tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 5533

 
 
 

Shim6: Level 3 Multihoming Shim Protocol for IPv6

Part 3 of 5, p. 51 to 86
Prev RFC Part       Next RFC Part

 


prevText      Top      Up      ToC       Page 51 
6.  Conceptual Model of a Host

   This section describes a conceptual model of one possible data
   structure organization that hosts will maintain for the purposes of
   Shim6.  The described organization is provided to facilitate the
   explanation of how the Shim6 protocol should behave.  This document
   does not mandate that implementations adhere to this model as long as
   their external behavior is consistent with that described in this
   document.

6.1.  Conceptual Data Structures

   The key conceptual data structure for the Shim6 protocol is the ULID-
   pair context.  This is a data structure that contains the following
   information:

   o  The state of the context.  See Section 6.2.

   o  The peer ULID: ULID(peer).

   o  The local ULID: ULID(local).

   o  The Forked Instance Identifier: FII.  This is zero for the default
      context, i.e., when there is no forking.

   o  The list of peer locators with their preferences: Ls(peer).

   o  The generation number for the most recently received, verified
      peer locator list.

   o  For each peer locator, the verification method to use (from the
      Locator List option).

   o  For each peer locator, a flag specifying whether it has been
      verified using HBA or CGA, and a bit specifying whether the
      locator has been probed to verify that the ULID is present at that
      location.

   o  The current peer locator is the locator used as the destination
      address when sending packets: Lp(peer).

   o  The set of local locators and the preferences: Ls(local).

   o  The generation number for the most recently sent Locator List
      option.

   o  The current local locator is the locator used as the source
      address when sending packets: Lp(local).

Top      Up      ToC       Page 52 
   o  The Context Tag used to transmit control messages and Shim6
      Payload Extension headers; this is allocated by the peer:
      CT(peer).

   o  The context to expect in received control messages and Shim6
      Payload Extension headers; this is allocated by the local host:
      CT(local).

   o  Timers for retransmission of the messages during context-
      establishment and update messages.

   o  Depending how an implementation determines whether a context is
      still in use, there might be a need to track the last time a
      packet was sent/received using the context.

   o  Reachability state for the locator pairs as specified in [4].

   o  During pair exploration, information about the Probe messages that
      have been sent and received as specified in [4].

   o  During context-establishment phase, the Initiator Nonce, Responder
      Nonce, Responder Validator, and timers related to the different
      packets sent (I1,I2, R2), as described in Section 7.

6.2.  Context STATES

   The STATES that are used to describe the Shim6 protocol are as
   follows:

Top      Up      ToC       Page 53 
   +---------------------+---------------------------------------------+
   | STATE               | Explanation                                 |
   +---------------------+---------------------------------------------+
   | IDLE                | State machine start                         |
   |                     |                                             |
   | I1-SENT             | Initiating context-establishment exchange   |
   |                     |                                             |
   | I2-SENT             | Waiting to complete context-establishment   |
   |                     | exchange                                    |
   |                     |                                             |
   | I2BIS-SENT          | Potential context loss detected             |
   |                     |                                             |
   | ESTABLISHED         | SHIM context established                    |
   |                     |                                             |
   | E-FAILED            | Context-establishment exchange failed       |
   |                     |                                             |
   | NO-SUPPORT          | ICMP Unrecognized Next Header type          |
   |                     | (type 4, code 1) received, indicating       |
   |                     | that Shim6 is not supported                 |
   +---------------------+---------------------------------------------+

   In addition, in each of the aforementioned STATES, the following
   state information is stored:

Top      Up      ToC       Page 54 
   +---------------------+---------------------------------------------+
   | STATE               | Information                                 |
   +---------------------+---------------------------------------------+
   | IDLE                | None                                        |
   |                     |                                             |
   | I1-SENT             | ULID(peer), ULID(local), [FII], CT(local),  |
   |                     | INIT Nonce, Lp(local), Lp(peer), Ls(local)  |
   |                     |                                             |
   | I2-SENT             | ULID(peer), ULID(local), [FII], CT(local),  |
   |                     | INIT Nonce, RESP Nonce, Lp(local), Lp(peer),|
   |                     | Ls(local), Responder Validator              |
   |                     |                                             |
   | ESTABLISHED         | ULID(peer), ULID(local), [FII], CT(local),  |
   |                     | CT(peer), Lp(local), Lp(peer), Ls(local),   |
   |                     | Ls(peer), INIT Nonce?(to receive late R2)   |
   |                     |                                             |
   | I2BIS-SENT          | ULID(peer), ULID(local), [FII], CT(local),  |
   |                     | CT(peer), Lp(local), Lp(peer), Ls(local),   |
   |                     | Ls(peer), CT(R1bis), RESP Nonce,            |
   |                     | INIT Nonce, Responder Validator             |
   |                     |                                             |
   | E-FAILED            | ULID(peer), ULID(local)                     |
   |                     |                                             |
   | NO-SUPPORT          | ULID(peer), ULID(local)                     |
   +---------------------+---------------------------------------------+

7.  Establishing ULID-Pair Contexts

   ULID-pair contexts are established using a 4-way exchange, which
   allows the responder to avoid creating state on the first packet.  As
   part of this exchange, each end allocates a Context Tag and shares
   this Context Tag and its set of locators with the peer.

   In some cases, the 4-way exchange is not necessary -- for instance,
   when both ends try to set up the context at the same time, or when
   recovering from a context that has been garbage collected or lost at
   one of the hosts.

7.1.  Uniqueness of Context Tags

   As part of establishing a new context, each host has to assign a
   unique Context Tag.  Since the Shim6 Payload Extension headers are
   demultiplexed based solely on the Context Tag value (without using
   the locators), the Context Tag MUST be unique for each context.

Top      Up      ToC       Page 55 
   It is important that Context Tags are hard to guess for off-path
   attackers.  Therefore, if an implementation uses structure in the
   Context Tag to facilitate efficient lookups, at least 30 bits of the
   Context Tag MUST be unstructured and populated by random or pseudo-
   random bits.

   In addition, in order to minimize the reuse of Context Tags, the host
   SHOULD randomly cycle through the unstructured tag name space that is
   reserved for randomly assigned Context Tag values (e.g., following
   the guidelines described in [13]).

7.2.  Locator Verification

   The peer's locators might need to be verified during context
   establishment as well as when handling locator updates in Section 10.

   There are two separate aspects of locator verification.  One is to
   verify that the locator is tied to the ULID, i.e., that the host that
   "owns" the ULID is also the one that is claiming the locator
   "ownership".  The Shim6 protocol uses the HBA or CGA techniques for
   doing this verification.  The other aspect is to verify that the host
   is indeed reachable at the claimed locator.  Such verification is
   needed not only to make sure communication can proceed but also to
   prevent 3rd party flooding attacks [15].  These different aspects of
   locator verification happen at different times since the first might
   need to be performed before packets can be received by the peer with
   the source locator in question, but the latter verification is only
   needed before packets are sent to the locator.

   Before a host can use a locator (different than the ULID) as the
   source locator, it must know that the peer will accept packets with
   that source locator as part of this context.  Thus, the HBA/CGA
   verification SHOULD be performed by the host before the host
   acknowledges the new locator by sending either an Update
   Acknowledgement message or an R2 message.

   Before a host can use a locator (different than the ULID) as the
   destination locator, it MUST perform the HBA/CGA verification if this
   was not performed upon reception of the locator set.  In addition, it
   MUST verify that the ULID is indeed present at that locator.  This
   verification is performed by doing a return-routability test as part
   of the Probe sub-protocol [4].

