draft-ietf-tsvwg-udp-options-08.txt   draft-ietf-tsvwg-udp-options-09.txt 
TSVWG J. Touch TSVWG J. Touch
Internet Draft Independent consultant Internet Draft Independent consultant
Intended status: Standards Track September 12, 2019 Intended status: Standards Track November 25, 2020
Intended updates: 768 Intended updates: 768, 3095
Expires: March 2020 Expires: May 2021
Transport Options for UDP Transport Options for UDP
draft-ietf-tsvwg-udp-options-08.txt draft-ietf-tsvwg-udp-options-09.txt
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. This document may not be modified, provisions of BCP 78 and BCP 79. This document may not be modified,
and derivative works of it may not be created, except to format it and derivative works of it may not be created, except to format it
for publication as an RFC or to translate it into languages other for publication as an RFC or to translate it into languages other
than English. than English.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
skipping to change at page 1, line 35 skipping to change at page 1, line 35
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress." reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on March 12, 2020. This Internet-Draft will expire on May 25, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without Section 4.e of the Trust Legal Provisions and are provided without
skipping to change at page 2, line 21 skipping to change at page 2, line 21
Transport protocols are extended through the use of transport header Transport protocols are extended through the use of transport header
options. This document extends UDP by indicating the location, options. This document extends UDP by indicating the location,
syntax, and semantics for UDP transport layer options. syntax, and semantics for UDP transport layer options.
Table of Contents Table of Contents
1. Introduction...................................................3 1. Introduction...................................................3
2. Conventions used in this document..............................3 2. Conventions used in this document..............................3
3. Background.....................................................3 3. Background.....................................................3
4. The UDP Option Area............................................4 4. The UDP Option Area............................................4
5. UDP Options....................................................7 5. UDP Options....................................................8
5.1. End of Options List (EOL).................................9 5.1. End of Options List (EOL).................................9
5.2. No Operation (NOP).......................................10 5.2. No Operation (NOP).......................................10
5.3. Option Checksum (OCS)....................................10 5.3. Option Checksum (OCS)....................................10
5.4. Alternate Checksum (ACS).................................11 5.4. Alternate Checksum (ACS).................................12
5.5. Lite (LITE)..............................................12 5.5. Fragmentation (FRAG).....................................13
5.6. Maximum Segment Size (MSS)...............................14 5.6. Maximum Segment Size (MSS)...............................17
5.7. Fragmentation (FRAG).....................................15 5.7. Unsafe (UNSAFE)..........................................17
5.8. Coupling FRAG with LITE..................................17 5.8. Timestamps (TIME)........................................18
5.9. Timestamps (TIME)........................................18 5.9. Authentication and Encryption (AE).......................19
5.10. Authentication and Encryption (AE)......................19 5.10. Echo request (REQ) and echo response (RES)..............20
6. Echo request (REQ) and echo response (RES)....................20 5.11. Experimental (EXP)......................................21
6.1. Experimental (EXP).......................................20 6. Rules for designing new options...............................21
7. Rules for designing new options...............................21 7. Option inclusion and processing...............................22
8. Option inclusion and processing...............................22 8. UDP API Extensions............................................24
9. UDP API Extensions............................................24 9. Whose options are these?......................................25
10. Whose options are these?.....................................24 10. UDP options FRAG option vs. UDP-Lite.........................25
11. UDP options LITE option vs. UDP-Lite.........................25 11. Interactions with Legacy Devices.............................26
12. Interactions with Legacy Devices.............................26 12. Options in a Stateless, Unreliable Transport Protocol........27
13. Options in a Stateless, Unreliable Transport Protocol........26 13. UDP Option State Caching.....................................27
14. UDP Option State Caching.....................................27 14. Updates to RFC 768...........................................28
15. Updates to RFC 768...........................................27 15. Interactions with other RFCs (and drafts)....................28
16. Multicast Considerations.....................................27 16. Multicast Considerations.....................................29
17. Security Considerations......................................28 17. Security Considerations......................................30
18. IANA Considerations..........................................28 18. IANA Considerations..........................................31
19. References...................................................29 19. References...................................................31
19.1. Normative References....................................29 19.1. Normative References....................................31
19.2. Informative References..................................29 19.2. Informative References..................................32
20. Acknowledgments..............................................31 20. Acknowledgments..............................................34
Appendix A. Implementation Information...........................32 Appendix A. Implementation Information...........................35
1. Introduction 1. Introduction
Transport protocols use options as a way to extend their Transport protocols use options as a way to extend their
capabilities. TCP [RFC793], SCTP [RFC4960], and DCCP [RFC4340] capabilities. TCP [RFC793], SCTP [RFC4960], and DCCP [RFC4340]
include space for these options but UDP [RFC768] currently does not. include space for these options but UDP [RFC768] currently does not.
This document defines an extension to UDP that provides space for This document defines an extension to UDP that provides space for
transport options including their generic syntax and semantics for transport options including their generic syntax and semantics for
their use in UDP's stateless, unreliable message protocol. their use in UDP's stateless, unreliable message protocol.
skipping to change at page 3, line 30 skipping to change at page 3, line 30
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
In this document, the characters ">>" preceding an indented line(s) In this document, the characters ">>" preceding an indented line(s)
indicates a statement using the key words listed above. This indicates a statement using the key words listed above. This
convention aids reviewers in quickly identifying or finding the convention aids reviewers in quickly identifying or finding the
portions of this RFC covered by these key words. portions of this RFC covered by these key words.
3. Background 3. Background
Many protocols include a default header and an area for header Many protocols include a default, invariant header and an area for
options. These options enable the protocol to be extended for use in header options that varies from packet to packet. These options
particular environments or in ways unforeseen by the original enable the protocol to be extended for use in particular
designers. Examples include TCP's Maximum Segment Size, Window environments or in ways unforeseen by the original designers.
Scale, Timestamp, and Authentication Options Examples include TCP's Maximum Segment Size, Window Scale,
[RFC793][RFC5925][RFC7323]. Timestamp, and Authentication Options [RFC793][RFC5925][RFC7323].
These options are used both in stateful (connection-oriented, e.g., These options are used both in stateful (connection-oriented, e.g.,
TCP [RFC793], SCTP [RFC4960], DCCP [RFC4340]) and stateless TCP [RFC793], SCTP [RFC4960], DCCP [RFC4340]) and stateless
(connectionless, e.g., IPv4 [RFC791], IPv6 [RFC8200]) protocols. In (connectionless, e.g., IPv4 [RFC791], IPv6 [RFC8200]) protocols. In
stateful protocols they can help extend the way in which state is stateful protocols they can help extend the way in which state is
managed. In stateless protocols their effect is often limited to managed. In stateless protocols their effect is often limited to
individual packets, but they can have an aggregate effect on a individual packets, but they can have an aggregate effect on a
sequence as well. One example of such uses is Substrate Protocol for sequence of packets as well. This document is intended to provide an
User Datagrams (SPUD) [Tr16], and this document is intended to out-of-band option area as an alternative to the in-band mechanism
provide an out-of-band option area as an alternative to the in-band currently proposed [Hi15].
mechanism currently proposed [Hi15].
UDP is one of the most popular protocols that lacks space for UDP is one of the most popular protocols that lacks space for
options [RFC768]. The UDP header was intended to be a minimal options [RFC768]. The UDP header was intended to be a minimal
addition to IP, providing only ports and a data checksum for addition to IP, providing only ports and a data checksum for
protection. This document extends UDP to provide a trailer area for protection. This document extends UDP to provide a trailer area for
options located after the UDP data payload. options located after the UDP data payload.
4. The UDP Option Area 4. The UDP Option Area
The UDP transport header includes demultiplexing and service The UDP transport header includes demultiplexing and service
identification (port numbers), a checksum, and a field that identification (port numbers), a checksum, and a field that
indicates the UDP datagram length (including UDP header). The UDP indicates the UDP datagram length (including UDP header). The UDP
Length field is typically redundant with the size of the maximum Length field is typically redundant with the size of the maximum
space available as a transport protocol payload (see also discussion space available as a transport protocol payload (see also discussion
in Section 12). in Section 11).
For IPv4, IP Total Length field indicates the total IP datagram For IPv4, IP Total Length field indicates the total IP datagram
length (including IP header), and the size of the IP options is length (including IP header), and the size of the IP options is
indicated in the IP header (in 4-byte words) as the "Internet Header indicated in the IP header (in 4-byte words) as the "Internet Header
Length" (IHL), as shown in Figure 1 [RFC791]. As a result, the Length" (IHL), as shown in Figure 1 [RFC791]. As a result, the
typical (and largest valid) value for UDP Length is: typical (and largest valid) value for UDP Length is:
UDP_Length = IPv4_Total_Length - IPv4_IHL * 4 UDP_Length = IPv4_Total_Length - IPv4_IHL * 4
For IPv6, the IP Payload Length field indicates the datagram after For IPv6, the IP Payload Length field indicates the datagram after
skipping to change at page 6, line 18 skipping to change at page 6, line 18
| IP Hdr | UDP Hdr | UDP user data | surplus area | | IP Hdr | UDP Hdr | UDP user data | surplus area |
+--------+---------+----------------------+------------------+ +--------+---------+----------------------+------------------+
<------------------------------> <------------------------------>
UDP Length UDP Length
Figure 3 IP transport payload vs. UDP Length Figure 3 IP transport payload vs. UDP Length
In most cases, the IP transport payload and UDP Length point to the In most cases, the IP transport payload and UDP Length point to the
same location, indicating that there is no surplus area. It is same location, indicating that there is no surplus area. It is
important to note that this is not a requirement of UDP [RFC768] important to note that this is not a requirement of UDP [RFC768]
(discussed further in Section 12). UDP-Lite used the difference in (discussed further in Section 11). UDP-Lite used the difference in
these pointers to indicate the partial coverage of the UDP Checksum, these pointers to indicate the partial coverage of the UDP Checksum,
such that the UDP user data, UDP header, and UDP pseudoheader (a such that the UDP user data, UDP header, and UDP pseudoheader (a
subset of the IP header) are covered by the UDP checksum but subset of the IP header) are covered by the UDP checksum but
additional user data in the surplus area is not covered [RFC3828]. additional user data in the surplus area is not covered [RFC3828].
This document uses the surplus area for UDP transport options. This document uses the surplus area for UDP transport options.
The UDP option area is thus defined as the location between the end The UDP option area is thus defined as the location between the end
of the UDP payload and the end of the IP datagram as a trailing of the UDP payload and the end of the IP datagram as a trailing
options area. This area can occur at any valid byte offset, i.e., it options area. This area can occur at any valid byte offset, i.e., it
need not be 16-bit or 32-bit aligned. In effect, this document need not be 16-bit or 32-bit aligned. In effect, this document
redefines the UDP "Length" field as a "trailer offset". redefines the UDP "Length" field as a "trailer offset".
UDP options are defined using a TLV (type, length, and optional UDP options are defined using a TLV (type, length, and optional
value) syntax similar to that of TCP [RFC793]. They are typically a value) syntax similar to that of TCP [RFC793]. They are typically a
minimum of two bytes in length as shown in Figure 4, excepting only minimum of two bytes in length as shown in Figure 4, excepting only
the one byte options "No Operation" (NOP) and "End of Options List" the one byte options "No Operation" (NOP) and "End of Options List"
(EOL) described below. (EOL) described below.
+--------+--------+ +--------+--------+-------
| Kind | Length | | Kind | Length | (remainder of option...)
+--------+--------+ +--------+--------+-------
Figure 4 UDP option default format Figure 4 UDP option default format
The Kind field is always one byte. The Length field is one byte for The Kind field is always one byte. The Length field is one byte for
all lengths below 255 (including the Kind and Length bytes). A all lengths below 255 (including the Kind and Length bytes). A
Length of 255 indicates use of the UDP option extended format shown Length of 255 indicates use of the UDP option extended format shown
in Figure 5. The Extended Length field is a 16-bit field in network in Figure 5. The Extended Length field is a 16-bit field in network
standard byte order. standard byte order.
