Tech-invite3GPPspaceIETFspace
96959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 5533

Shim6: Level 3 Multihoming Shim Protocol for IPv6

Pages: 124
Proposed Standard
Part 1 of 5 – Pages 1 to 16
None   None   Next

Top   ToC   RFC5533 - Page 1
Network Working Group                                        E. Nordmark
Request for Comments: 5533                              Sun Microsystems
Category: Standards Track                                     M. Bagnulo
                                                                    UC3M
                                                               June 2009


           Shim6: Level 3 Multihoming Shim Protocol for IPv6

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

This document defines the Shim6 protocol, a layer 3 shim for providing locator agility below the transport protocols, so that multihoming can be provided for IPv6 with failover and load-sharing properties, without assuming that a multihomed site will have a provider-independent IPv6 address prefix announced in the global IPv6 routing table. The hosts in a site that has multiple provider- allocated IPv6 address prefixes will use the Shim6 protocol specified in this document to set up state with peer hosts so that the state can later be used to failover to a different locator pair, should the original one stop working.
Top   ToC   RFC5533 - Page 2

Table of Contents

1. Introduction ....................................................4 1.1. Goals ......................................................5 1.2. Non-Goals ..................................................5 1.3. Locators as Upper-Layer Identifiers (ULID) .................6 1.4. IP Multicast ...............................................7 1.5. Renumbering Implications ...................................8 1.6. Placement of the Shim ......................................9 1.7. Traffic Engineering .......................................11 2. Terminology ....................................................12 2.1. Definitions ...............................................12 2.2. Notational Conventions ....................................15 2.3. Conceptual ................................................15 3. Assumptions ....................................................15 4. Protocol Overview ..............................................17 4.1. Context Tags ..............................................19 4.2. Context Forking ...........................................19 4.3. API Extensions ............................................20 4.4. Securing Shim6 ............................................20 4.5. Overview of Shim Control Messages .........................21 4.6. Extension Header Order ....................................22 5. Message Formats ................................................23 5.1. Common Shim6 Message Format ...............................23 5.2. Shim6 Payload Extension Header Format .....................24 5.3. Common Shim6 Control Header ...............................25 5.4. I1 Message Format .........................................26 5.5. R1 Message Format .........................................28 5.6. I2 Message Format .........................................29 5.7. R2 Message Format .........................................31 5.8. R1bis Message Format ......................................33 5.9. I2bis Message Format ......................................34 5.10. Update Request Message Format ............................37 5.11. Update Acknowledgement Message Format ....................38 5.12. Keepalive Message Format .................................40 5.13. Probe Message Format .....................................40 5.14. Error Message Format .....................................40 5.15. Option Formats ...........................................42 5.15.1. Responder Validator Option Format .................44 5.15.2. Locator List Option Format ........................44 5.15.3. Locator Preferences Option Format .................46 5.15.4. CGA Parameter Data Structure Option Format ........48 5.15.5. CGA Signature Option Format .......................49 5.15.6. ULID Pair Option Format ...........................49 5.15.7. Forked Instance Identifier Option Format ..........50 5.15.8. Keepalive Timeout Option Format ...................50 6. Conceptual Model of a Host .....................................51 6.1. Conceptual Data Structures ................................51
Top   ToC   RFC5533 - Page 3
      6.2. Context STATES ............................................52
   7. Establishing ULID-Pair Contexts ................................54
      7.1. Uniqueness of Context Tags ................................54
      7.2. Locator Verification ......................................55
      7.3. Normal Context Establishment ..............................56
