idnits 2.17.1 draft-ermagan-lisp-nat-traversal-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 24 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. == There are 11 instances of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. ** The document seems to lack a both a reference to RFC 2119 and the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. RFC 2119 keyword, line 274: '... nonce SHOULD be generated by a p...' RFC 2119 keyword, line 344: '... an xTR-ID, it MUST set the I bit to...' RFC 2119 keyword, line 353: '...ister with the I bit set, it MUST copy...' RFC 2119 keyword, line 376: '...). A Map-Server MUST set the I bit in...' RFC 2119 keyword, line 416: '... this specification MUST support HMAC-SHA-1-96 [RFC2404] and SHOULD...' Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 26, 2012) is 4414 days in the past. Is this intentional? Checking references for intended status: Experimental ---------------------------------------------------------------------------- == Missing Reference: 'RFC2404' is mentioned on line 416, but not defined == Missing Reference: 'RFC6234' is mentioned on line 417, but not defined == Unused Reference: 'RFC1918' is defined on line 965, but no explicit reference was found in the text == Unused Reference: 'RFC4632' is defined on line 969, but no explicit reference was found in the text == Outdated reference: A later version (-10) exists of draft-farinacci-lisp-lcaf-06 == Outdated reference: A later version (-24) exists of draft-ietf-lisp-14 Summary: 1 error (**), 0 flaws (~~), 9 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group V. Ermagan 3 Internet-Draft D. Farinacci 4 Intended status: Experimental D. Lewis 5 Expires: September 27, 2012 J. Skriver 6 F. Maino 7 Cisco Systems, Inc. 8 C. White 9 Logicalelegance, Inc. 10 March 26, 2012 12 NAT traversal for LISP 13 draft-ermagan-lisp-nat-traversal-01.txt 15 Abstract 17 This document describes a mechanism for IPv4 NAT traversal for LISP 18 tunnel routers (xTR) and LISP Mobile Nodes (LISP-MN) behind a NAT 19 device. A LISP device both detects the NAT and initializes its 20 state. Forwarding to the LISP device through a NAT is enabled by a 21 new network element, the LISP Re-encapsulating Tunnel Router (RTR), 22 which acts as an anchor point in the data plane, forwarding traffic 23 from unmodified LISP devices through the NAT. 25 Status of this Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on September 27, 2012. 42 Copyright Notice 44 Copyright (c) 2012 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 2. Definition of Terms . . . . . . . . . . . . . . . . . . . . . 4 61 3. Basic Overview . . . . . . . . . . . . . . . . . . . . . . . . 6 62 4. LISP RTR Message Details . . . . . . . . . . . . . . . . . . . 7 63 4.1. Info-Request Message . . . . . . . . . . . . . . . . . . . 7 64 4.2. LISP Info-Reply . . . . . . . . . . . . . . . . . . . . . 8 65 4.3. LISP Map-Register Message . . . . . . . . . . . . . . . . 9 66 4.4. LISP Map-Notify . . . . . . . . . . . . . . . . . . . . . 10 67 4.5. LISP Data-Map-Notify Message . . . . . . . . . . . . . . . 11 68 5. Protocol Operations . . . . . . . . . . . . . . . . . . . . . 13 69 5.1. xTR Processing . . . . . . . . . . . . . . . . . . . . . . 13 70 5.1.1. ETR Registration . . . . . . . . . . . . . . . . . . . 13 71 5.1.2. Map-Request and Map-Reply Handling . . . . . . . . . . 15 72 5.1.3. xTR Sending and Receiving Data . . . . . . . . . . . 16 73 5.2. Map-Server Processing . . . . . . . . . . . . . . . . . . 16 74 5.3. RTR Processing . . . . . . . . . . . . . . . . . . . . . . 17 75 5.3.1. RTR Data Forwarding . . . . . . . . . . . . . . . . . 18 76 5.4. Example . . . . . . . . . . . . . . . . . . . . . . . . . 19 77 6. Security Considerations . . . . . . . . . . . . . . . . . . . 23 78 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 24 79 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 80 9. Normative References . . . . . . . . . . . . . . . . . . . . . 26 81 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27 83 1. Introduction 85 The Locator/ID Separation Protocol [LISP] defines a set of functions 86 for encapsulating routers to exchange information used to map from 87 Endpoint Identifiers (EIDs) to routable Routing Locators (RLOCs). 88 The assumption that the LISP Tunnel Routers are reachable at their 89 RLOC breaks when a LISP device is behind a NAT. LISP relies on the 90 xTR being able to receive traffic at its RLOC on destination port 91 4341. However nodes behind a NAT are only reachable through the 92 NAT's public address and in most cases only after the appropriate 93 mapping state is set up in the NAT. A NAT traversal mechanism is 94 needed to make the LISP device behind a NAT reachable. 96 This document introduces a NAT traversal mechanism for LISP. Two new 97 LISP control messages - LISP Info-Request and LISP Info-Reply - are 98 introduced in order to detect whether a LISP device is behind a NAT, 99 and discover the global IP address and global ephemeral port used by 100 the NAT to forward LISP packets sent by the LISP device. A new LISP 101 component, the LISP Re-encapsulating Tunnel Router (RTR), acts as a 102 re-encapsulating LISP tunnel router [LISP] to pass traffic through 103 the NAT, to and from the LISP device. A modification to how the LISP 104 Map-Register messages are sent allows LISP device to initialize NAT 105 state to use the RTR services. This mechanism addresses the scenario 106 where the LISP device is behind the NAT, but the associated Map- 107 Server is on the public side of the NAT. 109 2. Definition of Terms 111 LISP Info-Request: A LISP control packet sent by a LISP device to 112 its Map-Server. 114 LISP Info-Reply: A LISP control packet sent by a Map Server to a 115 LISP device in response to an Info-Request. 117 LISP Re-encapsulating Tunnel Router (RTR): An RTR is a re- 118 encapsulating LISP Router (see section 8 of the main LISP 119 specification) [LISP]. An RTR provides a LISP device the ability 120 to traverse NATs. 122 LISP Data-Map-Notify: A LISP Map-Notify message encapsulated in a 123 LISP data header. 125 LISP xTR-ID A 128 bit field that can be appended at the end of a 126 Map-Register or Map-Notify message. An xTR-ID is used as a unique 127 identifier of the xTR that is sending the Map-Register and is 128 especially useful for identifying multiple xTRs serving the same 129 site/EID-prefix. 