One document matched: draft-templin-aerolink-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc strict='yes'?>
<?rfc iprnotified='no'?>
<rfc category="std" docName="draft-templin-aerolink-01.txt" ipr="trust200902"
obsoletes="rfc6706">
<front>
<title abbrev="AERO">Transmission of IPv6 Packets over AERO Links</title>
<author fullname="Fred L. Templin" initials="F. L." role="editor"
surname="Templin">
<organization>Boeing Research & Technology</organization>
<address>
<postal>
<street>P.O. Box 3707</street>
<city>Seattle</city>
<region>WA</region>
<code>98124</code>
<country>USA</country>
</postal>
<email>fltemplin@acm.org</email>
</address>
</author>
<date day="03" month="January" year="2014"/>
<keyword>I-D</keyword>
<keyword>Internet-Draft</keyword>
<abstract>
<t>This document specifies the operation of IPv6 over tunnel virtual
Non-Broadcast, Multiple Access (NBMA) links using Automatic Extended
Route Optimization (AERO). Nodes attached to AERO links can exchange
packets via trusted intermediate routers on the link that provide
forwarding services to reach off-link destinations and/or redirection
services to inform the node of an on-link neighbor that is closer to the
final destination. Operation of the IPv6 Neighbor Discovery (ND)
protocol over AERO links is based on an IPv6 link local address format
known as the AERO address.</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>This document specifies the operation of IPv6 over tunnel virtual
Non-Broadcast, Multiple Access (NBMA) links using Automatic Extended
Route Optimization (AERO). Nodes attached to AERO links can exchange
packets via trusted intermediate routers on the link that provide
forwarding services to reach off-link destinations and/or redirection
services to inform the node of an on-link neighbor that is closer to the
final destination.</t>
<t>Nodes on AERO links use an IPv6 link-local address format known as
the AERO Address. This address type has properties that statelessly link
IPv6 Neighbor Discovery (ND) to IPv6 routing. The AERO link can be used
for tunneling to neighboring nodes on either IPv6 or IPv4 networks,
i.e., AERO views the IPv6 and IPv4 networks as equivalent links for
tunneling. The remainder of this document presents the AERO
specification.</t>
</section>
<section anchor="terminology" title="Terminology">
<t>The terminology in the normative references applies; the following
terms are defined within the scope of this document:</t>
<t><list style="hanging">
<t hangText="AERO link"><vspace/>a Non-Broadcast, Multiple Access
(NBMA) tunnel virtual overlay configured over a node's attached IPv6
and/or IPv4 networks. All nodes on the AERO link appear as
single-hop neighbors from the perspective of IPv6.</t>
<t hangText="AERO interface"><vspace/>a node's attachment to an AERO
link.</t>
<t hangText="AERO address"><vspace/>an IPv6 link-local address
assigned to an AERO interface and constructed as specified in
Section 3.3.</t>
<t hangText="AERO node"><vspace/>a node that is connected to an AERO
link and that participates in IPv6 Neighbor Discovery over the
link.</t>
<t hangText="AERO Server ("server")"><vspace/>a node that
configures an advertising router interface on an AERO link over
which it can provide default forwarding and redirection services for
other AERO nodes.</t>
<t hangText="AERO Client ("client")"><vspace/>a node that
configures a non-advertising router interface on an AERO link over
which it can connect End User Networks (EUNs) to the AERO link.</t>
<t hangText="AERO Relay ("relay")"><vspace/>a node that
relays IPv6 packets between Servers on the same AERO link, and/or
that forwards IPv6 packets between the AERO link and the IPv6
Internet. An AERO Relay may or may not also be configured as an AERO
Server.</t>
<t hangText="ingress tunnel endpoint (ITE)"><vspace/>an AERO
interface endpoint that injects packets into an AERO link.</t>
<t hangText="egress tunnel endpoint (ETE)"><vspace/>an AERO
interface endpoint that receives tunneled packets from an AERO
link.</t>
<t hangText="underlying network"><vspace/>a connected IPv6 or IPv4
network routing region over which AERO nodes tunnel IPv6
packets.</t>
<t hangText="underlying interface"><vspace/>an AERO node's interface
point of attachment to an underlying network.</t>
<t hangText="underlying address"><vspace/>an IPv6 or IPv4 address
assigned to an AERO node's underlying interface. When UDP
encapsulation is used, the UDP port number is also considered as
part of the underlying address. Underlying addresses are used as the
source and destination addresses of the AERO encapsulation
header.</t>
<t hangText="link-layer address"><vspace/>the same as defined for
"underlying address" above.</t>
<t hangText="network layer address"><vspace/>an IPv6 address used as
the source or destination address of the inner IPv6 packet
header.</t>
<t hangText="end user network (EUN)"><vspace/>an IPv6 network
attached to a downstream interface of an AERO Client (where the AERO
interface is seen as the upstream interface).</t>
</list></t>
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"/>.</t>
</section>
<section title="Asymmetric Extended Route Optimization (AERO)">
<t>The following sections specify the operation of IPv6 over Automatic
Extended Route Optimization (AERO) links:</t>
<section anchor="interface" title="AERO Interface Characteristics">
<t>All nodes connected to an AERO link configure their AERO interfaces
as router interfaces (not host interfaces). End system applications
therefore do not bind directly to the AERO interface, but rather bind
to end user network (EUN) interfaces beyond which their packets may be
forwarded over an AERO interface.</t>
<t>AERO interfaces use IPv6-in-IPv6 encapsulation <xref
target="RFC2473"/> to exchange tunneled packets with AERO neighbors
attached to an underlying IPv6 network, and use IPv6-in-IPv4
encapsulation <xref target="RFC4213"/> to exchange tunneled packets
with AERO neighbors attached to an underlying IPv4 network. AERO
interfaces can also use IPsec encapsulation <xref target="RFC4301"/>
(either IPv6-in-IPv6 or IPv6-in-IPv4) in environments where strong
authentication and confidentiality are required.</t>
<t>AERO interfaces further use the Subnetwork Encapsulation and
Adaptation Layer (SEAL) <xref target="I-D.templin-intarea-seal"/> and
can therefore configure an unlimited Maximum Transmission Unit (MTU).