      7.4. Concurrent Context Establishment ..........................56
      7.5. Context Recovery ..........................................58
      7.6. Context Confusion .........................................60
      7.7. Sending I1 Messages .......................................61
      7.8. Retransmitting I1 Messages ................................62
      7.9. Receiving I1 Messages .....................................62
      7.10. Sending R1 Messages ......................................63
           7.10.1. Generating the R1 Validator .......................64
      7.11. Receiving R1 Messages and Sending I2 Messages ............64
      7.12. Retransmitting I2 Messages ...............................65
      7.13. Receiving I2 Messages ....................................66
      7.14. Sending R2 Messages ......................................67
      7.15. Match for Context Confusion ..............................68
      7.16. Receiving R2 Messages ....................................69
      7.17. Sending R1bis Messages ...................................69
           7.17.1. Generating the R1bis Validator ....................70
      7.18. Receiving R1bis Messages and Sending I2bis Messages ......71
      7.19. Retransmitting I2bis Messages ............................72
      7.20. Receiving I2bis Messages and Sending R2 Messages .........72
   8. Handling ICMP Error Messages ...................................74
   9. Teardown of the ULID-Pair Context ..............................76
   10. Updating the Peer .............................................77
      10.1. Sending Update Request Messages ..........................77
      10.2. Retransmitting Update Request Messages ...................78
      10.3. Newer Information while Retransmitting ...................78
      10.4. Receiving Update Request Messages ........................79
      10.5. Receiving Update Acknowledgement Messages ................81
   11. Sending ULP Payloads ..........................................81
      11.1. Sending ULP Payload after a Switch .......................82
   12. Receiving Packets .............................................83
      12.1. Receiving Payload without Extension Headers ..............83
      12.2. Receiving Shim6 Payload Extension Headers ................83
      12.3. Receiving Shim Control Messages ..........................84
      12.4. Context Lookup ...........................................84
   13. Initial Contact ...............................................86
   14. Protocol Constants ............................................87
   15. Implications Elsewhere ........................................88
      15.1. Congestion Control Considerations ........................88
      15.2. Middle-Boxes Considerations ..............................88
      15.3. Operation and Management Considerations ..................89
      15.4. Other Considerations .....................................90
   16. Security Considerations .......................................91
      16.1. Interaction with IPSec ...................................93
Top   ToC   RFC5533 - Page 4
      16.2. Residual Threats .........................................94
   17. IANA Considerations ...........................................95
   18. Acknowledgements ..............................................97
   19. References ....................................................97
      19.1. Normative References .....................................97
      19.2. Informative References ...................................97
   Appendix A.  Possible Protocol Extensions ........................100
   Appendix B.  Simplified STATE Machine ............................101
      B.1.  Simplified STATE Machine Diagram ........................108
   Appendix C.  Context Tag Reuse ...................................109
      C.1.  Context Recovery ........................................109
      C.2.  Context Confusion .......................................109
      C.3.  Three-Party Context Confusion ...........................110
      C.4.  Summary .................................................110
   Appendix D.  Design Alternatives .................................111
      D.1.  Context Granularity .....................................111
      D.2.  Demultiplexing of Data Packets in Shim6 Communications ..111
        D.2.1.   Flow Label .........................................112
        D.2.2.   Extension Header ...................................115
      D.3.  Context-Loss Detection ..................................115
      D.4.  Securing Locator Sets ...................................117
      D.5.  ULID-Pair Context-Establishment Exchange ................120
      D.6.  Updating Locator Sets ...................................121
      D.7.  State Cleanup ...........................................122

