tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 5533

Proposed STD
Pages: 124
Top     in Index     Prev     Next
in Group Index     No Prev: Lowest Number in Group     Next in Group     Group: SHIM6

Shim6: Level 3 Multihoming Shim Protocol for IPv6

Part 1 of 5, p. 1 to 16
None       Next RFC Part

 


Top       ToC       Page 1 
Network Working Group                                        E. Nordmark
Request for Comments: 5533                              Sun Microsystems
Category: Standards Track                                     M. Bagnulo
                                                                    UC3M
                                                               June 2009


           Shim6: Level 3 Multihoming Shim Protocol for IPv6

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This document defines the Shim6 protocol, a layer 3 shim for
   providing locator agility below the transport protocols, so that
   multihoming can be provided for IPv6 with failover and load-sharing
   properties, without assuming that a multihomed site will have a
   provider-independent IPv6 address prefix announced in the global IPv6
   routing table.  The hosts in a site that has multiple provider-
   allocated IPv6 address prefixes will use the Shim6 protocol specified
   in this document to set up state with peer hosts so that the state
   can later be used to failover to a different locator pair, should the
   original one stop working.

Top       Page 2 
Table of Contents

   1. Introduction ....................................................4
      1.1. Goals ......................................................5
      1.2. Non-Goals ..................................................5
      1.3. Locators as Upper-Layer Identifiers (ULID) .................6
      1.4. IP Multicast ...............................................7
      1.5. Renumbering Implications ...................................8
      1.6. Placement of the Shim ......................................9
      1.7. Traffic Engineering .......................................11
   2. Terminology ....................................................12
      2.1. Definitions ...............................................12
      2.2. Notational Conventions ....................................15
      2.3. Conceptual ................................................15
   3. Assumptions ....................................................15
   4. Protocol Overview ..............................................17
      4.1. Context Tags ..............................................19
      4.2. Context Forking ...........................................19
      4.3. API Extensions ............................................20
      4.4. Securing Shim6 ............................................20
      4.5. Overview of Shim Control Messages .........................21
      4.6. Extension Header Order ....................................22
   5. Message Formats ................................................23
      5.1. Common Shim6 Message Format ...............................23
      5.2. Shim6 Payload Extension Header Format .....................24
      5.3. Common Shim6 Control Header ...............................25
      5.4. I1 Message Format .........................................26
      5.5. R1 Message Format .........................................28
      5.6. I2 Message Format .........................................29
      5.7. R2 Message Format .........................................31
      5.8. R1bis Message Format ......................................33
      5.9. I2bis Message Format ......................................34
      5.10. Update Request Message Format ............................37
      5.11. Update Acknowledgement Message Format ....................38
      5.12. Keepalive Message Format .................................40
      5.13. Probe Message Format .....................................40
      5.14. Error Message Format .....................................40
      5.15. Option Formats ...........................................42
           5.15.1. Responder Validator Option Format .................44
           5.15.2. Locator List Option Format ........................44
           5.15.3. Locator Preferences Option Format .................46
           5.15.4. CGA Parameter Data Structure Option Format ........48
           5.15.5. CGA Signature Option Format .......................49
           5.15.6. ULID Pair Option Format ...........................49
           5.15.7. Forked Instance Identifier Option Format ..........50
           5.15.8. Keepalive Timeout Option Format ...................50
   6. Conceptual Model of a Host .....................................51
      6.1. Conceptual Data Structures ................................51

