draft-ietf-tsvwg-udp-options-12.txt   draft-ietf-tsvwg-udp-options-13.txt 
TSVWG J. Touch TSVWG J. Touch
Internet Draft Independent consultant Internet Draft Independent consultant
Intended status: Standards Track May 2, 2021 Intended status: Standards Track June 19, 2021
Intended updates: 768 Intended updates: 768
Expires: November 2021 Expires: December 2021
Transport Options for UDP Transport Options for UDP
draft-ietf-tsvwg-udp-options-12.txt draft-ietf-tsvwg-udp-options-13.txt
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. This document may not be modified, provisions of BCP 78 and BCP 79. This document may not be modified,
and derivative works of it may not be created, except to format it and derivative works of it may not be created, except to format it
for publication as an RFC or to translate it into languages other for publication as an RFC or to translate it into languages other
than English. than English.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
skipping to change at page 1, line 35 skipping to change at page 1, line 35
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress." reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on November 2, 2021. This Internet-Draft will expire on December 19, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 24 skipping to change at page 2, line 24
Table of Contents Table of Contents
1. Introduction...................................................3 1. Introduction...................................................3
2. Conventions used in this document..............................3 2. Conventions used in this document..............................3
3. Background.....................................................3 3. Background.....................................................3
4. The UDP Option Area............................................4 4. The UDP Option Area............................................4
5. UDP Options....................................................8 5. UDP Options....................................................8
5.1. End of Options List (EOL).................................9 5.1. End of Options List (EOL).................................9
5.2. No Operation (NOP).......................................10 5.2. No Operation (NOP).......................................10
5.3. Option Checksum (OCS)....................................10 5.3. Option Checksum (OCS)....................................11
5.4. Alternate Checksum (ACS).................................12 5.4. Alternate Checksum (ACS).................................12
5.5. Fragmentation (FRAG).....................................13 5.5. Fragmentation (FRAG).....................................13
5.6. Maximum Segment Size (MSS)...............................16 5.6. Maximum Segment Size (MSS)...............................17
5.7. Maximum Reassembled Segment Size (MRSS)..................17 5.7. Maximum Reassembled Segment Size (MRSS)..................18
5.8. Unsafe (UNSAFE)..........................................17 5.8. Unsafe (UNSAFE)..........................................18
5.9. Timestamps (TIME)........................................18 5.9. Timestamps (TIME)........................................19
5.10. Authentication and Encryption (AE)......................19 5.10. Authentication (AUTH)...................................20
5.11. Echo request (REQ) and echo response (RES)..............21 5.11. Echo request (REQ) and echo response (RES)..............21
5.12. Experimental (EXP)......................................21 5.12. Experimental (EXP)......................................22
6. Rules for designing new options...............................22 6. Rules for designing new options...............................23
7. Option inclusion and processing...............................23 7. Option inclusion and processing...............................24
8. UDP API Extensions............................................24 8. UDP API Extensions............................................25
9. Whose options are these?......................................25 9. Whose options are these?............Error! Bookmark not defined.
10. UDP options FRAG option vs. UDP-Lite.........................26 10. UDP options FRAG option vs. UDP-Lite.........................27
11. Interactions with Legacy Devices.............................26 11. Interactions with Legacy Devices.............................27
12. Options in a Stateless, Unreliable Transport Protocol........27 12. Options in a Stateless, Unreliable Transport Protocol........28
13. UDP Option State Caching.....................................28 13. UDP Option State Caching.....................................28
14. Updates to RFC 768...........................................28 14. Updates to RFC 768...........................................29
15. Interactions with other RFCs (and drafts)....................28 15. Interactions with other RFCs (and drafts)....................29
16. Multicast Considerations.....................................29 16. Multicast Considerations.....................................30
17. Security Considerations......................................30 17. Security Considerations......................................30
18. IANA Considerations..........................................31 18. IANA Considerations..........................................32
19. References...................................................31 19. References...................................................32
19.1. Normative References....................................31 19.1. Normative References....................................32
19.2. Informative References..................................32 19.2. Informative References..................................33
20. Acknowledgments..............................................34 20. Acknowledgments..............................................35
Appendix A. Implementation Information...........................35 Appendix A. Implementation Information...........................36
1. Introduction 1. Introduction
Transport protocols use options as a way to extend their Transport protocols use options as a way to extend their
capabilities. TCP [RFC793], SCTP [RFC4960], and DCCP [RFC4340] capabilities. TCP [RFC793], SCTP [RFC4960], and DCCP [RFC4340]
include space for these options but UDP [RFC768] currently does not. include space for these options but UDP [RFC768] currently does not.
This document defines an extension to UDP that provides space for This document defines an extension to UDP that provides space for
transport options including their generic syntax and semantics for transport options including their generic syntax and semantics for
their use in UDP's stateless, unreliable message protocol. their use in UDP's stateless, unreliable message protocol.
skipping to change at page 7, line 26 skipping to change at page 7, line 26
and no larger than the IP transport payload. Datagrams with length and no larger than the IP transport payload. Datagrams with length
values outside this range MUST be silently dropped as invalid and values outside this range MUST be silently dropped as invalid and
logged where rate-limiting permits. logged where rate-limiting permits.
>> Option Lengths (or Extended Lengths, where applicable) smaller >> Option Lengths (or Extended Lengths, where applicable) smaller
than the minimum for the corresponding Kind and default format MUST than the minimum for the corresponding Kind and default format MUST
be treated as an error. Such errors call into question the remainder be treated as an error. Such errors call into question the remainder
of the option area and thus MUST result in all UDP options being of the option area and thus MUST result in all UDP options being
silently discarded. silently discarded.
>> Any UDP option whose length is only smaller than 255 MUST always >> Any UDP option whose length smaller than 255 MUST use the UDP
use the UDP option default format shown in Figure 4, excepting only option default format shown in Figure 4, excepting only EOL and NOP.
EOL and NOP.
>> Any UDP option whose length can be larger than 254 MUST always >> Any UDP option whose length is larger than 254 MUST use the UDP
use the UDP option extended default format shown in Figure 5, option extended default format shown in Figure 5.
including UNSAFE and EXP.
I.e., a UDP option always uses only the default format or the I.e., a UDP option always uses the smallest option format, based on
extended default format, depending on whether its length is only the length it uses in each instance.
ever smaller than 255 or not.
>> Options using the extended option format MUST indicate extended
lengths of 255 or higher; smaller extended length values MUST be
treated as an error.
Others have considered using values of the UDP Length that is larger Others have considered using values of the UDP Length that is larger
than the IP transport payload as an additional type of signal. Using than the IP transport payload as an additional type of signal. Using
a value smaller than the IP transport payload is expected to be a value smaller than the IP transport payload is expected to be
backward compatible with existing UDP implementations, i.e., to backward compatible with existing UDP implementations, i.e., to
deliver the UDP Length of user data to the application and silently deliver the UDP Length of user data to the application and silently
ignore the additional surplus area data. Using a value larger than ignore the additional surplus area data. Using a value larger than
the IP transport payload would either be considered malformed (and the IP transport payload would either be considered malformed (and
be silently dropped) or could cause buffer overruns, and so is not be silently dropped) or could cause buffer overruns, and so is not
considered silently and safely backward compatible. Its use is thus considered silently and safely backward compatible. Its use is thus
out of scope for the extension described in this document. out of scope for the extension described in this document.
>> UDP options MUST be interpreted in the order in which they occur >> UDP options MUST be interpreted in the order in which they occur
in the UDP option area. in the UDP option area.
Note that a receiver can compute the OCS checksum before processing
any UDP options, but that computation would assume OCS is used and
would not be verified until the OCS option is interpreted.
