idnits 2.17.1 draft-ietf-hip-multihoming-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 22, 2015) is 3201 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-14) exists of draft-ietf-hip-rfc5206-bis-09 ** Obsolete normative reference: RFC 3484 (Obsoleted by RFC 6724) == Outdated reference: A later version (-20) exists of draft-ietf-hip-rfc4423-bis-12 == Outdated reference: A later version (-08) exists of draft-ietf-hip-rfc5204-bis-06 Summary: 1 error (**), 0 flaws (~~), 5 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group T. Henderson, Ed. 3 Internet-Draft University of Washington 4 Intended status: Standards Track C. Vogt 5 Expires: January 23, 2016 J. Arkko 6 Ericsson Research NomadicLab 7 July 22, 2015 9 Host Multihoming with the Host Identity Protocol 10 draft-ietf-hip-multihoming-06 12 Abstract 14 This document defines host multihoming extensions to the Host 15 Identity Protocol (HIP), by leveraging protocol components defined 16 for host mobility. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on January 23, 2016. 35 Copyright Notice 37 Copyright (c) 2015 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 This document may contain material from IETF Documents or IETF 51 Contributions published or made publicly available before November 52 10, 2008. The person(s) controlling the copyright in some of this 53 material may not have granted the IETF Trust the right to allow 54 modifications of such material outside the IETF Standards Process. 55 Without obtaining an adequate license from the person(s) controlling 56 the copyright in such materials, this document may not be modified 57 outside the IETF Standards Process, and derivative works of it may 58 not be created outside the IETF Standards Process, except to format 59 it for publication as an RFC or to translate it into languages other 60 than English. 62 Table of Contents 64 1. Introduction and Scope . . . . . . . . . . . . . . . . . . . 2 65 2. Terminology and Conventions . . . . . . . . . . . . . . . . . 3 66 3. Protocol Model . . . . . . . . . . . . . . . . . . . . . . . 4 67 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4 68 4.1. Host Multihoming . . . . . . . . . . . . . . . . . . . . 5 69 4.2. Site Multihoming . . . . . . . . . . . . . . . . . . . . 6 70 4.3. Dual host multihoming . . . . . . . . . . . . . . . . . . 7 71 4.4. Combined Mobility and Multihoming . . . . . . . . . . . . 8 72 4.5. Initiating the Protocol in R1 or I2 . . . . . . . . . . . 8 73 4.6. Using LOCATOR_SETs across Addressing Realms . . . . . . . 9 74 5. Other Considerations . . . . . . . . . . . . . . . . . . . . 9 75 5.1. Address Verification . . . . . . . . . . . . . . . . . . 9 76 5.2. Preferred Locator . . . . . . . . . . . . . . . . . . . . 10 77 5.3. Interaction with Security Associations . . . . . . . . . 10 78 6. Processing Rules . . . . . . . . . . . . . . . . . . . . . . 12 79 6.1. Sending LOCATOR_SETs . . . . . . . . . . . . . . . . . . 12 80 6.2. Handling Received LOCATOR_SETs . . . . . . . . . . . . . 14 81 6.3. Verifying Address Reachability . . . . . . . . . . . . . 16 82 6.4. Changing the Preferred Locator . . . . . . . . . . . . . 16 83 7. Security Considerations . . . . . . . . . . . . . . . . . . . 17 84 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 85 9. Authors and Acknowledgments . . . . . . . . . . . . . . . . . 17 86 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 87 10.1. Normative references . . . . . . . . . . . . . . . . . . 17 88 10.2. Informative references . . . . . . . . . . . . . . . . . 18 89 Appendix A. Document Revision History . . . . . . . . . . . . . 19 91 1. Introduction and Scope 93 The Host Identity Protocol [I-D.ietf-hip-rfc4423-bis] (HIP) supports 94 an architecture that decouples the transport layer (TCP, UDP, etc.) 95 from the internetworking layer (IPv4 and IPv6) by using public/ 96 private key pairs, instead of IP addresses, as host identities. When 97 a host uses HIP, the overlying protocol sublayers (e.g., transport 98 layer sockets and Encapsulating Security Payload (ESP) Security 99 Associations (SAs)) are instead bound to representations of these 100 host identities, and the IP addresses are only used for packet 101 forwarding. However, each host must also know at least one IP 102 address at which its peers are reachable. Initially, these IP 103 addresses are the ones used during the HIP base exchange [RFC7401]. 105 One consequence of such a decoupling is that new solutions to 106 network-layer mobility and host multihoming are possible. Basic host 107 mobility is defined in [I-D.ietf-hip-rfc5206-bis] and covers the case 108 in which a host has a single address and changes its network point- 109 of-attachment while desiring to preserve the HIP-enabled security 110 association. Host multihoming is somewhat of a dual case to host 111 mobility, in that a host may simultaneously have more than one 112 network point-of-attachment. There are potentially many variations 113 of host multihoming possible. The scope of this document encompasses 114 messaging and elements of procedure for some basic host multihoming 115 scenarios of interest. 117 Another variation of multihoming that has been heavily studied is 118 site multihoming. Solutions for site multihoming in IPv6 networks 119 have been specified by the IETF shim6 working group. The shim6 120 protocol [RFC5533] bears many architectural similarities to HIP but 121 there are differences in the security model and in the protocol. 