idnits 2.17.1 draft-ietf-lisp-6834bis-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The abstract seems to contain references ([RFC6834]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 2, 2018) is 2126 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-19) exists of draft-ietf-lisp-gpe-03 == Outdated reference: A later version (-38) exists of draft-ietf-lisp-rfc6830bis-12 == Outdated reference: A later version (-31) exists of draft-ietf-lisp-rfc6833bis-10 -- Obsolete informational reference (is this intentional?): RFC 6834 (Obsoleted by RFC 9302) Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group L. Iannone 3 Internet-Draft Telecom ParisTech 4 Obsoletes: 6834 (if approved) D. Saucez 5 Intended status: Standards Track INRIA Sophia Antipolis 6 Expires: January 3, 2019 O. Bonaventure 7 Universite catholique de Louvain 8 July 2, 2018 10 Locator/ID Separation Protocol (LISP) Map-Versioning 11 draft-ietf-lisp-6834bis-00 13 Abstract 15 This document describes the LISP (Locator/ID Separation Protocol) 16 Map-Versioning mechanism, which provides in-packet information about 17 Endpoint ID to Routing Locator (EID-to-RLOC) mappings used to 18 encapsulate LISP data packets. The proposed approach is based on 19 associating a version number to EID-to-RLOC mappings and the 20 transport of such a version number in the LISP-specific header of 21 LISP-encapsulated packets. LISP Map-Versioning is particularly 22 useful to inform communicating Ingress Tunnel Routers (ITRs) and 23 Egress Tunnel Routers (ETRs) about modifications of the mappings used 24 to encapsulate packets. The mechanism is optional and transparent to 25 implementations not supporting this feature, since in the LISP- 26 specific header and in the Map Records, bits used for Map-Versioning 27 can be safely ignored by ITRs and ETRs that do not support or do not 28 want to use the mechanism. 30 This document obsoletes [RFC6834], which is the inital experimental 31 specifications of the mechanims updated by this document. 33 Status of This Memo 35 This Internet-Draft is submitted in full conformance with the 36 provisions of BCP 78 and BCP 79. 38 Internet-Drafts are working documents of the Internet Engineering 39 Task Force (IETF). Note that other groups may also distribute 40 working documents as Internet-Drafts. The list of current Internet- 41 Drafts is at https://datatracker.ietf.org/drafts/current/. 43 Internet-Drafts are draft documents valid for a maximum of six months 44 and may be updated, replaced, or obsoleted by other documents at any 45 time. It is inappropriate to use Internet-Drafts as reference 46 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on January 3, 2019. 50 Copyright Notice 52 Copyright (c) 2018 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (https://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 68 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4 69 3. Definitions of Terms . . . . . . . . . . . . . . . . . . . . 4 70 4. EID-to-RLOC Map-Version Number . . . . . . . . . . . . . . . 4 71 4.1. The Null Map-Version . . . . . . . . . . . . . . . . . . 5 72 5. Dealing with Map-Version Numbers . . . . . . . . . . . . . . 6 73 5.1. Handling Destination Map-Version Number . . . . . . . . . 7 74 5.2. Handling Source Map-Version Number . . . . . . . . . . . 9 75 6. LISP Header and Map-Version Numbers . . . . . . . . . . . . . 9 76 7. LISP Generic Protocol Encapsulation (GPE) Header and Map- 77 Version Numbers . . . . . . . . . . . . . . . . . . . . . . . 10 78 8. Map Record and Map-Version . . . . . . . . . . . . . . . . . 11 79 9. Benefits and Case Studies for Map-Versioning . . . . . . . . 12 80 9.1. Map-Versioning and Unidirectional Traffic . . . . . . . . 12 81 9.2. Map-Versioning and Interworking . . . . . . . . . . . . . 13 82 9.2.1. Map-Versioning and Proxy-ITRs . . . . . . . . . . . . 13 83 9.2.2. Map-Versioning and LISP-NAT . . . . . . . . . . . . . 14 84 9.2.3. Map-Versioning and Proxy-ETRs . . . . . . . . . . . . 14 85 9.3. RLOC Shutdown/Withdraw . . . . . . . . . . . . . . . . . 14 86 9.4. Map-Version Additional Use Cases . . . . . . . . . . . . 15 87 10. Security Considerations . . . . . . . . . . . . . . . . . . . 15 88 10.1. Map-Versioning against Traffic Disruption . . . . . . . 16 89 10.2. Map-Versioning against Reachability Information DoS . . 16 90 11. Considerations . . . . . . . . . . . . . . . . . . . . . . . 17 91 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 92 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 93 13.1. Normative References . . . . . . . . . . . . . . . . . . 18 94 13.2. Informative References . . . . . . . . . . . . . . . . . 19 95 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 97 1. Introduction 99 This document describes the Map-Versioning mechanism used to provide 100 information on changes in the EID-to-RLOC (Endpoint ID to Routing 101 Locator) mappings used in the LISP (Locator/ID Separation Protocol 102 [I-D.ietf-lisp-rfc6830bis][I-D.ietf-lisp-rfc6833bis]) context to 103 perform packet encapsulation. The mechanism is totally transparent 104 to xTRs (Ingress and Egress Tunnel Routers) not supporting or not 105 using such functionality. 107 This document obsoletes [RFC6834], which is the inital experimental 108 specifications of the mechanims updated by this document. 