Network working group                                           X.  Xu
Internet Draft                                                  Huawei
Category: Standard Track                                      N. Sheth
                                                               Juniper
                                                               L. Yong
                                                                Huawei
                                                          C. Pignataro
                                                                 Cisco
                                                                Y. Fan
                                                         China Telecom

Expires: July 2014                                   January 24, 2014


                         Encapsulating MPLS in UDP

                         draft-ietf-mpls-in-udp-05

Abstract

   This document specifies an IP-based encapsulation for MPLS, called
   MPLS-in-UDP (User Datagram Protocol). Note that the MPLS-in-UDP
   encapsulation technology MUST only be deployed within a service
   provider network or networks of an adjacent set of co-operating
   service providers where the congestion control is not a concern.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 24, 2014.










Xu, et al.              Expires July 24, 2014                 [Page 1]


Internet-Draft          Encapsulating MPLS in UDP          January 2014

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction ................................................ 3
      1.1. Existing Encapsulations ................................ 3
      1.2. Motivations for MPLS-in-UDP Encapsulation .............. 4
      1.3. Application Statements ................................. 4
   2. Terminology ................................................. 4
   3. Encapsulation in UDP ........................................ 4
   4. Processing Procedures ....................................... 6
   5. Congestion Considerations ................................... 7
   6. Security Considerations ..................................... 7
   7. IANA Considerations ......................................... 8
   8. Contributors ................................................ 9
   9. Acknowledgements ............................................ 9
   10. References ................................................. 9
      10.1. Normative References .................................. 9
      10.2. Informative References ............................... 10
   Authors' Addresses ............................................ 11

















Xu, et al.              Expires July 24, 2014                 [Page 2]


Internet-Draft          Encapsulating MPLS in UDP          January 2014


1. Introduction

   This document specifies an IP-based encapsulation for MPLS, i.e.
   MPLS-in-UDP (User Datagram Protocol), which is applicable in some
   circumstances where IP-based encapsulation for MPLS is required and
   further fine-grained load balancing of MPLS packets over IP
   networks over Equal Cost Multi-Path (ECMP) and/or Link Aggregation
   Groups (LAG) is required as well. There are already IP-based
   encapsulations for MPLS that allow for fine-grained load balancing
   by using some special field in the encapsulation header as an
   entropy field. However, MPLS-in-UDP can be advantageous since some
   networks have used the UDP port number fields as a basis for load-
   balancing solutions for some time. This is similar to why LISP [RFC
   6830] uses UDP encapsulation.

   Like other IP-based encapsulation methods for MPLS, this
   encapsulation allows for two Label Switching Routers (LSR) to be
   adjacent on a Label Switched Path (LSP), while separated by an IP
   network. In order to support this encapsulation, each LSR needs to
   know the capability to decapsulate MPLS-in-UDP by the remote LSRs.
   This specification defines only the data plane encapsulation and
   does not concern itself with how the knowledge to use this
   encapsulation is conveyed. Specifically, this capability can be
   either manually configured on each LSR or be dynamically advertised
   in manners that are outside the scope of this document.

   Similarly, the MPLS-in-UDP encapsulation format defined in this
   document by itself cannot ensure the integrity and privacy of data
   packets being transported through the MPLS-in-UDP tunnels and
   cannot enable the tunnel decapsulators to authenticate the tunnel
   encapsulator. Therefore, in the case where any of the above
   security issues is concerned, the MPLS-in-UDP SHOULD be secured
   with IPsec [RFC4301] or DTLS [RFC6347]. For more details, please
   see Section 6 of Security Considerations.

1.1. Existing Encapsulations

   Currently, there are several IP-based encapsulations for MPLS such
   as MPLS-in-IP, MPLS-in-GRE (Generic Routing Encapsulation)
   [RFC4023], and MPLS-in-L2TPv3 (Layer Two Tunneling Protocol -
   Version 3) [RFC4817]. In all these methods, the IP addresses can be
   varied to achieve load-balancing.

   All these IP-based encapsulations for MPLS are specified for both
   IPv4 and IPv6. In the case of IPv6-based encapsulations, the IPv6




Xu, et al.              Expires July 24, 2014                 [Page 3]


Internet-Draft          Encapsulating MPLS in UDP          January 2014

   Flow Label can be used for ECMP and LAGs [RFC6438]. However, there
   is no such entropy field in the IPv4 header.

   For MPLS-in-GRE as well as MPLS-in-L2TPv3, protocol fields (the GRE
   Key and the L2TPv3 Session ID respectively) can be used as the
   load-balancing key as described in [RFC5640]. For this,
   intermediate routers need to understand these fields in the context
   of being used as load-balancing keys.

