idnits 2.17.1 draft-ietf-lisp-6834bis-14.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 21, 2022) is 668 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 6834 (Obsoleted by RFC 9302) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group L. Iannone 3 Internet-Draft Huawei Technologies France 4 Obsoletes: 6834 (if approved) D. Saucez 5 Intended status: Standards Track INRIA 6 Expires: December 23, 2022 O. Bonaventure 7 Universite catholique de Louvain 8 June 21, 2022 10 Locator/ID Separation Protocol (LISP) Map-Versioning 11 draft-ietf-lisp-6834bis-14 13 Abstract 15 This document describes the LISP (Locator/ID Separation Protocol) 16 Map-Versioning mechanism, which provides in-packet information about 17 Endpoint ID to Routing Locator (EID-to-RLOC) mappings used to 18 encapsulate LISP data packets. This approach is based on associating 19 a version number to EID-to-RLOC mappings and the transport of such a 20 version number in the LISP-specific header of LISP-encapsulated 21 packets. LISP Map-Versioning is particularly useful to inform 22 communicating Ingress Tunnel Routers (ITRs) and Egress Tunnel Routers 23 (ETRs) about modifications of the mappings used to encapsulate 24 packets. The mechanism is optional and transparent to 25 implementations not supporting this feature, since in the LISP- 26 specific header and in the Map Records, bits used for Map-Versioning 27 can be safely ignored by ITRs and ETRs that do not support or do not 28 want to use the mechanism. 30 This document obsoletes RFC 6834 "Locator/ID Separation Protocol 31 (LISP) Map-Versioning", which is the initial experimental 32 specifications of the mechanisms updated by this document. 34 Status of This Memo 36 This Internet-Draft is submitted in full conformance with the 37 provisions of BCP 78 and BCP 79. 39 Internet-Drafts are working documents of the Internet Engineering 40 Task Force (IETF). Note that other groups may also distribute 41 working documents as Internet-Drafts. The list of current Internet- 42 Drafts is at https://datatracker.ietf.org/drafts/current/. 44 Internet-Drafts are draft documents valid for a maximum of six months 45 and may be updated, replaced, or obsoleted by other documents at any 46 time. It is inappropriate to use Internet-Drafts as reference 47 material or to cite them other than as "work in progress." 48 This Internet-Draft will expire on December 23, 2022. 50 Copyright Notice 52 Copyright (c) 2022 IETF Trust and the persons identified as the 53 document authors. All rights reserved. 55 This document is subject to BCP 78 and the IETF Trust's Legal 56 Provisions Relating to IETF Documents 57 (https://trustee.ietf.org/license-info) in effect on the date of 58 publication of this document. Please review these documents 59 carefully, as they describe your rights and restrictions with respect 60 to this document. Code Components extracted from this document must 61 include Simplified BSD License text as described in Section 4.e of 62 the Trust Legal Provisions and are provided without warranty as 63 described in the Simplified BSD License. 65 Table of Contents 67 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 68 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4 69 3. Definitions of Terms . . . . . . . . . . . . . . . . . . . . 4 70 4. LISP-specific Header and Map-Version Numbers . . . . . . . . 4 71 5. Map Record and Map-Version . . . . . . . . . . . . . . . . . 5 72 6. EID-to-RLOC Map-Version Number . . . . . . . . . . . . . . . 6 73 6.1. The Null Map-Version . . . . . . . . . . . . . . . . . . 7 74 7. Dealing with Map-Version Numbers . . . . . . . . . . . . . . 7 75 7.1. Handling Destination Map-Version Number . . . . . . . . . 8 76 7.2. Handling Source Map-Version Number . . . . . . . . . . . 9 77 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 78 9. Deployment Considerations . . . . . . . . . . . . . . . . . . 11 79 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 80 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 81 11.1. Normative References . . . . . . . . . . . . . . . . . . 12 82 11.2. Informative References . . . . . . . . . . . . . . . . . 12 83 Appendix A. Benefits and Case Studies for Map-Versioning . . . . 14 84 A.1. Map-Versioning and Unidirectional Traffic . . . . . . . . 14 85 A.2. Map-Versioning and Interworking . . . . . . . . . . . . . 