idnits 2.17.1 draft-ietf-hip-multihoming-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 31, 2016) is 3007 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'I-D.ietf-hip-rfc5204-bis' is defined on line 831, but no explicit reference was found in the text == Outdated reference: A later version (-14) exists of draft-ietf-hip-rfc5206-bis-09 ** Obsolete normative reference: RFC 3484 (Obsoleted by RFC 6724) == Outdated reference: A later version (-08) exists of draft-ietf-hip-rfc5204-bis-07 Summary: 1 error (**), 0 flaws (~~), 5 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group T. Henderson, Ed. 3 Internet-Draft University of Washington 4 Intended status: Standards Track C. Vogt 5 Expires: August 3, 2016 J. Arkko 6 Ericsson Research NomadicLab 7 January 31, 2016 9 Host Multihoming with the Host Identity Protocol 10 draft-ietf-hip-multihoming-07 12 Abstract 14 This document defines host multihoming extensions to the Host 15 Identity Protocol (HIP), by leveraging protocol components defined 16 for host mobility. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on August 3, 2016. 35 Copyright Notice 37 Copyright (c) 2016 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 This document may contain material from IETF Documents or IETF 51 Contributions published or made publicly available before November 52 10, 2008. The person(s) controlling the copyright in some of this 53 material may not have granted the IETF Trust the right to allow 54 modifications of such material outside the IETF Standards Process. 55 Without obtaining an adequate license from the person(s) controlling 56 the copyright in such materials, this document may not be modified 57 outside the IETF Standards Process, and derivative works of it may 58 not be created outside the IETF Standards Process, except to format 59 it for publication as an RFC or to translate it into languages other 60 than English. 62 Table of Contents 64 1. Introduction and Scope . . . . . . . . . . . . . . . . . . . 2 65 2. Terminology and Conventions . . . . . . . . . . . . . . . . . 3 66 3. Protocol Model . . . . . . . . . . . . . . . . . . . . . . . 4 67 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 4 68 4.1. Host Multihoming . . . . . . . . . . . . . . . . . . . . 5 69 4.2. Site Multihoming . . . . . . . . . . . . . . . . . . . . 6 70 4.3. Dual host multihoming . . . . . . . . . . . . . . . . . . 7 71 4.4. Combined Mobility and Multihoming . . . . . . . . . . . . 7 72 4.5. Initiating the Protocol in R1 or I2 . . . . . . . . . . . 8 73 4.6. Using LOCATOR_SETs across Addressing Realms . . . . . . . 9 74 5. Other Considerations . . . . . . . . . . . . . . . . . . . . 9 75 5.1. Address Verification . . . . . . . . . . . . . . . . . . 9 76 5.2. Preferred Locator . . . . . . . . . . . . . . . . . . . . 10 77 5.3. Interaction with Security Associations . . . . . . . . . 10 78 6. Processing Rules . . . . . . . . . . . . . . . . . . . . . . 12 79 6.1. Sending LOCATOR_SETs . . . . . . . . . . . . . . . . . . 12 80 6.2. Handling Received LOCATOR_SETs . . . . . . . . . . . . . 14 81 6.3. Verifying Address Reachability . . . . . . . . . . . . . 16 82 6.4. Changing the Preferred Locator . . . . . . . . . . . . . 16 83 7. Security Considerations . . . . . . . . . . . . . . . . . . . 17 84 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 85 9. Authors and Acknowledgments . . . . . . . . . . . . . . . . . 17 86 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 87 10.1. Normative references . . . . . . . . . . . . . . . . . . 17 88 10.2. Informative references . . . . . . . . . . . . . . . . . 18 89 Appendix A. Document Revision History . . . . . . . . . . . . . 19 90 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 92 1. Introduction and Scope 94 The Host Identity Protocol [RFC7401] (HIP) supports an architecture 95 that decouples the transport layer (TCP, UDP, etc.) from the 96 internetworking layer (IPv4 and IPv6) by using public/private key 97 pairs, instead of IP addresses, as host identities. When a host uses 98 HIP, the overlying protocol sublayers (e.g., transport layer sockets 99 and Encapsulating Security Payload (ESP) Security Associations (SAs)) 100 are instead bound to representations of these host identities, and 101 the IP addresses are only used for packet forwarding. However, each 102 host must also know at least one IP address at which its peers are 103 reachable. Initially, these IP addresses are the ones used during 104 the HIP base exchange. 106 One consequence of such a decoupling is that new solutions to 107 network-layer mobility and host multihoming are possible. Basic host 108 mobility is defined in [I-D.ietf-hip-rfc5206-bis] and covers the case 109 in which a host has a single address and changes its network point- 110 of-attachment while desiring to preserve the HIP-enabled security 111 association. Host multihoming is somewhat of a dual case to host 112 mobility, in that a host may simultaneously have more than one 113 network point-of-attachment. There are potentially many variations 114 of host multihoming possible. The scope of this document encompasses 115 messaging and elements of procedure for some basic host multihoming 116 scenarios of interest. 