131 NAT: "Network Address Translation is a method by which IP addresses 132 are mapped from one address realm to another, providing 133 transparent routing to end hosts". "Traditional NAT would allow 134 hosts within a private network to transparently access hosts in 135 the external network, in most cases. In a traditional NAT, 136 sessions are uni-directional, outbound from the private network." 137 --RFC 2663[NAT]. Basic NAT and NAPT are two varieties of 138 traditional NAT. 140 Basic NAT: "With Basic NAT, a block of external addresses are set 141 aside for translating addresses of hosts in a private domain as 142 they originate sessions to the external domain. For packets 143 outbound from the private network, the source IP address and 144 related fields such as IP, TCP, UDP and ICMP header checksums are 145 translated. For inbound packets, the destination IP address and 146 the checksums as listed above are translated." --RFC 2663[NAT]. 148 NAPT: "NAPT extends the notion of translation one step further by 149 also translating transport identifier (e.g., TCP and UDP port 150 numbers, ICMP query identifiers). This allows the transport 151 identifiers of a number of private hosts to be multiplexed into 152 the transport identifiers of a single external address. NAPT 153 allows a set of hosts to share a single external address. Note 154 that NAPT can be combined with Basic NAT so that a pool of 155 external addresses are used in conjunction with port translation." 156 --RFC 2663[NAT]. Transport identifiers of the destination hosts 157 are not modified by the NAPT. 159 In this document the general term NAT is used to refer to both Basic 160 NAT and NAPT. 162 While this document specifies LISP NAT Traversal for LISP tunnel 163 routers, a LISP-MN can also use the same procedure for NAT traversal. 164 The modifications attributed to a LISP-Device, xTR, ETR, and ITR must 165 be supported by a LISP-MN where applicable, in order to achieve NAT 166 traversal for such a LISP node. A NAT traversal mechanism for 167 LISP-MN is also proposed in [NAT-MN]. 169 For definitions of other terms, notably Map-Request, Map-Reply, 170 Ingress Tunnel Router (ITR), and Egress Tunnel Router (ETR), please 171 consult the LISP specification [LISP]. 173 3. Basic Overview 175 There are two attributes of a LISP device behind a typical NAT that 176 requires special consideration in LISP protocol behavior in order to 177 make the device reachable. First, the RLOC assigned to the device is 178 typically not globally unique nor globally routable. Second, the NAT 179 likely has a restrictive translation table and forwarding policy, 180 requiring outbound packets to create state before the NAT accepts 181 inbound packets. This section provides an overview of the LISP NAT 182 traversal mechanism which deals with these conditions. The following 183 sections specify the mechanism in more detail. 185 When a LISP device receives a new RLOC and wants to register it with 186 the mapping system, it needs to first discover whether it is behind a 187 NAT. To do this, an ETR uses its Map-Server to discover its 188 translated global RLOC and port via the two new LISP messages: Info- 189 Request and Info-Reply. Once an ETR detects that it is behind a NAT, 190 it uses a new LISP entity, a LISP Re-encapsulating Tunnel Router 191 (RTR) as a data plane 'anchor point' to send and receive traffic 192 through the NAT device. The ETR registers the RTR RLOC(s) to its 193 Map-Server using the RTR as a proxy for the Map-Register message. 194 The ETR encapsulates the Map-Register message in a LISP ECM header 195 destined to the RTR's RLOC. The RTR strips the LISP ECM header, re- 196 originates the Map-Register message, and sends it to the Map-Server. 197 This initializes state in the NAT device so the ETR can receive 198 traffic on port 4341 from the RTR. It also registers the RTR RLOC as 199 the RLOC where the ETR EID prefix is reachable. As a result, all 200 packets destined to the ETR's EID will go to its RTR. The RTR will 201 then re-encapsulates and forwards the ETR's traffic via the existing 202 NAT state to the ETR. 204 Outbound LISP data traffic from the xTR is also encapsulated to the 205 RTR, where the RTR re-encapsulated the LISP packets based on their 206 destination EIDs. 208 In the next sections the procedure is discussed in more detail. 210 4. LISP RTR Message Details 212 The main modifications in the LISP protocol to enable LISP NAT 213 traversal via an RTR include: (1) two new messages used for NAT 214 discovery (Info-Request and Info-Reply), and (2) encapsulation of two 215 LISP control messages (Map-Register and Map-Notify) between the xTR 216 and the RTR. Map-Register is encapsulated in an ECM header while 217 Map-Notify is encapsulated in a LISP data header (Data-Map-Notify). 218 This section describes the message formats and details of the Info- 219 Request, Info-Reply, and Data-Map-Notify messages, as well as 220 encapsulation details and minor changes to Map-Register and Map- 221 Notify messages. 223 4.1. Info-Request Message 225 An ETR sends an Info-Request message to its Map-Server in order to 227 1. detect whether there is a NAT on the path to its Map-Server 229 2. obtain a list of RTR RLOCs that can be used for LISP data plane 230 NAT traversal. 232 An Info-Request message is a LISP control message, its source port is 233 chosen by the xTR and its destination port is set to 4342. 234 0 1 2 3 235 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 236 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 237 |Type=7 |R| Reserved | 238 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 239 | Nonce . . . | 240 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 241 | . . . Nonce | 242 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 243 | Key ID | Authentication Data Length | 244 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 245 ~ Authentication Data ~ 246 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 247 | TTL | 248 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 249 | Reserved | EID mask-len | EID-prefix-AFI | 250 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 251 | EID-prefix | 252 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 253 | AFI = 0 | | 254 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 256 LISP Info-Request Message Format 258 Type: 7 (Info-Request) 260 R: R bit indicates this is a reply to an Info-Request (Info- 261 Reply). R bit is set to 0 in an Info-Request. When R bit is set 262 to 0, the AFI field (following the EID-prefix field) must be set 263 to 0. When R bit is set to 1, the packet contents follow the 264 format for an Info-Reply as described below. 