Network Working Group B. Carpenter
Internet-Draft IBM
Intended status: Informational June 4, 2007
Expires: December 6, 2007
General Identifier-Locator Mapping Considerations
draft-carpenter-idloc-map-cons-01
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 6, 2007.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document presents various general considerations about the
mapping between identifiers and locators at the network and routing
level in the Internet.
Carpenter Expires December 6, 2007 [Page 1]
Internet-Draft Identifier-Locator Mapping June 2007
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Definition of terms . . . . . . . . . . . . . . . . . . . 3
1.2. Related Work . . . . . . . . . . . . . . . . . . . . . . . 5
2. Identifier and Locator Behaviour Today . . . . . . . . . . . . 5
3. Is a Split the Solution? . . . . . . . . . . . . . . . . . . . 8
3.1. Completely Disjoint Namespaces . . . . . . . . . . . . . . 9
3.2. Partially Disjoint Namespaces . . . . . . . . . . . . . . 10
3.3. Common Requirements . . . . . . . . . . . . . . . . . . . 11
4. Mapping Goals . . . . . . . . . . . . . . . . . . . . . . . . 12
4.1. Many Locator Namespaces . . . . . . . . . . . . . . . . . 13
4.2. One Identifier Namespace . . . . . . . . . . . . . . . . . 13
4.3. Reversible Mapping Issues . . . . . . . . . . . . . . . . 13
4.4. Two-Faced Maps? . . . . . . . . . . . . . . . . . . . . . 13
4.5. Is the Map Isotropic? . . . . . . . . . . . . . . . . . . 13
4.6. Scale . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.7. What Does an Identifier Look Like? . . . . . . . . . . . . 14
4.8. Do Identifiers have Useful Properties? . . . . . . . . . . 14
4.9. What Does a Locator Look Like? . . . . . . . . . . . . . . 15
4.10. Who Needs the Map? . . . . . . . . . . . . . . . . . . . . 15
4.11. What is the lifetime of a mapping? . . . . . . . . . . . . 16
4.12. How Does the Map Relate to Mobility? . . . . . . . . . . . 16
4.13. Who chooses the Locator? . . . . . . . . . . . . . . . . . 17
4.14. Push, Pull, Push/Pull . . . . . . . . . . . . . . . . . . 17
5. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 17
6. Security Considerations . . . . . . . . . . . . . . . . . . . 18
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18
9. Change log [RFC Editor: please remove this section] . . . . . 19
10. Informative References . . . . . . . . . . . . . . . . . . . . 19
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 21
Intellectual Property and Copyright Statements . . . . . . . . . . 22
Carpenter Expires December 6, 2007 [Page 2]
Internet-Draft Identifier-Locator Mapping June 2007
1. Introduction
In the discussions following the IAB Routing and Addressing workshop
[I-D.iab-raws-report], a common observation is that a key issue in
today's Internet is the overlapping semantics of IP addresses used as
'locators' and as 'identifiers.' A common conclusion from this is
that the architectural solution is a 'identifier-locator split'
(sometimes abbreviated as 'id-loc'). This conclusion is discussed
below. However, if we accept that locators and identifiers have
different (even if possibly overlapping) semantics, the question
immediately arises of how they can be mapped onto one another. Given
a locator, which identifier(s) refer to the same entity? Given an
identifier, which locator(s) refer to the same enity? The main part
of this document discusses the considerations raised by these
questions.
Suggested discussion list: ram@iab.org.
1.1. Definition of terms
IP Address: an IPv4 or IPv6 address, viewed as an opaque 32 or 128
bit quantity.
Stack: An active instantiation of the TCP/IP model; one participant
or the process on one side of an end-to-end communication. That
participant may move and may be represented by multiple hosts.
Quoting from an unpublished document produced within the former
Namespace Research Group [NSRG]:
------------Start Quotation------------
Carpenter Expires December 6, 2007 [Page 3]
Internet-Draft Identifier-Locator Mapping June 2007
Today, a host may represent multiple entities. This happens when a
service provider hosts many web sites on one server. Similarly, a
single entity may be represented by multiple hosts. Replicated web
servers are just such an example. These entities are "protocol
stacks" or simply "stacks", instantiations of the TCP/IP model, be
they across one or many hosts. A stack is defined as one
participant or the process on one side of an end-to-end
communication. That participant may move and may be represented by
multiple hosts.
__________________ ________________________
| | | |
| _______________| |____________________ |
| /_______________| |___________________ /| |
| | A P P L I| |C A T I O N |f| |
| |----------------| |-------------------|o| |
| | T R A N | | P O R T |o| |
| |----------------| |-------------------|.| |
| | I N T E| |R N E T |c| |
| |----------------| |-------------------|o| |
| | F R A M| | I N G |m| |
| |----------------| |-------------------| / |
| |________________| |___________________|/ |
| | | |
|__________________| |________________________|
Figure 4: Another application: single stack represented by multiple
hosts
Each instance of a stack has a name, a "stack name". At an
architectural level the Name Space Research Group debated the value
of such names, and their associated costs. Forms of this name are
used in numerous places today. SSH uses public/private key pairs to
identify end points. An HTTP cookie anonymously identifies one end
of a communication, in such a manner that both the connection and the
IP address of the other end point may change many times. Stack names
are intended to identify mobile nodes, devices behind NATs, and
participants in a content delivery or overlay network.
