--- 1/draft-ietf-shim6-proto-00.txt 2006-02-04 17:24:41.000000000 +0100 +++ 2/draft-ietf-shim6-proto-01.txt 2006-02-04 17:24:41.000000000 +0100 @@ -1,17 +1,17 @@ SHIM6 WG E. Nordmark Internet-Draft Sun Microsystems -Expires: March 31, 2006 September 27, 2005 +Expires: March 5, 2006 September 2005 Level 3 multihoming shim protocol - draft-ietf-shim6-proto-00.txt + draft-ietf-shim6-proto-01.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -22,21 +22,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on March 31, 2006. + This Internet-Draft will expire on March 5, 2006. Copyright Notice Copyright (C) The Internet Society (2005). Abstract The SHIM6 working group is exploring a layer 3 shim approach for providing locator agility below the transport protocols, so that multihoming can be provided for IPv6 with failover and load spreading @@ -51,168 +51,376 @@ This document picks a particular approach to such a protocol and tries to flush out a bunch of details, with the hope that the WG can better understand the details in this proposal as well as discovering and understanding alternative designs that might be better. Thus this proposal is my no means cast in stone as the direction; quite to the contrary it is a depth first exploration of the design space. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 - 1.1 Placement of the shim . . . . . . . . . . . . . . . . . . 4 - 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 5 - 2.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . 5 - 2.2 Notational Conventions . . . . . . . . . . . . . . . . . . 6 - 3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . 7 - 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . 8 - 4.1 Context Tags and Use of Flow Label . . . . . . . . . . . . 9 - 4.2 Protocol type overloading . . . . . . . . . . . . . . . . 10 - 4.3 Securing shim6 . . . . . . . . . . . . . . . . . . . . . . 11 - 4.4 Overview of Shim Control Messages . . . . . . . . . . . . 11 - 5. Message Formats . . . . . . . . . . . . . . . . . . . . . . 14 - 5.1 Common Shim6 header . . . . . . . . . . . . . . . . . . . 14 - 5.2 I1 Message Format . . . . . . . . . . . . . . . . . . . . 15 - 5.3 R1 Message Format . . . . . . . . . . . . . . . . . . . . 16 - 5.4 I2 Message Format . . . . . . . . . . . . . . . . . . . . 17 - 5.5 R2 Message Format . . . . . . . . . . . . . . . . . . . . 19 - 5.6 No Context Error Message Format . . . . . . . . . . . . . 20 - 5.7 Locator List Update Message Format . . . . . . . . . . . . 21 - 5.8 Locator List Update Acknowledgement Message Format . . . . 22 - 5.9 Rehome Request Message Format . . . . . . . . . . . . . . 23 - 5.10 Rehome Acknowledgement Message Format . . . . . . . . . 23 - 5.11 Reachability Probe Message Format . . . . . . . . . . . 23 - 5.12 Reachability Probe Reply Message Format . . . . . . . . 24 - 5.13 Payload Message Format . . . . . . . . . . . . . . . . . 25 - 5.14 Keepalive Message Format . . . . . . . . . . . . . . . . 26 - 5.15 Locator Pair Test Message Format . . . . . . . . . . . . 27 - 5.16 Locator Pair Test Reply Message Format . . . . . . . . . 28 - 5.17 Context Locator Pair Explore Message Format . . . . . . 29 - 6. Option Formats . . . . . . . . . . . . . . . . . . . . . . . 31 - 6.1 Validator Option Format . . . . . . . . . . . . . . . . . 32 - 6.2 Locator List Option Format . . . . . . . . . . . . . . . . 32 - 6.3 Locator Preferences Option Format . . . . . . . . . . . . 33 - 6.4 CGA Parameter Data Structure Option Format . . . . . . . . 34 - 6.5 CGA Signature Option Format . . . . . . . . . . . . . . . 35 - 6.6 ULID Pair Option Format . . . . . . . . . . . . . . . . . 35 - 6.7 Packet In Error Option Format . . . . . . . . . . . . . . 36 - 6.8 Explorer Results Option Format . . . . . . . . . . . . . . 36 - 7. Conceptual Model of a Host . . . . . . . . . . . . . . . . . 38 - 7.1 Conceptual Data Structures . . . . . . . . . . . . . . . . 38 - 8. Establishing Host Pair Contexts . . . . . . . . . . . . . . 40 - 8.1 Sending I1 messages . . . . . . . . . . . . . . . . . . . 40 - 8.2 Receiving I1 messages . . . . . . . . . . . . . . . . . . 40 - 8.3 Receiving R1 messages . . . . . . . . . . . . . . . . . . 40 - 8.4 Retransmitting I1 messages . . . . . . . . . . . . . . . . 40 - 8.5 Receiving I2 messages . . . . . . . . . . . . . . . . . . 40 - 8.6 Retransmitting I2 messages . . . . . . . . . . . . . . . . 40 - 8.7 Concurrent context establishment . . . . . . . . . . . . . 40 - 9. No Such Content Errors . . . . . . . . . . . . . . . . . . . 41 - 10. Handling ICMP Error Messages . . . . . . . . . . . . . . . . 42 - 11. Taredown of the Host Pair Context . . . . . . . . . . . . . 43 - 12. Updating the Locator Pairs . . . . . . . . . . . . . . . . . 44 - 13. Various Probe Mechanisms . . . . . . . . . . . . . . . . . . 45 - 14. Rehoming to a Different Locator Pair . . . . . . . . . . . . 46 - 15. Payload Packets before a Switch . . . . . . . . . . . . . . 47 - 16. Payload Packets after a Switch . . . . . . . . . . . . . . . 48 - 17. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . 50 - 18. Design Alternatives . . . . . . . . . . . . . . . . . . . . 52 - 18.1 State Cleanup . . . . . . . . . . . . . . . . . . . . . 52 - 18.2 Not Overloading the Flow Label . . . . . . . . . . . . . 52 - 18.3 Detecting Context Loss . . . . . . . . . . . . . . . . . 53 - 19. Implications Elsewhere . . . . . . . . . . . . . . . . . . . 55 - 20. Security Considerations . . . . . . . . . . . . . . . . . . 57 - 21. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 58 - 22. References . . . . . . . . . . . . . . . . . . . . . . . . . 59 - 22.1 Normative References . . . . . . . . . . . . . . . . . . 59 - 22.2 Informative References . . . . . . . . . . . . . . . . . 59 - Author's Address . . . . . . . . . . . . . . . . . . . . . . 60 - Intellectual Property and Copyright Statements . . . . . . . 61 + 1.1 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 1.2 Non-Goals . . . . . . . . . . . . . . . . . . . . . . . . 5 + 1.3 Locators as Upper-layer Identifiers . . . . . . . . . . . 5 + 1.4 IP Multicast . . . . . . . . . . . . . . . . . . . . . . . 6 + 1.5 Renumbering Implications . . . . . . . . . . . . . . . . . 6 + 1.6 Placement of the shim . . . . . . . . . . . . . . . . . . 7 + 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 9 + 2.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . 9 + 2.2 Notational Conventions . . . . . . . . . . . . . . . . . . 10 + 3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . 11 + 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . 11 + 4.1 Context Tags . . . . . . . . . . . . . . . . . . . . . . . 13 + 4.2 Securing shim6 . . . . . . . . . . . . . . . . . . . . . . 14 + 4.3 Overview of Shim Control Messages . . . . . . . . . . . . 14 + 5. Message Formats . . . . . . . . . . . . . . . . . . . . . . 15 + 5.1 Payload Message Format . . . . . . . . . . . . . . . . . . 15 + 5.2 Common Shim6 Control header . . . . . . . . . . . . . . . 16 + 5.3 I1 Message Format . . . . . . . . . . . . . . . . . . . . 17 + 5.4 R1 Message Format . . . . . . . . . . . . . . . . . . . . 18 + 5.5 I2 Message Format . . . . . . . . . . . . . . . . . . . . 19 + 5.6 R2 Message Format . . . . . . . . . . . . . . . . . . . . 21 + 5.7 No Context Error Message Format . . . . . . . . . . . . . 22 + 5.8 Update Request Message Format . . . . . . . . . . . . . . 23 + 5.9 Update Acknowledgement Message Format . . . . . . . . . . 24 + 5.10 Reachability Probe Message Format . . . . . . . . . . . 24 + 5.11 Reachability Reply Message Format . . . . . . . . . . . 25 + 5.12 Keepalive Message Format . . . . . . . . . . . . . . . . 26 + 5.13 Context Locator Pair Explore Message Format . . . . . . 27 + 5.14 Option Formats . . . . . . . . . . . . . . . . . . . . . 28 + 5.14.1 Validator Option Format . . . . . . . . . . . . . . 29 + 5.14.2 Locator List Option Format . . . . . . . . . . . . . 30 + 5.14.3 Locator Preferences Option Format . . . . . . . . . 31 + 5.14.4 CGA Parameter Data Structure Option Format . . . . . 32 + 5.14.5 CGA Signature Option Format . . . . . . . . . . . . 33 + 5.14.6 ULID Pair Option Format . . . . . . . . . . . . . . 33 + 5.14.7 Packet In Error Option Format . . . . . . . . . . . 34 + 5.14.8 Explorer Results Option Format . . . . . . . . . . . 34 + 6. Conceptual Model of a Host . . . . . . . . . . . . . . . . . 35 + 6.1 Conceptual Data Structures . . . . . . . . . . . . . . . . 36 + 7. Establishing Host Pair Contexts . . . . . . . . . . . . . . 36 + 7.1 Normal context establishment . . . . . . . . . . . . . . . 37 + 7.2 Concurrent context establishment . . . . . . . . . . . . . 37 + 7.3 Context recovery . . . . . . . . . . . . . . . . . . . . . 38 + 7.4 Context confusion . . . . . . . . . . . . . . . . . . . . 39 + 7.5 Sending I1 messages . . . . . . . . . . . . . . . . . . . 40 + 7.6 Receiving I1 messages . . . . . . . . . . . . . . . . . . 40 + 7.7 Receiving R1 messages . . . . . . . . . . . . . . . . . . 41 + 7.8 Retransmitting I2 messages . . . . . . . . . . . . . . . . 41 + 7.9 Receiving I2 messages . . . . . . . . . . . . . . . . . . 41 + 7.10 Receiving R2 messages . . . . . . . . . . . . . . . . . 42 + 8. No Such Content Errors . . . . . . . . . . . . . . . . . . . 42 + 9. Handling ICMP Error Messages . . . . . . . . . . . . . . . . 42 + 10. Teardown of the Host Pair Context . . . . . . . . . . . . . 43 + 11. Updating the Locator Pairs . . . . . . . . . . . . . . . . . 43 + 12. Various Probe Mechanisms . . . . . . . . . . . . . . . . . . 43 + 13. Rehoming to a Different Locator Pair . . . . . . . . . . . . 43 + 14. Payload Packets before a Switch . . . . . . . . . . . . . . 43 + 15. Payload Packets after a Switch . . . . . . . . . . . . . . . 44 + 16. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . 45 + 17. Design Alternatives . . . . . . . . . . . . . . . . . . . . 46 + 17.1 State Cleanup . . . . . . . . . . . . . . . . . . . . . 46 + 17.2 Detecting Context Loss . . . . . . . . . . . . . . . . . 46 + 18. Implications Elsewhere . . . . . . . . . . . . . . . . . . . 47 + 19. Security Considerations . . . . . . . . . . . . . . . . . . 48 + 20. IANA Considerations . . . . . . . . . . . . . . . . . . . . 48 + 21. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 49 + 22. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 49 + 23. References . . . . . . . . . . . . . . . . . . . . . . . . . 49 + 23.1 Normative References . . . . . . . . . . . . . . . . . . 49 + 23.2 Informative References . . . . . . . . . . . . . . . . . 50 + Author's Address . . . . . . . . . . . . . . . . . . . . . . 51 + Intellectual Property and Copyright Statements . . . . . . . 52 1. Introduction The SHIM6 working group, and the MULTI6 WG that preceded it, is exploring a layer 3 shim approach for providing locator agility below the transport protocols, so that multihoming can be provided for IPv6 - with failover and load spreading properties, without assuming that a - multihomed site will have a provider independent IPv6 address which - is announced in the global IPv6 routing table. The hosts in a site - which has multiple provider allocated IPv6 address prefixes, will use - the shim6 protocol specified in this document to setup state with - peer hosts, so that the state can later be used to failover to a + with failover and load spreading properties [13], without assuming + that a multihomed site will have a provider independent IPv6 address + which is announced in the global IPv6 routing table. The hosts in a + site which has multiple provider allocated IPv6 address prefixes, + will use the shim6 protocol specified in this document to setup state + with peer hosts, so that the state can later be used to failover to a different locator pair, should the original one stop working. - This document takes the outlines contained in [16] and [15] and + This document takes the outlines contained in [21] and [20] and expands to an actual proposed protocol. We assume that redirection attacks are prevented using the mechanism - specified in HBA [4]. + specified in HBA [5]. The WG mailing list is discussing the scheme used for reachability - detection [5]. The schemes that are being discussed are Context + detection [6]. The schemes that are being discussed are Context Unreachability Detection (CUD) or Force Bidirectional communication Detection (FBD). This document doesn't discuss the tradeoffs between the two, but it does suggest a set of keepalive and probe messages that are sufficient to handle both. Once the WG has decided which approach to take, we can remove the unneeded messages. There is a related but slightly separate issue of how the hosts can find which of the locator pairs is working after a failure. This is - discussed in [6]. We don't yet know how these details will be done, + discussed in [7]. We don't yet know how these details will be done, but this draft specifies a separate "Explore" message as a placeholder for such a protocol mechanism. -1.1 Placement of the shim +1.1 Goals - TBD: Copy material from [16]. + The goals for this approach is to: + o Preserve established communications through failures, for example, + TCP connections and application communications using UDP. + o Have no impact on upper layer protocols in general and on + transport protocols in particular. + o Address the security threats in [16] through a separate document + [5], and techniques described in this document. + o No extra roundtrip for setup; deferred setup. + o Take advantage of multiple locators/addresses for load spreading + so that different sets of communication to a host (e.g., different + connections) might use different locators of the host. + +1.2 Non-Goals + + The assumption is that the problem we are trying to solve is site + multihoming, with the ability to have the set of site locator + prefixes change over time due to site renumbering. Further, we + assume that such changes to the set of locator prefixes can be + relatively slow and managed; slow enough to allow updates to the DNS + to propagate. But it is not a goal to try to make communication + survive a renumbering event (which causes all the locators of a host + to change to a new set of locators). This proposal does not attempt + to solve, perhaps related, problems such as host multihoming or host + mobility. + + This proposal also does not try to provide an IP identifier. Even + though such a concept would be useful to ULPs and applications, + especially if the management burden for such a name space was zero + and there was an efficient yet secure mechanism to map from + identifiers to locators, such a name space isn't necessary (and + furthermore doesn't seem to help) to solve the multihoming problem. + +1.3 Locators as Upper-layer Identifiers + + Central to this approach is to not introduce a new identifier name + space but instead use one of the locators as the upper-layer ID, + while allowing the locators used in the address fields to change over + time in response to failures of using the original locator. + + This implies that the ULID selection is performed as today's default + address selection as specified in [11]. Underneath, and + transparently, the multihoming shim selects working locator pairs + with the initial locator pair being the ULID pair. When + communication fails the shim can test and select alternate locators. + A subsequent section discusses the issues when the selected ULID is + not initially working hence there is a need to switch locators up + front. + + Using one of the locators as the ULID has certain benefits for + applications which have long-lived session state, or performs + callbacks or referrals, because both the FQDN and the 128-bit ULID + work as handles for the applications. However, using a single 128- + bit ULID doesn't provide seamless communication when that locator is + unreachable. See [17] for further discussion of the application + implications. + + There has been some discussion of using non-routable locators, such + as unique-local addresses [15], as ULIDs in a multihoming solution. + While this document doesn't specify all aspects of this, it is + believed that the approach can be extended to handle such a case. + + For example, the protocol already needs to handle ULIDs that are not + initially reachable. Thus the same mechanism can handle ULIDs that + are permanently unreachable from outside their site. The issue + becomes how to make the protocol perform well when the ULID is not + reachable, for instance, avoiding any timeout and retries in this + case. In addition one would need to understand how the ULAs would be + entered in the DNS to avoid a performance impact on existing, non- + shim6 aware, IPv6 hosts potentially trying to communicate to the + (unreachable) ULA. + +1.4 IP Multicast + + IP Multicast requires that the IP source address field contain a + topologically correct locator for interface that is used to send the + packet, since IP multicast routing uses both the source address and + the destination group to determine where to forward the packet. + (This isn't much different than the situation with widely implemented + ingress filtering [9] for unicast.) + + While in theory it would be possible to apply the shim re-mapping of + the IP address fields between ULIDs and locators, the fact that all + the multicast receivers would need to know the mapping to perform, + makes such an approach difficult in practice. Thus it makes sense to + have multicast ULPs operate directly on locators and not use the + shim. This is quite a natural fit for protocols which use RTP [12], + since RTP already has an explicit identifier in the form of the SSRC + field in the RTP headers. Thus the actual IP address fields are not + important to the application. + +1.5 Renumbering Implications + + As stated above, this approach does not try to make communication + survive renumbering. However, the fact that a ULID might be used + with a different locator over time open up the possibility that + communication between two ULIDs might continue to work after one or + both of those ULIDs are no longer reachable as locators, for example + due to a renumbering event. This opens up the possibility that the + ULID (or at least the prefix on which it is based) is reassigned to + another site while it is still being used (with another locator) for + existing communication. + + Worst case we could end up with two separate hosts using the same + ULID while both of them are communicating with the same host. + + This potential source for confusion can be avoided if we require that + any communication using a ULID must be terminated when the ULID + becomes invalid (due to the underlying prefix becoming invalid). + + However, this might be an overkill. Even when an IPv6 prefix is + retired and reassigned to some other site, there is still a very + small probability that another host in that site picks the same 128 + bit address (whether using DHCPv6, stateless address + autoconfiguration, or picking a random interface ID [10]). Should + the identical address be used by another host, then there still + wouldn't be a problem until that host attempts to communicate with + the same host with which the initial user of the IPv6 address was + communicating. + +1.6 Placement of the shim + + ----------------------- + | Transport Protocols | + ----------------------- + + ------ ------- -------------- ------------- IP endpoint + | AH | | ESP | | Frag/reass | | Dest opts | sub-layer + ------ ------- -------------- ------------- + + --------------------- + | shim6 shim layer | + --------------------- + + ------ IP routing + | IP | sub-layer + ------ + + Figure 1: Protocol stack + + The proposal uses an multihoming shim layer within the IP layer, + i.e., below the ULPs, as shown in Figure 1, in order to provide ULP + independence. The multihoming shim layer behaves as if it is + associated with an extension header, which would be ordered + immediately after any hop-by-hop options in the packet. However, + when the locator pair is the ULID pair there is no data that needs to + be carried in an extension header, thus none is needed in that case. + + Layering AH and ESP above the multihoming shim means that IPsec can + be made to be unaware of locator changes the same way that transport + protocols can be unaware. Thus the IPsec security associations + remain stable even though the locators are changing. The MOBIKE WG + is looking at ways to have IPsec security associations survive even + though the IP addresses changes, which is a different approach. + + Layering the fragmentation header above the multihoming shim makes + reassembly robust in the case that there is broken multi-path routing + which results in using different paths, hence potentially different + source locators, for different fragments. Thus, effectively the + multihoming shim layer is placed between the IP endpoint sublayer, + which handles fragmentation, reassembly, and IPsec, and the IP + routing sublayer, which on a host selects which default router to use + etc. + + Applications and upper layer protocols use ULIDs which the shim6 + layer will map to/from different locators. The shim6 layer maintains + state, called host-pair context, per ULID pairs (that is, applies to + all ULP connections between the ULID pair) in order to perform this + mapping. The mapping is performed consistently at the sender and the + receiver, thus from the perspective of the upper layer protocols, + packets appear to be sent using ULIDs from end to end, even though + the packets travel through the network containing locators in the IP + address fields, and even though those locators might be changed by + the transmitting shim6 layer. + + The context state in this approach is maintained per remote ULID i.e. + approximately per peer host, and not at any finer granularity. In + particular, it is independent of the ULPs and any ULP connections. + However, the forking capability enables shim-aware ULPs to use more + than one locator pair at a time for an single ULID pair. + + ---------------------------- ---------------------------- + | Sender A | | Receiver B | + | | | | + | ULP | | ULP | + | | src ULID(A)=L1(A) | | ^ | + | | dst ULID(B)=L1(B) | | | src ULID(A)=L1(A) | + | v | | | dst ULID(B)=L1(B) | + | multihoming shim | | multihoming shim | + | | src L2(A) | | ^ | + | | dst L3(B) | | | src L2(A) | + | v | | | dst L3(B) | + | IP | | IP | + ---------------------------- ---------------------------- + | ^ + ------- cloud with some routers ------- + + Figure 2: Mapping with changed locators + + The result of this consistent mapping is that there is no impact on + the ULPs. In particular, there is no impact on pseudo-header + checksums and connection identification. + + Conceptually one could view this approach as if both ULIDs and + locators are being present in every packet, but with a header + compression mechanism applied that removes the need for the ULIDs + once the state has been established. In order for the receiver to + recreate a packet with the correct ULIDs there might be a need to + include some "compression tag" in the data packets. This would serve + to indicate the correct context to use for decompression when the + locator pair in the packet is insufficient to uniquely identify the + context. 2. Terminology This document uses the terms MUST, SHOULD, RECOMMENDED, MAY, SHOULD - NOT and MUST NOT defined in RFC 2119 [7]. The terms defined in RFC - 2460 [1] are also used. + NOT and MUST NOT defined in RFC 2119 [1]. The terms defined in RFC + 2460 [2] are also used. 2.1 Definitions - This document introduces the following terms (taken from [16]): - + This document introduces the following terms (taken from [21]): upper layer protocol (ULP) A protocol layer immediately above IP. Examples are transport protocols such as TCP and UDP, control protocols such as ICMP, routing protocols such as OSPF, and internet or lower-layer protocols being "tunneled" over (i.e., encapsulated in) IP such as IPX, AppleTalk, or IP itself. - interface A node's attachment to a link. - address An IP layer name that contains both topological significance and acts as a unique identifier for an interface. 128 bits. This document only uses the "address" term in the case where it isn't specific whether it is a locator or a identifier. - locator An IP layer topological name for an interface or a set of interfaces. 128 bits. The locators are carried in the IP address fields as the packets traverse the network. - identifier An IP layer name for an IP layer endpoint (stack - name in [18]). The transport endpoint name is a + name in [23]). The transport endpoint name is a function of the transport protocol and would typically include the IP identifier plus a port number. NOTE: This proposal does not specify any new form of IP layer identifier, but still separates the identifying and locating properties of the IP addresses. - upper-layer identifier (ULID) An IP locator which has been selected for communication with a peer to be used by the upper layer protocol. 128 bits. This is used for pseudo-header checksum computation and connection identification in the ULP. Different sets of communication to a host (e.g., different connections) might use different ULIDs in order to enable load spreading. @@ -212,70 +420,87 @@ layer protocol. 128 bits. This is used for pseudo-header checksum computation and connection identification in the ULP. Different sets of communication to a host (e.g., different connections) might use different ULIDs in order to enable load spreading. Since the ULID is just one of the IP locators/ addresses of the node, there is no need for a separate name space and allocation mechanisms. - address field The source and destination address fields in the IPv6 header. As IPv6 is currently specified this fields carry "addresses". If identifiers and locators are separated these fields will contain locators for packets on the wire. - FQDN Fully Qualified Domain Name - Host-pair context The state that the multihoming shim maintains for - a particular peer. The peer is identified by one - or more ULIDs. + a particular peer. The context is for a ULID + pair, as is identified by a context tag for each + direction. + Context tag Each end of the context allocates a context tag + for the context. This is used to uniquely + associate both received control packets and + payload packets with the shim6 Payload extension + header as belonging to the context. + Current locator pair Each end of the context has a current locator + pair which is used to send packets to be peer. + The two ends might use different locator pairs + though. + Default context At the sending end, the shim uses the ULID pair + (passed down from the ULP) to find the context + for that pair. Thus, normally, a host can have + at most one context for a ULID pair. We call + this the "default context". + Context forking A mechanism which allows ULPs that are aware of + multiple locators to use separate contexts for + the same ULID pair, in order to be able use + different locator pairs for different + communication to the same ULID. Context forking + causes more than just the default context to be + created for a ULID pair. 2.2 Notational Conventions A, B, and C are hosts. X is a potentially malicious host. FQDN(A) is the domain name for A. Ls(A) is the locator set for A, which consists of the locators L1(A), L2(A), ... Ln(A). ULID(A) is an upper-layer ID for A. In this proposal, ULID(A) is always one member of A's locator set. This document also makes use of internal conceptual variables to describe protocol behavior and external variables that an implementation must allow system administrators to change. The specific variable names, how their values change, and how their settings influence protocol behavior are provided to demonstrate protocol behavior. An implementation is not required to have them in the exact form described here, so long as its external behavior is - consistent with that described in this document. See Section 7 for a + consistent with that described in this document. See Section 6 for a description of the conceptual data structures. 3. Assumptions The general approach of a level3 shim as well as this specific proposal makes the following assumptions: - o When there is ingress filtering in the ISPs, that the use of all - {source, destination} locator pairs will cause the packets to exit + locator pairs will cause the packets to exit using different ISPs so that all exit ISPs can be tried. Since there might be only one destination locator, when the peer supports shim6 but is not multihomed, this implies that the selection of the exit ISP should be related to the source address in the packets. - o Even without ingress filtering, there is the assumption that if - the host tries all {source, destination} locator pairs, that it + the host tries all locator pairs, that it has done a good enough job of trying to find a working path to the peer. Since we want the protocol to provide benefits even if the peer has a single locator, this seems to imply that the choice of source locator needs to somehow affect the exit path from the site. 4. Protocol Overview The shim6 protocol operates in several phases over time. The following sequence illustrates the concepts: @@ -272,232 +497,171 @@ has done a good enough job of trying to find a working path to the peer. Since we want the protocol to provide benefits even if the peer has a single locator, this seems to imply that the choice of source locator needs to somehow affect the exit path from the site. 4. Protocol Overview The shim6 protocol operates in several phases over time. The following sequence illustrates the concepts: - o An application on host A decides to contact B using some upper- layer protocol. This results in the ULP on A sending packets to B. We call this the initial contact. Assuming the IP addresses - selected by Default Address Selection [9] work, then there is no + selected by Default Address Selection [11] work, then there is no action by the shim at this point in time. Any shim context establishment can be deferred until later. - o Some heuristic on A or B (or both) determine that it might make sense to make this communication robust against locator failures. For instance, this heuristic might be that more than 50 packets have been sent or received. This makes the shim initiate the 4-way context establishment exchange. As a result of this exchange, both A and B will know a list of locators for each other. + If the context establishment exchange fails, the initiator will + then know that the other end does not support shim6, and will + revert to standard unicast behavior for the session. o Communication continues without any change for the ULP packets. In addition, there might be some messages exchanged between the shim sub-layers for (un)reachability detection. - o At some point in time something fails. Depending on the approach to reachability detection, there might be some advise from the ULP, or the shim (un)reachability detection might discover that there is a problem. At this point in time one or both ends of the communication need to explore the different alternate locator pairs until a working pair is found, and rehome to using that pair. - o Once a working alternative locator pair has been found, the shim - will rewrite the packets on transmit, and tag the packets with a - shim context tag, and send them on the wire. The receiver will - use the to find - the context state which will indicate which addresses to place in - the IPv6 header before passing the packet up to the ULP. The - result is that from the perspective of the ULP the packet passes - unmodified end-to-end, even though the IP routing infrastructure - sends the