110 The basic mechanism is to associate a Map-Version number to each LISP 111 EID-to-RLOC mapping and transport such a version number in the LISP- 112 specific header. When a mapping changes, a new version number is 113 assigned to the updated mapping. A change in an EID-to-RLOC mapping 114 can be a change in the RLOCs set, by adding or removing one or more 115 RLOCs, but it can also be a change in the priority or weight of one 116 or more RLOCs. 118 When Map-Versioning is used, LISP-encapsulated data packets contain 119 the version number of the two mappings used to select the RLOCs in 120 the outer header (i.e., both source and destination). These version 121 numbers are encoded in the 24 low-order bits of the first longword of 122 the LISP header and indicated by a specific bit in the flags (first 8 123 high-order bits of the first longword of the LISP header). Note that 124 not all packets need to carry version numbers. 126 When an ITR (Ingress Tunnel Router) encapsulates a data packet, with 127 a LISP header containing the Map-Version numbers, it puts in the 128 LISP-specific header two version numbers: 130 1. The version number assigned to the mapping (contained in the EID- 131 to-RLOC Database) used to select the source RLOC. 133 2. The version number assigned to the mapping (contained in the EID- 134 to-RLOC Cache) used to select the destination RLOC. 136 This operation is two-fold. On the one hand, it enables the ETR 137 (Egress Tunnel Router) receiving the packet to know if the ITR is 138 using the latest mapping version that any ETR at the destination EID 139 site would provide to the ITR in a Map-Reply. If this is not the 140 case, the ETR can send to the ITR a Map-Request containing the 141 updated mapping or solicit a Map-Request from the ITR (both cases are 142 already defined in [I-D.ietf-lisp-rfc6833bis]). In this way, the ITR 143 can update its EID-to-RLOC Cache. On the other hand, it enables an 144 ETR receiving such a packet to know if it has in its EID-to-RLOC 145 Cache the latest mapping for the source EID (in the case of 146 bidirectional traffic). If this is not the case, a Map-Request can 147 be sent. 149 Considerations about the deployment of LISP Map-Versioning for 150 Internet traffic are discussed in Section 11. 152 2. Requirements Notation 154 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 155 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 156 document are to be interpreted as described in [RFC2119]. 158 3. Definitions of Terms 160 This document uses terms already defined in the main LISP 161 specification (, [I-D.ietf-lisp-rfc6830bis] 162 [I-D.ietf-lisp-rfc6833bis]). Here, we define the terms that are 163 specific to the Map-Versioning mechanism. Throughout the whole 164 document, Big Endian bit ordering is used. 166 Map-Version number: An unsigned 12-bit integer is assigned to an 167 EID-to-RLOC mapping, not including the value 0 (0x000). 169 Null Map-Version: The 12-bit null value of 0 (0x000) is not used as 170 a Map-Version number. It is used to signal that no Map-Version 171 number is assigned to the EID-to-RLOC mapping. 173 Source Map-Version number: This Map-Version number of the EID-to- 174 RLOC mapping is used to select the source address (RLOC) of the 175 outer IP header of LISP-encapsulated packets. 177 Destination Map-Version number: This Map-Version number of the EID- 178 to-RLOC mapping is used to select the destination address (RLOC) of 179 the outer IP header of LISP-encapsulated packets. 181 4. EID-to-RLOC Map-Version Number 183 The EID-to-RLOC Map-Version number consists of an unsigned 12-bit 184 integer. The version number is assigned on a per-mapping basis, 185 meaning that different mappings have a different version number, 186 which is also updated independently. An update in the version number 187 (i.e., a newer version) consists of incrementing by one the older 188 version number. 190 The space of version numbers has a circular order where half of the 191 version numbers are greater (i.e., newer) than the current Map- 192 Version number and the other half of the version numbers are smaller 193 (i.e., older) than the current Map-Version number. In a more formal 194 way, assuming that we have two version numbers V1 and V2 and that the 195 numbers are expressed in N bits, the following steps MUST be 196 performed (in the same order as shown below) to strictly define their 197 order: 199 1. V1 = V2 : The map-version numbers are the same. 201 2. V2 > V1 : if and only if 203 V2 > V1 AND (V2 - V1) <= 2**(N-1) 205 OR 207 V1 > V2 AND (V1 - V2) > 2**(N-1) 209 3. V1 > V2 : otherwise. 211 Using 12 bits, as defined in this document, and assuming a Map- 212 Version value of 69, Map-Version numbers in the range [70; 69 + 2048] 213 are greater than 69, while Map-Version numbers in the range [69 + 214 2049; (69 + 4096) mod 4096] are smaller than 69. 216 Map-version numbers are assigned to mappings by configuration. The 217 initial Map-Version number of a new EID-to-RLOC mapping SHOULD be 218 assigned randomly, but it MUST NOT be set to the Null Map-Version 219 value (0x000), because the Null Map-Version number has a special 220 meaning (see Section 4.1). 