< draft-ietf-mpls-ldp-ipv6-07.txt   draft-ietf-mpls-ldp-ipv6-08.txt >
MPLS Working Group Rajiv Asati MPLS Working Group Rajiv Asati
Internet Draft Cisco Internet Draft Cisco
Updates: 5036 (if approved) Updates: 5036 (if approved)
Intended status: Standards Track Vishwas Manral Intended status: Standards Track Vishwas Manral
Expires: December 8, 2012 Hewlett-Packard, Inc. Expires: August 25, 2013 Hewlett-Packard, Inc.
Rajiv Papneja Rajiv Papneja
Huawei Huawei
Carlos Pignataro Carlos Pignataro
Cisco Cisco
June 8, 2012 February 25, 2013
Updates to LDP for IPv6 Updates to LDP for IPv6
draft-ietf-mpls-ldp-ipv6-07 draft-ietf-mpls-ldp-ipv6-08
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress." reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 8, 2012. This Internet-Draft will expire on August 25, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License. warranty as described in the Simplified BSD License.
Abstract Abstract
The Label Distribution Protocol (LDP) specification defines The Label Distribution Protocol (LDP) specification defines
procedures to exchange label bindings over either IPv4, IPv6 or both procedures to exchange label bindings over either IPv4, or IPv6 or
networks. This document corrects and clarifies the LDP behavior when both networks. This document corrects and clarifies the LDP behavior
IPv6 network is used (with or without IPv4). This document updates when IPv6 network is used (with or without IPv4). This document
RFC 5036. updates RFC 5036.
Table of Contents Table of Contents
1. Introduction...................................................3 1. Introduction...................................................3
1.1. Scope.....................................................4 1.1. Scope.....................................................4
1.1.1. Topology Scenarios...................................4 1.1.1. Topology Scenarios...................................4
1.1.2. LDP TTL Security.....................................5 1.1.2. LDP TTL Security.....................................5
2. Specification Language.........................................5 2. Specification Language.........................................5
3. LSP Mapping....................................................6 3. LSP Mapping....................................................6
4. LDP Identifiers................................................6 4. LDP Identifiers................................................6
5. Peer Discovery.................................................7 5. Peer Discovery.................................................7
5.1. Basic Discovery Mechanism.................................7 5.1. Basic Discovery Mechanism.................................7
5.2. Extended Discovery Mechanism..............................8 5.2. Extended Discovery Mechanism..............................8
6. LDP Session Establishment and Maintenance......................8 6. LDP Session Establishment and Maintenance......................8
6.1. Transport connection establishment........................9 6.1. Transport connection establishment........................9
6.2. Maintaining Hello Adjacencies............................10 6.2. Maintaining Hello Adjacencies............................10
6.3. Maintaining LDP Sessions.................................11 6.3. Maintaining LDP Sessions.................................11
7. Label Distribution............................................11 7. Label Distribution............................................11
8. LDP Identifiers and Next Hop Addresses........................12 8. LDP Identifiers and Next Hop Addresses........................12
9. LDP TTL Security..............................................13 9. LDP TTL Security..............................................13
10. IANA Considerations..........................................14 10. IANA Considerations..........................................13
11. Security Considerations......................................14 11. Security Considerations......................................13
12. Acknowledgments..............................................14 12. Acknowledgments..............................................14
13. Additional Contributors......................................15 13. Additional Contributors......................................14
14. References...................................................16 14. References...................................................15
14.1. Normative References....................................16 14.1. Normative References....................................15
14.2. Informative References..................................16 14.2. Informative References..................................15
Author's Addresses...............................................17 Author's Addresses...............................................16
1. Introduction 1. Introduction
The LDP [RFC5036] specification defines procedures and messages for The LDP [RFC5036] specification defines procedures and messages for
exchanging FEC-label bindings over either IPv4 or IPv6 or both (e.g. exchanging FEC-label bindings over either IPv4 or IPv6 or both (e.g.
dual-stack) networks. dual-stack) networks.
