idnits 2.17.1 draft-ietf-lisp-6834bis-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 15, 2020) is 1288 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-38) exists of draft-ietf-lisp-rfc6830bis-35 == Outdated reference: A later version (-31) exists of draft-ietf-lisp-rfc6833bis-29 -- Obsolete informational reference (is this intentional?): RFC 6834 (Obsoleted by RFC 9302) Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group L. Iannone 3 Internet-Draft Huawei Technologies France S.A.S.U 4 Obsoletes: 6834 (if approved) D. Saucez 5 Intended status: Standards Track INRIA 6 Expires: April 18, 2021 O. Bonaventure 7 Universite catholique de Louvain 8 October 15, 2020 10 Locator/ID Separation Protocol (LISP) Map-Versioning 11 draft-ietf-lisp-6834bis-07 13 Abstract 15 This document describes the LISP (Locator/ID Separation Protocol) 16 Map-Versioning mechanism, which provides in-packet information about 17 Endpoint ID to Routing Locator (EID-to-RLOC) mappings used to 18 encapsulate LISP data packets. The proposed approach is based on 19 associating a version number to EID-to-RLOC mappings and the 20 transport of such a version number in the LISP-specific header of 21 LISP-encapsulated packets. LISP Map-Versioning is particularly 22 useful to inform communicating Ingress Tunnel Routers (ITRs) and 23 Egress Tunnel Routers (ETRs) about modifications of the mappings used 24 to encapsulate packets. The mechanism is optional and transparent to 25 implementations not supporting this feature, since in the LISP- 26 specific header and in the Map Records, bits used for Map-Versioning 27 can be safely ignored by ITRs and ETRs that do not support or do not 28 want to use the mechanism. 30 This document obsoletes RFC 6834 "Locator/ID Separation Protocol 31 (LISP) Map-Versioning", which is the initial experimental 32 specifications of the mechanisms updated by this document. 34 Status of This Memo 36 This Internet-Draft is submitted in full conformance with the 37 provisions of BCP 78 and BCP 79. 39 Internet-Drafts are working documents of the Internet Engineering 40 Task Force (IETF). Note that other groups may also distribute 41 working documents as Internet-Drafts. The list of current Internet- 42 Drafts is at https://datatracker.ietf.org/drafts/current/. 44 Internet-Drafts are draft documents valid for a maximum of six months 45 and may be updated, replaced, or obsoleted by other documents at any 46 time. It is inappropriate to use Internet-Drafts as reference 47 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on April 18, 2021. 50 Copyright Notice 52 Copyright (c) 2020 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (https://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 68 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4 69 3. Definitions of Terms . . . . . . . . . . . . . . . . . . . . 4 70 4. EID-to-RLOC Map-Version Number . . . . . . . . . . . . . . . 4 71 4.1. The Null Map-Version . . . . . . . . . . . . . . . . . . 5 72 5. Dealing with Map-Version Numbers . . . . . . . . . . . . . . 6 73 5.1. Handling Destination Map-Version Number . . . . . . . . . 7 74 5.2. Handling Source Map-Version Number . . . . . . . . . . . 9 75 6. LISP Header and Map-Version Numbers . . . . . . . . . . . . . 9 76 7. Map Record and Map-Version . . . . . . . . . . . . . . . . . 10 77 8. Benefits and Case Studies for Map-Versioning . . . . . . . . 11 78 8.1. Map-Versioning and Unidirectional Traffic . . . . . . . . 11 79 8.2. Map-Versioning and Interworking . . . . . . . . . . . . . 12 80 8.2.1. Map-Versioning and Proxy-ITRs . . . . . . . . . . . . 12 81 8.2.2. Map-Versioning and LISP-NAT . . . . . . . . . . . . . 13 82 8.2.3. Map-Versioning and Proxy-ETRs . . . . . . . . . . . . 13 83 8.3. RLOC Shutdown/Withdraw . . . . . . . . . . . . . . . . . 13 84 8.4. Map-Version Additional Use Cases . . . . . . . . . . . . 14 85 9. Security Considerations . . . . . . . . . . . . . . . . . . . 14 86 9.1. Map-Versioning against Traffic Disruption . . . . . . . . 14 87 9.2. Map-Versioning against Reachability Information DoS . . . 15 88 10. Deployment Considerations . . . . . . . . . . . . . . . . . . 15 89 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 90 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 91 12.1. Normative References . . . . . . . . . . . . . . . . . . 17 92 12.2. Informative References . . . . . . . . . . . . . . . . . 17 93 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 95 1. Introduction 97 This document describes the Map-Versioning mechanism used to provide 98 information on changes in the EID-to-RLOC (Endpoint ID to Routing 99 Locator) mappings used in the LISP (Locator/ID Separation Protocol 100 [I-D.ietf-lisp-rfc6830bis][I-D.ietf-lisp-rfc6833bis]) context to 101 perform packet encapsulation. The mechanism is totally transparent 102 to xTRs (Ingress and Egress Tunnel Routers) not supporting or not 103 using such functionality. 