--- 1/draft-ietf-lisp-rfc6830bis-32.txt 2020-07-29 04:15:04.986992794 -0700 +++ 2/draft-ietf-lisp-rfc6830bis-33.txt 2020-07-29 04:15:05.082995233 -0700 @@ -1,25 +1,25 @@ Network Working Group D. Farinacci Internet-Draft lispers.net Obsoletes: 6830 (if approved) V. Fuller Intended status: Standards Track vaf.net Internet Consulting -Expires: September 6, 2020 D. Meyer +Expires: January 30, 2021 D. Meyer 1-4-5.net D. Lewis Cisco Systems A. Cabellos (Ed.) UPC/BarcelonaTech - March 5, 2020 + July 29, 2020 The Locator/ID Separation Protocol (LISP) - draft-ietf-lisp-rfc6830bis-32 + draft-ietf-lisp-rfc6830bis-33 Abstract This document describes the Data-Plane protocol for the Locator/ID Separation Protocol (LISP). LISP defines two namespaces, End-point Identifiers (EIDs) that identify end-hosts and Routing Locators (RLOCs) that identify network attachment points. With this, LISP effectively separates control from data, and allows routers to create overlay networks. LISP-capable routers exchange encapsulated packets according to EID-to-RLOC mappings stored in a local Map-Cache. @@ -38,104 +38,106 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 6, 2020. + This Internet-Draft will expire on January 30, 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Scope of Applicability . . . . . . . . . . . . . . . . . 4 - 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4 + 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 5 3. Definition of Terms . . . . . . . . . . . . . . . . . . . . . 5 4. Basic Overview . . . . . . . . . . . . . . . . . . . . . . . 8 - 4.1. Packet Flow Sequence . . . . . . . . . . . . . . . . . . 10 - 5. LISP Encapsulation Details . . . . . . . . . . . . . . . . . 12 + 4.1. Deployment on the Public Internet . . . . . . . . . . . . 10 + 4.2. Packet Flow Sequence . . . . . . . . . . . . . . . . . . 11 + 5. LISP Encapsulation Details . . . . . . . . . . . . . . . . . 13 5.1. LISP IPv4-in-IPv4 Header Format . . . . . . . . . . . . . 13 5.2. LISP IPv6-in-IPv6 Header Format . . . . . . . . . . . . . 14 5.3. Tunnel Header Field Descriptions . . . . . . . . . . . . 15 - 6. LISP EID-to-RLOC Map-Cache . . . . . . . . . . . . . . . . . 19 + 6. LISP EID-to-RLOC Map-Cache . . . . . . . . . . . . . . . . . 20 7. Dealing with Large Encapsulated Packets . . . . . . . . . . . 20 - 7.1. A Stateless Solution to MTU Handling . . . . . . . . . . 20 - 7.2. A Stateful Solution to MTU Handling . . . . . . . . . . . 21 - 8. Using Virtualization and Segmentation with LISP . . . . . . . 22 - 9. Routing Locator Selection . . . . . . . . . . . . . . . . . . 22 - 10. Routing Locator Reachability . . . . . . . . . . . . . . . . 24 - 10.1. Echo Nonce Algorithm . . . . . . . . . . . . . . . . . . 26 - 11. EID Reachability within a LISP Site . . . . . . . . . . . . . 27 - 12. Routing Locator Hashing . . . . . . . . . . . . . . . . . . . 27 - 13. Changing the Contents of EID-to-RLOC Mappings . . . . . . . . 28 - 13.1. Locator-Status-Bits . . . . . . . . . . . . . . . . . . 29 - 13.2. Database Map-Versioning . . . . . . . . . . . . . . . . 29 - 14. Multicast Considerations . . . . . . . . . . . . . . . . . . 30 - 15. Router Performance Considerations . . . . . . . . . . . . . . 31 - 16. Security Considerations . . . . . . . . . . . . . . . . . . . 32 - 17. Network Management Considerations . . . . . . . . . . . . . . 33 - 18. Changes since RFC 6830 . . . . . . . . . . . . . . . . . . . 33 - 19. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 - 19.1. LISP UDP Port Numbers . . . . . . . . . . . . . . . . . 34 - 20. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 - 20.1. Normative References . . . . . . . . . . . . . . . . . . 34 - 20.2. Informative References . . . . . . . . . . . . . . . . . 36 - Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 39 - Appendix B. Document Change Log . . . . . . . . . . . . . . . . 40 - B.1. Changes to draft-ietf-lisp-rfc6830bis-27 . . . . . . . . 40 - B.2. Changes to draft-ietf-lisp-rfc6830bis-27 . . . . . . . . 40 - B.3. Changes to draft-ietf-lisp-rfc6830bis-26 . . . . . . . . 40 - B.4. Changes to draft-ietf-lisp-rfc6830bis-25 . . . . . . . . 41 - B.5. Changes to draft-ietf-lisp-rfc6830bis-24 . . . . . . . . 41 - B.6. Changes to draft-ietf-lisp-rfc6830bis-23 . . . . . . . . 41 - B.7. Changes to draft-ietf-lisp-rfc6830bis-22 . . . . . . . . 41 - B.8. Changes to draft-ietf-lisp-rfc6830bis-21 . . . . . . . . 41 - B.9. Changes to draft-ietf-lisp-rfc6830bis-20 . . . . . . . . 41 - B.10. Changes to draft-ietf-lisp-rfc6830bis-19 . . . . . . . . 41 - B.11. Changes to draft-ietf-lisp-rfc6830bis-18 . . . . . . . . 42 - B.12. Changes to draft-ietf-lisp-rfc6830bis-17 . . . . . . . . 