222 Upon reboot, an ETR will use mappings configured in its EID-to-RLOC 223 Database. If those mappings have a Map-Version number, it will be 224 used according to the mechanisms described in this document. ETRs 225 MUST NOT automatically generate and assign Map-Version numbers to 226 mappings in the EID-to-RLOC Database. 228 4.1. The Null Map-Version 230 The value 0x000 (zero) is not a valid Map-Version number indicating 231 the version of the EID-to-RLOC mapping. Such a value is used for 232 special purposes and is named the Null Map-Version number. 234 The Null Map-Version MAY appear in the LISP-specific header as either 235 a Source Map-Version number (cf. Section 5.2) or a Destination Map- 236 Version number (cf. Section 5.1). When the Source Map-Version 237 number is set to the Null Map-version value, it means that no map 238 version information is conveyed for the source site. This means that 239 if a mapping exists for the source EID in the EID-to-RLOC Cache, then 240 the ETR MUST NOT compare the received Null Map-Version with the 241 content of the EID-to-RLOC Cache. When the Destination Map-version 242 number is set to the Null Map-version value, it means that no map 243 version information is conveyed for the destination site. This means 244 that the ETR MUST NOT compare the value with the Map-Version number 245 of the mapping for the destination EID present in the EID-to-RLOC 246 Database. 248 The other use of the Null Map-Version number is in the Map Records, 249 which are part of the Map-Request, Map-Reply, and Map-Register 250 messages (defined in [I-D.ietf-lisp-rfc6833bis]). Map Records that 251 have a Null Map-Version number indicate that there is no Map-Version 252 number associated with the mapping. This means that LISP- 253 encapsulated packets destined to the EID-Prefix referred to by the 254 Map Record MUST either not contain any Map-Version numbers (V bit set 255 to 0) or, if they contain Map-Version numbers (V bit set to 1), then 256 the destination Map-Version number MUST be set to the Null Map- 257 Version number. Any value different from zero means that Map- 258 Versioning is supported and MAY be used. 260 The fact that the 0 value has a special meaning for the Map-Version 261 number implies that, when updating a Map-Version number because of a 262 change in the mapping, if the next value is 0, then the Map-Version 263 number MUST be incremented by 2 (i.e., set to 1, which is the next 264 valid value). 266 5. Dealing with Map-Version Numbers 268 The main idea of using Map-Version numbers is that whenever there is 269 a change in the mapping (e.g., adding/removing RLOCs, a change in the 270 weights due to Traffic Engineering policies, or a change in the 271 priorities) or a LISP site realizes that one or more of its own RLOCs 272 are not reachable anymore from a local perspective (e.g., through 273 IGP, or policy changes) the LISP site updates the mapping, also 274 assigning a new Map-Version number. 276 To each mapping, a version number is associated and changes each time 277 the mapping is changed. Note that Map-Versioning does not introduce 278 new problems concerning the coordination of different ETRs of a 279 domain. Indeed, ETRs belonging to the same LISP site must return for 280 a specific EID-prefix the same mapping, including the same Map- 281 Version number. This is orthogonal to whether or not Map-Versioning 282 is used. The synchronization problem and its implications on the 283 traffic are out of the scope of this document. 285 In order to announce in a data-driven fashion that the mapping has 286 been updated, Map-Version numbers used to create the outer IP header 287 of the LISP-encapsulated packet are embedded in the LISP-specific 288 header. This means that the header needs to contain two Map-Version 289 numbers: 291 o The Source Map-Version number of the EID-to-RLOC mapping in the 292 EID-to-RLOC Database used to select the source RLOC. 294 o The Destination Map-Version number of the EID-to-RLOC mapping in 295 the EID-to-RLOC Cache used to select the destination RLOC. 297 By embedding both the Source Map-Version number and the Destination 298 Map-Version number, an ETR receiving a LISP packet with Map-Version 299 numbers can perform the following checks: 301 1. The ITR that has sent the packet has an up-to-date mapping in its 302 EID-to-RLOC Cache for the destination EID and is performing 303 encapsulation correctly. 305 2. In the case of bidirectional traffic, the mapping in the local 306 ETR EID-to-RLOC Cache for the source EID is up to date. 308 If one or both of the above conditions do not hold, the ETR can send 309 a Map-Request either to make the ITR aware that a new mapping is 310 available (see Section 5.1) or to update the mapping in the local 311 EID-to-RLOC Cache (see Section 5.2). 313 5.1. Handling Destination Map-Version Number 315 When an ETR receives a packet, the Destination Map-Version number 316 relates to the mapping for the destination EID for which the ETR is 317 an RLOC. This mapping is part of the ETR EID-to-RLOC Database. 318 Since the ETR is authoritative for the mapping, it has the correct 319 and up-to-date Destination Map-Version number. A check on this 320 version number can be done, where the following cases can arise: 322 1. The packet arrives with the same Destination Map-Version number 323 stored in the EID-to-RLOC Database. This is the regular case. 324 The ITR sending the packet has in its EID-to-RLOC Cache an up-to- 325 date mapping. No further actions are needed. 