123 While HIP can potentially be used with transports other than the ESP 124 transport format [RFC7402], this document largely assumes the use of 125 ESP and leaves other transport formats for further study. 127 There are a number of situations where the simple end-to-end 128 readdressing functionality defined herein is not sufficient. These 129 include the initial reachability of a multihomed host, location 130 privacy, simultaneous mobility of both hosts, and some modes of NAT 131 traversal. In these situations, there is a need for some helper 132 functionality in the network, such as a HIP rendezvous server 133 [I-D.ietf-hip-rfc5204-bis]. Such functionality is out of the scope 134 of this document. Finally, making underlying IP multihoming 135 transparent to the transport layer has implications on the proper 136 response of transport congestion control, path MTU selection, and 137 Quality of Service (QoS). Transport-layer mobility triggers, and the 138 proper transport response to a HIP multihoming address change, are 139 outside the scope of this document. 141 2. Terminology and Conventions 143 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 144 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 145 document are to be interpreted as described in RFC 2119 [RFC2119]. 147 The following terms used in this document are defined in 148 [I-D.ietf-hip-rfc5206-bis]: LOCATOR_SET, Locator, Address, Preferred 149 locator, and Credit Based Authorization. 151 3. Protocol Model 153 The protocol model for HIP support of host multihoming extends the 154 model for host mobility described in Section 3 of 155 [I-D.ietf-hip-rfc5206-bis]. This section only highlights the 156 differences. 158 In host multihoming, a host has multiple locators simultaneously 159 rather than sequentially, as in the case of mobility. By using the 160 LOCATOR_SET parameter defined in [I-D.ietf-hip-rfc5206-bis], a host 161 can inform its peers of additional (multiple) locators at which it 162 can be reached. When multiple locators are available and announced 163 to the peer, a host can designate a particular locator as a 164 "preferred" locator, meaning that the host prefers that its peer send 165 packets to the designated address before trying an alternative 166 address. Although this document defines a basic mechanism for 167 multihoming, it does not define all possible policies and procedures, 168 such as which locators to choose when more than one pair is 169 available, the operation of simultaneous mobility and multihoming, 170 source address selection policies (beyond those specified in 171 [RFC3484]), and the implications of multihoming on transport 172 protocols and ESP anti-replay windows. 174 4. Protocol Overview 176 In this section, we briefly introduce a number of usage scenarios for 177 HIP multihoming. These scenarios assume that HIP is being used with 178 the ESP transform [RFC7402], although other scenarios may be defined 179 in the future. To understand these usage scenarios, the reader 180 should be at least minimally familiar with the HIP protocol 181 specification [RFC7401]. However, for the (relatively) uninitiated 182 reader, it is most important to keep in mind that in HIP the actual 183 payload traffic is protected with ESP, and that the ESP SPI acts as 184 an index to the right host-to-host context. 186 The scenarios below assume that the two hosts have completed a single 187 HIP base exchange with each other. Both of the hosts therefore have 188 one incoming and one outgoing SA. Further, each SA uses the same 189 pair of IP addresses, which are the ones used in the base exchange. 191 The readdressing protocol is an asymmetric protocol where a mobile or 192 multihomed host informs a peer host about changes of IP addresses on 193 affected SPIs. The readdressing exchange is designed to be 194 piggybacked on existing HIP exchanges. The majority of the packets 195 on which the LOCATOR_SET parameters are expected to be carried are 196 UPDATE packets. However, some implementations may want to experiment 197 with sending LOCATOR_SET parameters also on other packets, such as 198 R1, I2, and NOTIFY. 200 The scenarios below at times describe addresses as being in either an 201 ACTIVE, VERIFIED, or DEPRECATED state. From the perspective of a 202 host, newly-learned addresses of the peer must be verified before put 203 into active service, and addresses removed by the peer are put into a 204 deprecated state. Under limited conditions described in 205 [I-D.ietf-hip-rfc5206-bis], an UNVERIFIED address may be used. 207 Hosts that use link-local addresses as source addresses in their HIP 208 handshakes may not be reachable by a mobile peer. Such hosts SHOULD 209 provide a globally routable address either in the initial handshake 210 or via the LOCATOR_SET parameter. 212 4.1. Host Multihoming 214 A (mobile or stationary) host may sometimes have more than one 215 interface or global address. The host may notify the peer host of 216 the additional interface or address by using the LOCATOR_SET 217 parameter. To avoid problems with the ESP anti-replay window, a host 218 SHOULD use a different SA for each interface or address used to 219 receive packets from the peer host when multiple locator pairs are 220 being used simultaneously rather than sequentially. 