draft-ietf-shim6-proto-07.txt   draft-ietf-shim6-proto-08.txt 
SHIM6 WG E. Nordmark SHIM6 WG E. Nordmark
Internet-Draft Sun Microsystems Internet-Draft Sun Microsystems
Expires: May 28, 2007 M. Bagnulo Expires: November 2, 2007 M. Bagnulo
UC3M UC3M
November 24, 2006 Shim6: Level 3 Multihoming Shim Protocol for IPv6
draft-ietf-shim6-proto-08.txt
Level 3 multihoming shim protocol
draft-ietf-shim6-proto-07.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 33
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 28, 2007. This Internet-Draft will expire on November 2, 2007.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The IETF Trust (2007).
Abstract Abstract
The SHIM6 protocol is a layer 3 shim for providing locator agility This document defines the Shim6 protocol, a layer 3 shim for
below the transport protocols, so that multihoming can be provided providing locator agility below the transport protocols, so that
for IPv6 with failover and load sharing properties, without assuming multihoming can be provided for IPv6 with failover and load sharing
that a multihomed site will have a provider independent IPv6 address properties, without assuming that a multihomed site will have a
prefix which is announced in the global IPv6 routing table. The provider independent IPv6 address prefix which is announced in the
hosts in a site which has multiple provider allocated IPv6 address global IPv6 routing table. The hosts in a site which has multiple
prefixes, will use the shim6 protocol specified in this document to provider allocated IPv6 address prefixes, will use the Shim6 protocol
setup state with peer hosts, so that the state can later be used to specified in this document to setup state with peer hosts, so that
failover to a different locator pair, should the original one stop the state can later be used to failover to a different locator pair,
working. should the original one stop working.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.1. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2. Non-Goals . . . . . . . . . . . . . . . . . . . . . . . . 6 1.2. Non-Goals . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. Locators as Upper-layer Identifiers . . . . . . . . . . . 6 1.3. Locators as Upper-layer IDentifiers (ULID) . . . . . . . 6
1.4. IP Multicast . . . . . . . . . . . . . . . . . . . . . . 7 1.4. IP Multicast . . . . . . . . . . . . . . . . . . . . . . 7
1.5. Renumbering Implications . . . . . . . . . . . . . . . . 8 1.5. Renumbering Implications . . . . . . . . . . . . . . . . 8
1.6. Placement of the shim . . . . . . . . . . . . . . . . . . 9 1.6. Placement of the shim . . . . . . . . . . . . . . . . . . 9
1.7. Traffic Engineering . . . . . . . . . . . . . . . . . . . 10 1.7. Traffic Engineering . . . . . . . . . . . . . . . . . . . 11
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 12 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 12 2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 12
2.2. Notational Conventions . . . . . . . . . . . . . . . . . 15 2.2. Notational Conventions . . . . . . . . . . . . . . . . . 15
3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 16 3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 16
4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 17 4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 17
4.1. Context Tags . . . . . . . . . . . . . . . . . . . . . . 19 4.1. Context Tags . . . . . . . . . . . . . . . . . . . . . . 19
4.2. Context Forking . . . . . . . . . . . . . . . . . . . . . 19 4.2. Context Forking . . . . . . . . . . . . . . . . . . . . . 19
4.3. API Extensions . . . . . . . . . . . . . . . . . . . . . 20 4.3. API Extensions . . . . . . . . . . . . . . . . . . . . . 20
4.4. Securing shim6 . . . . . . . . . . . . . . . . . . . . . 20 4.4. Securing Shim6 . . . . . . . . . . . . . . . . . . . . . 20
4.5. Overview of Shim Control Messages . . . . . . . . . . . . 21 4.5. Overview of Shim Control Messages . . . . . . . . . . . . 21
4.6. Extension Header Order . . . . . . . . . . . . . . . . . 22 4.6. Extension Header Order . . . . . . . . . . . . . . . . . 22
5. Message Formats . . . . . . . . . . . . . . . . . . . . . . . 24 5. Message Formats . . . . . . . . . . . . . . . . . . . . . . . 24
5.1. Common shim6 Message Format . . . . . . . . . . . . . . . 24 5.1. Common Shim6 Message Format . . . . . . . . . . . . . . . 24
5.2. Payload Extension Header Format . . . . . . . . . . . . . 24 5.2. Payload Extension Header Format . . . . . . . . . . . . . 25
5.3. Common Shim6 Control header . . . . . . . . . . . . . . . 25 5.3. Common Shim6 Control header . . . . . . . . . . . . . . . 25
5.4. I1 Message Format . . . . . . . . . . . . . . . . . . . . 27 5.4. I1 Message Format . . . . . . . . . . . . . . . . . . . . 27
5.5. R1 Message Format . . . . . . . . . . . . . . . . . . . . 28 5.5. R1 Message Format . . . . . . . . . . . . . . . . . . . . 28
5.6. I2 Message Format . . . . . . . . . . . . . . . . . . . . 29 5.6. I2 Message Format . . . . . . . . . . . . . . . . . . . . 30
5.7. R2 Message Format . . . . . . . . . . . . . . . . . . . . 31 5.7. R2 Message Format . . . . . . . . . . . . . . . . . . . . 32
5.8. R1bis Message Format . . . . . . . . . . . . . . . . . . 33 5.8. R1bis Message Format . . . . . . . . . . . . . . . . . . 33
5.9. I2bis Message Format . . . . . . . . . . . . . . . . . . 34 5.9. I2bis Message Format . . . . . . . . . . . . . . . . . . 34
5.10. Update Request Message Format . . . . . . . . . . . . . . 36 5.10. Update Request Message Format . . . . . . . . . . . . . . 36
5.11. Update Acknowledgement Message Format . . . . . . . . . . 38 5.11. Update Acknowledgement Message Format . . . . . . . . . . 38
5.12. Keepalive Message Format . . . . . . . . . . . . . . . . 39 5.12. Keepalive Message Format . . . . . . . . . . . . . . . . 39
5.13. Probe Message Format . . . . . . . . . . . . . . . . . . 39 5.13. Probe Message Format . . . . . . . . . . . . . . . . . . 39
5.14. Option Formats . . . . . . . . . . . . . . . . . . . . . 40 5.14. Error Message Format . . . . . . . . . . . . . . . . . . 40
5.14.1. Responder Validator Option Format . . . . . . . . . 42 5.15. Option Formats . . . . . . . . . . . . . . . . . . . . . 41
5.14.2. Locator List Option Format . . . . . . . . . . . . . 42 5.15.1. Responder Validator Option Format . . . . . . . . . 43
5.14.3. Locator Preferences Option Format . . . . . . . . . 44 5.15.2. Locator List Option Format . . . . . . . . . . . . . 44
5.14.4. CGA Parameter Data Structure Option Format . . . . . 46 5.15.3. Locator Preferences Option Format . . . . . . . . . 46
5.14.5. CGA Signature Option Format . . . . . . . . . . . . 46 5.15.4. CGA Parameter Data Structure Option Format . . . . . 48
5.14.6. ULID Pair Option Format . . . . . . . . . . . . . . 47 5.15.5. CGA Signature Option Format . . . . . . . . . . . . 48
5.14.7. Forked Instance Identifier Option Format . . . . . . 48 5.15.6. ULID Pair Option Format . . . . . . . . . . . . . . 49
5.14.8. Keepalive Timeout Option Format . . . . . . . . . . 48 5.15.7. Forked Instance Identifier Option Format . . . . . . 50
6. Conceptual Model of a Host . . . . . . . . . . . . . . . . . 49 5.15.8. Keepalive Timeout Option Format . . . . . . . . . . 50
6.1. Conceptual Data Structures . . . . . . . . . . . . . . . 49 6. Conceptual Model of a Host . . . . . . . . . . . . . . . . . 51
6.2. Context States . . . . . . . . . . . . . . . . . . . . . 50 6.1. Conceptual Data Structures . . . . . . . . . . . . . . . 51
7. Establishing ULID-Pair Contexts . . . . . . . . . . . . . . . 52 6.2. Context States . . . . . . . . . . . . . . . . . . . . . 52
7.1. Uniqueness of Context Tags . . . . . . . . . . . . . . . 52 7. Establishing ULID-Pair Contexts . . . . . . . . . . . . . . . 54
7.2. Locator Verification . . . . . . . . . . . . . . . . . . 52 7.1. Uniqueness of Context Tags . . . . . . . . . . . . . . . 54
7.3. Normal context establishment . . . . . . . . . . . . . . 53 7.2. Locator Verification . . . . . . . . . . . . . . . . . . 54
7.4. Concurrent context establishment . . . . . . . . . . . . 53 7.3. Normal context establishment . . . . . . . . . . . . . . 55
7.5. Context recovery . . . . . . . . . . . . . . . . . . . . 55 7.4. Concurrent context establishment . . . . . . . . . . . . 55
7.6. Context confusion . . . . . . . . . . . . . . . . . . . . 57 7.5. Context recovery . . . . . . . . . . . . . . . . . . . . 57
7.7. Sending I1 messages . . . . . . . . . . . . . . . . . . . 58 7.6. Context confusion . . . . . . . . . . . . . . . . . . . . 59
7.8. Retransmitting I1 messages . . . . . . . . . . . . . . . 58 7.7. Sending I1 messages . . . . . . . . . . . . . . . . . . . 60
7.9. Receiving I1 messages . . . . . . . . . . . . . . . . . . 59 7.8. Retransmitting I1 messages . . . . . . . . . . . . . . . 61
7.10. Sending R1 messages . . . . . . . . . . . . . . . . . . . 60 7.9. Receiving I1 messages . . . . . . . . . . . . . . . . . . 61
7.10.1. Generating the R1 Validator . . . . . . . . . . . . 60 7.10. Sending R1 messages . . . . . . . . . . . . . . . . . . . 62
7.11. Receiving R1 messages and sending I2 messages . . . . . . 61 7.10.1. Generating the R1 Validator . . . . . . . . . . . . 63
7.12. Retransmitting I2 messages . . . . . . . . . . . . . . . 62 7.11. Receiving R1 messages and sending I2 messages . . . . . . 63
7.13. Receiving I2 messages . . . . . . . . . . . . . . . . . . 62 7.12. Retransmitting I2 messages . . . . . . . . . . . . . . . 64
7.14. Sending R2 messages . . . . . . . . . . . . . . . . . . . 64 7.13. Receiving I2 messages . . . . . . . . . . . . . . . . . . 64
7.15. Match for Context Confusion . . . . . . . . . . . . . . . 64 7.14. Sending R2 messages . . . . . . . . . . . . . . . . . . . 66
7.16. Receiving R2 messages . . . . . . . . . . . . . . . . . . 65 7.15. Match for Context Confusion . . . . . . . . . . . . . . . 66
7.17. Sending R1bis messages . . . . . . . . . . . . . . . . . 66 7.16. Receiving R2 messages . . . . . . . . . . . . . . . . . . 67
7.17.1. Generating the R1bis Validator . . . . . . . . . . . 66 7.17. Sending R1bis messages . . . . . . . . . . . . . . . . . 68
7.18. Receiving R1bis messages and sending I2bis messages . . . 67 7.17.1. Generating the R1bis Validator . . . . . . . . . . . 69
7.19. Retransmitting I2bis messages . . . . . . . . . . . . . . 68 7.18. Receiving R1bis messages and sending I2bis messages . . . 69
7.20. Receiving I2bis messages and sending R2 messages . . . . 68 7.19. Retransmitting I2bis messages . . . . . . . . . . . . . . 70
8. Handling ICMP Error Messages . . . . . . . . . . . . . . . . 70 7.20. Receiving I2bis messages and sending R2 messages . . . . 70
9. Teardown of the ULID-Pair Context . . . . . . . . . . . . . . 72 8. Handling ICMP Error Messages . . . . . . . . . . . . . . . . 73
10. Updating the Peer . . . . . . . . . . . . . . . . . . . . . . 73 9. Teardown of the ULID-Pair Context . . . . . . . . . . . . . . 75
10.1. Sending Update Request messages . . . . . . . . . . . . . 73 10. Updating the Peer . . . . . . . . . . . . . . . . . . . . . . 76
10.2. Retransmitting Update Request messages . . . . . . . . . 73 10.1. Sending Update Request messages . . . . . . . . . . . . . 76
10.3. Newer Information While Retransmitting . . . . . . . . . 74 10.2. Retransmitting Update Request messages . . . . . . . . . 76
10.4. Receiving Update Request messages . . . . . . . . . . . . 74 10.3. Newer Information While Retransmitting . . . . . . . . . 77
10.5. Receiving Update Acknowledgement messages . . . . . . . . 76 10.4. Receiving Update Request messages . . . . . . . . . . . . 77
11. Sending ULP Payloads . . . . . . . . . . . . . . . . . . . . 77 10.5. Receiving Update Acknowledgement messages . . . . . . . . 79
11.1. Sending ULP Payload after a Switch . . . . . . . . . . . 77 11. Sending ULP Payloads . . . . . . . . . . . . . . . . . . . . 80
12. Receiving Packets . . . . . . . . . . . . . . . . . . . . . . 79 11.1. Sending ULP Payload after a Switch . . . . . . . . . . . 80
12.1. Receiving Payload Extension Headers . . . . . . . . . . . 79 12. Receiving Packets . . . . . . . . . . . . . . . . . . . . . . 82
12.2. Receiving Shim Control messages . . . . . . . . . . . . . 79 12.1. Receiving payload without extension headers . . . . . . . 82
12.3. Context Lookup . . . . . . . . . . . . . . . . . . . . . 80 12.2. Receiving Payload Extension Headers . . . . . . . . . . . 82
13. Initial Contact . . . . . . . . . . . . . . . . . . . . . . . 82 12.3. Receiving Shim Control messages . . . . . . . . . . . . . 83
14. Protocol constants . . . . . . . . . . . . . . . . . . . . . 83 12.4. Context Lookup . . . . . . . . . . . . . . . . . . . . . 83
15. Implications Elsewhere . . . . . . . . . . . . . . . . . . . 84 13. Initial Contact . . . . . . . . . . . . . . . . . . . . . . . 86
16. Security Considerations . . . . . . . . . . . . . . . . . . . 86 14. Protocol constants . . . . . . . . . . . . . . . . . . . . . 87
17. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 89 15. Implications Elsewhere . . . . . . . . . . . . . . . . . . . 88
18. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 91 15.1. Congestion Control Considerations . . . . . . . . . . . . 88
Appendix A. Possible Protocol Extensions . . . . . . . . . . 92 15.2. Middle-boxes considerations . . . . . . . . . . . . . . . 88
Appendix B. Simplified State Machine . . . . . . . . . . . . 94 15.3. Other considerations . . . . . . . . . . . . . . . . . . 89
Appendix B.1. Simplified State Machine diagram . . . . . . . . 100 16. Security Considerations . . . . . . . . . . . . . . . . . . . 91
Appendix C. Context Tag Reuse . . . . . . . . . . . . . . . . 101 17. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 94
Appendix C.1. Context Recovery . . . . . . . . . . . . . . . . 101 18. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 96
Appendix C.2. Context Confusion . . . . . . . . . . . . . . . . 101 Appendix A. Possible Protocol Extensions . . . . . . . . . . 97
Appendix C.3. Three Party Context Confusion . . . . . . . . . . 102 Appendix B. Simplified State Machine . . . . . . . . . . . . 99
Appendix D. Design Alternatives . . . . . . . . . . . . . . . 103 Appendix B.1. Simplified State Machine diagram . . . . . . . . 104
Appendix D.1. Context granularity . . . . . . . . . . . . . . . 103 Appendix C. Context Tag Reuse . . . . . . . . . . . . . . . . 106
Appendix D.2. Demultiplexing of data packets in shim6 Appendix C.1. Context Recovery . . . . . . . . . . . . . . . . 106
communications . . . . . . . . . . . . . . . . . 103 Appendix C.2. Context Confusion . . . . . . . . . . . . . . . . 106
Appendix D.2.1. Flow-label . . . . . . . . . . . . . . . . . . . 104 Appendix C.3. Three Party Context Confusion . . . . . . . . . . 107
Appendix D.2.2. Extension Header . . . . . . . . . . . . . . . . 106 Appendix D. Design Alternatives . . . . . . . . . . . . . . . 108
Appendix D.3. Context Loss Detection . . . . . . . . . . . . . 107 Appendix D.1. Context granularity . . . . . . . . . . . . . . . 108
Appendix D.4. Securing locator sets . . . . . . . . . . . . . . 109 Appendix D.2. Demultiplexing of data packets in Shim6
Appendix D.5. ULID-pair context establishment exchange . . . . 112 communications . . . . . . . . . . . . . . . . . 108
Appendix D.6. Updating locator sets . . . . . . . . . . . . . . 113 Appendix D.2.1. Flow-label . . . . . . . . . . . . . . . . . . . 109
Appendix D.7. State Cleanup . . . . . . . . . . . . . . . . . . 113 Appendix D.2.2. Extension Header . . . . . . . . . . . . . . . . 111
Appendix E. Change Log . . . . . . . . . . . . . . . . . . . 116 Appendix D.3. Context Loss Detection . . . . . . . . . . . . . 112
19. References . . . . . . . . . . . . . . . . . . . . . . . . . 120 Appendix D.4. Securing locator sets . . . . . . . . . . . . . . 114
19.1. Normative References . . . . . . . . . . . . . . . . . . 120 Appendix D.5. ULID-pair context establishment exchange . . . . 117
19.2. Informative References . . . . . . . . . . . . . . . . . 120 Appendix D.6. Updating locator sets . . . . . . . . . . . . . . 118
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 123 Appendix D.7. State Cleanup . . . . . . . . . . . . . . . . . . 118
Intellectual Property and Copyright Statements . . . . . . . . . 124 Appendix E. Change Log . . . . . . . . . . . . . . . . . . . 121
19. References . . . . . . . . . . . . . . . . . . . . . . . . . 127
19.1. Normative References . . . . . . . . . . . . . . . . . . 127
19.2. Informative References . . . . . . . . . . . . . . . . . 127
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 130
Intellectual Property and Copyright Statements . . . . . . . . . 131
1. Introduction 1. Introduction
This document describes a layer 3 shim approach and protocol for This document describes a layer 3 shim approach and protocol for
providing locator agility below the transport protocols, so that providing locator agility below the transport protocols, so that
multihoming can be provided for IPv6 with failover and load sharing multihoming can be provided for IPv6 with failover and load sharing
properties [16], without assuming that a multihomed site will have a properties [16], without assuming that a multihomed site will have a
provider independent IPv6 address which is announced in the global provider independent IPv6 address which is announced in the global
IPv6 routing table. The hosts in a site which has multiple provider IPv6 routing table. The hosts in a site which has multiple provider
allocated IPv6 address prefixes, will use the shim6 protocol allocated IPv6 address prefixes, will use the Shim6 protocol
specified in this document to setup state with peer hosts, so that specified in this document to setup state with peer hosts, so that
the state can later be used to failover to a different locator pair, the state can later be used to failover to a different locator pair,
should the original one stop working. should the original one stop working (the term locator is defined in
Section 2).
We assume that redirection attacks are prevented using the mechanism The Shim6 protocol is a site multihoming solution in the sense that
specified in HBA [8]. it allows existing communication to continue when a site that has
multiple connections to the internet experiences an outage on a
subset of these connections or further upstream. However, Shim6
processing is performed in individual hosts rather than through site-
wide mechanisms.
We assume that redirection attacks are prevented using Hash Based
Addresses (HBA) as defined in [8].
The reachability and failure detection mechanisms, including how a The reachability and failure detection mechanisms, including how a
new working locator pair is discovered after a failure, are specified new working locator pair is discovered after a failure, are specified
in a separate document [9]. This document allocates message types in a separate document [9]. This document allocates message types
and option types for that sub-protocol, and leaves the specification and option types for that sub-protocol, and leaves the specification
of the message and option formats as well as the protocol behavior to of the message and option formats as well as the protocol behavior to
that document. that document.
1.1. Goals 1.1. Goals
The goals for this approach are to: The goals for this approach are to:
o Preserve established communications in the presence of certain o Preserve established communications in the presence of certain
classes of failures, for example, TCP connections and UDP streams. classes of failures, for example, TCP connections and UDP streams.
o Have minimal impact on upper layer protocols in general and on o Have minimal impact on upper layer protocols in general and on
transport protocols in particular. transport protocols and applications in particular.
o Address the security threats in [20] through the combination of o Address the security threats in [20] through the combination of
the HBA/CGA approach specified in a separate document [8] and the HBA/CGA approach specified in a separate document [8] and
techniques described in this document. techniques described in this document.
o Not require extra roundtrip up front to setup shim specific state. o Not require extra roundtrip up front to setup shim specific state.
Instead allow the upper layer traffic (e.g., TCP) to flow as Instead allow the upper layer traffic (e.g., TCP) to flow as
normal and defer the setup of the shim state until some number of normal and defer the setup of the shim state until some number of
packets have been exchanged. packets have been exchanged.
skipping to change at page 6, line 20 skipping to change at page 6, line 28
The assumption is that the problem we are trying to solve is site The assumption is that the problem we are trying to solve is site
multihoming, with the ability to have the set of site prefixes change multihoming, with the ability to have the set of site prefixes change
over time due to site renumbering. Further, we assume that such over time due to site renumbering. Further, we assume that such
changes to the set of locator prefixes can be relatively slow and changes to the set of locator prefixes can be relatively slow and
managed; slow enough to allow updates to the DNS to propagate (since managed; slow enough to allow updates to the DNS to propagate (since
the protocol defined in this document depends on the DNS to find the the protocol defined in this document depends on the DNS to find the
appropriate locator sets). Note, however that it is an explicit non- appropriate locator sets). Note, however that it is an explicit non-
goal to make communication survive a renumbering event (which causes goal to make communication survive a renumbering event (which causes
all the locators of a host to change to a new set of locators). This all the locators of a host to change to a new set of locators). This
proposal does not attempt to solve the related problem of host proposal does not attempt to solve the related problem of host
mobility. However, it might turn out that the shim6 protocol can be mobility. However, it might turn out that the Shim6 protocol can be
a useful component for future host mobility solutions, e.g., for a useful component for future host mobility solutions, e.g., for
route optimization. route optimization.
Finally, this proposal also does not try to provide a new network Finally, this proposal also does not try to provide a new network
level or transport level identifier name space distinct from the level or transport level identifier name space distinct from the
current IP address name space. Even though such a concept would be current IP address name space. Even though such a concept would be
useful to Upper Layer Protocols (ULPs) and applications, especially useful to Upper Layer Protocols (ULPs) and applications, especially
if the management burden for such a name space was negligible and if the management burden for such a name space was negligible and
there was an efficient yet secure mechanism to map from identifiers there was an efficient yet secure mechanism to map from identifiers
to locators, such a name space isn't necessary (and furthermore to locators, such a name space isn't necessary (and furthermore
doesn't seem to help) to solve the multihoming problem. doesn't seem to help) to solve the multihoming problem.
1.3. Locators as Upper-layer Identifiers The Shim6 proposal doesn't fully separate the identifier and locator
functions that have traditionally been overloaded in the IP address.
However, throughout this document the term "identifier", or more
specifically, Upper Layer Identifier (ULID) refers to the identifying
function of an IPv6 address, and "locator" to the network layer
routing and forwarding properties of an IPv6 address.
1.3. Locators as Upper-layer IDentifiers (ULID)
The approach described in this document does not introduce a new The approach described in this document does not introduce a new
identifier name space but instead uses the locator that is selected identifier name space but instead uses the locator that is selected
in the initial contact with the remote peer as the preserved Upper- in the initial contact with the remote peer as the preserved Upper-
Layer Identifier (ULID). While there may be subsequent changes in Layer Identifier (ULID). While there may be subsequent changes in
the selected network level locators over time in response to failures the selected network level locators over time in response to failures
in using the original locator, the upper level protocol stack in using the original locator, the upper level protocol stack
elements will continue to use this upper level identifier without elements will continue to use this upper level identifier without
change. change.
This implies that the ULID selection is performed as today's default This implies that the ULID selection is performed as today's default
address selection as specified in RFC 3484 [13]. Some extensions are address selection as specified in RFC 3484 [13]. Some extensions are
needed to RFC 3484 to try different source addresses, whether or not needed to RFC 3484 to try different source addresses, whether or not
the shim6 protocol is used, as outlined in [14]. Underneath, and the Shim6 protocol is used, as outlined in [14]. Underneath, and
transparently, the multihoming shim selects working locator pairs transparently, the multihoming shim selects working locator pairs
with the initial locator pair being the ULID pair. If communication with the initial locator pair being the ULID pair. If communication
subsequently fails the shim can test and select alternate locators. subsequently fails the shim can test and select alternate locators.
A subsequent section discusses the issues when the selected ULID is A subsequent section discusses the issues when the selected ULID is
not initially working hence there is a need to switch locators up not initially working hence there is a need to switch locators up
front. front.
Using one of the locators as the ULID has certain benefits for Using one of the locators as the ULID has certain benefits for
applications which have long-lived session state or performs applications which have long-lived session state or performs
callbacks or referrals, because both the FQDN and the 128-bit ULID callbacks or referrals, because both the FQDN and the 128-bit ULID
work as handles for the applications. However, using a single 128- work as handles for the applications. However, using a single 128-
bit ULID doesn't provide seamless communication when that locator is bit ULID doesn't provide seamless communication when that locator is
unreachable. See [23] for further discussion of the application unreachable. See [23] for further discussion of the application
implications. implications.