42 - B.13. Changes to draft-ietf-lisp-rfc6830bis-16 . . . . . . . . 42 - B.14. Changes to draft-ietf-lisp-rfc6830bis-15 . . . . . . . . 42 - B.15. Changes to draft-ietf-lisp-rfc6830bis-14 . . . . . . . . 42 - B.16. Changes to draft-ietf-lisp-rfc6830bis-13 . . . . . . . . 42 - B.17. Changes to draft-ietf-lisp-rfc6830bis-12 . . . . . . . . 43 - B.18. Changes to draft-ietf-lisp-rfc6830bis-11 . . . . . . . . 43 - B.19. Changes to draft-ietf-lisp-rfc6830bis-10 . . . . . . . . 43 - B.20. Changes to draft-ietf-lisp-rfc6830bis-09 . . . . . . . . 43 - B.21. Changes to draft-ietf-lisp-rfc6830bis-08 . . . . . . . . 44 - B.22. Changes to draft-ietf-lisp-rfc6830bis-07 . . . . . . . . 44 - B.23. Changes to draft-ietf-lisp-rfc6830bis-06 . . . . . . . . 44 - B.24. Changes to draft-ietf-lisp-rfc6830bis-05 . . . . . . . . 44 - B.25. Changes to draft-ietf-lisp-rfc6830bis-04 . . . . . . . . 45 - B.26. Changes to draft-ietf-lisp-rfc6830bis-03 . . . . . . . . 45 - B.27. Changes to draft-ietf-lisp-rfc6830bis-02 . . . . . . . . 45 - B.28. Changes to draft-ietf-lisp-rfc6830bis-01 . . . . . . . . 45 - B.29. Changes to draft-ietf-lisp-rfc6830bis-00 . . . . . . . . 45 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 + 7.1. A Stateless Solution to MTU Handling . . . . . . . . . . 21 + 7.2. A Stateful Solution to MTU Handling . . . . . . . . . . . 22 + 8. Using Virtualization and Segmentation with LISP . . . . . . . 23 + 9. Routing Locator Selection . . . . . . . . . . . . . . . . . . 23 + 10. Routing Locator Reachability . . . . . . . . . . . . . . . . 25 + 10.1. Echo Nonce Algorithm . . . . . . . . . . . . . . . . . . 27 + 11. EID Reachability within a LISP Site . . . . . . . . . . . . . 28 + 12. Routing Locator Hashing . . . . . . . . . . . . . . . . . . . 28 + 13. Changing the Contents of EID-to-RLOC Mappings . . . . . . . . 30 + 13.1. Locator-Status-Bits . . . . . . . . . . . . . . . . . . 30 + 13.2. Database Map-Versioning . . . . . . . . . . . . . . . . 30 + 14. Multicast Considerations . . . . . . . . . . . . . . . . . . 31 + 15. Router Performance Considerations . . . . . . . . . . . . . . 32 + 16. Security Considerations . . . . . . . . . . . . . . . . . . . 33 + 17. Network Management Considerations . . . . . . . . . . . . . . 34 + 18. Changes since RFC 6830 . . . . . . . . . . . . . . . . . . . 34 + 19. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 + 19.1. LISP UDP Port Numbers . . . . . . . . . . . . . . . . . 35 + + 20. References . . . . . . . . . . . . . . . . . . . . . . . . . 35 + 20.1. Normative References . . . . . . . . . . . . . . . . . . 35 + 20.2. Informative References . . . . . . . . . . . . . . . . . 37 + Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 40 + Appendix B. Document Change Log . . . . . . . . . . . . . . . . 41 + B.1. Changes to draft-ietf-lisp-rfc6830bis-27 . . . . . . . . 41 + B.2. Changes to draft-ietf-lisp-rfc6830bis-27 . . . . . . . . 41 + B.3. Changes to draft-ietf-lisp-rfc6830bis-26 . . . . . . . . 41 + B.4. Changes to draft-ietf-lisp-rfc6830bis-25 . . . . . . . . 42 + B.5. Changes to draft-ietf-lisp-rfc6830bis-24 . . . . . . . . 42 + B.6. Changes to draft-ietf-lisp-rfc6830bis-23 . . . . . . . . 42 + B.7. Changes to draft-ietf-lisp-rfc6830bis-22 . . . . . . . . 42 + B.8. Changes to draft-ietf-lisp-rfc6830bis-21 . . . . . . . . 42 + B.9. Changes to draft-ietf-lisp-rfc6830bis-20 . . . . . . . . 42 + B.10. Changes to draft-ietf-lisp-rfc6830bis-19 . . . . . . . . 42 + B.11. Changes to draft-ietf-lisp-rfc6830bis-18 . . . . . . . . 43 + B.12. Changes to draft-ietf-lisp-rfc6830bis-17 . . . . . . . . 43 + B.13. Changes to draft-ietf-lisp-rfc6830bis-16 . . . . . . . . 43 + B.14. Changes to draft-ietf-lisp-rfc6830bis-15 . . . . . . . . 43 + B.15. Changes to draft-ietf-lisp-rfc6830bis-14 . . . . . . . . 43 + B.16. Changes to draft-ietf-lisp-rfc6830bis-13 . . . . . . . . 43 + B.17. Changes to draft-ietf-lisp-rfc6830bis-12 . . . . . . . . 44 + B.18. Changes to draft-ietf-lisp-rfc6830bis-11 . . . . . . . . 44 + B.19. Changes to draft-ietf-lisp-rfc6830bis-10 . . . . . . . . 44 + B.20. Changes to draft-ietf-lisp-rfc6830bis-09 . . . . . . . . 44 + B.21. Changes to draft-ietf-lisp-rfc6830bis-08 . . . . . . . . 45 + B.22. Changes to draft-ietf-lisp-rfc6830bis-07 . . . . . . . . 45 + B.23. Changes to draft-ietf-lisp-rfc6830bis-06 . . . . . . . . 45 + B.24. Changes to draft-ietf-lisp-rfc6830bis-05 . . . . . . . . 45 + B.25. Changes to draft-ietf-lisp-rfc6830bis-04 . . . . . . . . 46 + B.26. Changes to draft-ietf-lisp-rfc6830bis-03 . . . . . . . . 46 + B.27. Changes to draft-ietf-lisp-rfc6830bis-02 . . . . . . . . 46 + B.28. Changes to draft-ietf-lisp-rfc6830bis-01 . . . . . . . . 