TSVWG                                                          J. Touch
Internet Draft                                   Independent consultant
Intended status: Standards Track                     September 12, 2019                      November 25, 2020
Intended updates: 768 768, 3095
Expires: March 2020 May 2021

                         Transport Options for UDP
                    draft-ietf-tsvwg-udp-options-08.txt
                    draft-ietf-tsvwg-udp-options-09.txt

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79. This document may not be modified,
   and derivative works of it may not be created, except to format it
   for publication as an RFC or to translate it into languages other
   than English.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on March 12, 2020. May 25, 2021.

Copyright Notice

   Copyright (c) 2019 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Abstract

   Transport protocols are extended through the use of transport header
   options. This document extends UDP by indicating the location,
   syntax, and semantics for UDP transport layer options.

Table of Contents

   1. Introduction...................................................3
   2. Conventions used in this document..............................3
   3. Background.....................................................3
   4. The UDP Option Area............................................4
   5. UDP Options....................................................7 Options....................................................8
      5.1. End of Options List (EOL).................................9
      5.2. No Operation (NOP).......................................10
      5.3. Option Checksum (OCS)....................................10
      5.4. Alternate Checksum (ACS).................................11 (ACS).................................12
      5.5. Lite (LITE)..............................................12 Fragmentation (FRAG).....................................13
      5.6. Maximum Segment Size (MSS)...............................14 (MSS)...............................17
      5.7. Fragmentation (FRAG).....................................15 Unsafe (UNSAFE)..........................................17
      5.8. Coupling FRAG with LITE..................................17
      5.9. Timestamps (TIME)........................................18
      5.10.
      5.9. Authentication and Encryption (AE)......................19
   6. (AE).......................19
      5.10. Echo request (REQ) and echo response (RES)....................20
      6.1. (RES)..............20
      5.11. Experimental (EXP).......................................20
   7. (EXP)......................................21
   6. Rules for designing new options...............................21
   8.
   7. Option inclusion and processing...............................22
   9.
   8. UDP API Extensions............................................24
   10.
   9. Whose options are these?.....................................24
   11. these?......................................25
   10. UDP options LITE FRAG option vs. UDP-Lite.........................25
   12.
   11. Interactions with Legacy Devices.............................26
   13.
   12. Options in a Stateless, Unreliable Transport Protocol........26
   14. Protocol........27
   13. UDP Option State Caching.....................................27
   15.
   14. Updates to RFC 768...........................................27 768...........................................28
   15. Interactions with other RFCs (and drafts)....................28
   16. Multicast Considerations.....................................27 Considerations.....................................29
   17. Security Considerations......................................28 Considerations......................................30
   18. IANA Considerations..........................................28 Considerations..........................................31
   19. References...................................................29 References...................................................31
      19.1. Normative References....................................29 References....................................31
      19.2. Informative References..................................29 References..................................32
   20. Acknowledgments..............................................31 Acknowledgments..............................................34
   Appendix A. Implementation Information...........................32 Information...........................35

1. Introduction

   Transport protocols use options as a way to extend their
   capabilities. TCP [RFC793], SCTP [RFC4960], and DCCP [RFC4340]
   include space for these options but UDP [RFC768] currently does not.
   This document defines an extension to UDP that provides space for
   transport options including their generic syntax and semantics for
   their use in UDP's stateless, unreliable message protocol.

2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   In this document, the characters ">>" preceding an indented line(s)
   indicates a statement using the key words listed above. This
   convention aids reviewers in quickly identifying or finding the
   portions of this RFC covered by these key words.

3. Background

   Many protocols include a default default, invariant header and an area for
   header
   options. options that varies from packet to packet. These options
   enable the protocol to be extended for use in particular
   environments or in ways unforeseen by the original designers.
   Examples include TCP's Maximum Segment Size, Window Scale,
   Timestamp, and Authentication Options [RFC793][RFC5925][RFC7323].

   These options are used both in stateful (connection-oriented, e.g.,
   TCP [RFC793], SCTP [RFC4960], DCCP [RFC4340]) and stateless
   (connectionless, e.g., IPv4 [RFC791], IPv6 [RFC8200]) protocols. In
   stateful protocols they can help extend the way in which state is
   managed. In stateless protocols their effect is often limited to
   individual packets, but they can have an aggregate effect on a
   sequence of packets as well. One example of such uses is Substrate Protocol for
   User Datagrams (SPUD) [Tr16], and this This document is intended to provide an
   out-of-band option area as an alternative to the in-band mechanism
   currently proposed [Hi15].

   UDP is one of the most popular protocols that lacks space for
   options [RFC768]. The UDP header was intended to be a minimal
   addition to IP, providing only ports and a data checksum for
   protection. This document extends UDP to provide a trailer area for
   options located after the UDP data payload.

4. The UDP Option Area

   The UDP transport header includes demultiplexing and service
   identification (port numbers), a checksum, and a field that
   indicates the UDP datagram length (including UDP header). The UDP
   Length field is typically redundant with the size of the maximum
   space available as a transport protocol payload (see also discussion
   in Section 12). 11).

   For IPv4, IP Total Length field indicates the total IP datagram
   length (including IP header), and the size of the IP options is
   indicated in the IP header (in 4-byte words) as the "Internet Header
   Length" (IHL), as shown in Figure 1 [RFC791]. As a result, the
   typical (and largest valid) value for UDP Length is:

       UDP_Length = IPv4_Total_Length - IPv4_IHL * 4

   For IPv6, the IP Payload Length field indicates the datagram after
   the base IPv6 header, which includes the IPv6 extension headers and
   space available for the transport protocol, as shown in Figure 2
   [RFC8200]. Note that the Next HDR field in IPv6 might not indicate
   UDP (i.e., 17), e.g., when intervening IP extension headers are
   present. For IPv6, the lengths of any additional IP extensions are
   indicated within each extension [RFC8200], so the typical (and
   largest valid) value for UDP Length is:

       UDP_Length = IPv6_Payload_Length - sum(extension header lengths)

   In both cases, the space available for the UDP transport protocol
   data unit is indicated by IP, either completely in the base header
   (for IPv4) or adding information in the extensions (for IPv6). In
   either case, this document will refer to this available space as the
   "IP transport payload".

      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Version|  IHL  |Type of Service|          Total Length         |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         Identification        |Flags|      Fragment Offset    |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Time to Live | Proto=17 (UDP)|        Header Checksum        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                       Source Address                          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                    Destination Address                        |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ... zero or more IP Options (using space as indicated by IHL) ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         UDP Source Port       |     UDP Destination Port      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          UDP Length           |         UDP Checksum          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

             Figure 1 IPv4 datagram with UDP transport payload

      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |Version| Traffic Class |             Flow Label                |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         Payload Length        |   Next Hdr    |   Hop Limit   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ...
      |                       Source Address (128 bits)               |
      ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ...
      |                    Destination Address (128 bits)             |
      ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      ... zero or more IP Extension headers (each indicating size)  ...
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         UDP Source Port       |     UDP Destination Port      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          UDP Length           |         UDP Checksum          |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

             Figure 2 IPv6 datagram with UDP transport payload

   As a result of this redundancy, there is an opportunity to use the
   UDP Length field as a way to break up the IP transport payload into
   two areas - that intended as UDP user data and an additional
   "surplus area" (as shown in Figure 3).

                             IP transport payload
                <------------------------------------------------->
      +--------+---------+----------------------+------------------+
      | IP Hdr | UDP Hdr |     UDP user data    |   surplus area   |
      +--------+---------+----------------------+------------------+
                <------------------------------>
                           UDP Length

               Figure 3 IP transport payload vs. UDP Length

   In most cases, the IP transport payload and UDP Length point to the
   same location, indicating that there is no surplus area. It is
   important to note that this is not a requirement of UDP [RFC768]
   (discussed further in Section 12). 11). UDP-Lite used the difference in
   these pointers to indicate the partial coverage of the UDP Checksum,
   such that the UDP user data, UDP header, and UDP pseudoheader (a
   subset of the IP header) are covered by the UDP checksum but
   additional user data in the surplus area is not covered [RFC3828].
   This document uses the surplus area for UDP transport options.

   The UDP option area is thus defined as the location between the end
   of the UDP payload and the end of the IP datagram as a trailing
   options area. This area can occur at any valid byte offset, i.e., it
   need not be 16-bit or 32-bit aligned. In effect, this document
   redefines the UDP "Length" field as a "trailer offset".

   UDP options are defined using a TLV (type, length, and optional
   value) syntax similar to that of TCP [RFC793]. They are typically a
   minimum of two bytes in length as shown in Figure 4, excepting only
   the one byte options "No Operation" (NOP) and "End of Options List"
   (EOL) described below.

                        +--------+--------+

                +--------+--------+-------
                |  Kind  | Length |
                        +--------+--------+ (remainder of option...)
                +--------+--------+-------

                    Figure 4 UDP option default format

   The Kind field is always one byte. The Length field is one byte for
   all lengths below 255 (including the Kind and Length bytes). A
   Length of 255 indicates use of the UDP option extended format shown
   in Figure 5. The Extended Length field is a 16-bit field in network
   standard byte order.

                   +--------+--------+--------+--------+
                   |  Kind  |  255   | Extended Length |
                   +--------+--------+--------+--------+
                   | (remainder of option...)
                   +--------+--------+--------+--------+

                Figure 5 UDP option extended default format

   >> UDP options MAY begin at any UDP length offset.

   >> The UDP length MUST be at least as large as the UDP header (8)
   and no larger than the IP transport payload. Values Datagrams with length
   values outside this range MUST be silently discarded dropped as invalid and
   logged where rate-
   limiting rate-limiting permits.

   >> Option Lengths (or Extended Lengths, where applicable) smaller
   than the minimum for the corresponding Kind and default format MUST
   be treated as an error. Such errors call into question the remainder
   of the option area and thus MUST result in all UDP options being
   silently discarded.