------------End Quotation------------
Locator: A binary quantity (not necessarily an IP Address) that can
be used by a routing or forwarding device to decide where to send a
packet.
Identifier: A binary quantity (not necessarily an IP Address) that
can be used by a Stack "A" to uniquely identify another Stack "B"
Carpenter Expires December 6, 2007 [Page 4]
Internet-Draft Identifier-Locator Mapping June 2007
both for bilateral communication and for informing a third Stack "C"
that it should communicate with Stack "B". (Note that there is an
assumption in this definition that a Stack is the entity we require
to identify; in this era of virtualized servers with failover
capabilities, and of mobile clients, this seems to be a reasonable
assumption.)
Namespace: a set of natural numbers, each of which is referred to as
a name. Since it is a set, by definition each name is unique and
thus the namespace is unambiguous. Locators and Identifiers must
belong to specific namespaces.
Namespace Context: the context within which a given namespace retains
its uniqueness property. (For example, the Namespace Context of the
Namespace created by [RFC1918] is a single Internet site.)
1.2. Related Work
[I-D.nikander-ram-ilse] discusses the design space for Identifier-
Locator Separation and contains excellent background references.
[I-D.farinacci-lisp], [I-D.wang-ietf-efit], and [I-D.templin-ipvlx]
discuss solutions along the encapsulation axis. SHIM6
[I-D.ietf-shim6-proto] is a host-based solution along the dynamic
translation axis. [GSE] was a router-based solution along the
dynamic translation axis. HIP [RFC4423] is a real new namespace.
Early thinking on this whole topic should be credited to Noel Chiappa
[ENDPOINTS], who in turn cites related work back to 1978.
2. Identifier and Locator Behaviour Today
[RFC2101] discussed "IPv4 Address Behaviour Today" (where "today" was
February 1997). It focused on the then new issues caused by private
addresses [RFC1918], dynamic address allocation, and network address
translation. Its fundamental observations remain true:
------------Start Quotation------------
Carpenter Expires December 6, 2007 [Page 5]
Internet-Draft Identifier-Locator Mapping June 2007
Due to dynamic address allocation and increasingly frequent
network renumbering, temporal uniqueness of IPv4 addresses is no
longer globally guaranteed, which puts their use as identifiers
into severe question. Due to the proliferation of Intranets,
spatial uniqueness is also no longer guaranteed across routing
realms; interconnecting routing realms could be accomplished via
either ALGs or NATs. In principle such interconnection will have
less functionality than if those Intranets were directly
connected. In practice the difference in functionality may or may
not matter, depending on individual circumstances.
...
As far as temporal uniqueness (identifier-like behaviour) is
concerned, the IPv6 model [RFC 1884] is very similar to the current
state of the IPv4 model, only more so. IPv6 will provide mechanisms
to autoconfigure IPv6 addresses on IPv6 hosts. Prefix changes,
requiring the global IPv6 addresses of all hosts under a given prefix
to change, are to be expected. Thus, IPv6 will amplify the existing
problem of finding stable identifiers to be used for end-to-end
security and for session bindings such as TCP state.
The IAB feels that this is unfortunate, and that the transition to
IPv6 would be an ideal occasion to provide upper layer end-to-end
protocols with temporally unique identifiers. The exact nature of
these identifiers requires further study.
------------End Quotation------------
How is the discrepancy between identifier and locator namespaces
handled today (2007)?
The discrepancy can be summarised as follows: the progressive
shortage of IPv4 addresses, coupled with the lack of economic
incentive to deploy IPv6, has led to generalised use of private
addresses within enterprise and home networks. Thus, we have
disjoint Locator Namespaces - roughly speaking, one very large
Locator Namespace commonly referred to as the Internet, and a
separate Locator Namespace for every network "behind" a NAT.
However, much software, and many protocols, have been designed on the
assumption that we have a single Identifier Namespace, which is
furthermore assumed to be identical to the Internet Locator
Namespace. Neither of these assumptions is true.
We should also note that with IPv6 partially deployed, we already
have two distinct Internet Locator Namespaces. Mathematically, we
could consider them as a single Locator Namespace (with the
unambiguous IPv4 space being mapped as a subset of IPv6 space), but
little existing software is prepared to treat IPv4 and IPv6 as a
single Identifier Namespace, even though IPv6 does not suffer from
Carpenter Expires December 6, 2007 [Page 6]
Internet-Draft Identifier-Locator Mapping June 2007
IPv4's problem of ambiguous addresses.