However, RFC5036 specification has the following deficiencies in However, RFC5036 specification has the following deficiencies in
regards to IPv6 usage: regards to IPv6 usage:
skipping to change at page 3, line 40 skipping to change at page 3, line 40
existence of IPv4 and IPv6 FEC Elements in the same FEC TLV existence of IPv4 and IPv6 FEC Elements in the same FEC TLV
6) Next Hop Address & LDP Identifier: No rule for accommodating the 6) Next Hop Address & LDP Identifier: No rule for accommodating the
usage of duplicate link-local IPv6 addresses usage of duplicate link-local IPv6 addresses
7) LDP TTL Security: No rule for built-in Generalized TTL Security 7) LDP TTL Security: No rule for built-in Generalized TTL Security
Mechanism (GTSM) in LDP Mechanism (GTSM) in LDP
This document addresses the above deficiencies by specifying the This document addresses the above deficiencies by specifying the
desired behavior/rules/details for using LDP in IPv6 enabled desired behavior/rules/details for using LDP in IPv6 enabled
networks. It also clarifies the scope (section 1.1). networks (IPv6-only or Dual-stack networks).
Note that this document updates RFC5036. Note that this document updates RFC5036.
1.1. Scope 1.1. Scope
1.1.1. Topology Scenarios 1.1.1. Topology Scenarios
The following scenarios in which the LSRs may be inter-connected via The following scenarios in which the LSRs may be inter-connected via
one or more dual-stack interfaces (figure 1), or two or more single- one or more dual-stack interfaces (figure 1), or one or more single-
stack interfaces (figure 2 and figure 3) are addressed by this stack interfaces (figure 2 and figure 3) are addressed by this
document: document:
R1------------------R2 R1------------------R2
IPv4+IPv6 IPv4+IPv6
Figure 1 LSRs connected via a Dual-stack Interface Figure 1 LSRs connected via a Dual-stack Interface
IPv4 IPv4
R1=================R2 R1=================R2
skipping to change at page 4, line 32 skipping to change at page 4, line 32
Figure 2 LSRs connected via two single-stack Interfaces Figure 2 LSRs connected via two single-stack Interfaces
R1------------------R2---------------R3 R1------------------R2---------------R3
IPv4 IPv6 IPv4 IPv6
Figure 3 LSRs connected via a single-stack Interface Figure 3 LSRs connected via a single-stack Interface
Note that the topology scenario illustrated in figure 1 also covers Note that the topology scenario illustrated in figure 1 also covers
the case of a single-stack interface (IPv4, say) being converted to the case of a single-stack interface (IPv4, say) being converted to
a dual-stacked interface by enabling IPv6 as well as IPv6 LDP, even a dual-stacked interface by enabling IPv6 routing as well as IPv6
though the IPv4 LDP session may already be established between the LDP, even though the IPv4 LDP session may already be established
LSRs. between the LSRs.
Note that the topology scenario illustrated in figure 2 also covers Note that the topology scenario illustrated in figure 2 also covers
the case of two routers getting connected via an additional single- the case of two routers getting connected via an additional single-
stack interface (IPv6, say), even though the IPv4 LDP session may stack interface (IPv6 routing and IPv6 LDP), even though the IPv4
already be established between the LSRs over the existing interface. LDP session may already be established between the LSRs over the
existing interface(s).
1.1.2. LDP TTL Security 1.1.2. LDP TTL Security
LDP TTL Security mechanism specified by this document applies only LDP TTL Security mechanism specified by this document applies only
to single-hop LDP peering sessions, but not to multi-hop LDP peering to single-hop LDP peering sessions, but not to multi-hop LDP peering
sessions, in line with Section 5.5 of [RFC5082] that describes sessions, in line with Section 5.5 of [RFC5082] that describes
Generalized TTL Security Mechanism (GTSM). Generalized TTL Security Mechanism (GTSM).