   >> Any UDP option whose length is only smaller than 255 MUST always
   use the UDP option default format shown in Figure 4, excepting only
   EOL and NOP.

   >> Any UDP option whose length can be larger than 254 MUST always
   use the UDP option extended default format shown in Figure 5,
   including UNSAFE and EXP.

   I.e., a UDP option always uses only the default format or the
   extended default format, depending on whether its length is only
   ever smaller than 255 or not.

   Others have considered using values of the UDP Length that is larger
   than the IP transport payload as an additional type of signal. Using
   a value smaller than the IP transport payload is expected to be
   backward compatible with existing UDP implementations, i.e., to
   deliver the UDP Length of user data to the application and silently
   ignore the additional surplus area data. Using a value larger than
   the IP transport payload would either be considered malformed (and
   be silently dropped) or could cause buffer overruns, and so is not
   considered silently and safely backward compatible. Its use is thus
   out of scope for the extension described in this document.

   >> UDP options MUST be interpreted in the order in which they occur
   in the UDP option area.

5. UDP Options

   The following UDP options are currently defined:

             Kind    Length    Meaning
             ----------------------------------------------
             0*      -         End of Options List (EOL)
             1*      -         No operation (NOP)
             2*      3         Option checksum (OCS)
             3*      6         Alternate checksum (ACS)
             4*      4         Lite (LITE)      10/12     Fragmentation (FRAG)
             5*      4         Maximum segment size (MSS)
             6*      8/10      Fragmentation (FRAG)      (varies)  Unsafe to ignore (UNSAFE) options
             7       10        Timestamps (TIME)
             8       (varies)  Authentication and Encryption (AE)
             9       6         Request (REQ)
             10      6         Response (RES)
             11-126  (varies)  UNASSIGNED (assignable by IANA)
             127-253           RESERVED
             254     N(>=4)     (varies)  RFC 3692-style experiments (EXP)
             255               Reserved               RESERVED

   These options are defined in the following subsections. Options 0
   and 1 use the same values as for TCP.

   >> An endpoint supporting UDP options MUST support those marked with
   a "*" above: EOL, NOP, OCS, ACS, LITE, FRAG, MSS, and MSS. UNSAFE. This
   includes both recognizing and being able to generate these options
   if configured to do so. These are called "must-support" options.

   >> All other options (without a "*") MAY be implemented, and their
   use SHOULD be determined either out-of-band or negotiated.

   >> Receivers supporting UDP options MUST silently ignore unknown options.
   options except UNSAFE. That includes options whose length does not
   indicate the specified value. value(s).

   >> Receivers supporting UDP options MUST silently drop the entire
   datagram containing an UNSAFE option when any UNSAFE option it
   contains is unknown. See Section 5.7 for further discussion of
   UNSAFE options.

   >> Except for NOP, each option SHOULD NOT occur more than once in a
   single UDP datagram. If a non-NOP an option other than NOP occurs more than
   once, a receiver MUST interpret only the first instance of that
   option and MUST ignore all others.

   >> Only the OCS and AE options depend on the contents of the option
   area. AE is always computed as if the AE hash and OCS checksum are
   zero; OCS is always computed as if the OCS checksum is zero and
   after the AE hash has been computed. Future options MUST NOT be
   defined as having a value dependent on the contents of the option
   area. Otherwise, interactions between those values, OCS, and AE
   could be unpredictable.

   Receivers cannot treat unexpected option lengths as invalid, as this
   would unnecessarily limit future revision of options (e.g., defining
   a new ACS that is defined by having a different length).

   >> Option lengths MUST NOT exceed the IP length of the packet. If
   this occurs, the packet MUST be treated as malformed and dropped,
   and the event MAY be logged for diagnostics (logging SHOULD be rate
   limited).

   >> Options with fixed lengths MUST use the default option format.

   >> Options with variable lengths MUST use the default option format
   where their total length is 254 bytes or less.

   >> Options using the extended option format MUST indicate extended
   lengths of 255 or higher; smaller extended length values MUST be
   treated as an error.

   >> Required "Must-support" options other than NOP and EOL MUST come before
   other options. Each required
   option MUST NOT occur more than once (if they are repeated in a
   received segment, all except the first MUST be silently ignored).

   The requirement that required must-support options come before others is
   intended to allow for endpoints to implement DOS protection, as
   discussed further in Section 17.

5.1. End of Options List (EOL)

   The End of Options List (EOL) option indicates that there are no
   more options. It is used to indicate the end of the list of options
   without needing to pad the options to fill all available option
   space.

                                 +--------+
                                 | Kind=0 |
                                 +--------+

                      Figure 6 UDP EOL option format

   >> When the UDP options do not consume the entire option area, the
   last non-NOP option MUST be EOL.

   >> All bytes in the surplus area after EOL MUST be zero. If these
   bytes are non-zero, the entire surplus area MUST be silently ignored
   and only the UDP data passed to the user with an adjusted UDP length
   to indicate that no options were present.

   Requiring the post-option surplus area to be zero prevents side-
   channel uses of this area, requiring instead that all use of the
   surplus area be UDP options supported by both endpoints. It is
   useful to allow for such padding to increase the packet length
   without affecting the payload length, e.g., for UDP PLPMTUD [Fa19]. DPLPMTUD [Fa20].

5.2. No Operation (NOP)

   The No Operation (NOP) option is a one byte placeholder, intended to
   be used as padding, e.g., to align multi-byte options along 16-bit
   or 32-bit boundaries.

                                 +--------+
                                 | Kind=1 |
                                 +--------+

                      Figure 7 UDP NOP option format

   >> If options longer than one byte are used, NOP options SHOULD be
   used at the beginning of the UDP options area to achieve alignment
   as would be more efficient for active (i.e., non-NOP) options.

   >> Segments SHOULD NOT use more than three consecutive NOPs. NOPs
   are intended to assist with alignment, not other padding or fill.

   [NOTE: Tom Herbert suggested we declare "more than 3 consecutive
   NOPs" a fatal error to reduce the potential of using NOPs as a DOS
   attack, but IMO there are other equivalent ways (e.g., using
   RESERVED or other UNASSIGNED values) and the "no more than 3"
   creates its own DOS vulnerability)

5.3. Option Checksum (OCS)

   The Option Checksum (OCS) option is conventional Internet checksum
   [RFC791] that covers all of the surplus area. area and a pseudoheader
   composed of the 16-bit length of the surplus area (Figure 8). The
   primary purpose of OCS is to detect non-standard (i.e., non-option)
   uses of that area. The surplus area pseudoheader is included to
   enable traversal of errant middleboxes that incorrectly compute the
   UDP checksum over the entire IP payload rather than only the UDP
   payload [Fa18].

   The OCS is calculated by computing the Internet checksum over the
   surplus area. area and surplus length pseudoheader. The OCS protects the
   option area from errors in a similar way that the UDP checksum
   protects the UDP user data (when not zero).

                           +--------+--------+
                           | surplus length  |
                           +--------+--------+

                 Figure 8 UDP surplus length pseudoheader

                       +--------+--------+--------+
                       | Kind=2 |     checksum    |
                       +--------+--------+--------+

                      Figure 8 9 UDP OCS option format

   >> The OCS is REQUIRED MUST be included when the UDP checksum is nonzero and UDP
   options are present.

   >> When present, the OCS SHOULD occur as early as possible, preceded
   by only NOP options for alignment and the LITE FRAG option if present.

   >> OCS MUST be half-word coordinated with the start of the UDP
   options area.

   This coordination is accomplished by computing area and include the surplus length pseudoheader similarly
   coordinated with the start of UDP Header.

   This Internet checksum is computed over the surplus area (including
   EOL, if present) prefixed by the surplus length pseudoheader (Figure
   8) and then adjusting the result before storing it into the OCS
   checksum field. If that the OCS checksum field is aligned to the start of
   the options area, then the checksum is inserted as-is, otherwise the
   checksum bytes are swapped before inserting them into the field. The adjustment above helps enable that OCS, together with
   effect of this "coordination" is the other
   options, result in an overall zero ones-complement sum. same is if the checksum were
   computed as if the surplus area and pseudoheader were aligned to the
   UDP header.

   This feature is intended to potentially help the UDP options
   traverse devices that incorrectly attempt to checksum the surplus
   area (as originally proposed as the Checksum Compensation Option,
   i.e., CCO [Fa18]).
   Note that this incorrect checksum traversal feature is defeated by
   the use of LITE, whether alone or with FRAG, because the LITE area
   is deliberately not covered by OCS. It also is defeated by the use
   of a zero UDP checksum (i.e., UDP checksum disabled).

   The OCS covers the UDP option area, including the Lite option (but not
   LITE data area) area as formatted before swapping (or relocation) for transmission (or, equivalently, after and
   immediately upon reception.

   >> If the swap/relocation after
   reception), as OCS fails, all options MUST be ignored and the LITE option would occur at the beginning of the
   original (prior to rearrangement for transmission) or restored
   (after rearrangement upon reception) UDP option area.

   >> If OCS fails, all options MUST be ignored and any trailing surplus data (and Lite data, if used)
   area silently discarded.

   >> UDP data that is validated by a correct UDP checksum MUST be
   delivered to the application layer, even if the OCS fails, unless
   the endpoints have negotiated otherwise for this segment's socket
   pair.

   As a reminder, use of the UDP checksum is optional when the UDP
   checksum is zero. When not used, the OCS is assumed to be "correct"
   for the purpose of accepting UDP packets at a receiver (see Section 8).
   7).

   The OCS is intended to check for accidental errors, not for attacks.

