draft-ietf-shim6-proto-12.txt   rfc5533.txt 
SHIM6 WG E. Nordmark Network Working Group E. Nordmark
Internet-Draft Sun Microsystems Request for Comments: 5533 Sun Microsystems
Intended status: Standards Track M. Bagnulo Category: Standards Track M. Bagnulo
Expires: August 10, 2009 UC3M UC3M
February 6, 2009
Shim6: Level 3 Multihoming Shim Protocol for IPv6 Shim6: Level 3 Multihoming Shim Protocol for IPv6
draft-ietf-shim6-proto-12.txt
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at Status of This Memo
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on August 10, 2009. This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents in effect on the date of
(http://trustee.ietf.org/license-info) in effect on the date of publication of this document (http://trustee.ietf.org/license-info).
publication of this document. Please review these documents Please review these documents carefully, as they describe your rights
carefully, as they describe your rights and restrictions with respect and restrictions with respect to this document.
to this document.
Abstract Abstract
This document defines the Shim6 protocol, a layer 3 shim for This document defines the Shim6 protocol, a layer 3 shim for
providing locator agility below the transport protocols, so that providing locator agility below the transport protocols, so that
multihoming can be provided for IPv6 with failover and load sharing multihoming can be provided for IPv6 with failover and load-sharing
properties, without assuming that a multihomed site will have a properties, without assuming that a multihomed site will have a
provider independent IPv6 address prefix which is announced in the provider-independent IPv6 address prefix announced in the global IPv6
global IPv6 routing table. The hosts in a site which has multiple routing table. The hosts in a site that has multiple provider-
provider allocated IPv6 address prefixes, will use the Shim6 protocol allocated IPv6 address prefixes will use the Shim6 protocol specified
specified in this document to setup state with peer hosts, so that in this document to set up state with peer hosts so that the state
the state can later be used to failover to a different locator pair, can later be used to failover to a different locator pair, should the
should the original one stop working. original one stop working.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction ....................................................4
1.1. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.1. Goals ......................................................5
1.2. Non-Goals . . . . . . . . . . . . . . . . . . . . . . . . 6 1.2. Non-Goals ..................................................5
1.3. Locators as Upper-layer IDentifiers (ULID) . . . . . . . 6 1.3. Locators as Upper-Layer Identifiers (ULID) .................6
1.4. IP Multicast . . . . . . . . . . . . . . . . . . . . . . 7 1.4. IP Multicast ...............................................7
1.5. Renumbering Implications . . . . . . . . . . . . . . . . 8 1.5. Renumbering Implications ...................................8
1.6. Placement of the shim . . . . . . . . . . . . . . . . . . 9 1.6. Placement of the Shim ......................................9
1.7. Traffic Engineering . . . . . . . . . . . . . . . . . . . 11 1.7. Traffic Engineering .......................................11
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 13 2. Terminology ....................................................12
2.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 13 2.1. Definitions ...............................................12
2.2. Notational Conventions . . . . . . . . . . . . . . . . . 16 2.2. Notational Conventions ....................................15
2.3. Conceptual . . . . . . . . . . . . . . . . . . . . . . . 16 2.3. Conceptual ................................................15
3. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 17 3. Assumptions ....................................................15
4. Protocol Overview . . . . . . . . . . . . . . . . . . . . . . 19 4. Protocol Overview ..............................................17
4.1. Context Tags . . . . . . . . . . . . . . . . . . . . . . 21 4.1. Context Tags ..............................................19
4.2. Context Forking . . . . . . . . . . . . . . . . . . . . . 21 4.2. Context Forking ...........................................19
4.3. API Extensions . . . . . . . . . . . . . . . . . . . . . 22 4.3. API Extensions ............................................20
4.4. Securing Shim6 . . . . . . . . . . . . . . . . . . . . . 22 4.4. Securing Shim6 ............................................20
4.5. Overview of Shim Control Messages . . . . . . . . . . . . 23 4.5. Overview of Shim Control Messages .........................21
4.6. Extension Header Order . . . . . . . . . . . . . . . . . 24 4.6. Extension Header Order ....................................22
5. Message Formats . . . . . . . . . . . . . . . . . . . . . . . 26 5. Message Formats ................................................23
5.1. Common Shim6 Message Format . . . . . . . . . . . . . . . 26 5.1. Common Shim6 Message Format ...............................23
5.2. Payload Extension Header Format . . . . . . . . . . . . . 27 5.2. Shim6 Payload Extension Header Format .....................24
5.3. Common Shim6 Control header . . . . . . . . . . . . . . . 27 5.3. Common Shim6 Control Header ...............................25
5.4. I1 Message Format . . . . . . . . . . . . . . . . . . . . 29 5.4. I1 Message Format .........................................26
5.5. R1 Message Format . . . . . . . . . . . . . . . . . . . . 30 5.5. R1 Message Format .........................................28
5.6. I2 Message Format . . . . . . . . . . . . . . . . . . . . 32 5.6. I2 Message Format .........................................29
5.7. R2 Message Format . . . . . . . . . . . . . . . . . . . . 34 5.7. R2 Message Format .........................................31
5.8. R1bis Message Format . . . . . . . . . . . . . . . . . . 35 5.8. R1bis Message Format ......................................33
5.9. I2bis Message Format . . . . . . . . . . . . . . . . . . 37 5.9. I2bis Message Format ......................................34
5.10. Update Request Message Format . . . . . . . . . . . . . . 39 5.10. Update Request Message Format ............................37
5.11. Update Acknowledgement Message Format . . . . . . . . . . 40 5.11. Update Acknowledgement Message Format ....................38
5.12. Keepalive Message Format . . . . . . . . . . . . . . . . 41 5.12. Keepalive Message Format .................................40
5.13. Probe Message Format . . . . . . . . . . . . . . . . . . 42 5.13. Probe Message Format .....................................40
5.14. Error Message Format . . . . . . . . . . . . . . . . . . 42 5.14. Error Message Format .....................................40
5.15. Option Formats . . . . . . . . . . . . . . . . . . . . . 43 5.15. Option Formats ...........................................42
5.15.1. Responder Validator Option Format . . . . . . . . . 46 5.15.1. Responder Validator Option Format .................44
5.15.2. Locator List Option Format . . . . . . . . . . . . . 46 5.15.2. Locator List Option Format ........................44
5.15.3. Locator Preferences Option Format . . . . . . . . . 48 5.15.3. Locator Preferences Option Format .................46
5.15.4. CGA Parameter Data Structure Option Format . . . . . 50 5.15.4. CGA Parameter Data Structure Option Format ........48
5.15.5. CGA Signature Option Format . . . . . . . . . . . . 50 5.15.5. CGA Signature Option Format .......................49
5.15.6. ULID Pair Option Format . . . . . . . . . . . . . . 51 5.15.6. ULID Pair Option Format ...........................49
5.15.7. Forked Instance Identifier Option Format . . . . . . 52 5.15.7. Forked Instance Identifier Option Format ..........50
5.15.8. Keepalive Timeout Option Format . . . . . . . . . . 52 5.15.8. Keepalive Timeout Option Format ...................50
6. Conceptual Model of a Host . . . . . . . . . . . . . . . . . 53 6. Conceptual Model of a Host .....................................51
6.1. Conceptual Data Structures . . . . . . . . . . . . . . . 53 6.1. Conceptual Data Structures ................................51
6.2. Context STATES . . . . . . . . . . . . . . . . . . . . . 55 6.2. Context STATES ............................................52
7. Establishing ULID-Pair Contexts . . . . . . . . . . . . . . . 57 7. Establishing ULID-Pair Contexts ................................54
7.1. Uniqueness of Context Tags . . . . . . . . . . . . . . . 57 7.1. Uniqueness of Context Tags ................................54
7.2. Locator Verification . . . . . . . . . . . . . . . . . . 57 7.2. Locator Verification ......................................55
7.3. Normal context establishment . . . . . . . . . . . . . . 58 7.3. Normal Context Establishment ..............................56
7.4. Concurrent context establishment . . . . . . . . . . . . 58 7.4. Concurrent Context Establishment ..........................56
7.5. Context recovery . . . . . . . . . . . . . . . . . . . . 60 7.5. Context Recovery ..........................................58
7.6. Context confusion . . . . . . . . . . . . . . . . . . . . 62 7.6. Context Confusion .........................................60
7.7. Sending I1 messages . . . . . . . . . . . . . . . . . . . 63 7.7. Sending I1 Messages .......................................61
7.8. Retransmitting I1 messages . . . . . . . . . . . . . . . 64 7.8. Retransmitting I1 Messages ................................62
7.9. Receiving I1 messages . . . . . . . . . . . . . . . . . . 64 7.9. Receiving I1 Messages .....................................62
7.10. Sending R1 messages . . . . . . . . . . . . . . . . . . . 65 7.10. Sending R1 Messages ......................................63
7.10.1. Generating the R1 Validator . . . . . . . . . . . . 66 7.10.1. Generating the R1 Validator .......................64
7.11. Receiving R1 messages and sending I2 messages . . . . . . 66 7.11. Receiving R1 Messages and Sending I2 Messages ............64
7.12. Retransmitting I2 messages . . . . . . . . . . . . . . . 67 7.12. Retransmitting I2 Messages ...............................65
7.13. Receiving I2 messages . . . . . . . . . . . . . . . . . . 68 7.13. Receiving I2 Messages ....................................66
7.14. Sending R2 messages . . . . . . . . . . . . . . . . . . . 69 7.14. Sending R2 Messages ......................................67
7.15. Match for Context Confusion . . . . . . . . . . . . . . . 70 7.15. Match for Context Confusion ..............................68
7.16. Receiving R2 messages . . . . . . . . . . . . . . . . . . 70 7.16. Receiving R2 Messages ....................................69
7.17. Sending R1bis messages . . . . . . . . . . . . . . . . . 71 7.17. Sending R1bis Messages ...................................69
7.17.1. Generating the R1bis Validator . . . . . . . . . . . 72 7.17.1. Generating the R1bis Validator ....................70
7.18. Receiving R1bis messages and sending I2bis messages . . . 72 7.18. Receiving R1bis Messages and Sending I2bis Messages ......71
7.19. Retransmitting I2bis messages . . . . . . . . . . . . . . 73 7.19. Retransmitting I2bis Messages ............................72
7.20. Receiving I2bis messages and sending R2 messages . . . . 74 7.20. Receiving I2bis Messages and Sending R2 Messages .........72
8. Handling ICMP Error Messages . . . . . . . . . . . . . . . . 76 8. Handling ICMP Error Messages ...................................74
9. Teardown of the ULID-Pair Context . . . . . . . . . . . . . . 79 9. Teardown of the ULID-Pair Context ..............................76
10. Updating the Peer . . . . . . . . . . . . . . . . . . . . . . 80 10. Updating the Peer .............................................77
10.1. Sending Update Request messages . . . . . . . . . . . . . 80 10.1. Sending Update Request Messages ..........................77
10.2. Retransmitting Update Request messages . . . . . . . . . 80 10.2. Retransmitting Update Request Messages ...................78
10.3. Newer Information While Retransmitting . . . . . . . . . 81 10.3. Newer Information while Retransmitting ...................78
10.4. Receiving Update Request messages . . . . . . . . . . . . 81 10.4. Receiving Update Request Messages ........................79
10.5. Receiving Update Acknowledgement messages . . . . . . . . 83 10.5. Receiving Update Acknowledgement Messages ................81
11. Sending ULP Payloads . . . . . . . . . . . . . . . . . . . . 85 11. Sending ULP Payloads ..........................................81
11.1. Sending ULP Payload after a Switch . . . . . . . . . . . 85 11.1. Sending ULP Payload after a Switch .......................82
12. Receiving Packets . . . . . . . . . . . . . . . . . . . . . . 87 12. Receiving Packets .............................................83
12.1. Receiving payload without extension headers . . . . . . . 87 12.1. Receiving Payload without Extension Headers ..............83
12.2. Receiving Payload Extension Headers . . . . . . . . . . . 87 12.2. Receiving Shim6 Payload Extension Headers ................83
12.3. Receiving Shim Control messages . . . . . . . . . . . . . 88 12.3. Receiving Shim Control Messages ..........................84
12.4. Context Lookup . . . . . . . . . . . . . . . . . . . . . 88 12.4. Context Lookup ...........................................84
13. Initial Contact . . . . . . . . . . . . . . . . . . . . . . . 91 13. Initial Contact ...............................................86
14. Protocol constants . . . . . . . . . . . . . . . . . . . . . 92 14. Protocol Constants ............................................87
15. Implications Elsewhere . . . . . . . . . . . . . . . . . . . 93 15. Implications Elsewhere ........................................88
15.1. Congestion Control Considerations . . . . . . . . . . . . 93 15.1. Congestion Control Considerations ........................88
15.2. Middle-boxes considerations . . . . . . . . . . . . . . . 93 15.2. Middle-Boxes Considerations ..............................88
15.3. Operation and Management Considerations . . . . . . . . . 94 15.3. Operation and Management Considerations ..................89
15.4. Other considerations . . . . . . . . . . . . . . . . . . 95 15.4. Other Considerations .....................................90
16. Security Considerations . . . . . . . . . . . . . . . . . . . 97 16. Security Considerations .......................................91
16.1. Interaction with IPSec . . . . . . . . . . . . . . . . . 98 16.1. Interaction with IPSec ...................................93
16.2. Residual Threats . . . . . . . . . . . . . . . . . . . . 99 16.2. Residual Threats .........................................94
17. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 101 17. IANA Considerations ...........................................95
18. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 103 18. Acknowledgements ..............................................97
19. Appendix: Possible Protocol Extensions . . . . . . . . . . . 104 19. References ....................................................97
20. Appendix: Simplified STATE Machine . . . . . . . . . . . . . 106 19.1. Normative References .....................................97
20.1. Simplified STATE Machine diagram . . . . . . . . . . . . 111 19.2. Informative References ...................................97
21. Appendix: Context Tag Reuse . . . . . . . . . . . . . . . . . 113 Appendix A. Possible Protocol Extensions ........................100
21.1. Context Recovery . . . . . . . . . . . . . . . . . . . . 113 Appendix B. Simplified STATE Machine ............................101
21.2. Context Confusion . . . . . . . . . . . . . . . . . . . . 113 B.1. Simplified STATE Machine Diagram ........................108
21.3. Three Party Context Confusion . . . . . . . . . . . . . . 114 Appendix C. Context Tag Reuse ...................................109
21.4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 114 C.1. Context Recovery ........................................109
22. Appendix: Design Alternatives . . . . . . . . . . . . . . . . 115 C.2. Context Confusion .......................................109
22.1. Context granularity . . . . . . . . . . . . . . . . . . . 115 C.3. Three-Party Context Confusion .........................110
22.2. Demultiplexing of data packets in Shim6 communications . 115 C.4. Summary .................................................110
22.2.1. Flow-label . . . . . . . . . . . . . . . . . . . . . 116 Appendix D. Design Alternatives .................................111
22.2.2. Extension Header . . . . . . . . . . . . . . . . . . 118 D.1. Context Granularity .....................................111
22.3. Context Loss Detection . . . . . . . . . . . . . . . . . 119 D.2. Demultiplexing of Data Packets in Shim6 Communications ..111
22.4. Securing locator sets . . . . . . . . . . . . . . . . . . 121 D.2.1. Flow Label .........................................112
22.5. ULID-pair context establishment exchange . . . . . . . . 124 D.2.2. Extension Header ...................................115
22.6. Updating locator sets . . . . . . . . . . . . . . . . . . 125 D.3. Context-Loss Detection ................................115
22.7. State Cleanup . . . . . . . . . . . . . . . . . . . . . . 125 D.4. Securing Locator Sets ...................................117
23. Appendix: Change Log . . . . . . . . . . . . . . . . . . . . 128 D.5. ULID-Pair Context-Establishment Exchange ............120
24. References . . . . . . . . . . . . . . . . . . . . . . . . . 135 D.6. Updating Locator Sets ...................................121
24.1. Normative References . . . . . . . . . . . . . . . . . . 135 D.7. State Cleanup ...........................................122
24.2. Informative References . . . . . . . . . . . . . . . . . 135
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 137
1. Introduction 1. Introduction
This document describes a layer 3 shim approach and protocol for This document describes a layer 3 shim approach and protocol for
providing locator agility below the transport protocols, so that providing locator agility below the transport protocols, so that
multihoming can be provided for IPv6 with failover and load sharing multihoming can be provided for IPv6 with failover and load-sharing
properties [10], without assuming that a multihomed site will have a properties [11], without assuming that a multihomed site will have a
provider independent IPv6 address which is announced in the global provider-independent IPv6 address announced in the global IPv6
IPv6 routing table. The hosts in a site which has multiple provider routing table. The hosts in a site that has multiple provider-
allocated IPv6 address prefixes, will use the Shim6 protocol allocated IPv6 address prefixes will use the Shim6 protocol specified
specified in this document to setup state with peer hosts, so that in this document to set up state with peer hosts so that the state
the state can later be used to failover to a different locator pair, can later be used to failover to a different locator pair, should the
should the original one stop working (the term locator is defined in original one stop working (the term locator is defined in Section 2).
Section 2).
The Shim6 protocol is a site multihoming solution in the sense that The Shim6 protocol is a site-multihoming solution in the sense that
it allows existing communication to continue when a site that has it allows existing communication to continue when a site that has
multiple connections to the internet experiences an outage on a multiple connections to the Internet experiences an outage on a
subset of these connections or further upstream. However, Shim6 subset of these connections or further upstream. However, Shim6
processing is performed in individual hosts rather than through site- processing is performed in individual hosts rather than through site-
wide mechanisms. wide mechanisms.
We assume that redirection attacks are prevented using Hash Based We assume that redirection attacks are prevented using Hash-Based
Addresses (HBA) as defined in [3]. Addresses (HBA) as defined in [3].
The reachability and failure detection mechanisms, including how a The reachability and failure-detection mechanisms, including how a
new working locator pair is discovered after a failure, are specified new working locator pair is discovered after a failure, are specified
in a separate document [4]. This document allocates message types in RFC 5534 [4]. This document allocates message types and option
and option types for that sub-protocol, and leaves the specification types for that sub-protocol, and leaves the specification of the
of the message and option formats as well as the protocol behavior to message and option formats, as well as the protocol behavior, to RFC
that document. 5534.
1.1. Goals 1.1. Goals
The goals for this approach are to: The goals for this approach are to:
o Preserve established communications in the presence of certain o Preserve established communications in the presence of certain
classes of failures, for example, TCP connections and UDP streams. classes of failures, for example, TCP connections and UDP streams.
o Have minimal impact on upper layer protocols in general and on o Have minimal impact on upper-layer protocols in general and on
transport protocols and applications in particular. transport protocols and applications in particular.
o Address the security threats in [14] through the combination of o Address the security threats in [15] through a combination of the
the HBA/CGA approach specified in a separate document [3] and HBA/CGA approach specified in RFC 5535 [3] and the techniques
techniques described in this document. described in this document.
o Not require extra roundtrip up front to setup shim specific state. o Not require an extra roundtrip up front to set up shim-specific
Instead allow the upper layer traffic (e.g., TCP) to flow as state. Instead, allow the upper-layer traffic (e.g., TCP) to flow
normal and defer the setup of the shim state until some number of as normal and defer the set up of the shim state until some number
packets have been exchanged. of packets have been exchanged.
o Take advantage of multiple locators/addresses for load spreading o Take advantage of multiple locators/addresses for load spreading
so that different sets of communication to a host (e.g., different so that different sets of communication to a host (e.g., different
connections) might use different locators of the host. Note that connections) might use different locators of the host. Note that
this might cause load to be spread unevenly, thus we use the term this might cause load to be spread unevenly; thus, we use the term
"load spreading" instead of "load balancing". This capability "load spreading" instead of "load balancing". This capability
might enable some forms of traffic engineering, but the details might enable some forms of traffic engineering, but the details
for traffic engineering, including what requirements can be for traffic engineering, including what requirements can be
satisfied, are not specified in this document, and form part of a satisfied, are not specified in this document, and form part of
potential extensions to this protocol. potential extensions to this protocol.
1.2. Non-Goals 1.2. Non-Goals
The assumption is that the problem we are trying to solve is site The problem we are trying to solve is site multihoming, with the
multihoming, with the ability to have the set of site prefixes change ability to have the set of site prefixes change over time due to site
over time due to site renumbering. Further, we assume that such renumbering. Further, we assume that such changes to the set of
changes to the set of locator prefixes can be relatively slow and locator prefixes can be relatively slow and managed: slow enough to
managed; slow enough to allow updates to the DNS to propagate (since allow updates to the DNS to propagate (since the protocol defined in
the protocol defined in this document depends on the DNS to find the this document depends on the DNS to find the appropriate locator
appropriate locator sets). Note, however that it is an explicit non- sets). However, note that it is an explicit non-goal to make
goal to make communication survive a renumbering event (which causes communication survive a renumbering event (which causes all the
all the locators of a host to change to a new set of locators). This locators of a host to change to a new set of locators). This
proposal does not attempt to solve the related problem of host proposal does not attempt to solve the related problem of host
mobility. However, it might turn out that the Shim6 protocol can be mobility. However, it might turn out that the Shim6 protocol can be
a useful component for future host mobility solutions, e.g., for a useful component for future host mobility solutions, e.g., for
route optimization. route optimization.
Finally, this proposal also does not try to provide a new network Finally, this proposal also does not try to provide a new network-
level or transport level identifier name space distinct from the level or transport-level identifier name space distinct from the
current IP address name space. Even though such a concept would be current IP address name space. Even though such a concept would be
useful to Upper Layer Protocols (ULPs) and applications, especially useful to upper-layer protocols (ULPs) and applications, especially
if the management burden for such a name space was negligible and if the management burden for such a name space was negligible and
there was an efficient yet secure mechanism to map from identifiers there was an efficient yet secure mechanism to map from identifiers
to locators, such a name space isn't necessary (and furthermore to locators, such a name space isn't necessary (and furthermore
doesn't seem to help) to solve the multihoming problem. doesn't seem to help) to solve the multihoming problem.
The Shim6 proposal doesn't fully separate the identifier and locator The Shim6 proposal doesn't fully separate the identifier and locator
functions that have traditionally been overloaded in the IP address. functions that have traditionally been overloaded in the IP address.
However, throughout this document the term "identifier", or more However, throughout this document the term "identifier" or, more
specifically, Upper Layer Identifier (ULID) refers to the identifying specifically, upper-layer identifier (ULID), refers to the
function of an IPv6 address, and "locator" to the network layer identifying function of an IPv6 address. "Locator" refers to the
routing and forwarding properties of an IPv6 address. network-layer routing and forwarding properties of an IPv6 address.
1.3. Locators as Upper-layer IDentifiers (ULID) 1.3. Locators as Upper-Layer Identifiers (ULID)
The approach described in this document does not introduce a new The approach described in this document does not introduce a new
identifier name space but instead uses the locator that is selected identifier name space but instead uses the locator that is selected
in the initial contact with the remote peer as the preserved Upper- in the initial contact with the remote peer as the preserved upper-
Layer Identifier (ULID). While there may be subsequent changes in layer identifier (ULID). While there may be subsequent changes in
the selected network level locators over time in response to failures the selected network-level locators over time (in response to
in using the original locator, the upper level protocol stack failures in using the original locator), the upper-level protocol
elements will continue to use this upper level identifier without stack elements will continue to use this upper-level identifier
change. without change.
This implies that the ULID selection is performed as today's default This implies that the ULID selection is performed as today's default
address selection as specified in RFC 3484 [7]. Some extensions are address selection as specified in RFC 3484 [7]. Some extensions are
needed to RFC 3484 to try different source addresses, whether or not needed to RFC 3484 to try different source addresses, whether or not
the Shim6 protocol is used, as outlined in [8]. Underneath, and the Shim6 protocol is used, as outlined in [9]. Underneath, and
transparently, the multihoming shim selects working locator pairs transparently, the multihoming shim selects working locator pairs
with the initial locator pair being the ULID pair. If communication with the initial locator pair being the ULID pair. If communication
subsequently fails the shim can test and select alternate locators. subsequently fails, the shim can test and select alternate locators.
A subsequent section discusses the issues when the selected ULID is A subsequent section discusses the issues that arise when the
not initially working hence there is a need to switch locators up selected ULID is not initially working, which creates the need to
front. switch locators up front.
Using one of the locators as the ULID has certain benefits for Using one of the locators as the ULID has certain benefits for
applications which have long-lived session state or performs applications that have long-lived session state or that perform
callbacks or referrals, because both the FQDN and the 128-bit ULID callbacks or referrals, because both the Fully Qualified Domain Name
work as handles for the applications. However, using a single 128- (FQDN) and the 128-bit ULID work as handles for the applications.
bit ULID doesn't provide seamless communication when that locator is
unreachable. See [17] for further discussion of the application However, using a single 128-bit ULID doesn't provide seamless
implications. communication when that locator is unreachable. See [18] for further
discussion of the application implications.
There has been some discussion of using non-routable addresses, such There has been some discussion of using non-routable addresses, such
as Unique-Local Addresses (ULAs) [13], as ULIDs in a multihoming as Unique-Local Addresses (ULAs) [14], as ULIDs in a multihoming
solution. While this document doesn't specify all aspects of this, solution. While this document doesn't specify all aspects of this,
it is believed that the approach can be extended to handle the non- it is believed that the approach can be extended to handle the non-
routable address case. For example, the protocol already needs to routable address case. For example, the protocol already needs to
handle ULIDs that are not initially reachable. Thus the same handle ULIDs that are not initially reachable. Thus, the same
mechanism can handle ULIDs that are permanently unreachable from mechanism can handle ULIDs that are permanently unreachable from
outside their site. The issue becomes how to make the protocol outside their site. The issue becomes how to make the protocol
perform well when the ULID is known a priori to be not reachable perform well when the ULID is known a priori to be unreachable (e.g.,
(e.g. the ULID is a ULA), for instance, avoiding any timeout and the ULID is a ULA), for instance, avoiding any timeout and retries in
retries in this case. In addition one would need to understand how this case. In addition, one would need to understand how the ULAs
the ULAs would be entered in the DNS to avoid a performance impact on would be entered in the DNS to avoid a performance impact on
existing, non-Shim6 aware, IPv6 hosts potentially trying to existing, non-Shim6-aware IPv6 hosts potentially trying to
communicate to the (unreachable) ULA. communicate to the (unreachable) ULA.
1.4. IP Multicast 1.4. IP Multicast
IP Multicast requires that the IP source address field contain a IP multicast requires that the IP Source Address field contain a
topologically correct locator for interface that is used to send the topologically correct locator for the interface that is used to send
packet, since IP multicast routing uses both the source address and the packet, since IP multicast routing uses both the source address
the destination group to determine where to forward the packet. In and the destination group to determine where to forward the packet.
particular, it need to be able to do the RPF check. (This isn't much In particular, IP multicast routing needs to be able to do the
different than the situation with widely implemented ingress Reverse Path Forwarding (RPF) check. (This isn't much different than
filtering [6] for unicast.) the situation with widely implemented ingress filtering [6] for
unicast.)
While in theory it would be possible to apply the shim re-mapping of While in theory it would be possible to apply the shim re-mapping of
the IP address fields between ULIDs and locators, the fact that all the IP address fields between ULIDs and locators, the fact that all
the multicast receivers would need to know the mapping to perform, the multicast receivers would need to know the mapping to perform
makes such an approach difficult in practice. Thus it makes sense to makes such an approach difficult in practice. Thus, it makes sense
have multicast ULPs operate directly on locators and not use the to have multicast ULPs operate directly on locators and not use the
shim. This is quite a natural fit for protocols which use RTP [9], shim. This is quite a natural fit for protocols that use RTP [10],
since RTP already has an explicit identifier in the form of the SSRC since RTP already has an explicit identifier in the form of the
field in the RTP headers. Thus the actual IP address fields are not synchronization source (SSRC) field in the RTP headers. Thus, the
important to the application. actual IP address fields are not important to the application.
In summary, IP multicast will not need the shim to remap the IP In summary, IP multicast will not need the shim to remap the IP
addresses. addresses.
This doesn't prevent the receiver of multicast to change its This doesn't prevent the receiver of multicast to change its
locators, since the receiver is not explicitly identified; the locators, since the receiver is not explicitly identified; the
destination address is a multicast address and not the unicast destination address is a multicast address and not the unicast
locator of the receiver. locator of the receiver.
1.5. Renumbering Implications 1.5. Renumbering Implications
As stated above, this approach does not try to make communication As stated above, this approach does not try to make communication
survive renumbering in the general case. survive renumbering in the general case.
When a host is renumbered, the effect is that one or more locators When a host is renumbered, the effect is that one or more locators
become invalid, and zero or more locators are added to the host's become invalid, and zero or more locators are added to the host's
network interface. This means that the set of locators that is used network interface. This means that the set of locators that is used
in the shim will change, which the shim can handle as long as not all in the shim will change, which the shim can handle as long as not all
the original locators become invalid at the same time and depending the original locators become invalid at the same time; the shim's
on the time that is required to update the DNS and for those updates ability to handle this also depends on the time that is required to
to propagate. update the DNS and for those updates to propagate.
But IP addresses are also used as ULIDs, and making the communication But IP addresses are also used as ULIDs, and making the communication
survive locators becoming invalid can potentially cause some survive locators becoming invalid can potentially cause some
confusion at the upper layers. The fact that a ULID might be used confusion at the upper layers. The fact that a ULID might be used
with a different locator over time open up the possibility that with a different locator over time opens up the possibility that
communication between two ULIDs might continue to work after one or communication between two ULIDs might continue to work after one or
both of those ULIDs are no longer reachable as locators, for example both of those ULIDs are no longer reachable as locators, for example,
due to a renumbering event. This opens up the possibility that the due to a renumbering event. This opens up the possibility that the
ULID (or at least the prefix on which it is based) is reassigned to ULID (or at least the prefix on which it is based) may be reassigned
another site while it is still being used (with another locator) for to another site while it is still being used (with another locator)
existing communication. for existing communication.
In the worst case we could end up with two separate hosts using the In the worst case, we could end up with two separate hosts using the
same ULID while both of them are communicating with the same host. same ULID while both of them are communicating with the same host.