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Kind | 255 | Extended Length | | Kind | 255 | Extended Length |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| (remainder of option...)
+--------+--------+--------+--------+
Figure 5 UDP option extended default format Figure 5 UDP option extended default format
>> UDP options MAY begin at any UDP length offset. >> UDP options MAY begin at any UDP length offset.
>> The UDP length MUST be at least as large as the UDP header (8) >> The UDP length MUST be at least as large as the UDP header (8)
and no larger than the IP transport payload. Values outside this and no larger than the IP transport payload. Datagrams with length
range MUST be silently discarded as invalid and logged where rate- values outside this range MUST be silently dropped as invalid and
limiting permits. logged where rate-limiting permits.
>> Option Lengths (or Extended Lengths, where applicable) smaller >> Option Lengths (or Extended Lengths, where applicable) smaller
than the minimum for the corresponding Kind and default format MUST than the minimum for the corresponding Kind and default format MUST
be treated as an error. be treated as an error. Such errors call into question the remainder
of the option area and thus MUST result in all UDP options being
silently discarded.
>> Any UDP option whose length is only smaller than 255 MUST always
use the UDP option default format shown in Figure 4, excepting only
EOL and NOP.
>> Any UDP option whose length can be larger than 254 MUST always
use the UDP option extended default format shown in Figure 5,
including UNSAFE and EXP.
I.e., a UDP option always uses only the default format or the
extended default format, depending on whether its length is only
ever smaller than 255 or not.
Others have considered using values of the UDP Length that is larger Others have considered using values of the UDP Length that is larger
than the IP transport payload as an additional type of signal. Using than the IP transport payload as an additional type of signal. Using
a value smaller than the IP transport payload is expected to be a value smaller than the IP transport payload is expected to be
backward compatible with existing UDP implementations, i.e., to backward compatible with existing UDP implementations, i.e., to
deliver the UDP Length of user data to the application and silently deliver the UDP Length of user data to the application and silently
ignore the additional surplus area data. Using a value larger than ignore the additional surplus area data. Using a value larger than
the IP transport payload would either be considered malformed (and the IP transport payload would either be considered malformed (and
be silently dropped) or could cause buffer overruns, and so is not be silently dropped) or could cause buffer overruns, and so is not
considered silently and safely backward compatible. Its use is thus considered silently and safely backward compatible. Its use is thus
skipping to change at page 8, line 11 skipping to change at page 8, line 15
5. UDP Options 5. UDP Options
The following UDP options are currently defined: The following UDP options are currently defined:
Kind Length Meaning Kind Length Meaning
---------------------------------------------- ----------------------------------------------
0* - End of Options List (EOL) 0* - End of Options List (EOL)
1* - No operation (NOP) 1* - No operation (NOP)
2* 3 Option checksum (OCS) 2* 3 Option checksum (OCS)
3* 6 Alternate checksum (ACS) 3* 6 Alternate checksum (ACS)
4* 4 Lite (LITE) 4* 10/12 Fragmentation (FRAG)
5* 4 Maximum segment size (MSS) 5* 4 Maximum segment size (MSS)
6* 8/10 Fragmentation (FRAG) 6* (varies) Unsafe to ignore (UNSAFE) options
7 10 Timestamps (TIME) 7 10 Timestamps (TIME)
8 (varies) Authentication and Encryption (AE) 8 (varies) Authentication and Encryption (AE)
9 6 Request (REQ) 9 6 Request (REQ)
10 6 Response (RES) 10 6 Response (RES)
11-126 (varies) UNASSIGNED (assignable by IANA) 11-126 (varies) UNASSIGNED (assignable by IANA)
127-253 RESERVED 127-253 RESERVED
254 N(>=4) RFC 3692-style experiments (EXP) 254 (varies) RFC 3692-style experiments (EXP)
255 Reserved 255 RESERVED
These options are defined in the following subsections. Options 0 These options are defined in the following subsections. Options 0
and 1 use the same values as for TCP. and 1 use the same values as for TCP.
>> An endpoint supporting UDP options MUST support those marked with >> An endpoint supporting UDP options MUST support those marked with
a "*" above: EOL, NOP, OCS, ACS, LITE, FRAG, and MSS. This includes a "*" above: EOL, NOP, OCS, ACS, FRAG, MSS, and UNSAFE. This
both recognizing and being able to generate these options if includes both recognizing and being able to generate these options
configured to do so. if configured to do so. These are called "must-support" options.
>> All other options (without a "*") MAY be implemented, and their >> All other options (without a "*") MAY be implemented, and their
use SHOULD be determined either out-of-band or negotiated. use SHOULD be determined either out-of-band or negotiated.
>> Receivers MUST silently ignore unknown options. That includes >> Receivers supporting UDP options MUST silently ignore unknown
options whose length does not indicate the specified value. options except UNSAFE. That includes options whose length does not
indicate the specified value(s).
>> Receivers supporting UDP options MUST silently drop the entire
datagram containing an UNSAFE option when any UNSAFE option it
contains is unknown. See Section 5.7 for further discussion of
UNSAFE options.
>> Except for NOP, each option SHOULD NOT occur more than once in a >> Except for NOP, each option SHOULD NOT occur more than once in a
single UDP datagram. If a non-NOP option occurs more than once, a single UDP datagram. If an option other than NOP occurs more than
receiver MUST interpret only the first instance of that option and once, a receiver MUST interpret only the first instance of that
MUST ignore all others. option and MUST ignore all others.
>> Only the OCS and AE options depend on the contents of the option >> Only the OCS and AE options depend on the contents of the option
area. AE is always computed as if the AE hash and OCS checksum are area. AE is always computed as if the AE hash and OCS checksum are
zero; OCS is always computed as if the OCS checksum is zero and zero; OCS is always computed as if the OCS checksum is zero and
after the AE hash has been computed. Future options MUST NOT be after the AE hash has been computed. Future options MUST NOT be
defined as having a value dependent on the contents of the option defined as having a value dependent on the contents of the option
area. Otherwise, interactions between those values, OCS, and AE area. Otherwise, interactions between those values, OCS, and AE
could be unpredictable. could be unpredictable.
Receivers cannot treat unexpected option lengths as invalid, as this Receivers cannot treat unexpected option lengths as invalid, as this
skipping to change at page 9, line 23 skipping to change at page 9, line 31
>> Options with fixed lengths MUST use the default option format. >> Options with fixed lengths MUST use the default option format.
>> Options with variable lengths MUST use the default option format >> Options with variable lengths MUST use the default option format
where their total length is 254 bytes or less. where their total length is 254 bytes or less.
>> Options using the extended option format MUST indicate extended >> Options using the extended option format MUST indicate extended
lengths of 255 or higher; smaller extended length values MUST be lengths of 255 or higher; smaller extended length values MUST be
treated as an error. treated as an error.
>> Required options MUST come before other options. Each required >> "Must-support" options other than NOP and EOL MUST come before
option MUST NOT occur more than once (if they are repeated in a other options.
received segment, all except the first MUST be silently ignored).
The requirement that required options come before others is intended The requirement that must-support options come before others is
to allow for endpoints to implement DOS protection, as discussed intended to allow for endpoints to implement DOS protection, as
further in Section 17. discussed further in Section 17.
5.1. End of Options List (EOL) 5.1. End of Options List (EOL)
The End of Options List (EOL) option indicates that there are no The End of Options List (EOL) option indicates that there are no
more options. It is used to indicate the end of the list of options more options. It is used to indicate the end of the list of options
without needing to pad the options to fill all available option without needing to pad the options to fill all available option
space. space.
+--------+ +--------+
| Kind=0 | | Kind=0 |
+--------+ +--------+
Figure 6 UDP EOL option format Figure 6 UDP EOL option format
>> When the UDP options do not consume the entire option area, the >> When the UDP options do not consume the entire option area, the
last non-NOP option MUST be EOL. last non-NOP option MUST be EOL.
>> All bytes in the surplus area after EOL MUST be zero. >> All bytes in the surplus area after EOL MUST be zero. If these
bytes are non-zero, the entire surplus area MUST be silently ignored
and only the UDP data passed to the user with an adjusted UDP length
to indicate that no options were present.
Requiring the post-option surplus area to be zero prevents side- Requiring the post-option surplus area to be zero prevents side-
channel uses of this area, requiring instead that all use of the channel uses of this area, requiring instead that all use of the
surplus area be UDP options supported by both endpoints. It is surplus area be UDP options supported by both endpoints. It is
useful to allow for such padding to increase the packet length useful to allow for such padding to increase the packet length
without affecting the payload length, e.g., for UDP PLPMTUD [Fa19]. without affecting the payload length, e.g., for UDP DPLPMTUD [Fa20].
5.2. No Operation (NOP) 5.2. No Operation (NOP)
The No Operation (NOP) option is a one byte placeholder, intended to The No Operation (NOP) option is a one byte placeholder, intended to
be used as padding, e.g., to align multi-byte options along 16-bit be used as padding, e.g., to align multi-byte options along 16-bit
or 32-bit boundaries. or 32-bit boundaries.
+--------+ +--------+
| Kind=1 | | Kind=1 |
+--------+ +--------+
skipping to change at page 10, line 35 skipping to change at page 10, line 47
[NOTE: Tom Herbert suggested we declare "more than 3 consecutive [NOTE: Tom Herbert suggested we declare "more than 3 consecutive
NOPs" a fatal error to reduce the potential of using NOPs as a DOS NOPs" a fatal error to reduce the potential of using NOPs as a DOS
attack, but IMO there are other equivalent ways (e.g., using attack, but IMO there are other equivalent ways (e.g., using
RESERVED or other UNASSIGNED values) and the "no more than 3" RESERVED or other UNASSIGNED values) and the "no more than 3"
creates its own DOS vulnerability) creates its own DOS vulnerability)
5.3. Option Checksum (OCS) 5.3. Option Checksum (OCS)
The Option Checksum (OCS) option is conventional Internet checksum The Option Checksum (OCS) option is conventional Internet checksum
[RFC791] that covers all of the surplus area. The primary purpose of [RFC791] that covers all of the surplus area and a pseudoheader
OCS is to detect non-standard (i.e., non-option) uses of that area. composed of the 16-bit length of the surplus area (Figure 8). The
primary purpose of OCS is to detect non-standard (i.e., non-option)
uses of that area. The surplus area pseudoheader is included to
enable traversal of errant middleboxes that incorrectly compute the
UDP checksum over the entire IP payload rather than only the UDP
payload [Fa18].
OCS is calculated by computing the Internet checksum over the The OCS is calculated by computing the Internet checksum over the
surplus area. OCS protects the option area from errors in a similar surplus area and surplus length pseudoheader. The OCS protects the
way that the UDP checksum protects the UDP user data (when not option area from errors in a similar way that the UDP checksum
zero). protects the UDP user data (when not zero).
+--------+--------+
| surplus length |
+--------+--------+
Figure 8 UDP surplus length pseudoheader
+--------+--------+--------+ +--------+--------+--------+
| Kind=2 | checksum | | Kind=2 | checksum |
+--------+--------+--------+ +--------+--------+--------+
Figure 8 UDP OCS option format Figure 9 UDP OCS option format
>> OCS is REQUIRED when the UDP checksum is nonzero and UDP options >> The OCS MUST be included when the UDP checksum is nonzero and UDP
are present. options are present.
>> When present, OCS SHOULD occur as early as possible, preceded by >> When present, the OCS SHOULD occur as early as possible, preceded
only NOP options for alignment and the LITE option if present. by only NOP options for alignment and the FRAG option if present.
>> OCS MUST be half-word coordinated with the start of the UDP >> OCS MUST be half-word coordinated with the start of the UDP
options area. options area and include the surplus length pseudoheader similarly
coordinated with the start of UDP Header.
