idnits 2.17.1 

draft-ietf-lisp-alt-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 5 instances of lines with private range IPv4 addresses in the
     document.  If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (September 8, 2011) is 4614 days in the past.  Is this
     intentional?


  Checking references for intended status: Experimental
  ----------------------------------------------------------------------------

  == Outdated reference: A later version (-24) exists of draft-ietf-lisp-15

  == Outdated reference: A later version (-16) exists of draft-ietf-lisp-ms-11

  == Outdated reference: A later version (-06) exists of
     draft-ietf-lisp-interworking-02


     Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	Network Working Group                                          V. Fuller
3	Internet-Draft                                              D. Farinacci
4	Intended status: Experimental                                   D. Meyer
5	Expires: March 11, 2012                                         D. Lewis
6	                                                                   Cisco
7	                                                       September 8, 2011

9	                  LISP Alternative Topology (LISP+ALT)
10	                       draft-ietf-lisp-alt-08.txt

12	Abstract

14	   This document describes a simple distributed index system to be used
15	   by a Locator/ID Separation Protocol (LISP) Ingress Tunnel Router
16	   (ITR) or Map Resolver (MR) to find the Egress Tunnel Router (ETR)
17	   which holds the mapping information for a particular Endpoint
18	   Identifier (EID).  The MR can then query that ETR to obtain the
19	   actual mapping information, which consists of a list of Routing
20	   Locators (RLOCs) for the EID.  Termed the Alternative Logical
21	   Topology (ALT), the index is built as an overlay network on the
22	   public Internet using the Border Gateway Protocol (BGP) and the
23	   Generic Routing Encapsulation (GRE).  Using these proven protocols,
24	   the ALT can be built and deployed relatively quickly without any
25	   changes to the existing routing infrastructure.

27	Status of this Memo

29	   This Internet-Draft is submitted in full conformance with the
30	   provisions of BCP 78 and BCP 79.

32	   Internet-Drafts are working documents of the Internet Engineering
33	   Task Force (IETF).  Note that other groups may also distribute
34	   working documents as Internet-Drafts.  The list of current Internet-
35	   Drafts is at http://datatracker.ietf.org/drafts/current/.

37	   Internet-Drafts are draft documents valid for a maximum of six months
38	   and may be updated, replaced, or obsoleted by other documents at any
39	   time.  It is inappropriate to use Internet-Drafts as reference
40	   material or to cite them other than as "work in progress."

42	   This Internet-Draft will expire on March 11, 2012.

44	Copyright Notice

46	   Copyright (c) 2011 IETF Trust and the persons identified as the
47	   document authors.  All rights reserved.

49	   This document is subject to BCP 78 and the IETF Trust's Legal
50	   Provisions Relating to IETF Documents
51	   (http://trustee.ietf.org/license-info) in effect on the date of
52	   publication of this document.  Please review these documents
53	   carefully, as they describe your rights and restrictions with respect
54	   to this document.  Code Components extracted from this document must
55	   include Simplified BSD License text as described in Section 4.e of
56	   the Trust Legal Provisions and are provided without warranty as
57	   described in the Simplified BSD License.

59	Table of Contents

61	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
62	   2.  Definition of Terms  . . . . . . . . . . . . . . . . . . . . .  6
63	   3.  The LISP+ALT model . . . . . . . . . . . . . . . . . . . . . .  9
64	     3.1.  Routeability of EIDs . . . . . . . . . . . . . . . . . . .  9
65	       3.1.1.  Mechanisms for an ETR to originate EID-prefixes  . . . 10
66	       3.1.2.  Mechanisms for an ITR to forward to EID-prefixes . . . 10
67	       3.1.3.  Map Server Model preferred . . . . . . . . . . . . . . 10
68	     3.2.  Connectivity to non-LISP sites . . . . . . . . . . . . . . 10
69	     3.3.  Caveats on the use of Data Probes  . . . . . . . . . . . . 11
70	   4.  LISP+ALT: Overview . . . . . . . . . . . . . . . . . . . . . . 12
71	     4.1.  ITR traffic handling . . . . . . . . . . . . . . . . . . . 13
72	     4.2.  EID Assignment - Hierarchy and Topology  . . . . . . . . . 13
73	     4.3.  Use of GRE and BGP between LISP+ALT Routers  . . . . . . . 15
74	   5.  EID-prefix Propagation and Map-Request Forwarding  . . . . . . 16
75	     5.1.  Changes to ITR behavior with LISP+ALT  . . . . . . . . . . 16
76	     5.2.  Changes to ETR behavior with LISP+ALT  . . . . . . . . . . 17
77	   6.  BGP configuration and protocol considerations  . . . . . . . . 18
78	     6.1.  Autonomous System Numbers (ASNs) in LISP+ALT . . . . . . . 18
79	     6.2.  Sub-Address Family Identifier (SAFI) for LISP+ALT  . . . . 18
80	   7.  EID-prefix Aggregation . . . . . . . . . . . . . . . . . . . . 19
81	     7.1.  Stability of the ALT . . . . . . . . . . . . . . . . . . . 19
82	     7.2.  Traffic engineering using LISP . . . . . . . . . . . . . . 19
83	     7.3.  Edge aggregation and dampening . . . . . . . . . . . . . . 20
84	     7.4.  EID assignment flexibility vs. ALT scaling . . . . . . . . 20
85	   8.  Connecting sites to the ALT network  . . . . . . . . . . . . . 22
86	     8.1.  ETRs originating information into the ALT  . . . . . . . . 22
87	     8.2.  ITRs Using the ALT . . . . . . . . . . . . . . . . . . . . 22
88	   9.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 24
89	   10. Security Considerations  . . . . . . . . . . . . . . . . . . . 25
90	     10.1. Apparent LISP+ALT Vulnerabilities  . . . . . . . . . . . . 25
91	     10.2. Survey of LISP+ALT Security Mechanisms . . . . . . . . . . 26
92	     10.3. Use of new IETF standard BGP Security mechanisms . . . . . 26
93	   11. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 27
94	   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28
95	     12.1. Normative References . . . . . . . . . . . . . . . . . . . 28
96	     12.2. Informative References . . . . . . . . . . . . . . . . . . 28
97	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29

99	1.  Introduction

101	   This document describes the LISP+ALT system, used by a [LISP] ITR or
102	   MR to find the ETR that holds the RLOC mapping information for a
103	   particular EID.  The ALT network is built using the Border Gateway
104	   Protocol (BGP, [RFC4271]), the BGP multi-protocol extension
105	   [RFC4760], and the Generic Routing Encapsulation (GRE, [RFC2784]) to
106	   construct an overlay network of devices (ALT Routers) which operate
107	   on EID-prefixes and use EIDs as forwarding destinations.