14 86 A.2.1. Map-Versioning and Proxy-ITRs . . . . . . . . . . . . 14 87 A.2.2. Map-Versioning and LISP-NAT . . . . . . . . . . . . . 15 88 A.2.3. Map-Versioning and Proxy-ETRs . . . . . . . . . . . . 15 89 A.3. RLOC Shutdown/Withdraw . . . . . . . . . . . . . . . . . 16 90 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 92 1. Introduction 94 This document describes the Map-Versioning mechanism used to provide 95 information on changes in the EID-to-RLOC (Endpoint ID to Routing 96 Locator) mappings used in the LISP (Locator/ID Separation Protocol 97 [I-D.ietf-lisp-rfc6830bis][I-D.ietf-lisp-rfc6833bis]) context to 98 perform packet encapsulation. The mechanism is totally transparent 99 to xTRs (Ingress and Egress Tunnel Routers) not supporting or not 100 using such functionality. [I-D.ietf-lisp-introduction] describes the 101 architecture of the Locator/ID Separation Protocol. It is expected 102 that the reader is familiar with this introductory document. 104 This document obsoletes [RFC6834], which is the initial experimental 105 specifications of the mechanisms updated by this document. 107 The basic mechanism is to associate a Map-Version number to each LISP 108 EID-to-RLOC mapping and transport such a version number in the LISP- 109 specific header. When a mapping changes, a new version number is 110 assigned to the updated mapping. A change in an EID-to-RLOC mapping 111 can be a modification in the RLOCs set such as addition, removal, or 112 change in priority or weight of one or more RLOCs. 114 When Map-Versioning is used, LISP-encapsulated data packets contain 115 the version number of the two mappings used to select the RLOCs in 116 the outer header (i.e., both source and destination RLOCs). This 117 information has two uses. On the one hand, it enables the ETR 118 (Egress Tunnel Router) receiving the packet to know if the ITR 119 (Ingress Tunnel Router) is using the latest mapping version for the 120 destination EID. If this is not the case, the ETR can directly send 121 a Map-Request containing the updated mapping to the ITR, to notify it 122 of the latest version. The ETR can also solicit the ITR to trigger a 123 Map-Request to obtain the latest mapping by sending it a Solicit Map- 124 Request (SMR) message. Both cases are defined in 125 [I-D.ietf-lisp-rfc6833bis]. On the other hand, it enables an ETR 126 receiving such a packet to know if it has in its EID-to-RLOC Map- 127 Cache the latest mapping for the source EID. If this is not the 128 case, a Map-Request can be sent. 130 Considerations about the deployment of LISP Map-Versioning are 131 discussed in Section 9. 133 Benefits brought by Map-Versioning in some common LISP-related use 134 cases are discussed in Appendix A. 136 2. Requirements Notation 138 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 139 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 140 "OPTIONAL" in this document are to be interpreted as described in BCP 141 14 [RFC2119] [RFC8174] when, and only when, they appear in all 142 capitals, as shown here. 144 3. Definitions of Terms 146 This document uses terms already defined in the main LISP 147 specification ([I-D.ietf-lisp-rfc6830bis], 148 [I-D.ietf-lisp-rfc6833bis]). Here, we define the terms that are 149 specific to the Map-Versioning mechanism. Throughout the whole 150 document, Big Endian bit ordering is used. 152 Map-Version number: An unsigned 12-bit integer is assigned to an 153 EID-to-RLOC mapping, indicating its version number (Section 6). 155 Null Map-Version: A Map-Version number with a value of 0x000 (zero), 156 used to signal that the Map-Version feature is not used and no Map- 157 Version number is assigned to the EID-to-RLOC mapping 158 (Section 6.1). 160 Dest Map-Version number: Map-Version of the mapping in the EID-to- 161 RLOC Map-Cache used by the ITR to select the RLOC present in the 162 "Destination Routing Locator" field of the outer IP header of LISP- 163 encapsulated packets (Section 7.1). 165 Source Map-Version number: Map-Version of the mapping in the EID-to- 166 RLOC Database used by the ITR to select the RLOC present in the 167 "Source Routing Locator" field of the outer IP header of LISP- 168 encapsulated packets (Section 7.2). 