1. Introduction

This document describes a layer 3 shim approach and protocol for providing locator agility below the transport protocols, so that multihoming can be provided for IPv6 with failover and load-sharing properties [11], without assuming that a multihomed site will have a provider-independent IPv6 address announced in the global IPv6 routing table. The hosts in a site that has multiple provider- allocated IPv6 address prefixes will use the Shim6 protocol specified in this document to set up state with peer hosts so that the state can later be used to failover to a different locator pair, should the original one stop working (the term locator is defined in Section 2). The Shim6 protocol is a site-multihoming solution in the sense that it allows existing communication to continue when a site that has multiple connections to the Internet experiences an outage on a subset of these connections or further upstream. However, Shim6 processing is performed in individual hosts rather than through site- wide mechanisms. We assume that redirection attacks are prevented using Hash-Based Addresses (HBA) as defined in [3].
Top   ToC   RFC5533 - Page 5
   The reachability and failure-detection mechanisms, including how a
   new working locator pair is discovered after a failure, are specified
   in RFC 5534 [4].  This document allocates message types and option
   types for that sub-protocol, and leaves the specification of the
   message and option formats, as well as the protocol behavior, to RFC
   5534.

1.1. Goals

The goals for this approach are to: o Preserve established communications in the presence of certain classes of failures, for example, TCP connections and UDP streams. o Have minimal impact on upper-layer protocols in general and on transport protocols and applications in particular. o Address the security threats in [15] through a combination of the HBA/CGA approach specified in RFC 5535 [3] and the techniques described in this document. o Not require an extra roundtrip up front to set up shim-specific state. Instead, allow the upper-layer traffic (e.g., TCP) to flow as normal and defer the set up of the shim state until some number of packets have been exchanged. o Take advantage of multiple locators/addresses for load spreading so that different sets of communication to a host (e.g., different connections) might use different locators of the host. Note that this might cause load to be spread unevenly; thus, we use the term "load spreading" instead of "load balancing". This capability might enable some forms of traffic engineering, but the details for traffic engineering, including what requirements can be satisfied, are not specified in this document, and form part of potential extensions to this protocol.

1.2. Non-Goals

The problem we are trying to solve is site multihoming, with the ability to have the set of site prefixes change over time due to site renumbering. Further, we assume that such changes to the set of locator prefixes can be relatively slow and managed: slow enough to allow updates to the DNS to propagate (since the protocol defined in this document depends on the DNS to find the appropriate locator sets). However, note that it is an explicit non-goal to make communication survive a renumbering event (which causes all the locators of a host to change to a new set of locators). This proposal does not attempt to solve the related problem of host
Top   ToC   RFC5533 - Page 6
   mobility.  However, it might turn out that the Shim6 protocol can be
   a useful component for future host mobility solutions, e.g., for
   route optimization.

   Finally, this proposal also does not try to provide a new network-
   level or transport-level identifier name space distinct from the
   current IP address name space.  Even though such a concept would be
   useful to upper-layer protocols (ULPs) and applications, especially
   if the management burden for such a name space was negligible and
   there was an efficient yet secure mechanism to map from identifiers
   to locators, such a name space isn't necessary (and furthermore
   doesn't seem to help) to solve the multihoming problem.

   The Shim6 proposal doesn't fully separate the identifier and locator
   functions that have traditionally been overloaded in the IP address.
   However, throughout this document the term "identifier" or, more
   specifically, upper-layer identifier (ULID), refers to the
   identifying function of an IPv6 address.  "Locator" refers to the
   network-layer routing and forwarding properties of an IPv6 address.

1.3. Locators as Upper-Layer Identifiers (ULID)

The approach described in this document does not introduce a new identifier name space but instead uses the locator that is selected in the initial contact with the remote peer as the preserved upper- layer identifier (ULID). While there may be subsequent changes in the selected network-level locators over time (in response to failures in using the original locator), the upper-level protocol stack elements will continue to use this upper-level identifier without change. This implies that the ULID selection is performed as today's default address selection as specified in RFC 3484 [7]. Some extensions are needed to RFC 3484 to try different source addresses, whether or not the Shim6 protocol is used, as outlined in [9]. Underneath, and transparently, the multihoming shim selects working locator pairs with the initial locator pair being the ULID pair. If communication subsequently fails, the shim can test and select alternate locators. A subsequent section discusses the issues that arise when the selected ULID is not initially working, which creates the need to switch locators up front. Using one of the locators as the ULID has certain benefits for applications that have long-lived session state or that perform callbacks or referrals, because both the Fully Qualified Domain Name (FQDN) and the 128-bit ULID work as handles for the applications.
Top   ToC   RFC5533 - Page 7
   However, using a single 128-bit ULID doesn't provide seamless
   communication when that locator is unreachable.  See [18] for further
   discussion of the application implications.

   There has been some discussion of using non-routable addresses, such
   as Unique-Local Addresses (ULAs) [14], as ULIDs in a multihoming
   solution.  While this document doesn't specify all aspects of this,
   it is believed that the approach can be extended to handle the non-
   routable address case.  For example, the protocol already needs to
   handle ULIDs that are not initially reachable.  Thus, the same
   mechanism can handle ULIDs that are permanently unreachable from
   outside their site.  The issue becomes how to make the protocol
   perform well when the ULID is known a priori to be unreachable (e.g.,
   the ULID is a ULA), for instance, avoiding any timeout and retries in
   this case.  In addition, one would need to understand how the ULAs
   would be entered in the DNS to avoid a performance impact on
   existing, non-Shim6-aware IPv6 hosts potentially trying to
   communicate to the (unreachable) ULA.