109	   ALT Routers advertise hierarchically-delegated segments of the EID
110	   namespace (i.e., prefixes) toward the rest of the ALT; they also
111	   forward traffic destined for an EID covered by one of those prefixes
112	   toward the network element that is authoritative for that EID and is
113	   the origin of the BGP advertisement for that EID-prefix.  An Ingress
114	   Tunnel Router (ITR) uses this overlay to send a LISP Map-Request
115	   (defined in [LISP]) to the Egress Tunnel Router (ETR) that holds the
116	   EID-to-RLOC mapping for a matching EID-prefix.  In most cases, an ITR
117	   does not connect directly to the overlay network but instead sends
118	   Map-Requests via a Map-Resolver (described in [LISP-MS]) which does.
119	   Likewise, in most cases, an ETR does not connect directly to the
120	   overlay network but instead registers its EID-prefixes with a Map-
121	   Server that advertises those EID-prefixes on to the ALT and forwards
122	   Map-Requests for them to the ETR.

124	   It is important to note that the ALT does not distribute actual EID-
125	   to-RLOC mappings.  What it does provide is a forwarding path from an
126	   ITR (or MR) which requires an EID-to-RLOC mapping to an ETR which
127	   holds that mapping.  The ITR/MR uses this path to send an ALT
128	   Datagram (see Section 3) to an ETR which then responds with a Map-
129	   Reply containing the needed mapping information.

131	   One design goal for LISP+ALT is to use existing technology wherever
132	   possible.  To this end, the ALT is intended to be built using off-
133	   the-shelf routers which already implement the required protocols (BGP
134	   and GRE); little, if any, LISP-specific modifications should be
135	   needed for such devices to be deployed on the ALT (see Section 7 for
136	   aggregation requirements).  Note, though, that organizational and
137	   operational considerations suggest that ALT Routers be both logically
138	   and physically separate from the "native" Internet packet transport
139	   system; deploying this overlay on those routers which are already
140	   participating in the global routing system and actively forwarding
141	   Internet traffic is not recommended.

143	   This specification is experimental, and there are areas where further
144	   experience is needed to understand the best implementation strategy,
145	   operational model, and effects on Internet operations.  These areas
146	   include:

148	   o  application effects of on-demand route map discovery

150	   o  tradeoff in connection setup time vs. ALT design and performance
151	      when using a Map Request instead of carring initial user data in a
152	      Data Probe

154	   o  best practical ways to build ALT hierarchies

156	   o  effects of route leakage from ALT to the current Internet,
157	      particularly for LISP-to-non-LISP interworking

159	   o  effects of exceptional situations, such as denial-of-service
160	      attacks

162	   Experimentation, measurements, and deployment experience on these
163	   aspects is appreciated.  While these issues are conceptually well-
164	   understood (e.g. an ALT lookup causes potential delay for the first
165	   packet destined to a given network), the real-world operational
166	   effects are much less clear.

168	   The remainder of this document is organized as follows: Section 2
169	   provides the definitions of terms used in this document.  Section 3
170	   outlines the LISP ALT model, where EID prefixes are routed across an
171	   overlay network.  Section 4 provides a basic overview of the LISP
172	   Alternate Topology architecture, and Section 5 describes how the ALT
173	   uses BGP to propagate Endpoint Identifier reachability over the
174	   overlay network and Section 6 describes other considerations for
175	   using BGP on the ALT.  Section 7 describes the construction of the
176	   ALT aggregation hierarchy, and Section 8 discusses how LISP+ALT
177	   elements are connected to form the overlay network.

179	2.  Definition of Terms

181	   This section provides high-level definitions of LISP concepts and
182	   components involved with and affected by LISP+ALT.

184	    Alternative Logical Topology (ALT):  The virtual overlay network
185	      made up of tunnels between LISP+ALT Routers.  The Border Gateway
186	      Protocol (BGP) runs between ALT Routers and is used to carry
187	      reachability information for EID-prefixes.  The ALT provides a way
188	      to forward Map-Requests (and, if supported, Data Probes) toward
189	      the ETR that "owns" an EID-prefix.  As a tunneled overlay, its
190	      performance is expected to be quite limited so use of it to
191	      forward high-bandwidth flows of Data Probes is strongly
192	      discouraged (see Section 3.3 for additional discussion).

194	    Legacy Internet:  The portion of the Internet which does not run
195	      LISP and does not participate in LISP+ALT.

197	    ALT Router:  The devices which run on the ALT.  The ALT is a static
198	      network built using tunnels between ALT Routers.  These routers
199	      are deployed in a roughly-hierarchical mesh in which routers at
200	      each level in the topology are responsible for aggregating EID-
201	      prefixes learned from those logically "below" them and advertising
202	      summary prefixes to those logically "above" them.  Prefix learning
203	      and propagation between ALT Routers is done using BGP.  An ALT
204	      Router at the lowest level, or "edge" of the ALT, learns EID-
205	      prefixes from its "client" ETRs.  See Section 3.1 for a
206	      description of how EID-prefixes are learned at the "edge" of the
207	      ALT.  See also Section 6 for details on how BGP is configured
208	      between the different network elements.  When an ALT Router
209	      receives an ALT Datagram, it looks up the destination EID in its
210	      forwarding table (composed of EID prefix routes it learned from
211	      neighboring ALT Routers) and forwards it to the logical next-hop
212	      on the overlay network.

214	    Endpoint ID (EID):  A 32-bit (for IPv4) or 128-bit (for ipv6) value
215	      used to identify the ultimate source or destination for a LISP-
216	      encapsulated packet.  See [LISP] for details.

218	    EID-prefix:  A set of EIDs delegated in a power-of-two block.  EID-
219	      prefixes are routed on the ALT (not on the global Internet) and
220	      are expected to be assigned in a hierarchical manner such that
221	      they can be aggregated by ALT Routers.  Such a block is
222	      characterized by a prefix and a length.  Note that while the ALT
223	      routing system considers an EID-prefix to be an opaque block of
224	      EIDs, an end site may put site-local, topologically-relevant
225	      structure (subnetting) into an EID-prefix for intra-site routing.

227	    Aggregated EID-prefixes:  A set of individual EID-prefixes that have
228	      been aggregated in the [RFC4632] sense.

230	    Map Server (MS):   An edge ALT Router that provides a registration
231	      function for non-ALT-connected ETRs, originates EID-prefixes into
232	      the ALT on behalf of those ETRs, and forwards Map-Requests to
233	      them.  See [LISP-MS] for details.

235	    Map Resolver (MR):   An edge ALT Router that accepts an Encapsulated
236	      Map-Request from a non-ALT-connected ITR, decapsulates it, and
237	      forwards it on to the ALT toward the ETR which owns the requested
238	      EID-prefix.  See [LISP-MS] for details.

240	    Ingress Tunnel Router (ITR):   A router which sends LISP Map-
241	      Requests or encapsulates IP datagrams with LISP headers, as
242	      defined in [LISP].  In this document, the term refers to any
243	      device implementing ITR functionality, including a Proxy-ITR (see
244	      [LISP-IW]).  Under some circumstances, a LISP Map Resolver may
245	      also originate Map-Requests (see [LISP-MS]).

