Network working group X. Xu Internet Draft Huawei Category: Standard Track N. Sheth Juniper L. Yong Huawei C. Pignataro Cisco Y. Fan China Telecom Expires: July 2014 January 24, 2014 Encapsulating MPLS in UDP draft-ietf-mpls-in-udp-05 Abstract This document specifies an IP-based encapsulation for MPLS, called MPLS-in-UDP (User Datagram Protocol). Note that the MPLS-in-UDP encapsulation technology MUST only be deployed within a service provider network or networks of an adjacent set of co-operating service providers where the congestion control is not a concern. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 24, 2014. Xu, et al. Expires July 24, 2014 [Page 1] Internet-Draft Encapsulating MPLS in UDP January 2014 Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction ................................................ 3 1.1. Existing Encapsulations ................................ 3 1.2. Motivations for MPLS-in-UDP Encapsulation .............. 4 1.3. Application Statements ................................. 4 2. Terminology ................................................. 4 3. Encapsulation in UDP ........................................ 4 4. Processing Procedures ....................................... 6 5. Congestion Considerations ................................... 7 6. Security Considerations ..................................... 7 7. IANA Considerations ......................................... 8 8. Contributors ................................................ 9 9. Acknowledgements ............................................ 9 10. References ................................................. 9 10.1. Normative References .................................. 9 10.2. Informative References ............................... 10 Authors' Addresses ............................................ 11 Xu, et al. Expires July 24, 2014 [Page 2] Internet-Draft Encapsulating MPLS in UDP January 2014 1. Introduction This document specifies an IP-based encapsulation for MPLS, i.e. MPLS-in-UDP (User Datagram Protocol), which is applicable in some circumstances where IP-based encapsulation for MPLS is required and further fine-grained load balancing of MPLS packets over IP networks over Equal Cost Multi-Path (ECMP) and/or Link Aggregation Groups (LAG) is required as well. There are already IP-based encapsulations for MPLS that allow for fine-grained load balancing by using some special field in the encapsulation header as an entropy field. However, MPLS-in-UDP can be advantageous since some networks have used the UDP port number fields as a basis for load- balancing solutions for some time. This is similar to why LISP [RFC 6830] uses UDP encapsulation. Like other IP-based encapsulation methods for MPLS, this encapsulation allows for two Label Switching Routers (LSR) to be adjacent on a Label Switched Path (LSP), while separated by an IP network. In order to support this encapsulation, each LSR needs to know the capability to decapsulate MPLS-in-UDP by the remote LSRs. This specification defines only the data plane encapsulation and does not concern itself with how the knowledge to use this encapsulation is conveyed. Specifically, this capability can be either manually configured on each LSR or be dynamically advertised in manners that are outside the scope of this document. Similarly, the MPLS-in-UDP encapsulation format defined in this document by itself cannot ensure the integrity and privacy of data packets being transported through the MPLS-in-UDP tunnels and cannot enable the tunnel decapsulators to authenticate the tunnel encapsulator. Therefore, in the case where any of the above security issues is concerned, the MPLS-in-UDP SHOULD be secured with IPsec [RFC4301] or DTLS [RFC6347]. For more details, please see Section 6 of Security Considerations. 