summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc9601.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc9601.txt')
-rw-r--r--doc/rfc/rfc9601.txt1051
1 files changed, 1051 insertions, 0 deletions
diff --git a/doc/rfc/rfc9601.txt b/doc/rfc/rfc9601.txt
new file mode 100644
index 0000000..8e4e827
--- /dev/null
+++ b/doc/rfc/rfc9601.txt
@@ -0,0 +1,1051 @@
+
+
+
+
+Internet Engineering Task Force (IETF) B. Briscoe
+Request for Comments: 9601 Independent
+Updates: 2661, 2784, 3931, 4380, 6040, 7450 August 2024
+Category: Standards Track
+ISSN: 2070-1721
+
+
+ Propagating Explicit Congestion Notification across IP Tunnel Headers
+ Separated by a Shim
+
+Abstract
+
+ RFC 6040 on "Tunnelling of Explicit Congestion Notification" made the
+ rules for propagation of Explicit Congestion Notification (ECN)
+ consistent for all forms of IP-in-IP tunnel. This specification
+ updates RFC 6040 to clarify that its scope includes tunnels where two
+ IP headers are separated by at least one shim header that is not
+ sufficient on its own for wide-area packet forwarding. It surveys
+ widely deployed IP tunnelling protocols that use such shim headers
+ and updates the specifications of those that do not mention ECN
+ propagation (including RFCs 2661, 3931, 2784, 4380 and 7450, which
+ specify L2TPv2, L2TPv3, Generic Routing Encapsulation (GRE), Teredo,
+ and Automatic Multicast Tunneling (AMT), respectively). This
+ specification also updates RFC 6040 with configuration requirements
+ needed to make any legacy tunnel ingress safe.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc9601.
+
+Copyright Notice
+
+ Copyright (c) 2024 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Revised BSD License text as described in Section 4.e of the
+ Trust Legal Provisions and are provided without warranty as described
+ in the Revised BSD License.
+
+ This document may contain material from IETF Documents or IETF
+ Contributions published or made publicly available before November
+ 10, 2008. The person(s) controlling the copyright in some of this
+ material may not have granted the IETF Trust the right to allow
+ modifications of such material outside the IETF Standards Process.
+ Without obtaining an adequate license from the person(s) controlling
+ the copyright in such materials, this document may not be modified
+ outside the IETF Standards Process, and derivative works of it may
+ not be created outside the IETF Standards Process, except to format
+ it for publication as an RFC or to translate it into languages other
+ than English.
+
+Table of Contents
+
+ 1. Introduction
+ 2. Terminology
+ 3. Scope of RFC 6040
+ 3.1. Feasibility of ECN Propagation between Tunnel Headers
+ 3.2. Desirability of ECN Propagation between Tunnel Headers
+ 4. Making a Non-ECN Tunnel Ingress Safe by Configuration
+ 5. ECN Propagation and Fragmentation/Reassembly
+ 6. IP-in-IP Tunnels with Tightly Coupled Shim Headers
+ 6.1. Specific Updates to Protocols under IETF Change Control
+ 6.1.1. L2TP (v2 and v3) ECN Extension
+ 6.1.2. GRE
+ 6.1.3. Teredo
+ 6.1.4. AMT
+ 7. IANA Considerations
+ 8. Security Considerations
+ 9. References
+ 9.1. Normative References
+ 9.2. Informative References
+ Acknowledgements
+ Author's Address
+
+1. Introduction
+
+ [RFC6040] on "Tunnelling of Explicit Congestion Notification" made
+ the rules for propagation of Explicit Congestion Notification (ECN)
+ [RFC3168] consistent for all forms of IP-in-IP tunnel.
+
+ A common pattern for many tunnelling protocols is to encapsulate an
+ inner IP header (v4 or v6) with one or more shim headers then an
+ outer IP header (v4 or v6). Some of these shim headers are designed
+ as generic encapsulations, so they do not necessarily directly
+ encapsulate an inner IP header. Instead, they can encapsulate
+ headers such as link-layer (L2) protocols that, in turn, often
+ encapsulate IP. Thus, the abbreviation 'IP-shim-(L2)-IP' can be used
+ for tunnels that are in scope of this document.
+
+ To clear up confusion, this specification clarifies that the scope of
+ [RFC6040] includes any IP-in-IP tunnel, including those with one or
+ more shim headers and other encapsulations between the IP headers.
+ Where necessary, it updates the specifications of the relevant
+ encapsulation protocols with the specific text necessary to comply
+ with [RFC6040].
+
+ This specification also updates [RFC6040] to state how operators
+ ought to configure a legacy tunnel ingress to avoid unsafe system
+ configurations.
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+ capitals, as shown here.
+
+ This specification uses the terminology defined in [RFC6040].
+
+3. Scope of RFC 6040
+
+ In Section 1.1 of [RFC6040], its scope is defined as:
+
+ | ...ECN field processing at encapsulation and decapsulation for any
+ | IP-in-IP tunnelling, whether IPsec or non-IPsec tunnels. It
+ | applies irrespective of whether IPv4 or IPv6 is used for either
+ | the inner or outer headers.
+
+ There are two problems with the above scoping statement:
+
+ Problem 1: It was intended to include cases where one or more shim
+ headers sit between the IP headers. Many tunnelling implementers
+ have interpreted the scope of [RFC6040] as it was intended, but it is
+ ambiguous. Therefore, this specification updates [RFC6040] by adding
+ the following scoping text after the sentences quoted above:
+
+ | It applies in cases where an outer IP header encapsulates an inner
+ | IP header either directly or indirectly by encapsulating other
+ | headers that in turn encapsulate (or might encapsulate) an inner
+ | IP header.
+
+ Problem 2: Like many IETF specifications, [RFC6040] is written as a
+ specification that implementations can choose to claim compliance
+ with. This means it does not cover two important situations:
+
+ 1. Cases where it is infeasible for an implementation to access an
+ inner IP header when adding or removing an outer IP header
+
+ 2. Cases where implementations choose not to propagate ECN between
+ IP headers
+
+ However, the ECN field is a non-optional part of the IP header (v4
+ and v6), so any implementation that creates an outer IP header has to
+ give the ECN field some value. There is only one safe value a tunnel
+ ingress can use if it does not know whether the egress supports
+ propagation of the ECN field; it has to clear the ECN field in any
+ outer IP header to 0b00.