247	    Egress Tunnel Router (ETR):   A router which sends LISP Map-Replies
248	      in response to LISP Map-Requests and decapsulates LISP-
249	      encapsulated IP datagrams for delivery to end systems, as defined
250	      in [LISP].  In this document, the term refers to any device
251	      implementing ETR functionality, including a Proxy-ETR (see
252	      [LISP-IW]).  Under some circumstances, a LISP Map Server may also
253	      respond to Map-Requests (see [LISP-MS]).

255	    Routing Locator (RLOC):  A routable IP address for a LISP tunnel
256	      router (ITR or ETR).  Interchangeably referred to as a "locator"
257	      in this document.  An RLOC is also the output of an EID-to-RLOC
258	      mapping lookup; an EID-prefix maps to one or more RLOCs.
259	      Typically, RLOCs are numbered from topologically-aggregatable
260	      blocks that are assigned to a site at each point where it attaches
261	      to the global Internet; where the topology is defined by the
262	      connectivity of provider networks, RLOCs can be thought of as
263	      Provider Aggregatable (PA) addresses.  Routing for RLOCs is not
264	      carried on the ALT.

266	    EID-to-RLOC Mapping:  A binding between an EID-prefix and the set of
267	      RLOCs that can be used to reach it; sometimes referred to simply
268	      as a "mapping".

270	    EID-prefix Reachability:  An EID-prefix is said to be "reachable" if
271	      at least one of its locators is reachable.  That is, an EID-prefix
272	      is reachable if the ETR that is authoritative for a given EID-to-
273	      RLOC mapping is reachable.

275	    Default Mapping:  A Default Mapping is a mapping entry for EID-
276	      prefix 0.0.0.0/0 (0::/0 for ipv6).  It maps to a locator-set used
277	      for all EIDs in the Internet.  If there is a more specific EID-
278	      prefix in the mapping cache it overrides the Default Mapping
279	      entry.  The Default Mapping can be learned by configuration or
280	      from a Map-Reply message.

282	    ALT Default Route:  An EID-prefix value of 0.0.0.0/0 (or 0::/0 for
283	      ipv6) which may be learned from the ALT or statically configured
284	      on an edge ALT Router.  The ALT-Default Route defines a forwarding
285	      path for a packet to be sent into the ALT on a router which does
286	      not have a full ALT forwarding database.

288	3.  The LISP+ALT model

290	   The LISP+ALT model uses the same basic query/response protocol that
291	   is documented in [LISP].  In particular, LISP+ALT provides two types
292	   of packet that an ITR can originate to obtain EID-to-RLOC mappings:

294	   Map-Request:  A Map-Request message is sent into the ALT to request
295	      an EID-to-RLOC mapping.  The ETR which owns the mapping will
296	      respond to the ITR with a Map-Reply message.  Since the ALT only
297	      forwards on EID destinations, the destination address of the Map-
298	      Request sent on the ALT must be an EID.

300	   Data Probe:  Alternatively, an ITR may encapsulate and send the first
301	      data packet destined for an EID with no known RLOCs into the ALT
302	      as a Data Probe.  This might be done to minimize packet loss and
303	      to probe for the mapping.  As above, the authoritative ETR for the
304	      EID-prefix will respond to the ITR with a Map-Reply message when
305	      it receives the data packet over the ALT.  As a side-effect, the
306	      encapsulated data packet is delivered to the end-system at the ETR
307	      site.  Note that the Data Probe's inner IP destination address,
308	      which is an EID, is copied to the outer IP destination address so
309	      that the resulting packet can be routed over the ALT.  See
310	      Section 3.3 for caveats on the usability of Data Probes.

312	   The term "ALT Datagram" is short-hand for a Map-Request or Data Probe
313	   to be sent into or forwarded on the ALT.  Note that such packets use
314	   an RLOC as the outer header source IP address and an EID as the outer
315	   header destination IP address.

317	   Detailed descriptions of the LISP packet types referenced by this
318	   document may be found in [LISP].

320	3.1.  Routeability of EIDs

322	   A LISP EID has the same syntax as IP address and can be used,
323	   unaltered, as the source or destination of an IP datagram.  In
324	   general, though, EIDs are not routable on the public Internet; LISP+
325	   ALT provides a separate, virtual network, known as the LISP
326	   Alternative Logical Topology (ALT) on which a datagram using an EID
327	   as an IP destination address may be transmitted.  This network is
328	   built as an overlay on the public Internet using tunnels to
329	   interconnect ALT Routers.  BGP runs over these tunnels to propagate
330	   path information needed to forward ALT Datagrams.  Importantly, while
331	   the ETRs are the source(s) of the unaggregated EID-prefixes, LISP+ALT
332	   uses existing BGP mechanisms to aggregate this information.

334	3.1.1.  Mechanisms for an ETR to originate EID-prefixes

336	   There are three ways that an ETR may originate its mappings into the
337	   ALT:

339	   1.  By registration with a Map Server as documented in [LISP-MS].
340	       This is the common case and is expected to be used by the
341	       majority of ETRs.

343	   2.  Using a "static route" on the ALT.  Where no Map-Server is
344	       available, an edge ALT Router may be configured with a "static
345	       EID-prefix route" pointing to an ETR.

347	   3.  Edge connection to the ALT.  If a site requires fine- grained
348	       control over how its EID-prefixes are advertised into the ALT, it
349	       may configure its ETR(s) with tunnel and BGP connections to edge
350	       ALT Routers.

352	3.1.2.  Mechanisms for an ITR to forward to EID-prefixes

354	   There are three ways that an ITR may send ALT Datagrams:

356	   1.  Through a Map Resolver as documented in [LISP-MS].  This is the
357	       common case and is expected to be used by the majority of ITRs.

359	   2.  Using a "default route".  Where a Map Resolver is not available,
360	       an ITR may be configured with a static ALT Default Route pointing
361	       to an edge ALT Router.

363	   3.  Edge connection to the ALT.  If a site requires fine-grained
364	       knowledge of what prefixes exist on the ALT, it may configure its
365	       ITR(s) with tunnel and BGP connections to edge ALT Routers.

367	3.1.3.  Map Server Model preferred

369	   The ALT-connected ITR and ETR cases are expected to be rare, as the
370	   Map Server/Map Resolver model is both simpler for an ITR/ETR operator
371	   to use, and provides a more general service interface to not only the
372	   ALT, but also to other mapping databases that may be developed in the
373	   future.

375	3.2.  Connectivity to non-LISP sites

377	   As stated above, EIDs used as IP addresses by LISP sites are not
378	   routable on the public Internet.  This implies that, absent a
379	   mechanism for communication between LISP and non-LISP sites,
380	   connectivity between them is not possible.  To resolve this problem,
381	   an "interworking" technology has been defined; see [LISP-IW] for
382	   details.