1.1. Existing Encapsulations Currently, there are several IP-based encapsulations for MPLS such as MPLS-in-IP, MPLS-in-GRE (Generic Routing Encapsulation) [RFC4023], and MPLS-in-L2TPv3 (Layer Two Tunneling Protocol - Version 3) [RFC4817]. In all these methods, the IP addresses can be varied to achieve load-balancing. All these IP-based encapsulations for MPLS are specified for both IPv4 and IPv6. In the case of IPv6-based encapsulations, the IPv6 Xu, et al. Expires July 24, 2014 [Page 3] Internet-Draft Encapsulating MPLS in UDP January 2014 Flow Label can be used for ECMP and LAGs [RFC6438]. However, there is no such entropy field in the IPv4 header. For MPLS-in-GRE as well as MPLS-in-L2TPv3, protocol fields (the GRE Key and the L2TPv3 Session ID respectively) can be used as the load-balancing key as described in [RFC5640]. For this, intermediate routers need to understand these fields in the context of being used as load-balancing keys. 1.2. Motivations for MPLS-in-UDP Encapsulation Currently, most existing routers in IP networks are already capable of distributing IP traffic "microflows" [RFC2474] over ECMPs and/or LAG based on the hash of the five-tuple of User Datagram Protocol (UDP)[RFC768] and Transmission Control Protocol (TCP) packets (i.e., source IP address, destination IP address, source port, destination port, and protocol). By encapsulating the MPLS packets into an UDP tunnel and using the source port of the UDP header as an entropy field, the existing load-balancing capability as mentioned above can be leveraged to provide fine-grained load-balancing of MPLS traffic over IP networks. 1.3. Application Statements The MPLS-in-UDP encapsulation technology MUST only be deployed within a Service Provider (SP) network or networks of an adjacent set of co-operating SPs where the congestion control is not a concern, rather than over the Internet where the congestion control is a must. Furthermore, packet filters should be added so as to prevent MPLS-in-UDP packets from escaping from the service provider networks due to misconfiguation or packet errors. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [RFC2119]. 3. Encapsulation in UDP MPLS-in-UDP encapsulation format is shown as follows: Xu, et al. Expires July 24, 2014 [Page 4] Internet-Draft Encapsulating MPLS in UDP January 2014 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port = Entropy | Dest Port = MPLS | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | UDP Length | UDP Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ MPLS Label Stack ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ Message Body ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Source Port of UDP This field contains a 16-bit entropy value that is generated by the encapsulator to uniquely identify a flow. What constitutes a flow is locally determined by the encapsulator and therefore is outside the scope of this document. What algorithm is actually used by the encapsulator to generate an entropy value is outside the scope of this document as well. In the case where the tunnel does not need entropy, this field of all packets belonging to a given flow SHOULD be set to a randomly selected constant value so as to avoid packet reordering. Destination Port of UDP This field is set to a value (TBD1) allocated by IANA to indicate that the UDP tunnel payload is an MPLS packet. UDP Length The usage of this field is in accordance with the current UDP specification [RFC768]. UDP Checksum The usage of this field is in accordance with the current UDP specification [RFC768]. In the IPv4 UDP encapsulation case, this field is RECOMMENDED to be set to zero. In the IPv6 UDP encapsulation case, this field Xu, et al. Expires July 24, 2014 [Page 5] Internet-Draft Encapsulating MPLS in UDP January 2014 SHOULD NOT be set to zero. If the UDP checksum needs to be disabled for performance or implementation reasons, the considerations described in [RFC6935] [RFC6936] MUST be examined. MPLS Label Stack This field contains an MPLS Label Stack as defined in [RFC3032]. Message Body This field contains one MPLS message body. 4. Processing Procedures This MPLS-in-UDP encapsulation causes MPLS packets to be forwarded through "UDP tunnels". When performing MPLS-in-UDP encapsulation by the encapsulator, the entropy value would be generated by the encapsulator and then be filled in the Source Port field of the UDP header. The Destination Port field is set to a value (TBD1) allocated by IANA to indicate that the UDP tunnel payload is an MPLS packet. As for whether the top label in the MPLS label stack is downstream-assigned or upstream-assigned, it SHOULD be determined based on the tunnel destination IP address. That is to say, if the destination IP address is a multicast address, the top label SHOULD be upstream-assigned, otherwise if the destination IP address is a unicast address, it SHOULD be downstream-assigned. As such, intermediate routers, upon receiving