RFC 5533
Shim6: Level 3 Multihoming Shim Protocol for IPv6
Pages: 124
Proposed Standard
Proposed Standard
Part 2 of 5 – Pages 17 to 50
4. Protocol Overview
The Shim6 protocol operates in several phases over time. The following sequence illustrates the concepts: o An application on host A decides to contact an application on host B using some upper-layer protocol. This results in the ULP on host A sending packets to host B. We call this the initial contact. Assuming the IP addresses selected by default address selection [7] and its extensions [9] work, then there is no action by the shim at this point in time. Any shim context establishment can be deferred until later. o Some heuristic on A or B (or both) determine that it is appropriate to pay the Shim6 overhead to make this host-to-host communication robust against locator failures. For instance, this heuristic might be that more than 50 packets have been sent or received, or that there was a timer expiration while active packet exchange was in place. This makes the shim initiate the 4-way, context-establishment exchange. The purpose of this heuristic is to avoid setting up a shim context when only a small number of packets is exchanged between two hosts. As a result of this exchange, both A and B will know a list of locators for each other. If the context-establishment exchange fails, the initiator will then know that the other end does not support Shim6, and will continue with standard (non-Shim6) behavior for the session. o Communication continues without any change for the ULP packets. In particular, there are no Shim6 Extension headers added to the ULP packets, since the ULID pair is the same as the locator pair. In addition, there might be some messages exchanged between the shim sublayers for (un)reachability detection. o At some point in time, something fails. Depending on the approach to reachability detection, there might be some advice from the ULP, or the shim (un)reachability detection might discover that there is a problem. At this point in time, one or both ends of the communication need to probe the different alternate locator pairs until a working pair is found, and then switch to using that locator pair. o Once a working alternative locator pair has been found, the shim will rewrite the packets on transmit and tag the packets with the Shim6 Payload Extension header, which contains the receiver's
Context Tag. The receiver will use the Context Tag to find the
context state, which will indicate which addresses to place in the
IPv6 header before passing the packet up to the ULP. The result
is that, from the perspective of the ULP, the packet passes
unmodified end-to-end, even though the IP routing infrastructure
sends the packet to a different locator.
o The shim (un)reachability detection will monitor the new locator
pair as it monitored the original locator pair, so that subsequent
failures can be detected.
o In addition to failures detected based on end-to-end observations,
one endpoint might know for certain that one or more of its
locators is not working. For instance, the network interface
might have failed or gone down (at layer 2), or an IPv6 address
might have become deprecated or invalid. In such cases, the host
can signal its peer that trying this address is no longer
recommended. This triggers something similar to a failure
handling, and a new working locator pair must be found.
The protocol also has the ability to express other forms of
locator preferences. A change in any preference can be signaled
to the peer, which will have made the peer record the new
preferences. A change in the preferences might optionally make
the peer want to use a different locator pair. In this case, the
peer follows the same locator switching procedure as after a
failure (by verifying that its peer is indeed present at the
alternate locator, etc).
o When the shim thinks that the context state is no longer used, it
can garbage collect the state; there is no coordination necessary
with the peer host before the state is removed. There is a
recovery message defined to be able to signal when there is no
context state, which can be used to detect and recover from both
premature garbage collection as well as from complete state loss
(crash and reboot) of a peer.
The exact mechanism to determine when the context state is no
longer used is implementation dependent. For example, an
implementation might use the existence of ULP state (where known
to the implementation) as an indication that the state is still
used, combined with a timer (to handle ULP state that might not be
known to the shim sublayer) to determine when the state is likely
to no longer be used.
