idnits 2.17.1 draft-ietf-hip-multihoming-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 12, 2015) is 3389 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-14) exists of draft-ietf-hip-rfc5206-bis-07 ** Obsolete normative reference: RFC 3484 (Obsoleted by RFC 6724) == Outdated reference: A later version (-20) exists of draft-ietf-hip-rfc4423-bis-09 == Outdated reference: A later version (-08) exists of draft-ietf-hip-rfc5204-bis-05 Summary: 1 error (**), 0 flaws (~~), 5 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group T. Henderson, Ed. 3 Internet-Draft University of Washington 4 Intended status: Standards Track C. Vogt 5 Expires: July 16, 2015 J. Arkko 6 Ericsson Research NomadicLab 7 January 12, 2015 9 Host Multihoming with the Host Identity Protocol 10 draft-ietf-hip-multihoming-05 12 Abstract 14 This document defines host multihoming extensions to the Host 15 Identity Protocol (HIP), by leveraging protocol components defined 16 for host mobility. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on July 16, 2015. 35 Copyright Notice 37 Copyright (c) 2015 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 This document may contain material from IETF Documents or IETF 51 Contributions published or made publicly available before November 52 10, 2008. The person(s) controlling the copyright in some of this 53 material may not have granted the IETF Trust the right to allow 54 modifications of such material outside the IETF Standards Process. 55 Without obtaining an adequate license from the person(s) controlling 56 the copyright in such materials, this document may not be modified 57 outside the IETF Standards Process, and derivative works of it may 58 not be created outside the IETF Standards Process, except to format 59 it for publication as an RFC or to translate it into languages other 60 than English. 62 Table of Contents 64 1. Introduction and Scope . . . . . . . . . . . . . . . . . . . 2 65 2. Terminology and Conventions . . . . . . . . . . . . . . . . . 4 66 3. Protocol Model . . . . . . . . . . . . . . . . . . . . . . . 4 67 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4 68 4.1. Host Multihoming . . . . . . . . . . . . . . . . . . . . 5 69 4.2. Site Multihoming . . . . . . . . . . . . . . . . . . . . 7 70 4.3. Dual host multihoming . . . . . . . . . . . . . . . . . . 7 71 4.4. Combined Mobility and Multihoming . . . . . . . . . . . . 8 72 4.5. Initiating the Protocol in R1 or I2 . . . . . . . . . . . 8 73 4.6. Using LOCATOR_SETs across Addressing Realms . . . . . . . 10 74 5. Other Considerations . . . . . . . . . . . . . . . . . . . . 10 75 5.1. Address Verification . . . . . . . . . . . . . . . . . . 10 76 5.2. Preferred Locator . . . . . . . . . . . . . . . . . . . . 10 77 5.3. Interaction with Security Associations . . . . . . . . . 10 78 6. Processing Rules . . . . . . . . . . . . . . . . . . . . . . 13 79 6.1. Sending LOCATOR_SETs . . . . . . . . . . . . . . . . . . 13 80 6.2. Handling Received LOCATOR_SETs . . . . . . . . . . . . . 14 81 6.3. Verifying Address Reachability . . . . . . . . . . . . . 16 82 6.4. Changing the Preferred Locator . . . . . . . . . . . . . 17 83 7. Security Considerations . . . . . . . . . . . . . . . . . . . 17 84 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 85 9. Authors and Acknowledgments . . . . . . . . . . . . . . . . . 18 86 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 87 10.1. Normative references . . . . . . . . . . . . . . . . . . 18 88 10.2. Informative references . . . . . . . . . . . . . . . . . 18 89 Appendix A. Document Revision History . . . . . . . . . . . . . 20 91 1. Introduction and Scope 93 The Host Identity Protocol [I-D.ietf-hip-rfc4423-bis] (HIP) supports 94 an architecture that decouples the transport layer (TCP, UDP, etc.) 95 from the internetworking layer (IPv4 and IPv6) by using public/ 96 private key pairs, instead of IP addresses, as host identities. When 97 a host uses HIP, the overlying protocol sublayers (e.g., transport 98 layer sockets and Encapsulating Security Payload (ESP) Security 99 Associations (SAs)) are instead bound to representations of these 100 host identities, and the IP addresses are only used for packet 101 forwarding. However, each host must also know at least one IP 102 address at which its peers are reachable. Initially, these IP 103 addresses are the ones used during the HIP base exchange 104 [I-D.ietf-hip-rfc5201-bis]. 106 One consequence of such a decoupling is that new solutions to 107 network-layer mobility and host multihoming are possible. Basic host 108 mobility is defined in [I-D.ietf-hip-rfc5206-bis] and covers the case 109 in which a host has a single address and changes its network point- 110 of-attachment while desiring to preserve the HIP-enabled security 111 association. Host multihoming is somewhat of a dual case to host 112 mobility, in that a host may simultaneously have more than one 113 network point-of-attachment. There are potentially many variations 114 of host multihoming possible. The scope of this document encompasses 115 messaging and elements of procedure for some basic host multihoming 116 scenarios of interest. 118 Another variation of multihoming that has been heavily studied is 119 site multihoming. Solutions for site multihoming in IPv6 networks 120 have been specified by the IETF shim6 working group. The shim6 121 protocol [RFC5533] bears many architectural similarities to HIP but 122 there are differences in the security model and in the protocol. 