idnits 2.17.1 draft-ietf-shim6-proto-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? -- It seems you're using the 'non-IETF stream' Licence Notice instead Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 3400 has weird spacing: '...payload exten...' -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (December 15, 2008) is 5603 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Looks like a reference, but probably isn't: 'CGA' on line 2226 -- Looks like a reference, but probably isn't: 'FII' on line 2413 -- Obsolete informational reference (is this intentional?): RFC 3484 (ref. '7') (Obsoleted by RFC 6724) -- Obsolete informational reference (is this intentional?): RFC 3697 (ref. '11') (Obsoleted by RFC 6437) == Outdated reference: A later version (-08) exists of draft-ietf-shim6-applicability-03 == Outdated reference: A later version (-17) exists of draft-ietf-shim6-multihome-shim-api-07 Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SHIM6 WG E. Nordmark 3 Internet-Draft Sun Microsystems 4 Intended status: Standards Track M. Bagnulo 5 Expires: June 18, 2009 UC3M 6 December 15, 2008 8 Shim6: Level 3 Multihoming Shim Protocol for IPv6 9 draft-ietf-shim6-proto-11.txt 11 Status of this Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on June 18, 2009. 34 Copyright Notice 36 Copyright (c) 2008 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (http://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. 46 Abstract 48 This document defines the Shim6 protocol, a layer 3 shim for 49 providing locator agility below the transport protocols, so that 50 multihoming can be provided for IPv6 with failover and load sharing 51 properties, without assuming that a multihomed site will have a 52 provider independent IPv6 address prefix which is announced in the 53 global IPv6 routing table. The hosts in a site which has multiple 54 provider allocated IPv6 address prefixes, will use the Shim6 protocol 55 specified in this document to setup state with peer hosts, so that 56 the state can later be used to failover to a different locator pair, 57 should the original one stop working. 59 Table of Contents 61 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 62 1.1. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 5 63 1.2. Non-Goals . . . . . . . . . . . . . . . . . . . . . . . . 6 64 1.3. Locators as Upper-layer IDentifiers (ULID) . . . . . . . 6 65 1.4. IP Multicast . . . . . . . . . . . . . . . . . . . . . . 7 66 1.5. Renumbering Implications . . . . . . . . . . . . . . . . 8 67 1.6. Placement of the shim . . . . . . . . . . . . . . . . . . 9 68 1.7. Traffic Engineering . . . . . . . . . . . . . . . . . . . 11 69 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 14 70 2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 14 71 2.2. Notational Conventions . . . . . . . . . . . . . . . . . 17 72 2.3. Conceptual . . . . . . . . . . . . . . . . . . . . . . . 17 73 3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 18 74 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 20 75 4.1. Context Tags . . . . . . . . . . . . . . . . . . . . . . 22 76 4.2. Context Forking . . . . . . . . . . . . . . . . . . . . . 22 77 4.3. API Extensions . . . . . . . . . . . . . . . . . . . . . 23 78 4.4. Securing Shim6 . . . . . . . . . . . . . . . . . . . . . 23 79 4.5. Overview of Shim Control Messages . . . . . . . . . . . . 24 80 4.6. Extension Header Order . . . . . . . . . . . . . . . . . 25 81 5. Message Formats . . . . . . . . . . . . . . . . . . . . . . . 27 82 5.1. Common Shim6 Message Format . . . . . . . . . . . . . . . 27 83 5.2. Payload Extension Header Format . . . . . . . . . . . . . 28 84 5.3. Common Shim6 Control header . . . . . . . . . . . . . . . 28 85 5.4. I1 Message Format . . . . . . . . . . . . . . . . . . . . 30 86 5.5. R1 Message Format . . . . . . . . . . . . . . . . . . . . 31 87 5.6. I2 Message Format . . . . . . . . . . . . . . . . . . . . 33 88 5.7. R2 Message Format . . . . . . . . . . . . . . . . . . . . 35 89 5.8. R1bis Message Format . . . . . . . . . . . . . . . . . . 36 90 5.9. I2bis Message Format . . . . . . . . . . . . . . . . . . 38 91 5.10. Update Request Message Format . . . . . . . . . . . . . . 40 92 5.11. Update Acknowledgement Message Format . . . . . . . . . . 41 93 5.12. Keepalive Message Format . . . . . . . . . . . . . . . . 42 94 5.13. Probe Message Format . . . . . . . . . . . . . . . . . . 43 95 5.14. Error Message Format . . . . . . . . . . . . . . . . . . 43 96 5.15. Option Formats . . . . . . . . . . . . . . . . . . . . . 44 97 5.15.1. Responder Validator Option Format . . . . . . . . . 47 98 5.15.2. Locator List Option Format . . . . . . . . . . . . . 47 99 5.15.3. Locator Preferences Option Format . . . . . . . . . 49 100 5.15.4. CGA Parameter Data Structure Option Format . . . . . 51 101 5.15.5. CGA Signature Option Format . . . . . . . . . . . . 51 102 5.15.6. ULID Pair Option Format . . . . . . . . . . . . . . 52 103 5.15.7. Forked Instance Identifier Option Format . . . . . . 53 104 5.15.8. Keepalive Timeout Option Format . . . . . . . . . . 53 105 6. Conceptual Model of a Host . . . . . . . . . . . . . . . . . 54 106 6.1. Conceptual Data Structures . . . . . . . . . . . . . . . 54 107 6.2. Context STATES . . . . . . . . . . . . . . . . . . . . . 56 108 7. Establishing ULID-Pair Contexts . . . . . . . . . . . . . . . 58 109 7.1. Uniqueness of Context Tags . . . . . . . . . . . . . . . 58 110 7.2. Locator Verification . . . . . . . . . . . . . . . . . . 58 111 7.3. Normal context establishment . . . . . . . . . . . . . . 59 112 7.4. Concurrent context establishment . . . . . . . . . . . . 59 113 7.5. Context recovery . . . . . . . . . . . . . . . . . . . . 61 114 7.6. Context confusion . . . . . . . . . . . . . . . . . . . . 63 115 7.7. Sending I1 messages . . . . . . . . . . . . . . . . . . . 64 116 7.8. Retransmitting I1 messages . . . . . . . . . . . . . . . 65 117 7.9. Receiving I1 messages . . . . . . . . . . . . . . . . . . 65 118 7.10. Sending R1 messages . . . . . . . . . . . . . . . . . . . 66 119 7.10.1. Generating the R1 Validator . . . . . . . . . . . . 67 120 7.11. Receiving R1 messages and sending I2 messages . . . . . . 67 121 7.12. Retransmitting I2 messages . . . . . . . . . . . . . . . 68 122 7.13. Receiving I2 messages . . . . . . . . . . . . . . . . . . 69 123 7.14. Sending R2 messages . . . . . . . . . . . . . . . . . . . 70 124 7.15. Match for Context Confusion . . . . . . . . . . . . . . . 71 125 7.16. Receiving R2 messages . . . . . . . . . . . . . . . . . . 71 126 7.17. Sending R1bis messages . . . . . . . . . . . . . . . . . 72 127 7.17.1. Generating the R1bis Validator . . . . . . . . . . . 73 128 7.18. Receiving R1bis messages and sending I2bis messages . . . 73 129 7.19. Retransmitting I2bis messages . . . . . . . . . . . . . . 74 130 7.20. Receiving I2bis messages and sending R2 messages . . . . 75 131 8. Handling ICMP Error Messages . . . . . . . . . . . . . . . . 77 132 9. Teardown of the ULID-Pair Context . . . . . . . . . . . . . . 80 133 10. Updating the Peer . . . . . . . . . . . . . . . . . . . . . . 81 134 10.1. Sending Update Request messages . . . . . . . . . . . . . 81 135 10.2. Retransmitting Update Request messages . . . . . . . . . 81 136 10.3. Newer Information While Retransmitting . . . . . . . . . 82 137 10.4. Receiving Update Request messages . . . . . . . . . . . . 82 138 10.5. Receiving Update Acknowledgement messages . . . . . . . . 84 139 11. Sending ULP Payloads . . . . . . . . . . . . . . . . . . . . 86 140 11.1. Sending ULP Payload after a Switch . . . . . . . . . . . 86 142 12. Receiving Packets . . . . . . . . . . . . . . . . . . . . . . 88 143 12.1. Receiving payload without extension headers . . . . . . . 88 144 12.2. Receiving Payload Extension Headers . . . . . . . . . . . 88 145 12.3. Receiving Shim Control messages . . . . . . . . . . . . . 89 146 12.4. Context Lookup . . . . . . . . . . . . . . . . . . . . . 89 147 13. Initial Contact . . . . . . . . . . . . . . . . . . . . . . . 92 148 14. Protocol constants . . . . . . . . . . . . . . . . . . . . . 93 149 15. Implications Elsewhere . . . . . . . . . . . . . . . . . . . 94 150 15.1. Congestion Control Considerations . . . . . . . . . . . . 94 151 15.2. Middle-boxes considerations . . . . . . . . . . . . . . . 94 152 15.3. Operation and Management Considerations . . . . . . . . . 95 153 15.4. Other considerations . . . . . . . . . . . . . . . . . . 96 154 16. Security Considerations . . . . . . . . . . . . . . . . . . . 98 155 16.1. Interaction with IPsec . . . . . . . . . . . . . . . . . 99 156 16.2. Residual Threats . . . . . . . . . . . . . . . . . . . . 101 157 17. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 103 158 18. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 105 159 Appendix A. Possible Protocol Extensions . . . . . . . . . . 106 160 Appendix B. Simplified STATE Machine . . . . . . . . . . . . 108 161 Appendix B.1. Simplified STATE Machine diagram . . . . . . . . 113 162 Appendix C. Context Tag Reuse . . . . . . . . . . . . . . . . 115 163 Appendix C.1. Context Recovery . . . . . . . . . . . . . . . . 115 164 Appendix C.2. Context Confusion . . . . . . . . . . . . . . . . 115 165 Appendix C.3. Three Party Context Confusion . . . . . . . . . . 116 166 Appendix C.4. Summary . . . . . . . . . . . . . . . . . . . . . 116 167 Appendix D. Design Alternatives . . . . . . . . . . . . . . . 117 168 Appendix D.1. Context granularity . . . . . . . . . . . . . . . 117 169 Appendix D.2. Demultiplexing of data packets in Shim6 170 communications . . . . . . . . . . . . . . . . . 117 171 Appendix D.2.1. Flow-label . . . . . . . . . . . . . . . . . . . 118 172 Appendix D.2.2. Extension Header . . . . . . . . . . . . . . . . 120 173 Appendix D.3. Context Loss Detection . . . . . . . . . . . . . 121 174 Appendix D.4. Securing locator sets . . . . . . . . . . . . . . 123 175 Appendix D.5. ULID-pair context establishment exchange . . . . 126 176 Appendix D.6. Updating locator sets . . . . . . . . . . . . . . 127 177 Appendix D.7. State Cleanup . . . . . . . . . . . . . . . . . . 127 178 Appendix E. Change Log . . . . . . . . . . . . . . . . . . . 130 179 19. References . . . . . . . . . . . . . . . . . . . . . . . . . 137 180 19.1. Normative References . . . . . . . . . . . . . . . . . . 137 181 19.2. Informative References . . . . . . . . . . . . . . . . . 137 182 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 139 184 1. Introduction 186 This document describes a layer 3 shim approach and protocol for 187 providing locator agility below the transport protocols, so that 188 multihoming can be provided for IPv6 with failover and load sharing 189 properties [10], without assuming that a multihomed site will have a 190 provider independent IPv6 address which is announced in the global 191 IPv6 routing table. The hosts in a site which has multiple provider 192 allocated IPv6 address prefixes, will use the Shim6 protocol 193 specified in this document to setup state with peer hosts, so that 194 the state can later be used to failover to a different locator pair, 195 should the original one stop working (the term locator is defined in 196 Section 2). 198 The Shim6 protocol is a site multihoming solution in the sense that 199 it allows existing communication to continue when a site that has 200 multiple connections to the internet experiences an outage on a 201 subset of these connections or further upstream. However, Shim6 202 processing is performed in individual hosts rather than through site- 203 wide mechanisms. 205 We assume that redirection attacks are prevented using Hash Based 206 Addresses (HBA) as defined in [3]. 208 The reachability and failure detection mechanisms, including how a 209 new working locator pair is discovered after a failure, are specified 210 in a separate document [4]. This document allocates message types 211 and option types for that sub-protocol, and leaves the specification 212 of the message and option formats as well as the protocol behavior to 213 that document. 215 1.1. Goals 217 The goals for this approach are to: 219 o Preserve established communications in the presence of certain 220 classes of failures, for example, TCP connections and UDP streams. 222 o Have minimal impact on upper layer protocols in general and on 223 transport protocols and applications in particular. 225 o Address the security threats in [14] through the combination of 226 the HBA/CGA approach specified in a separate document [3] and 227 techniques described in this document. 229 o Not require extra roundtrip up front to setup shim specific state. 230 Instead allow the upper layer traffic (e.g., TCP) to flow as 231 normal and defer the setup of the shim state until some number of 232 packets have been exchanged. 234 o Take advantage of multiple locators/addresses for load spreading 235 so that different sets of communication to a host (e.g., different 236 connections) might use different locators of the host. Note that 237 this might cause load to be spread unevenly, thus we use the term 238 "load spreading" instead of "load balancing". This capability 239 might enable some forms of traffic engineering, but the details 240 for traffic engineering, including what requirements can be 241 satisfied, are not specified in this document, and form part of a 242 potential extensions to this protocol. 244 1.2. Non-Goals 246 The assumption is that the problem we are trying to solve is site 247 multihoming, with the ability to have the set of site prefixes change 248 over time due to site renumbering. Further, we assume that such 249 changes to the set of locator prefixes can be relatively slow and 250 managed; slow enough to allow updates to the DNS to propagate (since 251 the protocol defined in this document depends on the DNS to find the 252 appropriate locator sets). Note, however that it is an explicit non- 253 goal to make communication survive a renumbering event (which causes 254 all the locators of a host to change to a new set of locators). This 255 proposal does not attempt to solve the related problem of host 256 mobility. However, it might turn out that the Shim6 protocol can be 257 a useful component for future host mobility solutions, e.g., for 258 route optimization. 260 Finally, this proposal also does not try to provide a new network 261 level or transport level identifier name space distinct from the 262 current IP address name space. Even though such a concept would be 263 useful to Upper Layer Protocols (ULPs) and applications, especially 264 if the management burden for such a name space was negligible and 265 there was an efficient yet secure mechanism to map from identifiers 266 to locators, such a name space isn't necessary (and furthermore 267 doesn't seem to help) to solve the multihoming problem. 269 The Shim6 proposal doesn't fully separate the identifier and locator 270 functions that have traditionally been overloaded in the IP address. 271 However, throughout this document the term "identifier", or more 272 specifically, Upper Layer Identifier (ULID) refers to the identifying 273 function of an IPv6 address, and "locator" to the network layer 274 routing and forwarding properties of an IPv6 address. 276 1.3. Locators as Upper-layer IDentifiers (ULID) 278 The approach described in this document does not introduce a new 279 identifier name space but instead uses the locator that is selected 280 in the initial contact with the remote peer as the preserved Upper- 281 Layer Identifier (ULID). While there may be subsequent changes in 282 the selected network level locators over time in response to failures 283 in using the original locator, the upper level protocol stack 284 elements will continue to use this upper level identifier without 285 change. 287 This implies that the ULID selection is performed as today's default 288 address selection as specified in RFC 3484 [7]. Some extensions are 289 needed to RFC 3484 to try different source addresses, whether or not 290 the Shim6 protocol is used, as outlined in [8]. Underneath, and 291 transparently, the multihoming shim selects working locator pairs 292 with the initial locator pair being the ULID pair. If communication 293 subsequently fails the shim can test and select alternate locators. 294 A subsequent section discusses the issues when the selected ULID is 295 not initially working hence there is a need to switch locators up 296 front. 298 Using one of the locators as the ULID has certain benefits for 299 applications which have long-lived session state or performs 300 callbacks or referrals, because both the FQDN and the 128-bit ULID 301 work as handles for the applications. However, using a single 128- 302 bit ULID doesn't provide seamless communication when that locator is 303 unreachable. See [17] for further discussion of the application 304 implications. 306 There has been some discussion of using non-routable addresses, such 307 as Unique-Local Addresses (ULAs) [13], as ULIDs in a multihoming 308 solution. While this document doesn't specify all aspects of this, 309 it is believed that the approach can be extended to handle the non- 310 routable address case. For example, the protocol already needs to 311 handle ULIDs that are not initially reachable. Thus the same 312 mechanism can handle ULIDs that are permanently unreachable from 313 outside their site. The issue becomes how to make the protocol 314 perform well when the ULID is known a priori to be not reachable 315 (e.g. the ULID is a ULA), for instance, avoiding any timeout and 316 retries in this case. In addition one would need to understand how 317 the ULAs would be entered in the DNS to avoid a performance impact on 318 existing, non-Shim6 aware, IPv6 hosts potentially trying to 319 communicate to the (unreachable) ULA. 321 1.4. IP Multicast 323 IP Multicast requires that the IP source address field contain a 324 topologically correct locator for interface that is used to send the 325 packet, since IP multicast routing uses both the source address and 326 the destination group to determine where to forward the packet. In 327 particular, it need to be able to do the RPF check. (This isn't much 328 different than the situation with widely implemented ingress 329 filtering [6] for unicast.) 331 While in theory it would be possible to apply the shim re-mapping of 332 the IP address fields between ULIDs and locators, the fact that all 333 the multicast receivers would need to know the mapping to perform, 334 makes such an approach difficult in practice. Thus it makes sense to 335 have multicast ULPs operate directly on locators and not use the 336 shim. This is quite a natural fit for protocols which use RTP [9], 337 since RTP already has an explicit identifier in the form of the SSRC 338 field in the RTP headers. Thus the actual IP address fields are not 339 important to the application. 341 In summary, IP multicast will not need the shim to remap the IP 342 addresses. 344 This doesn't prevent the receiver of multicast to change its 345 locators, since the receiver is not explicitly identified; the 346 destination address is a multicast address and not the unicast 347 locator of the receiver. 349 1.5. Renumbering Implications 351 As stated above, this approach does not try to make communication 352 survive renumbering in the general case. 354 When a host is renumbered, the effect is that one or more locators 355 become invalid, and zero or more locators are added to the host's 356 network interface. This means that the set of locators that is used 357 in the shim will change, which the shim can handle as long as not all 358 the original locators become invalid at the same time and depending 359 on the time that is required to update the DNS and for those updates 360 to propagate. 362 But IP addresses are also used as ULIDs, and making the communication 363 survive locators becoming invalid can potentially cause some 364 confusion at the upper layers. The fact that a ULID might be used 365 with a different locator over time open up the possibility that 366 communication between two ULIDs might continue to work after one or 367 both of those ULIDs are no longer reachable as locators, for example 368 due to a renumbering event. This opens up the possibility that the 369 ULID (or at least the prefix on which it is based) is reassigned to 370 another site while it is still being used (with another locator) for 371 existing communication. 373 In the worst case we could end up with two separate hosts using the 374 same ULID while both of them are communicating with the same host. 376 This potential source for confusion is avoided requiring that any 377 communication using a ULID MUST be terminated when the ULID becomes 378 invalid (due to the underlying prefix becoming invalid). This 379 behavior can be accomplished by explicitly discarding the shim state 380 when the ULID becomes invalid. The context recovery mechanism will 381 then make the peer aware that the context is gone, and that the ULID 382 is no longer present at the same locator(s). 384 1.6. Placement of the shim 386 ----------------------- 387 | Transport Protocols | 388 ----------------------- 390 ------ ------- -------------- ------------- IP endpoint 391 | AH | | ESP | | Frag/reass | | Dest opts | sub-layer 392 ------ ------- -------------- ------------- 394 --------------------- 395 | Shim6 shim layer | 396 --------------------- 398 ------ IP routing 399 | IP | sub-layer 400 ------ 402 Figure 1: Protocol stack 404 The proposal uses a multihoming shim layer within the IP layer, i.e., 405 below the ULPs, as shown in Figure 1, in order to provide ULP 406 independence. The multihoming shim layer behaves as if it is 407 associated with an extension header, which would be placed after any 408 routing-related headers in the packet (such as any hop-by-hop 409 options, or routing header). However, when the locator pair is the 410 ULID pair there is no data that needs to be carried in an extension 411 header, thus none is needed in that case. 413 For the relative layering of the shim and ESP/AH there are two 414 choices. 416 With a "bump-in-the-stack" or "bump-in-the-wire" IPsec implementation 417 as well as the case of IPsec communication between a host and a 418 security gateway the layering naturally becomes shim6 over ESP/AH. 419 This implies that when the shim on the sender changes the ULIDs to 420 locators after a failure then a different IPsec security assocation 421 would be used since the SA is tied to the IP addresses in the packet. 422 But that approach is of low complexity. 424 With a native IPsec implementation that communicates end-to-end it is 425 possible to layer IPsec above the shim. That avoids any key 426 management actions when the locators change after a failure, and it 427 fits better with the architectural picture above with IPsec in the 428 endpoint sublayer. The downside is that it requires some care on the 429 sender to ensure that the change of the ULIDs to locators underneath 430 IPsec doesn't cause any violations of IPsec policies. The 431 implementation of such checks would add some complexity. The details 432 of needed care is specified in Section 16.1. 434 A receiver handles either order of AH/ESP and the shim since the 435 sender's order of processing is reflected in the order of the shim6 436 vs. AH/ESP headers in the packet. 438 Layering the fragmentation header above the multihoming shim makes 439 reassembly robust in the case that there is broken multi-path routing 440 which results in using different paths, hence potentially different 441 source locators, for different fragments. Thus, the multihoming shim 442 layer is placed between the IP endpoint sublayer, which handles 443 fragmentation, reassembly, and the IP routing sublayer, which selects 444 which next hop and interface to use for sending out packets. 446 Applications and upper layer protocols use ULIDs which the Shim6 447 layer map to/from different locators. The Shim6 layer maintains 448 state, called ULID-pair context, per ULID pair (that is, applies to 449 all ULP connections between the ULID pair) in order to perform this 450 mapping. The mapping is performed consistently at the sender and the 451 receiver so that ULPs see packets that appear to be sent using ULIDs 452 from end to end. This property is maintained even though the packets 453 travel through the network containing locators in the IP address 454 fields, and even though those locators may be changed by the 455 transmitting Shim6 layer. 457 The context state is maintained per remote ULID i.e. approximately 458 per peer host, and not at any finer granularity. In particular, it 459 is independent of the ULPs and any ULP connections. However, the 460 forking capability enables shim-aware ULPs to use more than one 461 locator pair at a time for an single ULID pair. 463 ---------------------------- ---------------------------- 464 | Sender A | | Receiver B | 465 | | | | 466 | ULP | | ULP | 467 | | src ULID(A)=L1(A) | | ^ | 468 | | dst ULID(B)=L1(B) | | | src ULID(A)=L1(A) | 469 | v | | | dst ULID(B)=L1(B) | 470 | multihoming shim | | multihoming shim | 471 | | src L2(A) | | ^ | 472 | | dst L3(B) | | | src L2(A) | 473 | v | | | dst L3(B) | 474 | IP | | IP | 475 ---------------------------- ---------------------------- 476 | ^ 477 ------- cloud with some routers ------- 479 Figure 2: Mapping with changed locators 481 The result of this consistent mapping is that there is no impact on 482 the ULPs. In particular, there is no impact on pseudo-header 483 checksums and connection identification. 485 Conceptually, one could view this approach as if both ULIDs and 486 locators are being present in every packet, and with a header 487 compression mechanism applied that removes the need for the ULIDs to 488 be carried in the packets once the compression state has been 489 established. In order for the receiver to recreate a packet with the 490 correct ULIDs there is a need to include some "compression tag" in 491 the data packets. This serves to indicate the correct context to use 492 for decompression when the locator pair in the packet is insufficient 493 to uniquely identify the context. 495 There are different types of interactions between the Shim6 layer and 496 other protocols. Those intereactions are influenced by the usage of 497 the addresses that these other protocols do and the impact of the 498 Shim6 mapping on these usages. A detailed analysis of the 499 interactions of different portocols, including SCTP, MIP and HIP can 500 be found in [18]. Moreover, some applications may need to have a 501 richer interaction with the Shim6 sub-layer. In order to enable 502 that, a API [22] has been defined to enable greater control and 503 information exchange for those applications that need it. 505 1.7. Traffic Engineering 507 At the time of this writing it is not clear what requirements for 508 traffic engineering make sense for the Shim6 protocol, since the 509 requirements must both result in some useful behavior as well as be 510 implementable using a host-to-host locator agility mechanism like 511 Shim6. 513 Inherent in a scalable multihoming mechanism that separates the 514 locator function of the IP address from identifying function of the 515 IP address is that each host ends up with multiple locators. This 516 means that at least for initial contact, it is the remote peer 517 application (or layer working on its behalf) needs to select an 518 initial ULID, which automatically becomes the initial locator. In 519 the case of Shim6 this is performed by applying RFC 3484 address 520 selection. 522 This is quite different than the common case of IPv4 multihoming 523 where the site has a single IP address prefix, since in that case the 524 peer performs no destination address selection. 526 Thus in "single prefix multihoming" the site, and in many cases its 527 upstream ISPs, can use BGP to exert some control of the ingress path 528 used to reach the site. This capability does not by itself exist 529 "multiple prefix multihoming" such as Shim6. It is conceivable that 530 extensions allowing site or provider guidance of host-based 531 mechanisms could be developed. But t should be noted that traffic 532 engineering via BGP, MPLS or other similar techniques can still be 533 applied for traffic on each individual prefix; Shim6 does not remove 534 the capability for this. It does provide some additional 535 capabilities for hosts to choose between prefixes. 537 These capabilities also carry some risk for non-optimal behaviour 538 when more than one mechanism attempts to correct problems at the same 539 time. However, it should be noted that this is not necessarily a 540 situation brought about by Shim6. A more constrained form of this 541 capability already exists in IPv6 itself via its support of multiple 542 prefixes and address selection rules for starting new communications. 543 Even IPv4 hosts with multiple interfaces may have limited 544 capabilities to choose interfaces on which they communicate. 545 Similarly, upper layers may choose different addresses. 547 In general, it is expected that Shim6 is applicable in relatively 548 small sites and individual hosts where BGP-style traffic engineering 549 operations are unavailable, unlikely or, if run with provider 550 independent addressing, might even be harmful considering the growth 551 rates in the global routing table. 553 The protocol provides a placeholder, in the form of the Locator 554 Preferences option, which can be used by hosts to express priority 555 and weight values for each locator. This option is merely a place 556 holder when it comes to providing traffic engineering; in order to 557 use this in a large site there would have to be a mechanism by which 558 the host can find out what preference values to use, either 559 statically (e.g., some new DHCPv6 option) or dynamically. 561 Thus traffic engineering is listed as a possible extension in 562 Appendix A. 564 2. Terminology 566 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 567 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 568 document are to be interpreted as described in RFC 2119 [1]. 570 2.1. Definitions 572 This document introduces the following terms: 574 upper layer protocol (ULP) 575 A protocol layer immediately above IP. Examples 576 are transport protocols such as TCP and UDP, 577 control protocols such as ICMP, routing protocols 578 such as OSPF, and internet or lower-layer 579 protocols being "tunneled" over (i.e., 580 encapsulated in) IP such as IPX, AppleTalk, or IP 581 itself. 583 interface A node's attachment to a link. 585 address An IP layer name that contains both topological 586 significance and acts as a unique identifier for 587 an interface. 128 bits. This document only uses 588 the "address" term in the case where it isn't 589 specific whether it is a locator or an 590 identifier. 592 locator An IP layer topological name for an interface or 593 a set of interfaces. 128 bits. The locators are 594 carried in the IP address fields as the packets 595 traverse the network. 597 identifier An IP layer name for an IP layer endpoint. The 598 transport endpoint name is a function of the 599 transport protocol and would typically include 600 the IP identifier plus a port number. 601 NOTE: This proposal does not specify any new form 602 of IP layer identifier, but still separates the 603 identifying and locating properties of the IP 604 addresses. 606 upper-layer identifier (ULID) 607 An IP address which has been selected for 608 communication with a peer to be used by the upper 609 layer protocol. 128 bits. This is used for 610 pseudo-header checksum computation and connection 611 identification in the ULP. Different sets of 612 communication to a host (e.g., different 613 connections) might use different ULIDs in order 614 to enable load spreading. 616 Since the ULID is just one of the IP locators/ 617 addresses of the node, there is no need for a 618 separate name space and allocation mechanisms. 620 address field The source and destination address fields in the 621 IPv6 header. As IPv6 is currently specified this 622 fields carry "addresses". If identifiers and 623 locators are separated these fields will contain 624 locators for packets on the wire. 626 FQDN Fully Qualified Domain Name 628 ULID-pair context The state that the multihoming shim maintains 629 between a pair of Upper-layer identifiers. The 630 context is identified by a context tag for each 631 direction of the communication, and also 632 identified by the pair of ULID and a Forked 633 Instance Identifier (see below). 635 Context tag Each end of the context allocates a context tag 636 for the context. This is used to uniquely 637 associate both received control packets and 638 payload extension headers as belonging to the 639 context. 641 Current locator pair 642 Each end of the context has a current locator 643 pair which is used to send packets to the peer. 644 The two ends might use different current locator 645 pairs though. 647 Default context At the sending end, the shim uses the ULID pair 648 (passed down from the ULP) to find the context 649 for that pair. Thus, normally, a host can have 650 at most one context for a ULID pair. We call 651 this the "default context". 