draft-ietf-shim6-proto-02.txt   draft-ietf-shim6-proto-03.txt 
SHIM6 WG E. Nordmark SHIM6 WG E. Nordmark
Internet-Draft Sun Microsystems Internet-Draft Sun Microsystems
Expires: March 5, 2006 September 2005 Expires: March 5, 2006 M. Bagnulo
UC3M
September 2005
Level 3 multihoming shim protocol Level 3 multihoming shim protocol
draft-ietf-shim6-proto-02.txt draft-ietf-shim6-proto-03.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 41 skipping to change at page 1, line 43
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 5, 2006. This Internet-Draft will expire on March 5, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2005).
Abstract Abstract
The SHIM6 working group is exploring a layer 3 shim approach for The SHIM6 working group is specifying a layer 3 shim approach and
providing locator agility below the transport protocols, so that protocol for providing locator agility below the transport protocols,
multihoming can be provided for IPv6 with failover and load spreading so that multihoming can be provided for IPv6 with failover and load
properties, without assuming that a multihomed site will have a spreading properties, without assuming that a multihomed site will
provider independent IPv6 address prefix which is announced in the have a provider independent IPv6 address prefix which is announced in
global IPv6 routing table. The hosts in a site which has multiple the global IPv6 routing table. The hosts in a site which has
provider allocated IPv6 address prefixes, will use the shim6 protocol multiple provider allocated IPv6 address prefixes, will use the shim6
specified in this document to setup state with peer hosts, so that protocol specified in this document to setup state with peer hosts,
the state can later be used to failover to a different locator pair, so that the state can later be used to failover to a different
should the original one stop working. locator pair, should the original one stop working.
This document picks a particular approach to such a protocol and
tries to flush out a bunch of details, with the hope that the WG can
better understand the details in this proposal as well as discovering
and understanding alternative designs that might be better. Thus
this proposal is my no means cast in stone as the direction; quite to
the contrary it is a depth first exploration of the design space.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1 Goals . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2 Non-Goals . . . . . . . . . . . . . . . . . . . . . . . . 5 1.2 Non-Goals . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Locators as Upper-layer Identifiers . . . . . . . . . . . 5 1.3 Locators as Upper-layer Identifiers . . . . . . . . . . 6
1.4 IP Multicast . . . . . . . . . . . . . . . . . . . . . . . 6 1.4 IP Multicast . . . . . . . . . . . . . . . . . . . . . . 7
1.5 Renumbering Implications . . . . . . . . . . . . . . . . . 6 1.5 Renumbering Implications . . . . . . . . . . . . . . . . 7
1.6 Placement of the shim . . . . . . . . . . . . . . . . . . 7 1.6 Placement of the shim . . . . . . . . . . . . . . . . . 8
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 9 1.7 Traffic Engineering . . . . . . . . . . . . . . . . . . 10
2.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . 9 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2 Notational Conventions . . . . . . . . . . . . . . . . . . 11 2.1 Definitions . . . . . . . . . . . . . . . . . . . . . . 12
3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . 11 2.2 Notational Conventions . . . . . . . . . . . . . . . . . 14
4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . 12 3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . 16
4.1 Context Tags . . . . . . . . . . . . . . . . . . . . . . . 13 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . 17
4.2 Securing shim6 . . . . . . . . . . . . . . . . . . . . . . 14 4.1 Context Tags . . . . . . . . . . . . . . . . . . . . . . 19
4.3 Overview of Shim Control Messages . . . . . . . . . . . . 14 4.2 Context Forking . . . . . . . . . . . . . . . . . . . . 19
4.4 Locator Validation . . . . . . . . . . . . . . . . . . . . 16 4.3 API Extensions . . . . . . . . . . . . . . . . . . . . . 20
5. Message Formats . . . . . . . . . . . . . . . . . . . . . . 16 4.4 Securing shim6 . . . . . . . . . . . . . . . . . . . . . 20
5.1 Common shim6 Message Format . . . . . . . . . . . . . . . 16 4.5 Overview of Shim Control Messages . . . . . . . . . . . 21
5.2 Payload Message Format . . . . . . . . . . . . . . . . . . 17 4.6 Extension Header Order . . . . . . . . . . . . . . . . . 22
5.3 Common Shim6 Control header . . . . . . . . . . . . . . . 17 4.7 Locator Validation . . . . . . . . . . . . . . . . . . . 22
5.4 I1 Message Format . . . . . . . . . . . . . . . . . . . . 19 5. Message Formats . . . . . . . . . . . . . . . . . . . . . . 24
5.5 R1 Message Format . . . . . . . . . . . . . . . . . . . . 20 5.1 Common shim6 Message Format . . . . . . . . . . . . . . 24
5.6 I2 Message Format . . . . . . . . . . . . . . . . . . . . 21 5.2 Payload Extension Header Format . . . . . . . . . . . . 24
5.7 R2 Message Format . . . . . . . . . . . . . . . . . . . . 22 5.3 Common Shim6 Control header . . . . . . . . . . . . . . 25
5.8 No Context Error Message Format . . . . . . . . . . . . . 23 5.4 I1 Message Format . . . . . . . . . . . . . . . . . . . 27
5.9 Update Request Message Format . . . . . . . . . . . . . . 24 5.5 R1 Message Format . . . . . . . . . . . . . . . . . . . 28
5.10 Update Acknowledgement Message Format . . . . . . . . . 25 5.6 I2 Message Format . . . . . . . . . . . . . . . . . . . 30
5.11 Reachability Probe Message Format . . . . . . . . . . . 26 5.7 R2 Message Format . . . . . . . . . . . . . . . . . . . 31
5.12 Reachability Reply Message Format . . . . . . . . . . . 27 5.8 R1bis Message Format . . . . . . . . . . . . . . . . . . 33
5.13 Keepalive Message Format . . . . . . . . . . . . . . . . 28 5.9 I2bis Message Format . . . . . . . . . . . . . . . . . . 34
5.14 SHIM6 Probe Message Format . . . . . . . . . . . . . . . 29 5.10 Update Request Message Format . . . . . . . . . . . . . 36
5.15 Option Formats . . . . . . . . . . . . . . . . . . . . . 29 5.11 Update Acknowledgement Message Format . . . . . . . . . 38
5.15.1 Validator Option Format . . . . . . . . . . . . . . 30 5.12 Keepalive Message Format . . . . . . . . . . . . . . . . 39
5.15.2 Locator List Option Format . . . . . . . . . . . . . 31 5.13 Probe Message Format . . . . . . . . . . . . . . . . . . 39
5.15.3 Locator Preferences Option Format . . . . . . . . . 32 5.14 Option Formats . . . . . . . . . . . . . . . . . . . . . 39
5.15.4 CGA Parameter Data Structure Option Format . . . . . 33 5.14.1 Validator Option Format . . . . . . . . . . . . . . 41
5.15.5 CGA Signature Option Format . . . . . . . . . . . . 34 5.14.2 Locator List Option Format . . . . . . . . . . . . . 42
5.15.6 ULID Pair Option Format . . . . . . . . . . . . . . 34 5.14.3 Locator Preferences Option Format . . . . . . . . . 43
5.15.7 Packet In Error Option Format . . . . . . . . . . . 35 5.14.4 CGA Parameter Data Structure Option Format . . . . . 45
5.15.8 SHIM6 Event Option Format . . . . . . . . . . . . . 35 5.14.5 CGA Signature Option Format . . . . . . . . . . . . 46
6. Conceptual Model of a Host . . . . . . . . . . . . . . . . . 35 5.14.6 ULID Pair Option Format . . . . . . . . . . . . . . 46
6.1 Conceptual Data Structures . . . . . . . . . . . . . . . . 36 5.14.7 Forked Instance Identifier Option Format . . . . . . 47
7. Establishing Host Pair Contexts . . . . . . . . . . . . . . 36 5.14.8 Probe Option Format . . . . . . . . . . . . . . . . 48
7.1 Normal context establishment . . . . . . . . . . . . . . . 36 5.14.9 Reachability Option Format . . . . . . . . . . . . . 48
7.2 Concurrent context establishment . . . . . . . . . . . . . 37 5.14.10 Payload Reception Report Option Format . . . . . . 48
7.3 Context recovery . . . . . . . . . . . . . . . . . . . . . 38 6. Conceptual Model of a Host . . . . . . . . . . . . . . . . . 49
7.4 Context confusion . . . . . . . . . . . . . . . . . . . . 39 6.1 Conceptual Data Structures . . . . . . . . . . . . . . . 49
7.5 Sending I1 messages . . . . . . . . . . . . . . . . . . . 40 6.2 Context States . . . . . . . . . . . . . . . . . . . . . 50
7.6 Receiving I1 messages . . . . . . . . . . . . . . . . . . 40 7. Establishing ULID-Pair Contexts . . . . . . . . . . . . . . 52
7.7 Receiving R1 messages . . . . . . . . . . . . . . . . . . 41 7.1 Normal context establishment . . . . . . . . . . . . . . 52
7.8 Retransmitting I2 messages . . . . . . . . . . . . . . . . 41 7.2 Concurrent context establishment . . . . . . . . . . . . 52
7.9 Receiving I2 messages . . . . . . . . . . . . . . . . . . 41 7.3 Context recovery . . . . . . . . . . . . . . . . . . . . 54
7.10 Receiving R2 messages . . . . . . . . . . . . . . . . . 42 7.4 Context confusion . . . . . . . . . . . . . . . . . . . 56
8. No Such Content Errors . . . . . . . . . . . . . . . . . . . 42 7.5 Sending I1 messages . . . . . . . . . . . . . . . . . . 57
9. Handling ICMP Error Messages . . . . . . . . . . . . . . . . 42 7.6 Retransmitting I1 messages . . . . . . . . . . . . . . . 57
10. Teardown of the Host Pair Context . . . . . . . . . . . . . 43 7.7 Receiving I1 messages . . . . . . . . . . . . . . . . . 58
11. Updating the Locator Pairs . . . . . . . . . . . . . . . . . 44 7.7.1 Generating the R1 validator . . . . . . . . . . . . 59
12. Various Probe Mechanisms . . . . . . . . . . . . . . . . . . 44 7.8 Receiving R1 messages and sending I2 messages . . . . . 59
13. Rehoming to a Different Locator Pair . . . . . . . . . . . . 44 7.9 Retransmitting I2 messages . . . . . . . . . . . . . . . 60
14. Sending ULP Payloads . . . . . . . . . . . . . . . . . . . . 44 7.10 Receiving I2 messages . . . . . . . . . . . . . . . . . 61
14.1 Sending ULP Payload after a Switch . . . . . . . . . . . 45 7.11 Sending R2 messages . . . . . . . . . . . . . . . . . . 62
15. Receiving Packets . . . . . . . . . . . . . . . . . . . . . 45 7.12 Match for Context Confusion . . . . . . . . . . . . . . 62
16. Initial Contact . . . . . . . . . . . . . . . . . . . . . . 46 7.13 Receiving R2 messages . . . . . . . . . . . . . . . . . 63
17. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . 46 7.14 Sending R1bis packets . . . . . . . . . . . . . . . . . 64
18. Implications Elsewhere . . . . . . . . . . . . . . . . . . . 47 7.14.1 Generating the R1bis validator . . . . . . . . . . . 64
19. Security Considerations . . . . . . . . . . . . . . . . . . 48 7.15 Receiving R1bis messages and sending I2bis messages . . 65
20. IANA Considerations . . . . . . . . . . . . . . . . . . . . 49 7.16 Receiving I2bis messages and sending R2 messages . . . . 66
21. Possible Protocol Extensions . . . . . . . . . . . . . . . . 49 8. Handling ICMP Error Messages . . . . . . . . . . . . . . . . 68
22. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 50 9. Teardown of the ULID-Pair Context . . . . . . . . . . . . . 69
23. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 50 10. Updating the Peer . . . . . . . . . . . . . . . . . . . . 70
A. Design Alternatives . . . . . . . . . . . . . . . . . . . . 51 10.1 Sending Update Request messages . . . . . . . . . . . . 70
A.1 Context granularity . . . . . . . . . . . . . . . . . . . 51 10.2 Retransmitting Update Request messages . . . . . . . . . 70
A.2 Demultiplexing of data packets in shim6 communications . . 51 10.3 Newer Information While Retransmitting . . . . . . . . . 71
A.2.1 Flow-label . . . . . . . . . . . . . . . . . . . . . . 52 10.4 Receiving Update Request messages . . . . . . . . . . . 71
A.2.2 Extension Header . . . . . . . . . . . . . . . . . . . 54 10.5 Receiving Update Acknowledgement messages . . . . . . . 73
A.3 Context Loss Detection . . . . . . . . . . . . . . . . . . 54 11. Sending ULP Payloads . . . . . . . . . . . . . . . . . . . 74
A.4 Securing locator sets . . . . . . . . . . . . . . . . . . 57 11.1 Sending ULP Payload after a Switch . . . . . . . . . . . 74
A.5 Host-pair context establishment exchange . . . . . . . . . 59 12. Receiving Packets . . . . . . . . . . . . . . . . . . . . 76
A.6 Updating locator sets . . . . . . . . . . . . . . . . . . 60 12.1 Receiving Payload Extension Headers . . . . . . . . . . 76
A.7 State Cleanup . . . . . . . . . . . . . . . . . . . . . . 61 12.2 Receiving Shim Control messages . . . . . . . . . . . . 76
24. References . . . . . . . . . . . . . . . . . . . . . . . . . 61 12.3 Context Lookup . . . . . . . . . . . . . . . . . . . . . 77
24.1 Normative References . . . . . . . . . . . . . . . . . . 61 13. Initial Contact . . . . . . . . . . . . . . . . . . . . . 79
24.2 Informative References . . . . . . . . . . . . . . . . . 62 14. Protocol constants . . . . . . . . . . . . . . . . . . . . 80
Author's Address . . . . . . . . . . . . . . . . . . . . . . 63 15. Open Issues . . . . . . . . . . . . . . . . . . . . . . . 81
Intellectual Property and Copyright Statements . . . . . . . 64 16. Implications Elsewhere . . . . . . . . . . . . . . . . . . 82
17. Security Considerations . . . . . . . . . . . . . . . . . 84
18. IANA Considerations . . . . . . . . . . . . . . . . . . . 86
19. Possible Protocol Extensions . . . . . . . . . . . . . . . 88
20. Change Log . . . . . . . . . . . . . . . . . . . . . . . . 90
21. Acknowledgements . . . . . . . . . . . . . . . . . . . . . 93
A. Simplified State Machine . . . . . . . . . . . . . . . . . . 94
A.1 Simplified State Machine diagram . . . . . . . . . . . . 99
B. Context Tag Reuse . . . . . . . . . . . . . . . . . . . . . 100
B.1 Context Recovery . . . . . . . . . . . . . . . . . . . . 100
B.2 Context Confusion . . . . . . . . . . . . . . . . . . . 100
B.3 Three Party Context Confusion . . . . . . . . . . . . . 101
C. Design Alternatives . . . . . . . . . . . . . . . . . . . . 102
C.1 Context granularity . . . . . . . . . . . . . . . . . . 102
C.2 Demultiplexing of data packets in shim6 communications . 102
C.2.1 Flow-label . . . . . . . . . . . . . . . . . . . . . 103
C.2.2 Extension Header . . . . . . . . . . . . . . . . . . 105
C.3 Context Loss Detection . . . . . . . . . . . . . . . . . 106
C.4 Securing locator sets . . . . . . . . . . . . . . . . . 108
C.5 ULID-pair context establishment exchange . . . . . . . . 111
C.6 Updating locator sets . . . . . . . . . . . . . . . . . 112
C.7 State Cleanup . . . . . . . . . . . . . . . . . . . . . 112
22. References . . . . . . . . . . . . . . . . . . . . . . . . 115
22.1 Normative References . . . . . . . . . . . . . . . . . . 115
22.2 Informative References . . . . . . . . . . . . . . . . . 115
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 117
Intellectual Property and Copyright Statements . . . . . . . 118
1. Introduction 1. Introduction
The SHIM6 working group, and the MULTI6 WG that preceded it, is The SHIM6 working group, and the MULTI6 WG that preceded it, was
exploring a layer 3 shim approach for providing locator agility below exploring and is now specifying a layer 3 shim approach and protocol
the transport protocols, so that multihoming can be provided for IPv6 for providing locator agility below the transport protocols, so that
with failover and load spreading properties [14], without assuming multihoming can be provided for IPv6 with failover and load spreading
that a multihomed site will have a provider independent IPv6 address properties [16], without assuming that a multihomed site will have a
which is announced in the global IPv6 routing table. The hosts in a provider independent IPv6 address which is announced in the global
site which has multiple provider allocated IPv6 address prefixes, IPv6 routing table. The hosts in a site which has multiple provider
will use the shim6 protocol specified in this document to setup state allocated IPv6 address prefixes, will use the shim6 protocol
with peer hosts, so that the state can later be used to failover to a specified in this document to setup state with peer hosts, so that
different locator pair, should the original one stop working. the state can later be used to failover to a different locator pair,
should the original one stop working.
This document takes the outlines contained in [22] and [21] and This document takes the outlines contained in [25] and [24] and
expands to an actual proposed protocol. expands to an actual protocol specification.
We assume that redirection attacks are prevented using the mechanism We assume that redirection attacks are prevented using the mechanism
specified in HBA [6]. specified in HBA [7].
The WG mailing list is discussing the scheme used for reachability
detection [7]. The schemes that are being discussed are Context
Unreachability Detection (CUD) or Force Bidirectional communication
Detection (FBD). This document doesn't discuss the tradeoffs between
the two, but it does suggest a set of keepalive and probe messages
that are sufficient to handle both. Once the WG has decided which
approach to take, we can remove the unneeded messages.
There is a related but slightly separate issue of how the hosts can
find which of the locator pairs is working after a failure. This is
discussed in [8].
NOTE that the direction taken in the latest version of [8] is to use The reachability detection and failure detection, including how a new
FBD and some new SHIM6 message types. Some of that work has been working locator pair is discovered after a failure, is specified in
reflected in this document, but there are other edits that remain. separate documents ([9] and [8]). This document allocates message
types and option types for that sub-protocol, and leaves the
specification of the message and option formats as well as the
protocol behavior to a separate draft.
1.1 Goals 1.1 Goals
The goals for this approach is to: The goals for this approach is to:
o Preserve established communications through failures, for example, o Preserve established communications through failures, for example,
TCP connections and application communications using UDP. TCP connections and application communications using UDP.
o Have no impact on upper layer protocols in general and on o Have no impact on upper layer protocols in general and on
transport protocols in particular. transport protocols in particular.
o Address the security threats in [17] through a separate document
[6], and techniques described in this document. o Address the security threats in [20] through a separate document
[7], and techniques described in this document.
o No extra roundtrip for setup; deferred setup. o No extra roundtrip for setup; deferred setup.
o Take advantage of multiple locators/addresses for load spreading o Take advantage of multiple locators/addresses for load spreading
so that different sets of communication to a host (e.g., different so that different sets of communication to a host (e.g., different
connections) might use different locators of the host. connections) might use different locators of the host. This might
enable some forms of traffic engineering, but the details for
traffic engineering, including what requirements can be satisfied,
have not yet been worked out.
1.2 Non-Goals 1.2 Non-Goals
The assumption is that the problem we are trying to solve is site The assumption is that the problem we are trying to solve is site
multihoming, with the ability to have the set of site locator multihoming, with the ability to have the set of site locator
prefixes change over time due to site renumbering. Further, we prefixes change over time due to site renumbering. Further, we
assume that such changes to the set of locator prefixes can be assume that such changes to the set of locator prefixes can be
relatively slow and managed; slow enough to allow updates to the DNS relatively slow and managed; slow enough to allow updates to the DNS
to propagate. But it is not a goal to try to make communication to propagate. But it is not a goal to try to make communication
survive a renumbering event (which causes all the locators of a host survive a renumbering event (which causes all the locators of a host
to change to a new set of locators). This proposal does not attempt to change to a new set of locators). This proposal does not attempt
to solve, perhaps related, problems such as host multihoming or host to solve the, perhaps related, problem of host mobility. However, it
mobility. might turn out that the shim6 protocol can be a useful component,
e.g., for route optimization in the context of host mobility.
This proposal also does not try to provide an IP identifier. Even This proposal also does not try to provide a new network level
though such a concept would be useful to ULPs and applications, identifier namespace separated from the current IP address namespace.
Even though such a concept would be useful to ULPs and applications,
especially if the management burden for such a name space was zero especially if the management burden for such a name space was zero
and there was an efficient yet secure mechanism to map from and there was an efficient yet secure mechanism to map from
identifiers to locators, such a name space isn't necessary (and identifiers to locators, such a name space isn't necessary (and
furthermore doesn't seem to help) to solve the multihoming problem. furthermore doesn't seem to help) to solve the multihoming problem.
1.3 Locators as Upper-layer Identifiers 1.3 Locators as Upper-layer Identifiers
Central to this approach is to not introduce a new identifier name Central to this approach is to not introduce a new identifier name
space but instead use one of the locators as the upper-layer ID, space but instead use one of the locators as the upper-layer ID,
while allowing the locators used in the address fields to change over while allowing the locators used in the address fields to change over
time in response to failures of using the original locator. time in response to failures of using the original locator.
This implies that the ULID selection is performed as today's default This implies that the ULID selection is performed as today's default
address selection as specified in [12]. Underneath, and address selection as specified in RFC 3484 [13]. Some extensions are
needed to RFC 3484 to try different source addresses, whether or not
the shim6 protocol is used, as outlined in [14]. Underneath, and
transparently, the multihoming shim selects working locator pairs transparently, the multihoming shim selects working locator pairs
with the initial locator pair being the ULID pair. When with the initial locator pair being the ULID pair. When
communication fails the shim can test and select alternate locators. communication fails the shim can test and select alternate locators.
A subsequent section discusses the issues when the selected ULID is A subsequent section discusses the issues when the selected ULID is
not initially working hence there is a need to switch locators up not initially working hence there is a need to switch locators up
front. front.
Using one of the locators as the ULID has certain benefits for Using one of the locators as the ULID has certain benefits for
applications which have long-lived session state, or performs applications which have long-lived session state, or performs
callbacks or referrals, because both the FQDN and the 128-bit ULID callbacks or referrals, because both the FQDN and the 128-bit ULID
work as handles for the applications. However, using a single 128- work as handles for the applications. However, using a single 128-
bit ULID doesn't provide seamless communication when that locator is bit ULID doesn't provide seamless communication when that locator is
unreachable. See [18] for further discussion of the application unreachable. See [21] for further discussion of the application
implications. implications.
There has been some discussion of using non-routable locators, such There has been some discussion of using non-routable locators, such
as unique-local addresses [16], as ULIDs in a multihoming solution. as unique-local addresses [19], as ULIDs in a multihoming solution.
While this document doesn't specify all aspects of this, it is While this document doesn't specify all aspects of this, it is
believed that the approach can be extended to handle such a case. believed that the approach can be extended to handle such a case.
For example, the protocol already needs to handle ULIDs that are not For example, the protocol already needs to handle ULIDs that are not
initially reachable. Thus the same mechanism can handle ULIDs that initially reachable. Thus the same mechanism can handle ULIDs that
are permanently unreachable from outside their site. The issue are permanently unreachable from outside their site. The issue
becomes how to make the protocol perform well when the ULID is not becomes how to make the protocol perform well when the ULID is known
reachable, for instance, avoiding any timeout and retries in this a priori to be not reachable (e.g., the ULID is a ULA), for instance,
case. In addition one would need to understand how the ULAs would be avoiding any timeout and retries in this case. In addition one would
entered in the DNS to avoid a performance impact on existing, non- need to understand how the ULAs would be entered in the DNS to avoid
shim6 aware, IPv6 hosts potentially trying to communicate to the a performance impact on existing, non-shim6 aware, IPv6 hosts
(unreachable) ULA. potentially trying to communicate to the (unreachable) ULA.