packet to a different locator. - + will rewrite the packets on transmit, and tag the packets with + shim6 Payload message as an extension header, which contains the + receiver's context tag. The receiver will use the to find the context + state which will indicate which addresses to place in the IPv6 + header before passing the packet up to the ULP. The result is + that from the perspective of the ULP the packet passes unmodified + end-to-end, even though the IP routing infrastructure sends the + packet to a different locator. o The shim (un)reachability detection will monitor the new locator pair as it monitored the original locator pair, so that subsequent failures can be detected. + o In addition to failures detected based on end-to-end observations, + one endpoint might be know for certain that one or more of its + locators is not working. For instance, the network interface + might have failed or gone down (at layer 2), or an IPv6 address + might have become invalid. In such cases the host can signal its + peer that this address is no longer recommended to try. Thus this + triggers something similar to a failure handling in that a new, + working locator pair must be found. + The Working Group has discussed whether or not hosts can express + other forms of locator preferences. If this is the case, a change + in the preferences can be signaled to the peer, which might make + the peer choose to try a different locator pair. Thus, this can + also be treated similarly to a failure. o When the shim thinks that the context state is no longer used, it can garbage collect the state; there is no coordination necessary with the peer host before the state is removed. There is an error message defined to be able to signal when there is no context state, which can be used to detect and recover from both premature garbage collection, as well as complete state loss (crash and reboot) of a peer. - The data packets in shim6 are carried completely unmodified as long - as the ULID pair is used as the locator pair. After a switch to a - different locator pair the packets are "tagged" so that the receiver - can always determine the context to which they belong. For commonly - used IP protocols this is done by using a different value in the Flow - Label field, that is, there is no additional header added to the - packets. But for other IP protocol types there is an extra 8 byte - header inserted, which carries the next header value. + The ULP packets in shim6 are carried completely unmodified as long as + the ULID pair is used as the locator pair. After a switch to a + different locator pair the packets are "tagged" with a shim6 + extension header, so that the receiver can always determine the + context to which they belong. This is accomplished by including an + 8-octet "shim payload" extension header before the (extension) + headers that are processed by the IP endpoint sublayer and ULPs. -4.1 Context Tags and Use of Flow Label +4.1 Context Tags - A context between to hosts is actually a context between two ULIDs. + A context between two hosts is actually a context between two ULIDs. The context is identified by a pair of context tags. Each end gets to allocate a context tag, and once the context is established, the shim6 control messages contain the context tag that the receiver of the message allocated. Thus at a minimum the combination of tag MUST uniquely identify one context. In addition, the non-shim6 messages, which we call payload packets, will not contain the ULIDs after a failure. This introduces the requirement that the MUST uniquely identify the context. Since the peer's set of locators might be dynamic the simplest form of unique allocation of the local context tag is to pick a number that is unique on the host. Hosts which serve multiple ULIDs using disjoint sets of locators can maintain the context tag allocation per such disjoint set. - As an optimization, to ensure that payload packets, even after the - locators have been switched from being the original ones, do not - require an extra shim extension header, the proposal uses the Flow - Label field in the IPv6 header to carry the context tag for common - upper layer protocols such as TCP and UDP. This works as follows: - - o The allocation and usage of the flow label during the initial - communication is unchanged. Thus the TCP, UDP, etc packets are - sent with a flow label which is allocated according to [11]. - - o When the context is created, each endpoint picks an unused context - tag based on the constraints above, which is also not used as a - flow label for the set of locators. - - o The context tag is used by the shim to refer to the shim state in - the control messages (such as probes, and locator updates. - - o The payload traffic (TCP, UDP, etc.) continue to flow unchanged. - - o Should there be a need to switch to a different locator pair, then - the TCP, UDP, etc packets will be sent using an alternate locator - pair, and with a flow label that is the same as the (20 bit) - context tag. - The mechanism for detecting a loss of context state at the peer that is currently proposed in this document assumes that the receiver can tell the packets that need locator rewriting, even after it has lost - all state (e.g., due to a crash followed by a reboot). The next - section specifies how this can be done. - - Note that there is no need for a single context to have more than one - context tag; whether the locator pair is , or the same context tag is used in the flow label field. Only the - payload packets using the original locator pair use the flow - label (which is different than the context tag). - - Whether we overload the flow label field to carry the context tag or - not, any protocol (such as RSVP or NSIS) which signals information - about flows from the host stack to devices in the path, need to be - made aware of the locator agility introduced by a layer 3 shim, so - that the signaling can be performed for the locator pairs that are - currently being used. - -4.2 Protocol type overloading - - The mechanism for detecting a loss of context state at the peer that - is currently proposed in this document assumes that the receiver can - tell the packets that need locator rewriting, even after it has lost - all state (e.g., due to a crash followed by a reboot). There is an - alternative to detection of lost state outlined in Section 18. - - The idea is to steal a partial bit from the protocol type fields that - are used in the Next Header values, so that the common upper layer - protocols can be identified. - - For example: - - o TCP has protocol 6; TCP using alternate locators has protocol P. - - o UDP has protocol 17; TCP using alternate locators has protocol - P+1. - - o ICMPv6 has protocol 58; ICMPv6 using alternate locators has - protocol P+2. - - o SCTP has protocol 132; SCTP using alternate locators has protocol - P+3. - - o DCCP has protocol ??; DCCP using alternate locators has protocol - P+4. - - o ESP has protocol 50; ESP using alternate locators has protocol - P+5. - - o AH has protocol 51; AH using alternate locators has protocol P+6. + all state (e.g., due to a crash followed by a reboot). - o FRAG has protocol 44; FRAG using alternate locators has protocol - P+7. + Even though we do not overload the flow label field to carry the + context tag, any protocol (such as RSVP or NSIS) which signals + information about flows from the host stack to devices in the path, + need to be made aware of the locator agility introduced by a layer 3 + shim, so that the signaling can be performed for the locator pairs + that are currently being used. - Thus with 7 or so additional protocol field values we can do a - reasonable job of overloading the flow label field and get detection - of lost context state. + TBD: add forking - multiple contexts between ULID pairs, default + context, etc -4.3 Securing shim6 +4.2 Securing shim6 The mechanisms are secured using a combination of techniques: - - o The HBA technique [4] for validating the locators to prevent an + o The HBA technique [5] for validating the locators to prevent an attacker from redirecting the packet stream to somewhere else. - o Requiring a Reachability Probe+Reply before a new locator is used as the destination, in order to prevent 3rd party flooding attacks. - o The first message does not create any state on the responder. Essentially a 3-way exchange is required before the responder creates any state. This means that a state-based DoS attack (trying to use up all of memory on the responder) at least provides an IPv6 address that the attacker was using. - o The context establishment messages use nonces to prevent replay attacks. -4.4 Overview of Shim Control Messages +4.3 Overview of Shim Control Messages The shim context establishment is accomplished using four messages; I1, R1, I2, R2. Normally they are sent in that order from initiator and responder, respectively. Should both ends attempt to set up context state at the same time (for the same ULID pair), then their I1 messages might cross in flight, and result in an immediate R2 - message. [The names of these messages are borrowed from HIP [17].] + message. [The names of these messages are borrowed from HIP [22].] - There is a No Contex error message defined, when a control or payload - packet arrives and there is no matching context state at the + There is a No Context error message defined, when a control or + payload packet arrives and there is no matching context state at the receiver. When such a message is received, it will result in the destruction of the shim context and a re-establishment. The peers' lists of locators are normally exchanged as part of the context establishment exchange. But the set of locators might be dynamic. For this reason there is a Locator List Update message and acknowledgement. Even though the list of locators is fixed, a host might determine that some preferences might have changed. For instance, it might determine that there is a locally visible failure that implies that some locator(s) are no longer usable. Currently this mechanism has a separate message pair (Rehome Request and acknowledgement), but perhaps this can be encoded using the Locator List Update message pair with a preference option and no change to the list of locators. At least two approaches (CUD and FBD) have been discussed for the - shim (un)reachability detection [5]. This document attempt to define + shim (un)reachability detection [6]. This document attempt to define messages for both cases; once the WG has picked an approach we can delete any unneeded messages. The CUD approach uses a probe message and acknowledgement, which can be suppressed e.g. using positive advise from the ULP. This message pair also seems needed to verify that the host is indeed present at a new locator before the data stream is redirected to that locator, in order to prevent 3rd party DoS attacks. The FBD approach uses a keepalive message, which is sent when a host @@ -510,163 +674,178 @@ is trying to setup some communication). If we want the shim to be able to optimize discovering a working locator pair in that case, we need a mechanism to test the reachability of locators independent of some context. We define a locator pair test message and acknowledgement for this purpose, even though it isn't yet clear whether we need such a thing. Finally, when the context is established and there is a failure there needs to be a way to explore the set of locator pairs to efficiently find a working pair. We define an explore message as a placeholder - for some mechanism in this space [6]. + for some mechanism in this space [7]. 5. Message Formats The shim6 messages are all carried using a new IP protocol number TBD [to be assigned by IANA]. The shim6 messages have a common header, defined below, with some fixed fields, followed by type specific fields. -5.1 Common Shim6 header +5.1 Payload Message Format + + The payload message is used to carry ULP packets where the receiver + must replace the content of the source and or destination fields in + the IPv6 header before passing the packet to the ULP. Thus this + extension header is included when the locators pair that is used is + not the same as the ULID pair. + + Since the shim is placed between the IP endpoint sub-layer and the IP + routing sub-layer in the host, the shim header will be placed before + any endpoint extension headers (fragmentation headers, destination + options header, AH, ESP), but after any routing related headers (hop- + by-hop extensions header, routing header, a destinations options + header which precedes a routing header). When tunneling is used, + whether IP-in-IP tunneling or the special form of tunneling that + Mobile IPv6 uses (with Home Address Options and Routing header type + 2), there is a choice whether the shim applies inside the tunnel or + outside the tunnel, which effects the location of the shim6 header. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Next Header | 0 |1| Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiver Context Tag | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Fields: + Next Header: The payload which follows this header. + Hdr Ext Len: 0 (since the header is 8 octets). + Reserved: Reserved for future use. Zero on transmit. MUST be + ignored on receipt. + Receiver Context Tag: 32-bit unsigned integer. Allocated by the + receiver for use to identify the context (together + with the source and destination locators). + +5.2 Common Shim6 Control header The common part of the header has a next header and header extension length field which is consistent with the other IPv6 extension - headers, even if the next header value is only used for data payload - which is carried with a shim6 header on the front. + headers, even if the next header value is always "NO NEXT HEADER" for + the control messages; only the payload messages use the Next Header + field. The shim6 headers must be a multiple of 8 octets, hence the minimum size is 8 octets. The common message header is as follows: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Next Header | Hdr Ext Len | Checksum | + | Next Header | Hdr Ext Len |0| Type |Type specific|0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type | | - +-+-+-+-+-+-+-+-+ | + | Checksum | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Type specific format | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: Next Header: 8-bit selector. Normally set to NO_NXT_HDR (59). Indicates the next header value for the shim6 payload messages. - Hdr Ext Len: 8-bit unsigned integer. Length of the shim6 header in 8-octet units, not including the first 8 octets. - + Type: 7-bit unsigned integer. Identifies the actual message + from the table below. + 0: A single bit (set to zero) which allows shim6 and HIP + to have a common header format yet telling shim6 and + HIP messages apart. Checksum: 16-bit unsigned integer. The checksum is the 16-bit one's complement of the one's complement sum of the entire shim6 header message starting with the shim6 next header field, and ending as indicated by the Hdr Ext Len. Thus when there is a payload following the shim6 header, the payload is NOT included in the shim6 checksum. - Type: 8-bit unsigned integer. Identifies the actual message - from the table below. - +------------+-----------------------------------------------------+ | Type Value | Message | +------------+-----------------------------------------------------+ | 1 | I1 (first establishment message from the initiator) | - | | | | 2 | R1 (first establishment message from the responder) | - | | | | 3 | I2 (2nd establishment message from the initiator) | - | | | | 4 | R2 (2nd establishment message from the responder) | - | | | | 5 | No Context Error | - | | | - | 6 | Locator List Update | - | | | - | 7 | Locator List Update Acknowledgement | - | | | - | 8 | Rehome Request | - | | | - | 9 | Rehome Acknowledgement | - | | | - | 10 | Reachability Probe | - | | | - | 11 | Reachability Probe Reply | - | | | - | 12 | Payload | - | | | - | 13 | Keepalive | - | | | - | 14 | Locator Pair Test | - | | | - | 15 | Locator Pair Test Reply | - | | | - | 16 | Context Locator pair explore | + | 6 | Update Request | + | 7 | Update Acknowledgement | + | 8 | Reachability Probe | + | 9 | Reachability Reply | + | 10 | Keepalive | + | 11 | Context Locator Pair Explore | +------------+-----------------------------------------------------+ Table 1 -5.2 I1 Message Format +5.3 I1 Message Format The I1 message is the first message in the context establishment exchange. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 59 | Hdr Ext Len | Checksum | + | 59 | Hdr Ext Len |0| Type = 1 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 1 | Res | Initiator Context Tag | + | Checksum | Reserved2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Initiator Context Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initiator Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - Next Header: NO_NXT_HDR (59). - Type: 1 - - Res: 4-bit field. Reserved for future use. Zero on + Reserved1: 7-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. - - Initiator Context Tag: 20-bit field. The Context Tag the initiator + Reserved2: 16-bit field. Reserved for future use. Zero on + transmit. MUST be ignored on receipt. + Initiator Context Tag: 32-bit field. The Context Tag the initiator has allocated for the context. - Initiator Nonce: 32-bit unsigned integer. A random number picked by the initiator which the responder will return in the R1 message. The following options are allowed in the message: - ULID pair: TBD Do we need to carry the ULIDs, or assume they are the same as the address fields in the IPv6 header? Depends on how we handle failures during initial contact. -5.3 R1 Message Format +5.4 R1 Message Format The R1 message is the second message in the context establishment exchange. The responder sends this in response to an I1 message, without creating any state specific to the initiator. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 59 | Hdr Ext Len | Checksum | + | 59 | Hdr Ext Len |0| Type = 2 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 2 | Reserved | + | Checksum | Reserved2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initiator Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Responder Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -664,56 +843,54 @@ | Initiator Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Responder Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - Next Header: NO_NXT_HDR (59). - Type: 2 - - Reserved: 24-bit field. Reserved for future use. Zero on + Reserved1: 7-bit field. Reserved for future use. Zero on + transmit. MUST be ignored on receipt. + Reserved2: 16-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. - Initiator Nonce: 32-bit unsigned integer. Copied from the I1 message. - Responder Nonce: 32-bit unsigned integer. A number picked by the - initiator which the initiator will return in the I2 + responder which the initiator will return in the I2 message. The following options are allowed in the message: - - Responder Validator: Variable length mandatory option. Typically a - hash generated by the responder, which the responder - uses together with the Responder Nonce value to verify - that an I2 message is indeed sent in response to a R1 + Responder Validator: Variable length option. Typically a hash + generated by the responder, which the responder uses + together with the Responder Nonce value to verify that + an I2 message is indeed sent in response to a R1 message, and that the parameters in the I2 message are the same as those in the I1 message. -5.4 I2 Message Format +5.5 I2 Message Format The I2 message is the third message in the context establishment exchange. The initiator sends this in response to a R1 message, after checking the Initiator Nonce, etc. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 59 | Hdr Ext Len | Checksum | + | 59 | Hdr Ext Len |0| Type = 3 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 3 | Res | Initiator Context Tag | + | Checksum | Reserved2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Initiator Context Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initiator Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Responder Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -711,787 +888,634 @@ | Initiator Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Responder Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - Next Header: NO_NXT_HDR (59). - Type: 3 - - Res: 4-bit field. Reserved for future use. Zero on + Reserved1: 7-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. - - Initiator Context Tag: 20-bit field. The Context Tag the initiator - has allocated for the context - + Reserved2: 16-bit field. Reserved for future use. Zero on + transmit. MUST be ignored on receipt. + Initiator Context Tag: 32-bit field. The Context Tag the initiator + has allocated for the context. Initiator Nonce: 32-bit unsigned integer. A random number picked by the initiator which the responder will return in the R2 message. - Responder Nonce: 32-bit unsigned integer. Copied from the R1 message. The following options are allowed in the message: - - Responder Validator: Variable length mandatory option. Copied from - the Validator in the R1 message. - + Responder Validator: Variable length option. Just a copy of the + Validator option in the R1 message. ULID pair: TBD Do we need to carry the ULIDs, or assume they are the same as the address fields in the IPv6 header? - Locator list: Optionally sent when the initiator immediately wants to tell the responder its list of locators. When it is sent, the necessary HBA/CGA information for validating the locator list MUST also be included. - Locator Preferences: Optionally sent when the locators don't all have equal preference. CGA Parameter Data Structure: Included when the locator list is included so the receiver can verify the locator list. - CGA Signature: Included when the some of the locators in the list use CGA (and not HBA) for validation. -5.5 R2 Message Format +5.6 R2 Message Format The R2 message is the fourth message in the context establishment exchange. The responder sends this in response to an I2 message. The R2 message is also used when both hosts send I1 messages at the same time and the I1 messages cross in flight. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 59 | Hdr Ext Len | Checksum | + | 59 | Hdr Ext Len |0| Type = 4 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 4 | Res | Responder Context Tag | + | Checksum | Reserved2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Responder Context Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Initiator Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - Next Header: NO_NXT_HDR (59). - Type: 4 - - Res: 4-bit field. Reserved for future use. Zero on + Reserved1: 7-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. - - Responder Context Tag: 20-bit field. The Context Tag the responder - has allocated for the context - + Reserved2: 16-bit field. Reserved for future use. Zero on + transmit. MUST be ignored on receipt. + Responder Context Tag: 32-bit field. The Context Tag the responder + has allocated for the context. Initiator Nonce: 32-bit unsigned integer. Copied from the I2 message. The following options are allowed in the message: - Locator List: Optionally sent when the responder immediately wants to tell the initiator its list of locators. When it is sent, the necessary HBA/CGA information for validating the locator list MUST also be included. Locator Preferences: Optionally sent when the locators don't all have equal preference. - CGA Parameter Data Structure: Included when the locator list is - included so the receiver can verify the locator list. - + included and the PDS was not included in the context + establishment messages, so the receiver can verify the + locator list. CGA Signature: Included when the some of the locators in the list use CGA (and not HBA) for validation. -5.6 No Context Error Message Format +5.7 No Context Error Message Format - Should a host receive a packet (payload packet or shim6 control - message such a a locator update) and the host does not have any - context state for the locators (in the IPv6 source and destination - fields) and the context tag, then it will generate a No Context - Error. The error includes the packet that was received, subject to - the packet not exceeding 1280 octets. + Should a host receive a packet with a shim Payload message or shim6 + control message, such a a locator update, and the host does not have + any context state for the locators (in the IPv6 source and + destination fields) and the context tag, then it will generate a No + Context Error. The error includes the packet that was received, + subject to the packet not exceeding 1280 octets. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 59 | Hdr Ext Len | Checksum | + | 59 | Hdr Ext Len |0| Type = 5 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 5 | Reserved | + | Checksum | Reserved2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - Next Header: NO_NXT_HDR (59). - Type: 5 - - Reserved: 24-bit field. Reserved for future use. Zero on + Reserved1: 7-bit field. Reserved for future use. Zero on + transmit. MUST be ignored on receipt. + Reserved2: 16-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. The following options are allowed in the message: + Packet in Error: Variable length option containing the IPv6 packet + that was in error, starting with the IPv6 header, and + normally containing the full packet. If the resulting + No Context Error message would exceed 1280 octets, the + Packet In Error option will not include the full + packet in error in order to limit the error to 1280 + octets. - Packet in Error: Variable length mandatory option containing the IPv6 - packet that was in error, starting with the IPv6 - header, and normally containing the full packet. If - the resulting No Context Error message would exceed - 1280 octets, the Packet In Error option will not - include the full packet in error in order to limit the - error to 1280 octets. - -5.7 Locator List Update Message Format +5.8 Update Request Message Format - The Locator List Update (LLU) Message contains a complete replacement - of the senders locator list, and the options necessary for HBA/CGA to - secure this. The basic sanity check that prevents off-path attackers - from generating bogus updates is the context tag in the message. + The Update Request Message is used to update either the list or + locators, the locator preferences, and both. When the list of + locators is updated, the message also contains the option(s) + necessary for HBA/CGA to secure this. The basic sanity check that + prevents off-path attackers from generating bogus updates is the + context tag in the message. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 59 | Hdr Ext Len | Checksum | + | 59 | Hdr Ext Len |0| Type = 6 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 6 | Res | Initiator Context Tag | + | Checksum | Reserved2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiver Context Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Request Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - Next Header: NO_NXT_HDR (59). - Type: 6 - - Res: 4-bit field. Reserved for future use. Zero on + Reserved1: 7-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. - - Initiator Context Tag: 20-bit field. The Context Tag the initiator - has allocated for the context. - + Reserved2: 16-bit field. Reserved for future use. Zero on + transmit. MUST be ignored on receipt. + Receiver Context Tag: 32-bit field. The Context Tag the receiver has + allocated for the context. Request Nonce: 32-bit unsigned integer. A random number picked by - the initiator which the responder will return in the + the initiator which the peer will return in the acknowledgement message. The following options are allowed in the message: - Locator List: The list of the senders (new) locators. The locators might be unchanged and only the preferences have changed. - Locator Preferences: Optionally sent when the locators don't all have equal preference. - CGA Parameter Data Structure: Included so the receiver can verify the - locator list. - CGA Signature: Included when the some of the locators in the list use CGA (and not HBA) for validation. -5.8 Locator List Update Acknowledgement Message Format +5.9 Update Acknowledgement Message Format - This message is sent in response to a LLU message. + This message is sent in response to a Update Request message. It + implies that the Update Request has been received, and that any new + locators in the Update Request can now be used as the source locators + of packets. But it does not imply that the (new) locators have been + verified and will be used as a destination, since the host might + defer the verification of a locator until it is used as a + destination. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 59 | Hdr Ext Len | Checksum | + | 59 | Hdr Ext Len |0| Type = 7 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 7 | Res | Responder Context Tag | + | Checksum | Reserved2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiver Context Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Request Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - Next Header: NO_NXT_HDR (59). - Type: 7 - - Res: 4-bit field. Reserved for future use. Zero on + Reserved1: 7-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. + Reserved2: 16-bit field. Reserved for future use. Zero on + transmit. MUST be ignored on receipt. + Receiver Context Tag: 32-bit field. The Context Tag the receiver has + allocated for the context. + Request Nonce: 32-bit unsigned integer. Copied from the Update + Request message. - Initiator Context Tag: 20-bit field. The Context Tag the responder - has allocated for the context. - - Request Nonce: 32-bit unsigned integer. Copied from the LLU message. - - The following options are allowed in the message: - - TBD any options?: - -5.9 Rehome Request Message Format - - TBD Is there any use to have a separate Rehome pair of messages? The - sender can indicates its new knowledge of one of its locators (such - as it no longer working) using the LLU message. Would it be useful - to be able to specify just failure or preference changes without - listing the actual locators? This would require that the locator - list is ordered so that a Rehome Request can refer to the locators by - some short index. - - Perhaps this functionality can be accomplished by sending a Locator - Update message and only including new Locator Preferences, without - including any Locator List option? If so, we don't need a separate - message. - -5.10 Rehome Acknowledgement Message Format - - TBD: See above. + No options are currently defined for this message. -5.11 Reachability Probe Message Format +5.10 Reachability Probe Message Format The Reachability Probe message is used to prevent 3rd party DoS attacks, and can also be used to verify whether a context is reachable at a given locator should that be needed for the general reachability detection mechanism (e.g., if we pick the CUD mechanism where one end sends probes and expects a reply). Before a host uses a locator for the peer that is different than the ULID, it needs to verify that the peer is indeed present at that locator by sending a Context Verify and receiving an acknowledgement. This message includes the ULID pair as well as the context tag, so that the peer can indeed verify that it has that ULID and that the context tag is correct. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 59 | Hdr Ext Len | Checksum | + | 59 | Hdr Ext Len |0| Type = 8 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 10 | Res | Receiver Context Tag | + | Checksum | Reserved2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiver Context Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Request Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - Next Header: NO_NXT_HDR (59). - - Type: 10 - - Res: 4-bit field. Reserved for future use. Zero on + Type: 8 + Reserved1: 7-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. - - Receiver Context Tag: 20-bit field. The Context Tag the peer has + Reserved2: 16-bit field. Reserved for future use. Zero on + transmit. MUST be ignored on receipt. + Receiver Context Tag: 32-bit field. The Context Tag the receiver has allocated for the context. - Request Nonce: 32-bit unsigned integer. A random number picked by the initiator which the responder will return in the acknowledgement message. The following options are allowed in the message: - ULID pair: The ULID pair that is being probed. -5.12 Reachability Probe Reply Message Format +5.11 Reachability Reply Message Format This is sent in response to a Reachability Probe message. Although, - if the receiver of the RT does not have a matching context it will - send a No Context Error message. + if the receiver of the Reachability Probe does not have a matching + context it will send a No Context Error message. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 59 | Hdr Ext Len | Checksum | + | 59 | Hdr Ext Len |0| Type = 9 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 11 | Res | Receiver Context Tag | + | Checksum | Reserved2 | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiver Context Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Request Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - Next Header: NO_NXT_HDR (59). - - Type: 11 - - Res: 4-bit field. Reserved for future use. Zero on + Type: 9 + Reserved1: 7-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. - - Receiver Context Tag: 20-bit field. The Context Tag the peer has + Reserved2: 16-bit field. Reserved for future use. Zero on + transmit. MUST be ignored on receipt. + Receiver Context Tag: 32-bit field. The Context Tag the receiver has allocated for the context. - Request Nonce: 32-bit unsigned integer. Copied from the request message. The following options are allowed in the message: - ULID pair: The ULID pair that is being probed. Copied from the Probe message. -5.13 Payload Message Format - - The payload message is used for payload which do not have a - designated "foo-inside-shim6" protocol type, as specified in - Section 4.2. - - Since the shim is placed between the IP endpoint sub-layer and the IP - routing sub-layer in the host, the shim header will be placed before - any endpoint extension headers (fragmentation headers, destination - options header, AH, ESP), but after any routing related headers (hop- - by-hop extensions header, routing header, a destinations options - header which precedes a routing header). When tunneling is used, - whether IP-in-IP tunneling or the special form of tunneling that - Mobile IPv6 uses (with Home Address Options and Routing header type - 2), there is a choice whether the shim applies inside the tunnel or - outside the tunnel, which effects the location of the shim6 header. - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Next Header | 0 | Checksum | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 12 | Reserved | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - Fields: - - Next Header: The payload which follows this header. - - Hdr Ext Len: 0 (since the header is 8 octets). - - Checksum: The checksum of the 8 octets. - - Type: 12 - - Reserved: Reserved for future use. Zero on transmit. MUST be - ignored on receipt. - -5.14 Keepalive Message Format +5.12 Keepalive Message Format The keepalive message would be used if we decide to do the Force Bidirectional communication as a way to get verification that the locator pair continues to work. If we are not going to do FBD we probably will not need this message. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 59 | Hdr Ext Len | Checksum | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 13 | Res | Receiver Context Tag | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | | - + Options + - | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - Fields: - - Next Header: NO_NXT_HDR (59). - - Type: 13 - - Res: 4-bit field. Reserved for future use. Zero on - transmit. MUST be ignored on receipt. - - Receiver Context Tag: 20-bit field. The Context Tag the peer has - allocated for the context. - - The following options are allowed in the message: - - TBD any options?: - -5.15 Locator Pair Test Message Format - - The above Reachability Probe message probes a context. This message - just probes a locator. If we are going to handle failure during - initial contact using the shim, then the shim needs to be able to - find out what locators are working (and that they correspond to a - desirable ULID) without assuming there is a context setup, and - without knowing the actual ULID. The latter is needed so that we can - handle the case when the AAAA RRset contains any combination of - multiple hosts and multiple IP addresses for a given host. Having - the responder send back the ULID that corresponds to a particular - locator allows the initiator to take the AAAA RRset and determine - which IPv6 addresses therein are for different hosts. - - Once we understand how the shim will be involved in locator failures - during initial contact, then we can determine whether we need this - mechanism, and whether it can be overloaded on the Probe Message - (e.g., by making the Receiver Context tag optional in the - Reachability Probe message). - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + | 59 | Hdr Ext Len |0| Type = 10 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 59 | Hdr Ext Len | Checksum | + | Checksum | Reserved2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 14 | Reserved | + | Receiver Context Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Request Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | - + Target ULID + - | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - Next Header: NO_NXT_HDR (59). - - Type: 14 - - Reserved: 24-bit field. Reserved for future use. Zero on + Type: 10 + Reserved1: 7-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. - - Request Nonce: 32-bit unsigned integer. A random number picked by - the sender which the target will return in the reply - message. - - Target ULID: 128-bit IPv6 address. - - The following options are allowed in the message: - - TBD any options?: - -5.16 Locator Pair Test Reply Message Format - - If a host receives a Locator Pair Test message, and the Target ULID - is one of its IP addresses, then it will send this reply. - - TBD: If ULID doesn't match, does it just ignore the test message? Or - send some error? - - TBD: Should the responder instead return its ULID, so that it is - easier for the sender to determine which of the IPv6 addresses from - the DNS correspond to different hosts vs. different locators for the - same host? - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 59 | Hdr Ext Len | Checksum | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 15 | Reserved | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Request Nonce | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | | - + Target ULID + - | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | | - + Options + - | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - Fields: - - Next Header: NO_NXT_HDR (59). - - Type: 15 - - Reserved: 24-bit field. Reserved for future use. Zero on + Reserved2: 16-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. + Receiver Context Tag: 32-bit field. The Context Tag the receiver has + allocated for the context. + Request Nonce: 32-bit unsigned integer. Copied from the Reachability + Probe message. - Request Nonce: 32-bit unsigned integer. Copied from the test - message. - - Target ULID: 128-bit IPv6 address. Copied from the test message. - TBD: Or should the host be able to fill this in to - make it easier for the peer to determine which - locators refer to the same host? - - The following options are allowed in the message: - - TBD any options?: + No options are currently defined for this message. -5.17 Context Locator Pair Explore Message Format +5.13 Context Locator Pair Explore Message Format - This is a placeholder for the protocol mechanism outlined in [6]. + This is a placeholder for the protocol mechanism outlined in [7]. The idea behind that mechanism is to be able to handle the case when one locator pair works in from A to B, and another locator pair works from B to A, but there is no locator pair which works in both directions. The protocol mechanism is that as A is sending explore - packets to B, B will observe which locator pairs it has received from - and report that back in explore packets it is sending to A. + messages to B, B will observe which locator pairs it has received + from and report that back in explore messages it is sending to A. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 59 | Hdr Ext Len | Checksum | + | 59 | Hdr Ext Len |0| Type = 11 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | 16 | Res | Receiver Context Tag | + | Sequence Number | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Sequence Number | + | Receiver Context Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - Next Header: NO_NXT_HDR (59). - - Type: 16 - - Res: 4-bit field. Reserved for future use. Zero on + Type: 11 + Reserved1: 7-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. - - Receiver Context Tag: 20-bit field. The Context Tag the peer has + Sequence Number: 16-bit unsigned integer. Used to determine which + messages have been received by the peer. + Receiver Context Tag: 32-bit field. The Context Tag the receiver has allocated for the context. - Sequence Number: 32-bit unsigned integer. Used to determine which - packets have been received by the peer. - The following options are allowed in the message: - Explorer Results: Indication of what Explorer messages the sender has recently received from the peer. -6. Option Formats +5.14 Option Formats - The options follow the same layout as in RFC 2461 [2]. Thus they all - are a multiple of 8 octets. + All of the TLV parameters have a length (including Type and Length + fields) which is a multiple of 8 bytes. When needed, padding MUST be + added to the end of the parameter so that the total length becomes a + multiple of 8 bytes. This rule ensures proper alignment of data. If + padding is added, the Length field MUST NOT include the padding. Any + added padding bytes MUST be zeroed by the sender, and their values + SHOULD NOT be checked by the receiver. + Consequently, the Length field indicates the length of the Contents + field (in bytes). The total length of the TLV parameter (including + Type, Length, Contents, and Padding) is related to the Length field + according to the following formula: + + Total Length = 11 + Length - (Length + 3) % 8; 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type | Length | ... | + | Type |C| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - ~ ... ~ + | | + / Contents / + / +-+-+-+-+-+-+-+-+ + | | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - - Type: 8-bit identifier of the type of option. The options + Type: 15-bit identifier of the type of option. The options defined in this document are below. - - Length: 8-bit unsigned integer. The length of the option - (including the type and length fields) in units of 8 - octets. The value 0 is invalid. Nodes MUST silently - discard an ND packet that contains an option with - length zero. + C: Critical. One if this parameter is critical, and MUST + be recognized by the recipient, zero otherwise. An + implementation might view the C bit as part of the + Type field, by multiplying the type values in this + specification by two. + Length: Length of the Contents, in bytes. + Contents: Parameter specific, defined by Type. + Padding: Padding, 0-7 bytes, added if needed. +------------------------------+------+ | Option Name | Type | +------------------------------+------+ | Validator | 1 | - | | | | Locator List | 2 | - | | | | Locator Preferences | 3 | - | | | | CGA Parameter Data Structure | 4 | - | | | | CGA Signature | 5 | - | | | | ULID Pair | 6 | - | | | | Packet In Error | 7 | - | | | | Explorer Results | 8 | +------------------------------+------+ Table 2 -6.1 Validator Option Format +5.14.1 Validator Option Format The responder can choose exactly what input uses to compute the validator, and what one-way function (MD5, SHA1) it uses, as long as - the reponder can verify that the validator it receives back in the I2 - packet is indeed one that 1) it computed, 2) it computed for the + the responder can verify that the validator it receives back in the + I2 message is indeed one that 1) it computed, 2) it computed for the particular context, and 3) that it isn't a replayed I2 message. One way for the responder to do this is to maintain a single secret (S) and a running counter for the Responder Nonce. For each I1 message, the responder can then increase the counter, use the counter value as the responder nonce, and use the following information as input to the one-way function: - o The the secret S - o That Responder Nonce - o The Initiator Context Tag from the I1 message - o The ULIDs from the I1 message - o The locators from the I1 message (strictly only needed if they are different from the ULIDs) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type = 1 | Length | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | Type = 1 |0| Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Validator ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - Validator: Variable length content whose interpretation is local to the responder. -6.2 Locator List Option Format +5.14.2 Locator List Option Format The Locator List Option is used to carry all the locators of the sender. Note that the order of the locators is important, since the - Locator Preferences and the Explorer packet refers to the locators by - using the index in the list. + Locator Preferences and the Explorer message refers to the locators + by using the index in the list. + + Note that we carry all the locators in this option even though some + of them can be created automatically from the CGA Parameter Data + Structure. - TBD: Do we need this when all the locators are contained in the PDS? 