327 2. The packet arrives with a Destination Map-Version number greater 328 (i.e., newer) than the one stored in the EID-to-RLOC Database. 329 Since the ETR is authoritative on the mapping, meaning that the 330 Map-Version number of its mapping is the correct one, this 331 implies that someone is not behaving correctly with respect to 332 the specifications. In this case, the packet carries a version 333 number that is not valid; otherwise, the ETR would have the same 334 number, and the packet SHOULD be silently dropped. 336 3. The packets arrive with a Destination Map-Version number smaller 337 (i.e., older) than the one stored in the EID-to-RLOC Database. 338 This means that the ITR sending the packet has an old mapping in 339 its EID-to-RLOC Cache containing stale information. The ETR MAY 340 choose to normally process the encapsulated datagram according to 341 [I-D.ietf-lisp-rfc6830bis]; however, the ITR sending the packet 342 has to be informed that a newer mapping is available. This is 343 done with a Map-Request message sent back to the ITR. The Map- 344 Request will either trigger a Map-Request back using the Solicit- 345 Map-Request (SMR) bit or it will piggyback the newer mapping. 346 These are not new mechanisms; how to use the SMR bit or how to 347 piggyback mappings in Map-Request messages is already described 348 in [I-D.ietf-lisp-rfc6833bis]. One feature introduced by Map- 349 Version numbers is the possibility of blocking traffic not using 350 the latest mapping. Indeed, after a certain number of retries, 351 if the Destination Map-Version number in the packets is not 352 updated, the ETR MAY drop packets with a stale Map-Version number 353 while strongly reducing the rate of Map-Request messages. This 354 is because either the ITR is refusing to use the mapping for 355 which the ETR is authoritative, or (worse) it might be some form 356 of attack. 358 The rule in the third case MAY be more restrictive. If the mapping 359 has been the same for a period of time as long as the Time To Live 360 (TTL) (defined in [I-D.ietf-lisp-rfc6833bis]) of the previous version 361 of the mapping, all packets arriving with an old Map-Version SHOULD 362 be silently dropped right away without issuing any Map-Request. Such 363 action is permitted because if the new mapping with the updated 364 version number has been unchanged for at least the same time as the 365 TTL of the older mapping, all the entries in the EID-to-RLOC Caches 366 of ITRs must have expired. Hence, all ITRs sending traffic should 367 have refreshed the mapping according to [I-D.ietf-lisp-rfc6833bis]. 368 If packets with old Map-Version numbers are still received, then 369 either someone has not respected the TTL or it is a form of spoof/ 370 attack. In both cases, this is not valid behavior with respect to 371 the specifications and the packet SHOULD be silently dropped. 373 LISP-encapsulated packets with the V-bit set, when the original 374 mapping in the EID-to-RLOC Database has the version number set to the 375 Null Map-Version value, MAY be silently dropped. As explained in 376 Section 4.1, if an EID-to-RLOC mapping has a Null Map-Version, it 377 means that ITRs, using the mapping for encapsulation, MUST NOT use a 378 Map-Version number in the LISP-specific header. 380 For LISP-encapsulated packets with the V-bit set, when the original 381 mapping in the EID-to-RLOC Database has the version number set to a 382 value different from the Null Map-Version value, a Destination Map- 383 Version number equal to the Null Map-Version value means that the 384 Destination Map-Version number MUST be ignored. 386 5.2. Handling Source Map-Version Number 388 When an ETR receives a packet, the Source Map-Version number relates 389 to the mapping for the source EID for which the ITR that sent the 390 packet is authoritative. If the ETR has an entry in its EID-to-RLOC 391 Cache for the source EID, then a check can be performed and the 392 following cases can arise: 394 1. The packet arrives with the same Source Map-Version number as 395 that stored in the EID-to-RLOC Cache. This is the correct 396 regular case. The ITR has in its EID-to-RLOC Cache an up-to-date 397 copy of the mapping. No further actions are needed. 399 2. The packet arrives with a Source Map-Version number greater 400 (i.e., newer) than the one stored in the local EID-to-RLOC Cache. 401 This means that the ETR has in its EID-to-RLOC Cache a mapping 402 that is stale and needs to be updated. A Map-Request SHOULD be 403 sent to get the new mapping for the source EID. This is a normal 404 Map-Request message sent through the mapping system and MUST 405 respect the specifications in [I-D.ietf-lisp-rfc6833bis], 406 including rate-limitation policies. 408 3. The packet arrives with a Source Map-Version number smaller 409 (i.e., older) than the one stored in the local EID-to-RLOC Cache. 410 Such a case is not valid with respect to the specifications. 411 Indeed, if the mapping is already present in the EID-to-RLOC 412 Cache, this means that an explicit Map-Request has been sent and 413 a Map-Reply has been received from an authoritative source. 