Internet Engineering Task Force                             G. Fairhurst
Internet-Draft                                                  T. Jones
Updates: 4821 (if approved)                       University of Aberdeen
Intended status: Standards Track                  University of Aberdeen
Expires: September 6, 2018                               M. Tuexen
Expires: December 08, 2018                                  I. Ruengeler
                                 Muenster University of Applied Sciences
                                                          March 05,
                                                           June 08, 2018

     Packetization Layer Path MTU Discovery for Datagram Transports
                  draft-ietf-tsvwg-datagram-plpmtud-01
                  draft-ietf-tsvwg-datagram-plpmtud-02

Abstract

   This document describes a robust method for Path MTU Discovery
   (PMTUD) for datagram Packetization layers.  The document describes an
   extension to RFC 1191 and RFC 8201, which specifies ICMP-based Path
   MTU Discovery for IPv4 and IPv6. The method allows a Packetization
   Layer (PL), or a datagram application that uses a PL, to discover
   whether a network path can support the current size of datagram and
   to probe an a network path with progressively larger packets to
   determine find
   whether the maxium packet size can be increased.  This allows a maximum
   sender to determine an appropriate packet size.  The document describes an extension
   to RFC 1191 and RFC 8201, which specify ICMP-based Path MTU Discovery
   for IPv4 and IPv6.  This provides
   functionally for datagram transports that is equivalent to the
   Packetization layer PMTUD specification for TCP, specified in
   RFC4821.

   The document also provides implementation notes for incorporating
   Datagram PMTUD into IETF Datagram transports or applications that use
   transports.

   When published, this specification updates RFC4821.

Status of This this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."
   This Internet-Draft will expire on September 6, December 08, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) (http://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Classical Path MTU Discovery . . . . . . . . . . . . . . .  3
     1.2.  Packetization Layer Path MTU Discovery . . . . . . . . . .  4
     1.3.  Path MTU Discovery for Datagram Services . . . . . . . . .  5
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  6
   3.  Features Required to Provide Datagram PLPMTUD  . . . . . . . .   7  8
     3.1.  PMTU  PLPMTU Probe Packets . . . . . . . . . . . . . . . . . . . 10
     3.2.  Validation of the Current Effective PMTU Probe Packet Size  . . . . . . . . . . . . . 11
     3.3.  Reduction of  Reducing the Effective PMTU PLPMTU: Confirming Path Characteristics . . . 12
     3.4.  Increasing the PLPMTU: Supporting Path Changes . . . . . . 12
     3.5.  Robustness to inconsistent Path information  . . . . .  11 . . 12
   4.  Datagram Packetization Layer PMTUD . . . . . . . . . . . . .  12 . 13
     4.1.  PROBE_SEARCH: Probing for a larger PLPMTU  . . . . . . . . 13
     4.2.  The PROBE_DONE state . . . . . . . . . . . . . . . . . . .  12
     4.2. 14
     4.3.  Verification and Use of PTB Messages . . . . . . . . . .  13
     4.3. . 14
     4.4.  Timers . . . . . . . . . . . . . . . . . . . . . . . . .  13
     4.4. . 14
     4.5.  Constants  . . . . . . . . . . . . . . . . . . . . . . . .  14
     4.5. 15
     4.6.  Variables  . . . . . . . . . . . . . . . . . . . . . . . .  14
     4.6. 16
     4.7.  Selecting PROBED_SIZE  . . . . . . . . . . . . . . . . . .  15
     4.7. 16
     4.8.  Black Hole Detection . . . . . . . . . . . . . . . . . . . 17
     4.9.  State Machine  . . . . . . . . . . . . . . . . . . . . . .  15 17
   5.  Specification of Protocol-Specific Methods . . . . . . . . .  18 . 20
     5.1.  DPLPMTUD  Application support for DPLPMTUD with UDP and or UDP-Lite  . . 20
       5.1.1.  Application Request  . . . . . . . . . . . .  18
       5.1.1.  UDP Options . . . . . . . 20
       5.1.2.  Application Response . . . . . . . . . . . . . .  18
       5.1.2.  UDP Options Required for PLPMTUD . . . 20
       5.1.3.  Sending Application Probe Packets  . . . . . . .  18
         5.1.2.1.  Echo Request Option . . . 21
       5.1.4.  Validating the Path  . . . . . . . . . . . .  19
         5.1.2.2.  Echo Response Option . . . . . 21
       5.1.5.  Handling of PTB Messages . . . . . . . . .  19
       5.1.3.  Sending UDP-Option Probe Packets . . . . . . 21
     5.2.  DPLPMTUD with UDP Options  . . . .  19
       5.1.4.  Validating the Path with . . . . . . . . . . . . 21
       5.2.1.  UDP Options Request Option . . . . . . . .  20
       5.1.5.  Handling of PTB Messages by . . . . . . . . . . 22
       5.2.2.  UDP Response Option  . . . . . . . . . . .  20
     5.2. . . . . . . 22
     5.3.  DPLPMTUD for SCTP  . . . . . . . . . . . . . . . . . . . .  20
       5.2.1. 22
       5.3.1.  SCTP/IP4 and SCTP/IPv6 . . . . . . . . . . . . . . .  20
         5.2.1.1. . 22
         5.3.1.1.  Sending SCTP Probe Packets . . . . . . . . . . .  20
         5.2.1.2. . 22
         5.3.1.2.  Validating the Path with SCTP  . . . . . . . . . .  21
         5.2.1.3. 23
         5.3.1.3.  PTB Message Handling by SCTP . . . . . . . . . .  21
       5.2.2. . 23

       5.3.2.  DPLPMTUD for SCTP/UDP  . . . . . . . . . . . . . . . .  21
         5.2.2.1. 23
         5.3.2.1.  Sending SCTP/UDP Probe Packets . . . . . . . . .  21
         5.2.2.2. . 23
         5.3.2.2.  Validating the Path with SCTP/UDP  . . . . . . . .  21
         5.2.2.3. 23
         5.3.2.3.  Handling of PTB Messages by SCTP/UDP . . . . . .  21
       5.2.3. . 24
       5.3.3.  DPLPMTUD for SCTP/DTLS . . . . . . . . . . . . . . .  22
         5.2.3.1. . 24
         5.3.3.1.  Sending SCTP/DTLS Probe Packets  . . . . . . . . .  22
         5.2.3.2. 24
         5.3.3.2.  Validating the Path with SCTP/DTLS . . . . . . .  22
         5.2.3.3. . 24
         5.3.3.3.  Handling of PTB Messages by SCTP/DTLS  . . . . . .  22
     5.3.  PMTUD 24
     5.4.  DPLPMTUD for QUIC  . . . . . . . . . . . . . . . . . . . . .  22
       5.3.1. 24
       5.4.1.  Sending QUIC Probe Packets . . . . . . . . . . . . .  22
       5.3.2. . 24
       5.4.2.  Validating the Path with QUIC  . . . . . . . . . . . .  23
       5.3.3. 25
       5.4.3.  Handling of PTB Messages by QUIC . . . . . . . . . .  23
     5.4.  Other IETF Transports . . . . . . . . . . . . . . . . . .  23
     5.5.  DPLPMTUD by Applications  . . . . . . . . . . . . . . . .  23 25
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  24 . 25
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  24 25
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . .  24 26
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . .  24 . 26
     9.1.  Normative References . . . . . . . . . . . . . . . . . .  24 . 26
     9.2.  Informative References . . . . . . . . . . . . . . . . .  26 . 28
   Appendix A. Event-driven state changes . . . . . . . . . . . . .  26 . 28
   Appendix B. Revision Notes . . . . . . . . . . . . . . . . . . .  29 . 31
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .  30 . 32

1.  Introduction

   The IETF has specified datagram transport using UDP, SCTP, and DCCP,
   as well as protocols layered on top of these transports (e.g., SCTP/
   UDP, DCCP/UDP). DCCP/UDP) and directly over the IP network layer.  This document
   describes a robust method for Path MTU Discovery (PMTUD) that may be
   used with these transport protocols (or the applications that use
   their transport service) to discover an appropriate size of packet to
   use across an Internet path.

1.1.  Classical Path MTU Discovery

   Classical Path Maximum Transmission Unit Discovery (PMTUD) can be
   used with any transport that is able to process ICMP Packet Too Big
   (PTB) messages (e.g., [RFC1191] and [RFC8201]). The term PTB message
   is applied to both IPv4 ICMP Unreachable messages (type 3) that carry
   the error Fragmentation Needed (Type 3, Code 4) and ICMPv6 packet too
   big messages (Type 2). When a sender receives a PTB message, it
   reduces the effective Path MTU (PMTU) to the value reported as the Link MTU in
   the PTB message, and a method that from time-to-time increases the
   packet size in attempt to discover an increase in the supported PMTU.
   The packets sent with a size larger than the current effective PMTU
   are known as probe packets.

   Packets not intended as probe packets are either fragmented to the
   current effective PMTU, or the attempt to send fails with an error
   code.  Applications are sometimes provided with a primitive to let
   them read the maximum packet size, derived from the current effective
   PMTU.

   Classical PMTUD is subject to protocol failures.  One failure arises
   when traffic using a packet size larger than the actual supported PMTU is
   black-holed (all datagrams sent with this size size, or larger, are
   silently discarded without the sender receiving ICMP PTB messages. messages).
   This could arise when the ICMP PTB messages are not delivered back to the
   sender for some reason [RFC2923]). For example, ICMP messages are
   increasingly filtered by middleboxes (including firewalls) [RFC4890].  Also, in
   some
   A stateful firewall could be configured with a policy to block
   incoming ICMP messages, which would prevent reception of PTB messages
   to endpoints behind this firewall.  Other examples include cases
   where PTB messages are not correctly processed processed/generated by tunnel
   endpoints.