5. UDP Options 5. UDP Options
The following UDP options are currently defined: The following UDP options are currently defined:
Kind Length Meaning Kind Length Meaning
---------------------------------------------- ----------------------------------------------
0* - End of Options List (EOL) 0* - End of Options List (EOL)
1* - No operation (NOP) 1* - No operation (NOP)
2* 3 Option checksum (OCS) 2* 4 Option checksum (OCS)
3* 6 Alternate checksum (ACS) 3* 6 Alternate checksum (ACS)
4* 10/12 Fragmentation (FRAG) 4* 10/12 Fragmentation (FRAG)
5* 4 Maximum segment size (MSS) 5* 4 Maximum segment size (MSS)
6* 4 Maximum reassembled segment size (MRSS) 6* 4 Maximum reassembled segment size (MRSS)
7* (varies) Unsafe to ignore (UNSAFE) options 7* (varies) Unsafe to ignore (UNSAFE) options
8 10 Timestamps (TIME) 8 10 Timestamps (TIME)
9 (varies) Authentication and Encryption (AE) 9 (varies) Authentication (AUTH)
10 6 Request (REQ) 10 6 Request (REQ)
11 6 Response (RES) 11 6 Response (RES)
12-126 (varies) UNASSIGNED (assignable by IANA) 12-126 (varies) UNASSIGNED (assignable by IANA)
127-253 RESERVED 127-253 RESERVED
254 (varies) RFC 3692-style experiments (EXP) 254 (varies) RFC 3692-style experiments (EXP)
255 RESERVED 255 RESERVED
These options are defined in the following subsections. Options 0 These options are defined in the following subsections. Options 0
and 1 use the same values as for TCP. and 1 use the same values as for TCP.
skipping to change at page 9, line 5 skipping to change at page 9, line 10
>> Receivers supporting UDP options MUST silently drop the entire >> Receivers supporting UDP options MUST silently drop the entire
datagram containing an UNSAFE option when any UNSAFE option it datagram containing an UNSAFE option when any UNSAFE option it
contains is unknown. See Section 5.8 for further discussion of contains is unknown. See Section 5.8 for further discussion of
UNSAFE options. UNSAFE options.
>> Except for NOP, each option SHOULD NOT occur more than once in a >> Except for NOP, each option SHOULD NOT occur more than once in a
single UDP datagram. If an option other than NOP occurs more than single UDP datagram. If an option other than NOP occurs more than
once, a receiver MUST interpret only the first instance of that once, a receiver MUST interpret only the first instance of that
option and MUST ignore all others. option and MUST ignore all others.
>> Only the OCS and AE options depend on the contents of the option >> Only the OCS, AUTH, and ENCR options depend on the contents of
area. AE is always computed as if the AE hash and OCS checksum are the option area. AUTH and ENCR are never used together. AUTH/ENCR
zero; OCS is always computed as if the OCS checksum is zero and are always computed as if their hash and OCS checksum are zero; OCS
after the AE hash has been computed. Future options MUST NOT be is always computed as if the OCS checksum is zero and after the
defined as having a value dependent on the contents of the option AUTH/ENCR hash has been computed. Future options MUST NOT be defined
area. Otherwise, interactions between those values, OCS, and AE as having a value dependent on the contents of the option area.
Otherwise, interactions between those values, OCS, and AUTH/ENCR
could be unpredictable. could be unpredictable.
Receivers cannot treat unexpected option lengths as invalid, as this Receivers cannot generally treat unexpected option lengths as
would unnecessarily limit future revision of options (e.g., defining invalid, as this would unnecessarily limit future revision of
a new ACS that is defined by having a different length). options (e.g., defining a new ACS that is defined by having a
different length). The exception is only for lengths that imply a
physical impossibility, e.g., smaller than two for conventional
options and four for extended length options. Impossible lengths
should indicate a malformed option area and all options silently
discarded. Lengths other than expected should result in safe options
being ignored and that length skipped over, as with any other
unknown safe option.
>> Option lengths MUST NOT exceed the IP length of the packet. If >> Option lengths MUST NOT exceed the IP length of the packet. If
this occurs, the packet MUST be treated as malformed and dropped, this occurs, the packet MUST be treated as malformed and dropped,
and the event MAY be logged for diagnostics (logging SHOULD be rate and the event MAY be logged for diagnostics (logging SHOULD be rate
limited). limited).
>> Options with fixed lengths MUST use the default option format.
>> Options with variable lengths MUST use the default option format
where their total length is 254 bytes or less.
>> Options using the extended option format MUST indicate extended
lengths of 255 or higher; smaller extended length values MUST be
treated as an error.
>> "Must-support" options other than NOP and EOL MUST come before >> "Must-support" options other than NOP and EOL MUST come before
other options. other options.
The requirement that must-support options come before others is The requirement that must-support options come before others is
intended to allow for endpoints to implement DOS protection, as intended to allow for endpoints to implement DOS protection, as
discussed further in Section 17. discussed further in Section 17.
5.1. End of Options List (EOL) 5.1. End of Options List (EOL)
The End of Options List (EOL) option indicates that there are no The End of Options List (EOL) option indicates that there are no
skipping to change at page 10, line 8 skipping to change at page 10, line 14
+--------+ +--------+
| Kind=0 | | Kind=0 |
+--------+ +--------+
Figure 6 UDP EOL option format Figure 6 UDP EOL option format
>> When the UDP options do not consume the entire option area, the >> When the UDP options do not consume the entire option area, the
last non-NOP option MUST be EOL. last non-NOP option MUST be EOL.
>> All bytes in the surplus area after EOL MUST be zero. If these >> All bytes in the surplus area after EOL MUST be set to zero on
bytes are non-zero, the entire surplus area MUST be silently ignored transmit.
and only the UDP data passed to the user with an adjusted UDP length
to indicate that no options were present. >> Bytes after EOL in the surplus area MAY be checked as being zero
on receipt but MUST be treated as zero regardless of their content
and are not passed to the user (e.g., as part of the UDP option
area).
Requiring the post-option surplus area to be zero prevents side- Requiring the post-option surplus area to be zero prevents side-
channel uses of this area, requiring instead that all use of the channel uses of this area, requiring instead that all use of the
surplus area be UDP options supported by both endpoints. It is surplus area be UDP options supported by both endpoints. It is
useful to allow for such padding to increase the packet length useful to allow for such padding to increase the packet length
without affecting the payload length, e.g., for UDP DPLPMTUD [Fa21]. without affecting the payload length, e.g., for UDP DPLPMTUD [Fa21].
5.2. No Operation (NOP) 5.2. No Operation (NOP)
The No Operation (NOP) option is a one byte placeholder, intended to The No Operation (NOP) option is a one byte placeholder, intended to
skipping to change at page 10, line 35 skipping to change at page 10, line 44
+--------+ +--------+
| Kind=1 | | Kind=1 |
+--------+ +--------+
Figure 7 UDP NOP option format Figure 7 UDP NOP option format
>> If options longer than one byte are used, NOP options SHOULD be >> If options longer than one byte are used, NOP options SHOULD be
used at the beginning of the UDP options area to achieve alignment used at the beginning of the UDP options area to achieve alignment
as would be more efficient for active (i.e., non-NOP) options. as would be more efficient for active (i.e., non-NOP) options.
>> Segments SHOULD NOT use more than three consecutive NOPs. NOPs >> Segments SHOULD NOT use more than seven consecutive NOPs, i.e.,
are intended to assist with alignment, not other padding or fill. to support alignment up to 8-byte boundaries. NOPs are intended to
assist with alignment, not as other padding or fill.