118 Another variation of multihoming that has been heavily studied is 119 site multihoming. Solutions for site multihoming in IPv6 networks 120 have been specified by the IETF shim6 working group. The shim6 121 protocol [RFC5533] bears many architectural similarities to HIP but 122 there are differences in the security model and in the protocol. 124 While HIP can potentially be used with transports other than the ESP 125 transport format [RFC7402], this document largely assumes the use of 126 ESP and leaves other transport formats for further study. 128 Finally, making underlying IP multihoming transparent to the 129 transport layer has implications on the proper response of transport 130 congestion control, path MTU selection, and Quality of Service (QoS). 131 Transport-layer mobility triggers, and the proper transport response 132 to a HIP multihoming address change, are outside the scope of this 133 document. 135 2. Terminology and Conventions 137 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 138 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 139 document are to be interpreted as described in RFC 2119 [RFC2119]. 141 The following terms used in this document are defined in 142 [I-D.ietf-hip-rfc5206-bis]: LOCATOR_SET, Locator, Address, Preferred 143 locator, and Credit Based Authorization. 145 3. Protocol Model 147 The protocol model for HIP support of host multihoming extends the 148 model for host mobility described in Section 3 of 149 [I-D.ietf-hip-rfc5206-bis]. This section only highlights the 150 differences. 152 In host multihoming, a host has multiple locators simultaneously 153 rather than sequentially, as in the case of mobility. By using the 154 LOCATOR_SET parameter defined in [I-D.ietf-hip-rfc5206-bis], a host 155 can inform its peers of additional (multiple) locators at which it 156 can be reached. When multiple locators are available and announced 157 to the peer, a host can designate a particular locator as a 158 "preferred" locator, meaning that the host prefers that its peer send 159 packets to the designated address before trying an alternative 160 address. Although this document defines a basic mechanism for 161 multihoming, it does not define all possible policies and procedures, 162 such as which locators to choose when more than one pair is 163 available, the operation of simultaneous mobility and multihoming, 164 source address selection policies (beyond those specified in 165 [RFC3484]), and the implications of multihoming on transport 166 protocols and ESP anti-replay windows. 168 4. Protocol Overview 170 In this section, we briefly introduce a number of usage scenarios for 171 HIP multihoming. These scenarios assume that HIP is being used with 172 the ESP transform [RFC7402], although other scenarios may be defined 173 in the future. To understand these usage scenarios, the reader 174 should be at least minimally familiar with the HIP protocol 175 specification [RFC7401]. However, for the (relatively) uninitiated 176 reader, it is most important to keep in mind that in HIP the actual 177 payload traffic is protected with ESP, and that the ESP SPI acts as 178 an index to the right host-to-host context. 180 The scenarios below assume that the two hosts have completed a single 181 HIP base exchange with each other. Both of the hosts therefore have 182 one incoming and one outgoing SA. Further, each SA uses the same 183 pair of IP addresses, which are the ones used in the base exchange. 185 The readdressing protocol is an asymmetric protocol where a mobile or 186 multihomed host informs a peer host about changes of IP addresses on 187 affected SPIs. The readdressing exchange is designed to be 188 piggybacked on existing HIP exchanges. The majority of the packets 189 on which the LOCATOR_SET parameters are expected to be carried are 190 UPDATE packets. However, some implementations may want to experiment 191 with sending LOCATOR_SET parameters also on other packets, such as 192 R1, I2, and NOTIFY. 194 The scenarios below at times describe addresses as being in either an 195 ACTIVE, VERIFIED, or DEPRECATED state. From the perspective of a 196 host, newly-learned addresses of the peer must be verified before put 197 into active service, and addresses removed by the peer are put into a 198 deprecated state. Under limited conditions described in 199 [I-D.ietf-hip-rfc5206-bis], an UNVERIFIED address may be used. 201 Hosts that use link-local addresses as source addresses in their HIP 202 handshakes may not be reachable by a mobile peer. Such hosts SHOULD 203 provide a globally routable address either in the initial handshake 204 or via the LOCATOR_SET parameter. 206 4.1. Host Multihoming 208 A (mobile or stationary) host may sometimes have more than one 209 interface or global address. The host may notify the peer host of 210 the additional interface or address by using the LOCATOR_SET 211 parameter. To avoid problems with the ESP anti-replay window, a host 212 SHOULD use a different SA for each interface or address used to 213 receive packets from the peer host when multiple locator pairs are 214 being used simultaneously rather than sequentially. 216 When more than one locator is provided to the peer host, the host 217 SHOULD indicate which locator is preferred (the locator on which the 218 host prefers to receive traffic). By default, the addresses used in 219 the base exchange are preferred until indicated otherwise. 