1.4 IP Multicast 1.4 IP Multicast
IP Multicast requires that the IP source address field contain a IP Multicast requires that the IP source address field contain a
topologically correct locator for interface that is used to send the topologically correct locator for interface that is used to send the
packet, since IP multicast routing uses both the source address and packet, since IP multicast routing uses both the source address and
the destination group to determine where to forward the packet. the destination group to determine where to forward the packet.
(This isn't much different than the situation with widely implemented (This isn't much different than the situation with widely implemented
ingress filtering [10] for unicast.) ingress filtering [11] for unicast.)
While in theory it would be possible to apply the shim re-mapping of While in theory it would be possible to apply the shim re-mapping of
the IP address fields between ULIDs and locators, the fact that all the IP address fields between ULIDs and locators, the fact that all
the multicast receivers would need to know the mapping to perform, the multicast receivers would need to know the mapping to perform,
makes such an approach difficult in practice. Thus it makes sense to makes such an approach difficult in practice. Thus it makes sense to
have multicast ULPs operate directly on locators and not use the have multicast ULPs operate directly on locators and not use the
shim. This is quite a natural fit for protocols which use RTP [13], shim. This is quite a natural fit for protocols which use RTP [15],
since RTP already has an explicit identifier in the form of the SSRC since RTP already has an explicit identifier in the form of the SSRC
field in the RTP headers. Thus the actual IP address fields are not field in the RTP headers. Thus the actual IP address fields are not
important to the application. important to the application.
In summary, IP multicast will not use the shim to remap the IP
addresses.
1.5 Renumbering Implications 1.5 Renumbering Implications
As stated above, this approach does not try to make communication As stated above, this approach does not try to make communication
survive renumbering. However, the fact that a ULID might be used survive renumbering. However, the fact that a ULID might be used
with a different locator over time open up the possibility that with a different locator over time open up the possibility that
communication between two ULIDs might continue to work after one or communication between two ULIDs might continue to work after one or
both of those ULIDs are no longer reachable as locators, for example both of those ULIDs are no longer reachable as locators, for example
due to a renumbering event. This opens up the possibility that the due to a renumbering event. This opens up the possibility that the
ULID (or at least the prefix on which it is based) is reassigned to ULID (or at least the prefix on which it is based) is reassigned to
another site while it is still being used (with another locator) for another site while it is still being used (with another locator) for
existing communication. existing communication.
Worst case we could end up with two separate hosts using the same Worst case we could end up with two separate hosts using the same
ULID while both of them are communicating with the same host. ULID while both of them are communicating with the same host.
This potential source for confusion can be avoided if we require that This potential source for confusion can be avoided if we require that
any communication using a ULID must be terminated when the ULID any communication using a ULID must be terminated when the ULID
becomes invalid (due to the underlying prefix becoming invalid). becomes invalid (due to the underlying prefix becoming invalid). If
that behavior is desired, it can be accomplished by explicitly
discarding the shim state when the ULID becomes invalid. The context
recovery mechanism will then make the peer aware that the context is
gone, and that the ULID is no longer present at the same locator(s).
However, this might be an overkill. Even when an IPv6 prefix is However, terminating the communication might be overkill. Even when
retired and reassigned to some other site, there is still a very an IPv6 prefix is retired and reassigned to some other site, there is
small probability that another host in that site picks the same 128 a very small probability that another host in that site picks the
bit address (whether using DHCPv6, stateless address same 128 bit address (whether using DHCPv6, stateless address
autoconfiguration, or picking a random interface ID [11]). Should autoconfiguration, or picking a random interface ID [12]). Should
the identical address be used by another host, then there still the identical address be used by another host, then there still
wouldn't be a problem until that host attempts to communicate with wouldn't be a problem until that host attempts to communicate with
the same host with which the initial user of the IPv6 address was the same peer host with which the initial user of the IPv6 address
communicating. was communicating.
The protocol as specified in this document does not perform any
action when an address becomes invalid. As we gain further
understanding of the practical impact of renumbering this might
change in a future version of the protocol.
1.6 Placement of the shim 1.6 Placement of the shim
----------------------- -----------------------
| Transport Protocols | | Transport Protocols |
----------------------- -----------------------
------ ------- -------------- ------------- IP endpoint ------ ------- -------------- ------------- IP endpoint
| AH | | ESP | | Frag/reass | | Dest opts | sub-layer | AH | | ESP | | Frag/reass | | Dest opts | sub-layer
------ ------- -------------- ------------- ------ ------- -------------- -------------
skipping to change at page 7, line 47 skipping to change at page 9, line 14
independence. The multihoming shim layer behaves as if it is independence. The multihoming shim layer behaves as if it is
associated with an extension header, which would be placed after any associated with an extension header, which would be placed after any
routing-related headers in the packet (such as any hop-by-hop routing-related headers in the packet (such as any hop-by-hop
options, or routing header). However, when the locator pair is the options, or routing header). However, when the locator pair is the
ULID pair there is no data that needs to be carried in an extension ULID pair there is no data that needs to be carried in an extension
header, thus none is needed in that case. header, thus none is needed in that case.
Layering AH and ESP above the multihoming shim means that IPsec can Layering AH and ESP above the multihoming shim means that IPsec can
be made to be unaware of locator changes the same way that transport be made to be unaware of locator changes the same way that transport
protocols can be unaware. Thus the IPsec security associations protocols can be unaware. Thus the IPsec security associations
remain stable even though the locators are changing. The MOBIKE WG remain stable even though the locators are changing.
is looking at ways to have IPsec security associations survive even
though the IP addresses changes, which is a different approach.
Layering the fragmentation header above the multihoming shim makes Layering the fragmentation header above the multihoming shim makes
reassembly robust in the case that there is broken multi-path routing reassembly robust in the case that there is broken multi-path routing
which results in using different paths, hence potentially different which results in using different paths, hence potentially different
source locators, for different fragments. Thus, effectively the source locators, for different fragments. Thus, effectively the
multihoming shim layer is placed between the IP endpoint sublayer, multihoming shim layer is placed between the IP endpoint sublayer,
which handles fragmentation, reassembly, and IPsec, and the IP which handles fragmentation, reassembly, and IPsec, and the IP
routing sublayer, which selects which next hop and interface to use routing sublayer, which selects which next hop and interface to use
for sending out packets. for sending out packets.
Applications and upper layer protocols use ULIDs which the shim6 Applications and upper layer protocols use ULIDs which the shim6
layer will map to/from different locators. The shim6 layer maintains layer will map to/from different locators. The shim6 layer maintains
state, called host-pair context, per ULID pairs (that is, applies to state, called ULID-pair context, per ULID pairs (that is, applies to
all ULP connections between the ULID pair) in order to perform this all ULP connections between the ULID pair) in order to perform this
mapping. The mapping is performed consistently at the sender and the mapping. The mapping is performed consistently at the sender and the
receiver, thus from the perspective of the upper layer protocols, receiver, thus from the perspective of the upper layer protocols,
packets appear to be sent using ULIDs from end to end, even though packets appear to be sent using ULIDs from end to end, even though
the packets travel through the network containing locators in the IP the packets travel through the network containing locators in the IP
address fields, and even though those locators might be changed by address fields, and even though those locators might be changed by
the transmitting shim6 layer. the transmitting shim6 layer.
The context state in this approach is maintained per remote ULID i.e. The context state in this approach is maintained per remote ULID i.e.
approximately per peer host, and not at any finer granularity. In approximately per peer host, and not at any finer granularity. In
skipping to change at page 8, line 51 skipping to change at page 10, line 28
| ^ | ^
------- cloud with some routers ------- ------- cloud with some routers -------
Figure 2: Mapping with changed locators Figure 2: Mapping with changed locators
The result of this consistent mapping is that there is no impact on The result of this consistent mapping is that there is no impact on
the ULPs. In particular, there is no impact on pseudo-header the ULPs. In particular, there is no impact on pseudo-header
checksums and connection identification. checksums and connection identification.
Conceptually one could view this approach as if both ULIDs and Conceptually one could view this approach as if both ULIDs and
locators are being present in every packet, but with a header locators are being present in every packet, and with a header
compression mechanism applied that removes the need for the ULIDs compression mechanism applied that removes the need for the ULIDs to
once the state has been established. In order for the receiver to be carried in the packets once the compression state has been
recreate a packet with the correct ULIDs there might be a need to established. In order for the receiver to recreate a packet with the
include some "compression tag" in the data packets. This would serve correct ULIDs there is a need to include some "compression tag" in
to indicate the correct context to use for decompression when the the data packets. This serves to indicate the correct context to use
locator pair in the packet is insufficient to uniquely identify the for decompression when the locator pair in the packet is insufficient
context. to uniquely identify the context.
1.7 Traffic Engineering
At the time of this writing it is not clear what requirements for
traffic engineering make sense for the shim6 protocol, since the
requirements must both result in some useful behavior as well as be
implementable using a host-to-host locator agility mechanism like
shim6. What is clear that whatever they are, shim6 will not be able
to provide identical capabilities to traffic engineering using BGP
and Provide Independent IP addresses.
The protocol provides a placeholder, in the form of the Locator
Preferences option, which can be used by hosts to express priority
and weight values for each locator. This is intentionally made
identical to the DNS SRV [10] specification of priority and weight,
so that DNS SRV records can be used for initial contact and the shim
for failover, and they can use the same way to describe the
preferences. The format allows adding additional notions of
"metrics" over time. But this is merely a place holder; even in
order to use this there would have to be a mechanism by which the
host can find out what preference values to use, either statically
(e.g., some new DHCPv6 option) or dynamically.
2. Terminology 2. Terminology
This document uses the terms MUST, SHOULD, RECOMMENDED, MAY, SHOULD This document uses the terms MUST, SHOULD, RECOMMENDED, MAY, SHOULD
NOT and MUST NOT defined in RFC 2119 [1]. The terms defined in RFC NOT and MUST NOT defined in RFC 2119 [1]. The terms defined in RFC
2460 [2] are also used. 2460 [2] are also used.
2.1 Definitions 2.1 Definitions
This document introduces the following terms (taken from [22]): This document introduces the following terms (taken from [25]):
upper layer protocol (ULP) upper layer protocol (ULP)
A protocol layer immediately above IP. Examples A protocol layer immediately above IP. Examples
are transport protocols such as TCP and UDP, are transport protocols such as TCP and UDP,
control protocols such as ICMP, routing protocols control protocols such as ICMP, routing protocols
such as OSPF, and internet or lower-layer such as OSPF, and internet or lower-layer
protocols being "tunneled" over (i.e., protocols being "tunneled" over (i.e.,
encapsulated in) IP such as IPX, AppleTalk, or IP encapsulated in) IP such as IPX, AppleTalk, or IP
itself. itself.
interface A node's attachment to a link. interface A node's attachment to a link.
skipping to change at page 9, line 45 skipping to change at page 12, line 39
the "address" term in the case where it isn't the "address" term in the case where it isn't
specific whether it is a locator or an specific whether it is a locator or an
identifier. identifier.
locator An IP layer topological name for an interface or locator An IP layer topological name for an interface or
a set of interfaces. 128 bits. The locators are a set of interfaces. 128 bits. The locators are
carried in the IP address fields as the packets carried in the IP address fields as the packets
traverse the network. traverse the network.
identifier An IP layer name for an IP layer endpoint (stack identifier An IP layer name for an IP layer endpoint (stack
name in [24]). The transport endpoint name is a name in [27]). The transport endpoint name is a
function of the transport protocol and would function of the transport protocol and would
typically include the IP identifier plus a port typically include the IP identifier plus a port
number. number.
NOTE: This proposal does not specify any new form NOTE: This proposal does not specify any new form
of IP layer identifier, but still separates the of IP layer identifier, but still separates the
identifying and locating properties of the IP identifying and locating properties of the IP
addresses. addresses.
upper-layer identifier (ULID) upper-layer identifier (ULID)
An IP address which has been selected for An IP address which has been selected for
skipping to change at page 10, line 28 skipping to change at page 13, line 27
separate name space and allocation mechanisms. separate name space and allocation mechanisms.
address field The source and destination address fields in the address field The source and destination address fields in the
IPv6 header. As IPv6 is currently specified this IPv6 header. As IPv6 is currently specified this
fields carry "addresses". If identifiers and fields carry "addresses". If identifiers and
locators are separated these fields will contain locators are separated these fields will contain
locators for packets on the wire. locators for packets on the wire.
FQDN Fully Qualified Domain Name FQDN Fully Qualified Domain Name
Host-pair context The state that the multihoming shim maintains. ULID-pair context The state that the multihoming shim maintains
The context is for a ULID pair, and is identified between a pair of Upper-layer identifiers. The
by a context tag for each direction of the context is identified by a context tag for each
communication. direction of the communication, and also
identified by the pair of ULID and a Forked
Instance Identifier (see below).
Context tag Each end of the context allocates a context tag Context tag Each end of the context allocates a context tag
for the context. This is used to uniquely for the context. This is used to uniquely
associate both received control packets and associate both received control packets and
payload packets with the shim6 Payload extension payload extension headers as belonging to the
header as belonging to the context. context.
Current locator pair Each end of the context has a current locator Current locator pair Each end of the context has a current locator
pair which is used to send packets to be peer. pair which is used to send packets to be peer.
The two ends might use different current locator The two ends might use different current locator
pairs though. pairs though.
Default context At the sending end, the shim uses the ULID pair Default context At the sending end, the shim uses the ULID pair
(passed down from the ULP) to find the context (passed down from the ULP) to find the context
for that pair. Thus, normally, a host can have for that pair. Thus, normally, a host can have
at most one context for a ULID pair. We call at most one context for a ULID pair. We call
this the "default context". this the "default context".
Context forking A mechanism which allows ULPs that are aware of Context forking A mechanism which allows ULPs that are aware of
multiple locators to use separate contexts for multiple locators to use separate contexts for
the same ULID pair, in order to be able use the same ULID pair, in order to be able use
different locator pairs for different different locator pairs for different
communication to the same ULID. Context forking communication to the same ULID. Context forking
causes more than just the default context to be causes more than just the default context to be
created for a ULID pair. created for a ULID pair.
Forked Instance Identifier (FII) In order to handle context forking,
a context is identified by a ULID-pair and a
forked context identifier. The default context
has a FII of zero.
Initial contact We use this term to refer to the pre-shim
communication when some ULP decides to start
communicating with a peer by sending and
receiving ULP packets. Typically this would not
invoke any operations in the shim, since the shim
can defer the context establishment until some
arbitrary later point in time.
2.2 Notational Conventions 2.2 Notational Conventions
A, B, and C are hosts. X is a potentially malicious host. A, B, and C are hosts. X is a potentially malicious host.
FQDN(A) is the domain name for A. FQDN(A) is the domain name for A.
Ls(A) is the locator set for A, which consists of the locators L1(A), Ls(A) is the locator set for A, which consists of the locators L1(A),
L2(A), ... Ln(A). L2(A), ... Ln(A).
ULID(A) is an upper-layer ID for A. In this proposal, ULID(A) is ULID(A) is an upper-layer ID for A. In this proposal, ULID(A) is
always one member of A's locator set. always one member of A's locator set.
CT(x) is a Context Tag.
This document also makes use of internal conceptual variables to This document also makes use of internal conceptual variables to
describe protocol behavior and external variables that an describe protocol behavior and external variables that an
implementation must allow system administrators to change. The implementation must allow system administrators to change. The
specific variable names, how their values change, and how their specific variable names, how their values change, and how their
settings influence protocol behavior are provided to demonstrate settings influence protocol behavior are provided to demonstrate
protocol behavior. An implementation is not required to have them in protocol behavior. An implementation is not required to have them in
the exact form described here, so long as its external behavior is the exact form described here, so long as its external behavior is
consistent with that described in this document. See Section 6 for a consistent with that described in this document. See Section 6 for a
description of the conceptual data structures. description of the conceptual data structures.
skipping to change at page 12, line 10 skipping to change at page 17, line 9
has done a good enough job of trying to find a working path to the has done a good enough job of trying to find a working path to the
peer. Since we want the protocol to provide benefits even if the peer. Since we want the protocol to provide benefits even if the
peer has a single locator, this seems to imply that the choice of peer has a single locator, this seems to imply that the choice of
source locator needs to somehow affect the exit path from the source locator needs to somehow affect the exit path from the
site. site.
4. Protocol Overview 4. Protocol Overview
The shim6 protocol operates in several phases over time. The The shim6 protocol operates in several phases over time. The
following sequence illustrates the concepts: following sequence illustrates the concepts:
o An application on host A decides to contact B using some upper- o An application on host A decides to contact B using some upper-
layer protocol. This results in the ULP on A sending packets to layer protocol. This results in the ULP on A sending packets to
B. We call this the initial contact. Assuming the IP addresses B. We call this the initial contact. Assuming the IP addresses
selected by Default Address Selection [12] work, then there is no selected by Default Address Selection [13] and its extensions [14]
action by the shim at this point in time. Any shim context work, then there is no action by the shim at this point in time.
establishment can be deferred until later. Any shim context establishment can be deferred until later.
o Some heuristic on A or B (or both) determine that it might make o Some heuristic on A or B (or both) determine that it might make
sense to make this communication robust against locator failures. sense to make this communication robust against locator failures.
For instance, this heuristic might be that more than 50 packets For instance, this heuristic might be that more than 50 packets
have been sent or received. This makes the shim initiate the have been sent or received, or a timer expiration while active
packet exchange is in place. This makes the shim initiate the
4-way context establishment exchange. 4-way context establishment exchange.
As a result of this exchange, both A and B will know a list of As a result of this exchange, both A and B will know a list of
locators for each other. locators for each other.
If the context establishment exchange fails, the initiator will If the context establishment exchange fails, the initiator will
then know that the other end does not support shim6, and will then know that the other end does not support shim6, and will
revert to standard unicast behavior for the session. revert to standard unicast behavior for the session.
o Communication continues without any change for the ULP packets. o Communication continues without any change for the ULP packets.
In particular, there are no shim extension headers added to the
ULP packets, since the ULID pair is the same as the locator pair.
In addition, there might be some messages exchanged between the In addition, there might be some messages exchanged between the
shim sub-layers for (un)reachability detection. shim sub-layers for (un)reachability detection.
o At some point in time something fails. Depending on the approach o At some point in time something fails. Depending on the approach
to reachability detection, there might be some advise from the to reachability detection, there might be some advise from the
ULP, or the shim (un)reachability detection might discover that ULP, or the shim (un)reachability detection might discover that
there is a problem. there is a problem.
At this point in time one or both ends of the communication need At this point in time one or both ends of the communication need
to probe and explore the different alternate locator pairs until a to probe the different alternate locator pairs until a working
working pair is found, and rehome to using that pair. pair is found, and rehome to using that pair.
o Once a working alternative locator pair has been found, the shim o Once a working alternative locator pair has been found, the shim
will rewrite the packets on transmit, and tag the packets with will rewrite the packets on transmit, and tag the packets with
shim6 Payload message as an extension header, which contains the shim6 Payload extension header, which contains the receiver's
receiver's context tag. The receiver will use the <Source context tag. The receiver will use the context tag to find the
Locator, Destination Locator, Context Tag> to find the context context state which will indicate which addresses to place in the
state which will indicate which addresses to place in the IPv6 IPv6 header before passing the packet up to the ULP. The result
header before passing the packet up to the ULP. The result is is that from the perspective of the ULP the packet passes
that from the perspective of the ULP the packet passes unmodified unmodified end-to-end, even though the IP routing infrastructure
end-to-end, even though the IP routing infrastructure sends the sends the packet to a different locator.
packet to a different locator.
o The shim (un)reachability detection will monitor the new locator o The shim (un)reachability detection will monitor the new locator
pair as it monitored the original locator pair, so that subsequent pair as it monitored the original locator pair, so that subsequent
failures can be detected. failures can be detected.
o In addition to failures detected based on end-to-end observations, o In addition to failures detected based on end-to-end observations,
one endpoint might be know for certain that one or more of its one endpoint might be know for certain that one or more of its
locators is not working. For instance, the network interface locators is not working. For instance, the network interface
might have failed or gone down (at layer 2), or an IPv6 address might have failed or gone down (at layer 2), or an IPv6 address
might have become invalid. In such cases the host can signal its might have become deprecated or invalid. In such cases the host
peer that this address is no longer recommended to try. Thus this can signal its peer that this address is no longer recommended to
triggers something similar to a failure handling in that a new, try. Thus this triggers something similar to a failure handling
working locator pair must be found. in that a new, working locator pair must be found.
The protocol also has the ability to express other forms of
locator preferences. A change in any preferences can be signaled
to the peer, which might make the peer choose to try a different
locator pair. Thus, this can also be treated similarly to a
failure.
The Working Group has discussed whether or not hosts can express
other forms of locator preferences. If this is the case, a change
in the preferences can be signaled to the peer, which might make
the peer choose to try a different locator pair. Thus, this can
also be treated similarly to a failure.
o When the shim thinks that the context state is no longer used, it o When the shim thinks that the context state is no longer used, it
can garbage collect the state; there is no coordination necessary can garbage collect the state; there is no coordination necessary
with the peer host before the state is removed. There is an error with the peer host before the state is removed. There is a
message defined to be able to signal when there is no context recovery message defined to be able to signal when there is no
state, which can be used to detect and recover from both premature context state, which can be used to detect and recover from both
garbage collection, as well as complete state loss (crash and premature garbage collection, as well as complete state loss
reboot) of a peer. (crash and reboot) of a peer.
The ULP packets in shim6 are carried completely unmodified as long as The exact mechanism to determine when the context state is no
the ULID pair is used as the locator pair. After a switch to a longer used is implementation dependent. An implementation might
different locator pair the packets are "tagged" with a shim6 use the existence of ULP state (where known to the implementation)
as an indication that the state is still used, combined with a
timer (to handle ULP state that might not be known to the shim
sub-layer) to determine when the state is likely to no longer be
used.
NOTE: The ULP packets in shim6 are carried completely unmodified as
long as the ULID pair is used as the locator pair. After a switch to
a different locator pair the packets are "tagged" with a shim6
extension header, so that the receiver can always determine the extension header, so that the receiver can always determine the
context to which they belong. This is accomplished by including an context to which they belong. This is accomplished by including an
8-octet "shim payload" extension header before the (extension) 8-octet shim payload extension header before the (extension) headers
headers that are processed by the IP endpoint sublayer and ULPs. that are processed by the IP endpoint sublayer and ULPs.
4.1 Context Tags 4.1 Context Tags
A context between two hosts is actually a context between two ULIDs. A context between two hosts is actually a context between two ULIDs.
The context is identified by a pair of context tags. Each end gets The context is identified by a pair of context tags. Each end gets
to allocate a context tag, and once the context is established, the to allocate a context tag, and once the context is established, the
shim6 control messages contain the context tag that the receiver of shim6 control messages contain the context tag that the receiver of
the message allocated. Thus at a minimum the combination of <peer the message allocated. Thus at a minimum the combination of <peer
ULID, local ULID, local context tag> MUST uniquely identify one ULID, local ULID, local context tag> MUST uniquely identify one
context. context. But since the Payload extension headers are demultiplexed
without looking at the locators in the packet, the receiver MUST
In addition, the non-shim6 messages, which we call payload packets, allocate context tags that are unique for all its contexts. In
will not contain the ULIDs after a failure. This introduces the addition, in order to minimize the reuse of context tags, the host
requirement that the <peer locator, local locator, local context tag> SHOULD randomly cycle through the 2^47 context tag values,(e.g.