222 When more than one locator is provided to the peer host, the host 223 SHOULD indicate which locator is preferred (the locator on which the 224 host prefers to receive traffic). By default, the addresses used in 225 the base exchange are preferred until indicated otherwise. 227 In the multihoming case, the sender may also have multiple valid 228 locators from which to source traffic. In practice, a HIP 229 association in a multihoming configuration may have both a preferred 230 peer locator and a preferred local locator, although rules for source 231 address selection should ultimately govern the selection of the 232 source locator based on the destination locator. 234 Although the protocol may allow for configurations in which there is 235 an asymmetric number of SAs between the hosts (e.g., one host has two 236 interfaces and two inbound SAs, while the peer has one interface and 237 one inbound SA), it is RECOMMENDED that inbound and outbound SAs be 238 created pairwise between hosts. When an ESP_INFO arrives to rekey a 239 particular outbound SA, the corresponding inbound SA should be also 240 rekeyed at that time. Although asymmetric SA configurations might be 241 experimented with, their usage may constrain interoperability at this 242 time. However, it is recommended that implementations attempt to 243 support peers that prefer to use non-paired SAs. 245 Consider the case between two hosts, one single-homed and one 246 multihomed. The multihomed host may decide to inform the single- 247 homed host about its other address. It is RECOMMENDED that the 248 multihomed host set up a new SA pair for use on this new address. To 249 do this, the multihomed host sends a LOCATOR_SET with an ESP_INFO, 250 indicating the request for a new SA by setting the OLD SPI value to 251 zero, and the NEW SPI value to the newly created incoming SPI. A 252 Locator Type of "1" is used to associate the new address with the new 253 SPI. The LOCATOR_SET parameter also contains a second Type "1" 254 locator, that of the original address and SPI. To simplify parameter 255 processing and avoid explicit protocol extensions to remove locators, 256 each LOCATOR_SET parameter MUST list all locators in use on a 257 connection (a complete listing of inbound locators and SPIs for the 258 host). The multihomed host waits for an ESP_INFO (new outbound SA) 259 from the peer and an ACK of its own UPDATE. As in the mobility case, 260 the peer host must perform an address verification before actively 261 using the new address. Figure 1 illustrates this scenario. 263 Multi-homed Host Peer Host 265 UPDATE(ESP_INFO, LOCATOR_SET, SEQ, [DIFFIE_HELLMAN]) 266 -----------------------------------> 267 UPDATE(ESP_INFO, SEQ, ACK, [DIFFIE_HELLMAN,] ECHO_REQUEST) 268 <----------------------------------- 269 UPDATE(ACK, ECHO_RESPONSE) 270 -----------------------------------> 272 Figure 1: Basic Multihoming Scenario 274 In multihoming scenarios, it is important that hosts receiving 275 UPDATEs associate them correctly with the destination address used in 276 the packet carrying the UPDATE. When processing inbound LOCATOR_SETs 277 that establish new security associations on an interface with 278 multiple addresses, a host uses the destination address of the UPDATE 279 containing the LOCATOR_SET as the local address to which the 280 LOCATOR_SET plus ESP_INFO is targeted. This is because hosts may 281 send UPDATEs with the same (locator) IP address to different peer 282 addresses -- this has the effect of creating multiple inbound SAs 283 implicitly affiliated with different peer source addresses. 285 4.2. Site Multihoming 287 A host may have an interface that has multiple globally routable IP 288 addresses. Such a situation may be a result of the site having 289 multiple upper Internet Service Providers, or just because the site 290 provides all hosts with both IPv4 and IPv6 addresses. The host 291 should stay reachable at all or any subset of the currently available 292 global routable addresses, independent of how they are provided. 294 This case is handled the same as if there were different IP 295 addresses, described above in Section 4.1. Note that a single 296 interface may experience site multihoming while the host itself may 297 have multiple interfaces. 299 Note that a host may be multihomed and mobile simultaneously, and 300 that a multihomed host may want to protect the location of some of 301 its interfaces while revealing the real IP address of some others. 303 This document does not presently additional site multihoming 304 extensions to HIP; such extensions are for further study. 306 4.3. Dual host multihoming 308 Consider the case in which both hosts would like to add an additional 309 address after the base exchange completes. In Figure 2, consider 310 that host1, which used address addr1a in the base exchange to set up 311 SPI1a and SPI2a, wants to add address addr1b. It would send an 312 UPDATE with LOCATOR_SET (containing the address addr1b) to host2, 313 using destination address addr2a, and a new set of SPIs would be 314 added between hosts 1 and 2 (call them SPI1b and SPI2b -- not shown 315 in the figure). Next, consider host2 deciding to add addr2b to the 316 relationship. Host2 must select one of host1's addresses towards 317 which to initiate an UPDATE. It may choose to initiate an UPDATE to 318 addr1a, addr1b, or both. If it chooses to send to both, then a full 319 mesh (four SA pairs) of SAs would exist between the two hosts. This 320 is the most general case; it often may be the case that hosts 321 primarily establish new SAs only with the peer's Preferred locator. 