NOTE 1: The ULP packets in Shim6 can be carried completely unmodified
as long as the ULID pair is used as the locator pair. After a switch
to a different locator pair, the packets are "tagged" with a Shim6
Extension header so that the receiver can always determine the context to which they belong. This is accomplished by including an 8-octet Shim6 Payload Extension header before the (extension) headers that are processed by the IP endpoint sublayer and ULPs. If, subsequently, the original ULIDs are selected as the active locator pair, then the tagging of packets with the Shim6 Extension header is no longer necessary.4.1. Context Tags
A context between two hosts is actually a context between two ULIDs. The context is identified by a pair of Context Tags. Each end gets to allocate a Context Tag, and once the context is established, most Shim6 control messages contain the Context Tag that the receiver of the message allocated. Thus, at a minimum, the combination of <peer ULID, local ULID, local Context Tag> have to uniquely identify one context. But, since the Shim6 Payload Extension headers are demultiplexed without looking at the locators in the packet, the receiver will need to allocate Context Tags that are unique for all its contexts. The Context Tag is a 47-bit number (the largest that can fit in an 8-octet extension header), while preserving one bit to differentiate the Shim6 signaling messages from the Shim6 header included in data packets, allowing both to use the same protocol number. The mechanism for detecting a loss of context state at the peer assumes that the receiver can tell the packets that need locator rewriting, even after it has lost all state (e.g., due to a crash followed by a reboot). This is achieved because, after a rehoming event, the packets that need receive-side rewriting carry the Shim6 Payload Extension header.4.2. Context Forking
It has been asserted that it will be important for future ULPs -- in particular, future transport protocols -- to be able to control which locator pairs are used for different communication. For instance, host A and host B might communicate using both Voice over IP (VoIP) traffic and ftp traffic, and those communications might benefit from using different locator pairs. However, the basic Shim6 mechanism uses a single current locator pair for each context; thus, a single context cannot accomplish this. For this reason, the Shim6 protocol supports the notion of context forking. This is a mechanism by which a ULP can specify (using some API not yet defined) that a context, e.g., the ULID pair <A1, B2>,
should be forked into two contexts. In this case, the forked-off context will be assigned a non-zero Forked Instance Identifier, while the default context has FII zero. The Forked Instance Identifier (FII) is a 32-bit identifier that has no semantics in the protocol other than being part of the tuple that identifies the context. For example, a host might allocate FIIs as sequential numbers for any given ULID pair. No other special considerations are needed in the Shim6 protocol to handle forked contexts. Note that forking as specified does NOT allow A to be able to tell B that certain traffic (a 5-tuple?) should be forked for the reverse direction. The Shim6 forking mechanism as specified applies only to the sending of ULP packets. If some ULP wants to fork for both directions, it is up to the ULP to set this up and then instruct the shim at each end to transmit using the forked context.4.3. API Extensions
Several API extensions have been discussed for Shim6, but their actual specification is out of scope for this document. The simplest one would be to add a socket option to be able to have traffic bypass the shim (not create any state and not use any state created by other traffic). This could be an IPV6_DONTSHIM socket option. Such an option would be useful for protocols, such as DNS, where the application has its own failover mechanism (multiple NS records in the case of DNS) and using the shim could potentially add extra latency with no added benefits. Some other API extensions are discussed in Appendix A. The actual API extensions are defined in [23].4.4. Securing Shim6
The mechanisms are secured using a combination of techniques: o The HBA technique [3] for verifying the locators to prevent an attacker from redirecting the packet stream to somewhere else. o Requiring a Reachability Probe+Reply (defined in [4]) before a new locator is used as the destination, in order to prevent 3rd party flooding attacks.
o The first message does not create any state on the responder.
Essentially, a 3-way exchange is required before the responder
creates any state. This means that a state-based DoS attack
(trying to use up all memory on the responder) at least provides
an IPv6 address that the attacker was using.
o The context-establishment messages use nonces to prevent replay
attacks and to prevent off-path attackers from interfering with
the establishment.
o Every control message of the Shim6 protocol, past the context
establishment, carries the Context Tag assigned to the particular
context. This implies that an attacker needs to discover that
Context Tag before being able to spoof any Shim6 control message.
Such discovery probably requires any potential attacker to be
along the path in order to sniff the Context Tag value. The
result is that through this technique, the Shim6 protocol is
protected against off-path attackers.
4.5. Overview of Shim Control Messages
The Shim6 context establishment is accomplished using four messages;
I1, R1, I2, R2. Normally, they are sent in that order from initiator
and responder, respectively. Should both ends attempt to set up
context state at the same time (for the same ULID pair), then their
I1 messages might cross in flight, and result in an immediate R2
message. (The names of these messages are borrowed from HIP [20].)
R1bis and I2bis messages are defined; they are used to recover a
context after it has been lost. An R1bis message is sent when a
Shim6 control or Shim6 Payload Extension header arrives and there is
no matching context state at the receiver. When such a message is
received, it will result in the re-creation of the Shim6 context
using the I2bis and R2 messages.
The peers' lists of locators are normally exchanged as part of the
context-establishment exchange. But the set of locators might be
dynamic. For this reason, there are Update Request and Update
Acknowledgement messages as well as a Locator List option.
Even when the list of locators is fixed, a host might determine that
some preferences might have changed. For instance, it might
determine that there is a locally visible failure that implies that
some locator(s) are no longer usable. This uses a Locator
Preferences option in the Update Request message.