105 This document obsoletes [RFC6834], which is the initial experimental 106 specifications of the mechanisms updated by this document. 108 The basic mechanism is to associate a Map-Version number to each LISP 109 EID-to-RLOC mapping and transport such a version number in the LISP- 110 specific header. When a mapping changes, a new version number is 111 assigned to the updated mapping. A change in an EID-to-RLOC mapping 112 can be a change in the RLOCs set, by adding or removing one or more 113 RLOCs, but it can also be a change in the priority or weight of one 114 or more RLOCs. 116 When Map-Versioning is used, LISP-encapsulated data packets contain 117 the version number of the two mappings used to select the RLOCs in 118 the outer header (i.e., both source and destination). These version 119 numbers are encoded in the 24 low-order bits of the first longword of 120 the LISP header and indicated by a specific bit in the flags (first 8 121 high-order bits of the first longword of the LISP header). Note that 122 not all packets need to carry version numbers. 124 When an ITR (Ingress Tunnel Router) encapsulates a data packet, with 125 a LISP header containing the Map-Version numbers, it puts in the 126 LISP-specific header two version numbers: 128 1. The version number assigned to the mapping (contained in the EID- 129 to-RLOC Database) used to select the source RLOC. 131 2. The version number assigned to the mapping (contained in the EID- 132 to-RLOC Cache) used to select the destination RLOC. 134 This operation is two-fold. On the one hand, it enables the ETR 135 (Egress Tunnel Router) receiving the packet to know if the ITR is 136 using the latest mapping version that any ETR at the destination EID 137 site would provide to the ITR in a Map-Reply. If this is not the 138 case, the ETR can send to the ITR a Map-Request containing the 139 updated mapping or solicit a Map-Request from the ITR (both cases are 140 already defined in [I-D.ietf-lisp-rfc6833bis]). In this way, the ITR 141 can update its EID-to-RLOC Cache. On the other hand, it enables an 142 ETR receiving such a packet to know if it has in its EID-to-RLOC 143 Cache the latest mapping for the source EID. If this is not the 144 case, a Map-Request can be sent. 146 Considerations about the deployment of LISP Map-Versioning are 147 discussed in Section 10. 149 2. Requirements Notation 151 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 152 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 153 "OPTIONAL" in this document are to be interpreted as described in BCP 154 14 [RFC2119] [RFC8174] when, and only when, they appear in all 155 capitals, as shown here. 157 3. Definitions of Terms 159 This document uses terms already defined in the main LISP 160 specification ([I-D.ietf-lisp-rfc6830bis], 161 [I-D.ietf-lisp-rfc6833bis]). Here, we define the terms that are 162 specific to the Map-Versioning mechanism. Throughout the whole 163 document, Big Endian bit ordering is used. 165 Map-Version number: An unsigned 12-bit integer is assigned to an 166 EID-to-RLOC mapping, not including the value 0 (0x000). 168 Null Map-Version: The 12-bit null value of 0 (0x000) is not used as 169 a Map-Version number. It is used to signal that no Map-Version 170 number is assigned to the EID-to-RLOC mapping. 172 Source Map-Version number: This Map-Version number of the EID-to- 173 RLOC mapping is used to select the source address (RLOC) of the 174 outer IP header of LISP-encapsulated packets. 176 Destination Map-Version number: This Map-Version number of the EID- 177 to-RLOC mapping is used to select the destination address (RLOC) of 178 the outer IP header of LISP-encapsulated packets. 180 4. EID-to-RLOC Map-Version Number 182 The EID-to-RLOC Map-Version number consists of an unsigned 12-bit 183 integer. The version number is assigned on a per-mapping basis, 184 meaning that different mappings have a different version number, 185 which is also updated independently. An update in the version number 186 (i.e., a newer version) consists of incrementing by one the older 187 version number. 189 The space of version numbers has a circular order where half of the 190 version numbers are greater (i.e., newer) than the current Map- 191 Version number and the other half of the version numbers are smaller 192 (i.e., older) than the current Map-Version number. In a more formal 193 way, assuming that we have two version numbers V1 and V2 and that the 194 numbers are expressed on N bits, the following steps MUST be 195 performed (in the same order as shown below) to strictly define their 196 order: 198 1. V1 = V2 : The Map-Version numbers are the same. 200 2. V2 > V1 : if and only if 202 V2 > V1 AND (V2 - V1) <= 2**(N-1) 204 OR 206 V1 > V2 AND (V1 - V2) > 2**(N-1) 208 3. V1 > V2 : otherwise. 