Internet Engineering Task Force (IETF) R. Bonica
Request for Comments: 7588 Juniper Networks
Category: Informational C. Pignataro
ISSN: 2070-1721 Cisco Systems
J. Touch
USC/ISI
July 2015
Internet Engineering Task Force (IETF) R. Bonica
Request for Comments: 7588 Juniper Networks
Category: Informational C. Pignataro
ISSN: 2070-1721 Cisco Systems
J. Touch
USC/ISI
July 2015
A Widely Deployed Solution to the Generic Routing Encapsulation (GRE) Fragmentation Problem
通用路由封装(GRE)分段问题的广泛部署解决方案
Abstract
摘要
This memo describes how many vendors have solved the Generic Routing Encapsulation (GRE) fragmentation problem. The solution described herein is configurable. It is widely deployed on the Internet in its default configuration.
本备忘录描述了有多少供应商解决了通用路由封装(GRE)碎片问题。本文描述的解决方案是可配置的。它以默认配置广泛部署在Internet上。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7588.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7588.
Copyright Notice
版权公告
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2015 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Requirements Language . . . . . . . . . . . . . . . . . . 5
2. Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. RFC 4459 Solutions . . . . . . . . . . . . . . . . . . . 5
2.2. A Widely Deployed Solution . . . . . . . . . . . . . . . 5
3. Implementation Details . . . . . . . . . . . . . . . . . . . 6
3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2. GRE MTU (GMTU) Estimation and Discovery . . . . . . . . . 6
3.3. GRE Ingress Node Procedures . . . . . . . . . . . . . . . 7
3.3.1. Procedures Affecting the GRE Payload . . . . . . . . 7
3.3.2. Procedures Affecting the GRE Deliver Header . . . . . 8
3.4. GRE Egress Node Procedures . . . . . . . . . . . . . . . 9
4. Security Considerations . . . . . . . . . . . . . . . . . . . 9
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.1. Normative References . . . . . . . . . . . . . . . . . . 10
5.2. Informative References . . . . . . . . . . . . . . . . . 11
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Requirements Language . . . . . . . . . . . . . . . . . . 5
2. Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. RFC 4459 Solutions . . . . . . . . . . . . . . . . . . . 5
2.2. A Widely Deployed Solution . . . . . . . . . . . . . . . 5
3. Implementation Details . . . . . . . . . . . . . . . . . . . 6
3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2. GRE MTU (GMTU) Estimation and Discovery . . . . . . . . . 6
3.3. GRE Ingress Node Procedures . . . . . . . . . . . . . . . 7
3.3.1. Procedures Affecting the GRE Payload . . . . . . . . 7
3.3.2. Procedures Affecting the GRE Deliver Header . . . . . 8
3.4. GRE Egress Node Procedures . . . . . . . . . . . . . . . 9
4. Security Considerations . . . . . . . . . . . . . . . . . . . 9
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.1. Normative References . . . . . . . . . . . . . . . . . . 10
5.2. Informative References . . . . . . . . . . . . . . . . . 11
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
Generic Routing Encapsulation (GRE) [RFC2784] [RFC2890] can be used to carry any network-layer protocol over any network-layer protocol. GRE has been implemented by many vendors and is widely deployed in the Internet.
通用路由封装(GRE)[RFC2784][RFC2890]可用于在任何网络层协议上承载任何网络层协议。GRE已被许多供应商实施,并广泛部署在互联网上。
The GRE specification does not describe fragmentation procedures. Lacking guidance from the specification, vendors have developed implementation-specific fragmentation solutions. A GRE tunnel will operate correctly only if its ingress and egress nodes support compatible fragmentation solutions. [RFC4459] describes several fragmentation solutions and evaluates their relative merits.
GRE规范没有描述分段过程。由于缺乏规范的指导,供应商开发了特定于实现的碎片化解决方案。GRE隧道只有在其入口和出口节点支持兼容的碎片解决方案时才能正常运行。[RFC4459]介绍了几种碎片解决方案,并评估了它们的相对优点。
This memo reviews the fragmentation solutions presented in [RFC4459]. It also describes how many vendors have solved the GRE fragmentation problem. The solution described herein is configurable and has been widely deployed in its default configuration.