MUST uniquely identify the context. Since the peer's set of locators following the guidelines described in [18]. The context tag is a 47-
might be dynamic the simplest form of unique allocation of the local bit number (the largest which can fit in an 8-octet extension
context tag is to pick a number that is unique on the host. Hosts header).
which serve multiple ULIDs using disjoint sets of locators can
maintain the context tag allocation per such disjoint set.
The mechanism for detecting a loss of context state at the peer that The mechanism for detecting a loss of context state at the peer that
is currently proposed in this document assumes that the receiver can is currently proposed in this document assumes that the receiver can
tell the packets that need locator rewriting, even after it has lost tell the packets that need locator rewriting, even after it has lost
all state (e.g., due to a crash followed by a reboot). This is all state (e.g., due to a crash followed by a reboot). This is
achieved because after a rehoming event the packets that need achieved because after a rehoming event the packets that need
receive-side rewriting, carry the Payload Message extension header. receive-side rewriting, carry the Payload extension header.
Even though we do not overload the flow label field to carry the Even though we do not overload the flow label field to carry the
context tag, any protocol (such as RSVP or NSIS) which signals context tag, any protocol (such as RSVP or NSIS) which signals
information about flows from the host stack to devices in the path, information about flows from the host stack to devices in the path,
need to be made aware of the locator agility introduced by a layer 3 need to be made aware of the locator agility introduced by a layer 3
shim, so that the signaling can be performed for the locator pairs shim, so that the signaling can be performed for the locator pairs
that are currently being used. that are currently being used.
TBD: add forking - multiple contexts between ULID pairs, default 4.2 Context Forking
context, etc. Need to explain that context forking assumes an API
from the ULP.
TBD: add that shim can be disabled for some ULP traffic if we define It has been asserted that it will be important for future ULPs, in
an API for this purpose. particular, future transport protocols, to be able to control which
locator pairs are used for different communication. For instance,
host A and host B might communicate using both VoIP traffic and ftp
traffic, and those communications might benefit from using different
locator pairs. However, the fundamental shim6 mechanism uses a
single current locator pair for each context, thus a single context
can not accomplish this.
4.2 Securing shim6 For this reason, the shim6 protocol supports the notion of context
forking. This is a mechanism by which a ULP can specify (using some
API not yet defined) that a context for e.g., the ULID pair <A1, B2>
should be forked into two contexts. In this case the forked-off
context will be assigned a non-zero Forked Instance Identifier, while
the default context has FII zero.
No other special considerations are needed in the shim6 protocol to
handle forked contexts.
Note that forking as specified does NOT allow A to be able to tell B
that certain traffic (a 5-tuple?) should be forked for the reverse
direction. The shim forking mechanism as specified applies only to
the sending of ULP packets. If some ULP wants to fork for both
directions, it is up to the ULP to set this up, and then instruct the
shim at each end to transmit using the forked context.
4.3 API Extensions
Several API extensions have been discussed for shim6, but their
actual specification is out of scope for this document. The simplest
one would be to add a socket option to be able to have traffic bypass
the shim (not create any state, and not use any state created by
other traffic). This could be an IPV6_DONTSHIM socket option. Such
an option would be useful for protocols, such as DNS, where the
application has its own failover mechanism (multiple NS records in
the case of DNS) and using the shim could potentially add extra
latency with no added benefits.
Some other API extensions are discussed in Section 19
4.4 Securing shim6
The mechanisms are secured using a combination of techniques: The mechanisms are secured using a combination of techniques:
o The HBA technique [6] for validating the locators to prevent an
o The HBA technique [7] for validating the locators to prevent an
attacker from redirecting the packet stream to somewhere else. attacker from redirecting the packet stream to somewhere else.
o Requiring a Reachability Probe+Reply before a new locator is used o Requiring a Reachability Probe+Reply before a new locator is used
as the destination, in order to prevent 3rd party flooding as the destination, in order to prevent 3rd party flooding
attacks. attacks.
o The first message does not create any state on the responder. o The first message does not create any state on the responder.
Essentially a 3-way exchange is required before the responder Essentially a 3-way exchange is required before the responder
creates any state. This means that a state-based DoS attack creates any state. This means that a state-based DoS attack
(trying to use up all of memory on the responder) at least (trying to use up all of memory on the responder) at least
provides an IPv6 address that the attacker was using. provides an IPv6 address that the attacker was using.
o The context establishment messages use nonces to prevent replay o The context establishment messages use nonces to prevent replay
attacks. attacks, and to prevent off-path attackers from interfering with
the establishment.
4.3 Overview of Shim Control Messages o Every control message of the shim6 protocol, past the context
establishment, carry the context tag assigned to the particular
context. This implies that an attacker needs to discover that
context tag before being able to spoof any shim6 control message.
Such discovery probably requires to be along the path in order to
be sniff the context tag value. The result is that through this
technique, the shim6 protocol is protected against off-path
attackers.
4.5 Overview of Shim Control Messages
The shim context establishment is accomplished using four messages; The shim context establishment is accomplished using four messages;
I1, R1, I2, R2. Normally they are sent in that order from initiator I1, R1, I2, R2. Normally they are sent in that order from initiator
and responder, respectively. Should both ends attempt to set up and responder, respectively. Should both ends attempt to set up
context state at the same time (for the same ULID pair), then their context state at the same time (for the same ULID pair), then their
I1 messages might cross in flight, and result in an immediate R2 I1 messages might cross in flight, and result in an immediate R2
message. [The names of these messages are borrowed from HIP [23].] message. [The names of these messages are borrowed from HIP [26].]
There is a No Context error message defined, when a control or R1bis and I2bis messages are defined, which are used to recover a
payload packet arrives and there is no matching context state at the context after it has been lost. A R1bis message is sent when a shim6
receiver. When such a message is received, it will result in the control or payload extension header arrives and there is no matching
destruction of the shim context and a re-establishment. context state at the receiver. When such a message is received, it
will result in the re-creation of the shim context using the I2bis
and R2 messages.
The peers' lists of locators are normally exchanged as part of the The peers' lists of locators are normally exchanged as part of the
context establishment exchange. But the set of locators might be context establishment exchange. But the set of locators might be
dynamic. For this reason there is a Locator List Update message and dynamic. For this reason there is a Update message and Update
acknowledgement. acknowledgement, and a Locator List option.
Even though the list of locators is fixed, a host might determine Even when the list of locators is fixed, a host might determine that
that some preferences might have changed. For instance, it might some preferences might have changed. For instance, it might
determine that there is a locally visible failure that implies that determine that there is a locally visible failure that implies that
some locator(s) are no longer usable. Currently this mechanism has a some locator(s) are no longer usable. This uses a Locator
separate message pair (Rehome Request and acknowledgement), but Preferences option in the Update message.
perhaps this can be encoded using the Locator List Update message
pair with a preference option and no change to the list of locators.
At least two approaches (CUD and FBD) have been discussed for the
shim (un)reachability detection [7]. This document attempt to define
messages for both cases; once the WG has picked an approach we can
delete any unneeded messages.
The CUD approach uses a probe message and acknowledgement, which can The mechanism for (un)reachability detection is called Force
be suppressed e.g. using positive advise from the ULP. This message Bidirectional Communication (FBD). The FBD approach uses a Keepalive
pair also seems needed to verify that the host is indeed present at a message, which is sent when a host has received packets from the
new locator before the data stream is redirected to that locator, in peer, but the ULP has not given the host an opportunity to send any
order to prevent 3rd party DoS attacks. payload packet to the peer. The message type is reserved in this
document, but the message format and processing rules are specified
in [9].
The FBD approach uses a keepalive message, which is sent when a host In addition, when the context is established and there is a failure
has received packets from the peer, but the ULP has not given the there needs to be a way to probe the set of locator pairs to
host an opportunity to send any payload packet to the peer. efficiently find a working pair. This document reserves an Probe
message type, with the packet format and processing rules specified
in [9].
The above probe and keepalive messages assume we have an established The above probe and keepalive messages assume we have an established
host-pair context. However, communication might fail during the ULID-pair context. However, communication might fail during the
initial context (that is, when the application or transport protocol initial contact (that is, when the application or transport protocol
is trying to setup some communication). If we want the shim to be is trying to setup some communication). This is handled using the
able to optimize discovering a working locator pair in that case, we mechanisms in the ULP to try different address pairs as specified in
need a mechanism to test the reachability of locators independent of [13] [14]. In the future versions of the protocol, and with a richer
some context. We define a locator pair test message and API between the ULP and the shim, the shim might be help optimize
acknowledgement for this purpose, even though it isn't yet clear discovering a working locator pair during initial contact. This is
whether we need such a thing. for further study.
Finally, when the context is established and there is a failure there 4.6 Extension Header Order
needs to be a way to probe and explore the set of locator pairs to
efficiently find a working pair. We define an explore message as a
place holder for some mechanism in this space [8].
4.4 Locator Validation Since the shim is placed between the IP endpoint sub-layer and the IP
routing sub-layer in the host, the shim header MUST be placed before
any endpoint extension headers (fragmentation headers, destination
options header, AH, ESP), but after any routing related headers (hop-
by-hop extensions header, routing header, a destinations options
header which precedes a routing header). When tunneling is used,
whether IP-in-IP tunneling or the special form of tunneling that
Mobile IPv6 uses (with Home Address Options and Routing header type
2), there is a choice whether the shim applies inside the tunnel or
outside the tunnel, which effects the location of the shim6 header.
In most cases IP-in-IP tunnels are used as a routing technique, thus
it makes sense to apply them on the locators which means that the
sender would insert the shim6 header after any IP-in-IP
encapsulation; this is what occurs naturally when routers apply IP-
in-IP encapsulation. In any case the receiver behavior is well-
defined; a receiver processes the extension headers in order. The
precise interaction between Mobile IPv6 and shim6 is for further
study, but it might make sense to have Mobile IPv6 operate on
locators as well, meaning that the shim would be layered on top of
the MIPv6 mechanism.
4.7 Locator Validation
There are two separate aspects of locator validation. One is to
verify that the locator is tied to the ULID, i.e., that the host
which "owns" the ULID also "owns" the locator. The shim6 protocol
uses the HBA and CGA techniques for doing this validation. The other
is to verify that the host is indeed reachable at the claimed
locator. Such verification is needed both to make sure communication
can proceed, but also to prevent 3rd party flooding attacks [20].
These different verifications happen at different times, since the
first might need to be performed before packets can be received by
the peer with the source locator in question, but the latter
verification is only needed before packets are sent to the locator.
Before a host can use a locator (different than the ULID) as the Before a host can use a locator (different than the ULID) as the
source locator, it must know that the peer will accept packets with source locator, it must know that the peer will accept packets with
that source locator as being part of this context. The peer might that source locator as being part of this context. Thus the HBA and
wish to do some verification of the locator before accepting it as a CGA verification SHOULD be performed by the host before the host
source address. This document does not require any such acknowledges the new locator, by sending an Update Acknowledgement
verification. But if it is done by a host, in all cases such message, or an R2 message.
verification need to be finished before the host acknowledges the new
locator, by sending an Update Acknowledgement message, R2 an message.
Before a host can use a locator (different than the ULID) as the Before a host can use a locator (different than the ULID) as the
destination locator it must perform the full verification of the destination locator it MUST perform the HBA/CGA verification if this
locator. This includes both verifying it using HBA/CGA, and was not performed before upon the reception of the locator set. In
verifying that the ULID is indeed reachable at the locator. The addition, it MUST verify that the ULID is indeed present at that
latter in order to prevent 3rd party flooding attacks. locator. This verification is performed by doing a return-
routability test as part of the Probe sub-protocol [20].
If the verification method in the Locator List option is not
supported by the host, or if the verification method is not
consistent with what it in the CGA Parameter Data Structure (e.g.,
the PDS doesn't contain the multiprefix extension, and the
verification method says to use HBA), then the host MUST ignore the
Locator List and the packet in which it is contained, and the host
SHOULD generates an ICMP parameter problem (type 4, code 0), with the
Pointer referencing the octet in the Verification method that was
found inconsistent.
5. Message Formats 5. Message Formats
The shim6 messages are all carried using a new IP protocol number TBD The shim6 messages are all carried using a new IP protocol number [to
[to be assigned by IANA]. The shim6 messages have a common header, be assigned by IANA]. The shim6 messages have a common header,
defined below, with some fixed fields, followed by type specific defined below, with some fixed fields, followed by type specific
fields. fields.
The shim6 messages are structured as an IPv6 extension header since The shim6 messages are structured as an IPv6 extension header since
the Payload Message is used to carry the ULP packets after a locator the Payload extension header is used to carry the ULP packets after a
switch. The shim6 control messages use the same extension header locator switch. The shim6 control messages use the same extension
formats so that a single "protocol number" needs to be allowed header formats so that a single "protocol number" needs to be allowed
through firewalls in order for shim6 to function across the firewall. through firewalls in order for shim6 to function across the firewall.
5.1 Common shim6 Message Format 5.1 Common shim6 Message Format
The first 17 bits of the shim6 header is common for the Payload The first 17 bits of the shim6 header is common for the Payload
Message and the control messages and looks as follows: extension header and the control messages and looks as follows:
0 1 0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Hdr Ext Len |P| | Next Header | Hdr Ext Len |P|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: The payload which follows this header. Next Header: The payload which follows this header.
Hdr Ext Len: 8-bit unsigned integer. Length of the shim6 header in Hdr Ext Len: 8-bit unsigned integer. Length of the shim6 header in
8-octet units, not including the first 8 octets. 8-octet units, not including the first 8 octets.
P: A single bit to distinguish Payload messages from P: A single bit to distinguish Payload extension headers
control messages. from control messages.
5.2 Payload Message Format
The payload message is used to carry ULP packets where the receiver 5.2 Payload Extension Header Format
must replace the content of the source and or destination fields in
the IPv6 header before passing the packet to the ULP. Thus this
extension header is included when the locators pair that is used is
not the same as the ULID pair.
Since the shim is placed between the IP endpoint sub-layer and the IP The payload extension headers is used to carry ULP packets where the
routing sub-layer in the host, the shim header will be placed before receiver must replace the content of the source and/or destination
any endpoint extension headers (fragmentation headers, destination fields in the IPv6 header before passing the packet to the ULP. Thus
options header, AH, ESP), but after any routing related headers (hop- this extension header is included when the locators pair that is used
by-hop extensions header, routing header, a destinations options is not the same as the ULID pair.
header which precedes a routing header). When tunneling is used,
whether IP-in-IP tunneling or the special form of tunneling that
Mobile IPv6 uses (with Home Address Options and Routing header type
2), there is a choice whether the shim applies inside the tunnel or
outside the tunnel, which effects the location of the shim6 header.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | 0 |1| Reserved | | Next Header | 0 |1| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Receiver Context Tag | | Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: The payload which follows this header. Next Header: The payload which follows this header.
Hdr Ext Len: 0 (since the header is 8 octets). Hdr Ext Len: 0 (since the header is 8 octets).
P: Set to one. A single bit to distinguish this from the P: Set to one. A single bit to distinguish this from the
shim6 control messages. shim6 control messages.
Reserved: Reserved for future use. Zero on transmit. MUST be
ignored on receipt. Receiver Context Tag: 47-bit unsigned integer. Allocated by the
Receiver Context Tag: 32-bit unsigned integer. Allocated by the receiver for use to identify the context.
receiver for use to identify the context (together
with the source and destination locators).
5.3 Common Shim6 Control header 5.3 Common Shim6 Control header
The common part of the header has a next header and header extension The common part of the header has a next header and header extension
length field which is consistent with the other IPv6 extension length field which is consistent with the other IPv6 extension
headers, even if the next header value is always "NO NEXT HEADER" for headers, even if the next header value is always "NO NEXT HEADER" for
the control messages; only the payload messages use the Next Header the control messages; only the payload extension header use the Next
field. Header field.
The shim6 headers must be a multiple of 8 octets, hence the minimum The shim6 headers must be a multiple of 8 octets, hence the minimum
size is 8 octets. size is 8 octets.
The common message header is as follows: The common shim control message header is as follows:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Hdr Ext Len |0| Type |Type specific|0| | Next Header | Hdr Ext Len |0| Type |Type-specific|0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | | | Checksum | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Type specific format | | Type-specific format |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: 8-bit selector. Normally set to NO_NXT_HDR (59). Next Header: 8-bit selector. Normally set to NO_NXT_HDR (59).
Indicates the next header value for the shim6 payload
messages.
Hdr Ext Len: 8-bit unsigned integer. Length of the shim6 header in Hdr Ext Len: 8-bit unsigned integer. Length of the shim6 header in
8-octet units, not including the first 8 octets. 8-octet units, not including the first 8 octets.
P: Set to zero. A single bit to distinguish this from P: Set to zero. A single bit to distinguish this from
the shim6 payload messages. the shim6 payload extension header.
Type: 7-bit unsigned integer. Identifies the actual message Type: 7-bit unsigned integer. Identifies the actual message
from the table below. from the table below. Type codes 0-63 will not
trigger R1bis messages on a missing context, while 64-
127 will trigger R1bis.
0: A single bit (set to zero) which allows shim6 and HIP 0: A single bit (set to zero) which allows shim6 and HIP
to have a common header format yet telling shim6 and to have a common header format yet telling shim6 and
HIP messages apart. HIP messages apart.
Checksum: 16-bit unsigned integer. The checksum is the 16-bit Checksum: 16-bit unsigned integer. The checksum is the 16-bit
one's complement of the one's complement sum of the one's complement of the one's complement sum of the
entire shim6 header message starting with the shim6 entire shim6 header message starting with the shim6
next header field, and ending as indicated by the Hdr next header field, and ending as indicated by the Hdr
Ext Len. Thus when there is a payload following the Ext Len. Thus when there is a payload following the
shim6 header, the payload is NOT included in the shim6 shim6 header, the payload is NOT included in the shim6
checksum. checksum. Note that unlike protocol like ICMPv6,
there is no pseudo-header checksum part of the
checksum, in order to provide locator agility without
having to change the checksum.
Type-specific: Part of message that is different for different
message types.
+------------+-----------------------------------------------------+ +------------+-----------------------------------------------------+
| Type Value | Message | | Type Value | Message |
+------------+-----------------------------------------------------+ +------------+-----------------------------------------------------+
| 1 | I1 (first establishment message from the initiator) | | 1 | I1 (first establishment message from the initiator) |
| | |
| 2 | R1 (first establishment message from the responder) | | 2 | R1 (first establishment message from the responder) |
| | |
| 3 | I2 (2nd establishment message from the initiator) | | 3 | I2 (2nd establishment message from the initiator) |
| | |
| 4 | R2 (2nd establishment message from the responder) | | 4 | R2 (2nd establishment message from the responder) |
| 5 | No Context Error | | | |
| 6 | Update Request | | 5 | R1bis (Reply to reference to non-existent context) |
| 7 | Update Acknowledgement | | | |
| 8 | Reachability Probe | | 6 | I2bis (Reply to a R1bis message) |
| 9 | Reachability Reply | | | |
| 10 | Keepalive | | 64 | Update Request |
| 11 | SHIM6 Probe Message | | | |
| 65 | Update Acknowledgement |
| | |
| 66 | Keepalive |
| | |
| 67 | Probe Message |
+------------+-----------------------------------------------------+ +------------+-----------------------------------------------------+
Table 1 Table 1
5.4 I1 Message Format 5.4 I1 Message Format
The I1 message is the first message in the context establishment The I1 message is the first message in the context establishment
exchange. exchange.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 1 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 1 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Reserved2 | | Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Initiator Context Tag | | Initiator Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce | | Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Options + + Options +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: NO_NXT_HDR (59). Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets when there
are no options.
Type: 1 Type: 1
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Initiator Context Tag: 32-bit field. The Context Tag the initiator
Initiator Context Tag: 47-bit field. The Context Tag the initiator
has allocated for the context. has allocated for the context.
Initiator Nonce: 32-bit unsigned integer. A random number picked by Initiator Nonce: 32-bit unsigned integer. A random number picked by
the initiator which the responder will return in the the initiator which the responder will return in the
R1 message. R1 message.
The following options are allowed in the message: The following options are defined for this message:
ULID pair: TBD Do we need to carry the ULIDs, or assume they are
the same as the address fields in the IPv6 header? ULID pair: When the IPv6 source and destination addresses in the
Depends on how we handle failures during initial IPv6 header does not match the ULID pair, this option
contact. We also need it to be able to reestablish MUST be included. An example of this is when
the host-pair context after a failure when one end has recovering from a lost context.
lost the context state.
Forked Instance Identifier: When another instance of an existent
context with the same ULID pair is being created, a
Forked Instance Identifier option is included to
distinguish this new instance from the existent one.
5.5 R1 Message Format 5.5 R1 Message Format
The R1 message is the second message in the context establishment The R1 message is the second message in the context establishment
exchange. The responder sends this in response to an I1 message, exchange. The responder sends this in response to an I1 message,
without creating any state specific to the initiator. without creating any state specific to the initiator.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 20, line 44 skipping to change at page 29, line 22
| Initiator Nonce | | Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Responder Nonce | | Responder Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Options + + Options +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: NO_NXT_HDR (59). Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets when there
are no options.
Type: 2 Type: 2
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on Reserved2: 16-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Initiator Nonce: 32-bit unsigned integer. Copied from the I1 Initiator Nonce: 32-bit unsigned integer. Copied from the I1
message. message.
Responder Nonce: 32-bit unsigned integer. A number picked by the Responder Nonce: 32-bit unsigned integer. A number picked by the
responder which the initiator will return in the I2 responder which the initiator will return in the I2
message. message.
The following options are allowed in the message: The following options are defined for this message:
Responder Validator: Variable length option. Typically a hash Responder Validator: Variable length option. Typically a hash
generated by the responder, which the responder uses generated by the responder, which the responder uses
together with the Responder Nonce value to verify that together with the Responder Nonce value to verify that
an I2 message is indeed sent in response to a R1 an I2 message is indeed sent in response to a R1
message, and that the parameters in the I2 message are message, and that the parameters in the I2 message are
the same as those in the I1 message. the same as those in the I1 message.
5.6 I2 Message Format 5.6 I2 Message Format
The I2 message is the third message in the context establishment The I2 message is the third message in the context establishment
exchange. The initiator sends this in response to a R1 message, exchange. The initiator sends this in response to a R1 message,
after checking the Initiator Nonce, etc. after checking the Initiator Nonce, etc.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 3 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 3 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Reserved2 | | Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Initiator Context Tag | | Initiator Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce | | Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Responder Nonce | | Responder Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Options + + Options +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: NO_NXT_HDR (59). Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 2, since the header is 24 octets when there
are no options.
Type: 3 Type: 3
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on
R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Initiator Context Tag: 32-bit field. The Context Tag the initiator Initiator Context Tag: 47-bit field. The Context Tag the initiator
has allocated for the context. has allocated for the context.
Initiator Nonce: 32-bit unsigned integer. A random number picked by Initiator Nonce: 32-bit unsigned integer. A random number picked by
the initiator which the responder will return in the the initiator which the responder will return in the
R2 message. R2 message.
Responder Nonce: 32-bit unsigned integer. Copied from the R1 Responder Nonce: 32-bit unsigned integer. Copied from the R1
message. message.
The following options are allowed in the message: Reserved2: 32-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. (Needed to
make the options start on a multiple of 8 octet
boundary.)
The following options are defined for this message:
Responder Validator: Variable length option. Just a copy of the Responder Validator: Variable length option. Just a copy of the
Validator option in the R1 message. Validator option in the R1 message.
ULID pair: TBD Do we need to carry the ULIDs, or assume they are
the same as the address fields in the IPv6 header? We ULID pair: When the IPv6 source and destination addresses in the
also need it to be able to reestablish the host-pair IPv6 header does not match the ULID pair, this option
context after a failure when one end has lost the MUST be included. An example of this is when
context state. recovering from a lost context.