This entails the insertion of a SEAL header (i.e., an IPv6 fragment
header with the S bit set to 1) between the inner IPv6 header and the
outer IP encapsulation header. When NAT traversal and/or filtering
middlebox traversal is necessary, a UDP header is further inserted
between the outer IP encapsulation header and the SEAL header. (Note
that while <xref target="RFC6980"/> forbids fragmentation of IPv6 ND
messages, the SEAL fragmentation header applies only to the outer
tunnel encapsulation and not the inner IPv6 ND packet.)</t>
<t>AERO interfaces maintain a neighbor cache and use an adaptation of
standard unicast IPv6 ND messaging in which Router Solicitation (RS),
Router Advertisement (RA), Neighbor Solicitation (NS) and Neighbor
Advertisement (NA) messages do not include Source/Target Link Layer
Address Options (S/TLLAO). Instead, AERO nodes determine the
link-layer addresses of neighbors by examining the encapsulation
source address of any RS/RA/NS/NA messages they receive and ignore any
S/TLLAOs included in these messages. This is vital to the operation of
AERO in environments in which AERO neighbors are separated by Network
Address Translators (NATs) - either IPv4 or IPv6.</t>
<t>AERO Redirect messages include a TLLAO the same as for any IPv6
link. The TLLAO includes the link-layer address of the target node,
including both the IP address and the UDP source port number used by
the target when it sends UDP-encapsulated packets over the AERO
interface (the TLLAO instead encodes the value 0 when the target does
not use UDP encapsulation). TLLAOs for target nodes that use an IPv6
underlying address include the full 16 bytes of the IPv6 address as
shown in <xref target="tllaov6"/>, while TLLAOs for target nodes that
use an IPv4 underlying address include only the 4 bytes of the IPv4
address as shown in <xref target="tllaov4"/>.</t>
<t><figure anchor="tllaov6" title="AERO TLLAO Format for IPv6">
<artwork><![CDATA[ 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 2 | Length = 3 | UDP Source Port (or 0) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+-- --+
| |
+-- IPv6 Address --+
| |
+-- --+
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure><figure anchor="tllaov4"
title="AERO TLLAO Format for IPv4">
<artwork><![CDATA[ 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 2 | Length = 1 | UDP Source Port (or 0) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IPv4 Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
</figure>Finally, nodes on AERO interfaces use a simple data origin
authentication for encapsulated packets they receive from other nodes.
In particular, AERO Clients accept encapsulated packets with a
link-layer source address belonging to their current AERO Server. AERO
nodes also accept encapsulated packets with a link-layer source
address that is correct for the network-layer source address. The AERO
node considers the link-layer source address correct for the
network-layer source address if there is an IPv6 route that matches
the network-layer source address as well as a neighbor cache entry
corresponding to the next hop that includes the link-layer
address.</t>
</section>
<section anchor="node-types" title="AERO Node Types">
<t>AERO Servers configure their AERO link interfaces as advertising
router interfaces (see <xref target="RFC4861"/>, Section 6.2.2) and
may therefore send Router Advertisement (RA) messages that include
non-zero Router Lifetimes.</t>
<t>AERO Clients configure their AERO link interfaces as
non-advertising router interfaces, i.e., even if the AERO Client
otherwise displays the outward characteristics of an ordinary host
(for example, the Client may internally configure both an AERO
interface and (virtual) EUN interfaces). AERO Clients are provisioned
with IPv6 Prefix Delegations either through a DHCPv6 Prefix Delegation
exchange with an AERO Server over the AERO link or via a static
delegation obtained through an out-of-band exchange with an AERO link
prefix delegation authority.</t>
<t>AERO Relays relay packets between Servers connected to the same
AERO link and also forward packets between the AERO link and the
native IPv6 network. The relaying process entails re-encapsulation of
IPv6 packets that were received from a first AERO Server and are to be
forwarded without modification to a second AERO Server.</t>
</section>
<section anchor="aero-address" title="AERO Addresses">
<t>An AERO address is an IPv6 link-local address assigned to an AERO
interface and with a 64-bit IPv6 prefix embedded within the interface
identifier. The AERO address is formatted as:</t>
<t><list style="empty">
<t>fe80::[64-bit IPv6 prefix]</t>
</list></t>
<t>Each AERO Client configures an AERO address based on the delegated
prefix it has received from the AERO link prefix delegation authority.