384	3.3.  Caveats on the use of Data Probes

386	   It is worth noting that there has been a great deal of discussion and
387	   controversy about whether Data Probes are a good idea.  On the one
388	   hand, using them offers a method of avoiding the "first packet drop"
389	   problem when an ITR does not have a mapping for a particular EID-
390	   prefix.  On the other hand, forwarding data packets on the ALT would
391	   require that it either be engineered to support relatively high
392	   traffic rates, which is not generally feasible for a tunneled
393	   network, or that it be carefully designed to aggressively rate-limit
394	   traffic to avoid congestion or DoS attacks.  There may also be issues
395	   caused by different latency or other performance characteristics
396	   between the ALT path taken by an initial Data Probe and the
397	   "Internet" path taken by subsequent packets on the same flow once a
398	   mapping is in place on an ITR.  For these reasons, the use of Data
399	   Probes is not recommended at this time; they should only be
400	   originated an ITR when explicitly configured to do so and such
401	   configuration should only be enabled when performing experiments
402	   intended to test the viability of using Data Probes.

404	4.  LISP+ALT: Overview

406	   LISP+ALT is a hybrid push/pull architecture.  Aggregated EID-prefixes
407	   are advertised among the ALT Routers and to those (rare) ITRs that
408	   are directly connected via a tunnel and BGP to the ALT.  Specific
409	   EID-to-RLOC mappings are requested by an ITR (and returned by an ETR)
410	   using LISP when it sends a request either via a Map Resolver or to an
411	   edge ALT Router.

413	   The basic idea embodied in LISP+ALT is to use BGP, running on a
414	   tunneled overlay network (the ALT), to establish reachability between
415	   ALT Routers.  The ALT BGP Route Information Base (RIB) is comprised
416	   of EID-prefixes and associated next hops.  ALT Routers interconnect
417	   using BGP and propagate EID-prefix updates among themselves.  EID-
418	   prefix information is learned from ETRs at the "edge" of the ALT
419	   either through the use of the Map Server interface (the commmon
420	   case), static configuration, or by BGP-speaking ETRs.

422	   An ITR uses the ALT to learn the best path for forwarding an ALT
423	   Datagram destined to a particular EID-prefix.  An ITR will normally
424	   use a Map Resolver to send its ALT Datagrams on to the ALT but may,
425	   in unusual circumstances, use a static ALT Default Route or connect
426	   to the ALT using BGP.

428	   Note that while this document specifies the use of Generic Routing
429	   Encapsulation (GRE) as a tunneling mechanism, there is no reason that
430	   parts of the ALT cannot be built using other tunneling technologies,
431	   particularly in cases where GRE does not meet security, management,
432	   or other operational requirements.  References to "GRE tunnel" in
433	   later sections of this document should therefore not be taken as
434	   prohibiting or precluding the use of other tunneling mechanisms.
435	   Note also that two ALT Routers that are directly adjacent (with no
436	   layer-3 router hops between them) need not use a tunnel between them;
437	   in this case, BGP may be configured across the interfaces that
438	   connect to their common subnet and that subnet is then considered to
439	   be part of the ALT topology.  Use of techniques such as "eBGP
440	   multihop" to connect ALT Routers that do not share a tunnel or common
441	   subnet is not recommended as the non-ALT Routers in between the ALT
442	   Routers in such a configuration may not have information necessary to
443	   forward ALT Datagrams destined to EID-prefixes exchanged across that
444	   BGP session.

446	   In summary, LISP+ALT uses BGP to build paths through ALT Routers so
447	   that an ALT Datagram sent into the ALT can be forwarded to the ETR
448	   that holds the EID-to-RLOC mapping for that EID-prefix.  This
449	   reachability is carried as IPv4 or ipv6 NLRI without modification
450	   (since an EID-prefix has the same syntax as IPv4 or ipv6 address
451	   prefix).  ALT Routers establish BGP sessions with one another,
452	   forming the ALT.  An ALT Router at the "edge" of the topology learns
453	   EID-prefixes originated by authoritative ETRs.  Learning may be
454	   though the Map Server interface, by static configuration, or via BGP
455	   with the ETRs.  An ALT Router may also be configured to aggregate
456	   EID-prefixes received from ETRs or from other LISP+ALT routers that
457	   are topologically "downstream" from it.

459	4.1.  ITR traffic handling

461	   When an ITR receives a packet originated by an end system within its
462	   site (i.e. a host for which the ITR is the exit path out of the site)
463	   and the destination EID for that packet is not known in the ITR's
464	   mapping cache, the ITR creates either a Map-Request for the
465	   destination EID or the original packet encapsulated as a Data Probe
466	   (see Section 3.3 for caveats on the usability of Data Probes).  The
467	   result, known as an ALT Datagram, is then sent to an ALT Router (see
468	   also [LISP-MS] for non-ALT-connected ITRs, noting that Data Probes
469	   cannot be sent to a Map-Resolver).  This "first hop" ALT Router uses
470	   EID-prefix routing information learned from other ALT Routers via BGP
471	   to guide the packet to the ETR which "owns" the prefix.  Upon receipt
472	   by the ETR, normal LISP processing occurs: the ETR responds to the
473	   ITR with a LISP Map-Reply that lists the RLOCs (and, thus, the ETRs
474	   to use) for the EID-prefix.  For Data Probes, the ETR also
475	   decapsulates the packet and transmits it toward its destination.

477	   Upon receipt of the Map-Reply, the ITR installs the RLOC information
478	   for a given prefix into a local mapping database.  With these mapping
479	   entries stored, additional packets destined to the given EID-prefix
480	   are routed directly to an RLOC without use of the ALT, until either
481	   the entry's TTL has expired, or the ITR can otherwise find no
482	   reachable ETR.  Note that a current mapping may exist that contains
483	   no reachable RLOCs; this is known as a Negative Cache Entry and it
484	   indicates that packets destined to the EID-prefix are to be dropped.

486	   Full details on Map-Request/Map-Reply processing may be found in
487	   [LISP].

489	   Traffic routed on to the ALT consists solely of ALT Datagrams, i.e.
490	   Map-Requests and Data Probes (if supported).  Given the relatively
491	   low performance expected of a tunneled topology, ALT Routers (and Map
492	   Resolvers) should aggressively rate-limit the ingress of ALT
493	   Datagrams from ITRs and, if possible, should be configured to not
494	   accept packets that are not ALT Datagrams.

496	4.2.  EID Assignment - Hierarchy and Topology

498	   EID-prefixes are expected to be allocated to a LISP site by Internet
499	   Registries.  Where a site has multiple allocations which are aligned
500	   on a power-of-2 block boundary, they should be aggregated into a
501	   single EID-prefix for advertisement.  The ALT network is built in a
502	   roughly hierarchical, partial mesh which is intended to allow
503	   aggregation where clearly-defined hierarchical boundaries exist.
504	   Building such a structure should minimize the number of EID-prefixes
505	   carried by LISP+ALT nodes near the top of the hierarchy.