+
+ However, an RFC has no jurisdiction over implementations that choose
+ not to comply or cannot comply with the RFC, including all
+ implementations that predated it. Therefore, it would have been
+ unreasonable to add such a requirement to [RFC6040]. Nonetheless, to
+ ensure safe propagation of the ECN field over tunnels, it is
+ reasonable to add requirements on operators to ensure they configure
+ their tunnels safely (where possible). Before resolving 'Problem 2'
+ by stating these configuration requirements (in Section 4), the
+ factors that determine whether propagating ECN is feasible or
+ desirable will be briefly introduced.
+
+3.1. Feasibility of ECN Propagation between Tunnel Headers
+
+ In many cases, one or more shim headers and an outer IP header are
+ always added to (or removed from) an inner IP packet as part of the
+ same procedure. We call these tightly coupled shim headers.
+ Processing a shim and outer header together is often necessary
+ because a shim is not sufficient for packet forwarding in its own
+ right; not unless complemented by an outer header. In these cases,
+ it will often be feasible for an implementation to propagate the ECN
+ field between the IP headers.
+
+ In some cases, a tunnel adds an outer IP header and a tightly coupled
+ shim header to an inner header that is not an IP header, but that, in
+ turn, encapsulates an IP header (or might encapsulate an IP header).
+ For instance, an inner Ethernet (or other link-layer) header might
+ encapsulate an inner IP header as its payload. We call this a
+ tightly coupled shim over an encapsulating header.
+
+ Digging to arbitrary depths to find an inner IP header within an
+ encapsulation is strictly a layering violation, so it cannot be a
+ required behaviour. Nonetheless, some tunnel endpoints already look
+ within a Layer 2 (L2) header for an IP header, for instance, to map
+ the Diffserv codepoint between an encapsulated IP header and an outer
+ IP header [RFC2983]. In such cases at least, it should be feasible
+ to also (independently) propagate the ECN field between the same IP
+ headers. Thus, access to the ECN field within an encapsulating
+ header can be a useful and benign optimization. The guidelines in
+ Section 5 of [RFC9599] give the conditions for this layering
+ violation to be benign.
+
+3.2. Desirability of ECN Propagation between Tunnel Headers
+
+ Developers and network operators are encouraged to implement and
+ deploy tunnel endpoints compliant with [RFC6040] (as updated by the
+ present specification) in order to provide the benefits of wider ECN
+ deployment [RFC8087]. Nonetheless, propagation of ECN between IP
+ headers, whether separated by shim headers or not, has to be optional
+ to implement and to use, because:
+
+ * legacy implementations of tunnels without any ECN support already
+ exist;
+
+ * a network might be designed so that there is usually no bottleneck
+ within the tunnel; and
+
+ * if the tunnel endpoints would have to search within an L2 header
+ to find an encapsulated IP header, it might not be worth the
+ potential performance hit.
+
+4. Making a Non-ECN Tunnel Ingress Safe by Configuration
+
+ Even when no specific attempt has been made to implement propagation
+ of the ECN field at a tunnel ingress, it ought to be possible for the
+ operator to render a tunnel ingress safe by configuration. The main
+ safety concern is to disable (clear to zero) the ECN capability in
+ the outer IP header at the ingress if the egress of the tunnel does
+ not implement ECN logic to propagate any ECN markings into the packet
+ forwarded beyond the tunnel. Otherwise, the non-ECN egress could
+ discard any ECN marking introduced within the tunnel, which would
+ break all the ECN-based control loops that regulate the traffic load
+ over the tunnel.
+
+ Therefore, this specification updates Section 4.3 of [RFC6040] by
+ inserting the following text at the end of the section:
+
+ | Whether or not an ingress implementation claims compliance with
+ | [RFC6040], [RFC4301], or [RFC3168], when the outer tunnel header
+ | is IP (v4 or v6), if possible, the ingress MUST be configured to
+ | zero the outer ECN field in all of the following cases:
+ |
+ | * if it is known that the tunnel egress does not support any of
+ | the RFCs that define propagation of the ECN field ([RFC6040],
+ | [RFC4301], or the full functionality mode of [RFC3168]);
+ |
+ | * if the behaviour of the egress is not known or an egress with
+ | unknown behaviour might be dynamically paired with the ingress
+ | (one way for an operator of a tunnel ingress to determine the
+ | behaviour of an otherwise unknown egress is described in
+ | [decap-test]);
+ |
+ | * if an IP header might be encapsulated within a non-IP header
+ | that the tunnel ingress is encapsulating, but the ingress does
+ | not inspect within the encapsulation.
+ |
+ | For the avoidance of doubt, the above only concerns the outer IP
+ | header. The ingress MUST NOT alter the ECN field of the arriving
+ | IP header that will become the inner IP header.
+ |
+ | In order that the network operator can comply with the above
+ | safety rules, an implementation of a tunnel ingress:
+ |
+ | * MUST NOT treat the former Type of Service (ToS) octet (IPv4) or
+ | the former Traffic Class octet (IPv6) as a single 8-bit field.
+ | This is because the resulting linkage of ECN and Diffserv field
+ | propagation between inner and outer headers is not consistent
+ | with the definition of the 6-bit Diffserv field in [RFC2474]
+ | and [RFC3260].
+ |
+ | * SHOULD be able to be configured to zero the ECN field of the
+ | outer header.
+ |
+ | These last two rules apply even if an implementation of a tunnel
+ | ingress does not claim to support [RFC6040], [RFC4301], or the
+ | full functionality mode of [RFC3168]
+
+ For instance, if a tunnel ingress with no ECN-specific logic had a
+ configuration capability to refer to the last 2 bits of the old ToS
+ Byte of the outer (e.g., with a 0x3 mask) and set them to zero, while
+ also being able to allow the DSCP to be re-mapped independently, that
+ would be sufficient to satisfy both implementation requirements
+ above.
+
+ There might be concern that the above "MUST NOT" makes compliant
+ implementations non-compliant at a stroke. However, by definition,
+ it solely applies to equipment that provides Diffserv configuration.