322 The readdressing protocol is flexible enough to accommodate this 323 choice. 325 -<- SPI1a -- -- SPI2a ->- 326 host1 < > addr1a <---> addr2a < > host2 327 ->- SPI2a -- -- SPI1a -<- 329 addr1b <---> addr2a (second SA pair) 330 addr1a <---> addr2b (third SA pair) 331 addr1b <---> addr2b (fourth SA pair) 333 Figure 2: Dual Multihoming Case in Which Each Host Uses LOCATOR_SET 334 to Add a Second Address 336 4.4. Combined Mobility and Multihoming 338 It looks likely that in the future, many mobile hosts will be 339 simultaneously mobile and multihomed, i.e., have multiple mobile 340 interfaces. Furthermore, if the interfaces use different access 341 technologies, it is fairly likely that one of the interfaces may 342 appear stable (retain its current IP address) while some other(s) may 343 experience mobility (undergo IP address change). 345 The use of LOCATOR_SET plus ESP_INFO should be flexible enough to 346 handle most such scenarios, although more complicated scenarios have 347 not been studied so far. 349 4.5. Initiating the Protocol in R1 or I2 351 A Responder host MAY include a LOCATOR_SET parameter in the R1 packet 352 that it sends to the Initiator. This parameter MUST be protected by 353 the R1 signature. If the R1 packet contains LOCATOR_SET parameters 354 with a new Preferred locator, the Initiator SHOULD directly set the 355 new Preferred locator to status ACTIVE without performing address 356 verification first, and MUST send the I2 packet to the new Preferred 357 locator. The I1 destination address and the new Preferred locator 358 may be identical. All new non-preferred locators must still undergo 359 address verification once the base exchange completes. 361 Initiator Responder 363 R1 with LOCATOR_SET 364 <----------------------------------- 365 record additional addresses 366 change responder address 367 I2 sent to newly indicated preferred address 368 -----------------------------------> 369 (process normally) 370 R2 371 <----------------------------------- 372 (process normally, later verification of non-preferred locators) 374 Figure 3: LOCATOR_SET Inclusion in R1 376 An Initiator MAY include one or more LOCATOR_SET parameters in the I2 377 packet, independent of whether or not there was a LOCATOR_SET 378 parameter in the R1. These parameters MUST be protected by the I2 379 signature. Even if the I2 packet contains LOCATOR_SET parameters, 380 the Responder MUST still send the R2 packet to the source address of 381 the I2. The new Preferred locator SHOULD be identical to the I2 382 source address. If the I2 packet contains LOCATOR_SET parameters, 383 all new locators must undergo address verification as usual, and the 384 ESP traffic that subsequently follows should use the Preferred 385 locator. 387 Initiator Responder 389 I2 with LOCATOR_SET 390 -----------------------------------> 391 (process normally) 392 record additional addresses 393 R2 sent to source address of I2 394 <----------------------------------- 395 (process normally) 397 Figure 4: LOCATOR_SET Inclusion in I2 399 The I1 and I2 may be arriving from different source addresses if the 400 LOCATOR_SET parameter is present in R1. In this case, 401 implementations simultaneously using multiple pre-created R1s, 402 indexed by Initiator IP addresses, may inadvertently fail the puzzle 403 solution of I2 packets due to a perceived puzzle mismatch. See, for 404 instance, the example in Appendix A of [RFC7401]. As a solution, the 405 Responder's puzzle indexing mechanism must be flexible enough to 406 accommodate the situation when R1 includes a LOCATOR_SET parameter. 408 4.6. Using LOCATOR_SETs across Addressing Realms 410 It is possible for HIP associations to migrate to a state in which 411 both parties are only using locators in different addressing realms. 412 For example, the two hosts may initiate the HIP association when both 413 are using IPv6 locators, then one host may loose its IPv6 414 connectivity and obtain an IPv4 address. In such a case, some type 415 of mechanism for interworking between the different realms must be 416 employed; such techniques are outside the scope of the present text. 417 The basic problem in this example is that the host readdressing to 418 IPv4 does not know a corresponding IPv4 address of the peer. This 419 may be handled (experimentally) by possibly configuring this address 420 information manually or in the DNS, or the hosts exchange both IPv4 421 and IPv6 addresses in the locator. 423 5. Other Considerations 425 5.1. Address Verification 427 An address verification method is specified in 428 [I-D.ietf-hip-rfc5206-bis]. It is expected that addresses learned in 429 multihoming scenarios also are subject to the same verification 430 rules. 432 5.2. Preferred Locator 434 When a host has multiple locators, the peer host must decide which to 435 use for outbound packets. It may be that a host would prefer to 436 receive data on a particular inbound interface. HIP allows a 437 particular locator to be designated as a Preferred locator and 438 communicated to the peer. 440 In general, when multiple locators are used for a session, there is 441 the question of using multiple locators for failover only or for 442 load-balancing. Due to the implications of load-balancing on the 443 transport layer that still need to be worked out, this document 444 assumes that multiple locators are used primarily for failover. An 445 implementation may use ICMP interactions, reachability checks, or 446 other means to detect the failure of a locator. 