Forked Instance Identifier: When another instance of an existent
context with the same ULID pair is being created, a
Forked Instance Identifier option is included to
distinguish this new instance from the existent one.
Locator list: Optionally sent when the initiator immediately wants Locator list: Optionally sent when the initiator immediately wants
to tell the responder its list of locators. When it to tell the responder its list of locators. When it
is sent, the necessary HBA/CGA information for is sent, the necessary HBA/CGA information for
validating the locator list MUST also be included. validating the locator list MUST also be included.
Locator Preferences: Optionally sent when the locators don't all have Locator Preferences: Optionally sent when the locators don't all have
equal preference. equal preference.
CGA Parameter Data Structure: Included when the locator list is CGA Parameter Data Structure: Included when the locator list is
included so the receiver can verify the locator list. included so the receiver can verify the locator list.
CGA Signature: Included when the some of the locators in the list use CGA Signature: Included when the some of the locators in the list use
CGA (and not HBA) for validation. CGA (and not HBA) for validation.
5.7 R2 Message Format 5.7 R2 Message Format
The R2 message is the fourth message in the context establishment The R2 message is the fourth message in the context establishment
exchange. The responder sends this in response to an I2 message. exchange. The responder sends this in response to an I2 message.
The R2 message is also used when both hosts send I1 messages at the The R2 message is also used when both hosts send I1 messages at the
same time and the I1 messages cross in flight. same time and the I1 messages cross in flight.
skipping to change at page 22, line 44 skipping to change at page 32, line 10
The R2 message is the fourth message in the context establishment The R2 message is the fourth message in the context establishment
exchange. The responder sends this in response to an I2 message. exchange. The responder sends this in response to an I2 message.
The R2 message is also used when both hosts send I1 messages at the The R2 message is also used when both hosts send I1 messages at the
same time and the I1 messages cross in flight. same time and the I1 messages cross in flight.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 4 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 4 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Reserved2 | | Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Responder Context Tag | | Responder Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce | | Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Options + + Options +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
skipping to change at page 23, line 7 skipping to change at page 32, line 22
| Responder Context Tag | | Responder Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce | | Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Options + + Options +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: NO_NXT_HDR (59). Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets when there
are no options.
Type: 4 Type: 4
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on
R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Responder Context Tag: 32-bit field. The Context Tag the responder
Responder Context Tag: 47-bit field. The Context Tag the responder
has allocated for the context. has allocated for the context.
Initiator Nonce: 32-bit unsigned integer. Copied from the I2 Initiator Nonce: 32-bit unsigned integer. Copied from the I2
message. message.
The following options are allowed in the message: The following options are defined for this message:
Locator List: Optionally sent when the responder immediately wants Locator List: Optionally sent when the responder immediately wants
to tell the initiator its list of locators. When it to tell the initiator its list of locators. When it
is sent, the necessary HBA/CGA information for is sent, the necessary HBA/CGA information for
validating the locator list MUST also be included. validating the locator list MUST also be included.
Locator Preferences: Optionally sent when the locators don't all have Locator Preferences: Optionally sent when the locators don't all have
equal preference. equal preference.
CGA Parameter Data Structure: Included when the locator list is CGA Parameter Data Structure: Included when the locator list is
included so the receiver can verify the locator list. included so the receiver can verify the locator list.
CGA Signature: Included when the some of the locators in the list use CGA Signature: Included when the some of the locators in the list use
CGA (and not HBA) for validation. CGA (and not HBA) for validation.
5.8 No Context Error Message Format 5.8 R1bis Message Format
Should a host receive a packet with a shim Payload message or shim6 Should a host receive a packet with a shim Payload extension header
control message, such a a locator update, and the host does not have or shim6 control message with type code 64-127 (such as an Update or
any context state for the locators (in the IPv6 source and Probe message), and the host does not have any context state for the
destination fields) and the context tag, then it will generate a No locators (in the IPv6 source and destination fields) and the context
Context Error. The error includes the packet that was received, tag, then it will generate a R1bis packet.
subject to the packet not exceeding 1280 octets.
This packet allows the sender of the packet referring to the non-
existent context to re-establish the context with a reduced packet
exchange. Upon the reception of the R1bis packet, the receiver can
proceed reestablishing the lost context by directly sending an I2bis
message.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 5 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 5 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Reserved2 | | Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Packet Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Responder Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Options + + Options +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: NO_NXT_HDR (59). Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets when there
are no options.
Type: 5 Type: 5
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on
R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
The following options are allowed in the message: Packet Context Tag: 47-bit unsigned integer. The context tag
Packet in Error: Variable length option containing the IPv6 packet contained in the received packet that triggered the
that was in error, starting with the IPv6 header, and generation of the R1bis packet.
normally containing the full packet. If the resulting
No Context Error message would exceed 1280 octets, the
Packet In Error option will not include the full
packet in error in order to limit the error to 1280
octets.
5.9 Update Request Message Format Responder Nonce: 32-bit unsigned integer. A number picked by the
responder which the initiator will return in the I2bis
message.
The Update Request Message is used to update either the list or The following options are defined for this message:
locators, the locator preferences, and both. When the list of
locators is updated, the message also contains the option(s)
necessary for HBA/CGA to secure this. The basic sanity check that
prevents off-path attackers from generating bogus updates is the
context tag in the message.
The update message contains options (the Locator List and the Locator Responder Validator: Variable length option. Typically a hash
Preferences) that, when included, completely replace the previous generated by the responder, which the responder uses
locator list and locator preferences, respectively. Thus there is no together with the Responder Nonce value to verify that
mechanisms to just send deltas to the locator list. an I2bis message is indeed sent in response to a R1bis
message.
5.9 I2bis Message Format
The I2bis message is the third message in the context recovery
exchange. This is sent in response to a R1bis message, after
checking that the R1bis message refers to an existing context, etc.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 6 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 6 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Reserved2 | | Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Initiator Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Receiver Context Tag | | Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Nonce | | Responder Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved2 |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Packet Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Options + + Options +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: NO_NXT_HDR (59). Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 3, since the header is 32 octets when there
are no options.
Type: 6 Type: 6
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on
R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Receiver Context Tag: 32-bit field. The Context Tag the receiver has
allocated for the context.
Request Nonce: 32-bit unsigned integer. A random number picked by
the initiator which the peer will return in the
acknowledgement message.
The following options are allowed in the message: Initiator Context Tag: 47-bit field. The Context Tag the initiator
Locator List: The list of the senders (new) locators. The locators has allocated for the context.
might be unchanged and only the preferences have
changed.
Locator Preferences: Optionally sent when the locators don't all have
equal preference.
CGA Signature: Included when the some of the locators in the list use
CGA (and not HBA) for validation.
5.10 Update Acknowledgement Message Format Initiator Nonce: 32-bit unsigned integer. A random number picked by
the initiator which the responder will return in the
R2 message.
This message is sent in response to a Update Request message. It Responder Nonce: 32-bit unsigned integer. Copied from the R1bis
implies that the Update Request has been received, and that any new message.
locators in the Update Request can now be used as the source locators
of packets. But it does not imply that the (new) locators have been
verified to be used as a destination, since the host might defer the
verification of a locator until it sees a need to use a locator as
the destination.
0 1 2 3 Reserved2: 49-bit field. Reserved for future use. Zero on
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 transmit. MUST be ignored on receipt. (Note that 17
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ bits are not sufficient since the options need start
| 59 | Hdr Ext Len |0| Type = 7 | Reserved1 |0| on a multiple of 8 octet boundary.)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Packet Context Tag: 47-bit unsigned integer. Copied from the Packet
Context Tag contained in the received R1bis.
Next Header: NO_NXT_HDR (59). The following options are defined for this message:
Type: 7
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Receiver Context Tag: 32-bit field. The Context Tag the receiver has
allocated for the context.
Request Nonce: 32-bit unsigned integer. Copied from the Update
Request message.
No options are currently defined for this message. Responder Validator: Variable length option. Just a copy of the
Validator option in the R1bis message.
5.11 Reachability Probe Message Format ULID pair: When the IPv6 source and destination addresses in the
IPv6 header does not match the ULID pair, this option
MUST be included.
TBD: Given [8] we do not need this message any more. Forked Instance Identifier: When another instance of an existent
context with the same ULID pair is being created, a
Forked Instance Identifier option is included to
distinguish this new instance from the existent one.
The Reachability Probe message is used to prevent 3rd party DoS Locator list: Optionally sent when the initiator immediately wants
attacks, and can also be used to verify whether a context is to tell the responder its list of locators. When it
reachable at a given locator should that be needed for the general is sent, the necessary HBA/CGA information for
reachability detection mechanism (e.g., if we pick the CUD mechanism validating the locator list MUST also be included.
where one end sends probes and expects a reply).
Before a host uses a locator for the peer that is different than the Locator Preferences: Optionally sent when the locators don't all have
ULID, it needs to verify that the peer is indeed present at that equal preference.
locator by sending a Context Verify and receiving an acknowledgement.
This message includes the ULID pair as well as the context tag, so CGA Parameter Data Structure: Included when the locator list is
that the peer can indeed verify that it has that ULID and that the included so the receiver can verify the locator list.
context tag is correct.
CGA Signature: Included when the some of the locators in the list use
CGA (and not HBA) for validation.
5.10 Update Request Message Format
The Update Request Message is used to update either the list or
locators, the locator preferences, and both. When the list of
locators is updated, the message also contains the option(s)
necessary for HBA/CGA to secure this. The basic sanity check that
prevents off-path attackers from generating bogus updates is the
context tag in the message.
The update message contains options (the Locator List and the Locator
Preferences) that, when included, completely replace the previous
locator list and locator preferences, respectively. Thus there is no
mechanism to just send deltas to the locator list.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 8 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 64 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Receiver Context Tag | | Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Nonce | | Request Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Options + + Options +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: NO_NXT_HDR (59). Next Header: NO_NXT_HDR (59).
Type: 8
Hdr Ext Len: At least 1, since the header is 16 octets when there
are no options.
Type: 64
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on
R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Receiver Context Tag: 32-bit field. The Context Tag the receiver has
Receiver Context Tag: 47-bit field. The Context Tag the receiver has
allocated for the context. allocated for the context.
Request Nonce: 32-bit unsigned integer. A random number picked by Request Nonce: 32-bit unsigned integer. A random number picked by
the initiator which the responder will return in the the initiator which the peer will return in the
acknowledgement message. acknowledgement message.
The following options are allowed in the message: The following options are defined for this message:
ULID pair: The ULID pair that is being probed.
5.12 Reachability Reply Message Format Locator List: The list of the sender's (new) locators. The locators
might be unchanged and only the preferences have
changed.
TBD: Given [8] we do not need this message any more. Locator Preferences: Optionally sent when the locators don't all have
equal preference.
This is sent in response to a Reachability Probe message. Although, CGA Parameter Data Structure: Included when the locator list is
if the receiver of the Reachability Probe does not have a matching included and the PDS was not included in the
context it will send a No Context Error message. I2/I2bis/R2 messages, so the receiver can verify the
locator list.
CGA Signature: Included when the some of the locators in the list use
CGA (and not HBA) for validation.
5.11 Update Acknowledgement Message Format
This message is sent in response to a Update Request message. It
implies that the Update Request has been received, and that any new
locators in the Update Request can now be used as the source locators
of packets. But it does not imply that the (new) locators have been
verified to be used as a destination, since the host might defer the
verification of a locator until it sees a need to use a locator as
the destination.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 9 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 65 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Receiver Context Tag | | Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Nonce | | Request Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Options + + Options +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
skipping to change at page 27, line 45 skipping to change at page 38, line 47
| Receiver Context Tag | | Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Nonce | | Request Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Options + + Options +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: NO_NXT_HDR (59). Next Header: NO_NXT_HDR (59).
Type: 9
Hdr Ext Len: At least 1, since the header is 16 octets when there
are no options.
Type: 65
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Receiver Context Tag: 32-bit field. The Context Tag the receiver has
allocated for the context.
Request Nonce: 32-bit unsigned integer. Copied from the request
message.
The following options are allowed in the message: Receiver Context Tag: 47-bit field. The Context Tag the receiver has
ULID pair: The ULID pair that is being probed. Copied from the allocated for the context.
Probe message.
5.13 Keepalive Message Format Request Nonce: 32-bit unsigned integer. Copied from the Update
Request message.
TBD: Given [8] we do not need this message any more. No options are currently defined for this message.
The keepalive message would be used if we decide to do the Force 5.12 Keepalive Message Format
Bidirectional communication as a way to get verification that the
locator pair continues to work. If we are not going to do FBD we
probably will not need this message.
0 1 2 3 This message format is defined in [9].
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 10 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: The message is used to ensure that when a peer is sending ULP packets
Next Header: NO_NXT_HDR (59). on a context, it always receives some packets in the reverse
Type: 10 direction. When the ULP is sending bidirectional traffic, no extra
Reserved1: 7-bit field. Reserved for future use. Zero on packets need to be inserted. But for a unidirectional ULP traffic
transmit. MUST be ignored on receipt. pattern, the shim will send back some Keepalive messages when it is
Reserved2: 16-bit field. Reserved for future use. Zero on receiving ULP packets.
transmit. MUST be ignored on receipt.
Receiver Context Tag: 32-bit field. The Context Tag the receiver has
allocated for the context.
Request Nonce: 32-bit unsigned integer. Copied from the Reachability 5.13 Probe Message Format
Probe message.
No options are currently defined for this message. This message and its semantics are defined in [9].
5.14 SHIM6 Probe Message Format The idea behind that mechanism is to be able to handle the case when
one locator pair works in from A to B, and another locator pair works
from B to A, but there is no locator pair which works in both
directions. The protocol mechanism is that as A is sending probe
messages to B, B will observe which locator pairs it has received
from and report that back in probe messages it is sending to A.
This message and its semantics are defined in [8]. The idea behind 5.14 Option Formats
that mechanism is to be able to handle the case when one locator pair
works in from A to B, and another locator pair works from B to A, but
there is no locator pair which works in both directions. The
protocol mechanism is that as A is sending probe messages to B, B
will observe which locator pairs it has received from and report that
back in probe messages it is sending to A.
5.15 Option Formats The format of the options is a snapshot of the current HIP option
format [26]. However, there is no intend to track any changes to the
HIP option format, nor is there an intent to use the same name space
for the option type values. But using the same format will hopefully
make it easier to import HIP capabilities into shim6 as extensions to
shim6, should this turn out to be useful.
All of the TLV parameters have a length (including Type and Length All of the TLV parameters have a length (including Type and Length
fields) which is a multiple of 8 bytes. When needed, padding MUST be fields) which is a multiple of 8 bytes. When needed, padding MUST be
added to the end of the parameter so that the total length becomes a added to the end of the parameter so that the total length becomes a
multiple of 8 bytes. This rule ensures proper alignment of data. If multiple of 8 bytes. This rule ensures proper alignment of data. If
padding is added, the Length field MUST NOT include the padding. Any padding is added, the Length field MUST NOT include the padding. Any
added padding bytes MUST be zeroed by the sender, and their values added padding bytes MUST be zeroed by the sender, and their values
SHOULD NOT be checked by the receiver. SHOULD NOT be checked by the receiver.
Consequently, the Length field indicates the length of the Contents Consequently, the Length field indicates the length of the Contents
skipping to change at page 29, line 42 skipping to change at page 40, line 26
Type, Length, Contents, and Padding) is related to the Length field Type, Length, Contents, and Padding) is related to the Length field
according to the following formula: according to the following formula:
Total Length = 11 + Length - (Length + 3) % 8; Total Length = 11 + Length - (Length + 3) % 8;
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type |C| Length | | Type |C| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | ~ ~
/ Contents / ~ Contents ~
/ +-+-+-+-+-+-+-+-+ ~ +-+-+-+-+-+-+-+-+
| | Padding | ~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Type: 15-bit identifier of the type of option. The options Type: 15-bit identifier of the type of option. The options
defined in this document are below. defined in this document are below.
C: Critical. One if this parameter is critical, and MUST C: Critical. One if this parameter is critical, and MUST
be recognized by the recipient, zero otherwise. An be recognized by the recipient, zero otherwise. An
implementation might view the C bit as part of the implementation might view the C bit as part of the
Type field, by multiplying the type values in this Type field, by multiplying the type values in this
specification by two. specification by two.
Length: Length of the Contents, in bytes. Length: Length of the Contents, in bytes.
Contents: Parameter specific, defined by Type. Contents: Parameter specific, defined by Type.
Padding: Padding, 0-7 bytes, added if needed. Padding: Padding, 0-7 bytes, added if needed.
+------------------------------+------+ +------+---------------------------------+
| Option Name | Type | | Type | Option Name |
+------------------------------+------+ +------+---------------------------------+
| Validator | 1 | | 1 | Validator |
| Locator List | 2 | | | |
| Locator Preferences | 3 | | 2 | Locator List |
| CGA Parameter Data Structure | 4 | | | |
| CGA Signature | 5 | | 3 | Locator Preferences |
| ULID Pair | 6 | | | |
| Packet In Error | 7 | | 4 | CGA Parameter Data Structure |
| SHIM6 Event Option | 8 | | | |
+------------------------------+------+ | 5 | CGA Signature |
| | |
| 6 | ULID Pair |
| | |
| 7 | Forked Instance Identifier |
| | |
| 10 | Probe Option |
| | |
| 11 | Reachability Option |
| | |
| 12 | Payload Reception Report Option |
+------+---------------------------------+
Table 2 Table 2
5.15.1 Validator Option Format 5.14.1 Validator Option Format
The responder can choose exactly what input uses to compute the The responder can choose exactly what input uses to compute the
validator, and what one-way function (MD5, SHA1) it uses, as long as validator, and what one-way function (MD5, SHA1) it uses, as long as
the responder can verify that the validator it receives back in the the responder can verify that the validator it receives back in the
I2 message is indeed one that 1) it computed, 2) it computed for the I2 or I2bis message is indeed one that:
particular context, and 3) that it isn't a replayed I2 message.
1)- it computed,
2)- it computed for the particular context, and
3)- that it isn't a replayed I2/I2bis message.
Some suggestions on how to generate the validators are captured in
Section 7.7.1 and Section 7.14.1.
One way for the responder to do this is to maintain a single secret
(S) and a running counter for the Responder Nonce. For each I1
message, the responder can then increase the counter, use the counter
value as the responder nonce, and use the following information as
input to the one-way function:
o The the secret S
o That Responder Nonce
o The Initiator Context Tag from the I1 message
o The ULIDs from the I1 message
o The locators from the I1 message (strictly only needed if they are
different from the ULIDs)
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 1 |0| Length | | Type = 1 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Validator ~ ~ Validator ~
~ +-+-+-+-+-+-+-+-+
~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Validator: Variable length content whose interpretation is local Validator: Variable length content whose interpretation is local
to the responder. to the responder.
5.15.2 Locator List Option Format Padding: Padding, 0-7 bytes, added if needed. See
Section 5.14.
5.14.2 Locator List Option Format
The Locator List Option is used to carry all the locators of the The Locator List Option is used to carry all the locators of the
sender. Note that the order of the locators is important, since the sender. Note that the order of the locators is important, since the
Locator Preferences refers to the locators by using the index in the Locator Preferences refers to the locators by using the index in the
list. list.
Note that we carry all the locators in this option even though some Note that we carry all the locators in this option even though some
of them can be created automatically from the CGA Parameter Data of them can be created automatically from the CGA Parameter Data
Structure. Structure.
TBD: We can get a simpler format if we split this into two options:
one with the locators and one with just the verification methods.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 2 |0| Length | | Type = 2 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Locator List Generation | | Locator List Generation |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Num Locators | N Octets of Verification Method | | Num Locators | N Octets of Verification Method |
+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+ |
~ ~ ~ ~
~ +-+-+-+-+-+-+-+-+
~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Locators 1 through N ~ ~ Locators 1 through N ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Locator List Generation: 32-bit unsigned integer. Indicates a Locator List Generation: 32-bit unsigned integer. Indicates a
generation number which is increased by one for each generation number which is increased by one for each
new locator list. This is used to ensure that the new locator list. This is used to ensure that the
index in the Locator Preferences refer to the right index in the Locator Preferences refer to the right
version of the locator list. version of the locator list.
Num Locators: 8-bit unsigned integer. The number of locators that Num Locators: 8-bit unsigned integer. The number of locators that
are included in the option. We call this number "N" are included in the option. We call this number "N"
below. below.
Verification Method: N octets. The i'th octet specifies the Verification Method: N octets. The i'th octet specifies the
verification method for the i'th locator. verification method for the i'th locator.
Padding: Padding, 0-7 bytes, added if needed so that the
Locators start on a multiple of 8 octet boundary.
NOTE that for this option there is never a need to pad
at the end, since the locators are a multiple of 8
octets in length. This internal padding is included
in the length field.
Locators: N 128-bit locators. Locators: N 128-bit locators.
The defined verification methods are: The defined verification methods are:
+-------+----------+ +-------+----------+
| Value | Method | | Value | Method |
+-------+----------+ +-------+----------+
| 0 | Reserved | | 0 | Reserved |
| | |
| 1 | HBA | | 1 | HBA |
| | |
| 2 | CGA | | 2 | CGA |
| | |
| 3-255 | Reserved | | 3-255 | Reserved |
+-------+----------+ +-------+----------+
Table 3 Table 3
5.15.3 Locator Preferences Option Format 5.14.3 Locator Preferences Option Format
The Locator Preferences option can have some flags to indicate The Locator Preferences option can have some flags to indicate
whether or not a locator is known to work. In addition, the sender whether or not a locator is known to work. In addition, the sender
can include a notion of preferences. It might make sense to define can include a notion of preferences. It might make sense to define
"preferences" as a combination of priority and weight the same way "preferences" as a combination of priority and weight the same way
that DNS SRV records has such information. The priority would that DNS SRV records has such information. The priority would
provide a way to rank the locators, and within a given priority, the provide a way to rank the locators, and within a given priority, the
weight would provide a way to do some load sharing. See [9] for how weight would provide a way to do some load sharing. See [10] for how
SRV defines the interaction of priority and weight. SRV defines the interaction of priority and weight.
The minimum notion of preferences we need is to be able to indicate The minimum notion of preferences we need is to be able to indicate
that a locator is "dead". We can handle this using a single octet that a locator is "dead". We can handle this using a single octet
flag for each locator. flag for each locator.
We can extend that by carrying a larger "element" for each locator. We can extend that by carrying a larger "element" for each locator.
This document presently also defines 2-octet and 3-octet elements, This document presently also defines 2-octet and 3-octet elements,
and we can add more information by having even larger elements if and we can add more information by having even larger elements if
need be. need be.
skipping to change at page 33, line 15 skipping to change at page 44, line 31
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 3 |0| Length | | Type = 3 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Locator List Generation | | Locator List Generation |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Element Len | Element[1] | Element[2] | Element[3] | | Element Len | Element[1] | Element[2] | Element[3] |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ... ~ ~ ... ~
~ +-+-+-+-+-+-+-+-+
~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Case of Element Len = 1 is depicted. Case of Element Len = 1 is depicted.
Fields: Fields:
Locator List Generation: 32-bit unsigned integer. Indicates a Locator List Generation: 32-bit unsigned integer. Indicates a
generation number for the locator list to which the generation number for the locator list to which the
elements should apply. elements should apply.
Element Len: 8-bit unsigned integer. The length in octets of each Element Len: 8-bit unsigned integer. The length in octets of each
element. This draft defines the cases when the length element. This draft defines the cases when the length
is 1, 2, or 3. is 1, 2, or 3.