5.4. Alternate Checksum (ACS)

   The Alternate Checksum (ACS) option provides a stronger alternative
   to the checksum in the UDP header, using a 32-bit CRC of the
   conventional UDP payload only (excluding the IP pseudoheader, UDP
   header, and surplus area). It is an "alternate" to the UDP options, and checksum
   (covering the UDP payload) - not include the LITE area). Because it OCS (the latter covers the
   surplus area) Unlike the UDP checksum, ACS does not include the IP
   pseudoheader or UDP header, thus it need does not need to be updated by
   NATs when IP addresses or UDP ports are rewritten. Its purpose is to
   detect UDP payload errors that the UDP checksum, when used, might
   not detect.

   A CRC32c has been chosen because of its ubiquity and use in other
   Internet protocols, including iSCSI and SCTP. The option contains
   the CRC32c in network standard byte order, as described in
   [RFC3385].

                   +--------+--------+--------+--------+
                   | Kind=3 | Len=6  |    CRC32c...    |
                   +--------+--------+--------+--------+
                   |  CRC32c (cont.) |
                   +--------+--------+

                     Figure 9 10   UDP ACS option format

   When present, the ACS always contains a valid CRC checksum. There
   are no reserved values, including the value of zero. If the CRC is
   zero, this must indicate a valid checksum (i.e., it does not
   indicate that the ACS is not used; instead, the option would simply
   not be included if that were the desired effect).

   ACS does not protect the UDP pseudoheader; only the current UDP
   checksum provides that protection (when used). ACS cannot provide
   that protection because it would need to be updated whenever the UDP
   pseudoheader changed, e.g., during NAT address and port translation;
   because this is not the case, ACS does not cover the pseudoheader.

   >> Packets with incorrect ACS checksums MUST be passed to the
   application by default, e.g., with a flag indicating ACS failure.

   Like all non-UNSAFE UDP options, ACS need to be silently ignored
   when failing. Although all UDP option-aware endpoints support ACS
   (being in the required set), this silently-ignored behavior ensures
   that option-aware receivers operate the same as legacy receivers
   unless overridden.

5.5. Lite (LITE) Fragmentation (FRAG)

   The Lite Fragmentation option (LITE) is intended to provide equivalent capability
   to (FRAG) combines properties of IP
   fragmentation and the UDP Lite transport protocol [RFC3828]. FRAG
   provides transport-layer fragmentation and reassembly in which each
   fragment includes a copy of the same UDP Lite transport ports, enabling
   the fragments to traverse Network Address (and port) Translation
   (NAT) devices, in contrast to the behavior of IP fragments. FRAG
   also allows the UDP checksum to cover only a prefix of the UDP data
   payload, to
   protect critical information (e.g., application headers) but allow
   potentially erroneous avoid repeated checksums of data prior to reassembly.

   The Fragmentation (FRAG) option supports UDP fragmentation and
   reassembly, which can be passed used to the user. This feature
   helps protect application headers but allows for application data
   errors. Some applications are impacted more by a lack of data transfer UDP messages larger than
   errors in data, e.g., voice and video.

   >> When LITE is active, it MUST come first in
   limited by the UDP options list.

   LITE IP receive MTU (EMTU_R [RFC1122]). It is intended to support typically
   used with the same API as for UDP Lite to allow
   applications MSS option to send enable more efficient use of large
   messages, both at the UDP and receive data IP layers. FRAG is designed similar to
   the IPv6 Fragmentation Header [RFC8200], except that has the UDP variant
   uses a marker indicating 16-bit Offset measured in bytes, rather than IPv6's 13-bit
   Fragment Offset measured in 8-byte units. This UDP variant avoids
   creating reserved fields.

   >> When FRAG is present, it MUST come first in the portion protected by UDP options list.

   >> When FRAG is present, the UDP checksum and payload MUST be empty. If the portion
   payload is not
   protected by empty, all UDP options MUST be silently ignored and
   the payload received to the user.

   Legacy receivers interpret FRAG messages as zero-length payload
   packets (i.e., UDP checksum.

   LITE includes a 2-byte offset that indicates Length field is 8, the length of just the
   portion UDP
   header), which would not affect the receiver unless the presence of
   the UDP packet itself were a signal.

   The FRAG option has two formats; non-terminal fragments use the
   shorter variant (Figure 11) and terminal fragments use the longer
   (Figure 12). The latter includes stand-alone fragments, i.e., when
   data that is not covered by contained in the UDP checksum. FRAG option but reassembly is not required.

                   +--------+--------+--------+--------+
                   | Kind=4 | Len=4 Len=10 |      Offset     |
                   +--------+--------+--------+--------+
                   |           Identification          |
                   +--------+--------+--------+--------+
                   |  Frag. Offset   |
                   +--------+--------+

              Figure 10 11   UDP LITE non-terminal FRAG option format

   At the sender, the

   The FRAG option is formed using the following steps:

   1. Create does not need a LITE option, ordered as the first UDP option (Figure
      11).

   2. Calculate the location of "more fragments" bit because it
   provides the start of same indication by using the options as longer, 12-byte variant,
   which also includes an absolute
      offset from the start of Internet checksum over the entire reassembled
   UDP header and place that length in
      the last two bytes of the LITE option.

   3. If the LITE data area is 4 bytes or longer, swap all four bytes
      of payload (omitting the LITE IP pseudoheader and UDP header, as well as
   UDP options), as shown in Figure 12.

   >> The FRAG option with MAY be used on a single fragment, in which case
   the first 4 bytes of Offset would be zero and the LITE data area
      (Figure 12). If option would have the LITE data area is 0-3 bytes long, slide 12-byte
   format, including the
      LITE option to reassembly checksum.

   Use of the front single fragment variant can be helpful in supporting use
   of UNSAFE options without undesirable impact to receivers that do
   not support either UDP options or the LITE data area (i.e., placing specific UNSAFE options.

   >> The reassembly checksum SHOULD be used, but MAY be unused in the
      0-3 bytes of LITE data after
   same situations when the LITE option).

      +---------+--------------+--------------+------------------+
      | UDP Hdr |  user data checksum is unused (e.g., for transit
   tunnels or applications that have their own integrity checks
   [RFC8200]), and by the same mechanism (set the field to 0x0000).

                   +--------+--------+--------+--------+
                   |  LITE data   |LITE| other opts Kind=4 |
      +---------+--------------+--------------+------------------+
       <---------------------->
              UDP Length

            Figure 11   LITE option formation - LITE goes first

      +---------+--------------+--------------+------------------+ Len=12 | UDP Hdr      Offset     |  user data
                   +--------+--------+--------+--------+
                   |  LITE data   |LITE| other opts           Identification          |
      +---------+--------------+--------------+------------------+
                                ^^^^           ^^^^
                   +--------+--------+--------+--------+
                   |  Frag. Offset   |
                                  +--------------+ Reassy. Checksum|
                   +--------+--------+--------+--------+

                Figure 12   Before sending swap LITE   UDP terminal FRAG option and front of LITE data

   The resulting packet has the format shown in Figure 13. Note that

   >> During fragmentation, the UDP length now points header checksum of each fragment
   needs to be recomputed based on each datagram's pseudoheader.

   Unlike the LITE option, and UDP checksum, the LITE option
   points reassembly checksum does not need to be
   updated if the start of the option area.

      +---------+--------------+----------------+------------------+
      | UDP Hdr |  user data   |LITE| LITE data |Ldat| other opts  |
      +---------+--------------+----------------+------------------+
       <---------------------->    |             ^
              UDP Length           +-------------+

                      Figure 13   Lite option as sent

   A legacy endpoint receiving this packet will discard header changes because it covers only the LITE option
   and everything that follows, including
   reassembled data. FRAG uses a comparatively weak checksum upon
   reassembly because the lite data fragments are already checked individually.

   >> After reassembly is complete and remainder
   of validated using the UDP options. The UDP checksum will protect only of
   the user
   data, not terminal FRAG option, the LITE option or lite data.

   Receiving endpoints capable of processing UDP options will do the
   following:

   1. Process options as usual. This will start at header checksum of the LITE option.

   2. When resulting
   datagram needs to be recomputed based on the LITE option datagram's
   pseudoheader.

   The Fragment Offset is encountered, record its location as the
      start of the LITE data area 16 bits and (if the LITE offset indicates a
      LITE data length of at least 4 bytes) swap the four bytes there
      with the four bytes at the location indicated inside the LITE
      option, which indicates the start of all of the options,
      including the LITE one (one past UDP
   payload fragment in bytes from the end beginning of the lite data area).
      If the LITE offset original
   unfragmented payload. The Len field indicates whether there are more
   fragments (Len=10) or no more fragments (Len=12).

   >> The Identification field is a LITE data area of 0-3 bytes, then
      slide the LITE option forward 32-bit value that amount and slide the
      corresponding bytes after MUST be unique
   over the LITE option expected fragment reassembly timeout.

   >> The Identification field SHOULD be generated in a manner similar
   to where the LITE
      option originally began. In either case, this restores the format that of the option as it was prior to being sent, as per Figure 11.

   3. Continue processing the remainder of the options, IPv6 Fragment ID [RFC8200].

   >> UDP fragments MUST NOT overlap.

   UDP fragmentation relies on a fragment expiration timer, which are now
      in can
   be preset or could use a value computed using the format shown in Figure 12. UDP Timestamp
   option.

   >> The purpose of this swap (or slide) is default UDP reassembly SHOULD be no more than 2 minutes.

   Implementers are advised to support limit the equivalent of space available for UDP Lite operation together with other
   reassembly.

   >> UDP options without requiring reassembly space SHOULD be limited to reduce the entire LITE data area impact of
   DOS attacks on resource use.

   >> UDP reassembly space limits SHOULD NOT be implemented as an
   aggregate, to avoid cross-socketpair DOS attacks.

   >> Individual UDP fragments MUST NOT be moved after forwarded to the UDP option area.