This potential source for confusion is avoided requiring that any This potential source for confusion is avoided by requiring that any
communication using a ULID MUST be terminated when the ULID becomes communication using a ULID MUST be terminated when the ULID becomes
invalid (due to the underlying prefix becoming invalid). This invalid (due to the underlying prefix becoming invalid). This
behavior can be accomplished by explicitly discarding the shim state behavior can be accomplished by explicitly discarding the shim state
when the ULID becomes invalid. The context recovery mechanism will when the ULID becomes invalid. The context-recovery mechanism will
then make the peer aware that the context is gone, and that the ULID then make the peer aware that the context is gone and that the ULID
is no longer present at the same locator(s). is no longer present at the same locator(s).
1.6. Placement of the shim 1.6. Placement of the Shim
----------------------- -----------------------
| Transport Protocols | | Transport Protocols |
----------------------- -----------------------
-------------- ------------- IP endpoint -------------- ------------- IP endpoint
| Frag/reass | | Dest opts | sub-layer | Frag/reass | | Dest opts | sub-layer
-------------- ------------- -------------- -------------
--------------------- ---------------------
| Shim6 shim layer | | Shim6 shim layer |
--------------------- ---------------------
------ IP routing ------ IP routing
| IP | sub-layer | IP | sub-layer
------ ------
Figure 1: Protocol stack Figure 1: Protocol Stack
The proposal uses a multihoming shim layer within the IP layer, i.e., The proposal uses a multihoming shim layer within the IP layer, i.e.,
below the ULPs, as shown in Figure 1, in order to provide ULP below the ULPs, as shown in Figure 1, in order to provide ULP
independence. The multihoming shim layer behaves as if it is independence. The multihoming shim layer behaves as if it is
associated with an extension header, which would be placed after any associated with an extension header, which would be placed after any
routing-related headers in the packet (such as any hop-by-hop routing-related headers in the packet (such as any hop-by-hop
options, or routing header). However, when the locator pair is the options). However, when the locator pair is the ULID pair, there is
ULID pair there is no data that needs to be carried in an extension no data that needs to be carried in an extension header; thus, none
header, thus none is needed in that case. is needed in that case.
Layering the fragmentation header above the multihoming shim makes Layering the Fragmentation header above the multihoming shim makes
reassembly robust in the case that there is broken multi-path routing reassembly robust in the case that there is broken multi-path routing
which results in using different paths, hence potentially different that results in using different paths, hence potentially different
source locators, for different fragments. Thus, the multihoming shim source locators, for different fragments. Thus, the multihoming shim
layer is placed between the IP endpoint sublayer, which handles layer is placed between the IP endpoint sublayer (which handles
fragmentation, reassembly, and the IP routing sublayer, which selects fragmentation and reassembly) and the IP routing sublayer (which
which next hop and interface to use for sending out packets. selects the next hop and interface to use for sending out packets).
Applications and upper layer protocols use ULIDs which the Shim6 Applications and upper-layer protocols use ULIDs that the Shim6 layer
layer map to/from different locators. The Shim6 layer maintains maps to/from different locators. The Shim6 layer maintains state,
state, called ULID-pair context, per ULID pair (that is, applies to called ULID-pair context, per ULID pair (that is, such state applies
all ULP connections between the ULID pair) in order to perform this to all ULP connections between the ULID pair) in order to perform
mapping. The mapping is performed consistently at the sender and the this mapping. The mapping is performed consistently at the sender
receiver so that ULPs see packets that appear to be sent using ULIDs and the receiver so that ULPs see packets that appear to be sent
from end to end. This property is maintained even though the packets using ULIDs from end to end. This property is maintained even though
travel through the network containing locators in the IP address the packets travel through the network containing locators in the IP
fields, and even though those locators may be changed by the address fields, and even though those locators may be changed by the
transmitting Shim6 layer. transmitting Shim6 layer.
The context state is maintained per remote ULID i.e. approximately The context state is maintained per remote ULID, i.e., approximately
per peer host, and not at any finer granularity. In particular, it per peer host, and not at any finer granularity. In particular, the
is independent of the ULPs and any ULP connections. However, the context state is independent of the ULPs and any ULP connections.
forking capability enables shim-aware ULPs to use more than one However, the forking capability enables Shim6-aware ULPs to use more
locator pair at a time for an single ULID pair. than one locator pair at a time for a single ULID pair.
---------------------------- ---------------------------- ---------------------------- ----------------------------
| Sender A | | Receiver B | | Sender A | | Receiver B |
| | | | | | | |
| ULP | | ULP | | ULP | | ULP |
| | src ULID(A)=L1(A) | | ^ | | | src ULID(A)=L1(A) | | ^ |
| | dst ULID(B)=L1(B) | | | src ULID(A)=L1(A) | | | dst ULID(B)=L1(B) | | | src ULID(A)=L1(A) |
| v | | | dst ULID(B)=L1(B) | | v | | | dst ULID(B)=L1(B) |
| multihoming shim | | multihoming shim | | multihoming shim | | multihoming shim |
| | src L2(A) | | ^ | | | src L2(A) | | ^ |
| | dst L3(B) | | | src L2(A) | | | dst L3(B) | | | src L2(A) |
| v | | | dst L3(B) | | v | | | dst L3(B) |
| IP | | IP | | IP | | IP |
---------------------------- ---------------------------- ---------------------------- ----------------------------
| ^ | ^
------- cloud with some routers ------- ------- cloud with some routers -------
Figure 2: Mapping with changed locators Figure 2: Mapping with Changed Locators
The result of this consistent mapping is that there is no impact on The result of this consistent mapping is that there is no impact on
the ULPs. In particular, there is no impact on pseudo-header the ULPs. In particular, there is no impact on pseudo-header
checksums and connection identification. checksums and connection identification.
Conceptually, one could view this approach as if both ULIDs and Conceptually, one could view this approach as if both ULIDs and
locators are being present in every packet, and with a header locators are present in every packet, and as if a header-compression
compression mechanism applied that removes the need for the ULIDs to mechanism is applied that removes the need for the ULIDs to be
be carried in the packets once the compression state has been carried in the packets once the compression state has been
established. In order for the receiver to recreate a packet with the established. In order for the receiver to re-create a packet with
correct ULIDs there is a need to include some "compression tag" in the correct ULIDs, there is a need to include some "compression tag"
the data packets. This serves to indicate the correct context to use in the data packets. This serves to indicate the correct context to
for decompression when the locator pair in the packet is insufficient use for decompression when the locator pair in the packet is
to uniquely identify the context. insufficient to uniquely identify the context.
There are different types of interactions between the Shim6 layer and There are different types of interactions between the Shim6 layer and
other protocols. Those intereactions are influenced by the usage of other protocols. Those interactions are influenced by the usage of
the addresses that these other protocols do and the impact of the the addresses in these other protocols and the impact of the Shim6
Shim6 mapping on these usages. A detailed analysis of the mapping on these usages. A detailed analysis of the interactions of
interactions of different portocols, including SCTP, MIP and HIP can different protocols, including the Stream Control Transmission
be found in [18]. Moreover, some applications may need to have a Protocol (SCTP), mobile IP (MIP), and Host Identity Protocol (HIP),
richer interaction with the Shim6 sub-layer. In order to enable can be found in [19]. Moreover, some applications may need to have a
that, a API [22] has been defined to enable greater control and richer interaction with the Shim6 sublayer. In order to enable that,
an API [23] has been defined to enable greater control and
information exchange for those applications that need it. information exchange for those applications that need it.
1.7. Traffic Engineering 1.7. Traffic Engineering
At the time of this writing it is not clear what requirements for At the time of this writing, it is not clear what requirements for
traffic engineering make sense for the Shim6 protocol, since the traffic engineering make sense for the Shim6 protocol, since the
requirements must both result in some useful behavior as well as be requirements must both result in some useful behavior as well as be
implementable using a host-to-host locator agility mechanism like implementable using a host-to-host locator agility mechanism like
Shim6. Shim6.
Inherent in a scalable multihoming mechanism that separates the Inherent in a scalable multihoming mechanism that separates the
locator function of the IP address from identifying function of the locator function of the IP address from identifying function of the
IP address is that each host ends up with multiple locators. This IP address is that each host ends up with multiple locators. This
means that at least for initial contact, it is the remote peer means that, at least for initial contact, it is the remote peer
application (or layer working on its behalf) needs to select an application (or layer working on its behalf) that needs to select an
initial ULID, which automatically becomes the initial locator. In initial ULID, which automatically becomes the initial locator. In
the case of Shim6 this is performed by applying RFC 3484 address the case of Shim6, this is performed by applying RFC 3484 address
selection. selection.
This is quite different than the common case of IPv4 multihoming This is quite different than the common case of IPv4 multihoming
where the site has a single IP address prefix, since in that case the where the site has a single IP address prefix, since in that case the
peer performs no destination address selection. peer performs no destination address selection.
Thus in "single prefix multihoming" the site, and in many cases its Thus, in "single prefix multihoming", the site (and in many cases its
upstream ISPs, can use BGP to exert some control of the ingress path upstream ISPs) can use BGP to exert some control of the ingress path
used to reach the site. This capability does not by itself exist used to reach the site. This capability does not by itself exist in
"multiple prefix multihoming" such as Shim6. It is conceivable that "multiple prefix multihoming" approaches such as Shim6. It is
extensions allowing site or provider guidance of host-based conceivable that extensions allowing site or provider guidance of
mechanisms could be developed. But t should be noted that traffic host-based mechanisms could be developed. But it should be noted
engineering via BGP, MPLS or other similar techniques can still be that traffic engineering via BGP, MPLS, or other similar techniques
applied for traffic on each individual prefix; Shim6 does not remove can still be applied for traffic on each individual prefix; Shim6
the capability for this. It does provide some additional does not remove the capability for this. It does provide some
capabilities for hosts to choose between prefixes. additional capabilities for hosts to choose between prefixes.
These capabilities also carry some risk for non-optimal behaviour These capabilities also carry some risk for non-optimal behaviour
when more than one mechanism attempts to correct problems at the same when more than one mechanism attempts to correct problems at the same
time. However, it should be noted that this is not necessarily a time. However, it should be noted that this is not necessarily a
situation brought about by Shim6. A more constrained form of this situation brought about by Shim6. A more constrained form of this
capability already exists in IPv6 itself via its support of multiple capability already exists in IPv6, itself, via its support of
prefixes and address selection rules for starting new communications. multiple prefixes and address-selection rules for starting new
Even IPv4 hosts with multiple interfaces may have limited communications. Even IPv4 hosts with multiple interfaces may have
capabilities to choose interfaces on which they communicate. limited capabilities to choose interfaces on which they communicate.
Similarly, upper layers may choose different addresses. Similarly, upper layers may choose different addresses.
In general, it is expected that Shim6 is applicable in relatively In general, it is expected that Shim6 is applicable in relatively
small sites and individual hosts where BGP-style traffic engineering small sites and individual hosts where BGP-style traffic engineering
operations are unavailable, unlikely or, if run with provider operations are unavailable, unlikely, or if run with provider-
independent addressing, might even be harmful considering the growth independent addressing, possibly even harmful, considering the growth
rates in the global routing table. rates in the global routing table.
The protocol provides a placeholder, in the form of the Locator The protocol provides a placeholder, in the form of the Locator
Preferences option, which can be used by hosts to express priority Preferences option, that can be used by hosts to express priority and
and weight values for each locator. This option is merely a place weight values for each locator. This option is merely a placeholder
holder when it comes to providing traffic engineering; in order to when it comes to providing traffic engineering; in order to use this
use this in a large site there would have to be a mechanism by which in a large site, there would have to be a mechanism by which the host
the host can find out what preference values to use, either can find out what preference values to use, either statically (e.g.,
statically (e.g., some new DHCPv6 option) or dynamically. some new DHCPv6 option) or dynamically.
Thus traffic engineering is listed as a possible extension in Thus, traffic engineering is listed as a possible extension in
Section 19. Appendix A.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1]. document are to be interpreted as described in RFC 2119 [1].
2.1. Definitions 2.1. Definitions
This document introduces the following terms: This document introduces the following terms:
upper layer protocol (ULP) upper-layer protocol (ULP)
A protocol layer immediately above IP. Examples A protocol layer immediately above IP. Examples
are transport protocols such as TCP and UDP, are transport protocols such as TCP and UDP;
control protocols such as ICMP, routing protocols control protocols such as ICMP; routing protocols
such as OSPF, and internet or lower-layer such as OSPF; and Internet or lower-layer
protocols being "tunneled" over (i.e., protocols being "tunneled" over (i.e.,
encapsulated in) IP such as IPX, AppleTalk, or IP encapsulated in) IP, such as the Internet Packet
itself. Exchange (IPX), AppleTalk, or IP itself.
interface A node's attachment to a link. interface A node's attachment to a link.
address An IP layer name that contains both topological address An IP-layer name that both contains topological
significance and acts as a unique identifier for significance and acts as a unique identifier for
an interface. 128 bits. This document only uses an interface. 128 bits. This document only uses
the "address" term in the case where it isn't the "address" term in the case where it isn't
specific whether it is a locator or an specific whether it is a locator or an
identifier. identifier.
locator An IP layer topological name for an interface or locator An IP-layer topological name for an interface or
a set of interfaces. 128 bits. The locators are a set of interfaces. 128 bits. The locators are
carried in the IP address fields as the packets carried in the IP address fields as the packets
traverse the network. traverse the network.
identifier An IP layer name for an IP layer endpoint. The identifier An IP-layer name for an IP-layer endpoint. The
transport endpoint name is a function of the transport endpoint name is a function of the
transport protocol and would typically include transport protocol and would typically include
the IP identifier plus a port number. the IP identifier plus a port number.
NOTE: This proposal does not specify any new form NOTE: This proposal does not specify any new form
of IP layer identifier, but still separates the of IP-layer identifier, but still separates the
identifying and locating properties of the IP identifying and locating properties of the IP
addresses. addresses.
upper-layer identifier (ULID) upper-layer identifier (ULID)
An IP address which has been selected for An IP address that has been selected for
communication with a peer to be used by the upper communication with a peer to be used by the
layer protocol. 128 bits. This is used for upper-layer protocol. 128 bits. This is used for
pseudo-header checksum computation and connection pseudo-header checksum computation and connection
identification in the ULP. Different sets of identification in the ULP. Different sets of
communication to a host (e.g., different communication to a host (e.g., different
connections) might use different ULIDs in order connections) might use different ULIDs in order
to enable load spreading. to enable load spreading.
Since the ULID is just one of the IP locators/ Since the ULID is just one of the IP locators/
addresses of the node, there is no need for a addresses of the node, there is no need for a
separate name space and allocation mechanisms. separate name space and allocation mechanisms.
address field The source and destination address fields in the address field The Source and Destination Address fields in the
IPv6 header. As IPv6 is currently specified this IPv6 header. As IPv6 is currently specified,
fields carry "addresses". If identifiers and these fields carry "addresses". If identifiers
locators are separated these fields will contain and locators are separated, these fields will
locators for packets on the wire. contain locators for packets on the wire.
FQDN Fully Qualified Domain Name FQDN Fully Qualified Domain Name
ULID-pair context The state that the multihoming shim maintains ULID-pair context The state that the multihoming shim maintains
between a pair of Upper-layer identifiers. The between a pair of upper-layer identifiers. The
context is identified by a context tag for each context is identified by a Context Tag for each
direction of the communication, and also direction of the communication and also by a
identified by the pair of ULID and a Forked ULID-pair and a Forked Instance Identifier (see
Instance Identifier (see below). below).
Context tag Each end of the context allocates a context tag Context Tag Each end of the context allocates a Context Tag
for the context. This is used to uniquely for the context. This is used to uniquely
associate both received control packets and associate both received control packets and Shim6
payload extension headers as belonging to the Payload Extension headers as belonging to the
context. context.
Current locator pair current locator pair
Each end of the context has a current locator Each end of the context has a current locator
pair which is used to send packets to the peer. pair that is used to send packets to the peer.
The two ends might use different current locator However, the two ends might use different current
pairs though. locator pairs.
Default context At the sending end, the shim uses the ULID pair default context At the sending end, the shim uses the ULID pair
(passed down from the ULP) to find the context (passed down from the ULP) to find the context
for that pair. Thus, normally, a host can have for that pair. Thus, normally, a host can have
at most one context for a ULID pair. We call at most one context for a ULID pair. We call
this the "default context". this the "default context".
Context forking A mechanism which allows ULPs that are aware of context forking A mechanism that allows ULPs that are aware of
multiple locators to use separate contexts for multiple locators to use separate contexts for
the same ULID pair, in order to be able use the same ULID pair, in order to be able use
different locator pairs for different different locator pairs for different
communication to the same ULID. Context forking communication to the same ULID. Context forking
causes more than just the default context to be causes more than just the default context to be
created for a ULID pair. created for a ULID pair.
Forked Instance Identifier (FII) Forked Instance Identifier (FII)
In order to handle context forking, a context is In order to handle context forking, a context is
identified by a ULID-pair and a forked context identified by a ULID pair and a Forked Context
identifier. The default context has a FII of Identifier. The default context has an FII of
zero. zero.
Initial contact We use this term to refer to the pre-shim initial contact We use this term to refer to the pre-shim
communication when some ULP decides to start communication when a ULP decides to start
communicating with a peer by sending and communicating with a peer by sending and
receiving ULP packets. Typically this would not receiving ULP packets. Typically, this would not
invoke any operations in the shim, since the shim invoke any operations in the shim, since the shim
can defer the context establishment until some can defer the context establishment until some
arbitrary later point in time. arbitrary, later point in time.
Hash Based Addresses (HBA) Hash-Based Addresses (HBA)
A form of IPv6 address where the interface ID is A form of IPv6 address where the interface ID is
derived from a cryptographic hash of all the derived from a cryptographic hash of all the
prefixes assigned to the host. See [3]. prefixes assigned to the host. See [3].
Cryptographically Generated Addresses (CGA) Cryptographically Generated Addresses (CGA)
A form of IPv6 address where the interface ID is A form of IPv6 address where the interface ID is
derived from a cryptographic hash of the public derived from a cryptographic hash of the public
key. See [2]. key. See [2].
CGA Parameter Data Structure (PDS) CGA Parameter Data Structure (PDS)
The information that CGA and HBA exchanges in The information that CGA and HBA exchange in
order to inform the peer of how the interface ID order to inform the peer of how the interface ID
was computed. See [2], [3]. was computed. See [2] and [3].
2.2. Notational Conventions 2.2. Notational Conventions
A, B, and C are hosts. X is a potentially malicious host. A, B, and C are hosts. X is a potentially malicious host.
FQDN(A) is the Fully qualified Domain Name for A. FQDN(A) is the Fully Qualified Domain Name for A.
Ls(A) is the locator set for A, which consists of the locators L1(A), Ls(A) is the locator set for A, which consists of the locators L1(A),
L2(A), ... Ln(A). The locator set in not ordered in any particular L2(A), ... Ln(A). The locator set is not ordered in any particular
way other than maybe what is returned by the DNS. A host might form way other than maybe what is returned by the DNS. A host might form
different locators sets containing different subnets of the hosts IP different locator sets containing different subnets of the host's IP
addresses. This is necessary in some cases for security reasons. addresses. This is necessary in some cases for security reasons.
See Section 16.1. See Section 16.1.
ULID(A) is an upper-layer ID for A. In this proposal, ULID(A) is ULID(A) is an upper-layer identifier for A. In this proposal,
always one member of A's locator set. ULID(A) is always one member of A's locator set.
CT(A) is a context tag assigned by A. CT(A) is a Context Tag assigned by A.
STATE (in uppercase) refers to the the specific state of the state STATE (in uppercase) refers to the specific state of the state
machine described in Section 6.2 machine described in Section 6.2
2.3. Conceptual 2.3. Conceptual
This document also makes use of internal conceptual variables to This document also makes use of internal conceptual variables to
describe protocol behavior and external variables that an describe protocol behavior and external variables that an
implementation must allow system administrators to change. The implementation must allow system administrators to change. The
specific variable names, how their values change, and how their specific variable names, how their values change, and how their
settings influence protocol behavior are provided to demonstrate settings influence protocol behavior are provided to demonstrate
protocol behavior. An implementation is not required to have them in protocol behavior. An implementation is not required to have them in
skipping to change at page 17, line 16 skipping to change at page 15, line 49
The design intent is to ensure that the Shim6 protocol is capable of The design intent is to ensure that the Shim6 protocol is capable of
handling path failures independently of the number of IP addresses handling path failures independently of the number of IP addresses
(locators) available to the two communicating hosts, and (locators) available to the two communicating hosts, and
independently of which host detects the failure condition. independently of which host detects the failure condition.
Consider, for example, the case in which both A and B have active Consider, for example, the case in which both A and B have active
Shim6 state and where A has only one locator while B has multiple Shim6 state and where A has only one locator while B has multiple
locators. In this case, it might be that B is trying to send a locators. In this case, it might be that B is trying to send a
packet to A, and has detected a failure condition with the current packet to A, and has detected a failure condition with the current
locator pair. Since B has multiple locators it presumably has locator pair. Since B has multiple locators, it presumably has
multiple ISPs, and consequently likely has alternate egress paths multiple ISPs, and (consequently) likely has alternate egress paths
toward A. B cannot vary the destination address (i.e., A's locator), toward A. B cannot vary the destination address (i.e., A's locator),
since A has only one locator. However, B may need to vary the source since A has only one locator. However, B may need to vary the source
address in order to ensure packet delivery. address in order to ensure packet delivery.
In many cases normal operation of IP routing may cause the packets to In many cases, normal operation of IP routing may cause the packets
follow a path towards the correct (currently operational) egress. In to follow a path towards the correct (currently operational) egress.
some cases it is possible that a path may be selected based on the In some cases, it is possible that a path may be selected based on
source address, implying that B will need to select a source address the source address, implying that B will need to select a source
corresponding to the currently operating egress. The details of how address corresponding to the currently operating egress. The details
routing can be accomplished is beyond the scope of this document of how routing can be accomplished is beyond the scope of this
document.
Also, when the site's ISPs perform ingress filtering based on packet Also, when the site's ISPs perform ingress filtering based on packet
source addresses, Shim6 assumes that packets sent with different source addresses, Shim6 assumes that packets sent with different
source and destination combinations have a reasonable chance of source and destination combinations have a reasonable chance of
making it through the relevant ISP's ingress filters. This can be making it through the relevant ISP's ingress filters. This can be
accomplished in several ways (all outside the scope of this accomplished in several ways (all outside the scope of this
document), such as having the ISPs relax their ingress filters, or document), such as having the ISPs relax their ingress filters or
selecting the egress such that it matches the IP source address selecting the egress such that it matches the IP source address
prefix. In the case that one egress path has failed but another is prefix. In the case that one egress path has failed but another is
operating correctly, it may be necessary for the packet's source operating correctly, it may be necessary for the packet's source
(node B in the previous paragraph) to select a source address that (node B in the previous paragraph) to select a source address that
corresponds to the operational egress, in order to pass the ISP's corresponds to the operational egress, in order to pass the ISP's
ingress filters. ingress filters.
The Shim6 approach assumes that there are no IPv6-to-IPv6 NATs on the The Shim6 approach assumes that there are no IPv6-to-IPv6 NATs on the
paths, i.e., that the two ends can exchange their own notion of their paths, i.e., that the two ends can exchange their own notion of their
IPv6 addresses and that those addresses will also make sense to their IPv6 addresses and that those addresses will also make sense to their
peer. peer.
The security of the Shim6 protocol relies on the usage of Hash Based The security of the Shim6 protocol relies on the usage of Hash-Based
Addresses (HBA) [3] and/or Cryptographically Generated Addresses Addresses (HBA) [3] and/or Cryptographically Generated Addresses
(CGA) [2]. In the case that HBAs are used, all the addresses (CGA) [2]. In the case that HBAs are used, all the addresses
assigned to the host that are included in the Shim6 protocol (either assigned to the host that are included in the Shim6 protocol (either
as a locator or as a ULID) must be part of the same HBA set. In the as a locator or as a ULID) must be part of the same HBA set. In the
case that CGAs are used, the address used as ULID must be a CGA but case that CGAs are used, the address used as ULID must be a CGA, but
the other addresses that are used as locators do not need to be the other addresses that are used as locators do not need to be
neither CGAs nor HBAs. It should be noted that it is perfectly either CGAs or HBAs. It should be noted that it is perfectly
acceptable to run the Shim6 protocol between a host that has multiple acceptable to run the Shim6 protocol between a host that has multiple
locators and another host that has a single IP address. In this locators and another host that has a single IP address. In this
case, the address of the host with a single address does not need to case, the address of the host with a single address does not need to
be an HBA nor a CGA. be an HBA or a CGA.
4. Protocol Overview 4. Protocol Overview
The Shim6 protocol operates in several phases over time. The The Shim6 protocol operates in several phases over time. The
following sequence illustrates the concepts: following sequence illustrates the concepts:
o An application on host A decides to contact an application on host o An application on host A decides to contact an application on host
B using some upper-layer protocol. This results in the ULP on B using some upper-layer protocol. This results in the ULP on
host A sending packets to host B. We call this the initial host A sending packets to host B. We call this the initial
contact. Assuming the IP addresses selected by Default Address contact. Assuming the IP addresses selected by default address
Selection [7] and its extensions [8] work, then there is no action selection [7] and its extensions [9] work, then there is no action
by the shim at this point in time. Any shim context establishment by the shim at this point in time. Any shim context establishment
can be deferred until later. can be deferred until later.
o Some heuristic on A or B (or both) determine that it is o Some heuristic on A or B (or both) determine that it is
appropriate to pay the Shim6 overhead to make this host-to-host appropriate to pay the Shim6 overhead to make this host-to-host
communication robust against locator failures. For instance, this communication robust against locator failures. For instance, this
heuristic might be that more than 50 packets have been sent or heuristic might be that more than 50 packets have been sent or
received, or a timer expiration while active packet exchange is in received, or that there was a timer expiration while active packet
place. This makes the shim initiate the 4-way context exchange was in place. This makes the shim initiate the 4-way,
establishment exchange. The purpose of this heuristic is to avoid context-establishment exchange. The purpose of this heuristic is
setting up a shim context when only a small number of packets is to avoid setting up a shim context when only a small number of
exchanged between two hosts. packets is exchanged between two hosts.
As a result of this exchange, both A and B will know a list of As a result of this exchange, both A and B will know a list of
locators for each other. locators for each other.
If the context establishment exchange fails, the initiator will If the context-establishment exchange fails, the initiator will
then know that the other end does not support Shim6, and will then know that the other end does not support Shim6, and will
continue with standard (non-Shim6) behavior for the session. continue with standard (non-Shim6) behavior for the session.
o Communication continues without any change for the ULP packets. o Communication continues without any change for the ULP packets.
In particular, there are no shim extension headers added to the In particular, there are no Shim6 Extension headers added to the
ULP packets, since the ULID pair is the same as the locator pair. ULP packets, since the ULID pair is the same as the locator pair.
In addition, there might be some messages exchanged between the In addition, there might be some messages exchanged between the
shim sub-layers for (un)reachability detection. shim sublayers for (un)reachability detection.
o At some point in time something fails. Depending on the approach o At some point in time, something fails. Depending on the approach
to reachability detection, there might be some advice from the to reachability detection, there might be some advice from the
ULP, or the shim (un)reachability detection might discover that ULP, or the shim (un)reachability detection might discover that
there is a problem. there is a problem.
At this point in time one or both ends of the communication need At this point in time, one or both ends of the communication need
to probe the different alternate locator pairs until a working to probe the different alternate locator pairs until a working
pair is found, and switch to using that locator pair. pair is found, and then switch to using that locator pair.
o Once a working alternative locator pair has been found, the shim o Once a working alternative locator pair has been found, the shim
will rewrite the packets on transmit, and tag the packets with will rewrite the packets on transmit and tag the packets with the
Shim6 Payload extension header, which contains the receiver's Shim6 Payload Extension header, which contains the receiver's
context tag. The receiver will use the context tag to find the Context Tag. The receiver will use the Context Tag to find the
context state which will indicate which addresses to place in the context state, which will indicate which addresses to place in the
IPv6 header before passing the packet up to the ULP. The result IPv6 header before passing the packet up to the ULP. The result
is that from the perspective of the ULP the packet passes is that, from the perspective of the ULP, the packet passes
unmodified end-to-end, even though the IP routing infrastructure unmodified end-to-end, even though the IP routing infrastructure
sends the packet to a different locator. sends the packet to a different locator.
o The shim (un)reachability detection will monitor the new locator o The shim (un)reachability detection will monitor the new locator
pair as it monitored the original locator pair, so that subsequent pair as it monitored the original locator pair, so that subsequent
failures can be detected. failures can be detected.
o In addition to failures detected based on end-to-end observations, o In addition to failures detected based on end-to-end observations,
one endpoint might know for certain that one or more of its one endpoint might know for certain that one or more of its
locators is not working. For instance, the network interface locators is not working. For instance, the network interface
might have failed or gone down (at layer 2), or an IPv6 address might have failed or gone down (at layer 2), or an IPv6 address
might have become deprecated or invalid. In such cases the host might have become deprecated or invalid. In such cases, the host
can signal its peer that this address is no longer recommended to can signal its peer that trying this address is no longer
try. This triggers something similar to a failure handling and a recommended. This triggers something similar to a failure
new working locator pair must be found. handling, and a new working locator pair must be found.
The protocol also has the ability to express other forms of The protocol also has the ability to express other forms of
locator preferences. A change in any preferences can be signaled locator preferences. A change in any preference can be signaled
to the peer, which will have made the peer record the new to the peer, which will have made the peer record the new
preferences. A change in the preferences might optionally make preferences. A change in the preferences might optionally make
the peer want to use a different locator pair. In this case, the the peer want to use a different locator pair. In this case, the
peer follows the same locator switching procedure as after a peer follows the same locator switching procedure as after a
failure (by verifying that its peer is indeed present at the failure (by verifying that its peer is indeed present at the
alternate locator, etc). alternate locator, etc).
o When the shim thinks that the context state is no longer used, it o When the shim thinks that the context state is no longer used, it
can garbage collect the state; there is no coordination necessary can garbage collect the state; there is no coordination necessary
with the peer host before the state is removed. There is a with the peer host before the state is removed. There is a
recovery message defined to be able to signal when there is no recovery message defined to be able to signal when there is no
context state, which can be used to detect and recover from both context state, which can be used to detect and recover from both
premature garbage collection, as well as complete state loss premature garbage collection as well as from complete state loss
(crash and reboot) of a peer. (crash and reboot) of a peer.