Element[i]: A field with a number of octets defined by the Element Element[i]: A field with a number of octets defined by the Element
Len field. Provides preferences for the i'th locator Len field. Provides preferences for the i'th locator
in the Locator List option that is in use. in the Locator List option that is in use.
Padding: Padding, 0-7 bytes, added if needed. See
Section 5.14.
When the Element length equals one, then the element consists of only When the Element length equals one, then the element consists of only
a flags field. The set of flags is TBD: Assume there will be two a one octet flags field. The currently defined set of flags are:
initially: BROKEN and TEMPORARY. The intent of the latter is to
allow the distinction between more stable addresses and less stable
addresses when shim6 is combined with IP mobility, when we might have
more stable home locators, and less stable care-of-locators.
When the Element length equals two, the the element consists of a 1 BROKEN: 0x01
TEMPORARY: 0x02
The intent of TEMPORARY is to allow the distinction between more
stable addresses and less stable addresses when shim6 is combined
with IP mobility, when we might have more stable home locators, and
less stable care-of-locators.
When the Element length equals two, then the element consists of a 1
octet flags field followed by a 1 octet priority field. The priority octet flags field followed by a 1 octet priority field. The priority
has the same semantics as the priority in DNS SRV records. has the same semantics as the priority in DNS SRV records.
When the Element length equals three, the the element consists of a 1 When the Element length equals three, then the element consists of a
octet flags field followed by a 1 octet priority field, and a 1 octet 1 octet flags field followed by a 1 octet priority field, and a 1
weight field. The weight has the same semantics as the weight in DNS octet weight field. The weight has the same semantics as the weight
SRV records. in DNS SRV records.
5.15.4 CGA Parameter Data Structure Option Format 5.14.4 CGA Parameter Data Structure Option Format
This option contains the CGA parameter data structure (hereafter This option contains the CGA parameter data structure (hereafter
called the PDS). When HBA is used to validate the locators, the PDS called the PDS). When HBA is used to validate the locators, the PDS
contains the HBA multiprefix extension. When CGA is used to validate contains the HBA multiprefix extension. When CGA is used to validate
the locators, in addition to the CGA PDS, the signature will need to the locators, in addition to the CGA PDS, the signature will need to
be included as a CGA Signature option. be included as a CGA Signature option.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 4 |0| Length | | Type = 4 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ CGA Parameter Data Structure ~ ~ CGA Parameter Data Structure ~
~ +-+-+-+-+-+-+-+-+
~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
CGA Parameter Data Structure: Variable length content. Content CGA Parameter Data Structure: Variable length content. Content
defined in [5] and [6]. defined in [6] and [7].
5.15.5 CGA Signature Option Format Padding: Padding, 0-7 bytes, added if needed. See
Section 5.14.
5.14.5 CGA Signature Option Format
When CGA is used for validation of one or more of the locators in the When CGA is used for validation of one or more of the locators in the
PDS, then the message in question will need to contain this option. Locator List option, then the message in question will need to
contain this option.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 5 |0| Length | | Type = 5 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ CGA Signature ~ ~ CGA Signature ~
~ +-+-+-+-+-+-+-+-+
~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
CGA Signature: A variable-length field containing a PKCS#1 v1.5 CGA Signature: A variable-length field containing a PKCS#1 v1.5
signature, constructed by using the sender's private signature, constructed by using the sender's private
key over the following sequence of octets: key over the following sequence of octets:
1. The 128-bit CGA Message Type tag [CGA] value for 1. The 128-bit CGA Message Type tag [CGA] value for
SHIM6, 0x4A 30 5662 4858 574B 3655 416F 506A 6D48. SHIM6, 0x4A 30 5662 4858 574B 3655 416F 506A 6D48.
(The tag value has been generated randomly by the (The tag value has been generated randomly by the
editor of this specification.). editor of this specification.).
2. The Locator List Generation value of the 2. The Locator List Generation value of the
correspondent Locator List Option. correspondent Locator List Option.
3. The subset of locators included in the 3. The subset of locators included in the
correspondent Locator List Option which validation correspondent Locator List Option which validation
method is set to CGA. The locators MUST be method is set to CGA. The locators MUST be
included in the order they are listed in the included in the order they are listed in the
Locator List Option. Locator List Option.
5.15.6 ULID Pair Option Format Padding: Padding, 0-7 bytes, added if needed. See
Section 5.14.
It isn't clear whether we need this option. It depends whether we 5.14.6 ULID Pair Option Format
want to be able to setup a context for a ULID pair when that ULID
pair can't be used to communicate. Thus the IPv6 addresses in the I1, I2, and I2bis messages MUST contain the ULID pair; normally this
context establishment would not be the ULIDs. is in the IPv6 source and destination fields. In case that the ULID
for the context differ from the address pair included in the source
and destination address fields of the IPv6 packet used to carry the
I1/I2/I2bis message, the ULID pair option MUST be included in the I1/
I2/I2bis message.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 2 |0| Length | | Type = 6 |0| Length = 36 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Sender ULID + + Sender ULID +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Receiver ULID + + Receiver ULID +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Reserved: 48-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. Reserved2: 32-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. (Needed to
make the ULIDs start on a multiple of 8 octet
boundary.)
Sender ULID: A 128-bit IPv6 address. Sender ULID: A 128-bit IPv6 address.
Receiver ULID: A 128-bit IPv6 address. Receiver ULID: A 128-bit IPv6 address.
5.15.7 Packet In Error Option Format 5.14.7 Forked Instance Identifier Option Format
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 7 |0| Length | | Type = 7 |0| Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ IPv6 header, shim6/TCP/UDP header, etc ~ | Forked Instance Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Packet: A variable length field which contains the packet in
error starting with the IPv6 header.
5.15.8 SHIM6 Event Option Format Forked Instance Identifier: 32-bit field containing the identifier of
the particular forked instance.
This option is defined in [8]. 5.14.8 Probe Option Format
This option is defined in [9].
5.14.9 Reachability Option Format
This option is defined in [9].
5.14.10 Payload Reception Report Option Format
This option is defined in [9].
6. Conceptual Model of a Host 6. Conceptual Model of a Host
This section describes a conceptual model of one possible data This section describes a conceptual model of one possible data
structure organization that hosts will maintain for the purposes of structure organization that hosts will maintain for the purposes of
shim6. The described organization is provided to facilitate the shim6. The described organization is provided to facilitate the
explanation of how the shim6 protocol should behave. This document explanation of how the shim6 protocol should behave. This document
does not mandate that implementations adhere to this model as long as does not mandate that implementations adhere to this model as long as
their external behavior is consistent with that described in this their external behavior is consistent with that described in this
document. document.
6.1 Conceptual Data Structures 6.1 Conceptual Data Structures
The key conceptual data structure for the shim6 protocol is the host The key conceptual data structure for the shim6 protocol is the ULID
pair context. This is a data structure which contains the following pair context. This is a data structure which contains the following
information: information:
o The state of the context. See Section 6.2.
o The peer ULID; ULID(peer) o The peer ULID; ULID(peer)
o The local ULID; ULID(local) o The local ULID; ULID(local)
o The Forked Instance Identifier; FII. This is zero for the default
context i.e., when there is no forking.
o The list of peer locators, with their preferences; Ls(peer) o The list of peer locators, with their preferences; Ls(peer)
o The generation number for the most recently received, validated
peer locator list.
o For each peer locator, the validation method to use (from the o For each peer locator, the validation method to use (from the
Locator List option). Locator List option).
o For each peer locator, a bit whether it has been validated using o For each peer locator, a bit whether it has been validated using
HBA or CGA, and a bit whether the locator has been probed to HBA or CGA, and a bit whether the locator has been probed to
verify that the ULID is present at that location. verify that the ULID is present at that location.
o The preferred peer locator - used as destination; Lp(peer) o The preferred peer locator - used as destination; Lp(peer)
o The set of local locators and the preferences; Ls(local) o The set of local locators and the preferences; Ls(local)
o The generation number for the most recently sent Locator List
option.
o The preferred local locator - used as source; Lp(local) o The preferred local locator - used as source; Lp(local)
o The context tag used to transmit control messages and ULP packets
- allocated by the peer; CT(peer) o The context tag used to transmit control messages and payload
o The context to expect in received control messages and extension extension headers - allocated by the peer; CT(peer)
headers - allocated by the local host; CT(local) o The context to expect in received control messages and payload
o Reachability state for the locator pairs. extension headers - allocated by the local host; CT(local)
o Timers for retransmission of the messages during context
establishment and update messages.
o Depending how an implementation determines whether a context is
still in use, there might be a need to track the last time a
packet was sent/received using the context.
o Reachability state for the locator pairs as specified in [9].
o During pair exploration, information about the probe messages that o During pair exploration, information about the probe messages that
have been sent and received. have been sent and received as specified in [9].
The receiver finds the context by looking it up using <Source 6.2 Context States
Locator, Destination Locator, CT(local)>, where the context tag is in
the shim header. The sender needs to be able to find the context
state when a ULP packet is passed down from the ULP. In that case
the lookup key is the pair of ULIDs.
7. Establishing Host Pair Contexts The states that are used to describe the shim6 protocol are as
follows:
Host pair contexts are established using a 4-way exchange, which +---------------------+---------------------------------------------+
| State | Explanation |
+---------------------+---------------------------------------------+
| IDLE | State machine start |
| | |
| I1-SENT | Initiating context establishment exchange |
| | |
| I2-SENT | Waiting to complete context establishment |
| | exchange |
| | |
| I2BIS-SENT | Potential context loss detected |
| | |
| | |
| ESTABLISHED | SHIM context established |
| | |
| E-FAILED | Context establishment exchange failed |
| | |
| NO-SUPPORT | ICMP payload type unknown (type 4, code 1) |
| | received indicating that shim6 is not |
| | supported |
+---------------------+---------------------------------------------+
In addition, in each of the aforementioned states, the following
state information is stored:
+---------------------+---------------------------------------------+
| State | Information |
+---------------------+---------------------------------------------+
| IDLE | None |
| | |
| I1-SENT | ULID(peer), ULID(local), [FII], CT(local), |
| | INIT nonce, Lp(local), Lp(peer), Ls(local) |
| | |
| I2-SENT | ULID(peer), ULID(local), [FII], CT(local), |
| | INIT nonce, RESP nonce, Lp(local), Lp(peer),|
| | Ls(local) |
| | |
| ESTABLISHED | ULID(peer), ULID(local), [FII], CT(local), |
| | CT(peer), Lp(local), Lp(peer), Ls(local) |
| | Ls(peer), INIT nonce?(to receive late R2) |
| | |
| I2BIS-SENT | ULID(peer), ULID(local), [FII], CT(local), |
| | CT(peer), Lp(local), Lp(peer), Ls(local) |
| | Ls(peer), CT(R1bis) |
| | |
| E-FAILED | ULID(peer), ULID(local) |
| | |
| NO-SUPPORT | ULID(peer), ULID(local) |
+---------------------+---------------------------------------------+
7. Establishing ULID-Pair Contexts
ULID-pair contexts are established using a 4-way exchange, which
allows the responder to avoid creating state on the first packet. As allows the responder to avoid creating state on the first packet. As
part of this exchange each end allocates a context tag, and it shares part of this exchange each end allocates a context tag, and it shares
this context tag and its set of locators with the peer. this context tag and its set of locators with the peer.
In some cases the 4-way exchange is not necessary, for instance when In some cases the 4-way exchange is not necessary, for instance when
both ends try to setup the context at the same time, or when both ends try to setup the context at the same time, or when
recovering from a context that has been garbage collected or lost at recovering from a context that has been garbage collected or lost at
one of the hosts. one of the hosts.
7.1 Normal context establishment 7.1 Normal context establishment
The normal context establishment consists of a 4 message exchange in The normal context establishment consists of a 4 message exchange in
the order of I1, R1, I2, R2. the order of I1, R1, I2, R2.
Initiator Responder Initiator Responder
IDLE IDLE
------------- I1 --------------> ------------- I1 -------------->
I1-SENT
<------------ R1 --------------- <------------ R1 ---------------
IDLE
------------- I2 --------------> ------------- I2 -------------->
I2-SENT
<------------ R2 --------------- <------------ R2 ---------------
ESTABLISHED ESTABLISHED
Figure 24 Figure 24
7.2 Concurrent context establishment 7.2 Concurrent context establishment
When both ends try to initiate a context for the same ULID pair, then When both ends try to initiate a context for the same ULID pair, then
we might end up with crossing I1 messages, or since the no state is we might end up with crossing I1 messages. Alternatively, since no
created when receiving the I1, a host might send a I1 after having state is created when receiving the I1, a host might send a I1 after
sent a R1 message. having sent a R1 message.
Since a host remembers that it has sent an I1, it can respond to an Since a host remembers that it has sent an I1, it can respond to an
I1 from the peer (for the same ULID), with a R2. I1 from the peer (for the same ULID), with a R2. Such behavior is
needed to correctly respond to retransmitted I1 messages, which might
be needed if the R2 message has been lost.
Initiator Responder Host A Host B
IDLE IDLE
-\ -\
---\ I1-SENT---\
---\ /--- ---\ /---
--- I1 ---\ /--- --- I1 ---\ /--- I1-SENT
---\ ---\
/--- I1 ---/ ---\ /--- I1 ---/ ---\
/--- --> /--- -->
<--- <---
-\ -\
---\ I1-SENT---\
---\ /--- ---\ /---
--- R2 ---\ /--- --- R2 ---\ /--- I1-SENT
---\ ---\
/--- R2 ---/ ---\ /--- R2 ---/ ---\
/--- --> /--- -->
<--- <--- ESTABLISHED
ESTABLISHED
Figure 25 Figure 25
If a host has received an I1 and sent an R1, then a ULP can trigger If a host has received an I1 and sent an R1, it has no state to
it to send an I1 message itself, since it doesn't retain any state remember this. Thus if the ULP on the host sends down packets, this
when receiving the I1 message. Thus while one end is sending an I1 might trigger the host to send an I1 message itself. Thus while one
the other is sending an I2. end is sending an I1 the other is sending an I2.
Initiator Responder Host A Host B
IDLE IDLE
-\ -\
---\ ---\
---\ I1-SENT ---\
--- I1 ---\ --- I1 ---\
---\ ---\
---\ ---\
--> -->
/--- /---
/--- /--- IDLE
--- ---
/--- R1--/ /--- R1--/
/--- /---
<--- <---
-\ -\
---\ I2-SENT---\
---\ /--- ---\ /---
--- I2---\ /--- --- I2---\ /--- I1-SENT
---\ ---\
/--- I1 ---/ ---\ /--- I1 ---/ ---\
/--- --> /--- -->
<--- <--- I1-SENT
-\ -\
---\ I2-SENT---\
---\ /--- ---\ /---
--- R2 ---\ /--- --- R2 ---\ /---
---\ ---\
/--- R2 ---/ ---\ /--- R2 ---/ ---\
/--- --> /--- -->
<--- <--- ESTABLISHED
ESTABLISHED
Figure 26 Figure 26
7.3 Context recovery 7.3 Context recovery
Due to garbage collection, we can end up with one end having and Due to garbage collection, we can end up with one end having and
using the context state, and the other end not having any state. We using the context state, and the other end not having any state. We
need to be able to recover this state at the end that has lost it, need to be able to recover this state at the end that has lost it,
before we can use it. before we can use it.
This need can arise in two cases: This need can arise in the following cases:
o The communication is working using the ULID pair as the locator o The communication is working using the ULID pair as the locator
pair, but a problem arises, and the end that has retained the pair, but a problem arises, and the end that has retained the
context state decides to probe and explore alternate locator context state decides to probe alternate locator pairs.
pairs.
o The communication is working using a locator pair that is not the o The communication is working using a locator pair that is not the
ULID pair, hence the ULP packets sent from a peer that has ULID pair, hence the ULP packets sent from a peer that has
retained the context state use the shim payload header. retained the context state use the shim payload extension header.
In both cases the result is that the peer without state receives a
shim message for which it has to context for the <source locator,
destination locator, context tag>.
In both of those case we can recover the context by having the node o The host that retained the state sends a control message (e.g. an
which doesn't have a context state, send back an R1bis [TBD] message, UPDATE message).
and have this complete a recover with a I2 and R2 message.
In all the cases the result is that the peer without state receives a
shim message for which it has to context for the context tag.
In all of those cases we can recover the context by having the node
which doesn't have a context state, send back an R1bis message, and
have then complete the recovery with a I2bis and R2 message.
Host A Host B
Context for
CT(peer)=X Discards context for
CT(local)=X
ESTABLISHED IDLE
---- payload, probe, etc. -----> No context state
for CT(local)=X
<------------ R1bis ------------
IDLE
------------- I2bis ----------->
I2BIS_SENT
<------------ R2 ---------------
ESTABLISHED ESTABLISHED
Figure 27
If one end has garbage collected or lost the context state, it might If one end has garbage collected or lost the context state, it might
try to create the context state (for the same ULID pair), by sending try to create a new context state (for the same ULID pair), by
an I1 message. The peer can simply reply with an R2 message in this sending an I1 message. The peer (that still has the context state)
case. can simply reply with an R2 message in this case.
Host A Host B
Context for
CT(peer)=X Discards context for
ULIDs A1, B1 CT(local)=X
ESTABLISHED IDLE
Finds <------------ I1 --------------- Tries to setup
existing for ULIDs A1, B1
context I1-SENT
------------- R2 -------------->
ESTABLISHED ESTABLISHED
Figure 28
7.4 Context confusion 7.4 Context confusion
Since each end might garbage collect the context state we can have Since each end might garbage collect the context state we can have
the case when one end has retained the context state and tries to use the case when one end has retained the context state and tries to use
it, while the other end has lost the state. We discussed this in the it, while the other end has lost the state. We discussed this in the
previous section on recovery. But for the same reasons, when one previous section on recovery. But for the same reasons, when one
host retains context tag X for ULID pair <A1, B1>, the other end host retains context tag X for ULID pair <A1, B1>, the other end
might end up allocating that context tag for another ULID pair, e.g., might end up allocating that context tag for another ULID pair, e.g.,
<A3, B1> between the same hosts. In this case we can not use the <A3, B1> between the same hosts. In this case we can not use the
skipping to change at page 39, line 39 skipping to change at page 56, line 35
it, while the other end has lost the state. We discussed this in the it, while the other end has lost the state. We discussed this in the
previous section on recovery. But for the same reasons, when one previous section on recovery. But for the same reasons, when one
host retains context tag X for ULID pair <A1, B1>, the other end host retains context tag X for ULID pair <A1, B1>, the other end
might end up allocating that context tag for another ULID pair, e.g., might end up allocating that context tag for another ULID pair, e.g.,
<A3, B1> between the same hosts. In this case we can not use the <A3, B1> between the same hosts. In this case we can not use the
recovery mechanisms since there needs to be separate context tags for recovery mechanisms since there needs to be separate context tags for
the two ULID pairs. the two ULID pairs.
This type of "confusion" can be observed in two cases (assuming it is This type of "confusion" can be observed in two cases (assuming it is
A that has retained the state and B has dropped it): A that has retained the state and B has dropped it):
o B decides to create a context for ULID pair <A3, B1>, and o B decides to create a context for ULID pair <A3, B1>, and
allocates X as its context tag for this, and sends an I1 to A. allocates X as its context tag for this, and sends an I1 to A.
o A decides to create a context for ULID pair <A3, B1>, and starts o A decides to create a context for ULID pair <A3, B1>, and starts
the exchange by sending I1 to B. When B receives the I2 message, the exchange by sending I1 to B. When B receives the I2 message,
it allocates X as the context tag for this context. it allocates X as the context tag for this context.
In both cases, A can detect that B has allocated X for ULID pair <A3, In both cases, A can detect that B has allocated X for ULID pair <A3,
B1> even though that A still X as CT(peer) for ULID pair <A1, B1>. B1> even though that A still X as CT(peer) for ULID pair <A1, B1>.
Thus A can detect that B must have lost the context for <A1, B1>. Thus A can detect that B must have lost the context for <A1, B1>.
The solution to this issue is TBD. The know possibilities are: The confusion can be detected when I2/I2bis/R2 is received since we
o Have A forcibly destroy the context for <A1, B1>, so that it can require that those messages MUST include a sufficiently large set of
accept the new context for <A3, B1>. locators in a Locator List option that the peer can determine whether
or not two contexts have the same host as the peer by comparing if
there is any common locators in Ls(peer).
o Have A accept the context for <A3, B1>, forget about the old The requirement is that the old context which used the context tag
context, but initiate a new (replacement) context for <A1, B1> by MUST be removed; it can no longer be used to send packets. Thus A
sending an I1 message. That I1 through R2 exchange will make B would forcibly remove the context state for <A1, B1, X>, so that it
allocate a new context tag for <A1, B1>. can accept the new context for <A3, B1, X>. An implementation MAY
o Avoid the problem by changing the context tag allocation so that A re-create a context to replace the one that was removed; in this case
and B allocates half of the bits (16 each) of the context tags, so for <A1, B1>. The normal I1, R1, I2, R2 establishment exchange would
that even if one end looses state, the peer can make sure that the then pick unique context tags for that replacement context. This re-
context tags for each context are unique. creation is OPTIONAL, but might be useful when there is ULP
communication which is using the ULID pair whose context was removed.
7.5 Sending I1 messages 7.5 Sending I1 messages
When the shim layer decides to setup a context for a ULID pair, it When the shim layer decides to setup a context for a ULID pair, it
starts by allocating and initializing the context state for its end. starts by allocating and initializing the context state for its end.
As part of this it assigns its context tag to the context. Then it As part of this it assigns a random context tag to the context that
can send an I1 message. is not being used as CT(local) by any other context . In the case
that a new API is used and the ULP requests a forked context, the
Forked Instance Identifier value will be set to a non-zero value.
Otherwise, the FII value is zero. Then the initiator can send an I1
message and set the context state to I1-SENT. The I1 message MUST
include the ULID pair; normally in the IPv6 source and destination
fields. But if the ULID pair for the context is not used as locator
pair for the I1 message, then a ULID option MUST be included in the
I1 message. In addition, if a Forked Instance Identifier value is
non-zero, the I1 message MUST include a Context Instance Identifier
option containing the correspondent value.
7.6 Retransmitting I1 messages
If the host does not receive an I2 or R2 message in response to the If the host does not receive an I2 or R2 message in response to the
I1 message, then it needs to retransmit the I1 message. The I1 message after I1_TIMEOUT time, then it needs to retransmit the I1
retransmissions should use a retransmission timer with binary message. The retransmissions should use a retransmission timer with
exponential backoff to avoid creating congestion issues for the binary exponential backoff to avoid creating congestion issues for
network when lots of hosts perform this. the network when lots of hosts perform I1 retransmissions. Also, the
actual timeout value should be randomized between 0.5 and 1.5 of the
nominal value to avoid self-synchronization.
If, after several retransmissions, there is no response, then most If, after I1_RETRIES_MAX retransmissions, there is no response, then
likely the peer does not implement the shim6 protocol, or there could most likely the peer does not implement the shim6 protocol, or there
be a firewall that blocks the protocol. In this case it makes sense could be a firewall that blocks the protocol. In this case it makes
for the host to remember to not try again to establish a host pair sense for the host to remember to not try again to establish a
context with that ULID. However, any such negative caching should context with that ULID. However, any such negative caching should
retained for a limit time; a few minutes would be appropriate, to retained for at most NO_R1_HOLDDOWN_TIME, to be able to later setup a
allow things to recover should the host not be reachable at all when context should the problem have been that the host was not reachable
the shim tries to establish the context. at all when the shim tried to establish the context.
