram Packetization Layer PMTU Discovery + (DPLPMTUD) [RFC8899] but rather is designed to compliment these + methods. + +3. Requirements Language + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + +4. Applicability Statements + + The Path MTU Option is designed for environments where there is + control over the hosts and nodes that connect them and where there is + more than one MTU size in use, for example, in data centers and on + paths between data centers to allow hosts to better take advantage of + a path that is able to support a large PMTU. + + The design of the Option is so sufficiently simple that it can be + executed on a router's fast path. A successful experiment depends on + both implementation by host and router vendors and deployment by + operators. The contained use case of connections within and between + data centers could be a driver for deployment. + + The method could also be useful in other environments, including the + general Internet, and offers an advantage when this Hop-by-Hop Option + is supported on all paths. The method is more robust when used to + probe the path using packets that do not carry application data and + when also paired with a method like Packetization Layer PMTUD + [RFC4821] or Datagram Packetization Layer PMTU Discovery (DPLPMTUD) + [RFC8899]. + +5. IPv6 Minimum Path MTU Hop-by-Hop Option + + The Minimum Path MTU Hop-by-Hop Option has the following format: + + Option Option Option + Type Data Len Data + +--------+--------+--------+--------+---------+-------+-+ + |BBCTTTTT|00000100| Min-PMTU | Rtn-PMTU |R| + +--------+--------+--------+--------+---------+-------+-+ + + Figure 2: Format of the Minimum Path MTU Hop-by-Hop Option + + Option Type (see Section 4.2 of [RFC8200]): + + BB 00 Skip over this Option and continue processing. + + C 1 Option Data can change en route to the packet's final + destination. + + TTTTT 10000 Option Type assigned from IANA [IANA-HBH]. + + Length: 4 The size of the value field in Option Data + field supports PMTU values from 0 to 65,534 + octets, the maximum size represented by the + Path MTU Option. + + + Min-PMTU: n 16-bits. The minimum MTU recorded along the path + in octets, reflecting the smallest link MTU that + the packet experienced along the path. + A value less than the IPv6 minimum link + MTU [RFC8200] MUST be ignored. + + Rtn-PMTU: n 15-bits. The returned Path MTU field, carrying the 15 + most significant bits of the latest received Min-PMTU + field for the forward path. The value zero means that + no Reported MTU is being returned. + + R n 1-bit. R-Flag. Set by the source to signal that + the destination host should include the received + Rtn-PMTU field updated by the reported Min-PMTU value + when the destination host is to send a PMTU Option back + to the source host. + + NOTE: The encoding of the final two octets (Rtn-PMTU and R-Flag) + could be implemented by a mask of the latest received Min-PMTU value + with 0xFFFE, discarding the right-most bit and then performing a + logical 'OR' with the R-Flag value of the sender. This encoding fits + in the minimum-sized Hop-by-Hop Option header. + +6. Router, Host, and Transport Layer Behaviors + +6.1. Router Behavior + + Routers that are not configured to support Hop-by-Hop Options are not + expected to examine or process the contents of this Option [RFC8200]. + + Routers that support Hop-by-Hop Options but are not configured to + support this Option SHOULD skip over this Option and continue to + process the header [RFC8200]. + + Routers that support this Option MUST compare the value of the Min- + PMTU field with the MTU configured for the outgoing link. If the MTU + of the outgoing link is less than the Min-PMTU, the router rewrites + the Min-PMTU in the Option to use the smaller value. (The router + processing is performed without checking the valid range of the Min- + PMTU or the Rtn-PMTU fields.) + + A router MUST ignore and MUST NOT change the Rtn-PMTU field or the + R-Flag in the Option. + +6.2. Host Operating System Behavior + + The PMTU entry associated with the destination in the host's + destination cache [RFC4861] SHOULD be updated after detecting a + change using the IPv6 Minimum Path MTU Hop-by-Hop Option. This + cached value can be used by other flows that share the host's + destination cache. + + The value in the host destination cache SHOULD be used by PLPMTUD to + select an initial PMTU for a flow. The cached PMTU is only increased + by PLPMTUD when the Packetization Layer determines the path actually + supports a larger PMTU [RFC4821] [RFC8899]. + + When requested to send an IPv6 packet with the MinPMTU HBH Option, + the source host includes the Option in an outgoing packet. The + source host