448 5.3. Interaction with Security Associations 450 This document uses the HIP LOCATOR_SET protocol parameter, specified 451 in [I-D.ietf-hip-rfc5206-bis]), that allows the hosts to exchange 452 information about their locator(s) and any changes in their 453 locator(s). The logical structure created with LOCATOR_SET 454 parameters has three levels: hosts, Security Associations (SAs) 455 indexed by Security Parameter Indices (SPIs), and addresses. 457 The relation between these levels for an association constructed as 458 defined in the base specification [RFC7401] and ESP transform 459 [RFC7402] is illustrated in Figure 5. 461 -<- SPI1a -- -- SPI2a ->- 462 host1 < > addr1a <---> addr2a < > host2 463 ->- SPI2a -- -- SPI1a -<- 465 Figure 5: Relation between Hosts, SPIs, and Addresses (Base 466 Specification) 468 In Figure 5, host1 and host2 negotiate two unidirectional SAs, and 469 each host selects the SPI value for its inbound SA. The addresses 470 addr1a and addr2a are the source addresses that the hosts use in the 471 base HIP exchange. These are the "preferred" (and only) addresses 472 conveyed to the peer for use on each SA. That is, although packets 473 sent to any of the hosts' interfaces may be accepted on the inbound 474 SA, the peer host in general knows of only the single destination 475 address learned in the base exchange (e.g., for host1, it sends a 476 packet on SPI2a to addr2a to reach host2), unless other mechanisms 477 exist to learn of new addresses. 479 In general, the bindings that exist in an implementation 480 corresponding to this document can be depicted as shown in Figure 6. 481 In this figure, a host can have multiple inbound SPIs (and, not 482 shown, multiple outbound SPIs) associated with another host. 483 Furthermore, each SPI may have multiple addresses associated with it. 484 These addresses that are bound to an SPI are not used to lookup the 485 incoming SA. Rather, the addresses are those that are provided to 486 the peer host, as hints for which addresses to use to reach the host 487 on that SPI. The LOCATOR_SET parameter is used to change the set of 488 addresses that a peer associates with a particular SPI. 490 address11 491 / 492 SPI1 - address12 493 / 494 / address21 495 host -- SPI2 < 496 \ address22 497 \ 498 SPI3 - address31 499 \ 500 address32 502 Figure 6: Relation between Hosts, SPIs, and Addresses (General Case) 504 A host may establish any number of security associations (or SPIs) 505 with a peer. The main purpose of having multiple SPIs with a peer is 506 to group the addresses into collections that are likely to experience 507 fate sharing. For example, if the host needs to change its addresses 508 on SPI2, it is likely that both address21 and address22 will 509 simultaneously become obsolete. In a typical case, such SPIs may 510 correspond with physical interfaces; see below. Note, however, that 511 especially in the case of site multihoming, one of the addresses may 512 become unreachable while the other one still works. In the typical 513 case, however, this does not require the host to inform its peers 514 about the situation, since even the non-working address still 515 logically exists. 517 A basic property of HIP SAs is that the inbound IP address is not 518 used to lookup the incoming SA. Therefore, in Figure 6, it may seem 519 unnecessary for address31, for example, to be associated only with 520 SPI3 -- in practice, a packet may arrive to SPI1 via destination 521 address address31 as well. However, the use of different source and 522 destination addresses typically leads to different paths, with 523 different latencies in the network, and if packets were to arrive via 524 an arbitrary destination IP address (or path) for a given SPI, the 525 reordering due to different latencies may cause some packets to fall 526 outside of the ESP anti-replay window. For this reason, HIP provides 527 a mechanism to affiliate destination addresses with inbound SPIs, 528 when there is a concern that anti-replay windows might be violated. 529 In this sense, we can say that a given inbound SPI has an "affinity" 530 for certain inbound IP addresses, and this affinity is communicated 531 to the peer host. Each physical interface SHOULD have a separate SA, 532 unless the ESP anti-replay window is loose. 534 Moreover, even when the destination addresses used for a particular 535 SPI are held constant, the use of different source interfaces may 536 also cause packets to fall outside of the ESP anti-replay window, 537 since the path traversed is often affected by the source address or 538 interface used. A host has no way to influence the source interface 539 on which a peer sends its packets on a given SPI. A host SHOULD 540 consistently use the same source interface and address when sending 541 to a particular destination IP address and SPI. For this reason, a 542 host may find it useful to change its SPI or at least reset its ESP 543 anti-replay window when the peer host readdresses. 545 An address may appear on more than one SPI. This creates no 546 ambiguity since the receiver will ignore the IP addresses during SA 547 lookup anyway. However, this document does not specify such cases. 