653 Context forking A mechanism which allows ULPs that are aware of 654 multiple locators to use separate contexts for 655 the same ULID pair, in order to be able use 656 different locator pairs for different 657 communication to the same ULID. Context forking 658 causes more than just the default context to be 659 created for a ULID pair. 661 Forked Instance Identifier (FII) 662 In order to handle context forking, a context is 663 identified by a ULID-pair and a forked context 664 identifier. The default context has a FII of 665 zero. 667 Initial contact We use this term to refer to the pre-shim 668 communication when some ULP decides to start 669 communicating with a peer by sending and 670 receiving ULP packets. Typically this would not 671 invoke any operations in the shim, since the shim 672 can defer the context establishment until some 673 arbitrary later point in time. 675 Hash Based Addresses (HBA) 676 A form of IPv6 address where the interface ID is 677 derived from a cryptographic hash of all the 678 prefixes assigned to the host. See [3]. 680 Cryptographically Generated Addresses (CGA) 681 A form of IPv6 address where the interface ID is 682 derived from a cryptographic hash of the public 683 key. See [2]. 685 CGA Parameter Data Structure (PDS) 686 The information that CGA and HBA exchanges in 687 order to inform the peer of how the interface ID 688 was computed. See [2], [3]. 690 2.2. Notational Conventions 692 A, B, and C are hosts. X is a potentially malicious host. 694 FQDN(A) is the Fully qualified Domain Name for A. 696 Ls(A) is the locator set for A, which consists of the locators L1(A), 697 L2(A), ... Ln(A). The locator set in not ordered in any particular 698 way other than maybe what is returned by the DNS. A host might form 699 different locators sets containing different subnets of the hosts IP 700 addresses. This is necessary in some cases for security reasons. 701 See Section 16.1. 703 ULID(A) is an upper-layer ID for A. In this proposal, ULID(A) is 704 always one member of A's locator set. 706 CT(A) is a context tag assigned by A. 708 STATE (in uppercase) refers to the the specific state of the state 709 machine described in Section 6.2 711 2.3. Conceptual 713 This document also makes use of internal conceptual variables to 714 describe protocol behavior and external variables that an 715 implementation must allow system administrators to change. The 716 specific variable names, how their values change, and how their 717 settings influence protocol behavior are provided to demonstrate 718 protocol behavior. An implementation is not required to have them in 719 the exact form described here, so long as its external behavior is 720 consistent with that described in this document. See Section 6 for a 721 description of the conceptual data structures. 723 3. Assumptions 725 The design intent is to ensure that the Shim6 protocol is capable of 726 handling path failures independently of the number of IP addresses 727 (locators) available to the two communicating hosts, and 728 independently of which host detects the failure condition. 730 Consider, for example, the case in which both A and B have active 731 Shim6 state and where A has only one locator while B has multiple 732 locators. In this case, it might be that B is trying to send a 733 packet to A, and has detected a failure condition with the current 734 locator pair. Since B has multiple locators it presumably has 735 multiple ISPs, and consequently likely has alternate egress paths 736 toward A. B cannot vary the destination address (i.e., A's locator), 737 since A has only one locator. However, B may need to vary the source 738 address in order to ensure packet delivery. 740 In many cases normal operation of IP routing may cause the packets to 741 follow a path towards the correct (currently operational) egress. In 742 some cases it is possible that a path may be selected based on the 743 source address, implying that B will need to select a source address 744 corresponding to the currently operating egress. The details of how 745 routing can be accomplished is beyond the scope of this document 747 Also, when the site's ISPs perform ingress filtering based on packet 748 source addresses, Shim6 assumes that packets sent with different 749 source and destination combinations have a reasonable chance of 750 making it through the relevant ISP's ingress filters. This can be 751 accomplished in several ways (all outside the scope of this 752 document), such as having the ISPs relax their ingress filters, or 753 selecting the egress such that it matches the IP source address 754 prefix. In the case that one egress path has failed but another is 755 operating correctly, it may be necessary for the packet's source 756 (node B in the previous paragraph) to select a source address that 757 corresponds to the operational egress, in order to pass the ISP's 758 ingress filters. 760 The Shim6 approach assumes that there are no IPv6-to-IPv6 NATs on the 761 paths, i.e., that the two ends can exchange their own notion of their 762 IPv6 addresses and that those addresses will also make sense to their 763 peer. 765 The security of the Shim6 protocol relies on the usage of Hash Based 766 Addresses (HBA) [3] and/or Cryptographically Generated Addresses 767 (CGA) [2]. In the case that HBAs are used, all the addresses 768 assigned to the host that are included in the Shim6 protocol (either 769 as a locator or as a ULID) must be part of the same HBA set. In the 770 case that CGAs are used, the address used as ULID must be a CGA but 771 the other addresses that are used as locators do not need to be 772 neither CGAs nor HBAs. It should be noted that it is perfectly 773 acceptable to run the Shim6 protocol between a host that has multiple 774 locators and another host that has a single IP address. In this 775 case, the address of the host with a single address does not need to 776 be an HBA nor a CGA. 778 4. Protocol Overview 780 The Shim6 protocol operates in several phases over time. The 781 following sequence illustrates the concepts: 783 o An application on host A decides to contact an application on host 784 B using some upper-layer protocol. This results in the ULP on 785 host A sending packets to host B. We call this the initial 786 contact. Assuming the IP addresses selected by Default Address 787 Selection [7] and its extensions [8] work, then there is no action 788 by the shim at this point in time. Any shim context establishment 789 can be deferred until later. 791 o Some heuristic on A or B (or both) determine that it is 792 appropriate to pay the Shim6 overhead to make this host-to-host 793 communication robust against locator failures. For instance, this 794 heuristic might be that more than 50 packets have been sent or 795 received, or a timer expiration while active packet exchange is in 796 place. This makes the shim initiate the 4-way context 797 establishment exchange. The purpose of this heuristic is to avoid 798 setting up a shim context when only a small number of packets is 799 exchanged between two hosts. 801 As a result of this exchange, both A and B will know a list of 802 locators for each other. 804 If the context establishment exchange fails, the initiator will 805 then know that the other end does not support Shim6, and will 806 continue with standard (non-Shim6) behavior for the session. 808 o Communication continues without any change for the ULP packets. 809 In particular, there are no shim extension headers added to the 810 ULP packets, since the ULID pair is the same as the locator pair. 811 In addition, there might be some messages exchanged between the 812 shim sub-layers for (un)reachability detection. 814 o At some point in time something fails. Depending on the approach 815 to reachability detection, there might be some advice from the 816 ULP, or the shim (un)reachability detection might discover that 817 there is a problem. 819 At this point in time one or both ends of the communication need 820 to probe the different alternate locator pairs until a working 821 pair is found, and switch to using that locator pair. 823 o Once a working alternative locator pair has been found, the shim 824 will rewrite the packets on transmit, and tag the packets with 825 Shim6 Payload extension header, which contains the receiver's 826 context tag. The receiver will use the context tag to find the 827 context state which will indicate which addresses to place in the 828 IPv6 header before passing the packet up to the ULP. The result 829 is that from the perspective of the ULP the packet passes 830 unmodified end-to-end, even though the IP routing infrastructure 831 sends the packet to a different locator. 833 o The shim (un)reachability detection will monitor the new locator 834 pair as it monitored the original locator pair, so that subsequent 835 failures can be detected. 837 o In addition to failures detected based on end-to-end observations, 838 one endpoint might know for certain that one or more of its 839 locators is not working. For instance, the network interface 840 might have failed or gone down (at layer 2), or an IPv6 address 841 might have become deprecated or invalid. In such cases the host 842 can signal its peer that this address is no longer recommended to 843 try. This triggers something similar to a failure handling and a 844 new working locator pair must be found. 846 The protocol also has the ability to express other forms of 847 locator preferences. A change in any preferences can be signaled 848 to the peer, which will have made the peer record the new 849 preferences. A change in the preferences might optionally make 850 the peer want to use a different locator pair. In this case, the 851 peer follows the same locator switching procedure as after a 852 failure (by verifying that its peer is indeed present at the 853 alternate locator, etc). 855 o When the shim thinks that the context state is no longer used, it 856 can garbage collect the state; there is no coordination necessary 857 with the peer host before the state is removed. There is a 858 recovery message defined to be able to signal when there is no 859 context state, which can be used to detect and recover from both 860 premature garbage collection, as well as complete state loss 861 (crash and reboot) of a peer. 863 The exact mechanism to determine when the context state is no 864 longer used is implementation dependent. For example, an 865 implementation might use the existence of ULP state (where known 866 to the implementation) as an indication that the state is still 867 used, combined with a timer (to handle ULP state that might not be 868 known to the shim sub-layer) to determine when the state is likely 869 to no longer be used. 871 NOTE 1: The ULP packets in Shim6 can be carried completely unmodified 872 as long as the ULID pair is used as the locator pair. After a switch 873 to a different locator pair the packets are "tagged" with a Shim6 874 extension header, so that the receiver can always determine the 875 context to which they belong. This is accomplished by including an 876 8-octet Shim6 Payload Extension header before the (extension) headers 877 that are processed by the IP endpoint sublayer and ULPs. If 878 subsequently the original ULIDs are selected as the active locator 879 pair then the tagging of packets with the Shim6 extension header is 880 no longer necessary. 882 4.1. Context Tags 884 A context between two hosts is actually a context between two ULIDs. 885 The context is identified by a pair of context tags. Each end gets 886 to allocate a context tag, and once the context is established, most 887 Shim6 control messages contain the context tag that the receiver of 888 the message allocated. Thus at a minimum the combination of have to uniquely identify one 890 context. But since the Payload extension headers are demultiplexed 891 without looking at the locators in the packet, the receiver will need 892 to allocate context tags that are unique for all its contexts. The 893 context tag is a 47-bit number (the largest which can fit in an 894 8-octet extension header), while preserving one bit to differentiate 895 the Shim6 signalling messages from the Shim6 header included in data 896 packets, allowing both to use the same protocol number. 898 The mechanism for detecting a loss of context state at the peer 899 assumes that the receiver can tell the packets that need locator 900 rewriting, even after it has lost all state (e.g., due to a crash 901 followed by a reboot). This is achieved because after a rehoming 902 event the packets that need receive-side rewriting, carry the Payload 903 extension header. 905 4.2. Context Forking 907 It has been asserted that it will be important for future ULPs, in 908 particular, future transport protocols, to be able to control which 909 locator pairs are used for different communication. For instance, 910 host A and host B might communicate using both VoIP traffic and ftp 911 traffic, and those communications might benefit from using different 912 locator pairs. However, the basic Shim6 mechanism uses a single 913 current locator pair for each context, thus a single context cannot 914 accomplish this. 916 For this reason, the Shim6 protocol supports the notion of context 917 forking. This is a mechanism by which a ULP can specify (using some 918 API not yet defined) that a context for e.g., the ULID pair 919 should be forked into two contexts. In this case the forked-off 920 context will be assigned a non-zero Forked Instance Identifier, while 921 the default context has FII zero. 923 The Forked Instance Identifier (FII) is a 32-bit identifier which has 924 no semantics in the protocol other then being part of the tuple which 925 identifies the context. For example, a host might allocate FIIs as 926 sequential numbers for any given ULID pair. 928 No other special considerations are needed in the Shim6 protocol to 929 handle forked contexts. 931 Note that forking as specified does NOT allow A to be able to tell B 932 that certain traffic (a 5-tuple?) should be forked for the reverse 933 direction. The Shim6 forking mechanism as specified applies only to 934 the sending of ULP packets. If some ULP wants to fork for both 935 directions, it is up to the ULP to set this up, and then instruct the 936 shim at each end to transmit using the forked context. 938 4.3. API Extensions 940 Several API extensions have been discussed for Shim6, but their 941 actual specification is out of scope for this document. The simplest 942 one would be to add a socket option to be able to have traffic bypass 943 the shim (not create any state, and not use any state created by 944 other traffic). This could be an IPV6_DONTSHIM socket option. Such 945 an option would be useful for protocols, such as DNS, where the 946 application has its own failover mechanism (multiple NS records in 947 the case of DNS) and using the shim could potentially add extra 948 latency with no added benefits. 950 Some other API extensions are discussed in Appendix A. The actual 951 API extensions are defined in [22]. 953 4.4. Securing Shim6 955 The mechanisms are secured using a combination of techniques: 957 o The HBA technique [3] for verifying the locators to prevent an 958 attacker from redirecting the packet stream to somewhere else. 960 o Requiring a Reachability Probe+Reply /defined in [4]) before a new 961 locator is used as the destination, in order to prevent 3rd party 962 flooding attacks. 964 o The first message does not create any state on the responder. 965 Essentially a 3-way exchange is required before the responder 966 creates any state. This means that a state-based DoS attack 967 (trying to use up all of memory on the responder) at least 968 provides an IPv6 address that the attacker was using. 970 o The context establishment messages use nonces to prevent replay 971 attacks, and to prevent off-path attackers from interfering with 972 the establishment. 974 o Every control message of the Shim6 protocol, past the context 975 establishment, carry the context tag assigned to the particular 976 context. This implies that an attacker needs to discover that 977 context tag before being able to spoof any Shim6 control message. 978 Such discovery probably requires any potential attacker to be 979 along the path in order to be sniff the context tag value. The 980 result is that through this technique, the Shim6 protocol is 981 protected against off-path attackers. 983 4.5. Overview of Shim Control Messages 985 The Shim6 context establishment is accomplished using four messages; 986 I1, R1, I2, R2. Normally they are sent in that order from initiator 987 and responder, respectively. Should both ends attempt to set up 988 context state at the same time (for the same ULID pair), then their 989 I1 messages might cross in flight, and result in an immediate R2 990 message. [The names of these messages are borrowed from HIP [19].] 992 R1bis and I2bis messages are defined, which are used to recover a 993 context after it has been lost. A R1bis message is sent when a Shim6 994 control or Payload extension header arrives and there is no matching 995 context state at the receiver. When such a message is received, it 996 will result in the re-creation of the Shim6 context using the I2bis 997 and R2 messages. 999 The peers' lists of locators are normally exchanged as part of the 1000 context establishment exchange. But the set of locators might be 1001 dynamic. For this reason there are Update Request and Update 1002 Acknowledgement messages, and a Locator List option. 1004 Even when the list of locators is fixed, a host might determine that 1005 some preferences might have changed. For instance, it might 1006 determine that there is a locally visible failure that implies that 1007 some locator(s) are no longer usable. This uses a Locator 1008 Preferences option in the Update Request message. 1010 The mechanism for (un)reachability detection is called Forced 1011 Bidirectional Communication (FBD). FBD uses a Keepalive message 1012 which is sent when a host has received packets from its peer but has 1013 not yet sent any packets from its ULP to the peer. The message type 1014 is reserved in this document, but the message format and processing 1015 rules are specified in [4]. 1017 In addition, when the context is established and there is a 1018 subsequent failure there needs to be a way to probe the set of 1019 locator pairs to efficiently find a working pair. This document 1020 reserves a Probe message type, with the packet format and processing 1021 rules specified in [4]. 1023 The above probe and keepalive messages assume we have an established 1024 ULID-pair context. However, communication might fail during the 1025 initial contact (that is, when the application or transport protocol 1026 is trying to setup some communication). This is handled using the 1027 mechanisms in the ULP to try different address pairs as specified in 1028 [7] [8]. In the future versions of the protocol, and with a richer 1029 API between the ULP and the shim, the shim might be help optimize 1030 discovering a working locator pair during initial contact. This is 1031 for further study. 1033 4.6. Extension Header Order 1035 Since the shim is placed between the IP endpoint sub-layer and the IP 1036 routing sub-layer, the shim header will be placed before any endpoint 1037 extension headers (fragmentation headers, destination options header, 1038 AH, ESP), but after any routing related headers (hop-by-hop 1039 extensions header, routing header, a destinations options header 1040 which precedes a routing header). When tunneling is used, whether 1041 IP-in-IP tunneling or the special form of tunneling that Mobile IPv6 1042 uses (with Home Address Options and Routing header type 2), there is 1043 a choice whether the shim applies inside the tunnel or outside the 1044 tunnel, which affects the location of the Shim6 header. 1046 In most cases IP-in-IP tunnels are used as a routing technique, thus 1047 it makes sense to apply them on the locators which means that the 1048 sender would insert the Shim6 header after any IP-in-IP 1049 encapsulation; this is what occurs naturally when routers apply IP- 1050 in-IP encapsulation. Thus the packets would have: 1052 o Outer IP header 1054 o Inner IP header 1056 o Shim6 extension header (if needed) 1058 o ULP 1059 But the shim can also be used to create "shimmed tunnels" i.e., where 1060 an IP-in-IP tunnel uses the shim to be able to switch the tunnel 1061 endpoint addresses between different locators. In such a case the 1062 packets would have: 1064 o Outer IP header 1066 o Shim6 extension header (if needed) 1068 o Inner IP header 1070 o ULP 1072 In any case, the receiver behavior is well-defined; a receiver 1073 processes the extension headers in order. However, the precise 1074 interaction between Mobile IPv6 and Shim6 is for further study, but 1075 it might make sense to have Mobile IPv6 operate on locators as well, 1076 meaning that the shim would be layered on top of the MIPv6 mechanism. 1078 5. Message Formats 1080 The Shim6 messages are all carried using a new IP protocol number [to 1081 be assigned by IANA]. The Shim6 messages have a common header, 1082 defined below, with some fixed fields, followed by type specific 1083 fields. 1085 The Shim6 messages are structured as an IPv6 extension header since 1086 the Payload extension header is used to carry the ULP packets after a 1087 locator switch. The Shim6 control messages use the same extension 1088 header formats so that a single "protocol number" needs to be allowed 1089 through firewalls in order for Shim6 to function across the firewall. 1091 5.1. Common Shim6 Message Format 1093 The first 17 bits of the Shim6 header is common for the Payload 1094 extension header and the control messages and looks as follows: 1096 0 1 1097 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 1098 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1099 | Next Header | Hdr Ext Len |P| 1100 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1102 Fields: 1104 Next Header: The payload which follows this header. 1106 Hdr Ext Len: 8-bit unsigned integer. Length of the Shim6 header in 1107 8-octet units, not including the first 8 octets. 1109 P: A single bit to distinguish Payload extension headers 1110 from control messages. 1112 Shim6 signalling packets may not be larger than 1280 bytes, including 1113 the IPv6 header and any intermediate headers between the IPv6 header 1114 and the Shim6 header. One way to meet this requirement is to omit 1115 part of the locator address information if with this information 1116 included, the packet would become larger than 1280 bytes. Another 1117 option is to perform option engineering, dividing into different 1118 Shim6 messages the information to be transmitted. An implementation 1119 may impose administrative restrictions to avoid excessively large 1120 Shim6 packets, such as a limitation on the number of locators to be 1121 used. 1123 5.2. Payload Extension Header Format 1125 The payload extension headers is used to carry ULP packets where the 1126 receiver must replace the content of the source and/or destination 1127 fields in the IPv6 header before passing the packet to the ULP. Thus 1128 this extension header is required when the locators pair that is used 1129 is not the same as the ULID pair. 1131 0 1 2 3 1132 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1133 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1134 | Next Header | 0 |1| | 1135 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1136 | Receiver Context Tag | 1137 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1139 Fields: 1141 Next Header: The payload which follows this header. 1143 Hdr Ext Len: 0 (since the header is 8 octets). 1145 P: Set to one. A single bit to distinguish this from the 1146 Shim6 control messages. 1148 Receiver Context Tag: 47-bit unsigned integer. Allocated by the 1149 receiver for use to identify the context. 1151 5.3. Common Shim6 Control header 1153 The common part of the header has a next header and header extension 1154 length field which is consistent with the other IPv6 extension 1155 headers, even if the next header value is always "NO NEXT HEADER" for 1156 the control messages. 1158 The Shim6 headers must be a multiple of 8 octets, hence the minimum 1159 size is 8 octets. 1161 The common shim control message header is as follows: 1163 0 1 2 3 1164 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1165 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1166 | Next Header | Hdr Ext Len |P| Type |Type-specific|S| 1167 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1168 | Checksum | | 1169 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1170 | Type-specific format | 1171 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1173 Fields: 1175 Next Header: 8-bit selector. Normally set to NO_NXT_HDR (59). 1177 Hdr Ext Len: 8-bit unsigned integer. Length of the Shim6 header in 1178 8-octet units, not including the first 8 octets. 1180 P: Set to zero. A single bit to distinguish this from 1181 the Shim6 payload extension header. 1183 Type: 7-bit unsigned integer. Identifies the actual message 1184 from the table below. Type codes 0-63 will not 1185 trigger R1bis messages on a missing context, while 64- 1186 127 will trigger R1bis. 1188 S: A single bit set to zero which allows Shim6 and HIP to 1189 have a common header format yet telling Shim6 and HIP 1190 messages apart. 1192 Checksum: 16-bit unsigned integer. The checksum is the 16-bit 1193 one's complement of the one's complement sum of the 1194 entire Shim6 header message starting with the Shim6 1195 next header field, and ending as indicated by the Hdr 1196 Ext Len. Thus when there is a payload following the 1197 Shim6 header, the payload is NOT included in the Shim6 1198 checksum. Note that unlike protocol like ICMPv6, 1199 there is no pseudo-header checksum part of the 1200 checksum, in order to provide locator agility without 1201 having to change the checksum. 1203 Type-specific: Part of message that is different for different 1204 message types. 1206 +------------+-----------------------------------------------------+ 1207 | Type Value | Message | 1208 +------------+-----------------------------------------------------+ 1209 | 1 | I1 (first establishment message from the initiator) | 1210 | | | 1211 | 2 | R1 (first establishment message from the responder) | 1212 | | | 1213 | 3 | I2 (2nd establishment message from the initiator) | 1214 | | | 1215 | 4 | R2 (2nd establishment message from the responder) | 1216 | | | 1217 | 5 | R1bis (Reply to reference to non-existent context) | 1218 | | | 1219 | 6 | I2bis (Reply to a R1bis message) | 1220 | | | 1221 | 64 | Update Request | 1222 | | | 1223 | 65 | Update Acknowledgement | 1224 | | | 1225 | 66 | Keepalive | 1226 | | | 1227 | 67 | Probe Message | 1228 | | | 1229 | 68 | Error Message | 1230 +------------+-----------------------------------------------------+ 1232 Table 1 1234 5.4. I1 Message Format 1236 The I1 message is the first message in the context establishment 1237 exchange. 1239 0 1 2 3 1240 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1241 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1242 | 59 | Hdr Ext Len |0| Type = 1 | Reserved1 |0| 1243 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1244 | Checksum |R| | 1245 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1246 | Initiator Context Tag | 1247 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1248 | Initiator Nonce | 1249 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1250 | | 1251 + Options + 1252 | | 1253 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1254 Fields: 1256 Next Header: NO_NXT_HDR (59). 1258 Hdr Ext Len: At least 1, since the header is 16 octets when there 1259 are no options. 1261 Type: 1 1263 Reserved1: 7-bit field. Reserved for future use. Zero on 1264 transmit. MUST be ignored on receipt. 1266 R: 1-bit field. Reserved for future use. Zero on 1267 transmit. MUST be ignored on receipt. 1269 Initiator Context Tag: 47-bit field. The Context Tag the initiator 1270 has allocated for the context. 1272 Initiator Nonce: 32-bit unsigned integer. A random number picked by 1273 the initiator which the responder will return in the 1274 R1 message. 1276 The following options are defined for this message: 1278 ULID pair: When the IPv6 source and destination addresses in the 1279 IPv6 header does not match the ULID pair, this option 1280 MUST be included. An example of this is when 1281 recovering from a lost context. 1283 Forked Instance Identifier: When another instance of an existent 1284 context with the same ULID pair is being created, a 1285 Forked Instance Identifier option MUST be included to 1286 distinguish this new instance from the existent one. 1288 Future protocol extensions might define additional options for this 1289 message. The C-bit in the option format defines how such a new 1290 option will be handled by an implementation. See Section 5.15. 1292 5.5. R1 Message Format 1294 The R1 message is the second message in the context establishment 1295 exchange. The responder sends this in response to an I1 message, 1296 without creating any state specific to the initiator. 1298 0 1 2 3 1299 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1300 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1301 | 59 | Hdr Ext Len |0| Type = 2 | Reserved1 |0| 1302 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1303 | Checksum | Reserved2 | 1304 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1305 | Initiator Nonce | 1306 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1307 | Responder Nonce | 1308 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1309 | | 1310 + Options + 1311 | | 1312 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1314 Fields: 1316 Next Header: NO_NXT_HDR (59). 1318 Hdr Ext Len: At least 1, since the header is 16 octets when there 1319 are no options. 1321 Type: 2 1323 Reserved1: 7-bit field. Reserved for future use. Zero on 1324 transmit. MUST be ignored on receipt. 1326 Reserved2: 16-bit field. Reserved for future use. Zero on 1327 transmit. MUST be ignored on receipt. 1329 Initiator Nonce: 32-bit unsigned integer. Copied from the I1 1330 message. 1332 Responder Nonce: 32-bit unsigned integer. A number picked by the 1333 responder which the initiator will return in the I2 1334 message. 1336 The following options are defined for this message: 1338 Responder Validator: Variable length option. This option MUST be 1339 included in the R1 message. Typically it contains a 1340 hash generated by the responder, which the responder 1341 uses together with the Responder Nonce value to verify 1342 that an I2 message is indeed sent in response to a R1 1343 message, and that the parameters in the I2 message are 1344 the same as those in the I1 message. 1346 Future protocol extensions might define additional options for this 1347 message. The C-bit in the option format defines how such a new 1348 option will be handled by an implementation. See Section 5.15. 1350 5.6. I2 Message Format 1352 The I2 message is the third message in the context establishment 1353 exchange. The initiator sends this in response to a R1 message, 1354 after checking the Initiator Nonce, etc. 1356 0 1 2 3 1357 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1358 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1359 | 59 | Hdr Ext Len |0| Type = 3 | Reserved1 |0| 1360 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1361 | Checksum |R| | 1362 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1363 | Initiator Context Tag | 1364 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1365 | Initiator Nonce | 1366 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1367 | Responder Nonce | 1368 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1369 | Reserved2 | 1370 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1371 | | 1372 + Options + 1373 | | 1374 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1376 Fields: 1378 Next Header: NO_NXT_HDR (59). 1380 Hdr Ext Len: At least 2, since the header is 24 octets when there 1381 are no options. 1383 Type: 3 1385 Reserved1: 7-bit field. Reserved for future use. Zero on 1386 transmit. MUST be ignored on receipt. 1388 R: 1-bit field. Reserved for future use. Zero on 1389 transmit. MUST be ignored on receipt. 1391 Initiator Context Tag: 47-bit field. The Context Tag the initiator 1392 has allocated for the context. 1394 Initiator Nonce: 32-bit unsigned integer. A random number picked by 1395 the initiator which the responder will return in the 1396 R2 message. 1398 Responder Nonce: 32-bit unsigned integer. Copied from the R1 1399 message. 1401 Reserved2: 32-bit field. Reserved for future use. Zero on 1402 transmit. MUST be ignored on receipt. (Needed to 1403 make the options start on a multiple of 8 octet 1404 boundary.) 1406 The following options are defined for this message: 1408 Responder Validator: Variable length option. This option MUST be 1409 included in the I2 message and MUST be generated 1410 copying the Responder Validator option received in the 1411 R1 message. 