   If the verification method in the Locator List option is not
   supported by the host, or if the verification method is not
   consistent with the CGA Parameter Data Structure (e.g., the Parameter
   Data Structure doesn't contain the multiprefix extension and the
   verification method says to use HBA), then the host MUST ignore the

Top      Up      ToC       Page 56 
   Locator List and the message in which it is contained.  The host
   SHOULD generate a Shim6 Error message with Error Code=2 and with the
   Pointer referencing the octet in the verification method that was
   found inconsistent.

7.3.  Normal Context Establishment

   The normal context establishment consists of a 4-message exchange in
   the order of I1, R1, I2, R2, as can be seen in Figure 3.

         Initiator                          Responder

          IDLE                               IDLE
               ------------- I1 -------------->
          I1-SENT
               <------------ R1 ---------------
                                             IDLE
               ------------- I2 -------------->
          I2-SENT
               <------------ R2 ---------------
          ESTABLISHED                        ESTABLISHED

                  Figure 3: Normal Context Establishment

7.4.  Concurrent Context Establishment

   When both ends try to initiate a context for the same ULID pair, then
   we might end up with crossing I1 messages.  Alternatively, since no
   state is created when receiving the I1, a host might send an I1 after
   having sent an R1 message.

   Since a host remembers that it has sent an I1, it can respond to an
   I1 from the peer (for the same ULID pair) with an R2, resulting in
   the message exchange shown in Figure 4.  Such behavior is needed for
   reasons such as correctly responding to retransmitted I1 messages,
   which occur when the R2 message has been lost.

Top      Up      ToC       Page 57 
         Host A                             Host B

          IDLE                               IDLE
               -\
          I1-SENT---\
                     ---\                  /---
                         --- I1 ---\   /---  I1-SENT
                                    ---\
                        /--- I1 ---/    ---\
                   /---                     -->
               <---

               -\
          I1-SENT---\
                     ---\                  /---
                         --- R2 ---\   /---  I1-SENT
                                    ---\
                        /--- R2 ---/    ---\
                   /---                     -->
               <---                          ESTABLISHED
          ESTABLISHED

                      Figure 4: Crossing I1 Messages

   If a host has received an I1 and sent an R1, it has no state to
   remember this.  Thus, if the ULP on the host sends down packets, this
   might trigger the host to send an I1 message itself.  Thus, while one
   end is sending an I1, the other is sending an I2, as can be seen in
   Figure 5.

Top      Up      ToC       Page 58 
         Host A                             Host B

          IDLE                               IDLE
               -\
                 ---\
          I1-SENT    ---\
                         --- I1 ---\
                                    ---\
                                        ---\
                                            -->

                                           /---
                                       /---  IDLE
                                    ---
                        /--- R1--/
                   /---
               <---

               -\
          I2-SENT---\
                     ---\                  /---
                         --- I2---\   /---   I1-SENT
                                    ---\
                        /--- I1 ---/    ---\
                   /---                     -->
               <---                          ESTABLISHED

               -\
          I2-SENT---\
                     ---\                  /---
                         --- R2 ---\   /---
                                    ---\
                        /--- R2 ---/    ---\
                   /---                     -->
               <---                          ESTABLISHED
          ESTABLISHED

                       Figure 5: Crossing I2 and I1

7.5.  Context Recovery

   Due to garbage collection, we can end up with one end having and
   using the context state, and the other end not having any state.  We
   need to be able to recover this state at the end that has lost it
   before we can use it.

Top      Up      ToC       Page 59 
   This need can arise in the following cases:

   o  The communication is working using the ULID pair as the locator
      pair but a problem arises, and the end that has retained the
      context state decides to probe alternate locator pairs.

   o  The communication is working using a locator pair that is not the
      ULID pair; hence, the ULP packets sent from a peer that has
      retained the context state use the Shim6 Payload Extension header.

   o  The host that retained the state sends a control message (e.g., an
      Update Request message).

   In all cases, the result is that the peer without state receives a
   shim message for which it has no context for the Context Tag.

   We can recover the context by having the node that doesn't have a
   context state send back an R1bis message, and then complete the
   recovery with an I2bis and R2 message, as can be seen in Figure 6.

           Host A                             Host B

         Context for
         CT(peer)=X                         Discards context for
                                            CT(local)=X

          ESTABLISHED                        IDLE

               ---- payload, probe, etc. -----> No context state
                                                for CT(local)=X

               <------------ R1bis ------------
                                             IDLE

               ------------- I2bis ----------->
          I2BIS_SENT
               <------------ R2 ---------------
          ESTABLISHED                        ESTABLISHED

                    Figure 6: Context Loss at Receiver

   If one end has garbage collected or lost the context state, it might
   try to create a new context state (for the same ULID pair), by
   sending an I1 message.  In this case, the peer (that still has the
   context state) will reply with an R1 message, and the full 4-way
   exchange will be performed again, as can be seen in Figure 7.

Top      Up      ToC       Page 60 
           Host A                             Host B

         Context for
         CT(peer)=X                         Discards context for
         ULIDs A1, B1                       CT(local)=X

          ESTABLISHED                        IDLE

        Finds  <------------ I1 --------------- Tries to set up
        existing                                for ULIDs A1, B1
        context,
        but CT(peer)                         I1-SENT
        doesn't match
               ------------- R1 --------------->
        Left old context
        in ESTABLISHED

               <------------ I2 ---------------
        Re-create context
        with new CT(peer)                    I2-SENT
        and Ls(peer).

          ESTABLISHED
               ------------- R2 -------------->
          ESTABLISHED                        ESTABLISHED

                     Figure 7: Context Loss at Sender

7.6.  Context Confusion

   Since each end might garbage collect the context state, we can have
   the case where one end has retained the context state and tries to
   use it, while the other end has lost the state.  We discussed this in
   the previous section on recovery.  But, for the same reasons, when
   one host retains Context Tag X as CT(peer) for ULID pair <A1, B1>,
   the other end might end up allocating that Context Tag as CT(local)
   for another ULID pair (e.g., <A3, B1>) between the same hosts.  In
   this case, we cannot use the recovery mechanisms since there needs to
   be separate Context Tags for the two ULID pairs.

   This type of "confusion" can be observed in two cases (assuming it is
   A that has retained the state and B that has dropped it):

   o  B decides to create a context for ULID pair <A3, B1>, allocates X
      as its Context Tag for this, and sends an I1 to A.

Top      Up      ToC       Page 61 
   o  A decides to create a context for ULID pair <A3, B1> and starts
      the exchange by sending I1 to B.  When B receives the I2 message,
      it allocates X as the Context Tag for this context.

   In both cases, A can detect that B has allocated X for ULID pair <A3,
   B1> even though A still has X as CT(peer) for ULID pair <A1, B1>.
   Thus, A can detect that B must have lost the context for <A1, B1>.

   The confusion can be detected when I2/I2bis/R2 is received, since we
   require that those messages MUST include a sufficiently large set of
   locators in a Locator List option that the peer can determine whether
   or not two contexts have the same host as the peer by comparing if
   there is any common locators in Ls(peer).

   The old context that used the Context Tag MUST be removed; it can no
   longer be used to send packets.  Thus, A would forcibly remove the
   context state for <A1, B1, X> so that it can accept the new context
   for <A3, B1, X>.  An implementation MAY re-create a context to
   replace the one that was removed -- in this case, for <A1, B1>.  The
   normal I1, R1, I2, R2 establishment exchange would then pick unique
   Context Tags for that replacement context.  This re-creation is
   OPTIONAL, but might be useful when there is ULP communication that is
   using the ULID pair whose context was removed.

   Note that an I1 message with a duplicate Context Tag should not cause
   the removal of the old context state; this operation needs to be
   deferred until the reception of the I2 message.

