ROLL                                                      R. Jadhav, Ed.
Internet-Draft                                                    Huawei
Intended status: Standards Track                              P. Thubert
Expires: January 1, 2020                                           Cisco
                                                                R. Sahoo
                                                                  Z. Cao
                                                                  Huawei
                                                           June 30, 2019

                      Efficient Route Invalidation
                   draft-ietf-roll-efficient-npdao-13

Abstract

   This document explains the problems associated with the current use
   of NPDAO messaging and also discusses the requirements for an
   optimized route invalidation messaging scheme.
   Further, a new proactive route invalidation message called
   "Destination Cleanup Object" (DCO) is specified, which fulfills the
   requirements of optimized route invalidation messaging.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 1, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction
      1.1. Requirements Language and Terminology
      1.2. Current NPDAO messaging
      1.3. Why Is NPDAO Important?
   2. Problems with current NPDAO messaging
      2.1. Lost NPDAO due to link break to the previous parent
      2.2. Invalidate Routes of Dependent Nodes
      2.3. Possible route downtime caused by asynchronous operation
           of NPDAO and DAO
   3. Requirements for the NPDAO Optimization
      3.1. Req#1: Remove messaging dependency on link to the
           previous parent
      3.2. Req#2: Dependent nodes route invalidation on parent
           switching
      3.3. Req#3: Route invalidation should not impact data traffic
   4. Changes to RPL signaling
      4.1. Change in RPL route invalidation semantics
      4.2. Transit Information Option changes
      4.3. Destination Cleanup Object (DCO)
         4.3.1. Secure DCO
         4.3.2. DCO Options
         4.3.3. Path Sequence number in the DCO
         4.3.4. Destination Cleanup Option Acknowledgment (DCO-ACK)
         4.3.5. Secure DCO-ACK
      4.4. DCO Base Rules
      4.5. Unsolicited DCO
      4.6. Other considerations
         4.6.1. Dependent Nodes invalidation
         4.6.2. NPDAO and DCO in the same network
         4.6.3. DCO with multiple preferred parents
   5. Acknowledgments
   6. IANA Considerations
      6.1. New Registry for the Destination Cleanup Object (DCO)
           Flags
      6.2. New Registry for the Destination Cleanup Object
           Acknowledgment (DCO-ACK) Status field
      6.3. New Registry for the Destination Cleanup Object (DCO)
           Acknowledgment Flags
   7. Security Considerations
   8. Normative References
   Appendix A. Example Messaging
      A.1. Example DCO Messaging
      A.2. Example DCO Messaging with multiple preferred parents
   Authors' Addresses

1. Introduction

   RPL [RFC6550] (Routing Protocol for Low power and lossy networks)
   specifies a proactive distance-vector based routing scheme. RPL has
   optional messaging in the form of DAO (Destination Advertisement
   Object) messages, which the 6LBR (6Lo Border Router) and 6LR (6Lo
   Router) can use to learn a route towards the downstream nodes. In
   storing mode, DAO messages would result in routing entries being
   created on all intermediate 6LRs from the node's parent all the way
   towards the 6LBR.

   RPL allows the use of No-Path DAO (NPDAO) messaging to invalidate a
   routing path corresponding to the given target, thus releasing
   resources utilized on that path. An NPDAO is a DAO message with a
   route lifetime of zero; it originates at the target node and always
   flows upstream towards the 6LBR. This document explains the problems
   associated with the current use of NPDAO messaging and also discusses
   the requirements for an optimized route invalidation messaging
   scheme. Further, a new proactive route invalidation message called
   "Destination Cleanup Object" (DCO) is specified, which fulfills the
   requirements of optimized route invalidation messaging.

   The document only caters to the RPL's storing mode of operation
   (MOP). The non-storing MOP does not require use of NPDAO for route
   invalidation since routing entries are not maintained on 6LRs.

1.1. Requirements Language and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This specification requires readers to be familiar with all the terms
   and concepts that are discussed in "RPL: IPv6 Routing Protocol for
   Low-Power and Lossy Networks" [RFC6550].

   Low Power and Lossy Networks (LLN):
      Network in which both the routers and their interconnect are
      constrained. LLN routers typically operate with constraints on
      processing power, memory, and energy (battery power). Their
      interconnects are characterized by high loss rates, low data
      rates, and instability.
   6LoWPAN Router (6LR):
      An intermediate router that is able to send and receive Router
      Advertisements (RAs) and Router Solicitations (RSs) as well as
      forward and route IPv6 packets.
   Directed Acyclic Graph (DAG):
      A directed graph having the property that all edges are oriented
      in such a way that no cycles exist.
   Destination-Oriented DAG (DODAG):
      A DAG rooted at a single destination, i.e., at a single DAG root
      with no outgoing edges.
   6LoWPAN Border Router (6LBR):
      A border router which is a DODAG root and is the edge node for
      traffic flowing in and out of the 6LoWPAN network.
   Destination Advertisement Object (DAO):
      DAO messaging allows downstream routes to the nodes to be
      established.
   DODAG Information Object (DIO):
      DIO messaging allows upstream routes to the 6LBR to be
      established. DIO messaging is initiated at the DAO root.
   Common Ancestor node:
      6LR/6LBR node which is the first common node between two paths of
      a target node.
   No-Path DAO (NPDAO):
      A DAO message which has target with lifetime 0 used for the
      purpose of route invalidation.
   Destination Cleanup Object (DCO):
      A new RPL control message code defined by this document. DCO
      messaging improves proactive route invalidation in RPL.
   Regular DAO:
      A DAO message with non-zero lifetime. Routing adjacencies are
      created or updated based on this message.
   Target node:
      The node switching its parent whose routing adjacencies are
      updated (created/removed).

1.2. Current NPDAO messaging

   RPL uses NPDAO messaging in the storing mode so that the node
   changing its routing adjacencies can invalidate the previous route.
   This is needed so that nodes along the previous path can release any
   resources (such as the routing entry) they maintain on behalf of
   the target node.

   For the rest of this document consider the following topology:

                              (6LBR)
                                |
                                |
                                |
                               (A)
                               / \
                              /   \
                             /     \
                           (G)     (H)
                            |       |
                            |       |
                            |       |
                           (B)     (C)
                             \      ;
                              \    ;
                               \  ;
                                (D)
                                / \
                               /   \
                              /     \
                            (E)     (F)

                       Figure 1: Sample topology

   Node (D) is connected via preferred parent (B). (D) has an alternate
   path via (C) towards the 6LBR. Node (A) is the common ancestor for
   (D) for paths through (B)-(G) and (C)-(H). When (D) switches from
   (B) to (C), RPL allows sending NPDAO to (B) and regular DAO to (C).

1.3. Why Is NPDAO Important?

   Nodes in LLNs may be resource constrained. There is limited memory
   available and routing entry records are one of the primary elements
   occupying dynamic memory in the nodes. Route invalidation helps 6LR
   nodes to decide which entries could be discarded to better optimize
   resource utilization. Thus it becomes necessary to have an efficient
   route invalidation mechanism. Also note that a single parent switch
   may result in a "sub-tree" switching from one parent to another.
   Thus the route invalidation needs to be done on behalf of the
   sub-tree and not the switching node alone. In the above example, when
   Node (D) switches parent, the route updates need to be done for the
   routing table entries of (C), (H), (A), (G), and (B) with destination
   (D), (E), and (F). Without efficient route invalidation, a 6LR may
   have to hold a lot of stale route entries.

2. Problems with current NPDAO messaging

2.1. Lost NPDAO due to link break to the previous parent

   When a node switches its parent, the NPDAO is to be sent to its
   previous parent and a regular DAO to its new parent. In cases where
   the node switches its parent because of transient or permanent parent
   link/node failure, the NPDAO message is bound to fail.

2.2. Invalidate Routes of Dependent Nodes

   RPL does not specify how route invalidation will work for dependent
   nodes rooted at the switching node, resulting in stale routing
   entries of the dependent nodes. The only way for 6LR to invalidate
   the route entries for dependent nodes would be to use route lifetime
   expiry which could be substantially high for LLNs.

   In the example topology, when Node (D) switches its parent, Node (D)
   generates an NPDAO on its behalf. There is no NPDAO generated by the
   dependent child nodes (E) and (F), through the previous path via (D)
   to (B) and (G), resulting in stale entries on nodes (B) and (G) for
   nodes (E) and (F).

2.3. Possible route downtime caused by asynchronous operation of NPDAO
     and DAO

   A switching node may generate both an NPDAO and DAO via two different
   paths at almost the same time. There is a possibility that an NPDAO
   generated may invalidate the previous route and the regular DAO sent
   via the new path gets lost on the way. This may result in route
   downtime impacting downward traffic for the switching node.

   In the example topology, consider Node (D) switches from parent (B)
   to (C). An NPDAO sent via the previous route may invalidate the
   previous route whereas there is no way to determine whether the new
   DAO has successfully updated the route entries on the new path.

3. Requirements for the NPDAO Optimization

3.1. Req#1: Remove messaging dependency on link to the previous parent

   When the switching node sends the NPDAO message to the previous
   parent, it is normal that the link to the previous parent is prone to
   failure (that's why the node decided to switch). Therefore, it is
   required that the route invalidation does not depend on the previous
   link which is prone to failure. The previous link referred to here
   represents the link between the node and its previous parent (from
   whom the node is now disassociating).

3.2. Req#2: Dependent nodes route invalidation on parent switching

   It should be possible to do route invalidation for dependent nodes
   rooted at the switching node.

3.3. Req#3: Route invalidation should not impact data traffic

   While sending the NPDAO and DAO messages, it is possible that the
   NPDAO successfully invalidates the previous path, while the newly
   sent DAO gets lost (new path not set up successfully). This will
   result in downstream unreachability to the node switching paths.
   Therefore, it is desirable that the route invalidation is
   synchronized with the DAO to avoid the risk of route downtime.

4. Changes to RPL signaling

4.1. Change in RPL route invalidation semantics

   As described in Section 1.2, the NPDAO originates at the node
   changing to a new parent and traverses upstream towards the root.
   In order to solve the problems as mentioned in Section 2, the
   document adds a new proactive route invalidation message called
   "Destination Cleanup Object" (DCO) that originates at a common
   ancestor node and flows downstream between the new and old path. The
   common ancestor node generates a DCO in response to the change in the
   next-hop on receiving a regular DAO with updated Path Sequence for
   the target.

   The 6LRs in the path for DCO take action such as route invalidation
   based on the DCO information and subsequently send another DCO with
   the same information downstream to the next hop. This operation is
   similar to how the DAOs are handled on intermediate 6LRs in storing
   MOP in [RFC6550]. Just like DAO in storing MOP, the DCO is sent
   using link-local unicast source and destination IPv6 address. Unlike
   DAO, which always travels upstream, the DCO always travels
   downstream.

   In Figure 1, when node D decides to switch the path from B to C, it
   sends a regular DAO to node C with reachability information
   containing the address of D as the target and an incremented Path
   Sequence. Node C will update the routing table based on the
   reachability information in the DAO and in turn generate another DAO
   with the same reachability information and forward it to H. Node H
   also follows the same procedure as Node C and forwards it to node A.
   When node A receives the regular DAO, it finds that it already has a
   routing table entry on behalf of the target address of node D. It
   finds however that the next hop information for reaching node D has
   changed, i.e., node D has decided to change the paths. In this case,
   Node A which is the common ancestor node for node D along the two
   paths (previous and new), should generate a DCO which traverses
   downwards in the network. Node A handles normal DAO forwarding to
   6LBR as required by [RFC6550].

4.2. Transit Information Option changes

   Every RPL message is divided into base message fields and additional
   Options as described in Section 6 of [RFC6550]. The base fields
   apply to the message as a whole and options are appended to add
   message/use-case specific attributes. As an example, a DAO message
   may be attributed by one or more "RPL Target" options which specify
   the reachability information for the given targets. Similarly, a
   Transit Information option may be associated with a set of RPL Target
   options.

   This document specifies a change in the Transit Information Option to
   contain the "Invalidate previous route" (I) flag. This I-flag
   signals the common ancestor node to generate a DCO on behalf of the
   target node. The I-flag is carried in the Transit Information Option
   which augments the reachability information for a given set of RPL
   Target(s). Transit Information Option with I-flag set should be
   carried in the DAO message when route invalidation is sought for the
   corresponding target(s).

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x06 | Option Length |E|I|  Flags    | Path Control  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Path Sequence | Path Lifetime |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

     Figure 2: Updated Transit Information Option (New I flag added)

   I (Invalidate previous route) flag: The 'I' flag is set by the target
   node to indicate to the common ancestor node that it wishes to
   invalidate any previous route between the two paths.

   [RFC6550] allows the parent address to be sent in the Transit
   Information Option depending on the mode of operation. In case of
   storing mode of operation the field is usually not needed. In case
   of DCO, the parent address field MUST NOT be included.

   The common ancestor node SHOULD generate a DCO message in response to
   this I-flag when it sees that the routing adjacencies have changed
   for the target. The I-flag is intended to give the target node
   control over its own route invalidation, serving as a signal to
   request DCO generation.

4.3. Destination Cleanup Object (DCO)

   A new ICMPv6 RPL control message code is defined by this
   specification and is referred to as "Destination Cleanup Object"
   (DCO), which is used for proactive cleanup of state and routing
   information held on behalf of the target node by 6LRs. The DCO
   message always traverses downstream and cleans up route information
   and other state information associated with the given target.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | RPLInstanceID |K|D|   Flags   |   Reserved    | DCOSequence   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                       DODAGID(optional)                       +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Option(s)...
   +-+-+-+-+-+-+-+-+

                      Figure 3: DCO base object

   RPLInstanceID: 8-bit field indicating the topology instance
   associated with the DODAG, as learned from the DIO.

   K: The 'K' flag indicates that the recipient of DCO message is
   expected to send a DCO-ACK back. If the DCO-ACK is not received even
   after setting the 'K' flag, an implementation may retry the DCO at a
   later time. The number of retries is implementation and deployment
   dependent and is expected to be kept similar to that used in DAO
   retries in [RFC6550]. A node receiving a DCO message without the 'K'
   flag set MAY respond with a DCO-ACK, especially to report an error
   condition.
   An example error condition could be that the node sending
   the DCO-ACK does not find the routing entry for the indicated target.
   When the sender does not set the 'K' flag it is an indication that
   the sender does not expect a response, and the sender SHOULD NOT
   retry the DCO.

   D: The 'D' flag indicates that the DODAGID field is present. This
   flag MUST be set when a local RPLInstanceID is used.

   Flags: The 6 bits remaining unused in the Flags field are reserved
   for future use. These bits MUST be initialized to zero by the sender
   and MUST be ignored by the receiver.

   Reserved: 8-bit unused field. The field MUST be initialized to zero
   by the sender and MUST be ignored by the receiver.

   DCOSequence: 8-bit field incremented at each unique DCO message from
   a node and echoed in the DCO-ACK message. The initial DCOSequence
   can be chosen randomly by the node. Section 4.4 explains the
   handling of the DCOSequence.

   DODAGID (optional): 128-bit unsigned integer set by a DODAG root that
   uniquely identifies a DODAG. This field MUST be present when the 'D'
   flag is set and MUST NOT be present if 'D' flag is not set. DODAGID
   is used when a local RPLInstanceID is in use, in order to identify
   the DODAGID that is associated with the RPLInstanceID.

4.3.1. Secure DCO

   A Secure DCO message follows the format in [RFC6550] Figure 7, where
   the base message format is the DCO message shown in Figure 3.

4.3.2. DCO Options

   The DCO message MUST carry at least one RPL Target and the Transit
   Information Option and MAY carry other valid options. This
   specification allows for the DCO message to carry the following
   options:

      0x00 Pad1
      0x01 PadN
      0x05 RPL Target
      0x06 Transit Information
      0x09 RPL Target Descriptor

   Section 6.7 of [RFC6550] defines all the above mentioned options.
   The DCO carries an RPL Target Option and an associated Transit
   Information Option with a lifetime of 0x00000000 to indicate a loss
   of reachability to that Target.

4.3.3. Path Sequence number in the DCO

   A DCO message may contain a Path Sequence in the Transit Information
   Option to identify the freshness of the DCO message. The Path
   Sequence in the DCO MUST use the same Path Sequence number present in
   the regular DAO message when the DCO is generated in response to a
   DAO message. Thus if a DCO is received by a 6LR and subsequently a
   DAO is received with an old sequence number, then the DAO MUST be
   ignored. When the DCO is generated in response to a DCO from
   upstream parent, the Path Sequence MUST be copied from the received
   DCO.

4.3.4. Destination Cleanup Option Acknowledgment (DCO-ACK)

   The DCO-ACK message SHOULD be sent as a unicast packet by a DCO
   recipient in response to a unicast DCO message with 'K' flag set. If
   'K' flag is not set then the receiver of the DCO message MAY send a
   DCO-ACK, especially to report an error condition.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | RPLInstanceID |D|   Flags     |  DCOSequence  |    Status     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                       DODAGID(optional)                       +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                    Figure 4: DCO-ACK base object

   RPLInstanceID: 8-bit field indicating the topology instance
   associated with the DODAG, as learned from the DIO.

   D: The 'D' flag indicates that the DODAGID field is present. This
   flag MUST be set when a local RPLInstanceID is used.

   Flags: 7-bit unused field. The field MUST be initialized to zero by
   the sender and MUST be ignored by the receiver.

   DCOSequence: 8-bit field.
   The DCOSequence in DCO-ACK is copied from
   the DCOSequence received in the DCO message.

   Status: Indicates the completion. Status 0 is defined as unqualified
   acceptance in this specification. Status 1 is defined as "No
   routing-entry for the Target found". The remaining status values are
   reserved as rejection codes.

   DODAGID (optional): 128-bit unsigned integer set by a DODAG root that
   uniquely identifies a DODAG. This field MUST be present when the 'D'
   flag is set and MUST NOT be present when 'D' flag is not set.

   DODAGID is used when a local RPLInstanceID is in use, in order to
   identify the DODAGID that is associated with the RPLInstanceID.

4.3.5. Secure DCO-ACK

   A Secure DCO-ACK message follows the format in [RFC6550] Figure 7,
   where the base message format is the DCO-ACK message shown in
   Figure 4.

4.4. DCO Base Rules

   1.  If a node sends a DCO message with newer or different information
       than the prior DCO message transmission, it MUST increment the
       DCOSequence field by at least one. A DCO message transmission
       that is identical to the prior DCO message transmission MAY
       increment the DCOSequence field. The DCOSequence counter follows
       the sequence counter operation as defined in Section 7.2 of
       [RFC6550].
   2.  The RPLInstanceID and DODAGID fields of a DCO message MUST be the
       same value as that of the DAO message in response to which the
       DCO is generated on the common ancestor node.
   3.  A node MAY set the 'K' flag in a unicast DCO message to solicit a
       unicast DCO-ACK in response in order to confirm the attempt.
   4.  A node receiving a unicast DCO message with the 'K' flag set
       SHOULD respond with a DCO-ACK. A node receiving a DCO message
       without the 'K' flag set MAY respond with a DCO-ACK, especially
       to report an error condition.
   5.  A node receiving a unicast DCO message MUST verify the stored
       Path Sequence in context to the given target.
       If the stored Path Sequence is more fresh, newer than the Path
       Sequence received in the DCO, then the DCO MUST be dropped.
   6.  A node that sets the 'K' flag in a unicast DCO message but does
       not receive DCO-ACK in response MAY reschedule the DCO message
       transmission for another attempt, up until an implementation
       specific number of retries.
   7.  A node receiving a unicast DCO message with its own address in
       the RPL Target Option MUST strip-off that Target Option. If this
       Target Option is the only one in the DCO message then the DCO
       message MUST be dropped.

   The scope of DCOSequence values is unique to the node which generates
   it.

4.5. Unsolicited DCO

   A 6LR may generate an unsolicited DCO to unilaterally clean up the
   path on behalf of the target entry. The 6LR has all the state
   information, namely, the Target address and the Path Sequence,
   required for generating DCO in its routing table. The conditions why
   6LR may generate an unsolicited DCO are beyond the scope of this
   document but some possible reasons could be:

   1.  On route expiry of an entry, a 6LR may decide to graciously
       clean up the entry by initiating DCO.
   2.  6LR needs to entertain higher priority entries in case the
       routing table is full, thus resulting in eviction of an existing
       routing entry. In this case the eviction can be handled
       graciously using DCO.

   Note that if the 6LR initiates a unilateral path cleanup using DCO
   and if it has the latest state for the target then the DCO would
   finally reach the target node. Thus the target node would be
   informed of its invalidation.

4.6. Other considerations

4.6.1. Dependent Nodes invalidation

   Current RPL [RFC6550] does not provide a mechanism for route
   invalidation for dependent nodes. This document allows the dependent
   nodes invalidation.
   Dependent nodes will generate their respective
   DAOs to update their paths, and the previous route invalidation for
   those nodes should work in the similar manner described for switching
   node. The dependent node may set the I-flag in the Transit
   Information Option as part of regular DAO so as to request
   invalidation of previous route from the common ancestor node.

   Dependent nodes do not have any indication regarding if any of their
   parents in turn have decided to switch their parent. Thus for route
   invalidation the dependent nodes may choose to always set the 'I'
   flag in all its DAO message's Transit Information Option. Note that
   setting the I-flag is not counterproductive even if there is no
   previous route to be invalidated.

4.6.2. NPDAO and DCO in the same network

   The current NPDAO mechanism in [RFC6550] can still be used in the
   same network where DCO is used. The NPDAO messaging can be used, for
   example, on route lifetime expiry of the target or when the node
   simply decides to gracefully terminate the RPL session on graceful
   node shutdown. Moreover, a deployment can have a mix of nodes
   supporting the DCO and the existing NPDAO mechanism. It is also
   possible that the same node supports both the NPDAO and DCO signaling
   for route invalidation.

   Section 9.8 of [RFC6550] states, "When a node removes a node from its
   DAO parent set, it SHOULD send a No-Path DAO message to that removed
   DAO parent to invalidate the existing router". This document
   introduces an alternative and more optimized way of route
   invalidation but it also allows existing NPDAO messaging to work.
   Thus an implementation has two choices to make when a route
   invalidation is to be initiated:

   1.  Use NPDAO to invalidate the previous route and send regular DAO
       on the new path.
   2.  Send regular DAO on the new path with the 'I' flag set in the
       Transit Information Option such that the common ancestor node
       initiates the DCO message downstream to invalidate the previous
       route.

   This document recommends using option 2 for reasons specified in
   Section 3 in this document.

4.6.3. DCO with multiple preferred parents

   [RFC6550] allows a node to select multiple preferred parents for
   route establishment. Section 9.2.1 of [RFC6550] specifies, "All DAOs
   generated at the same time for the same Target MUST be sent with the
   same Path Sequence in the Transit Information". Subsequently when
   route invalidation has to be initiated, RPL mentions use of NPDAO
   which can be initiated with an updated Path Sequence to all the
   parent nodes through which the route is to be invalidated.

   With DCO, the Target node itself does not initiate the route
   invalidation and it is left to the common ancestor node. When a
   common ancestor node discovers an updated DAO from a new next-hop,
   it initiates a DCO. With multiple preferred parents, this handling
   does not change. But in this case it is recommended that an
   implementation initiates a DCO after a time period (DelayDCO) such
   that the common ancestor node may receive updated DAOs from all
   possible next-hops. This will help to reduce DCO control overhead,
   i.e., the common ancestor can wait for updated DAOs from all possible
   directions before initiating a DCO for route invalidation. After
   timeout, the DCO needs to be generated for all the next-hops for whom
   the route invalidation needs to be done.

   This document recommends using a DelayDCO timer value of 1sec. This
   value is inspired by the default DelayDAO value of 1sec in [RFC6550].
   Here the hypothesis is that the DAOs from all possible parent sets
   would be received on the common ancestor within this time period.
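
   The common-ancestor behaviour from Sections 4.1 and 4.6.3, as an
   added example that is not part of the draft or of any RPL
   implementation: a changed next hop in an I-flagged DAO opens a
   DelayDCO window, and on expiry a DCO (Figure 3 layout, Path Lifetime
   0, Path Sequence copied from the DAO) is built for each next hop
   that was not refreshed. Assumptions: the class and function names,
   the next-hop labels, the 2001:db8::d target address, DAOs modelled
   as already-parsed fields, a simplified form of the RFC 6550 Section
   7.2 counter comparison, and omission of the ICMPv6 header because
   the DCO code is still TBD1.

```python
import ipaddress
import struct

OPT_RPL_TARGET, OPT_TRANSIT_INFO = 0x05, 0x06  # option types, Section 4.3.2
DCO_FLAG_K = 0x80      # DCO flags bit 0 (bit 0 is the most significant bit)
DELAY_DCO = 1.0        # seconds, value recommended in Section 4.6.3
SEQUENCE_WINDOW = 16   # default window for RPL sequence counters (RFC 6550)


def seq_newer(a, b):
    """True if counter a is newer than b; simplified RFC 6550 Section 7.2."""
    if a > 127 and b <= 127:                 # a in linear region, b circular
        return (256 + b - a) > SEQUENCE_WINDOW
    if a <= 127 and b > 127:                 # a circular, b linear
        return (256 + a - b) <= SEQUENCE_WINDOW
    modulus = 128 if a <= 127 else 256       # assumption: wrap within a region
    return 0 < (a - b) % modulus <= SEQUENCE_WINDOW


def build_dco(instance_id, dco_seq, target, path_seq, want_ack=True):
    """Encode the DCO base object (no DODAGID) with Target and Transit options."""
    if len(target) != 16:
        raise ValueError("target must be a 16-byte IPv6 address")
    base = struct.pack("!BBBB", instance_id, DCO_FLAG_K if want_ack else 0, 0, dco_seq)
    # RPL Target option: flags 0, prefix length 128, then the full address.
    tgt = struct.pack("!BBBB", OPT_RPL_TARGET, 18, 0, 128) + target
    # Transit Information option: no parent address, Path Lifetime 0.
    tio = struct.pack("!BBBBBB", OPT_TRANSIT_INFO, 4, 0, 0, path_seq, 0)
    return base + tgt + tio


class CommonAncestor:
    """Hypothetical storing-mode route state kept by a 6LR such as node (A)."""

    def __init__(self, instance_id=0):
        self.instance_id = instance_id
        self.routes = {}    # target -> (path_seq, set of next hops)
        self.pending = {}   # target -> [deadline, set of stale next hops]
        self.dco_seq = 240  # arbitrary start; the draft allows a random value

    def on_dao(self, target, next_hop, path_seq, i_flag, now):
        """Process a regular DAO for target received via next_hop at time now."""
        if target not in self.routes:
            self.routes[target] = (path_seq, {next_hop})
            return
        old_seq, old_hops = self.routes[target]
        if path_seq == old_seq:
            # Same DAO generation via another preferred parent: still valid.
            old_hops.add(next_hop)
            if target in self.pending:
                self.pending[target][1].discard(next_hop)
            return
        if not seq_newer(path_seq, old_seq):
            return  # stale DAO: must not move the route or trigger a DCO
        self.routes[target] = (path_seq, {next_hop})
        stale = old_hops - {next_hop}
        if i_flag and stale:
            # Hold the DCO for DelayDCO so DAOs via other next hops can arrive.
            entry = self.pending.setdefault(target, [now + DELAY_DCO, set()])
            entry[1] = (entry[1] | stale) - {next_hop}

    def on_timer(self, now):
        """Return [(next_hop, dco_bytes)] for each expired DelayDCO window."""
        out = []
        for target in [t for t, p in self.pending.items() if p[0] <= now]:
            stale = self.pending.pop(target)[1]
            path_seq = self.routes[target][0]   # same Path Sequence as the DAO
            for hop in sorted(stale):
                # Lollipop increment: 127 and 255 both wrap to 0.
                self.dco_seq = 0 if self.dco_seq in (127, 255) else self.dco_seq + 1
                out.append((hop, build_dco(self.instance_id, self.dco_seq,
                                           target, path_seq)))
        return out


D = ipaddress.IPv6Address("2001:db8::d").packed   # constructed address for (D)


def switch_single_parent():
    """Figure 1: (D) moves from (B) to (C); at (A) the next hop changes G -> H."""
    a = CommonAncestor()
    a.on_dao(D, "G", 5, False, now=0.0)
    a.on_dao(D, "H", 6, True, now=10.0)
    return a.on_timer(10.5), a.on_timer(11.0)


def switch_multiple_parents():
    """Old next hops {G, H}; new DAOs arrive via Y and, 0.3 s later, via H."""
    a = CommonAncestor()
    a.on_dao(D, "G", 5, False, now=0.0)
    a.on_dao(D, "H", 5, False, now=0.1)
    a.on_dao(D, "Y", 6, True, now=10.0)
    a.on_dao(D, "H", 6, True, now=10.3)
    return a.on_timer(11.0)


if __name__ == "__main__":
    print([(h, m.hex()) for h, m in switch_single_parent()[1]])
    print([h for h, _ in switch_multiple_parents()])
```

   In the second scenario the DAO via H lands inside the window, so only
   the branch through G receives a DCO; without the delay, H would have
   been sent a DCO for a path that is still in use.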

   Note that there is no requirement for synchronization between DCO and
   DAOs. The DelayDCO timer simply ensures that the DCO control
   overhead can be reduced and is only needed when the network contains
   nodes using multiple preferred parents.

5. Acknowledgments

   Many thanks to Alvaro Retana, Cenk Gundogan, Simon Duquennoy,
   Georgios Papadopoulous, Peter Van Der Stok for their review and
   comments. Alvaro Retana helped shape this document's final version
   with critical review comments.

6. IANA Considerations

   IANA is requested to allocate new codes for the DCO and DCO-ACK
   messages from the RPL Control Codes registry.

   +------+---------------------------------------------+--------------+
   | Code | Description                                 | Reference    |
   +------+---------------------------------------------+--------------+
   | TBD1 | Destination Cleanup Object                  | This         |
   |      |                                             | document     |
   | TBD2 | Destination Cleanup Object Acknowledgment   | This         |
   |      |                                             | document     |
   | TBD3 | Secure Destination Cleanup Object           | This         |
   |      |                                             | document     |
   | TBD4 | Secure Destination Cleanup Object           | This         |
   |      | Acknowledgment                              | document     |
   +------+---------------------------------------------+--------------+

   IANA is requested to allocate bit 1 from the Transit Information
   Option Flags registry for the I-flag (Section 4.2).

6.1. New Registry for the Destination Cleanup Object (DCO) Flags

   IANA is requested to create a registry for the 8-bit Destination
   Cleanup Object (DCO) Flags field. This registry should be located in
   existing category of "Routing Protocol for Low Power and Lossy
   Networks (RPL)".

   New bit numbers may be allocated only by an IETF Review.
   Each bit is tracked with the following qualities:

   o  Bit number (counting from bit 0 as the most significant bit)
   o  Capability description
   o  Defining RFC

   The following bits are currently defined:

   +------------+------------------------------+---------------+
   | Bit number | Description                  | Reference     |
   +------------+------------------------------+---------------+
   | 0          | DCO-ACK request (K)          | This document |
   | 1          | DODAGID field is present (D) | This document |
   +------------+------------------------------+---------------+

                            DCO Base Flags

6.2. New Registry for the Destination Cleanup Object Acknowledgment
     (DCO-ACK) Status field

   IANA is requested to create a registry for the 8-bit Destination
   Cleanup Object Acknowledgment (DCO-ACK) Status field. This registry
   should be located in existing category of "Routing Protocol for Low
   Power and Lossy Networks (RPL)".

   New Status values may be allocated only by an IETF Review. Each
   value is tracked with the following qualities:

   o  Status Code
   o  Description
   o  Defining RFC

   The following values are currently defined:

   +------------+----------------------------------------+-------------+
   | Status     | Description                            | Reference   |
   | Code       |                                        |             |
   +------------+----------------------------------------+-------------+
   | 0          | Unqualified acceptance                 | This        |
   |            |                                        | document    |
   | 1          | No routing-entry for the indicated     | This        |
   |            | Target found                           | document    |
   +------------+----------------------------------------+-------------+

                           DCO Status Codes

6.3. New Registry for the Destination Cleanup Object (DCO)
     Acknowledgment Flags

   IANA is requested to create a registry for the 8-bit Destination
   Cleanup Object (DCO) Acknowledgment Flags field. This registry
   should be located in existing category of "Routing Protocol for Low
   Power and Lossy Networks (RPL)".

   New bit numbers may be allocated only by an IETF Review.
   Each bit is tracked with the following qualities:

   o  Bit number (counting from bit 0 as the most significant bit)
   o  Capability description
   o  Defining RFC

   The following bits are currently defined:

   +------------+------------------------------+---------------+
   | Bit number | Description                  | Reference     |
   +------------+------------------------------+---------------+
   | 0          | DODAGID field is present (D) | This document |
   +------------+------------------------------+---------------+

                          DCO-ACK Base Flags

7. Security Considerations

   This document introduces the ability for a common ancestor node to
   invalidate a route on behalf of the target node. The common ancestor
   node could be directed to do so by the target node using the I-flag
   in DCO's Transit Information Option. However, the common ancestor
   node is in a position to unilaterally initiate the route invalidation
   since it possesses all the required state information, namely, the
   Target address and the corresponding Path Sequence. Thus a rogue
   common ancestor node could initiate such an invalidation and impact
   the traffic to the target node.

   This document also introduces an I-flag which is set by the target
   node and used by the ancestor node to initiate a DCO if the ancestor
   sees an update in the route adjacency. However, this flag could be
   spoofed by a malicious 6LR in the path and can cause invalidation of
   an existing active path. Note that invalidation will happen only if
   the other conditions such as Path Sequence condition is also met.
   Having said that, such a malicious 6LR may spoof a DAO on behalf of
   the (sub) child with the I-flag set and can cause route invalidation
   on behalf of the (sub) child node.
   Note that, using existing
   mechanisms offered by [RFC6550], a malicious 6LR might also spoof a
   DAO with lifetime of zero or otherwise cause denial of service by
   dropping traffic entirely, so the new mechanism described in this
   document does not present a substantially increased risk of
   disruption.

   This document assumes that the security mechanisms as defined in
   [RFC6550] are followed, which means that the common ancestor node and
   all the 6LRs are part of the RPL network because they have the
   required credentials. A non-secure RPL network needs to take into
   consideration the risks highlighted in this section as well as those
   highlighted in [RFC6550].

   All RPL messages support a secure version of messages which allows
   integrity protection using either a MAC or a signature. Optionally,
   secured RPL messages also have encryption protection for
   confidentiality.

   The document adds new messages (DCO, DCO-ACK) which are syntactically
   similar to existing RPL messages such as DAO, DAO-ACK. Secure
   versions of DCO and DCO-ACK are added similar to other RPL messages
   (such as DAO, DAO-ACK).

   RPL supports three security modes as mentioned in Section 10.1 of
   [RFC6550]:

   1.  Unsecured: In this mode, it is expected that the RPL control
       messages are secured by other security mechanisms, such as
       link-layer security. In this mode, the RPL control messages,
       including DCO, DCO-ACK, do not have Security sections. Also note
       that unsecured mode does not imply that all messages are sent
       without any protection.
   2.  Preinstalled: In this mode, RPL uses secure messages. Thus
       secure versions of DCO, DCO-ACK MUST be used in this mode.
   3.  Authenticated: In this mode, RPL uses secure messages. Thus
       secure versions of DCO, DCO-ACK MUST be used in this mode.

8. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6550]  Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J.,
              Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur,
              JP., and R. Alexander, "RPL: IPv6 Routing Protocol for
              Low-Power and Lossy Networks", RFC 6550,
              DOI 10.17487/RFC6550, March 2012.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

Appendix A. Example Messaging

A.1. Example DCO Messaging

   In Figure 1, node (D) switches its parent from (B) to (C). This
   example assumes that Node D has already established its own route via
   Node B-G-A-6LBR using pathseq=x. The example uses DAO and DCO
   messaging convention and specifies only the required parameters to
   explain the example namely, the parameter 'tgt', which stands for
   Target Option and value of this parameter specifies the address of
   the target node. The parameter 'pathseq', which specifies the Path
   Sequence value carried in the Transit Information Option. The
   parameter 'I_flag' specifies the 'I' flag in the Transit Information
   Option. The sequence of actions is as follows:

   1.  Node D switches its parent from node B to node C
   2.  D sends a regular DAO(tgt=D,pathseq=x+1,I_flag=1) in the updated
       path to C
   3.  C checks for a routing entry on behalf of D, since it cannot find
       an entry on behalf of D it creates a new routing entry and
       forwards the reachability information of the target D to H in a
       DAO(tgt=D,pathseq=x+1,I_flag=1).
   4.  Similar to C, node H checks for a routing entry on behalf of D,
       cannot find an entry and hence creates a new routing entry and
       forwards the reachability information of the target D to A in a
       DAO(tgt=D,pathseq=x+1,I_flag=1).
   5.  Node A receives the DAO(tgt=D,pathseq=x+1,I_flag=1), and checks
       for a routing entry on behalf of D. It finds a routing entry but
       checks that the next hop for target D is different (i.e., Node
       G). Node A checks the I_flag and generates
       DCO(tgt=D,pathseq=x+1) to previous next hop for target D which is
       G. Subsequently, Node A updates the routing entry and forwards
       the reachability information of target D upstream
       DAO(tgt=D,pathseq=x+1,I_flag=1).
   6.  Node G receives the DCO(tgt=D,pathseq=x+1). It checks if the
       received path sequence is later than the stored path sequence.
       If it is later, Node G invalidates the routing entry of target D
       and forwards the (un)reachability information downstream to B in
       DCO(tgt=D,pathseq=x+1).
   7.  Similarly, B processes the DCO(tgt=D,pathseq=x+1) by invalidating
       the routing entry of target D and forwards the (un)reachability
       information downstream to D.
   8.  D ignores the DCO(tgt=D,pathseq=x+1) since the target is itself.
   9.  The propagation of the DCO will stop at any node where the node
       does not have any routing information associated with the target.
       If cached routing information is present and the cached Path
       Sequence is higher than the value in the DCO, then the DCO is
       dropped.

A.2. Example DCO Messaging with multiple preferred parents

                                (6LBR)
                                  |
                                  |
                                  |
                                (N11)
                                 / \
                                /   \
                               /     \
                           (N21)   (N22)
                             /      / \
                            /      /   \
                           /      /     \
                       (N31)  (N32)  (N33)
                           :     |    /
                            :    |   /
                             :   |  /
                              (N41)

                      Figure 5: Sample topology 2

   In Figure 5, node (N41) selects multiple preferred parents (N32) and
   (N33). The sequence of actions is as follows:

   1.   (N41) sends DAO(tgt=N41,PS=x,I_flag=1) to (N32) and (N33). Here
        I_flag refers to the Invalidation flag and PS refers to Path
        Sequence in Transit Information option.
   2.   (N32) sends DAO(tgt=N41,PS=x,I_flag=1) to (N22). (N33) also
        sends DAO(tgt=N41,PS=x,I_flag=1) to (N22).
        (N22) learns
        multiple routes for the same destination (N41) through multiple
        next-hops. (N22) may receive the DAOs from (N32) and (N33) in
        any order with the I_flag set. The implementation should use
        the DelayDCO timer to wait to initiate the DCO. If (N22)
        receives an updated DAO from all the paths then the DCO need not
        be initiated in this case. Thus the route table at N22 should
        contain (Dst,NextHop,PS): { (N41,N32,x), (N41,N33,x) }.
   3.   (N22) sends DAO(tgt=N41,PS=x,I_flag=1) to (N11).
   4.   (N11) sends DAO(tgt=N41,PS=x,I_flag=1) to (6LBR). Thus the
        complete path is established.
   5.   (N41) decides to change preferred parent set from { N32, N33 }
        to { N31, N32 }.
   6.   (N41) sends DAO(tgt=N41,PS=x+1,I_flag=1) to (N32). (N41) sends
        DAO(tgt=N41,PS=x+1,I_flag=1) to (N31).
   7.   (N32) sends DAO(tgt=N41,PS=x+1,I_flag=1) to (N22). (N22) has
        multiple routes to destination (N41). It sees that a new Path
        Sequence for Target=N41 is received and thus it waits for
        pre-determined time period (DelayDCO time period) to invalidate
        another route {(N41),(N33),x}. After time period, (N22) sends
        DCO(tgt=N41,PS=x+1) to (N33). Also (N22) sends the regular
        DAO(tgt=N41,PS=x+1,I_flag=1) to (N11).
   8.   (N33) receives DCO(tgt=N41,PS=x+1). The received Path Sequence
        is latest and thus it invalidates the entry associated with
        target (N41). (N33) then sends the DCO(tgt=N41,PS=x+1) to
        (N41). (N41) sees itself as the target and drops the DCO.
   9.   From Step 6 above, (N31) receives the
        DAO(tgt=N41,PS=x+1,I_flag=1). It creates a routing entry and
        sends the DAO(tgt=N41,PS=x+1,I_flag=1) to (N21). Similarly
        (N21) receives the DAO and subsequently sends the
        DAO(tgt=N41,PS=x+1,I_flag=1) to (N11).
   10.  (N11) receives DAO(tgt=N41,PS=x+1,I_flag=1) from (N21). It
        waits for DelayDCO timer since it has multiple routes to (N41).
        (N41) will receive DAO(tgt=N41,PS=x+1,I_flag=1) from (N22) from
        Step 7 above. Thus (N11) has received regular
        DAO(tgt=N41,PS=x+1,I_flag=1) from all paths and thus does not
        initiate DCO.
   11.  (N11) forwards the DAO(tgt=N41,PS=x+1,I_flag=1) to 6LBR and the
        full path is established.

Authors' Addresses

   Rahul Arvind Jadhav (editor)
   Huawei
   Kundalahalli Village, Whitefield,
   Bangalore, Karnataka 560037
   India

   Phone: +91-080-49160700
   Email: rahul.ietf@gmail.com

   Pascal Thubert
   Cisco Systems, Inc
   Building D
   45 Allee des Ormes - BP1200
   MOUGINS - Sophia Antipolis 06254
   France

   Phone: +33 497 23 26 34
   Email: pthubert@cisco.com

   Rabi Narayan Sahoo
   Huawei
   Kundalahalli Village, Whitefield,
   Bangalore, Karnataka 560037
   India

   Phone: +91-080-49160700
   Email: rabinarayans@huawei.com

   Zhen Cao
   Huawei
   W Chang'an Ave
   Beijing
   P.R. China

   Email: zhencao.ietf@gmail.com
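
   The receive-side rules from steps 6 to 9 of Appendix A.1, which are
   also the Path Sequence condition mentioned in Section 7, as an added
   example that is not part of the draft. The names process_dco,
   propagate and run_appendix_a1 and the routing tables are constructed
   for illustration; Path Sequence is compared as a plain integer instead
   of the RFC 6550 lollipop counter, and treating an equal value as "not
   later" is this example's reading of step 6.

```python
def process_dco(node, routes, target, path_seq):
    """Apply Appendix A.1 steps 6-9 at one node.

    routes maps target -> (next_hop, stored Path Sequence), edited in place.
    Returns (action, next_hop); next_hop is where the DCO goes next, or None.
    """
    if target == node:
        return ("ignore", None)        # step 8: the target is the node itself
    entry = routes.get(target)
    if entry is None:
        return ("stop", None)          # step 9: no routing information held
    next_hop, stored = entry
    if path_seq <= stored:
        return ("drop", None)          # steps 6 and 9: DCO is not later
    del routes[target]                 # step 6: invalidate the routing entry
    return ("invalidate", next_hop)    # and forward the DCO downstream


def propagate(tables, first_hop, target, path_seq):
    """Follow one DCO hop by hop and return the [(node, action)] trace."""
    trace, node = [], first_hop
    while node is not None:
        routes = tables.setdefault(node, {})
        action, next_hop = process_dco(node, routes, target, path_seq)
        trace.append((node, action))
        node = next_hop
    return trace


def run_appendix_a1(x=7):
    """Constructed state after step 5: old path G-B at x, new path H-C at x+1."""
    tables = {"G": {"D": ("B", x)}, "B": {"D": ("D", x)},
              "H": {"D": ("C", x + 1)}, "C": {"D": ("D", x + 1)}}
    cleanup = propagate(tables, "G", "D", x + 1)  # DCO sent by A, steps 6-8
    repeat = propagate(tables, "G", "D", x + 1)   # same DCO again: nothing left
    stale = propagate(tables, "H", "D", x)        # old Path Sequence, new path
    return cleanup, repeat, stale, tables
```

   The check filters stale or repeated DCOs only; it says nothing about
   who sent the message, which is what the secure DCO and DCO-ACK variants
   required in the Preinstalled and Authenticated modes are for.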