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type = 2 | Length | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | - | Reserveds | + | Type = 2 |0| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - ~ Locators ~ + | Locator List Generation | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Num Locators | N Octets of Verification Method | + +-+-+-+-+-+-+-+-+ | + ~ ~ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + ~ Locators 1 through N ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - Fields: + Locator List Generation: 32-bit unsigned integer. Indicates a + generation number which is increased by one for each + new locator list. This is used to ensure that the + index in the Locator Preferences and Explorer results + refer to the right version of the locator list. + Num Locators: 8-bit unsigned integer. The number of locators that + are included in the option. We call this number "N" + below. + Verification Method: N octets. The i'th octet specifies the + verification method for the i'th locator. + Locators: N 128-bit locators. - Reserved: 48-bit field. Reserved for future use. Zero on - transmit. MUST be ignored on receipt. + The defined verification methods are: - Locators: A variable number of 128-bit locators. The number of - locators present can be determined by the option - length field. + +-------+----------+ + | Value | Method | + +-------+----------+ + | 0 | Reserved | + | 1 | HBA | + | 2 | CGA | + | 3-255 | Reserved | + +-------+----------+ -6.3 Locator Preferences Option Format + Table 3 + +5.14.3 Locator Preferences Option Format The Locator Preferences option can have some flags to indicate whether or not a locator is known to work. In addition, the sender can include a notion of preferences. It might make sense to define "preferences" as a combination of priority and weight the same way that DNS SRV records has such information. The priority would provide a way to rank the locators, and within a given priority, the weight would provide a way to do some load sharing. See [8] for how SRV defines the interaction of priority and weight. - As of this draft we define the preferences to include three 8-bit - fields: a priority, a weight, and 8-bits of flags. The intent is - that the TBD flags can carry information such as "this locator is - not working", and "this locator is temporary". The latter allows - making the distinction between more stable addresses and less stable - addresses when shim6 is combined with IP mobility, when we might have - more stable home locators, and less stable care-of-locators. + The minimum notion of preferences we need is to be able to indicate + that a locator is "dead". We can handle this using a single octet + flag for each locator. + + We can extend that by carrying a larger "element" for each locator. + This document presently also defines 2-octet and 3-octet elements, + and we can add more information by having even larger elements if + need be. The locators are not included in the preference list. Instead, the first element refers to locator that was in the first element in the - Locator List option. This assumes that the Locator List option is - stable. See Section 17. + Locator List option. The generation number carried in this option + and the Locator List option is used to verify that they refer to the + same version of the locator list. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type = 3 | Length | Pri[1] | Weight[1] | + | Type = 3 |0| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Flags[1] | Pri[2] | Weight[2] | Flags[2] | + | Locator List Generation | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Element Len | Element[1] ... | Element[2] | + | ... | Element[3] ... | ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ~ ... ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: + Locator List Generation: 32-bit unsigned integer. Indicates a + generation number for the locator list to which the + elements should apply. + Element Len: 8-bit unsigned integer. The length in octets of each + element. This draft defines the cases when the length + is 1, 2, or 3. + Element[i]: A field with a number of octets defined by the Element + Len field. Provides preferences for the i'th locator + in the Locator List option that is in use. - Pri[i]: 8-bit unsigned integer. The Priority associated with - the i'th locator in the Locator List option that is in - use. - - Weight[i]: 8-bit unsigned integer. The Weight associated with - the i'th locator in the Locator List option that is in - use. + When the Element length equals one, then the element consists of only + a flags field. The set of flags is TBD: Assume there will be two + initially: BROKEN and TEMPORARY. The intent of the latter is to + allow the distinction between more stable addresses and less stable + addresses when shim6 is combined with IP mobility, when we might have + more stable home locators, and less stable care-of-locators. - Flags[i]: 8-bit unsigned integer. The flags associated with the - i'th locator in the Locator List option that is in - use. + When the Element length equals two, the the element consists of a 1 + octet flags field followed by a 1 octet priority field. The priority + has the same semantics as the priority in DNS SRV records. - The set of flags is TBD: Assume there will be two initially: BROKEN - and TEMPORARY. + When the Element length equals three, the the element consists of a 1 + octet flags field followed by a 1 octet priority field, and a 1 octet + weight field. The weight has the same semantics as the weight in DNS + SRV records. -6.4 CGA Parameter Data Structure Option Format +5.14.4 CGA Parameter Data Structure Option Format This option contains the CGA parameter data structure (hereafter called the PDS). When HBA is used to validate the locators, the PDS contains the HBA multiprefix extension. When CGA is used to validate the locators, in addition to the CGA PDS, the signature will need to be included as a CGA Signature option. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type = 4 | Length | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | Type = 4 |0| Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ CGA Parameter Data Structure ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - CGA Parameter Data Structure: Variable length content. Content - defined in [4]. + defined in [5]. -6.5 CGA Signature Option Format +5.14.5 CGA Signature Option Format When CGA is used for validation of one or more of the locators in the PDS, then the message in question will need to contain this option. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type = 5 | Length | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | - ~ CGA Signature ~ + | Type = 5 |0| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: + CGA Signature: Variable length content. Content defined in [5]. - CGA Signature: Variable length content. Content defined in [4]. - -6.6 ULID Pair Option Format +5.14.6 ULID Pair Option Format It isn't clear whether we need this option. It depends whether we want to be able to setup a context for a ULID pair when that ULID pair can't be used to communicate. Thus the IPv6 addresses in the context establishment would not be the ULIDs. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type = 6 | Length | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | - | Reserveds | + | Type = 2 |0| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Sender ULID + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Receiver ULID + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -1489,143 +1513,418 @@ | | + Sender ULID + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Receiver ULID + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - Reserved: 48-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. - Sender ULID: A 128-bit IPv6 address. - Receiver ULID: A 128-bit IPv6 address. -6.7 Packet In Error Option Format +5.14.7 Packet In Error Option Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type = 7 | Length | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | - | Reserveds | + | Type = 7 |0| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ IPv6 header, shim6/TCP/UDP header, etc ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: - - Reserved: 48-bit field. Reserved for future use. Zero on - transmit. MUST be ignored on receipt. - Packet: A variable length field which contains the packet in error starting with the IPv6 header. -6.8 Explorer Results Option Format +5.14.8 Explorer Results Option Format + + TBD: This needs to indicate which explorer messages (sequence + numbers, source and destination locators?) that have been recently + received, in order to detect which locator pairs work when there is + no locator pair which works in both directions. When indicating + locators it makes sense to use the offset in the Locator List (that + was carries in the Locator List option), since this takes less space + than including the locators themselves. + + TBD: add that data and other shim control messages are included in + the learned results. - TBD: This needs to indicate which explorer packets (sequence numbers, - source and destination locators) that have been recently received, in - order to detect which locator pairs work when there is no locator - pair which works in both directions. When indicating locators it - makes sense to use the offset in the Locator List (that was carries - in the LLU option), since this takes less space than including the - locators themselves. p 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Type = 8 | Length | TBD | + | Type = 8 |0| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - ~ ... ~ + | Sender Locator List Generation | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Receiver Locator List Generation | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + ~ Explorer Results ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: + Sender Locator List Generation: The generation number for the + sender's locator list to which the indices below + refer. + Receiver Locator List Generation: The generation number for the + receiver's locator list to which the indices below + refer. + Explorer Results: This field contains a list of elements, where each + element indicates one locator pair for which the + sender of the option has recently received a message. + Each result occupies 32 bits. The list should be + ordered so that the most recently heard locator pairs + are first. SHOULD NOT include locator pairs that were + last received more than some number of seconds ago. + p + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Sender Index | Receiver Index| Sequence Number | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - TBD: + Fields: + Sender Index: 8-bit unsigned Integer. The Index is relative to the + sender's locator list. + Receiver Index: 8-bit unsigned Integer. The Index is relative to the + receiver locator list. + Sequence Number: 16-bit unsigned Integer. The Sequence number of the + explorer message in which the locator pair < sender + index, receiver index> was last heard. If this + locator pair was last heard in a message other than an + Explore message, then this number is zero. -7. Conceptual Model of a Host +6. Conceptual Model of a Host This section describes a conceptual model of one possible data structure organization that hosts will maintain for the purposes of shim6. The described organization is provided to facilitate the explanation of how the shim6 protocol should behave. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document. -7.1 Conceptual Data Structures +6.1 Conceptual Data Structures The key conceptual data structure for the shim6 protocol is the host pair context. This is a data structures which contains the following information: - o The peer ULID; ULID(peer) - o The local ULID; ULID(local) - o The list of peer locators, with their preferences; Ls(peer) - o For each peer locator, a bit whether it has been validated using HBA, and a bit whether the locator has been probed to verify that the ULID is present at that location. - o The preferred peer locator - used as destination; Lp(peer) - o The set of local locators and the preferences; Ls(local) - o The preferred local locator - used as source; Lp(local) - - o The context tag used to transmit packets - allocated by the peer; - CT(peer) - - o The context to expect in received packets - allocated by the local - host; CT(local) - + o The context tag used to transmit control messages and ULP packets + - allocated by the peer; CT(peer) + o The context to expect in received control messages and extension + headers - allocated by the local host; CT(local) o Reachability state for the locator pairs. - - o During pair exploration, information about the explore packets + o During pair exploration, information about the explore messages that have been sent and received. The receiver finds the context by looking it up using , where the context tag is in - the Flow Label field for ULP payload packets, and in the shim headers - for control messages. The sender needs to be able to find the - context state when a packet is passed down from the ULP. In that - case the lookup key is the pair of ULIDs. + the shim header. The sender needs to be able to find the context + state when a ULP packet is passed down from the ULP. In that case + the lookup key is the pair of ULIDs. -8. Establishing Host Pair Contexts +7. Establishing Host Pair Contexts - TBD + Host pair contexts are established using a 4-way exchange, which + allows the responder to avoid creating state on the first packet. As + part of this exchange each end allocates a context tag, and it shares + this context tag and its set of locators with the peer. -8.1 Sending I1 messages + In some cases the 4-way exchange is not necessary, for instance when + both ends try to setup the context at the same time, or when + recovering from a context that has been garbage collected or lost at + one of the hosts. -8.2 Receiving I1 messages +7.1 Normal context establishment -8.3 Receiving R1 messages + The normal context establishment consists of a 4 message exchange in + the order of I1, R1, I2, R2. -8.4 Retransmitting I1 messages + Initiator Responder -8.5 Receiving I2 messages + ------------- I1 --------------> -8.6 Retransmitting I2 messages + <------------ R1 --------------- -8.7 Concurrent context establishment + ------------- I2 --------------> -9. No Such Content Errors + <------------ R2 --------------- + + Figure 26 + +7.2 Concurrent context establishment + + When both ends try to initiate a context for the same ULID pair, then + we might end up with crossing I1 messages, or since the no state is + created when receiving the I1, a host might send a I1 after having + sent a R1 message. + + Since a host remembers that it has sent an I1, it can respond to an + I1 from the peer (for the same ULID), with a R2. + + Initiator Responder + + -\ + ---\ + ---\ /--- + --- I1 ---\ /--- + ---\ + /--- I1 ---/ ---\ + /--- --> + <--- + + -\ + ---\ + ---\ /--- + --- R2 ---\ /--- + ---\ + /--- R2 ---/ ---\ + /--- --> + <--- + Figure 27 + + If a host has received an I1 and sent an R1, then a ULP can trigger + it to send an I1 message itself, since it doesn't retain any state + when receiving the I1 message. Thus while one end is sending an I1 + the other is sending an I2. + + Initiator Responder + + -\ + ---\ + ---\ + --- I1 ---\ + ---\ + ---\ + --> + + /--- + /--- + --- + /--- R1--/ + /--- + <--- + + -\ + ---\ + ---\ /--- + --- I2---\ /--- + ---\ + /--- I1 ---/ ---\ + /--- --> + <--- + + -\ + ---\ + ---\ /--- + --- R2 ---\ /--- + ---\ + /--- R2 ---/ ---\ + /--- --> + <--- + + Figure 28 + +7.3 Context recovery + + Due to garbage collection, we can end up with one end having and + using the context state, and the other end not having any state. We + need to be able to recover this state at the end that has lost it, + before we can use it. + + This need can arise in two cases: + The communication is working using the ULID pair as the locator + pair, but a problem arises, and the end that has retained the + context state decides to explore alternate locator pairs. + The communication is working using a locator pair that is not the + ULID pair, hence the ULP packets sent from a peer that has + retained the context state use the shim payload header. + In both cases the result is that the peer without state receives a + shim message for which it has to context for the . + + In both of those case we can recover the context by having the node + which doesn't have a context state, send back an R1bis [TBD] message, + and have this complete a recover with a I2 and R2 message. + + If one end has garbage collected or lost the context state, it might + try to create the context state (for the same ULID pair), by sending + an I1 message. The peer can simply reply with an R2 message in this + case. + +7.4 Context confusion + + Since each end might garbage collect the context state we can have + the case when one end has retained the context state and tries to use + it, while the other end has lost the state. We discussed this in the + previous