本备忘录回顾了[RFC4459]中介绍的碎片解决方案。它还描述了有多少供应商解决了GRE碎片化问题。本文描述的解决方案是可配置的,并已在其默认配置中广泛部署。
This memo addresses point-to-point unicast GRE tunnels that carry IPv4, IPv6, or MPLS payloads over IPv4 or IPv6. All other tunnel types are beyond the scope of this document.
本备忘录涉及通过IPv4或IPv6承载IPv4、IPv6或MPLS有效负载的点对点单播GRE隧道。所有其他隧道类型不在本文件范围内。
The following terms are specific to GRE:
以下术语适用于GRE:
o GRE delivery header - an IPv4 or IPv6 header whose source address represents the GRE ingress node and whose destination address represents the GRE egress node. The GRE delivery header encapsulates a GRE header.
o GRE传递头—一个IPv4或IPv6头,其源地址表示GRE入口节点,目标地址表示GRE出口节点。GRE交付标头封装GRE标头。
o GRE header - the GRE protocol header. The GRE header is encapsulated in the GRE delivery header and encapsulates the GRE payload.
o GRE头-GRE协议头。GRE报头封装在GRE交付报头中,并封装GRE有效负载。
o GRE payload - a network-layer packet that is encapsulated by the GRE header. The GRE payload can be IPv4, IPv6, or MPLS. Procedures for encapsulating IPv4 in GRE are described in [RFC2784] and [RFC2890]. Procedures for encapsulating IPv6 in GRE are described in [IPv6-GRE]. Procedures for encapsulating MPLS in GRE are described in [RFC4023]. While other protocols may be delivered over GRE, they are beyond the scope of this document.
o GRE有效载荷-由GRE报头封装的网络层数据包。GRE有效负载可以是IPv4、IPv6或MPLS。[RFC2784]和[RFC2890]中描述了在GRE中封装IPv4的过程。[IPv6 GRE]中描述了在GRE中封装IPv6的过程。[RFC4023]中描述了在GRE中封装MPLS的过程。虽然其他协议可能通过GRE交付,但它们超出了本文件的范围。
o GRE delivery packet - a packet containing a GRE delivery header, a GRE header, and the GRE payload.
o GRE交付数据包-包含GRE交付标头、GRE标头和GRE有效负载的数据包。
o GRE payload header - the IPv4, IPv6, or MPLS header of the GRE payload.
o GRE有效负载标头-GRE有效负载的IPv4、IPv6或MPLS标头。
o GRE overhead - the combined size of the GRE delivery header and the GRE header, measured in octets.
o GRE开销-GRE交付标头和GRE标头的组合大小,以八位字节为单位。
The following terms are specific to MTU discovery:
以下术语特定于MTU发现:
o Link MTU (LMTU) - the maximum transmission unit, i.e., maximum packet size in octets, that can be conveyed over a link. LMTU is a unidirectional metric. A bidirectional link may be characterized by one LMTU in the forward direction and another LMTU in the reverse direction.
o 链路MTU(LMTU)-可通过链路传输的最大传输单元,即以八位字节为单位的最大数据包大小。LMTU是一个单向度量。双向链路的特征是一个LMTU在正向,另一个LMTU在反向。
o Path MTU (PMTU) - the minimum LMTU of all the links in a path between a source node and a destination node. If the source and destination nodes are connected through an Equal-Cost Multipath (ECMP), the PMTU is equal to the minimum LMTU of all links contributing to the multipath.
o 路径MTU(PMTU)-源节点和目标节点之间路径中所有链路的最小LMTU。如果源节点和目标节点通过等成本多路径(ECMP)连接,则PMTU等于导致多路径的所有链路的最小LMTU。
o GRE MTU (GMTU) - the maximum transmission unit, i.e., maximum packet size in octets, that can be conveyed over a GRE tunnel without fragmentation of any kind. The GMTU is equal to the PMTU associated with the path between the GRE ingress and the GRE egress nodes minus the GRE overhead.