The exact mechanism to determine when the context state is no The exact mechanism to determine when the context state is no
longer used is implementation dependent. For example, an longer used is implementation dependent. For example, an
implementation might use the existence of ULP state (where known implementation might use the existence of ULP state (where known
to the implementation) as an indication that the state is still to the implementation) as an indication that the state is still
used, combined with a timer (to handle ULP state that might not be used, combined with a timer (to handle ULP state that might not be
known to the shim sub-layer) to determine when the state is likely known to the shim sublayer) to determine when the state is likely
to no longer be used. to no longer be used.
NOTE 1: The ULP packets in Shim6 can be carried completely unmodified NOTE 1: The ULP packets in Shim6 can be carried completely unmodified
as long as the ULID pair is used as the locator pair. After a switch as long as the ULID pair is used as the locator pair. After a switch
to a different locator pair the packets are "tagged" with a Shim6 to a different locator pair, the packets are "tagged" with a Shim6
extension header, so that the receiver can always determine the Extension header so that the receiver can always determine the
context to which they belong. This is accomplished by including an context to which they belong. This is accomplished by including an
8-octet Shim6 Payload Extension header before the (extension) headers 8-octet Shim6 Payload Extension header before the (extension) headers
that are processed by the IP endpoint sublayer and ULPs. If that are processed by the IP endpoint sublayer and ULPs. If,
subsequently the original ULIDs are selected as the active locator subsequently, the original ULIDs are selected as the active locator
pair then the tagging of packets with the Shim6 extension header is pair, then the tagging of packets with the Shim6 Extension header is
no longer necessary. no longer necessary.
4.1. Context Tags 4.1. Context Tags
A context between two hosts is actually a context between two ULIDs. A context between two hosts is actually a context between two ULIDs.
The context is identified by a pair of context tags. Each end gets The context is identified by a pair of Context Tags. Each end gets
to allocate a context tag, and once the context is established, most to allocate a Context Tag, and once the context is established, most
Shim6 control messages contain the context tag that the receiver of Shim6 control messages contain the Context Tag that the receiver of
the message allocated. Thus at a minimum the combination of <peer the message allocated. Thus, at a minimum, the combination of <peer
ULID, local ULID, local context tag> have to uniquely identify one ULID, local ULID, local Context Tag> have to uniquely identify one
context. But since the Payload extension headers are demultiplexed context. But, since the Shim6 Payload Extension headers are
without looking at the locators in the packet, the receiver will need demultiplexed without looking at the locators in the packet, the
to allocate context tags that are unique for all its contexts. The receiver will need to allocate Context Tags that are unique for all
context tag is a 47-bit number (the largest which can fit in an its contexts. The Context Tag is a 47-bit number (the largest that
8-octet extension header), while preserving one bit to differentiate can fit in an 8-octet extension header), while preserving one bit to
the Shim6 signalling messages from the Shim6 header included in data differentiate the Shim6 signaling messages from the Shim6 header
packets, allowing both to use the same protocol number. included in data packets, allowing both to use the same protocol
number.
The mechanism for detecting a loss of context state at the peer The mechanism for detecting a loss of context state at the peer
assumes that the receiver can tell the packets that need locator assumes that the receiver can tell the packets that need locator
rewriting, even after it has lost all state (e.g., due to a crash rewriting, even after it has lost all state (e.g., due to a crash
followed by a reboot). This is achieved because after a rehoming followed by a reboot). This is achieved because, after a rehoming
event the packets that need receive-side rewriting, carry the Payload event, the packets that need receive-side rewriting carry the Shim6
extension header. Payload Extension header.
4.2. Context Forking 4.2. Context Forking
It has been asserted that it will be important for future ULPs, in It has been asserted that it will be important for future ULPs -- in
particular, future transport protocols, to be able to control which particular, future transport protocols -- to be able to control which
locator pairs are used for different communication. For instance, locator pairs are used for different communication. For instance,
host A and host B might communicate using both VoIP traffic and ftp host A and host B might communicate using both Voice over IP (VoIP)
traffic, and those communications might benefit from using different traffic and ftp traffic, and those communications might benefit from
locator pairs. However, the basic Shim6 mechanism uses a single using different locator pairs. However, the basic Shim6 mechanism
current locator pair for each context, thus a single context cannot uses a single current locator pair for each context; thus, a single
accomplish this. context cannot accomplish this.
For this reason, the Shim6 protocol supports the notion of context For this reason, the Shim6 protocol supports the notion of context
forking. This is a mechanism by which a ULP can specify (using some forking. This is a mechanism by which a ULP can specify (using some
API not yet defined) that a context for e.g., the ULID pair <A1, B2> API not yet defined) that a context, e.g., the ULID pair <A1, B2>,
should be forked into two contexts. In this case the forked-off should be forked into two contexts. In this case, the forked-off
context will be assigned a non-zero Forked Instance Identifier, while context will be assigned a non-zero Forked Instance Identifier, while
the default context has FII zero. the default context has FII zero.
The Forked Instance Identifier (FII) is a 32-bit identifier which has The Forked Instance Identifier (FII) is a 32-bit identifier that has
no semantics in the protocol other then being part of the tuple which no semantics in the protocol other than being part of the tuple that
identifies the context. For example, a host might allocate FIIs as identifies the context. For example, a host might allocate FIIs as
sequential numbers for any given ULID pair. sequential numbers for any given ULID pair.
No other special considerations are needed in the Shim6 protocol to No other special considerations are needed in the Shim6 protocol to
handle forked contexts. handle forked contexts.
Note that forking as specified does NOT allow A to be able to tell B Note that forking as specified does NOT allow A to be able to tell B
that certain traffic (a 5-tuple?) should be forked for the reverse that certain traffic (a 5-tuple?) should be forked for the reverse
direction. The Shim6 forking mechanism as specified applies only to direction. The Shim6 forking mechanism as specified applies only to
the sending of ULP packets. If some ULP wants to fork for both the sending of ULP packets. If some ULP wants to fork for both
directions, it is up to the ULP to set this up, and then instruct the directions, it is up to the ULP to set this up and then instruct the
shim at each end to transmit using the forked context. shim at each end to transmit using the forked context.
4.3. API Extensions 4.3. API Extensions
Several API extensions have been discussed for Shim6, but their Several API extensions have been discussed for Shim6, but their
actual specification is out of scope for this document. The simplest actual specification is out of scope for this document. The simplest
one would be to add a socket option to be able to have traffic bypass one would be to add a socket option to be able to have traffic bypass
the shim (not create any state, and not use any state created by the shim (not create any state and not use any state created by other
other traffic). This could be an IPV6_DONTSHIM socket option. Such traffic). This could be an IPV6_DONTSHIM socket option. Such an
an option would be useful for protocols, such as DNS, where the option would be useful for protocols, such as DNS, where the
application has its own failover mechanism (multiple NS records in application has its own failover mechanism (multiple NS records in
the case of DNS) and using the shim could potentially add extra the case of DNS) and using the shim could potentially add extra
latency with no added benefits. latency with no added benefits.
Some other API extensions are discussed in Section 19. The actual Some other API extensions are discussed in Appendix A. The actual
API extensions are defined in [22]. API extensions are defined in [23].
4.4. Securing Shim6 4.4. Securing Shim6
The mechanisms are secured using a combination of techniques: The mechanisms are secured using a combination of techniques:
o The HBA technique [3] for verifying the locators to prevent an o The HBA technique [3] for verifying the locators to prevent an
attacker from redirecting the packet stream to somewhere else. attacker from redirecting the packet stream to somewhere else.
o Requiring a Reachability Probe+Reply /defined in [4]) before a new o Requiring a Reachability Probe+Reply (defined in [4]) before a new
locator is used as the destination, in order to prevent 3rd party locator is used as the destination, in order to prevent 3rd party
flooding attacks. flooding attacks.
o The first message does not create any state on the responder. o The first message does not create any state on the responder.
Essentially a 3-way exchange is required before the responder Essentially, a 3-way exchange is required before the responder
creates any state. This means that a state-based DoS attack creates any state. This means that a state-based DoS attack
(trying to use up all of memory on the responder) at least (trying to use up all memory on the responder) at least provides
provides an IPv6 address that the attacker was using. an IPv6 address that the attacker was using.
o The context establishment messages use nonces to prevent replay o The context-establishment messages use nonces to prevent replay
attacks, and to prevent off-path attackers from interfering with attacks and to prevent off-path attackers from interfering with
the establishment. the establishment.
o Every control message of the Shim6 protocol, past the context o Every control message of the Shim6 protocol, past the context
establishment, carry the context tag assigned to the particular establishment, carries the Context Tag assigned to the particular
context. This implies that an attacker needs to discover that context. This implies that an attacker needs to discover that
context tag before being able to spoof any Shim6 control message. Context Tag before being able to spoof any Shim6 control message.
Such discovery probably requires any potential attacker to be Such discovery probably requires any potential attacker to be
along the path in order to be sniff the context tag value. The along the path in order to sniff the Context Tag value. The
result is that through this technique, the Shim6 protocol is result is that through this technique, the Shim6 protocol is
protected against off-path attackers. protected against off-path attackers.
4.5. Overview of Shim Control Messages 4.5. Overview of Shim Control Messages
The Shim6 context establishment is accomplished using four messages; The Shim6 context establishment is accomplished using four messages;
I1, R1, I2, R2. Normally they are sent in that order from initiator I1, R1, I2, R2. Normally, they are sent in that order from initiator
and responder, respectively. Should both ends attempt to set up and responder, respectively. Should both ends attempt to set up
context state at the same time (for the same ULID pair), then their context state at the same time (for the same ULID pair), then their
I1 messages might cross in flight, and result in an immediate R2 I1 messages might cross in flight, and result in an immediate R2
message. [The names of these messages are borrowed from HIP [19].] message. (The names of these messages are borrowed from HIP [20].)
R1bis and I2bis messages are defined, which are used to recover a R1bis and I2bis messages are defined; they are used to recover a
context after it has been lost. A R1bis message is sent when a Shim6 context after it has been lost. An R1bis message is sent when a
control or Payload extension header arrives and there is no matching Shim6 control or Shim6 Payload Extension header arrives and there is
context state at the receiver. When such a message is received, it no matching context state at the receiver. When such a message is
will result in the re-creation of the Shim6 context using the I2bis received, it will result in the re-creation of the Shim6 context
and R2 messages. using the I2bis and R2 messages.
The peers' lists of locators are normally exchanged as part of the The peers' lists of locators are normally exchanged as part of the
context establishment exchange. But the set of locators might be context-establishment exchange. But the set of locators might be
dynamic. For this reason there are Update Request and Update dynamic. For this reason, there are Update Request and Update
Acknowledgement messages, and a Locator List option. Acknowledgement messages as well as a Locator List option.
Even when the list of locators is fixed, a host might determine that Even when the list of locators is fixed, a host might determine that
some preferences might have changed. For instance, it might some preferences might have changed. For instance, it might
determine that there is a locally visible failure that implies that determine that there is a locally visible failure that implies that
some locator(s) are no longer usable. This uses a Locator some locator(s) are no longer usable. This uses a Locator
Preferences option in the Update Request message. Preferences option in the Update Request message.
The mechanism for (un)reachability detection is called Forced The mechanism for (un)reachability detection is called Forced
Bidirectional Communication (FBD). FBD uses a Keepalive message Bidirectional Communication (FBD). FBD uses a Keepalive message
which is sent when a host has received packets from its peer but has which is sent when a host has received packets from its peer but has
not yet sent any packets from its ULP to the peer. The message type not yet sent any packets from its ULP to the peer. The message type
is reserved in this document, but the message format and processing is reserved in this document, but the message format and processing
rules are specified in [4]. rules are specified in [4].
In addition, when the context is established and there is a In addition, when the context is established and there is a
subsequent failure there needs to be a way to probe the set of subsequent failure, there needs to be a way to probe the set of
locator pairs to efficiently find a working pair. This document locator pairs to efficiently find a working pair. This document
reserves a Probe message type, with the packet format and processing reserves a Probe message type, with the packet format and processing
rules specified in [4]. rules specified in [4].
The above probe and keepalive messages assume we have an established The above Probe and Keepalive messages assume we have an established
ULID-pair context. However, communication might fail during the ULID-pair context. However, communication might fail during the
initial contact (that is, when the application or transport protocol initial contact (that is, when the application or transport protocol
is trying to setup some communication). This is handled using the is trying to setup some communication). This is handled using the
mechanisms in the ULP to try different address pairs as specified in mechanisms in the ULP to try different address pairs as specified in
[7] [8]. In the future versions of the protocol, and with a richer [7] and [9]. In future versions of the protocol, and with a richer
API between the ULP and the shim, the shim might be help optimize API between the ULP and the shim, the shim might be able to help
discovering a working locator pair during initial contact. This is optimize discovering a working locator pair during initial contact.
for further study. This is for further study.
4.6. Extension Header Order 4.6. Extension Header Order
Since the shim is placed between the IP endpoint sub-layer and the IP Since the shim is placed between the IP endpoint sublayer and the IP
routing sub-layer, the shim header will be placed before any endpoint routing sublayer, the Shim header will be placed before any Endpoint
extension headers (fragmentation headers, destination options header, Extension headers (Fragmentation headers, Destination Options header,
AH, ESP), but after any routing related headers (hop-by-hop AH, ESP) but after any routing-related headers (Hop-by-Hop Extensions
extensions header, routing header, a destinations options header header, Routing header, and a Destinations Options header, which
which precedes a routing header). When tunneling is used, whether precedes a Routing header). When tunneling is used, whether IP-in-IP
IP-in-IP tunneling or the special form of tunneling that Mobile IPv6 tunneling or the special form of tunneling that Mobile IPv6 uses
uses (with Home Address Options and Routing header type 2), there is (with Home Address options and Routing header type 2), there is a
a choice whether the shim applies inside the tunnel or outside the choice whether the shim applies inside the tunnel or outside the
tunnel, which affects the location of the Shim6 header. tunnel, which affects the location of the Shim6 header.
In most cases IP-in-IP tunnels are used as a routing technique, thus In most cases, IP-in-IP tunnels are used as a routing technique;
it makes sense to apply them on the locators which means that the thus, it makes sense to apply them on the locators, which means that
sender would insert the Shim6 header after any IP-in-IP the sender would insert the Shim6 header after any IP-in-IP
encapsulation; this is what occurs naturally when routers apply IP- encapsulation. This is what occurs naturally when routers apply IP-
in-IP encapsulation. Thus the packets would have: in-IP encapsulation. Thus, the packets would have:
o Outer IP header o Outer IP header
o Inner IP header o Inner IP header
o Shim6 Extension header (if needed)
o Shim6 extension header (if needed)
o ULP o ULP
But the shim can also be used to create "shimmed tunnels" i.e., where
an IP-in-IP tunnel uses the shim to be able to switch the tunnel But the shim can also be used to create "shimmed tunnels", i.e.,
endpoint addresses between different locators. In such a case the where an IP-in-IP tunnel uses the shim to be able to switch the
packets would have: tunnel endpoint addresses between different locators. In such a
case, the packets would have:
o Outer IP header o Outer IP header
o Shim6 extension header (if needed) o Shim6 Extension header (if needed)
o Inner IP header o Inner IP header
o ULP o ULP
In any case, the receiver behavior is well-defined; a receiver In any case, the receiver behavior is well-defined; a receiver
processes the extension headers in order. However, the precise processes the Extension headers in order. However, the precise
interaction between Mobile IPv6 and Shim6 is for further study, but interaction between Mobile IPv6 and Shim6 is for further study; it
it might make sense to have Mobile IPv6 operate on locators as well, might make sense to have Mobile IPv6 operate on locators as well,
meaning that the shim would be layered on top of the MIPv6 mechanism. meaning that the shim would be layered on top of the MIPv6 mechanism.
5. Message Formats 5. Message Formats
The Shim6 messages are all carried using a new IP protocol number [to The Shim6 messages are all carried using a new IP protocol number
be assigned by IANA]. The Shim6 messages have a common header, (140). The Shim6 messages have a common header (defined below) with
defined below, with some fixed fields, followed by type specific some fixed fields, followed by type-specific fields.
fields.
The Shim6 messages are structured as an IPv6 extension header since The Shim6 messages are structured as an IPv6 Extension header since
the Payload extension header is used to carry the ULP packets after a the Shim6 Payload Extension header is used to carry the ULP packets
locator switch. The Shim6 control messages use the same extension after a locator switch. The Shim6 control messages use the same
header formats so that a single "protocol number" needs to be allowed extension header formats so that a single "protocol number" needs to
through firewalls in order for Shim6 to function across the firewall. be allowed through firewalls in order for Shim6 to function across
the firewall.
5.1. Common Shim6 Message Format 5.1. Common Shim6 Message Format
The first 17 bits of the Shim6 header is common for the Payload The first 17 bits of the Shim6 header is common for the Shim6 Payload
extension header and the control messages and looks as follows: Extension header and for the control messages. It looks as follows:
0 1 0 1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Hdr Ext Len |P| | Next Header | Hdr Ext Len |P|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: The payload which follows this header. Next Header: The payload that follows this header.
Hdr Ext Len: 8-bit unsigned integer. Length of the Shim6 header in Hdr Ext Len: 8-bit unsigned integer. Length of the Shim6 header in
8-octet units, not including the first 8 octets. 8-octet units, not including the first 8 octets.
P: A single bit to distinguish Payload extension headers P: A single bit to distinguish Shim6 Payload Extension
from control messages. headers from control messages.
Shim6 signalling packets may not be larger than 1280 bytes, including Shim6 signaling packets may not be larger than 1280 bytes, including
the IPv6 header and any intermediate headers between the IPv6 header the IPv6 header and any intermediate headers between the IPv6 header
and the Shim6 header. One way to meet this requirement is to omit and the Shim6 header. One way to meet this requirement is to omit
part of the locator address information if with this information part of the locator address information if, with this information
included, the packet would become larger than 1280 bytes. Another included, the packet would become larger than 1280 bytes. Another
option is to perform option engineering, dividing into different option is to perform option engineering, dividing into different
Shim6 messages the information to be transmitted. An implementation Shim6 messages the information to be transmitted. An implementation
may impose administrative restrictions to avoid excessively large may impose administrative restrictions to avoid excessively large
Shim6 packets, such as a limitation on the number of locators to be Shim6 packets, such as a limitation on the number of locators to be
used. used.
5.2. Payload Extension Header Format 5.2. Shim6 Payload Extension Header Format
The payload extension headers is used to carry ULP packets where the The Shim6 Payload Extension header is used to carry ULP packets where
receiver must replace the content of the source and/or destination the receiver must replace the content of the Source and/or
fields in the IPv6 header before passing the packet to the ULP. Thus Destination fields in the IPv6 header before passing the packet to
this extension header is required when the locators pair that is used the ULP. Thus, this extension header is required when the locator
is not the same as the ULID pair. pair that is used is not the same as the ULID pair.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | 0 |1| | | Next Header | 0 |1| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Receiver Context Tag | | Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: The payload which follows this header. Next Header: The payload that follows this header.
Hdr Ext Len: 0 (since the header is 8 octets). Hdr Ext Len: 0 (since the header is 8 octets).
P: Set to one. A single bit to distinguish this from the P: Set to one. A single bit to distinguish this from the
Shim6 control messages. Shim6 control messages.
Receiver Context Tag: 47-bit unsigned integer. Allocated by the Receiver Context Tag:
receiver for use to identify the context. 47-bit unsigned integer. Allocated by the receiver to
identify the context.
5.3. Common Shim6 Control header 5.3. Common Shim6 Control Header
The common part of the header has a next header and header extension The common part of the header has a Next Header field and a Header
length field which is consistent with the other IPv6 extension Extension Length field that are consistent with the other IPv6
headers, even if the next header value is always "NO NEXT HEADER" for Extension headers, even if the Next Header value is always "NO NEXT
the control messages. HEADER" for the control messages.
The Shim6 headers must be a multiple of 8 octets, hence the minimum The Shim6 headers must be a multiple of 8 octets; hence, the minimum
size is 8 octets. size is 8 octets.
The common shim control message header is as follows: The common Shim6 Control message header is as follows:
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Hdr Ext Len |P| Type |Type-specific|S| | Next Header | Hdr Ext Len |P| Type |Type-specific|S|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | | | Checksum | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Type-specific format | | Type-specific format |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: 8-bit selector. Normally set to NO_NXT_HDR (59). Next Header: 8-bit selector. Normally set to NO_NXT_HDR (59).
Hdr Ext Len: 8-bit unsigned integer. Length of the Shim6 header in Hdr Ext Len: 8-bit unsigned integer. Length of the Shim6 header in
8-octet units, not including the first 8 octets. 8-octet units, not including the first 8 octets.
P: Set to zero. A single bit to distinguish this from P: Set to zero. A single bit to distinguish this from
the Shim6 payload extension header. the Shim6 Payload Extension header.
Type: 7-bit unsigned integer. Identifies the actual message Type: 7-bit unsigned integer. Identifies the actual message
from the table below. Type codes 0-63 will not from the table below. Type codes 0-63 will not
trigger R1bis messages on a missing context, while 64- trigger R1bis messages on a missing context, while
127 will trigger R1bis. codes 64-127 will trigger R1bis.
S: A single bit set to zero which allows Shim6 and HIP to S: A single bit set to zero that allows Shim6 and HIP to
have a common header format yet telling Shim6 and HIP have a common header format yet still distinguishes
messages apart. between Shim6 and HIP messages.
Checksum: 16-bit unsigned integer. The checksum is the 16-bit Checksum: 16-bit unsigned integer. The checksum is the 16-bit
one's complement of the one's complement sum of the one's complement of the one's complement sum of the
entire Shim6 header message starting with the Shim6 entire Shim6 header message, starting with the Shim6
next header field, and ending as indicated by the Hdr Next Header field and ending as indicated by the Hdr
Ext Len. Thus when there is a payload following the Ext Len. Thus, when there is a payload following the
Shim6 header, the payload is NOT included in the Shim6 Shim6 header, the payload is NOT included in the Shim6
checksum. Note that unlike protocol like ICMPv6, checksum. Note that, unlike protocols like ICMPv6,
there is no pseudo-header checksum part of the there is no pseudo-header checksum part of the
checksum, in order to provide locator agility without checksum; this provides locator agility without having
having to change the checksum. to change the checksum.
Type-specific: Part of message that is different for different Type-specific: Part of the message that is different for different
message types. message types.
+------------+-----------------------------------------------------+ +------------+----------------------------------------------------+
| Type Value | Message | | Type Value | Message |
+------------+-----------------------------------------------------+ +------------+----------------------------------------------------+
| 1 | I1 (first establishment message from the initiator) | | 1 | I1 (1st establishment message from the initiator) |
| | | | 2 | R1 (1st establishment message from the responder) |
| 2 | R1 (first establishment message from the responder) |
| | |
| 3 | I2 (2nd establishment message from the initiator) | | 3 | I2 (2nd establishment message from the initiator) |
| | |
| 4 | R2 (2nd establishment message from the responder) | | 4 | R2 (2nd establishment message from the responder) |
| | |
| 5 | R1bis (Reply to reference to non-existent context) | | 5 | R1bis (Reply to reference to non-existent context) |
| | | | 6 | I2bis (Reply to an R1bis message) |
| 6 | I2bis (Reply to a R1bis message) |
| | |
| 64 | Update Request | | 64 | Update Request |
| | |
| 65 | Update Acknowledgement | | 65 | Update Acknowledgement |
| | |
| 66 | Keepalive | | 66 | Keepalive |
| | |
| 67 | Probe Message | | 67 | Probe Message |
| | |
| 68 | Error Message | | 68 | Error Message |
+------------+-----------------------------------------------------+ +------------+----------------------------------------------------+
Table 1 Table 1
5.4. I1 Message Format 5.4. I1 Message Format
The I1 message is the first message in the context establishment The I1 message is the first message in the context-establishment
exchange. exchange.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 1 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 1 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| | | Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Initiator Context Tag | | Initiator Context Tag |
skipping to change at page 30, line 19 skipping to change at page 27, line 36
are no options. are no options.
Type: 1 Type: 1
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Initiator Context Tag: 47-bit field. The Context Tag the initiator Initiator Context Tag:
has allocated for the context. 47-bit field. The Context Tag that the initiator has
allocated for the context.
Initiator Nonce: 32-bit unsigned integer. A random number picked by Initiator Nonce:
the initiator which the responder will return in the 32-bit unsigned integer. A random number picked by
the initiator, which the responder will return in the
R1 message. R1 message.
The following options are defined for this message: The following options are defined for this message:
ULID pair: When the IPv6 source and destination addresses in the ULID pair: When the IPv6 source and destination addresses in the
IPv6 header does not match the ULID pair, this option IPv6 header does not match the ULID pair, this option
MUST be included. An example of this is when MUST be included. An example of this is when
recovering from a lost context. recovering from a lost context.
Forked Instance Identifier: When another instance of an existent Forked Instance Identifier:
context with the same ULID pair is being created, a When another instance of an existent context with the
Forked Instance Identifier option MUST be included to same ULID pair is being created, a Forked Instance
distinguish this new instance from the existent one. Identifier option MUST be included to distinguish this
new instance from the existent one.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15. option will be handled by an implementation. See Section 5.15.
5.5. R1 Message Format 5.5. R1 Message Format
The R1 message is the second message in the context establishment The R1 message is the second message in the context-establishment
exchange. The responder sends this in response to an I1 message, exchange. The responder sends this in response to an I1 message,
without creating any state specific to the initiator. without creating any state specific to the initiator.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 2 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 2 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Reserved2 | | Checksum | Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 31, line 36 skipping to change at page 29, line 5
are no options. are no options.
Type: 2 Type: 2
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on Reserved2: 16-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Initiator Nonce: 32-bit unsigned integer. Copied from the I1 Initiator Nonce:
message. 32-bit unsigned integer. Copied from the I1 message.
Responder Nonce: 32-bit unsigned integer. A number picked by the Responder Nonce:
responder which the initiator will return in the I2 32-bit unsigned integer. A number picked by the
responder, which the initiator will return in the I2
message. message.
The following options are defined for this message: The following options are defined for this message:
Responder Validator: Variable length option. This option MUST be Responder Validator:
included in the R1 message. Typically it contains a Variable length option. This option MUST be included
hash generated by the responder, which the responder in the R1 message. Typically, it contains a hash
uses together with the Responder Nonce value to verify generated by the responder, which the responder uses
that an I2 message is indeed sent in response to a R1 together with the Responder Nonce value to verify that
an I2 message is indeed sent in response to an R1
message, and that the parameters in the I2 message are message, and that the parameters in the I2 message are
the same as those in the I1 message. the same as those in the I1 message.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15. option will be handled by an implementation. See Section 5.15.
5.6. I2 Message Format 5.6. I2 Message Format
The I2 message is the third message in the context establishment The I2 message is the third message in the context-establishment
exchange. The initiator sends this in response to a R1 message, exchange. The initiator sends this in response to an R1 message,
after checking the Initiator Nonce, etc. after checking the Initiator Nonce, etc.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 3 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 3 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| | | Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Initiator Context Tag | | Initiator Context Tag |
skipping to change at page 33, line 5 skipping to change at page 30, line 19
are no options. are no options.
Type: 3 Type: 3
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Initiator Context Tag: 47-bit field. The Context Tag the initiator Initiator Context Tag:
has allocated for the context. 47-bit field. The Context Tag that the initiator has
allocated for the context.
Initiator Nonce: 32-bit unsigned integer. A random number picked by Initiator Nonce:
the initiator which the responder will return in the 32-bit unsigned integer. A random number picked by
the initiator, which the responder will return in the
R2 message. R2 message.
Responder Nonce: 32-bit unsigned integer. Copied from the R1 Responder Nonce:
message. 32-bit unsigned integer. Copied from the R1 message.
Reserved2: 32-bit field. Reserved for future use. Zero on Reserved2: 32-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. (Needed to transmit. MUST be ignored on receipt. (Needed to
make the options start on a multiple of 8 octet make the options start on a multiple of 8 octet
boundary.) boundary.)
The following options are defined for this message: The following options are defined for this message:
Responder Validator: Variable length option. This option MUST be Responder Validator:
included in the I2 message and MUST be generated Variable length option. This option MUST be included
copying the Responder Validator option received in the in the I2 message and MUST be generated by copying the
R1 message. Responder Validator option received in the R1 message.
ULID pair: When the IPv6 source and destination addresses in the ULID pair: When the IPv6 source and destination addresses in the
IPv6 header does not match the ULID pair, this option IPv6 header do not match the ULID pair, this option
MUST be included. An example of this is when MUST be included. An example of this is when
recovering from a lost context. recovering from a lost context.
Forked Instance Identifier: When another instance of an existent Forked Instance Identifier:
context with the same ULID pair is being created, a When another instance of an existent context with the
Forked Instance Identifier option MUST be included to same ULID pair is being created, a Forked Instance
distinguish this new instance from the existent one. Identifier option MUST be included to distinguish this
new instance from the existent one.
Locator list: Optionally sent when the initiator immediately wants Locator List: Optionally sent when the initiator immediately wants
to tell the responder its list of locators. When it to tell the responder its list of locators. When it
is sent, the necessary HBA/CGA information for is sent, the necessary HBA/CGA information for
verifying the locator list MUST also be included. verifying the locator list MUST also be included.
Locator Preferences: Optionally sent when the locators don't all Locator Preferences:
have equal preference. Optionally sent when the locators don't all have equal
preference.
CGA Parameter Data Structure: This option MUST be included in the I2 CGA Parameter Data Structure:
message when the locator list is included so the This option MUST be included in the I2 message when
receiver can verify the locator list. the locator list is included so the receiver can
verify the locator list.
CGA Signature: This option MUST be included in the I2 message when CGA Signature: This option MUST be included in the I2 message when
some of the locators in the list use CGA (and not HBA) some of the locators in the list use CGA (and not HBA)
for verification. for verification.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15. option will be handled by an implementation. See Section 5.15.
5.7. R2 Message Format 5.7. R2 Message Format
The R2 message is the fourth message in the context establishment The R2 message is the fourth message in the context-establishment
exchange. The responder sends this in response to an I2 message. exchange. The responder sends this in response to an I2 message.
