idnits 2.17.1 draft-ietf-shim6-proto-08.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 5519. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 5530. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 5537. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 5543. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year == Line 3265 has weird spacing: '...payload exten...' == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (May 2007) is 6190 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: 'CGA' on line 4011 -- Looks like a reference, but probably isn't: 'FII' on line 2327 == Unused Reference: '4' is defined on line 5394, but no explicit reference was found in the text == Unused Reference: '5' is defined on line 5397, but no explicit reference was found in the text == Unused Reference: '12' is defined on line 5425, but no explicit reference was found in the text == Unused Reference: '24' is defined on line 5464, but no explicit reference was found in the text == Unused Reference: '25' is defined on line 5469, but no explicit reference was found in the text == Unused Reference: '27' is defined on line 5476, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2460 (ref. '2') (Obsoleted by RFC 8200) ** Obsolete normative reference: RFC 2461 (ref. '3') (Obsoleted by RFC 4861) ** Obsolete normative reference: RFC 2462 (ref. '4') (Obsoleted by RFC 4862) ** Obsolete normative reference: RFC 2463 (ref. '5') (Obsoleted by RFC 4443) == Outdated reference: A later version (-05) exists of draft-ietf-shim6-hba-02 == Outdated reference: A later version (-13) exists of draft-ietf-shim6-failure-detection-07 -- Obsolete informational reference (is this intentional?): RFC 3041 (ref. '12') (Obsoleted by RFC 4941) -- Obsolete informational reference (is this intentional?): RFC 3484 (ref. '13') (Obsoleted by RFC 6724) -- Obsolete informational reference (is this intentional?): RFC 3697 (ref. '17') (Obsoleted by RFC 6437) == Outdated reference: A later version (-08) exists of draft-ietf-shim6-applicability-02 == Outdated reference: A later version (-10) exists of draft-ietf-hip-base-07 == Outdated reference: A later version (-03) exists of draft-schuetz-tcpm-tcp-rlci-01 Summary: 5 errors (**), 0 flaws (~~), 15 warnings (==), 12 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SHIM6 WG E. Nordmark 3 Internet-Draft Sun Microsystems 4 Expires: November 2, 2007 M. Bagnulo 5 UC3M 6 May 2007 8 Shim6: Level 3 Multihoming Shim Protocol for IPv6 9 draft-ietf-shim6-proto-08.txt 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on November 2, 2007. 36 Copyright Notice 38 Copyright (C) The IETF Trust (2007). 40 Abstract 42 This document defines the Shim6 protocol, a layer 3 shim for 43 providing locator agility below the transport protocols, so that 44 multihoming can be provided for IPv6 with failover and load sharing 45 properties, without assuming that a multihomed site will have a 46 provider independent IPv6 address prefix which is announced in the 47 global IPv6 routing table. The hosts in a site which has multiple 48 provider allocated IPv6 address prefixes, will use the Shim6 protocol 49 specified in this document to setup state with peer hosts, so that 50 the state can later be used to failover to a different locator pair, 51 should the original one stop working. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 56 1.1. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 5 57 1.2. Non-Goals . . . . . . . . . . . . . . . . . . . . . . . . 6 58 1.3. Locators as Upper-layer IDentifiers (ULID) . . . . . . . 6 59 1.4. IP Multicast . . . . . . . . . . . . . . . . . . . . . . 7 60 1.5. Renumbering Implications . . . . . . . . . . . . . . . . 8 61 1.6. Placement of the shim . . . . . . . . . . . . . . . . . . 9 62 1.7. Traffic Engineering . . . . . . . . . . . . . . . . . . . 11 63 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 12 64 2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 12 65 2.2. Notational Conventions . . . . . . . . . . . . . . . . . 15 66 3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 16 67 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 17 68 4.1. Context Tags . . . . . . . . . . . . . . . . . . . . . . 19 69 4.2. Context Forking . . . . . . . . . . . . . . . . . . . . . 19 70 4.3. API Extensions . . . . . . . . . . . . . . . . . . . . . 20 71 4.4. Securing Shim6 . . . . . . . . . . . . . . . . . . . . . 20 72 4.5. Overview of Shim Control Messages . . . . . . . . . . . . 21 73 4.6. Extension Header Order . . . . . . . . . . . . . . . . . 22 74 5. Message Formats . . . . . . . . . . . . . . . . . . . . . . . 24 75 5.1. Common Shim6 Message Format . . . . . . . . . . . . . . . 24 76 5.2. Payload Extension Header Format . . . . . . . . . . . . . 25 77 5.3. Common Shim6 Control header . . . . . . . . . . . . . . . 25 78 5.4. I1 Message Format . . . . . . . . . . . . . . . . . . . . 27 79 5.5. R1 Message Format . . . . . . . . . . . . . . . . . . . . 28 80 5.6. I2 Message Format . . . . . . . . . . . . . . . . . . . . 30 81 5.7. R2 Message Format . . . . . . . . . . . . . . . . . . . . 32 82 5.8. R1bis Message Format . . . . . . . . . . . . . . . . . . 33 83 5.9. I2bis Message Format . . . . . . . . . . . . . . . . . . 34 84 5.10. Update Request Message Format . . . . . . . . . . . . . . 36 85 5.11. Update Acknowledgement Message Format . . . . . . . . . . 38 86 5.12. Keepalive Message Format . . . . . . . . . . . . . . . . 39 87 5.13. Probe Message Format . . . . . . . . . . . . . . . . . . 39 88 5.14. Error Message Format . . . . . . . . . . . . . . . . . . 40 89 5.15. Option Formats . . . . . . . . . . . . . . . . . . . . . 41 90 5.15.1. Responder Validator Option Format . . . . . . . . . 43 91 5.15.2. Locator List Option Format . . . . . . . . . . . . . 44 92 5.15.3. Locator Preferences Option Format . . . . . . . . . 46 93 5.15.4. CGA Parameter Data Structure Option Format . . . . . 48 94 5.15.5. CGA Signature Option Format . . . . . . . . . . . . 48 95 5.15.6. ULID Pair Option Format . . . . . . . . . . . . . . 49 96 5.15.7. Forked Instance Identifier Option Format . . . . . . 50 97 5.15.8. Keepalive Timeout Option Format . . . . . . . . . . 50 98 6. Conceptual Model of a Host . . . . . . . . . . . . . . . . . 51 99 6.1. Conceptual Data Structures . . . . . . . . . . . . . . . 51 100 6.2. Context States . . . . . . . . . . . . . . . . . . . . . 52 101 7. Establishing ULID-Pair Contexts . . . . . . . . . . . . . . . 54 102 7.1. Uniqueness of Context Tags . . . . . . . . . . . . . . . 54 103 7.2. Locator Verification . . . . . . . . . . . . . . . . . . 54 104 7.3. Normal context establishment . . . . . . . . . . . . . . 55 105 7.4. Concurrent context establishment . . . . . . . . . . . . 55 106 7.5. Context recovery . . . . . . . . . . . . . . . . . . . . 57 107 7.6. Context confusion . . . . . . . . . . . . . . . . . . . . 59 108 7.7. Sending I1 messages . . . . . . . . . . . . . . . . . . . 60 109 7.8. Retransmitting I1 messages . . . . . . . . . . . . . . . 61 110 7.9. Receiving I1 messages . . . . . . . . . . . . . . . . . . 61 111 7.10. Sending R1 messages . . . . . . . . . . . . . . . . . . . 62 112 7.10.1. Generating the R1 Validator . . . . . . . . . . . . 63 113 7.11. Receiving R1 messages and sending I2 messages . . . . . . 63 114 7.12. Retransmitting I2 messages . . . . . . . . . . . . . . . 64 115 7.13. Receiving I2 messages . . . . . . . . . . . . . . . . . . 64 116 7.14. Sending R2 messages . . . . . . . . . . . . . . . . . . . 66 117 7.15. Match for Context Confusion . . . . . . . . . . . . . . . 66 118 7.16. Receiving R2 messages . . . . . . . . . . . . . . . . . . 67 119 7.17. Sending R1bis messages . . . . . . . . . . . . . . . . . 68 120 7.17.1. Generating the R1bis Validator . . . . . . . . . . . 69 121 7.18. Receiving R1bis messages and sending I2bis messages . . . 69 122 7.19. Retransmitting I2bis messages . . . . . . . . . . . . . . 70 123 7.20. Receiving I2bis messages and sending R2 messages . . . . 70 124 8. Handling ICMP Error Messages . . . . . . . . . . . . . . . . 73 125 9. Teardown of the ULID-Pair Context . . . . . . . . . . . . . . 75 126 10. Updating the Peer . . . . . . . . . . . . . . . . . . . . . . 76 127 10.1. Sending Update Request messages . . . . . . . . . . . . . 76 128 10.2. Retransmitting Update Request messages . . . . . . . . . 76 129 10.3. Newer Information While Retransmitting . . . . . . . . . 77 130 10.4. Receiving Update Request messages . . . . . . . . . . . . 77 131 10.5. Receiving Update Acknowledgement messages . . . . . . . . 79 132 11. Sending ULP Payloads . . . . . . . . . . . . . . . . . . . . 80 133 11.1. Sending ULP Payload after a Switch . . . . . . . . . . . 80 134 12. Receiving Packets . . . . . . . . . . . . . . . . . . . . . . 82 135 12.1. Receiving payload without extension headers . . . . . . . 82 136 12.2. Receiving Payload Extension Headers . . . . . . . . . . . 82 137 12.3. Receiving Shim Control messages . . . . . . . . . . . . . 83 138 12.4. Context Lookup . . . . . . . . . . . . . . . . . . . . . 83 139 13. Initial Contact . . . . . . . . . . . . . . . . . . . . . . . 86 140 14. Protocol constants . . . . . . . . . . . . . . . . . . . . . 87 141 15. Implications Elsewhere . . . . . . . . . . . . . . . . . . . 88 142 15.1. Congestion Control Considerations . . . . . . . . . . . . 88 143 15.2. Middle-boxes considerations . . . . . . . . . . . . . . . 88 144 15.3. Other considerations . . . . . . . . . . . . . . . . . . 89 145 16. Security Considerations . . . . . . . . . . . . . . . . . . . 91 146 17. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 94 147 18. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 96 148 Appendix A. Possible Protocol Extensions . . . . . . . . . . 97 149 Appendix B. Simplified State Machine . . . . . . . . . . . . 99 150 Appendix B.1. Simplified State Machine diagram . . . . . . . . 104 151 Appendix C. Context Tag Reuse . . . . . . . . . . . . . . . . 106 152 Appendix C.1. Context Recovery . . . . . . . . . . . . . . . . 106 153 Appendix C.2. Context Confusion . . . . . . . . . . . . . . . . 106 154 Appendix C.3. Three Party Context Confusion . . . . . . . . . . 107 155 Appendix D. Design Alternatives . . . . . . . . . . . . . . . 108 156 Appendix D.1. Context granularity . . . . . . . . . . . . . . . 108 157 Appendix D.2. Demultiplexing of data packets in Shim6 158 communications . . . . . . . . . . . . . . . . . 108 159 Appendix D.2.1. Flow-label . . . . . . . . . . . . . . . . . . . 109 160 Appendix D.2.2. Extension Header . . . . . . . . . . . . . . . . 111 161 Appendix D.3. Context Loss Detection . . . . . . . . . . . . . 112 162 Appendix D.4. Securing locator sets . . . . . . . . . . . . . . 114 163 Appendix D.5. ULID-pair context establishment exchange . . . . 117 164 Appendix D.6. Updating locator sets . . . . . . . . . . . . . . 118 165 Appendix D.7. State Cleanup . . . . . . . . . . . . . . . . . . 118 166 Appendix E. Change Log . . . . . . . . . . . . . . . . . . . 121 167 19. References . . . . . . . . . . . . . . . . . . . . . . . . . 127 168 19.1. Normative References . . . . . . . . . . . . . . . . . . 127 169 19.2. Informative References . . . . . . . . . . . . . . . . . 127 170 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 130 171 Intellectual Property and Copyright Statements . . . . . . . . . 131 173 1. Introduction 175 This document describes a layer 3 shim approach and protocol for 176 providing locator agility below the transport protocols, so that 177 multihoming can be provided for IPv6 with failover and load sharing 178 properties [16], without assuming that a multihomed site will have a 179 provider independent IPv6 address which is announced in the global 180 IPv6 routing table. The hosts in a site which has multiple provider 181 allocated IPv6 address prefixes, will use the Shim6 protocol 182 specified in this document to setup state with peer hosts, so that 183 the state can later be used to failover to a different locator pair, 184 should the original one stop working (the term locator is defined in 185 Section 2). 187 The Shim6 protocol is a site multihoming solution in the sense that 188 it allows existing communication to continue when a site that has 189 multiple connections to the internet experiences an outage on a 190 subset of these connections or further upstream. However, Shim6 191 processing is performed in individual hosts rather than through site- 192 wide mechanisms. 194 We assume that redirection attacks are prevented using Hash Based 195 Addresses (HBA) as defined in [8]. 197 The reachability and failure detection mechanisms, including how a 198 new working locator pair is discovered after a failure, are specified 199 in a separate document [9]. This document allocates message types 200 and option types for that sub-protocol, and leaves the specification 201 of the message and option formats as well as the protocol behavior to 202 that document. 204 1.1. Goals 206 The goals for this approach are to: 208 o Preserve established communications in the presence of certain 209 classes of failures, for example, TCP connections and UDP streams. 211 o Have minimal impact on upper layer protocols in general and on 212 transport protocols and applications in particular. 214 o Address the security threats in [20] through the combination of 215 the HBA/CGA approach specified in a separate document [8] and 216 techniques described in this document. 218 o Not require extra roundtrip up front to setup shim specific state. 219 Instead allow the upper layer traffic (e.g., TCP) to flow as 220 normal and defer the setup of the shim state until some number of 221 packets have been exchanged. 223 o Take advantage of multiple locators/addresses for load spreading 224 so that different sets of communication to a host (e.g., different 225 connections) might use different locators of the host. Note that 226 this might cause load to be spread unevenly, thus we use the term 227 "load spreading" instead of "load balancing". This capability 228 might enable some forms of traffic engineering, but the details 229 for traffic engineering, including what requirements can be 230 satisfied, are not specified in this document, and form part of a 231 potential extensions to this protocol. 233 1.2. Non-Goals 235 The assumption is that the problem we are trying to solve is site 236 multihoming, with the ability to have the set of site prefixes change 237 over time due to site renumbering. Further, we assume that such 238 changes to the set of locator prefixes can be relatively slow and 239 managed; slow enough to allow updates to the DNS to propagate (since 240 the protocol defined in this document depends on the DNS to find the 241 appropriate locator sets). Note, however that it is an explicit non- 242 goal to make communication survive a renumbering event (which causes 243 all the locators of a host to change to a new set of locators). This 244 proposal does not attempt to solve the related problem of host 245 mobility. However, it might turn out that the Shim6 protocol can be 246 a useful component for future host mobility solutions, e.g., for 247 route optimization. 249 Finally, this proposal also does not try to provide a new network 250 level or transport level identifier name space distinct from the 251 current IP address name space. Even though such a concept would be 252 useful to Upper Layer Protocols (ULPs) and applications, especially 253 if the management burden for such a name space was negligible and 254 there was an efficient yet secure mechanism to map from identifiers 255 to locators, such a name space isn't necessary (and furthermore 256 doesn't seem to help) to solve the multihoming problem. 258 The Shim6 proposal doesn't fully separate the identifier and locator 259 functions that have traditionally been overloaded in the IP address. 260 However, throughout this document the term "identifier", or more 261 specifically, Upper Layer Identifier (ULID) refers to the identifying 262 function of an IPv6 address, and "locator" to the network layer 263 routing and forwarding properties of an IPv6 address. 265 1.3. Locators as Upper-layer IDentifiers (ULID) 267 The approach described in this document does not introduce a new 268 identifier name space but instead uses the locator that is selected 269 in the initial contact with the remote peer as the preserved Upper- 270 Layer Identifier (ULID). While there may be subsequent changes in 271 the selected network level locators over time in response to failures 272 in using the original locator, the upper level protocol stack 273 elements will continue to use this upper level identifier without 274 change. 276 This implies that the ULID selection is performed as today's default 277 address selection as specified in RFC 3484 [13]. Some extensions are 278 needed to RFC 3484 to try different source addresses, whether or not 279 the Shim6 protocol is used, as outlined in [14]. Underneath, and 280 transparently, the multihoming shim selects working locator pairs 281 with the initial locator pair being the ULID pair. If communication 282 subsequently fails the shim can test and select alternate locators. 283 A subsequent section discusses the issues when the selected ULID is 284 not initially working hence there is a need to switch locators up 285 front. 287 Using one of the locators as the ULID has certain benefits for 288 applications which have long-lived session state or performs 289 callbacks or referrals, because both the FQDN and the 128-bit ULID 290 work as handles for the applications. However, using a single 128- 291 bit ULID doesn't provide seamless communication when that locator is 292 unreachable. See [23] for further discussion of the application 293 implications. 295 There has been some discussion of using non-routable addresses, such 296 as Unique-Local Addresses (ULAs) [19], as ULIDs in a multihoming 297 solution. While this document doesn't specify all aspects of this, 298 it is believed that the approach can be extended to handle the non- 299 routable address case. For example, the protocol already needs to 300 handle ULIDs that are not initially reachable. Thus the same 301 mechanism can handle ULIDs that are permanently unreachable from 302 outside their site. The issue becomes how to make the protocol 303 perform well when the ULID is known a priori to be not reachable 304 (e.g. the ULID is a ULA), for instance, avoiding any timeout and 305 retries in this case. In addition one would need to understand how 306 the ULAs would be entered in the DNS to avoid a performance impact on 307 existing, non-Shim6 aware, IPv6 hosts potentially trying to 308 communicate to the (unreachable) ULA. 310 1.4. IP Multicast 312 IP Multicast requires that the IP source address field contain a 313 topologically correct locator for interface that is used to send the 314 packet, since IP multicast routing uses both the source address and 315 the destination group to determine where to forward the packet. In 316 particular, it need to be able to do the RPF check. (This isn't much 317 different than the situation with widely implemented ingress 318 filtering [11] for unicast.) 320 While in theory it would be possible to apply the shim re-mapping of 321 the IP address fields between ULIDs and locators, the fact that all 322 the multicast receivers would need to know the mapping to perform, 323 makes such an approach difficult in practice. Thus it makes sense to 324 have multicast ULPs operate directly on locators and not use the 325 shim. This is quite a natural fit for protocols which use RTP [15], 326 since RTP already has an explicit identifier in the form of the SSRC 327 field in the RTP headers. Thus the actual IP address fields are not 328 important to the application. 330 In summary, IP multicast will not need the shim to remap the IP 331 addresses. 333 This doesn't prevent the receiver of multicast to change its 334 locators, since the receiver is not explicitly identified; the 335 destination address is a multicast address and not the unicast 336 locator of the receiver. 338 1.5. Renumbering Implications 340 As stated above, this approach does not try to make communication 341 survive renumbering in the general case. 343 When a host is renumbered, the effect is that one or more locators 344 become invalid, and zero or more locators are added to the host's 345 network interface. This means that the set of locators that is used 346 in the shim will change, which the shim can handle as long as not all 347 the original locators become invalid at the same time and depending 348 on the time that is required to update the DNS and for those updates 349 to propagate. 351 But IP addresses are also used as ULIDs, and making the communication 352 survive locators becoming invalid can potentially cause some 353 confusion at the upper layers. The fact that a ULID might be used 354 with a different locator over time open up the possibility that 355 communication between two ULIDs might continue to work after one or 356 both of those ULIDs are no longer reachable as locators, for example 357 due to a renumbering event. This opens up the possibility that the 358 ULID (or at least the prefix on which it is based) is reassigned to 359 another site while it is still being used (with another locator) for 360 existing communication. 362 In the worst case we could end up with two separate hosts using the 363 same ULID while both of them are communicating with the same host. 365 This potential source for confusion is avoided requiring that any 366 communication using a ULID MUST be terminated when the ULID becomes 367 invalid (due to the underlying prefix becoming invalid). This 368 behaviour can be accomplished by explicitly discarding the shim state 369 when the ULID becomes invalid. The context recovery mechanism will 370 then make the peer aware that the context is gone, and that the ULID 371 is no longer present at the same locator(s). 373 1.6. Placement of the shim 375 ----------------------- 376 | Transport Protocols | 377 ----------------------- 379 ------ ------- -------------- ------------- IP endpoint 380 | AH | | ESP | | Frag/reass | | Dest opts | sub-layer 381 ------ ------- -------------- ------------- 383 --------------------- 384 | Shim6 shim layer | 385 --------------------- 387 ------ IP routing 388 | IP | sub-layer 389 ------ 391 Figure 1: Protocol stack 393 The proposal uses a multihoming shim layer within the IP layer, i.e., 394 below the ULPs, as shown in Figure 1, in order to provide ULP 395 independence. The multihoming shim layer behaves as if it is 396 associated with an extension header, which would be placed after any 397 routing-related headers in the packet (such as any hop-by-hop 398 options, or routing header). However, when the locator pair is the 399 ULID pair there is no data that needs to be carried in an extension 400 header, thus none is needed in that case. 402 Layering AH and ESP above the multihoming shim means that IPsec can 403 be made to be unaware of locator changes the same way that transport 404 protocols can be unaware. Thus the IPsec security associations 405 remain stable even though the locators are changing. This means that 406 the IP addresses specified in the selectors should be the ULIDs. 408 Layering the fragmentation header above the multihoming shim makes 409 reassembly robust in the case that there is broken multi-path routing 410 which results in using different paths, hence potentially different 411 source locators, for different fragments. Thus, effectively the 412 multihoming shim layer is placed between the IP endpoint sublayer, 413 which handles fragmentation, reassembly, and IPsec, and the IP 414 routing sublayer, which selects which next hop and interface to use 415 for sending out packets. 417 Applications and upper layer protocols use ULIDs which the Shim6 418 layer map to/from different locators. The Shim6 layer maintains 419 state, called ULID-pair context, per ULID pair (that is, applies to 420 all ULP connections between the ULID pair) in order to perform this 421 mapping. The mapping is performed consistently at the sender and the 422 receiver so that ULPs see packets that appear to be sent using ULIDs 423 from end to end. This property is maintained even though the packets 424 travel through the network containing locators in the IP address 425 fields, and even though those locators may be changed by the 426 transmitting Shim6 layer. 428 The context state is maintained per remote ULID i.e. approximately 429 per peer host, and not at any finer granularity. In particular, it 430 is independent of the ULPs and any ULP connections. However, the 431 forking capability enables shim-aware ULPs to use more than one 432 locator pair at a time for an single ULID pair. 434 ---------------------------- ---------------------------- 435 | Sender A | | Receiver B | 436 | | | | 437 | ULP | | ULP | 438 | | src ULID(A)=L1(A) | | ^ | 439 | | dst ULID(B)=L1(B) | | | src ULID(A)=L1(A) | 440 | v | | | dst ULID(B)=L1(B) | 441 | multihoming shim | | multihoming shim | 442 | | src L2(A) | | ^ | 443 | | dst L3(B) | | | src L2(A) | 444 | v | | | dst L3(B) | 445 | IP | | IP | 446 ---------------------------- ---------------------------- 447 | ^ 448 ------- cloud with some routers ------- 450 Figure 2: Mapping with changed locators 452 The result of this consistent mapping is that there is no impact on 453 the ULPs. In particular, there is no impact on pseudo-header 454 checksums and connection identification. 456 Conceptually, one could view this approach as if both ULIDs and 457 locators are being present in every packet, and with a header 458 compression mechanism applied that removes the need for the ULIDs to 459 be carried in the packets once the compression state has been 460 established. In order for the receiver to recreate a packet with the 461 correct ULIDs there is a need to include some "compression tag" in 462 the data packets. This serves to indicate the correct context to use 463 for decompression when the locator pair in the packet is insufficient 464 to uniquely identify the context. 466 1.7. Traffic Engineering 468 At the time of this writing it is not clear what requirements for 469 traffic engineering make sense for the Shim6 protocol, since the 470 requirements must both result in some useful behavior as well as be 471 implementable using a host-to-host locator agility mechanism like 472 Shim6. 474 Inherent in a scalable multihoming mechanism that separates the 475 locator function of the IP address from identifying function of the 476 IP address is that each host ends up with multiple locators. This 477 means that at least for initial contact, it is the remote peer 478 application (or layer working on its behalf) needs to select an 479 initial ULID, which automatically becomes the initial locator. In 480 the case of Shim6 this is performed by applying RFC 3484 address 481 selection. 483 This is quite different than the common case of IPv4 multihoming 484 where the site has a single IP address prefix, since in that case the 485 peer performs no destination address selection. 487 Thus in "single prefix multihoming" the site, and in many cases its 488 upstream ISPs, can use BGP to exert some control of the ingress path 489 used to reach the site. This capability can't easily be recreated in 490 "multiple prefix multihoming" such as Shim6. 492 The protocol provides a placeholder, in the form of the Locator 493 Preferences option, which can be used by hosts to express priority 494 and weight values for each locator. This is intentionally made 495 identical to the DNS SRV [10] specification of priority and weight, 496 so that DNS SRV records can be used for initial contact and the shim 497 for failover, and they can use the same way to describe the 498 preferences. But the Locator Preference option is merely a place 499 holder when it comes to providing traffic engineering; in order to 500 use this in a large site there would have to be a mechanism by which 501 the host can find out what preference values to use, either 502 statically (e.g., some new DHCPv6 option) or dynamically. 504 Thus traffic engineering is listed as a possible extension in 505 Appendix A. 507 2. Terminology 509 This document uses the terms MUST, SHOULD, RECOMMENDED, MAY, SHOULD 510 NOT and MUST NOT defined in RFC 2119 [1]. 512 2.1. Definitions 514 This document introduces the following terms: 516 upper layer protocol (ULP) 517 A protocol layer immediately above IP. Examples 518 are transport protocols such as TCP and UDP, 519 control protocols such as ICMP, routing protocols 520 such as OSPF, and internet or lower-layer 521 protocols being "tunneled" over (i.e., 522 encapsulated in) IP such as IPX, AppleTalk, or IP 523 itself. 525 interface A node's attachment to a link. 527 address An IP layer name that contains both topological 528 significance and acts as a unique identifier for 529 an interface. 128 bits. This document only uses 530 the "address" term in the case where it isn't 531 specific whether it is a locator or an 532 identifier. 534 locator An IP layer topological name for an interface or 535 a set of interfaces. 128 bits. The locators are 536 carried in the IP address fields as the packets 537 traverse the network. 539 identifier An IP layer name for an IP layer endpoint. The 540 transport endpoint name is a function of the 541 transport protocol and would typically include 542 the IP identifier plus a port number. 543 NOTE: This proposal does not specify any new form 544 of IP layer identifier, but still separates the 545 identifying and locating properties of the IP 546 addresses. 548 upper-layer identifier (ULID) 549 An IP address which has been selected for 550 communication with a peer to be used by the upper 551 layer protocol. 128 bits. This is used for 552 pseudo-header checksum computation and connection 553 identification in the ULP. Different sets of 554 communication to a host (e.g., different 555 connections) might use different ULIDs in order 556 to enable load spreading. 558 Since the ULID is just one of the IP locators/ 559 addresses of the node, there is no need for a 560 separate name space and allocation mechanisms. 562 address field The source and destination address fields in the 563 IPv6 header. As IPv6 is currently specified this 564 fields carry "addresses". If identifiers and 565 locators are separated these fields will contain 566 locators for packets on the wire. 568 FQDN Fully Qualified Domain Name 570 ULID-pair context The state that the multihoming shim maintains 571 between a pair of Upper-layer identifiers. The 572 context is identified by a context tag for each 573 direction of the communication, and also 574 identified by the pair of ULID and a Forked 575 Instance Identifier (see below). 577 Context tag Each end of the context allocates a context tag 578 for the context. This is used to uniquely 579 associate both received control packets and 580 payload extension headers as belonging to the 581 context. 583 Current locator pair 584 Each end of the context has a current locator 585 pair which is used to send packets to the peer. 586 The two ends might use different current locator 587 pairs though. 