There has been some discussion of using non-routable addresses, such There has been some discussion of using non-routable addresses, such
as Unique-Local Addresses (ULAs) [19], as ULIDs in a multihoming as Unique-Local Addresses (ULAs) [19], as ULIDs in a multihoming
solution. While this document doesn't specify all aspects of this, solution. While this document doesn't specify all aspects of this,
it is believed that the approach can be extended to handle the non- it is believed that the approach can be extended to handle the non-
routable address case.. For example, the protocol already needs to routable address case. For example, the protocol already needs to
handle ULIDs that are not initially reachable. Thus the same handle ULIDs that are not initially reachable. Thus the same
mechanism can handle ULIDs that are permanently unreachable from mechanism can handle ULIDs that are permanently unreachable from
outside their site. The issue becomes how to make the protocol outside their site. The issue becomes how to make the protocol
perform well when the ULID is known a priori to be not reachable perform well when the ULID is known a priori to be not reachable
(e.g., the ULID is a ULA), for instance, avoiding any timeout and (e.g. the ULID is a ULA), for instance, avoiding any timeout and
retries in this case. In addition one would need to understand how retries in this case. In addition one would need to understand how
the ULAs would be entered in the DNS to avoid a performance impact on the ULAs would be entered in the DNS to avoid a performance impact on
existing, non-shim6 aware, IPv6 hosts potentially trying to existing, non-Shim6 aware, IPv6 hosts potentially trying to
communicate to the (unreachable) ULA. communicate to the (unreachable) ULA.
1.4. IP Multicast 1.4. IP Multicast
IP Multicast requires that the IP source address field contain a IP Multicast requires that the IP source address field contain a
topologically correct locator for interface that is used to send the topologically correct locator for interface that is used to send the
packet, since IP multicast routing uses both the source address and packet, since IP multicast routing uses both the source address and
the destination group to determine where to forward the packet. In the destination group to determine where to forward the packet. In
particular, it need to be able to do the RPF check. (This isn't much particular, it need to be able to do the RPF check. (This isn't much
different than the situation with widely implemented ingress different than the situation with widely implemented ingress
skipping to change at page 8, line 23 skipping to change at page 8, line 38
survive renumbering in the general case. survive renumbering in the general case.
When a host is renumbered, the effect is that one or more locators When a host is renumbered, the effect is that one or more locators
become invalid, and zero or more locators are added to the host's become invalid, and zero or more locators are added to the host's
network interface. This means that the set of locators that is used network interface. This means that the set of locators that is used
in the shim will change, which the shim can handle as long as not all in the shim will change, which the shim can handle as long as not all
the original locators become invalid at the same time and depending the original locators become invalid at the same time and depending
on the time that is required to update the DNS and for those updates on the time that is required to update the DNS and for those updates
to propagate. to propagate.
But IP addresses are also used as ULID, and making the communication But IP addresses are also used as ULIDs, and making the communication
survive locators becoming invalid can potentially cause some survive locators becoming invalid can potentially cause some
confusion at the upper layers. The fact that a ULID might be used confusion at the upper layers. The fact that a ULID might be used
with a different locator over time open up the possibility that with a different locator over time open up the possibility that
communication between two ULIDs might continue to work after one or communication between two ULIDs might continue to work after one or
both of those ULIDs are no longer reachable as locators, for example both of those ULIDs are no longer reachable as locators, for example
due to a renumbering event. This opens up the possibility that the due to a renumbering event. This opens up the possibility that the
ULID (or at least the prefix on which it is based) is reassigned to ULID (or at least the prefix on which it is based) is reassigned to
another site while it is still being used (with another locator) for another site while it is still being used (with another locator) for
existing communication. existing communication.
skipping to change at page 9, line 16 skipping to change at page 9, line 24
----------------------- -----------------------
| Transport Protocols | | Transport Protocols |
----------------------- -----------------------
------ ------- -------------- ------------- IP endpoint ------ ------- -------------- ------------- IP endpoint
| AH | | ESP | | Frag/reass | | Dest opts | sub-layer | AH | | ESP | | Frag/reass | | Dest opts | sub-layer
------ ------- -------------- ------------- ------ ------- -------------- -------------
--------------------- ---------------------
| shim6 shim layer | | Shim6 shim layer |
--------------------- ---------------------
------ IP routing ------ IP routing
| IP | sub-layer | IP | sub-layer
------ ------
Figure 1: Protocol stack Figure 1: Protocol stack
The proposal uses a multihoming shim layer within the IP layer, i.e., The proposal uses a multihoming shim layer within the IP layer, i.e.,
below the ULPs, as shown in Figure 1, in order to provide ULP below the ULPs, as shown in Figure 1, in order to provide ULP
skipping to change at page 9, line 49 skipping to change at page 10, line 8
Layering the fragmentation header above the multihoming shim makes Layering the fragmentation header above the multihoming shim makes
reassembly robust in the case that there is broken multi-path routing reassembly robust in the case that there is broken multi-path routing
which results in using different paths, hence potentially different which results in using different paths, hence potentially different
source locators, for different fragments. Thus, effectively the source locators, for different fragments. Thus, effectively the
multihoming shim layer is placed between the IP endpoint sublayer, multihoming shim layer is placed between the IP endpoint sublayer,
which handles fragmentation, reassembly, and IPsec, and the IP which handles fragmentation, reassembly, and IPsec, and the IP
routing sublayer, which selects which next hop and interface to use routing sublayer, which selects which next hop and interface to use
for sending out packets. for sending out packets.
Applications and upper layer protocols use ULIDs which the shim6 Applications and upper layer protocols use ULIDs which the Shim6
layer map to/from different locators. The shim6 layer maintains layer map to/from different locators. The Shim6 layer maintains
state, called ULID-pair context, per ULID pairs (that is, applies to state, called ULID-pair context, per ULID pair (that is, applies to
all ULP connections between the ULID pair) in order to perform this all ULP connections between the ULID pair) in order to perform this
mapping. The mapping is performed consistently at the sender and the mapping. The mapping is performed consistently at the sender and the
receiver so that ULPs see packets that appear to be sent using ULIDs receiver so that ULPs see packets that appear to be sent using ULIDs
from end to end. This property is maintained even though the packets from end to end. This property is maintained even though the packets
travel through the network containing locators in the IP address travel through the network containing locators in the IP address
fields, and even though those locators may be changed by the fields, and even though those locators may be changed by the
transmitting shim6 layer. . transmitting Shim6 layer.
The context state is maintained per remote ULID i.e. approximately The context state is maintained per remote ULID i.e. approximately
per peer host, and not at any finer granularity. In particular, it per peer host, and not at any finer granularity. In particular, it
is independent of the ULPs and any ULP connections. However, the is independent of the ULPs and any ULP connections. However, the
forking capability enables shim-aware ULPs to use more than one forking capability enables shim-aware ULPs to use more than one
locator pair at a time for an single ULID pair. locator pair at a time for an single ULID pair.
---------------------------- ---------------------------- ---------------------------- ----------------------------
| Sender A | | Receiver B | | Sender A | | Receiver B |
| | | | | | | |
skipping to change at page 11, line 4 skipping to change at page 11, line 12
be carried in the packets once the compression state has been be carried in the packets once the compression state has been
established. In order for the receiver to recreate a packet with the established. In order for the receiver to recreate a packet with the
correct ULIDs there is a need to include some "compression tag" in correct ULIDs there is a need to include some "compression tag" in
the data packets. This serves to indicate the correct context to use the data packets. This serves to indicate the correct context to use
for decompression when the locator pair in the packet is insufficient for decompression when the locator pair in the packet is insufficient
to uniquely identify the context. to uniquely identify the context.
1.7. Traffic Engineering 1.7. Traffic Engineering
At the time of this writing it is not clear what requirements for At the time of this writing it is not clear what requirements for
traffic engineering make sense for the shim6 protocol, since the traffic engineering make sense for the Shim6 protocol, since the
requirements must both result in some useful behavior as well as be requirements must both result in some useful behavior as well as be
implementable using a host-to-host locator agility mechanism like implementable using a host-to-host locator agility mechanism like
shim6. Shim6.
Inherent in a scalable multihoming mechanism that separates locators Inherent in a scalable multihoming mechanism that separates the
from identifiers is that each host ends up with multiple locators. locator function of the IP address from identifying function of the
This means that at least for initial contact, it is the remote peer IP address is that each host ends up with multiple locators. This
that needs to select which peer locator to try first. In the case of means that at least for initial contact, it is the remote peer
shim6 this is performed by applying RFC 3484 address selection. application (or layer working on its behalf) needs to select an
initial ULID, which automatically becomes the initial locator. In
the case of Shim6 this is performed by applying RFC 3484 address
selection.
This is quite different than the common case of IPv4 multihoming This is quite different than the common case of IPv4 multihoming
where the site has a single IP address prefix, since in that case the where the site has a single IP address prefix, since in that case the
peer performs no destination address selection. peer performs no destination address selection.
Thus in "single prefix multihoming" the site, and in many cases its Thus in "single prefix multihoming" the site, and in many cases its
upstream ISPs, can use BGP to exert some control of the ingress path upstream ISPs, can use BGP to exert some control of the ingress path
used to reach the site. This capability can't easily be recreated in used to reach the site. This capability can't easily be recreated in
"multiple prefix multihoming" such as shim6. "multiple prefix multihoming" such as Shim6.
The protocol provides a placeholder, in the form of the Locator The protocol provides a placeholder, in the form of the Locator
Preferences option, which can be used by hosts to express priority Preferences option, which can be used by hosts to express priority
and weight values for each locator. This is intentionally made and weight values for each locator. This is intentionally made
identical to the DNS SRV [10] specification of priority and weight, identical to the DNS SRV [10] specification of priority and weight,
so that DNS SRV records can be used for initial contact and the shim so that DNS SRV records can be used for initial contact and the shim
for failover, and they can use the same way to describe the for failover, and they can use the same way to describe the
preferences. But the Locator Preference option is merely a place preferences. But the Locator Preference option is merely a place
holder when it comes to providing traffic engineering; in order to holder when it comes to providing traffic engineering; in order to
use this in a large site there would have to be a mechanism by which use this in a large site there would have to be a mechanism by which
the host can find out what preference values to use, either the host can find out what preference values to use, either
statically (e.g., some new DHCPv6 option) or dynamically. statically (e.g., some new DHCPv6 option) or dynamically.
Thus traffic engineering is listed as a possible extension in Thus traffic engineering is listed as a possible extension in
Appendix A. Appendix A.
2. Terminology 2. Terminology
This document uses the terms MUST, SHOULD, RECOMMENDED, MAY, SHOULD This document uses the terms MUST, SHOULD, RECOMMENDED, MAY, SHOULD
NOT and MUST NOT defined in RFC 2119 [1]. The terms defined in RFC NOT and MUST NOT defined in RFC 2119 [1].
2460 [2] are also used.
2.1. Definitions 2.1. Definitions
This document introduces the following terms: This document introduces the following terms:
upper layer protocol (ULP) upper layer protocol (ULP)
A protocol layer immediately above IP. Examples A protocol layer immediately above IP. Examples
are transport protocols such as TCP and UDP, are transport protocols such as TCP and UDP,
control protocols such as ICMP, routing protocols control protocols such as ICMP, routing protocols
such as OSPF, and internet or lower-layer such as OSPF, and internet or lower-layer
skipping to change at page 16, line 7 skipping to change at page 16, line 7
implementation must allow system administrators to change. The implementation must allow system administrators to change. The
specific variable names, how their values change, and how their specific variable names, how their values change, and how their
settings influence protocol behavior are provided to demonstrate settings influence protocol behavior are provided to demonstrate
protocol behavior. An implementation is not required to have them in protocol behavior. An implementation is not required to have them in
the exact form described here, so long as its external behavior is the exact form described here, so long as its external behavior is
consistent with that described in this document. See Section 6 for a consistent with that described in this document. See Section 6 for a
description of the conceptual data structures. description of the conceptual data structures.
3. Assumptions 3. Assumptions
The design intent is to ensure that the shim6 protocol is capable of The design intent is to ensure that the Shim6 protocol is capable of
handling path failures independently of the number of IP addresses handling path failures independently of the number of IP addresses
(locators) available to the two communicating hosts, and (locators) available to the two communicating hosts, and
independently of which host detects the failure condition. independently of which host detects the failure condition.
Consider, for example, the case in which both A and B have active Consider, for example, the case in which both A and B have active
shim6 state and where A has only one locator while B has multiple Shim6 state and where A has only one locator while B has multiple
locators. In this case, it might be that B is trying to send a locators. In this case, it might be that B is trying to send a
packet to A, and has detected a failure condition with the current packet to A, and has detected a failure condition with the current
locator pair. Since B has multiple locators it presumably has locator pair. Since B has multiple locators it presumably has
multiple ISPs, and consequently likely has alternate egress paths multiple ISPs, and consequently likely has alternate egress paths
toward A. However, B cannot vary the destination address (i.e., A's toward A. However, B cannot vary the destination address (i.e., A's
locator), since A has only one locator. locator), since A has only one locator.
The above scenario leads to the assumption that a host should be able The above scenario leads to the assumption that a host should be able
to cause different egress paths from its site to be used. The most to cause different egress paths from its site to be used. The most
reasonable approach to accomplish this is to have the host use reasonable approach to accomplish this is to have the host use
different source addresses and have the source address affect the different source addresses and have the source address affect the
selection of the site egress. The details of how this can be selection of the site egress. The details of how this can be
accomplished is beyond the scope of this document, but without this accomplished is beyond the scope of this document, but without this
capability the ability of the shim to try different "paths" by trying capability the ability of the shim to try different "paths" by trying
different locator pairs will have limited utility. different locator pairs will have limited utility.
The above assumption applies whether or not the ISPs perform ingress The above assumption applies whether or not the ISPs perform ingress
filtering. filtering.
In addition, when the site's ISPs perform ingress filtering based on In addition, when the site's ISPs perform ingress filtering based on
packet source addresses, shim6 assumes that packets sent with packet source addresses, Shim6 assumes that packets sent with
different source and destination combinations have a reasonable different source and destination combinations have a reasonable
chance of making it through the relevant ISP's ingress filters. This chance of making it through the relevant ISP's ingress filters. This
can be accomplished in several ways (all outside the scope of this can be accomplished in several ways (all outside the scope of this
document), such as having the ISPs relax there ingress filters, or document), such as having the ISPs relax their ingress filters, or
selecting the egress such that it matches the IP source address selecting the egress such that it matches the IP source address
prefix. prefix.
Further discussion of this issue is captured in [21]. Further discussion of this issue is captured in [21].
The shim6 approach assumes that there are no IPv6-to-IPv6 NATs on the The Shim6 approach assumes that there are no IPv6-to-IPv6 NATs on the
paths, i.e., that the two ends can exchange their own notion of their paths, i.e., that the two ends can exchange their own notion of their
IPv6 addresses and that those addresses will also make sense to their IPv6 addresses and that those addresses will also make sense to their
peer. peer.
4. Protocol Overview 4. Protocol Overview
The shim6 protocol operates in several phases over time. The The Shim6 protocol operates in several phases over time. The
following sequence illustrates the concepts: following sequence illustrates the concepts:
o An application on host A decides to contact an application on host o An application on host A decides to contact an application on host
B using some upper-layer protocol. This results in the ULP on B using some upper-layer protocol. This results in the ULP on
host A sending packets to host B. We call this the initial host A sending packets to host B. We call this the initial
contact. Assuming the IP addresses selected by Default Address contact. Assuming the IP addresses selected by Default Address
Selection [13] and its extensions [14] work, then there is no Selection [13] and its extensions [14] work, then there is no
action by the shim at this point in time. Any shim context action by the shim at this point in time. Any shim context
establishment can be deferred until later. establishment can be deferred until later.
o Some heuristic on A or B (or both) determine that it is o Some heuristic on A or B (or both) determine that it is
appropriate to pay the shim6 overhead to make this host-to-host appropriate to pay the Shim6 overhead to make this host-to-host
communication robust against locator failures. For instance, this communication robust against locator failures. For instance, this
heuristic might be that more than 50 packets have been sent or heuristic might be that more than 50 packets have been sent or
received, or a timer expiration while active packet exchange is in received, or a timer expiration while active packet exchange is in
place. This makes the shim initiate the 4-way context place. This makes the shim initiate the 4-way context
establishment exchange. establishment exchange. The purpose of this heuristic is to avoid
setting up a shim context when only a small number of packets is
exchanged between two hosts.
As a result of this exchange, both A and B will know a list of As a result of this exchange, both A and B will know a list of
locators for each other. locators for each other.
If the context establishment exchange fails, the initiator will If the context establishment exchange fails, the initiator will
then know that the other end does not support shim6, and will then know that the other end does not support Shim6, and will
continue with standard unicast behavior for the session. continue with standard (non-Shim6) behavior for the session.
o Communication continues without any change for the ULP packets. o Communication continues without any change for the ULP packets.
In particular, there are no shim extension headers added to the In particular, there are no shim extension headers added to the
ULP packets, since the ULID pair is the same as the locator pair. ULP packets, since the ULID pair is the same as the locator pair.
In addition, there might be some messages exchanged between the In addition, there might be some messages exchanged between the
shim sub-layers for (un)reachability detection. shim sub-layers for (un)reachability detection.
o At some point in time something fails. Depending on the approach o At some point in time something fails. Depending on the approach
to reachability detection, there might be some advice from the to reachability detection, there might be some advice from the
ULP, or the shim (un)reachability detection might discover that ULP, or the shim (un)reachability detection might discover that
there is a problem. there is a problem.
At this point in time one or both ends of the communication need At this point in time one or both ends of the communication need
to probe the different alternate locator pairs until a working to probe the different alternate locator pairs until a working
pair is found, and switch to using that locator pair. pair is found, and switch to using that locator pair.
o Once a working alternative locator pair has been found, the shim o Once a working alternative locator pair has been found, the shim
will rewrite the packets on transmit, and tag the packets with will rewrite the packets on transmit, and tag the packets with
shim6 Payload extension header, which contains the receiver's Shim6 Payload extension header, which contains the receiver's
context tag. The receiver will use the context tag to find the context tag. The receiver will use the context tag to find the
context state which will indicate which addresses to place in the context state which will indicate which addresses to place in the
IPv6 header before passing the packet up to the ULP. The result IPv6 header before passing the packet up to the ULP. The result
is that from the perspective of the ULP the packet passes is that from the perspective of the ULP the packet passes
unmodified end-to-end, even though the IP routing infrastructure unmodified end-to-end, even though the IP routing infrastructure
sends the packet to a different locator. sends the packet to a different locator.
o The shim (un)reachability detection will monitor the new locator o The shim (un)reachability detection will monitor the new locator
pair as it monitored the original locator pair, so that subsequent pair as it monitored the original locator pair, so that subsequent
failures can be detected. failures can be detected.
skipping to change at page 19, line 7 skipping to change at page 19, line 7
(crash and reboot) of a peer. (crash and reboot) of a peer.
The exact mechanism to determine when the context state is no The exact mechanism to determine when the context state is no
longer used is implementation dependent. For example, an longer used is implementation dependent. For example, an
implementation might use the existence of ULP state (where known implementation might use the existence of ULP state (where known
to the implementation) as an indication that the state is still to the implementation) as an indication that the state is still
used, combined with a timer (to handle ULP state that might not be used, combined with a timer (to handle ULP state that might not be
known to the shim sub-layer) to determine when the state is likely known to the shim sub-layer) to determine when the state is likely
to no longer be used. to no longer be used.
NOTE: The ULP packets in shim6 can be carried completely unmodified NOTE: The ULP packets in Shim6 can be carried completely unmodified
as long as the ULID pair is used as the locator pair. After a switch as long as the ULID pair is used as the locator pair. After a switch
to a different locator pair the packets are "tagged" with a shim6 to a different locator pair the packets are "tagged" with a Shim6
extension header, so that the receiver can always determine the extension header, so that the receiver can always determine the
context to which they belong. This is accomplished by including an context to which they belong. This is accomplished by including an
8-octet shim6 Payload Extension header before the (extension) headers 8-octet Shim6 Payload Extension header before the (extension) headers
that are processed by the IP endpoint sublayer and ULPs. If that are processed by the IP endpoint sublayer and ULPs. If
subsequently the original ULIDs are selected as the active locator subsequently the original ULIDs are selected as the active locator
pair then the tagging of packets with the shim6 extension header is pair then the tagging of packets with the Shim6 extension header is
no longer necesary. no longer necessary.
4.1. Context Tags 4.1. Context Tags
A context between two hosts is actually a context between two ULIDs. A context between two hosts is actually a context between two ULIDs.
The context is identified by a pair of context tags. Each end gets The context is identified by a pair of context tags. Each end gets
to allocate a context tag, and once the context is established, most to allocate a context tag, and once the context is established, most
shim6 control messages contain the context tag that the receiver of Shim6 control messages contain the context tag that the receiver of
the message allocated. Thus at a minimum the combination of <peer the message allocated. Thus at a minimum the combination of <peer
ULID, local ULID, local context tag> have to uniquely identify one ULID, local ULID, local context tag> have to uniquely identify one
context. But since the Payload extension headers are demultiplexed context. But since the Payload extension headers are demultiplexed
without looking at the locators in the packet, the receiver will need without looking at the locators in the packet, the receiver will need
to allocate context tags that are unique for all its contexts. The to allocate context tags that are unique for all its contexts. The
context tag is a 47-bit number (the largest which can fit in an context tag is a 47-bit number (the largest which can fit in an
8-octet extension header). 8-octet extension header), while preserving one bit to differentiate
the Shim6 signalling messages from the Shim6 header included in data
packets, allowing both to use the same protocol number.
The mechanism for detecting a loss of context state at the peer The mechanism for detecting a loss of context state at the peer
assumes that the receiver can tell the packets that need locator assumes that the receiver can tell the packets that need locator
rewriting, even after it has lost all state (e.g., due to a crash rewriting, even after it has lost all state (e.g., due to a crash
followed by a reboot). This is achieved because after a rehoming followed by a reboot). This is achieved because after a rehoming
event the packets that need receive-side rewriting, carry the Payload event the packets that need receive-side rewriting, carry the Payload
extension header. extension header.
4.2. Context Forking 4.2. Context Forking
It has been asserted that it will be important for future ULPs, in It has been asserted that it will be important for future ULPs, in
particular, future transport protocols, to be able to control which particular, future transport protocols, to be able to control which
locator pairs are used for different communication. For instance, locator pairs are used for different communication. For instance,
host A and host B might communicate using both VoIP traffic and ftp host A and host B might communicate using both VoIP traffic and ftp
traffic, and those communications might benefit from using different traffic, and those communications might benefit from using different
locator pairs. However, the basic shim6 mechanism uses a single locator pairs. However, the basic Shim6 mechanism uses a single
current locator pair for each context, thus a single context cannot current locator pair for each context, thus a single context cannot
accomplish this. accomplish this.
For this reason, the shim6 protocol supports the notion of context For this reason, the Shim6 protocol supports the notion of context
forking. This is a mechanism by which a ULP can specify (using some forking. This is a mechanism by which a ULP can specify (using some
API not yet defined) that a context for e.g., the ULID pair <A1, B2> API not yet defined) that a context for e.g., the ULID pair <A1, B2>
should be forked into two contexts. In this case the forked-off should be forked into two contexts. In this case the forked-off
context will be assigned a non-zero Forked Instance Identifier, while context will be assigned a non-zero Forked Instance Identifier, while
the default context has FII zero. the default context has FII zero.
The Forked Instance Identifier (FII) is a 32-bit identifier which has The Forked Instance Identifier (FII) is a 32-bit identifier which has
no semantics in the protocol other then being part of the tuple which no semantics in the protocol other then being part of the tuple which
identifies the context. For example, a host migth allocate FIIs as identifies the context. For example, a host might allocate FIIs as
sequential numbers for any given ULID pair. sequential numbers for any given ULID pair.
No other special considerations are needed in the shim6 protocol to No other special considerations are needed in the Shim6 protocol to
handle forked contexts. handle forked contexts.
Note that forking as specified does NOT allow A to be able to tell B Note that forking as specified does NOT allow A to be able to tell B
that certain traffic (a 5-tuple?) should be forked for the reverse that certain traffic (a 5-tuple?) should be forked for the reverse
direction. The shim6 forking mechanism as specified applies only to direction. The Shim6 forking mechanism as specified applies only to
the sending of ULP packets. If some ULP wants to fork for both the sending of ULP packets. If some ULP wants to fork for both
directions, it is up to the ULP to set this up, and then instruct the directions, it is up to the ULP to set this up, and then instruct the
shim at each end to transmit using the forked context. shim at each end to transmit using the forked context.
4.3. API Extensions 4.3. API Extensions
Several API extensions have been discussed for shim6, but their Several API extensions have been discussed for Shim6, but their
actual specification is out of scope for this document. The simplest actual specification is out of scope for this document. The simplest
one would be to add a socket option to be able to have traffic bypass one would be to add a socket option to be able to have traffic bypass
the shim (not create any state, and not use any state created by the shim (not create any state, and not use any state created by
other traffic). This could be an IPV6_DONTSHIM socket option. Such other traffic). This could be an IPV6_DONTSHIM socket option. Such
an option would be useful for protocols, such as DNS, where the an option would be useful for protocols, such as DNS, where the
application has its own failover mechanism (multiple NS records in application has its own failover mechanism (multiple NS records in
the case of DNS) and using the shim could potentially add extra the case of DNS) and using the shim could potentially add extra
latency with no added benefits. latency with no added benefits.
Some other API extensions are discussed in Appendix A Some other API extensions are discussed in Appendix A
4.4. Securing shim6 4.4. Securing Shim6
The mechanisms are secured using a combination of techniques: The mechanisms are secured using a combination of techniques:
o The HBA technique [8] for verifying the locators to prevent an o The HBA technique [8] for verifying the locators to prevent an
attacker from redirecting the packet stream to somewhere else. attacker from redirecting the packet stream to somewhere else.
o Requiring a Reachability Probe+Reply /defined in [9]) before a new o Requiring a Reachability Probe+Reply /defined in [9]) before a new
locator is used as the destination, in order to prevent 3rd party locator is used as the destination, in order to prevent 3rd party
flooding attacks. flooding attacks.
o The first message does not create any state on the responder. o The first message does not create any state on the responder.