o GRE MTU(GMTU)-最大传输单元,即以八位字节为单位的最大数据包大小,可在GRE隧道上传输,无任何碎片。GMTU等于与GRE入口和GRE出口节点之间的路径相关联的PMTU减去GRE开销。
o Path MTU Discovery (PMTUD) - a procedure for dynamically discovering the PMTU between two nodes on the Internet. PMTUD procedures for IPv4 are defined in [RFC1191]. PMTUD procedures for IPv6 are defined in [RFC1981].
o 路径MTU发现(PMTUD)-在Internet上的两个节点之间动态发现PMTU的过程。[RFC1191]中定义了IPv4的PMTUD过程。[RFC1981]中定义了IPv6的PMTUD过程。
The following terms are introduced by this memo:
本备忘录介绍了以下术语:
o Fragmentable Packet - a packet that can be fragmented by the GRE ingress node before being transported over a GRE tunnel. That is, an IPv4 packet with the Don't Fragment (DF) bit equal to 0 and whose payload is larger than 64 bytes. IPv6 packets are not fragmentable.
o 可分段数据包-在通过GRE隧道传输之前,GRE入口节点可对其进行分段的数据包。也就是说,不分段(DF)位等于0且有效负载大于64字节的IPv4数据包。IPv6数据包不可分割。
o ICMP Packet Too Big (PTB) message - an ICMPv4 [RFC792] Destination Unreachable message (Type = 3) with code equal to 4 (fragmentation needed and DF set) or an ICMPv6 [RFC4443] Packet Too Big message (Type = 2).
o ICMP数据包过大(PTB)消息-代码等于4(需要分段并设置DF)的ICMPv4[RFC792]目标不可访问消息(类型=3)或ICMPv6[RFC4443]数据包过大消息(类型=2)。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。
Section 3 of [RFC4459] identifies several tunnel fragmentation solutions. These solutions define procedures to be invoked when the tunnel ingress router receives a packet so large that it cannot be forwarded through the tunnel without fragmentation of any kind. When applied to GRE, these procedures are:
[RFC4459]第3节确定了几种隧道碎片解决方案。这些解决方案定义了当隧道入口路由器接收到如此大的数据包时要调用的过程,该数据包在没有任何碎片的情况下无法通过隧道转发。适用于GRE时,这些程序包括:
1. Discard the incoming packet and send an ICMP PTB message to the incoming packet's source.
1. 丢弃传入数据包并向传入数据包的源发送ICMP PTB消息。
2. Fragment the incoming packet and encapsulate each fragment within a complete GRE header and GRE delivery header.
2. 对传入数据包进行分段,并将每个分段封装在完整的GRE头和GRE传递头中。
3. Encapsulate the incoming packet in a single GRE header and GRE delivery header. Perform source fragmentation on the resulting GRE delivery packet.
3. 将传入数据包封装在单个GRE头和GRE传递头中。对生成的GRE传递数据包执行源分段。
As per RFC 4459, Strategy 2 is applicable only when the incoming packet is fragmentable. Also as per RFC 4459, each strategy has its relative merits and costs.
根据RFC 4459,策略2仅在传入数据包可分割时适用。同样根据RFC 4459,每种策略都有其相对的优点和成本。
Many vendors have implemented a configurable GRE fragmentation solution. In its default configuration, the solution behaves as follows:
许多供应商已经实施了可配置的GRE碎片解决方案。在其默认配置中,解决方案的行为如下:
o When the GRE ingress node receives a fragmentable packet with length greater than the GMTU, it fragments the incoming packet and encapsulates each fragment within a complete GRE header and GRE delivery header. Fragmentation logic is as specified by the payload protocol.
o 当GRE入口节点接收到长度大于GMTU的可分段数据包时,它将对传入数据包进行分段,并将每个分段封装在完整的GRE报头和GRE传送报头中。碎片逻辑由有效负载协议指定。
o When the GRE ingress node receives a non-fragmentable packet with length greater than the GMTU, it discards the packet and sends an ICMP PTB message to the packet's source.
o 当GRE入口节点接收到长度大于GMTU的不可分段数据包时,它丢弃该数据包并向数据包的源发送ICMP PTB消息。
o When the GRE egress node receives a GRE delivery packet fragment, it silently discards the fragment without attempting to reassemble the GRE delivery packet to which the fragment belongs.
o 当GRE出口节点接收到GRE传递数据包片段时,它会自动丢弃该片段,而不尝试重新组装该片段所属的GRE传递数据包。
In non-default configurations, the GRE ingress node can execute any of the procedures defined in RFC 4459.