To work around these false assumptions, several measures have been
taken, none of them as a result of architectural design:
o Network Address Translation. Effectively, a NAT creates a dynamic
mapping between two Locator Namespace Contexts (sometimes using a
port number to tag the mapping). The focus of a NAT is to enable
packet delivery despite the namespace being fragmented; thus it
acts as a context boundary in the Identifier Namespace. NATs and
their associated ALGs attempt to hide this by (for example)
recomputing TCP checksums. However, it is a fundamental fact that
the NATs and ALGs cannot know how the two ends of a communication
use the Identifier Namespace, and therefore it is logically
impossible for them to fix up the Identifier Namespace in general.
Furthermore, NATs do not publish the Identifier/Locator mappings
they have created, so the affected Stacks have no sure way to
discover it.
o Discovery by probing. For a specific application or set of
applications, a way round the namespace discrepancy can be
constructed, essentially by deducing from external evidence the
Identifier/Locator mapping that a NAT has created, and signalling
that mapping to all interested Stacks. The best known examples
are STUN [RFC3489] and ICE [I-D.ietf-mmusic-ice].
o Build your own namespace. Fortunately for people wishing to
construct novel Internet applications, there is a very convenient
way to ignore the whole problem: make use of the fact that every
NAT has an associated ALG that translates HTTP/TCP packets
appropriately, and incidentally that HTTP passes through most
security checks. Similarly, an HTTP proxy can hide an IPv4/IPv6
boundary. Thus, despite the strong recommendation to the contrary
in [RFC3205], many application suites have been built to run over
HTTP, basing the roots of their own Identifier Namespaces in some
way in the DNS. An interesting example is the massive Web
Services suite, whose XML-based namespace derives its uniqueness
from the uniqueness of DNS names
[<http://www.w3.org/TR/ws-addr-core/#namespaces>]. It is clear
that if this technique were not available, we would have
confronted the network's Identifier Namespace problem years ago,
or all innovation would have stopped.
A separate observation about today's situation is that we can loosely
divide upper layer implementations (transport layer and above) into
two classes:
1. Those that use a socket API, or the equivalent, on the
traditional assumption that an IP Address is simultaneously a
unique Locator and a unique Identifier. These are automatically
subject to unpredictable problems when they encounter Identifier/
Locator ambiguity.
Carpenter Expires December 6, 2007 [Page 7]
Internet-Draft Identifier-Locator Mapping June 2007
2. Those that avoid this assumption, for example by creating their
own namespace or relying completely on the DNS.
Confusion can nevertheless occur, for example in an application that
believes that using a URL-based namespace protects it from ambiguity,
but encounters a URL containing a literal Net 10 address. One can
easily imagine http://10.1.1.1:80/ referring to different entities at
the two ends of a session.
A related issue is the way network elements are monitored and
managed. Network operations staff know that the IP Address of a
network element (router, switch, bridge, server or user device) both
identifies and locates it. In a network of any size, the IP
Addresses of network elements are embedded in network configuration
and monitoring systems in many ways. The assumption generally made
by operations staff is that there is a single namespace, but this may
be false. An illustration of this assumption is that many MIBs
include IP Addresses; the contents of such MIBs cannot readily be
used outside their original Namespace Context. In enterprise
networks that contain internal NATs, this is a known source of
operational difficulty. It is in fact the motivator for one of the
largest reported IPv6 deployment projects
[<http://www.nanog.org/mtg-0606/pdf/alain-durand.pdf>].
3. Is a Split the Solution?
Given that our problem is overlapping namespaces, it's tempting to
conclude immediately that splitting them is the solution. In a split
solution, sites and hosts would have global network-level identities
independent of the routing system and of individual service
providers. The routing system would be free to assign and manipulate
locators so as to assist route aggregation, support multihoming, and
implement path selection policies. But what would a split mean, and
is it practical?
As implied by the previous section, there are cases where a split
would increase rather than decrease confusion. Enterprise network
operations would be strongly affected - would the normal way to
identify a misbehaving box be its locator or its identifier? Network
management systems and configuration databases would have to be
upgraded to support both. Firewalls would have to deal with
fundamental change, since identifiers rather than locators would be
the focus of many attacks. The way the DNS and the socket API are
related to each other might change. Any upper layer implementation
that believes that an IP Address is both a Locator and an Identifier
would be in even greater trouble than today. And of course the
fragile superstructure built on NATs and ALGs would be severely
Carpenter Expires December 6, 2007 [Page 8]
Internet-Draft Identifier-Locator Mapping June 2007
challenged, especially during the transitional phase.
This is, no doubt, why the IAB's suggestion in [RFC2101], quoted
above, has borne no fruit, except for HIP [RFC4423], which still
remains R&D. But if we are to respond to the currently perceived
routing and addressing problem, a choice must be made.
Two different approaches seem to be possible:
1. Completely disjoint namespaces. Identifiers can never be used as
Locators, and vice versa.