589 Default context At the sending end, the shim uses the ULID pair 590 (passed down from the ULP) to find the context 591 for that pair. Thus, normally, a host can have 592 at most one context for a ULID pair. We call 593 this the "default context". 595 Context forking A mechanism which allows ULPs that are aware of 596 multiple locators to use separate contexts for 597 the same ULID pair, in order to be able use 598 different locator pairs for different 599 communication to the same ULID. Context forking 600 causes more than just the default context to be 601 created for a ULID pair. 603 Forked Instance Identifier (FII) 604 In order to handle context forking, a context is 605 identified by a ULID-pair and a forked context 606 identifier. The default context has a FII of 607 zero. 609 Initial contact We use this term to refer to the pre-shim 610 communication when some ULP decides to start 611 communicating with a peer by sending and 612 receiving ULP packets. Typically this would not 613 invoke any operations in the shim, since the shim 614 can defer the context establishment until some 615 arbitrary later point in time. 617 Hash Based Addresses (HBA) 618 A form of IPv6 address where the interface ID is 619 derived from a cryptographic hash of all the 620 prefixes assigned to the host. See [8]. 622 Cryptographically Generated Addresses (CGA) 623 A form of IPv6 address where the interface ID is 624 derived from a cryptographic hash of the public 625 key. See [6]. 627 CGA Parameter Data Structure (PDS) 628 The information that CGA and HBA exchanges in 629 order to inform the peer of how the interface ID 630 was computed. See [6]., [8]. 632 2.2. Notational Conventions 634 A, B, and C are hosts. X is a potentially malicious host. 636 FQDN(A) is the Fully qualified Domain Name for A. 638 Ls(A) is the locator set for A, which consists of the locators L1(A), 639 L2(A), ... Ln(A). The locator set in not ordered in any particular 640 way other than maybe what is returned by the DNS. 642 ULID(A) is an upper-layer ID for A. In this proposal, ULID(A) is 643 always one member of A's locator set. 645 CT(X) is a context tag assigned by X. 647 This document also makes use of internal conceptual variables to 648 describe protocol behavior and external variables that an 649 implementation must allow system administrators to change. The 650 specific variable names, how their values change, and how their 651 settings influence protocol behavior are provided to demonstrate 652 protocol behavior. An implementation is not required to have them in 653 the exact form described here, so long as its external behavior is 654 consistent with that described in this document. See Section 6 for a 655 description of the conceptual data structures. 657 3. Assumptions 659 The design intent is to ensure that the Shim6 protocol is capable of 660 handling path failures independently of the number of IP addresses 661 (locators) available to the two communicating hosts, and 662 independently of which host detects the failure condition. 664 Consider, for example, the case in which both A and B have active 665 Shim6 state and where A has only one locator while B has multiple 666 locators. In this case, it might be that B is trying to send a 667 packet to A, and has detected a failure condition with the current 668 locator pair. Since B has multiple locators it presumably has 669 multiple ISPs, and consequently likely has alternate egress paths 670 toward A. However, B cannot vary the destination address (i.e., A's 671 locator), since A has only one locator. 673 The above scenario leads to the assumption that a host should be able 674 to cause different egress paths from its site to be used. The most 675 reasonable approach to accomplish this is to have the host use 676 different source addresses and have the source address affect the 677 selection of the site egress. The details of how this can be 678 accomplished is beyond the scope of this document, but without this 679 capability the ability of the shim to try different "paths" by trying 680 different locator pairs will have limited utility. 682 The above assumption applies whether or not the ISPs perform ingress 683 filtering. 685 In addition, when the site's ISPs perform ingress filtering based on 686 packet source addresses, Shim6 assumes that packets sent with 687 different source and destination combinations have a reasonable 688 chance of making it through the relevant ISP's ingress filters. This 689 can be accomplished in several ways (all outside the scope of this 690 document), such as having the ISPs relax their ingress filters, or 691 selecting the egress such that it matches the IP source address 692 prefix. 694 Further discussion of this issue is captured in [21]. 696 The Shim6 approach assumes that there are no IPv6-to-IPv6 NATs on the 697 paths, i.e., that the two ends can exchange their own notion of their 698 IPv6 addresses and that those addresses will also make sense to their 699 peer. 701 4. Protocol Overview 703 The Shim6 protocol operates in several phases over time. The 704 following sequence illustrates the concepts: 706 o An application on host A decides to contact an application on host 707 B using some upper-layer protocol. This results in the ULP on 708 host A sending packets to host B. We call this the initial 709 contact. Assuming the IP addresses selected by Default Address 710 Selection [13] and its extensions [14] work, then there is no 711 action by the shim at this point in time. Any shim context 712 establishment can be deferred until later. 714 o Some heuristic on A or B (or both) determine that it is 715 appropriate to pay the Shim6 overhead to make this host-to-host 716 communication robust against locator failures. For instance, this 717 heuristic might be that more than 50 packets have been sent or 718 received, or a timer expiration while active packet exchange is in 719 place. This makes the shim initiate the 4-way context 720 establishment exchange. The purpose of this heuristic is to avoid 721 setting up a shim context when only a small number of packets is 722 exchanged between two hosts. 724 As a result of this exchange, both A and B will know a list of 725 locators for each other. 727 If the context establishment exchange fails, the initiator will 728 then know that the other end does not support Shim6, and will 729 continue with standard (non-Shim6) behavior for the session. 731 o Communication continues without any change for the ULP packets. 732 In particular, there are no shim extension headers added to the 733 ULP packets, since the ULID pair is the same as the locator pair. 734 In addition, there might be some messages exchanged between the 735 shim sub-layers for (un)reachability detection. 737 o At some point in time something fails. Depending on the approach 738 to reachability detection, there might be some advice from the 739 ULP, or the shim (un)reachability detection might discover that 740 there is a problem. 742 At this point in time one or both ends of the communication need 743 to probe the different alternate locator pairs until a working 744 pair is found, and switch to using that locator pair. 746 o Once a working alternative locator pair has been found, the shim 747 will rewrite the packets on transmit, and tag the packets with 748 Shim6 Payload extension header, which contains the receiver's 749 context tag. The receiver will use the context tag to find the 750 context state which will indicate which addresses to place in the 751 IPv6 header before passing the packet up to the ULP. The result 752 is that from the perspective of the ULP the packet passes 753 unmodified end-to-end, even though the IP routing infrastructure 754 sends the packet to a different locator. 756 o The shim (un)reachability detection will monitor the new locator 757 pair as it monitored the original locator pair, so that subsequent 758 failures can be detected. 760 o In addition to failures detected based on end-to-end observations, 761 one endpoint might know for certain that one or more of its 762 locators is not working. For instance, the network interface 763 might have failed or gone down (at layer 2), or an IPv6 address 764 might have become deprecated or invalid. In such cases the host 765 can signal its peer that this address is no longer recommended to 766 try. This triggers something similar to a failure handling and a 767 new working locator pair must be found. 769 The protocol also has the ability to express other forms of 770 locator preferences. A change in any preferences can be signaled 771 to the peer, which will have made the peer record the new 772 preferences. A change in the preferences might optionally make 773 the peer want to use a different locator pair. In this case, the 774 peer follows the same locator switching procedure as after a 775 failure (by verifying that its peer is indeed present at the 776 alternate locator, etc). 778 o When the shim thinks that the context state is no longer used, it 779 can garbage collect the state; there is no coordination necessary 780 with the peer host before the state is removed. There is a 781 recovery message defined to be able to signal when there is no 782 context state, which can be used to detect and recover from both 783 premature garbage collection, as well as complete state loss 784 (crash and reboot) of a peer. 786 The exact mechanism to determine when the context state is no 787 longer used is implementation dependent. For example, an 788 implementation might use the existence of ULP state (where known 789 to the implementation) as an indication that the state is still 790 used, combined with a timer (to handle ULP state that might not be 791 known to the shim sub-layer) to determine when the state is likely 792 to no longer be used. 794 NOTE: The ULP packets in Shim6 can be carried completely unmodified 795 as long as the ULID pair is used as the locator pair. After a switch 796 to a different locator pair the packets are "tagged" with a Shim6 797 extension header, so that the receiver can always determine the 798 context to which they belong. This is accomplished by including an 799 8-octet Shim6 Payload Extension header before the (extension) headers 800 that are processed by the IP endpoint sublayer and ULPs. If 801 subsequently the original ULIDs are selected as the active locator 802 pair then the tagging of packets with the Shim6 extension header is 803 no longer necessary. 805 4.1. Context Tags 807 A context between two hosts is actually a context between two ULIDs. 808 The context is identified by a pair of context tags. Each end gets 809 to allocate a context tag, and once the context is established, most 810 Shim6 control messages contain the context tag that the receiver of 811 the message allocated. Thus at a minimum the combination of have to uniquely identify one 813 context. But since the Payload extension headers are demultiplexed 814 without looking at the locators in the packet, the receiver will need 815 to allocate context tags that are unique for all its contexts. The 816 context tag is a 47-bit number (the largest which can fit in an 817 8-octet extension header), while preserving one bit to differentiate 818 the Shim6 signalling messages from the Shim6 header included in data 819 packets, allowing both to use the same protocol number. 821 The mechanism for detecting a loss of context state at the peer 822 assumes that the receiver can tell the packets that need locator 823 rewriting, even after it has lost all state (e.g., due to a crash 824 followed by a reboot). This is achieved because after a rehoming 825 event the packets that need receive-side rewriting, carry the Payload 826 extension header. 828 4.2. Context Forking 830 It has been asserted that it will be important for future ULPs, in 831 particular, future transport protocols, to be able to control which 832 locator pairs are used for different communication. For instance, 833 host A and host B might communicate using both VoIP traffic and ftp 834 traffic, and those communications might benefit from using different 835 locator pairs. However, the basic Shim6 mechanism uses a single 836 current locator pair for each context, thus a single context cannot 837 accomplish this. 839 For this reason, the Shim6 protocol supports the notion of context 840 forking. This is a mechanism by which a ULP can specify (using some 841 API not yet defined) that a context for e.g., the ULID pair 842 should be forked into two contexts. In this case the forked-off 843 context will be assigned a non-zero Forked Instance Identifier, while 844 the default context has FII zero. 846 The Forked Instance Identifier (FII) is a 32-bit identifier which has 847 no semantics in the protocol other then being part of the tuple which 848 identifies the context. For example, a host might allocate FIIs as 849 sequential numbers for any given ULID pair. 851 No other special considerations are needed in the Shim6 protocol to 852 handle forked contexts. 854 Note that forking as specified does NOT allow A to be able to tell B 855 that certain traffic (a 5-tuple?) should be forked for the reverse 856 direction. The Shim6 forking mechanism as specified applies only to 857 the sending of ULP packets. If some ULP wants to fork for both 858 directions, it is up to the ULP to set this up, and then instruct the 859 shim at each end to transmit using the forked context. 861 4.3. API Extensions 863 Several API extensions have been discussed for Shim6, but their 864 actual specification is out of scope for this document. The simplest 865 one would be to add a socket option to be able to have traffic bypass 866 the shim (not create any state, and not use any state created by 867 other traffic). This could be an IPV6_DONTSHIM socket option. Such 868 an option would be useful for protocols, such as DNS, where the 869 application has its own failover mechanism (multiple NS records in 870 the case of DNS) and using the shim could potentially add extra 871 latency with no added benefits. 873 Some other API extensions are discussed in Appendix A 875 4.4. Securing Shim6 877 The mechanisms are secured using a combination of techniques: 879 o The HBA technique [8] for verifying the locators to prevent an 880 attacker from redirecting the packet stream to somewhere else. 882 o Requiring a Reachability Probe+Reply /defined in [9]) before a new 883 locator is used as the destination, in order to prevent 3rd party 884 flooding attacks. 886 o The first message does not create any state on the responder. 887 Essentially a 3-way exchange is required before the responder 888 creates any state. This means that a state-based DoS attack 889 (trying to use up all of memory on the responder) at least 890 provides an IPv6 address that the attacker was using. 892 o The context establishment messages use nonces to prevent replay 893 attacks, and to prevent off-path attackers from interfering with 894 the establishment. 896 o Every control message of the Shim6 protocol, past the context 897 establishment, carry the context tag assigned to the particular 898 context. This implies that an attacker needs to discover that 899 context tag before being able to spoof any Shim6 control message. 900 Such discovery probably requires any potential attacker to be 901 along the path in order to be sniff the context tag value. The 902 result is that through this technique, the Shim6 protocol is 903 protected against off-path attackers. 905 4.5. Overview of Shim Control Messages 907 The Shim6 context establishment is accomplished using four messages; 908 I1, R1, I2, R2. Normally they are sent in that order from initiator 909 and responder, respectively. Should both ends attempt to set up 910 context state at the same time (for the same ULID pair), then their 911 I1 messages might cross in flight, and result in an immediate R2 912 message. [The names of these messages are borrowed from HIP [26].] 914 R1bis and I2bis messages are defined, which are used to recover a 915 context after it has been lost. A R1bis message is sent when a Shim6 916 control or Payload extension header arrives and there is no matching 917 context state at the receiver. When such a message is received, it 918 will result in the re-creation of the Shim6 context using the I2bis 919 and R2 messages. 921 The peers' lists of locators are normally exchanged as part of the 922 context establishment exchange. But the set of locators might be 923 dynamic. For this reason there are Update Request and Update 924 Acknowledgement messages, and a Locator List option. 926 Even when the list of locators is fixed, a host might determine that 927 some preferences might have changed. For instance, it might 928 determine that there is a locally visible failure that implies that 929 some locator(s) are no longer usable. This uses a Locator 930 Preferences option in the Update Request message. 932 The mechanism for (un)reachability detection is called Forced 933 Bidirectional Communication (FBD). FBD uses a Keepalive message 934 which is sent when a host has received packets from its peer but has 935 not yet sent any packets from its ULP to the peer. The message type 936 is reserved in this document, but the message format and processing 937 rules are specified in [9]. 939 In addition, when the context is established and there is a 940 subsequent failure there needs to be a way to probe the set of 941 locator pairs to efficiently find a working pair. This document 942 reserves a Probe message type, with the packet format and processing 943 rules specified in [9]. 945 The above probe and keepalive messages assume we have an established 946 ULID-pair context. However, communication might fail during the 947 initial contact (that is, when the application or transport protocol 948 is trying to setup some communication). This is handled using the 949 mechanisms in the ULP to try different address pairs as specified in 950 [13] [14]. In the future versions of the protocol, and with a richer 951 API between the ULP and the shim, the shim might be help optimize 952 discovering a working locator pair during initial contact. This is 953 for further study. 955 4.6. Extension Header Order 957 Since the shim is placed between the IP endpoint sub-layer and the IP 958 routing sub-layer, the shim header will be placed before any endpoint 959 extension headers (fragmentation headers, destination options header, 960 AH, ESP), but after any routing related headers (hop-by-hop 961 extensions header, routing header, a destinations options header 962 which precedes a routing header). When tunneling is used, whether 963 IP-in-IP tunneling or the special form of tunneling that Mobile IPv6 964 uses (with Home Address Options and Routing header type 2), there is 965 a choice whether the shim applies inside the tunnel or outside the 966 tunnel, which affects the location of the Shim6 header. 968 In most cases IP-in-IP tunnels are used as a routing technique, thus 969 it makes sense to apply them on the locators which means that the 970 sender would insert the Shim6 header after any IP-in-IP 971 encapsulation; this is what occurs naturally when routers apply IP- 972 in-IP encapsulation. Thus the packets would have: 974 o Outer IP header 976 o Inner IP header 978 o Shim6 extension header (if needed) 980 o ULP 981 But the shim can also be used to create "shimmed tunnels" i.e., where 982 an IP-in-IP tunnel uses the shim to be able to switch the tunnel 983 endpoint addresses between different locators. In such a case the 984 packets would have: 986 o Outer IP header 988 o Shim6 extension header (if needed) 990 o Inner IP header 992 o ULP 994 In any case, the receiver behavior is well-defined; a receiver 995 processes the extension headers in order. However, the precise 996 interaction between Mobile IPv6 and Shim6 is for further study, but 997 it might make sense to have Mobile IPv6 operate on locators as well, 998 meaning that the shim would be layered on top of the MIPv6 mechanism. 1000 5. Message Formats 1002 The Shim6 messages are all carried using a new IP protocol number [to 1003 be assigned by IANA]. The Shim6 messages have a common header, 1004 defined below, with some fixed fields, followed by type specific 1005 fields. 1007 The Shim6 messages are structured as an IPv6 extension header since 1008 the Payload extension header is used to carry the ULP packets after a 1009 locator switch. The Shim6 control messages use the same extension 1010 header formats so that a single "protocol number" needs to be allowed 1011 through firewalls in order for Shim6 to function across the firewall. 1013 5.1. Common Shim6 Message Format 1015 The first 17 bits of the Shim6 header is common for the Payload 1016 extension header and the control messages and looks as follows: 1018 0 1 1019 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 1020 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1021 | Next Header | Hdr Ext Len |P| 1022 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1024 Fields: 1026 Next Header: The payload which follows this header. 1028 Hdr Ext Len: 8-bit unsigned integer. Length of the Shim6 header in 1029 8-octet units, not including the first 8 octets. 1031 P: A single bit to distinguish Payload extension headers 1032 from control messages. 1034 Shim6 signalling packets may not be larger than 1280 bytes, including 1035 the IPv6 header and any intermediate headers between the IPv6 header 1036 and the Shim6 header. One way to meet this requirement is to omit 1037 part of the locator address information if with this information 1038 included, the packet would become larger than 1280 bytes.Another 1039 option is to perform option engineering, dividing into different 1040 Shim6 messages the information to be transmitted. An implementation 1041 may impose administrative restrictions to avoid excessively large 1042 Shim6 packets, such as a limitation on the number of locators to be 1043 used. 1045 5.2. Payload Extension Header Format 1047 The payload extension headers is used to carry ULP packets where the 1048 receiver must replace the content of the source and/or destination 1049 fields in the IPv6 header before passing the packet to the ULP. Thus 1050 this extension header is required when the locators pair that is used 1051 is not the same as the ULID pair. 1053 0 1 2 3 1054 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1055 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1056 | Next Header | 0 |1| | 1057 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1058 | Receiver Context Tag | 1059 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1061 Fields: 1063 Next Header: The payload which follows this header. 1065 Hdr Ext Len: 0 (since the header is 8 octets). 1067 P: Set to one. A single bit to distinguish this from the 1068 Shim6 control messages. 1070 Receiver Context Tag: 47-bit unsigned integer. Allocated by the 1071 receiver for use to identify the context. 1073 5.3. Common Shim6 Control header 1075 The common part of the header has a next header and header extension 1076 length field which is consistent with the other IPv6 extension 1077 headers, even if the next header value is always "NO NEXT HEADER" for 1078 the control messages. 1080 The Shim6 headers must be a multiple of 8 octets, hence the minimum 1081 size is 8 octets. 1083 The common shim control message header is as follows: 1085 0 1 2 3 1086 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1087 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1088 | Next Header | Hdr Ext Len |0| Type |Type-specific|0| 1089 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1090 | Checksum | | 1091 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1092 | Type-specific format | 1093 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1095 Fields: 1097 Next Header: 8-bit selector. Normally set to NO_NXT_HDR (59). 1099 Hdr Ext Len: 8-bit unsigned integer. Length of the Shim6 header in 1100 8-octet units, not including the first 8 octets. 1102 P: Set to zero. A single bit to distinguish this from 1103 the Shim6 payload extension header. 1105 Type: 7-bit unsigned integer. Identifies the actual message 1106 from the table below. Type codes 0-63 will not 1107 trigger R1bis messages on a missing context, while 64- 1108 127 will trigger R1bis. 1110 0: A single bit (set to zero) which allows Shim6 and HIP 1111 to have a common header format yet telling Shim6 and 1112 HIP messages apart. 1114 Checksum: 16-bit unsigned integer. The checksum is the 16-bit 1115 one's complement of the one's complement sum of the 1116 entire Shim6 header message starting with the Shim6 1117 next header field, and ending as indicated by the Hdr 1118 Ext Len. Thus when there is a payload following the 1119 Shim6 header, the payload is NOT included in the Shim6 1120 checksum. Note that unlike protocol like ICMPv6, 1121 there is no pseudo-header checksum part of the 1122 checksum, in order to provide locator agility without 1123 having to change the checksum. 1125 Type-specific: Part of message that is different for different 1126 message types. 1128 +------------+-----------------------------------------------------+ 1129 | Type Value | Message | 1130 +------------+-----------------------------------------------------+ 1131 | 1 | I1 (first establishment message from the initiator) | 1132 | | | 1133 | 2 | R1 (first establishment message from the responder) | 1134 | | | 1135 | 3 | I2 (2nd establishment message from the initiator) | 1136 | | | 1137 | 4 | R2 (2nd establishment message from the responder) | 1138 | | | 1139 | 5 | R1bis (Reply to reference to non-existent context) | 1140 | | | 1141 | 6 | I2bis (Reply to a R1bis message) | 1142 | | | 1143 | 64 | Update Request | 1144 | | | 1145 | 65 | Update Acknowledgement | 1146 | | | 1147 | 66 | Keepalive | 1148 | | | 1149 | 67 | Probe Message | 1150 | | | 1151 | 68 | Error Message | 1152 +------------+-----------------------------------------------------+ 1154 Table 1 1156 5.4. I1 Message Format 1158 The I1 message is the first message in the context establishment 1159 exchange. 1161 0 1 2 3 1162 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1163 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1164 | 59 | Hdr Ext Len |0| Type = 1 | Reserved1 |0| 1165 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1166 | Checksum |R| | 1167 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1168 | Initiator Context Tag | 1169 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1170 | Initiator Nonce | 1171 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1172 | | 1173 + Options + 1174 | | 1175 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1176 Fields: 1178 Next Header: NO_NXT_HDR (59). 1180 Hdr Ext Len: At least 1, since the header is 16 octets when there 1181 are no options. 1183 Type: 1 1185 Reserved1: 7-bit field. Reserved for future use. Zero on 1186 transmit. MUST be ignored on receipt. 1188 R: 1-bit field. Reserved for future use. Zero on 1189 transmit. MUST be ignored on receipt. 1191 Initiator Context Tag: 47-bit field. The Context Tag the initiator 1192 has allocated for the context. 1194 Initiator Nonce: 32-bit unsigned integer. A random number picked by 1195 the initiator which the responder will return in the 1196 R1 message. 1198 The following options are defined for this message: 1200 ULID pair: When the IPv6 source and destination addresses in the 1201 IPv6 header does not match the ULID pair, this option 1202 MUST be included. An example of this is when 1203 recovering from a lost context. 1205 Forked Instance Identifier: When another instance of an existent 1206 context with the same ULID pair is being created, a 1207 Forked Instance Identifier option is included to 1208 distinguish this new instance from the existent one. 1210 Future protocol extensions might define additional options for this 1211 message. The C-bit in the option format defines how such a new 1212 option will be handled by an implementation. See Section 5.15. 1214 5.5. R1 Message Format 1216 The R1 message is the second message in the context establishment 1217 exchange. The responder sends this in response to an I1 message, 1218 without creating any state specific to the initiator. 1220 0 1 2 3 1221 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1222 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1223 | 59 | Hdr Ext Len |0| Type = 2 | Reserved1 |0| 1224 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1225 | Checksum | Reserved2 | 1226 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1227 | Initiator Nonce | 1228 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1229 | Responder Nonce | 1230 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1231 | | 1232 + Options + 1233 | | 1234 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1236 Fields: 1238 Next Header: NO_NXT_HDR (59). 1240 Hdr Ext Len: At least 1, since the header is 16 octets when there 1241 are no options. 1243 Type: 2 1245 Reserved1: 7-bit field. Reserved for future use. Zero on 1246 transmit. MUST be ignored on receipt. 1248 Reserved2: 16-bit field. Reserved for future use. Zero on 1249 transmit. MUST be ignored on receipt. 1251 Initiator Nonce: 32-bit unsigned integer. Copied from the I1 1252 message. 1254 Responder Nonce: 32-bit unsigned integer. A number picked by the 1255 responder which the initiator will return in the I2 1256 message. 1258 The following options are defined for this message: 1260 Responder Validator: Variable length option. Typically a hash 1261 generated by the responder, which the responder uses 1262 together with the Responder Nonce value to verify that 1263 an I2 message is indeed sent in response to a R1 1264 message, and that the parameters in the I2 message are 1265 the same as those in the I1 message. 1267 Future protocol extensions might define additional options for this 1268 message. The C-bit in the option format defines how such a new 1269 option will be handled by an implementation. See Section 5.15. 1271 5.6. I2 Message Format 1273 The I2 message is the third message in the context establishment 1274 exchange. The initiator sends this in response to a R1 message, 1275 after checking the Initiator Nonce, etc. 1277 0 1 2 3 1278 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1279 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1280 | 59 | Hdr Ext Len |0| Type = 3 | Reserved1 |0| 1281 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1282 | Checksum |R| | 1283 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1284 | Initiator Context Tag | 1285 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1286 | Initiator Nonce | 1287 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1288 | Responder Nonce | 1289 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1290 | Reserved2 | 1291 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1292 | | 1293 + Options + 1294 | | 1295 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1297 Fields: 1299 Next Header: NO_NXT_HDR (59). 1301 Hdr Ext Len: At least 2, since the header is 24 octets when there 1302 are no options. 1304 Type: 3 1306 Reserved1: 7-bit field. Reserved for future use. Zero on 1307 transmit. MUST be ignored on receipt. 1309 R: 1-bit field. Reserved for future use. Zero on 1310 transmit. MUST be ignored on receipt. 1312 Initiator Context Tag: 47-bit field. The Context Tag the initiator 1313 has allocated for the context. 