170 4. LISP-specific Header and Map-Version Numbers 172 In order for the versioning approach to work, the LISP-specific 173 header has to carry both the Source Map-Version number and Dest Map- 174 Version number. This is done by setting the V-bit in the LISP- 175 specific header as specified in [I-D.ietf-lisp-rfc6830bis] and shown 176 in the example in Figure 1. All permissible combinations of the 177 flags when the V-bit is set to 1 are described in 178 [I-D.ietf-lisp-rfc6830bis]. Not all of the LISP-encapsulated packets 179 need to carry version numbers. When the V-bit is set, the LISP- 180 specific header has the following encoding: 182 0 1 2 3 183 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 184 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 185 |N|L|E|V|I|R|K|K| Source Map-Version | Dest Map-Version | 186 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 187 | Instance ID/Locator-Status-Bits | 188 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 190 Figure 1: LISP-Specific header example when Map-Versioning is in use. 192 Source Map-Version number (12 bits): See Section 3. 194 Dest Map-Version number (12 bits): See Section 3. 196 5. Map Record and Map-Version 198 To accommodate the mechanism, the Map Records that are transported in 199 Map-Request/Map-Reply/Map-Register messages need to carry the Map- 200 Version number as well. For reference, the Map Record (specified in 201 [I-D.ietf-lisp-rfc6833bis]) is reported here as an example in 202 Figure 2. This memo does not change the operation of Map-Request/ 203 Map-Reply/Map-Register messages, they continue to be used as 204 specified in [I-D.ietf-lisp-rfc6833bis]. 206 0 1 2 3 207 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 208 +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 209 | | Record TTL | 210 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 211 R | Locator Count | EID mask-len | ACT |A| Reserved | 212 e +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 213 c | Rsvd | Map-Version Number | EID-Prefix-AFI | 214 o +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 215 r | EID-Prefix | 216 d +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 217 | /| Priority | Weight | M Priority | M Weight | 218 | L +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 219 | o | Unused Flags |L|p|R| Loc-AFI | 220 | c +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 221 | \| Locator | 222 +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 224 Figure 2: Map-Record format example. 226 Map-Version Number: Map-Version of the mapping contained in the 227 Record. As explained in Section 6.1, this field can be zero (0), 228 meaning that no Map-Version is associated to the mapping. 230 This packet format is backward compatible with xTRs that do not 231 support Map-Versioning, since they can simply ignore those bits. 233 A Map-Server receiving a message with an unexpected Map-Version 234 number, like for instance an old one, MUST silently drop the message 235 and an appropriate log action SHOULD be taken. 237 6. EID-to-RLOC Map-Version Number 239 The EID-to-RLOC Map-Version number consists of an unsigned 12-bit 240 integer. The version number is assigned on a per-mapping basis, 241 meaning that different mappings have a different version number, 242 which is also updated independently. An update in the version number 243 (i.e., a newer version) MUST consist of an increment of the older 244 version number (only exception is for the Null Map-Version as 245 explained in at the end of Section 6.1). 247 The space of version numbers has a circular order where half of the 248 version numbers are considered greater (i.e., newer) than the current 249 Map-Version number and the other half of the version numbers are 250 considered smaller (i.e., older) than the current Map-Version number. 251 This is basically a serial number on which the arithmetic described 252 in [RFC1982] applies. The ordering enables reacting differently to 253 "older" and "newer" Map-Version number, discarding the packet in the 254 former case and triggering a Map-Request in the latter (see Section 7 255 for further details). In a formal way, assuming that we have two 256 version numbers V1 and V2, both different from the special value Null 257 Map-Version (see Section 6.1), and that the numbers are expressed on 258 12 bits, the following steps MUST be performed (in the same order as 259 shown below) to strictly define their order: 261 1. V1 = V2 : The Map-Version numbers are the same. 263 2. V2 > V1 : if and only if 265 V2 > V1 AND (V2 - V1) <= 2**(12-1) 267 OR 269 V1 > V2 AND (V1 - V2) > 2**(12-1) 271 3. V1 > V2 : otherwise. 