46 + B.29. Changes to draft-ietf-lisp-rfc6830bis-00 . . . . . . . . 46 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 46 1. Introduction This document describes the Locator/Identifier Separation Protocol (LISP). LISP is an encapsulation protocol built around the fundamental idea of separating the topological location of a network attachment point from the node's identity [CHIAPPA]. As a result LISP creates two namespaces: Endpoint Identifiers (EIDs), that are used to identify end-hosts (e.g., nodes or Virtual Machines) and routable Routing Locators (RLOCs), used to identify network @@ -400,21 +402,21 @@ typically IP addresses assigned to hosts (other types of EID are supported by LISP, see [RFC8060] for further information). End- systems don't know that addresses are EIDs versus RLOCs but assume that packets get to their intended destinations. In a system where LISP is deployed, LISP routers intercept EID-addressed packets and assist in delivering them across the network core where EIDs cannot be routed. The procedure a host uses to send IP packets does not change. o LISP routers mostly deal with Routing Locator addresses. See - details in Section 4.1 to clarify what is meant by "mostly". + details in Section 4.2 to clarify what is meant by "mostly". o RLOCs are always IP addresses assigned to routers, preferably topologically oriented addresses from provider CIDR (Classless Inter-Domain Routing) blocks. o When a router originates packets, it MAY use as a source address either an EID or RLOC. When acting as a host (e.g., when terminating a transport session such as Secure SHell (SSH), TELNET, or the Simple Network Management Protocol (SNMP)), it MAY use an EID that is explicitly assigned for that purpose. An EID @@ -438,47 +440,65 @@ use-case for this would be an ISP router that needs to perform Traffic Engineering for packets flowing through its network. In such a situation, termed "Recursive Tunneling", an ISP transit acts as an additional ITR, and the destination RLOC it uses for the new prepended header would be either a TE-ETR within the ISP (along an intra-ISP traffic engineered path) or a TE-ETR within another ISP (an inter-ISP traffic engineered path, where an agreement to build such a path exists). In order to avoid excessive packet overhead as well as possible - encapsulation loops, this document recommends that a maximum of two + encapsulation loops, this document RECOMMENDS that a maximum of two LISP headers can be prepended to a packet. For initial LISP deployments, it is assumed that two headers is sufficient, where the first prepended header is used at a site for Location/Identity separation and the second prepended header is used inside a service provider for Traffic Engineering purposes. Tunnel Routers can be placed fairly flexibly in a multi-AS topology. For example, the ITR for a particular end-to-end packet exchange might be the first-hop or default router within a site for the source host. Similarly, the ETR might be the last-hop router directly connected to the destination host. Another example, perhaps for a VPN service outsourced to an ISP by a site, the ITR could be the site's border router at the service provider attachment point. Mixing and matching of site-operated, ISP-operated, and other Tunnel Routers is allowed for maximum flexibility. -4.1. Packet Flow Sequence +4.1. Deployment on the Public Internet + + Several of the mechanisms in this document are intended for + deployment in controlled, trusted environments, and are insecure for + use over the public Internet. In particular, on the public internet + xTRs: + + o MUST set the N, L, E, and V bits in the LISP header (Section 5.1) + to zero. + + o MUST NOT use Locator-Status-Bits and echo-nonce, as described in + Section 10 for Routing Locator Reachability. Instead MUST rely + solely on control-plane methods. + + o MUST NOT use Gleaning or Locator-Status-Bits and Map-Versioning, + as described in Section 13 to update the EID-to-RLOC Mappings. + Instead relying solely on control-plane methods. + +4.2. Packet Flow Sequence This section provides an example of the unicast packet flow, including also Control-Plane information as specified in [I-D.ietf-lisp-rfc6833bis]. The example also assumes the following conditions: o Source host "host1.abc.example.com" is sending a packet to - "host2.xyz.example.com", exactly what host1 would do if the site - was not using LISP. + "host2.xyz.example.com", exactly as it would if the site was not + not using LISP. o Each site is multihomed, so each Tunnel Router has an address (RLOC) assigned from the service provider address block for each provider to which