MUST fill the Min-PMTU field with the MTU configured for + the link over which it will send the packet on the next hop towards + the destination host. + + When a host includes the Option in a packet it sends, the host SHOULD + set the Rtn-PMTU field to the previously cached value of the received + Minimum Path MTU for the flow in the Rtn-PMTU field (see + Section 6.3.3). If this value is not set (for example, because there + is no cached reported Min-PMTU value), the Rtn-PMTU field value MUST + be set to zero. + + The source host MAY request the destination host to return the + reported Min-PMTU value by setting the R-Flag in the Option of an + outgoing packet. The R-Flag SHOULD NOT be set when the MinPMTU HBH + Option was sent solely to provide requested feedback on the return + Path MTU to avoid each response generating another response. + + The destination host controls when to send a packet with this Option + in response to an R-Flag, as well as which packets to include it in. + The destination host MAY limit the rate at which it sends these + packets. + + A destination host only sets the R-Flag if it wishes the source host + to also return the discovered PMTU value for the path from the + destination to the source. + + The normal sequence of operation of the R-Flag using the terminology + from the diagram in Figure 1 is: + + 1. The source sends a probe to the destination. The sender sets the + R-Flag. + + 2. The destination responds by sending a probe including the + received Min-PMTU as the Rtn-PMTU. A destination that does not + wish to probe the return path sets the R-Flag to 0. + +6.3. Transport Layer Behavior + + This Hop-by-Hop Option is intended to be used with a Path MTU + Discovery method. + + PLPMTUD [RFC8899] uses probe packets for two distinct functions: + + * Probe packets are used to confirm connectivity. Such probes can + be of any size up to the Packetization Layer Path MTU (PLPMTU). + These probe packets are sent to solicit a response using the path + to the remote node. These probe packets can carry the Hop-by-Hop + PMTU Option, providing the final size of the packet does not + exceed the current PLPMTU. After validating that the packet + originates from the path (Section 4.6.1 of [RFC8899]), the PLPMTUD + method can use the reported size from the Hop-by-Hop Option as the + next search point when it resumes the search algorithm. (This use + resembles the use of the PTB_SIZE information in Section 4.6.2 of + [RFC8899].) + + * A second use of probe packets is to explore if a path supports a + packet size greater than the current PLPMTU. If this probe packet + is successfully delivered (as determined by the source host), then + the PLPMTU is raised to the size of the successful probe. These + probe packets do not usually set the Path MTU Hop-by-Hop Option. + See Section 1.2 of [RFC8899]. Section 4.1 of [RFC8899] also + describes ways that a probe packet can be constructed, depending + on whether the probe packets carry application data. + + The PMTU Hop-by-Hop Option probe can be sent on packets that include + application data but needs to be robust to potential loss of the + packet (i.e., with the possibility that retransmission might be + needed if the packet is lost). + + Using a PMTU probe on packets that do not carry application data will + avoid the need for loss recovery if a router on the path drops + packets that set this Option. (This avoids the transport needing to + retransmit a lost packet that includes this Option.) This is the + normal default format for both uses of probes. + +6.3.1. Including the Option in an Outgoing Packet + + The upper-layer protocol can request the MinPMTU HBH Option to be + included in an outgoing IPv6 packet. A transport protocol (or upper- + layer protocol) can include this Option only on specific packets used + to test the path. This Option does not need to be included in all + packets belonging to a flow. + + NOTE: Including this Option in a large packet (e.g., one larger than + the present PMTU) is not likely to be useful, since the large packet + would itself be dropped by any link along the path with a smaller + MTU, preventing the Min-PMTU information from reaching the + destination host. + + Discussion: + + * In the case of TCP, the Option could be included in a packet that + carries a TCP segment sent after the connection is established. A + segment without data could be used to avoid the need to retransmit + this data if the probe packet is lost. The discovered value can + be used to inform PLPMTUD [RFC4821]. + + NOTE: A TCP SYN can also negotiate the Maximum Segment Size (MSS), + which acts as an upper limit to the packet size that can be sent + by a TCP sender. If this