273 Using 12 bits and assuming a Map-Version value of 69, Map-Version 274 numbers in the range [70; 69 + 2048] are greater than 69, while Map- 275 Version numbers in the range [69 + 2049; (69 + 4095) mod 4096] are 276 smaller than 69. 278 The initial Map-Version number of a new EID-to-RLOC mapping SHOULD be 279 assigned randomly, but it MUST NOT be set to the Null Map-Version 280 value (0x000), because the Null Map-Version number has a special 281 meaning (see Section 6.1). Optionally, the initial Map-version 282 number may be configured. 284 Upon reboot, an ETR will use mappings configured in its EID-to-RLOC 285 Database. If those mappings have a Map-Version number, it will be 286 used according to the mechanisms described in this document. ETRs 287 MUST NOT automatically generate and assign Map-Version numbers to 288 mappings in the EID-to-RLOC Database. 290 6.1. The Null Map-Version 292 The value 0x000 (zero) is a special Map-Version number indicating 293 that there is actually no version number associated to the EID-to- 294 RLOC mapping. Such a value is used for special purposes and is named 295 the Null Map-Version number. 297 Map Records that have a Null Map-Version number indicate that there 298 is no Map-Version number associated with the mapping. This means 299 that LISP-encapsulated packets destined to the EID-Prefix referred to 300 by the Map Record MUST NOT contain any Map-Version numbers (V bit set 301 to 0). If an ETR receives LISP-encapsulated packets with the V-bit 302 set, when the original mapping in the EID-to-RLOC Database has the 303 version number set to the Null Map-Version value, then those packets 304 MUST be silently dropped. 306 The Null Map-Version may appear in the LISP-specific header as a 307 Source Map-Version number (Section 7.2). When the Source Map-Version 308 number is set to the Null Map-Version value, it means that no map 309 version information is conveyed for the source site. This means that 310 if a mapping exists for the source EID in the EID-to-RLOC Map-Cache, 311 then the ETR MUST NOT compare the received Null Map-Version with the 312 content of the EID-to-RLOC Map-Cache (Section 7.2). 314 The fact that the 0 value has a special meaning for the Map-Version 315 number implies that, when updating a Map-Version number because of a 316 change in the mapping, if the next value is 0, then the Map-Version 317 number MUST be incremented by 2 (i.e., set to 1 (0x001), which is the 318 next valid value). 320 7. Dealing with Map-Version Numbers 322 The main idea of using Map-Version numbers is that whenever there is 323 a change in the mapping (e.g., adding/removing RLOCs, a change in the 324 weights due to Traffic Engineering policies, or a change in the 325 priorities) or a LISP site realizes that one or more of its own RLOCs 326 are not reachable anymore from a local perspective (e.g., through 327 IGP, or policy changes) the LISP site updates the mapping, also 328 assigning a new Map-Version number. Only the latest Map-Version 329 number has to be considered valid. Mapping updates, and their 330 corresponding Map Version Number must be managed so that a very old 331 version number will not be confused as a new version number (because 332 of the circular numbering space). To this end simple measures can be 333 taken, like updating a mapping only when all active traffic is using 334 the latest version, or waiting sufficient time to be sure that 335 mapping in LISP caches expire, which means waiting at least as much 336 as the mapping Time-To-Live (as defined in 337 [I-D.ietf-lisp-rfc6833bis]). 339 An ETR receiving a LISP packet with Map-Version numbers checks the 340 following predicates: 342 1. The ITR that has sent the packet has an up-to-date mapping in its 343 EID-to-RLOC Map-Cache for the destination EID and is performing 344 encapsulation correctly. See Section 7.1 for details. 346 2. In the case of bidirectional traffic, the mapping in the local 347 ETR EID-to-RLOC Map-Cache for the source EID is up-to-date. See 348 Section 7.2 for details. 