--- 1/draft-ietf-shim6-proto-04.txt 2006-05-25 22:12:40.000000000 +0200 +++ 2/draft-ietf-shim6-proto-05.txt 2006-05-25 22:12:40.000000000 +0200 @@ -1,19 +1,19 @@ SHIM6 WG E. Nordmark Internet-Draft Sun Microsystems -Expires: September 5, 2006 M. Bagnulo +Expires: November 16, 2006 M. Bagnulo UC3M - March 4, 2006 + May 15, 2006 Level 3 multihoming shim protocol - draft-ietf-shim6-proto-04.txt + draft-ietf-shim6-proto-05.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that @@ -24,21 +24,21 @@ and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on September 5, 2006. + This Internet-Draft will expire on November 16, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract The SHIM6 protocol is a layer 3 shim for providing locator agility below the transport protocols, so that multihoming can be provided for IPv6 with failover and load sharing properties, without assuming @@ -46,187 +46,188 @@ prefix which is announced in the global IPv6 routing table. The hosts in a site which has multiple provider allocated IPv6 address prefixes, will use the shim6 protocol specified in this document to setup state with peer hosts, so that the state can later be used to failover to a different locator pair, should the original one stop working. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 - 1.1 Goals . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 1.2 Non-Goals . . . . . . . . . . . . . . . . . . . . . . . 6 - 1.3 Locators as Upper-layer Identifiers . . . . . . . . . . 6 - 1.4 IP Multicast . . . . . . . . . . . . . . . . . . . . . . 7 - 1.5 Renumbering Implications . . . . . . . . . . . . . . . . 8 - 1.6 Placement of the shim . . . . . . . . . . . . . . . . . 9 - 1.7 Traffic Engineering . . . . . . . . . . . . . . . . . . 11 - 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 12 - 2.1 Definitions . . . . . . . . . . . . . . . . . . . . . . 12 - 2.2 Notational Conventions . . . . . . . . . . . . . . . . . 15 - 3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . 16 - 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . 17 - 4.1 Context Tags . . . . . . . . . . . . . . . . . . . . . . 19 - 4.2 Context Forking . . . . . . . . . . . . . . . . . . . . 19 - 4.3 API Extensions . . . . . . . . . . . . . . . . . . . . . 20 - 4.4 Securing shim6 . . . . . . . . . . . . . . . . . . . . . 20 - 4.5 Overview of Shim Control Messages . . . . . . . . . . . 21 - 4.6 Extension Header Order . . . . . . . . . . . . . . . . . 22 - 5. Message Formats . . . . . . . . . . . . . . . . . . . . . . 24 - 5.1 Common shim6 Message Format . . . . . . . . . . . . . . 24 - 5.2 Payload Extension Header Format . . . . . . . . . . . . 24 - 5.3 Common Shim6 Control header . . . . . . . . . . . . . . 25 - 5.4 I1 Message Format . . . . . . . . . . . . . . . . . . . 27 - 5.5 R1 Message Format . . . . . . . . . . . . . . . . . . . 28 - 5.6 I2 Message Format . . . . . . . . . . . . . . . . . . . 30 - 5.7 R2 Message Format . . . . . . . . . . . . . . . . . . . 31 - 5.8 R1bis Message Format . . . . . . . . . . . . . . . . . . 33 - 5.9 I2bis Message Format . . . . . . . . . . . . . . . . . . 34 - 5.10 Update Request Message Format . . . . . . . . . . . . . 36 - 5.11 Update Acknowledgement Message Format . . . . . . . . . 38 - 5.12 Keepalive Message Format . . . . . . . . . . . . . . . . 39 - 5.13 Probe Message Format . . . . . . . . . . . . . . . . . . 39 - 5.14 Option Formats . . . . . . . . . . . . . . . . . . . . . 39 - 5.14.1 Responder Validator Option Format . . . . . . . . . 41 - 5.14.2 Locator List Option Format . . . . . . . . . . . . . 42 - 5.14.3 Locator Preferences Option Format . . . . . . . . . 43 - 5.14.4 CGA Parameter Data Structure Option Format . . . . . 45 - 5.14.5 CGA Signature Option Format . . . . . . . . . . . . 46 - 5.14.6 ULID Pair Option Format . . . . . . . . . . . . . . 47 - 5.14.7 Forked Instance Identifier Option Format . . . . . . 48 - 5.14.8 Probe Option Format . . . . . . . . . . . . . . . . 48 - 5.14.9 Reachability Option Format . . . . . . . . . . . . . 48 - 5.14.10 Payload Reception Report Option Format . . . . . . 48 - 6. Conceptual Model of a Host . . . . . . . . . . . . . . . . . 49 - 6.1 Conceptual Data Structures . . . . . . . . . . . . . . . 49 - 6.2 Context States . . . . . . . . . . . . . . . . . . . . . 50 - 7. Establishing ULID-Pair Contexts . . . . . . . . . . . . . . 52 - 7.1 Uniqness of Context Tags . . . . . . . . . . . . . . . . 52 - 7.2 Locator Verification . . . . . . . . . . . . . . . . . . 52 - 7.3 Normal context establishment . . . . . . . . . . . . . . 53 - 7.4 Concurrent context establishment . . . . . . . . . . . . 53 - 7.5 Context recovery . . . . . . . . . . . . . . . . . . . . 55 - 7.6 Context confusion . . . . . . . . . . . . . . . . . . . 57 - 7.7 Sending I1 messages . . . . . . . . . . . . . . . . . . 58 - 7.8 Retransmitting I1 messages . . . . . . . . . . . . . . . 58 - 7.9 Receiving I1 messages . . . . . . . . . . . . . . . . . 59 - 7.9.1 Generating the R1 Validator . . . . . . . . . . . . 60 - 7.10 Receiving R1 messages and sending I2 messages . . . . . 61 - 7.11 Retransmitting I2 messages . . . . . . . . . . . . . . . 62 - 7.12 Receiving I2 messages . . . . . . . . . . . . . . . . . 62 - 7.13 Sending R2 messages . . . . . . . . . . . . . . . . . . 64 - 7.14 Match for Context Confusion . . . . . . . . . . . . . . 64 - 7.15 Receiving R2 messages . . . . . . . . . . . . . . . . . 65 - 7.16 Sending R1bis messages . . . . . . . . . . . . . . . . . 66 - 7.16.1 Generating the R1bis Validator . . . . . . . . . . . 66 - 7.17 Receiving R1bis messages and sending I2bis messages . . 67 - 7.18 Retransmitting I2bis messages . . . . . . . . . . . . . 68 - 7.19 Receiving I2bis messages and sending R2 messages . . . . 68 - 8. Handling ICMP Error Messages . . . . . . . . . . . . . . . . 70 - 9. Teardown of the ULID-Pair Context . . . . . . . . . . . . . 72 - 10. Updating the Peer . . . . . . . . . . . . . . . . . . . . 73 - 10.1 Sending Update Request messages . . . . . . . . . . . . 73 - 10.2 Retransmitting Update Request messages . . . . . . . . . 73 - 10.3 Newer Information While Retransmitting . . . . . . . . . 74 - 10.4 Receiving Update Request messages . . . . . . . . . . . 74 - 10.5 Receiving Update Acknowledgement messages . . . . . . . 76 - 11. Sending ULP Payloads . . . . . . . . . . . . . . . . . . . 77 - 11.1 Sending ULP Payload after a Switch . . . . . . . . . . . 77 - 12. Receiving Packets . . . . . . . . . . . . . . . . . . . . 79 - 12.1 Receiving Payload Extension Headers . . . . . . . . . . 79 - 12.2 Receiving Shim Control messages . . . . . . . . . . . . 79 - 12.3 Context Lookup . . . . . . . . . . . . . . . . . . . . . 80 - 13. Initial Contact . . . . . . . . . . . . . . . . . . . . . 82 - 14. Protocol constants . . . . . . . . . . . . . . . . . . . . 83 - 15. Implications Elsewhere . . . . . . . . . . . . . . . . . . 84 - 16. Security Considerations . . . . . . . . . . . . . . . . . 86 - 17. IANA Considerations . . . . . . . . . . . . . . . . . . . 88 - 18. Acknowledgements . . . . . . . . . . . . . . . . . . . . . 90 - A. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . 91 - B. Possible Protocol Extensions . . . . . . . . . . . . . . . . 92 - C. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 94 - D. Simplified State Machine . . . . . . . . . . . . . . . . . . 97 - D.1 Simplified State Machine diagram . . . . . . . . . . . . 102 - E. Context Tag Reuse . . . . . . . . . . . . . . . . . . . . . 103 - E.1 Context Recovery . . . . . . . . . . . . . . . . . . . . 103 - E.2 Context Confusion . . . . . . . . . . . . . . . . . . . 103 - E.3 Three Party Context Confusion . . . . . . . . . . . . . 104 - F. Design Alternatives . . . . . . . . . . . . . . . . . . . . 105 - F.1 Context granularity . . . . . . . . . . . . . . . . . . 105 - F.2 Demultiplexing of data packets in shim6 communications . 105 - F.2.1 Flow-label . . . . . . . . . . . . . . . . . . . . . 106 - F.2.2 Extension Header . . . . . . . . . . . . . . . . . . 108 - F.3 Context Loss Detection . . . . . . . . . . . . . . . . . 109 - F.4 Securing locator sets . . . . . . . . . . . . . . . . . 111 - F.5 ULID-pair context establishment exchange . . . . . . . . 114 - F.6 Updating locator sets . . . . . . . . . . . . . . . . . 115 - F.7 State Cleanup . . . . . . . . . . . . . . . . . . . . . 115 - 19. References . . . . . . . . . . . . . . . . . . . . . . . . 118 - 19.1 Normative References . . . . . . . . . . . . . . . . . . 118 - 19.2 Informative References . . . . . . . . . . . . . . . . . 118 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 120 - Intellectual Property and Copyright Statements . . . . . . . 121 + 1.1. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 5 + 1.2. Non-Goals . . . . . . . . . . . . . . . . . . . . . . . . 6 + 1.3. Locators as Upper-layer Identifiers . . . . . . . . . . . 6 + 1.4. IP Multicast . . . . . . . . . . . . . . . . . . . . . . 7 + 1.5. Renumbering Implications . . . . . . . . . . . . . . . . 8 + 1.6. Placement of the shim . . . . . . . . . . . . . . . . . . 9 + 1.7. Traffic Engineering . . . . . . . . . . . . . . . . . . . 10 + 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 12 + 2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 12 + 2.2. Notational Conventions . . . . . . . . . . . . . . . . . 15 + 3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 16 + 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 17 + 4.1. Context Tags . . . . . . . . . . . . . . . . . . . . . . 19 + 4.2. Context Forking . . . . . . . . . . . . . . . . . . . . . 19 + 4.3. API Extensions . . . . . . . . . . . . . . . . . . . . . 20 + 4.4. Securing shim6 . . . . . . . . . . . . . . . . . . . . . 20 + 4.5. Overview of Shim Control Messages . . . . . . . . . . . . 21 + 4.6. Extension Header Order . . . . . . . . . . . . . . . . . 22 + 5. Message Formats . . . . . . . . . . . . . . . . . . . . . . . 24 + 5.1. Common shim6 Message Format . . . . . . . . . . . . . . . 24 + 5.2. Payload Extension Header Format . . . . . . . . . . . . . 24 + 5.3. Common Shim6 Control header . . . . . . . . . . . . . . . 25 + 5.4. I1 Message Format . . . . . . . . . . . . . . . . . . . . 27 + 5.5. R1 Message Format . . . . . . . . . . . . . . . . . . . . 28 + 5.6. I2 Message Format . . . . . . . . . . . . . . . . . . . . 29 + 5.7. R2 Message Format . . . . . . . . . . . . . . . . . . . . 31 + 5.8. R1bis Message Format . . . . . . . . . . . . . . . . . . 33 + 5.9. I2bis Message Format . . . . . . . . . . . . . . . . . . 34 + 5.10. Update Request Message Format . . . . . . . . . . . . . . 36 + 5.11. Update Acknowledgement Message Format . . . . . . . . . . 38 + 5.12. Keepalive Message Format . . . . . . . . . . . . . . . . 39 + 5.13. Probe Message Format . . . . . . . . . . . . . . . . . . 39 + 5.14. Option Formats . . . . . . . . . . . . . . . . . . . . . 40 + 5.14.1. Responder Validator Option Format . . . . . . . . . 42 + 5.14.2. Locator List Option Format . . . . . . . . . . . . . 42 + 5.14.3. Locator Preferences Option Format . . . . . . . . . 44 + 5.14.4. CGA Parameter Data Structure Option Format . . . . . 46 + 5.14.5. CGA Signature Option Format . . . . . . . . . . . . 46 + 5.14.6. ULID Pair Option Format . . . . . . . . . . . . . . 47 + 5.14.7. Forked Instance Identifier Option Format . . . . . . 48 + 5.14.8. Probe Option Format . . . . . . . . . . . . . . . . 48 + 5.14.9. Reachability Option Format . . . . . . . . . . . . . 49 + 5.14.10. Payload Reception Report Option Format . . . . . . . 49 + 6. Conceptual Model of a Host . . . . . . . . . . . . . . . . . 50 + 6.1. Conceptual Data Structures . . . . . . . . . . . . . . . 50 + 6.2. Context States . . . . . . . . . . . . . . . . . . . . . 51 + 7. Establishing ULID-Pair Contexts . . . . . . . . . . . . . . . 53 + 7.1. Uniqueness of Context Tags . . . . . . . . . . . . . . . 53 + 7.2. Locator Verification . . . . . . . . . . . . . . . . . . 53 + 7.3. Normal context establishment . . . . . . . . . . . . . . 54 + 7.4. Concurrent context establishment . . . . . . . . . . . . 54 + 7.5. Context recovery . . . . . . . . . . . . . . . . . . . . 56 + 7.6. Context confusion . . . . . . . . . . . . . . . . . . . . 58 + 7.7. Sending I1 messages . . . . . . . . . . . . . . . . . . . 59 + 7.8. Retransmitting I1 messages . . . . . . . . . . . . . . . 59 + 7.9. Receiving I1 messages . . . . . . . . . . . . . . . . . . 60 + 7.10. Sending R1 messages . . . . . . . . . . . . . . . . . . . 61 + 7.10.1. Generating the R1 Validator . . . . . . . . . . . . 61 + 7.11. Receiving R1 messages and sending I2 messages . . . . . . 62 + 7.12. Retransmitting I2 messages . . . . . . . . . . . . . . . 63 + 7.13. Receiving I2 messages . . . . . . . . . . . . . . . . . . 63 + 7.14. Sending R2 messages . . . . . . . . . . . . . . . . . . . 65 + 7.15. Match for Context Confusion . . . . . . . . . . . . . . . 65 + 7.16. Receiving R2 messages . . . . . . . . . . . . . . . . . . 66 + 7.17. Sending R1bis messages . . . . . . . . . . . . . . . . . 67 + 7.17.1. Generating the R1bis Validator . . . . . . . . . . . 67 + 7.18. Receiving R1bis messages and sending I2bis messages . . . 68 + 7.19. Retransmitting I2bis messages . . . . . . . . . . . . . . 69 + 7.20. Receiving I2bis messages and sending R2 messages . . . . 69 + 8. Handling ICMP Error Messages . . . . . . . . . . . . . . . . 71 + 9. Teardown of the ULID-Pair Context . . . . . . . . . . . . . . 73 + 10. Updating the Peer . . . . . . . . . . . . . . . . . . . . . . 74 + 10.1. Sending Update Request messages . . . . . . . . . . . . . 74 + 10.2. Retransmitting Update Request messages . . . . . . . . . 74 + 10.3. Newer Information While Retransmitting . . . . . . . . . 75 + 10.4. Receiving Update Request messages . . . . . . . . . . . . 75 + 10.5. Receiving Update Acknowledgement messages . . . . . . . . 77 + 11. Sending ULP Payloads . . . . . . . . . . . . . . . . . . . . 78 + 11.1. Sending ULP Payload after a Switch . . . . . . . . . . . 78 + 12. Receiving Packets . . . . . . . . . . . . . . . . . . . . . . 80 + 12.1. Receiving Payload Extension Headers . . . . . . . . . . . 80 + 12.2. Receiving Shim Control messages . . . . . . . . . . . . . 80 + 12.3. Context Lookup . . . . . . . . . . . . . . . . . . . . . 81 + 13. Initial Contact . . . . . . . . . . . . . . . . . . . . . . . 83 + 14. Protocol constants . . . . . . . . . . . . . . . . . . . . . 84 + 15. Implications Elsewhere . . . . . . . . . . . . . . . . . . . 85 + 16. Security Considerations . . . . . . . . . . . . . . . . . . . 87 + 17. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 89 + 18. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 91 + Appendix A. Possible Protocol Extensions . . . . . . . . . . 92 + Appendix B. Simplified State Machine . . . . . . . . . . . . 94 + Appendix B.1. Simplified State Machine diagram . . . . . . . . 100 + Appendix C. Context Tag Reuse . . . . . . . . . . . . . . . . 101 + Appendix C.1. Context Recovery . . . . . . . . . . . . . . . . 101 + Appendix C.2. Context Confusion . . . . . . . . . . . . . . . . 101 + Appendix C.3. Three Party Context Confusion . . . . . . . . . . 102 + Appendix D. Design Alternatives . . . . . . . . . . . . . . . 103 + Appendix D.1. Context granularity . . . . . . . . . . . . . . . 103 + Appendix D.2. Demultiplexing of data packets in shim6 + communications . . . . . . . . . . . . . . . . . 103 + Appendix D.2.1. Flow-label . . . . . . . . . . . . . . . . . . . 104 + Appendix D.2.2. Extension Header . . . . . . . . . . . . . . . . 106 + Appendix D.3. Context Loss Detection . . . . . . . . . . . . . 107 + Appendix D.4. Securing locator sets . . . . . . . . . . . . . . 109 + Appendix D.5. ULID-pair context establishment exchange . . . . 112 + Appendix D.6. Updating locator sets . . . . . . . . . . . . . . 113 + Appendix D.7. State Cleanup . . . . . . . . . . . . . . . . . . 113 + Appendix E. Change Log . . . . . . . . . . . . . . . . . . . 