在非默认配置中,GRE入口节点可以执行RFC 4459中定义的任何过程。
The solution described above is widely deployed on the Internet in its default configuration. However, the default configuration is not always appropriate for GRE tunnels that carry IPv6.
上述解决方案以默认配置广泛部署在Internet上。但是,默认配置并不总是适用于承载IPv6的GRE隧道。
IPv6 requires that every link in the Internet have an MTU of 1280 octets or greater. On any link that cannot convey a 1280-octet packet in one piece, link-specific fragmentation and reassembly must be provided at a layer below IPv6.
IPv6要求Internet中的每条链路都有1280个八位字节或更大的MTU。在任何不能完整传输1280个八位组数据包的链路上,必须在IPv6下的一层提供特定于链路的分段和重组。
Therefore, the default configuration is appropriate for tunnels that carry IPv6 only if the network is engineered so that the GMTU is guaranteed to be 1280 bytes or greater. In all other scenarios, a non-default configuration is required.
因此,只有当网络设计为保证GMTU为1280字节或更大时,默认配置才适用于承载IPv6的隧道。在所有其他场景中,需要非默认配置。
In the non-default configuration, when the GRE ingress router receives a packet lager than the GMTU, the GRE ingress router encapsulates the entire packet in a single GRE and delivery header. It then fragments the delivery header and sends the resulting fragments to the GRE egress node, where they are reassembled.
在非默认配置中,当GRE入口路由器接收到大于GMTU的数据包时,GRE入口路由器将整个数据包封装在单个GRE和传送报头中。然后,它对交付头进行分段,并将生成的分段发送到GRE出口节点,在那里重新组装。
This section describes how many vendors have implemented the solution described in Section 2.2.
本节描述了有多少供应商实施了第2.2节所述的解决方案。
The GRE ingress nodes satisfy all of the requirements stated in [RFC2784].
GRE入口节点满足[RFC2784]中规定的所有要求。
GRE ingress nodes support a configuration option that associates a GMTU with a GRE tunnel. By default, GMTU is equal to the MTU associated with the next hop toward the GRE egress node minus the GRE overhead.
GRE入口节点支持将GMTU与GRE隧道关联的配置选项。默认情况下,GMTU等于与朝向GRE出口节点的下一跳相关联的MTU减去GRE开销。
Typically, GRE ingress nodes further refine their GMTU estimate by executing PMTUD procedures. However, if an implementation supports PMTUD for GRE tunnels, it also includes a configuration option that
通常,GRE入口节点通过执行PMTUD过程进一步细化其GMTU估计。但是,如果一个实现支持GRE隧道的PMTUD,它还包括一个配置选项
disables PMTUD. This configuration option is required to mitigate certain denial-of-service attacks (see Section 4).
禁用PMTUD。此配置选项是缓解某些拒绝服务攻击所必需的(请参阅第4节)。
The GRE ingress node's estimate of the GMTU will not always be accurate. It is only an estimate. When the GMTU changes, the GRE ingress node will not discover that change immediately. Likewise, if the GRE ingress node performs PMTUD procedures and interior nodes cannot deliver ICMP feedback to the GRE ingress node, GMTU estimates may be inaccurate.
GRE入口节点对GMTU的估计并不总是准确的。这只是一个估计。当GMTU更改时,GRE入口节点不会立即发现该更改。同样,如果GRE入口节点执行PMTUD过程,并且内部节点无法向GRE入口节点提供ICMP反馈,则GMTU估计可能不准确。
This section defines procedures that GRE ingress nodes execute when they receive a packet whose size is greater than the relevant GMTU.
本节定义了GRE入口节点在接收到大于相关GMTU的数据包时执行的过程。
By default, if the payload is fragmentable, the GRE ingress node fragments the incoming packet and encapsulates each fragment within a complete GRE header and GRE delivery header. Therefore, the GRE egress node receives several complete, non-fragmented delivery packets. Each delivery packet contains a fragment of the GRE payload. The GRE egress node forwards the payload fragments to their ultimate destination where they are reassembled.
