RFC 5533
Shim6: Level 3 Multihoming Shim Protocol for IPv6
Pages: 124
Proposed Standard
Proposed Standard
Part 1 of 5 – Pages 1 to 16
Network Working Group E. Nordmark Request for Comments: 5533 Sun Microsystems Category: Standards Track M. Bagnulo UC3M June 2009 Shim6: Level 3 Multihoming Shim Protocol for IPv6 Status of This Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.Abstract
This document defines the Shim6 protocol, a layer 3 shim for providing locator agility below the transport protocols, so that multihoming can be provided for IPv6 with failover and load-sharing properties, without assuming that a multihomed site will have a provider-independent IPv6 address prefix announced in the global IPv6 routing table. The hosts in a site that has multiple provider- allocated IPv6 address prefixes will use the Shim6 protocol specified in this document to set up state with peer hosts so that the state can later be used to failover to a different locator pair, should the original one stop working.
Table of Contents
1. Introduction ....................................................4 1.1. Goals ......................................................5 1.2. Non-Goals ..................................................5 1.3. Locators as Upper-Layer Identifiers (ULID) .................6 1.4. IP Multicast ...............................................7 1.5. Renumbering Implications ...................................8 1.6. Placement of the Shim ......................................9 1.7. Traffic Engineering .......................................11 2. Terminology ....................................................12 2.1. Definitions ...............................................12 2.2. Notational Conventions ....................................15 2.3. Conceptual ................................................15 3. Assumptions ....................................................15 4. Protocol Overview ..............................................17 4.1. Context Tags ..............................................19 4.2. Context Forking ...........................................19 4.3. API Extensions ............................................20 4.4. Securing Shim6 ............................................20 4.5. Overview of Shim Control Messages .........................21 4.6. Extension Header Order ....................................22 5. Message Formats ................................................23 5.1. Common Shim6 Message Format ...............................23 5.2. Shim6 Payload Extension Header Format .....................24 5.3. Common Shim6 Control Header ...............................25 5.4. I1 Message Format .........................................26 5.5. R1 Message Format .........................................28 5.6. I2 Message Format .........................................29 5.7. R2 Message Format .........................................31 5.8. R1bis Message Format ......................................33 5.9. I2bis Message Format ......................................34 5.10. Update Request Message Format ............................37 5.11. Update Acknowledgement Message Format ....................38 5.12. Keepalive Message Format .................................40 5.13. Probe Message Format .....................................40 5.14. Error Message Format .....................................40 5.15. Option Formats ...........................................42 5.15.1. Responder Validator Option Format .................44 5.15.2. Locator List Option Format ........................44 5.15.3. Locator Preferences Option Format .................46 5.15.4. CGA Parameter Data Structure Option Format ........48 5.15.5. CGA Signature Option Format .......................49 5.15.6. ULID Pair Option Format ...........................49 5.15.7. Forked Instance Identifier Option Format ..........50 5.15.8. Keepalive Timeout Option Format ...................50 6. Conceptual Model of a Host .....................................51 6.1. Conceptual Data Structures ................................51
6.2. Context STATES ............................................52
7. Establishing ULID-Pair Contexts ................................54
7.1. Uniqueness of Context Tags ................................54
7.2. Locator Verification ......................................55
7.3. Normal Context Establishment ..............................56
7.4. Concurrent Context Establishment ..........................56
7.5. Context Recovery ..........................................58
7.6. Context Confusion .........................................60
7.7. Sending I1 Messages .......................................61
7.8. Retransmitting I1 Messages ................................62
7.9. Receiving I1 Messages .....................................62
7.10. Sending R1 Messages ......................................63
7.10.1. Generating the R1 Validator .......................64
7.11. Receiving R1 Messages and Sending I2 Messages ............64
7.12. Retransmitting I2 Messages ...............................65
7.13. Receiving I2 Messages ....................................66
7.14. Sending R2 Messages ......................................67
7.15. Match for Context Confusion ..............................68
7.16. Receiving R2 Messages ....................................69
7.17. Sending R1bis Messages ...................................69
7.17.1. Generating the R1bis Validator ....................70
7.18. Receiving R1bis Messages and Sending I2bis Messages ......71
7.19. Retransmitting I2bis Messages ............................72
7.20. Receiving I2bis Messages and Sending R2 Messages .........72
8. Handling ICMP Error Messages ...................................74