116 + 19. References . . . . . . . . . . . . . . . . . . . . . . . . . 120 + 19.1. Normative References . . . . . . . . . . . . . . . . . . 120 + 19.2. Informative References . . . . . . . . . . . . . . . . . 120 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 122 + Intellectual Property and Copyright Statements . . . . . . . . . 123 1. Introduction This document describes a layer 3 shim approach and protocol for providing locator agility below the transport protocols, so that multihoming can be provided for IPv6 with failover and load sharing properties [15], without assuming that a multihomed site will have a provider independent IPv6 address which is announced in the global IPv6 routing table. The hosts in a site which has multiple provider allocated IPv6 address prefixes, will use the shim6 protocol specified in this document to setup state with peer hosts, so that the state can later be used to failover to a different locator pair, should the original one stop working. We assume that redirection attacks are prevented using the mechanism specified in HBA [7]. - The reachability detection and failure detection, including how a new - working locator pair is discovered after a failure, is specified in a + The reachability and failure detection, including how a new working + locator pair is discovered after a failure, is specified in a separate documents [8] This document allocates message types and option types for that sub-protocol, and leaves the specification of the message and option formats as well as the protocol behavior to that document. -1.1 Goals +1.1. Goals The goals for this approach is to: o Preserve established communications through certain classes of failures, for example, TCP connections and application communications using UDP. o Have minimal impact on upper layer protocols in general and on transport protocols in particular. o Address the security threats in [19] through the combination of the HBA/CGA approach specified in a separate document [7], and techniques described in this document. - o Do not require an extra roundtrip up front to setup shim specific - state. Instead allow the upper layer traffic (e.g., TCP) to flow - as normal and defer the setup of the shim state until some number - of packets have been exchanged. + o Not require extra roundtrip up front to setup shim specific state. + Instead allow the upper layer traffic (e.g., TCP) to flow as + normal and defer the setup of the shim state until some number of + packets have been exchanged. o Take advantage of multiple locators/addresses for load spreading so that different sets of communication to a host (e.g., different connections) might use different locators of the host. Note that this might cause load to be spread unevenly, thus we use the term "load spreading" instead of "load balancing". This capability might enable some forms of traffic engineering, but the details for traffic engineering, including what requirements can be satisfied, are not specified in this document, and form part of a potential extensions to this protocol. -1.2 Non-Goals +1.2. Non-Goals The assumption is that the problem we are trying to solve is site multihoming, with the ability to have the set of site locator prefixes change over time due to site renumbering. Further, we assume that such changes to the set of locator prefixes can be relatively slow and managed; slow enough to allow updates to the DNS to propagate. But it is not a goal to try to make communication survive a renumbering event (which causes all the locators of a host to change to a new set of locators). This proposal does not attempt to solve the, perhaps related, problem of host mobility. However, it @@ -235,21 +236,21 @@ This proposal also does not try to provide a new network level or transport level identifier namespace separated from the current IP address namespace. Even though such a concept would be useful to ULPs and applications, especially if the management burden for such a name space was negligible and there was an efficient yet secure mechanism to map from identifiers to locators, such a name space isn't necessary (and furthermore doesn't seem to help) to solve the multihoming problem. -1.3 Locators as Upper-layer Identifiers +1.3. Locators as Upper-layer Identifiers This approach does not introduce a new identifier name space but instead uses the locator that is selected in the initial contact with the remote peer as the preserved upper-level identifier. While there may be subsequent changes in the selected network level locators over time in response to failures in using the original locator, the upper level protocol stack elements will continue to use this upper level identifier without change. This implies that the ULID selection is performed as today's default @@ -278,21 +279,21 @@ For example, the protocol already needs to handle ULIDs that are not initially reachable. Thus the same mechanism can handle ULIDs that are permanently unreachable from outside their site. The issue becomes how to make the protocol perform well when the ULID is known a priori to be not reachable (e.g., the ULID is a ULA), for instance, avoiding any timeout and retries in this case. In addition one would need to understand how the ULAs would be entered in the DNS to avoid a performance impact on existing, non-shim6 aware, IPv6 hosts potentially trying to communicate to the (unreachable) ULA. -1.4 IP Multicast +1.4. IP Multicast IP Multicast requires that the IP source address field contain a topologically correct locator for interface that is used to send the packet, since IP multicast routing uses both the source address and the destination group to determine where to forward the packet. (This isn't much different than the situation with widely implemented ingress filtering [10] for unicast.) While in theory it would be possible to apply the shim re-mapping of the IP address fields between ULIDs and locators, the fact that all @@ -305,21 +306,21 @@ important to the application. In summary, IP multicast will not need the shim to remap the IP addresses. This doesn't prevent the receiver of multicast to change its locators, since the receiver is not explicitly identified; the destination address is a multicast address and not the unicast locator of the receiver. -1.5 Renumbering Implications +1.5. Renumbering Implications As stated above, this approach does not try to make communication survive renumbering in the general case. When a host is renumbered, the effect is that one or more locators become invalid, and zero or more locators are added to the host's network interface. This means that the set of locators that is used in the shim will change, which the shim can handle as long as not all the original locators become invalid at the same time. @@ -327,22 +328,22 @@ survive locators becoming invalid can potentially cause some confusion at the upper layers. The fact that a ULID might be used with a different locator over time open up the possibility that communication between two ULIDs might continue to work after one or both of those ULIDs are no longer reachable as locators, for example due to a renumbering event. This opens up the possibility that the ULID (or at least the prefix on which it is based) is reassigned to another site while it is still being used (with another locator) for existing communication. - Worst case we could end up with two separate hosts using the same - ULID while both of them are communicating with the same host. + In the worst case we could end up with two separate hosts using the + same ULID while both of them are communicating with the same host. This potential source for confusion can be avoided if we require that any communication using a ULID must be terminated when the ULID becomes invalid (due to the underlying prefix becoming invalid). If that behavior is desired, it can be accomplished by explicitly discarding the shim state when the ULID becomes invalid. The context recovery mechanism will then make the peer aware that the context is gone, and that the ULID is no longer present at the same locator(s). However, terminating the communication might be overkill. Even when @@ -353,42 +354,42 @@ the identical address be used by another host, then there still wouldn't be a problem until that host attempts to communicate with the same peer host with which the initial user of the IPv6 address was communicating. The protocol as specified in this document does not perform any action when an address becomes invalid. As we gain further understanding of the practical impact of renumbering this might change in a future version of the protocol. -1.6 Placement of the shim +1.6. Placement of the shim ----------------------- | Transport Protocols | ----------------------- ------ ------- -------------- ------------- IP endpoint | AH | | ESP | | Frag/reass | | Dest opts | sub-layer ------ ------- -------------- ------------- --------------------- | shim6 shim layer | --------------------- ------ IP routing | IP | sub-layer ------ Figure 1: Protocol stack - The proposal uses an multihoming shim layer within the IP layer, - i.e., below the ULPs, as shown in Figure 1, in order to provide ULP + The proposal uses a multihoming shim layer within the IP layer, i.e., + below the ULPs, as shown in Figure 1, in order to provide ULP independence. The multihoming shim layer behaves as if it is associated with an extension header, which would be placed after any routing-related headers in the packet (such as any hop-by-hop options, or routing header). However, when the locator pair is the ULID pair there is no data that needs to be carried in an extension header, thus none is needed in that case. Layering AH and ESP above the multihoming shim means that IPsec can be made to be unaware of locator changes the same way that transport protocols can be unaware. Thus the IPsec security associations @@ -446,21 +447,21 @@ Conceptually one could view this approach as if both ULIDs and locators are being present in every packet, and with a header compression mechanism applied that removes the need for the ULIDs to be carried in the packets once the compression state has been established. In order for the receiver to recreate a packet with the correct ULIDs there is a need to include some "compression tag" in the data packets. This serves to indicate the correct context to use for decompression when the locator pair in the packet is insufficient to uniquely identify the context. -1.7 Traffic Engineering +1.7. Traffic Engineering At the time of this writing it is not clear what requirements for traffic engineering make sense for the shim6 protocol, since the requirements must both result in some useful behavior as well as be implementable using a host-to-host locator agility mechanism like shim6. Inherent in a scalable multihoming mechanism that separates locators from identifiers is that each host ends up with multiple locators. This means that at least for initial contact, it is the remote peer @@ -483,29 +484,29 @@ that DNS SRV records can be used for initial contact and the shim for failover, and they can use the same way to describe the preferences. The format allows adding additional notions of "metrics" over time. But the Locator Preference option is merely a place holder when it comes to providing traffic engineering; in order to use this in a large site there would have to be a mechanism by which the host can find out what preference values to use, either statically (e.g., some new DHCPv6 option) or dynamically. Thus traffic engineering is listed as a possible extension in - Appendix B. + Appendix A. 2. Terminology This document uses the terms MUST, SHOULD, RECOMMENDED, MAY, SHOULD NOT and MUST NOT defined in RFC 2119 [1]. The terms defined in RFC 2460 [2] are also used. -2.1 Definitions +2.1. Definitions This document introduces the following terms: upper layer protocol (ULP) A protocol layer immediately above IP. Examples are transport protocols such as TCP and UDP, control protocols such as ICMP, routing protocols such as OSPF, and internet or lower-layer protocols being "tunneled" over (i.e., encapsulated in) IP such as IPX, AppleTalk, or IP @@ -611,21 +612,21 @@ Cryptographically Generated Addresses (CGA) A form of IPv6 address where the interface ID is derived from a cryptographic hash of the public key. See [6]. CGA Parameter Data Structure (PDS) The information that CGA and HBA exchanges in order to inform the peer of how the interface ID was computed. See [6]., [7]. -2.2 Notational Conventions +2.2. Notational Conventions A, B, and C are hosts. X is a potentially malicious host. FQDN(A) is the domain name for A. Ls(A) is the locator set for A, which consists of the locators L1(A), L2(A), ... Ln(A). ULID(A) is an upper-layer ID for A. In this proposal, ULID(A) is always one member of A's locator set. @@ -781,42 +782,42 @@ as long as the ULID pair is used as the locator pair. After a switch to a different locator pair the packets are "tagged" with a shim6 extension header, so that the receiver can always determine the context to which they belong. This is accomplished by including an 8-octet shim6 Payload Extension header before the (extension) headers that are processed by the IP endpoint sublayer and ULPs. If subsequently the original ULIDs are selected as the active locator pair then the tagging of packets with the shim6 extension header can also be stopped. -4.1 Context Tags +4.1. Context Tags A context between two hosts is actually a context between two ULIDs. The context is identified by a pair of context tags. Each end gets to allocate a context tag, and once the context is established, most shim6 control messages contain the context tag that the receiver of the message allocated. Thus at a minimum the combination of have to uniquely identify one context. But since the Payload extension headers are demultiplexed without looking at the locators in the packet, the receiver will need to allocate context tags that are unique for all its contexts. The context tag is a 47-bit number (the largest which can fit in an 8-octet extension header). The mechanism for detecting a loss of context state at the peer that is currently proposed in this document assumes that the receiver can tell the packets that need locator rewriting, even after it has lost all state (e.g., due to a crash followed by a reboot). This is achieved because after a rehoming event the packets that need receive-side rewriting, carry the Payload extension header. -4.2 Context Forking +4.2. Context Forking It has been asserted that it will be important for future ULPs, in particular, future transport protocols, to be able to control which locator pairs are used for different communication. For instance, host A and host B might communicate using both VoIP traffic and ftp traffic, and those communications might benefit from using different locator pairs. However, the fundamental shim6 mechanism uses a single current locator pair for each context, thus a single context can not accomplish this. @@ -835,35 +836,35 @@ No other special considerations are needed in the shim6 protocol to handle forked contexts. Note that forking as specified does NOT allow A to be able to tell B that certain traffic (a 5-tuple?) should be forked for the reverse direction. The shim6 forking mechanism as specified applies only to the sending of ULP packets. If some ULP wants to fork for both directions, it is up to the ULP to set this up, and then instruct the shim at each end to transmit using the forked context. -4.3 API Extensions +4.3. API Extensions Several API extensions have been discussed for shim6, but their actual specification is out of scope for this document. The simplest one would be to add a socket option to be able to have traffic bypass the shim (not create any state, and not use any state created by