The mechanism for (un)reachability detection is called Forced Bidirectional Communication (FBD). FBD uses a Keepalive message which is sent when a host has received packets from its peer but has not yet sent any packets from its ULP to the peer. The message type is reserved in this document, but the message format and processing rules are specified in [4]. In addition, when the context is established and there is a subsequent failure, there needs to be a way to probe the set of locator pairs to efficiently find a working pair. This document reserves a Probe message type, with the packet format and processing rules specified in [4]. The above Probe and Keepalive messages assume we have an established ULID-pair context. However, communication might fail during the initial contact (that is, when the application or transport protocol is trying to set up some communication). This is handled using the mechanisms in the ULP to try different address pairs as specified in [7] and [9]. In future versions of the protocol, and with a richer API between the ULP and the shim, the shim might be able to help optimize discovering a working locator pair during initial contact. This is for further study.4.6. Extension Header Order
Since the shim is placed between the IP endpoint sublayer and the IP routing sublayer, the Shim header will be placed before any Endpoint Extension headers (Fragmentation headers, Destination Options header, AH, ESP) but after any routing-related headers (Hop-by-Hop Extensions header, Routing header, and a Destinations Options header, which precedes a Routing header). When tunneling is used, whether IP-in-IP tunneling or the special form of tunneling that Mobile IPv6 uses (with Home Address options and Routing header type 2), there is a choice whether the shim applies inside the tunnel or outside the tunnel, which affects the location of the Shim6 header. In most cases, IP-in-IP tunnels are used as a routing technique; thus, it makes sense to apply them on the locators, which means that the sender would insert the Shim6 header after any IP-in-IP encapsulation. This is what occurs naturally when routers apply IP- in-IP encapsulation. Thus, the packets would have: o Outer IP header o Inner IP header
o Shim6 Extension header (if needed) o ULP But the shim can also be used to create "shimmed tunnels", i.e., where an IP-in-IP tunnel uses the shim to be able to switch the tunnel endpoint addresses between different locators. In such a case, the packets would have: o Outer IP header o Shim6 Extension header (if needed) o Inner IP header o ULP In any case, the receiver behavior is well-defined; a receiver processes the Extension headers in order. However, the precise interaction between Mobile IPv6 and Shim6 is for further study; it might make sense to have Mobile IPv6 operate on locators as well, meaning that the shim would be layered on top of the MIPv6 mechanism.5. Message Formats
The Shim6 messages are all carried using a new IP protocol number (140). The Shim6 messages have a common header (defined below) with some fixed fields, followed by type-specific fields. The Shim6 messages are structured as an IPv6 Extension header since the Shim6 Payload Extension header is used to carry the ULP packets after a locator switch. The Shim6 control messages use the same extension header formats so that a single "protocol number" needs to be allowed through firewalls in order for Shim6 to function across the firewall.5.1. Common Shim6 Message Format
The first 17 bits of the Shim6 header is common for the Shim6 Payload Extension header and for the control messages. It looks as follows: 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Hdr Ext Len |P| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Next Header: The payload that follows this header.
Hdr Ext Len: 8-bit unsigned integer. Length of the Shim6 header in
8-octet units, not including the first 8 octets.
P: A single bit to distinguish Shim6 Payload Extension
headers from control messages.
Shim6 signaling packets may not be larger than 1280 bytes, including
the IPv6 header and any intermediate headers between the IPv6 header
and the Shim6 header. One way to meet this requirement is to omit
part of the locator address information if, with this information
included, the packet would become larger than 1280 bytes. Another
option is to perform option engineering, dividing into different
Shim6 messages the information to be transmitted. An implementation
may impose administrative restrictions to avoid excessively large
Shim6 packets, such as a limitation on the number of locators to be
used.
5.2. Shim6 Payload Extension Header Format
The Shim6 Payload Extension header is used to carry ULP packets where
the receiver must replace the content of the Source and/or
Destination fields in the IPv6 header before passing the packet to
the ULP. Thus, this extension header is required when the locator
pair that is used is not the same as the ULID pair.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | 0 |1| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Next Header: The payload that follows this header.
Hdr Ext Len: 0 (since the header is 8 octets).
P: Set to one. A single bit to distinguish this from the
Shim6 control messages.
Receiver Context Tag:
47-bit unsigned integer. Allocated by the receiver to
identify the context.
5.3. Common Shim6 Control Header
The common part of the header has a Next Header field and a Header
Extension Length field that are consistent with the other IPv6
Extension headers, even if the Next Header value is always "NO NEXT
HEADER" for the control messages.
The Shim6 headers must be a multiple of 8 octets; hence, the minimum
size is 8 octets.
The common Shim6 Control message header is as follows:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Hdr Ext Len |P| Type |Type-specific|S|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Type-specific format |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Next Header: 8-bit selector. Normally set to NO_NXT_HDR (59).