Option were to be included in a TCP SYN, + it could increase the probability that the SYN segment is lost + when routers on the path drop packets with this Option (see + Section 6.3.6), which could have an unwanted impact on the result + of racing Options [TAPS-ARCH] or feature negotiation. + + * The use with datagram transport protocols (e.g., UDP) is harder to + characterize because applications using datagram transports range + from very short-lived (low data-volume applications) exchanges to + longer (bulk) exchanges of packets between the source and + destination hosts [RFC8085]. + + * Simple-exchange protocols (i.e., low data-volume applications + [RFC8085] that only send one or a few packets per transaction) + might assume that the PMTU is symmetrical. That is, the PMTU is + the same in both directions or at least not smaller for the return + path. This optimization does not hold when the paths are not + symmetric. + + * The MinPMTU HBH Option can be used with ICMPv6 [RFC4443]. This + requires a response from the remote node and therefore is + restricted to use with ICMPv6 echo messages. The MinPMTU HBH + Option could provide additional information about the PMTU that + might be supported by a path. This could be used as a diagnostic + tool to measure the PMTU of a path. As with other uses, the + actual supported PMTU is only confirmed after receiving a response + to a subsequent probe of the PMTU size. + + * A datagram transport can utilize DPLPMTUD [RFC8899]. For example, + QUIC (see Section 14.3 of [RFC9000]) can use DPLPMTUD to determine + whether the path to a destination will support a desired maximum + datagram size. When using the IPv6 MinPMTU HBH Option, the Option + could be added to an additional QUIC PMTU probe that is of minimal + size (or one no larger than the currently supported PMTU size). + Once the return Path MTU value in the MinPMTU HBH Option has been + learned, DPLPMTUD can be triggered to test for a larger PLPMTU + using an appropriately sized PLPMTU probe packet (see + Section 5.3.1 of [RFC8899]). + + * The use of this Option with DNS and DNSSEC over UDP is expected to + work for paths where the PMTU is symmetric. The DNS server will + learn the PMTU from the DNS query messages. If the Rtn-PMTU value + is smaller, then a large DNSSEC response might be dropped and the + known problems with PMTUD will then occur. DNS and DNSSEC over + transport protocols that can carry the PMTU ought to work. + + * This method also can be used with anycast to discover the PMTU of + the path, but the use needs to be aware that the anycast binding + might change. + +6.3.2. Validation of the Packet that Includes the Option + + An upper-layer protocol (e.g., transport endpoint) using this Option + needs to provide protection from data injection attacks by off-path + devices [RFC8085]. This requires a method to assure that the + information in the Option Data is provided by a node on the path. + This validates that the packet forms a part of an existing flow, + using context available at the upper layer. For example, a TCP + connection or UDP application that maintains the related state and + uses a randomized ephemeral port would provide this basic validation + to protect from off-path data injection; see Section 5.1 of + [RFC8085]. IPsec [RFC4301] and TLS [RFC8446] provide greater + assurance. + + The upper layer discards any received packet when the packet + validation fails. When packet validation fails, the upper layer MUST + also discard the associated Option Data from the MinPMTU HBH Option + without further processing. + +6.3.3. Receiving the Option + + For a connection-oriented upper-layer protocol, caching of the + received Min-PMTU could be implemented by saving the value in the + connection context at the transport layer. A connectionless upper + layer (e.g., one using UDP) requires the upper-layer protocol to + cache the value for each flow it uses. + + A destination host that receives a MinPMTU HBH Option with the R-Flag + SHOULD include the MinPMTU HBH Option in the next outgoing IPv6 + packet for the corresponding flow. + + A simple mechanism could only include this Option (with the Rtn-PMTU + field set) the first time this Option is received or when it notifies + a change in the Minimum Path MTU. This limits the number of packets, + including the Option packets, that are sent. However, this does not + provide robustness to packet loss or recovery after a sender loses + state. + + Discussion: + + * Some upper-layer protocols send packets less frequently than the + rate at which the host receives packets. This provides less + frequent feedback of the received Rtn-PMTU value. However, a host + always sends the most recent