This issue is discussed further in Section 17. This issue is discussed further in Section 17.
5.3. Option Checksum (OCS) 5.3. Option Checksum (OCS)
The Option Checksum (OCS) option is conventional Internet checksum The Option Checksum (OCS) option is conventional Internet checksum
[RFC791] that covers all of the surplus area and a pseudoheader [RFC791] that covers all of the surplus area and a pseudoheader
composed of the 16-bit length of the surplus area (Figure 8). The composed of the 16-bit length of the surplus area (Figure 8). The
primary purpose of OCS is to detect non-standard (i.e., non-option) primary purpose of OCS is to detect non-standard (i.e., non-option)
uses of that area. The surplus area pseudoheader is included to uses of that area. The surplus area pseudoheader is included to
enable traversal of errant middleboxes that incorrectly compute the enable traversal of errant middleboxes that incorrectly compute the
UDP checksum over the entire IP payload rather than only the UDP UDP checksum over the entire IP payload rather than only the UDP
payload [Fa18]. payload [Fa18].
The OCS is calculated by computing the Internet checksum over the The OCS is calculated by computing the Internet checksum over the
surplus area and surplus length pseudoheader. The OCS protects the entire surplus area and surplus length pseudoheader. The OCS
option area from errors in a similar way that the UDP checksum protects the option area from errors in a similar way that the UDP
protects the UDP user data (when not zero). checksum protects the UDP user data (when not zero).
+--------+--------+ +--------+--------+
| surplus length | | surplus length |
+--------+--------+ +--------+--------+
Figure 8 UDP surplus length pseudoheader Figure 8 UDP surplus length pseudoheader
+--------+--------+--------+ +--------+--------+--------+--------+
| Kind=2 | checksum | | Kind=2 | Len=4 | checksum |
+--------+--------+--------+ +--------+--------+--------+--------+
Figure 9 UDP OCS option format Figure 9 UDP OCS option format
>> The OCS MUST be included when the UDP checksum is nonzero and UDP >> The OCS MUST be included when the UDP checksum is nonzero and UDP
options are present. options are present.
UDP checksums can be zero for IPv4 [RFC791], but not typically when
used with IPv6 [RFC8200]. Even for IPv6 use, there remains an
exception for cases where UDP is a payload already covered by a
checksum, as might occur for tunnels [RFC6935], notably to reduce
the need for checksum computation that does not provide additional
protection, which is why the same exception applies to OCS.
>> When present, the OCS SHOULD occur as early as possible, preceded >> When present, the OCS SHOULD occur as early as possible, preceded
by only NOP options for alignment and the FRAG option if present. by only NOP options for alignment.
>> OCS MUST be half-word coordinated with the start of the UDP >> OCS MUST be half-word coordinated with the start of the UDP
options area and include the surplus length pseudoheader similarly options area and include the surplus length pseudoheader similarly
coordinated with the start of UDP Header. coordinated with the start of UDP Header.
This Internet checksum is computed over the surplus area (including This Internet checksum is computed over the entire surplus area
EOL, if present) prefixed by the surplus length pseudoheader (Figure prefixed by the surplus length pseudoheader (Figure 8) and then
8) and then adjusting the result before storing it into the OCS adjusting the result before storing it into the OCS checksum field.
checksum field. If the OCS checksum field is aligned to the start of
the options area, then the checksum is inserted as-is, otherwise the If the OCS checksum field is aligned to the start of the options
checksum bytes are swapped before inserting them into the field. The area, then the checksum is inserted as-is, otherwise the checksum
effect of this "coordination" is the same is if the checksum were bytes are swapped before inserting them into the field. The effect
computed as if the surplus area and pseudoheader were aligned to the of this "coordination" is the same is if the checksum were computed
UDP header. as if the surplus area and pseudoheader were aligned to the UDP
header.
This feature is intended to potentially help the UDP options This feature is intended to potentially help the UDP options
traverse devices that incorrectly attempt to checksum the surplus traverse devices that incorrectly attempt to checksum the surplus
area (as originally proposed as the Checksum Compensation Option, area (as originally proposed as the Checksum Compensation Option,
i.e., CCO [Fa18]). i.e., CCO [Fa18]).
The OCS covers the UDP option area as formatted for transmission and The OCS covers the UDP option area as formatted for transmission and
immediately upon reception. immediately upon reception.
>> If the OCS fails, all options MUST be ignored and the surplus >> If the OCS fails, all options MUST be ignored and the surplus
skipping to change at page 13, line 14 skipping to change at page 13, line 28
ACS does not protect the UDP pseudoheader; only the current UDP ACS does not protect the UDP pseudoheader; only the current UDP
checksum provides that protection (when used). ACS cannot provide checksum provides that protection (when used). ACS cannot provide
that protection because it would need to be updated whenever the UDP that protection because it would need to be updated whenever the UDP
pseudoheader changed, e.g., during NAT address and port translation; pseudoheader changed, e.g., during NAT address and port translation;
because this is not the case, ACS does not cover the pseudoheader. because this is not the case, ACS does not cover the pseudoheader.
>> Packets with incorrect ACS checksums MUST be passed to the >> Packets with incorrect ACS checksums MUST be passed to the
application by default, e.g., with a flag indicating ACS failure. application by default, e.g., with a flag indicating ACS failure.
Like all non-UNSAFE UDP options, ACS need to be silently ignored Like all non-UNSAFE UDP options, ACS needs to be silently ignored
when failing. Although all UDP option-aware endpoints support ACS when failing by default, unless the receiver has been configured to
do otherwise. Although all UDP option-aware endpoints support ACS
(being in the required set), this silently-ignored behavior ensures (being in the required set), this silently-ignored behavior ensures
that option-aware receivers operate the same as legacy receivers that option-aware receivers operate the same as legacy receivers
unless overridden. unless overridden.
>> Packets with unrecognized ACS lengths MUST be receive the same
treatment as packets with incorrect ACS checksums.
Ensuring that unrecognized ACS lengths are treated as incorrect
checksums enables future variants of ACS to be treated as ACS-like.
5.5. Fragmentation (FRAG) 5.5. Fragmentation (FRAG)
The Fragmentation option (FRAG) combines properties of IP The Fragmentation option (FRAG) combines properties of IP
fragmentation and the UDP Lite transport protocol [RFC3828]. FRAG fragmentation and the UDP Lite transport protocol [RFC3828]. FRAG
provides transport-layer fragmentation and reassembly in which each provides transport-layer fragmentation and reassembly in which each
fragment includes a copy of the same UDP transport ports, enabling fragment includes a copy of the same UDP transport ports, enabling
the fragments to traverse Network Address (and port) Translation the fragments to traverse Network Address (and port) Translation
(NAT) devices, in contrast to the behavior of IP fragments. FRAG (NAT) devices, in contrast to the behavior of IP fragments. FRAG
also allows the UDP checksum to cover only a prefix of the UDP data also allows the UDP checksum to cover only a prefix of the UDP data
payload, to avoid repeated checksums of data prior to reassembly. payload, to avoid repeated checksums of data prior to reassembly.