1413 ULID pair: When the IPv6 source and destination addresses in the 1414 IPv6 header does not match the ULID pair, this option 1415 MUST be included. An example of this is when 1416 recovering from a lost context. 1418 Forked Instance Identifier: When another instance of an existent 1419 context with the same ULID pair is being created, a 1420 Forked Instance Identifier option MUST be included to 1421 distinguish this new instance from the existent one. 1423 Locator list: Optionally sent when the initiator immediately wants 1424 to tell the responder its list of locators. When it 1425 is sent, the necessary HBA/CGA information for 1426 verifying the locator list MUST also be included. 1428 Locator Preferences: Optionally sent when the locators don't all 1429 have equal preference. 1431 CGA Parameter Data Structure: This option MUST be included in the I2 1432 message when the locator list is included so the 1433 receiver can verify the locator list. 1435 CGA Signature: This option MUST be included in the I2 message when 1436 some of the locators in the list use CGA (and not HBA) 1437 for verification. 1439 Future protocol extensions might define additional options for this 1440 message. The C-bit in the option format defines how such a new 1441 option will be handled by an implementation. See Section 5.15. 1443 5.7. R2 Message Format 1445 The R2 message is the fourth message in the context establishment 1446 exchange. The responder sends this in response to an I2 message. 1447 The R2 message is also used when both hosts send I1 messages at the 1448 same time and the I1 messages cross in flight. 1450 0 1 2 3 1451 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1452 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1453 | 59 | Hdr Ext Len |0| Type = 4 | Reserved1 |0| 1454 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1455 | Checksum |R| | 1456 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1457 | Responder Context Tag | 1458 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1459 | Initiator Nonce | 1460 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1461 | | 1462 + Options + 1463 | | 1464 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1466 Fields: 1468 Next Header: NO_NXT_HDR (59). 1470 Hdr Ext Len: At least 1, since the header is 16 octets when there 1471 are no options. 1473 Type: 4 1475 Reserved1: 7-bit field. Reserved for future use. Zero on 1476 transmit. MUST be ignored on receipt. 1478 R: 1-bit field. Reserved for future use. Zero on 1479 transmit. MUST be ignored on receipt. 1481 Responder Context Tag: 47-bit field. The Context Tag the responder 1482 has allocated for the context. 1484 Initiator Nonce: 32-bit unsigned integer. Copied from the I2 1485 message. 1487 The following options are defined for this message: 1489 Locator List: Optionally sent when the responder immediately wants 1490 to tell the initiator its list of locators. When it 1491 is sent, the necessary HBA/CGA information for 1492 verifying the locator list MUST also be included. 1494 Locator Preferences: Optionally sent when the locators don't all 1495 have equal preference. 1497 CGA Parameter Data Structure: Included when the locator list is 1498 included so the receiver can verify the locator list. 1500 CGA Signature: Included when the some of the locators in the list use 1501 CGA (and not HBA) for verification. 1503 Future protocol extensions might define additional options for this 1504 message. The C-bit in the option format defines how such a new 1505 option will be handled by an implementation. See Section 5.15. 1507 5.8. R1bis Message Format 1509 Should a host receive a packet with a shim Payload extension header 1510 or Shim6 control message with type code 64-127 (such as an Update or 1511 Probe message), and the host does not have any context state for the 1512 received context tag, then it will generate a R1bis message. 1514 This message allows the sender of the packet referring to the non- 1515 existent context to re-establish the context with a reduced context 1516 establishment exchange. Upon the reception of the R1bis message, the 1517 receiver can proceed reestablishing the lost context by directly 1518 sending an I2bis message. 1520 0 1 2 3 1521 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1522 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1523 | 59 | Hdr Ext Len |0| Type = 5 | Reserved1 |0| 1524 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1525 | Checksum |R| | 1526 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1527 | Packet Context Tag | 1528 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1529 | Responder Nonce | 1530 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1531 | | 1532 + Options + 1533 | | 1534 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1536 Fields: 1538 Next Header: NO_NXT_HDR (59). 1540 Hdr Ext Len: At least 1, since the header is 16 octets when there 1541 are no options. 1543 Type: 5 1545 Reserved1: 7-bit field. Reserved for future use. Zero on 1546 transmit. MUST be ignored on receipt. 1548 R: 1-bit field. Reserved for future use. Zero on 1549 transmit. MUST be ignored on receipt. 1551 Packet Context Tag: 47-bit unsigned integer. The context tag 1552 contained in the received packet that triggered the 1553 generation of the R1bis message. 1555 Responder Nonce: 32-bit unsigned integer. A number picked by the 1556 responder which the initiator will return in the I2bis 1557 message. 1559 The following options are defined for this message: 1561 Responder Validator: Variable length option. Typically a hash 1562 generated by the responder, which the responder uses 1563 together with the Responder Nonce value to verify that 1564 an I2bis message is indeed sent in response to a R1bis 1565 message. 1567 Future protocol extensions might define additional options for this 1568 message. The C-bit in the option format defines how such a new 1569 option will be handled by an implementation. See Section 5.15. 1571 5.9. I2bis Message Format 1573 The I2bis message is the third message in the context recovery 1574 exchange. This is sent in response to a R1bis message, after 1575 checking that the R1bis message refers to an existing context, etc. 1577 0 1 2 3 1578 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1579 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1580 | 59 | Hdr Ext Len |0| Type = 6 | Reserved1 |0| 1581 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1582 | Checksum |R| | 1583 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1584 | Initiator Context Tag | 1585 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1586 | Initiator Nonce | 1587 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1588 | Responder Nonce | 1589 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1590 | Reserved2 | 1591 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1592 | | | 1593 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1594 | Packet Context Tag | 1595 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1596 | | 1597 + Options + 1598 | | 1599 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1601 Fields: 1603 Next Header: NO_NXT_HDR (59). 1605 Hdr Ext Len: At least 3, since the header is 32 octets when there 1606 are no options. 1608 Type: 6 1610 Reserved1: 7-bit field. Reserved for future use. Zero on 1611 transmit. MUST be ignored on receipt. 1613 R: 1-bit field. Reserved for future use. Zero on 1614 transmit. MUST be ignored on receipt. 1616 Initiator Context Tag: 47-bit field. The Context Tag the initiator 1617 has allocated for the context. 1619 Initiator Nonce: 32-bit unsigned integer. A random number picked by 1620 the initiator which the responder will return in the 1621 R2 message. 1623 Responder Nonce: 32-bit unsigned integer. Copied from the R1bis 1624 message. 1626 Reserved2: 49-bit field. Reserved for future use. Zero on 1627 transmit. MUST be ignored on receipt. (Note that 17 1628 bits are not sufficient since the options need start 1629 on a multiple of 8 octet boundary.) 1631 Packet Context Tag: 47-bit unsigned integer. Copied from the Packet 1632 Context Tag contained in the received R1bis. 1634 The following options are defined for this message: 1636 Responder Validator: Variable length option. Just a copy of the 1637 Responder Validator option in the R1bis message. 1639 ULID pair: When the IPv6 source and destination addresses in the 1640 IPv6 header does not match the ULID pair, this option 1641 MUST be included. 1643 Forked Instance Identifier: When another instance of an existent 1644 context with the same ULID pair is being created, a 1645 Forked Instance Identifier option is included to 1646 distinguish this new instance from the existent one. 1648 Locator list: Optionally sent when the initiator immediately wants 1649 to tell the responder its list of locators. When it 1650 is sent, the necessary HBA/CGA information for 1651 verifying the locator list MUST also be included. 1653 Locator Preferences: Optionally sent when the locators don't all 1654 have equal preference. 1656 CGA Parameter Data Structure: Included when the locator list is 1657 included so the receiver can verify the locator list. 1659 CGA Signature: Included when the some of the locators in the list use 1660 CGA (and not HBA) for verification. 1662 Future protocol extensions might define additional options for this 1663 message. The C-bit in the option format defines how such a new 1664 option will be handled by an implementation. See Section 5.15. 1666 5.10. Update Request Message Format 1668 The Update Request Message is used to update either the list of 1669 locators, the locator preferences, and both. When the list of 1670 locators is updated, the message also contains the option(s) 1671 necessary for HBA/CGA to secure this. The basic sanity check that 1672 prevents off-path attackers from generating bogus updates is the 1673 context tag in the message. 1675 The update message contains options (the Locator List and the Locator 1676 Preferences) that, when included, completely replace the previous 1677 locator list and locator preferences, respectively. Thus there is no 1678 mechanism to just send deltas to the locator list. 1680 0 1 2 3 1681 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1682 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1683 | 59 | Hdr Ext Len |0| Type = 64 | Reserved1 |0| 1684 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1685 | Checksum |R| | 1686 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1687 | Receiver Context Tag | 1688 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1689 | Request Nonce | 1690 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1691 | | 1692 + Options + 1693 | | 1694 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1696 Fields: 1698 Next Header: NO_NXT_HDR (59). 1700 Hdr Ext Len: At least 1, since the header is 16 octets when there 1701 are no options. 1703 Type: 64 1704 Reserved1: 7-bit field. Reserved for future use. Zero on 1705 transmit. MUST be ignored on receipt. 1707 R: 1-bit field. Reserved for future use. Zero on 1708 transmit. MUST be ignored on receipt. 1710 Receiver Context Tag: 47-bit field. The Context Tag the receiver 1711 has allocated for the context. 1713 Request Nonce: 32-bit unsigned integer. A random number picked by 1714 the initiator which the peer will return in the 1715 acknowledgement message. 1717 The following options are defined for this message: 1719 Locator List: The list of the sender's (new) locators. The locators 1720 might be unchanged and only the preferences have 1721 changed. 1723 Locator Preferences: Optionally sent when the locators don't all 1724 have equal preference. 1726 CGA Parameter Data Structure (PDS): Included when the locator list 1727 is included and the PDS was not included in the I2/ 1728 I2bis/R2 messages, so the receiver can verify the 1729 locator list. 1731 CGA Signature: Included when the some of the locators in the list use 1732 CGA (and not HBA) for verification. 1734 Future protocol extensions might define additional options for this 1735 message. The C-bit in the option format defines how such a new 1736 option will be handled by an implementation. See Section 5.15. 1738 5.11. Update Acknowledgement Message Format 1740 This message is sent in response to a Update Request message. It 1741 implies that the Update Request has been received, and that any new 1742 locators in the Update Request can now be used as the source locators 1743 of packets. But it does not imply that the (new) locators have been 1744 verified to be used as a destination, since the host might defer the 1745 verification of a locator until it sees a need to use a locator as 1746 the destination. 1748 0 1 2 3 1749 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1750 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1751 | 59 | Hdr Ext Len |0| Type = 65 | Reserved1 |0| 1752 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1753 | Checksum |R| | 1754 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 1755 | Receiver Context Tag | 1756 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1757 | Request Nonce | 1758 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1759 | | 1760 + Options + 1761 | | 1762 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1764 Fields: 1766 Next Header: NO_NXT_HDR (59). 1768 Hdr Ext Len: At least 1, since the header is 16 octets when there 1769 are no options. 1771 Type: 65 1773 Reserved1: 7-bit field. Reserved for future use. Zero on 1774 transmit. MUST be ignored on receipt. 1776 R: 1-bit field. Reserved for future use. Zero on 1777 transmit. MUST be ignored on receipt. 1779 Receiver Context Tag: 47-bit field. The Context Tag the receiver 1780 has allocated for the context. 1782 Request Nonce: 32-bit unsigned integer. Copied from the Update 1783 Request message. 1785 No options are currently defined for this message. 1787 Future protocol extensions might define additional options for this 1788 message. The C-bit in the option format defines how such a new 1789 option will be handled by an implementation. See Section 5.15. 1791 5.12. Keepalive Message Format 1793 This message format is defined in [4]. 1795 The message is used to ensure that when a peer is sending ULP packets 1796 on a context, it always receives some packets in the reverse 1797 direction. When the ULP is sending bidirectional traffic, no extra 1798 packets need to be inserted. But for a unidirectional ULP traffic 1799 pattern, the shim will send back some Keepalive messages when it is 1800 receiving ULP packets. 1802 5.13. Probe Message Format 1804 This message and its semantics are defined in [4]. 1806 The goal of this mechanism is to test whether locator pairs work or 1807 not in the general case. In particular, this mechanism is to be able 1808 to handle the case when one locator pair works in from A to B, and 1809 another locator pair works from B to A, but there is no locator pair 1810 which works in both directions. The protocol mechanism is that as A 1811 is sending probe messages to B, B will observe which locator pairs it 1812 has received from and report that back in probe messages it is 1813 sending to A. 1815 5.14. Error Message Format 1817 The Error Message is generated by a Shim6 receiver upon the reception 1818 of a Shim6 message containing critical information that cannot be 1819 processed properly. 1821 In the case that a Shim6 node receives a Shim6 packet which contains 1822 information that is critical for the Shim6 protocol that is not 1823 supported by the receiver, it sends an Error Message back to the 1824 originator of the Shim6 message. The Error Message is 1825 unacknowledged. 1827 In addition, Shim6 Error messages defined in this section can be used 1828 to identify problems with Shim6 implementations. In order to do 1829 that, a range of Error Code Types is reserved for that purpose. In 1830 particular, implementations may generate Shim6 Error messages with 1831 Code Type in that range instead of silently discarding Shim6 packets 1832 during the debugging process. 1834 0 1 2 3 1835 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1836 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1837 | 59 | Hdr Ext Len |0| Type = 68 | Error Code |0| 1838 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1839 | Checksum | Pointer | 1840 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1841 | | 1842 + Packet in error + 1843 | | 1844 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1846 Fields: 1848 Next Header: NO_NXT_HDR (59). 1850 Hdr Ext Len: At least 1, since the header is 16 octets. Depends on 1851 the specific Error Data. 1853 Type: 68 1855 Error Code: 7-bit field describing the error that generated the 1856 Error Message. See Error Code list below 1858 Pointer: 16-bit field.Identifies the octet offset within the 1859 invoking packet where the error was detected. 1861 Packet in error: As much of invoking packet as possible without the 1862 Error message packet exceeding the minimum IPv6 MTU. 1864 The following Error Codes are defined: 1866 +---------+---------------------------------------------------------+ 1867 | Code | Description | 1868 | Value | | 1869 +---------+---------------------------------------------------------+ 1870 | 0 | Unknown Shim6 message type | 1871 | | | 1872 | 1 | Critical Option not recognized | 1873 | | | 1874 | 2 | Locator verification method failed (Pointer to the | 1875 | | inconsistent Verification method octet) | 1876 | | | 1877 | 3 | Locator List Generation number out of sync. | 1878 | | | 1879 | 4 | Error in the number of locators in a Locator Preference | 1880 | | option | 1881 | | | 1882 | 120-127 | Reserved for debugging purposes | 1883 +---------+---------------------------------------------------------+ 1885 Table 2 1887 5.15. Option Formats 1889 The format of the options is a snapshot of the current HIP option 1890 format [19]. However, there is no intention to track any changes to 1891 the HIP option format, nor is there an intent to use the same name 1892 space for the option type values. But using the same format will 1893 hopefully make it easier to import HIP capabilities into Shim6 as 1894 extensions to Shim6, should this turn out to be useful. 1896 All of the TLV parameters have a length (including Type and Length 1897 fields) which is a multiple of 8 bytes. When needed, padding MUST be 1898 added to the end of the parameter so that the total length becomes a 1899 multiple of 8 bytes. This rule ensures proper alignment of data. If 1900 padding is added, the Length field MUST NOT include the padding. Any 1901 added padding bytes MUST be zeroed by the sender, and their values 1902 SHOULD NOT be checked by the receiver. 1904 Consequently, the Length field indicates the length of the Contents 1905 field (in bytes). The total length of the TLV parameter (including 1906 Type, Length, Contents, and Padding) is related to the Length field 1907 according to the following formula: 1909 Total Length = 11 + Length - (Length + 3) mod 8; 1911 The Total Length of the option is the smallest multiple of 8 bytes 1912 that allows for the 4 bytes of option header and the option itself. 1913 The amount of padding required can be calculated as follows: 1915 padding = 7 - ((Length + 3) mod 8) 1917 And: 1919 Total Length = 4 + Length + padding 1921 0 1 2 3 1922 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 1923 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1924 | Type |C| Length | 1925 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1926 ~ ~ 1927 ~ Contents ~ 1928 ~ +-+-+-+-+-+-+-+-+ 1929 ~ | Padding | 1930 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 1932 Fields: 1934 Type: 15-bit identifier of the type of option. The options 1935 defined in this document are below. 1937 C: Critical. One if this parameter is critical, and MUST 1938 be recognized by the recipient, zero otherwise. An 1939 implementation might view the C bit as part of the 1940 Type field, by multiplying the type values in this 1941 specification by two. 1943 Length: Length of the Contents, in bytes. 1945 Contents: Parameter specific, defined by Type. 1947 Padding: Padding, 0-7 bytes, added if needed. 1949 +------+------------------------------+ 1950 | Type | Option Name | 1951 +------+------------------------------+ 1952 | 1 | Responder Validator | 1953 | | | 1954 | 2 | Locator List | 1955 | | | 1956 | 3 | Locator Preferences | 1957 | | | 1958 | 4 | CGA Parameter Data Structure | 1959 | | | 1960 | 5 | CGA Signature | 1961 | | | 1962 | 6 | ULID Pair | 1963 | | | 1964 | 7 | Forked Instance Identifier | 1965 | | | 1966 | 10 | Keepalive Timeout Option | 1967 +------+------------------------------+ 1969 Table 3 1971 Future protocol extensions might define additional options for the 1972 Shim6 messages. The C-bit in the option format defines how such a 1973 new option will be handled by an implementation. 1975 If a host receives an option that it does not understand (an option 1976 that was defined in some future extension to this protocol) or is not 1977 listed as a valid option for the different message types above, then 1978 the Critical bit in the option determines the outcome. 1980 o If C=0 then the option is silently ignored, and the rest of the 1981 message is processed. 1983 o If C=1 then the host SHOULD send back a Shim6 Error Message with 1984 Error Code=1, with the Pointer referencing the first octet in the 1985 Option Type field. When C=1 the rest of the message MUST NOT be 1986 processed. 1988 5.15.1. Responder Validator Option Format 1990 The responder can choose exactly what input is used to compute the 1991 validator, and what one-way function (such as MD5, SHA1) it uses, as 1992 long as the responder can check that the validator it receives back 1993 in the I2 or I2bis message is indeed one that: 1995 1)- it computed, 1997 2)- it computed for the particular context, and 1999 3)- that it isn't a replayed I2/I2bis message. 2001 Some suggestions on how to generate the validators are captured in 2002 Section 7.10.1 and Section 7.17.1. 2004 0 1 2 3 2005 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2006 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2007 | Type = 1 |0| Length | 2008 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2009 ~ Validator ~ 2010 ~ +-+-+-+-+-+-+-+-+ 2011 ~ | Padding | 2012 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2014 Fields: 2016 Validator: Variable length content whose interpretation is local 2017 to the responder. 2019 Padding: Padding, 0-7 bytes, added if needed. See 2020 Section 5.15. 2022 5.15.2. Locator List Option Format 2024 The Locator List Option is used to carry all the locators of the 2025 sender. Note that the order of the locators is important, since the 2026 Locator Preferences refers to the locators by using the index in the 2027 list. 2029 Note that we carry all the locators in this option even though some 2030 of them can be created automatically from the CGA Parameter Data 2031 Structure. 2033 0 1 2 3 2034 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2035 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2036 | Type = 2 |0| Length | 2037 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2038 | Locator List Generation | 2039 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2040 | Num Locators | N Octets of Verification Method | 2041 +-+-+-+-+-+-+-+-+ | 2042 ~ ~ 2043 ~ +-+-+-+-+-+-+-+-+ 2044 ~ | Padding | 2045 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2046 ~ Locators 1 through N ~ 2047 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2049 Fields: 2051 Locator List Generation: 32-bit unsigned integer. Indicates a 2052 generation number which is increased by one for each 2053 new locator list. This is used to ensure that the 2054 index in the Locator Preferences refer to the right 2055 version of the locator list. 2057 Num Locators: 8-bit unsigned integer. The number of locators that 2058 are included in the option. We call this number "N" 2059 below. 2061 Verification Method: N octets. The i'th octet specifies the 2062 verification method for the i'th locator. 2064 Padding: Padding, 0-7 bytes, added if needed so that the 2065 Locators start on a multiple of 8 octet boundary. 2066 NOTE that for this option there is never a need to pad 2067 at the end, since the locators are a multiple of 8 2068 octets in length. This internal padding is included 2069 in the length field. 2071 Locators: N 128-bit locators. 2073 The defined verification methods are: 2075 +-------+----------+ 2076 | Value | Method | 2077 +-------+----------+ 2078 | 0 | Reserved | 2079 | | | 2080 | 1 | HBA | 2081 | | | 2082 | 2 | CGA | 2083 | | | 2084 | 3-255 | Reserved | 2085 +-------+----------+ 2087 Table 4 2089 5.15.3. Locator Preferences Option Format 2091 The Locator Preferences option can have some flags to indicate 2092 whether or not a locator is known to work. In addition, the sender 2093 can include a notion of preferences. It might make sense to define 2094 "preferences" as a combination of priority and weight the same way 2095 that DNS SRV records has such information. The priority would 2096 provide a way to rank the locators, and within a given priority, the 2097 weight would provide a way to do some load sharing. See [5] for how 2098 SRV defines the interaction of priority and weight. 2100 The minimum notion of preferences we need is to be able to indicate 2101 that a locator is "dead". We can handle this using a single octet 2102 flag for each locator. 2104 We can extend that by carrying a larger "element" for each locator. 2105 This document presently also defines 2-octet and 3-octet elements, 2106 and we can add more information by having even larger elements if 2107 need be. 2109 The locators are not included in the preference list. Instead, the 2110 first element refers to locator that was in the first element in the 2111 Locator List option. The generation number carried in this option 2112 and the Locator List option is used to verify that they refer to the 2113 same version of the locator list. 2115 0 1 2 3 2116 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2117 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2118 | Type = 3 |0| Length | 2119 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2120 | Locator List Generation | 2121 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2122 | Element Len | Element[1] | Element[2] | Element[3] | 2123 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2124 ~ ... ~ 2125 ~ +-+-+-+-+-+-+-+-+ 2126 ~ | Padding | 2127 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2129 Case of Element Len = 1 is depicted. 2131 Fields: 2133 Locator List Generation: 32-bit unsigned integer. Indicates a 2134 generation number for the locator list to which the 2135 elements should apply. 2137 Element Len: 8-bit unsigned integer. The length in octets of each 2138 element. This specification defines the cases when 2139 the length is 1, 2, or 3. 2141 Element[i]: A field with a number of octets defined by the Element 2142 Len field. Provides preferences for the i'th locator 2143 in the Locator List option that is in use. 2145 Padding: Padding, 0-7 bytes, added if needed. See 2146 Section 5.15. 2148 When the Element length equals one, then the element consists of only 2149 a one octet flags field. The currently defined set of flags are: 2151 BROKEN: 0x01 2153 TRANSIENT: 0x02 2155 The intent of the BROKEN flag is to inform the peer that a given 2156 locator is known to be not working. The intent of TRANSIENT is to 2157 allow the distinction between more stable addresses and less stable 2158 addresses when Shim6 is combined with IP mobility, when we might have 2159 more stable home locators, and less stable care-of-locators. 2161 When the Element length equals two, then the element consists of a 1 2162 octet flags field followed by a 1 octet priority field. The priority 2163 has the same semantics as the priority in DNS SRV records. 2165 When the Element length equals three, then the element consists of a 2166 1 octet flags field followed by a 1 octet priority field, and a 1 2167 octet weight field. The weight has the same semantics as the weight 2168 in DNS SRV records. 2170 This document doesn't specify the format when the Element length is 2171 more than three, except that any such formats MUST be defined so that 2172 the first three octets are the same as in the above case, that is, a 2173 of a 1 octet flags field followed by a 1 octet priority field, and a 2174 1 octet weight field. 2176 5.15.4. CGA Parameter Data Structure Option Format 2178 This option contains the CGA Parameter Data Structure (PDS). When 2179 HBA is used to verify the locators, the PDS contains the HBA 2180 multiprefix extension in addition to the PDS mandatory fields and 2181 other extensions unrelated to Shim6 that the PDS might have. When 2182 CGA is used to verify the locators, in addition to the PDS option, 2183 the host also needs to include the signature in the form of a CGA 2184 Signature option. 2186 0 1 2 3 2187 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2188 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2189 | Type = 4 |0| Length | 2190 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2191 ~ CGA Parameter Data Structure ~ 2192 ~ +-+-+-+-+-+-+-+-+ 2193 ~ | Padding | 2194 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2196 Fields: 2198 CGA Parameter Data Structure: Variable length content. Content 2199 defined in [2] and [3]. 2201 Padding: Padding, 0-7 bytes, added if needed. See 2202 Section 5.15. 2204 5.15.5. CGA Signature Option Format 2206 When CGA is used for verification of one or more of the locators in 2207 the Locator List option, then the message in question will need to 2208 contain this option. 2210 0 1 2 3 2211 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2212 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2213 | Type = 5 |0| Length | 2214 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2215 ~ CGA Signature ~ 2216 ~ +-+-+-+-+-+-+-+-+ 2217 ~ | Padding | 2218 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2220 Fields: 2222 CGA Signature: A variable-length field containing a PKCS#1 v1.5 2223 signature, constructed by using the sender's private 2224 key over the following sequence of octets: 2226 1. The 128-bit CGA Message Type tag [CGA] value for 2227 Shim6, 0x4A 30 5662 4858 574B 3655 416F 506A 6D48. 2228 (The tag value has been generated randomly by the 2229 editor of this specification.). 2231 2. The Locator List Generation value of the 2232 correspondent Locator List Option. 2234 3. The subset of locators included in the 2235 correspondent Locator List Option which 2236 verification method is set to CGA. The locators 2237 MUST be included in the order they are listed in 2238 the Locator List Option. 2240 Padding: Padding, 0-7 bytes, added if needed. See 2241 Section 5.15. 2243 5.15.6. ULID Pair Option Format 2245 I1, I2, and I2bis messages MUST contain the ULID pair; normally this 2246 is in the IPv6 source and destination fields. In case that the ULID 2247 for the context differ from the address pair included in the source 2248 and destination address fields of the IPv6 packet used to carry the 2249 I1/I2/I2bis message, the ULID pair option MUST be included in the I1/ 2250 I2/I2bis message. 2252 0 1 2 3 2253 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2254 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2255 | Type = 6 |0| Length = 36 | 2256 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2257 | Reserved2 | 2258 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2259 | | 2260 + Sender ULID + 2261 | | 2262 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2263 | | 2264 + Receiver ULID + 2265 | | 2266 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2268 Fields: 2270 Reserved2: 32-bit field. Reserved for future use. Zero on 2271 transmit. MUST be ignored on receipt. (Needed to 2272 make the ULIDs start on a multiple of 8 octet 2273 boundary.) 2275 Sender ULID: A 128-bit IPv6 address. 2277 Receiver ULID: A 128-bit IPv6 address. 2279 5.15.7. Forked Instance Identifier Option Format 2281 0 1 2 3 2282 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2283 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2284 | Type = 7 |0| Length = 4 | 2285 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2286 | Forked Instance Identifier | 2287 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 2289 Fields: 2291 Forked Instance Identifier: 32-bit field containing the identifier 2292 of the particular forked instance. 2294 5.15.8. Keepalive Timeout Option Format 2296 This option is defined in [4]. 2298 6. Conceptual Model of a Host 2300 This section describes a conceptual model of one possible data 2301 structure organization that hosts will maintain for the purposes of 2302 Shim6. The described organization is provided to facilitate the 2303 explanation of how the Shim6 protocol should behave. This document 2304 does not mandate that implementations adhere to this model as long as 2305 their external behavior is consistent with that described in this 2306 document. 2308 6.1. Conceptual Data Structures 2310 The key conceptual data structure for the Shim6 protocol is the ULID 2311 pair context. This is a data structure which contains the following 2312 information: 2314 o The state of the context. See Section 6.2. 