124 While HIP can potentially be used with transports other than the ESP 125 transport format [I-D.ietf-hip-rfc5202-bis], this document largely 126 assumes the use of ESP and leaves other transport formats for further 127 study. 129 There are a number of situations where the simple end-to-end 130 readdressing functionality defined herein is not sufficient. These 131 include the initial reachability of a multihomed host, location 132 privacy, simultaneous mobility of both hosts, and some modes of NAT 133 traversal. In these situations, there is a need for some helper 134 functionality in the network, such as a HIP rendezvous server 135 [I-D.ietf-hip-rfc5204-bis]. Such functionality is out of the scope 136 of this document. Finally, making underlying IP multihoming 137 transparent to the transport layer has implications on the proper 138 response of transport congestion control, path MTU selection, and 139 Quality of Service (QoS). Transport-layer mobility triggers, and the 140 proper transport response to a HIP multihoming address change, are 141 outside the scope of this document. 143 2. Terminology and Conventions 145 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 146 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 147 document are to be interpreted as described in RFC 2119 [RFC2119]. 149 The following terms used in this document are defined in 150 [I-D.ietf-hip-rfc5206-bis]: LOCATOR_SET, Locator, Address, Preferred 151 locator, and Credit Based Authorization. 153 3. Protocol Model 155 The protocol model for HIP support of host multihoming extends the 156 model for host mobility described in Section 3 of 157 [I-D.ietf-hip-rfc5206-bis]. This section only highlights the 158 differences. 160 In host multihoming, a host has multiple locators simultaneously 161 rather than sequentially, as in the case of mobility. By using the 162 LOCATOR_SET parameter defined in [I-D.ietf-hip-rfc5206-bis], a host 163 can inform its peers of additional (multiple) locators at which it 164 can be reached. When multiple locators are available and announced 165 to the peer, a host can designate a particular locator as a 166 "preferred" locator, meaning that the host prefers that its peer send 167 packets to the designated address before trying an alternative 168 address. Although this document defines a basic mechanism for 169 multihoming, it does not define all possible policies and procedures, 170 such as which locators to choose when more than one pair is 171 available, the operation of simultaneous mobility and multihoming, 172 source address selection policies (beyond those specified in 173 [RFC3484]), and the implications of multihoming on transport 174 protocols and ESP anti-replay windows. 176 4. Protocol Overview 178 In this section, we briefly introduce a number of usage scenarios for 179 HIP multihoming. These scenarios assume that HIP is being used with 180 the ESP transform [I-D.ietf-hip-rfc5202-bis], although other 181 scenarios may be defined in the future. To understand these usage 182 scenarios, the reader should be at least minimally familiar with the 183 HIP protocol specification [I-D.ietf-hip-rfc5201-bis]. However, for 184 the (relatively) uninitiated reader, it is most important to keep in 185 mind that in HIP the actual payload traffic is protected with ESP, 186 and that the ESP SPI acts as an index to the right host-to-host 187 context. 189 The scenarios below assume that the two hosts have completed a single 190 HIP base exchange with each other. Both of the hosts therefore have 191 one incoming and one outgoing SA. Further, each SA uses the same 192 pair of IP addresses, which are the ones used in the base exchange. 194 The readdressing protocol is an asymmetric protocol where a mobile or 195 multihomed host informs a peer host about changes of IP addresses on 196 affected SPIs. The readdressing exchange is designed to be 197 piggybacked on existing HIP exchanges. The majority of the packets 198 on which the LOCATOR_SET parameters are expected to be carried are 199 UPDATE packets. However, some implementations may want to experiment 200 with sending LOCATOR_SET parameters also on other packets, such as 201 R1, I2, and NOTIFY. 203 The scenarios below at times describe addresses as being in either an 204 ACTIVE, VERIFIED, or DEPRECATED state. From the perspective of a 205 host, newly-learned addresses of the peer must be verified before put 206 into active service, and addresses removed by the peer are put into a 207 deprecated state. Under limited conditions described in 208 [I-D.ietf-hip-rfc5206-bis], an UNVERIFIED address may be used. 210 Hosts that use link-local addresses as source addresses in their HIP 211 handshakes may not be reachable by a mobile peer. Such hosts SHOULD 212 provide a globally routable address either in the initial handshake 213 or via the LOCATOR_SET parameter. 215 4.1. Host Multihoming 217 A (mobile or stationary) host may sometimes have more than one 218 interface or global address. The host may notify the peer host of 219 the additional interface or address by using the LOCATOR_SET 220 parameter. To avoid problems with the ESP anti-replay window, a host 221 SHOULD use a different SA for each interface or address used to 222 receive packets from the peer host when multiple locator pairs are 223 being used simultaneously rather than sequentially. 