Network Working Group                                       D. Farinacci
Internet-Draft                                                 V. Fuller
Intended status: Experimental                                   D. Meyer
Expires: October 25, 2008                                          Cisco
                                                          April 23, 2008


                  LISP Alternative Topology (LISP+ALT)
                       draft-fuller-lisp-alt-02.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on October 25, 2008.

Abstract

   This document describes a method of building an alternative, logical
   topology for managing Endpoint Identifier to Routing Locator mappings
   using the Locator/ID Separation Protocol.
   The logical network is built as an overlay on the public Internet
   using existing technologies and tools, specifically the Border
   Gateway Protocol and the Generic Routing Encapsulation.  An important
   design goal for LISP+ALT is to allow for the relatively easy
   deployment of an efficient mapping system while minimizing changes to
   existing hardware and software.

Table of Contents

   1.  Requirements Notation
   2.  Introduction
   3.  Definition of Terms
   4.  The LISP 1.5 model
   5.  LISP+ALT: Overview
       5.1.  ITR traffic handling
       5.2.  EID Assignment - Hierarchy and Topology
       5.3.  LISP+ALT Router
       5.4.  ITR and ETR in a LISP+ALT Environment
       5.5.  Use of GRE and BGP between LISP+ALT Routers
   6.  EID-to-RLOC mapping propagation
       6.1.  Changes to ITR behavior with LISP+ALT
       6.2.  Changes to ETR behavior with LISP+ALT
   7.  BGP configuration and protocol considerations
       7.1.  Autonomous System Numbers (ASNs) in LISP+ALT
       7.2.  Sub-Address Family Identifier (SAFI) for LISP+ALT
   8.  EID-Prefix Aggregation
       8.1.  Traffic engineering with LISP and LISP+ALT
   9.  Connecting sites to the ALT network
       9.1.  ETRs originating information into the ALT
       9.2.  ITRs Receiving Information from the ALT
   10. IANA Considerations
   11. Security Considerations
       11.1.  Apparent LISP+ALT Vulnerabilities
       11.2.  Survey of LISP+ALT Security Mechanisms
       11.3.  Using existing BGP Security mechanisms
   12. Acknowledgments
   13. References
       13.1.  Normative References
       13.2.  Informative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Introduction

   This document describes a method of building an alternative logical
   topology for managing Endpoint Identifier to Routing Locator mappings
   using the Locator/ID Separation Protocol [LISP].  This logical
   topology uses existing technology and tools, specifically the Border
   Gateway Protocol [RFC4271] and its multi-protocol extension
   [RFC2858], along with the Generic Routing Encapsulation [RFC2784]
   protocol, to construct an overlay network of devices that advertise
   EID-prefixes only.  These Endpoint Identifier Prefix Aggregators hold
   hierarchically-assigned pieces of the Endpoint Identifier space
   (i.e., prefixes) and their next hops toward the network element which
   is authoritative for Endpoint Identifier-to-Routing Locator mapping
   for that prefix.  Tunnel routers can use this overlay to send mapping
   queries to, and to answer queries from, the distributed Endpoint
   Identifier-to-Routing Locator mapping database.  Note that the
   database is distributed (as described in [LISP]) and is stored in the
   ETRs.


   Note that an important design goal of LISP+ALT is to minimize the
   number of changes to existing hardware and/or software that are
   required to deploy the mapping system.  It is envisioned that in most
   cases existing technology can be used to implement and deploy
   LISP+ALT.  Since the deployment of LISP+ALT adds new devices to the
   network, existing devices do not need changes or upgrades; they can
   function as they are to realize an underlying and robust physical
   topology.

   The remainder of this document is organized as follows: Section 3
   provides the definitions of terms used in this document.  Section 4
   outlines the basic LISP 1.5 model.  Section 5 provides a basic
   overview of the LISP Alternate Topology architecture, and Section 6
   describes how the ALT uses BGP to propagate Endpoint Identifier
   reachability over the overlay network.  Section 8 describes the
   construction of the ALT aggregation hierarchy, and Section 9
   discusses how LISP+ALT elements are connected to form the overlay
   network.

3.  Definition of Terms

   LISP+ALT operates on two name spaces and introduces a new network
   element, the LISP+ALT Router (see below).  This section provides
   high-level definitions of the LISP+ALT name spaces, network elements,
   and message types.

   The Alternative Logical Topology (ALT):  The virtual overlay network
      made up of tunnels between EID Prefix Aggregators.  The Border
      Gateway Protocol (BGP) runs between LISP+ALT routers and is used
      to carry reachability information for EID prefixes.

   Legacy Internet:  The portion of the Internet which does not run LISP
      and does not participate in LISP+ALT.

   LISP+ALT Router:  The devices which run on the ALT.  The ALT is a
      static network built using tunnels between LISP+ALT routers.
      These routers are deployed in a hierarchy in which routers at each
      level in the hierarchy are responsible for aggregating all EID
      prefixes learned from those logically "below" them and advertising
      summary prefixes to the routers logically "above" them.  All
      prefix learning and propagation between levels is done using BGP.
      LISP+ALT routers at the lowest level, or "edge", of the ALT learn
      EID prefixes either over a BGP session to ETRs or through static
      routes (in the case of the "low-opex ETR").  See Section 7 for
      details on how BGP is configured between the different network
      elements.

      The primary function of LISP+ALT routers is to provide a
      lightweight forwarding infrastructure for LISP control-plane
      messages (Map-Request and Map-Reply), and to transport data
      packets when the packet has the same destination address in both
      the inner (encapsulated) destination and outer destination
      addresses (i.e., a Data Probe packet).

   Endpoint ID (EID):  A 32-bit (for IPv4) or 128-bit (for IPv6) value
      used in the source and destination address fields of the first
      (innermost) LISP header of a packet.  A packet that is emitted by
      a system contains EIDs in its headers, and LISP headers are
      prepended only when the packet reaches an Ingress Tunnel Router
      (ITR) on the data path to the destination EID.

      In LISP+ALT, EID-prefixes MUST be assigned in a hierarchical
      manner (in power-of-two blocks) such that they can be aggregated
      by LISP+ALT routers.  In addition, a site may have site-local
      structure in how EIDs are topologically organized (subnetting) for
      routing within the site; this structure is not visible to the
      global routing system.

   EID-Prefix Aggregate:  A set of EID-prefixes said to be aggregatable
      in the [RFC4632] sense.  That is, an EID-Prefix aggregate is
      defined to be a single contiguous power-of-two EID-prefix block.
      Such a block is characterized by a prefix and a length.

   Routing Locator (RLOC):  An IP address of an egress tunnel router
      (ETR).  It is the output of an EID-to-RLOC mapping lookup.  An EID
      maps to one or more RLOCs.  Typically, RLOCs are numbered from
      topologically-aggregatable blocks that are assigned to a site at
      each point to which it attaches to the global Internet; where the
      topology is defined by the connectivity of provider networks,
      RLOCs can be thought of as Provider Aggregatable (PA) addresses.
      Note that in LISP+ALT, RLOCs are not carried by LISP+ALT routers.

   EID-to-RLOC Mapping:  A binding between an EID and the RLOC-set that
      can be used to reach the EID.  The term "mapping" refers to an
      EID-to-RLOC mapping.

   EID Prefix Reachability:  An EID prefix is said to be "reachable" if
      one or more of its locators are reachable.  That is, an EID prefix
      is reachable if the ETR (or its proxy) that is authoritative for a
      given EID-to-RLOC mapping is reachable.

   Default Mapping:  A Default Mapping is a mapping entry for EID-prefix
      0.0.0.0/0.  It maps to a locator-set used for all EIDs in the
      Internet.  If there is a more specific EID-prefix in the mapping
      cache it overrides the Default Mapping entry.  The Default Mapping
      route can be learned by configuration or from a Map-Reply message.

   Default Route:  A Default Route in the context of LISP+ALT is an
      EID-prefix value of 0.0.0.0/0 which is advertised by BGP on top of
      the ALT.  The Default Route is used to realize a path for Data
      Probe or Map-Request packets.

4.  The LISP 1.5 model

   As documented in [LISP], the LISP 1.5 model uses the same basic
   query/response protocol machinery as LISP 1.0.
   In particular, LISP+ALT provides two mechanisms for an ITR to obtain
   EID-to-RLOC mappings (both of these techniques are described in more
   detail in Section 9.2):

   Data Probe:  An ITR may send the first few data packets into the ALT
      to minimize packet loss and to probe for the mapping; the
      authoritative ETR will respond to the ITR with a Map-Reply message
      when it receives the data packet over the ALT.  Note that in this
      case, the inner Destination Address (DA), which is an EID, is
      copied to the outer DA and is routed over the ALT.

   Map-Request:  An ITR may also send a Map-Request message into the ALT
      to request the mapping.  As in the Data Probe case, the
      authoritative ETR will respond to the ITR with a Map-Reply
      message.  In this case, the DA of the Map-Request MUST be an EID.
      See [LISP] for the format of Map-Request and Map-Reply packets.

   As in LISP 1.0, EIDs are routable and can be used, unaltered, as the
   source and destination addresses in IP datagrams.  Unlike in LISP
   1.0, LISP 1.5 EIDs are not routable on the public Internet; instead,
   they are only routed over a separate, virtual topology referred to as
   the LISP Alternative Virtual Network.  This network is built as an
   overlay on the public Internet using tunnels to interconnect LISP+ALT
   routers.  BGP is run over these tunnels to propagate the information
   needed to route Data Probes and Map-Request/Replies.  Importantly,
   while the ETRs are the source(s) of the unaggregated EID prefix data,
   LISP+ALT uses existing BGP mechanisms to aggressively aggregate this
   information.  Note that ETRs are not required to participate (or
   prevented from participating) in LISP+ALT; they may choose to
   communicate their mappings to their serving LISP+ALT router(s) at
   subscription time via configuration.  ITRs are also not required to
   participate in (nor prevented from participating in) LISP+ALT.

5.  LISP+ALT: Overview

   LISP+ALT is a hybrid push/pull architecture.  Aggregated EID prefixes
   are "pushed" among the LISP+ALT routers and, optionally, out to ITRs
   (which may elect to receive the aggregated information, as opposed to
   simply using a default mapping).  Specific EID-to-RLOC mappings are
   "pulled" by ITRs when they either send explicit LISP requests or data
   packets on the alternate topology that result in triggered replies
   being generated by ETRs.

   The basic idea embodied in LISP+ALT is to use BGP, running over an
   overlay network made up of Generic Routing Encapsulation (GRE)
   tunnels, to establish the reachability required to route Data Probes,
   Map-Requests, and Map-Replies over the alternate topology (ALT).  The
   ALT RIB (BGP RIB) is comprised of EID prefixes (and associated next
   hops).  The LISP+ALT routers talk eBGP to each other in order to
   propagate EID prefix update information, which is learned either over
   eBGP connections from the authoritative ETR, or by configuration.
   ITRs may also eBGP peer with one or more LISP+ALT routers in order to
   route Data Probe packets or Map-Requests (more likely, an ITR will
   have a default mapping pointing at one or more LISP+ALT routers).

   Note that while this document explicitly specifies the use of GRE as
   a tunneling mechanism, there is no reason that an ALT cannot be built
   using other tunneling technologies.  In cases where GRE does not meet
   security, management, or other operational requirements, it is
   reasonable to use another tunneling technology that does.  References
   to "GRE tunnel" in later sections of this document should therefore
   not be taken as prohibiting or precluding the use of other, available
   tunneling mechanisms.

   In summary, LISP+ALT uses BGP to propagate EID-prefix update
   information used by ITRs and ETRs to forward Map-Requests,
   Map-Replies, and Data Probes.
   This reachability is carried as IPv4 or IPv6 NLRI without
   modification (since the EID space has the same syntax as IPv4 or
   IPv6).  LISP+ALT routers eBGP peer with one another, forming the ALT.
   A LISP+ALT router near the edge learns EID prefixes which are
   originated by authoritative ETRs, either by eBGP peering with them or
   by configuration.  LISP+ALT routers aggregate EID prefixes, and
   forward Data Probes, Map-Requests, and Map-Replies.

5.1.  ITR traffic handling

   When an ITR receives a packet originated by an end system within its
   site (i.e., a host for which the ITR is the exit path out of the
   site) and the destination for that packet is not known in the ITR's
   mapping cache, the ITR encapsulates the packet in a LISP header,
   copying the inner destination address (EID) to the outer destination
   address (RLOC), and transmits it through a GRE tunnel to a LISP+ALT
   router in the ALT.  This "first hop" LISP+ALT router uses EID-prefix
   routing information learned from other LISP+ALT routers via BGP to
   guide the packet to the ETR which "owns" the prefix.  Upon receipt by
   the ETR, normal LISP processing occurs: the ETR responds to the ITR
   with a LISP Map-Reply that lists the RLOCs (and, thus, the ETRs to
   use) for the EID prefix.  The ETR also de-encapsulates the packet and
   transmits it toward its destination.

   Upon receipt of the Map-Reply, the ITR installs the RLOC information
   for a given prefix into a local mapping database.  With these mapping
   entries stored, additional packets destined to the given EID prefix
   are routed directly to a viable ETR without use of the ALT, until
   either the entry's TTL has expired, or the ITR can otherwise find no
   reachable ETR.  Note that a valid mapping (not timed-out) may exist
   that contains no reachable RLOCs (i.e., all paths to that ETR are
   down); in this case, packets destined to the EID prefix are dropped,
   not routed through the ALT.

   Traffic routed over the ALT therefore consists of:

   o  EID prefix Map-Requests, and

   o  data packets destined for those EID prefixes while the ITR awaits
      map replies

5.2.  EID Assignment - Hierarchy and Topology

   EID-prefixes will be allocated to a LISP site by Internet Registries.
   Multiple allocations may not be in power-of-2 blocks, but when they
   are, they will be aggregated into a single, advertised EID-prefix.
   The ALT network is built in a tree-structured hierarchy to allow
   proxy aggregation at merge points in the tree.  Building such a
   structure should minimize the number of EID-prefixes carried by
   LISP+ALT nodes near the top of the hierarchy.

   Since the ALT will not need to change due to subscription or policy
   reasons, the topology can remain relatively static and aggregation
   can be sustained.  Because routing on the ALT uses BGP, the same
   rules apply for generating aggregates; in particular, a LISP+ALT
   router should only be configured to generate an aggregate if it is
   able to learn reachability information for all components
   (more-specific prefixes) of that aggregate.  This means, for example,
   that two ALTs that share an overlapping set of prefixes must exchange
   those prefixes if either is to generate and export a covering
   aggregate for those prefixes.

   Note: much is currently uncertain about the best way to build the ALT
   network; as testing and prototype deployment proceeds, a guide to how
   to best build the ALT network will be developed.

5.3.  LISP+ALT Router

   A LISP+ALT Router has the following functionality:

   1.  It runs, at a minimum, the eBGP part of the BGP protocol.

   2.  It supports a separate RIB which uses next-hop GRE tunnel
       interfaces for forwarding Data Probes and Map-Requests.

   3.  It can act as a "proxy-ITR" to support non-LISP sites.

   4.  It can act as an ETR, or as a recursive or re-encapsulating ITR
       to reduce mapping tables in site-based LISP routers.

5.4.  ITR and ETR in a LISP+ALT Environment

   An ITR using LISP+ALT may have additional functionality as follows:

   1.  If it is also acting as a LISP+ALT Router, it sends Data Probes
       or Map-Requests on the GRE tunnel selected by the BGP best path
       for each EID prefix.

   2.  When acting solely as an ITR, it sends Data Probes or
       Map-Requests directly to a configured LISP+ALT router.

   An ETR using LISP+ALT may also behave slightly differently:

   1.  If it is also acting as a LISP+ALT router, it advertises its
       configured EID-prefixes into BGP for distribution through the
       ALT.

   2.  It receives Data Probes and Map-Requests only over GRE tunnel(s)
       to its "upstream" LISP+ALT router(s) and responds with
       Map-Replies for the EID prefixes that it "owns".

5.5.  Use of GRE and BGP between LISP+ALT Routers

   The ALT network is built using GRE tunnels between LISP+ALT routers.
   eBGP sessions are configured over those tunnels, with each LISP+ALT
   router acting as a separate AS "hop" in a Path Vector for BGP.  For
   the purposes of LISP+ALT, the AS-path is used solely as a
   shortest-path determination and loop-avoidance mechanism.  Because
   all next-hops are on tunnel interfaces, no IGP is required to resolve
   those next-hops to exit interfaces.

   LISP+ALT's use of GRE and BGP reduces provider Operational Expense
   (OPEX) because no new protocols need to be either defined or used on
   the overlay topology.  Also, since tunnel IP addresses are local in
   scope, no coordination is needed for their assignment; any addressing
   scheme (including private addressing) can be used for tunnel
   addressing.

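   The ITR/ALT/ETR exchange of Sections 5.1 through 5.5, as an added
   worked example that is not part of this draft.  It models a
   three-level ALT hierarchy (core, region, edge) whose RIBs hold only
   EID-prefixes with GRE-peer next hops, an ETR that de-encapsulates
   Data Probes and answers with a Map-Reply, and an ITR mapping cache
   with TTL expiry and the "valid mapping but no reachable RLOC" drop
   rule.  The prefixes, RLOCs, TTL value and the `reachable_rlocs` set
   (standing in for the LISP ITR-ETR reachability exchange) are
   invented for the example.

```python
"""Toy model of EID-to-RLOC resolution over LISP+ALT.

Added example, not code from the draft.  The prefixes, RLOCs, TTL and
the three-level ALT hierarchy are invented; RLOC reachability is a
plain set standing in for the LISP ITR-ETR reachability exchange.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class MapReply:
    eid_prefix: ipaddress.IPv4Network
    rlocs: list
    ttl: int  # seconds the ITR may keep the mapping


class ETR:
    """Authoritative for one EID-prefix; answers probes with a Map-Reply."""

    def __init__(self, eid_prefix, rlocs):
        self.eid_prefix = ipaddress.ip_network(eid_prefix)
        self.rlocs = list(rlocs)
        self.delivered = []  # inner destinations de-encapsulated and forwarded

    def receive_over_alt(self, outer):
        if ipaddress.ip_address(outer["dst"]) not in self.eid_prefix:
            return None  # mis-routed on the ALT: not ours, no reply
        # Normal LISP processing: de-encapsulate and forward the inner packet.
        # The Map-Reply goes to the ITR's source RLOC on the underlying
        # Internet, not back over the ALT (Section 6.2); modelled as a return.
        self.delivered.append(outer["inner"]["dst"])
        return MapReply(self.eid_prefix, self.rlocs, ttl=60)


class AltRouter:
    """LISP+ALT router: an EID-prefix RIB whose next hops are GRE peers."""

    def __init__(self, name):
        self.name = name
        self.rib = {}  # EID-prefix -> next hop (another AltRouter or an ETR)

    def advertise(self, prefix, next_hop):
        self.rib[ipaddress.ip_network(prefix)] = next_hop

    def forward(self, outer):
        # The outer destination is the EID itself (copied from the inner
        # header), so ALT forwarding is a longest-prefix match on the
        # EID-prefixes learned via BGP; RLOCs never appear in this RIB.
        dst = ipaddress.ip_address(outer["dst"])
        matches = [p for p in self.rib if dst in p]
        if not matches:
            return None  # no EID-prefix route on the ALT: drop
        next_hop = self.rib[max(matches, key=lambda p: p.prefixlen)]
        if isinstance(next_hop, ETR):
            return next_hop.receive_over_alt(outer)
        return next_hop.forward(outer)


class ITR:
    def __init__(self, rloc, alt_router):
        self.rloc = rloc
        self.alt_router = alt_router  # the "EID-prefix default route" (6.1)
        self.cache = {}               # EID-prefix -> (rlocs, expiry time)
        self.reachable_rlocs = set()  # stand-in for ITR-ETR reachability

    def _cached(self, dst, now):
        d = ipaddress.ip_address(dst)
        for prefix, (rlocs, expiry) in list(self.cache.items()):
            if now >= expiry:
                del self.cache[prefix]  # TTL expired: next packet re-probes
            elif d in prefix:
                return rlocs
        return None

    def send(self, pkt, now):
        """How one packet was handled: ('alt' | 'direct' | 'drop', detail)."""
        rlocs = self._cached(pkt["dst"], now)
        if rlocs is None:
            # Cache miss: LISP-encapsulate with outer DA := inner DA (the EID)
            # and our RLOC as outer source, then push it into the ALT as a
            # Data Probe via the configured LISP+ALT router (Section 5.1).
            outer = {"src": self.rloc, "dst": pkt["dst"], "inner": pkt}
            reply = self.alt_router.forward(outer)
            if reply is None:
                return ("drop", "no route on ALT")
            self.cache[reply.eid_prefix] = (list(reply.rlocs), now + reply.ttl)
            return ("alt", str(reply.eid_prefix))
        live = [r for r in rlocs if r in self.reachable_rlocs]
        if not live:
            # Valid (not timed-out) mapping with no reachable RLOC: drop,
            # do not fall back to the ALT (Section 5.1).
            return ("drop", "no reachable RLOC")
        return ("direct", live[0])


def scenario():
    """Core -> region -> edge -> ETR hierarchy; returns the ITR's decisions."""
    etr = ETR("10.1.2.0/24", ["192.0.2.1", "198.51.100.1"])
    core, region, edge = AltRouter("core"), AltRouter("region"), AltRouter("edge")
    edge.advertise("10.1.2.0/24", etr)     # learned from the ETR (eBGP or static)
    region.advertise("10.1.0.0/16", edge)  # summaries pushed up the hierarchy
    core.advertise("10.0.0.0/8", region)
    itr = ITR("203.0.113.7", core)
    itr.reachable_rlocs = {"192.0.2.1", "198.51.100.1"}
    pkt = {"src": "10.9.9.9", "dst": "10.1.2.50"}
    steps = [itr.send(pkt, now=0)]         # miss: Data Probe over the ALT
    steps.append(itr.send(pkt, now=1))     # hit: straight to an RLOC
    itr.reachable_rlocs = set()
    steps.append(itr.send(pkt, now=2))     # cached, but no RLOC is up
    itr.reachable_rlocs = {"198.51.100.1"}
    steps.append(itr.send(pkt, now=61))    # TTL expired: back to the ALT
    steps.append(itr.send({"src": "10.9.9.9", "dst": "172.16.0.1"}, now=61))
    return steps, etr.delivered
```

   Running `scenario()` walks one packet through the full cycle: the
   first packet is carried over the ALT as a Data Probe (the ETR
   forwards it and the ITR caches 10.1.2.0/24), the second goes
   straight to an RLOC, the third is dropped rather than re-probed
   because the cached mapping has no reachable RLOC, the fourth is
   probed again only after the TTL has lapsed, and a destination with
   no EID-prefix on the ALT is dropped at the first-hop router.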

6.  EID-to-RLOC mapping propagation

   As described in Section 9.2, an ITR may send either a Map-Request or
   a Data Probe to find a given EID-to-RLOC mapping.  The ALT provides
   the infrastructure that allows these requests to reach the
   authoritative ETR, and possibly for the reply to find its way back to
   the requesting ITR (the ETR might choose to send the Map-Reply to the
   requesting ITR's source-RLOC, bypassing the ALT).

   LISP+ALT routers propagate mapping information for use by ITRs (when
   making Map-Requests or sending Data Probes), and ETRs (if the ETR is
   configured to send Map-Replies back to the requesting ITR over the
   ALT) using eBGP [RFC4271].  eBGP is run on the inter-LISP+ALT router
   links, and possibly between an edge LISP+ALT router and an ETR or
   between an edge LISP+ALT router and an ITR.  The ALT eBGP RIB
   consists of aggregated EID prefixes and their next hops toward the
   authoritative ETR for that EID prefix.

6.1.  Changes to ITR behavior with LISP+ALT

   When using LISP+ALT, an ITR always sends either Data Probes or
   Map-Requests to one of its "upstream" LISP+ALT routers.  As in basic
   LISP, it should use one of its RLOCs as the source address of these
   queries; it should explicitly not use a tunnel interface as the
   source address, as doing so will cause replies to be forwarded over
   the tunneled topology and may be problematic if the tunnel interface
   address is not explicitly routed throughout the ALT.  If the ITR is
   running BGP with the LISP+ALT router(s), it selects the appropriate
   LISP+ALT router based on the BGP information received.  If it is not
   running BGP, it uses static configuration to select a LISP+ALT
   router; in the general case, this will effectively be an "EID-prefix
   default route".

6.2.  Changes to ETR behavior with LISP+ALT

   If an ETR connects using BGP to one or more LISP+ALT router(s), it
   simply announces its EID-prefix to those LISP+ALT routers.  In the
   "low-opex" case, where the ETR does not use BGP, it will still have a
   GRE tunnel to one or more LISP+ALT routers; these LISP+ALT router(s)
   must route Map-Requests and Data Probes to the ETR and must therefore
   contain configuration (in effect, static routes) for the ETR's
   EID-prefixes.  Note that in either case, when an ETR generates a
   Map-Reply message to return to a querying ITR, it sends it to the
   ITR's source-RLOC (i.e., on the underlying Internet topology, not on
   the ALT; this avoids any latency penalty that might be incurred by
   routing over the ALT).

   See also Section 9 for more details about the "low-opex" ETR and ITR
   configurations.

7.  BGP configuration and protocol considerations

7.1.  Autonomous System Numbers (ASNs) in LISP+ALT

   The primary use of BGP today is to define the global Internet routing
   topology in terms of its participants, known as Autonomous Systems.
   LISP+ALT specifies the use of BGP to create a global EID-to-RLOC
   mapping database which, while related to the global routing database,
   serves a very different purpose and is organized into a very
   different hierarchy.  Because LISP+ALT does use BGP, however, it uses
   ASNs in the paths that are propagated among LISP+ALT routers.  To
   avoid confusion, it needs to be stressed that these LISP+ALT ASNs use
   a new numbering space that is unrelated to the ASNs used by the
   global routing system.  Exactly how this new space will be assigned
   and managed will be determined during experimental deployment of
   LISP+ALT.


   Note that the LISP+ALT routers that make up the "core" of the ALT
   will not be associated with any existing core-Internet ASN because
   topology, hierarchy, and aggregation boundaries are completely
   separate from and independent of the global Internet routing system.

7.2.  Sub-Address Family Identifier (SAFI) for LISP+ALT

   As defined by this document, LISP+ALT may be implemented using BGP
   without modification.  Given the fundamental operational difference
   between propagating global Internet routing information (the current,
   dominant use of BGP) and managing the global EID-to-RLOC database
   (the use of BGP proposed by this document), it may be desirable to
   assign a new SAFI [RFC2858] to prevent operational confusion and
   difficulties, including the inadvertent leaking of information from
   one domain to the other.  At present, this document does not require
   the assignment of a new SAFI, but the authors anticipate that
   experimentation may suggest the need for one in the future.

8.  EID-Prefix Aggregation

   The ALT BGP peering topology should be arranged in a tree-like
   fashion (with some meshiness), with redundancy to deal with node and
   link failures.  A basic assumption is that as long as the routers are
   up and running, the underlying topology will provide alternative
   routes to maintain BGP connectivity among LISP+ALT routers.

   Note that, as mentioned in Section 5.2, the use of BGP by LISP+ALT
   requires that information can only be aggregated where all active
   more-specific prefixes of a generated aggregate prefix are known.
   This implies, for example, that if a given set of prefixes is used by
   multiple ALT networks, those networks must interconnect and share
   information about all of the prefixes if either is to generate an
   aggregate prefix that covers all of them.  This is no different from
   the way that BGP route aggregation works in the existing global
   routing system: a service provider only generates an aggregate route
   if it has connectivity to all prefixes that make up that aggregate.

8.1.  Traffic engineering with LISP and LISP+ALT

   It is worth noting that LISP+ALT does not directly propagate
   EID-to-RLOC mappings.  What it does is provide a mechanism for a LISP
   ITR to find the ETR that holds the mapping for a particular EID
   prefix.  This distinction is important for several reasons.  First,
   it means that the reachability of RLOCs is learned through the LISP
   ITR-ETR exchange, so "flapping" of state information through BGP is
   not likely, nor can mapping information become "stale" by slow
   propagation through the ALT BGP mesh.  Second, by deferring
   EID-to-RLOC mapping to an ITR-ETR exchange, it is possible to perform
   site-to-site traffic engineering through a combination of setting the
   preference and weight fields and by returning more-specific
   EID-to-RLOC information in LISP Map-Reply messages.  This is a
   powerful mechanism that can conceivably replace the traditional
   practice of routing prefix deaggregation for traffic engineering
   purposes.  Rather than propagating more-specific information into the
   global routing system for local- or regional-optimization of traffic
   flows, such more-specific information can be exchanged, through LISP
   (not LISP+ALT), on an as-needed basis between only those ITRs/ETRs
   (and, thus, site pairs) that need it; should a receiving ITR decide
   that it does not wish to store such more-specific information, it has
   the option of discarding it as long as a shorter, covering EID prefix
   exists.  Not only does this greatly improve the scalability of the
   global routing system, but it also allows improved traffic
   engineering techniques by allowing richer and more fine-grained
   policies to be applied.

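   The two aggregation rules stated in Sections 5.2 and 8, as an added
   worked example that is not code from this draft: a site's multiple
   allocations are merged into one advertised EID-prefix only when they
   form a single power-of-two block, and a LISP+ALT router at an
   aggregation point originates its configured aggregate only when it
   has learned every more-specific component.  The router names,
   prefixes and the idea of a "configured component list" are
   invented; the draft does not say what such a router should
   advertise while components are missing, so exporting the
   more-specifics it does hold is a design choice of the example.

```python
"""EID-prefix aggregation rules on the ALT (added example, not from the draft).

Prefixes, router names and the configured component lists are invented.
"""
import ipaddress


def site_advertisements(allocations):
    """Merge a site's EID allocations into the fewest advertisable prefixes.

    collapse_addresses joins adjacent blocks only when the result is a single
    power-of-two prefix, which is the RFC 4632 aggregatability the draft
    requires (Section 5.2); anything left over is advertised separately.
    """
    nets = [ipaddress.ip_network(a) for a in allocations]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


class AggregationPoint:
    """A LISP+ALT router configured to summarise one block of the hierarchy."""

    def __init__(self, name, aggregate, components):
        self.name = name
        self.aggregate = ipaddress.ip_network(aggregate)
        self.components = [ipaddress.ip_network(c) for c in components]
        self.rib = set()  # more-specifics learned from ETRs or lower routers
        # Configuration check: the components must tile the aggregate exactly,
        # otherwise the summary would claim EID space nobody is authoritative
        # for and Data Probes for it would be drawn into this router.
        if list(ipaddress.collapse_addresses(self.components)) != [self.aggregate]:
            raise ValueError(f"{name}: components do not exactly cover {aggregate}")

    def learn(self, prefix):
        self.rib.add(ipaddress.ip_network(prefix))

    def withdraw(self, prefix):
        self.rib.discard(ipaddress.ip_network(prefix))

    def missing_components(self):
        return [str(c) for c in self.components if c not in self.rib]

    def export(self):
        """What this router advertises "upward" into the ALT.

        With every component present it originates only the aggregate
        (Section 8).  If any component is missing it must not originate the
        aggregate; this example then passes on the more-specifics it holds.
        """
        if not self.missing_components():
            return [str(self.aggregate)]
        return sorted(str(p) for p in self.rib if p.subnet_of(self.aggregate))


def scenario():
    results = {}
    # Section 5.2: two adjacent /24s form a /23; the third stays on its own.
    results["site"] = site_advertisements(["10.1.2.0/24", "10.1.3.0/24", "10.1.9.0/24"])
    region = AggregationPoint("region", "10.1.0.0/16", ["10.1.0.0/17", "10.1.128.0/17"])
    region.learn("10.1.0.0/17")
    results["partial"] = region.export()         # cannot summarise yet
    region.learn("10.1.128.0/17")
    results["complete"] = region.export()        # now exports only the /16
    region.withdraw("10.1.128.0/17")
    results["after_withdraw"] = region.export()  # aggregate withdrawn again
    try:
        AggregationPoint("bad", "10.2.0.0/16", ["10.2.0.0/17"])
        results["misconfig"] = None
    except ValueError as e:
        results["misconfig"] = str(e)
    return results
```

   The same coverage check is what two interconnected ALTs would need
   to run jointly before either exports an aggregate spanning prefixes
   held on both sides: unless the union of what they exchange tiles the
   aggregate, neither may originate it.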
Connecting sites to the ALT network 533 9.1. ETRs originating information into the ALT 535 EID prefix information is originated into the ALT by two different 536 mechanisms: 538 eBGP: An ETR may participate in the LISP+ALT overlay network by 539 running eBGP to one or more LISP+ALT router(s) over GRE tunnel(s). 540 In this case, the ETR advertises reachability for its EID prefixes 541 over these eBGP connection(s). The LISP+ALT router(s) that 542 receive(s) these prefixes then propagate(s) them into the ALT. 543 Here the ETR is simply an eBGP peer of LISP+ALT router(s) at the 544 edge of the ALT. Where possible, a LISP+ALT router that receives 545 EID prefixes from an ETR via eBGP should aggregate that 546 information. 548 Configuration: One or more LISP+ALT router(s) may be configured to 549 originate an EID prefix on behalf of the non-BGP-speaking ETR that 550 is authoritative for a prefix. As in the case above, the ETR is 551 connected to LISP+ALT router(s) using GRE tunnel(s) but rather 552 than BGP being used, the LISP+ALT router(s) are configured with 553 what are in effect "static routes" for the EID prefixes "owned" by 554 the ETR. The GRE tunnel is used to route Map-Requests to the ETR 555 (if necessary), and for the ETR to respond with Map-Replies. Of 556 course, the LISP+ALT router could also serve as a proxy for its 557 TCP-connected ETRs. 559 Note: in both cases, an ETR may have connections to to multiple 560 LISP+ALT routers for the following reasons: 562 * redundancy, so that a particular ETR is still reachable through 563 the ALT even if one path or tunnel is unavailable. 565 * to connect to different parts of the ALT hierarchy if the ETR 566 "owns" multiple EID-to-RLOC mappings for EID prefixes that 567 cannot be aggregated by the same LISP+ALT router (i.e. are not 568 topologically "close" to each other in the ALT). 570 9.2. 
9.2.  ITRs Receiving Information from the ALT

   In order to source Map-Requests to the ALT and receive Map-Replies
   from the ALT, or to route a Data Probe packet over the ALT, each ITR
   participating in the ALT establishes a connection to one or more
   LISP+ALT routers.  These connections can be either eBGP or TCP (as
   described above).

   In the case in which the ITR is running eBGP, the peer LISP+ALT
   routers use these connections to advertise highly aggregated EID
   prefixes to the peer ITRs.  The ITR then installs the received
   prefixes into a forwarding table that is used to send LISP Map-
   Requests to the appropriate LISP+ALT router.  In most cases, a
   LISP+ALT router will send a default mapping to its client ITRs so
   that they can send requests for any EID prefix into the ALT.

   In the case in which the ITR is connected to some set of LISP+ALT
   routers without eBGP, the ITR sends Map-Requests to any of its
   connected LISP+ALT routers, and receives Map-Replies from the
   LISP+ALT router that has the "shortest path" to the authoritative
   ETR.

   An ITR may also choose to send the first few data packets over the
   ALT to minimize packet loss and reduce mapping latency.  In this
   case, the data packet serves as a mapping probe (Data Probe) and the
   ETR which receives the data packet (over the ALT) responds with a
   Map-Reply that is either routed back over the ALT or sent to the
   ITR's source RLOC over the underlying topology.

   In general, an ITR will establish connections only to LISP+ALT
   routers at the "edge" of the ALT (typically two for redundancy), but
   there may also be situations where an ITR would connect to other
   LISP+ALT routers to receive additional, shorter-path information
   about a portion of the ALT of interest to it.  This can be
   accomplished by establishing GRE tunnels between the ITR and the set
   of LISP+ALT routers with the additional information.
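   As an added example (not code from this draft or from any LISP
   implementation), the Python model below shows the ITR side of this
   exchange: a forwarding table of aggregated EID prefixes learned from
   ALT routers, including a default, selects the LISP+ALT router that a
   Map-Request is handed to; each request is recorded under a nonce so
   that a Map-Reply is accepted only if it answers a request this ITR
   actually sent and covers the EID that was asked for (the nonce check
   that Section 11.2 lists as a security mechanism).  A fixed budget of
   outstanding requests is included as one simple form of the admission
   control that Section 11.1 says needs further study.  The class, its
   message dictionaries, the router names, the budget size and the
   addresses are all constructed for this example.

```python
import ipaddress
import os


class AltItr:
    """Hypothetical model of an ITR attached to the ALT."""

    def __init__(self, max_outstanding=8):
        self.alt_routes = {}     # IPv4Network -> LISP+ALT router peer name
        self.outstanding = {}    # nonce -> (requested EID, ALT router)
        self.max_outstanding = max_outstanding   # constructed admission-control cap
        self.map_cache = {}      # IPv4Network -> list of RLOC strings

    def learn_alt_route(self, prefix, alt_router):
        """Install an aggregated EID prefix advertised by an ALT router over
        eBGP.  A default ("0.0.0.0/0") lets any EID be requested into the ALT."""
        self.alt_routes[ipaddress.ip_network(prefix)] = alt_router

    def next_hop(self, eid):
        """Longest-prefix match over the ALT forwarding table picks the
        LISP+ALT router that receives the Map-Request."""
        eid = ipaddress.ip_address(eid)
        best = None
        for prefix, router in self.alt_routes.items():
            if eid in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, router)
        return best[1] if best else None

    def send_map_request(self, eid, nonce=None):
        """Build a Map-Request for `eid`.  Returns None when no ALT route
        covers the EID or the outstanding-request budget is exhausted."""
        eid = ipaddress.ip_address(eid)
        if len(self.outstanding) >= self.max_outstanding:
            return None
        router = self.next_hop(eid)
        if router is None:
            return None
        if nonce is None:
            nonce = int.from_bytes(os.urandom(8), "big")   # unpredictable nonce
        self.outstanding[nonce] = (eid, router)
        return {"type": "Map-Request", "eid": str(eid), "nonce": nonce, "via": router}

    def receive_map_reply(self, reply):
        """Accept a Map-Reply only if its nonce matches a request this ITR
        sent and the returned EID prefix covers the EID that was requested.
        The nonce is consumed on first use, so a replayed reply is rejected."""
        nonce = reply.get("nonce")
        if nonce not in self.outstanding:
            return False                       # unsolicited or spoofed
        eid, _ = self.outstanding.pop(nonce)
        prefix = ipaddress.ip_network(reply["eid_prefix"])
        if eid not in prefix:
            return False                       # answer does not cover the question
        self.map_cache[prefix] = list(reply["rlocs"])
        return True
```

   In the constructed scenario, an ITR holds a default via one edge
   router and 10.0.0.0/8 via another: a request for 10.1.2.3 goes to
   the second, a request for 192.0.2.7 to the first; a reply with an
   unknown nonce, a replayed nonce, or a prefix that does not contain
   the requested EID is dropped without touching the map-cache.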
   Such additional peering is a purely local policy issue between the
   ITR and the LISP+ALT routers in question.

10.  IANA Considerations

   This document makes no request of the IANA.

11.  Security Considerations

   LISP+ALT shares many of the security characteristics of BGP.  Its
   security mechanisms are comprised of existing technologies in wide
   operational use today.  Securing LISP+ALT is much simpler than
   securing BGP.

   Compared to BGP, LISP+ALT routers are not topologically bound,
   allowing them to be put in locations away from the vulnerable AS
   border (unlike eBGP speakers).

11.1.  Apparent LISP+ALT Vulnerabilities

   This section briefly lists the apparent vulnerabilities of LISP+ALT.

   Mapping Integrity:  Can an attacker insert bogus mappings to black-
      hole (create a DoS) or intercept LISP data-plane packets?

   LISP+ALT router Availability:  Can an attacker DoS the LISP+ALT
      routers connected to a given ETR?  Without access to its mappings,
      a site is essentially unavailable.

   ITR Mapping/Resources:  Can an attacker force an ITR or LISP+ALT
      router to drop legitimate mapping requests by flooding it with
      random destinations that it will have to query for?  Further study
      is required to see the impact of admission control on the overlay
      network.

   EID Map-Request Exploits for Reconnaissance:  Can an attacker learn
      about a LISP destination site's TE policy by sending legitimate
      mapping request messages and then observing the RLOC mapping
      replies?  Is this information useful in attacking or subverting
      peer relationships?  Note that LISP 1.0 has a similar data-plane
      reconnaissance issue.

   Scaling of LISP+ALT router Resources:  Paths through the ALT may be
      of lesser bandwidth than more "direct" paths; this may make them
      more prone to high-volume denial-of-service attacks.
   UDP Map-Reply from ETR:  If Map-Reply packets are sent directly from
      the ETR to the ITR's RLOC, the ITR's RLOC may be vulnerable to
      various types of DoS attacks.

11.2.  Survey of LISP+ALT Security Mechanisms

   Explicit peering:  The devices themselves can both prioritize
      incoming packets as well as potentially do key checks in hardware
      to protect the control plane.

   Use of TCP to connect elements:  This makes it difficult for third
      parties to inject packets.

   Use of HMAC Protected TCP Connections:  HMAC is used to verify
      message integrity and authenticity, making it nearly impossible
      for third party devices to either insert or modify messages.

   Message Sequence Numbers and Nonce Values in Messages:  This allows
      devices to verify that the mapping-reply packet was in response
      to the mapping-request that they sent.

11.3.  Using existing BGP Security mechanisms

   LISP+ALT's use of BGP allows for the ALT to take advantage of BGP
   security features designed for existing Internet BGP use.

   For example, should either sBGP [I-D.murphy-bgp-secr] or soBGP
   [I-D.white-sobgparchitecture] become widely deployed, it is expected
   that LISP+ALT could use these mechanisms to provide authentication of
   EID-to-RLOC mappings and EID origination.

12.  Acknowledgments

   Many of the ideas described in this document were developed during
   detailed discussions with Scott Brim and Darrel Lewis, who made many
   insightful comments on earlier versions of this document.

13.  References

13.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2784]  Farinacci, D., Li, T., Hanks, S., Meyer, D., and P.
              Traina, "Generic Routing Encapsulation (GRE)", RFC 2784,
              March 2000.

   [RFC2858]  Bates, T., Rekhter, Y., Chandra, R., and D. Katz,
              "Multiprotocol Extensions for BGP-4", RFC 2858, June 2000.
   [RFC4271]  Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
              Protocol 4 (BGP-4)", RFC 4271, January 2006.

   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing
              (CIDR): The Internet Address Assignment and Aggregation
              Plan", BCP 122, RFC 4632, August 2006.

13.2.  Informative References

   [I-D.murphy-bgp-secr]
              Murphy, S., "BGP Security Analysis",
              draft-murphy-bgp-secr-04 (work in progress),
              November 2001.

   [I-D.white-sobgparchitecture]
              White, R., "Architecture and Deployment Considerations for
              Secure Origin BGP (soBGP)",
              draft-white-sobgparchitecture-00 (work in progress),
              May 2004.

   [LISP]     Farinacci, D., Oran, D., Fuller, V., and D. Meyer,
              "Locator/ID Separation Protocol (LISP)",
              draft-farinacci-lisp-07.txt (work in progress),
              November 2007.

Authors' Addresses

   Dino Farinacci
   Cisco
   Tasman Drive
   San Jose, CA 95134
   USA

   Email: dino@cisco.com

   Vince Fuller
   Cisco
   Tasman Drive
   San Jose, CA 95134
   USA

   Email: vaf@cisco.com

   Dave Meyer
   Cisco
   Tasman Drive
   San Jose, CA 95134
   USA

   Email: dmm@cisco.com

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.