221 In the multihoming case, the sender may also have multiple valid 222 locators from which to source traffic. In practice, a HIP 223 association in a multihoming configuration may have both a preferred 224 peer locator and a preferred local locator, although rules for source 225 address selection should ultimately govern the selection of the 226 source locator based on the destination locator. 228 Although the protocol may allow for configurations in which there is 229 an asymmetric number of SAs between the hosts (e.g., one host has two 230 interfaces and two inbound SAs, while the peer has one interface and 231 one inbound SA), it is RECOMMENDED that inbound and outbound SAs be 232 created pairwise between hosts. When an ESP_INFO arrives to rekey a 233 particular outbound SA, the corresponding inbound SA should be also 234 rekeyed at that time. Although asymmetric SA configurations might be 235 experimented with, their usage may constrain interoperability at this 236 time. However, it is recommended that implementations attempt to 237 support peers that prefer to use non-paired SAs. 239 Consider the case between two hosts, one single-homed and one 240 multihomed. The multihomed host may decide to inform the single- 241 homed host about its other address. It is RECOMMENDED that the 242 multihomed host set up a new SA pair for use on this new address. To 243 do this, the multihomed host sends a LOCATOR_SET with an ESP_INFO, 244 indicating the request for a new SA by setting the OLD SPI value to 245 zero, and the NEW SPI value to the newly created incoming SPI. A 246 Locator Type of "1" is used to associate the new address with the new 247 SPI. The LOCATOR_SET parameter also contains a second Type "1" 248 locator, that of the original address and SPI. To simplify parameter 249 processing and avoid explicit protocol extensions to remove locators, 250 each LOCATOR_SET parameter MUST list all locators in use on a 251 connection (a complete listing of inbound locators and SPIs for the 252 host). The multihomed host waits for an ESP_INFO (new outbound SA) 253 from the peer and an ACK of its own UPDATE. As in the mobility case, 254 the peer host must perform an address verification before actively 255 using the new address. Figure 1 illustrates this scenario. 257 Multi-homed Host Peer Host 259 UPDATE(ESP_INFO, LOCATOR_SET, SEQ, [DIFFIE_HELLMAN]) 260 -----------------------------------> 261 UPDATE(ESP_INFO, SEQ, ACK, [DIFFIE_HELLMAN,] ECHO_REQUEST) 262 <----------------------------------- 263 UPDATE(ACK, ECHO_RESPONSE) 264 -----------------------------------> 266 Figure 1: Basic Multihoming Scenario 268 In multihoming scenarios, it is important that hosts receiving 269 UPDATEs associate them correctly with the destination address used in 270 the packet carrying the UPDATE. When processing inbound LOCATOR_SETs 271 that establish new security associations on an interface with 272 multiple addresses, a host uses the destination address of the UPDATE 273 containing the LOCATOR_SET as the local address to which the 274 LOCATOR_SET plus ESP_INFO is targeted. This is because hosts may 275 send UPDATEs with the same (locator) IP address to different peer 276 addresses -- this has the effect of creating multiple inbound SAs 277 implicitly affiliated with different peer source addresses. 279 4.2. Site Multihoming 281 A host may have an interface that has multiple globally routable IP 282 addresses. Such a situation may be a result of the site having 283 multiple upper Internet Service Providers, or just because the site 284 provides all hosts with both IPv4 and IPv6 addresses. The host 285 should stay reachable at all or any subset of the currently available 286 global routable addresses, independent of how they are provided. 288 This case is handled the same as if there were different IP 289 addresses, described above in Section 4.1. Note that a single 290 interface may experience site multihoming while the host itself may 291 have multiple interfaces. 293 Note that a host may be multihomed and mobile simultaneously, and 294 that a multihomed host may want to protect the location of some of 295 its interfaces while revealing the real IP address of some others. 297 This document does not presently additional site multihoming 298 extensions to HIP; such extensions are for further study. 300 4.3. Dual host multihoming 302 Consider the case in which both hosts would like to add an additional 303 address after the base exchange completes. In Figure 2, consider 304 that host1, which used address addr1a in the base exchange to set up 305 SPI1a and SPI2a, wants to add address addr1b. It would send an 306 UPDATE with LOCATOR_SET (containing the address addr1b) to host2, 307 using destination address addr2a, and a new set of SPIs would be 308 added between hosts 1 and 2 (call them SPI1b and SPI2b -- not shown 309 in the figure). Next, consider host2 deciding to add addr2b to the 310 relationship. Host2 must select one of host1's addresses towards 311 which to initiate an UPDATE. It may choose to initiate an UPDATE to 312 addr1a, addr1b, or both. If it chooses to send to both, then a full 313 mesh (four SA pairs) of SAs would exist between the two hosts. This 314 is the most general case; it often may be the case that hosts 315 primarily establish new SAs only with the peer's Preferred locator. 316 The readdressing protocol is flexible enough to accommodate this 317 choice. 