The OSPF Opaque LSA Option
RFC 2370

Document Type RFC - Proposed Standard (July 1998)
Obsoleted by RFC 5250
Updated by RFC 3630
Author Rob Coltun
Last updated 2013-03-02
RFC stream Internet Engineering Task Force (IETF)
IESG Responsible AD (None)
Send notices to (None)
MPLS Working Group                                          Rajiv Asati
Internet Draft                                                    Cisco
Updates: 5036 (if approved)
Intended status: Standards Track                         Vishwas Manral
Expires: June 28, 2014                            Hewlett-Packard, Inc.

                                                          Rajiv Papneja
                                                                 Huawei

                                                       Carlos Pignataro
                                                                  Cisco

                                                      December 28, 2013

                          Updates to LDP for IPv6
                        draft-ietf-mpls-ldp-ipv6-11

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 8, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.  Code Components extracted from this

Asati, et. al          Expires June 28, 2014               [Page 1]
Internet-Draft         draft-ietf-mpls-ldp-ipv6       December 28, 2013

   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Abstract

   The Label Distribution Protocol (LDP) specification defines
   procedures to exchange label bindings over IPv4, IPv6, or both
   networks. This document corrects and clarifies the LDP behavior
   when an IPv6 network is used (with or without IPv4). This document
   updates RFC 5036.

Table of Contents

   1. Introduction...................................................3
      1.1. Scope.....................................................4
         1.1.1. Topology Scenarios...................................4
         1.1.2. LDP TTL Security.....................................5
   2. Specification Language.........................................5
   3. LSP Mapping....................................................6
   4. LDP Identifiers................................................6
   5. Peer Discovery.................................................7
      5.1. Basic Discovery Mechanism.................................7
      5.2. Extended Discovery Mechanism..............................8
   6. LDP Session Establishment and Maintenance......................8
      6.1. Transport connection establishment........................9
      6.2. Maintaining Hello Adjacencies............................10
      6.3. Maintaining LDP Sessions.................................11
   7. Label Distribution............................................12
   8. LDP Identifiers and Next Hop Addresses........................12
   9. LDP TTL Security..............................................13
   10. IANA Considerations..........................................13
   11. Security Considerations......................................14
   12. Acknowledgments..............................................14
   13. Additional Contributors......................................14
   14. References...................................................16
      14.1. Normative References....................................16
      14.2. Informative References..................................16
   Appendix.........................................................17
   Author's Addresses...............................................17

   " (see Section 10.6
   of [OSPF], receiving Database Description packets from a neighbor in
   state ExStart). A neighbor is opaque-capable if and only if it sets
   the O-bit in the Options field of its Database Description packets;
   the O-bit is not set in packets other than Database Description

Coltun                      Standards Track                     [Page 4]
RFC 2370               The OSPF Opaque LSA Option              July 1998

   packets.  Then, in the next step of the Database Exchange process,
   Opaque LSAs are included in the Database summary list that is sent to
   the neighbor (see Sections 3.2 below and 10.3 of [OSPF]) if and only
   if the neighbor is opaque capable.

   When flooding Opaque-LSAs to adjacent neighbors, an opaque-capable
   router looks at the neighbor's opaque capability.  Opaque LSAs are
   only flooded to opaque-capable neighbors. To be more precise, in
   Section 13.3 of [OSPF], Opaque LSAs are only placed on the link-state
   retransmission lists of opaque-capable neighbors.  However, when
   sending Link State Update packets as multicasts, a non-opaque-capable
   neighbor may (inadvertently) receive Opaque LSAs. The non-opaque-
   capable router will then simply discard the LSA (see Section 13 of
   [OSPF], receiving LSAs having unknown LS types).

3.2 Modifications To The Neighbor State Machine

   The state machine as it exists in section 10.3 of [OSPF] remains
   unchanged except for the action associated with State: ExStart,
   Event: NegotiationDone which is where the Database summary list is
   built.  To incorporate the Opaque LSA in OSPF this action is changed
   to the following.

     State(s):  ExStart

       Event:  NegotiationDone

     New state:  Exchange

       Action:  The router must list the contents of its entire area
                link-state database in the neighbor Database summary
                list.  The area link-state database consists of the
                Router LSAs, Network LSAs, Summary LSAs and types 9 and
                10 Opaque LSAs contained in the area structure, along
                with AS External and type-11 Opaque LSAs contained in
                the global structure. AS External and type-11 Opaque
                LSAs are omitted from a virtual neighbor's Database
                summary list. AS External LSAs and type-11 Opaque LSAs
                are omitted from the Database summary list if the area
                has been configured as a stub area (see Section 3.6 of
                [OSPF]).

                Type-9 Opaque LSAs are omitted from the Database summary
                list if the interface associated with the neighbor is
                not the interface associated with the Opaque LSA (as
                noted upon reception).

                Any advertisement whose age is equal to MaxAge is
                omitted from the Database summary list. It is instead
                added to the neighbor's link-state retransmission list.
                A summary of the Database summary list will be sent to
                the neighbor in Database Description packets.  Each
                Database Description Packet has a DD sequence number,
                and is explicitly acknowledged.  Only one Database
                Description Packet is allowed to be outstanding at any
                one time. For more detail on the sending and receiving
                of Database Description packets, see Sections 10.6 and
                10.8 of [OSPF].
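   The NegotiationDone action above, written out as an added example
   (not code from the RFC): the Lsa and Neighbor classes and the sample
   database are hypothetical, and the O-bit is taken as 0x40 from the
   Options field layout in Appendix A.1.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_AGE = 3600      # MaxAge, in seconds (RFC 2328, Appendix B)
O_BIT = 0x40        # Opaque capability bit of the Options field
AS_EXTERNAL, OPAQUE_LINK, OPAQUE_AREA, OPAQUE_AS = 5, 9, 10, 11
OPAQUE_TYPES = (OPAQUE_LINK, OPAQUE_AREA, OPAQUE_AS)


@dataclass(frozen=True)
class Lsa:                      # hypothetical, minimal LSDB entry
    ls_type: int
    link_state_id: int
    adv_router: str
    age: int = 0
    interface: Optional[str] = None   # type 9 only: interface noted on reception


@dataclass(frozen=True)
class Neighbor:                 # hypothetical, minimal neighbor structure
    interface: str
    dd_options: int             # Options byte from its Database Description packets
    is_virtual: bool = False
    stub_area: bool = False

    @property
    def opaque_capable(self) -> bool:
        return bool(self.dd_options & O_BIT)


def build_summary_list(lsdb: List[Lsa], nbr: Neighbor) -> Tuple[List[Lsa], List[Lsa]]:
    """Return (Database summary list, LSAs put on the retransmission list)."""
    summary, retransmit = [], []
    for lsa in lsdb:
        # Opaque LSAs are listed and retransmitted only for opaque-capable neighbors.
        if lsa.ls_type in OPAQUE_TYPES and not nbr.opaque_capable:
            continue
        # AS External and type-11 LSAs: omitted for virtual neighbors and stub areas.
        if lsa.ls_type in (AS_EXTERNAL, OPAQUE_AS) and (nbr.is_virtual or nbr.stub_area):
            continue
        # Type-9 LSAs stay on the interface they are associated with.
        if lsa.ls_type == OPAQUE_LINK and lsa.interface != nbr.interface:
            continue
        # MaxAge LSAs go to the retransmission list instead of the summary list.
        if lsa.age >= MAX_AGE:
            retransmit.append(lsa)
            continue
        summary.append(lsa)
    return summary, retransmit


# Constructed sample database (router IDs from a documentation range).
SAMPLE_LSDB = [
    Lsa(1, 0xC0000201, "192.0.2.1"),
    Lsa(AS_EXTERNAL, 0xC6336400, "192.0.2.9"),
    Lsa(OPAQUE_LINK, 0x01000001, "192.0.2.2", interface="eth0"),
    Lsa(OPAQUE_LINK, 0x01000002, "192.0.2.3", interface="eth1"),
    Lsa(OPAQUE_AREA, 0x01000003, "192.0.2.2"),
    Lsa(OPAQUE_AREA, 0x01000004, "192.0.2.4", age=MAX_AGE),
    Lsa(OPAQUE_AS, 0x80000001, "192.0.2.9"),
]

if __name__ == "__main__":
    for nbr in (Neighbor("eth0", 0x42), Neighbor("eth0", 0x02),
                Neighbor("eth1", 0x40, stub_area=True)):
        summary, retransmit = build_summary_list(SAMPLE_LSDB, nbr)
        print(nbr, [l.ls_type for l in summary], [l.ls_type for l in retransmit])
```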

4.0  Protocol Data Structures

   The Opaque option is described herein in terms of its operation on
   various protocol data structures. These data structures are included
   for explanatory uses only, and are not intended to constrain an
   implementation. In addition to the data structures listed below, this
   specification references the various data structures (e.g., OSPF
   neighbors) defined in [OSPF].

   In an OSPF router, the following item is added to the list of global
   OSPF data structures described in Section 5 of [OSPF]:

     o Opaque capability. Indicates whether the router is running the
       Opaque option (i.e., capable of storing Opaque LSAs).  Such a
       router will continue to inter-operate with non-opaque-capable
       OSPF routers.

4.1 Additions To The OSPF Neighbor Structure

   The OSPF neighbor structure is defined in Section 10 of [OSPF].  In
   an opaque-capable router, the following items are added to the OSPF
   neighbor structure:

     o Neighbor Options. This field was already defined in the OSPF
       specification. However, in opaque-capable routers there is a new
       option which indicates the neighbor's Opaque capability. This new
       option is learned in the Database Exchange process through
       reception of the neighbor's Database Description packets, and
       determines whether Opaque LSAs are flooded to the neighbor. For a
       more detailed explanation of the flooding of the Opaque LSA see
       section 3 of this document.

5.0 Management Considerations

   This section identifies the current OSPF MIB [OSPFMIB] capabilities
   that are applicable to the Opaque option and lists the additional
   management information which is required for its support.

   Opaque LSAs are types 9, 10 and 11 link-state advertisements.  The
   link-state ID of the Opaque LSA is divided into an Opaque type field
   (the first 8 bits) and a type-specific ID (the remaining 24 bits).
   The packet format of the Opaque LSA is given in Appendix A.  The
   range of topological distribution (i.e., the flooding scope) of an
   Opaque LSA is identified by its link-state type.

     o Link-State type 9 Opaque LSAs have a link-local scope. Type-9
       Opaque LSAs are flooded on a single local (sub)network but are
       not flooded beyond the local (sub)network.

     o Link-state type 10 Opaque LSAs have an area-local scope. Type-10
       Opaque LSAs are flooded throughout a single area but are not
       flooded beyond the borders of the associated area.

     o Link-state type 11 Opaque LSAs have an Autonomous-System-wide
       scope.  The flooding scope of type-11 LSAs is equivalent to the
       flooding scope of AS-external (type-5) LSAs.

   The OSPF MIB provides a number of objects that can be used to manage
   and monitor an OSPF router's Link-State Database.  The ones that are
   relevant to the Opaque option are as follows.

     The ospfGeneralGroup defines two objects for keeping track of newly
     originated and newly received LSAs (ospfOriginateNewLsas and
     ospfRxNewLsas respectively).

     The OSPF MIB defines a set of optional traps.  The ospfOriginateLsa
     trap signifies that a new LSA has been originated by a router and
     the ospfMaxAgeLsa trap signifies that one of the LSAs in the
     router's link-state database has aged to MaxAge.

     The ospfAreaTable describes the configured parameters and
     cumulative statistics of the router's attached areas. This table
     includes a count of the number of LSAs contained in the area's
     link-state database (ospfAreaLsaCount), and a sum of the LSA's LS
     checksums contained in this area (ospfAreaLsaCksumSum).  This sum
     can be used to determine if there has been a change in a router's
     link-state database, and to compare the link-state database of two
     routers.

     The ospfLsdbTable describes the OSPF Process's link-state database
     (excluding AS-external LSAs).  Entries in this table are indexed
     with an Area ID, a link-state type, a link-state ID and the
     originating router's Router ID.

   The management objects that are needed to support the Opaque option
   are as follows.

     An Opaque-option-enabled object is needed to indicate if the Opaque
     option is enabled on the router.

     The origination and reception of new Opaque LSAs should be
     reflected in the counters ospfOriginateNewLsas and ospfRxNewLsas
     (inclusive for types 9, 10 and 11 Opaque LSAs).

     If the OSPF trap option is supported, the origination of new Opaque
     LSAs and purging of MaxAge Opaque LSAs should be reflected in the
     ospfOriginateLsa and ospfMaxAgeLsa traps (inclusive for types 9, 10
     and 11 Opaque LSAs).

     The number of type-10 Opaque LSAs should be reflected in
     ospfAreaLsaCount; the checksums of type-10 Opaque LSAs should be
     included in ospfAreaLsaCksumSum.

     Type-10 Opaque LSAs should be included in the ospfLsdbTable.  Note
     that this table does not include a method of examining the Opaque
     type field (in the Opaque option this is a sub-field of the link-
     state ID).

     Up until now, LSAs have not had a link-local scope so there is no
     method of requesting the number of, or examining, the LSAs that are
     associated with a specific OSPF interface. A new group of
     management objects is required to support type-9 Opaque LSAs.
     These objects should include a count of type-9 Opaque LSAs, a
     checksum sum and a table for displaying the link-state database for
     type-9 Opaque LSAs on a per-interface basis.  Entries in this table
     should be indexed with an Area ID, interface's IP address, Opaque
     type, link-state ID and the originating router's Router ID.

     Prior to the introduction of type-11 Opaque LSAs, AS-External
     (type-5) LSAs have been the only link-state types which have an
     Autonomous-System-wide scope.  A new group of objects is required
     to support type-11 Opaque LSAs.  These objects should include a
     count of type-11 Opaque LSAs, a type-11 checksum sum and a table
     for displaying the type-11 link-state database.  Entries in this
     table should be indexed with the Opaque type, link-state ID and the
     originating router's Router ID.  The type-11 link-state database
     table will allow type-11 LSAs to be displayed once for the router
     rather than once in each non-stub area.

6.0 Security Considerations

   There are two types of issues that need to be addressed when looking
   at protecting routing protocols from misconfigurations and malicious
   attacks.  The first is authentication and certification of routing
   protocol information.  The second is denial of service attacks
   resulting from repetitive origination of the same router
   advertisement or origination of a large number of distinct
   advertisements resulting in database overflow.  Note that both of
   these concerns exist independently of a router's support for the
   Opaque option.

   To address the authentication concerns, OSPF protocol exchanges are
   authenticated.  OSPF supports multiple types of authentication; the
   type of authentication in use can be configured on a per network
   segment basis. One of OSPF's authentication types, namely the
   Cryptographic authentication option, is believed to be secure against
   passive attacks and provide significant protection against active
   attacks. When using the Cryptographic authentication option, each
   router appends a "message digest" to its transmitted OSPF packets.
   Receivers then use the shared secret key and received digest to
   verify that each received OSPF packet is authentic.

   The quality of the security provided by the Cryptographic
   authentication option depends completely on the strength of the
   message digest algorithm (MD5 is currently the only message digest
   algorithm specified), the strength of the key being used, and the
   correct implementation of the security mechanism in all communicating
   OSPF implementations. It also requires that all parties maintain the
   secrecy of the shared secret key.  None of the standard OSPF
   authentication types provide confidentiality. Nor do they protect
   against traffic analysis.  For more information on the standard OSPF
   security mechanisms, see Sections 8.1, 8.2, and Appendix D of [OSPF].

   [DIGI] describes the extensions to OSPF required to add digital
   signature authentication to Link State data and to provide a
   certification mechanism for router data.  [DIGI] also describes the
   added LSA processing and key management as well as a method for
   migration from, or co-existence with, standard OSPF V2.

   Repetitive origination of advertisements is addressed by OSPF by
   mandating a limit on the frequency that new instances of any
   particular LSA can be originated and accepted during the flooding
   procedure.  The frequency at which new LSA instances may be

1. Introduction

   The LDP [RFC5036] specification defines procedures and messages for
   exchanging FEC-label bindings over either IPv4 or IPv6 or both (e.g.
   dual-stack) networks.

   However, the RFC5036 specification has the following deficiencies
   with regard to IPv6 usage:

   1) LSP Mapping: No rule defined for mapping a particular packet to a
      particular LSP that has an Address Prefix FEC element containing
      IPv6 address of the egress router

   2) LDP Identifier: No details specific to IPv6 usage

   3) LDP Discovery: No details for using a particular IPv6 destination
      (multicast) address or the source address (with or without IPv4
      co-existence)

   4) LDP Session establishment: No rule for handling both IPv4 and
      IPv6 transport address optional objects in a Hello message, and
      subsequently two IPv4 and IPv6 transport connections

   5) LDP Label Distribution: No rule for advertising IPv4 and/or IPv6
      FEC-label bindings over an LDP session, and denying the co-
      existence of IPv4 and IPv6 FEC Elements in the same FEC TLV

   6) Next Hop Address & LDP Identifier: No rule for accommodating the
      usage of duplicate link-local IPv6 addresses

   7) LDP TTL Security: No rule for built-in Generalized TTL Security
      Mechanism (GTSM) in LDP

   This document addresses the above deficiencies by specifying the
   desired behavior/rules/details for using LDP in IPv6 enabled
   networks (IPv6-only or Dual-stack networks).

   Note that this document updates RFC5036.

1.1. Scope

1.1.1. Topology Scenarios

   The following scenarios in which the LSRs may be inter-connected via
   one or more dual-stack interfaces (figure 1), or one or more single-
   stack interfaces (figure 2 and figure 3) are addressed by this
   document:

                 R1------------------R2
                       IPv4+IPv6

            Figure 1 LSRs connected via a Dual-stack Interface

                       IPv4
                 R1=================R2
                       IPv6

          Figure 2 LSRs connected via two single-stack Interfaces

                 R1------------------R2---------------R3
                       IPv4                 IPv6

           Figure 3 LSRs connected via a single-stack Interface

   Note that the topology scenario illustrated in figure 1 also covers
   the case of a single-stack interface (IPv4, say) being converted to
   a dual-stacked interface by enabling IPv6 routing as well as IPv6
   LDP, even though the IPv4 LDP session may already be established
   between the LSRs.

   Note that the topology scenario illustrated in figure 2 also covers
   the case of two routers getting connected via an additional single-
   stack interface (IPv6 routing and IPv6 LDP), even though the IPv4
   LDP session may already be established between the LSRs over the
   existing interface(s).

1.1.2. LDP TTL Security

   The LDP TTL Security mechanism specified by this document applies
   only to single-hop LDP peering sessions, but not to multi-hop LDP
   peering sessions, in line with Section 5.5 of [RFC5082] that
   describes Generalized TTL Security Mechanism (GTSM).

   As a consequence, any LDP feature that relies on a multi-hop LDP
   peering session would not work with GTSM and will warrant
   (statically or dynamically) disabling GTSM. Please see section 8.

2. Specification Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Abbreviations:

   LDP      - Label Distribution Protocol

   LDPv4    - LDP for enabling IPv4 MPLS forwarding

   LDPv6    - LDP for enabling IPv6 MPLS forwarding

   LDPoIPv4 - LDP over IPv4 transport session

   LDPoIPv6 - LDP over IPv6 transport session

   FEC      - Forwarding Equivalence Class

   TLV      - Type Length Value

   LSR      - Label Switch Router

   LSP      - Label Switched Path

   LSPv4    - IPv4-signaled Label Switched Path [RFC4798]

   LSPv6    - IPv6-signaled Label Switched Path [RFC4798]

   AFI      - Address Family Identifier

3. LSP Mapping

   Section 2.1 of [RFC5036] specifies the procedure for mapping a
   particular packet to a particular LSP using three rules. Quoting the
   3rd rule from RFC5036:

     "If it is known that a packet must traverse a particular egress
     router, and there is an LSP that has an Address Prefix FEC element
     that is a /32 address of that router, then the packet is mapped to
     that LSP."

   Suffice it to say, this rule is correct for IPv4, but not for IPv6,
   since an IPv6 router may not have any /32 address.

   This document proposes to modify this rule by also including a /128
   address (for IPv6). In fact, it should be reasonable to just say
   IPv4 or IPv6 address instead of /32 or /128 addresses as shown below
   in the updated rule:

     "If it is known that a packet must traverse a particular egress
     router, and there is an LSP that has an Address Prefix FEC element
     that is an IPv4 or IPv6 address of that router, then the packet is
     mapped to that LSP."
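   The difference between the two wordings of the rule, as an added
   example (not code from the draft): map_to_lsp, the FEC table and the
   LSP names are hypothetical, and the addresses are constructed from
   documentation ranges.

```python
import ipaddress


def map_to_lsp(egress_addresses, fec_table, rule="updated"):
    """Map traffic that must traverse an egress router to an LSP.

    fec_table is an ordered list of (Address Prefix FEC element, LSP name).
    rule="rfc5036" applies the original wording (a /32 address of the router);
    rule="updated" accepts any IPv4 or IPv6 address of the router, i.e. a
    host-length prefix (/32 for IPv4, /128 for IPv6).
    """
    egress = {ipaddress.ip_address(a) for a in egress_addresses}
    for prefix, lsp in fec_table:
        net = ipaddress.ip_network(prefix)
        if rule == "rfc5036":
            is_router_address = net.prefixlen == 32
        else:
            is_router_address = net.prefixlen == net.max_prefixlen
        # The FEC element must be one of the egress router's own addresses.
        if is_router_address and net.network_address in egress:
            return lsp
    return None


# Constructed sample FEC table.
SAMPLE_FECS = [
    ("2001:db8::/32", "lsp-aggregate"),      # a /32 IPv6 prefix is not a router address
    ("2001:db8::1/128", "lsp-v6-egress"),
    ("192.0.2.1/32", "lsp-v4-egress"),
]

if __name__ == "__main__":
    ipv6_only_egress = ["2001:db8::1"]
    print(map_to_lsp(ipv6_only_egress, SAMPLE_FECS, rule="rfc5036"))
    print(map_to_lsp(ipv6_only_egress, SAMPLE_FECS, rule="updated"))
```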

4. LDP Identifiers

   Section 2.2.2 of [RFC5036] specifies formulating at least one LDP
   Identifier; however, it doesn't provide any consideration in case of
   IPv6 (with or without dual-stacking).

   The first four octets of the LDP identifier, the 32-bit LSR Id
   (i.e., LDP Router Id), identify the LSR and are a globally unique
   value within the MPLS network. This is regardless of the address
   family used for the LDP session. Hence, this document preserves the
   usage of 32-bit (unsigned non-zero integer) LSR Id on an IPv6 only
   LSR (note that BGP has also mandated using 32-bit BGP Router ID on
   an IPv6 only Router [RFC6286]).

     Please note that the 32-bit LSR Id value would not map to any
     IPv4-address in an IPv6 only LSR (i.e., single stack), nor would
     there be an expectation of it being DNS-resolvable. In IPv4
     deployments, the LSR Id is typically derived from an IPv4 address,
     generally assigned to a loopback interface. In IPv6 only
     deployments, this 32-bit LSR Id must be derived by some other means
     that guarantees global uniqueness within the MPLS network, similar
     to that of BGP Identifier [RFC6286].

   This document qualifies the first sentence of last paragraph of
   Section 2.5.2 of [RFC5036] to be per address family and therefore
   updates that sentence to the following: "For a given address family,
   an LSR MUST advertise the same transport address in all Hellos that
   advertise the same label space." This rightly enables the per-
   platform label space to be shared between IPv4 and IPv6.

   In summary, this document not only allows the usage of a common LDP
   identifier i.e. same LSR-Id (aka LDP Router-Id), but also the common
   Label space id for both IPv4 and IPv6 on a dual-stack LSR.

   This document reserves 0.0.0.0 as the LSR-Id, and prohibits its
   usage.

5. Peer Discovery

5.1. Basic Discovery Mechanism

   Section 2.4.1 of [RFC5036] defines the Basic Discovery mechanism for
   directly connected LSRs. Following this mechanism, LSRs periodically
   send LDP Link Hellos destined to the "all routers on this subnet"
   group multicast IP address.

   Interestingly enough, per the IPv6 addressing architecture [RFC4291],
   IPv6 has three "all routers on this subnet" multicast addresses:

         FF01:0:0:0:0:0:0:2   = Interface-local scope

         FF02:0:0:0:0:0:0:2   = Link-local scope

         FF05:0:0:0:0:0:0:2   = Site-local scope

   [RFC5036] does not specify which particular IPv6 'all routers on
   this subnet' group multicast IP address should be used by LDP Link
   Hellos.

   This document specifies the usage of link-local scope (i.e.,
   FF02:0:0:0:0:0:0:2) as the destination multicast IP address in IPv6
   LDP Link Hellos. An LDP Hello packet received on any of the other

   originated is set equal to once every MinLSInterval seconds, whose
   value is 5 seconds (see Section 12.4 of [OSPF]).  The frequency at
   which new LSA instances are accepted during flooding is once every
   MinLSArrival seconds, whose value is set to 1 (see Section 13,
   Appendix B and G.5 of [OSPF]).

   Proper operation of the OSPF protocol requires that all OSPF routers
   maintain an identical copy of the OSPF link-state database.  However,
   when the size of the link-state database becomes very large, some
   routers may be unable to keep the entire database due to resource
   shortages; we term this "database overflow".  When database overflow
   is anticipated, the routers with limited resources can be
   accommodated by configuring OSPF stub areas and NSSAs.  [OVERFLOW]
   details a way of gracefully handling unanticipated database
   overflows.
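   A monitoring sketch for the two denial-of-service patterns named in
   this section, as an added example (not code from the RFC): it replays
   constructed LSA arrival events through the MinLSArrival acceptance
   limit and counts distinct LSAs per advertising router.  The event
   tuple layout, the max_distinct threshold and the reading of closely
   spaced accepted instances as a MinLSInterval violation are
   assumptions.

```python
from collections import Counter, defaultdict

MIN_LS_ARRIVAL = 1.0    # seconds between accepted instances of one LSA
MIN_LS_INTERVAL = 5.0   # seconds between originated instances of one LSA


def audit_flooding(events, max_distinct=3):
    """Replay (time, LS type, link-state ID, advertising router) events.

    Returns, per advertising router:
      dropped             instances discarded by the MinLSArrival limit
      interval_violations accepted instances that followed the previous one
                          sooner than MinLSInterval (heuristic: the originator
                          should not have produced them that quickly)
    and the routers advertising more than max_distinct distinct LSAs.
    """
    last_accepted = {}
    dropped, fast = Counter(), Counter()
    distinct = defaultdict(set)
    for ts, ls_type, ls_id, adv in sorted(events):
        key = (ls_type, ls_id, adv)
        prev = last_accepted.get(key)
        if prev is not None and ts - prev < MIN_LS_ARRIVAL:
            dropped[adv] += 1          # arrived too soon: not accepted
            continue
        if prev is not None and ts - prev < MIN_LS_INTERVAL:
            fast[adv] += 1
        last_accepted[key] = ts
        distinct[adv].add((ls_type, ls_id))
    suspects = sorted(r for r, ids in distinct.items() if len(ids) > max_distinct)
    return {"dropped": dict(dropped),
            "interval_violations": dict(fast),
            "overflow_suspects": suspects}


# Constructed sample events (router IDs from a documentation range).
A, B, C = "192.0.2.1", "192.0.2.2", "192.0.2.3"
SAMPLE_EVENTS = (
    # A re-floods the same type-10 LSA four times within 1.5 seconds.
    [(t, 10, 0x01000001, A) for t in (0.0, 0.2, 0.4, 1.5)]
    # B advertises five distinct type-10 LSAs in quick succession.
    + [(i * 0.1, 10, 0x80000000 + i, B) for i in range(5)]
    # C refreshes one type-9 LSA after six seconds.
    + [(0.0, 9, 0x01000007, C), (6.0, 9, 0x01000007, C)]
)

if __name__ == "__main__":
    print(audit_flooding(SAMPLE_EVENTS))
```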

7.0 IANA Considerations

   Opaque types are maintained by the IANA.  Extensions to OSPF which
   require a new Opaque type must be reviewed by the OSPF working group.
   In the event that the OSPF working group has disbanded the review
   shall be performed by a recommended Designated Expert.

   Following the policies outlined in [IANA], Opaque type values in the
   range of 0-127 are allocated through an IETF Consensus action and
   Opaque type values in the range of 128-255 are reserved for private
   and experimental use.

8.0 References

   [ARA] Coltun, R., and J. Heinanen, "The OSPF Address Resolution
         Advertisement Option", Work in Progress.

   [DEMD] Moy, J., "Extending OSPF to Support Demand Circuits", RFC
          1793, April 1995.

   [DIGI] Murphy, S., Badger, M., and B. Wellington, "OSPF with Digital
          Signatures", RFC 2154, June 1997.

   [IANA] Narten, T., and H. Alvestrand, "Guidelines for Writing an IANA
          Considerations Section in RFCs", Work in Progress.

   [MOSPF] Moy, J., "Multicast Extensions to OSPF", RFC 1584, March
           1994.

   [NSSA] Coltun, R., and V. Fuller, "The OSPF NSSA Option", RFC 1587,
          March 1994.

   [OSPF] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998.

   [OSPFMIB] Baker, F., and R. Coltun, "OSPF Version 2 Management
             Information Base", RFC 1850, November 1995.

   [OVERFLOW] Moy, J., "OSPF Database Overflow", RFC 1765,
              March 1995.

9.0 Author's Information

   Rob Coltun
   FORE Systems

   Phone: (703) 245-4543
   EMail: rcoltun@fore.com

Appendix A: OSPF Data formats

   This appendix describes the format of the Options Field followed by
   the packet format of the Opaque LSA.

A.1 The Options Field

   The OSPF Options field is present in OSPF Hello packets, Database
   Description packets and all link-state advertisements.  The Options
   field enables OSPF routers to support (or not support) optional
   capabilities, and to communicate their capability level to other OSPF
   routers. Through this mechanism routers of differing capabilities can
   be mixed within an OSPF routing domain.

   When used in Hello packets, the Options field allows a router to
   reject a neighbor because of a capability mismatch.  Alternatively,
   when capabilities are exchanged in Database Description packets a
   router can choose not to forward certain link-state advertisements to
   a neighbor because of its reduced functionality.  Lastly, listing
   capabilities in link-state advertisements allows routers to forward
   traffic around reduced functionality routers by excluding them from
   parts of the routing table calculation.

   Six bits of the OSPF Options field have been assigned, although only
   the O-bit is described completely by this memo.  Each bit is
   described briefly below. Routers should reset (i.e., clear)
   unrecognized bits in the Options field when sending Hello packets or
   Database Description packets and when originating link-state
   advertisements. Conversely, routers encountering unrecognized Option
   bits in received Hello Packets, Database Description packets or
   link-state advertisements should ignore the capability and process
   the packet/advertisement normally.

                +------------------------------------+
                | * | O | DC | EA | N/P | MC | E | * |
                +------------------------------------+

                             The Options Field

   E-bit
        This bit describes the way AS-external-LSAs are flooded, as
        described in Sections 3.6, 9.5, 10.8 and 12.1.2 of [OSPF].

   MC-bit
        This bit describes whether IP multicast datagrams are forwarded
        according to the specifications in [MOSPF].

   N/P-bit
        This bit describes the handling of Type-7 LSAs, as specified in
        [NSSA].

   DC-bit
        This bit describes the router's handling of demand circuits, as
        specified in [DEMD].

   EA-bit
        This bit describes the router's willingness to receive and
        forward External-Attributes-LSAs, as specified in [EAL].

   O-bit
        This bit describes the router's willingness to receive and
        forward Opaque-LSAs as specified in this document.

A.2 The Opaque LSA

   Opaque LSAs are Type 9, 10 and 11 link-state advertisements.  These
   advertisements may be used directly by OSPF or indirectly by some
   application wishing to distribute information throughout the OSPF
   domain.  The function of the Opaque LSA option is to provide for
   future extensibility of OSPF.

   Opaque LSAs contain some number of octets (of application-specific
   data) padded to 32-bit alignment.  Like any other LSA, the Opaque LSA
   uses the link-state database distribution mechanism for flooding this
   information throughout the topology.  However, the Opaque LSA has a
   flooding scope associated with it so that the scope of flooding may
   be link-local (type 9), area-local (type 10) or the entire OSPF
   routing domain (type 11).  Section 3 of this document describes the
   flooding procedures for the Opaque LSA.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |            LS age             |     Options   |   9, 10 or 11 |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |  Opaque Type  |               Opaque ID                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      Advertising Router                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                      LS Sequence Number                       |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |         LS checksum           |           Length              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      +                                                               +
      |                      Opaque Information                       |
      +                                                               +
      |                              ...                              |

   Link-State Type

     The link-state type of the Opaque LSA identifies the LSA's range of
     topological distribution. This range is referred to as the Flooding
     Scope.  The following explains the flooding scope of each of the
     link-state types.

     o A value of 9 denotes a link-local scope. Opaque LSAs with a
     link-local scope are not flooded beyond the local (sub)network.

     o A value of 10 denotes an area-local scope. Opaque LSAs with an
     area-local scope are not flooded beyond the area that they are
     originated into.

     o A value of 11 denotes that the LSA is flooded throughout the
     Autonomous System (e.g., has the same scope as type-5 LSAs).
     Opaque LSAs with AS-wide scope are not flooded into stub areas.

   Syntax Of The Opaque LSA's Link-State ID

   The link-state ID of the Opaque LSA is divided into an Opaque Type
   field (the first 8 bits) and an Opaque ID (the remaining 24 bits).
   See section 7.0 of this document for a description of Opaque type
   allocation and assignment.
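
   The header layout, Options bits and flooding scopes described in
   this appendix, as an added parsing example (not part of the RFC).
   The function name, the returned dictionary keys and the sample
   bytes are constructed for illustration; the LS checksum is carried
   through but not verified.

```python
import ipaddress
import struct

# Options bits, MSB first, as drawn in A.1: | * | O | DC | EA | N/P | MC | E | * |
OPTION_BITS = {0x40: "O", 0x20: "DC", 0x10: "EA", 0x08: "N/P", 0x04: "MC", 0x02: "E"}
UNASSIGNED_OPTION_MASK = 0x81          # the two "*" positions
FLOODING_SCOPE = {9: "link-local", 10: "area-local", 11: "AS-wide"}
LSA_HEADER_LEN = 20                    # the five 32-bit words before Opaque Information


class LSAError(ValueError):
    """Raised when a buffer cannot be a well-formed Opaque LSA."""


def parse_opaque_lsa(buf):
    """Parse one Opaque LSA from bytes; reject anything malformed."""
    if len(buf) < LSA_HEADER_LEN:
        raise LSAError("truncated LSA header")
    (age, options, ls_type, ls_id, adv_rtr,
     seq, cksum, length) = struct.unpack("!HBBIIIHH", buf[:LSA_HEADER_LEN])
    if ls_type not in FLOODING_SCOPE:
        raise LSAError("LS type %d is not an Opaque LSA (9, 10 or 11)" % ls_type)
    # The Length field counts the 20-byte header; never read past the buffer.
    if length < LSA_HEADER_LEN or length > len(buf):
        raise LSAError("Length field %d does not fit the received data" % length)
    if length % 4:
        raise LSAError("Opaque Information is not padded to 32-bit alignment")
    return {
        "ls_age": age,
        "options": [name for bit, name in OPTION_BITS.items() if options & bit],
        # Unrecognized bits are ignored on receipt, but are worth logging.
        "unassigned_option_bits": options & UNASSIGNED_OPTION_MASK,
        "scope": FLOODING_SCOPE[ls_type],
        # Link-state ID: first 8 bits Opaque Type, remaining 24 bits Opaque ID.
        "opaque_type": ls_id >> 24,
        "opaque_id": ls_id & 0xFFFFFF,
        "advertising_router": str(ipaddress.IPv4Address(adv_rtr)),
        "ls_seq": seq,
        "ls_checksum": cksum,          # not verified in this example
        "opaque_info": bytes(buf[LSA_HEADER_LEN:length]),
    }


# Constructed sample: type-10 LSA, O and E bits set, Opaque Type 200,
# Opaque ID 0x000102, 8 octets of application data, checksum left as zero.
SAMPLE_LSA = struct.pack(
    "!HBBIIIHH", 1, 0x42, 10, (200 << 24) | 0x000102,
    int(ipaddress.IPv4Address("192.0.2.1")), 0x80000001, 0, 28,
) + b"\x00\x01\x00\x04\xde\xad\xbe\xef"

if __name__ == "__main__":
    for key, value in parse_opaque_lsa(SAMPLE_LSA).items():
        print(key, "=", value)
```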

Appendix B.  Full Copyright Statement

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

destination addresses must be dropped. Additionally, the link-local
   IPv6 address MUST be used as the source IP address in IPv6 LDP Link
   Hellos.

   Also, the LDP Link Hello packets must have their IPv6 Hop Limit set
   to 255, and be checked for the same upon receipt before any further
   processing, as specified in Generalized TTL Security Mechanism
   (GTSM)[RFC5082]. The built-in inclusion of GTSM automatically
   protects IPv6 LDP from off-link attacks.

   More importantly, if an interface is a dual-stack LDP interface
   (e.g. enabled with both IPv6 and IPv4 LDP), then the LSR must
   periodically send both IPv6 and IPv4 LDP Link Hellos (using the same
   LDP Identifier per section 4) on that interface and be able to
   receive them. This facilitates discovery of IPv6-only, IPv4-only and
   dual-stack peers on the interface's subnet.

     An implementation should prefer sending IPv6 LDP Link Hellos
     before sending IPv4 LDP Link Hellos on a dual-stack interface, if
     possible.

   Lastly, the IPv6 and IPv4 LDP Link Hellos MUST carry the same LDP
   identifier (assuming per-platform label space usage).

5.2. Extended Discovery Mechanism

   Suffice to say, the extended discovery mechanism (defined in section
   2.4.2 of [RFC5036]) doesn't require any additional IPv6 specific
   consideration, since the targeted LDP Hellos are sent to a pre-
   configured (unicast) destination IPv6 address.

   The link-local IP addresses MUST NOT be used as the source or
   destination IPv6 addresses in extended discovery.

6. LDP Session Establishment and Maintenance

   Section 2.5.1 of [RFC5036] defines a two-step process for LDP
   session establishment, once the peer discovery has completed (LDP
   Hellos have been exchanged):

     1. Transport connection establishment
     2. Session initialization

Asati, et. al          Expires June 28, 2014               [Page 8]
Internet-Draft         draft-ietf-mpls-ldp-ipv6       December 28, 2013

   The forthcoming sub-sections discuss the LDP consideration for IPv6
   and/or dual-stacking in the context of session establishment and
   maintenance.

6.1. Transport connection establishment

   Section 2.5.2 of [RFC5036] specifies the use of an optional
   transport address object (TLV) in LDP Link Hello message to convey
   the transport (IP) address, however, it does not specify the
   behavior of LDP if both IPv4 and IPv6 transport address objects
   (TLV) are sent in a Hello message or separate Hello messages. More
   importantly, it does not specify whether both IPv4 and IPv6
   transport connections should be allowed, if there were Hello
   adjacencies for both IPv4 and IPv6 whether over a single interface
   or multiple interfaces.

   This document specifies that:

     1. An LSR MUST NOT send a Hello containing both IPv4 and IPv6
        transport address optional objects. In other words, there MUST
        be at most one optional Transport Address object in a Hello
        message. An LSR MUST include only the transport address whose
        address family is the same as that of the IP packet carrying
        Hello.

     2. An LSR SHOULD accept the Hello message that contains both IPv4
        and IPv6 transport address optional objects, but MUST use only
        the transport address whose address family is the same as that
        of the IP packet carrying Hello. An LSR SHOULD accept only the
        first transport object for a given Address family in the
        received Hello message, and ignore the rest, if the LSR
        receives more than one transport object.

     3. An LSR MUST send separate Hellos (each containing either IPv4
        or IPv6 transport address optional object) for each IP address
        family, if LDP was enabled for both IP address families.

     4. An LSR MUST use a global unicast IPv6 address in IPv6 transport
        address optional object of outgoing targeted hellos, and check
        for the same in incoming targeted hellos (i.e. MUST discard the
        hello, if it failed the check).

     5. An LSR MUST prefer using global unicast IPv6 address for an LDP
        session with a remote LSR, if it had to choose between global
        unicast IPv6 address and unique-local or link-local IPv6
        address (pertaining to the same LDP Identifier) for the
        transport connection.

     6. An LSR SHOULD NOT create (or honor the request for creating) a
        TCP connection for a new LDP session with a remote LSR, if they
        already have an LDP session (for the same LDP Identifier)
        established over whatever IP version transport.

        This means that only one transport connection is established,
        regardless of whether one or two Hello adjacencies (one for
        IPv4 and another for IPv6) are created and maintained over a
        single interface (scenario 1 in section 1.1) or multiple
        interfaces (scenario 2 in section 1.1) between two LSRs.

     7. An LSR SHOULD prefer the LDP/TCP connection over IPv6 for a new
        LDP session with a remote LSR, if it has both IPv4 and IPv6
        hello adjacencies for the same (peer) LDP Identifier (over a
        dual-stack interface, or two or more single-stack IPv4 and IPv6
        interfaces). This applies to the section 2.5.2 of RFC5036.

        Each LSR, assuming an active role for whichever address
        family(s), should enforce this LDP/TCP connection over IPv6
        preference for a time-period (default value is 15 seconds),
        after which LDP/TCP connection over IPv4 should be attempted.
        This enforcement is independent of whether the LSR is assuming
        the active role for IPv4. This timer is started upon receiving
        the first hello from the neighbor.

     8. An LSR SHOULD prefer the LDP/TCP connection over IPv6 for a new
        LDP session with a remote LSR, if they attempted two TCP
        connections using different transport address families (IPv4
        and IPv6) simultaneously.

   An implementation may provide an option to favor one AFI (IPv4, say)
   over another AFI (IPv6, say) for the TCP transport connection, so as
   to use the favored IP version for the LDP session, and force
   deterministic active/passive roles.
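
   The receive-side checks from section 5.1 (Hop Limit 255 on Link
   Hellos), section 5.2 (no link-local source in extended discovery)
   and rules 2 and 4 above, as an added example that is not part of
   the draft. The Hello class, the function names and the addresses
   are hypothetical; enforcing the link-local source rule on receipt
   and the definition of "global unicast" used here are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

GTSM_HOP_LIMIT = 255                       # section 5.1: required on Link Hellos
ULA = ipaddress.ip_network("fc00::/7")     # unique-local IPv6 range


@dataclass
class Hello:
    """Hypothetical decoded view of a received LDP Hello carried in IPv6."""
    src: str                     # IPv6 source address of the packet
    hop_limit: int               # Hop Limit as received
    targeted: bool               # True for extended discovery
    transport_addrs: list = field(default_factory=list)  # objects, in wire order


def is_global_unicast(addr):
    # Assumption: IPv6 unicast that is not link-local, unique-local,
    # loopback or unspecified counts as global unicast.
    return addr.version == 6 and not (
        addr.is_link_local or addr.is_multicast or addr.is_loopback
        or addr.is_unspecified or addr in ULA)


def check_ipv6_hello(h):
    """Return (accepted, transport_address_or_None, reason)."""
    try:
        src = ipaddress.ip_address(h.src)
        objects = [ipaddress.ip_address(a) for a in h.transport_addrs]
    except ValueError:
        return False, None, "malformed address"
    if src.version != 6:
        return False, None, "not carried in IPv6"
    if h.targeted:
        if src.is_link_local:
            return False, None, "link-local source in extended discovery"
    else:
        if h.hop_limit != GTSM_HOP_LIMIT:
            return False, None, "GTSM: Hop Limit is not 255"
        if not src.is_link_local:          # assumption: enforced on receipt
            return False, None, "Link Hello source is not link-local"
    # Rule 2: use only the first object whose family matches the packet.
    same_family = [a for a in objects if a.version == 6]
    chosen = same_family[0] if same_family else None
    # Rule 4: a targeted Hello must carry a global unicast transport address.
    if h.targeted and chosen is not None and not is_global_unicast(chosen):
        return False, None, "targeted Hello transport address is not global unicast"
    return True, chosen, "ok"


# Constructed samples (documentation and unique-local addresses only).
SAMPLES = {
    "link_ok": Hello("fe80::1", 255, False,
                     ["192.0.2.1", "2001:db8::1", "2001:db8::2"]),
    "link_off_link": Hello("fe80::1", 254, False, ["2001:db8::1"]),
    "targeted_ula": Hello("2001:db8::9", 64, True, ["fd00::1"]),
    "targeted_ok": Hello("2001:db8::9", 64, True, ["2001:db8::1"]),
}

if __name__ == "__main__":
    for name, hello in SAMPLES.items():
        print(name, check_ipv6_hello(hello))
```

   A returned transport address of None means the Hello carried no
   IPv6 Transport Address object.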

6.2. Maintaining Hello Adjacencies

   In line with the section 2.5.5 of RFC5036, this draft describes that
   if an LSR has a dual-stack interface, which is enabled with both
   IPv6 and IPv4 LDP, then the LSR must periodically send and receive
   both IPv6 and IPv4 LDP Link Hellos.

     This ensures successful LDP discovery and subsequent peering using
     the appropriate (address family) transport on a multi-access or
     broadcast interface (even if there are IPv6-only, IPv4-only and
     dual-stack LSRs connected to that interface).

   While the LSR receives both IPv4 and IPv6 LDP Link Hello messages on
   the interface, this document allows an LSR to maintain Rx-side Link
   Hello adjacency either for only the address family that has been
   used for the establishment of the LDP session (IPv4 or IPv6), or for
   both IPv4 and IPv6 address families.

6.3. Maintaining LDP Sessions

   Two LSRs maintain a single LDP session between them (i.e. not tear
   down an existing session), as described in section 6.1, whether

   - they are connected via a dual-stack LDP enabled interface or via
     two single-stack LDP enabled interfaces;
   - a single-stack interface is converted to a dual-stack interface
     (e.g. figure 1) on either LSR;
   - an additional single-stack or dual-stack interface is added or
     removed between two LSRs (e.g. figure 2).

   Needless to say that the procedures defined in section 6.1 should
   result in preferring LDPoIPv6 session only after the loss of an
   existing LDP session (because of link failure, node failure, reboot
   etc.).

   If the last hello adjacency for a given address family goes down
   (e.g. due to dual-stack interfaces being converted into single-
   stack interfaces on one LSR etc.), and that address family is the
   same as the one used in the transport connection, then the transport
   connection (LDP session) SHOULD be reset. Otherwise, the LDP session
   should stay intact.

   If the LDP session is torn down for whatever reason (LDP disabled
   for the corresponding transport, hello adjacency expiry etc.), then
   the LSRs should initiate establishing a new LDP session as per the
   procedures described in section 6.1 of this document along with
   RFC5036.

7. Label Distribution

   An LSR MUST NOT allocate and advertise FEC-Label bindings for link-
   local IPv6 address, and ignore such bindings, if ever received. An
   LSR MUST treat the IPv4-mapped IPv6 address, defined in section
   2.5.5.2 of [RFC4291], the same as that of a global IPv6 address and
   not mix it with the 'corresponding' IPv4 address.

   Additionally, to ensure backward compatibility (and interoperability
   with IPv4-only LDP implementations) in light of section 3.4.1.1 of
   RFC5036, as rationalized in the Appendix A.1, this document
   specifies that -

     1. An LSR MUST NOT send a label mapping message with a FEC TLV
        containing FEC Elements of different address family. In other
        words, a FEC TLV in the label mapping message MUST contain the
        FEC Elements belonging to the same address family.
     2. An LSR MUST NOT send an Address message (or Address Withdraw
        message) with an Address List TLV containing IP addresses of
        different address family. In other words, an Address List TLV
        in the Address (or Address Withdraw) message MUST contain the
        addresses belonging to the same address family.

   An LSR MAY constrain the advertisement of FEC-label bindings for a
   particular address family by negotiating the IP Capability for a
   given AFI, as specified in [IPPWCap] document.

8. LDP Identifiers and Next Hop Addresses

   RFC5036 section 2.7 specifies the logic for mapping the IP routing
   next-hop (of a given FEC) to an LDP peer so as to find the correct
   label entry for that FEC. The logic involves using the IP routing
   next-hop address as an index into the (peer Address) database (which
   is populated by the Address message containing mapping between each
   peer's local addresses and its LDP Identifier) to determine the LDP
   peer.

   However, this logic is insufficient to deal with duplicate IPv6
   (link-local) next-hop addresses used by two or more peers. The
   reason is that all interior IPv6 routing protocols (can) use link-
   local IPv6 addresses as the IP routing next-hops, and 'IPv6
   Addressing Architecture [RFC4291]' allows a link-local IPv6 address
   to be used on more than one link.

   Hence, this logic is extended by this specification to involve not
   only the IP routing next-hop address, but also the IP routing next-
   hop interface to uniquely determine the LDP peer(s). The next-hop
   address-based LDP peer mapping is to be done through LDP peer
   address database (populated by Address messages received from the
   LDP peers), whereas next-hop interface-based LDP peer mapping is to
   be done through LDP hello adjacency/interface database (populated by
   hello messages from the LDP peers).

   This extension solves the problem of two or more peers using the
   same link-local IPv6 address (in other words, duplicate addresses)
   as the IP routing next-hops.

   Lastly, for better scale and optimization, an LSR may advertise only
   the link-local IPv6 addresses in the Address message, assuming that
   the peer uses only the link-local IPv6 addresses as static and/or
   dynamic IP routing next-hops.
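
   The extended lookup described in this section, as an added example
   that is not part of the draft: the peer is resolved from the
   next-hop address together with the next-hop interface. The class,
   method and interface names, LDP Identifiers and addresses are
   hypothetical.

```python
from collections import defaultdict


class PeerResolver:
    """Maps an IP routing next-hop to an LDP peer (LDP Identifier)."""

    def __init__(self):
        # Peer address database, populated from received Address messages.
        self.addr_db = defaultdict(set)    # next-hop address -> LDP Identifiers
        # Hello adjacency/interface database, populated from received Hellos.
        self.adj_db = defaultdict(set)     # interface name -> LDP Identifiers

    def learn_address(self, ldp_id, address):
        self.addr_db[address].add(ldp_id)

    def learn_adjacency(self, ldp_id, interface):
        self.adj_db[interface].add(ldp_id)

    def adjacency_lost(self, ldp_id, interface):
        self.adj_db[interface].discard(ldp_id)

    def by_address(self, next_hop):
        """RFC5036 section 2.7 style lookup: address only."""
        return set(self.addr_db.get(next_hop, ()))

    def resolve(self, next_hop, interface):
        """Extended lookup: the peer must own the address and be adjacent
        on the next-hop interface. Returns the LDP Identifier, or None when
        no peer or more than one peer matches."""
        matches = self.by_address(next_hop) & set(self.adj_db.get(interface, ()))
        return next(iter(matches)) if len(matches) == 1 else None


def build_sample():
    # Constructed topology: two peers reuse fe80::1 on different links.
    r = PeerResolver()
    r.learn_address("192.0.2.1:0", "fe80::1")
    r.learn_address("192.0.2.2:0", "fe80::1")
    r.learn_adjacency("192.0.2.1:0", "eth0")
    r.learn_adjacency("192.0.2.2:0", "eth1")
    return r


if __name__ == "__main__":
    r = build_sample()
    print("address only:", sorted(r.by_address("fe80::1")))   # ambiguous
    print("via eth0:", r.resolve("fe80::1", "eth0"))
    print("via eth1:", r.resolve("fe80::1", "eth1"))
```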

9. LDP TTL Security

   This document recommends enabling Generalized TTL Security Mechanism
   (GTSM) for LDP, as specified in [RFC6720], for the LDP/TCP transport
   connection over IPv6 (i.e. LDPoIPv6).

   [RFC6720] allows for the implementation to statically
   (configuration) and/or dynamically override the default behavior
   (enable/disable GTSM) on a per-peer basis. Suffice to say that such
   an option could be set on either LSR (since GTSM negotiation would
   ultimately disable GTSM between LSR and its peer(s)).

   The GTSM inclusion is intended to automatically protect IPv6 LDP
   peering session from off-link attacks.

10. IANA Considerations

   None.

11. Security Considerations

   The extensions defined in this document only clarify the behavior of
   LDP; they do not define any new protocol procedures. Hence, this
   document does not add any new security issues to LDP.

   While the security issues relevant for the [RFC5036] are relevant
   for this document as well, this document reduces the chances of off-
   link attacks when using IPv6 transport connection by including the
   use of GTSM procedures [RFC5082].

   Moreover, this document allows the use of IPsec [RFC4301] for IPv6
   protection, hence, LDP can benefit from the additional security as
   specified in [RFC4835] as well as [RFC5920].

12. Acknowledgments

   We acknowledge the authors of [RFC5036], since some text in this
   document is borrowed from [RFC5036].

   Thanks to Bob Thomas for providing critical feedback to improve this
   document early on.

   Many thanks to Eric Rosen, Lizhong Jin, Bin Mo, Mach Chen, Shane
   Amante, Pranjal Dutta, Mustapha Aissaoui, Matthew Bocci, Mark Tinka,
   Tom Petch, Kishore Tiruveedhula, Manoj Dutta, Vividh Siddha, Qin Wu,
   and Loa Andersson for thoroughly reviewing this document, and
   providing insightful comments and multiple improvements.

   Also, thanks to Andre Pelletier (who brought up the issue about
   active/passive determination, and helped us craft the appropriate
   solutions).

13. Additional Contributors

   The following individuals contributed to this document:

   Kamran Raza
   Cisco Systems, Inc.
   2000 Innovation Drive
   Kanata, ON K2K-3E8, Canada
   Email: skraza@cisco.com

   Nagendra Kumar
   Cisco Systems, Inc.
   SEZ Unit, Cessna Business Park,
   Bangalore, KT, India
   Email: naikumar@cisco.com

   Andre Pelletier
   Email: apelleti@cisco.com

14. References

14.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4291] Hinden, R. and S. Deering, "Internet Protocol Version 6
             (IPv6) Addressing Architecture