Network Working Group                                        P. Tsuchiya
Request for Comments: 1326                                      Bellcore
                                                                May 1992


               Mutual Encapsulation Considered Dangerous

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard.  Distribution of this memo is
   unlimited.

Abstract

   This memo describes a packet explosion problem that can occur with
   mutual encapsulation of protocols (A encapsulates B and B
   encapsulates A).

The Current Environment

   In spite of international standardization efforts to the contrary, we
   are these days seeing a plethora of different protocols, both
   standard and proprietary, each designed to fill a technical or
   marketing niche.  The end result is that they eventually butt up
   against each other and are expected to interwork in some fashion.

   One approach to this interworking is to encapsulate one protocol
   within another.  This has resulted in cases of mutual encapsulation,
   where protocol A runs over protocol B in some cases, and protocol B
   runs over protocol A in other cases.  For example, there exists cases
   of both IP over AppleTalk and AppleTalk over IP.  (The term mutual
   encapsulation comes from the paper by Shoch, Cohen, and Taft, called
   Mutual Encapsulation of Internetwork Protocols", Computer Networks 5,
   North-Holland, 1981, 287-300.  The problem identified in this RFC is
   not mentioned in the Shoch et. al. paper.)

   If there are not already other instances of mutual encapsulation,
   there will likely be more in the future.  This is particularly true
   with respect to the various internet protocols, such as IP, CLNP,
   AppleTalk, IPX, DECNET, and so on.

The Problem

   The problem with mutual encapsulation is the following.  Consider the
   topology shown in Figure 1.  We see two backbones and four stubs.
   Backbone B(X) uses a native protocol of X (that is, it expects to
   receive packets with a header for protocol X).  B(Y) uses a native



Tsuchiya                                                        [Page 1]

RFC 1326                Encapsulation Dangerous                 May 1992


   protocol of Y.  Likewise, the right and left S(Y) stubs use protocol
   Y, and the right and left S(X) stubs use protocol X.

          :::  :::::          :::::   :::          :::
 +------+ :Y   :X:Y  +------+ :X:Y    :Y  +------+ :Y   +------+
 |      | :::  ::::: |      | :::::   ::: |      | :::  |      |
 | S(Y) |-----Ra-----|      |-------Rb----|      |------| S(Y) |
 |      |            |      |             |      |      |      |
 +------+            |      |             |      |      +------+
                     | B(X) |             | B(Y) |
                     |      |             |      |
                :::  |      | :::   ::::: |      | :::::  :::
       +------+  X:  |      |  X:    X:Y: |      |  X:Y:   X: +------+
       |      | :::  |      | :::   ::::: |      | :::::  ::: |      |
       | S(X) |------|      |-----Rc------|      |------Rd----| S(X) |
       |      |      |      |             |      |            |      |
       +------+      |      |-----Re------|      |            +------+
                     +------+             +------+


   LEGEND:

        :::::
         X:Y:  A packet with protocol X encapsulated in protocol
        :::::  Y, moving left to right

           Rx  Router x

         S(Y)  A stub network whose native protocol is protocol Y

         B(X)  A backbone network whose native protocol is protocol X


             FIGURE 1:  MUTUAL ENCAPSULATION

   Figure 1 shows how packets would travel from left S(X) to right S(X),
   and from right S(Y) to left S(Y).  Consider a packet from left S(X)
   to right S(X).  The packet from left S(X) has just a header of X up
   to the point where it reaches router Rc.  Since B(Y) cannot forward
   header X, Rc encapsulates the packet into a Y header with a
   destination address of Rd.  When Rd receives the packet from B(Y), it
   strips off the Y header and forwards the X header packet to right
   S(X).  The reverse situation exists for packets from right S(Y) to
   left S(Y).

   In this example Rc and Rd treat B(Y) as a lower-level subnetwork in
   exactly the same way that an IP router currently treats an Ethernet
   as a lower-level subnetwork.  Note that Rc considers Rd to be the



Tsuchiya                                                        [Page 2]

RFC 1326                Encapsulation Dangerous                 May 1992


   appropriate "exit router" for packets destined for right S(X), and Rb
   considers Ra to be the appropriate "exit router" for packets destined
   for left S(Y).

   Now, assume that somehow a routing loop forms such that routers in
   B(Y) think that Rd is reachable via Rb, Rb thinks that Rd is
   reachable via Re, and routers in B(X) think that Re is reachable via
   Rc.  (This could result as a transient condition in the routing
   algorithm if Rd and Re crashed at the same time.) When the initial
   packet from left S(X) reaches Rc, it is encapsulated with Y and sent
   to B(Y), which forwards it onto Rb.  (The notation for this packet is
   Y<X>, meaning that X in encapsulated in Y.)