266 Reserved: Must be set to 0 on transmit and must be ignored on 267 receipt. 269 TTL: The time in minutes the recipient of the Info-Reply will 270 store the RTR Information. 272 Nonce: An 8-byte random value created by the sender of the Info- 273 Request. This nonce will be returned in the Info-Reply. The 274 nonce SHOULD be generated by a properly seeded pseudo-random (or 275 strong random) source. 277 Descriptions for other fields can be found in the Map-Register 278 section of the main LISP draft [LISP]. Field descriptions for the 279 LCAF AFI = 0 can be found in the LISP LCAF draft [LCAF] . 281 4.2. LISP Info-Reply 283 When a Map-Server receives an Info-Request message, it responds with 284 an Info-Reply message. The Info-Reply message source port is 4342, 285 and destination port is taken from the source port of the triggering 286 Info-Request. Map-Server fills the NAT LCAF (LCAF Type = 7) fields 287 according to their description. The Map-Server uses AFI=0 for the 288 Private ETR RLOC Address field in the NAT LCAF. 290 0 1 2 3 291 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 292 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 293 |Type=7 |R| Reserved | 294 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 295 | Nonce . . . | 296 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 297 | . . . Nonce | 298 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 299 | Key ID | Authentication Data Length | 300 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 301 ~ Authentication Data ~ 302 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 303 | TTL | 304 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 305 | Reserved | EID mask-len | EID-prefix-AFI | 306 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 307 | EID-prefix | 308 +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 309 | | AFI = 16387 | Rsvd1 | Flags | 310 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 311 | | Type = 7 | Rsvd2 | 4 + n | 312 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 313 N | MS UDP Port Number | ETR UDP Port Number | 314 A +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 315 T | AFI = x | Global ETR RLOC Address ... | 316 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 317 L | AFI = x | MS RLOC Address ... | 318 C +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 319 A | AFI = x | Private ETR RLOC Address ... | 320 F +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 321 | | AFI = x | RTR RLOC Address 1 ... | 322 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 323 | | AFI = x | RTR RLOC Address n ... | 324 +->+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 326 LISP Info-Reply Message Format 328 Type: 7 , R = 1, (Info-Reply) 330 The format is similar to the Info-Request message. See Info-Request 331 section for field descriptions. Field descriptions for the NAT LCAF 332 section can be found in the LISP LCAF draft [LCAF] . 334 4.3. LISP Map-Register Message 336 The fourth bit after the Type field in the Map-Register message is 337 allocated as "R" bit. R bit indicates that the Map-Register is built 338 for an RTR. R bit must be set in a Map-Register that a LISP device 339 sends to an RTR. 341 The third bit after the Type field in the Map-Register message is 342 allocated as "I" bit. I bit indicates that a xTR-ID field is present 343 at the end of the Map-Register message. If an xTR is configured with 344 an xTR-ID, it MUST set the I bit to 1 and include its xTR-ID in the 345 Map-Register messages it generates. If the R bit in the Map-Register 346 is set to 1, the I bit must also be set to 1, and an xTR-ID must be 347 included in the Map-Register message sent to an RTR. 349 xTR-ID is a 128 bit field at the end of the Map-Register message, 350 starting after the final Record in the message. The xTR-ID is used 351 to identify the intended recipient xTR for a Map-Notify message, 352 especially in the case where a site has more than one xTR. When a 353 Map-Server receives a Map-Register with the I bit set, it MUST copy 354 the XTR-ID from the Map-Register to the associated Map-Notify 355 message. When a Map-Server is sending an unsolicited Map-Notify to 356 an xTR to notify the xTR of a change in locators, the Map-Server must 357 include the xTR-ID for the intended recipient xTR, if it has one 358 stored locally. 360 A LISP device that sends a Map-Register to an RTR must encapsulate 361 the Map-Register message using an Encapsulated Control Message (ECM) 362 [LISP]. The outer header source RLOC of the ECM is set to the LISP 363 device's local RLOC, and the outer header source port is set to 4341. 364 The outer header destination RLOC and port are set to RTR RLOC and 365 4342 respectively. The inner header source RLOC is set to LISP 366 device's local RLOC, and the inner source port is picked at random. 367 The inner header destination RLOC is set to the xTR's Map-Server 368 RLOC, and inner header destination port is set to 4342. 370 4.4. LISP Map-Notify 372 The first bit after the Type field in a Map-Notify message is 373 allocated as the "I" bit. I bit indicates that a 128 bit xTR-ID 374 field is present at the end of the Map-Notify message, following the 375 final Record in the Map-Notify (See Section 4.3 for details on 376 xTR-ID). A Map-Server MUST set the I bit in a Map-Notify and include 377 the xTR-ID of the intended recipient xTR if the associated Map- 378 Register has the I bit set, or when the Map-Server has previously 379 cached an xTR-ID for the destination xTR. 381 The second bit after the Type field in Map-Notify is allocated as the 382 "R" bit. R bit in Map-Notify indicates that additional 383 authentication data is appended at the end of the Map-Notify message. 