1.2. Motivations for MPLS-in-UDP Encapsulation

   Currently, most existing routers in IP networks are already capable
   of distributing IP traffic "microflows" [RFC2474] over ECMPs and/or
   LAG based on the hash of the five-tuple of User Datagram Protocol
   (UDP)[RFC768] and Transmission Control Protocol (TCP) packets (i.e.,
   source IP address, destination IP address, source port, destination
   port, and protocol). By encapsulating the MPLS packets into an UDP
   tunnel and using the source port of the UDP header as an entropy
   field, the existing load-balancing capability as mentioned above
   can be leveraged to provide fine-grained load-balancing of MPLS
   traffic over IP networks.

1.3. Application Statements

   The MPLS-in-UDP encapsulation technology MUST only be deployed
   within a Service Provider (SP) network or networks of an adjacent
   set of co-operating SPs where the congestion control is not a
   concern, rather than over the Internet where the congestion control
   is a must. Furthermore, packet filters should be added so as to
   prevent MPLS-in-UDP packets from escaping from the service provider
   networks due to misconfiguation or packet errors.

2. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
   this document are to be interpreted as described in RFC-2119
   [RFC2119].

3. Encapsulation in UDP

   MPLS-in-UDP encapsulation format is shown as follows:








Xu, et al.              Expires July 24, 2014                 [Page 4]


Internet-Draft          Encapsulating MPLS in UDP          January 2014

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Source Port = Entropy      |       Dest Port = MPLS        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           UDP Length          |        UDP Checksum           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                       MPLS Label Stack                        ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   ~                         Message Body                          ~
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

            Source Port of UDP

                This field contains a 16-bit entropy value that is
                generated by the encapsulator to uniquely identify a
                flow. What constitutes a flow is locally determined by
                the encapsulator and therefore is outside the scope of
                this document. What algorithm is actually used by the
                encapsulator to generate an entropy value is outside
                the scope of this document as well. In the case where
                the tunnel does not need entropy, this field of all
                packets belonging to a given flow SHOULD be set to a
                randomly selected constant value so as to avoid packet
                reordering.

            Destination Port of UDP

                This field is set to a value (TBD1) allocated by IANA
                to indicate that the UDP tunnel payload is an MPLS
                packet.

            UDP Length

                The usage of this field is in accordance with the
                current UDP specification [RFC768].

            UDP Checksum

                The usage of this field is in accordance with the
                current UDP specification [RFC768]. In the IPv4 UDP
                encapsulation case, this field is RECOMMENDED to be set
                to zero. In the IPv6 UDP encapsulation case, this field



Xu, et al.              Expires July 24, 2014                 [Page 5]


Internet-Draft          Encapsulating MPLS in UDP          January 2014

                SHOULD NOT be set to zero. If the UDP checksum needs to
                be disabled for performance or implementation reasons,
                the considerations described in [RFC6935] [RFC6936]
                MUST be examined.

            MPLS Label Stack

                This field contains an MPLS Label Stack as defined in
                [RFC3032].

            Message Body

                This field contains one MPLS message body.

4. Processing Procedures

   This MPLS-in-UDP encapsulation causes MPLS packets to be forwarded
   through "UDP tunnels". When performing MPLS-in-UDP encapsulation by
   the encapsulator, the entropy value would be generated by the
   encapsulator and then be filled in the Source Port field of the UDP
   header. The Destination Port field is set to a value (TBD1)
   allocated by IANA to indicate that the UDP tunnel payload is an
   MPLS packet. As for whether the top label in the MPLS label stack
   is downstream-assigned or upstream-assigned, it SHOULD be
   determined based on the tunnel destination IP address. That is to
   say, if the destination IP address is a multicast address, the top
   label SHOULD be upstream-assigned, otherwise if the destination IP
   address is a unicast address, it SHOULD be downstream-assigned.

   As such, intermediate routers, upon receiving these UDP
   encapsulated packets, could balance these packets based on the hash
   of the five-tuple of UDP packets.

   Upon receiving these UDP encapsulated packets, the decapsulator
   would decapsulate them by removing the UDP headers and then process
   them accordingly.

   As for other common processing procedures associated with tunneling
   encapsulation technologies including but not limited to Maximum
   Transmission Unit (MTU) and preventing fragmentation and reassembly,
   Time to Live (TTL) and differentiated services, the corresponding
   "Common Procedures" defined in [RFC4023] which are applicable for
   MPLS-in-IP and MPLS-in-GRE encapsulation formats SHOULD be followed.