210 Using 12 bits, as defined in this document, and assuming a Map- 211 Version value of 69, Map-Version numbers in the range [70; 69 + 2048] 212 are greater than 69, while Map-Version numbers in the range [69 + 213 2049; (69 + 4096) mod 4096] are smaller than 69. 215 Map-version numbers are assigned to mappings by configuration. The 216 initial Map-Version number of a new EID-to-RLOC mapping SHOULD be 217 assigned randomly, but it MUST NOT be set to the Null Map-Version 218 value (0x000), because the Null Map-Version number has a special 219 meaning (see Section 4.1). 221 Upon reboot, an ETR will use mappings configured in its EID-to-RLOC 222 Database. If those mappings have a Map-Version number, it will be 223 used according to the mechanisms described in this document. ETRs 224 MUST NOT automatically generate and assign Map-Version numbers to 225 mappings in the EID-to-RLOC Database. 227 4.1. The Null Map-Version 229 The value 0x000 (zero) is not a valid Map-Version number indicating 230 the version of the EID-to-RLOC mapping. Such a value is used for 231 special purposes and is named the Null Map-Version number. 233 The Null Map-Version MAY appear in the LISP-specific header as either 234 a Source Map-Version number (cf. Section 5.2) or a Destination Map- 235 Version number (cf. Section 5.1). When the Source Map-Version 236 number is set to the Null Map-Version value, it means that no map 237 version information is conveyed for the source site. This means that 238 if a mapping exists for the source EID in the EID-to-RLOC Cache, then 239 the ETR MUST NOT compare the received Null Map-Version with the 240 content of the EID-to-RLOC Cache. When the Destination Map-Version 241 number is set to the Null Map-Version value, it means that no map 242 version information is conveyed for the destination site. This means 243 that the ETR MUST NOT compare the value with the Map-Version number 244 of the mapping for the destination EID present in the EID-to-RLOC 245 Database. 247 The other use of the Null Map-Version number is in the Map Records, 248 which are part of the Map-Request, Map-Reply, and Map-Register 249 messages (defined in [I-D.ietf-lisp-rfc6833bis]). Map Records that 250 have a Null Map-Version number indicate that there is no Map-Version 251 number associated with the mapping. This means that LISP- 252 encapsulated packets destined to the EID-Prefix referred to by the 253 Map Record MUST either not contain any Map-Version numbers (V bit set 254 to 0) or, if they contain Map-Version numbers (V bit set to 1), then 255 the destination Map-Version number MUST be set to the Null Map- 256 Version number. Any value different from zero means that Map- 257 Versioning is supported and MAY be used. 259 The fact that the 0 value has a special meaning for the Map-Version 260 number implies that, when updating a Map-Version number because of a 261 change in the mapping, if the next value is 0, then the Map-Version 262 number MUST be incremented by 2 (i.e., set to 1, which is the next 263 valid value). 265 5. Dealing with Map-Version Numbers 267 The main idea of using Map-Version numbers is that whenever there is 268 a change in the mapping (e.g., adding/removing RLOCs, a change in the 269 weights due to Traffic Engineering policies, or a change in the 270 priorities) or a LISP site realizes that one or more of its own RLOCs 271 are not reachable anymore from a local perspective (e.g., through 272 IGP, or policy changes) the LISP site updates the mapping, also 273 assigning a new Map-Version number. 275 To each mapping, a version number is associated and changes each time 276 the mapping is changed. Note that Map-Versioning does not introduce 277 new problems concerning the coordination of different ETRs of a 278 domain. Indeed, ETRs belonging to the same LISP site must return for 279 a specific EID-prefix the same mapping, including the same Map- 280 Version number. This is orthogonal to whether or not Map-Versioning 281 is used. The synchronization problem and its implications on the 282 traffic are out of the scope of this document. 284 In order to announce in a data-driven fashion that the mapping has 285 been updated, Map-Version numbers used to create the outer IP header 286 of the LISP-encapsulated packet are embedded in the LISP-specific 287 header. This means that the header needs to contain two Map-Version 288 numbers: 290 o The Source Map-Version number of the EID-to-RLOC mapping in the 291 EID-to-RLOC Database used to select the source RLOC. 293 o The Destination Map-Version number of the EID-to-RLOC mapping in 294 the EID-to-RLOC Cache used to select the destination RLOC. 296 By embedding both the Source Map-Version number and the Destination 297 Map-Version number, an ETR receiving a LISP packet with Map-Version 298 numbers can perform the following checks: 300 1. The ITR that has sent the packet has an up-to-date mapping in its 301 EID-to-RLOC Cache for the destination EID and is performing 302 encapsulation correctly. 