   Another failure could result if a node that is not on the network
   path sends a PTB message that attempts to force the sender to change
   the effective PMTU [RFC8201].  A sender can protect itself from
   reacting to such messages by utilising the quoted packet within the a PTB
   message payload to verify that the received PTB message was generated
   in response to a packet that had actually been sent. originated from the sender.
   However, there are situations where a sender would be unable to
   provide this verification.

   Examples where verification is not possible include:

   o  When the router issuing the ICMP message is acting on a tunneled
      packet
      packet, the ICMP message is will be directed to the tunnel endpoint.
      This tunnel endpoint is responsible for processed in forwardiung the ICMP
      message and also processing the quoted packet in within the payload
      field to remove the effect of the tunnel, and return the a correctly
      fromatted ICMP message to the sender.  Failure to do this results
      in black-
      holing. black-holing.

   o  When the a router issuing the ICMP message implements RFC792
      [RFC0792], which it is only requires required the quoted payload to include the first 64 bits of
      the IP payload of the packet, and the ICMP
      message occurs packet within a tunnel. the quoted payload.This may be
      insufficient to perfom the tunnel processing described in the
      previous bullet.  Even if the decpasulated decapsulated message is processed by
      the tunnel endpoint, there could be insufficient bytes remaining
      for the sender to read interpret the quoted transport information.
      RFC1812 [RFC1812] requires routers to return the full packet if
      possible, often the case for IPv4 when used the path includes
      tunnels; or where the packet has been encapsulated/
      tunneled encapsulated/tunneled over
      an encrypted transport and it is not possible to determine the
      original transport header ).

   o  Even when the PTB message includes sufficient bytes of the quoted
      packet, the network layer could lack sufficient context to perform
      verification, because this depends on information about the active
      transport flows at an endpoint node (e.g., the socket/address
      pairs being used, and other protocol header information).

1.2.  Packetization Layer Path MTU Discovery
   The term Packetization Layer (PL) has been introduced to describe the
   layer that is responsible for placing data blocks into the payload of
   IP packets and selecting an appropriate maximum packet size. Maximum Packet Size (MPS).
   This function is often performed by a transport protocol, but can
   also be performed by other encapsulation methods working above the
   transport.
   PTB verification is more straight forward at the PL or at a higher
   layer.

   In contrast to PMTUD, Packetization Layer Path MTU Discovery
   (PLPMTUD) [RFC4821] does not rely upon reception and verification of
   PTB messages.  It is therefore more robust than Classical PMTUD. This
   has become the recommended approach for implementing PMTU discovery
   with TCP.

   It uses a general strategy where the PL sends probe packet to search
   for an appropriate PMTU. the largest size of unfragmented datagram that can be sent over a
   path.  The probe packets are sent with a progressively larger packet
   size.  If a probe packet is successfully delivered (as determined by
   the PL), then the effective Path MTU PLPMTU is raised to the size of the successful
   probe.  If no response is received to a probe packet, the method
   reduces the probe size.  This PLPMTU is used to set the application
   MPS.

   PLPMTUD introduces flexibility in the implementation of PMTU
   discovery.  At one extreme, it can be configured to only perform PTB
   black hole detection and recovery to increase the robustness of
   Classical PMTUD, or at the other extreme, all PTB processing can be
   disabled and PLPMTUD can completely replace Classical PMTUD.

   PLPMTUD can also include additional consistency checks without
   increasing the risk of increased black-holing.  For instance,the
   information available at the PL, or higher layers, makes PTB
   verification more straight forward.

1.3.  Path MTU Discovery for Datagram Services

   Section 4 of this document presents a set of algorithms for datagram
   protocols to discover a maximum size for the effective PMTU across largest size of unfragmented datagram that
   can be sent over a path.  The methods method described rely relies on features of
   the PL Section 3 and apply to transport protocols operating over IPv4
   and IPv6. It does not require cooperation from the lower layers (except that they are consistent
   about which packet sizes are acceptable).  A method layers,
   although it can utilise ICMP PTB messages when these received
   messages are made available to the PL.

   The UDP-Guidelines UDP Usage Guidelines [RFC8085] state "an application SHOULD
   either use the Path MTU information provided by the IP layer or
   implement Path MTU Discovery (PMTUD)", but does not provide a
   mechanism for discovering the largest size of unfragmented datagram
   than can be used on a path.  Prior to this document, PLPMTUD had not
   been specified for UDP.

   Section 10.2 of [RFC4821] recommends a PLPMTUD probing method for the
   Stream Control Transport Protocol (SCTP). SCTP utilises heartbeat
   messages as probe packets, but RFC4821 does not provide a complete
   specification.  This document provides the details to complete that
   specification.

   The Datagram Congestion Control Protocol (DCCP) [RFC4340] requires
   implementations to support Classical PMTUD and states that a DCCP
   sender "MUST maintain the maximum packet size (MPS) MPS allowed for each active DCCP session".
   It also defines the current congestion control
   maximum packet size MPS (CCMPS) supported
   by a path.  This recommends use of PMTUD, and suggests use of control
   packets (DCCP-Sync) as path probe packets, because they do not risk
   application data loss.  The method defined in this specification
   could be used with DCCP.

   Section 5 specifies the method for a set of transports, and provides
   information to enables the implementation of PLPMTUD with other
   datagram transports and applications that use datagram transports.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Other terminology is directly copied from [RFC4821], and the
   definitions in [RFC1122].

   Black-Holed: When the sender is unaware that packets are not
      delivered to the destination endpoint (e.g., when the sender
      transmits packets of a particular size with a previously known
      PMTU,
      effective PMTU (also refered to as the PLPMTU), but is unaware of
      a change to the path that resulted in a smaller PMTU). PLPMTU).

   Classical Path MTU Discovery: Classical PMTUD is a process described
      in [RFC1191] and [RFC8201], in which nodes rely on PTB messages to
      learn the largest size of unfragmented datagram than can be used
      across a path.

   Datagram: A datagram is a transport-layer protocol data unit,
      transmitted in the payload of an IP packet.

   Effective PMTU: The current estimated value for PMTU that is used by
      a Packetization Layer. PMTUD. This is equivalent to the PLPMTU derived by PLPMTUD.

   EMTU_S: The Effective MTU for sending (EMTU_S) is defined in
      [RFC1122] as "the maximum IP datagram size that may be sent, for a
      particular combination of IP source and destination addresses...".

   EMTU_R: The Effective MTU for receiving (EMTU_R) is designated in
      [RFC1122] as the largest datagram size that can be reassembled by
      EMTU_R ("Effective MTU to receive").

   Link: A communication facility or medium over which nodes can
      communicate at the link layer, i.e., a layer below the IP layer.
      Examples are Ethernet LANs and Internet (or higher) layer and
      tunnels.

   Link MTU: The Maximum Transmission Unit (MTU) is the size in bytes of
      the largest IP packet, including the IP header and payload, that
      can be transmitted over a link.  Note that this could more
      properly be called the IP MT, MTU, to be consistent with how other
      standards organizations use the acronym MT. This includes the IP
      header, but excludes link layer headers and other framing that is
      not part of IP or the IP payload.  Other standards organizations
      generally define link MTU to include the link layer headers.

   MPS: The Maximum Packet Size (MPS), (MPS) is the largest size of application
      data block that can be sent unfragmented across a path.  In
      PLPMTUD
      DPLPMTUD this quantity is derived from Effective PMTU PLPMTU by taking into
      consideration the size of the application and lower protocol layer headers, and can be limited by the application protocol.
      headers.

   Packet: An IP header plus the IP payload.

   Packetization Layer (PL): The layer of the network stack that places
      data into packets and performs transport protocol functions.

   Path: The set of link and routers traversed by a packet between a
      source node and a destination node. node by a particular flow.

   Path MTU (PMTU): The minimum of the link Link MTU of all the links forming
      a path between a source node and a destination node.

   PLPMTU: The estimate of the actual PMTU provided by the DPLPMTUD
      algorithm.

   PLPMTUD: Packetization Layer Path MTU Discovery, the method described
      in this document for datagram PLs, which is an extension to
      Classical PMTU Discovery.

   Probe packet: A datagram sent with a purposely chosen size (typically
      larger than the current Effective PMTU or MPS) PLPMTU) to detect if messages packets of this size
      can be successfully sent along end-toend across the
      end-to-end network path.

3.  Features Required to Provide Datagram PLPMTUD

   TCP PLPMTUD has been defined using standard TCP protocol mechanisms.
   All of the requirements in [RFC4821] also apply to use of the
   technique with a datagram PL. Unlike TCP, some datagram PLs require
   additional mechanisms to implement PLPMTUD.

   There are nine eight requirements for performing the datagram PLPMTUD
   method described in this specification:

   1.  PMTU parameters: A PLPMTUD DPLPMTUD sender is REQUIRED RECOMMENDED to provide
       information about the maximum size of packet that can be
       transmitted by the sender on the local link (the link MTU and local Link MTU).
       It MAY utilize similar information about the receiver when this
       is supplied (note this could be less than EMTU_R).  Some
       applications also have a maximum transport protocol data unit
       (PDU) size, in which case there This avoids
       implementations trying to send probe packets that can not be
       transmited by the local link.  Too high a value may reduce the
       efficiency of the search algorithm.  Some applications also have
       a maximum transport protocol data unit (PDU) size, in which case
       there is no benefit from probing for a size larger than this
       (unless a transport allows multiplexing multiple applications
       PDUs into the same datagram).

   2.  Effective PMTU:  PLPMTU: A datagram application MUST be able to choose the size of
       datagrams sent to the network, up to the effective PMTU, PLPMTU, or a smaller
       value (such as the MPS) derived from this.  This value is managed
       by the PMTUD DPLPMTUD method.  The PLPMTU (specified as the effective
       PMTU
       (specified in Section 1 of [RFC1191]) is equivalent to the EMTU_S
       (specified in [RFC1122]).