The R2 message is also used when both hosts send I1 messages at the The R2 message is also used when both hosts send I1 messages at the
same time and the I1 messages cross in flight. same time and the I1 messages cross in flight.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 4 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 4 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| | | Checksum |R| |
skipping to change at page 34, line 47 skipping to change at page 32, line 36
are no options. are no options.
Type: 4 Type: 4
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Responder Context Tag: 47-bit field. The Context Tag the responder Responder Context Tag:
has allocated for the context. 47-bit field. The Context Tag that the responder has
allocated for the context.
Initiator Nonce: 32-bit unsigned integer. Copied from the I2 Initiator Nonce:
message. 32-bit unsigned integer. Copied from the I2 message.
The following options are defined for this message: The following options are defined for this message:
Locator List: Optionally sent when the responder immediately wants Locator List: Optionally sent when the responder immediately wants
to tell the initiator its list of locators. When it to tell the initiator its list of locators. When it
is sent, the necessary HBA/CGA information for is sent, the necessary HBA/CGA information for
verifying the locator list MUST also be included. verifying the locator list MUST also be included.
Locator Preferences: Optionally sent when the locators don't all Locator Preferences:
have equal preference. Optionally sent when the locators don't all have equal
preference.
CGA Parameter Data Structure: Included when the locator list is CGA Parameter Data Structure:
included so the receiver can verify the locator list. Included when the locator list is included so the
receiver can verify the locator list.
CGA Signature: Included when the some of the locators in the list use CGA Signature: Included when some of the locators in the list use CGA
CGA (and not HBA) for verification. (and not HBA) for verification.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15. option will be handled by an implementation. See Section 5.15.
5.8. R1bis Message Format 5.8. R1bis Message Format
Should a host receive a packet with a shim Payload extension header Should a host receive a packet with a Shim6 Payload Extension header
or Shim6 control message with type code 64-127 (such as an Update or or Shim6 control message with type code 64-127 (such as an Update or
Probe message), and the host does not have any context state for the Probe message), and the host does not have any context state for the
received context tag, then it will generate a R1bis message. received Context Tag, then it will generate a R1bis message.
This message allows the sender of the packet referring to the non- This message allows the sender of the packet referring to the non-
existent context to re-establish the context with a reduced context existent context to re-establish the context with a reduced context-
establishment exchange. Upon the reception of the R1bis message, the establishment exchange. Upon the reception of the R1bis message, the
receiver can proceed reestablishing the lost context by directly receiver can proceed with re-establishing the lost context by
sending an I2bis message. directly sending an I2bis message.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 5 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 5 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| | | Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Packet Context Tag | | Packet Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 36, line 29 skipping to change at page 34, line 4
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: NO_NXT_HDR (59). Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets when there Hdr Ext Len: At least 1, since the header is 16 octets when there
are no options. are no options.
Type: 5 Type: 5
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Packet Context Tag: 47-bit unsigned integer. The context tag Packet Context Tag:
contained in the received packet that triggered the 47-bit unsigned integer. The Context Tag contained in
generation of the R1bis message. the received packet that triggered the generation of
the R1bis message.
Responder Nonce: 32-bit unsigned integer. A number picked by the Responder Nonce:
32-bit unsigned integer. A number picked by the
responder which the initiator will return in the I2bis responder which the initiator will return in the I2bis
message. message.
The following options are defined for this message: The following options are defined for this message:
Responder Validator: Variable length option. Typically a hash Responder Validator:
generated by the responder, which the responder uses Variable length option. Typically, a hash generated
together with the Responder Nonce value to verify that by the responder, which the responder uses together
an I2bis message is indeed sent in response to a R1bis with the Responder Nonce value to verify that an I2bis
message is indeed sent in response to an R1bis
message. message.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15. option will be handled by an implementation. See Section 5.15.
5.9. I2bis Message Format 5.9. I2bis Message Format
The I2bis message is the third message in the context recovery The I2bis message is the third message in the context-recovery
exchange. This is sent in response to a R1bis message, after exchange. This is sent in response to an R1bis message, after
checking that the R1bis message refers to an existing context, etc. checking that the R1bis message refers to an existing context, etc.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 6 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 6 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| | | Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Initiator Context Tag | | Initiator Context Tag |
skipping to change at page 38, line 8 skipping to change at page 35, line 44
are no options. are no options.
Type: 6 Type: 6
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Initiator Context Tag: 47-bit field. The Context Tag the initiator Initiator Context Tag:
has allocated for the context. 47-bit field. The Context Tag that the initiator has
allocated for the context.
Initiator Nonce: 32-bit unsigned integer. A random number picked by Initiator Nonce:
the initiator which the responder will return in the 32-bit unsigned integer. A random number picked by
the initiator, which the responder will return in the
R2 message. R2 message.
Responder Nonce: 32-bit unsigned integer. Copied from the R1bis Responder Nonce:
32-bit unsigned integer. Copied from the R1bis
message. message.
Reserved2: 49-bit field. Reserved for future use. Zero on Reserved2: 49-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. (Note that 17 transmit. MUST be ignored on receipt. (Note that 17
bits are not sufficient since the options need start bits are not sufficient since the options need to
on a multiple of 8 octet boundary.) start on a multiple-of-8-octet boundary.)
Packet Context Tag: 47-bit unsigned integer. Copied from the Packet Packet Context Tag:
Context Tag contained in the received R1bis. 47-bit unsigned integer. Copied from the Packet
Context Tag field contained in the received R1bis.
The following options are defined for this message: The following options are defined for this message:
Responder Validator: Variable length option. Just a copy of the Responder Validator:
Responder Validator option in the R1bis message. Variable length option. Just a copy of the Responder
Validator option in the R1bis message.
ULID pair: When the IPv6 source and destination addresses in the ULID pair: When the IPv6 source and destination addresses in the
IPv6 header does not match the ULID pair, this option IPv6 header do not match the ULID pair, this option
MUST be included. MUST be included.
Forked Instance Identifier: When another instance of an existent Forked Instance Identifier:
context with the same ULID pair is being created, a When another instance of an existent context with the
Forked Instance Identifier option is included to same ULID pair is being created, a Forked Instance
distinguish this new instance from the existent one. Identifier option is included to distinguish this new
instance from the existent one.
Locator list: Optionally sent when the initiator immediately wants Locator List: Optionally sent when the initiator immediately wants
to tell the responder its list of locators. When it to tell the responder its list of locators. When it
is sent, the necessary HBA/CGA information for is sent, the necessary HBA/CGA information for
verifying the locator list MUST also be included. verifying the locator list MUST also be included.
Locator Preferences: Optionally sent when the locators don't all Locator Preferences:
have equal preference. Optionally sent when the locators don't all have equal
preference.
CGA Parameter Data Structure: Included when the locator list is CGA Parameter Data Structure:
included so the receiver can verify the locator list. Included when the locator list is included so the
receiver can verify the locator list.
CGA Signature: Included when the some of the locators in the list use CGA Signature: Included when some of the locators in the list use CGA
CGA (and not HBA) for verification. (and not HBA) for verification.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15. option will be handled by an implementation. See Section 5.15.
5.10. Update Request Message Format 5.10. Update Request Message Format
The Update Request Message is used to update either the list of The Update Request message is used to update either the list of
locators, the locator preferences, and both. When the list of locators, the locator preferences, or both. When the list of
locators is updated, the message also contains the option(s) locators is updated, the message also contains the option(s)
necessary for HBA/CGA to secure this. The basic sanity check that necessary for HBA/CGA to secure this. The basic sanity check that
prevents off-path attackers from generating bogus updates is the prevents off-path attackers from generating bogus updates is the
context tag in the message. Context Tag in the message.
The update message contains options (the Locator List and the Locator The Update Request message contains options (the Locator List and the
Preferences) that, when included, completely replace the previous Locator Preferences) that, when included, completely replace the
locator list and locator preferences, respectively. Thus there is no previous locator list and locator preferences, respectively. Thus,
mechanism to just send deltas to the locator list. there is no mechanism to just send deltas to the locator list.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 64 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 64 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| | | Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Receiver Context Tag | | Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 40, line 4 skipping to change at page 37, line 43
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Next Header: NO_NXT_HDR (59). Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets when there Hdr Ext Len: At least 1, since the header is 16 octets when there
are no options. are no options.
Type: 64 Type: 64
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Receiver Context Tag: 47-bit field. The Context Tag the receiver Receiver Context Tag:
has allocated for the context. 47-bit field. The Context Tag that the receiver has
allocated for the context.
Request Nonce: 32-bit unsigned integer. A random number picked by Request Nonce:
the initiator which the peer will return in the 32-bit unsigned integer. A random number picked by
acknowledgement message. the initiator, which the peer will return in the
Update Acknowledgement message.
The following options are defined for this message: The following options are defined for this message:
Locator List: The list of the sender's (new) locators. The locators Locator List: The list of the sender's (new) locators. The locators
might be unchanged and only the preferences have might be unchanged and only the preferences have
changed. changed.
Locator Preferences: Optionally sent when the locators don't all Locator Preferences:
have equal preference. Optionally sent when the locators don't all have equal
preference.
CGA Parameter Data Structure (PDS): Included when the locator list CGA Parameter Data Structure (PDS):
is included and the PDS was not included in the I2/ Included when the locator list is included and the PDS
I2bis/R2 messages, so the receiver can verify the was not included in the I2/ I2bis/R2 messages, so the
locator list. receiver can verify the locator list.
CGA Signature: Included when the some of the locators in the list use CGA Signature: Included when some of the locators in the list use CGA
CGA (and not HBA) for verification. (and not HBA) for verification.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15. option will be handled by an implementation. See Section 5.15.
5.11. Update Acknowledgement Message Format 5.11. Update Acknowledgement Message Format
This message is sent in response to a Update Request message. It This message is sent in response to an Update Request message. It
implies that the Update Request has been received, and that any new implies that the Update Request has been received and that any new
locators in the Update Request can now be used as the source locators locators in the Update Request can now be used as the source locators
of packets. But it does not imply that the (new) locators have been of packets. But it does not imply that the (new) locators have been
verified to be used as a destination, since the host might defer the verified to be used as a destination, since the host might defer the
verification of a locator until it sees a need to use a locator as verification of a locator until it sees a need to use a locator as
the destination. the destination.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 65 | Reserved1 |0| | 59 | Hdr Ext Len |0| Type = 65 | Reserved1 |0|
skipping to change at page 41, line 36 skipping to change at page 39, line 36
are no options. are no options.
Type: 65 Type: 65
Reserved1: 7-bit field. Reserved for future use. Zero on Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. transmit. MUST be ignored on receipt.
Receiver Context Tag: 47-bit field. The Context Tag the receiver Receiver Context Tag:
has allocated for the context. 47-bit field. The Context Tag the receiver has
allocated for the context.
Request Nonce: 32-bit unsigned integer. Copied from the Update Request Nonce: 32-bit unsigned integer. Copied from the Update
Request message. Request message.
No options are currently defined for this message. No options are currently defined for this message.
Future protocol extensions might define additional options for this Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15. option will be handled by an implementation. See Section 5.15.
skipping to change at page 42, line 14 skipping to change at page 40, line 20
on a context, it always receives some packets in the reverse on a context, it always receives some packets in the reverse
direction. When the ULP is sending bidirectional traffic, no extra direction. When the ULP is sending bidirectional traffic, no extra
packets need to be inserted. But for a unidirectional ULP traffic packets need to be inserted. But for a unidirectional ULP traffic
pattern, the shim will send back some Keepalive messages when it is pattern, the shim will send back some Keepalive messages when it is
receiving ULP packets. receiving ULP packets.
5.13. Probe Message Format 5.13. Probe Message Format
This message and its semantics are defined in [4]. This message and its semantics are defined in [4].
The goal of this mechanism is to test whether locator pairs work or The goal of this mechanism is to test whether or not locator pairs
not in the general case. In particular, this mechanism is to be able work in the general case. In particular, this mechanism is to be
to handle the case when one locator pair works in from A to B, and able to handle the case when one locator pair works from A to B and
another locator pair works from B to A, but there is no locator pair another locator pair works from B to A, but there is no locator pair
which works in both directions. The protocol mechanism is that as A that works in both directions. The protocol mechanism is that, as A
is sending probe messages to B, B will observe which locator pairs it is sending Probe messages to B, B will observe which locator pairs it
has received from and report that back in probe messages it is has received and report that back in Probe messages it sends to A.
sending to A.
5.14. Error Message Format 5.14. Error Message Format
The Error Message is generated by a Shim6 receiver upon the reception The Error message is generated by a Shim6 receiver upon the reception
of a Shim6 message containing critical information that cannot be of a Shim6 message containing critical information that cannot be
processed properly. processed properly.
In the case that a Shim6 node receives a Shim6 packet which contains In the case that a Shim6 node receives a Shim6 packet that contains
information that is critical for the Shim6 protocol that is not information that is critical for the Shim6 protocol and that is not
supported by the receiver, it sends an Error Message back to the supported by the receiver, it sends an Error Message back to the
originator of the Shim6 message. The Error Message is originator of the Shim6 message. The Error message is
unacknowledged. unacknowledged.
In addition, Shim6 Error messages defined in this section can be used In addition, Shim6 Error messages defined in this section can be used
to identify problems with Shim6 implementations. In order to do to identify problems with Shim6 implementations. In order to do so,
that, a range of Error Code Types is reserved for that purpose. In a range of Error Code types is reserved for that purpose. In
particular, implementations may generate Shim6 Error messages with particular, implementations may generate Shim6 Error messages with
Code Type in that range instead of silently discarding Shim6 packets Code types in that range, instead of silently discarding Shim6
during the debugging process. packets during the debugging process.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 68 | Error Code |0| | 59 | Hdr Ext Len |0| Type = 68 | Error Code |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Pointer | | Checksum | Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Packet in error + + Packet in error +
skipping to change at page 43, line 16 skipping to change at page 41, line 27
Fields: Fields:
Next Header: NO_NXT_HDR (59). Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets. Depends on Hdr Ext Len: At least 1, since the header is 16 octets. Depends on
the specific Error Data. the specific Error Data.
Type: 68 Type: 68
Error Code: 7-bit field describing the error that generated the Error Code: 7-bit field describing the error that generated the
Error Message. See Error Code list below Error message. See Error Code list below.
Pointer: 16-bit field.Identifies the octet offset within the Pointer: 16-bit field.Identifies the octet offset within the
invoking packet where the error was detected. invoking packet where the error was detected.
Packet in error: As much of invoking packet as possible without the Packet in error:
As much of invoking packet as possible without the
Error message packet exceeding the minimum IPv6 MTU. Error message packet exceeding the minimum IPv6 MTU.
The following Error Codes are defined: The following Error Codes are defined:
+---------+---------------------------------------------------------+ +---------+---------------------------------------------------------+
| Code | Description | | Code | Description |
| Value | | | Value | |
+---------+---------------------------------------------------------+ +---------+---------------------------------------------------------+
| 0 | Unknown Shim6 message type | | 0 | Unknown Shim6 message type |
| | | | 1 | Critical option not recognized |
| 1 | Critical Option not recognized |
| | |
| 2 | Locator verification method failed (Pointer to the | | 2 | Locator verification method failed (Pointer to the |
| | inconsistent Verification method octet) | | | inconsistent verification method octet) |
| | |
| 3 | Locator List Generation number out of sync. | | 3 | Locator List Generation number out of sync. |
| | |
| 4 | Error in the number of locators in a Locator Preference | | 4 | Error in the number of locators in a Locator Preference |
| | option | | | option |
| | |
| 120-127 | Reserved for debugging purposes | | 120-127 | Reserved for debugging purposes |
+---------+---------------------------------------------------------+ +---------+---------------------------------------------------------+
Table 2 Table 2
5.15. Option Formats 5.15. Option Formats
The format of the options is a snapshot of the current HIP option The format of the options is a snapshot of the current HIP option
format [19]. However, there is no intention to track any changes to format [20]. However, there is no intention to track any changes to
the HIP option format, nor is there an intent to use the same name the HIP option format, nor is there an intent to use the same name
space for the option type values. But using the same format will space for the option type values. But using the same format will
hopefully make it easier to import HIP capabilities into Shim6 as hopefully make it easier to import HIP capabilities into Shim6 as
extensions to Shim6, should this turn out to be useful. extensions to Shim6, should this turn out to be useful.
All of the TLV parameters have a length (including Type and Length All of the TLV parameters have a length (including Type and Length
fields) which is a multiple of 8 bytes. When needed, padding MUST be fields) that is a multiple of 8 bytes. When needed, padding MUST be
added to the end of the parameter so that the total length becomes a added to the end of the parameter so that the total length becomes a
multiple of 8 bytes. This rule ensures proper alignment of data. If multiple of 8 bytes. This rule ensures proper alignment of data. If
padding is added, the Length field MUST NOT include the padding. Any padding is added, the Length field MUST NOT include the padding. Any
added padding bytes MUST be zeroed by the sender, and their values added padding bytes MUST be zeroed by the sender, and their values
SHOULD NOT be checked by the receiver. SHOULD NOT be checked by the receiver.
Consequently, the Length field indicates the length of the Contents Consequently, the Length field indicates the length of the Contents
field (in bytes). The total length of the TLV parameter (including field (in bytes). The total length of the TLV parameter (including
Type, Length, Contents, and Padding) is related to the Length field Type, Length, Contents, and Padding) is related to the Length field
according to the following formula: according to the following formula:
Total Length = 11 + Length - (Length + 3) mod 8; Total Length = 11 + Length - (Length + 3) mod 8;
The Total Length of the option is the smallest multiple of 8 bytes The total length of the option is the smallest multiple of 8 bytes
that allows for the 4 bytes of option header and the option itself. that allows for the 4 bytes of the Option header and option, itself.
The amount of padding required can be calculated as follows: The amount of padding required can be calculated as follows:
padding = 7 - ((Length + 3) mod 8) padding = 7 - ((Length + 3) mod 8)
And: And:
Total Length = 4 + Length + padding Total Length = 4 + Length + padding
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
skipping to change at page 44, line 43 skipping to change at page 43, line 4
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type |C| Length | | Type |C| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ~ ~ ~
~ Contents ~ ~ Contents ~
~ +-+-+-+-+-+-+-+-+ ~ +-+-+-+-+-+-+-+-+
~ | Padding | ~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Type: 15-bit identifier of the type of option. The options Type: 15-bit identifier of the type of option. The options
defined in this document are below. defined in this document are below.
C: Critical. One if this parameter is critical, and MUST C: Critical. One, if this parameter is critical and MUST
be recognized by the recipient, zero otherwise. An be recognized by the recipient; zero otherwise. An
implementation might view the C bit as part of the implementation might view the C-bit as part of the
Type field, by multiplying the type values in this Type field by multiplying the type values in this
specification by two. specification by two.
Length: Length of the Contents, in bytes. Length: Length of the Contents, in bytes.
Contents: Parameter specific, defined by Type. Contents: Parameter-specific, defined by Type.
Padding: Padding, 0-7 bytes, added if needed. Padding: Padding, 0-7 bytes, added if needed.
+------+------------------------------+ +------+------------------------------+
| Type | Option Name | | Type | Option Name |
+------+------------------------------+ +------+------------------------------+
| 1 | Responder Validator | | 1 | Responder Validator |
| | |
| 2 | Locator List | | 2 | Locator List |
| | |
| 3 | Locator Preferences | | 3 | Locator Preferences |
| | |
| 4 | CGA Parameter Data Structure | | 4 | CGA Parameter Data Structure |
| | |
| 5 | CGA Signature | | 5 | CGA Signature |
| | |
| 6 | ULID Pair | | 6 | ULID Pair |
| | |
| 7 | Forked Instance Identifier | | 7 | Forked Instance Identifier |
| | |
| 10 | Keepalive Timeout Option | | 10 | Keepalive Timeout Option |
+------+------------------------------+ +------+------------------------------+
Table 3 Table 3
Future protocol extensions might define additional options for the Future protocol extensions might define additional options for the
Shim6 messages. The C-bit in the option format defines how such a Shim6 messages. The C-bit in the option format defines how such a
new option will be handled by an implementation. new option will be handled by an implementation.
If a host receives an option that it does not understand (an option If a host receives an option that it does not understand (an option
that was defined in some future extension to this protocol) or is not that was defined in some future extension to this protocol) or that
listed as a valid option for the different message types above, then is not listed as a valid option for the different message types
the Critical bit in the option determines the outcome. above, then the Critical bit in the option determines the outcome.
o If C=0 then the option is silently ignored, and the rest of the o If C=0, then the option is silently ignored, and the rest of the
message is processed. message is processed.
o If C=1 then the host SHOULD send back a Shim6 Error Message with o If C=1, then the host SHOULD send back a Shim6 Error message with
Error Code=1, with the Pointer referencing the first octet in the Error Code=1, with the Pointer field referencing the first octet
Option Type field. When C=1 the rest of the message MUST NOT be in the Option Type field. When C=1, the rest of the message MUST
processed. NOT be processed.
5.15.1. Responder Validator Option Format 5.15.1. Responder Validator Option Format
The responder can choose exactly what input is used to compute the The responder can choose exactly what input is used to compute the
validator, and what one-way function (such as MD5, SHA1) it uses, as validator and what one-way function (such as MD5 or SHA1) it uses, as
long as the responder can check that the validator it receives back long as the responder can check that the validator it receives back
in the I2 or I2bis message is indeed one that: in the I2 or I2bis message is indeed one that:
1)- it computed, 1) computed,
2)- it computed for the particular context, and 2) computed for the particular context, and
3)- that it isn't a replayed I2/I2bis message. 3) isn't a replayed I2/I2bis message.
Some suggestions on how to generate the validators are captured in Some suggestions on how to generate the validators are captured in
Section 7.10.1 and Section 7.17.1. Sections 7.10.1 and 7.17.1.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 1 |0| Length | | Type = 1 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Validator ~ ~ Validator ~
~ +-+-+-+-+-+-+-+-+ ~ +-+-+-+-+-+-+-+-+
~ | Padding | ~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 46, line 43 skipping to change at page 44, line 41
Fields: Fields:
Validator: Variable length content whose interpretation is local Validator: Variable length content whose interpretation is local
to the responder. to the responder.
Padding: Padding, 0-7 bytes, added if needed. See Padding: Padding, 0-7 bytes, added if needed. See
Section 5.15. Section 5.15.
5.15.2. Locator List Option Format 5.15.2. Locator List Option Format
The Locator List Option is used to carry all the locators of the The Locator List option is used to carry all the locators of the
sender. Note that the order of the locators is important, since the sender. Note that the order of the locators is important, since the
Locator Preferences refers to the locators by using the index in the Locator Preferences option refers to the locators by using the index
list. in the list.
Note that we carry all the locators in this option even though some Note that we carry all the locators in this option even though some
of them can be created automatically from the CGA Parameter Data of them can be created automatically from the CGA Parameter Data
Structure. Structure.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 2 |0| Length | | Type = 2 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
skipping to change at page 47, line 23 skipping to change at page 45, line 23
+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+ |
~ ~ ~ ~
~ +-+-+-+-+-+-+-+-+ ~ +-+-+-+-+-+-+-+-+
~ | Padding | ~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Locators 1 through N ~ ~ Locators 1 through N ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Locator List Generation: 32-bit unsigned integer. Indicates a Locator List Generation:
generation number which is increased by one for each 32-bit unsigned integer. Indicates a generation
new locator list. This is used to ensure that the number that is increased by one for each new locator
index in the Locator Preferences refer to the right list. This is used to ensure that the index in the
version of the locator list. Locator Preferences refers to the right version of the
locator list.
Num Locators: 8-bit unsigned integer. The number of locators that Num Locators: 8-bit unsigned integer. The number of locators that
are included in the option. We call this number "N" are included in the option. We call this number "N"
below. below.
Verification Method: N octets. The i'th octet specifies the Verification Method:
verification method for the i'th locator. N octets. The ith octet specifies the verification
method for the ith locator.
Padding: Padding, 0-7 bytes, added if needed so that the Padding: Padding, 0-7 bytes, added if needed so that the
Locators start on a multiple of 8 octet boundary. Locators start on a multiple-of-8-octet boundary.
NOTE that for this option there is never a need to pad Note that for this option, there is never a need to
at the end, since the locators are a multiple of 8 pad at the end since the Locators are a multiple-of-8-
octets in length. This internal padding is included octets in length. This internal padding is included
in the length field. in the Length field.
Locators: N 128-bit locators. Locators: N 128-bit locators.
The defined verification methods are: The defined verification methods are:
+-------+----------+ +---------+----------------------------------+
| Value | Method | | Value | Method |
+-------+----------+ +---------+----------------------------------+
| 0 | Reserved | | 0 | Reserved |
| | |
| 1 | HBA | | 1 | HBA |
| | |
| 2 | CGA | | 2 | CGA |
| | | | 3-200 | Allocated using Standards action |
| 3-255 | Reserved | | 201-254 | Experimental use |
+-------+----------+ | 255 | Reserved |
+---------+----------------------------------+
Table 4 Table 4
5.15.3. Locator Preferences Option Format 5.15.3. Locator Preferences Option Format
The Locator Preferences option can have some flags to indicate The Locator Preferences option can have some flags to indicate
whether or not a locator is known to work. In addition, the sender whether or not a locator is known to work. In addition, the sender
can include a notion of preferences. It might make sense to define can include a notion of preferences. It might make sense to define
"preferences" as a combination of priority and weight the same way "preferences" as a combination of priority and weight, the same way
that DNS SRV records has such information. The priority would that DNS SRV records have such information. The priority would
provide a way to rank the locators, and within a given priority, the provide a way to rank the locators, and, within a given priority, the
weight would provide a way to do some load sharing. See [5] for how weight would provide a way to do some load sharing. See [5] for how
SRV defines the interaction of priority and weight. SRV defines the interaction of priority and weight.
The minimum notion of preferences we need is to be able to indicate The minimum notion of preferences we need is to be able to indicate
that a locator is "dead". We can handle this using a single octet that a locator is "dead". We can handle this using a single octet
flag for each locator. flag for each locator.
We can extend that by carrying a larger "element" for each locator. We can extend that by carrying a larger "element" for each locator.
This document presently also defines 2-octet and 3-octet elements, This document presently also defines 2-octet and 3-octet elements,
and we can add more information by having even larger elements if and we can add more information by having even larger elements if
need be. need be.
The locators are not included in the preference list. Instead, the The locators are not included in the preference list. Instead, the
first element refers to locator that was in the first element in the first element refers to the locator that was in the first element in
Locator List option. The generation number carried in this option the Locator List option. The generation number carried in this
and the Locator List option is used to verify that they refer to the option and the Locator List option is used to verify that they refer
same version of the locator list. to the same version of the locator list.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 3 |0| Length | | Type = 3 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Locator List Generation | | Locator List Generation |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Element Len | Element[1] | Element[2] | Element[3] | | Element Len | Element[1] | Element[2] | Element[3] |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ... ~ ~ ... ~
~ +-+-+-+-+-+-+-+-+ ~ +-+-+-+-+-+-+-+-+
~ | Padding | ~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Case of Element Len = 1 is depicted. Case of Element Len = 1 is depicted.
Fields: Fields:
Locator List Generation: 32-bit unsigned integer. Indicates a Locator List Generation:
generation number for the locator list to which the 32-bit unsigned integer. Indicates a generation
elements should apply. number for the locator list to which the elements
should apply.
Element Len: 8-bit unsigned integer. The length in octets of each Element Len: 8-bit unsigned integer. The length in octets of each
element. This specification defines the cases when element. This specification defines the cases when
the length is 1, 2, or 3. the length is 1, 2, or 3.
Element[i]: A field with a number of octets defined by the Element Element[i]: A field with a number of octets defined by the Element
Len field. Provides preferences for the i'th locator Len field. Provides preferences for the ith locator
in the Locator List option that is in use. in the Locator List option that is in use.
Padding: Padding, 0-7 bytes, added if needed. See Padding: Padding, 0-7 bytes, added if needed. See
Section 5.15. Section 5.15.
When the Element length equals one, then the element consists of only When the Element length equals one, then the element consists of only
a one octet flags field. The currently defined set of flags are: a one-octet Flags field. The currently defined set of flags are:
BROKEN: 0x01 BROKEN: 0x01
TRANSIENT: 0x02 TRANSIENT: 0x02
The intent of the BROKEN flag is to inform the peer that a given The intent of the BROKEN flag is to inform the peer that a given
locator is known to be not working. The intent of TRANSIENT is to locator is known to be not working. The intent of TRANSIENT is to
allow the distinction between more stable addresses and less stable allow the distinction between more stable addresses and less stable
addresses when Shim6 is combined with IP mobility, when we might have addresses when Shim6 is combined with IP mobility, and when we might
more stable home locators, and less stable care-of-locators. have more stable home locators and less stable care-of-locators.
When the Element length equals two, then the element consists of a 1 When the Element length equals two, then the element consists of a
octet flags field followed by a 1 octet priority field. The priority one-octet Flags field followed by a one-octet Priority field. This
has the same semantics as the priority in DNS SRV records. Priority field has the same semantics as the Priority field in DNS
SRV records.
When the Element length equals three, then the element consists of a When the Element length equals three, then the element consists of a
1 octet flags field followed by a 1 octet priority field, and a 1 one-octet Flags field followed by a one-octet Priority field and a
octet weight field. The weight has the same semantics as the weight one-octet Weight field. This Weight field has the same semantics as
in DNS SRV records. the Weight field in DNS SRV records.
This document doesn't specify the format when the Element length is This document doesn't specify the format when the Element length is
more than three, except that any such formats MUST be defined so that more than three, except that any such formats MUST be defined so that
the first three octets are the same as in the above case, that is, a the first three octets are the same as in the above case, that is, a
of a 1 octet flags field followed by a 1 octet priority field, and a one-octet Flags field followed by a one-octet Priority field, and a
1 octet weight field. one-octet Weight field.