Essentially a 3-way exchange is required before the responder Essentially a 3-way exchange is required before the responder
creates any state. This means that a state-based DoS attack creates any state. This means that a state-based DoS attack
(trying to use up all of memory on the responder) at least (trying to use up all of memory on the responder) at least
provides an IPv6 address that the attacker was using. provides an IPv6 address that the attacker was using.
o The context establishment messages use nonces to prevent replay o The context establishment messages use nonces to prevent replay
attacks, and to prevent off-path attackers from interfering with attacks, and to prevent off-path attackers from interfering with
the establishment. the establishment.
o Every control message of the shim6 protocol, past the context o Every control message of the Shim6 protocol, past the context
establishment, carry the context tag assigned to the particular establishment, carry the context tag assigned to the particular
context. This implies that an attacker needs to discover that context. This implies that an attacker needs to discover that
context tag before being able to spoof any shim6 control message. context tag before being able to spoof any Shim6 control message.
Such discovery probably requires to be along the path in order to Such discovery probably requires any potential attacker to be
be sniff the context tag value. The result is that through this along the path in order to be sniff the context tag value. The
technique, the shim6 protocol is protected against off-path result is that through this technique, the Shim6 protocol is
attackers. protected against off-path attackers.
4.5. Overview of Shim Control Messages 4.5. Overview of Shim Control Messages
The shim6 context establishment is accomplished using four messages; The Shim6 context establishment is accomplished using four messages;
I1, R1, I2, R2. Normally they are sent in that order from initiator I1, R1, I2, R2. Normally they are sent in that order from initiator
and responder, respectively. Should both ends attempt to set up and responder, respectively. Should both ends attempt to set up
context state at the same time (for the same ULID pair), then their context state at the same time (for the same ULID pair), then their
I1 messages might cross in flight, and result in an immediate R2 I1 messages might cross in flight, and result in an immediate R2
message. [The names of these messages are borrowed from HIP [26].] message. [The names of these messages are borrowed from HIP [26].]
R1bis and I2bis messages are defined, which are used to recover a R1bis and I2bis messages are defined, which are used to recover a
context after it has been lost. A R1bis message is sent when a shim6 context after it has been lost. A R1bis message is sent when a Shim6
control or Payload extension header arrives and there is no matching control or Payload extension header arrives and there is no matching
context state at the receiver. When such a message is received, it context state at the receiver. When such a message is received, it
will result in the re-creation of the shim6 context using the I2bis will result in the re-creation of the Shim6 context using the I2bis
and R2 messages. and R2 messages.
The peers' lists of locators are normally exchanged as part of the The peers' lists of locators are normally exchanged as part of the
context establishment exchange. But the set of locators might be context establishment exchange. But the set of locators might be
dynamic. For this reason there is a Update Request and Update dynamic. For this reason there are Update Request and Update
Acknowledgement messages, and a Locator List option. Acknowledgement messages, and a Locator List option.
Even when the list of locators is fixed, a host might determine that Even when the list of locators is fixed, a host might determine that
some preferences might have changed. For instance, it might some preferences might have changed. For instance, it might
determine that there is a locally visible failure that implies that determine that there is a locally visible failure that implies that
some locator(s) are no longer usable. This uses a Locator some locator(s) are no longer usable. This uses a Locator
Preferences option in the Update Request message. Preferences option in the Update Request message.
The mechanism for (un)reachability detection is called Forced The mechanism for (un)reachability detection is called Forced
Bidirectional Communication (FBD). FBD uses a Keepalive message Bidirectional Communication (FBD). FBD uses a Keepalive message
skipping to change at page 22, line 34 skipping to change at page 22, line 36
Since the shim is placed between the IP endpoint sub-layer and the IP Since the shim is placed between the IP endpoint sub-layer and the IP
routing sub-layer, the shim header will be placed before any endpoint routing sub-layer, the shim header will be placed before any endpoint
extension headers (fragmentation headers, destination options header, extension headers (fragmentation headers, destination options header,
AH, ESP), but after any routing related headers (hop-by-hop AH, ESP), but after any routing related headers (hop-by-hop
extensions header, routing header, a destinations options header extensions header, routing header, a destinations options header
which precedes a routing header). When tunneling is used, whether which precedes a routing header). When tunneling is used, whether
IP-in-IP tunneling or the special form of tunneling that Mobile IPv6 IP-in-IP tunneling or the special form of tunneling that Mobile IPv6
uses (with Home Address Options and Routing header type 2), there is uses (with Home Address Options and Routing header type 2), there is
a choice whether the shim applies inside the tunnel or outside the a choice whether the shim applies inside the tunnel or outside the
tunnel, which affects the location of the shim6 header. tunnel, which affects the location of the Shim6 header.
In most cases IP-in-IP tunnels are used as a routing technique, thus In most cases IP-in-IP tunnels are used as a routing technique, thus
it makes sense to apply them on the locators which means that the it makes sense to apply them on the locators which means that the
sender would insert the shim6 header after any IP-in-IP sender would insert the Shim6 header after any IP-in-IP
encapsulation; this is what occurs naturally when routers apply IP- encapsulation; this is what occurs naturally when routers apply IP-
in-IP encapsulation. Thus the packets would have: in-IP encapsulation. Thus the packets would have:
o Outer IP header o Outer IP header
o Inner IP header o Inner IP header
o Shim6 extension header (if needed) o Shim6 extension header (if needed)
o ULP o ULP
skipping to change at page 23, line 17 skipping to change at page 23, line 19
o Outer IP header o Outer IP header
o Shim6 extension header (if needed) o Shim6 extension header (if needed)
o Inner IP header o Inner IP header
o ULP o ULP
In any case, the receiver behavior is well-defined; a receiver In any case, the receiver behavior is well-defined; a receiver
processes the extension headers in order. However, the precise processes the extension headers in order. However, the precise
interaction between Mobile IPv6 and shim6 is for further study, but interaction between Mobile IPv6 and Shim6 is for further study, but
it might make sense to have Mobile IPv6 operate on locators as well, it might make sense to have Mobile IPv6 operate on locators as well,
meaning that the shim would be layered on top of the MIPv6 mechanism. meaning that the shim would be layered on top of the MIPv6 mechanism.
5. Message Formats 5. Message Formats
The shim6 messages are all carried using a new IP protocol number [to The Shim6 messages are all carried using a new IP protocol number [to
be assigned by IANA]. The shim6 messages have a common header, be assigned by IANA]. The Shim6 messages have a common header,
defined below, with some fixed fields, followed by type specific defined below, with some fixed fields, followed by type specific
fields. fields.
The shim6 messages are structured as an IPv6 extension header since The Shim6 messages are structured as an IPv6 extension header since
the Payload extension header is used to carry the ULP packets after a the Payload extension header is used to carry the ULP packets after a
locator switch. The shim6 control messages use the same extension locator switch. The Shim6 control messages use the same extension
header formats so that a single "protocol number" needs to be allowed header formats so that a single "protocol number" needs to be allowed
through firewalls in order for shim6 to function across the firewall. through firewalls in order for Shim6 to function across the firewall.
5.1. Common shim6 Message Format 5.1. Common Shim6 Message Format
The first 17 bits of the shim6 header is common for the Payload The first 17 bits of the Shim6 header is common for the Payload
extension header and the control messages and looks as follows: extension header and the control messages and looks as follows:
0 1 0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Hdr Ext Len |P| | Next Header | Hdr Ext Len |P|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: The payload which follows this header. Next Header: The payload which follows this header.
Hdr Ext Len: 8-bit unsigned integer. Length of the shim6 header in Hdr Ext Len: 8-bit unsigned integer. Length of the Shim6 header in
8-octet units, not including the first 8 octets. 8-octet units, not including the first 8 octets.
P: A single bit to distinguish Payload extension headers P: A single bit to distinguish Payload extension headers
from control messages. from control messages.
Shim6 signalling packets may not be larger than 1280 bytes, including
the IPv6 header and any intermediate headers between the IPv6 header
and the Shim6 header. One way to meet this requirement is to omit
part of the locator address information if with this information
included, the packet would become larger than 1280 bytes.Another
option is to perform option engineering, dividing into different
Shim6 messages the information to be transmitted. An implementation
may impose administrative restrictions to avoid excessively large
Shim6 packets, such as a limitation on the number of locators to be
used.
5.2. Payload Extension Header Format 5.2. Payload Extension Header Format
The payload extension headers is used to carry ULP packets where the The payload extension headers is used to carry ULP packets where the
receiver must replace the content of the source and/or destination receiver must replace the content of the source and/or destination
fields in the IPv6 header before passing the packet to the ULP. Thus fields in the IPv6 header before passing the packet to the ULP. Thus
this extension header is required when the locators pair that is used this extension header is required when the locators pair that is used
is not the same as the ULID pair. is not the same as the ULID pair.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
skipping to change at page 25, line 13 skipping to change at page 25, line 28
| Receiver Context Tag | | Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: The payload which follows this header. Next Header: The payload which follows this header.
Hdr Ext Len: 0 (since the header is 8 octets). Hdr Ext Len: 0 (since the header is 8 octets).
P: Set to one. A single bit to distinguish this from the P: Set to one. A single bit to distinguish this from the
shim6 control messages. Shim6 control messages.
Receiver Context Tag: 47-bit unsigned integer. Allocated by the Receiver Context Tag: 47-bit unsigned integer. Allocated by the
receiver for use to identify the context. receiver for use to identify the context.
5.3. Common Shim6 Control header 5.3. Common Shim6 Control header
The common part of the header has a next header and header extension The common part of the header has a next header and header extension
length field which is consistent with the other IPv6 extension length field which is consistent with the other IPv6 extension
headers, even if the next header value is always "NO NEXT HEADER" for headers, even if the next header value is always "NO NEXT HEADER" for
the control messages; only the payload extension header use the Next the control messages.
Header field.
The shim6 headers must be a multiple of 8 octets, hence the minimum The Shim6 headers must be a multiple of 8 octets, hence the minimum
size is 8 octets. size is 8 octets.
The common shim control message header is as follows: The common shim control message header is as follows:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Hdr Ext Len |0| Type |Type-specific|0| | Next Header | Hdr Ext Len |0| Type |Type-specific|0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | | | Checksum | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Type-specific format | | Type-specific format |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: 8-bit selector. Normally set to NO_NXT_HDR (59). Next Header: 8-bit selector. Normally set to NO_NXT_HDR (59).
Hdr Ext Len: 8-bit unsigned integer. Length of the shim6 header in Hdr Ext Len: 8-bit unsigned integer. Length of the Shim6 header in
8-octet units, not including the first 8 octets. 8-octet units, not including the first 8 octets.
P: Set to zero. A single bit to distinguish this from P: Set to zero. A single bit to distinguish this from
the shim6 payload extension header. the Shim6 payload extension header.
Type: 7-bit unsigned integer. Identifies the actual message Type: 7-bit unsigned integer. Identifies the actual message
from the table below. Type codes 0-63 will not from the table below. Type codes 0-63 will not
trigger R1bis messages on a missing context, while 64- trigger R1bis messages on a missing context, while 64-
127 will trigger R1bis. 127 will trigger R1bis.
0: A single bit (set to zero) which allows shim6 and HIP 0: A single bit (set to zero) which allows Shim6 and HIP
to have a common header format yet telling shim6 and to have a common header format yet telling Shim6 and
HIP messages apart. HIP messages apart.
Checksum: 16-bit unsigned integer. The checksum is the 16-bit Checksum: 16-bit unsigned integer. The checksum is the 16-bit
one's complement of the one's complement sum of the one's complement of the one's complement sum of the
entire shim6 header message starting with the shim6 entire Shim6 header message starting with the Shim6
next header field, and ending as indicated by the Hdr next header field, and ending as indicated by the Hdr
Ext Len. Thus when there is a payload following the Ext Len. Thus when there is a payload following the
shim6 header, the payload is NOT included in the shim6 Shim6 header, the payload is NOT included in the Shim6
checksum. Note that unlike protocol like ICMPv6, checksum. Note that unlike protocol like ICMPv6,
there is no pseudo-header checksum part of the there is no pseudo-header checksum part of the
checksum, in order to provide locator agility without checksum, in order to provide locator agility without
having to change the checksum. having to change the checksum.
Type-specific: Part of message that is different for different Type-specific: Part of message that is different for different
message types. message types.
+------------+-----------------------------------------------------+ +------------+-----------------------------------------------------+
| Type Value | Message | | Type Value | Message |
skipping to change at page 26, line 50 skipping to change at page 27, line 27
| | | | | |
| 6 | I2bis (Reply to a R1bis message) | | 6 | I2bis (Reply to a R1bis message) |
| | | | | |
| 64 | Update Request | | 64 | Update Request |
| | | | | |
| 65 | Update Acknowledgement | | 65 | Update Acknowledgement |
| | | | | |
| 66 | Keepalive | | 66 | Keepalive |
| | | | | |
| 67 | Probe Message | | 67 | Probe Message |
| | |
| 68 | Error Message |
+------------+-----------------------------------------------------+ +------------+-----------------------------------------------------+
Table 1 Table 1
5.4. I1 Message Format 5.4. I1 Message Format
The I1 message is the first message in the context establishment The I1 message is the first message in the context establishment
exchange. exchange.
0 1 2 3 0 1 2 3
skipping to change at page 28, line 17 skipping to change at page 28, line 40
MUST be included. An example of this is when MUST be included. An example of this is when
recovering from a lost context. recovering from a lost context.
Forked Instance Identifier: When another instance of an existent Forked Instance Identifier: When another instance of an existent
context with the same ULID pair is being created, a context with the same ULID pair is being created, a
Forked Instance Identifier option is included to Forked Instance Identifier option is included to
distinguish this new instance from the existent one. distinguish this new instance from the existent one.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.14. option will be handled by an implementation. See Section 5.15.
5.5. R1 Message Format 5.5. R1 Message Format
The R1 message is the second message in the context establishment The R1 message is the second message in the context establishment
exchange. The responder sends this in response to an I1 message, exchange. The responder sends this in response to an I1 message,
without creating any state specific to the initiator. without creating any state specific to the initiator.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 29, line 28 skipping to change at page 30, line 5
Responder Validator: Variable length option. Typically a hash Responder Validator: Variable length option. Typically a hash
generated by the responder, which the responder uses generated by the responder, which the responder uses
together with the Responder Nonce value to verify that together with the Responder Nonce value to verify that
an I2 message is indeed sent in response to a R1 an I2 message is indeed sent in response to a R1
message, and that the parameters in the I2 message are message, and that the parameters in the I2 message are
the same as those in the I1 message. the same as those in the I1 message.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.14. option will be handled by an implementation. See Section 5.15.
5.6. I2 Message Format 5.6. I2 Message Format
The I2 message is the third message in the context establishment The I2 message is the third message in the context establishment
exchange. The initiator sends this in response to a R1 message, exchange. The initiator sends this in response to a R1 message,
after checking the Initiator Nonce, etc. after checking the Initiator Nonce, etc.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 31, line 30 skipping to change at page 31, line 37
Forked Instance Identifier: When another instance of an existent Forked Instance Identifier: When another instance of an existent
context with the same ULID pair is being created, a context with the same ULID pair is being created, a
Forked Instance Identifier option is included to Forked Instance Identifier option is included to
distinguish this new instance from the existent one. distinguish this new instance from the existent one.
Locator list: Optionally sent when the initiator immediately wants Locator list: Optionally sent when the initiator immediately wants
to tell the responder its list of locators. When it to tell the responder its list of locators. When it
is sent, the necessary HBA/CGA information for is sent, the necessary HBA/CGA information for
verifying the locator list MUST also be included. verifying the locator list MUST also be included.
Locator Preferences: Optionally sent when the locators don't all have Locator Preferences: Optionally sent when the locators don't all
equal preference. have equal preference.
CGA Parameter Data Structure: Included when the locator list is CGA Parameter Data Structure: Included when the locator list is
included so the receiver can verify the locator list. included so the receiver can verify the locator list.
CGA Signature: Included when the some of the locators in the list use CGA Signature: Included when the some of the locators in the list use
CGA (and not HBA) for verification. CGA (and not HBA) for verification.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.14. option will be handled by an implementation. See Section 5.15.
5.7. R2 Message Format 5.7. R2 Message Format
The R2 message is the fourth message in the context establishment The R2 message is the fourth message in the context establishment
exchange. The responder sends this in response to an I2 message. exchange. The responder sends this in response to an I2 message.
The R2 message is also used when both hosts send I1 messages at the The R2 message is also used when both hosts send I1 messages at the
same time and the I1 messages cross in flight. same time and the I1 messages cross in flight.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
skipping to change at page 32, line 49 skipping to change at page 33, line 10
Initiator Nonce: 32-bit unsigned integer. Copied from the I2 Initiator Nonce: 32-bit unsigned integer. Copied from the I2
message. message.
The following options are defined for this message: The following options are defined for this message:
Locator List: Optionally sent when the responder immediately wants Locator List: Optionally sent when the responder immediately wants
to tell the initiator its list of locators. When it to tell the initiator its list of locators. When it
is sent, the necessary HBA/CGA information for is sent, the necessary HBA/CGA information for
verifying the locator list MUST also be included. verifying the locator list MUST also be included.
Locator Preferences: Optionally sent when the locators don't all have Locator Preferences: Optionally sent when the locators don't all
equal preference. have equal preference.
CGA Parameter Data Structure: Included when the locator list is CGA Parameter Data Structure: Included when the locator list is
included so the receiver can verify the locator list. included so the receiver can verify the locator list.
CGA Signature: Included when the some of the locators in the list use CGA Signature: Included when the some of the locators in the list use
CGA (and not HBA) for verification. CGA (and not HBA) for verification.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.14. option will be handled by an implementation. See Section 5.15.
5.8. R1bis Message Format 5.8. R1bis Message Format
Should a host receive a packet with a shim Payload extension header Should a host receive a packet with a shim Payload extension header
or shim6 control message with type code 64-127 (such as an Update or or Shim6 control message with type code 64-127 (such as an Update or
Probe message), and the host does not have any context state for the Probe message), and the host does not have any context state for the
received context tag, then it will generate a R1bis message. received context tag, then it will generate a R1bis message.
This message allows the sender of the packet referring to the non- This message allows the sender of the packet referring to the non-
existent context to re-establish the context with a reduced context existent context to re-establish the context with a reduced context
establishment exchange. Upon the reception of the R1bis message, the establishment exchange. Upon the reception of the R1bis message, the
receiver can proceed reestablishing the lost context by directly receiver can proceed reestablishing the lost context by directly
sending an I2bis message. sending an I2bis message.
0 1 2 3 0 1 2 3
skipping to change at page 34, line 31 skipping to change at page 34, line 36
The following options are defined for this message: The following options are defined for this message:
Responder Validator: Variable length option. Typically a hash Responder Validator: Variable length option. Typically a hash
generated by the responder, which the responder uses generated by the responder, which the responder uses
together with the Responder Nonce value to verify that together with the Responder Nonce value to verify that
an I2bis message is indeed sent in response to a R1bis an I2bis message is indeed sent in response to a R1bis
message. message.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.14. option will be handled by an implementation. See Section 5.15.
5.9. I2bis Message Format 5.9. I2bis Message Format
The I2bis message is the third message in the context recovery The I2bis message is the third message in the context recovery
exchange. This is sent in response to a R1bis message, after exchange. This is sent in response to a R1bis message, after
checking that the R1bis message refers to an existing context, etc. checking that the R1bis message refers to an existing context, etc.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 36, line 35 skipping to change at page 36, line 35
Forked Instance Identifier: When another instance of an existent Forked Instance Identifier: When another instance of an existent
context with the same ULID pair is being created, a context with the same ULID pair is being created, a
Forked Instance Identifier option is included to Forked Instance Identifier option is included to
distinguish this new instance from the existent one. distinguish this new instance from the existent one.
Locator list: Optionally sent when the initiator immediately wants Locator list: Optionally sent when the initiator immediately wants
to tell the responder its list of locators. When it to tell the responder its list of locators. When it
is sent, the necessary HBA/CGA information for is sent, the necessary HBA/CGA information for
verifying the locator list MUST also be included. verifying the locator list MUST also be included.
Locator Preferences: Optionally sent when the locators don't all have Locator Preferences: Optionally sent when the locators don't all
equal preference. have equal preference.
CGA Parameter Data Structure: Included when the locator list is CGA Parameter Data Structure: Included when the locator list is
included so the receiver can verify the locator list. included so the receiver can verify the locator list.
CGA Signature: Included when the some of the locators in the list use CGA Signature: Included when the some of the locators in the list use
CGA (and not HBA) for verification. CGA (and not HBA) for verification.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.14. option will be handled by an implementation. See Section 5.15.
5.10. Update Request Message Format 5.10. Update Request Message Format
The Update Request Message is used to update either the list of The Update Request Message is used to update either the list of
locators, the locator preferences, and both. When the list of locators, the locator preferences, and both. When the list of
locators is updated, the message also contains the option(s) locators is updated, the message also contains the option(s)
necessary for HBA/CGA to secure this. The basic sanity check that necessary for HBA/CGA to secure this. The basic sanity check that
prevents off-path attackers from generating bogus updates is the prevents off-path attackers from generating bogus updates is the
context tag in the message. context tag in the message.
skipping to change at page 37, line 44 skipping to change at page 37, line 44
are no options. are no options.
Type: 64 Type: 64
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Receiver Context Tag: 47-bit field. The Context Tag the receiver has Receiver Context Tag: 47-bit field. The Context Tag the receiver
allocated for the context. has allocated for the context.
Request Nonce: 32-bit unsigned integer. A random number picked by Request Nonce: 32-bit unsigned integer. A random number picked by
the initiator which the peer will return in the the initiator which the peer will return in the
acknowledgement message. acknowledgement message.
The following options are defined for this message: The following options are defined for this message:
Locator List: The list of the sender's (new) locators. The locators Locator List: The list of the sender's (new) locators. The locators
might be unchanged and only the preferences have might be unchanged and only the preferences have
changed. changed.
Locator Preferences: Optionally sent when the locators don't all have Locator Preferences: Optionally sent when the locators don't all
equal preference. have equal preference.
CGA Parameter Data Structure (PDS): Included when the locator list is CGA Parameter Data Structure (PDS): Included when the locator list
included and the PDS was not included in the is included and the PDS was not included in the I2/
I2/I2bis/R2 messages, so the receiver can verify the I2bis/R2 messages, so the receiver can verify the
locator list. locator list.
CGA Signature: Included when the some of the locators in the list use CGA Signature: Included when the some of the locators in the list use
CGA (and not HBA) for verification. CGA (and not HBA) for verification.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.14. option will be handled by an implementation. See Section 5.15.
5.11. Update Acknowledgement Message Format 5.11. Update Acknowledgement Message Format
This message is sent in response to a Update Request message. It This message is sent in response to a Update Request message. It
implies that the Update Request has been received, and that any new implies that the Update Request has been received, and that any new
locators in the Update Request can now be used as the source locators locators in the Update Request can now be used as the source locators
of packets. But it does not imply that the (new) locators have been of packets. But it does not imply that the (new) locators have been
verified to be used as a destination, since the host might defer the verified to be used as a destination, since the host might defer the
verification of a locator until it sees a need to use a locator as verification of a locator until it sees a need to use a locator as
the destination. the destination.
skipping to change at page 39, line 18 skipping to change at page 39, line 18
are no options. are no options.
Type: 65 Type: 65
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Receiver Context Tag: 47-bit field. The Context Tag the receiver has Receiver Context Tag: 47-bit field. The Context Tag the receiver
allocated for the context. has allocated for the context.
Request Nonce: 32-bit unsigned integer. Copied from the Update Request Nonce: 32-bit unsigned integer. Copied from the Update
Request message. Request message.
No options are currently defined for this message. No options are currently defined for this message.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.14. option will be handled by an implementation. See Section 5.15.
5.12. Keepalive Message Format 5.12. Keepalive Message Format
This message format is defined in [9]. This message format is defined in [9].
The message is used to ensure that when a peer is sending ULP packets The message is used to ensure that when a peer is sending ULP packets
on a context, it always receives some packets in the reverse on a context, it always receives some packets in the reverse
direction. When the ULP is sending bidirectional traffic, no extra direction. When the ULP is sending bidirectional traffic, no extra
packets need to be inserted. But for a unidirectional ULP traffic packets need to be inserted. But for a unidirectional ULP traffic
pattern, the shim will send back some Keepalive messages when it is pattern, the shim will send back some Keepalive messages when it is
receiving ULP packets. receiving ULP packets.
5.13. Probe Message Format 5.13. Probe Message Format
This message and its semantics are defined in [9]. This message and its semantics are defined in [9].
The idea behind that mechanism is to be able to handle the case when The goal of this mechanism is to test whether locator pairs work or
one locator pair works in from A to B, and another locator pair works not in the general case. In particular, this mechanism is to be able
from B to A, but there is no locator pair which works in both to handle the case when one locator pair works in from A to B, and
directions. The protocol mechanism is that as A is sending probe another locator pair works from B to A, but there is no locator pair
messages to B, B will observe which locator pairs it has received which works in both directions. The protocol mechanism is that as A
from and report that back in probe messages it is sending to A. is sending probe messages to B, B will observe which locator pairs it
has received from and report that back in probe messages it is
sending to A.
5.14. Option Formats 5.14. Error Message Format
The Error Message is generated by a Shim6 receiver upon the reception
of a Shim6 message containing critical information that cannot be
processed properly.
In the case that a Shim6 node receives a Shim6 packet which contains
information that is critical for the Shim6 protocol that is not
supported by the receiver, it sends an Error Message back to the
originator of the Shim6 message. The Error Message is
unacknowledged.
In addition, Shim6 Error messages defined in this section can be used
to identify problems with Shim6 implementations. In order to do
that, a range of Error Code Types is reserved for that purpose. In
particular, implementations may generate Shim6 Error messages with
Code Type in that range instead of silently discarding Shim6 packets
during the debugging process.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 68 | Error Code |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Packet in error +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets. Depends on
the specific Error Data.
Type: 68
Error Code: 7-bit field describing the error that generated the
Error Message. See Error Code list below
Pointer: 16-bit field.Identifies the octet offset within the
invoking packet where the error was detected.