   3.  Probe packets: On request, a PLPMTUD sender is REQUIRED to be
       able to transmit a packet larger than the current effective PMTU
       (but always with a total size less than the link MTU).  The
       method PLMPMTU. This can use this as be
       uses to send a probe packet.  In IPv4, a probe packet
       is always MUST be
       sent with the Don't Fragment (DF) bit set in the IP header, and
       without network layer endpoint fragmentation.  In IPv6, a probe
       packet is always sent without source fragmentation (as specified
       in section 5.4 of [RFC8201]).

   4.  Processing PTB messages: A PLPMTUD DPLPMTUD sender MAY optionally utilize
       PTB messages received from the network layer to help identify
       when a path does not support the current size of packet probe.
       Any received PTB message SHOULD/MUST MUST be verified before it is used to
       update the PMTU PLPMTU discovery information [RFC8201].  This
       verification confirms that the PTB message was sent in response
       to a packet originating by the sender, and needs to be performed
       before the PMTU PLPMTU discovery method reacts to the PTB message.
       When the router link MTU is indicated in the PTB message this MAY
       be used by datagram PLPMTUD DPLPMTUD to reduce the probe size of a probe, but MUST NOT be used
       to increase the effective PMTU PLPMTU ([RFC8201]). Verification SHOULD utilise
       information that can not be simply determined by an off-path
       attacker, for example, by checking the value of a protocol header
       field known only to the two PL endpoints.  (Some datagram
       applications use well-known source and destination ports and
       therefore this check needs to rely on other information.)

   5.  Reception feedback: The destination PL endpoint is REQUIRED to
       provide a feedback method that indicates to the PLPMTUD DPLPMTUD sender
       when a probe packet has been received by the destination PL
       endpoint.  The local PL endpoint at the sending node is REQUIRED
       to pass this feedback to the sender-side PLPMTUD DPLPMTUD method.

   6.  Probing and congestion control: The isolated loss of a probe
       packet SHOULD NOT be treated as an indication of congestion and
       its loss does not SHOULD NOT directly trigger a congestion control
       reaction [RFC4821].

   7.  Probe loss recovery: If the data block carried by a probe message
       needs to be sent reliably, the PL (or layers above) MUST arrange
       retransmission/repair of any resulting loss.  This method MUST be
       robust in the case where probe packets are lost due to other
       reasons (including link transmission error, congestion). The
       PLPMTUD
       DPLPMTUD method treats isolated loss of a probe packet (with or
       without an PTB message) as a potential indication of a PMTU limit
       on the path.  The PL MAY retransmit any data included in a lost
       probe packet without adjusting its congestion window [RFC4821].

   8.  Cached effective PMTU: The sender MUST cache the effective PMTU
       value used by an instance of the PL between probes and needs also
       to consider the disruption that could be incurred by path, but not as an
       unsuccessful probe - both upon the flow that incurs a probe loss,
       and other flows that experience the effect indictaion of additional probe
       traffic.

   9. congestion [CC].

   8.  Shared effective PMTU PLPMTU state: The PMTU PLPMTU value could also be stored with
       the corresponding entry in the destination cache and used by
       other PL instances.  The specification of PLPMTUD [RFC4821]
       states: "If PLPMTUD updates the MTU for a particular path, all
       Packetization Layer sessions that share the path representation
       (as described in Section 5.2 of [RFC4821]) SHOULD be notified to
       make use of the new MTU and make the required congestion control
       adjustments".  Such methods need to be robust to the wide variety
       of underlying network forwarding behaviours. behaviours, PLPMTU adjustments
       based on shared PLPMTU values should be incorporated in the
       search algorithms.  Section 5.2 of [RFC8201] provides guidance on
       the caching of PMTU information and also the relation to IPv6
       flow labels.

   In addition addition, the following design principles are stated: stated for design of a
   DPLPMTUD method:

   o  Suitable  MPS: The PLPMTUD A method SHOULD avoid forcing an
      application MUST signal appropriate MPS to the higher layer
      using the PL. This may change following a change to the path.  The
      method SHOULD avoid forcing an application to use an arbitrary
      small MPS (effective PMTU) (PLPMTU) for transmission while the method is searching
      for the currently supported PMTU. PLPMTU. Datagram PLs do not
      necessarily support fragmentation of PDUs larger than the PMTU. PLPMTU.
      A reduced MPS can adversely impact the performance of a datagram
      application.

   o  Path validation: The PLPMTUD A method MUST be robust to path changes that
      could have occurred since the path characteristics were last
      confirmed.
      confirmed, and to the possibility of inconsistent path information
      being received.

   o  Datagram reordering: A method MUST be robust to the possibility
      that a flow encounters reordering, or has the traffic (including
      probe packets) is divided over more than one network path.

   o  When to probe: The PLPMTUD A method SHOULD determine whether the path capacity
      has increased since it last measured the path.  This determines
      when the path should again be probed.

3.1.  PMTU  PLPMTU Probe Packets

   PMTU discovery

   The DPLPMTUD method relies upon the PL sender being able to generate
   probe messages with a specific size.  TCP is able to generate these
   probe packets by choosing to appropriately segment data being sent
   [RFC4821].

   In contrast, a datagram PL that needs to construct a probe packet has
   to either request an application to send a data block that is larger
   than that generated by an application, or to utilise padding
   functions to extend a datagram beyond the size of the application
   data block.  Protocols that permit exchange of control messages
   (without an application data block) could alternatively prefer to
   generate a probe packet by extending a control message with padding
   data.

   When the method fails to validate the PMTU for the path, PLPMTU, it may be required to
   send a probe packet with a size less than the size of the data block
   generated by an application.  In this case, the PL could provide a
   way to fragment a datagram at the PL, or could instead utilise a
   control packet with padding.

   A receiver needs to be able to distinguish an in-band data block from
   any added padding.  This is needed to ensure that any added padding
   is not passed on to an application at the receiver.

   This results in three possible ways that a sender can create a probe
   packet:
   packet listed in order of preference:

   Probing using appication padding data: A probe packet that contains a data
      block supplied by an application that matches only control
      information together with any padding needed to inflate the packet
      to the size required for the probe.  This method requests the application to issue a
      data block of the desired probe size.  If the application/
      transport needs protection from the loss of an unsuccessful packet.  Since these probe
      packet, the application/transport needs then to perform transport-
      layer retransmission/repair of the data block (e.g., by
      retransmission after loss is detected or by duplicating the
      packets do not carry an application-supplied data
      block in a datagram without the padding). block,they do
      not typically require retransmission, although they do still
      consume network capacity and incur endpoint processing.

   Probing using appication data and padding data: A probe packet that
      contains a data block supplied by an application that is combined
      with padding to inflate the length of the datagram to the size
      required for the probe. probe packet.  If the application/transport needs
      protection from the loss of this probe packet, the application/
      transport may perform transport-layer retransmission/repair of the
      data block (e.g., by retransmission after loss is detected or by
      duplicating the data block in a datagram without the padding
      data).

   Probing using padding appication data: A probe packet that contains only
      control information together with any padding needed to inflate
      the packet to a data
      block supplied by an application that matches the size required
      for the probe.  Since these probe
      packets do not carry an application-supplied data block,they do
      not typically require retransmission, although they do still
      consume network capacity and incur endpoint processing.

   A datagram PLPMTUD MAY choose packet.  This method requests the application to use only one
      issue a data block of these methods to
   simplify the implementation.

3.2.  Validation of desired probe size.  If the Current Effective PMTU

   The PL application/
      transport needs protection from the loss of an unsuccessful probe
      packet, the application/transport needs then to perform transport-
      layer retransmission/repair of the data block (e.g., by
      retransmission after loss is detected).

   A PL that uses a probe packet carrying an application data block,
   could need to retransmit this application data block if the probe
   fails.  This could need the PL to re-fragment the data block to a
   smaller packet size that is expected to traverse the end-to-end path
   (which could utilise network-layer or PL fragmentation when these are
   available).

   DLPMTUD MAY choose to use only one of these methods to simplify the
   implementation.

3.2.  Validation of Probe Packet Size

   The PL needs a method to determine when probe packets have been
   successfully received end-to-end across a network path.

   Transport protocols can include end-to-end methods that detect and
   report reception of specific datagrams that they send (e.g., DCCP and
   SCTP provide keep-alive/heartbeat features). When supported, this
   mechanism SHOULD also be used by PLPMTUD DPLPMTUD to acknowledge reception of
   a probe packet.

   A PL that does not acknowledge data reception (e.g., UDP and UDP-
   Lite) is unable to detect when the packets that it sends are
   discarded because their size is greater than the actual PMTUD. PMTU. These
   PLs need to either rely on an application protocol to detect this, this
   loss, or make use of an additional transport method such as UDP-Options UDP-
   Options [I-D.ietf-tsvwg-udp-options].  In addition, they might need
   to send reachability probes (e.g., periodically solicit a response
   from the destination) to determine whether the current effective PMTU last successfully
   probed PLPMTU is still supported by the network path.

   Section Section 4 specifies this function for a set of IETF-specified
   protocols.

3.3.  Reduction of  Reducing the Effective PMTU

   When PLPMTU: Confirming Path Characteristics

   If the current effective PMTU DPLPMTUD method detects that a packet with the PLPMTU size is
   no longer supported by the network path, then the transport DLPMTUD method needs to detect
   validate the PLPMTU. This can happen when a validated PTB message is
   received, or another event that indicates the network path no longer
   sustains this and reduce packet size, such as a loss report from the effective
   PMTU.

   o  A PL

   All implementations of DPLPMTUD are REQUIRED to provide support that sends a datagram larger than
   reduces the PLPMTU when the actual PMTU that
      includes no application data block, or one that does not attempt
      to provide any retransmission, can send supported by a new probe packet with an
      updated probe size.

   o  A PL that wishes to resend network path
   is less than the application data block, could then
      need to re-fragment PLPMTU.