414 Assuming that the mapping system is not corrupted, the Map- 415 Version in the EID-to-RLOC Cache is the correct one, while the 416 one carried by the packet is stale. In this situation, the 417 packet MAY be silently dropped. 419 If the ETR does not have an entry in the EID-to-RLOC Cache for the 420 source EID, then the Source Map-Version number can be safely ignored. 422 For LISP-encapsulated packets with the V-bit set, if the Source Map- 423 Version number is the Null Map-Version value, it means that the 424 Source Map-Version number MUST be ignored. 426 6. LISP Header and Map-Version Numbers 428 In order for the versioning approach to work, the LISP-specific 429 header has to carry both the Source Map-Version number and 430 Destination Map-Version number. This is done by setting the V-bit in 431 the LISP-specific header as defined in [I-D.ietf-lisp-rfc6830bis]. 432 When the V-bit is set and the P bit is reset (0), the low-order 24 433 bits of the first longword are used to transport both the source and 434 destination Map-Version numbers. In particular, the first 12 bits 435 are used for the Source Map-Version number and the second 12 bits for 436 the Destination Map-Version number. 438 Below is an example of a LISP header carrying version numbers. 440 0 1 2 3 441 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 442 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 443 / |N|L|E|V|I|P|K|K| Source Map-Version |Destination Map-Version| 444 LISP+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 445 \ | Instance ID/Locator Status Bits | 446 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 448 Source Map-Version number (12 bits): Map-Version of the mapping used 449 by the ITR to select the RLOC present in the "Source Routing 450 Locator" field. Section 5.2 describes how to set this value on 451 transmission and handle it on reception. 453 Destination Map-Version number (12 bits): Map-Version of the mapping 454 used by the ITR to select the RLOC present in the "Destination 455 Routing Locator" field. Section 5.1 describes how to set this 456 value on transmission and handle it on reception. 458 Not all of the LISP-encapsulated packets need to carry version 459 numbers. When Map-Version numbers are carried in these packets, the 460 V-bit MUST be set to 1. All permissible combinations of the flags 461 when the V-bit is set to 1 are described in 462 [I-D.ietf-lisp-rfc6830bis] and [I-D.ietf-lisp-gpe]. 464 7. LISP Generic Protocol Encapsulation (GPE) Header and Map-Version 465 Numbers 467 [I-D.ietf-lisp-gpe] extends the Locator/ID Separation Protocol (LISP) 468 Data-Plane, changing the LISP header, to support multi-protocol 469 encapsulation. A flag in the LISP header, called the P-bit, is used 470 to signal the presence of the Next Protocol field in the low-order 8 471 bits of the first longword. When the V-bit and P-bit are both set, 472 the middle-order 16 bits of the first longword are used to transport 473 both the source and destination Map-Version numbers. In particular, 474 the first 8 bits are used for the Source Map-Version number and the 475 second 8 bits for the Destination Map-Version number. 477 Below is an example of a LISP header carrying version numbers. 479 0 1 2 3 480 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 481 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 482 / |N|L|E|V|I|P|K|K|Src Map-Version|Dst Map-Version| Next Protocol | 483 LISP+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 484 \ | Instance ID/Locator Status Bits | 485 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 487 The Source Map-Version number and the Destination Map-Version number 488 are used exactly in the same way previously described. There are 489 only three differences: 491 o When filling the LISP-GPE-specific header only the low order 8 492 bits are copied in the Source and Destination Map-Version Number 493 (out of the original 12 bits). 495 o When comparing a Map-Version retrieved from the LISP-GPE-specific 496 header (either Source or Destination Map-Version number) with the 497 version number of a mapping (stored in the LISP Cache or LISP 498 Database) only the low-order 8 bits of the latter are used for the 499 comparison. 501 o When trimming a Map-Version number from 12 to 8 bits it may happen 502 that it is converted to a Null Map-Version number, which will 503 change the way Map-Version number is interpreted as described in 504 Section 4.1. To avoid such wrong behavior, Map-Version number 505 with the low-order 8 bits all equal to zero SHOULD be avoided on 506 xTRs using LISP-GPE. 508 8. Map Record and Map-Version 510 To accommodate the proposed mechanism, the Map Records that are 511 transported in Map-Request/Map-Reply/Map-Register messages need to 512 carry the Map-Version number as well. For this purpose, the 12 bits 513 before the EID-AFI field in the Record that describes a mapping are 514 used (see [I-D.ietf-lisp-rfc6833bis] and reported here as an example. 