+ Any such Diffserv equipment that is configuring treatment of the
+ former ToS octet (IPv4) or the former Traffic Class octet (IPv6) as a
+ single 8-bit field must have always been non-compliant with the
+ definition of the 6-bit Diffserv field in [RFC2474] and [RFC3260].
+ If a tunnel ingress does not have any ECN logic, copying the ECN
+ field as a side effect of copying the DSCP is a seriously unsafe bug
+ that risks breaking the feedback loops that regulate load on a
+ tunnel, because it omits to check the ECN capability of the tunnel
+ egress.
+
+ Zeroing the outer ECN field of all packets in all circumstances would
+ be safe, but it would not be sufficient to claim compliance with
+ [RFC6040] because it would not meet the aim of introducing ECN
+ support to tunnels (see Section 4.3 of [RFC6040]).
+
+5. ECN Propagation and Fragmentation/Reassembly
+
+ The following requirements update [RFC6040], which omitted handling
+ of the ECN field during fragmentation or reassembly. These changes
+ might alter how many ECN-marked packets are propagated by a tunnel
+ that fragments packets, but this would not raise any backward
+ compatibility issues.
+
+ If a tunnel ingress fragments a packet, it MUST set the outer ECN
+ field of all the fragments to the same value as it would have set if
+ it had not fragmented the packet.
+
+ Section 5.3 of [RFC3168] specifies ECN requirements for reassembly of
+ sets of 'outer fragments' into packets (in 'outer fragmentation', the
+ fragmentation is visible in the outer header so that the tunnel
+ egress can reassemble the fragments [INTAREA-TUNNELS]).
+ Additionally, the following requirements apply at a tunnel egress:
+
+ * During reassembly of outer fragments, the packet MUST be discarded
+ if the ECN fields of the outer headers being reassembled into a
+ single packet consist of a mixture of Not ECN-Capable Transport
+ (Not-ECT) and other ECN codepoints.
+
+ * If there is mix of ECT(0) and ECT(1) outer fragments, then the
+ reassembled packet MUST be set to ECT(1).
+
+ Reasoning: [RFC3168] originally defined ECT(0) and ECT(1) as
+ equivalent, but [RFC3168] has been updated by [RFC8311] to make
+ ECT(1) available for congestion marking differences. The rule is
+ independent of the current experimental use of ECT(1) for Low
+ Latency, Low Loss, and Scalable throughput (L4S) [RFC9331]. The
+ rule is compatible with Pre-Congestion Notification (PCN)
+ [RFC6660], which uses 2 levels of congestion severity, with the
+ ranking of severity from highest to lowest being Congestion
+ Experienced (CE), ECT(1), ECT(0). The decapsulation rules in
+ [RFC6040] take a similar approach.
+
+6. IP-in-IP Tunnels with Tightly Coupled Shim Headers
+
+ Below is a list of specifications of encapsulations with tightly
+ coupled shim header(s) in rough chronological order. This list is
+ confined to Standards Track or widely deployed protocols. So, for
+ the avoidance of doubt, the updated scope of [RFC6040] is defined in
+ Section 3 and is not limited to this list.
+
+ * Point-to-Point Tunneling Protocol (PPTP) [RFC2637]
+
+ * Layer Two Tunneling Protocol (L2TP), specifically L2TPv2 [RFC2661]
+ and L2TPv3 [RFC3931], which not only includes all the L2-specific
+ specializations of L2TP, but also derivatives such as the Keyed
+ IPv6 Tunnel [RFC8159]
+
+ * Generic Routing Encapsulation (GRE) [RFC2784] and Network
+ Virtualization using GRE (NVGRE) [RFC7637]
+
+ * GPRS Tunnelling Protocol (GTP), specifically GTPv1 [GTPv1], GTP v1
+ User Plane [GTPv1-U], and GTP v2 Control Plane [GTPv2-C]
+
+ * Teredo [RFC4380]
+
+ * Control And Provisioning of Wireless Access Points (CAPWAP)
+ [RFC5415]
+
+ * Locator/Identifier Separation Protocol (LISP) [RFC9300]
+
+ * Automatic Multicast Tunneling (AMT) [RFC7450]
+
+ * Virtual eXtensible Local Area Network (VXLAN) [RFC7348] and
+ Generic Protocol Extensions for VXLAN (VXLAN-GPE) [NVO3-VXLAN-GPE]
+
+ * The Network Service Header (NSH) [RFC8300] for Service Function
+ Chaining (SFC)
+
+ * Geneve [RFC8926]
+
+ * Direct tunnelling of an IP packet within a UDP/IP datagram (see
+ Section 3.1.11 of [RFC8085])
+
+ * TCP Encapsulation of Internet Key Exchange Protocol (IKE) and
+ IPsec Packets (see Section 9.5 of [RFC9329])
+
+ Some of the listed protocols enable encapsulation of a variety of
+ network layer protocols as inner and/or outer. This specification
+ applies to the cases where there is an inner and outer IP header as
+ described in Section 3. Otherwise, [RFC9599] gives guidance on how
+ to design propagation of ECN into other protocols that might
+ encapsulate IP.
+
+ Where protocols in the above list need to be updated to specify ECN
+ propagation and are under IETF change control, update text is given
+ in the following subsections. For those not under IETF control, it
+ is RECOMMENDED that implementations of encapsulation and
+ decapsulation comply with [RFC6040]. It is also RECOMMENDED that
+ their specifications are updated to add a requirement to comply with
+ [RFC6040] (as updated by the present document).
+
+ PPTP is not under the change control of the IETF, but it has been
+ documented in an Informational RFC [RFC2637]. However, there is no
+ need for the present specification to update PPTP because L2TP has
+ been developed as a standardized replacement.
+
+ NVGRE is not under the change control of the IETF, but it has been
+ documented in an Informational RFC [RFC7637]. NVGRE is a specific
+ use case of GRE (it re-purposes the key field from the initial
+ specification of GRE [RFC1701] as a Virtual Subnet ID). Therefore,
+ the text that updates GRE in Section 6.1.2 below is also intended to
+ update NVGRE.
+
+ Although the definition of the various GTP shim headers is under the
+ control of the Third Generation Partnership Project (3GPP), it is
+ hard to determine whether the 3GPP or the IETF controls
+ standardization of the _process_ of adding both a GTP and an IP
+ header to an inner IP header. Nonetheless, the present specification
+ is provided so that the 3GPP can refer to it from any of its own
+ specifications of GTP and IP header processing.