Top      ToC       Page 3 
      6.2. Context STATES ............................................52
   7. Establishing ULID-Pair Contexts ................................54
      7.1. Uniqueness of Context Tags ................................54
      7.2. Locator Verification ......................................55
      7.3. Normal Context Establishment ..............................56
      7.4. Concurrent Context Establishment ..........................56
      7.5. Context Recovery ..........................................58
      7.6. Context Confusion .........................................60
      7.7. Sending I1 Messages .......................................61
      7.8. Retransmitting I1 Messages ................................62
      7.9. Receiving I1 Messages .....................................62
      7.10. Sending R1 Messages ......................................63
           7.10.1. Generating the R1 Validator .......................64
      7.11. Receiving R1 Messages and Sending I2 Messages ............64
      7.12. Retransmitting I2 Messages ...............................65
      7.13. Receiving I2 Messages ....................................66
      7.14. Sending R2 Messages ......................................67
      7.15. Match for Context Confusion ..............................68
      7.16. Receiving R2 Messages ....................................69
      7.17. Sending R1bis Messages ...................................69
           7.17.1. Generating the R1bis Validator ....................70
      7.18. Receiving R1bis Messages and Sending I2bis Messages ......71
      7.19. Retransmitting I2bis Messages ............................72
      7.20. Receiving I2bis Messages and Sending R2 Messages .........72
   8. Handling ICMP Error Messages ...................................74
   9. Teardown of the ULID-Pair Context ..............................76
   10. Updating the Peer .............................................77
      10.1. Sending Update Request Messages ..........................77
      10.2. Retransmitting Update Request Messages ...................78
      10.3. Newer Information while Retransmitting ...................78
      10.4. Receiving Update Request Messages ........................79
      10.5. Receiving Update Acknowledgement Messages ................81
   11. Sending ULP Payloads ..........................................81
      11.1. Sending ULP Payload after a Switch .......................82
   12. Receiving Packets .............................................83
      12.1. Receiving Payload without Extension Headers ..............83
      12.2. Receiving Shim6 Payload Extension Headers ................83
      12.3. Receiving Shim Control Messages ..........................84
      12.4. Context Lookup ...........................................84
   13. Initial Contact ...............................................86
   14. Protocol Constants ............................................87
   15. Implications Elsewhere ........................................88
      15.1. Congestion Control Considerations ........................88
      15.2. Middle-Boxes Considerations ..............................88
      15.3. Operation and Management Considerations ..................89
      15.4. Other Considerations .....................................90
   16. Security Considerations .......................................91
      16.1. Interaction with IPSec ...................................93

Top      ToC       Page 4 
      16.2. Residual Threats .........................................94
   17. IANA Considerations ...........................................95
   18. Acknowledgements ..............................................97
   19. References ....................................................97
      19.1. Normative References .....................................97
      19.2. Informative References ...................................97
   Appendix A.  Possible Protocol Extensions ........................100
   Appendix B.  Simplified STATE Machine ............................101
      B.1.  Simplified STATE Machine Diagram ........................108
   Appendix C.  Context Tag Reuse ...................................109
      C.1.  Context Recovery ........................................109
      C.2.  Context Confusion .......................................109
      C.3.  Three-Party Context Confusion ...........................110
      C.4.  Summary .................................................110
   Appendix D.  Design Alternatives .................................111
      D.1.  Context Granularity .....................................111
      D.2.  Demultiplexing of Data Packets in Shim6 Communications ..111
        D.2.1.   Flow Label .........................................112
        D.2.2.   Extension Header ...................................115
      D.3.  Context-Loss Detection ..................................115
      D.4.  Securing Locator Sets ...................................117
      D.5.  ULID-Pair Context-Establishment Exchange ................120
      D.6.  Updating Locator Sets ...................................121
      D.7.  State Cleanup ...........................................122

1.  Introduction

   This document describes a layer 3 shim approach and protocol for
   providing locator agility below the transport protocols, so that
   multihoming can be provided for IPv6 with failover and load-sharing
   properties [11], without assuming that a multihomed site will have a
   provider-independent IPv6 address announced in the global IPv6
   routing table.  The hosts in a site that has multiple provider-
   allocated IPv6 address prefixes will use the Shim6 protocol specified
   in this document to set up state with peer hosts so that the state
   can later be used to failover to a different locator pair, should the
   original one stop working (the term locator is defined in Section 2).

   The Shim6 protocol is a site-multihoming solution in the sense that
   it allows existing communication to continue when a site that has
   multiple connections to the Internet experiences an outage on a
   subset of these connections or further upstream.  However, Shim6
   processing is performed in individual hosts rather than through site-
   wide mechanisms.

   We assume that redirection attacks are prevented using Hash-Based
   Addresses (HBA) as defined in [3].

Top      ToC       Page 5 
   The reachability and failure-detection mechanisms, including how a
   new working locator pair is discovered after a failure, are specified
   in RFC 5534 [4].  This document allocates message types and option
   types for that sub-protocol, and leaves the specification of the
   message and option formats, as well as the protocol behavior, to RFC
   5534.