Packet in error: As much of invoking packet as possible without the
Error message packet exceeding the minimum IPv6 MTU.
The following Error Codes are defined:
+---------+---------------------------------------------------------+
| Code | Description |
| Value | |
+---------+---------------------------------------------------------+
| 0 | Unknown Shim6 message type |
| | |
| 1 | Critical Option not recognized |
| | |
| 2 | Locator verification method failed (Pointer to the |
| | inconsistent Verification method octet) |
| | |
| 3 | Locator List Generation number out of sync. |
| | |
| 4 | Error in the number of locators in a Locator Preference |
| | option |
| | |
| 120-127 | Reserved for debugging pruposes |
+---------+---------------------------------------------------------+
Table 2
5.15. Option Formats
The format of the options is a snapshot of the current HIP option The format of the options is a snapshot of the current HIP option
format [26]. However, there is no intention to track any changes to format [26]. However, there is no intention to track any changes to
the HIP option format, nor is there an intent to use the same name the HIP option format, nor is there an intent to use the same name
space for the option type values. But using the same format will space for the option type values. But using the same format will
hopefully make it easier to import HIP capabilities into shim6 as hopefully make it easier to import HIP capabilities into Shim6 as
extensions to shim6, should this turn out to be useful. extensions to Shim6, should this turn out to be useful.
All of the TLV parameters have a length (including Type and Length All of the TLV parameters have a length (including Type and Length
fields) which is a multiple of 8 bytes. When needed, padding MUST be fields) which is a multiple of 8 bytes. When needed, padding MUST be
added to the end of the parameter so that the total length becomes a added to the end of the parameter so that the total length becomes a
multiple of 8 bytes. This rule ensures proper alignment of data. If multiple of 8 bytes. This rule ensures proper alignment of data. If
padding is added, the Length field MUST NOT include the padding. Any padding is added, the Length field MUST NOT include the padding. Any
added padding bytes MUST be zeroed by the sender, and their values added padding bytes MUST be zeroed by the sender, and their values
SHOULD NOT be checked by the receiver. SHOULD NOT be checked by the receiver.
Consequently, the Length field indicates the length of the Contents Consequently, the Length field indicates the length of the Contents
field (in bytes). The total length of the TLV parameter (including field (in bytes). The total length of the TLV parameter (including
Type, Length, Contents, and Padding) is related to the Length field Type, Length, Contents, and Padding) is related to the Length field
according to the following formula: according to the following formula:
Total Length = 11 + Length - (Length + 3) % 8; Total Length = 11 + Length - (Length + 3) mod 8;
The Total Length of the option is the smallest multiple of 8 bytes
that allows for the 4 bytes of option header and the option itself.
The amount of padding required can be calculated as follows:
padding = 7 - ((Length + 3) mod 8)
And:
Total Length = 4 + Length + padding
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type |C| Length | | Type |C| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ~ ~ ~
~ Contents ~ ~ Contents ~
~ +-+-+-+-+-+-+-+-+ ~ +-+-+-+-+-+-+-+-+
~ | Padding | ~ | Padding |
skipping to change at page 41, line 31 skipping to change at page 43, line 25
| | | | | |
| 5 | CGA Signature | | 5 | CGA Signature |
| | | | | |
| 6 | ULID Pair | | 6 | ULID Pair |
| | | | | |
| 7 | Forked Instance Identifier | | 7 | Forked Instance Identifier |
| | | | | |
| 10 | Keepalive Timeout Option | | 10 | Keepalive Timeout Option |
+------+------------------------------+ +------+------------------------------+
Table 2 Table 3
Future protocol extensions might define additional options for the Future protocol extensions might define additional options for the
SHIM6 messages. The C-bit in the option format defines how such a Shim6 messages. The C-bit in the option format defines how such a
new option will be handled by an implementation. new option will be handled by an implementation.
If a host receives an option that it does not understand (an option If a host receives an option that it does not understand (an option
that was defined in some future extension to this protocol) or is not that was defined in some future extension to this protocol) or is not
listed as a valid option for the different message types above, then listed as a valid option for the different message types above, then
the Critical bit in the option determines the outcome. the Critical bit in the option determines the outcome.
o If C=0 then the option is silently ignored, and the rest of the o If C=0 then the option is silently ignored, and the rest of the
message is processed. message is processed.
o If C=1 then the host SHOULD send back an ICMP parameter problem o If C=1 then the host SHOULD send back a Shim6 Error Message with
(type 4, code 1), with the Pointer referencing the first octet in Error Code=1, with the Pointer referencing the first octet in the
the option Type field. When C=1 the message MUST NOT be Option Type field. When C=1 the rest of the message MUST NOT be
processed. processed.
5.14.1. Responder Validator Option Format 5.15.1. Responder Validator Option Format
The responder can choose exactly what input is used to compute the The responder can choose exactly what input is used to compute the
validator, and what one-way function (MD5, SHA1) it uses, as long as validator, and what one-way function (such as MD5, SHA1) it uses, as
the responder can check that the validator it receives back in the I2 long as the responder can check that the validator it receives back
or I2bis message is indeed one that: in the I2 or I2bis message is indeed one that:
1)- it computed, 1)- it computed,
2)- it computed for the particular context, and 2)- it computed for the particular context, and
3)- that it isn't a replayed I2/I2bis message. 3)- that it isn't a replayed I2/I2bis message.
Some suggestions on how to generate the validators are captured in Some suggestions on how to generate the validators are captured in
Section 7.10.1 and Section 7.17.1. Section 7.10.1 and Section 7.17.1.
skipping to change at page 42, line 37 skipping to change at page 44, line 30
~ +-+-+-+-+-+-+-+-+ ~ +-+-+-+-+-+-+-+-+
~ | Padding | ~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Validator: Variable length content whose interpretation is local Validator: Variable length content whose interpretation is local
to the responder. to the responder.
Padding: Padding, 0-7 bytes, added if needed. See Padding: Padding, 0-7 bytes, added if needed. See
Section 5.14. Section 5.15.
5.14.2. Locator List Option Format 5.15.2. Locator List Option Format
The Locator List Option is used to carry all the locators of the The Locator List Option is used to carry all the locators of the
sender. Note that the order of the locators is important, since the sender. Note that the order of the locators is important, since the
Locator Preferences refers to the locators by using the index in the Locator Preferences refers to the locators by using the index in the
list. list.
Note that we carry all the locators in this option even though some Note that we carry all the locators in this option even though some
of them can be created automatically from the CGA Parameter Data of them can be created automatically from the CGA Parameter Data
Structure. Structure.
skipping to change at page 44, line 17 skipping to change at page 46, line 17
+-------+----------+ +-------+----------+
| 0 | Reserved | | 0 | Reserved |
| | | | | |
| 1 | HBA | | 1 | HBA |
| | | | | |
| 2 | CGA | | 2 | CGA |
| | | | | |
| 3-255 | Reserved | | 3-255 | Reserved |
+-------+----------+ +-------+----------+
Table 3 Table 4
5.14.3. Locator Preferences Option Format 5.15.3. Locator Preferences Option Format
The Locator Preferences option can have some flags to indicate The Locator Preferences option can have some flags to indicate
whether or not a locator is known to work. In addition, the sender whether or not a locator is known to work. In addition, the sender
can include a notion of preferences. It might make sense to define can include a notion of preferences. It might make sense to define
"preferences" as a combination of priority and weight the same way "preferences" as a combination of priority and weight the same way
that DNS SRV records has such information. The priority would that DNS SRV records has such information. The priority would
provide a way to rank the locators, and within a given priority, the provide a way to rank the locators, and within a given priority, the
weight would provide a way to do some load sharing. See [10] for how weight would provide a way to do some load sharing. See [10] for how
SRV defines the interaction of priority and weight. SRV defines the interaction of priority and weight.
skipping to change at page 45, line 36 skipping to change at page 47, line 36
Element Len: 8-bit unsigned integer. The length in octets of each Element Len: 8-bit unsigned integer. The length in octets of each
element. This specification defines the cases when element. This specification defines the cases when
the length is 1, 2, or 3. the length is 1, 2, or 3.
Element[i]: A field with a number of octets defined by the Element Element[i]: A field with a number of octets defined by the Element
Len field. Provides preferences for the i'th locator Len field. Provides preferences for the i'th locator
in the Locator List option that is in use. in the Locator List option that is in use.
Padding: Padding, 0-7 bytes, added if needed. See Padding: Padding, 0-7 bytes, added if needed. See
Section 5.14. Section 5.15.
When the Element length equals one, then the element consists of only When the Element length equals one, then the element consists of only
a one octet flags field. The currently defined set of flags are: a one octet flags field. The currently defined set of flags are:
BROKEN: 0x01 BROKEN: 0x01
TEMPORARY: 0x02 TRANSIENT: 0x02
The intent of the BROKEN flag is to inform the peer that a given The intent of the BROKEN flag is to inform the peer that a given
locator is known to be not working. The intent of TEMPORARY is to locator is known to be not working. The intent of TRANSIENT is to
allow the distinction between more stable addresses and less stable allow the distinction between more stable addresses and less stable
addresses when shim6 is combined with IP mobility, when we might have addresses when Shim6 is combined with IP mobility, when we might have
more stable home locators, and less stable care-of-locators. more stable home locators, and less stable care-of-locators.
When the Element length equals two, then the element consists of a 1 When the Element length equals two, then the element consists of a 1
octet flags field followed by a 1 octet priority field. The priority octet flags field followed by a 1 octet priority field. The priority
has the same semantics as the priority in DNS SRV records. has the same semantics as the priority in DNS SRV records.
When the Element length equals three, then the element consists of a When the Element length equals three, then the element consists of a
1 octet flags field followed by a 1 octet priority field, and a 1 1 octet flags field followed by a 1 octet priority field, and a 1
octet weight field. The weight has the same semantics as the weight octet weight field. The weight has the same semantics as the weight
in DNS SRV records. in DNS SRV records.
This document doesn't specify the format when the Element length is This document doesn't specify the format when the Element length is
more than three, except that any such formats MUST be defined so that more than three, except that any such formats MUST be defined so that
the first three octets are the same as in the above case, that is, a the first three octets are the same as in the above case, that is, a
of a 1 octet flags field followed by a 1 octet priority field, and a of a 1 octet flags field followed by a 1 octet priority field, and a
1 octet weight field. 1 octet weight field.
5.14.4. CGA Parameter Data Structure Option Format 5.15.4. CGA Parameter Data Structure Option Format
This option contains the CGA Parameter Data Structure (PDS). When This option contains the CGA Parameter Data Structure (PDS). When
HBA is used to verify the locators, the PDS contains the HBA HBA is used to verify the locators, the PDS contains the HBA
multiprefix extension. When CGA is used to verify the locators, in multiprefix extension. When CGA is used to verify the locators, in
addition to the PDS option, the host also needs to include the addition to the PDS option, the host also needs to include the
signature in the form of a CGA Signature option. signature in the form of a CGA Signature option.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 46, line 41 skipping to change at page 48, line 41
~ +-+-+-+-+-+-+-+-+ ~ +-+-+-+-+-+-+-+-+
~ | Padding | ~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
CGA Parameter Data Structure: Variable length content. Content CGA Parameter Data Structure: Variable length content. Content
defined in [6] and [8]. defined in [6] and [8].
Padding: Padding, 0-7 bytes, added if needed. See Padding: Padding, 0-7 bytes, added if needed. See
Section 5.14. Section 5.15.
5.14.5. CGA Signature Option Format 5.15.5. CGA Signature Option Format
When CGA is used for verification of one or more of the locators in When CGA is used for verification of one or more of the locators in
the Locator List option, then the message in question will need to the Locator List option, then the message in question will need to
contain this option. contain this option.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 5 |0| Length | | Type = 5 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 47, line 22 skipping to change at page 49, line 22
~ | Padding | ~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
CGA Signature: A variable-length field containing a PKCS#1 v1.5 CGA Signature: A variable-length field containing a PKCS#1 v1.5
signature, constructed by using the sender's private signature, constructed by using the sender's private
key over the following sequence of octets: key over the following sequence of octets:
1. The 128-bit CGA Message Type tag [CGA] value for 1. The 128-bit CGA Message Type tag [CGA] value for
SHIM6, 0x4A 30 5662 4858 574B 3655 416F 506A 6D48. Shim6, 0x4A 30 5662 4858 574B 3655 416F 506A 6D48.
(The tag value has been generated randomly by the (The tag value has been generated randomly by the
editor of this specification.). editor of this specification.).
2. The Locator List Generation value of the 2. The Locator List Generation value of the
correspondent Locator List Option. correspondent Locator List Option.
3. The subset of locators included in the 3. The subset of locators included in the
correspondent Locator List Option which correspondent Locator List Option which
verification method is set to CGA. The locators verification method is set to CGA. The locators
MUST be included in the order they are listed in MUST be included in the order they are listed in
the Locator List Option. the Locator List Option.
Padding: Padding, 0-7 bytes, added if needed. See Padding: Padding, 0-7 bytes, added if needed. See
Section 5.14. Section 5.15.
5.14.6. ULID Pair Option Format 5.15.6. ULID Pair Option Format
I1, I2, and I2bis messages MUST contain the ULID pair; normally this I1, I2, and I2bis messages MUST contain the ULID pair; normally this
is in the IPv6 source and destination fields. In case that the ULID is in the IPv6 source and destination fields. In case that the ULID
for the context differ from the address pair included in the source for the context differ from the address pair included in the source
and destination address fields of the IPv6 packet used to carry the and destination address fields of the IPv6 packet used to carry the
I1/I2/I2bis message, the ULID pair option MUST be included in the I1/ I1/I2/I2bis message, the ULID pair option MUST be included in the I1/
I2/I2bis message. I2/I2bis message.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
skipping to change at page 48, line 32 skipping to change at page 50, line 32
Reserved2: 32-bit field. Reserved for future use. Zero on Reserved2: 32-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. (Needed to transmit. MUST be ignored on receipt. (Needed to
make the ULIDs start on a multiple of 8 octet make the ULIDs start on a multiple of 8 octet
boundary.) boundary.)
Sender ULID: A 128-bit IPv6 address. Sender ULID: A 128-bit IPv6 address.
Receiver ULID: A 128-bit IPv6 address. Receiver ULID: A 128-bit IPv6 address.
5.14.7. Forked Instance Identifier Option Format 5.15.7. Forked Instance Identifier Option Format
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 7 |0| Length = 4 | | Type = 7 |0| Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Forked Instance Identifier | | Forked Instance Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Forked Instance Identifier: 32-bit field containing the identifier of Forked Instance Identifier: 32-bit field containing the identifier
the particular forked instance. of the particular forked instance.
5.14.8. Keepalive Timeout Option Format 5.15.8. Keepalive Timeout Option Format
This option is defined in [9]. This option is defined in [9].
6. Conceptual Model of a Host 6. Conceptual Model of a Host
This section describes a conceptual model of one possible data This section describes a conceptual model of one possible data
structure organization that hosts will maintain for the purposes of structure organization that hosts will maintain for the purposes of
shim6. The described organization is provided to facilitate the Shim6. The described organization is provided to facilitate the
explanation of how the shim6 protocol should behave. This document explanation of how the Shim6 protocol should behave. This document
does not mandate that implementations adhere to this model as long as does not mandate that implementations adhere to this model as long as
their external behavior is consistent with that described in this their external behavior is consistent with that described in this
document. document.
6.1. Conceptual Data Structures 6.1. Conceptual Data Structures
The key conceptual data structure for the shim6 protocol is the ULID The key conceptual data structure for the Shim6 protocol is the ULID
pair context. This is a data structure which contains the following pair context. This is a data structure which contains the following
information: information:
o The state of the context. See Section 6.2. o The state of the context. See Section 6.2.
o The peer ULID; ULID(peer) o The peer ULID; ULID(peer)
o The local ULID; ULID(local) o The local ULID; ULID(local)
o The Forked Instance Identifier; FII. This is zero for the default o The Forked Instance Identifier; FII. This is zero for the default
context i.e., when there is no forking. context i.e., when there is no forking.
o The list of peer locators, with their preferences; Ls(peer) o The list of peer locators, with their preferences; Ls(peer)
o The generation number for the most recently received, verified o The generation number for the most recently received, verified
peer locator list. peer locator list.
o For each peer locator, the verification method to use (from the o For each peer locator, the verification method to use (from the
Locator List option). Locator List option).
o For each peer locator, a bit whether it has been verified using o For each peer locator, a flag whether it has been verified using
HBA or CGA, and a bit whether the locator has been probed to HBA or CGA, and a bit whether the locator has been probed to
verify that the ULID is present at that location. verify that the ULID is present at that location.
o The preferred peer locator - used as destination; Lp(peer) o The preferred peer locator - used as destination; Lp(peer)
o The set of local locators and the preferences; Ls(local) o The set of local locators and the preferences; Ls(local)
o The generation number for the most recently sent Locator List o The generation number for the most recently sent Locator List
option. option.
skipping to change at page 50, line 19 skipping to change at page 52, line 19
o Depending how an implementation determines whether a context is o Depending how an implementation determines whether a context is
still in use, there might be a need to track the last time a still in use, there might be a need to track the last time a
packet was sent/received using the context. packet was sent/received using the context.
o Reachability state for the locator pairs as specified in [9]. o Reachability state for the locator pairs as specified in [9].
o During pair exploration, information about the probe messages that o During pair exploration, information about the probe messages that
have been sent and received as specified in [9]. have been sent and received as specified in [9].
o During context establishment phase, Init Nonce, Responder Nonce,
Responder Validator and timers related to the different packets
sent (I1,I2, R2), as described in Section 7
6.2. Context States 6.2. Context States
The states that are used to describe the shim6 protocol are as The states that are used to describe the Shim6 protocol are as
follows: follows:
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
| State | Explanation | | State | Explanation |
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
| IDLE | State machine start | | IDLE | State machine start |
| | | | | |
| I1-SENT | Initiating context establishment exchange | | I1-SENT | Initiating context establishment exchange |
| | | | | |
| I2-SENT | Waiting to complete context establishment | | I2-SENT | Waiting to complete context establishment |
skipping to change at page 50, line 43 skipping to change at page 52, line 47
| | | | | |
| I2BIS-SENT | Potential context loss detected | | I2BIS-SENT | Potential context loss detected |
| | | | | |
| | | | | |
| ESTABLISHED | SHIM context established | | ESTABLISHED | SHIM context established |
| | | | | |
| E-FAILED | Context establishment exchange failed | | E-FAILED | Context establishment exchange failed |
| | | | | |
| NO-SUPPORT | ICMP Unrecognized Next Header type | | NO-SUPPORT | ICMP Unrecognized Next Header type |
| | (type 4, code 1) received indicating | | | (type 4, code 1) received indicating |
| | that shim6 is not supported | | | that Shim6 is not supported |
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
In addition, in each of the aforementioned states, the following In addition, in each of the aforementioned states, the following
state information is stored: state information is stored:
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
| State | Information | | State | Information |
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
| IDLE | None | | IDLE | None |
| | | | | |
| I1-SENT | ULID(peer), ULID(local), [FII], CT(local), | | I1-SENT | ULID(peer), ULID(local), [FII], CT(local), |
| | INIT nonce, Lp(local), Lp(peer), Ls(local) | | | INIT nonce, Lp(local), Lp(peer), Ls(local) |
| | | | | |
| I2-SENT | ULID(peer), ULID(local), [FII], CT(local), | | I2-SENT | ULID(peer), ULID(local), [FII], CT(local), |
| | INIT nonce, RESP nonce, Lp(local), Lp(peer),| | | INIT nonce, RESP nonce, Lp(local), Lp(peer),|
| | Ls(local) | | | Ls(local), Responder Validator |
| | | | | |
| ESTABLISHED | ULID(peer), ULID(local), [FII], CT(local), | | ESTABLISHED | ULID(peer), ULID(local), [FII], CT(local), |
| | CT(peer), Lp(local), Lp(peer), Ls(local) | | | CT(peer), Lp(local), Lp(peer), Ls(local) |
| | Ls(peer), INIT nonce?(to receive late R2) | | | Ls(peer), INIT nonce?(to receive late R2) |
| | | | | |
| I2BIS-SENT | ULID(peer), ULID(local), [FII], CT(local), | | I2BIS-SENT | ULID(peer), ULID(local), [FII], CT(local), |
| | CT(peer), Lp(local), Lp(peer), Ls(local) | | | CT(peer), Lp(local), Lp(peer), Ls(local) |
| | Ls(peer), CT(R1bis) | | | Ls(peer), CT(R1bis), RESP nonce, |
| | INIT nonce, Responder validator |
| | | | | |
| E-FAILED | ULID(peer), ULID(local) | | E-FAILED | ULID(peer), ULID(local) |
| | | | | |
| NO-SUPPORT | ULID(peer), ULID(local) | | NO-SUPPORT | ULID(peer), ULID(local) |
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
7. Establishing ULID-Pair Contexts 7. Establishing ULID-Pair Contexts
ULID-pair contexts are established using a 4-way exchange, which ULID-pair contexts are established using a 4-way exchange, which
allows the responder to avoid creating state on the first packet. As allows the responder to avoid creating state on the first packet. As
skipping to change at page 52, line 24 skipping to change at page 54, line 24
recovering from a context that has been garbage collected or lost at recovering from a context that has been garbage collected or lost at
one of the hosts. one of the hosts.
7.1. Uniqueness of Context Tags 7.1. Uniqueness of Context Tags
As part of establishing a new context, each host has to assign a As part of establishing a new context, each host has to assign a
unique context tag. Since the Payload Extension headers are unique context tag. Since the Payload Extension headers are
demultiplexed based solely on the context tag value (without using demultiplexed based solely on the context tag value (without using
the locators), the context tag MUST be unique for each context. the locators), the context tag MUST be unique for each context.
It is important that context tags are hard to guess for off-path
attackers. Therefore, if an implementation uses structure in the
context tag to facilitate efficient lookups, at least 30 bits of the
context tag MUST be unstructured and populated by random or pseudo-
random bits.
In addition, in order to minimize the reuse of context tags, the host In addition, in order to minimize the reuse of context tags, the host
SHOULD randomly cycle through the 2^47 context tag values,(e.g. SHOULD randomly cycle through the unstrucutred tag name space
following the guidelines described in [18]). reserved for randomly assigned context tag values,(e.g. following the
guidelines described in [18]).
7.2. Locator Verification 7.2. Locator Verification
The peer's locators might need to be verified during context The peer's locators might need to be verified during context
establishment as well as when handling locator updates in Section 10. establishment as well as when handling locator updates in Section 10.
There are two separate aspects of locator verification. One is to There are two separate aspects of locator verification. One is to
verify that the locator is tied to the ULID, i.e., that the host verify that the locator is tied to the ULID, i.e., that the host
which "owns" the ULID is also the one that is claiming the locator which "owns" the ULID is also the one that is claiming the locator
"ownership". The shim6 protocol uses the HBA or CGA techniques for "ownership". The Shim6 protocol uses the HBA or CGA techniques for
doing this verification. The other is to verify that the host is doing this verification. The other is to verify that the host is
indeed reachable at the claimed locator. Such verification is needed indeed reachable at the claimed locator. Such verification is needed
both to make sure communication can proceed, but also to prevent 3rd both to make sure communication can proceed, but also to prevent 3rd
party flooding attacks [20]. These different verifications happen at party flooding attacks [20]. These different verifications happen at
different times, since the first might need to be performed before different times, since the first might need to be performed before
packets can be received by the peer with the source locator in packets can be received by the peer with the source locator in
question, but the latter verification is only needed before packets question, but the latter verification is only needed before packets
are sent to the locator. are sent to the locator.
Before a host can use a locator (different than the ULID) as the Before a host can use a locator (different than the ULID) as the
skipping to change at page 53, line 18 skipping to change at page 55, line 25
addition, it MUST verify that the ULID is indeed present at that addition, it MUST verify that the ULID is indeed present at that
locator. This verification is performed by doing a return- locator. This verification is performed by doing a return-
routability test as part of the Probe sub-protocol [9]. routability test as part of the Probe sub-protocol [9].
If the verification method in the Locator List option is not If the verification method in the Locator List option is not
supported by the host, or if the verification method is not supported by the host, or if the verification method is not
consistent with the CGA Parameter Data Structure (e.g., the Parameter consistent with the CGA Parameter Data Structure (e.g., the Parameter
Data Structure doesn't contain the multiprefix extension, and the Data Structure doesn't contain the multiprefix extension, and the
verification method says to use HBA), then the host MUST ignore the verification method says to use HBA), then the host MUST ignore the
Locator List and the message in which it is contained, and the host Locator List and the message in which it is contained, and the host
SHOULD generates an ICMP parameter problem (type 4, code 0), with the SHOULD generate a Shim6 Error Message with Error Code=2, with the
Pointer referencing the octet in the Verification method that was Pointer referencing the octet in the Verification method that was
found inconsistent. found inconsistent.
7.3. Normal context establishment 7.3. Normal context establishment
The normal context establishment consists of a 4 message exchange in The normal context establishment consists of a 4 message exchange in
the order of I1, R1, I2, R2 as can be seen in Figure 24. the order of I1, R1, I2, R2 as can be seen in Figure 25.
Initiator Responder Initiator Responder
IDLE IDLE IDLE IDLE
------------- I1 --------------> ------------- I1 -------------->
I1-SENT I1-SENT
<------------ R1 --------------- <------------ R1 ---------------
IDLE IDLE
------------- I2 --------------> ------------- I2 -------------->
I2-SENT I2-SENT
<------------ R2 --------------- <------------ R2 ---------------
ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED
Figure 24: Normal context establishment Figure 25: Normal context establishment
7.4. Concurrent context establishment 7.4. Concurrent context establishment
When both ends try to initiate a context for the same ULID pair, then When both ends try to initiate a context for the same ULID pair, then
we might end up with crossing I1 messages. Alternatively, since no we might end up with crossing I1 messages. Alternatively, since no
state is created when receiving the I1, a host might send a I1 after state is created when receiving the I1, a host might send a I1 after
having sent a R1 message. having sent a R1 message.
