Network working group X. Xu
Internet Draft Huawei
Category: Standard Track N. Sheth
Juniper
L. Yong
Huawei
C. Pignataro
Cisco
Y. Fan
China Telecom
Expires: July 2014 January 24, 2014
Encapsulating MPLS in UDP
draft-ietf-mpls-in-udp-05
Abstract
This document specifies an IP-based encapsulation for MPLS, called
MPLS-in-UDP (User Datagram Protocol). Note that the MPLS-in-UDP
encapsulation technology MUST only be deployed within a service
provider network or networks of an adjacent set of co-operating
service providers where the congestion control is not a concern.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 24, 2014.
Xu, et al. Expires July 24, 2014 [Page 1]
Internet-Draft Encapsulating MPLS in UDP January 2014
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ................................................ 3
1.1. Existing Encapsulations ................................ 3
1.2. Motivations for MPLS-in-UDP Encapsulation .............. 4
1.3. Application Statements ................................. 4
2. Terminology ................................................. 4
3. Encapsulation in UDP ........................................ 4
4. Processing Procedures ....................................... 6
5. Congestion Considerations ................................... 7
6. Security Considerations ..................................... 7
7. IANA Considerations ......................................... 8
8. Contributors ................................................ 9
9. Acknowledgements ............................................ 9
10. References ................................................. 9
10.1. Normative References .................................. 9
10.2. Informative References ............................... 10
Authors' Addresses ............................................ 11
Xu, et al. Expires July 24, 2014 [Page 2]
Internet-Draft Encapsulating MPLS in UDP January 2014
1. Introduction
This document specifies an IP-based encapsulation for MPLS, i.e.
MPLS-in-UDP (User Datagram Protocol), which is applicable in some
circumstances where IP-based encapsulation for MPLS is required and
further fine-grained load balancing of MPLS packets over IP
networks over Equal Cost Multi-Path (ECMP) and/or Link Aggregation
Groups (LAG) is required as well. There are already IP-based
encapsulations for MPLS that allow for fine-grained load balancing
by using some special field in the encapsulation header as an
entropy field. However, MPLS-in-UDP can be advantageous since some
networks have used the UDP port number fields as a basis for load-
balancing solutions for some time. This is similar to why LISP [RFC
6830] uses UDP encapsulation.
Like other IP-based encapsulation methods for MPLS, this
encapsulation allows for two Label Switching Routers (LSR) to be
adjacent on a Label Switched Path (LSP), while separated by an IP
network. In order to support this encapsulation, each LSR needs to
know the capability to decapsulate MPLS-in-UDP by the remote LSRs.
This specification defines only the data plane encapsulation and
does not concern itself with how the knowledge to use this
encapsulation is conveyed. Specifically, this capability can be
either manually configured on each LSR or be dynamically advertised
in manners that are outside the scope of this document.
Similarly, the MPLS-in-UDP encapsulation format defined in this
document by itself cannot ensure the integrity and privacy of data
packets being transported through the MPLS-in-UDP tunnels and
cannot enable the tunnel decapsulators to authenticate the tunnel
encapsulator. Therefore, in the case where any of the above
security issues is concerned, the MPLS-in-UDP SHOULD be secured
with IPsec [RFC4301] or DTLS [RFC6347]. For more details, please
see Section 6 of Security Considerations.
1.1. Existing Encapsulations
Currently, there are several IP-based encapsulations for MPLS such
as MPLS-in-IP, MPLS-in-GRE (Generic Routing Encapsulation)
[RFC4023], and MPLS-in-L2TPv3 (Layer Two Tunneling Protocol -
Version 3) [RFC4817]. In all these methods, the IP addresses can be
varied to achieve load-balancing.
All these IP-based encapsulations for MPLS are specified for both
IPv4 and IPv6. In the case of IPv6-based encapsulations, the IPv6
Xu, et al. Expires July 24, 2014 [Page 3]
Internet-Draft Encapsulating MPLS in UDP January 2014
Flow Label can be used for ECMP and LAGs [RFC6438]. However, there
is no such entropy field in the IPv4 header.
For MPLS-in-GRE as well as MPLS-in-L2TPv3, protocol fields (the GRE
Key and the L2TPv3 Session ID respectively) can be used as the
load-balancing key as described in [RFC5640]. For this,
intermediate routers need to understand these fields in the context
of being used as load-balancing keys.