Rtn-PMTU value. + +6.3.4. Using the Rtn-PMTU Field + + The Rtn-PMTU field provides an indication of the PMTU from on-path + routers. It does not necessarily reflect the actual PMTU between the + source and destination hosts. Care therefore needs to be exercised + in using the Rtn-PMTU value. Specifically: + + * The actual PMTU can be lower than the Rtn-PMTU value because the + Min-PMTU field was not updated by a router on the path that did + not process the Option. + + * The actual PMTU may be lower than the Rtn-PMTU value because there + is a Layer 2 device with a lower MTU. + + * The actual PMTU may be larger than the Rtn-PMTU value because of a + corrupted, delayed, or misordered response. A source host MUST + ignore a Rtn-PMTU value larger than the MTU configured for the + outgoing link. + + * The path might have changed between the time when the probe was + sent and when the Rtn-PMTU value received. + + IPv6 requires that every link in the Internet have an MTU of 1280 + octets or greater. A node MUST ignore a Rtn-PMTU value less than + 1280 octets [RFC8200]. + + To avoid unintentional dropping of packets that exceed the actual + PMTU (e.g., Scenario 3 in Section 1.1), the source host can delay + increasing the PMTU until a probe packet with the size of the Rtn- + PMTU value has been successfully acknowledged by the upper layer, + confirming that the path supports the larger PMTU. This probing + increases robustness but adds one additional path round-trip time + before the PMTU is updated. This use resembles that of PTB messages + in Section 4.6 of DPLPMTUD [RFC8899] (with the important difference + being that a PTB message can only seek to lower the PMTU, whereas + this Option could trigger a probe packet to seek to increase the + PMTU). + + Section 5.2 of [RFC8201] provides guidance on the caching of PMTU + information and also the relation to IPv6 flow labels. + Implementations should consider the impact of Equal-Cost Multipath + (ECMP) [RFC6438], specifically, whether a PMTU ought to be maintained + for each transport endpoint or for each network address. + +6.3.5. Detecting Path Changes + + Path characteristics can change, and the actual PMTU could increase + or decrease over time, for instance, following a path change when + packets are forwarded over a link with a different MTU than that + previously used. To bound the delay in discovering an increase in + the actual PMTU, a host with a link MTU larger than the current PMTU + SHOULD periodically send the MinPMTU HBH Option with the R-bit set. + DPLPMTUD provides recommendations concerning how this could be + implemented (see Section 5.3 of [RFC8899]). Since the Option + consumes less capacity than a full-sized probe packet, there can be + an advantage in using this to detect a change in the path + characteristics. + +6.3.6. Detection of Dropping Packets that Include the Option + + There is evidence that some middleboxes drop packets that include + Hop-by-Hop Options. For example, a firewall might drop a packet that + carries an unknown extension header or Option. This practice is + expected to decrease as an Option becomes more widely used. It could + result in the generation of an ICMPv6 message that indicates the + problem. This could be used to (temporarily) suspend use of this + Option. + + A middlebox that silently discards a packet with this Option results + in the dropping of any packet using the Option. This dropping can be + avoided by appropriate configuration in a controlled environment, + such as within a data center, but it needs to be considered for + Internet usage. Section 6.2 recommends that this Option is not used + on packets where loss might adversely impact performance. + +7. IANA Considerations + + IANA has registered an IPv6 Hop-by-Hop Option type in the + "Destination Options and Hop-by-Hop Options" registry within the + "Internet Protocol Version 6 (IPv6) Parameters" registry group + [IANA-HBH]. This assignment is shown in Section 5. + +8. Security Considerations + + This section discusses the security considerations. It first reviews + router Option processing. It then reviews host processing when + receiving this Option at the network layer. It then considers two + ways in which the Option Data can be processed, followed by two + approaches for using the Option Data. Finally, it discusses + middlebox implications related to use in the general Internet. + +8.1. Router Option Processing + + This Option shares the characteristics of all other IPv6 Hop-by-Hop + Options, in that, if not supported at line rate, it could be used to + degrade the performance of a router. This Option, while simple, is + no different than other uses of IPv6 Hop-by-Hop Options. + + It