Hdr Ext Len: 8-bit unsigned integer. Length of the Shim6 header in
8-octet units, not including the first 8 octets.
P: Set to zero. A single bit to distinguish this from
the Shim6 Payload Extension header.
Type: 7-bit unsigned integer. Identifies the actual message
from the table below. Type codes 0-63 will not
trigger R1bis messages on a missing context, while
codes 64-127 will trigger R1bis.
S: A single bit set to zero that allows Shim6 and HIP to
have a common header format yet still distinguishes
between Shim6 and HIP messages.
Checksum: 16-bit unsigned integer. The checksum is the 16-bit
one's complement of the one's complement sum of the
entire Shim6 header message, starting with the Shim6
Next Header field and ending as indicated by the Hdr
Ext Len. Thus, when there is a payload following the
Shim6 header, the payload is NOT included in the Shim6
checksum. Note that, unlike protocols like ICMPv6,
there is no pseudo-header checksum part of the
checksum; this provides locator agility without having
to change the checksum.
Type-specific: Part of the message that is different for different
message types.
+------------+----------------------------------------------------+
| Type Value | Message |
+------------+----------------------------------------------------+
| 1 | I1 (1st establishment message from the initiator) |
| 2 | R1 (1st establishment message from the responder) |
| 3 | I2 (2nd establishment message from the initiator) |
| 4 | R2 (2nd establishment message from the responder) |
| 5 | R1bis (Reply to reference to non-existent context) |
| 6 | I2bis (Reply to an R1bis message) |
| 64 | Update Request |
| 65 | Update Acknowledgement |
| 66 | Keepalive |
| 67 | Probe Message |
| 68 | Error Message |
+------------+----------------------------------------------------+
Table 1
5.4. I1 Message Format
The I1 message is the first message in the context-establishment
exchange.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 1 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Initiator Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets when there
are no options.
Type: 1
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Initiator Context Tag:
47-bit field. The Context Tag that the initiator has
allocated for the context.
Initiator Nonce:
32-bit unsigned integer. A random number picked by
the initiator, which the responder will return in the
R1 message.
The following options are defined for this message:
ULID pair: When the IPv6 source and destination addresses in the
IPv6 header does not match the ULID pair, this option
MUST be included. An example of this is when
recovering from a lost context.
Forked Instance Identifier:
When another instance of an existent context with the
same ULID pair is being created, a Forked Instance
Identifier option MUST be included to distinguish this
new instance from the existent one.
Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15.
5.5. R1 Message Format
The R1 message is the second message in the context-establishment
exchange. The responder sends this in response to an I1 message,
without creating any state specific to the initiator.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 2 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Responder Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets when there
are no options.
Type: 2
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Initiator Nonce:
32-bit unsigned integer. Copied from the I1 message.
Responder Nonce:
32-bit unsigned integer. A number picked by the
responder, which the initiator will return in the I2
message.
The following options are defined for this message:
Responder Validator:
Variable length option. This option MUST be included
in the R1 message. Typically, it contains a hash
generated by the responder, which the responder uses
together with the Responder Nonce value to verify that
an I2 message is indeed sent in response to an R1
message, and that the parameters in the I2 message are
the same as those in the I1 message.
Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15.
5.6. I2 Message Format
The I2 message is the third message in the context-establishment
exchange. The initiator sends this in response to an R1 message,
after checking the Initiator Nonce, etc.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 3 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Initiator Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Responder Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 2, since the header is 24 octets when there
are no options.
Type: 3
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Initiator Context Tag:
47-bit field. The Context Tag that the initiator has
allocated for the context.
Initiator Nonce:
32-bit unsigned integer. A random number picked by
the initiator, which the responder will return in the
R2 message.
Responder Nonce:
32-bit unsigned integer. Copied from the R1 message.
Reserved2: 32-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. (Needed to
make the options start on a multiple of 8 octet
boundary.)
The following options are defined for this message:
Responder Validator:
Variable length option. This option MUST be included
in the I2 message and MUST be generated by copying the
Responder Validator option received in the R1 message.
ULID pair: When the IPv6 source and destination addresses in the
IPv6 header do not match the ULID pair, this option
MUST be included. An example of this is when
recovering from a lost context.
Forked Instance Identifier:
When another instance of an existent context with the
same ULID pair is being created, a Forked Instance
Identifier option MUST be included to distinguish this
new instance from the existent one.
Locator List: Optionally sent when the initiator immediately wants
to tell the responder its list of locators. When it
is sent, the necessary HBA/CGA information for
verifying the locator list MUST also be included.
Locator Preferences:
Optionally sent when the locators don't all have equal
preference.