other traffic). This could be an IPV6_DONTSHIM socket option. Such an option would be useful for protocols, such as DNS, where the application has its own failover mechanism (multiple NS records in the case of DNS) and using the shim could potentially add extra latency with no added benefits. - Some other API extensions are discussed in Appendix B + Some other API extensions are discussed in Appendix A -4.4 Securing shim6 +4.4. Securing shim6 The mechanisms are secured using a combination of techniques: o The HBA technique [7] for verifying the locators to prevent an attacker from redirecting the packet stream to somewhere else. o Requiring a Reachability Probe+Reply before a new locator is used as the destination, in order to prevent 3rd party flooding attacks. @@ -879,21 +880,21 @@ o Every control message of the shim6 protocol, past the context establishment, carry the context tag assigned to the particular context. This implies that an attacker needs to discover that context tag before being able to spoof any shim6 control message. Such discovery probably requires to be along the path in order to be sniff the context tag value. The result is that through this technique, the shim6 protocol is protected against off-path attackers. -4.5 Overview of Shim Control Messages +4.5. Overview of Shim Control Messages The shim6 context establishment is accomplished using four messages; I1, R1, I2, R2. Normally they are sent in that order from initiator and responder, respectively. Should both ends attempt to set up context state at the same time (for the same ULID pair), then their I1 messages might cross in flight, and result in an immediate R2 message. [The names of these messages are borrowed from HIP [25].] R1bis and I2bis messages are defined, which are used to recover a context after it has been lost. A R1bis message is sent when a shim6 @@ -929,32 +930,32 @@ The above probe and keepalive messages assume we have an established ULID-pair context. However, communication might fail during the initial contact (that is, when the application or transport protocol is trying to setup some communication). This is handled using the mechanisms in the ULP to try different address pairs as specified in [12] [13]. In the future versions of the protocol, and with a richer API between the ULP and the shim, the shim might be help optimize discovering a working locator pair during initial contact. This is for further study. -4.6 Extension Header Order +4.6. Extension Header Order Since the shim is placed between the IP endpoint sub-layer and the IP routing sub-layer in the host, the shim header will be placed before any endpoint extension headers (fragmentation headers, destination options header, AH, ESP), but after any routing related headers (hop- by-hop extensions header, routing header, a destinations options header which precedes a routing header). When tunneling is used, whether IP-in-IP tunneling or the special form of tunneling that Mobile IPv6 uses (with Home Address Options and Routing header type 2), there is a choice whether the shim applies inside the tunnel or - outside the tunnel, which effects the location of the shim6 header. + outside the tunnel, which affects the location of the shim6 header. In most cases IP-in-IP tunnels are used as a routing technique, thus it makes sense to apply them on the locators which means that the sender would insert the shim6 header after any IP-in-IP encapsulation; this is what occurs naturally when routers apply IP- in-IP encapsulation. Thus the packets would have: o Outer IP header o Inner IP header @@ -988,42 +989,42 @@ be assigned by IANA]. The shim6 messages have a common header, defined below, with some fixed fields, followed by type specific fields. The shim6 messages are structured as an IPv6 extension header since the Payload extension header is used to carry the ULP packets after a locator switch. The shim6 control messages use the same extension header formats so that a single "protocol number" needs to be allowed through firewalls in order for shim6 to function across the firewall. -5.1 Common shim6 Message Format +5.1. Common shim6 Message Format The first 17 bits of the shim6 header is common for the Payload extension header and the control messages and looks as follows: 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Hdr Ext Len |P| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: Next Header: The payload which follows this header. Hdr Ext Len: 8-bit unsigned integer. Length of the shim6 header in 8-octet units, not including the first 8 octets. P: A single bit to distinguish Payload extension headers from control messages. -5.2 Payload Extension Header Format +5.2. Payload Extension Header Format The payload extension headers is used to carry ULP packets where the receiver must replace the content of the source and/or destination fields in the IPv6 header before passing the packet to the ULP. Thus this extension header is required when the locators pair that is used is not the same as the ULID pair. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -1037,21 +1038,21 @@ Next Header: The payload which follows this header. Hdr Ext Len: 0 (since the header is 8 octets). P: Set to one. A single bit to distinguish this from the shim6 control messages. Receiver Context Tag: 47-bit unsigned integer. Allocated by the receiver for use to identify the context. -5.3 Common Shim6 Control header +5.3. Common Shim6 Control header The common part of the header has a next header and header extension length field which is consistent with the other IPv6 extension headers, even if the next header value is always "NO NEXT HEADER" for the control messages; only the payload extension header use the Next Header field. The shim6 headers must be a multiple of 8 octets, hence the minimum size is 8 octets. @@ -1119,21 +1120,21 @@ | | | | 65 | Update Acknowledgement | | | | | 66 | Keepalive | | | | | 67 | Probe Message | +------------+-----------------------------------------------------+ Table 1 -5.4 I1 Message Format +5.4. I1 Message Format The I1 message is the first message in the context establishment exchange. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 59 | Hdr Ext Len |0| Type = 1 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum |R| | @@ -1173,21 +1175,25 @@ ULID pair: When the IPv6 source and destination addresses in the IPv6 header does not match the ULID pair, this option MUST be included. An example of this is when recovering from a lost context. Forked Instance Identifier: When another instance of an existent context with the same ULID pair is being created, a Forked Instance Identifier option is included to distinguish this new instance from the existent one. -5.5 R1 Message Format + Future protocol extensions might define additional options for this + message. The C-bit in the option format defines how such a new + option will be handled by an implementation. See Section 5.14. + +5.5. R1 Message Format The R1 message is the second message in the context establishment exchange. The responder sends this in response to an I1 message, without creating any state specific to the initiator. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 59 | Hdr Ext Len |0| Type = 2 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -1226,21 +1231,25 @@ The following options are defined for this message: Responder Validator: Variable length option. Typically a hash generated by the responder, which the responder uses together with the Responder Nonce value to verify that an I2 message is indeed sent in response to a R1 message, and that the parameters in the I2 message are the same as those in the I1 message. -5.6 I2 Message Format + Future protocol extensions might define additional options for this + message. The C-bit in the option format defines how such a new + option will be handled by an implementation. See Section 5.14. + +5.6. I2 Message Format The I2 message is the third message in the context establishment exchange. The initiator sends this in response to a R1 message, after checking the Initiator Nonce, etc. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 59 | Hdr Ext Len |0| Type = 3 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -1311,21 +1320,25 @@ Locator Preferences: Optionally sent when the locators don't all have equal preference. CGA Parameter Data Structure: Included when the locator list is included so the receiver can verify the locator list. CGA Signature: Included when the some of the locators in the list use CGA (and not HBA) for verification. -5.7 R2 Message Format + Future protocol extensions might define additional options for this + message. The C-bit in the option format defines how such a new + option will be handled by an implementation. See Section 5.14. + +5.7. R2 Message Format The R2 message is the fourth message in the context establishment exchange. The responder sends this in response to an I2 message. The R2 message is also used when both hosts send I1 messages at the same time and the I1 messages cross in flight. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 59 | Hdr Ext Len |0| Type = 4 | Reserved1 |0| @@ -1371,21 +1384,25 @@ Locator Preferences: Optionally sent when the locators don't all have equal preference. CGA Parameter Data Structure: Included when the locator list is included so the receiver can verify the locator list. CGA Signature: Included when the some of the locators in the list use CGA (and not HBA) for verification. -5.8 R1bis Message Format + Future protocol extensions might define additional options for this + message. The C-bit in the option format defines how such a new + option will be handled by an implementation. See Section 5.14. + +5.8. R1bis Message Format Should a host receive a packet with a shim Payload extension header or shim6 control message with type code 64-127 (such as an Update or Probe message), and the host does not have any context state for the received context tag, then it will generate a R1bis message. This message allows the sender of the packet referring to the non- existent context to re-establish the context with a reduced context establishment exchange. Upon the reception of the R1bis message, the receiver can proceed reestablishing the lost context by directly @@ -1430,21 +1448,25 @@ message. The following options are defined for this message: Responder Validator: Variable length option. Typically a hash generated by the responder, which the responder uses together with the Responder Nonce value to verify that an I2bis message is indeed sent in response to a R1bis message. -5.9 I2bis Message Format + Future protocol extensions might define additional options for this + message. The C-bit in the option format defines how such a new + option will be handled by an implementation. See Section 5.14. + +5.9. I2bis Message Format The I2bis message is the third message in the context recovery exchange. This is sent in response to a R1bis message, after checking that the R1bis message refers to an existing context, etc. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 59 | Hdr Ext Len |0| Type = 6 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -1521,21 +1543,25 @@ Locator Preferences: Optionally sent when the locators don't all have equal preference. CGA Parameter Data Structure: Included when the locator list is included so the receiver can verify the locator list. CGA Signature: Included when the some of the locators in the list use CGA (and not HBA) for verification. -5.10 Update Request Message Format + Future protocol extensions might define additional options for this + message. The C-bit in the option format defines how such a new + option will be handled by an implementation. See Section 5.14. + +5.10. Update Request Message Format The Update Request Message is used to update either the list of locators, the locator preferences, and both. When the list of locators is updated, the message also contains the option(s) necessary for HBA/CGA to secure this. The basic sanity check that prevents off-path attackers from generating bogus updates is the context tag in the message. The update message contains options (the Locator List and the Locator Preferences) that, when included, completely replace the previous @@ -1590,21 +1616,25 @@ equal preference. CGA Parameter Data Structure (PDS): Included when the locator list is included and the PDS was not included in the I2/I2bis/R2 messages, so the receiver can verify the locator list. CGA Signature: Included when the some of the locators in the list use CGA (and not HBA) for verification. -5.11 Update Acknowledgement Message Format + Future protocol extensions might define additional options for this + message. The C-bit in the option format defines how such a new + option will be handled by an implementation. See Section 5.14. + +5.11. Update Acknowledgement Message Format This message is sent in response to a Update Request message. It implies that the Update Request has been received, and that any new locators in the Update Request can now be used as the source locators of packets. But it does not imply that the (new) locators have been verified to be used as a destination, since the host might defer the verification of a locator until it sees a need to use a locator as the destination. 0 1 2 3 @@ -1639,43 +1669,47 @@ transmit. MUST be ignored on receipt. Receiver Context Tag: 47-bit field. The Context Tag the receiver has allocated for the context. Request Nonce: 32-bit unsigned integer. Copied from the Update Request message. No options are currently defined for this message. -5.12 Keepalive Message Format + Future protocol extensions might define additional options for this + message. The C-bit in the option format defines how such a new + option will be handled by an implementation. See Section 5.14. + +5.12. Keepalive Message Format This message format is defined in [8]. The message is used to ensure that when a peer is sending ULP packets on a context, it always receives some packets in the reverse direction. When the ULP is sending bidirectional traffic, no extra packets need to be inserted. But for a unidirectional ULP traffic pattern, the shim will send back some Keepalive messages when it is receiving ULP packets. -5.13 Probe Message Format +5.13. Probe Message Format This message and its semantics are defined in [8]. The idea behind that mechanism is to be able to handle the case when one locator pair works in from A to B, and another locator pair works from B to A, but there is no locator pair which works in both directions. The protocol mechanism is that as A is sending probe messages to B, B will observe which locator pairs it has received from and report that back in probe messages it is sending to A. -5.14 Option Formats +5.14. Option Formats The format of the options is a snapshot of the current HIP option format [25]. However, there is no intention to track any changes to the HIP option format, nor is there an intent to use the same name space for the option type values. But using the same format will hopefully make it easier to import HIP capabilities into shim6 as extensions to shim6, should this turn out to be useful. All of the TLV parameters have a length (including Type and Length fields) which is a multiple of 8 bytes. When needed, padding MUST be @@ -1739,55 +1773,72 @@ | | | | 10 | Probe Option | | | | | 11 | Reachability Option | | | | | 12 | Payload Reception Report Option | +------+---------------------------------+ Table 2 -5.14.1 Responder Validator Option Format + Future protocol extensions might define additional options for the + SHIM6 messages. The C-bit in the option format defines how such a + new option will be handled by an implementation. - The responder can choose exactly what input uses to compute the + If a host receives an option that it does not understand (an option + that was defined in some future extension to this protocol) or is not + listed as a valid option for the different message types above, then + the Critical bit in the option determines the outcome. + + o If C=0 then the option is silently ignored, and the rest of the + message is processed. + + o If C=1 then the host SHOULD send back an ICMP parameter problem + (type 4, code 1), with the Pointer referencing the first octet in + the option Type field. When C=1 the message MUST NOT be + processed. + +5.14.1. Responder Validator Option Format + + The responder can choose exactly what input is used to compute the validator, and what one-way function (MD5, SHA1) it uses, as long as the responder can check that the validator it receives back in the I2 or I2bis message is indeed one that: 1)- it computed, 2)- it computed for the particular context, and 3)- that it isn't a replayed I2/I2bis message. Some suggestions on how to generate the validators are captured in - Section 7.9.1 and Section 7.16.1. + Section 7.10.1 and Section 7.17.1. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 1 |0| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Validator ~ ~ +-+-+-+-+-+-+-+-+ ~ | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: Validator: Variable length content whose interpretation is local to the responder. Padding: Padding, 0-7 bytes, added if needed. See Section 5.14. -5.14.2 Locator List Option Format +5.14.2. Locator List Option Format The Locator List Option is used to carry all the locators of the sender. Note that the order of the locators is important, since the Locator Preferences refers to the locators by using the index in the list. Note that we carry all the locators in this option even though some of them can be created automatically from the CGA Parameter Data Structure. @@ -1840,21 +1891,21 @@ | | | | 1 | HBA | | | | | 2 | CGA | | | | | 3-255 | Reserved | +-------+----------+ Table 3 -5.14.3 Locator Preferences Option Format +5.14.3. Locator Preferences Option Format The Locator Preferences option can have some flags to indicate whether or not a locator is known to work. In addition, the sender can include a notion of preferences. It might make sense to define "preferences" as a combination of priority and weight the same way that DNS SRV records has such information. The priority would provide a way to rank the locators, and within a given priority, the weight would provide a way to do some load sharing. See [9] for how SRV defines the interaction of priority and weight. @@ -1926,21 +1977,21 @@ 1 octet flags field followed by a 1 octet priority field, and a 1 octet weight field. The weight has the same semantics as the weight in DNS SRV records. This document doesn't specify the format when the Element length is more than three, except that any such formats MUST be defined so that the first three octets are the same as in the above case, that is, a of a 1 octet flags field followed by a 1 octet priority field, and a 1 octet weight field. -5.14.4 CGA Parameter Data Structure Option Format +5.14.4. CGA Parameter Data Structure Option Format This option contains the CGA Parameter Data Structure (PDS). When HBA is used to verify the locators, the PDS contains the HBA multiprefix extension. When CGA is used to verify the locators, in addition to the PDS option, the host also needs to include the signature in the form of a CGA Signature option. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -1943,29 +1994,30 @@ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 4 |0| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ CGA Parameter Data Structure ~ ~ +-+-+-+-+-+-+-+-+ ~ | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Fields: CGA Parameter Data Structure: Variable length content. Content defined in [6] and [7]. Padding: Padding, 0-7 bytes, added if needed. See Section 5.14. -5.14.5 CGA Signature Option Format +5.14.5. CGA Signature Option Format When CGA is used for verification of one or more of the locators in the Locator List option, then the message in question will need to contain this option. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 5 |0| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -1990,21 +2042,21 @@ 3. The subset of locators included in the correspondent Locator List Option which verification method is set to CGA. The locators MUST be included in the order they are listed in the Locator List Option. Padding: Padding, 0-7 bytes, added if needed. See Section 5.14. -5.14.6 ULID Pair Option Format +5.14.6. ULID Pair Option Format I1, I2, and I2bis messages MUST contain the ULID pair; normally this is in the IPv6 source and destination fields. In case that the ULID for the context differ from the address pair included in the source and destination address fields of the IPv6 packet used to carry the I1/I2/I2bis message, the ULID pair option MUST be included in the I1/ I2/I2bis message. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 @@ -2026,58 +2078,58 @@ Reserved2: 32-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. (Needed to make the ULIDs start on a multiple of 8 octet boundary.) Sender ULID: A 128-bit IPv6 address. Receiver ULID: A 128-bit IPv6 address. -5.14.7 Forked Instance Identifier Option Format +5.14.7. Forked Instance Identifier Option Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 7 |0| Length = 4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Forked Instance Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: Forked Instance Identifier: 32-bit field containing the identifier of the particular forked instance. -5.14.8 Probe Option Format +5.14.8. Probe Option Format This option is defined in [8]. -5.14.9 Reachability Option Format +5.14.9. Reachability Option Format This option is defined in [8]. -5.14.10 Payload Reception Report Option Format +5.14.10. Payload Reception Report Option Format This option is defined in [8]. 6. Conceptual Model of a Host This section describes a conceptual model of one possible data structure organization that hosts will maintain for the purposes of shim6. The described organization is provided to facilitate the explanation of how the shim6 protocol should behave. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document. -6.1 Conceptual Data Structures +6.1. Conceptual Data Structures The key conceptual data structure for the shim6 protocol is the ULID pair context. This is a data structure which contains the following information: o The state of the context. See Section 6.2. o The peer ULID; ULID(peer) o The local ULID; ULID(local) @@ -2116,21 +2168,21 @@ o Depending how an implementation determines whether a context is still in use, there might be a need to track the last time a packet was sent/received using the context. o Reachability state for the locator pairs as specified in [8]. o During pair exploration, information about the probe messages that have been sent and received as specified in [8]. -6.2 Context States +6.2. Context States The states that are used to describe the shim6 protocol are as follows: +---------------------+---------------------------------------------+ | State | Explanation | +---------------------+---------------------------------------------+ | IDLE | State machine start | | | | | I1-SENT | Initiating context establishment exchange | @@ -2138,23 +2190,23 @@ | I2-SENT | Waiting to complete context establishment | | | exchange | | | | | I2BIS-SENT | Potential context loss detected | | | | | | | | ESTABLISHED | SHIM context established | | | | | E-FAILED | Context establishment exchange failed | | | | - | NO-SUPPORT | ICMP payload type unknown (type 4, code 1) | - | | received indicating that shim6 is not | - | | supported | + | NO-SUPPORT | ICMP Unrecognized Next Header type | + | | (type 4, code 1) received indicating | + | | that shim6 is not supported | +---------------------+---------------------------------------------+ In addition, in each of the aforementioned states, the following state information is stored: +---------------------+---------------------------------------------+ | State | Information | +---------------------+---------------------------------------------+ | IDLE | None | | | | | I1-SENT | ULID(peer), ULID(local), [FII], CT(local), | @@ -2182,32 +2234,32 @@ ULID-pair contexts are established using a 4-way exchange, which allows the responder to avoid creating state on the first packet. As part of this exchange each end allocates a context tag, and it shares this context tag and its set of locators with the peer. In some cases the 4-way exchange is not necessary, for instance when both ends try to setup the context at the same time, or when recovering from a context that has been garbage collected or lost at one of the hosts. -7.1 Uniqness of Context Tags +7.1. Uniqueness of Context Tags As part of establishing a new context, each host has to assign a unique context tag. Since the Payload Extension headers are demultiplexed based solely on the context tag value (without using the locators), the context tag MUST be unique for each context. In addition, in order to minimize the reuse of context tags, the host SHOULD randomly cycle through the 2^47 context tag values,(e.g. following the guidelines described in [17]). -7.2 Locator Verification +7.2. Locator Verification The peer's locators might need to be verified during context establishment as well as when handling locator updates in Section 10. There are two separate aspects of locator verification. One is to verify that the locator is tied to the ULID, i.e., that the host which "owns" the ULID is also the one that is claiming the locator "ownership". The shim6 protocol uses the HBA or CGA techniques for doing this verification. The other is to verify that the host is indeed reachable at the claimed locator. Such verification is needed @@ -2235,40 +2287,40 @@ If the verification method in the Locator List option is not supported by the host, or if the verification method is not consistent with the CGA Parameter Data Structure (e.g., the Parameter Data Structure doesn't contain the multiprefix extension, and the verification method says to use HBA), then the host MUST ignore the Locator List and the message in which it is contained, and the host SHOULD generates an ICMP parameter problem (type 4, code 0), with the Pointer referencing the octet in the Verification method that was found inconsistent. -7.3 Normal context establishment +7.3. Normal context establishment The normal context establishment consists of a 4 message exchange in the order of I1, R1, I2, R2 as can be seen in Figure 24. Initiator Responder IDLE IDLE ------------- I1 --------------> I1-SENT <------------ R1 --------------- IDLE ------------- I2 --------------> I2-SENT <------------ R2 --------------- ESTABLISHED ESTABLISHED Figure 24: Normal context establishment -7.4 Concurrent context establishment +7.4. Concurrent context establishment When both ends try to initiate a context for the same ULID pair, then we might end up with crossing I1 messages. Alternatively, since no state is created when receiving the I1, a host might send a I1 after having sent a R1 message. Since a host remembers that it has sent an I1, it can respond to an I1 from the peer (for the same ULID-pair), with a R2, resulting in the message exchange shown in Figure 25. Such behavior is needed for other reasons such as to correctly respond to retransmitted I1 @@ -2336,21 +2388,21 @@ ---\ /--- --- R2 ---\ /--- ---\ /--- R2 ---/ ---\ /--- --> <--- ESTABLISHED ESTABLISHED Figure 26: Crossing I2 and I1 -7.5 Context recovery +7.5. Context recovery Due to garbage collection, we can end up with one end having and using the context state, and the other end not having any state. We need to be able to recover this state at the end that has lost it, before we can use it. This need can arise in the following cases: o The communication is working using the ULID pair as the locator pair, but a problem arises, and the end that has retained the @@ -2420,21 +2472,21 @@ with new CT(peer) I2-SENT and Ls(peer). ESTABLISHED ------------- R2 --------------> ESTABLISHED ESTABLISHED Figure 28: Context loss at sender -7.6 Context confusion +7.6. Context confusion Since each end might garbage collect the context state we can have the case when one end has retained the context state and tries to use it, while the other end has lost the state. We discussed this in the previous section on recovery. But for the same reasons, when one host retains context tag X as CT(peer) for ULID pair , the other end might end up allocating that context tag as CT(local) for another ULID pair, e.g., between the same hosts. In this case we can not use the recovery mechanisms since there needs to be separate context tags for the two ULID pairs. @@ -2466,65 +2518,65 @@ re-create a context to replace the one that was removed; in this case for . The normal I1, R1, I2, R2 establishment exchange would then pick unique context tags for that replacement context. This re- creation is OPTIONAL, but might be useful when there is ULP communication which is using the ULID pair whose context was removed. Note that an I1 message with a duplicate context tag should not cause the removal of the old context state; this operation needs to be deferred until the reception of the I2 message. -7.7 Sending I1 messages +7.7. Sending I1 messages When the shim layer decides to setup a context for a ULID pair, it starts by allocating and initializing the context state for its end. As part of this it assigns a random context tag to the context that is not being used as CT(local) by any other context . In the case that a new API is used and the ULP requests a forked context, the Forked Instance Identifier value will be set to a non-zero value. Otherwise, the FII value is zero. Then the initiator can send an I1 message and set the context state to I1-SENT. The I1 message MUST include the ULID pair; normally in the IPv6 source and destination fields. But if the ULID pair for the context is not used as locator pair for the I1 message, then a ULID option MUST be included in the I1 message. In addition, if a Forked Instance Identifier value is non-zero, the I1 message MUST include a Context Instance Identifier option containing the correspondent value. -7.8 Retransmitting I1 messages +7.8. Retransmitting I1 messages If the host does not receive an I2 or R2 message in response to the I1 message after I1_TIMEOUT time, then it needs to retransmit the I1 message. The retransmissions should use a retransmission timer with binary exponential backoff to avoid creating congestion issues for the network when lots of hosts perform I1 retransmissions. Also, the actual timeout value should be randomized between 0.5 and 1.5 of the nominal value to avoid self-synchronization. If, after I1_RETRIES_MAX retransmissions, there is no response, then most likely the peer does not implement the shim6 protocol, or there could be a firewall that blocks the protocol. In this case it makes sense for the host to remember to not try again to establish a context with that ULID. However, any such negative caching should retained for at most NO_R1_HOLDDOWN_TIME, to be able to later setup a context should the problem have been that the host was not reachable at all when the shim tried to establish the context. - If the host receives an ICMP error with "payload type unknown" (type - 4, code 1) and the included packet is the I1 message it just sent, - then this is a more reliable indication that the peer ULID does not - implement shim6. Again, in this case, the host should remember to - not try again to establish a context with that ULID. Such negative - caching should retained for at most ICMP_HOLDDOWN_TIME, which should - be significantly longer than the previous case. + If the host receives an ICMP error with "Unrecognized Next Header" + type (type 4, code 1) and the included packet is the I1 message it + just sent, then this is a more reliable indication that the peer ULID + does not implement shim6. Again, in this case, the host should + remember to not try again to establish a context with that ULID. + Such negative caching should retained for at most ICMP_HOLDDOWN_TIME, + which should be significantly longer than the previous case. -7.9 Receiving I1 messages +7.9. Receiving I1 messages A host MUST silently discard any received I1 messages that do not satisfy all of the following validity checks in addition to those specified in Section 12.2: o The Hdr Ext Len field is at least 1, i.e., the length is at least 16 octets. Upon the reception of an I1 message, the host extracts the ULID pair and the Forked Instance Identifier from the message. If there is no @@ -2557,37 +2609,42 @@ available for the existent context. o If the context tags do not match, then it probably means that the Initiator has lost the context information for this context and it is trying to establish a new one for the same ULID-pair. In this case, the host replies with a R1 message as specified below. This completes the I1 processing, with the context state being unchanged. If the state exists in other state (I1-SENT, I2-SENT, I2BIS-SENT), we - are in the situation of Concurrent context establishment described - in Section 7.4. In this case, the host leaves CT(peer) unchanged, - and replies with a R2 message. This completes the I1 processing, - with the context state being unchanged. + are in the situation of Concurrent context establishment described in + Section 7.4. In this case, the host leaves CT(peer) unchanged, and + replies with a R2 message. This completes the I1 processing, with + the context state being unchanged. + +7.10. Sending R1 messages When the host needs to send a R1 message in response to the I1 message, it copies the Initiator Nonce from the I1 message to the R1 message, generates a Responder Nonce and calculates a Responder Validator option as suggested in the following section. No state is - created on the host in this case. + created on the host in this case.