507	   Routes on the ALT do not need to respond to changes in policy,
508	   subscription, or underlying physical connectivity, so the topology
509	   can remain relatively static and aggregation can be sustained.
510	   Because routing on the ALT uses BGP, the same rules apply for
511	   generating aggregates; in particular, a ALT Router should only be
512	   configured to generate an aggregate if it is configured with BGP
513	   sessions to all of the originators of components (more-specific
514	   prefixes) of that aggregate.  Not all of the components of need to be
515	   present for the aggregate to be originated (some may be holes in the
516	   covering prefix and some may be down) but the aggregating router must
517	   be configured to learn the state of all of the components.

519	   Under what circumstances the ALT Router actually generates the
520	   aggregate is a matter of local policy: in some cases, it will be
521	   statically configured to do so at all times with a "static discard"
522	   route.  In other cases, it may be configured to only generate the
523	   aggregate prefix if at least one of the components of the aggregate
524	   is learned via BGP.

526	   An ALT Router must not generate an aggregate that includes a non-
527	   LISP-speaking hole unless it can be configured to return a Negative
528	   Map-Reply with action="Natively-Forward" (see [LISP]) if it receives
529	   an ALT Datagram that matches that hole.  If it receives an ALT
530	   Datagram that matches a LISP-speaking hole that is currently not
531	   reachable, it should return a Negative Map-Reply with action="drop".
532	   Negative Map-Replies should be returned with a short TTL, as
533	   specified in [LISP-MS].  Note that an off-the-shelf, non-LISP-
534	   speaking router configured as an aggregating ALT Router cannot send
535	   Negative Map-Replies, so such a router must never originate an
536	   aggregate that includes a non-LISP-speaking hole.

538	   This implies that two ALT Routers that share an overlapping set of
539	   prefixes must exchange those prefixes if either is to generate and
540	   export a covering aggregate for those prefixes.  It also implies that
541	   an ETR which connects to the ALT using BGP must maintain BGP sessions
542	   with all of the ALT Routers that are configured to originate an
543	   aggregate which covers that prefix and that each of those ALT Routers
544	   must be explicitly configured to know the set of EID-prefixes that
545	   make up any aggregate that it originates.  See also [LISP-MS] for an
546	   example of other ways that prefix origin consistency and aggregation
547	   can be maintained.

549	   As an example, consider ETRs that are originating EID-prefixes for
550	   10.1.0.0/24, 10.1.64.0/24, 10.1.128.0/24, and 10.1.192.0/24.  An ALT
551	   Router should only be configured to generate an aggregate for
552	   10.1.0.0/16 if it has BGP sessions configured with all of these ETRs,
553	   in other words, only if it has sufficient knowledge about the state
554	   of those prefixes to summarize them.  If the Router originating
555	   10.1.0.0/16 receives an ALT Datagram destined for 10.1.77.88, a non-
556	   LISP destination covered by the aggregate, it returns a Negative Map-
557	   Reply with action "Natively-Forward".  If it receives an ALT Datagram
558	   destined for 10.1.128.199 but the configured LISP prefix
559	   10.1.128.0/24 is unreachable, it returns a Negative Map-Reply with
560	   action "drop".

562	   Note: much is currently uncertain about the best way to build the ALT
563	   network; as testing and prototype deployment proceeds, a guide to how
564	   to best build the ALT network will be developed.

566	4.3.  Use of GRE and BGP between LISP+ALT Routers

568	   The ALT network is built using GRE tunnels between ALT Routers.  BGP
569	   sessions are configured over those tunnels, with each ALT Router
570	   acting as a separate AS "hop" in a Path Vector for BGP.  For the
571	   purposes of LISP+ALT, the AS-path is used solely as a shortest-path
572	   determination and loop-avoidance mechanism.  Because all next-hops
573	   are on tunnel interfaces, no IGP is required to resolve those next-
574	   hops to exit interfaces.

576	   LISP+ALT's use of GRE and BGP facilities deployment and operation of
577	   LISP because no new protocols need to be defined, implemented, or
578	   used on the overlay topology; existing BGP/GRE tools and operational
579	   expertise are also re-used.  Tunnel address assignment is also easy:
580	   since the addresses on an ALT tunnel are only used by the pair of
581	   routers connected to the tunnel, the only requirement of the IP
582	   addresses used to establish that tunnel is that the attached routers
583	   be reachable by each other; any addressing plan, including private
584	   addressing, can therefore be used for ALT tunnels.

586	5.  EID-prefix Propagation and Map-Request Forwarding

588	   As described in Section 8.2, an ITR sends an ALT Datagram to a given
589	   EID-to-RLOC mapping.  The ALT provides the infrastructure that allows
590	   these requests to reach the authoritative ETR.

592	   Note that under normal circumstances Map-Replies are not sent over
593	   the ALT; an ETR sends a Map-Reply to one of the ITR RLOCs learned
594	   from the original Map-Request.  See sections 6.1.2 and 6.2 of [LISP]
595	   for more information on the use of the Map-Request ITR RLOC field.
596	   Keep in mind that the ITR RLOC field supports mulitple RLOCs in
597	   multiple address families, so a Map-Reply sent in response to a Map-
598	   Request is not necessarily sent to back to the Map-Request RLOC
599	   source.

601	   There may be scenarios, perhaps to encourage caching of EID-to-RLOC
602	   mappings by ALT Routers, where Map-Replies could be sent over the ALT
603	   or where a "first-hop" ALT router might modify the originating RLOC
604	   on a Map-Request received from an ITR to force the Map-Reply to be
605	   returned to the "first-hop" ALT Router.  These cases will not be
606	   supported by initial LISP+ALT implementations but may be subject to
607	   future experimentation.

609	   ALT Routers propagate path information via BGP ([RFC4271]) that is
610	   used by ITRs to send ALT Datagrams toward the appropriate ETR for
611	   each EID-prefix.  BGP is run on the inter-ALT Router links, and
612	   possibly between an edge ("last hop") ALT Router and an ETR or
613	   between an edge ("first hop") ALT Router and an ITR.  The ALT BGP RIB
614	   consists of aggregated EID-prefixes and their next hops toward the
615	   authoritative ETR for that EID-prefix.

617	5.1.  Changes to ITR behavior with LISP+ALT

619	   As previously described, an ITR will usually use the Map Resolver
620	   interface and will send its Map Requests to a Map Resolver.  When an
621	   ITR instead connects via tunnels and BGP to the ALT, it sends ALT
622	   Datagrams to one of its "upstream" ALT Routers; these are sent only
623	   to obtain new EID-to-RLOC mappings - RLOC probe and cache TTL refresh
624	   Map-Requests are not sent on the ALT.  As in basic LISP, it should
625	   use one of its RLOCs as the source address of these queries; it
626	   should not use a tunnel interface as the source address as doing so
627	   will cause replies to be forwarded over the tunneled topology and may
628	   be problematic if the tunnel interface address is not routed
629	   throughout the ALT.  If the ITR is running BGP with the LISP+ALT
630	   router(s), it selects the appropriate ALT Router based on the BGP
631	   information received.  If it is not running BGP, it uses a
632	   statically-configued ALT Default Route to select an ALT Router.

