Transport Options for UDP
draft-ietf-tsvwg-udp-options-24
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Active".
|
|
---|---|---|---|
Author | Dr. Joseph D. Touch | ||
Last updated | 2023-11-06 (Latest revision 2023-09-15) | ||
Replaces | draft-touch-tsvwg-udp-options | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Reviews |
INTDIR Early review
(of
-19)
by Carlos Pignataro
Ready w/issues
|
||
Additional resources | Mailing list discussion | ||
Stream | WG state | WG Document | |
Associated WG milestone |
|
||
Document shepherd | Gorry Fairhurst | ||
IESG | IESG state | I-D Exists | |
Consensus boilerplate | Unknown | ||
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | Gorry Fairhurst <gorry@erg.abdn.ac.uk> |
draft-ietf-tsvwg-udp-options-24
Touch Expires May 6, 2024 [Page 21] Internet-Draft Transport Options for UDP November 2023 >> UDP reassembly space SHOULD be limited to reduce the impact of DOS attacks on resource use. >> UDP reassembly space limits SHOULD NOT be computed as a shared resource across multiple sockets, to avoid cross-socketpair DOS attacks. >> Individual UDP fragments MUST NOT be forwarded to the user. The reassembled datagram is received only after complete reassembly, checksum validation, and continued processing of the remaining UDP options. Per-datagram UDP options, if used, reside in the surplus area of the original UDP datagram. Processing of those options would commence after reassembly. This enables the safe use of UNSAFE options, which are required to result in discarding the entire UDP datagram if they are unknown to the receiver or otherwise fail (see Section 11). In general, UDP packets are fragmented as follows: 7. Create a UDP packet with data and UDP options. This is the original UDP datagram, which we will call "D". The UDP options follow the UDP user data and occur in the surplus area, just as in an unfragmented UDP datagram with UDP options. >> UDP options for the original packet MUST be fully prepared before the rest of the fragmentation steps that follow here. >> The UDP checksum of the original packet SHOULD be set to zero if protection is provided by use of a non-zero OCS in each fragment. Equivalent protection will be provided if each fragment has a non-zero OCS value, as will be the case if each fragment's UDP checksum is non-zero. Similarly, the OCS value of the original packet SHOULD be zero if each fragment will have a non- zero OCS value, as will be the case if each fragment's UDP checksum is non-zero. 8. Identify the desired fragment size, which we will call "S". This value should take into account the path MTU (if known) and allow space for per-fragment options. Touch Expires May 6, 2024 [Page 22] Internet-Draft Transport Options for UDP November 2023 9. Fragment "D" into chunks of size no larger than "S"-12 each (10 for the non-terminal FRAG option and 2 for OCS), with one final chunk no larger no larger than "S"-14 (12 for the terminal FRAG option and 2 for OCS). Note that all the per-datagram options in step #1 need not be limited to the terminal fragment, i.e., the RDOS pointer can indicate the start of the original surplus area anywhere in the reassembled datagram. Note: per packet options can occur either at the end of the original user data or be placed after the FRAG option of the first fragment, with the Reassembled Datagram Option Start (RDOS) in the terminal FRAG option set accordingly. This includes its use in atomic fragments, where the terminal option is the initial and only fragment. 10. For each chunk of "D" in step #3, create a UDP packet with no user data (UDP Length=8) followed by the word-aligned OCS, the FRAG option, and any additional per-fragment UDP options, followed by the FRAG data chunk. 11. Complete the processing associated with creating these additional per-fragment UDP options for each fragment. Receivers reverse the above sequence. They process all received options in each fragment. When the FRAG option is encountered, the FRAG data is used in reassembly. After all fragments are received, the entire UDP packet is processed with any trailing UDP options applying to the reassembled user data. >> Reassembly failures at the receiver result in silent discard of any per-fragment options and fragment contents. To emulate the behavior of a legacy host, any set of fragments received with the same Identification value but not successfully reassembled SHOULD each generate a zero-length UDP application message. >> Finally, because fragmentation processing can be expensive, the FRAG option SHOULD be avoided unless the original datagram requires fragmentation or it is needed for "safe" use of UNSAFE options. >> Users MAY also select the FRAG option to provide limited support for UDP options in systems that have access to only the initial portion of the data in incoming or outgoing packets, with the caveat that such packets would be silently ignored by legacy receivers (that do not support UDP options). Touch Expires May 6, 2024 [Page 23] Internet-Draft Transport Options for UDP November 2023 10.5. Maximum Datagram Size (MDS) The Maximum Datagram Size (MDS, Kind=4) option is a 16-bit hint of the largest unfragmented UDP packet that an endpoint believes can be received. As with the TCP Maximum Segment Size (MSS) option [RFC9293], the size indicated is the IP layer MTU decreased by the fixed IP and UDP headers only [RFC9293]. The space needed for IP and UDP options needs to be adjusted by the sender when using the value indicated. The value transmitted is based on EMTU_R, the largest IP datagram that can be received (i.e., reassembled at the receiver) [RFC1122]. However, as with TCP, this value is only a hint at what the receiver believes. >> MDS does not indicate a known path MTU and thus MUST NOT be used to limit transmissions. +--------+--------+--------+--------+ | Kind=4 | Len=4 | MDS size | +--------+--------+--------+--------+ Figure 13 UDP MDS option format >> The UDP MDS option MAY be used as a hint for path MTU discovery [RFC1191][RFC8201], but this may be difficult because of known issues with ICMP blocking [RFC2923] as well as UDP lacking automatic retransmission. MDS is more likely to be useful when coupled with IP source fragmentation or UDP fragmentation to limit the largest reassembled UDP message as indicated by MRDS (see Section 10.6), e.g., when EMTU_R is larger than the required minimums (576 for IPv4 [RFC791] and 1500 for IPv6 [RFC8200]). >> MSD can be used with DPLPMTUD [RFC8899] to provide a hint to maximum DPLPMTU, though it MUST NOT prohibit transmission of larger UDP packets (or fragments) used as DPLPMTU probes. 