If the host receives an ICMP error with "payload type unknown" and If the host receives an ICMP error with "payload type unknown" (type
the included packet is the I1 packet it just sent, then this is a 4, code 1) and the included packet is the I1 packet it just sent,
more reliable indication that the peer ULID does not implement shim6. then this is a more reliable indication that the peer ULID does not
implement shim6. Again,in this case, the host should remember to not
try again to establish a context with that ULID. Such negative
caching should retained for at most ICMP_HOLDDOWN_TIME, which should
be significantly longer than the previous case.
7.6 Receiving I1 messages 7.7 Receiving I1 messages
If the host looks up a context for the ULID pair and the peer's (not A host MUST silently discard any received I1 messages that do not
its) context tag. If it finds such a context, the it needs to verify satisfy all of the following validity checks in addition to those
that the locators in the message are in fact part of the locator sets specified in Section 12.2:
that are recorded in the existing context state. If this is not the
case, then the I1 message MUST be silently ignored. (This can only
happen when there is an ULID pair option in the I1 message.) If the
locators are ok, then the host can respond with an R2 message as if
it had received an I2 message and not an I1 message.
If there is no existing context state, then the host forms a verifier o The Hdr Ext Len field is at least 1, i.e., the length is at least
and sends this back to the peer in an I2 message. No state is 16 octets.
created on the host in this case.
7.7 Receiving R1 messages Upon the reception of an I1 message, the host extracts the ULID pair
and the Forked Instance identifier from the message. If there is no
ULID-pair option, then the ULID pair is taken from the source and
destination fields in the IPv6 header. If there is no FII option in
the message, then the FII value is taken to be zero.
When the host receives an R1 message, it verifies that the nonce Next the host looks for an existing context which matches the ULID
matches what it sent in the I1 message, and that it has context state pair and the FII. If such a context exists, the host verifies that
for the ULID pair. It then sends an I2 message, which includes the the locator of the Initiator is included in Ls(peer) (This check is
verifier option that was in the R1 message. The I2 message also unnecessary if there is no ULID-pair option in the I1 message). If
includes A's locator list and the CGA parameter data structure. If the locators do not fall in the locator sets, then the host MUST
CGA (and not HBA) is used to verify the locator list, then A also discard the I1 packet and perform no further processing.
signs the key parts of the message and includes a CGA signature
option containing the signature.
The host may receive an R1[bis] TBD message that was not sent in If no state is found (i.e., the state is IDLE), or the locators do
response to an I1 message but instead sent as a result of context fall in the sets, then the host looks at the state of the context:
recovery. The difference between an R1bis and an R1 message is that
the former use the context tag of the responder. TBD how there are
handled and whether they are identical to an R1.
7.8 Retransmitting I2 messages o If the state is IDLE, then the host will form an R1 packet as
specified below.
If the initiator does not receive an R2 message after sending an I2 o If the state is ESTABLISHED, it means that the Initiator has lost
message it MAY retransmit the I2 message. But since the verifier the context information for this context and it is trying to
establish a new one. In this case, the host MUST update the
existing context and replace CT(peer) with the Initiator Context
Tag included in the I1 message and then reply with an R2 message,
including the associated state information. In this case the host
MUST look for any other (old) context with a matching CT(peer) as
specified in Section 7.12. This completes the I1 processing, with
the context state being unchanged.
o In an other state (I1-SENT, I2-SENT, I2BIS-SENT), we are in the
situation of Concurrent context establishment described above. In
this case, the host sets CT(peer) to the Initiator Context tag of
the I1 packet, and replies with a R2 message. This completes the
I1 processing, with the context state being unchanged.
When the host needs to send a R1 message in response to the I1
message, it copies the Initiator Nonce from the I1 message to the R1
message, generates a Responder Nonce and calculates a validator as
suggested in the following section. No state is created on the host
in this case.
When the host needs to send a R2 message in response to the I1
message, it copies the Initiator Nonce from the I1 message to the R2
message, and otherwise follows the normal rules for forming an R2
message (see Section 7.11).
7.7.1 Generating the R1 validator
One way for the responder to properly generate validators is to
maintain a single secret (S) and a running counter for the Responder
Nonce.
In the case the validator is generated to be included in a R1 packet,
for each I1 message. The responder can increase the counter, use the
counter value as the responder nonce, and use the following
information as input to the one-way function:
o The the secret S
o That Responder Nonce
o The Initiator Context Tag from the I1 message
o The ULIDs from the I1 message
o The locators from the I1 message (strictly only needed if they are
different from the ULIDs)
o The forked instance identifier if such option was included in the
I1 message
and then the output of the hash function as validator string.
7.8 Receiving R1 messages and sending I2 messages
A host MUST silently discard any received R1 messages that do not
satisfy all of the following validity checks in addition to those
specified in Section 12.2:
o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets.
Upon the reception of an R1 message, the host extracts the Initiator
Nonce and the Locator Pair from the message (the latter from the
source and destination fields in the IPv6 header). Next the host
looks for an existing context which matches the Initiator Nonce and
where the locators are contained in Ls(peer) and Ls(local),
respectively. If no such context is not found, then the R1 packet is
silently discarded.
If such a context is found, then the host looks at the state:
o If the state is I1-SENT, then it sends an I2 message as specified
below.
o In any other state (I2-SENT, I2BIS-SENT, ESTABLISHED) then the
host has already sent an I2 packet then this is probably a reply
to a retransmitted I1 packet, so this R1 message MUST be silently
discarded.
When the host sends an I2 message, then it includes the validator
option that was in the R1 message. The I2 message MUST include the
ULID pair; normally in the IPv6 source and destination fields. If a
ULID-pair option was included in the I1 message then it MUST be
included in the I2 message as well. In addition, if the Forked
Instance Identifier value for this context is non-zero, the I2
message MUST contain a Forked Instance Identifier Option carrying
this value. Besides, the I2 message contains an Initiator Nonce.
This is not required to be the same than the one included in the
previous I1 message.
The I2 message also includes the Initiator's locator list and the CGA
parameter data structure. If CGA (and not HBA) is used to verify the
locator list, then Initiator also signs the key parts of the message
and includes a CGA signature option containing the signature.
When the I2 message has been sent, the state is set to I2-SENT.
7.9 Retransmitting I2 messages
If the initiator does not receive an R2 message after I2_TIMEOUT time
after sending an I2 message it MAY retransmit the I2 message, using
binary exponential backoff and randomized timers. The validator
option might have a limited lifetime, that is, the peer might reject option might have a limited lifetime, that is, the peer might reject
verifier options that are too old to avoid replay attacks, the verifier options that are older than VALIDATOR_MIN_LIFETIME to avoid
initiator SHOULD fall back to retransmitting the I1 message when replay attacks. Thus the initiator SHOULD fall back to
there is no response to one or a few I2 messages. retransmitting the I1 message when there is no R2 received after
retransmitting the I2 message I2_RETRIES_MAX times.
7.9 Receiving I2 messages 7.10 Receiving I2 messages
The responder checks that the nonce and the verifier option is A host MUST silently discard any received I2 messages that do not
consistent with what it might have sent in a recent R1 message (by satisfy all of the following validity checks in addition to those
verifying the hash it computed.) If this is ok, then the host checks specified in Section 12.2:
if it already has context state for the ULID pair and the CT(peer).
If it has such state, the I2 message was probably a retransmission.
In this case the host sends an R2 message.
If there is no context state, the responder allocates a context tag o The Hdr Ext Len field is at least 2, i.e., the length is at least
(CT(local)) and creates the context state for the context. It 24 octets.
records the peer's locator set as well as its own locator set in the
context. It MAY verify the peers locator set at this point in time,
but the requirement is that a locator MUST be verified before the
host starts sending packets to that locator, thus the host MAY defer
the verification until later.
The host forms an R2 message with its locators and its context tag, Upon the reception of an I2 message, the host extracts the ULID pair
and includes the necessary options so that the peer can verify the and the Forked Instance identifier from the message. If there is no
locators. ULID-pair option, then the ULID pair is taken from the source and
destination fields in the IPv6 header. If there is no FII option in
the message, then the FII value is taken to be zero.
Next the host verifies that the Responder Nonce is a recent one, and
that the Validator option matches the validator the host would have
computed for the ULID, locators, responder nonce, and FII.
If a CGA Parameter Data Structure is included in the message, then
the host MUST verify if the actual PDS contained in the packet
corresponds to the ULID(peer).
If at least one of the above verification fails, then it silently
discard the packet and it has completed the I2 processing.
If both verifications are successful, then the host proceeds to look
for a context state for the Initiator. The host looks for a context
with the extracted ULID pair and FII. If none exist then state of
the (non-existing) context is viewed as being IDLE, thus the actions
depend on the state as follows:
o If the state is IDLE (i.e., the context does not exist) the host
allocates a context tag (CT(local)) creates the context state for
the context, sets its state to ESTABLISHED. It records the peer's
locator set as well as its own locator set in the context. It
SHOULD perform the HBA/CGA verification of the peer's locator set
at this point in time. Then the host sends an R2 message back as
specified below.
o If the state is ESTABLISHED, CT(peer) matches the Initiator
Context tag, and the IPv6 source address is contained in Ls(peer)
then this I2 message is probably a retransmit, so the host MUST
send a R2 message back as specified below.
o If the state is ESTABLISHED, and if at least one of the following
conditions is true: either the CT(peer) is not the same as the
Initiator Context tag, or the IPv6 source address is not contained
in Ls(peer) then silently discard the packet. Then the host has
completed the I2 processing.
o In other state (I1-SENT, I2-SENT, or I2BIS-SENT) then we are in
the Concurrent context establishment situation described above.
Then it replies with a R2 message as specified below. The state
of the context remains unchanged.
7.11 Sending R2 messages
Before the host sends the R2 message it MUST look for a possible
context confusion i.e. where it would end up with multiple contexts
using the same CT(peer) for the same peer host. See Section 7.12.
In any case that the host sends an R2 message, the host forms the R2
message with its locators and its context tag, copies the Initiator
Nonce from the I2 message, and includes the necessary options so that
the peer can verify the locators. In particular, the R2 message also
includes the Responder's locator list and the CGA parameter data
structure. If CGA (and not HBA) is used to verify the locator list,
then the Responder also signs the key parts of the message and
includes a CGA signature option containing the signature.
R2 messages are never retransmitted. If the R2 message is lost, then R2 messages are never retransmitted. If the R2 message is lost, then
the initiator will retransmit either the I2 or I1 message. Either the initiator will retransmit either the I2/I2bis or I1 message.
retransmission will cause the responder to find the context state and Either retransmission will cause the responder to find the context
respond with an R2 message. state and respond with an R2 message.
7.10 Receiving R2 messages 7.12 Match for Context Confusion
The initiator can receive an R2 message in response to either an I1 When the host receives an I2, I2bis, or R2 it MUST look for a
or an I2 message, but the handling of the R2 is the same in both possible context confusion i.e. where it would end up with multiple
cases. The host first verifies that the nonce is the same as the one contexts using the same CT(peer) for the same peer host. This can
it sent (in the I1 or I2 message). If it doesn't match, the R2 happen when it has received the above messages since they create a
new context with a new CT(peer). Same issue applies when CT(peer) is
updated for an existing context.
The host takes CT(peer) for the newly created or updated context, and
looks for other contexts which:
o Are in state ESTABLISHED or I2BIS-SENT.
o Have the same CT(peer).
o Where Ls(peer) has at least one locator in common with the newly
created or updated context.
If such a context is found, then the host checks if the ULID pair or
the Forked Instance Identifier different than the ones in the newly
created or updated context:
o If this is true, then the peer is trying to reuse the context tag
for the creation of a context with different ULID pair or FII,
which is a signal that the Initiator has lost the other context.
In this case, we are in the Context confusion situation, and the
host MUST NOT use the old context to send any packets. It MAY
just discard the old context (after all, the peer has discarded
it), or it MAY attempt to re-establish the old context by sending
a new I1 message and moving its state to I1-SENT. In any case,
once that this situation is detected, the host MUST not keep two
contexts with overlapping Ls(peer) locator sets and the same
context tag in ESTABLISHED state, since this would result in
demultiplexing problems on the peer.
o If this is not true, then the local host must be broken, since it
should have detected the existence of a context for the same ULID
pair and FII earlier.
7.13 Receiving R2 messages
A host MUST silently discard any received R2 messages that do not
satisfy all of the following validity checks in addition to those
specified in Section 12.2:
o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets.
Upon the reception of an R2 message, the host extracts the Initiator
Nonce and the Locator Pair from the message (the latter from the
source and destination fields in the IPv6 header). Next the host
looks for an existing context which matches the Initiator Nonce and
where the locators are Lp(peer) and Lp(local), respectively. Based
on the state:
o If no such context is found, i.e., the state is IDLE, then the
message is silently dropped. message is silently dropped.
Then the host records the information from the R2 message in the o If state is I1-SENT, I2-SENT, or I2BIS-SENT then the host performs
context state. It records the peer's locator set in the context. It the following actions: If a CGA Parameter Data Structure is
MAY verify the peers locator set at this point in time, but the included in the message, then the host MUST verify if the actual
requirement is that a locator MUST be verified before the host starts PDS contained in the packet corresponds to the ULID(peer). If the
sending packets to that locator, thus the host MAY defer the verification fails, then the message is silently dropped. If the
verification until later. verification succeeds, then the host records the information from
the R2 message in the context state. It records the peer's
locator set in the context. It SHOULD perform the HBA/CGA
verification of the peer's locator set at this point in time.
8. No Such Content Errors o If the state is ESTABLISHED, the R2 message is silently ignored.
TBD Before the host completes the R2 processing it MUST look for a
possible context confusion i.e. where it would end up with multiple
contexts using the same CT(peer) for the same peer host. See
Section 7.12.
The Interim Meeting discussed ways to recover the context state at 7.14 Sending R1bis packets
one end when the other end sees a failure (and starts sending Probe
messages). The discussed approach is to use a R1 (or R1bis) message
in response to a message with an unknown context, which would cause
the context to be recreated.
The idea is that on receipt of a SHIM6 payload packet where there is Upon the receipt of a shim6 payload extension header where there is
no current SHIM6 context at the receiver, the receiver is to respond no current SHIM6 context at the receiver, the receiver is to respond
with an R1bis packet in order to re-establish SHIM6 context. The with an R1bis packet in order to enable a fast re-establishment of
R1bis packet differs from the R1 packet in that an R1 packet echoes the lost SHIM6 context.
the I1 fields, while this R1bis offers state back to the sender. One
key difference is that the I1 packet contains the initiator's context
tag, while the payload message header contains the receivers context
tag. Either way the next control packet is an I2 in response. The
senders previous context state is to be flushed in receipt of the R2
packet following the R1bis, I2 exchange.
The details of this type of exchange needs to be worked out, but the Also a host is to respond with a R1bis upon receipt of any control
likely result is that we will not need a separate "No context" error messages that has a message type in the range 64-127 (i.e., excluding
message. the context setup messages such as I1, R1, R1bis, I2, I2bis, R2 and
future extensions), where the control message refers to a non
existent context.
9. Handling ICMP Error Messages We assume that all the incoming packets that trigger the generation
of an R1bis packet contain a locator pair (in the address fields of
the IPv6 header) and a Context Tag.
Upon reception of any of the packets described above, the host will
reply with an R1bis including the following information:
o The Responder Nonce is a number picked by the responder which the
initiator will return in the I2bis message.
o Packet Context Tag is the context tag contained in the received
packet that triggered the generation of the R1bis packet.
o The Validator option is included, with a validator that is
computed as suggested in the next section.
7.14.1 Generating the R1bis validator
One way for the responder to properly generate validators is to
maintain a single secret (S) and a running counter for the Responder
Nonce.
In the case the validator is generated to be included in a R1bis
packet, for each received payload extension header or control packet,
the responder can increase the counter, use the counter value as the
responder nonce, and use the following information as input to the
one-way function:
o The the secret S
o That Responder Nonce
o The Context tag included in the received packet
o The locators from the received packet
and then use the output of the hash function as validator string.
7.15 Receiving R1bis messages and sending I2bis messages
A host MUST silently discard any received R1bis messages that do not
satisfy all of the following validity checks in addition to those
specified in Section 12.2:
o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets.
Upon the reception of an R1bis message, the host extracts the Packet
Context Tag and the Locator Pair from the message (the latter from
the source and destination fields in the IPv6 header). Next the host
looks for an existing context where the Packet Context Tag matches
CT(peer) and where the locators match Lp(peer) and Lp(local),
respectively.
o If no such context is not found, i.e., the state is IDLE, then the
R1bis packet is silently discarded.
o If the state is I1-SENT, I2-SENT, or I2BIS-SENT, then the R1bis
packet is silently discarded.
o If the state is ESTABLISHED, then we are in the case where the
peer has lost the context and the goal is to try to re-establish
it. For that, the host leaves CT(peer) unchanged in the context
state, transitions to I2BIS-SENT state, and sends a I2bis packet,
including in it the Validator, the Packet Context Tag, and the
Responder Nonce received in the R1bis packet. This I2bis packet
is sent using the locator pair included in the R1bis packet. In
the case that this locator pair differs from the ULID pair defined
for this context, then an ULID option MUST be included in the
I2bis packet. In addition, if the Forked Instance Identifier for
this context is non-zero, then a Forked Instance Identifier option
carrying the instance identifier value for this context MUST be
included in the I2bis message.
7.16 Receiving I2bis messages and sending R2 messages
A host MUST silently discard any received I2bis messages that do not
satisfy all of the following validity checks in addition to those
specified in Section 12.2:
o The Hdr Ext Len field is at least 3, i.e., the length is at least
32 octets.
Upon the reception of an I2bis message, the host extracts the ULID
pair and the Forked Instance identifier from the message. If there
is no ULID-pair option, then the ULID pair is taken from the source
and destination fields in the IPv6 header. If there is no FII option
in the message, then the FII value is taken to be zero.
Next the host verifies that the Responder Nonce is a recent one, and
that the Validator option matches the validator the host would have
computed for the ULID, locators, responder nonce, and FII as part of
sending an R1bis message.
If a CGA Parameter Data Structure is included in the message, then
the host MUST verify if the actual PDS contained in the packet
corresponds to the ULID(peer).
If at least one of the above verification fails, then it silently
discard the packet and it has completed the I2bis processing.
If both verifications are successful, then the host proceeds to look
for a context state for the Initiator. The host looks for a context
with the extracted ULID pair and FII. If none exist then state of
the (non-existing) context is viewed as being IDLE, thus the actions
depend on the state as follows:
o If the state is IDLE (i.e., the context does not exist) the host
allocates a context tag (CT(local)) creates the context state for
the context, sets its state to ESTABLISHED. The host SHOULD NOT
use the Packet Context Tag in the I2bis packet for CT(local);
instead it should pick a new random context tag just as when it
processes an I2 message. It records the peer's locator set as
well as its own locator set in the context. It SHOULD perform the
HBA/CGA verification of the peer's locator set at this point in
time. Then the host sends an R2 message back as specified in
Section 7.11.
o If the state is ESTABLISHED, CT(peer) matches the Initiator
Context tag, and the IPv6 source address is contained in Ls(peer)
then this I2bis message is probably a retransmit, so the host MUST
send a R2 message back as specified below.
o If the state is ESTABLISHED, and if at least one of the following
conditions is true: either the CT(peer) is not the same as the
Initiator Context tag, or the IPv6 source address is not contained
in Ls(peer) then silently discard the packet. Then the host has
completed the I2bis processing.
o In other state (I1-SENT, I2-SENT, or I2BIS-SENT) then we are in
the Concurrent context establishment situation described above.
Then it replies with a R2 message as specified in section
Section 7.11. The state of the context remains unchanged.
8. Handling ICMP Error Messages
The routers in the path as well as the destination might generate The routers in the path as well as the destination might generate
various ICMP error messages, such as host unreachable, packet too various ICMP error messages, such as host unreachable, packet too
big, and payload type unknown. It is critical that these packets big, and payload type unknown. It is critical that these packets
make it back up to the ULPs so that they can take appropriate action. make it back up to the ULPs so that they can take appropriate action.
When the ULP packets are sent unmodified, that is, while the initial When the ULP packets are sent unmodified, that is, while the initial
locators=ULIDs are working, this introduces no new concerns; an locators=ULIDs are working, this introduces no new concerns; an
implementation's existing mechanism for delivering these errors to implementation's existing mechanism for delivering these errors to
the ULP will work. But when the shim on the transmitting side the ULP will work. But when the shim on the transmitting side
skipping to change at page 43, line 26 skipping to change at page 68, line 30
ICMP error up to the ULP. ICMP error up to the ULP.
This mapping is different than when receiving ULP packets from the This mapping is different than when receiving ULP packets from the
peer, because in that case the packets contain CT(local). But the peer, because in that case the packets contain CT(local). But the
ICMP errors have a "packet in error" with CT(peer) since they were ICMP errors have a "packet in error" with CT(peer) since they were
intended to be received by the peer. In any case, since the <Source intended to be received by the peer. In any case, since the <Source
Locator, Destination Locator, CT(peer)> has to be unique when Locator, Destination Locator, CT(peer)> has to be unique when
received by the peer, the local host should also only be able to find received by the peer, the local host should also only be able to find
one context that matches this tuple. one context that matches this tuple.
If the ULP packet had been encapsulated in a shim6 payload message, If the ULP packet had been encapsulated in a shim6 payload extension
then this extension header must be removed. The result needs to be header, then this extension header must be removed. The result needs
that the ULP receives an ICMP error where the contained "packet in to be that the ULP receives an ICMP error where the contained "packet
error" looks as if the shim did not exist. in error" looks as if the shim did not exist.
10. Teardown of the Host Pair Context 9. Teardown of the ULID-Pair Context
Each host can unilaterally decide when to tear down a host-pair Each host can unilaterally decide when to tear down a ULID-pair
context. It is RECOMMENDED that hosts not tear down the context when context. It is RECOMMENDED that hosts not tear down the context when
they know that there is some upper layer protocol that might use the they know that there is some upper layer protocol that might use the
context. For example, an implementation might know this is there is context. For example, an implementation might know this is there is
an open socket which is connected to the ULID(peer). However, there an open socket which is connected to the ULID(peer). However, there
might be cases when the knowledge is not readily available to the might be cases when the knowledge is not readily available to the
shim layer, for instance for UDP applications which not not connect shim layer, for instance for UDP applications which not connect their
their sockets, or any application which retains some higher level sockets, or any application which retains some higher level state
state across (TCP) connections and UDP packets. across (TCP) connections and UDP packets.
Thus it is RECOMMENDED that implementations minimize premature Thus it is RECOMMENDED that implementations minimize premature
teardown by observing the amount of traffic that is sent and received teardown by observing the amount of traffic that is sent and received
using the context, and only after it appears quiescent, tear down the using the context, and only after it appears quiescent, tear down the
state. state. A reasonable approach would be to not tear down a context
until at least 5 minutes have passed since the last message was sent
or received using the context.
TBD: The Interim meeting discussed whether it was feasible to relax Since there is no explicit, coordinated removal of the context state,
this so that one can end up with an asymmetric distribution of the there are potential issues around context tag reuse. One end might
context state and still get (most of) the shim benefits. For remove the state, and potentially reuse that context tag for some
example, the busy server would go through the context setup but would other communication, and the peer might later try to use the old
quickly remove the context state after this (in order to save memory) context (which it didn't remove). The protocol has mechanisms to
but the not-so-busy client would retain the context state. The recover from this, which work whether the state removal was total and
context recover mechanism presented in Section 7.3 would then be accidental (e.g., crash and reboot of the host), or just a garbage
recreate the state should the client send either a shim control collection of shim state that didn't seem to be used. However, the
message (e.g., probe message because it sees a problem), or a ULP host should try to minimize the reuse of context tags by trying to
packet in an payload extension header (because it had earlier failed randomly cycle through the 2^47 context tag values. (See Appendix B
over to an alternative locator pair, but had been silent for a for a summary how the recovery works in the different cases.)
while). This seems to provide the benefits of the shim as long as
the client can detect the failure. If the client doesn't send
anything, and it is the server that tries to send, then it will not
be able to recover because the shim on the server has no context
state, hence doesn't know any alternate locator pairs.