5.6. Maximum Segment Size (MSS) user. The Maximum Segment Size (MSS, Kind = 3) option
   reassembled datagram is a 16-bit
   indicator received only after complete reassembly,
   checksum validation, and continued processing of the largest remaining UDP segment that can be received. As with
   options.

   Any additional UDP options, if used, follow the TCP MSS FRAG option [RFC793], the size indicated is the IP layer MTU
   decreased by in the fixed IP
   final fragment and UDP headers only [RFC6691]. The space
   needed would be included in the reassembled packet.
   Processing of those options would commence after reassembly. This is
   especially important for IP and UNSAFE options, which are interpreted only
   after FRAG.

   >> UDP options need to be adjusted by the sender when
   using MUST NOT follow the value indicated. The value transmitted is based on EMTU_R, FRAG header in non-terminal
   fragments. Any data following the largest IP datagram that can FRAG header in non-terminal
   fragments MUST be received (i.e., silently dropped. All other options that apply to
   a reassembled at packet MUST follow the receiver) [RFC1122].

                   +--------+--------+--------+--------+
                   | Kind=5 | Len=4  |    MSS size     |
                   +--------+--------+--------+--------+

                     Figure 14   UDP MSS option format

   The FRAG header in the terminal
   fragment.

   In general, UDP MSS option MAY be used for path MTU discovery
   [RFC1191][RFC8201], but this may be difficult because of known
   issues with ICMP blocking [RFC2923] as well packets are fragmented as follows:

   1. Create a datagram with data and any non-FRAG UDP lacking automatic
   retransmission. It is more likely options, which
      we will call "D". Note that the options apply to be useful when coupled with IP
   source the entire data
      area and must follow the data. These options are processed before
      the rest of the fragmentation to limit steps below.

   2. Identify the largest reassembled UDP message,
   e.g., when EMTU_R is larger than desired fragment size, which we will call "S". This
      value should take into account the required minimums (576 for IPv4
   [RFC791] path MTU (if known) and 1500 allow
      space for IPv6 [RFC8200]).

5.7. Fragmentation (FRAG)

   The Fragmentation (FRAG) option supports UDP fragmentation and
   reassembly, which can be used to transfer UDP messages per-fragment options (e.g., OCS).

   3. Fragment "D" into chunks of size no larger than
   limited "S"-10 each, with
      one final chunk no larger than "S"-12. Note that all the non-FRAG
      options in step #1 MUST appear in the terminal fragment.

   4. For each chunk of "D" in step #3, create a zero-data UDP packet
      followed by the IP receive MTU (EMTU_R [RFC1122]). It is typically
   used per-fragment options, with the UDP MSS final option to enable more efficient use of large
   messages, both at being
      the UDP and IP layers. FRAG is designed similar to option followed by the IPv6 Fragmentation Header [RFC8200], except that the UDP variant
   uses a 16-bit Offset measured in bytes, rather than IPv6's 13-bit
   Fragment Offset measured in 8-byte units. This UDP variant avoids
   creating reserved fields.

                   +--------+--------+--------+--------+
                   | Kind=6 | Len=8  |  Frag. Offset   |
                   +--------+--------+--------+--------+
                   |          Identification           |
                   +--------+--------+--------+--------+

              Figure 15   UDP non-terminal FRAG option format data chunk.

      The last chunk includes the non-FRAG options noted in step #1
      after the end of the FRAG option also lacks data. These UDP options apply to the
      reassembled data as a "more" bit, zeroed for whole when received.

   5. Process the terminal
   fragment UDP options of a set. This each fragment, e.g., computing its
      OCS.

   <<TBD: decide whether it is possible because useful to encode fragments so they can
   be zero-copied>>

   Receivers reverse the above sequence. They process all received
   options in each fragment. When the terminal FRAG option is indicated as a longer, 10-byte variant, which includes an
   Internet checksum over encountered, the
   FRAG data is used in reassembly. After all fragments are received,
   the entire packet is processed with any trailing UDP options
   applying to the reassembled data.

5.6. Maximum Segment Size (MSS)

   The Maximum Segment Size (MSS, Kind = 3) option is a 16-bit
   indicator of the largest UDP payload (omitting segment that can be received. As with
   the TCP MSS option [RFC793], the size indicated is the IP pseudoheader layer MTU
   decreased by the fixed IP and UDP header, as well as UDP options), as
   shown in Figure 16.

   >> headers only [RFC6691]. The reassembly checksum SHOULD be used, but MAY space
   needed for IP and UDP options need to be unused in adjusted by the
   same situations sender when
   using the UDP checksum value indicated. The value transmitted is unused (e.g., for transit
   tunnels or applications that have their own integrity checks
   [RFC8200]), and by based on EMTU_R,
   the same mechanism (set largest IP datagram that can be received (i.e., reassembled at
   the field to 0x0000). receiver) [RFC1122].

                   +--------+--------+--------+--------+
                   | Kind=6 | Len=10 |  Frag. Offset Kind=5 |
                   +--------+--------+--------+--------+ Len=4  |          Identification    MSS size     |
                   +--------+--------+--------+--------+
                   |    Checksum     |
                   +--------+--------+

                     Figure 16 13   UDP terminal FRAG MSS option format

   >> During fragmentation, the

   The UDP header checksum of each fragment
   needs to MSS option MAY be recomputed based on each datagram's pseudoheader.

   >> After reassembly is complete and validated using the checksum used for path MTU discovery
   [RFC1191][RFC8201], but this may be difficult because of
   the terminal FRAG option, the known
   issues with ICMP blocking [RFC2923] as well as UDP header checksum of the resulting
   datagram needs lacking automatic
   retransmission. It is more likely to be recomputed based on useful when coupled with IP
   source fragmentation to limit the datagram's
   pseudoheader.

   The Fragment Offset largest reassembled UDP message,
   e.g., when EMTU_R is 16 bits larger than the required minimums (576 for IPv4
   [RFC791] and indicates 1500 for IPv6 [RFC8200]). It can also be used with
   DPLPMTUD [RFC8899] to set a maximum DPLPMTU.

5.7. Unsafe (UNSAFE)

   The Unsafe option (UNSAFE) extends the location UDP option space to allow for
   options that are not safe to ignore and can be used unidirectionally
   or without soft-state confirmation of UDP option capability. They
   are always used only when the entire UDP payload fragment in bytes from the beginning of the original
   unfragmented payload. The Len field indicates whether there are more
   fragments (Len=8) or no more fragments (Len=12).

   >> The Identification field is occurs inside a 32-bit value
   reassembled set of UDP fragments, such that MUST be unique
   over if UDP fragmentation is
   not supported, the expected entire fragment reassembly timeout.

   >> The Identification field SHOULD be generated in a manner similar
   to that of the IPv6 Fragment ID [RFC8200].

   >> UDP fragments MUST NOT overlap.

   FRAG needs to would be used with extreme care because it will present
   incorrect datagram boundaries to a legacy receiver, unless encoded
   as LITE data (see Section 5.8).

   >> A host SHOULD indicate FRAG support by transmitting silently dropped anyway.

   UNSAFE options are an
   unfragmented datagram using the Fragmentation extended option (e.g., space, with
   Offset zero and length 12, i.e., including its own additional
   option types. These are indicated in the checksum area),
   except when encoded as LITE.

   >> A host MUST NOT transmit a UDP fragment before receiving recent
   confirmation from first byte after the remote host, except when FRAG is encoded option
   Kind as
   LITE.

   UDP fragmentation relies on a fragment expiration timer, shown in ?, which can
   be preset or could use a value computed using is followed by the UDP Timestamp
   option.

   >> The default UDP reassembly SHOULD be no more Length. Length is 1
   byte for UKinds whose total length (including Kind, UKind, and
   Length fields) is less than 255 or 2 minutes.

   Implementers are advised to limit the space available bytes for larger lengths (in
   the similar style as the extended option format).

                        +--------+--------+--------+
                        | Kind=6 | UKind  | Length |...
                        +--------+--------+--------+
                          1 byte   1 byte  1-2 bytes

                   Figure 14   UDP
   reassembly. UNSAFE option format

   >> UDP reassembly space SHOULD UNSAFE options MUST be limited to reduce the impact used only as part of
   DOS attacks on resource use.

   >> UDP reassembly space limits SHOULD NOT be implemented as an
   aggregate, to avoid cross-socketpair DOS attacks. fragments, used
   either per-fragment or after reassembly.

   >> Individual Receivers supporting UDP fragments options MUST NOT be forwarded to silently drop the user. The entire
   reassembled datagram is received only after complete reassembly,
   checksum validation, and continued processing of the remaining
   options.

   Any additional UDP options would follow if any fragment or the FRAG entire datagram includes
   an UNSAFE option in whose UKind is not supported.

   The following UKind values are defined:

             UKind   Length    Meaning
             ----------------------------------------------
             0                 RESERVED
             1-253   (varies)  UNASSIGNED (assignable by IANA)
             254     (varies)  RFC 3692-style experiments (UEXP)
             255               RESERVED

   Experimental UKind EXP ExID values indicate the final
   fragment, and would be included ExID in the reassembled packet.
   Processing of those options would commence after reassembly.

   >> UDP options MUST NOT follow the FRAG header in non-terminal
   fragments. Any data
   following the FRAG header in non-terminal
   fragments MUST be silently dropped. All other options that apply 2 (or 4) bytes, similar to
   a reassembled packet MUST follow the FRAG header in the terminal
   fragment.

5.8. Coupling FRAG with LITE

   FRAG can be coupled with LITE to avoid impacting legacy receivers.
   Each fragment is sent as LITE un-checksummed data, where each UDP
   packet contains no legacy-compatible data. Legacy receivers
   interpret these EXP option as zero-length payload packets (i.e., discussed
   in Section 5.11.  Assigned UDP Length
   field is 8, the length of just the EXP ExIDs and UDP header), which would not
   affect UNSAFE UKind UEXP
   ExIDs are assigned from the receiver unless same registry and can be used either in
   the presence of EXP option (Section 5.11) or within the packet itself were a
   signal. UKind UEXP.