This coordination is accomplished by computing the Internet checksum This Internet checksum is computed over the surplus area (including
over the surplus area (including EOL, if present) and then adjusting EOL, if present) prefixed by the surplus length pseudoheader (Figure
the result before storing it into the OCS checksum field. If that 8) and then adjusting the result before storing it into the OCS
field is aligned to the start of the options area, then the checksum checksum field. If the OCS checksum field is aligned to the start of
is inserted as-is, otherwise the checksum bytes are swapped before the options area, then the checksum is inserted as-is, otherwise the
inserting them into the field. checksum bytes are swapped before inserting them into the field. The
effect of this "coordination" is the same is if the checksum were
computed as if the surplus area and pseudoheader were aligned to the
UDP header.
The adjustment above helps enable that OCS, together with the other This feature is intended to potentially help the UDP options
options, result in an overall zero ones-complement sum. This feature traverse devices that incorrectly attempt to checksum the surplus
is intended to potentially help the UDP options traverse devices area (as originally proposed as the Checksum Compensation Option,
that incorrectly attempt to checksum the surplus area (as originally i.e., CCO [Fa18]).
proposed as the Checksum Compensation Option, i.e., CCO [Fa18]).
Note that this incorrect checksum traversal feature is defeated by
the use of LITE, whether alone or with FRAG, because the LITE area
is deliberately not covered by OCS. It also is defeated by the use
of a zero UDP checksum (i.e., UDP checksum disabled).
OCS covers the UDP option area, including the Lite option (but not The OCS covers the UDP option area as formatted for transmission and
LITE data area) as formatted before swapping (or relocation) for immediately upon reception.
transmission (or, equivalently, after the swap/relocation after
reception), as the LITE option would occur at the beginning of the
original (prior to rearrangement for transmission) or restored
(after rearrangement upon reception) UDP option area.
>> If OCS fails, all options MUST be ignored and any trailing >> If the OCS fails, all options MUST be ignored and the surplus
surplus data (and Lite data, if used) silently discarded. area silently discarded.
>> UDP data that is validated by a correct UDP checksum MUST be >> UDP data that is validated by a correct UDP checksum MUST be
delivered to the application layer, even if OCS fails, unless the delivered to the application layer, even if the OCS fails, unless
endpoints have negotiated otherwise for this segment's socket pair. the endpoints have negotiated otherwise for this segment's socket
pair.
As a reminder, use of the UDP checksum is optional when the UDP As a reminder, use of the UDP checksum is optional when the UDP
checksum is zero. When not used, OCS is assumed to be "correct" for checksum is zero. When not used, the OCS is assumed to be "correct"
the purpose of accepting UDP packets at a receiver (see Section 8). for the purpose of accepting UDP packets at a receiver (see Section
7).
OCS is intended to check for accidental errors, not for attacks. The OCS is intended to check for accidental errors, not for attacks.
5.4. Alternate Checksum (ACS) 5.4. Alternate Checksum (ACS)
The Alternate Checksum (ACS) option provides a stronger alternative The Alternate Checksum (ACS) option provides a stronger alternative
to the checksum in the UDP header, using a 32-bit CRC of the to the checksum in the UDP header, using a 32-bit CRC of the
conventional UDP payload only (excluding the IP pseudoheader, UDP conventional UDP payload only (excluding the IP pseudoheader, UDP
header, and UDP options, and not include the LITE area). Because it header, and surplus area). It is an "alternate" to the UDP checksum
does not include the IP pseudoheader or UDP header, it need not be (covering the UDP payload) - not the OCS (the latter covers the
updated by NATs when IP addresses or UDP ports are rewritten. Its surplus area) Unlike the UDP checksum, ACS does not include the IP
purpose is to detect errors that the UDP checksum, when used, might pseudoheader or UDP header, thus it does not need to be updated by
NATs when IP addresses or UDP ports are rewritten. Its purpose is to
detect UDP payload errors that the UDP checksum, when used, might
not detect. not detect.
CRC32c has been chosen because of its ubiquity and use in other A CRC32c has been chosen because of its ubiquity and use in other
Internet protocols, including iSCSI and SCTP. The option contains Internet protocols, including iSCSI and SCTP. The option contains
CRC32c in network standard byte order, as described in [RFC3385]. the CRC32c in network standard byte order, as described in
[RFC3385].
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Kind=3 | Len=6 | CRC32c... | | Kind=3 | Len=6 | CRC32c... |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| CRC32c (cont.) | | CRC32c (cont.) |
+--------+--------+ +--------+--------+
Figure 9 UDP ACS option format Figure 10 UDP ACS option format
When present, the ACS always contains a valid CRC checksum. There When present, the ACS always contains a valid CRC checksum. There
are no reserved values, including the value of zero. If the CRC is are no reserved values, including the value of zero. If the CRC is
zero, this must indicate a valid checksum (i.e., it does not zero, this must indicate a valid checksum (i.e., it does not
indicate that the ACS is not used; instead, the option would simply indicate that the ACS is not used; instead, the option would simply
not be included if that were the desired effect). not be included if that were the desired effect).
ACS does not protect the UDP pseudoheader; only the current UDP ACS does not protect the UDP pseudoheader; only the current UDP
checksum provides that protection (when used). ACS cannot provide checksum provides that protection (when used). ACS cannot provide
that protection because it would need to be updated whenever the UDP that protection because it would need to be updated whenever the UDP
pseudoheader changed, e.g., during NAT address and port translation; pseudoheader changed, e.g., during NAT address and port translation;
because this is not the case, ACS does not cover the pseudoheader. because this is not the case, ACS does not cover the pseudoheader.
5.5. Lite (LITE) >> Packets with incorrect ACS checksums MUST be passed to the
application by default, e.g., with a flag indicating ACS failure.
The Lite option (LITE) is intended to provide equivalent capability
to the UDP Lite transport protocol [RFC3828]. UDP Lite allows the
UDP checksum to cover only a prefix of the UDP data payload, to
protect critical information (e.g., application headers) but allow
potentially erroneous data to be passed to the user. This feature
helps protect application headers but allows for application data
errors. Some applications are impacted more by a lack of data than
errors in data, e.g., voice and video.
>> When LITE is active, it MUST come first in the UDP options list.
LITE is intended to support the same API as for UDP Lite to allow
applications to send and receive data that has a marker indicating
the portion protected by the UDP checksum and the portion not
protected by the UDP checksum.
LITE includes a 2-byte offset that indicates the length of the
portion of the UDP data that is not covered by the UDP checksum.
+--------+--------+--------+--------+
| Kind=4 | Len=4 | Offset |
+--------+--------+--------+--------+
Figure 10 UDP LITE option format
At the sender, the option is formed using the following steps:
1. Create a LITE option, ordered as the first UDP option (Figure
11).
2. Calculate the location of the start of the options as an absolute
offset from the start of the UDP header and place that length in
the last two bytes of the LITE option.
3. If the LITE data area is 4 bytes or longer, swap all four bytes
of the LITE option with the first 4 bytes of the LITE data area
(Figure 12). If the LITE data area is 0-3 bytes long, slide the
LITE option to the front of the LITE data area (i.e., placing the
0-3 bytes of LITE data after the LITE option).
+---------+--------------+--------------+------------------+
| UDP Hdr | user data | LITE data |LITE| other opts |
+---------+--------------+--------------+------------------+
<---------------------->
UDP Length
Figure 11 LITE option formation - LITE goes first
+---------+--------------+--------------+------------------+
| UDP Hdr | user data | LITE data |LITE| other opts |
+---------+--------------+--------------+------------------+
^^^^ ^^^^
| |
+--------------+
Figure 12 Before sending swap LITE option and front of LITE data
The resulting packet has the format shown in Figure 13. Note that
the UDP length now points to the LITE option, and the LITE option
points to the start of the option area.
+---------+--------------+----------------+------------------+
| UDP Hdr | user data |LITE| LITE data |Ldat| other opts |
+---------+--------------+----------------+------------------+
<----------------------> | ^
UDP Length +-------------+
Figure 13 Lite option as sent
A legacy endpoint receiving this packet will discard the LITE option
and everything that follows, including the lite data and remainder
of the UDP options. The UDP checksum will protect only the user
data, not the LITE option or lite data.
Receiving endpoints capable of processing UDP options will do the
following:
1. Process options as usual. This will start at the LITE option.
2. When the LITE option is encountered, record its location as the
start of the LITE data area and (if the LITE offset indicates a
LITE data length of at least 4 bytes) swap the four bytes there
with the four bytes at the location indicated inside the LITE
option, which indicates the start of all of the options,
including the LITE one (one past the end of the lite data area).
If the LITE offset indicates a LITE data area of 0-3 bytes, then
slide the LITE option forward that amount and slide the
corresponding bytes after the LITE option to where the LITE
option originally began. In either case, this restores the format
of the option as it was prior to being sent, as per Figure 11.
3. Continue processing the remainder of the options, which are now
in the format shown in Figure 12.
The purpose of this swap (or slide) is to support the equivalent of
UDP Lite operation together with other UDP options without requiring
the entire LITE data area to be moved after the UDP option area.
5.6. Maximum Segment Size (MSS)
The Maximum Segment Size (MSS, Kind = 3) option is a 16-bit
indicator of the largest UDP segment that can be received. As with
the TCP MSS option [RFC793], the size indicated is the IP layer MTU
decreased by the fixed IP and UDP headers only [RFC6691]. The space
needed for IP and UDP options need to be adjusted by the sender when
using the value indicated. The value transmitted is based on EMTU_R,
the largest IP datagram that can be received (i.e., reassembled at
the receiver) [RFC1122].
+--------+--------+--------+--------+
| Kind=5 | Len=4 | MSS size |
+--------+--------+--------+--------+
Figure 14 UDP MSS option format Like all non-UNSAFE UDP options, ACS need to be silently ignored
when failing. Although all UDP option-aware endpoints support ACS
(being in the required set), this silently-ignored behavior ensures
that option-aware receivers operate the same as legacy receivers
unless overridden.
The UDP MSS option MAY be used for path MTU discovery 5.5. Fragmentation (FRAG)
[RFC1191][RFC8201], but this may be difficult because of known
issues with ICMP blocking [RFC2923] as well as UDP lacking automatic
retransmission. It is more likely to be useful when coupled with IP
source fragmentation to limit the largest reassembled UDP message,
e.g., when EMTU_R is larger than the required minimums (576 for IPv4
[RFC791] and 1500 for IPv6 [RFC8200]).
5.7. Fragmentation (FRAG) The Fragmentation option (FRAG) combines properties of IP
fragmentation and the UDP Lite transport protocol [RFC3828]. FRAG
provides transport-layer fragmentation and reassembly in which each
fragment includes a copy of the same UDP transport ports, enabling
the fragments to traverse Network Address (and port) Translation
(NAT) devices, in contrast to the behavior of IP fragments. FRAG
also allows the UDP checksum to cover only a prefix of the UDP data
payload, to avoid repeated checksums of data prior to reassembly.
The Fragmentation (FRAG) option supports UDP fragmentation and The Fragmentation (FRAG) option supports UDP fragmentation and
reassembly, which can be used to transfer UDP messages larger than reassembly, which can be used to transfer UDP messages larger than
limited by the IP receive MTU (EMTU_R [RFC1122]). It is typically limited by the IP receive MTU (EMTU_R [RFC1122]). It is typically
used with the UDP MSS option to enable more efficient use of large used with the UDP MSS option to enable more efficient use of large
messages, both at the UDP and IP layers. FRAG is designed similar to messages, both at the UDP and IP layers. FRAG is designed similar to
the IPv6 Fragmentation Header [RFC8200], except that the UDP variant the IPv6 Fragmentation Header [RFC8200], except that the UDP variant
uses a 16-bit Offset measured in bytes, rather than IPv6's 13-bit uses a 16-bit Offset measured in bytes, rather than IPv6's 13-bit
Fragment Offset measured in 8-byte units. This UDP variant avoids Fragment Offset measured in 8-byte units. This UDP variant avoids
creating reserved fields. creating reserved fields.