1.1.  Goals

   The goals for this approach are to:

   o  Preserve established communications in the presence of certain
      classes of failures, for example, TCP connections and UDP streams.

   o  Have minimal impact on upper-layer protocols in general and on
      transport protocols and applications in particular.

   o  Address the security threats in [15] through a combination of the
      HBA/CGA approach specified in RFC 5535 [3] and the techniques
      described in this document.

   o  Not require an extra roundtrip up front to set up shim-specific
      state.  Instead, allow the upper-layer traffic (e.g., TCP) to flow
      as normal and defer the set up of the shim state until some number
      of packets have been exchanged.

   o  Take advantage of multiple locators/addresses for load spreading
      so that different sets of communication to a host (e.g., different
      connections) might use different locators of the host.  Note that
      this might cause load to be spread unevenly; thus, we use the term
      "load spreading" instead of "load balancing".  This capability
      might enable some forms of traffic engineering, but the details
      for traffic engineering, including what requirements can be
      satisfied, are not specified in this document, and form part of
      potential extensions to this protocol.

1.2.  Non-Goals

   The problem we are trying to solve is site multihoming, with the
   ability to have the set of site prefixes change over time due to site
   renumbering.  Further, we assume that such changes to the set of
   locator prefixes can be relatively slow and managed: slow enough to
   allow updates to the DNS to propagate (since the protocol defined in
   this document depends on the DNS to find the appropriate locator
   sets).  However, note that it is an explicit non-goal to make
   communication survive a renumbering event (which causes all the
   locators of a host to change to a new set of locators).  This
   proposal does not attempt to solve the related problem of host

Top      ToC       Page 6 
   mobility.  However, it might turn out that the Shim6 protocol can be
   a useful component for future host mobility solutions, e.g., for
   route optimization.

   Finally, this proposal also does not try to provide a new network-
   level or transport-level identifier name space distinct from the
   current IP address name space.  Even though such a concept would be
   useful to upper-layer protocols (ULPs) and applications, especially
   if the management burden for such a name space was negligible and
   there was an efficient yet secure mechanism to map from identifiers
   to locators, such a name space isn't necessary (and furthermore
   doesn't seem to help) to solve the multihoming problem.

   The Shim6 proposal doesn't fully separate the identifier and locator
   functions that have traditionally been overloaded in the IP address.
   However, throughout this document the term "identifier" or, more
   specifically, upper-layer identifier (ULID), refers to the
   identifying function of an IPv6 address.  "Locator" refers to the
   network-layer routing and forwarding properties of an IPv6 address.

1.3.  Locators as Upper-Layer Identifiers (ULID)

   The approach described in this document does not introduce a new
   identifier name space but instead uses the locator that is selected
   in the initial contact with the remote peer as the preserved upper-
   layer identifier (ULID).  While there may be subsequent changes in
   the selected network-level locators over time (in response to
   failures in using the original locator), the upper-level protocol
   stack elements will continue to use this upper-level identifier
   without change.

   This implies that the ULID selection is performed as today's default
   address selection as specified in RFC 3484 [7].  Some extensions are
   needed to RFC 3484 to try different source addresses, whether or not
   the Shim6 protocol is used, as outlined in [9].  Underneath, and
   transparently, the multihoming shim selects working locator pairs
   with the initial locator pair being the ULID pair.  If communication
   subsequently fails, the shim can test and select alternate locators.
   A subsequent section discusses the issues that arise when the
   selected ULID is not initially working, which creates the need to
   switch locators up front.

   Using one of the locators as the ULID has certain benefits for
   applications that have long-lived session state or that perform
   callbacks or referrals, because both the Fully Qualified Domain Name
   (FQDN) and the 128-bit ULID work as handles for the applications.

Top      ToC       Page 7 
   However, using a single 128-bit ULID doesn't provide seamless
   communication when that locator is unreachable.  See [18] for further
   discussion of the application implications.

   There has been some discussion of using non-routable addresses, such
   as Unique-Local Addresses (ULAs) [14], as ULIDs in a multihoming
   solution.  While this document doesn't specify all aspects of this,
   it is believed that the approach can be extended to handle the non-
   routable address case.  For example, the protocol already needs to
   handle ULIDs that are not initially reachable.  Thus, the same
   mechanism can handle ULIDs that are permanently unreachable from
   outside their site.  The issue becomes how to make the protocol
   perform well when the ULID is known a priori to be unreachable (e.g.,
   the ULID is a ULA), for instance, avoiding any timeout and retries in
   this case.  In addition, one would need to understand how the ULAs
   would be entered in the DNS to avoid a performance impact on
   existing, non-Shim6-aware IPv6 hosts potentially trying to
   communicate to the (unreachable) ULA.