225 When more than one locator is provided to the peer host, the host 226 SHOULD indicate which locator is preferred (the locator on which the 227 host prefers to receive traffic). By default, the addresses used in 228 the base exchange are preferred until indicated otherwise. 230 In the multihoming case, the sender may also have multiple valid 231 locators from which to source traffic. In practice, a HIP 232 association in a multihoming configuration may have both a preferred 233 peer locator and a preferred local locator, although rules for source 234 address selection should ultimately govern the selection of the 235 source locator based on the destination locator. 237 Although the protocol may allow for configurations in which there is 238 an asymmetric number of SAs between the hosts (e.g., one host has two 239 interfaces and two inbound SAs, while the peer has one interface and 240 one inbound SA), it is RECOMMENDED that inbound and outbound SAs be 241 created pairwise between hosts. When an ESP_INFO arrives to rekey a 242 particular outbound SA, the corresponding inbound SA should be also 243 rekeyed at that time. Although asymmetric SA configurations might be 244 experimented with, their usage may constrain interoperability at this 245 time. However, it is recommended that implementations attempt to 246 support peers that prefer to use non-paired SAs. 248 Consider the case between two hosts, one single-homed and one 249 multihomed. The multihomed host may decide to inform the single- 250 homed host about its other address. It is RECOMMENDED that the 251 multihomed host set up a new SA pair for use on this new address. To 252 do this, the multihomed host sends a LOCATOR_SET with an ESP_INFO, 253 indicating the request for a new SA by setting the OLD SPI value to 254 zero, and the NEW SPI value to the newly created incoming SPI. A 255 Locator Type of "1" is used to associate the new address with the new 256 SPI. The LOCATOR_SET parameter also contains a second Type "1" 257 locator, that of the original address and SPI. To simplify parameter 258 processing and avoid explicit protocol extensions to remove locators, 259 each LOCATOR_SET parameter MUST list all locators in use on a 260 connection (a complete listing of inbound locators and SPIs for the 261 host). The multihomed host waits for an ESP_INFO (new outbound SA) 262 from the peer and an ACK of its own UPDATE. As in the mobility case, 263 the peer host must perform an address verification before actively 264 using the new address. Figure 1 illustrates this scenario. 266 Multi-homed Host Peer Host 268 UPDATE(ESP_INFO, LOCATOR_SET, SEQ, [DIFFIE_HELLMAN]) 269 -----------------------------------> 270 UPDATE(ESP_INFO, SEQ, ACK, [DIFFIE_HELLMAN,] ECHO_REQUEST) 271 <----------------------------------- 272 UPDATE(ACK, ECHO_RESPONSE) 273 -----------------------------------> 275 Figure 1: Basic Multihoming Scenario 277 In multihoming scenarios, it is important that hosts receiving 278 UPDATEs associate them correctly with the destination address used in 279 the packet carrying the UPDATE. When processing inbound LOCATOR_SETs 280 that establish new security associations on an interface with 281 multiple addresses, a host uses the destination address of the UPDATE 282 containing the LOCATOR_SET as the local address to which the 283 LOCATOR_SET plus ESP_INFO is targeted. This is because hosts may 284 send UPDATEs with the same (locator) IP address to different peer 285 addresses -- this has the effect of creating multiple inbound SAs 286 implicitly affiliated with different peer source addresses. 288 4.2. Site Multihoming 290 A host may have an interface that has multiple globally routable IP 291 addresses. Such a situation may be a result of the site having 292 multiple upper Internet Service Providers, or just because the site 293 provides all hosts with both IPv4 and IPv6 addresses. The host 294 should stay reachable at all or any subset of the currently available 295 global routable addresses, independent of how they are provided. 297 This case is handled the same as if there were different IP 298 addresses, described above in Section 4.1. Note that a single 299 interface may experience site multihoming while the host itself may 300 have multiple interfaces. 302 Note that a host may be multihomed and mobile simultaneously, and 303 that a multihomed host may want to protect the location of some of 304 its interfaces while revealing the real IP address of some others. 306 This document does not presently additional site multihoming 307 extensions to HIP; such extensions are for further study. 309 4.3. Dual host multihoming 311 Consider the case in which both hosts would like to add an additional 312 address after the base exchange completes. In Figure 2, consider 313 that host1, which used address addr1a in the base exchange to set up 314 SPI1a and SPI2a, wants to add address addr1b. It would send an 315 UPDATE with LOCATOR_SET (containing the address addr1b) to host2, 316 using destination address addr2a, and a new set of SPIs would be 317 added between hosts 1 and 2 (call them SPI1b and SPI2b -- not shown 318 in the figure). Next, consider host2 deciding to add addr2b to the 319 relationship. Host2 must select one of host1's addresses towards 320 which to initiate an UPDATE. It may choose to initiate an UPDATE to 321 addr1a, addr1b, or both. If it chooses to send to both, then a full 322 mesh (four SA pairs) of SAs would exist between the two hosts. This 323 is the most general case; it often may be the case that hosts 324 primarily establish new SAs only with the peer's Preferred locator. 