5.8. Timestamps (TIME)

   The header of such Timestamp (TIME) option exchanges two four-byte timestamp
   fields. It serves a packet would appear as shown in Figure
   17 and Figure 18.

                 +---------+--------------+---------+
                 | similar purpose to TCP's TS option [RFC7323],
   enabling UDP Hdr |   LiteFrag   |LITE|FRAG|
                 +---------+--------------+----+----+
                  <-------> ^^^^           ^^^^
               UDP Length=8  |              |
                             +--------------+

                 Figure 17   Preparing  FRAG as Lite data

                 +---------+--------------+----+
                 | UDP Hdr |LITE|LiteFrag |FRAG|
                 +---------+--------------+----+
                  <------->  |             ^
               UDP Length=8  |             |
                             +-------------+

                Figure 18   Lite option before transmission

   When a packet is reassembled, it appears as a complete LITE data
   region. The UDP header of the reassembled packet is adjusted
   accordingly, so that the reassembled region now appears as
   conventional UDP user data, and processing of the UDP options
   continues, as with the non-LITE FRAG variant.

5.9. Timestamps (TIME)

   The Timestamp (TIME) option exchanges two four-byte timestamp
   fields. It serves a similar purpose to TCP's TS option [RFC7323],
   enabling UDP to estimate the round trip time (RTT) between hosts.
   For UDP, this RTT can be useful for establishing to estimate the round trip time (RTT) between hosts.
   For UDP, this RTT can be useful for establishing UDP fragment
   reassembly timeouts or transport-layer rate-limiting [RFC8085].

        +--------+--------+------------------+------------------+
        | Kind=7 | Len=10 |      TSval       |      TSecr       |
        +--------+--------+------------------+------------------+
          1 byte   1 byte       4 bytes            4 bytes

                    Figure 19 15   UDP TIME option format

   TS Value (TSval) and TS Echo Reply (TSecr) are used in a similar
   manner to the TCP TS option [RFC7323]. On transmitted segments using
   the option, TS Value is always set based on the local "time" value.

   Received TSval and TSecr values are provided to the application,
   which can pass the TSval value to be used as TSecr on UDP messages
   sent in response (i.e., to echo the received TSval). A received
   TSecr of zero indicates that the TSval was not echoed by the
   transmitter, i.e., from a previously received UDP packet.

   >> TIME MAY use an RTT estimate based on nonzero Timestamp values as
   a hint for fragmentation reassembly, rate limiting, or other
   mechanisms that benefit from such an estimate.

   >> TIME SHOULD make this RTT estimate available to the user
   application.

   UDP timestamps are modeled after TCP timestamps and have similar
   expectations. In particular, they are expected to be:

   o  Values are monotonic and non-decreasing except for anticipated
      number-space rollover events

   o  Values should increase "increase" (allowing for rollover) according to a
      typical 'tick' time

   o  A request is defined as "reply=0" and a reply is defined as both
      fields being non-zero.

   o  A receiver should always respond to a request with the highest
      TSval received, received (allowing for rollover), which is not necessarily
      the most recently received.

5.10.

   Rollover can be handled as a special case or more completely using
   sequence number extension [RFC5925].

5.9. Authentication and Encryption (AE)

   The Authentication and Encryption (AE) option is intended to allow
   UDP to provide a similar type of authentication as the TCP
   Authentication Option (TCP-AO) [RFC5925]. AE the conventional UDP
   payload and may also cover the surplus area, depending on
   configuration. It uses the same format as specified for TCP-AO,
   except that it uses a Kind of 8. AE supports NAT traversal in a
   similar manner as TCP-AO [RFC6978]. AE can also be extended to
   provide a similar encryption capability as TCP-AO-
   ENC, TCP-AO-ENC, in a similar
   manner [To18ao].

                   +--------+--------+--------+--------+
                   | Kind=8 |  Len   |     Digest...   |
                   +--------+--------+--------+--------+
                   |          Digest (con't)...        |
                   +--------+--------+--------+--------+

                     Figure 20 16   UDP AE option format

   Like TCP-AO, AE is not negotiated in-band. Its use assumes both
   endpoints have populated Master Key Tuples (MKTs), used to exclude
   non-protected traffic.

   TCP-AO generates unique traffic keys from a hash of TCP connection
   parameters. UDP lacks a three-way handshake to coordinate
   connection-specific values, such as TCP's Initial Sequence Numbers
   (ISNs) [RFC793], thus AE's Key Derivation Function (KDF) uses zeroes
   as the value for both ISNs. This means that the AE reuses keys when
   socket pairs are reused, unlike TCP-AO.

   >> Packets with incorrect AE HMACs MUST be passed to the application
   by default, e.g., with a flag indicating AE failure.

   Like all non-UNSAFE UDP options, AE needs to be silently ignored
   when failing. This silently-ignored behavior ensures that option-
   aware receivers operate the same as legacy receivers unless
   overridden.

   In addition to the UDP payload (which is always included), AE can be
   configured to either include or exclude UDP options, the
   same surplus area, in a
   similar way as can TCP-AO. TCP-AO can optionally exclude TCP options. When
   UDP options are covered, the OCS option area checksum and AE hash
   areas are zeroed before computing the AE hash. It is important to
   consider that options not yet defined might yield unpredictable
   results if not confirmed as supported, e.g., if they were to contain
   other hashes or checksums that depend on the option area contents.
   This is why such dependencies are not permitted except as defined
   for OCS and UDP-AE.

   Similar to TCP-AO-NAT, AE can be configured to support NAT
   traversal, excluding (by zeroing out) one or both of the UDP ports
   and corresponding IP addresses [RFC6978].

6.

5.10. Echo request (REQ) and echo response (RES)

   The echo request (REQ, kind=9) and echo response (RES, kind=10)
   options provide a means for UDP options to be used to provide
   packet-level acknowledgements. Their use is described as part of the
   UDP variant of packetization layer path MTU discovery (PLPMTUD)
   [Fa19].
   [Fa20]. The options both have the format indicated in Figure 21. 17.

                  +--------+--------+------------------+
                  |  Kind  | Len=6  |      nonce       |
                  +--------+--------+------------------+
                    1 byte   1 byte       4 bytes

                Figure 21 17   UDP REQ and RES options format

6.1.

5.11. Experimental (EXP)

   The Experimental option (EXP) is reserved for experiments [RFC3692].
   It uses a Kind value of 254. Only one such value is reserved because
   experiments are expected to use an Experimental ID (ExIDs) to
   differentiate concurrent use for different purposes, using UDP ExIDs
   registered with IANA according to the approach developed for TCP
   experimental options [RFC6994].

               +----------+----------+----------+----------+
               | Kind=254 |   Len    |      UDP ExID       |
               +----------+----------+----------+----------+
               |  (option contents, as defined)...         |
               +----------+----------+----------+----------+

                     Figure 22 18   UDP EXP option format

   >> The length of the experimental option MUST be at least 4 to
   account for the Kind, Length, and the minimum 16-bit UDP ExID
   identifier (similar to TCP ExIDs [RFC6994]).

7.

   Assigned UDP EXP ExIDs and UDP UNSAFE UKind UEXP ExIDs are assigned
   from the same registry and can be used either in the EXP option or
   within the UKind UEXP (Section 5.7).

6. Rules for designing new options

   The UDP option Kind space allows for the definition of new options,
   however the currently defined options do not allow for arbitrary new
   options. For example, LITE FRAG needs to come first if present; new
   options cannot declare that they need to precede it. The following
   is a summary of rules for new options and their rationales:

   >> New options MUST NOT depend on option space content. content, excepting
   only those contained within the UNSAFE option. Only OCS and AE
   depend on the content of the options themselves and their order is
   fixed (on transmission, AE is computed first using a zero-
   checksum zero-checksum
   OCS if present, and OCS is computed last before transmission, over
   the entire option area, including AE).

   >> New UNSAFE options MUST NOT declare their order relative to other
   options, whether new can both depend on and vary option space content
   because they are contained only inside UDP fragments and thus are
   processed only by UDP option capable receivers.

   >> New options MUST NOT declare their order relative to other
   options, whether new or old.

   >> At the sender, new options MUST NOT modify UDP packet content
   anywhere except within their option field; field, excepting only those
   contained within the UNSAFE option; areas that need to remain
   unmodified include the IP header, IP options, the UDP body, the UDP
   option area (i.e., other options), and the post-option area.

   >> Options MUST NOT be modified in transit. This includes those
   already defined as well as new options. New options MUST NOT require
   or intend optionally for modification of any UDP options, including
   their new areas, in transit.

   >> New options with fixed lengths smaller than 255 or variable
   lengths that are always smaller than 255 MUST use only the default
   option format.

   Note that only certain of the initially defined options violate
   these rules:

   o  >> LITE FRAG MUST be first, if present, and MUST be processed when
      encountered (e.g., even before security options).

   o  >> LITE is the only option that modifies Only FRAG and UNSAFE options are permitted to modify the UDP
      body or option areas.

   o  >> OCS SHOULD be the first option, except in the presence of
      LITE,
      FRAG, in which case it SHOULD be the first option after LITE.

8. FRAG.

7. Option inclusion and processing

   The following rules apply to option inclusion by senders and
   processing by receivers.

   >> Senders MAY add any option, as configured by the API.

   >> All mandatory options MUST be processed by receivers, if present
   (presuming UDP options are supported at that receiver).

   >> Non-mandatory options MAY be ignored by receivers, if present,
   e.g., based on API settings.

   >> All options MUST be processed by receivers in the order
   encountered in the options list.

   >> All options except UNSAFE options MUST result in the UDP payload
   being passed to the application layer, regardless of whether all
   options are processed, supported, or succeed.