The address begins with the prefix fe80::/64 and includes in its
interface identifier the base /64 prefix taken from the Client's
delegated IPv6 prefix. The base prefix is determined by masking the
delegated prefix with the prefix length. For example, if an AERO
Client has received the prefix delegation:</t>
<t><list style="empty">
<t>2001:db8:1000:2000::/56</t>
</list>it would construct its AERO address as:</t>
<t><list style="empty">
<t>fe80::2001:db8:1000:2000</t>
</list>An AERO Client may receive multiple IPv6 prefix delegations,
in which case it would configure multiple AERO addresses - one for
each delegated prefix.</t>
<t>Each AERO Server configures the special AERO address fe80::1 to
support the operation of IPv6 Neighbor Discovery over the AERO link;
the address therefore has the properties of an IPv6 Anycast address.
While all Servers configure the same AERO address and therefore cannot
be distinguished from one another at the network layer, Clients can
still distinguish Servers at the link layer by examining the Servers'
link-layer addresses.</t>
<t>Nodes that are configured as pure AERO Relays (i.e., and that do
not also act as Servers) do not configure an IPv6 address of any kind
on their AERO interfaces. The Relay's AERO interface is therefore used
purely for transit and does not participate in IPv6 ND message
exchanges.</t>
</section>
<section anchor="avoidance-fig"
title="AERO Reference Operational Scenario">
<t><xref target="no-onlink-prefix-fig"/> depicts the AERO reference
operational scenario. The figure shows an AERO Server('A'), two AERO
Clients ('B', 'D') and three ordinary IPv6 hosts ('C', 'E', 'F'):</t>
<figure anchor="no-onlink-prefix-fig"
title="AERO Reference Operational Scenario">
<artwork><![CDATA[ .-(::::::::)
.-(::: IPv6 :::)-. +-------------+
(:::: Internet ::::)--| Host F |
`-(::::::::::::)-' +-------------+
`-(::::::)-' 2001:db8:3::1
|
+--------------+
| AERO Server A|
| (C->B; E->D) |
+--------------+
fe80::1
L2(A)
|
X-----+-----------+-----------+--------X
| AERO Link |
L2(B) L2(D)
fe80::2001:db8:0:0 fe80::2001:db8:1:0 .-.
+--------------+ +--------------+ ,-( _)-.
| AERO Client B| | AERO Client D| .-(_ IPv6 )-.
| (default->A) | | (default->A) |--(__ EUN )
+--------------+ +--------------+ `-(______)-'
2001:DB8:0::/48 2001:DB8:1::/48 |
| 2001:db8:1::1
.-. +-------------+
,-( _)-. 2001:db8:0::1 | Host E |
.-(_ IPv6 )-. +-------------+ +-------------+
(__ EUN )--| Host C |
`-(______)-' +-------------+
]]></artwork>
</figure>
<t>In <xref target="no-onlink-prefix-fig"/>, AERO Server ('A')
connects to the AERO link and connects to the IPv6 Internet, either
directly or via other IPv6 routers (not shown). Server ('A') assigns
the address fe80::1 to its AERO interface with link-layer address
L2(A). Server ('A') next arranges to add L2(A) to a published list of
valid Servers for the AERO link.</t>
<t>AERO Client ('B') assigns the address fe80::2001:db8:0:0 to its
AERO interface with link-layer address L2(B). Client ('B') configures
a default route via the AERO interface with next-hop network-layer
address fe80::1 and link-layer address L2(A), then sub-delegates the
prefix 2001:db8:0::/48 to its attached EUNs. IPv6 host ('C') connects
to the EUN, and configures the network-layer address
2001:db8:0::1.</t>
<t>AERO Client ('D') assigns the address fe80::2001:db8:1:0 to its
AERO interface with link-layer address L2(D). Client ('D') configures
a default route via the AERO interface with next-hop network-layer
address fe80::1 and link-layer address L2(A), then sub-delegates the
network-layer prefix 2001:db8:1::/48 to its attached EUNs. IPv6 host
('E') connects to the EUN, and configures the network-layer address
2001:db8:1::1.</t>
<t>Finally, IPv6 host ('F') connects to an IPv6 network outside of the
AERO link domain. Host ('F') configures its IPv6 interface in a manner
specific to its attached IPv6 link, and assigns the network-layer
address 2001:db8:3::1 to its IPv6 link interface.</t>
</section>
<section anchor="aeropd"
title="AERO Prefix Delegation and Router Discovery">
<section anchor="aeropd-client" title="AERO Client Behavior">
<t>AERO Clients observe the IPv6 router requirements defined in
<xref target="RFC6434"/> except that they act as "hosts" on their
AERO interfaces for the purpose of prefix delegation and router
discovery in the same fashion as for IPv6 Customer Premises
Equipment (CPE) routers <xref target="RFC6204"/>. AERO Clients first
discover the link-layer address of an AERO Server via static
configuration, or through an automated means such as DNS name
resolution. In the absence of other information, the Client resolves
the name "linkupnetworks.[domainname]", where [domainname] is the
DNS domain appropriate for the Client's attached underlying
network.</t>
<t>After discovering the link-layer address, the Client then acts as