11. Updating the Locator Pairs 10. Updating the Peer
TBD The Update Request and Acknowledgement are used both to update the
list of locators (only possible when CGA is used to verify the
locator(s)), as well as updating the preferences associated with each
locator.
10.1 Sending Update Request messages
When a host has a change in the locator set, then it can communicate
this to the peer by sending an Update Request. When a host has a
change in the preferences for its locator set, it can also
communicate this to the peer. The Update Request message can include
just a Locator List option, to convey the new set of locators (which
requires a CGA signature option as well), just a Locator Preferences
option, or both a new Locator List and new Locator Preferences.
Should the host send a new Locator List, the host picks a new random
local generation number, records this in the context, and puts it in
the Locator List option. Any Locator Preference option, whether send
in the same Update Request or in some future Update Request, will use
that generation number to make sure the preferences get applied to
the correct version of the locator list.
The host picks a random Request Nonce for each update, and keeps the
same nonce for any retransmissions of the Update Request. The nonce
is used to match the acknowledgement with the request.
10.2 Retransmitting Update Request messages
If the host does not receive an Update Acknowledgement R2 message in
response to the Update Request message after UPDATE_TIMEOUT time,
then it needs to retransmit the Update Request message. The
retransmissions should use a retransmission timer with binary
exponential backoff to avoid creating congestion issues for the
network when lots of hosts perform I1 retransmissions. Also, the
actual timeout value should be randomized between 0.5 and 1.5 of the
nominal value to avoid self-synchronization.
Should there be no response, the retransmissions continue forever.
The binary exponential backoff stops at MAX_UPDATE_TIMEOUT. But the
only way the retransmissions would stop when there is no
acknowledgement, is when the shim, through the Probe protocol or some
other mechanism, decides to discard the context state due to lack of
ULP usage in combination with no responses to the Probes.
10.3 Newer Information While Retransmitting
There can be at most one outstanding Update Request message at any
time. Thus until e.g. an update with a new Locator List has been
acknowledged, any even newer Locator List or new Locator Preferences
can not just be sent. However, when there is newer information and
the older information has not yet been acknowledged, the host can
instead of waiting for an acknowledgement, abandon the previous
update and construct a new Update Request (with a new Request Nonce)
which includes the new information as well as the information that
hadn't yet been acknowledged.
For example, if the original locator list was just (A1, A2), and if
an Update Request with the Locator List (A1, A3) is outstanding, and
the host determines that it should both add A4 to the locator list,
and mark A1 as BROKEN, then it would need to:
o Pick a new random Request Nonce for the new Update Request.
o Pick a new random Generation number for the new locator list.
o Form the new locator list - (A1, A3, A4)
o Form a Locator Preference option which uses the new generation
number and has the BROKEN flag for the first locator.
o Send the Update Request and start a retransmission timer.
Any Update Acknowledgement which doesn't match the current request
nonce, for instance an acknowledgement for the abandoned Update
Request, will be silently ignored.
10.4 Receiving Update Request messages
A host MUST silently discard any received Update Request messages
that do not satisfy all of the following validity checks in addition
to those specified in Section 12.2:
o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets.
Upon the reception of an Update Request message, the host extracts
the Context Tag from the message. It then looks for a context which
has a CT(local) that matches the context tag. If no such context is
found, it sends a R1bis message as specified in Section 7.14.
Since context tags can be reused, the host MUST verify that the IPv6
source address field is part of Ls(peer) and that the IPv6
destination address field is part of Ls(local). If this is not the
case, the sender of the Update Request has a stale context which
happens to match the CT(local) for this context. In this case the
host MUST send a R1bis message, and otherwise ignore the Update
Request message.
If a CGA Parameter Data Structure is included in the message, then
the host MUST verify if the actual PDS contained in the packet
corresponds to the ULID(peer). If this verification fails, the
message is silently discarded.
Then, depending on the state of the context:
o If ESTABLISHED: Proceed to process message.
o If I1-SENT, discard the message and stay in I1-SENT.
o If I2-SENT, then send R2 and proceed to process the message.
o If I2BIS-SENT, then send R2 and proceed to process the message.
The validation issues for the locators carried in the Locator Update The validation issues for the locators carried in the Locator Update
message are specified in Section 4.4. message are specified in Section 4.7. If the locator list can not be
validated, this procedure might send an ICMP Parameter Problem error.
In any case, if it can not be validated, there is no further
processing of the Update Request.
12. Various Probe Mechanisms Once any Locator List option in the Update Request has been
validated, the peer generation number in the context is updated to be
the one in the Locator List option.
TBD If the Update message contains a Locator Preference option, then the
Generation number in the preference option is compared with the peer
generation number in the context. If they do not match, then the
host generates an ICMP parameter problem (type 4, code 0) with the
Pointer field referring to the first octet in the Generation number
in the Locator Preference option. In addition, if the number of
elements in the Locator Preference option does not match the number
of locators in Ls(peer), then an ICMP parameter problem is sent with
the Pointer referring to the first octet of the Length field in the
Locator Preference option. In both cases of failures, no further
processing is performed for the Locator Update message.
13. Rehoming to a Different Locator Pair If the generation number matches, the locator preferences are
recorded in the context.
TBD Once the Locator List option (if present) has been validated and any
new locator list or locator preferences have been recorded, the host
sends an Update Acknowledgement message, copying the nonce from the
request, and using the CT(peer) in as the Receiver Context tag.
14. Sending ULP Payloads Any new locators, or more likely new locator preferences, might
result in the host wanting to select a different locator pair for the
context. For instance, if the Locator Preferences lists the current
Lp(peer) as BROKEN. The host uses the Probe message in [9] to verify
that the new locator is reachable before changing Lp(peer).
10.5 Receiving Update Acknowledgement messages
A host MUST silently discard any received Update Acknowledgement
messages that do not satisfy all of the following validity checks in
addition to those specified in Section 12.2:
o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets.
Upon the reception of an Update Acknowledgement message, the host
extracts the Context Tag and the Request Nonce from the message. It
then looks for a context which has a CT(local) that matches the
context tag. If no such context is found, it sends a R1bis message
as specified in Section 7.14.
Since context tags can be reused, the host MUST verify that the IPv6
source address field is part of Ls(peer) and that the IPv6
destination address field is part of Ls(local). If this is not the
case, the sender of the Update Acknowledgement has a stale context
which happens to match the CT(local) for this context. In this case
the host MUST send a R1bis message, and otherwise ignore the Update
Acknowledgement message.
Then, depending on the state of the context:
o If ESTABLISHED: Proceed to process message.
o If I1-SENT, discard the message and stay in I1-SENT.
o If I2-SENT, then send R2 and proceed to process the message.
o If I2BIS-SENT, then send R2 and proceed to process the message.
If the Request Nonce doesn't match the Nonce for the last sent Update
Request for the context, then the Update Acknowledgement is silently
ignored. If the nonce matches, then the update has been completed
and the Update retransmit timer can be reset.
11. Sending ULP Payloads
When there is no context state for the ULID pair on the sender, there When there is no context state for the ULID pair on the sender, there
is no effect on how ULP packets are sent. If the host is using some is no effect on how ULP packets are sent. If the host is using some
heuristic for determining when to perform a deferred context heuristic for determining when to perform a deferred context
establishment, then the host might need to do some accounting (count establishment, then the host might need to do some accounting (count
the number of packets sent and received) even before there is a host- the number of packets sent and received) even before there is a ULID-
pair context. pair context.
If there is a host-pair context for the ULID pair, then the sender If the context is not in ESTABLISHED or I2BIS-SENT state, then it
there is also no effect on how the ULP packets are sent. Only in the
ESTABLISHED and I2BIS-SENT states does the host have CT(peer) and
Ls(peer) set.
If there is a ULID-pair context for the ULID pair, then the sender
needs to verify whether context uses the ULIDs as locators, that is, needs to verify whether context uses the ULIDs as locators, that is,
whether Lp(peer) == ULID(peer) and Lp(local) == ULID(local). whether Lp(peer) == ULID(peer) and Lp(local) == ULID(local).
If this is the case, then packets will be sent unmodified by the If this is the case, then packets will be sent unmodified by the
shim. If it is not the case, then the logic in Section 14.1 will shim. If it is not the case, then the logic in Section 11.1 will
need to be used. need to be used.
There will also be some maintenance activity relating to There will also be some maintenance activity relating to
(un)reachability detection, whether packets are sent with the (un)reachability detection, whether packets are sent with the
original locators or not. The details of this is out of scope for original locators or not. The details of this is out of scope for
this document and will be covered is follow-ons to [7]. this document and will be covered is follow-ons to [8].
14.1 Sending ULP Payload after a Switch 11.1 Sending ULP Payload after a Switch
When sending packets, if there is a host-pair context for the ULID When sending packets, if there is a ULID-pair context for the ULID
pair, and the ULID pair is no longer used as the locator pair, then pair, and the ULID pair is no longer used as the locator pair, then
the sender needs to transform the packet. Apart from replacing the the sender needs to transform the packet. Apart from replacing the
IPv6 source and destination fields with a locator pair, an 8-octet IPv6 source and destination fields with a locator pair, an 8-octet
header is added so that the receiver can find the context and inverse header is added so that the receiver can find the context and inverse
the transformation. the transformation.
First, the IP address fields are replaced. The IPv6 source address First, the IP address fields are replaced. The IPv6 source address
field is set to Lp(local) and the destination address field is set to field is set to Lp(local) and the destination address field is set to
Lp(peer). NOTE that this MUST NOT cause any recalculation of the ULP Lp(peer). NOTE that this MUST NOT cause any recalculation of the ULP
checksums, since the ULP checksums are carried end-to-end and the ULP checksums, since the ULP checksums are carried end-to-end and the ULP
skipping to change at page 45, line 32 skipping to change at page 76, line 5
ULP might have included, thus it skips any hop-by-hop extension ULP might have included, thus it skips any hop-by-hop extension
header, any routing header, and any destination options header that header, any routing header, and any destination options header that
is followed by a routing header. After any such headers the shim6 is followed by a routing header. After any such headers the shim6
extension header will be added. This might be before a Fragment extension header will be added. This might be before a Fragment
header, a Destination Options header, an ESP or AH header, or a ULP header, a Destination Options header, an ESP or AH header, or a ULP
header. header.
The inserted shim6 Payload extension header includes the peer's The inserted shim6 Payload extension header includes the peer's
context tag. context tag.
15. Receiving Packets 12. Receiving Packets
As in normal IPv6 receive side packet processing the receiver parses As in normal IPv6 receive side packet processing the receiver parses
the (extension) headers in order. Should it find a shim6 extension the (extension) headers in order. Should it find a shim6 extension
header it will look at the type field in that header. If the type is header it will look at the "P" field in that header. If this bit is
Payload message, then the packet must be passed to the shim6 payload zero, then the packet must be passed to the shim6 payload handling
handling for rewriting. (Otherwise, the shim6 control messages are for rewriting. Otherwise, the packet is passed to the shim6 control
handled as specified in other parts of this document.) handling.
The receiver extracts the context tag from the payload message 12.1 Receiving Payload Extension Headers
header, and uses this together with the IPv6 source and destination
address fields to find a host-pair context. If no context is found, The receiver extracts the context tag from the payload extension
the receiver SHOULD generate a No Such Context error message (see header, and uses this to find a ULID-pair context. If no context is
Section 8). found, the receiver SHOULD generate a R1bis message (see
Section 7.14).
Then, depending on the state of the context:
o If ESTABLISHED: Proceed to process message.
o If I1-SENT, discard the message and stay in I1-SENT.
o If I2-SENT, then send R2 and proceed to process the message.
o If I2BIS-SENT, then send R2 and proceed to process the message.
With the context in hand, the receiver can now replace the IP address With the context in hand, the receiver can now replace the IP address
fields with the ULIDs kept in the context. Finally, the Payload fields with the ULIDs kept in the context. Finally, the Payload
extension header is removed from the packet (so that the ULP doesn't extension header is removed from the packet (so that the ULP doesn't
get confused by it), and the next header value in the preceding get confused by it), and the next header value in the preceding
header is set to be the actual protocol number for the payload. Then header is set to be the actual protocol number for the payload. Then
the packet can be passed to the protocol identified by the next the packet can be passed to the protocol identified by the next
header value (which might be some function associated with the IP header value (which might be some function associated with the IP
endpoint sublayer, or a ULP). endpoint sublayer, or a ULP).
If the host is using some heuristic for determining when to perform a If the host is using some heuristic for determining when to perform a
deferred context establishment, then the host might need to do some deferred context establishment, then the host might need to do some
accounting (count the number of packets sent and received) for accounting (count the number of packets sent and received) for
packets that does not have a shim6 extension header. But the need packets that does not have a shim6 extension header and for which
for this depends on what heuristics the implementation has chosen. there is no context. But the need for this depends on what
heuristics the implementation has chosen.
16. Initial Contact 12.2 Receiving Shim Control messages
TBD Describe what inital contact is (basically some non-shim A shim control message has the checksum field verified. The Shim
communication starts between two ULIDs), and what the implications header length field is also verified against the length of the IPv6
are of failures. Basic option is to rely on the application retrying packet to make sure that the shim message doesn't claim to end past
and RFC 3484bis ordering of source and destination ULIDs. the end of the IPv6 packet. Finally, it checks that the neither the
IPv6 destination field nor the IPv6 source field is a multicast
address. If any of those checks fail, the packet is silently
dropped.
17. Open Issues The message is then dispatched based on the shim message type. Each
message type is then processed as described elsewhere in this
document. If the packet contains a shim message type which is
unknown to the receiver, then an ICMPv6 Parameter Problem error is
generated and sent back. The pointer field in the Parameter Problem
is set to point at the first octet of the shim message type. The
error is rate limited just like other ICMP errors [5].
All the control messages can contain any options with C=0. If there
is any option in the message with C=1 that isn't known to the host,
then the host MUST send an ICMPv6 Parameter Problem, with the Pointer
field referencing the first octet of the Option Type.
12.3 Context Lookup
We assume that each shim context has its own state machine. We
assume that a dispatcher delivers incoming packets to the state
machine that it belongs to. Here we describe the rules used for the
dispatcher to deliver packets to the correct shim context state
machine.
There is one state machine per context identified that is
conceptually identified by ULID pair and Forked Instance Identifier
(which is zero by default), or identified by CT(local). However, the
detailed lookup rules are more complex, especially during context
establishment.
Clearly, if the required context is not established, it will be in
IDLE state.
During context establishment, the context is identified as follows:
o I1 packets: Deliver to the context associated with the ULID pair
and the Forked Instance Identifier.
o I2 packets: Deliver to the context associated with the ULID pair
and the Forked Instance Identifier.
o R1 packets: Deliver to the context with the locator pair included
in the packet and the Initiator nonce included in the packet (R1
does not contain ULID pair nor the CT(local)). If no context
exist with this locator pair and Initiator nonce, then silently
discard.
o R2 packets: Deliver to the context with the locator pair included
in the packet and the Initiator nonce included in the packet (R2
does not contain ULID pair nor the CT(local)). If no context
exists with this locator pair and INIT nonce, then silently
discard.
o R1bis packet: deliver to the context that has the locator pair and
the CT(peer) equal to the Packet Context Tag included in the R1bis
packet.
o I2bis packets: Deliver to the context associated with the ULID
pair and the Forked Instance Identifier.
o Payload extension headers: Deliver to the context with CT(local)
equal to the Receiver Context Tag included in the packet.
o Other control messages (Update, Keepalive, Probe): Deliver to the
context with CT(local) equal to the Receiver Context Tag included
in the packet. Verify that the IPv6 source address field is part
of Ls(peer) and that the IPv6 destination address field is part of
Ls(local). If not, send a R1bis message.
o ICMP errors which contain a shim6 payload extension header or
other shim control packet in the "packet in error": Use the
"packet in error" for dispatching as follows. Deliver to the
context with CT(peer) equal to the Receiver Context Tag, Lp(local)
being the IPv6 source address, and Lp(peer) being the IPv6
destination address.
In addition, the shim on the sending side needs to be able to find
the context state when a ULP packet is passed down from the ULP. In
that case the lookup key is the pair of ULIDs and FII=0. If we have
a ULP API that allows the ULP to do context forking, then presumably
the ULP would pass down the Forked Instance Identifier.
13. Initial Contact
The initial contact is some non-shim communication between two ULIDs,
as defined in Section 2. At that point in time there is no activity
in the shim.
Whether the shim ends up being used or not (e.g., the peer might not
support shim6) it is highly desirable that the initial contact can be
established even if there is a failure for one or more IP addresses.
The approach taken is to rely on the applications and the transport
protocols to retry with different source and destination addresses,
consistent with what is already specified in Default Address
Selection [13], and some fixes to that specification [14] to make it
try different source addresses and not only different destination
addresses.
The implementation of such an approach can potentially result in long
timeouts. For instance, a naive implementation at the socket API
which uses getaddrinfo() to retrieve all destination addresses and
then tries to bind() and connect() to try all source and destination
address combinations waiting for TCP to time out for each combination
before trying the next one.
However, if implementations encapsulate this in some new connect-by-
name() API, and use non-blocking connect calls, it is possible to
cycle through the available combinations in a more rapid manner until
a working source and destination pair is found. Thus the issues in
this domain are issues of implementations and the current socket API,
and not issues of protocol specification. In all honesty, while
providing an easy to use connect-by-name() API for TCP and other
connection-oriented transports is easy; providing a similar
capability at the API for UDP is hard due to the protocol itself not
providing any "success" feedback. But even the UDP issue is one of
APIs and implementation.
14. Protocol constants
The protocol uses the following constants:
I1_RETRIES_MAX
I1_TIMEOUT = 4 seconds
NO_R1_HOLDDOWN_TIME = 1 min
ICMP_HOLDDOWN_TIME = 10 min
I2_TIMEOUT = 4 seconds
I2_RETRIES_MAX = 2
VALIDATOR_MIN_LIFETIME = 30 seconds
UPDATE_TIMEOUT = 4 seconds
The retransmit timers (I1_TIMEOUT, I2_TIMEOUT, UPDATE_TIMEOUT) are
subject to binary exponential backoff, as well as randomization
across a range of 0.5 and 1.5 times the nominal (backed off) value.
This removes any risk of synchronization between lots of hosts
performing independent shim operations at the same time.
The randomization is applied after the binary exponential backoff.
Thus the first retransmission would happen based on a uniformly
distributed random number in the range [0.5*4, 1.5*4] seconds, the
second retransmission [0.5*8, 1.5*8] seconds after the first one,
etc.
15. Open Issues
The following open issues are known: The following open issues are known:
o Forking the context state. On the mailing list we've discussed
the need to fork the context state, so that different ULP streams
can be sent using different locator pairs. No protocol extensions
are needed if any forking is done independently by each endpoint.
But if we want A to be able to tell B that certain traffic (a
5-tuple?) should be forked, then we need a way to convey this in
the shim6 protocol. The hard part would be defining what
selectors can be specified for the filter which determines which
traffic uses which of the forks. So the question is whether we
really need signaling for forking, or whether it is sufficient to
allow each endpoint to do its own selection of which locator pair
it is using for which traffic.
o If we allow forking, it seems like the mechanism for reachability
detection, whether it is CUD or FBD, must be applied separately
for each locator pair that is in use. Without forking a single
locator pair will be in use for each host-pair context, hence
things would be simpler.
o What happens when a host runs out of N bit context tags? When is
it safe for a host to reuse a context tag? With the unilateral
teardown one end might discard the context state long before the
other end.
o Should a host explicitly fail communication when a ULID becomes
invalid (based on RFC 2462 lifetimes or DHCPv6), or should we let
the communication continue using the invalidated ULID (it can
certainly work since other locators will be used).
o Should we rename "host-pair context" to be "ULID-pair context"?
If we've decided this is per ULID pair that might make sense.
o We need to pick some initial retransmit timers for I1 and I2. Is o NONE.
4 seconds ok?
o Should we require that the R1 verifier be usable for some minimum
time so that the initiator knows for how long time it can safely
retransmit I2 before it needs to go back to sending I1 again?
o Should we expand the context tag from 32 to 47 bits?
o Should we make the receiver not use the source locator to find the
context, but instead only use the context tag? (and optionally,
the destination locator). This would provide some flexibility for
the future. The potential downside, which we would need to
understand, is packet injection. *If* there is ingress filtering,
then we get some extra checking by including the source locator in
the lookup. But an on-path attacker can inject packets at will,
whether the source locator is part of the lookup or not. An off-
path attacker would have a hard time to guess a 47-bit number.
o Include locator list in R1 message to deal with R2 being dropped?
o Should we allow a host to intentionally discard the context state,
with the assumption that the peer is responsible to maintain it,
and detect failures? This might be useful in asymetric case, e.g.
a server which serves lots of clients, but it can't recover from
all failures. For instance, if the client doesn't send anything
for a while, and when the server starts to send the locator pair
doesn't work any more. In this case the server can do nothing
since it doesn't have a context with alternate locators, and the
client can't possibly know that the server might be having
problems reaching it.
o When does a host need to verify the locator list? Immediately
i.e. before accepting packets from those locators as the source
address? Or before sending packets to those locators? There are
some issues if it isn't verified immediately since it allows an
on-path attacker to send bogus update messages which can not be
verified; that would potentially make the host no longer accept
packets from the actual locator that the peer is using, and when
it tries to verify the locators it would find that they are "bad"
and has no alternate peer locator it can use. This is the case
even if the peer has sent a locator list as long as the attacker
has sent a more recent one.