549 When the LOCATOR_SET parameter is sent in an UPDATE packet, then the 550 receiver will respond with an UPDATE acknowledgment. When the 551 LOCATOR_SET parameter is sent in an R1 or I2 packet, the base 552 exchange retransmission mechanism will confirm its successful 553 delivery. LOCATOR_SETs may experimentally be used in NOTIFY packets; 554 in this case, the recipient MUST consider the LOCATOR_SET as 555 informational and not immediately change the current preferred 556 address, but can test the additional locators when the need arises. 557 The use of the LOCATOR_SET in a NOTIFY message may not be compatible 558 with middleboxes. 560 6. Processing Rules 562 Basic processing rules for the LOCATOR_SET parameter are specified in 563 [I-D.ietf-hip-rfc5206-bis]. This document focuses on multihoming- 564 specific rules. 566 6.1. Sending LOCATOR_SETs 568 The decision of when to send a LOCATOR_SET, and which addresses to 569 include, is a local policy issue. [I-D.ietf-hip-rfc5206-bis] 570 recommends that a host send a LOCATOR_SET whenever it recognizes a 571 change of its IP addresses in use on an active HIP association, and 572 assumes that the change is going to last at least for a few seconds. 573 It is possible to delay the exposure of additional locators to the 574 peer, and to send data from previously unannounced locators, as might 575 arise in certain mobility or multihoming situations. 577 When a host decides to inform its peers about changes in its IP 578 addresses, it has to decide how to group the various addresses with 579 SPIs. The grouping should consider also whether middlebox 580 interaction requires sending the same LOCATOR_SET in separate UPDATEs 581 on different paths. Since each SPI is associated with a different 582 Security Association, the grouping policy may also be based on ESP 583 anti-replay protection considerations. In the typical case, simply 584 basing the grouping on actual kernel level physical and logical 585 interfaces may be the best policy. Grouping policy is outside of the 586 scope of this document. 588 Locators corresponding to tunnel interfaces (e.g. IPsec tunnel 589 interfaces or Mobile IP home addresses) or other virtual interfaces 590 MAY be announced in a LOCATOR_SET, but implementations SHOULD avoid 591 announcing such locators as preferred locators if more direct paths 592 may be obtained by instead preferring locators from non-tunneling 593 interfaces if such locators provide a more direct path to the HIP 594 peer. 596 Hosts MUST NOT announce broadcast or multicast addresses in 597 LOCATOR_SETs. Link-local addresses MAY be announced to peers that 598 are known to be neighbors on the same link, such as when the IP 599 destination address of a peer is also link-local. The announcement 600 of link-local addresses in this case is a policy decision; link-local 601 addresses used as Preferred locators will create reachability 602 problems when the host moves to another link. In any case, link- 603 local addresses MUST NOT be announced to a peer unless that peer is 604 known to be on the same link. 606 Once the host has decided on the groups and assignment of addresses 607 to the SPIs, it creates a LOCATOR_SET parameter that serves as a 608 complete representation of the addresses and affiliated SPIs intended 609 for active use. We now describe a few cases introduced in Section 4. 610 We assume that the Traffic Type for each locator is set to "0" (other 611 values for Traffic Type may be specified in documents that separate 612 the HIP control plane from data plane traffic). Other mobility and 613 multihoming cases are possible but are left for further 614 experimentation. 616 1. Host multihoming (addition of an address). We only describe the 617 simple case of adding an additional address to a (previously) 618 single-homed, non-mobile host. The host SHOULD set up a new SA 619 pair between this new address and the preferred address of the 620 peer host. To do this, the multihomed host creates a new inbound 621 SA and creates a new SPI. For the outgoing UPDATE message, it 622 inserts an ESP_INFO parameter with an OLD SPI field of "0", a NEW 623 SPI field corresponding to the new SPI, and a KEYMAT Index as 624 selected by local policy. The host adds to the UPDATE message a 625 LOCATOR_SET with two Type "1" Locators: the original address and 626 SPI active on the association, and the new address and new SPI 627 being added (with the SPI matching the NEW SPI contained in the 628 ESP_INFO). The Preferred bit SHOULD be set depending on the 629 policy to tell the peer host which of the two locators is 630 preferred. The UPDATE also contains a SEQ parameter and 631 optionally a DIFFIE_HELLMAN parameter, and follows rekeying 632 procedures with respect to this new address. The UPDATE message 633 SHOULD be sent to the peer's Preferred address with a source 634 address corresponding to the new locator. 636 The sending of multiple LOCATOR_SETs, locators with Locator Type "0", 637 and multiple ESP_INFO parameters is for further study. Note that the 638 inclusion of LOCATOR_SET in an R1 packet requires the use of Type "0" 639 locators since no SAs are set up at that point. 641 6.2. Handling Received LOCATOR_SETs 643 A host SHOULD be prepared to receive a LOCATOR_SET parameter in the 644 following HIP packets: R1, I2, UPDATE, and NOTIFY. 