516 0 1 2 3 517 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 518 +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 519 | | Record TTL | 520 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 521 R | Locator Count | EID mask-len | ACT |A| Reserved | 522 e +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 523 c | Rsvd | Map-Version Number | EID-Prefix-AFI | 524 o +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 525 r | EID-Prefix | 526 d +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 527 | /| Priority | Weight | M Priority | M Weight | 528 | L +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 529 | o | Unused Flags |L|p|R| Loc-AFI | 530 | c +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 531 | \| Locator | 532 +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 534 Map-Version Number: Map-Version of the mapping contained in the 535 Record. As explained in Section 4.1, this field can be zero (0), 536 meaning that no Map-Version is associated to the mapping; hence, 537 packets that are LISP encapsulated using this mapping MUST NOT 538 contain Map-Version numbers in the LISP-specific header, and the 539 V-bit MUST be set to 0. 541 This packet format works perfectly with xTRs that do not support Map- 542 Versioning, since they can simply ignore those bits. 544 9. Benefits and Case Studies for Map-Versioning 546 In the following sections, we provide more discussion on various 547 aspects and uses of Map-Versioning. Security observations are 548 grouped in Section 10. 550 9.1. Map-Versioning and Unidirectional Traffic 552 When using Map-Versioning, the LISP-specific header carries two Map- 553 Version numbers, for both source and destination mappings. This can 554 raise the question on what will happen in the case of unidirectional 555 flows, for instance, in the case presented in Figure 1, since the 556 LISP specification does not mandate that the ETR have a mapping for 557 the source EID. 559 +-----------------+ +-----------------+ 560 | Domain A | | Domain B | 561 | +---------+ +---------+ | 562 | | ITR A |----------->| ETR B | | 563 | +---------+ +---------+ | 564 | | | | 565 +-----------------+ +-----------------+ 567 Figure 1: Unidirectional traffic between LISP domains. 569 In the case of the ITR, the ITR is able to put both the source and 570 destination version number in the LISP header, since the Source Map- 571 Version number is in the ITR's database, while the Destination Map- 572 Version number is in the ITR's cache. 574 In the case of the ETR, the ETR simply checks only the Destination 575 Map-Version number in the same way as that described in Section 5, 576 ignoring the Source Map-Version number. 578 9.2. Map-Versioning and Interworking 580 Map-Versioning is compatible with the LISP interworking between LISP 581 and non-LISP sites as defined in [RFC6832]. LISP interworking 582 defines three techniques to make LISP sites and non-LISP sites, 583 namely Proxy-ITR, LISP-NAT, and Proxy-ETR. The following text 584 describes how Map-Versioning relates to these three mechanisms. 586 9.2.1. Map-Versioning and Proxy-ITRs 588 The purpose of the Proxy-ITR (PITR) is to encapsulate traffic 589 originating in a non-LISP site in order to deliver the packet to one 590 of the ETRs of the LISP site (cf. Figure 2). This case is very 591 similar to the unidirectional traffic case described in Section 9.1; 592 hence, similar rules apply. 594 +----------+ +-------------+ 595 | LISP | | non-LISP | 596 | Domain A | | Domain B | 597 | +-------+ +-----------+ | | 598 | | ETR A |<-------| Proxy ITR |<-------| | 599 | +-------+ +-----------+ | | 600 | | | | 601 +----------+ +-------------+ 603 Figure 2: Unidirectional traffic from non-LISP domain to LISP domain. 605 The main difference is that a Proxy-ITR does not have any mapping, 606 since it just encapsulates packets arriving from the non-LISP site, 607 and thus cannot provide a Source Map-Version. In this case, the 608 proxy-ITR will just put the Null Map-Version value as the Source Map- 609 Version number, while the receiving ETR will ignore the field. 611 With this setup, LISP Domain A is able to check whether or not the 612 PITR is using the latest mapping. 614 9.2.2. Map-Versioning and LISP-NAT 616 The LISP-NAT mechanism is based on address translation from non- 617 routable EIDs to routable EIDs and does not involve any form of 618 encapsulation. As such, Map-Versioning does not apply in this case. 620 9.2.3. Map-Versioning and Proxy-ETRs 622 The purpose of the Proxy-ETR (PETR) is to decapsulate traffic 623 originating in a LISP site in order to deliver the packet to the non- 624 LISP site (cf. Figure 3). One of the main reasons to deploy PETRs 625 is to bypass uRPF (Unicast Reverse Path Forwarding) checks on the 626 provider edge. 628 +----------+ +-------------+ 629 | LISP | | non-LISP | 630 | Domain A | | Domain B | 631 | +-------+ +-----------+ | | 632 | | ITR A |------->| Proxy ETR |------->| | 633 | +-------+ +-----------+ | | 634 | | | | 635 +----------+ +-------------+ 637 Figure 3: Unidirectional traffic from LISP domain to non-LISP domain. 639 A Proxy-ETR does not have any mapping, since it just decapsulates 640 packets arriving from the LISP site. In this case, the ITR will just 641 put the Null Map-Version value as the Destination Map-Version number, 642 while the receiving Proxy-ETR will ignore the field. 644 With this setup, the Proxy-ETR is able to check whether or not the 645 mapping has changed. 