384 If the I bit is also set in the Map-Notify, the additional MS-RTR 385 authentication data must be appended after the xTR-ID field. If a 386 Map-Server receiving a Map-Register with the R bit set, has a shared 387 key associated with the sending RTR, it must generate a Map-Notify 388 message with the R bit set to 1, and with the additional MS-RTR 389 authentication related fields described below. 391 0 1 2 3 392 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 393 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 394 | MS-RTR Key ID | MS-RTR Auth. Data Length | 395 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 396 ~ MS-RTR Authentication Data ~ 397 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 399 Changes to LISP Map-Notify Message 401 MS-RTR Key ID: A configured ID to find the configured Message 402 Authentication Code (MAC) algorithm and key value used for the 403 authentication function. See [LISP] section 14.4 for codepoint 404 assignments. 406 MS-RTR Authentication Data Length: The length in bytes of the MS-RTR 407 Authentication Data field that follows this field. The length of the 408 Authentication Data field is dependent on the Message Authentication 409 Code (MAC) algorithm used. The length field allows a device that 410 doesn't know the MAC algorithm to correctly parse the packet. 412 MS-RTR Authentication Data: The message digest used from the output 413 of the Message Authentication Code (MAC) algorithm. The entire Map- 414 Notify payload is authenticated with this field preset to 0. After 415 the MAC is computed, it is placed in this field. Implementations of 416 this specification MUST support HMAC-SHA-1-96 [RFC2404] and SHOULD 417 support HMAC-SHA-256-128 [RFC6234]. 419 For a full description of all fields in the Map-Notify message refer 420 to Map-Notify section in the main LISP draft [LISP]. 422 4.5. LISP Data-Map-Notify Message 424 When an RTR receives a Map-Notify message, it has to relay that 425 message to the registering LISP device. After processing the Map- 426 Notify message as described in Section 5.3, the RTR encapsulates the 427 Map-Notify in a LISP data header and sends it to the associated LISP 428 device. This Map-Notify inside a LISP data header is referred to as 429 a Data-Map-Notify message. 431 0 1 2 3 432 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 433 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 434 / | IPv4 or IPv6 Header | 435 OH | (uses RLOC addresses) | 436 \ | | 437 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 438 / | Source Port = 4342 | Dest Port = xxxx | 439 UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 440 \ | UDP Length | UDP Checksum | 441 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 442 L | LISP Header ~ | 443 I \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 444 S / | ~ LISP Header | 445 P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 446 / | IPv4 or IPv6 Header | 447 IH | (uses RLOC or EID addresses) | 448 \ | | 449 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 450 / | Source Port = 4342 | Dest Port = 4342 | 451 UDP +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 452 \ | UDP Length | UDP Checksum | 453 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 454 LCM | LISP Map-Notify Message ~ 455 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 457 LISP Data-Map-Notify Message 459 In a Data-Map-Notify, the outer header source RLOC is set to the 460 RTR's RLOC that was used in the associated Map-Register. This is 461 previously cached by the RTR. The outer header source port is set to 462 4342. The outer header destination RLOC and port are filled based on 463 the translated global RLOC and port of the registering LISP device 464 previously stored locally at the RTR. The inner header source 465 address is Map-Server's RLOC, and inner header source port is 4342. 466 The inner header destination address is set to the LISP device's 467 local RLOC also previously cached by the RTR (See Section 5.3 for 468 details.). The inner header destination port is 4342. 470 Since a Data-Map-Notify is a control message encapsulated in a LISP 471 data header, a special Instance ID is used as a signal for the xTR to 472 trigger processing of the control packet inside the data header. The 473 Instance ID value 0xFFFFFF is reserved for this purpose. The 474 Instance ID field in a Data-Map-Notify must be set to 0xFFFFFF. 476 5. Protocol Operations 478 There are two main steps in the NAT traversal procedure. First, the 479 ETR's translated global RLOC must be discovered. Second, the NAT 480 translation table must be primed to accept incoming connections. At 481 the same time, the Map-Server and the RTR must be informed of the 482 ETR's translated global RLOC including the translated ephemeral port 483 number(s) at which the Map-Server and RTR can reach the LISP device. 485 5.1. xTR Processing 487 Upon receiving a new RLOC, an ETR first has to detect whether the new 488 RLOC is behind a NAT device. For this purpose the ETR sends an Info- 489 Request message to its Map-Server in order to discover the ETR's 490 translated global RLOC visible to the Map-Server. The ETR uses the 491 new RLOC as the source RLOC of the message. The Map-Server, after 492 authenticating the message, responds with an Info-Reply message. The 493 Map-Server includes the source RLOC and port from the Info-Request 494 message in the Global ETR RLOC Address and ETR UDP Port Number fields 495 of the Info-Reply. The Map Server also includes the destination RLOC 496 and port number of the Info-Request message in the MS RLOC Address 497 and MS UDP Port Number fields of the Info-Reply. In addition, the 498 Map-Server provides a list of RTR RLOCs that the ETR may use in case 499 it needs NAT traversal services. The source port of the Info-Reply 500 is set to 4342 and the destination port is copied from the source 501 port of the triggering Info-Request message. 503 Upon receiving the Info-Reply message, the ETR compares the source 504 RLOC and source port used for the Info-Request message with the 505 Global ETR RLOC Address and ETR UDP Port Number fields of the Info- 506 Reply message. If the two are not identical, the ETR concludes that 507 the new RLOC is behind a NAT and that it requires an RTR for NAT 508 traversal services in order to be reachable at that RLOC. An ETR 509 behind other stateful devices (e.g. stateful firewalls) may also use 510 an RTR and the procedure specified here for traversing the stateful 511 device. Detecting existence of such devices are beyond scope of this 512 document. 