2316 o The peer ULID; ULID(peer) 2318 o The local ULID; ULID(local) 2320 o The Forked Instance Identifier; FII. This is zero for the default 2321 context i.e., when there is no forking. 2323 o The list of peer locators, with their preferences; Ls(peer) 2325 o The generation number for the most recently received, verified 2326 peer locator list. 2328 o For each peer locator, the verification method to use (from the 2329 Locator List option). 2331 o For each peer locator, a flag whether it has been verified using 2332 HBA or CGA, and a bit whether the locator has been probed to 2333 verify that the ULID is present at that location. 2335 o The current peer locator, is the locator used as destination 2336 address when sending packets; Lp(peer) 2338 o The set of local locators and the preferences; Ls(local) 2340 o The generation number for the most recently sent Locator List 2341 option. 2343 o The current local locator, is the locator used as source address 2344 when sending packets; Lp(local) 2346 o The context tag used to transmit control messages and payload 2347 extension headers - allocated by the peer; CT(peer) 2349 o The context to expect in received control messages and payload 2350 extension headers - allocated by the local host; CT(local) 2352 o Timers for retransmission of the messages during context 2353 establishment and update messages. 2355 o Depending how an implementation determines whether a context is 2356 still in use, there might be a need to track the last time a 2357 packet was sent/received using the context. 2359 o Reachability state for the locator pairs as specified in [4]. 2361 o During pair exploration, information about the probe messages that 2362 have been sent and received as specified in [4]. 2364 o During context establishment phase, Init Nonce, Responder Nonce, 2365 Responder Validator and timers related to the different packets 2366 sent (I1,I2, R2), as described in Section 7 2368 6.2. Context STATES 2370 The STATES that are used to describe the Shim6 protocol are as 2371 follows: 2373 +---------------------+---------------------------------------------+ 2374 | STATE | Explanation | 2375 +---------------------+---------------------------------------------+ 2376 | IDLE | State machine start | 2377 | | | 2378 | I1-SENT | Initiating context establishment exchange | 2379 | | | 2380 | I2-SENT | Waiting to complete context establishment | 2381 | | exchange | 2382 | | | 2383 | I2BIS-SENT | Potential context loss detected | 2384 | | | 2385 | | | 2386 | ESTABLISHED | SHIM context established | 2387 | | | 2388 | E-FAILED | Context establishment exchange failed | 2389 | | | 2390 | NO-SUPPORT | ICMP Unrecognized Next Header type | 2391 | | (type 4, code 1) received indicating | 2392 | | that Shim6 is not supported | 2393 +---------------------+---------------------------------------------+ 2394 In addition, in each of the aforementioned STATES, the following 2395 state information is stored: 2397 +---------------------+---------------------------------------------+ 2398 | STATE | Information | 2399 +---------------------+---------------------------------------------+ 2400 | IDLE | None | 2401 | | | 2402 | I1-SENT | ULID(peer), ULID(local), [FII], CT(local), | 2403 | | INIT nonce, Lp(local), Lp(peer), Ls(local) | 2404 | | | 2405 | I2-SENT | ULID(peer), ULID(local), [FII], CT(local), | 2406 | | INIT nonce, RESP nonce, Lp(local), Lp(peer),| 2407 | | Ls(local), Responder Validator | 2408 | | | 2409 | ESTABLISHED | ULID(peer), ULID(local), [FII], CT(local), | 2410 | | CT(peer), Lp(local), Lp(peer), Ls(local) | 2411 | | Ls(peer), INIT nonce?(to receive late R2) | 2412 | | | 2413 | I2BIS-SENT | ULID(peer), ULID(local), [FII], CT(local), | 2414 | | CT(peer), Lp(local), Lp(peer), Ls(local) | 2415 | | Ls(peer), CT(R1bis), RESP nonce, | 2416 | | INIT nonce, Responder validator | 2417 | | | 2418 | E-FAILED | ULID(peer), ULID(local) | 2419 | | | 2420 | NO-SUPPORT | ULID(peer), ULID(local) | 2421 +---------------------+---------------------------------------------+ 2423 7. Establishing ULID-Pair Contexts 2425 ULID-pair contexts are established using a 4-way exchange, which 2426 allows the responder to avoid creating state on the first packet. As 2427 part of this exchange each end allocates a context tag, and it shares 2428 this context tag and its set of locators with the peer. 2430 In some cases the 4-way exchange is not necessary, for instance when 2431 both ends try to setup the context at the same time, or when 2432 recovering from a context that has been garbage collected or lost at 2433 one of the hosts. 2435 7.1. Uniqueness of Context Tags 2437 As part of establishing a new context, each host has to assign a 2438 unique context tag. Since the Payload Extension headers are 2439 demultiplexed based solely on the context tag value (without using 2440 the locators), the context tag MUST be unique for each context. 2442 It is important that context tags are hard to guess for off-path 2443 attackers. Therefore, if an implementation uses structure in the 2444 context tag to facilitate efficient lookups, at least 30 bits of the 2445 context tag MUST be unstructured and populated by random or pseudo- 2446 random bits. 2448 In addition, in order to minimize the reuse of context tags, the host 2449 SHOULD randomly cycle through the unstructured tag name space 2450 reserved for randomly assigned context tag values,(e.g. following the 2451 guidelines described in [12]). 2453 7.2. Locator Verification 2455 The peer's locators might need to be verified during context 2456 establishment as well as when handling locator updates in Section 10. 2458 There are two separate aspects of locator verification. One is to 2459 verify that the locator is tied to the ULID, i.e., that the host 2460 which "owns" the ULID is also the one that is claiming the locator 2461 "ownership". The Shim6 protocol uses the HBA or CGA techniques for 2462 doing this verification. The other is to verify that the host is 2463 indeed reachable at the claimed locator. Such verification is needed 2464 both to make sure communication can proceed, but also to prevent 3rd 2465 party flooding attacks [14]. These different verifications happen at 2466 different times, since the first might need to be performed before 2467 packets can be received by the peer with the source locator in 2468 question, but the latter verification is only needed before packets 2469 are sent to the locator. 2471 Before a host can use a locator (different than the ULID) as the 2472 source locator, it must know that the peer will accept packets with 2473 that source locator as being part of this context. Thus the HBA/CGA 2474 verification SHOULD be performed by the host before the host 2475 acknowledges the new locator, by sending an Update Acknowledgement 2476 message, or an R2 message. 2478 Before a host can use a locator (different than the ULID) as the 2479 destination locator it MUST perform the HBA/CGA verification if this 2480 was not performed before upon the reception of the locator set. In 2481 addition, it MUST verify that the ULID is indeed present at that 2482 locator. This verification is performed by doing a return- 2483 routability test as part of the Probe sub-protocol [4]. 2485 If the verification method in the Locator List option is not 2486 supported by the host, or if the verification method is not 2487 consistent with the CGA Parameter Data Structure (e.g., the Parameter 2488 Data Structure doesn't contain the multiprefix extension, and the 2489 verification method says to use HBA), then the host MUST ignore the 2490 Locator List and the message in which it is contained, and the host 2491 SHOULD generate a Shim6 Error Message with Error Code=2, with the 2492 Pointer referencing the octet in the Verification method that was 2493 found inconsistent. 2495 7.3. Normal context establishment 2497 The normal context establishment consists of a 4 message exchange in 2498 the order of I1, R1, I2, R2 as can be seen in Figure 3. 2500 Initiator Responder 2502 IDLE IDLE 2503 ------------- I1 --------------> 2504 I1-SENT 2505 <------------ R1 --------------- 2506 IDLE 2507 ------------- I2 --------------> 2508 I2-SENT 2509 <------------ R2 --------------- 2510 ESTABLISHED ESTABLISHED 2512 Figure 3: Normal context establishment 2514 7.4. Concurrent context establishment 2516 When both ends try to initiate a context for the same ULID pair, then 2517 we might end up with crossing I1 messages. Alternatively, since no 2518 state is created when receiving the I1, a host might send a I1 after 2519 having sent a R1 message. 2521 Since a host remembers that it has sent an I1, it can respond to an 2522 I1 from the peer (for the same ULID-pair), with a R2, resulting in 2523 the message exchange shown in Figure 4. Such behavior is needed for 2524 other reasons such as to correctly respond to retransmitted I1 2525 messages, which occur when the R2 message has been lost. 2527 Host A Host B 2529 IDLE IDLE 2530 -\ 2531 I1-SENT---\ 2532 ---\ /--- 2533 --- I1 ---\ /--- I1-SENT 2534 ---\ 2535 /--- I1 ---/ ---\ 2536 /--- --> 2537 <--- 2539 -\ 2540 I1-SENT---\ 2541 ---\ /--- 2542 --- R2 ---\ /--- I1-SENT 2543 ---\ 2544 /--- R2 ---/ ---\ 2545 /--- --> 2546 <--- ESTABLISHED 2547 ESTABLISHED 2549 Figure 4: Crossing I1 messages 2551 If a host has received an I1 and sent an R1, it has no state to 2552 remember this. Thus if the ULP on the host sends down packets, this 2553 might trigger the host to send an I1 message itself. Thus while one 2554 end is sending an I1 the other is sending an I2 as can be seen in 2555 Figure 5. 2557 Host A Host B 2559 IDLE IDLE 2560 -\ 2561 ---\ 2562 I1-SENT ---\ 2563 --- I1 ---\ 2564 ---\ 2565 ---\ 2566 --> 2568 /--- 2569 /--- IDLE 2570 --- 2571 /--- R1--/ 2572 /--- 2573 <--- 2575 -\ 2576 I2-SENT---\ 2577 ---\ /--- 2578 --- I2---\ /--- I1-SENT 2579 ---\ 2580 /--- I1 ---/ ---\ 2581 /--- --> 2582 <--- ESTABLISHED 2584 -\ 2585 I2-SENT---\ 2586 ---\ /--- 2587 --- R2 ---\ /--- 2588 ---\ 2589 /--- R2 ---/ ---\ 2590 /--- --> 2591 <--- ESTABLISHED 2592 ESTABLISHED 2594 Figure 5: Crossing I2 and I1 2596 7.5. Context recovery 2598 Due to garbage collection, we can end up with one end having and 2599 using the context state, and the other end not having any state. We 2600 need to be able to recover this state at the end that has lost it, 2601 before we can use it. 2603 This need can arise in the following cases: 2605 o The communication is working using the ULID pair as the locator 2606 pair, but a problem arises, and the end that has retained the 2607 context state decides to probe alternate locator pairs. 2609 o The communication is working using a locator pair that is not the 2610 ULID pair, hence the ULP packets sent from a peer that has 2611 retained the context state use the Shim6 Payload extension header. 2613 o The host that retained the state sends a control message (e.g. an 2614 Update Request message). 2616 In all the cases the result is that the peer without state receives a 2617 shim message for which it has no context for the context tag. 2619 In all of those cases we can recover the context by having the node 2620 which doesn't have a context state, send back an R1bis message, and 2621 have then complete the recovery with a I2bis and R2 message as can be 2622 seen in Figure 6. 2624 Host A Host B 2626 Context for 2627 CT(peer)=X Discards context for 2628 CT(local)=X 2630 ESTABLISHED IDLE 2632 ---- payload, probe, etc. -----> No context state 2633 for CT(local)=X 2635 <------------ R1bis ------------ 2636 IDLE 2638 ------------- I2bis -----------> 2639 I2BIS_SENT 2640 <------------ R2 --------------- 2641 ESTABLISHED ESTABLISHED 2643 Figure 6: Context loss at receiver 2645 If one end has garbage collected or lost the context state, it might 2646 try to create a new context state (for the same ULID pair), by 2647 sending an I1 message. The peer (that still has the context state) 2648 will reply with an R1 message and the full 4-way exchange will be 2649 performed again in this case as can be seen in Figure 7. 2651 Host A Host B 2653 Context for 2654 CT(peer)=X Discards context for 2655 ULIDs A1, B1 CT(local)=X 2657 ESTABLISHED IDLE 2659 Finds <------------ I1 --------------- Tries to setup 2660 existing for ULIDs A1, B1 2661 context, 2662 but CT(peer) I1-SENT 2663 doesn't match 2664 ------------- R1 ---------------> 2665 Left old context 2666 in ESTABLISHED 2668 <------------ I2 --------------- 2669 Recreate context 2671 with new CT(peer) I2-SENT 2672 and Ls(peer). 2674 ESTABLISHED 2675 ------------- R2 --------------> 2676 ESTABLISHED ESTABLISHED 2678 Figure 7: Context loss at sender 2680 7.6. Context confusion 2682 Since each end might garbage collect the context state we can have 2683 the case when one end has retained the context state and tries to use 2684 it, while the other end has lost the state. We discussed this in the 2685 previous section on recovery. But for the same reasons, when one 2686 host retains context tag X as CT(peer) for ULID pair , the 2687 other end might end up allocating that context tag as CT(local) for 2688 another ULID pair, e.g., between the same hosts. In this 2689 case we can not use the recovery mechanisms since there need to be 2690 separate context tags for the two ULID pairs. 2692 This type of "confusion" can be observed in two cases (assuming it is 2693 A that has retained the state and B has dropped it): 2695 o B decides to create a context for ULID pair , and 2696 allocates X as its context tag for this, and sends an I1 to A. 2698 o A decides to create a context for ULID pair , and starts 2699 the exchange by sending I1 to B. When B receives the I2 message, 2700 it allocates X as the context tag for this context. 2702 In both cases, A can detect that B has allocated X for ULID pair even though that A still X as CT(peer) for ULID pair . 2704 Thus A can detect that B must have lost the context for . 2706 The confusion can be detected when I2/I2bis/R2 is received since we 2707 require that those messages MUST include a sufficiently large set of 2708 locators in a Locator List option that the peer can determine whether 2709 or not two contexts have the same host as the peer by comparing if 2710 there is any common locators in Ls(peer). 2712 The requirement is that the old context which used the context tag 2713 MUST be removed; it can no longer be used to send packets. Thus A 2714 would forcibly remove the context state for , so that it 2715 can accept the new context for . An implementation MAY 2716 re-create a context to replace the one that was removed; in this case 2717 for . The normal I1, R1, I2, R2 establishment exchange would 2718 then pick unique context tags for that replacement context. This re- 2719 creation is OPTIONAL, but might be useful when there is ULP 2720 communication which is using the ULID pair whose context was removed. 2722 Note that an I1 message with a duplicate context tag should not cause 2723 the removal of the old context state; this operation needs to be 2724 deferred until the reception of the I2 message. 2726 7.7. Sending I1 messages 2728 When the shim layer decides to setup a context for a ULID pair, it 2729 starts by allocating and initializing the context state for its end. 2730 As part of this it assigns a random context tag to the context that 2731 is not being used as CT(local) by any other context . In the case 2732 that a new API is used and the ULP requests a forked context, the 2733 Forked Instance Identifier value will be set to a non-zero value. 2734 Otherwise, the FII value is zero. Then the initiator can send an I1 2735 message and set the context STATE to I1-SENT. The I1 message MUST 2736 include the ULID pair; normally in the IPv6 source and destination 2737 fields. But if the ULID pair for the context is not used as locator 2738 pair for the I1 message, then a ULID option MUST be included in the 2739 I1 message. In addition, if a Forked Instance Identifier value is 2740 non-zero, the I1 message MUST include a Context Instance Identifier 2741 option containing the correspondent value. 2743 7.8. Retransmitting I1 messages 2745 If the host does not receive an I2 or R2 message in response to the 2746 I1 message after I1_TIMEOUT time, then it needs to retransmit the I1 2747 message. The retransmissions should use a retransmission timer with 2748 binary exponential backoff to avoid creating congestion issues for 2749 the network when lots of hosts perform I1 retransmissions. Also, the 2750 actual timeout value should be randomized between 0.5 and 1.5 of the 2751 nominal value to avoid self-synchronization. 2753 If, after I1_RETRIES_MAX retransmissions, there is no response, then 2754 most likely the peer does not implement the Shim6 protocol, or there 2755 could be a firewall that blocks the protocol. In this case it makes 2756 sense for the host to remember to not try again to establish a 2757 context with that ULID. However, any such negative caching should 2758 retained for at most NO_R1_HOLDDOWN_TIME, to be able to later setup a 2759 context should the problem have been that the host was not reachable 2760 at all when the shim tried to establish the context. 2762 If the host receives an ICMP error with "Unrecognized Next Header" 2763 type (type 4, code 1) and the included packet is the I1 message it 2764 just sent, then this is a more reliable indication that the peer ULID 2765 does not implement Shim6. Again, in this case, the host should 2766 remember to not try again to establish a context with that ULID. 2767 Such negative caching should retained for at most ICMP_HOLDDOWN_TIME, 2768 which should be significantly longer than the previous case. 2770 7.9. Receiving I1 messages 2772 A host MUST silently discard any received I1 messages that do not 2773 satisfy all of the following validity checks in addition to those 2774 specified in Section 12.3: 2776 o The Hdr Ext Len field is at least 1, i.e., the length is at least 2777 16 octets. 2779 Upon the reception of an I1 message, the host extracts the ULID pair 2780 and the Forked Instance Identifier from the message. If there is no 2781 ULID-pair option, then the ULID pair is taken from the source and 2782 destination fields in the IPv6 header. If there is no FII option in 2783 the message, then the FII value is taken to be zero. 2785 Next the host looks for an existing context which matches the ULID 2786 pair and the FII. 2788 If no state is found (i.e., the STATE is IDLE), then the host replies 2789 with a R1 message as specified below. 2791 If such a context exists in ESTABLISHED STATE, the host verifies that 2792 the locator of the Initiator is included in Ls(peer) (This check is 2793 unnecessary if there is no ULID-pair option in the I1 message). 2795 If the state exists in ESTABLISHED STATE and the locators do not fall 2796 in the locator sets, then the host replies with a R1 message as 2797 specified below. This completes the I1 processing, with the context 2798 STATE being unchanged. 2800 If the state exists in ESTABLISHED STATE and the locators do fall in 2801 the sets, then the host compares CT(peer) for the context with the CT 2802 contained in the I1 message. 2804 o If the context tags match, then this probably means that the R2 2805 message was lost and this I1 is a retransmission. In this case, 2806 the host replies with a R2 message containing the information 2807 available for the existent context. 2809 o If the context tags do not match, then it probably means that the 2810 Initiator has lost the context information for this context and it 2811 is trying to establish a new one for the same ULID-pair. In this 2812 case, the host replies with a R1 message as specified below. This 2813 completes the I1 processing, with the context STATE being 2814 unchanged. 2816 If the state exists in other STATE (I1-SENT, I2-SENT, I2BIS-SENT), we 2817 are in the situation of Concurrent context establishment described in 2818 Section 7.4. In this case, the host leaves CT(peer) unchanged, and 2819 replies with a R2 message. This completes the I1 processing, with 2820 the context STATE being unchanged. 2822 7.10. Sending R1 messages 2824 When the host needs to send a R1 message in response to the I1 2825 message, it copies the Initiator Nonce from the I1 message to the R1 2826 message, generates a Responder Nonce and calculates a Responder 2827 Validator option as suggested in the following section. No state is 2828 created on the host in this case.(Note that the information used to 2829 generate the R1 reply message is either contained in the received I1 2830 message or it is global information that is not associated with the 2831 particular requested context (the S and the Responder nonce values)). 2833 When the host needs to send a R2 message in response to the I1 2834 message, it copies the Initiator Nonce from the I1 message to the R2 2835 message, and otherwise follows the normal rules for forming an R2 2836 message (see Section 7.14). 2838 7.10.1. Generating the R1 Validator 2840 As it is stated in Section 5.15.1, the Validator generation mechanism 2841 is a local choice since the validator is generated and verified by 2842 the same node i.e. the responder. However, in order to provide the 2843 required protection, the Validator needs to be generated fullflling 2844 the conditions described in Section 5.15.1. One way for the 2845 responder to properly generate validators is to maintain a single 2846 secret (S) and a running counter (C) for the Responder Nonce that is 2847 incremented in fixed periods of time (this allows the Responder to 2848 verify the age of a Responder Nonce, independently of the context in 2849 which it is used). 2851 When the validator is generated to be included in a R1 message, that 2852 is sent in respose to a specific I1 message, the responder can 2853 perform the following procedure to generate the validator value: 2855 First, the responder uses the current counter C value as the 2856 Responder Nonce. 2858 Second, it uses the following information (concatenated) as input to 2859 the one-way function: 2861 o The secret S 2863 o That Responder Nonce 2865 o The Initiator Context Tag from the I1 message 2867 o The ULIDs from the I1 message 2869 o The locators from the I1 message (strictly only needed if they are 2870 different from the ULIDs) 2872 o The forked instance identifier if such option was included in the 2873 I1 message 2875 Third, it uses the output of the hash function as the validator value 2876 included in the R1 message. 2878 7.11. Receiving R1 messages and sending I2 messages 2880 A host MUST silently discard any received R1 messages that do not 2881 satisfy all of the following validity checks in addition to those 2882 specified in Section 12.3: 2884 o The Hdr Ext Len field is at least 1, i.e., the length is at least 2885 16 octets. 2887 Upon the reception of an R1 message, the host extracts the Initiator 2888 Nonce and the Locator Pair from the message (the latter from the 2889 source and destination fields in the IPv6 header). Next the host 2890 looks for an existing context which matches the Initiator Nonce and 2891 where the locators are contained in Ls(peer) and Ls(local), 2892 respectively. If no such context is found, then the R1 message is 2893 silently discarded. 2895 If such a context is found, then the host looks at the STATE: 2897 o If the STATE is I1-SENT, then it sends an I2 message as specified 2898 below. 2900 o In any other STATE (I2-SENT, I2BIS-SENT, ESTABLISHED) then the 2901 host has already sent an I2 message then this is probably a reply 2902 to a retransmitted I1 message, so this R1 message MUST be silently 2903 discarded. 2905 When the host sends an I2 message, then it includes the Responder 2906 Validator option that was in the R1 message. The I2 message MUST 2907 include the ULID pair; normally in the IPv6 source and destination 2908 fields. If a ULID-pair option was included in the I1 message then it 2909 MUST be included in the I2 message as well. In addition, if the 2910 Forked Instance Identifier value for this context is non-zero, the I2 2911 message MUST contain a Forked Instance Identifier Option carrying 2912 this value. Besides, the I2 message contains an Initiator Nonce. 2913 This is not required to be the same than the one included in the 2914 previous I1 message. 2916 The I2 message may also include the Initiator's locator list. If 2917 this is the the case, then it must also include the CGA Parameter 2918 Data Structure. If CGA (and not HBA) is used to verify one or more 2919 of the locators included in the locator list, then Initiator must 2920 also include a CGA signature option containing the signature. 2922 When the I2 message has been sent, the STATE is set to I2-SENT. 2924 7.12. Retransmitting I2 messages 2926 If the initiator does not receive an R2 message after I2_TIMEOUT time 2927 after sending an I2 message it MAY retransmit the I2 message, using 2928 binary exponential backoff and randomized timers. The Responder 2929 Validator option might have a limited lifetime, that is, the peer 2930 might reject Responder Validator options that are older than 2931 VALIDATOR_MIN_LIFETIME to avoid replay attacks. In the case that the 2932 initiator decides not to retransmit I2 messages or in the case that 2933 the initiator still does not receive an R2 message after 2934 retransmitting I2 messages I2_RETRIES_MAX times, the initiator SHOULD 2935 fall back to retransmitting the I1 message. 2937 7.13. Receiving I2 messages 2939 A host MUST silently discard any received I2 messages that do not 2940 satisfy all of the following validity checks in addition to those 2941 specified in Section 12.3: 2943 o The Hdr Ext Len field is at least 2, i.e., the length is at least 2944 24 octets. 2946 Upon the reception of an I2 message, the host extracts the ULID pair 2947 and the Forked Instance identifier from the message. If there is no 2948 ULID-pair option, then the ULID pair is taken from the source and 2949 destination fields in the IPv6 header. If there is no FII option in 2950 the message, then the FII value is taken to be zero. 2952 Next the host verifies that the Responder Nonce is a recent one 2953 (Nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be 2954 considered recent), and that the Responder Validator option matches 2955 the validator the host would have computed for the ULID, locators, 2956 responder nonce, initiator nonce and FII. 2958 If a CGA Parameter Data Structure (PDS) is included in the message, 2959 then the host MUST verify if the actual PDS contained in the message 2960 corresponds to the ULID(peer). 2962 If any of the above verifications fails, then the host silently 2963 discards the message and it has completed the I2 processing. 2965 If all the above verifications are successful, then the host proceeds 2966 to look for a context state for the Initiator. The host looks for a 2967 context with the extracted ULID pair and FII. If none exist then 2968 STATE of the (non-existing) context is viewed as being IDLE, thus the 2969 actions depend on the STATE as follows: 2971 o If the STATE is IDLE (i.e., the context does not exist) the host 2972 allocates a context tag (CT(local)), creates the context state for 2973 the context, and sets its STATE to ESTABLISHED. It records 2974 CT(peer), and the peer's locator set as well as its own locator 2975 set in the context. It SHOULD perform the HBA/CGA verification of 2976 the peer's locator set at this point in time, as specified in 2977 Section 7.2. Then the host sends an R2 message back as specified 2978 below. 2980 o If the STATE is I1-SENT, then the host verifies if the source 2981 locator is included in Ls(peer) or, it is included in the Locator 2982 List contained in the I2 message and the HBA/CGA verification for 2983 this specific locator is successful 2985 * If this is not the case, then the message is silently discarded 2986 and the context STATE remains unchanged. 2988 * If this is the case, then the host updates the context 2989 information (CT(peer), Ls(peer)) with the data contained in the 2990 I2 message and the host MUST send a R2 message back as 2991 specified below. Note that before updating Ls(peer) 2992 information, the host SHOULD perform the HBA/CGA validation of 2993 the peer's locator set at this point in time as specified in 2994 Section 7.2. The host moves to ESTABLISHED STATE. 2996 o If the STATE is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host 2997 verifies if the source locator is included in Ls(peer) or, it is 2998 included in the Locator List contained in the I2 message and the 2999 HBA/CGA verification for this specific locator is successful 3001 * If this is not the case, then the message is silently discarded 3002 and the context STATE remains unchanged. 3004 * If this is the case, then the host updates the context 3005 information (CT(peer), Ls(peer)) with the data contained in the 3006 I2 message and the host MUST send a R2 message back as 3007 specified in Section 7.14. Note that before updating Ls(peer) 3008 information, the host SHOULD perform the HBA/CGA validation of 3009 the peer's locator set at this point in time as specified in 3010 Section 7.2. The context STATE remains unchanged. 3012 7.14. Sending R2 messages 3014 Before the host sends the R2 message it MUST look for a possible 3015 context confusion i.e. where it would end up with multiple contexts 3016 using the same CT(peer) for the same peer host. See Section 7.15. 3018 When the host needs to send an R2 message, the host forms the message 3019 its context tag, copies the Initiator Nonce from the triggering 3020 message (I2, I2bis, or I1). In addition, it may include alternative 3021 locators and the the necessary options so that the peer can verify 3022 them. In particular, the R2 message may include the Responder's 3023 locator list and the PDS option. If CGA (and not HBA) is used to 3024 verify the locator list, then the Responder also signs the key parts 3025 of the message and includes a CGA Signature option containing the 3026 signature. 3028 R2 messages are never retransmitted. If the R2 message is lost, then 3029 the initiator will retransmit either the I2/I2bis or I1 message. 3030 Either retransmission will cause the responder to find the context 3031 state and respond with an R2 message. 3033 7.15. Match for Context Confusion 3035 When the host receives an I2, I2bis, or R2 it MUST look for a 3036 possible context confusion i.e. where it would end up with multiple 3037 contexts using the same CT(peer) for the same peer host. This can 3038 happen when it has received the above messages since they create a 3039 new context with a new CT(peer). Same issue applies when CT(peer) is 3040 updated for an existing context. 3042 The host takes CT(peer) for the newly created or updated context, and 3043 looks for other contexts which: 3045 o Are in STATE ESTABLISHED or I2BIS-SENT. 3047 o Have the same CT(peer). 3049 o Where Ls(peer) has at least one locator in common with the newly 3050 created or updated context. 3052 If such a context is found, then the host checks if the ULID pair or 3053 the Forked Instance Identifier different than the ones in the newly 3054 created or updated context: 3056 o If either or both are different, then the peer is reusing the 3057 context tag for the creation of a context with different ULID pair 3058 or FII, which is an indication that the peer has lost the original 3059 context. In this case, we are in the Context confusion situation, 3060 and the host MUST NOT use the old context to send any packets. It 3061 MAY just discard the old context (after all, the peer has 3062 discarded it), or it MAY attempt to re-establish the old context 3063 by sending a new I1 message and moving its STATE to I1-SENT. In 3064 any case, once that this situation is detected, the host MUST NOT 3065 keep two contexts with overlapping Ls(peer) locator sets and the 3066 same context tag in ESTABLISHED STATE, since this would result in 3067 demultiplexing problems on the peer. 3069 o If both are the same, then this context is actually the context 3070 that is created or updated, hence there is no confusion. 3072 7.16. Receiving R2 messages 3074 A host MUST silently discard any received R2 messages that do not 3075 satisfy all of the following validity checks in addition to those 3076 specified in Section 12.3: 3078 o The Hdr Ext Len field is at least 1, i.e., the length is at least 3079 16 octets. 3081 Upon the reception of an R2 message, the host extracts the Initiator 3082 Nonce and the Locator Pair from the message (the latter from the 3083 source and destination fields in the IPv6 header). Next the host 3084 looks for an existing context which matches the Initiator Nonce and 3085 where the locators are Lp(peer) and Lp(local), respectively. Based 3086 on the STATE: 3088 o If no such context is found, i.e., the STATE is IDLE, then the 3089 message is silently dropped. 3091 o If STATE is I1-SENT, I2-SENT, or I2BIS-SENT then the host performs 3092 the following actions: If a CGA Parameter Data Structure (PDS) is 3093 included in the message, then the host MUST verify that the actual 3094 PDS contained in the message corresponds to the ULID(peer) as 3095 specified in Section 7.2. If the verification fails, then the 3096 message is silently dropped. If the verification succeeds, then 3097 the host records the information from the R2 message in the 3098 context state; it records the peer's locator set and CT(peer). 