350 7.1. Handling Destination Map-Version Number 352 When an ETR receives a packet, the Dest Map-Version number relates to 353 the mapping for the destination EID for which the ETR is an RLOC. 354 This mapping is part of the ETR EID-to-RLOC Database. Since the ETR 355 is authoritative for the mapping, it has the correct and up-to-date 356 Dest Map-Version number. A check on this version number MUST be 357 done, where the following cases can arise: 359 1. The packet arrives with the same Dest Map-Version number stored 360 in the EID-to-RLOC Database. This is the regular case. The ITR 361 sending the packet has in its EID-to-RLOC Map-Cache an up-to-date 362 mapping. No further actions are needed. 364 2. The packet arrives with a Dest Map-Version number newer (as 365 defined in Section 6) than the one stored in the EID-to-RLOC 366 Database. Since the ETR is authoritative on the mapping, meaning 367 that the Map-Version number of its mapping is the correct one, 368 the packet carries a version number that is not considered valid 369 and packet MUST be silently dropped and an appropriate log action 370 SHOULD be taken. 372 3. The packet arrives with a Dest Map-Version number older (as 373 defined in Section 6) than the one stored in the EID-to-RLOC 374 Database. This means that the ITR sending the packet has an old 375 mapping in its EID-to-RLOC Map-Cache containing stale 376 information. The ETR MAY choose to normally process the 377 encapsulated datagram according to [I-D.ietf-lisp-rfc6830bis]; 378 however, the ITR sending the packet MUST be informed that a newer 379 mapping is available, respecting rate-limitation policies 380 described in [I-D.ietf-lisp-rfc6833bis]. This is done with a 381 Map-Request message sent back to the ITR, as specified in 382 [I-D.ietf-lisp-rfc6833bis]. One feature introduced by Map- 383 Version numbers is the possibility of blocking traffic not using 384 the latest mapping. This can happen if an ITR is not updating 385 the mapping for which the ETR is authoritative, or it might be 386 some form of attack. According to rate limitation policy defined 387 in [I-D.ietf-lisp-rfc6833bis] for Map-Request messages, after 10 388 retries Map-Requests are sent every 30 seconds, if after the 389 first 10 retries the Dest Map-Version number in the packets is 390 not updated, the ETR SHOULD drop packets with a stale Map-Version 391 number. Operators can configure exceptions to this 392 recommendation, which are outside the scope of this document. 394 The rule in the third case MAY be more restrictive. If the Record 395 TTL of the previous mapping has already expired, all packets arriving 396 with an old Map-Version MUST be silently dropped right away without 397 issuing any Map-Request. Such action is permitted because if the new 398 mapping with the updated version number has been unchanged for at 399 least the same time as the Record TTL of the older mapping, all the 400 entries in the EID-to-RLOC Map-Caches of ITRs must have expired. 401 Indeed, all ITRs sending traffic should have refreshed the mapping 402 according to [I-D.ietf-lisp-rfc6833bis]. 404 It is a protocol violation for LISP-encapsulated packets to contain a 405 Dest Map-Version number equal to the Null Map-Version number, see 406 Section 6.1. 408 7.2. Handling Source Map-Version Number 410 When an ETR receives a packet, the Source Map-Version number relates 411 to the mapping for the source EID for which the ITR that sent the 412 packet is authoritative. If the ETR has an entry in its EID-to-RLOC 413 Map-Cache for the source EID, then a check MUST be performed and the 414 following cases can arise: 416 1. The packet arrives with the same Source Map-Version number as 417 that stored in the EID-to-RLOC Map-Cache. This is the regular 418 case. The ETR has in its EID-to-RLOC Map-Cache an up-to-date 419 copy of the mapping. No further actions are needed. 421 2. The packet arrives with a Source Map-Version number newer (as 422 defined in Section 6) than the one stored in the local EID-to- 423 RLOC Map-Cache. This means that the ETR has in its EID-to-RLOC 424 Map-Cache a mapping that is stale and needs to be updated. A 425 Map-Request MUST be sent to get the new mapping for the source 426 EID, respecting rate-limitation policies described in 427 [I-D.ietf-lisp-rfc6833bis]. 