CGA Parameter Data Structure:
This option MUST be included in the I2 message when
the locator list is included so the receiver can
verify the locator list.
CGA Signature: This option MUST be included in the I2 message when
some of the locators in the list use CGA (and not HBA)
for verification.
Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15.
5.7. R2 Message Format
The R2 message is the fourth message in the context-establishment
exchange. The responder sends this in response to an I2 message.
The R2 message is also used when both hosts send I1 messages at the
same time and the I1 messages cross in flight.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 4 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Responder Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets when there
are no options.
Type: 4
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Responder Context Tag:
47-bit field. The Context Tag that the responder has
allocated for the context.
Initiator Nonce:
32-bit unsigned integer. Copied from the I2 message.
The following options are defined for this message:
Locator List: Optionally sent when the responder immediately wants
to tell the initiator its list of locators. When it
is sent, the necessary HBA/CGA information for
verifying the locator list MUST also be included.
Locator Preferences:
Optionally sent when the locators don't all have equal
preference.
CGA Parameter Data Structure:
Included when the locator list is included so the
receiver can verify the locator list.
CGA Signature: Included when some of the locators in the list use CGA
(and not HBA) for verification.
Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15.
5.8. R1bis Message Format
Should a host receive a packet with a Shim6 Payload Extension header
or Shim6 control message with type code 64-127 (such as an Update or
Probe message), and the host does not have any context state for the
received Context Tag, then it will generate a R1bis message.
This message allows the sender of the packet referring to the non-
existent context to re-establish the context with a reduced context-
establishment exchange. Upon the reception of the R1bis message, the
receiver can proceed with re-establishing the lost context by
directly sending an I2bis message.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 5 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Packet Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Responder Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets when there
are no options.
Type: 5
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Packet Context Tag:
47-bit unsigned integer. The Context Tag contained in
the received packet that triggered the generation of
the R1bis message.
Responder Nonce:
32-bit unsigned integer. A number picked by the
responder which the initiator will return in the I2bis
message.
The following options are defined for this message:
Responder Validator:
Variable length option. Typically, a hash generated
by the responder, which the responder uses together
with the Responder Nonce value to verify that an I2bis
message is indeed sent in response to an R1bis
message.
Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15.
5.9. I2bis Message Format
The I2bis message is the third message in the context-recovery
exchange. This is sent in response to an R1bis message, after
checking that the R1bis message refers to an existing context, etc.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 6 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Initiator Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Responder Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved2 |
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Packet Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 3, since the header is 32 octets when there
are no options.
Type: 6
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Initiator Context Tag:
47-bit field. The Context Tag that the initiator has
allocated for the context.
Initiator Nonce:
32-bit unsigned integer. A random number picked by
the initiator, which the responder will return in the
R2 message.
Responder Nonce:
32-bit unsigned integer. Copied from the R1bis
message.
Reserved2: 49-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. (Note that 17
bits are not sufficient since the options need to
start on a multiple-of-8-octet boundary.)
Packet Context Tag:
47-bit unsigned integer. Copied from the Packet
Context Tag field contained in the received R1bis.
The following options are defined for this message:
Responder Validator:
Variable length option. Just a copy of the Responder
Validator option in the R1bis message.
ULID pair: When the IPv6 source and destination addresses in the
IPv6 header do not match the ULID pair, this option
MUST be included.
Forked Instance Identifier:
When another instance of an existent context with the
same ULID pair is being created, a Forked Instance
Identifier option is included to distinguish this new
instance from the existent one.
Locator List: Optionally sent when the initiator immediately wants
to tell the responder its list of locators. When it
is sent, the necessary HBA/CGA information for
verifying the locator list MUST also be included.
Locator Preferences:
Optionally sent when the locators don't all have equal
preference.
CGA Parameter Data Structure:
Included when the locator list is included so the
receiver can verify the locator list.
CGA Signature: Included when some of the locators in the list use CGA
(and not HBA) for verification.
Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15.
5.10. Update Request Message Format
The Update Request message is used to update either the list of locators, the locator preferences, or both. When the list of locators is updated, the message also contains the option(s) necessary for HBA/CGA to secure this. The basic sanity check that prevents off-path attackers from generating bogus updates is the Context Tag in the message. The Update Request message contains options (the Locator List and the Locator Preferences) that, when included, completely replace the previous locator list and locator preferences, respectively. Thus, there is no mechanism to just send deltas to the locator list. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 59 | Hdr Ext Len |0| Type = 64 | Reserved1 |0| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Checksum |R| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Receiver Context Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Request Nonce | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Options + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: Next Header: NO_NXT_HDR (59). Hdr Ext Len: At least 1, since the header is 16 octets when there are no options. Type: 64 Reserved1: 7-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. R: 1-bit field. Reserved for future use. Zero on transmit. MUST be ignored on receipt. Receiver Context Tag: 47-bit field. The Context Tag that the receiver has allocated for the context.