Since a host remembers that it has sent an I1, it can respond to an Since a host remembers that it has sent an I1, it can respond to an
I1 from the peer (for the same ULID-pair), with a R2, resulting in I1 from the peer (for the same ULID-pair), with a R2, resulting in
the message exchange shown in Figure 25. Such behavior is needed for the message exchange shown in Figure 26. Such behavior is needed for
other reasons such as to correctly respond to retransmitted I1 other reasons such as to correctly respond to retransmitted I1
messages, which occur when the R2 message has been lost. messages, which occur when the R2 message has been lost.
Host A Host B Host A Host B
IDLE IDLE IDLE IDLE
-\ -\
I1-SENT---\ I1-SENT---\
---\ /--- ---\ /---
--- I1 ---\ /--- I1-SENT --- I1 ---\ /--- I1-SENT
skipping to change at page 54, line 27 skipping to change at page 56, line 34
-\ -\
I1-SENT---\ I1-SENT---\
---\ /--- ---\ /---
--- R2 ---\ /--- I1-SENT --- R2 ---\ /--- I1-SENT
---\ ---\
/--- R2 ---/ ---\ /--- R2 ---/ ---\
/--- --> /--- -->
<--- ESTABLISHED <--- ESTABLISHED
ESTABLISHED ESTABLISHED
Figure 25: Crossing I1 messages Figure 26: Crossing I1 messages
If a host has received an I1 and sent an R1, it has no state to If a host has received an I1 and sent an R1, it has no state to
remember this. Thus if the ULP on the host sends down packets, this remember this. Thus if the ULP on the host sends down packets, this
might trigger the host to send an I1 message itself. Thus while one might trigger the host to send an I1 message itself. Thus while one
end is sending an I1 the other is sending an I2 as can be seen in end is sending an I1 the other is sending an I2 as can be seen in
Figure 26. Figure 27.
Host A Host B Host A Host B
IDLE IDLE IDLE IDLE
-\ -\
---\ ---\
I1-SENT ---\ I1-SENT ---\
--- I1 ---\ --- I1 ---\
---\ ---\
---\ ---\
skipping to change at page 55, line 42 skipping to change at page 57, line 42
-\ -\
I2-SENT---\ I2-SENT---\
---\ /--- ---\ /---
--- R2 ---\ /--- --- R2 ---\ /---
---\ ---\
/--- R2 ---/ ---\ /--- R2 ---/ ---\
/--- --> /--- -->
<--- ESTABLISHED <--- ESTABLISHED
ESTABLISHED ESTABLISHED
Figure 26: Crossing I2 and I1 Figure 27: Crossing I2 and I1
7.5. Context recovery 7.5. Context recovery
Due to garbage collection, we can end up with one end having and Due to garbage collection, we can end up with one end having and
using the context state, and the other end not having any state. We using the context state, and the other end not having any state. We
need to be able to recover this state at the end that has lost it, need to be able to recover this state at the end that has lost it,
before we can use it. before we can use it.
This need can arise in the following cases: This need can arise in the following cases:
o The communication is working using the ULID pair as the locator o The communication is working using the ULID pair as the locator
pair, but a problem arises, and the end that has retained the pair, but a problem arises, and the end that has retained the
context state decides to probe alternate locator pairs. context state decides to probe alternate locator pairs.
o The communication is working using a locator pair that is not the o The communication is working using a locator pair that is not the
ULID pair, hence the ULP packets sent from a peer that has ULID pair, hence the ULP packets sent from a peer that has
retained the context state use the shim6 Payload extension header. retained the context state use the Shim6 Payload extension header.
o The host that retained the state sends a control message (e.g. an o The host that retained the state sends a control message (e.g. an
Update Request message). Update Request message).
In all the cases the result is that the peer without state receives a In all the cases the result is that the peer without state receives a
shim message for which it has to context for the context tag. shim message for which it has no context for the context tag.
In all of those cases we can recover the context by having the node In all of those cases we can recover the context by having the node
which doesn't have a context state, send back an R1bis message, and which doesn't have a context state, send back an R1bis message, and
have then complete the recovery with a I2bis and R2 message as can be have then complete the recovery with a I2bis and R2 message as can be
seen in Figure 27. seen in Figure 28.
Host A Host B Host A Host B
Context for Context for
CT(peer)=X Discards context for CT(peer)=X Discards context for
CT(local)=X CT(local)=X
ESTABLISHED IDLE ESTABLISHED IDLE
---- payload, probe, etc. -----> No context state ---- payload, probe, etc. -----> No context state
for CT(local)=X for CT(local)=X
<------------ R1bis ------------ <------------ R1bis ------------
IDLE IDLE
------------- I2bis -----------> ------------- I2bis ----------->
I2BIS_SENT I2BIS_SENT
<------------ R2 --------------- <------------ R2 ---------------
ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED
Figure 27: Context loss at receiver Figure 28: Context loss at receiver
If one end has garbage collected or lost the context state, it might If one end has garbage collected or lost the context state, it might
try to create a new context state (for the same ULID pair), by try to create a new context state (for the same ULID pair), by
sending an I1 message. The peer (that still has the context state) sending an I1 message. The peer (that still has the context state)
will reply with an R1 message and the full 4-way exchange will be will reply with an R1 message and the full 4-way exchange will be
performed again in this case as can be seen in Figure 28. performed again in this case as can be seen in Figure 29.
Host A Host B Host A Host B
Context for Context for
CT(peer)=X Discards context for CT(peer)=X Discards context for
ULIDs A1, B1 CT(local)=X ULIDs A1, B1 CT(local)=X
ESTABLISHED IDLE ESTABLISHED IDLE
Finds <------------ I1 --------------- Tries to setup Finds <------------ I1 --------------- Tries to setup
skipping to change at page 57, line 32 skipping to change at page 59, line 32
<------------ I2 --------------- <------------ I2 ---------------
Recreate context Recreate context
with new CT(peer) I2-SENT with new CT(peer) I2-SENT
and Ls(peer). and Ls(peer).
ESTABLISHED ESTABLISHED
------------- R2 --------------> ------------- R2 -------------->
ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED
Figure 28: Context loss at sender Figure 29: Context loss at sender
7.6. Context confusion 7.6. Context confusion
Since each end might garbage collect the context state we can have Since each end might garbage collect the context state we can have
the case when one end has retained the context state and tries to use the case when one end has retained the context state and tries to use
it, while the other end has lost the state. We discussed this in the it, while the other end has lost the state. We discussed this in the
previous section on recovery. But for the same reasons, when one previous section on recovery. But for the same reasons, when one
host retains context tag X as CT(peer) for ULID pair <A1, B1>, the host retains context tag X as CT(peer) for ULID pair <A1, B1>, the
other end might end up allocating that context tag as CT(local) for other end might end up allocating that context tag as CT(local) for
another ULID pair, e.g., <A3, B1> between the same hosts. In this another ULID pair, e.g., <A3, B1> between the same hosts. In this
case we can not use the recovery mechanisms since there needs to be case we can not use the recovery mechanisms since there need to be
separate context tags for the two ULID pairs. separate context tags for the two ULID pairs.
This type of "confusion" can be observed in two cases (assuming it is This type of "confusion" can be observed in two cases (assuming it is
A that has retained the state and B has dropped it): A that has retained the state and B has dropped it):
o B decides to create a context for ULID pair <A3, B1>, and o B decides to create a context for ULID pair <A3, B1>, and
allocates X as its context tag for this, and sends an I1 to A. allocates X as its context tag for this, and sends an I1 to A.
o A decides to create a context for ULID pair <A3, B1>, and starts o A decides to create a context for ULID pair <A3, B1>, and starts
the exchange by sending I1 to B. When B receives the I2 message, the exchange by sending I1 to B. When B receives the I2 message,
skipping to change at page 59, line 12 skipping to change at page 61, line 16
If the host does not receive an I2 or R2 message in response to the If the host does not receive an I2 or R2 message in response to the
I1 message after I1_TIMEOUT time, then it needs to retransmit the I1 I1 message after I1_TIMEOUT time, then it needs to retransmit the I1
message. The retransmissions should use a retransmission timer with message. The retransmissions should use a retransmission timer with
binary exponential backoff to avoid creating congestion issues for binary exponential backoff to avoid creating congestion issues for
the network when lots of hosts perform I1 retransmissions. Also, the the network when lots of hosts perform I1 retransmissions. Also, the
actual timeout value should be randomized between 0.5 and 1.5 of the actual timeout value should be randomized between 0.5 and 1.5 of the
nominal value to avoid self-synchronization. nominal value to avoid self-synchronization.
If, after I1_RETRIES_MAX retransmissions, there is no response, then If, after I1_RETRIES_MAX retransmissions, there is no response, then
most likely the peer does not implement the shim6 protocol, or there most likely the peer does not implement the Shim6 protocol, or there
could be a firewall that blocks the protocol. In this case it makes could be a firewall that blocks the protocol. In this case it makes
sense for the host to remember to not try again to establish a sense for the host to remember to not try again to establish a
context with that ULID. However, any such negative caching should context with that ULID. However, any such negative caching should
retained for at most NO_R1_HOLDDOWN_TIME, to be able to later setup a retained for at most NO_R1_HOLDDOWN_TIME, to be able to later setup a
context should the problem have been that the host was not reachable context should the problem have been that the host was not reachable
at all when the shim tried to establish the context. at all when the shim tried to establish the context.
If the host receives an ICMP error with "Unrecognized Next Header" If the host receives an ICMP error with "Unrecognized Next Header"
type (type 4, code 1) and the included packet is the I1 message it type (type 4, code 1) and the included packet is the I1 message it
just sent, then this is a more reliable indication that the peer ULID just sent, then this is a more reliable indication that the peer ULID
does not implement shim6. Again, in this case, the host should does not implement Shim6. Again, in this case, the host should
remember to not try again to establish a context with that ULID. remember to not try again to establish a context with that ULID.
Such negative caching should retained for at most ICMP_HOLDDOWN_TIME, Such negative caching should retained for at most ICMP_HOLDDOWN_TIME,
which should be significantly longer than the previous case. which should be significantly longer than the previous case.
7.9. Receiving I1 messages 7.9. Receiving I1 messages
A host MUST silently discard any received I1 messages that do not A host MUST silently discard any received I1 messages that do not
satisfy all of the following validity checks in addition to those satisfy all of the following validity checks in addition to those
specified in Section 12.2: specified in Section 12.3:
o The Hdr Ext Len field is at least 1, i.e., the length is at least o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets. 16 octets.
Upon the reception of an I1 message, the host extracts the ULID pair Upon the reception of an I1 message, the host extracts the ULID pair
and the Forked Instance Identifier from the message. If there is no and the Forked Instance Identifier from the message. If there is no
ULID-pair option, then the ULID pair is taken from the source and ULID-pair option, then the ULID pair is taken from the source and
destination fields in the IPv6 header. If there is no FII option in destination fields in the IPv6 header. If there is no FII option in
the message, then the FII value is taken to be zero. the message, then the FII value is taken to be zero.
skipping to change at page 60, line 51 skipping to change at page 63, line 8
particular requested context (the S and the Responder nonce values)). particular requested context (the S and the Responder nonce values)).
When the host needs to send a R2 message in response to the I1 When the host needs to send a R2 message in response to the I1
message, it copies the Initiator Nonce from the I1 message to the R2 message, it copies the Initiator Nonce from the I1 message to the R2
message, and otherwise follows the normal rules for forming an R2 message, and otherwise follows the normal rules for forming an R2
message (see Section 7.14). message (see Section 7.14).
7.10.1. Generating the R1 Validator 7.10.1. Generating the R1 Validator
One way for the responder to properly generate validators is to One way for the responder to properly generate validators is to
maintain a single secret (S) and a running counter for the Responder maintain a single secret (S) and a running counter (C) for the
Nonce. Responder Nonce that is incremented in fixed periods of time (this
allows the Responder to verify the age of a Responder Nonce,
independently of the context in which it is used).
In the case the validator is generated to be included in a R1 In the case the validator is generated to be included in a R1
message, for each I1 message. The responder can increase the message, for each I1 message. The responder use the current counter
counter, use the counter value as the responder nonce, and use the C value as the Responder Nonce, and use the following information
following information concatenated as input to the one-way function: concatenated as input to the one-way function:
o The the secret S o The secret S
o That Responder Nonce o That Responder Nonce
o The Initiator Context Tag from the I1 message o The Initiator Context Tag from the I1 message
o The ULIDs from the I1 message o The ULIDs from the I1 message
o The locators from the I1 message (strictly only needed if they are o The locators from the I1 message (strictly only needed if they are
different from the ULIDs) different from the ULIDs)
o The forked instance identifier if such option was included in the o The forked instance identifier if such option was included in the
I1 message I1 message
and then the output of the hash function is used as the validator and then the output of the hash function is used as the validator
octet string. octet string.
7.11. Receiving R1 messages and sending I2 messages 7.11. Receiving R1 messages and sending I2 messages
A host MUST silently discard any received R1 messages that do not A host MUST silently discard any received R1 messages that do not
satisfy all of the following validity checks in addition to those satisfy all of the following validity checks in addition to those
specified in Section 12.2: specified in Section 12.3:
o The Hdr Ext Len field is at least 1, i.e., the length is at least o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets. 16 octets.
Upon the reception of an R1 message, the host extracts the Initiator Upon the reception of an R1 message, the host extracts the Initiator
Nonce and the Locator Pair from the message (the latter from the Nonce and the Locator Pair from the message (the latter from the
source and destination fields in the IPv6 header). Next the host source and destination fields in the IPv6 header). Next the host
looks for an existing context which matches the Initiator Nonce and looks for an existing context which matches the Initiator Nonce and
where the locators are contained in Ls(peer) and Ls(local), where the locators are contained in Ls(peer) and Ls(local),
respectively. If no such context is found, then the R1 message is respectively. If no such context is found, then the R1 message is
skipping to change at page 62, line 30 skipping to change at page 64, line 38
When the I2 message has been sent, the state is set to I2-SENT. When the I2 message has been sent, the state is set to I2-SENT.
7.12. Retransmitting I2 messages 7.12. Retransmitting I2 messages
If the initiator does not receive an R2 message after I2_TIMEOUT time If the initiator does not receive an R2 message after I2_TIMEOUT time
after sending an I2 message it MAY retransmit the I2 message, using after sending an I2 message it MAY retransmit the I2 message, using
binary exponential backoff and randomized timers. The Responder binary exponential backoff and randomized timers. The Responder
Validator option might have a limited lifetime, that is, the peer Validator option might have a limited lifetime, that is, the peer
might reject Responder Validator options that are older than might reject Responder Validator options that are older than
VALIDATOR_MIN_LIFETIME to avoid replay attacks. Thus the initiator VALIDATOR_MIN_LIFETIME to avoid replay attacks. In the case that the
SHOULD fall back to retransmitting the I1 message when there is no R2 initiator decides not to retransmit I2 messages or in the case that
received after retransmitting the I2 message I2_RETRIES_MAX times. the initiator still does not recieve an R2 message after
retransmitting I2 messages I2_RETRIES_MAX times, the initiator SHOULD
fall back to retransmitting the I1 message.
7.13. Receiving I2 messages 7.13. Receiving I2 messages
A host MUST silently discard any received I2 messages that do not A host MUST silently discard any received I2 messages that do not
satisfy all of the following validity checks in addition to those satisfy all of the following validity checks in addition to those
specified in Section 12.2: specified in Section 12.3:
o The Hdr Ext Len field is at least 2, i.e., the length is at least o The Hdr Ext Len field is at least 2, i.e., the length is at least
24 octets. 24 octets.
Upon the reception of an I2 message, the host extracts the ULID pair Upon the reception of an I2 message, the host extracts the ULID pair
and the Forked Instance identifier from the message. If there is no and the Forked Instance identifier from the message. If there is no
ULID-pair option, then the ULID pair is taken from the source and ULID-pair option, then the ULID pair is taken from the source and
destination fields in the IPv6 header. If there is no FII option in destination fields in the IPv6 header. If there is no FII option in
the message, then the FII value is taken to be zero. the message, then the FII value is taken to be zero.
Next the host verifies that the Responder Nonce is a recent one Next the host verifies that the Responder Nonce is a recent one
(Nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be (Nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be
considered recent), and that the Responder Validator option matches considered recent), and that the Responder Validator option matches
the validator the host would have computed for the ULID, locators, the validator the host would have computed for the ULID, locators,
responder nonce, and FII. responder nonce, initiator nonce and FII.
If a CGA Parameter Data Structure (PDS) is included in the message, If a CGA Parameter Data Structure (PDS) is included in the message,
then the host MUST verify if the actual PDS contained in the message then the host MUST verify if the actual PDS contained in the message
corresponds to the ULID(peer). corresponds to the ULID(peer).
If any of the above verifications fails, then the host silently If any of the above verifications fails, then the host silently
discards the message and it has completed the I2 processing. discards the message and it has completed the I2 processing.
If all the above verifications are successful, then the host proceeds If all the above verifications are successful, then the host proceeds
to look for a context state for the Initiator. The host looks for a to look for a context state for the Initiator. The host looks for a
skipping to change at page 63, line 30 skipping to change at page 65, line 41
allocates a context tag (CT(local)), creates the context state for allocates a context tag (CT(local)), creates the context state for
the context, and sets its state to ESTABLISHED. It records the context, and sets its state to ESTABLISHED. It records
CT(peer), and the peer's locator set as well as its own locator CT(peer), and the peer's locator set as well as its own locator
set in the context. It SHOULD perform the HBA/CGA verification of set in the context. It SHOULD perform the HBA/CGA verification of
the peer's locator set at this point in time, as specified in the peer's locator set at this point in time, as specified in
Section 7.2. Then the host sends an R2 message back as specified Section 7.2. Then the host sends an R2 message back as specified
below. below.
o If the state is I1-SENT, then the host verifies if the source o If the state is I1-SENT, then the host verifies if the source
locator is included in Ls(peer) or, it is included in the Locator locator is included in Ls(peer) or, it is included in the Locator
List contained in the the I2 message and the HBA/CGA verification List contained in the I2 message and the HBA/CGA verification for
for this specific locator is successful this specific locator is successful
* If this is not the case, then the message is silently discarded * If this is not the case, then the message is silently discarded
and the context state remains unchanged. and the context state remains unchanged.
* If this is the case, then the host updates the context * If this is the case, then the host updates the context
information (CT(peer), Ls(peer)) with the data contained in the information (CT(peer), Ls(peer)) with the data contained in the
I2 message and the host MUST send a R2 message back as I2 message and the host MUST send a R2 message back as
specified below. Note that before updating Ls(peer) specified below. Note that before updating Ls(peer)
information, the host SHOULD perform the HBA/CGA validation of information, the host SHOULD perform the HBA/CGA validation of
the peer's locator set at this point in time as specified in the peer's locator set at this point in time as specified in
Section 7.2. The host moves to ESTABLISHED state. Section 7.2. The host moves to ESTABLISHED state.
o If the state is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host o If the state is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host
verifies if the source locator is included in Ls(peer) or, it is verifies if the source locator is included in Ls(peer) or, it is
included in the Locator List contained in the the I2 message and included in the Locator List contained in the I2 message and the
the HBA/CGA verification for this specific locator is successful HBA/CGA verification for this specific locator is successful
* If this is not the case, then the message is silently discarded * If this is not the case, then the message is silently discarded
and the context state remains unchanged. and the context state remains unchanged.
* If this is the case, then the host updates the context * If this is the case, then the host updates the context
information (CT(peer), Ls(peer)) with the data contained in the information (CT(peer), Ls(peer)) with the data contained in the
I2 message and the host MUST send a R2 message back as I2 message and the host MUST send a R2 message back as
specified in Section 7.14. Note that before updating Ls(peer) specified in Section 7.14. Note that before updating Ls(peer)
information, the host SHOULD perform the HBA/CGA validation of information, the host SHOULD perform the HBA/CGA validation of
the peer's locator set at this point in time as specified in the peer's locator set at this point in time as specified in
skipping to change at page 65, line 27 skipping to change at page 67, line 37
same context tag in ESTABLISHED state, since this would result in same context tag in ESTABLISHED state, since this would result in
demultiplexing problems on the peer. demultiplexing problems on the peer.
o If both are the same, then this context is actually the context o If both are the same, then this context is actually the context
that is created or updated, hence there is no confusion. that is created or updated, hence there is no confusion.
7.16. Receiving R2 messages 7.16. Receiving R2 messages
A host MUST silently discard any received R2 messages that do not A host MUST silently discard any received R2 messages that do not
satisfy all of the following validity checks in addition to those satisfy all of the following validity checks in addition to those
specified in Section 12.2: specified in Section 12.3:
o The Hdr Ext Len field is at least 1, i.e., the length is at least o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets. 16 octets.
Upon the reception of an R2 message, the host extracts the Initiator Upon the reception of an R2 message, the host extracts the Initiator
Nonce and the Locator Pair from the message (the latter from the Nonce and the Locator Pair from the message (the latter from the
source and destination fields in the IPv6 header). Next the host source and destination fields in the IPv6 header). Next the host
looks for an existing context which matches the Initiator Nonce and looks for an existing context which matches the Initiator Nonce and
where the locators are Lp(peer) and Lp(local), respectively. Based where the locators are Lp(peer) and Lp(local), respectively. Based
on the state: on the state:
skipping to change at page 66, line 18 skipping to change at page 68, line 28
(since this is likely to be a reply to a retransmitted I2 (since this is likely to be a reply to a retransmitted I2
message). message).
Before the host completes the R2 processing it MUST look for a Before the host completes the R2 processing it MUST look for a
possible context confusion i.e. where it would end up with multiple possible context confusion i.e. where it would end up with multiple
contexts using the same CT(peer) for the same peer host. See contexts using the same CT(peer) for the same peer host. See
Section 7.15. Section 7.15.
7.17. Sending R1bis messages 7.17. Sending R1bis messages
Upon the receipt of a shim6 payload extension header where there is Upon the receipt of a Shim6 payload extension header where there is
no current SHIM6 context at the receiver, the receiver is to respond no current Shim6 context at the receiver, the receiver is to respond
with an R1bis message in order to enable a fast re-establishment of with an R1bis message in order to enable a fast re-establishment of
the lost SHIM6 context. the lost Shim6 context.
Also a host is to respond with a R1bis upon receipt of any control Also a host is to respond with a R1bis upon receipt of any control
messages that has a message type in the range 64-127 (i.e., excluding messages that has a message type in the range 64-127 (i.e., excluding
the context setup messages such as I1, R1, R1bis, I2, I2bis, R2 and the context setup messages such as I1, R1, R1bis, I2, I2bis, R2 and
future extensions), where the control message refers to a non future extensions), where the control message refers to a non
existent context. existent context.
We assume that all the incoming packets that trigger the generation We assume that all the incoming packets that trigger the generation
of an R1bis message contain a locator pair (in the address fields of of an R1bis message contain a locator pair (in the address fields of
the IPv6 header) and a Context Tag. the IPv6 header) and a Context Tag.
skipping to change at page 66, line 48 skipping to change at page 69, line 11
o Packet Context Tag is the context tag contained in the received o Packet Context Tag is the context tag contained in the received
packet that triggered the generation of the R1bis message. packet that triggered the generation of the R1bis message.
o The Responder Validator option is included, with a validator that o The Responder Validator option is included, with a validator that
is computed as suggested in the next section. is computed as suggested in the next section.
7.17.1. Generating the R1bis Validator 7.17.1. Generating the R1bis Validator
One way for the responder to properly generate validators is to One way for the responder to properly generate validators is to
maintain a single secret (S) and a running counter for the Responder maintain a single secret (S) and a running counter C for the
Nonce. Responder Nonce that is incremented in fixed periods of time (this
allows the Responder to verify the age of a Responder Nonce,
independently of the context in which it is used).
In the case the validator is generated to be included in a R1bis In the case the validator is generated to be included in a R1bis
message, for each received payload extension header or control message, for each received payload extension header or control
message, the responder can increase the counter, use the counter message, the responder use the counter C value as the Responder
value as the responder nonce, and use the following information Nonce, and use the following information concatenated as input to the
concatenated as input to the one-way function: one-way function:
o The the secret S o The secret S
o That Responder Nonce o That Responder Nonce
o The Receiver Context tag included in the received packet o The Receiver Context tag included in the received packet
o The locators from the received packet o The locators from the received packet
and then the output of the hash function is used as the validator and then the output of the hash function is used as the validator
octet string. octet string.
7.18. Receiving R1bis messages and sending I2bis messages 7.18. Receiving R1bis messages and sending I2bis messages
A host MUST silently discard any received R1bis messages that do not A host MUST silently discard any received R1bis messages that do not
satisfy all of the following validity checks in addition to those satisfy all of the following validity checks in addition to those
specified in Section 12.2: specified in Section 12.3:
o The Hdr Ext Len field is at least 1, i.e., the length is at least o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets. 16 octets.
Upon the reception of an R1bis message, the host extracts the Packet Upon the reception of an R1bis message, the host extracts the Packet
Context Tag and the Locator Pair from the message (the latter from Context Tag and the Locator Pair from the message (the latter from
the source and destination fields in the IPv6 header). Next the host the source and destination fields in the IPv6 header). Next the host
looks for an existing context where the Packet Context Tag matches looks for an existing context where the Packet Context Tag matches
CT(peer) and where the locators match Lp(peer) and Lp(local), CT(peer) and where the locators match Lp(peer) and Lp(local),
respectively. respectively.
skipping to change at page 68, line 14 skipping to change at page 70, line 29
Forked Instance Identifier option carrying the instance identifier Forked Instance Identifier option carrying the instance identifier
value for this context MUST be included in the I2bis message. value for this context MUST be included in the I2bis message.