1.4. IP Multicast

IP multicast requires that the IP Source Address field contain a topologically correct locator for the interface that is used to send the packet, since IP multicast routing uses both the source address and the destination group to determine where to forward the packet. In particular, IP multicast routing needs to be able to do the Reverse Path Forwarding (RPF) check. (This isn't much different than the situation with widely implemented ingress filtering [6] for unicast.) While in theory it would be possible to apply the shim re-mapping of the IP address fields between ULIDs and locators, the fact that all the multicast receivers would need to know the mapping to perform makes such an approach difficult in practice. Thus, it makes sense to have multicast ULPs operate directly on locators and not use the shim. This is quite a natural fit for protocols that use RTP [10], since RTP already has an explicit identifier in the form of the synchronization source (SSRC) field in the RTP headers. Thus, the actual IP address fields are not important to the application. In summary, IP multicast will not need the shim to remap the IP addresses. This doesn't prevent the receiver of multicast to change its locators, since the receiver is not explicitly identified; the destination address is a multicast address and not the unicast locator of the receiver.
Top   ToC   RFC5533 - Page 8

1.5. Renumbering Implications

As stated above, this approach does not try to make communication survive renumbering in the general case. When a host is renumbered, the effect is that one or more locators become invalid, and zero or more locators are added to the host's network interface. This means that the set of locators that is used in the shim will change, which the shim can handle as long as not all the original locators become invalid at the same time; the shim's ability to handle this also depends on the time that is required to update the DNS and for those updates to propagate. But IP addresses are also used as ULIDs, and making the communication survive locators becoming invalid can potentially cause some confusion at the upper layers. The fact that a ULID might be used with a different locator over time opens up the possibility that communication between two ULIDs might continue to work after one or both of those ULIDs are no longer reachable as locators, for example, due to a renumbering event. This opens up the possibility that the ULID (or at least the prefix on which it is based) may be reassigned to another site while it is still being used (with another locator) for existing communication. In the worst case, we could end up with two separate hosts using the same ULID while both of them are communicating with the same host. This potential source for confusion is avoided by requiring that any communication using a ULID MUST be terminated when the ULID becomes invalid (due to the underlying prefix becoming invalid). This behavior can be accomplished by explicitly discarding the shim state when the ULID becomes invalid. The context-recovery mechanism will then make the peer aware that the context is gone and that the ULID is no longer present at the same locator(s).
Top   ToC   RFC5533 - Page 9

1.6. Placement of the Shim

----------------------- | Transport Protocols | ----------------------- -------------- ------------- IP endpoint | Frag/reass | | Dest opts | sub-layer -------------- ------------- --------------------- | Shim6 shim layer | --------------------- ------ IP routing | IP | sub-layer ------ Figure 1: Protocol Stack The proposal uses a multihoming shim layer within the IP layer, i.e., below the ULPs, as shown in Figure 1, in order to provide ULP independence. The multihoming shim layer behaves as if it is associated with an extension header, which would be placed after any routing-related headers in the packet (such as any hop-by-hop options). However, when the locator pair is the ULID pair, there is no data that needs to be carried in an extension header; thus, none is needed in that case. Layering the Fragmentation header above the multihoming shim makes reassembly robust in the case that there is broken multi-path routing that results in using different paths, hence potentially different source locators, for different fragments. Thus, the multihoming shim layer is placed between the IP endpoint sublayer (which handles fragmentation and reassembly) and the IP routing sublayer (which selects the next hop and interface to use for sending out packets). Applications and upper-layer protocols use ULIDs that the Shim6 layer maps to/from different locators. The Shim6 layer maintains state, called ULID-pair context, per ULID pair (that is, such state applies to all ULP connections between the ULID pair) in order to perform this mapping. The mapping is performed consistently at the sender and the receiver so that ULPs see packets that appear to be sent using ULIDs from end to end. This property is maintained even though the packets travel through the network containing locators in the IP address fields, and even though those locators may be changed by the transmitting Shim6 layer.
Top   ToC   RFC5533 - Page 10
   The context state is maintained per remote ULID, i.e., approximately
   per peer host, and not at any finer granularity.  In particular, the
   context state is independent of the ULPs and any ULP connections.
   However, the forking capability enables Shim6-aware ULPs to use more
   than one locator pair at a time for a single ULID pair.