2. Partially disjoint namespaces. In some Namespace Contexts,
Identifiers can be used as Locators, and vice versa. In other
Namespace Contexts, they cannot.
Since the choice between these two approaches will have significant
impact on the mapping mechanism, they are now discussed in more
detail.
3.1. Completely Disjoint Namespaces
In this class of solution, there is no overlap or possible ambiguity
between an Identifier and a Locator. They are defined and managed
orthogonally, apart from the mapping function. They never need to be
disentangled by use of context information. They will not be
equivalent when used as parameters of an API.
Conceptually, in this document, Identifiers identify stacks, not end-
systems or application instances. Thus, http://www.example.com
cannot be a stack Identifier. The full process of sending the first
packet of a session would consist of these conceptual stages:
1. Map 'www.example.com' to an Identifier (i.e. map the application
Namespace into the network stack Namespace).
2. Construct the first packet to be sent to this stack at this
Identifier.
3. Map the Identifier into a Locator.
4. Forward the packet towards that Locator.
5. At or near the receiving stack, restore the original Identifier
if it has not been trasmitted in the packet. This requires a
reverse map from Locator to Identifier.
We may assume for present purposes that step 1 will involve the DNS.
Step 3 will use the mapping service that is the object of this
document. It may take place in the sending host, or it may take
place in a nearby router. But since the two namespaces are disjoint,
it will happen exactly once. Step 5 is the converse, if needed.
It seems evident that this model of completely disjoint namespaces is
'correct' from a logical (computer science) point of view. It is in
Carpenter Expires December 6, 2007 [Page 9]
Internet-Draft Identifier-Locator Mapping June 2007
fact a classical layering solution reminiscent of, but not mapping
exactly onto, the OSI model. ("Stacks" are a new layer, above the
network endpoint layer and below the transport layer.) It definitely
requires a namespace mapping mechanism acting at the layer boundary.
If fully executed, this would clean up many of the glitches caused by
IP address fragmentation today. From a practical point of view, the
technical community will have to decide if there is an operationally
and economically viable path to deployment of such a solution.
3.2. Partially Disjoint Namespaces
In this class of solution, we decide in advance that the syntax of an
Identifier and that of a Locator are the same. Thus we can have
overlapping scopes. A given token could simultaneously be a member
of two Namespaces, distinguished only by context.
One simple model for this is illustrated as follows. Identifiers are
defined to be all global in scope - there is exactly one Internet
Identifier Namespace. Locators are defined to have either 'stub
scope' or 'Internet scope'. A 'stub' is what is sometimes called a
site network or an enterprise network; its main distinguishing
characteristic is that it is not providing transit.
_______________________________________________________________
| |
| Internet Identifier Context |
| _________________ _____________________ _______________ |
| | Stub1 Locator | | Internet Locator | | Stub2 Locator | |
| | Context |-| Context |-| Context | |
| |_________________| |_____________________| |_______________| |
| |
|_______________________________________________________________|
In this simple model, and assuming the same syntax for Identifiers
and Locators, we could for example decide that a Stack inside Stub1
has Identifier=Locator in that context, but has different Locators in
the Internet and Stub2 contexts. A Stack inside Stub2 has
Identifier=Locator in that context, but different Locators in the
Internet and Stub1 contexts. It is this ability to equate Identifier
and Locator in the local stub network that principally distinguishes
the partially disjoint model from the completely disjoint model. As
far out from the sending host as that equality is valid, the
Identifier/Locator behaves exactly like a classical IP Address.
To be clear, there is no reason why all Locators could not be
Carpenter Expires December 6, 2007 [Page 10]
Internet-Draft Identifier-Locator Mapping June 2007
globally unique - today's ambiguous IPv4 addresses are a side-effect
of the limited size of IPv4 addresses. If that constraint was
applied, the three Locator Namespaces shown above could be strict
subsets of the Internet Identifier Namespace, as a design choice.
It should be noted that there are echoes of this model in both SHIM6
[I-D.ietf-shim6-proto] and LISP [I-D.farinacci-lisp], but they both
have rather more complexity than described above.
An operational advantage of this class of model is that it allows
upper layers and management systems to treat the Identifier and
Locator Namespaces as identical within the local (stub) context.
Network management systems, as long as they stay within a single
Locator Namespace Context, will be essentially unaffected. On the
other hand, management across a Locator Namespace boundary would be
just as awkward as management across a NAT today, unless the
management system was updated to address network elements by
Identifier.
Another practical advantage of this class of model is that if
Identifiers and Locators, which share syntax, are in the same format
as today's IPv6 addresses, upper layer software can to a large extent
continue to use today's APIs.
A corresponding disadvantage is that, unlike the completely disjoint
model, there is no 'a priori' distinction between an Identifier and a
Locator. Network elements and Stacks would need to be able to treat
tokens that look like an IP Address much as they do today, but with a
clear definition of the context within which Identifiers and Locators
are the same thing, and of the contexts in which they are not. As
has been discovered for IPv6 scoped addresses [RFC4007], there is
significant complexity in attaching scope rules to what is otherwise
an architecturally opaque address value. Any design based on a
partially disjoint model needs to specify how context and scope are
managed, and this may add to the requirements for a mapping service
and for APIs.
