| draft-ietf-lisp-gpe-09.txt | draft-ietf-lisp-gpe-10.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force F. Maino, Ed. | Internet Engineering Task Force F. Maino, Ed. | |||
| Internet-Draft Cisco | Internet-Draft Cisco | |||
| Intended status: Standards Track J. Lemon | Intended status: Standards Track J. Lemon | |||
| Expires: April 27, 2020 Broadcom | Expires: May 7, 2020 Broadcom | |||
| P. Agarwal | P. Agarwal | |||
| Innovium | Innovium | |||
| D. Lewis | D. Lewis | |||
| M. Smith | M. Smith | |||
| Cisco | Cisco | |||
| October 25, 2019 | November 4, 2019 | |||
| LISP Generic Protocol Extension | LISP Generic Protocol Extension | |||
| draft-ietf-lisp-gpe-09 | draft-ietf-lisp-gpe-10 | |||
| Abstract | Abstract | |||
| This document describes extentions to the Locator/ID Separation | This document describes extentions to the Locator/ID Separation | |||
| Protocol (LISP) Data-Plane, via changes to the LISP header, to | Protocol (LISP) Data-Plane, via changes to the LISP header, to | |||
| support multi-protocol encapsulation. | support multi-protocol encapsulation. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 27, 2020. | This Internet-Draft will expire on May 7, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 16 ¶ | skipping to change at page 2, line 16 ¶ | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Conventions . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. Conventions . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Definition of Terms . . . . . . . . . . . . . . . . . . . 3 | 1.2. Definition of Terms . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. LISP Header Without Protocol Extensions . . . . . . . . . . . 3 | 2. LISP Header Without Protocol Extensions . . . . . . . . . . . 3 | |||
| 3. Generic Protocol Extension for LISP (LISP-GPE) . . . . . . . 4 | 3. Generic Protocol Extension for LISP (LISP-GPE) . . . . . . . 4 | |||
| 4. Implementation and Deployment Considerations . . . . . . . . 7 | 4. Implementation and Deployment Considerations . . . . . . . . 6 | |||
| 4.1. Applicability Statement . . . . . . . . . . . . . . . . . 7 | 4.1. Applicability Statement . . . . . . . . . . . . . . . . . 6 | |||
| 4.2. Congestion Control Functionality . . . . . . . . . . . . 7 | 4.2. Congestion Control Functionality . . . . . . . . . . . . 7 | |||
| 4.3. UDP Checksum . . . . . . . . . . . . . . . . . . . . . . 8 | 4.3. UDP Checksum . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.3.1. UDP Zero Checksum Handling with IPv6 . . . . . . . . 8 | 4.3.1. UDP Zero Checksum Handling with IPv6 . . . . . . . . 8 | |||
| 4.4. Ethernet Encapsulated Payloads . . . . . . . . . . . . . 10 | 4.4. Ethernet Encapsulated Payloads . . . . . . . . . . . . . 9 | |||
| 5. Backward Compatibility . . . . . . . . . . . . . . . . . . . 10 | 5. Backward Compatibility . . . . . . . . . . . . . . . . . . . 10 | |||
| 5.1. Use of "Multiple Data-Planes" LCAF to Determine ETR | 5.1. Use of "Multiple Data-Planes" LCAF to Determine ETR | |||
| Capabilities . . . . . . . . . . . . . . . . . . . . . . 10 | Capabilities . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6.1. LISP-GPE Next Protocol Registry . . . . . . . . . . . . . 11 | 6.1. LISP-GPE Next Protocol Registry . . . . . . . . . . . . . 10 | |||
| 6.2. Multiple Data-Planes Encapsulation Bitmap Registry . . . 11 | 6.2. Multiple Data-Planes Encapsulation Bitmap Registry . . . 11 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
| 8. Acknowledgements and Contributors . . . . . . . . . . . . . . 13 | 8. Acknowledgements and Contributors . . . . . . . . . . . . . . 13 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 14 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 13 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 14 | 9.2. Informative References . . . . . . . . . . . . . . . . . 14 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 1. Introduction | 1. Introduction | |||
| The LISP Data-Plane is defined in [I-D.ietf-lisp-rfc6830bis]. It | The LISP Data-Plane is defined in [I-D.ietf-lisp-rfc6830bis]. It | |||
| specifies an encapsulation format that carries IPv4 or IPv6 packets | specifies an encapsulation format that carries IPv4 or IPv6 packets | |||
| (henceforth jointly referred to as IP) in a LISP header and outer | (henceforth jointly referred to as IP) in a LISP header and outer | |||
| UDP/IP transport. | UDP/IP transport. | |||
| The LISP Data-Plane header does not specify the protocol being | The LISP Data-Plane header does not specify the protocol being | |||