section on recovery. But for the same reasons, when one + host retains context tag X for ULID pair , the other end + might end up allocating that context tag for another ULID pair, e.g., + between the same hosts. In this case we can not use the + recovery mechanisms since there needs to be separate context tags for + the two ULID pairs. + + This type of "confusion" can be observed in two cases (assuming it is + A that has retained the state and B has dropped it): + B decides to create a context for ULID pair has to be unique when received by the peer, the local host should also only be able to find one context that matches this tuple. - Should the ULP packet have been conveyed using the protocol type - encoding (Section 4.2), then that encoding must be undone for the - packet in error before it is delivered to the ULP. If the ULP packet - had been encapsulated in a shim6 payload message, then this extension - header must be removed. The result needs to be that the ULP receives - an ICMP error where the contained "packet in error" looks as if the - shim did not exist. + If the ULP packet had been encapsulated in a shim6 payload message, + then this extension header must be removed. The result needs to be + that the ULP receives an ICMP error where the contained "packet in + error" looks as if the shim did not exist. -11. Taredown of the Host Pair Context +10. Teardown of the Host Pair Context - Each host can unilaterally decide when to tare down a host-pair - context. It is RECOMMENDED that hosts not tare down the context when + Each host can unilaterally decide when to tear down a host-pair + context. It is RECOMMENDED that hosts not tear down the context when they know that there is some upper layer protocol that might use the context. For example, an implementation might know this is there is an open socket which is connected to the ULID(peer). However, there might be cases when the knowledge is not readily available to the shim layer, for instance for UDP applications which not not connect their sockets, or any application which retains some higher level state across (TCP) connections and UDP packets. Thus it is RECOMMENDED that implementations minimize premature - taredown by observing the amount of traffic that is sent and received - using the context, and only after it appears quiescent, tare down the + teardown by observing the amount of traffic that is sent and received + using the context, and only after it appears quiescent, tear down the state. -12. Updating the Locator Pairs +11. Updating the Locator Pairs TBD -13. Various Probe Mechanisms +12. Various Probe Mechanisms TBD -14. Rehoming to a Different Locator Pair +13. Rehoming to a Different Locator Pair TBD -15. Payload Packets before a Switch +14. Payload Packets before a Switch When there is no context state for the ULID pair on the sender, there is no effect on how ULP packets are sent. If the host is using some heuristic for determining when to perform a deferred context establishment, then the host might need to do some accounting (count the number of packets sent and received) even before there is a host- pair context. This need to count packets might also appear on the receive side, depending on what heuristics the implementation has chosen. If there is a host-pair context for the ULID pair, then the sender needs to verify whether context uses the ULIDs as locators, that is, whether Lp(peer) == ULID(peer) and Lp(local) == ULID(local). If this is the case, then packets will be sent unmodified by the - shim. If it is not the case, then the logic in Section 16 will need + shim. If it is not the case, then the logic in Section 15 will need to be used. There will also be some maintenance activity relating to (un)reachability detection, whether packets are sent with the original locators or not. The details of this is out of scope for - this document and will be covered is follow-ons to [5]. + this document and will be covered is follow-ons to [6]. -16. Payload Packets after a Switch +15. Payload Packets after a Switch When sending packets, if there is a host-pair context for the ULID pair, and the ULID pair is no longer used as the locator pair, then - the sender needs to transfer the packet. The transformation depends - on the payload type, since some protocol values can be carried - without adding a shim6 extension header, and others need an 8-octet - header. + the sender needs to transform the packet. Apart from replacing the + IPv6 source and destination fields with a locator pair, an 8-octet + header is added so that the receiver can find the context and inverse + the transformation. - Before the payload dependent transformation, the IP address fields - are replaced. The IPv6 source address field is set to Lp(local) and - the destination address field is set to Lp(peer). NOTE that this - MUST NOT cause any recalculation of the ULP checksums, since the ULP - checksums are carried end-to-end and the ULP pseudo-header contains - the ULIDs which are preserved end-to-end. + First, the IP address fields are replaced. The IPv6 source address + field is set to Lp(local) and the destination address field is set to + Lp(peer). NOTE that this MUST NOT cause any recalculation of the ULP + checksums, since the ULP checksums are carried end-to-end and the ULP + pseudo-header contains the ULIDs which are preserved end-to-end. - The sender skips any "routing sub-layer extension headers", thus it - skips any hop-by-hop extension header, any routing header, and any - destination options header that is followed by a routing header. The - (extension) header that follows after that is viewed as the ULP + The sender skips any "routing sub-layer extension headers" that the + ULP might have included, thus it skips any hop-by-hop extension + header, any routing header, and any destination options header that + is followed by a routing header. After any such headers the shim6 + extension header will be added. This might be before a Fragment + header, a Destination Options header, an ESP or AH header, or a ULP header. - If the ULP header is of a type listed in Section 4.2, then it is - replaced by the "foo-in-shim6 value for that protocol type. And in - this case, the context tag CT(peer) is placed in the flow label field - in the IPv6 header. Then the packet can be passed to the IP routing - sub-layer. - - If the ULP header type is not listed in that section, then a shim6 - Payload extension header is inserted in the packet before the ULP - header. In this case the context tag CT(peer) is also placed in the - flow label field, and the packet is passed down to the routing sub- - layer. TBD: We could use the Reserved field in the payload message - instead of using flow label in this case. + The inserted shim6 Payload extension header includes the peer's + context tag. The receiver parses the (extension) headers in order. Should it find a shim6 extension header it will look at the type field in that header. If the type is Payload message, then the packet must be - passed to the shim6 payload handling for rewriting. If the receiver - finds one of the eight additional payload type (for "foo-inside- - shim6"), then it treats this analogous to the case of a shim6 payload - extension header. + passed to the shim6 payload handling for rewriting. (Otherwise, the + shim6 control messages are handled as specified in other parts of + this document.) - In both cases the receiver extracts the context tag from the IPv6 - flow label field, and uses this together with the IPv6 source and - destination address fields to find a host-pair context. If no - context is found, the receiver SHOULD generate a No Such Context - error message (see Section 9). + The receiver extracts the context tag from the payload message + header, and uses this together with the IPv6 source and destination + address fields to find a host-pair context. If no context is found, + the receiver SHOULD generate a No Such Context error message (see + Section 8). With the context in hand, the receiver can now replace the IP address - fields with the ULIDs kept in the context. Finally, the traces of - the shim are removed from the packet; any payload extension header is - removed, and the next header value in the preceding header is set to - be the actual protocol number for the payload. Then the packet can - be passed to the ULP. + fields with the ULIDs kept in the context. Finally, the Payload + extension header is removed from the packet (so that the ULP doesn't + get confused by it), and the next header value in the preceding + header is set to be the actual protocol number for the payload. Then + the packet can be passed to the protocol identified by the next + header value (which might be some function associated with the IP + endpoint sublayer, or a ULP). -17. Open Issues +16. Open Issues The following open issues are known: - o Is there need for keeping the list of locators private between the two communicating endpoints? We can potentially accomplish that when using CGA but not with HBA, but it comes at the cost of doing some public key encryption and decryption operations as part of the context establishment. - o Forking the context state. On the mailing list we've discussed the need to fork the context state, so that different ULP streams can be sent using different locator pairs. No protocol extensions are needed if any forking is done independently by each endpoint. But if we want A to be able to tell B that certain traffic (a 5-tuple?) should be forked, then we need a way to convey this in the shim6 protocol. The hard part would be defining what selectors can be specified for the filter which determines which traffic uses which of the forks. So the question is whether we really need signaling for forking, or whether it is sufficient to @@ -1775,232 +2061,149 @@ can be sent using different locator pairs. No protocol extensions are needed if any forking is done independently by each endpoint. But if we want A to be able to tell B that certain traffic (a 5-tuple?) should be forked, then we need a way to convey this in the shim6 protocol. The hard part would be defining what selectors can be specified for the filter which determines which traffic uses which of the forks. So the question is whether we really need signaling for forking, or whether it is sufficient to allow each endpoint to do its own selection of which locator pair it is using for which traffic. - o If we allow forking, it seems like the mechanism for reachability detection, whether it is CUD or FBD, must be applied separately for each locator pair that is in use. Without forking a single locator pair will be in use for each host-pair context, hence things would be simpler. - - o Having the Locator List option contain all the prefixes implies - extra bytes when the locators are also in the CGA Parameter Data - Structure option. To optimize this will still need to provide an - ordered list, so that the Locator Preferences can refer to the - locators by "index". (The Explore Results option might need to - refer to them by index as well.) - - o The index to a locator might get out of synch between the two ends - if messages with a new Locator List option is lost. It might make - sense to include a "generation" or "locator list version" number - in the Locator List option so that the Locator Preference (and - Explorer Result) options can refer to a particular version of the - list. - o The specified mechanism (of relying on No Such Context errors) doesn't always detect the loss of the context on the peer when the - original ULID=locators are used. See Section 18 for other + original ULID=locators are used. See Section 17 for other options. - o Which messages need sequence numbers to prevent parts of the - protocol to operate on stale information should the shim6 - information get out of date? Just the Locator List Update - message? - - o The CGA PDS might not need to be included in every LLU message. - If it is associated with the ULID, it is sufficient to exchange it - once. Then a HBA-protected LLU would not need anything (it can - just change the preferences for the locators in any case), and a - CGA-protected LLU would just need the signature option. - - o In the LLU do we need to indicate which locators need to be - validated using HBA vs. CGA? Or it could tell which locators are - in the HBA extension in the PDS, and assume any others need CGA - validation. - - o What happens when a host runs out of 20 bit context tags? When is + o In the Locator List option, do we need to indicate which locators + need to be validated using HBA vs. CGA? Or it could tell which + locators are in the HBA extension in the PDS, and assume any + others need CGA validation. + o What happens when a host runs out of N bit context tags? When is it safe for a host to reuse a context tag? With the unilateral - taredown one end might discard the context state long before the + teardown one end might discard the context state long before the other end. -18. Design Alternatives +17. Design Alternatives This document has picked a certain set of design choices in order to try to work out a bunch of the details, and stimulate discussion. But as has been discussed on the mailing list, there are other choices that make sense. This section tries to enumerate some alternatives. -18.1 State Cleanup +17.1 State Cleanup This document uses a timer based cleanup mechanism, as specified in - Section 11. + Section 10. An alternative would be to use an explicit CLOSE mechanism, akin to - the one specified in HIP [17]. If an explicit CLOSE handshake and + the one specified in HIP [22]. If an explicit CLOSE handshake and associated timer is used, then there would no longer be a need for the No Context Error message due to a peer having garbage collected its end of the context. However, there is still potentially a need to have a No Context Error message in the case of a complete state loss of the peer (also known as a crash followed by a reboot). Only if we assume that the reboot takes at least the CLOSE timer, or that it is ok to not provide complete service until CLOSE timer minutes after the crash, can we completely do away with the No Context Error message. - If there is no need for the No Context Error message, this also means - that it might be possible to remove the need to explicitly - identifying the shim6 payload packets after a locator switch, neither - using the foo-inside-shim6 protocol number nor using the shim6 - Payload message. In essence, the receiver could identify the context - based on the locator pair and the Flow Label in the received packets. - - There might be some debugging and operational issues with removing - the explicit identification of the shim6 packets after a locator - switch. Should the receiver have lost the context state, then there - will be no indication that something is going wrong. The shim on the - receiver would happily pass up the packets unmodified to the ULP, and - the ULP would most likely see a checksum error. The checksum error - is caused by the ULP packet having different IP addresses than the - packet that the sending ULP passed down to its shim. - -18.2 Not Overloading the Flow Label - - This document overloads the Flow Label field as a context tag for - packets that are sent after the locators have been switched, that is, - the packets where the sending shim has replaced the ULIDs with some - other locator pair. - - An alternative would be to not do this, and instead always use the - shim6 Payload message to encapsulate the payloads when the locators - are different than the ULIDs. While this doesn't remove the need to - have any QoS signaling protocol be aware of the shim6 architectural - implications Section 19, it does offer some other simplifications to - the protocol, namely that there would no longer be a need to use - designated