1.4.  IP Multicast

   IP multicast requires that the IP Source Address field contain a
   topologically correct locator for the interface that is used to send
   the packet, since IP multicast routing uses both the source address
   and the destination group to determine where to forward the packet.
   In particular, IP multicast routing needs to be able to do the
   Reverse Path Forwarding (RPF) check.  (This isn't much different than
   the situation with widely implemented ingress filtering [6] for
   unicast.)

   While in theory it would be possible to apply the shim re-mapping of
   the IP address fields between ULIDs and locators, the fact that all
   the multicast receivers would need to know the mapping to perform
   makes such an approach difficult in practice.  Thus, it makes sense
   to have multicast ULPs operate directly on locators and not use the
   shim.  This is quite a natural fit for protocols that use RTP [10],
   since RTP already has an explicit identifier in the form of the
   synchronization source (SSRC) field in the RTP headers.  Thus, the
   actual IP address fields are not important to the application.

   In summary, IP multicast will not need the shim to remap the IP
   addresses.

   This doesn't prevent the receiver of multicast to change its
   locators, since the receiver is not explicitly identified; the
   destination address is a multicast address and not the unicast
   locator of the receiver.

Top      ToC       Page 8 
1.5.  Renumbering Implications

   As stated above, this approach does not try to make communication
   survive renumbering in the general case.

   When a host is renumbered, the effect is that one or more locators
   become invalid, and zero or more locators are added to the host's
   network interface.  This means that the set of locators that is used
   in the shim will change, which the shim can handle as long as not all
   the original locators become invalid at the same time; the shim's
   ability to handle this also depends on the time that is required to
   update the DNS and for those updates to propagate.

   But IP addresses are also used as ULIDs, and making the communication
   survive locators becoming invalid can potentially cause some
   confusion at the upper layers.  The fact that a ULID might be used
   with a different locator over time opens up the possibility that
   communication between two ULIDs might continue to work after one or
   both of those ULIDs are no longer reachable as locators, for example,
   due to a renumbering event.  This opens up the possibility that the
   ULID (or at least the prefix on which it is based) may be reassigned
   to another site while it is still being used (with another locator)
   for existing communication.

   In the worst case, we could end up with two separate hosts using the
   same ULID while both of them are communicating with the same host.

   This potential source for confusion is avoided by requiring that any
   communication using a ULID MUST be terminated when the ULID becomes
   invalid (due to the underlying prefix becoming invalid).  This
   behavior can be accomplished by explicitly discarding the shim state
   when the ULID becomes invalid.  The context-recovery mechanism will
   then make the peer aware that the context is gone and that the ULID
   is no longer present at the same locator(s).

Top      ToC       Page 9 
1.6.  Placement of the Shim

                             -----------------------
                             | Transport Protocols |
                             -----------------------

                          -------------- -------------    IP endpoint
                          | Frag/reass | | Dest opts |    sub-layer
                          -------------- -------------

                              ---------------------
                              | Shim6 shim layer  |
                              ---------------------

                                     ------               IP routing
                                     | IP |               sub-layer
                                     ------

                         Figure 1: Protocol Stack

   The proposal uses a multihoming shim layer within the IP layer, i.e.,
   below the ULPs, as shown in Figure 1, in order to provide ULP
   independence.  The multihoming shim layer behaves as if it is
   associated with an extension header, which would be placed after any
   routing-related headers in the packet (such as any hop-by-hop
   options).  However, when the locator pair is the ULID pair, there is
   no data that needs to be carried in an extension header; thus, none
   is needed in that case.

   Layering the Fragmentation header above the multihoming shim makes
   reassembly robust in the case that there is broken multi-path routing
   that results in using different paths, hence potentially different
   source locators, for different fragments.  Thus, the multihoming shim
   layer is placed between the IP endpoint sublayer (which handles
   fragmentation and reassembly) and the IP routing sublayer (which
   selects the next hop and interface to use for sending out packets).

   Applications and upper-layer protocols use ULIDs that the Shim6 layer
   maps to/from different locators.  The Shim6 layer maintains state,
   called ULID-pair context, per ULID pair (that is, such state applies
   to all ULP connections between the ULID pair) in order to perform
   this mapping.  The mapping is performed consistently at the sender
   and the receiver so that ULPs see packets that appear to be sent
   using ULIDs from end to end.  This property is maintained even though
   the packets travel through the network containing locators in the IP
   address fields, and even though those locators may be changed by the
   transmitting Shim6 layer.