10.6. Maximum Reassembled Datagram Size (MRDS) The Maximum Reassembled Datagram Size (MRDS, Kind=5) option is a 16- bit indicator of the largest reassembled UDP datagram that can be received. MRDS is the UDP equivalent of IP's EMTU_R but the two are not related [RFC1122]. Using the FRAG option (Section 10.4), UDP packets can be transmitted as transport fragments, each in their own (presumably not fragmented) IP datagram and be reassembled at the UDP layer. Touch Expires May 6, 2024 [Page 24] Internet-Draft Transport Options for UDP November 2023 +--------+--------+--------+--------+ | Kind=5 | Len=4 | MRDS size | +--------+--------+--------+--------+ Figure 14 UDP MRDS option format >> Endpoints supporting UDP options MUST support a local MRDS of at least 3,000 bytes. 10.7. Echo request (REQ) and echo response (RES) The echo request (REQ, Kind=6) and echo response (RES, Kind=7) options provides UDP packet-level acknowledgements as a capability for use by upper layer protocols, e.g., user applications, libraries, operating systems, etc. Both the REQ and RES are under the control of these upper layers, i.e., UDP itself never automatically responds to a REQ with a RES. Instead, the REQ is delivered to the upper layer, which decides whether and when to issue a RES. One such use is described as part of the UDP options variant of packetization layer path MTU discovery (PLPMTUD) [Fa23]. The options both have the format indicated in Figure 15, in which the token has no internal structure or meaning. +--------+--------+------------------+ | Kind | Len=6 | token | +--------+--------+------------------+ 1 byte 1 byte 4 bytes Figure 15 UDP REQ and RES options format >> As advice to upper layer protocol/library designers, when supporting REQ/RES and responding with a RES, the upper layer SHOULD respond with the most recently received REQ token. >> REQ/RES MUST be disabled by default, i.e., arriving REQs are silently ignored and RES cannot be issued unless REQ/RES is actively enabled, e.g., for DLPLTUD or other known use by an upper layer mechanism. >> The token used in a RES option MUST be a token received in a REQ option. This ensures that the response is to a received request. REQ and RES option kinds appear at most once each in each UDP packet, as with most other options. Note also that the FRAG option Touch Expires May 6, 2024 [Page 25] Internet-Draft Transport Options for UDP November 2023 is not used when sending DPLPMTUD probes to determine a PLPMTU [Fa23]. 10.8. Timestamps (TIME) The Timestamp (TIME, Kind=8) option exchanges two four-byte unsigned timestamp fields. It serves a similar purpose to TCP's TS option [RFC7323], enabling UDP to estimate the round trip time (RTT) between hosts. For UDP, this RTT can be useful for establishing UDP fragment reassembly timeouts or transport-layer rate-limiting [RFC8085]. +--------+--------+------------------+------------------+ | Kind=8 | Len=10 | TSval | TSecr | +--------+--------+------------------+------------------+ 1 byte 1 byte 4 bytes 4 bytes Figure 16 UDP TIME option format TS Value (TSval) and TS Echo Reply (TSecr) are used in a similar manner to the TCP TS option [RFC7323]. On transmitted UDP packets using the option, TS Value is always set based on the local "time" value. Received TSval and TSecr values are provided to the application, which can pass the TSval value to be used as TSecr on UDP messages sent in response (i.e., to echo the received TSval). A received TSecr of zero indicates that the TSval was not echoed by the transmitter, i.e., from a previously received UDP packet. >> TIME MAY use an RTT estimate based on nonzero Timestamp values as a hint for fragmentation reassembly, rate limiting, or other mechanisms that benefit from such an estimate. >> an application MAY use TIME to compute this RTT estimate for further use by the user. UDP timestamps are modeled after TCP timestamps and have similar expectations. In particular, they are expected to be: o Values are monotonic and non-decreasing except for anticipated number-space rollover events o Values should "increase" (allowing for rollover, i.e., modulo the field size excepting zero) according to a typical 'tick' time o A request is defined as TSval being non-zero and a reply is defined as TSecr being non-zero. Touch Expires May 6, 2024 [Page 26] Internet-Draft Transport Options for UDP November 2023 o A receiver should always respond to a request with the highest TSval received (allowing for rollover), which is not necessarily the most recently received. Rollover can be handled as a special case or more completely using sequence number extension [RFC9187], however zero values need to be avoided explicitly. >> TIME values MUST NOT use zeros as valid time values, because they are used as indicators of requests and responses. 10.9. Authentication (AUTH) The Authentication (AUTH, Kind=9) option is intended to allow UDP to provide a similar type of authentication as the TCP Authentication Option (TCP-AO) [RFC5925]. AUTH covers the UDP user data. AUTH supports NAT traversal in a similar manner as TCP-AO [RFC6978]. Figure 17 shows the UDP AUTH format, whose contents are identical to that of the TCP-AO option, with the addition of a 32-bit unsigned sequence number. The sequence number is used to differentiate otherwise identical datagrams for cryptographic purposes; it is intended to not repeat during the lifetime of a security association, but are otherwise meaningless (e.g., they can be monotonically increased except during rollover). Because AUTH sequence numbers are not coordinated and not reliably transmitted, in contrast to TCP, they cannot be used to derive session traffic keys. During an association, the one-byte KeyID and ReceiveNextKeyID (RNKID) fields serve the same purpose as for TCP-AO, allowing the active keys used in either direction to change in a coordinated manner. +--------+--------+--------+--------+ | Kind=9 | Len | KeyID | RNKID | +--------+--------+--------+--------+ | Sequence Number | +--------+--------+--------+--------+ | MAC... | +--------+--------+--------+--------+ ... +--------+--------+--------+--------+ | ...MAC | +--------+--------+--------+--------+ Figure 17 UDP AUTH option format Touch Expires May 6, 2024 [Page 27] Internet-Draft Transport Options for UDP November 2023 Like TCP-AO, AUTH is not negotiated in-band. Its use assumes both endpoints have populated Master Key Tuples (MKTs), used to exclude non-protected traffic. TCP-AO generates unique traffic keys from a hash of TCP connection parameters. UDP lacks a three-way handshake to coordinate connection-specific values, such as TCP's Initial Sequence Numbers (ISNs) [RFC9293], thus AUTH's Key Derivation Function (KDF) uses zeroes as the value for both ISNs. This means that the AUTH reuses keys when socket pairs are reused, unlike TCP-AO. >> UDP packets with incorrect AUTH HMACs MUST be passed to the application by default, e.g., with a flag indicating AUTH failure. >> UDP fragments with individual incorrect AUTH HMACs MUST be accumulated and passed to the application by default as part of the reassembled packet. >> If used with UDP fragments, AUTH MUST be configured to cover the UDP option area (because fragments have an empty UDP data area). Like all non-UNSAFE UDP options, AUTH needs to be silently ignored when failing. This silently-ignored behavior ensures that option- aware receivers operate the same as legacy receivers unless overridden. In addition to the UDP user data (which is always included), AUTH can be configured to either include or exclude the surplus area (again, the latter is not allowed for UDP fragments), in a similar way as can TCP-AO can optionally exclude TCP options. When UDP options are covered, the OCS value and AUTH (and later, UENC) hash areas are zeroed before computing the AUTH hash. It is important to consider that options not yet defined might yield unpredictable results if not confirmed as supported, e.g., if they were to contain other hashes or checksums that depend on the surplus area contents. This is why such dependencies are not permitted except as defined for the OCS and the AUTH (and later, UENC) option. Similar to TCP-AO-NAT, AUTH (and later, UENC) can be configured to support NAT traversal, excluding (by zeroing out) one or both of the UDP ports and corresponding IP addresses [RFC6978]. 10.10. Experimental (EXP) The Experimental option (EXP, Kind=127) is reserved for experiments [RFC3692]. Only one such value is reserved because experiments are expected to use an Experimental ID (ExIDs) to differentiate Touch Expires May 6, 2024 [Page 28] Internet-Draft Transport Options for UDP November 2023 concurrent use for different purposes, using UDP ExIDs registered with IANA according to the approach developed for TCP experimental options [RFC6994]. +----------+----------+----------+----------+ | Kind=127 | Len | UDP ExID | +----------+----------+----------+----------+ | (option contents, as defined)... | +----------+----------+----------+----------+ Figure 18 UDP EXP option format >> The length of the experimental option MUST be at least 4 to account for the Kind, Length, and the minimum 16-bit UDP ExID identifier (similar to TCP ExIDs [RFC6994]). The UDP EXP option also includes an extended length format, where the option LEN is 255 followed by two bytes of extended length. +----------+----------+----------+----------+ | Kind=127 | 255 | Extended Length | +----------+----------+----------+----------+ | UDP ExID. |(option contents...) | +----------+----------+----------+----------+ Figure 19 UDP EXP extended option format Assigned UDP experimental IDs (ExIDs) assigned from a single registry managed by IANA (see Section 24). Assigned ExIDs can be used in either the EXP or UEXP options (see Section 11.2 for the latter). 11. UNSAFE Options UNSAFE options are not safe to ignore and can be used unidirectionally or without soft-state confirmation of UDP option capability. They are always used only when the user data occurs inside a reassembled set of one or more UDP fragments, such that if UDP fragmentation is not supported, the enclosed UDP user data would be silently dropped anyway. >> Applications using UNSAFE options SHOULD NOT also use zero-length UDP packets as signals, because they will arrive when UNSAFE options fail. Those that choose to allow such packets MUST account for such events. Touch Expires May 6, 2024 [Page 29] Internet-Draft Transport Options for UDP November 2023 >> UNSAFE options MUST be used only as part of UDP fragments, used either per-fragment or after reassembly. >> Receivers supporting UDP options MUST silently drop the UDP user data of the reassembled datagram if any fragment or the entire datagram includes an UNSAFE option whose UKind is not supported or if an UNSAFE option appears outside the context of a fragment or reassembled fragments. Note that this still results in the receipt of a zero-length UDP datagram. 11.1. UNSAFE Encryption (UENC) UNSAFE encryption (UENC, Kind=192) has the same format as AUTH (Section 10.9), except that it encrypts (modifies) the user data. It provides a similar encryption capability as TCP-AO-ENC, in a similar manner [To18]. Its fields, coverage, and processing are the same as for AUTH, except that UENC encrypts the user data and (when configured to) the portion of the surplus area that occurs after UENC, although it can (optionally) depend on options that precede it (with certain fields zeroed, as per AUTH, e.g., providing authentication over the surplus area). Like AUTH, UENC can be configured to be compatible with NAT traversal. Because UDP lacks TCP's Initial Sequence Numbers (ISNs), those values are zero for the purposes of computing traffic keys based on the TCP-AO approach. 11.2. UNSAFE Experimental (UEXP) The UNSAFE Experimental option (UEXP, Kind=254) is reserved for experiments [RFC3692]. As with EXP, only one such UEXP value is reserved because experiments are expected to use an Experimental ID (ExIDs) to differentiate concurrent use for different purposes, using UDP ExIDs registered with IANA according to the approach developed for TCP experimental options [RFC6994]. Assigned ExIDs can be used with either the UEXP or EXP options. 