+
+ The specification of CAPWAP already specifies [RFC3168] ECN
+ propagation and ECN capability negotiation. Without modification,
+ the CAPWAP specification already interworks with the backward-
+ compatible updates to [RFC3168] in [RFC6040].
+
+ LISP made the ECN propagation procedures in [RFC3168] mandatory from
+ the start. [RFC3168] has since been updated by [RFC6040], but the
+ changes are backwards compatible, so there is still no need for LISP
+ tunnel endpoints to negotiate their ECN capabilities.
+
+ VXLAN is not under the change control of the IETF, but it has been
+ documented in an Informational RFC. It is RECOMMENDED that VXLAN
+ implementations comply with [RFC6040] when the VXLAN header is
+ inserted between (or removed from between) IP headers. The authors
+ of any future update of the VXLAN spec are also encouraged to add a
+ requirement to comply with [RFC6040] as updated by the present
+ specification. In contrast, VXLAN-GPE is being documented under IETF
+ change control and it does require compliance with [RFC6040].
+
+ The Network Service Header (NSH) [RFC8300] has been defined as a
+ shim-based encapsulation to identify the Service Function Path (SFP)
+ in the Service Function Chaining (SFC) architecture [RFC7665]. A
+ proposal has been made for the processing of ECN when handling
+ transport encapsulation [SFC-NSH-ECN].
+
+ The specification of Geneve already refers to [RFC6040] for ECN
+ encapsulation.
+
+ Section 3.1.11 of [RFC8085] already explains that a tunnel that
+ encapsulates an IP header within a UDP/IP datagram needs to follow
+ [RFC6040] when propagating the ECN field between inner and outer IP
+ headers. Section 3 of the present specification updates [RFC6040] to
+ clarify that its scope includes cases with a shim header between the
+ IP headers. So it indirectly updates the scope of [RFC8085] to
+ include cases with a shim header as well as a UDP header between the
+ IP headers.
+
+ The requirements in Section 4 update [RFC6040], and hence also
+ indirectly update the UDP usage guidelines in [RFC8085] to add the
+ important but previously unstated requirement that, if the UDP tunnel
+ egress does not, or might not, support ECN propagation, a UDP tunnel
+ ingress has to clear the outer IP ECN field to 0b00, e.g., by
+ configuration.
+
+ Section 9.5 of [RFC9329] already recommends the compatibility mode of
+ [RFC6040] in this case because there is not a one-to-one mapping
+ between inner and outer packets when TCP encapsulates IKE or IPsec.
+
+6.1. Specific Updates to Protocols under IETF Change Control
+
+6.1.1. L2TP (v2 and v3) ECN Extension
+
+ The L2TP terminology used here is defined in [RFC2661] and [RFC3931].
+
+ L2TPv3 [RFC3931] is used as a shim header between any packet-switched
+ network (PSN) header (e.g., IPv4, IPv6, and MPLS) and many types of
+ L2 headers. The L2TPv3 shim header encapsulates an L2-specific sub-
+ layer, then an L2 header that is likely to contain an inner IP header
+ (v4 or v6). Then this whole stack of headers can be encapsulated
+ within an optional outer UDP header and an outer PSN header that is
+ typically IP (v4 or v6).
+
+ L2TPv2 is used as a shim header between any PSN header and a PPP
+ header, which is in turn likely to encapsulate an IP header.
+
+ Even though these shims are rather fat (particularly in the case of
+ L2TPv3), they still fit the definition of a tightly coupled shim
+ header over an encapsulating header (Section 3.1) because all the
+ headers encapsulating the L2 header are added (or removed) together.
+ L2TPv2 and L2TPv3 are therefore within the scope of [RFC6040], as
+ updated by Section 3.
+
+ Implementation of the ECN extension to L2TPv2 and L2TPv3 defined in
+ Section 6.1.1.2 is RECOMMENDED in order to provide the benefits of
+ ECN [RFC8087] whenever a node within an L2TP tunnel becomes the
+ bottleneck for an end-to-end traffic flow.
+
+6.1.1.1. Safe Configuration of a "Non-ECN" Ingress LCCE
+
+ The following text is appended to both Section 5.3 of [RFC2661] and
+ Section 4.5 of [RFC3931] as an update to the base L2TPv2 and L2TPv3
+ specifications:
+
+ | The operator of an LCCE that does not support the ECN extension in
+ | Section 6.1.1.2 of RFC 9601 MUST follow the configuration
+ | requirements in Section 4 of RFC 9601 to ensure it clears the
+ | outer IP ECN field to 0b00 when the outer PSN header is IP (v4 or
+ | v6).
+
+ In particular, for an L2TP Control Connection Endpoint (LCCE)
+ implementation that does not support the ECN extension, this means
+ that configuration of how it propagates the ECN field between inner
+ and outer IP headers MUST be independent of any configuration of the
+ Diffserv extension of L2TP [RFC3308].
+
+6.1.1.2. ECN Extension for L2TP (v2 or v3)
+
+ When the outer PSN header and the payload inside the L2 header are
+ both IP (v4 or v6), an LCCE will propagate the ECN field at ingress
+ and egress by following the rules in Section 4 of [RFC6040].
+
+ Before encapsulating any data packets, [RFC6040] requires an ingress
+ LCCE to check that the egress LCCE supports ECN propagation as
+ defined in [RFC6040] or one of its compatible predecessors ([RFC4301]
+ or the full functionality mode of [RFC3168]). If the egress supports
+ ECN propagation, the ingress LCCE can use the normal mode of
+ encapsulation (copying the ECN field from inner to outer).
+ Otherwise, the ingress LCCE has to use compatibility mode [RFC6040]
+ (clearing the outer IP ECN field to 0b00).
+
+ An LCCE can determine the remote LCCE's support for ECN either
+ statically (by configuration) or by dynamic discovery during setup of
+ each control connection between the LCCEs using the ECN Capability
+ Attribute-Value Pair (AVP) defined in Section 6.1.1.2.1.