3.3. Common Requirements
Consider three Stacks A, B and C in three adminstratively separate
sites. What Locator and Identitfier properties do they require?
Within its site, A must have an Identifier and Locator that are
conveniently mapped for the operational staff (if not equal), and do
not vary in a way unexpected by those operational staff. The same is
true for B and C respectively.
When communicating with B, A must provide an Identifier that B can
Carpenter Expires December 6, 2007 [Page 11]
Internet-Draft Identifier-Locator Mapping June 2007
rely on, and conversely. To send its packets, A must either know a
Locator for B that is valid in the context of site A, or send the
packet to a router that knows such a Locator (given B's Identifier).
The same is true in the reverse direction.
It is irrelevant to A and B if the Locator used by A (or A's router)
is only valid locally at site A, i.e. if the locator changes once or
several times along the way. All that matters is that the packet be
delivered to B, still carrying A's Identifier.
A must also be able to communicate with C on the same basis, and
furthermore tell C that it may communicate with B as part of the same
application. Since we have admitted that the Locator that A (or A's
router) knows for B may only be valid locally, it is required that A
only needs to communicate B's Identifier to C.
However, we must be careful not to read too much into this. By
communicating an Identifier to C, A does not undertake to tell C how
to reach B. Finding a Locator for B is out-of-band, and should be
subject to B's security policies and whatever routing arrangements
are in place between C and B.
We conclude that:
o On-site, Identifiers and Locators may or may not be split,
depending on whether the completely or partially disjoint model is
chosen.
o To go off-site, it is necessary to know which Locator leads
towards a given Identifier. Either the sending Stack or its
router could know this.
o The Identifier of the sending Stack must be delivered unchanged to
the receiving Stack.
o It must be possible to refer third party Stacks to a remote
Stack's Identifier.
Another likely common requirement is that whatever plays the part of
the socket API should provide sufficient features for the upper layer
protocol that it can deal with transitional situations, where some
Stacks support the id-loc split and others don't. In the case of
partially disjoint namespaces, the API must provide features to allow
the upper layer protocol to discriminate between Locators and
Identifiers if necessary.
4. Mapping Goals
With the above as background we can consider the goals of a mapping
mechanism between Identifier Namespace and Locator Namespaces (note
the plural).
Carpenter Expires December 6, 2007 [Page 12]
Internet-Draft Identifier-Locator Mapping June 2007
It is assumed that application Namespaces, and in particular domain
names, will be mapped to Identifiers independently, for example using
existing or new DNS RR types.
4.1. Many Locator Namespaces
Every site using [RFC1918] has its own Locator Namespace. The IPv4
Internet constitutes another Locator Namespace, and IPv6 constitutes
a Locator Namespace. Furthermore, sites using IPv6 ULAs [RFC4193]
will have their own Locator Namespaces. We cannot exclude the
existence of additional (possibly secret) Locator Namespaces.
4.2. One Identifier Namespace
Going forward, we should aim to have exactly one Identifier Namespace
at network level. In different contexts, it will be mapped to
different Locator Namespaces.
4.3. Reversible Mapping Issues
Clearly mapping from an Identifier to a set of Locators must be
possible. Since we require every packet to be delivered carrying its
original Identifier, reverse mapping would be needed if packets do
not carry their original Identifier en route. This has important
implications. If reverse mapping is not required, it would be quite
possible for the Locator used for transport across the Internet to be
highly multiplexed - in the limit, all packets sent to a given site
could be sent to the same Locator. (For an analogy, compare the way
that all IPv6 packets for a 6to4 site are sent to the same IPv4
address [RFC3056]). Such a simpification could have a dramatic
effect on the size and frequency of mapping updates.
4.4. Two-Faced Maps?
Since the Locator Namespace within a site is in the general case
different from the Internet Locator Namespace, there could in theory
be a need for two maps at a given site: Identifier Namespace to the
site's Locator Namespace, and Identifier Namespace to the Internet
Locator Namespace (plus some complications due to IPv4 and IPv6 being
different Internet Locator Namespaces). Two-faced maps can be
avoided only if we choose the partially disjoint option and deem that
within the site, Identifier equals Locator.
4.5. Is the Map Isotropic?
The short answer is: highly unlikely. It is not true by construction
that if the best Locator for B when sending from A has value L(A,B),
and the best Locator for B when sending from C has value L(C,B), then
Carpenter Expires December 6, 2007 [Page 13]
Internet-Draft Identifier-Locator Mapping June 2007
L(A,B)=L(C,B). In fact, it is not true by construction that L(A,B)
is necessarily a valid locator when sending from C to B. A trivial
example is when L(A,B) is 10.1.1.1/32. It may be true that B has
some Locators that are globally valid, but this cannot be assumed
unless the system is designed that way.