The Fragmentation (FRAG) option supports UDP fragmentation and The Fragmentation (FRAG) option supports UDP fragmentation and
reassembly, which can be used to transfer UDP messages larger than reassembly, which can be used to transfer UDP messages larger than
limited by the IP receive MTU (EMTU_R [RFC1122]). It is typically limited by the IP receive MTU (EMTU_R [RFC1122]). It is typically
used with the UDP MSS option to enable more efficient use of large used with the UDP MSS and MRSS options to enable more efficient use
messages, both at the UDP and IP layers. FRAG is designed similar to of large messages, both at the UDP and IP layers. FRAG is designed
the IPv6 Fragmentation Header [RFC8200], except that the UDP variant similar to the IPv6 Fragmentation Header [RFC8200], except that the
uses a 16-bit Offset measured in bytes, rather than IPv6's 13-bit UDP variant uses a 16-bit Offset measured in bytes, rather than
Fragment Offset measured in 8-byte units. This UDP variant avoids IPv6's 13-bit Fragment Offset measured in 8-byte units. This UDP
creating reserved fields. variant avoids creating reserved fields.
>> When FRAG is present, it MUST come first in the UDP options list. >> When FRAG is present, it SHOULD come as early as possible in the
UDP options list after OCS.
>> When FRAG is present, the UDP payload MUST be empty. If the >> When FRAG is present, the UDP payload MUST be empty. If the
payload is not empty, all UDP options MUST be silently ignored and payload is not empty, all UDP options MUST be silently ignored and
the payload received to the user. the payload received sent to the user.
Legacy receivers interpret FRAG messages as zero-length payload Legacy receivers interpret FRAG messages as zero-length payload
packets (i.e., UDP Length field is 8, the length of just the UDP packets (i.e., UDP Length field is 8, the length of just the UDP
header), which would not affect the receiver unless the presence of header), which would not affect the receiver unless the presence of
the packet itself were a signal. the packet itself were a signal.
The FRAG option has two formats; non-terminal fragments use the The FRAG option has two formats; non-terminal fragments use the
shorter variant (Figure 11) and terminal fragments use the longer shorter variant (Figure 11) and terminal fragments use the longer
(Figure 12). The latter includes stand-alone fragments, i.e., when (Figure 12). The latter includes stand-alone fragments, i.e., when
data is contained in the FRAG option but reassembly is not required. data is contained in the FRAG option but reassembly is not required.
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Kind=4 | Len=10 | Offset | | Kind=4 | Len=10 | Frag. Start |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Identification | | Identification |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Frag. Offset | | Frag. Offset |
+--------+--------+ +--------+--------+
Figure 11 UDP non-terminal FRAG option format Figure 11 UDP non-terminal FRAG option format
In the non-terminal FRAG option format, Frag. Start indicates the
location of the beginning of the fragment data, measured from the
beginning of the UDP header, which always follows the remainder of
the UDP options. Those options are applied to this segment. The
fragment data begins at Frag. Start and ends at the end of the IP
datagram. Non-terminal fragments never have options after the
fragment.
The FRAG option does not need a "more fragments" bit because it The FRAG option does not need a "more fragments" bit because it
provides the same indication by using the longer, 12-byte variant, provides the same indication by using the longer, 12-byte variant,
which also includes an Internet checksum over the entire reassembled as shown in Figure 12.
UDP payload (omitting the IP pseudoheader and UDP header, as well as
UDP options), as shown in Figure 12.
>> The FRAG option MAY be used on a single fragment, in which case >> The FRAG option MAY be used on a single fragment, in which case
the Offset would be zero and the option would have the 12-byte the Frag. Offset would be zero and the option would have the 12-byte
format, including the reassembly checksum. format.
Use of the single fragment variant can be helpful in supporting use Use of the single fragment variant can be helpful in supporting use
of UNSAFE options without undesirable impact to receivers that do of UNSAFE options without undesirable impact to receivers that do
not support either UDP options or the specific UNSAFE options. not support either UDP options or the specific UNSAFE options.
>> The reassembly checksum SHOULD be used, but MAY be unused in the
same situations when the UDP checksum is unused (e.g., for transit
tunnels or applications that have their own integrity checks
[RFC8200]), and by the same mechanism (set the field to 0x0000).
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Kind=4 | Len=12 | Offset | | Kind=4 | Len=12 | Frag. Start |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Identification | | Identification |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Frag. Offset | Reassy. Checksum| | Frag. Offset | Frag. End |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
Figure 12 UDP terminal FRAG option format Figure 12 UDP terminal FRAG option format
The terminal FRAG option format adds a Frag. End pointer, measured
from the start of the UDP header, as with Frag. Start. In this
variant, UDP options continue after the terminal fragment data. UDP
options that occur before the FRAG data are processed on the
fragment; UDP options after the FRAG data are processed after
reassembly, such that the reassembled data represents the original
UDP user data. This allows either pre-reassembly or post-reassembly
UDP option effects.
>> During fragmentation, the UDP header checksum of each fragment >> During fragmentation, the UDP header checksum of each fragment
needs to be recomputed based on each datagram's pseudoheader. needs to be recomputed based on each datagram's pseudoheader.
Unlike the UDP checksum, the reassembly checksum does not need to be
updated if the UDP header changes because it covers only the
reassembled data. FRAG uses a comparatively weak checksum upon
reassembly because the fragments are already checked individually.
>> After reassembly is complete and validated using the checksum of
the terminal FRAG option, the UDP header checksum of the resulting
datagram needs to be recomputed based on the datagram's
pseudoheader.
The Fragment Offset is 16 bits and indicates the location of the UDP The Fragment Offset is 16 bits and indicates the location of the UDP
payload fragment in bytes from the beginning of the original payload fragment in bytes from the beginning of the original
unfragmented payload. The Len field indicates whether there are more unfragmented payload. The option Len field indicates whether there
fragments (Len=10) or no more fragments (Len=12). are more fragments (Len=10) or no more fragments (Len=12).
>> The Identification field is a 32-bit value that MUST be unique >> The Identification field is a 32-bit value that MUST be unique
over the expected fragment reassembly timeout. over the expected fragment reassembly timeout.
>> The Identification field SHOULD be generated in a manner similar >> The Identification field SHOULD be generated in a manner similar
to that of the IPv6 Fragment ID [RFC8200]. to that of the IPv6 Fragment ID [RFC8200].
>> UDP fragments MUST NOT overlap. >> UDP fragments MUST NOT overlap.
UDP fragmentation relies on a fragment expiration timer, which can UDP fragmentation relies on a fragment expiration timer, which can
skipping to change at page 16, line 7 skipping to change at page 16, line 31
reassembled datagram is received only after complete reassembly, reassembled datagram is received only after complete reassembly,
checksum validation, and continued processing of the remaining UDP checksum validation, and continued processing of the remaining UDP
options. options.
Any additional UDP options, if used, follow the FRAG option in the Any additional UDP options, if used, follow the FRAG option in the
final fragment and would be included in the reassembled packet. final fragment and would be included in the reassembled packet.
Processing of those options would commence after reassembly. This is Processing of those options would commence after reassembly. This is
especially important for UNSAFE options, which are interpreted only especially important for UNSAFE options, which are interpreted only
after FRAG. after FRAG.
>> UDP options MUST NOT follow the FRAG header in non-terminal
fragments. Any data following the FRAG header in non-terminal
fragments MUST be silently dropped. All other options that apply to
a reassembled packet MUST follow the FRAG header in the terminal
fragment.
In general, UDP packets are fragmented as follows: In general, UDP packets are fragmented as follows:
1. Create a datagram with data and any non-FRAG UDP options, which 1. Create a datagram with data and UDP options, which we will call
we will call "D". Note that the options apply to the entire data "D". Note that the UDP options treat the data area as UDP user
area and must follow the data. These options are processed before data and thus must follow that data.
the rest of the fragmentation steps below.
Process these UDP options before the rest of the fragmentation
steps below.