1315 Initiator Nonce: 32-bit unsigned integer. A random number picked by 1316 the initiator which the responder will return in the 1317 R2 message. 1319 Responder Nonce: 32-bit unsigned integer. Copied from the R1 1320 message. 1322 Reserved2: 32-bit field. Reserved for future use. Zero on 1323 transmit. MUST be ignored on receipt. (Needed to 1324 make the options start on a multiple of 8 octet 1325 boundary.) 1327 The following options are defined for this message: 1329 Responder Validator: Variable length option. Just a copy of the 1330 Responder Validator option in the R1 message. 1332 ULID pair: When the IPv6 source and destination addresses in the 1333 IPv6 header does not match the ULID pair, this option 1334 MUST be included. An example of this is when 1335 recovering from a lost context. 1337 Forked Instance Identifier: When another instance of an existent 1338 context with the same ULID pair is being created, a 1339 Forked Instance Identifier option is included to 1340 distinguish this new instance from the existent one. 1342 Locator list: Optionally sent when the initiator immediately wants 1343 to tell the responder its list of locators. When it 1344 is sent, the necessary HBA/CGA information for 1345 verifying the locator list MUST also be included. 1347 Locator Preferences: Optionally sent when the locators don't all 1348 have equal preference. 1350 CGA Parameter Data Structure: Included when the locator list is 1351 included so the receiver can verify the locator list. 1353 CGA Signature: Included when the some of the locators in the list use 1354 CGA (and not HBA) for verification. 1356 Future protocol extensions might define additional options for this 1357 message. The C-bit in the option format defines how such a new 1358 option will be handled by an implementation. See Section 5.15. 1360 5.7. R2 Message Format 1362 The R2 message is the fourth message in the context establishment 1363 exchange. The responder sends this in response to an I2 message. 1364 The R2 message is also used when both hosts send I1 messages at the 1365 same time and the I1 messages cross in flight. 1367 0 1 2 3 1368 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1369 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1370 | 59 | Hdr Ext Len |0| Type = 4 | Reserved1 |0| 1371 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1372 | Checksum |R| | 1373 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1374 | Responder Context Tag | 1375 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1376 | Initiator Nonce | 1377 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1378 | | 1379 + Options + 1380 | | 1381 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1383 Fields: 1385 Next Header: NO_NXT_HDR (59). 1387 Hdr Ext Len: At least 1, since the header is 16 octets when there 1388 are no options. 1390 Type: 4 1392 Reserved1: 7-bit field. Reserved for future use. Zero on 1393 transmit. MUST be ignored on receipt. 1395 R: 1-bit field. Reserved for future use. Zero on 1396 transmit. MUST be ignored on receipt. 1398 Responder Context Tag: 47-bit field. The Context Tag the responder 1399 has allocated for the context. 1401 Initiator Nonce: 32-bit unsigned integer. Copied from the I2 1402 message. 1404 The following options are defined for this message: 1406 Locator List: Optionally sent when the responder immediately wants 1407 to tell the initiator its list of locators. When it 1408 is sent, the necessary HBA/CGA information for 1409 verifying the locator list MUST also be included. 1411 Locator Preferences: Optionally sent when the locators don't all 1412 have equal preference. 1414 CGA Parameter Data Structure: Included when the locator list is 1415 included so the receiver can verify the locator list. 1417 CGA Signature: Included when the some of the locators in the list use 1418 CGA (and not HBA) for verification. 1420 Future protocol extensions might define additional options for this 1421 message. The C-bit in the option format defines how such a new 1422 option will be handled by an implementation. See Section 5.15. 1424 5.8. R1bis Message Format 1426 Should a host receive a packet with a shim Payload extension header 1427 or Shim6 control message with type code 64-127 (such as an Update or 1428 Probe message), and the host does not have any context state for the 1429 received context tag, then it will generate a R1bis message. 1431 This message allows the sender of the packet referring to the non- 1432 existent context to re-establish the context with a reduced context 1433 establishment exchange. Upon the reception of the R1bis message, the 1434 receiver can proceed reestablishing the lost context by directly 1435 sending an I2bis message. 1437 0 1 2 3 1438 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1439 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1440 | 59 | Hdr Ext Len |0| Type = 5 | Reserved1 |0| 1441 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1442 | Checksum |R| | 1443 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1444 | Packet Context Tag | 1445 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1446 | Responder Nonce | 1447 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1448 | | 1449 + Options + 1450 | | 1451 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1453 Fields: 1455 Next Header: NO_NXT_HDR (59). 1457 Hdr Ext Len: At least 1, since the header is 16 octets when there 1458 are no options. 1460 Type: 5 1462 Reserved1: 7-bit field. Reserved for future use. Zero on 1463 transmit. MUST be ignored on receipt. 1465 R: 1-bit field. Reserved for future use. Zero on 1466 transmit. MUST be ignored on receipt. 1468 Packet Context Tag: 47-bit unsigned integer. The context tag 1469 contained in the received packet that triggered the 1470 generation of the R1bis message. 1472 Responder Nonce: 32-bit unsigned integer. A number picked by the 1473 responder which the initiator will return in the I2bis 1474 message. 1476 The following options are defined for this message: 1478 Responder Validator: Variable length option. Typically a hash 1479 generated by the responder, which the responder uses 1480 together with the Responder Nonce value to verify that 1481 an I2bis message is indeed sent in response to a R1bis 1482 message. 1484 Future protocol extensions might define additional options for this 1485 message. The C-bit in the option format defines how such a new 1486 option will be handled by an implementation. See Section 5.15. 1488 5.9. I2bis Message Format 1490 The I2bis message is the third message in the context recovery 1491 exchange. This is sent in response to a R1bis message, after 1492 checking that the R1bis message refers to an existing context, etc. 1494 0 1 2 3 1495 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1496 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1497 | 59 | Hdr Ext Len |0| Type = 6 | Reserved1 |0| 1498 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1499 | Checksum |R| | 1500 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1501 | Initiator Context Tag | 1502 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1503 | Initiator Nonce | 1504 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1505 | Responder Nonce | 1506 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1507 | Reserved2 | 1508 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1509 | | | 1510 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1511 | Packet Context Tag | 1512 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1513 | | 1514 + Options + 1515 | | 1516 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1518 Fields: 1520 Next Header: NO_NXT_HDR (59). 1522 Hdr Ext Len: At least 3, since the header is 32 octets when there 1523 are no options. 1525 Type: 6 1527 Reserved1: 7-bit field. Reserved for future use. Zero on 1528 transmit. MUST be ignored on receipt. 1530 R: 1-bit field. Reserved for future use. Zero on 1531 transmit. MUST be ignored on receipt. 1533 Initiator Context Tag: 47-bit field. The Context Tag the initiator 1534 has allocated for the context. 1536 Initiator Nonce: 32-bit unsigned integer. A random number picked by 1537 the initiator which the responder will return in the 1538 R2 message. 1540 Responder Nonce: 32-bit unsigned integer. Copied from the R1bis 1541 message. 1543 Reserved2: 49-bit field. Reserved for future use. Zero on 1544 transmit. MUST be ignored on receipt. (Note that 17 1545 bits are not sufficient since the options need start 1546 on a multiple of 8 octet boundary.) 1548 Packet Context Tag: 47-bit unsigned integer. Copied from the Packet 1549 Context Tag contained in the received R1bis. 1551 The following options are defined for this message: 1553 Responder Validator: Variable length option. Just a copy of the 1554 Responder Validator option in the R1bis message. 1556 ULID pair: When the IPv6 source and destination addresses in the 1557 IPv6 header does not match the ULID pair, this option 1558 MUST be included. 1560 Forked Instance Identifier: When another instance of an existent 1561 context with the same ULID pair is being created, a 1562 Forked Instance Identifier option is included to 1563 distinguish this new instance from the existent one. 1565 Locator list: Optionally sent when the initiator immediately wants 1566 to tell the responder its list of locators. When it 1567 is sent, the necessary HBA/CGA information for 1568 verifying the locator list MUST also be included. 1570 Locator Preferences: Optionally sent when the locators don't all 1571 have equal preference. 1573 CGA Parameter Data Structure: Included when the locator list is 1574 included so the receiver can verify the locator list. 1576 CGA Signature: Included when the some of the locators in the list use 1577 CGA (and not HBA) for verification. 1579 Future protocol extensions might define additional options for this 1580 message. The C-bit in the option format defines how such a new 1581 option will be handled by an implementation. See Section 5.15. 1583 5.10. Update Request Message Format 1585 The Update Request Message is used to update either the list of 1586 locators, the locator preferences, and both. When the list of 1587 locators is updated, the message also contains the option(s) 1588 necessary for HBA/CGA to secure this. The basic sanity check that 1589 prevents off-path attackers from generating bogus updates is the 1590 context tag in the message. 1592 The update message contains options (the Locator List and the Locator 1593 Preferences) that, when included, completely replace the previous 1594 locator list and locator preferences, respectively. Thus there is no 1595 mechanism to just send deltas to the locator list. 1597 0 1 2 3 1598 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1599 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1600 | 59 | Hdr Ext Len |0| Type = 64 | Reserved1 |0| 1601 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1602 | Checksum |R| | 1603 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1604 | Receiver Context Tag | 1605 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1606 | Request Nonce | 1607 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1608 | | 1609 + Options + 1610 | | 1611 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1613 Fields: 1615 Next Header: NO_NXT_HDR (59). 1617 Hdr Ext Len: At least 1, since the header is 16 octets when there 1618 are no options. 1620 Type: 64 1622 Reserved1: 7-bit field. Reserved for future use. Zero on 1623 transmit. MUST be ignored on receipt. 1625 R: 1-bit field. Reserved for future use. Zero on 1626 transmit. MUST be ignored on receipt. 1628 Receiver Context Tag: 47-bit field. The Context Tag the receiver 1629 has allocated for the context. 1631 Request Nonce: 32-bit unsigned integer. A random number picked by 1632 the initiator which the peer will return in the 1633 acknowledgement message. 1635 The following options are defined for this message: 1637 Locator List: The list of the sender's (new) locators. The locators 1638 might be unchanged and only the preferences have 1639 changed. 1641 Locator Preferences: Optionally sent when the locators don't all 1642 have equal preference. 1644 CGA Parameter Data Structure (PDS): Included when the locator list 1645 is included and the PDS was not included in the I2/ 1646 I2bis/R2 messages, so the receiver can verify the 1647 locator list. 1649 CGA Signature: Included when the some of the locators in the list use 1650 CGA (and not HBA) for verification. 1652 Future protocol extensions might define additional options for this 1653 message. The C-bit in the option format defines how such a new 1654 option will be handled by an implementation. See Section 5.15. 1656 5.11. Update Acknowledgement Message Format 1658 This message is sent in response to a Update Request message. It 1659 implies that the Update Request has been received, and that any new 1660 locators in the Update Request can now be used as the source locators 1661 of packets. But it does not imply that the (new) locators have been 1662 verified to be used as a destination, since the host might defer the 1663 verification of a locator until it sees a need to use a locator as 1664 the destination. 1666 0 1 2 3 1667 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1668 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1669 | 59 | Hdr Ext Len |0| Type = 65 | Reserved1 |0| 1670 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1671 | Checksum |R| | 1672 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1673 | Receiver Context Tag | 1674 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1675 | Request Nonce | 1676 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1677 | | 1678 + Options + 1679 | | 1680 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1682 Fields: 1684 Next Header: NO_NXT_HDR (59). 1686 Hdr Ext Len: At least 1, since the header is 16 octets when there 1687 are no options. 1689 Type: 65 1691 Reserved1: 7-bit field. Reserved for future use. Zero on 1692 transmit. MUST be ignored on receipt. 1694 R: 1-bit field. Reserved for future use. Zero on 1695 transmit. MUST be ignored on receipt. 1697 Receiver Context Tag: 47-bit field. The Context Tag the receiver 1698 has allocated for the context. 1700 Request Nonce: 32-bit unsigned integer. Copied from the Update 1701 Request message. 1703 No options are currently defined for this message. 1705 Future protocol extensions might define additional options for this 1706 message. The C-bit in the option format defines how such a new 1707 option will be handled by an implementation. See Section 5.15. 1709 5.12. Keepalive Message Format 1711 This message format is defined in [9]. 1713 The message is used to ensure that when a peer is sending ULP packets 1714 on a context, it always receives some packets in the reverse 1715 direction. When the ULP is sending bidirectional traffic, no extra 1716 packets need to be inserted. But for a unidirectional ULP traffic 1717 pattern, the shim will send back some Keepalive messages when it is 1718 receiving ULP packets. 1720 5.13. Probe Message Format 1722 This message and its semantics are defined in [9]. 1724 The goal of this mechanism is to test whether locator pairs work or 1725 not in the general case. In particular, this mechanism is to be able 1726 to handle the case when one locator pair works in from A to B, and 1727 another locator pair works from B to A, but there is no locator pair 1728 which works in both directions. The protocol mechanism is that as A 1729 is sending probe messages to B, B will observe which locator pairs it 1730 has received from and report that back in probe messages it is 1731 sending to A. 1733 5.14. Error Message Format 1735 The Error Message is generated by a Shim6 receiver upon the reception 1736 of a Shim6 message containing critical information that cannot be 1737 processed properly. 1739 In the case that a Shim6 node receives a Shim6 packet which contains 1740 information that is critical for the Shim6 protocol that is not 1741 supported by the receiver, it sends an Error Message back to the 1742 originator of the Shim6 message. The Error Message is 1743 unacknowledged. 1745 In addition, Shim6 Error messages defined in this section can be used 1746 to identify problems with Shim6 implementations. In order to do 1747 that, a range of Error Code Types is reserved for that purpose. In 1748 particular, implementations may generate Shim6 Error messages with 1749 Code Type in that range instead of silently discarding Shim6 packets 1750 during the debugging process. 1752 0 1 2 3 1753 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1754 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1755 | 59 | Hdr Ext Len |0| Type = 68 | Error Code |0| 1756 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1757 | Checksum | Pointer | 1758 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1759 | | 1760 + Packet in error + 1761 | | 1762 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1764 Fields: 1766 Next Header: NO_NXT_HDR (59). 1768 Hdr Ext Len: At least 1, since the header is 16 octets. Depends on 1769 the specific Error Data. 1771 Type: 68 1773 Error Code: 7-bit field describing the error that generated the 1774 Error Message. See Error Code list below 1776 Pointer: 16-bit field.Identifies the octet offset within the 1777 invoking packet where the error was detected. 1779 Packet in error: As much of invoking packet as possible without the 1780 Error message packet exceeding the minimum IPv6 MTU. 1782 The following Error Codes are defined: 1784 +---------+---------------------------------------------------------+ 1785 | Code | Description | 1786 | Value | | 1787 +---------+---------------------------------------------------------+ 1788 | 0 | Unknown Shim6 message type | 1789 | | | 1790 | 1 | Critical Option not recognized | 1791 | | | 1792 | 2 | Locator verification method failed (Pointer to the | 1793 | | inconsistent Verification method octet) | 1794 | | | 1795 | 3 | Locator List Generation number out of sync. | 1796 | | | 1797 | 4 | Error in the number of locators in a Locator Preference | 1798 | | option | 1799 | | | 1800 | 120-127 | Reserved for debugging pruposes | 1801 +---------+---------------------------------------------------------+ 1803 Table 2 1805 5.15. Option Formats 1807 The format of the options is a snapshot of the current HIP option 1808 format [26]. However, there is no intention to track any changes to 1809 the HIP option format, nor is there an intent to use the same name 1810 space for the option type values. But using the same format will 1811 hopefully make it easier to import HIP capabilities into Shim6 as 1812 extensions to Shim6, should this turn out to be useful. 1814 All of the TLV parameters have a length (including Type and Length 1815 fields) which is a multiple of 8 bytes. When needed, padding MUST be 1816 added to the end of the parameter so that the total length becomes a 1817 multiple of 8 bytes. This rule ensures proper alignment of data. If 1818 padding is added, the Length field MUST NOT include the padding. Any 1819 added padding bytes MUST be zeroed by the sender, and their values 1820 SHOULD NOT be checked by the receiver. 1822 Consequently, the Length field indicates the length of the Contents 1823 field (in bytes). The total length of the TLV parameter (including 1824 Type, Length, Contents, and Padding) is related to the Length field 1825 according to the following formula: 1827 Total Length = 11 + Length - (Length + 3) mod 8; 1829 The Total Length of the option is the smallest multiple of 8 bytes 1830 that allows for the 4 bytes of option header and the option itself. 1831 The amount of padding required can be calculated as follows: 1833 padding = 7 - ((Length + 3) mod 8) 1835 And: 1837 Total Length = 4 + Length + padding 1839 0 1 2 3 1840 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1841 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1842 | Type |C| Length | 1843 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1844 ~ ~ 1845 ~ Contents ~ 1846 ~ +-+-+-+-+-+-+-+-+ 1847 ~ | Padding | 1848 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1850 Fields: 1852 Type: 15-bit identifier of the type of option. The options 1853 defined in this document are below. 1855 C: Critical. One if this parameter is critical, and MUST 1856 be recognized by the recipient, zero otherwise. An 1857 implementation might view the C bit as part of the 1858 Type field, by multiplying the type values in this 1859 specification by two. 1861 Length: Length of the Contents, in bytes. 1863 Contents: Parameter specific, defined by Type. 1865 Padding: Padding, 0-7 bytes, added if needed. 1867 +------+------------------------------+ 1868 | Type | Option Name | 1869 +------+------------------------------+ 1870 | 1 | Responder Validator | 1871 | | | 1872 | 2 | Locator List | 1873 | | | 1874 | 3 | Locator Preferences | 1875 | | | 1876 | 4 | CGA Parameter Data Structure | 1877 | | | 1878 | 5 | CGA Signature | 1879 | | | 1880 | 6 | ULID Pair | 1881 | | | 1882 | 7 | Forked Instance Identifier | 1883 | | | 1884 | 10 | Keepalive Timeout Option | 1885 +------+------------------------------+ 1887 Table 3 1889 Future protocol extensions might define additional options for the 1890 Shim6 messages. The C-bit in the option format defines how such a 1891 new option will be handled by an implementation. 1893 If a host receives an option that it does not understand (an option 1894 that was defined in some future extension to this protocol) or is not 1895 listed as a valid option for the different message types above, then 1896 the Critical bit in the option determines the outcome. 1898 o If C=0 then the option is silently ignored, and the rest of the 1899 message is processed. 1901 o If C=1 then the host SHOULD send back a Shim6 Error Message with 1902 Error Code=1, with the Pointer referencing the first octet in the 1903 Option Type field. When C=1 the rest of the message MUST NOT be 1904 processed. 1906 5.15.1. Responder Validator Option Format 1908 The responder can choose exactly what input is used to compute the 1909 validator, and what one-way function (such as MD5, SHA1) it uses, as 1910 long as the responder can check that the validator it receives back 1911 in the I2 or I2bis message is indeed one that: 1913 1)- it computed, 1915 2)- it computed for the particular context, and 1917 3)- that it isn't a replayed I2/I2bis message. 1919 Some suggestions on how to generate the validators are captured in 1920 Section 7.10.1 and Section 7.17.1. 1922 0 1 2 3 1923 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1924 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1925 | Type = 1 |0| Length | 1926 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1927 ~ Validator ~ 1928 ~ +-+-+-+-+-+-+-+-+ 1929 ~ | Padding | 1930 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1932 Fields: 1934 Validator: Variable length content whose interpretation is local 1935 to the responder. 1937 Padding: Padding, 0-7 bytes, added if needed. See 1938 Section 5.15. 1940 5.15.2. Locator List Option Format 1942 The Locator List Option is used to carry all the locators of the 1943 sender. Note that the order of the locators is important, since the 1944 Locator Preferences refers to the locators by using the index in the 1945 list. 1947 Note that we carry all the locators in this option even though some 1948 of them can be created automatically from the CGA Parameter Data 1949 Structure. 1951 0 1 2 3 1952 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1953 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1954 | Type = 2 |0| Length | 1955 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1956 | Locator List Generation | 1957 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1958 | Num Locators | N Octets of Verification Method | 1959 +-+-+-+-+-+-+-+-+ | 1960 ~ ~ 1961 ~ +-+-+-+-+-+-+-+-+ 1962 ~ | Padding | 1963 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1964 ~ Locators 1 through N ~ 1965 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1967 Fields: 1969 Locator List Generation: 32-bit unsigned integer. Indicates a 1970 generation number which is increased by one for each 1971 new locator list. This is used to ensure that the 1972 index in the Locator Preferences refer to the right 1973 version of the locator list. 1975 Num Locators: 8-bit unsigned integer. The number of locators that 1976 are included in the option. We call this number "N" 1977 below. 1979 Verification Method: N octets. The i'th octet specifies the 1980 verification method for the i'th locator. 1982 Padding: Padding, 0-7 bytes, added if needed so that the 1983 Locators start on a multiple of 8 octet boundary. 1984 NOTE that for this option there is never a need to pad 1985 at the end, since the locators are a multiple of 8 1986 octets in length. This internal padding is included 1987 in the length field. 1989 Locators: N 128-bit locators. 1991 The defined verification methods are: 1993 +-------+----------+ 1994 | Value | Method | 1995 +-------+----------+ 1996 | 0 | Reserved | 1997 | | | 1998 | 1 | HBA | 1999 | | | 2000 | 2 | CGA | 2001 | | | 2002 | 3-255 | Reserved | 2003 +-------+----------+ 2005 Table 4 2007 5.15.3. Locator Preferences Option Format 2009 The Locator Preferences option can have some flags to indicate 2010 whether or not a locator is known to work. In addition, the sender 2011 can include a notion of preferences. It might make sense to define 2012 "preferences" as a combination of priority and weight the same way 2013 that DNS SRV records has such information. The priority would 2014 provide a way to rank the locators, and within a given priority, the 2015 weight would provide a way to do some load sharing. See [10] for how 2016 SRV defines the interaction of priority and weight. 2018 The minimum notion of preferences we need is to be able to indicate 2019 that a locator is "dead". We can handle this using a single octet 2020 flag for each locator. 2022 We can extend that by carrying a larger "element" for each locator. 2023 This document presently also defines 2-octet and 3-octet elements, 2024 and we can add more information by having even larger elements if 2025 need be. 2027 The locators are not included in the preference list. Instead, the 2028 first element refers to locator that was in the first element in the 2029 Locator List option. The generation number carried in this option 2030 and the Locator List option is used to verify that they refer to the 2031 same version of the locator list. 2033 0 1 2 3 2034 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2035 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2036 | Type = 3 |0| Length | 2037 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2038 | Locator List Generation | 2039 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2040 | Element Len | Element[1] | Element[2] | Element[3] | 2041 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2042 ~ ... ~ 2043 ~ +-+-+-+-+-+-+-+-+ 2044 ~ | Padding | 2045 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2047 Case of Element Len = 1 is depicted. 2049 Fields: 2051 Locator List Generation: 32-bit unsigned integer. Indicates a 2052 generation number for the locator list to which the 2053 elements should apply. 2055 Element Len: 8-bit unsigned integer. The length in octets of each 2056 element. This specification defines the cases when 2057 the length is 1, 2, or 3. 2059 Element[i]: A field with a number of octets defined by the Element 2060 Len field. Provides preferences for the i'th locator 2061 in the Locator List option that is in use. 2063 Padding: Padding, 0-7 bytes, added if needed. See 2064 Section 5.15. 2066 When the Element length equals one, then the element consists of only 2067 a one octet flags field. The currently defined set of flags are: 2069 BROKEN: 0x01 2071 TRANSIENT: 0x02 2073 The intent of the BROKEN flag is to inform the peer that a given 2074 locator is known to be not working. The intent of TRANSIENT is to 2075 allow the distinction between more stable addresses and less stable 2076 addresses when Shim6 is combined with IP mobility, when we might have 2077 more stable home locators, and less stable care-of-locators. 2079 When the Element length equals two, then the element consists of a 1 2080 octet flags field followed by a 1 octet priority field. The priority 2081 has the same semantics as the priority in DNS SRV records. 2083 When the Element length equals three, then the element consists of a 2084 1 octet flags field followed by a 1 octet priority field, and a 1 2085 octet weight field. The weight has the same semantics as the weight 2086 in DNS SRV records. 2088 This document doesn't specify the format when the Element length is 2089 more than three, except that any such formats MUST be defined so that 2090 the first three octets are the same as in the above case, that is, a 2091 of a 1 octet flags field followed by a 1 octet priority field, and a 2092 1 octet weight field. 2094 5.15.4. CGA Parameter Data Structure Option Format 2096 This option contains the CGA Parameter Data Structure (PDS). When 2097 HBA is used to verify the locators, the PDS contains the HBA 2098 multiprefix extension. When CGA is used to verify the locators, in 2099 addition to the PDS option, the host also needs to include the 2100 signature in the form of a CGA Signature option. 2102 0 1 2 3 2103 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2104 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2105 | Type = 4 |0| Length | 2106 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2107 ~ CGA Parameter Data Structure ~ 2108 ~ +-+-+-+-+-+-+-+-+ 2109 ~ | Padding | 2110 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2112 Fields: 2114 CGA Parameter Data Structure: Variable length content. Content 2115 defined in [6] and [8]. 2117 Padding: Padding, 0-7 bytes, added if needed. See 2118 Section 5.15. 2120 5.15.5. CGA Signature Option Format 2122 When CGA is used for verification of one or more of the locators in 2123 the Locator List option, then the message in question will need to 2124 contain this option. 2126 0 1 2 3 2127 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2128 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2129 | Type = 5 |0| Length | 2130 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2131 ~ CGA Signature ~ 2132 ~ +-+-+-+-+-+-+-+-+ 2133 ~ | Padding | 2134 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2136 Fields: 2138 CGA Signature: A variable-length field containing a PKCS#1 v1.5 2139 signature, constructed by using the sender's private 2140 key over the following sequence of octets: 2142 1. The 128-bit CGA Message Type tag [CGA] value for 2143 Shim6, 0x4A 30 5662 4858 574B 3655 416F 506A 6D48. 2144 (The tag value has been generated randomly by the 2145 editor of this specification.). 2147 2. The Locator List Generation value of the 2148 correspondent Locator List Option. 2150 3. The subset of locators included in the 2151 correspondent Locator List Option which 2152 verification method is set to CGA. The locators 2153 MUST be included in the order they are listed in 2154 the Locator List Option. 2156 Padding: Padding, 0-7 bytes, added if needed. See 2157 Section 5.15. 