a requesting router to obtain IPv6 prefixes through DHCPv6 Prefix
Delegation <xref target="RFC3633"/> via the Server. (The Client can
also obtain prefixes through out-of-band means such as static
administrative configuration, etc.). After the Client acquires
prefixes, it sub-delegates them to nodes and links within its
attached EUNs. It also assigns the link-local AERO address(es) taken
from its delegated prefix(es) to the AERO interface (see: Section
3.3).</t>
<t>After acquiring prefixes, the Client next prepares a unicast IPv6
Router Solicitation (RS) message using its AERO address as the
network-layer source address and fe80::1 as the network-layer
destination address. The Client then tunnels the packet to the
Server using one of its underlying addresses as the link-layer
source address and using an underlying address of the Server as the
link-layer destination address. The Server in turn returns a unicast
Router Advertisement (RA) message, which the Client uses to create
an IPv6 neighbor cache entry for the Server on the AERO interface
per <xref target="RFC4861"/>. The link-layer address for the
neighbor cache entry is taken from the link-layer source address of
the RA message.</t>
<t>After obtaining prefixes and performing an initial RS/RA exchange
with a Server, the Client continues to send periodic RS messages to
the server to obtain new RAs in order to keep neighbor cache entries
alive. The Client can also forward IPv6 packets destined to networks
beyond its local EUNs via the Server as an IPv6 default router. The
Server may in turn return a Redirect message informing the Client of
a neighbor on the AERO link that is topologically closer to the
final destination as specified in <xref target="predirect"/>.</t>
</section>
<section anchor="aeropd-server" title="AERO Server Behavior">
<t>AERO Servers observe the IPv6 router requirements defined in
<xref target="RFC6434"/>. They further configure a DHCPv6
relay/server function on their AERO links and/or provide an
administrative interface for delegation of network-layer addresses
and prefixes. When the Server delegates prefixes, it also
establishes forwarding table entries that list the AERO address of
the Client as the next hop toward the delegated IPv6 prefixes (where
the AERO address is constructed as specified in Section 3.3).</t>
<t>Servers respond to RS messages from Clients on their advertising
AERO interfaces by returning an RA message. When the Server receives
an RS message, it creates or updates a neighbor cache entry using
the network layer source address as the neighbor's network layer
address and using the link-layer source address of the RS message as
the neighbor's link-layer address.</t>
<t>When the Server forwards a packet via the same AERO interface on
which it arrived, it initiates an AERO route optimization procedure
as specified in <xref target="predirect"/>.</t>
</section>
</section>
<section anchor="predirect" title="AERO Redirection">
<t><xref target="avoidance-fig"/> describes the AERO reference
operational scenario. We now discuss the operation and protocol
details of AERO Redirection with respect to this reference
scenario.</t>
<section anchor="redirect" title="Classical Redirection Approaches">
<t>With reference to <xref target="no-onlink-prefix-fig"/>, when the
IPv6 source host ('C') sends a packet to an IPv6 destination host
('E'), the packet is first forwarded via the EUN to AERO Client
('B'). Client ('B') then forwards the packet over its AERO interface
to AERO Server ('A'), which then forwards the packet to AERO Client
('D'), where the packet is finally forwarded to the IPv6 destination
host ('E'). When Server ('A') forwards the packet back out on its
advertising AERO interface, it must arrange to redirect Client ('B')
toward Client ('D') as a better next-hop node on the AERO link that
is closer to the final destination. However, this redirection
process applied to AERO interfaces must be more carefully
orchestrated than on ordinary links since the parties may be
separated by potentially many underlying network routing hops.</t>
<t>Consider a first alternative in which Server ('A') informs Client
('B') only and does not inform Client ('D') (i.e., "classical
redirection"). In that case, Client ('D') has no way of knowing that
Client ('B') is authorized to forward packets from their claimed
network-layer source addresses, and it may simply elect to drop the
packets. Also, Client ('B') has no way of knowing whether Client
('D') is performing some form of source address filtering that would
reject packets arriving from a node other than a trusted default
router, nor whether Client ('D') is even reachable via a direct path
that does not involve Server ('A').</t>
<t>Consider a second alternative in which Server ('A') informs both