2. Identify the desired fragment size, which we will call "S". This 2. Identify the desired fragment size, which we will call "S". This
value should take into account the path MTU (if known) and allow value should take into account the path MTU (if known) and allow
space for per-fragment options (e.g., OCS). space for per-fragment options (e.g., OCS).
3. Fragment "D" into chunks of size no larger than "S"-10 each, with 3. Fragment "D" into chunks of size no larger than "S"-10 each, with
one final chunk no larger than "S"-12. Note that all the non-FRAG one final chunk no larger than "S"-12. Note that all the non-FRAG
options in step #1 MUST appear in the terminal fragment. options in step #1 MUST appear in the terminal fragment.
4. For each chunk of "D" in step #3, create a zero-data UDP packet 4. For each chunk of "D" in step #3, create a zero-data UDP packet
followed by the per-fragment options, with the final option being followed by OCS (if used), FRAG, and any additional UDP options,
the FRAG option followed by the FRAG data chunk. followed by the FRAG data chunk.
The last chunk includes the non-FRAG options noted in step #1 The last chunk includes the non-FRAG options noted in step #1
after the end of the FRAG data. These UDP options apply to the after the end of the FRAG data. These UDP options apply to the
reassembled data as a whole when received. reassembled data as a whole when received.
5. Process the UDP options of each fragment, e.g., computing its 5. Process the pre-reassembly UDP options of each fragment.
OCS.
Receivers reverse the above sequence. They process all received Receivers reverse the above sequence. They process all received
options in each fragment. When the FRAG option is encountered, the options in each fragment. When the FRAG option is encountered, the
FRAG data is used in reassembly. After all fragments are received, FRAG data is used in reassembly. After all fragments are received,
the entire packet is processed with any trailing UDP options the entire packet is processed with any trailing UDP options
applying to the reassembled data. applying to the reassembled data.
5.6. Maximum Segment Size (MSS) 5.6. Maximum Segment Size (MSS)
The Maximum Segment Size (MSS, Kind = 5) option is a 16-bit hint of The Maximum Segment Size (MSS, Kind = 5) option is a 16-bit hint of
skipping to change at page 17, line 36 skipping to change at page 18, line 11
[RFC8200]). It can also be used with DPLPMTUD [RFC8899] to provide a [RFC8200]). It can also be used with DPLPMTUD [RFC8899] to provide a
hint to maximum DPLPMTU, though it MUST NOT prohibit transmission of hint to maximum DPLPMTU, though it MUST NOT prohibit transmission of
larger UDP packets (or fragments) used as DPLPMTU probes. larger UDP packets (or fragments) used as DPLPMTU probes.
5.7. Maximum Reassembled Segment Size (MRSS) 5.7. Maximum Reassembled Segment Size (MRSS)
The Maximum Reassembled Segment Size (MRSS, Kind=6) option is a 16- The Maximum Reassembled Segment Size (MRSS, Kind=6) option is a 16-
bit indicator of the largest reassembled UDP segment that can be bit indicator of the largest reassembled UDP segment that can be
received. MRSS is the UDP equivalent of IP's EMTU_R but the two are received. MRSS is the UDP equivalent of IP's EMTU_R but the two are
not related [RFC1122]. Using the FRAG option (Section 5.5), UDP not related [RFC1122]. Using the FRAG option (Section 5.5), UDP
segments can be transmitted as fragments in multiple IP datagrams segments can be transmitted as transport fragments, each in their
and be reassembled larger than the IP layer allows. own (presumably not fragmented) IP datagram and be reassembled at
the UDP layer.
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Kind=6 | Len=4 | MRSS size | | Kind=6 | Len=4 | MRSS size |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
Figure 14 UDP MRSS option format Figure 14 UDP MRSS option format
5.8. Unsafe (UNSAFE) 5.8. Unsafe (UNSAFE)
The Unsafe option (UNSAFE) extends the UDP option space to allow for The Unsafe option (UNSAFE) extends the UDP option space to allow for
skipping to change at page 18, line 18 skipping to change at page 18, line 40
UNSAFE options are an extended option space, with its own additional UNSAFE options are an extended option space, with its own additional
option types. These are indicated in the first byte after the option option types. These are indicated in the first byte after the option
Kind as shown in Figure 15, which is followed by the Length. Length Kind as shown in Figure 15, which is followed by the Length. Length
is 1 byte for UKinds whose total length (including Kind, UKind, and is 1 byte for UKinds whose total length (including Kind, UKind, and
Length fields) is less than 255 or 2 bytes for larger lengths (in Length fields) is less than 255 or 2 bytes for larger lengths (in
the similar style as the extended option format). the similar style as the extended option format).
+--------+--------+--------+ +--------+--------+--------+
| Kind=7 | UKind | Length |... | Kind=7 | UKind | Length |...
+--------+--------+--------+ +--------+--------+--------+
1 byte 1 byte 1-2 bytes 1 byte 1 byte 1-3 bytes
Figure 15 UDP UNSAFE option format Figure 15 UDP UNSAFE option format
The UNSAFE option format supports extended lengths in the same
manner as the other UDP options, i.e., using a Length of 255 and two
additional bytes of extended length.
>> UNSAFE options MUST be used only as part of UDP fragments, used >> UNSAFE options MUST be used only as part of UDP fragments, used
either per-fragment or after reassembly. either per-fragment or after reassembly.
>> Receivers supporting UDP options MUST silently drop the entire >> Receivers supporting UDP options MUST silently drop the entire
reassembled datagram if any fragment or the entire datagram includes reassembled datagram if any fragment or the entire datagram includes
an UNSAFE option whose UKind is not supported. an UNSAFE option whose UKind is not supported.
The following UKind values are defined: The following UKind values are defined:
UKind Length Meaning UKind Length Meaning
---------------------------------------------- ----------------------------------------------
0 RESERVED 0 RESERVED
1-253 (varies) UNASSIGNED (assignable by IANA) 1 Encryption (ENCR)
2-253 (varies) UNASSIGNED (assignable by IANA)
254 (varies) RFC 3692-style experiments (UEXP) 254 (varies) RFC 3692-style experiments (UEXP)
255 RESERVED 255 RESERVED
ENCR has the same format as AUTH (Section 5.10), except that it
encrypts (modifies) the user data. It provides a similar encryption
capability as TCP-AO-ENC, in a similar manner [To18ao]. Its fields,
coverage, and processing are the same as for AUTH, except that ENCR
encrypts only the user data, although it can (optionally) depend on
the option area (with certain fields zeroed, as per AUTH, e.g.,
providing authentication over the option area). Like AUTH, ENCR can
be configured to be compatible with NAT traversal.
Experimental UKind EXP ExID values indicate the ExID in the Experimental UKind EXP ExID values indicate the ExID in the
following 2 (or 4) bytes, similar to the UDP EXP option as discussed following 2 (or 4) bytes, similar to the UDP EXP option as discussed
in Section 5.12. Assigned UDP EXP ExIDs and UDP UNSAFE UKind UEXP in Section 5.12. Assigned UDP EXP ExIDs and UDP UNSAFE UKind UEXP
ExIDs are assigned from the same registry and can be used either in ExIDs are assigned from the same registry and can be used either in
the EXP option (Section 5.12) or within the UKind UEXP. the EXP option (Section 5.12) or within the UKind UEXP.
5.9. Timestamps (TIME) 5.9. Timestamps (TIME)
The Timestamp (TIME) option exchanges two four-byte timestamp The Timestamp (TIME) option exchanges two four-byte timestamp
fields. It serves a similar purpose to TCP's TS option [RFC7323], fields. It serves a similar purpose to TCP's TS option [RFC7323],
skipping to change at page 19, line 47 skipping to change at page 20, line 37
o A request is defined as "reply=0" and a reply is defined as both o A request is defined as "reply=0" and a reply is defined as both
fields being non-zero. fields being non-zero.
o A receiver should always respond to a request with the highest o A receiver should always respond to a request with the highest
TSval received (allowing for rollover), which is not necessarily TSval received (allowing for rollover), which is not necessarily
the most recently received. the most recently received.