+
+ Where the outer PSN header is some protocol other than IP that
+ supports ECN, the appropriate ECN propagation specification will need
+ to be followed, e.g., [RFC5129] for MPLS. Where no specification
+ exists for ECN propagation by a particular PSN, [RFC9599] gives
+ general guidance on how to design ECN propagation into a protocol
+ that encapsulates IP.
+
+6.1.1.2.1. ECN Capability AVP for Negotiation between LCCEs
+
+ The ECN Capability AVP defined here has Attribute Type 103. The AVP
+ has the following format:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |M|H|0|0|0|0| Length | Vendor ID |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 103 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 1: ECN Capability AVP for L2TP (v2 or v3)
+
+ This AVP MAY be present in the Start-Control-Connection-Request
+ (SCCRQ) and Start-Control-Connection-Reply (SCCRP) message types.
+ This AVP MAY be hidden (the H-bit is set to 0 or 1) and is optional
+ (the M-bit is not set). The length (before hiding) of this AVP is 6
+ octets. The Vendor ID is the IETF Vendor ID of 0.
+
+ When an LCCE sends an ECN Capability AVP, it indicates that it
+ supports ECN propagation. When no ECN Capability AVP is present, it
+ indicates that the sender does not support ECN propagation.
+
+ If an LCCE initiating a control connection supports ECN propagation,
+ it will send an SCCRQ containing an ECN Capability AVP. If the
+ tunnel terminator supports ECN, it will return an SCCRP that also
+ includes an ECN Capability AVP. Then, for any sessions created by
+ that control connection, both ends of the tunnel can use the normal
+ mode of [RFC6040]; i.e., they can copy the IP ECN field from inner to
+ outer when encapsulating data packets.
+
+ On the other hand, if the tunnel terminator does not support ECN, it
+ will ignore the ECN Capability AVP and send an SCCRP to the tunnel
+ initiator without an ECN Capability AVP. The tunnel initiator
+ interprets the absence of the ECN Capability flag in the SCCRP as an
+ indication that the tunnel terminator is incapable of supporting ECN.
+ When encapsulating data packets for any sessions created by that
+ control connection, the tunnel initiator will then use the
+ compatibility mode of [RFC6040] to clear the ECN field of the outer
+ IP header to 0b00.
+
+ If the tunnel terminator does not support this ECN extension, the
+ network operator is still expected to configure it to comply with the
+ safety provisions set out in Section 6.1.1.1 when it acts as an
+ ingress LCCE.
+
+ If ECN support by the ingress and egress LCCEs is configured
+ statically, as allowed in Section 6.1.1.2, they both ignore the
+ presence or absence of any ECN capability AVP.
+
+6.1.2. GRE
+
+ The GRE terminology used here is defined in [RFC2784]. GRE is often
+ used as a tightly coupled shim header between IP headers. Sometimes,
+ the GRE shim header encapsulates an L2 header, which might in turn
+ encapsulate an IP header. Therefore, GRE is within the scope of
+ [RFC6040] as updated by Section 3.
+
+ Implementation of support for [RFC6040] as updated by the present
+ specification is RECOMMENDED for GRE tunnel endpoints in order to
+ provide the benefits of ECN [RFC8087] whenever a node within a GRE
+ tunnel becomes the bottleneck for an end-to-end IP traffic flow
+ tunnelled over GRE using IP as the delivery protocol (outer header).
+
+ GRE itself does not support dynamic setup and configuration of
+ tunnels. However, control plane protocols, such as Next Hop
+ Resolution Protocol (NHRP) [RFC2332], Mobile IPv4 (MIP4) [RFC5944],
+ Mobile IPv6 (MIP6) [RFC6275], Proxy Mobile IP (PMIP) [RFC5845], and
+ IKEv2 [RFC7296], are sometimes used to set up GRE tunnels
+ dynamically.
+
+ When these control protocols set up IP-in-IP or IPsec tunnels, it is
+ likely that the resulting tunnels will propagate the ECN field as
+ defined in [RFC6040] or one of its compatible predecessors ([RFC4301]
+ or the full functionality mode of [RFC3168]). However, if they use a
+ GRE encapsulation, this presumption is less sound.
+
+ Therefore, if the outer delivery protocol is IP (v4 or v6), the
+ operator is obliged to follow the safe configuration requirements in
+ Section 4. Section 6.1.2.1 updates the base GRE specification with
+ this requirement to emphasize its importance.
+
+ Where the delivery protocol is some protocol other than IP that
+ supports ECN, the appropriate ECN propagation specification will need
+ to be followed, e.g., [RFC5129] for MPLS. Where no specification
+ exists for ECN propagation by a particular PSN, [RFC9599] gives more
+ general guidance on how to propagate ECN to and from protocols that
+ encapsulate IP.
+
+6.1.2.1. Safe Configuration of a "Non-ECN" GRE Ingress
+
+ The following text is appended to Section 3 of [RFC2784] as an update
+ to the base GRE specification:
+
+ | The operator of a GRE tunnel ingress MUST follow the configuration
+ | requirements in Section 4 of RFC 9601 when the outer delivery
+ | protocol is IP (v4 or v6).
+
+6.1.3. Teredo
+
+ Teredo [RFC4380] provides a way to tunnel IPv6 over an IPv4 network
+ with a UDP-based shim header between the two.
+
+ For Teredo tunnel endpoints to provide the benefits of ECN, the
+ Teredo specification would have to be updated to include negotiation
+ of the ECN capability between Teredo tunnel endpoints. Otherwise, it
+ would be unsafe for a Teredo tunnel ingress to copy the ECN field to
+ the IPv6 outer.
+
+ Those implementations known to the authors at the time of writing do
+ not support propagation of ECN, but they do safely zero the ECN field
+ in the outer IPv6 header. However, the specification does not
+ mention anything about this.
+
+ To make existing Teredo deployments safe, it would be possible to add
+ ECN capability negotiation to those that are subject to remote OS
+ update. However, for those implementations not subject to remote OS
+ update, it will not be feasible to require them to be configured
+ correctly because Teredo tunnel endpoints are generally deployed on
+ hosts.