默认情况下,如果有效负载是可分段的,GRE入口节点将对传入数据包进行分段,并将每个分段封装在完整的GRE报头和GRE交付报头中。因此,GRE出口节点接收几个完整的、非分段的递送分组。每个交付数据包包含GRE有效负载的一个片段。GRE出口节点将有效负载片段转发到它们的最终目的地,在那里重新组装它们。
Also by default, if the payload is not fragmentable, the GRE ingress node discards the packet and sends an ICMPv4 Destination Unreachable message to the packet's source. The ICMPv4 Destination Unreachable message code equals 4 (fragmentation needed and DF set). The ICMPv4 Destination Unreachable message also contains a next-hop MTU (as specified by [RFC1191]), and the next-hop MTU is equal to the GMTU associated with the tunnel.
此外,默认情况下,如果有效负载不可分割,GRE入口节点将丢弃该数据包,并向该数据包的源发送ICMPv4目的地不可访问消息。ICMPv4目标不可到达消息代码等于4(需要分段并设置DF)。ICMPv4目的地不可到达消息还包含下一跳MTU(由[RFC1191]指定),下一跳MTU等于与隧道关联的GMTU。
The GRE ingress node supports a non-default configuration option that invokes an alternative behavior. If that option is configured, the GRE ingress node fragments the delivery packet. See Section 3.3.2 for details.
GRE入口节点支持调用替代行为的非默认配置选项。如果配置了该选项,GRE入口节点将对传递数据包进行分段。详见第3.3.2节。
By default, the GRE ingress node discards the packet and sends an ICMPv6 [RFC4443] Packet Too Big message to the payload source. The MTU specified in the Packet Too Big message is equal to the GMTU associated with the tunnel.
默认情况下,GRE入口节点丢弃该数据包,并向有效负载源发送ICMPv6[RFC4443]数据包过大消息。数据包过大消息中指定的MTU等于与隧道关联的GMTU。
The GRE ingress node supports a non-default configuration option that invokes an alternative behavior. If that option is configured, the GRE ingress node fragments the delivery packet. See Section 3.3.2 for details.
GRE入口节点支持调用替代行为的非默认配置选项。如果配置了该选项,GRE入口节点将对传递数据包进行分段。详见第3.3.2节。
By default, the GRE ingress node discards the packet. As it is impossible to reliably identify the payload source, the GRE ingress node does not attempt to send an ICMP PTB message to the payload source.
默认情况下,GRE入口节点丢弃数据包。由于不可能可靠地识别有效负载源,GRE入口节点不尝试向有效负载源发送ICMP PTB消息。
The GRE ingress node supports a non-default configuration option that invokes an alternative behavior. If that option is configured, the GRE ingress node fragments the delivery packet. See Section 3.3.2 for details.
GRE入口节点支持调用替代行为的非默认配置选项。如果配置了该选项,GRE入口节点将对传递数据包进行分段。详见第3.3.2节。
By default, the GRE ingress node does not fragment delivery packets. However, the GRE ingress node includes a configuration option that allows delivery packet fragmentation.
默认情况下,GRE入口节点不会对交付数据包进行分段。然而,GRE入口节点包括允许传送分组分段的配置选项。
By default, the GRE ingress node sets the DF bit in the delivery header to 1 (Don't Fragment). However, the GRE ingress node also supports a configuration option that invokes the following behavior:
默认情况下,GRE入口节点将传递头中的DF位设置为1(不分段)。但是,GRE入口节点还支持调用以下行为的配置选项:
o When the GRE payload is IPv6, the DF bit on the delivery header is set to 0 (Fragments Allowed).
o 当GRE有效负载为IPv6时,传递头上的DF位设置为0(允许碎片)。
o When the GRE payload is IPv4, the DF bit is copied from the payload header to the delivery header.
o 当GRE有效负载为IPv4时,DF位从有效负载标头复制到传递标头。
When the DF bit on an IPv4 delivery header is set to 0, the GRE delivery packet can be fragmented by any router between the GRE ingress and egress nodes.