7.19. Retransmitting I2bis messages 7.19. Retransmitting I2bis messages
If the initiator does not receive an R2 message after I2bis_TIMEOUT If the initiator does not receive an R2 message after I2bis_TIMEOUT
time after sending an I2bis message it MAY retransmit the I2bis time after sending an I2bis message it MAY retransmit the I2bis
message, using binary exponential backoff and randomized timers. The message, using binary exponential backoff and randomized timers. The
Responder Validator option might have a limited lifetime, that is, Responder Validator option might have a limited lifetime, that is,
the peer might reject Responder Validator options that are older than the peer might reject Responder Validator options that are older than
VALIDATOR_MIN_LIFETIME to avoid replay attacks. Thus the initiator VALIDATOR_MIN_LIFETIME to avoid replay attacks. In the case that the
SHOULD fall back to retransmitting the I1 message when there is no R2 initiator decides not to retransmit I2bis messages or in the case
received after retransmitting the I2bis message I2bis_RETRIES_MAX that the initiator still does not recieve an R2 message after
times. retransmitting I2bis messages I2bis_RETRIES_MAX times, the initiator
SHOULD fallback to retransmitting the I1 message.
7.20. Receiving I2bis messages and sending R2 messages 7.20. Receiving I2bis messages and sending R2 messages
A host MUST silently discard any received I2bis messages that do not A host MUST silently discard any received I2bis messages that do not
satisfy all of the following validity checks in addition to those satisfy all of the following validity checks in addition to those
specified in Section 12.2: specified in Section 12.3:
o The Hdr Ext Len field is at least 3, i.e., the length is at least o The Hdr Ext Len field is at least 3, i.e., the length is at least
32 octets. 32 octets.
Upon the reception of an I2bis message, the host extracts the ULID Upon the reception of an I2bis message, the host extracts the ULID
pair and the Forked Instance identifier from the message. If there pair and the Forked Instance identifier from the message. If there
is no ULID-pair option, then the ULID pair is taken from the source is no ULID-pair option, then the ULID pair is taken from the source
and destination fields in the IPv6 header. If there is no FII option and destination fields in the IPv6 header. If there is no FII option
in the message, then the FII value is taken to be zero. in the message, then the FII value is taken to be zero.
Next the host verifies that the Responder Nonce is a recent one Next the host verifies that the Responder Nonce is a recent one
(Nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be (Nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be
considered recent), and that the Responder Validator option matches considered recent), and that the Responder Validator option matches
the validator the host would have computed for the ULID, locators, the validator the host would have computed for the locators,
responder nonce, and FII as part of sending an R1bis message. Responder Nonce, and Receiver Context tag as part of sending an R1bis
message.
If a CGA Parameter Data Structure (PDS) is included in the message, If a CGA Parameter Data Structure (PDS) is included in the message,
then the host MUST verify if the actual PDS contained in the message then the host MUST verify if the actual PDS contained in the message
corresponds to the ULID(peer). corresponds to the ULID(peer).
If any of the above verifications fails, then the host silently If any of the above verifications fails, then the host silently
discard the message and it has completed the I2bis processing. discard the message and it has completed the I2bis processing.
If both verifications are successful, then the host proceeds to look If both verifications are successful, then the host proceeds to look
for a context state for the Initiator. The host looks for a context for a context state for the Initiator. The host looks for a context
skipping to change at page 69, line 18 skipping to change at page 71, line 34
NOT use the Packet Context Tag in the I2bis message for CT(local); NOT use the Packet Context Tag in the I2bis message for CT(local);
instead it should pick a new random context tag just as when it instead it should pick a new random context tag just as when it
processes an I2 message. It records CT(peer), and the peer's processes an I2 message. It records CT(peer), and the peer's
locator set as well as its own locator set in the context. It locator set as well as its own locator set in the context. It
SHOULD perform the HBA/CGA verification of the peer's locator set SHOULD perform the HBA/CGA verification of the peer's locator set
at this point in time as specified in Section 7.2. Then the host at this point in time as specified in Section 7.2. Then the host
sends an R2 message back as specified in Section 7.14. sends an R2 message back as specified in Section 7.14.
o If the state is I1-SENT, then the host verifies if the source o If the state is I1-SENT, then the host verifies if the source
locator is included in Ls(peer) or, it is included in the Locator locator is included in Ls(peer) or, it is included in the Locator
List contained in the the I2 message and the HBA/CGA verification List contained in the I2 message and the HBA/CGA verification for
for this specific locator is successful this specific locator is successful
* If this is not the case, then the message is silently * If this is not the case, then the message is silently
discarded. The the context state remains unchanged. discarded. The the context state remains unchanged.
* If this is the case, then the host updates the context * If this is the case, then the host updates the context
information (CT(peer), Ls(peer)) with the data contained in the information (CT(peer), Ls(peer)) with the data contained in the
I2 message and the host MUST send a R2 message back as I2 message and the host MUST send a R2 message back as
specified below. Note that before updating Ls(peer) specified below. Note that before updating Ls(peer)
information, the host SHOULD perform the HBA/CGA validation of information, the host SHOULD perform the HBA/CGA validation of
the peer's locator set at this point in time as specified in the peer's locator set at this point in time as specified in
Section 7.2. The host moves to ESTABLISHED state. Section 7.2. The host moves to ESTABLISHED state.
o If the state is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host o If the state is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host
verifies if the source locator is included in Ls(peer) or, it is verifies if the source locator is included in Ls(peer) or, it is
included in the Locator List contained in the the I2 message and included in the Locator List contained in the I2 message and the
the HBA/CGA verification for this specific locator is successful HBA/CGA verification for this specific locator is successful
* If this is not the case, then the message is silently * If this is not the case, then the message is silently
discarded. The the context state remains unchanged. discarded. The the context state remains unchanged.
* If this is the case, then the host updates the context * If this is the case, then the host updates the context
information (CT(peer), Ls(peer)) with the data contained in the information (CT(peer), Ls(peer)) with the data contained in the
I2 message and the host MUST send a R2 message back as I2 message and the host MUST send a R2 message back as
specified in Section 7.14. Note that before updating Ls(peer) specified in Section 7.14. Note that before updating Ls(peer)
information, the host SHOULD perform the HBA/CGA validation of information, the host SHOULD perform the HBA/CGA validation of
the peer's locator set at this point in time as specified in the peer's locator set at this point in time as specified in
Section 7.2. The context state remains unchanged. Section 7.2. The context state remains unchanged.
skipping to change at page 70, line 38 skipping to change at page 73, line 38
| on host | ICMP error handler | on host | ICMP error handler
Packet +--------------+ Packet +--------------+
| ULP | | ULP |
in | Header | in | Header |
+--------------+ +--------------+
Error | | Error | |
~ Data ~ ~ Data ~
| | | |
- - +--------------+ - - - - +--------------+ - -
Figure 29: ICMP error handling without payload extension header Figure 30: ICMP error handling without payload extension header
When the ULP packets are sent without the payload extension header, When the ULP packets are sent without the payload extension header,
that is, while the initial locators=ULIDs are working, this that is, while the initial locators=ULIDs are working, this
introduces no new concerns; an implementation's existing mechanism introduces no new concerns; an implementation's existing mechanism
for delivering these errors to the ULP will work. See Figure 29. for delivering these errors to the ULP will work. See Figure 30.
But when the shim on the transmitting side inserts the payload But when the shim on the transmitting side inserts the payload
extension header and replaces the ULIDs in the IP address fields with extension header and replaces the ULIDs in the IP address fields with
some other locators, then an ICMP error coming back will have a some other locators, then an ICMP error coming back will have a
"packet in error" which is not a packet that the ULP sent. Thus the "packet in error" which is not a packet that the ULP sent. Thus the
implementation will have to apply the reverse mapping to the "packet implementation will have to apply the reverse mapping to the "packet
in error" before passing the ICMP error up to the ULP. See in error" before passing the ICMP error up to the ULP. See
Figure 30. Figure 31.
+--------------+ +--------------+
| IPv6 Header | | IPv6 Header |
| | | |
+--------------+ +--------------+
| ICMPv6 | | ICMPv6 |
| Header | | Header |
- - +--------------+ - - - - +--------------+ - -
| IPv6 Header | | IPv6 Header |
| src, dst as | Needs to be | src, dst as | Needs to be
IPv6 | modified by | transformed to IPv6 | modified by | transformed to
| shim on host | have ULIDs | shim on host | have ULIDs
+--------------+ in src, dst fields, +--------------+ in src, dst fields,
Packet | SHIM6 ext. | and SHIM6 ext. Packet | Shim6 ext. | and Shim6 ext.
| Header | header removed | Header | header removed
in +--------------+ before it can be in +--------------+ before it can be
| Transport | dispatched to the ULP | Transport | dispatched to the ULP
Error | Header | ICMP error handler. Error | Header | ICMP error handler.
+--------------+ +--------------+
| | | |
~ Data ~ ~ Data ~
| | | |
- - +--------------+ - - - - +--------------+ - -
Figure 30: ICMP error handling with payload extension header Figure 31: ICMP error handling with payload extension header
Note that this mapping is different than when receiving packets from Note that this mapping is different than when receiving packets from
the peer with a payload extension headers, because in that case the the peer with a payload extension headers, because in that case the
packets contain CT(local). But the ICMP errors have a "packet in packets contain CT(local). But the ICMP errors have a "packet in
error" with an payload extension header containing CT(peer). This is error" with an payload extension header containing CT(peer). This is
because they were intended to be received by the peer. In any case, because they were intended to be received by the peer. In any case,
since the <Source Locator, Destination Locator, CT(peer)> has to be since the <Source Locator, Destination Locator, CT(peer)> has to be
unique when received by the peer, the local host should also only be unique when received by the peer, the local host should also only be
able to find one context that matches this tuple. able to find one context that matches this tuple.
skipping to change at page 72, line 22 skipping to change at page 75, line 22
there might be cases when the knowledge is not readily available to there might be cases when the knowledge is not readily available to
the shim layer, for instance for UDP applications which do not the shim layer, for instance for UDP applications which do not
connect their sockets, or any application which retains some higher connect their sockets, or any application which retains some higher
level state across (TCP) connections and UDP packets. level state across (TCP) connections and UDP packets.
Thus it is RECOMMENDED that implementations minimize premature Thus it is RECOMMENDED that implementations minimize premature
teardown by observing the amount of traffic that is sent and received teardown by observing the amount of traffic that is sent and received
using the context, and only after it appears quiescent, tear down the using the context, and only after it appears quiescent, tear down the
state. A reasonable approach would be not to tear down a context state. A reasonable approach would be not to tear down a context
until at least 5 minutes have passed since the last message was sent until at least 5 minutes have passed since the last message was sent
or received using the context. or received using the context. (Note that packets that use the ULID
pair as locator pair and that do not require address rewriting by the
Shim6 layer are also considered as packets using the associated Shim6
context)
Since there is no explicit, coordinated removal of the context state, Since there is no explicit, coordinated removal of the context state,
there are potential issues around context tag reuse. One end might there are potential issues around context tag reuse. One end might
remove the state, and potentially reuse that context tag for some remove the state, and potentially reuse that context tag for some
other communication, and the peer might later try to use the old other communication, and the peer might later try to use the old
context (which it didn't remove). The protocol has mechanisms to context (which it didn't remove). The protocol has mechanisms to
recover from this, which work whether the state removal was total and recover from this, which work whether the state removal was total and
accidental (e.g., crash and reboot of the host), or just a garbage accidental (e.g., crash and reboot of the host), or just a garbage
collection of shim state that didn't seem to be used. However, the collection of shim state that didn't seem to be used. However, the
host should try to minimize the reuse of context tags by trying to host should try to minimize the reuse of context tags by trying to
skipping to change at page 74, line 41 skipping to change at page 77, line 41
o Send the Update Request and start a retransmission timer. o Send the Update Request and start a retransmission timer.
Any Update Acknowledgement which doesn't match the current request Any Update Acknowledgement which doesn't match the current request
nonce, for instance an acknowledgement for the abandoned Update nonce, for instance an acknowledgement for the abandoned Update
Request, will be silently ignored. Request, will be silently ignored.
10.4. Receiving Update Request messages 10.4. Receiving Update Request messages
A host MUST silently discard any received Update Request messages A host MUST silently discard any received Update Request messages
that do not satisfy all of the following validity checks in addition that do not satisfy all of the following validity checks in addition
to those specified in Section 12.2: to those specified in Section 12.3:
o The Hdr Ext Len field is at least 1, i.e., the length is at least o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets. 16 octets.
Upon the reception of an Update Request message, the host extracts Upon the reception of an Update Request message, the host extracts
the Context Tag from the message. It then looks for a context which the Context Tag from the message. It then looks for a context which
has a CT(local) that matches the context tag. If no such context is has a CT(local) that matches the context tag. If no such context is
found, it sends a R1bis message as specified in Section 7.17. found, it sends a R1bis message as specified in Section 7.17.
Since context tags can be reused, the host MUST verify that the IPv6 Since context tags can be reused, the host MUST verify that the IPv6
skipping to change at page 75, line 27 skipping to change at page 78, line 27
o If ESTABLISHED: Proceed to process message. o If ESTABLISHED: Proceed to process message.
o If I1-SENT, discard the message and stay in I1-SENT. o If I1-SENT, discard the message and stay in I1-SENT.
o If I2-SENT, then send I2 and proceed to process the message. o If I2-SENT, then send I2 and proceed to process the message.
o If I2BIS-SENT, then send I2bis and proceed to process the message. o If I2BIS-SENT, then send I2bis and proceed to process the message.
The verification issues for the locators carried in the Locator The verification issues for the locators carried in the Locator
Update message are specified in Section 7.2. If the locator list can Update message are specified in Section 7.2. If the locator list can
not be verified, this procedure might send an ICMP Parameter Problem not be verified, this procedure should send a Shim6 Error message
error. In any case, if it can not be verified, there is no further with Error Code=2. In any case, if it can not be verified, there is
processing of the Update Request. no further processing of the Update Request.
Once any Locator List option in the Update Request has been verified, Once any Locator List option in the Update Request has been verified,
the peer generation number in the context is updated to be the one in the peer generation number in the context is updated to be the one in
the Locator List option. the Locator List option.
If the Update message contains a Locator Preference option, then the If the Update message contains a Locator Preference option, then the
Generation number in the preference option is compared with the peer Generation number in the preference option is compared with the peer
generation number in the context. If they do not match, then the generation number in the context. If they do not match, then the
host generates an ICMP parameter problem (type 4, code 0) with the host generates a Shim6 Error Message with Error Code=3 with the
Pointer field referring to the first octet in the Generation number Pointer field referring to the first octet in the Generation number
in the Locator Preference option. In addition, if the number of in the Locator Preference option. In addition, if the number of
elements in the Locator Preference option does not match the number elements in the Locator Preference option does not match the number
of locators in Ls(peer), then an ICMP parameter problem is sent with of locators in Ls(peer), then a Shim6 Error Message with Error Code=4
the Pointer referring to the first octet of the Length field in the is sent with the Pointer referring to the first octet of the Length
Locator Preference option. In both cases of failures, no further field in the Locator Preference option. In both cases of failures,
processing is performed for the Locator Update message. no further processing is performed for the Locator Update message.
If the generation number matches, the locator preferences are If the generation number matches, the locator preferences are
recorded in the context. recorded in the context.
Once the Locator List option (if present) has been verified and any Once the Locator List option (if present) has been verified and any
new locator list or locator preferences have been recorded, the host new locator list or locator preferences have been recorded, the host
sends an Update Acknowledgement message, copying the nonce from the sends an Update Acknowledgement message, copying the nonce from the
request, and using the CT(peer) in as the Receiver Context Tag. request, and using the CT(peer) in as the Receiver Context Tag.
Any new locators, or more likely new locator preferences, might Any new locators, or more likely new locator preferences, might
result in the host wanting to select a different locator pair for the result in the host wanting to select a different locator pair for the
context. For instance, if the Locator Preferences lists the current context. For instance, if the Locator Preferences lists the current
Lp(peer) as BROKEN. The host uses the Probe message in [9] to verify Lp(peer) as BROKEN. The host uses the Probe message in [9] to verify
that the new locator is reachable before changing Lp(peer). that the new locator is reachable before changing Lp(peer).
10.5. Receiving Update Acknowledgement messages 10.5. Receiving Update Acknowledgement messages
A host MUST silently discard any received Update Acknowledgement A host MUST silently discard any received Update Acknowledgement
messages that do not satisfy all of the following validity checks in messages that do not satisfy all of the following validity checks in
addition to those specified in Section 12.2: addition to those specified in Section 12.3:
o The Hdr Ext Len field is at least 1, i.e., the length is at least o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets. 16 octets.
Upon the reception of an Update Acknowledgement message, the host Upon the reception of an Update Acknowledgement message, the host
extracts the Context Tag and the Request Nonce from the message. It extracts the Context Tag and the Request Nonce from the message. It
then looks for a context which has a CT(local) that matches the then looks for a context which has a CT(local) that matches the
context tag. If no such context is found, it sends a R1bis message context tag. If no such context is found, it sends a R1bis message
as specified in Section 7.17. as specified in Section 7.17.
skipping to change at page 78, line 8 skipping to change at page 81, line 8
First, the IP address fields are replaced. The IPv6 source address First, the IP address fields are replaced. The IPv6 source address
field is set to Lp(local) and the destination address field is set to field is set to Lp(local) and the destination address field is set to
Lp(peer). NOTE that this MUST NOT cause any recalculation of the ULP Lp(peer). NOTE that this MUST NOT cause any recalculation of the ULP
checksums, since the ULP checksums are carried end-to-end and the ULP checksums, since the ULP checksums are carried end-to-end and the ULP
pseudo-header contains the ULIDs which are preserved end-to-end. pseudo-header contains the ULIDs which are preserved end-to-end.
The sender skips any "routing sub-layer extension headers" that the The sender skips any "routing sub-layer extension headers" that the
ULP might have included, thus it skips any hop-by-hop extension ULP might have included, thus it skips any hop-by-hop extension
header, any routing header, and any destination options header that header, any routing header, and any destination options header that
is followed by a routing header. After any such headers the shim6 is followed by a routing header. After any such headers the Shim6
extension header will be added. This might be before a Fragment extension header will be added. This might be before a Fragment
header, a Destination Options header, an ESP or AH header, or a ULP header, a Destination Options header, an ESP or AH header, or a ULP
header. header.
The inserted shim6 Payload extension header includes the peer's The inserted Shim6 Payload extension header includes the peer's
context tag. It takes on the next header value from the preceding context tag. It takes on the next header value from the preceding
extension header, since that extension header will have a next header extension header, since that extension header will have a next header
value of SHIM6. value of Shim6.
12. Receiving Packets 12. Receiving Packets
As in normal IPv6 receive side packet processing the receiver parses The receive side of the communication can receive packets associated
the (extension) headers in order. Should it find a shim6 extension to a Shim6 context with or without the Shim6 extenson header. In
header it will look at the "P" field in that header. If this bit is case that the ULID pair is being used as locator pair, the packets
zero, then the packet must be passed to the shim6 payload handling received will not have the Shim6 extension header and will be
for rewriting. Otherwise, the packet is passed to the shim6 control processed by the Shim6 layer as described below. If the received
handling. packet does carry the Shim6 extension header, as in normal IPv6
receive side packet processing the receiver parses the (extension)
headers in order. Should it find a Shim6 extension header it will
look at the "P" field in that header. If this bit is zero, then the
packet must be passed to the Shim6 payload handling for rewriting.
Otherwise, the packet is passed to the Shim6 control handling.
12.1. Receiving Payload Extension Headers 12.1. Receiving payload without extension headers
The receiver extracts the IPv6 source and destination fields, and
uses this to find a ULID-pair context, such that the IPv6 address
fields match the ULID(local) and ULID(peer). If such a context is
found, the context appears not to be quiescent and this should be
remembered in order to avoid tearing down the context and for
reachability detection porpuses as described in [9]. The host
continues with the normal processing of the IP packet.
12.2. Receiving Payload Extension Headers
The receiver extracts the context tag from the payload extension The receiver extracts the context tag from the payload extension
header, and uses this to find a ULID-pair context. If no context is header, and uses this to find a ULID-pair context. If no context is
found, the receiver SHOULD generate a R1bis message (see found, the receiver SHOULD generate a R1bis message (see
Section 7.17). Section 7.17).
Then, depending on the state of the context: Then, depending on the state of the context:
o If ESTABLISHED: Proceed to process message. o If ESTABLISHED: Proceed to process message.
skipping to change at page 79, line 43 skipping to change at page 83, line 9
extension header is removed from the packet (so that the ULP doesn't extension header is removed from the packet (so that the ULP doesn't
get confused by it), and the next header value in the preceding get confused by it), and the next header value in the preceding
header is set to be the actual protocol number for the payload. Then header is set to be the actual protocol number for the payload. Then
the packet can be passed to the protocol identified by the next the packet can be passed to the protocol identified by the next
header value (which might be some function associated with the IP header value (which might be some function associated with the IP
endpoint sublayer, or a ULP). endpoint sublayer, or a ULP).
If the host is using some heuristic for determining when to perform a If the host is using some heuristic for determining when to perform a
deferred context establishment, then the host might need to do some deferred context establishment, then the host might need to do some
accounting (count the number of packets sent and received) for accounting (count the number of packets sent and received) for
packets that does not have a shim6 extension header and for which packets that does not have a Shim6 extension header and for which
there is no context. But the need for this depends on what there is no context. But the need for this depends on what
heuristics the implementation has chosen. heuristics the implementation has chosen.
12.2. Receiving Shim Control messages 12.3. Receiving Shim Control messages
A shim control message has the checksum field verified. The Shim A shim control message has the checksum field verified. The Shim
header length field is also verified against the length of the IPv6 header length field is also verified against the length of the IPv6
packet to make sure that the shim message doesn't claim to end past packet to make sure that the shim message doesn't claim to end past
the end of the IPv6 packet. Finally, it checks that the neither the the end of the IPv6 packet. Finally, it checks that the neither the
IPv6 destination field nor the IPv6 source field is a multicast IPv6 destination field nor the IPv6 source field is a multicast
address. If any of those checks fail, the packet is silently address. If any of those checks fail, the packet is silently
dropped. dropped.
The message is then dispatched based on the shim message type. Each The message is then dispatched based on the shim message type. Each
message type is then processed as described elsewhere in this message type is then processed as described elsewhere in this
document. If the packet contains a shim message type which is document. If the packet contains a shim message type which is
unknown to the receiver, then an ICMPv6 Parameter Problem error is unknown to the receiver, then a Shim6 Error Message with Error Code=0
generated and sent back. The pointer field in the Parameter Problem is generated and sent back. The Pointer field is set to point at the
is set to point at the first octet of the shim message type. The first octet of the shim message type.
error is rate limited just like other ICMP errors [5].
All the control messages can contain any options with C=0. If there All the control messages can contain any options with C=0. If there
is any option in the message with C=1 that isn't known to the host, is any option in the message with C=1 that isn't known to the host,
then the host MUST send an ICMPv6 Parameter Problem, with the Pointer then the host MUST send a Shim6 Error Message with Error Code=1, with
field referencing the first octet of the Option Type. the Pointer field referencing the first octet of the Option Type.
12.3. Context Lookup 12.4. Context Lookup
We assume that each shim context has its own state machine. We We assume that each shim context has its own state machine. We
assume that a dispatcher delivers incoming packets to the state assume that a dispatcher delivers incoming packets to the state
machine that it belongs to. Here we describe the rules used for the machine that it belongs to. Here we describe the rules used for the
dispatcher to deliver packets to the correct shim context state dispatcher to deliver packets to the correct shim context state
machine. machine.
There is one state machine per context identified that is There is one state machine per context identified that is
conceptually identified by ULID pair and Forked Instance Identifier conceptually identified by ULID pair and Forked Instance Identifier
(which is zero by default), or identified by CT(local). However, the (which is zero by default), or identified by CT(local). However, the
skipping to change at page 81, line 28 skipping to change at page 84, line 41
o Payload extension headers: Deliver to the context with CT(local) o Payload extension headers: Deliver to the context with CT(local)
equal to the Receiver Context Tag included in the packet. equal to the Receiver Context Tag included in the packet.
o Other control messages (Update, Keepalive, Probe): Deliver to the o Other control messages (Update, Keepalive, Probe): Deliver to the
context with CT(local) equal to the Receiver Context Tag included context with CT(local) equal to the Receiver Context Tag included
in the packet. Verify that the IPv6 source address field is part in the packet. Verify that the IPv6 source address field is part
of Ls(peer) and that the IPv6 destination address field is part of of Ls(peer) and that the IPv6 destination address field is part of
Ls(local). If not, send a R1bis message. Ls(local). If not, send a R1bis message.
o ICMP errors which contain a shim6 payload extension header or o Shim6 Error Messages and ICMP errors which contain a Shim6 payload
other shim control packet in the "packet in error": Use the extension header or other shim control packet in the "packet in
"packet in error" for dispatching as follows. Deliver to the error": Use the "packet in error" for dispatching as follows.
context with CT(peer) equal to the Receiver Context Tag, Lp(local) Deliver to the context with CT(peer) equal to the Receiver Context
being the IPv6 source address, and Lp(peer) being the IPv6 Tag, Lp(local) being the IPv6 source address, and Lp(peer) being
destination address. the IPv6 destination address.
In addition, the shim on the sending side needs to be able to find In addition, the shim on the sending side needs to be able to find
the context state when a ULP packet is passed down from the ULP. In the context state when a ULP packet is passed down from the ULP. In
that case the lookup key is the pair of ULIDs and FII=0. If we have that case the lookup key is the pair of ULIDs and FII=0. If we have
a ULP API that allows the ULP to do context forking, then presumably a ULP API that allows the ULP to do context forking, then presumably
the ULP would pass down the Forked Instance Identifier. the ULP would pass down the Forked Instance Identifier.
13. Initial Contact 13. Initial Contact
The initial contact is some non-shim communication between two ULIDs, The initial contact is some non-shim communication between two ULIDs,
as described in Section 2. At that point in time there is no as described in Section 2. At that point in time there is no
activity in the shim. activity in the shim.