325 The readdressing protocol is flexible enough to accommodate this 326 choice. 328 -<- SPI1a -- -- SPI2a ->- 329 host1 < > addr1a <---> addr2a < > host2 330 ->- SPI2a -- -- SPI1a -<- 332 addr1b <---> addr2a (second SA pair) 333 addr1a <---> addr2b (third SA pair) 334 addr1b <---> addr2b (fourth SA pair) 336 Figure 2: Dual Multihoming Case in Which Each Host Uses LOCATOR_SET 337 to Add a Second Address 339 4.4. Combined Mobility and Multihoming 341 It looks likely that in the future, many mobile hosts will be 342 simultaneously mobile and multihomed, i.e., have multiple mobile 343 interfaces. Furthermore, if the interfaces use different access 344 technologies, it is fairly likely that one of the interfaces may 345 appear stable (retain its current IP address) while some other(s) may 346 experience mobility (undergo IP address change). 348 The use of LOCATOR_SET plus ESP_INFO should be flexible enough to 349 handle most such scenarios, although more complicated scenarios have 350 not been studied so far. 352 4.5. Initiating the Protocol in R1 or I2 354 A Responder host MAY include a LOCATOR_SET parameter in the R1 packet 355 that it sends to the Initiator. This parameter MUST be protected by 356 the R1 signature. If the R1 packet contains LOCATOR_SET parameters 357 with a new Preferred locator, the Initiator SHOULD directly set the 358 new Preferred locator to status ACTIVE without performing address 359 verification first, and MUST send the I2 packet to the new Preferred 360 locator. The I1 destination address and the new Preferred locator 361 may be identical. All new non-preferred locators must still undergo 362 address verification once the base exchange completes. 364 Initiator Responder 366 R1 with LOCATOR_SET 367 <----------------------------------- 368 record additional addresses 369 change responder address 370 I2 sent to newly indicated preferred address 371 -----------------------------------> 372 (process normally) 373 R2 374 <----------------------------------- 375 (process normally, later verification of non-preferred locators) 377 Figure 3: LOCATOR_SET Inclusion in R1 379 An Initiator MAY include one or more LOCATOR_SET parameters in the I2 380 packet, independent of whether or not there was a LOCATOR_SET 381 parameter in the R1. These parameters MUST be protected by the I2 382 signature. Even if the I2 packet contains LOCATOR_SET parameters, 383 the Responder MUST still send the R2 packet to the source address of 384 the I2. The new Preferred locator SHOULD be identical to the I2 385 source address. If the I2 packet contains LOCATOR_SET parameters, 386 all new locators must undergo address verification as usual, and the 387 ESP traffic that subsequently follows should use the Preferred 388 locator. 390 Initiator Responder 392 I2 with LOCATOR_SET 393 -----------------------------------> 394 (process normally) 395 record additional addresses 396 R2 sent to source address of I2 397 <----------------------------------- 398 (process normally) 400 Figure 4: LOCATOR_SET Inclusion in I2 402 The I1 and I2 may be arriving from different source addresses if the 403 LOCATOR_SET parameter is present in R1. In this case, 404 implementations simultaneously using multiple pre-created R1s, 405 indexed by Initiator IP addresses, may inadvertently fail the puzzle 406 solution of I2 packets due to a perceived puzzle mismatch. See, for 407 instance, the example in Appendix A of [I-D.ietf-hip-rfc5201-bis]. 408 As a solution, the Responder's puzzle indexing mechanism must be 409 flexible enough to accommodate the situation when R1 includes a 410 LOCATOR_SET parameter. 412 4.6. Using LOCATOR_SETs across Addressing Realms 414 It is possible for HIP associations to migrate to a state in which 415 both parties are only using locators in different addressing realms. 416 For example, the two hosts may initiate the HIP association when both 417 are using IPv6 locators, then one host may loose its IPv6 418 connectivity and obtain an IPv4 address. In such a case, some type 419 of mechanism for interworking between the different realms must be 420 employed; such techniques are outside the scope of the present text. 421 The basic problem in this example is that the host readdressing to 422 IPv4 does not know a corresponding IPv4 address of the peer. This 423 may be handled (experimentally) by possibly configuring this address 424 information manually or in the DNS, or the hosts exchange both IPv4 425 and IPv6 addresses in the locator. 427 5. Other Considerations 429 5.1. Address Verification 431 An address verification method is specified in 432 [I-D.ietf-hip-rfc5206-bis]. It is expected that addresses learned in 433 multihoming scenarios also are subject to the same verification 434 rules. 436 5.2. Preferred Locator 438 When a host has multiple locators, the peer host must decide which to 439 use for outbound packets. It may be that a host would prefer to 440 receive data on a particular inbound interface. HIP allows a 441 particular locator to be designated as a Preferred locator and 442 communicated to the peer. 444 In general, when multiple locators are used for a session, there is 445 the question of using multiple locators for failover only or for 446 load-balancing. Due to the implications of load-balancing on the 447 transport layer that still need to be worked out, this document 448 assumes that multiple locators are used primarily for failover. An 449 implementation may use ICMP interactions, reachability checks, or 450 other means to detect the failure of a locator. 