7.7.  Sending I1 Messages

   When the shim layer decides to set up a context for a ULID pair, it
   starts by allocating and initializing the context state for its end.
   As part of this, it assigns a random Context Tag to the context that
   is not being used as CT(local) by any other context .  In the case
   that a new API is used and the ULP requests a forked context, the
   Forked Instance Identifier value will be set to a non-zero value.
   Otherwise, the FII value is zero.  Then the initiator can send an I1
   message and set the context STATE to I1-SENT.  The I1 message MUST
   include the ULID pair -- normally, in the IPv6 Source and Destination
   fields.  But if the ULID pair for the context is not used as a
   locator pair for the I1 message, then a ULID option MUST be included
   in the I1 message.  In addition, if a Forked Instance Identifier
   value is non-zero, the I1 message MUST include a Context Instance
   Identifier option containing the correspondent value.

Top      Up      ToC       Page 62 
7.8.  Retransmitting I1 Messages

   If the host does not receive an R1 or R2 message in response to the
   I1 message after I1_TIMEOUT time, then it needs to retransmit the I1
   message.  The retransmissions should use a retransmission timer with
   binary exponential backoff to avoid creating congestion issues for
   the network when lots of hosts perform I1 retransmissions.  Also, the
   actual timeout value should be randomized between 0.5 and 1.5 of the
   nominal value to avoid self-synchronization.

   If, after I1_RETRIES_MAX retransmissions, there is no response, then
   most likely the peer does not implement the Shim6 protocol (or there
   could be a firewall that blocks the protocol).  In this case, it
   makes sense for the host to remember not to try again to establish a
   context with that ULID.  However, any such negative caching should be
   retained for at most NO_R1_HOLDDOWN_TIME, in order to be able to
   later set up a context should the problem have been that the host was
   not reachable at all when the shim tried to establish the context.

   If the host receives an ICMP error with "Unrecognized Next Header"
   type (type 4, code 1) and the included packet is the I1 message it
   just sent, then this is a more reliable indication that the peer ULID
   does not implement Shim6.  Again, in this case, the host should
   remember not to try again to establish a context with that ULID.
   Such negative caching should be retained for at most
   ICMP_HOLDDOWN_TIME, which should be significantly longer than the
   previous case.

7.9.  Receiving I1 Messages

   A host MUST silently discard any received I1 messages that do not
   satisfy all of the following validity checks in addition to those
   specified in Section 12.3:

   o  The Hdr Ext Len field is at least 1, i.e., the length is at least
      16 octets.

   Upon the reception of an I1 message, the host extracts the ULID pair
   and the Forked Instance Identifier from the message.  If there is no
   ULID-pair option, then the ULID pair is taken from the Source and
   Destination fields in the IPv6 header.  If there is no FII option in
   the message, then the FII value is taken to be zero.

   Next, the host looks for an existing context that matches the ULID
   pair and the FII.

   If no state is found (i.e., the STATE is IDLE), then the host replies
   with an R1 message as specified below.

Top      Up      ToC       Page 63 
   If such a context exists in ESTABLISHED STATE, the host verifies that
   the locator of the initiator is included in Ls(peer).  (This check is
   unnecessary if there is no ULID-pair option in the I1 message.)

   If the state exists in ESTABLISHED STATE and the locators do not fall
   in the locator sets, then the host replies with an R1 message as
   specified below.  This completes the I1 processing, with the context
   STATE being unchanged.

   If the state exists in ESTABLISHED STATE and the locators do fall in
   the sets, then the host compares CT(peer) for the context with the CT
   contained in the I1 message.

   o  If the Context Tags match, then this probably means that the R2
      message was lost and this I1 is a retransmission.  In this case,
      the host replies with an R2 message containing the information
      available for the existent context.

   o  If the Context Tags do not match, then it probably means that the
      initiator has lost the context information for this context and is
      trying to establish a new one for the same ULID pair.  In this
      case, the host replies with an R1 message as specified below.
      This completes the I1 processing, with the context STATE being
      unchanged.

   If the state exists in other STATE (I1-SENT, I2-SENT, I2BIS-SENT), we
   are in the situation of concurrent context establishment, described
   in Section 7.4.  In this case, the host leaves CT(peer) unchanged and
   replies with an R2 message.  This completes the I1 processing, with
   the context STATE being unchanged.

7.10.  Sending R1 Messages

   When the host needs to send an R1 message in response to the I1
   message, it copies the Initiator Nonce from the I1 message to the R1
   message, generates a Responder Nonce, and calculates a Responder
   Validator option as suggested in the following section.  No state is
   created on the host in this case.  (Note that the information used to
   generate the R1 reply message is either contained in the received I1
   message or is global information that is not associated with the
   particular requested context (the S and the Responder Nonce values.))

   When the host needs to send an R2 message in response to the I1
   message, it copies the Initiator Nonce from the I1 message to the R2
   message, and otherwise follows the normal rules for forming an R2
   message (see Section 7.14).

Top      Up      ToC       Page 64 
7.10.1.  Generating the R1 Validator

   As it is stated in Section 5.15.1, the validator-generation mechanism
   is a local choice since the validator is generated and verified by
   the same node, i.e., the responder.  However, in order to provide the
   required protection, the validator needs to be generated by
   fulfilling the conditions described in Section 5.15.1.  One way for
   the responder to properly generate validators is to maintain a single
   secret (S) and a running counter (C) for the Responder Nonce that is
   incremented in fixed periods of time (this allows the responder to
   verify the age of a Responder Nonce, independently of the context in
   which it is used).

   When the validator is generated to be included in an R1 message sent
   in response to a specific I1 message, the responder can perform the
   following procedure to generate the validator value:

   First, the responder uses the current counter C value as the
   Responder Nonce.

   Second, it uses the following information (concatenated) as input to
   the one-way function:

   o  The secret S

   o  That Responder Nonce

   o  The Initiator Context Tag from the I1 message

   o  The ULIDs from the I1 message

   o  The locators from the I1 message (strictly only needed if they are
      different from the ULIDs)

   o  The Forked Instance Identifier, if such option was included in the
      I1 message

   Third, it uses the output of the hash function as the validator value
   included in the R1 message.

7.11.  Receiving R1 Messages and Sending I2 Messages

   A host MUST silently discard any received R1 messages that do not
   satisfy all of the following validity checks in addition to those
   specified in Section 12.3:

   o  The Hdr Ext Len field is at least 1, i.e., the length is at least
      16 octets.

Top      Up      ToC       Page 65 
   Upon the reception of an R1 message, the host extracts the Initiator
   Nonce and the Locator Pair from the message (the latter from the
   Source and Destination fields in the IPv6 header).  Next, the host
   looks for an existing context that matches the Initiator Nonce and
   where the locators are contained in Ls(peer) and Ls(local),
   respectively.  If no such context is found, then the R1 message is
   silently discarded.

   If such a context is found, then the host looks at the STATE:

   o  If the STATE is I1-SENT, then it sends an I2 message as specified
      below.

   o  In any other STATE (I2-SENT, I2BIS-SENT, ESTABLISHED), then the
      host has already sent an I2 message and this is probably a reply
      to a retransmitted I1 message, so this R1 message MUST be silently
      discarded.

   When the host sends an I2 message, it includes the Responder
   Validator option that was in the R1 message.  The I2 message MUST
   include the ULID pair -- normally, in the IPv6 Source and Destination
   fields.  If a ULID-pair option was included in the I1 message, then
   it MUST be included in the I2 message as well.  In addition, if the
   Forked Instance Identifier value for this context is non-zero, the I2
   message MUST contain a Forked Instance Identifier option carrying the
   Forked Instance Identifier value.  Besides, the I2 message contains
   an Initiator Nonce.  This is not required to be the same as the one
   included in the previous I1 message.

   The I2 message may also include the initiator's locator list.  If
   this is the case, then it must also include the CGA Parameter Data
   Structure.  If CGA (and not HBA) is used to verify one or more of the
   locators included in the locator list, then the initiator must also
   include a CGA Signature option containing the signature.