1.2. Motivations for MPLS-in-UDP Encapsulation
Currently, most existing routers in IP networks are already capable
of distributing IP traffic "microflows" [RFC2474] over ECMPs and/or
LAG based on the hash of the five-tuple of User Datagram Protocol
(UDP)[RFC768] and Transmission Control Protocol (TCP) packets (i.e.,
source IP address, destination IP address, source port, destination
port, and protocol). By encapsulating the MPLS packets into an UDP
tunnel and using the source port of the UDP header as an entropy
field, the existing load-balancing capability as mentioned above
can be leveraged to provide fine-grained load-balancing of MPLS
traffic over IP networks.
1.3. Application Statements
The MPLS-in-UDP encapsulation technology MUST only be deployed
within a Service Provider (SP) network or networks of an adjacent
set of co-operating SPs where the congestion control is not a
concern, rather than over the Internet where the congestion control
is a must. Furthermore, packet filters should be added so as to
prevent MPLS-in-UDP packets from escaping from the service provider
networks due to misconfiguation or packet errors.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC-2119
[RFC2119].
3. Encapsulation in UDP
MPLS-in-UDP encapsulation format is shown as follows:
Xu, et al. Expires July 24, 2014 [Page 4]
Internet-Draft Encapsulating MPLS in UDP January 2014
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Port = Entropy | Dest Port = MPLS |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| UDP Length | UDP Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ MPLS Label Stack ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Message Body ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Source Port of UDP
This field contains a 16-bit entropy value that is
generated by the encapsulator to uniquely identify a
flow. What constitutes a flow is locally determined by
the encapsulator and therefore is outside the scope of
this document. What algorithm is actually used by the
encapsulator to generate an entropy value is outside
the scope of this document as well. In the case where
the tunnel does not need entropy, this field of all
packets belonging to a given flow SHOULD be set to a
randomly selected constant value so as to avoid packet
reordering.
Destination Port of UDP
This field is set to a value (TBD1) allocated by IANA
to indicate that the UDP tunnel payload is an MPLS
packet.
UDP Length
The usage of this field is in accordance with the
current UDP specification [RFC768].
UDP Checksum
The usage of this field is in accordance with the
current UDP specification [RFC768]. In the IPv4 UDP
encapsulation case, this field is RECOMMENDED to be set
to zero. In the IPv6 UDP encapsulation case, this field
Xu, et al. Expires July 24, 2014 [Page 5]
Internet-Draft Encapsulating MPLS in UDP January 2014
SHOULD NOT be set to zero. If the UDP checksum needs to
be disabled for performance or implementation reasons,
the considerations described in [RFC6935] [RFC6936]
MUST be examined.
MPLS Label Stack
This field contains an MPLS Label Stack as defined in
[RFC3032].
Message Body
This field contains one MPLS message body.
4. Processing Procedures
This MPLS-in-UDP encapsulation causes MPLS packets to be forwarded
through "UDP tunnels". When performing MPLS-in-UDP encapsulation by
the encapsulator, the entropy value would be generated by the
encapsulator and then be filled in the Source Port field of the UDP
header. The Destination Port field is set to a value (TBD1)
allocated by IANA to indicate that the UDP tunnel payload is an
MPLS packet. As for whether the top label in the MPLS label stack
is downstream-assigned or upstream-assigned, it SHOULD be
determined based on the tunnel destination IP address. That is to
say, if the destination IP address is a multicast address, the top
label SHOULD be upstream-assigned, otherwise if the destination IP
address is a unicast address, it SHOULD be downstream-assigned.
As such, intermediate routers, upon receiving these UDP
encapsulated packets, could balance these packets based on the hash
of the five-tuple of UDP packets.
Upon receiving these UDP encapsulated packets, the decapsulator
would decapsulate them by removing the UDP headers and then process
them accordingly.
As for other common processing procedures associated with tunneling
encapsulation technologies including but not limited to Maximum
Transmission Unit (MTU) and preventing fragmentation and reassembly,
Time to Live (TTL) and differentiated services, the corresponding
"Common Procedures" defined in [RFC4023] which are applicable for
MPLS-in-IP and MPLS-in-GRE encapsulation formats SHOULD be followed.