304 2. In the case of bidirectional traffic, the mapping in the local 305 ETR EID-to-RLOC Cache for the source EID is up to date. 307 If one or both of the above conditions do not hold, the ETR can send 308 a Map-Request either to make the ITR aware that a new mapping is 309 available (see Section 5.1) or to update the mapping in the local 310 EID-to-RLOC Cache (see Section 5.2). 312 5.1. Handling Destination Map-Version Number 314 When an ETR receives a packet, the Destination Map-Version number 315 relates to the mapping for the destination EID for which the ETR is 316 an RLOC. This mapping is part of the ETR EID-to-RLOC Database. 317 Since the ETR is authoritative for the mapping, it has the correct 318 and up to-date Destination Map-Version number. A check on this 319 version number can be done, where the following cases can arise: 321 1. The packet arrives with the same Destination Map-Version number 322 stored in the EID-to-RLOC Database. This is the regular case. 323 The ITR sending the packet has in its EID-to-RLOC Cache an up-to- 324 date mapping. No further actions are needed. 326 2. The packet arrives with a Destination Map-Version number greater 327 (i.e., newer) than the one stored in the EID-to-RLOC Database. 328 Since the ETR is authoritative on the mapping, meaning that the 329 Map-Version number of its mapping is the correct one, this 330 implies that someone is not behaving correctly with respect to 331 the specifications. In this case, the packet carries a version 332 number that is not valid; otherwise, the ETR would have the same 333 number, and the packet SHOULD be silently dropped. 335 3. The packets arrive with a Destination Map-Version number smaller 336 (i.e., older) than the one stored in the EID-to-RLOC Database. 337 This means that the ITR sending the packet has an old mapping in 338 its EID-to-RLOC Cache containing stale information. The ETR MAY 339 choose to normally process the encapsulated datagram according to 340 [I-D.ietf-lisp-rfc6830bis]; however, the ITR sending the packet 341 has to be informed that a newer mapping is available. This is 342 done with a Map-Request message sent back to the ITR. The Map- 343 Request will either trigger a Map-Request back using the Solicit- 344 Map-Request (SMR) bit or it will piggyback the newer mapping. 345 These are not new mechanisms; how to use the SMR bit or how to 346 piggyback mappings in Map-Request messages is already described 347 in [I-D.ietf-lisp-rfc6833bis]. One feature introduced by Map- 348 Version numbers is the possibility of blocking traffic not using 349 the latest mapping. Indeed, after a certain number of retries, 350 if the Destination Map-Version number in the packets is not 351 updated, the ETR MAY drop packets with a stale Map-Version number 352 while strongly reducing the rate of Map-Request messages. This 353 is because either the ITR is refusing to use the mapping for 354 which the ETR is authoritative, or (worse) it might be some form 355 of attack. 357 The rule in the third case MAY be more restrictive. If the mapping 358 has been the same for a period of time as long as the Time To Live 359 (TTL) (defined in [I-D.ietf-lisp-rfc6833bis]) of the previous version 360 of the mapping, all packets arriving with an old Map-Version SHOULD 361 be silently dropped right away without issuing any Map-Request. Such 362 action is permitted because if the new mapping with the updated 363 version number has been unchanged for at least the same time as the 364 TTL of the older mapping, all the entries in the EID-to-RLOC Caches 365 of ITRs must have expired. Hence, all ITRs sending traffic should 366 have refreshed the mapping according to [I-D.ietf-lisp-rfc6833bis]. 367 If packets with old Map-Version numbers are still received, then 368 either someone has not respected the TTL or it is a form of spoof/ 369 attack. In both cases, this is not valid behavior with respect to 370 the specifications and the packet SHOULD be silently dropped. 372 LISP-encapsulated packets with the V-bit set, when the original 373 mapping in the EID-to-RLOC Database has the version number set to the 374 Null Map-Version value, MAY be silently dropped. As explained in 375 Section 4.1, if an EID-to-RLOC mapping has a Null Map-Version, it 376 means that ITRs, using the mapping for encapsulation, MUST NOT use a 377 Map-Version number in the LISP-specific header. 379 For LISP-encapsulated packets with the V-bit set, when the original 380 mapping in the EID-to-RLOC Database has the version number set to a 381 value different from the Null Map-Version value, a Destination Map- 382 Version number equal to the Null Map-Version value means that the 383 Destination Map-Version number MUST be ignored. 