319 -<- SPI1a -- -- SPI2a ->- 320 host1 < > addr1a <---> addr2a < > host2 321 ->- SPI2a -- -- SPI1a -<- 323 addr1b <---> addr2a (second SA pair) 324 addr1a <---> addr2b (third SA pair) 325 addr1b <---> addr2b (fourth SA pair) 327 Figure 2: Dual Multihoming Case in Which Each Host Uses LOCATOR_SET 328 to Add a Second Address 330 4.4. Combined Mobility and Multihoming 332 It looks likely that in the future, many mobile hosts will be 333 simultaneously mobile and multihomed, i.e., have multiple mobile 334 interfaces. Furthermore, if the interfaces use different access 335 technologies, it is fairly likely that one of the interfaces may 336 appear stable (retain its current IP address) while some other(s) may 337 experience mobility (undergo IP address change). 339 The use of LOCATOR_SET plus ESP_INFO should be flexible enough to 340 handle most such scenarios, although more complicated scenarios have 341 not been studied so far. 343 4.5. Initiating the Protocol in R1 or I2 345 A Responder host MAY include a LOCATOR_SET parameter in the R1 packet 346 that it sends to the Initiator. This parameter MUST be protected by 347 the R1 signature. If the R1 packet contains LOCATOR_SET parameters 348 with a new Preferred locator, the Initiator SHOULD directly set the 349 new Preferred locator to status ACTIVE without performing address 350 verification first, and MUST send the I2 packet to the new Preferred 351 locator. The I1 destination address and the new Preferred locator 352 may be identical. All new non-preferred locators must still undergo 353 address verification once the base exchange completes. 355 Initiator Responder 357 R1 with LOCATOR_SET 358 <----------------------------------- 359 record additional addresses 360 change responder address 361 I2 sent to newly indicated preferred address 362 -----------------------------------> 363 (process normally) 364 R2 365 <----------------------------------- 366 (process normally, later verification of non-preferred locators) 368 Figure 3: LOCATOR_SET Inclusion in R1 370 An Initiator MAY include one or more LOCATOR_SET parameters in the I2 371 packet, independent of whether or not there was a LOCATOR_SET 372 parameter in the R1. These parameters MUST be protected by the I2 373 signature. Even if the I2 packet contains LOCATOR_SET parameters, 374 the Responder MUST still send the R2 packet to the source address of 375 the I2. The new Preferred locator SHOULD be identical to the I2 376 source address. If the I2 packet contains LOCATOR_SET parameters, 377 all new locators must undergo address verification as usual, and the 378 ESP traffic that subsequently follows should use the Preferred 379 locator. 381 Initiator Responder 383 I2 with LOCATOR_SET 384 -----------------------------------> 385 (process normally) 386 record additional addresses 387 R2 sent to source address of I2 388 <----------------------------------- 389 (process normally) 391 Figure 4: LOCATOR_SET Inclusion in I2 393 The I1 and I2 may be arriving from different source addresses if the 394 LOCATOR_SET parameter is present in R1. In this case, 395 implementations simultaneously using multiple pre-created R1s, 396 indexed by Initiator IP addresses, may inadvertently fail the puzzle 397 solution of I2 packets due to a perceived puzzle mismatch. See, for 398 instance, the example in Appendix A of [RFC7401]. As a solution, the 399 Responder's puzzle indexing mechanism must be flexible enough to 400 accommodate the situation when R1 includes a LOCATOR_SET parameter. 402 4.6. Using LOCATOR_SETs across Addressing Realms 404 It is possible for HIP associations to migrate to a state in which 405 both parties are only using locators in different addressing realms. 406 For example, the two hosts may initiate the HIP association when both 407 are using IPv6 locators, then one host may loose its IPv6 408 connectivity and obtain an IPv4 address. In such a case, some type 409 of mechanism for interworking between the different realms must be 410 employed; such techniques are outside the scope of the present text. 411 The basic problem in this example is that the host readdressing to 412 IPv4 does not know a corresponding IPv4 address of the peer. This 413 may be handled (experimentally) by possibly configuring this address 414 information manually or in the DNS, or the hosts exchange both IPv4 415 and IPv6 addresses in the locator. 417 5. Other Considerations 419 5.1. Address Verification 421 An address verification method is specified in 422 [I-D.ietf-hip-rfc5206-bis]. It is expected that addresses learned in 423 multihoming scenarios also are subject to the same verification 424 rules. 426 5.2. Preferred Locator 428 When a host has multiple locators, the peer host must decide which to 429 use for outbound packets. It may be that a host would prefer to 430 receive data on a particular inbound interface. HIP allows a 431 particular locator to be designated as a Preferred locator and 432 communicated to the peer. 434 In general, when multiple locators are used for a session, there is 435 the question of using multiple locators for failover only or for 436 load-balancing. Due to the implications of load-balancing on the 437 transport layer that still need to be worked out, this document 438 assumes that multiple locators are used primarily for failover. An 439 implementation may use ICMP interactions, reachability checks, or 440 other means to detect the failure of a locator. 