Top      ToC       Page 10 
   The context state is maintained per remote ULID, i.e., approximately
   per peer host, and not at any finer granularity.  In particular, the
   context state is independent of the ULPs and any ULP connections.
   However, the forking capability enables Shim6-aware ULPs to use more
   than one locator pair at a time for a single ULID pair.

    ----------------------------          ----------------------------
    | Sender A                 |          | Receiver B               |
    |                          |          |                          |
    |     ULP                  |          |     ULP                  |
    |      | src ULID(A)=L1(A) |          |      ^                   |
    |      | dst ULID(B)=L1(B) |          |      | src ULID(A)=L1(A) |
    |      v                   |          |      | dst ULID(B)=L1(B) |
    |   multihoming shim       |          |   multihoming shim       |
    |      | src L2(A)         |          |      ^                   |
    |      | dst L3(B)         |          |      | src L2(A)         |
    |      v                   |          |      | dst L3(B)         |
    |      IP                  |          |      IP                  |
    ----------------------------          ----------------------------
           |                                     ^
           ------- cloud with some routers -------

                  Figure 2: Mapping with Changed Locators

   The result of this consistent mapping is that there is no impact on
   the ULPs.  In particular, there is no impact on pseudo-header
   checksums and connection identification.

   Conceptually, one could view this approach as if both ULIDs and
   locators are present in every packet, and as if a header-compression
   mechanism is applied that removes the need for the ULIDs to be
   carried in the packets once the compression state has been
   established.  In order for the receiver to re-create a packet with
   the correct ULIDs, there is a need to include some "compression tag"
   in the data packets.  This serves to indicate the correct context to
   use for decompression when the locator pair in the packet is
   insufficient to uniquely identify the context.

   There are different types of interactions between the Shim6 layer and
   other protocols.  Those interactions are influenced by the usage of
   the addresses in these other protocols and the impact of the Shim6
   mapping on these usages.  A detailed analysis of the interactions of
   different protocols, including the Stream Control Transmission
   Protocol (SCTP), mobile IP (MIP), and Host Identity Protocol (HIP),
   can be found in [19].  Moreover, some applications may need to have a
   richer interaction with the Shim6 sublayer.  In order to enable that,
   an API [23] has been defined to enable greater control and
   information exchange for those applications that need it.

Top      ToC       Page 11 
1.7.  Traffic Engineering

   At the time of this writing, it is not clear what requirements for
   traffic engineering make sense for the Shim6 protocol, since the
   requirements must both result in some useful behavior as well as be
   implementable using a host-to-host locator agility mechanism like
   Shim6.

   Inherent in a scalable multihoming mechanism that separates the
   locator function of the IP address from identifying function of the
   IP address is that each host ends up with multiple locators.  This
   means that, at least for initial contact, it is the remote peer
   application (or layer working on its behalf) that needs to select an
   initial ULID, which automatically becomes the initial locator.  In
   the case of Shim6, this is performed by applying RFC 3484 address
   selection.

   This is quite different than the common case of IPv4 multihoming
   where the site has a single IP address prefix, since in that case the
   peer performs no destination address selection.

   Thus, in "single prefix multihoming", the site (and in many cases its
   upstream ISPs) can use BGP to exert some control of the ingress path
   used to reach the site.  This capability does not by itself exist in
   "multiple prefix multihoming" approaches such as Shim6.  It is
   conceivable that extensions allowing site or provider guidance of
   host-based mechanisms could be developed.  But it should be noted
   that traffic engineering via BGP, MPLS, or other similar techniques
   can still be applied for traffic on each individual prefix; Shim6
   does not remove the capability for this.  It does provide some
   additional capabilities for hosts to choose between prefixes.

   These capabilities also carry some risk for non-optimal behaviour
   when more than one mechanism attempts to correct problems at the same
   time.  However, it should be noted that this is not necessarily a
   situation brought about by Shim6.  A more constrained form of this
   capability already exists in IPv6, itself, via its support of
   multiple prefixes and address-selection rules for starting new
   communications.  Even IPv4 hosts with multiple interfaces may have
   limited capabilities to choose interfaces on which they communicate.
   Similarly, upper layers may choose different addresses.