    ----------------------------          ----------------------------
    | Sender A                 |          | Receiver B               |
    |                          |          |                          |
    |     ULP                  |          |     ULP                  |
    |      | src ULID(A)=L1(A) |          |      ^                   |
    |      | dst ULID(B)=L1(B) |          |      | src ULID(A)=L1(A) |
    |      v                   |          |      | dst ULID(B)=L1(B) |
    |   multihoming shim       |          |   multihoming shim       |
    |      | src L2(A)         |          |      ^                   |
    |      | dst L3(B)         |          |      | src L2(A)         |
    |      v                   |          |      | dst L3(B)         |
    |      IP                  |          |      IP                  |
    ----------------------------          ----------------------------
           |                                     ^
           ------- cloud with some routers -------

                  Figure 2: Mapping with Changed Locators

   The result of this consistent mapping is that there is no impact on
   the ULPs.  In particular, there is no impact on pseudo-header
   checksums and connection identification.

   Conceptually, one could view this approach as if both ULIDs and
   locators are present in every packet, and as if a header-compression
   mechanism is applied that removes the need for the ULIDs to be
   carried in the packets once the compression state has been
   established.  In order for the receiver to re-create a packet with
   the correct ULIDs, there is a need to include some "compression tag"
   in the data packets.  This serves to indicate the correct context to
   use for decompression when the locator pair in the packet is
   insufficient to uniquely identify the context.

   There are different types of interactions between the Shim6 layer and
   other protocols.  Those interactions are influenced by the usage of
   the addresses in these other protocols and the impact of the Shim6
   mapping on these usages.  A detailed analysis of the interactions of
   different protocols, including the Stream Control Transmission
   Protocol (SCTP), mobile IP (MIP), and Host Identity Protocol (HIP),
   can be found in [19].  Moreover, some applications may need to have a
   richer interaction with the Shim6 sublayer.  In order to enable that,
   an API [23] has been defined to enable greater control and
   information exchange for those applications that need it.
Top   ToC   RFC5533 - Page 11

1.7. Traffic Engineering

At the time of this writing, it is not clear what requirements for traffic engineering make sense for the Shim6 protocol, since the requirements must both result in some useful behavior as well as be implementable using a host-to-host locator agility mechanism like Shim6. Inherent in a scalable multihoming mechanism that separates the locator function of the IP address from identifying function of the IP address is that each host ends up with multiple locators. This means that, at least for initial contact, it is the remote peer application (or layer working on its behalf) that needs to select an initial ULID, which automatically becomes the initial locator. In the case of Shim6, this is performed by applying RFC 3484 address selection. This is quite different than the common case of IPv4 multihoming where the site has a single IP address prefix, since in that case the peer performs no destination address selection. Thus, in "single prefix multihoming", the site (and in many cases its upstream ISPs) can use BGP to exert some control of the ingress path used to reach the site. This capability does not by itself exist in "multiple prefix multihoming" approaches such as Shim6. It is conceivable that extensions allowing site or provider guidance of host-based mechanisms could be developed. But it should be noted that traffic engineering via BGP, MPLS, or other similar techniques can still be applied for traffic on each individual prefix; Shim6 does not remove the capability for this. It does provide some additional capabilities for hosts to choose between prefixes. These capabilities also carry some risk for non-optimal behaviour when more than one mechanism attempts to correct problems at the same time. However, it should be noted that this is not necessarily a situation brought about by Shim6. A more constrained form of this capability already exists in IPv6, itself, via its support of multiple prefixes and address-selection rules for starting new communications. Even IPv4 hosts with multiple interfaces may have limited capabilities to choose interfaces on which they communicate. Similarly, upper layers may choose different addresses. In general, it is expected that Shim6 is applicable in relatively small sites and individual hosts where BGP-style traffic engineering operations are unavailable, unlikely, or if run with provider- independent addressing, possibly even harmful, considering the growth rates in the global routing table.
Top   ToC   RFC5533 - Page 12
   The protocol provides a placeholder, in the form of the Locator
   Preferences option, that can be used by hosts to express priority and
   weight values for each locator.  This option is merely a placeholder
   when it comes to providing traffic engineering; in order to use this
   in a large site, there would have to be a mechanism by which the host
   can find out what preference values to use, either statically (e.g.,
   some new DHCPv6 option) or dynamically.