Rollover can be handled as a special case or more completely using Rollover can be handled as a special case or more completely using
sequence number extension [RFC5925]. sequence number extension [RFC5925].
5.10. Authentication and Encryption (AE) 5.10. Authentication (AUTH)
The Authentication and Encryption (AE) option is intended to allow The Authentication (AUTH) option is intended to allow UDP to provide
UDP to provide a similar type of authentication as the TCP a similar type of authentication as the TCP Authentication Option
Authentication Option (TCP-AO) [RFC5925]. AE the conventional UDP (TCP-AO) [RFC5925]. AUTH covers the conventional UDP payload. It
payload and may also cover the surplus area, depending on uses the same format as specified for TCP-AO, except that it uses a
configuration. It uses the same format as specified for TCP-AO, Kind of 9. AUTH supports NAT traversal in a similar manner as TCP-AO
except that it uses a Kind of 9. AE supports NAT traversal in a [RFC6978].
similar manner as TCP-AO [RFC6978]. AE can also be extended to
provide a similar encryption capability as TCP-AO-ENC, in a similar
manner [To18ao].
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Kind=9 | Len | Digest... | | Kind=9 | Len | Digest... |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
| Digest (con't)... | | Digest (con't)... |
+--------+--------+--------+--------+ +--------+--------+--------+--------+
Figure 17 UDP AE option format Figure 17 UDP AUTH option format
Like TCP-AO, AE is not negotiated in-band. Its use assumes both Like TCP-AO, AUTH is not negotiated in-band. Its use assumes both
endpoints have populated Master Key Tuples (MKTs), used to exclude endpoints have populated Master Key Tuples (MKTs), used to exclude
non-protected traffic. non-protected traffic.
TCP-AO generates unique traffic keys from a hash of TCP connection TCP-AO generates unique traffic keys from a hash of TCP connection
parameters. UDP lacks a three-way handshake to coordinate parameters. UDP lacks a three-way handshake to coordinate
connection-specific values, such as TCP's Initial Sequence Numbers connection-specific values, such as TCP's Initial Sequence Numbers
(ISNs) [RFC793], thus AE's Key Derivation Function (KDF) uses zeroes (ISNs) [RFC793], thus AUTH's Key Derivation Function (KDF) uses
as the value for both ISNs. This means that the AE reuses keys when zeroes as the value for both ISNs. This means that the AUTH reuses
socket pairs are reused, unlike TCP-AO. keys when socket pairs are reused, unlike TCP-AO.
>> Packets with incorrect AE HMACs MUST be passed to the application >> Packets with incorrect AUTH HMACs MUST be passed to the
by default, e.g., with a flag indicating AE failure. application by default, e.g., with a flag indicating AUTH failure.
Like all non-UNSAFE UDP options, AE needs to be silently ignored Like all non-UNSAFE UDP options, AUTH needs to be silently ignored
when failing. This silently-ignored behavior ensures that option- when failing. This silently-ignored behavior ensures that option-
aware receivers operate the same as legacy receivers unless aware receivers operate the same as legacy receivers unless
overridden. overridden.
In addition to the UDP payload (which is always included), AE can be In addition to the UDP payload (which is always included), AUTH can
configured to either include or exclude the surplus area, in a be configured to either include or exclude the surplus area, in a
similar way as can TCP-AO can optionally exclude TCP options. When similar way as can TCP-AO can optionally exclude TCP options. When
UDP options are covered, the OCS option area checksum and AE hash UDP options are covered, the OCS option area checksum and AUTH hash
areas are zeroed before computing the AE hash. It is important to areas are zeroed before computing the AUTH hash. It is important to
consider that options not yet defined might yield unpredictable consider that options not yet defined might yield unpredictable
results if not confirmed as supported, e.g., if they were to contain results if not confirmed as supported, e.g., if they were to contain
other hashes or checksums that depend on the option area contents. other hashes or checksums that depend on the option area contents.
This is why such dependencies are not permitted except as defined This is why such dependencies are not permitted except as defined
for OCS and UDP-AE. for OCS and AUTH.
Similar to TCP-AO-NAT, AE can be configured to support NAT Similar to TCP-AO-NAT, AUTH can be configured to support NAT
traversal, excluding (by zeroing out) one or both of the UDP ports traversal, excluding (by zeroing out) one or both of the UDP ports
and corresponding IP addresses [RFC6978]. and corresponding IP addresses [RFC6978].
5.11. Echo request (REQ) and echo response (RES) 5.11. Echo request (REQ) and echo response (RES)
The echo request (REQ, kind=10) and echo response (RES, kind=11) The echo request (REQ, kind=10) and echo response (RES, kind=11)
options provide a means for UDP options to be used to provide options provide a means for UDP options to be used to provide
packet-level acknowledgements. One such use is described as part of packet-level acknowledgements. One such use is described as part of
the UDP variant of packetization layer path MTU discovery (PLPMTUD) the UDP variant of packetization layer path MTU discovery (PLPMTUD)
[Fa21]. The options both have the format indicated in Figure 18. [Fa21]. The options both have the format indicated in Figure 18.
skipping to change at page 21, line 45 skipping to change at page 22, line 35
+----------+----------+----------+----------+ +----------+----------+----------+----------+
| (option contents, as defined)... | | (option contents, as defined)... |
+----------+----------+----------+----------+ +----------+----------+----------+----------+
Figure 19 UDP EXP option format Figure 19 UDP EXP option format
>> The length of the experimental option MUST be at least 4 to >> The length of the experimental option MUST be at least 4 to
account for the Kind, Length, and the minimum 16-bit UDP ExID account for the Kind, Length, and the minimum 16-bit UDP ExID
identifier (similar to TCP ExIDs [RFC6994]). identifier (similar to TCP ExIDs [RFC6994]).
The UDP EXP option also includes an extended length format, where
the option LEN is 255 followed by two bytes of extended length.
+----------+----------+----------+----------+
| Kind=254 | 255 | Extended Length |
+----------+----------+----------+----------+
| UDP ExID. |(option contents...) |
+----------+----------+----------+----------+
Figure 20 UDP EXP option format
Assigned UDP EXP ExIDs and UDP UNSAFE UKind UEXP ExIDs are assigned Assigned UDP EXP ExIDs and UDP UNSAFE UKind UEXP ExIDs are assigned
from the same registry and can be used either in the EXP option or from the same registry and can be used either in the EXP option or
within the UKind UEXP (Section 5.8). within the UKind UEXP (Section 5.8).
6. Rules for designing new options 6. Rules for designing new options
The UDP option Kind space allows for the definition of new options, The UDP option Kind space allows for the definition of new options,
however the currently defined options do not allow for arbitrary new however the currently defined options do not allow for arbitrary new
options. For example, FRAG needs to come first if present; new options. The following is a summary of rules for new options and
options cannot declare that they need to precede it. The following their rationales:
is a summary of rules for new options and their rationales:
>> New options MUST NOT depend on option space content, excepting >> New options MUST NOT depend on or modify option space content.
only those contained within the UNSAFE option. Only OCS and AE Only OCS, AUTH, and ENCR depend on the content of the options.
depend on the content of the options themselves and their order is
fixed (on transmission, AE is computed first using a zero-checksum
OCS if present, and OCS is computed last before transmission, over
the entire option area, including AE).