Client ('B') and Client ('D') separately, via independent
redirection control messages (i.e., "augmented redirection"). In
that case, if Client ('B') receives the redirection control message
but Client ('D') does not, subsequent packets sent by Client ('B')
could be dropped due to filtering since Client ('D') would not have
a route to verify their source network-layer addresses. Also, if
Client ('D') receives the redirection control message but Client
('B') does not, subsequent packets sent in the reverse direction by
Client ('D') would be lost.</t>
<t>Since both of these alternatives have shortcomings, a new
redirection technique (i.e., "AERO redirection") is needed.</t>
</section>
<section title="AERO Redirection Concept of Operations">
<t>Again, with reference to <xref target="no-onlink-prefix-fig"/>,
when source host ('C') sends a packet to destination host ('E'), the
packet is first forwarded over the source host's attached EUN to
Client ('B'), which then forwards the packet via its AERO interface
to Server ('A').</t>
<t>Using AERO redirection, Server ('A') then forwards the packet out
the same AERO interface toward Client ('D') and also sends an AERO
"Predirect" message forward to Client ('D') as specified in <xref
target="sending_pre"/>. The Predirect message includes Client
('B')'s network- and link-layer addresses as well as information
that Client ('D') can use to determine the IPv6 prefix used by
Client ('B') . After Client ('D') receives the Predirect message, it
process the message and returns an AERO Redirect message destined
for Client ("B") via Server ('A') as specified in <xref
target="processing"/>. During the process, Client ('D') also creates
or updates a neighbor cache entry for Client ('B'), and creates an
IPv6 route for Client ('B')'s IPv6 prefix.</t>
<t>When Server ('A') receives the Redirect message, it processes the
message and forwards it on to Client ('B') as specified in <xref
target="forwarding"/>. The message includes Client ('D')'s network-
and link-layer addresses as well as information that Client ('B')
can use to determine the IPv6 prefix used by Client ('D'). After
Client ('B') receives the Redirect message, it processes the message
as specified in <xref target="processing_re"/>. During the process,
Client ('B') also creates or updates a neighbor cache entry for
Client ('D'), and creates an IPv6 route for Client ('D')'s IPv6
prefix.</t>
<t>Following the above Predirect/Redirect message exchange,
forwarding of packets from Client ('B') to Client ('D') without
involving Server ('A) as an intermediary is enabled. The mechanisms
that support this exchange are specified in the following
sections.</t>
</section>
<section anchor="rmsg" title="AERO Redirection Message Format">
<t>AERO Redirect/Predirect messages use the same format as for
ICMPv6 Redirect messages depicted in Section 4.5 of <xref
target="RFC4861"/>, but also include a new field (the "Prefix
Length" field) taken from the Redirect message Reserved field. The
Redirect/Predirect messages are formatted as shown in <xref
target="aero-redirect"/>:</t>
<figure anchor="aero-redirect"
title="AERO Redirect/Predirect Message Format">
<artwork><![CDATA[
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type (=137) | Code (=0/1) | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Prefix Length | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| |
+ Target Address +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ +
| |
+ Destination Address +
| |
+ +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options ...
+-+-+-+-+-+-+-+-+-+-+-+-
]]></artwork>
</figure>
<t/>
</section>
<section anchor="sending_pre" title="Sending Predirects">
<t>When an AERO Server forwards a packet out the same AERO interface
that it arrived on, the Server sends a Predirect message forward
toward the AERO Client nearest the destination instead of sending a
Redirect message back to AERO Client nearest the source.</t>
<t>In the reference operational scenario, when Server ('A') forwards
a packet sent by Client ('B') toward Client ('D'), it also sends a
Predirect message forward toward Client ('D'), subject to rate
limiting (see Section 8.2 of <xref target="RFC4861"/>). Server ('A')
prepares the Predirect message as follows:</t>
<t><list style="symbols">
<t>the link-layer source address is set to 'L2(A)' (i.e., the
underlying address of Server ('A')).</t>
<t>the link-layer destination address is set to 'L2(D)' (i.e.,
the underlying address of Client ('D')).</t>
<t>the network-layer source address is set to fe80::1 (i.e., the
AERO address of Server ('A')).</t>
<t>the network-layer destination address is set to
fe80::2001:db8:1:0 (i.e., the AERO address of Client ('D')).</t>
<t>the Type is set to 137.</t>
<t>the Code is set to 1 to indicate "Predirect".</t>
<t>the Prefix Length is set to the length of the prefix to be