5.15.4. CGA Parameter Data Structure Option Format 5.15.4. CGA Parameter Data Structure Option Format
This option contains the CGA Parameter Data Structure (PDS). When This option contains the CGA Parameter Data Structure (PDS). When
HBA is used to verify the locators, the PDS contains the HBA HBA is used to verify the locators, the PDS contains the HBA
multiprefix extension in addition to the PDS mandatory fields and multiprefix extension in addition to the PDS mandatory fields and
other extensions unrelated to Shim6 that the PDS might have. When other extensions unrelated to Shim6 that the PDS might have. When
CGA is used to verify the locators, in addition to the PDS option, CGA is used to verify the locators, in addition to the PDS option,
the host also needs to include the signature in the form of a CGA the host also needs to include the signature in the form of a CGA
Signature option. Signature option.
skipping to change at page 50, line 39 skipping to change at page 48, line 43
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 4 |0| Length | | Type = 4 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ CGA Parameter Data Structure ~ ~ CGA Parameter Data Structure ~
~ +-+-+-+-+-+-+-+-+ ~ +-+-+-+-+-+-+-+-+
~ | Padding | ~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
CGA Parameter Data Structure: Variable length content. Content CGA Parameter Data Structure:
defined in [2] and [3]. Variable length content. Content defined in [2] and
[3].
Padding: Padding, 0-7 bytes, added if needed. See Padding: Padding, 0-7 bytes, added if needed. See
Section 5.15. Section 5.15.
5.15.5. CGA Signature Option Format 5.15.5. CGA Signature Option Format
When CGA is used for verification of one or more of the locators in When CGA is used for verification of one or more of the locators in
the Locator List option, then the message in question will need to the Locator List option, then the message in question will need to
contain this option. contain this option.
skipping to change at page 51, line 22 skipping to change at page 49, line 28
~ | Padding | ~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
CGA Signature: A variable-length field containing a PKCS#1 v1.5 CGA Signature: A variable-length field containing a PKCS#1 v1.5
signature, constructed by using the sender's private signature, constructed by using the sender's private
key over the following sequence of octets: key over the following sequence of octets:
1. The 128-bit CGA Message Type tag [CGA] value for 1. The 128-bit CGA Message Type tag [CGA] value for
Shim6, 0x4A 30 5662 4858 574B 3655 416F 506A 6D48. Shim6: 0x4A 30 5662 4858 574B 3655 416F 506A 6D48.
(The tag value has been generated randomly by the (The tag value has been generated randomly by the
editor of this specification.). editor of this specification.).
2. The Locator List Generation value of the 2. The Locator List Generation number of the
correspondent Locator List Option. correspondent Locator List option.
3. The subset of locators included in the 3. The subset of locators included in the
correspondent Locator List Option which correspondent Locator List option whose
verification method is set to CGA. The locators verification method is set to CGA. The locators
MUST be included in the order they are listed in MUST be included in the order in which they are
the Locator List Option. listed in the Locator List Option.
Padding: Padding, 0-7 bytes, added if needed. See Padding: Padding, 0-7 bytes, added if needed. See
Section 5.15. Section 5.15.
5.15.6. ULID Pair Option Format 5.15.6. ULID Pair Option Format
I1, I2, and I2bis messages MUST contain the ULID pair; normally this I1, I2, and I2bis messages MUST contain the ULID pair; normally, this
is in the IPv6 source and destination fields. In case that the ULID is in the IPv6 Source and Destination fields. In case the ULID for
for the context differ from the address pair included in the source the context differs from the address pair included in the Source and
and destination address fields of the IPv6 packet used to carry the Destination Address fields of the IPv6 packet used to carry the I1/
I1/I2/I2bis message, the ULID pair option MUST be included in the I1/ I2/I2bis message, the ULID Pair option MUST be included in the I1/I2/
I2/I2bis message. I2bis message.
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 6 |0| Length = 36 | | Type = 6 |0| Length = 36 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved2 | | Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Sender ULID + + Sender ULID +
skipping to change at page 52, line 25 skipping to change at page 50, line 25
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
+ Receiver ULID + + Receiver ULID +
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Reserved2: 32-bit field. Reserved for future use. Zero on Reserved2: 32-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. (Needed to transmit. MUST be ignored on receipt. (Needed to
make the ULIDs start on a multiple of 8 octet make the ULIDs start on a multiple-of-8-octet
boundary.) boundary.)
Sender ULID: A 128-bit IPv6 address. Sender ULID: A 128-bit IPv6 address.
Receiver ULID: A 128-bit IPv6 address. Receiver ULID: A 128-bit IPv6 address.
5.15.7. Forked Instance Identifier Option Format 5.15.7. Forked Instance Identifier Option Format
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 7 |0| Length = 4 | | Type = 7 |0| Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Forked Instance Identifier | | Forked Instance Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields: Fields:
Forked Instance Identifier: 32-bit field containing the identifier Forked Instance Identifier:
of the particular forked instance. 32-bit field containing the identifier of the
particular forked instance.
5.15.8. Keepalive Timeout Option Format 5.15.8. Keepalive Timeout Option Format
This option is defined in [4]. This option is defined in [4].
6. Conceptual Model of a Host 6. Conceptual Model of a Host
This section describes a conceptual model of one possible data This section describes a conceptual model of one possible data
structure organization that hosts will maintain for the purposes of structure organization that hosts will maintain for the purposes of
Shim6. The described organization is provided to facilitate the Shim6. The described organization is provided to facilitate the
explanation of how the Shim6 protocol should behave. This document explanation of how the Shim6 protocol should behave. This document
does not mandate that implementations adhere to this model as long as does not mandate that implementations adhere to this model as long as
their external behavior is consistent with that described in this their external behavior is consistent with that described in this
document. document.
6.1. Conceptual Data Structures 6.1. Conceptual Data Structures
The key conceptual data structure for the Shim6 protocol is the ULID The key conceptual data structure for the Shim6 protocol is the ULID-
pair context. This is a data structure which contains the following pair context. This is a data structure that contains the following
information: information:
o The state of the context. See Section 6.2. o The state of the context. See Section 6.2.
o The peer ULID; ULID(peer) o The peer ULID: ULID(peer).
o The local ULID; ULID(local) o The local ULID: ULID(local).
o The Forked Instance Identifier; FII. This is zero for the default o The Forked Instance Identifier: FII. This is zero for the default
context i.e., when there is no forking. context, i.e., when there is no forking.
o The list of peer locators, with their preferences; Ls(peer) o The list of peer locators with their preferences: Ls(peer).
o The generation number for the most recently received, verified o The generation number for the most recently received, verified
peer locator list. peer locator list.
o For each peer locator, the verification method to use (from the o For each peer locator, the verification method to use (from the
Locator List option). Locator List option).
o For each peer locator, a flag whether it has been verified using o For each peer locator, a flag specifying whether it has been
HBA or CGA, and a bit whether the locator has been probed to verified using HBA or CGA, and a bit specifying whether the
verify that the ULID is present at that location. locator has been probed to verify that the ULID is present at that
location.
o The current peer locator, is the locator used as destination o The current peer locator is the locator used as the destination
address when sending packets; Lp(peer) address when sending packets: Lp(peer).
o The set of local locators and the preferences; Ls(local) o The set of local locators and the preferences: Ls(local).
o The generation number for the most recently sent Locator List o The generation number for the most recently sent Locator List
option. option.
o The current local locator, is the locator used as source address o The current local locator is the locator used as the source
when sending packets; Lp(local) address when sending packets: Lp(local).
o The context tag used to transmit control messages and payload
extension headers - allocated by the peer; CT(peer)
o The context to expect in received control messages and payload o The Context Tag used to transmit control messages and Shim6
extension headers - allocated by the local host; CT(local) Payload Extension headers; this is allocated by the peer:
CT(peer).
o Timers for retransmission of the messages during context o The context to expect in received control messages and Shim6
Payload Extension headers; this is allocated by the local host:
CT(local).
o Timers for retransmission of the messages during context-
establishment and update messages. establishment and update messages.
o Depending how an implementation determines whether a context is o Depending how an implementation determines whether a context is
still in use, there might be a need to track the last time a still in use, there might be a need to track the last time a
packet was sent/received using the context. packet was sent/received using the context.
o Reachability state for the locator pairs as specified in [4]. o Reachability state for the locator pairs as specified in [4].
o During pair exploration, information about the probe messages that o During pair exploration, information about the Probe messages that
have been sent and received as specified in [4]. have been sent and received as specified in [4].
o During context establishment phase, Init Nonce, Responder Nonce, o During context-establishment phase, the Initiator Nonce, Responder
Responder Validator and timers related to the different packets Nonce, Responder Validator, and timers related to the different
sent (I1,I2, R2), as described in Section 7 packets sent (I1,I2, R2), as described in Section 7.
6.2. Context STATES 6.2. Context STATES
The STATES that are used to describe the Shim6 protocol are as The STATES that are used to describe the Shim6 protocol are as
follows: follows:
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
| STATE | Explanation | | STATE | Explanation |
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
| IDLE | State machine start | | IDLE | State machine start |
| | | | | |
| I1-SENT | Initiating context establishment exchange | | I1-SENT | Initiating context-establishment exchange |
| | | | | |
| I2-SENT | Waiting to complete context establishment | | I2-SENT | Waiting to complete context-establishment |
| | exchange | | | exchange |
| | | | | |
| I2BIS-SENT | Potential context loss detected | | I2BIS-SENT | Potential context loss detected |
| | | | | |
| | |
| ESTABLISHED | SHIM context established | | ESTABLISHED | SHIM context established |
| | | | | |
| E-FAILED | Context establishment exchange failed | | E-FAILED | Context-establishment exchange failed |
| | | | | |
| NO-SUPPORT | ICMP Unrecognized Next Header type | | NO-SUPPORT | ICMP Unrecognized Next Header type |
| | (type 4, code 1) received indicating | | | (type 4, code 1) received, indicating |
| | that Shim6 is not supported | | | that Shim6 is not supported |
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
In addition, in each of the aforementioned STATES, the following In addition, in each of the aforementioned STATES, the following
state information is stored: state information is stored:
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
| STATE | Information | | STATE | Information |
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
| IDLE | None | | IDLE | None |
| | | | | |
| I1-SENT | ULID(peer), ULID(local), [FII], CT(local), | | I1-SENT | ULID(peer), ULID(local), [FII], CT(local), |
| | INIT nonce, Lp(local), Lp(peer), Ls(local) | | | INIT Nonce, Lp(local), Lp(peer), Ls(local) |
| | | | | |
| I2-SENT | ULID(peer), ULID(local), [FII], CT(local), | | I2-SENT | ULID(peer), ULID(local), [FII], CT(local), |
| | INIT nonce, RESP nonce, Lp(local), Lp(peer),| | | INIT Nonce, RESP Nonce, Lp(local), Lp(peer),|
| | Ls(local), Responder Validator | | | Ls(local), Responder Validator |
| | | | | |
| ESTABLISHED | ULID(peer), ULID(local), [FII], CT(local), | | ESTABLISHED | ULID(peer), ULID(local), [FII], CT(local), |
| | CT(peer), Lp(local), Lp(peer), Ls(local) | | | CT(peer), Lp(local), Lp(peer), Ls(local), |
| | Ls(peer), INIT nonce?(to receive late R2) | | | Ls(peer), INIT Nonce?(to receive late R2) |
| | | | | |
| I2BIS-SENT | ULID(peer), ULID(local), [FII], CT(local), | | I2BIS-SENT | ULID(peer), ULID(local), [FII], CT(local), |
| | CT(peer), Lp(local), Lp(peer), Ls(local) | | | CT(peer), Lp(local), Lp(peer), Ls(local), |
| | Ls(peer), CT(R1bis), RESP nonce, | | | Ls(peer), CT(R1bis), RESP Nonce, |
| | INIT nonce, Responder validator | | | INIT Nonce, Responder Validator |
| | | | | |
| E-FAILED | ULID(peer), ULID(local) | | E-FAILED | ULID(peer), ULID(local) |
| | | | | |
| NO-SUPPORT | ULID(peer), ULID(local) | | NO-SUPPORT | ULID(peer), ULID(local) |
+---------------------+---------------------------------------------+ +---------------------+---------------------------------------------+
7. Establishing ULID-Pair Contexts 7. Establishing ULID-Pair Contexts
ULID-pair contexts are established using a 4-way exchange, which ULID-pair contexts are established using a 4-way exchange, which
allows the responder to avoid creating state on the first packet. As allows the responder to avoid creating state on the first packet. As
part of this exchange each end allocates a context tag, and it shares part of this exchange, each end allocates a Context Tag and shares
this context tag and its set of locators with the peer. this Context Tag and its set of locators with the peer.
In some cases the 4-way exchange is not necessary, for instance when In some cases, the 4-way exchange is not necessary -- for instance,
both ends try to setup the context at the same time, or when when both ends try to set up the context at the same time, or when
recovering from a context that has been garbage collected or lost at recovering from a context that has been garbage collected or lost at
one of the hosts. one of the hosts.
7.1. Uniqueness of Context Tags 7.1. Uniqueness of Context Tags
As part of establishing a new context, each host has to assign a As part of establishing a new context, each host has to assign a
unique context tag. Since the Payload Extension headers are unique Context Tag. Since the Shim6 Payload Extension headers are
demultiplexed based solely on the context tag value (without using demultiplexed based solely on the Context Tag value (without using
the locators), the context tag MUST be unique for each context. the locators), the Context Tag MUST be unique for each context.
It is important that context tags are hard to guess for off-path It is important that Context Tags are hard to guess for off-path
attackers. Therefore, if an implementation uses structure in the attackers. Therefore, if an implementation uses structure in the
context tag to facilitate efficient lookups, at least 30 bits of the Context Tag to facilitate efficient lookups, at least 30 bits of the
context tag MUST be unstructured and populated by random or pseudo- Context Tag MUST be unstructured and populated by random or pseudo-
random bits. random bits.
In addition, in order to minimize the reuse of context tags, the host In addition, in order to minimize the reuse of Context Tags, the host
SHOULD randomly cycle through the unstructured tag name space SHOULD randomly cycle through the unstructured tag name space that is
reserved for randomly assigned context tag values,(e.g. following the reserved for randomly assigned Context Tag values (e.g., following
guidelines described in [12]). the guidelines described in [13]).
7.2. Locator Verification 7.2. Locator Verification
The peer's locators might need to be verified during context The peer's locators might need to be verified during context
establishment as well as when handling locator updates in Section 10. establishment as well as when handling locator updates in Section 10.
There are two separate aspects of locator verification. One is to There are two separate aspects of locator verification. One is to
verify that the locator is tied to the ULID, i.e., that the host verify that the locator is tied to the ULID, i.e., that the host that
which "owns" the ULID is also the one that is claiming the locator "owns" the ULID is also the one that is claiming the locator
"ownership". The Shim6 protocol uses the HBA or CGA techniques for "ownership". The Shim6 protocol uses the HBA or CGA techniques for
doing this verification. The other is to verify that the host is doing this verification. The other aspect is to verify that the host
indeed reachable at the claimed locator. Such verification is needed is indeed reachable at the claimed locator. Such verification is
both to make sure communication can proceed, but also to prevent 3rd needed not only to make sure communication can proceed but also to
party flooding attacks [14]. These different verifications happen at prevent 3rd party flooding attacks [15]. These different aspects of
different times, since the first might need to be performed before locator verification happen at different times since the first might
packets can be received by the peer with the source locator in need to be performed before packets can be received by the peer with
question, but the latter verification is only needed before packets the source locator in question, but the latter verification is only
are sent to the locator. needed before packets are sent to the locator.
Before a host can use a locator (different than the ULID) as the Before a host can use a locator (different than the ULID) as the
source locator, it must know that the peer will accept packets with source locator, it must know that the peer will accept packets with
that source locator as being part of this context. Thus the HBA/CGA that source locator as part of this context. Thus, the HBA/CGA
verification SHOULD be performed by the host before the host verification SHOULD be performed by the host before the host
acknowledges the new locator, by sending an Update Acknowledgement acknowledges the new locator by sending either an Update
message, or an R2 message. Acknowledgement message or an R2 message.
Before a host can use a locator (different than the ULID) as the Before a host can use a locator (different than the ULID) as the
destination locator it MUST perform the HBA/CGA verification if this destination locator, it MUST perform the HBA/CGA verification if this
was not performed before upon the reception of the locator set. In was not performed upon reception of the locator set. In addition, it
addition, it MUST verify that the ULID is indeed present at that MUST verify that the ULID is indeed present at that locator. This
locator. This verification is performed by doing a return- verification is performed by doing a return-routability test as part
routability test as part of the Probe sub-protocol [4]. of the Probe sub-protocol [4].
If the verification method in the Locator List option is not If the verification method in the Locator List option is not
supported by the host, or if the verification method is not supported by the host, or if the verification method is not
consistent with the CGA Parameter Data Structure (e.g., the Parameter consistent with the CGA Parameter Data Structure (e.g., the Parameter
Data Structure doesn't contain the multiprefix extension, and the Data Structure doesn't contain the multiprefix extension and the
verification method says to use HBA), then the host MUST ignore the verification method says to use HBA), then the host MUST ignore the
Locator List and the message in which it is contained, and the host Locator List and the message in which it is contained. The host
SHOULD generate a Shim6 Error Message with Error Code=2, with the SHOULD generate a Shim6 Error message with Error Code=2 and with the
Pointer referencing the octet in the Verification method that was Pointer referencing the octet in the verification method that was
found inconsistent. found inconsistent.
7.3. Normal context establishment 7.3. Normal Context Establishment
The normal context establishment consists of a 4 message exchange in The normal context establishment consists of a 4-message exchange in
the order of I1, R1, I2, R2 as can be seen in Figure 3. the order of I1, R1, I2, R2, as can be seen in Figure 3.
Initiator Responder Initiator Responder
IDLE IDLE IDLE IDLE
------------- I1 --------------> ------------- I1 -------------->
I1-SENT I1-SENT
<------------ R1 --------------- <------------ R1 ---------------
IDLE IDLE
------------- I2 --------------> ------------- I2 -------------->
I2-SENT I2-SENT
<------------ R2 --------------- <------------ R2 ---------------
ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED
Figure 3: Normal context establishment Figure 3: Normal Context Establishment
7.4. Concurrent context establishment 7.4. Concurrent Context Establishment
When both ends try to initiate a context for the same ULID pair, then When both ends try to initiate a context for the same ULID pair, then
we might end up with crossing I1 messages. Alternatively, since no we might end up with crossing I1 messages. Alternatively, since no
state is created when receiving the I1, a host might send a I1 after state is created when receiving the I1, a host might send an I1 after
having sent a R1 message. having sent an R1 message.
Since a host remembers that it has sent an I1, it can respond to an Since a host remembers that it has sent an I1, it can respond to an
I1 from the peer (for the same ULID-pair), with a R2, resulting in I1 from the peer (for the same ULID pair) with an R2, resulting in
the message exchange shown in Figure 4. Such behavior is needed for the message exchange shown in Figure 4. Such behavior is needed for
other reasons such as to correctly respond to retransmitted I1 reasons such as correctly responding to retransmitted I1 messages,
messages, which occur when the R2 message has been lost. which occur when the R2 message has been lost.
Host A Host B Host A Host B
IDLE IDLE IDLE IDLE
-\ -\
I1-SENT---\ I1-SENT---\
---\ /--- ---\ /---
--- I1 ---\ /--- I1-SENT --- I1 ---\ /--- I1-SENT
---\ ---\
/--- I1 ---/ ---\ /--- I1 ---/ ---\
skipping to change at page 59, line 34 skipping to change at page 57, line 27
-\ -\
I1-SENT---\ I1-SENT---\
---\ /--- ---\ /---
--- R2 ---\ /--- I1-SENT --- R2 ---\ /--- I1-SENT
---\ ---\
/--- R2 ---/ ---\ /--- R2 ---/ ---\
/--- --> /--- -->
<--- ESTABLISHED <--- ESTABLISHED
ESTABLISHED ESTABLISHED
Figure 4: Crossing I1 messages Figure 4: Crossing I1 Messages
If a host has received an I1 and sent an R1, it has no state to If a host has received an I1 and sent an R1, it has no state to
remember this. Thus if the ULP on the host sends down packets, this remember this. Thus, if the ULP on the host sends down packets, this
might trigger the host to send an I1 message itself. Thus while one might trigger the host to send an I1 message itself. Thus, while one
end is sending an I1 the other is sending an I2 as can be seen in end is sending an I1, the other is sending an I2, as can be seen in
Figure 5. Figure 5.
Host A Host B Host A Host B
IDLE IDLE IDLE IDLE
-\ -\
---\ ---\
I1-SENT ---\ I1-SENT ---\
--- I1 ---\ --- I1 ---\
---\ ---\
skipping to change at page 60, line 44 skipping to change at page 58, line 44
---\ /--- ---\ /---
--- R2 ---\ /--- --- R2 ---\ /---
---\ ---\
/--- R2 ---/ ---\ /--- R2 ---/ ---\
/--- --> /--- -->
<--- ESTABLISHED <--- ESTABLISHED
ESTABLISHED ESTABLISHED
Figure 5: Crossing I2 and I1 Figure 5: Crossing I2 and I1
7.5. Context recovery 7.5. Context Recovery
Due to garbage collection, we can end up with one end having and Due to garbage collection, we can end up with one end having and
using the context state, and the other end not having any state. We using the context state, and the other end not having any state. We
need to be able to recover this state at the end that has lost it, need to be able to recover this state at the end that has lost it
before we can use it. before we can use it.
This need can arise in the following cases: This need can arise in the following cases:
o The communication is working using the ULID pair as the locator o The communication is working using the ULID pair as the locator
pair, but a problem arises, and the end that has retained the pair but a problem arises, and the end that has retained the
context state decides to probe alternate locator pairs. context state decides to probe alternate locator pairs.
o The communication is working using a locator pair that is not the o The communication is working using a locator pair that is not the
ULID pair, hence the ULP packets sent from a peer that has ULID pair; hence, the ULP packets sent from a peer that has
retained the context state use the Shim6 Payload extension header. retained the context state use the Shim6 Payload Extension header.
o The host that retained the state sends a control message (e.g. an o The host that retained the state sends a control message (e.g., an
Update Request message). Update Request message).
In all the cases the result is that the peer without state receives a In all cases, the result is that the peer without state receives a
shim message for which it has no context for the context tag. shim message for which it has no context for the Context Tag.
In all of those cases we can recover the context by having the node We can recover the context by having the node that doesn't have a
which doesn't have a context state, send back an R1bis message, and context state send back an R1bis message, and then complete the
have then complete the recovery with a I2bis and R2 message as can be recovery with an I2bis and R2 message, as can be seen in Figure 6.
seen in Figure 6.
Host A Host B Host A Host B
Context for Context for
CT(peer)=X Discards context for CT(peer)=X Discards context for
CT(local)=X CT(local)=X
ESTABLISHED IDLE ESTABLISHED IDLE
---- payload, probe, etc. -----> No context state ---- payload, probe, etc. -----> No context state
for CT(local)=X for CT(local)=X
<------------ R1bis ------------ <------------ R1bis ------------
IDLE IDLE
------------- I2bis -----------> ------------- I2bis ----------->
I2BIS_SENT I2BIS_SENT
<------------ R2 --------------- <------------ R2 ---------------
ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED
Figure 6: Context loss at receiver Figure 6: Context Loss at Receiver
If one end has garbage collected or lost the context state, it might If one end has garbage collected or lost the context state, it might
try to create a new context state (for the same ULID pair), by try to create a new context state (for the same ULID pair), by
sending an I1 message. The peer (that still has the context state) sending an I1 message. In this case, the peer (that still has the
will reply with an R1 message and the full 4-way exchange will be context state) will reply with an R1 message, and the full 4-way
performed again in this case as can be seen in Figure 7. exchange will be performed again, as can be seen in Figure 7.
Host A Host B Host A Host B
Context for Context for
CT(peer)=X Discards context for CT(peer)=X Discards context for
ULIDs A1, B1 CT(local)=X ULIDs A1, B1 CT(local)=X
ESTABLISHED IDLE ESTABLISHED IDLE
Finds <------------ I1 --------------- Tries to setup Finds <------------ I1 --------------- Tries to setup
existing for ULIDs A1, B1 existing for ULIDs A1, B1
context, context,
but CT(peer) I1-SENT but CT(peer) I1-SENT
doesn't match doesn't match
------------- R1 ---------------> ------------- R1 --------------->
Left old context Left old context
in ESTABLISHED in ESTABLISHED
<------------ I2 --------------- <------------ I2 ---------------
Recreate context Re-create context
with new CT(peer) I2-SENT with new CT(peer) I2-SENT
and Ls(peer). and Ls(peer).
ESTABLISHED ESTABLISHED
------------- R2 --------------> ------------- R2 -------------->
ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED
Figure 7: Context loss at sender Figure 7: Context Loss at Sender
7.6. Context confusion 7.6. Context Confusion
Since each end might garbage collect the context state we can have Since each end might garbage collect the context state, we can have
the case when one end has retained the context state and tries to use the case where one end has retained the context state and tries to
it, while the other end has lost the state. We discussed this in the use it, while the other end has lost the state. We discussed this in
previous section on recovery. But for the same reasons, when one the previous section on recovery. But, for the same reasons, when
host retains context tag X as CT(peer) for ULID pair <A1, B1>, the one host retains Context Tag X as CT(peer) for ULID pair <A1, B1>,
other end might end up allocating that context tag as CT(local) for the other end might end up allocating that Context Tag as CT(local)
another ULID pair, e.g., <A3, B1> between the same hosts. In this for another ULID pair (e.g., <A3, B1>) between the same hosts. In
case we can not use the recovery mechanisms since there need to be this case, we cannot use the recovery mechanisms since there needs to
separate context tags for the two ULID pairs. be separate Context Tags for the two ULID pairs.
This type of "confusion" can be observed in two cases (assuming it is This type of "confusion" can be observed in two cases (assuming it is
A that has retained the state and B has dropped it): A that has retained the state and B that has dropped it):
o B decides to create a context for ULID pair <A3, B1>, and o B decides to create a context for ULID pair <A3, B1>, allocates X
allocates X as its context tag for this, and sends an I1 to A. as its Context Tag for this, and sends an I1 to A.
o A decides to create a context for ULID pair <A3, B1>, and starts o A decides to create a context for ULID pair <A3, B1> and starts
the exchange by sending I1 to B. When B receives the I2 message, the exchange by sending I1 to B. When B receives the I2 message,
it allocates X as the context tag for this context. it allocates X as the Context Tag for this context.
In both cases, A can detect that B has allocated X for ULID pair <A3, In both cases, A can detect that B has allocated X for ULID pair <A3,
B1> even though that A still X as CT(peer) for ULID pair <A1, B1>. B1> even though A still has X as CT(peer) for ULID pair <A1, B1>.
Thus A can detect that B must have lost the context for <A1, B1>. Thus, A can detect that B must have lost the context for <A1, B1>.
The confusion can be detected when I2/I2bis/R2 is received since we The confusion can be detected when I2/I2bis/R2 is received, since we
require that those messages MUST include a sufficiently large set of require that those messages MUST include a sufficiently large set of
locators in a Locator List option that the peer can determine whether locators in a Locator List option that the peer can determine whether
or not two contexts have the same host as the peer by comparing if or not two contexts have the same host as the peer by comparing if
there is any common locators in Ls(peer). there is any common locators in Ls(peer).
The requirement is that the old context which used the context tag The old context that used the Context Tag MUST be removed; it can no
MUST be removed; it can no longer be used to send packets. Thus A longer be used to send packets. Thus, A would forcibly remove the
would forcibly remove the context state for <A1, B1, X>, so that it context state for <A1, B1, X> so that it can accept the new context
can accept the new context for <A3, B1, X>. An implementation MAY for <A3, B1, X>. An implementation MAY re-create a context to
re-create a context to replace the one that was removed; in this case replace the one that was removed -- in this case, for <A1, B1>. The
for <A1, B1>. The normal I1, R1, I2, R2 establishment exchange would normal I1, R1, I2, R2 establishment exchange would then pick unique
then pick unique context tags for that replacement context. This re- Context Tags for that replacement context. This re-creation is
creation is OPTIONAL, but might be useful when there is ULP OPTIONAL, but might be useful when there is ULP communication that is
communication which is using the ULID pair whose context was removed. using the ULID pair whose context was removed.
Note that an I1 message with a duplicate context tag should not cause Note that an I1 message with a duplicate Context Tag should not cause
the removal of the old context state; this operation needs to be the removal of the old context state; this operation needs to be
deferred until the reception of the I2 message. deferred until the reception of the I2 message.
7.7. Sending I1 messages 7.7. Sending I1 Messages
When the shim layer decides to setup a context for a ULID pair, it When the shim layer decides to setup a context for a ULID pair, it
starts by allocating and initializing the context state for its end. starts by allocating and initializing the context state for its end.
As part of this it assigns a random context tag to the context that As part of this, it assigns a random Context Tag to the context that
is not being used as CT(local) by any other context . In the case is not being used as CT(local) by any other context . In the case
that a new API is used and the ULP requests a forked context, the that a new API is used and the ULP requests a forked context, the
Forked Instance Identifier value will be set to a non-zero value. Forked Instance Identifier value will be set to a non-zero value.
Otherwise, the FII value is zero. Then the initiator can send an I1 Otherwise, the FII value is zero. Then the initiator can send an I1
message and set the context STATE to I1-SENT. The I1 message MUST message and set the context STATE to I1-SENT. The I1 message MUST
include the ULID pair; normally in the IPv6 source and destination include the ULID pair -- normally, in the IPv6 Source and Destination
fields. But if the ULID pair for the context is not used as locator fields. But if the ULID pair for the context is not used as a
pair for the I1 message, then a ULID option MUST be included in the locator pair for the I1 message, then a ULID option MUST be included
I1 message. In addition, if a Forked Instance Identifier value is in the I1 message. In addition, if a Forked Instance Identifier
non-zero, the I1 message MUST include a Context Instance Identifier value is non-zero, the I1 message MUST include a Context Instance
option containing the correspondent value. Identifier option containing the correspondent value.
7.8. Retransmitting I1 messages 7.8. Retransmitting I1 Messages
If the host does not receive an I2 or R2 message in response to the If the host does not receive an R1 or R2 message in response to the
I1 message after I1_TIMEOUT time, then it needs to retransmit the I1 I1 message after I1_TIMEOUT time, then it needs to retransmit the I1
message. The retransmissions should use a retransmission timer with message. The retransmissions should use a retransmission timer with
binary exponential backoff to avoid creating congestion issues for binary exponential backoff to avoid creating congestion issues for
the network when lots of hosts perform I1 retransmissions. Also, the the network when lots of hosts perform I1 retransmissions. Also, the
actual timeout value should be randomized between 0.5 and 1.5 of the actual timeout value should be randomized between 0.5 and 1.5 of the
nominal value to avoid self-synchronization. nominal value to avoid self-synchronization.