514 If there is no NAT on the path, the ETR registers to its Map-Server 515 as described in the main LISP draft [LISP]. 517 5.1.1. ETR Registration 519 Once an ETR has detected that it is behind a NAT, based on local 520 policy the ETR selects one (or more) RTR(s) from the RTR RLOCs 521 provided in the Info-Reply and initializes state in the NAT device in 522 order to receive LISP data traffic on UDP port 4341 from the selected 523 RTR. To do so, the ETR sends a Map-Register encapsulated in an ECM 524 header to the selected RTR(s). The Map-Register message is created 525 as specified in [LISP]. More specifically, the source RLOC of the 526 Map-Register is set to ETR's local RLOC, while the destination RLOC 527 is set to the ETR's Map-Server RLOC, and destination port is set to 528 4342. The ETR sets both the R bit and M bit in Map-Register to 1, 529 and it includes the selected RTR RLOC(s) as the locators in the Map- 530 Register message. The ETR must also set the I bit in the Map- 531 Register message to 1 and include its xTR-ID in the corresponding 532 field. In the ECM header of this Map-Register the source RLOC is set 533 to ETR's local RLOC and the source port is set to 4341, while the 534 destination RLOC is the RTR's RLOC and the destination port is set to 535 LISP control port 4342. 537 This ECM-ed Map-Register is then sent to the RTR. The RTR 538 reoriginates the Map-Register message and sends it to the associated 539 Map-Server. The RTR then encapsulates the corresponding Map-Notify 540 message in a LISP data header (Data-Map-Notify) and sends it back to 541 the xTR. 543 Upon receiving a Data-Map-Notify from the RTR, the ETR must strip the 544 outer LISP data header, and process the inner Map-Notify message as 545 described in [LISP]. Since outer header destination port in Data- 546 Map-Notify is set to LISP data port 4341, the Instance ID 0xFFFFFF in 547 the LISP header of the Data-Map-Notify is used by the ETR to detect 548 and process the Data-Map-Notify as a control message encapsulated in 549 a LISP data header. While processing the Data-Map-Notify, the xTR 550 also stores the RTR RLOC(s) as its data plane proxy, by storing a 551 default map-cache entry with the RTR RLOC(s) as its locator set. The 552 xTR may map the EID prefix 0/0 to this RTR RLOC(s). This results in 553 the xTR encapsulating all LISP data plane traffic to this RTR. At 554 this point the registration and state initialization is complete and 555 the xTR can use the RTR services. The state created in the NAT 556 device based on the ECM-ed Map-Register and corresponding Data-Map- 557 Notify is used by the xTR behind the NAT to send and receive LISP 558 control packets to/from the RTR, as well as for receiving LISP data 559 packets form the RTR. 561 If ETR receives a Data-Map-Notify with the I bit set, but with an 562 xTR-ID that is not equal to its local xTR-ID, it must log this as an 563 error. The ETR should discard such Data-Map-Notify message. 565 The ETR must periodically send ECM-ed Map-Register messages to its 566 RTR in order to both refresh its registration to the RTR and the Map- 567 Server, and as a keepalive in order to preserve the state in the NAT 568 device. Per recommendation in RFC 2663 [NAT] the period for sending 569 the keepalives can be set to default value of two minutes, however 570 since shorter timeouts may exist in some NAT deployments, the 571 interval for sending periodic ECM-ed Map-Registers must be 572 configurable. 574 5.1.2. Map-Request and Map-Reply Handling 576 The ETR is in control of how to handle the Map-Requests and Map- 577 Replies. If the ETR wants the Map-Server to proxy-reply as described 578 in [LISP], it can register the RTR RLOC(s) as its locator via the 579 ECM-ed Map-Register message. In this case, if the proxy bit is set 580 in the Map-Register, the Map-Server will proxy reply with RTR's RLOC 581 to all Map-Requests for the ETR. As a result all traffic for the ETR 582 is encapsulated to its RTR(s). 584 If the proxy bit in the ECM-ed Map-Register message is not set, and 585 the ETR chooses to receive Map-Requests, the ETR must also initiate 586 and preserve state in the NAT device to receive LISP control packets 587 from its Map-Server. To do this, the ETR must periodically send 588 Info-Request messages to its Map-Server, and receive Info-Reply 589 messages from the Map-Server. Per recommendation in RFC 2663 [NAT] 590 the period for sending the keepalives can be set to default value of 591 two minutes, however since shorter timeouts may exist in some NAT 592 deployments, the interval for sending periodic Info-Requests must be 593 configurable. Furthermore, the ETR must also provide its Map-Server 594 with the ETR's translated global RLOC and port as visible to the Map- 595 Server. To do this, ETR includes a copy of the NAT LCAF section of 596 the Info-Reply message as one of the locators in its Map-Register 597 along with the RTR(s) RLOC(s). The ETR can set the priorities of RTR 598 RLOC(s) in this Map-Register to 255, resulting in the Map Server 599 encapsulating Map-Requests to the ETR's translated global RLOC and 600 port so it can receive them through the NAT device. 602 If an ETR behind a NAT chooses to receive Map-Requests from the Map- 603 Server, it must send Map-Replies to requesting ITRs. Note that this 604 configuration will result in excessive state in the NAT device and is 605 not recommended. ETR must include its RTR RLOC(s) as its locator set 606 in the Map-Reply in order to receive data through the NAT device. 