As a consequence, any LDP feature that relies on multi-hop LDP As a consequence, any LDP feature that relies on multi-hop LDP
peering session would not work with GTSM and will warrant peering session would not work with GTSM and will warrant
skipping to change at page 6, line 29 skipping to change at page 6, line 29
This document proposes to modify this rule by also including a /128 This document proposes to modify this rule by also including a /128
address (for IPv6). In fact, it should be reasonable to just say address (for IPv6). In fact, it should be reasonable to just say
IPv4 or IPv6 address instead of /32 or /128 addresses as shown below IPv4 or IPv6 address instead of /32 or /128 addresses as shown below
in the updated rule: in the updated rule:
"If it is known that a packet must traverse a particular egress "If it is known that a packet must traverse a particular egress
router, and there is an LSP that has an Address Prefix FEC element router, and there is an LSP that has an Address Prefix FEC element
that is an IPv4 or IPv6 address of that router, then the packet is that is an IPv4 or IPv6 address of that router, then the packet is
mapped to that LSP." mapped to that LSP."
Additionally, it is desirable that a packet is forwarded to an LSP
of an egress router, only if LSP's address-family (e.g. LSPv4 or
LSPv6) matches with that of the LDP hello adjacency on the next-hop
interface.
4. LDP Identifiers 4. LDP Identifiers
Section 2.2.2 of [RFC5036] specifies formulating at least one LDP Section 2.2.2 of [RFC5036] specifies formulating at least one LDP
Identifier, however, it doesn't provide any consideration in case of Identifier, however, it doesn't provide any consideration in case of
IPv6 (with or without dual-stacking). Additionally, section 2.5.2 of IPv6 (with or without dual-stacking).
[RFC5036] implicitly prohibits using the same label space for both
IPv4 and IPv6 FEC-label bindings.
The first four octets of the LDP identifier, the 32-bit LSR Id (e.g. The first four octets of the LDP identifier, the 32-bit LSR Id (e.g.
(i.e. LDP Router Id), identify the LSR and is a globally unique (i.e. LDP Router Id), identify the LSR and is a globally unique
value within the MPLS network. This is regardless of the address value within the MPLS network. This is regardless of the address
family used for the LDP session. Hence, this document preserves the family used for the LDP session. Hence, this document preserves the
usage of 32-bit (unsigned non-zero integer) LSR Id on an IPv6 only usage of 32-bit (unsigned non-zero integer) LSR Id on an IPv6 only
LSR (note that BGP has also mandated using 32-bit BGP Router ID on LSR (note that BGP has also mandated using 32-bit BGP Router ID on
an IPv6 only Router [RFC6286]). an IPv6 only Router [RFC6286]).
Please note that 32-bit LSR Id value would not map to any IPv4- Please note that 32-bit LSR Id value would not map to any IPv4-
skipping to change at page 9, line 34 skipping to change at page 9, line 29
1. An LSR MUST NOT send a Hello containing both IPv4 and IPv6 1. An LSR MUST NOT send a Hello containing both IPv4 and IPv6
transport address optional objects. In other words, there MUST transport address optional objects. In other words, there MUST
be at most one optional Transport Address object in a Hello be at most one optional Transport Address object in a Hello
message. An LSR MUST include only the transport address whose message. An LSR MUST include only the transport address whose
address family is the same as that of the IP packet carrying address family is the same as that of the IP packet carrying
Hello. Hello.
2. An LSR SHOULD accept the Hello message that contains both IPv4 2. An LSR SHOULD accept the Hello message that contains both IPv4
and IPv6 transport address optional objects, but MUST use only and IPv6 transport address optional objects, but MUST use only
the transport address whose address family is the same as that the transport address whose address family is the same as that
of the IP packet carrying Hello. of the IP packet carrying Hello. An LSR SHOULD accept only the
first transport object for a given Address family in the
received Hello message, and ignore the rest, if the LSR
receives more than one transport object.