that particular Tunnel Router is attached. o The ITR(s) and ETR(s) are directly connected to the source and destination, respectively, but the source and destination can be located anywhere in the LISP site. o A Map-Request is sent for an external destination when the @@ -767,27 +785,25 @@ MUST be set to 0 on transmit and MUST be ignored on receipt. KK: The KK-bits are a 2-bit field used when encapsulated packets are encrypted. The field is set to 00 when the packet is not encrypted. See [RFC8061] for further information. LISP Nonce: The LISP 'Nonce' field is a 24-bit value that is randomly generated by an ITR when the N-bit is set to 1. Nonce generation algorithms are an implementation matter but are required to generate different nonces when sending to different - RLOCs. However, the same nonce can be used for a period of time - when encapsulating to the same ETR. The nonce is also used when - the E-bit is set to request the nonce value to be echoed by the - other side when packets are returned. When the E-bit is clear but - the N-bit is set, a remote ITR is either echoing a previously - requested echo-nonce or providing a random nonce. See - Section 10.1 for more details. + RLOCs. The nonce is also used when the E-bit is set to request + the nonce value to be echoed by the other side when packets are + returned. When the E-bit is clear but the N-bit is set, a remote + ITR is either echoing a previously requested echo-nonce or + providing a random nonce. See Section 10.1 for more details. LISP Locator-Status-Bits (LSBs): When the L-bit is also set, the 'Locator-Status-Bits' field in the LISP header is set by an ITR to indicate to an ETR the up/down status of the Locators in the source site. Each RLOC in a Map-Reply is assigned an ordinal value from 0 to n-1 (when there are n RLOCs in a mapping entry). The Locator-Status-Bits are numbered from 0 to n-1 from the least significant bit of the field. The field is 32 bits when the I-bit is set to 0 and is 8 bits when the I-bit is set to 1. When a Locator-Status-Bit is set to 1, the ITR is indicating to the ETR @@ -803,21 +819,22 @@ When doing ITR/PITR encapsulation: o The outer-header 'Time to Live' field (or 'Hop Limit' field, in the case of IPv6) SHOULD be copied from the inner-header 'Time to Live' field. o The outer-header IPv4 'Differentiated Services Code Point' (DSCP) field or the 'Traffic Class' field, in the case of IPv6, SHOULD be copied from the inner-header IPv4 DSCP field or 'Traffic Class' - field in the case of IPv6, to the outer-header. + field in the case of IPv6, to the outer-header. Guidelines for + this can be found at [RFC2983]. o The IPv4 'Explicit Congestion Notification' (ECN) field and bits 6 and 7 of the IPv6 'Traffic Class' field requires special treatment in order to avoid discarding indications of congestion as specified in [RFC6040]. When doing ETR/PETR decapsulation: o The inner-header IPv4 'Time to Live' field or 'Hop Limit' field in the case of IPv6, MUST be copied from the outer-header 'Time to @@ -825,21 +842,22 @@ of the outer header is less than the 'Time to Live'/'Hop Limit' value of the inner header. Failing to perform this check can cause the 'Time to Live'/'Hop Limit' of the inner header to increment across encapsulation/decapsulation cycles. This check is also performed when doing initial encapsulation, when a packet comes to an ITR or PITR destined for a LISP site. o The outer-header IPv4 'Differentiated Services Code Point' (DSCP) field or the 'Traffic Class' field in the case of IPv6, SHOULD be copied from the outer-header IPv4 DSCP field or 'Traffic Class' - field in the case of IPv6, to the inner-header. + field in the case of IPv6, to the inner-header. Guidelines for + this can be found at [RFC2983]. o The IPv4 'Explicit Congestion Notification' (ECN) field and bits 6 and 7 of the IPv6 'Traffic Class' field, requires special treatment in order to avoid discarding indications of congestion as specified in [RFC6040]. Note that implementations exist that copy the 'ECN' field from the outer header to the inner header even though [RFC6040] does not recommend this behavior. It is RECOMMENDED that implementations change to support the behavior in [RFC6040]. @@ -909,20 +927,24 @@ It is left to the implementor to decide if the stateless or stateful mechanism SHOULD be implemented. Both or neither can be used, since it is a local decision in the ITR regarding how to deal with MTU issues, and sites can interoperate with differing mechanisms. Both stateless and stateful mechanisms also apply to Re-encapsulating and Recursive Tunneling, so any actions below referring to an ITR also apply to a TE-ITR. + Both stateless and stateful mechanisms also apply to Re-encapsulating + and Recursive Tunneling, so any actions below referring to an ITR + also apply to a TE-ITR. + 7.1. A Stateless Solution to MTU Handling An ITR stateless solution to handle MTU issues is described as follows: 1. Define H to be the size, in octets, of the outer header an ITR prepends to a packet. This includes the UDP and LISP header lengths. 