   The basic premise is that that, for options-aware endpoints, the sender
   decides what options to add and the receiver decides what options to
   handle. Simply adding an option does not force work upon a receiver,
   with the exception of the mandatory options.

   Upon receipt, the receiver checks various properties of the UDP
   packet and its options to decide whether to accept or drop the
   packet and whether to accept or ignore some its options as follows
   (in order):

           if the UDP checksum fails then
               silently drop (per RFC1122)
           if the UDP checksum passes then
               if OCS is present and fails then
                   deliver the UDP payload but ignore all other options
                   (this is required to emulate legacy behavior)
               if OCS is present and passes then
                   deliver the UDP payload after parsing
                   and processing the rest of the options

           (for other options 'OPT' when encountered in sequence):
           if both sender and receiver choose to use OPT then
               if OPT passes then
                   deliver the UDP payload after parsing
                   and processing the rest options,
                   regardless of the options
               if OPT fails then
                   silently drop the packet
               if OPT whether each is not present when received then
                   silently drop the packet
           if the sender includes OPT
           and the receiver does not indicate OPT supported or succeeds
                   (again, this is required then to emulate legacy behavior)

   The design of the receiver accepts all UDP payloads UNSAFE options as used only inside the FRAG area
   ensures that pass the resulting UDP checksum data will be silently dropped in both
   legacy and indicate for each packet
                   whether OPT succeeded, but never options-aware receivers.

   Options-aware receivers can either drop when OPT fails packets with option
   processing errors via an override of the default or at the
   application layer.

   I.e., all options other than OCS are treated the same, in that the
   transmitter can add it as desired and the receiver has the option to
   require it or not. Only if it is required (by (e.g., by API
   configuration) should the receiver require it being present and
   correct.

   I.e., for all options other than OCS:

   o  if the option is not required by the receiver, then packets
      missing the option are accepted.

   o  if the option is required (e.g., by override of the default
      behavior at the receiver) and missing or incorrectly formed,
      silently drop the packet.

   o  if the packet is accepted (either because the option is not
      required or because it was required and correct), then pass the
      option with the packet via the API.

   Any options whose length exceeds that of the UDP packet (i.e.,
   intending to use data that would have been beyond the surplus area)
   should be silently ignored (again to model legacy behavior).

9.

8. UDP API Extensions

   UDP currently specifies an application programmer interface (API),
   summarized as follows (with Unix-style command as an example)
   [RFC768]:

   o  Method to create new receive ports

       o E.g., bind(handle, recvaddr(optional), recvport)

   o  Receive, which returns data octets, source port, and source
      address

       o E.g., recvfrom(handle, srcaddr, srcport, data)

   o  Send, which specifies data, source and destination addresses, and
      source and destination ports

       o E.g., sendto(handle, destaddr, destport, data)

   This API is extended to support options as follows:

   o  Extend the method to create receive ports to include receive
      options that are required. Datagrams not containing these
      required options MUST be silently dropped and MAY MUST be silently dropped and MAY be logged.

   o  Extend the receive function to indicate the options and their
      parameters as received with the corresponding received datagram.

   o  Extend the send function to indicate the options to be added to
      the corresponding sent datagram.

   Examples of API instances for Linux and FreeBSD are provided in
   Appendix A, to encourage uniform cross-platform implementations.

9. Whose options are these?

   UDP options are indicated in an area of the IP payload that is not
   used by UDP. That area is really part of the IP payload, not the UDP
   payload, and as such, it might be tempting to consider whether this
   is a generally useful approach to extending IP.

   Unfortunately, the surplus area exists only for transports that
   include their own transport layer payload length indicator. TCP and
   SCTP include header length fields that already provide space for
   transport options by indicating the total length of the header area,
   such that the entire remaining area indicated in the network layer
   (IP) is transport payload. UDP-Lite already uses the UDP Length
   field to indicate the boundary between data covered by the transport
   checksum and data not covered, and so there is no remaining area
   where the length of the UDP-Lite payload as a whole can be indicated
   [RFC3828].

   UDP options are intended for use only by the transport endpoints.
   They are no more (or less) appropriate to be modified in-transit
   than any other portion of the transport datagram.

   UDP options are transport options. Generally, transport datagrams
   are not intended to be modified in-transit. UDP options are no
   exception and here are specified as "MUST NOT" be altered in
   transit. However, the UDP option mechanism provides no specific
   protection against in-transit modification of the UDP header, UDP
   payload, or UDP option area, except as provided by the options
   selected (e.g., OCS or AE).

10. UDP options FRAG option vs. UDP-Lite

   UDP-Lite provides partial checksum coverage, so that packets with
   errors in some locations can be logged.

   o  Extend delivered to the receive function user [RFC3828]. It
   uses a different transport protocol number (136) than UDP (17) to indicate
   interpret the options and their
      parameters UDP Length field as received with the corresponding received datagram.

   o  Extend prefix covered by the send function to indicate UDP
   checksum.

   UDP (protocol 17) already defines the options to be added to UDP Length field as the corresponding sent datagram.

   Examples limit
   of API instances for Linux and FreeBSD are the UDP checksum, but by default also limits the data provided in
   Appendix A, to encourage uniform cross-platform implementations.

10. Whose options are these?
   the application as that which precedes the UDP options are indicated in an area Length. A goal of
   UDP-Lite is to deliver data beyond UDP Length as a default, which is
   why a separate transport protocol number was required.

   UDP options do not use or need a separate transport protocol number
   because the IP payload that data beyond the UDP Length offset (surplus data) is not
   used
   provided to the application by UDP. default. That area data is really part of the IP payload, not interpreted
   exclusively within the UDP
   payload, and as such, it might be tempting transport layer.

   The UDP FRAG options option supports a similar service to consider whether this UDP-Lite.
   The main difference is a generally useful approach that UDP-Lite provides the un-checksummed
   user data to extending IP.

   Unfortunately, the surplus area exists application by default, whereas the UDP FRAG option
   can safely provide that service only for transports between endpoints that
   include their own transport layer payload length indicator. TCP and
   SCTP include header length fields
   negotiate that already provide space for
   transport capability in advance. An endpoint that does not
   implement UDP options by indicating the total length of would silently discard this non-checksummed
   user data, along with the header area,
   such that UDP options as well.

   UDP-Lite cannot support UDP options, either as proposed here or in
   any other form, because the entire remaining area indicated in payload of the network layer
   (IP) UDP packet is transport payload. UDP-Lite
   already uses the defined as user data and there is no additional field in
   which to indicate a separate area for options. The UDP Length field
   in UDP-Lite is already used to indicate the boundary between user
   data covered by the transport checksum and user data not covered, and so there is no remaining area
   where the length of the UDP-Lite payload as a whole can be indicated
   [RFC3828].

   UDP options are intended covered.

11. Interactions with Legacy Devices

   It has always been permissible for use only by the transport endpoints.
   They are no more (or less) appropriate UDP Length to be modified in-transit
   than any other portion of inconsistent
   with the IP transport datagram.

   UDP options are transport options. Generally, payload length [RFC768]. Such inconsistency
   has been utilized in UDP-Lite using a different transport datagrams
   are not intended to be modified in-transit. UDP options number.
   There are no
   exception and here are specified as "MUST NOT" be altered in
   transit. However, the known systems that use this inconsistency for UDP option mechanism provides no specific
   protection against in-transit modification of the
   [RFC3828]. It is possible that such use might interact with UDP
   options, i.e., where legacy systems might generate UDP header, datagrams
   that appear to have UDP
   payload, or options. The UDP option area, except as provided by the options
   selected (e.g., OCS or AE).

11. provides protection
   against such events and is stronger than a static "magic number".

   UDP options LITE option vs. UDP-Lite

   UDP-Lite provides partial checksum coverage, so that packets have been tested as interoperable with
   errors in some locations can be Linux, macOS, and
   Windows Cygwin, and worked through NAT devices. These systems
   successfully delivered to only the user [RFC3828]. It
   uses a different transport protocol number (136) than UDP (17) to
   interpret data indicated by the UDP
   Length field as and silently discarded the prefix covered by surplus area.

   One reported embedded device passes the entire IP datagram to the
   UDP
   checksum. application layer. Although this feature could enable
   application-layer UDP (protocol 17) already defines the option processing, it would require that
   conventional UDP Length field as the limit
   of user applications examine only the UDP checksum, but by default payload.
   This feature is also limits the data provided to inconsistent with the UDP application interface
   [RFC768] [RFC1122].

   It has been reported that Alcatel-Lucent's "Brick" Intrusion
   Detection System has a default configuration that interprets
   inconsistencies between UDP Length and IP Length as an attack to be
   reported. Note that which precedes the other firewall systems, e.g., CheckPoint, use a
   default "relaxed UDP Length. A goal length verification" to avoid falsely
   interpreting this inconsistency as an attack.

   (TBD: test with UDP checksum offload and UDP fragmentation offload)

12. Options in a Stateless, Unreliable Transport Protocol

   There are two ways to interpret options for a stateless, unreliable
   protocol -- an option is either local to the message or intended to
   affect a stream of
   UDP-Lite messages in a soft-state manner. Either
   interpretation is to deliver data beyond valid for defined UDP Length as a default, which options.

   It is
   why impossible to know in advance whether an endpoint supports a separate transport protocol number was required.
   UDP option.

   >> All UDP options do other than UNSAFE ones MUST be ignored if not use
   supported or need a separate transport protocol number
   because the data beyond upon failure (e.g., ACS).

   >> All UDP options that fail MUST result in the UDP Length offset (surplus data) is not
   provided data still being
   sent to the application layer by default. That data is interpreted
   exclusively within the UDP transport layer.

   The LITE default, to ensure equivalence with
   legacy devices.

   >> UDP options option supports a similar service to UDP-Lite. that rely on soft-state exchange MUST allow for
   message reordering and loss.

