idnits 2.17.1

draft-ietf-roll-efficient-npdao-18.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (April 15, 2020) is 1471 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC8505' is mentioned on line 361, but not defined

  == Outdated reference: A later version (-30) exists of
     draft-ietf-roll-unaware-leaves-14

     Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

ROLL                                                      R. Jadhav, Ed.
Internet-Draft                                                    Huawei
Intended status: Standards Track                              P. Thubert
Expires: October 17, 2020                                          Cisco
                                                                R. Sahoo
                                                                  Z. Cao
                                                                  Huawei
                                                          April 15, 2020

                      Efficient Route Invalidation
                   draft-ietf-roll-efficient-npdao-18

Abstract

   This document explains the problems associated with the current use
   of NPDAO messaging and also discusses the requirements for an
   optimized route invalidation messaging scheme.
   Further, a new proactive route invalidation message called
   "Destination Cleanup Object" (DCO) is specified, which fulfills the
   requirements of optimized route invalidation messaging.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 17, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language and Terminology
     1.2.  Current NPDAO messaging
     1.3.  Why Is NPDAO Important?
   2.  Problems with current NPDAO messaging
     2.1.  Lost NPDAO due to link break to the previous parent
     2.2.  Invalidate Routes of Dependent Nodes
     2.3.  Possible route downtime caused by asynchronous operation
           of NPDAO and DAO
   3.  Requirements for the NPDAO Optimization
     3.1.  Req#1: Remove messaging dependency on link to the
           previous parent
     3.2.  Req#2: Dependent nodes route invalidation on parent
           switching
     3.3.  Req#3: Route invalidation should not impact data traffic
   4.  Changes to RPL signaling
     4.1.  Change in RPL route invalidation semantics
     4.2.  Transit Information Option changes
     4.3.  Destination Cleanup Object (DCO)
       4.3.1.  Secure DCO
       4.3.2.  DCO Options
       4.3.3.  Path Sequence number in the DCO
       4.3.4.  Destination Cleanup Option Acknowledgment (DCO-ACK)
       4.3.5.  Secure DCO-ACK
     4.4.  DCO Base Rules
     4.5.  Unsolicited DCO
     4.6.  Other considerations
       4.6.1.  Dependent Nodes invalidation
       4.6.2.  NPDAO and DCO in the same network
       4.6.3.  Considerations for DCO retry
       4.6.4.  DCO with multiple preferred parents
   5.  Acknowledgments
   6.  IANA Considerations
     6.1.  New Registry for the Destination Cleanup Object (DCO)
           Flags
     6.2.  New Registry for the Destination Cleanup Object
           Acknowledgment (DCO-ACK) Status field
     6.3.  New Registry for the Destination Cleanup Object (DCO)
           Acknowledgment Flags
   7.  Security Considerations
   8.  Normative References
   Appendix A.  Example Messaging
     A.1.  Example DCO Messaging
     A.2.  Example DCO Messaging with multiple preferred parents
   Authors' Addresses

1.  Introduction

   RPL [RFC6550] (Routing Protocol for Low power and lossy networks)
   specifies a proactive distance-vector based routing scheme. RPL has
   optional messaging in the form of DAO (Destination Advertisement
   Object) messages, which the 6LBR (6Lo Border Router) and 6LR (6Lo
   Router) can use to learn a route towards the downstream nodes. In
   storing mode, DAO messages would result in routing entries being
   created on all intermediate 6LRs from the node's parent all the way
   towards the 6LBR.

   RPL allows the use of No-Path DAO (NPDAO) messaging to invalidate a
   routing path corresponding to the given target, thus releasing
   resources utilized on that path. An NPDAO is a DAO message with a
   route lifetime of zero; it originates at the target node and always
   flows upstream towards the 6LBR. This document explains the problems
   associated with the current use of NPDAO messaging and also discusses
   the requirements for an optimized route invalidation messaging
   scheme. Further, a new proactive route invalidation message called
   "Destination Cleanup Object" (DCO) is specified, which fulfills the
   requirements of optimized route invalidation messaging.

   The document only caters to the RPL's storing mode of operation
   (MOP).
   The non-storing MOP does not require use of NPDAO for route
   invalidation since routing entries are not maintained on 6LRs.

1.1.  Requirements Language and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This specification requires readers to be familiar with all the terms
   and concepts that are discussed in "RPL: IPv6 Routing Protocol for
   Low-Power and Lossy Networks" [RFC6550].

   Low Power and Lossy Networks (LLN):
      Network in which both the routers and their interconnect are
      constrained. LLN routers typically operate with constraints on
      processing power, memory, and energy (battery power). Their
      interconnects are characterized by high loss rates, low data
      rates, and instability.
   6LoWPAN Router (6LR):
      An intermediate router that is able to send and receive Router
      Advertisements (RAs) and Router Solicitations (RSs) as well as
      forward and route IPv6 packets.
   Directed Acyclic Graph (DAG):
      A directed graph having the property that all edges are oriented
      in such a way that no cycles exist.
   Destination-Oriented DAG (DODAG):
      A DAG rooted at a single destination, i.e., at a single DAG root
      with no outgoing edges.
   6LoWPAN Border Router (6LBR):
      A border router which is a DODAG root and is the edge node for
      traffic flowing in and out of the 6LoWPAN network.
   Destination Advertisement Object (DAO):
      DAO messaging allows downstream routes to the nodes to be
      established.
   DODAG Information Object (DIO):
      DIO messaging allows upstream routes to the 6LBR to be
      established. DIO messaging is initiated at the DAO root.
   Common Ancestor node:
      6LR/6LBR node which is the first common node between two paths of
      a target node.
   No-Path DAO (NPDAO):
      A DAO message which has target with lifetime 0 used for the
      purpose of route invalidation.
   Destination Cleanup Object (DCO):
      A new RPL control message code defined by this document. DCO
      messaging improves proactive route invalidation in RPL.
   Regular DAO:
      A DAO message with non-zero lifetime. Routing adjacencies are
      created or updated based on this message.
   Target node:
      The node switching its parent whose routing adjacencies are
      updated (created/removed).

1.2.  Current NPDAO messaging

   RPL uses NPDAO messaging in the storing mode so that the node
   changing its routing adjacencies can invalidate the previous route.
   This is needed so that nodes along the previous path can release any
   resources (such as the routing entry) they maintain on behalf of
   target node.

   For the rest of this document consider the following topology:

                                 (6LBR)
                                   |
                                   |
                                   |
                                  (A)
                                  / \
                                 /   \
                                /     \
                              (G)     (H)
                               |       |
                               |       |
                               |       |
                              (B)     (C)
                                \      ;
                                 \    ;
                                  \  ;
                                   (D)
                                   / \
                                  /   \
                                 /     \
                               (E)     (F)

                        Figure 1: Sample topology

   Node (D) is connected via preferred parent (B). (D) has an alternate
   path via (C) towards the 6LBR. Node (A) is the common ancestor for
   (D) for paths through (B)-(G) and (C)-(H). When (D) switches from
   (B) to (C), RPL allows sending NPDAO to (B) and regular DAO to (C).

1.3.  Why Is NPDAO Important?

   Nodes in LLNs may be resource constrained. There is limited memory
   available and routing entry records are one of the primary elements
   occupying dynamic memory in the nodes. Route invalidation helps 6LR
   nodes to decide which entries could be discarded to better optimize
   resource utilization. Thus it becomes necessary to have an efficient
   route invalidation mechanism.
   Also note that a single parent switch may result in a "sub-tree"
   switching from one parent to another. Thus the route invalidation
   needs to be done on behalf of the sub-tree and not the switching
   node alone. In the above example, when Node (D) switches parent,
   the route updates need to be done for the routing table entries of
   (C), (H), (A), (G), and (B) with destination (D), (E), and (F).
   Without efficient route invalidation, a 6LR may have to hold a lot
   of stale route entries.

2.  Problems with current NPDAO messaging

2.1.  Lost NPDAO due to link break to the previous parent

   When a node switches its parent, the NPDAO is to be sent to its
   previous parent and a regular DAO to its new parent. In cases where
   the node switches its parent because of transient or permanent parent
   link/node failure, the NPDAO message is bound to fail.

2.2.  Invalidate Routes of Dependent Nodes

   RPL does not specify how route invalidation will work for dependent
   nodes rooted at the switching node, resulting in stale routing
   entries of the dependent nodes. The only way for a 6LR to invalidate
   the route entries for dependent nodes would be to use route lifetime
   expiry, which could be substantially high for LLNs.

   In the example topology, when Node (D) switches its parent, Node (D)
   generates an NPDAO on its behalf. There is no NPDAO generated by the
   dependent child nodes (E) and (F), through the previous path via (D)
   to (B) and (G), resulting in stale entries on nodes (B) and (G) for
   nodes (E) and (F).

2.3.  Possible route downtime caused by asynchronous operation of NPDAO
      and DAO

   A switching node may generate both an NPDAO and DAO via two different
   paths at almost the same time. There is a possibility that an NPDAO
   generated may invalidate the previous route and the regular DAO sent
   via the new path gets lost on the way.
   This may result in route downtime impacting downward traffic for
   the switching node.

   In the example topology, consider that Node (D) switches from parent
   (B) to (C). An NPDAO sent via the previous route may invalidate the
   previous route whereas there is no way to determine whether the new
   DAO has successfully updated the route entries on the new path.

3.  Requirements for the NPDAO Optimization

3.1.  Req#1: Remove messaging dependency on link to the previous parent

   When the switching node sends the NPDAO message to the previous
   parent, it is normal that the link to the previous parent is prone to
   failure (that's why the node decided to switch). Therefore, it is
   required that the route invalidation does not depend on the previous
   link which is prone to failure. The previous link referred to here
   represents the link between the node and its previous parent (from
   whom the node is now disassociating).

3.2.  Req#2: Dependent nodes route invalidation on parent switching

   It should be possible to do route invalidation for dependent nodes
   rooted at the switching node.

3.3.  Req#3: Route invalidation should not impact data traffic

   While sending the NPDAO and DAO messages, it is possible that the
   NPDAO successfully invalidates the previous path, while the newly
   sent DAO gets lost (new path not set up successfully). This will
   result in downstream unreachability to the node switching paths.
   Therefore, it is desirable that the route invalidation is
   synchronized with the DAO to avoid the risk of route downtime.

4.  Changes to RPL signaling

4.1.  Change in RPL route invalidation semantics

   As described in Section 1.2, the NPDAO originates at the node
   changing to a new parent and traverses upstream towards the root.
   In order to solve the problems mentioned in Section 2, the document
   adds a new proactive route invalidation message called "Destination
   Cleanup Object" (DCO) that originates at a common ancestor node and
   flows downstream between the new and old path. The common ancestor
   node generates a DCO in response to the change in the next-hop on
   receiving a regular DAO with updated Path Sequence for the target.

   The 6LRs in the path for DCO take action such as route invalidation
   based on the DCO information and subsequently send another DCO with
   the same information downstream to the next hop. This operation is
   similar to how the DAOs are handled on intermediate 6LRs in storing
   MOP in [RFC6550]. Just like DAO in storing MOP, the DCO is sent
   using link-local unicast source and destination IPv6 addresses.
   Unlike DAO, which always travels upstream, the DCO always travels
   downstream.

   In Figure 1, when node D decides to switch the path from B to C, it
   sends a regular DAO to node C with reachability information
   containing the address of D as the target and an incremented Path
   Sequence. Node C will update the routing table based on the
   reachability information in the DAO and in turn generate another DAO
   with the same reachability information and forward it to H. Node H
   also follows the same procedure as Node C and forwards it to node A.
   When node A receives the regular DAO, it finds that it already has a
   routing table entry on behalf of the target address of node D. It
   finds however that the next hop information for reaching node D has
   changed, i.e., node D has decided to change the paths. In this case,
   Node A, which is the common ancestor node for node D along the two
   paths (previous and new), should generate a DCO which traverses
   downwards in the network. Node A handles normal DAO forwarding to
   6LBR as required by [RFC6550].

4.2.  Transit Information Option changes

   Every RPL message is divided into base message fields and additional
   Options as described in Section 6 of [RFC6550]. The base fields
   apply to the message as a whole and options are appended to add
   message/use-case specific attributes. As an example, a DAO message
   may be attributed by one or more "RPL Target" options which specify
   the reachability information for the given targets. Similarly, a
   Transit Information option may be associated with a set of RPL Target
   options.

   This document specifies a change in the Transit Information Option to
   contain the "Invalidate previous route" (I) flag. This 'I' flag
   signals the common ancestor node to generate a DCO on behalf of the
   target node with a RPL Status of 195 indicating that the address has
   moved. The 'I' flag is carried in the Transit Information Option
   which augments the reachability information for a given set of RPL
   Target(s). Transit Information Option with 'I' flag set should be
   carried in the DAO message when route invalidation is sought for the
   corresponding target(s).

   Value 195 represents 'E' and 'A' bit in RPL Status to be set as per
   Figure 3 of [I-D.ietf-roll-unaware-leaves] with the lower 6 bits with
   value 3 indicating 'Moved' as per Table 1 of [RFC8505].

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Type = 0x06 | Option Length |E|I|  Flags    | Path Control  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Path Sequence | Path Lifetime |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Figure 2: Updated Transit Information Option (New I flag added)

   I (Invalidate previous route) flag: The 'I' flag is set by the target
   node to indicate to the common ancestor node that it wishes to
   invalidate any previous route between the two paths.

   [RFC6550] allows the parent address to be sent in the Transit
   Information Option depending on the mode of operation. In case of
   storing mode of operation the field is usually not needed. In case
   of DCO, the parent address field MUST NOT be included.

   The common ancestor node SHOULD generate a DCO message in response to
   this 'I' flag when it sees that the routing adjacencies have changed
   for the target. The 'I' flag is intended to give the target node
   control over its own route invalidation, serving as a signal to
   request DCO generation.

4.3.  Destination Cleanup Object (DCO)

   A new ICMPv6 RPL control message code is defined by this
   specification and is referred to as "Destination Cleanup Object"
   (DCO), which is used for proactive cleanup of state and routing
   information held on behalf of the target node by 6LRs. The DCO
   message always traverses downstream and cleans up route information
   and other state information associated with the given target.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | RPLInstanceID |K|D|   Flags   |  RPL Status   | DCOSequence   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                       DODAGID(optional)                       +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Option(s)...
   +-+-+-+-+-+-+-+-+

                       Figure 3: DCO base object

   RPLInstanceID: 8-bit field indicating the topology instance
   associated with the DODAG, as learned from the DIO.

   K: The 'K' flag indicates that the recipient of DCO message is
   expected to send a DCO-ACK back. If the DCO-ACK is not received even
   after setting the 'K' flag, an implementation may retry the DCO at a
   later time.
   The number of retries is implementation and deployment dependent
   and is expected to be kept similar to that used for DAO retries in
   [RFC6550]. Section 4.6.3 specifies the considerations for DCO
   retry. A node receiving a DCO message without the 'K' flag set MAY
   respond with a DCO-ACK, especially to report an error condition. An
   example error condition could be that the node sending the DCO-ACK
   does not find the routing entry for the indicated target. When the
   sender does not set the 'K' flag it is an indication that the sender
   does not expect a response, and the sender SHOULD NOT retry the DCO.

   D: The 'D' flag indicates that the DODAGID field is present. This
   flag MUST be set when a local RPLInstanceID is used.

   Flags: The 6 bits remaining unused in the Flags field are reserved
   for future use. These bits MUST be initialized to zero by the sender
   and MUST be ignored by the receiver.

   RPL Status: As defined in [RFC6550] and updated in
   [I-D.ietf-roll-unaware-leaves]. The root or common parent that
   generates a DCO is authoritative for setting the status information
   and the information is unchanged as propagated down the DODAG. This
   document does not specify a differentiated action based on the RPL
   status.

   DCOSequence: 8-bit field incremented at each unique DCO message from
   a node and echoed in the DCO-ACK message. The initial DCOSequence
   can be chosen randomly by the node. Section 4.4 explains the
   handling of the DCOSequence.

   DODAGID (optional): 128-bit unsigned integer set by a DODAG root that
   uniquely identifies a DODAG. This field MUST be present when the 'D'
   flag is set and MUST NOT be present if 'D' flag is not set. DODAGID
   is used when a local RPLInstanceID is in use, in order to identify
   the DODAGID that is associated with the RPLInstanceID.

4.3.1.  Secure DCO

   A Secure DCO message follows the format in [RFC6550] Figure 7, where
   the base message format is the DCO message shown in Figure 3.

4.3.2.  DCO Options

   The DCO message MUST carry at least one RPL Target and the Transit
   Information Option and MAY carry other valid options. This
   specification allows for the DCO message to carry the following
   options:

      0x00 Pad1
      0x01 PadN
      0x05 RPL Target
      0x06 Transit Information
      0x09 RPL Target Descriptor

   Section 6.7 of [RFC6550] defines all the above mentioned options.
   The DCO carries an RPL Target Option and an associated Transit
   Information Option with a lifetime of 0x00000000 to indicate a loss
   of reachability to that Target.

4.3.3.  Path Sequence number in the DCO

   A DCO message may contain a Path Sequence in the Transit Information
   Option to identify the freshness of the DCO message. The Path
   Sequence in the DCO MUST use the same Path Sequence number present in
   the regular DAO message when the DCO is generated in response to a
   DAO message. Thus if a DCO is received by a 6LR and subsequently a
   DAO is received with an old sequence number, then the DAO MUST be
   ignored. When the DCO is generated in response to a DCO from
   upstream parent, the Path Sequence MUST be copied from the received
   DCO.

4.3.4.  Destination Cleanup Option Acknowledgment (DCO-ACK)

   The DCO-ACK message SHOULD be sent as a unicast packet by a DCO
   recipient in response to a unicast DCO message with 'K' flag set. If
   'K' flag is not set then the receiver of the DCO message MAY send a
   DCO-ACK, especially to report an error condition.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | RPLInstanceID |D|  Flags      |  DCOSequence  | DCO-ACK Status|
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                       DODAGID(optional)                       +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                     Figure 4: DCO-ACK base object

   RPLInstanceID: 8-bit field indicating the topology instance
   associated with the DODAG, as learned from the DIO.

   D: The 'D' flag indicates that the DODAGID field is present. This
   flag MUST be set when a local RPLInstanceID is used.

   Flags: 7-bit unused field. The field MUST be initialized to zero by
   the sender and MUST be ignored by the receiver.

   DCOSequence: 8-bit field. The DCOSequence in DCO-ACK is copied from
   the DCOSequence received in the DCO message.

   DCO-ACK Status: Indicates the completion. A value of 0 is defined as
   unqualified acceptance in this specification. A value of 1 is
   defined as "No routing-entry for the Target found". The remaining
   status values are reserved as rejection codes.

   DODAGID (optional): 128-bit unsigned integer set by a DODAG root that
   uniquely identifies a DODAG. This field MUST be present when the 'D'
   flag is set and MUST NOT be present when 'D' flag is not set.
   DODAGID is used when a local RPLInstanceID is in use, in order to
   identify the DODAGID that is associated with the RPLInstanceID.

4.3.5.  Secure DCO-ACK

   A Secure DCO-ACK message follows the format in [RFC6550] Figure 7,
   where the base message format is the DCO-ACK message shown in
   Figure 4.

4.4.  DCO Base Rules

   1.  If a node sends a DCO message with newer or different information
       than the prior DCO message transmission, it MUST increment the
       DCOSequence field by at least one.
       A DCO message transmission that is identical to the prior DCO
       message transmission MAY increment the DCOSequence field. The
       DCOSequence counter follows the sequence counter operation as
       defined in Section 7.2 of [RFC6550].
   2.  The RPLInstanceID and DODAGID fields of a DCO message MUST be the
       same value as that of the DAO message in response to which the
       DCO is generated on the common ancestor node.
   3.  A node MAY set the 'K' flag in a unicast DCO message to solicit a
       unicast DCO-ACK in response in order to confirm the attempt.
   4.  A node receiving a unicast DCO message with the 'K' flag set
       SHOULD respond with a DCO-ACK. A node receiving a DCO message
       without the 'K' flag set MAY respond with a DCO-ACK, especially
       to report an error condition.
   5.  A node receiving a unicast DCO message MUST verify the stored
       Path Sequence in context to the given target. If the stored Path
       Sequence is fresher, i.e., newer than the Path Sequence received
       in the DCO, then the DCO MUST be dropped.
   6.  A node that sets the 'K' flag in a unicast DCO message but does
       not receive DCO-ACK in response MAY reschedule the DCO message
       transmission for another attempt, up until an implementation
       specific number of retries.
   7.  A node receiving a unicast DCO message with its own address in
       the RPL Target Option MUST strip off that Target Option. If this
       Target Option is the only one in the DCO message then the DCO
       message MUST be dropped.

   The scope of DCOSequence values is unique to the node which generates
   it.

4.5.  Unsolicited DCO

   A 6LR may generate an unsolicited DCO to unilaterally clean up the
   path on behalf of the target entry. The 6LR has all the state
   information, namely, the Target address and the Path Sequence,
   required for generating DCO in its routing table.
   The conditions under which a 6LR may generate an unsolicited DCO are
   beyond the scope of this document but some possible reasons could
   be:

   1.  On route expiry of an entry, a 6LR may decide to graciously
       clean up the entry by initiating DCO.
   2.  6LR needs to entertain higher priority entries in case the
       routing table is full, thus resulting in eviction of an existing
       routing entry. In this case the eviction can be handled
       graciously using DCO.

   Note that if the 6LR initiates a unilateral path cleanup using DCO
   and if it has the latest state for the target then the DCO would
   finally reach the target node. Thus the target node would be
   informed of its invalidation.

4.6.  Other considerations

4.6.1.  Dependent Nodes invalidation

   Current RPL [RFC6550] does not provide a mechanism for route
   invalidation for dependent nodes. This document allows the dependent
   nodes invalidation. Dependent nodes will generate their respective
   DAOs to update their paths, and the previous route invalidation for
   those nodes should work in a manner similar to that described for
   the switching node. The dependent node may set the 'I' flag in the
   Transit Information Option as part of regular DAO so as to request
   invalidation of previous route from the common ancestor node.

   Dependent nodes do not have any indication of whether any of their
   parents in turn have decided to switch their parent. Thus for route
   invalidation the dependent nodes may choose to always set the 'I'
   flag in the Transit Information Option of all their DAO messages.
   Note that setting the 'I' flag is not counterproductive even if there
   is no previous route to be invalidated.

4.6.2.  NPDAO and DCO in the same network

   The current NPDAO mechanism in [RFC6550] can still be used in the
   same network where DCO is used.
   The NPDAO messaging can be used, for example, on route lifetime
   expiry of the target or when the node simply decides to gracefully
   terminate the RPL session on graceful node shutdown. Moreover, a
   deployment can have a mix of nodes supporting the DCO and the
   existing NPDAO mechanism. It is also possible that the same node
   supports both the NPDAO and DCO signaling for route invalidation.

   Section 9.8 of [RFC6550] states, "When a node removes a node from its
   DAO parent set, it SHOULD send a No-Path DAO message to that removed
   DAO parent to invalidate the existing route". This document
   introduces an alternative and more optimized way of route
   invalidation but it also allows existing NPDAO messaging to work.
   Thus an implementation has two choices to make when a route
   invalidation is to be initiated:

   1.  Use NPDAO to invalidate the previous route and send regular DAO
       on the new path.
   2.  Send regular DAO on the new path with the 'I' flag set in the
       Transit Information Option such that the common ancestor node
       initiates the DCO message downstream to invalidate the previous
       route.

   This document recommends using option 2 for reasons specified in
   Section 3 in this document.

   This document assumes that all the 6LRs in the network support this
   specification. If there are 6LRs en route on the DCO message path
   which do not support this document, then the route invalidation for
   corresponding targets may not work or may work partially, i.e., only
   part of the path supporting DCO may be invalidated. Alternatively, a
   node could generate an NPDAO if it does not receive a DCO with itself
   as target within specified time limit. The specified time limit is
   deployment specific and depends upon the maximum depth of the network
   and per hop average latency.
   Note that sending NPDAO and DCO for the same operation would not
   result in unwanted side-effects because the acceptability of NPDAO or
   DCO depends upon the Path Sequence freshness.

4.6.3.  Considerations for DCO retry

   A DCO message could be retried by a sender if it sets the 'K' flag
   and does not receive a DCO-ACK. The DCO retry time could be
   dependent on the maximum depth of the network and average per hop
   latency. This could range from 2 seconds to 120 seconds depending on
   the deployment. In case the latency limits are not known, an
   implementation MUST NOT retry more than once in 3 seconds and MUST
   NOT retry more than 3 times.

   The number of retries could also be set depending on how critical the
   route invalidation could be for the deployment and the link layer
   retry configuration. For networks supporting only MP2P and P2MP
   flows, such as in AMI and telemetry applications, the 6LRs may not be
   very keen to invalidate routes, unless they are highly
   memory-constrained. For home and building automation networks which
   may have substantial P2P traffic, the 6LRs might be keen to
   invalidate efficiently because it may additionally impact the
   forwarding efficiency.

4.6.4.  DCO with multiple preferred parents

   [RFC6550] allows a node to select multiple preferred parents for
   route establishment. Section 9.2.1 of [RFC6550] specifies, "All DAOs
   generated at the same time for the same Target MUST be sent with the
   same Path Sequence in the Transit Information". Subsequently when
   route invalidation has to be initiated, RPL mentions use of NPDAO
   which can be initiated with an updated Path Sequence to all the
   parent nodes through which the route is to be invalidated.

   With DCO, the Target node itself does not initiate the route
   invalidation and it is left to the common ancestor node.
   When a common ancestor node discovers an updated DAO from a new
   next-hop, it initiates a DCO. With multiple preferred parents, this
   handling does not change. But in this case it is recommended that an
   implementation initiates a DCO after a time period (DelayDCO) such
   that the common ancestor node may receive updated DAOs from all
   possible next-hops. This will help to reduce DCO control overhead,
   i.e., the common ancestor can wait for updated DAOs from all possible
   directions before initiating a DCO for route invalidation. After
   timeout, the DCO needs to be generated for all the next-hops for whom
   the route invalidation needs to be done.

   This document recommends using a DelayDCO timer value of 1 second.
   This value is inspired by the default DelayDAO value of 1 second in
   [RFC6550]. Here the hypothesis is that the DAOs from all possible
   parent sets would be received on the common ancestor within this time
   period.

   It is still possible that a DCO is generated before all the updated
   DAOs from all the paths are received. In this case, the ancestor
   node would start the invalidation procedure for paths from which the
   updated DAO is not received. The DCO generated in this case would
   start invalidating the segments along these paths on which the
   updated DAOs are not received. But once the DAO reaches these
   segments, the routing state would be updated along these segments and
   should not lead to any inconsistent routing state.

   Note that there is no requirement for synchronization between DCO and
   DAOs. The DelayDCO timer simply ensures that the DCO control
   overhead can be reduced and is only needed when the network contains
   nodes using multiple preferred parents.

5.  Acknowledgments

   Many thanks to Alvaro Retana, Cenk Gundogan, Simon Duquennoy,
   Georgios Papadopoulous, Peter Van Der Stok for their review and
   comments.
   Alvaro Retana helped shape this document's final version with
   critical review comments.

6.  IANA Considerations

   IANA is requested to allocate new codes for the DCO and DCO-ACK
   messages from the RPL Control Codes registry.

   +------+--------------------------------------------------+---------------+
   | Code | Description                                      | Reference     |
   +------+--------------------------------------------------+---------------+
   | TBD1 | Destination Cleanup Object                       | This document |
   | TBD2 | Destination Cleanup Object Acknowledgment        | This document |
   | TBD3 | Secure Destination Cleanup Object                | This document |
   | TBD4 | Secure Destination Cleanup Object Acknowledgment | This document |
   +------+--------------------------------------------------+---------------+

   IANA is requested to allocate bit 1 from the Transit Information
   Option Flags registry for the 'I' flag (Section 4.2).

6.1.  New Registry for the Destination Cleanup Object (DCO) Flags

   IANA is requested to create a registry for the 8-bit Destination
   Cleanup Object (DCO) Flags field. This registry should be located in
   existing category of "Routing Protocol for Low Power and Lossy
   Networks (RPL)".

   New bit numbers may be allocated only by an IETF Review. Each bit is
   tracked with the following qualities:

   o  Bit number (counting from bit 0 as the most significant bit)
   o  Capability description
   o  Defining RFC

   The following bits are currently defined:

   +------------+------------------------------+---------------+
   | Bit number | Description                  | Reference     |
   +------------+------------------------------+---------------+
   | 0          | DCO-ACK request (K)          | This document |
   | 1          | DODAGID field is present (D) | This document |
   +------------+------------------------------+---------------+

                            DCO Base Flags

6.2.  New Registry for the Destination Cleanup Object Acknowledgment
      (DCO-ACK) Status field

   IANA is requested to create a registry for the 8-bit Destination
   Cleanup Object Acknowledgment (DCO-ACK) Status field. This registry
   should be located in existing category of "Routing Protocol for Low
   Power and Lossy Networks (RPL)".

   New Status values may be allocated only by an IETF Review. Each
   value is tracked with the following qualities:

   o  Status Code
   o  Description
   o  Defining RFC

   The following values are currently defined:

   +-------------+-------------------------------------------------+---------------+
   | Status Code | Description                                     | Reference     |
   +-------------+-------------------------------------------------+---------------+
   | 0           | Unqualified acceptance                          | This document |
   | 1           | No routing-entry for the indicated Target found | This document |
   +-------------+-------------------------------------------------+---------------+

                         DCO-ACK Status Codes

6.3.  New Registry for the Destination Cleanup Object (DCO)
      Acknowledgment Flags

   IANA is requested to create a registry for the 8-bit Destination
   Cleanup Object (DCO) Acknowledgment Flags field. This registry
   should be located in existing category of "Routing Protocol for Low
   Power and Lossy Networks (RPL)".

   New bit numbers may be allocated only by an IETF Review. Each bit is
   tracked with the following qualities:

   o  Bit number (counting from bit 0 as the most significant bit)
   o  Capability description
   o  Defining RFC

   The following bits are currently defined:

   +------------+------------------------------+---------------+
   | Bit number | Description                  | Reference     |
   +------------+------------------------------+---------------+
   | 0          | DODAGID field is present (D) | This document |
   +------------+------------------------------+---------------+

                          DCO-ACK Base Flags

7.  Security Considerations

   This document introduces the ability for a common ancestor node to
   invalidate a route on behalf of the target node. The common ancestor
   node could be directed to do so by the target node using the 'I' flag
   in DCO's Transit Information Option. However, the common ancestor
   node is in a position to unilaterally initiate the route invalidation
   since it possesses all the required state information, namely, the
   Target address and the corresponding Path Sequence. Thus a rogue
   common ancestor node could initiate such an invalidation and impact
   the traffic to the target node.

   The DCO carries a RPL Status value, which is informative. New Status
   values may be created over time and a node will ignore an unknown
   Status value. This enables the RPL Status field to be used as a
   covert channel. But the channel only works once since the message
   destroys its own medium, that is, the existing route that it is
   removing.

   This document also introduces an 'I' flag which is set by the target
   node and used by the ancestor node to initiate a DCO if the ancestor
   sees an update in the route adjacency. However, this flag could be
   spoofed by a malicious 6LR in the path and can cause invalidation of
   an existing active path. Note that invalidation will happen only if
   the other conditions, such as the Path Sequence condition, are also
   met. Having said that, such a malicious 6LR may spoof a DAO on
   behalf of the (sub) child with the 'I' flag set and can cause route
   invalidation on behalf of the (sub) child node. Note that, using
   existing mechanisms offered by [RFC6550], a malicious 6LR might also
   spoof a DAO with lifetime of zero or otherwise cause denial of
   service by dropping traffic entirely, so the new mechanism described
   in this document does not present a substantially increased risk of
   disruption.
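
   The Path Sequence condition mentioned above, together with the stop
   conditions of Appendix A.1 (steps 6 to 9), shown as an added example
   that is not part of this document or of any RPL implementation. The
   Node class, its method names, the constant X and the plain-integer
   Path Sequence comparison are assumptions made for illustration.

```python
# Added example, not part of the draft: DCO handling on the old path
# A -> G -> B -> D of Appendix A.1, including the Path Sequence gate.
# Assumptions: Path Sequence is compared as a plain integer (RFC 6550
# defines the real sequence-counter comparison) and an equal value is
# treated as not later; Node, on_dco and propagate_dco are hypothetical.

X = 10  # constructed stand-in for the draft's pathseq=x


class Node:
    def __init__(self, name):
        self.name = name
        self.routes = {}  # target -> (next_hop, stored_path_sequence)

    def on_dco(self, target, pathseq):
        """Process one DCO; return (action, next_hop_to_forward_to)."""
        if target == self.name:
            return ("ignore-self", None)       # A.1 step 8
        entry = self.routes.get(target)
        if entry is None:
            return ("stop-no-entry", None)     # A.1 step 9, first case
        next_hop, stored = entry
        if not pathseq > stored:
            return ("drop-not-newer", None)    # A.1 step 9, second case
        del self.routes[target]                # A.1 steps 6 and 7
        return ("invalidate", next_hop)


def propagate_dco(nodes, first_hop, target, pathseq):
    """Deliver a DCO hop by hop and return the (node, action) trace."""
    trace, hop = [], first_hop
    while hop is not None:
        action, next_hop = nodes[hop].on_dco(target, pathseq)
        trace.append((hop, action))
        hop = next_hop
    return trace


def old_path(stored_pathseq):
    """Routing state for target D on the old path before any DCO."""
    nodes = {name: Node(name) for name in "GBD"}
    nodes["G"].routes["D"] = ("B", stored_pathseq)
    nodes["B"].routes["D"] = ("D", stored_pathseq)
    return nodes


def run_scenarios():
    results = {}
    nodes = old_path(X)
    # Node A (common ancestor) sends DCO(tgt=D,pathseq=x+1) to G.
    results["fresh"] = propagate_dco(nodes, "G", "D", X + 1)
    # The same DCO again: G no longer has an entry, so it stops there.
    results["repeat"] = propagate_dco(nodes, "G", "D", X + 1)
    # G and B already hold pathseq=x+1 for D; a stale DCO that still
    # carries pathseq=x must not remove the newer state.
    nodes = old_path(X + 1)
    results["stale"] = propagate_dco(nodes, "G", "D", X)
    results["route_kept"] = nodes["G"].routes["D"]
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```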

   This document assumes that the security mechanisms as defined in
   [RFC6550] are followed, which means that the common ancestor node and
   all the 6LRs are part of the RPL network because they have the
   required credentials. A non-secure RPL network needs to take into
   consideration the risks highlighted in this section as well as those
   highlighted in [RFC6550].

   All RPL messages support a secure version of messages which allows
   integrity protection using either a MAC or a signature. Optionally,
   secured RPL messages also have encryption protection for
   confidentiality.

   The document adds new messages (DCO, DCO-ACK) which are syntactically
   similar to existing RPL messages such as DAO, DAO-ACK. Secure
   versions of DCO and DCO-ACK are added similar to other RPL messages
   (such as DAO, DAO-ACK).

   RPL supports three security modes as mentioned in Section 10.1 of
   [RFC6550]:

   1.  Unsecured: In this mode, it is expected that the RPL control
       messages are secured by other security mechanisms, such as
       link-layer security. In this mode, the RPL control messages,
       including DCO, DCO-ACK, do not have Security sections. Also note
       that unsecured mode does not imply that all messages are sent
       without any protection.
   2.  Preinstalled: In this mode, RPL uses secure messages. Thus
       secure versions of DCO, DCO-ACK MUST be used in this mode.
   3.  Authenticated: In this mode, RPL uses secure messages. Thus
       secure versions of DCO, DCO-ACK MUST be used in this mode.

8.  Normative References

   [I-D.ietf-roll-unaware-leaves]
              Thubert, P. and M. Richardson, "Routing for RPL Leaves",
              draft-ietf-roll-unaware-leaves-14 (work in progress),
              April 2020.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6550]  Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J.,
              Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur,
              JP., and R. Alexander, "RPL: IPv6 Routing Protocol for
              Low-Power and Lossy Networks", RFC 6550,
              DOI 10.17487/RFC6550, March 2012.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

Appendix A.  Example Messaging

A.1.  Example DCO Messaging

   In Figure 1, node (D) switches its parent from (B) to (C). This
   example assumes that Node D has already established its own route via
   Node B-G-A-6LBR using pathseq=x. The example uses DAO and DCO
   messaging convention and specifies only the parameters required to
   explain the example, namely: the parameter 'tgt', which stands for
   Target Option and whose value specifies the address of the target
   node; the parameter 'pathseq', which specifies the Path Sequence
   value carried in the Transit Information Option; and the parameter
   'I_flag', which specifies the 'I' flag in the Transit Information
   Option. The sequence of actions is as follows:

   1.  Node D switches its parent from node B to node C.
   2.  D sends a regular DAO(tgt=D,pathseq=x+1,I_flag=1) in the updated
       path to C.
   3.  C checks for a routing entry on behalf of D. Since it cannot find
       an entry on behalf of D, it creates a new routing entry and
       forwards the reachability information of the target D to H in a
       DAO(tgt=D,pathseq=x+1,I_flag=1).
   4.  Similar to C, node H checks for a routing entry on behalf of D,
       cannot find an entry and hence creates a new routing entry and
       forwards the reachability information of the target D to A in a
       DAO(tgt=D,pathseq=x+1,I_flag=1).
   5.  Node A receives the DAO(tgt=D,pathseq=x+1,I_flag=1), and checks
       for a routing entry on behalf of D.
       It finds a routing entry but sees that the next hop for target D
       is different (i.e., Node G). Node A checks the I_flag and
       generates DCO(tgt=D,pathseq=x+1) to the previous next hop for
       target D, which is G. Subsequently, Node A updates the routing
       entry and forwards the reachability information of target D
       upstream in a DAO(tgt=D,pathseq=x+1,I_flag=1).
   6.  Node G receives the DCO(tgt=D,pathseq=x+1). It checks if the
       received path sequence is later than the stored path sequence.
       If it is later, Node G invalidates the routing entry of target D
       and forwards the (un)reachability information downstream to B in
       DCO(tgt=D,pathseq=x+1).
   7.  Similarly, B processes the DCO(tgt=D,pathseq=x+1) by invalidating
       the routing entry of target D and forwards the (un)reachability
       information downstream to D.
   8.  D ignores the DCO(tgt=D,pathseq=x+1) since the target is itself.
   9.  The propagation of the DCO will stop at any node where the node
       does not have any routing information associated with the target.
       If cached routing information is present and the cached Path
       Sequence is higher than the value in the DCO, then the DCO is
       dropped.

A.2.  Example DCO Messaging with multiple preferred parents

           (6LBR)
             |
             |
             |
           (N11)
            / \
           /   \
          /     \
       (N21)   (N22)
         /      / \
        /      /   \
       /      /     \
    (N31)  (N32)  (N33)
        :    |    /
         :   |   /
          :  |  /
           (N41)

                     Figure 5: Sample topology 2

   In Figure 5, node (N41) selects multiple preferred parents (N32) and
   (N33). The sequence of actions is as follows:

   1.   (N41) sends DAO(tgt=N41,PS=x,I_flag=1) to (N32) and (N33). Here
        I_flag refers to the Invalidation flag and PS refers to Path
        Sequence in Transit Information option.
   2.   (N32) sends DAO(tgt=N41,PS=x,I_flag=1) to (N22). (N33) also
        sends DAO(tgt=N41,PS=x,I_flag=1) to (N22). (N22) learns
        multiple routes for the same destination (N41) through multiple
        next-hops.
        (N22) may receive the DAOs from (N32) and (N33) in any order
        with the I_flag set. The implementation should use the DelayDCO
        timer to wait to initiate the DCO. If (N22) receives an updated
        DAO from all the paths then the DCO need not be initiated in
        this case. Thus the route table at N22 should contain
        (Dst,NextHop,PS): { (N41,N32,x), (N41,N33,x) }.
   3.   (N22) sends DAO(tgt=N41,PS=x,I_flag=1) to (N11).
   4.   (N11) sends DAO(tgt=N41,PS=x,I_flag=1) to (6LBR). Thus the
        complete path is established.
   5.   (N41) decides to change preferred parent set from { N32, N33 }
        to { N31, N32 }.
   6.   (N41) sends DAO(tgt=N41,PS=x+1,I_flag=1) to (N32). (N41) sends
        DAO(tgt=N41,PS=x+1,I_flag=1) to (N31).
   7.   (N32) sends DAO(tgt=N41,PS=x+1,I_flag=1) to (N22). (N22) has
        multiple routes to destination (N41). It sees that a new Path
        Sequence for Target=N41 is received and thus it waits for a
        pre-determined time period (DelayDCO time period) to invalidate
        another route {(N41),(N33),x}. After the time period, (N22)
        sends DCO(tgt=N41,PS=x+1) to (N33). Also (N22) sends the
        regular DAO(tgt=N41,PS=x+1,I_flag=1) to (N11).
   8.   (N33) receives DCO(tgt=N41,PS=x+1). The received Path Sequence
        is latest and thus it invalidates the entry associated with
        target (N41). (N33) then sends the DCO(tgt=N41,PS=x+1) to
        (N41). (N41) sees itself as the target and drops the DCO.
   9.   From Step 6 above, (N31) receives the
        DAO(tgt=N41,PS=x+1,I_flag=1). It creates a routing entry and
        sends the DAO(tgt=N41,PS=x+1,I_flag=1) to (N21). Similarly
        (N21) receives the DAO and subsequently sends the
        DAO(tgt=N41,PS=x+1,I_flag=1) to (N11).
   10.  (N11) receives DAO(tgt=N41,PS=x+1,I_flag=1) from (N21). It
        waits for DelayDCO timer since it has multiple routes to (N41).
        (N11) will receive DAO(tgt=N41,PS=x+1,I_flag=1) from (N22) from
        Step 7 above.
        Thus (N11) has received regular DAO(tgt=N41,PS=x+1,I_flag=1)
        from all paths and thus does not initiate DCO.
   11.  (N11) forwards the DAO(tgt=N41,PS=x+1,I_flag=1) to 6LBR and the
        full path is established.

Authors' Addresses

   Rahul Arvind Jadhav (editor)
   Huawei
   Kundalahalli Village, Whitefield,
   Bangalore, Karnataka 560037
   India

   Phone: +91-080-49160700
   Email: rahul.ietf@gmail.com


   Pascal Thubert
   Cisco Systems, Inc
   Building D
   45 Allee des Ormes - BP1200
   MOUGINS - Sophia Antipolis 06254
   France

   Phone: +33 497 23 26 34
   Email: pthubert@cisco.com


   Rabi Narayan Sahoo
   Huawei
   Kundalahalli Village, Whitefield,
   Bangalore, Karnataka 560037
   India

   Phone: +91-080-49160700
   Email: rabinarayans@huawei.com


   Zhen Cao
   Huawei
   W Chang'an Ave
   Beijing
   P.R. China

   Email: zhencao.ietf@gmail.com
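
   The DelayDCO handling of Section 4.6.4 and Appendix A.2 (steps 2, 7
   and 10), including the case where the timer fires before a late DAO
   arrives, as an added example that is not part of this document or of
   any RPL implementation. The Ancestor class, its method names, the
   event times and the plain-integer Path Sequence comparison are
   assumptions made for illustration.

```python
# Added example, not part of the draft: the DelayDCO decision at a common
# ancestor that holds several next hops for one target (Appendix A.2).
# Assumptions: Path Sequence is compared as a plain integer, time is a
# simulated number of seconds, and Ancestor and its methods are hypothetical.

DELAY_DCO = 1.0  # seconds, the value recommended in Section 4.6.4


class Ancestor:
    def __init__(self):
        self.routes = {}   # target -> {next_hop: path_sequence}
        self.pending = {}  # target -> (timer_deadline, newest_path_sequence)

    def on_dao(self, now, target, next_hop, pathseq, i_flag):
        """Store the DAO; arm DelayDCO if it outdates another next hop."""
        hops = self.routes.setdefault(target, {})
        outdates = any(pathseq > ps for hop, ps in hops.items()
                       if hop != next_hop)
        hops[next_hop] = max(pathseq, hops.get(next_hop, pathseq))
        if i_flag and outdates:
            deadline, newest = self.pending.get(
                target, (now + DELAY_DCO, pathseq))
            self.pending[target] = (deadline, max(newest, pathseq))

    def on_timer(self, now):
        """Fire expired timers; return DCOs as (next_hop, target, pathseq)."""
        dcos = []
        for target, (deadline, newest) in list(self.pending.items()):
            if now < deadline:
                continue
            del self.pending[target]
            hops = self.routes[target]
            for hop in sorted(h for h, ps in hops.items() if ps < newest):
                del hops[hop]  # invalidate the outdated route
                dcos.append((hop, target, newest))
        return dcos


def n22_case(x=10):
    """A.2 steps 2 and 7 as seen by (N22); x is a constructed value."""
    n22 = Ancestor()
    n22.on_dao(0.0, "N41", "N32", x, True)
    n22.on_dao(0.1, "N41", "N33", x, True)
    n22.on_dao(5.0, "N41", "N32", x + 1, True)  # only N32 is refreshed
    return n22.on_timer(6.0), n22.routes["N41"]


def n11_case(dao_from_n22_at, x=10):
    """A.2 steps 3 and 10 as seen by (N11); the timer fires at t=6.0."""
    n11 = Ancestor()
    n11.on_dao(0.0, "N41", "N22", x, True)
    n11.on_dao(5.0, "N41", "N21", x + 1, True)  # new next hop, arms timer
    dcos = []
    for t, kind in sorted([(dao_from_n22_at, "dao"), (6.0, "timer")]):
        if kind == "dao":
            n11.on_dao(t, "N41", "N22", x + 1, True)
        else:
            dcos = n11.on_timer(t)
    return dcos, n11.routes["N41"]
```

   Calling n11_case(6.5) models the DAO from (N22) arriving after the
   timer: a DCO goes out towards (N22), and the late DAO then restores
   the route, as Section 4.6.4 describes.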