is common for routers to ignore the Hop-by-Hop Option header or to + drop packets containing a Hop-by-Hop Option header. Routers + implementing IPv6 according to [RFC8200] only examine and process the + Hop-by-Hop Options header if explicitly configured to do so. + +8.2. Network-Layer Host Processing + + A malicious attacker can forge a packet directed at a host that + carries the MinPMTU HBH Option. By design, the fields of this IP + Option can be modified by the network. + + For comparison, the ICMPv6 PTB message used in Path MTU Discovery + [RFC8201] and the source host have an inherent trust relationship + with the destination host including this Option. This trust + relationship can be used to help verify the Option. ICMPv6 PTB + messages are sent from any router on the path to the destination + host. The source host has no prior knowledge of these routers + (except for the first hop router). + + Reception of this packet will require processing as the network stack + parses the packet before the packet is delivered to the upper-layer + protocol. This network-layer Option processing is normally completed + before any upper-layer protocol delivery checks are performed. + + The network layer does not normally have sufficient information to + validate that the packet carrying an Option originated from the + destination (or an on-path node). It also does not typically have + sufficient context to demultiplex the packet to identify the related + transport flow. This can mean that any changes resulting from + reception of the Option applies to all flows between a pair of + endpoints. + + These considerations are no different than other uses of Hop-by-Hop + Options, and this is the use case for PMTUD. The following section + describes a mitigation for this attack. + +8.3. Validating Use of the Option Data + + Transport protocols should be designed to provide protection from + data injection attacks by off-path devices, and mechanisms should be + described in the Security Considerations section for each transport + specification (see Section 5.1 of "UDP Usage Guidelines" [RFC8085]). + For example, a TCP or UDP application that maintains the related + state and uses a randomized ephemeral port would provide basic + protection. TLS [RFC8446] or IPsec [RFC4301] provide cryptographic + authentication. An upper-layer protocol that validates each received + packet discards any packet when this validation fails. In this case, + the host MUST also discard the associated Option Data from the + MinPMTU HBH Option without further processing (Section 6.3). + + A network node on the path has visibility of all packets it forwards. + By observing the network packet payload, the node might be able to + construct a packet that might be validated by the destination host. + Such a node would also be able to drop or limit the flow in other + ways that could be potentially more disruptive. Authenticating the + packet, for example, using IPsec [RFC4301] or TLS [RFC8446] mitigates + this attack. Note that the authentication style of the + Authentication Header (AH) [RFC4302], while authenticating the + payload and outer IPv6 header, does not check Hop-by-Hop Options that + change on route. + +8.4. Direct Use of the Rtn-PMTU Value + + The simplest way to utilize the Rtn-PMTU value is to directly use + this to update the PMTU. This approach results in a set of security + issues when the Option carries malicious data: + + * A direct update of the PMTU using the Rtn-PMTU value could result + in an attacker inflating or reducing the size of the host PMTU for + the destination. Forcing a reduction in the PMTU can decrease the + efficiency of network use, might increase the number of packets/ + fragments required to send the same volume of payload data, and + can prevent sending an unfragmented datagram larger than the PMTU. + Increasing the PMTU can result in a path silently dropping packets + (described as a black hole in [RFC8899]) when the source host + sends packets larger than the actual PMTU. This persists until + the PMTU is next updated. + + * The method can be used to solicit a response from the destination + host. A malicious attacker could forge a packet that causes the + destination to add the Option to a packet sent to the source host. + A forged value of Rtn-PMTU in the Option Data might also impact + the remote endpoint, as described in the previous bullet. This + persists until a valid MinPMTU HBH Option is received. This + attack could be mitigated by limiting the sending of the MinPMTU + HBH Option in reply to incoming packets that carry the Option. + +8.5. Using the Rtn-PMTU Value as a Hint for Probing + + Another way to utilize the Rtn-PMTU value is to indirectly