   When the I2 message has been sent, the STATE is set to I2-SENT.

7.12.  Retransmitting I2 Messages

   If the initiator does not receive an R2 message after I2_TIMEOUT time
   after sending an I2 message, it MAY retransmit the I2 message, using
   binary exponential backoff and randomized timers.  The Responder
   Validator option might have a limited lifetime -- that is, the peer
   might reject Responder Validator options that are older than
   VALIDATOR_MIN_LIFETIME to avoid replay attacks.  In the case that the
   initiator decides not to retransmit I2 messages, or in the case that

Top      Up      ToC       Page 66 
   the initiator still does not receive an R2 message after
   retransmitting I2 messages I2_RETRIES_MAX times, the initiator SHOULD
   fall back to retransmitting the I1 message.

7.13.  Receiving I2 Messages

   A host MUST silently discard any received I2 messages that do not
   satisfy all of the following validity checks in addition to those
   specified in Section 12.3:

   o  The Hdr Ext Len field is at least 2, i.e., the length is at least
      24 octets.

   Upon the reception of an I2 message, the host extracts the ULID pair
   and the Forked Instance Identifier from the message.  If there is no
   ULID-pair option, then the ULID pair is taken from the Source and
   Destination fields in the IPv6 header.  If there is no FII option in
   the message, then the FII value is taken to be zero.

   Next, the host verifies that the Responder Nonce is a recent one
   (nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be
   considered recent) and that the Responder Validator option matches
   the validator the host would have computed for the ULID, locators,
   Responder Nonce, Initiator Nonce, and FII.

   If a CGA Parameter Data Structure (PDS) is included in the message,
   then the host MUST verify if the actual PDS contained in the message
   corresponds to the ULID(peer).

   If any of the above verifications fail, then the host silently
   discards the message; it has completed the I2 processing.

   If all the above verifications are successful, then the host proceeds
   to look for a context state for the initiator.  The host looks for a
   context with the extracted ULID pair and FII.  If none exist, then
   STATE of the (non-existing) context is viewed as being IDLE; thus,
   the actions depend on the STATE as follows:

   o  If the STATE is IDLE (i.e., the context does not exist), the host
      allocates a Context Tag (CT(local)), creates the context state for
      the context, and sets its STATE to ESTABLISHED.  It records
      CT(peer) and the peer's locator set as well as its own locator set
      in the context.  It SHOULD perform the HBA/CGA verification of the
      peer's locator set at this point in time, as specified in
      Section 7.2.  Then, the host sends an R2 message back as specified
      below.

Top      Up      ToC       Page 67 
   o  If the STATE is I1-SENT, then the host verifies if the source
      locator is included in Ls(peer) or in the Locator List contained
      in the I2 message and that the HBA/CGA verification for this
      specific locator is successful.

      *  If this is not the case, then the message is silently discarded
         and the context STATE remains unchanged.

      *  If this is the case, then the host updates the context
         information (CT(peer), Ls(peer)) with the data contained in the
         I2 message, and the host MUST send an R2 message back as
         specified below.  Note that before updating Ls(peer)
         information, the host SHOULD perform the HBA/CGA validation of
         the peer's locator set at this point in time, as specified in
         Section 7.2.  The host moves to ESTABLISHED STATE.

   o  If the STATE is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host
      verifies if the source locator is included in Ls(peer) or in the
      Locator List contained in the I2 message and that the HBA/CGA
      verification for this specific locator is successful.

      *  If this is not the case, then the message is silently discarded
         and the context STATE remains unchanged.

      *  If this is the case, then the host updates the context
         information (CT(peer), Ls(peer)) with the data contained in the
         I2 message, and the host MUST send an R2 message back as
         specified in Section 7.14.  Note that before updating Ls(peer)
         information, the host SHOULD perform the HBA/CGA validation of
         the peer's locator set at this point in time, as specified in
         Section 7.2.  The context STATE remains unchanged.

7.14.  Sending R2 Messages

   Before the host sends the R2 message, it MUST look for a possible
   context confusion, i.e., where it would end up with multiple contexts
   using the same CT(peer) for the same peer host.  See Section 7.15.

   When the host needs to send an R2 message, the host forms the message
   and its Context Tag, and copies the Initiator Nonce from the
   triggering message (I2, I2bis, or I1).  In addition, it may include
   alternative locators and necessary options so that the peer can
   verify them.  In particular, the R2 message may include the
   responder's locator list and the PDS option.  If CGA (and not HBA) is
   used to verify the locator list, then the responder also signs the
   key parts of the message and includes a CGA Signature option
   containing the signature.

Top      Up      ToC       Page 68 
   R2 messages are never retransmitted.  If the R2 message is lost, then
   the initiator will retransmit either the I2/I2bis or I1 message.
   Either retransmission will cause the responder to find the context
   state and respond with an R2 message.

7.15.  Match for Context Confusion

   When the host receives an I2, I2bis, or R2, it MUST look for a
   possible context confusion, i.e., where it would end up with multiple
   contexts using the same CT(peer) for the same peer host.  This can
   happen when the host has received the above messages, since they
   create a new context with a new CT(peer).  The same issue applies
   when CT(peer) is updated for an existing context.

   The host takes CT(peer) for the newly created or updated context, and
   looks for other contexts which:

   o  Are in STATE ESTABLISHED or I2BIS-SENT

   o  Have the same CT(peer)

   o  Have an Ls(peer) that has at least one locator in common with the
      newly created or updated context

   If such a context is found, then the host checks if the ULID pair or
   the Forked Instance Identifier are different than the ones in the
   newly created or updated context:

   o  If either or both are different, then the peer is reusing the
      Context Tag for the creation of a context with different ULID pair
      or FII, which is an indication that the peer has lost the original
      context.  In this case, we are in a context confusion situation,
      and the host MUST NOT use the old context to send any packets.  It
      MAY just discard the old context (after all, the peer has
      discarded it), or it MAY attempt to re-establish the old context
      by sending a new I1 message and moving its STATE to I1-SENT.  In
      any case, once that this situation is detected, the host MUST NOT
      keep two contexts with overlapping Ls(peer) locator sets and the
      same Context Tag in ESTABLISHED STATE, since this would result in
      demultiplexing problems on the peer.

   o  If both are the same, then this context is actually the context
      that is created or updated; hence, there is no confusion.

Top      Up      ToC       Page 69 
7.16.  Receiving R2 Messages

   A host MUST silently discard any received R2 messages that do not
   satisfy all of the following validity checks in addition to those
   specified in Section 12.3:

   o  The Hdr Ext Len field is at least 1, i.e., the length is at least
      16 octets.

   Upon the reception of an R2 message, the host extracts the Initiator
   Nonce and the Locator Pair from the message (the latter from the
   Source and Destination fields in the IPv6 header).  Next, the host
   looks for an existing context that matches the Initiator Nonce and
   where the locators are Lp(peer) and Lp(local), respectively.  Based
   on the STATE:

   o  If no such context is found, i.e., the STATE is IDLE, then the
      message is silently dropped.

   o  If STATE is I1-SENT, I2-SENT, or I2BIS-SENT, then the host
      performs the following actions.  If a CGA Parameter Data Structure
      (PDS) is included in the message, then the host MUST verify that
      the actual PDS contained in the message corresponds to the
      ULID(peer) as specified in Section 7.2.  If the verification
      fails, then the message is silently dropped.  If the verification
      succeeds, then the host records the information from the R2
      message in the context state; it records the peer's locator set
      and CT(peer).  The host SHOULD perform the HBA/CGA verification of
      the peer's locator set at this point in time, as specified in
      Section 7.2.  The host sets its STATE to ESTABLISHED.

   o  If the STATE is ESTABLISHED, the R2 message is silently ignored,
      (since this is likely to be a reply to a retransmitted I2
      message).