applied to Target address.</t>
<t>the Target Address is set to fe80::2001:db8:0::0 (i.e., the
AERO address of Client ('B')).</t>
<t>the Destination Address is set to the IPv6 source address of
the packet that triggered the Predirection event.</t>
<t>the message includes a TLLAO set to 'L2(B)' (i.e., the
underlying address of Client ('B')).</t>
<t>the message includes a Redirected Header Option (RHO) that
contains the originating packet truncated to ensure that at
least the network-layer header is included but the size of the
message does not exceed 1280 bytes.</t>
</list></t>
<t>Server ('A') then sends the message forward to Client ('D').</t>
</section>
<section anchor="processing"
title="Processing Predirects and Sending Redirects">
<t>When Client ('D') receives a Predirect message, it accepts the
message only if it has a link-layer source address of the Server,
i.e. 'L2(A)'. Client ('D') further accepts the message only if it is
willing to serve as a redirection target. Next, Client ('D')
validates the message according to the ICMPv6 Redirect message
validation rules in Section 8.1 of <xref target="RFC4861"/>.</t>
<t>In the reference operational scenario, when the Client ('D')
receives a valid Predirect message, it either creates or updates a
neighbor cache entry that stores the Target Address of the message
as the network-layer address of Client ('B') and stores the
link-layer address found in the TLLAO as the link-layer address of
Client ('B'). Client ('D') then applies the Prefix Length to the
Interface Identifier portion of the Target Address and records the
resulting IPv6 prefix in its IPv6 forwarding table.</t>
<t>After processing the message, Client ('D') prepares a Redirect
message response as follows:</t>
<t><list style="symbols">
<t>the link-layer source address is set to 'L2(D)' (i.e., the
link-layer address of Client ('D')).</t>
<t>the link-layer destination address is set to 'L2(A)' (i.e.,
the link-layer address of Server ('A')).</t>
<t>the network-layer source address is set to 'L3(D)' (i.e., the
AERO address of Client ('D')).</t>
<t>the network-layer destination address is set to 'L3(B)'
(i.e., the AERO address of Client ('B')).</t>
<t>the Type is set to 137.</t>
<t>the Code is set to 0 to indicate "Redirect".</t>
<t>the Prefix Length is set to the length of the prefix to be
applied to the Target and Destination address.</t>
<t>the Target Address is set to fe80::2001:db8:1::1 (i.e., the
AERO address of Client ('D')).</t>
<t>the Destination Address is set to the IPv6 destination
address of the packet that triggered the Redirection event.</t>
<t>the message includes a TLLAO set to 'L2(D)' (i.e., the
underlying address of Client ('D')).</t>
<t>the message includes as much of the RHO copied from the
corresponding AERO Predirect message as possible such that at
least the network-layer header is included but the size of the
message does not exceed 1280 bytes.</t>
</list></t>
<t>After Client ('D') prepares the Redirect message, it sends the
message to Server ('A').</t>
</section>
<section anchor="forwarding"
title="Re-encapsulating and Forwarding Redirects">
<t>When Server ('A') receives a Redirect message, it accepts the
message only if it has a neighbor cache entry that associates the
message's link-layer source address with the network-layer source
address. Next, Server ('A') validates the message according to the
ICMPv6 Redirect message validation rules in Section 8.1 of <xref
target="RFC4861"/>. Following validation, Server ('A')
re-encapsulates the Redirect as discussed in <xref
target="I-D.templin-intarea-seal"/>, and then forwards a
re-encapsulated Redirect on to Client ('B') as follows.</t>
<t>In the reference operational scenario, Server ('A') receives the
Redirect message from Client ('D') and prepares to forward a
corresponding Redirect message to Client ('B'). Server ('A') then
verifies that Client ('D') is authorized to use the Prefix Length in
the Redirect message when applied to the AERO address in the
network-layer source of the Redirect message, and discards the
message if verification fails. Otherwise, Server ('A')
re-encapsulates the redirect by changing the link-layer source
address of the message to 'L2(A)', changing the network-layer source
address of the message to fe80::1, and changing the link-layer
destination address to 'L2(B)' . Server ('A') finally forwards the
re-encapsulated message to the ingress node ('B') without
decrementing the network-layer IPv6 header Hop Limit field.</t>
<t>While not shown in <xref target="no-onlink-prefix-fig"/>, AERO
Relays forward Redirect and Predirect messages in exactly this same
fashion described above. See <xref target="chaining-fig"/> in
Appendix A for an extension of the reference operational scenario
that includes Relays.</t>
</section>