385 5.2. Handling Source Map-Version Number 387 When an ETR receives a packet, the Source Map-Version number relates 388 to the mapping for the source EID for which the ITR that sent the 389 packet is authoritative. If the ETR has an entry in its EID-to-RLOC 390 Cache for the source EID, then a check can be performed and the 391 following cases can arise: 393 1. The packet arrives with the same Source Map-Version number as 394 that stored in the EID-to-RLOC Cache. This is the correct 395 regular case. The ITR has in its EID-to-RLOC Cache an up-to-date 396 copy of the mapping. No further actions are needed. 398 2. The packet arrives with a Source Map-Version number greater 399 (i.e., newer) than the one stored in the local EID-to-RLOC Cache. 400 This means that the ETR has in its EID-to-RLOC Cache a mapping 401 that is stale and needs to be updated. A Map-Request SHOULD be 402 sent to get the new mapping for the source EID. This is a normal 403 Map-Request message sent through the mapping system and MUST 404 respect the specifications in [I-D.ietf-lisp-rfc6833bis], 405 including rate-limitation policies. 407 3. The packet arrives with a Source Map-Version number smaller 408 (i.e., older) than the one stored in the local EID-to-RLOC Cache. 409 Such a case is not valid with respect to the specifications. 410 Indeed, if the mapping is already present in the EID-to-RLOC 411 Cache, this means that an explicit Map-Request has been sent and 412 a Map-Reply has been received from an authoritative source. 413 Assuming that the mapping system is not corrupted, the Map- 414 Version in the EID-to-RLOC Cache is the correct one, while the 415 one carried by the packet is stale. In this situation, the 416 packet MAY be silently dropped. 418 If the ETR does not have an entry in the EID-to-RLOC Cache for the 419 source EID, then the Source Map-Version number can be ignored. 421 For LISP-encapsulated packets with the V-bit set, if the Source Map- 422 Version number is the Null Map-Version value, it means that the 423 Source Map-Version number MUST be ignored. 425 6. LISP Header and Map-Version Numbers 427 In order for the versioning approach to work, the LISP-specific 428 header has to carry both the Source Map-Version number and 429 Destination Map-Version number. This is done by setting the V-bit in 430 the LISP-specific header as defined in [I-D.ietf-lisp-rfc6830bis]. 431 When the V-bit is set and the P bit is reset (0), the low-order 24 432 bits of the first longword are used to transport both the source and 433 destination Map-Version numbers. In particular, the first 12 bits 434 are used for the Source Map-Version number and the second 12 bits for 435 the Destination Map-Version number. 437 Below is an example of a LISP header carrying version numbers. 439 0 1 2 3 440 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 441 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 442 / |N|L|E|V|I|P|K|K| Source Map-Version |Destination Map-Version| 443 LISP+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 444 \ | Instance ID/Locator Status Bits | 445 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 447 Source Map-Version number (12 bits): Map-Version of the mapping used 448 by the ITR to select the RLOC present in the "Source Routing 449 Locator" field. Section 5.2 describes how to set this value on 450 transmission and handle it on reception. 452 Destination Map-Version number (12 bits): Map-Version of the mapping 453 used by the ITR to select the RLOC present in the "Destination 454 Routing Locator" field. Section 5.1 describes how to set this 455 value on transmission and handle it on reception. 457 Not all of the LISP-encapsulated packets need to carry version 458 numbers. When Map-Version numbers are carried, the V-bit MUST be set 459 to 1. All permissible combinations of the flags when the V-bit is 460 set to 1 are described in [I-D.ietf-lisp-rfc6830bis]. 462 7. Map Record and Map-Version 464 To accommodate the proposed mechanism, the Map Records that are 465 transported in Map-Request/Map-Reply/Map-Register messages need to 466 carry the Map-Version number as well. For this purpose, the 12 bits 467 before the EID-AFI field in the Record that describes a mapping are 468 used (see [I-D.ietf-lisp-rfc6833bis] and reported here as an example. 470 0 1 2 3 471 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 472 +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 473 | | Record TTL | 474 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 475 R | Locator Count | EID mask-len | ACT |A| Reserved | 476 e +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 477 c | Rsvd | Map-Version Number | EID-Prefix-AFI | 478 o +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 479 r | EID-Prefix | 480 d +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 481 | /| Priority | Weight | M Priority | M Weight | 482 | L +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 483 | o | Unused Flags |L|p|R| Loc-AFI | 484 | c +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 485 | \| Locator | 486 +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 488 Map-Version Number: Map-Version of the mapping contained in the 489 Record. As explained in Section 4.1, this field can be zero (0), 490 meaning that no Map-Version is associated to the mapping; hence, 491 packets that are LISP encapsulated using this mapping MUST NOT 492 contain Map-Version numbers in the LISP-specific header, and the 493 V-bit MUST be set to 0. 