9. Teardown of the ULID-Pair Context ..............................76
10. Updating the Peer .............................................77
10.1. Sending Update Request Messages ..........................77
10.2. Retransmitting Update Request Messages ...................78
10.3. Newer Information while Retransmitting ...................78
10.4. Receiving Update Request Messages ........................79
10.5. Receiving Update Acknowledgement Messages ................81
11. Sending ULP Payloads ..........................................81
11.1. Sending ULP Payload after a Switch .......................82
12. Receiving Packets .............................................83
12.1. Receiving Payload without Extension Headers ..............83
12.2. Receiving Shim6 Payload Extension Headers ................83
12.3. Receiving Shim Control Messages ..........................84
12.4. Context Lookup ...........................................84
13. Initial Contact ...............................................86
14. Protocol Constants ............................................87
15. Implications Elsewhere ........................................88
15.1. Congestion Control Considerations ........................88
15.2. Middle-Boxes Considerations ..............................88
15.3. Operation and Management Considerations ..................89
15.4. Other Considerations .....................................90
16. Security Considerations .......................................91
16.1. Interaction with IPSec ...................................93
16.2. Residual Threats .........................................94
17. IANA Considerations ...........................................95
18. Acknowledgements ..............................................97
19. References ....................................................97
19.1. Normative References .....................................97
19.2. Informative References ...................................97
Appendix A. Possible Protocol Extensions ........................100
Appendix B. Simplified STATE Machine ............................101
B.1. Simplified STATE Machine Diagram ........................108
Appendix C. Context Tag Reuse ...................................109
C.1. Context Recovery ........................................109
C.2. Context Confusion .......................................109
C.3. Three-Party Context Confusion ...........................110
C.4. Summary .................................................110
Appendix D. Design Alternatives .................................111
D.1. Context Granularity .....................................111
D.2. Demultiplexing of Data Packets in Shim6 Communications ..111
D.2.1. Flow Label .........................................112
D.2.2. Extension Header ...................................115
D.3. Context-Loss Detection ..................................115
D.4. Securing Locator Sets ...................................117
D.5. ULID-Pair Context-Establishment Exchange ................120
D.6. Updating Locator Sets ...................................121
D.7. State Cleanup ...........................................122
1. Introduction
This document describes a layer 3 shim approach and protocol for
providing locator agility below the transport protocols, so that
multihoming can be provided for IPv6 with failover and load-sharing
properties [11], without assuming that a multihomed site will have a
provider-independent IPv6 address announced in the global IPv6
routing table. The hosts in a site that has multiple provider-
allocated IPv6 address prefixes will use the Shim6 protocol specified
in this document to set up state with peer hosts so that the state
can later be used to failover to a different locator pair, should the
original one stop working (the term locator is defined in Section 2).
The Shim6 protocol is a site-multihoming solution in the sense that
it allows existing communication to continue when a site that has
multiple connections to the Internet experiences an outage on a
subset of these connections or further upstream. However, Shim6
processing is performed in individual hosts rather than through site-
wide mechanisms.
We assume that redirection attacks are prevented using Hash-Based
Addresses (HBA) as defined in [3].
The reachability and failure-detection mechanisms, including how a new working locator pair is discovered after a failure, are specified in RFC 5534 [4]. This document allocates message types and option types for that sub-protocol, and leaves the specification of the message and option formats, as well as the protocol behavior, to RFC 5534.1.1. Goals
The goals for this approach are to: o Preserve established communications in the presence of certain classes of failures, for example, TCP connections and UDP streams. o Have minimal impact on upper-layer protocols in general and on transport protocols and applications in particular. o Address the security threats in [15] through a combination of the HBA/CGA approach specified in RFC 5535 [3] and the techniques described in this document. o Not require an extra roundtrip up front to set up shim-specific state. Instead, allow the upper-layer traffic (e.g., TCP) to flow as normal and defer the set up of the shim state until some number of packets have been exchanged. o Take advantage of multiple locators/addresses for load spreading so that different sets of communication to a host (e.g., different connections) might use different locators of the host. Note that this might cause load to be spread unevenly; thus, we use the term "load spreading" instead of "load balancing". This capability might enable some forms of traffic engineering, but the details for traffic engineering, including what requirements can be satisfied, are not specified in this document, and form part of potential extensions to this protocol.1.2. Non-Goals