646 This document describes sending both ESP_INFO and LOCATOR_SET 647 parameters in an UPDATE. The ESP_INFO parameter is included when 648 there is a need to rekey or key a new SPI, and is otherwise included 649 for the possible benefit of HIP-aware middleboxes. The LOCATOR_SET 650 parameter contains a complete map of the locators that the host 651 wishes to make or keep active for the HIP association. 653 In general, the processing of a LOCATOR_SET depends upon the packet 654 type in which it is included. Here, we describe only the case in 655 which ESP_INFO is present and a single LOCATOR_SET and ESP_INFO are 656 sent in an UPDATE message; other cases are for further study. The 657 steps below cover each of the cases described in Section 6.1. 659 The processing of ESP_INFO and LOCATOR_SET parameters is intended to 660 be modular and support future generalization to the inclusion of 661 multiple ESP_INFO and/or multiple LOCATOR_SET parameters. A host 662 SHOULD first process the ESP_INFO before the LOCATOR_SET, since the 663 ESP_INFO may contain a new SPI value mapped to an existing SPI, while 664 a Type "1" locator will only contain a reference to the new SPI. 666 When a host receives a validated HIP UPDATE with a LOCATOR_SET and 667 ESP_INFO parameter, it processes the ESP_INFO as follows. The 668 ESP_INFO parameter indicates whether an SA is being rekeyed, created, 669 deprecated, or just identified for the benefit of middleboxes. The 670 host examines the OLD SPI and NEW SPI values in the ESP_INFO 671 parameter: 673 1. (no rekeying) If the OLD SPI is equal to the NEW SPI and both 674 correspond to an existing SPI, the ESP_INFO is gratuitous 675 (provided for middleboxes) and no rekeying is necessary. 677 2. (rekeying) If the OLD SPI indicates an existing SPI and the NEW 678 SPI is a different non-zero value, the existing SA is being 679 rekeyed and the host follows HIP ESP rekeying procedures by 680 creating a new outbound SA with an SPI corresponding to the NEW 681 SPI, with no addresses bound to this SPI. Note that locators in 682 the LOCATOR_SET parameter will reference this new SPI instead of 683 the old SPI. 685 3. (new SA) If the OLD SPI value is zero and the NEW SPI is a new 686 non-zero value, then a new SA is being requested by the peer. 687 This case is also treated like a rekeying event; the receiving 688 host must create a new SA and respond with an UPDATE ACK. 690 4. (deprecating the SA) If the OLD SPI indicates an existing SPI and 691 the NEW SPI is zero, the SA is being deprecated and all locators 692 uniquely bound to the SPI are put into the DEPRECATED state. 694 If none of the above cases apply, a protocol error has occurred and 695 the processing of the UPDATE is stopped. 697 Next, the locators in the LOCATOR_SET parameter are processed. For 698 each locator listed in the LOCATOR_SET parameter, check that the 699 address therein is a legal unicast or anycast address. That is, the 700 address MUST NOT be a broadcast or multicast address. Note that some 701 implementations MAY accept addresses that indicate the local host, 702 since it may be allowed that the host runs HIP with itself. 704 The below assumes that all locators are of Type "1" with a Traffic 705 Type of "0"; other cases are for further study. 707 For each Type "1" address listed in the LOCATOR_SET parameter, the 708 host checks whether the address is already bound to the SPI 709 indicated. If the address is already bound, its lifetime is updated. 710 If the status of the address is DEPRECATED, the status is changed to 711 UNVERIFIED. If the address is not already bound, the address is 712 added, and its status is set to UNVERIFIED. Mark all addresses 713 corresponding to the SPI that were NOT listed in the LOCATOR_SET 714 parameter as DEPRECATED. 716 As a result, at the end of processing, the addresses listed in the 717 LOCATOR_SET parameter have either a state of UNVERIFIED or ACTIVE, 718 and any old addresses on the old SA not listed in the LOCATOR_SET 719 parameter have a state of DEPRECATED. 721 Once the host has processed the locators, if the LOCATOR_SET 722 parameter contains a new Preferred locator, the host SHOULD initiate 723 a change of the Preferred locator. This requires that the host first 724 verifies reachability of the associated address, and only then 725 changes the Preferred locator; see Section 6.4. 727 If a host receives a locator with an unsupported Locator Type, and 728 when such a locator is also declared to be the Preferred locator for 729 the peer, the host SHOULD send a NOTIFY error with a Notify Message 730 Type of LOCATOR_TYPE_UNSUPPORTED, with the Notification Data field 731 containing the locator(s) that the receiver failed to process. 732 Otherwise, a host MAY send a NOTIFY error if a (non-preferred) 733 locator with an unsupported Locator Type is received in a LOCATOR_SET 734 parameter. 736 6.3. Verifying Address Reachability 738 Address verification is defined in [I-D.ietf-hip-rfc5206-bis]. 740 When address verification is in progress for a new Preferred locator, 741 the host SHOULD select a different locator listed as ACTIVE, if one 742 such locator is available, to continue communications until address 743 verification completes. Alternatively, the host MAY use the new 744 Preferred locator while in UNVERIFIED status to the extent Credit- 745 Based Authorization permits. Credit-Based Authorization is explained 746 in [I-D.ietf-hip-rfc5206-bis]. Once address verification succeeds, 747 the status of the new Preferred locator changes to ACTIVE. 