495 This packet format works perfectly with xTRs that do not support Map- 496 Versioning, since they can simply ignore those bits. 498 8. Benefits and Case Studies for Map-Versioning 500 In the following sections, we provide more discussion on various 501 aspects and uses of Map-Versioning. Security observations are 502 grouped in Section 9. 504 8.1. Map-Versioning and Unidirectional Traffic 506 When using Map-Versioning, the LISP-specific header carries two Map- 507 Version numbers, for both source and destination mappings. This can 508 raise the question on what will happen in the case of unidirectional 509 flows, for instance, in the case presented in Figure 1, since the 510 LISP specification does not mandate that the ETR have a mapping for 511 the source EID. 513 +-----------------+ +-----------------+ 514 | Domain A | | Domain B | 515 | +---------+ +---------+ | 516 | | ITR A |----------->| ETR B | | 517 | +---------+ +---------+ | 518 | | | | 519 +-----------------+ +-----------------+ 521 Figure 1: Unidirectional traffic between LISP domains. 523 In the case of the ITR, the ITR is able to put both the source and 524 destination version number in the LISP header, since the Source Map- 525 Version number is in the ITR's database, while the Destination Map- 526 Version number is in the ITR's cache. 528 In the case of the ETR, the ETR simply checks only the Destination 529 Map-Version number in the same way as that described in Section 5, 530 ignoring the Source Map-Version number. 532 8.2. Map-Versioning and Interworking 534 Map-Versioning is compatible with the LISP interworking between LISP 535 and non-LISP sites as defined in [RFC6832]. LISP interworking 536 defines three techniques to make LISP sites and non-LISP sites, 537 namely Proxy-ITR, LISP-NAT, and Proxy-ETR. The following text 538 describes how Map-Versioning relates to these three mechanisms. 540 8.2.1. Map-Versioning and Proxy-ITRs 542 The purpose of the Proxy-ITR (PITR) is to encapsulate traffic 543 originating in a non-LISP site in order to deliver the packet to one 544 of the ETRs of the LISP site (cf. Figure 2). This case is very 545 similar to the unidirectional traffic case described in Section 8.1; 546 hence, similar rules apply. 548 +----------+ +-------------+ 549 | LISP | | non-LISP | 550 | Domain A | | Domain B | 551 | +-------+ +-----------+ | | 552 | | ETR A |<-------| Proxy ITR |<-------| | 553 | +-------+ +-----------+ | | 554 | | | | 555 +----------+ +-------------+ 557 Figure 2: Unidirectional traffic from non-LISP domain to LISP domain. 559 The main difference is that a Proxy-ITR does not have any mapping, 560 since it just encapsulates packets arriving from the non-LISP site, 561 and thus cannot provide a Source Map-Version. In this case, the 562 proxy-ITR will just put the Null Map-Version value as the Source Map- 563 Version number, while the receiving ETR will ignore the field. 565 With this setup, LISP Domain A is able to check whether or not the 566 PITR is using the latest mapping. 568 8.2.2. Map-Versioning and LISP-NAT 570 The LISP-NAT mechanism is based on address translation from non- 571 routable EIDs to routable EIDs and does not involve any form of 572 encapsulation. As such, Map-Versioning does not apply in this case. 574 8.2.3. Map-Versioning and Proxy-ETRs 576 The purpose of the Proxy-ETR (PETR) is to decapsulate traffic 577 originating in a LISP site in order to deliver the packet to the non- 578 LISP site (cf. Figure 3). One of the main reasons to deploy PETRs 579 is to bypass uRPF (Unicast Reverse Path Forwarding) checks on the 580 provider edge. 582 +----------+ +-------------+ 583 | LISP | | non-LISP | 584 | Domain A | | Domain B | 585 | +-------+ +-----------+ | | 586 | | ITR A |------->| Proxy ETR |------->| | 587 | +-------+ +-----------+ | | 588 | | | | 589 +----------+ +-------------+ 591 Figure 3: Unidirectional traffic from LISP domain to non-LISP domain. 593 A Proxy-ETR does not have any mapping, since it just decapsulates 594 packets arriving from the LISP site. In this case, the ITR will just 595 put the Null Map-Version value as the Destination Map-Version number, 596 while the receiving Proxy-ETR will ignore the field. 598 With this setup, the Proxy-ETR is able to check whether or not the 599 mapping has changed. 