12. Rules for designing new options The UDP option Kind space allows for the definition of new options, however the currently defined options do not allow for arbitrary new options. The following is a summary of rules for new options and their rationales: >> New options MUST NOT modify other option content. Touch Expires May 6, 2024 [Page 30] Internet-Draft Transport Options for UDP November 2023 >> New options MUST NOT depend on the content of other options. UNSAFE options can both depend on and vary user data content because they are contained only inside UDP fragments and thus are processed only by UDP option capable receivers. >> New options MUST NOT declare their order relative to other options, whether new or old. >> At the sender, new options MUST NOT modify UDP packet content anywhere except within their option field, excepting only those contained within the UNSAFE option; areas that need to remain unmodified include the IP header, IP options, the UDP user data, and the surplus area (i.e., other options). >> Options MUST NOT be modified in transit. This includes those already defined as well as new options. >> New options MUST NOT require or allow that any UDP options (including themselves) or the remaining surplus area be modified in transit. Note that only certain of the initially defined options violate these rules: o >> The FRAG option modifies UDP user data, splitting it across multiple IP packets. UNSAFE options MAY modify the UDP user data, e.g., by encryption, compression, or other transformations. All other options MUST NOT modify the UDP user data. The following recommendation helps enable efficient zero-copy processing: o >> FRAG SHOULD be the first option, when present. 13. Option inclusion and processing The following rules apply to option inclusion by senders and processing by receivers. >> Senders MAY add any option, as configured by the API. >> All "must-support" options MUST be processed by receivers, if present (presuming UDP options are supported at that receiver). >> Non-"must-support" options MAY be ignored by receivers, if present, e.g., based on API settings. Touch Expires May 6, 2024 [Page 31] Internet-Draft Transport Options for UDP November 2023 >> All options MUST be processed by receivers in the order encountered in the options area. >> All options except UNSAFE options MUST result in the UDP user data being passed to the application layer, regardless of whether all options are processed, supported, or succeed. The basic premise is that, for options-aware endpoints, the sender decides what options to add and the receiver decides what options to handle. Simply adding an option does not force work upon a receiver, with the exception of the "must-support" options. Upon receipt, the receiver checks various properties of the UDP packet and its options to decide whether to accept or drop the UDP packet and whether to accept or ignore some its options as follows (in order): if the UDP checksum fails then silently drop the entire UDP packet (per RFC1122) if the UDP checksum passes or is zero then if ((OCS != 0 and fails or OCS == 0) and UDP CS != 0) or ((OCS != 0 and passes) and UDP CS == 0) then deliver the UDP user data but ignore other options (this is required to emulate legacy behavior) if (OCS != 0 and passes) or (OCS == 0 and UDP CS == 0) then deliver the UDP user data after parsing and processing the rest of the options, regardless of whether each is supported or succeeds (again, this is required to emulate legacy behavior) The design of the UNSAFE options as used only inside the FRAG area ensures that the resulting UDP data will be silently dropped in both legacy and options-aware receivers. Again, note that this still results in the delivery of a zero-length UDP packet. Options-aware receivers can drop UDP packets with option processing errors via either an override of the default UDP processing or at the application layer. I.e., all options are treated the same, in that the transmitter can add it as desired and the receiver has the option to require it or not. Only if it is required (e.g., by API configuration) should the receiver require it being present and correct. I.e., for all options: Touch Expires May 6, 2024 [Page 32] Internet-Draft Transport Options for UDP November 2023 o if the option is not required by the receiver, then UDP packets missing the option are accepted. o if the option is required (e.g., by override of the default behavior at the receiver) and missing or incorrectly formed, silently drop the UDP packet. o if the UDP packet is accepted (either because the option is not required or because it was required and correct), then pass the option with the UDP packet via the API. Any options whose length exceeds that of the UDP packet (i.e., intending to use data that would have been beyond the surplus area) should be silently ignored (again to model legacy behavior). 14. UDP API Extensions UDP currently specifies an application programmer interface (API), summarized as follows (with Unix-style command as an example) [RFC768]: o Method to create new receive ports o E.g., bind(handle, recvaddr(optional), recvport) o Receive, which returns data octets, source port, and source address o E.g., recvfrom(handle, srcaddr, srcport, data) o Send, which specifies data, source and destination addresses, and source and destination ports o E.g., sendto(handle, destaddr, destport, data) This API is extended to support options as follows: o Extend the method to create receive ports to include per-packet and per-fragment receive options that are required as indicated by the application. >> Datagrams not containing these required options MUST be silently dropped and MAY be logged. Touch Expires May 6, 2024 [Page 33] Internet-Draft Transport Options for UDP November 2023 o Extend the receive function to indicate the per-packet options and their parameters as received with the corresponding received datagram. Note that per-fragment options are handled within the processing of each fragment. o >> SAFE options associated with fragments are accumulated when associated with the reassembled packet; values MAY be coalesced, e.g., to indicate only that an AUTH failure of a fragment occurred or not rather than indicating the AUTH status of each fragment. o Extend the send function to indicate the options to be added to the corresponding sent datagram. This includes indicating which options apply to individual fragments vs. which apply to the UDP packet prior to fragmentation, if fragmentation is enabled. This includes a minimum datagram length, such that the options list ends in EOL and additional space is zero-filled as needed. It also includes a maximum fragment size, e.g., as discovered by DPLPMTUD, whether implemented at the application layer per [RFC8899] or in conjunction with other UDP options [Fa23]. Examples of API instances for Linux and FreeBSD are provided in Appendix A, to encourage uniform cross-platform implementations. 