429 3. The packet arrives with a Source Map-Version number older (as 430 defined in Section 6) than the one stored in the local EID-to- 431 RLOC Map-Cache. Note that if the mapping is already present in 432 the EID-to-RLOC Map-Cache, this means that an explicit Map- 433 Request has been sent and a Map-Reply has been received from an 434 authoritative source. In this situation, the packet SHOULD be 435 silently dropped. Operators can configure exceptions to this 436 recommendation, which are outside the scope of this document. 438 If the ETR does not have an entry in the EID-to-RLOC Map-Cache for 439 the source EID, then the Source Map-Version number MUST be ignored. 440 See Appendix A.1 for an example of when this situation can arise. 442 8. Security Considerations 444 This document builds on the specification and operation of the LISP 445 control and data planes. The Security Considerations of 446 [I-D.ietf-lisp-rfc6830bis] and [I-D.ietf-lisp-rfc6833bis] apply and, 447 as such, Map-Versioning MUST NOT be used over the public Internet and 448 MUST only be used in trusted and closed deployments. A thorough 449 security analysis of LISP is documented in [RFC7835]. 451 Attackers can try to trigger a large number of Map-Requests by simply 452 forging packets with random Map-Versions. The Map-Requests are rate- 453 limited as described in [I-D.ietf-lisp-rfc6833bis]. With Map- 454 Versioning it is possible to filter packet carrying invalid version 455 numbers before triggering a Map-Request, thus helping to reduce the 456 effects of DoS attacks. However, it might not be enough to really 457 protect from a DDoS attack. 459 The present memo includes log action to be taken upon certains event. 460 It is recommended that implementations include mechanisms (which are 461 beyond the scope of this document) to avoid log resource exhaustion 462 attacks. 464 The specifications in the present memo are relatively conservative in 465 the sense that in several cases the packets are dropped. Such an 466 approach is the outcome of considerations made about the possible 467 risks that data-plane-triggered control-plane actions can be used to 468 carry out attacks. There exists corner cases where, even with an 469 invalid Map-Version number, forwarding the packet might be 470 potentially considered safe, however, system manageability has been 471 given priority with respect to having to put in place more machinery 472 to be able to identify leggitimate traffic. 474 9. Deployment Considerations 476 LISP requires multiple ETRs within the same site to provide identical 477 mappings for a given EID-Prefix. Map-Versioning does not require 478 additional synchronization mechanisms. Clearly, all the ETRs have to 479 reply with the same mapping including same Map-Version number; 480 otherwise, there can be an inconsistency that creates additional 481 control traffic, instabilities, and traffic disruptions. 483 There are two ways Map-Versioning is helpful with respect to 484 synchronization. On the one hand, assigning version numbers to 485 mappings helps in debugging, since quick checks on the consistency of 486 the mappings on different ETRs can be done by looking at the Map- 487 Version number. On the other hand, Map-Versioning can be used to 488 control the traffic toward ETRs that announce the latest mapping. 490 As an example, let's consider the topology of Figure 3 where ITR A.1 491 of Domain A is sending unidirectional traffic to Domain B, while A.2 492 of Domain A exchanges bidirectional traffic with Domain B. In 493 particular, ITR A.2 sends traffic to ETR B, and ETR A.2 receives 494 traffic from ITR B. 496 +-----------------+ +-----------------+ 497 | Domain A | | Domain B | 498 | +---------+ | | 499 | | ITR A.1 |--- | | 500 | +---------+ \ +---------+ | 501 | | ------->| ETR B | | 502 | | ------->| | | 503 | +---------+ / | | | 504 | | ITR A.2 |--- -----| ITR B | | 505 | | | / +---------+ | 506 | | ETR A.2 |<----- | | 507 | +---------+ | | 508 | | | | 509 +-----------------+ +-----------------+ 511 Figure 3: Example topology. 513 Obviously, in the case of Map-Versioning, both ITR A.1 and ITR A.2 of 514 Domain A must use the same value; otherwise, the ETR of Domain B will 515 start to send Map-Requests. 