   In general, it is expected that Shim6 is applicable in relatively
   small sites and individual hosts where BGP-style traffic engineering
   operations are unavailable, unlikely, or if run with provider-
   independent addressing, possibly even harmful, considering the growth
   rates in the global routing table.

Top      ToC       Page 12 
   The protocol provides a placeholder, in the form of the Locator
   Preferences option, that can be used by hosts to express priority and
   weight values for each locator.  This option is merely a placeholder
   when it comes to providing traffic engineering; in order to use this
   in a large site, there would have to be a mechanism by which the host
   can find out what preference values to use, either statically (e.g.,
   some new DHCPv6 option) or dynamically.

   Thus, traffic engineering is listed as a possible extension in
   Appendix A.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [1].

2.1.  Definitions

   This document introduces the following terms:

   upper-layer protocol (ULP)
                       A protocol layer immediately above IP.  Examples
                       are transport protocols such as TCP and UDP;
                       control protocols such as ICMP; routing protocols
                       such as OSPF; and Internet or lower-layer
                       protocols being "tunneled" over (i.e.,
                       encapsulated in) IP, such as the Internet Packet
                       Exchange (IPX), AppleTalk, or IP itself.

   interface           A node's attachment to a link.

   address             An IP-layer name that both contains topological
                       significance and acts as a unique identifier for
                       an interface. 128 bits.  This document only uses
                       the "address" term in the case where it isn't
                       specific whether it is a locator or an
                       identifier.

   locator             An IP-layer topological name for an interface or
                       a set of interfaces. 128 bits.  The locators are
                       carried in the IP address fields as the packets
                       traverse the network.

   identifier          An IP-layer name for an IP-layer endpoint.  The
                       transport endpoint name is a function of the
                       transport protocol and would typically include
                       the IP identifier plus a port number.

Top      ToC       Page 13 
                       NOTE: This proposal does not specify any new form
                       of IP-layer identifier, but still separates the
                       identifying and locating properties of the IP
                       addresses.

   upper-layer identifier (ULID)
                       An IP address that has been selected for
                       communication with a peer to be used by the
                       upper-layer protocol. 128 bits.  This is used for
                       pseudo-header checksum computation and connection
                       identification in the ULP.  Different sets of
                       communication to a host (e.g., different
                       connections) might use different ULIDs in order
                       to enable load spreading.

                       Since the ULID is just one of the IP locators/
                       addresses of the node, there is no need for a
                       separate name space and allocation mechanisms.

   address field       The Source and Destination Address fields in the
                       IPv6 header.  As IPv6 is currently specified,
                       these fields carry "addresses".  If identifiers
                       and locators are separated, these fields will
                       contain locators for packets on the wire.

   FQDN                Fully Qualified Domain Name

   ULID-pair context   The state that the multihoming shim maintains
                       between a pair of upper-layer identifiers.  The
                       context is identified by a Context Tag for each
                       direction of the communication and also by a
                       ULID-pair and a Forked Instance Identifier (see
                       below).

   Context Tag         Each end of the context allocates a Context Tag
                       for the context.  This is used to uniquely
                       associate both received control packets and Shim6
                       Payload Extension headers as belonging to the
                       context.

   current locator pair
                       Each end of the context has a current locator
                       pair that is used to send packets to the peer.
                       However, the two ends might use different current
                       locator pairs.

Top      ToC       Page 14 
   default context     At the sending end, the shim uses the ULID pair
                       (passed down from the ULP) to find the context
                       for that pair.  Thus, normally, a host can have
                       at most one context for a ULID pair.  We call
                       this the "default context".

   context forking     A mechanism that allows ULPs that are aware of
                       multiple locators to use separate contexts for
                       the same ULID pair, in order to be able use
                       different locator pairs for different
                       communication to the same ULID.  Context forking
                       causes more than just the default context to be
                       created for a ULID pair.

   Forked Instance Identifier (FII)
                       In order to handle context forking, a context is
                       identified by a ULID pair and a Forked Context
                       Identifier.  The default context has an FII of
                       zero.

   initial contact     We use this term to refer to the pre-shim
                       communication when a ULP decides to start
                       communicating with a peer by sending and
                       receiving ULP packets.  Typically, this would not
                       invoke any operations in the shim, since the shim
                       can defer the context establishment until some
                       arbitrary, later point in time.