15. UDP Options are for Transport, Not Transit UDP options are indicated in the surplus area of the IP payload that is not used by UDP. That area is really part of the IP payload, not the UDP payload, and as such, it might be tempting to consider whether this is a generally useful approach to extending IP. Unfortunately, the surplus area exists only for transports that include their own transport layer payload length indicator. TCP and SCTP include header length fields that already provide space for transport options by indicating the total length of the header area, such that the entire remaining area indicated in the network layer (IP) is transport payload. UDP-Lite already uses the UDP Length field to indicate the boundary between data covered by the transport checksum and data not covered, and so there is no remaining area where the length of the UDP-Lite payload as a whole can be indicated [RFC3828]. UDP options are intended for use only by the transport endpoints. They are no more (or less) appropriate to be modified in-transit than any other portion of the transport datagram. Touch Expires May 6, 2024 [Page 34] Internet-Draft Transport Options for UDP November 2023 >> UDP options are transport options. Generally, transport headers, options, and data are not intended to be modified in-transit. UDP options are no exception and here are specified as "MUST NOT" be altered in transit. However, note that the UDP option mechanism provides no specific protection against in-transit modification of the UDP header, UDP payload, or surplus area, except as provided by the OCS or the options selected (e.g., AUTH, or UENC). 16. UDP options vs. UDP-Lite UDP-Lite provides partial checksum coverage, so that UDP packets with errors in some locations can be delivered to the user [RFC3828]. It uses a different transport protocol number (136) than UDP (17) to interpret the UDP Length field as the prefix covered by the UDP checksum. UDP (protocol 17) already defines the UDP Length field as the limit of the UDP checksum, but by default also limits the data provided to the application as that which precedes the UDP Length. A goal of UDP-Lite is to deliver data beyond UDP Length as a default, which is why a separate transport protocol number was required. UDP options do not use or need a separate transport protocol number because the data beyond the UDP Length offset (surplus data) is not provided to the application by default. That data is interpreted exclusively within the UDP transport layer. UDP-Lite cannot support UDP options, either as proposed here or in any other form, because the entire payload of the UDP packet is already defined as user data and there is no additional field in which to indicate a surplus area for options. The UDP Length field in UDP-Lite is already used to indicate the boundary between user data covered by the checksum and user data not covered. 17. Interactions with Legacy Devices It has always been permissible for the UDP Length to be inconsistent with the IP transport payload length [RFC768]. Such inconsistency has been utilized in UDP-Lite using a different transport number. There are no known systems that use this inconsistency for UDP [RFC3828]. It is possible that such use might interact with UDP options, i.e., where legacy systems might generate UDP datagrams that appear to have UDP options. The OCS provides protection against such events and is stronger than a static "magic number". Touch Expires May 6, 2024 [Page 35] Internet-Draft Transport Options for UDP November 2023 UDP options have been tested as interoperable with Linux, macOS, and Windows Cygwin, and worked through NAT devices. These systems successfully delivered only the user data indicated by the UDP Length field and silently discarded the surplus area. One reported embedded device passes the entire IP datagram to the UDP application layer. Although this feature could enable application-layer UDP option processing, it would require that conventional UDP user applications examine only the UDP user data. This feature is also inconsistent with the UDP application interface [RFC768] [RFC1122]. It has been reported that Alcatel-Lucent's "Brick" Intrusion Detection System has a default configuration that interprets inconsistencies between UDP Length and IP Length as an attack to be reported. Note that other firewall systems, e.g., CheckPoint, use a default "relaxed UDP length verification" to avoid falsely interpreting this inconsistency as an attack. 18. Options in a Stateless, Unreliable Transport Protocol There are two ways to interpret options for a stateless, unreliable protocol -- an option is either local to the message or intended to affect a stream of messages in a soft-state manner. Either interpretation is valid for defined UDP options. It is impossible to know in advance whether an endpoint supports a UDP option. >> All UDP options other than UNSAFE ones MUST be ignored if not supported or upon failure (e.g., APC). >> All UDP options that fail MUST result in the UDP data still being sent to the application layer by default, to ensure equivalence with legacy devices. UDP options that rely on soft-state exchange need allow for message reordering and loss, in the same way as UDP applications [RFC8085]. The above requirements prevent using any option that cannot be safely ignored unless it is hidden inside the FRAG area (i.e., UNSAFE options). Legacy systems also always need to be able to interpret the transport fragments as individual UDP packets. Touch Expires May 6, 2024 [Page 36] Internet-Draft Transport Options for UDP November 2023 19. UDP Option State Caching Some TCP connection parameters, stored in the TCP Control Block, can be usefully shared either among concurrent connections or between connections in sequence, known as TCP Sharing [RFC9040]. Although UDP is stateless, some of the options proposed herein may have similar benefit in being shared or cached. We call this UCB Sharing, or UDP Control Block Sharing, by analogy. Just as TCB sharing is not a standard because it is consistent with existing TCP specifications, UCB sharing would be consistent with existing UDP specifications, including this one. Both are implementation issues that are outside the scope of their respective specifications, and so UCB sharing is outside the scope of this document. 