749 6.4. Changing the Preferred Locator 751 A host MAY want to change the Preferred outgoing locator for 752 different reasons, e.g., because traffic information or ICMP error 753 messages indicate that the currently used preferred address may have 754 become unreachable. Another reason may be due to receiving a 755 LOCATOR_SET parameter that has the "P" bit set. 757 To change the Preferred locator, the host initiates the following 758 procedure: 760 1. If the new Preferred locator has ACTIVE status, the Preferred 761 locator is changed and the procedure succeeds. 763 2. If the new Preferred locator has UNVERIFIED status, the host 764 starts to verify its reachability. The host SHOULD use a 765 different locator listed as ACTIVE until address verification 766 completes if one such locator is available. Alternatively, the 767 host MAY use the new Preferred locator, even though in UNVERIFIED 768 status, to the extent Credit-Based Authorization permits. Once 769 address verification succeeds, the status of the new Preferred 770 locator changes to ACTIVE and its use is no longer governed by 771 Credit-Based Authorization. 773 3. If the peer host has not indicated a preference for any address, 774 then the host picks one of the peer's ACTIVE addresses randomly 775 or according to policy. This case may arise if, for example, 776 ICMP error messages that deprecate the Preferred locator arrive, 777 but the peer has not yet indicated a new Preferred locator. 779 4. If the new Preferred locator has DEPRECATED status and there is 780 at least one non-deprecated address, the host selects one of the 781 non-deprecated addresses as a new Preferred locator and 782 continues. If the selected address is UNVERIFIED, the address 783 verification procedure described above will apply. 785 7. Security Considerations 787 Security considerations are addressed in [I-D.ietf-hip-rfc5206-bis]. 789 8. IANA Considerations 791 This document has no new IANA considerations. 793 9. Authors and Acknowledgments 795 This document contains content that was originally included in 796 RFC5206. Pekka Nikander and Jari Arkko originated RFC5206, and 797 Christian Vogt and Thomas Henderson (editor) later joined as co- 798 authors. Also in RFC5206, Greg Perkins contributed the initial draft 799 of the security section, and Petri Jokela was a co-author of the 800 initial individual submission. 802 The authors thank Miika Komu, Mika Kousa, Jeff Ahrenholz, and Jan 803 Melen for many improvements to the document. 805 10. References 807 10.1. Normative references 809 [I-D.ietf-hip-rfc5206-bis] 810 Henderson, T., Vogt, C., and J. Arkko, "Host Mobility with 811 the Host Identity Protocol", draft-ietf-hip-rfc5206-bis-09 812 (work in progress), July 2015. 814 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 815 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 816 RFC2119, March 1997, 817 . 819 [RFC3484] Draves, R., "Default Address Selection for Internet 820 Protocol version 6 (IPv6)", RFC 3484, DOI 10.17487/ 821 RFC3484, February 2003, 822 . 824 [RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T. 825 Henderson, "Host Identity Protocol Version 2 (HIPv2)", RFC 826 7401, DOI 10.17487/RFC7401, April 2015, 827 . 829 [RFC7402] Jokela, P., Moskowitz, R., and J. Melen, "Using the 830 Encapsulating Security Payload (ESP) Transport Format with 831 the Host Identity Protocol (HIP)", RFC 7402, DOI 10.17487/ 832 RFC7402, April 2015, 833 . 835 10.2. Informative references 837 [I-D.ietf-hip-rfc4423-bis] 838 Moskowitz, R. and M. Komu, "Host Identity Protocol 839 Architecture", draft-ietf-hip-rfc4423-bis-12 (work in 840 progress), June 2015. 842 [I-D.ietf-hip-rfc5204-bis] 843 Laganier, J. and L. Eggert, "Host Identity Protocol (HIP) 844 Rendezvous Extension", draft-ietf-hip-rfc5204-bis-06 (work 845 in progress), June 2015. 847 [RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming 848 Shim Protocol for IPv6", RFC 5533, DOI 10.17487/RFC5533, 849 June 2009, . 851 Appendix A. Document Revision History 853 To be removed upon publication 855 +----------+--------------------------------------------------------+ 856 | Revision | Comments | 857 +----------+--------------------------------------------------------+ 858 | draft-00 | Initial version with multihoming text imported from | 859 | | RFC5206. | 860 | | | 861 | draft-01 | Document refresh; no other changes. | 862 | | | 863 | draft-02 | Document refresh; no other changes. | 864 | | | 865 | draft-03 | Document refresh; no other changes. | 866 | | | 867 | draft-04 | Document refresh; no other changes. | 868 | | | 869 | draft-05 | Move remaining multihoming material from RFC5206-bis | 870 | | to this document | 871 | | | 872 | | Update lingering references to LOCATOR parameter to | 873 | | LOCATOR_SET | 874 +----------+--------------------------------------------------------+ 876 Authors' Addresses 878 Thomas R. Henderson (editor) 879 University of Washington 880 Campus Box 352500 881 Seattle, WA 882 USA 884 EMail: tomhend@u.washington.edu 886 Christian Vogt 887 Ericsson Research NomadicLab 888 Hirsalantie 11 889 JORVAS FIN-02420 890 FINLAND 892 EMail: christian.vogt@ericsson.com 893 Jari Arkko 894 Ericsson Research NomadicLab 895 JORVAS FIN-02420 896 FINLAND 898 Phone: +358 40 5079256 899 EMail: jari.arkko@ericsson.com