LISP-GPE conforms, as a UDP-based encapsulation protocol, to the UDP usage guidelines specified in [RFC 8085
]. The applicability of these guidelines is dependent on the underlay IP network and the nature of the encapsulated payload.
] outlines two applicability scenarios for UDP applications: 1) the general Internet and 2) a controlled environment. A controlled environment means a single administrative domain or adjacent set of cooperating domains. A network in a controlled environment can be managed to operate under certain conditions, whereas, in the general Internet, this cannot be done. Hence, requirements for a tunnel protocol operating under a controlled environment can be less restrictive than the requirements of the general Internet.
The LISP-GPE scope of applicability is the same set of use cases covered by [RFC 9300
] for the LISP data plane protocol. The common property of these use cases is a large set of cooperating entities seeking to communicate over the public Internet or other large underlay IP infrastructures while keeping the addressing and topology of the cooperating entities separate from the underlay and Internet topology, routing, and addressing.
LISP-GPE is meant to be deployed in network environments operated by a single operator or adjacent set of cooperating network operators that fit with the definition of controlled environments in [RFC 8085
For the purpose of this document, a Traffic-Managed Controlled Environment (TMCE), outlined in [RFC 8086
], is defined as an IP network that is traffic-engineered and/or otherwise managed (e.g., via the use of traffic rate limiters) to avoid congestion. Significant portions of the text in this section are based on [RFC 8086
It is the responsibility of the network operators to ensure that the guidelines/requirements in this section are followed as applicable to their LISP-GPE deployments.
LISP-GPE does not provide congestion-control functionality and relies on the payload protocol traffic for congestion control. As such, LISP-GPE MUST
be used with congestion-controlled traffic or within a network that is traffic managed to avoid congestion (TMCE). An operator of a traffic-managed network (TMCE) may avoid congestion by careful provisioning of their networks, rate limiting of user data traffic, and traffic engineering according to path capacity.
Keeping in mind the recommendation above, new encapsulated payloads, when registered with LISP-GPE, MUST
be accompanied by a set of guidelines derived from Section 5
of RFC 9300
. Such new protocols should be designed for explicit congestion signals to propagate consistently from lower-layer protocols into IP. Then, the IP internetwork layer can act as a portability layer to carry congestion notifications from non-IP-aware congested nodes up to the transport layer (L4). By following the guidelines in [ENCAP-GUIDE
], subnetwork designers can enable a Layer 2 protocol to participate in congestion control without dropping packets, via propagation of Explicit Congestion Notification (ECN) data [RFC 3168
] to receivers.
For IP payloads, Section 5.3
of RFC 9300
specifies how to handle UDP checksums, encouraging implementors to consider UDP checksum usage guidelines in Section 3.4
of RFC 8085
when it is desirable to protect UDP and LISP headers against corruption.
In order to protect the integrity of LISP-GPE headers, options, and payloads (for example, to avoid misdelivery of payloads to different tenant systems in the case of data corruption), the outer UDP checksum SHOULD
be used with LISP-GPE when transported over IPv4. The UDP checksum provides a statistical guarantee that a payload was not corrupted in transit. These integrity checks are not strong from a coding or cryptographic perspective and are not designed to detect physical-layer errors or malicious modifications of the datagram (see Section 3.4
of RFC 8085
). In deployments where such a risk exists, an operator SHOULD
use additional data integrity mechanisms, such as those offered by IPsec.
An operator MAY
choose to disable a UDP checksum and use a zero checksum if LISP-GPE packet integrity is provided by other data integrity mechanisms, such as IPsec or additional checksums, or if one of the conditions in Section 4.3.1
(a, b, or c) is met.
By default, a UDP checksum MUST
be used when LISP-GPE is transported over IPv6. A tunnel endpoint MAY
be configured for use with a zero UDP checksum if additional requirements described in this section are met.
When LISP-GPE is used over IPv6, a UDP checksum is used to protect IPv6 headers, UDP headers, and LISP-GPE headers and payloads from potential data corruption. As such, by default, LISP-GPE MUST
use a UDP checksum when transported over IPv6. An operator MAY
choose to configure to operate with a zero UDP checksum if operating in a traffic-managed controlled environment, as stated in Section 4.1
, if one of the following conditions is met:
It is known that packet corruption is exceptionally unlikely (perhaps based on an operator's knowledge of equipment types in their underlay network), and the operator is willing to take the risk of undetected packet corruption.