18. Implications Elsewhere 16. Implications Elsewhere
The general shim6 approach, as well as the specifics of this proposed The general shim6 approach, as well as the specifics of this proposed
solution, has implications elsewhere. The key implications are: solution, has implications elsewhere. The key implications are:
o Applications that perform referrals, or callbacks using IP o Applications that perform referrals, or callbacks using IP
addresses as the 'identifiers' can still function in limited ways, addresses as the 'identifiers' can still function in limited ways,
as described in [18]. But in order for such applications to be as described in [21]. But in order for such applications to be
able to take advantage of the multiple locators for redundancy, able to take advantage of the multiple locators for redundancy,
the applications need to be modified to either use fully qualified the applications need to be modified to either use fully qualified
domain names as the 'identifiers', or they need to pass all the domain names as the 'identifiers', or they need to pass all the
locators as the 'identifiers' i.e., the 'identifier' from the locators as the 'identifiers' i.e., the 'identifier' from the
applications perspective becomes a set of IP addresses instead of applications perspective becomes a set of IP addresses instead of
a single IP address. a single IP address.
o Firewalls that today pass limited traffic, e.g., outbound TCP o Firewalls that today pass limited traffic, e.g., outbound TCP
connections, would presumably block the shim6 protocol. This connections, would presumably block the shim6 protocol. This
means that even when shim6 capable hosts are communicating, the I1 means that even when shim6 capable hosts are communicating, the I1
messages would be dropped, hence the hosts would not discover that messages would be dropped, hence the hosts would not discover that
their peer is shim6 capable. This is in fact a feature, since if their peer is shim6 capable. This is in fact a feature, since if
the hosts managed to establish a host-pair context, then the the hosts managed to establish a ULID-pair context, then the
firewall would probably drop the "different" packets that are sent firewall would probably drop the "different" packets that are sent
after a failure (those using the shim6 payload message with a TCP after a failure (those using the shim6 payload extension header
packet inside it). Thus stateful firewalls that are modified to with a TCP packet inside it). Thus stateful firewalls that are
allow shim6 messages through should also be modified to allow the modified to pass shim6 messages should also be modified to pass
payload messages through after a failure. This presumably implies the payload extension header, so that the shim can use the
that the firewall needs to track the set of locators in use by alternate locators to recover from failures. This presumably
looking at the shim6 exchanges. Such firewalls might even want to implies that the firewall needs to track the set of locators in
verify the locators using the HBA/CGA verification themselves. use by looking at the shim6 control exchanges. Such firewalls
might even want to verify the locators using the HBA/CGA
verification themselves, which they can do without modifying any
of the shim6 packets they pass through.
o Signaling protocols for QoS or other things that involve having o Signaling protocols for QoS or other things that involve having
devices in the network path look at IP addresses and port numbers, devices in the network path look at IP addresses and port numbers,
or IP addresses and Flow Labels, need to be invoked on the hosts or IP addresses and Flow Labels, need to be invoked on the hosts
when the locator pair changes due to a failure. At that point in when the locator pair changes due to a failure. At that point in
time those protocols need to inform the devices that a new pair of time those protocols need to inform the devices that a new pair of
IP addresses will be used for the flow. Note that this is the IP addresses will be used for the flow. Note that this is the
case even though we no longer overload the flow label as a context case even though this protocol, unlike some earlier proposals,
tag; the in-path devices need to know about the use of the new does not overload the flow label as a context tag; the in-path
locators even though the flow label stays the same. devices need to know about the use of the new locators even though
the flow label stays the same.
o MTU implications. The path MTU mechanisms we use are robust o MTU implications. The path MTU mechanisms we use are robust
against different packets taking different paths through the against different packets taking different paths through the
Internet, by computing a minimum over the recently observed path Internet, by computing a minimum over the recently observed path
MTUs. When shim6 fails over from using one locator pair to MTUs. When shim6 fails over from using one locator pair to
another pair, this means that packets might travel over a another pair, this means that packets might travel over a
different path through the Internet, hence the path MTU might be different path through the Internet, hence the path MTU might be
quite different. Perhaps such a path change would be a good hint quite different. Perhaps such a path change would be a good hint
to the path MTU mechanism to try a larger MTU? to the path MTU mechanism to try a larger MTU?
The fact that the shim, at least for uncommon payload types, will The fact that the shim will add an 8 octet payload extension
add an 8 octet extension header (the payload message) after a header to the ULP packets after a locator switch, can also affect
locator switch, can also affect the usable path MTU for the ULPs. the usable path MTU for the ULPs. In this case the MTU change is
In this case the MTU change is local to the sending host, thus local to the sending host, thus conveying the change to the ULPs
conveying the change to the ULPs is an implementation matter. is an implementation matter.
19. Security Considerations 17. Security Considerations
This document satisfies the concerns specified in [17] as follows: This document satisfies the concerns specified in [20] as follows:
o TBD: Using HBA or CGA for ...
o The HBA technique [7] for validating the locators to prevent an
attacker from redirecting the packet stream to somewhere else.
o Requiring a Reachability Probe+Reply before a new locator is used
as the destination, in order to prevent 3rd party flooding
attacks.
o The first message does not create any state on the responder.
Essentially a 3-way exchange is required before the responder
creates any state. This means that a state-based DoS attack
(trying to use up all of memory on the responder) at least
provides an IPv6 address that the attacker was using.
o The context establishment messages use nonces to prevent replay
attacks, and to prevent off-path attackers from interfering with
the establishment.
o Every control message of the shim6 protocol, past the context
establishment, carry the context tag assigned to the particular
context. This implies that an attacker needs to discover that
context tag before being able to spoof any shim6 control message.
Such discovery probably requires to be along the path in order to
be sniff the context tag value. The result is that through this
technique, the shim6 protocol is protected against off-path
attackers.
Some of the residual threats in this proposal are: Some of the residual threats in this proposal are:
o An attacker which arrives late on the path (after the context has o An attacker which arrives late on the path (after the context has
been established) can use the No Such Context error to cause one been established) can use the R1bis message to cause one peer to
peer to recreate the context, and at that point in time the recreate the context, and at that point in time the attacker can
attacker can observe all of the exchange. But this doesn't seem observe all of the exchange. But this doesn't seem to open any
to open any new doors for the attacker since such an attacker can new doors for the attacker since such an attacker can observe the
observe the Context tags that are being used, and once known it Context tags that are being used, and once known it can use those
can use those to send bogus messages. to send bogus messages.
o An attacker which is present on the path so that it can find out o An attacker which is present on the path so that it can find out
the context tags, can generate a No Such Context error after it the context tags, can generate a R1bis message after it has moved
has moved off the path. For this packet to be effective it needs off the path. For this packet to be effective it needs to have a
to have a source locator which belongs to the context, thus there source locator which belongs to the context, thus there can not be
can not be "too much" ingress filtering between the attackers new "too much" ingress filtering between the attackers new location
location and the communicating peers. But this doesn't seem to be and the communicating peers. But this doesn't seem to be that
that severe, because once the error causes the context to be torn severe, because once the R1bis causes the context to be re-
down and re-established, a new pair of context tags will be used, established, a new pair of context tags will be used, which will
which will not be known to the attacker. If this is still a not be known to the attacker. If this is still a concern, we
concern, we could require a 2-way handshake "did you really loose could require a 2-way handshake "did you really loose the state?"
the state?" in response to the error message. in response to the error message.
o It might be possible for an attacker to try random 32-bit context
o It might be possible for an attacker to try random 47-bit context
tags and see if they can cause disruption for communication tags and see if they can cause disruption for communication
between two hosts. We can make this harder by using a larger between two hosts. If a 47-bit tag, which is the largest that
context tag; 47 bits is the largest that fit in the 8-octet fits in an 8-octet extension header, isn't sufficient, one could
payload header. If this isn't sufficient, one could use an even use an even larger tag in the shim6 control messages, and use the
larger tag in the shim6 control messages, and use the low-order 47 low-order 47 bits in the payload extension header.
bits in the payload header.
20. IANA Considerations o When the payload extension header is used, an attacker that can
guess the 47-bit random context tag, can inject packets into the
context with any source locator. Thus if there is ingress
filtering between the attacker, this could potentially allow to
bypass the ingress filtering. However, in addition to guessing
the 47-bit context tag, the attacker also needs to find a context
where, after the receiver's replacement of the locators with the
ULIDs, the the ULP checksum is correct. But even this wouldn't be
sufficient with ULPs like TCP, since the TCP port numbers and
sequence numbers must match an existing connection. Thus, even
though the issues for off-path attackers injecting packets are
different than today with ingress filtering, it is still very hard
for an off-path attacker to guess. If IPsec is applied then the
issue goes away completely.
IANA needs to allocate a new IP Next Header value for this protocol. 18. IANA Considerations
IANA needs to allocate a new IP Protocol Number value for this
protocol.
IANA also needs to record a CGA message type for this protocol in the IANA also needs to record a CGA message type for this protocol in the
[CGA] namespace, 0x4A30 5662 4858 574B 3655 416F 506A 6D48. [CGA] namespace, 0x4A30 5662 4858 574B 3655 416F 506A 6D48.
TBD: the IANA rules for the shim6 message types and option types. This protocol introduces a new shim6 message type name space. The
initial assignment of the types is shown below.
21. Possible Protocol Extensions +------------+-----------------------------------------------------+
| Type Value | Message |
+------------+-----------------------------------------------------+
| 0 | RESERVED |
| | |
| 1 | I1 (first establishment message from the initiator) |
| | |
| 2 | R1 (first establishment message from the responder) |
| | |
| 3 | I2 (2nd establishment message from the initiator) |
| | |
| 4 | R2 (2nd establishment message from the responder) |
| | |
| 5 | R1bis (Reply to reference to non-existent context) |
| | |
| 6 | I2bis (Reply to a R1bis message) |
| | |
| 7-59 | Can be allocated using Standards Action |
| | |
| 60-63 | For Experimental use |
| | |
| 64 | Update Request |
| | |
| 65 | Update Acknowledgement |
| | |
| 66 | Keepalive |
| | |
| 67 | Probe Message |
| | |
| 68-123 | Can be allocated using Standards Action |
| | |
| 124-127 | For Experimental use |
+------------+-----------------------------------------------------+
This protocol introduces a new shim6 option type name space. The
initial assignment of the types is shown below.
+--------------+----------------------------------+
| Type | Option Name |
+--------------+----------------------------------+
| 0 | RESERVED |
| | |
| 1 | Validator |
| | |
| 2 | Locator List |
| | |
| 3 | Locator Preferences |
| | |
| 4 | CGA Parameter Data Structure |
| | |
| 5 | CGA Signature |
| | |
| 6 | ULID Pair |
| | |
| 7 | Forked Instance Identifier |
| | |
| 8-9 | Allocated using Standards action |
| | |
| 10 | Probe Option |
| | |
| 11 | Reachability Option |
| | |
| 12 | Payload Reception Report Option |
| | |
| 13-16383 | Allocated using Standards action |
| | |
| 16384-32767 | For Experimental use |
+--------------+----------------------------------+
19. Possible Protocol Extensions
During the development of this protocol, several issues have been During the development of this protocol, several issues have been
brought up as important one to address, but are ones that do not need brought up as important one to address, but are ones that do not need
to be in the base protocol itself but can instead be done as to be in the base protocol itself but can instead be done as
extensions to the protocol. The key ones are: extensions to the protocol. The key ones are:
o Is there need for keeping the list of locators private between the o Is there need for keeping the list of locators private between the
two communicating endpoints? We can potentially accomplish that two communicating endpoints? We can potentially accomplish that
when using CGA but not with HBA, but it comes at the cost of doing when using CGA but not with HBA, but it comes at the cost of doing
some public key encryption and decryption operations as part of some public key encryption and decryption operations as part of
the context establishment. The suggestion is to leave this for a the context establishment. The suggestion is to leave this for a
future extension to the protocol. future extension to the protocol.
o Defining some form of end-to-end "compression" mechanism that o Defining some form of end-to-end "compression" mechanism that
removes the need for including the Shim6 Payload extension header removes the need for including the Shim6 Payload extension header
when the locator pair is not the ULID pair. when the locator pair is not the ULID pair.
skipping to change at page 50, line 9 skipping to change at page 88, line 23
two communicating endpoints? We can potentially accomplish that two communicating endpoints? We can potentially accomplish that
when using CGA but not with HBA, but it comes at the cost of doing when using CGA but not with HBA, but it comes at the cost of doing
some public key encryption and decryption operations as part of some public key encryption and decryption operations as part of
the context establishment. The suggestion is to leave this for a the context establishment. The suggestion is to leave this for a
future extension to the protocol. future extension to the protocol.
o Defining some form of end-to-end "compression" mechanism that o Defining some form of end-to-end "compression" mechanism that
removes the need for including the Shim6 Payload extension header removes the need for including the Shim6 Payload extension header
when the locator pair is not the ULID pair. when the locator pair is not the ULID pair.
22. Change Log o Specifying a complete solution which carries locator preferences,
both within a site (e.g., DHCP option?), and use the Locator
Preference option to carry those in the shim protocol. This could
mirror the DNS SRV record's notion of priority and weight.
o Specifying APIs for the ULPs to be aware of the locators the shim
is using, and be able to influence the choice of locators. This
includes providing APIs the ULPs can use to fork a shim context.
o Whether it is feasible to relax the suggestions for when context
state is removed, so that one can end up with an asymmetric
distribution of the context state and still get (most of) the shim
benefits. For example, the busy server would go through the
context setup but would quickly remove the context state after
this (in order to save memory) but the not-so-busy client would
retain the context state. The context recovery mechanism
presented in Section 7.3 would then be recreate the state should
the client send either a shim control message (e.g., probe message
because it sees a problem), or a ULP packet in an payload
extension header (because it had earlier failed over to an
alternative locator pair, but had been silent for a while). This
seems to provide the benefits of the shim as long as the client
can detect the failure. If the client doesn't send anything, and
it is the server that tries to send, then it will not be able to
recover because the shim on the server has no context state, hence
doesn't know any alternate locator pairs.
o Study whether a host explicitly fail communication when a ULID
becomes invalid (based on RFC 2462 lifetimes or DHCPv6), or should
we let the communication continue using the invalidated ULID (it
can certainly work since other locators will be used).
o Study what it would take to make the shim6 control protocol not
rely at all on a stable source locator in the packets. This can
probably be accomplished by having all the shim control messages
include the ULID-pair option.
o If each host might have lots of locators, then the currently
requirement to include essentially all of them in the I2 and R2
messages might be constraining. If this is the case we can look
into using the CGA Parameter Data Structure for the comparison,
instead of the prefix sets, to be able to detect context
confusion. This would place some constraint on a (logical) only
using e.g., one CGA public key, and would require some carefully
crafted rules on how two PDSs are compared for "being the same
host". But if we don't expect more than a handful locators per
host, then we don't need this added complexity.
20. Change Log
The following changes have been made since draft-ietf-shim6-proto-02:
o Replaced the Context Error message with the R1bis message.
o Removed the Packet In Error option, since it was only used in the
Context Error message.
o Introduced a I2bis message which is sent in response to an I1bis
message, since the responders processing is quite in this case
than in the regular R1 case.
o Moved the packet formats for the Keepalive and Probe message types
and Event option to [9]. Only the message type values and option
type value are specified for those in this document.
o Removed the unused message types.
o Added a state machine description as an appendix.
o Filled in all the TBDs - except the IANA assignment of the
protocol number.
o Specified how context recovery and forked contexts work together.
This required the introduction of a Forked Instance option to be
able to tell which of possibly forked instances is being
recovered.
o Renamed the "host-pair context" to be "ULID-pair context".
o Picked some initial retransmit timers for I1 and I2; 4 seconds.
o Added timer values as protocol constants. The retransmit timers
use binary exponential backoff and randomization (between .5 and
1.5 of the nominal value).
o Require that the R1/R1bis verifiers be usable for some minimum
time so that the initiator knows for how long time it can safely
retransmit I2 before it needs to go back to sending I1 again.
Picked 30 seconds.
o Split the message type codes into 0-63, which will not generate
R1bis messages, and 64-127 which will generate R1bis messages.
This allows extensibility of the protocol with new message types
while being able to control when R1bis is generated.
o Expanded the context tag from 32 to 47 bits.
o Specified that enough locators need to be included in I2 and R2
messages. Specified that the HBA/CGA verification must be
performed when the locator set is received.
o Specified that ICMP parameter problem errors are sent in certain
error cases, for instance when the validation method is unknown to
the receiver, or there is an unknown message type or option type.
o Renamed "payload message" to be "payload extension header".
o Many editorial clarifications suggested by Geoff Huston.
o Modified the dispatching of payload extension header to only
compare CT(local) i.e., not compare the source and destination
IPv6 address fields.
The following changes have been made since draft-ietf-shim6-proto-00: The following changes have been made since draft-ietf-shim6-proto-00:
o Removed the use of the flow label and the overloading of the IP o Removed the use of the flow label and the overloading of the IP
protocol numbers. Instead, when the locator pair is not the ULID protocol numbers. Instead, when the locator pair is not the ULID
pair, the ULP payloads will be carried with an 8 octet extension pair, the ULP payloads will be carried with an 8 octet extension
header. The belief is that it is possible to remove these extra header. The belief is that it is possible to remove these extra
bytes by defining future shim6 extensions that exchange more bytes by defining future shim6 extensions that exchange more
information between the hosts, without having to overload the flow information between the hosts, without having to overload the flow
label or the IP protocol numbers. label or the IP protocol numbers.
o Grew the context tag from 20 bits to 32 bits, with the possibility o Grew the context tag from 20 bits to 32 bits, with the possibility
to grow it to 47 bits. This implies changes to the message to grow it to 47 bits. This implies changes to the message
formats. formats.
o Almost by accident, the new shim6 message format is very close to o Almost by accident, the new shim6 message format is very close to
the HIP message format. the HIP message format.
o Adopted the HIP format for the options, since this makes it easier o Adopted the HIP format for the options, since this makes it easier
to describe variable length options. The original, ND-style, to describe variable length options. The original, ND-style,
option format requires internal padding in the options to make option format requires internal padding in the options to make
them 8 octet length in total, while the HIP format handles that them 8 octet length in total, while the HIP format handles that
using the option length field. using the option length field.
o Removed some of the control messages, and renamed the other ones. o Removed some of the control messages, and renamed the other ones.
o Added a "generation" number to the Locator List option, so that o Added a "generation" number to the Locator List option, so that
the peers can ensure that the preferences refer to the right the peers can ensure that the preferences refer to the right
"version" of the Locator List. "version" of the Locator List.
o In order for FBD and exploration to work when there the use of the o In order for FBD and exploration to work when there the use of the
context is forked, that is different ULP messages are sent over context is forked, that is different ULP messages are sent over
different locator pairs, things are a lot easier if there is only different locator pairs, things are a lot easier if there is only
one current locator pair used for each context. Thus the forking one current locator pair used for each context. Thus the forking
of the context is now causing a new context to be established for of the context is now causing a new context to be established for
the same ULID; the new context having a new context tag. The the same ULID; the new context having a new context tag. The
original context is referred to as the "default" context for the original context is referred to as the "default" context for the
ULID pair. ULID pair.
o Added more background material and textual descriptions. o Added more background material and textual descriptions.
23. Acknowledgements 21. Acknowledgements
Over the years many people active in the multi6 and shim6 WGs have Over the years many people active in the multi6 and shim6 WGs have
contributed ideas a suggestions that are reflected in this draft. contributed ideas a suggestions that are reflected in this draft.
Thanks to Marcelo Bagnulo for providing comments on earlier versions Appendix A. Simplified State Machine
of this draft.
Appendix A. Design Alternatives The states are defined in Section 6.2. The intent is that the
stylized description below be consistent with the textual description
in the specification, but should they conflict, the textual
description is normative.
The following table describes the possible actions in state IDLE and
their respective triggers:
+---------------------+---------------------------------------------+
| Trigger | Action |
+---------------------+---------------------------------------------+
| Receive I1 | Send R1 and stay in IDLE |
| | |
| Heuristics trigger | Send I1 and move to I1-SENT |
| a new context | |
| establishment | |
| | |
| Receive I2, verify | If successful, send R2 and move to |
| validator and | ESTABLISHED |
| RESP nonce | |
| | If fail, stay in IDLE |
| | |
| Receive I2bis, | If successful, send R2 and move to |
| verify validator | ESTABLISHED |
| and RESP nonce | |
| | If fail, stay in IDLE |
| | |
| R1, R1bis, R2 | N/A (This context lacks the required info |
| | for the dispatcher to deliver them) |
| | |
| Receive payload | Send R1bis and stay in IDLE |
| extension header | |
| or other control | |
| packet | |
+---------------------+---------------------------------------------+
The following table describes the possible actions in state I1-SENT
and their respective triggers:
+---------------------+---------------------------------------------+
| Trigger | Action |
+---------------------+---------------------------------------------+
| Receive R1, verify | If successful, send I2 and move to I2-SENT |
| INIT nonce | |
| | If fail, discard and stay in I1-SENT |
| | |
| Receive I1 | Send R2 and stay in I1-SENT |
| | |
| Receive R2, verify | If successful, move to ESTABLISHED |
| INIT nonce | |
| | If fail, discard and stay in I1-SENT |
| | |
| Receive I2, verify | If successful, send R2 and move to |
| validator and RESP | ESTABLISHED |
| nonce | |
| | If fail, discard and stay in I1-SENT |
| | |
| Receive I2bis, | If successful, send R2 and move to |
| verify validator | ESTABLISHED |
| and RESP nonce | |
| | If fail, discard and stay in I1-SENT |
| | |
| Timeout, increment | If counter =< I1_RETRIES_MAX, send I1 and |
| timeout counter | stay in I1-SENT |
| | |
| | If counter > I1_RETRIES_MAX, go to E-FAILED |
| | |
| Receive ICMP payload| Move to E-FAILED |
| unknown error | |
| | |
| R1bis | N/A (Dispatcher doesn't deliver since |
| | CT(peer) is not set) |
| | |
| Receive Payload or | Discard and stay in I1-SENT |
| extension header | |
| or other control | |
| packet | |
+---------------------+---------------------------------------------+
The following table describes the possible actions in state I2-SENT
and their respective triggers:
+---------------------+---------------------------------------------+
| Trigger | Action |
+---------------------+---------------------------------------------+
| Receive R2, verify | If successful move to ESTABLISHED |
| INIT nonce | |
| | If fail, stay in I2-SENT |
| | |
| Receive I1 | Send R2 and stay in I2-SENT |
| | |
| Receive I2 | Send R2 and stay in I2-SENT |
| verify validator | |
| and RESP nonce | |
| | |
| Receive I2bis | Send R2 and stay in I2-SENT |
| verify validator | |
| and RESP nonce | |
| | |
| Receive R1 | Discard and stay in I2-SENT |
| | |
| Timeout, increment | If counter =< I2_RETRIES_MAX, send I2 and |
| timeout counter | stay in I2-SENT |
| | |
| | If counter > I2_RETRIES_MAX, send I1 and go |
| | to I1-SENT |
| | |
| R1bis | N/A (Dispatcher doesn't deliver since |
| | CT(peer) is not set) |
| | |
| Receive payload or | Accept and send I2 (probably R2 was sent |
| extension header | by peer and lost) |
| other control | |
| packet | |
+---------------------+---------------------------------------------+
The following table describes the possible actions in state I2BIS-
SENT and their respective triggers:
+---------------------+---------------------------------------------+
| Trigger | Action |
+---------------------+---------------------------------------------+
| Receive R2, verify | If successful move to ESTABLISHED |
| INIT nonce | |
| | If fail, stay in I2BIS-SENT |
| | |
| Receive I1 | Send R2 and stay in I2BIS-SENT |
| | |
| Receive I2 | Send R2 and stay in I2BIS-SENT |
| verify validator | |
| and RESP nonce | |
| | |
| Receive I2bis | Send R2 and stay in I2BIS-SENT |
| verify validator | |
| and RESP nonce | |
| | |
| Receive R1 | Discard and stay in I2BIS-SENT |
| | |
| Timeout, increment | If counter =< I2_RETRIES_MAX, send I2bis |
| timeout counter | and stay in I2BIS-SENT |
| | |
| | If counter > I2_RETRIES_MAX, send I1 and |
| | go to I1-SENT |
| | |
| R1bis | N/A (Dispatcher doesn't deliver since |
| | CT(peer) is not set) |
| | |
| Receive payload or | Accept and send I2bis (probably R2 was |
| extension header | sent by peer and lost) |
| other control | |
| packet | |
+---------------------+---------------------------------------------+
The following table describes the possible actions in state
ESTABLISHED and their respective triggers:
+---------------------+---------------------------------------------+
| Trigger | Action |
+---------------------+---------------------------------------------+
| Receive I1 | Send R2 and stay in ESTABLISHED |
| | |
| Receive I2, verify | If successful, then send R2 and stay in |
| validator and RESP | ESTABLISHED |
| nonce | |
| | Otherwise, discard and stay in ESTABLISHED |
| | |
| Receive I2bis, | If successful, then send R2 and stay in |
| verify validator | ESTABLISHED |
| and RESP nonce | |
| | Otherwise, discard and stay in ESTABLISHED |
| | |
| Receive R2 | Discard and stay in ESTABLISHED |
| | |
| Receive R1 | Discard and stay in ESTABLISHED |
| | |
| Receive R1bis | Send I2bis and move to I2BIS-SENT |
| | |
| | |
| Receive payload or | Process and stay in ESTABLISHED |
| extension header | |
| other control | |
| packet | |
| | |