608 When an ITR behind a NAT is encapsulating outbound LISP traffic, it 609 must use its RTR RLOC as the locator for all destination EIDs that it 610 wishes to send data to. As such, the ITR does not need to send Map- 611 Requests for the purpose of finding EID-to-RLOC mappings. For RLOC- 612 probing, the periodic ECM-ed Map-Register and Data-Map-Notify 613 messages between xTR and RTR can also serve the purpose of RLOC 614 probes. However, if RLOC-probing is used, no changes are required to 615 the RLOC-probing specification in [LISP], and the LISP device only 616 needs to probe the RTR's RLOC. 618 5.1.3. xTR Sending and Receiving Data 620 When a Map-Request for a LISP device behind a NAT is received by its 621 Map-Server or the LISP device itself, the Map-Server, or the LISP 622 device (ETR), responds with a Map-Reply including RTR's RLOC as the 623 locator for the requested EID. As a result, all LISP data traffic 624 destined for the ETR's EID behind the NAT is encapsulated to its RTR. 625 The RTR re-encapsulates the LISP data packets to the ETR's translated 626 global RLOC and port number so the data can pass through the NAT 627 device and reach the ETR. As a result the ETR receives LISP data 628 traffic with outer header destination port set to 4341 as specified 629 in [LISP]. 631 For sending outbound LISP data, an ITR behind a NAT must use the RTR 632 RLOC as the locator for all EIDs that it wishes to send data to 633 according to the installed default map-cache entry. The ITR then 634 encapsulates the LISP traffic in a LISP data header with outer header 635 destination set to RTR RLOC and outer header destination port set to 636 4341. This may create a secondary state in the NAT device. ITR must 637 set the outer header source port in all egress LISP data packets to a 638 random but static port number in order to avoid creating excessive 639 state in the NAT device. 641 If the ITR and ETR of a site are not collocated, the RTR RLOC must be 642 configured in the ITR via an out-of-band mechanism. Other procedures 643 specified here would still apply. 645 5.2. Map-Server Processing 647 Upon receiving an Info-Request message a Map-Server first verifies 648 the authenticity of the message. Next the Map-Server creates an 649 Info-Reply message and copies the source RLOC and port number of the 650 Info-Request message to the Global ETR RLOC Address and ETR UDP Port 651 Number fields of the Info-Reply message. The Map-Server also 652 includes a list of RTR RLOCs that the ETR may use for NAT traversal 653 services. The Map-Server sends the Info-Reply message to the ETR, by 654 setting the destination RLOC and port of the Info-Reply to the source 655 RLOC and port of the triggering Info-Request. The Map-Server sets 656 the source port of the Info-Reply to 4342. 658 Upon receiving a Map-Register message with the M bit set, the Map- 659 Server processes the Map-Register message and generates the resulting 660 Map-Notify as described in [LISP]. If the R bit is set in the Map- 661 Register message and the Map-Server has a shared secret configured 662 with the RTR sending the Map-Register, the Map-Server also sets the R 663 bit in the Map-Notify and includes the MS-RTR authentication data. 664 See Security Considerations Section for more details. If the I bit 665 is set in the Map-Register message, the Map-Server also locally 666 stores the xTR-ID from the Map-Register, and sets the I bit in the 667 corresponding Map-Notify message and includes the same xTR-ID in the 668 Map-Notify. The Map-Notify is sent to the RTR sending the 669 corresponding Map-Register. 671 If a Map-Server is forwarding Map-Requests to an ETR which has 672 registered its RLOC in a NAT LCAF, Map-Server must use the ETR Global 673 RLOC Address and ETR UDP Port as the destination RLOC and port for 674 outer header of the encapsulated Map-Requests. If more than one NAT 675 LCAF is registered for the same EID prefix, the Map-Server must use 676 the NAT LCAF corresponding to the RLOC of this Map-Server. 678 5.3. RTR Processing 680 Upon receiving an ECM-encapsulated Map-Register, the RTR creates a 681 map-cache entry for the EID-prefix that was specified in the Map- 682 Register message. The RTR stores the outer header source RLOC and 683 outer header source port, the outer header destination RLOC (RTR's 684 own RLOC), the inner header source RLOC (xTR's local RLOC), the 685 xTR-ID, and the nonce field of the Map-Register in this local map- 686 cache entry. The outer header source RLOC and outer header source 687 port is the ETR's translated global RLOC and port number visible to 688 the RTR. Once the registration process is complete, this map-cache 689 entry can be used to send LISP data traffic to the ETR. The inner 690 header destination RLOC is the RTR's RLOC, and the inner header 691 source RLOC is the ETR's local RLOC behind the NAT, and the RTR can 692 later use these fields as the inner header source RLOC and 693 destination RLOC correspondingly, for sending data-encapsulated 694 control messages (Data-Map-Notify) back to the ETR. The nonce field 695 is used for security purposes and is matched with the nonce field in 696 the corresponding Map-Notify message. This map-cache entry is stored 697 as an "unverified" mapping, until the corresponding Map-Notify 698 message is received. 700 After filling the local map-cache entry, the RTR strips the outer 701 header and extracts the Map-Register message, re-originates the 702 message by rewriting the source RLOC of the Map-Register to RTR's 703 RLOC, and sends the Map-Register to destination Map-Server. 705 Map-Server responds with a Map-Notify message to the RTR. 707 Upon receiving a Map-Notify message from the Map-Server, if the R bit 708 in Map-Notify is set to 1, RTR uses the MS-RTR Key ID to verify the 709 MS-RTR Authentication Data included in the Map-Notify. If the MS-RTR 710 authentication fails, the RTR must drop the packet. Once the 711 authenticity of the message is verified, RTR can confirm that the 712 Map-Register message for the ETR with the matching xTR-ID was 713 accepted by the Map-Server. At this point the RTR can change the 714 state of the associated map-cache entry to verified for the duration 715 of the Map-Register TTL. 717 The RTR then uses the information in the associated map-cache entry 718 to create a Data-Map-Notify message according to the following 719 procedure: RTR rewrites the inner header destination RLOC of the Map- 720 Notify message to ETR's local RLOC. Inner header destination port is 721 4342. The RTR encapsulates the Map-Notify in a LISP data header, 722 where the outer header destination RLOC and port number are set to 723 the ETR's translated global RLOC and port number. If more than one 724 ETR translated RLOC and port exists in the map-cache entry for the 725 same EID prefix specified in the Map-Notify, the RTR can use the 726 xTR-ID from the Map-Notify to identify which ETR is the correct 727 destination for the Data-Map-Notify. The RTR sets the outer header 728 source RLOC to RTR's RLOC from the map-cache entry and the outer 729 header source port is set to 4342. The RTR also sets the Instance ID 730 field in the LISP header of the Data-Map-Notify to 0xFFFFFF. The RTR 731 then sends the Data-Map-Notify to the ETR. 733 If the R bit is set to 0, and the RTR has a shared key configured 734 locally with the sending Map-Server, the RTR must drop the packet. 