   The main difference is above requirements prevent using any option that UDP-Lite provides cannot be
   safely ignored unless it is hidden inside the un-checksummed
   user data FRAG area (i.e.,
   UNSAFE options). Legacy systems also always need to be able to
   interpret the application by default, whereas the LITE transport payload fragments as individual transport
   datagrams.

13. UDP option Option State Caching

   Some TCP connection parameters, stored in the TCP Control Block, can safely provide that service only
   be usefully shared either among concurrent connections or between endpoints that
   negotiate that capability
   connections in advance. An endpoint that does not
   implement sequence, known as TCP Sharing [RFC2140][To20cb].
   Although UDP is stateless, some of the options would silently discard proposed herein may
   have similar benefit in being shared or cached. We call this UCB
   Sharing, or UDP Control Block Sharing, by analogy.

   [TBD: extend this non-checksummed
   user data, section to indicate which options MAY vs. MUST NOT
   be shared and how, e.g., along with the UDP options as well.

   UDP-Lite cannot support UDP options, either lines of To20cb]

14. Updates to RFC 768

   This document updates RFC 768 as proposed here or in
   any other form, because follows:

   o  This document defines the entire payload meaning of the UDP packet is
   already defined as user data and there is no additional field in
   which to indicate a separate IP payload area for options. The UDP Length field
   in UDP-Lite is already used to indicate beyond
      the boundary between user
   data covered by UDP length but within the checksum and user data not covered.

12. Interactions with Legacy Devices

   It has always been permissible for IP length.

   o  This document extends the UDP Length API to be inconsistent support the use of options.

15. Interactions with other RFCs (and drafts)

   This document clarifies the interaction between UDP length and IP transport payload
   length [RFC768]. Such inconsistency
   has been utilized in UDP-Lite using a different transport number.
   There are no known systems that use this inconsistency for UDP
   [RFC3828]. It is possible that such use might interact with UDP
   options, i.e., where legacy systems might generate UDP datagrams
   that appear to have UDP options. The not explicitly constrained in either UDP OCS provides protection
   against such events and is stronger than or the host
   requirements [RFC768] [RFC1122].

   Teredo extensions (TE) define use of a static "magic number". similar surplus area for
   trailers [RFC6081]. TE defines the UDP options have been tested as interoperable with Linux, macOS, and
   Windows Cygwin, and worked through NAT devices. These systems
   successfully delivered only length pointing beyond
   (larger) than the user data location indicated by the UDP IP length rather than
   shorter (as used herein):

      "..the IPv6 packet length (i.e., the Payload Length field and silently discarded value in
       the surplus area.

   One reported embedded device passes IPv6 header plus the entire IP datagram IPv6 header size) is less than or
       equal to the UDP application layer. Although this feature could enable
   application-layer UDP option processing, it would require that
   conventional payload length (i.e., the Length value in
       the UDP user applications examine only header minus the UDP payload.
   This feature header size)"

   As a result, UDP options are not compatible with TE, but that is
   also inconsistent with why this document does not update TE. Additionally, it is not
   at all clear how TE operates, as it requires network processing of
   the UDP application interface
   [RFC768] [RFC1122].

   It has been reported that Alcatel-Lucent's "Brick" Intrusion
   Detection System has a default configuration that interprets
   inconsistencies between length field to understand the total message including TE
   trailers.

   TE updates Teredo NAT traversal [RFC4380]. The NAT traversal
   document defined "consistency" of UDP Length length and IP Length as an attack to be
   reported. Note that other firewall systems, e.g., CheckPoint, use a
   default "relaxed UDP length verification" as:

      "An IPv6 packet is deemed valid if it conforms to avoid falsely
   interpreting this inconsistency as [RFC2460]:
       the protocol identifier should indicate an attack.

   (TBD: test with UDP checksum offload IPv6 packet and
       the payload length should be consistent with the length of
       the UDP fragmentation offload)

13. Options datagram in a Stateless, Unreliable Transport Protocol

   There are two ways to interpret options which the packet is encapsulated."

   IPv6 is clear on the meaning of this consistency, in which the
   pseudoheader used for a stateless, unreliable
   protocol -- an option UDP checksums is based on the UDP length, not
   inferred from the IP length, using the same text in the current
   specification [RFC8200]:

      "The Upper-Layer Packet Length in the pseudo-header is either local to the message or intended to
   affect a stream
       length of messages the upper-layer header and data (e.g., TCP header
       plus TCP data).  Some upper-layer protocols carry their own
       length information (e.g., the Length field in a soft-state manner. Either
   interpretation is valid for defined the UDP options.

   It header);
       for such protocols, that is impossible to know the length used in advance whether an endpoint supports a
   UDP option.

   >> UDP options MUST allow for silent failure on first receipt.

   >> the pseudo-
       header."

   This document hereby deprecates the requirement asserted in the UDP options that rely on soft-state exchange MUST allow
   profile for
   message reordering and loss.

   >> A Robust Header Compression (ROHC)[RFC3095], noted here:

      "The Length field of the UDP option header MUST match the Length
       field(s) of the preceding subheaders, i.e., there must not
       be silently optional until confirmed by
   exchange with an endpoint.

   The above requirements prevent using any option that cannot be
   safely ignored unless padding after the UDP payload that capability has been negotiated with an
   endpoint in advance for a socket pair. Legacy systems would need is covered by the
       IP Length."

   ROHC relies on this "matching" of values to
   be able avoid needing to interpret the transport payload fragments as individual
   transport datagrams.

14. UDP Option State Caching

   Some TCP connection parameters, stored in
   transmit both the TCP Control Block, can
   be usefully shared either among concurrent connections or between
   connections in sequence, known as TCP Sharing [RFC2140][To19cb].
   Although IP length and UDP length fields, even though this
   is stateless, some not a strict requirement of UDP [RFC768] or host requirements
   [RFC1122] and these preexisting standards were not updated by the options proposed herein may
   have similar benefit
   ROHC specification. Section A.1.3 of that document is hereby updated
   to allow for UDP length to vary per packet, so that the UDP length
   in being shared or cached. We call the table is "CHANGING" rather than "INFERRED". The text that
   describes the UDP length field this UCB
   Sharing, or is updated to:

         This field is changing as allowed by UDP Control Block Sharing, [RFC768] and used
         by analogy.

   [TBD: extend this section to indicate which both UDP options MAY vs. MUST NOT
   be shared [RFC-TBD] and how, e.g., along the lines of To19cb]

15. Updates to RFC 768

   This document updates RFC 768 Teredo extensions [RFC6081]
         and is therefore classified as follows:

   o  This document defines the meaning CHANGING.

   The issue of the IP payload area beyond handling UDP header compression has already been
   correctly described in more recent specifications, e.g., Sec. 10.10
   of Static Context Header Compression [RFC8724]. In that description,
   the UDP length but within can be compressed out of a packet only when it can be
   correctly inferred from the IP length.

   o  This document extends UDP length, i.e., when neither UDP
   options nor Teredo extensions are present:

      "The parser MUST NOT label this field unless the UDP API to support Length value
       matches the use of options. Payload Length value from the IPv6 header."

16. Multicast Considerations

   UDP options are primarily intended for unicast use. Using these
   options over multicast IP requires careful consideration, e.g., to
   ensure that the options used are safe for different endpoints to
   interpret differently (e.g., either to support or silently ignore)
   or to ensure that all receivers of a multicast group confirm support
   for the options in use.

17. Security Considerations

   The use of UDP packets with inconsistent IP and UDP Length fields
   has the potential to trigger a buffer overflow error if not properly
   handled, e.g., if space is allocated based on the smaller field and
   copying is based on the larger. However, there have been no reports
   of such vulnerability and it would rely on inconsistent use of the
   two fields for memory allocation and copying.

   UDP options are not covered by DTLS (datagram transport-layer
   security). Despite the name, neither TLS [RFC8446] (transport layer
   security, for TCP) nor DTLS [RFC6347] (TLS for UDP) protect the
   transport layer. Both operate as a shim layer solely on the payload
   of transport packets, protecting only their contents. Just as TLS
   does not protect the TCP header or its options, DTLS does not
   protect the UDP header or the new options introduced by this
   document. Transport security is provided in TCP by the TCP
   Authentication Option (TCP-AO [RFC5925]) or in UDP by the
   Authentication Extension option (Section 5.10). 5.9). Transport headers are
   also protected as payload when using IP security (IPsec) [RFC4301].

   UDP options use the TLV syntax similar to that of TCP. This syntax
   is known to require serial processing and may pose a DOS risk, e.g.,
   if an attacker adds large numbers of unknown options that must be
   parsed in their entirety. Implementations concerned with the
   potential for this vulnerability MAY implement only the required
   options and MAY also limit processing of TLVs. Because required
   options come first and at most once each (with the exception of
   NOPs, which should never need to come in sequences of more than
   three in a row), this limits their DOS impact. Note

   UDP security should never rely solely on transport layer processing
   of options. UNSAFE options are the only type that when a
   packet's share fate with
   the UDP data, because of the way that data is hidden in the surplus
   area until after those options cannot are processed. All other options
   default to being silently ignored at the transport layer but may be processed,
   dropped either if that default is overridden (e.g., by
   configuration) or discarded at the application layer (e.g., using
   information about the options processed that are passed along with
   the packet).

   UDP fragmentation introduces its own set of security concerns, which
   can be handled in a manner similar to IP fragmentation. In
   particular, the number of packets pending reassembly and effort used
   for reassembly is typically limited. In addition, it MUST may be discarded; the
   packet and its options useful
   to assume a reasonable minimum fragment size, e.g., that non-
   terminal fragments should always share the same fate. never be smaller than 500 bytes.