If, after I1_RETRIES_MAX retransmissions, there is no response, then If, after I1_RETRIES_MAX retransmissions, there is no response, then
most likely the peer does not implement the Shim6 protocol, or there most likely the peer does not implement the Shim6 protocol (or there
could be a firewall that blocks the protocol. In this case it makes could be a firewall that blocks the protocol). In this case, it
sense for the host to remember to not try again to establish a makes sense for the host to remember not to try again to establish a
context with that ULID. However, any such negative caching should context with that ULID. However, any such negative caching should be
retained for at most NO_R1_HOLDDOWN_TIME, to be able to later setup a retained for at most NO_R1_HOLDDOWN_TIME, in order to be able to
context should the problem have been that the host was not reachable later set up a context should the problem have been that the host was
at all when the shim tried to establish the context. not reachable at all when the shim tried to establish the context.
If the host receives an ICMP error with "Unrecognized Next Header" If the host receives an ICMP error with "Unrecognized Next Header"
type (type 4, code 1) and the included packet is the I1 message it type (type 4, code 1) and the included packet is the I1 message it
just sent, then this is a more reliable indication that the peer ULID just sent, then this is a more reliable indication that the peer ULID
does not implement Shim6. Again, in this case, the host should does not implement Shim6. Again, in this case, the host should
remember to not try again to establish a context with that ULID. remember not to try again to establish a context with that ULID.
Such negative caching should retained for at most ICMP_HOLDDOWN_TIME, Such negative caching should be retained for at most
which should be significantly longer than the previous case. ICMP_HOLDDOWN_TIME, which should be significantly longer than the
previous case.
7.9. Receiving I1 messages 7.9. Receiving I1 Messages
A host MUST silently discard any received I1 messages that do not A host MUST silently discard any received I1 messages that do not
satisfy all of the following validity checks in addition to those satisfy all of the following validity checks in addition to those
specified in Section 12.3: specified in Section 12.3:
o The Hdr Ext Len field is at least 1, i.e., the length is at least o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets. 16 octets.
Upon the reception of an I1 message, the host extracts the ULID pair Upon the reception of an I1 message, the host extracts the ULID pair
and the Forked Instance Identifier from the message. If there is no and the Forked Instance Identifier from the message. If there is no
ULID-pair option, then the ULID pair is taken from the source and ULID-pair option, then the ULID pair is taken from the Source and
destination fields in the IPv6 header. If there is no FII option in Destination fields in the IPv6 header. If there is no FII option in
the message, then the FII value is taken to be zero. the message, then the FII value is taken to be zero.
Next the host looks for an existing context which matches the ULID Next, the host looks for an existing context that matches the ULID
pair and the FII. pair and the FII.
If no state is found (i.e., the STATE is IDLE), then the host replies If no state is found (i.e., the STATE is IDLE), then the host replies
with a R1 message as specified below. with an R1 message as specified below.
If such a context exists in ESTABLISHED STATE, the host verifies that If such a context exists in ESTABLISHED STATE, the host verifies that
the locator of the Initiator is included in Ls(peer) (This check is the locator of the initiator is included in Ls(peer). (This check is
unnecessary if there is no ULID-pair option in the I1 message). unnecessary if there is no ULID-pair option in the I1 message.)
If the state exists in ESTABLISHED STATE and the locators do not fall If the state exists in ESTABLISHED STATE and the locators do not fall
in the locator sets, then the host replies with a R1 message as in the locator sets, then the host replies with an R1 message as
specified below. This completes the I1 processing, with the context specified below. This completes the I1 processing, with the context
STATE being unchanged. STATE being unchanged.
If the state exists in ESTABLISHED STATE and the locators do fall in If the state exists in ESTABLISHED STATE and the locators do fall in
the sets, then the host compares CT(peer) for the context with the CT the sets, then the host compares CT(peer) for the context with the CT
contained in the I1 message. contained in the I1 message.
o If the context tags match, then this probably means that the R2 o If the Context Tags match, then this probably means that the R2
message was lost and this I1 is a retransmission. In this case, message was lost and this I1 is a retransmission. In this case,
the host replies with a R2 message containing the information the host replies with an R2 message containing the information
available for the existent context. available for the existent context.
o If the context tags do not match, then it probably means that the o If the Context Tags do not match, then it probably means that the
Initiator has lost the context information for this context and it initiator has lost the context information for this context and is
is trying to establish a new one for the same ULID-pair. In this trying to establish a new one for the same ULID pair. In this
case, the host replies with a R1 message as specified below. This case, the host replies with an R1 message as specified below.
completes the I1 processing, with the context STATE being This completes the I1 processing, with the context STATE being
unchanged. unchanged.
If the state exists in other STATE (I1-SENT, I2-SENT, I2BIS-SENT), we If the state exists in other STATE (I1-SENT, I2-SENT, I2BIS-SENT), we
are in the situation of Concurrent context establishment described in are in the situation of concurrent context establishment, described
Section 7.4. In this case, the host leaves CT(peer) unchanged, and in Section 7.4. In this case, the host leaves CT(peer) unchanged and
replies with a R2 message. This completes the I1 processing, with replies with an R2 message. This completes the I1 processing, with
the context STATE being unchanged. the context STATE being unchanged.
7.10. Sending R1 messages 7.10. Sending R1 Messages
When the host needs to send a R1 message in response to the I1 When the host needs to send an R1 message in response to the I1
message, it copies the Initiator Nonce from the I1 message to the R1 message, it copies the Initiator Nonce from the I1 message to the R1
message, generates a Responder Nonce and calculates a Responder message, generates a Responder Nonce, and calculates a Responder
Validator option as suggested in the following section. No state is Validator option as suggested in the following section. No state is
created on the host in this case.(Note that the information used to created on the host in this case.(Note that the information used to
generate the R1 reply message is either contained in the received I1 generate the R1 reply message is either contained in the received I1
message or it is global information that is not associated with the message or is global information that is not associated with the
particular requested context (the S and the Responder nonce values)). particular requested context (the S and the Responder Nonce values.))
When the host needs to send a R2 message in response to the I1 When the host needs to send an R2 message in response to the I1
message, it copies the Initiator Nonce from the I1 message to the R2 message, it copies the Initiator Nonce from the I1 message to the R2
message, and otherwise follows the normal rules for forming an R2 message, and otherwise follows the normal rules for forming an R2
message (see Section 7.14). message (see Section 7.14).
7.10.1. Generating the R1 Validator 7.10.1. Generating the R1 Validator
As it is stated in Section 5.15.1, the Validator generation mechanism As it is stated in Section 5.15.1, the validator-generation mechanism
is a local choice since the validator is generated and verified by is a local choice since the validator is generated and verified by
the same node i.e. the responder. However, in order to provide the the same node, i.e., the responder. However, in order to provide the
required protection, the Validator needs to be generated fullflling required protection, the validator needs to be generated by
the conditions described in Section 5.15.1. One way for the fulfilling the conditions described in Section 5.15.1. One way for
responder to properly generate validators is to maintain a single the responder to properly generate validators is to maintain a single
secret (S) and a running counter (C) for the Responder Nonce that is secret (S) and a running counter (C) for the Responder Nonce that is
incremented in fixed periods of time (this allows the Responder to incremented in fixed periods of time (this allows the responder to
verify the age of a Responder Nonce, independently of the context in verify the age of a Responder Nonce, independently of the context in
which it is used). which it is used).
When the validator is generated to be included in a R1 message, that When the validator is generated to be included in an R1 message sent
is sent in respose to a specific I1 message, the responder can in response to a specific I1 message, the responder can perform the
perform the following procedure to generate the validator value: following procedure to generate the validator value:
First, the responder uses the current counter C value as the First, the responder uses the current counter C value as the
Responder Nonce. Responder Nonce.
Second, it uses the following information (concatenated) as input to Second, it uses the following information (concatenated) as input to
the one-way function: the one-way function:
o The secret S o The secret S
o That Responder Nonce o That Responder Nonce
o The Initiator Context Tag from the I1 message o The Initiator Context Tag from the I1 message
o The ULIDs from the I1 message o The ULIDs from the I1 message
o The locators from the I1 message (strictly only needed if they are o The locators from the I1 message (strictly only needed if they are
different from the ULIDs) different from the ULIDs)
o The forked instance identifier if such option was included in the o The Forked Instance Identifier, if such option was included in the
I1 message I1 message
Third, it uses the output of the hash function as the validator value Third, it uses the output of the hash function as the validator value
included in the R1 message. included in the R1 message.
7.11. Receiving R1 messages and sending I2 messages 7.11. Receiving R1 Messages and Sending I2 Messages
A host MUST silently discard any received R1 messages that do not A host MUST silently discard any received R1 messages that do not
satisfy all of the following validity checks in addition to those satisfy all of the following validity checks in addition to those
specified in Section 12.3: specified in Section 12.3:
o The Hdr Ext Len field is at least 1, i.e., the length is at least o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets. 16 octets.
Upon the reception of an R1 message, the host extracts the Initiator Upon the reception of an R1 message, the host extracts the Initiator
Nonce and the Locator Pair from the message (the latter from the Nonce and the Locator Pair from the message (the latter from the
source and destination fields in the IPv6 header). Next the host Source and Destination fields in the IPv6 header). Next, the host
looks for an existing context which matches the Initiator Nonce and looks for an existing context that matches the Initiator Nonce and
where the locators are contained in Ls(peer) and Ls(local), where the locators are contained in Ls(peer) and Ls(local),
respectively. If no such context is found, then the R1 message is respectively. If no such context is found, then the R1 message is
silently discarded. silently discarded.
If such a context is found, then the host looks at the STATE: If such a context is found, then the host looks at the STATE:
o If the STATE is I1-SENT, then it sends an I2 message as specified o If the STATE is I1-SENT, then it sends an I2 message as specified
below. below.
o In any other STATE (I2-SENT, I2BIS-SENT, ESTABLISHED) then the o In any other STATE (I2-SENT, I2BIS-SENT, ESTABLISHED), then the
host has already sent an I2 message then this is probably a reply host has already sent an I2 message and this is probably a reply
to a retransmitted I1 message, so this R1 message MUST be silently to a retransmitted I1 message, so this R1 message MUST be silently
discarded. discarded.
When the host sends an I2 message, then it includes the Responder When the host sends an I2 message, it includes the Responder
Validator option that was in the R1 message. The I2 message MUST Validator option that was in the R1 message. The I2 message MUST
include the ULID pair; normally in the IPv6 source and destination include the ULID pair -- normally, in the IPv6 Source and Destination
fields. If a ULID-pair option was included in the I1 message then it fields. If a ULID-pair option was included in the I1 message, then
MUST be included in the I2 message as well. In addition, if the it MUST be included in the I2 message as well. In addition, if the
Forked Instance Identifier value for this context is non-zero, the I2 Forked Instance Identifier value for this context is non-zero, the I2
message MUST contain a Forked Instance Identifier Option carrying message MUST contain a Forked Instance Identifier option carrying the
this value. Besides, the I2 message contains an Initiator Nonce. Forked Instance Identifier value. Besides, the I2 message contains
This is not required to be the same than the one included in the an Initiator Nonce. This is not required to be the same as the one
previous I1 message. included in the previous I1 message.
The I2 message may also include the Initiator's locator list. If The I2 message may also include the initiator's locator list. If
this is the the case, then it must also include the CGA Parameter this is the case, then it must also include the CGA Parameter Data
Data Structure. If CGA (and not HBA) is used to verify one or more Structure. If CGA (and not HBA) is used to verify one or more of the
of the locators included in the locator list, then Initiator must locators included in the locator list, then the initiator must also
also include a CGA signature option containing the signature. include a CGA Signature option containing the signature.
When the I2 message has been sent, the STATE is set to I2-SENT. When the I2 message has been sent, the STATE is set to I2-SENT.
7.12. Retransmitting I2 messages 7.12. Retransmitting I2 Messages
If the initiator does not receive an R2 message after I2_TIMEOUT time If the initiator does not receive an R2 message after I2_TIMEOUT time
after sending an I2 message it MAY retransmit the I2 message, using after sending an I2 message, it MAY retransmit the I2 message, using
binary exponential backoff and randomized timers. The Responder binary exponential backoff and randomized timers. The Responder
Validator option might have a limited lifetime, that is, the peer Validator option might have a limited lifetime -- that is, the peer
might reject Responder Validator options that are older than might reject Responder Validator options that are older than
VALIDATOR_MIN_LIFETIME to avoid replay attacks. In the case that the VALIDATOR_MIN_LIFETIME to avoid replay attacks. In the case that the
initiator decides not to retransmit I2 messages or in the case that initiator decides not to retransmit I2 messages, or in the case that
the initiator still does not receive an R2 message after the initiator still does not receive an R2 message after
retransmitting I2 messages I2_RETRIES_MAX times, the initiator SHOULD retransmitting I2 messages I2_RETRIES_MAX times, the initiator SHOULD
fall back to retransmitting the I1 message. fall back to retransmitting the I1 message.
7.13. Receiving I2 messages 7.13. Receiving I2 Messages
A host MUST silently discard any received I2 messages that do not A host MUST silently discard any received I2 messages that do not
satisfy all of the following validity checks in addition to those satisfy all of the following validity checks in addition to those
specified in Section 12.3: specified in Section 12.3:
o The Hdr Ext Len field is at least 2, i.e., the length is at least o The Hdr Ext Len field is at least 2, i.e., the length is at least
24 octets. 24 octets.
Upon the reception of an I2 message, the host extracts the ULID pair Upon the reception of an I2 message, the host extracts the ULID pair
and the Forked Instance identifier from the message. If there is no and the Forked Instance Identifier from the message. If there is no
ULID-pair option, then the ULID pair is taken from the source and ULID-pair option, then the ULID pair is taken from the Source and
destination fields in the IPv6 header. If there is no FII option in Destination fields in the IPv6 header. If there is no FII option in
the message, then the FII value is taken to be zero. the message, then the FII value is taken to be zero.
Next the host verifies that the Responder Nonce is a recent one Next, the host verifies that the Responder Nonce is a recent one
(Nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be (nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be
considered recent), and that the Responder Validator option matches considered recent) and that the Responder Validator option matches
the validator the host would have computed for the ULID, locators, the validator the host would have computed for the ULID, locators,
responder nonce, initiator nonce and FII. Responder Nonce, Initiator Nonce, and FII.
If a CGA Parameter Data Structure (PDS) is included in the message, If a CGA Parameter Data Structure (PDS) is included in the message,
then the host MUST verify if the actual PDS contained in the message then the host MUST verify if the actual PDS contained in the message
corresponds to the ULID(peer). corresponds to the ULID(peer).
If any of the above verifications fails, then the host silently If any of the above verifications fail, then the host silently
discards the message and it has completed the I2 processing. discards the message; it has completed the I2 processing.
If all the above verifications are successful, then the host proceeds If all the above verifications are successful, then the host proceeds
to look for a context state for the Initiator. The host looks for a to look for a context state for the initiator. The host looks for a
context with the extracted ULID pair and FII. If none exist then context with the extracted ULID pair and FII. If none exist, then
STATE of the (non-existing) context is viewed as being IDLE, thus the STATE of the (non-existing) context is viewed as being IDLE; thus,
actions depend on the STATE as follows: the actions depend on the STATE as follows:
o If the STATE is IDLE (i.e., the context does not exist) the host o If the STATE is IDLE (i.e., the context does not exist), the host
allocates a context tag (CT(local)), creates the context state for allocates a Context Tag (CT(local)), creates the context state for
the context, and sets its STATE to ESTABLISHED. It records the context, and sets its STATE to ESTABLISHED. It records
CT(peer), and the peer's locator set as well as its own locator CT(peer) and the peer's locator set as well as its own locator set
set in the context. It SHOULD perform the HBA/CGA verification of in the context. It SHOULD perform the HBA/CGA verification of the
the peer's locator set at this point in time, as specified in peer's locator set at this point in time, as specified in
Section 7.2. Then the host sends an R2 message back as specified Section 7.2. Then, the host sends an R2 message back as specified
below. below.
o If the STATE is I1-SENT, then the host verifies if the source o If the STATE is I1-SENT, then the host verifies if the source
locator is included in Ls(peer) or, it is included in the Locator locator is included in Ls(peer) or in the Locator List contained
List contained in the I2 message and the HBA/CGA verification for in the I2 message and that the HBA/CGA verification for this
this specific locator is successful specific locator is successful.
* If this is not the case, then the message is silently discarded * If this is not the case, then the message is silently discarded
and the context STATE remains unchanged. and the context STATE remains unchanged.
* If this is the case, then the host updates the context * If this is the case, then the host updates the context
information (CT(peer), Ls(peer)) with the data contained in the information (CT(peer), Ls(peer)) with the data contained in the
I2 message and the host MUST send a R2 message back as I2 message, and the host MUST send an R2 message back as
specified below. Note that before updating Ls(peer) specified below. Note that before updating Ls(peer)
information, the host SHOULD perform the HBA/CGA validation of information, the host SHOULD perform the HBA/CGA validation of
the peer's locator set at this point in time as specified in the peer's locator set at this point in time, as specified in
Section 7.2. The host moves to ESTABLISHED STATE. Section 7.2. The host moves to ESTABLISHED STATE.
o If the STATE is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host o If the STATE is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host
verifies if the source locator is included in Ls(peer) or, it is verifies if the source locator is included in Ls(peer) or in the
included in the Locator List contained in the I2 message and the Locator List contained in the I2 message and that the HBA/CGA
HBA/CGA verification for this specific locator is successful verification for this specific locator is successful.
* If this is not the case, then the message is silently discarded * If this is not the case, then the message is silently discarded
and the context STATE remains unchanged. and the context STATE remains unchanged.
* If this is the case, then the host updates the context * If this is the case, then the host updates the context
information (CT(peer), Ls(peer)) with the data contained in the information (CT(peer), Ls(peer)) with the data contained in the
I2 message and the host MUST send a R2 message back as I2 message, and the host MUST send an R2 message back as
specified in Section 7.14. Note that before updating Ls(peer) specified in Section 7.14. Note that before updating Ls(peer)
information, the host SHOULD perform the HBA/CGA validation of information, the host SHOULD perform the HBA/CGA validation of
the peer's locator set at this point in time as specified in the peer's locator set at this point in time, as specified in
Section 7.2. The context STATE remains unchanged. Section 7.2. The context STATE remains unchanged.
7.14. Sending R2 messages 7.14. Sending R2 Messages
Before the host sends the R2 message it MUST look for a possible Before the host sends the R2 message, it MUST look for a possible
context confusion i.e. where it would end up with multiple contexts context confusion, i.e., where it would end up with multiple contexts
using the same CT(peer) for the same peer host. See Section 7.15. using the same CT(peer) for the same peer host. See Section 7.15.
When the host needs to send an R2 message, the host forms the message When the host needs to send an R2 message, the host forms the message
its context tag, copies the Initiator Nonce from the triggering and its Context Tag, and copies the Initiator Nonce from the
message (I2, I2bis, or I1). In addition, it may include alternative triggering message (I2, I2bis, or I1). In addition, it may include
locators and the the necessary options so that the peer can verify alternative locators and necessary options so that the peer can
them. In particular, the R2 message may include the Responder's verify them. In particular, the R2 message may include the
locator list and the PDS option. If CGA (and not HBA) is used to responder's locator list and the PDS option. If CGA (and not HBA) is
verify the locator list, then the Responder also signs the key parts used to verify the locator list, then the responder also signs the
of the message and includes a CGA Signature option containing the key parts of the message and includes a CGA Signature option
signature. containing the signature.
R2 messages are never retransmitted. If the R2 message is lost, then R2 messages are never retransmitted. If the R2 message is lost, then
the initiator will retransmit either the I2/I2bis or I1 message. the initiator will retransmit either the I2/I2bis or I1 message.
Either retransmission will cause the responder to find the context Either retransmission will cause the responder to find the context
state and respond with an R2 message. state and respond with an R2 message.
7.15. Match for Context Confusion 7.15. Match for Context Confusion
When the host receives an I2, I2bis, or R2 it MUST look for a When the host receives an I2, I2bis, or R2, it MUST look for a
possible context confusion i.e. where it would end up with multiple possible context confusion, i.e., where it would end up with multiple
contexts using the same CT(peer) for the same peer host. This can contexts using the same CT(peer) for the same peer host. This can
happen when it has received the above messages since they create a happen when the host has received the above messages, since they
new context with a new CT(peer). Same issue applies when CT(peer) is create a new context with a new CT(peer). The same issue applies
updated for an existing context. when CT(peer) is updated for an existing context.
The host takes CT(peer) for the newly created or updated context, and The host takes CT(peer) for the newly created or updated context, and
looks for other contexts which: looks for other contexts which:
o Are in STATE ESTABLISHED or I2BIS-SENT. o Are in STATE ESTABLISHED or I2BIS-SENT
o Have the same CT(peer). o Have the same CT(peer)
o Where Ls(peer) has at least one locator in common with the newly o Have an Ls(peer) that has at least one locator in common with the
created or updated context. newly created or updated context
If such a context is found, then the host checks if the ULID pair or If such a context is found, then the host checks if the ULID pair or
the Forked Instance Identifier different than the ones in the newly the Forked Instance Identifier are different than the ones in the
created or updated context: newly created or updated context:
o If either or both are different, then the peer is reusing the o If either or both are different, then the peer is reusing the
context tag for the creation of a context with different ULID pair Context Tag for the creation of a context with different ULID pair
or FII, which is an indication that the peer has lost the original or FII, which is an indication that the peer has lost the original
context. In this case, we are in the Context confusion situation, context. In this case, we are in a context confusion situation,
and the host MUST NOT use the old context to send any packets. It and the host MUST NOT use the old context to send any packets. It
MAY just discard the old context (after all, the peer has MAY just discard the old context (after all, the peer has
discarded it), or it MAY attempt to re-establish the old context discarded it), or it MAY attempt to re-establish the old context
by sending a new I1 message and moving its STATE to I1-SENT. In by sending a new I1 message and moving its STATE to I1-SENT. In
any case, once that this situation is detected, the host MUST NOT any case, once that this situation is detected, the host MUST NOT
keep two contexts with overlapping Ls(peer) locator sets and the keep two contexts with overlapping Ls(peer) locator sets and the
same context tag in ESTABLISHED STATE, since this would result in same Context Tag in ESTABLISHED STATE, since this would result in
demultiplexing problems on the peer. demultiplexing problems on the peer.
o If both are the same, then this context is actually the context o If both are the same, then this context is actually the context
that is created or updated, hence there is no confusion. that is created or updated; hence, there is no confusion.
7.16. Receiving R2 messages 7.16. Receiving R2 Messages
A host MUST silently discard any received R2 messages that do not A host MUST silently discard any received R2 messages that do not
satisfy all of the following validity checks in addition to those satisfy all of the following validity checks in addition to those
specified in Section 12.3: specified in Section 12.3:
o The Hdr Ext Len field is at least 1, i.e., the length is at least o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets. 16 octets.
Upon the reception of an R2 message, the host extracts the Initiator Upon the reception of an R2 message, the host extracts the Initiator
Nonce and the Locator Pair from the message (the latter from the Nonce and the Locator Pair from the message (the latter from the
source and destination fields in the IPv6 header). Next the host Source and Destination fields in the IPv6 header). Next, the host
looks for an existing context which matches the Initiator Nonce and looks for an existing context that matches the Initiator Nonce and
where the locators are Lp(peer) and Lp(local), respectively. Based where the locators are Lp(peer) and Lp(local), respectively. Based
on the STATE: on the STATE:
o If no such context is found, i.e., the STATE is IDLE, then the o If no such context is found, i.e., the STATE is IDLE, then the
message is silently dropped. message is silently dropped.
o If STATE is I1-SENT, I2-SENT, or I2BIS-SENT then the host performs o If STATE is I1-SENT, I2-SENT, or I2BIS-SENT, then the host
the following actions: If a CGA Parameter Data Structure (PDS) is performs the following actions. If a CGA Parameter Data Structure
included in the message, then the host MUST verify that the actual (PDS) is included in the message, then the host MUST verify that
PDS contained in the message corresponds to the ULID(peer) as the actual PDS contained in the message corresponds to the
specified in Section 7.2. If the verification fails, then the ULID(peer) as specified in Section 7.2. If the verification
message is silently dropped. If the verification succeeds, then fails, then the message is silently dropped. If the verification
the host records the information from the R2 message in the succeeds, then the host records the information from the R2
context state; it records the peer's locator set and CT(peer). message in the context state; it records the peer's locator set
The host SHOULD perform the HBA/CGA verification of the peer's and CT(peer). The host SHOULD perform the HBA/CGA verification of
locator set at this point in time, as specified in Section 7.2. the peer's locator set at this point in time, as specified in
The host sets its STATE to ESTABLISHED. Section 7.2. The host sets its STATE to ESTABLISHED.
o If the STATE is ESTABLISHED, the R2 message is silently ignored, o If the STATE is ESTABLISHED, the R2 message is silently ignored,
(since this is likely to be a reply to a retransmitted I2 (since this is likely to be a reply to a retransmitted I2
message). message).
Before the host completes the R2 processing it MUST look for a Before the host completes the R2 processing, it MUST look for a
possible context confusion i.e. where it would end up with multiple possible context confusion, i.e., where it would end up with multiple
contexts using the same CT(peer) for the same peer host. See contexts using the same CT(peer) for the same peer host. See
Section 7.15. Section 7.15.
7.17. Sending R1bis messages 7.17. Sending R1bis Messages
Upon the receipt of a Shim6 payload extension header where there is Upon the receipt of a Shim6 Payload Extension header where there is
no current Shim6 context at the receiver, the receiver is to respond no current Shim6 context at the receiver, the receiver is to respond
with an R1bis message in order to enable a fast re-establishment of with an R1bis message in order to enable a fast re-establishment of
the lost Shim6 context. the lost Shim6 context.
Also a host is to respond with a R1bis upon receipt of any control Also, a host is to respond with an R1bis upon receipt of any control
messages that has a message type in the range 64-127 (i.e., excluding messages that have a message type in the range 64-127 (i.e.,
the context setup messages such as I1, R1, R1bis, I2, I2bis, R2 and excluding the context-setup messages such as I1, R1, R1bis, I2,
future extensions), where the control message refers to a non I2bis, R2, and future extensions), where the control message refers
existent context. to a non-existent context.
We assume that all the incoming packets that trigger the generation We assume that all the incoming packets that trigger the generation
of an R1bis message contain a locator pair (in the address fields of of an R1bis message contain a locator pair (in the address fields of
the IPv6 header) and a Context Tag. the IPv6 header) and a Context Tag.
Upon reception of any of the packets described above, the host will Upon reception of any of the packets described above, the host will
reply with an R1bis including the following information: reply with an R1bis including the following information:
o The Responder Nonce is a number picked by the responder which the o The Responder Nonce is a number picked by the responder that the
initiator will return in the I2bis message. initiator will return in the I2bis message.
o Packet Context Tag is the context tag contained in the received o Packet Context Tag is the Context Tag contained in the received
packet that triggered the generation of the R1bis message. packet that triggered the generation of the R1bis message.
o The Responder Validator option is included, with a validator that o The Responder Validator option is included, with a validator that
is computed as suggested in the next section. is computed as suggested in the next section.
7.17.1. Generating the R1bis Validator 7.17.1. Generating the R1bis Validator
One way for the responder to properly generate validators is to One way for the responder to properly generate validators is to
maintain a single secret (S) and a running counter C for the maintain a single secret (S) and a running counter C for the
Responder Nonce that is incremented in fixed periods of time (this Responder Nonce that is incremented in fixed periods of time (this
allows the Responder to verify the age of a Responder Nonce, allows the responder to verify the age of a Responder Nonce,
independently of the context in which it is used). independently of the context in which it is used).
When the validator is generated to be included in a R1bis message, When the validator is generated to be included in an R1bis message --
that is sent in respose to a specific controls packet or packet that is, sent in response to a specific control packet or a packet
containing the Shim6 payload extension header message, the responder containing the Shim6 Payload Extension header message -- the
can perform the following procedure to generate the validator value: responder can perform the following procedure to generate the
validator value:
First, the responder uses the counter C value as the Responder Nonce. First, the responder uses the counter C value as the Responder Nonce.
Second, it uses the following information (concatenated) as input to Second, it uses the following information (concatenated) as input to
the one-way function: the one-way function:
o The secret S o The secret S
o That Responder Nonce o That Responder Nonce
o The Receiver Context tag included in the received packet o The Receiver Context Tag included in the received packet
o The locators from the received packet o The locators from the received packet
Third, it uses the output of the hash function as the validator Third, it uses the output of the hash function as the validator
string. string.
7.18. Receiving R1bis messages and sending I2bis messages 7.18. Receiving R1bis Messages and Sending I2bis Messages
A host MUST silently discard any received R1bis messages that do not A host MUST silently discard any received R1bis messages that do not
satisfy all of the following validity checks in addition to those satisfy all of the following validity checks in addition to those
specified in Section 12.3: specified in Section 12.3:
o The Hdr Ext Len field is at least 1, i.e., the length is at least o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets. 16 octets.