2159 5.15.6. ULID Pair Option Format 2161 I1, I2, and I2bis messages MUST contain the ULID pair; normally this 2162 is in the IPv6 source and destination fields. In case that the ULID 2163 for the context differ from the address pair included in the source 2164 and destination address fields of the IPv6 packet used to carry the 2165 I1/I2/I2bis message, the ULID pair option MUST be included in the I1/ 2166 I2/I2bis message. 2168 0 1 2 3 2169 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2170 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2171 | Type = 6 |0| Length = 36 | 2172 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2173 | Reserved2 | 2174 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2175 | | 2176 + Sender ULID + 2177 | | 2178 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2179 | | 2180 + Receiver ULID + 2181 | | 2182 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2184 Fields: 2186 Reserved2: 32-bit field. Reserved for future use. Zero on 2187 transmit. MUST be ignored on receipt. (Needed to 2188 make the ULIDs start on a multiple of 8 octet 2189 boundary.) 2191 Sender ULID: A 128-bit IPv6 address. 2193 Receiver ULID: A 128-bit IPv6 address. 2195 5.15.7. Forked Instance Identifier Option Format 2197 0 1 2 3 2198 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2199 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2200 | Type = 7 |0| Length = 4 | 2201 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2202 | Forked Instance Identifier | 2203 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2205 Fields: 2207 Forked Instance Identifier: 32-bit field containing the identifier 2208 of the particular forked instance. 2210 5.15.8. Keepalive Timeout Option Format 2212 This option is defined in [9]. 2214 6. Conceptual Model of a Host 2216 This section describes a conceptual model of one possible data 2217 structure organization that hosts will maintain for the purposes of 2218 Shim6. The described organization is provided to facilitate the 2219 explanation of how the Shim6 protocol should behave. This document 2220 does not mandate that implementations adhere to this model as long as 2221 their external behavior is consistent with that described in this 2222 document. 2224 6.1. Conceptual Data Structures 2226 The key conceptual data structure for the Shim6 protocol is the ULID 2227 pair context. This is a data structure which contains the following 2228 information: 2230 o The state of the context. See Section 6.2. 2232 o The peer ULID; ULID(peer) 2234 o The local ULID; ULID(local) 2236 o The Forked Instance Identifier; FII. This is zero for the default 2237 context i.e., when there is no forking. 2239 o The list of peer locators, with their preferences; Ls(peer) 2241 o The generation number for the most recently received, verified 2242 peer locator list. 2244 o For each peer locator, the verification method to use (from the 2245 Locator List option). 2247 o For each peer locator, a flag whether it has been verified using 2248 HBA or CGA, and a bit whether the locator has been probed to 2249 verify that the ULID is present at that location. 2251 o The preferred peer locator - used as destination; Lp(peer) 2253 o The set of local locators and the preferences; Ls(local) 2255 o The generation number for the most recently sent Locator List 2256 option. 2258 o The preferred local locator - used as source; Lp(local) 2260 o The context tag used to transmit control messages and payload 2261 extension headers - allocated by the peer; CT(peer) 2263 o The context to expect in received control messages and payload 2264 extension headers - allocated by the local host; CT(local) 2266 o Timers for retransmission of the messages during context 2267 establishment and update messages. 2269 o Depending how an implementation determines whether a context is 2270 still in use, there might be a need to track the last time a 2271 packet was sent/received using the context. 2273 o Reachability state for the locator pairs as specified in [9]. 2275 o During pair exploration, information about the probe messages that 2276 have been sent and received as specified in [9]. 2278 o During context establishment phase, Init Nonce, Responder Nonce, 2279 Responder Validator and timers related to the different packets 2280 sent (I1,I2, R2), as described in Section 7 2282 6.2. Context States 2284 The states that are used to describe the Shim6 protocol are as 2285 follows: 2287 +---------------------+---------------------------------------------+ 2288 | State | Explanation | 2289 +---------------------+---------------------------------------------+ 2290 | IDLE | State machine start | 2291 | | | 2292 | I1-SENT | Initiating context establishment exchange | 2293 | | | 2294 | I2-SENT | Waiting to complete context establishment | 2295 | | exchange | 2296 | | | 2297 | I2BIS-SENT | Potential context loss detected | 2298 | | | 2299 | | | 2300 | ESTABLISHED | SHIM context established | 2301 | | | 2302 | E-FAILED | Context establishment exchange failed | 2303 | | | 2304 | NO-SUPPORT | ICMP Unrecognized Next Header type | 2305 | | (type 4, code 1) received indicating | 2306 | | that Shim6 is not supported | 2307 +---------------------+---------------------------------------------+ 2308 In addition, in each of the aforementioned states, the following 2309 state information is stored: 2311 +---------------------+---------------------------------------------+ 2312 | State | Information | 2313 +---------------------+---------------------------------------------+ 2314 | IDLE | None | 2315 | | | 2316 | I1-SENT | ULID(peer), ULID(local), [FII], CT(local), | 2317 | | INIT nonce, Lp(local), Lp(peer), Ls(local) | 2318 | | | 2319 | I2-SENT | ULID(peer), ULID(local), [FII], CT(local), | 2320 | | INIT nonce, RESP nonce, Lp(local), Lp(peer),| 2321 | | Ls(local), Responder Validator | 2322 | | | 2323 | ESTABLISHED | ULID(peer), ULID(local), [FII], CT(local), | 2324 | | CT(peer), Lp(local), Lp(peer), Ls(local) | 2325 | | Ls(peer), INIT nonce?(to receive late R2) | 2326 | | | 2327 | I2BIS-SENT | ULID(peer), ULID(local), [FII], CT(local), | 2328 | | CT(peer), Lp(local), Lp(peer), Ls(local) | 2329 | | Ls(peer), CT(R1bis), RESP nonce, | 2330 | | INIT nonce, Responder validator | 2331 | | | 2332 | E-FAILED | ULID(peer), ULID(local) | 2333 | | | 2334 | NO-SUPPORT | ULID(peer), ULID(local) | 2335 +---------------------+---------------------------------------------+ 2337 7. Establishing ULID-Pair Contexts 2339 ULID-pair contexts are established using a 4-way exchange, which 2340 allows the responder to avoid creating state on the first packet. As 2341 part of this exchange each end allocates a context tag, and it shares 2342 this context tag and its set of locators with the peer. 2344 In some cases the 4-way exchange is not necessary, for instance when 2345 both ends try to setup the context at the same time, or when 2346 recovering from a context that has been garbage collected or lost at 2347 one of the hosts. 2349 7.1. Uniqueness of Context Tags 2351 As part of establishing a new context, each host has to assign a 2352 unique context tag. Since the Payload Extension headers are 2353 demultiplexed based solely on the context tag value (without using 2354 the locators), the context tag MUST be unique for each context. 2356 It is important that context tags are hard to guess for off-path 2357 attackers. Therefore, if an implementation uses structure in the 2358 context tag to facilitate efficient lookups, at least 30 bits of the 2359 context tag MUST be unstructured and populated by random or pseudo- 2360 random bits. 2362 In addition, in order to minimize the reuse of context tags, the host 2363 SHOULD randomly cycle through the unstrucutred tag name space 2364 reserved for randomly assigned context tag values,(e.g. following the 2365 guidelines described in [18]). 2367 7.2. Locator Verification 2369 The peer's locators might need to be verified during context 2370 establishment as well as when handling locator updates in Section 10. 2372 There are two separate aspects of locator verification. One is to 2373 verify that the locator is tied to the ULID, i.e., that the host 2374 which "owns" the ULID is also the one that is claiming the locator 2375 "ownership". The Shim6 protocol uses the HBA or CGA techniques for 2376 doing this verification. The other is to verify that the host is 2377 indeed reachable at the claimed locator. Such verification is needed 2378 both to make sure communication can proceed, but also to prevent 3rd 2379 party flooding attacks [20]. These different verifications happen at 2380 different times, since the first might need to be performed before 2381 packets can be received by the peer with the source locator in 2382 question, but the latter verification is only needed before packets 2383 are sent to the locator. 2385 Before a host can use a locator (different than the ULID) as the 2386 source locator, it must know that the peer will accept packets with 2387 that source locator as being part of this context. Thus the HBA/CGA 2388 verification SHOULD be performed by the host before the host 2389 acknowledges the new locator, by sending an Update Acknowledgement 2390 message, or an R2 message. 2392 Before a host can use a locator (different than the ULID) as the 2393 destination locator it MUST perform the HBA/CGA verification if this 2394 was not performed before upon the reception of the locator set. In 2395 addition, it MUST verify that the ULID is indeed present at that 2396 locator. This verification is performed by doing a return- 2397 routability test as part of the Probe sub-protocol [9]. 2399 If the verification method in the Locator List option is not 2400 supported by the host, or if the verification method is not 2401 consistent with the CGA Parameter Data Structure (e.g., the Parameter 2402 Data Structure doesn't contain the multiprefix extension, and the 2403 verification method says to use HBA), then the host MUST ignore the 2404 Locator List and the message in which it is contained, and the host 2405 SHOULD generate a Shim6 Error Message with Error Code=2, with the 2406 Pointer referencing the octet in the Verification method that was 2407 found inconsistent. 2409 7.3. Normal context establishment 2411 The normal context establishment consists of a 4 message exchange in 2412 the order of I1, R1, I2, R2 as can be seen in Figure 25. 2414 Initiator Responder 2416 IDLE IDLE 2417 ------------- I1 --------------> 2418 I1-SENT 2419 <------------ R1 --------------- 2420 IDLE 2421 ------------- I2 --------------> 2422 I2-SENT 2423 <------------ R2 --------------- 2424 ESTABLISHED ESTABLISHED 2426 Figure 25: Normal context establishment 2428 7.4. Concurrent context establishment 2430 When both ends try to initiate a context for the same ULID pair, then 2431 we might end up with crossing I1 messages. Alternatively, since no 2432 state is created when receiving the I1, a host might send a I1 after 2433 having sent a R1 message. 2435 Since a host remembers that it has sent an I1, it can respond to an 2436 I1 from the peer (for the same ULID-pair), with a R2, resulting in 2437 the message exchange shown in Figure 26. Such behavior is needed for 2438 other reasons such as to correctly respond to retransmitted I1 2439 messages, which occur when the R2 message has been lost. 2441 Host A Host B 2443 IDLE IDLE 2444 -\ 2445 I1-SENT---\ 2446 ---\ /--- 2447 --- I1 ---\ /--- I1-SENT 2448 ---\ 2449 /--- I1 ---/ ---\ 2450 /--- --> 2451 <--- 2453 -\ 2454 I1-SENT---\ 2455 ---\ /--- 2456 --- R2 ---\ /--- I1-SENT 2457 ---\ 2458 /--- R2 ---/ ---\ 2459 /--- --> 2460 <--- ESTABLISHED 2461 ESTABLISHED 2463 Figure 26: Crossing I1 messages 2465 If a host has received an I1 and sent an R1, it has no state to 2466 remember this. Thus if the ULP on the host sends down packets, this 2467 might trigger the host to send an I1 message itself. Thus while one 2468 end is sending an I1 the other is sending an I2 as can be seen in 2469 Figure 27. 2471 Host A Host B 2473 IDLE IDLE 2474 -\ 2475 ---\ 2476 I1-SENT ---\ 2477 --- I1 ---\ 2478 ---\ 2479 ---\ 2480 --> 2482 /--- 2483 /--- IDLE 2484 --- 2485 /--- R1--/ 2486 /--- 2487 <--- 2489 -\ 2490 I2-SENT---\ 2491 ---\ /--- 2492 --- I2---\ /--- I1-SENT 2493 ---\ 2494 /--- I1 ---/ ---\ 2495 /--- --> 2496 <--- ESTABLISHED 2498 -\ 2499 I2-SENT---\ 2500 ---\ /--- 2501 --- R2 ---\ /--- 2502 ---\ 2503 /--- R2 ---/ ---\ 2504 /--- --> 2505 <--- ESTABLISHED 2506 ESTABLISHED 2508 Figure 27: Crossing I2 and I1 2510 7.5. Context recovery 2512 Due to garbage collection, we can end up with one end having and 2513 using the context state, and the other end not having any state. We 2514 need to be able to recover this state at the end that has lost it, 2515 before we can use it. 2517 This need can arise in the following cases: 2519 o The communication is working using the ULID pair as the locator 2520 pair, but a problem arises, and the end that has retained the 2521 context state decides to probe alternate locator pairs. 2523 o The communication is working using a locator pair that is not the 2524 ULID pair, hence the ULP packets sent from a peer that has 2525 retained the context state use the Shim6 Payload extension header. 2527 o The host that retained the state sends a control message (e.g. an 2528 Update Request message). 2530 In all the cases the result is that the peer without state receives a 2531 shim message for which it has no context for the context tag. 2533 In all of those cases we can recover the context by having the node 2534 which doesn't have a context state, send back an R1bis message, and 2535 have then complete the recovery with a I2bis and R2 message as can be 2536 seen in Figure 28. 2538 Host A Host B 2540 Context for 2541 CT(peer)=X Discards context for 2542 CT(local)=X 2544 ESTABLISHED IDLE 2546 ---- payload, probe, etc. -----> No context state 2547 for CT(local)=X 2549 <------------ R1bis ------------ 2550 IDLE 2552 ------------- I2bis -----------> 2553 I2BIS_SENT 2554 <------------ R2 --------------- 2555 ESTABLISHED ESTABLISHED 2557 Figure 28: Context loss at receiver 2559 If one end has garbage collected or lost the context state, it might 2560 try to create a new context state (for the same ULID pair), by 2561 sending an I1 message. The peer (that still has the context state) 2562 will reply with an R1 message and the full 4-way exchange will be 2563 performed again in this case as can be seen in Figure 29. 2565 Host A Host B 2567 Context for 2568 CT(peer)=X Discards context for 2569 ULIDs A1, B1 CT(local)=X 2571 ESTABLISHED IDLE 2573 Finds <------------ I1 --------------- Tries to setup 2574 existing for ULIDs A1, B1 2575 context, 2576 but CT(peer) I1-SENT 2577 doesn't match 2578 ------------- R1 ---------------> 2579 Left old context 2580 in ESTABLISHED 2582 <------------ I2 --------------- 2583 Recreate context 2585 with new CT(peer) I2-SENT 2586 and Ls(peer). 2588 ESTABLISHED 2589 ------------- R2 --------------> 2590 ESTABLISHED ESTABLISHED 2592 Figure 29: Context loss at sender 2594 7.6. Context confusion 2596 Since each end might garbage collect the context state we can have 2597 the case when one end has retained the context state and tries to use 2598 it, while the other end has lost the state. We discussed this in the 2599 previous section on recovery. But for the same reasons, when one 2600 host retains context tag X as CT(peer) for ULID pair , the 2601 other end might end up allocating that context tag as CT(local) for 2602 another ULID pair, e.g., between the same hosts. In this 2603 case we can not use the recovery mechanisms since there need to be 2604 separate context tags for the two ULID pairs. 2606 This type of "confusion" can be observed in two cases (assuming it is 2607 A that has retained the state and B has dropped it): 2609 o B decides to create a context for ULID pair , and 2610 allocates X as its context tag for this, and sends an I1 to A. 2612 o A decides to create a context for ULID pair , and starts 2613 the exchange by sending I1 to B. When B receives the I2 message, 2614 it allocates X as the context tag for this context. 2616 In both cases, A can detect that B has allocated X for ULID pair even though that A still X as CT(peer) for ULID pair . 2618 Thus A can detect that B must have lost the context for . 2620 The confusion can be detected when I2/I2bis/R2 is received since we 2621 require that those messages MUST include a sufficiently large set of 2622 locators in a Locator List option that the peer can determine whether 2623 or not two contexts have the same host as the peer by comparing if 2624 there is any common locators in Ls(peer). 2626 The requirement is that the old context which used the context tag 2627 MUST be removed; it can no longer be used to send packets. Thus A 2628 would forcibly remove the context state for , so that it 2629 can accept the new context for . An implementation MAY 2630 re-create a context to replace the one that was removed; in this case 2631 for . The normal I1, R1, I2, R2 establishment exchange would 2632 then pick unique context tags for that replacement context. This re- 2633 creation is OPTIONAL, but might be useful when there is ULP 2634 communication which is using the ULID pair whose context was removed. 2636 Note that an I1 message with a duplicate context tag should not cause 2637 the removal of the old context state; this operation needs to be 2638 deferred until the reception of the I2 message. 2640 7.7. Sending I1 messages 2642 When the shim layer decides to setup a context for a ULID pair, it 2643 starts by allocating and initializing the context state for its end. 2644 As part of this it assigns a random context tag to the context that 2645 is not being used as CT(local) by any other context . In the case 2646 that a new API is used and the ULP requests a forked context, the 2647 Forked Instance Identifier value will be set to a non-zero value. 2648 Otherwise, the FII value is zero. Then the initiator can send an I1 2649 message and set the context state to I1-SENT. The I1 message MUST 2650 include the ULID pair; normally in the IPv6 source and destination 2651 fields. But if the ULID pair for the context is not used as locator 2652 pair for the I1 message, then a ULID option MUST be included in the 2653 I1 message. In addition, if a Forked Instance Identifier value is 2654 non-zero, the I1 message MUST include a Context Instance Identifier 2655 option containing the correspondent value. 2657 7.8. Retransmitting I1 messages 2659 If the host does not receive an I2 or R2 message in response to the 2660 I1 message after I1_TIMEOUT time, then it needs to retransmit the I1 2661 message. The retransmissions should use a retransmission timer with 2662 binary exponential backoff to avoid creating congestion issues for 2663 the network when lots of hosts perform I1 retransmissions. Also, the 2664 actual timeout value should be randomized between 0.5 and 1.5 of the 2665 nominal value to avoid self-synchronization. 2667 If, after I1_RETRIES_MAX retransmissions, there is no response, then 2668 most likely the peer does not implement the Shim6 protocol, or there 2669 could be a firewall that blocks the protocol. In this case it makes 2670 sense for the host to remember to not try again to establish a 2671 context with that ULID. However, any such negative caching should 2672 retained for at most NO_R1_HOLDDOWN_TIME, to be able to later setup a 2673 context should the problem have been that the host was not reachable 2674 at all when the shim tried to establish the context. 2676 If the host receives an ICMP error with "Unrecognized Next Header" 2677 type (type 4, code 1) and the included packet is the I1 message it 2678 just sent, then this is a more reliable indication that the peer ULID 2679 does not implement Shim6. Again, in this case, the host should 2680 remember to not try again to establish a context with that ULID. 2681 Such negative caching should retained for at most ICMP_HOLDDOWN_TIME, 2682 which should be significantly longer than the previous case. 2684 7.9. Receiving I1 messages 2686 A host MUST silently discard any received I1 messages that do not 2687 satisfy all of the following validity checks in addition to those 2688 specified in Section 12.3: 2690 o The Hdr Ext Len field is at least 1, i.e., the length is at least 2691 16 octets. 2693 Upon the reception of an I1 message, the host extracts the ULID pair 2694 and the Forked Instance Identifier from the message. If there is no 2695 ULID-pair option, then the ULID pair is taken from the source and 2696 destination fields in the IPv6 header. If there is no FII option in 2697 the message, then the FII value is taken to be zero. 2699 Next the host looks for an existing context which matches the ULID 2700 pair and the FII. 2702 If no state is found (i.e., the state is IDLE), then the host replies 2703 with a R1 message as specified below. 2705 If such a context exists in ESTABLISHED state, the host verifies that 2706 the locator of the Initiator is included in Ls(peer) (This check is 2707 unnecessary if there is no ULID-pair option in the I1 message). 2709 If the state exists in ESTABLISHED state and the locators do not fall 2710 in the locator sets, then the host replies with a R1 message as 2711 specified below. This completes the I1 processing, with the context 2712 state being unchanged. 2714 If the state exists in ESTABLISHED state and the locators do fall in 2715 the sets, then the host compares CT(peer) for the context with the CT 2716 contained in the I1 message. 2718 o If the context tags match, then this probably means that the R2 2719 message was lost and this I1 is a retransmission. In this case, 2720 the host replies with a R2 message containing the information 2721 available for the existent context. 2723 o If the context tags do not match, then it probably means that the 2724 Initiator has lost the context information for this context and it 2725 is trying to establish a new one for the same ULID-pair. In this 2726 case, the host replies with a R1 message as specified below. This 2727 completes the I1 processing, with the context state being 2728 unchanged. 2730 If the state exists in other state (I1-SENT, I2-SENT, I2BIS-SENT), we 2731 are in the situation of Concurrent context establishment described in 2732 Section 7.4. In this case, the host leaves CT(peer) unchanged, and 2733 replies with a R2 message. This completes the I1 processing, with 2734 the context state being unchanged. 2736 7.10. Sending R1 messages 2738 When the host needs to send a R1 message in response to the I1 2739 message, it copies the Initiator Nonce from the I1 message to the R1 2740 message, generates a Responder Nonce and calculates a Responder 2741 Validator option as suggested in the following section. No state is 2742 created on the host in this case.(Note that the information used to 2743 generate the R1 reply message is either contained in the received I1 2744 message or it is global information that is not associated with the 2745 particular requested context (the S and the Responder nonce values)). 2747 When the host needs to send a R2 message in response to the I1 2748 message, it copies the Initiator Nonce from the I1 message to the R2 2749 message, and otherwise follows the normal rules for forming an R2 2750 message (see Section 7.14). 2752 7.10.1. Generating the R1 Validator 2754 One way for the responder to properly generate validators is to 2755 maintain a single secret (S) and a running counter (C) for the 2756 Responder Nonce that is incremented in fixed periods of time (this 2757 allows the Responder to verify the age of a Responder Nonce, 2758 independently of the context in which it is used). 2760 In the case the validator is generated to be included in a R1 2761 message, for each I1 message. The responder use the current counter 2762 C value as the Responder Nonce, and use the following information 2763 concatenated as input to the one-way function: 2765 o The secret S 2767 o That Responder Nonce 2769 o The Initiator Context Tag from the I1 message 2771 o The ULIDs from the I1 message 2773 o The locators from the I1 message (strictly only needed if they are 2774 different from the ULIDs) 2776 o The forked instance identifier if such option was included in the 2777 I1 message 2779 and then the output of the hash function is used as the validator 2780 octet string. 2782 7.11. Receiving R1 messages and sending I2 messages 2784 A host MUST silently discard any received R1 messages that do not 2785 satisfy all of the following validity checks in addition to those 2786 specified in Section 12.3: 2788 o The Hdr Ext Len field is at least 1, i.e., the length is at least 2789 16 octets. 2791 Upon the reception of an R1 message, the host extracts the Initiator 2792 Nonce and the Locator Pair from the message (the latter from the 2793 source and destination fields in the IPv6 header). Next the host 2794 looks for an existing context which matches the Initiator Nonce and 2795 where the locators are contained in Ls(peer) and Ls(local), 2796 respectively. If no such context is found, then the R1 message is 2797 silently discarded. 2799 If such a context is found, then the host looks at the state: 2801 o If the state is I1-SENT, then it sends an I2 message as specified 2802 below. 2804 o In any other state (I2-SENT, I2BIS-SENT, ESTABLISHED) then the 2805 host has already sent an I2 message then this is probably a reply 2806 to a retransmitted I1 message, so this R1 message MUST be silently 2807 discarded. 2809 When the host sends an I2 message, then it includes the Responder 2810 Validator option that was in the R1 message. The I2 message MUST 2811 include the ULID pair; normally in the IPv6 source and destination 2812 fields. If a ULID-pair option was included in the I1 message then it 2813 MUST be included in the I2 message as well. In addition, if the 2814 Forked Instance Identifier value for this context is non-zero, the I2 2815 message MUST contain a Forked Instance Identifier Option carrying 2816 this value. Besides, the I2 message contains an Initiator Nonce. 2817 This is not required to be the same than the one included in the 2818 previous I1 message. 2820 The I2 message also includes the Initiator's locator list and the CGA 2821 parameter data structure. If CGA (and not HBA) is used to verify the 2822 locator list, then Initiator also signs the key parts of the message 2823 and includes a CGA signature option containing the signature. 2825 When the I2 message has been sent, the state is set to I2-SENT. 2827 7.12. Retransmitting I2 messages 2829 If the initiator does not receive an R2 message after I2_TIMEOUT time 2830 after sending an I2 message it MAY retransmit the I2 message, using 2831 binary exponential backoff and randomized timers. The Responder 2832 Validator option might have a limited lifetime, that is, the peer 2833 might reject Responder Validator options that are older than 2834 VALIDATOR_MIN_LIFETIME to avoid replay attacks. In the case that the 2835 initiator decides not to retransmit I2 messages or in the case that 2836 the initiator still does not recieve an R2 message after 2837 retransmitting I2 messages I2_RETRIES_MAX times, the initiator SHOULD 2838 fall back to retransmitting the I1 message. 2840 7.13. Receiving I2 messages 2842 A host MUST silently discard any received I2 messages that do not 2843 satisfy all of the following validity checks in addition to those 2844 specified in Section 12.3: 2846 o The Hdr Ext Len field is at least 2, i.e., the length is at least 2847 24 octets. 2849 Upon the reception of an I2 message, the host extracts the ULID pair 2850 and the Forked Instance identifier from the message. If there is no 2851 ULID-pair option, then the ULID pair is taken from the source and 2852 destination fields in the IPv6 header. If there is no FII option in 2853 the message, then the FII value is taken to be zero. 2855 Next the host verifies that the Responder Nonce is a recent one 2856 (Nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be 2857 considered recent), and that the Responder Validator option matches 2858 the validator the host would have computed for the ULID, locators, 2859 responder nonce, initiator nonce and FII. 2861 If a CGA Parameter Data Structure (PDS) is included in the message, 2862 then the host MUST verify if the actual PDS contained in the message 2863 corresponds to the ULID(peer). 2865 If any of the above verifications fails, then the host silently 2866 discards the message and it has completed the I2 processing. 2868 If all the above verifications are successful, then the host proceeds 2869 to look for a context state for the Initiator. The host looks for a 2870 context with the extracted ULID pair and FII. If none exist then 2871 state of the (non-existing) context is viewed as being IDLE, thus the 2872 actions depend on the state as follows: 2874 o If the state is IDLE (i.e., the context does not exist) the host 2875 allocates a context tag (CT(local)), creates the context state for 2876 the context, and sets its state to ESTABLISHED. It records 2877 CT(peer), and the peer's locator set as well as its own locator 2878 set in the context. It SHOULD perform the HBA/CGA verification of 2879 the peer's locator set at this point in time, as specified in 2880 Section 7.2. Then the host sends an R2 message back as specified 2881 below. 2883 o If the state is I1-SENT, then the host verifies if the source 2884 locator is included in Ls(peer) or, it is included in the Locator 2885 List contained in the I2 message and the HBA/CGA verification for 2886 this specific locator is successful 2888 * If this is not the case, then the message is silently discarded 2889 and the context state remains unchanged. 2891 * If this is the case, then the host updates the context 2892 information (CT(peer), Ls(peer)) with the data contained in the 2893 I2 message and the host MUST send a R2 message back as 2894 specified below. Note that before updating Ls(peer) 2895 information, the host SHOULD perform the HBA/CGA validation of 2896 the peer's locator set at this point in time as specified in 2897 Section 7.2. The host moves to ESTABLISHED state. 2899 o If the state is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host 2900 verifies if the source locator is included in Ls(peer) or, it is 2901 included in the Locator List contained in the I2 message and the 2902 HBA/CGA verification for this specific locator is successful 2904 * If this is not the case, then the message is silently discarded 2905 and the context state remains unchanged. 2907 * If this is the case, then the host updates the context 2908 information (CT(peer), Ls(peer)) with the data contained in the 2909 I2 message and the host MUST send a R2 message back as 2910 specified in Section 7.14. Note that before updating Ls(peer) 2911 information, the host SHOULD perform the HBA/CGA validation of 2912 the peer's locator set at this point in time as specified in 2913 Section 7.2. The context state remains unchanged. 2915 7.14. Sending R2 messages 2917 Before the host sends the R2 message it MUST look for a possible 2918 context confusion i.e. where it would end up with multiple contexts 2919 using the same CT(peer) for the same peer host. See Section 7.15. 