   Before the host completes the R2 processing, it MUST look for a
   possible context confusion, i.e., where it would end up with multiple
   contexts using the same CT(peer) for the same peer host.  See
   Section 7.15.

7.17.  Sending R1bis Messages

   Upon the receipt of a Shim6 Payload Extension header where there is
   no current Shim6 context at the receiver, the receiver is to respond
   with an R1bis message in order to enable a fast re-establishment of
   the lost Shim6 context.

Top      Up      ToC       Page 70 
   Also, a host is to respond with an R1bis upon receipt of any control
   messages that have a message type in the range 64-127 (i.e.,
   excluding the context-setup messages such as I1, R1, R1bis, I2,
   I2bis, R2, and future extensions), where the control message refers
   to a non-existent context.

   We assume that all the incoming packets that trigger the generation
   of an R1bis message contain a locator pair (in the address fields of
   the IPv6 header) and a Context Tag.

   Upon reception of any of the packets described above, the host will
   reply with an R1bis including the following information:

   o  The Responder Nonce is a number picked by the responder that the
      initiator will return in the I2bis message.

   o  Packet Context Tag is the Context Tag contained in the received
      packet that triggered the generation of the R1bis message.

   o  The Responder Validator option is included, with a validator that
      is computed as suggested in the next section.

7.17.1.  Generating the R1bis Validator

   One way for the responder to properly generate validators is to
   maintain a single secret (S) and a running counter C for the
   Responder Nonce that is incremented in fixed periods of time (this
   allows the responder to verify the age of a Responder Nonce,
   independently of the context in which it is used).

   When the validator is generated to be included in an R1bis message --
   that is, sent in response to a specific control packet or a packet
   containing the Shim6 Payload Extension header message -- the
   responder can perform the following procedure to generate the
   validator value:

   First, the responder uses the counter C value as the Responder Nonce.

   Second, it uses the following information (concatenated) as input to
   the one-way function:

   o  The secret S

   o  That Responder Nonce

   o  The Receiver Context Tag included in the received packet

   o  The locators from the received packet

Top      Up      ToC       Page 71 
   Third, it uses the output of the hash function as the validator
   string.

7.18.  Receiving R1bis Messages and Sending I2bis Messages

   A host MUST silently discard any received R1bis messages that do not
   satisfy all of the following validity checks in addition to those
   specified in Section 12.3:

   o  The Hdr Ext Len field is at least 1, i.e., the length is at least
      16 octets.

   Upon the reception of an R1bis message, the host extracts the Packet
   Context Tag and the Locator Pair from the message (the latter from
   the Source and Destination fields in the IPv6 header).  Next, the
   host looks for an existing context where the Packet Context Tag
   matches CT(peer) and where the locators match Lp(peer) and Lp(local),
   respectively.

   o  If no such context is found, i.e., the STATE is IDLE, then the
      R1bis message is silently discarded.

   o  If the STATE is I1-SENT, I2-SENT, or I2BIS-SENT, then the R1bis
      message is silently discarded.

   o  If the STATE is ESTABLISHED, then we are in the case where the
      peer has lost the context, and the goal is to try to re-establish
      it.  For that, the host leaves CT(peer) unchanged in the context
      state, transitions to I2BIS-SENT STATE, and sends an I2bis
      message, including the computed Responder Validator option, the
      Packet Context Tag, and the Responder Nonce that were received in
      the R1bis message.  This I2bis message is sent using the locator
      pair included in the R1bis message.  In the case that this locator
      pair differs from the ULID pair defined for this context, then a
      ULID option MUST be included in the I2bis message.  In addition,
      if the Forked Instance Identifier for this context is non-zero,
      then a Forked Instance Identifier option carrying the instance
      identifier value for this context MUST be included in the I2bis
      message.  The I2bis message may also include a locator list.  If
      this is the case, then it must also include the CGA Parameter Data
      Structure.  If CGA (and not HBA) is used to verify one or more of
      the locators included in the locator list, then the initiator must
      also include a CGA Signature option containing the signature.

Top      Up      ToC       Page 72 
7.19.  Retransmitting I2bis Messages

   If the initiator does not receive an R2 message after I2bis_TIMEOUT
   time after sending an I2bis message, it MAY retransmit the I2bis
   message, using binary exponential backoff and randomized timers.  The
   Responder Validator option might have a limited lifetime -- that is,
   the peer might reject Responder Validator options that are older than
   VALIDATOR_MIN_LIFETIME to avoid replay attacks.  In the case that the
   initiator decides not to retransmit I2bis messages, or in the case
   that the initiator still does not receive an R2 message after
   retransmitting I2bis messages I2bis_RETRIES_MAX times, the initiator
   SHOULD fall back to retransmitting the I1 message.

7.20.  Receiving I2bis Messages and Sending R2 Messages

   A host MUST silently discard any received I2bis messages that do not
   satisfy all of the following validity checks in addition to those
   specified in Section 12.3:

   o  The Hdr Ext Len field is at least 3, i.e., the length is at least
      32 octets.

   Upon the reception of an I2bis message, the host extracts the ULID
   pair and the Forked Instance Identifier from the message.  If there
   is no ULID-pair option, then the ULID pair is taken from the Source
   and Destination fields in the IPv6 header.  If there is no FII option
   in the message, then the FII value is taken to be zero.

   Next, the host verifies that the Responder Nonce is a recent one
   (nonces that are no older than VALIDATOR_MIN_LIFETIME SHOULD be
   considered recent) and that the Responder Validator option matches
   the validator the host would have computed for the locators,
   Responder Nonce, and Receiver Context Tag as part of sending an R1bis
   message.

   If a CGA Parameter Data Structure (PDS) is included in the message,
   then the host MUST verify if the actual PDS contained in the message
   corresponds to the ULID(peer).

   If any of the above verifications fail, then the host silently
   discards the message; it has completed the I2bis processing.

   If both verifications are successful, then the host proceeds to look
   for a context state for the initiator.  The host looks for a context
   with the extracted ULID pair and FII.  If none exist, then STATE of
   the (non-existing) context is viewed as being IDLE; thus, the actions
   depend on the STATE as follows:

Top      Up      ToC       Page 73 
   o  If the STATE is IDLE (i.e., the context does not exist), the host
      allocates a Context Tag (CT(local)), creates the context state for
      the context, and sets its STATE to ESTABLISHED.  The host SHOULD
      NOT use the Packet Context Tag in the I2bis message for CT(local);
      instead, it should pick a new random Context Tag just as when it
      processes an I2 message.  It records CT(peer) and the peer's
      locator set as well as its own locator set in the context.  It
      SHOULD perform the HBA/CGA verification of the peer's locator set
      at this point in time, as specified in Section 7.2.  Then the host
      sends an R2 message back as specified in Section 7.14.

   o  If the STATE is I1-SENT, then the host verifies if the source
      locator is included in Ls(peer) or in the Locator List contained
      in the I2bis message and if the HBA/CGA verification for this
      specific locator is successful.

      *  If this is not the case, then the message is silently
         discarded.  The context STATE remains unchanged.

      *  If this is the case, then the host updates the context
         information (CT(peer), Ls(peer)) with the data contained in the
         I2bis message, and the host MUST send an R2 message back as
         specified below.  Note that before updating Ls(peer)
         information, the host SHOULD perform the HBA/CGA validation of
         the peer's locator set at this point in time, as specified in
         Section 7.2.  The host moves to ESTABLISHED STATE.

   o  If the STATE is ESTABLISHED, I2-SENT, or I2BIS-SENT, then the host
      determines whether at least one of the two following conditions
      hold: i) if the source locator is included in Ls(peer) or, ii) if
      the source locator is included in the Locator List contained in
      the I2bis message and if the HBA/CGA verification for this
      specific locator is successful.