3.4.  Increasing the data block PLPMTU: Supporting Path Changes

   An implementation that only reduces the PLPMTU to a smaller packet suitable size that is expected
   sufficient to traverse ensure reliable operation, but may be very inefficient
   when the end-to-end path.  This could utilise
      network-layer actual PMTU changes or PL fragmentation when these are available.  A
      fragmented datagram MUST NOT be used as the method (for whatever reason)
   makes a probe packet (see
      [RFC8201]). suboptimal choice for the PLPMTU.

   A full implementation of the DPLPMTUD method can additionally utilise PTB messages is RECOMMENDED to
   provide a way for the sending PL endpoint to detect when the
   actual PMTU supported by a network path PLPMTU
   is less smaller than the current size
   of datagrams (or probe messages) that are being sent.

4.  Datagram Packetization Layer PMTUD actual PMTU size.  This section specifies Datagram PLPMTUD.

   The central idea of allows the sender to
   increase the PLPMTU discovery is probing by following a sender.  Probe
   packets of increasing size are sent to find out change in the maximum size characteristics of the
   path, such as when a
   user message that link is completely transferred across the network path
   from reconfigured with a larger MTU, or when
   there is a change in the sender set of links traversed by an end-to-end flow
   (e.g.  after a routing or fail-over decision).

3.5.  Robustness to the destination.

4.1.  Probing inconsistent Path information

   The PLPMTUD method utilises a timer decision to trigger increase the generation of
   probe packets.  The probe_timer is started each time a probe packet
   is sent PLPMTU needs to be robust to the destination and is cancelled when receipt of
   possibility that information learned about the probe
   packet is acknowledged.

   The PROBE_COUNT path is initialised to zero inconsistent
   (this could happen when a probe packet is first
   sent with a particular size.  Each time the probe_timer expires, packets are lost due to other reasons,
   or some of the
   PROBE_COUNT is incremented, and packets in a probe packet flow are forwarded along a portion of the same size is
   retransmitted.  The maximum number of retransmissions per probing
   size is configured (MAX_PROBES).  If
   path that supports a different PMTU).

   Frequent path changes could occur due to unexpected "flapping" -
   where some packets from a flow pass along one path, but other packets
   follow a different path with different properties.  DPLPMTUD can be
   made robust to these anomalies by introducing hysteresis into the value of
   decision to increase the PROBE_COUNT
   reaches MAX_PROBES, probing Maximum Packet Size.

   XXX A future revision of this section will include recommend
   appropriate methods to provide robustness.  XXX

4.  Datagram Packetization Layer PMTUD

   This section specifies Datagram PLPMTUD (DPLPMTUD). This method can
   be stopped and introduced at various points in the last successfully
   probed PMTU is set as IP protocol stack, to discover
   the effective PMTU.

   Once probing is completed, PLPMTU so that the sender continues to application can use an MPS appropriate to the effective
   PMTU until either
   current network path.

   (preamble)

               +-----------+
               |   APP*    |
               +-----------+
              __||  |   | |___
          ___/   |  |   |     \
       __/       |  |   |      \__
   +------++-----+ | +------+    |
   | QUIC*||UDPO*| | | SCTP*|    |
   +------++-----+ | +-+-----+    |
                 +-----+        +------+
                 | UDP |        | SCTP*|
                 +-----+        +------+
                    |              |
             +----------------------+
             |  Network Interface   |
             +----------------------+

   (postamble)

   The central idea of DPLPMTUD is probing by a PTB sender.  Probe packets
   of increasing size are sent to find out the maximum size of user
   message that is received or completely transferred across the PMTU_RAISE_TIMER
   expires.  If network path from
   the PL is unable to verify reachability sender to the
   destination endpoint after probing has completed, the method uses destination.

4.1.  PROBE_SEARCH: Probing for a
   REACHABILITY_TIMER larger PLPMTU

   The DPLPMTUD method utilises probe packets to periodically repeat confirm that a probe packet for the
   current effective PMTU size, while
   of size PROBE_SIZE can travere the PMTU_RAISE_TIMER network path.  The PROBE_COUNT is running.
   If the resulting
   initialised to zero when a probe packet is not acknowledged (i.e. the
   PROBE_TIMER expires), the first sent with a
   particular size.

   A timer is used to trigger the generation of probe packets.  The
   probe_timer is started each time a probe packet is sent to the
   destination and is cancelled when receipt of the probe packet is
   acknowledged.  THE PROBE_SIZE is confirmed, and this value is then
   assignmed to PLPMTU. The DPLPMTUD method re-starts probing may send subsequent probes
   of an increasing size.  Increasing probes follows a search strategy
   as discussed in Section 4.7.

   Each time the probe_timer expires, the PROBE_COUNT is incremented,
   teh probe_timer is reinitialised, and a probe packet of the same size
   is retransmitted.

   The maximum number of retransmissions for a PROBE_SIZE is configured
   (MAX_PROBES). If the PMTU. value of the PROBE_COUNT reaches MAX_PROBES,
   probing will stop.

4.2.  The PROBE_DONE state

   When the PL sender complete probing for a larger PLPMTU, it enters
   the PROBE_DONE state.  This starts the PMTU_RAISE_TIMER. While this
   running, the PLPMTU remains at the value set in the last succesful
   probe packet.

   If the PL is designed in a way that is unable to verify reachability
   to the destination endpoint after probing has completed, the method
   uses a REACHABILITY_TIMER to periodically repeat a probe packet for
   the current PLPMTU size, while the PMTU_RAISE_TIMER is running.  If
   the REACHABILITY_TIMER expires, the method exits the PROBE_DONE
   state.  The done state is also exited when a verified PTB message is
   received.

   If the PMTU_RAISE_TIMER expires, the PL sender also exits the
   PROBE_DONE state, but in this case resumes probing from the size of
   the PLPMTU.

4.3.  Verification and Use of PTB Messages

   This section describes processing for both IPv4 ICMP Unreachable
   messages (type 3) and ICMPv6 packet too big messages.

   A node that receives a PTB message from a router or middlebox, MUST
   verify the PTB message.  The node checks the protocol information in
   the quoted payload to verify that the message originated from the
   sending node.  The node also checks that the reported MTU size is
   less than the size used by packet probes.  PTB messages are discarded
   if they fail to pass these checks, or where there is insufficient
   ICMP payload to perform these checks.  The checks are intended to
   provide protection from packets that originate from a node that is
   not on the network path or a node that attempts to report a larger
   MTU than the current probe size.

   PTB messages that have been verified can be utilised by the DPLPMTUD
   algorithm.  A method that utilises these PTB messages can improve
   performance compared to one that relies solely on probing.

4.3.

4.4.  Timers

   This

   The method in the previous subsections utilises three timers:

   PROBE_TIMER: Configured to expire after a period longer than the
      maximum time to receive an acknowledgment to a probe packet.  This
      value MUST be larger than 1 second, and SHOULD be larger than 15
      seconds.  Guidance on selection of the timer value are provide in
      section 3.1.1 of the UDP Usage Guidelines [RFC8085].

      If the PL has an RTT estimate and timely acknowedgements the
      PROBE_TIMER can be derrived from the PL RTT estimate.

   PMTU_RAISE_TIMER: Configured to the period a sender ought to continue
      use the current effective PMTU, PLPMTU, after which it re-
      commences re-commences probing for a
      higher PMTU. This timer has a period of 600 secs, as recommended
      by PLPMTUD DPLPMTUD [RFC4821].

   REACHABILITY_TIMER: Configured to the period a sender ought to wait
      before confirming the current effective PMTU PLPMTU is still supported.  This is
      less than the PMTU_RAISE_TIMER.

      An application that needs to employ keep-alive messages to deliver
      useful service over UDP SHOULD NOT transmit them more frequently
      than once every 15 seconds PMTU_RAISE_TIMER and SHOULD use longer intervals used to decrease the PLPMTU
      (e.g.  when
      possible. a black hole is encountered).

      DPLPMTUD ought to suspend reachability probes when no application
      data has been sent since the previous probe packet.  Guidance on
      selection of the timer value are provide in section 3.1.1 of the
      UDP Usage Guidelines[RFC8085].  DPLPMTUD ought to be suspended or
      only sent in conjuction with out traffic during periods of
      dormancy.  This verification needs to be frequent enough when data
      is flowing that you do not black hole extensive amounts of traffic

   An implementation could implement the various timers using a single
   timer process.

4.4.

4.5.  Constants

   The following constants are defined:

   MAX_PROBES: The maximum value of the PROBE_ERROR_COUNTER. The default
      value of MAX_PROBES is 10.

   MIN_PMTU: The smallest allowed probe packet size.  This  For IPv6, this
      value is 1280 bytes, as specified in [RFC2460].  For IPv4, the
      minimum value is 68 bytes.  (An IPv4 routed is required to be able
      to forward a datagram of 68 octets without further fragmentation.
      This is the combined size of an IPv4 header and the minimum
      fragment size of 8 octets.)

   BASE_PMTU: The BASE_PMTU is a considered a size that ought to work in
      most cases.  The size is equal to or larger than the minimum
      permitted and smaller than the maximum allowed.  In the case of
      IPv6, this value is 1280 bytes [RFC2460].  When using IPv4, a size
      of 1200 bytes is RECOMMENDED.

   MAX_PMTU: The MAX_PMTU is the largest size of PMTU PLPMTU that is probed.
      This has to be less than or equal to the minimum of the local MTU
      of the outgoing interface and the destination effective MTU PLMTU for receiving.
      An application or PL may reduce this when it knows there is no
      need to send packets above a specific size.

4.5.

4.6.  Variables

   This method utilises a set of variables:

   effective PMTU:  The effective PMTU is

   PROBE_TIMER: Configured to expire after a period longer than the
      maximum size time to receive an acknowledgment to a probe packet.  This
      value MUST be larger than 1 second, and SHOULD be larger than 15
      seconds.  Guidance on selection of datagram
      that the method has currently determined can be supported along timer value are provide in
      section 3.1.1 of the UDP Usage Guidelines [RFC8085].

      PL with RTT estimates may use values smaller than 1 seconded
      derrived from their RTT estimate to speed up detection of
      connectivity issues on the entire path.