   Hash-Based Addresses (HBA)
                       A form of IPv6 address where the interface ID is
                       derived from a cryptographic hash of all the
                       prefixes assigned to the host.  See [3].

   Cryptographically Generated Addresses (CGA)
                       A form of IPv6 address where the interface ID is
                       derived from a cryptographic hash of the public
                       key.  See [2].

   CGA Parameter Data Structure (PDS)
                       The information that CGA and HBA exchange in
                       order to inform the peer of how the interface ID
                       was computed.  See [2] and [3].

Top      ToC       Page 15 
2.2.  Notational Conventions

   A, B, and C are hosts.  X is a potentially malicious host.

   FQDN(A) is the Fully Qualified Domain Name for A.

   Ls(A) is the locator set for A, which consists of the locators L1(A),
   L2(A), ...  Ln(A).  The locator set is not ordered in any particular
   way other than maybe what is returned by the DNS.  A host might form
   different locator sets containing different subnets of the host's IP
   addresses.  This is necessary in some cases for security reasons.
   See Section 16.1.

   ULID(A) is an upper-layer identifier for A.  In this proposal,
   ULID(A) is always one member of A's locator set.

   CT(A) is a Context Tag assigned by A.

   STATE (in uppercase) refers to the specific state of the state
   machine described in Section 6.2

2.3.  Conceptual

   This document also makes use of internal conceptual variables to
   describe protocol behavior and external variables that an
   implementation must allow system administrators to change.  The
   specific variable names, how their values change, and how their
   settings influence protocol behavior are provided to demonstrate
   protocol behavior.  An implementation is not required to have them in
   the exact form described here, so long as its external behavior is
   consistent with that described in this document.  See Section 6 for a
   description of the conceptual data structures.

3.  Assumptions

   The design intent is to ensure that the Shim6 protocol is capable of
   handling path failures independently of the number of IP addresses
   (locators) available to the two communicating hosts, and
   independently of which host detects the failure condition.

   Consider, for example, the case in which both A and B have active
   Shim6 state and where A has only one locator while B has multiple
   locators.  In this case, it might be that B is trying to send a
   packet to A, and has detected a failure condition with the current
   locator pair.  Since B has multiple locators, it presumably has
   multiple ISPs, and (consequently) likely has alternate egress paths

Top      ToC       Page 16 
   toward A.  B cannot vary the destination address (i.e., A's locator),
   since A has only one locator.  However, B may need to vary the source
   address in order to ensure packet delivery.

   In many cases, normal operation of IP routing may cause the packets
   to follow a path towards the correct (currently operational) egress.
   In some cases, it is possible that a path may be selected based on
   the source address, implying that B will need to select a source
   address corresponding to the currently operating egress.  The details
   of how routing can be accomplished is beyond the scope of this
   document.

   Also, when the site's ISPs perform ingress filtering based on packet
   source addresses, Shim6 assumes that packets sent with different
   source and destination combinations have a reasonable chance of
   making it through the relevant ISP's ingress filters.  This can be
   accomplished in several ways (all outside the scope of this
   document), such as having the ISPs relax their ingress filters or
   selecting the egress such that it matches the IP source address
   prefix.  In the case that one egress path has failed but another is
   operating correctly, it may be necessary for the packet's source
   (node B in the previous paragraph) to select a source address that
   corresponds to the operational egress, in order to pass the ISP's
   ingress filters.

   The Shim6 approach assumes that there are no IPv6-to-IPv6 NATs on the
   paths, i.e., that the two ends can exchange their own notion of their
   IPv6 addresses and that those addresses will also make sense to their
   peer.

   The security of the Shim6 protocol relies on the usage of Hash-Based
   Addresses (HBA) [3] and/or Cryptographically Generated Addresses
   (CGA) [2].  In the case that HBAs are used, all the addresses
   assigned to the host that are included in the Shim6 protocol (either
   as a locator or as a ULID) must be part of the same HBA set.  In the
   case that CGAs are used, the address used as ULID must be a CGA, but
   the other addresses that are used as locators do not need to be
   either CGAs or HBAs.  It should be noted that it is perfectly
   acceptable to run the Shim6 protocol between a host that has multiple
   locators and another host that has a single IP address.  In this
   case, the address of the host with a single address does not need to
   be an HBA or a CGA.


Next RFC Part