(Note that the information used to + generate the R1 reply message is either contained in the received I1 + message or it is global information that is not associated with the + particular requested context (the S and the Responder nonce values)). When the host needs to send a R2 message in response to the I1 message, it copies the Initiator Nonce from the I1 message to the R2 message, and otherwise follows the normal rules for forming an R2 - message (see Section 7.13). + message (see Section 7.14). -7.9.1 Generating the R1 Validator +7.10.1. Generating the R1 Validator One way for the responder to properly generate validators is to maintain a single secret (S) and a running counter for the Responder Nonce. In the case the validator is generated to be included in a R1 message, for each I1 message. The responder can increase the counter, use the counter value as the responder nonce, and use the following information as input to the one-way function: @@ -2601,21 +2658,21 @@ o The locators from the I1 message (strictly only needed if they are different from the ULIDs) o The forked instance identifier if such option was included in the I1 message and then the output of the hash function is used as the validator octet string. -7.10 Receiving R1 messages and sending I2 messages +7.11. Receiving R1 messages and sending I2 messages A host MUST silently discard any received R1 messages that do not satisfy all of the following validity checks in addition to those specified in Section 12.2: o The Hdr Ext Len field is at least 1, i.e., the length is at least 16 octets. Upon the reception of an R1 message, the host extracts the Initiator Nonce and the Locator Pair from the message (the latter from the @@ -2646,56 +2703,58 @@ This is not required to be the same than the one included in the previous I1 message. The I2 message also includes the Initiator's locator list and the CGA parameter data structure. If CGA (and not HBA) is used to verify the locator list, then Initiator also signs the key parts of the message and includes a CGA signature option containing the signature. When the I2 message has been sent, the state is set to I2-SENT. -7.11 Retransmitting I2 messages +7.12. Retransmitting I2 messages If the initiator does not receive an R2 message after I2_TIMEOUT time after sending an I2 message it MAY retransmit the I2 message, using binary exponential backoff and randomized timers. The Responder Validator option might have a limited lifetime, that is, the peer might reject Responder Validator options that are older than VALIDATOR_MIN_LIFETIME to avoid replay attacks. Thus the initiator SHOULD fall back to retransmitting the I1 message when there is no R2 received after retransmitting the I2 message I2_RETRIES_MAX times. -7.12 Receiving I2 messages +7.13. Receiving I2 messages A host MUST silently discard any received I2 messages that do not satisfy all of the following validity checks in addition to those specified in Section 12.2: o The Hdr Ext Len field is at least 2, i.e., the length is at least 24 octets. Upon the reception of an I2 message, the host extracts the ULID pair and the Forked Instance identifier from the message. If there is no ULID-pair option, then the ULID pair is taken from the source and destination fields in the IPv6 header. If there is no FII option in the message, then the FII value is taken to be zero. - Next the host verifies that the Responder Nonce is a recent one, and - that the Responder Validator option matches the validator the host - would have computed for the ULID, locators, responder nonce, and FII. + Next the host verifies that the Responder Nonce is a recent one + (Nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be + considered recent), and that the Responder Validator option matches + the validator the host would have computed for the ULID, locators, + responder nonce, and FII. If a CGA Parameter Data Structure (PDS) is included in the message, then the host MUST verify if the actual PDS contained in the message corresponds to the ULID(peer). If any of the above verifications fails, then the host silently - discard the message and it has completed the I2 processing. + discards the message and it has completed the I2 processing. If all the above verifications are successful, then the host proceeds to look for a context state for the Initiator. The host looks for a context with the extracted ULID pair and FII. If none exist then state of the (non-existing) context is viewed as being IDLE, thus the actions depend on the state as follows: o If the state is IDLE (i.e., the context does not exist) the host allocates a context tag (CT(local)), creates the context state for the context, and sets its state to ESTABLISHED. It records @@ -2725,46 +2784,46 @@ verifies if the source locator is included in Ls(peer) or, it is included in the Locator List contained in the the I2 message and the HBA/CGA verification for this specific locator is successful * If this is not the case, then the message is silently discarded and the context state remains unchanged. * If this is the case, then the host updates the context information (CT(peer), Ls(peer)) with the data contained in the I2 message and the host MUST send a R2 message back as - specified in Section 7.13. Note that before updating Ls(peer) + specified in Section 7.14. Note that before updating Ls(peer) information, the host SHOULD perform the HBA/CGA validation of the peer's locator set at this point in time as specified in Section 7.2. The context state remains unchanged. -7.13 Sending R2 messages +7.14. Sending R2 messages Before the host sends the R2 message it MUST look for a possible context confusion i.e. where it would end up with multiple contexts - using the same CT(peer) for the same peer host. See Section 7.14. + using the same CT(peer) for the same peer host. See Section 7.15. When the host needs to send an R2 message, the host forms the message using its locators and its context tag, copies the Initiator Nonce from the triggering message (I2, I2bis, or I1), and includes the necessary options so that the peer can verify the locators. In particular, the R2 message includes the Responder's locator list and the PDS option. If CGA (and not HBA) is used to verify the locator list, then the Responder also signs the key parts of the message and includes a CGA Signature option containing the signature. R2 messages are never retransmitted. If the R2 message is lost, then the initiator will retransmit either the I2/I2bis or I1 message. Either retransmission will cause the responder to find the context state and respond with an R2 message. -7.14 Match for Context Confusion +7.15. Match for Context Confusion When the host receives an I2, I2bis, or R2 it MUST look for a possible context confusion i.e. where it would end up with multiple contexts using the same CT(peer) for the same peer host. This can happen when it has received the above messages since they create a new context with a new CT(peer). Same issue applies when CT(peer) is updated for an existing context. The host takes CT(peer) for the newly created or updated context, and looks for other contexts which: @@ -2789,21 +2848,21 @@ discarded it), or it MAY attempt to re-establish the old context by sending a new I1 message and moving its state to I1-SENT. In any case, once that this situation is detected, the host MUST NOT keep two contexts with overlapping Ls(peer) locator sets and the same context tag in ESTABLISHED state, since this would result in demultiplexing problems on the peer. o If both are the same, then this context is actually the context that is created or updated, hence there is no confusion. -7.15 Receiving R2 messages +7.16. Receiving R2 messages A host MUST silently discard any received R2 messages that do not satisfy all of the following validity checks in addition to those specified in Section 12.2: o The Hdr Ext Len field is at least 1, i.e., the length is at least 16 octets. Upon the reception of an R2 message, the host extracts the Initiator Nonce and the Locator Pair from the message (the latter from the @@ -2818,32 +2877,33 @@ o If state is I1-SENT, I2-SENT, or I2BIS-SENT then the host performs the following actions: If a CGA Parameter Data Structure (PDS) is included in the message, then the host MUST verify that the actual PDS contained in the message corresponds to the ULID(peer) as specified in Section 7.2. If the verification fails, then the message is silently dropped. If the verification succeeds, then the host records the information from the R2 message in the context state; it records the peer's locator set and CT(peer). The host SHOULD perform the HBA/CGA verification of the peer's locator set at this point in time, as specified in Section 7.2. + The host sets its state to ESTABLISHED. o If the state is ESTABLISHED, the R2 message is silently ignored, (since this is likely to be a reply to a retransmitted I2 message). Before the host completes the R2 processing it MUST look for a possible context confusion i.e. where it would end up with multiple contexts using the same CT(peer) for the same peer host. See - Section 7.14. + Section 7.15. -7.16 Sending R1bis messages +7.17. Sending R1bis messages Upon the receipt of a shim6 payload extension header where there is no current SHIM6 context at the receiver, the receiver is to respond with an R1bis message in order to enable a fast re-establishment of the lost SHIM6 context. Also a host is to respond with a R1bis upon receipt of any control messages that has a message type in the range 64-127 (i.e., excluding the context setup messages such as I1, R1, R1bis, I2, I2bis, R2 and future extensions), where the control message refers to a non @@ -2858,21 +2918,21 @@ o The Responder Nonce is a number picked by the responder which the initiator will return in the I2bis message. o Packet Context Tag is the context tag contained in the received packet that triggered the generation of the R1bis message. o The Responder Validator option is included, with a validator that is computed as suggested in the next section. -7.16.1 Generating the R1bis Validator +7.17.1. Generating the R1bis Validator One way for the responder to properly generate validators is to maintain a single secret (S) and a running counter for the Responder Nonce. In the case the validator is generated to be included in a R1bis message, for each received payload extension header or control message, the responder can increase the counter, use the counter value as the responder nonce, and use the following information as input to the one-way function: @@ -2881,21 +2941,21 @@ o That Responder Nonce o The Receiver Context tag included in the received packet o The locators from the received packet and then the output of the hash function is used as the validator octet string. -7.17 Receiving R1bis messages and sending I2bis messages +7.18. Receiving R1bis messages and sending I2bis messages A host MUST silently discard any received R1bis messages that do not satisfy all of the following validity checks in addition to those specified in Section 12.2: o The Hdr Ext Len field is at least 1, i.e., the length is at least 16 octets. Upon the reception of an R1bis message, the host extracts the Packet Context Tag and the Locator Pair from the message (the latter from @@ -2917,51 +2977,52 @@ including the computed Responder Validator option, the Packet Context Tag, and the Responder Nonce received in the R1bis message. This I2bis message is sent using the locator pair included in the R1bis message. In the case that this locator pair differs from the ULID pair defined for this context, then an ULID option MUST be included in the I2bis message. In addition, if the Forked Instance Identifier for this context is non-zero, then a Forked Instance Identifier option carrying the instance identifier value for this context MUST be included in the I2bis message. -7.18 Retransmitting I2bis messages +7.19. Retransmitting I2bis messages If the initiator does not receive an R2 message after I2bis_TIMEOUT time after sending an I2bis message it MAY retransmit the I2bis message, using binary exponential backoff and randomized timers. The Responder Validator option might have a limited lifetime, that is, the peer might reject Responder Validator options that are older than VALIDATOR_MIN_LIFETIME to avoid replay attacks. Thus the initiator SHOULD fall back to retransmitting the I1 message when there is no R2 received after retransmitting the I2bis message I2bis_RETRIES_MAX times. -7.19 Receiving I2bis messages and sending R2 messages +7.20. Receiving I2bis messages and sending R2 messages A host MUST silently discard any received I2bis messages that do not satisfy all of the following validity checks in addition to those specified in Section 12.2: o The Hdr Ext Len field is at least 3, i.e., the length is at least 32 octets. Upon the reception of an I2bis message, the host extracts the ULID pair and the Forked Instance identifier from the message. If there is no ULID-pair option, then the ULID pair is taken from the source and destination fields in the IPv6 header. If there is no FII option in the message, then the FII value is taken to be zero. - Next the host verifies that the Responder Nonce is a recent one, and - that the Responder Validator option matches the validator the host - would have computed for the ULID, locators, responder nonce, and FII - as part of sending an R1bis message. + Next the host verifies that the Responder Nonce is a recent one + (Nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be + considered recent), and that the Responder Validator option matches + the validator the host would have computed for the ULID, locators, + responder nonce, and FII as part of sending an R1bis message. If a CGA Parameter Data Structure (PDS) is included in the message, then the host MUST verify if the actual PDS contained in the message corresponds to the ULID(peer). If any of the above verifications fails, then the host silently discard the message and it has completed the I2bis processing. If both verifications are successful, then the host proceeds to look for a context state for the Initiator. The host looks for a context @@ -2971,21 +3032,21 @@ o If the state is IDLE (i.e., the context does not exist) the host allocates a context tag (CT(local)), creates the context state for the context, and sets its state to ESTABLISHED. The host SHOULD NOT use the Packet Context Tag in the I2bis message for CT(local); instead it should pick a new random context tag just as when it processes an I2 message. It records CT(peer), and the peer's locator set as well as its own locator set in the context. It SHOULD perform the HBA/CGA verification of the peer's locator set at this point in time as specified in Section 7.2. Then the host - sends an R2 message back as specified in Section 7.13. + sends an R2 message back as specified in Section 7.14. o If the state is I1-SENT, then the host verifies if the source locator is included in Ls(peer) or, it is included in the Locator List contained in the the I2 message and the HBA/CGA verification for this specific locator is successful * If this is not the case, then the message is silently discarded. The the context state remains unchanged. * If this is the case, then the host updates the context @@ -3000,31 +3061,32 @@ verifies if the source locator is included in Ls(peer) or, it is included in the Locator List contained in the the I2 message and the HBA/CGA verification for this specific locator is successful * If this is not the case, then the message is silently discarded. The the context state remains unchanged. * If this is the case, then the host updates the context information (CT(peer), Ls(peer)) with the data contained in the I2 message and the host MUST send a R2 message back as - specified in Section 7.13. Note that before updating Ls(peer) + specified in Section 7.14. Note that before updating Ls(peer) information, the host SHOULD perform the HBA/CGA validation of the peer's locator set at this point in time as specified in Section 7.2. The context state remains unchanged. 