442 5.3. Interaction with Security Associations 444 This document uses the HIP LOCATOR_SET protocol parameter, specified 445 in [I-D.ietf-hip-rfc5206-bis]), that allows the hosts to exchange 446 information about their locator(s) and any changes in their 447 locator(s). The logical structure created with LOCATOR_SET 448 parameters has three levels: hosts, Security Associations (SAs) 449 indexed by Security Parameter Indices (SPIs), and addresses. 451 The relation between these levels for an association constructed as 452 defined in the base specification [RFC7401] and ESP transform 453 [RFC7402] is illustrated in Figure 5. 455 -<- SPI1a -- -- SPI2a ->- 456 host1 < > addr1a <---> addr2a < > host2 457 ->- SPI2a -- -- SPI1a -<- 459 Figure 5: Relation between Hosts, SPIs, and Addresses (Base 460 Specification) 462 In Figure 5, host1 and host2 negotiate two unidirectional SAs, and 463 each host selects the SPI value for its inbound SA. The addresses 464 addr1a and addr2a are the source addresses that the hosts use in the 465 base HIP exchange. These are the "preferred" (and only) addresses 466 conveyed to the peer for use on each SA. That is, although packets 467 sent to any of the hosts' interfaces may be accepted on the inbound 468 SA, the peer host in general knows of only the single destination 469 address learned in the base exchange (e.g., for host1, it sends a 470 packet on SPI2a to addr2a to reach host2), unless other mechanisms 471 exist to learn of new addresses. 473 In general, the bindings that exist in an implementation 474 corresponding to this document can be depicted as shown in Figure 6. 475 In this figure, a host can have multiple inbound SPIs (and, not 476 shown, multiple outbound SPIs) associated with another host. 477 Furthermore, each SPI may have multiple addresses associated with it. 478 These addresses that are bound to an SPI are not used to lookup the 479 incoming SA. Rather, the addresses are those that are provided to 480 the peer host, as hints for which addresses to use to reach the host 481 on that SPI. The LOCATOR_SET parameter is used to change the set of 482 addresses that a peer associates with a particular SPI. 484 address11 485 / 486 SPI1 - address12 487 / 488 / address21 489 host -- SPI2 < 490 \ address22 491 \ 492 SPI3 - address31 493 \ 494 address32 496 Figure 6: Relation between Hosts, SPIs, and Addresses (General Case) 498 A host may establish any number of security associations (or SPIs) 499 with a peer. The main purpose of having multiple SPIs with a peer is 500 to group the addresses into collections that are likely to experience 501 fate sharing. For example, if the host needs to change its addresses 502 on SPI2, it is likely that both address21 and address22 will 503 simultaneously become obsolete. In a typical case, such SPIs may 504 correspond with physical interfaces; see below. Note, however, that 505 especially in the case of site multihoming, one of the addresses may 506 become unreachable while the other one still works. In the typical 507 case, however, this does not require the host to inform its peers 508 about the situation, since even the non-working address still 509 logically exists. 511 A basic property of HIP SAs is that the inbound IP address is not 512 used to lookup the incoming SA. Therefore, in Figure 6, it may seem 513 unnecessary for address31, for example, to be associated only with 514 SPI3 -- in practice, a packet may arrive to SPI1 via destination 515 address address31 as well. However, the use of different source and 516 destination addresses typically leads to different paths, with 517 different latencies in the network, and if packets were to arrive via 518 an arbitrary destination IP address (or path) for a given SPI, the 519 reordering due to different latencies may cause some packets to fall 520 outside of the ESP anti-replay window. For this reason, HIP provides 521 a mechanism to affiliate destination addresses with inbound SPIs, 522 when there is a concern that anti-replay windows might be violated. 523 In this sense, we can say that a given inbound SPI has an "affinity" 524 for certain inbound IP addresses, and this affinity is communicated 525 to the peer host. Each physical interface SHOULD have a separate SA, 526 unless the ESP anti-replay window is loose. 528 Moreover, even when the destination addresses used for a particular 529 SPI are held constant, the use of different source interfaces may 530 also cause packets to fall outside of the ESP anti-replay window, 531 since the path traversed is often affected by the source address or 532 interface used. A host has no way to influence the source interface 533 on which a peer sends its packets on a given SPI. A host SHOULD 534 consistently use the same source interface and address when sending 535 to a particular destination IP address and SPI. For this reason, a 536 host may find it useful to change its SPI or at least reset its ESP 537 anti-replay window when the peer host readdresses. 539 An address may appear on more than one SPI. This creates no 540 ambiguity since the receiver will ignore the IP addresses during SA 541 lookup anyway. However, this document does not specify such cases. 