idnits 2.17.1

draft-ietf-lisp-alt-10.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 5 instances of lines with private range IPv4 addresses in the
     document. If these are generic example addresses, they should be changed
     to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x,
     198.51.100.x or 203.0.113.x.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (December 6, 2011) is 4497 days in the past. Is this
     intentional?

  Checking references for intended status: Experimental
  ----------------------------------------------------------------------------

  == Outdated reference: A later version (-24) exists of draft-ietf-lisp-15

  == Outdated reference: A later version (-16) exists of draft-ietf-lisp-ms-12

  == Outdated reference: A later version (-06) exists of
     draft-ietf-lisp-interworking-02

     Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                          V. Fuller
Internet-Draft                                              D. Farinacci
Intended status: Experimental                                   D. Meyer
Expires: June 8, 2012                                           D. Lewis
                                                                   Cisco
                                                        December 6, 2011


                  LISP Alternative Topology (LISP+ALT)
                       draft-ietf-lisp-alt-10.txt

Abstract

   This document describes a simple distributed index system to be used
   by a Locator/ID Separation Protocol (LISP) Ingress Tunnel Router
   (ITR) or Map Resolver (MR) to find the Egress Tunnel Router (ETR)
   which holds the mapping information for a particular Endpoint
   Identifier (EID). The MR can then query that ETR to obtain the
   actual mapping information, which consists of a list of Routing
   Locators (RLOCs) for the EID. Termed the Alternative Logical
   Topology (ALT), the index is built as an overlay network on the
   public Internet using the Border Gateway Protocol (BGP) and the
   Generic Routing Encapsulation (GRE).

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 8, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Definition of Terms
   3.  The LISP+ALT model
     3.1.  Routeability of EIDs
       3.1.1.  Mechanisms for an ETR to originate EID-prefixes
       3.1.2.  Mechanisms for an ITR to forward to EID-prefixes
       3.1.3.  Map Server Model preferred
     3.2.  Connectivity to non-LISP sites
     3.3.  Caveats on the use of Data Probes
   4.  LISP+ALT: Overview
     4.1.  ITR traffic handling
     4.2.  EID Assignment - Hierarchy and Topology
     4.3.  Use of GRE and BGP between LISP+ALT Routers
   5.  EID-prefix Propagation and Map-Request Forwarding
     5.1.  Changes to ITR behavior with LISP+ALT
     5.2.  Changes to ETR behavior with LISP+ALT
     5.3.  ALT Datagram forwarding failure
   6.  BGP configuration and protocol considerations
     6.1.  Autonomous System Numbers (ASNs) in LISP+ALT
     6.2.  Sub-Address Family Identifier (SAFI) for LISP+ALT
   7.  EID-prefix Aggregation
     7.1.  Stability of the ALT
     7.2.  Traffic engineering using LISP
     7.3.  Edge aggregation and dampening
     7.4.  EID assignment flexibility vs. ALT scaling
   8.  Connecting sites to the ALT network
     8.1.  ETRs originating information into the ALT
     8.2.  ITRs Using the ALT
   9.  IANA Considerations
   10. Security Considerations
     10.1.  Apparent LISP+ALT Vulnerabilities
     10.2.  Survey of LISP+ALT Security Mechanisms
     10.3.  Use of new IETF standard BGP Security mechanisms
   11. Acknowledgments
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Introduction

   This document describes the LISP+ALT system, used by a [LISP] ITR or
   MR to find the ETR that holds the RLOC mapping information for a
   particular EID. The ALT network is built using the Border Gateway
   Protocol (BGP, [RFC4271]), the BGP multi-protocol extension
   [RFC4760], and the Generic Routing Encapsulation (GRE, [RFC2784]) to
   construct an overlay network of devices (ALT Routers) which operate
   on EID-prefixes and use EIDs as forwarding destinations.

   ALT Routers advertise hierarchically-delegated segments of the EID
   namespace (i.e., prefixes) toward the rest of the ALT; they also
   forward traffic destined for an EID covered by one of those prefixes
   toward the network element that is authoritative for that EID and is
   the origin of the BGP advertisement for that EID-prefix. An Ingress
   Tunnel Router (ITR) uses this overlay to send a LISP Map-Request
   (defined in [LISP]) to the Egress Tunnel Router (ETR) that holds the
   EID-to-RLOC mapping for a matching EID-prefix.
   In most cases, an ITR
   does not connect directly to the overlay network but instead sends
   Map-Requests via a Map-Resolver (described in [LISP-MS]) which does.
   Likewise, in most cases, an ETR does not connect directly to the
   overlay network but instead registers its EID-prefixes with a
   Map-Server that advertises those EID-prefixes on to the ALT and
   forwards Map-Requests for them to the ETR.

   It is important to note that the ALT does not distribute actual
   EID-to-RLOC mappings. What it does provide is a forwarding path from
   an ITR (or MR) which requires an EID-to-RLOC mapping to an ETR which
   holds that mapping. The ITR/MR uses this path to send an ALT
   Datagram (see Section 3) to an ETR which then responds with a
   Map-Reply containing the needed mapping information.

   One design goal for LISP+ALT is to use existing technology wherever
   possible. To this end, the ALT is intended to be built using
   off-the-shelf routers which already implement the required protocols
   (BGP and GRE); little, if any, LISP-specific modifications should be
   needed for such devices to be deployed on the ALT (see Section 7 for
   aggregation requirements). Note, though, that organizational and
   operational considerations suggest that ALT Routers be both logically
   and physically separate from the "native" Internet packet transport
   system; deploying this overlay on those routers which are already
   participating in the global routing system and actively forwarding
   Internet traffic is not recommended.

   This specification is experimental, and there are areas where further
   experience is needed to understand the best implementation strategy,
   operational model, and effects on Internet operations. These areas
   include:

   o  application effects of on-demand route map discovery

   o  tradeoff in connection setup time vs.
      ALT design and performance
      when using a Map Request instead of carrying initial user data in a
      Data Probe

   o  best practical ways to build ALT hierarchies

   o  effects of route leakage from ALT to the current Internet,
      particularly for LISP-to-non-LISP interworking

   o  effects of exceptional situations, such as denial-of-service
      attacks

   Experimentation, measurements, and deployment experience on these
   aspects are appreciated. While these issues are conceptually
   well-understood (e.g. an ALT lookup causes potential delay for the
   first packet destined to a given network), the real-world operational
   effects are much less clear.

   The remainder of this document is organized as follows: Section 2
   provides the definitions of terms used in this document. Section 3
   outlines the LISP ALT model, where EID prefixes are routed across an
   overlay network. Section 4 provides a basic overview of the LISP
   Alternate Topology architecture, and Section 5 describes how the ALT
   uses BGP to propagate Endpoint Identifier reachability over the
   overlay network and Section 6 describes other considerations for
   using BGP on the ALT. Section 7 describes the construction of the
   ALT aggregation hierarchy, and Section 8 discusses how LISP+ALT
   elements are connected to form the overlay network.

2.  Definition of Terms

   This section provides high-level definitions of LISP concepts and
   components involved with and affected by LISP+ALT.

   Alternative Logical Topology (ALT):  The virtual overlay network
      made up of tunnels between LISP+ALT Routers. The Border Gateway
      Protocol (BGP) runs between ALT Routers and is used to carry
      reachability information for EID-prefixes. The ALT provides a way
      to forward Map-Requests (and, if supported, Data Probes) toward
      the ETR that "owns" an EID-prefix.
      As a tunneled overlay, its
      performance is expected to be quite limited so use of it to
      forward high-bandwidth flows of Data Probes is strongly
      discouraged (see Section 3.3 for additional discussion).

   ALT Router:  The devices which run on the ALT. The ALT is a static
      network built using tunnels between ALT Routers. These routers
      are deployed in a roughly-hierarchical mesh in which routers at
      each level in the topology are responsible for aggregating
      EID-prefixes learned from those logically "below" them and
      advertising summary prefixes to those logically "above" them.
      Prefix learning and propagation between ALT Routers is done using
      BGP. An ALT Router at the lowest level, or "edge" of the ALT,
      learns EID-prefixes from its "client" ETRs. See Section 3.1 for a
      description of how EID-prefixes are learned at the "edge" of the
      ALT. See also Section 6 for details on how BGP is configured
      between the different network elements. When an ALT Router
      receives an ALT Datagram, it looks up the destination EID in its
      forwarding table (composed of EID prefix routes it learned from
      neighboring ALT Routers) and forwards it to the logical next-hop
      on the overlay network.

   Endpoint ID (EID):  A 32-bit (for IPv4) or 128-bit (for IPv6) value
      used to identify the ultimate source or destination for a
      LISP-encapsulated packet. See [LISP] for details.

   EID-prefix:  A set of EIDs delegated in a power-of-two block.
      EID-prefixes are routed on the ALT (not on the global Internet)
      and are expected to be assigned in a hierarchical manner such that
      they can be aggregated by ALT Routers. Such a block is
      characterized by a prefix and a length. Note that while the ALT
      routing system considers an EID-prefix to be an opaque block of
      EIDs, an end site may put site-local, topologically-relevant
      structure (subnetting) into an EID-prefix for intra-site routing.

   Aggregated EID-prefixes:  A set of individual EID-prefixes that have
      been aggregated in the [RFC4632] sense.

   Map Server (MS):  An edge ALT Router that provides a registration
      function for non-ALT-connected ETRs, originates EID-prefixes into
      the ALT on behalf of those ETRs, and forwards Map-Requests to
      them. See [LISP-MS] for details.

   Map Resolver (MR):  An edge ALT Router that accepts an Encapsulated
      Map-Request from a non-ALT-connected ITR, decapsulates it, and
      forwards it on to the ALT toward the ETR which owns the requested
      EID-prefix. See [LISP-MS] for details.

   Ingress Tunnel Router (ITR):  A router which sends LISP
      Map-Requests or encapsulates IP datagrams with LISP headers, as
      defined in [LISP]. In this document, the term refers to any
      device implementing ITR functionality, including a Proxy-ITR (see
      [LISP-IW]). Under some circumstances, a LISP Map Resolver may
      also originate Map-Requests (see [LISP-MS]).

   Egress Tunnel Router (ETR):  A router which sends LISP Map-Replies
      in response to LISP Map-Requests and decapsulates
      LISP-encapsulated IP datagrams for delivery to end systems, as
      defined in [LISP]. In this document, the term refers to any device
      implementing ETR functionality, including a Proxy-ETR (see
      [LISP-IW]). Under some circumstances, a LISP Map Server may also
      respond to Map-Requests (see [LISP-MS]).

   Routing Locator (RLOC):  A routable IP address for a LISP tunnel
      router (ITR or ETR). Interchangeably referred to as a "locator"
      in this document. An RLOC is also the output of an EID-to-RLOC
      mapping lookup; an EID-prefix maps to one or more RLOCs.
      Typically, RLOCs are numbered from topologically-aggregatable
      blocks that are assigned to a site at each point where it attaches
      to the global Internet; where the topology is defined by the
      connectivity of provider networks, RLOCs can be thought of as
      Provider Aggregatable (PA) addresses.
      Routing for RLOCs is not
      carried on the ALT.

   EID-to-RLOC Mapping:  A binding between an EID-prefix and the set of
      RLOCs that can be used to reach it; sometimes referred to simply
      as a "mapping".

   EID-prefix Reachability:  An EID-prefix is said to be "reachable" if
      at least one of its locators is reachable. That is, an EID-prefix
      is reachable if the ETR that is authoritative for a given
      EID-to-RLOC mapping is reachable.

   Default Mapping:  A Default Mapping is a mapping entry for
      EID-prefix 0.0.0.0/0 (::/0 for IPv6). It maps to a locator-set
      used for all EIDs in the Internet. If there is a more specific
      EID-prefix in the mapping cache it overrides the Default Mapping
      entry. The Default Mapping can be learned by configuration or
      from a Map-Reply message.

   ALT Default Route:  An EID-prefix value of 0.0.0.0/0 (or ::/0 for
      IPv6) which may be learned from the ALT or statically configured
      on an edge ALT Router. The ALT-Default Route defines a forwarding
      path for a packet to be sent into the ALT on a router which does
      not have a full ALT forwarding database.

3.  The LISP+ALT model

   The LISP+ALT model uses the same basic query/response protocol that
   is documented in [LISP]. In particular, LISP+ALT provides two types
   of packet that an ITR can originate to obtain EID-to-RLOC mappings:

   Map-Request:  A Map-Request message is sent into the ALT to request
      an EID-to-RLOC mapping. The ETR which owns the mapping will
      respond to the ITR with a Map-Reply message. Since the ALT only
      forwards on EID destinations, the destination address of the
      Map-Request sent on the ALT must be an EID.

   Data Probe:  Alternatively, an ITR may encapsulate and send the first
      data packet destined for an EID with no known RLOCs into the ALT
      as a Data Probe. This might be done to minimize packet loss and
      to probe for the mapping.
      As above, the authoritative ETR for the
      EID-prefix will respond to the ITR with a Map-Reply message when
      it receives the data packet over the ALT. As a side-effect, the
      encapsulated data packet is delivered to the end-system at the ETR
      site. Note that the Data Probe's inner IP destination address,
      which is an EID, is copied to the outer IP destination address so
      that the resulting packet can be routed over the ALT. See
      Section 3.3 for caveats on the usability of Data Probes.

   The term "ALT Datagram" is short-hand for a Map-Request or Data Probe
   to be sent into or forwarded on the ALT. Note that such packets use
   an RLOC as the outer header source IP address and an EID as the outer
   header destination IP address.

   Detailed descriptions of the LISP packet types referenced by this
   document may be found in [LISP].

3.1.  Routeability of EIDs

   A LISP EID has the same syntax as an IP address and can be used,
   unaltered, as the source or destination of an IP datagram. In
   general, though, EIDs are not routable on the public Internet;
   LISP+ALT provides a separate, virtual network, known as the LISP
   Alternative Logical Topology (ALT) on which a datagram using an EID
   as an IP destination address may be transmitted. This network is
   built as an overlay on the public Internet using tunnels to
   interconnect ALT Routers. BGP runs over these tunnels to propagate
   path information needed to forward ALT Datagrams. Importantly, while
   the ETRs are the source(s) of the unaggregated EID-prefixes, LISP+ALT
   uses existing BGP mechanisms to aggregate this information.

3.1.1.  Mechanisms for an ETR to originate EID-prefixes

   There are three ways that an ETR may originate its mappings into the
   ALT:

   1.  By registration with a Map Server as documented in [LISP-MS].
       This is the common case and is expected to be used by the
       majority of ETRs.

   2.  Using a "static route" on the ALT.
       Where no Map-Server is
       available, an edge ALT Router may be configured with a "static
       EID-prefix route" pointing to an ETR.

   3.  Edge connection to the ALT. If a site requires fine-grained
       control over how its EID-prefixes are advertised into the ALT, it
       may configure its ETR(s) with tunnel and BGP connections to edge
       ALT Routers.

3.1.2.  Mechanisms for an ITR to forward to EID-prefixes

   There are three ways that an ITR may send ALT Datagrams:

   1.  Through a Map Resolver as documented in [LISP-MS]. This is the
       common case and is expected to be used by the majority of ITRs.

   2.  Using a "default route". Where a Map Resolver is not available,
       an ITR may be configured with a static ALT Default Route pointing
       to an edge ALT Router.

   3.  Edge connection to the ALT. If a site requires fine-grained
       knowledge of what prefixes exist on the ALT, it may configure its
       ITR(s) with tunnel and BGP connections to edge ALT Routers.

3.1.3.  Map Server Model preferred

   The ALT-connected ITR and ETR cases are expected to be rare, as the
   Map Server/Map Resolver model is both simpler for an ITR/ETR operator
   to use, and provides a more general service interface to not only the
   ALT, but also to other mapping databases that may be developed in the
   future.

3.2.  Connectivity to non-LISP sites

   As stated above, EIDs used as IP addresses by LISP sites are not
   routable on the public Internet. This implies that, absent a
   mechanism for communication between LISP and non-LISP sites,
   connectivity between them is not possible. To resolve this problem,
   an "interworking" technology has been defined; see [LISP-IW] for
   details.

3.3.  Caveats on the use of Data Probes

   It is worth noting that there has been a great deal of discussion and
   controversy about whether Data Probes are a good idea.
   On the one
   hand, using them offers a method of avoiding the "first packet drop"
   problem when an ITR does not have a mapping for a particular
   EID-prefix. On the other hand, forwarding data packets on the ALT
   would require that it either be engineered to support relatively high
   traffic rates, which is not generally feasible for a tunneled
   network, or that it be carefully designed to aggressively rate-limit
   traffic to avoid congestion or DoS attacks. There may also be issues
   caused by different latency or other performance characteristics
   between the ALT path taken by an initial Data Probe and the
   "Internet" path taken by subsequent packets on the same flow once a
   mapping is in place on an ITR. For these reasons, the use of Data
   Probes is not recommended at this time; they should only be
   originated by an ITR when explicitly configured to do so and such
   configuration should only be enabled when performing experiments
   intended to test the viability of using Data Probes.

4.  LISP+ALT: Overview

   LISP+ALT is a hybrid push/pull architecture. Aggregated EID-prefixes
   are advertised among the ALT Routers and to those (rare) ITRs that
   are directly connected via a tunnel and BGP to the ALT. Specific
   EID-to-RLOC mappings are requested by an ITR (and returned by an ETR)
   using LISP when it sends a request either via a Map Resolver or to an
   edge ALT Router.

   The basic idea embodied in LISP+ALT is to use BGP, running on a
   tunneled overlay network (the ALT), to establish reachability between
   ALT Routers. The ALT BGP Route Information Base (RIB) is comprised
   of EID-prefixes and associated next hops. ALT Routers interconnect
   using BGP and propagate EID-prefix updates among themselves.
   EID-prefix information is learned from ETRs at the "edge" of the ALT
   either through the use of the Map Server interface (the common
   case), static configuration, or by BGP-speaking ETRs.

   Map Resolvers learn paths through the ALT to Map Servers for
   EID-prefixes. An ITR will normally use a Map Resolver to send its ALT
   Datagrams on to the ALT but may, in unusual cases (see
   Section 3.1.2), use a static ALT Default Route or connect to the ALT
   using BGP. Likewise, an ETR will normally register its prefixes in
   the mapping database using a Map Server but can sometimes (see
   Section 3.1.1) connect directly to the ALT using BGP. See [LISP-MS]
   for details on Map Servers and Map Resolvers.

   Note that while this document specifies the use of Generic Routing
   Encapsulation (GRE) as a tunneling mechanism, there is no reason that
   parts of the ALT cannot be built using other tunneling technologies,
   particularly in cases where GRE does not meet security, management,
   or other operational requirements. References to "GRE tunnel" in
   later sections of this document should therefore not be taken as
   prohibiting or precluding the use of other tunneling mechanisms.
   Note also that two ALT Routers that are directly adjacent (with no
   layer-3 router hops between them) need not use a tunnel between them;
   in this case, BGP may be configured across the interfaces that
   connect to their common subnet and that subnet is then considered to
   be part of the ALT topology. Use of techniques such as "eBGP
   multihop" to connect ALT Routers that do not share a tunnel or common
   subnet is not recommended as the non-ALT Routers in between the ALT
   Routers in such a configuration may not have information necessary to
   forward ALT Datagrams destined to EID-prefixes exchanged across that
   BGP session.

   In summary, LISP+ALT uses BGP to build paths through ALT Routers so
   that an ALT Datagram sent into the ALT can be forwarded to the ETR
   that holds the EID-to-RLOC mapping for that EID-prefix.
   This
   reachability is carried as IPv4 or IPv6 NLRI without modification
   (since an EID-prefix has the same syntax as IPv4 or IPv6 address
   prefix). ALT Routers establish BGP sessions with one another,
   forming the ALT. An ALT Router at the "edge" of the topology learns
   EID-prefixes originated by authoritative ETRs. Learning may be
   through the Map Server interface, by static configuration, or via BGP
   with the ETRs. An ALT Router may also be configured to aggregate
   EID-prefixes received from ETRs or from other LISP+ALT Routers that
   are topologically "downstream" from it.

4.1.  ITR traffic handling

   When an ITR receives a packet originated by an end system within its
   site (i.e. a host for which the ITR is the exit path out of the site)
   and the destination EID for that packet is not known in the ITR's
   mapping cache, the ITR creates either a Map-Request for the
   destination EID or the original packet encapsulated as a Data Probe
   (see Section 3.3 for caveats on the usability of Data Probes). The
   result, known as an ALT Datagram, is then sent to an ALT Router (see
   also [LISP-MS] for non-ALT-connected ITRs, noting that Data Probes
   cannot be sent to a Map-Resolver). This "first hop" ALT Router uses
   EID-prefix routing information learned from other ALT Routers via BGP
   to guide the packet to the ETR which "owns" the prefix. Upon receipt
   by the ETR, normal LISP processing occurs: the ETR responds to the
   ITR with a LISP Map-Reply that lists the RLOCs (and, thus, the ETRs
   to use) for the EID-prefix. For Data Probes, the ETR also
   decapsulates the packet and transmits it toward its destination.

   Upon receipt of the Map-Reply, the ITR installs the RLOC information
   for a given prefix into a local mapping database.
   With these mapping
   entries stored, additional packets destined to the given EID-prefix
   are routed directly to an RLOC without use of the ALT, until either
   the entry's TTL has expired, or the ITR can otherwise find no
   reachable ETR. Note that a current mapping may exist that contains
   no reachable RLOCs; this is known as a Negative Cache Entry and it
   indicates that packets destined to the EID-prefix are to be dropped.

   Full details on Map-Request/Map-Reply processing may be found in
   [LISP].

   Traffic routed on to the ALT consists solely of ALT Datagrams, i.e.
   Map-Requests and Data Probes (if supported). Given the relatively
   low performance expected of a tunneled topology, ALT Routers (and Map
   Resolvers) should aggressively rate-limit the ingress of ALT
   Datagrams from ITRs and, if possible, should be configured to not
   accept packets that are not ALT Datagrams.

4.2.  EID Assignment - Hierarchy and Topology

   The ALT database is organized in a hierarchical manner with
   EID-prefixes aggregated on power-of-2 block boundaries. Where a LISP
   site has multiple EID-prefixes that are aligned on a power-of-2 block
   boundary, they should be aggregated into a single EID-prefix for
   advertisement. The ALT network is built in a roughly hierarchical,
   partial mesh which is intended to allow aggregation where
   clearly-defined hierarchical boundaries exist. Building such a
   structure should minimize the number of EID-prefixes carried by
   LISP+ALT nodes near the top of the hierarchy.

   Routes on the ALT do not need to respond to changes in policy,
   subscription, or underlying physical connectivity, so the topology
   can remain relatively static and aggregation can be sustained.
   Because routing on the ALT uses BGP, the same rules apply for
   generating aggregates; in particular, an ALT Router should only be
   configured to generate an aggregate if it is configured with BGP
   sessions to all of the originators of components (more-specific
   prefixes) of that aggregate. Not all of the components need to be
   present for the aggregate to be originated (some may be holes in the
   covering prefix and some may be down) but the aggregating router must
   be configured to learn the state of all of the components.

   Under what circumstances the ALT Router actually generates the
   aggregate is a matter of local policy: in some cases, it will be
   statically configured to do so at all times with a "static discard"
   route. In other cases, it may be configured to only generate the
   aggregate prefix if at least one of the components of the aggregate
   is learned via BGP.

   An ALT Router must not generate an aggregate that includes a
   non-LISP-speaking hole unless it can be configured to return a
   Negative Map-Reply with action="Natively-Forward" (see [LISP]) if it
   receives an ALT Datagram that matches that hole. If it receives an
   ALT Datagram that matches a LISP-speaking hole that is currently not
   reachable, it should return a Negative Map-Reply with action="drop".
   Negative Map-Replies should be returned with a short TTL, as
   specified in [LISP-MS]. Note that an off-the-shelf,
   non-LISP-speaking router configured as an aggregating ALT Router
   cannot send Negative Map-Replies, so such a router must never
   originate an aggregate that includes a non-LISP-speaking hole.

   This implies that two ALT Routers that share an overlapping set of
   prefixes must exchange those prefixes if either is to generate and
   export a covering aggregate for those prefixes.
   It also implies that
   an ETR which connects to the ALT using BGP must maintain BGP sessions
   with all of the ALT Routers that are configured to originate an
   aggregate which covers that prefix and that each of those ALT Routers
   must be explicitly configured to know the set of EID-prefixes that
   make up any aggregate that it originates. See also [LISP-MS] for an
   example of other ways that prefix origin consistency and aggregation
   can be maintained.

   As an example, consider ETRs that are originating EID-prefixes for
   10.1.0.0/24, 10.1.64.0/24, 10.1.128.0/24, and 10.1.192.0/24. An ALT
   Router should only be configured to generate an aggregate for
   10.1.0.0/16 if it has BGP sessions configured with all of these ETRs,
   in other words, only if it has sufficient knowledge about the state
   of those prefixes to summarize them. If the Router originating
   10.1.0.0/16 receives an ALT Datagram destined for 10.1.77.88, a
   non-LISP destination covered by the aggregate, it returns a Negative
   Map-Reply with action "Natively-Forward". If it receives an ALT
   Datagram destined for 10.1.128.199 but the configured LISP prefix
   10.1.128.0/24 is unreachable, it returns a Negative Map-Reply with
   action "drop".

   Note: much is currently uncertain about the best way to build the ALT
   network; as testing and prototype deployment proceeds, a guide to how
   to best build the ALT network will be developed.

4.3.  Use of GRE and BGP between LISP+ALT Routers

   The ALT network is built using GRE tunnels between ALT Routers. BGP
   sessions are configured over those tunnels, with each ALT Router
   acting as a separate AS "hop" in a Path Vector for BGP. For the
   purposes of LISP+ALT, the AS-path is used solely as a shortest-path
   determination and loop-avoidance mechanism. Because all next-hops
   are on tunnel interfaces, no IGP is required to resolve those
   next-hops to exit interfaces.
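
   The 10.1.0.0/16 aggregation example from Section 4.2, worked as code.
   This is an added illustration, not part of the draft or of any LISP
   implementation; the class, the ETR names (etr-a to etr-d) and the
   returned tuples are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Component:
    """A more-specific EID-prefix and the ETR that originates it."""
    prefix: ipaddress.IPv4Network
    originator: str         # hypothetical ETR name
    reachable: bool = True  # component state learned over the BGP session


class AggregatingAltRouter:
    """Hypothetical model of an ALT Router configured with one aggregate."""

    def __init__(self, aggregate, components, bgp_sessions,
                 can_send_negative_map_reply=True):
        self.aggregate = ipaddress.ip_network(aggregate)
        self.components = list(components)
        self.bgp_sessions = set(bgp_sessions)  # ETRs with a configured session
        # False models an off-the-shelf, non-LISP-speaking router.
        self.can_send_negative_map_reply = can_send_negative_map_reply

    def has_non_lisp_holes(self):
        """True if some part of the aggregate is covered by no component."""
        inside = [c.prefix for c in self.components
                  if c.prefix.subnet_of(self.aggregate)]
        covered = sum(n.num_addresses
                      for n in ipaddress.collapse_addresses(inside))
        return covered < self.aggregate.num_addresses

    def may_originate_aggregate(self):
        """Check the two configuration rules; returns (allowed, reason)."""
        missing = {c.originator for c in self.components} - self.bgp_sessions
        if missing:
            return False, "no BGP session with " + ", ".join(sorted(missing))
        if self.has_non_lisp_holes() and not self.can_send_negative_map_reply:
            return False, "non-LISP hole but cannot send Negative Map-Reply"
        return True, "ok"

    def handle_alt_datagram(self, dest_eid):
        """Decide what to do with an ALT Datagram for dest_eid."""
        dest = ipaddress.ip_address(dest_eid)
        if dest not in self.aggregate:
            return ("not-covered", None)
        matches = [c for c in self.components if dest in c.prefix]
        if not matches:
            # Non-LISP-speaking hole inside the aggregate.
            return ("negative-map-reply", "Natively-Forward")
        best = max(matches, key=lambda c: c.prefix.prefixlen)
        if not best.reachable:
            # LISP-speaking prefix that is currently not reachable.
            return ("negative-map-reply", "drop")
        return ("forward", best.originator)


# Constructed sample data: the four /24s from the text, with
# 10.1.128.0/24 marked unreachable as in the second case described.
COMPONENTS = [
    Component(ipaddress.ip_network("10.1.0.0/24"), "etr-a"),
    Component(ipaddress.ip_network("10.1.64.0/24"), "etr-b"),
    Component(ipaddress.ip_network("10.1.128.0/24"), "etr-c", reachable=False),
    Component(ipaddress.ip_network("10.1.192.0/24"), "etr-d"),
]
ROUTER = AggregatingAltRouter(
    "10.1.0.0/16", COMPONENTS, {"etr-a", "etr-b", "etr-c", "etr-d"})

if __name__ == "__main__":
    print(ROUTER.may_originate_aggregate())
    for eid in ("10.1.64.5", "10.1.77.88", "10.1.128.199"):
        print(eid, ROUTER.handle_alt_datagram(eid))
```
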

   LISP+ALT's use of GRE and BGP facilitates deployment and operation of LISP because no new protocols need to be defined, implemented, or used on the overlay topology; existing BGP/GRE tools and operational expertise are also re-used. Tunnel address assignment is also easy: since the addresses on an ALT tunnel are only used by the pair of routers connected to the tunnel, the only requirement of the IP addresses used to establish that tunnel is that the attached routers be reachable by each other; any addressing plan, including private addressing, can therefore be used for ALT tunnels.

5.  EID-prefix Propagation and Map-Request Forwarding

   As described in Section 8.2, an ITR sends an ALT Datagram to a given EID-to-RLOC mapping. The ALT provides the infrastructure that allows these requests to reach the authoritative ETR.

   Note that under normal circumstances Map-Replies are not sent over the ALT; an ETR sends a Map-Reply to one of the ITR RLOCs learned from the original Map-Request. See sections 6.1.2 and 6.2 of [LISP] for more information on the use of the Map-Request ITR RLOC field. Keep in mind that the ITR RLOC field supports multiple RLOCs in multiple address families, so a Map-Reply sent in response to a Map-Request is not necessarily sent back to the Map-Request RLOC source.

   There may be scenarios, perhaps to encourage caching of EID-to-RLOC mappings by ALT Routers, where Map-Replies could be sent over the ALT or where a "first-hop" ALT Router might modify the originating RLOC on a Map-Request received from an ITR to force the Map-Reply to be returned to the "first-hop" ALT Router. These cases will not be supported by initial LISP+ALT implementations but may be subject to future experimentation.

   ALT Routers propagate path information via BGP ([RFC4271]) that is used by ITRs to send ALT Datagrams toward the appropriate ETR for each EID-prefix. BGP is run on the inter-ALT Router links, and possibly between an edge ("last hop") ALT Router and an ETR or between an edge ("first hop") ALT Router and an ITR. The ALT BGP RIB consists of aggregated EID-prefixes and their next hops toward the authoritative ETR for that EID-prefix.

5.1.  Changes to ITR behavior with LISP+ALT

   As previously described, an ITR will usually use the Map Resolver interface and will send its Map-Requests to a Map Resolver. When an ITR instead connects via tunnels and BGP to the ALT, it sends ALT Datagrams to one of its "upstream" ALT Routers; these are sent only to obtain new EID-to-RLOC mappings - RLOC probe and cache TTL refresh Map-Requests are not sent on the ALT. As in basic LISP, it should use one of its RLOCs as the source address of these queries; it should not use a tunnel interface as the source address as doing so will cause replies to be forwarded over the tunneled topology and may be problematic if the tunnel interface address is not routed throughout the ALT. If the ITR is running BGP with the LISP+ALT router(s), it selects the appropriate ALT Router based on the BGP information received. If it is not running BGP, it uses a statically-configured ALT Default Route to select an ALT Router.

5.2.  Changes to ETR behavior with LISP+ALT

   As previously described, an ETR will usually use the Map Server interface (see [LISP-MS]) and will register its EID-prefixes with its configured Map Servers. When an ETR instead connects using BGP to one or more ALT Routers, it announces its EID-prefix(es) to those ALT Routers.

   As documented in [LISP], when an ETR generates a Map-Reply message to return to a querying ITR, it sets the outer header IP destination address to one of the requesting ITR's RLOCs so that the Map-Reply will be sent on the underlying Internet topology, not on the ALT; this avoids any latency penalty (or "stretch") that might be incurred by sending the Map-Reply via the ALT, reduces load on the ALT, and ensures that the Map-Reply can be routed even if the original ITR does not have an ALT-routed EID. For details on how an ETR selects which ITR RLOC to use, see section 6.1.5 of [LISP].

5.3.  ALT Datagram forwarding failure

   Intermediate ALT Routers forward ALT Datagrams using normal, hop-by-hop routing on the ALT overlay network. Should an ALT Router not be able to forward an ALT Datagram, whether due to an unreachable next-hop, TTL exceeded, or other problem, it has several choices:

   o  If the ALT Router understands the LISP protocol, as is the case for a Map Resolver or Map Server, it may respond to a forwarding failure by returning a negative Map-Reply, as described in Section 4.2 and [LISP-MS].

   o  If the ALT Router does not understand LISP, it may attempt to return an ICMP message to the source IP address of the packet that cannot be forwarded. Since the source address is an RLOC, an ALT Router would send this ICMP message using "native" Internet connectivity, not via the ALT overlay.

   o  A non-LISP-capable ALT Router may also choose to silently drop the non-forwardable ALT Datagram.

   [LISP] and [LISP-MS] define how the source of an ALT Datagram should handle each of these cases. The last case, where an ALT Datagram is silently discarded, will generally result in several retransmissions by the source, followed by treating the destination as unreachable via LISP when no Map-Reply is received.
   If a problem on the ALT is severe enough to prevent ALT Datagrams from being delivered to a specific EID, this is probably the only sensible way to handle this case.

   Note that the use of GRE tunnels should prevent MTU problems from ever occurring on the ALT; an ALT Datagram that exceeds an intermediate MTU will be fragmented at that point and will be reassembled by the target of the GRE tunnel.

6.  BGP configuration and protocol considerations

6.1.  Autonomous System Numbers (ASNs) in LISP+ALT

   The primary use of BGP today is to define the global Internet routing topology in terms of its participants, known as Autonomous Systems. LISP+ALT specifies the use of BGP to create a global overlay network (the ALT) for finding EID-to-RLOC mappings. While related to the global routing database, the ALT serves a very different purpose and is organized into a very different hierarchy. Because LISP+ALT does use BGP, however, it uses ASNs in the paths that are propagated among ALT Routers. To avoid confusion, LISP+ALT should use newly-assigned AS numbers that are unrelated to the ASNs used by the global routing system. Exactly how this new space will be assigned and managed will be determined during the deployment of LISP+ALT.

   Note that the ALT Routers that make up the "core" of the ALT will not be associated with any existing core-Internet ASN because the ALT topology is completely separate from, and independent of, the global Internet routing system.

6.2.  Sub-Address Family Identifier (SAFI) for LISP+ALT

   As defined by this document, LISP+ALT may be implemented using BGP without modification.
   Given the fundamental operational difference between propagating global Internet routing information (the current dominant use of BGP) and creating an overlay network for finding EID-to-RLOC mappings (the use of BGP proposed by this document), it may be desirable to assign a new SAFI [RFC4760] to prevent operational confusion and difficulties, including the inadvertent leaking of information from one domain to the other. Use of a separate SAFI would make it easier to debug many operational problems but would come at a significant cost: unmodified, off-the-shelf routers which do not understand the new SAFI could not be used to build any part of the ALT network. At present, this document does not request the assignment of a new SAFI; additional experimentation may suggest the need for one in the future.

7.  EID-prefix Aggregation

   The ALT BGP peering topology should be arranged in a tree-like fashion (with some meshiness), with redundancy to deal with node and link failures. A basic assumption is that as long as the routers are up and running, the underlying Internet will provide alternative routes to maintain BGP connectivity among ALT Routers.

   Note that, as mentioned in Section 4.2, the use of BGP by LISP+ALT requires that information only be aggregated where all active more-specific prefixes of a generated aggregate prefix are known. This is no different than the way that BGP route aggregation works in the existing global routing system: a service provider only generates an aggregate route if it is configured to learn all prefixes that make up that aggregate.

7.1.  Stability of the ALT

   It is worth noting that LISP+ALT does not directly propagate EID-to-RLOC mappings. What it does is provide a mechanism for an ITR to communicate with the ETR that holds the mapping for a particular EID-prefix.
   This distinction is important when considering the stability of BGP on the ALT network as compared to the global routing system. It also has implications for how site-specific EID-prefix information may be used by LISP but not propagated by LISP+ALT (see Section 7.2 below).

   RLOC prefixes are not propagated through the ALT so their reachability is not determined through use of LISP+ALT. Instead, reachability of RLOCs is learned through the LISP ITR-ETR exchange. This means that link failures or other service disruptions that may cause the reachability of an RLOC to change are not known to the ALT. Changes to the presence of an EID-prefix on the ALT occur much less frequently: only at subscription time or in the event of a failure of the ALT infrastructure itself. This means that "flapping" (frequent BGP updates and withdrawals due to prefix state changes) is not likely and mapping information cannot become "stale" due to slow propagation through the ALT BGP mesh.

7.2.  Traffic engineering using LISP

   Since an ITR learns an EID-to-RLOC mapping directly from the ETR that owns it, it is possible to perform site-to-site traffic engineering by setting the preference and/or weight fields, and by including more-specific EID-to-RLOC information in Map-Reply messages.

   This is a powerful mechanism that can conceivably replace the traditional practice of routing prefix deaggregation for traffic engineering purposes. Rather than propagating more-specific information into the global routing system for local- or regional-optimization of traffic flows, such more-specific information can be exchanged, through LISP (not LISP+ALT), on an as-needed basis between only those ITRs/ETRs (and, thus, site pairs) that need it.
   Such an exchange of "more-specifics" between sites facilitates traffic engineering, by allowing richer and more fine-grained policies to be applied without advertising additional prefixes into either the ALT or the global routing system.

   Note that these new traffic engineering capabilities are an attribute of LISP and are not specific to LISP+ALT; discussion is included here because the BGP-based global routing system has traditionally used propagation of more-specific routes as a crude form of traffic engineering.

7.3.  Edge aggregation and dampening

   Normal BGP best common practices apply to the ALT network. In particular, first-hop ALT Routers will aggregate EID prefixes and dampen changes to them in the face of excessive updates. Since EID-prefix assignments are not expected to change as frequently as global routing BGP prefix reachability, such dampening should be very rare, and might be worthy of logging as an exceptional event. It is again worth noting that the ALT carries only EID-prefixes, used to construct a BGP path to each ETR (or Map-Server) that originates each prefix; the ALT does not carry reachability about RLOCs. In addition, EID-prefix information may be aggregated as the topology and address assignment hierarchy allow. Since the topology is all tunneled and can be modified as needed, reasonably good aggregation should be possible. In addition, since most ETRs are expected to connect to the ALT using the Map Server interface, Map Servers will implement a natural "edge" for the ALT where dampening and aggregation can be applied. For these reasons, the set of prefix information on the ALT can be expected to be both better aggregated and considerably less volatile than the actual EID-to-RLOC mappings.

7.4.  EID assignment flexibility vs. ALT scaling

   There are major open questions regarding how the ALT will be deployed and what organization(s) will operate it. In a simple, non-distributed world, centralized administration of EID prefix assignment and ALT network design would facilitate a well-aggregated ALT routing system. Business and other realities will likely result in a more complex, distributed system involving multiple levels of prefix delegation, multiple operators of parts of the ALT infrastructure, and a combination of competition and cooperation among the participants. In addition, re-use of existing IP address assignments, both provider-independent ("PI") and provider-assigned ("PA"), to avoid renumbering when sites transition to LISP will further complicate the processes of building and operating the ALT.

   A number of conflicting considerations need to be kept in mind when designing and building the ALT. Among them are:

   1.  Target ALT routing state size and level of aggregation. As described in Section 7.1, the ALT should not suffer from some of the performance constraints or stability issues of the Internet global routing system, so some reasonable level of deaggregation and increased number of EID prefixes beyond what might be considered ideal should be acceptable. That said, measures, such as tunnel rehoming to preserve aggregation when sites move from one mapping provider to another and implementing aggregation at multiple levels in the hierarchy to collapse de-aggregation at lower levels, should be taken to reduce unnecessary explosion of ALT routing state.

   2.  Number of operators of parts of the ALT and how they will be organized (hierarchical delegation vs. shared administration). This will determine not only how EID prefixes are assigned but also how tunnels are configured and how EID prefixes can be aggregated between different parts of the ALT.

   3.  Number of connections between different parts of the ALT. Trade-offs will need to be made among resilience, performance, and placement of aggregation boundaries.

   4.  EID prefix portability between competing operators of the ALT infrastructure. A significant benefit for an end-site to adopt LISP is the availability of EID space that is not tied to a specific connectivity provider; it is important to ensure that an end site doesn't trade lock-in to a connectivity provider for lock-in to a provider of its EID assignment, ALT connectivity, or Map Server facilities.

   This is, by no means, an exhaustive list.

   While resolving these issues is beyond the scope of this document, the authors recommend that existing distributed resource structures, such as the IANA/Regional Internet Registries and the ICANN/Domain Registrar, be carefully considered when designing and deploying the ALT infrastructure.

8.  Connecting sites to the ALT network

8.1.  ETRs originating information into the ALT

   EID-prefix information is originated into the ALT by three different mechanisms:

   Map Server:  In most cases, a site will configure its ETR(s) to register with one or more Map Servers (see [LISP-MS]), and does not participate directly in the ALT.

   BGP:  For a site requiring complex control over its EID-prefix origination into the ALT, an ETR may connect to the LISP+ALT overlay network by running BGP to one or more ALT Router(s) over tunnel(s). The ETR advertises reachability for its EID-prefixes over these BGP connection(s). The edge ALT Router(s) that receive(s) these prefixes then propagate(s) them into the ALT. Here the ETR is simply a BGP peer of ALT Router(s) at the edge of the ALT. Where possible, an ALT Router that receives EID-prefixes from an ETR via BGP should aggregate that information.

   Configuration:  One or more ALT Router(s) may be configured to originate an EID-prefix on behalf of the non-BGP-speaking ETR that is authoritative for a prefix. As in the case above, the ETR is connected to ALT Router(s) using GRE tunnel(s) but rather than BGP being used, the ALT Router(s) are configured with what are in effect "static routes" for the EID-prefixes "owned" by the ETR. The GRE tunnel is used to route Map-Requests to the ETR.

   Note: in all cases, an ETR may register to multiple Map Servers or connect to multiple ALT Routers for the following reasons:

   *  redundancy, so that a particular ETR is still reachable even if one path or tunnel is unavailable.

   *  to connect to different parts of the ALT hierarchy if the ETR "owns" multiple EID-to-RLOC mappings for EID-prefixes that cannot be aggregated by the same ALT Router (i.e. are not topologically "close" to each other in the ALT).

8.2.  ITRs Using the ALT

   In the common configuration, an ITR does not need to know anything about the ALT, since it sends Map-Requests to one of its configured Map-Resolvers (see [LISP-MS]). There are two exceptional cases:

   Static default:  If a Map Resolver is not available but an ITR is adjacent to an ALT Router (either over a common subnet or through the use of a tunnel), it can use an ALT Default Route to cause all ALT Datagrams to be sent to that ALT Router. This case is expected to be rare.

   Connection to ALT:  A site with complex Internet connectivity needs may need more fine-grained distinction between traffic to LISP-capable and non-LISP-capable sites. Such a site may configure each of its ITRs to connect directly to the ALT, using a tunnel and BGP connection. In this case, the ITR will receive EID-prefix routes from its BGP connection to the ALT Router and will LISP-encapsulate and send ALT Datagrams through the tunnel to the ALT Router.
      Traffic to other destinations may be forwarded (without LISP encapsulation) to non-LISP next-hop routers that the ITR knows.

      In general, an ITR that connects to the ALT does so only to ALT Routers at the "edge" of the ALT (typically two for redundancy). There may, though, be situations where an ITR would connect to other ALT Routers to receive additional, shorter path information about a portion of the ALT of interest to it. This can be accomplished by establishing GRE tunnels between the ITR and the set of ALT Routers with the additional information. This is a purely local policy issue between the ITR and the ALT Routers in question.

   As described in [LISP-MS], Map-Resolvers do not accept or forward Data Probes; in the rare scenario that an ITR does support and originate Data Probes, it must do so using one of the exceptional configurations described above. Note that the use of Data Probes is discouraged at this time (see Section 3.3).

9.  IANA Considerations

   This document makes no request of the IANA.

10.  Security Considerations

   LISP+ALT shares many of the security characteristics of BGP. Its security mechanisms are comprised of existing technologies in wide operational use today, so securing the ALT should be mostly a matter of applying the same technology that is used to secure the BGP-based global routing system (see Section 10.3 below).

10.1.  Apparent LISP+ALT Vulnerabilities

   This section briefly lists the known potential vulnerabilities of LISP+ALT.

   Mapping Integrity:  Potential for an attacker to insert bogus mappings to black-hole (create Denial-of-Service, or DoS attack) or intercept LISP data-plane packets.

   ALT Router Availability:  Can an attacker DoS the ALT Routers connected to a given ETR? If a site's ETR cannot advertise its EID-to-RLOC mappings, the site is essentially unavailable.

   ITR Mapping/Resources:  Can an attacker force an ITR or ALT Router to drop legitimate mapping requests by flooding it with random destinations for which it will generate large numbers of Map-Requests and fill its mapping cache? Further study is required to see the impact of admission control on the overlay network.

   EID Map-Request Exploits for Reconnaissance:  Can an attacker learn about a LISP site's TE policy by sending legitimate mapping requests and then observing the RLOC mapping replies? Is this information useful in attacking or subverting peer relationships? Note that any public LISP mapping database will have a similar data-plane reconnaissance issue.

   Scaling of ALT Router Resources:  Paths through the ALT may be of lesser bandwidth than more "direct" paths; this may make them more prone to high-volume denial-of-service attacks. For this reason, all components of the ALT (ETRs and ALT Routers) should be prepared to rate-limit traffic (ALT Datagrams) that could be received across the ALT.

   UDP Map-Reply from ETR:  Since Map-Replies are sent directly from the ETR to the ITR's RLOC, the ITR's RLOC may be vulnerable to various types of DoS attacks (this is a general property of LISP, not a LISP+ALT vulnerability).

   More-specific prefix leakage:  Because EID-prefixes on the ALT are expected to be fairly well-aggregated and EID-prefixes propagated out to the global Internet (see [LISP-IW]) much more so, accidental leaking or malicious advertisement of an EID-prefix into the global routing system could cause traffic redirection away from a LISP site. This is not really a new problem, though, and its solution can only be achieved by much more strict prefix filtering and authentication on the global routing system. Section 10.3 describes an existing approach to solving this problem.

10.2.  Survey of LISP+ALT Security Mechanisms

   Explicit peering:  The devices themselves can both prioritize incoming packets, as well as potentially do key checks in hardware to protect the control plane.

   Use of TCP to connect elements:  This makes it difficult for third parties to inject packets.

   Use of HMAC to protect BGP/TCP connections:  HMAC [RFC5925] is used to verify the integrity and authenticity of TCP connections used to exchange BGP messages, making it nearly impossible for third party devices to either insert or modify messages.

   Message sequence numbers and nonce values in messages:  This allows an ITR to verify that the Map-Reply from an ETR is in response to a Map-Request originated by that ITR (this is a general property of LISP; LISP+ALT does not change this behavior).

10.3.  Use of new IETF standard BGP Security mechanisms

   LISP+ALT's use of BGP allows it to take advantage of BGP security features designed for existing Internet BGP use. This means that LISP+ALT can and should use technology developed for adding security to BGP (in the IETF SIDR working group or elsewhere) to provide authentication of EID-prefix origination and EID-to-RLOC mappings.

11.  Acknowledgments

   The authors would like to specially thank J. Noel Chiappa who was a key contributor to the design of the LISP-CONS mapping database (many ideas from which made their way into LISP+ALT) and who has continued to provide invaluable insight as the LISP effort has evolved. Others who have provided valuable contributions include John Zwiebel, Hannu Flinck, Amit Jain, John Scudder, Scott Brim, and Jari Arkko.

12.  References

12.1.  Normative References

   [LISP]     Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "Locator/ID Separation Protocol (LISP)", draft-ietf-lisp-15.txt (work in progress), July 2011.

   [LISP-MS]  Fuller, V. and D. Farinacci, "LISP Map Server", draft-ietf-lisp-ms-12.txt (work in progress), October 2011.

   [RFC2784]  Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, March 2000.

   [RFC4271]  Rekhter, Y., Li, T., and S. Hares, "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006.

   [RFC4632]  Fuller, V. and T. Li, "Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan", BCP 122, RFC 4632, August 2006.

   [RFC4760]  Bates, T., Chandra, R., Katz, D., and Y. Rekhter, "Multiprotocol Extensions for BGP-4", RFC 4760, January 2007.

12.2.  Informative References

   [LISP-IW]  Lewis, D., Meyer, D., Farinacci, D., and V. Fuller, "Interworking LISP with IPv4 and IPv6", draft-ietf-lisp-interworking-02.txt (work in progress), March 2011.

   [RFC5925]  Touch, J., Mankin, A., and R. Bonica, "The TCP Authentication Option", RFC 5925, June 2010.

Authors' Addresses

   Vince Fuller
   Cisco
   Tasman Drive
   San Jose, CA 95134
   USA

   Email: vaf@cisco.com

   Dino Farinacci
   Cisco
   Tasman Drive
   San Jose, CA 95134
   USA

   Email: dino@cisco.com

   Dave Meyer
   Cisco
   Tasman Drive
   San Jose, CA 95134
   USA

   Email: dmm@cisco.com

   Darrel Lewis
   Cisco
   Tasman Drive
   San Jose, CA 95134
   USA

   Email: darlewis@cisco.com