Request Nonce:
32-bit unsigned integer. A random number picked by
the initiator, which the peer will return in the
Update Acknowledgement message.
The following options are defined for this message:
Locator List: The list of the sender's (new) locators. The locators
might be unchanged and only the preferences have
changed.
Locator Preferences:
Optionally sent when the locators don't all have equal
preference.
CGA Parameter Data Structure (PDS):
Included when the locator list is included and the PDS
was not included in the I2/ I2bis/R2 messages, so the
receiver can verify the locator list.
CGA Signature: Included when some of the locators in the list use CGA
(and not HBA) for verification.
Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15.
5.11. Update Acknowledgement Message Format
This message is sent in response to an Update Request message. It
implies that the Update Request has been received and that any new
locators in the Update Request can now be used as the source locators
of packets. But it does not imply that the (new) locators have been
verified to be used as a destination, since the host might defer the
verification of a locator until it sees a need to use a locator as
the destination.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 65 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |R| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets when there
are no options.
Type: 65
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
R: 1-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Receiver Context Tag:
47-bit field. The Context Tag the receiver has
allocated for the context.
Request Nonce: 32-bit unsigned integer. Copied from the Update
Request message.
No options are currently defined for this message.
Future protocol extensions might define additional options for this
message. The C-bit in the option format defines how such a new
option will be handled by an implementation. See Section 5.15.
5.12. Keepalive Message Format
This message format is defined in [4]. The message is used to ensure that when a peer is sending ULP packets on a context, it always receives some packets in the reverse direction. When the ULP is sending bidirectional traffic, no extra packets need to be inserted. But for a unidirectional ULP traffic pattern, the shim will send back some Keepalive messages when it is receiving ULP packets.5.13. Probe Message Format
This message and its semantics are defined in [4]. The goal of this mechanism is to test whether or not locator pairs work in the general case. In particular, this mechanism is to be able to handle the case when one locator pair works from A to B and another locator pair works from B to A, but there is no locator pair that works in both directions. The protocol mechanism is that, as A is sending Probe messages to B, B will observe which locator pairs it has received and report that back in Probe messages it sends to A.5.14. Error Message Format
The Error message is generated by a Shim6 receiver upon the reception of a Shim6 message containing critical information that cannot be processed properly. In the case that a Shim6 node receives a Shim6 packet that contains information that is critical for the Shim6 protocol and that is not supported by the receiver, it sends an Error Message back to the originator of the Shim6 message. The Error message is unacknowledged. In addition, Shim6 Error messages defined in this section can be used to identify problems with Shim6 implementations. In order to do so, a range of Error Code types is reserved for that purpose. In particular, implementations may generate Shim6 Error messages with Code types in that range, instead of silently discarding Shim6 packets during the debugging process.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 68 | Error Code |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | Pointer |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Packet in error +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Next Header: NO_NXT_HDR (59).
Hdr Ext Len: At least 1, since the header is 16 octets. Depends on
the specific Error Data.
Type: 68
Error Code: 7-bit field describing the error that generated the
Error message. See Error Code list below.
Pointer: 16-bit field. Identifies the octet offset within the
invoking packet where the error was detected.
Packet in error:
As much of invoking packet as possible without the
Error message packet exceeding the minimum IPv6 MTU.
The following Error Codes are defined:
+---------+---------------------------------------------------------+
| Code | Description |
| Value | |
+---------+---------------------------------------------------------+
| 0 | Unknown Shim6 message type |
| 1 | Critical option not recognized |
| 2 | Locator verification method failed (Pointer to the |
| | inconsistent verification method octet) |
| 3 | Locator List Generation number out of sync. |
| 4 | Error in the number of locators in a Locator Preference |
| | option |
| 120-127 | Reserved for debugging purposes |
+---------+---------------------------------------------------------+
Table 2
5.15. Option Formats
The format of the options is a snapshot of the current HIP option format [20]. However, there is no intention to track any changes to the HIP option format, nor is there an intent to use the same name space for the option type values. But using the same format will hopefully make it easier to import HIP capabilities into Shim6 as extensions to Shim6, should this turn out to be useful. All of the TLV parameters have a length (including Type and Length fields) that is a multiple of 8 bytes. When needed, padding MUST be added to the end of the parameter so that the total length becomes a multiple of 8 bytes. This rule ensures proper alignment of data. If padding is added, the Length field MUST NOT include the padding. Any added padding bytes MUST be zeroed by the sender, and their values SHOULD NOT be checked by the receiver. Consequently, the Length field indicates the length of the Contents field (in bytes). The total length of the TLV parameter (including Type, Length, Contents, and Padding) is related to the Length field according to the following formula: Total Length = 11 + Length - (Length + 3) mod 8; The total length of the option is the smallest multiple of 8 bytes that allows for the 4 bytes of the Option header and option, itself. The amount of padding required can be calculated as follows: padding = 7 - ((Length + 3) mod 8) And: Total Length = 4 + Length + padding 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type |C| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ ~ ~ Contents ~ ~ +-+-+-+-+-+-+-+-+ ~ | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Type: 15-bit identifier of the type of option. The options
defined in this document are below.