The problem we are trying to solve is site multihoming, with the ability to have the set of site prefixes change over time due to site renumbering. Further, we assume that such changes to the set of locator prefixes can be relatively slow and managed: slow enough to allow updates to the DNS to propagate (since the protocol defined in this document depends on the DNS to find the appropriate locator sets). However, note that it is an explicit non-goal to make communication survive a renumbering event (which causes all the locators of a host to change to a new set of locators). This proposal does not attempt to solve the related problem of host
mobility. However, it might turn out that the Shim6 protocol can be a useful component for future host mobility solutions, e.g., for route optimization. Finally, this proposal also does not try to provide a new network- level or transport-level identifier name space distinct from the current IP address name space. Even though such a concept would be useful to upper-layer protocols (ULPs) and applications, especially if the management burden for such a name space was negligible and there was an efficient yet secure mechanism to map from identifiers to locators, such a name space isn't necessary (and furthermore doesn't seem to help) to solve the multihoming problem. The Shim6 proposal doesn't fully separate the identifier and locator functions that have traditionally been overloaded in the IP address. However, throughout this document the term "identifier" or, more specifically, upper-layer identifier (ULID), refers to the identifying function of an IPv6 address. "Locator" refers to the network-layer routing and forwarding properties of an IPv6 address.1.3. Locators as Upper-Layer Identifiers (ULID)
The approach described in this document does not introduce a new identifier name space but instead uses the locator that is selected in the initial contact with the remote peer as the preserved upper- layer identifier (ULID). While there may be subsequent changes in the selected network-level locators over time (in response to failures in using the original locator), the upper-level protocol stack elements will continue to use this upper-level identifier without change. This implies that the ULID selection is performed as today's default address selection as specified in RFC 3484 [7]. Some extensions are needed to RFC 3484 to try different source addresses, whether or not the Shim6 protocol is used, as outlined in [9]. Underneath, and transparently, the multihoming shim selects working locator pairs with the initial locator pair being the ULID pair. If communication subsequently fails, the shim can test and select alternate locators. A subsequent section discusses the issues that arise when the selected ULID is not initially working, which creates the need to switch locators up front. Using one of the locators as the ULID has certain benefits for applications that have long-lived session state or that perform callbacks or referrals, because both the Fully Qualified Domain Name (FQDN) and the 128-bit ULID work as handles for the applications.
However, using a single 128-bit ULID doesn't provide seamless communication when that locator is unreachable. See [18] for further discussion of the application implications. There has been some discussion of using non-routable addresses, such as Unique-Local Addresses (ULAs) [14], as ULIDs in a multihoming solution. While this document doesn't specify all aspects of this, it is believed that the approach can be extended to handle the non- routable address case. For example, the protocol already needs to handle ULIDs that are not initially reachable. Thus, the same mechanism can handle ULIDs that are permanently unreachable from outside their site. The issue becomes how to make the protocol perform well when the ULID is known a priori to be unreachable (e.g., the ULID is a ULA), for instance, avoiding any timeout and retries in this case. In addition, one would need to understand how the ULAs would be entered in the DNS to avoid a performance impact on existing, non-Shim6-aware IPv6 hosts potentially trying to communicate to the (unreachable) ULA.1.4. IP Multicast
IP multicast requires that the IP Source Address field contain a topologically correct locator for the interface that is used to send the packet, since IP multicast routing uses both the source address and the destination group to determine where to forward the packet. In particular, IP multicast routing needs to be able to do the Reverse Path Forwarding (RPF) check. (This isn't much different than the situation with widely implemented ingress filtering [6] for unicast.) While in theory it would be possible to apply the shim re-mapping of the IP address fields between ULIDs and locators, the fact that all the multicast receivers would need to know the mapping to perform makes such an approach difficult in practice. Thus, it makes sense to have multicast ULPs operate directly on locators and not use the shim. This is quite a natural fit for protocols that use RTP [10], since RTP already has an explicit identifier in the form of the synchronization source (SSRC) field in the RTP headers. Thus, the actual IP address fields are not important to the application. In summary, IP multicast will not need the shim to remap the IP addresses. This doesn't prevent the receiver of multicast to change its locators, since the receiver is not explicitly identified; the destination address is a multicast address and not the unicast locator of the receiver.