735 If the R bit is set to 0, and the RTR does not have a shared key 736 configured with the associated Map-Server, according to local policy, 737 the RTR may drop the packet. If the Map-Notify with R bit set to 0 738 is processed, the RTR must match the nonce field from this Map-Notify 739 with the nonce stored in the local map-cache entry with the matching 740 xTR-ID. If the nonces do not match, the RTR must drop the packet. 742 5.3.1. RTR Data Forwarding 744 For all LISP data packets encapsulated to RTR's RLOC and outer header 745 destination port 4341, the RTR first verifies whether the source or 746 destination EID is a previously registered EID. If so, the RTR must 747 process the packet according to the following. If the destination or 748 source EID is not a registered EID, the RTR can drop or process the 749 packet based on local policy. 751 In the case where the destination EID is a previously registered EID, 752 the RTR must strip the LISP data header and re-encapsulate the packet 753 in a new LISP data header. The outer header RLOCs and UDP ports are 754 then filled based on the matching map-cache entry for the associated 755 destination EID prefix. The RTR uses the RTR RLOC from the map-cache 756 entry as the outer header source RLOC. The outer header source port 757 is set to 4342. The RTR sets the outer header destination RLOC and 758 outer header destination port based on the ETR translated global RLOC 759 and port stored in the map-cache entry. Then the RTR forwards the 760 LISP data packet. 762 In the case where the source EID is a previously registered EID, the 763 RTR process the packet as if it is a Proxy ETR (PETR). The RTR must 764 strip the LISP data header, and process the packet based on its inner 765 header destination address. The packet may be forwarded natively, it 766 may be LISP encapsulated to the destination ETR, or it may trigger 767 the RTR to send a LISP Map-Request. 769 5.4. Example 771 What follows is an example of an ETR initiating a registration of a 772 new RLOC to its Map-Server, when there is a NAT device on the path 773 between the ETR and the Map-Server. 775 In this example, the ETR (site1-ETR) is configured with the local 776 RLOC of 192.168.1.2. The NAT's global (external) addresses are from 777 2.0.0.1/24 prefix. The Map-Server is at 3.0.0.1. And one potential 778 RTR has an IP address of 1.0.0.1. The site1-ETR has an EID Prefix of 779 128.1.0.0/16. 781 An example of the registration process follows: 783 1. The Site1-ETR receives the private IP address, 192.168.1.2 as 784 its RLOC via DHCP. 786 2. The Site1-ETR sends an Info-Request message with the destination 787 RLOC of the Map-Server, 3.0.0.1, and source RLOC of 192.168.1.2. 788 This packet has the destination port set to 4342 and the source 789 port is set to (for example) 5001. 791 3. The NAT device translates the source IP from 192.168.1.2 to 792 2.0.0.1, and source port to (for example) 20001 global ephemeral 793 source port. 795 4. The Map-Server receives and responds to this Info-Request with 796 an Info-Reply message. This Info-Reply has the destination 797 address set to ETR's translated address of 2.0.0.1 and the 798 source address is the Map-Server's RLOC, namely 3.0.0.1. The 799 destination port is 20001 and the source port is 4342. Map- 800 Server includes a copy of the source address and port of the 801 Info-Request message (2.0.0.1:20001), and a list of RTR RLOCs 802 including RTR RLOC 1.0.0.1 in the Info-Reply contents. 804 5. The NAT translates the Info-Reply packet's destination IP from 805 2.0.0.1 to 192.168.1.2, and translates the destination port from 806 20001 to 5001, and forwards the Info-Reply to site1-ETR at 807 192.168.1.2. 809 6. The Site1-ETR detects that it is behind a NAT by comparing its 810 local RLOC (192.168.1.2) with the Global ETR RLOC Address in the 811 Info-Reply (2.0.0.2) . Then site1-ETR picks the RTR 1.0.0.1 812 from the list of RTR RLOCs in the Info-Reply. ETR stores the 813 RTR RLOC in a default map-cache entry to periodically send 814 ECM-ed Map-Registers to. 816 7. The ETR sends an ECM encapsulated Map-Register to RTR at 817 1.0.0.1. The outer header source RLOC of this Map-Register is 818 set to 192.168.1.2 and the outer header source port is set to 819 4341. The outer header destination RLOC and port are set to RTR 820 RLOC at 1.0.0.1 and 4342 respectively. The inner header 821 destination RLOC is set to ETR's Map-Server 3.0.0.1, and the 822 inner header destination port is set to 4342. The inner header 823 source RLOC is set to ETR's local RLOC 192.168.1.2. In the Map- 824 Register message the R bit is set to 1, and the RTR RLOC 1.0.0.1 825 appears as the locator set for the ETR's EID prefix 826 (128.1.0.0/16). In this example ETR also sets the Proxy bit in 827 the Map-Register to 1, and sets I bit to 1, and includes its 828 xTR-ID in the Map-Register. 830 8. The NAT translates the source RLOC in the ECM header of the Map- 831 Register, by changing it from 192.168.1.2 to 2.0.0.2, and 832 translates the source port in the ECM header from 4341 to (for 833 example) 20002, and forwards the Map-Register to RTR. 835 9. The RTR receives the Map-Register and creates a map-cache entry 836 with the ETR's xTR-ID, EID prefix, and the source RLOC and port 837 of the ECM header of the Map-Register as the locator 838 (128.1.0.0/16 is mapped to 2.0.0.2:20002). RTR also caches the 839 inner header source RLOC of the Map-Register namely 192.168.1.2, 840 and the outer header destination RLOC of the ECM header in the 841 Map-Register (this would be RTR's RLOC 1.0.0.1 ) to use for 842 sending back a Data-Map-Notify. RTR then removes the outer 843 header, re-writes the source RLOC of the Map-Register message to 844 its own RLOC 1.0.0.1 and forwards the Map-Register to the 845 destination Map-Server. 