20. Updates to RFC 768 This document updates RFC 768 as follows: o This document defines the meaning of the IP payload area beyond the UDP length but within the IP length as the surplus area used herein for UDP options. o This document extends the UDP API to support the use of UDP options. 21. Interactions with other RFCs (and drafts) This document clarifies the interaction between UDP Length and IP length that is not explicitly constrained in either UDP or the host requirements [RFC768] [RFC1122]. Teredo extensions (TE) define use of a similar difference between these lengths for trailers [RFC4380][RFC6081]. TE defines the length of an IPv6 payload inside UDP as pointing to less than the end of the UDP payload, enabling trailing options for that IPv6 packet: "..the IPv6 packet length (i.e., the Payload Length value in the IPv6 header plus the IPv6 header size) is less than or equal to the UDP payload length (i.e., the Length value in the UDP header minus the UDP header size)" UDP options are not affected by the difference between the UDP user payload end and the payload IPv6 end; both would end at the UDP user payload, which could end before the enclosing IPv4 or IPv6 header indicates - allowing UDP options in addition to the trailer options of the IPv6 payload. The result, if UDP options were used, is shown in Figure 20. Touch Expires May 6, 2024 [Page 37] Internet-Draft Transport Options for UDP November 2023 Outer IP Length <----------------------------------------------------------> +--------+---------+------------------------------+----------+ | IP Hdr | UDP Hdr | IPv6 packet/len | TE trailer | surplus | +--------+---------+------------------------------+----------+ <---------------> Inner IPv6 Length <--------------------------------------> UDP Length Figure 20 TE trailers and UDP options used concurrently This document is consistent the UDP profile for Robust Header Compression (ROHC)[RFC3095], noted here: "The Length field of the UDP header MUST match the Length field(s) of the preceding subheaders, i.e., there must not be any padding after the UDP payload that is covered by the IP Length." ROHC compresses UDP headers only when this match succeeds. It does not prohibit UDP headers where the match fails; in those cases, ROHC default rules (Section 5.10) would cause the UDP header to remain uncompressed. Upon receipt of a compressed UDP header, Section A.1.3 of that document indicates that the UDP length is "INFERRED"; in uncompressed packets, it would simply be explicitly provided. This issue of handling UDP header compression is more explicitly described in more recent specifications, e.g., Sec. 10.10 of Static Context Header Compression [RFC8724]. 22. Multicast Considerations UDP options are primarily intended for unicast use. Using these options over multicast IP requires careful consideration, e.g., to ensure that the options used are safe for different endpoints to interpret differently (e.g., either to support or silently ignore) or to ensure that all receivers of a multicast group confirm support for the options in use. 23. Security Considerations There are a number of security issues raised by the introduction of options to UDP. Some are specific to this variant, but others are associated with any packet processing mechanism; all are discussed in this section further. Touch Expires May 6, 2024 [Page 38] Internet-Draft Transport Options for UDP November 2023 Note that any user application that considers UDP options to affect security need not enable them. However, their use does not impact security in a way substantially different than TCP options; both enable the use of a control channel that has the potential for abuse. Similar to TCP, there are many options that, if unprotected, could be used by an attacker to interfere with communication. UDP options create new potential opportunities for DDOS attacks, notably through the use of fragmentation. When enabled, UDP options cause additional work at the receiver, however, of the "must- support" options, only REQ (e.g., when used with DLPMTUD [Fa23]) will cause the upper layer to initiate a UDP response in the absence of user transmission. The use of UDP packets with inconsistent IP and UDP Length fields has the potential to trigger a buffer overflow error if not properly handled, e.g., if space is allocated based on the smaller field and copying is based on the larger. However, there have been no reports of such vulnerability and it would rely on inconsistent use of the two fields for memory allocation and copying. UDP options are not covered by DTLS (datagram transport-layer security). Despite the name, neither TLS [RFC8446] (transport layer security, for TCP) nor DTLS [RFC9147] (TLS for UDP) protect the transport layer. Both operate as a shim layer solely on the user data of transport packets, protecting only their contents. Just as TLS does not protect the TCP header or its options, DTLS does not protect the UDP header or the new options introduced by this document. Transport security is provided in TCP by the TCP Authentication Option (TCP-AO [RFC5925]) or in UDP by the Authentication (AUTH) option (Section 10.9) and UNSAFE Encryption (UENC) option (Section 11). Transport headers are also protected as payload when using IP security (IPsec) [RFC4301]. UDP options use the TLV syntax similar to that of TCP. This syntax is known to require serial processing and may pose a DOS risk, e.g., if an attacker adds large numbers of unknown options that must be parsed in their entirety, as is the case for IPv6 [RFC8504]. >> Implementations concerned with the potential for UDP options introducing a vulnerability MAY implement only the required UDP options and SHOULD also limit processing of TLVs, either in number of non-padding options or total length, or both. The number of non- zero TLVs allowed in such cases MUST be at least as many as the number of concurrent options supported with an additional few to account for unexpected unknown options, but should also consider Touch Expires May 6, 2024 [Page 39] Internet-Draft Transport Options for UDP November 2023 being adaptive