3. An LSR MUST send separate Hellos (each containing either IPv4 3. An LSR MUST send separate Hellos (each containing either IPv4
or IPv6 transport address optional object) for each IP address- or IPv6 transport address optional object) for each IP address
family, if LDP was enabled for both IP address-families. family, if LDP was enabled for both IP address-families.
4. An LSR MUST use a global unicast IPv6 address in IPv6 transport 4. An LSR MUST use a global unicast IPv6 address in IPv6 transport
address optional object of outgoing targeted hellos, and check address optional object of outgoing targeted hellos, and check
for the same in incoming targeted hellos (i.e. MUST discard the for the same in incoming targeted hellos (i.e. MUST discard the
hello, if it failed the check). hello, if it failed the check).
5. An LSR MUST prefer using global unicast IPv6 address for an LDP 5. An LSR MUST prefer using global unicast IPv6 address for an LDP
session with a remote LSR, if it had to choose between global session with a remote LSR, if it had to choose between global
unicast IPv6 address and link-local IPv6 address (pertaining to unicast IPv6 address and unique-local or link-local IPv6
the same LDP Identifier) for the transport connection. address (pertaining to the same LDP Identifier) for the
transport connection.
6. An LSR SHOULD NOT create (or honor the request for creating) a 6. An LSR SHOULD NOT create (or honor the request for creating) a
TCP connection for a new LDP session with a remote LSR, if they TCP connection for a new LDP session with a remote LSR, if they
already have an LDP session (for the same LDP Identifier) already have an LDP session (for the same LDP Identifier)
established over whatever IP version transport. established over whatever IP version transport.
This means that only one transport connection is established, This means that only one transport connection is established,
even if there are two Hello adjacencies (one for IPv4 and even if there are two Hello adjacencies (one for IPv4 and
another for IPv6). This is independent of whether the Hello another for IPv6). This is independent of whether the Hello
Adjacencies are created over a single interface (scenario 1 in Adjacencies are created over a single interface (scenario 1 in
section 1.1) or multiple interfaces (scenario 2 in section 1.1) section 1.1) or multiple interfaces (scenario 2 in section 1.1)
between two LSRs. between two LSRs.
7. An LSR SHOULD prefer the LDP/TCP connection over IPv6 for a new 7. An LSR SHOULD prefer the LDP/TCP connection over IPv6 for a new
LDP session with a remote LSR, if it has both IPv4 and IPv6 LDP session with a remote LSR, if it has both IPv4 and IPv6
hello adjacencies for the same LDP Identifier (over a dual- hello adjacencies for the same LDP Identifier (over a dual-
stack interface, or two or more single-stack IPv4 and IPv6 stack interface, or two or more single-stack IPv4 and IPv6
interfaces). This applies to the section 2.5.2 of RFC5036. interfaces). This applies to the section 2.5.2 of RFC5036.
Each LSR, assuming an active role for whichever address
family(s), should enforce this LDP/TCP connection over IPv6
preference for a time-period (default value is 15 seconds),
after which LDP/TCP connection over IPv4 should be attempted.
This enforcement is independent of whether the LSR is assuming
the active role for IPv4 This timer is started upon receiving
the first hello from the neighbor.
8. An LSR SHOULD prefer the LDP/TCP connection over IPv6 for a new 8. An LSR SHOULD prefer the LDP/TCP connection over IPv6 for a new
LDP session with a remote LSR, if they attempted two TCP LDP session with a remote LSR, if they attempted two TCP
connections using IPv4 and IPv6 transport addresses connections using IPv4 and IPv6 transport addresses
simultaneously. simultaneously.
An implementation may provide an option to favor one AFI (IPv4, say) An implementation may provide an option to favor one AFI (IPv4, say)
over another AFI (IPv6, say) for the TCP transport connection, so as over another AFI (IPv6, say) for the TCP transport connection, so as
to use the preferred IP version for the LDP session, and derive to use the favored IP version for the LDP session, and force
deterministic active/passive roles. deterministic active/passive roles.