2921 When the host needs to send an R2 message, the host forms the message 2922 using its locators and its context tag, copies the Initiator Nonce 2923 from the triggering message (I2, I2bis, or I1), and includes the 2924 necessary options so that the peer can verify the locators. In 2925 particular, the R2 message includes the Responder's locator list and 2926 the PDS option. If CGA (and not HBA) is used to verify the locator 2927 list, then the Responder also signs the key parts of the message and 2928 includes a CGA Signature option containing the signature. 2930 R2 messages are never retransmitted. If the R2 message is lost, then 2931 the initiator will retransmit either the I2/I2bis or I1 message. 2932 Either retransmission will cause the responder to find the context 2933 state and respond with an R2 message. 2935 7.15. Match for Context Confusion 2937 When the host receives an I2, I2bis, or R2 it MUST look for a 2938 possible context confusion i.e. where it would end up with multiple 2939 contexts using the same CT(peer) for the same peer host. This can 2940 happen when it has received the above messages since they create a 2941 new context with a new CT(peer). Same issue applies when CT(peer) is 2942 updated for an existing context. 2944 The host takes CT(peer) for the newly created or updated context, and 2945 looks for other contexts which: 2947 o Are in state ESTABLISHED or I2BIS-SENT. 2949 o Have the same CT(peer). 2951 o Where Ls(peer) has at least one locator in common with the newly 2952 created or updated context. 2954 If such a context is found, then the host checks if the ULID pair or 2955 the Forked Instance Identifier different than the ones in the newly 2956 created or updated context: 2958 o If either or both are different, then the peer is reusing the 2959 context tag for the creation of a context with different ULID pair 2960 or FII, which is an indication that the peer has lost the original 2961 context. In this case, we are in the Context confusion situation, 2962 and the host MUST NOT use the old context to send any packets. It 2963 MAY just discard the old context (after all, the peer has 2964 discarded it), or it MAY attempt to re-establish the old context 2965 by sending a new I1 message and moving its state to I1-SENT. In 2966 any case, once that this situation is detected, the host MUST NOT 2967 keep two contexts with overlapping Ls(peer) locator sets and the 2968 same context tag in ESTABLISHED state, since this would result in 2969 demultiplexing problems on the peer. 2971 o If both are the same, then this context is actually the context 2972 that is created or updated, hence there is no confusion. 2974 7.16. Receiving R2 messages 2976 A host MUST silently discard any received R2 messages that do not 2977 satisfy all of the following validity checks in addition to those 2978 specified in Section 12.3: 2980 o The Hdr Ext Len field is at least 1, i.e., the length is at least 2981 16 octets. 2983 Upon the reception of an R2 message, the host extracts the Initiator 2984 Nonce and the Locator Pair from the message (the latter from the 2985 source and destination fields in the IPv6 header). Next the host 2986 looks for an existing context which matches the Initiator Nonce and 2987 where the locators are Lp(peer) and Lp(local), respectively. Based 2988 on the state: 2990 o If no such context is found, i.e., the state is IDLE, then the 2991 message is silently dropped. 2993 o If state is I1-SENT, I2-SENT, or I2BIS-SENT then the host performs 2994 the following actions: If a CGA Parameter Data Structure (PDS) is 2995 included in the message, then the host MUST verify that the actual 2996 PDS contained in the message corresponds to the ULID(peer) as 2997 specified in Section 7.2. If the verification fails, then the 2998 message is silently dropped. If the verification succeeds, then 2999 the host records the information from the R2 message in the 3000 context state; it records the peer's locator set and CT(peer). 3001 The host SHOULD perform the HBA/CGA verification of the peer's 3002 locator set at this point in time, as specified in Section 7.2. 3003 The host sets its state to ESTABLISHED. 3005 o If the state is ESTABLISHED, the R2 message is silently ignored, 3006 (since this is likely to be a reply to a retransmitted I2 3007 message). 3009 Before the host completes the R2 processing it MUST look for a 3010 possible context confusion i.e. where it would end up with multiple 3011 contexts using the same CT(peer) for the same peer host. See 3012 Section 7.15. 3014 7.17. Sending R1bis messages 3016 Upon the receipt of a Shim6 payload extension header where there is 3017 no current Shim6 context at the receiver, the receiver is to respond 3018 with an R1bis message in order to enable a fast re-establishment of 3019 the lost Shim6 context. 3021 Also a host is to respond with a R1bis upon receipt of any control 3022 messages that has a message type in the range 64-127 (i.e., excluding 3023 the context setup messages such as I1, R1, R1bis, I2, I2bis, R2 and 3024 future extensions), where the control message refers to a non 3025 existent context. 3027 We assume that all the incoming packets that trigger the generation 3028 of an R1bis message contain a locator pair (in the address fields of 3029 the IPv6 header) and a Context Tag. 3031 Upon reception of any of the packets described above, the host will 3032 reply with an R1bis including the following information: 3034 o The Responder Nonce is a number picked by the responder which the 3035 initiator will return in the I2bis message. 3037 o Packet Context Tag is the context tag contained in the received 3038 packet that triggered the generation of the R1bis message. 3040 o The Responder Validator option is included, with a validator that 3041 is computed as suggested in the next section. 3043 7.17.1. Generating the R1bis Validator 3045 One way for the responder to properly generate validators is to 3046 maintain a single secret (S) and a running counter C for the 3047 Responder Nonce that is incremented in fixed periods of time (this 3048 allows the Responder to verify the age of a Responder Nonce, 3049 independently of the context in which it is used). 3051 In the case the validator is generated to be included in a R1bis 3052 message, for each received payload extension header or control 3053 message, the responder use the counter C value as the Responder 3054 Nonce, and use the following information concatenated as input to the 3055 one-way function: 3057 o The secret S 3059 o That Responder Nonce 3061 o The Receiver Context tag included in the received packet 3063 o The locators from the received packet 3065 and then the output of the hash function is used as the validator 3066 octet string. 3068 7.18. Receiving R1bis messages and sending I2bis messages 3070 A host MUST silently discard any received R1bis messages that do not 3071 satisfy all of the following validity checks in addition to those 3072 specified in Section 12.3: 3074 o The Hdr Ext Len field is at least 1, i.e., the length is at least 3075 16 octets. 3077 Upon the reception of an R1bis message, the host extracts the Packet 3078 Context Tag and the Locator Pair from the message (the latter from 3079 the source and destination fields in the IPv6 header). Next the host 3080 looks for an existing context where the Packet Context Tag matches 3081 CT(peer) and where the locators match Lp(peer) and Lp(local), 3082 respectively. 3084 o If no such context is not found, i.e., the state is IDLE, then the 3085 R1bis message is silently discarded. 3087 o If the state is I1-SENT, I2-SENT, or I2BIS-SENT, then the R1bis 3088 message is silently discarded. 3090 o If the state is ESTABLISHED, then we are in the case where the 3091 peer has lost the context and the goal is to try to re-establish 3092 it. For that, the host leaves CT(peer) unchanged in the context 3093 state, transitions to I2BIS-SENT state, and sends a I2bis message, 3094 including the computed Responder Validator option, the Packet 3095 Context Tag, and the Responder Nonce received in the R1bis 3096 message. This I2bis message is sent using the locator pair 3097 included in the R1bis message. In the case that this locator pair 3098 differs from the ULID pair defined for this context, then an ULID 3099 option MUST be included in the I2bis message. In addition, if the 3100 Forked Instance Identifier for this context is non-zero, then a 3101 Forked Instance Identifier option carrying the instance identifier 3102 value for this context MUST be included in the I2bis message. 3104 7.19. Retransmitting I2bis messages 3106 If the initiator does not receive an R2 message after I2bis_TIMEOUT 3107 time after sending an I2bis message it MAY retransmit the I2bis 3108 message, using binary exponential backoff and randomized timers. The 3109 Responder Validator option might have a limited lifetime, that is, 3110 the peer might reject Responder Validator options that are older than 3111 VALIDATOR_MIN_LIFETIME to avoid replay attacks. In the case that the 3112 initiator decides not to retransmit I2bis messages or in the case 3113 that the initiator still does not recieve an R2 message after 3114 retransmitting I2bis messages I2bis_RETRIES_MAX times, the initiator 3115 SHOULD fallback to retransmitting the I1 message. 3117 7.20. Receiving I2bis messages and sending R2 messages 3119 A host MUST silently discard any received I2bis messages that do not 3120 satisfy all of the following validity checks in addition to those 3121 specified in Section 12.3: 3123 o The Hdr Ext Len field is at least 3, i.e., the length is at least 3124 32 octets. 3126 Upon the reception of an I2bis message, the host extracts the ULID 3127 pair and the Forked Instance identifier from the message. If there 3128 is no ULID-pair option, then the ULID pair is taken from the source 3129 and destination fields in the IPv6 header. If there is no FII option 3130 in the message, then the FII value is taken to be zero. 3132 Next the host verifies that the Responder Nonce is a recent one 3133 (Nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be 3134 considered recent), and that the Responder Validator option matches 3135 the validator the host would have computed for the locators, 3136 Responder Nonce, and Receiver Context tag as part of sending an R1bis 3137 message. 3139 If a CGA Parameter Data Structure (PDS) is included in the message, 3140 then the host MUST verify if the actual PDS contained in the message 3141 corresponds to the ULID(peer). 3143 If any of the above verifications fails, then the host silently 3144 discard the message and it has completed the I2bis processing. 3146 If both verifications are successful, then the host proceeds to look 3147 for a context state for the Initiator. The host looks for a context 3148 with the extracted ULID pair and FII. If none exist then state of 3149 the (non-existing) context is viewed as being IDLE, thus the actions 3150 depend on the state as follows: 3152 o If the state is IDLE (i.e., the context does not exist) the host 3153 allocates a context tag (CT(local)), creates the context state for 3154 the context, and sets its state to ESTABLISHED. The host SHOULD 3155 NOT use the Packet Context Tag in the I2bis message for CT(local); 3156 instead it should pick a new random context tag just as when it 3157 processes an I2 message. It records CT(peer), and the peer's 3158 locator set as well as its own locator set in the context. It 3159 SHOULD perform the HBA/CGA verification of the peer's locator set 3160 at this point in time as specified in Section 7.2. Then the host 3161 sends an R2 message back as specified in Section 7.14. 3163 o If the state is I1-SENT, then the host verifies if the source 3164 locator is included in Ls(peer) or, it is included in the Locator 3165 List contained in the I2 message and the HBA/CGA verification for 3166 this specific locator is successful 3168 * If this is not the case, then the message is silently 3169 discarded. The the context state remains unchanged. 3171 * If this is the case, then the host updates the context 3172 information (CT(peer), Ls(peer)) with the data contained in the 3173 I2 message and the host MUST send a R2 message back as 3174 specified below. Note that before updating Ls(peer) 3175 information, the host SHOULD perform the HBA/CGA validation of 3176 the peer's locator set at this point in time as specified in 3177 Section 7.2. The host moves to ESTABLISHED state. 3179 o If the state is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host 3180 verifies if the source locator is included in Ls(peer) or, it is 3181 included in the Locator List contained in the I2 message and the 3182 HBA/CGA verification for this specific locator is successful 3183 * If this is not the case, then the message is silently 3184 discarded. The the context state remains unchanged. 3186 * If this is the case, then the host updates the context 3187 information (CT(peer), Ls(peer)) with the data contained in the 3188 I2 message and the host MUST send a R2 message back as 3189 specified in Section 7.14. Note that before updating Ls(peer) 3190 information, the host SHOULD perform the HBA/CGA validation of 3191 the peer's locator set at this point in time as specified in 3192 Section 7.2. The context state remains unchanged. 3194 8. Handling ICMP Error Messages 3196 The routers in the path as well as the destination might generate 3197 various ICMP error messages, such as host unreachable, packet too 3198 big, and Unrecognized Next Header type. It is critical that these 3199 packets make it back up to the ULPs so that they can take appropriate 3200 action. 3202 This is an implementation issue in the sense that the mechanism is 3203 completely local to the host itself. But the issue of how ICMP 3204 errors are correctly dispatched to the ULP on the host are important, 3205 hence this section specifies the issue. 3207 +--------------+ 3208 | IPv6 Header | 3209 | | 3210 +--------------+ 3211 | ICMPv6 | 3212 | Header | 3213 - - +--------------+ - - 3214 | IPv6 Header | 3215 | src, dst as | Can be dispatched 3216 IPv6 | sent by ULP | unmodified to ULP 3217 | on host | ICMP error handler 3218 Packet +--------------+ 3219 | ULP | 3220 in | Header | 3221 +--------------+ 3222 Error | | 3223 ~ Data ~ 3224 | | 3225 - - +--------------+ - - 3227 Figure 30: ICMP error handling without payload extension header 3229 When the ULP packets are sent without the payload extension header, 3230 that is, while the initial locators=ULIDs are working, this 3231 introduces no new concerns; an implementation's existing mechanism 3232 for delivering these errors to the ULP will work. See Figure 30. 3234 But when the shim on the transmitting side inserts the payload 3235 extension header and replaces the ULIDs in the IP address fields with 3236 some other locators, then an ICMP error coming back will have a 3237 "packet in error" which is not a packet that the ULP sent. Thus the 3238 implementation will have to apply the reverse mapping to the "packet 3239 in error" before passing the ICMP error up to the ULP. See 3240 Figure 31. 3242 +--------------+ 3243 | IPv6 Header | 3244 | | 3245 +--------------+ 3246 | ICMPv6 | 3247 | Header | 3248 - - +--------------+ - - 3249 | IPv6 Header | 3250 | src, dst as | Needs to be 3251 IPv6 | modified by | transformed to 3252 | shim on host | have ULIDs 3253 +--------------+ in src, dst fields, 3254 Packet | Shim6 ext. | and Shim6 ext. 3255 | Header | header removed 3256 in +--------------+ before it can be 3257 | Transport | dispatched to the ULP 3258 Error | Header | ICMP error handler. 3259 +--------------+ 3260 | | 3261 ~ Data ~ 3262 | | 3263 - - +--------------+ - - 3265 Figure 31: ICMP error handling with payload extension header 3267 Note that this mapping is different than when receiving packets from 3268 the peer with a payload extension headers, because in that case the 3269 packets contain CT(local). But the ICMP errors have a "packet in 3270 error" with an payload extension header containing CT(peer). This is 3271 because they were intended to be received by the peer. In any case, 3272 since the has to be 3273 unique when received by the peer, the local host should also only be 3274 able to find one context that matches this tuple. 3276 If the ICMP error is a Packet Too Big, the reported MTU must be 3277 adjusted to be 8 octets less, since the shim will add 8 octets when 3278 sending packets. 3280 After the "packet in error" has had the original ULIDs inserted, then 3281 this payload extension header can be removed. The result is a 3282 "packet in error" that is passed to the ULP which looks as if the 3283 shim did not exist. 3285 9. Teardown of the ULID-Pair Context 3287 Each host can unilaterally decide when to tear down a ULID-pair 3288 context. It is RECOMMENDED that hosts do not tear down the context 3289 when they know that there is some upper layer protocol that might use 3290 the context. For example, an implementation might know this if there 3291 is an open socket which is connected to the ULID(peer). However, 3292 there might be cases when the knowledge is not readily available to 3293 the shim layer, for instance for UDP applications which do not 3294 connect their sockets, or any application which retains some higher 3295 level state across (TCP) connections and UDP packets. 3297 Thus it is RECOMMENDED that implementations minimize premature 3298 teardown by observing the amount of traffic that is sent and received 3299 using the context, and only after it appears quiescent, tear down the 3300 state. A reasonable approach would be not to tear down a context 3301 until at least 5 minutes have passed since the last message was sent 3302 or received using the context. (Note that packets that use the ULID 3303 pair as locator pair and that do not require address rewriting by the 3304 Shim6 layer are also considered as packets using the associated Shim6 3305 context) 3307 Since there is no explicit, coordinated removal of the context state, 3308 there are potential issues around context tag reuse. One end might 3309 remove the state, and potentially reuse that context tag for some 3310 other communication, and the peer might later try to use the old 3311 context (which it didn't remove). The protocol has mechanisms to 3312 recover from this, which work whether the state removal was total and 3313 accidental (e.g., crash and reboot of the host), or just a garbage 3314 collection of shim state that didn't seem to be used. However, the 3315 host should try to minimize the reuse of context tags by trying to 3316 randomly cycle through the 2^47 context tag values. (See Appendix C 3317 for a summary how the recovery works in the different cases.) 3319 10. Updating the Peer 3321 The Update Request and Acknowledgement are used both to update the 3322 list of locators (only possible when CGA is used to verify the 3323 locator(s)), as well as updating the preferences associated with each 3324 locator. 3326 10.1. Sending Update Request messages 3328 When a host has a change in the locator set, then it can communicate 3329 this to the peer by sending an Update Request. When a host has a 3330 change in the preferences for its locator set, it can also 3331 communicate this to the peer. The Update Request message can include 3332 just a Locator List option, to convey the new set of locators (which 3333 requires a CGA signature option as well), just a Locator Preferences 3334 option, or both a new Locator List and new Locator Preferences. 3336 Should the host send a new Locator List, the host picks a new random 3337 local generation number, records this in the context, and puts it in 3338 the Locator List option. Any Locator Preference option, whether send 3339 in the same Update Request or in some future Update Request, will use 3340 that generation number to make sure the preferences get applied to 3341 the correct version of the locator list. 3343 The host picks a random Request Nonce for each update, and keeps the 3344 same nonce for any retransmissions of the Update Request. The nonce 3345 is used to match the acknowledgement with the request. 3347 10.2. Retransmitting Update Request messages 3349 If the host does not receive an Update Acknowledgement R2 message in 3350 response to the Update Request message after UPDATE_TIMEOUT time, 3351 then it needs to retransmit the Update Request message. The 3352 retransmissions should use a retransmission timer with binary 3353 exponential backoff to avoid creating congestion issues for the 3354 network when lots of hosts perform Update Request retransmissions. 3355 Also, the actual timeout value should be randomized between 0.5 and 3356 1.5 of the nominal value to avoid self-synchronization. 3358 Should there be no response, the retransmissions continue forever. 3359 The binary exponential backoff stops at MAX_UPDATE_TIMEOUT. But the 3360 only way the retransmissions would stop when there is no 3361 acknowledgement, is when the shim, through the Probe protocol or some 3362 other mechanism, decides to discard the context state due to lack of 3363 ULP usage in combination with no responses to the Probes. 3365 10.3. Newer Information While Retransmitting 3367 There can be at most one outstanding Update Request message at any 3368 time. Thus until e.g. an update with a new Locator List has been 3369 acknowledged, any even newer Locator List or new Locator Preferences 3370 can not just be sent. However, when there is newer information and 3371 the older information has not yet been acknowledged, the host can 3372 instead of waiting for an acknowledgement, abandon the previous 3373 update and construct a new Update Request (with a new Request Nonce) 3374 which includes the new information as well as the information that 3375 hadn't yet been acknowledged. 3377 For example, if the original locator list was just (A1, A2), and if 3378 an Update Request with the Locator List (A1, A3) is outstanding, and 3379 the host determines that it should both add A4 to the locator list, 3380 and mark A1 as BROKEN, then it would need to: 3382 o Pick a new random Request Nonce for the new Update Request. 3384 o Pick a new random Generation number for the new locator list. 3386 o Form the new locator list - (A1, A3, A4) 3388 o Form a Locator Preference option which uses the new generation 3389 number and has the BROKEN flag for the first locator. 3391 o Send the Update Request and start a retransmission timer. 3393 Any Update Acknowledgement which doesn't match the current request 3394 nonce, for instance an acknowledgement for the abandoned Update 3395 Request, will be silently ignored. 3397 10.4. Receiving Update Request messages 3399 A host MUST silently discard any received Update Request messages 3400 that do not satisfy all of the following validity checks in addition 3401 to those specified in Section 12.3: 3403 o The Hdr Ext Len field is at least 1, i.e., the length is at least 3404 16 octets. 3406 Upon the reception of an Update Request message, the host extracts 3407 the Context Tag from the message. It then looks for a context which 3408 has a CT(local) that matches the context tag. If no such context is 3409 found, it sends a R1bis message as specified in Section 7.17. 3411 Since context tags can be reused, the host MUST verify that the IPv6 3412 source address field is part of Ls(peer) and that the IPv6 3413 destination address field is part of Ls(local). If this is not the 3414 case, the sender of the Update Request has a stale context which 3415 happens to match the CT(local) for this context. In this case the 3416 host MUST send a R1bis message, and otherwise ignore the Update 3417 Request message. 3419 If a CGA Parameter Data Structure (PDS) is included in the message, 3420 then the host MUST verify if the actual PDS contained in the packet 3421 corresponds to the ULID(peer). If this verification fails, the 3422 message is silently discarded. 3424 Then, depending on the state of the context: 3426 o If ESTABLISHED: Proceed to process message. 3428 o If I1-SENT, discard the message and stay in I1-SENT. 3430 o If I2-SENT, then send I2 and proceed to process the message. 3432 o If I2BIS-SENT, then send I2bis and proceed to process the message. 3434 The verification issues for the locators carried in the Locator 3435 Update message are specified in Section 7.2. If the locator list can 3436 not be verified, this procedure should send a Shim6 Error message 3437 with Error Code=2. In any case, if it can not be verified, there is 3438 no further processing of the Update Request. 3440 Once any Locator List option in the Update Request has been verified, 3441 the peer generation number in the context is updated to be the one in 3442 the Locator List option. 3444 If the Update message contains a Locator Preference option, then the 3445 Generation number in the preference option is compared with the peer 3446 generation number in the context. If they do not match, then the 3447 host generates a Shim6 Error Message with Error Code=3 with the 3448 Pointer field referring to the first octet in the Generation number 3449 in the Locator Preference option. In addition, if the number of 3450 elements in the Locator Preference option does not match the number 3451 of locators in Ls(peer), then a Shim6 Error Message with Error Code=4 3452 is sent with the Pointer referring to the first octet of the Length 3453 field in the Locator Preference option. In both cases of failures, 3454 no further processing is performed for the Locator Update message. 3456 If the generation number matches, the locator preferences are 3457 recorded in the context. 3459 Once the Locator List option (if present) has been verified and any 3460 new locator list or locator preferences have been recorded, the host 3461 sends an Update Acknowledgement message, copying the nonce from the 3462 request, and using the CT(peer) in as the Receiver Context Tag. 3464 Any new locators, or more likely new locator preferences, might 3465 result in the host wanting to select a different locator pair for the 3466 context. For instance, if the Locator Preferences lists the current 3467 Lp(peer) as BROKEN. The host uses the Probe message in [9] to verify 3468 that the new locator is reachable before changing Lp(peer). 3470 10.5. Receiving Update Acknowledgement messages 3472 A host MUST silently discard any received Update Acknowledgement 3473 messages that do not satisfy all of the following validity checks in 3474 addition to those specified in Section 12.3: 3476 o The Hdr Ext Len field is at least 1, i.e., the length is at least 3477 16 octets. 3479 Upon the reception of an Update Acknowledgement message, the host 3480 extracts the Context Tag and the Request Nonce from the message. It 3481 then looks for a context which has a CT(local) that matches the 3482 context tag. If no such context is found, it sends a R1bis message 3483 as specified in Section 7.17. 3485 Since context tags can be reused, the host MUST verify that the IPv6 3486 source address field is part of Ls(peer) and that the IPv6 3487 destination address field is part of Ls(local). If this is not the 3488 case, the sender of the Update Acknowledgement has a stale context 3489 which happens to match the CT(local) for this context. In this case 3490 the host MUST send a R1bis message, and otherwise ignore the Update 3491 Acknowledgement message. 3493 Then, depending on the state of the context: 3495 o If ESTABLISHED: Proceed to process message. 3497 o If I1-SENT, discard the message and stay in I1-SENT. 3499 o If I2-SENT, then send R2 and proceed to process the message. 3501 o If I2BIS-SENT, then send R2 and proceed to process the message. 3503 If the Request Nonce doesn't match the Nonce for the last sent Update 3504 Request for the context, then the Update Acknowledgement is silently 3505 ignored. If the nonce matches, then the update has been completed 3506 and the Update retransmit timer can be reset. 3508 11. Sending ULP Payloads 3510 When there is no context state for the ULID pair on the sender, there 3511 is no effect on how ULP packets are sent. If the host is using some 3512 heuristic for determining when to perform a deferred context 3513 establishment, then the host might need to do some accounting (count 3514 the number of packets sent and received) even before there is a ULID- 3515 pair context. 3517 If the context is not in ESTABLISHED or I2BIS-SENT state, then it 3518 there is also no effect on how the ULP packets are sent. Only in the 3519 ESTABLISHED and I2BIS-SENT states does the host have CT(peer) and 3520 Ls(peer) set. 3522 If there is a ULID-pair context for the ULID pair, then the sender 3523 needs to verify whether context uses the ULIDs as locators, that is, 3524 whether Lp(peer) == ULID(peer) and Lp(local) == ULID(local). 3526 If this is the case, then packets can be sent unmodified by the shim. 3527 If it is not the case, then the logic in Section 11.1 will need to be 3528 used. 3530 There will also be some maintenance activity relating to 3531 (un)reachability detection, whether packets are sent with the 3532 original locators or not. The details of this is out of scope for 3533 this document and is specified in [9]. 3535 11.1. Sending ULP Payload after a Switch 3537 When sending packets, if there is a ULID-pair context for the ULID 3538 pair, and the ULID pair is no longer used as the locator pair, then 3539 the sender needs to transform the packet. Apart from replacing the 3540 IPv6 source and destination fields with a locator pair, an 8-octet 3541 header is added so that the receiver can find the context and inverse 3542 the transformation. 3544 If there has been a failure causing a switch, and later the context 3545 switches back to sending things using the ULID pair as the locator 3546 pair, then there is no longer a need to do any packet transformation 3547 by the sender, hence there is no need to include the 8-octet 3548 extension header. 3550 First, the IP address fields are replaced. The IPv6 source address 3551 field is set to Lp(local) and the destination address field is set to 3552 Lp(peer). NOTE that this MUST NOT cause any recalculation of the ULP 3553 checksums, since the ULP checksums are carried end-to-end and the ULP 3554 pseudo-header contains the ULIDs which are preserved end-to-end. 3556 The sender skips any "routing sub-layer extension headers" that the 3557 ULP might have included, thus it skips any hop-by-hop extension 3558 header, any routing header, and any destination options header that 3559 is followed by a routing header. After any such headers the Shim6 3560 extension header will be added. This might be before a Fragment 3561 header, a Destination Options header, an ESP or AH header, or a ULP 3562 header. 3564 The inserted Shim6 Payload extension header includes the peer's 3565 context tag. It takes on the next header value from the preceding 3566 extension header, since that extension header will have a next header 3567 value of Shim6. 3569 12. Receiving Packets 3571 The receive side of the communication can receive packets associated 3572 to a Shim6 context with or without the Shim6 extenson header. In 3573 case that the ULID pair is being used as locator pair, the packets 3574 received will not have the Shim6 extension header and will be 3575 processed by the Shim6 layer as described below. If the received 3576 packet does carry the Shim6 extension header, as in normal IPv6 3577 receive side packet processing the receiver parses the (extension) 3578 headers in order. Should it find a Shim6 extension header it will 3579 look at the "P" field in that header. If this bit is zero, then the 3580 packet must be passed to the Shim6 payload handling for rewriting. 