Xu, et al. Expires July 24, 2014 [Page 6]
Internet-Draft Encapsulating MPLS in UDP January 2014
5. Congestion Considerations
Since the MPLS-in-UDP encapsulation causes MPLS packets to be
forwarded through "UDP tunnels", the congestion control guidelines
for UDP tunnels as defined in Section 3.1.3 of [RFC5405] SHOULD be
followed. Specifically, as stated in Section 3.1.3 of [RFC5405],
"some bulk transfer applications may choose not to implement any
congestion control mechanism and instead rely on transmitting
across reserved path capacity. This might be an acceptable choice
for a subset of restricted networking environments, but is by no
means a safe practice for operation in the Internet."Given the
fact that the MPLS-in-GRE and MPLS-in-IP [RFC4023] encapsulation
technologies have been successfully deployed within a SP network or
networks of an adjacent set of co-operating SPs which is a
restricted network environment without any congestion control
mechanism and the fact that the current MPLS technology couldn't
provide congestion control without major changes, the MPLS-in-UDP
encapsulation MUST only be deployed within a SP network or networks
of an adjacent set of co-operating SPs as well.
6. Security Considerations
The security problems faced with the MPLS-in-UDP tunnel are exactly
the same as those faced with MPLS-in-IP and MPLS-in-GRE tunnels
[RFC4023]. In other words,, the MPLS-in-UDP tunnel as defined in
this document by itself cannot ensure the integrity and privacy of
data packets being transported through the MPLS-in-UDP tunnel and
cannot enable the tunnel decapsulator to authenticate the tunnel
encapsulator. In the case where any of the above security issues is
concerned, the MPLS-in-UDP tunnel SHOULD be secured with IPsec or
DTLS. IPsec was designed as a network security mechanism and
therefore it resides at the network layer. As such, if the tunnel
is secured with IPsec, the UDP header would not be visible to
intermediate routers anymore in either IPsec tunnel or transport
mode. As a result, the meaning of adopting the MPLS-in-UDP tunnel
as an alternative to the MPLS-in-GRE or MPLS-in-IP tunnel is lost.
By comparison, DTLS is better suited for application security and
can better preserve network and transport layer protocol
information. Specifically, if DTLS is used, the destination port of
the UDP header will be filled with a value (TBD2) indicating MPLS
with DTLS and the source port can still be used as an entropy field
for load-sharing purposes.
If the tunnel is not secured with IPsec or DTLS, some other method
should be used to ensure that packets are decapsulated and
forwarded by the tunnel tail only if those packets were
encapsulated by the tunnel head. If the tunnel lies entirely within
Xu, et al. Expires July 24, 2014 [Page 7]
Internet-Draft Encapsulating MPLS in UDP January 2014
a single administrative domain, address filtering at the boundaries
can be used to ensure that no packet with the IP source address of
a tunnel endpoint or with the IP destination address of a tunnel
endpoint can enter the domain from outside. However, when the
tunnel head and the tunnel tail are not in the same administrative
domain, this may become difficult, and filtering based on the
destination address can even become impossible if the packets must
traverse the public Internet. Sometimes only source address
filtering (but not destination address filtering) is done at the
boundaries of an administrative domain. If this is the case, the
filtering does not provide effective protection at all unless the
decapsulator of an MPLS-in-UDP validates the IP source address of
the packet. This document does not require that the decapsulator
validate the IP source address of the tunneled packets, but it
should be understood that failure to do so presupposes that there
is effective destination-based (or a combination of source-based
and destination-based) filtering at the boundaries.
7. IANA Considerations
One UDP destination port number indicating MPLS needs to be
allocated by IANA.
Service Name : MPLS-in-UDP
Transport Protocol(s) : UDP
Assignee: IESG <iesg@ietf.org>
Contact : IETF Chair <chair@ietf.org>.
Description : Encapsulate MPLS packets in UDP tunnels.
Reference : This document -- draft-ietf-mpls-in-udp (MPLS WG
document).
Port Number : TBD1 -- To be assigned by IANA.
One UDP destination port number indicating MPLS with DTLS needs to
be allocated by IANA.
Service Name : MPLS-in-UDP-with-DTLS
Transport Protocol(s) : UDP
Assignee: IESG <iesg@ietf.org>
Xu, et al. Expires July 24, 2014 [Page 8]
Internet-Draft Encapsulating MPLS in UDP January 2014
Contact : IETF Chair <chair@ietf.org>.