601 8.3. RLOC Shutdown/Withdraw 603 Map-Versioning can also be used to perform a graceful shutdown or 604 withdraw of a specific RLOC. This is achieved by simply issuing a 605 new mapping, with an updated Map-Version number where the specific 606 RLOC to be shut down is withdrawn or announced as unreachable (via 607 the R bit in the Map Record; see [I-D.ietf-lisp-rfc6833bis]), but 608 without actually turning it off. 610 Once no more traffic is received by the RLOC, it can be shut down 611 gracefully, because all sites actively using the mapping have updated 612 it. 614 8.4. Map-Version Additional Use Cases 616 The use of Map-Versioning can help in developing a lightweight 617 implementation of LISP. However, this comes with the price of not 618 supporting the Loc-Status-Bit, which may be useful in some contexts. 620 In the current LISP specifications, the set of RLOCs must always be 621 maintained ordered and consistent with the content of the Loc Status 622 Bits ([I-D.ietf-lisp-rfc6830bis]). With Map-Versioning, such types 623 of mechanisms can be avoided. When a new RLOC is added to a mapping, 624 it is not necessary to "append" new locators to the existing ones as 625 explained in [I-D.ietf-lisp-rfc6830bis]. A new mapping with a new 626 Map-Version number will be issued, and since the old locators are 627 still valid, the transition will occur with no disruptions. The same 628 applies for the case where an RLOC is withdrawn. There is no need to 629 maintain holes in the list of locators, as is the case when using 630 Locator Status Bits, for sites that are not using the RLOC that has 631 been withdrawn; in this case, the transition will occur with no 632 disruptions. 634 All of these operations, as already stated, do not need to maintain 635 any consistency among Locator Status Bits and in the way that the 636 RLOCs are stored in the EID-to-RLOC Cache. 638 9. Security Considerations 640 Map-Versioning does not introduce any security issues concerning both 641 the data plane and the control plane. On the contrary, as described 642 below, if Map-Versioning may also be used to update mappings in the 643 case of change in the reachability information (i.e., instead of the 644 Locator Status Bits), it is possible to reduce the effects of some 645 DoS or spoofing attacks that can happen in an untrusted environment. 647 Robustness of the Map-Versioning mechanism leverages on a trusted 648 Mapping Distribution System. A thorough security analysis of LISP is 649 documented in [RFC7835]. 651 9.1. Map-Versioning against Traffic Disruption 653 An attacker can try to disrupt ongoing communications by creating 654 LISP-encapsulated packets with wrong Locator Status Bits. If the xTR 655 blindly trusts the Locator Status Bits, it will change the 656 encapsulation accordingly, which can result in traffic disruption. 658 This does not happen in the case of Map-Versioning. As described in 659 Section 5, upon a version number change the xTR first issues a Map- 660 Request. The assumption is that the mapping distribution system is 661 sufficiently secure that Map-Request and Map-Reply messages and their 662 content can be trusted. Security issues concerning specific mapping 663 distribution systems are out of the scope of this document. In the 664 case of Map-Versioning, the attacker should "guess" a valid version 665 number that triggers a Map-Request as described in Section 5; 666 otherwise, the packet is simply dropped. Nevertheless, guessing a 667 version number that generates a Map-Request is easy; hence, it is 668 important to follow the rate-limitation policies described in 669 [I-D.ietf-lisp-rfc6833bis] in order to avoid DoS attacks. 671 Note that a similar level of security can be obtained with Loc Status 672 Bits by simply making it mandatory to verify any change through a 673 Map-Request. However, in this case Locator Status Bits lose their 674 meaning, because it does not matter anymore which specific bits have 675 changed; the xTR will query the mapping system and trust the content 676 of the received Map-Reply. Furthermore, there is no way to perform 677 filtering as in Map-Versioning in order to drop packets that do not 678 carry a valid Map-Version number. In the case of Locator Status 679 Bits, any random change can trigger a Map-Request (unless rate 680 limitation is enabled, which raises another type of attack as 681 discussed in Section 9.2). 683 9.2. Map-Versioning against Reachability Information DoS 685 Attackers can try to trigger a large number of Map-Requests by simply 686 forging packets with random Map-Versions or random Locator Status 687 Bits. In both cases, the Map-Requests are rate-limited as described 688 in [I-D.ietf-lisp-rfc6833bis]. However, in contrast to the Locator 689 Status Bit, where there is no filtering possible, in the case of Map- 690 Versioning it is possible to filter invalid version numbers before 691 triggering a Map-Request, thus helping to reduce the effects of DoS 692 attacks. In other words, the use of Map-Versioning enables a fine 693 control on when to update a mapping or when to notify someone that a 694 mapping has been updated. 