634	5.2.  Changes to ETR behavior with LISP+ALT

636	   As previously described, an ETR will usually use the Map Server
637	   interface (see [LISP-MS]) and will register its EID-prefixes with its
638	   configured Map Servers.  When an ETR instead connects using BGP to
639	   one or more ALT Routers, it announces its EID-prefix(es) to those ALT
640	   Routers.

642	   As documented in [LISP], when an ETR generates a Map-Reply message to
643	   return to a querying ITR, it sets the outer header IP destination
644	   address to one of the requesting ITR's RLOCs so that the Map-Reply
645	   will be sent on the underlying Internet topology, not on the ALT;
646	   this avoids any latency penalty (or "stretch") that might be incurred
647	   by sending the Map-Reply via the ALT, reduces load on the ALT, and
648	   ensures that the Map-Reply can be routed even if the original ITR
649	   does not have an ALT-routed EID.  For details on how an ETR selects
650	   which ITR RLOC to use, see section 6.1.5 of [LISP].

652	6.  BGP configuration and protocol considerations

654	6.1.  Autonomous System Numbers (ASNs) in LISP+ALT

656	   The primary use of BGP today is to define the global Internet routing
657	   topology in terms of its participants, known as Autonomous Systems.
658	   LISP+ALT specifies the use of BGP to create a global overlay network
659	   (the ALT) for finding EID-to-RLOC mappings.  While related to the
660	   global routing database, the ALT serves a very different purpose and
661	   is organized into a very different hierarchy.  Because LISP+ALT does
662	   use BGP, however, it uses ASNs in the paths that are propagated among
663	   ALT Routers.  To avoid confusion, LISP+ALT should use newly-assigned
664	   AS numbers that are unrelated to the ASNs used by the global routing
665	   system.  Exactly how this new space will be assigned and managed will
666	   be determined during the deployment of LISP+ALT.

668	   Note that the ALT Routers that make up the "core" of the ALT will not
669	   be associated with any existing core-Internet ASN because the ALT
670	   topology is completely separate from, and independent of, the global
671	   Internet routing system.

673	6.2.  Sub-Address Family Identifier (SAFI) for LISP+ALT

675	   As defined by this document, LISP+ALT may be implemented using BGP
676	   without modification.  Given the fundamental operational difference
677	   between propagating global Internet routing information (the current
678	   dominant use of BGP) and creating an overlay network for finding EID-
679	   to-RLOC mappings (the use of BGP proposed by this document), it may
680	   be desirable to assign a new SAFI [RFC4760] to prevent operational
681	   confusion and difficulties, including the inadvertent leaking of
682	   information from one domain to the other.  Use of a separate SAFI
683	   would make it easier to debug many operational problems but would
684	   come at a significant cost: unmodified, off-the-shelf routers which
685	   do not understand the new SAFI could not be used to build any part of
686	   the ALT network.  At present, this document does not request the
687	   assignment of a new SAFI; additional experimentation may suggest the
688	   need for one in the future.

690	7.  EID-prefix Aggregation

692	   The ALT BGP peering topology should be arranged in a tree-like
693	   fashion (with some meshiness), with redundancy to deal with node and
694	   link failures.  A basic assumption is that as long as the routers are
695	   up and running, the underlying Internet will provide alternative
696	   routes to maintain BGP connectivity among ALT Routers.

698	   Note that, as mentioned in Section 4.2, the use of BGP by LISP+ALT
699	   requires that information only be aggregated where all active more-
700	   specific prefixes of a generated aggregate prefix are known.  This is
701	   no different than the way that BGP route aggregation works in the
702	   existing global routing system: a service provider only generates an
703	   aggregate route if it is configured to learn to all prefixes that
704	   make up that aggregate.

706	7.1.  Stability of the ALT

708	   It is worth noting that LISP+ALT does not directly propagate EID-to-
709	   RLOC mappings.  What it does is provide a mechanism for an ITR to
710	   commonicate with the ETR that holds the mapping for a particular EID-
711	   prefix.  This distinction is important when considering the stability
712	   of BGP on the ALT network as compared to the global routing system.
713	   It also has implications for how site-specific EID-prefix information
714	   may be used by LISP but not propagated by LISP+ALT (see Section 7.2
715	   below).

717	   RLOC prefixes are not propagated through the ALT so their
718	   reachability is not determined through use of LISP+ALT.  Instead,
719	   reachability of RLOCs is learned through the LISP ITR-ETR exchange.
720	   This means that link failures or other service disruptions that may
721	   cause the reachability of an RLOC to change are not known to the ALT.
722	   Changes to the presence of an EID-prefix on the ALT occur much less
723	   frequently: only at subscription time or in the event of a failure of
724	   the ALT infrastructure itself.  This means that "flapping" (frequent
725	   BGP updates and withdrawals due to prefix state changes) is not
726	   likely and mapping information cannot become "stale" due to slow
727	   propagation through the ALT BGP mesh.

729	7.2.  Traffic engineering using LISP

731	   Since an ITR learns an EID-to-RLOC mapping directly from the ETR that
732	   owns it, it is possible to perform site-to-site traffic engineering
733	   by setting the preference and/or weight fields, and by including
734	   more-specific EID-to-RLOC information in Map-Reply messages.

736	   This is a powerful mechanism that can conceivably replace the
737	   traditional practice of routing prefix deaggregation for traffic
738	   engineering purposes.  Rather than propagating more-specific
739	   information into the global routing system for local- or regional-
740	   optimization of traffic flows, such more-specific information can be
741	   exchanged, through LISP (not LISP+ALT), on an as-needed basis between
742	   only those ITRs/ETRs (and, thus, site pairs) that need it.  Such an
743	   exchange of "more-specifics" between sites facilitates traffic
744	   engineering, by allowing richer and more fine-grained policies to be
745	   applied without advertising additional prefixes into either the ALT
746	   or the global routing system.

748	   Note that these new traffic engineering capabilities are an attribute
749	   of LISP and are not specific to LISP+ALT; discussion is included here
750	   because the BGP-based global routing system has traditionally used
751	   propagation of more-specific routes as a crude form of traffic
752	   engineering.

754	7.3.  Edge aggregation and dampening

756	   Normal BGP best common practices apply to the ALT network.  In
757	   particular, first-hop ALT Routers will aggregate EID prefixes and
758	   dampen changes to them in the face of excessive updates.  Since EID-
759	   prefix assignments are not expected to change as frequently as global
760	   routing BGP prefix reachability, such dampening should be very rare,
761	   and might be worthy of logging as an exceptional event.  It is again
762	   worth noting that the ALT carries only EID-prefixes, used to a
763	   construct BGP path to each ETR (or Map-Server) that originates each
764	   prefix; the ALT does not carry reachability about RLOCs.  In
765	   addition, EID-prefix information may be aggregated as the topology
766	   and address assignment hierarchy allow.  Since the topology is all
767	   tunneled and can be modified as needed, reasonably good aggregation
768	   should be possible.  In addition, since most ETRs are expected to
769	   connect to the ALT using the Map Server interface, Map Servers will
770	   implement a natural "edge" for the ALT where dampening and
771	   aggregation can be applied.  For these reasons, the set of prefix
772	   information on the ALT can be expected to be both better aggregated
773	   and considerably less volatile than the actual EID-to-RLOC mappings.