   When Rb receives Y<X> from B(Y), it encapsulates the packet in an X
   header to get it to Re through B(X).  Now the packet has headers
   X<Y<X>>.  In other words, the packet has two X encapsulates.  When Rc
   receives X<Y<X>>, it again encapsulates the packet, resulting in
   Y<X<Y<X>>>.  The packet is growing with each encapsulation.

   Now, if we assume that each successive encapsulation does not
   preserve the hop count information in the previous header, then the
   packet will never expire.  Worse, the packet will eventually reach
   the Maximum Transmission Unit (MTU) size, and will fragment.  Each
   fragment will continue around the loop, getting successively larger
   until those fragments also fragment.  The result is an exponential
   explosion in the number of looping packets!

   The explosion will persist until the links are saturated, and the
   links will remain saturated until the loop is broken.  If the looping
   packets dominate the link to the point where other packets, such as
   routing update packets or management packets, are thrown away, then
   the loop may not automatically break itself, thus requiring manual
   intervention.  Once the loop is broken, the packets will quickly be
   flushed from the network.

Potential Fixes

   The first potential fix that comes to mind is to always preserve the
   hop count information in the new header.  Since hop count information
   is preserved in fragments, the explosion will not occur even if some
   fragmentation occurs before the hop count expires.  Not all headers,
   however, have hop count information in them (for instance, X.25 and
   SMDS).

   And the hop counts ranges for different protocols are different,
   making direct translation not always possible.  For instance,
   AppleTalk has a maximum hop count of 16, whereas IP has up to 256.
   One could define a mapping whereby the hop count is lowered to fit



Tsuchiya                                                        [Page 3]

RFC 1326                Encapsulation Dangerous                 May 1992


   into the smaller range when necessary.  This, however, might often
   result in unnecessary black holes because of overly small hop counts.
   There are for instance many IP paths that are longer than 16 hops.

   It is worth noting that the current IP over AppleTalk Internet Draft
   does not preserve hop counts ("A Standard for the Transmission of
   Internet Packets Over AppleTalk Networks").

   Another potential fix is to have routers peek into network layer
   headers to see if the planned encapsulation already exists.  For
   instance, in the example of Figure 1, when Rb receives Y<X>, it would
   see what Y had encapsulated (for instance by looking at the protocol
   id field of X's header), notice that X has already been encapsulated,
   and throw away the packet.  If the encapsulation loop involves more
   than two protocols, then the router may have to peek into successive
   network layer headers.  It would quit when it finally got to a
   transport layer header.

   There are several pitfalls with this approach.  First, it is always
   possible that a network layer protocol is being encapsulated within a
   transport layer protocol, thus I suppose requiring that the router
   continue to peek even above the transport layer.

   Second, the router may not recognize one of the network layer
   headers, thus preventing it from peeking any further.  For instance,
   consider a loop involving three routers Rxy, Ryz, and Rzx, and three
   protocols X, Y, and Z (the subscripts on the routers R denote which
   protocols the router recognizes).  After the first loop, Rxy receives
   X<Z<Y<X>>>.  Since Rxy does not recognize Z, it cannot peek beyond Z
   to discover the embedded Y header.

   Third, a router may be encrypting the packet that it sends to its
   peer, such as is done with Blacker routers.  For instance, Rc might
   be encrypting packets that it encapsulates for Rd, expecting Rd to
   decrypt it.  When Rb receives this packet (because of the loop), it
   cannot peek beyond the Y header.

   Finally, there may be situations where it is appropriate to have
   multiple instances of the same header.  For instance, in the nested
   mutual encapsulation of Figure 2, Ra will encapsulate Y in X to get
   it to Rd, but Rb will encapsulate X<Y> in Y to get it to Rc.  In this
   case, it is appropriate for Rb to transmit a packet with two Y
   headers.

   A third (somewhat hybrid) solution is to outlaw nested mutual
   encapsulation, employ both hop count preservation and header peeking
   where appropriate, and generally discourage the use of mutual
   encapsulation (or at least adopt the attitude that those who engage



Tsuchiya                                                        [Page 4]

RFC 1326                Encapsulation Dangerous                 May 1992


   in mutual encapsulation deserve what they get).

                     +--------------------+
                     |                    |
                     |               B(X) |
       +------+      |      +------+      |      +------+
       |      |      |      |      |      |      |      |
       | S(Y) |--Ra--+   Rb-| B(Y) |-Rc   +--Rd--| S(Y) |
       |      |      |      |      |      |      |      |
       +------+      |      +------+      |      +------+
                     |                    |
                     |                    |
                     +--------------------+

                FIGURE 2:  NESTED MUTUAL ENCAPSULATION

Security Considerations

   Security issues are not discussed in this memo.

Author's Address

   Paul Tsuchiya
   Bellcore
   435 South St.
   MRE 2L-281
   Morristown, NJ 07960

   Phone: (908) 829-4484
   EMail:  tsuchiya@thumper.bellcore.com





















Tsuchiya                                                        [Page 5]