Whether the shim ends up being used or not (e.g., the peer might not Whether the shim ends up being used or not (e.g., the peer might not
support shim6) it is highly desirable that the initial contact can be support Shim6) it is highly desirable that the initial contact can be
established even if there is a failure for one or more IP addresses. established even if there is a failure for one or more IP addresses.
The approach taken is to rely on the applications and the transport The approach taken is to rely on the applications and the transport
protocols to retry with different source and destination addresses, protocols to retry with different source and destination addresses,
consistent with what is already specified in Default Address consistent with what is already specified in Default Address
Selection [13], and some fixes to that specification [14] to make it Selection [13], and some fixes to that specification [14] to make it
try different source addresses and not only different destination try different source addresses and not only different destination
addresses. addresses.
The implementation of such an approach can potentially result in long The implementation of such an approach can potentially result in long
skipping to change at page 84, line 7 skipping to change at page 88, line 7
performing independent shim operations at the same time. performing independent shim operations at the same time.
The randomization is applied after the binary exponential backoff. The randomization is applied after the binary exponential backoff.
Thus the first retransmission would happen based on a uniformly Thus the first retransmission would happen based on a uniformly
distributed random number in the range [0.5*4, 1.5*4] seconds, the distributed random number in the range [0.5*4, 1.5*4] seconds, the
second retransmission [0.5*8, 1.5*8] seconds after the first one, second retransmission [0.5*8, 1.5*8] seconds after the first one,
etc. etc.
15. Implications Elsewhere 15. Implications Elsewhere
The general shim6 approach, as well as the specifics of this proposed 15.1. Congestion Control Considerations
solution, has implications elsewhere. The key implications are:
When the locator pair currently used for exchanging packets in a
Shim6 context becomes unreachable, the Shim6 layer will divert the
communication through an alternative locator pair, which in most
cases will result in redirecting the packet flow through an
alternative network path. In this case, it reccomended that the
Shim6 follows the reccomendation defined in [28] and it informs the
upper layers about the path change, in order to allow the congestion
control mechanisms of the upper layers can react accordingly.
15.2. Middle-boxes considerations
Data packets belonging to a Shim6 context carrying the Shim6 Payload
Header contain alternative locators other than the ULIDs in the
source and destination address fields of the IPv6 header. On the
other hand, the upper layers of the peers involved in the
communication operate on the ULID pair presented by the Shim6 layer
to them, rather on the locator pair contained in the IPv6 header of
the actual packets. It should be noted that the Shim6 layer does not
modify the data packets, but because a constant ULID pair is
presented to upper layers irrespective of the locator pair changes,
the relation between the upper layer header (such as TCP, UDP, ICMP,
ESP, etc) and the IPv6 header is modified. In particular, when the
Shim6 Extension header is present in the packet, if those data
packets are TCP, UDP or ICMP packets, the presudoheader used for the
checksum calculation will contain the ULID pair, rather than the
locator pair contained in the data packet.
It is possible that some firewalls or other middle boxes try to
verify the validity of upper layer sanity checks of the packet on the
fly. If they do that based on the actual source and destination
addresses contained in the IPv6 header without considering the Shim6
context information (in particular without replacing the locator pair
by the ULID pair used by the Shim6 context) such verifications may
fail. Those middle-boxes need to be updated in order to be able to
parse the Shim6 payload header and find the next header header after
that. It is recommended that firewalls and other middle-boxes do not
drop packets that carry the Shim6 Payload header with apparently
incorrect upper layer validity checks that involve the addresses in
the IPv6 header for their computation, unless they are able to
determine the ULID pair of the Shim6 context associated to the data
packet and use the ULID pair for the verification of the validity
check.
In the particular case of TCP, UDP and ICMP checksums, it is
recommended that firewalls and other middle-boxes do not drop TCP,
UDP and ICMP packets that carry the Shim6 Payload header with
apparently incorrect checksums when using the addresses in the IPv6
header for the pseudoheader computation, unless they implement are
able to determine the ULID pair of the Shim6 context associated to
the data packet and use the ULID pair to determine the checksum that
must be present in a packet with addresses rewritten by Shim6.
In addition, firewalls that today pass limited traffic, e.g.,
outbound TCP connections, would presumably block the Shim6 protocol.
This means that even when Shim6 capable hosts are communicating, the
I1 messages would be dropped, hence the hosts would not discover that
their peer is Shim6 capable. This is in fact a feature, since if the
hosts managed to establish a ULID-pair context, then the firewall
would probably drop the "different" packets that are sent after a
failure (those using the Shim6 payload extension header with a TCP
packet inside it). Thus stateful firewalls that are modified to pass
Shim6 messages should also be modified to pass the payload extension
header, so that the shim can use the alternate locators to recover
from failures. This presumably implies that the firewall needs to
track the set of locators in use by looking at the Shim6 control
exchanges. Such firewalls might even want to verify the locators
using the HBA/CGA verification themselves, which they can do without
modifying any of the Shim6 packets they pass through.
15.3. Other considerations
The general Shim6 approach, as well as the specifics of this proposed
solution, has implications elsewhere, including:
o Applications that perform referrals, or callbacks using IP o Applications that perform referrals, or callbacks using IP
addresses as the 'identifiers' can still function in limited ways, addresses as the 'identifiers' can still function in limited ways,
as described in [23]. But in order for such applications to be as described in [23]. But in order for such applications to be
able to take advantage of the multiple locators for redundancy, able to take advantage of the multiple locators for redundancy,
the applications need to be modified to either use fully qualified the applications need to be modified to either use fully qualified
domain names as the 'identifiers', or they need to pass all the domain names as the 'identifiers', or they need to pass all the
locators as the 'identifiers' i.e., the 'identifier' from the locators as the 'identifiers' i.e., the 'identifier' from the
applications perspective becomes a set of IP addresses instead of applications perspective becomes a set of IP addresses instead of
a single IP address. a single IP address.
o Firewalls that today pass limited traffic, e.g., outbound TCP
connections, would presumably block the shim6 protocol. This
means that even when shim6 capable hosts are communicating, the I1
messages would be dropped, hence the hosts would not discover that
their peer is shim6 capable. This is in fact a feature, since if
the hosts managed to establish a ULID-pair context, then the
firewall would probably drop the "different" packets that are sent
after a failure (those using the shim6 payload extension header
with a TCP packet inside it). Thus stateful firewalls that are
modified to pass shim6 messages should also be modified to pass
the payload extension header, so that the shim can use the
alternate locators to recover from failures. This presumably
implies that the firewall needs to track the set of locators in
use by looking at the shim6 control exchanges. Such firewalls
might even want to verify the locators using the HBA/CGA
verification themselves, which they can do without modifying any
of the shim6 packets they pass through.
o Signaling protocols for QoS or other things that involve having o Signaling protocols for QoS or other things that involve having
devices in the network path look at IP addresses and port numbers, devices in the network path look at IP addresses and port numbers,
or IP addresses and Flow Labels, need to be invoked on the hosts or IP addresses and Flow Labels, need to be invoked on the hosts
when the locator pair changes due to a failure. At that point in when the locator pair changes due to a failure. At that point in
time those protocols need to inform the devices that a new pair of time those protocols need to inform the devices that a new pair of
IP addresses will be used for the flow. Note that this is the IP addresses will be used for the flow. Note that this is the
case even though this protocol, unlike some earlier proposals, case even though this protocol, unlike some earlier proposals,
does not overload the flow label as a context tag; the in-path does not overload the flow label as a context tag; the in-path
devices need to know about the use of the new locators even though devices need to know about the use of the new locators even though
the flow label stays the same. the flow label stays the same.
o MTU implications. The path MTU mechanisms we use are robust o MTU implications. The path MTU mechanisms we use are robust
against different packets taking different paths through the against different packets taking different paths through the
Internet, by computing a minimum over the recently observed path Internet, by computing a minimum over the recently observed path
MTUs. When shim6 fails over from using one locator pair to MTUs. When Shim6 fails over from using one locator pair to
another pair, this means that packets might travel over a another pair, this means that packets might travel over a
different path through the Internet, hence the path MTU might be different path through the Internet, hence the path MTU might be
quite different. Perhaps such a path change would be a good hint quite different. Perhaps such a path change would be a good hint
to the path MTU mechanism to try a larger MTU? to the path MTU mechanism to try a larger MTU?
The fact that the shim will add an 8 octet payload extension The fact that the shim will add an 8 octet Payload Extension
header to the ULP packets after a locator switch, can also affect header to the ULP packets after a locator switch, can also affect
the usable path MTU for the ULPs. In this case the MTU change is the usable path MTU for the ULPs. In this case the MTU change is
local to the sending host, thus conveying the change to the ULPs local to the sending host, thus conveying the change to the ULPs
is an implementation matter. is an implementation matter.
o The precise interaction between Mobile IPv6 and shim6 is for
further study, but it might make sense to have Mobile IPv6 operate
on locators, meaning that the shim would be layered on top of the
MIPv6 mechanism.
16. Security Considerations 16. Security Considerations
This document satisfies the concerns specified in [20] as follows: This document satisfies the concerns specified in [20] as follows:
o The HBA [6] and CGA technique [8] for verifying the locators to o The HBA [6] and CGA technique [8] for verifying the locators to
prevent an attacker from redirecting the packet stream to prevent an attacker from redirecting the packet stream to
somewhere else. The minimum acceptable key length for public keys somewhere else. The minimum acceptable key length for public keys
used in the generation of CGAs SHOULD be 1024 bits. Any used in the generation of CGAs SHOULD be 1024 bits. Any
implementation should follow prudent cryptographic practice in implementation should follow prudent cryptographic practice in
determining the appropriate key lengths. determining the appropriate key lengths.
o Requiring a Reachability Probe+Reply before a new locator is used o Requiring a Reachability Probe+Reply before a new locator is used
as the destination, in order to prevent 3rd party flooding as the destination, in order to prevent 3rd party flooding
attacks. attacks.
o The first message does not create any state on the responder. o The first message does not create any state on the responder.
Essentially a 3-way exchange is required before the responder Essentially a 3-way exchange is required before the responder
creates any state. This means that a state-based DoS attack creates any state. This means that a state-based DoS attack
(trying to use up all of memory on the responder) at least (trying to use up all of memory on the responder) at least
requires the attacker to create state, cosnuming his own resources requires the attacker to create state, consuming his own resources
and also it provides an IPv6 address that the attacker was using. and also it provides an IPv6 address that the attacker was using.
o The context establishment messages use nonces to prevent replay o The context establishment messages use nonces to prevent replay
attacks, and to prevent off-path attackers from interfering with attacks, and to prevent off-path attackers from interfering with
the establishment. the establishment.
o Every control message of the shim6 protocol, past the context o Every control message of the Shim6 protocol, past the context
establishment, carry the context tag assigned to the particular establishment, carry the context tag assigned to the particular
context. This implies that an attacker needs to discover that context. This implies that an attacker needs to discover that
context tag before being able to spoof any shim6 control message. context tag before being able to spoof any Shim6 control message.
Such discovery probably requires to be along the path in order to Such discovery probably requires to be along the path in order to
be sniff the context tag value. The result is that through this be sniff the context tag value. The result is that through this
technique, the shim6 protocol is protected against off-path technique, the Shim6 protocol is protected against off-path
attackers. attackers.
Interaction with IPSec Interaction with IPSec
The shim6 sub-layer is implemented below the IPSec layer within the The Shim6 sub-layer is implemented below the IPSec layer within the
IP layer. This deserves some additional considerations for a couple IP layer. This deserves some additional considerations for a couple
of specific cases: First, it should be noted that the shim6 approach of specific cases: First, it should be noted that the Shim6 approach
does not preclude using IPSEC tunnels on shim6 packets within the does not preclude using IPSEC tunnels on Shim6 packets within the
network transit path. Second, in case that IPSec is implemented as network transit path. Second, in case that IPSec is implemented as
Bump-In-The-Wire (BITW) [7] it is expected that the shim6 sub-layer Bump-In-The-Wire (BITW) [7], either the shim MUST be disabled, or the
is also implemnted in the same fashion. shim MUST also be implemented as Bump-In-The-Wire, in order to
satisfy the requirement that IPsec is layered above the shim.
Some of the residual threats in this proposal are: Some of the residual threats in this proposal are:
o An attacker which arrives late on the path (after the context has o An attacker which arrives late on the path (after the context has
been established) can use the R1bis message to cause one peer to been established) can use the R1bis message to cause one peer to
recreate the context, and at that point in time the attacker can recreate the context, and at that point in time the attacker can
observe all of the exchange. But this doesn't seem to open any observe all of the exchange. But this doesn't seem to open any
new doors for the attacker since such an attacker can observe the new doors for the attacker since such an attacker can observe the
context tags that are being used, and once known it can use those context tags that are being used, and once known it can use those
to send bogus messages. to send bogus messages.
o An attacker which is present on the path so that it can find out o An attacker which is present on the path so that it can find out
the context tags, can generate a R1bis message after it has moved the context tags, can generate a R1bis message after it has moved
off the path. For this packet to be effective it needs to have a off the path. For this packet to be effective it needs to have a
source locator which belongs to the context, thus there can not be source locator which belongs to the context, thus there can not be
"too much" ingress filtering between the attackers new location "too much" ingress filtering between the attackers new location
and the communicating peers. But this doesn't seem to be that and the communicating peers. But this doesn't seem to be that
severe, because once the R1bis causes the context to be re- severe, because once the R1bis causes the context to be re-
established, a new pair of context tags will be used, which will established, a new pair of context tags will be used, which will
not be known to the attacker. If this is still a concern, we not be known to the attacker. If this is still a concern, we
could require a 2-way handshake "did you really loose the state?" could require a 2-way handshake "did you really lose the state?"
in response to the error message. in response to the error message.
o It might be possible for an attacker to try random 47-bit context o It might be possible for an attacker to try random 47-bit context
tags and see if they can cause disruption for communication tags and see if they can cause disruption for communication
between two hosts. In particular, in the case of payload packets, between two hosts. In particular, in the case of payload packets,
the effects of such attack would be similar of those of an the effects of such attack would be similar of those of an
attacker sending packets with spoofed source address. In the case attacker sending packets with spoofed source address. In the case
of control packets, it is not enough to find the correct context of control packets, it is not enough to find the correct context
tag, but additional information is required (e.g. nonces, proper tag, but additional information is required (e.g. nonces, proper
source addresses) (see previous bullet for the case of R1bis). If source addresses) (see previous bullet for the case of R1bis). If
a 47-bit tag, which is the largest that fits in an 8-octet a 47-bit tag, which is the largest that fits in an 8-octet
extension header, isn't sufficient, one could use an even larger extension header, isn't sufficient, one could use an even larger
tag in the shim6 control messages, and use the low-order 47 bits tag in the Shim6 control messages, and use the low-order 47 bits
in the payload extension header. in the payload extension header.
o When the payload extension header is used, an attacker that can o When the payload extension header is used, an attacker that can
guess the 47-bit random context tag, can inject packets into the guess the 47-bit random context tag, can inject packets into the
context with any source locator. Thus if there is ingress context with any source locator. Thus if there is ingress
filtering between the attacker, this could potentially allow to filtering between the attacker, this could potentially allow to
bypass the ingress filtering. However, in addition to guessing bypass the ingress filtering. However, in addition to guessing
the 47-bit context tag, the attacker also needs to find a context the 47-bit context tag, the attacker also needs to find a context
where, after the receiver's replacement of the locators with the where, after the receiver's replacement of the locators with the
ULIDs, the the ULP checksum is correct. But even this wouldn't be ULIDs, the the ULP checksum is correct. But even this wouldn't be
sufficient with ULPs like TCP, since the TCP port numbers and sufficient with ULPs like TCP, since the TCP port numbers and
sequence numbers must match an existing connection. Thus, even sequence numbers must match an existing connection. Thus, even
though the issues for off-path attackers injecting packets are though the issues for off-path attackers injecting packets are
different than today with ingress filtering, it is still very hard different than today with ingress filtering, it is still very hard
for an off-path attacker to guess. If IPsec is applied then the for an off-path attacker to guess. If IPsec is applied then the
issue goes away completely. issue goes away completely.
o The validator included in the R1 and R1bis packets are generated o The validator included in the R1 and R1bis packets are generated
as a hash of several input parameters. However, most of the as a hash of several input parameters. While most of the inputs
inputs are actually determined by the sender, and only the secret are actually determined by the sender, and only the secret value S
value S is unknown to the sender. However, the resulting is unknown to the sender, the resulting protection is deemed to be
protection is deemed to be enough since it would be easier for the enough since it would be easier for the attacker to just obtain a
attacker to just obtain a new validator sending a I1 packet than new validator sending a I1 packet than performing all the
performing all the computations required to determine the secret computations required to determine the secret S. Nevertheless, it
S. However, it is recommended that the host changes the secret S is recommended that the host changes the secret S periodically.
periodically.
17. IANA Considerations 17. IANA Considerations
IANA is directed to allocate a new IP Protocol Number value for the IANA is directed to allocate a new IP Protocol Number value for the
SHIM6 Protocol. Shim6 Protocol.
IANA is directed to record a CGA message type for the SHIM6 Protocol IANA is directed to record a CGA message type for the Shim6 Protocol
in the [CGA] namespace registry with the value 0x4A30 5662 4858 574B in the [CGA] namespace registry with the value 0x4A30 5662 4858 574B
3655 416F 506A 6D48. 3655 416F 506A 6D48.
IANA is directed to establish a SHIM6 Parameter Registry with two IANA is directed to establish a Shim6 Parameter Registry with three
components: SHIM6 Type registrations and SHIM6 Options registrations. components: Shim6 Type registrations, Shim6 Options registrations
Shim6 Error Code registrations.
The initial contents of the SHIM6 Type registry are as follows: The initial contents of the Shim6 Type registry are as follows:
+------------+-----------------------------------------------------+ +------------+-----------------------------------------------------+
| Type Value | Message | | Type Value | Message |
+------------+-----------------------------------------------------+ +------------+-----------------------------------------------------+
| 0 | RESERVED | | 0 | RESERVED |
| | | | | |
| 1 | I1 (first establishment message from the initiator) | | 1 | I1 (first establishment message from the initiator) |
| | | | | |
| 2 | R1 (first establishment message from the responder) | | 2 | R1 (first establishment message from the responder) |
| | | | | |
skipping to change at page 90, line 4 skipping to change at page 95, line 4
| 65 | Update Acknowledgement | | 65 | Update Acknowledgement |
| | | | | |
| 66 | Keepalive | | 66 | Keepalive |
| | | | | |
| 67 | Probe Message | | 67 | Probe Message |
| | | | | |
| 68-123 | Can be allocated using Standards Action | | 68-123 | Can be allocated using Standards Action |
| | | | | |
| 124-127 | For Experimental use | | 124-127 | For Experimental use |
+------------+-----------------------------------------------------+ +------------+-----------------------------------------------------+
The initial contents of the SHIM6 Options registry are as follows: The initial contents of the Shim6 Options registry are as follows:
+-------------+----------------------------------+ +-------------+----------------------------------+
| Type | Option Name | | Type | Option Name |
+-------------+----------------------------------+ +-------------+----------------------------------+
| 0 | RESERVED | | 0 | RESERVED |
| | | | | |
| 1 | Responder Validator | | 1 | Responder Validator |
| | | | | |
| 2 | Locator List | | 2 | Locator List |
| | | | | |
skipping to change at page 91, line 5 skipping to change at page 95, line 34
| | | | | |
| 8-9 | Allocated using Standards action | | 8-9 | Allocated using Standards action |
| | | | | |
| 10 | Keepalive Timeout Option | | 10 | Keepalive Timeout Option |
| | | | | |
| 11-16383 | Allocated using Standards action | | 11-16383 | Allocated using Standards action |
| | | | | |
| 16384-32767 | For Experimental use | | 16384-32767 | For Experimental use |
+-------------+----------------------------------+ +-------------+----------------------------------+
The initial contents of the Shim6 Error Code registry are as follows:
+------------+--------------------------------------------+
| Code Value | Description |
+------------+--------------------------------------------+
| 0 | Unknown Shim6 message type |
| | |
| 1 | Critical Option not recognized |
| | |
| 2 | Locator verification method failed |
| | |
| 3 | Locator List Generation number out of sync |
| | |
| 4 | Error in the number of locators |
| | |
| 120-127 | Reserved for debugging pruposes |
+------------+--------------------------------------------+
18. Acknowledgements 18. Acknowledgements
Over the years many people active in the multi6 and shim6 WGs have Over the years many people active in the multi6 and shim6 WGs have
contributed ideas a suggestions that are reflected in this contributed ideas a suggestions that are reflected in this
specification. Special thanks to the careful comments from Geoff specification. Special thanks to the careful comments from Geoff
Huston, Shinta Sugimoto, Pekka Savola, Dave Meyer, Deguang Le, Jari Huston, Shinta Sugimoto, Pekka Savola, Dave Meyer, Deguang Le, Jari
Arkko, Iljitsch van Beijnum, Jim Bound, Brian Carpenter, Sebastien Arkko, Iljitsch van Beijnum, Jim Bound, Brian Carpenter, Sebastien
Barre and Tom Henderson on earlier versions of this document. Barre, Matthijs Mekking, Dave Thaler, Bob Braden Wesley Eddy and Tom
Henderson on earlier versions of this document.
Appendix A. Possible Protocol Extensions Appendix A. Possible Protocol Extensions
During the development of this protocol, several issues have been During the development of this protocol, several issues have been
brought up as important one to address, but are ones that do not need brought up as important one to address, but are ones that do not need
to be in the base protocol itself but can instead be done as to be in the base protocol itself but can instead be done as
extensions to the protocol. The key ones are: extensions to the protocol. The key ones are:
o As stated in the assumptions in Section 3, the in order for the o As stated in the assumptions in Section 3, the in order for the
shim6 protocol to be able to recover from a wide range of Shim6 protocol to be able to recover from a wide range of
failures, for instance when one of the communicating hosts is failures, for instance when one of the communicating hosts is
singly-homed, and cope with a site's ISPs that do ingress singly-homed, and cope with a site's ISPs that do ingress
filtering based on the source IPv6 address, there is a need for filtering based on the source IPv6 address, there is a need for
the host to be able to influence the egress selection from its the host to be able to influence the egress selection from its
site. Further discussion of this issue is captured in [21]. site. Further discussion of this issue is captured in [21].
o Is there need for keeping the list of locators private between the o Is there need for keeping the list of locators private between the
two communicating endpoints? We can potentially accomplish that two communicating endpoints? We can potentially accomplish that
when using CGA but not with HBA, but it comes at the cost of doing when using CGA but not with HBA, but it comes at the cost of doing
some public key encryption and decryption operations as part of some public key encryption and decryption operations as part of
the context establishment. The suggestion is to leave this for a the context establishment. The suggestion is to leave this for a
future extension to the protocol. future extension to the protocol.
o Defining some form of end-to-end "compression" mechanism that o Defining some form of end-to-end "compression" mechanism that
removes the need for including the Shim6 Payload extension header removes the need for including the Shim6 Payload extension header
when the locator pair is not the ULID pair. when the locator pair is not the ULID pair.
o Supporting the dynamic setting of locator preferences on a site- o Supporting the dynamic setting of locator preferences on a site-
wide basis, and use the Locator Preference option in the shim6 wide basis, and use the Locator Preference option in the Shim6
protocol to convey these preferences to remote communicating protocol to convey these preferences to remote communicating
hosts. This could mirror the DNS SRV record's notion of priority hosts. This could mirror the DNS SRV record's notion of priority
and weight. and weight.
o Potentially recommend that more application protocols use DNS SRV o Potentially recommend that more application protocols use DNS SRV
records to allow a site some influence on load spreading for the records to allow a site some influence on load spreading for the
initial contact (before the shim6 context establishment) as well initial contact (before the Shim6 context establishment) as well
as for traffic which does not use the shim. as for traffic which does not use the shim.
o Specifying APIs for the ULPs to be aware of the locators the shim o Specifying APIs for the ULPs to be aware of the locators the shim
is using, and be able to influence the choice of locators is using, and be able to influence the choice of locators
(controlling preferences as well as triggering a locator pair (controlling preferences as well as triggering a locator pair
switch). This includes providing APIs the ULPs can use to fork a switch). This includes providing APIs the ULPs can use to fork a
shim context. shim context.
o Whether it is feasible to relax the suggestions for when context o Whether it is feasible to relax the suggestions for when context
state is removed, so that one can end up with an asymmetric state is removed, so that one can end up with an asymmetric
skipping to change at page 93, line 17 skipping to change at page 98, line 17
the client send either a shim control message (e.g., probe message the client send either a shim control message (e.g., probe message
because it sees a problem), or a ULP packet in an payload because it sees a problem), or a ULP packet in an payload
extension header (because it had earlier failed over to an extension header (because it had earlier failed over to an
alternative locator pair, but had been silent for a while). This alternative locator pair, but had been silent for a while). This
seems to provide the benefits of the shim as long as the client seems to provide the benefits of the shim as long as the client
can detect the failure. If the client doesn't send anything, and can detect the failure. If the client doesn't send anything, and
it is the server that tries to send, then it will not be able to it is the server that tries to send, then it will not be able to
recover because the shim on the server has no context state, hence recover because the shim on the server has no context state, hence
doesn't know any alternate locator pairs. doesn't know any alternate locator pairs.
o Study whether a host explicitly fail communication when a ULID o Study what it would take to make the Shim6 control protocol not
becomes invalid (based on RFC 2462 lifetimes or DHCPv6), or should
we let the communication continue using the invalidated ULID (it
can certainly work since other locators will be used).
o Study what it would take to make the shim6 control protocol not
rely at all on a stable source locator in the packets. This can rely at all on a stable source locator in the packets. This can
probably be accomplished by having all the shim control messages probably be accomplished by having all the shim control messages
include the ULID-pair option. include the ULID-pair option.
o If each host might have lots of locators, then the currently o If each host might have lots of locators, then the currently
requirement to include essentially all of them in the I2 and R2 requirement to include essentially all of them in the I2 and R2
messages might be constraining. If this is the case we can look messages might be constraining. If this is the case we can look
into using the CGA Parameter Data Structure for the comparison, into using the CGA Parameter Data Structure for the comparison,
instead of the prefix sets, to be able to detect context instead of the prefix sets, to be able to detect context
confusion. This would place some constraint on a (logical) only confusion. This would place some constraint on a (logical) only
skipping to change at page 93, line 44 skipping to change at page 98, line 39
crafted rules on how two PDSs are compared for "being the same crafted rules on how two PDSs are compared for "being the same
host". But if we don't expect more than a handful locators per host". But if we don't expect more than a handful locators per
host, then we don't need this added complexity. host, then we don't need this added complexity.
o ULP specified timers for the reachability detection mechanism o ULP specified timers for the reachability detection mechanism
(which can be useful particularly when there are forked contexts). (which can be useful particularly when there are forked contexts).
o Pre-verify some "backup" locator pair, so that the failover time o Pre-verify some "backup" locator pair, so that the failover time
can be shorter. can be shorter.
o Study how shim6 and Mobile IPv6 might interact. There existing an o Study how Shim6 and Mobile IPv6 might interact. There existing an
initial draft on this topic [22]. initial draft on this topic [22].