>> When FRAG is present, it MUST come first in the UDP options list.
>> When FRAG is present, the UDP payload MUST be empty. If the
payload is not empty, all UDP options MUST be silently ignored and
the payload received to the user.
Legacy receivers interpret FRAG messages as zero-length payload
packets (i.e., UDP Length field is 8, the length of just the UDP
header), which would not affect the receiver unless the presence of
the packet itself were a signal.
The FRAG option has two formats; non-terminal fragments use the
shorter variant (Figure 11) and terminal fragments use the longer
(Figure 12). The latter includes stand-alone fragments, i.e., when
data is contained in the FRAG option but reassembly is not required.
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Kind=6 | Len=8 | Frag. Offset | | Kind=4 | Len=10 | Offset |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Identification | | Identification |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Frag. Offset |
+--------+--------+
Figure 15 UDP non-terminal FRAG option format Figure 11 UDP non-terminal FRAG option format
The FRAG option also lacks a "more" bit, zeroed for the terminal The FRAG option does not need a "more fragments" bit because it
fragment of a set. This is possible because the terminal FRAG option provides the same indication by using the longer, 12-byte variant,
is indicated as a longer, 10-byte variant, which includes an which also includes an Internet checksum over the entire reassembled
Internet checksum over the entire reassembled UDP payload (omitting UDP payload (omitting the IP pseudoheader and UDP header, as well as
the IP pseudoheader and UDP header, as well as UDP options), as UDP options), as shown in Figure 12.
shown in Figure 16.
>> The FRAG option MAY be used on a single fragment, in which case
the Offset would be zero and the option would have the 12-byte
format, including the reassembly checksum.
Use of the single fragment variant can be helpful in supporting use
of UNSAFE options without undesirable impact to receivers that do
not support either UDP options or the specific UNSAFE options.
>> The reassembly checksum SHOULD be used, but MAY be unused in the >> The reassembly checksum SHOULD be used, but MAY be unused in the
same situations when the UDP checksum is unused (e.g., for transit same situations when the UDP checksum is unused (e.g., for transit
tunnels or applications that have their own integrity checks tunnels or applications that have their own integrity checks
[RFC8200]), and by the same mechanism (set the field to 0x0000). [RFC8200]), and by the same mechanism (set the field to 0x0000).
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Kind=6 | Len=10 | Frag. Offset | | Kind=4 | Len=12 | Offset |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Identification | | Identification |
+--------+--------+--------+--------+
| Frag. Offset | Reassy. Checksum|
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Checksum |
+--------+--------+
Figure 16 UDP terminal FRAG option format Figure 12 UDP terminal FRAG option format
>> During fragmentation, the UDP header checksum of each fragment >> During fragmentation, the UDP header checksum of each fragment
needs to be recomputed based on each datagram's pseudoheader. needs to be recomputed based on each datagram's pseudoheader.
Unlike the UDP checksum, the reassembly checksum does not need to be
updated if the UDP header changes because it covers only the
reassembled data. FRAG uses a comparatively weak checksum upon
reassembly because the fragments are already checked individually.
>> After reassembly is complete and validated using the checksum of >> After reassembly is complete and validated using the checksum of
the terminal FRAG option, the UDP header checksum of the resulting the terminal FRAG option, the UDP header checksum of the resulting
datagram needs to be recomputed based on the datagram's datagram needs to be recomputed based on the datagram's
pseudoheader. pseudoheader.
The Fragment Offset is 16 bits and indicates the location of the UDP The Fragment Offset is 16 bits and indicates the location of the UDP
payload fragment in bytes from the beginning of the original payload fragment in bytes from the beginning of the original
unfragmented payload. The Len field indicates whether there are more unfragmented payload. The Len field indicates whether there are more
fragments (Len=8) or no more fragments (Len=12). fragments (Len=10) or no more fragments (Len=12).
>> The Identification field is a 32-bit value that MUST be unique >> The Identification field is a 32-bit value that MUST be unique
over the expected fragment reassembly timeout. over the expected fragment reassembly timeout.
>> The Identification field SHOULD be generated in a manner similar >> The Identification field SHOULD be generated in a manner similar
to that of the IPv6 Fragment ID [RFC8200]. to that of the IPv6 Fragment ID [RFC8200].
>> UDP fragments MUST NOT overlap. >> UDP fragments MUST NOT overlap.
FRAG needs to be used with extreme care because it will present
incorrect datagram boundaries to a legacy receiver, unless encoded
as LITE data (see Section 5.8).
>> A host SHOULD indicate FRAG support by transmitting an
unfragmented datagram using the Fragmentation option (e.g., with
Offset zero and length 12, i.e., including the checksum area),
except when encoded as LITE.
>> A host MUST NOT transmit a UDP fragment before receiving recent
confirmation from the remote host, except when FRAG is encoded as
LITE.
UDP fragmentation relies on a fragment expiration timer, which can UDP fragmentation relies on a fragment expiration timer, which can
be preset or could use a value computed using the UDP Timestamp be preset or could use a value computed using the UDP Timestamp
option. option.
>> The default UDP reassembly SHOULD be no more than 2 minutes. >> The default UDP reassembly SHOULD be no more than 2 minutes.
Implementers are advised to limit the space available for UDP Implementers are advised to limit the space available for UDP
reassembly. reassembly.
>> UDP reassembly space SHOULD be limited to reduce the impact of >> UDP reassembly space SHOULD be limited to reduce the impact of
DOS attacks on resource use. DOS attacks on resource use.
>> UDP reassembly space limits SHOULD NOT be implemented as an >> UDP reassembly space limits SHOULD NOT be implemented as an
aggregate, to avoid cross-socketpair DOS attacks. aggregate, to avoid cross-socketpair DOS attacks.
>> Individual UDP fragments MUST NOT be forwarded to the user. The >> Individual UDP fragments MUST NOT be forwarded to the user. The
reassembled datagram is received only after complete reassembly, reassembled datagram is received only after complete reassembly,
checksum validation, and continued processing of the remaining checksum validation, and continued processing of the remaining UDP
options. options.
Any additional UDP options would follow the FRAG option in the final Any additional UDP options, if used, follow the FRAG option in the
fragment, and would be included in the reassembled packet. final fragment and would be included in the reassembled packet.
Processing of those options would commence after reassembly. Processing of those options would commence after reassembly. This is
especially important for UNSAFE options, which are interpreted only
after FRAG.
>> UDP options MUST NOT follow the FRAG header in non-terminal >> UDP options MUST NOT follow the FRAG header in non-terminal
fragments. Any data following the FRAG header in non-terminal fragments. Any data following the FRAG header in non-terminal
fragments MUST be silently dropped. All other options that apply to fragments MUST be silently dropped. All other options that apply to
a reassembled packet MUST follow the FRAG header in the terminal a reassembled packet MUST follow the FRAG header in the terminal
fragment. fragment.
5.8. Coupling FRAG with LITE In general, UDP packets are fragmented as follows:
FRAG can be coupled with LITE to avoid impacting legacy receivers. 1. Create a datagram with data and any non-FRAG UDP options, which
Each fragment is sent as LITE un-checksummed data, where each UDP we will call "D". Note that the options apply to the entire data
packet contains no legacy-compatible data. Legacy receivers area and must follow the data. These options are processed before
interpret these as zero-length payload packets (i.e., UDP Length the rest of the fragmentation steps below.
field is 8, the length of just the UDP header), which would not
affect the receiver unless the presence of the packet itself were a
signal. The header of such a packet would appear as shown in Figure
17 and Figure 18.
+---------+--------------+---------+ 2. Identify the desired fragment size, which we will call "S". This
| UDP Hdr | LiteFrag |LITE|FRAG| value should take into account the path MTU (if known) and allow
+---------+--------------+----+----+ space for per-fragment options (e.g., OCS).
<-------> ^^^^ ^^^^
UDP Length=8 | |
+--------------+
Figure 17 Preparing FRAG as Lite data 3. Fragment "D" into chunks of size no larger than "S"-10 each, with
one final chunk no larger than "S"-12. Note that all the non-FRAG
options in step #1 MUST appear in the terminal fragment.
+---------+--------------+----+ 4. For each chunk of "D" in step #3, create a zero-data UDP packet
| UDP Hdr |LITE|LiteFrag |FRAG| followed by the per-fragment options, with the final option being
+---------+--------------+----+ the FRAG option followed by the FRAG data chunk.
<-------> | ^
UDP Length=8 | |
+-------------+
Figure 18 Lite option before transmission The last chunk includes the non-FRAG options noted in step #1
after the end of the FRAG data. These UDP options apply to the
reassembled data as a whole when received.
When a packet is reassembled, it appears as a complete LITE data 5. Process the UDP options of each fragment, e.g., computing its
region. The UDP header of the reassembled packet is adjusted OCS.
accordingly, so that the reassembled region now appears as
conventional UDP user data, and processing of the UDP options
continues, as with the non-LITE FRAG variant.
5.9. Timestamps (TIME) <<TBD: decide whether it is useful to encode fragments so they can
be zero-copied>>
Receivers reverse the above sequence. They process all received
options in each fragment. When the FRAG option is encountered, the
FRAG data is used in reassembly. After all fragments are received,
the entire packet is processed with any trailing UDP options
applying to the reassembled data.
5.6. Maximum Segment Size (MSS)
The Maximum Segment Size (MSS, Kind = 3) option is a 16-bit
indicator of the largest UDP segment that can be received. As with
the TCP MSS option [RFC793], the size indicated is the IP layer MTU
decreased by the fixed IP and UDP headers only [RFC6691]. The space
needed for IP and UDP options need to be adjusted by the sender when
using the value indicated. The value transmitted is based on EMTU_R,
the largest IP datagram that can be received (i.e., reassembled at
the receiver) [RFC1122].
+--------+--------+--------+--------+
| Kind=5 | Len=4 | MSS size |
+--------+--------+--------+--------+
Figure 13 UDP MSS option format
The UDP MSS option MAY be used for path MTU discovery
[RFC1191][RFC8201], but this may be difficult because of known
issues with ICMP blocking [RFC2923] as well as UDP lacking automatic
retransmission. It is more likely to be useful when coupled with IP
source fragmentation to limit the largest reassembled UDP message,
e.g., when EMTU_R is larger than the required minimums (576 for IPv4
[RFC791] and 1500 for IPv6 [RFC8200]). It can also be used with
DPLPMTUD [RFC8899] to set a maximum DPLPMTU.
5.7. Unsafe (UNSAFE)
The Unsafe option (UNSAFE) extends the UDP option space to allow for
options that are not safe to ignore and can be used unidirectionally
or without soft-state confirmation of UDP option capability. They
are always used only when the entire UDP payload occurs inside a
reassembled set of UDP fragments, such that if UDP fragmentation is
not supported, the entire fragment would be silently dropped anyway.
UNSAFE options are an extended option space, with its own additional
option types. These are indicated in the first byte after the option
Kind as shown in ?, which is followed by the Length. Length is 1
byte for UKinds whose total length (including Kind, UKind, and
Length fields) is less than 255 or 2 bytes for larger lengths (in
the similar style as the extended option format).
+--------+--------+--------+
| Kind=6 | UKind | Length |...
+--------+--------+--------+
1 byte 1 byte 1-2 bytes
Figure 14 UDP UNSAFE option format
>> UNSAFE options MUST be used only as part of UDP fragments, used
either per-fragment or after reassembly.
>> Receivers supporting UDP options MUST silently drop the entire
reassembled datagram if any fragment or the entire datagram includes
an UNSAFE option whose UKind is not supported.
The following UKind values are defined:
UKind Length Meaning
----------------------------------------------
0 RESERVED
1-253 (varies) UNASSIGNED (assignable by IANA)
254 (varies) RFC 3692-style experiments (UEXP)
255 RESERVED
Experimental UKind EXP ExID values indicate the ExID in the
following 2 (or 4) bytes, similar to the UDP EXP option as discussed
in Section 5.11. Assigned UDP EXP ExIDs and UDP UNSAFE UKind UEXP
ExIDs are assigned from the same registry and can be used either in
the EXP option (Section 5.11) or within the UKind UEXP.