<section anchor="processing_re" title="Processing Redirects">
<t>When Client ('B') receives the Redirect message, it accepts the
message only if it has a link-layer source address of the Server,
i.e. 'L2(A)'. Next, Client ('B') validates the message according to
the ICMPv6 Redirect message validation rules in Section 8.1 of <xref
target="RFC4861"/>. Following validation, Client ('B') then
processes the message as follows.</t>
<t>In the reference operational scenario, when Client ('B') receives
the Redirect message, it either creates or updates a neighbor cache
entry that stores the Target Address of the message as the
network-layer address of Client ('D') and stores the link-layer
address found in the TLLAO as the link-layer address of Client
('D'). Client ('B') then applies the Prefix Length to the Interface
Identifier portion of the Target Address and records the resulting
IPv6 prefix in its IPv6 forwarding table.</t>
<t>Now, Client ('B') has an IPv6 forwarding table entry for
Client('D')'s prefix, and Client ('D') has an IPv6 forwarding table
entry for Client ('B')'s prefix. Thereafter, the clients may
exchange ordinary network-layer data packets directly without
forwarding through Server ('A').</t>
</section>
<section anchor="reachable"
title="Neighbor Reachability Considerations">
<t>When Client ('B') receives a redirection message informing it of
Client ('D') as a better next hop, there is a question in point as
to whether Client ('D') can be reached directly without forwarding
through Server ('A'). On some AERO links, it may be reasonable for
Client ('B') to (optimistically) assume that reachability is
transitive, and to immediately begin forwarding data packets to
Client ('D') without testing reachability.</t>
<t>On AERO links in which an optimistic assumption of transitive
reachability may be unreasonable, however, Client ('B') can continue
to send packets via Server ('A') until it tests the direct path to
Client ('D'), e.g., by sending an initial NS message to elicit an NA
response. The Clients thereafter follow the Neighbor Unreachability
Detection (NUD) procedures in Section 7.3 of <xref
target="RFC4861"/>, and can resume sending packets via Server ('A')
at any time the direct path appears to be failing.</t>
<t>If Client ('B') is unable to elicit an NA response from Client
('D') after MAX_RETRY attempts, it should consider the direct path
to be unusable for forwarding purposes but still viable for ingress
filtering purposes.</t>
<t>If a direct path between the Clients can be established, they can
thereafter process any link-layer errors as a hint that the direct
path has either failed or has become intermittent.</t>
</section>
<section title="Mobility and Link-Layer Address Change Considerations">
<t>When Client ('B') needs to change its link-layer address (e.g.,
due to a mobility event, due to a change in underlying network
interface, etc.), it sends an immediate NS message forward to Client
('D'), which then discovers the new link-layer address.</t>
<t>If both Client ('B') and Client ('D') change their link-layer
addresses simultaneously, the NS/NA exchanges between the two
neighbors may fail. In that case, the Clients follow the same
neighbor unreachability procedures specified in Section 3.7.9.</t>
</section>
<section anchor="version"
title="Underlying Protocol Version Considerations">
<t>Again with reference to <xref target="no-onlink-prefix-fig"/>,
Client ('B') may connect only to an IPvX underlying network, while
Client ('D') connects only to an IPvY underlying network. In that
case, Client ('B') has no means for reaching Client ('D') directly
(since they connect to underlying networks of different IP protocol
versions) and so must ignore any Redirects and continue to send
packets via Server ('A').</t>
</section>
</section>
</section>
<section anchor="implement" title="Implementation Status">
<t>An early implementation is available at:
http://linkupnetworks.com/seal/sealv2-1.0.tgz.</t>
</section>
<section anchor="iana" title="IANA Considerations">
<t>There are no IANA actions required for this document.</t>
</section>
<section anchor="secure" title="Security Considerations">
<t>AERO link security considerations are the same as for standard IPv6
Neighbor Discovery <xref target="RFC4861"/> except that AERO improves on
some aspects. In particular, AERO is dependent on a trust basis between
AERO Clients and Servers, where the Clients only engage in the AERO
mechanism when it is facilitated by a trusted Server.</t>
<t>AERO links must be protected against link-layer address spoofing
attacks in which an attacker on the link pretends to be a trusted
neighbor. Links that provide link-layer securing mechanisms (e.g., WiFi
networks) and links that provide physical security (e.g., enterprise
network LANs) provide a first line of defense that is often sufficient.