452 5.3. Interaction with Security Associations 454 This document uses the HIP LOCATOR_SET protocol parameter, specified 455 in [I-D.ietf-hip-rfc5206-bis]), that allows the hosts to exchange 456 information about their locator(s) and any changes in their 457 locator(s). The logical structure created with LOCATOR_SET 458 parameters has three levels: hosts, Security Associations (SAs) 459 indexed by Security Parameter Indices (SPIs), and addresses. 461 The relation between these levels for an association constructed as 462 defined in the base specification [I-D.ietf-hip-rfc5201-bis] and ESP 463 transform [I-D.ietf-hip-rfc5202-bis] is illustrated in Figure 5. 465 -<- SPI1a -- -- SPI2a ->- 466 host1 < > addr1a <---> addr2a < > host2 467 ->- SPI2a -- -- SPI1a -<- 469 Figure 5: Relation between Hosts, SPIs, and Addresses (Base 470 Specification) 472 In Figure 5, host1 and host2 negotiate two unidirectional SAs, and 473 each host selects the SPI value for its inbound SA. The addresses 474 addr1a and addr2a are the source addresses that the hosts use in the 475 base HIP exchange. These are the "preferred" (and only) addresses 476 conveyed to the peer for use on each SA. That is, although packets 477 sent to any of the hosts' interfaces may be accepted on the inbound 478 SA, the peer host in general knows of only the single destination 479 address learned in the base exchange (e.g., for host1, it sends a 480 packet on SPI2a to addr2a to reach host2), unless other mechanisms 481 exist to learn of new addresses. 483 In general, the bindings that exist in an implementation 484 corresponding to this document can be depicted as shown in Figure 6. 485 In this figure, a host can have multiple inbound SPIs (and, not 486 shown, multiple outbound SPIs) associated with another host. 487 Furthermore, each SPI may have multiple addresses associated with it. 488 These addresses that are bound to an SPI are not used to lookup the 489 incoming SA. Rather, the addresses are those that are provided to 490 the peer host, as hints for which addresses to use to reach the host 491 on that SPI. The LOCATOR_SET parameter is used to change the set of 492 addresses that a peer associates with a particular SPI. 494 address11 495 / 496 SPI1 - address12 497 / 498 / address21 499 host -- SPI2 < 500 \ address22 501 \ 502 SPI3 - address31 503 \ 504 address32 506 Figure 6: Relation between Hosts, SPIs, and Addresses (General Case) 507 A host may establish any number of security associations (or SPIs) 508 with a peer. The main purpose of having multiple SPIs with a peer is 509 to group the addresses into collections that are likely to experience 510 fate sharing. For example, if the host needs to change its addresses 511 on SPI2, it is likely that both address21 and address22 will 512 simultaneously become obsolete. In a typical case, such SPIs may 513 correspond with physical interfaces; see below. Note, however, that 514 especially in the case of site multihoming, one of the addresses may 515 become unreachable while the other one still works. In the typical 516 case, however, this does not require the host to inform its peers 517 about the situation, since even the non-working address still 518 logically exists. 520 A basic property of HIP SAs is that the inbound IP address is not 521 used to lookup the incoming SA. Therefore, in Figure 6, it may seem 522 unnecessary for address31, for example, to be associated only with 523 SPI3 -- in practice, a packet may arrive to SPI1 via destination 524 address address31 as well. However, the use of different source and 525 destination addresses typically leads to different paths, with 526 different latencies in the network, and if packets were to arrive via 527 an arbitrary destination IP address (or path) for a given SPI, the 528 reordering due to different latencies may cause some packets to fall 529 outside of the ESP anti-replay window. For this reason, HIP provides 530 a mechanism to affiliate destination addresses with inbound SPIs, 531 when there is a concern that anti-replay windows might be violated. 532 In this sense, we can say that a given inbound SPI has an "affinity" 533 for certain inbound IP addresses, and this affinity is communicated 534 to the peer host. Each physical interface SHOULD have a separate SA, 535 unless the ESP anti-replay window is loose. 537 Moreover, even when the destination addresses used for a particular 538 SPI are held constant, the use of different source interfaces may 539 also cause packets to fall outside of the ESP anti-replay window, 540 since the path traversed is often affected by the source address or 541 interface used. A host has no way to influence the source interface 542 on which a peer sends its packets on a given SPI. A host SHOULD 543 consistently use the same source interface and address when sending 544 to a particular destination IP address and SPI. For this reason, a 545 host may find it useful to change its SPI or at least reset its ESP 546 anti-replay window when the peer host readdresses. 