5.8. Timestamps (TIME)
The Timestamp (TIME) option exchanges two four-byte timestamp The Timestamp (TIME) option exchanges two four-byte timestamp
fields. It serves a similar purpose to TCP's TS option [RFC7323], fields. It serves a similar purpose to TCP's TS option [RFC7323],
enabling UDP to estimate the round trip time (RTT) between hosts. enabling UDP to estimate the round trip time (RTT) between hosts.
For UDP, this RTT can be useful for establishing UDP fragment For UDP, this RTT can be useful for establishing UDP fragment
reassembly timeouts or transport-layer rate-limiting [RFC8085]. reassembly timeouts or transport-layer rate-limiting [RFC8085].
+--------+--------+------------------+------------------+ +--------+--------+------------------+------------------+
| Kind=7 | Len=10 | TSval | TSecr | | Kind=7 | Len=10 | TSval | TSecr |
+--------+--------+------------------+------------------+ +--------+--------+------------------+------------------+
1 byte 1 byte 4 bytes 4 bytes 1 byte 1 byte 4 bytes 4 bytes
Figure 19 UDP TIME option format Figure 15 UDP TIME option format
TS Value (TSval) and TS Echo Reply (TSecr) are used in a similar TS Value (TSval) and TS Echo Reply (TSecr) are used in a similar
manner to the TCP TS option [RFC7323]. On transmitted segments using manner to the TCP TS option [RFC7323]. On transmitted segments using
the option, TS Value is always set based on the local "time" value. the option, TS Value is always set based on the local "time" value.
Received TSval and TSecr values are provided to the application, Received TSval and TSecr values are provided to the application,
which can pass the TSval value to be used as TSecr on UDP messages which can pass the TSval value to be used as TSecr on UDP messages
sent in response (i.e., to echo the received TSval). A received sent in response (i.e., to echo the received TSval). A received
TSecr of zero indicates that the TSval was not echoed by the TSecr of zero indicates that the TSval was not echoed by the
transmitter, i.e., from a previously received UDP packet. transmitter, i.e., from a previously received UDP packet.
>> TIME MAY use an RTT estimate based on nonzero Timestamp values as >> TIME MAY use an RTT estimate based on nonzero Timestamp values as
a hint for fragmentation reassembly, rate limiting, or other a hint for fragmentation reassembly, rate limiting, or other
mechanisms that benefit from such an estimate. mechanisms that benefit from such an estimate.
skipping to change at page 19, line 15 skipping to change at page 19, line 21
>> TIME MAY use an RTT estimate based on nonzero Timestamp values as >> TIME MAY use an RTT estimate based on nonzero Timestamp values as
a hint for fragmentation reassembly, rate limiting, or other a hint for fragmentation reassembly, rate limiting, or other
mechanisms that benefit from such an estimate. mechanisms that benefit from such an estimate.
>> TIME SHOULD make this RTT estimate available to the user >> TIME SHOULD make this RTT estimate available to the user
application. application.
UDP timestamps are modeled after TCP timestamps and have similar UDP timestamps are modeled after TCP timestamps and have similar
expectations. In particular, they are expected to be: expectations. In particular, they are expected to be:
o Values are monotonic and non-decreasing o Values are monotonic and non-decreasing except for anticipated
number-space rollover events
o Values should increase according to a typical 'tick' time o Values should "increase" (allowing for rollover) according to a
typical 'tick' time
o A request is defined as "reply=0" and a reply is defined as both o A request is defined as "reply=0" and a reply is defined as both
fields being non-zero. fields being non-zero.
o A receiver should always respond to a request with the highest o A receiver should always respond to a request with the highest
TSval received, which is not necessarily the most recently TSval received (allowing for rollover), which is not necessarily
received. the most recently received.
5.10. Authentication and Encryption (AE) Rollover can be handled as a special case or more completely using
sequence number extension [RFC5925].
5.9. Authentication and Encryption (AE)
The Authentication and Encryption (AE) option is intended to allow The Authentication and Encryption (AE) option is intended to allow
UDP to provide a similar type of authentication as the TCP UDP to provide a similar type of authentication as the TCP
Authentication Option (TCP-AO) [RFC5925]. It uses the same format as Authentication Option (TCP-AO) [RFC5925]. AE the conventional UDP
specified for TCP-AO, except that it uses a Kind of 8. AE supports payload and may also cover the surplus area, depending on
NAT traversal in a similar manner as TCP-AO [RFC6978]. AE can also configuration. It uses the same format as specified for TCP-AO,
be extended to provide a similar encryption capability as TCP-AO- except that it uses a Kind of 8. AE supports NAT traversal in a
ENC, in a similar manner [To18ao]. similar manner as TCP-AO [RFC6978]. AE can also be extended to
provide a similar encryption capability as TCP-AO-ENC, in a similar
manner [To18ao].
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Kind=8 | Len | Digest... | | Kind=8 | Len | Digest... |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Digest (con't)... | | Digest (con't)... |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
Figure 20 UDP AE option format Figure 16 UDP AE option format
Like TCP-AO, AE is not negotiated in-band. Its use assumes both Like TCP-AO, AE is not negotiated in-band. Its use assumes both
endpoints have populated Master Key Tuples (MKTs), used to exclude endpoints have populated Master Key Tuples (MKTs), used to exclude
non-protected traffic. non-protected traffic.
TCP-AO generates unique traffic keys from a hash of TCP connection TCP-AO generates unique traffic keys from a hash of TCP connection
parameters. UDP lacks a three-way handshake to coordinate parameters. UDP lacks a three-way handshake to coordinate
connection-specific values, such as TCP's Initial Sequence Numbers connection-specific values, such as TCP's Initial Sequence Numbers
(ISNs) [RFC793], thus AE's Key Derivation Function (KDF) uses zeroes (ISNs) [RFC793], thus AE's Key Derivation Function (KDF) uses zeroes
as the value for both ISNs. This means that the AE reuses keys when as the value for both ISNs. This means that the AE reuses keys when
socket pairs are reused, unlike TCP-AO. socket pairs are reused, unlike TCP-AO.
AE can be configured to either include or exclude UDP options, the >> Packets with incorrect AE HMACs MUST be passed to the application
same way as can TCP-AO. When UDP options are covered, the OCS option by default, e.g., with a flag indicating AE failure.
area checksum and AE hash areas are zeroed before computing the AE
hash. It is important to consider that options not yet defined might Like all non-UNSAFE UDP options, AE needs to be silently ignored
yield unpredictable results if not confirmed as supported, e.g., if when failing. This silently-ignored behavior ensures that option-
they were to contain other hashes or checksums that depend on the aware receivers operate the same as legacy receivers unless
option area contents. This is why such dependencies are not overridden.
permitted except as defined for OCS and UDP-AE.
In addition to the UDP payload (which is always included), AE can be
configured to either include or exclude the surplus area, in a
similar way as can TCP-AO can optionally exclude TCP options. When
UDP options are covered, the OCS option area checksum and AE hash
areas are zeroed before computing the AE hash. It is important to
consider that options not yet defined might yield unpredictable
results if not confirmed as supported, e.g., if they were to contain
other hashes or checksums that depend on the option area contents.
This is why such dependencies are not permitted except as defined
for OCS and UDP-AE.
Similar to TCP-AO-NAT, AE can be configured to support NAT Similar to TCP-AO-NAT, AE can be configured to support NAT
traversal, excluding one or both of the UDP ports [RFC6978]. traversal, excluding (by zeroing out) one or both of the UDP ports
and corresponding IP addresses [RFC6978].
6. Echo request (REQ) and echo response (RES) 5.10. Echo request (REQ) and echo response (RES)
The echo request (REQ, kind=9) and echo response (RES, kind=10) The echo request (REQ, kind=9) and echo response (RES, kind=10)
options provide a means for UDP options to be used to provide options provide a means for UDP options to be used to provide
packet-level acknowledgements. Their use is described as part of the packet-level acknowledgements. Their use is described as part of the
UDP variant of packetization layer path MTU discovery (PLPMTUD) UDP variant of packetization layer path MTU discovery (PLPMTUD)
[Fa19]. The options both have the format indicated in Figure 21. [Fa20]. The options both have the format indicated in Figure 17.
+--------+--------+------------------+ +--------+--------+------------------+
| Kind | Len=6 | nonce | | Kind | Len=6 | nonce |
+--------+--------+------------------+ +--------+--------+------------------+
1 byte 1 byte 4 bytes 1 byte 1 byte 4 bytes
Figure 21 UDP REQ and RES options format Figure 17 UDP REQ and RES options format
6.1. Experimental (EXP) 5.11. Experimental (EXP)
The Experimental option (EXP) is reserved for experiments [RFC3692]. The Experimental option (EXP) is reserved for experiments [RFC3692].
It uses a Kind value of 254. Only one such value is reserved because It uses a Kind value of 254. Only one such value is reserved because
experiments are expected to use an Experimental ID (ExIDs) to experiments are expected to use an Experimental ID (ExIDs) to
differentiate concurrent use for different purposes, using UDP ExIDs differentiate concurrent use for different purposes, using UDP ExIDs
registered with IANA according to the approach developed for TCP registered with IANA according to the approach developed for TCP
experimental options [RFC6994]. experimental options [RFC6994].
+----------+----------+----------+----------+ +----------+----------+----------+----------+
| Kind=254 | Len | UDP ExID | | Kind=254 | Len | UDP ExID |
+----------+----------+----------+----------+ +----------+----------+----------+----------+
| (option contents, as defined)... | | (option contents, as defined)... |
+----------+----------+----------+----------+ +----------+----------+----------+----------+
Figure 22 UDP EXP option format Figure 18 UDP EXP option format
>> The length of the experimental option MUST be at least 4 to >> The length of the experimental option MUST be at least 4 to
account for the Kind, Length, and the minimum 16-bit UDP ExID account for the Kind, Length, and the minimum 16-bit UDP ExID
identifier (similar to TCP ExIDs [RFC6994]). identifier (similar to TCP ExIDs [RFC6994]).
7. Rules for designing new options Assigned UDP EXP ExIDs and UDP UNSAFE UKind UEXP ExIDs are assigned
from the same registry and can be used either in the EXP option or
within the UKind UEXP (Section 5.7).
6. Rules for designing new options
The UDP option Kind space allows for the definition of new options, The UDP option Kind space allows for the definition of new options,
however the currently defined options do not allow for arbitrary new however the currently defined options do not allow for arbitrary new
options. For example, LITE needs to come first if present; new options. For example, FRAG needs to come first if present; new
options cannot declare that they need to precede it. The following options cannot declare that they need to precede it. The following
is a summary of rules for new options and their rationales: is a summary of rules for new options and their rationales:
>> New options MUST NOT depend on option space content. Only OCS and >> New options MUST NOT depend on option space content, excepting
AE depend on the content of the options themselves and their order only those contained within the UNSAFE option. Only OCS and AE
is fixed (on transmission, AE is computed first using a zero- depend on the content of the options themselves and their order is
checksum OCS if present, and OCS is computed last before fixed (on transmission, AE is computed first using a zero-checksum
transmission, over the entire option area, including AE). OCS if present, and OCS is computed last before transmission, over
the entire option area, including AE).
>> UNSAFE options can both depend on and vary option space content
because they are contained only inside UDP fragments and thus are
processed only by UDP option capable receivers.
>> New options MUST NOT declare their order relative to other >> New options MUST NOT declare their order relative to other
options, whether new or old. options, whether new or old.
>> At the sender, new options MUST NOT modify UDP packet content >> At the sender, new options MUST NOT modify UDP packet content
anywhere except within their option field; areas that need to remain anywhere except within their option field, excepting only those
contained within the UNSAFE option; areas that need to remain
unmodified include the IP header, IP options, the UDP body, the UDP unmodified include the IP header, IP options, the UDP body, the UDP
option area (i.e., other options), and the post-option area. option area (i.e., other options), and the post-option area.