   PROBED_SIZE: The PROBED_SIZE is the size of the current probe packet.
      This is a tentative value for the effective PMTU, PLPMTU, which is awaiting
      confirmation by an acknowledgment.

   PROBE_COUNT: This is a count of the number of unsuccessful probe
      packets that have been sent with size PROBED_SIZE. The value is
      initialised to zero when a particular size of PROBED_SIZE is first
      attempted.

   PTB_SIZE: The PTB_Size is value returned by a verified PTB message
      indicating the local MTU size of a router along the path.

4.6.

4.7.  Selecting PROBED_SIZE

   Implementations discover the search range by validating the minimum
   path MTU and then using the probe method to select a PROBED_SIZE less
   than or equal to the maximum PMTU_MAX. Where PMTU_MAX is the minimum
   of the the local link MTU and EMTU_R (learned from the remote endpoint).
   The PMTU_MAX MAY be constrained by an application that has a maximum
   to the size of datagrams it wishes to send.

   Implementations use a search algorithm to choose probe sizes within
   the search range.  XXX The current method does not specify or
   recommend a specific

   xxx A future version of this section will detail example methods for
   selecting a probe size.  One simple
   method is to increase the size of probe in increments until it fails,
   other methods may use tables to select probe sizes, or search
   algorithms - this part values, but does not plan to be expanded based on experience and
   consideration of methods XXX mandate a single
   method.  xxx
   Implementations MAY optimizse the search procedure by selecting step
   sizes from a table of common MTU PMTU sizes.

   Implementations SHOULD select probe sizes to maximise the gain in
   PMTU
   PLPMTU each search step.  Implementations ought to take into
   consideration useful probe size steps and a minimum useful gain in
   PMTU.

4.7.  State Machine

   A state machine for Datagram PLPMTUD is depicted in Figure 1.  If
   multihoming is supported,
   PLPMTU.

4.8.  Black Hole Detection

   The DPLPMTUD method can be used to detect paths that fail to support
   a packet size, but return no PTB message.  The black hole detection
   function detects such cases and responds by reducing the PLPMTU,
   allowing the endpoint to inform the application of the reduced MPS
   and accordingly send smaller packets.  Black Hole detection is
   triggered by the reachability function.

4.9.  State Machine

   A state machine for DPLPMTUD is depicted in Figure 2. If multihoming
   is supported, a state machine is needed for each active path.

                                         PROBE_TIMER expiry
                                      (PROBE_COUNT = MAX_PROBES)
                           +-------------+                +--------------+
                        =->| PROBE_START |--------------->|PROBE_DISABLED|
     PROBE_TIMER expiry |  +-------------+                +--------------+
    (PROBE_COUNT =      |     |       |
            MAX_PROBES) -------       |  Connectivity confirmed
                                      v
                     ----------- +------------+ -- PROBE_TIMER expiry
   MAX_PMTU acked or |           | PROBE_BASE |  | (PROBE_COUNT <
   PTB (>= BASE_PMTU)|    -----> +------------+ <-             MAX_PROBES)
     ----------------     |          /\   |  |
     |                    |           |   |  | PTB
     |    PMTU_RAISE_TIMER|           |   |  | (PTB_SIZE < BASE_PMTU)
     |    or reachability |           |   |  |        or
     |     (PROBE_COUNT   |           |   |  |    PROBE_TIMER expiry
     |      = MAX_PROBES) |           |   |  | (PROBE_COUNT = MAX_PROBES)
     |        -------------           |   |   \
     |        |                   PTB |   |    \
     |        |        (< PROBED_SIZE)|   |     \
     |        |                       |   |      ----------------
     |        |                       |   |                     |
     |        |                       |   | Probe               |
     |        |                       |   | acked               |
     v        |                       |   v                     v
   +------------+                +--------------+  Probe +-------------+
   | PROBE_DONE |<-------------- | PROBE_SEARCH |<-------| PROBE_ERROR |
   +------------+ MAX_PMTU acked +--------------+  acked +-------------+
    /\    |             or            /\      |
     |    |      PROBE_TIMER expiry    |      |
     |    |(PROBE_COUNT = MAX_PROBES)  |      |
     |    |                            |      |
     ------                            --------
   Reachability probe acked      PROBE_TIMER expiry
    or PROBE_TIMER expiry      (PROBE_COUNT < MAX_PROBES)
   (PROBE_COUNT < MAX_PROBES)            or
                                   Probe acked

               Figure 1: State machine for Datagram PLPMTUD

   XXX State A future version of this document will update the state machine
   to be updated to describe handling of validated PTB
   messages XXX

   XXX Method may be updated to clarify how probe sizes are used during
   probing messages.  XXX

   The following states are defined to reflect the probing process:

   PROBE_START: The PROBE_START state is the initial state before
      probing has started.  PLPMTUD is not performed in this state.  The
      state transitions to PROBE_BASE, when a path has been confirmed,
      i.e.  when a sent packet has been acknowledged on this path.  Any
      transport method may be used to exit PROBE_BASE as long as the
      send packet is acknowledge by the other side.  The
      effective PMTU PLPMTU is set
      to the BASE_PMTU size.  Probing ought to start immediately after
      connection setup to prevent the prevent the loss of user data.

   PROBE_BASE: The PROBE_BASE state is the starting point for probing
      with datagram PLPMTUD. It is used to confirm whether the BASE_PMTU
      size is supported by the network path.  On entry, the PROBED_SIZE
      is set to the BASE_PMTU size and the PROBE_COUNT is set to zero.
      A probe packet is sent, and the PROBE_TIMER is started.  The state
      is left when the PROBE_COUNT reaches MAX_PROBES; a PTB message is
      verified, or a probe packet is acknowledged.

   PROBE_SEARCH: The PROBE_SEARCH state is the main probing state.  This
      state is entered either when probing for the BASE_PMTU was
      successful or when there is a successful reachability test in the
      PROBE_ERROR state.  On entry, the effective PMTU PLPMTU is set to the last
      acknowledged PROBED_SIZE.

      The PROBE_COUNT is set to zero when the first probe packet is sent
      for each probed probe size.  Each time a probe packet is acknowledged,
      the effective PMTU PLPMTU is set to the PROBED_SIZE, and then the PROBED_SIZE is
      increased.

      When a probe packet is sent and not acknowledged within the period
      of the PROBE_TIMER, the PROBE_COUNT is incremented and the probe
      packet is retransmitted.  The state is exited when the PROBE_COUNT
      reaches MAX_PROBES; a PTB message is verified; or a probe of size
      PMTU_MAX is acknowledged.

   PROBE_ERROR: The PROBE_ERROR state represents the case where the
      network path is not known to support an effective PMTU PLPMTU of at least the
      BASE_PMTU size.  It is entered when either a probe of size
      BASE_PMTU has not been acknowledged or a verified PTB message
      indicates a smaller link MTU than smaller link MTU than the BASE_PMTU. On entry, the
      PROBE_COUNT is set to zero and the PROBED_SIZE is set to the
      MIN_PMTU size, and the PLPMTU is reset to MIN_PMTU size.  In this
      state, a probe packet is sent, and the PROBE_TIMER is started.
      The state transitions to the PROBE_SEARCH state when a probe
      packet is acknowledged.

   PROBE_DONE: The PROBE_DONE state indicates a successful end to a
      probing phase.  DPLPMTUD remains in this state until either the
      PMTU_RAISE_TIMER expires or a received PTB message is verified.

      When PLPMTUD uses an unacknowledged PL and is in the PROBE_DONE
      state, a REACHABILITY_TIMER periodically resets the PROBE_COUNT
      and schedules a probe packet with the size of the PLPMTU. If the
      probe packet fails to be acknowledged after MAX_PROBES attempts,
      the method enters the PROBE_BASE state.  When used with an
      acknowledged PL (e.g., SCTP), DPLPMTUD SHOULD NOT continue to
      probe in this state.

   PROBE_DISABLED: The PROBE_DISABLED state indicates that connectivity
      could not be established.  DPLPMTUD MUST NOT probe in this state.

   Appendix Appendix A contains an informative description of key
   events.

5.  Specification of Protocol-Specific Methods

   This section specifies protocol-specific details for datagram PLPMTUD
   for IETF-specified transports.

   The first subsection provides guidance on how to implement the
   DPLPMTUD method as a part of an application using UDP or UDP-Lite.
   The guidance also applies to other datagram services that do not
   include a specific transport protocol (such as a tunnel
   encapsulation). The following subsection describe how DPLPMTUD can be
   implemented as a part of the transport service, allowing applications
   using the service to benefit from discovery of the PLPMTU without
   themselves needing to implement this method.

5.1.  Application support for DPLPMTUD with UDP or UDP-Lite

   The current specifications of UDP [RFC0768] and UDP-Lite [RFC3828] do
   not define a method in the RFC-series that supports PLPMTUD. In
   particular, the UDP transport does not provide the transport layer
   features needed to implement datagram PLPMTUD.

   The DPLPMTUD method can be implemented as a part of an application
   built directly or indirectly on UDP or UDP-Lite, but relies on
   higher-layer protocol features to implement the method [RFC8085].

   Some primitives used by DPLPMTUD might not be available via the
   Datagram API (e.g., the ability to access the PLPMTU cache, or
   interpret received ICMP PTB messages).

   In addition, it is desirable that PMTU discovery is not performed by
   multiple protocol layers.  An application SHOULD avoid implementing
   DPLPMTUD when the underlying transport system provides this
   capability.  Using a common method for manging the BASE_PMTU.  On entry, PLPMTU has
   benefits, both in the
      PROBE_COUNT is set ability to zero share state between different
   processes and opportunities to coordinate probing.