these UDP encapsulated packets, could balance these packets based on the hash of the five-tuple of UDP packets. Upon receiving these UDP encapsulated packets, the decapsulator would decapsulate them by removing the UDP headers and then process them accordingly. As for other common processing procedures associated with tunneling encapsulation technologies including but not limited to Maximum Transmission Unit (MTU) and preventing fragmentation and reassembly, Time to Live (TTL) and differentiated services, the corresponding "Common Procedures" defined in [RFC4023] which are applicable for MPLS-in-IP and MPLS-in-GRE encapsulation formats SHOULD be followed. Xu, et al. Expires July 24, 2014 [Page 6] Internet-Draft Encapsulating MPLS in UDP January 2014 5. Congestion Considerations Since the MPLS-in-UDP encapsulation causes MPLS packets to be forwarded through "UDP tunnels", the congestion control guidelines for UDP tunnels as defined in Section 3.1.3 of [RFC5405] SHOULD be followed. Specifically, as stated in Section 3.1.3 of [RFC5405], "some bulk transfer applications may choose not to implement any congestion control mechanism and instead rely on transmitting across reserved path capacity. This might be an acceptable choice for a subset of restricted networking environments, but is by no means a safe practice for operation in the Internet."Given the fact that the MPLS-in-GRE and MPLS-in-IP [RFC4023] encapsulation technologies have been successfully deployed within a SP network or networks of an adjacent set of co-operating SPs which is a restricted network environment without any congestion control mechanism and the fact that the current MPLS technology couldn't provide congestion control without major changes, the MPLS-in-UDP encapsulation MUST only be deployed within a SP network or networks of an adjacent set of co-operating SPs as well. 6. Security Considerations The security problems faced with the MPLS-in-UDP tunnel are exactly the same as those faced with MPLS-in-IP and MPLS-in-GRE tunnels [RFC4023]. In other words,, the MPLS-in-UDP tunnel as defined in this document by itself cannot ensure the integrity and privacy of data packets being transported through the MPLS-in-UDP tunnel and cannot enable the tunnel decapsulator to authenticate the tunnel encapsulator. In the case where any of the above security issues is concerned, the MPLS-in-UDP tunnel SHOULD be secured with IPsec or DTLS. IPsec was designed as a network security mechanism and therefore it resides at the network layer. As such, if the tunnel is secured with IPsec, the UDP header would not be visible to intermediate routers anymore in either IPsec tunnel or transport mode. As a result, the meaning of adopting the MPLS-in-UDP tunnel as an alternative to the MPLS-in-GRE or MPLS-in-IP tunnel is lost. By comparison, DTLS is better suited for application security and can better preserve network and transport layer protocol information. Specifically, if DTLS is used, the destination port of the UDP header will be filled with a value (TBD2) indicating MPLS with DTLS and the source port can still be used as an entropy field for load-sharing purposes. If the tunnel is not secured with IPsec or DTLS, some other method should be used to ensure that packets are decapsulated and forwarded by the tunnel tail only if those packets were encapsulated by the tunnel head. If the tunnel lies entirely within Xu, et al. Expires July 24, 2014 [Page 7] Internet-Draft Encapsulating MPLS in UDP January 2014 a single administrative domain, address filtering at the boundaries can be used to ensure that no packet with the IP source address of a tunnel endpoint or with the IP destination address of a tunnel endpoint can enter the domain from outside. However, when the tunnel head and the tunnel tail are not in the same administrative domain, this may become difficult, and filtering based on the destination address can even become impossible if the packets must traverse the public Internet. Sometimes only source address filtering (but not destination address filtering) is done at the boundaries of an administrative domain. If this is the case, the filtering does not provide effective protection at all unless the decapsulator of an MPLS-in-UDP validates the IP source address of the packet. This document does not require that the decapsulator validate the IP source address of the tunneled packets, but it should be understood that failure to do so presupposes that there is effective destination-based (or a combination of source-based and destination-based) filtering at the boundaries. 