647 9.3. RLOC Shutdown/Withdraw 649 Map-Versioning can also be used to perform a graceful shutdown or 650 withdraw of a specific RLOC. This is achieved by simply issuing a 651 new mapping, with an updated Map-Version number where the specific 652 RLOC to be shut down is withdrawn or announced as unreachable (via 653 the R bit in the Map Record; see [I-D.ietf-lisp-rfc6833bis]), but 654 without actually turning it off. 656 Once no more traffic is received by the RLOC, it can be shut down 657 gracefully, because all sites actively using the mapping have updated 658 it. 660 9.4. Map-Version Additional Use Cases 662 The use of Map-Versioning can help in developing a lightweight 663 implementation of LISP. However, this comes with the price of not 664 supporting the Loc-Status-Bit, which is useful in some contexts. 666 In the current LISP specifications, the set of RLOCs must always be 667 maintained ordered and consistent with the content of the Loc Status 668 Bits ([I-D.ietf-lisp-rfc6830bis]). With Map-Versioning, such types 669 of mechanisms can be avoided. When a new RLOC is added to a mapping, 670 it is not necessary to "append" new locators to the existing ones as 671 explained in [I-D.ietf-lisp-rfc6830bis]. A new mapping with a new 672 Map-Version number will be issued, and since the old locators are 673 still valid, the transition will occur with no disruptions. The same 674 applies for the case where an RLOC is withdrawn. There is no need to 675 maintain holes in the list of locators, as is the case when using 676 Locator Status Bits, for sites that are not using the RLOC that has 677 been withdrawn; in this case, the transition will occur with no 678 disruptions. 680 All of these operations, as already stated, do not need to maintain 681 any consistency among Locator Status Bits and in the way that the 682 RLOCs are stored in the EID-to-RLOC Cache. 684 Map-Versioning can be used as a substitute for the "clock sweep" 685 operation described in Section 6.6.1 of [I-D.ietf-lisp-rfc6833bis]. 686 Indeed, every LISP site communicating to a specific LISP site that 687 has updated the mapping will be informed of the available new mapping 688 in a data-driven manner. 690 10. Security Considerations 692 Map-Versioning does not introduce any security issues concerning both 693 the data plane and the control plane. On the contrary, as described 694 below, if Map-Versioning may also be used to update mappings in the 695 case of change in the reachability information (i.e., instead of the 696 Locator Status Bits), it is possible to reduce the effects of some 697 DoS or spoofing attacks that can happen in an untrusted environment. 699 Robustness of the Map-Versioning mechanism leverages on a trusted 700 Mapping Distribution System. A thorough security analysis of LISP is 701 documented in [RFC7835]. 703 10.1. Map-Versioning against Traffic Disruption 705 An attacker can try to disrupt ongoing communications by creating 706 LISP-encapsulated packets with wrong Locator Status Bits. If the xTR 707 blindly trusts the Locator Status Bits, it will change the 708 encapsulation accordingly, which can result in traffic disruption. 710 This does not happen in the case of Map-Versioning. As described in 711 Section 5, upon a version number change the xTR first issues a Map- 712 Request. The assumption is that the mapping distribution system is 713 sufficiently secure that Map-Request and Map-Reply messages and their 714 content can be trusted. Security issues concerning specific mapping 715 distribution systems are out of the scope of this document. In the 716 case of Map-Versioning, the attacker should "guess" a valid version 717 number that triggers a Map-Request as described in Section 5; 718 otherwise, the packet is simply dropped. Nevertheless, guessing a 719 version number that generates a Map-Request is easy; hence, it is 720 important to follow the rate-limitation policies described in 721 [I-D.ietf-lisp-rfc6833bis] in order to avoid DoS attacks. 723 Note that a similar level of security can be obtained with Loc Status 724 Bits by simply making it mandatory to verify any change through a 725 Map-Request. However, in this case Locator Status Bits lose their 726 meaning, because it does not matter anymore which specific bits have 727 changed; the xTR will query the mapping system and trust the content 728 of the received Map-Reply. Furthermore, there is no way to perform 729 filtering as in Map-Versioning in order to drop packets that do not 730 carry a valid Map-Version number. In the case of Locator Status 731 Bits, any random change can trigger a Map-Request (unless rate 732 limitation is enabled, which raises another type of attack as 733 discussed in Section 10.2). 735 10.2. Map-Versioning against Reachability Information DoS 737 Attackers can try to trigger a large number of Map-Requests by simply 738 forging packets with random Map-Versions or random Locator Status 739 Bits. In both cases, the Map-Requests are rate-limited as described 740 in [I-D.ietf-lisp-rfc6833bis]. However, in contrast to the Locator 741 Status Bit, where there is no filtering possible, in the case of Map- 742 Versioning it is possible to filter invalid version numbers before 743 triggering a Map-Request, thus helping to reduce the effects of DoS 744 attacks. In other words, the use of Map-Versioning enables a fine 745 control on when to update a mapping or when to notify someone that a 746 mapping has been updated. 