5.1.1.  Application Request

   An application needs an application-layer protocol mechanism (such as
   a message acknowledgement method) that solicits a response from a
   destination endpoint.  The method SHOULD allow the PROBED_SIZE is set sender to check
   the
      MIN_PMTU size, and value returned in the effective PMTU is reset response to MIN_PMTU size.
      In this state, provide additional protection
   from off-path insertion of data [RFC8085], suitable methods include a probe packet is sent, and the PROBE_TIMER is
      started.  The state transitions
   parameter known only to the PROBE_SEARCH state when a
      probe packet is acknowledged.

   PROBE_DONE:  The PROBE_DONE state indicates a successful end to two endpoints, such as a
      probing phase.  Datagram PLPMTUD remains in this state until
      either the PMTU_RAISE_TIMER expires session ID or a received PTB message is
      verified.

      When PLPMTUD uses
   initialised sequence number.

5.1.2.  Application Response
   An application needs an unacknowledged PL and is in application-layer protocol mechanism to
   communicate the PROBE_DONE
      state, a REACHABILITY_TIMER periodically resets response from the destination endpoint.  This
   response may indicate successful reception of the PROBE_COUNT
      and schedules a probe packet with across the size of
   path, but could also indicate that some (or all packets) have failed
   to reach the effective PMTU.
      If destination.

5.1.3.  Sending Application Probe Packets

   A probe packet that may carry an application data block, but the
   successful transmission of this data is at risk when used for
   probing.  Some applications may prefer to use a probe packet fails that
   does not carry an application data block to be acknowledged after MAX_PROBES
      attempts, the method enters avoid disruption to
   normal data transfer.

5.1.4.  Validating the PROBE_BASE state.  When used with
      an acknowledged PL (e.g., SCTP), DPLPMTUD Path

   An application that does not have other higher-layer information
   confirming correct delivery of datagrams SHOULD NOT continue implement the
   REACHABILITY_TIMER to periodically send probe packets while in this the
   PROBE_DONE state.

   PROBE_DISABLED:  The PROBE_DISABLED state indicates

5.1.5.  Handling of PTB Messages

   An application that connectivity
      could not be established.  DPLPMTUD is able and wishes to receive PTB messages MUST NOT probe
   perform ICMP verification as specified in this state.

   Appendix A contains an informative description of key events.

5.  Specification Section 5.2 of Protocol-Specific Methods [RFC8085].
   This section specifies protocol-specific details for datagram PLPMTUD
   for IETF-specified transports.

5.1.  DPLPMTUD for UDP and UDP-Lite

   The current specifications of UDP [RFC0768] and UDP-LIte [RFC3828] do
   not define a method in the RFC-series requires that supports PLPMTUD.  In
   particular, these transports do not provide the transport layer
   features needed application verifies each received PTB
   messages to implement datagram PLPMTUD, verify these are received in response to transmitted
   traffic and any support for
   Datagram PLPMTUD would therefore need that the reported link MTU is less than the current probe
   size.  A verified PTB message MAY be used as input to rely on higher-layer
   protocol features [RFC8085].

5.1.1. the DPLPMTUD
   algorithm, but MUST NOT be used directly to set the PLPMTU.

5.2.  DPLPMTUD with UDP Options

   UDP-Options [I-D.ietf-tsvwg-udp-options] can supply the additional
   functionality required to implement datagram PLPMTUD. DPLPMTUD within the UDP transport
   service.  This avoids the need for applications to implement the
   DPLPMTUD method.

   This enables padding to be added to UDP datagrams and can be used to
   provide feedback acknowledgement of received probe packets.

5.1.2.

   The specification also defines two UDP Options Required for PLPMTUD

   This subsection proposes two new UDP-Options that add support for
   requesting a datagram response be sent and to mark this datagram as a
   response to a request.

   XXX Future versions support DPLMTUD.

   Section 5.6 of [I-D.ietf-tsvwg-udp-options] defines the spec may define a parameter in an Option MSS option
   which allows the local sender to indicate the EMTU_R to the peer that peer.
   This option can be used to initialise PMTU_MAX.  XXX

5.1.2.1.  Echo An application
   wishing to avoid the effects of MSS-Clamping (where a middlebox
   changes the advertised TCP maximum sending size) ought to use a
   cryptographic method to encrypt this parameter.

5.2.1.  UDP Request Option

   The Echo Request Option allows a sending endpoint to solicit a response
   from a destination endpoint.

   The Echo Request Option carries a four byte token set by the sender.  This
   token can be set to a value that is likely to be known only to the
   sender (and becomes known to nodes along the end-to-end path).  The
   sender can then check the value returned in the response to provide
   additional protection from off-path insertion of data [RFC8085].

        +---------+--------+-----------------+
        | Kind=9  | Len=6  |     Token       |
        +---------+--------+-----------------+
          1 byte    1 byte       4 bytes

                    Figure 2:

5.2.2.  UDP ECHOREQ Option Format

5.1.2.2.  Echo Response Option

   The Echo Response Option is generated by the PL in response to reception
   of a previously received Echo Request.  The Token field associates
   the response with the Token value carried in the most
   recently-received recently-
   received Echo Request.  The rate of generation of UDP packets
   carrying an Echo a Response Option MAY be rate-limited.

        +---------+--------+-----------------+
        | Kind=10 | Len=6  |     Token       |
        +---------+--------+-----------------+
                        1 byte    1 byte       4 bytes

                    Figure 3: UDP ECHORES Option Format

5.1.3.  Sending UDP-Option Probe Packets

   This method specifies a probe packet that does not carry an
   application data block.  The probe packet consists of a UDP datagram
   header followed by a UDP Option containing the ECHOREQ option, which
   is followed by NOP Options to pad the remainder of the datagram
   payload to the probe size.  NOP padding is used to control the length
   of the probe packet.

   A UDP Option carrying the ECHORES option is used to provide feedback
   when a probe packet is received at the destination endpoint.

5.1.4.  Validating the Path with UDP Options

   Since UDP is an unacknowledged PL, a sender that does not have
   higher-layer information confirming correct delivery of datagrams
   SHOULD implement the REACHABILITY_TIMER to periodically send probe
   packets while in the PROBE_DONE state.

5.1.5.  Handling of PTB Messages by UDP

   Normal ICMP verification MUST be performed as specified in
   Section 5.2 of [RFC8085].  This requires that the PL verifies each
   received PTB messages to verify these are received in response to
   transmitted traffic and that the reported LInk MTU is less than the
   current probe size.  A verified PTB message MAY be used as input to
   the PLPMTUD algorithm.

5.2.
          1 byte    1 byte       4 bytes

5.3.  DPLPMTUD for SCTP

   Section 10.2 of [RFC4821] specifies a recommended PLPMTUD probing
   method for SCTP. It recommends the use of the PAD chunk, defined in
   [RFC4820] to be attached to a minimum length HEARTBEAT chunk to build
   a probe packet.  This enables probing without affecting the transfer
   of user messages and without interfering with congestion control.
   This is preferred to using DATA chunks (with padding as required) as
   path probes.

   XXX Future versions of this specification document might define a parameter
   contained in the INIT and INIT ACK chunk to indicate the remote peer
   MTU to the local peer.  However, multihoming makes this a bit
   complex, so it might not be worth doing.  XXX

5.2.1.

5.3.1.  SCTP/IP4 and SCTP/IPv6

   The base protocol is specified in [RFC4960].

5.2.1.1.  This provides an
   acknowledged PL. A sender can therefore enter the PROBE_BASE state as
   soon as connectivity has been confirmed.

5.3.1.1.  Sending SCTP Probe Packets
   Probe packets consist of an SCTP common header followed by a
   HEARTBEAT chunk and a PAD chunk.  The PAD chunk is used to control
   the length of the probe packet.  The HEARTBEAT chunk is used to
   trigger the sending of a HEARTBEAT ACK chunk.  The reception of the
   HEARTBEAT ACK chunk acknowledges reception of a successful probe.

   The HEARTBEAT chunk carries a Heartbeat Information parameter which
   should include, besides the information suggested in [RFC4960], the
   probing
   probe size, which is the MTU size of the complete datagram will add up
   to. datagram.  The size of
   the PAD chunk is therefore computed by reducing the probing size by
   the IPv4 or IPv6 header size, the SCTP common header, the HEARTBEAT
   request and the PAD chunk header.  The payload of the PAD chunk
   contains arbitrary data.

   To avoid fragmentation of retransmitted data, probing starts right
   after the handshake, before data is sent.  Assuming normal behaviour
   (i.e., the PMTU is smaller than or equal to the interface MTU), this
   process will take a few round trip time periods depending on the
   number of PMTU sizes probed.  The Heartbeat timer can be used to
   implement the PROBE_TIMER.

5.2.1.2.

5.3.1.2.  Validating the Path with SCTP

   Since SCTP provides an acknowledged PL, a sender does MUST NOT
   implement the REACHABILITY_TIMER while in the PROBE_DONE state.

5.2.1.3.

5.3.1.3.  PTB Message Handling by SCTP

   Normal ICMP verification MUST be performed as specified in Appendix C
   of [RFC4960].  This requires that the first 8 bytes of the SCTP
   common header are quoted in the payload of the PTB message, which can
   be the case for ICMPv4 and is normally the case for ICMPv6.

   When a PTB message has been verified, the router Link MTU indicated
   in the PTB message SHOULD be used with the PLPMTUD DPLPMTUD algorithm,
   providing that the reported Link MTU is less than the current probe
   size.

5.2.2.

5.3.2.  DPLPMTUD for SCTP/UDP

   The UDP encapsulation of SCTP is specified in [RFC6951].

5.2.2.1.

5.3.2.1.  Sending SCTP/UDP Probe Packets

   Packet probing can be performed as specified in Section 5.2.1.1. 5.3.1.1. The
   maximum payload is reduced by 8 bytes, which has to be considered
   when filling the PAD chunk.

5.2.2.2.

5.3.2.2.  Validating the Path with SCTP/UDP

   Since SCTP provides an acknowledged PL, a sender does MUST NOT
   implement the REACHABILITY_TIMER while in the PROBE_DONE state.

5.2.2.3.