517 The same problem can, however, arise without Map-Versioning, for 518 instance, if the two ITRs of Domain A send different Locator-Status- 519 Bits. In this case, either the traffic is disrupted if ETR B does 520 not verify reachability, or if ETR B will start sending Map-Requests 521 to confirm each change in reachability. 523 So far, LISP does not provide any specific synchronization mechanism 524 but assumes that synchronization is provided by configuring the 525 different xTRs consistently. The same applies for Map-Versioning. 526 If in the future any synchronization mechanism is provided, Map- 527 Versioning will take advantage of it automatically, since it is 528 included in the Map Record format, as described in Section 5. 530 10. IANA Considerations 532 This document includes no request to IANA. 534 11. References 536 11.1. Normative References 538 [I-D.ietf-lisp-rfc6830bis] 539 Farinacci, D., Fuller, V., Meyer, D., Lewis, D., and A. 540 Cabellos-Aparicio, "The Locator/ID Separation Protocol 541 (LISP)", draft-ietf-lisp-rfc6830bis-38 (work in progress), 542 May 2022. 544 [I-D.ietf-lisp-rfc6833bis] 545 Farinacci, D., Maino, F., Fuller, V., and A. Cabellos- 546 Aparicio, "Locator/ID Separation Protocol (LISP) Control- 547 Plane", draft-ietf-lisp-rfc6833bis-31 (work in progress), 548 May 2022. 550 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 551 Requirement Levels", BCP 14, RFC 2119, 552 DOI 10.17487/RFC2119, March 1997, 553 . 555 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 556 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 557 May 2017, . 559 11.2. Informative References 561 [I-D.ietf-lisp-introduction] 562 Cabellos-Aparicio, A. and D. Saucez, "An Architectural 563 Introduction to the Locator/ID Separation Protocol 564 (LISP)", draft-ietf-lisp-introduction-15 (work in 565 progress), September 2021. 567 [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982, 568 DOI 10.17487/RFC1982, August 1996, 569 . 571 [RFC6832] Lewis, D., Meyer, D., Farinacci, D., and V. Fuller, 572 "Interworking between Locator/ID Separation Protocol 573 (LISP) and Non-LISP Sites", RFC 6832, 574 DOI 10.17487/RFC6832, January 2013, 575 . 577 [RFC6834] Iannone, L., Saucez, D., and O. Bonaventure, "Locator/ID 578 Separation Protocol (LISP) Map-Versioning", RFC 6834, 579 DOI 10.17487/RFC6834, January 2013, 580 . 582 [RFC7835] Saucez, D., Iannone, L., and O. Bonaventure, "Locator/ID 583 Separation Protocol (LISP) Threat Analysis", RFC 7835, 584 DOI 10.17487/RFC7835, April 2016, 585 . 587 Appendix A. Benefits and Case Studies for Map-Versioning 589 In the following sections, we provide more discussion on various 590 aspects and uses of Map-Versioning. Security observations are 591 grouped in Section 8. 593 A.1. Map-Versioning and Unidirectional Traffic 595 When using Map-Versioning, the LISP-specific header carries two Map- 596 Version numbers, for both source and destination mappings. This can 597 raise the question on what will happen in the case of unidirectional 598 flows, for instance, in the case presented in Figure 4, since the 599 LISP specifications do not mandate that the ETR have a mapping from 600 the source EID. 602 +-----------------+ +-----------------+ 603 | Domain A | | Domain B | 604 | +---------+ +---------+ | 605 | | ITR A |----------->| ETR B | | 606 | +---------+ +---------+ | 607 | | | | 608 +-----------------+ +-----------------+ 610 Figure 4: Unidirectional traffic between LISP domains. 612 An ITR is able to put both the source and destination version numbers 613 in the LISP-specific header since the Source Map-Version number is in 614 its database while the Destination Map-Version number is in its 615 cache. 617 The ETR checks only the Dest Map-Version number, ignoring the Source 618 Map-Version number as specified in the final sentence of Section 7.2, 619 ignoring the Source Map-Version number. 621 A.2. Map-Versioning and Interworking 623 Map-Versioning is compatible with the LISP interworking between LISP 624 and non-LISP sites as defined in [RFC6832]. LISP interworking 625 defines three techniques to allow communication LISP sites and non- 626 LISP sites, namely: Proxy-ITR, LISP-NAT, and Proxy-ETR. The 627 following text describes how Map-Versioning relates to these three 628 mechanisms. 