Xu, et al.              Expires July 24, 2014                 [Page 6]


Internet-Draft          Encapsulating MPLS in UDP          January 2014

5. Congestion Considerations

   Since the MPLS-in-UDP encapsulation causes MPLS packets to be
   forwarded through "UDP tunnels", the congestion control guidelines
   for UDP tunnels as defined in Section 3.1.3 of [RFC5405] SHOULD be
   followed. Specifically, as stated in Section 3.1.3 of [RFC5405],
   "some bulk transfer applications may choose not to implement any
   congestion control mechanism and instead rely on transmitting
   across reserved path capacity. This might be an acceptable choice
   for a subset of restricted networking environments, but is by no
   means a safe practice for operation in the Internet."Given the
   fact that the MPLS-in-GRE and MPLS-in-IP [RFC4023] encapsulation
   technologies have been successfully deployed within a SP network or
   networks of an adjacent set of co-operating SPs which is a
   restricted network environment without any congestion control
   mechanism and the fact that the current MPLS technology couldn't
   provide congestion control without major changes, the MPLS-in-UDP
   encapsulation MUST only be deployed within a SP network or networks
   of an adjacent set of co-operating SPs as well.

6. Security Considerations

   The security problems faced with the MPLS-in-UDP tunnel are exactly
   the same as those faced with MPLS-in-IP and MPLS-in-GRE tunnels
   [RFC4023]. In other words,, the MPLS-in-UDP tunnel as defined in
   this document by itself cannot ensure the integrity and privacy of
   data packets being transported through the MPLS-in-UDP tunnel and
   cannot enable the tunnel decapsulator to authenticate the tunnel
   encapsulator. In the case where any of the above security issues is
   concerned, the MPLS-in-UDP tunnel SHOULD be secured with IPsec or
   DTLS. IPsec was designed as a network security mechanism and
   therefore it resides at the network layer. As such, if the tunnel
   is secured with IPsec, the UDP header would not be visible to
   intermediate routers anymore in either IPsec tunnel or transport
   mode. As a result, the meaning of adopting the MPLS-in-UDP tunnel
   as an alternative to the MPLS-in-GRE or MPLS-in-IP tunnel is lost.
   By comparison, DTLS is better suited for application security and
   can better preserve network and transport layer protocol
   information. Specifically, if DTLS is used, the destination port of
   the UDP header will be filled with a value (TBD2) indicating MPLS
   with DTLS and the source port can still be used as an entropy field
   for load-sharing purposes.

   If the tunnel is not secured with IPsec or DTLS, some other method
   should be used to ensure that packets are decapsulated and
   forwarded by the tunnel tail only if those packets were
   encapsulated by the tunnel head. If the tunnel lies entirely within



Xu, et al.              Expires July 24, 2014                 [Page 7]


Internet-Draft          Encapsulating MPLS in UDP          January 2014

   a single administrative domain, address filtering at the boundaries
   can be used to ensure that no packet with the IP source address of
   a tunnel endpoint or with the IP destination address of a tunnel
   endpoint can enter the domain from outside. However, when the
   tunnel head and the tunnel tail are not in the same administrative
   domain, this may become difficult, and filtering based on the
   destination address can even become impossible if the packets must
   traverse the public Internet. Sometimes only source address
   filtering (but not destination address filtering) is done at the
   boundaries of an administrative domain. If this is the case, the
   filtering does not provide effective protection at all unless the
   decapsulator of an MPLS-in-UDP validates the IP source address of
   the packet. This document does not require that the decapsulator
   validate the IP source address of the tunneled packets, but it
   should be understood that failure to do so presupposes that there
   is effective destination-based (or a combination of source-based
   and destination-based) filtering at the boundaries.

7. IANA Considerations

   One UDP destination port number indicating MPLS needs to be
   allocated by IANA.

     Service Name : MPLS-in-UDP

     Transport Protocol(s) : UDP

     Assignee: IESG <iesg@ietf.org>

     Contact : IETF Chair <chair@ietf.org>.

     Description : Encapsulate MPLS packets in UDP tunnels.

     Reference : This document -- draft-ietf-mpls-in-udp (MPLS WG
   document).

     Port Number : TBD1 -- To be assigned by IANA.

   One UDP destination port number indicating MPLS with DTLS needs to
   be allocated by IANA.

     Service Name : MPLS-in-UDP-with-DTLS

     Transport Protocol(s) : UDP

     Assignee: IESG <iesg@ietf.org>




Xu, et al.              Expires July 24, 2014                 [Page 8]


Internet-Draft          Encapsulating MPLS in UDP          January 2014

     Contact : IETF Chair <chair@ietf.org>.