The map will therefore almost certainly have some of the properties
of a routing system - the entries for a given Identifier will be
different at different points in the topology.
4.6. Scale
We want no arbitrary scaling limits. However, proposed scaling
targets are 10 to 100 billion Stacks (which scales the Identifier
Namespace), and 10 million sites. Although the latter does not
directly scale the Internet's Locator Namespace, it indicates the
worst-case granularity of the routing table for that Locator
Namespace. If we don't do better than random allocation of address
blocks to sites, we will end up with 10 million routing table
entries.
4.7. What Does an Identifier Look Like?
This is of course a question that HIP [RFC4423] has looked at,
although focussed on "hosts" rather than Stacks. In practice, the
difference is probably not so important - a Stack can be viewed as a
virtual host - and HIP in fact settled on using a HIT (Host Identity
Tag) as a 128-bit representation for a Host Identity in actual
packets. HIP further posits that "a HIT should be unique in the
whole IP universe as long as it is being used." Whether or not we
accept the HIP/HIT model, in the partially disjoint model, choosing
near-128 bit opaque binary objects as the baseline for Stack
Identifiers seems like the obvious conclusion, and can easily be
rendered compatible with IPv6 or embedded IPv4 addresses. In the
fully disjoint model, the format of an Identifier is currently
unconstrained.
4.8. Do Identifiers have Useful Properties?
Thus far we assumed that Identifiers are opaque binary objects. Is
this a correct assumption? We may want them to be designed for
efficient lookup, and we may discover cryptographic requirements.
Both architectural and design decisions need to be taken on this
point.
If they are truly opaque (e.g., HITs) they have no structure, cannot
be aggregated in any sort of hierarchy, and cannot be used for any
kind of structured lookup. If used on-site as Locators, HITs force
Carpenter Expires December 6, 2007 [Page 14]
Internet-Draft Identifier-Locator Mapping June 2007
use of flat routing. If Identifiers are (for example) equated
locally to Locators, and specifically to IPv6 Unique Local Addresses
(ULA) [RFC4193], they can be organized to match a site's subnet
infrastructure and be used in a convenient way in on-site routing and
in reverse DNS. However, for mobile systems, this argument can only
apply on the home site; once the system roams to another site, its
ULA can no longer be used as a Locator even it remains as the
Identifier. Therefore, we must be cautious about relying on any
address-like properties of Identifiers.
4.9. What Does a Locator Look Like?
Unless we plan to destroy the Internet and build a new one, it seems
probable that it will look like an IPv4 or IPv6 prefix. Note that it
doesn't need to be a full address: routing an IPv4 packet to the site
border router handling a given /24 may be necessary and sufficient,
if that border router knows how to resolve the Identifier to a local
Stack Locator. So it is suggested that Locators in the map look
like:
Address type:Prefix/MaskLength
and of course it is legitimate to use /32 or /128 masks.
4.10. Who Needs the Map?
The minimal model is that the map is needed at every border router
that connects a customer site (or a local ISP) to one or more transit
providers. In that case, Stack A will simply send a packet to Stack
Identifier B in care of its default router, and the border router
will invoke the map to forward the packet to a Locator for B's site.
B's border router will remap, if necessary, to B's local Locator.
(However, that remapping will be a no-operation if, in the partially
disjoint model, Identifier equals stub Locator.)
In more complex scenarios, several Locator remappings could occur in
transit. In other words, in addition to A's and B's border routers,
which both sit at a point where the Locator Namespace Context
changes, the packet flows through another router at which such a
change occurs. Although this would represent a discontinuity in the
Internet Locator Namespace, it would not break the Identifier/Locator
mapping model. In fact, a Locator remapping can be regarded as a
property of the routing system and quite distinct from the
Identifier/Locator map. It's an open question whether a general
Locator/Locator mapping system is needed.
Note that if sites A and B were actually interconnected by an IP-
level VPN rather than by the Internet, this could readily be
represented in the map held by the two border routers. It's really
Carpenter Expires December 6, 2007 [Page 15]
Internet-Draft Identifier-Locator Mapping June 2007
just a different way of representing a specific route.
Finally, the map could be held by the sending hosts. In a sense this
is what SHIM6 [I-D.ietf-shim6-proto] proposes, except that SHIM6
derives its map session-by-session without directly involving the
routing system. But SHIM6 could certainly work equally well if it
acquired the map globally from some source, and moving SHIM6
functionality from the host to a proxy is being studied.
4.11. What is the lifetime of a mapping?
At a given instant in time, an Identifier will correspond to one or
more Locators. The mapping between a given Identifier and a given
Locator must have some valid lifetime, which is unlikely to be
infinite. For example, imagine a server with a permanent Identifier.
Assume it has four corresponding Locators, the IPv6 and IPv4
addresses of the site's border routers, which are connected to two
different ISPs. When the site decides to cancel one of its ISPs, the
two corresponding locators become invalid.