548 An address may appear on more than one SPI. This creates no 549 ambiguity since the receiver will ignore the IP addresses during SA 550 lookup anyway. However, this document does not specify such cases. 552 When the LOCATOR_SET parameter is sent in an UPDATE packet, then the 553 receiver will respond with an UPDATE acknowledgment. When the 554 LOCATOR_SET parameter is sent in an R1 or I2 packet, the base 555 exchange retransmission mechanism will confirm its successful 556 delivery. LOCATOR_SETs may experimentally be used in NOTIFY packets; 557 in this case, the recipient MUST consider the LOCATOR_SET as 558 informational and not immediately change the current preferred 559 address, but can test the additional locators when the need arises. 560 The use of the LOCATOR_SET in a NOTIFY message may not be compatible 561 with middleboxes. 563 6. Processing Rules 565 Basic processing rules for the LOCATOR_SET parameter are specified in 566 [I-D.ietf-hip-rfc5206-bis]. This document focuses on multihoming- 567 specific rules. 569 6.1. Sending LOCATOR_SETs 571 The decision of when to send a LOCATOR_SET, and which addresses to 572 include, is a local policy issue. [I-D.ietf-hip-rfc5206-bis] 573 recommends that a host send a LOCATOR_SET whenever it recognizes a 574 change of its IP addresses in use on an active HIP association, and 575 assumes that the change is going to last at least for a few seconds. 576 It is possible to delay the exposure of additional locators to the 577 peer, and to send data from previously unannounced locators, as might 578 arise in certain mobility or multihoming situations. 580 When a host decides to inform its peers about changes in its IP 581 addresses, it has to decide how to group the various addresses with 582 SPIs. The grouping should consider also whether middlebox 583 interaction requires sending the same LOCATOR_SET in separate UPDATEs 584 on different paths. Since each SPI is associated with a different 585 Security Association, the grouping policy may also be based on ESP 586 anti-replay protection considerations. In the typical case, simply 587 basing the grouping on actual kernel level physical and logical 588 interfaces may be the best policy. Grouping policy is outside of the 589 scope of this document. 591 Locators corresponding to tunnel interfaces (e.g. IPsec tunnel 592 interfaces or Mobile IP home addresses) or other virtual interfaces 593 MAY be announced in a LOCATOR_SET, but implementations SHOULD avoid 594 announcing such locators as preferred locators if more direct paths 595 may be obtained by instead preferring locators from non-tunneling 596 interfaces if such locators provide a more direct path to the HIP 597 peer. 599 Hosts MUST NOT announce broadcast or multicast addresses in 600 LOCATOR_SETs. Link-local addresses MAY be announced to peers that 601 are known to be neighbors on the same link, such as when the IP 602 destination address of a peer is also link-local. The announcement 603 of link-local addresses in this case is a policy decision; link-local 604 addresses used as Preferred locators will create reachability 605 problems when the host moves to another link. In any case, link- 606 local addresses MUST NOT be announced to a peer unless that peer is 607 known to be on the same link. 609 Once the host has decided on the groups and assignment of addresses 610 to the SPIs, it creates a LOCATOR_SET parameter that serves as a 611 complete representation of the addresses and affiliated SPIs intended 612 for active use. We now describe a few cases introduced in Section 4. 613 We assume that the Traffic Type for each locator is set to "0" (other 614 values for Traffic Type may be specified in documents that separate 615 the HIP control plane from data plane traffic). Other mobility and 616 multihoming cases are possible but are left for further 617 experimentation. 619 1. Host multihoming (addition of an address). We only describe the 620 simple case of adding an additional address to a (previously) 621 single-homed, non-mobile host. The host SHOULD set up a new SA 622 pair between this new address and the preferred address of the 623 peer host. To do this, the multihomed host creates a new inbound 624 SA and creates a new SPI. For the outgoing UPDATE message, it 625 inserts an ESP_INFO parameter with an OLD SPI field of "0", a NEW 626 SPI field corresponding to the new SPI, and a KEYMAT Index as 627 selected by local policy. The host adds to the UPDATE message a 628 LOCATOR_SET with two Type "1" Locators: the original address and 629 SPI active on the association, and the new address and new SPI 630 being added (with the SPI matching the NEW SPI contained in the 631 ESP_INFO). The Preferred bit SHOULD be set depending on the 632 policy to tell the peer host which of the two locators is 633 preferred. The UPDATE also contains a SEQ parameter and 634 optionally a DIFFIE_HELLMAN parameter, and follows rekeying 635 procedures with respect to this new address. The UPDATE message 636 SHOULD be sent to the peer's Preferred address with a source 637 address corresponding to the new locator. 639 The sending of multiple LOCATOR_SETs, locators with Locator Type "0", 640 and multiple ESP_INFO parameters is for further study. Note that the 641 inclusion of LOCATOR_SET in an R1 packet requires the use of Type "0" 642 locators since no SAs are set up at that point. 644 6.2. Handling Received LOCATOR_SETs 646 A host SHOULD be prepared to receive a LOCATOR_SET parameter in the 647 following HIP packets: R1, I2, UPDATE, and NOTIFY. 