trigger a + probe to determine if the path supports a PMTU of size Rtn-PMTU. + This approach needs context for the flow and hence assumes an upper- + layer protocol that validates the packet that carries the Option (see + Section 8.3). This is the case when used in combination with + DPLPMTUD [RFC8899]. A set of security considerations result when an + Option carries malicious data: + + * If the forged packet carries a validated Option with a non-zero + Rtn-PMTU field, the upper-layer protocol could utilize the + information in the Rtn-PMTU field. A Rtn-PMTU larger than the + current PMTU can trigger a probe for a new size. + + * If the forged packet carries a non-zero Min-PMTU field, the upper- + layer protocol would change the cached information about the path + from the source. The cached information at the destination host + will be overwritten when the host receives another packet that + includes a MinPMTU HBH Option corresponding to the flow. + + * Processing of the Option could cause a destination host to add the + MinPMTU HBH Option to a packet sent to the source host. This + Option will carry a Rtn-PMTU value that could have been updated by + the forged packet. The impact of the source host receiving this + resembles that discussed previously. + +8.6. Impact of Middleboxes + + There is evidence that some middleboxes drop packets that include + Hop-by-Hop Options. For example, a firewall might drop a packet that + carries an unknown extension header or Option. This practice is + expected to decrease as the Option becomes more widely used. Methods + to address this are discussed in Section 6.3.6. + + When a forged packet causes a packet that includes the MinPMTU HBH + Option to be sent and the return path does not forward packets with + this Option, the packet will be dropped (see Section 6.3.6). This + attack is mitigated by validating the Option Data before use and by + limiting the rate of responses generated. An upper layer could + further mitigate the impact by responding to an R-Flag by including + the Option in a packet that does not carry application data. + +9. Experiment Goals + + This section describes the experimental goals of this specification. + + A successful deployment of the method depends upon several components + being implemented and deployed: + + * Support in the sending node (see Section 6.2). This also requires + corresponding support in upper-layer protocols (see Section 6.3). + + * Router support in nodes (see Section 6.1). The IETF continues to + provide recommendations on the use of IPv6 Hop-by-Hop Options, for + example, see Section 2.2.2 of [RFC9099]. This document does not + update the way router implementations configure support for Hop- + by-Hop Options. + + * Support in the receiving node (see Section 6.3.3). + + Experience from deployment is an expected input to any decision to + progress this specification from Experimental to IETF Standards + Track. Appropriate inputs might include: + + * reports of implementation experience, + + * measurements of the number paths where the method can be used, or + + * measurements showing the benefit realized or the implications of + using specific methods over specific paths. + +10. Implementation Status + + At the time this document was published, there are two known + implementations of the Path MTU Hop-by-Hop Option. These are: + + * Wireshark dissector. This is shipping in production in Wireshark + version 3.2 [WIRESHARK]. + + * A prototype in the open source version of the FD.io Vector Packet + Processing (VPP) technology [VPP]. At the time this document was + published, the source code can be found [VPP_SRC]. + +11. References + +11.1. Normative References + + [IANA-HBH] IANA, "Destination Options and Hop-by-Hop Options", + <https://www.iana.org/assignments/ipv6-parameters/>. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <https://www.rfc-editor.org/info/rfc2119>. + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, <https://www.rfc-editor.org/info/rfc8174>. + + [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 + (IPv6) Specification", STD 86, RFC 8200, + DOI 10.17487/RFC8200, July 2017, + <https://www.rfc-editor.org/info/rfc8200>. + + [RFC8201] McCann, J., Deering, S., Mogul, J., and R. Hinden, Ed., + "Path MTU Discovery for IP version 6", STD 87, RFC 8201, + DOI 10.17487/RFC8201, July 2017, + <https://www.rfc-editor.org/info/rfc8201>. + +11.2. Informative References + + [RFC1063] Mogul, J., Kent, C., Partridge, C., and K. McCloghrie, "IP + MTU discovery options", RFC 1063, DOI 10.17487/RFC1063, + July 1988, <https://www.rfc-editor.org/info/rfc1063>. + + [RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, + DOI 10.17487/RFC1191, November 