696 It is clear that Map-Versioning does not protect against DoS and DDoS 697 attacks, where an xTR loses processing power when doing checks on the 698 LISP header of packets sent by attackers. This is independent of 699 Map-Versioning and is the same for Loc Status Bits. 701 10. Deployment Considerations 703 Even without Map-Versioning, LISP requires ETRs to announce the same 704 mapping for the same EID-Prefix to a requester. Map-Versioning does 705 not require additional synchronization mechanisms as compared to the 706 normal functioning of LISP without Map-Versioning. Clearly, all the 707 ETRs have to reply with the same Map-Version number; otherwise, there 708 can be an inconsistency that creates additional control traffic, 709 instabilities, and traffic disruptions. It is the same without Map- 710 Versioning, with ETRs that have to reply with the same mapping; 711 otherwise, the same problems arise. 713 There are two ways Map-Versioning is helpful with respect to the 714 synchronization problem. On the one hand, assigning version numbers 715 to mappings helps in debugging, since quick checks on the consistency 716 of the mappings on different ETRs can be done by looking at the Map- 717 Version number. On the other hand, Map-Versioning can be used to 718 control the traffic toward ETRs that announce the latest mapping. 720 As an example, let's consider the topology of Figure 4 where ITR A.1 721 of Domain A is sending unidirectional traffic to Domain B, while A.2 722 of Domain A exchanges bidirectional traffic with Domain B. In 723 particular, ITR A.2 sends traffic to ETR B, and ETR A.2 receives 724 traffic from ITR B. 726 +-----------------+ +-----------------+ 727 | Domain A | | Domain B | 728 | +---------+ | | 729 | | ITR A.1 |--- | | 730 | +---------+ \ +---------+ | 731 | | ------->| ETR B | | 732 | | ------->| | | 733 | +---------+ / | | | 734 | | ITR A.2 |--- -----| ITR B | | 735 | | | / +---------+ | 736 | | ETR A.2 |<----- | | 737 | +---------+ | | 738 | | | | 739 +-----------------+ +-----------------+ 741 Figure 4: Example topology. 743 Obviously, in the case of Map-Versioning, both ITR A.1 and ITR A.2 of 744 Domain A must use the same value; otherwise, the ETR of Domain B will 745 start to send Map-Requests. 747 The same problem can, however, arise without Map-Versioning, for 748 instance, if the two ITRs of Domain A send different Locator Status 749 Bits. In this case, either the traffic is disrupted if ETR B trusts 750 the Locator Status Bits, or if ETR B does not trust the Locator 751 Status Bits it will start sending Map-Requests to confirm each change 752 in reachability. 754 So far, LISP does not provide any specific synchronization mechanism 755 but assumes that synchronization is provided by configuring the 756 different xTRs consistently. The same applies for Map-Versioning. 757 If in the future any synchronization mechanism is provided, Map- 758 Versioning will take advantage of it automatically, since it is 759 included in the Record format, as described in Section 7. 761 11. IANA Considerations 763 This document includes no request to IANA. 765 12. References 767 12.1. Normative References 769 [I-D.ietf-lisp-rfc6830bis] 770 Farinacci, D., Fuller, V., Meyer, D., Lewis, D., and A. 771 Cabellos-Aparicio, "The Locator/ID Separation Protocol 772 (LISP)", draft-ietf-lisp-rfc6830bis-35 (work in progress), 773 September 2020. 775 [I-D.ietf-lisp-rfc6833bis] 776 Farinacci, D., Maino, F., Fuller, V., and A. Cabellos- 777 Aparicio, "Locator/ID Separation Protocol (LISP) Control- 778 Plane", draft-ietf-lisp-rfc6833bis-29 (work in progress), 779 September 2020. 781 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 782 Requirement Levels", BCP 14, RFC 2119, 783 DOI 10.17487/RFC2119, March 1997, 784 . 786 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 787 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 788 May 2017, . 790 12.2. Informative References 792 [RFC6832] Lewis, D., Meyer, D., Farinacci, D., and V. Fuller, 793 "Interworking between Locator/ID Separation Protocol 794 (LISP) and Non-LISP Sites", RFC 6832, 795 DOI 10.17487/RFC6832, January 2013, 796 . 798 [RFC6834] Iannone, L., Saucez, D., and O. Bonaventure, "Locator/ID 799 Separation Protocol (LISP) Map-Versioning", RFC 6834, 800 DOI 10.17487/RFC6834, January 2013, 801 . 803 [RFC7835] Saucez, D., Iannone, L., and O. Bonaventure, "Locator/ID 804 Separation Protocol (LISP) Threat Analysis", RFC 7835, 805 DOI 10.17487/RFC7835, April 2016, 806 . 808 Authors' Addresses 810 Luigi Iannone 811 Huawei Technologies France S.A.S.U 813 EMail: luigi.iannone@huawei.com 815 Damien Saucez 816 INRIA 818 EMail: damien.saucez@gmail.com 820 Olivier Bonaventure 821 Universite catholique de Louvain 823 EMail: olivier.bonaventure@uclouvain.be