>> Options MUST NOT be modified in transit. This includes those >> Options MUST NOT be modified in transit. This includes those
already defined as well as new options. New options MUST NOT require already defined as well as new options. New options MUST NOT require
or intend optionally for modification of any UDP options, including or intend optionally for modification of any UDP options, including
their new areas, in transit. their new areas, in transit.
>> New options with fixed lengths smaller than 255 or variable >> New options with fixed lengths smaller than 255 or variable
lengths that are always smaller than 255 MUST use only the default lengths that are always smaller than 255 MUST use only the default
option format. option format.
Note that only certain of the initially defined options violate Note that only certain of the initially defined options violate
these rules: these rules:
o >> LITE MUST be first, if present, and MUST be processed when o >> FRAG MUST be first, if present, and MUST be processed when
encountered (e.g., even before security options). encountered (e.g., even before security options).
o >> LITE is the only option that modifies the UDP body or option o >> Only FRAG and UNSAFE options are permitted to modify the UDP
areas. body or option areas.
o >> OCS SHOULD be the first option, except in the presence of o >> OCS SHOULD be the first option, except in the presence of
LITE, in which case it SHOULD be the first option after LITE. FRAG, in which case it SHOULD be the first option after FRAG.
8. Option inclusion and processing 7. Option inclusion and processing
The following rules apply to option inclusion by senders and The following rules apply to option inclusion by senders and
processing by receivers. processing by receivers.
>> Senders MAY add any option, as configured by the API. >> Senders MAY add any option, as configured by the API.
>> All mandatory options MUST be processed by receivers, if present >> All mandatory options MUST be processed by receivers, if present
(presuming UDP options are supported at that receiver). (presuming UDP options are supported at that receiver).
>> Non-mandatory options MAY be ignored by receivers, if present, >> Non-mandatory options MAY be ignored by receivers, if present,
based on API settings. e.g., based on API settings.
>> All options MUST be processed by receivers in the order >> All options MUST be processed by receivers in the order
encountered in the options list. encountered in the options list.
The basic premise is that the sender decides what options to add and >> All options except UNSAFE options MUST result in the UDP payload
the receiver decides what options to handle. Simply adding an option being passed to the application layer, regardless of whether all
does not force work upon a receiver, with the exception of the options are processed, supported, or succeed.
mandatory options.
The basic premise is that, for options-aware endpoints, the sender
decides what options to add and the receiver decides what options to
handle. Simply adding an option does not force work upon a receiver,
with the exception of the mandatory options.
Upon receipt, the receiver checks various properties of the UDP Upon receipt, the receiver checks various properties of the UDP
packet and its options to decide whether to accept or drop the packet and its options to decide whether to accept or drop the
packet and whether to accept or ignore some its options as follows packet and whether to accept or ignore some its options as follows
(in order): (in order):
if the UDP checksum fails then if the UDP checksum fails then
silently drop (per RFC1122) silently drop (per RFC1122)
if the UDP checksum passes then if the UDP checksum passes then
if OCS is present and fails then if OCS is present and fails then
deliver the UDP payload but ignore all options deliver the UDP payload but ignore all other options
(this is required to emulate legacy behavior) (this is required to emulate legacy behavior)
if OCS is present and passes then if OCS is present and passes then
deliver the UDP payload after parsing deliver the UDP payload after parsing
and processing the rest of the options and processing the rest of the options,
regardless of whether each is supported or succeeds
(again, this is required to emulate legacy behavior)
(for other options 'OPT' when encountered in sequence): The design of the UNSAFE options as used only inside the FRAG area
if both sender and receiver choose to use OPT then ensures that the resulting UDP data will be silently dropped in both
if OPT passes then legacy and options-aware receivers.
deliver the UDP payload after parsing
and processing the rest of the options Options-aware receivers can either drop packets with option
if OPT fails then processing errors via an override of the default or at the
silently drop the packet application layer.
if OPT is not present when received then
silently drop the packet
if the sender includes OPT
and the receiver does not indicate OPT is required then
the receiver accepts all UDP payloads that pass
the UDP checksum and indicate for each packet
whether OPT succeeded, but never drop when OPT fails
I.e., all options other than OCS are treated the same, in that the I.e., all options other than OCS are treated the same, in that the
transmitter can add it as desired and the receiver has the option to transmitter can add it as desired and the receiver has the option to
require it or not. Only if it is required (by API configuration) require it or not. Only if it is required (e.g., by API
should the receiver require it being present and correct. configuration) should the receiver require it being present and
correct.
I.e., for all options other than OCS: I.e., for all options other than OCS:
o if the option is not required by the receiver, then packets o if the option is not required by the receiver, then packets
missing the option are accepted. missing the option are accepted.
o if the option is required and missing or incorrectly formed, o if the option is required (e.g., by override of the default
behavior at the receiver) and missing or incorrectly formed,
silently drop the packet. silently drop the packet.
o if the packet is accepted (either because the option is not o if the packet is accepted (either because the option is not
required or because it was required and correct), then pass the required or because it was required and correct), then pass the
option with the packet via the API. option with the packet via the API.
Any options whose length exceeds that of the UDP packet (i.e., Any options whose length exceeds that of the UDP packet (i.e.,
intending to use data that would have been beyond the surplus area) intending to use data that would have been beyond the surplus area)
should be silently ignored (again to model legacy behavior). should be silently ignored (again to model legacy behavior).
9. UDP API Extensions 8. UDP API Extensions
UDP currently specifies an application programmer interface (API), UDP currently specifies an application programmer interface (API),
summarized as follows (with Unix-style command as an example) summarized as follows (with Unix-style command as an example)
[RFC768]: [RFC768]:
o Method to create new receive ports o Method to create new receive ports
o E.g., bind(handle, recvaddr(optional), recvport) o E.g., bind(handle, recvaddr(optional), recvport)
o Receive, which returns data octets, source port, and source o Receive, which returns data octets, source port, and source
skipping to change at page 24, line 40 skipping to change at page 25, line 11
o Extend the receive function to indicate the options and their o Extend the receive function to indicate the options and their
parameters as received with the corresponding received datagram. parameters as received with the corresponding received datagram.
o Extend the send function to indicate the options to be added to o Extend the send function to indicate the options to be added to
the corresponding sent datagram. the corresponding sent datagram.
Examples of API instances for Linux and FreeBSD are provided in Examples of API instances for Linux and FreeBSD are provided in
Appendix A, to encourage uniform cross-platform implementations. Appendix A, to encourage uniform cross-platform implementations.
10. Whose options are these? 9. Whose options are these?
UDP options are indicated in an area of the IP payload that is not UDP options are indicated in an area of the IP payload that is not
used by UDP. That area is really part of the IP payload, not the UDP used by UDP. That area is really part of the IP payload, not the UDP
payload, and as such, it might be tempting to consider whether this payload, and as such, it might be tempting to consider whether this
is a generally useful approach to extending IP. is a generally useful approach to extending IP.
Unfortunately, the surplus area exists only for transports that Unfortunately, the surplus area exists only for transports that
include their own transport layer payload length indicator. TCP and include their own transport layer payload length indicator. TCP and
SCTP include header length fields that already provide space for SCTP include header length fields that already provide space for
transport options by indicating the total length of the header area, transport options by indicating the total length of the header area,
skipping to change at page 25, line 22 skipping to change at page 25, line 41
than any other portion of the transport datagram. than any other portion of the transport datagram.
UDP options are transport options. Generally, transport datagrams UDP options are transport options. Generally, transport datagrams
are not intended to be modified in-transit. UDP options are no are not intended to be modified in-transit. UDP options are no
exception and here are specified as "MUST NOT" be altered in exception and here are specified as "MUST NOT" be altered in
transit. However, the UDP option mechanism provides no specific transit. However, the UDP option mechanism provides no specific
protection against in-transit modification of the UDP header, UDP protection against in-transit modification of the UDP header, UDP
payload, or UDP option area, except as provided by the options payload, or UDP option area, except as provided by the options
selected (e.g., OCS or AE). selected (e.g., OCS or AE).
11. UDP options LITE option vs. UDP-Lite 10. UDP options FRAG option vs. UDP-Lite
UDP-Lite provides partial checksum coverage, so that packets with UDP-Lite provides partial checksum coverage, so that packets with
errors in some locations can be delivered to the user [RFC3828]. It errors in some locations can be delivered to the user [RFC3828]. It
uses a different transport protocol number (136) than UDP (17) to uses a different transport protocol number (136) than UDP (17) to
interpret the UDP Length field as the prefix covered by the UDP interpret the UDP Length field as the prefix covered by the UDP
checksum. checksum.
UDP (protocol 17) already defines the UDP Length field as the limit UDP (protocol 17) already defines the UDP Length field as the limit
of the UDP checksum, but by default also limits the data provided to of the UDP checksum, but by default also limits the data provided to
the application as that which precedes the UDP Length. A goal of the application as that which precedes the UDP Length. A goal of
UDP-Lite is to deliver data beyond UDP Length as a default, which is UDP-Lite is to deliver data beyond UDP Length as a default, which is
why a separate transport protocol number was required. why a separate transport protocol number was required.
UDP options do not use or need a separate transport protocol number UDP options do not use or need a separate transport protocol number
because the data beyond the UDP Length offset (surplus data) is not because the data beyond the UDP Length offset (surplus data) is not
provided to the application by default. That data is interpreted provided to the application by default. That data is interpreted
exclusively within the UDP transport layer. exclusively within the UDP transport layer.
The LITE UDP options option supports a similar service to UDP-Lite. The UDP FRAG options option supports a similar service to UDP-Lite.
The main difference is that UDP-Lite provides the un-checksummed The main difference is that UDP-Lite provides the un-checksummed
user data to the application by default, whereas the LITE UDP option user data to the application by default, whereas the UDP FRAG option
can safely provide that service only between endpoints that can safely provide that service only between endpoints that
negotiate that capability in advance. An endpoint that does not negotiate that capability in advance. An endpoint that does not
implement UDP options would silently discard this non-checksummed implement UDP options would silently discard this non-checksummed
user data, along with the UDP options as well. user data, along with the UDP options as well.
UDP-Lite cannot support UDP options, either as proposed here or in UDP-Lite cannot support UDP options, either as proposed here or in
any other form, because the entire payload of the UDP packet is any other form, because the entire payload of the UDP packet is
already defined as user data and there is no additional field in already defined as user data and there is no additional field in
which to indicate a separate area for options. The UDP Length field which to indicate a separate area for options. The UDP Length field
in UDP-Lite is already used to indicate the boundary between user in UDP-Lite is already used to indicate the boundary between user
data covered by the checksum and user data not covered. data covered by the checksum and user data not covered.
12. Interactions with Legacy Devices 11. Interactions with Legacy Devices
It has always been permissible for the UDP Length to be inconsistent It has always been permissible for the UDP Length to be inconsistent
with the IP transport payload length [RFC768]. Such inconsistency with the IP transport payload length [RFC768]. Such inconsistency
has been utilized in UDP-Lite using a different transport number. has been utilized in UDP-Lite using a different transport number.
There are no known systems that use this inconsistency for UDP There are no known systems that use this inconsistency for UDP
[RFC3828]. It is possible that such use might interact with UDP [RFC3828]. It is possible that such use might interact with UDP
options, i.e., where legacy systems might generate UDP datagrams options, i.e., where legacy systems might generate UDP datagrams
that appear to have UDP options. The UDP OCS provides protection that appear to have UDP options. The UDP OCS provides protection
against such events and is stronger than a static "magic number". against such events and is stronger than a static "magic number".
skipping to change at page 26, line 41 skipping to change at page 27, line 14
It has been reported that Alcatel-Lucent's "Brick" Intrusion It has been reported that Alcatel-Lucent's "Brick" Intrusion
Detection System has a default configuration that interprets Detection System has a default configuration that interprets
inconsistencies between UDP Length and IP Length as an attack to be inconsistencies between UDP Length and IP Length as an attack to be
reported. Note that other firewall systems, e.g., CheckPoint, use a reported. Note that other firewall systems, e.g., CheckPoint, use a
default "relaxed UDP length verification" to avoid falsely default "relaxed UDP length verification" to avoid falsely
interpreting this inconsistency as an attack. interpreting this inconsistency as an attack.