      *  If none of the two aforementioned conditions hold, then the
         message is silently discarded.  The context STATE remains
         unchanged.

      *  If at least one of the two aforementioned conditions hold, then
         the host updates the context information (CT(peer), Ls(peer))
         with the data contained in the I2bis message, and the host MUST
         send an R2 message back, as specified in Section 7.14.  Note
         that before updating Ls(peer) information, the host SHOULD
         perform the HBA/CGA validation of the peer's locator set at
         this point in time, as specified in Section 7.2.  The context
         STATE remains unchanged.

Top      Up      ToC       Page 74 
8.  Handling ICMP Error Messages

   The routers in the path as well as the destination might generate
   ICMP error messages.  In some cases, the Shim6 can take action and
   solve the problem that resulted in the error.  In other cases, the
   Shim6 layer cannot solve the problem, and it is critical that these
   packets make it back up to the ULPs so that they can take appropriate
   action.

   This is an implementation issue in the sense that the mechanism is
   completely local to the host itself.  But the issue of how ICMP
   errors are correctly dispatched to the ULP on the host are important;
   hence, this section specifies the issue.

   All ICMP messages MUST be delivered to the ULP in all cases, except
   when Shim6 successfully acts on the message (e.g., selects a new
   path).  There SHOULD be a configuration option to unconditionally
   deliver all ICMP messages (including ones acted on by shim6) to the
   ULP.

   According to that recommendation, the following ICMP error messages
   should be processed by the Shim6 layer and not passed to the ULP:

      ICMP error Destination Unreachable, with codes:
         0 (No route to destination)
         1 (Communication with destination administratively prohibited)
         2 (Beyond scope of source address)
         3 (Address unreachable)
         5 (Source address failed ingress/egress policy)
         6 (Reject route to destination)

      ICMP Time exceeded error.

      ICMP Parameter problem error, with the parameter that caused the
      error being a Shim6 parameter.

   The following ICMP error messages report problems that cannot be
   addressed by the Shim6 layer and that should be passed to the ULP (as
   described below):

      ICMP Packet too big error.

      ICMP Destination Unreachable with Code 4 (Port unreachable).

      ICMP Parameter problem (if the parameter that caused the problem
      is not a Shim6 parameter).

Top      Up      ToC       Page 75 
                +--------------+
                | IPv6 Header  |
                |              |
                +--------------+
                |    ICMPv6    |
                |    Header    |
         - -    +--------------+   - -
                | IPv6 Header  |
                | src, dst as  |   Can be dispatched
        IPv6    | sent by ULP  |   unmodified to ULP
                | on host      |   ICMP error handler
        Packet  +--------------+
                |     ULP      |
        in      |    Header    |
                +--------------+
        Error   |              |
                ~     Data     ~
                |              |
         - -    +--------------+   - -

                Figure 8: ICMP Error Handling without the
                      Shim6 Payload Extension Header

   When the ULP packets are sent without the Shim6 Payload Extension
   header -- that is, while the initial locators=ULIDs are working --
   this introduces no new concerns; an implementation's existing
   mechanism for delivering these errors to the ULP will work.  See
   Figure 8.

   But when the shim on the transmitting side inserts the Shim6 Payload
   Extension header and replaces the ULIDs in the IP address fields with
   some other locators, then an ICMP error coming back will have a
   "packet in error", which is not a packet that the ULP sent.  Thus,
   the implementation will have to apply reverse mapping to the "packet
   in error" before passing the ICMP error up to the ULP, including the
   ICMP extensions defined in [25].  See Figure 9.

Top      Up      ToC       Page 76 
                +--------------+
                | IPv6 Header  |
                |              |
                +--------------+
                |    ICMPv6    |
                |    Header    |
         - -    +--------------+   - -
                | IPv6 Header  |
                | src, dst as  |   Needs to be
        IPv6    | modified by  |   transformed to
                | shim on host |   have ULIDs
                +--------------+   in src, dst fields,
        Packet  |  Shim6 ext.  |   and Shim6 Ext.
                |    Header    |   header removed
         in     +--------------+   before it can be
                |  Transport   |   dispatched to the ULP
        Error   |    Header    |   ICMP error handler.
                +--------------+
                |              |
                ~     Data     ~
                |              |
         - -    +--------------+   - -

   Figure 9: ICMP Error Handling with the Shim6 Payload Extension Header

   Note that this mapping is different than when receiving packets from
   the peer with Shim6 Payload Extension headers because, in that case,
   the packets contain CT(local).  But the ICMP errors have a "packet in
   error" with a Shim6 Payload Extension header containing CT(peer).
   This is because they were intended to be received by the peer.  In
   any case, since the <Source Locator, Destination Locator, CT(peer)>
   has to be unique when received by the peer, the local host should
   also only be able to find one context that matches this tuple.

   If the ICMP error is a "packet too big", the reported MTU must be
   adjusted to be 8 octets less, since the shim will add 8 octets when
   sending packets.

   After the "packet in error" has had the original ULIDs inserted, then
   this Shim6 Payload Extension header can be removed.  The result is a
   "packet in error" that is passed to the ULP which looks as if the
   shim did not exist.

9.  Teardown of the ULID-Pair Context

   Each host can unilaterally decide when to tear down a ULID-pair
   context.  It is RECOMMENDED that hosts do not tear down the context
   when they know that there is some upper-layer protocol that might use

Top      Up      ToC       Page 77 
   the context.  For example, an implementation might know this if there
   is an open socket that is connected to the ULID(peer).  However,
   there might be cases when the knowledge is not readily available to
   the shim layer, for instance, for UDP applications that do not
   connect their sockets or for any application that retains some
   higher-level state across (TCP) connections and UDP packets.

   Thus, it is RECOMMENDED that implementations minimize premature
   teardown by observing the amount of traffic that is sent and received
   using the context, and tear down the state only after it appears
   quiescent.  A reasonable approach would be to not tear down a context
   until at least 5 minutes have passed since the last message was sent
   or received using the context.  (Note that packets that use the ULID
   pair as a locator pair and that do not require address rewriting by
   the Shim6 layer are also considered as packets using the associated
   Shim6 context.)

   Since there is no explicit, coordinated removal of the context state,
   there are potential issues around Context Tag reuse.  One end might
   remove the state and potentially reuse that Context Tag for some
   other communication, and the peer might later try to use the old
   context (which it didn't remove).  The protocol has mechanisms to
   recover from this, which work whether the state removal was total and
   accidental (e.g., crash and reboot of the host) or just a garbage
   collection of shim state that didn't seem to be used.  However, the
   host should try to minimize the reuse of Context Tags by trying to
   randomly cycle through the 2^47 Context Tag values.  (See Appendix C
   for a summary of how the recovery works in the different cases.)

10.  Updating the Peer

   The Update Request and Acknowledgement are used both to update the
   list of locators (only possible when CGA is used to verify the
   locator(s)) and to update the preferences associated with each
   locator.

10.1.  Sending Update Request Messages

   When a host has a change in the locator set, it can communicate this
   to the peer by sending an Update Request.  When a host has a change
   in the preferences for its locator set, it can also communicate this
   to the peer.  The Update Request message can include just a Locator
   List option (to convey the new set of locators), just a Locator
   Preferences option, or both a new Locator List and new Locator
   Preferences.

Top      Up      ToC       Page 78 
   Should the host send a new Locator List, the host picks a new random,
   local generation number, records this in the context, and puts it in
   the Locator List option.  Any Locator Preference option, whether sent
   in the same Update Request or in some future Update Request, will use
   that generation number to make sure the preferences get applied to
   the correct version of the locator list.

   The host picks a random Request Nonce for each update and keeps the
   same nonce for any retransmissions of the Update Request.  The nonce
   is used to match the acknowledgement with the request.