Description : Encapsulate MPLS packets in UDP tunnels with DTLS.
Reference : This document -- draft-ietf-mpls-in-udp (MPLS WG
document).
Port Number : TBD2 -- To be assigned by IANA.
8. Contributors
Zhenbin Li
Huawei Technologies,
Beijing, China
Phone: +86-10-60613676
Email: lizhenbin@huawei.com
9. Acknowledgements
Thanks to Shane Amante, Dino Farinacci, Keshava A K, Ivan Pepelnjak,
Eric Rosen, Andrew G. Malis, Kireeti Kompella, Marshall Eubanks,
George Swallow, Loa Andersson, Ross Callon, Vivek Kumar, Stewart
Bryant, Wen Zhang, Curtis Villamizar, Joel M. Halpern, Scott Brim,
Alia Atlas, Alexander Vainshtein, Joel Jaeggli, Edward Crabbe, Lars
Eggert, Joe Touch, Lloyd Wood, Weiguo Hao, Mark Szczesniak,
Zhenxiao Liu and Xing Tong for their valuable comments and
suggestions on this document. Thanks to Daniel King, Gregory Mirsky
and Eric Osborne for their valuable MPLS-RT reviews on this
document. Special thanks to Adrian Farrel for his conscientious AD
review and insightful suggestion of using DTLS for securing the
MPLS-in-UDP tunnels. Thanks to Charlie Kaufman for his SecDir
review of this document. Thanks to Nevil Brownlee for the OPSDir
review of this document. Thanks to Roni Even for the Gen-ART review
of this document. Thanks to Pearl Liang for the IANA review of this
documents.
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
August 1980.
Xu, et al. Expires July 24, 2014 [Page 9]
Internet-Draft Encapsulating MPLS in UDP January 2014
[RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y.,
Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack
Encoding", RFC 3032, January 2001.
[RFC4023] Worster, T., Rekhter, Y., and E. Rosen, "Encapsulating
MPLS in IP or GRE", RFC4023, March 2005.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, January 2012.
10.2. Informative References
[RFC4817] M. Townsley, C. Pignataro, S. Wainner, T. Seely and J.
Young, "Encapsulation of MPLS over Layer 2 Tunneling
Protocol Version 3", RFC4817, March 2007.
[RFC5640] Filsfils, C., Mohapatra, P., and C. Pignataro, "Load-
Balancing for Mesh Softwires", RFC 5640, August 2009.
[RFC6935] Eubanks, M., Chimento, P., and M. Westerlund, "UDP
Checksums for Tunneled Packets", RFC6935, Feburary 2013.
[RFC6936] Fairhurst, G. and M. Westerlund, "Applicability Statement
for the use of IPv6 UDP Datagrams with Zero Checksums",
RFC6936, Feburary 2013.
[RFC5405] Eggert, L. and G. Fairhurst, "Unicast UDP Usage
Guidelines for Application Designers", RFC 5405, November
2008.
[RFC2474] Nichols, K., Blake, S., Baker, F. and D. Black,
"Definition of the Differentiated Services Field (DS
Field) in the IPv4 and IPv6 Headers", RFC2474, December
1998.
[RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label
for Equal Cost Multipath Routing and Link Aggregation
in Tunnels", RFC 6438, November 2011.
[RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The
Locator/ID Separation Protocol (LISP)", RFC 6830,
January 2013.
Xu, et al. Expires July 24, 2014 [Page 10]
Internet-Draft Encapsulating MPLS in UDP January 2014
Authors' Addresses
Xiaohu Xu
Huawei Technologies
Beijing, China
Phone: +86-10-60610041
Email: xuxiaohu@huawei.com
Nischal Sheth
Juniper Networks
1194 N. Mathilda Ave
Sunnyvale, CA 94089
Email: nsheth@juniper.net
Lucy Yong
Huawei USA
5340 Legacy Dr.
Plano TX75025
Phone: 469-277-5837
Email: Lucy.yong@huawei.com
Carlos Pignataro
Cisco Systems
7200-12 Kit Creek Road
Research Triangle Park, NC 27709
USA
Email: cpignata@cisco.com
Yongbing Fan
China Telecom
Guangzhou, China.
Phone: +86 20 38639121
Email: fanyb@gsta.com