2. Define L to be the size, in octets, of the maximum-sized packet @@ -960,48 +982,49 @@ is greater than L and send an ICMPv4 ICMP Unreachable/Fragmentation- Needed or ICMPv6 "Packet Too Big" message to the source with a value of S, where S is (L - H). When the outer-header encapsulation uses an IPv4 header, an implementation SHOULD set the DF bit to 1 so ETR fragment reassembly can be avoided. An implementation MAY set the DF bit in such headers to 0 if it has good reason to believe there are unresolvable path MTU issues between the sending ITR and the receiving ETR. - This specification RECOMMENDS that L be defined as 1500. + This specification RECOMMENDS that L be defined as 1500. Additional + information about in-network MTU and fragmentation issues can be + found at [RFC4459]. 7.2. A Stateful Solution to MTU Handling An ITR stateful solution to handle MTU issues is described as - follows: + follows, this solution can only be used with IPv4-encapsulated + packets: 1. The ITR will keep state of the effective MTU for each Locator per Map-Cache entry. The effective MTU is what the core network can deliver along the path between the ITR and ETR. - 2. When an IPv6-encapsulated packet, or an IPv4-encapsulated packet - with the DF bit set to 1, exceeds what the core network can - deliver, one of the intermediate routers on the path will send an - ICMPv6 "Packet Too Big" message or an ICMPv4 Unreachable/ - Fragmentation-Needed to the ITR, respectively. The ITR will - parse the ICMP message to determine which Locator is affected by - the effective MTU change and then record the new effective MTU - value in the Map-Cache entry. + 2. When an IPv4-encapsulated packet with the DF bit set to 1, + exceeds what the core network can deliver, one of the + intermediate routers on the path will send an an ICMPv4 + Unreachable/Fragmentation-Needed to the ITR, respectively. The + ITR will parse the ICMP message to determine which Locator is + affected by the effective MTU change and then record the new + effective MTU value in the Map-Cache entry. 3. When a packet is received by the ITR from a source inside of the site and the size of the packet is greater than the effective MTU stored with the Map-Cache entry associated with the destination EID the packet is for, the ITR will send an ICMPv4 ICMP - Unreachable/Fragmentation-Needed or ICMPv6 "Packet Too Big" - message back to the source. The packet size advertised by the - ITR in the ICMP message is the effective MTU minus the LISP - encapsulation length. + Unreachable/Fragmentation-Needed message back to the source. The + packet size advertised by the ITR in the ICMP message is the + effective MTU minus the LISP encapsulation length. Even though this mechanism is stateful, it has advantages over the stateless IP fragmentation mechanism, by not involving the destination host with reassembly of ITR fragmented packets. 8. Using Virtualization and Segmentation with LISP There are several cases where segregation is needed at the EID level. For instance, this is the case for deployments containing overlapping addresses, traffic isolation policies or multi-tenant virtualization. @@ -1019,37 +1042,39 @@ to use for the inner destination EID lookup. For example, an 802.1Q VLAN tag or VPN identifier could be used as a 24-bit Instance ID. See [I-D.ietf-lisp-vpn] for LISP VPN use-case details. Participants within a LISP deployment must agree on the meaning of Instance ID values. The source and destination EIDs MUST belong to the same Instance ID. + Instance ID SHOULD NOT be used with overlapping IPv6 EID addresses. + 9. Routing Locator Selection The Map-Cache contains the state used by ITRs and PITRs to encapsulate packets. When an ITR/PITR receives a packet from inside the LISP site to a destination outside of the site a longest-prefix match lookup of the EID is done to the Map-Cache (see Section 6). The lookup returns a single Locator-Set containing a list of RLOCs corresponding to the EID's topological location. Each RLOC in the Locator-Set is associated with a 'Priority' and 'Weight', this information is used to select the RLOC to encapsulate. The RLOC with the lowest 'Priority' is selected. An RLOC with 'Priority' 255 means that MUST NOT be used for forwarding. When - multiple RLOC have the same 'Priority' then the 'Weight' states how + multiple RLOCs have the same 'Priority' then the 'Weight' states how to load balance traffic among them. The value of the 'Weight' represents the relative weight of the total packets that match the - maping entry. + mapping entry. The following are different scenarios for choosing RLOCs and the controls that are available: o The server-side returns one RLOC. The client-side can only use one RLOC. The server-side has complete control of the selection. o The server-side returns a list of RLOCs where a subset of the list has the same best Priority. The client can only use the subset list according to the weighting assigned by the server-side. In @@ -1078,33 +1103,34 @@ inner-header source EID and the outer-header source RLOC of received packets. The client-side ITR controls how traffic is returned and can alternate using an outer-header source RLOC, which then can be added to the list the server-side ETR uses to return traffic. Since no Priority or Weights are provided using this method, the server-side ETR MUST assume that each client-side ITR RLOC uses the same best Priority with a Weight of zero. In addition, since EID-Prefix encoding cannot be conveyed in data packets, the EID-to-RLOC Cache on Tunnel Routers can grow to be very large. Gleaning has several important considerations. A - "gleaned" Map-Cache entry is only stored and used for a few - seconds, pending verification. Verification is performed by - sending a Map-Request to the source EID (the inner-header IP - source address) of the received encapsulated packet. A reply to - this "verifying Map-Request" is used to fully populate the Map- - Cache entry for the "gleaned" EID and is stored and used for the - time indicated from the 'TTL' field of a received Map-Reply. When - a verified Map- Cache entry is stored, data gleaning no longer - occurs for subsequent packets that have a source EID that matches - the EID-Prefix of the verified entry. This "gleaning" mechanism - SHOULD NOT be used over the public Internet and SHOULD only be - used in trusted and closed deployments. Refer to Section 16 for - security issues regarding this mechanism. + "gleaned" Map-Cache entry is only stored and used for a + RECOMMENDED period of 3 seconds, pending verification. + Verification MUST be performed by sending a Map-Request to the + source EID (the inner-header IP source address) of the received + encapsulated packet. A reply to this "verifying Map-Request" is + used to fully populate the Map-Cache entry for the "gleaned" EID + and is stored and used for the time indicated from the 'TTL' field + of a received Map-Reply. When a verified Map- Cache entry is + stored, data gleaning no longer occurs for subsequent packets that + have a source EID that matches the EID-Prefix of the verified + entry. This "gleaning" mechanism MUST NOT be used over the public + Internet and SHOULD only be used in trusted and closed + deployments. Refer to Section 16 for security issues regarding + this mechanism. RLOCs that appear in EID-to-RLOC Map-Reply messages are assumed to be reachable when the R-bit [I-D.ietf-lisp-rfc6833bis] for the Locator record is set to 1. When the R-bit is set to 0, an ITR or PITR MUST NOT encapsulate to the RLOC. Neither the information contained in a Map-Reply nor that stored in the mapping database system provides reachability information for RLOCs. Note that reachability is not part of the mapping system and is determined using one or more of the Routing Locator reachability algorithms described in the next section. @@ -1164,21 +1190,21 @@ packet will check for any change in the 'Locator-Status-Bits' field. When a bit goes from 1 to 0, the ETR, if acting also as an ITR, will refrain from encapsulating packets to an RLOC that is indicated as down. It will only resume using that RLOC if the corresponding Locator-Status-Bit returns to a value of 1. Locator-Status-Bits are associated with a Locator-Set per EID-Prefix. Therefore, when a Locator becomes unreachable, the Locator-Status-Bit that corresponds to that Locator's position in the list returned by the last Map-Reply will be set to zero for that particular EID-Prefix. - Locator-Status-Bits SHOULD NOT be used over the public Internet and + Locator-Status-Bits MUST NOT be used over the public Internet and SHOULD only be used in trusted and closed deployments. In addition Locator-Status-Bits SHOULD be coupled with Map-Versioning (Section 13.2) to prevent race conditions where Locator-Status-Bits are interpreted as referring to different RLOCs than intended. Refer to Section 16 for security issues regarding this mechanism. If