   The Update Request message can also include a CGA Parameter Data
   Structure (this is needed if the CGA PDS was not previously
   exchanged).  If CGA (and not HBA) is used to verify one or more of
   the locators included in the locator list, then a CGA Signature
   option containing the signature must also be included in the Update
   Request message.

10.2.  Retransmitting Update Request Messages

   If the host does not receive an Update Acknowledgement R2 message in
   response to the Update Request message after UPDATE_TIMEOUT time,
   then it needs to retransmit the Update Request message.  The
   retransmissions should use a retransmission timer with binary
   exponential backoff to avoid creating congestion issues for the
   network when lots of hosts perform Update Request retransmissions.
   Also, the actual timeout value should be randomized between 0.5 and
   1.5 of the nominal value to avoid self-synchronization.

   Should there be no response, the retransmissions continue forever.
   The binary exponential backoff stops at MAX_UPDATE_TIMEOUT.  But the
   only way the retransmissions would stop when there is no
   acknowledgement is when Shim6, through the REAP protocol or some
   other mechanism, decides to discard the context state due to lack of
   ULP usage in combination with no responses to the REAP protocol.

10.3.  Newer Information while Retransmitting

   There can be at most one outstanding Update Request message at any
   time.  Thus until, for example, an update with a new Locator List has
   been acknowledged, any newer Locator List or new Locator Preferences
   cannot just be sent.  However, when there is newer information and
   the older information has not yet been acknowledged, the host can,
   instead of waiting for an acknowledgement, abandon the previous
   update and construct a new Update Request (with a new Request Nonce)
   that includes the new information as well as the information that
   hasn't yet been acknowledged.

Top      Up      ToC       Page 79 
   For example, if the original locator list was just (A1, A2), and if
   an Update Request with the Locator List (A1, A3) is outstanding, and
   the host determines that it should both add A4 to the locator list
   and mark A1 as BROKEN, then it would need to:

   o  Pick a new random Request Nonce for the new Update Request.

   o  Pick a new random generation number for the new locator list.

   o  Form the new locator list: (A1, A3, A4).

   o  Form a Locator Preference option that uses the new generation
      number and has the BROKEN flag for the first locator.

   o  Send the Update Request and start a retransmission timer.

   Any Update Acknowledgement that doesn't match the current Request
   Nonce (for instance, an acknowledgement for the abandoned Update
   Request) will be silently ignored.

10.4.  Receiving Update Request Messages

   A host MUST silently discard any received Update Request messages
   that do not satisfy all of the following validity checks in addition
   to those specified in Section 12.3:

   o  The Hdr Ext Len field is at least 1, i.e., the length is at least
      16 octets.

   Upon the reception of an Update Request message, the host extracts
   the Context Tag from the message.  It then looks for a context that
   has a CT(local) that matches the Context Tag.  If no such context is
   found, it sends an R1bis message as specified in Section 7.17.

   Since Context Tags can be reused, the host MUST verify that the IPv6
   Source Address field is part of Ls(peer) and that the IPv6
   Destination Address field is part of Ls(local).  If this is not the
   case, the sender of the Update Request has a stale context that
   happens to match the CT(local) for this context.  In this case, the
   host MUST send an R1bis message and otherwise ignore the Update
   Request message.

   If a CGA Parameter Data Structure (PDS) is included in the message,
   then the host MUST verify if the actual PDS contained in the packet
   corresponds to the ULID(peer).  If this verification fails, the
   message is silently discarded.

Top      Up      ToC       Page 80 
   Then, depending on the STATE of the context:

   o  If ESTABLISHED, proceed to process message.

   o  If I1-SENT, discard the message and stay in I1-SENT.

   o  If I2-SENT, send I2 and proceed to process the message.

   o  If I2BIS-SENT, send I2bis and proceed to process the message.

   The verification issues for the locators carried in the Update
   Request message are specified in Section 7.2.  If the locator list
   cannot be verified, this procedure should send a Shim6 Error message
   with Error Code=2.  In any case, if it cannot be verified, there is
   no further processing of the Update Request.

   Once any Locator List option in the Update Request has been verified,
   the peer generation number in the context is updated to be the one in
   the Locator List option.

   If the Update Request message contains a Locator Preference option,
   then the generation number in the preference option is compared with
   the peer generation number in the context.  If they do not match,
   then the host generates a Shim6 Error message with Error Code=3 and
   with the Pointer field referring to the first octet in the Locator
   List Generation number in the Locator Preference option.  In
   addition, if the number of elements in the Locator Preference option
   does not match the number of locators in Ls(peer), then a Shim6 Error
   message with Error Code=4 is sent with the Pointer field referring to
   the first octet of the Length field in the Locator Preference option.
   In both cases of failure, no further processing is performed for the
   Update Request message.

   If the generation numbers match, the locator preferences are recorded
   in the context.

   Once the Locator List option (if present) has been verified and any
   new locator list or locator preferences have been recorded, the host
   sends an Update Acknowledgement message, copying the nonce from the
   request and using the CT(peer) as the Receiver Context Tag.

   Any new locators (or, more likely, new locator preferences) might
   result in the host wanting to select a different locator pair for the
   context -- for instance, if the Locator Preferences option lists the
   current Lp(peer) as BROKEN.  The host uses the reachability
   exploration procedure described in [4] to verify that the new locator
   is reachable before changing Lp(peer).

Top      Up      ToC       Page 81 
10.5.  Receiving Update Acknowledgement Messages

   A host MUST silently discard any received Update Acknowledgement
   messages that do not satisfy all of the following validity checks in
   addition to those specified in Section 12.3:

   o  The Hdr Ext Len field is at least 1, i.e., the length is at least
      16 octets.

   Upon the reception of an Update Acknowledgement message, the host
   extracts the Context Tag and the Request Nonce from the message.  It
   then looks for a context that has a CT(local) that matches the
   Context Tag.  If no such context is found, it sends an R1bis message
   as specified in Section 7.17.

   Since Context Tags can be reused, the host MUST verify that the IPv6
   Source Address field is part of Ls(peer) and that the IPv6
   Destination Address field is part of Ls(local).  If this is not the
   case, the sender of the Update Acknowledgement has a stale context
   that happens to match the CT(local) for this context.  In this case,
   the host MUST send an R1bis message and otherwise ignore the Update
   Acknowledgement message.

   Then, depending on the STATE of the context:

   o  If ESTABLISHED, proceed to process message.

   o  If I1-SENT, discard the message and stay in I1-SENT.

   o  If I2-SENT, send R2 and proceed to process the message.

   o  If I2BIS-SENT, send R2 and proceed to process the message.

   If the Request Nonce doesn't match the nonce for the last sent Update
   Request for the context, then the Update Acknowledgement is silently
   ignored.  If the nonce matches, then the update has been completed
   and the Update retransmit timer can be reset.

11.  Sending ULP Payloads

   When there is no context state for the ULID pair on the sender, there
   is no effect on how ULP packets are sent.  If the host is using some
   heuristic for determining when to perform a deferred context
   establishment, then the host might need to do some accounting (count
   the number of packets sent and received) even before there is a ULID-
   pair context.

Top      Up      ToC       Page 82 
   If the context is not in ESTABLISHED or I2BIS-SENT STATE, then there
   is also no effect on how the ULP packets are sent.  Only in the
   ESTABLISHED and I2BIS-SENT STATEs does the host have CT(peer) and
   Ls(peer) set.

   If there is a ULID-pair context for the ULID pair, then the sender
   needs to verify whether the context uses the ULIDs as locators --
   that is, whether Lp(peer) == ULID(peer) and Lp(local) == ULID(local).

   If this is the case, then packets can be sent unmodified by the shim.
   If it is not the case, then the logic in Section 11.1 will need to be
   used.