Lifetime could be much shorter for client machines configured
dynamically each time they connect to a site network, using DHCP or
IPv6 Neighbor Discovery. When such a machine boots up, it might
acquire a new Identifier, possibly equal to its Locator in the site
context. This will need to be mapped to all external Locators valid
for the site. That mapping will be valid only until the client
machine is removed from the site network. Even if there is a way to
give a client machine a permanent Identifier, its Locator mappings
will be created at reboot.
How quickly will such changes in the map be propagated through the
Internet? Will old mappings be deleted from cache when a lifetime
expires, or will there be an explicit delete?
4.12. How Does the Map Relate to Mobility?
Is it correct, and sufficient, to say that whatever Locator a mobile
system is currently using belongs to some site or other, and the
Identifier/Locator mapping for that site applies? In other words,
can we deem that id-loc mapping is orthogonal to mobility? Or must
we ask how a site discovers the appropriate mapping when a visiting
mobile node appears? Alternatively, should we consider that dynamic
id-loc mapping is itself a mobility mechanism? What lessons can we
learn from Mobile IP? In fact, is Mobile IP anything other than an
id-loc mapping system, where the Home Agent fulfils the role of an
id-loc mapper?
Carpenter Expires December 6, 2007 [Page 16]
Internet-Draft Identifier-Locator Mapping June 2007
4.13. Who chooses the Locator?
Because of multihoming, it's likely that the map will contain more
than one Locator for a given Identifier. An important consideration
is that the choice of locator should be under policy control, in
order that traffic should flow along the paths preferred by site or
ISP managers. The map needs to provide for some elementary policy
constructs such as precedence.
4.14. Push, Pull, Push/Pull
In a naive push model, the originator of a mapping entry pushes it
out to all those who may need it, which in the limiting case is every
node in the Internet. In a naive pull model, a node that needs a
mapping entry (to map the first packet of a session) pulls the entry
when it needs it. Clearly, as described, both of these models have
major issues.
The naive push model would need to flood the entire Internet whenever
a mapping entry changes. Even if we can design to have one mapping
entry per site, that makes a target of flooding the Internet with
updates from 10 million sites. The rate is unknown, but presumably
many times today's BGP4 update rate, and presumably unsustainable.
The naive pull model would insert a substantial lookup delay
(probably measured in tens or hundreds of milliseconds) at the
beginning of every applications session that could not make use of a
locally cached mapping entry. This would be a major problem,
particularly for massive server farms serving tens of thousands of
effectively random Internet users, where the chance of having a
suitable cached mapping entry would be low. Also, it would cause a
risk of unacceptable glitches in real time sessions, if dynamic
remapping became necessary during a session.
The answer probably lies in some intermediate Push/Pull model where
mapping changes are opportunistically flooded to caching map servers
around the network, and opportunistically discovered by mapping
nodes, with a fallback to a pull model when needed. While the DNS
may serve as a general model for such a solution, it is far from
obvious that the DNS is the right tool as it stands today.
5. Conclusion
This document doesn't draw a conclusion as to whether the completely
disjoint or partially disjoint namespaces model is better, but the
community needs to make a clear decision. Neither does it analyze
map distribution mechanisms in detail, where again a community choice
Carpenter Expires December 6, 2007 [Page 17]
Internet-Draft Identifier-Locator Mapping June 2007
of mechanism is needed. It is hoped the foregoing discussion will
provide background for the choices to be made.
6. Security Considerations
An important decision must be made whether the mapping mechanism will
exist only in boxes deemed to be intrinsically trusted (i.e. routers
accessible exclusively by trusted personnel) or whether it will also
exist in boxes liable to general attack threats (i.e. hosts
accessible to a wide variety of users and not necessarily maintained
professionally). The threat analysis for a solution will be
significantly different in the two cases.
This document does not attempt a threat analysis in a vacuum. It is
clear that if Internet routing comes to depend on an Identifier to
Locator mapping service, that service could become an attack vector
for either packet diversion or denial of service unless adequately
protected. Thus, it seems very likely that the mapping elements must
be cryptographicaly authenticated to prevent tampering, and possible
DoS attacks must be anticipated. The threat analyses for MULTI6
[RFC4218], SHIM6 (see Security Considerations in
[I-D.ietf-shim6-proto]) and LISP [I-D.bagnulo-lisp-threat] are
illustrative.
A major purpose of a Stack Identifier is to give assurance to the
other end of a communication that it's talking to the right entity.
There are various cases in current-day TCP/IP where the IP Address is
used for that, on the theory that we know the packets we send are
being directed there; we should be looking for something stronger.
This implies a possible need for Identifiers to be authenticated,
regardless of mapping issues.
Any id-loc mapping scheme will have an impact on privacy, e.g.
facilitating or hindering the tracking of an individual's or host's
activities over time. Whatever id-loc schemes are proposed should be
specific about their impact in this area. Also, is there any
relation to topology hiding [RFC4864]?