3581 Otherwise, the packet is passed to the Shim6 control handling. 3583 12.1. Receiving payload without extension headers 3585 The receiver extracts the IPv6 source and destination fields, and 3586 uses this to find a ULID-pair context, such that the IPv6 address 3587 fields match the ULID(local) and ULID(peer). If such a context is 3588 found, the context appears not to be quiescent and this should be 3589 remembered in order to avoid tearing down the context and for 3590 reachability detection porpuses as described in [9]. The host 3591 continues with the normal processing of the IP packet. 3593 12.2. Receiving Payload Extension Headers 3595 The receiver extracts the context tag from the payload extension 3596 header, and uses this to find a ULID-pair context. If no context is 3597 found, the receiver SHOULD generate a R1bis message (see 3598 Section 7.17). 3600 Then, depending on the state of the context: 3602 o If ESTABLISHED: Proceed to process message. 3604 o If I1-SENT, discard the message and stay in I1-SENT. 3606 o If I2-SENT, then send I2 and proceed to process the message. 3608 o If I2BIS-SENT, then send I2bis and proceed to process the message. 3610 With the context in hand, the receiver can now replace the IP address 3611 fields with the ULIDs kept in the context. Finally, the Payload 3612 extension header is removed from the packet (so that the ULP doesn't 3613 get confused by it), and the next header value in the preceding 3614 header is set to be the actual protocol number for the payload. Then 3615 the packet can be passed to the protocol identified by the next 3616 header value (which might be some function associated with the IP 3617 endpoint sublayer, or a ULP). 3619 If the host is using some heuristic for determining when to perform a 3620 deferred context establishment, then the host might need to do some 3621 accounting (count the number of packets sent and received) for 3622 packets that does not have a Shim6 extension header and for which 3623 there is no context. But the need for this depends on what 3624 heuristics the implementation has chosen. 3626 12.3. Receiving Shim Control messages 3628 A shim control message has the checksum field verified. The Shim 3629 header length field is also verified against the length of the IPv6 3630 packet to make sure that the shim message doesn't claim to end past 3631 the end of the IPv6 packet. Finally, it checks that the neither the 3632 IPv6 destination field nor the IPv6 source field is a multicast 3633 address. If any of those checks fail, the packet is silently 3634 dropped. 3636 The message is then dispatched based on the shim message type. Each 3637 message type is then processed as described elsewhere in this 3638 document. If the packet contains a shim message type which is 3639 unknown to the receiver, then a Shim6 Error Message with Error Code=0 3640 is generated and sent back. The Pointer field is set to point at the 3641 first octet of the shim message type. 3643 All the control messages can contain any options with C=0. If there 3644 is any option in the message with C=1 that isn't known to the host, 3645 then the host MUST send a Shim6 Error Message with Error Code=1, with 3646 the Pointer field referencing the first octet of the Option Type. 3648 12.4. Context Lookup 3650 We assume that each shim context has its own state machine. We 3651 assume that a dispatcher delivers incoming packets to the state 3652 machine that it belongs to. Here we describe the rules used for the 3653 dispatcher to deliver packets to the correct shim context state 3654 machine. 3656 There is one state machine per context identified that is 3657 conceptually identified by ULID pair and Forked Instance Identifier 3658 (which is zero by default), or identified by CT(local). However, the 3659 detailed lookup rules are more complex, especially during context 3660 establishment. 3662 Clearly, if the required context is not established, it will be in 3663 IDLE state. 3665 During context establishment, the context is identified as follows: 3667 o I1 packets: Deliver to the context associated with the ULID pair 3668 and the Forked Instance Identifier. 3670 o I2 packets: Deliver to the context associated with the ULID pair 3671 and the Forked Instance Identifier. 3673 o R1 packets: Deliver to the context with the locator pair included 3674 in the packet and the Initiator nonce included in the packet (R1 3675 does not contain ULID pair nor the CT(local)). If no context 3676 exist with this locator pair and Initiator nonce, then silently 3677 discard. 3679 o R2 packets: Deliver to the context with the locator pair included 3680 in the packet and the Initiator nonce included in the packet (R2 3681 does not contain ULID pair nor the CT(local)). If no context 3682 exists with this locator pair and INIT nonce, then silently 3683 discard. 3685 o R1bis packet: deliver to the context that has the locator pair and 3686 the CT(peer) equal to the Packet Context Tag included in the R1bis 3687 packet. 3689 o I2bis packets: Deliver to the context associated with the ULID 3690 pair and the Forked Instance Identifier. 3692 o Payload extension headers: Deliver to the context with CT(local) 3693 equal to the Receiver Context Tag included in the packet. 3695 o Other control messages (Update, Keepalive, Probe): Deliver to the 3696 context with CT(local) equal to the Receiver Context Tag included 3697 in the packet. Verify that the IPv6 source address field is part 3698 of Ls(peer) and that the IPv6 destination address field is part of 3699 Ls(local). If not, send a R1bis message. 3701 o Shim6 Error Messages and ICMP errors which contain a Shim6 payload 3702 extension header or other shim control packet in the "packet in 3703 error": Use the "packet in error" for dispatching as follows. 3704 Deliver to the context with CT(peer) equal to the Receiver Context 3705 Tag, Lp(local) being the IPv6 source address, and Lp(peer) being 3706 the IPv6 destination address. 3708 In addition, the shim on the sending side needs to be able to find 3709 the context state when a ULP packet is passed down from the ULP. In 3710 that case the lookup key is the pair of ULIDs and FII=0. If we have 3711 a ULP API that allows the ULP to do context forking, then presumably 3712 the ULP would pass down the Forked Instance Identifier. 3714 13. Initial Contact 3716 The initial contact is some non-shim communication between two ULIDs, 3717 as described in Section 2. At that point in time there is no 3718 activity in the shim. 3720 Whether the shim ends up being used or not (e.g., the peer might not 3721 support Shim6) it is highly desirable that the initial contact can be 3722 established even if there is a failure for one or more IP addresses. 3724 The approach taken is to rely on the applications and the transport 3725 protocols to retry with different source and destination addresses, 3726 consistent with what is already specified in Default Address 3727 Selection [13], and some fixes to that specification [14] to make it 3728 try different source addresses and not only different destination 3729 addresses. 3731 The implementation of such an approach can potentially result in long 3732 timeouts. For instance, a naive implementation at the socket API 3733 which uses getaddrinfo() to retrieve all destination addresses and 3734 then tries to bind() and connect() to try all source and destination 3735 address combinations waiting for TCP to time out for each combination 3736 before trying the next one. 3738 However, if implementations encapsulate this in some new connect-by- 3739 name() API, and use non-blocking connect calls, it is possible to 3740 cycle through the available combinations in a more rapid manner until 3741 a working source and destination pair is found. Thus the issues in 3742 this domain are issues of implementations and the current socket API, 3743 and not issues of protocol specification. In all honesty, while 3744 providing an easy to use connect-by-name() API for TCP and other 3745 connection-oriented transports is easy; providing a similar 3746 capability at the API for UDP is hard due to the protocol itself not 3747 providing any "success" feedback. But even the UDP issue is one of 3748 APIs and implementation. 3750 14. Protocol constants 3752 The protocol uses the following constants: 3754 I1_RETRIES_MAX = 4 3756 I1_TIMEOUT = 4 seconds 3758 NO_R1_HOLDDOWN_TIME = 1 min 3760 ICMP_HOLDDOWN_TIME = 10 min 3762 I2_TIMEOUT = 4 seconds 3764 I2_RETRIES_MAX = 2 3766 I2bis_TIMEOUT = 4 seconds 3768 I2bis_RETRIES_MAX = 2 3770 VALIDATOR_MIN_LIFETIME = 30 seconds 3772 UPDATE_TIMEOUT = 4 seconds 3774 The retransmit timers (I1_TIMEOUT, I2_TIMEOUT, UPDATE_TIMEOUT) are 3775 subject to binary exponential backoff, as well as randomization 3776 across a range of 0.5 and 1.5 times the nominal (backed off) value. 3777 This removes any risk of synchronization between lots of hosts 3778 performing independent shim operations at the same time. 3780 The randomization is applied after the binary exponential backoff. 3781 Thus the first retransmission would happen based on a uniformly 3782 distributed random number in the range [0.5*4, 1.5*4] seconds, the 3783 second retransmission [0.5*8, 1.5*8] seconds after the first one, 3784 etc. 3786 15. Implications Elsewhere 3788 15.1. Congestion Control Considerations 3790 When the locator pair currently used for exchanging packets in a 3791 Shim6 context becomes unreachable, the Shim6 layer will divert the 3792 communication through an alternative locator pair, which in most 3793 cases will result in redirecting the packet flow through an 3794 alternative network path. In this case, it reccomended that the 3795 Shim6 follows the reccomendation defined in [28] and it informs the 3796 upper layers about the path change, in order to allow the congestion 3797 control mechanisms of the upper layers can react accordingly. 3799 15.2. Middle-boxes considerations 3801 Data packets belonging to a Shim6 context carrying the Shim6 Payload 3802 Header contain alternative locators other than the ULIDs in the 3803 source and destination address fields of the IPv6 header. On the 3804 other hand, the upper layers of the peers involved in the 3805 communication operate on the ULID pair presented by the Shim6 layer 3806 to them, rather on the locator pair contained in the IPv6 header of 3807 the actual packets. It should be noted that the Shim6 layer does not 3808 modify the data packets, but because a constant ULID pair is 3809 presented to upper layers irrespective of the locator pair changes, 3810 the relation between the upper layer header (such as TCP, UDP, ICMP, 3811 ESP, etc) and the IPv6 header is modified. In particular, when the 3812 Shim6 Extension header is present in the packet, if those data 3813 packets are TCP, UDP or ICMP packets, the presudoheader used for the 3814 checksum calculation will contain the ULID pair, rather than the 3815 locator pair contained in the data packet. 3817 It is possible that some firewalls or other middle boxes try to 3818 verify the validity of upper layer sanity checks of the packet on the 3819 fly. If they do that based on the actual source and destination 3820 addresses contained in the IPv6 header without considering the Shim6 3821 context information (in particular without replacing the locator pair 3822 by the ULID pair used by the Shim6 context) such verifications may 3823 fail. Those middle-boxes need to be updated in order to be able to 3824 parse the Shim6 payload header and find the next header header after 3825 that. It is recommended that firewalls and other middle-boxes do not 3826 drop packets that carry the Shim6 Payload header with apparently 3827 incorrect upper layer validity checks that involve the addresses in 3828 the IPv6 header for their computation, unless they are able to 3829 determine the ULID pair of the Shim6 context associated to the data 3830 packet and use the ULID pair for the verification of the validity 3831 check. 3833 In the particular case of TCP, UDP and ICMP checksums, it is 3834 recommended that firewalls and other middle-boxes do not drop TCP, 3835 UDP and ICMP packets that carry the Shim6 Payload header with 3836 apparently incorrect checksums when using the addresses in the IPv6 3837 header for the pseudoheader computation, unless they implement are 3838 able to determine the ULID pair of the Shim6 context associated to 3839 the data packet and use the ULID pair to determine the checksum that 3840 must be present in a packet with addresses rewritten by Shim6. 3842 In addition, firewalls that today pass limited traffic, e.g., 3843 outbound TCP connections, would presumably block the Shim6 protocol. 3844 This means that even when Shim6 capable hosts are communicating, the 3845 I1 messages would be dropped, hence the hosts would not discover that 3846 their peer is Shim6 capable. This is in fact a feature, since if the 3847 hosts managed to establish a ULID-pair context, then the firewall 3848 would probably drop the "different" packets that are sent after a 3849 failure (those using the Shim6 payload extension header with a TCP 3850 packet inside it). Thus stateful firewalls that are modified to pass 3851 Shim6 messages should also be modified to pass the payload extension 3852 header, so that the shim can use the alternate locators to recover 3853 from failures. This presumably implies that the firewall needs to 3854 track the set of locators in use by looking at the Shim6 control 3855 exchanges. Such firewalls might even want to verify the locators 3856 using the HBA/CGA verification themselves, which they can do without 3857 modifying any of the Shim6 packets they pass through. 3859 15.3. Other considerations 3861 The general Shim6 approach, as well as the specifics of this proposed 3862 solution, has implications elsewhere, including: 3864 o Applications that perform referrals, or callbacks using IP 3865 addresses as the 'identifiers' can still function in limited ways, 3866 as described in [23]. But in order for such applications to be 3867 able to take advantage of the multiple locators for redundancy, 3868 the applications need to be modified to either use fully qualified 3869 domain names as the 'identifiers', or they need to pass all the 3870 locators as the 'identifiers' i.e., the 'identifier' from the 3871 applications perspective becomes a set of IP addresses instead of 3872 a single IP address. 3874 o Signaling protocols for QoS or other things that involve having 3875 devices in the network path look at IP addresses and port numbers, 3876 or IP addresses and Flow Labels, need to be invoked on the hosts 3877 when the locator pair changes due to a failure. At that point in 3878 time those protocols need to inform the devices that a new pair of 3879 IP addresses will be used for the flow. Note that this is the 3880 case even though this protocol, unlike some earlier proposals, 3881 does not overload the flow label as a context tag; the in-path 3882 devices need to know about the use of the new locators even though 3883 the flow label stays the same. 3885 o MTU implications. The path MTU mechanisms we use are robust 3886 against different packets taking different paths through the 3887 Internet, by computing a minimum over the recently observed path 3888 MTUs. When Shim6 fails over from using one locator pair to 3889 another pair, this means that packets might travel over a 3890 different path through the Internet, hence the path MTU might be 3891 quite different. Perhaps such a path change would be a good hint 3892 to the path MTU mechanism to try a larger MTU? 3894 The fact that the shim will add an 8 octet Payload Extension 3895 header to the ULP packets after a locator switch, can also affect 3896 the usable path MTU for the ULPs. In this case the MTU change is 3897 local to the sending host, thus conveying the change to the ULPs 3898 is an implementation matter. 3900 16. Security Considerations 3902 This document satisfies the concerns specified in [20] as follows: 3904 o The HBA [6] and CGA technique [8] for verifying the locators to 3905 prevent an attacker from redirecting the packet stream to 3906 somewhere else. The minimum acceptable key length for public keys 3907 used in the generation of CGAs SHOULD be 1024 bits. Any 3908 implementation should follow prudent cryptographic practice in 3909 determining the appropriate key lengths. 3911 o Requiring a Reachability Probe+Reply before a new locator is used 3912 as the destination, in order to prevent 3rd party flooding 3913 attacks. 3915 o The first message does not create any state on the responder. 3916 Essentially a 3-way exchange is required before the responder 3917 creates any state. This means that a state-based DoS attack 3918 (trying to use up all of memory on the responder) at least 3919 requires the attacker to create state, consuming his own resources 3920 and also it provides an IPv6 address that the attacker was using. 3922 o The context establishment messages use nonces to prevent replay 3923 attacks, and to prevent off-path attackers from interfering with 3924 the establishment. 3926 o Every control message of the Shim6 protocol, past the context 3927 establishment, carry the context tag assigned to the particular 3928 context. This implies that an attacker needs to discover that 3929 context tag before being able to spoof any Shim6 control message. 3930 Such discovery probably requires to be along the path in order to 3931 be sniff the context tag value. The result is that through this 3932 technique, the Shim6 protocol is protected against off-path 3933 attackers. 3935 Interaction with IPSec 3937 The Shim6 sub-layer is implemented below the IPSec layer within the 3938 IP layer. This deserves some additional considerations for a couple 3939 of specific cases: First, it should be noted that the Shim6 approach 3940 does not preclude using IPSEC tunnels on Shim6 packets within the 3941 network transit path. Second, in case that IPSec is implemented as 3942 Bump-In-The-Wire (BITW) [7], either the shim MUST be disabled, or the 3943 shim MUST also be implemented as Bump-In-The-Wire, in order to 3944 satisfy the requirement that IPsec is layered above the shim. 3946 Some of the residual threats in this proposal are: 3948 o An attacker which arrives late on the path (after the context has 3949 been established) can use the R1bis message to cause one peer to 3950 recreate the context, and at that point in time the attacker can 3951 observe all of the exchange. But this doesn't seem to open any 3952 new doors for the attacker since such an attacker can observe the 3953 context tags that are being used, and once known it can use those 3954 to send bogus messages. 3956 o An attacker which is present on the path so that it can find out 3957 the context tags, can generate a R1bis message after it has moved 3958 off the path. For this packet to be effective it needs to have a 3959 source locator which belongs to the context, thus there can not be 3960 "too much" ingress filtering between the attackers new location 3961 and the communicating peers. But this doesn't seem to be that 3962 severe, because once the R1bis causes the context to be re- 3963 established, a new pair of context tags will be used, which will 3964 not be known to the attacker. If this is still a concern, we 3965 could require a 2-way handshake "did you really lose the state?" 3966 in response to the error message. 3968 o It might be possible for an attacker to try random 47-bit context 3969 tags and see if they can cause disruption for communication 3970 between two hosts. In particular, in the case of payload packets, 3971 the effects of such attack would be similar of those of an 3972 attacker sending packets with spoofed source address. In the case 3973 of control packets, it is not enough to find the correct context 3974 tag, but additional information is required (e.g. nonces, proper 3975 source addresses) (see previous bullet for the case of R1bis). If 3976 a 47-bit tag, which is the largest that fits in an 8-octet 3977 extension header, isn't sufficient, one could use an even larger 3978 tag in the Shim6 control messages, and use the low-order 47 bits 3979 in the payload extension header. 3981 o When the payload extension header is used, an attacker that can 3982 guess the 47-bit random context tag, can inject packets into the 3983 context with any source locator. Thus if there is ingress 3984 filtering between the attacker, this could potentially allow to 3985 bypass the ingress filtering. However, in addition to guessing 3986 the 47-bit context tag, the attacker also needs to find a context 3987 where, after the receiver's replacement of the locators with the 3988 ULIDs, the the ULP checksum is correct. But even this wouldn't be 3989 sufficient with ULPs like TCP, since the TCP port numbers and 3990 sequence numbers must match an existing connection. Thus, even 3991 though the issues for off-path attackers injecting packets are 3992 different than today with ingress filtering, it is still very hard 3993 for an off-path attacker to guess. If IPsec is applied then the 3994 issue goes away completely. 3996 o The validator included in the R1 and R1bis packets are generated 3997 as a hash of several input parameters. While most of the inputs 3998 are actually determined by the sender, and only the secret value S 3999 is unknown to the sender, the resulting protection is deemed to be 4000 enough since it would be easier for the attacker to just obtain a 4001 new validator sending a I1 packet than performing all the 4002 computations required to determine the secret S. Nevertheless, it 4003 is recommended that the host changes the secret S periodically. 4005 17. IANA Considerations 4007 IANA is directed to allocate a new IP Protocol Number value for the 4008 Shim6 Protocol. 4010 IANA is directed to record a CGA message type for the Shim6 Protocol 4011 in the [CGA] namespace registry with the value 0x4A30 5662 4858 574B 4012 3655 416F 506A 6D48. 4014 IANA is directed to establish a Shim6 Parameter Registry with three 4015 components: Shim6 Type registrations, Shim6 Options registrations 4016 Shim6 Error Code registrations. 4018 The initial contents of the Shim6 Type registry are as follows: 4020 +------------+-----------------------------------------------------+ 4021 | Type Value | Message | 4022 +------------+-----------------------------------------------------+ 4023 | 0 | RESERVED | 4024 | | | 4025 | 1 | I1 (first establishment message from the initiator) | 4026 | | | 4027 | 2 | R1 (first establishment message from the responder) | 4028 | | | 4029 | 3 | I2 (2nd establishment message from the initiator) | 4030 | | | 4031 | 4 | R2 (2nd establishment message from the responder) | 4032 | | | 4033 | 5 | R1bis (Reply to reference to non-existent context) | 4034 | | | 4035 | 6 | I2bis (Reply to a R1bis message) | 4036 | | | 4037 | 7-59 | Can be allocated using Standards Action | 4038 | | | 4039 | 60-63 | For Experimental use | 4040 | | | 4041 | 64 | Update Request | 4042 | | | 4043 | 65 | Update Acknowledgement | 4044 | | | 4045 | 66 | Keepalive | 4046 | | | 4047 | 67 | Probe Message | 4048 | | | 4049 | 68-123 | Can be allocated using Standards Action | 4050 | | | 4051 | 124-127 | For Experimental use | 4052 +------------+-----------------------------------------------------+ 4053 The initial contents of the Shim6 Options registry are as follows: 4055 +-------------+----------------------------------+ 4056 | Type | Option Name | 4057 +-------------+----------------------------------+ 4058 | 0 | RESERVED | 4059 | | | 4060 | 1 | Responder Validator | 4061 | | | 4062 | 2 | Locator List | 4063 | | | 4064 | 3 | Locator Preferences | 4065 | | | 4066 | 4 | CGA Parameter Data Structure | 4067 | | | 4068 | 5 | CGA Signature | 4069 | | | 4070 | 6 | ULID Pair | 4071 | | | 4072 | 7 | Forked Instance Identifier | 4073 | | | 4074 | 8-9 | Allocated using Standards action | 4075 | | | 4076 | 10 | Keepalive Timeout Option | 4077 | | | 4078 | 11-16383 | Allocated using Standards action | 4079 | | | 4080 | 16384-32767 | For Experimental use | 4081 +-------------+----------------------------------+ 4083 The initial contents of the Shim6 Error Code registry are as follows: 4085 +------------+--------------------------------------------+ 4086 | Code Value | Description | 4087 +------------+--------------------------------------------+ 4088 | 0 | Unknown Shim6 message type | 4089 | | | 4090 | 1 | Critical Option not recognized | 4091 | | | 4092 | 2 | Locator verification method failed | 4093 | | | 4094 | 3 | Locator List Generation number out of sync | 4095 | | | 4096 | 4 | Error in the number of locators | 4097 | | | 4098 | 120-127 | Reserved for debugging pruposes | 4099 +------------+--------------------------------------------+ 4101 18. Acknowledgements 4103 Over the years many people active in the multi6 and shim6 WGs have 4104 contributed ideas a suggestions that are reflected in this 4105 specification. Special thanks to the careful comments from Geoff 4106 Huston, Shinta Sugimoto, Pekka Savola, Dave Meyer, Deguang Le, Jari 4107 Arkko, Iljitsch van Beijnum, Jim Bound, Brian Carpenter, Sebastien 4108 Barre, Matthijs Mekking, Dave Thaler, Bob Braden Wesley Eddy and Tom 4109 Henderson on earlier versions of this document. 4111 Appendix A. Possible Protocol Extensions 4113 During the development of this protocol, several issues have been 4114 brought up as important one to address, but are ones that do not need 4115 to be in the base protocol itself but can instead be done as 4116 extensions to the protocol. The key ones are: 4118 o As stated in the assumptions in Section 3, the in order for the 4119 Shim6 protocol to be able to recover from a wide range of 4120 failures, for instance when one of the communicating hosts is 4121 singly-homed, and cope with a site's ISPs that do ingress 4122 filtering based on the source IPv6 address, there is a need for 4123 the host to be able to influence the egress selection from its 4124 site. Further discussion of this issue is captured in [21]. 4126 o Is there need for keeping the list of locators private between the 4127 two communicating endpoints? We can potentially accomplish that 4128 when using CGA but not with HBA, but it comes at the cost of doing 4129 some public key encryption and decryption operations as part of 4130 the context establishment. The suggestion is to leave this for a 4131 future extension to the protocol. 4133 o Defining some form of end-to-end "compression" mechanism that 4134 removes the need for including the Shim6 Payload extension header 4135 when the locator pair is not the ULID pair. 4137 o Supporting the dynamic setting of locator preferences on a site- 4138 wide basis, and use the Locator Preference option in the Shim6 4139 protocol to convey these preferences to remote communicating 4140 hosts. This could mirror the DNS SRV record's notion of priority 4141 and weight. 4143 o Potentially recommend that more application protocols use DNS SRV 4144 records to allow a site some influence on load spreading for the 4145 initial contact (before the Shim6 context establishment) as well 4146 as for traffic which does not use the shim. 4148 o Specifying APIs for the ULPs to be aware of the locators the shim 4149 is using, and be able to influence the choice of locators 4150 (controlling preferences as well as triggering a locator pair 4151 switch). This includes providing APIs the ULPs can use to fork a 4152 shim context. 4154 o Whether it is feasible to relax the suggestions for when context 4155 state is removed, so that one can end up with an asymmetric 4156 distribution of the context state and still get (most of) the shim 4157 benefits. For example, the busy server would go through the 4158 context setup but would quickly remove the context state after 4159 this (in order to save memory) but the not-so-busy client would 4160 retain the context state. The context recovery mechanism 4161 presented in Section 7.5 would then be recreate the state should 4162 the client send either a shim control message (e.g., probe message 4163 because it sees a problem), or a ULP packet in an payload 4164 extension header (because it had earlier failed over to an 4165 alternative locator pair, but had been silent for a while). This 4166 seems to provide the benefits of the shim as long as the client 4167 can detect the failure. If the client doesn't send anything, and 4168 it is the server that tries to send, then it will not be able to 4169 recover because the shim on the server has no context state, hence 4170 doesn't know any alternate locator pairs. 4172 o Study what it would take to make the Shim6 control protocol not 4173 rely at all on a stable source locator in the packets. This can 4174 probably be accomplished by having all the shim control messages 4175 include the ULID-pair option. 4177 o If each host might have lots of locators, then the currently 4178 requirement to include essentially all of them in the I2 and R2 4179 messages might be constraining. If this is the case we can look 4180 into using the CGA Parameter Data Structure for the comparison, 4181 instead of the prefix sets, to be able to detect context 4182 confusion. This would place some constraint on a (logical) only 4183 using e.g., one CGA public key, and would require some carefully 4184 crafted rules on how two PDSs are compared for "being the same 4185 host". But if we don't expect more than a handful locators per 4186 host, then we don't need this added complexity. 4188 o ULP specified timers for the reachability detection mechanism 4189 (which can be useful particularly when there are forked contexts). 4191 o Pre-verify some "backup" locator pair, so that the failover time 4192 can be shorter. 4194 o Study how Shim6 and Mobile IPv6 might interact. There existing an 4195 initial draft on this topic [22]. 4197 Appendix B. Simplified State Machine 4199 The states are defined in Section 6.2. The intent is that the 4200 stylized description below be consistent with the textual description 4201 in the specification, but should they conflict, the textual 4202 description is normative. 