847 10. The Map-Server receives the Map-Register and processes it 848 according to [LISP]. Since the R bit is set in the Map-Register 849 and Map-Server has a shared secret with the sending RTR, after 850 registering the ETR, Map-Server responds with a Map-Notify with 851 the R bit set and including the MS-RTR authentication data. 852 Since the I bit is set in the Map-Register, the Map-Server also 853 sets the I bit in the Map-Notify and copies the xTR-ID from the 854 Map-Register to the Map-Notify. The source address of this Map- 855 Notify is set to 3.0.0.1. The destination is RTR 1.0.0.1, and 856 both source and destination ports are set to 4342. 858 11. The RTR receives the Map-Notify and verifies the MS-RTR 859 authentication data. The RTR data-encapsulates the Map-Notify 860 and sends the resulting Data-Map-Notify to site1-ETR with a 861 matching xTR-ID. The outer header source RLOC and port of the 862 Data-Map-Notify are set to 1.0.0.1:4342. The outer header 863 destination RLOC and port are retrieved from previously cached 864 map-cache entry in step 9 namely 2.0.0.2:20002. RTR also sets 865 the inner header destination address to site1-ETR's local 866 address namely 192.168.1.2. RTR sets the Instance ID in the 867 LISP header to 0xFFFFFF. At this point RTR marks ETR's EID 868 prefix as "Registered" status and forwards the Data-Map-Notify 869 to ETR. 871 12. The NAT device translates the destination RLOC and port of the 872 Data-Map-Notify to 192.168.1.2:4341 and forwards the packet to 873 ETR. 875 13. The Site1-ETR receives the packet with a destination port 4341, 876 and processes the packet as a control packet after observing the 877 Instance ID value 0xFFFFFF in the LISP header. At this point 878 ETR's registration to the RTR is complete. 880 Assume a requesting ITR in a second LISP (site2-ITR) site has an RLOC 881 of 74.0.0.1. The following is an example process of an EID behind 882 site2-ITR sending a data packet to an EID behind the site1-ETR: 884 1. The ITR sends a Map-Request which arrives via the LISP mapping 885 system to the ETR's Map Server. 887 2. The Map-Server sends a Map-Reply on behalf of the ETR, using the 888 RTR's RLOC (1.0.0.1) in the Map-Reply's Locator Set. 890 3. The ITR encapsulates a LISP data packet with ITR's local RLOC 891 (74.0.0.1) as the source RLOC and the RTR as the destination RLOC 892 (1.0.0.1) in the outer header. 894 4. The RTR decapsulates the packet, evaluates the inner header 895 against its map-cache and then re-encapsulates the packet. The 896 new outer header's source RLOC is the RTR's RLOC 1.0.0.1 and the 897 new outer header's destination RLOC is the Global NAT address 898 2.0.0.2. The destination port of the packet is set to 20002 899 (discovered above during the registration phase) and the source 900 port is 4342. 902 5. The NAT translates the LISP data packet's destination IP from to 903 2.0.0.2 to 192.168.1.2, and translates the destination port from 904 20002 to 4341, and forwards the LISP data packet to the ETR at 905 192.168.1.2. 907 6. For the reverse path the ITR uses its local map-cache entry with 908 the RTR RLOC as the default locator and encapsulates the LISP 909 data packets using RTR RLOC, and 4341 as destination RLOC and 910 port. The ITR must pick a random source port to use for all 911 outbound LISP data traffic in order to avoid creating excessive 912 state in the NAT. 914 6. Security Considerations 916 By having the RTR relay the ECM-ed Map-Register message from an ETR 917 to its Map-Server, the RTR can restrict access to the RTR services, 918 only to those ETRs that are registered with a given Map-Server. To 919 do so, the RTR and the Map-Server may be configured with a shared key 920 that is used to authenticate the origin and to protect the integrity 921 of the Map-Notify messages sent by the Map Server to the RTR. This 922 prevents an on-path attacker from impersonating the Map-Server to the 923 RTR, and allows the RTR to cryptographically verify that the ETR is 924 properly registered with the Map-Server. 926 Having the RTR re-encapsulate traffic only when the source or the 927 destination are registered EIDs, protects against the adverse use of 928 an RTR for EID spoofing. 930 Upon receiving a Data-Map-Notify, an xTR can authenticate the origin 931 of the Map-Notify message using the key that the ETR shares with the 932 Map-Server. This enables the ETR to verify that the ECM-ed Map- 933 Register was indeed forwarded by the RTR to the Map-Server, and was 934 accepted by the Map-Server. 936 7. Acknowledgments 938 The authors would like to thank Noel Chiappa, Alberto Rodriguez 939 Natal, Lorand Jakab, Albert Cabellos, Dominik Klein, Matthias 940 Hartmann, and Michael Menth for their previous work, feedback and 941 helpful suggestions. 943 8. IANA Considerations 945 This document does not request any IANA actions. 947 9. Normative References 949 [LCAF] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical 950 Address Format (LCAF)", draft-farinacci-lisp-lcaf-06 (work 951 in progress), October 2011. 953 [LISP] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, 954 "Locator/ID Separation Protocol (LISP)", 955 draft-ietf-lisp-14 (work in progress), June 2011. 957 [NAT] Srisuresh, P. and M. Holdrege, "IP Network Address 958 Translator (NAT) Terminology and Considerations", Request 959 for Comments: 2663, August 1999. 961 [NAT-MN] Klein, D., Hartmann, M., and M. Menth, "NAT traversal for 962 LISP mobile node, In Proceedings of the Re-Architecting 963 the Internet Workshop (ReARCH '10).", 2010. 965 [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and 966 E. Lear, "Address Allocation for Private Internets", 967 BCP 5, RFC 1918, February 1996. 969 [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing 970 (CIDR): The Internet Address Assignment and Aggregation 971 Plan", BCP 122, RFC 4632, August 2006. 973 Authors' Addresses 975 Vina Ermagan 976 Cisco Systems, Inc. 978 Email: vermagan@cisco.com 980 Dino Farinacci 981 Cisco Systems, Inc. 983 Email: dino@cisco.com 985 Darrel Lewis 986 Cisco Systems, Inc. 988 Email: darlewis@cisco.com 990 Jesper Skriver 991 Cisco Systems, Inc. 993 Email: jesper@cisco.com 995 Fabio Maino 996 Cisco Systems, Inc. 998 Email: fmaino@cisco.com 1000 Chris White 1001 Logicalelegance, Inc. 1003 Email: chris@logicalelegance.com