1.5. Renumbering Implications
As stated above, this approach does not try to make communication survive renumbering in the general case. When a host is renumbered, the effect is that one or more locators become invalid, and zero or more locators are added to the host's network interface. This means that the set of locators that is used in the shim will change, which the shim can handle as long as not all the original locators become invalid at the same time; the shim's ability to handle this also depends on the time that is required to update the DNS and for those updates to propagate. But IP addresses are also used as ULIDs, and making the communication survive locators becoming invalid can potentially cause some confusion at the upper layers. The fact that a ULID might be used with a different locator over time opens up the possibility that communication between two ULIDs might continue to work after one or both of those ULIDs are no longer reachable as locators, for example, due to a renumbering event. This opens up the possibility that the ULID (or at least the prefix on which it is based) may be reassigned to another site while it is still being used (with another locator) for existing communication. In the worst case, we could end up with two separate hosts using the same ULID while both of them are communicating with the same host. This potential source for confusion is avoided by requiring that any communication using a ULID MUST be terminated when the ULID becomes invalid (due to the underlying prefix becoming invalid). This behavior can be accomplished by explicitly discarding the shim state when the ULID becomes invalid. The context-recovery mechanism will then make the peer aware that the context is gone and that the ULID is no longer present at the same locator(s).
1.6. Placement of the Shim
----------------------- | Transport Protocols | ----------------------- -------------- ------------- IP endpoint | Frag/reass | | Dest opts | sub-layer -------------- ------------- --------------------- | Shim6 shim layer | --------------------- ------ IP routing | IP | sub-layer ------ Figure 1: Protocol Stack The proposal uses a multihoming shim layer within the IP layer, i.e., below the ULPs, as shown in Figure 1, in order to provide ULP independence. The multihoming shim layer behaves as if it is associated with an extension header, which would be placed after any routing-related headers in the packet (such as any hop-by-hop options). However, when the locator pair is the ULID pair, there is no data that needs to be carried in an extension header; thus, none is needed in that case. Layering the Fragmentation header above the multihoming shim makes reassembly robust in the case that there is broken multi-path routing that results in using different paths, hence potentially different source locators, for different fragments. Thus, the multihoming shim layer is placed between the IP endpoint sublayer (which handles fragmentation and reassembly) and the IP routing sublayer (which selects the next hop and interface to use for sending out packets). Applications and upper-layer protocols use ULIDs that the Shim6 layer maps to/from different locators. The Shim6 layer maintains state, called ULID-pair context, per ULID pair (that is, such state applies to all ULP connections between the ULID pair) in order to perform this mapping. The mapping is performed consistently at the sender and the receiver so that ULPs see packets that appear to be sent using ULIDs from end to end. This property is maintained even though the packets travel through the network containing locators in the IP address fields, and even though those locators may be changed by the transmitting Shim6 layer.
The context state is maintained per remote ULID, i.e., approximately per peer host, and not at any finer granularity. In particular, the context state is independent of the ULPs and any ULP connections. However, the forking capability enables Shim6-aware ULPs to use more than one locator pair at a time for a single ULID pair. ---------------------------- ---------------------------- | Sender A | | Receiver B | | | | | | ULP | | ULP | | | src ULID(A)=L1(A) | | ^ | | | dst ULID(B)=L1(B) | | | src ULID(A)=L1(A) | | v | | | dst ULID(B)=L1(B) | | multihoming shim | | multihoming shim | | | src L2(A) | | ^ | | | dst L3(B) | | | src L2(A) | | v | | | dst L3(B) | | IP | | IP | ---------------------------- ---------------------------- | ^ ------- cloud with some routers ------- Figure 2: Mapping with Changed Locators The result of this consistent mapping is that there is no impact on the ULPs. In particular, there is no impact on pseudo-header checksums and connection identification. Conceptually, one could view this approach as if both ULIDs and locators are present in every packet, and as if a header-compression mechanism is applied that removes the need for the ULIDs to be carried in the packets once the compression state has been established. In order for the receiver to re-create a packet with the correct ULIDs, there is a need to include some "compression tag" in the data packets. This serves to indicate the correct context to use for decompression when the locator pair in the packet is insufficient to uniquely identify the context. There are different types of interactions between the Shim6 layer and other protocols. Those interactions are influenced by the usage of the addresses in these other protocols and the impact of the Shim6 mapping on these usages. A detailed analysis of the interactions of different protocols, including the Stream Control Transmission Protocol (SCTP), mobile IP (MIP), and Host Identity Protocol (HIP), can be found in [19]. Moreover, some applications may need to have a richer interaction with the Shim6 sublayer. In order to enable that, an API [23] has been defined to enable greater control and information exchange for those applications that need it.