   Thus, traffic engineering is listed as a possible extension in
   Appendix A.

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1].

2.1. Definitions

This document introduces the following terms: upper-layer protocol (ULP) A protocol layer immediately above IP. Examples are transport protocols such as TCP and UDP; control protocols such as ICMP; routing protocols such as OSPF; and Internet or lower-layer protocols being "tunneled" over (i.e., encapsulated in) IP, such as the Internet Packet Exchange (IPX), AppleTalk, or IP itself. interface A node's attachment to a link. address An IP-layer name that both contains topological significance and acts as a unique identifier for an interface. 128 bits. This document only uses the "address" term in the case where it isn't specific whether it is a locator or an identifier. locator An IP-layer topological name for an interface or a set of interfaces. 128 bits. The locators are carried in the IP address fields as the packets traverse the network. identifier An IP-layer name for an IP-layer endpoint. The transport endpoint name is a function of the transport protocol and would typically include the IP identifier plus a port number.
Top   ToC   RFC5533 - Page 13
                       NOTE: This proposal does not specify any new form
                       of IP-layer identifier, but still separates the
                       identifying and locating properties of the IP
                       addresses.

   upper-layer identifier (ULID)
                       An IP address that has been selected for
                       communication with a peer to be used by the
                       upper-layer protocol. 128 bits.  This is used for
                       pseudo-header checksum computation and connection
                       identification in the ULP.  Different sets of
                       communication to a host (e.g., different
                       connections) might use different ULIDs in order
                       to enable load spreading.

                       Since the ULID is just one of the IP locators/
                       addresses of the node, there is no need for a
                       separate name space and allocation mechanisms.

   address field       The Source and Destination Address fields in the
                       IPv6 header.  As IPv6 is currently specified,
                       these fields carry "addresses".  If identifiers
                       and locators are separated, these fields will
                       contain locators for packets on the wire.

   FQDN                Fully Qualified Domain Name

   ULID-pair context   The state that the multihoming shim maintains
                       between a pair of upper-layer identifiers.  The
                       context is identified by a Context Tag for each
                       direction of the communication and also by a
                       ULID-pair and a Forked Instance Identifier (see
                       below).

   Context Tag         Each end of the context allocates a Context Tag
                       for the context.  This is used to uniquely
                       associate both received control packets and Shim6
                       Payload Extension headers as belonging to the
                       context.

   current locator pair
                       Each end of the context has a current locator
                       pair that is used to send packets to the peer.
                       However, the two ends might use different current
                       locator pairs.
Top   ToC   RFC5533 - Page 14
   default context     At the sending end, the shim uses the ULID pair
                       (passed down from the ULP) to find the context
                       for that pair.  Thus, normally, a host can have
                       at most one context for a ULID pair.  We call
                       this the "default context".

   context forking     A mechanism that allows ULPs that are aware of
                       multiple locators to use separate contexts for
                       the same ULID pair, in order to be able use
                       different locator pairs for different
                       communication to the same ULID.  Context forking
                       causes more than just the default context to be
                       created for a ULID pair.

   Forked Instance Identifier (FII)
                       In order to handle context forking, a context is
                       identified by a ULID pair and a Forked Context
                       Identifier.  The default context has an FII of
                       zero.

   initial contact     We use this term to refer to the pre-shim
                       communication when a ULP decides to start
                       communicating with a peer by sending and
                       receiving ULP packets.  Typically, this would not
                       invoke any operations in the shim, since the shim
                       can defer the context establishment until some
                       arbitrary, later point in time.