543 When the LOCATOR_SET parameter is sent in an UPDATE packet, then the 544 receiver will respond with an UPDATE acknowledgment. When the 545 LOCATOR_SET parameter is sent in an R1 or I2 packet, the base 546 exchange retransmission mechanism will confirm its successful 547 delivery. LOCATOR_SETs may experimentally be used in NOTIFY packets; 548 in this case, the recipient MUST consider the LOCATOR_SET as 549 informational and not immediately change the current preferred 550 address, but can test the additional locators when the need arises. 551 The use of the LOCATOR_SET in a NOTIFY message may not be compatible 552 with middleboxes. 554 6. Processing Rules 556 Basic processing rules for the LOCATOR_SET parameter are specified in 557 [I-D.ietf-hip-rfc5206-bis]. This document focuses on multihoming- 558 specific rules. 560 6.1. Sending LOCATOR_SETs 562 The decision of when to send a LOCATOR_SET, and which addresses to 563 include, is a local policy issue. [I-D.ietf-hip-rfc5206-bis] 564 recommends that a host send a LOCATOR_SET whenever it recognizes a 565 change of its IP addresses in use on an active HIP association, and 566 assumes that the change is going to last at least for a few seconds. 567 It is possible to delay the exposure of additional locators to the 568 peer, and to send data from previously unannounced locators, as might 569 arise in certain mobility or multihoming situations. 571 When a host decides to inform its peers about changes in its IP 572 addresses, it has to decide how to group the various addresses with 573 SPIs. The grouping should consider also whether middlebox 574 interaction requires sending the same LOCATOR_SET in separate UPDATEs 575 on different paths. Since each SPI is associated with a different 576 Security Association, the grouping policy may also be based on ESP 577 anti-replay protection considerations. In the typical case, simply 578 basing the grouping on actual kernel level physical and logical 579 interfaces may be the best policy. Grouping policy is outside of the 580 scope of this document. 582 Locators corresponding to tunnel interfaces (e.g. IPsec tunnel 583 interfaces or Mobile IP home addresses) or other virtual interfaces 584 MAY be announced in a LOCATOR_SET, but implementations SHOULD avoid 585 announcing such locators as preferred locators if more direct paths 586 may be obtained by instead preferring locators from non-tunneling 587 interfaces if such locators provide a more direct path to the HIP 588 peer. 590 Hosts MUST NOT announce broadcast or multicast addresses in 591 LOCATOR_SETs. Link-local addresses MAY be announced to peers that 592 are known to be neighbors on the same link, such as when the IP 593 destination address of a peer is also link-local. The announcement 594 of link-local addresses in this case is a policy decision; link-local 595 addresses used as Preferred locators will create reachability 596 problems when the host moves to another link. In any case, link- 597 local addresses MUST NOT be announced to a peer unless that peer is 598 known to be on the same link. 600 Once the host has decided on the groups and assignment of addresses 601 to the SPIs, it creates a LOCATOR_SET parameter that serves as a 602 complete representation of the addresses and affiliated SPIs intended 603 for active use. We now describe a few cases introduced in Section 4. 604 We assume that the Traffic Type for each locator is set to "0" (other 605 values for Traffic Type may be specified in documents that separate 606 the HIP control plane from data plane traffic). Other mobility and 607 multihoming cases are possible but are left for further 608 experimentation. 610 1. Host multihoming (addition of an address). We only describe the 611 simple case of adding an additional address to a (previously) 612 single-homed, non-mobile host. The host SHOULD set up a new SA 613 pair between this new address and the preferred address of the 614 peer host. To do this, the multihomed host creates a new inbound 615 SA and creates a new SPI. For the outgoing UPDATE message, it 616 inserts an ESP_INFO parameter with an OLD SPI field of "0", a NEW 617 SPI field corresponding to the new SPI, and a KEYMAT Index as 618 selected by local policy. The host adds to the UPDATE message a 619 LOCATOR_SET with two Type "1" Locators: the original address and 620 SPI active on the association, and the new address and new SPI 621 being added (with the SPI matching the NEW SPI contained in the 622 ESP_INFO). The Preferred bit SHOULD be set depending on the 623 policy to tell the peer host which of the two locators is 624 preferred. The UPDATE also contains a SEQ parameter and 625 optionally a DIFFIE_HELLMAN parameter, and follows rekeying 626 procedures with respect to this new address. The UPDATE message 627 SHOULD be sent to the peer's Preferred address with a source 628 address corresponding to the new locator. 630 The sending of multiple LOCATOR_SETs, locators with Locator Type "0", 631 and multiple ESP_INFO parameters is for further study. Note that the 632 inclusion of LOCATOR_SET in an R1 packet requires the use of Type "0" 633 locators since no SAs are set up at that point. 635 6.2. Handling Received LOCATOR_SETs 637 A host SHOULD be prepared to receive a LOCATOR_SET parameter in the 638 following HIP packets: R1, I2, UPDATE, and NOTIFY. 