当IPv4传递头上的DF位设置为0时,GRE传递数据包可由GRE入口和出口节点之间的任何路由器分段。
If the GRE egress node is configured to support reassembly, it will reassemble fragmented delivery packets. Otherwise, the GRE egress node will discard delivery packet fragments.
如果GRE出口节点被配置为支持重新组装,则它将重新组装碎片传递数据包。否则,GRE出口节点将丢弃递送分组片段。
By default, the GRE ingress node does not fragment delivery packets. However, the GRE ingress node includes a configuration option that allows this.
默认情况下,GRE入口节点不会对交付数据包进行分段。但是,GRE入口节点包括允许此操作的配置选项。
If the GRE egress node is configured to support reassembly, it will reassemble fragmented delivery packets. Otherwise, the GRE egress node will discard delivery packet fragments.
如果GRE出口节点被配置为支持重新组装,则它将重新组装碎片传递数据包。否则,GRE出口节点将丢弃递送分组片段。
By default, the GRE egress node silently discards GRE delivery packet fragments without attempting to reassemble the GRE delivery packets to which the fragments belongs.
默认情况下,GRE出口节点无提示地丢弃GRE传递数据包片段,而不尝试重新组装片段所属的GRE传递数据包。
However, the GRE egress node supports a configuration option that allows it to reassemble GRE delivery packets.
但是,GRE出口节点支持一个配置选项,允许它重新组装GRE传递数据包。
In the GRE fragmentation solution described above, either the GRE payload or the GRE delivery packet can be fragmented. If the GRE payload is fragmented, it is typically reassembled at its ultimate destination. If the GRE delivery packet is fragmented, it is typically reassembled at the GRE egress node.
在上面描述的GRE分段解决方案中,GRE有效载荷或GRE递送分组都可以被分段。如果GRE有效载荷是碎片化的,通常在其最终目的地重新组装。如果GRE传递数据包是分段的,则通常在GRE出口节点重新组装。
The packet reassembly process is resource intensive and vulnerable to several denial-of-service attacks. In the simplest attack, the attacker sends fragmented packets more quickly than the victim can reassemble them. In a variation on that attack, the first fragment of each packet is missing so that no packet can ever be reassembled.
数据包重组过程是资源密集型的,容易受到几次拒绝服务攻击。在最简单的攻击中,攻击者发送碎片数据包的速度快于受害者重新组装数据包的速度。在该攻击的变体中,每个数据包的第一个片段丢失,因此无法重新组装数据包。
Given that the packet reassembly process is resource intensive and vulnerable to denial-of-service attacks, operators should decide where the reassembly process is best performed. Having made that decision, they should decide whether to fragment the GRE payload or GRE delivery packet accordingly.
考虑到数据包重组过程是资源密集型的,并且容易受到拒绝服务攻击,运营商应该决定重组过程最好在哪里执行。做出该决定后,他们应该决定是相应地分割GRE有效负载还是GRE交付数据包。
Some IP implementations are vulnerable to the Overlapping Fragment Attack [RFC1858]. This vulnerability is not specific to GRE and needs to be considered in all environments where IP fragmentation is present. [RFC3128] describes a procedure by which IPv4 implementations can partially mitigate the vulnerability. [RFC5722] mandates a procedure by which IPv6-compliant implementations are required to mitigate the vulnerability. The procedure described in
某些IP实现容易受到重叠碎片攻击[RFC1858]。此漏洞不是GRE特有的,需要在存在IP碎片的所有环境中考虑。[RFC3128]描述了IPv4实现可以部分缓解漏洞的过程。[RFC5722]强制执行一个过程,通过该过程,需要符合IPv6的实施来缓解该漏洞。中所述的步骤
RFC 5722 completely mitigates the vulnerability. Operators SHOULD ensure that the vulnerability is mitigated to their satisfaction on equipment that they deploy.