C: Critical. One, if this parameter is critical and MUST
be recognized by the recipient; zero otherwise. An
implementation might view the C-bit as part of the
Type field by multiplying the type values in this
specification by two.
Length: Length of the Contents, in bytes.
Contents: Parameter-specific, defined by Type.
Padding: Padding, 0-7 bytes, added if needed.
+------+------------------------------+
| Type | Option Name |
+------+------------------------------+
| 1 | Responder Validator |
| 2 | Locator List |
| 3 | Locator Preferences |
| 4 | CGA Parameter Data Structure |
| 5 | CGA Signature |
| 6 | ULID Pair |
| 7 | Forked Instance Identifier |
| 10 | Keepalive Timeout Option |
+------+------------------------------+
Table 3
Future protocol extensions might define additional options for the
Shim6 messages. The C-bit in the option format defines how such a
new option will be handled by an implementation.
If a host receives an option that it does not understand (an option
that was defined in some future extension to this protocol) or that
is not listed as a valid option for the different message types
above, then the Critical bit in the option determines the outcome.
o If C=0, then the option is silently ignored, and the rest of the
message is processed.
o If C=1, then the host SHOULD send back a Shim6 Error message with
Error Code=1, with the Pointer field referencing the first octet
in the Option Type field. When C=1, the rest of the message MUST
NOT be processed.
5.15.1. Responder Validator Option Format
The responder can choose exactly what input is used to compute the validator and what one-way function (such as MD5 or SHA1) it uses, as long as the responder can check that the validator it receives back in the I2 or I2bis message is indeed one that: 1) computed, 2) computed for the particular context, and 3) isn't a replayed I2/I2bis message. Some suggestions on how to generate the validators are captured in Sections 7.10.1 and 7.17.1. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 1 |0| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ Validator ~ ~ +-+-+-+-+-+-+-+-+ ~ | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: Validator: Variable length content whose interpretation is local to the responder. Padding: Padding, 0-7 bytes, added if needed. See Section 5.15.5.15.2. Locator List Option Format
The Locator List option is used to carry all the locators of the sender. Note that the order of the locators is important, since the Locator Preferences option refers to the locators by using the index in the list. Note that we carry all the locators in this option even though some of them can be created automatically from the CGA Parameter Data Structure.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 2 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Locator List Generation |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Num Locators | N Octets of Verification Method |
+-+-+-+-+-+-+-+-+ |
~ ~
~ +-+-+-+-+-+-+-+-+
~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Locators 1 through N ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Locator List Generation:
32-bit unsigned integer. Indicates a generation
number that is increased by one for each new locator
list. This is used to ensure that the index in the
Locator Preferences refers to the right version of the
locator list.
Num Locators: 8-bit unsigned integer. The number of locators that
are included in the option. We call this number "N"
below.
Verification Method:
N octets. The ith octet specifies the verification
method for the ith locator.
Padding: Padding, 0-7 bytes, added if needed so that the
Locators start on a multiple-of-8-octet boundary.
Note that for this option, there is never a need to
pad at the end since the Locators are a multiple-of-8-
octets in length. This internal padding is included
in the Length field.
Locators: N 128-bit locators.
The defined verification methods are:
+---------+----------------------------------+ | Value | Method | +---------+----------------------------------+ | 0 | Reserved | | 1 | HBA | | 2 | CGA | | 3-200 | Allocated using Standards action | | 201-254 | Experimental use | | 255 | Reserved | +---------+----------------------------------+ Table 45.15.3. Locator Preferences Option Format
The Locator Preferences option can have some flags to indicate whether or not a locator is known to work. In addition, the sender can include a notion of preferences. It might make sense to define "preferences" as a combination of priority and weight, the same way that DNS SRV records have such information. The priority would provide a way to rank the locators, and, within a given priority, the weight would provide a way to do some load sharing. See [5] for how SRV defines the interaction of priority and weight. The minimum notion of preferences we need is to be able to indicate that a locator is "dead". We can handle this using a single octet flag for each locator. We can extend that by carrying a larger "element" for each locator. This document presently also defines 2-octet and 3-octet elements, and we can add more information by having even larger elements if need be. The locators are not included in the preference list. Instead, the first element refers to the locator that was in the first element in the Locator List option. The generation number carried in this option and the Locator List option is used to verify that they refer to the same version of the locator list.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 3 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Locator List Generation |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Element Len | Element[1] | Element[2] | Element[3] |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ... ~
~ +-+-+-+-+-+-+-+-+
~ | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Case of Element Len = 1 is depicted.