7. IANA Considerations One UDP destination port number indicating MPLS needs to be allocated by IANA. Service Name : MPLS-in-UDP Transport Protocol(s) : UDP Assignee: IESG Contact : IETF Chair . Description : Encapsulate MPLS packets in UDP tunnels. Reference : This document -- draft-ietf-mpls-in-udp (MPLS WG document). Port Number : TBD1 -- To be assigned by IANA. One UDP destination port number indicating MPLS with DTLS needs to be allocated by IANA. Service Name : MPLS-in-UDP-with-DTLS Transport Protocol(s) : UDP Assignee: IESG Xu, et al. Expires July 24, 2014 [Page 8] Internet-Draft Encapsulating MPLS in UDP January 2014 Contact : IETF Chair . Description : Encapsulate MPLS packets in UDP tunnels with DTLS. Reference : This document -- draft-ietf-mpls-in-udp (MPLS WG document). Port Number : TBD2 -- To be assigned by IANA. 8. Contributors Zhenbin Li Huawei Technologies, Beijing, China Phone: +86-10-60613676 Email: lizhenbin@huawei.com 9. Acknowledgements Thanks to Shane Amante, Dino Farinacci, Keshava A K, Ivan Pepelnjak, Eric Rosen, Andrew G. Malis, Kireeti Kompella, Marshall Eubanks, George Swallow, Loa Andersson, Ross Callon, Vivek Kumar, Stewart Bryant, Wen Zhang, Curtis Villamizar, Joel M. Halpern, Scott Brim, Alia Atlas, Alexander Vainshtein, Joel Jaeggli, Edward Crabbe, Lars Eggert, Joe Touch, Lloyd Wood, Weiguo Hao, Mark Szczesniak, Zhenxiao Liu and Xing Tong for their valuable comments and suggestions on this document. Thanks to Daniel King, Gregory Mirsky and Eric Osborne for their valuable MPLS-RT reviews on this document. Special thanks to Adrian Farrel for his conscientious AD review and insightful suggestion of using DTLS for securing the MPLS-in-UDP tunnels. Thanks to Charlie Kaufman for his SecDir review of this document. Thanks to Nevil Brownlee for the OPSDir review of this document. Thanks to Roni Even for the Gen-ART review of this document. Thanks to Pearl Liang for the IANA review of this documents. 10. References 10.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980. Xu, et al. Expires July 24, 2014 [Page 9] Internet-Draft Encapsulating MPLS in UDP January 2014 [RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y., Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack Encoding", RFC 3032, January 2001. [RFC4023] Worster, T., Rekhter, Y., and E. Rosen, "Encapsulating MPLS in IP or GRE", RFC4023, March 2005. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, January 2012. 10.2. Informative References [RFC4817] M. Townsley, C. Pignataro, S. Wainner, T. Seely and J. Young, "Encapsulation of MPLS over Layer 2 Tunneling Protocol Version 3", RFC4817, March 2007. [RFC5640] Filsfils, C., Mohapatra, P., and C. Pignataro, "Load- Balancing for Mesh Softwires", RFC 5640, August 2009. [RFC6935] Eubanks, M., Chimento, P., and M. Westerlund, "UDP Checksums for Tunneled Packets", RFC6935, Feburary 2013. [RFC6936] Fairhurst, G. and M. Westerlund, "Applicability Statement for the use of IPv6 UDP Datagrams with Zero Checksums", RFC6936, Feburary 2013. [RFC5405] Eggert, L. and G. Fairhurst, "Unicast UDP Usage Guidelines for Application Designers", RFC 5405, November 2008. [RFC2474] Nichols, K., Blake, S., Baker, F. and D. Black, "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC2474, December 1998. [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label for Equal Cost Multipath Routing and Link Aggregation in Tunnels", RFC 6438, November 2011. [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The Locator/ID Separation Protocol (LISP)", RFC 6830, January 2013. Xu, et al. Expires July 24, 2014 [Page 10] Internet-Draft Encapsulating MPLS in UDP January 2014 Authors' Addresses Xiaohu Xu Huawei Technologies Beijing, China Phone: +86-10-60610041 Email: xuxiaohu@huawei.com Nischal Sheth Juniper Networks 1194 N. Mathilda Ave Sunnyvale, CA 94089 Email: nsheth@juniper.net Lucy Yong Huawei USA 5340 Legacy Dr. Plano TX75025 Phone: 469-277-5837 Email: Lucy.yong@huawei.com Carlos Pignataro Cisco Systems 7200-12 Kit Creek Road Research Triangle Park, NC 27709 USA Email: cpignata@cisco.com Yongbing Fan China Telecom Guangzhou, China. Phone: +86 20 38639121 Email: fanyb@gsta.com