[RFC Home] [TEXT|PDF|HTML] [Tracker] [IPR] [Errata] [Info page]
PROPOSED STANDARD
Errata ExistInternet Engineering Task Force (IETF) L. Yong, Ed.
Request for Comments: 8086 Huawei Technologies
Category: Standards Track E. Crabbe
ISSN: 2070-1721 Oracle
X. Xu
Huawei Technologies
T. Herbert
Facebook
March 2017
GRE-in-UDP Encapsulation
Abstract
This document specifies a method of encapsulating network protocol
packets within GRE and UDP headers. This GRE-in-UDP encapsulation
allows the UDP source port field to be used as an entropy field.
This may be used for load-balancing of GRE traffic in transit
networks using existing Equal-Cost Multipath (ECMP) mechanisms.
There are two applicability scenarios for GRE-in-UDP with different
requirements: (1) general Internet and (2) a traffic-managed
controlled environment. The controlled environment has less
restrictive requirements than the general Internet.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8086.
Yong, et al. Standards Track [Page 1]
RFC 8086 GRE-in-UDP Encapsulation March 2017
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Yong, et al. Standards Track [Page 2]
RFC 8086 GRE-in-UDP Encapsulation March 2017
Table of Contents
1. Introduction ....................................................4
1.1. Terminology ................................................5
1.2. Requirements Language ......................................5
2. Applicability Statement .........................................6
2.1. GRE-in-UDP Tunnel Requirements .............................6
2.1.1. Requirements for Default GRE-in-UDP Tunnel ..........7
2.1.2. Requirements for TMCE GRE-in-UDP Tunnel .............8
3. GRE-in-UDP Encapsulation ........................................9
3.1. IP Header .................................................11
3.2. UDP Header ................................................11
3.2.1. Source Port ........................................11
3.2.2. Destination Port ...................................11
3.2.3. Checksum ...........................................12
3.2.4. Length .............................................12
3.3. GRE Header ................................................12
4. Encapsulation Procedures .......................................13
4.1. MTU and Fragmentation .....................................13
4.2. Differentiated Services and ECN Marking ...................14
5. Use of DTLS ....................................................14
6. UDP Checksum Handling ..........................................15
6.1. UDP Checksum with IPv4 ....................................15
6.2. UDP Checksum with IPv6 ....................................15
7. Middlebox Considerations .......................................18
7.1. Middlebox Considerations for Zero Checksums ...............19
8. Congestion Considerations ......................................19
9. Backward Compatibility .........................................20
10. IANA Considerations ...........................................21
11. Security Considerations .......................................21
12. References ....................................................22
12.1. Normative References .....................................22
12.2. Informative References ...................................23
Acknowledgements ..................................................25
Contributors ......................................................25
Authors' Addresses ................................................27
Yong, et al. Standards Track [Page 3]
RFC 8086 GRE-in-UDP Encapsulation March 2017
1. Introduction
This document specifies a generic GRE-in-UDP encapsulation for
tunneling network protocol packets across an IP network based on
Generic Routing Encapsulation (GRE) [RFC2784] [RFC7676] and User
Datagram Protocol (UDP) [RFC768] headers. The GRE header indicates
the payload protocol type via an EtherType [RFC7042] in the protocol
type field, and the source port field in the UDP header may be used
to provide additional entropy.
A GRE-in-UDP tunnel offers the possibility of better performance for
load-balancing GRE traffic in transit networks using existing Equal-
Cost Multipath (ECMP) mechanisms that use a hash of the five-tuple of
source IP address, destination IP address, UDP/TCP source port,
UDP/TCP destination port, and protocol number. While such hashing
distributes UDP and TCP [RFC793] traffic between a common pair of IP
addresses across paths, it uses a single path for corresponding GRE
traffic because only the two IP addresses and the Protocol or Next
Header field participate in the ECMP hash. Encapsulating GRE in UDP
enables use of the UDP source port to provide entropy to ECMP
hashing.
In addition, GRE-in-UDP enables extending use of GRE across networks
that otherwise disallow it; for example, GRE-in-UDP may be used to
bridge two islands where GRE is not supported natively across the
middleboxes.
GRE-in-UDP encapsulation may be used to encapsulate already tunneled
traffic, i.e., tunnel-in-tunnel traffic. In this case, GRE-in-UDP
tunnels treat the endpoints of the outer tunnel as the end hosts; the
presence of an inner tunnel does not change the outer tunnel's
handling of network traffic.