3099 The host SHOULD perform the HBA/CGA verification of the peer's 3100 locator set at this point in time, as specified in Section 7.2. 3101 The host sets its STATE to ESTABLISHED. 3103 o If the STATE is ESTABLISHED, the R2 message is silently ignored, 3104 (since this is likely to be a reply to a retransmitted I2 3105 message). 3107 Before the host completes the R2 processing it MUST look for a 3108 possible context confusion i.e. where it would end up with multiple 3109 contexts using the same CT(peer) for the same peer host. See 3110 Section 7.15. 3112 7.17. Sending R1bis messages 3114 Upon the receipt of a Shim6 payload extension header where there is 3115 no current Shim6 context at the receiver, the receiver is to respond 3116 with an R1bis message in order to enable a fast re-establishment of 3117 the lost Shim6 context. 3119 Also a host is to respond with a R1bis upon receipt of any control 3120 messages that has a message type in the range 64-127 (i.e., excluding 3121 the context setup messages such as I1, R1, R1bis, I2, I2bis, R2 and 3122 future extensions), where the control message refers to a non 3123 existent context. 3125 We assume that all the incoming packets that trigger the generation 3126 of an R1bis message contain a locator pair (in the address fields of 3127 the IPv6 header) and a Context Tag. 3129 Upon reception of any of the packets described above, the host will 3130 reply with an R1bis including the following information: 3132 o The Responder Nonce is a number picked by the responder which the 3133 initiator will return in the I2bis message. 3135 o Packet Context Tag is the context tag contained in the received 3136 packet that triggered the generation of the R1bis message. 3138 o The Responder Validator option is included, with a validator that 3139 is computed as suggested in the next section. 3141 7.17.1. Generating the R1bis Validator 3143 One way for the responder to properly generate validators is to 3144 maintain a single secret (S) and a running counter C for the 3145 Responder Nonce that is incremented in fixed periods of time (this 3146 allows the Responder to verify the age of a Responder Nonce, 3147 independently of the context in which it is used). 3149 When the validator is generated to be included in a R1bis message, 3150 that is sent in respose to a specific controls packet or packet 3151 containing the Shim6 payload extension header message, the responder 3152 can perform the following procedure to generate the validator value: 3154 First, the responder uses the counter C value as the Responder Nonce. 3156 Second, it uses the following information (concatenated) as input to 3157 the one-way function: 3159 o The secret S 3161 o That Responder Nonce 3163 o The Receiver Context tag included in the received packet 3165 o The locators from the received packet 3167 Third, it uses the output of the hash function as the validator 3168 string. 3170 7.18. Receiving R1bis messages and sending I2bis messages 3172 A host MUST silently discard any received R1bis messages that do not 3173 satisfy all of the following validity checks in addition to those 3174 specified in Section 12.3: 3176 o The Hdr Ext Len field is at least 1, i.e., the length is at least 3177 16 octets. 3179 Upon the reception of an R1bis message, the host extracts the Packet 3180 Context Tag and the Locator Pair from the message (the latter from 3181 the source and destination fields in the IPv6 header). Next the host 3182 looks for an existing context where the Packet Context Tag matches 3183 CT(peer) and where the locators match Lp(peer) and Lp(local), 3184 respectively. 3186 o If no such context is not found, i.e., the STATE is IDLE, then the 3187 R1bis message is silently discarded. 3189 o If the STATE is I1-SENT, I2-SENT, or I2BIS-SENT, then the R1bis 3190 message is silently discarded. 3192 o If the STATE is ESTABLISHED, then we are in the case where the 3193 peer has lost the context and the goal is to try to re-establish 3194 it. For that, the host leaves CT(peer) unchanged in the context 3195 state, transitions to I2BIS-SENT STATE, and sends a I2bis message, 3196 including the computed Responder Validator option, the Packet 3197 Context Tag, and the Responder Nonce received in the R1bis 3198 message. This I2bis message is sent using the locator pair 3199 included in the R1bis message. In the case that this locator pair 3200 differs from the ULID pair defined for this context, then an ULID 3201 option MUST be included in the I2bis message. In addition, if the 3202 Forked Instance Identifier for this context is non-zero, then a 3203 Forked Instance Identifier option carrying the instance identifier 3204 value for this context MUST be included in the I2bis message. The 3205 I2bis message may also include a locator list. If this is the the 3206 case, then it must also include the CGA Parameter Data Structure. 3207 If CGA (and not HBA) is used to verify one or more of the locators 3208 included in the locator list, then Initiator must also include a 3209 CGA signature option containing the signature. 3211 7.19. Retransmitting I2bis messages 3213 If the initiator does not receive an R2 message after I2bis_TIMEOUT 3214 time after sending an I2bis message it MAY retransmit the I2bis 3215 message, using binary exponential backoff and randomized timers. The 3216 Responder Validator option might have a limited lifetime, that is, 3217 the peer might reject Responder Validator options that are older than 3218 VALIDATOR_MIN_LIFETIME to avoid replay attacks. In the case that the 3219 initiator decides not to retransmit I2bis messages or in the case 3220 that the initiator still does not receive an R2 message after 3221 retransmitting I2bis messages I2bis_RETRIES_MAX times, the initiator 3222 SHOULD fallback to retransmitting the I1 message. 3224 7.20. Receiving I2bis messages and sending R2 messages 3226 A host MUST silently discard any received I2bis messages that do not 3227 satisfy all of the following validity checks in addition to those 3228 specified in Section 12.3: 3230 o The Hdr Ext Len field is at least 3, i.e., the length is at least 3231 32 octets. 3233 Upon the reception of an I2bis message, the host extracts the ULID 3234 pair and the Forked Instance identifier from the message. If there 3235 is no ULID-pair option, then the ULID pair is taken from the source 3236 and destination fields in the IPv6 header. If there is no FII option 3237 in the message, then the FII value is taken to be zero. 3239 Next the host verifies that the Responder Nonce is a recent one 3240 (Nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be 3241 considered recent), and that the Responder Validator option matches 3242 the validator the host would have computed for the locators, 3243 Responder Nonce, and Receiver Context tag as part of sending an R1bis 3244 message. 3246 If a CGA Parameter Data Structure (PDS) is included in the message, 3247 then the host MUST verify if the actual PDS contained in the message 3248 corresponds to the ULID(peer). 3250 If any of the above verifications fails, then the host silently 3251 discard the message and it has completed the I2bis processing. 3253 If both verifications are successful, then the host proceeds to look 3254 for a context state for the Initiator. The host looks for a context 3255 with the extracted ULID pair and FII. If none exist then STATE of 3256 the (non-existing) context is viewed as being IDLE, thus the actions 3257 depend on the STATE as follows: 3259 o If the STATE is IDLE (i.e., the context does not exist) the host 3260 allocates a context tag (CT(local)), creates the context state for 3261 the context, and sets its STATE to ESTABLISHED. The host SHOULD 3262 NOT use the Packet Context Tag in the I2bis message for CT(local); 3263 instead it should pick a new random context tag just as when it 3264 processes an I2 message. It records CT(peer), and the peer's 3265 locator set as well as its own locator set in the context. It 3266 SHOULD perform the HBA/CGA verification of the peer's locator set 3267 at this point in time as specified in Section 7.2. Then the host 3268 sends an R2 message back as specified in Section 7.14. 3270 o If the STATE is I1-SENT, then the host verifies if the source 3271 locator is included in Ls(peer) or, it is included in the Locator 3272 List contained in the I2 message and the HBA/CGA verification for 3273 this specific locator is successful 3275 * If this is not the case, then the message is silently 3276 discarded. The the context STATE remains unchanged. 3278 * If this is the case, then the host updates the context 3279 information (CT(peer), Ls(peer)) with the data contained in the 3280 I2 message and the host MUST send a R2 message back as 3281 specified below. Note that before updating Ls(peer) 3282 information, the host SHOULD perform the HBA/CGA validation of 3283 the peer's locator set at this point in time as specified in 3284 Section 7.2. The host moves to ESTABLISHED STATE. 3286 o If the STATE is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host 3287 whther at least one of the two following conditions hold: i) if 3288 the source locator is included in Ls(peer) or, ii) if the source 3289 locator is included in the Locator List contained in the I2 3290 message and the HBA/CGA verification for this specific locator is 3291 successful 3293 * If none of the two aforementioned conditions hold, then the 3294 message is silently discarded. The the context STATE remains 3295 unchanged. 3297 * If at least one of the two aforementioned conditions hold, then 3298 the host updates the context information (CT(peer), Ls(peer)) 3299 with the data contained in the I2 message and the host MUST 3300 send a R2 message back as specified in Section 7.14. Note that 3301 before updating Ls(peer) information, the host SHOULD perform 3302 the HBA/CGA validation of the peer's locator set at this point 3303 in time as specified in Section 7.2. The context STATE remains 3304 unchanged. 3306 8. Handling ICMP Error Messages 3308 The routers in the path as well as the destination might generate 3309 ICMP error messages. In some cases, the Shim6 can take action and 3310 solve the solve the problem that resulted in the error. In other 3311 cases, the Shim6 layer can not solve the problem and it is critical 3312 that these packets make it back up to the ULPs so that they can take 3313 appropriate action. 3315 This is an implementation issue in the sense that the mechanism is 3316 completely local to the host itself. But the issue of how ICMP 3317 errors are correctly dispatched to the ULP on the host are important, 3318 hence this section specifies the issue. 3320 All ICMP messages MUST be delivered to the ULP in all cases except 3321 when Shim6 successfully acts on the message (e.g. selects a new 3322 path). There SHOULD be a configuration option to unconditionally 3323 deliver all ICMP messages (including ones acted on by shim6) to the 3324 ULP. 3326 According to that recommendation, the following ICMP error messages 3327 should be processed by the Shim6 layer and not passed to the ULP: 3328 ICMP error Destination unreachable with codes 0 (No route to 3329 destination), 1 (Communication with destination administratively 3330 prohibited), 2 (Beyond scope of source address), 3 (Address 3331 unreachable), 5 (Source address failed ingress/egress policy), 6 3332 (Reject route to destination), ICMP Time exceeded error, ICMP 3333 Parameter problem error with the parameter that caused the error 3334 being a Shim6 parameter. 3336 The following ICMP error messages report problems that cannot be 3337 addressed by the Shim6 layer and that should be passed to the ULP (as 3338 described below): ICMP Packet too big error, ICMP Destination 3339 Unreachable with Code 4 (Port unreachable) ICMP Parameter problem (if 3340 the parameter that caused the problem is not a Shim6 parameter). 3342 +--------------+ 3343 | IPv6 Header | 3344 | | 3345 +--------------+ 3346 | ICMPv6 | 3347 | Header | 3348 - - +--------------+ - - 3349 | IPv6 Header | 3350 | src, dst as | Can be dispatched 3351 IPv6 | sent by ULP | unmodified to ULP 3352 | on host | ICMP error handler 3353 Packet +--------------+ 3354 | ULP | 3355 in | Header | 3356 +--------------+ 3357 Error | | 3358 ~ Data ~ 3359 | | 3360 - - +--------------+ - - 3362 Figure 8: ICMP error handling without payload extension header 3364 When the ULP packets are sent without the payload extension header, 3365 that is, while the initial locators=ULIDs are working, this 3366 introduces no new concerns; an implementation's existing mechanism 3367 for delivering these errors to the ULP will work. See Figure 8. 3369 But when the shim on the transmitting side inserts the payload 3370 extension header and replaces the ULIDs in the IP address fields with 3371 some other locators, then an ICMP error coming back will have a 3372 "packet in error" which is not a packet that the ULP sent. Thus the 3373 implementation will have to apply the reverse mapping to the "packet 3374 in error" before passing the ICMP error up to the ULP, including the 3375 ICMP extensions defined in [24]. See Figure 9. 3377 +--------------+ 3378 | IPv6 Header | 3379 | | 3380 +--------------+ 3381 | ICMPv6 | 3382 | Header | 3383 - - +--------------+ - - 3384 | IPv6 Header | 3385 | src, dst as | Needs to be 3386 IPv6 | modified by | transformed to 3387 | shim on host | have ULIDs 3388 +--------------+ in src, dst fields, 3389 Packet | Shim6 ext. | and Shim6 ext. 3390 | Header | header removed 3391 in +--------------+ before it can be 3392 | Transport | dispatched to the ULP 3393 Error | Header | ICMP error handler. 3394 +--------------+ 3395 | | 3396 ~ Data ~ 3397 | | 3398 - - +--------------+ - - 3400 Figure 9: ICMP error handling with payload extension header 3402 Note that this mapping is different than when receiving packets from 3403 the peer with a payload extension headers, because in that case the 3404 packets contain CT(local). But the ICMP errors have a "packet in 3405 error" with an payload extension header containing CT(peer). This is 3406 because they were intended to be received by the peer. In any case, 3407 since the has to be 3408 unique when received by the peer, the local host should also only be 3409 able to find one context that matches this tuple. 3411 If the ICMP error is a Packet Too Big, the reported MTU must be 3412 adjusted to be 8 octets less, since the shim will add 8 octets when 3413 sending packets. 3415 After the "packet in error" has had the original ULIDs inserted, then 3416 this payload extension header can be removed. The result is a 3417 "packet in error" that is passed to the ULP which looks as if the 3418 shim did not exist. 3420 9. Teardown of the ULID-Pair Context 3422 Each host can unilaterally decide when to tear down a ULID-pair 3423 context. It is RECOMMENDED that hosts do not tear down the context 3424 when they know that there is some upper layer protocol that might use 3425 the context. For example, an implementation might know this if there 3426 is an open socket which is connected to the ULID(peer). However, 3427 there might be cases when the knowledge is not readily available to 3428 the shim layer, for instance for UDP applications which do not 3429 connect their sockets, or any application which retains some higher 3430 level state across (TCP) connections and UDP packets. 3432 Thus it is RECOMMENDED that implementations minimize premature 3433 teardown by observing the amount of traffic that is sent and received 3434 using the context, and only after it appears quiescent, tear down the 3435 state. A reasonable approach would be not to tear down a context 3436 until at least 5 minutes have passed since the last message was sent 3437 or received using the context. (Note that packets that use the ULID 3438 pair as locator pair and that do not require address rewriting by the 3439 Shim6 layer are also considered as packets using the associated Shim6 3440 context) 3442 Since there is no explicit, coordinated removal of the context state, 3443 there are potential issues around context tag reuse. One end might 3444 remove the state, and potentially reuse that context tag for some 3445 other communication, and the peer might later try to use the old 3446 context (which it didn't remove). The protocol has mechanisms to 3447 recover from this, which work whether the state removal was total and 3448 accidental (e.g., crash and reboot of the host), or just a garbage 3449 collection of shim state that didn't seem to be used. However, the 3450 host should try to minimize the reuse of context tags by trying to 3451 randomly cycle through the 2^47 context tag values. (See Appendix C 3452 for a summary how the recovery works in the different cases.) 3454 10. Updating the Peer 3456 The Update Request and Acknowledgement are used both to update the 3457 list of locators (only possible when CGA is used to verify the 3458 locator(s)), as well as updating the preferences associated with each 3459 locator. 3461 10.1. Sending Update Request messages 3463 When a host has a change in the locator set, then it can communicate 3464 this to the peer by sending an Update Request. When a host has a 3465 change in the preferences for its locator set, it can also 3466 communicate this to the peer. The Update Request message can include 3467 just a Locator List option, to convey the new set of locators, just a 3468 Locator Preferences option, or both a new Locator List and new 3469 Locator Preferences. 3471 Should the host send a new Locator List, the host picks a new random 3472 local generation number, records this in the context, and puts it in 3473 the Locator List option. Any Locator Preference option, whether send 3474 in the same Update Request or in some future Update Request, will use 3475 that generation number to make sure the preferences get applied to 3476 the correct version of the locator list. 3478 The host picks a random Request Nonce for each update, and keeps the 3479 same nonce for any retransmissions of the Update Request. The nonce 3480 is used to match the acknowledgement with the request. 3482 The UPDATE message can also include a CGA Parameter Data Structure 3483 (this is needed if the CGA PDS was not previously exchanged,). If 3484 CGA (and not HBA) is used to verify one or more of the locators 3485 included in the locator list, then a CGA signature option containing 3486 the signature must also be included in the UPDATE message. 3488 10.2. Retransmitting Update Request messages 3490 If the host does not receive an Update Acknowledgement R2 message in 3491 response to the Update Request message after UPDATE_TIMEOUT time, 3492 then it needs to retransmit the Update Request message. The 3493 retransmissions should use a retransmission timer with binary 3494 exponential backoff to avoid creating congestion issues for the 3495 network when lots of hosts perform Update Request retransmissions. 3496 Also, the actual timeout value should be randomized between 0.5 and 3497 1.5 of the nominal value to avoid self-synchronization. 3499 Should there be no response, the retransmissions continue forever. 3500 The binary exponential backoff stops at MAX_UPDATE_TIMEOUT. But the 3501 only way the retransmissions would stop when there is no 3502 acknowledgement, is when the shim, through the Probe protocol or some 3503 other mechanism, decides to discard the context state due to lack of 3504 ULP usage in combination with no responses to the Probes. 3506 10.3. Newer Information While Retransmitting 3508 There can be at most one outstanding Update Request message at any 3509 time. Thus until e.g. an update with a new Locator List has been 3510 acknowledged, any even newer Locator List or new Locator Preferences 3511 can not just be sent. However, when there is newer information and 3512 the older information has not yet been acknowledged, the host can 3513 instead of waiting for an acknowledgement, abandon the previous 3514 update and construct a new Update Request (with a new Request Nonce) 3515 which includes the new information as well as the information that 3516 hadn't yet been acknowledged. 3518 For example, if the original locator list was just (A1, A2), and if 3519 an Update Request with the Locator List (A1, A3) is outstanding, and 3520 the host determines that it should both add A4 to the locator list, 3521 and mark A1 as BROKEN, then it would need to: 3523 o Pick a new random Request Nonce for the new Update Request. 3525 o Pick a new random Generation number for the new locator list. 3527 o Form the new locator list - (A1, A3, A4) 3529 o Form a Locator Preference option which uses the new generation 3530 number and has the BROKEN flag for the first locator. 3532 o Send the Update Request and start a retransmission timer. 3534 Any Update Acknowledgement which doesn't match the current request 3535 nonce, for instance an acknowledgement for the abandoned Update 3536 Request, will be silently ignored. 3538 10.4. Receiving Update Request messages 3540 A host MUST silently discard any received Update Request messages 3541 that do not satisfy all of the following validity checks in addition 3542 to those specified in Section 12.3: 3544 o The Hdr Ext Len field is at least 1, i.e., the length is at least 3545 16 octets. 3547 Upon the reception of an Update Request message, the host extracts 3548 the Context Tag from the message. It then looks for a context which 3549 has a CT(local) that matches the context tag. If no such context is 3550 found, it sends a R1bis message as specified in Section 7.17. 3552 Since context tags can be reused, the host MUST verify that the IPv6 3553 source address field is part of Ls(peer) and that the IPv6 3554 destination address field is part of Ls(local). If this is not the 3555 case, the sender of the Update Request has a stale context which 3556 happens to match the CT(local) for this context. In this case the 3557 host MUST send a R1bis message, and otherwise ignore the Update 3558 Request message. 3560 If a CGA Parameter Data Structure (PDS) is included in the message, 3561 then the host MUST verify if the actual PDS contained in the packet 3562 corresponds to the ULID(peer). If this verification fails, the 3563 message is silently discarded. 3565 Then, depending on the STATE of the context: 3567 o If ESTABLISHED: Proceed to process message. 3569 o If I1-SENT, discard the message and stay in I1-SENT. 3571 o If I2-SENT, then send I2 and proceed to process the message. 3573 o If I2BIS-SENT, then send I2bis and proceed to process the message. 3575 The verification issues for the locators carried in the Locator 3576 Update message are specified in Section 7.2. If the locator list can 3577 not be verified, this procedure should send a Shim6 Error message 3578 with Error Code=2. In any case, if it can not be verified, there is 3579 no further processing of the Update Request. 3581 Once any Locator List option in the Update Request has been verified, 3582 the peer generation number in the context is updated to be the one in 3583 the Locator List option. 3585 If the Update message contains a Locator Preference option, then the 3586 Generation number in the preference option is compared with the peer 3587 generation number in the context. If they do not match, then the 3588 host generates a Shim6 Error Message with Error Code=3 with the 3589 Pointer field referring to the first octet in the Generation number 3590 in the Locator Preference option. In addition, if the number of 3591 elements in the Locator Preference option does not match the number 3592 of locators in Ls(peer), then a Shim6 Error Message with Error Code=4 3593 is sent with the Pointer referring to the first octet of the Length 3594 field in the Locator Preference option. In both cases of failures, 3595 no further processing is performed for the Locator Update message. 3597 If the generation number matches, the locator preferences are 3598 recorded in the context. 3600 Once the Locator List option (if present) has been verified and any 3601 new locator list or locator preferences have been recorded, the host 3602 sends an Update Acknowledgement message, copying the nonce from the 3603 request, and using the CT(peer) in as the Receiver Context Tag. 3605 Any new locators, or more likely new locator preferences, might 3606 result in the host wanting to select a different locator pair for the 3607 context. For instance, if the Locator Preferences lists the current 3608 Lp(peer) as BROKEN. The host uses the reachability exploration 3609 procedure described in [4] to verify that the new locator is 3610 reachable before changing Lp(peer). 3612 10.5. Receiving Update Acknowledgement messages 3614 A host MUST silently discard any received Update Acknowledgement 3615 messages that do not satisfy all of the following validity checks in 3616 addition to those specified in Section 12.3: 3618 o The Hdr Ext Len field is at least 1, i.e., the length is at least 3619 16 octets. 3621 Upon the reception of an Update Acknowledgement message, the host 3622 extracts the Context Tag and the Request Nonce from the message. It 3623 then looks for a context which has a CT(local) that matches the 3624 context tag. If no such context is found, it sends a R1bis message 3625 as specified in Section 7.17. 3627 Since context tags can be reused, the host MUST verify that the IPv6 3628 source address field is part of Ls(peer) and that the IPv6 3629 destination address field is part of Ls(local). If this is not the 3630 case, the sender of the Update Acknowledgement has a stale context 3631 which happens to match the CT(local) for this context. In this case 3632 the host MUST send a R1bis message, and otherwise ignore the Update 3633 Acknowledgement message. 3635 Then, depending on the STATE of the context: 3637 o If ESTABLISHED: Proceed to process message. 3639 o If I1-SENT, discard the message and stay in I1-SENT. 3641 o If I2-SENT, then send R2 and proceed to process the message. 3643 o If I2BIS-SENT, then send R2 and proceed to process the message. 3645 If the Request Nonce doesn't match the Nonce for the last sent Update 3646 Request for the context, then the Update Acknowledgement is silently 3647 ignored. If the nonce matches, then the update has been completed 3648 and the Update retransmit timer can be reset. 3650 11. Sending ULP Payloads 3652 When there is no context state for the ULID pair on the sender, there 3653 is no effect on how ULP packets are sent. If the host is using some 3654 heuristic for determining when to perform a deferred context 3655 establishment, then the host might need to do some accounting (count 3656 the number of packets sent and received) even before there is a ULID- 3657 pair context. 3659 If the context is not in ESTABLISHED or I2BIS-SENT STATE, then it 3660 there is also no effect on how the ULP packets are sent. Only in the 3661 ESTABLISHED and I2BIS-SENT STATES does the host have CT(peer) and 3662 Ls(peer) set. 3664 If there is a ULID-pair context for the ULID pair, then the sender 3665 needs to verify whether context uses the ULIDs as locators, that is, 3666 whether Lp(peer) == ULID(peer) and Lp(local) == ULID(local). 3668 If this is the case, then packets can be sent unmodified by the shim. 3669 If it is not the case, then the logic in Section 11.1 will need to be 3670 used. 3672 There will also be some maintenance activity relating to 3673 (un)reachability detection, whether packets are sent with the 3674 original locators or not. The details of this is out of scope for 3675 this document and is specified in [4]. 3677 11.1. Sending ULP Payload after a Switch 3679 When sending packets, if there is a ULID-pair context for the ULID 3680 pair, and the ULID pair is no longer used as the locator pair, then 3681 the sender needs to transform the packet. Apart from replacing the 3682 IPv6 source and destination fields with a locator pair, an 8-octet 3683 header is added so that the receiver can find the context and inverse 3684 the transformation. 3686 If there has been a failure causing a switch, and later the context 3687 switches back to sending things using the ULID pair as the locator 3688 pair, then there is no longer a need to do any packet transformation 3689 by the sender, hence there is no need to include the 8-octet 3690 extension header. 3692 First, the IP address fields are replaced. The IPv6 source address 3693 field is set to Lp(local) and the destination address field is set to 3694 Lp(peer). NOTE that this MUST NOT cause any recalculation of the ULP 3695 checksums, since the ULP checksums are carried end-to-end and the ULP 3696 pseudo-header contains the ULIDs which are preserved end-to-end. 3698 The sender skips any "routing sub-layer extension headers" that the 3699 ULP might have included, thus it skips any hop-by-hop extension 3700 header, any routing header, and any destination options header that 3701 is followed by a routing header. After any such headers the Shim6 3702 extension header will be added. This might be before a Fragment 3703 header, a Destination Options header, an ESP or AH header, or a ULP 3704 header. 3706 The inserted Shim6 Payload extension header includes the peer's 3707 context tag. It takes on the next header value from the preceding 3708 extension header, since that extension header will have a next header 3709 value of Shim6. 3711 12. Receiving Packets 3713 The receive side of the communication can receive packets associated 3714 to a Shim6 context with or without the Shim6 extension header. In 3715 case that the ULID pair is being used as locator pair, the packets 3716 received will not have the Shim6 extension header and will be 3717 processed by the Shim6 layer as described below. If the received 3718 packet does carry the Shim6 extension header, as in normal IPv6 3719 receive side packet processing the receiver parses the (extension) 3720 headers in order. Should it find a Shim6 extension header it will 3721 look at the "P" field in that header. If this bit is zero, then the 3722 packet must be passed to the Shim6 payload handling for rewriting. 3723 Otherwise, the packet is passed to the Shim6 control handling. 3725 12.1. Receiving payload without extension headers 3727 The receiver extracts the IPv6 source and destination fields, and 3728 uses this to find a ULID-pair context, such that the IPv6 address 3729 fields match the ULID(local) and ULID(peer). If such a context is 3730 found, the context appears not to be quiescent and this should be 3731 remembered in order to avoid tearing down the context and for 3732 reachability detection purposes as described in [4]. The host 3733 continues with the normal processing of the IP packet. 3735 12.2. Receiving Payload Extension Headers 3737 The receiver extracts the context tag from the payload extension 3738 header, and uses this to find a ULID-pair context. If no context is 3739 found, the receiver SHOULD generate a R1bis message (see 3740 Section 7.17). 3742 Then, depending on the STATE of the context: 3744 o If ESTABLISHED: Proceed to process message. 3746 o If I1-SENT, discard the message and stay in I1-SENT. 3748 o If I2-SENT, then send I2 and proceed to process the message. 3750 o If I2BIS-SENT, then send I2bis and proceed to process the message. 3752 With the context in hand, the receiver can now replace the IP address 3753 fields with the ULIDs kept in the context. Finally, the Payload 3754 extension header is removed from the packet (so that the ULP doesn't 3755 get confused by it), and the next header value in the preceding 3756 header is set to be the actual protocol number for the payload. Then 3757 the packet can be passed to the protocol identified by the next 3758 header value (which might be some function associated with the IP 3759 endpoint sublayer, or a ULP). 3761 If the host is using some heuristic for determining when to perform a 3762 deferred context establishment, then the host might need to do some 3763 accounting (count the number of packets sent and received) for 3764 packets that does not have a Shim6 extension header and for which 3765 there is no context. But the need for this depends on what 3766 heuristics the implementation has chosen. 3768 12.3. Receiving Shim Control messages 3770 A shim control message has the checksum field verified. The Shim 3771 header length field is also verified against the length of the IPv6 3772 packet to make sure that the shim message doesn't claim to end past 3773 the end of the IPv6 packet. Finally, it checks that the neither the 3774 IPv6 destination field nor the IPv6 source field is a multicast 3775 address nor the unspecified address. If any of those checks fail, 3776 the packet is silently dropped. 