>> UNSAFE options can both depend on and vary option space content >> UNSAFE options can both depend on and vary user data content
because they are contained only inside UDP fragments and thus are because they are contained only inside UDP fragments and thus are
processed only by UDP option capable receivers. processed only by UDP option capable receivers.
>> New options MUST NOT declare their order relative to other >> New options MUST NOT declare their order relative to other
options, whether new or old. options, whether new or old.
>> At the sender, new options MUST NOT modify UDP packet content >> At the sender, new options MUST NOT modify UDP packet content
anywhere except within their option field, excepting only those anywhere except within their option field, excepting only those
contained within the UNSAFE option; areas that need to remain contained within the UNSAFE option; areas that need to remain
unmodified include the IP header, IP options, the UDP body, the UDP unmodified include the IP header, IP options, the UDP body, the UDP
skipping to change at page 22, line 45 skipping to change at page 23, line 40
or intend optionally for modification of any UDP options, including or intend optionally for modification of any UDP options, including
their new areas, in transit. their new areas, in transit.
>> New options with fixed lengths smaller than 255 or variable >> New options with fixed lengths smaller than 255 or variable
lengths that are always smaller than 255 MUST use only the default lengths that are always smaller than 255 MUST use only the default
option format. option format.
Note that only certain of the initially defined options violate Note that only certain of the initially defined options violate
these rules: these rules:
o >> FRAG MUST be first, if present, and MUST be processed when
encountered (e.g., even before security options).
o >> Only FRAG and UNSAFE options are permitted to modify the UDP o >> Only FRAG and UNSAFE options are permitted to modify the UDP
body or option areas. body.
o >> OCS SHOULD be the first option, except in the presence of The following recommendation helps ensure that only valid options
FRAG, in which case it SHOULD be the first option after FRAG. are processed:
o >> OCS SHOULD be the first option, when present.
The following recommendation helps enable efficient zero-copy
processing:
o >> FRAG SHOULD be the first option after OCS, when present.
7. Option inclusion and processing 7. Option inclusion and processing
The following rules apply to option inclusion by senders and The following rules apply to option inclusion by senders and
processing by receivers. processing by receivers.
>> Senders MAY add any option, as configured by the API. >> Senders MAY add any option, as configured by the API.
>> All mandatory options MUST be processed by receivers, if present >> All mandatory options MUST be processed by receivers, if present
(presuming UDP options are supported at that receiver). (presuming UDP options are supported at that receiver).
skipping to change at page 25, line 25 skipping to change at page 26, line 20
o Extend the receive function to indicate the options and their o Extend the receive function to indicate the options and their
parameters as received with the corresponding received datagram. parameters as received with the corresponding received datagram.
o Extend the send function to indicate the options to be added to o Extend the send function to indicate the options to be added to
the corresponding sent datagram. the corresponding sent datagram.
Examples of API instances for Linux and FreeBSD are provided in Examples of API instances for Linux and FreeBSD are provided in
Appendix A, to encourage uniform cross-platform implementations. Appendix A, to encourage uniform cross-platform implementations.
9. Whose options are these? 9. UDP Options are for Transport, Not Transit
UDP options are indicated in an area of the IP payload that is not UDP options are indicated in an area of the IP payload that is not
used by UDP. That area is really part of the IP payload, not the UDP used by UDP. That area is really part of the IP payload, not the UDP
payload, and as such, it might be tempting to consider whether this payload, and as such, it might be tempting to consider whether this
is a generally useful approach to extending IP. is a generally useful approach to extending IP.
Unfortunately, the surplus area exists only for transports that Unfortunately, the surplus area exists only for transports that
include their own transport layer payload length indicator. TCP and include their own transport layer payload length indicator. TCP and
SCTP include header length fields that already provide space for SCTP include header length fields that already provide space for
transport options by indicating the total length of the header area, transport options by indicating the total length of the header area,
skipping to change at page 26, line 7 skipping to change at page 27, line 5
than any other portion of the transport datagram. than any other portion of the transport datagram.
UDP options are transport options. Generally, transport datagrams UDP options are transport options. Generally, transport datagrams
are not intended to be modified in-transit. UDP options are no are not intended to be modified in-transit. UDP options are no
exception and here are specified as "MUST NOT" be altered in exception and here are specified as "MUST NOT" be altered in
transit. However, the UDP option mechanism provides no specific transit. However, the UDP option mechanism provides no specific
protection against in-transit modification of the UDP header, UDP protection against in-transit modification of the UDP header, UDP
payload, or UDP option area, except as provided by the options payload, or UDP option area, except as provided by the options
selected (e.g., OCS or AE). selected (e.g., OCS or AE).
10. UDP options FRAG option vs. UDP-Lite 10. UDP options vs. UDP-Lite
UDP-Lite provides partial checksum coverage, so that packets with UDP-Lite provides partial checksum coverage, so that packets with
errors in some locations can be delivered to the user [RFC3828]. It errors in some locations can be delivered to the user [RFC3828]. It
uses a different transport protocol number (136) than UDP (17) to uses a different transport protocol number (136) than UDP (17) to
interpret the UDP Length field as the prefix covered by the UDP interpret the UDP Length field as the prefix covered by the UDP
checksum. checksum.
UDP (protocol 17) already defines the UDP Length field as the limit UDP (protocol 17) already defines the UDP Length field as the limit
of the UDP checksum, but by default also limits the data provided to of the UDP checksum, but by default also limits the data provided to
the application as that which precedes the UDP Length. A goal of the application as that which precedes the UDP Length. A goal of
UDP-Lite is to deliver data beyond UDP Length as a default, which is UDP-Lite is to deliver data beyond UDP Length as a default, which is
why a separate transport protocol number was required. why a separate transport protocol number was required.
UDP options do not use or need a separate transport protocol number UDP options do not use or need a separate transport protocol number
because the data beyond the UDP Length offset (surplus data) is not because the data beyond the UDP Length offset (surplus data) is not
provided to the application by default. That data is interpreted provided to the application by default. That data is interpreted
exclusively within the UDP transport layer. exclusively within the UDP transport layer.
The UDP FRAG options option supports a similar service to UDP-Lite.
The main difference is that UDP-Lite provides the un-checksummed
user data to the application by default, whereas the UDP FRAG option
can safely provide that service only between endpoints that
negotiate that capability in advance. An endpoint that does not
implement UDP options would silently discard this non-checksummed
user data, along with the UDP options as well.
UDP-Lite cannot support UDP options, either as proposed here or in UDP-Lite cannot support UDP options, either as proposed here or in
any other form, because the entire payload of the UDP packet is any other form, because the entire payload of the UDP packet is
already defined as user data and there is no additional field in already defined as user data and there is no additional field in
which to indicate a separate area for options. The UDP Length field which to indicate a separate area for options. The UDP Length field
in UDP-Lite is already used to indicate the boundary between user in UDP-Lite is already used to indicate the boundary between user
data covered by the checksum and user data not covered. data covered by the checksum and user data not covered.
11. Interactions with Legacy Devices 11. Interactions with Legacy Devices
It has always been permissible for the UDP Length to be inconsistent It has always been permissible for the UDP Length to be inconsistent
skipping to change at page 29, line 33 skipping to change at page 30, line 23
Compression (ROHC)[RFC3095], noted here: Compression (ROHC)[RFC3095], noted here:
"The Length field of the UDP header MUST match the Length "The Length field of the UDP header MUST match the Length
field(s) of the preceding subheaders, i.e., there must not field(s) of the preceding subheaders, i.e., there must not
be any padding after the UDP payload that is covered by the be any padding after the UDP payload that is covered by the
IP Length." IP Length."