an ITR encapsulates a packet to an ETR and the packet is received and decapsulated by the ETR, it is implied but not confirmed by the ITR that the ETR's RLOC is reachable. In most cases, the ETR can also reach the ITR but cannot assume this to be true, due to the @@ -1243,22 +1269,22 @@ echoing of the nonce does not occur and the requesting side may erroneously consider the Locator unreachable. An ITR SHOULD set the E-bit in an encapsulated data packet when it knows the ETR is enabled for echo-noncing. This is conveyed by the E-bit in the Map-Reply message. Many implementations default to not advertising they are echo-nonce capable in Map-Reply messages and so RLOC-probing tends to be used for RLOC reachability. - The echo-nonce mechanism SHOULD NOT be used over the public Internet - and SHOULD only be used in trusted and closed deployments. Refer to + The echo-nonce mechanism MUST NOT be used over the public Internet + and MUST only be used in trusted and closed deployments. Refer to Section 16 for security issues regarding this mechanism. 11. EID Reachability within a LISP Site A site MAY be multihomed using two or more ETRs. The hosts and infrastructure within a site will be addressed using one or more EID- Prefixes that are mapped to the RLOCs of the relevant ETRs in the mapping system. One possible failure mode is for an ETR to lose reachability to one or more of the EID-Prefixes within its own site. When this occurs when the ETR sends Map-Replies, it can clear the @@ -1316,21 +1342,24 @@ suggested setting for the source port number computed by an ITR is a 5-tuple hash function on the inner header, as described above. The source port SHOULD be the same for all packets belonging to the same flow. Many core router implementations use a 5-tuple hash to decide how to balance packet load across members of a LAG. The 5-tuple hash includes the source and destination addresses of the packet and the source and destination ports when the protocol number in the packet is TCP or UDP. For this reason, UDP encoding is used for LISP - encapsulation. + encapsulation. In this scenario, when the outer header is IPv6, the + flow label MAY also be set following the procedures specified in + [RFC6438]. When the inner header is IPv6 then the flow label is not + zero, it MAY be used to compute the hash. 13. Changing the Contents of EID-to-RLOC Mappings Since the LISP architecture uses a caching scheme to retrieve and store EID-to-RLOC mappings, the only way an ITR can get a more up-to- date mapping is to re-request the mapping. However, the ITRs do not know when the mappings change, and the ETRs do not keep track of which ITRs requested its mappings. For scalability reasons, it is desirable to maintain this approach but need to provide a way for ETRs to change their mappings and inform the sites that are currently @@ -1397,25 +1426,25 @@ comparison with previously received Map-Version Numbers. A Map-Version Number can be included in Map-Register messages as well. This is a good way for the Map-Server to assure that all ETRs for a site registering to it will be synchronized according to Map- Version Number. Map-Version requires that ETRs within the LISP site are synchronized with respect to the Map-Version Number, EID-prefix and the set and status (up/down) of the RLOCs. The use of Map-Versioning without - proper synzhronization may cause traffic disruption. The + proper synchronization may cause traffic disruption. The synchronization protocol is out-of-the-scope of this document, but MUST keep ETRs synchronized within a 1 minute window. - Map-Versioning SHOULD NOT be used over the public Internet and SHOULD + Map-Versioning MUST NOT be used over the public Internet and SHOULD only be used in trusted and closed deployments. Refer to Section 16 for security issues regarding this mechanism. See [I-D.ietf-lisp-6834bis] for a more detailed analysis and description of Database Map-Versioning. 14. Multicast Considerations A multicast group address, as defined in the original Internet architecture, is an identifier of a grouping of topologically @@ -1513,28 +1542,32 @@ reachable even when it may not be reachable. If the attack is successful, the ITR believes the wrong reachability status of the ETR's RLOC until RLOC-probing detects the correct status. This time frame is on the order of 10s of seconds. This specific attack can be mitigated by preventing RLOC spoofing in the network by deploying uRPF BCP 38 [RFC2827]. In addition and in order to exploit this vulnerability, the off-path attacker must send echo-nonce packets at high rate. If the nonces have never been requested by the ITR, it can protect itself from