3778 The message is then dispatched based on the shim message type. Each 3779 message type is then processed as described elsewhere in this 3780 document. If the packet contains a shim message type which is 3781 unknown to the receiver, then a Shim6 Error Message with Error Code=0 3782 is generated and sent back. The Pointer field is set to point at the 3783 first octet of the shim message type. 3785 All the control messages can contain any options with C=0. If there 3786 is any option in the message with C=1 that isn't known to the host, 3787 then the host MUST send a Shim6 Error Message with Error Code=1, with 3788 the Pointer field referencing the first octet of the Option Type. 3790 12.4. Context Lookup 3792 We assume that each shim context has its own STATE machine. We 3793 assume that a dispatcher delivers incoming packets to the STATE 3794 machine that it belongs to. Here we describe the rules used for the 3795 dispatcher to deliver packets to the correct shim context STATE 3796 machine. 3798 There is one STATE machine per context identified that is 3799 conceptually identified by ULID pair and Forked Instance Identifier 3800 (which is zero by default), or identified by CT(local). However, the 3801 detailed lookup rules are more complex, especially during context 3802 establishment. 3804 Clearly, if the required context is not established, it will be in 3805 IDLE STATE. 3807 During context establishment, the context is identified as follows: 3809 o I1 packets: Deliver to the context associated with the ULID pair 3810 and the Forked Instance Identifier. 3812 o I2 packets: Deliver to the context associated with the ULID pair 3813 and the Forked Instance Identifier. 3815 o R1 packets: Deliver to the context with the locator pair included 3816 in the packet and the Initiator nonce included in the packet (R1 3817 does not contain ULID pair nor the CT(local)). If no context 3818 exist with this locator pair and Initiator nonce, then silently 3819 discard. 3821 o R2 packets: Deliver to the context with the locator pair included 3822 in the packet and the Initiator nonce included in the packet (R2 3823 does not contain ULID pair nor the CT(local)). If no context 3824 exists with this locator pair and INIT nonce, then silently 3825 discard. 3827 o R1bis packet: deliver to the context that has the locator pair and 3828 the CT(peer) equal to the Packet Context Tag included in the R1bis 3829 packet. 3831 o I2bis packets: Deliver to the context associated with the ULID 3832 pair and the Forked Instance Identifier. 3834 o Payload extension headers: Deliver to the context with CT(local) 3835 equal to the Receiver Context Tag included in the packet. 3837 o Other control messages (Update, Keepalive, Probe): Deliver to the 3838 context with CT(local) equal to the Receiver Context Tag included 3839 in the packet. Verify that the IPv6 source address field is part 3840 of Ls(peer) and that the IPv6 destination address field is part of 3841 Ls(local). If not, send a R1bis message. 3843 o Shim6 Error Messages and ICMP errors which contain a Shim6 payload 3844 extension header or other shim control packet in the "packet in 3845 error": Use the "packet in error" for dispatching as follows. 3846 Deliver to the context with CT(peer) equal to the Receiver Context 3847 Tag, Lp(local) being the IPv6 source address, and Lp(peer) being 3848 the IPv6 destination address. 3850 In addition, the shim on the sending side needs to be able to find 3851 the context state when a ULP packet is passed down from the ULP. In 3852 that case the lookup key is the pair of ULIDs and FII=0. If we have 3853 a ULP API that allows the ULP to do context forking, then presumably 3854 the ULP would pass down the Forked Instance Identifier. 3856 13. Initial Contact 3858 The initial contact is some non-shim communication between two ULIDs, 3859 as described in Section 2. At that point in time there is no 3860 activity in the shim. 3862 Whether the shim ends up being used or not (e.g., the peer might not 3863 support Shim6) it is highly desirable that the initial contact can be 3864 established even if there is a failure for one or more IP addresses. 3866 The approach taken is to rely on the applications and the transport 3867 protocols to retry with different source and destination addresses, 3868 consistent with what is already specified in Default Address 3869 Selection [7], and some fixes to that specification [8] to make it 3870 try different source addresses and not only different destination 3871 addresses. 3873 The implementation of such an approach can potentially result in long 3874 timeouts. For instance, a naive implementation at the socket API 3875 which uses getaddrinfo() to retrieve all destination addresses and 3876 then tries to bind() and connect() to try all source and destination 3877 address combinations waiting for TCP to time out for each combination 3878 before trying the next one. 3880 However, if implementations encapsulate this in some new connect-by- 3881 name() API, and use non-blocking connect calls, it is possible to 3882 cycle through the available combinations in a more rapid manner until 3883 a working source and destination pair is found. Thus the issues in 3884 this domain are issues of implementations and the current socket API, 3885 and not issues of protocol specification. In all honesty, while 3886 providing an easy to use connect-by-name() API for TCP and other 3887 connection-oriented transports is easy; providing a similar 3888 capability at the API for UDP is hard due to the protocol itself not 3889 providing any "success" feedback. But even the UDP issue is one of 3890 APIs and implementation. 3892 14. Protocol constants 3894 The protocol uses the following constants: 3896 I1_RETRIES_MAX = 4 3898 I1_TIMEOUT = 4 seconds 3900 NO_R1_HOLDDOWN_TIME = 1 min 3902 ICMP_HOLDDOWN_TIME = 10 min 3904 I2_TIMEOUT = 4 seconds 3906 I2_RETRIES_MAX = 2 3908 I2bis_TIMEOUT = 4 seconds 3910 I2bis_RETRIES_MAX = 2 3912 VALIDATOR_MIN_LIFETIME = 30 seconds 3914 UPDATE_TIMEOUT = 4 seconds 3916 MAX_UPDATE_TIMEOUT = 120 seconds 3918 The retransmit timers (I1_TIMEOUT, I2_TIMEOUT, UPDATE_TIMEOUT) are 3919 subject to binary exponential backoff, as well as randomization 3920 across a range of 0.5 and 1.5 times the nominal (backed off) value. 3921 This removes any risk of synchronization between lots of hosts 3922 performing independent shim operations at the same time. 3924 The randomization is applied after the binary exponential backoff. 3925 Thus the first retransmission would happen based on a uniformly 3926 distributed random number in the range [0.5*4, 1.5*4] seconds, the 3927 second retransmission [0.5*8, 1.5*8] seconds after the first one, 3928 etc. 3930 15. Implications Elsewhere 3932 15.1. Congestion Control Considerations 3934 When the locator pair currently used for exchanging packets in a 3935 Shim6 context becomes unreachable, the Shim6 layer will divert the 3936 communication through an alternative locator pair, which in most 3937 cases will result in redirecting the packet flow through an 3938 alternative network path. In this case, it recommended that the 3939 Shim6 follows the recommendation defined in [20] and it informs the 3940 upper layers about the path change, in order to allow the congestion 3941 control mechanisms of the upper layers to react accordingly. 3943 15.2. Middle-boxes considerations 3945 Data packets belonging to a Shim6 context carrying the Shim6 Payload 3946 Header contain alternative locators other than the ULIDs in the 3947 source and destination address fields of the IPv6 header. On the 3948 other hand, the upper layers of the peers involved in the 3949 communication operate on the ULID pair presented by the Shim6 layer 3950 to them, rather on the locator pair contained in the IPv6 header of 3951 the actual packets. It should be noted that the Shim6 layer does not 3952 modify the data packets, but because a constant ULID pair is 3953 presented to upper layers irrespective of the locator pair changes, 3954 the relation between the upper layer header (such as TCP, UDP, ICMP, 3955 ESP, etc) and the IPv6 header is modified. In particular, when the 3956 Shim6 Extension header is present in the packet, if those data 3957 packets are TCP, UDP or ICMP packets, the pseudoheader used for the 3958 checksum calculation will contain the ULID pair, rather than the 3959 locator pair contained in the data packet. 3961 It is possible that some firewalls or other middle boxes try to 3962 verify the validity of upper layer sanity checks of the packet on the 3963 fly. If they do that based on the actual source and destination 3964 addresses contained in the IPv6 header without considering the Shim6 3965 context information (in particular without replacing the locator pair 3966 by the ULID pair used by the Shim6 context) such verifications may 3967 fail. Those middle-boxes need to be updated in order to be able to 3968 parse the Shim6 payload header and find the next header header after 3969 that. It is recommended that firewalls and other middle-boxes do not 3970 drop packets that carry the Shim6 Payload header with apparently 3971 incorrect upper layer validity checks that involve the addresses in 3972 the IPv6 header for their computation, unless they are able to 3973 determine the ULID pair of the Shim6 context associated to the data 3974 packet and use the ULID pair for the verification of the validity 3975 check. 3977 In the particular case of TCP, UDP and ICMP checksums, it is 3978 recommended that firewalls and other middle-boxes do not drop TCP, 3979 UDP and ICMP packets that carry the Shim6 Payload header with 3980 apparently incorrect checksums when using the addresses in the IPv6 3981 header for the pseudoheader computation, unless they implement are 3982 able to determine the ULID pair of the Shim6 context associated to 3983 the data packet and use the ULID pair to determine the checksum that 3984 must be present in a packet with addresses rewritten by Shim6. 3986 In addition, firewalls that today pass limited traffic, e.g., 3987 outbound TCP connections, would presumably block the Shim6 protocol. 3988 This means that even when Shim6 capable hosts are communicating, the 3989 I1 messages would be dropped, hence the hosts would not discover that 3990 their peer is Shim6 capable. This is in fact a feature, since if the 3991 hosts managed to establish a ULID-pair context, then the firewall 3992 would probably drop the "different" packets that are sent after a 3993 failure (those using the Shim6 payload extension header with a TCP 3994 packet inside it). Thus stateful firewalls that are modified to pass 3995 Shim6 messages should also be modified to pass the payload extension 3996 header, so that the shim can use the alternate locators to recover 3997 from failures. This presumably implies that the firewall needs to 3998 track the set of locators in use by looking at the Shim6 control 3999 exchanges. Such firewalls might even want to verify the locators 4000 using the HBA/CGA verification themselves, which they can do without 4001 modifying any of the Shim6 packets they pass through. 4003 15.3. Operation and Management Considerations 4005 This section considers some aspects related to the operations and 4006 management of the Shim6 protocol. 4008 Deployment of th Shim6 protocol: The Shim6 protocol is a host based 4009 solution, so, in order to be deployed, the stacks of the hosts using 4010 the Shim6 protocol need to be updated to support it. This enables an 4011 incremental deployment of the protocol, since it does not requires a 4012 flag day for the deployment, just single host updates. If the Shim6 4013 solution will be deployed in a site, host can be gradually updated to 4014 support the solution. Moreover, for supporting the Shim6 protocol, 4015 only end hosts need to be updated and no router changes are required. 4016 However, it should be noted that in order to benefit from the Shim6 4017 protocol, both ends of a communication should support the protocol, 4018 meaning that both hosts must be updated to be able to use the Shim6 4019 protocol. Nevertheless, the Shim6 protocol uses a deferred context 4020 setup capability, that allows to establish normal IPv6 communications 4021 and later on, if both endpoints are Shim6-capable, protect the 4022 communication with the Shim6 protocol. This has an important 4023 deployment benefit, since Shim6 enabled nodes can perfectly talk to 4024 non-Shim6 capable nodes wihtout introducing any problem in the 4025 communication. 4027 Configuration of Shim6-capable nodes: The Shim6 protocol itself does 4028 not requires any spcific configuration to provide its basic features. 4029 The Shim6 protocol is designed to provide a default service to upper 4030 layers that should satisfy general applications. Th Shim6 layer 4031 would automatically attempt to protect long lived communications, by 4032 triggering the establishment of the Shim6 context using some 4033 predefined heuristics. Of course, if some special tunning is 4034 required by some applications, this may required additional 4035 configuration. Similar considerations apply to a site attempting to 4036 perform some forms of traffic engineering using different preferences 4037 for different locators. 4039 Address and prefix configuration: The Shim6 protocol assumes that in 4040 a multihomed site multiple prefixes will be available. Such 4041 configuration can increase the operation work in a network. However, 4042 it should be noted that the capability of having multiupl prefixes in 4043 a site and multiple addresses assigned to an interface is an IPv6 4044 capability that goes beyond the Shim6 case and it is expected to be 4045 widely used. So, even though this is the case for Shim6, we consider 4046 that the implications of such a configuration is beyond the 4047 particular case of Shim6 and must be addressed for the generic IPv6 4048 case. Nevertheless, Shim6 also assumes the usage of CGA/HBA 4049 addresses by Shim6 hosts. this implies that Shim6 capable hosts 4050 should configure addresses using HBA/CGA generation mechanims. 4051 Additional consideration about this issue can be found at [18] 4053 15.4. Other considerations 4055 The general Shim6 approach, as well as the specifics of this proposed 4056 solution, has implications elsewhere, including: 4058 o Applications that perform referrals, or callbacks using IP 4059 addresses as the 'identifiers' can still function in limited ways, 4060 as described in [17]. But in order for such applications to be 4061 able to take advantage of the multiple locators for redundancy, 4062 the applications need to be modified to either use fully qualified 4063 domain names as the 'identifiers', or they need to pass all the 4064 locators as the 'identifiers' i.e., the 'identifier' from the 4065 applications perspective becomes a set of IP addresses instead of 4066 a single IP address. 4068 o Signaling protocols for QoS or other things that involve having 4069 devices in the network path look at IP addresses and port numbers, 4070 or IP addresses and Flow Labels, need to be invoked on the hosts 4071 when the locator pair changes due to a failure. At that point in 4072 time those protocols need to inform the devices that a new pair of 4073 IP addresses will be used for the flow. Note that this is the 4074 case even though this protocol, unlike some earlier proposals, 4075 does not overload the flow label as a context tag; the in-path 4076 devices need to know about the use of the new locators even though 4077 the flow label stays the same. 4079 o MTU implications. The path MTU mechanisms we use are robust 4080 against different packets taking different paths through the 4081 Internet, by computing a minimum over the recently observed path 4082 MTUs. When Shim6 fails over from using one locator pair to 4083 another pair, this means that packets might travel over a 4084 different path through the Internet, hence the path MTU might be 4085 quite different. In order to deal with this changes in the MTU, 4086 the usage of Packetization Layer Path MTU Discovery as defined in 4087 [23] is reccommended. 4089 The fact that the shim will add an 8 octet Payload Extension 4090 header to the ULP packets after a locator switch, can also affect 4091 the usable path MTU for the ULPs. In this case the MTU change is 4092 local to the sending host, thus conveying the change to the ULPs 4093 is an implementation matter. By conveying the information to the 4094 transport layer, it can adapt and reduce the MSS accordingly. 4096 16. Security Considerations 4098 This document satisfies the concerns specified in [14] as follows: 4100 o The HBA [2] and CGA technique [3] for verifying the locators to 4101 prevent an attacker from redirecting the packet stream to 4102 somewhere else, preventing threats described in sections 4.1.1, 4103 4.1.2, 4.1.3 and 4.2 of [14]. These two approaches provide a 4104 similar level of protection but they provide different 4105 functionality with a different computational cost. The HBA 4106 mechanism relies on the capability of generating all the addresses 4107 of a multihomed host as an unalterable set of intrinsically bound 4108 IPv6 addresses, known as an HBA set. In this approach, addresses 4109 incorporate a cryptographic one-way hash of the prefix-set 4110 available into the interface identifier part. The result is that 4111 the binding between all the available addresses is encoded within 4112 the addresses themselves, providing hijacking protection. Any 4113 peer using the shim protocol node can efficiently verify that the 4114 alternative addresses proposed for continuing the communication 4115 are bound to the initial address through a simple hash 4116 calculation. In a CGA based approach the address used as ULID is 4117 a CGA that contains a hash of a public key in its interface 4118 identifier. The result is a secure binding between the ULID and 4119 the associated key pair. This allows each peer to use the 4120 corresponding private key to sign the shim messages that convey 4121 locator set information. The trust chain in this case is the 4122 following: the ULID used for the communication is securely bound 4123 to the key pair because it contains the hash of the public key, 4124 and the locator set is bound to the public key through the 4125 signature. Any of these two mechanisms HBA and CGA provide time- 4126 shifted attack protection (as described in section 4.1.2 of [14]), 4127 since the ULID is securely bound to a locator set that can only be 4128 defined by the owner of the ULID. The minimum acceptable key 4129 length for RSA keys used in the generation of CGAs MUST be at 4130 least 1024 bits. Any implementation should follow prudent 4131 cryptographic practice in determining the appropriate key lengths. 4133 o 3rd party flooding attacks described in section 4.3 of [14] are 4134 prevented by requiring a Shim6 peer to perform a successful 4135 Reachability probe + reply exchange before accepting a new locator 4136 for use as a packet destination.. 4138 o The first message does not create any state on the responder. 4139 Essentially a 3-way exchange is required before the responder 4140 creates any state. This means that a state-based DoS attack 4141 (trying to use up all of memory on the responder) at least 4142 requires the attacker to create state, consuming his own resources 4143 and also it provides an IPv6 address that the attacker was using. 4145 o The context establishment messages use nonces to prevent replay 4146 attacks as described in section 4.1.4 of [14], and to prevent off- 4147 path attackers from interfering with the establishment. 4149 o Every control message of the Shim6 protocol, past the context 4150 establishment, carry the context tag assigned to the particular 4151 context. This implies that an attacker needs to discover that 4152 context tag before being able to spoof any Shim6 control message 4153 as described in section 4.4 of [14]. Such discovery probably 4154 requires to be along the path in order to be sniff the context tag 4155 value. The result is that through this technique, the Shim6 4156 protocol is protected against off-path attackers. 4158 16.1. Interaction with IPsec 4160 The Shim6 sub-layer can be implemented either below IPsec sublayer, 4161 or above the IPsec sub-layer, or both. (The latter can occur when 4162 e.g., IPsec is used both end-to-end as well as for IPsec tunnels.) 4164 In a "bump-in-the-stack" (BITS) IPsec implementation, IPsec is 4165 implemented "underneath" an existing implementation of an IP protocol 4166 stack, between the native IP and the local network drivers. In that 4167 case it is not possible to make IPsec benefit from the failover 4168 capabilities of shim6; when shim6 fails over to a different locator 4169 pair then the BITS IPsec would end up using a different (and possibly 4170 establish a new) security association for that pair of IP addresses. 4171 Same thing applies to a "bump-in-the-wire" (BITW) IPsec 4172 implementation. In those cases shim6 and IPsec still work, but it is 4173 less efficient to have to use separate security associations as a 4174 result of a shim6 failover. 4176 In order for a BITS and BITW IPsec implementation on the node as well 4177 as a security gateway to be able to look at the same selectors before 4178 and after a failover, their implementation needs to skip the SHIM6 4179 extension header to find the selectors for the next layer protocols 4180 (e.g., TCP, UDP, Stream Control Transmission Protocol (SCTP)) 4182 When the Shim6 sub-layer is implemented below the IPsec sub-layer 4183 within the IP layer we avoid any extra IPsec work due to locator 4184 changes, but the implementation needs to make sure that the locator 4185 changes doesn't cause any violations of the inteded IPsec policy. It 4186 is easiest to explain this issue using an example: 4188 o Assume a pair of hosts, A and B, in different parts of a company. 4189 The hosts do not implement shim6. 4191 o H1 has to IP addresses IP1(A) and IP2(A). Ditto IP1(B) and 4192 IP2(B). 4194 o The routing and firewalls used might be setup so that the path 4195 between IP1(A) and IP1(B) uses a communication path that is 4196 internal to the company. The path between IP2(A) and IP2(B) might 4197 be a fallback path where packets are sent over the public 4198 Internet. 4200 o In such a case it might make sense to have an IPsec policy on A 4201 and B that all packets between IP1(A) and IP1(B) to be in the 4202 clear while packets between IP2(A) and IP2(B) must be encrypted. 4204 Should we introduce the shim below ESP/AH on host A and B then 4205 potentially we could have Ls(A) include IP1(A) and IP2(B) and 4206 likewise for B. This means that some communication might start out 4207 between the ULID pair IP1(A) and IP1(B), and IPsec will see those 4208 ULIDs and, based on the policy, send things in the clear. Should 4209 there be a failure then the shim, transparently to IPsec, might fail 4210 over to using the locator pair IP2(A),IP2(B) while still sending the 4211 packets in the clear. That MUST be avoided. 4213 This implies that when the shim forms a locator set for the host it 4214 MUST NOT include locators for which there exists any differences in 4215 the IPsec policy. And since the shim is independent of any higher 4216 level selectors (protocols, port numbers, ICMP fields), this check 4217 for differences must treat those fields as wildcards. This IPx(A) 4218 and IPy(A) MUST NOT be included in the same locator set if there 4219 exists any IPsec policy in the SPD onthe host that is different 4220 should the local address change between IPx(A) and IPy(A). 4222 This check MUST be performed for the locators sets that are used 4223 locally as well as the locator sets that are sent to the peer in the 4224 shim6 control messages. In the case that there are such differences 4225 it might make sense to form different locator sets. In the above 4226 example should host A have multiple addresses that can be routed over 4227 the public Internet it can form a locator set with those and use that 4228 locator set for communication that uses a ULID that belongs to the 4229 set. 4231 The notion of having separate locator sets that have different 4232 security properties is useful in cases that does not involve IPsec. 4233 For instance, a firewall which has a black network interface and a 4234 red network interface, each having some set of assigned IP addresses, 4235 SHOULD form a Lblacks(local) and a Lreds(local) so that the shim 4236 doesn't attempt to use a red locator assigned to the host for a 4237 context pair that has a local black ULID, and vice versa. 4239 The same constraint applies to shim6 hosts which have interfaces 4240 attached to networks where there are different security 4241 considerations, for instance a host with some interfaces attached to 4242 the public Internet and some interfaces attached to an intranet. 4244 16.2. Residual Threats 4246 Some of the residual threats in this proposal are: 4248 o An attacker which arrives late on the path (after the context has 4249 been established) can use the R1bis message to cause one peer to 4250 recreate the context, and at that point in time the attacker can 4251 observe all of the exchange. But this doesn't seem to open any 4252 new doors for the attacker since such an attacker can observe the 4253 context tags that are being used, and once known it can use those 4254 to send bogus messages. 4256 o An attacker which is present on the path so that it can find out 4257 the context tags, can generate a R1bis message after it has moved 4258 off the path. For this packet to be effective it needs to have a 4259 source locator which belongs to the context, thus there can not be 4260 "too much" ingress filtering between the attackers new location 4261 and the communicating peers. But this doesn't seem to be that 4262 severe, because once the R1bis causes the context to be re- 4263 established, a new pair of context tags will be used, which will 4264 not be known to the attacker. If this is still a concern, we 4265 could require a 2-way handshake "did you really lose the state?" 4266 in response to the error message. 4268 o It might be possible for an attacker to try random 47-bit context 4269 tags and see if they can cause disruption for communication 4270 between two hosts. In particular, in the case of payload packets, 4271 the effects of such attack would be similar of those of an 4272 attacker sending packets with spoofed source address. In the case 4273 of control packets, it is not enough to find the correct context 4274 tag, but additional information is required (e.g. nonces, proper 4275 source addresses) (see previous bullet for the case of R1bis). If 4276 a 47-bit tag, which is the largest that fits in an 8-octet 4277 extension header, isn't sufficient, one could use an even larger 4278 tag in the Shim6 control messages, and use the low-order 47 bits 4279 in the payload extension header. 4281 o When the payload extension header is used, an attacker that can 4282 guess the 47-bit random context tag, can inject packets into the 4283 context with any source locator. Thus if there is ingress 4284 filtering between the attacker, this could potentially allow to 4285 bypass the ingress filtering. However, in addition to guessing 4286 the 47-bit context tag, the attacker also needs to find a context 4287 where, after the receiver's replacement of the locators with the 4288 ULIDs, the the ULP checksum is correct. But even this wouldn't be 4289 sufficient with ULPs like TCP, since the TCP port numbers and 4290 sequence numbers must match an existing connection. Thus, even 4291 though the issues for off-path attackers injecting packets are 4292 different than today with ingress filtering, it is still very hard 4293 for an off-path attacker to guess. If IPsec is applied then the 4294 issue goes away completely. 4296 o The validator included in the R1 and R1bis packets are generated 4297 as a hash of several input parameters. While most of the inputs 4298 are actually determined by the sender, and only the secret value S 4299 is unknown to the sender, the resulting protection is deemed to be 4300 enough since it would be easier for the attacker to just obtain a 4301 new validator sending a I1 packet than performing all the 4302 computations required to determine the secret S. Nevertheless, it 4303 is recommended that the host changes the secret S periodically. 4305 17. IANA Considerations 4307 IANA is directed to allocate a new IP Protocol Number value for the 4308 Shim6 Protocol. 4310 IANA is directed to record a CGA message type for the Shim6 Protocol 4311 in the CGA Extension Type Tags registry with the value 0x4A30 5662 4312 4858 574B 3655 416F 506A 6D48. 4314 IANA is directed to establish a Shim6 Parameter Registry with three 4315 components: Shim6 Type registrations, Shim6 Options registrations 4316 Shim6 Error Code registrations. 4318 The initial contents of the Shim6 Type registry are as follows: 4320 +------------+-----------------------------------------------------+ 4321 | Type Value | Message | 4322 +------------+-----------------------------------------------------+ 4323 | 0 | RESERVED | 4324 | | | 4325 | 1 | I1 (first establishment message from the initiator) | 4326 | | | 4327 | 2 | R1 (first establishment message from the responder) | 4328 | | | 4329 | 3 | I2 (2nd establishment message from the initiator) | 4330 | | | 4331 | 4 | R2 (2nd establishment message from the responder) | 4332 | | | 4333 | 5 | R1bis (Reply to reference to non-existent context) | 4334 | | | 4335 | 6 | I2bis (Reply to a R1bis message) | 4336 | | | 4337 | 7-59 | Can be allocated using Standards Action | 4338 | | | 4339 | 60-63 | For Experimental use | 4340 | | | 4341 | 64 | Update Request | 4342 | | | 4343 | 65 | Update Acknowledgement | 4344 | | | 4345 | 66 | Keepalive | 4346 | | | 4347 | 67 | Probe Message | 4348 | | | 4349 | 68-123 | Can be allocated using Standards Action | 4350 | | | 4351 | 124-127 | For Experimental use | 4352 +------------+-----------------------------------------------------+ 4353 The initial contents of the Shim6 Options registry are as follows: 4355 +-------------+----------------------------------+ 4356 | Type | Option Name | 4357 +-------------+----------------------------------+ 4358 | 0 | RESERVED | 4359 | | | 4360 | 1 | Responder Validator | 4361 | | | 4362 | 2 | Locator List | 4363 | | | 4364 | 3 | Locator Preferences | 4365 | | | 4366 | 4 | CGA Parameter Data Structure | 4367 | | | 4368 | 5 | CGA Signature | 4369 | | | 4370 | 6 | ULID Pair | 4371 | | | 4372 | 7 | Forked Instance Identifier | 4373 | | | 4374 | 8-9 | Allocated using Standards action | 4375 | | | 4376 | 10 | Keepalive Timeout Option | 4377 | | | 4378 | 11-16383 | Allocated using Standards action | 4379 | | | 4380 | 16384-32767 | For Experimental use | 4381 +-------------+----------------------------------+ 4383 The initial contents of the Shim6 Error Code registry are as follows: 4385 +------------+--------------------------------------------+ 4386 | Code Value | Description | 4387 +------------+--------------------------------------------+ 4388 | 0 | Unknown Shim6 message type | 4389 | | | 4390 | 1 | Critical Option not recognized | 4391 | | | 4392 | 2 | Locator verification method failed | 4393 | | | 4394 | 3 | Locator List Generation number out of sync | 4395 | | | 4396 | 4 | Error in the number of locators | 4397 | | | 4398 | 120-127 | Reserved for debugging purposes | 4399 +------------+--------------------------------------------+ 4401 18. Acknowledgements 4403 Over the years many people active in the multi6 and shim6 WGs have 4404 contributed ideas a suggestions that are reflected in this 4405 specification. Special thanks to the careful comments from Sam 4406 Hartman, Cullen Jennings, Magnus Nystrom, Stephen Kent, Geoff Huston, 4407 Shinta Sugimoto, Pekka Savola, Dave Meyer, Deguang Le, Jari Arkko, 4408 Iljitsch van Beijnum, Jim Bound, Brian Carpenter, Sebastien Barre, 4409 Matthijs Mekking, Dave Thaler, Bob Braden Wesley Eddy and Tom 4410 Henderson on earlier versions of this document. 4412 Appendix A. Possible Protocol Extensions 4414 During the development of this protocol, several issues have been 4415 brought up as important one to address, but are ones that do not need 4416 to be in the base protocol itself but can instead be done as 4417 extensions to the protocol. The key ones are: 4419 o As stated in the assumptions in Section 3, the in order for the 4420 Shim6 protocol to be able to recover from a wide range of 4421 failures, for instance when one of the communicating hosts is 4422 single-homed, and cope with a site's ISPs that do ingress 4423 filtering based on the source IPv6 address, there is a need for 4424 the host to be able to influence the egress selection from its 4425 site. Further discussion of this issue is captured in [15]. 4427 o Is there need for keeping the list of locators private between the 4428 two communicating endpoints? We can potentially accomplish that 4429 when using CGA but not with HBA, but it comes at the cost of doing 4430 some public key encryption and decryption operations as part of 4431 the context establishment. The suggestion is to leave this for a 4432 future extension to the protocol. 4434 o Defining some form of end-to-end "compression" mechanism that 4435 removes the need for including the Shim6 Payload extension header 4436 when the locator pair is not the ULID pair. 4438 o Supporting the dynamic setting of locator preferences on a site- 4439 wide basis, and use the Locator Preference option in the Shim6 4440 protocol to convey these preferences to remote communicating 4441 hosts. This could mirror the DNS SRV record's notion of priority 4442 and weight. 