protocol number values for the "foo-inside-shim6"; the - cases when those protocol numbers are used would instead use the - Payload message. The downside of always using the Payload message - after a failure is that the path MTU usable by the ULP would be 8 - octets less. - -18.3 Detecting Context Loss +17.2 Detecting Context Loss This document specifies that context loss is detected by receiving a No Such Context error message from the peer. Such messages are generated in response to a shim6 message that contain a the peer's context tag, including the shim6 Payload messages, when the receiver doesn't have matching context. They are also generated in response to data packets after a locator switch (because such payload packets - are identified as such using the overloaded protocol field specified - in Section 4.2). - - This approach has the disadvantage of the overloaded protocol type, - and it also doesn't detect the loss of context state when the - original ULIDs are used as locators, because there might be no shim6 - messages exchanged if the reachability detection manages to suppress - any extra packets. - - Discussion: it isn't clear we could remove the protocol type - overloading with this approach, because without protocol type - overloading it is undefined in what order the receiver would do - things. Normally the receiver follows the next header chain and - processes things in order. This also works with an overloaded - protocol type; that next header value is basically indicating that - there is a zero length shim payload header. Thus the sender can - control whether this happens before the processing of some other - extension header or after. Without any such indication in the - packet, the receiver would find a shim context based on the . But would it process this - before or after some other extension header, such as a MIPv6 Home - Address Option, or IP-in-IP encapsulation header? + are identified as such by using the payload message header). - An alternative would be to remove the protocol field overloading and - mandate that there be some low-frequency periodic Reachability Probe/ - Reply messages, even when there is bidirectional communication and - the ULPs report that they are doing fine. Such an approach would be - able to detect state loss even before there is a locator switch. + This approach has the disadvantage that it doesn't detect the loss of + context state when the original ULIDs are used as locators, because + there might be no shim6 messages exchanged if the reachability + detection manages to suppress any extra messages. - Presumably such probes can be suppressed when there are no ULP - packets being sent to the peer. + The Interim Meeting discussed ways to recover the context state at + one end when the other end sees a failure (and starts sending Explore + messages). The discussed approach is to use a R1 (or R1bis) message + in response to a message with an unknown context, which would cause + the context to be recreated. -19. Implications Elsewhere +18. Implications Elsewhere The general shim6 approach, as well as the specifics of this proposed solution, has implications elsewhere. The key implications are: - - o Applications that perform referals, or callbacks using IP + o Applications that perform referrals, or callbacks using IP addresses as the 'identifiers' can still function in limited ways, - as described in [12]. But in order for such applications to be + as described in [17]. But in order for such applications to be able to take advantage of the multiple locators for redundancy, the applications need to be modified to either use fully qualified domain names as the 'identifiers', or they need to pass all the locators as the 'identifiers' i.e., the 'identifier' from the applications perspective becomes a set of IP addresses instead of a single IP address. - o Firewalls that today pass limited traffic, e.g., outbound TCP connections, would presumably block the shim6 protocol. This means that even when shim6 capable hosts are communicating, the I1 - packets would be dropped, hence the hosts would not discover that + messages would be dropped, hence the hosts would not discover that their peer is shim6 capable. This is in fact a feature, since if the hosts managed to establish a host-pair context, then the firewall would probably drop the "different" packets that are sent - after a failure (either using a "TCP-inside-shim6" protocol - number, or using the shim6 payload packet with a TCP packet inside - it). Thus stateful firewalls that are modified to allow shim6 - packets through should also be modified to allow the payload - packets through after a failure. This presumably implies that the - firewall needs to track the set of locators in use by looking at - the shim6 exchanges. - + after a failure (those using the shim6 payload message with a TCP + packet inside it). Thus stateful firewalls that are modified to + allow shim6 messages through should also be modified to allow the + payload messages through after a failure. This presumably implies + that the firewall needs to track the set of locators in use by + looking at the shim6 exchanges. Such firewalls might even want to + verify the locators using the HBA/CGA verification themselves. o Signaling protocols for QoS or other things that involve having devices in the network path look at IP addresses and port numbers, or IP addresses and Flow Labels, need to be invoked on the hosts when the locator pair changes due to a failure. At that point in time those protocols need to inform the devices that a new pair of - IP addresses will be used for the flow, as well as a new Flow - Label being used. - + IP addresses will be used for the flow. Note that this is the + case even though we no longer overload the flow label as a context + tag; the in-path devices need to know about the use of the new + locators even though the flow label stays the same. o MTU implications. The path MTU mechanisms we use are robust against different packets taking different paths through the Internet, by computing a minimum over the recently observed path MTUs. When shim6 fails over from using one locator pair to another pair, this means that packets might travel over a - different path through the Internt, hence the path MTU might be + different path through the Internet, hence the path MTU might be quite different. Perhaps such a path change would be a good hint to the path MTU mechanism to try a larger MTU? The fact that the shim, at least for uncommon payload types, will add an 8 octet extension header (the payload message) after a locator switch, can also affect the usable path MTU for the ULPs. In this case the MTU change is local to the sending host, thus conveying the change to the ULPs is an implementation matter. -20. Security Considerations +19. Security Considerations - Some of the residual threats in this proposal are: + This document satisfies the concerns specified in [16] as follows: + o TBD: Using HBA or CGA for ... + Some of the residual threats in this proposal are: o An attacker which arrives late on the path (after the context has been established) can use the No Such Context error to cause one peer to recreate the context, and at that point in time the attacker can observe all of the exchange. But this doesn't seem to open any new doors for the attacker since such an attacker can observe the Context tags that are being used, and once known it can use those to send bogus messages. - o An attacker which is present on the path so that it can find out the context tags, can generate a No Such Context error after it has moved off the path. For this packet to be effective it needs to have a source locator which belongs to the context, thus there can not be "too much" ingress filtering between the attackers new location and the communicating peers. But this doesn't seem to be that severe, because once the error causes the context to be torn down and re-established, a new pair of context tags will be used, which will not be known to the attacker. If this is still a concern, we could require a 2-way handshake "did you really loose @@ -1998,107 +2201,167 @@ the context tags, can generate a No Such Context error after it has moved off the path. For this packet to be effective it needs to have a source locator which belongs to the context, thus there can not be "too much" ingress filtering between the attackers new location and the communicating peers. But this doesn't seem to be that severe, because once the error causes the context to be torn down and re-established, a new pair of context tags will be used, which will not be known to the attacker. If this is still a concern, we could require a 2-way handshake "did you really loose the state?" in response to the error message. - - o It might be possible for an attacker to try random 24-bit context + o It might be possible for an attacker to try random 32-bit context tags and see if they can cause disruption for communication between two hosts. We can make this harder by using a larger - context tag (64-bits?) in the shim6 control messages, and use the - low-order 24 bits as the flow label. + context tag; 47 bits is the largest that fit in the 8-octet + payload header. If this isn't sufficient, one could use an even + larger tag in the shim6 control messages, and use the low-order 47 + bits in the payload header. -21. Acknowledgements +20. IANA Considerations + + IANA needs to allocate a new IP Next Header value for this protocol. + + TBD: the IANA rules for the shim6 message types and option types. + +21. Change Log + + The following changes have been made since draft-ietf-shim6-proto-00: + o Removed the use of the flow label and the overloading of the IP + protocol numbers. Instead, when the locator pair is not the ULID + pair, the ULP payloads will be carried with an 8 octet extension + header. The belief is that it is possible to remove these extra + bytes by defining future shim6 extensions that exchange more + information between the hosts, without having to overload the flow + label or the IP protocol numbers. + o Grew the context tag from 20 bits to 32 bits, with the possibility + to grow it to 47 bits. This implies changes to the message + formats. + o Almost by accident, the new shim6 message format is very close to + the HIP message format. + o Adopted the HIP format for the options, since this makes it easier + to describe variable length options. The original, ND-style, + option format requires internal padding in the options to make + them 8 octet length in total, while the HIP format handles that + using the option length field. + o Removed some of the control messages, and renamed the other ones. + o Added a "generation" number to the Locator List option, so that + the peers can ensure that the preferences refer to the right + "version" of the Locator List. + o In order for FBD and exploration to work when there the use of the + context is forked, that is different ULP messages are sent over + different locator pairs, things are a lot easier if there is only + one current locator pair used for each context. Thus the forking + of the context is now causing a new context to be established for + the same ULID; the new context having a new context tag. The + original context is referred to as the "default" context for the + ULID pair. + o Added more background material and textual descriptions. + +22. Acknowledgements Over the years many people active in the multi6 and shim6 WGs have contributed ideas a suggestions that are reflected in this draft. Thanks to Marcelo Bagnulo for providing comments on earlier versions of this draft. -22. References +23. References -22.1 Normative References +23.1 Normative References - [1] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) + [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [2] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. - [2] Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery + [3] Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998. - [3] Thomson, S. and T. Narten, "IPv6 Stateless Address + [4] Thomson, S. and T. Narten, "IPv6 Stateless Address Autoconfiguration", RFC 2462, December 1998. - [4] Bagnulo, M., "Hash Based Addresses (HBA)", + [5] Bagnulo, M., "Hash Based Addresses (HBA)", draft-ietf-shim6-hba-00 (work in progress), July 2005. - [5] Beijnum, I., "Shim6 Reachability Detection", + [6] Beijnum, I., "Shim6 Reachability Detection", draft-ietf-shim6-reach-detect-00 (work in progress), July 2005. - [6] Arkko, J., "Failure Detection and Locator Selection Design - Considerations", draft-ietf-shim6-failure-detection-00 (work in - progress), July 2005. - -22.2 Informative References + [7] Arkko, J., "Failure Detection and Locator Pair Exploration + Design for IPv6 Multihoming", + draft-ietf-shim6-failure-detection-01 (work in progress), + October 2005. - [7] Bradner, S., "Key words for use in RFCs to Indicate Requirement - Levels", BCP 14, RFC 2119, March 1997. +23.2 Informative References [8] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000. - [9] Draves, R., "Default Address Selection for Internet Protocol + [9] Ferguson, P. and D. Senie, "Network Ingress Filtering: + Defeating Denial of Service Attacks which employ IP Source + Address Spoofing", BCP 38, RFC 2827, May 2000. + + [10] Narten, T. and R. Draves, "Privacy Extensions for Stateless + Address Autoconfiguration in IPv6", RFC 3041, January 2001. + + [11] Draves, R., "Default Address Selection for Internet Protocol version 6 (IPv6)", RFC 3484, February 2003. - [10] Abley, J., Black, B., and V. Gill, "Goals for IPv6 Site- + [12] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, + "RTP: A Transport Protocol for Real-Time Applications", STD 64, + RFC 3550, July 2003. + + [13] Abley, J., Black, B., and V. Gill, "Goals for IPv6 Site- Multihoming Architectures", RFC 3582, August 2003. - [11] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, "IPv6 + [14] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, "IPv6 Flow Label Specification", RFC 3697, March 2004. - [12] Nordmark, E., "Shim6 Application Referral Issues", + [15] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast + Addresses", RFC 4193, October 2005. + + [16] Nordmark, E., "Threats relating to IPv6 multihoming solutions", + draft-ietf-multi6-multihoming-threats-03 (work in progress), + January 2005. + + [17] Nordmark, E., "Shim6 Application Referral Issues", draft-ietf-shim6-app-refer-00 (work in progress), July 2005. - [13] Abley, J., "Shim6 Applicability Statement", + [18] Abley, J., "Shim6 Applicability Statement", draft-ietf-shim6-applicability-00 (work in progress), July 2005. - [14] Huston, G., "Architectural Commentary on Site Multi-homing + [19] Huston, G., "Architectural Commentary on Site Multi-homing using a Level 3 Shim", draft-ietf-shim6-arch-00 (work in progress), July 2005. - [15] Bagnulo, M. and J. Arkko, "Functional decomposition of the + [20] Bagnulo, M. and J. Arkko, "Functional decomposition of the multihoming protocol", draft-ietf-shim6-functional-dec-00 (work in progress), July 2005. - [16] Nordmark, E. and M. Bagnulo, "Multihoming L3 Shim Approach", + [21] Nordmark, E. and M. Bagnulo, "Multihoming L3 Shim Approach", draft-ietf-shim6-l3shim-00 (work in progress), July 2005. - [17] Moskowitz, R., "Host Identity Protocol", draft-ietf-hip-base-03 + [22] Moskowitz, R., "Host Identity Protocol", draft-ietf-hip-base-03 (work in progress), June 2005. - [18] Lear, E. and R. Droms, "What's In A Name:Thoughts from the + [23] Lear, E. and R. Droms, "What's In A Name:Thoughts from the NSRG", draft-irtf-nsrg-report-10 (work in progress), September 2003. Author's Address Erik Nordmark Sun Microsystems 17 Network Circle - Menlo Park, CA 94043 + Menlo Park, CA 94025 USA Phone: +1 650 786 2921 Email: erik.nordmark@sun.com Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in