1.7. Traffic Engineering
At the time of this writing, it is not clear what requirements for traffic engineering make sense for the Shim6 protocol, since the requirements must both result in some useful behavior as well as be implementable using a host-to-host locator agility mechanism like Shim6. Inherent in a scalable multihoming mechanism that separates the locator function of the IP address from identifying function of the IP address is that each host ends up with multiple locators. This means that, at least for initial contact, it is the remote peer application (or layer working on its behalf) that needs to select an initial ULID, which automatically becomes the initial locator. In the case of Shim6, this is performed by applying RFC 3484 address selection. This is quite different than the common case of IPv4 multihoming where the site has a single IP address prefix, since in that case the peer performs no destination address selection. Thus, in "single prefix multihoming", the site (and in many cases its upstream ISPs) can use BGP to exert some control of the ingress path used to reach the site. This capability does not by itself exist in "multiple prefix multihoming" approaches such as Shim6. It is conceivable that extensions allowing site or provider guidance of host-based mechanisms could be developed. But it should be noted that traffic engineering via BGP, MPLS, or other similar techniques can still be applied for traffic on each individual prefix; Shim6 does not remove the capability for this. It does provide some additional capabilities for hosts to choose between prefixes. These capabilities also carry some risk for non-optimal behaviour when more than one mechanism attempts to correct problems at the same time. However, it should be noted that this is not necessarily a situation brought about by Shim6. A more constrained form of this capability already exists in IPv6, itself, via its support of multiple prefixes and address-selection rules for starting new communications. Even IPv4 hosts with multiple interfaces may have limited capabilities to choose interfaces on which they communicate. Similarly, upper layers may choose different addresses. In general, it is expected that Shim6 is applicable in relatively small sites and individual hosts where BGP-style traffic engineering operations are unavailable, unlikely, or if run with provider- independent addressing, possibly even harmful, considering the growth rates in the global routing table.
The protocol provides a placeholder, in the form of the Locator Preferences option, that can be used by hosts to express priority and weight values for each locator. This option is merely a placeholder when it comes to providing traffic engineering; in order to use this in a large site, there would have to be a mechanism by which the host can find out what preference values to use, either statically (e.g., some new DHCPv6 option) or dynamically. Thus, traffic engineering is listed as a possible extension in Appendix A.2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1].2.1. Definitions
This document introduces the following terms: upper-layer protocol (ULP) A protocol layer immediately above IP. Examples are transport protocols such as TCP and UDP; control protocols such as ICMP; routing protocols such as OSPF; and Internet or lower-layer protocols being "tunneled" over (i.e., encapsulated in) IP, such as the Internet Packet Exchange (IPX), AppleTalk, or IP itself. interface A node's attachment to a link. address An IP-layer name that both contains topological significance and acts as a unique identifier for an interface. 128 bits. This document only uses the "address" term in the case where it isn't specific whether it is a locator or an identifier. locator An IP-layer topological name for an interface or a set of interfaces. 128 bits. The locators are carried in the IP address fields as the packets traverse the network. identifier An IP-layer name for an IP-layer endpoint. The transport endpoint name is a function of the transport protocol and would typically include the IP identifier plus a port number.
NOTE: This proposal does not specify any new form
of IP-layer identifier, but still separates the
identifying and locating properties of the IP
addresses.
upper-layer identifier (ULID)
An IP address that has been selected for
communication with a peer to be used by the
upper-layer protocol. 128 bits. This is used for
pseudo-header checksum computation and connection
identification in the ULP. Different sets of
communication to a host (e.g., different
connections) might use different ULIDs in order
to enable load spreading.
Since the ULID is just one of the IP locators/
addresses of the node, there is no need for a
separate name space and allocation mechanisms.
address field The Source and Destination Address fields in the
IPv6 header. As IPv6 is currently specified,
these fields carry "addresses". If identifiers
and locators are separated, these fields will
contain locators for packets on the wire.
FQDN Fully Qualified Domain Name
ULID-pair context The state that the multihoming shim maintains
between a pair of upper-layer identifiers. The
context is identified by a Context Tag for each
direction of the communication and also by a
ULID-pair and a Forked Instance Identifier (see
below).
Context Tag Each end of the context allocates a Context Tag
for the context. This is used to uniquely
associate both received control packets and Shim6
Payload Extension headers as belonging to the
context.
current locator pair
Each end of the context has a current locator
pair that is used to send packets to the peer.