A GRE-in-UDP tunnel is capable of carrying arbitrary traffic and
behaves as a UDP application on an IP network. However, a GRE-in-UDP
tunnel carrying certain types of traffic does not satisfy the
requirements for UDP applications on the Internet [RFC8085].
GRE-in-UDP tunnels that do not satisfy these requirements MUST NOT be
deployed to carry such traffic over the Internet. For this reason,
this document specifies two deployment scenarios for GRE-in-UDP
tunnels with GRE-in-UDP tunnel requirements for each of them: (1)
general Internet and (2) a traffic-managed controlled environment
(TMCE). Compared to the general Internet scenario, the TMCE scenario
has less restrictive technical requirements for the protocol but more
restrictive management and operation requirements for the network.
Yong, et al. Standards Track [Page 4]
RFC 8086 GRE-in-UDP Encapsulation March 2017
To provide security for traffic carried by a GRE-in-UDP tunnel, this
document also specifies Datagram Transport Layer Security (DTLS) for
GRE-in-UDP tunnels, which SHOULD be used when security is a concern.
GRE-in-UDP encapsulation usage requires no changes to the transit IP
network. ECMP hash functions in most existing IP routers may utilize
and benefit from the additional entropy enabled by GRE-in-UDP tunnels
without any change or upgrade to their ECMP implementation. The
encapsulation mechanism is applicable to a variety of IP networks
including Data Center Networks and Wide Area Networks, as well as
both IPv4 and IPv6 networks.
1.1. Terminology
The terms defined in [RFC768] and [RFC2784] are used in this
document. Below are additional terms used in this document.
Decapsulator: a component performing packet decapsulation at tunnel
egress.
ECMP: Equal-Cost Multipath.
Encapsulator: a component performing packet encapsulation at tunnel
egress.
Flow Entropy: The information to be derived from traffic or
applications and to be used by network devices in the ECMP process
[RFC6438].
Default GRE-in-UDP Tunnel: A GRE-in-UDP tunnel that can apply to the
general Internet.
TMCE: A traffic-managed controlled environment, i.e., an IP network
that is traffic-engineered and/or otherwise managed (e.g., via use of
traffic rate limiters) to avoid congestion, as defined in Section 2.
TMCE GRE-in-UDP Tunnel: A GRE-in-UDP tunnel that can only apply to a
traffic-managed controlled environment that is defined in Section 2.
Tunnel Egress: A tunnel endpoint that performs packet decapsulation.
Tunnel Ingress: A tunnel endpoint that performs packet encapsulation.
1.2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Yong, et al. Standards Track [Page 5]
RFC 8086 GRE-in-UDP Encapsulation March 2017
2. Applicability Statement
GRE-in-UDP encapsulation applies to IPv4 and IPv6 networks; in both
cases, encapsulated packets are treated as UDP datagrams. Therefore,
a GRE-in-UDP tunnel needs to meet the UDP usage requirements
specified in [RFC8085]. These requirements depend on both the
delivery network and the nature of the encapsulated traffic. For
example, the GRE-in-UDP tunnel protocol does not provide any
congestion control functionality beyond that of the encapsulated
traffic. Therefore, a GRE-in-UDP tunnel MUST be used only with
congestion-controlled traffic (e.g., IP unicast traffic) and/or
within a network that is traffic managed to avoid congestion.
[RFC8085] describes two applicability scenarios for UDP applications:
(1) general internet and (2) a controlled environment. The
controlled environment means a single administrative domain or
bilaterally agreed connection between domains. A network forming a
controlled environment can be managed/operated to meet certain
conditions, while the general Internet cannot be; thus, the
requirements for a tunnel protocol operating under a controlled
environment can be less restrictive than the requirements in the
general Internet.
For the purpose of this document, a traffic-managed controlled
environment (TMCE) is defined as an IP network that is traffic-
engineered and/or otherwise managed (e.g., via use of traffic rate
limiters) to avoid congestion.
This document specifies GRE-in-UDP tunnel usage in the general
Internet and GRE-in-UDP tunnel usage in a traffic-managed controlled
environment and uses "default GRE-in-UDP tunnel" and "TMCE GRE-in-UDP
tunnel" terms to refer to each usage.