(TBD: test with UDP checksum offload and UDP fragmentation offload) (TBD: test with UDP checksum offload and UDP fragmentation offload)
13. Options in a Stateless, Unreliable Transport Protocol 12. Options in a Stateless, Unreliable Transport Protocol
There are two ways to interpret options for a stateless, unreliable There are two ways to interpret options for a stateless, unreliable
protocol -- an option is either local to the message or intended to protocol -- an option is either local to the message or intended to
affect a stream of messages in a soft-state manner. Either affect a stream of messages in a soft-state manner. Either
interpretation is valid for defined UDP options. interpretation is valid for defined UDP options.
It is impossible to know in advance whether an endpoint supports a It is impossible to know in advance whether an endpoint supports a
UDP option. UDP option.
>> UDP options MUST allow for silent failure on first receipt. >> All UDP options other than UNSAFE ones MUST be ignored if not
supported or upon failure (e.g., ACS).
>> All UDP options that fail MUST result in the UDP data still being
sent to the application layer by default, to ensure equivalence with
legacy devices.
>> UDP options that rely on soft-state exchange MUST allow for >> UDP options that rely on soft-state exchange MUST allow for
message reordering and loss. message reordering and loss.
>> A UDP option MUST be silently optional until confirmed by
exchange with an endpoint.
The above requirements prevent using any option that cannot be The above requirements prevent using any option that cannot be
safely ignored unless that capability has been negotiated with an safely ignored unless it is hidden inside the FRAG area (i.e.,
endpoint in advance for a socket pair. Legacy systems would need to UNSAFE options). Legacy systems also always need to be able to
be able to interpret the transport payload fragments as individual interpret the transport payload fragments as individual transport
transport datagrams. datagrams.
14. UDP Option State Caching 13. UDP Option State Caching
Some TCP connection parameters, stored in the TCP Control Block, can Some TCP connection parameters, stored in the TCP Control Block, can
be usefully shared either among concurrent connections or between be usefully shared either among concurrent connections or between
connections in sequence, known as TCP Sharing [RFC2140][To19cb]. connections in sequence, known as TCP Sharing [RFC2140][To20cb].
Although UDP is stateless, some of the options proposed herein may Although UDP is stateless, some of the options proposed herein may
have similar benefit in being shared or cached. We call this UCB have similar benefit in being shared or cached. We call this UCB
Sharing, or UDP Control Block Sharing, by analogy. Sharing, or UDP Control Block Sharing, by analogy.
[TBD: extend this section to indicate which options MAY vs. MUST NOT [TBD: extend this section to indicate which options MAY vs. MUST NOT
be shared and how, e.g., along the lines of To19cb] be shared and how, e.g., along the lines of To20cb]
15. Updates to RFC 768 14. Updates to RFC 768
This document updates RFC 768 as follows: This document updates RFC 768 as follows:
o This document defines the meaning of the IP payload area beyond o This document defines the meaning of the IP payload area beyond
the UDP length but within the IP length. the UDP length but within the IP length.
o This document extends the UDP API to support the use of options. o This document extends the UDP API to support the use of options.
15. Interactions with other RFCs (and drafts)
This document clarifies the interaction between UDP length and IP
length that is not explicitly constrained in either UDP or the host
requirements [RFC768] [RFC1122].
Teredo extensions (TE) define use of a similar surplus area for
trailers [RFC6081]. TE defines the UDP length pointing beyond
(larger) than the location indicated by the IP length rather than
shorter (as used herein):
"..the IPv6 packet length (i.e., the Payload Length value in
the IPv6 header plus the IPv6 header size) is less than or
equal to the UDP payload length (i.e., the Length value in
the UDP header minus the UDP header size)"
As a result, UDP options are not compatible with TE, but that is
also why this document does not update TE. Additionally, it is not
at all clear how TE operates, as it requires network processing of
the UDP length field to understand the total message including TE
trailers.
TE updates Teredo NAT traversal [RFC4380]. The NAT traversal
document defined "consistency" of UDP length and IP length as:
"An IPv6 packet is deemed valid if it conforms to [RFC2460]:
the protocol identifier should indicate an IPv6 packet and
the payload length should be consistent with the length of
the UDP datagram in which the packet is encapsulated."
IPv6 is clear on the meaning of this consistency, in which the
pseudoheader used for UDP checksums is based on the UDP length, not
inferred from the IP length, using the same text in the current
specification [RFC8200]:
"The Upper-Layer Packet Length in the pseudo-header is the
length of the upper-layer header and data (e.g., TCP header
plus TCP data). Some upper-layer protocols carry their own
length information (e.g., the Length field in the UDP header);
for such protocols, that is the length used in the pseudo-
header."
This document hereby deprecates the requirement asserted in the UDP
profile for Robust Header Compression (ROHC)[RFC3095], noted here:
"The Length field of the UDP header MUST match the Length
field(s) of the preceding subheaders, i.e., there must not
be any padding after the UDP payload that is covered by the
IP Length."
ROHC relies on this "matching" of values to avoid needing to
transmit both the IP length and UDP length fields, even though this
is not a strict requirement of UDP [RFC768] or host requirements
[RFC1122] and these preexisting standards were not updated by the
ROHC specification. Section A.1.3 of that document is hereby updated
to allow for UDP length to vary per packet, so that the UDP length
in the table is "CHANGING" rather than "INFERRED". The text that
describes the UDP length field this is updated to:
This field is changing as allowed by UDP [RFC768] and used
by both UDP options [RFC-TBD] and Teredo extensions [RFC6081]
and is therefore classified as CHANGING.
The issue of handling UDP header compression has already been
correctly described in more recent specifications, e.g., Sec. 10.10
of Static Context Header Compression [RFC8724]. In that description,
the UDP length can be compressed out of a packet only when it can be
correctly inferred from the UDP length, i.e., when neither UDP
options nor Teredo extensions are present:
"The parser MUST NOT label this field unless the UDP Length value
matches the Payload Length value from the IPv6 header."
16. Multicast Considerations 16. Multicast Considerations
UDP options are primarily intended for unicast use. Using these UDP options are primarily intended for unicast use. Using these
options over multicast IP requires careful consideration, e.g., to options over multicast IP requires careful consideration, e.g., to
ensure that the options used are safe for different endpoints to ensure that the options used are safe for different endpoints to
interpret differently (e.g., either to support or silently ignore) interpret differently (e.g., either to support or silently ignore)
or to ensure that all receivers of a multicast group confirm support or to ensure that all receivers of a multicast group confirm support
for the options in use. for the options in use.
17. Security Considerations 17. Security Considerations
skipping to change at page 28, line 23 skipping to change at page 30, line 23
UDP options are not covered by DTLS (datagram transport-layer UDP options are not covered by DTLS (datagram transport-layer
security). Despite the name, neither TLS [RFC8446] (transport layer security). Despite the name, neither TLS [RFC8446] (transport layer
security, for TCP) nor DTLS [RFC6347] (TLS for UDP) protect the security, for TCP) nor DTLS [RFC6347] (TLS for UDP) protect the
transport layer. Both operate as a shim layer solely on the payload transport layer. Both operate as a shim layer solely on the payload
of transport packets, protecting only their contents. Just as TLS of transport packets, protecting only their contents. Just as TLS
does not protect the TCP header or its options, DTLS does not does not protect the TCP header or its options, DTLS does not
protect the UDP header or the new options introduced by this protect the UDP header or the new options introduced by this
document. Transport security is provided in TCP by the TCP document. Transport security is provided in TCP by the TCP
Authentication Option (TCP-AO [RFC5925]) or in UDP by the Authentication Option (TCP-AO [RFC5925]) or in UDP by the
Authentication Extension option (Section 5.10). Transport headers Authentication Extension option (Section 5.9). Transport headers are
are also protected as payload when using IP security (IPsec) also protected as payload when using IP security (IPsec) [RFC4301].
[RFC4301].
UDP options use the TLV syntax similar to that of TCP. This syntax UDP options use the TLV syntax similar to that of TCP. This syntax
is known to require serial processing and may pose a DOS risk, e.g., is known to require serial processing and may pose a DOS risk, e.g.,
if an attacker adds large numbers of unknown options that must be if an attacker adds large numbers of unknown options that must be
parsed in their entirety. Implementations concerned with the parsed in their entirety. Implementations concerned with the
potential for this vulnerability MAY implement only the required potential for this vulnerability MAY implement only the required
options and MAY also limit processing of TLVs. Because required options and MAY also limit processing of TLVs. Because required
options come first and at most once each (with the exception of options come first and at most once each (with the exception of
NOPs, which should never need to come in sequences of more than NOPs, which should never need to come in sequences of more than
three in a row), this limits their DOS impact. Note that when a three in a row), this limits their DOS impact.
packet's options cannot be processed, it MUST be discarded; the
packet and its options should always share the same fate. UDP security should never rely solely on transport layer processing
of options. UNSAFE options are the only type that share fate with
the UDP data, because of the way that data is hidden in the surplus
area until after those options are processed. All other options
default to being silently ignored at the transport layer but may be
dropped either if that default is overridden (e.g., by
configuration) or discarded at the application layer (e.g., using
information about the options processed that are passed along with
the packet).
UDP fragmentation introduces its own set of security concerns, which
can be handled in a manner similar to IP fragmentation. In
particular, the number of packets pending reassembly and effort used
for reassembly is typically limited. In addition, it may be useful
to assume a reasonable minimum fragment size, e.g., that non-
terminal fragments should never be smaller than 500 bytes.
18. IANA Considerations 18. IANA Considerations
Upon publication, IANA is hereby requested to create a new registry Upon publication, IANA is hereby requested to create a new registry
for UDP Option Kind numbers, similar to that for TCP Option Kinds. for UDP Option Kind numbers, similar to that for TCP Option Kinds.
Initial values of this registry are as listed in Section 5. Initial values of this registry are as listed in Section 5.
Additional values in this registry are to be assigned from the Additional values in this registry are to be assigned from the
UNASSIGNED values Section 5 in by IESG Approval or Standards Action UNASSIGNED values in Section 5 by IESG Approval or Standards Action
[RFC8126]. Those assignments are subject to the conditions set forth [RFC8126]. Those assignments are subject to the conditions set forth
in this document, particularly (but not limited to) those in Section in this document, particularly (but not limited to) those in Section
7. 6.
Upon publication, IANA is hereby requested to create a new registry Upon publication, IANA is hereby requested to create a new registry
for UDP Experimental Option Experiment Identifiers (UDP ExIDs) for for UDP Experimental Option Experiment Identifiers (UDP ExIDs) for
use in a similar manner as TCP ExIDs [RFC6994]. This registry is use in a similar manner as TCP ExIDs [RFC6994]. UDP ExIDs can be
initially empty. Values in this registry are to be assigned by IANA used in either the UDP EXP option or the UDP UNSAFE option when
using first-come, first-served (FCFS) rules [RFC8126]. Options using using UKind=UEXP. This registry is initially empty. Values in this
these ExIDs are subject to the same conditions as new options, i.e., registry are to be assigned by IANA using first-come, first-served
they too are subject to the conditions set forth in this document, (FCFS) rules [RFC8126]. Options using these ExIDs are subject to the
particularly (but not limited to) those in Section 7. same conditions as new options, i.e., they too are subject to the
conditions set forth in this document, particularly (but not limited
to) those in Section 6.