and based on the implementation, to avoid locking in that limit globally. E.g., if a system supports 10 different option types that could concurrently be used, it is expected to allow up to around 13-14 different options in the same packet. This document avoids specifying a fixed minimum, but recognizes that a given system should not expect to receive more than a few unknown option types per packet. Because required options come first and at most once each (with the exception of NOPs, which should never need to come in sequences of more than seven in a row), this limits their DOS impact. Note that TLV formats for options does require serial processing, but any format that allows future options, whether ignored or not, could introduce a similar DOS vulnerability. >> Implementations concerned with the potential for DOS attacks involving large numbers of UDP options, either implemented or unknown, or excessive sequences of valid repeating options (e.g., NOPs) SHOULD detect excessive numbers of such occurrences and limit resources they use, either through silent packet drops. Such responses MUST be logged. Specific thresholds for such limits will vary based on implementation and are thus not included here. >> Implementations concerned with the potential for UDP fragmentation introducing a vulnerability SHOULD implement limits on the number of pending fragments. UDP security should never rely solely on transport layer processing of options. UNSAFE options are the only type that share fate with the UDP data, because of the way that data is hidden in the surplus area until after those options are processed. All other options default to being silently ignored at the transport layer but may be dropped either if that default is overridden (e.g., by configuration) or discarded at the application layer (e.g., using information about the options processed that are passed along with the UDP packet). UDP fragmentation introduces its own set of security concerns, which can be handled in a manner similar to IP reassembly or TCP segment reordering [CERT18]. In particular, the number of UDP packets pending reassembly and effort used for reassembly is typically limited. In addition, it may be useful to assume a reasonable minimum fragment size, e.g., that non-terminal fragments should never be smaller than 500 bytes. Touch Expires May 6, 2024 [Page 40] Internet-Draft Transport Options for UDP November 2023 UDP options, like any options, have the potential to expose option information to on-path attackers, unless the options themselves are encrypted (as might be the case with some configurations of UENC, when defined). Application protocol designers should ensure that information in UDP options is not used with the assumption of privacy unless UENC provides that capability. Application protocol designers using secure payload contents (e.g., via DTLS) should be aware that UDP options add information that is not inside the UDP payload and thus not protected by the same mechanism, and that alternate mechanisms (again, as might be the case with some configurations of UENC) may be additionally required to protect against information disclosure. 24. IANA Considerations Upon publication, IANA is hereby requested to create a new registry for UDP Option Kind numbers, similar to that for TCP Option Kinds; this assumes the creation of a new UDP registry group in which UDP Option Kinds would be the only entry. Initial values of the UDP Option Kind registry are as listed in Section 9. Additional values in this registry are to be assigned from the UNASSIGNED values in Section 9 by IESG Approval or Standards Action [RFC8126]. Those assignments are subject to the conditions set forth in this document, particularly (but not limited to) those in Section 12. >> Although option nicknames are not used in-band, new UNSAFE safe option names SHOULD commence with the capital letter "U" and avoid either uppercase or lowercase "U" as commencing safe options. Upon publication, IANA is hereby requested to create a new registry for UDP Experimental Option Experiment Identifiers (UDP ExIDs) for use in a similar manner as TCP ExIDs [RFC6994]. UDP ExIDs can be used in either (or both) the EXP or UEXP options. This registry is initially empty. Values in this registry are to be assigned by IANA using first-come, first-served (FCFS) rules [RFC8126]. Options using these ExIDs are subject to the same conditions as new options, i.e., they too are subject to the conditions set forth in this document, particularly (but not limited to) those in Section 12. Touch Expires May 6, 2024 [Page 41] Internet-Draft Transport Options for UDP November 2023 25. References 25.1. Normative References [Fa23] Fairhurst, G., T. Jones, "Datagram PLPMTUD for UDP Options," draft-ietf-tsvwg-udp-options-dplpmtud, Jun. 2023. [RFC768] Postel, J., "User Datagram Protocol," RFC 768, August 1980. [RFC791] Postel, J., "Internet Protocol," RFC 791, Sept. 1981. [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts -- Communication Layers," RFC 1122, Oct. 1989. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels," BCP 14, RFC 2119, March 1997. [RFC5925] Touch, J., A. Mankin, R. Bonica, "The TCP Authentication Option," RFC 5925, June 2010. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words," RFC 2119, May 2017. 25.2. Informative References [Fa18] Fairhurst, G., T. Jones, R. Zullo, "Checksum Compensation Options for UDP Options", draft-fairhurst-udp-options-cco, Oct. 2018. [Hi15] Hildebrand, J., B. Trammel, "Substrate Protocol for User Datagrams (SPUD) Prototype," draft-hildebrand-spud- prototype-03, Mar. 2015. [RFC1071] Braden, R., D. Borman, C. Partridge, "Computing the Internet Checksum," RFC 1071, Sept. 1988. [RFC1191] Mogul, J., S. Deering, "Path MTU discovery," RFC 1191, November 1990. [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery," RFC 2923, September 2000. [RFC3095] Bormann, C. (Ed), et al., "RObust Header Compression (ROHC): Framework and four profiles: RTP, UDP, ESP, and uncompressed," RFC 3095, July 2001. Touch Expires May 6, 2024 [Page 42] Internet-Draft Transport Options for UDP November 2023 [RFC3385] Sheinwald, D., J. Satran, P. Thaler, V. Cavanna, "Internet Protocol Small Computer System Interface (iSCSI) Cyclic Redundancy Check (CRC)/Checksum Considerations," RFC 3385, Sep. 2002. [RFC3692] Narten, T., "Assigning Experimental and Testing Numbers Considered Useful," RFC 3692, Jan. 2004. [RFC3828] Larzon, L-A., M. Degermark, S. Pink, L-E. Jonsson (Ed.), G. Fairhurst (Ed.), "The Lightweight User Datagram Protocol (UDP-Lite)," RFC 3828, July 2004. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, Dec. 2005. [RFC4340] Kohler, E., M. Handley, and S. Floyd, "Datagram Congestion Control Protocol (DCCP)", RFC 4340, March 2006. [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)," RFC 4380, Feb. 2006. [RFC6081] Thaler, D., "Teredo Extensions," RFC 6081, Jan 2011. [RFC6864] Touch, J., "Updated Specification of the IPv4 ID Field," RFC 6864, Feb. 2013. [RFC6935] Eubanks, M., P. Chimento, M. Westerlund, "IPv6 and UDP Checksums for Tunneled Packets," RFC 6935, April 2013. [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT Traversal", RFC 6978, July 2013. [RFC6994] Touch, J., "Shared Use of Experimental TCP Options," RFC 6994, Aug. 2013. [RFC7323] Borman, D., R. Braden, V. Jacobson, R. Scheffenegger (Ed.), "TCP Extensions for High Performance," RFC 7323, Sep. 2014. [RFC8085] Eggert, L., G. Fairhurst, G. Shepherd, "UDP Usage Guidelines," RFC 8085, Feb. 2017. [RFC8126] Cotton, M., B. Leiba, T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs," RFC 8126, June 2017. Touch Expires May 6, 2024 [Page 43] Internet-Draft Transport Options for UDP November 2023 [RFC8200] Deering, S., R. Hinden, "Internet Protocol Version 6 (IPv6) Specification," RFC 8200, Jul. 2017. [RFC8201] McCann, J., S. Deering, J. Mogul, R. Hinden (Ed.), "Path MTU Discovery for IP version 6," RFC 8201, Jul. 2017. [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3," RFC 8446, Aug. 2018. [RFC8504] Chown, T., J. Loughney, T. Winters, "IPv6 Node Requirements," RFC 8504, Jan. 2019. [RFC8724] Minaburo, A., L. Toutain, C. Gomez, D. Barthel, JC., "SCHC: Generic Framework for Static Context Header Compression and Fragmentation," RFC 8724, Apr. 2020. [RFC8899] Fairhurst, G., T. Jones, M. Tuxen, I. Rungeler, T. Volker, "Packetization Layer Path MTU Discovery for Datagram Transports," RFC 8899, Sep. 2020. [RFC9040] Touch, J., M. Welzl, S. Islam, "TCP Control Block Interdependence," RFC 9040, Jul. 2021. [RFC9147] Rescorla, E., H. Tschofenig, N. Modadugu, "Datagram Transport Layer Security Version 1.3," RFC 9147, Apr. 2022. [RFC9187] Touch, J., "Sequence Number Extension for Windowed Protocols," RFC 9187, Jan. 2022. [RFC9260] Stewart, R., M. Tuxen, K. Nielsen, "Stream Control Transmission Protocol", RFC 9260, June 2022. [RFC9293] Eddy, W. (Ed.), "Transmission Control Protocol," STD 7, RFC 9293, Aug. 2022. [CERT18] CERT Coordination Center, "TCP implementations vulnerable to Denial of Service,", Vulnerability Note VU 962459, Software Engineering Institute, CMU, 2018, https://www.kb.cert.org/vuls/id/962459. [To18] Touch, J., "A TCP Authentication Option Extension for Payload Encryption," draft-touch-tcp-ao-encrypt, Jul. 2018. Touch Expires May 6, 2024 [Page 44] Internet-Draft Transport Options for UDP November 2023 [Zu20] Zullo, R., T. Jones, and G. Fairhurst, "Overcoming the Sorrows of the Young UDP Options," 2020 Network Traffic Measurement and Analysis Conference (TMA), IEEE, 2020. 26. Acknowledgments This work benefitted from feedback from Erik Auerswald, Bob Briscoe, Ken Calvert, Ted Faber, Gorry Fairhurst (including OCS for errant middlebox traversal), C. M. Heard (including combining previous FRAG and LITE options into the new FRAG, as well as Figure 12), Tom Herbert, Mark Smith, and Raffaele Zullo, as well as discussions on the IETF TSVWG and SPUD email lists. This work was partly supported by USC/ISI's Postel Center. This document was prepared using 2-Word-v2.0.template.dot. Authors' Addresses Joe Touch Manhattan Beach, CA 90266 USA Phone: +1 (310) 560-0334 Email: touch@strayalpha.com Touch Expires May 6, 2024 [Page 45] Internet-Draft Transport Options for UDP November 2023 Appendix A.Implementation Information The following information is provided to encourage interoperable API implementations. System-level variables (sysctl): Name default meaning ---------------------------------------------------- net.ipv4.udp_opt 0 UDP options available net.ipv4.udp_opt_ocs 1 Default use OCS net.ipv4.udp_opt_apc 0 Default include APC net.ipv4.udp_opt_frag 0 Default fragment net.ipv4.udp_opt_mds 0 Default include MDS net.ipv4.udp_opt_mrds 0 Default include MRDS net.ipv4.udp_opt_req 0 Default include REQ net.ipv4.udp_opt_resp 0 Default include RES net.ipv4.udp_opt_time 0 Default include TIME net.ipv4.udp_opt_auth 0 Default include AUTH net.ipv4.udp_opt_exp 0 Default include EXP net.ipv4.udp_opt_uenc 0 Default include UENC net.ipv4.udp_opt_uexp 0 Default include UEXP Socket options (sockopt), cached for outgoing datagrams: Name meaning ---------------------------------------------------- UDP_OPT Enable UDP options (at all) UDP_OPT_OCS Use UDP OCS UDP_OPT_APC Enable UDP APC option UDP_OPT_FRAG Enable UDP fragmentation UDP OPT MDS Enable UDP MDS option UDP OPT MRDS Enable UDP MRDS option UDP OPT REQ Enable UDP REQ option UDP OPT RES Enable UDP RES option UDP_OPT_TIME Enable UDP TIME option UDP OPT AUTH Enable UDP AUTH option UDP OPT EXP Enable UDP EXP option UDP_OPT_UENC Enable UDP UENC option UDP OPT UEXP Enable UDP UEXP option Send/sendto parameters: Connection parameters (per-socketpair cached state, part UCB): Touch Expires May 6, 2024 [Page 46] Internet-Draft Transport Options for UDP November 2023 Name Initial value ---------------------------------------------------- opts_enabled net.ipv4.udp_opt ocs_enabled net.ipv4.udp_opt_ocs >> The JUNK option is included for debugging purposes, and MUST NOT be enabled otherwise. System variables net.ipv4.udp_opt_junk 0 Touch Expires May 6, 2024 [Page 47] Internet-Draft Transport Options for UDP November 2023 System-level variables (sysctl): Name default meaning ---------------------------------------------------- net.ipv4.udp_opt_junk 0 Default use of junk Socket options (sockopt): Name params meaning ------------------------------------------------------ UDP_JUNK - Enable UDP junk option UDP_JUNK_VAL fillval Value to use as junk fill UDP_JUNK_LEN length Length of junk payload in bytes Connection parameters (per-socketpair cached state, part UCB): Name Initial value ---------------------------------------------------- junk_enabled net.ipv4.udp_opt_junk junk_value 0xABCD junk_len 4 Touch Expires May 6, 2024 [Page 48]