4444 o Specifying APIs for the ULPs to be aware of the locators the shim 4445 is using, and be able to influence the choice of locators 4446 (controlling preferences as well as triggering a locator pair 4447 switch). This includes providing APIs the ULPs can use to fork a 4448 shim context. 4450 o Whether it is feasible to relax the suggestions for when context 4451 state is removed, so that one can end up with an asymmetric 4452 distribution of the context state and still get (most of) the shim 4453 benefits. For example, the busy server would go through the 4454 context setup but would quickly remove the context state after 4455 this (in order to save memory) but the not-so-busy client would 4456 retain the context state. The context recovery mechanism 4457 presented in Section 7.5 would then be recreate the state should 4458 the client send either a shim control message (e.g., probe message 4459 because it sees a problem), or a ULP packet in an payload 4460 extension header (because it had earlier failed over to an 4461 alternative locator pair, but had been silent for a while). This 4462 seems to provide the benefits of the shim as long as the client 4463 can detect the failure. If the client doesn't send anything, and 4464 it is the server that tries to send, then it will not be able to 4465 recover because the shim on the server has no context state, hence 4466 doesn't know any alternate locator pairs. 4468 o Study what it would take to make the Shim6 control protocol not 4469 rely at all on a stable source locator in the packets. This can 4470 probably be accomplished by having all the shim control messages 4471 include the ULID-pair option. 4473 o If each host might have lots of locators, then the currently 4474 requirement to include essentially all of them in the I2 and R2 4475 messages might be constraining. If this is the case we can look 4476 into using the CGA Parameter Data Structure for the comparison, 4477 instead of the prefix sets, to be able to detect context 4478 confusion. This would place some constraint on a (logical) only 4479 using e.g., one CGA public key, and would require some carefully 4480 crafted rules on how two PDSs are compared for "being the same 4481 host". But if we don't expect more than a handful locators per 4482 host, then we don't need this added complexity. 4484 o ULP specified timers for the reachability detection mechanism 4485 (which can be useful particularly when there are forked contexts). 4487 o Pre-verify some "backup" locator pair, so that the failover time 4488 can be shorter. 4490 o Study how Shim6 and Mobile IPv6 might interact. There existing an 4491 initial draft on this topic [16]. 4493 Appendix B. Simplified STATE Machine 4495 The STATES are defined in Section 6.2. The intent is that the 4496 stylized description below be consistent with the textual description 4497 in the specification, but should they conflict, the textual 4498 description is normative. 4500 The following table describes the possible actions in STATE IDLE and 4501 their respective triggers: 4503 +---------------------+---------------------------------------------+ 4504 | Trigger | Action | 4505 +---------------------+---------------------------------------------+ 4506 | Receive I1 | Send R1 and stay in IDLE | 4507 | | | 4508 | Heuristics trigger | Send I1 and move to I1-SENT | 4509 | a new context | | 4510 | establishment | | 4511 | | | 4512 | Receive I2, verify | If successful, send R2 and move to | 4513 | validator and | ESTABLISHED | 4514 | RESP nonce | | 4515 | | If fail, stay in IDLE | 4516 | | | 4517 | Receive I2bis, | If successful, send R2 and move to | 4518 | verify validator | ESTABLISHED | 4519 | and RESP nonce | | 4520 | | If fail, stay in IDLE | 4521 | | | 4522 | R1, R1bis, R2 | N/A (This context lacks the required info | 4523 | | for the dispatcher to deliver them) | 4524 | | | 4525 | Receive payload | Send R1bis and stay in IDLE | 4526 | extension header | | 4527 | or other control | | 4528 | packet | | 4529 +---------------------+---------------------------------------------+ 4530 The following table describes the possible actions in STATE I1-SENT 4531 and their respective triggers: 4533 +---------------------+---------------------------------------------+ 4534 | Trigger | Action | 4535 +---------------------+---------------------------------------------+ 4536 | Receive R1, verify | If successful, send I2 and move to I2-SENT | 4537 | INIT nonce | | 4538 | | If fail, discard and stay in I1-SENT | 4539 | | | 4540 | Receive I1 | Send R2 and stay in I1-SENT | 4541 | | | 4542 | Receive R2, verify | If successful, move to ESTABLISHED | 4543 | INIT nonce | | 4544 | | If fail, discard and stay in I1-SENT | 4545 | | | 4546 | Receive I2, verify | If successful, send R2 and move to | 4547 | validator and RESP | ESTABLISHED | 4548 | nonce | | 4549 | | If fail, discard and stay in I1-SENT | 4550 | | | 4551 | Receive I2bis, | If successful, send R2 and move to | 4552 | verify validator | ESTABLISHED | 4553 | and RESP nonce | | 4554 | | If fail, discard and stay in I1-SENT | 4555 | | | 4556 | Timeout, increment | If counter =< I1_RETRIES_MAX, send I1 and | 4557 | timeout counter | stay in I1-SENT | 4558 | | | 4559 | | If counter > I1_RETRIES_MAX, go to E-FAILED | 4560 | | | 4561 | Receive ICMP payload| Move to E-FAILED | 4562 | unknown error | | 4563 | | | 4564 | R1bis | N/A (Dispatcher doesn't deliver since | 4565 | | CT(peer) is not set) | 4566 | | | 4567 | Receive Payload or | Discard and stay in I1-SENT | 4568 | extension header | | 4569 | or other control | | 4570 | packet | | 4571 +---------------------+---------------------------------------------+ 4572 The following table describes the possible actions in STATE I2-SENT 4573 and their respective triggers: 4575 +---------------------+---------------------------------------------+ 4576 | Trigger | Action | 4577 +---------------------+---------------------------------------------+ 4578 | Receive R2, verify | If successful move to ESTABLISHED | 4579 | INIT nonce | | 4580 | | If fail, stay in I2-SENT | 4581 | | | 4582 | Receive I1 | Send R2 and stay in I2-SENT | 4583 | | | 4584 | Receive I2 | Send R2 and stay in I2-SENT | 4585 | verify validator | | 4586 | and RESP nonce | | 4587 | | | 4588 | Receive I2bis | Send R2 and stay in I2-SENT | 4589 | verify validator | | 4590 | and RESP nonce | | 4591 | | | 4592 | Receive R1 | Discard and stay in I2-SENT | 4593 | | | 4594 | Timeout, increment | If counter =< I2_RETRIES_MAX, send I2 and | 4595 | timeout counter | stay in I2-SENT | 4596 | | | 4597 | | If counter > I2_RETRIES_MAX, send I1 and go | 4598 | | to I1-SENT | 4599 | | | 4600 | R1bis | N/A (Dispatcher doesn't deliver since | 4601 | | CT(peer) is not set) | 4602 | | | 4603 | Receive payload or | Accept and send I2 (probably R2 was sent | 4604 | extension header | by peer and lost) | 4605 | other control | | 4606 | packet | | 4607 +---------------------+---------------------------------------------+ 4608 The following table describes the possible actions in STATE I2BIS- 4609 SENT and their respective triggers: 4611 +---------------------+---------------------------------------------+ 4612 | Trigger | Action | 4613 +---------------------+---------------------------------------------+ 4614 | Receive R2, verify | If successful move to ESTABLISHED | 4615 | INIT nonce | | 4616 | | If fail, stay in I2BIS-SENT | 4617 | | | 4618 | Receive I1 | Send R2 and stay in I2BIS-SENT | 4619 | | | 4620 | Receive I2 | Send R2 and stay in I2BIS-SENT | 4621 | verify validator | | 4622 | and RESP nonce | | 4623 | | | 4624 | Receive I2bis | Send R2 and stay in I2BIS-SENT | 4625 | verify validator | | 4626 | and RESP nonce | | 4627 | | | 4628 | Receive R1 | Discard and stay in I2BIS-SENT | 4629 | | | 4630 | Timeout, increment | If counter =< I2_RETRIES_MAX, send I2bis | 4631 | timeout counter | and stay in I2BIS-SENT | 4632 | | | 4633 | | If counter > I2_RETRIES_MAX, send I1 and | 4634 | | go to I1-SENT | 4635 | | | 4636 | R1bis | N/A (Dispatcher doesn't deliver since | 4637 | | CT(peer) is not set) | 4638 | | | 4639 | Receive payload or | Accept and send I2bis (probably R2 was | 4640 | extension header | sent by peer and lost) | 4641 | other control | | 4642 | packet | | 4643 +---------------------+---------------------------------------------+ 4644 The following table describes the possible actions in STATE 4645 ESTABLISHED and their respective triggers: 4647 +---------------------+---------------------------------------------+ 4648 | Trigger | Action | 4649 +---------------------+---------------------------------------------+ 4650 | Receive I1, compare | If no match, send R1 and stay in ESTABLISHED| 4651 | CT(peer) with | | 4652 | received CT | If match, send R2 and stay in ESTABLISHED | 4653 | | | 4654 | | | 4655 | Receive I2, verify | If successful, then send R2 and stay in | 4656 | validator and RESP | ESTABLISHED | 4657 | nonce | | 4658 | | Otherwise, discard and stay in ESTABLISHED | 4659 | | | 4660 | Receive I2bis, | If successful, then send R2 and stay in | 4661 | verify validator | ESTABLISHED | 4662 | and RESP nonce | | 4663 | | Otherwise, discard and stay in ESTABLISHED | 4664 | | | 4665 | Receive R2 | Discard and stay in ESTABLISHED | 4666 | | | 4667 | Receive R1 | Discard and stay in ESTABLISHED | 4668 | | | 4669 | Receive R1bis | Send I2bis and move to I2BIS-SENT | 4670 | | | 4671 | | | 4672 | Receive payload or | Process and stay in ESTABLISHED | 4673 | extension header | | 4674 | other control | | 4675 | packet | | 4676 | | | 4677 | Implementation | Discard state and go to IDLE | 4678 | specific heuristic | | 4679 | (E.g., No open ULP | | 4680 | sockets and idle | | 4681 | for some time ) | | 4682 +---------------------+---------------------------------------------+ 4683 The following table describes the possible actions in STATE E-FAILED 4684 and their respective triggers: 4686 +---------------------+---------------------------------------------+ 4687 | Trigger | Action | 4688 +---------------------+---------------------------------------------+ 4689 | Wait for | Go to IDLE | 4690 | NO_R1_HOLDDOWN_TIME | | 4691 | | | 4692 | Any packet | Process as in IDLE | 4693 +---------------------+---------------------------------------------+ 4695 The following table describes the possible actions in STATE NO- 4696 SUPPORT and their respective triggers: 4698 +---------------------+---------------------------------------------+ 4699 | Trigger | Action | 4700 +---------------------+---------------------------------------------+ 4701 | Wait for | Go to IDLE | 4702 | ICMP_HOLDDOWN_TIME | | 4703 | | | 4704 | Any packet | Process as in IDLE | 4705 +---------------------+---------------------------------------------+ 4707 Appendix B.1. Simplified STATE Machine diagram 4708 Timeout/Null +------------+ 4709 I1/R1 +------------------| NO SUPPORT | 4710 Payload or Control/R1bis | +------------+ 4711 +---------+ | ^ 4712 | | | ICMP Error/Null| 4713 | V V | 4714 +-----------------+ Timeout/Null +----------+ | 4715 | |<---------------| E-FAILED | | 4716 +-| IDLE | +----------+ | 4717 I2 or I2bis/R2 | | | ^ | 4718 | +-----------------+ (Tiemout#>MAX)/Null| | 4719 | ^ | | | 4720 | | +------+ | | 4721 I2 or I2bis/R2 | | Heuristic/I1| I1/R2 | | 4722 Payload/Null | | | Control/Null | | 4723 I1/R1 or R2 | +--+ | Payload/Null | | 4724 R1 or R2/Null | |Heuristic/Null | (Tiemout#| | 4729 | ESTABLISHED |<----------------------------| I1-SENT | 4730 | | | | 4731 +-------------------+ +----------------+ 4732 | ^ ^ | ^ ^ 4733 | | |R2/Null +-------------+ | | 4734 | | +----------+ |R1/I2 | | 4735 | | | V | | 4736 | | +------------------+ | | 4737 | | | |-------------+ | 4738 | | | I2-SENT | (Timeout#>Max)/I1 | 4739 | | | | | 4740 | | +------------------+ | 4741 | | | ^ | 4742 | | +--------------+ | 4743 | | I1 or I2bis or I2/R2 | 4744 | | (Timeout#Max)/I1 | 4747 | R2/Null| +------------------------------------------+ 4748 | V | 4749 | +-------------------+ 4750 | | |<-+ (Timeout#| I2bis-SENT | | I1 or I2 or I2bis/R2 4752 R1bis/I2bis | |--+ R1 or R1bis/Null 4753 +-------------------+ Payload/I2bis 4755 Appendix C. Context Tag Reuse 4757 The Shim6 protocol doesn't have a mechanism for coordinated state 4758 removal between the peers, because such state removal doesn't seem to 4759 help given that a host can crash and reboot at any time. A result of 4760 this is that the protocol needs to be robust against a context tag 4761 being reused for some other context. This section summarizes the 4762 different cases in which a tag can be reused, and how the recovery 4763 works. 4765 The different cases are exemplified by the following case. Assume 4766 host A and B were communicating using a context with the ULID pair 4767 , and that B had assigned context tag X to this context. We 4768 assume that B uses only the context tag to demultiplex the received 4769 payload extension headers, since this is the more general case. 4770 Further we assume that B removes this context state, while A retains 4771 it. B might then at a later time assign CT(local)=X to some other 4772 context, and we have several cases: 4774 o The context tag is reassigned to a context for the same ULID pair 4775 . We've called this "Context Recovery" in this document. 4777 o The context tag is reassigned to a context for a different ULID 4778 pair between the same to hosts, e.g., . We've called this 4779 "Context Confusion" in this document. 4781 o The context tag is reassigned to a context between B and other 4782 host C, for instance for the ULID pair . That is a form 4783 of three party context confusion. 4785 Appendix C.1. Context Recovery 4787 This case is relatively simple, and is discussed in Section 7.5. The 4788 observation is that since the ULID pair is the same, when either A or 4789 B tries to establish the new context, A can keep the old context 4790 while B re-creates the context with the same context tag CT(B) = X. 4792 Appendix C.2. Context Confusion 4794 This cases is a bit more complex, and is discussed in Section 7.6. 4795 When the new context is created, whether A or B initiates it, host A 4796 can detect when it receives B's locator set (in the I2, or R2 4797 message), that it ends up with two contexts to the same peer host 4798 (overlapping Ls(peer) locator sets) that have the same context tag 4799 CT(peer) = X. At this point in time host A can clear up any 4800 possibility of causing confusion by not using the old context to send 4801 any more packets. It either just discards the old context (it might 4802 not be used by any ULP traffic, since B had discarded it), or it 4803 recreates a different context for the old ULID pair (), for 4804 which B will assign a unique CT(B) as part of the normal context 4805 establishment mechanism. 4807 Appendix C.3. Three Party Context Confusion 4809 The third case does not have a place where the old state on A can be 4810 verified, since the new context is established between B and C. Thus 4811 when B receives payload extension headers with X as the context tag, 4812 it will find the context for , hence rewrite the packets to 4813 have C3 in the source address field and B2 in the destination address 4814 field before passing them up to the ULP. This rewriting is correct 4815 when the packets are in fact sent by host C, but if host A ever 4816 happens to send a packet using the old context, then the ULP on A 4817 sends a packet with ULIDs and the packet arrives at the ULP 4818 on B with ULIDs . 4820 This is clearly an error, and the packet will most likely be rejected 4821 by the ULP on B due to a bad pseudo-header checksum. Even if the 4822 checksum is ok (probability 2^-16), the ULP isn't likely to have a 4823 connection for those ULIDs and port numbers. And if the ULP is 4824 connection-less, processing the packet is most likely harmless; such 4825 a ULP must be able to copy with random packets being sent by random 4826 peers in any case. 4828 This broken state, where packets sent from A to B using the old 4829 context on host A might persist for some time, but it will not remain 4830 for very long. The unreachability detection on host A will kick in, 4831 because it does not see any return traffic (payload or Keepalive 4832 messages) for the context. This will result in host A sending Probe 4833 messages to host B to find a working locator pair. The effect of 4834 this is that host B will notice that it does not have a context for 4835 the ULID pair and CT(B) = X, which will make host B send an 4836 R1bis packet to re-establish that context. The re-established 4837 context, just like in the previous section, will get a unique CT(B) 4838 assigned by host B, thus there will no longer be any confusion. 4840 Appendix C.4. Summary 4842 In summary, there are cases where a context tag might be reused while 4843 some peer retains the state, but the protocol can recover from it. 4844 The probability of these events is low given the 47 bit context tag 4845 size. However, it is important that these recovery mechanisms be 4846 tested. Thus during development and testing it is recommended that 4847 implementations not use the full 47 bit space, but instead keep e.g. 4848 the top 40 bits as zero, only leaving the host with 128 unique 4849 context tags. This will help test the recovery mechanisms. 4851 Appendix D. Design Alternatives 4853 This document has picked a certain set of design choices in order to 4854 try to work out a bunch of the details, and stimulate discussion. 4855 But as has been discussed on the mailing list, there are other 4856 choices that make sense. This appendix tries to enumerate some 4857 alternatives. 4859 Appendix D.1. Context granularity 4861 Over the years various suggestions have been made whether the shim 4862 should, even if it operates at the IP layer, be aware of ULP 4863 connections and sessions, and as a result be able to make separate 4864 shim contexts for separate ULP connections and sessions. A few 4865 different options have been discussed: 4867 o Each ULP connection maps to its own shim context. 4869 o The shim is unaware of the ULP notion of connections and just 4870 operates on a host-to-host (IP address) granularity. 4872 o Hybrids where the shim is aware of some ULPs (such as TCP) and 4873 handles other ULPs on a host-to-host basis. 4875 Having shim state for every ULP connection potentially means higher 4876 overhead since the state setup overhead might become significant; 4877 there is utility in being able to amortize this over multiple 4878 connections. 4880 But being completely unaware of the ULP connections might hamper ULPs 4881 that want different communication to use different locator pairs, for 4882 instance for quality or cost reasons. 4884 The protocol has a shim which operates with host-level granularity 4885 (strictly speaking, with ULID-pair granularity, to be able to 4886 amortize the context establishment over multiple ULP connections. 4887 This is combined with the ability for shim-aware ULPs to request 4888 context forking so that different ULP traffic can use different 4889 locator pairs. 4891 Appendix D.2. Demultiplexing of data packets in Shim6 communications 4893 Once a ULID-pair context is established between two hosts, packets 4894 may carry locators that differ from the ULIDs presented to the ULPs 4895 using the established context. One of main functions of the Shim6 4896 layer is to perform the mapping between the locators used to forward 4897 packets through the network and the ULIDs presented to the ULP. In 4898 order to perform that translation for incoming packets, the Shim6 4899 layer needs to first identify which of the incoming packets need to 4900 be translated and then perform the mapping between locators and ULIDs 4901 using the associated context. Such operation is called 4902 demultiplexing. It should be noted that because any address can be 4903 used both as a locator and as a ULID, additional information other 4904 than the addresses carried in packets, need to be taken into account 4905 for this operation. 4907 For example, if a host has address A1 and A2 and starts communicating 4908 with a peer with addresses B1 and B2, then some communication 4909 (connections) might use the pair as ULID and others might 4910 use e.g., . Initially there are no failures so these address 4911 pairs are used as locators i.e. in the IP address fields in the 4912 packets on the wire. But when there is a failure the Shim6 layer on 4913 A might decide to send packets that used as ULIDs using as the locators. In this case B needs to be able to rewrite the 4915 IP address field for some packets and not others, but the packets all 4916 have the same locator pair. 4918 In order to accomplish the demultiplexing operation successfully, 4919 data packets carry a context tag that allows the receiver of the 4920 packet to determine the shim context to be used to perform the 4921 operation. 4923 Two mechanisms for carrying the context tag information have been 4924 considered in depth during the shim protocol design. Those carrying 4925 the context tag in the flow label field of the IPv6 header and the 4926 usage of a new extension header to carry the context tag. In this 4927 appendix we will describe the pros and cons of each approach and 4928 justify the selected option. 4930 Appendix D.2.1. Flow-label 4932 A possible approach is to carry the context tag in the Flow Label 4933 field of the IPv6 header. This means that when a Shim6 context is 4934 established, a Flow Label value is associated with this context (and 4935 perhaps a separate flow label for each direction). 4937 The simplest approach that does this is to have the triple identify the context at 4939 the receiver. 4941 The problem with this approach is that because the locator sets are 4942 dynamic, it is not possible at any given moment to be sure that two 4943 contexts for which the same context tag is allocated will have 4944 disjoint locator sets during the lifetime of the contexts. 4946 Suppose that Node A has addresses IPA1, IPA2, IPA3 and IPA4 and that 4947 Host B has addresses IPB1 and IPB2. 4949 Suppose that two different contexts are established between HostA and 4950 HostB. 4952 Context #1 is using IPA1 and IPB1 as ULIDs. The locator set 4953 associated to IPA1 is IPA1 and IPA2 while the locator set associated 4954 to IPB1 is just IPB1. 4956 Context #2 uses IPA3 and IPB2 as ULIDs. The locator set associated 4957 to IPA3 is IPA3 and IPA4 and the locator set associated to IPB2 is 4958 just IPB2. 4960 Because the locator sets of the Context #1 and Context #2 are 4961 disjoint, hosts could think that the same context tag value can be 4962 assigned to both of them. The problem arrives when later on IPA3 is 4963 added as a valid locator for IPA1 and IPB2 is added as a valid 4964 locator for IPB1 in Context #1. In this case, the triple would not identify a 4966 unique context anymore and correct demultiplexing is no longer 4967 possible. 4969 A possible approach to overcome this limitation is simply not to 4970 repeat the Flow Label values for any communication established in a 4971 host. This basically means that each time a new communication that 4972 is using different ULIDs is established, a new Flow Label value is 4973 assigned to it. By this mean, each communication that is using 4974 different ULIDs can be differentiated because it has a different Flow 4975 Label value. 4977 The problem with such approach is that it requires that the receiver 4978 of the communication allocates the Flow Label value used for incoming 4979 packets, in order to assign them uniquely. For this, a shim 4980 negotiation of the Flow Label value to use in the communication is 4981 needed before exchanging data packets. This poses problems with non- 4982 shim capable hosts, since they would not be able to negotiate an 4983 acceptable value for the Flow Label. This limitation can be lifted 4984 by marking the packets that belong to shim sessions from those that 4985 do not. These marking would require at least a bit in the IPv6 4986 header that is not currently available, so more creative options 4987 would be required, for instance using new Next Header values to 4988 indicate that the packet belongs to a Shim6 enabled communication and 4989 that the Flow Label carries context information as proposed in the 4990 now expired NOID draft. However, even if this is done, this approach 4991 is incompatible with the deferred establishment capability of the 4992 shim protocol, which is a preferred function, since it suppresses the 4993 delay due to the shim context establishment prior to initiation of 4994 the communication and it also allows nodes to define at which stage 4995 of the communication they decide, based on their own policies, that a 4996 given communication requires to be protected by the shim. 4998 In order to cope with the identified limitations, an alternative 4999 approach that does not constraints the flow label values used by 5000 communications that are using ULIDs equal to the locators (i.e. no 5001 shim translation) is to only require that different flow label values 5002 are assigned to different shim contexts. In such approach 5003 communications start with unmodified flow label usage (could be zero, 5004 or as suggested in [11]). The packets sent after a failure when a 5005 different locator pair is used would use a completely different flow 5006 label, and this flow label could be allocated by the receiver as part 5007 of the shim context establishment. Since it is allocated during the 5008 context establishment, the receiver of the "failed over" packets can 5009 pick a flow label of its choosing (that is unique in the sense that 5010 no other context is using it as a context tag), without any 5011 performance impact, and respecting that for each locator pair, the 5012 flow label value used for a given locator pair doesn't change due to 5013 the operation of the multihoming shim. 5015 In this approach, the constraint is that Flow Label values being used 5016 as context identifiers cannot be used by other communications that 5017 use non-disjoint locator sets. This means that once that a given 5018 Flow Label value has been assigned to a shim context that has a 5019 certain locator sets associated, the same value cannot be used for 5020 other communications that use an address pair that is contained in 5021 the locator sets of the context. This is a constraint in the 5022 potential Flow Label allocation strategies. 5024 A possible workaround to this constraint is to mark shim packets that 5025 require translation, in order to differentiate them from regular IPv6 5026 packets, using the artificial Next Header values described above. In 5027 this case, the Flow Label values constrained are only those of the 5028 packets that are being translated by the shim. This last approach 5029 would be the preferred approach if the context tag is to be carried 5030 in the Flow Label field. This is not only because it imposes the 5031 minimum constraints to the Flow Label allocation strategies, limiting 5032 the restrictions only to those packets that need to be translated by 5033 the shim, but also because Context Loss detection mechanisms greatly 5034 benefit from the fact that shim data packets are identified as such, 5035 allowing the receiving end to identify if a shim context associated 5036 to a received packet is suppose to exist, as it will be discussed in 5037 the Context Loss detection appendix below. 5039 Appendix D.2.2. Extension Header 5041 Another approach, which is the one selected for this protocol, is to 5042 carry the context tag in a new Extension Header. These context tags 5043 are allocated by the receiving end during the Shim6 protocol initial 5044 negotiation, implying that each context will have two context tags, 5045 one for each direction. Data packets will be demultiplexed using the 5046 context tag carried in the Extension Header. This seems a clean 5047 approach since it does not overload existing fields. However, it 5048 introduces additional overhead in the packet due to the additional 5049 header. The additional overhead introduced is 8 octets. However, it 5050 should be noted that the context tag is only required when a locator 5051 other than the one used as ULID is contained in the packet. Packets 5052 where both the source and destination address fields contain the 5053 ULIDs do not require a context tag, since no rewriting is necessary 5054 at the receiver. This approach would reduce the overhead, because 5055 the additional header is only required after a failure. On the other 5056 hand, this approach would cause changes in the available MTU for some 5057 packets, since packets that include the Extension Header will have an 5058 MTU 8 octets shorter. However, path changes through the network can 5059 result in different MTU in any case, thus having a locator change, 5060 which implies a path change, affect the MTU doesn't introduce any new 5061 issues. 5063 Appendix D.3. Context Loss Detection 5065 In this appendix we will present different approaches considered to 5066 detect context loss and potential context recovery strategies. The 5067 scenario being considered is the following: Node A and Node B are 5068 communicating using IPA1 and IPB1. Sometime later, a shim context is 5069 established between them, with IPA1 and IPB1 as ULIDs and 5070 IPA1,...,IPAn and IPB1,...,IPBm as locator set respectively. 5072 It may happen, that later on, one of the hosts, e.g. Host A loses 5073 the shim context. The reason for this can be that Host A has a more 5074 aggressive garbage collection policy than HostB or that an error 5075 occurred in the shim layer at host A resulting in the loss of the 5076 context state. 5078 The mechanisms considered in this appendix are aimed to deal with 5079 this problem. There are essentially two tasks that need to be 5080 performed in order to cope with this problem: first, the context loss 5081 must be detected and second the context needs to be recovered/ 5082 reestablished. 5084 Mechanisms for detecting context loss. 5086 These mechanisms basically consist in that each end of the context 5087 periodically sends a packet containing context-specific information 5088 to the other end. Upon reception of such packets, the receiver 5089 verifies that the required context exists. In case that the context 5090 does not exist, it sends a packet notifying the problem to the 5091 sender. 5093 An obvious alternative for this would be to create a specific context 5094 keepalive exchange, which consists in periodically sending packets 5095 with this purpose. This option was considered and discarded because 5096 it seemed an overkill to define a new packet exchange to deal with 5097 this issue. 5099 An alternative is to piggyback the context loss detection function in 5100 other existent packet exchanges. In particular, both shim control 5101 and data packets can be used for this. 5103 Shim control packets can be trivially used for this, because they 5104 carry context specific information, so that when a node receives one 5105 of such packets, it will verify if the context exists. However, shim 5106 control frequency may not be adequate for context loss detection 5107 since control packet exchanges can be very limited for a session in 5108 certain scenarios. 5110 Data packets, on the other hand, are expected to be exchanged with a 5111 higher frequency but they do not necessarily carry context specific 5112 information. In particular, packets flowing before a locator change 5113 (i.e. packet carrying the ULIDs in the address fields) do not need 5114 context information since they do not need any shim processing. 5115 Packets that carry locators that differ from the ULIDs carry context 5116 information. 