8. Handling ICMP Error Messages The routers in the path as well as the destination might generate various ICMP error messages, such as host unreachable, packet too - big, and payload type unknown. It is critical that these packets - make it back up to the ULPs so that they can take appropriate action. + big, and Unrecognized Next Header type. It is critical that these + packets make it back up to the ULPs so that they can take appropriate + action. This is an implementation issue in the sense that the mechanism is completely local to the host itself. But the issue of how ICMP errors are correctly dispatched to the ULP on the host are important, hence this section specifies the issue. +--------------+ | IPv6 Header | | | +--------------+ @@ -3123,70 +3185,70 @@ Since there is no explicit, coordinated removal of the context state, there are potential issues around context tag reuse. One end might remove the state, and potentially reuse that context tag for some other communication, and the peer might later try to use the old context (which it didn't remove). The protocol has mechanisms to recover from this, which work whether the state removal was total and accidental (e.g., crash and reboot of the host), or just a garbage collection of shim state that didn't seem to be used. However, the host should try to minimize the reuse of context tags by trying to - randomly cycle through the 2^47 context tag values. (See Appendix E + randomly cycle through the 2^47 context tag values. (See Appendix C for a summary how the recovery works in the different cases.) 10. Updating the Peer The Update Request and Acknowledgement are used both to update the list of locators (only possible when CGA is used to verify the locator(s)), as well as updating the preferences associated with each locator. -10.1 Sending Update Request messages +10.1. Sending Update Request messages When a host has a change in the locator set, then it can communicate this to the peer by sending an Update Request. When a host has a change in the preferences for its locator set, it can also communicate this to the peer. The Update Request message can include just a Locator List option, to convey the new set of locators (which requires a CGA signature option as well), just a Locator Preferences option, or both a new Locator List and new Locator Preferences. Should the host send a new Locator List, the host picks a new random local generation number, records this in the context, and puts it in the Locator List option. Any Locator Preference option, whether send in the same Update Request or in some future Update Request, will use that generation number to make sure the preferences get applied to the correct version of the locator list. The host picks a random Request Nonce for each update, and keeps the same nonce for any retransmissions of the Update Request. The nonce is used to match the acknowledgement with the request. -10.2 Retransmitting Update Request messages +10.2. Retransmitting Update Request messages If the host does not receive an Update Acknowledgement R2 message in response to the Update Request message after UPDATE_TIMEOUT time, then it needs to retransmit the Update Request message. The retransmissions should use a retransmission timer with binary exponential backoff to avoid creating congestion issues for the network when lots of hosts perform Update Request retransmissions. Also, the actual timeout value should be randomized between 0.5 and 1.5 of the nominal value to avoid self-synchronization. Should there be no response, the retransmissions continue forever. The binary exponential backoff stops at MAX_UPDATE_TIMEOUT. But the only way the retransmissions would stop when there is no acknowledgement, is when the shim, through the Probe protocol or some other mechanism, decides to discard the context state due to lack of ULP usage in combination with no responses to the Probes. -10.3 Newer Information While Retransmitting +10.3. Newer Information While Retransmitting There can be at most one outstanding Update Request message at any time. Thus until e.g. an update with a new Locator List has been acknowledged, any even newer Locator List or new Locator Preferences can not just be sent. However, when there is newer information and the older information has not yet been acknowledged, the host can instead of waiting for an acknowledgement, abandon the previous update and construct a new Update Request (with a new Request Nonce) which includes the new information as well as the information that hadn't yet been acknowledged. @@ -3204,33 +3266,33 @@ o Form a Locator Preference option which uses the new generation number and has the BROKEN flag for the first locator. o Send the Update Request and start a retransmission timer. Any Update Acknowledgement which doesn't match the current request nonce, for instance an acknowledgement for the abandoned Update Request, will be silently ignored. -10.4 Receiving Update Request messages +10.4. Receiving Update Request messages A host MUST silently discard any received Update Request messages that do not satisfy all of the following validity checks in addition to those specified in Section 12.2: o The Hdr Ext Len field is at least 1, i.e., the length is at least 16 octets. Upon the reception of an Update Request message, the host extracts the Context Tag from the message. It then looks for a context which has a CT(local) that matches the context tag. If no such context is - found, it sends a R1bis message as specified in Section 7.16. + found, it sends a R1bis message as specified in Section 7.17. Since context tags can be reused, the host MUST verify that the IPv6 source address field is part of Ls(peer) and that the IPv6 destination address field is part of Ls(local). If this is not the case, the sender of the Update Request has a stale context which happens to match the CT(local) for this context. In this case the host MUST send a R1bis message, and otherwise ignore the Update Request message. If a CGA Parameter Data Structure (PDS) is included in the message, @@ -3277,34 +3339,34 @@ new locator list or locator preferences have been recorded, the host sends an Update Acknowledgement message, copying the nonce from the request, and using the CT(peer) in as the Receiver Context Tag. Any new locators, or more likely new locator preferences, might result in the host wanting to select a different locator pair for the context. For instance, if the Locator Preferences lists the current Lp(peer) as BROKEN. The host uses the Probe message in [8] to verify that the new locator is reachable before changing Lp(peer). -10.5 Receiving Update Acknowledgement messages +10.5. Receiving Update Acknowledgement messages A host MUST silently discard any received Update Acknowledgement messages that do not satisfy all of the following validity checks in addition to those specified in Section 12.2: o The Hdr Ext Len field is at least 1, i.e., the length is at least 16 octets. Upon the reception of an Update Acknowledgement message, the host extracts the Context Tag and the Request Nonce from the message. It then looks for a context which has a CT(local) that matches the context tag. If no such context is found, it sends a R1bis message - as specified in Section 7.16. + as specified in Section 7.17. Since context tags can be reused, the host MUST verify that the IPv6 source address field is part of Ls(peer) and that the IPv6 destination address field is part of Ls(local). If this is not the case, the sender of the Update Acknowledgement has a stale context which happens to match the CT(local) for this context. In this case the host MUST send a R1bis message, and otherwise ignore the Update Acknowledgement message. Then, depending on the state of the context: @@ -3342,21 +3404,21 @@ If this is the case, then packets can be sent unmodified by the shim. If it is not the case, then the logic in Section 11.1 will need to be used. There will also be some maintenance activity relating to (un)reachability detection, whether packets are sent with the original locators or not. The details of this is out of scope for this document and is specified in [8]. -11.1 Sending ULP Payload after a Switch +11.1. Sending ULP Payload after a Switch When sending packets, if there is a ULID-pair context for the ULID pair, and the ULID pair is no longer used as the locator pair, then the sender needs to transform the packet. Apart from replacing the IPv6 source and destination fields with a locator pair, an 8-octet header is added so that the receiver can find the context and inverse the transformation. If there has been a failure causing a switch, and later the context switches back to sending things using the ULID pair as the locator @@ -3385,26 +3447,26 @@ 12. Receiving Packets As in normal IPv6 receive side packet processing the receiver parses the (extension) headers in order. Should it find a shim6 extension header it will look at the "P" field in that header. If this bit is zero, then the packet must be passed to the shim6 payload handling for rewriting. Otherwise, the packet is passed to the shim6 control handling. -12.1 Receiving Payload Extension Headers +12.1. Receiving Payload Extension Headers The receiver extracts the context tag from the payload extension header, and uses this to find a ULID-pair context. If no context is found, the receiver SHOULD generate a R1bis message (see - Section 7.16). + Section 7.17). Then, depending on the state of the context: o If ESTABLISHED: Proceed to process message. o If I1-SENT, discard the message and stay in I1-SENT. o If I2-SENT, then send R2 and proceed to process the message. o If I2BIS-SENT, then send R2 and proceed to process the message. @@ -3418,21 +3480,21 @@ header value (which might be some function associated with the IP endpoint sublayer, or a ULP). If the host is using some heuristic for determining when to perform a deferred context establishment, then the host might need to do some accounting (count the number of packets sent and received) for packets that does not have a shim6 extension header and for which there is no context. But the need for this depends on what heuristics the implementation has chosen. -12.2 Receiving Shim Control messages +12.2. Receiving Shim Control messages A shim control message has the checksum field verified. The Shim header length field is also verified against the length of the IPv6 packet to make sure that the shim message doesn't claim to end past the end of the IPv6 packet. Finally, it checks that the neither the IPv6 destination field nor the IPv6 source field is a multicast address. If any of those checks fail, the packet is silently dropped. The message is then dispatched based on the shim message type. Each @@ -3441,21 +3503,21 @@ unknown to the receiver, then an ICMPv6 Parameter Problem error is generated and sent back. The pointer field in the Parameter Problem is set to point at the first octet of the shim message type. The error is rate limited just like other ICMP errors [5]. All the control messages can contain any options with C=0. If there is any option in the message with C=1 that isn't known to the host, then the host MUST send an ICMPv6 Parameter Problem, with the Pointer field referencing the first octet of the Option Type. -12.3 Context Lookup +12.3. Context Lookup We assume that each shim context has its own state machine. We assume that a dispatcher delivers incoming packets to the state machine that it belongs to. Here we describe the rules used for the dispatcher to deliver packets to the correct shim context state machine. There is one state machine per context identified that is conceptually identified by ULID pair and Forked Instance Identifier (which is zero by default), or identified by CT(local). However, the @@ -3547,21 +3609,21 @@ providing an easy to use connect-by-name() API for TCP and other connection-oriented transports is easy; providing a similar capability at the API for UDP is hard due to the protocol itself not providing any "success" feedback. But even the UDP issue is one of APIs and implementation. 