| encapsulated and therefore is currently limited to encapsulating only | encapsulated and therefore is currently limited to encapsulating only | |||
| skipping to change at page 3, line 9 ¶ | skipping to change at page 3, line 9 ¶ | |||
| format to LISP), are used to encapsulate Layer-2 (L2) protocols such | format to LISP), are used to encapsulate Layer-2 (L2) protocols such | |||
| as Ethernet. | as Ethernet. | |||
| This document defines an extension for the LISP header, as defined in | This document defines an extension for the LISP header, as defined in | |||
| [I-D.ietf-lisp-rfc6830bis], to indicate the inner protocol, enabling | [I-D.ietf-lisp-rfc6830bis], to indicate the inner protocol, enabling | |||
| the encapsulation of Ethernet, IP or any other desired protocol all | the encapsulation of Ethernet, IP or any other desired protocol all | |||
| the while ensuring compatibility with existing LISP deployments. | the while ensuring compatibility with existing LISP deployments. | |||
| A flag in the LISP header, called the P-bit, is used to signal the | A flag in the LISP header, called the P-bit, is used to signal the | |||
| presence of the 8-bit Next Protocol field. The Next Protocol field, | presence of the 8-bit Next Protocol field. The Next Protocol field, | |||
| when present, uses 8 bits of the field allocated to the echo-noncing | when present, uses 8 bits of the field that was allocated to the | |||
| and map-versioning features. The two features are still available, | echo-noncing and map-versioning features in | |||
| albeit with a reduced length of Nonce and Map-Version. | [I-D.ietf-lisp-rfc6830bis]. | |||
| Since all of the reserved bits of the LISP Data-Plane header have | Since all of the reserved bits of the LISP Data-Plane header have | |||
| been allocated, LISP-GPE can also be used to extend the LISP Data- | been allocated, LISP-GPE can also be used to extend the LISP Data- | |||
| Plane header by defining Next Protocol "shim" headers that implements | Plane header by defining Next Protocol "shim" headers that implements | |||
| new data plane functions not supported in the LISP header. For | new data plane functions not supported in the LISP header. For | |||
| example, the use of the Group-Based Policy (GBP) header | example, the use of the Group-Based Policy (GBP) header | |||
| [I-D.lemon-vxlan-lisp-gpe-gbp] or of the In-situ Operations, | [I-D.lemon-vxlan-lisp-gpe-gbp] or of the In-situ Operations, | |||
| Administration, and Maintenance (IOAM) header | Administration, and Maintenance (IOAM) header | |||
| [I-D.brockners-ippm-ioam-vxlan-gpe] with LISP-GPE, can be considered | [I-D.brockners-ippm-ioam-vxlan-gpe] with LISP-GPE, can be considered | |||
| an extension to add support in the Data-Plane for Group-Based Policy | an extension to add support in the Data-Plane for Group-Based Policy | |||
| functionalities or IOAM metadata. | functionalities or IOAM metadata. | |||
| Nonce, Map-Versioning and Locator Status Bit fields are not part of | ||||
| the LISP-GPE header. Shim headers can be used to specify features | ||||
| such as echo-noncing, map-versioning or reachability by defining | ||||
| fields of the same size, or larger, of those specified in | ||||
| [I-D.ietf-lisp-rfc6830bis]. | ||||
| 1.1. Conventions | 1.1. Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 1.2. Definition of Terms | 1.2. Definition of Terms | |||
| skipping to change at page 4, line 25 ¶ | skipping to change at page 4, line 27 ¶ | |||
| 3. Generic Protocol Extension for LISP (LISP-GPE) | 3. Generic Protocol Extension for LISP (LISP-GPE) | |||
| This document defines two changes to the LISP header in order to | This document defines two changes to the LISP header in order to | |||
| support multi-protocol encapsulation: the introduction of the P-bit | support multi-protocol encapsulation: the introduction of the P-bit | |||
| and the definition of a Next Protocol field. This is shown in | and the definition of a Next Protocol field. This is shown in | |||
| Figure 2 and described below. | Figure 2 and described below. | |||
| 0 1 2 3 | 0 1 2 3 | |||
| 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| |N|L|E|V|I|P|K|K| Nonce/Map-Version | Next Protocol | | | Res. |I|P|K|K| Nonce/Map-Version | Next Protocol | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Instance ID/Locator-Status-Bits | | | Instance ID | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 2: LISP-GPE Header | Figure 2: LISP-GPE Header | |||