RFC 5722完全缓解了该漏洞。操作员应确保在其部署的设备上缓解漏洞,使其满意。
PMTUD is vulnerable to two denial-of-service attacks (see Section 8 of [RFC1191] for details). Both attacks are based upon on a malicious party sending forged ICMPv4 Destination Unreachable or ICMPv6 Packet Too Big messages to a host. In the first attack, the forged message indicates an inordinately small PMTU. In the second attack, the forged message indicates an inordinately large MTU. In both cases, throughput is adversely affected. In order to mitigate such attacks, GRE implementations include a configuration option to disable PMTUD on GRE tunnels. Also, they can include a configuration option that conditions the behavior of PMTUD to establish a minimum PMTU.
PMTUD容易受到两次拒绝服务攻击(有关详细信息,请参阅[RFC1191]第8节)。这两种攻击都基于恶意方向主机发送伪造的ICMPv4目的地不可访问或ICMPv6数据包过大消息。在第一次攻击中,伪造消息表示PMTU过小。在第二次攻击中,伪造消息表示MTU过大。在这两种情况下,吞吐量都会受到不利影响。为了减轻此类攻击,GRE实现包括一个配置选项,用于在GRE隧道上禁用PMTUD。此外,它们还可以包括一个配置选项,该选项对PMTUD的行为进行调节,以建立最小的PMTU。
[RFC792] Postel, J., "Internet Control Message Protocol", STD 5, RFC 792, DOI 10.17487/RFC0792, September 1981, <http://www.rfc-editor.org/info/rfc792>.
[RFC792]Postel,J.,“互联网控制消息协议”,STD 5,RFC 792,DOI 10.17487/RFC0792,1981年9月<http://www.rfc-editor.org/info/rfc792>.
[RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC 1191, DOI 10.17487/RFC1191, November 1990, <http://www.rfc-editor.org/info/rfc1191>.
[RFC1191]Mogul,J.和S.Deering,“MTU发现路径”,RFC 1191,DOI 10.17487/RFC1191,1990年11月<http://www.rfc-editor.org/info/rfc1191>.
[RFC1858] Ziemba, G., Reed, D., and P. Traina, "Security Considerations for IP Fragment Filtering", RFC 1858, DOI 10.17487/RFC1858, October 1995, <http://www.rfc-editor.org/info/rfc1858>.
[RFC1858]Ziemba,G.,Reed,D.,和P.Trana,“IP片段过滤的安全考虑”,RFC 1858,DOI 10.17487/RFC1858,1995年10月<http://www.rfc-editor.org/info/rfc1858>.
[RFC1981] McCann, J., Deering, S., and J. Mogul, "Path MTU Discovery for IP version 6", RFC 1981, DOI 10.17487/RFC1981, August 1996, <http://www.rfc-editor.org/info/rfc1981>.
[RFC1981]McCann,J.,Deering,S.,和J.Mogul,“IP版本6的路径MTU发现”,RFC 1981,DOI 10.17487/RFC19811996年8月<http://www.rfc-editor.org/info/rfc1981>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.
[RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, DOI 10.17487/RFC2784, March 2000, <http://www.rfc-editor.org/info/rfc2784>.
[RFC2784]Farinaci,D.,Li,T.,Hanks,S.,Meyer,D.,和P.Traina,“通用路由封装(GRE)”,RFC 2784,DOI 10.17487/RFC27842000年3月<http://www.rfc-editor.org/info/rfc2784>.
[RFC2890] Dommety, G., "Key and Sequence Number Extensions to GRE", RFC 2890, DOI 10.17487/RFC2890, September 2000, <http://www.rfc-editor.org/info/rfc2890>.
[RFC2890]Dommety,G.,“GRE的密钥和序列号扩展”,RFC 2890,DOI 10.17487/RFC2890,2000年9月<http://www.rfc-editor.org/info/rfc2890>.
[RFC3128] Miller, I., "Protection Against a Variant of the Tiny Fragment Attack (RFC 1858)", RFC 3128, DOI 10.17487/RFC3128, June 2001, <http://www.rfc-editor.org/info/rfc3128>.
[RFC3128]Miller,I.,“防止微小碎片攻击的变体(RFC 1858)”,RFC 3128,DOI 10.17487/RFC3128,2001年6月<http://www.rfc-editor.org/info/rfc3128>.