7. IANA Considerations
This document requests no action by the IANA.
8. Acknowledgements
There are years of previous thinking and writing on this topic in the
Carpenter Expires December 6, 2007 [Page 18]
Internet-Draft Identifier-Locator Mapping June 2007
Internet technical community. No claim to originality is made, and
overlooked references will be gladly added.
Contributions and comments by Eliot Lear, Russ White, Stephen
Farrell, Noel Chiappa, John Leslie, Alvaro Vives and others are
gratefully acknowledged.
This document was produced using the xml2rfc tool [RFC2629].
9. Change log [RFC Editor: please remove this section]
draft-carpenter-idloc-map-cons-01: significant reorganization,
especially distinguishing disjoint and overlapping namespace models;
included feedback comments, 2007-06-04
draft-carpenter-idloc-map-cons-00: original version, 2007-04-17
10. Informative References
[ENDPOINTS]
Chiappa, N., "Endpoints and Endpoint Names: A Proposed
Enhancement to the Internet Architecture [unpublished,
see http://ana.lcs.mit.edu/~jnc//tech/endpoints.txt]",
June 1995.
[GSE] O'Dell, M., "GSE - An Alternate Addressing Architecture
for IPv6 [unpublished]", February 1997.
[I-D.bagnulo-lisp-threat]
Bagnulo, M., "Preliminary LISP Threat Analysis",
draft-bagnulo-lisp-threat-00 (work in progress),
March 2007.
[I-D.farinacci-lisp]
Farinacci, D., "Locator/ID Separation Protocol (LISP)",
draft-farinacci-lisp-00 (work in progress), January 2007.
[I-D.iab-raws-report]
Meyers, D., "Report from the IAB Workshop on Routing and
Addressing", draft-iab-raws-report-02 (work in progress),
April 2007.
[I-D.ietf-mmusic-ice]
Rosenberg, J., "Interactive Connectivity Establishment
(ICE): A Methodology for Network Address Translator (NAT)
Traversal for Offer/Answer Protocols",
Carpenter Expires December 6, 2007 [Page 19]
Internet-Draft Identifier-Locator Mapping June 2007
draft-ietf-mmusic-ice-15 (work in progress), March 2007.
[I-D.ietf-shim6-proto]
Bagnulo, M. and E. Nordmark, "Shim6: Level 3 Multihoming
Shim Protocol for IPv6", draft-ietf-shim6-proto-08 (work
in progress), April 2007.
[I-D.nikander-ram-ilse]
Nikander, P., "Identifier / Locator Separation:
Exploration of the Design Space (ILSE)",
draft-nikander-ram-ilse-00 (work in progress),
February 2007.
[I-D.templin-ipvlx]
Templin, F., "The IPvLX Architecture",
draft-templin-ipvlx-08 (work in progress), May 2007.
[I-D.wang-ietf-efit]
Massey, D., "A Proposal for Scalable Internet Routing &
Addressing", draft-wang-ietf-efit-00 (work in progress),
February 2007.
[NSRG] Lear, E. and R. Droms, "What's In A Name: Thoughts from
the NSRG [unpublished]", September 2003.
[RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
E. Lear, "Address Allocation for Private Internets",
BCP 5, RFC 1918, February 1996.
[RFC2101] Carpenter, B., Crowcroft, J., and Y. Rekhter, "IPv4
Address Behaviour Today", RFC 2101, February 1997.
[RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
June 1999.
[RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains
via IPv4 Clouds", RFC 3056, February 2001.
[RFC3205] Moore, K., "On the use of HTTP as a Substrate", BCP 56,
RFC 3205, February 2002.
[RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy,
"STUN - Simple Traversal of User Datagram Protocol (UDP)
Through Network Address Translators (NATs)", RFC 3489,
March 2003.
[RFC4007] Deering, S., Haberman, B., Jinmei, T., Nordmark, E., and
B. Zill, "IPv6 Scoped Address Architecture", RFC 4007,
Carpenter Expires December 6, 2007 [Page 20]
Internet-Draft Identifier-Locator Mapping June 2007
March 2005.
[RFC4193] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, October 2005.
[RFC4218] Nordmark, E. and T. Li, "Threats Relating to IPv6
Multihoming Solutions", RFC 4218, October 2005.
[RFC4423] Moskowitz, R. and P. Nikander, "Host Identity Protocol
(HIP) Architecture", RFC 4423, May 2006.
[RFC4864] Van de Velde, G., Hain, T., Droms, R., Carpenter, B., and
E. Klein, "Local Network Protection for IPv6", RFC 4864,
May 2007.
Author's Address
Brian Carpenter
IBM
8 Chemin de Blandonnet
1214 Vernier,
Switzerland
Email: brian.e.carpenter@gmail.com
Carpenter Expires December 6, 2007 [Page 21]
Internet-Draft Identifier-Locator Mapping June 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Carpenter Expires December 6, 2007 [Page 22]