4204 The following table describes the possible actions in state IDLE and 4205 their respective triggers: 4207 +---------------------+---------------------------------------------+ 4208 | Trigger | Action | 4209 +---------------------+---------------------------------------------+ 4210 | Receive I1 | Send R1 and stay in IDLE | 4211 | | | 4212 | Heuristics trigger | Send I1 and move to I1-SENT | 4213 | a new context | | 4214 | establishment | | 4215 | | | 4216 | Receive I2, verify | If successful, send R2 and move to | 4217 | validator and | ESTABLISHED | 4218 | RESP nonce | | 4219 | | If fail, stay in IDLE | 4220 | | | 4221 | Receive I2bis, | If successful, send R2 and move to | 4222 | verify validator | ESTABLISHED | 4223 | and RESP nonce | | 4224 | | If fail, stay in IDLE | 4225 | | | 4226 | R1, R1bis, R2 | N/A (This context lacks the required info | 4227 | | for the dispatcher to deliver them) | 4228 | | | 4229 | Receive payload | Send R1bis and stay in IDLE | 4230 | extension header | | 4231 | or other control | | 4232 | packet | | 4233 +---------------------+---------------------------------------------+ 4234 The following table describes the possible actions in state I1-SENT 4235 and their respective triggers: 4237 +---------------------+---------------------------------------------+ 4238 | Trigger | Action | 4239 +---------------------+---------------------------------------------+ 4240 | Receive R1, verify | If successful, send I2 and move to I2-SENT | 4241 | INIT nonce | | 4242 | | If fail, discard and stay in I1-SENT | 4243 | | | 4244 | Receive I1 | Send R2 and stay in I1-SENT | 4245 | | | 4246 | Receive R2, verify | If successful, move to ESTABLISHED | 4247 | INIT nonce | | 4248 | | If fail, discard and stay in I1-SENT | 4249 | | | 4250 | Receive I2, verify | If successful, send R2 and move to | 4251 | validator and RESP | ESTABLISHED | 4252 | nonce | | 4253 | | If fail, discard and stay in I1-SENT | 4254 | | | 4255 | Receive I2bis, | If successful, send R2 and move to | 4256 | verify validator | ESTABLISHED | 4257 | and RESP nonce | | 4258 | | If fail, discard and stay in I1-SENT | 4259 | | | 4260 | Timeout, increment | If counter =< I1_RETRIES_MAX, send I1 and | 4261 | timeout counter | stay in I1-SENT | 4262 | | | 4263 | | If counter > I1_RETRIES_MAX, go to E-FAILED | 4264 | | | 4265 | Receive ICMP payload| Move to E-FAILED | 4266 | unknown error | | 4267 | | | 4268 | R1bis | N/A (Dispatcher doesn't deliver since | 4269 | | CT(peer) is not set) | 4270 | | | 4271 | Receive Payload or | Discard and stay in I1-SENT | 4272 | extension header | | 4273 | or other control | | 4274 | packet | | 4275 +---------------------+---------------------------------------------+ 4276 The following table describes the possible actions in state I2-SENT 4277 and their respective triggers: 4279 +---------------------+---------------------------------------------+ 4280 | Trigger | Action | 4281 +---------------------+---------------------------------------------+ 4282 | Receive R2, verify | If successful move to ESTABLISHED | 4283 | INIT nonce | | 4284 | | If fail, stay in I2-SENT | 4285 | | | 4286 | Receive I1 | Send R2 and stay in I2-SENT | 4287 | | | 4288 | Receive I2 | Send R2 and stay in I2-SENT | 4289 | verify validator | | 4290 | and RESP nonce | | 4291 | | | 4292 | Receive I2bis | Send R2 and stay in I2-SENT | 4293 | verify validator | | 4294 | and RESP nonce | | 4295 | | | 4296 | Receive R1 | Discard and stay in I2-SENT | 4297 | | | 4298 | Timeout, increment | If counter =< I2_RETRIES_MAX, send I2 and | 4299 | timeout counter | stay in I2-SENT | 4300 | | | 4301 | | If counter > I2_RETRIES_MAX, send I1 and go | 4302 | | to I1-SENT | 4303 | | | 4304 | R1bis | N/A (Dispatcher doesn't deliver since | 4305 | | CT(peer) is not set) | 4306 | | | 4307 | Receive payload or | Accept and send I2 (probably R2 was sent | 4308 | extension header | by peer and lost) | 4309 | other control | | 4310 | packet | | 4311 +---------------------+---------------------------------------------+ 4312 The following table describes the possible actions in state I2BIS- 4313 SENT and their respective triggers: 4315 +---------------------+---------------------------------------------+ 4316 | Trigger | Action | 4317 +---------------------+---------------------------------------------+ 4318 | Receive R2, verify | If successful move to ESTABLISHED | 4319 | INIT nonce | | 4320 | | If fail, stay in I2BIS-SENT | 4321 | | | 4322 | Receive I1 | Send R2 and stay in I2BIS-SENT | 4323 | | | 4324 | Receive I2 | Send R2 and stay in I2BIS-SENT | 4325 | verify validator | | 4326 | and RESP nonce | | 4327 | | | 4328 | Receive I2bis | Send R2 and stay in I2BIS-SENT | 4329 | verify validator | | 4330 | and RESP nonce | | 4331 | | | 4332 | Receive R1 | Discard and stay in I2BIS-SENT | 4333 | | | 4334 | Timeout, increment | If counter =< I2_RETRIES_MAX, send I2bis | 4335 | timeout counter | and stay in I2BIS-SENT | 4336 | | | 4337 | | If counter > I2_RETRIES_MAX, send I1 and | 4338 | | go to I1-SENT | 4339 | | | 4340 | R1bis | N/A (Dispatcher doesn't deliver since | 4341 | | CT(peer) is not set) | 4342 | | | 4343 | Receive payload or | Accept and send I2bis (probably R2 was | 4344 | extension header | sent by peer and lost) | 4345 | other control | | 4346 | packet | | 4347 +---------------------+---------------------------------------------+ 4348 The following table describes the possible actions in state 4349 ESTABLISHED and their respective triggers: 4351 +---------------------+---------------------------------------------+ 4352 | Trigger | Action | 4353 +---------------------+---------------------------------------------+ 4354 | Receive I1, compare | If no match, send R1 and stay in ESTABLISHED| 4355 | CT(peer) with | | 4356 | received CT | If match, send R2 and stay in ESTABLISHED | 4357 | | | 4358 | | | 4359 | Receive I2, verify | If successful, then send R2 and stay in | 4360 | validator and RESP | ESTABLISHED | 4361 | nonce | | 4362 | | Otherwise, discard and stay in ESTABLISHED | 4363 | | | 4364 | Receive I2bis, | If successful, then send R2 and stay in | 4365 | verify validator | ESTABLISHED | 4366 | and RESP nonce | | 4367 | | Otherwise, discard and stay in ESTABLISHED | 4368 | | | 4369 | Receive R2 | Discard and stay in ESTABLISHED | 4370 | | | 4371 | Receive R1 | Discard and stay in ESTABLISHED | 4372 | | | 4373 | Receive R1bis | Send I2bis and move to I2BIS-SENT | 4374 | | | 4375 | | | 4376 | Receive payload or | Process and stay in ESTABLISHED | 4377 | extension header | | 4378 | other control | | 4379 | packet | | 4380 | | | 4381 | Implementation | Discard state and go to IDLE | 4382 | specific heuristic | | 4383 | (E.g., No open ULP | | 4384 | sockets and idle | | 4385 | for some time ) | | 4386 +---------------------+---------------------------------------------+ 4387 The following table describes the possible actions in state E-FAILED 4388 and their respective triggers: 4390 +---------------------+---------------------------------------------+ 4391 | Trigger | Action | 4392 +---------------------+---------------------------------------------+ 4393 | Wait for | Go to IDLE | 4394 | NO_R1_HOLDDOWN_TIME | | 4395 | | | 4396 | Any packet | Process as in IDLE | 4397 +---------------------+---------------------------------------------+ 4399 The following table describes the possible actions in state NO- 4400 SUPPORT and their respective triggers: 4402 +---------------------+---------------------------------------------+ 4403 | Trigger | Action | 4404 +---------------------+---------------------------------------------+ 4405 | Wait for | Go to IDLE | 4406 | ICMP_HOLDDOWN_TIME | | 4407 | | | 4408 | Any packet | Process as in IDLE | 4409 +---------------------+---------------------------------------------+ 4411 Appendix B.1. Simplified State Machine diagram 4412 Timeout/Null +------------+ 4413 I1/R1 +------------------| NO SUPPORT | 4414 Payload or Control/R1bis | +------------+ 4415 +---------+ | ^ 4416 | | | ICMP Error/Null| 4417 | V V | 4418 +-----------------+ Timeout/Null +----------+ | 4419 | |<---------------| E-FAILED | | 4420 +-| IDLE | +----------+ | 4421 I2 or I2bis/R2 | | | ^ | 4422 | +-----------------+ (Tiemout#>MAX)/Null| | 4423 | ^ | | | 4424 | | +------+ | | 4425 I2 or I2bis/R2 | | Heuristic/I1| I1/R2 | | 4426 Payload/Null | | | Control/Null | | 4427 I1/R1 or R2 | +--+ | Payload/Null | | 4428 R1 or R2/Null | |Heuristic/Null | (Tiemout#| | 4433 | ESTABLISHED |<----------------------------| I1-SENT | 4434 | | | | 4435 +-------------------+ +----------------+ 4436 | ^ ^ | ^ ^ 4437 | | |R2/Null +-------------+ | | 4438 | | +----------+ |R1/I2 | | 4439 | | | V | | 4440 | | +------------------+ | | 4441 | | | |-------------+ | 4442 | | | I2-SENT | (Timeout#>Max)/I1 | 4443 | | | | | 4444 | | +------------------+ | 4445 | | | ^ | 4446 | | +--------------+ | 4447 | | I1 or I2bis or I2/R2 | 4448 | | (Timeout#Max)/I1 | 4451 | R2/Null| +------------------------------------------+ 4452 | V | 4453 | +-------------------+ 4454 | | |<-+ (Timeout#| I2bis-SENT | | I1 or I2 or I2bis/R2 4456 R1bis/I2bis | |--+ R1 or R1bis/Null 4457 +-------------------+ Payload/I2bis 4459 Appendix C. Context Tag Reuse 4461 The Shim6 protocol doesn't have a mechanism for coordinated state 4462 removal between the peers, because such state removal doesn't seem to 4463 help given that a host can crash and reboot at any time. A result of 4464 this is that the protocol needs to be robust against a context tag 4465 being reused for some other context. This section summarizes the 4466 different cases in which a tag can be reused, and how the recovery 4467 works. 4469 The different cases are exemplified by the following case. Assume 4470 host A and B were communicating using a context with the ULID pair 4471 , and that B had assigned context tag X to this context. We 4472 assume that B uses only the context tag to demultiplex the received 4473 payload extension headers, since this is the more general case. 4474 Further we assume that B removes this context state, while A retains 4475 it. B might then at a later time assign CT(local)=X to some other 4476 context, and we have several cases: 4478 o The context tag is reassigned to a context for the same ULID pair 4479 . We've called this "Context Recovery" in this document. 4481 o The context tag is reassigned to a context for a different ULID 4482 pair between the same to hosts, e.g., . We've called this 4483 "Context Confusion" in this document. 4485 o The context tag is reassigned to a context between B and other 4486 host C, for instance for the ULID pair . That is a form 4487 of three party context confusion. 4489 Appendix C.1. Context Recovery 4491 This case is relatively simple, and is discussed in Section 7.5. The 4492 observation is that since the ULID pair is the same, when either A or 4493 B tries to establish the new context, A can keep the old context 4494 while B re-creates the context with the same context tag CT(B) = X. 4496 Appendix C.2. Context Confusion 4498 This cases is a bit more complex, and is discussed in Section 7.6. 4499 When the new context is created, whether A or B initiates it, host A 4500 can detect when it receives B's locator set (in the I2, or R2 4501 message), that it ends up with two contexts to the same peer host 4502 (overlapping Ls(peer) locator sets) that have the same context tag 4503 CT(peer) = X. At this point in time host A can clear up any 4504 possibility of causing confusion by not using the old context to send 4505 any more packets. It either just discards the old context (it might 4506 not be used by any ULP traffic, since B had discarded it), or it 4507 recreates a different context for the old ULID pair (), for 4508 which B will assign a unique CT(B) as part of the normal context 4509 establishment mechanism. 4511 Appendix C.3. Three Party Context Confusion 4513 The third case does not have a place where the old state on A can be 4514 verified, since the new context is established between B and C. Thus 4515 when B receives payload extension headers with X as the context tag, 4516 it will find the context for , hence rewrite the packets to 4517 have C3 in the source address field and B2 in the destination address 4518 field before passing them up to the ULP. This rewriting is correct 4519 when the packets are in fact sent by host C, but if host A ever 4520 happens to send a packet using the old context, then the ULP on A 4521 sends a packet with ULIDs and the packet arrives at the ULP 4522 on B with ULIDs . 4524 This is clearly an error, and the packet will most likely be rejected 4525 by the ULP on B due to a bad pseudo-header checksum. Even if the 4526 checksum is ok (probability 2^-16), the ULP isn't likely to have a 4527 connection for those ULIDs and port numbers. And if the ULP is 4528 connection-less, processing the packet is most likely harmless; such 4529 a ULP must be able to copy with random packets being sent by random 4530 peers in any case. 4532 This broken state, where packets sent from A to B using the old 4533 context on host A might persist for some time, but it will not remain 4534 for very long. The unreachability detection on host A will kick in, 4535 because it does not see any return traffic (payload or Keepalive 4536 messages) for the context. This will result in host A sending Probe 4537 messages to host B to find a working locator pair. The effect of 4538 this is that host B will notice that it does not have a context for 4539 the ULID pair and CT(B) = X, which will make host B send an 4540 R1bis packet to re-establish that context. The re-established 4541 context, just like in the previous section, will get a unique CT(B) 4542 assigned by host B, thus there will no longer be any confusion. 4544 In summary, there are cases where a context tag might be reused while 4545 some peer retains the state, but the protocol can recover from it. 4546 The probability of these events is low given the 47 bit context tag 4547 size. However, it is important that these recovery mechanisms be 4548 tested. Thus during development and testing it is recommended that 4549 implementations not use the full 47 bit space, but instead keep e.g. 4550 the top 40 bits as zero, only leaving the host with 128 unique 4551 context tags. This will help test the recovery mechanisms. 4553 Appendix D. Design Alternatives 4555 This document has picked a certain set of design choices in order to 4556 try to work out a bunch of the details, and stimulate discussion. 4557 But as has been discussed on the mailing list, there are other 4558 choices that make sense. This appendix tries to enumerate some 4559 alternatives. 4561 Appendix D.1. Context granularity 4563 Over the years various suggestions have been made whether the shim 4564 should, even if it operates at the IP layer, be aware of ULP 4565 connections and sessions, and as a result be able to make separate 4566 shim contexts for separate ULP connections and sessions. A few 4567 different options have been discussed: 4569 o Each ULP connection maps to its own shim context. 4571 o The shim is unaware of the ULP notion of connections and just 4572 operates on a host-to-host (IP address) granularity. 4574 o Hybrids where the shim is aware of some ULPs (such as TCP) and 4575 handles other ULPs on a host-to-host basis. 4577 Having shim state for every ULP connection potentially means higher 4578 overhead since the state setup overhead might become significant; 4579 there is utility in being able to amortize this over multiple 4580 connections. 4582 But being completely unaware of the ULP connections might hamper ULPs 4583 that want different communication to use different locator pairs, for 4584 instance for quality or cost reasons. 4586 The protocol has a shim which operates with host-level granularity 4587 (strictly speaking, with ULID-pair granularity, to be able to 4588 amortize the context establishment over multiple ULP connections. 4589 This is combined with the ability for shim-aware ULPs to request 4590 context forking so that different ULP traffic can use different 4591 locator pairs. 4593 Appendix D.2. Demultiplexing of data packets in Shim6 communications 4595 Once a ULID-pair context is established between two hosts, packets 4596 may carry locators that differ from the ULIDs presented to the ULPs 4597 using the established context. One of main functions of the Shim6 4598 layer is to perform the mapping between the locators used to forward 4599 packets through the network and the ULIDs presented to the ULP. In 4600 order to perform that translation for incoming packets, the Shim6 4601 layer needs to first identify which of the incoming packets need to 4602 be translated and then perform the mapping between locators and ULIDs 4603 using the associated context. Such operation is called 4604 demultiplexing. It should be noted that because any address can be 4605 used both as a locator and as a ULID, additional information other 4606 than the addresses carried in packets, need to be taken into account 4607 for this operation. 4609 For example, if a host has address A1 and A2 and starts communicating 4610 with a peer with addresses B1 and B2, then some communication 4611 (connections) might use the pair as ULID and others might 4612 use e.g., . Initially there are no failures so these address 4613 pairs are used as locators i.e. in the IP address fields in the 4614 packets on the wire. But when there is a failure the Shim6 layer on 4615 A might decide to send packets that used as ULIDs using as the locators. In this case B needs to be able to rewrite the 4617 IP address field for some packets and not others, but the packets all 4618 have the same locator pair. 4620 In order to accomplish the demultiplexing operation successfully, 4621 data packets carry a context tag that allows the receiver of the 4622 packet to determine the shim context to be used to perform the 4623 operation. 4625 Two mechanisms for carrying the context tag information have been 4626 considered in depth during the shim protocol design. Those carrying 4627 the context tag in the flow label field of the IPv6 header and the 4628 usage of a new extension header to carry the context tag. In this 4629 appendix we will describe the pros and cons of each approach and 4630 justify the selected option. 4632 Appendix D.2.1. Flow-label 4634 A possible approach is to carry the context tag in the Flow Label 4635 field of the IPv6 header. This means that when a Shim6 context is 4636 established, a Flow Label value is associated with this context (and 4637 perhaps a separate flow label for each direction). 4639 The simplest approach that does this is to have the triple identify the context at 4641 the receiver. 4643 The problem with this approach is that because the locator sets are 4644 dynamic, it is not possible at any given moment to be sure that two 4645 contexts for which the same context tag is allocated will have 4646 disjoint locator sets during the lifetime of the contexts. 4648 Suppose that Node A has addresses IPA1, IPA2, IPA3 and IPA4 and that 4649 Host B has addresses IPB1 and IPB2. 4651 Suppose that two different contexts are established between HostA and 4652 HostB. 4654 Context #1 is using IPA1 and IPB1 as ULIDs. The locator set 4655 associated to IPA1 is IPA1 and IPA2 while the locator set associated 4656 to IPB1 is just IPB1. 4658 Context #2 uses IPA3 and IPB2 as ULIDs. The locator set associated 4659 to IPA3 is IPA3 and IPA4 and the locator set associated to IPB2 is 4660 just IPB2. 4662 Because the locator sets of the Context #1 and Context #2 are 4663 disjoint, hosts could think that the same context tag value can be 4664 assigned to both of them. The problem arrives when later on IPA3 is 4665 added as a valid locator for IPA1 and IPB2 is added as a valid 4666 locator for IPB1 in Context #1. In this case, the triple would not identify a 4668 unique context anymore and correct demultiplexing is no longer 4669 possible. 4671 A possible approach to overcome this limitation is simply not to 4672 repeat the Flow Label values for any communication established in a 4673 host. This basically means that each time a new communication that 4674 is using different ULIDs is established, a new Flow Label value is 4675 assigned to it. By this mean, each communication that is using 4676 different ULIDs can be differentiated because it has a different Flow 4677 Label value. 4679 The problem with such approach is that it requires that the receiver 4680 of the communication allocates the Flow Label value used for incoming 4681 packets, in order to assign them uniquely. For this, a shim 4682 negotiation of the Flow Label value to use in the communication is 4683 needed before exchanging data packets. This poses problems with non- 4684 shim capable hosts, since they would not be able to negotiate an 4685 acceptable value for the Flow Label. This limitation can be lifted 4686 by marking the packets that belong to shim sessions from those that 4687 do not. These marking would require at least a bit in the IPv6 4688 header that is not currently available, so more creative options 4689 would be required, for instance using new Next Header values to 4690 indicate that the packet belongs to a Shim6 enabled communication and 4691 that the Flow Label carries context information as proposed in the 4692 now expired NOID draft. However, even if this is done, this approach 4693 is incompatible with the deferred establishment capability of the 4694 shim protocol, which is a preferred function, since it suppresses the 4695 delay due to the shim context establishment prior to initiation of 4696 the communication and it also allows nodes to define at which stage 4697 of the communication they decide, based on their own policies, that a 4698 given communication requires to be protected by the shim. 4700 In order to cope with the identified limitations, an alternative 4701 approach that does not constraints the flow label values used by 4702 communications that are using ULIDs equal to the locators (i.e. no 4703 shim translation) is to only require that different flow label values 4704 are assigned to different shim contexts. In such approach 4705 communications start with unmodified flow label usage (could be zero, 4706 or as suggested in [17]). The packets sent after a failure when a 4707 different locator pair is used would use a completely different flow 4708 label, and this flow label could be allocated by the receiver as part 4709 of the shim context establishment. Since it is allocated during the 4710 context establishment, the receiver of the "failed over" packets can 4711 pick a flow label of its choosing (that is unique in the sense that 4712 no other context is using it as a context tag), without any 4713 performance impact, and respecting that for each locator pair, the 4714 flow label value used for a given locator pair doesn't change due to 4715 the operation of the multihoming shim. 4717 In this approach, the constraint is that Flow Label values being used 4718 as context identifiers cannot be used by other communications that 4719 use non-disjoint locator sets. This means that once that a given 4720 Flow Label value has been assigned to a shim context that has a 4721 certain locator sets associated, the same value cannot be used for 4722 other communications that use an address pair that is contained in 4723 the locator sets of the context. This is a constraint in the 4724 potential Flow Label allocation strategies. 4726 A possible workaround to this constraint is to mark shim packets that 4727 require translation, in order to differentiate them from regular IPv6 4728 packets, using the artificial Next Header values described above. In 4729 this case, the Flow Label values constrained are only those of the 4730 packets that are being translated by the shim. This last approach 4731 would be the preferred approach if the context tag is to be carried 4732 in the Flow Label field. This is not only because it imposes the 4733 minimum constraints to the Flow Label allocation strategies, limiting 4734 the restrictions only to those packets that need to be translated by 4735 the shim, but also because Context Loss detection mechanisms greatly 4736 benefit from the fact that shim data packets are identified as such, 4737 allowing the receiving end to identify if a shim context associated 4738 to a received packet is suppose to exist, as it will be discussed in 4739 the Context Loss detection appendix below. 4741 Appendix D.2.2. Extension Header 4743 Another approach, which is the one selected for this protocol, is to 4744 carry the context tag in a new Extension Header. These context tags 4745 are allocated by the receiving end during the Shim6 protocol initial 4746 negotiation, implying that each context will have two context tags, 4747 one for each direction. Data packets will be demultiplexed using the 4748 context tag carried in the Extension Header. This seems a clean 4749 approach since it does not overload existing fields. However, it 4750 introduces additional overhead in the packet due to the additional 4751 header. The additional overhead introduced is 8 octets. However, it 4752 should be noted that the context tag is only required when a locator 4753 other than the one used as ULID is contained in the packet. Packets 4754 where both the source and destination address fields contain the 4755 ULIDs do not require a context tag, since no rewriting is necessary 4756 at the receiver. This approach would reduce the overhead, because 4757 the additional header is only required after a failure. On the other 4758 hand, this approach would cause changes in the available MTU for some 4759 packets, since packets that include the Extension Header will have an 4760 MTU 8 octets shorter. However, path changes through the network can 4761 result in different MTU in any case, thus having a locator change, 4762 which implies a path change, affect the MTU doesn't introduce any new 4763 issues. 4765 Appendix D.3. Context Loss Detection 4767 In this appendix we will present different approaches considered to 4768 detect context loss and potential context recovery strategies. The 4769 scenario being considered is the following: Node A and Node B are 4770 communicating using IPA1 and IPB1. Sometime later, a shim context is 4771 established between them, with IPA1 and IPB1 as ULIDs and 4772 IPA1,...,IPAn and IPB1,...,IPBm as locator set respectively. 4774 It may happen, that later on, one of the hosts, e.g. Host A loses 4775 the shim context. The reason for this can be that Host A has a more 4776 aggressive garbage collection policy than HostB or that an error 4777 occurred in the shim layer at host A resulting in the loss of the 4778 context state. 4780 The mechanisms considered in this appendix are aimed to deal with 4781 this problem. There are essentially two tasks that need to be 4782 performed in order to cope with this problem: first, the context loss 4783 must be detected and second the context needs to be recovered/ 4784 reestablished. 4786 Mechanisms for detecting context loss. 4788 These mechanisms basically consist in that each end of the context 4789 periodically sends a packet containing context-specific information 4790 to the other end. Upon reception of such packets, the receiver 4791 verifies that the required context exists. In case that the context 4792 does not exist, it sends a packet notifying the problem to the 4793 sender. 4795 An obvious alternative for this would be to create a specific context 4796 keepalive exchange, which consists in periodically sending packets 4797 with this purpose. This option was considered and discarded because 4798 it seemed an overkill to define a new packet exchange to deal with 4799 this issue. 4801 An alternative is to piggyback the context loss detection function in 4802 other existent packet exchanges. In particular, both shim control 4803 and data packets can be used for this. 4805 Shim control packets can be trivially used for this, because they 4806 carry context specific information, so that when a node receives one 4807 of such packets, it will verify if the context exists. However, shim 4808 control frequency may not be adequate for context loss detection 4809 since control packet exchanges can be very limited for a session in 4810 certain scenarios. 4812 Data packets, on the other hand, are expected to be exchanged with a 4813 higher frequency but they do not necessarily carry context specific 4814 information. In particular, packets flowing before a locator change 4815 (i.e. packet carrying the ULIDs in the address fields) do not need 4816 context information since they do not need any shim processing. 4817 Packets that carry locators that differ from the ULIDs carry context 4818 information. 4820 However, we need to make a distinction here between the different 4821 approaches considered to carry the context tag, in particular between 4822 those approaches where packets are explicitly marked as shim packets 4823 and those approaches where packets are not marked as such. For 4824 instance, in the case where the context tag is carried in the Flow 4825 Label and packets are not marked as shim packets (i.e. no new Next 4826 Header values are defined for shim), a receiver that has lost the 4827 associated context is not able to detect that the packet is 4828 associated with a missing context. The result is that the packet 4829 will be passed unchanged to the upper layer protocol, which in turn 4830 will probably silently discard it due to a checksum error. The 4831 resulting behavior is that the context loss is undetected. This is 4832 one additional reason to discard an approach that carries the context 4833 tag in the Flow Label field and does not explicitly mark the shim 4834 packets as such. On the other hand, approaches that mark shim data 4835 packets (like the Extension Header or the Flow Label with new Next 4836 Header values approaches) allow the receiver to detect if the context 4837 associated to the received packet is missing. In this case, data 4838 packets also perform the function of a context loss detection 4839 exchange. However, it must be noted that only those packets that 4840 carry a locator that differs form the ULID are marked. This 4841 basically means that context loss will be detected after an outage 4842 has occurred i.e. alternative locators are being used. 4844 Summarizing, the proposed context loss detection mechanisms uses shim 4845 control packets and payload extension headers to detect context loss. 4846 Shim control packets detect context loss during the whole lifetime of 4847 the context, but the expected frequency in some cases is very low. 4848 On the other hand, payload extension headers have a higher expected 4849 frequency in general, but they only detect context loss after an 4850 outage. This behavior implies that it will be common that context 4851 loss is detected after a failure i.e. once that it is actually 4852 needed. Because of that, a mechanism for recovering from context 4853 loss is required if this approach is used. 4855 Overall, the mechanism for detecting lost context would work as 4856 follows: the end that still has the context available sends a message 4857 referring to the context. Upon the reception of such message, the 4858 end that has lost the context identifies the situation and notifies 4859 the context loss event to the other end by sending a packet 4860 containing the lost context information extracted from the received 4861 packet. 4863 One option is to simply send an error message containing the received 4864 packets (or at least as much of the received packet that the MTU 4865 allows to fit in). One of the goals of this notification is to allow 4866 the other end that still retains context state, to reestablish the 4867 lost context. The mechanism to reestablish the loss context consists 4868 in performing the 4-way initial handshake. This is a time consuming 4869 exchange and at this point time may be critical since we are 4870 reestablishing a context that is currently needed (because context 4871 loss detection may occur after a failure). So, another option, which 4872 is the one used in this protocol, is to replace the error message by 4873 a modified R1 message, so that the time required to perform the 4874 context establishment exchange can be reduced. Upon the reception of 4875 this modified R1 message, the end that still has the context state 4876 can finish the context establishment exchange and restore the lost 4877 context. 