+
+ Therefore, until ECN support is added to the specification of Teredo,
+ the only feasible further safety precaution available here is to
+ update the specification of Teredo implementations with the following
+ text as a new section:
+
+ | 5.1.3. Safe "Non-ECN" Teredo Encapsulation
+ |
+ | A Teredo tunnel ingress implementation that does not support ECN
+ | propagation as defined in [RFC6040] or one of its compatible
+ | predecessors ([RFC4301] or the full functionality mode of
+ | [RFC3168]) MUST zero the ECN field in the outer IPv6 header.
+
+6.1.4. AMT
+
+ AMT [RFC7450] is a tightly coupled shim header that encapsulates an
+ IP packet and is encapsulated within a UDP/IP datagram. Therefore,
+ AMT is within the scope of [RFC6040] as updated by Section 3.
+
+ Implementation of support for [RFC6040] as updated by the present
+ specification is RECOMMENDED for AMT tunnel endpoints in order to
+ provide the benefits of ECN [RFC8087] whenever a node within an AMT
+ tunnel becomes the bottleneck for an IP traffic flow tunnelled over
+ AMT.
+
+ To comply with [RFC6040], an AMT relay and gateway will follow the
+ rules for propagation of the ECN field at ingress and egress,
+ respectively, as described in Section 4 of [RFC6040].
+
+ Before encapsulating any data packets, [RFC6040] requires an ingress
+ AMT relay to check that the egress AMT gateway supports ECN
+ propagation as defined in [RFC6040] or one of its compatible
+ predecessors ([RFC4301] or the full functionality mode of [RFC3168]).
+ If the egress gateway supports ECN, the ingress relay can use the
+ normal mode of encapsulation (copying the IP ECN field from inner to
+ outer). Otherwise, the ingress relay has to use compatibility mode,
+ which means it has to clear the outer ECN field to zero [RFC6040].
+
+ An AMT tunnel is created dynamically (not manually), so the relay
+ will need to determine the remote gateway's support for ECN using the
+ ECN capability declaration defined in Section 6.1.4.2.
+
+6.1.4.1. Safe Configuration of a "Non-ECN" Ingress AMT Relay
+
+ The following text is appended to Section 4.2.2 of [RFC7450] as an
+ update to the AMT specification:
+
+ | The operator of an AMT relay that does not support [RFC6040] or
+ | one of its compatible predecessors ([RFC4301] or the full
+ | functionality mode of [RFC3168]) MUST follow the configuration
+ | requirements in Section 4 of RFC 9601 to ensure it clears the
+ | outer IP ECN field to zero.
+
+6.1.4.2. ECN Capability Declaration of an AMT Gateway
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | V=0 |Type=3 | Reserved |E|P| Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Request Nonce |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Figure 2: Updated AMT Request Message Format
+
+ Bit 14 of the AMT Request Message counting from 0 (or bit 7 of the
+ Reserved field counting from 1) is defined here as the AMT Gateway
+ ECN Capability flag (E) as shown in Figure 2. The definitions of all
+ other fields in the AMT Request Message are unchanged from [RFC7450].
+
+ When the E flag is set to 1, it indicates that the sender of the
+ message supports [RFC6040] ECN propagation. When it is cleared to
+ zero, it indicates the sender of the message does not support
+ [RFC6040] ECN propagation. An AMT gateway "that supports [RFC6040]
+ ECN propagation" means one that propagates the ECN field to the
+ forwarded data packet based on the combination of arriving inner and
+ outer ECN fields as defined in Section 4 of [RFC6040].
+
+ The other bits of the Reserved field remain reserved. They will
+ continue to be cleared to zero when sent and ignored when either
+ received or forwarded as specified in Section 5.1.3.3 of [RFC7450].
+
+ An AMT gateway that does not support [RFC6040] MUST NOT set the E
+ flag of its Request Message to 1.
+
+ An AMT gateway that supports [RFC6040] ECN propagation MUST set the E
+ flag of its Relay Discovery Message to 1.
+
+ The action of the corresponding AMT relay that receives a Request
+ message with the E flag set to 1 depends on whether the relay itself
+ supports [RFC6040] ECN propagation:
+
+ * If the relay supports [RFC6040] ECN propagation, it will store the
+ ECN capability of the gateway along with its address. Then,
+ whenever it tunnels datagrams towards this gateway, it MUST use
+ the normal mode of [RFC6040] to propagate the ECN field when
+ encapsulating datagrams (i.e., it copies the IP ECN field from
+ inner to outer header).
+
+ * If the discovered AMT relay does not support [RFC6040] ECN
+ propagation, it will ignore the E flag in the Reserved field as
+ per Section 5.1.3.3 of [RFC7450].
+
+ If the AMT relay does not support [RFC6040] ECN propagation, the
+ network operator is still expected to configure it to comply with
+ the safety provisions set out in Section 6.1.4.1.
+
+7. IANA Considerations
+
+ IANA has assigned the following AVP in the L2TP "Control Message
+ Attribute Value Pairs" registry:
+
+ +================+================+===========+
+ | Attribute Type | Description | Reference |
+ +================+================+===========+
+ | 103 | ECN Capability | RFC 9601 |
+ +----------------+----------------+-----------+
+
+ Table 1
+
+8. Security Considerations
+
+ The Security Considerations in [RFC6040] and [RFC9599] apply equally
+ to the scope defined for the present specification.
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black,
+ "Definition of the Differentiated Services Field (DS
+ Field) in the IPv4 and IPv6 Headers", RFC 2474,
+ DOI 10.17487/RFC2474, December 1998,
+ <https://www.rfc-editor.org/info/rfc2474>.
+
+ [RFC2661] Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn,
+ G., and B. Palter, "Layer Two Tunneling Protocol "L2TP"",
+ RFC 2661, DOI 10.17487/RFC2661, August 1999,
+ <https://www.rfc-editor.org/info/rfc2661>.
+
+ [RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P.
+ Traina, "Generic Routing Encapsulation (GRE)", RFC 2784,
+ DOI 10.17487/RFC2784, March 2000,
+ <https://www.rfc-editor.org/info/rfc2784>.
+
+ [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition
+ of Explicit Congestion Notification (ECN) to IP",
+ RFC 3168, DOI 10.17487/RFC3168, September 2001,
+ <https://www.rfc-editor.org/info/rfc3168>.