6.2. Maintaining Hello Adjacencies 6.2. Maintaining Hello Adjacencies
As outlined in section 2.5.5 of RFC5036, this draft describes that As outlined in section 2.5.5 of RFC5036, this draft describes that
if an LSR has a dual-stack interface, which is enabled with both if an LSR has a dual-stack interface, which is enabled with both
IPv4 and IPv6 LDP, then the LSR must periodically send both IPv4 and IPv4 and IPv6 LDP, then the LSR must periodically send both IPv4 and
IPv6 LDP Link Hellos and must separately maintain the Hello IPv6 LDP Link Hellos and must separately maintain the Hello
adjacency for IPv4 and IPv6 on that interface. adjacency for IPv4 and IPv6 on that interface.
skipping to change at page 11, line 22 skipping to change at page 11, line 28
- a single-stack interface is converted to a dual-stack interface - a single-stack interface is converted to a dual-stack interface
(e.g. figure 1) on either LSR; (e.g. figure 1) on either LSR;
- an additional single-stack or dual-stack interface is added or - an additional single-stack or dual-stack interface is added or
removed between two LSRs (e.g. figure 2). removed between two LSRs (e.g. figure 2).
Needless to say that the procedures defined in section 6.1 should Needless to say that the procedures defined in section 6.1 should
result in preferring LDPoIPv6 session only after the loss of an result in preferring LDPoIPv6 session only after the loss of an
existing LDP session (because of link failure, node failure, reboot existing LDP session (because of link failure, node failure, reboot
etc.). etc.).
On the other hand, if a dual-stack interface is converted to a If the last hello adjacency for a given address family goes down
single-stack interface (by disabling IPv4 or IPv6 routing), then the (e.g. due to dual-stack interfaces being converted into a single-
LDP session should be torn down ONLY if the disabled IP version was stack interfaces on one LSR etc.), and that address family is the
the same as that of the transport connection. Otherwise, the LDP same as the one used in the transport connection, then the transport
session should stay intact. connection (LDP session) SHOULD be reset. Otherwise, the LDP session
should stay intact.
If the LDP session is torn down for whatever reason (LDP disabled If the LDP session is torn down for whatever reason (LDP disabled
for the corresponding transport, hello adjacency expiry etc.), then for the corresponding transport, hello adjacency expiry etc.), then
the LSRs should initiate establishing a new LDP session as per the the LSRs should initiate establishing a new LDP session as per the
procedures described in section 6.1 of this document along with procedures described in section 6.1 of this document along with
RFC5036. RFC5036.
7. Label Distribution 7. Label Distribution
An LSR SHOULD NOT advertise both IPv4 and IPv6 FEC-label bindings
(as well as interface addresses via ADDRESS message) from/to the
peer over an LDP session (using whatever transport), unless it has
valid IPv4 and IPv6 Hello Adjacencies for that peer, as specified in
section 6.2.
Another solution for getting the same result as above is by
negotiating the IP Capability for a given AFI, as specified in
[IPPWCap].
An LSR MUST NOT allocate and advertise FEC-Label bindings for link- An LSR MUST NOT allocate and advertise FEC-Label bindings for link-
local IPv6 address, and ignore such bindings, if ever received. An local IPv6 address, and ignore such bindings, if ever received. An
LSR MUST treat the IPv4-mapped IPv6 address, defined in section LSR MUST treat the IPv4-mapped IPv6 address, defined in section
2.5.5.2 of [RFC4291], the same as that of a global IPv6 address and 2.5.5.2 of [RFC4291], the same as that of a global IPv6 address and
not mix it with the 'corresponding' IPv4 address. not mix it with the 'corresponding' IPv4 address.