   There will also be some maintenance activity relating to
   (un)reachability detection, whether or not packets are sent with the
   original locators.  The details of this are out of scope for this
   document and are specified in [4].

11.1.  Sending ULP Payload after a Switch

   When sending packets, if there is a ULID-pair context for the ULID
   pair, and if the ULID pair is no longer used as the locator pair,
   then the sender needs to transform the packet.  Apart from replacing
   the IPv6 Source and Destination fields with a locator pair, an
   8-octet header is added so that the receiver can find the context and
   inverse the transformation.

   If there has been a failure causing a switch, and later the context
   switches back to sending things using the ULID pair as the locator
   pair, then there is no longer a need to do any packet transformation
   by the sender; hence, there is no need to include the 8-octet
   Extension header.

   First, the IP address fields are replaced.  The IPv6 Source Address
   field is set to Lp(local) and the Destination Address field is set to
   Lp(peer).  Note that this MUST NOT cause any recalculation of the ULP
   checksums, since the ULP checksums are carried end-to-end and the ULP
   pseudo-header contains the ULIDs that are preserved end-to-end.

   The sender skips any "Routing Sublayer Extension headers" that the
   ULP might have included; thus, it skips any Hop-by-Hop Extension
   header, any Routing header, and any Destination Options header that
   is followed by a Routing header.  After any such headers, the Shim6
   Extension header will be added.  This might be before a Fragment
   header, a Destination Options header, an ESP or AH header, or a ULP
   header.

Top      Up      ToC       Page 83 
   The inserted Shim6 Payload Extension header includes the peer's
   Context Tag.  It takes on the Next Header value from the preceding
   Extension header, since that Extension header will have a Next Header
   value of Shim6.

12.  Receiving Packets

   The receive side of the communication can receive packets associated
   to a Shim6 context, with or without the Shim6 Extension header.  In
   case the ULID pair is being used as a locator pair, the packets
   received will not have the Shim6 Extension header and will be
   processed by the Shim6 layer as described below.  If the received
   packet does carry the Shim6 Extension header, as in normal IPv6
   receive-side packet processing, the receiver parses the (extension)
   headers in order.  Should it find a Shim6 Extension header, it will
   look at the "P" field in that header.  If this bit is zero, then the
   packet must be passed to the Shim6 payload handling for rewriting.
   Otherwise, the packet is passed to the Shim6 control handling.

12.1.  Receiving Payload without Extension Headers

   The receiver extracts the IPv6 Source and Destination fields and uses
   this to find a ULID-pair context, such that the IPv6 address fields
   match the ULID(local) and ULID(peer).  If such a context is found,
   the context appears not to be quiescent; this should be remembered in
   order to avoid tearing down the context and for reachability
   detection purposes as described in [4].  The host continues with the
   normal processing of the IP packet.

12.2.  Receiving Shim6 Payload Extension Headers

   The receiver extracts the Context Tag from the Shim6 Payload
   Extension header and uses this to find a ULID-pair context.  If no
   context is found, the receiver SHOULD generate an R1bis message (see
   Section 7.17).

   Then, depending on the STATE of the context:

   o  If ESTABLISHED, proceed to process message.

   o  If I1-SENT, discard the message and stay in I1-SENT.

   o  If I2-SENT, send I2 and proceed to process the message.

   o  If I2BIS-SENT, send I2bis and proceed to process the message.

Top      Up      ToC       Page 84 
   With the context in hand, the receiver can now replace the IP address
   fields with the ULIDs kept in the context.  Finally, the Shim6
   Payload Extension header is removed from the packet (so that the ULP
   doesn't get confused by it), and the Next Header value in the
   preceding header is set to be the actual protocol number for the
   payload.  Then the packet can be passed to the protocol identified by
   the Next Header value (which might be some function associated with
   the IP endpoint sublayer or a ULP).

   If the host is using some heuristic for determining when to perform a
   deferred context establishment, then the host might need to do some
   accounting (count the number of packets sent and received) for
   packets that do not have a Shim6 Extension header and for which there
   is no context.  But the need for this depends on what heuristics the
   implementation has chosen.

12.3.  Receiving Shim Control Messages

   A shim control message has the Checksum field verified.  The Shim
   Header Length field is also verified against the length of the IPv6
   packet to make sure that the shim message doesn't claim to end past
   the end of the IPv6 packet.  Finally, it checks that neither the IPv6
   Destination field nor the IPv6 Source field is a multicast address or
   an unspecified address.  If any of those checks fail, the packet is
   silently dropped.

   The message is then dispatched based on the shim message type.  Each
   message type is then processed as described elsewhere in this
   document.  If the packet contains a shim message type that is unknown
   to the receiver, then a Shim6 Error message with Error Code=0 is
   generated and sent back.  The Pointer field is set to point at the
   first octet of the shim message type.

   All the control messages can contain any options with C=0.  If there
   is any option in the message with C=1 that isn't known to the host,
   then the host MUST send a Shim6 Error message with Error Code=1 with
   the Pointer field referencing the first octet of the Option Type.

12.4.  Context Lookup

   We assume that each shim context has its own STATE machine.  We
   assume that a dispatcher delivers incoming packets to the STATE
   machine that it belongs to.  Here, we describe the rules used for the
   dispatcher to deliver packets to the correct shim context STATE
   machine.

Top      Up      ToC       Page 85 
   There is one STATE machine per identified context that is
   conceptually identified by the ULID pair and Forked Instance
   Identifier (which is zero by default) or identified by CT(local).
   However, the detailed lookup rules are more complex, especially
   during context establishment.

   Clearly, if the required context is not established, it will be in
   IDLE STATE.

   During context establishment, the context is identified as follows:

   o  I1 packets: Deliver to the context associated with the ULID pair
      and the Forked Instance Identifier.

   o  I2 packets: Deliver to the context associated with the ULID pair
      and the Forked Instance Identifier.

   o  R1 packets: Deliver to the context with the locator pair included
      in the packet and the Initiator Nonce included in the packet (R1
      does not contain a ULID pair or the CT(local)).  If no context
      exists with this locator pair and Initiator Nonce, then silently
      discard.

   o  R2 packets: Deliver to the context with the locator pair included
      in the packet and the Initiator Nonce included in the packet (R2
      does not contain a ULID pair or the CT(local)).  If no context
      exists with this locator pair and Initiator Nonce, then silently
      discard.

   o  R1bis packets: Deliver to the context that has the locator pair
      and the CT(peer) equal to the Packet Context Tag included in the
      R1bis packet.

   o  I2bis packets: Deliver to the context associated with the ULID
      pair and the Forked Instance Identifier.

   o  Shim6 Payload Extension headers: Deliver to the context with
      CT(local) equal to the Receiver Context Tag included in the
      packet.

   o  Other control messages (Update, Keepalive, Probe): Deliver to the
      context with CT(local) equal to the Receiver Context Tag included
      in the packet.  Verify that the IPv6 Source Address field is part
      of Ls(peer) and that the IPv6 Destination Address field is part of
      Ls(local).  If not, send an R1bis message.

Top      Up      ToC       Page 86 
   o  Shim6 Error messages and ICMP errors that contain a Shim6 Payload
      Extension header or other shim control packet in the "packet in
      error": Use the "packet in error" for dispatching as follows.
      Deliver to the context with CT(peer) equal to the Receiver Context
      Tag -- Lp(local) being the IPv6 source address and Lp(peer) being
      the IPv6 destination address.

   In addition, the shim on the sending side needs to be able to find
   the context state when a ULP packet is passed down from the ULP.  In
   that case, the lookup key is the pair of ULIDs and FII=0.  If we have
   a ULP API that allows the ULP to do context forking, then presumably
   the ULP would pass down the Forked Instance Identifier.



(page 86 continued on part 4)

Next RFC Part