Network Working Group                                          V. Fuller
Internet-Draft                                              D. Farinacci
Intended status: Experimental                                   D. Meyer
Expires: November 27, 2009                                      D. Lewis
                                                                   Cisco
                                                            May 26, 2009

LISP Alternative Topology (LISP+ALT)
draft-ietf-lisp-alt-01.txt

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on November 27, 2009.

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Abstract

This document describes a method of building an alternative, logical topology for managing Endpoint Identifier to Routing Locator mappings using the Locator/ID Separation Protocol.
The logical network is built as an overlay on the public Internet using existing technologies and tools, specifically the Border Gateway Protocol and the Generic Routing Encapsulation. An important design goal for LISP+ALT is to allow for the relatively easy deployment of an efficient mapping system while minimizing changes to existing hardware and software.

Table of Contents

   1. Requirements Notation
   2. Introduction
   3. Definition of Terms
   4. The LISP 1.5 model
      4.1. Connectivity to non-LISP sites
      4.2. Caveats on the use of Data Probes
   5. LISP+ALT: Overview
      5.1. ITR traffic handling
      5.2. EID Assignment - Hierarchy and Topology
      5.3. LISP+ALT Router
      5.4. ITR and ETR in a LISP+ALT Environment
      5.5. Use of GRE and BGP between LISP+ALT Routers
   6. EID Prefix Propagation and Map-Request Forwarding
      6.1. Changes to ITR behavior with LISP+ALT
      6.2. Changes to ETR behavior with LISP+ALT
   7. BGP configuration and protocol considerations
      7.1. Autonomous System Numbers (ASNs) in LISP+ALT
      7.2. Sub-Address Family Identifier (SAFI) for LISP+ALT
   8. EID-Prefix Aggregation
      8.1. Traffic engineering with LISP and LISP+ALT
      8.2. Edge aggregation and dampening
   9. Connecting sites to the ALT network
      9.1. ETRs originating information into the ALT
      9.2. ITRs Using the ALT
   10. IANA Considerations
   11. Security Considerations
      11.1. Apparent LISP+ALT Vulnerabilities
      11.2. Survey of LISP+ALT Security Mechanisms
      11.3. Using existing BGP Security mechanisms
   12. Acknowledgments
   13. References
      13.1. Normative References
      13.2. Informative References
   Authors' Addresses

1. Requirements Notation

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2. Introduction

This document describes a method of building an alternative logical topology for managing Endpoint Identifier to Routing Locator mappings using the Locator/ID Separation Protocol [LISP]. This logical topology uses existing technology and tools, specifically the Border Gateway Protocol [RFC4271] and its multi-protocol extension [RFC2858], along with the Generic Routing Encapsulation [RFC2784] protocol, to construct an overlay network of devices that advertise EID-prefixes only. These Endpoint Identifier Prefix Aggregators hold hierarchically-assigned pieces of the Endpoint Identifier space (i.e., prefixes) and their next hops toward the network element which is authoritative for Endpoint Identifier-to-Routing Locator mapping for that prefix.
Tunnel routers can use this overlay to make queries against, and respond to mapping requests made against, the distributed Endpoint Identifier-to-Routing Locator mapping database. Note that the database is distributed (as described in [LISP]) and is stored in the ETRs.

Note that an important design goal of LISP+ALT is to minimize the number of changes to existing hardware and/or software that are required to deploy the mapping system. It is envisioned that in most cases existing technology can be used to implement and deploy LISP+ALT. Since the deployment of LISP+ALT adds new devices to the network, existing devices do not need changes or upgrades. They can function as they are to realize an underlying and robust physical topology.

The remainder of this document is organized as follows: Section 3 provides the definitions of terms used in this document. Section 4 outlines the basic LISP 1.5 model. Section 5 provides a basic overview of the LISP Alternate Topology architecture, and Section 6 describes how the ALT uses BGP to propagate Endpoint Identifier reachability over the overlay network. Section 8 describes the construction of the ALT aggregation hierarchy, and Section 9 discusses how LISP+ALT elements are connected to form the overlay network.

3. Definition of Terms

LISP+ALT operates on two name spaces and introduces a new network element, the LISP+ALT Router (see below). This section provides high-level definitions of the LISP+ALT name spaces, network elements, and message types.

   The Alternative Logical Topology (ALT): The virtual overlay network made up of tunnels between EID Prefix Aggregators. The Border Gateway Protocol (BGP) runs between LISP+ALT routers and is used to carry reachability information for EID prefixes.

   Legacy Internet: The portion of the Internet which does not run LISP and does not participate in LISP+ALT.
   LISP+ALT Router: The devices which run on the ALT. The ALT is a static network built using tunnels between LISP+ALT routers. These routers are deployed in a hierarchy in which routers at each level in this hierarchy are responsible for aggregating all EID prefixes learned from those logically "below" them and advertising summary prefixes to the routers logically "above" them. All prefix learning and propagation between levels is done using BGP. LISP+ALT routers at the lowest level, or "edge", of the ALT learn EID prefixes either over a BGP session to ETRs or through static routes (in the case of the "low-opex ETR"). See Section 7 for details on how BGP is configured between the different network elements.

   The primary function of LISP+ALT routers is to provide a lightweight forwarding infrastructure for LISP control-plane messages (Map-Request and Map-Reply), and to transport data packets when the packet has the same destination address in both the inner (encapsulated) destination and outer destination addresses (i.e., a Data Probe packet).

   Endpoint ID (EID): A 32-bit (for IPv4) or 128-bit (for IPv6) value used in the source and destination address fields of the first (innermost) LISP header of a packet. A packet that is emitted by a system contains EIDs in its headers, and LISP headers are prepended only when the packet reaches an Ingress Tunnel Router (ITR) on the data path to the destination EID.

   In LISP+ALT, EID-prefixes MUST be assigned in a hierarchical manner (in power-of-two blocks) such that they can be aggregated by LISP+ALT routers. In addition, a site may have site-local structure in how EIDs are topologically organized (subnetting) for routing within the site; this structure is not visible to the global routing system.

   EID-Prefix Aggregate: A set of EID-prefixes said to be aggregatable in the [RFC4632] sense.
   That is, an EID-Prefix aggregate is defined to be a single contiguous power-of-two EID-prefix block. Such a block is characterized by a prefix and a length.

   Routing Locator (RLOC): An IP address of an egress tunnel router (ETR). It is the output of an EID-to-RLOC mapping lookup. An EID maps to one or more RLOCs. Typically, RLOCs are numbered from topologically-aggregatable blocks that are assigned to a site at each point to which it attaches to the global Internet; where the topology is defined by the connectivity of provider networks, RLOCs can be thought of as Provider Aggregatable (PA) addresses. Note that in LISP+ALT, RLOCs are not carried by LISP+ALT routers.

   EID-to-RLOC Mapping: A binding between an EID and the RLOC-set that can be used to reach the EID. The term "mapping" refers to an EID-to-RLOC mapping.

   EID Prefix Reachability: An EID prefix is said to be "reachable" if one or more of its locators are reachable. That is, an EID prefix is reachable if the ETR (or its proxy) that is authoritative for a given EID-to-RLOC mapping is reachable.

   Default Mapping: A Default Mapping is a mapping entry for EID-prefix 0.0.0.0/0. It maps to a locator-set used for all EIDs in the Internet. If there is a more specific EID-prefix in the mapping cache, it overrides the Default Mapping entry. The Default Mapping route can be learned by configuration or from a Map-Reply message.

   Default Route: A Default Route in the context of LISP+ALT is an EID-prefix value of 0.0.0.0/0 which is advertised by BGP on top of the ALT. The Default Route is used to realize a path for Data Probe or Map-Request packets.

4. The LISP 1.5 model

As documented in [LISP], the LISP 1.5 model uses the same basic query/response protocol machinery as LISP 1.0.
In particular, LISP+ALT provides two mechanisms for an ITR to obtain EID-to-RLOC mappings (both of these techniques are described in more detail in Section 9.2):

   Data Probe: An ITR may send the first few data packets into the ALT to minimize packet loss and to probe for the mapping; the authoritative ETR will respond to the ITR with a Map-Reply message when it receives the data packet over the ALT. Note that in this case, the inner Destination Address (DA), which is an EID, is copied to the outer DA and is routed over the ALT.

   Map-Request: An ITR may also send a Map-Request message into the ALT to request the mapping. As in the Data Probe case, the authoritative ETR will respond to the ITR with a Map-Reply message. In this case, the DA of the Map-Request MUST be an EID. See [LISP] for the format of Map-Request and Map-Reply packets.

As with LISP 1.0, EIDs are routable and can be used, unaltered, as the source and destination addresses in IP datagrams. Unlike in LISP 1.0, LISP 1.5 EIDs are not routable on the public Internet; instead, they are only routed over a separate, virtual topology referred to as the LISP Alternative Virtual Network. This network is built as an overlay on the public Internet using tunnels to interconnect LISP+ALT routers. BGP is run over these tunnels to propagate the information needed to route Data Probes and Map-Request/Replies. Importantly, while the ETRs are the source(s) of the unaggregated EID prefix data, LISP+ALT uses existing BGP mechanisms to aggressively aggregate this information. Note that ETRs are not required to participate (or prevented from participating) in LISP+ALT; they may choose to communicate their mappings to their serving LISP+ALT router(s) at subscription time via configuration. ITRs are also not required to participate in (nor prevented from participating in) LISP+ALT.

4.1. Connectivity to non-LISP sites

As stated above, EIDs used as IP addresses by LISP sites are not routable on the public Internet. This implies that, absent a mechanism for communication between LISP and non-LISP sites, connectivity between them is not possible. To resolve this problem, an "interworking" technology has been defined; see [Interworking] for details.

4.2. Caveats on the use of Data Probes

It is worth noting that there has been a great deal of discussion and controversy about whether Data Probes are a good idea. On the one hand, using them offers a method of avoiding the "first packet drop" problem when an ITR does not have a mapping for a particular EID-prefix. On the other hand, forwarding data packets on the ALT would require that it either be engineered to support relatively high traffic rates, which is not generally feasible for a tunneled network, or that it be carefully designed to aggressively rate-limit traffic to avoid congestion or DoS attacks. There are also other issues involving latency or other differences between the ALT path that an initial Data Probe would take and the path that subsequent packets on the same flow would take once a mapping were in place on an ITR. For these and other reasons, use of Data Probes should be considered experimental and should be disabled by default in all ITR implementations.

5. LISP+ALT: Overview

LISP+ALT is a hybrid push/pull architecture. Aggregated EID prefixes are "pushed" among the LISP+ALT routers and, optionally, out to ITRs (which may elect to receive the aggregated information, as opposed to simply using a default mapping). Specific EID-to-RLOC mappings are "pulled" by ITRs when they either send explicit LISP requests or data packets on the alternate topology that result in triggered replies being generated by ETRs.
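The "pull" side of this architecture, as seen from an ITR, is sketched below in Python as an added example; it is not code from the draft or from any LISP implementation. It follows the ITR rules of Sections 4, 4.2, 5.1 and 6.1 (Data Probe versus Map-Request, Map-Reply caching with a TTL, dropping rather than using the ALT when a valid mapping has no reachable RLOC, and sourcing queries from an RLOC rather than a tunnel address). All addresses, TTL values and names are constructed for the example.

```python
"""Added example: an ITR's per-packet decision under LISP+ALT, following
Sections 4, 4.2, 5.1 and 6.1 of draft-ietf-lisp-alt-01.  Not code from the
draft or from any LISP implementation; all values are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Prefix = ipaddress.IPv4Network


@dataclass
class Mapping:
    """One EID-to-RLOC cache entry installed from a Map-Reply."""
    rlocs: List[str]                 # RLOC-set for the EID-prefix
    reachable: Dict[str, bool]       # ITR's current liveness view of each RLOC
    expires_at: float                # absolute time derived from the reply's TTL


@dataclass
class Itr:
    own_rloc: str                    # Section 6.1: queries are sourced from an RLOC
    alt_router: str                  # configured "upstream" LISP+ALT router (EID default route)
    tunnel_addrs: Set[str]           # local GRE tunnel addresses (never a query source)
    data_probes_enabled: bool = False  # Section 4.2: Data Probes disabled by default
    cache: Dict[Prefix, Mapping] = field(default_factory=dict)

    def install_mapping(self, prefix: str, rlocs: List[str], ttl: float, now: float) -> None:
        """Section 5.1: on receipt of a Map-Reply, store the RLOC set for the prefix."""
        self.cache[ipaddress.ip_network(prefix)] = Mapping(
            rlocs=list(rlocs), reachable={r: True for r in rlocs}, expires_at=now + ttl)

    def set_rloc_state(self, prefix: str, rloc: str, up: bool) -> None:
        """Record whether the ITR currently considers one RLOC of a mapping reachable."""
        self.cache[ipaddress.ip_network(prefix)].reachable[rloc] = up

    def lookup(self, eid: str) -> Optional[Tuple[Prefix, Mapping]]:
        """Longest-prefix match of a destination EID against the mapping cache."""
        addr = ipaddress.ip_address(eid)
        best: Optional[Tuple[Prefix, Mapping]] = None
        for prefix, entry in self.cache.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, entry)
        return best

    def query_source(self) -> str:
        """Section 6.1: source the query from an RLOC, not a tunnel interface;
        otherwise the Map-Reply would be forwarded back over the tunneled topology."""
        if self.own_rloc in self.tunnel_addrs:
            raise ValueError("query source must be an RLOC, not a tunnel address")
        return self.own_rloc

    def handle_packet(self, dst_eid: str, now: float) -> Tuple[str, str]:
        """Decide what to do with a packet from a local host to dst_eid.
        Returns (action, next-hop address)."""
        hit = self.lookup(dst_eid)
        if hit is not None and hit[1].expires_at > now:
            live = [r for r in hit[1].rlocs if hit[1].reachable.get(r, False)]
            if live:
                return "encap-to-rloc", live[0]      # normal LISP path; the ALT is not used
            # Section 5.1: a valid (not timed-out) mapping with no reachable RLOC
            # means the packet is dropped, not routed through the ALT.
            return "drop", ""
        # No mapping, or the entry's TTL has expired: query the mapping system.
        if self.data_probes_enabled:
            # Section 4: the inner DA (an EID) is copied to the outer DA and the
            # data packet itself is routed over the ALT via the upstream router.
            return "data-probe", self.alt_router
        return "map-request", self.alt_router


if __name__ == "__main__":
    itr = Itr(own_rloc="198.51.100.1", alt_router="203.0.113.1", tunnel_addrs={"192.0.2.1"})
    print(itr.handle_packet("10.1.0.5", now=1000.0))          # ('map-request', '203.0.113.1')
    itr.install_mapping("10.1.0.0/24", ["203.0.113.10"], ttl=60.0, now=1000.0)
    print(itr.handle_packet("10.1.0.5", now=1000.0))          # ('encap-to-rloc', '203.0.113.10')
```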
The basic idea embodied in LISP+ALT is to use BGP, running over a tunneled overlay network, to establish the reachability required to route Data Probes and Map-Requests over an alternate logical topology (ALT). The ALT BGP Route Information Base (RIB) is comprised of EID prefixes and associated next hops. LISP+ALT routers interconnect using eBGP and propagate EID prefix updates, which are learned over eBGP connections to authoritative ETRs, or by static configuration. ITRs may also eBGP peer with one or more LISP+ALT routers to learn the best ALT router to use to forward a Data Probe or Map-Request for a particular prefix; in most cases, an ITR will have a default EID mapping pointing to one or more LISP+ALT routers.

Note that while this document specifies the use of Generic Routing Encapsulation (GRE) as a tunneling mechanism, there is no reason that an ALT cannot be built using other tunneling technologies. In cases where GRE does not meet security, management, or other operational requirements, it is reasonable to use another tunneling technology that does. References to "GRE tunnel" in later sections of this document should therefore not be taken as prohibiting or precluding the use of other, available tunneling mechanisms.

In summary, LISP+ALT uses BGP to propagate EID-prefix update information to facilitate forwarding a Map-Request or Data Probe to the ETR that holds the EID-to-RLOC mapping for that EID-prefix. This reachability is carried as IPv4 or IPv6 NLRI without modification (since an EID prefix has the same syntax as an IPv4 or IPv6 address prefix). LISP+ALT routers eBGP peer with one another, forming the ALT. A LISP+ALT router near the edge learns EID prefixes originated by authoritative ETRs, either by eBGP peering with them or by configuration. LISP+ALT routers aggregate EID prefixes, and forward Data Probes and Map-Requests.

5.1. ITR traffic handling

When an ITR receives a packet originated by an end system within its site (i.e., a host for which the ITR is the exit path out of the site) and the destination for that packet is not known in the ITR's mapping cache, the ITR encapsulates the packet in a LISP header, copying the inner destination address (EID) to the outer destination address (RLOC), and transmits it through a GRE tunnel to a LISP+ALT router in the ALT. This "first hop" LISP+ALT router uses EID-prefix routing information learned from other LISP+ALT routers via BGP to guide the packet to the ETR which "owns" the prefix. Upon receipt by the ETR, normal LISP processing occurs: the ETR responds to the ITR with a LISP Map-Reply that lists the RLOCs (and, thus, the ETRs to use) for the EID prefix. The ETR also de-encapsulates the packet and transmits it toward its destination.

Upon receipt of the Map-Reply, the ITR installs the RLOC information for a given prefix into a local mapping database. With these mapping entries stored, additional packets destined to the given EID prefix are routed directly to a viable ETR without use of the ALT, until either the entry's TTL has expired, or the ITR can otherwise find no reachable ETR. Note that a valid mapping (not timed-out) may exist that contains no reachable RLOCs (i.e., all paths to that ETR are down); in this case, packets destined to the EID prefix are dropped, not routed through the ALT.

Traffic routed over the ALT therefore consists of:

   o EID prefix Map-Requests, and

   o data packets destined for those EID prefixes while the ITR awaits Map-Replies

5.2. EID Assignment - Hierarchy and Topology

EID-prefixes will be allocated to a LISP site by Internet Registries. Multiple allocations may not be in power-of-2 blocks. But when they are, they will be aggregated into a single, advertised EID-prefix.
The ALT network is built in a tree-structured hierarchy to allow aggregation at merge points in the tree. Building such a structure should minimize the number of EID-prefixes carried by LISP+ALT nodes near the top of the hierarchy.

Since the ALT will not need to change due to subscription or policy reasons, the topology can remain relatively static and aggregation can be sustained. Because routing on the ALT uses BGP, the same rules apply for generating aggregates; in particular, a LISP+ALT router should only be configured to generate an aggregate if it is configured with BGP sessions to all of the originators of components (more-specific prefixes) of that aggregate. Not all of the components need to be present for the aggregate to be originated (some may be holes in the covering prefix and some may be down), but the aggregating router must be configured to learn the state of all of the components.

As an example, consider ETRs that are originating EID prefixes for 10.1.0.0/24, 10.1.64.0/24, 10.1.128.0/24, and 10.1.192.0/24. An ALT router should only be configured to generate an aggregate for 10.1.0.0/16 if it has BGP sessions configured with all of these ETRs; in other words, only if it has sufficient knowledge about the state of those prefixes to summarize them.

Under what circumstances the ALT router actually generates the aggregate is a matter of local policy: in some cases, it will be statically configured to do so at all times with a "static discard" route. In other cases, it may be configured to only generate the aggregate prefix if at least one of the components of the aggregate is learned via BGP.

This implies that two ALTs that share an overlapping set of prefixes must exchange those prefixes if either is to generate and export a covering aggregate for those prefixes.
It also implies that an ETR that originates a prefix must maintain BGP sessions with all ALT routers that are configured to originate an aggregate which covers that prefix.

Note: much is currently uncertain about the best way to build the ALT network; as testing and prototype deployment proceed, a guide to how best to build the ALT network will be developed.

5.3. LISP+ALT Router

A LISP+ALT Router has the following functionality:

   1. It runs, at a minimum, the eBGP part of the BGP protocol.

   2. It supports a separate RIB which uses next-hop GRE tunnel interfaces for forwarding Data Probes and Map-Requests.

   3. It can act as a "proxy-ITR" to support non-LISP sites.

   4. It can act as an ETR, or as a recursive or re-encapsulating ITR to reduce mapping tables in site-based LISP routers.

5.4. ITR and ETR in a LISP+ALT Environment

An ITR using LISP+ALT may have additional functionality as follows:

   1. If it is also acting as a LISP+ALT Router, it sends Data Probes or Map-Requests on the GRE tunnel that BGP computes as the best path for each EID prefix.

   2. When acting solely as an ITR, it sends Data Probes or Map-Requests directly to a configured LISP+ALT router.

An ETR using LISP+ALT may also behave slightly differently:

   1. If it is also acting as a LISP+ALT router, it advertises its configured EID-prefixes into BGP for distribution through the ALT.

   2. It receives Data Probes and Map-Requests only over GRE tunnel(s) to its "upstream" LISP+ALT router(s) and responds with Map-Replies for the EID prefixes that it "owns".

5.5. Use of GRE and BGP between LISP+ALT Routers

The ALT network is built using GRE tunnels between LISP+ALT routers. eBGP sessions are configured over those tunnels, with each LISP+ALT router acting as a separate AS "hop" in a Path Vector for BGP.
For the purposes of LISP+ALT, the AS-path is used solely as a shortest-path determination and loop-avoidance mechanism. Because all next-hops are on tunnel interfaces, no IGP is required to resolve those next-hops to exit interfaces.

LISP+ALT's use of GRE and BGP reduces provider Operational Expense (OPEX) because no new protocols need to be either defined or used on the overlay topology. Also, since tunnel IP addresses are local in scope, no coordination is needed for their assignment; any addressing scheme (including private addressing) can be used for tunnel addressing.

6. EID Prefix Propagation and Map-Request Forwarding

As described in Section 9.2, an ITR may send either a Map-Request or a Data Probe to find a given EID-to-RLOC mapping. The ALT provides the infrastructure that allows these requests to reach the authoritative ETR.

Note that, under normal circumstances, Map-Replies are not sent over the ALT: an ETR sends a Map-Reply to the source RLOC learned from the original Map-Request. There may be scenarios, perhaps to encourage caching of EID-to-RLOC mappings by ALT routers, where Map-Replies could be sent over the ALT or where a "first-hop" ALT router might modify the originating RLOC on a Map-Request received from an ITR to force the Map-Reply to be sent to it; these cases will not be supported by initial LISP+ALT implementations but may be subject to future experimentation.

LISP+ALT routers propagate mapping information for use by ITRs (when making Map-Requests or sending Data Probes) using eBGP [RFC4271]. eBGP is run on the inter-LISP+ALT router links, and possibly between an edge ("last hop") LISP+ALT router and an ETR or between an edge ("first hop") LISP+ALT router and an ITR. The ALT eBGP RIB consists of aggregated EID prefixes and their next hops toward the authoritative ETR for that EID prefix.

6.1. Changes to ITR behavior with LISP+ALT

When using LISP+ALT, an ITR always sends either Data Probes or Map-Requests to one of its "upstream" LISP+ALT routers. As in basic LISP, it should use one of its RLOCs as the source address of these queries; it should explicitly not use a tunnel interface as the source address, as doing so will cause replies to be forwarded over the tunneled topology and may be problematic if the tunnel interface address is not explicitly routed throughout the ALT. If the ITR is running BGP with the LISP+ALT router(s), it selects the appropriate LISP+ALT router based on the BGP information received. If it is not running BGP, it uses static configuration to select a LISP+ALT router; in the general case, this will effectively be an "EID-prefix default route".

6.2. Changes to ETR behavior with LISP+ALT

If an ETR connects using BGP to one or more LISP+ALT router(s), it simply announces its EID-prefix to those LISP+ALT routers. In the "low-opex" case, where the ETR does not use BGP, it will still have a GRE tunnel to one or more LISP+ALT routers; these LISP+ALT router(s) must route Map-Requests and Data Probes to the ETR and must contain configuration (in effect, static routes) for the ETR's EID-prefixes. Note that in either case, when an ETR generates a Map-Reply message to return to a querying ITR, it sends it to the ITR's source RLOC (i.e., on the underlying Internet topology, not on the ALT; this avoids any latency penalty that might be incurred by routing over the ALT).

See also Section 9 for more details about the "low-opex" ETR and ITR configurations.

7. BGP configuration and protocol considerations

7.1. Autonomous System Numbers (ASNs) in LISP+ALT

The primary use of BGP today is to define the global Internet routing topology in terms of its participants, known as Autonomous Systems.
LISP+ALT specifies the use of BGP to create a global EID-to-RLOC mapping database which, while related to the global routing database, serves a very different purpose and is organized into a very different hierarchy. Because LISP+ALT does use BGP, however, it uses ASNs in the paths that are propagated among LISP+ALT routers. To avoid confusion, it needs to be stressed that these LISP+ALT ASNs use a new numbering space that is unrelated to the ASNs used by the global routing system. Exactly how this new space will be assigned and managed will be determined during experimental deployment of LISP+ALT.

Note that the LISP+ALT routers that make up the "core" of the ALT will not be associated with any existing core-Internet ASN because topology, hierarchy, and aggregation boundaries are completely separate from and independent of the global Internet routing system.

7.2. Sub-Address Family Identifier (SAFI) for LISP+ALT

As defined by this document, LISP+ALT may be implemented using BGP without modification. Given the fundamental operational difference between propagating global Internet routing information (the current, dominant use of BGP) and managing the global EID-to-RLOC database (the use of BGP proposed by this document), it may be desirable to assign a new SAFI [RFC2858] to prevent operational confusion and difficulties, including the inadvertent leaking of information from one domain to the other. At present, this document does not require the assignment of a new SAFI, but the authors anticipate that experimentation may suggest the need for one in the future.

8. EID-Prefix Aggregation

The ALT BGP peering topology should be arranged in a tree-like fashion (with some meshiness), with redundancy to deal with node and link failures.
A basic assumption is that as long as the routers are up and running, the underlying topology will provide alternative routes to maintain BGP connectivity among LISP+ALT routers.

Note that, as mentioned in Section 5.2, the use of BGP by LISP+ALT requires that information can only be aggregated where all active more-specific prefixes of a generated aggregate prefix are known. This implies, for example, that if a given set of prefixes is used by multiple ALT networks, those networks must interconnect and share information about all of the prefixes if either were to generate an aggregate prefix that covered all of them. This is no different than the way that BGP route aggregation works in the existing global routing system: a service provider only generates an aggregate route if it is configured to learn all prefixes that make up that aggregate.

8.1. Traffic engineering with LISP and LISP+ALT

It is worth noting that LISP+ALT does not directly propagate EID-to-RLOC mappings. What it does is provide a mechanism for a LISP ITR to find the ETR that holds the mapping for a particular EID prefix. This distinction is important for several reasons. First, it means that the reachability of RLOCs is learned through the LISP ITR-ETR exchange, so "flapping" of state information through BGP is not likely, nor can mapping information become "stale" by slow propagation through the ALT BGP mesh. Second, by deferring EID-to-RLOC mapping to an ITR-ETR exchange, it is possible to perform site-to-site traffic engineering through a combination of setting the preference and weight fields and by returning more-specific EID-to-RLOC information in LISP Map-Reply messages. This is a powerful mechanism that can conceivably replace the traditional practice of routing prefix deaggregation for traffic engineering purposes.
Rather than propagating more-specific information into the global
routing system for local or regional optimization of traffic flows,
such more-specific information can be exchanged, through LISP (not
LISP+ALT), on an as-needed basis between only those ITRs/ETRs (and,
thus, site pairs) that need it; should a receiving ITR decide that it
does not wish to store such more-specific information, it has the
option of discarding it as long as a shorter, covering EID prefix
exists. Not only does this greatly improve the scalability of the
global routing system, but it also allows improved traffic engineering
techniques by allowing richer and more fine-grained policies to be
applied.

8.2. Edge aggregation and dampening

Note also that normal BGP best common practices apply to the ALT
network. In particular, first-hop ALT routers will aggregate EID
prefixes and dampen changes to them in the face of excessive updates.
Since EID prefix assignments are not expected to change anywhere near
as frequently as BGP prefix reachability on the Internet, such
dampening should be very rare and might be worthy of logging as an
exceptional event. It is again worth noting that the ALT carries only
EID prefixes, along with BGP-generated paths to the ETRs that source
those prefixes as advertisements travel over the logical topology;
this set of information is considerably less volatile than the
actual EID-to-RLOC mappings.

9. Connecting sites to the ALT network

9.1. ETRs originating information into the ALT

EID prefix information is originated into the ALT by two different
mechanisms:

eBGP: An ETR may participate in the LISP+ALT overlay network by
   running eBGP to one or more LISP+ALT router(s) over GRE tunnel(s).
   In this case, the ETR advertises reachability for its EID prefixes
   over these eBGP connection(s).
   The LISP+ALT router(s) that receive(s) these prefixes then
   propagate(s) them into the ALT. Here the ETR is simply an eBGP
   peer of LISP+ALT router(s) at the edge of the ALT. Where possible,
   a LISP+ALT router that receives EID prefixes from an ETR via eBGP
   should aggregate that information.

Configuration: One or more LISP+ALT router(s) may be configured to
   originate an EID prefix on behalf of the non-BGP-speaking ETR that
   is authoritative for a prefix. As in the case above, the ETR is
   connected to LISP+ALT router(s) using GRE tunnel(s), but rather
   than BGP being used, the LISP+ALT router(s) are configured with
   what are in effect "static routes" for the EID prefixes "owned" by
   the ETR. The GRE tunnel is used to route Map-Requests to the ETR.
   Note that the LISP+ALT router could also serve as a proxy for its
   TCP-connected ETRs.

Note: in both cases, an ETR may have connections to multiple LISP+ALT
routers for the following reasons:

   * redundancy, so that a particular ETR is still reachable through
     the ALT even if one path or tunnel is unavailable.

   * to connect to different parts of the ALT hierarchy if the ETR
     "owns" multiple EID-to-RLOC mappings for EID prefixes that
     cannot be aggregated by the same LISP+ALT router (i.e., are not
     topologically "close" to each other in the ALT).

9.2. ITRs Using the ALT

In order to source Map-Requests to the ALT or to route a Data Probe
packet over the ALT, each ITR participating in the ALT establishes a
connection to one or more LISP+ALT routers. These connections can be
either eBGP or TCP (as described above).

In the case in which the ITR is running eBGP, the peer LISP+ALT
routers use these connections to advertise highly aggregated EID
prefixes to the peer ITRs. The ITR then installs the received
prefixes into a forwarding table that is used to send LISP
Map-Requests to the appropriate LISP+ALT router.
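
The edge behaviour described in Section 8.2, where a first-hop ALT
router dampens excessive updates to the EID prefixes it receives from
its ETRs (Section 9.1) and logs each such decision as an exceptional
event, is shown below as an added example. It is not code from this
draft or from any LISP implementation. The draft sets no dampening
parameters, so the penalty-per-change, suppress and reuse thresholds
and half-life used here are assumptions loosely modelled on BGP route
flap damping, and the update stream is constructed.

```python
"""Added example, not part of the draft: a penalty-based flap dampener
for EID-prefix updates at a first-hop (edge) ALT router, as described
in Section 8.2, which logs every dampening decision as an exceptional
event. The penalty scheme and thresholds are assumptions modelled on
BGP route flap damping; the draft sets no parameters."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed update stream (seconds, EID prefix, event) as an edge ALT
# router might receive it from its eBGP-connected ETRs (Section 9.1).
SAMPLE_UPDATES: List[Tuple[float, str, str]] = [
    (0.0, "203.0.113.0/24", "announce"),
    (0.0, "198.51.100.0/24", "announce"),
    (10.0, "198.51.100.0/24", "withdraw"),
    (20.0, "198.51.100.0/24", "announce"),
    (30.0, "198.51.100.0/24", "withdraw"),
]


@dataclass
class PrefixState:
    penalty: float = 0.0
    last_seen: float = 0.0
    suppressed: bool = False


class EidPrefixDampener:
    """Each update adds penalty_per_change; the penalty halves every
    half_life seconds. A prefix is suppressed once it reaches suppress_at
    and released once it decays below reuse_at (assumed values)."""

    def __init__(self, penalty_per_change: float = 1000.0, suppress_at: float = 2500.0,
                 reuse_at: float = 750.0, half_life: float = 900.0) -> None:
        self.penalty_per_change = penalty_per_change
        self.suppress_at, self.reuse_at, self.half_life = suppress_at, reuse_at, half_life
        self.states: Dict[str, PrefixState] = {}
        self.log: List[str] = []

    def _decayed(self, prefix: str, now: float) -> PrefixState:
        st = self.states.setdefault(prefix, PrefixState(last_seen=now))
        st.penalty *= 0.5 ** ((now - st.last_seen) / self.half_life)
        st.last_seen = now
        return st

    def observe(self, prefix: str, event: str, now: float) -> bool:
        """Record one update; return True if it may be propagated on."""
        st = self._decayed(prefix, now)
        st.penalty += self.penalty_per_change
        if not st.suppressed and st.penalty >= self.suppress_at:
            st.suppressed = True
            # Section 8.2: dampening should be rare, so log it as exceptional.
            self.log.append(f"EXCEPTIONAL t={now:.0f}s: dampening EID prefix {prefix} "
                            f"after {event} (penalty {st.penalty:.0f})")
        return not st.suppressed

    def reevaluate(self, prefix: str, now: float) -> bool:
        """Decay the penalty; return True if the prefix is still suppressed."""
        st = self._decayed(prefix, now)
        if st.suppressed and st.penalty < self.reuse_at:
            st.suppressed = False
            self.log.append(f"t={now:.0f}s: EID prefix {prefix} released from dampening")
        return st.suppressed

    def suppressed_prefixes(self) -> Set[str]:
        return {p for p, st in self.states.items() if st.suppressed}


def run_updates(updates: List[Tuple[float, str, str]],
                dampener: Optional[EidPrefixDampener] = None
                ) -> Tuple[EidPrefixDampener, List[Tuple[float, str, str]]]:
    """Feed updates through the dampener; return it and the updates that
    were allowed to propagate further into the ALT."""
    d = dampener or EidPrefixDampener()
    propagated = [u for u in updates if d.observe(u[1], u[2], u[0])]
    return d, propagated


if __name__ == "__main__":
    d, kept = run_updates(SAMPLE_UPDATES)
    print(kept)
    print("\n".join(d.log))
```

On the constructed stream the stable 203.0.113.0/24 announcement and
the first two changes to 198.51.100.0/24 propagate; the third change
within thirty seconds crosses the suppress threshold, is held back, and
produces one exceptional-event log line. Calling `reevaluate` three
half-lives later finds the penalty decayed below the reuse threshold
and releases the prefix, which is also logged so an operator can see
the full history of the event.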
In most cases, a LISP+ALT router will send a default mapping to its
client ITRs so that they can send requests for any EID prefix into
the ALT.

In the case in which the ITR is connected to some set of LISP+ALT
routers without eBGP, the ITR sends Map-Requests to any of its
connected LISP+ALT routers.

An ITR may also choose to send the first few data packets over the
ALT to minimize packet loss and reduce mapping latency. In this
case, the data packet serves as a mapping probe (Data Probe) and the
ETR which receives the data packet (over the ALT) responds with a
Map-Reply that is sent to the ITR's source-RLOC using the underlying
topology. Note that the use of Data Probes is discouraged at this
time (see Section 4.2).

In general, an ITR will establish connections only to LISP+ALT
routers at the "edge" of the ALT (typically two for redundancy), but
there may also be situations where an ITR would connect to other
LISP+ALT routers to receive additional, shorter-path information
about a portion of the ALT of interest to it. This can be
accomplished by establishing GRE tunnels between the ITR and the set
of LISP+ALT routers with the additional information. This is a
purely local policy issue between the ITR and the LISP+ALT routers in
question.

10. IANA Considerations

This document makes no request of the IANA.

11. Security Considerations

LISP+ALT shares many of the security characteristics of BGP. Its
security mechanisms are comprised of existing technologies in wide
operational use today. Securing LISP+ALT is much simpler than
securing BGP.

Compared to BGP, LISP+ALT routers are not topologically bound,
allowing them to be put in locations away from the vulnerable AS
border (unlike eBGP speakers).

11.1. Apparent LISP+ALT Vulnerabilities

This section briefly lists the apparent vulnerabilities of LISP+ALT.
Mapping Integrity: Can an attacker insert bogus mappings to
   black-hole (create a DoS) or intercept LISP data-plane packets?

LISP+ALT router Availability: Can an attacker DoS the LISP+ALT
   routers connected to a given ETR? Without access to its mappings,
   a site is essentially unavailable.

ITR Mapping/Resources: Can an attacker force an ITR or LISP+ALT
   router to drop legitimate mapping requests by flooding it with
   random destinations that it will have to query for? Further study
   is required to see the impact of admission control on the overlay
   network.

EID Map-Request Exploits for Reconnaissance: Can an attacker learn
   about a LISP destination site's TE policy by sending legitimate
   mapping request messages and then observing the RLOC mapping
   replies? Is this information useful in attacking or subverting
   peer relationships? Note that LISP 1.0 has a similar data-plane
   reconnaissance issue.

Scaling of LISP+ALT router Resources: Paths through the ALT may be
   of lesser bandwidth than more "direct" paths; this may make them
   more prone to high-volume denial-of-service attacks. For this
   reason, all components of the ALT (ETRs and ALT routers) should be
   prepared to rate-limit traffic that could be received across the
   ALT (Map-Requests and Data Probes).

UDP Map-Reply from ETR: Since Map-Reply packets are sent directly
   from the ETR to the ITR's RLOC, the ITR's RLOC may be vulnerable
   to various types of DoS attacks.

11.2. Survey of LISP+ALT Security Mechanisms

Explicit peering: The devices themselves can both prioritize
   incoming packets as well as potentially do key checks in hardware
   to protect the control plane.

Use of TCP to connect elements: This makes it difficult for third
   parties to inject packets.
Use of HMAC Protected TCP Connections: HMAC is used to verify
   message integrity and authenticity, making it nearly impossible
   for third party devices to either insert or modify messages.

Message Sequence Numbers and Nonce Values in Messages: This allows
   devices to verify that the mapping-reply packet was in response
   to the mapping-request that they sent.

11.3. Using existing BGP Security mechanisms

LISP+ALT's use of BGP allows for the ALT to take advantage of BGP
security features designed for existing Internet BGP use.

For example, should either sBGP [I-D.murphy-bgp-secr] or soBGP
[I-D.white-sobgparchitecture] become widely deployed, it is expected
that LISP+ALT could use these mechanisms to provide authentication of
EID-to-RLOC mappings and EID origination.

12. Acknowledgments

Many of the ideas described in this document were developed during
detailed discussions with Scott Brim and Darrel Lewis, who made many
insightful comments on earlier versions of this document.

13. References

13.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P.
          Traina, "Generic Routing Encapsulation (GRE)", RFC 2784,
          March 2000.

[RFC2858] Bates, T., Rekhter, Y., Chandra, R., and D. Katz,
          "Multiprotocol Extensions for BGP-4", RFC 2858, June 2000.

[RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
          Protocol 4 (BGP-4)", RFC 4271, January 2006.

[RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing
          (CIDR): The Internet Address Assignment and Aggregation
          Plan", BCP 122, RFC 4632, August 2006.

13.2. Informative References

[I-D.murphy-bgp-secr]
          Murphy, S., "BGP Security Analysis",
          draft-murphy-bgp-secr-04 (work in progress),
          November 2001.
[I-D.white-sobgparchitecture]
          White, R., "Architecture and Deployment Considerations for
          Secure Origin BGP (soBGP)",
          draft-white-sobgparchitecture-00 (work in progress),
          May 2004.

[Interworking]
          Lewis, D., Meyer, D., Farinacci, D., and V. Fuller,
          "Interworking LISP with IPv4 and IPv6",
          draft-ietf-lisp-interworking-00.txt (work in progress),
          May 2009.

[LISP]    Farinacci, D., Fuller, V., Meyer, D., and D. Lewis,
          "Locator/ID Separation Protocol (LISP)",
          draft-ietf-lisp-00.txt (work in progress), May 2009.

Authors' Addresses

Vince Fuller
Cisco
Tasman Drive
San Jose, CA 95134
USA

Email: vaf@cisco.com

Dino Farinacci
Cisco
Tasman Drive
San Jose, CA 95134
USA

Email: dino@cisco.com

Dave Meyer
Cisco
Tasman Drive
San Jose, CA 95134
USA

Email: dmm@cisco.com

Darrel Lewis
Cisco
Tasman Drive
San Jose, CA 95134
USA

Email: darlewis@cisco.com
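
The mechanisms surveyed in Section 11.2 (HMAC-protected messages, and
nonce values that tie a Map-Reply to the Map-Request it answers) and
the rate limiting of Map-Requests received across the ALT that Section
11.1 recommends are shown together below as an added example that
addresses the "Mapping Integrity" item of Section 11.1. It is not code
from this draft or from any LISP implementation. The message encoding
(canonical JSON followed by an HMAC-SHA256 tag), the pre-shared key,
the 5-second reply timeout, the token-bucket parameters and all
addresses are constructed for illustration and are not the LISP wire
format; how keys are provisioned is outside what the draft specifies.

```python
"""Added example, not part of the draft: an ITR/ETR Map-Request and
Map-Reply exchange protected by an HMAC and matched by nonce (Sections
11.1 'Mapping Integrity' and 11.2), plus per-source rate limiting of
Map-Requests arriving over the ALT (Section 11.1). Encoding, key and
addresses are constructed; this is not the LISP wire format."""
import hashlib
import hmac
import ipaddress
import json
import os
from typing import Dict, List, Optional, Tuple


def seal(body: dict, key: bytes) -> bytes:
    """Canonical JSON body, '|', then a hex HMAC-SHA256 tag over the body."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return raw + b"|" + hmac.new(key, raw, hashlib.sha256).hexdigest().encode()


def open_sealed(msg: bytes, key: bytes) -> Optional[dict]:
    """Return the body only if the tag verifies; None on any tampering."""
    raw, sep, tag = msg.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        body = json.loads(raw)
    except ValueError:
        return None
    return body if isinstance(body, dict) else None


class MapRequestRateLimiter:
    """Token bucket per source RLOC for Map-Requests received over the ALT."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.buckets: Dict[str, Tuple[float, float]] = {}   # src -> (tokens, last)

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self.buckets.get(src, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)
        return False


class ITR:
    """Accepts only Map-Replies that verify and answer an outstanding
    nonce, so an unsolicited, replayed or modified reply cannot install
    a bogus mapping."""

    def __init__(self, key: bytes, max_age: float = 5.0) -> None:
        self.key, self.max_age = key, max_age
        self.pending: Dict[str, Tuple[str, float]] = {}   # nonce -> (eid, sent_at)

    def map_request(self, eid: str, now: float) -> bytes:
        nonce = os.urandom(8).hex()
        self.pending[nonce] = (eid, now)
        return seal({"type": "map-request", "nonce": nonce, "eid": eid}, self.key)

    def accept_map_reply(self, msg: bytes, now: float) -> Optional[dict]:
        body = open_sealed(msg, self.key)
        if body is None or body.get("type") != "map-reply":
            return None                       # forged or modified in transit
        sent = self.pending.pop(str(body.get("nonce")), None)
        if sent is None:
            return None                       # unsolicited or replayed reply
        eid, sent_at = sent
        try:
            prefix = ipaddress.ip_network(body["eid-prefix"], strict=True)
            rlocs = [str(ipaddress.ip_address(r)) for r in body["rlocs"]]
        except (KeyError, ValueError, TypeError):
            return None
        if now - sent_at > self.max_age or ipaddress.ip_address(eid) not in prefix:
            return None                       # stale, or answers a different EID
        return {"eid-prefix": str(prefix), "rlocs": rlocs}


class ETR:
    """Answers verified Map-Requests for the EID prefixes it is
    authoritative for, echoing the nonce, after per-source rate limiting."""

    def __init__(self, key: bytes, mappings: Dict[str, List[str]],
                 limiter: Optional[MapRequestRateLimiter] = None) -> None:
        self.key = key
        self.mappings = {ipaddress.ip_network(p, strict=True): r for p, r in mappings.items()}
        self.limiter = limiter or MapRequestRateLimiter(rate=10.0, burst=20)

    def handle_map_request(self, msg: bytes, src_rloc: str, now: float) -> Optional[bytes]:
        if not self.limiter.allow(src_rloc, now):
            return None                       # dropped: source exceeds its rate
        body = open_sealed(msg, self.key)
        if body is None or body.get("type") != "map-request":
            return None
        try:
            addr = ipaddress.ip_address(body["eid"])
        except (KeyError, ValueError):
            return None
        matches = [p for p in self.mappings if addr in p]
        if not matches:
            return None                       # not authoritative for this EID
        best = max(matches, key=lambda p: p.prefixlen)
        return seal({"type": "map-reply", "nonce": body.get("nonce"),
                     "eid-prefix": str(best), "rlocs": self.mappings[best]}, self.key)
```

A reply whose RLOC list has been altered fails the HMAC check before
its nonce is even examined; a reply built with the right key but a
nonce the ITR never issued is rejected as unsolicited; and replaying a
genuine reply fails because the nonce was consumed on first use. On
the ETR side the token bucket drops excess Map-Requests from one source
before any cryptographic work is done, which is the cheap first line
of defence Section 11.1 asks ALT components to be prepared for.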