ROHC compresses UDP headers only when this match succeeds. It does ROHC compresses UDP headers only when this match succeeds. It does
not prohibit UDP headers where the match fails; in those cases, ROHC not prohibit UDP headers where the match fails; in those cases, ROHC
default rules (Section 5.10) would cause the UDP header to remain default rules (Section 5.10) would cause the UDP header to remain
uncompressed. Upon receivep of a compressed UDP header, Section uncompressed. Upon receipt of a compressed UDP header, Section A.1.3
A.1.3 of that document indicates that the UDP length is "INFERRED"; of that document indicates that the UDP length is "INFERRED"; in
in uncompressed packets, it would simply be explicitly provided. uncompressed packets, it would simply be explicitly provided.
This issue of handling UDP header compression is more explicitly This issue of handling UDP header compression is more explicitly
described in more recent specifications, e.g., Sec. 10.10 of Static described in more recent specifications, e.g., Sec. 10.10 of Static
Context Header Compression [RFC8724]. Context Header Compression [RFC8724].
16. Multicast Considerations 16. Multicast Considerations
UDP options are primarily intended for unicast use. Using these UDP options are primarily intended for unicast use. Using these
options over multicast IP requires careful consideration, e.g., to options over multicast IP requires careful consideration, e.g., to
ensure that the options used are safe for different endpoints to ensure that the options used are safe for different endpoints to
skipping to change at page 30, line 28 skipping to change at page 31, line 16
UDP options are not covered by DTLS (datagram transport-layer UDP options are not covered by DTLS (datagram transport-layer
security). Despite the name, neither TLS [RFC8446] (transport layer security). Despite the name, neither TLS [RFC8446] (transport layer
security, for TCP) nor DTLS [RFC6347] (TLS for UDP) protect the security, for TCP) nor DTLS [RFC6347] (TLS for UDP) protect the
transport layer. Both operate as a shim layer solely on the payload transport layer. Both operate as a shim layer solely on the payload
of transport packets, protecting only their contents. Just as TLS of transport packets, protecting only their contents. Just as TLS
does not protect the TCP header or its options, DTLS does not does not protect the TCP header or its options, DTLS does not
protect the UDP header or the new options introduced by this protect the UDP header or the new options introduced by this
document. Transport security is provided in TCP by the TCP document. Transport security is provided in TCP by the TCP
Authentication Option (TCP-AO [RFC5925]) or in UDP by the Authentication Option (TCP-AO [RFC5925]) or in UDP by the
Authentication Extension option (Section 5.10). Transport headers Authentication (AUTH) option (Section 5.10) and UNSAFE Encryption
are also protected as payload when using IP security (IPsec) (ENCR) option (5.8). Transport headers are also protected as payload
[RFC4301]. when using IP security (IPsec) [RFC4301].
UDP options use the TLV syntax similar to that of TCP. This syntax UDP options use the TLV syntax similar to that of TCP. This syntax
is known to require serial processing and may pose a DOS risk, e.g., is known to require serial processing and may pose a DOS risk, e.g.,
if an attacker adds large numbers of unknown options that must be if an attacker adds large numbers of unknown options that must be
parsed in their entirety. Implementations concerned with the parsed in their entirety. Implementations concerned with the
potential for this vulnerability MAY implement only the required potential for this vulnerability MAY implement only the required
options and MAY also limit processing of TLVs. Because required options and MAY also limit processing of TLVs, either in number of
options come first and at most once each (with the exception of options or total length, or both. Because required options come
NOPs, which should never need to come in sequences of more than first and at most once each (with the exception of NOPs, which
three in a row), this limits their DOS impact. Note that TLV formats should never need to come in sequences of more than seven in a row),
for options does require serial processing, but any format that this limits their DOS impact. Note that TLV formats for options does
allows future options, whether ignored or not, could introduce a require serial processing, but any format that allows future
similar DOS vulnerability. options, whether ignored or not, could introduce a similar DOS
vulnerability.
UDP security should never rely solely on transport layer processing UDP security should never rely solely on transport layer processing
of options. UNSAFE options are the only type that share fate with of options. UNSAFE options are the only type that share fate with
the UDP data, because of the way that data is hidden in the surplus the UDP data, because of the way that data is hidden in the surplus
area until after those options are processed. All other options area until after those options are processed. All other options
default to being silently ignored at the transport layer but may be default to being silently ignored at the transport layer but may be
dropped either if that default is overridden (e.g., by dropped either if that default is overridden (e.g., by
configuration) or discarded at the application layer (e.g., using configuration) or discarded at the application layer (e.g., using
information about the options processed that are passed along with information about the options processed that are passed along with
the packet). the packet).
skipping to change at page 33, line 35 skipping to change at page 34, line 22
Option," RFC 5925, June 2010. Option," RFC 5925, June 2010.
[RFC6081] Thaler, D., "Teredo Extensions," RFC 6081, Jan 2011. [RFC6081] Thaler, D., "Teredo Extensions," RFC 6081, Jan 2011.
[RFC6347] Rescorla, E., N. Modadugu, "Datagram Transport Layer [RFC6347] Rescorla, E., N. Modadugu, "Datagram Transport Layer
Security Version 1.2," RFC 6347, Jan. 2012. Security Version 1.2," RFC 6347, Jan. 2012.
[RFC6691] Borman, D., "TCP Options and Maximum Segment Size (MSS)," [RFC6691] Borman, D., "TCP Options and Maximum Segment Size (MSS),"
RFC 6691, July 2012. RFC 6691, July 2012.
[RFC6935] Eubanks, M., P. Chimento, M. Westerlund, "IPv6 and UDP
Checksums for Tunneled Packets," RFC 6935, April 2013.
[RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT [RFC6978] Touch, J., "A TCP Authentication Option Extension for NAT
Traversal", RFC 6978, July 2013. Traversal", RFC 6978, July 2013.
[RFC6994] Touch, J., "Shared Use of Experimental TCP Options," RFC [RFC6994] Touch, J., "Shared Use of Experimental TCP Options," RFC
6994, Aug. 2013. 6994, Aug. 2013.
[RFC7323] Borman, D., R. Braden, V. Jacobson, R. Scheffenegger [RFC7323] Borman, D., R. Braden, V. Jacobson, R. Scheffenegger
(Ed.), "TCP Extensions for High Performance," RFC 7323, (Ed.), "TCP Extensions for High Performance," RFC 7323,
Sep. 2014. Sep. 2014.
skipping to change at page 35, line 5 skipping to change at page 36, line 5
This document was prepared using 2-Word-v2.0.template.dot. This document was prepared using 2-Word-v2.0.template.dot.
Authors' Addresses Authors' Addresses
Joe Touch Joe Touch
Manhattan Beach, CA 90266 USA Manhattan Beach, CA 90266 USA
Phone: +1 (310) 560-0334 Phone: +1 (310) 560-0334
Email: touch@strayalpha.com Email: touch@strayalpha.com
Appendix A. Implementation Information Appendix A. Implementation Information
The following information is provided to encourage interoperable API The following information is provided to encourage interoperable API
implementations. implementations.
System-level variables (sysctl): System-level variables (sysctl):
Name default meaning Name default meaning
---------------------------------------------------- ----------------------------------------------------
net.ipv4.udp_opt 0 UDP options available net.ipv4.udp_opt 0 UDP options available
net.ipv4.udp_opt_ocs 1 Default include OCS net.ipv4.udp_opt_ocs 1 Default include OCS
 End of changes. 76 change blocks. 
196 lines changed or deleted 232 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/