Appendix B. Simplified State Machine Appendix B. Simplified State Machine
The states are defined in Section 6.2. The intent is that the The states are defined in Section 6.2. The intent is that the
stylized description below be consistent with the textual description stylized description below be consistent with the textual description
in the specification, but should they conflict, the textual in the specification, but should they conflict, the textual
description is normative. description is normative.
The following table describes the possible actions in state IDLE and The following table describes the possible actions in state IDLE and
skipping to change at page 101, line 7 skipping to change at page 106, line 7
| R2/Null| +------------------------------------------+ | R2/Null| +------------------------------------------+
| V | | V |
| +-------------------+ | +-------------------+
| | |<-+ (Timeout#<Max)/I2bis | | |<-+ (Timeout#<Max)/I2bis
+-------->| I2bis-SENT | | I1 or I2 or I2bis/R2 +-------->| I2bis-SENT | | I1 or I2 or I2bis/R2
R1bis/I2bis | |--+ R1 or R1bis/Null R1bis/I2bis | |--+ R1 or R1bis/Null
+-------------------+ Payload/I2bis +-------------------+ Payload/I2bis
Appendix C. Context Tag Reuse Appendix C. Context Tag Reuse
The shim6 protocol doesn't have a mechanism for coordinated state The Shim6 protocol doesn't have a mechanism for coordinated state
removal between the peers, because such state removal doesn't seem to removal between the peers, because such state removal doesn't seem to
help given that a host can crash and reboot at any time. A result of help given that a host can crash and reboot at any time. A result of
this is that the protocol needs to be robust against a context tag this is that the protocol needs to be robust against a context tag
being reused for some other context. This section summarizes the being reused for some other context. This section summarizes the
different cases in which a tag can be reused, and how the recovery different cases in which a tag can be reused, and how the recovery
works. works.
The different cases are exemplified by the following case. Assume The different cases are exemplified by the following case. Assume
host A and B were communicating using a context with the ULID pair host A and B were communicating using a context with the ULID pair
<A1, B2>, and that B had assigned context tag X to this context. We <A1, B2>, and that B had assigned context tag X to this context. We
skipping to change at page 103, line 45 skipping to change at page 108, line 45
that want different communication to use different locator pairs, for that want different communication to use different locator pairs, for
instance for quality or cost reasons. instance for quality or cost reasons.
The protocol has a shim which operates with host-level granularity The protocol has a shim which operates with host-level granularity
(strictly speaking, with ULID-pair granularity, to be able to (strictly speaking, with ULID-pair granularity, to be able to
amortize the context establishment over multiple ULP connections. amortize the context establishment over multiple ULP connections.
This is combined with the ability for shim-aware ULPs to request This is combined with the ability for shim-aware ULPs to request
context forking so that different ULP traffic can use different context forking so that different ULP traffic can use different
locator pairs. locator pairs.
Appendix D.2. Demultiplexing of data packets in shim6 communications Appendix D.2. Demultiplexing of data packets in Shim6 communications
Once a ULID-pair context is established between two hosts, packets Once a ULID-pair context is established between two hosts, packets
may carry locators that differ from the ULIDs presented to the ULPs may carry locators that differ from the ULIDs presented to the ULPs
using the established context. One of main functions of the SHIM6 using the established context. One of main functions of the Shim6
layer is to perform the mapping between the locators used to forward layer is to perform the mapping between the locators used to forward
packets through the network and the ULIDs presented to the ULP. In packets through the network and the ULIDs presented to the ULP. In
order to perform that translation for incoming packets, the SHIM6 order to perform that translation for incoming packets, the Shim6
layer needs to first identify which of the incoming packets need to layer needs to first identify which of the incoming packets need to
be translated and then perform the mapping between locators and ULIDs be translated and then perform the mapping between locators and ULIDs
using the associated context. Such operation is called using the associated context. Such operation is called
demultiplexing. It should be noted that because any address can be demultiplexing. It should be noted that because any address can be
used both as a locator and as a ULID, additional information other used both as a locator and as a ULID, additional information other
than the addresses carried in packets, need to be taken into account than the addresses carried in packets, need to be taken into account
for this operation. for this operation.
For example, if a host has address A1 and A2 and starts communicating For example, if a host has address A1 and A2 and starts communicating
with a peer with addresses B1 and B2, then some communication with a peer with addresses B1 and B2, then some communication
(connections) might use the pair <A1, B1> as ULID and others might (connections) might use the pair <A1, B1> as ULID and others might
use e.g., <A2, B2>. Initially there are no failures so these address use e.g., <A2, B2>. Initially there are no failures so these address
pairs are used as locators i.e. in the IP address fields in the pairs are used as locators i.e. in the IP address fields in the
packets on the wire. But when there is a failure the shim6 layer on packets on the wire. But when there is a failure the Shim6 layer on
A might decide to send packets that used <A1, B1> as ULIDs using <A2, A might decide to send packets that used <A1, B1> as ULIDs using <A2,
B2> as the locators. In this case B needs to be able to rewrite the B2> as the locators. In this case B needs to be able to rewrite the
IP address field for some packets and not others, but the packets all IP address field for some packets and not others, but the packets all
have the same locator pair. have the same locator pair.
In order to accomplish the demultiplexing operation successfully, In order to accomplish the demultiplexing operation successfully,
data packets carry a context tag that allows the receiver of the data packets carry a context tag that allows the receiver of the
packet to determine the shim context to be used to perform the packet to determine the shim context to be used to perform the
operation. operation.
Two mechanisms for carrying the context tag information have been Two mechanisms for carrying the context tag information have been
considered in depth during the shim protocol design. Those carrying considered in depth during the shim protocol design. Those carrying
the context tag in the flow label field of the IPv6 header and the the context tag in the flow label field of the IPv6 header and the
usage of a new extension header to carry the context tag. In this usage of a new extension header to carry the context tag. In this
appendix we will describe the pros and cons of each approach and appendix we will describe the pros and cons of each approach and
justify the selected option. justify the selected option.
Appendix D.2.1. Flow-label Appendix D.2.1. Flow-label
A possible approach is to carry the context tag in the Flow Label A possible approach is to carry the context tag in the Flow Label
field of the IPv6 header. This means that when a shim6 context is field of the IPv6 header. This means that when a Shim6 context is
established, a Flow Label value is associated with this context (and established, a Flow Label value is associated with this context (and
perhaps a separate flow label for each direction). perhaps a separate flow label for each direction).
The simplest approach that does this is to have the triple <Flow The simplest approach that does this is to have the triple <Flow
Label, Source Locator, Destination Locator> identify the context at Label, Source Locator, Destination Locator> identify the context at
the receiver. the receiver.
The problem with this approach is that because the locator sets are The problem with this approach is that because the locator sets are
dynamic, it is not possible at any given moment to be sure that two dynamic, it is not possible at any given moment to be sure that two
contexts for which the same context tag is allocated will have contexts for which the same context tag is allocated will have
skipping to change at page 105, line 45 skipping to change at page 110, line 45
of the communication allocates the Flow Label value used for incoming of the communication allocates the Flow Label value used for incoming
packets, in order to assign them uniquely. For this, a shim packets, in order to assign them uniquely. For this, a shim
negotiation of the Flow Label value to use in the communication is negotiation of the Flow Label value to use in the communication is
needed before exchanging data packets. This poses problems with non- needed before exchanging data packets. This poses problems with non-
shim capable hosts, since they would not be able to negotiate an shim capable hosts, since they would not be able to negotiate an
acceptable value for the Flow Label. This limitation can be lifted acceptable value for the Flow Label. This limitation can be lifted
by marking the packets that belong to shim sessions from those that by marking the packets that belong to shim sessions from those that
do not. These marking would require at least a bit in the IPv6 do not. These marking would require at least a bit in the IPv6
header that is not currently available, so more creative options header that is not currently available, so more creative options
would be required, for instance using new Next Header values to would be required, for instance using new Next Header values to
indicate that the packet belongs to a shim6 enabled communication and indicate that the packet belongs to a Shim6 enabled communication and
that the Flow Label carries context information as proposed in the that the Flow Label carries context information as proposed in the
now expired NOID draft. . However, even if this is done, this now expired NOID draft. However, even if this is done, this approach
approach is incompatible with the deferred establishment capability is incompatible with the deferred establishment capability of the
of the shim protocol, which is a preferred function, since it shim protocol, which is a preferred function, since it suppresses the
suppresses the delay due to the shim context establishment prior to delay due to the shim context establishment prior to initiation of
initiation of the communication and it also allows nodes to define at the communication and it also allows nodes to define at which stage
which stage of the communication they decide, based on their own of the communication they decide, based on their own policies, that a
policies, that a given communication requires to be protected by the given communication requires to be protected by the shim.
shim.
In order to cope with the identified limitations, an alternative In order to cope with the identified limitations, an alternative
approach that does not constraints the flow label values used by approach that does not constraints the flow label values used by
communications that are using ULIDs equal to the locators (i.e. no communications that are using ULIDs equal to the locators (i.e. no
shim translation) is to only require that different flow label values shim translation) is to only require that different flow label values
are assigned to different shim contexts. In such approach are assigned to different shim contexts. In such approach
communications start with unmodified flow label usage (could be zero, communications start with unmodified flow label usage (could be zero,
or as suggested in [17]). The packets sent after a failure when a or as suggested in [17]). The packets sent after a failure when a
different locator pair is used would use a completely different flow different locator pair is used would use a completely different flow
label, and this flow label could be allocated by the receiver as part label, and this flow label could be allocated by the receiver as part
skipping to change at page 107, line 5 skipping to change at page 112, line 4
the shim, but also because Context Loss detection mechanisms greatly the shim, but also because Context Loss detection mechanisms greatly
benefit from the fact that shim data packets are identified as such, benefit from the fact that shim data packets are identified as such,
allowing the receiving end to identify if a shim context associated allowing the receiving end to identify if a shim context associated
to a received packet is suppose to exist, as it will be discussed in to a received packet is suppose to exist, as it will be discussed in
the Context Loss detection appendix below. the Context Loss detection appendix below.
Appendix D.2.2. Extension Header Appendix D.2.2. Extension Header
Another approach, which is the one selected for this protocol, is to Another approach, which is the one selected for this protocol, is to
carry the context tag in a new Extension Header. These context tags carry the context tag in a new Extension Header. These context tags
are allocated by the receiving end during the shim6 protocol initial are allocated by the receiving end during the Shim6 protocol initial
negotiation, implying that each context will have two context tags, negotiation, implying that each context will have two context tags,
one for each direction. Data packets will be demultiplexed using the one for each direction. Data packets will be demultiplexed using the
context tag carried in the Extension Header. This seems a clean context tag carried in the Extension Header. This seems a clean
approach since it does not overload existing fields. However, it approach since it does not overload existing fields. However, it
introduces additional overhead in the packet due to the additional introduces additional overhead in the packet due to the additional
header. The additional overhead introduced is 8 octets. However, it header. The additional overhead introduced is 8 octets. However, it
should be noted that the context tag is only required when a locator should be noted that the context tag is only required when a locator
other than the one used as ULID is contained in the packet. Packets other than the one used as ULID is contained in the packet. Packets
where both the source and destination address fields contain the where both the source and destination address fields contain the
ULIDs do not require a context tag, since no rewriting is necessary ULIDs do not require a context tag, since no rewriting is necessary
skipping to change at page 107, line 34 skipping to change at page 112, line 33
Appendix D.3. Context Loss Detection Appendix D.3. Context Loss Detection
In this appendix we will present different approaches considered to In this appendix we will present different approaches considered to
detect context loss and potential context recovery strategies. The detect context loss and potential context recovery strategies. The
scenario being considered is the following: Node A and Node B are scenario being considered is the following: Node A and Node B are
communicating using IPA1 and IPB1. Sometime later, a shim context is communicating using IPA1 and IPB1. Sometime later, a shim context is
established between them, with IPA1 and IPB1 as ULIDs and established between them, with IPA1 and IPB1 as ULIDs and
IPA1,...,IPAn and IPB1,...,IPBm as locator set respectively. IPA1,...,IPAn and IPB1,...,IPBm as locator set respectively.
It may happen, that later on, one of the hosts, e.g. Host A looses It may happen, that later on, one of the hosts, e.g. Host A loses
the shim context. The reason for this can be that Host A has a more the shim context. The reason for this can be that Host A has a more
aggressive garbage collection policy than HostB or that an error aggressive garbage collection policy than HostB or that an error
occurred in the shim layer at host A resulting in the loss of the occurred in the shim layer at host A resulting in the loss of the
context state. context state.
The mechanisms considered in this appendix are aimed to deal with The mechanisms considered in this appendix are aimed to deal with
this problem. There are essentially two tasks that need to be this problem. There are essentially two tasks that need to be
performed in order to cope with this problem: first, the context loss performed in order to cope with this problem: first, the context loss
must be detected and second the context needs to be recovered/ must be detected and second the context needs to be recovered/
reestablished. reestablished.
Mechanisms for detecting context. loss Mechanisms for detecting context loss.
These mechanisms basically consist in that each end of the context These mechanisms basically consist in that each end of the context
periodically sends a packet containing context-specific information periodically sends a packet containing context-specific information
to the other end. Upon reception of such packets, the receiver to the other end. Upon reception of such packets, the receiver
verifies that the required context exists. In case that the context verifies that the required context exists. In case that the context
does not exist, it sends a packet notifying the problem to the does not exist, it sends a packet notifying the problem to the
sender. sender.
An obvious alternative for this would be to create a specific context An obvious alternative for this would be to create a specific context
keepalive exchange, which consists in periodically sending packets keepalive exchange, which consists in periodically sending packets
skipping to change at page 115, line 5 skipping to change at page 120, line 5
could be interpreted by A as belonging to context 2 (if no proper could be interpreted by A as belonging to context 2 (if no proper
care is taken). Again we are in a context confusion situation. care is taken). Again we are in a context confusion situation.
One could think that using a coordinated approach would eliminate One could think that using a coordinated approach would eliminate
these context confusion situations, making the protocol much simpler. these context confusion situations, making the protocol much simpler.
However, this is not the case, because even in the case of a However, this is not the case, because even in the case of a
coordinated approach using a CLOSE/CLOSE ACK exchange, there is still coordinated approach using a CLOSE/CLOSE ACK exchange, there is still
the possibility of a host rebooting without having the time to the possibility of a host rebooting without having the time to
perform the CLOSE exchange. So, it is true that the coordinated perform the CLOSE exchange. So, it is true that the coordinated
approach eliminates the possibility of a context confusion situation approach eliminates the possibility of a context confusion situation
because premature garbage collection, but it does not prevents the because premature garbage collection, but it does not prevent the
same situations due to a crash and reboot of one of the involved same situations due to a crash and reboot of one of the involved
hosts. The result is that even if we went for a coordinated hosts. The result is that even if we went for a coordinated
approach, we would still need to deal with context confusion and approach, we would still need to deal with context confusion and
provide the means to detect and recover from this situations. provide the means to detect and recover from this situations.
Appendix E. Change Log Appendix E. Change Log
[RFC Editor: please remove this section] [RFC Editor: please remove this section]
The following changes have been made since draft-ietf-shim6-proto-07:
o New Error Message format added in the Format section
o Added new registry for Error codes in the IANA considerations
section
o Changed the Format section so a Shim6 error message is sent back
when a crtical option is not recognized (instead of an ICMP error
message)
o Changed the ULID estbalishment section so that a Shim6 error
message is sent back when the locator verification is not
recgnized or not consistent with the current CGA PDS
o Changed the Locator Update section so that Shim6 error messages
are sent instead of ICMP error messages
o Changed the receiving packet section so that Shim6 error messages
are generated instead of ICMP error messages
o added new section about middle box consideration in the
implication elsewhere section
o added text for allowing strcuture in context tag name space, while
still randomly cycling though part of the tag name space
o changed the name of TEMPORARY flag for the TRANSIENT flag
o clarified option length calculation
o Editorial commnets from Iljitsch review
o added new sub-section in the introduction about congestion
notification to upper layer and include a reference to
I-D.schuetz-tcpm-tcp-rlci
o added reccomendation to keep the shim6 message length below 1280
bytes
o added the init nonce in the description of the verification of the
validator when receiving I2 messages
o removed FII and ULID in the verification of the validator when
receiving I2BIS meesages, and added receiver context tag.
o Clarified section about retransmision of I2 and I2bis messages, in
case that the initiator decides not to retransmit I2/I2bis
messages and retransmits I1 message
o Clarified the effect of packets associated with a context but
without the shim6 header when considering tearing down a context
o Added new section in section 12 about how to process packets
associated with a context that do not carry the shim6 ext header
o Added respon der validator as information stored in I2-SENT and
Responder validator, init nonce and RESP nonce as information
available in I2BISSENT
o Added Init Nonce, Responder Nonce, and Responder validator as
information available for a shim6 context in the conceptual model
during establishment phase.
o Clarified how the Responder Validator is calculated based on a
running counter that is independent of any received message
o Editorial corrections resulting from Dave Thaler and Bob Braden
reviews.
The following changes have been made since draft-ietf-shim6-proto-06: The following changes have been made since draft-ietf-shim6-proto-06:
o Changed wording in the renumberin considerations section, so that o Changed wording in the renumberin considerations section, so that
a shim6 context using a ULID that has been renumbered, MUST be a shim6 context using a ULID that has been renumbered, MUST be
discarded discarded
o Included text in the security considerations about IPSec BITW and o Included text in the security considerations about IPSec BITW and
IPSec tunnels. IPSec tunnels.
o Added text about the minimum key length of CGA in the security o Added text about the minimum key length of CGA in the security
considerations section considerations section
o fixed Payload/update message processing o fixed Payload/update message processing
o synchonized with READ draft o synchonized with READ draft
The following changes have been made since draft-ietf-shim6-proto-05: The following changes have been made since draft-ietf-shim6-proto-05:
o Removed the possibility to keep on uding the ULID after a o Removed the possibility to keep on using the ULID after a
renumbering event renumbering event
o Editorial corrections resulting from Dave Meyer's and Jim Bound's o Editorial corrections resulting from Dave Meyer's and Jim Bound's
reviews. reviews.
The following changes have been made since draft-ietf-shim6-proto-04: The following changes have been made since draft-ietf-shim6-proto-04:
o Defined I1_RETRIES_MAX as 4. o Defined I1_RETRIES_MAX as 4.
o Added text in section 7.9 clarifying the no per context state is o Added text in section 7.9 clarifying the no per context state is
stored at the receiver in order to reply an I1 message. stored at the receiver in order to reply an I1 message.
skipping to change at page 118, line 50 skipping to change at page 125, line 24
o Modified the dispatching of payload extension header to only o Modified the dispatching of payload extension header to only
compare CT(local) i.e., not compare the source and destination compare CT(local) i.e., not compare the source and destination
IPv6 address fields. IPv6 address fields.
The following changes have been made since draft-ietf-shim6-proto-00: The following changes have been made since draft-ietf-shim6-proto-00:
o Removed the use of the flow label and the overloading of the IP o Removed the use of the flow label and the overloading of the IP
protocol numbers. Instead, when the locator pair is not the ULID protocol numbers. Instead, when the locator pair is not the ULID
pair, the ULP payloads will be carried with an 8 octet extension pair, the ULP payloads will be carried with an 8 octet extension
header. The belief is that it is possible to remove these extra header. The belief is that it is possible to remove these extra
bytes by defining future shim6 extensions that exchange more bytes by defining future Shim6 extensions that exchange more
information between the hosts, without having to overload the flow information between the hosts, without having to overload the flow
label or the IP protocol numbers. label or the IP protocol numbers.
o Grew the context tag from 20 bits to 32 bits, with the possibility o Grew the context tag from 20 bits to 32 bits, with the possibility
to grow it to 47 bits. This implies changes to the message to grow it to 47 bits. This implies changes to the message
formats. formats.
o Almost by accident, the new shim6 message format is very close to o Almost by accident, the new Shim6 message format is very close to
the HIP message format. the HIP message format.
o Adopted the HIP format for the options, since this makes it easier o Adopted the HIP format for the options, since this makes it easier
to describe variable length options. The original, ND-style, to describe variable length options. The original, ND-style,
option format requires internal padding in the options to make option format requires internal padding in the options to make
them 8 octet length in total, while the HIP format handles that them 8 octet length in total, while the HIP format handles that
using the option length field. using the option length field.
o Removed some of the control messages, and renamed the other ones. o Removed some of the control messages, and renamed the other ones.
skipping to change at page 120, line 36 skipping to change at page 127, line 36
RFC 3972, March 2005. RFC 3972, March 2005.
[7] Kent, S. and K. Seo, "Security Architecture for the Internet [7] Kent, S. and K. Seo, "Security Architecture for the Internet
Protocol", RFC 4301, December 2005. Protocol", RFC 4301, December 2005.
[8] Bagnulo, M., "Hash Based Addresses (HBA)", [8] Bagnulo, M., "Hash Based Addresses (HBA)",
draft-ietf-shim6-hba-02 (work in progress), October 2006. draft-ietf-shim6-hba-02 (work in progress), October 2006.
[9] Arkko, J. and I. Beijnum, "Failure Detection and Locator Pair [9] Arkko, J. and I. Beijnum, "Failure Detection and Locator Pair
Exploration Protocol for IPv6 Multihoming", Exploration Protocol for IPv6 Multihoming",
draft-ietf-shim6-failure-detection-06 (work in progress), draft-ietf-shim6-failure-detection-07 (work in progress),
September 2006. December 2006.
19.2. Informative References 19.2. Informative References
[10] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for [10] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782, specifying the location of services (DNS SRV)", RFC 2782,
February 2000. February 2000.
[11] Ferguson, P. and D. Senie, "Network Ingress Filtering: [11] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000. Address Spoofing", BCP 38, RFC 2827, May 2000.
skipping to change at page 121, line 48 skipping to change at page 128, line 48
[24] Bagnulo, M. and J. Abley, "Applicability Statement for the [24] Bagnulo, M. and J. Abley, "Applicability Statement for the
Level 3 Multihoming Shim Protocol (Shim6)", Level 3 Multihoming Shim Protocol (Shim6)",
draft-ietf-shim6-applicability-02 (work in progress), draft-ietf-shim6-applicability-02 (work in progress),
October 2006. October 2006.
[25] Huston, G., "Architectural Commentary on Site Multi-homing [25] Huston, G., "Architectural Commentary on Site Multi-homing
using a Level 3 Shim", draft-ietf-shim6-arch-00 (work in using a Level 3 Shim", draft-ietf-shim6-arch-00 (work in
progress), July 2005. progress), July 2005.
[26] Moskowitz, R., "Host Identity Protocol", draft-ietf-hip-base-06 [26] Moskowitz, R., "Host Identity Protocol", draft-ietf-hip-base-07
(work in progress), June 2006. (work in progress), February 2007.
[27] Eronen, P., "IKEv2 Mobility and Multihoming Protocol (MOBIKE)", [27] Eronen, P., "IKEv2 Mobility and Multihoming Protocol (MOBIKE)",
draft-ietf-mobike-protocol-08 (work in progress), draft-ietf-mobike-protocol-08 (work in progress),
February 2006. February 2006.
[28] Schuetz, S., "TCP Response to Lower-Layer Connectivity-Change
Indications", draft-schuetz-tcpm-tcp-rlci-01 (work in
progress), March 2007.
Authors' Addresses Authors' Addresses
Erik Nordmark Erik Nordmark
Sun Microsystems Sun Microsystems
17 Network Circle 17 Network Circle
Menlo Park, CA 94025 Menlo Park, CA 94025
USA USA
Phone: +1 650 786 2921 Phone: +1 650 786 2921
Email: erik.nordmark@sun.com Email: erik.nordmark@sun.com
skipping to change at page 124, line 5 skipping to change at page 131, line 5
Marcelo Bagnulo Marcelo Bagnulo
Universidad Carlos III de Madrid Universidad Carlos III de Madrid
Av. Universidad 30 Av. Universidad 30
Leganes, Madrid 28911 Leganes, Madrid 28911
SPAIN SPAIN
Phone: +34 91 6248814 Phone: +34 91 6248814
Email: marcelo@it.uc3m.es Email: marcelo@it.uc3m.es
URI: http://www.it.uc3m.es URI: http://www.it.uc3m.es
Intellectual Property Statement Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79. found in BCP 78 and BCP 79.
skipping to change at page 124, line 29 skipping to change at page 131, line 45
such proprietary rights by implementers or users of this such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr. http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at this standard. Please address the information to the IETF at
ietf-ipr@ietf.org. ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is provided by the IETF
Internet Society. Administrative Support Activity (IASA).
 End of changes. 243 change blocks. 
463 lines changed or deleted 755 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/