18. IANA Considerations

   Upon publication, IANA is hereby requested to create a new registry
   for UDP Option Kind numbers, similar to that for TCP Option Kinds.
   Initial values of this registry are as listed in Section 5.
   Additional values in this registry are to be assigned from the
   UNASSIGNED values in Section 5 in by IESG Approval or Standards Action
   [RFC8126]. Those assignments are subject to the conditions set forth
   in this document, particularly (but not limited to) those in Section
   7.
   6.

   Upon publication, IANA is hereby requested to create a new registry
   for UDP Experimental Option Experiment Identifiers (UDP ExIDs) for
   use in a similar manner as TCP ExIDs [RFC6994]. UDP ExIDs can be
   used in either the UDP EXP option or the UDP UNSAFE option when
   using UKind=UEXP. This registry is initially empty. Values in this
   registry are to be assigned by IANA using first-come, first-served
   (FCFS) rules [RFC8126]. Options using these ExIDs are subject to the
   same conditions as new options, i.e., they too are subject to the
   conditions set forth in this document, particularly (but not limited
   to) those in Section 7. 6.

   Upon publication, IANA is hereby requested to create a new registry
   for UDP UNSAFE UKind numbers. There are no initial assignments in
   this registry. Values in this registry are to be assigned from the
   UNASSIGNED values in Section 5.7 by IESG Approval or Standards
   Action [RFC8126]. Those assignments are subject to the conditions
   set forth in this document, particularly (but not limited to) those
   in Section 6.

19. References

19.1. Normative References

   [Fa19]

   [Fa20]    Fairhurst, G., T. Jones, M. Tuexen, I. Ruengeler, T.
             Voelker, "Packetization Layer Path MTU Discovery for
             Datagram Transports," draft-ietf-tsvwg-datagram-plpmtud,
             Feb. 2019.

   [RFC2119] Bradner, S., "Key words "Datagram PLPMTUD for use in RFCs to Indicate
             Requirement Levels," BCP 14, RFC 2119, March 1997. UDP
             Options," draft-fairhurst-tsvwg-udp-options-dplpmtud, Mar.
             2020.

   [RFC768]  Postel, J., "User Datagram Protocol," RFC 768, August
             1980.

   [RFC791]  Postel, J., "Internet Protocol," RFC 791, Sept. 1981.

   [RFC1122] Braden, R., Ed., "Requirements for Internet Hosts --
             Communication Layers," RFC 1122, Oct. 1989.

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels," BCP 14, RFC 2119, March 1997.

   [RFC3095] Bormann, C. (Ed), et al., "RObust Header Compression
             (ROHC): Framework and four profiles: RTP, UDP, ESP, and
             uncompressed," RFC 3095, July 2001.

   [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
             2119 Key Words," RFC 2119, May 2017.

19.2. Informative References

   [Fa18]    Fairhurst, G., T. Jones, R. Zullo, "Checksum Compensation
             Options for UDP Options", draft-fairhurst-udp-options-cco,
             Oct. 2018.

   [Hi15]    Hildebrand, J., B. Trammel, "Substrate Protocol for User
             Datagrams (SPUD) Prototype," draft-hildebrand-spud-
             prototype-03, Mar. 2015.

   [RFC793]  Postel, J., "Transmission Control Protocol" RFC 793,
             September 1981.

   [RFC1191] Mogul, J., S. Deering, "Path MTU discovery," RFC 1191,
             November 1990.

   [RFC2140] Touch, J., "TCP Control Block Interdependence," RFC 2140,
             Apr. 1997.

   [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery," RFC
             2923, September 2000.

   [RFC3385] Sheinwald, D., J. Satran, P. Thaler, V. Cavanna, "Internet
             Protocol Small Computer System Interface (iSCSI) Cyclic
             Redundancy Check (CRC)/Checksum Considerations," RFC 3385,
             Sep. 2002.

   [RFC3692] Narten, T., "Assigning Experimental and Testing Numbers
             Considered Useful," RFC 3692, Jan. 2004.

   [RFC3828] Larzon, L-A., M. Degermark, S. Pink, L-E. Jonsson (Ed.),
             G. Fairhurst (Ed.), "The Lightweight User Datagram
             Protocol (UDP-Lite)," RFC 3828, July 2004.

   [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
             Internet Protocol", RFC 4301, Dec. 2005.

   [RFC4340] Kohler, E., M. Handley, and S. Floyd, "Datagram Congestion
             Control Protocol (DCCP)", RFC 4340, March 2006.

   [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through
             Network Address Translations (NATs)," RFC 4380, Feb. 2006.

   [RFC4960] Stewart, R. (Ed.), "Stream Control Transmission Protocol",
             RFC 4960, September 2007.

   [RFC5925] Touch, J., A. Mankin, R. Bonica, "The TCP Authentication
             Option," RFC 5925, June 2010.

   [RFC6081] Thaler, D., "Teredo Extensions," RFC 6081, Jan 2011.

   [RFC6347] Rescorla, E., N. Modadugu, "Datagram Transport Layer
             Security Version 1.2," RFC 6347, Jan. 2012.

   [RFC6691] Borman, D., "TCP Options and Maximum Segment Size (MSS),"
             RFC 6691, July 2012.

   [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT
             Traversal", RFC 6978, July 2013.

   [RFC6994] Touch, J., "Shared Use of Experimental TCP Options," RFC
             6994, Aug. 2013.

   [RFC7323] Borman, D., R. Braden, V. Jacobson, R. Scheffenegger
             (Ed.), "TCP Extensions for High Performance," RFC 7323,
             Sep. 2014.

   [RFC8085] Eggert, L., G. Fairhurst, G. Shepherd, "UDP Usage
             Guidelines," RFC 8085, Feb. 2017.

   [RFC8126] Cotton, M., B. Leiba, T. Narten, "Guidelines for Writing
             an IANA Considerations Section in RFCs," RFC 8126, June
             2017.

   [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
             2119 Key Words," RFC 2119, May 2017.

   [RFC8200] Deering, S., R. Hinden, "Internet Protocol Version 6
             (IPv6) Specification," RFC 8200, Jul. 2017.

   [RFC8201] McCann, J., S. Deering, J. Mogul, R. Hinden (Ed.), "Path
             MTU Discovery for IP version 6," RFC 8201, Jul. 2017.

   [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
             Version 1.3," RFC 8446, Aug. 2018.

   [To18ao]  Touch, J., "A TCP Authentication Option Extension for
             Payload Encryption," draft-touch-tcp-ao-encrypt, Jul.
             2018.

   [To19cb]

   [To20cb]  Touch, J., M. Welzl, S. Islam, J. You, "TCP Control Block
             Interdependence," draft-touch-tcpm-2140bis, Jan. 2019.

   [Tr16]    Trammel, B. (Ed.), M. Kuelewind (Ed.), "Requirements for
             the design of a Substrate Protocol for User Datagrams
             (SPUD)," draft-trammell-spud-req-04, May 2016. Apr. 2020.

20. Acknowledgments

   This work benefitted from feedback from Bob Briscoe, Ken Calvert,
   Ted Faber, Gorry Fairhurst, Fairhurst (including OCS for misbehaving middlebox
   traversal), C. M. Heard (including combining previous FRAG and LITE
   options into the FRAG/LITE
   combination), new FRAG), Tom Herbert, and Mark Smith, as well as
   discussions on the IETF TSVWG and SPUD email lists.

   This work was partly supported by USC/ISI's Postel Center.

   This document was prepared using 2-Word-v2.0.template.dot.

Authors' Addresses

   Joe Touch
   Manhattan Beach, CA 90266 USA

   Phone: +1 (310) 560-0334
   Email: touch@strayalpha.com

Appendix A. Implementation Information

   The following information is provided to encourage interoperable API
   implementations.

   System-level variables (sysctl):

           Name                   default   meaning
           ----------------------------------------------------
           net.ipv4.udp_opt       0         UDP options available
           net.ipv4.udp_opt_ocs   1         Default include OCS
           net.ipv4.udp_opt_acs   0         Default include ACS
           net.ipv4.udp_opt_lite  0         Default include LITE
           net.ipv4.udp_opt_mss   0         Default include MSS
           net.ipv4.udp_opt_time  0         Default include TIME
           net.ipv4.udp_opt_frag  0         Default include FRAG
           net.ipv4.udp_opt_ae    0         Default include AE

   Socket options (sockopt), cached for outgoing datagrams:

           Name           meaning
           ----------------------------------------------------
           UDP_OPT        Enable UDP options (at all)
           UDP_OPT_OCS    Enable UDP OCS option
           UDP_OPT_ACS    Enable UDP ACS option
           UDP_OPT_LITE   Enable UDP LITE option
           UDP_OPT_MSS    Enable UDP MSS option
           UDP_OPT_TIME   Enable UDP TIME option
           UDP_OPT_FRAG   Enable UDP FRAG option
           UDP_OPT_AE     Enable UDP AE option

   Send/sendto parameters:

   (TBD - currently using cached parameters)

   Connection parameters (per-socketpair cached state, part UCB):

           Name          Initial value
           ----------------------------------------------------
           opts_enabled  net.ipv4.udp_opt
           ocs_enabled   net.ipv4.udp_opt_ocs

   The following option is included for debugging purposes, and MUST
   NOT be enabled otherwise.

   System variables

   net.ipv4.udp_opt_junk   0
   System-level variables (sysctl):

           Name                   default   meaning
           ----------------------------------------------------
           net.ipv4.udp_opt_junk  0         Default use of junk

   Socket options (sockopt):

           Name          params   meaning
           ------------------------------------------------------
           UDP_JUNK      -        Enable UDP junk option
           UDP_JUNK_VAL  fillval  Value to use as junk fill
           UDP_JUNK_LEN  length   Length of junk payload in bytes

   Connection parameters (per-socketpair cached state, part UCB):

           Name          Initial value
           ----------------------------------------------------
           junk_enabled  net.ipv4.udp_opt_junk
           junk_value    0xABCD
           junk_len      4