748 It is clear that Map-Versioning does not protect against DoS and DDoS 749 attacks, where an xTR loses processing power when doing checks on the 750 LISP header of packets sent by attackers. This is independent of 751 Map-Versioning and is the same for Loc Status Bits. 753 11. Considerations 755 Even without Map-Versioning, LISP requires ETRs to announce the same 756 mapping for the same EID-Prefix to a requester. The implications 757 that a temporary lack of synchronization may have on the traffic are 758 yet to be fully explored. 760 Map-Versioning does not require additional synchronization mechanisms 761 as compared to the normal functioning of LISP without Map-Versioning. 762 Clearly, all the ETRs have to reply with the same Map-Version number; 763 otherwise, there can be an inconsistency that creates additional 764 control traffic, instabilities, and traffic disruptions. It is the 765 same without Map-Versioning, with ETRs that have to reply with the 766 same mapping; otherwise, the same problems can arise. 768 There are two ways Map-Versioning is helpful with respect to the 769 synchronization problem. On the one hand, assigning version numbers 770 to mappings helps in debugging, since quick checks on the consistency 771 of the mappings on different ETRs can be done by looking at the Map- 772 Version number. On the other hand, Map-Versioning can be used to 773 control the traffic toward ETRs that announce the latest mapping. 775 As an example, let's consider the topology of Figure 4 where ITR A.1 776 of Domain A is sending unidirectional traffic to Domain B, while A.2 777 of Domain A exchanges bidirectional traffic with Domain B. In 778 particular, ITR A.2 sends traffic to ETR B, and ETR A.2 receives 779 traffic from ITR B. 781 +-----------------+ +-----------------+ 782 | Domain A | | Domain B | 783 | +---------+ | | 784 | | ITR A.1 |--- | | 785 | +---------+ \ +---------+ | 786 | | ------->| ETR B | | 787 | | ------->| | | 788 | +---------+ / | | | 789 | | ITR A.2 |--- -----| ITR B | | 790 | | | / +---------+ | 791 | | ETR A.2 |<----- | | 792 | +---------+ | | 793 | | | | 794 +-----------------+ +-----------------+ 796 Figure 4: Example topology. 798 Obviously, in the case of Map-Versioning, both ITR A.1 and ITR A.2 of 799 Domain A must use the same value; otherwise, the ETR of Domain B will 800 start to send Map-Requests. 802 The same problem can, however, arise without Map-Versioning, for 803 instance, if the two ITRs of Domain A send different Locator Status 804 Bits. In this case, either the traffic is disrupted if ETR B trusts 805 the Locator Status Bits, or if ETR B does not trust the Locator 806 Status Bits it will start sending Map-Requests to confirm each change 807 in reachability. 809 So far, LISP does not provide any specific synchronization mechanism 810 but assumes that synchronization is provided by configuring the 811 different xTRs consistently. The same applies for Map-Versioning. 812 If in the future any synchronization mechanism is provided, Map- 813 Versioning will take advantage of it automatically, since it is 814 included in the Record format, as described in Section 8. 816 12. Acknowledgments 818 This work benefited support from NewNet@Paris, Cisco's Chair 819 "Networks for the Future" at Telecom ParisTech 820 (http://newnet.telecom-paristech.fr). Any opinions, findings or 821 recommendations expressed in this material are those of the author(s) 822 and do not necessarily reflect the views of partners of the Chair. 824 13. References 826 13.1. Normative References 828 [I-D.ietf-lisp-gpe] 829 Maino, F., Lemon, J., Agarwal, P., Lewis, D., and M. 830 Smith, "LISP Generic Protocol Extension", draft-ietf-lisp- 831 gpe-03 (work in progress), April 2018. 833 [I-D.ietf-lisp-rfc6830bis] 834 Farinacci, D., Fuller, V., Meyer, D., Lewis, D., and A. 835 Cabellos-Aparicio, "The Locator/ID Separation Protocol 836 (LISP)", draft-ietf-lisp-rfc6830bis-12 (work in progress), 837 March 2018. 839 [I-D.ietf-lisp-rfc6833bis] 840 Fuller, V., Farinacci, D., and A. Cabellos-Aparicio, 841 "Locator/ID Separation Protocol (LISP) Control-Plane", 842 draft-ietf-lisp-rfc6833bis-10 (work in progress), March 843 2018. 845 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 846 Requirement Levels", BCP 14, RFC 2119, 847 DOI 10.17487/RFC2119, March 1997, 848 . 850 13.2. Informative References 852 [RFC6832] Lewis, D., Meyer, D., Farinacci, D., and V. Fuller, 853 "Interworking between Locator/ID Separation Protocol 854 (LISP) and Non-LISP Sites", RFC 6832, 855 DOI 10.17487/RFC6832, January 2013, 856 . 858 [RFC6834] Iannone, L., Saucez, D., and O. Bonaventure, "Locator/ID 859 Separation Protocol (LISP) Map-Versioning", RFC 6834, 860 DOI 10.17487/RFC6834, January 2013, 861 . 863 [RFC7835] Saucez, D., Iannone, L., and O. Bonaventure, "Locator/ID 864 Separation Protocol (LISP) Threat Analysis", RFC 7835, 865 DOI 10.17487/RFC7835, April 2016, 866 . 868 Authors' Addresses 870 Luigi Iannone 871 Telecom ParisTech 873 EMail: ggx@gigix.net 875 Damien Saucez 876 INRIA Sophia Antipolis 878 EMail: damien.saucez@inria.fr 880 Olivier Bonaventure 881 Universite catholique de Louvain 883 EMail: olivier.bonaventure@uclouvain.be