1990, + <https://www.rfc-editor.org/info/rfc1191>. + + [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 + (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, + December 1998, <https://www.rfc-editor.org/info/rfc2460>. + + [RFC4301] Kent, S. and K. Seo, "Security Architecture for the + Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, + December 2005, <https://www.rfc-editor.org/info/rfc4301>. + + [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, + DOI 10.17487/RFC4302, December 2005, + <https://www.rfc-editor.org/info/rfc4302>. + + [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet + Control Message Protocol (ICMPv6) for the Internet + Protocol Version 6 (IPv6) Specification", STD 89, + RFC 4443, DOI 10.17487/RFC4443, March 2006, + <https://www.rfc-editor.org/info/rfc4443>. + + [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU + Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, + <https://www.rfc-editor.org/info/rfc4821>. + + [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, + "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, + DOI 10.17487/RFC4861, September 2007, + <https://www.rfc-editor.org/info/rfc4861>. + + [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label + for Equal Cost Multipath Routing and Link Aggregation in + Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011, + <https://www.rfc-editor.org/info/rfc6438>. + + [RFC7637] Garg, P., Ed. and Y. Wang, Ed., "NVGRE: Network + Virtualization Using Generic Routing Encapsulation", + RFC 7637, DOI 10.17487/RFC7637, September 2015, + <https://www.rfc-editor.org/info/rfc7637>. + + [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage + Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, + March 2017, <https://www.rfc-editor.org/info/rfc8085>. + + [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol + Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, + <https://www.rfc-editor.org/info/rfc8446>. + + [RFC8899] Fairhurst, G., Jones, T., Tüxen, M., Rüngeler, I., and T. + Völker, "Packetization Layer Path MTU Discovery for + Datagram Transports", RFC 8899, DOI 10.17487/RFC8899, + September 2020, <https://www.rfc-editor.org/info/rfc8899>. + + [RFC8900] Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O., + and F. Gont, "IP Fragmentation Considered Fragile", + BCP 230, RFC 8900, DOI 10.17487/RFC8900, September 2020, + <https://www.rfc-editor.org/info/rfc8900>. + + [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based + Multiplexed and Secure Transport", RFC 9000, + DOI 10.17487/RFC9000, May 2021, + <https://www.rfc-editor.org/info/rfc9000>. + + [RFC9099] Vyncke, É., Chittimaneni, K., Kaeo, M., and E. Rey, + "Operational Security Considerations for IPv6 Networks", + RFC 9099, DOI 10.17487/RFC9099, August 2021, + <https://www.rfc-editor.org/info/rfc9099>. + + [TAPS-ARCH] + Pauly, T., Ed., Trammell, B., Ed., Brunstrom, A., + Fairhurst, G., and C. Perkins, "An Architecture for + Transport Services", Work in Progress, Internet-Draft, + draft-ietf-taps-arch-12, June 2022, + <https://datatracker.ietf.org/doc/bibxml3/draft-ietf-taps- + arch.xml>. + + [VPP] FD.io, "VPP/What is VPP?", + <https://wiki.fd.io/view/VPP/What_is_VPP%3F>. + + [VPP_SRC] "vpp", commit 21948, ip: HBH MTU recording for IPv6, + <https://gerrit.fd.io/r/c/vpp/+/21948>. + + [WIRESHARK] + "Wireshark Network Protocol Analyzer", + <https://www.wireshark.org>. + +Appendix A. Examples of Usage + + This section provides examples that illustrate a use of the MinPMTU + HBH Option by a source using DPLPMTUD to discover the PLPMTU + supported by a path. They consider a path where the on-path router + has been configured with an outgoing MTU of d'. The source starts by + transmission of packets of size a and then uses DPLPMTUD to seek to + increase the size in steps resulting in sizes of b, c, d, e, etc. + (chosen by the search algorithm used by DPLPMTUD). The search + algorithm terminates with a PLPMTU that is at least d and is less + than or equal to d'. + + The first example considers DPLPMTUD without using the MinPMTU HBH + Option. In this case, DPLPMTUD searches using a probe packet that + increases in size. Probe packets of size e are sent, which are + larger than the actual PMTU. In this example, PTB messages are not + received from the routers, and repeated unsuccessful probes result in + the search phase completing. Packets of data are never sent with a + size larger than the size of the last confirmed probe packet. + Acknowledgments (ACKs) of data packets are not shown. + + ----Packets of data size a ------------------------------> + ----Probe size b ----------------------------------------> + <---------------------------------- ACK of probe -------- + ----Packets