Upon the reception of an R1bis message, the host extracts the Packet Upon the reception of an R1bis message, the host extracts the Packet
Context Tag and the Locator Pair from the message (the latter from Context Tag and the Locator Pair from the message (the latter from
the source and destination fields in the IPv6 header). Next the host the Source and Destination fields in the IPv6 header). Next, the
looks for an existing context where the Packet Context Tag matches host looks for an existing context where the Packet Context Tag
CT(peer) and where the locators match Lp(peer) and Lp(local), matches CT(peer) and where the locators match Lp(peer) and Lp(local),
respectively. respectively.
o If no such context is not found, i.e., the STATE is IDLE, then the o If no such context is found, i.e., the STATE is IDLE, then the
R1bis message is silently discarded. R1bis message is silently discarded.
o If the STATE is I1-SENT, I2-SENT, or I2BIS-SENT, then the R1bis o If the STATE is I1-SENT, I2-SENT, or I2BIS-SENT, then the R1bis
message is silently discarded. message is silently discarded.
o If the STATE is ESTABLISHED, then we are in the case where the o If the STATE is ESTABLISHED, then we are in the case where the
peer has lost the context and the goal is to try to re-establish peer has lost the context, and the goal is to try to re-establish
it. For that, the host leaves CT(peer) unchanged in the context it. For that, the host leaves CT(peer) unchanged in the context
state, transitions to I2BIS-SENT STATE, and sends a I2bis message, state, transitions to I2BIS-SENT STATE, and sends an I2bis
including the computed Responder Validator option, the Packet message, including the computed Responder Validator option, the
Context Tag, and the Responder Nonce received in the R1bis Packet Context Tag, and the Responder Nonce that were received in
message. This I2bis message is sent using the locator pair the R1bis message. This I2bis message is sent using the locator
included in the R1bis message. In the case that this locator pair pair included in the R1bis message. In the case that this locator
differs from the ULID pair defined for this context, then an ULID pair differs from the ULID pair defined for this context, then a
option MUST be included in the I2bis message. In addition, if the ULID option MUST be included in the I2bis message. In addition,
Forked Instance Identifier for this context is non-zero, then a if the Forked Instance Identifier for this context is non-zero,
Forked Instance Identifier option carrying the instance identifier then a Forked Instance Identifier option carrying the instance
value for this context MUST be included in the I2bis message. The identifier value for this context MUST be included in the I2bis
I2bis message may also include a locator list. If this is the the message. The I2bis message may also include a locator list. If
case, then it must also include the CGA Parameter Data Structure. this is the case, then it must also include the CGA Parameter Data
If CGA (and not HBA) is used to verify one or more of the locators Structure. If CGA (and not HBA) is used to verify one or more of
included in the locator list, then Initiator must also include a the locators included in the locator list, then the initiator must
CGA signature option containing the signature. also include a CGA Signature option containing the signature.
7.19. Retransmitting I2bis messages 7.19. Retransmitting I2bis Messages
If the initiator does not receive an R2 message after I2bis_TIMEOUT If the initiator does not receive an R2 message after I2bis_TIMEOUT
time after sending an I2bis message it MAY retransmit the I2bis time after sending an I2bis message, it MAY retransmit the I2bis
message, using binary exponential backoff and randomized timers. The message, using binary exponential backoff and randomized timers. The
Responder Validator option might have a limited lifetime, that is, Responder Validator option might have a limited lifetime -- that is,
the peer might reject Responder Validator options that are older than the peer might reject Responder Validator options that are older than
VALIDATOR_MIN_LIFETIME to avoid replay attacks. In the case that the VALIDATOR_MIN_LIFETIME to avoid replay attacks. In the case that the
initiator decides not to retransmit I2bis messages or in the case initiator decides not to retransmit I2bis messages, or in the case
that the initiator still does not receive an R2 message after that the initiator still does not receive an R2 message after
retransmitting I2bis messages I2bis_RETRIES_MAX times, the initiator retransmitting I2bis messages I2bis_RETRIES_MAX times, the initiator
SHOULD fallback to retransmitting the I1 message. SHOULD fallback to retransmitting the I1 message.
7.20. Receiving I2bis messages and sending R2 messages 7.20. Receiving I2bis Messages and Sending R2 Messages
A host MUST silently discard any received I2bis messages that do not A host MUST silently discard any received I2bis messages that do not
satisfy all of the following validity checks in addition to those satisfy all of the following validity checks in addition to those
specified in Section 12.3: specified in Section 12.3:
o The Hdr Ext Len field is at least 3, i.e., the length is at least o The Hdr Ext Len field is at least 3, i.e., the length is at least
32 octets. 32 octets.
Upon the reception of an I2bis message, the host extracts the ULID Upon the reception of an I2bis message, the host extracts the ULID
pair and the Forked Instance identifier from the message. If there pair and the Forked Instance Identifier from the message. If there
is no ULID-pair option, then the ULID pair is taken from the source is no ULID-pair option, then the ULID pair is taken from the Source
and destination fields in the IPv6 header. If there is no FII option and Destination fields in the IPv6 header. If there is no FII option
in the message, then the FII value is taken to be zero. in the message, then the FII value is taken to be zero.
Next the host verifies that the Responder Nonce is a recent one Next, the host verifies that the Responder Nonce is a recent one
(Nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be (nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be
considered recent), and that the Responder Validator option matches considered recent) and that the Responder Validator option matches
the validator the host would have computed for the locators, the validator the host would have computed for the locators,
Responder Nonce, and Receiver Context tag as part of sending an R1bis Responder Nonce, and Receiver Context Tag as part of sending an R1bis
message. message.
If a CGA Parameter Data Structure (PDS) is included in the message, If a CGA Parameter Data Structure (PDS) is included in the message,
then the host MUST verify if the actual PDS contained in the message then the host MUST verify if the actual PDS contained in the message
corresponds to the ULID(peer). corresponds to the ULID(peer).
If any of the above verifications fails, then the host silently If any of the above verifications fail, then the host silently
discard the message and it has completed the I2bis processing. discards the message; it has completed the I2bis processing.
If both verifications are successful, then the host proceeds to look If both verifications are successful, then the host proceeds to look
for a context state for the Initiator. The host looks for a context for a context state for the initiator. The host looks for a context
with the extracted ULID pair and FII. If none exist then STATE of with the extracted ULID pair and FII. If none exist, then STATE of
the (non-existing) context is viewed as being IDLE, thus the actions the (non-existing) context is viewed as being IDLE; thus, the actions
depend on the STATE as follows: depend on the STATE as follows:
o If the STATE is IDLE (i.e., the context does not exist) the host o If the STATE is IDLE (i.e., the context does not exist), the host
allocates a context tag (CT(local)), creates the context state for allocates a Context Tag (CT(local)), creates the context state for
the context, and sets its STATE to ESTABLISHED. The host SHOULD the context, and sets its STATE to ESTABLISHED. The host SHOULD
NOT use the Packet Context Tag in the I2bis message for CT(local); NOT use the Packet Context Tag in the I2bis message for CT(local);
instead it should pick a new random context tag just as when it instead, it should pick a new random Context Tag just as when it
processes an I2 message. It records CT(peer), and the peer's processes an I2 message. It records CT(peer) and the peer's
locator set as well as its own locator set in the context. It locator set as well as its own locator set in the context. It
SHOULD perform the HBA/CGA verification of the peer's locator set SHOULD perform the HBA/CGA verification of the peer's locator set
at this point in time as specified in Section 7.2. Then the host at this point in time, as specified in Section 7.2. Then the host
sends an R2 message back as specified in Section 7.14. sends an R2 message back as specified in Section 7.14.
o If the STATE is I1-SENT, then the host verifies if the source o If the STATE is I1-SENT, then the host verifies if the source
locator is included in Ls(peer) or, it is included in the Locator locator is included in Ls(peer) or in the Locator List contained
List contained in the I2 message and the HBA/CGA verification for in the I2bis message and if the HBA/CGA verification for this
this specific locator is successful specific locator is successful.
* If this is not the case, then the message is silently * If this is not the case, then the message is silently
discarded. The the context STATE remains unchanged. discarded. The context STATE remains unchanged.
* If this is the case, then the host updates the context * If this is the case, then the host updates the context
information (CT(peer), Ls(peer)) with the data contained in the information (CT(peer), Ls(peer)) with the data contained in the
I2 message and the host MUST send a R2 message back as I2bis message, and the host MUST send an R2 message back as
specified below. Note that before updating Ls(peer) specified below. Note that before updating Ls(peer)
information, the host SHOULD perform the HBA/CGA validation of information, the host SHOULD perform the HBA/CGA validation of
the peer's locator set at this point in time as specified in the peer's locator set at this point in time, as specified in
Section 7.2. The host moves to ESTABLISHED STATE. Section 7.2. The host moves to ESTABLISHED STATE.
o If the STATE is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host o If the STATE is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host
whther at least one of the two following conditions hold: i) if determines whether at least one of the two following conditions
the source locator is included in Ls(peer) or, ii) if the source hold: i) if the source locator is included in Ls(peer) or, ii) if
locator is included in the Locator List contained in the I2 the source locator is included in the Locator List contained in
message and the HBA/CGA verification for this specific locator is the I2bis message and if the HBA/CGA verification for this
successful specific locator is successful.
* If none of the two aforementioned conditions hold, then the * If none of the two aforementioned conditions hold, then the
message is silently discarded. The the context STATE remains message is silently discarded. The context STATE remains
unchanged. unchanged.
* If at least one of the two aforementioned conditions hold, then * If at least one of the two aforementioned conditions hold, then
the host updates the context information (CT(peer), Ls(peer)) the host updates the context information (CT(peer), Ls(peer))
with the data contained in the I2 message and the host MUST with the data contained in the I2bis message, and the host MUST
send a R2 message back as specified in Section 7.14. Note that send an R2 message back, as specified in Section 7.14. Note
before updating Ls(peer) information, the host SHOULD perform that before updating Ls(peer) information, the host SHOULD
the HBA/CGA validation of the peer's locator set at this point perform the HBA/CGA validation of the peer's locator set at
in time as specified in Section 7.2. The context STATE remains this point in time, as specified in Section 7.2. The context
unchanged. STATE remains unchanged.
8. Handling ICMP Error Messages 8. Handling ICMP Error Messages
The routers in the path as well as the destination might generate The routers in the path as well as the destination might generate
ICMP error messages. In some cases, the Shim6 can take action and ICMP error messages. In some cases, the Shim6 can take action and
solve the solve the problem that resulted in the error. In other solve the problem that resulted in the error. In other cases, the
cases, the Shim6 layer can not solve the problem and it is critical Shim6 layer cannot solve the problem, and it is critical that these
that these packets make it back up to the ULPs so that they can take packets make it back up to the ULPs so that they can take appropriate
appropriate action. action.
This is an implementation issue in the sense that the mechanism is This is an implementation issue in the sense that the mechanism is
completely local to the host itself. But the issue of how ICMP completely local to the host itself. But the issue of how ICMP
errors are correctly dispatched to the ULP on the host are important, errors are correctly dispatched to the ULP on the host are important;
hence this section specifies the issue. hence, this section specifies the issue.
All ICMP messages MUST be delivered to the ULP in all cases except All ICMP messages MUST be delivered to the ULP in all cases, except
when Shim6 successfully acts on the message (e.g. selects a new when Shim6 successfully acts on the message (e.g., selects a new
path). There SHOULD be a configuration option to unconditionally path). There SHOULD be a configuration option to unconditionally
deliver all ICMP messages (including ones acted on by shim6) to the deliver all ICMP messages (including ones acted on by shim6) to the
ULP. ULP.
According to that recommendation, the following ICMP error messages According to that recommendation, the following ICMP error messages
should be processed by the Shim6 layer and not passed to the ULP: should be processed by the Shim6 layer and not passed to the ULP:
ICMP error Destination unreachable with codes 0 (No route to
destination), 1 (Communication with destination administratively ICMP error Destination Unreachable, with codes:
prohibited), 2 (Beyond scope of source address), 3 (Address 0 (No route to destination)
unreachable), 5 (Source address failed ingress/egress policy), 6 1 (Communication with destination administratively prohibited)
(Reject route to destination), ICMP Time exceeded error, ICMP 2 (Beyond scope of source address)
Parameter problem error with the parameter that caused the error 3 (Address unreachable)
being a Shim6 parameter. 5 (Source address failed ingress/egress policy)
6 (Reject route to destination)
ICMP Time exceeded error.
ICMP Parameter problem error, with the parameter that caused the
error being a Shim6 parameter.
The following ICMP error messages report problems that cannot be The following ICMP error messages report problems that cannot be
addressed by the Shim6 layer and that should be passed to the ULP (as addressed by the Shim6 layer and that should be passed to the ULP (as
described below): ICMP Packet too big error, ICMP Destination described below):
Unreachable with Code 4 (Port unreachable) ICMP Parameter problem (if
the parameter that caused the problem is not a Shim6 parameter). ICMP Packet too big error.
ICMP Destination Unreachable with Code 4 (Port unreachable).
ICMP Parameter problem (if the parameter that caused the problem
is not a Shim6 parameter).
+--------------+ +--------------+
| IPv6 Header | | IPv6 Header |
| | | |
+--------------+ +--------------+
| ICMPv6 | | ICMPv6 |
| Header | | Header |
- - +--------------+ - - - - +--------------+ - -
| IPv6 Header | | IPv6 Header |
| src, dst as | Can be dispatched | src, dst as | Can be dispatched
skipping to change at page 77, line 25 skipping to change at page 75, line 25
| on host | ICMP error handler | on host | ICMP error handler
Packet +--------------+ Packet +--------------+
| ULP | | ULP |
in | Header | in | Header |
+--------------+ +--------------+
Error | | Error | |
~ Data ~ ~ Data ~
| | | |
- - +--------------+ - - - - +--------------+ - -
Figure 8: ICMP error handling without payload extension header Figure 8: ICMP Error Handling without the
Shim6 Payload Extension Header
When the ULP packets are sent without the payload extension header, When the ULP packets are sent without the Shim6 Payload Extension
that is, while the initial locators=ULIDs are working, this header -- that is, while the initial locators=ULIDs are working --
introduces no new concerns; an implementation's existing mechanism this introduces no new concerns; an implementation's existing
for delivering these errors to the ULP will work. See Figure 8. mechanism for delivering these errors to the ULP will work. See
Figure 8.
But when the shim on the transmitting side inserts the payload But when the shim on the transmitting side inserts the Shim6 Payload
extension header and replaces the ULIDs in the IP address fields with Extension header and replaces the ULIDs in the IP address fields with
some other locators, then an ICMP error coming back will have a some other locators, then an ICMP error coming back will have a
"packet in error" which is not a packet that the ULP sent. Thus the "packet in error", which is not a packet that the ULP sent. Thus,
implementation will have to apply the reverse mapping to the "packet the implementation will have to apply reverse mapping to the "packet
in error" before passing the ICMP error up to the ULP, including the in error" before passing the ICMP error up to the ULP, including the
ICMP extensions defined in [24]. See Figure 9. ICMP extensions defined in [25]. See Figure 9.
+--------------+ +--------------+
| IPv6 Header | | IPv6 Header |
| | | |
+--------------+ +--------------+
| ICMPv6 | | ICMPv6 |
| Header | | Header |
- - +--------------+ - - - - +--------------+ - -
| IPv6 Header | | IPv6 Header |
| src, dst as | Needs to be | src, dst as | Needs to be
IPv6 | modified by | transformed to IPv6 | modified by | transformed to
| shim on host | have ULIDs | shim on host | have ULIDs
+--------------+ in src, dst fields, +--------------+ in src, dst fields,
Packet | Shim6 ext. | and Shim6 ext. Packet | Shim6 ext. | and Shim6 Ext.
| Header | header removed | Header | header removed
in +--------------+ before it can be in +--------------+ before it can be
| Transport | dispatched to the ULP | Transport | dispatched to the ULP
Error | Header | ICMP error handler. Error | Header | ICMP error handler.
+--------------+ +--------------+
| | | |
~ Data ~ ~ Data ~
| | | |
- - +--------------+ - - - - +--------------+ - -
Figure 9: ICMP error handling with payload extension header Figure 9: ICMP Error Handling with the Shim6 Payload Extension Header
Note that this mapping is different than when receiving packets from Note that this mapping is different than when receiving packets from
the peer with a payload extension headers, because in that case the the peer with Shim6 Payload Extension headers because, in that case,
packets contain CT(local). But the ICMP errors have a "packet in the packets contain CT(local). But the ICMP errors have a "packet in
error" with an payload extension header containing CT(peer). This is error" with a Shim6 Payload Extension header containing CT(peer).
because they were intended to be received by the peer. In any case, This is because they were intended to be received by the peer. In
since the <Source Locator, Destination Locator, CT(peer)> has to be any case, since the <Source Locator, Destination Locator, CT(peer)>
unique when received by the peer, the local host should also only be has to be unique when received by the peer, the local host should
able to find one context that matches this tuple. also only be able to find one context that matches this tuple.
If the ICMP error is a Packet Too Big, the reported MTU must be If the ICMP error is a "packet too big", the reported MTU must be
adjusted to be 8 octets less, since the shim will add 8 octets when adjusted to be 8 octets less, since the shim will add 8 octets when
sending packets. sending packets.
After the "packet in error" has had the original ULIDs inserted, then After the "packet in error" has had the original ULIDs inserted, then
this payload extension header can be removed. The result is a this Shim6 Payload Extension header can be removed. The result is a
"packet in error" that is passed to the ULP which looks as if the "packet in error" that is passed to the ULP which looks as if the
shim did not exist. shim did not exist.
9. Teardown of the ULID-Pair Context 9. Teardown of the ULID-Pair Context
Each host can unilaterally decide when to tear down a ULID-pair Each host can unilaterally decide when to tear down a ULID-pair
context. It is RECOMMENDED that hosts do not tear down the context context. It is RECOMMENDED that hosts do not tear down the context
when they know that there is some upper layer protocol that might use when they know that there is some upper-layer protocol that might use
the context. For example, an implementation might know this if there the context. For example, an implementation might know this if there
is an open socket which is connected to the ULID(peer). However, is an open socket that is connected to the ULID(peer). However,
there might be cases when the knowledge is not readily available to there might be cases when the knowledge is not readily available to
the shim layer, for instance for UDP applications which do not the shim layer, for instance, for UDP applications that do not
connect their sockets, or any application which retains some higher connect their sockets or for any application that retains some
level state across (TCP) connections and UDP packets. higher-level state across (TCP) connections and UDP packets.
Thus it is RECOMMENDED that implementations minimize premature Thus, it is RECOMMENDED that implementations minimize premature
teardown by observing the amount of traffic that is sent and received teardown by observing the amount of traffic that is sent and received
using the context, and only after it appears quiescent, tear down the using the context, and tear down the state only after it appears
state. A reasonable approach would be not to tear down a context quiescent. A reasonable approach would be to not tear down a context
until at least 5 minutes have passed since the last message was sent until at least 5 minutes have passed since the last message was sent
or received using the context. (Note that packets that use the ULID or received using the context. (Note that packets that use the ULID
pair as locator pair and that do not require address rewriting by the pair as a locator pair and that do not require address rewriting by
Shim6 layer are also considered as packets using the associated Shim6 the Shim6 layer are also considered as packets using the associated
context) Shim6 context.)
Since there is no explicit, coordinated removal of the context state, Since there is no explicit, coordinated removal of the context state,
there are potential issues around context tag reuse. One end might there are potential issues around Context Tag reuse. One end might
remove the state, and potentially reuse that context tag for some remove the state and potentially reuse that Context Tag for some
other communication, and the peer might later try to use the old other communication, and the peer might later try to use the old
context (which it didn't remove). The protocol has mechanisms to context (which it didn't remove). The protocol has mechanisms to
recover from this, which work whether the state removal was total and recover from this, which work whether the state removal was total and
accidental (e.g., crash and reboot of the host), or just a garbage accidental (e.g., crash and reboot of the host) or just a garbage
collection of shim state that didn't seem to be used. However, the collection of shim state that didn't seem to be used. However, the
host should try to minimize the reuse of context tags by trying to host should try to minimize the reuse of Context Tags by trying to
randomly cycle through the 2^47 context tag values. (See Section 21 randomly cycle through the 2^47 Context Tag values. (See Appendix C
for a summary how the recovery works in the different cases.) for a summary of how the recovery works in the different cases.)
10. Updating the Peer 10. Updating the Peer
The Update Request and Acknowledgement are used both to update the The Update Request and Acknowledgement are used both to update the
list of locators (only possible when CGA is used to verify the list of locators (only possible when CGA is used to verify the
locator(s)), as well as updating the preferences associated with each locator(s)) and to update the preferences associated with each
locator. locator.
10.1. Sending Update Request messages 10.1. Sending Update Request Messages
When a host has a change in the locator set, then it can communicate When a host has a change in the locator set, it can communicate this
this to the peer by sending an Update Request. When a host has a to the peer by sending an Update Request. When a host has a change
change in the preferences for its locator set, it can also in the preferences for its locator set, it can also communicate this
communicate this to the peer. The Update Request message can include to the peer. The Update Request message can include just a Locator
just a Locator List option, to convey the new set of locators, just a List option (to convey the new set of locators), just a Locator
Locator Preferences option, or both a new Locator List and new Preferences option, or both a new Locator List and new Locator
Locator Preferences. Preferences.
Should the host send a new Locator List, the host picks a new random Should the host send a new Locator List, the host picks a new random,
local generation number, records this in the context, and puts it in local generation number, records this in the context, and puts it in
the Locator List option. Any Locator Preference option, whether send the Locator List option. Any Locator Preference option, whether sent
in the same Update Request or in some future Update Request, will use in the same Update Request or in some future Update Request, will use
that generation number to make sure the preferences get applied to that generation number to make sure the preferences get applied to
the correct version of the locator list. the correct version of the locator list.
The host picks a random Request Nonce for each update, and keeps the The host picks a random Request Nonce for each update and keeps the
same nonce for any retransmissions of the Update Request. The nonce same nonce for any retransmissions of the Update Request. The nonce
is used to match the acknowledgement with the request. is used to match the acknowledgement with the request.
The UPDATE message can also include a CGA Parameter Data Structure The Update Request message can also include a CGA Parameter Data
(this is needed if the CGA PDS was not previously exchanged,). If Structure (this is needed if the CGA PDS was not previously
CGA (and not HBA) is used to verify one or more of the locators exchanged). If CGA (and not HBA) is used to verify one or more of
included in the locator list, then a CGA signature option containing the locators included in the locator list, then a CGA Signature
the signature must also be included in the UPDATE message. option containing the signature must also be included in the Update
Request message.
10.2. Retransmitting Update Request messages 10.2. Retransmitting Update Request Messages
If the host does not receive an Update Acknowledgement R2 message in If the host does not receive an Update Acknowledgement R2 message in
response to the Update Request message after UPDATE_TIMEOUT time, response to the Update Request message after UPDATE_TIMEOUT time,
then it needs to retransmit the Update Request message. The then it needs to retransmit the Update Request message. The
retransmissions should use a retransmission timer with binary retransmissions should use a retransmission timer with binary
exponential backoff to avoid creating congestion issues for the exponential backoff to avoid creating congestion issues for the
network when lots of hosts perform Update Request retransmissions. network when lots of hosts perform Update Request retransmissions.
Also, the actual timeout value should be randomized between 0.5 and Also, the actual timeout value should be randomized between 0.5 and
1.5 of the nominal value to avoid self-synchronization. 1.5 of the nominal value to avoid self-synchronization.
Should there be no response, the retransmissions continue forever. Should there be no response, the retransmissions continue forever.
The binary exponential backoff stops at MAX_UPDATE_TIMEOUT. But the The binary exponential backoff stops at MAX_UPDATE_TIMEOUT. But the
only way the retransmissions would stop when there is no only way the retransmissions would stop when there is no
acknowledgement, is when the shim, through the Probe protocol or some acknowledgement is when Shim6, through the REAP protocol or some
other mechanism, decides to discard the context state due to lack of other mechanism, decides to discard the context state due to lack of
ULP usage in combination with no responses to the Probes. ULP usage in combination with no responses to the REAP protocol.
10.3. Newer Information While Retransmitting 10.3. Newer Information while Retransmitting
There can be at most one outstanding Update Request message at any There can be at most one outstanding Update Request message at any
time. Thus until e.g. an update with a new Locator List has been time. Thus until, for example, an update with a new Locator List has
acknowledged, any even newer Locator List or new Locator Preferences been acknowledged, any newer Locator List or new Locator Preferences
can not just be sent. However, when there is newer information and can not just be sent. However, when there is newer information and
the older information has not yet been acknowledged, the host can the older information has not yet been acknowledged, the host can,
instead of waiting for an acknowledgement, abandon the previous instead of waiting for an acknowledgement, abandon the previous
update and construct a new Update Request (with a new Request Nonce) update and construct a new Update Request (with a new Request Nonce)
which includes the new information as well as the information that that includes the new information as well as the information that
hadn't yet been acknowledged. hasn't yet been acknowledged.
For example, if the original locator list was just (A1, A2), and if For example, if the original locator list was just (A1, A2), and if
an Update Request with the Locator List (A1, A3) is outstanding, and an Update Request with the Locator List (A1, A3) is outstanding, and
the host determines that it should both add A4 to the locator list, the host determines that it should both add A4 to the locator list
and mark A1 as BROKEN, then it would need to: and mark A1 as BROKEN, then it would need to:
o Pick a new random Request Nonce for the new Update Request. o Pick a new random Request Nonce for the new Update Request.
o Pick a new random Generation number for the new locator list. o Pick a new random generation number for the new locator list.
o Form the new locator list - (A1, A3, A4) o Form the new locator list: (A1, A3, A4).
o Form a Locator Preference option which uses the new generation o Form a Locator Preference option that uses the new generation
number and has the BROKEN flag for the first locator. number and has the BROKEN flag for the first locator.
o Send the Update Request and start a retransmission timer. o Send the Update Request and start a retransmission timer.
Any Update Acknowledgement which doesn't match the current request Any Update Acknowledgement that doesn't match the current Request
nonce, for instance an acknowledgement for the abandoned Update Nonce (for instance, an acknowledgement for the abandoned Update
Request, will be silently ignored. Request) will be silently ignored.
10.4. Receiving Update Request messages 10.4. Receiving Update Request Messages
A host MUST silently discard any received Update Request messages A host MUST silently discard any received Update Request messages
that do not satisfy all of the following validity checks in addition that do not satisfy all of the following validity checks in addition
to those specified in Section 12.3: to those specified in Section 12.3:
o The Hdr Ext Len field is at least 1, i.e., the length is at least o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets. 16 octets.
Upon the reception of an Update Request message, the host extracts Upon the reception of an Update Request message, the host extracts
the Context Tag from the message. It then looks for a context which the Context Tag from the message. It then looks for a context that
has a CT(local) that matches the context tag. If no such context is has a CT(local) that matches the Context Tag. If no such context is
found, it sends a R1bis message as specified in Section 7.17. found, it sends an R1bis message as specified in Section 7.17.
Since context tags can be reused, the host MUST verify that the IPv6 Since Context Tags can be reused, the host MUST verify that the IPv6
source address field is part of Ls(peer) and that the IPv6 Source Address field is part of Ls(peer) and that the IPv6
destination address field is part of Ls(local). If this is not the Destination Address field is part of Ls(local). If this is not the
case, the sender of the Update Request has a stale context which case, the sender of the Update Request has a stale context that
happens to match the CT(local) for this context. In this case the happens to match the CT(local) for this context. In this case, the
host MUST send a R1bis message, and otherwise ignore the Update host MUST send an R1bis message and otherwise ignore the Update
Request message. Request message.
If a CGA Parameter Data Structure (PDS) is included in the message, If a CGA Parameter Data Structure (PDS) is included in the message,
then the host MUST verify if the actual PDS contained in the packet then the host MUST verify if the actual PDS contained in the packet
corresponds to the ULID(peer). If this verification fails, the corresponds to the ULID(peer). If this verification fails, the
message is silently discarded. message is silently discarded.
Then, depending on the STATE of the context: Then, depending on the STATE of the context:
o If ESTABLISHED: Proceed to process message. o If ESTABLISHED, proceed to process message.
o If I1-SENT, discard the message and stay in I1-SENT. o If I1-SENT, discard the message and stay in I1-SENT.
o If I2-SENT, then send I2 and proceed to process the message. o If I2-SENT, send I2 and proceed to process the message.
o If I2BIS-SENT, then send I2bis and proceed to process the message. o If I2BIS-SENT, send I2bis and proceed to process the message.
The verification issues for the locators carried in the Locator The verification issues for the locators carried in the Update
Update message are specified in Section 7.2. If the locator list can Request message are specified in Section 7.2. If the locator list
not be verified, this procedure should send a Shim6 Error message cannot be verified, this procedure should send a Shim6 Error message
with Error Code=2. In any case, if it can not be verified, there is with Error Code=2. In any case, if it can not be verified, there is
no further processing of the Update Request. no further processing of the Update Request.
Once any Locator List option in the Update Request has been verified, Once any Locator List option in the Update Request has been verified,
the peer generation number in the context is updated to be the one in the peer generation number in the context is updated to be the one in
the Locator List option. the Locator List option.
If the Update message contains a Locator Preference option, then the If the Update Request message contains a Locator Preference option,
Generation number in the preference option is compared with the peer then the generation number in the preference option is compared with
generation number in the context. If they do not match, then the the peer generation number in the context. If they do not match,
host generates a Shim6 Error Message with Error Code=3 with the then the host generates a Shim6 Error message with Error Code=3 and
Pointer field referring to the first octet in the Generation number with the Pointer field referring to the first octet in the Locator
in the Locator Preference option. In addition, if the number of List Generation number in the Locator Preference option. In
elements in the Locator Preference option does not match the number addition, if the number of elements in the Locator Preference option
of locators in Ls(peer), then a Shim6 Error Message with Error Code=4 does not match the number of locators in Ls(peer), then a Shim6 Error
is sent with the Pointer referring to the first octet of the Length message with Error Code=4 is sent with the Pointer field referring to
field in the Locator Preference option. In both cases of failures, the first octet of the Length field in the Locator Preference option.
no further processing is performed for the Locator Update message. In both cases of failure, no further processing is performed for the
Update Request message.
If the generation number matches, the locator preferences are If the generation numbers match, the locator preferences are recorded
recorded in the context. in the context.
Once the Locator List option (if present) has been verified and any Once the Locator List option (if present) has been verified and any
new locator list or locator preferences have been recorded, the host new locator list or locator preferences have been recorded, the host
sends an Update Acknowledgement message, copying the nonce from the sends an Update Acknowledgement message, copying the nonce from the
request, and using the CT(peer) in as the Receiver Context Tag. request and using the CT(peer) as the Receiver Context Tag.
Any new locators, or more likely new locator preferences, might Any new locators (or, more likely, new locator preferences) might
result in the host wanting to select a different locator pair for the result in the host wanting to select a different locator pair for the
context. For instance, if the Locator Preferences lists the current context -- for instance, if the Locator Preferences option lists the
Lp(peer) as BROKEN. The host uses the reachability exploration current Lp(peer) as BROKEN. The host uses the reachability
procedure described in [4] to verify that the new locator is exploration procedure described in [4] to verify that the new locator
reachable before changing Lp(peer). is reachable before changing Lp(peer).