630 A.2.1. Map-Versioning and Proxy-ITRs 632 The purpose of the Proxy-ITR (PITR) is to encapsulate traffic 633 originating in a non-LISP site in order to deliver the packet to one 634 of the ETRs of the LISP site (cf. Figure 5). This case is very 635 similar to the unidirectional traffic case described in Appendix A.1; 636 hence, similar rules apply. 638 +----------+ +-------------+ 639 | LISP | | non-LISP | 640 | Domain A | | Domain B | 641 | +-------+ +-----------+ | | 642 | | ETR A |<-------| Proxy ITR |<-------| | 643 | +-------+ +-----------+ | | 644 | | | | 645 +----------+ +-------------+ 647 Figure 5: Unidirectional traffic from non-LISP domain to LISP domain. 649 The main difference is that a Proxy-ITR does not have any mapping, 650 since it just encapsulates packets arriving from the non-LISP site, 651 and thus cannot provide a Source Map-Version. In this case, the 652 proxy-ITR will just put the Null Map-Version value as the Source Map- 653 Version number, while the receiving ETR will ignore the field. 655 With this setup, LISP Domain A is able to check whether the PITR is 656 using the latest mapping. The Proxy ITR will put in the Dest Map- 657 Version Number, of the LISP-specific header, the version number of 658 the mapping it is using for encapsulation, the ETR A can use such 659 value as defined in Section 7.1. 661 A.2.2. Map-Versioning and LISP-NAT 663 The LISP-NAT mechanism is based on address translation from non- 664 routable EIDs to routable EIDs and does not involve any form of 665 encapsulation. As such, Map-Versioning does not apply in this case. 667 A.2.3. Map-Versioning and Proxy-ETRs 669 The purpose of the Proxy-ETR (PETR) is to decapsulate traffic 670 originating in a LISP site in order to deliver the packet to the non- 671 LISP site (cf. Figure 6). One of the main reasons to deploy PETRs 672 is to bypass Unicast Reverse Path Forwarding checks on the domain. 674 +----------+ +-------------+ 675 | LISP | | non-LISP | 676 | Domain A | | Domain B | 677 | +-------+ +-----------+ | | 678 | | ITR A |------->| Proxy ETR |------->| | 679 | +-------+ +-----------+ | | 680 | | | | 681 +----------+ +-------------+ 683 Figure 6: Unidirectional traffic from LISP domain to non-LISP domain. 685 A Proxy-ETR does not have any mapping, since it just decapsulates 686 packets arriving from the LISP site. In this case, the ITR can 687 interchangeably put a Map-Version value or the Null Map-Version value 688 as the Dest Map-Version number since the receiving Proxy-ETR will 689 ignore the field. 691 With this setup, the Proxy-ETR, by looking at the Source Map-Version 692 Number, is able to check whether the mapping of the source EID has 693 changed. This is useful to perform source RLOC validation. In the 694 example above, traffic coming from LISP domain has to be LISP- 695 encapsulated with a source address being an RLOC of the domain. The 696 Proxy ETR can retrieve the mapping associated to the LISP domain and 697 check if incoming LISP-encapsulated traffic is arriving from a valid 698 RLOC. A change in the RLOC set that can be used as source addresses 699 can be signaled via the version number, with the Proxy ETR able to 700 request the latest mapping if necessary as described in Section 7.2. 702 A.3. RLOC Shutdown/Withdraw 704 Map-Versioning can also be used to perform a graceful shutdown or 705 withdraw of a specific RLOC. This is achieved by simply issuing a 706 new mapping, with an updated Map-Version number where the specific 707 RLOC to be shut down is withdrawn or announced as unreachable (via 708 the R bit in the Map Record; see [I-D.ietf-lisp-rfc6833bis]), but 709 without actually turning it off. 711 Upon updating the mapping, the RLOC will receive less and less 712 traffic because remote LISP sites will request the updated mapping 713 and see that it is disabled. At least one TTL, plus a little time 714 for traffic transit, after the mapping is updated, it should be safe 715 to shut down the RLOC gracefully, because all sites actively using 716 the mapping should have been updated. 718 Note that a change in ETR for a flow can result in the re-ordering of 719 the packet in the flow just as any other routing change could cause 720 re-ordering. 722 Authors' Addresses 724 Luigi Iannone 725 Huawei Technologies France 727 EMail: luigi.iannone@huawei.com 729 Damien Saucez 730 INRIA 732 EMail: damien.saucez@inria.fr 734 Olivier Bonaventure 735 Universite catholique de Louvain 737 EMail: olivier.bonaventure@uclouvain.be