Additionally, to ensure backward compatibility (and interoperability Additionally, to ensure backward compatibility (and interoperability
with IPv4-only LDP implementations), this document specifies that - with IPv4-only LDP implementations) in light of section 3.4.1.1 of
RFC5036, as rationalized in the Appendix A.1, this document
specifies that -
1. An LSR MUST NOT send a label mapping message with a FEC TLV 1. An LSR MUST NOT send a label mapping message with a FEC TLV
containing FEC Elements of different address-family. In other containing FEC Elements of different address family. In other
words, a FEC TLV in the label mapping message MUST contain the words, a FEC TLV in the label mapping message MUST contain the
FEC Elements belonging to the same address-family. FEC Elements belonging to the same address family.
2. An LSR MUST NOT send an Address message (or Address Withdraw 2. An LSR MUST NOT send an Address message (or Address Withdraw
message) with an Address List TLV containing IP addresses of message) with an Address List TLV containing IP addresses of
different address-family. In other words, an Address List TLV different address family. In other words, an Address List TLV
in the Address (or Address Withdraw) message MUST contain the in the Address (or Address Withdraw) message MUST contain the
addresses belonging to the same address-family. addresses belonging to the same address family.
An LSR MAY constrain the advertisement of FEC-label bindings for a
particular address family by negotiating the IP Capability for a
given AFI, as specified in [IPPWCap] document.
8. LDP Identifiers and Next Hop Addresses 8. LDP Identifiers and Next Hop Addresses
RFC5036 section 2.7 specifies logic for mapping between a peer LDP RFC5036 section 2.7 specifies the logic for mapping the IP routing
Identifier and the peer's addresses to find the correct LIB entry next-hop (of a given FEC) to an LDP peer so as to find the correct
for any prefix by using a database populated by the Address message. label entry for that FEC. The logic involves using the IP routing
However, this logic is insufficient to deal with overlapping IPv6 next-hop address as an index into the (peer Address) database (which
(link-local) addresses used by two or more peers. One may note that is populated by the Address message containing mapping between each
all interior IP routing protocols specify using link-local IPv6 peer's local addresses and its LDP Identifier) to determine the LDP
addresses as the next-hops. peer.
This document specifies that the logic is enhanced with the usage of However, this logic is insufficient to deal with duplicate IPv6
(Hello Adjacency) database populated by the Hello messages. This (link-local) next-hop addresses used by two or more peers. The
additional database lookup is useful if/when two or more peers use reason is that all interior IPv6 routing protocols (can) use link-
the same link-local IPv6 address as the IP routing next-hops local IPv6 addresses as the IP routing next-hops, and 'IPv6
(causing duplicate next-hop entries). Addressing Architecture [RFC4291]' allows a link-local IPv6 address
to be used on more than one links.
Specifically, this document specifies that an LSR should (continue Hence, this logic is extended by this specification to involve not
to) use the machinery described in RFC5036 section 2.7 to map only the IP routing next-hop address, but also the IP routing next-
between a peer LDP Identifier and the peer's addresses (learned via hop interface to uniquely determine the LDP peer(s). The next-hop
ADDRESS message) for any prefix. However, if this mapping fails (for address-based LDP peer mapping is to be done through LDP peer
reasons such as the one described earlier), then an LSR can find the address database (populated by Address messages received from the
peer LDP Identifier by checking for the particular link-local IPv6 LDP peers), whereas next-hop interface-based LDP peer mapping is to
address and interface (corresponding to the next-hop in the unicast be done through LDP hello adjacency/interface database (populated by
routing table) in the hello adjacency database. hello messages from the LDP peers).
If an LSR can't find such a mapping in either database, then LSR This extension solves the problem of two or more peers using the
should follow procedures specified in RFC5036 (e.g. not resolve the same link-local IPv6 address (in other words, duplicate addresses)
label). as the IP routing next-hops.