of data size b ------------------------------> + ----Probe size c ----------------------------------------> + <---------------------------------- ACK of probe -------- + ----Packets of data size c ------------------------------> + ----Probe size d ----------------------------------------> + <---------------------------------- ACK of probe -------- + ----Packets of data size d ------------------------------> + <---------------------------------- ACK of probe -------- + ... + ----Probe size e --------------X + X----ICMPv6 PTB d' ----| + ----Packets of data size d ------------------------------> + ----Probe size e --------------X (again) + X----ICMPv6 PTB d' ----| + ----Packets of data size d ------------------------------> + ... + etc. until MaxProbes are unsuccessful and search phase completes. + ----Packets of data size d ------------------------------> + + Figure 3 + + The second example considers DPLPMTUD with the MinPMTU HBH Option set + on a connectivity probe packet. + + The IPv6 Option is sent end to end, and the Min-PMTU is updated by a + router on the path to d', which is returned in a response that also + sets the MinPMTU HBH Option. Upon receiving the Rtn-PMTU value, + DPLPMTUD immediately sends a probe packet of the target size d'. If + the probe packet is confirmed for the path, the PLPMTU is updated, + allowing the source to use data packets up to size d'. (The search + algorithm is allowed to continue to probe to see if the path supports + a larger size.) Packets of data are never sent with a size larger + than the last confirmed probe size d'. + + ----Packets of data size a ------------------------------> + ----Connectivity probe with MinPMTU- + +--updated to minPMTU=d'-----> + <-----------------ACK with Rtn-PMTU=d'-------------------- + ----Packets of data size a ------------------------------> + ----Probe size d' ---------------------------------------> + <---------------------------------- ACK of probe --------- + -----Packets of data size d' ----------------------------> + Search phase completes. + -----Packets of data size d' ----------------------------> + + Figure 4 + + The final example considers DPLPMTUD with the MinPMTU HBH Option set + on a connectivity probe packet but shows the effect when this + connectivity probe packet is dropped. + + In this case, the packet with the MinPMTU HBH Option is not received. + DPLPMTUD searches using probe packets of increasing size, increasing + the PLPMTU when the probes are confirmed. An ICMPv6 PTB message is + received when the probed size exceeds the actual PMTU, indicating a + PTB_SIZE of d'. DPLPMTUD immediately sends a probe packet of the + target size d'. If the probe packet is confirmed for the path, the + PLPMTU is updated, allowing the source to use data packets up to size + d'. If the ICMPv6 PTB message is not received, the DPLPMTU will be + the last confirmed probe size, which is d. + + ----Packets of data size a -------------------------------> + ----Connectivity probe with MinPMTU --------X + ----Packets of data size a -------------------------------> + ----Probe size b -----------------------------------------> + <---------------------------------- ACK of probe -------- + ----Packets of data size b -------------------------------> + ----Probe size c -----------------------------------------> + <---------------------------------- ACK of probe -------- + ----Packets of data size c -------------------------------> + ----Probe size d -----------------------------------------> + <---------------------------------- ACK of probe -------- + ----Packets of data size d -------------------------------> + ----Probe size e ------------X + <--ICMPv6 PTB PTB_SIZE d' --| + ----Packets of data size d -------------------------------> + ----Probe size d' using target set by PTB_SIZE -----------> + <---------------------------------- ACK of probe -------- + Search phase completes. + ----Packets of data size d' ------------------------------> + + Figure 5 + + The number of probe rounds depends on the number of steps needed by + the search algorithm and is typically larger for a larger PMTU. + +Acknowledgments + + Helpful comments were received from Tom Herbert, Tom Jones, Fred + Templin, Ole Troan, Tianran Zhou, Jen Linkova, Brian Carpenter, Peng + Shuping, Mark Smith, Fernando Gont, Michael Dougherty, Erik Kline, + and other members of the 6MAN Working Group. + +Authors' Addresses + + Robert M. Hinden + Check Point Software + 959 Skyway Road + San Carlos, CA 94070 + United States of America + Email: bob.hinden@gmail.com + + + Godred Fairhurst + University of Aberdeen + School of Engineering + Fraser Noble Building + Aberdeen + AB24 3UE + United Kingdom + Email: gorry@erg.abdn.ac.uk |