14. Protocol constants The protocol uses the following constants: - I1_RETRIES_MAX + I1_RETRIES_MAX = 4 I1_TIMEOUT = 4 seconds NO_R1_HOLDDOWN_TIME = 1 min ICMP_HOLDDOWN_TIME = 10 min I2_TIMEOUT = 4 seconds I2_RETRIES_MAX = 2 @@ -3697,40 +3759,56 @@ "too much" ingress filtering between the attackers new location and the communicating peers. But this doesn't seem to be that severe, because once the R1bis causes the context to be re- established, a new pair of context tags will be used, which will not be known to the attacker. If this is still a concern, we could require a 2-way handshake "did you really loose the state?" in response to the error message. o It might be possible for an attacker to try random 47-bit context tags and see if they can cause disruption for communication - between two hosts. If a 47-bit tag, which is the largest that - fits in an 8-octet extension header, isn't sufficient, one could - use an even larger tag in the shim6 control messages, and use the - low-order 47 bits in the payload extension header. + between two hosts. In particular, in the case of payload packets, + the effects of such attack would be similar of those of an + attacker sending packets with spoofed source address. In the case + of control packets, it is not enough to find the correct context + tag, but additional information is required (e.g. nonces, proper + source addresses) (see previous bullet for the case of R1bis). If + a 47-bit tag, which is the largest that fits in an 8-octet + extension header, isn't sufficient, one could use an even larger + tag in the shim6 control messages, and use the low-order 47 bits + in the payload extension header. o When the payload extension header is used, an attacker that can guess the 47-bit random context tag, can inject packets into the context with any source locator. Thus if there is ingress filtering between the attacker, this could potentially allow to bypass the ingress filtering. However, in addition to guessing the 47-bit context tag, the attacker also needs to find a context where, after the receiver's replacement of the locators with the ULIDs, the the ULP checksum is correct. But even this wouldn't be sufficient with ULPs like TCP, since the TCP port numbers and sequence numbers must match an existing connection. Thus, even though the issues for off-path attackers injecting packets are different than today with ingress filtering, it is still very hard for an off-path attacker to guess. If IPsec is applied then the issue goes away completely. + o The validator included in the R1 and R1bis packets are generated + as a hash of several input parameters. However, most of the + inputs are actually determined by the sender, and only the secret + value S is unknown to the sender. However, the resulting + protection is deemed to be enough since it would be easier for the + attacker to just obtain a new validator sending a I1 packet than + performing all the computations required to determine the secret + S. However, it is recommended that the host changes the secret S + periodically. + 17. IANA Considerations IANA is directed to allocate a new IP Protocol Number value for the SHIM6 Protocol. IANA is directed to record a CGA message type for the SHIM6 Protocol in the [CGA] namespace registry with the value 0x4A30 5662 4858 574B 3655 416F 506A 6D48. IANA is directed to establish a SHIM6 Parameter Registry with two @@ -3766,23 +3844,23 @@ | 66 | Keepalive | | | | | 67 | Probe Message | | | | | 68-123 | Can be allocated using Standards Action | | | | | 124-127 | For Experimental use | +------------+-----------------------------------------------------+ The initial contents of the SHIM6 Options registry are as follows: - +--------------+----------------------------------+ + +-------------+----------------------------------+ | Type | Option Name | - +--------------+----------------------------------+ + +-------------+----------------------------------+ | 0 | RESERVED | | | | | 1 | Responder Validator | | | | | 2 | Locator List | | | | | 3 | Locator Preferences | | | | | 4 | CGA Parameter Data Structure | | | | @@ -3796,36 +3874,31 @@ | | | | 10 | Probe Option | | | | | 11 | Reachability Option | | | | | 12 | Payload Reception Report Option | | | | | 13-16383 | Allocated using Standards action | | | | | 16384-32767 | For Experimental use | - +--------------+----------------------------------+ + +-------------+----------------------------------+ 18. Acknowledgements Over the years many people active in the multi6 and shim6 WGs have contributed ideas a suggestions that are reflected in this specification. Special thanks to the careful comments from Geoff - Houston and Shinta Sugimoto on earlier versions of this draft. - -Appendix A. Open Issues - - The following known open issues in this protocol specification are: - - o NONE. + Huston, Shinta Sugimoto and Pekka Savola on earlier versions of this + draft. -Appendix B. Possible Protocol Extensions +Appendix A. Possible Protocol Extensions During the development of this protocol, several issues have been brought up as important one to address, but are ones that do not need to be in the base protocol itself but can instead be done as extensions to the protocol. The key ones are: o As stated in the assumptions in Section 3, the in order for the shim6 protocol to be able to recover from a wide range of failures, for instance when one of the communicating hosts is singly-homed, and cope with a site's ISPs that do ingress @@ -3902,145 +3975,21 @@ o ULP specified timers for the reachability detection mechanism (which can be useful particularly when there are forked contexts). o Pre-verify some "backup" locator pair, so that the failover time can be shorter. o Study how shim6 and Mobile IPv6 might interact. There existing an initial draft on this topic [21]. -Appendix C. Change Log - - The following changes have been made since draft-ietf-shim6-proto-03: - - o Editorial clarifications based on comments from Geoff, Shinta, - Jari. - - o Added "no IPv6 NATs as an explicit assumption. - - o Moving some things out of the Introduction and Overview sections - to remove all SHOULDs and MUSTs from there. - - o Added requirement that any Locator Preference options which use an - element length greater than 3 octets have the already defined - first 3 octets of flags, priority and weight. - - o Fixed security hole where a single message (I1) could cause - CT(peer) to be updated. Now a three-way handshake is required - before CT(peer) is updated for an existing context. - - The following changes have been made since draft-ietf-shim6-proto-02: - - o Replaced the Context Error message with the R1bis message. - - o Removed the Packet In Error option, since it was only used in the - Context Error message. - - o Introduced a I2bis message which is sent in response to an I1bis - message, since the responders processing is quite in this case - than in the regular R1 case. - - o Moved the packet formats for the Keepalive and Probe message types - and Event option to [8]. Only the message type values and option - type value are specified for those in this document. - - o Removed the unused message types. - - o Added a state machine description as an appendix. - - o Filled in all the TBDs - except the IANA assignment of the - protocol number. - - o Specified how context recovery and forked contexts work together. - This required the introduction of a Forked Instance option to be - able to tell which of possibly forked instances is being - recovered. - - o Renamed the "host-pair context" to be "ULID-pair context". - - o Picked some initial retransmit timers for I1 and I2; 4 seconds. - - o Added timer values as protocol constants. The retransmit timers - use binary exponential backoff and randomization (between .5 and - 1.5 of the nominal value). - - o Require that the R1/R1bis verifiers be usable for some minimum - time so that the initiator knows for how long time it can safely - retransmit I2 before it needs to go back to sending I1 again. - Picked 30 seconds. - - o Split the message type codes into 0-63, which will not generate - R1bis messages, and 64-127 which will generate R1bis messages. - This allows extensibility of the protocol with new message types - while being able to control when R1bis is generated. - - o Expanded the context tag from 32 to 47 bits. - - o Specified that enough locators need to be included in I2 and R2 - messages. Specified that the HBA/CGA verification must be - performed when the locator set is received. - - o Specified that ICMP parameter problem errors are sent in certain - error cases, for instance when the verification method is unknown - to the receiver, or there is an unknown message type or option - type. - - o Renamed "payload message" to be "payload extension header". - - o Many editorial clarifications suggested by Geoff Huston. - - o Modified the dispatching of payload extension header to only - compare CT(local) i.e., not compare the source and destination - IPv6 address fields. - - The following changes have been made since draft-ietf-shim6-proto-00: - - o Removed the use of the flow label and the overloading of the IP - protocol numbers. Instead, when the locator pair is not the ULID - pair, the ULP payloads will be carried with an 8 octet extension - header. The belief is that it is possible to remove these extra - bytes by defining future shim6 extensions that exchange more - information between the hosts, without having to overload the flow - label or the IP protocol numbers. - - o Grew the context tag from 20 bits to 32 bits, with the possibility - to grow it to 47 bits. This implies changes to the message - formats. - - o Almost by accident, the new shim6 message format is very close to - the HIP message format. - - o Adopted the HIP format for the options, since this makes it easier - to describe variable length options. The original, ND-style, - option format requires internal padding in the options to make - them 8 octet length in total, while the HIP format handles that - using the option length field. - - o Removed some of the control messages, and renamed the other ones. - - o Added a "generation" number to the Locator List option, so that - the peers can ensure that the preferences refer to the right - "version" of the Locator List. - - o In order for FBD and exploration to work when there the use of the - context is forked, that is different ULP messages are sent over - different locator pairs, things are a lot easier if there is only - one current locator pair used for each context. Thus the forking - of the context is now causing a new context to be established for - the same ULID; the new context having a new context tag. The - original context is referred to as the "default" context for the - ULID pair. - - o Added more background material and textual descriptions. - -Appendix D. Simplified State Machine +Appendix B. Simplified State Machine The states are defined in Section 6.2. The intent is that the stylized description below be consistent with the textual description in the specification, but should they conflict, the textual description is normative. The following table describes the possible actions in state IDLE and their respective triggers: +---------------------+---------------------------------------------+ @@ -4240,26 +4189,70 @@ +---------------------+---------------------------------------------+ | Trigger | Action | +---------------------+---------------------------------------------+ | Wait for | Go to IDLE | | ICMP_HOLDDOWN_TIME | | | | | | Any packet | Process as in IDLE | +---------------------+---------------------------------------------+ -Appendix D.1 Simplified State Machine diagram +Appendix B.1. Simplified State Machine diagram - For the time being, a pdf version of the state machine diagram can be - found at: http://www.it.uc3m.es/marcelo/state_machine.pdf + Timeout/Null +------------+ + I1/R1 +------------------| NO SUPPORT | + Payload or Control/R1bis | +------------+ + +---------+ | ^ + | | | ICMP Error/Null| + | V V | + +-----------------+ Timeout/Null +----------+ | + | |<---------------| E-FAILED | | + +-| IDLE | +----------+ | + I2 or I2bis/R2 | | | ^ | + | +-----------------+ (Tiemout#>MAX)/Null| | + | ^ | | | + | | +------+ | | + I2 or I2bis/R2 | | Heuristic/I1| I1/R2 | | + Payload/Null | | | Control/Null | | + I1/R1 or R2 | +--+ | Payload/Null | | + R1 or R2/Null | |Heuristic/Null | (Tiemout#| | + | ESTABLISHED |<----------------------------| I1-SENT | + | | | | + +-------------------+ +----------------+ + | ^ ^ | ^ ^ + | | |R2/Null +-------------+ | | + | | +----------+ |R1/I2 | | + | | | V | | + | | +------------------+ | | + | | | |-------------+ | + | | | I2-SENT | (Timeout#>Max)/I1 | + | | | | | + | | +------------------+ | + | | | ^ | + | | +--------------+ | + | | I1 or I2bis or I2 or Payload/R2 | + | | (Timeout#Max)/I1 | + | R2/Null| +------------------------------------------+ + | V | + | +-------------------+ + | | |<-+ (Timeout#| I2bis-SENT | | I1 or I2 or I2bis/R2 + R1bis/I2bis | |--+ R1 or R1bis/Null + +-------------------+ Payload/R2 -Appendix E. Context Tag Reuse +Appendix C. Context Tag Reuse The shim6 protocol doesn't have a mechanism for coordinated state removal between the peers, because such state removal doesn't seem to help given that a host can crash and reboot at any time. A result of this is that the protocol needs to be robust against a context tag being reused for some other context. This section summarizes the different cases in which a tag can be reused, and how the recovery works. The different cases are exemplified by the following case. Assume @@ -4275,43 +4268,43 @@ . We've called this "Context Recovery" in this document. o The context tag is reassigned to a context for a different ULID pair between the same to hosts, e.g., . We've called this "Context Confusion" in this document. o The context tag is reassigned to a context between B and other host C, for instance for the ULID pair . That is a form of three party context confusion. -Appendix E.1 Context Recovery +Appendix C.1. Context Recovery This case is relatively simple, and is discussed in Section 7.5. The observation is that since the ULID pair is the same, when either A or B tries to establish the new context, A can keep the old context while B re-creates the context with the same context tag CT(B) = X. -Appendix E.2 Context Confusion +Appendix C.2. Context Confusion This cases is a bit more complex, and is discussed in Section 7.6. When the new context is created, whether A or B initiates it, host A can detect when it receives B's locator set (in the I2, or R2 message), that it ends up with two contexts to the same peer host (overlapping Ls(peer) locator sets) that have the same context tag CT(peer) = X. At this point in time host A can clear up any possibility of causing confusion by not using the old context to send any more packets. It either just discards the old context (it might not be used by any ULP traffic, since B had discarded it), or it recreates a different context for the old ULID pair (), for which B will assign a unique CT(B) as part of the normal context establishment mechanism. -Appendix E.3 Three Party Context Confusion +Appendix C.3. Three Party Context Confusion The third case does not have a place where the old state on A can be verified, since the new context is established between B and C. Thus when B receives payload extension headers with X as the context tag, it will find the context for , hence rewrite the packets to have C3 in the source address field and B2 in the destination address field before passing them up to the ULP. This rewriting is correct when the packets are in fact sent by host C, but if host A ever happens to send a packet using the old context, then the ULP on A sends a packet with ULIDs and the packet arrives at the ULP @@ -4339,29 +4332,29 @@ In summary, there are cases where a context tag might be reused while some peer retains the state, but the protocol can recover from it. The probability of these events is low given the 47 bit context tag size. However, it is important that these recovery mechanisms be tested. Thus during development and testing it is recommended that implementations not use the full 47 bit space, but instead keep e.g. the top 40 bits as zero, only leaving the host with 128 unique context tags. This will help test the recovery mechanisms. -Appendix F. Design Alternatives +Appendix D. Design Alternatives This document has picked a certain set of design choices in order to try to work out a bunch of the details, and stimulate discussion. But as has been discussed on the mailing list, there are other choices that make sense. This appendix tries to enumerate some alternatives. -Appendix F.1 Context granularity +Appendix D.1. Context granularity Over the years various suggestions have been made whether the shim should, even if it operates at the IP layer, be aware of ULP connections and sessions, and as a result be able to make separate shim contexts for separate ULP connections and sessions. A few different options have been discussed: o Each ULP connection maps to its own shim context. o The shim is unaware of the ULP notion of connections and just @@ -4379,21 +4372,21 @@ that want different communication