775	7.4.  EID assignment flexibility vs. ALT scaling

777	   There are major open questions regarding how the ALT will be deployed
778	   and what organization(s) will operate it.  In a simple, non-
779	   distributed world, centralized administration of EID prefix
780	   assignment and ALT network design would facilitate a well- aggregated
781	   ALT routing system.  Business and other realities will likely result
782	   in a more complex, distributed system involving multiple levels of
783	   prefix delegation, multiple operators of parts of the ALT
784	   infrastructure, and a combination of competition and cooperation
785	   among the participants.  In addition, re-use of existing IP address
786	   assignments, both "PI" and "PA", to avoid renumbering when sites
787	   transition to LISP will further complicate the processes of building
788	   and operating the ALT.

790	   A number of conflicting considerations need to be kept in mind when
791	   designing and building the ALT.  Among them are:

793	   1.  Target ALT routing state size and level of aggregation.  As
794	       described in Section 7.1, the ALT should not suffer from some of
795	       the performance constraints or stability issues as the Internet
796	       global routing system, so some reasonable level of deaggregation
797	       and increased number of EID prefixes beyond what might be
798	       considered ideal should be acceptable.  That said, measures, such
799	       as tunnel rehoming to preserve aggregation when sites move from
800	       one mapping provider to another and implementing aggregation at
801	       multiple levels in the hierarchy to collapse de-aggregation at
802	       lower levels, should be taken to reduce unnecessary explosion of
803	       ALT routing state.

805	   2.  Number of operators of parts of the ALT and how they will be
806	       organized (hierarchical delegation vs. shared administration).
807	       This will determine not only how EID prefixes are assigned but
808	       also how tunnels are configured and how EID prefixes can be
809	       aggregated between different parts of the ALT.

811	   3.  Number of connections between different parts of the ALT.  Trade-
812	       offs will need to be made among resilience, performance, and
813	       placement of aggregation boundaries.

815	   4.  EID prefix portability between competing operators of the ALT
816	       infrastructure.  A significant benefit for an end-site to adopt
817	       LISP is the availability of EID space that is not tied to a
818	       specific connectivity provider; it is important to ensure that an
819	       end site doesn't trade lock-in to a connectivity provider for
820	       lock-in to a provider of its EID assignment, ALT connectivity, or
821	       Map Server facilities.

823	   This is, by no means, an exhaustive list.

825	   While resolving these issues is beyond the scope of this document,
826	   the authors recommend that existing distributed resource structures,
827	   such as the IANA/Regional Internet Registries and the ICANN/Domain
828	   Registrar, be carefully considered when designing and deploying the
829	   ALT infrastructure.

831	8.  Connecting sites to the ALT network

833	8.1.  ETRs originating information into the ALT

835	   EID-prefix information is originated into the ALT by three different
836	   mechanisms:

838	   Map Server:  In most cases, a site will configure its ETR(s) to
839	      register with one or more Map Servers (see [LISP-MS]), and does
840	      not participate directly in the ALT.

842	   BGP:  For a site requiring complex control over their EID-prefix
843	      origination into the ALT, an ETR may connect to the LISP+ALT
844	      overlay network by running BGP to one or more ALT Router(s) over
845	      tunnel(s).  The ETR advertises reachability for its EID-prefixes
846	      over these BGP connection(s).  The edge ALT Router(s) that
847	      receive(s) these prefixes then propagate(s) them into the ALT.
848	      Here the ETR is simply an BGP peer of ALT Router(s) at the edge of
849	      the ALT.  Where possible, an ALT Router that receives EID-prefixes
850	      from an ETR via BGP should aggregate that information.

852	   Configuration:  One or more ALT Router(s) may be configured to
853	      originate an EID-prefix on behalf of the non-BGP-speaking ETR that
854	      is authoritative for a prefix.  As in the case above, the ETR is
855	      connected to ALT Router(s) using GRE tunnel(s) but rather than BGP
856	      being used, the ALT Router(s) are configured with what are in
857	      effect "static routes" for the EID-prefixes "owned" by the ETR.
858	      The GRE tunnel is used to route Map-Requests to the ETR.

860	   Note:  in all cases, an ETR may register to multiple Map Servers or
861	      connect to multiple ALT Routers for the following reasons:

863	      *  redundancy, so that a particular ETR is still reachable even if
864	         one path or tunnel is unavailable.

866	      *  to connect to different parts of the ALT hierarchy if the ETR
867	         "owns" multiple EID-to-RLOC mappings for EID-prefixes that
868	         cannot be aggregated by the same ALT Router (i.e. are not
869	         topologically "close" to each other in the ALT).

871	8.2.  ITRs Using the ALT

873	   In the common configuration, an ITR does not need to know anything
874	   about the ALT, since it sends Map-Requests to one of its configured
875	   Map-Resolvers (see [LISP-MS]).  There are two exceptional cases:

877	   Static default:  If a Map Resolver is not available but an ITR is
878	      adjacent to an ALT Router (either over a common subnet or through
879	      the use of a tunnel), it can use an ALT Default Route route to
880	      cause all ALT Datagrams to be sent that ALT Router.  This case is
881	      expected to be rare.

883	   Connection to ALT:  A site with complex Internet connectivity needs
884	      may need more fine-grained distinction between traffic to LISP-
885	      capable and non-LISP-capable sites.  Such a site may configure
886	      each of its ITRs to connect directly to the ALT, using a tunnel
887	      and BGP connection.  In this case, the ITR will receive EID-prefix
888	      routes from its BGP connection to the ALT Router and will LISP-
889	      encapsulate and send ALT Datagrams through the tunnel to the ALT
890	      Router.  Traffic to other destinations may be forwarded (without
891	      LISP encapsulation) to non-LISP next-hop routers that the ITR
892	      knows.

894	      In general, an ITR that connects to the ALT does so only to to ALT
895	      Routers at the "edge" of the ALT (typically two for redundancy).
896	      There may, though, be situations where an ITR would connect to
897	      other ALT Routers to receive additional, shorter path information
898	      about a portion of the ALT of interest to it.  This can be
899	      accomplished by establishing GRE tunnels between the ITR and the
900	      set of ALT Routers with the additional information.  This is a
901	      purely local policy issue between the ITR and the ALT Routers in
902	      question.

904	   As described in [LISP-MS], Map-Resolvers do not accept or forward
905	   Data Probes; in the rare scenario that an ITR does support and
906	   originate Data Probes, it must do so using one of the exceptional
907	   configurations described above.  Note that the use of Data Probes is
908	   discouraged at this time (see Section 3.3).

910	9.  IANA Considerations

912	   This document makes no request of the IANA.

914	10.  Security Considerations

916	   LISP+ALT shares many of the security characteristics of BGP.  Its
917	   security mechanisms are comprised of existing technologies in wide
918	   operational use today, so securing the ALT should be mostly a matter
919	   of applying the same technology that is used to secure the BGP-based
920	   global routing system (see Section 10.3 below).