     Description : Encapsulate MPLS packets in UDP tunnels with DTLS.

     Reference : This document -- draft-ietf-mpls-in-udp (MPLS WG
   document).

     Port Number : TBD2 -- To be assigned by IANA.

8. Contributors

   Zhenbin Li
   Huawei Technologies,
   Beijing, China
   Phone: +86-10-60613676
   Email: lizhenbin@huawei.com

9. Acknowledgements

   Thanks to Shane Amante, Dino Farinacci, Keshava A K, Ivan Pepelnjak,
   Eric Rosen, Andrew G. Malis, Kireeti Kompella, Marshall Eubanks,
   George Swallow, Loa Andersson, Ross Callon, Vivek Kumar, Stewart
   Bryant, Wen Zhang, Curtis Villamizar, Joel M. Halpern, Scott Brim,
   Alia Atlas, Alexander Vainshtein, Joel Jaeggli, Edward Crabbe, Lars
   Eggert, Joe Touch, Lloyd Wood, Weiguo Hao, Mark Szczesniak,
   Zhenxiao Liu and Xing Tong for their valuable comments and
   suggestions on this document. Thanks to Daniel King, Gregory Mirsky
   and Eric Osborne for their valuable MPLS-RT reviews on this
   document. Special thanks to Adrian Farrel for his conscientious AD
   review and insightful suggestion of using DTLS for securing the
   MPLS-in-UDP tunnels. Thanks to Charlie Kaufman for his SecDir
   review of this document. Thanks to Nevil Brownlee for the OPSDir
   review of this document. Thanks to Roni Even for the Gen-ART review
   of this document. Thanks to Pearl Liang for the IANA review of this
   documents.

10. References

10.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
             August 1980.





Xu, et al.              Expires July 24, 2014                 [Page 9]


Internet-Draft          Encapsulating MPLS in UDP          January 2014

   [RFC3032] Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y.,
             Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack
             Encoding", RFC 3032, January 2001.

   [RFC4023] Worster, T., Rekhter, Y., and E. Rosen, "Encapsulating
             MPLS in IP or GRE", RFC4023, March 2005.

   [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
             Internet Protocol", RFC 4301, December 2005.

   [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
             Security Version 1.2", RFC 6347, January 2012.

10.2. Informative References

   [RFC4817] M. Townsley, C. Pignataro, S. Wainner, T. Seely and J.
             Young, "Encapsulation of MPLS over Layer 2 Tunneling
             Protocol Version 3", RFC4817, March 2007.

   [RFC5640] Filsfils, C., Mohapatra, P., and C. Pignataro, "Load-
             Balancing for Mesh Softwires", RFC 5640, August 2009.

   [RFC6935] Eubanks, M., Chimento, P., and M. Westerlund, "UDP
             Checksums for Tunneled Packets", RFC6935, Feburary 2013.

   [RFC6936] Fairhurst, G. and M. Westerlund, "Applicability Statement
             for the use of IPv6 UDP Datagrams with Zero Checksums",
             RFC6936, Feburary 2013.

   [RFC5405] Eggert, L. and G. Fairhurst, "Unicast UDP Usage
             Guidelines for Application Designers", RFC 5405, November
             2008.

   [RFC2474] Nichols, K., Blake, S., Baker, F. and D. Black,
             "Definition of the Differentiated Services Field (DS
             Field) in the IPv4 and IPv6 Headers", RFC2474, December
             1998.

   [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label
             for Equal Cost Multipath Routing and Link Aggregation
             in Tunnels", RFC 6438, November 2011.

   [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The
             Locator/ID Separation Protocol (LISP)", RFC 6830,
             January 2013.





Xu, et al.              Expires July 24, 2014                [Page 10]

Internet-Draft          Encapsulating MPLS in UDP          January 2014

Authors' Addresses

   Xiaohu Xu
   Huawei Technologies
   Beijing, China
   Phone: +86-10-60610041
   Email: xuxiaohu@huawei.com

   Nischal Sheth
   Juniper Networks
   1194 N. Mathilda Ave
   Sunnyvale, CA 94089
   Email: nsheth@juniper.net

   Lucy Yong
   Huawei USA
   5340 Legacy Dr.
   Plano TX75025
   Phone: 469-277-5837
   Email: Lucy.yong@huawei.com

   Carlos Pignataro
   Cisco Systems
   7200-12 Kit Creek Road
   Research Triangle Park, NC 27709
   USA
   Email: cpignata@cisco.com

   Yongbing Fan
   China Telecom
   Guangzhou, China.
   Phone: +86 20 38639121
   Email: fanyb@gsta.com