649 This document describes sending both ESP_INFO and LOCATOR_SET 650 parameters in an UPDATE. The ESP_INFO parameter is included when 651 there is a need to rekey or key a new SPI, and is otherwise included 652 for the possible benefit of HIP-aware middleboxes. The LOCATOR_SET 653 parameter contains a complete map of the locators that the host 654 wishes to make or keep active for the HIP association. 656 In general, the processing of a LOCATOR_SET depends upon the packet 657 type in which it is included. Here, we describe only the case in 658 which ESP_INFO is present and a single LOCATOR_SET and ESP_INFO are 659 sent in an UPDATE message; other cases are for further study. The 660 steps below cover each of the cases described in Section 6.1. 662 The processing of ESP_INFO and LOCATOR_SET parameters is intended to 663 be modular and support future generalization to the inclusion of 664 multiple ESP_INFO and/or multiple LOCATOR_SET parameters. A host 665 SHOULD first process the ESP_INFO before the LOCATOR_SET, since the 666 ESP_INFO may contain a new SPI value mapped to an existing SPI, while 667 a Type "1" locator will only contain a reference to the new SPI. 669 When a host receives a validated HIP UPDATE with a LOCATOR_SET and 670 ESP_INFO parameter, it processes the ESP_INFO as follows. The 671 ESP_INFO parameter indicates whether an SA is being rekeyed, created, 672 deprecated, or just identified for the benefit of middleboxes. The 673 host examines the OLD SPI and NEW SPI values in the ESP_INFO 674 parameter: 676 1. (no rekeying) If the OLD SPI is equal to the NEW SPI and both 677 correspond to an existing SPI, the ESP_INFO is gratuitous 678 (provided for middleboxes) and no rekeying is necessary. 680 2. (rekeying) If the OLD SPI indicates an existing SPI and the NEW 681 SPI is a different non-zero value, the existing SA is being 682 rekeyed and the host follows HIP ESP rekeying procedures by 683 creating a new outbound SA with an SPI corresponding to the NEW 684 SPI, with no addresses bound to this SPI. Note that locators in 685 the LOCATOR_SET parameter will reference this new SPI instead of 686 the old SPI. 688 3. (new SA) If the OLD SPI value is zero and the NEW SPI is a new 689 non-zero value, then a new SA is being requested by the peer. 690 This case is also treated like a rekeying event; the receiving 691 host must create a new SA and respond with an UPDATE ACK. 693 4. (deprecating the SA) If the OLD SPI indicates an existing SPI and 694 the NEW SPI is zero, the SA is being deprecated and all locators 695 uniquely bound to the SPI are put into the DEPRECATED state. 697 If none of the above cases apply, a protocol error has occurred and 698 the processing of the UPDATE is stopped. 700 Next, the locators in the LOCATOR_SET parameter are processed. For 701 each locator listed in the LOCATOR_SET parameter, check that the 702 address therein is a legal unicast or anycast address. That is, the 703 address MUST NOT be a broadcast or multicast address. Note that some 704 implementations MAY accept addresses that indicate the local host, 705 since it may be allowed that the host runs HIP with itself. 707 The below assumes that all locators are of Type "1" with a Traffic 708 Type of "0"; other cases are for further study. 710 For each Type "1" address listed in the LOCATOR_SET parameter, the 711 host checks whether the address is already bound to the SPI 712 indicated. If the address is already bound, its lifetime is updated. 713 If the status of the address is DEPRECATED, the status is changed to 714 UNVERIFIED. If the address is not already bound, the address is 715 added, and its status is set to UNVERIFIED. Mark all addresses 716 corresponding to the SPI that were NOT listed in the LOCATOR_SET 717 parameter as DEPRECATED. 719 As a result, at the end of processing, the addresses listed in the 720 LOCATOR_SET parameter have either a state of UNVERIFIED or ACTIVE, 721 and any old addresses on the old SA not listed in the LOCATOR_SET 722 parameter have a state of DEPRECATED. 724 Once the host has processed the locators, if the LOCATOR_SET 725 parameter contains a new Preferred locator, the host SHOULD initiate 726 a change of the Preferred locator. This requires that the host first 727 verifies reachability of the associated address, and only then 728 changes the Preferred locator; see Section 6.4. 730 If a host receives a locator with an unsupported Locator Type, and 731 when such a locator is also declared to be the Preferred locator for 732 the peer, the host SHOULD send a NOTIFY error with a Notify Message 733 Type of LOCATOR_TYPE_UNSUPPORTED, with the Notification Data field 734 containing the locator(s) that the receiver failed to process. 735 Otherwise, a host MAY send a NOTIFY error if a (non-preferred) 736 locator with an unsupported Locator Type is received in a LOCATOR_SET 737 parameter. 739 6.3. Verifying Address Reachability 741 Address verification is defined in [I-D.ietf-hip-rfc5206-bis]. 743 When address verification is in progress for a new Preferred locator, 744 the host SHOULD select a different locator listed as ACTIVE, if one 745 such locator is available, to continue communications until address 746 verification completes. Alternatively, the host MAY use the new 747 Preferred locator while in UNVERIFIED status to the extent Credit- 748 Based Authorization permits. Credit-Based Authorization is explained 749 in [I-D.ietf-hip-rfc5206-bis]. Once address verification succeeds, 750 the status of the new Preferred locator changes to ACTIVE. 