640 This document describes sending both ESP_INFO and LOCATOR_SET 641 parameters in an UPDATE. The ESP_INFO parameter is included when 642 there is a need to rekey or key a new SPI, and is otherwise included 643 for the possible benefit of HIP-aware middleboxes. The LOCATOR_SET 644 parameter contains a complete map of the locators that the host 645 wishes to make or keep active for the HIP association. 647 In general, the processing of a LOCATOR_SET depends upon the packet 648 type in which it is included. Here, we describe only the case in 649 which ESP_INFO is present and a single LOCATOR_SET and ESP_INFO are 650 sent in an UPDATE message; other cases are for further study. The 651 steps below cover each of the cases described in Section 6.1. 653 The processing of ESP_INFO and LOCATOR_SET parameters is intended to 654 be modular and support future generalization to the inclusion of 655 multiple ESP_INFO and/or multiple LOCATOR_SET parameters. A host 656 SHOULD first process the ESP_INFO before the LOCATOR_SET, since the 657 ESP_INFO may contain a new SPI value mapped to an existing SPI, while 658 a Type "1" locator will only contain a reference to the new SPI. 660 When a host receives a validated HIP UPDATE with a LOCATOR_SET and 661 ESP_INFO parameter, it processes the ESP_INFO as follows. The 662 ESP_INFO parameter indicates whether an SA is being rekeyed, created, 663 deprecated, or just identified for the benefit of middleboxes. The 664 host examines the OLD SPI and NEW SPI values in the ESP_INFO 665 parameter: 667 1. (no rekeying) If the OLD SPI is equal to the NEW SPI and both 668 correspond to an existing SPI, the ESP_INFO is gratuitous 669 (provided for middleboxes) and no rekeying is necessary. 671 2. (rekeying) If the OLD SPI indicates an existing SPI and the NEW 672 SPI is a different non-zero value, the existing SA is being 673 rekeyed and the host follows HIP ESP rekeying procedures by 674 creating a new outbound SA with an SPI corresponding to the NEW 675 SPI, with no addresses bound to this SPI. Note that locators in 676 the LOCATOR_SET parameter will reference this new SPI instead of 677 the old SPI. 679 3. (new SA) If the OLD SPI value is zero and the NEW SPI is a new 680 non-zero value, then a new SA is being requested by the peer. 681 This case is also treated like a rekeying event; the receiving 682 host must create a new SA and respond with an UPDATE ACK. 684 4. (deprecating the SA) If the OLD SPI indicates an existing SPI and 685 the NEW SPI is zero, the SA is being deprecated and all locators 686 uniquely bound to the SPI are put into the DEPRECATED state. 688 If none of the above cases apply, a protocol error has occurred and 689 the processing of the UPDATE is stopped. 691 Next, the locators in the LOCATOR_SET parameter are processed. For 692 each locator listed in the LOCATOR_SET parameter, check that the 693 address therein is a legal unicast or anycast address. That is, the 694 address MUST NOT be a broadcast or multicast address. Note that some 695 implementations MAY accept addresses that indicate the local host, 696 since it may be allowed that the host runs HIP with itself. 698 The below assumes that all locators are of Type "1" with a Traffic 699 Type of "0"; other cases are for further study. 701 For each Type "1" address listed in the LOCATOR_SET parameter, the 702 host checks whether the address is already bound to the SPI 703 indicated. If the address is already bound, its lifetime is updated. 704 If the status of the address is DEPRECATED, the status is changed to 705 UNVERIFIED. If the address is not already bound, the address is 706 added, and its status is set to UNVERIFIED. Mark all addresses 707 corresponding to the SPI that were NOT listed in the LOCATOR_SET 708 parameter as DEPRECATED. 710 As a result, at the end of processing, the addresses listed in the 711 LOCATOR_SET parameter have either a state of UNVERIFIED or ACTIVE, 712 and any old addresses on the old SA not listed in the LOCATOR_SET 713 parameter have a state of DEPRECATED. 715 Once the host has processed the locators, if the LOCATOR_SET 716 parameter contains a new Preferred locator, the host SHOULD initiate 717 a change of the Preferred locator. This requires that the host first 718 verifies reachability of the associated address, and only then 719 changes the Preferred locator; see Section 6.4. 721 If a host receives a locator with an unsupported Locator Type, and 722 when such a locator is also declared to be the Preferred locator for 723 the peer, the host SHOULD send a NOTIFY error with a Notify Message 724 Type of LOCATOR_TYPE_UNSUPPORTED, with the Notification Data field 725 containing the locator(s) that the receiver failed to process. 726 Otherwise, a host MAY send a NOTIFY error if a (non-preferred) 727 locator with an unsupported Locator Type is received in a LOCATOR_SET 728 parameter. 730 6.3. Verifying Address Reachability 732 Address verification is defined in [I-D.ietf-hip-rfc5206-bis]. 734 When address verification is in progress for a new Preferred locator, 735 the host SHOULD select a different locator listed as ACTIVE, if one 736 such locator is available, to continue communications until address 737 verification completes. Alternatively, the host MAY use the new 738 Preferred locator while in UNVERIFIED status to the extent Credit- 739 Based Authorization permits. Credit-Based Authorization is explained 740 in [I-D.ietf-hip-rfc5206-bis]. Once address verification succeeds, 741 the status of the new Preferred locator changes to ACTIVE. 