In other instances, securing mechanisms such as Secure Neighbor
Discovery (SeND) <xref target="RFC3971"/> or IPsec <xref
target="RFC4301"/> must be used.</t>
</section>
<section anchor="ack" title="Acknowledgements">
<t>Discussions both on the v6ops list and in private exchanges helped
shape some of the concepts in this work. Individuals who contributed
insights include Mikael Abrahamsson, Fred Baker, Stewart Bryant, Brian
Carpenter, Brian Haberman, Joel Halpern, and Lee Howard. Members of the
IESG also provided valuable input during their review process that
greatly improved the document. Special thanks go to Stewart Bryant, Joel
Halpern and Brian Haberman for their shepherding guidance.</t>
<t>This work has further been encouraged and supported by Boeing
colleagues including Balaguruna Chidambaram, Jeff Holland, Cam Brodie,
Yueli Yang, Wen Fang, Ed King, Mike Slane, Kent Shuey, Gen MacLean, and
other members of the BR&T and BIT mobile networking teams.</t>
<t>Earlier works on NBMA tunneling approaches are found in <xref
target="RFC2529"/><xref target="RFC5214"/><xref target="RFC5569"/>.</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.0768"?>
<?rfc include="reference.RFC.0791"?>
<?rfc include="reference.RFC.0792"?>
<?rfc include="reference.RFC.2119"?>
<?rfc include="reference.RFC.2460"?>
<?rfc include="reference.RFC.2473"?>
<?rfc include="reference.RFC.4213"?>
<?rfc include="reference.RFC.4861"?>
<?rfc include="reference.RFC.4862"?>
<?rfc include="reference.RFC.6434"?>
<?rfc include="reference.I-D.templin-intarea-seal"?>
</references>
<references title="Informative References">
<?rfc include="reference.RFC.3315"?>
<?rfc include="reference.RFC.3633"?>
<reference anchor="IRON">
<front>
<title>The Internet Routing Overlay Network (IRON)</title>
<author fullname="Fred Templin" initials="F" surname="Templin">
<organization/>
</author>
<date day="15" month="June" year="2012"/>
<abstract>
<t>Since the Internet must continue to support escalating growth
due to increasing demand, it is clear that current routing
architectures and operational practices must be updated. This
document proposes an Internet Routing Overlay Network (IRON)
architecture that supports sustainable growth while requiring no
changes to end systems and no changes to the existing routing
system. In addition to routing scaling, IRON further addresses
other important issues including mobility management, mobile
networks, multihoming, traffic engineering, NAT traversal and
security. While business considerations are an important
determining factor for widespread adoption, they are out of scope
for this document.</t>
</abstract>
</front>
<seriesInfo name="Work in" value="Progress"/>
</reference>
<?rfc include="reference.RFC.3971"?>
<?rfc include="reference.RFC.2529"?>
<?rfc include="reference.RFC.5214"?>
<?rfc include="reference.RFC.4301"?>
<?rfc include="reference.RFC.5569"?>
<?rfc include="reference.RFC.6204"?>
<?rfc include="reference.RFC.6980"?>
</references>
<section anchor="scaling" title="AERO Server and Relay Interworking">
<t><xref target="no-onlink-prefix-fig"/> depicts a reference AERO
operational scenario with a single Server on the AERO link. In order to
support scaling to larger numbers of nodes, the AERO link can deploy
multiple Servers and Relays, e.g., as shown in <xref
target="chaining-fig"/>.</t>
<t><figure anchor="chaining-fig" title="AERO Server/Relay Interworking">
<artwork><![CDATA[ .-(::::::::)
.-(::: IPv6 :::)-.
(:: Internetwork ::)
`-(::::::::::::)-'
`-(::::::)-'
|
+--------------+ +------+-------+ +--------------+
|AERO Server C | | AERO Relay D | |AERO Server E |
| (default->D) | | (A->C; G->E) | | (default->D) |
| (A->B) | +-------+------+ | (G->F) |
+-------+------+ | +------+-------+
| | |
X---+---+-------------------+------------------+---+---X
| AERO Link |
+-----+--------+ +--------+-----+
|AERO Client B | |AERO Client F |
| (default->C) | | (default->E) |
+--------------+ +--------------+
.-. .-.
,-( _)-. ,-( _)-.
.-(_ IPv6 )-. .-(_ IPv6 )-.
(__ EUN ) (__ EUN )
`-(______)-' `-(______)-'
| |
+--------+ +--------+
| Host A | | Host G |
+--------+ +--------+
]]></artwork>
</figure>In this example, AERO Client ('B') associates with AERO
Server ('C'), while AERO Client ('F') associates with AERO Server ('E').
Furthermore, AERO Servers ('C') and ('E') do not associate with each
other directly, but rather have an association with AERO Relay ('D')
(i.e., a router that has full topology information concerning its
associated Servers and their Clients). Relay ('D') connects to the AERO
link, and also connects to the native IPv6 Internetwork.</t>
<t>When host ('A') sends a packet toward destination host ('G'), IPv6
forwarding directs the packet through the EUN to Client ('B'), which
forwards the packet to Server ('C') in absence of more-specific
forwarding information. Server ('C') forwards the packet, and it also
generates an AERO Predirect message that is then forwarded through Relay
('D') to Server ('E'). When Server ('E') receives the message, it
forwards the message to Client ('F').</t>
<t>After processing the AERO Predirect message, Client ('F') sends an
AERO Redirect message to Server ('E'). Server ('E'), in turn, forwards
the message through Relay ('D') to Server ('C'). When Server ('C')
receives the message, it forwards the message to Client ('B') informing
it that host 'G's EUN can be reached via Client ('F'), thus completing
the AERO redirection.</t>
<t>The network layer routing information shared between Servers and
Relays must be carefully coordinated in a manner outside the scope of
this document. In particular, Relays require full topology information,
while individual Servers only require partial topology information
(i.e., they only need to know the EUN prefixes associated with their
current set of Clients). See <xref target="IRON"/> for an architectural
discussion of routing coordination between Relays and Servers.</t>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:40:17 |