erroneous reachability attacks. + A LISP-specific uRPF check is also possible. When decapsulating, an + ETR can check that the source EID and RLOC are valid EID-to-RLOC + mappings by checking the Mapping System. + Map-Versioning is a Data-Plane mechanism used to signal a peering xTR that a local EID-to-RLOC mapping has been updated, so that the peering xTR uses LISP Control-Plane signaling message to retrieve a fresh mapping. This can be used by an attacker to forge the map- versioning field of a LISP encapsulated header and force an excessive amount of signaling between xTRs that may overload them. - Locator-Status-Bits, echo-nonce and map-versioning SHOULD NOT be used + Locator-Status-Bits, echo-nonce and map-versioning MUST NOT be used over the public Internet and SHOULD only be used in trusted and closed deployments. In addition Locator-Status-Bits SHOULD be coupled with map-versioning to prevent race conditions where Locator- Status-Bits are interpreted as referring to different RLOCs than intended. LISP implementations and deployments which permit outer header fragments of IPv6 LISP encapsulated packets as a means of dealing with MTU issues should also use implementation techniques in ETRs to prevent this from being a DoS attack vector. Limits on the number of @@ -1620,24 +1653,33 @@ "Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, DOI 10.17487/RFC2474, December 1998, . [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827, May 2000, . + [RFC2983] Black, D., "Differentiated Services and Tunnels", + RFC 2983, DOI 10.17487/RFC2983, October 2000, + . + [RFC6040] Briscoe, B., "Tunnelling of Explicit Congestion Notification", RFC 6040, DOI 10.17487/RFC6040, November 2010, . + [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label + for Equal Cost Multipath Routing and Link Aggregation in + Tunnels", RFC 6438, DOI 10.17487/RFC6438, November 2011, + . + [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The Locator/ID Separation Protocol (LISP)", RFC 6830, DOI 10.17487/RFC6830, January 2013, . [RFC6831] Farinacci, D., Meyer, D., Zwiebel, J., and S. Venaas, "The Locator/ID Separation Protocol (LISP) for Multicast Environments", RFC 6831, DOI 10.17487/RFC6831, January 2013, . @@ -1706,20 +1748,24 @@ A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, . [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, DOI 10.17487/RFC4086, June 2005, . + [RFC4459] Savola, P., "MTU and Fragmentation Issues with In-the- + Network Tunneling", RFC 4459, DOI 10.17487/RFC4459, April + 2006, . + [RFC4984] Meyer, D., Ed., Zhang, L., Ed., and K. Fall, Ed., "Report from the IAB Workshop on Routing and Addressing", RFC 4984, DOI 10.17487/RFC4984, September 2007, . [RFC6832] Lewis, D., Meyer, D., Farinacci, D., and V. Fuller, "Interworking between Locator/ID Separation Protocol (LISP) and Non-LISP Sites", RFC 6832, DOI 10.17487/RFC6832, January 2013, . @@ -1743,50 +1789,33 @@ Separation Protocol (LISP) MIB", RFC 7052, DOI 10.17487/RFC7052, October 2013, . [RFC7215] Jakab, L., Cabellos-Aparicio, A., Coras, F., Domingo- Pascual, J., and D. Lewis, "Locator/Identifier Separation Protocol (LISP) Network Element Deployment Considerations", RFC 7215, DOI 10.17487/RFC7215, April 2014, . - [RFC7833] Howlett, J., Hartman, S., and A. Perez-Mendez, Ed., "A - RADIUS Attribute, Binding, Profiles, Name Identifier - Format, and Confirmation Methods for the Security - Assertion Markup Language (SAML)", RFC 7833, - DOI 10.17487/RFC7833, May 2016, - . - - [RFC7835] Saucez, D., Iannone, L., and O. Bonaventure, "Locator/ID - Separation Protocol (LISP) Threat Analysis", RFC 7835, - DOI 10.17487/RFC7835, April 2016, - . - [RFC8060] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical Address Format (LCAF)", RFC 8060, DOI 10.17487/RFC8060, February 2017, . [RFC8061] Farinacci, D. and B. Weis, "Locator/ID Separation Protocol (LISP) Data-Plane Confidentiality", RFC 8061, DOI 10.17487/RFC8061, February 2017, . [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, March 2017, . - [RFC8111] Fuller, V., Lewis, D., Ermagan, V., Jain, A., and A. - Smirnov, "Locator/ID Separation Protocol Delegated - Database Tree (LISP-DDT)", RFC 8111, DOI 10.17487/RFC8111, - May 2017, . - Appendix A. Acknowledgments An initial thank you goes to Dave Oran for planting the seeds for the initial ideas for LISP. His consultation continues to provide value to the LISP authors. A special and appreciative thank you goes to Noel Chiappa for providing architectural impetus over the past decades on separation of location and identity, as well as detailed reviews of the LISP architecture and documents, coupled with enthusiasm for making LISP a