| Bits 0-3: Bits 0-3 of the LISP-GPE header are Reserved. They MUST | ||||
| be set to zero on transmission and ignored on receipt. | ||||
| Features that were implemented with bits 0-3 in | ||||
| [I-D.ietf-lisp-rfc6830bis], such as echo-noncing, map-versioning | ||||
| and reachability, can be implemented by defining the appropriate | ||||
| shim headers. | ||||
| Instance ID When the I-Bit is set to 1 the high-order 24 bits of the | ||||
| Instance ID field are used as an Instance ID, as specified in | ||||
| [I-D.ietf-lisp-rfc6830bis]. The low-order 8 bits are set to zero, | ||||
| as the Locator-Status-Bits feature is not supported in LISP-GPE. | ||||
| P-Bit: Flag bit 5 is defined as the Next Protocol bit. | P-Bit: Flag bit 5 is defined as the Next Protocol bit. | |||
| If the P-bit is clear (0) the LISP header is bit-by-bit equivalent | If the P-bit is clear (0) the LISP header is bit-by-bit equivalent | |||
| to the definition in [I-D.ietf-lisp-rfc6830bis]. | to the definition in [I-D.ietf-lisp-rfc6830bis] with bits N, L, E | |||
| and V set to 0. | ||||
| The P-bit is set to 1 to indicate the presence of the 8 bit Next | The P-bit is set to 1 to indicate the presence of the 8 bit Next | |||
| Protocol field. The combinations of bits that are allowed when | Protocol field. The combinations of bits that are allowed when | |||
| the P-bit is set are the same allowed by | the P-bit is set are the same allowed by | |||
| [I-D.ietf-lisp-rfc6830bis]. | [I-D.ietf-lisp-rfc6830bis] when bits N, L, E and V are set to 0. | |||
| Nonce/Map-Version: In [I-D.ietf-lisp-6834bis], LISP uses the lower | ||||
| 24 bits of the first word for a nonce, an echo-nonce, or to | ||||
| support map- versioning. These are all optional capabilities that | ||||
| are indicated in the LISP header by setting the N, E, and V bits | ||||
| respectively. | ||||
| When the P-bit and the N-bit are set to 1, the Nonce field is the | ||||
| middle 16 bits (i.e., encoded in 16 bits, not 24 bits). Note that | ||||
| the E-bit only has meaning when the N-bit is set. | ||||
| When the P-bit and the V-bit are set to 1, the Version fields use | ||||
| the middle 16 bits: the Source Map-Version uses the high-order 8 | ||||
| bits, and the Dest Map-Version uses the low-order 8 bits. | ||||
| When the P-bit is set to 1 and the N-bit and the V-bit are both 0, | ||||
| the middle 16-bits MUST be set to 0 on transmission and ignored on | ||||
| receipt. | ||||
| The encoding of the Nonce field in LISP-GPE, compared with the one | ||||
| used in [I-D.ietf-lisp-rfc6830bis] for the LISP data plane | ||||
| encapsulation, reduces the length of the nonce from 24 to 16 bits. | ||||
| As per [I-D.ietf-lisp-rfc6830bis], Ingress Tunnel Routers (ITRs) | ||||
| are required to generate different nonces when sending to | ||||
| different Routing Locators (RLOCs), but the same nonce can be used | ||||
| for a period of time when encapsulating to the same Egress Tunnel | ||||
| Router (ETR). The use of 16 bits nonces still allows an ITR to | ||||
| determine to and from reachability for up to 64k RLOCs at the same | ||||
| time, but reduces the overall robustness of the nonce mechanism to | ||||
| off-path attackers. Please refer to Section Section 7 for | ||||
| security considerations that apply to the use of the Nonce field. | ||||
| Similarly, the encoding of the Source and Dest Map-Version fields, | ||||
| compared with [I-D.ietf-lisp-rfc6830bis], is reduced from 12 to 8 | ||||
| bits. This allows to associate only 256 different versions to | ||||
| each Endpoint Identifier to Routing Locator (EID-to-RLOC) mapping | ||||
| to inform commmunicating ITRs and ETRs about modifications of the | ||||
| mapping, reducing the Map-versioning wrap-around time. Please | ||||
| refer to Section Section 7 for security considerations that apply | ||||
| to the use of the Map-Versioning field. | ||||
| Next Protocol: The lower 8 bits of the first 32-bit word are used to | Next Protocol: The lower 8 bits of the first 32-bit word are used to | |||
| carry a Next Protocol. This Next Protocol field contains the | carry a Next Protocol. This Next Protocol field contains the | |||
| protocol of the encapsulated payload packet. | protocol of the encapsulated payload packet. | |||
| This document defines the following Next Protocol values: | This document defines the following Next Protocol values: | |||
| 0x01 : IPv4 | 0x01 : IPv4 | |||