4879 Appendix D.4. Securing locator sets 4881 The adoption of a protocol like SHIM that allows the binding of a 4882 given ULID with a set of locators opens the doors for different types 4883 of redirection attacks as described in [20]. The goal in terms of 4884 security for the design of the shim protocol is not to introduce any 4885 new vulnerability in the Internet architecture. It is a non-goal to 4886 provide additional protection than the currently available in the 4887 single-homed IPv6 Internet. 4889 Multiple security mechanisms were considered to protect the shim 4890 protocol. In this appendix we will present some of them. 4892 The simplest option to protect the shim protocol was to use cookies 4893 i.e. a randomly generated bit string that is negotiated during the 4894 context establishment phase and then it is included in following 4895 signaling messages. By this mean, it would be possible to verify 4896 that the party that was involved in the initial handshake is the same 4897 party that is introducing new locators. Moreover, before using a new 4898 locator, an exchange is performed through the new locator, verifying 4899 that the party located at the new locator knows the cookie i.e. that 4900 it is the same party that performed the initial handshake. 4902 While this security mechanisms does indeed provide a fair amount of 4903 protection, it does leave the door open for the so-called time 4904 shifted attacks. In these attacks, an attacker that once was on the 4905 path, it discovers the cookie by sniffing any signaling message. 4906 After that, the attacker can leave the path and still perform a 4907 redirection attack, since as he is in possession of the cookie, he 4908 can introduce a new locator in the locator set and he can also 4909 successfully perform the reachability exchange if he is able to 4910 receive packets at the new locator. The difference with the current 4911 single-homed IPv6 situation is that in the current situation the 4912 attacker needs to be on-path during the whole lifetime of the attack, 4913 while in this new situation where only cookie protection if provided, 4914 an attacker that once was on the path can perform attacks after he 4915 has left the on-path location. 4917 Moreover, because the cookie is included in signaling messages, the 4918 attacker can discover the cookie by sniffing any of them, making the 4919 protocol vulnerable during the whole lifetime of the shim context. A 4920 possible approach to increase the security was to use a shared secret 4921 i.e. a bit string that is negotiated during the initial handshake but 4922 that is used as a key to protect following messages. With this 4923 technique, the attacker must be present on the path sniffing packets 4924 during the initial handshake, since it is the only moment where the 4925 shared secret is exchanged. While this improves the security, it is 4926 still vulnerable to time shifted attacks, even though it imposes that 4927 the attacker must be on path at a very specific moment (the 4928 establishment phase) to actually be able to launch the attack. While 4929 this seems to substantially improve the situation, it should be noted 4930 that, depending on protocol details, an attacker may be able to force 4931 the recreation of the initial handshake (for instance by blocking 4932 messages and making the parties think that the context has been 4933 lost), so the resulting situation may not differ that much from the 4934 cookie based approach. 4936 Another option that was discussed during the design of the protocol 4937 was the possibility of using IPsec for protecting the shim protocol. 4938 Now, the problem under consideration in this scenario is how to 4939 securely bind an address that is being used as ULID with a locator 4940 set that can be used to exchange packets. The mechanism provided by 4941 IPsec to securely bind the address used with the cryptographic keys 4942 is the usage of digital certificates. This implies that an IPsec 4943 based solution would require that the generation of digital 4944 certificates that bind the key and the ULID by a common third trusted 4945 party for both parties involved in the communication. Considering 4946 that the scope of application of the shim protocol is global, this 4947 would imply a global public key infrastructure. The major issues 4948 with this approach are the deployment difficulties associated with a 4949 global PKI. 4951 Finally two different technologies were selected to protect the shim 4952 protocol: HBA [8] and CGA [6]. These two approaches provide a 4953 similar level of protection but they provide different functionality 4954 with a different computational cost. 4956 The HBA mechanism relies on the capability of generating all the 4957 addresses of a multihomed host as an unalterable set of intrinsically 4958 bound IPv6 addresses, known as an HBA set. In this approach, 4959 addresses incorporate a cryptographic one-way hash of the prefix-set 4960 available into the interface identifier part. The result is that the 4961 binding between all the available addresses is encoded within the 4962 addresses themselves, providing hijacking protection. Any peer using 4963 the shim protocol node can efficiently verify that the alternative 4964 addresses proposed for continuing the communication are bound to the 4965 initial address through a simple hash calculation. A limitation of 4966 the HBA technique is that once generated the address set is fixed and 4967 cannot be changed without also changing all the addresses of the HBA 4968 set. In other words, the HBA technique does not support dynamic 4969 addition of address to a previously generated HBA set. An advantage 4970 of this approach is that it requires only hash operations to verify a 4971 locator set, imposing very low computational cost to the protocol. 4973 In a CGA based approach the address used as ULID is a CGA that 4974 contains a hash of a public key in its interface identifier. The 4975 result is a secure binding between the ULID and the associated key 4976 pair. This allows each peer to use the corresponding private key to 4977 sign the shim messages that convey locator set information. The 4978 trust chain in this case is the following: the ULID used for the 4979 communication is securely bound to the key pair because it contains 4980 the hash of the public key, and the locator set is bound to the 4981 public key through the signature. The CGA approach then supports 4982 dynamic addition of new locators in the locator set, since in order 4983 to do that, the node only needs to sign the new locator with the 4984 private key associated with the CGA used as ULID. A limitation of 4985 this approach is that it imposes systematic usage of public key 4986 cryptography with its associate computational cost. 4988 Any of these two mechanisms HBA and CGA provide time-shifted attack 4989 protection, since the ULID is securely bound to a locator set that 4990 can only be defined by the owner of the ULID. 4992 So, the design decision adopted was that both mechanisms HBA and CGA 4993 are supported, so that when only stable address sets are required, 4994 the nodes can benefit from the low computational cost offered by HBA 4995 while when dynamic locator sets are required, this can be achieved 4996 through CGAs with an additional cost. Moreover, because HBAs are 4997 defined as a CGA extension, the addresses available in a node can 4998 simultaneously be CGAs and HBAs, allowing the usage of the HBA and 4999 CGA functionality when needed without requiring a change in the 5000 addresses used. 5002 Appendix D.5. ULID-pair context establishment exchange 5004 Two options were considered for the ULID-pair context establishment 5005 exchange: a 2-way handshake and a 4-way handshake. 5007 A key goal for the design of this exchange was that protection 5008 against DoS attacks. The attack under consideration was basically a 5009 situation where an attacker launches a great amount of ULID-pair 5010 establishment request packets, exhausting victim's resources, similar 5011 to TCP SYN flooding attacks. 5013 A 4 way-handshake exchange protects against these attacks because the 5014 receiver does not creates any state associate to a given context 5015 until the reception of the second packet which contains a prior 5016 contact proof in the form of a token. At this point the receiver can 5017 verify that at least the address used by the initiator is at some 5018 extent valid, since the initiator is able to receive packets at this 5019 address. In the worse case, the responder can track down the 5020 attacker using this address. The drawback of this approach is that 5021 it imposes a 4 packet exchange for any context establishment. This 5022 would be a great deal if the shim context needed to be established up 5023 front, before the communication can proceed. However, thanks to 5024 deferred context establishment capability of the shim protocol, this 5025 limitation has a reduced impact in the performance of the protocol. 5026 (It may however have a greater impact in the situation of context 5027 recover as discussed earlier, but in this case, it is possible to 5028 perform optimizations to reduce the number of packets as described 5029 above) 5031 The other option considered was a 2-way handshake with the 5032 possibility to fall back to a 4-way handshake in case of attack. In 5033 this approach, the ULID-pair establishment exchange normally consists 5034 in a 2-packet exchange and it does not verify that the initiator has 5035 performed a prior contact before creating context state. In case 5036 that a DoS attack is detected, the responder falls back to a 4-way 5037 handshake similar to the one described previously in order to prevent 5038 the detected attack to proceed. The main difficulty with this attack 5039 is how to detect that a responder is currently under attack. It 5040 should be noted, that because this is 2-way exchange, it is not 5041 possible to use the number of half open sessions (as in TCP) to 5042 detect an ongoing attack and different heuristics need to be 5043 considered. 5045 The design decision taken was that considering the current impact of 5046 DoS attacks and the low impact of the 4-way exchange in the shim 5047 protocol thanks to the deferred context establishment capability, a 5048 4-way exchange would be adopted for the base protocol. 5050 Appendix D.6. Updating locator sets 5052 There are two possible approaches to the addition and removal of 5053 locators: atomic and differential approaches. The atomic approach 5054 essentially send the complete locators set each time that a variation 5055 in the locator set occurs. The differential approach send the 5056 differences between the existing locator set and the new one. The 5057 atomic approach imposes additional overhead, since all the locator 5058 set has to be exchanged each time while the differential approach 5059 requires re-synchronization of both ends through changes i.e. that 5060 both ends have the same idea about what the current locator set is. 5062 Because of the difficulties imposed by the synchronization 5063 requirement, the atomic approach was selected. 5065 Appendix D.7. State Cleanup 5067 There are essentially two approaches for discarding an existing state 5068 about locators, keys and identifiers of a correspondent node: a 5069 coordinated approach and an unilateral approach. 5071 In the unilateral approach, each node discards the information about 5072 the other node without coordination with the other node based on some 5073 local timers and heuristics. No packet exchange is required for 5074 this. In this case, it would be possible that one of the nodes has 5075 discarded the state while the other node still hasn't. In this case, 5076 a No-Context error message may be required to inform about the 5077 situation and possibly a recovery mechanism is also needed. 5079 A coordinated approach would use an explicit CLOSE mechanism, akin to 5080 the one specified in HIP [26]. If an explicit CLOSE handshake and 5081 associated timer is used, then there would no longer be a need for 5082 the No Context Error message due to a peer having garbage collected 5083 its end of the context. However, there is still potentially a need 5084 to have a No Context Error message in the case of a complete state 5085 loss of the peer (also known as a crash followed by a reboot). Only 5086 if we assume that the reboot takes at least the CLOSE timer, or that 5087 it is ok to not provide complete service until CLOSE timer minutes 5088 after the crash, can we completely do away with the No Context Error 5089 message. 5091 In addition, other aspect that is relevant for this design choice is 5092 the context confusion issue. In particular, using an unilateral 5093 approach to discard context state clearly opens the possibility of 5094 context confusion, where one of the ends unilaterally discards the 5095 context state, while the peer does not. In this case, the end that 5096 has discarded the state can re-use the context tag value used for the 5097 discarded state for a another context, creating a potential context 5098 confusion situation. In order to illustrate the cases where problems 5099 would arise consider the following scenario: 5101 o Hosts A and B establish context 1 using CTA and CTB as context 5102 tags. 5104 o Later on, A discards context 1 and the context tag value CTA 5105 becomes available for reuse. 5107 o However, B still keeps context 1. 5109 This would become a context confusion situation in the following two 5110 cases: 5112 o A new context 2 is established between A and B with a different 5113 ULID pair (or Forked Instance Identifier), and A uses CTA as 5114 context tag, If the locator sets used for both contexts are not 5115 disjoint, we are in a context confusion situation. 5117 o A new context is established between A and C and A uses CTA as 5118 context tag value for this new context. Later on, B sends Payload 5119 extension header and/or control messages containing CTA, which 5120 could be interpreted by A as belonging to context 2 (if no proper 5121 care is taken). Again we are in a context confusion situation. 5123 One could think that using a coordinated approach would eliminate 5124 these context confusion situations, making the protocol much simpler. 5125 However, this is not the case, because even in the case of a 5126 coordinated approach using a CLOSE/CLOSE ACK exchange, there is still 5127 the possibility of a host rebooting without having the time to 5128 perform the CLOSE exchange. So, it is true that the coordinated 5129 approach eliminates the possibility of a context confusion situation 5130 because premature garbage collection, but it does not prevent the 5131 same situations due to a crash and reboot of one of the involved 5132 hosts. The result is that even if we went for a coordinated 5133 approach, we would still need to deal with context confusion and 5134 provide the means to detect and recover from this situations. 5136 Appendix E. Change Log 5138 [RFC Editor: please remove this section] 5140 The following changes have been made since draft-ietf-shim6-proto-07: 5142 o New Error Message format added in the Format section 5144 o Added new registry for Error codes in the IANA considerations 5145 section 5147 o Changed the Format section so a Shim6 error message is sent back 5148 when a crtical option is not recognized (instead of an ICMP error 5149 message) 5151 o Changed the ULID estbalishment section so that a Shim6 error 5152 message is sent back when the locator verification is not 5153 recgnized or not consistent with the current CGA PDS 5155 o Changed the Locator Update section so that Shim6 error messages 5156 are sent instead of ICMP error messages 5158 o Changed the receiving packet section so that Shim6 error messages 5159 are generated instead of ICMP error messages 5161 o added new section about middle box consideration in the 5162 implication elsewhere section 5164 o added text for allowing strcuture in context tag name space, while 5165 still randomly cycling though part of the tag name space 5167 o changed the name of TEMPORARY flag for the TRANSIENT flag 5169 o clarified option length calculation 5171 o Editorial commnets from Iljitsch review 5173 o added new sub-section in the introduction about congestion 5174 notification to upper layer and include a reference to 5175 I-D.schuetz-tcpm-tcp-rlci 5177 o added reccomendation to keep the shim6 message length below 1280 5178 bytes 5180 o added the init nonce in the description of the verification of the 5181 validator when receiving I2 messages 5183 o removed FII and ULID in the verification of the validator when 5184 receiving I2BIS meesages, and added receiver context tag. 5186 o Clarified section about retransmision of I2 and I2bis messages, in 5187 case that the initiator decides not to retransmit I2/I2bis 5188 messages and retransmits I1 message 5190 o Clarified the effect of packets associated with a context but 5191 without the shim6 header when considering tearing down a context 5193 o Added new section in section 12 about how to process packets 5194 associated with a context that do not carry the shim6 ext header 5196 o Added respon der validator as information stored in I2-SENT and 5197 Responder validator, init nonce and RESP nonce as information 5198 available in I2BISSENT 5200 o Added Init Nonce, Responder Nonce, and Responder validator as 5201 information available for a shim6 context in the conceptual model 5202 during establishment phase. 5204 o Clarified how the Responder Validator is calculated based on a 5205 running counter that is independent of any received message 5207 o Editorial corrections resulting from Dave Thaler and Bob Braden 5208 reviews. 5210 The following changes have been made since draft-ietf-shim6-proto-06: 5212 o Changed wording in the renumberin considerations section, so that 5213 a shim6 context using a ULID that has been renumbered, MUST be 5214 discarded 5216 o Included text in the security considerations about IPSec BITW and 5217 IPSec tunnels. 5219 o Added text about the minimum key length of CGA in the security 5220 considerations section 5222 o fixed Payload/update message processing 5224 o synchonized with READ draft 5226 The following changes have been made since draft-ietf-shim6-proto-05: 5228 o Removed the possibility to keep on using the ULID after a 5229 renumbering event 5231 o Editorial corrections resulting from Dave Meyer's and Jim Bound's 5232 reviews. 5234 The following changes have been made since draft-ietf-shim6-proto-04: 5236 o Defined I1_RETRIES_MAX as 4. 5238 o Added text in section 7.9 clarifying the no per context state is 5239 stored at the receiver in order to reply an I1 message. 5241 o Added text in section 5 and in section 5.14 in particular, on 5242 defining additional options (including critical and non critical 5243 options). 5245 o Added text in the security considerations about threats related to 5246 secret S for generating the validators and recommendation to 5247 change S periodically. 5249 o Added text in the security considerations about the effects of 5250 attacks based on guessing the context tag being similar to 5251 spoofing source addresses in the case of payload packets. 5253 o Added clarification on what a recent nonce is in I2 and I2bis. 5255 o Removed (empty) open issues section. 5257 o Editorial corrections. 5259 The following changes have been made since draft-ietf-shim6-proto-03: 5261 o Editorial clarifications based on comments from Geoff, Shinta, 5262 Jari. 5264 o Added "no IPv6 NATs as an explicit assumption. 5266 o Moving some things out of the Introduction and Overview sections 5267 to remove all SHOULDs and MUSTs from there. 5269 o Added requirement that any Locator Preference options which use an 5270 element length greater than 3 octets have the already defined 5271 first 3 octets of flags, priority and weight. 5273 o Fixed security hole where a single message (I1) could cause 5274 CT(peer) to be updated. Now a three-way handshake is required 5275 before CT(peer) is updated for an existing context. 5277 The following changes have been made since draft-ietf-shim6-proto-02: 5279 o Replaced the Context Error message with the R1bis message. 5281 o Removed the Packet In Error option, since it was only used in the 5282 Context Error message. 5284 o Introduced a I2bis message which is sent in response to an I1bis 5285 message, since the responders processing is quite in this case 5286 than in the regular R1 case. 5288 o Moved the packet formats for the Keepalive and Probe message types 5289 and Event option to [9]. Only the message type values and option 5290 type value are specified for those in this document. 5292 o Removed the unused message types. 5294 o Added a state machine description as an appendix. 5296 o Filled in all the TBDs - except the IANA assignment of the 5297 protocol number. 5299 o Specified how context recovery and forked contexts work together. 5300 This required the introduction of a Forked Instance option to be 5301 able to tell which of possibly forked instances is being 5302 recovered. 5304 o Renamed the "host-pair context" to be "ULID-pair context". 5306 o Picked some initial retransmit timers for I1 and I2; 4 seconds. 5308 o Added timer values as protocol constants. The retransmit timers 5309 use binary exponential backoff and randomization (between .5 and 5310 1.5 of the nominal value). 5312 o Require that the R1/R1bis verifiers be usable for some minimum 5313 time so that the initiator knows for how long time it can safely 5314 retransmit I2 before it needs to go back to sending I1 again. 5315 Picked 30 seconds. 5317 o Split the message type codes into 0-63, which will not generate 5318 R1bis messages, and 64-127 which will generate R1bis messages. 5319 This allows extensibility of the protocol with new message types 5320 while being able to control when R1bis is generated. 5322 o Expanded the context tag from 32 to 47 bits. 5324 o Specified that enough locators need to be included in I2 and R2 5325 messages. Specified that the HBA/CGA verification must be 5326 performed when the locator set is received. 5328 o Specified that ICMP parameter problem errors are sent in certain 5329 error cases, for instance when the verification method is unknown 5330 to the receiver, or there is an unknown message type or option 5331 type. 5333 o Renamed "payload message" to be "payload extension header". 5335 o Many editorial clarifications suggested by Geoff Huston. 5337 o Modified the dispatching of payload extension header to only 5338 compare CT(local) i.e., not compare the source and destination 5339 IPv6 address fields. 5341 The following changes have been made since draft-ietf-shim6-proto-00: 5343 o Removed the use of the flow label and the overloading of the IP 5344 protocol numbers. Instead, when the locator pair is not the ULID 5345 pair, the ULP payloads will be carried with an 8 octet extension 5346 header. The belief is that it is possible to remove these extra 5347 bytes by defining future Shim6 extensions that exchange more 5348 information between the hosts, without having to overload the flow 5349 label or the IP protocol numbers. 5351 o Grew the context tag from 20 bits to 32 bits, with the possibility 5352 to grow it to 47 bits. This implies changes to the message 5353 formats. 5355 o Almost by accident, the new Shim6 message format is very close to 5356 the HIP message format. 5358 o Adopted the HIP format for the options, since this makes it easier 5359 to describe variable length options. The original, ND-style, 5360 option format requires internal padding in the options to make 5361 them 8 octet length in total, while the HIP format handles that 5362 using the option length field. 5364 o Removed some of the control messages, and renamed the other ones. 5366 o Added a "generation" number to the Locator List option, so that 5367 the peers can ensure that the preferences refer to the right 5368 "version" of the Locator List. 5370 o In order for FBD and exploration to work when there the use of the 5371 context is forked, that is different ULP messages are sent over 5372 different locator pairs, things are a lot easier if there is only 5373 one current locator pair used for each context. Thus the forking 5374 of the context is now causing a new context to be established for 5375 the same ULID; the new context having a new context tag. The 5376 original context is referred to as the "default" context for the 5377 ULID pair. 5379 o Added more background material and textual descriptions. 5381 19. References 5383 19.1. Normative References 5385 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 5386 Levels", BCP 14, RFC 2119, March 1997. 5388 [2] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) 5389 Specification", RFC 2460, December 1998. 5391 [3] Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery 5392 for IP Version 6 (IPv6)", RFC 2461, December 1998. 5394 [4] Thomson, S. and T. Narten, "IPv6 Stateless Address 5395 Autoconfiguration", RFC 2462, December 1998. 5397 [5] Conta, A. and S. Deering, "Internet Control Message Protocol 5398 (ICMPv6) for the Internet Protocol Version 6 (IPv6) 5399 Specification", RFC 2463, December 1998. 5401 [6] Aura, T., "Cryptographically Generated Addresses (CGA)", 5402 RFC 3972, March 2005. 5404 [7] Kent, S. and K. Seo, "Security Architecture for the Internet 5405 Protocol", RFC 4301, December 2005. 5407 [8] Bagnulo, M., "Hash Based Addresses (HBA)", 5408 draft-ietf-shim6-hba-02 (work in progress), October 2006. 5410 [9] Arkko, J. and I. Beijnum, "Failure Detection and Locator Pair 5411 Exploration Protocol for IPv6 Multihoming", 5412 draft-ietf-shim6-failure-detection-07 (work in progress), 5413 December 2006. 5415 19.2. Informative References 5417 [10] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for 5418 specifying the location of services (DNS SRV)", RFC 2782, 5419 February 2000. 5421 [11] Ferguson, P. and D. Senie, "Network Ingress Filtering: 5422 Defeating Denial of Service Attacks which employ IP Source 5423 Address Spoofing", BCP 38, RFC 2827, May 2000. 5425 [12] Narten, T. and R. Draves, "Privacy Extensions for Stateless 5426 Address Autoconfiguration in IPv6", RFC 3041, January 2001. 5428 [13] Draves, R., "Default Address Selection for Internet Protocol 5429 version 6 (IPv6)", RFC 3484, February 2003. 5431 [14] Bagnulo, M., "Updating RFC 3484 for multihoming support", 5432 draft-bagnulo-ipv6-rfc3484-update-00 (work in progress), 5433 December 2005. 5435 [15] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, 5436 "RTP: A Transport Protocol for Real-Time Applications", STD 64, 5437 RFC 3550, July 2003. 5439 [16] Abley, J., Black, B., and V. Gill, "Goals for IPv6 Site- 5440 Multihoming Architectures", RFC 3582, August 2003. 5442 [17] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, "IPv6 5443 Flow Label Specification", RFC 3697, March 2004. 5445 [18] Eastlake, D., Schiller, J., and S. Crocker, "Randomness 5446 Requirements for Security", BCP 106, RFC 4086, June 2005. 5448 [19] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast 5449 Addresses", RFC 4193, October 2005. 5451 [20] Nordmark, E. and T. Li, "Threats Relating to IPv6 Multihoming 5452 Solutions", RFC 4218, October 2005. 5454 [21] Huitema, C., "Ingress filtering compatibility for IPv6 5455 multihomed sites", draft-huitema-shim6-ingress-filtering-00 5456 (work in progress), September 2005. 5458 [22] Bagnulo, M. and E. Nordmark, "SHIM - MIPv6 Interaction", 5459 draft-bagnulo-shim6-mip-00 (work in progress), July 2005. 5461 [23] Nordmark, E., "Shim6 Application Referral Issues", 5462 draft-ietf-shim6-app-refer-00 (work in progress), July 2005. 5464 [24] Bagnulo, M. and J. Abley, "Applicability Statement for the 5465 Level 3 Multihoming Shim Protocol (Shim6)", 5466 draft-ietf-shim6-applicability-02 (work in progress), 5467 October 2006. 5469 [25] Huston, G., "Architectural Commentary on Site Multi-homing 5470 using a Level 3 Shim", draft-ietf-shim6-arch-00 (work in 5471 progress), July 2005. 5473 [26] Moskowitz, R., "Host Identity Protocol", draft-ietf-hip-base-07 5474 (work in progress), February 2007. 5476 [27] Eronen, P., "IKEv2 Mobility and Multihoming Protocol (MOBIKE)", 5477 draft-ietf-mobike-protocol-08 (work in progress), 5478 February 2006. 5480 [28] Schuetz, S., "TCP Response to Lower-Layer Connectivity-Change 5481 Indications", draft-schuetz-tcpm-tcp-rlci-01 (work in 5482 progress), March 2007. 5484 Authors' Addresses 5486 Erik Nordmark 5487 Sun Microsystems 5488 17 Network Circle 5489 Menlo Park, CA 94025 5490 USA 5492 Phone: +1 650 786 2921 5493 Email: erik.nordmark@sun.com 5495 Marcelo Bagnulo 5496 Universidad Carlos III de Madrid 5497 Av. Universidad 30 5498 Leganes, Madrid 28911 5499 SPAIN 5501 Phone: +34 91 6248814 5502 Email: marcelo@it.uc3m.es 5503 URI: http://www.it.uc3m.es 5505 Full Copyright Statement 5507 Copyright (C) The IETF Trust (2007). 5509 This document is subject to the rights, licenses and restrictions 5510 contained in BCP 78, and except as set forth therein, the authors 5511 retain all their rights. 5513 This document and the information contained herein are provided on an 5514 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 5515 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 5516 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 5517 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 5518 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 5519 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 5521 Intellectual Property 5523 The IETF takes no position regarding the validity or scope of any 5524 Intellectual Property Rights or other rights that might be claimed to 5525 pertain to the implementation or use of the technology described in 5526 this document or the extent to which any license under such rights 5527 might or might not be available; nor does it represent that it has 5528 made any independent effort to identify any such rights. Information 5529 on the procedures with respect to rights in RFC documents can be 5530 found in BCP 78 and BCP 79. 5532 Copies of IPR disclosures made to the IETF Secretariat and any 5533 assurances of licenses to be made available, or the result of an 5534 attempt made to obtain a general license or permission for the use of 5535 such proprietary rights by implementers or users of this 5536 specification can be obtained from the IETF on-line IPR repository at 5537 http://www.ietf.org/ipr. 5539 The IETF invites any interested party to bring to its attention any 5540 copyrights, patents or patent applications, or other proprietary 5541 rights that may cover technology that may be required to implement 5542 this standard. Please address the information to the IETF at 5543 ietf-ipr@ietf.org. 5545 Acknowledgment 5547 Funding for the RFC Editor function is provided by the IETF 5548 Administrative Support Activity (IASA).