+
+ [RFC3931] Lau, J., Ed., Townsley, M., Ed., and I. Goyret, Ed.,
+ "Layer Two Tunneling Protocol - Version 3 (L2TPv3)",
+ RFC 3931, DOI 10.17487/RFC3931, March 2005,
+ <https://www.rfc-editor.org/info/rfc3931>.
+
+ [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
+ Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
+ December 2005, <https://www.rfc-editor.org/info/rfc4301>.
+
+ [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through
+ Network Address Translations (NATs)", RFC 4380,
+ DOI 10.17487/RFC4380, February 2006,
+ <https://www.rfc-editor.org/info/rfc4380>.
+
+ [RFC5129] Davie, B., Briscoe, B., and J. Tay, "Explicit Congestion
+ Marking in MPLS", RFC 5129, DOI 10.17487/RFC5129, January
+ 2008, <https://www.rfc-editor.org/info/rfc5129>.
+
+ [RFC6040] Briscoe, B., "Tunnelling of Explicit Congestion
+ Notification", RFC 6040, DOI 10.17487/RFC6040, November
+ 2010, <https://www.rfc-editor.org/info/rfc6040>.
+
+ [RFC6660] Briscoe, B., Moncaster, T., and M. Menth, "Encoding Three
+ Pre-Congestion Notification (PCN) States in the IP Header
+ Using a Single Diffserv Codepoint (DSCP)", RFC 6660,
+ DOI 10.17487/RFC6660, July 2012,
+ <https://www.rfc-editor.org/info/rfc6660>.
+
+ [RFC7450] Bumgardner, G., "Automatic Multicast Tunneling", RFC 7450,
+ DOI 10.17487/RFC7450, February 2015,
+ <https://www.rfc-editor.org/info/rfc7450>.
+
+ [RFC9599] Briscoe, B. and J. Kaippallimalil, "Guidelines for Adding
+ Congestion Notification to Protocols that Encapsulate IP",
+ RFC 9599, DOI 10.17487/RFC9599, August 2024,
+ <https://www.rfc-editor.org/info/rfc9599>.
+
+9.2. Informative References
+
+ [decap-test]
+ Briscoe, B., "A Test for IP-ECN Propagation by a Remote
+ Tunnel Endpoint", Technical Report, TR-BB-2023-003,
+ DOI 10.48550/arXiv.2311.16825, November 2023,
+ <https://arxiv.org/abs/2311.16825>.
+
+ [GTPv1] 3GPP, "General Packet Radio Service (GPRS); GPRS
+ Tunnelling Protocol (GTP) across the Gn and Gp interface",
+ Technical Specification 29.060.
+
+ [GTPv1-U] 3GPP, "General Packet Radio System (GPRS) Tunnelling
+ Protocol User Plane (GTPv1-U)", Technical
+ Specification 29.281.
+
+ [GTPv2-C] 3GPP, "3GPP Evolved Packet System (EPS); Evolved General
+ Packet Radio Service (GPRS) Tunnelling Protocol for
+ Control plane (GTPv2-C); Stage 3", Technical
+ Specification 29.274.
+
+ [INTAREA-TUNNELS]
+ Touch, J. D. and M. Townsley, "IP Tunnels in the Internet
+ Architecture", Work in Progress, Internet-Draft, draft-
+ ietf-intarea-tunnels-13, 26 March 2023,
+ <https://datatracker.ietf.org/doc/html/draft-ietf-intarea-
+ tunnels-13>.
+
+ [NVO3-VXLAN-GPE]
+ Maino, F., Kreeger, L., and U. Elzur, "Generic Protocol
+ Extension for VXLAN (VXLAN-GPE)", Work in Progress,
+ Internet-Draft, draft-ietf-nvo3-vxlan-gpe-13, 4 November
+ 2023, <https://datatracker.ietf.org/doc/html/draft-ietf-
+ nvo3-vxlan-gpe-13>.
+
+ [RFC1701] Hanks, S., Li, T., Farinacci, D., and P. Traina, "Generic
+ Routing Encapsulation (GRE)", RFC 1701,
+ DOI 10.17487/RFC1701, October 1994,
+ <https://www.rfc-editor.org/info/rfc1701>.
+
+ [RFC2332] Luciani, J., Katz, D., Piscitello, D., Cole, B., and N.
+ Doraswamy, "NBMA Next Hop Resolution Protocol (NHRP)",
+ RFC 2332, DOI 10.17487/RFC2332, April 1998,
+ <https://www.rfc-editor.org/info/rfc2332>.
+
+ [RFC2637] Hamzeh, K., Pall, G., Verthein, W., Taarud, J., Little,
+ W., and G. Zorn, "Point-to-Point Tunneling Protocol
+ (PPTP)", RFC 2637, DOI 10.17487/RFC2637, July 1999,
+ <https://www.rfc-editor.org/info/rfc2637>.
+
+ [RFC2983] Black, D., "Differentiated Services and Tunnels",
+ RFC 2983, DOI 10.17487/RFC2983, October 2000,
+ <https://www.rfc-editor.org/info/rfc2983>.
+
+ [RFC3260] Grossman, D., "New Terminology and Clarifications for
+ Diffserv", RFC 3260, DOI 10.17487/RFC3260, April 2002,
+ <https://www.rfc-editor.org/info/rfc3260>.
+
+ [RFC3308] Calhoun, P., Luo, W., McPherson, D., and K. Peirce, "Layer
+ Two Tunneling Protocol (L2TP) Differentiated Services
+ Extension", RFC 3308, DOI 10.17487/RFC3308, November 2002,
+ <https://www.rfc-editor.org/info/rfc3308>.
+
+ [RFC5415] Calhoun, P., Ed., Montemurro, M., Ed., and D. Stanley,
+ Ed., "Control And Provisioning of Wireless Access Points
+ (CAPWAP) Protocol Specification", RFC 5415,
+ DOI 10.17487/RFC5415, March 2009,
+ <https://www.rfc-editor.org/info/rfc5415>.
+
+ [RFC5845] Muhanna, A., Khalil, M., Gundavelli, S., and K. Leung,
+ "Generic Routing Encapsulation (GRE) Key Option for Proxy
+ Mobile IPv6", RFC 5845, DOI 10.17487/RFC5845, June 2010,
+ <https://www.rfc-editor.org/info/rfc5845>.