5.3.2.3.  Handling of PTB Messages by SCTP/UDP

   Normal ICMP verification MUST be performed for PTB messages as
   specified in Appendix C of [RFC4960].  This requires that the first 8
   bytes of the SCTP common header are contained in the PTB message,
   which can be the case for ICMPv4 (but note the UDP header also
   consumes a part of the quoted packet header) and is normally the case
   for ICMPv6. When the verification is completed, the router Link MTU
   size indicated in the PTB message SHOULD be used with the PLPMTUD
   algorithm DPLPMTUD
   providing that the reported LInk link MTU is less than the current probe
   size.

5.2.3.

5.3.3.  DPLPMTUD for SCTP/DTLS

   The Datagram Transport Layer Security (DTLS) encapsulation of SCTP is
   specified in [I-D.ietf-tsvwg-sctp-dtls-encaps].  It is used for data
   channels in WebRTC implementations.

5.2.3.1.

5.3.3.1.  Sending SCTP/DTLS Probe Packets

   Packet probing can be done as specified in Section 5.2.1.1.

5.2.3.2. 5.3.1.1.

5.3.3.2.  Validating the Path with SCTP/DTLS

   Since SCTP provides an acknowledged PL, a sender does MUST NOT
   implement the REACHABILITY_TIMER while in the PROBE_DONE state.

5.2.3.3.

5.3.3.3.  Handling of PTB Messages by SCTP/DTLS

   It is not possible to perform normal ICMP verification as specified
   in [RFC4960], since even if the ICMP message payload contains
   sufficient information, the reflected SCTP common header would be
   encrypted.  Therefore it is not possible to process PTB messages at
   the PL.

5.3.  PMTUD

5.4.  DPLPMTUD for QUIC

   XXX New section XXX

   Quick UDP Internet Connection (QUIC) [I-D.ietf-quic-transport] is a
   UDP-based transport that provides reception feedback [I-D.ietf-quic-transport]. feedback.

   Section 9.2 of [I-D.ietf-quic-transport] details describes the path
   considerations when sending QUIC packets.  It reccomends recommends the use of
   PADDING frames to buld build the probe packet.  This enables probing the
   without affecting the transfer of other QUIC frames.

5.3.1.

   This provides an acknowledged PL. A sender can therefore enter the
   PROBE_BASE state as soon as connectivity has been confirmed.

5.4.1.  Sending QUIC Probe Packets

   Probe packets consist
   A probe packet consists of a QUIC Header and a payload containing
   only PADDING Frames.  PADDING Frames are a single octet (0x00) and
   serveral
   several of these can be used to create a probe packet of size
   PROBED_SIZE. QUIC provides an acknowledged PL. A sender can therefore
   enter the PROBE_BASE state as soon as connectivity has been
   confirmed.

   The current specification of QUIC sets the following:

   o  BASE_PMTU: 1200. A QUIC sender needs to pad initial packets to
      1200 bytes to validate the path can support packets of a useful
      size.  If a

   o  MIN_PMTU: 1200 bytes.  A QUIC sender that determines the PMTU on a path has
      fallen below 1280 octets it 1200 bytes MUST immediately stop sending on the
      affected path.

5.3.2.

5.4.2.  Validating the Path with QUIC

   Since

   QUIC provides an acknowledged PL, a PL. A sender does therefore MUST NOT
   implement the REACHABILITY_TIMER while in the PROBE_DONE state.

5.3.3.

5.4.3.  Handling of PTB Messages by QUIC

   QUIC operates over the UDP transport, and the guidelines on ICMP
   verification as specified in Section 5.2 of [RFC8085] therefore
   apply.  Although QUIC does not currently specify any methods a method for
   validating ICMP responses, but it does provide some guidlines guidelines to make it
   harder for an off path off-path attacker to inject ICMP messages.

   o  Set the IPv4 Don't Fragment (DF) bit on a small proportion of
      packets, so that most invalid ICMP messages arrive when there are
      no DF packets outstanding, and can therefore be identified as
      spurious.

   o  Store additional information from the IP or UDP headers from DF
      packets (for example, the IP ID or UDP checksum) to further
      authenticate incoming Datagram Too Big messages.

   o  Any reduction in PMTU due to a report contained in an ICMP packet
      is provisional until QUIC's loss detection algorithm determines
      that the packet is actually lost.

   XXX The above list was pulled whole from quic-transport XXX

5.4.  Other IETF Transports

   XXX This section to be updated in a later revision.  XXX

5.5.  DPLPMTUD by Applications

   Applications that use the Datagram API (e.g., applications built
   directly or indirectly on UDP) can implement DPLPMTUD.  Some
   primitives used by DPLPMTUD might not be available via this interface
   (e.g., the ability to access the PMTU cache, or interpret received PMTU due to a report contained in an ICMP PTB messages).

   In addition, it packet
      is important provisional until QUIC's loss detection algorithm determines
      that PMTUD the packet is not performed by multiple
   protocol layers. actually lost.

   XXX This section will be completed in a future revision of this ID The above list was pulled whole from quic-transport - input is
   invited from QUIC contributors.  XXX

6.  Acknowledgements

   This work was partially funded by the European Union's Horizon 2020
   research and innovation programme under grant agreement No.  644334
   (NEAT). The views expressed are solely those of the author(s).

7.  IANA Considerations
   This memo includes no request to IANA.

   XXX If new UDP Options are specified in this document, a request to
   IANA will be included here.  XXX

   If there are no requirements for IANA, the section will be removed
   during conversion into an RFC by the RFC Editor.

8.  Security Considerations

   The security considerations for the use of UDP and SCTP are provided
   in the references RFCs.  Security guidance for applications using UDP
   is provided in the UDP-Guidelines UDP Usage Guidelines [RFC8085].

   There are cases where PTB messages are not delivered due to policy,
   configuration or equipment design (see Section 1.1), this method
   therefore does not rely upon PTB messages being received, but is able
   to utilise these when they are received by the sender.  PTB messages
   could potentially be used to cause a node to inappropriately reduce
   the effective PMTU. PLPMTU. A node supporting PLPMTUD DPLPMTUD MUST therefore appropriately
   verify the payload of PTB messages to ensure these are received in
   response to transmitted traffic (i.e., a reported error condition
   that corresponds to a datagram actually sent by the path layer.

   XXX Determine if parallel

   Parallel forwarding paths needs may need to be considered.
   XXX  Section 3.5
   identifies the need for robustness in the method when the path
   information may be inconsistent.

   A node performing PLPMTUD DPLPMTUD could experience conflicting information
   about the size of supported probe packets.  This could occur when
   there are multiple paths are concurrently in use and these exhibit a
   different PMTU. If not considered, this could result in data being
   blackholed
   black holed when the effective PMTU PLPMTU is larger than the smallest PMTU across
   the current paths.

   An on-path attacker could forge PTB messages to drive down the PLPMTU

9.  References

9.1.  Normative References

   [I-D.ietf-quic-transport]
              Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed
              and Secure Transport", draft-ietf-quic-transport-04 (work
              in progress), Internet-Draft draft-ietf-quic-
              transport-04, June 2017.

   [I-D.ietf-tsvwg-sctp-dtls-encaps]
              Tuexen, M., Stewart, R., Jesup, R., R. and S. Loreto, "DTLS
              Encapsulation of SCTP Packets", draft-ietf-tsvwg-sctp-
              dtls-encaps-09 (work in progress), Internet-Draft draft-ietf-
              tsvwg-sctp-dtls-encaps-09, January 2015.

   [I-D.ietf-tsvwg-udp-options]
              Touch, J., "Transport Options for UDP", draft-ietf-tsvwg-
              udp-options-01 (work in progress), Internet-Draft
              draft-ietf-tsvwg-udp-options-01, June 2017.

   [RFC0768]  Postel, J., "User Datagram Protocol", STD 6, RFC 768,
              DOI 10.17487/RFC0768,
              August 1980, <https://www.rfc-
              editor.org/info/rfc768>. 1980.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, DOI 10.17487/RFC0792, September 1981,
              <https://www.rfc-editor.org/info/rfc792>. <https://
              www.rfc-editor.org/info/rfc792>.

   [RFC1122]  Braden, R., Ed., "Requirements for Internet Hosts -
              Communication Layers", STD 3, RFC 1122, DOI 10.17487/RFC1122, 10.17487/
              RFC1122, October 1989, <https://www.rfc-
              editor.org/info/rfc1122>. <https://www.rfc-editor.org/info/
              rfc1122>.

   [RFC1812]  Baker, F., Ed., "Requirements for IP Version 4 Routers",
              RFC 1812, DOI 10.17487/RFC1812, June 1995,
              <https://www.rfc-editor.org/info/rfc1812>. <https://www
              .rfc-editor.org/info/rfc1812>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
              editor.org/info/rfc2119>. 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460,
              December 1998, <https://www.rfc-editor.org/info/rfc2460>.

   [RFC3828]  Larzon, L-A., Degermark, M., Pink, S., Jonsson, L-E., Ed., L-E.Ed.,
              and G. Fairhurst, Ed., "The Lightweight User Datagram
              Protocol (UDP-Lite)", RFC 3828, DOI 10.17487/RFC3828, July
              2004, <https://www.rfc-editor.org/info/rfc3828>.

   [RFC4820]  Tuexen, M., Stewart, R., R. and P. Lei, "Padding Chunk and
              Parameter for the Stream Control Transmission Protocol
              (SCTP)", RFC 4820, DOI 10.17487/RFC4820, March 2007,
              <https://www.rfc-editor.org/info/rfc4820>.

   [RFC4960]  Stewart, R., Ed., "Stream Control Transmission Protocol",
              RFC 4960, DOI 10.17487/RFC4960, September 2007,
              <https://www.rfc-editor.org/info/rfc4960>. <https://
              www.rfc-editor.org/info/rfc4960>.