   Hash-Based Addresses (HBA)
                       A form of IPv6 address where the interface ID is
                       derived from a cryptographic hash of all the
                       prefixes assigned to the host.  See [3].

   Cryptographically Generated Addresses (CGA)
                       A form of IPv6 address where the interface ID is
                       derived from a cryptographic hash of the public
                       key.  See [2].

   CGA Parameter Data Structure (PDS)
                       The information that CGA and HBA exchange in
                       order to inform the peer of how the interface ID
                       was computed.  See [2] and [3].
Top   ToC   RFC5533 - Page 15

2.2. Notational Conventions

A, B, and C are hosts. X is a potentially malicious host. FQDN(A) is the Fully Qualified Domain Name for A. Ls(A) is the locator set for A, which consists of the locators L1(A), L2(A), ... Ln(A). The locator set is not ordered in any particular way other than maybe what is returned by the DNS. A host might form different locator sets containing different subnets of the host's IP addresses. This is necessary in some cases for security reasons. See Section 16.1. ULID(A) is an upper-layer identifier for A. In this proposal, ULID(A) is always one member of A's locator set. CT(A) is a Context Tag assigned by A. STATE (in uppercase) refers to the specific state of the state machine described in Section 6.2

2.3. Conceptual

This document also makes use of internal conceptual variables to describe protocol behavior and external variables that an implementation must allow system administrators to change. The specific variable names, how their values change, and how their settings influence protocol behavior are provided to demonstrate protocol behavior. An implementation is not required to have them in the exact form described here, so long as its external behavior is consistent with that described in this document. See Section 6 for a description of the conceptual data structures.

3. Assumptions

The design intent is to ensure that the Shim6 protocol is capable of handling path failures independently of the number of IP addresses (locators) available to the two communicating hosts, and independently of which host detects the failure condition. Consider, for example, the case in which both A and B have active Shim6 state and where A has only one locator while B has multiple locators. In this case, it might be that B is trying to send a packet to A, and has detected a failure condition with the current locator pair. Since B has multiple locators, it presumably has multiple ISPs, and (consequently) likely has alternate egress paths
Top   ToC   RFC5533 - Page 16
   toward A.  B cannot vary the destination address (i.e., A's locator),
   since A has only one locator.  However, B may need to vary the source
   address in order to ensure packet delivery.

   In many cases, normal operation of IP routing may cause the packets
   to follow a path towards the correct (currently operational) egress.
   In some cases, it is possible that a path may be selected based on
   the source address, implying that B will need to select a source
   address corresponding to the currently operating egress.  The details
   of how routing can be accomplished is beyond the scope of this
   document.

   Also, when the site's ISPs perform ingress filtering based on packet
   source addresses, Shim6 assumes that packets sent with different
   source and destination combinations have a reasonable chance of
   making it through the relevant ISP's ingress filters.  This can be
   accomplished in several ways (all outside the scope of this
   document), such as having the ISPs relax their ingress filters or
   selecting the egress such that it matches the IP source address
   prefix.  In the case that one egress path has failed but another is
   operating correctly, it may be necessary for the packet's source
   (node B in the previous paragraph) to select a source address that
   corresponds to the operational egress, in order to pass the ISP's
   ingress filters.

   The Shim6 approach assumes that there are no IPv6-to-IPv6 NATs on the
   paths, i.e., that the two ends can exchange their own notion of their
   IPv6 addresses and that those addresses will also make sense to their
   peer.

   The security of the Shim6 protocol relies on the usage of Hash-Based
   Addresses (HBA) [3] and/or Cryptographically Generated Addresses
   (CGA) [2].  In the case that HBAs are used, all the addresses
   assigned to the host that are included in the Shim6 protocol (either
   as a locator or as a ULID) must be part of the same HBA set.  In the
   case that CGAs are used, the address used as ULID must be a CGA, but
   the other addresses that are used as locators do not need to be
   either CGAs or HBAs.  It should be noted that it is perfectly
   acceptable to run the Shim6 protocol between a host that has multiple
   locators and another host that has a single IP address.  In this
   case, the address of the host with a single address does not need to
   be an HBA or a CGA.


(next page on part 2)

Next Section