922	10.1.  Apparent LISP+ALT Vulnerabilities

924	   This section briefly lists the known potential vulnerabilities of
925	   LISP+ALT.

927	   Mapping Integrity:  Can an attacker insert bogus mappings to black-
928	      hole (create Denial-of-Service, or DoS attack) or intercept LISP
929	      data-plane packets?

931	   ALT Router Availability:  Can an attacker DoS the ALT Routers
932	      connected to a given ETR?  If a site's ETR cannot advertise its
933	      EID-to-RLOC mappings, the site is essentially unavailable.

935	   ITR Mapping/Resources:  Can an attacker force an ITR or ALT Router to
936	      drop legitimate mapping requests by flooding it with random
937	      destinations for which it will generate large numbers of Map-
938	      Requests and fill its mapping cache?  Further study is required to
939	      see the impact of admission control on the overlay network.

941	   EID Map-Request Exploits for Reconnaissance:  Can an attacker learn
942	      about a LISP site's TE policy by sending legitimate mapping
943	      requests and then observing the RLOC mapping replies?  Is this
944	      information useful in attacking or subverting peer relationships?
945	      Note that any public LISP mapping database will have similar data-
946	      plane reconnaissance issue.

948	   Scaling of ALT Router Resources:  Paths through the ALT may be of
949	      lesser bandwidth than more "direct" paths; this may make them more
950	      prone to high-volume denial-of-service attacks.  For this reason,
951	      all components of the ALT (ETRs and ALT Routers) should be
952	      prepared to rate-limit traffic (ALT Datagrams) that could be
953	      received across the ALT.

955	   UDP Map-Reply from ETR:  Since Map-Replies are sent directly from the
956	      ETR to the ITR's RLOC, the ITR's RLOC may be vulnerable to various
957	      types of DoS attacks (this is a general property of LISP, not an
958	      LISP+ALT vulnerability).

960	   More-specific prefix leakage:  Because EID-prefixes on the ALT are
961	      expected to be fairly well-aggregated and EID-prefixes propagated
962	      out to the global Internet (see [LISP-IW] much more so, accidental
963	      leaking or malicious advertisement of an EID-prefix into the
964	      global routing system could cause traffic redirection away from a
965	      LISP site.  This is not really a new problem, though, and its
966	      solution can only be achieved by much more strict prefix filtering
967	      and authentication on the global routing system.

969	10.2.  Survey of LISP+ALT Security Mechanisms

971	   Explicit peering:  The devices themselves can both prioritize
972	      incoming packets, as well as potentially do key checks in hardware
973	      to protect the control plane.

975	   Use of TCP to connect elements:  This makes it difficult for third
976	      parties to inject packets.

978	   Use of HMAC Protected BGP/TCP Connections:  HMAC is used to verify
979	      message integrity and authenticity, making it nearly impossible
980	      for third party devices to either insert or modify messages.

982	   Message Sequence Numbers and Nonce Values in Messages:  This allows
983	      an ITR to verify that the Map-Reply from an ETR is in response to
984	      a Map-Request originated by that ITR (this is a general property
985	      of LISP; LISP+ALT does not change this behavior).

987	10.3.  Use of new IETF standard BGP Security mechanisms

989	   LISP+ALT's use of BGP allows the ALT to take advantage of BGP
990	   security features designed for existing Internet BGP use.  Should the
991	   Internet community converge on the work currently being done in the
992	   IETF SIDR working group or should either S-BGP [I-D.murphy-bgp-secr]
993	   or soBGP [I-D.white-sobgparchitecture] be implemented and widely-
994	   deployed, LISP+ALT can readily use these mechanisms to provide
995	   authentication of EID-prefix origination and EID-to-RLOC mappings.

997	11.  Acknowledgments

999	   The authors would like to specially thank J. Noel Chiappa who was a
1000	   key contributer to the design of the LISP-CONS mapping database (many
1001	   ideas from which made their way into LISP+ALT) and who has continued
1002	   to provide invaluable insight as the LISP effort has evolved.  Others
1003	   who have provided valuable contributions include John Zwiebel, Hannu
1004	   Flinck, Amit Jain, John Scudder, and Scott Brim.

1006	12.  References

1008	12.1.  Normative References

1010	   [LISP]     Farinacci, D., Fuller, V., Meyer, D., and D. Lewis,
1011	              "Locator/ID Separation Protocol (LISP)",
1012	              draft-ietf-lisp-15.txt (work in progress), July 2011.

1014	   [LISP-MS]  Fuller, V. and D. Farinacci, "LISP Map Server",
1015	              draft-ietf-lisp-ms-11.txt (work in progress), August 2011.

1017	   [RFC2784]  Farinacci, D., Li, T., Hanks, S., Meyer, D., and P.
1018	              Traina, "Generic Routing Encapsulation (GRE)", RFC 2784,
1019	              March 2000.

1021	   [RFC4271]  Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
1022	              Protocol 4 (BGP-4)", RFC 4271, January 2006.

1024	   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing
1025	              (CIDR): The Internet Address Assignment and Aggregation
1026	              Plan", BCP 122, RFC 4632, August 2006.

1028	   [RFC4760]  Bates, T., Chandra, R., Katz, D., and Y. Rekhter,
1029	              "Multiprotocol Extensions for BGP-4", RFC 4760,
1030	              January 2007.

1032	12.2.  Informative References

1034	   [I-D.murphy-bgp-secr]
1035	              Murphy, S., "BGP Security Analysis",
1036	              draft-murphy-bgp-secr-04 (work in progress),
1037	              November 2001.

1039	   [I-D.white-sobgparchitecture]
1040	              White, R., "Architecture and Deployment Considerations for
1041	              Secure Origin BGP (soBGP)",
1042	              draft-white-sobgparchitecture-00 (work in progress),
1043	              May 2004.

1045	   [LISP-IW]  Lewis, D., Meyer, D., Farinacci, D., and V. Fuller,
1046	              "Interworking LISP with IPv4 and ipv6",
1047	              draft-ietf-lisp-interworking-02.txt (work in progress),
1048	              March 2011.

1050	Authors' Addresses

1052	   Vince Fuller
1053	   Cisco
1054	   Tasman Drive
1055	   San Jose, CA  95134
1056	   USA

1058	   Email: vaf@cisco.com

1060	   Dino Farinacci
1061	   Cisco
1062	   Tasman Drive
1063	   San Jose, CA  95134
1064	   USA

1066	   Email: dino@cisco.com

1068	   Dave Meyer
1069	   Cisco
1070	   Tasman Drive
1071	   San Jose, CA  95134
1072	   USA

1074	   Email: dmm@cisco.com

1076	   Darrel Lewis
1077	   Cisco
1078	   Tasman Drive
1079	   San Jose, CA  95134
1080	   USA

1082	   Email: darlewis@cisco.com