Lastly, for better scale and optimization, an LSR may advertise only Lastly, for better scale and optimization, an LSR may advertise only
the link-local IPv6 addresses in the Address message, assuming that the link-local IPv6 addresses in the Address message, assuming that
the peer uses only the link-local IPv6 addresses as static and/or the peer uses only the link-local IPv6 addresses as static and/or
dynamic IP routing next-hops. dynamic IP routing next-hops.
9. LDP TTL Security 9. LDP TTL Security
This document also specifies that the LDP/TCP transport connection This document recommends enabling Generalized TTL Security Mechanism
over IPv6 (i.e. LDPoIPv6) must follow the Generalized TTL Security (GTSM) for LDP, as specified in [RFC6720], for the LDP/TCP transport
Mechanism (GTSM) procedures (Section 3 of [RFC5082]) for an LDP connection over IPv6 (i.e. LDPoIPv6).
session peering established between the adjacent LSRs using Basic
Discovery, by default.
In other words, GTSM is enabled by default for an IPv6 LDP peering
session using Basic Discovery. This means that the 'IP Hop Limit' in
IPv6 packet is set to 255 upon sending, and checked to be 255 upon
receipt. The IPv6 packet must be dropped failing such a check upon
receipt.
The reason GTSM is enabled for Basic Discovery by default, but not
for Extended Discovery is that the usage of Basic Discovery
typically results in a single-hop LDP peering session, whereas the
usage of Extended Discovery typically results in a multi-hop LDP
peering session. While the latter is deemed out of scope (section
1.2), in line with GTSM [RFC5082], it is worth clarifying the
following exceptions that may occur with Basic or Extended Discovery
usage:
a) Two adjacent LSRs (i.e. back-to-back PE routers) forming a
single-hop LDP peering session after doing an Extended Discovery
(for Pseudowire, say)
b) Two adjacent LSRs forming a multi-hop LDP peering session after
doing a Basic Discovery, due to the way IP routing changes
between them (temporarily (e.g. session protection) or
permanently)
c) Two adjacent LSRs (i.e. back-to-back PE routers) forming a
single-hop LDP peering session after doing both Basic and
Extended Discovery
In (a), GTSM is not enabled for the LDP peering session by default,
hence, it would not do any harm or good.
In (b), GTSM is enabled by default for the LDP peering session by
default and enforced, hence, it would prohibit the LDP peering
session from getting established.
In (c), GTSM is enabled by default for Basic Discovery and enforced
on the subsequent LDP peering. However, if each LSR uses the same
IPv6 transport address object value in both Basic and Extended
discoveries, then it would result in a single LDP peering session
and that would be enabled with GTSM. Otherwise, GTSM would not be
enforced on the 2nd LDP peering session corresponding to the
Extended Discovery.
This document allows for the implementation to provide an option to [RFC6720] allows for the implementation to statically
statically (configuration) and/or dynamically override the default (configuration) and/or dynamically override the default behavior
behavior (enable/disable GTSM) on a per-peer basis. This would also (enable/disable GTSM) on a per-peer basis. Suffice to say that such
address the exception (b) above. Suffice to say that such an option an option could be set on either LSR (since GTSM negotiation would
could be set on either LSR (since GTSM negotiation would ultimately ultimately disable GTSM between LSR and its peer(s)).
disable GTSM between LSR and its peer(s)).
The built-in GTSM inclusion is intended to automatically protect The GTSM inclusion is intended to automatically protect IPv6 LDP
IPv6 LDP peering session from off-link attacks. peering session from off-link attacks.
10. IANA Considerations 10. IANA Considerations
None. None.
11. Security Considerations 11. Security Considerations
The extensions defined in this document only clarify the behavior of The extensions defined in this document only clarify the behavior of
LDP, they do not define any new protocol procedures. Hence, this LDP, they do not define any new protocol procedures. Hence, this
document does not add any new security issues to LDP. document does not add any new security issues to LDP.
skipping to change at page 15, line 7 skipping to change at page 14, line 16
protection, hence, LDP can benefit from the additional security as protection, hence, LDP can benefit from the additional security as
specified in [RFC4835] as well as [RFC5920]. specified in [RFC4835] as well as [RFC5920].