Upon publication, IANA is hereby requested to create a new registry
for UDP UNSAFE UKind numbers. There are no initial assignments in
this registry. Values in this registry are to be assigned from the
UNASSIGNED values in Section 5.7 by IESG Approval or Standards
Action [RFC8126]. Those assignments are subject to the conditions
set forth in this document, particularly (but not limited to) those
in Section 6.
19. References 19. References
19.1. Normative References 19.1. Normative References
[Fa19] Fairhurst, G., T. Jones, M. Tuexen, I. Ruengeler, T. [Fa20] Fairhurst, G., T. Jones, "Datagram PLPMTUD for UDP
Voelker, "Packetization Layer Path MTU Discovery for Options," draft-fairhurst-tsvwg-udp-options-dplpmtud, Mar.
Datagram Transports," draft-ietf-tsvwg-datagram-plpmtud, 2020.
Feb. 2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels," BCP 14, RFC 2119, March 1997.
[RFC768] Postel, J., "User Datagram Protocol," RFC 768, August [RFC768] Postel, J., "User Datagram Protocol," RFC 768, August
1980. 1980.
[RFC791] Postel, J., "Internet Protocol," RFC 791, Sept. 1981. [RFC791] Postel, J., "Internet Protocol," RFC 791, Sept. 1981.
[RFC1122] Braden, R., Ed., "Requirements for Internet Hosts -- [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts --
Communication Layers," RFC 1122, Oct. 1989. Communication Layers," RFC 1122, Oct. 1989.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels," BCP 14, RFC 2119, March 1997.
[RFC3095] Bormann, C. (Ed), et al., "RObust Header Compression
(ROHC): Framework and four profiles: RTP, UDP, ESP, and
uncompressed," RFC 3095, July 2001.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words," RFC 2119, May 2017.
19.2. Informative References 19.2. Informative References
[Fa18] Fairhurst, G., T. Jones, R. Zullo, "Checksum Compensation [Fa18] Fairhurst, G., T. Jones, R. Zullo, "Checksum Compensation
Options for UDP Options", draft-fairhurst-udp-options-cco, Options for UDP Options", draft-fairhurst-udp-options-cco,
Oct. 2018. Oct. 2018.
[Hi15] Hildebrand, J., B. Trammel, "Substrate Protocol for User [Hi15] Hildebrand, J., B. Trammel, "Substrate Protocol for User
Datagrams (SPUD) Prototype," draft-hildebrand-spud- Datagrams (SPUD) Prototype," draft-hildebrand-spud-
prototype-03, Mar. 2015. prototype-03, Mar. 2015.
skipping to change at page 30, line 26 skipping to change at page 33, line 8
[RFC3828] Larzon, L-A., M. Degermark, S. Pink, L-E. Jonsson (Ed.), [RFC3828] Larzon, L-A., M. Degermark, S. Pink, L-E. Jonsson (Ed.),
G. Fairhurst (Ed.), "The Lightweight User Datagram G. Fairhurst (Ed.), "The Lightweight User Datagram
Protocol (UDP-Lite)," RFC 3828, July 2004. Protocol (UDP-Lite)," RFC 3828, July 2004.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, Dec. 2005. Internet Protocol", RFC 4301, Dec. 2005.
[RFC4340] Kohler, E., M. Handley, and S. Floyd, "Datagram Congestion [RFC4340] Kohler, E., M. Handley, and S. Floyd, "Datagram Congestion
Control Protocol (DCCP)", RFC 4340, March 2006. Control Protocol (DCCP)", RFC 4340, March 2006.
[RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through
Network Address Translations (NATs)," RFC 4380, Feb. 2006.
[RFC4960] Stewart, R. (Ed.), "Stream Control Transmission Protocol", [RFC4960] Stewart, R. (Ed.), "Stream Control Transmission Protocol",
RFC 4960, September 2007. RFC 4960, September 2007.
[RFC5925] Touch, J., A. Mankin, R. Bonica, "The TCP Authentication [RFC5925] Touch, J., A. Mankin, R. Bonica, "The TCP Authentication
Option," RFC 5925, June 2010. Option," RFC 5925, June 2010.
[RFC6081] Thaler, D., "Teredo Extensions," RFC 6081, Jan 2011.
[RFC6347] Rescorla, E., N. Modadugu, "Datagram Transport Layer [RFC6347] Rescorla, E., N. Modadugu, "Datagram Transport Layer
Security Version 1.2," RFC 6347, Jan. 2012. Security Version 1.2," RFC 6347, Jan. 2012.
[RFC6691] Borman, D., "TCP Options and Maximum Segment Size (MSS)," [RFC6691] Borman, D., "TCP Options and Maximum Segment Size (MSS),"
RFC 6691, July 2012. RFC 6691, July 2012.
[RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT
Traversal", RFC 6978, July 2013. Traversal", RFC 6978, July 2013.
[RFC6994] Touch, J., "Shared Use of Experimental TCP Options," RFC [RFC6994] Touch, J., "Shared Use of Experimental TCP Options," RFC
skipping to change at page 31, line 9 skipping to change at page 33, line 42
(Ed.), "TCP Extensions for High Performance," RFC 7323, (Ed.), "TCP Extensions for High Performance," RFC 7323,
Sep. 2014. Sep. 2014.
[RFC8085] Eggert, L., G. Fairhurst, G. Shepherd, "UDP Usage [RFC8085] Eggert, L., G. Fairhurst, G. Shepherd, "UDP Usage
Guidelines," RFC 8085, Feb. 2017. Guidelines," RFC 8085, Feb. 2017.
[RFC8126] Cotton, M., B. Leiba, T. Narten, "Guidelines for Writing [RFC8126] Cotton, M., B. Leiba, T. Narten, "Guidelines for Writing
an IANA Considerations Section in RFCs," RFC 8126, June an IANA Considerations Section in RFCs," RFC 8126, June
2017. 2017.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words," RFC 2119, May 2017.
[RFC8200] Deering, S., R. Hinden, "Internet Protocol Version 6 [RFC8200] Deering, S., R. Hinden, "Internet Protocol Version 6
(IPv6) Specification," RFC 8200, Jul. 2017. (IPv6) Specification," RFC 8200, Jul. 2017.
[RFC8201] McCann, J., S. Deering, J. Mogul, R. Hinden (Ed.), "Path [RFC8201] McCann, J., S. Deering, J. Mogul, R. Hinden (Ed.), "Path
MTU Discovery for IP version 6," RFC 8201, Jul. 2017. MTU Discovery for IP version 6," RFC 8201, Jul. 2017.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3," RFC 8446, Aug. 2018. Version 1.3," RFC 8446, Aug. 2018.
[To18ao] Touch, J., "A TCP Authentication Option Extension for [To18ao] Touch, J., "A TCP Authentication Option Extension for
Payload Encryption," draft-touch-tcp-ao-encrypt, Jul. Payload Encryption," draft-touch-tcp-ao-encrypt, Jul.
2018. 2018.
[To19cb] Touch, J., M. Welzl, S. Islam, J. You, "TCP Control Block [To20cb] Touch, J., M. Welzl, S. Islam, J. You, "TCP Control Block
Interdependence," draft-touch-tcpm-2140bis, Jan. 2019. Interdependence," draft-touch-tcpm-2140bis, Apr. 2020.
[Tr16] Trammel, B. (Ed.), M. Kuelewind (Ed.), "Requirements for
the design of a Substrate Protocol for User Datagrams
(SPUD)," draft-trammell-spud-req-04, May 2016.
20. Acknowledgments 20. Acknowledgments
This work benefitted from feedback from Bob Briscoe, Ken Calvert, This work benefitted from feedback from Bob Briscoe, Ken Calvert,
Ted Faber, Gorry Fairhurst, C. M. Heard (including the FRAG/LITE Ted Faber, Gorry Fairhurst (including OCS for misbehaving middlebox
combination), Tom Herbert, and Mark Smith, as well as discussions on traversal), C. M. Heard (including combining previous FRAG and LITE
the IETF TSVWG and SPUD email lists. options into the new FRAG), Tom Herbert, and Mark Smith, as well as
discussions on the IETF TSVWG and SPUD email lists.
This work was partly supported by USC/ISI's Postel Center. This work was partly supported by USC/ISI's Postel Center.
This document was prepared using 2-Word-v2.0.template.dot. This document was prepared using 2-Word-v2.0.template.dot.
Authors' Addresses Authors' Addresses
Joe Touch Joe Touch
Manhattan Beach, CA 90266 USA Manhattan Beach, CA 90266 USA
Phone: +1 (310) 560-0334 Phone: +1 (310) 560-0334
Email: touch@strayalpha.com Email: touch@strayalpha.com
Appendix A. Implementation Information Appendix A. Implementation Information
The following information is provided to encourage interoperable API The following information is provided to encourage interoperable API
implementations. implementations.
System-level variables (sysctl): System-level variables (sysctl):
Name default meaning Name default meaning
---------------------------------------------------- ----------------------------------------------------
net.ipv4.udp_opt 0 UDP options available net.ipv4.udp_opt 0 UDP options available
net.ipv4.udp_opt_ocs 1 Default include OCS net.ipv4.udp_opt_ocs 1 Default include OCS
net.ipv4.udp_opt_acs 0 Default include ACS net.ipv4.udp_opt_acs 0 Default include ACS
net.ipv4.udp_opt_lite 0 Default include LITE
net.ipv4.udp_opt_mss 0 Default include MSS net.ipv4.udp_opt_mss 0 Default include MSS
net.ipv4.udp_opt_time 0 Default include TIME net.ipv4.udp_opt_time 0 Default include TIME
net.ipv4.udp_opt_frag 0 Default include FRAG net.ipv4.udp_opt_frag 0 Default include FRAG
net.ipv4.udp_opt_ae 0 Default include AE net.ipv4.udp_opt_ae 0 Default include AE
Socket options (sockopt), cached for outgoing datagrams: Socket options (sockopt), cached for outgoing datagrams:
Name meaning Name meaning
---------------------------------------------------- ----------------------------------------------------
UDP_OPT Enable UDP options (at all) UDP_OPT Enable UDP options (at all)
UDP_OPT_OCS Enable UDP OCS option UDP_OPT_OCS Enable UDP OCS option
UDP_OPT_ACS Enable UDP ACS option UDP_OPT_ACS Enable UDP ACS option
UDP_OPT_LITE Enable UDP LITE option
UDP_OPT_MSS Enable UDP MSS option UDP_OPT_MSS Enable UDP MSS option
UDP_OPT_TIME Enable UDP TIME option UDP_OPT_TIME Enable UDP TIME option
UDP_OPT_FRAG Enable UDP FRAG option UDP_OPT_FRAG Enable UDP FRAG option
UDP_OPT_AE Enable UDP AE option UDP_OPT_AE Enable UDP AE option
Send/sendto parameters: Send/sendto parameters:
(TBD - currently using cached parameters) (TBD - currently using cached parameters)
Connection parameters (per-socketpair cached state, part UCB): Connection parameters (per-socketpair cached state, part UCB):
Name Initial value Name Initial value
---------------------------------------------------- ----------------------------------------------------
opts_enabled net.ipv4.udp_opt opts_enabled net.ipv4.udp_opt
ocs_enabled net.ipv4.udp_opt_ocs ocs_enabled net.ipv4.udp_opt_ocs
The following option is included for debugging purposes, and MUST The following option is included for debugging purposes, and MUST
NOT be enabled otherwise. NOT be enabled otherwise.
System variables System variables
net.ipv4.udp_opt_junk 0
net.ipv4.udp_opt_junk 0
System-level variables (sysctl): System-level variables (sysctl):
Name default meaning Name default meaning
---------------------------------------------------- ----------------------------------------------------
net.ipv4.udp_opt_junk 0 Default use of junk net.ipv4.udp_opt_junk 0 Default use of junk
Socket options (sockopt): Socket options (sockopt):
Name params meaning Name params meaning
------------------------------------------------------ ------------------------------------------------------
 End of changes. 130 change blocks. 
422 lines changed or deleted 571 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/