743 6.4. Changing the Preferred Locator 745 A host MAY want to change the Preferred outgoing locator for 746 different reasons, e.g., because traffic information or ICMP error 747 messages indicate that the currently used preferred address may have 748 become unreachable. Another reason may be due to receiving a 749 LOCATOR_SET parameter that has the "P" bit set. 751 To change the Preferred locator, the host initiates the following 752 procedure: 754 1. If the new Preferred locator has ACTIVE status, the Preferred 755 locator is changed and the procedure succeeds. 757 2. If the new Preferred locator has UNVERIFIED status, the host 758 starts to verify its reachability. The host SHOULD use a 759 different locator listed as ACTIVE until address verification 760 completes if one such locator is available. Alternatively, the 761 host MAY use the new Preferred locator, even though in UNVERIFIED 762 status, to the extent Credit-Based Authorization permits. Once 763 address verification succeeds, the status of the new Preferred 764 locator changes to ACTIVE and its use is no longer governed by 765 Credit-Based Authorization. 767 3. If the peer host has not indicated a preference for any address, 768 then the host picks one of the peer's ACTIVE addresses randomly 769 or according to policy. This case may arise if, for example, 770 ICMP error messages that deprecate the Preferred locator arrive, 771 but the peer has not yet indicated a new Preferred locator. 773 4. If the new Preferred locator has DEPRECATED status and there is 774 at least one non-deprecated address, the host selects one of the 775 non-deprecated addresses as a new Preferred locator and 776 continues. If the selected address is UNVERIFIED, the address 777 verification procedure described above will apply. 779 7. Security Considerations 781 Security considerations are addressed in [I-D.ietf-hip-rfc5206-bis]. 783 8. IANA Considerations 785 This document has no new IANA considerations. 787 9. Authors and Acknowledgments 789 This document contains content that was originally included in 790 RFC5206. Pekka Nikander and Jari Arkko originated RFC5206, and 791 Christian Vogt and Thomas Henderson (editor) later joined as co- 792 authors. Also in RFC5206, Greg Perkins contributed the initial draft 793 of the security section, and Petri Jokela was a co-author of the 794 initial individual submission. 796 The authors thank Miika Komu, Mika Kousa, Jeff Ahrenholz, and Jan 797 Melen for many improvements to the document. 799 10. References 801 10.1. Normative references 803 [I-D.ietf-hip-rfc5206-bis] 804 Henderson, T., Vogt, C., and J. Arkko, "Host Mobility with 805 the Host Identity Protocol", draft-ietf-hip-rfc5206-bis-09 806 (work in progress), July 2015. 808 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 809 Requirement Levels", BCP 14, RFC 2119, 810 DOI 10.17487/RFC2119, March 1997, 811 . 813 [RFC3484] Draves, R., "Default Address Selection for Internet 814 Protocol version 6 (IPv6)", RFC 3484, 815 DOI 10.17487/RFC3484, February 2003, 816 . 818 [RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T. 819 Henderson, "Host Identity Protocol Version 2 (HIPv2)", 820 RFC 7401, DOI 10.17487/RFC7401, April 2015, 821 . 823 [RFC7402] Jokela, P., Moskowitz, R., and J. Melen, "Using the 824 Encapsulating Security Payload (ESP) Transport Format with 825 the Host Identity Protocol (HIP)", RFC 7402, 826 DOI 10.17487/RFC7402, April 2015, 827 . 829 10.2. Informative references 831 [I-D.ietf-hip-rfc5204-bis] 832 Laganier, J. and L. Eggert, "Host Identity Protocol (HIP) 833 Rendezvous Extension", draft-ietf-hip-rfc5204-bis-07 (work 834 in progress), December 2015. 836 [RFC5533] Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming 837 Shim Protocol for IPv6", RFC 5533, DOI 10.17487/RFC5533, 838 June 2009, . 840 Appendix A. Document Revision History 842 To be removed upon publication 844 +----------+--------------------------------------------------------+ 845 | Revision | Comments | 846 +----------+--------------------------------------------------------+ 847 | draft-00 | Initial version with multihoming text imported from | 848 | | RFC5206. | 849 | | | 850 | draft-01 | Document refresh; no other changes. | 851 | | | 852 | draft-02 | Document refresh; no other changes. | 853 | | | 854 | draft-03 | Document refresh; no other changes. | 855 | | | 856 | draft-04 | Document refresh; no other changes. | 857 | | | 858 | draft-05 | Move remaining multihoming material from RFC5206-bis | 859 | | to this document | 860 | | | 861 | | Update lingering references to LOCATOR parameter to | 862 | | LOCATOR_SET | 863 | | | 864 | draft-06 | Document refresh with updated references. | 865 | | | 866 | draft-07 | Document refresh; no other changes. | 867 +----------+--------------------------------------------------------+ 869 Authors' Addresses 871 Thomas R. Henderson (editor) 872 University of Washington 873 Campus Box 352500 874 Seattle, WA 875 USA 877 EMail: tomhend@u.washington.edu 879 Christian Vogt 880 Ericsson Research NomadicLab 881 Hirsalantie 11 882 JORVAS FIN-02420 883 FINLAND 885 EMail: christian.vogt@ericsson.com 886 Jari Arkko 887 Ericsson Research NomadicLab 888 JORVAS FIN-02420 889 FINLAND 891 Phone: +358 40 5079256 892 EMail: jari.arkko@ericsson.com