12. Acknowledgments 12. Acknowledgments
We acknowledge the authors of [RFC5036], since the text in this We acknowledge the authors of [RFC5036], since the text in this
document is borrowed from [RFC5036]. document is borrowed from [RFC5036].
Thanks to Bob Thomas for providing critical feedback to improve this Thanks to Bob Thomas for providing critical feedback to improve this
document early on. Thanks to Eric Rosen, Lizhong Jin, Bin Mo, Mach document early on. Thanks to Eric Rosen, Lizhong Jin, Bin Mo, Mach
Chen, and Kishore Tiruveedhula for reviewing this document. The Chen, Shane Amante, Pranjal Dutta, Mustapha Aissaoui, Mark Tinka,
Tom Petch and Kishore Tiruveedhula for reviewing this document. The
authors also acknowledge the help of Manoj Dutta and Vividh Siddha. authors also acknowledge the help of Manoj Dutta and Vividh Siddha.
Also, thanks to Andre Pelletier (who brought up the issue about Also, thanks to Andre Pelletier (who brought up the issue about
active/passive determination, and helped us craft the appropriate active/passive determination, and helped us craft the appropriate
solutions. solutions).
This document was prepared using 2-Word-v2.0.template.dot. This document was prepared using 2-Word-v2.0.template.dot.
13. Additional Contributors 13. Additional Contributors
The following individuals contributed to this document: The following individuals contributed to this document:
Kamran Raza Kamran Raza
Cisco Systems, Inc. Cisco Systems, Inc.
2000 Innovation Drive 2000 Innovation Drive
skipping to change at page 17, line 5 skipping to change at page 16, line 5
[RFC5920] Fang, L., "Security Framework for MPLS and GMPLS [RFC5920] Fang, L., "Security Framework for MPLS and GMPLS
Networks", RFC 5920, July 2010. Networks", RFC 5920, July 2010.
[RFC4798] De Clercq, et al., "Connecting IPv6 Islands over IPv4 MPLS [RFC4798] De Clercq, et al., "Connecting IPv6 Islands over IPv4 MPLS
Using IPv6 Provider Edge Routers (6PE)", RFC 4798, Using IPv6 Provider Edge Routers (6PE)", RFC 4798,
February 2007. February 2007.
[IPPWCap] Raza, K., "LDP IP and PW Capability", draft-ietf-mpls-ldp- [IPPWCap] Raza, K., "LDP IP and PW Capability", draft-ietf-mpls-ldp-
ip-pw-capability, June 2011. ip-pw-capability, June 2011.
15. Appendix
15.1. A.1
It is naive to assume that RFC5036 compliant implementations have
supported IPv6 address family (IPv6 FEC processing, in particular)
in label advertisement all along. And if that assumption turned out
to be not true, then section 3.4.1.1 of RFC5036 would cause LSRs to
abort processing the entire label mapping message and generate an
error.
This would result in LDPv6 to be somewhat undeployable in existing
production networks.
The change proposed in section 7 of this document provides a good
safety net and makes LDPv6 incrementally deployable without making
any such assumption on the routers' support for IPv6 FEC processing
in current production networks.
Author's Addresses Author's Addresses
Vishwas Manral Vishwas Manral
Hewlet-Packard, Inc. Hewlet-Packard, Inc.
19111 Pruneridge Ave., Cupertino, CA, 95014 19111 Pruneridge Ave., Cupertino, CA, 95014
Phone: 408-447-1497 Phone: 408-447-1497
Email: vishwas.manral@hp.com Email: vishwas.manral@hp.com
Rajiv Papneja Rajiv Papneja
Huawei Technologies Huawei Technologies
 End of changes. 36 change blocks. 
135 lines changed or deleted 115 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/