   [RFC6951]  Tuexen, M. and R. Stewart, "UDP Encapsulation of Stream
              Control Transmission Protocol (SCTP) Packets for End-Host
              to End-Host Communication", RFC 6951, DOI 10.17487/RFC6951, 10.17487/
              RFC6951, May 2013, <https://www.rfc-
              editor.org/info/rfc6951>. <https://www.rfc-editor.org/info/
              rfc6951>.

   [RFC8085]  Eggert, L., Fairhurst, G., G. and G. Shepherd, "UDP Usage
              Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085,
              March 2017, <https://www.rfc-editor.org/info/rfc8085>.

   [RFC8201]  McCann, J., Deering, S., Mogul, J., J. and R. Hinden, Ed.,
              "Path MTU Discovery for IP version 6", STD 87, RFC 8201,
              DOI 10.17487/RFC8201, July 2017, <https://www.rfc-
              editor.org/info/rfc8201>.

9.2.  Informative References

   [RFC1191]  Mogul, J. J.C. and S. S.E. Deering, "Path MTU discovery", RFC
              1191, DOI 10.17487/RFC1191, November 1990, <https://www.rfc-
              editor.org/info/rfc1191>. <https://www
              .rfc-editor.org/info/rfc1191>.

   [RFC2923]  Lahey, K., "TCP Problems with Path MTU Discovery", RFC
              2923, DOI 10.17487/RFC2923, September 2000,
              <https://www.rfc-editor.org/info/rfc2923>. <https://www
              .rfc-editor.org/info/rfc2923>.

   [RFC4340]  Kohler, E., Handley, M., M. and S. Floyd, "Datagram Congestion
              Control Protocol (DCCP)", RFC 4340,
              DOI 10.17487/RFC4340, March 2006, <https://www.rfc-
              editor.org/info/rfc4340>. 2006.

   [RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU
              Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007,
              <https://www.rfc-editor.org/info/rfc4821>.

   [RFC4890]  Davies, E. and J. Mohacsi, "Recommendations for Filtering
              ICMPv6 Messages in Firewalls", RFC 4890, DOI 10.17487/RFC4890, 10.17487/
              RFC4890, May 2007, <https://www.rfc-
              editor.org/info/rfc4890>. <https://www.rfc-editor.org/info/
              rfc4890>.

Appendix A.  Event-driven state changes

   This appendix contains an informative description of key events:

   Path Setup: When a new path is initiated, the state is set to
      PROBE_START. As soon as the path is confirmed, the state changes
      to PROBE_BASE and the probing mechanism for this path is started.
      the first probe packet is sent with the size of the BASE_PMTU.

   Arrival of an Acknowledgment: Depending on the probing state, the
      reaction differs according to Figure 4, 5, which is just a
      simplification of Figure 1 2 focusing on this event.

   +--------------+                                    +----------------+
   |  PROBE_START | --3------------------------------->| PROBE_DISABLED |
   +--------------+ --4-----------\                    +----------------+
                                   \
   +--------------+                 \
   | PROBE_ERROR  | ---------------  \
   +--------------+                \  \
                                    \  \
   +--------------+                  \  \              +--------------+
   |  PROBE_BASE  | --1----------     \  ------------> |  PROBE_BASE  |
   +--------------+ --2-----     \     \               +--------------+
                            \     \     \
   +--------------+          \     \     ------------> +--------------+
   | PROBE_SEARCH | --2---    \     -----------------> | PROBE_SEARCH |
   +--------------+ --1---\----\---------------------> +--------------+
                           \    \
   +--------------+         \    \                     +--------------+
   |  PROBE_DONE  |          \    -------------------> |  PROBE_DONE  |
   +--------------+           -----------------------> +--------------+

   Condition 1: The maximum PMTU size has not yet been reached.
   Condition 2: The maximum PMTU size has been reached.  Conition 3:
   Probe Timer expires and PROBE_COUNT = MAX_PROBEs.  Condition 4:
   PROBE_ACK received.

        Figure 4: State changes at the arrival of an acknowledgment

   Probing timeout: The PROBE_COUNT is initialised to zero each time the
      value of PROBED_SIZE is changed.  The PROBE_TIMER is started each
      time a probe packet is sent.  It is stopped when an acknowledgment
      arrives that confirms delivery of a probe packet.  If the probe
      packet is not acknowledged before the PROBE_TIMER expires, the
      PROBE_ERROR_COUNTER is incremented.  When the PROBE_COUNT equals
      the value MAX_PROBES, the state is changed, otherwise a new probe
      packet of the same size (PROBED_SIZE) is resent.  The state
      transitions are illustrated in Figure 5. 6. This shows a
      simplification of Figure 1 2 with a focus only on this event.

   +--------------+                                    +----------------+
   |  PROBE_START |----------------------------------->| PROBE_DISABLED |
   +--------------+                                    +----------------+

   +--------------+                                    +--------------+
   | PROBE_ERROR  |                 -----------------> | PROBE_ERROR  |
   +--------------+                /                   +--------------+
                                  /
   +--------------+ --2----------/                     +--------------+
   |  PROBE_BASE  | --1------------------------------> |  PROBE_BASE  |
   +--------------+                                    +--------------+

   +--------------+                                    +--------------+
   | PROBE_SEARCH | --1------------------------------> | PROBE_SEARCH |
   +--------------+ --2---------                       +--------------+
                                \
   +--------------+              \                     +--------------+
   |  PROBE_DONE  |               -------------------> |  PROBE_DONE  |
   +--------------+                                    +--------------+

   Condition 1: The maximum number of probe packets has not been
   reached.  Condition 2: The maximum number of probe packets has been
   reached.

       Figure 5: State changes at the expiration of the probe timer

   PMTU raise timer timeout: The path through the network can change
      over time.  It impossible to discover whether a path change has
      increased the actual PMTU by exchanging packets less than or equal
      to the effective PMTU. PLPMTU. This requires PLPMTUD to periodically send a probe
      packet to detect whether a larger PMTU is possible.  This probe
      packet is generated by the PMTU_RAISE_TIMER. When the timer
      expires, probing is restarted with the BASE_PMTU and the state is
      changed to PROBE_BASE.

   Arrival of an ICMP message: The active probing of the path can be
      supported by the arrival of PTB messages sent by routers or
      middleboxes with a link MTU that is smaller than the probe packet
      size.  If the PTB message includes the router link MTU, three
      cases can be distinguished:

      1.  The indicated link MTU in the PTB message is between the
          already probed and effective MTU PLMTU and the probe that triggered the PTB
          message.

      2.  The indicated link MTU in the PTB message is smaller than the
          effective PMTU.
          PLPMTU.

      3.  The indicated link MTU in the PTB message is equal to the
          BASE_PMTU.

      In first case, the PROBE_BASE state transitions to the PROBE_ERROR
      state.  In the PROBE_SEARCH state, a new probe packet is sent with
      the sized reported by the PTB message.  Its result is handled
      according to the former events.

      The second case could be a result of a network re-configuration.
      If the reported link MTU in the PTB message is greater than the
      BASE_MTU, the probing starts again with a value of PROBE_BASE.
      Otherwise, the method enters the state PROBE_ERROR.

      In the third case, the maximum possible PMTU has been reached.
      This ought to be probed again, because there could be a link
      further along the path with a still smaller MTU.

      Note: Not all routers include the link MTU size when they send a
      PTB message.  If the PTB message does not indicate the link MTU,
      the probe is handled in the same way as condition 2 of Figure 5. 6.

Appendix B.  Revision Notes

   Note to RFC-Editor: please remove this entire section prior to
   publication.

   Individual draft -00:

   o  Comments and corrections are welcome directly to the authors or
      via the IETF TSVWG working group mailing list.

   o  This update is proposed for WG comments.

   Individual draft -01:

   o  Contains the first representation of the algorithm, showing the
      states and timers

   o  This update is proposed for WG comments.

   Individual draft -02:

   o  Contains updated representation of the algorithm, and textual
      corrections.

   o  The text describing when to set the effective PMTU has not yet
      been verified by the authors

   o  To determine security to off-path-attacks: We need to decide
      whether a received PTB message SHOULD/MUST be verified?  The text
      on how to handle a PTB message indicating a link MTU larger than
      the probe has yet not been verified by the authors

   o  No text currently describes how to handle inconsistent results
      from arbitrary re-routing along different parallel paths

   o  This update is proposed for WG comments.

   Working Group draft -00:

   o  This draft follows a successful adoption call for TSVWG

   o  There is still work to complete, please comment on this draft.

   Working Group draft -01:

   o  This draft includes improved introduction.

   o  The draft is updated to require ICMP validation prior to accepting
      PTB messages - this to be confirmed by WG

   o  Section added to discuss Selection of Probe Size - methods to be
      evlauated and recommendations to be considered

   o  Section added to align with work proposed in the QUIC WG.

   Working Group draft -02:

   o  The draft was updated based on feedback from the WG, and a
      detailed review by Magnus Westerlund.

   o  The document updates RFC 4821.

   o  Requirements list updated.

   o  Added more explicit discussion of a simpler black-hole detection
      mode.

   o  This draft includes reorganisation of the section on IETF
      protocols.

   o  Added more discussion of implementation within an application.

   o  Added text on flapping paths.

   o  Replaced 'effective MTU' with new term PLPMTU.

Authors' Addresses

   Godred Fairhurst
   University of Aberdeen
   School of Engineering
   Fraser Noble Building
   Aberdeen
   Aberdeen, AB24 3U
   UK

   Email: gorry@erg.abdn.ac.uk
   Tom Jones
   University of Aberdeen
   School of Engineering
   Fraser Noble Building
   Aberdeen
   Aberdeen, AB24 3U
   UK

   Email: tom@erg.abdn.ac.uk

   Michael Tuexen
   Muenster University of Applied Sciences
   Stegerwaldstrasse 39
   Stein fart fart, 48565
   DE

   Email: tuexen@fh-muenster.de

   Irene Ruengeler
   Muenster University of Applied Sciences
   Stegerwaldstrasse 39
   Stein fart fart, 48565
   DE

   Email: i.ruengeler@fh-muenster.de