NOTE: Although this document specifies two different sets of GRE-in-
UDP tunnel requirements based on tunnel usage, the tunnel
implementation itself has no ability to detect how and where it is
deployed. Therefore, it is the responsibility of the user or
operator who deploys a GRE-in-UDP tunnel to ensure that it meets the
appropriate requirements.
2.1. GRE-in-UDP Tunnel Requirements
This section states the requirements for a GRE-in-UDP tunnel.
Section 2.1.1 describes the requirements for a default GRE-in-UDP
tunnel that is suitable for the general Internet; Section 2.1.2
describes a set of relaxed requirements for a TMCE GRE-in-UDP tunnel
used in a traffic-managed controlled environment. Both Sections
2.1.1 and 2.1.2 are applicable to an IPv4 or IPv6 delivery network.
Yong, et al. Standards Track [Page 6]
RFC 8086 GRE-in-UDP Encapsulation March 2017
2.1.1. Requirements for Default GRE-in-UDP Tunnel
The following is a summary of the default GRE-in-UDP tunnel
requirements:
1. A UDP checksum SHOULD be used when encapsulating in IPv4.
2. A UDP checksum MUST be used when encapsulating in IPv6.
3. GRE-in-UDP tunnel MUST NOT be deployed or configured to carry
traffic that is not congestion controlled. As stated in
[RFC8085], IP-based unicast traffic is generally assumed to be
congestion controlled, i.e., it is assumed that the transport
protocols generating IP-based traffic at the sender already
employ mechanisms that are sufficient to address congestion on
the path. A default GRE-in-UDP tunnel is not appropriate for
traffic that is not known to be congestion controlled (e.g., most
IP multicast traffic).
4. UDP source port values that are used as a source of flow entropy
SHOULD be chosen from the ephemeral port range (49152-65535)
[RFC8085].
5. The use of the UDP source port MUST be configurable so that a
single value can be set for all traffic within the tunnel (this
disables use of the UDP source port to provide flow entropy).
When a single value is set, a random port taken from the
ephemeral port range SHOULD be selected in order to minimize the
vulnerability to off-path attacks [RFC6056].
6. For IPv6 delivery networks, the flow entropy SHOULD also be
placed in the flow label field for ECMP per [RFC6438].
7. At the tunnel ingress, any fragmentation of the incoming packet
(e.g., because the tunnel has a Maximum Transmission Unit (MTU)
that is smaller than the packet) SHOULD be performed before
encapsulation. In addition, the tunnel ingress MUST apply the
UDP checksum to all encapsulated fragments so that the tunnel
egress can validate reassembly of the fragments; it MUST set the
same Differentiated Services Code Point (DSCP) value as in the
Differentiated Services (DS) field of the payload packet in all
fragments [RFC2474]. To avoid unwanted forwarding over multiple
paths, the same source UDP port value SHOULD be set in all packet
fragments.
Yong, et al. Standards Track [Page 7]
RFC 8086 GRE-in-UDP Encapsulation March 2017
2.1.2. Requirements for TMCE GRE-in-UDP Tunnel
The section contains the TMCE GRE-in-UDP tunnel requirements. It
lists the changed requirements, compared with a Default GRE-in-UDP
tunnel, for a TMCE GRE-in-UDP tunnel, which corresponds to
requirements 1-3 listed in Section 2.1.1.
1. A UDP checksum SHOULD be used when encapsulating in IPv4. A
tunnel endpoint sending GRE-in-UDP MAY disable the UDP checksum,
since GRE has been designed to work without a UDP checksum
[RFC2784]. However, a checksum also offers protection from
misdelivery to another port.
2. Use of the UDP checksum MUST be the default when encapsulating in
IPv6. This default MAY be overridden via configuration of UDP
zero-checksum mode. All usage of UDP zero-checksum mode with
IPv6 is subject to the additional requirements specified in
Section 6.2.
3. A GRE-in-UDP tunnel MAY encapsulate traffic that is not
congestion controlled.
Requirements 4-7 listed in Section 2.1.1 also apply to a TMCE GRE-in-
UDP tunnel.
Yong, et al. Standards Track [Page 8]
RFC 8086 GRE-in-UDP Encapsulation March 2017
3. GRE-in-UDP Encapsulation
The GRE-in-UDP encapsulation format contains a UDP header [