752 6.4. Changing the Preferred Locator 754 A host MAY want to change the Preferred outgoing locator for 755 different reasons, e.g., because traffic information or ICMP error 756 messages indicate that the currently used preferred address may have 757 become unreachable. Another reason may be due to receiving a 758 LOCATOR_SET parameter that has the "P" bit set. 760 To change the Preferred locator, the host initiates the following 761 procedure: 763 1. If the new Preferred locator has ACTIVE status, the Preferred 764 locator is changed and the procedure succeeds. 766 2. If the new Preferred locator has UNVERIFIED status, the host 767 starts to verify its reachability. The host SHOULD use a 768 different locator listed as ACTIVE until address verification 769 completes if one such locator is available. Alternatively, the 770 host MAY use the new Preferred locator, even though in UNVERIFIED 771 status, to the extent Credit-Based Authorization permits. Once 772 address verification succeeds, the status of the new Preferred 773 locator changes to ACTIVE and its use is no longer governed by 774 Credit-Based Authorization. 776 3. If the peer host has not indicated a preference for any address, 777 then the host picks one of the peer's ACTIVE addresses randomly 778 or according to policy. This case may arise if, for example, 779 ICMP error messages that deprecate the Preferred locator arrive, 780 but the peer has not yet indicated a new Preferred locator. 782 4. If the new Preferred locator has DEPRECATED status and there is 783 at least one non-deprecated address, the host selects one of the 784 non-deprecated addresses as a new Preferred locator and 785 continues. If the selected address is UNVERIFIED, the address 786 verification procedure described above will apply. 788 7. Security Considerations 790 Security considerations are addressed in [I-D.ietf-hip-rfc5206-bis]. 792 8. IANA Considerations 794 This document has no new IANA considerations. 796 9. Authors and Acknowledgments 798 This document contains content that was originally included in 799 RFC5206. Pekka Nikander and Jari Arkko originated RFC5206, and 800 Christian Vogt and Thomas Henderson (editor) later joined as co- 801 authors. Also in RFC5206, Greg Perkins contributed the initial draft 802 of the security section, and Petri Jokela was a co-author of the 803 initial individual submission. 805 The authors thank Miika Komu, Mika Kousa, Jeff Ahrenholz, and Jan 806 Melen for many improvements to the document. 808 10. References 810 10.1. Normative references 812 [I-D.ietf-hip-rfc5201-bis] 813 Moskowitz, R., Heer, T., Jokela, P., and T. Henderson, 814 "Host Identity Protocol Version 2 (HIPv2)", draft-ietf- 815 hip-rfc5201-bis-20 (work in progress), October 2014. 817 [I-D.ietf-hip-rfc5202-bis] 818 Jokela, P., Moskowitz, R., and J. Melen, "Using the 819 Encapsulating Security Payload (ESP) Transport Format with 820 the Host Identity Protocol (HIP)", draft-ietf-hip- 821 rfc5202-bis-07 (work in progress), September 2014. 823 [I-D.ietf-hip-rfc5206-bis] 824 Henderson, T., Vogt, C., and J. Arkko, "Host Mobility with 825 the Host Identity Protocol", draft-ietf-hip-rfc5206-bis-07 826 (work in progress), December 2014. 828 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 829 Requirement Levels", BCP 14, RFC 2119, March 1997. 831 [RFC3484] Draves, R., "Default Address Selection for Internet 832 Protocol version 6 (IPv6)", RFC 3484, February 2003. 834 10.2. Informative references 836 [I-D.ietf-hip-rfc4423-bis] 837 Moskowitz, R. and M. Komu, "Host Identity Protocol 838 Architecture", draft-ietf-hip-rfc4423-bis-09 (work in 839 progress), October 2014. 841 [I-D.ietf-hip-rfc5204-bis] 842 Laganier, J. and L. Eggert, "Host Identity Protocol (HIP) 843 Rendezvous Extension", draft-ietf-hip-rfc5204-bis-05 (work 844 in progress), December 2014. 846 [RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming 847 Shim Protocol for IPv6", RFC 5533, June 2009. 849 Appendix A. Document Revision History 851 To be removed upon publication 853 +----------+--------------------------------------------------------+ 854 | Revision | Comments | 855 +----------+--------------------------------------------------------+ 856 | draft-00 | Initial version with multihoming text imported from | 857 | | RFC5206. | 858 | | | 859 | draft-01 | Document refresh; no other changes. | 860 | | | 861 | draft-02 | Document refresh; no other changes. | 862 | | | 863 | draft-03 | Document refresh; no other changes. | 864 | | | 865 | draft-04 | Document refresh; no other changes. | 866 | | | 867 | draft-05 | Move remaining multihoming material from RFC5206-bis | 868 | | to this document | 869 | | | 870 | | Update lingering references to LOCATOR parameter to | 871 | | LOCATOR_SET | 872 +----------+--------------------------------------------------------+ 874 Authors' Addresses 876 Thomas R. Henderson (editor) 877 University of Washington 878 Campus Box 352500 879 Seattle, WA 880 USA 882 EMail: tomhend@u.washington.edu 884 Christian Vogt 885 Ericsson Research NomadicLab 886 Hirsalantie 11 887 JORVAS FIN-02420 888 FINLAND 890 EMail: christian.vogt@ericsson.com 891 Jari Arkko 892 Ericsson Research NomadicLab 893 JORVAS FIN-02420 894 FINLAND 896 Phone: +358 40 5079256 897 EMail: jari.arkko@ericsson.com