Fields:
Locator List Generation:
32-bit unsigned integer. Indicates a generation
number for the locator list to which the elements
should apply.
Element Len: 8-bit unsigned integer. The length in octets of each
element. This specification defines the cases when
the length is 1, 2, or 3.
Element[i]: A field with a number of octets defined by the Element
Len field. Provides preferences for the ith locator
in the Locator List option that is in use.
Padding: Padding, 0-7 bytes, added if needed. See
Section 5.15.
When the Element length equals one, then the element consists of only
a one-octet Flags field. The currently defined set of flags are:
BROKEN: 0x01
TRANSIENT: 0x02
The intent of the BROKEN flag is to inform the peer that a given
locator is known to be not working. The intent of TRANSIENT is to
allow the distinction between more stable addresses and less stable
addresses when Shim6 is combined with IP mobility, and when we might
have more stable home locators and less stable care-of-locators.
When the Element length equals two, then the element consists of a one-octet Flags field followed by a one-octet Priority field. This Priority field has the same semantics as the Priority field in DNS SRV records. When the Element length equals three, then the element consists of a one-octet Flags field followed by a one-octet Priority field and a one-octet Weight field. This Weight field has the same semantics as the Weight field in DNS SRV records. This document doesn't specify the format when the Element length is more than three, except that any such formats MUST be defined so that the first three octets are the same as in the above case, that is, a one-octet Flags field followed by a one-octet Priority field, and a one-octet Weight field.5.15.4. CGA Parameter Data Structure Option Format
This option contains the CGA Parameter Data Structure (PDS). When HBA is used to verify the locators, the PDS contains the HBA multiprefix extension in addition to the PDS mandatory fields and other extensions unrelated to Shim6 that the PDS might have. When CGA is used to verify the locators, in addition to the PDS option, the host also needs to include the signature in the form of a CGA Signature option. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 4 |0| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ CGA Parameter Data Structure ~ ~ +-+-+-+-+-+-+-+-+ ~ | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: CGA Parameter Data Structure: Variable length content. Content defined in [2] and [3]. Padding: Padding, 0-7 bytes, added if needed. See Section 5.15.
5.15.5. CGA Signature Option Format
When CGA is used for verification of one or more of the locators in the Locator List option, then the message in question will need to contain this option. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 5 |0| Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ CGA Signature ~ ~ +-+-+-+-+-+-+-+-+ ~ | Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fields: CGA Signature: A variable-length field containing a PKCS#1 v1.5 signature, constructed by using the sender's private key over the following sequence of octets: 1. The 128-bit CGA Message Type tag [CGA] value for Shim6: 0x4A 30 5662 4858 574B 3655 416F 506A 6D48. (The tag value has been generated randomly by the editor of this specification.). 2. The Locator List Generation number of the correspondent Locator List option. 3. The subset of locators included in the correspondent Locator List option whose verification method is set to CGA. The locators MUST be included in the order in which they are listed in the Locator List Option. Padding: Padding, 0-7 bytes, added if needed. See Section 5.15.5.15.6. ULID Pair Option Format
I1, I2, and I2bis messages MUST contain the ULID pair; normally, this is in the IPv6 Source and Destination fields. In case the ULID for the context differs from the address pair included in the Source and Destination Address fields of the IPv6 packet used to carry the I1/ I2/I2bis message, the ULID Pair option MUST be included in the I1/I2/ I2bis message.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 6 |0| Length = 36 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Sender ULID +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Receiver ULID +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Reserved2: 32-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. (Needed to
make the ULIDs start on a multiple-of-8-octet
boundary.)
Sender ULID: A 128-bit IPv6 address.
Receiver ULID: A 128-bit IPv6 address.
5.15.7. Forked Instance Identifier Option Format
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 7 |0| Length = 4 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Forked Instance Identifier |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Fields:
Forked Instance Identifier:
32-bit field containing the identifier of the
particular forked instance.
5.15.8. Keepalive Timeout Option Format
This option is defined in [4].
(next page on part 3)