5118 However, we need to make a distinction here between the different 5119 approaches considered to carry the context tag, in particular between 5120 those approaches where packets are explicitly marked as shim packets 5121 and those approaches where packets are not marked as such. For 5122 instance, in the case where the context tag is carried in the Flow 5123 Label and packets are not marked as shim packets (i.e. no new Next 5124 Header values are defined for shim), a receiver that has lost the 5125 associated context is not able to detect that the packet is 5126 associated with a missing context. The result is that the packet 5127 will be passed unchanged to the upper layer protocol, which in turn 5128 will probably silently discard it due to a checksum error. The 5129 resulting behavior is that the context loss is undetected. This is 5130 one additional reason to discard an approach that carries the context 5131 tag in the Flow Label field and does not explicitly mark the shim 5132 packets as such. On the other hand, approaches that mark shim data 5133 packets (like the Extension Header or the Flow Label with new Next 5134 Header values approaches) allow the receiver to detect if the context 5135 associated to the received packet is missing. In this case, data 5136 packets also perform the function of a context loss detection 5137 exchange. However, it must be noted that only those packets that 5138 carry a locator that differs form the ULID are marked. This 5139 basically means that context loss will be detected after an outage 5140 has occurred i.e. alternative locators are being used. 5142 Summarizing, the proposed context loss detection mechanisms uses shim 5143 control packets and payload extension headers to detect context loss. 5144 Shim control packets detect context loss during the whole lifetime of 5145 the context, but the expected frequency in some cases is very low. 5146 On the other hand, payload extension headers have a higher expected 5147 frequency in general, but they only detect context loss after an 5148 outage. This behavior implies that it will be common that context 5149 loss is detected after a failure i.e. once that it is actually 5150 needed. Because of that, a mechanism for recovering from context 5151 loss is required if this approach is used. 5153 Overall, the mechanism for detecting lost context would work as 5154 follows: the end that still has the context available sends a message 5155 referring to the context. Upon the reception of such message, the 5156 end that has lost the context identifies the situation and notifies 5157 the context loss event to the other end by sending a packet 5158 containing the lost context information extracted from the received 5159 packet. 5161 One option is to simply send an error message containing the received 5162 packets (or at least as much of the received packet that the MTU 5163 allows to fit in). One of the goals of this notification is to allow 5164 the other end that still retains context state, to reestablish the 5165 lost context. The mechanism to reestablish the loss context consists 5166 in performing the 4-way initial handshake. This is a time consuming 5167 exchange and at this point time may be critical since we are 5168 reestablishing a context that is currently needed (because context 5169 loss detection may occur after a failure). So, another option, which 5170 is the one used in this protocol, is to replace the error message by 5171 a modified R1 message, so that the time required to perform the 5172 context establishment exchange can be reduced. Upon the reception of 5173 this modified R1 message, the end that still has the context state 5174 can finish the context establishment exchange and restore the lost 5175 context. 5177 Appendix D.4. Securing locator sets 5179 The adoption of a protocol like SHIM that allows the binding of a 5180 given ULID with a set of locators opens the doors for different types 5181 of redirection attacks as described in [14]. The goal in terms of 5182 security for the design of the shim protocol is not to introduce any 5183 new vulnerability in the Internet architecture. It is a non-goal to 5184 provide additional protection than the currently available in the 5185 single-homed IPv6 Internet. 5187 Multiple security mechanisms were considered to protect the shim 5188 protocol. In this appendix we will present some of them. 5190 The simplest option to protect the shim protocol was to use cookies 5191 i.e. a randomly generated bit string that is negotiated during the 5192 context establishment phase and then it is included in following 5193 signaling messages. By this mean, it would be possible to verify 5194 that the party that was involved in the initial handshake is the same 5195 party that is introducing new locators. Moreover, before using a new 5196 locator, an exchange is performed through the new locator, verifying 5197 that the party located at the new locator knows the cookie i.e. that 5198 it is the same party that performed the initial handshake. 5200 While this security mechanisms does indeed provide a fair amount of 5201 protection, it does leave the door open for the so-called time 5202 shifted attacks. In these attacks, an attacker that once was on the 5203 path, it discovers the cookie by sniffing any signaling message. 5204 After that, the attacker can leave the path and still perform a 5205 redirection attack, since as he is in possession of the cookie, he 5206 can introduce a new locator in the locator set and he can also 5207 successfully perform the reachability exchange if he is able to 5208 receive packets at the new locator. The difference with the current 5209 single-homed IPv6 situation is that in the current situation the 5210 attacker needs to be on-path during the whole lifetime of the attack, 5211 while in this new situation where only cookie protection if provided, 5212 an attacker that once was on the path can perform attacks after he 5213 has left the on-path location. 5215 Moreover, because the cookie is included in signaling messages, the 5216 attacker can discover the cookie by sniffing any of them, making the 5217 protocol vulnerable during the whole lifetime of the shim context. A 5218 possible approach to increase the security was to use a shared secret 5219 i.e. a bit string that is negotiated during the initial handshake but 5220 that is used as a key to protect following messages. With this 5221 technique, the attacker must be present on the path sniffing packets 5222 during the initial handshake, since it is the only moment where the 5223 shared secret is exchanged. While this improves the security, it is 5224 still vulnerable to time shifted attacks, even though it imposes that 5225 the attacker must be on path at a very specific moment (the 5226 establishment phase) to actually be able to launch the attack. While 5227 this seems to substantially improve the situation, it should be noted 5228 that, depending on protocol details, an attacker may be able to force 5229 the recreation of the initial handshake (for instance by blocking 5230 messages and making the parties think that the context has been 5231 lost), so the resulting situation may not differ that much from the 5232 cookie based approach. 5234 Another option that was discussed during the design of the protocol 5235 was the possibility of using IPsec for protecting the shim protocol. 5236 Now, the problem under consideration in this scenario is how to 5237 securely bind an address that is being used as ULID with a locator 5238 set that can be used to exchange packets. The mechanism provided by 5239 IPsec to securely bind the address used with the cryptographic keys 5240 is the usage of digital certificates. This implies that an IPsec 5241 based solution would require that the generation of digital 5242 certificates that bind the key and the ULID by a common third trusted 5243 party for both parties involved in the communication. Considering 5244 that the scope of application of the shim protocol is global, this 5245 would imply a global public key infrastructure. The major issues 5246 with this approach are the deployment difficulties associated with a 5247 global PKI. The other possibility would be to use some form of 5248 opportunistic IPSec, like BTNS [21]. However, this would still 5249 present some issues, in particular, this approach requires a leap-of- 5250 faith in order to bind a given address to the public ky that is being 5251 used, which would actually prevent from providing the most critical 5252 security feature that a Shim6 security solution needs to achieve, 5253 i.e. proving identifier ownership. On top of that, using IPsec would 5254 require to turn on per-packet AH/ESP just for multihoming to occur. 5256 Finally two different technologies were selected to protect the shim 5257 protocol: HBA [3] and CGA [2]. These two approaches provide a 5258 similar level of protection but they provide different functionality 5259 with a different computational cost. 5261 The HBA mechanism relies on the capability of generating all the 5262 addresses of a multihomed host as an unalterable set of intrinsically 5263 bound IPv6 addresses, known as an HBA set. In this approach, 5264 addresses incorporate a cryptographic one-way hash of the prefix-set 5265 available into the interface identifier part. The result is that the 5266 binding between all the available addresses is encoded within the 5267 addresses themselves, providing hijacking protection. Any peer using 5268 the shim protocol node can efficiently verify that the alternative 5269 addresses proposed for continuing the communication are bound to the 5270 initial address through a simple hash calculation. A limitation of 5271 the HBA technique is that once generated the address set is fixed and 5272 cannot be changed without also changing all the addresses of the HBA 5273 set. In other words, the HBA technique does not support dynamic 5274 addition of address to a previously generated HBA set. An advantage 5275 of this approach is that it requires only hash operations to verify a 5276 locator set, imposing very low computational cost to the protocol. 5278 In a CGA based approach the address used as ULID is a CGA that 5279 contains a hash of a public key in its interface identifier. The 5280 result is a secure binding between the ULID and the associated key 5281 pair. This allows each peer to use the corresponding private key to 5282 sign the shim messages that convey locator set information. The 5283 trust chain in this case is the following: the ULID used for the 5284 communication is securely bound to the key pair because it contains 5285 the hash of the public key, and the locator set is bound to the 5286 public key through the signature. The CGA approach then supports 5287 dynamic addition of new locators in the locator set, since in order 5288 to do that, the node only needs to sign the new locator with the 5289 private key associated with the CGA used as ULID. A limitation of 5290 this approach is that it imposes systematic usage of public key 5291 cryptography with its associate computational cost. 5293 Any of these two mechanisms HBA and CGA provide time-shifted attack 5294 protection, since the ULID is securely bound to a locator set that 5295 can only be defined by the owner of the ULID. 5297 So, the design decision adopted was that both mechanisms HBA and CGA 5298 are supported, so that when only stable address sets are required, 5299 the nodes can benefit from the low computational cost offered by HBA 5300 while when dynamic locator sets are required, this can be achieved 5301 through CGAs with an additional cost. Moreover, because HBAs are 5302 defined as a CGA extension, the addresses available in a node can 5303 simultaneously be CGAs and HBAs, allowing the usage of the HBA and 5304 CGA functionality when needed without requiring a change in the 5305 addresses used. 5307 Appendix D.5. ULID-pair context establishment exchange 5309 Two options were considered for the ULID-pair context establishment 5310 exchange: a 2-way handshake and a 4-way handshake. 5312 A key goal for the design of this exchange was that protection 5313 against DoS attacks. The attack under consideration was basically a 5314 situation where an attacker launches a great amount of ULID-pair 5315 establishment request packets, exhausting victim's resources, similar 5316 to TCP SYN flooding attacks. 5318 A 4 way-handshake exchange protects against these attacks because the 5319 receiver does not creates any state associate to a given context 5320 until the reception of the second packet which contains a prior 5321 contact proof in the form of a token. At this point the receiver can 5322 verify that at least the address used by the initiator is at some 5323 extent valid, since the initiator is able to receive packets at this 5324 address. In the worse case, the responder can track down the 5325 attacker using this address. The drawback of this approach is that 5326 it imposes a 4 packet exchange for any context establishment. This 5327 would be a great deal if the shim context needed to be established up 5328 front, before the communication can proceed. However, thanks to 5329 deferred context establishment capability of the shim protocol, this 5330 limitation has a reduced impact in the performance of the protocol. 5332 (It may however have a greater impact in the situation of context 5333 recover as discussed earlier, but in this case, it is possible to 5334 perform optimizations to reduce the number of packets as described 5335 above) 5337 The other option considered was a 2-way handshake with the 5338 possibility to fall back to a 4-way handshake in case of attack. In 5339 this approach, the ULID-pair establishment exchange normally consists 5340 in a 2-packet exchange and it does not verify that the initiator has 5341 performed a prior contact before creating context state. In case 5342 that a DoS attack is detected, the responder falls back to a 4-way 5343 handshake similar to the one described previously in order to prevent 5344 the detected attack to proceed. The main difficulty with this attack 5345 is how to detect that a responder is currently under attack. It 5346 should be noted, that because this is 2-way exchange, it is not 5347 possible to use the number of half open sessions (as in TCP) to 5348 detect an ongoing attack and different heuristics need to be 5349 considered. 5351 The design decision taken was that considering the current impact of 5352 DoS attacks and the low impact of the 4-way exchange in the shim 5353 protocol thanks to the deferred context establishment capability, a 5354 4-way exchange would be adopted for the base protocol. 5356 Appendix D.6. Updating locator sets 5358 There are two possible approaches to the addition and removal of 5359 locators: atomic and differential approaches. The atomic approach 5360 essentially send the complete locators set each time that a variation 5361 in the locator set occurs. The differential approach send the 5362 differences between the existing locator set and the new one. The 5363 atomic approach imposes additional overhead, since all the locator 5364 set has to be exchanged each time while the differential approach 5365 requires re-synchronization of both ends through changes i.e. that 5366 both ends have the same idea about what the current locator set is. 5368 Because of the difficulties imposed by the synchronization 5369 requirement, the atomic approach was selected. 5371 Appendix D.7. State Cleanup 5373 There are essentially two approaches for discarding an existing state 5374 about locators, keys and identifiers of a correspondent node: a 5375 coordinated approach and an unilateral approach. 5377 In the unilateral approach, each node discards the information about 5378 the other node without coordination with the other node based on some 5379 local timers and heuristics. No packet exchange is required for 5380 this. In this case, it would be possible that one of the nodes has 5381 discarded the state while the other node still hasn't. In this case, 5382 a No-Context error message may be required to inform about the 5383 situation and possibly a recovery mechanism is also needed. 5385 A coordinated approach would use an explicit CLOSE mechanism, akin to 5386 the one specified in HIP [19]. If an explicit CLOSE handshake and 5387 associated timer is used, then there would no longer be a need for 5388 the No Context Error message due to a peer having garbage collected 5389 its end of the context. However, there is still potentially a need 5390 to have a No Context Error message in the case of a complete state 5391 loss of the peer (also known as a crash followed by a reboot). Only 5392 if we assume that the reboot takes at least the CLOSE timer, or that 5393 it is ok to not provide complete service until CLOSE timer minutes 5394 after the crash, can we completely do away with the No Context Error 5395 message. 5397 In addition, other aspect that is relevant for this design choice is 5398 the context confusion issue. In particular, using an unilateral 5399 approach to discard context state clearly opens the possibility of 5400 context confusion, where one of the ends unilaterally discards the 5401 context state, while the peer does not. In this case, the end that 5402 has discarded the state can re-use the context tag value used for the 5403 discarded state for a another context, creating a potential context 5404 confusion situation. In order to illustrate the cases where problems 5405 would arise consider the following scenario: 5407 o Hosts A and B establish context 1 using CTA and CTB as context 5408 tags. 5410 o Later on, A discards context 1 and the context tag value CTA 5411 becomes available for reuse. 5413 o However, B still keeps context 1. 5415 This would become a context confusion situation in the following two 5416 cases: 5418 o A new context 2 is established between A and B with a different 5419 ULID pair (or Forked Instance Identifier), and A uses CTA as 5420 context tag, If the locator sets used for both contexts are not 5421 disjoint, we are in a context confusion situation. 5423 o A new context is established between A and C and A uses CTA as 5424 context tag value for this new context. Later on, B sends Payload 5425 extension header and/or control messages containing CTA, which 5426 could be interpreted by A as belonging to context 2 (if no proper 5427 care is taken). Again we are in a context confusion situation. 5429 One could think that using a coordinated approach would eliminate 5430 these context confusion situations, making the protocol much simpler. 5431 However, this is not the case, because even in the case of a 5432 coordinated approach using a CLOSE/CLOSE ACK exchange, there is still 5433 the possibility of a host rebooting without having the time to 5434 perform the CLOSE exchange. So, it is true that the coordinated 5435 approach eliminates the possibility of a context confusion situation 5436 because premature garbage collection, but it does not prevent the 5437 same situations due to a crash and reboot of one of the involved 5438 hosts. The result is that even if we went for a coordinated 5439 approach, we would still need to deal with context confusion and 5440 provide the means to detect and recover from this situations. 5442 Appendix E. Change Log 5444 [RFC Editor: please remove this section] 5446 The following changes have been made since draft-ietf-shim6-proto-10: 5448 o Reworded the placement of shim6 w.r.t. IPsec 5450 o Updated text on the IPsec considerations 5452 The following changes have been made since draft-ietf-shim6-proto-09: 5454 o Explicitly added a reference to the applicability document 5456 o Added text on why oportunistic IPSec was not used for securing 5457 locator sets 5459 o Reowrded the Validator generation text to make it clearer 5461 o Reworded security considerations to explicitly address RFC 4218 5462 threats 5464 o Added OandM section 5466 o Added text on TE considerations 5468 o Added requirement to properly support RFC4884 icmp messages 5470 o Added th usage of Packetization Layer Path MTU Discovery 5472 o Reworded the placement of shim6 w.r.t. IPsec 5474 o Added text on the IPsec considerations 5476 The following changes have been made since draft-ietf-shim6-proto-08: 5478 o Clarified that the validator option must be included in R1 and I2 5479 messages 5481 o changed preferred peer/local locator to current peer/local locator 5482 to align it with faliure detection draft 5484 o Reworded sections describing the generation and reception of 5485 I2,I2bis, R2 and Update message to clarify that the CGA PDS may be 5486 included in them 5488 o ruled out the unspcified address as posible address to be used in 5489 shim6 control messages 5491 o added clarifyig note that explains that is possible that one of 5492 the peers is not multiaddrssed and does not have CGA/HBA 5494 o added assumption explaining that ULIDs are HBAs or CGAs 5496 o Editorial changes 5498 The following changes have been made since draft-ietf-shim6-proto-07: 5500 o New Error Message format added in the Format section 5502 o Added new registry for Error codes in the IANA considerations 5503 section 5505 o Changed the Format section so a Shim6 error message is sent back 5506 when a crtical option is not recognized (instead of an ICMP error 5507 message) 5509 o Changed the ULID estbalishment section so that a Shim6 error 5510 message is sent back when the locator verification is not 5511 recgnized or not consistent with the current CGA PDS 5513 o Changed the Locator Update section so that Shim6 error messages 5514 are sent instead of ICMP error messages 5516 o Changed the receiving packet section so that Shim6 error messages 5517 are generated instead of ICMP error messages 5519 o added new section about middle box consideration in the 5520 implication elsewhere section 5522 o added text for allowing strcuture in context tag name space, while 5523 still randomly cycling though part of the tag name space 5525 o changed the name of TEMPORARY flag for the TRANSIENT flag 5527 o clarified option length calculation 5529 o Editorial commnets from Iljitsch review 5531 o added new sub-section in the introduction about congestion 5532 notification to upper layer and include a reference to 5533 I-D.schuetz-tcpm-tcp-rlci 5535 o added reccomendation to keep the shim6 message length below 1280 5536 bytes 5538 o added the init nonce in the description of the verification of the 5539 validator when receiving I2 messages 5541 o removed FII and ULID in the verification of the validator when 5542 receiving I2BIS meesages, and added receiver context tag. 5544 o Clarified section about retransmision of I2 and I2bis messages, in 5545 case that the initiator decides not to retransmit I2/I2bis 5546 messages and retransmits I1 message 5548 o Clarified the effect of packets associated with a context but 5549 without the shim6 header when considering tearing down a context 5551 o Added new section in section 12 about how to process packets 5552 associated with a context that do not carry the shim6 ext header 5554 o Added respon der validator as information stored in I2-SENT and 5555 Responder validator, init nonce and RESP nonce as information 5556 available in I2BISSENT 5558 o Added Init Nonce, Responder Nonce, and Responder validator as 5559 information available for a shim6 context in the conceptual model 5560 during establishment phase. 5562 o Clarified how the Responder Validator is calculated based on a 5563 running counter that is independent of any received message 5565 o Editorial corrections resulting from Dave Thaler and Bob Braden 5566 reviews. 5568 The following changes have been made since draft-ietf-shim6-proto-06: 5570 o Changed wording in the renumberin considerations section, so that 5571 a shim6 context using a ULID that has been renumbered, MUST be 5572 discarded 5574 o Included text in the security considerations about IPSec BITW and 5575 IPSec tunnels. 5577 o Added text about the minimum key length of CGA in the security 5578 considerations section 5580 o fixed Payload/update message processing 5582 o synchonized with READ draft 5584 The following changes have been made since draft-ietf-shim6-proto-05: 5586 o Removed the possibility to keep on using the ULID after a 5587 renumbering event 5589 o Editorial corrections resulting from Dave Meyer's and Jim Bound's 5590 reviews. 5592 The following changes have been made since draft-ietf-shim6-proto-04: 5594 o Defined I1_RETRIES_MAX as 4. 5596 o Added text in section 7.9 clarifying the no per context state is 5597 stored at the receiver in order to reply an I1 message. 5599 o Added text in section 5 and in section 5.14 in particular, on 5600 defining additional options (including critical and non critical 5601 options). 5603 o Added text in the security considerations about threats related to 5604 secret S for generating the validators and recommendation to 5605 change S periodically. 5607 o Added text in the security considerations about the effects of 5608 attacks based on guessing the context tag being similar to 5609 spoofing source addresses in the case of payload packets. 5611 o Added clarification on what a recent nonce is in I2 and I2bis. 5613 o Removed (empty) open issues section. 5615 o Editorial corrections. 5617 The following changes have been made since draft-ietf-shim6-proto-03: 5619 o Editorial clarifications based on comments from Geoff, Shinta, 5620 Jari. 5622 o Added "no IPv6 NATs as an explicit assumption. 5624 o Moving some things out of the Introduction and Overview sections 5625 to remove all SHOULDs and MUSTs from there. 5627 o Added requirement that any Locator Preference options which use an 5628 element length greater than 3 octets have the already defined 5629 first 3 octets of flags, priority and weight. 5631 o Fixed security hole where a single message (I1) could cause 5632 CT(peer) to be updated. Now a three-way handshake is required 5633 before CT(peer) is updated for an existing context. 5635 The following changes have been made since draft-ietf-shim6-proto-02: 5637 o Replaced the Context Error message with the R1bis message. 5639 o Removed the Packet In Error option, since it was only used in the 5640 Context Error message. 5642 o Introduced a I2bis message which is sent in response to an I1bis 5643 message, since the responders processing is quite in this case 5644 than in the regular R1 case. 5646 o Moved the packet formats for the Keepalive and Probe message types 5647 and Event option to [4]. Only the message type values and option 5648 type value are specified for those in this document. 5650 o Removed the unused message types. 5652 o Added a state machine description as an appendix. 5654 o Filled in all the TBDs - except the IANA assignment of the 5655 protocol number. 5657 o Specified how context recovery and forked contexts work together. 5658 This required the introduction of a Forked Instance option to be 5659 able to tell which of possibly forked instances is being 5660 recovered. 5662 o Renamed the "host-pair context" to be "ULID-pair context". 5664 o Picked some initial retransmit timers for I1 and I2; 4 seconds. 5666 o Added timer values as protocol constants. The retransmit timers 5667 use binary exponential backoff and randomization (between .5 and 5668 1.5 of the nominal value). 5670 o Require that the R1/R1bis verifiers be usable for some minimum 5671 time so that the initiator knows for how long time it can safely 5672 retransmit I2 before it needs to go back to sending I1 again. 5673 Picked 30 seconds. 5675 o Split the message type codes into 0-63, which will not generate 5676 R1bis messages, and 64-127 which will generate R1bis messages. 5677 This allows extensibility of the protocol with new message types 5678 while being able to control when R1bis is generated. 5680 o Expanded the context tag from 32 to 47 bits. 5682 o Specified that enough locators need to be included in I2 and R2 5683 messages. Specified that the HBA/CGA verification must be 5684 performed when the locator set is received. 5686 o Specified that ICMP parameter problem errors are sent in certain 5687 error cases, for instance when the verification method is unknown 5688 to the receiver, or there is an unknown message type or option 5689 type. 5691 o Renamed "payload message" to be "payload extension header". 5693 o Many editorial clarifications suggested by Geoff Huston. 5695 o Modified the dispatching of payload extension header to only 5696 compare CT(local) i.e., not compare the source and destination 5697 IPv6 address fields. 5699 The following changes have been made since draft-ietf-shim6-proto-00: 5701 o Removed the use of the flow label and the overloading of the IP 5702 protocol numbers. Instead, when the locator pair is not the ULID 5703 pair, the ULP payloads will be carried with an 8 octet extension 5704 header. The belief is that it is possible to remove these extra 5705 bytes by defining future Shim6 extensions that exchange more 5706 information between the hosts, without having to overload the flow 5707 label or the IP protocol numbers. 5709 o Grew the context tag from 20 bits to 32 bits, with the possibility 5710 to grow it to 47 bits. This implies changes to the message 5711 formats. 5713 o Almost by accident, the new Shim6 message format is very close to 5714 the HIP message format. 5716 o Adopted the HIP format for the options, since this makes it easier 5717 to describe variable length options. The original, ND-style, 5718 option format requires internal padding in the options to make 5719 them 8 octet length in total, while the HIP format handles that 5720 using the option length field. 5722 o Removed some of the control messages, and renamed the other ones. 5724 o Added a "generation" number to the Locator List option, so that 5725 the peers can ensure that the preferences refer to the right 5726 "version" of the Locator List. 5728 o In order for FBD and exploration to work when there the use of the 5729 context is forked, that is different ULP messages are sent over 5730 different locator pairs, things are a lot easier if there is only 5731 one current locator pair used for each context. Thus the forking 5732 of the context is now causing a new context to be established for 5733 the same ULID; the new context having a new context tag. The 5734 original context is referred to as the "default" context for the 5735 ULID pair. 5737 o Added more background material and textual descriptions. 5739 19. References 5741 19.1. Normative References 5743 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 5744 Levels", BCP 14, RFC 2119, March 1997. 5746 [2] Aura, T., "Cryptographically Generated Addresses (CGA)", 5747 RFC 3972, March 2005. 5749 [3] Bagnulo, M., "Hash Based Addresses (HBA)", 5750 draft-ietf-shim6-hba-05 (work in progress), December 2007. 5752 [4] Arkko, J. and I. Beijnum, "Failure Detection and Locator Pair 5753 Exploration Protocol for IPv6 Multihoming", 5754 draft-ietf-shim6-failure-detection-13 (work in progress), 5755 June 2008. 5757 19.2. Informative References 5759 [5] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for 5760 specifying the location of services (DNS SRV)", RFC 2782, 5761 February 2000. 5763 [6] Ferguson, P. and D. Senie, "Network Ingress Filtering: 5764 Defeating Denial of Service Attacks which employ IP Source 5765 Address Spoofing", BCP 38, RFC 2827, May 2000. 5767 [7] Draves, R., "Default Address Selection for Internet Protocol 5768 version 6 (IPv6)", RFC 3484, February 2003. 5770 [8] Bagnulo, M., "Updating RFC 3484 for multihoming support", 5771 draft-bagnulo-ipv6-rfc3484-update-00 (work in progress), 5772 December 2005. 5774 [9] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, 5775 "RTP: A Transport Protocol for Real-Time Applications", STD 64, 5776 RFC 3550, July 2003. 5778 [10] Abley, J., Black, B., and V. Gill, "Goals for IPv6 Site- 5779 Multihoming Architectures", RFC 3582, August 2003. 5781 [11] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, "IPv6 5782 Flow Label Specification", RFC 3697, March 2004. 5784 [12] Eastlake, D., Schiller, J., and S. Crocker, "Randomness 5785 Requirements for Security", BCP 106, RFC 4086, June 2005. 5787 [13] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast 5788 Addresses", RFC 4193, October 2005. 5790 [14] Nordmark, E. and T. Li, "Threats Relating to IPv6 Multihoming 5791 Solutions", RFC 4218, October 2005. 5793 [15] Huitema, C., "Ingress filtering compatibility for IPv6 5794 multihomed sites", draft-huitema-shim6-ingress-filtering-00 5795 (work in progress), September 2005. 5797 [16] Bagnulo, M. and E. Nordmark, "SHIM - MIPv6 Interaction", 5798 draft-bagnulo-shim6-mip-00 (work in progress), July 2005. 5800 [17] Nordmark, E., "Shim6 Application Referral Issues", 5801 draft-ietf-shim6-app-refer-00 (work in progress), July 2005. 5803 [18] Bagnulo, M. and J. Abley, "Applicability Statement for the 5804 Level 3 Multihoming Shim Protocol (Shim6)", 5805 draft-ietf-shim6-applicability-03 (work in progress), 5806 July 2007. 5808 [19] Moskowitz, R., Nikander, P., Jokela, P., and T. Henderson, 5809 "Host Identity Protocol", draft-ietf-hip-base-10 (work in 5810 progress), October 2007. 5812 [20] Schuetz, S., Koutsianas, N., Eggert, L., Eddy, W., Swami, Y., 5813 and K. Le, "TCP Response to Lower-Layer Connectivity-Change 5814 Indications", draft-schuetz-tcpm-tcp-rlci-03 (work in 5815 progress), February 2008. 5817 [21] Williams, N. and M. Richardson, "Better-Than-Nothing-Security: 5818 An Unauthenticated Mode of IPsec", draft-ietf-btns-core-07 5819 (work in progress), August 2008. 5821 [22] Komu, M., Bagnulo, M., Slavov, K., and S. Sugimoto, "Socket 5822 Application Program Interface (API) for Multihoming Shim", 5823 draft-ietf-shim6-multihome-shim-api-07 (work in progress), 5824 November 2008. 5826 [23] Mathis, M. and J. Heffner, "Packetization Layer Path MTU 5827 Discovery", RFC 4821, March 2007. 5829 [24] Bonica, R., Gan, D., Tappan, D., and C. Pignataro, "Extended 5830 ICMP to Support Multi-Part Messages", RFC 4884, April 2007. 5832 Authors' Addresses 5834 Erik Nordmark 5835 Sun Microsystems 5836 17 Network Circle 5837 Menlo Park, CA 94025 5838 USA 5840 Phone: +1 650 786 2921 5841 Email: erik.nordmark@sun.com 5843 Marcelo Bagnulo 5844 Universidad Carlos III de Madrid 5845 Av. Universidad 30 5846 Leganes, Madrid 28911 5847 SPAIN 5849 Phone: +34 91 6248814 5850 Email: marcelo@it.uc3m.es 5851 URI: http://www.it.uc3m.es