[RFC4023] Worster, T., Rekhter, Y., and E. Rosen, Ed., "Encapsulating MPLS in IP or Generic Routing Encapsulation (GRE)", RFC 4023, DOI 10.17487/RFC4023, March 2005, <http://www.rfc-editor.org/info/rfc4023>.
[RFC4023]Worster,T.,Rekhter,Y.,和E.Rosen,编辑,“在IP或通用路由封装(GRE)中封装MPLS”,RFC 4023,DOI 10.17487/RFC4023,2005年3月<http://www.rfc-editor.org/info/rfc4023>.
[RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification", RFC 4443, DOI 10.17487/RFC4443, March 2006, <http://www.rfc-editor.org/info/rfc4443>.
[RFC4443]Conta,A.,Deering,S.,和M.Gupta,Ed.,“互联网协议版本6(IPv6)规范的互联网控制消息协议(ICMPv6)”,RFC 4443,DOI 10.17487/RFC4443,2006年3月<http://www.rfc-editor.org/info/rfc4443>.
[RFC5722] Krishnan, S., "Handling of Overlapping IPv6 Fragments", RFC 5722, DOI 10.17487/RFC5722, December 2009, <http://www.rfc-editor.org/info/rfc5722>.
[RFC5722]Krishnan,S.,“重叠IPv6片段的处理”,RFC 5722,DOI 10.17487/RFC5722,2009年12月<http://www.rfc-editor.org/info/rfc5722>.
[IPv6-GRE] Pignataro, C., Bonica, R., and S. Krishnan, "IPv6 Support for Generic Routing Encapsulation (GRE)", Work in Progress, draft-ietf-intarea-gre-ipv6-10, June 2015.
[IPv6 GRE]Pignataro,C.,Bonica,R.,和S.Krishnan,“对通用路由封装(GRE)的IPv6支持”,正在进行的工作,草稿-ietf-intarea-GRE-IPv6-102015年6月。
[RFC4459] Savola, P., "MTU and Fragmentation Issues with In-the-Network Tunneling", RFC 4459, DOI 10.17487/RFC4459, April 2006, <http://www.rfc-editor.org/info/rfc4459>.
[RFC4459]Savola,P.,“网络隧道中的MTU和碎片问题”,RFC 4459,DOI 10.17487/RFC4459,2006年4月<http://www.rfc-editor.org/info/rfc4459>.
Acknowledgements
致谢
The authors would like to thank Fred Baker, Fred Detienne, Jagadish Grandhi, Jeff Haas, Brian Haberman, Vanitha Neelamegam, Masataka Ohta, John Scudder, Mike Sullenberger, Tom Taylor, and Wen Zhang for their constructive comments. The authors also express their gratitude to Vanessa Ameen, without whom this memo could not have been written.
作者要感谢Fred Baker、Fred Detiene、Jagadish Grandhi、Jeff Haas、Brian Haberman、Vanitha Neelamgam、Masataka Ohta、John Scudder、Mike Sullenberger、Tom Taylor和Wen Zhang的建设性评论。作者还对瓦内萨·阿梅恩表示感谢,没有她,这份备忘录就不可能写成。
Authors' Addresses
作者地址
Ron Bonica Juniper Networks 2251 Corporate Park Drive Herndon, Virginia 20170 United States
Ron Bonica Juniper Networks 2251公司公园大道Herndon,弗吉尼亚州,20170
Email: rbonica@juniper.net
Email: rbonica@juniper.net
Carlos Pignataro Cisco Systems 7200-12 Kit Creek Road Research Triangle Park, North Carolina 27709 United States
Carlos Pignataro Cisco Systems 7200-12 Kit Creek Road Research Triangle Park,美国北卡罗来纳州27709
Email: cpignata@cisco.com
Email: cpignata@cisco.com
Joe Touch USC/ISI 4676 Admiralty Way Marina del Rey, California 90292-6695 United States
Joe Touch USC/ISI 4676美国加利福尼亚州Marina del Rey金钟路90292-6695号
Phone: +1 (310) 448-9151
Email: touch@isi.edu
URI: http://www.isi.edu/touch
Phone: +1 (310) 448-9151
Email: touch@isi.edu
URI: http://www.isi.edu/touch