It is determined through observational measurements (perhaps through historic or current traffic flows that use a non-zero checksum) that the level of packet corruption is tolerably low, and the operator is willing to take the risk of undetected corruption.
LISP-GPE payloads are carrying applications that are tolerant of misdelivered or corrupted packets (perhaps through higher-layer checksum validation and/or reliability through retransmission).
In addition, LISP-GPE tunnel implementations using a zero UDP checksum MUST
meet the following requirements:
Use of a UDP checksum over IPv6 MUST be the default configuration for all LISP-GPE tunnels.
If LISP-GPE is used with a zero UDP checksum over IPv6, then such xTR implementations MUST meet all the requirements specified in Section 4 of RFC 6936 and requirement 1 specified in Section 5 of RFC 6936.
The Egress Tunnel Router (ETR) that decapsulates the packet SHOULD check that the source and destination IPv6 addresses are valid for the LISP-GPE tunnel that is configured to receive a zero UDP checksum and discard other packets that fail such checks.
The Ingress Tunnel Router (ITR) that encapsulates the packet MAY use different IPv6 source addresses for each LISP-GPE tunnel that uses zero UDP checksum mode in order to strengthen the decapsulator's check of the IPv6 source address (i.e., the same IPv6 source address is not to be used with more than one IPv6 destination address, irrespective of whether that destination address is a unicast or multicast address). When this is not possible, it is RECOMMENDED to use each source address for as few LISP-GPE tunnels that use a zero UDP checksum as is feasible.
Measures SHOULD be taken to prevent LISP-GPE traffic over IPv6 with a zero UDP checksum from escaping into the general Internet. Examples of such measures include employing packet filters at the Proxy Egress Tunnel Router (PETR) and/or keeping logical or physical separation of the LISP network from networks in the general Internet.
The above requirements do not change the requirements specified in [RFC 6935
], [RFC 6936
], or [RFC 8200
The requirement to check the source IPv6 address in addition to the destination IPv6 address, plus the recommendation against the reuse of source IPv6 addresses among LISP-GPE tunnels, collectively provide some mitigation for the absence of UDP checksum coverage of the IPv6 header. A traffic-managed controlled environment that satisfies at least one of the three conditions listed at the beginning of this section provides additional assurance.
When encapsulating IP (including over Ethernet) packets, [RFC 2983
] provides guidance for mapping packets that contain Differentiated Services Code Point (DSCP) information between inner and outer IP headers. The Pipe model typically fits better with network virtualization. The DSCP value on the tunnel header is set based on a policy (which may be a fixed value, one based on the inner traffic class, or some other mechanism for grouping traffic). Some aspects of the Uniform model (which treats the inner and outer DSCP value as a single field by copying on ingress and egress) may also apply, such as the ability to remark the inner header on tunnel egress based on transit marking. However, the Uniform model is not conceptually consistent with network virtualization, which seeks to provide strong isolation between encapsulated traffic and the physical network.
] describes the mechanism for exposing ECN capabilities on IP tunnels and propagating congestion markers to the inner packets. This behavior MUST
be followed for IP packets encapsulated in LISP-GPE.
Though the Uniform model or the Pipe model could be used for TTL (or Hop Limit in the case of IPv6) handling when tunneling IP packets, the Pipe model is more aligned with network virtualization. [RFC 2003
] provides guidance on handling TTL between inner IP headers and outer IP tunnels; this model is more aligned with the Pipe model and is recommended for use with LISP-GPE for network-virtualization applications.
When a LISP-GPE router performs Ethernet encapsulation, the inner 802.1Q 3-bit Priority Code Point ('PCP') field [IEEE.802.1Q_2014
be mapped from the encapsulated frame to the DSCP codepoint of the Differentiated Services ('DS') field defined in [RFC 2474
When a LISP-GPE router performs Ethernet encapsulation, the inner-header 802.1Q VLAN Identifier (VID) [IEEE.802.1Q_2014
be mapped to, or used to determine, the LISP 'Instance ID' (IID) field.
Refer to Section 7
for considerations about the use of integrity protection for deployments, such as the public Internet, concerned with on-path attackers.