However, the two ends might use different current
locator pairs.
default context At the sending end, the shim uses the ULID pair
(passed down from the ULP) to find the context
for that pair. Thus, normally, a host can have
at most one context for a ULID pair. We call
this the "default context".
context forking A mechanism that allows ULPs that are aware of
multiple locators to use separate contexts for
the same ULID pair, in order to be able use
different locator pairs for different
communication to the same ULID. Context forking
causes more than just the default context to be
created for a ULID pair.
Forked Instance Identifier (FII)
In order to handle context forking, a context is
identified by a ULID pair and a Forked Context
Identifier. The default context has an FII of
zero.
initial contact We use this term to refer to the pre-shim
communication when a ULP decides to start
communicating with a peer by sending and
receiving ULP packets. Typically, this would not
invoke any operations in the shim, since the shim
can defer the context establishment until some
arbitrary, later point in time.
Hash-Based Addresses (HBA)
A form of IPv6 address where the interface ID is
derived from a cryptographic hash of all the
prefixes assigned to the host. See [3].
Cryptographically Generated Addresses (CGA)
A form of IPv6 address where the interface ID is
derived from a cryptographic hash of the public
key. See [2].
CGA Parameter Data Structure (PDS)
The information that CGA and HBA exchange in
order to inform the peer of how the interface ID
was computed. See [2] and [3].
2.2. Notational Conventions
A, B, and C are hosts. X is a potentially malicious host. FQDN(A) is the Fully Qualified Domain Name for A. Ls(A) is the locator set for A, which consists of the locators L1(A), L2(A), ... Ln(A). The locator set is not ordered in any particular way other than maybe what is returned by the DNS. A host might form different locator sets containing different subnets of the host's IP addresses. This is necessary in some cases for security reasons. See Section 16.1. ULID(A) is an upper-layer identifier for A. In this proposal, ULID(A) is always one member of A's locator set. CT(A) is a Context Tag assigned by A. STATE (in uppercase) refers to the specific state of the state machine described in Section 6.22.3. Conceptual
This document also makes use of internal conceptual variables to describe protocol behavior and external variables that an implementation must allow system administrators to change. The specific variable names, how their values change, and how their settings influence protocol behavior are provided to demonstrate protocol behavior. An implementation is not required to have them in the exact form described here, so long as its external behavior is consistent with that described in this document. See Section 6 for a description of the conceptual data structures.3. Assumptions
The design intent is to ensure that the Shim6 protocol is capable of handling path failures independently of the number of IP addresses (locators) available to the two communicating hosts, and independently of which host detects the failure condition. Consider, for example, the case in which both A and B have active Shim6 state and where A has only one locator while B has multiple locators. In this case, it might be that B is trying to send a packet to A, and has detected a failure condition with the current locator pair. Since B has multiple locators, it presumably has multiple ISPs, and (consequently) likely has alternate egress paths
toward A. B cannot vary the destination address (i.e., A's locator), since A has only one locator. However, B may need to vary the source address in order to ensure packet delivery. In many cases, normal operation of IP routing may cause the packets to follow a path towards the correct (currently operational) egress. In some cases, it is possible that a path may be selected based on the source address, implying that B will need to select a source address corresponding to the currently operating egress. The details of how routing can be accomplished is beyond the scope of this document. Also, when the site's ISPs perform ingress filtering based on packet source addresses, Shim6 assumes that packets sent with different source and destination combinations have a reasonable chance of making it through the relevant ISP's ingress filters. This can be accomplished in several ways (all outside the scope of this document), such as having the ISPs relax their ingress filters or selecting the egress such that it matches the IP source address prefix. In the case that one egress path has failed but another is operating correctly, it may be necessary for the packet's source (node B in the previous paragraph) to select a source address that corresponds to the operational egress, in order to pass the ISP's ingress filters. The Shim6 approach assumes that there are no IPv6-to-IPv6 NATs on the paths, i.e., that the two ends can exchange their own notion of their IPv6 addresses and that those addresses will also make sense to their peer. The security of the Shim6 protocol relies on the usage of Hash-Based Addresses (HBA) [3] and/or Cryptographically Generated Addresses (CGA) [2]. In the case that HBAs are used, all the addresses assigned to the host that are included in the Shim6 protocol (either as a locator or as a ULID) must be part of the same HBA set. In the case that CGAs are used, the address used as ULID must be a CGA, but the other addresses that are used as locators do not need to be either CGAs or HBAs. It should be noted that it is perfectly acceptable to run the Shim6 protocol between a host that has multiple locators and another host that has a single IP address. In this case, the address of the host with a single address does not need to be an HBA or a CGA.
(next page on part 2)