to use different locator pairs, for instance for quality or cost reasons. The protocol has a shim which operates with host-level granularity (strictly speaking, with ULID-pair granularity, to be able to amortize the context establishment over multiple ULP connections. This is combined with the ability for shim-aware ULPs to request context forking so that different ULP traffic can use different locator pairs. -Appendix F.2 Demultiplexing of data packets in shim6 communications +Appendix D.2. Demultiplexing of data packets in shim6 communications Once a ULID-pair context is established between two hosts, packets may carry locators that differ from the ULIDs presented to the ULPs using the established context. One of main functions of the SHIM6 layer is to perform the mapping between the locators used to forward packets through the network and the ULIDs presented to the ULP. In order to perform that translation for incoming packets, the SHIM6 layer needs to first identify which of the incoming packets need to be translated and then perform the mapping between locators and ULIDs using the associated context. Such operation is called @@ -4418,21 +4411,21 @@ packet to determine the shim context to be used to perform the operation. Two mechanisms for carrying the context tag information have been considered in depth during the shim protocol design. Those carrying the context tag in the flow label field of the IPv6 header and the usage of a new extension header to carry the context tag. In this appendix we will describe the pros and cons of each approach and justify the selected option. -Appendix F.2.1 Flow-label +Appendix D.2.1. Flow-label A possible approach is to carry the context tag in the Flow Label field of the IPv6 header. This means that when a shim6 context is established, a Flow Label value is associated with this context (and perhaps a separate flow label for each direction). The simplest approach that does this is to have the triple identify the context at the receiver. @@ -4528,21 +4521,21 @@ would be the preferred approach if the context tag is to be carried in the Flow Label field. This is not only because it imposes the minimum constraints to the Flow Label allocation strategies, limiting the restrictions only to those packets that need to be translated by the shim, but also because Context Loss detection mechanisms greatly benefit from the fact that shim data packets are identified as such, allowing the receiving end to identify if a shim context associated to a received packet is suppose to exist, as it will be discussed in the Context Loss detection appendix below. -Appendix F.2.2 Extension Header +Appendix D.2.2. Extension Header Another approach, which is the one selected for this protocol, is to carry the context tag in a new Extension Header. These context tags are allocated by the receiving end during the shim6 protocol initial negotiation, implying that each context will have two context tags, one for each direction. Data packets will be demultiplexed using the context tag carried in the Extension Header. This seems a clean approach since it does not overload existing fields. However, it introduces additional overhead in the packet due to the additional header. The additional overhead introduced is 8 octets. However, it @@ -4552,21 +4545,21 @@ ULIDs do not require a context tag, since no rewriting is necessary at the receiver. This approach would reduce the overhead, because the additional header is only required after a failure. On the other hand, this approach would cause changes in the available MTU for some packets, since packets that include the Extension Header will have an MTU 8 octets shorter. However, path changes through the network can result in different MTU in any case, thus having a locator change, which implies a path change, affect the MTU doesn't introduce any new issues. -Appendix F.3 Context Loss Detection +Appendix D.3. Context Loss Detection In this appendix we will present different approaches considered to detect context loss and potential context recovery strategies. The scenario being considered is the following: Node A and Node B are communicating using IPA1 and IPB1. Sometime later, a shim context is established between them, with IPA1 and IPB1 as ULIDs and IPA1,...,IPAn and IPB1,...,IPBm as locator set respectively. It may happen, that later on, one of the hosts, e.g. Host A looses the shim context. The reason for this can be that Host A has a more @@ -4666,21 +4659,21 @@ exchange and at this point time may be critical since we are reestablishing a context that is currently needed (because context loss detection may occur after a failure). So, another option, which is the one used in this protocol, is to replace the error message by a modified R1 message, so that the time required to perform the context establishment exchange can be reduced. Upon the reception of this modified R1 message, the end that still has the context state can finish the context establishment exchange and restore the lost context. -Appendix F.4 Securing locator sets +Appendix D.4. Securing locator sets The adoption of a protocol like SHIM that allows the binding of a given ULID with a set of locators opens the doors for different types of redirection attacks as described in [19]. The goal in terms of security for the design of the shim protocol is not to introduce any new vulnerability in the Internet architecture. It is a non-goal to provide additional protection than the currently available in the single-homed IPv6 Internet. Multiple security mechanisms were considered to protect the shim @@ -4789,21 +4782,21 @@ So, the design decision adopted was that both mechanisms HBA and CGA are supported, so that when only stable address sets are required, the nodes can benefit from the low computational cost offered by HBA while when dynamic locator sets are required, this can be achieved through CGAs with an additional cost. Moreover, because HBAs are defined as a CGA extension, the addresses available in a node can simultaneously be CGAs and HBAs, allowing the usage of the HBA and CGA functionality when needed without requiring a change in the addresses used. -Appendix F.5 ULID-pair context establishment exchange +Appendix D.5. ULID-pair context establishment exchange Two options were considered for the ULID-pair context establishment exchange: a 2-way handshake and a 4-way handshake. A key goal for the design of this exchange was that protection against DoS attacks. The attack under consideration was basically a situation where an attacker launches a great amount of ULID-pair establishment request packets, exhausting victim's resources, similar to TCP SYN flooding attacks. @@ -4837,36 +4830,36 @@ should be noted, that because this is 2-way exchange, it is not possible to use the number of half open sessions (as in TCP) to detect an ongoing attack and different heuristics need to be considered. The design decision taken was that considering the current impact of DoS attacks and the low impact of the 4-way exchange in the shim protocol thanks to the deferred context establishment capability, a 4-way exchange would be adopted for the base protocol. -Appendix F.6 Updating locator sets +Appendix D.6. Updating locator sets There are two possible approaches to the addition and removal of locators: atomic and differential approaches. The atomic approach essentially send the complete locators set each time that a variation in the locator set occurs. The differential approach send the differences between the existing locator set and the new one. The atomic approach imposes additional overhead, since all the locator set has to be exchanged each time while the differential approach requires re-synchronization of both ends through changes i.e. that both ends have the same idea about what the current locator set is. Because of the difficulties imposed by the synchronization requirement, the atomic approach was selected. -Appendix F.7 State Cleanup +Appendix D.7. State Cleanup There are essentially two approaches for discarding an existing state about locators, keys and identifiers of a correspondent node: a coordinated approach and an unilateral approach. In the unilateral approach, each node discards the information about the other node without coordination with the other node based on some local timers and heuristics. No packet exchange is required for this. In this case, it would be possible that one of the nodes has discarded the state while the other node still hasn't. In this case, @@ -4923,23 +4916,174 @@ coordinated approach using a CLOSE/CLOSE ACK exchange, there is still the possibility of a host rebooting without having the time to perform the CLOSE exchange. So, it is true that the coordinated approach eliminates the possibility of a context confusion situation because premature garbage collection, but it does not prevents the same situations due to a crash and reboot of one of the involved hosts. The result is that even if we went for a coordinated approach, we would still need to deal with context confusion and provide the means to detect and recover from this situations. +Appendix E. Change Log + + [RFC Editor: please remove this section] + + The following changes have been made since draft-ietf-shim6-proto-04: + + o Defined I1_RETRIES_MAX as 4. + + o Added text in section 7.9 clarifying the no per context state is + stored at the receiver in order to reply an I1 message. + + o Added text in section 5 and in section 5.14 in particular, on + defining additional options (including critical and non critical + options). + + o Added text in the security considerations about threats related to + secret S for generating the validators and recommendation to + change S periodically. + + o Added text in the security considerations about the effects of + attacks based on guessing the context tag being similar to + spoofing source addresses in the case of payload packets. + + o Added clarification on what a recent nonce is in I2 and I2bis. + + o Removed (empty) open issues section. + + o Editorial corrections. + + The following changes have been made since draft-ietf-shim6-proto-03: + + o Editorial clarifications based on comments from Geoff, Shinta, + Jari. + + o Added "no IPv6 NATs as an explicit assumption. + + o Moving some things out of the Introduction and Overview sections + to remove all SHOULDs and MUSTs from there. + + o Added requirement that any Locator Preference options which use an + element length greater than 3 octets have the already defined + first 3 octets of flags, priority and weight. + + o Fixed security hole where a single message (I1) could cause + CT(peer) to be updated. Now a three-way handshake is required + before CT(peer) is updated for an existing context. + + The following changes have been made since draft-ietf-shim6-proto-02: + + o Replaced the Context Error message with the R1bis message. + + o Removed the Packet In Error option, since it was only used in the + Context Error message. + + o Introduced a I2bis message which is sent in response to an I1bis + message, since the responders processing is quite in this case + than in the regular R1 case. + + o Moved the packet formats for the Keepalive and Probe message types + and Event option to [8]. Only the message type values and option + type value are specified for those in this document. + + o Removed the unused message types. + + o Added a state machine description as an appendix. + + o Filled in all the TBDs - except the IANA assignment of the + protocol number. + + o Specified how context recovery and forked contexts work together. + This required the introduction of a Forked Instance option to be + able to tell which of possibly forked instances is being + recovered. + + o Renamed the "host-pair context" to be "ULID-pair context". + + o Picked some initial retransmit timers for I1 and I2; 4 seconds. + + o Added timer values as protocol constants. The retransmit timers + use binary exponential backoff and randomization (between .5 and + 1.5 of the nominal value). + + o Require that the R1/R1bis verifiers be usable for some minimum + time so that the initiator knows for how long time it can safely + retransmit I2 before it needs to go back to sending I1 again. + Picked 30 seconds. + + o Split the message type codes into 0-63, which will not generate + R1bis messages, and 64-127 which will generate R1bis messages. + This allows extensibility of the protocol with new message types + while being able to control when R1bis is generated. + + o Expanded the context tag from 32 to 47 bits. + + o Specified that enough locators need to be included in I2 and R2 + messages. Specified that the HBA/CGA verification must be + performed when the locator set is received. + + o Specified that ICMP parameter problem errors are sent in certain + error cases, for instance when the verification method is unknown + to the receiver, or there is an unknown message type or option + type. + + o Renamed "payload message" to be "payload extension header". + + o Many editorial clarifications suggested by Geoff Huston. + + o Modified the dispatching of payload extension header to only + compare CT(local) i.e., not compare the source and destination + IPv6 address fields. + + The following changes have been made since draft-ietf-shim6-proto-00: + + o Removed the use of the flow label and the overloading of the IP + protocol numbers. Instead, when the locator pair is not the ULID + pair, the ULP payloads will be carried with an 8 octet extension + header. The belief is that it is possible to remove these extra + bytes by defining future shim6 extensions that exchange more + information between the hosts, without having to overload the flow + label or the IP protocol numbers. + + o Grew the context tag from 20 bits to 32 bits, with the possibility + to grow it to 47 bits. This implies changes to the message + formats. + + o Almost by accident, the new shim6 message format is very close to + the HIP message format. + + o Adopted the HIP format for the options, since this makes it easier + to describe variable length options. The original, ND-style, + option format requires internal padding in the options to make + them 8 octet length in total, while the HIP format handles that + using the option length field. + + o Removed some of the control messages, and renamed the other ones. + + o Added a "generation" number to the Locator List option, so that + the peers can ensure that the preferences refer to the right + "version" of the Locator List. + + o In order for FBD and exploration to work when there the use of the + context is forked, that is different ULP messages are sent over + different locator pairs, things are a lot easier if there is only + one current locator pair used for each context. Thus the forking + of the context is now causing a new context to be established for + the same ULID; the new context having a new context tag. The + original context is referred to as the "default" context for the + ULID pair. + + o Added more background material and textual descriptions. + 19. References -19.1 Normative References +19.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. [3] Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery for IP Version 6 (IPv6)", RFC 2461, December 1998. @@ -4954,21 +5098,21 @@ RFC 3972, March 2005. [7] Bagnulo, M., "Hash Based Addresses (HBA)", draft-ietf-shim6-hba-01 (work in progress), October 2005. [8] Arkko, J. and I. Beijnum, "Failure Detection and Locator Pair Exploration Protocol for IPv6 Multihoming", draft-ietf-shim6-failure-detection-03 (work in progress), December 2005. -19.2 Informative References +19.2. Informative References [9] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000. [10] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000. [11] Narten, T. and R. Draves, "Privacy Extensions for Stateless