10.5. Receiving Update Acknowledgement messages 10.5. Receiving Update Acknowledgement Messages
A host MUST silently discard any received Update Acknowledgement A host MUST silently discard any received Update Acknowledgement
messages that do not satisfy all of the following validity checks in messages that do not satisfy all of the following validity checks in
addition to those specified in Section 12.3: addition to those specified in Section 12.3:
o The Hdr Ext Len field is at least 1, i.e., the length is at least o The Hdr Ext Len field is at least 1, i.e., the length is at least
16 octets. 16 octets.
Upon the reception of an Update Acknowledgement message, the host Upon the reception of an Update Acknowledgement message, the host
extracts the Context Tag and the Request Nonce from the message. It extracts the Context Tag and the Request Nonce from the message. It
then looks for a context which has a CT(local) that matches the then looks for a context that has a CT(local) that matches the
context tag. If no such context is found, it sends a R1bis message Context Tag. If no such context is found, it sends an R1bis message
as specified in Section 7.17. as specified in Section 7.17.
Since context tags can be reused, the host MUST verify that the IPv6 Since Context Tags can be reused, the host MUST verify that the IPv6
source address field is part of Ls(peer) and that the IPv6 Source Address field is part of Ls(peer) and that the IPv6
destination address field is part of Ls(local). If this is not the Destination Address field is part of Ls(local). If this is not the
case, the sender of the Update Acknowledgement has a stale context case, the sender of the Update Acknowledgement has a stale context
which happens to match the CT(local) for this context. In this case that happens to match the CT(local) for this context. In this case,
the host MUST send a R1bis message, and otherwise ignore the Update the host MUST send an R1bis message and otherwise ignore the Update
Acknowledgement message. Acknowledgement message.
Then, depending on the STATE of the context: Then, depending on the STATE of the context:
o If ESTABLISHED: Proceed to process message. o If ESTABLISHED, proceed to process message.
o If I1-SENT, discard the message and stay in I1-SENT. o If I1-SENT, discard the message and stay in I1-SENT.
o If I2-SENT, then send R2 and proceed to process the message. o If I2-SENT, send R2 and proceed to process the message.
o If I2BIS-SENT, then send R2 and proceed to process the message. o If I2BIS-SENT, send R2 and proceed to process the message.
If the Request Nonce doesn't match the Nonce for the last sent Update If the Request Nonce doesn't match the nonce for the last sent Update
Request for the context, then the Update Acknowledgement is silently Request for the context, then the Update Acknowledgement is silently
ignored. If the nonce matches, then the update has been completed ignored. If the nonce matches, then the update has been completed
and the Update retransmit timer can be reset. and the Update retransmit timer can be reset.
11. Sending ULP Payloads 11. Sending ULP Payloads
When there is no context state for the ULID pair on the sender, there When there is no context state for the ULID pair on the sender, there
is no effect on how ULP packets are sent. If the host is using some is no effect on how ULP packets are sent. If the host is using some
heuristic for determining when to perform a deferred context heuristic for determining when to perform a deferred context
establishment, then the host might need to do some accounting (count establishment, then the host might need to do some accounting (count
the number of packets sent and received) even before there is a ULID- the number of packets sent and received) even before there is a ULID-
pair context. pair context.
If the context is not in ESTABLISHED or I2BIS-SENT STATE, then it If the context is not in ESTABLISHED or I2BIS-SENT STATE, then there
there is also no effect on how the ULP packets are sent. Only in the is also no effect on how the ULP packets are sent. Only in the
ESTABLISHED and I2BIS-SENT STATES does the host have CT(peer) and ESTABLISHED and I2BIS-SENT STATEs does the host have CT(peer) and
Ls(peer) set. Ls(peer) set.
If there is a ULID-pair context for the ULID pair, then the sender If there is a ULID-pair context for the ULID pair, then the sender
needs to verify whether context uses the ULIDs as locators, that is, needs to verify whether the context uses the ULIDs as locators --
whether Lp(peer) == ULID(peer) and Lp(local) == ULID(local). that is, whether Lp(peer) == ULID(peer) and Lp(local) == ULID(local).
If this is the case, then packets can be sent unmodified by the shim. If this is the case, then packets can be sent unmodified by the shim.
If it is not the case, then the logic in Section 11.1 will need to be If it is not the case, then the logic in Section 11.1 will need to be
used. used.
There will also be some maintenance activity relating to There will also be some maintenance activity relating to
(un)reachability detection, whether packets are sent with the (un)reachability detection, whether or not packets are sent with the
original locators or not. The details of this is out of scope for original locators. The details of this are out of scope for this
this document and is specified in [4]. document and are specified in [4].
11.1. Sending ULP Payload after a Switch 11.1. Sending ULP Payload after a Switch
When sending packets, if there is a ULID-pair context for the ULID When sending packets, if there is a ULID-pair context for the ULID
pair, and the ULID pair is no longer used as the locator pair, then pair, and if the ULID pair is no longer used as the locator pair,
the sender needs to transform the packet. Apart from replacing the then the sender needs to transform the packet. Apart from replacing
IPv6 source and destination fields with a locator pair, an 8-octet the IPv6 Source and Destination fields with a locator pair, an
header is added so that the receiver can find the context and inverse 8-octet header is added so that the receiver can find the context and
the transformation. inverse the transformation.
If there has been a failure causing a switch, and later the context If there has been a failure causing a switch, and later the context
switches back to sending things using the ULID pair as the locator switches back to sending things using the ULID pair as the locator
pair, then there is no longer a need to do any packet transformation pair, then there is no longer a need to do any packet transformation
by the sender, hence there is no need to include the 8-octet by the sender; hence, there is no need to include the 8-octet
extension header. Extension header.
First, the IP address fields are replaced. The IPv6 source address First, the IP address fields are replaced. The IPv6 Source Address
field is set to Lp(local) and the destination address field is set to field is set to Lp(local) and the Destination Address field is set to
Lp(peer). NOTE that this MUST NOT cause any recalculation of the ULP Lp(peer). Note that this MUST NOT cause any recalculation of the ULP
checksums, since the ULP checksums are carried end-to-end and the ULP checksums, since the ULP checksums are carried end-to-end and the ULP
pseudo-header contains the ULIDs which are preserved end-to-end. pseudo-header contains the ULIDs that are preserved end-to-end.
The sender skips any "routing sub-layer extension headers" that the The sender skips any "Routing Sublayer Extension headers" that the
ULP might have included, thus it skips any hop-by-hop extension ULP might have included; thus, it skips any Hop-by-Hop Extension
header, any routing header, and any destination options header that header, any Routing header, and any Destination Options header that
is followed by a routing header. After any such headers the Shim6 is followed by a Routing header. After any such headers, the Shim6
extension header will be added. This might be before a Fragment Extension header will be added. This might be before a Fragment
header, a Destination Options header, an ESP or AH header, or a ULP header, a Destination Options header, an ESP or AH header, or a ULP
header. header.
The inserted Shim6 Payload extension header includes the peer's The inserted Shim6 Payload Extension header includes the peer's
context tag. It takes on the next header value from the preceding Context Tag. It takes on the Next Header value from the preceding
extension header, since that extension header will have a next header Extension header, since that Extension header will have a Next Header
value of Shim6. value of Shim6.
12. Receiving Packets 12. Receiving Packets
The receive side of the communication can receive packets associated The receive side of the communication can receive packets associated
to a Shim6 context with or without the Shim6 extension header. In to a Shim6 context, with or without the Shim6 Extension header. In
case that the ULID pair is being used as locator pair, the packets case the ULID pair is being used as a locator pair, the packets
received will not have the Shim6 extension header and will be received will not have the Shim6 Extension header and will be
processed by the Shim6 layer as described below. If the received processed by the Shim6 layer as described below. If the received
packet does carry the Shim6 extension header, as in normal IPv6 packet does carry the Shim6 Extension header, as in normal IPv6
receive side packet processing the receiver parses the (extension) receive-side packet processing, the receiver parses the (extension)
headers in order. Should it find a Shim6 extension header it will headers in order. Should it find a Shim6 Extension header, it will
look at the "P" field in that header. If this bit is zero, then the look at the "P" field in that header. If this bit is zero, then the
packet must be passed to the Shim6 payload handling for rewriting. packet must be passed to the Shim6 payload handling for rewriting.
Otherwise, the packet is passed to the Shim6 control handling. Otherwise, the packet is passed to the Shim6 control handling.
12.1. Receiving payload without extension headers 12.1. Receiving Payload without Extension Headers
The receiver extracts the IPv6 source and destination fields, and The receiver extracts the IPv6 Source and Destination fields and uses
uses this to find a ULID-pair context, such that the IPv6 address this to find a ULID-pair context, such that the IPv6 address fields
fields match the ULID(local) and ULID(peer). If such a context is match the ULID(local) and ULID(peer). If such a context is found,
found, the context appears not to be quiescent and this should be the context appears not to be quiescent; this should be remembered in
remembered in order to avoid tearing down the context and for order to avoid tearing down the context and for reachability
reachability detection purposes as described in [4]. The host detection purposes as described in [4]. The host continues with the
continues with the normal processing of the IP packet. normal processing of the IP packet.
12.2. Receiving Payload Extension Headers 12.2. Receiving Shim6 Payload Extension Headers
The receiver extracts the context tag from the payload extension The receiver extracts the Context Tag from the Shim6 Payload
header, and uses this to find a ULID-pair context. If no context is Extension header and uses this to find a ULID-pair context. If no
found, the receiver SHOULD generate a R1bis message (see context is found, the receiver SHOULD generate an R1bis message (see
Section 7.17). Section 7.17).
Then, depending on the STATE of the context: Then, depending on the STATE of the context:
o If ESTABLISHED: Proceed to process message. o If ESTABLISHED, proceed to process message.
o If I1-SENT, discard the message and stay in I1-SENT. o If I1-SENT, discard the message and stay in I1-SENT.
o If I2-SENT, then send I2 and proceed to process the message. o If I2-SENT, send I2 and proceed to process the message.
o If I2BIS-SENT, then send I2bis and proceed to process the message. o If I2BIS-SENT, send I2bis and proceed to process the message.
With the context in hand, the receiver can now replace the IP address With the context in hand, the receiver can now replace the IP address
fields with the ULIDs kept in the context. Finally, the Payload fields with the ULIDs kept in the context. Finally, the Shim6
extension header is removed from the packet (so that the ULP doesn't Payload Extension header is removed from the packet (so that the ULP
get confused by it), and the next header value in the preceding doesn't get confused by it), and the Next Header value in the
header is set to be the actual protocol number for the payload. Then preceding header is set to be the actual protocol number for the
the packet can be passed to the protocol identified by the next payload. Then the packet can be passed to the protocol identified by
header value (which might be some function associated with the IP the Next Header value (which might be some function associated with
endpoint sublayer, or a ULP). the IP endpoint sublayer or a ULP).
If the host is using some heuristic for determining when to perform a If the host is using some heuristic for determining when to perform a
deferred context establishment, then the host might need to do some deferred context establishment, then the host might need to do some
accounting (count the number of packets sent and received) for accounting (count the number of packets sent and received) for
packets that does not have a Shim6 extension header and for which packets that do not have a Shim6 Extension header and for which there
there is no context. But the need for this depends on what is no context. But the need for this depends on what heuristics the
heuristics the implementation has chosen. implementation has chosen.
12.3. Receiving Shim Control messages 12.3. Receiving Shim Control Messages
A shim control message has the checksum field verified. The Shim A shim control message has the Checksum field verified. The Shim
header length field is also verified against the length of the IPv6 Header Length field is also verified against the length of the IPv6
packet to make sure that the shim message doesn't claim to end past packet to make sure that the shim message doesn't claim to end past
the end of the IPv6 packet. Finally, it checks that the neither the the end of the IPv6 packet. Finally, it checks that neither the IPv6
IPv6 destination field nor the IPv6 source field is a multicast Destination field nor the IPv6 Source field is a multicast address or
address nor the unspecified address. If any of those checks fail, an unspecified address. If any of those checks fail, the packet is
the packet is silently dropped. silently dropped.
The message is then dispatched based on the shim message type. Each The message is then dispatched based on the shim message type. Each
message type is then processed as described elsewhere in this message type is then processed as described elsewhere in this
document. If the packet contains a shim message type which is document. If the packet contains a shim message type that is unknown
unknown to the receiver, then a Shim6 Error Message with Error Code=0 to the receiver, then a Shim6 Error message with Error Code=0 is
is generated and sent back. The Pointer field is set to point at the generated and sent back. The Pointer field is set to point at the
first octet of the shim message type. first octet of the shim message type.
All the control messages can contain any options with C=0. If there All the control messages can contain any options with C=0. If there
is any option in the message with C=1 that isn't known to the host, is any option in the message with C=1 that isn't known to the host,
then the host MUST send a Shim6 Error Message with Error Code=1, with then the host MUST send a Shim6 Error message with Error Code=1 with
the Pointer field referencing the first octet of the Option Type. the Pointer field referencing the first octet of the Option Type.
12.4. Context Lookup 12.4. Context Lookup
We assume that each shim context has its own STATE machine. We We assume that each shim context has its own STATE machine. We
assume that a dispatcher delivers incoming packets to the STATE assume that a dispatcher delivers incoming packets to the STATE
machine that it belongs to. Here we describe the rules used for the machine that it belongs to. Here, we describe the rules used for the
dispatcher to deliver packets to the correct shim context STATE dispatcher to deliver packets to the correct shim context STATE
machine. machine.
There is one STATE machine per context identified that is There is one STATE machine per identified context that is
conceptually identified by ULID pair and Forked Instance Identifier conceptually identified by the ULID pair and Forked Instance
(which is zero by default), or identified by CT(local). However, the Identifier (which is zero by default) or identified by CT(local).
detailed lookup rules are more complex, especially during context However, the detailed lookup rules are more complex, especially
establishment. during context establishment.
Clearly, if the required context is not established, it will be in Clearly, if the required context is not established, it will be in
IDLE STATE. IDLE STATE.
During context establishment, the context is identified as follows: During context establishment, the context is identified as follows:
o I1 packets: Deliver to the context associated with the ULID pair o I1 packets: Deliver to the context associated with the ULID pair
and the Forked Instance Identifier. and the Forked Instance Identifier.
o I2 packets: Deliver to the context associated with the ULID pair o I2 packets: Deliver to the context associated with the ULID pair
and the Forked Instance Identifier. and the Forked Instance Identifier.
o R1 packets: Deliver to the context with the locator pair included o R1 packets: Deliver to the context with the locator pair included
in the packet and the Initiator nonce included in the packet (R1 in the packet and the Initiator Nonce included in the packet (R1
does not contain ULID pair nor the CT(local)). If no context does not contain a ULID pair or the CT(local)). If no context
exist with this locator pair and Initiator nonce, then silently exists with this locator pair and Initiator Nonce, then silently
discard. discard.
o R2 packets: Deliver to the context with the locator pair included o R2 packets: Deliver to the context with the locator pair included
in the packet and the Initiator nonce included in the packet (R2 in the packet and the Initiator Nonce included in the packet (R2
does not contain ULID pair nor the CT(local)). If no context does not contain a ULID pair or the CT(local)). If no context
exists with this locator pair and INIT nonce, then silently exists with this locator pair and Initiator Nonce, then silently
discard. discard.
o R1bis packet: deliver to the context that has the locator pair and o R1bis packets: Deliver to the context that has the locator pair
the CT(peer) equal to the Packet Context Tag included in the R1bis and the CT(peer) equal to the Packet Context Tag included in the
packet. R1bis packet.
o I2bis packets: Deliver to the context associated with the ULID o I2bis packets: Deliver to the context associated with the ULID
pair and the Forked Instance Identifier. pair and the Forked Instance Identifier.
o Payload extension headers: Deliver to the context with CT(local) o Shim6 Payload Extension headers: Deliver to the context with
equal to the Receiver Context Tag included in the packet. CT(local) equal to the Receiver Context Tag included in the
packet.
o Other control messages (Update, Keepalive, Probe): Deliver to the o Other control messages (Update, Keepalive, Probe): Deliver to the
context with CT(local) equal to the Receiver Context Tag included context with CT(local) equal to the Receiver Context Tag included
in the packet. Verify that the IPv6 source address field is part in the packet. Verify that the IPv6 Source Address field is part
of Ls(peer) and that the IPv6 destination address field is part of of Ls(peer) and that the IPv6 Destination Address field is part of
Ls(local). If not, send a R1bis message. Ls(local). If not, send an R1bis message.
o Shim6 Error Messages and ICMP errors which contain a Shim6 payload o Shim6 Error messages and ICMP errors that contain a Shim6 Payload
extension header or other shim control packet in the "packet in Extension header or other shim control packet in the "packet in
error": Use the "packet in error" for dispatching as follows. error": Use the "packet in error" for dispatching as follows.
Deliver to the context with CT(peer) equal to the Receiver Context Deliver to the context with CT(peer) equal to the Receiver Context
Tag, Lp(local) being the IPv6 source address, and Lp(peer) being Tag -- Lp(local) being the IPv6 source address and Lp(peer) being
the IPv6 destination address. the IPv6 destination address.
In addition, the shim on the sending side needs to be able to find In addition, the shim on the sending side needs to be able to find
the context state when a ULP packet is passed down from the ULP. In the context state when a ULP packet is passed down from the ULP. In
that case the lookup key is the pair of ULIDs and FII=0. If we have that case, the lookup key is the pair of ULIDs and FII=0. If we have
a ULP API that allows the ULP to do context forking, then presumably a ULP API that allows the ULP to do context forking, then presumably
the ULP would pass down the Forked Instance Identifier. the ULP would pass down the Forked Instance Identifier.
13. Initial Contact 13. Initial Contact
The initial contact is some non-shim communication between two ULIDs, The initial contact is some non-shim communication between two ULIDs,
as described in Section 2. At that point in time there is no as described in Section 2. At that point in time, there is no
activity in the shim. activity in the shim.
Whether the shim ends up being used or not (e.g., the peer might not Whether or not the shim ends up being used (e.g., the peer might not
support Shim6) it is highly desirable that the initial contact can be support Shim6), it is highly desirable that the initial contact can
established even if there is a failure for one or more IP addresses. be established even if there is a failure for one or more IP
addresses.
The approach taken is to rely on the applications and the transport The approach taken is to rely on the applications and the transport
protocols to retry with different source and destination addresses, protocols to retry with different source and destination addresses,
consistent with what is already specified in Default Address consistent with what is already specified in "Default Address
Selection [7], and some fixes to that specification [8] to make it Selection for IPv6" [7] as well as with some fixes to that
try different source addresses and not only different destination specification [9], to make it try different source addresses and not
addresses. only different destination addresses.
The implementation of such an approach can potentially result in long The implementation of such an approach can potentially result in long
timeouts. For instance, a naive implementation at the socket API timeouts. For instance, consider a naive implementation at the
which uses getaddrinfo() to retrieve all destination addresses and socket API that uses getaddrinfo() to retrieve all destination
then tries to bind() and connect() to try all source and destination addresses and then tries to bind() and connect() to try all source
address combinations waiting for TCP to time out for each combination and destination address combinations and waits for TCP to time out
before trying the next one. for each combination before trying the next one.
However, if implementations encapsulate this in some new connect-by- However, if implementations encapsulate this in some new connect-by-
name() API, and use non-blocking connect calls, it is possible to name() API and use non-blocking connect calls, it is possible to
cycle through the available combinations in a more rapid manner until cycle through the available combinations in a more rapid manner until
a working source and destination pair is found. Thus the issues in a working source and destination pair is found. Thus, the issues in
this domain are issues of implementations and the current socket API, this domain are issues of implementations and the current socket API,
and not issues of protocol specification. In all honesty, while and not issues of protocol specification. In all honesty, while
providing an easy to use connect-by-name() API for TCP and other providing an easy to use connect-by-name() API for TCP and other
connection-oriented transports is easy; providing a similar connection-oriented transports is easy, providing a similar
capability at the API for UDP is hard due to the protocol itself not capability at the API for UDP is hard due to the protocol itself not
providing any "success" feedback. But even the UDP issue is one of providing any "success" feedback. Yet, even the UDP issue is one of
APIs and implementation. APIs and implementation.
14. Protocol constants 14. Protocol Constants
The protocol uses the following constants: The protocol uses the following constants:
I1_RETRIES_MAX = 4 I1_RETRIES_MAX = 4
I1_TIMEOUT = 4 seconds I1_TIMEOUT = 4 seconds
NO_R1_HOLDDOWN_TIME = 1 min NO_R1_HOLDDOWN_TIME = 1 min
ICMP_HOLDDOWN_TIME = 10 min ICMP_HOLDDOWN_TIME = 10 min
skipping to change at page 92, line 32 skipping to change at page 87, line 35
I2bis_RETRIES_MAX = 2 I2bis_RETRIES_MAX = 2
VALIDATOR_MIN_LIFETIME = 30 seconds VALIDATOR_MIN_LIFETIME = 30 seconds
UPDATE_TIMEOUT = 4 seconds UPDATE_TIMEOUT = 4 seconds
MAX_UPDATE_TIMEOUT = 120 seconds MAX_UPDATE_TIMEOUT = 120 seconds
The retransmit timers (I1_TIMEOUT, I2_TIMEOUT, UPDATE_TIMEOUT) are The retransmit timers (I1_TIMEOUT, I2_TIMEOUT, UPDATE_TIMEOUT) are
subject to binary exponential backoff, as well as randomization subject to binary exponential backoff as well as to randomization
across a range of 0.5 and 1.5 times the nominal (backed off) value. across a range of 0.5 and 1.5 times the nominal (backed off) value.
This removes any risk of synchronization between lots of hosts This removes any risk of synchronization between lots of hosts
performing independent shim operations at the same time. performing independent shim operations at the same time.
The randomization is applied after the binary exponential backoff. The randomization is applied after the binary exponential backoff.
Thus the first retransmission would happen based on a uniformly Thus, the first retransmission would happen based on a uniformly
distributed random number in the range [0.5*4, 1.5*4] seconds, the distributed random number in the range of [0.5*4, 1.5*4] seconds; the
second retransmission [0.5*8, 1.5*8] seconds after the first one, second retransmission, [0.5*8, 1.5*8] seconds after the first one,
etc. etc.
15. Implications Elsewhere 15. Implications Elsewhere
15.1. Congestion Control Considerations 15.1. Congestion Control Considerations
When the locator pair currently used for exchanging packets in a When the locator pair currently used for exchanging packets in a
Shim6 context becomes unreachable, the Shim6 layer will divert the Shim6 context becomes unreachable, the Shim6 layer will divert the
communication through an alternative locator pair, which in most communication through an alternative locator pair, which in most
cases will result in redirecting the packet flow through an cases will result in redirecting the packet flow through an
alternative network path. In this case, it recommended that the alternative network path. In this case, it is recommended that the
Shim6 follows the recommendation defined in [20] and it informs the Shim6 follows the recommendation defined in [21] and informs the
upper layers about the path change, in order to allow the congestion upper layers about the path change, in order to allow the congestion
control mechanisms of the upper layers to react accordingly. control mechanisms of the upper layers to react accordingly.
15.2. Middle-boxes considerations 15.2. Middle-Boxes Considerations
Data packets belonging to a Shim6 context carrying the Shim6 Payload Data packets belonging to a Shim6 context carrying the Shim6 Payload
Header contain alternative locators other than the ULIDs in the header contain alternative locators other than the ULIDs in the
source and destination address fields of the IPv6 header. On the Source and Destination Address fields of the IPv6 header. On the
other hand, the upper layers of the peers involved in the other hand, the upper layers of the peers involved in the
communication operate on the ULID pair presented by the Shim6 layer communication operate on the ULID pair presented to them by the Shim6
to them, rather on the locator pair contained in the IPv6 header of layer, rather than on the locator pair contained in the IPv6 header
the actual packets. It should be noted that the Shim6 layer does not of the actual packets. It should be noted that the Shim6 layer does
modify the data packets, but because a constant ULID pair is not modify the data packets but, because a constant ULID pair is
presented to upper layers irrespective of the locator pair changes, presented to upper layers irrespective of the locator pair changes,
the relation between the upper layer header (such as TCP, UDP, ICMP, the relation between the upper-layer header (such as TCP, UDP, ICMP,
ESP, etc) and the IPv6 header is modified. In particular, when the ESP, etc) and the IPv6 header is modified. In particular, when the
Shim6 Extension header is present in the packet, if those data Shim6 Extension header is present in the packet, if those data
packets are TCP, UDP or ICMP packets, the pseudoheader used for the packets are TCP, UDP, or ICMP packets, the pseudo-header used for the
checksum calculation will contain the ULID pair, rather than the checksum calculation will contain the ULID pair, rather than the
locator pair contained in the data packet. locator pair contained in the data packet.
It is possible that some firewalls or other middle boxes try to It is possible that some firewalls or other middle-boxes will try to
verify the validity of upper layer sanity checks of the packet on the verify the validity of upper-layer sanity checks of the packet on the
fly. If they do that based on the actual source and destination fly. If they do that based on the actual source and destination
addresses contained in the IPv6 header without considering the Shim6 addresses contained in the IPv6 header without considering the Shim6
context information (in particular without replacing the locator pair context information (in particular, without replacing the locator
by the ULID pair used by the Shim6 context) such verifications may pair by the ULID pair used by the Shim6 context), such verifications
fail. Those middle-boxes need to be updated in order to be able to may fail. Those middle-boxes need to be updated in order to be able
parse the Shim6 payload header and find the next header header after to parse the Shim6 Payload header and find the next header. It is
that. It is recommended that firewalls and other middle-boxes do not recommended that firewalls and other middle-boxes do not drop packets
drop packets that carry the Shim6 Payload header with apparently that carry the Shim6 Payload header with apparently incorrect upper-
incorrect upper layer validity checks that involve the addresses in layer validity checks that involve the addresses in the IPv6 header
the IPv6 header for their computation, unless they are able to for their computation, unless they are able to determine the ULID
determine the ULID pair of the Shim6 context associated to the data pair of the Shim6 context associated to the data packet and use the
packet and use the ULID pair for the verification of the validity ULID pair for the verification of the validity check.
check.
In the particular case of TCP, UDP and ICMP checksums, it is In the particular case of TCP, UDP, and ICMP checksums, it is
recommended that firewalls and other middle-boxes do not drop TCP, recommended that firewalls and other middle-boxes do not drop TCP,
UDP and ICMP packets that carry the Shim6 Payload header with UDP, and ICMP packets that carry the Shim6 Payload header with
apparently incorrect checksums when using the addresses in the IPv6 apparently incorrect checksums when using the addresses in the IPv6
header for the pseudoheader computation, unless they implement are header for the pseudo-header computation, unless they are able to
able to determine the ULID pair of the Shim6 context associated to determine the ULID pair of the Shim6 context associated to the data
the data packet and use the ULID pair to determine the checksum that packet and use the ULID pair to determine the checksum that must be
must be present in a packet with addresses rewritten by Shim6. present in a packet with addresses rewritten by Shim6.
In addition, firewalls that today pass limited traffic, e.g., In addition, firewalls that today pass limited traffic, e.g.,
outbound TCP connections, would presumably block the Shim6 protocol. outbound TCP connections, would presumably block the Shim6 protocol.
This means that even when Shim6 capable hosts are communicating, the This means that even when Shim6-capable hosts are communicating, the
I1 messages would be dropped, hence the hosts would not discover that I1 messages would be dropped; hence, the hosts would not discover
their peer is Shim6 capable. This is in fact a feature, since if the that their peer is Shim6-capable. This is, in fact, a benefit since,
hosts managed to establish a ULID-pair context, then the firewall if the hosts managed to establish a ULID-pair context, the firewall
would probably drop the "different" packets that are sent after a would probably drop the "different" packets that are sent after a
failure (those using the Shim6 payload extension header with a TCP failure (those using the Shim6 Payload Extension header with a TCP
packet inside it). Thus stateful firewalls that are modified to pass packet inside it). Thus, stateful firewalls that are modified to
Shim6 messages should also be modified to pass the payload extension pass Shim6 messages should also be modified to pass the Shim6 Payload
header, so that the shim can use the alternate locators to recover Extension header so that the shim can use the alternate locators to
from failures. This presumably implies that the firewall needs to recover from failures. This presumably implies that the firewall
track the set of locators in use by looking at the Shim6 control needs to track the set of locators in use by looking at the Shim6
exchanges. Such firewalls might even want to verify the locators control exchanges. Such firewalls might even want to verify the
using the HBA/CGA verification themselves, which they can do without locators using the HBA/CGA verification themselves, which they can do
modifying any of the Shim6 packets they pass through. without modifying any of the Shim6 packets through which they pass.
15.3. Operation and Management Considerations 15.3. Operation and Management Considerations
This section considers some aspects related to the operations and This section considers some aspects related to the operations and
management of the Shim6 protocol. management of the Shim6 protocol.
Deployment of th Shim6 protocol: The Shim6 protocol is a host based Deployment of the Shim6 protocol: The Shim6 protocol is a host-based
solution, so, in order to be deployed, the stacks of the hosts using solution. So, in order to be deployed, the stacks of the hosts using
the Shim6 protocol need to be updated to support it. This enables an the Shim6 protocol need to be updated to support it. This enables an
incremental deployment of the protocol, since it does not requires a incremental deployment of the protocol since it does not require a
flag day for the deployment, just single host updates. If the Shim6 flag day for the deployment -- just single host updates. If the
solution will be deployed in a site, host can be gradually updated to Shim6 solution will be deployed in a site, the host can be gradually
support the solution. Moreover, for supporting the Shim6 protocol, updated to support the solution. Moreover, for supporting the Shim6
only end hosts need to be updated and no router changes are required. protocol, only end hosts need to be updated and no router changes are
However, it should be noted that in order to benefit from the Shim6 required. However, it should be noted that, in order to benefit from
protocol, both ends of a communication should support the protocol, the Shim6 protocol, both ends of a communication should support the
meaning that both hosts must be updated to be able to use the Shim6 protocol, meaning that both hosts must be updated to be able to use
protocol. Nevertheless, the Shim6 protocol uses a deferred context the Shim6 protocol. Nevertheless, the Shim6 protocol uses a deferred
setup capability, that allows to establish normal IPv6 communications context-setup capability that allows end hosts to