+
+ [RFC5944] Perkins, C., Ed., "IP Mobility Support for IPv4, Revised",
+ RFC 5944, DOI 10.17487/RFC5944, November 2010,
+ <https://www.rfc-editor.org/info/rfc5944>.
+
+ [RFC6275] Perkins, C., Ed., Johnson, D., and J. Arkko, "Mobility
+ Support in IPv6", RFC 6275, DOI 10.17487/RFC6275, July
+ 2011, <https://www.rfc-editor.org/info/rfc6275>.
+
+ [RFC7059] Steffann, S., van Beijnum, I., and R. van Rein, "A
+ Comparison of IPv6-over-IPv4 Tunnel Mechanisms", RFC 7059,
+ DOI 10.17487/RFC7059, November 2013,
+ <https://www.rfc-editor.org/info/rfc7059>.
+
+ [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
+ Kivinen, "Internet Key Exchange Protocol Version 2
+ (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
+ 2014, <https://www.rfc-editor.org/info/rfc7296>.
+
+ [RFC7348] Mahalingam, M., Dutt, D., Duda, K., Agarwal, P., Kreeger,
+ L., Sridhar, T., Bursell, M., and C. Wright, "Virtual
+ eXtensible Local Area Network (VXLAN): A Framework for
+ Overlaying Virtualized Layer 2 Networks over Layer 3
+ Networks", RFC 7348, DOI 10.17487/RFC7348, August 2014,
+ <https://www.rfc-editor.org/info/rfc7348>.
+
+ [RFC7637] Garg, P., Ed. and Y. Wang, Ed., "NVGRE: Network
+ Virtualization Using Generic Routing Encapsulation",
+ RFC 7637, DOI 10.17487/RFC7637, September 2015,
+ <https://www.rfc-editor.org/info/rfc7637>.
+
+ [RFC7665] Halpern, J., Ed. and C. Pignataro, Ed., "Service Function
+ Chaining (SFC) Architecture", RFC 7665,
+ DOI 10.17487/RFC7665, October 2015,
+ <https://www.rfc-editor.org/info/rfc7665>.
+
+ [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage
+ Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085,
+ March 2017, <https://www.rfc-editor.org/info/rfc8085>.
+
+ [RFC8087] Fairhurst, G. and M. Welzl, "The Benefits of Using
+ Explicit Congestion Notification (ECN)", RFC 8087,
+ DOI 10.17487/RFC8087, March 2017,
+ <https://www.rfc-editor.org/info/rfc8087>.
+
+ [RFC8159] Konstantynowicz, M., Ed., Heron, G., Ed., Schatzmayr, R.,
+ and W. Henderickx, "Keyed IPv6 Tunnel", RFC 8159,
+ DOI 10.17487/RFC8159, May 2017,
+ <https://www.rfc-editor.org/info/rfc8159>.
+
+ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+ May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+ [RFC8300] Quinn, P., Ed., Elzur, U., Ed., and C. Pignataro, Ed.,
+ "Network Service Header (NSH)", RFC 8300,
+ DOI 10.17487/RFC8300, January 2018,
+ <https://www.rfc-editor.org/info/rfc8300>.
+
+ [RFC8311] Black, D., "Relaxing Restrictions on Explicit Congestion
+ Notification (ECN) Experimentation", RFC 8311,
+ DOI 10.17487/RFC8311, January 2018,
+ <https://www.rfc-editor.org/info/rfc8311>.
+
+ [RFC8926] Gross, J., Ed., Ganga, I., Ed., and T. Sridhar, Ed.,
+ "Geneve: Generic Network Virtualization Encapsulation",
+ RFC 8926, DOI 10.17487/RFC8926, November 2020,
+ <https://www.rfc-editor.org/info/rfc8926>.
+
+ [RFC9300] Farinacci, D., Fuller, V., Meyer, D., Lewis, D., and A.
+ Cabellos, Ed., "The Locator/ID Separation Protocol
+ (LISP)", RFC 9300, DOI 10.17487/RFC9300, October 2022,
+ <https://www.rfc-editor.org/info/rfc9300>.
+
+ [RFC9329] Pauly, T. and V. Smyslov, "TCP Encapsulation of Internet
+ Key Exchange Protocol (IKE) and IPsec Packets", RFC 9329,
+ DOI 10.17487/RFC9329, November 2022,
+ <https://www.rfc-editor.org/info/rfc9329>.
+
+ [RFC9331] De Schepper, K. and B. Briscoe, Ed., "The Explicit
+ Congestion Notification (ECN) Protocol for Low Latency,
+ Low Loss, and Scalable Throughput (L4S)", RFC 9331,
+ DOI 10.17487/RFC9331, January 2023,
+ <https://www.rfc-editor.org/info/rfc9331>.
+
+ [SFC-NSH-ECN]
+ Eastlake 3rd, D., Briscoe, B., Zhuang, S., Malis, A., and
+ X. Wei, "Explicit Congestion Notification (ECN) and
+ Congestion Feedback Using the Network Service Header (NSH)
+ and IPFIX", Work in Progress, Internet-Draft, draft-ietf-
+ sfc-nsh-ecn-support-13, 15 April 2024,
+ <https://datatracker.ietf.org/doc/html/draft-ietf-sfc-nsh-
+ ecn-support-13>.
+
+Acknowledgements
+
+ Thanks to Ing-jyh (Inton) Tsang for initial discussions on the need
+ for ECN propagation in L2TP and its applicability. Thanks also to
+ Carlos Pignataro, Tom Herbert, Ignacio Goyret, Alia Atlas, Praveen
+ Balasubramanian, Joe Touch, Mohamed Boucadair, David Black, Jake
+ Holland, Sri Gundavelli, Gorry Fairhurst, and Martin Duke for helpful
+ advice and comments. [RFC7059] helped to identify a number of
+ tunnelling protocols to include within the scope of this document.
+
+ Bob Briscoe was part-funded by the Research Council of Norway through
+ the TimeIn project for early drafts, and he was funded by Apple Inc.
+ for later draft versions (from -17). The views expressed here are
+ solely those of the authors.
+
+Author's Address
+
+ Bob Briscoe
+ Independent
+ United Kingdom
+ Email: ietf@bobbriscoe.net
+ URI: https://bobbriscoe.net/