| 0x02 : IPv6 | 0x02 : IPv6 | |||
| skipping to change at page 12, line 46 ¶ | skipping to change at page 12, line 43 ¶ | |||
| "Multiple Data-Planes Encapsulation Bitmap" registry assigning a | "Multiple Data-Planes Encapsulation Bitmap" registry assigning a | |||
| value to bit 24 for the LISP-GPE encapsulation, assigning bits 25-31 | value to bit 24 for the LISP-GPE encapsulation, assigning bits 25-31 | |||
| values that are conformant with RFC8060. This will allow future | values that are conformant with RFC8060. This will allow future | |||
| allocation of values 0-23. | allocation of values 0-23. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| LISP-GPE security considerations are similar to the LISP security | LISP-GPE security considerations are similar to the LISP security | |||
| considerations and mitigation techniques documented in [RFC7835]. | considerations and mitigation techniques documented in [RFC7835]. | |||
| The Echo Nonce Algorithm described in [I-D.ietf-lisp-rfc6830bis] | ||||
| relies on the nonce to detect reachability from ITR to ETR. In LISP- | ||||
| GPE the use of a 16-bit nonce, compared with the 24-bit nonce used in | ||||
| LISP, increases the probability of an off-path attacker to correctly | ||||
| guess the nonce and force the ITR to believe that a non-reachable | ||||
| RLOC is reachable. However, the use of common anti-spoofing | ||||
| mechanisms such as uRPF partially mitigates this form of attack. | ||||
| The considerations made in [I-D.ietf-lisp-rfc6830bis] that Echo | ||||
| Nonce, Map-Versioning, and Locator-Status-Bits SHOULD NOT be used | ||||
| over the public Internet and SHOULD only be used in trusted and | ||||
| closed deployments apply to LISP-GPE as well. These considerations | ||||
| are even more important for LISP-GPE, considering the reduced size of | ||||
| the Nonce/Map-versioning field. | ||||
| LISP-GPE, as many encapsulations that use optional extensions, is | LISP-GPE, as many encapsulations that use optional extensions, is | |||
| subject to on-path adversaries that by manipulating the g-Bit and the | subject to on-path adversaries that by manipulating the g-Bit and the | |||
| packet itself can remove part of the payload. Typical integrity | packet itself can remove part of the payload. Typical integrity | |||
| protection mechanisms (such as IPsec) SHOULD be used in combination | protection mechanisms (such as IPsec) SHOULD be used in combination | |||
| with LISP-GPE by those protocol extensions that want to protect from | with LISP-GPE by those protocol extensions that want to protect from | |||
| on-path attackers. | on-path attackers. | |||
| With LISP-GPE, issues such as data-plane spoofing, flooding, and | With LISP-GPE, issues such as data-plane spoofing, flooding, and | |||
| traffic redirection may depend on the particular protocol payload | traffic redirection may depend on the particular protocol payload | |||
| encapsulated. | encapsulated. | |||
| skipping to change at page 14, line 9 ¶ | skipping to change at page 13, line 37 ¶ | |||
| o Larry Kreeger | o Larry Kreeger | |||
| o John Lemon, Broadcom | o John Lemon, Broadcom | |||
| o Puneet Agarwal, Innovium | o Puneet Agarwal, Innovium | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [I-D.ietf-lisp-6834bis] | ||||
| Iannone, L., Saucez, D., and O. Bonaventure, "Locator/ID | ||||
| Separation Protocol (LISP) Map-Versioning", draft-ietf- | ||||
| lisp-6834bis-04 (work in progress), August 2019. | ||||
| [I-D.ietf-lisp-rfc6830bis] | [I-D.ietf-lisp-rfc6830bis] | |||
| Farinacci, D., Fuller, V., Meyer, D., Lewis, D., and A. | Farinacci, D., Fuller, V., Meyer, D., Lewis, D., and A. | |||
| Cabellos-Aparicio, "The Locator/ID Separation Protocol | Cabellos-Aparicio, "The Locator/ID Separation Protocol | |||
| (LISP)", draft-ietf-lisp-rfc6830bis-27 (work in progress), | (LISP)", draft-ietf-lisp-rfc6830bis-27 (work in progress), | |||
| June 2019. | June 2019. | |||
| [IEEE.802.1Q_2014] | [IEEE.802.1Q_2014] | |||
| IEEE, "IEEE Standard for Local and metropolitan area | IEEE, "IEEE Standard for Local and metropolitan area | |||
| networks--Bridges and Bridged Networks", IEEE 802.1Q-2014, | networks--Bridges and Bridged Networks", IEEE 802.1Q-2014, | |||
| DOI 10.1109/ieeestd.2014.6991462, December 2014, | DOI 10.1109/ieeestd.2014.6991462, December 2014, | |||
| End of changes. 19 change blocks. | ||||
| 80 lines changed or deleted | 40 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||