Efficient Route Invalidation
RFC 9009

Note: This ballot was opened for revision 12 and is now closed.

Alvaro Retana Yes

Benjamin Kaduk No Objection

Comment (2019-06-25 for -12)
I think that we need greater clarity about whether the DCOSequence
number is just a series of monotonic (i.e., time-ordered) nonces (to be
echoed back for matching request/response) or a full-on sequence counter
that allows for loss detection as well as providing in-order delivery.
It sounds like we just need the time-ordering and single-use properties,
but I'm not entirely sure.  I wavered about making this a Discuss point
but ended up not doing so since I'm not sure how much harm is being
risked.  (I also mention this topic a couple times in the
section-by-section comments below.)

I agree with Barry that the Abstract is really hard to parse.

Section 1.2

   RPL uses NPDAO messaging in the storing mode so that the node
   changing it routing adjacencies can invalidate the previous route.

nit: "its routing adjacencies"

   This is needed so that nodes along the previous path can release any
   resources (such as the routing entry) it maintains on behalf of
   target node.

nit: singular/plural mismatch "nodes"/"it maintains"

Section 4.1

                                                            When node A
   receives the regular DAO, it finds that it already has a routing
   table entry on behalf of the target address of node D.  It finds
   however that the next hop information for reaching node D has changed
   i.e., node D has decided to change the paths.  In this case, Node A
   which is the common ancestor node for node D along the two paths
   (previous and new), should generate a DCO which traverses downwards
   in the network.

I can't decide whether or not it helps readability to reiterate that in
addition to creating the DCO, node A also does normal DAO processing
(e.g., forwarding to the 6LBR).  I guess the example in A.1 does show
this normal processing, so maybe it's overkill to also do so here.

Section 4.2

               Transit Information Option should be carried in the DAO
   message with I-flag set in case route invalidation is sought for the
   corresponding target(s).

nit: this text as written implies that the I-flag is set in the DAO
itself, not the TIO therein.

I'd also suggest to s/in case/when/ for clarity.

   The common ancestor node SHOULD generate a DCO message in response to
   this I-flag when it sees that the routing adjacencies have changed
   for the target.  I-flag governs the ownership of the DCO message in a
   way that the target node is still in control of its own route
   invalidation.

nit: "The I-flag" (start of last sentence).

I'd further suggest rewording to something like "The I-flag is intended
to give the target node control over its own route invalidation, serving
as a signal to request DCO generation; in normal operation a DCO would
not otherwise be generated"; the current text about "ownership" has some
weird connotations/implications and this text also implicitly assumes
that DAO/TIO/I-flag will never be maliciously generated.  It is also a
little weaker about unsolicited DCO, per Section 4.5.

Section 4.3

   A new ICMPv6 RPL control message type is defined by this
   specification called as "Destination Cleanup Object" (DCO), which is

nit: either "called" or "known as" or "referred to as" would be fine;
"called as" is a grammatical mismatch.

   DCOSequence: Incremented at each unique DCO message from a node and
   echoed in the DCO-ACK message.  The initial DCOSequence can be chosen
   randomly by the node.

What's the behavior if a sequence number is skipped?  (Why do we have a
sequence number if we aren't going to detect and act on this condition?)
Ah, I see Section 4.3.3, but perhaps a forward-reference is in order.

Section 4.3.4

It seems that the "Reserved" field should be called "Flags", since a
registry is being created for it.

(I trust that the language about the D flag and DODAGID optionality from
Barry's ballot thread is consistent between DCO and DCO-ACK.)

Section 4.4

   1.  If a node sends a DCO message with newer or different information
       than the prior DCO message transmission, it MUST increment the
       DCOSequence field by at least one.  A DCO message transmission
       that is identical to the prior DCO message transmission MAY
       increment the DCOSequence field.

While reading up to this point I managed to confuse myself about Path
Sequence (which must be consistent from DAO to DCO) and the separate
DAOSequence and DCOSequence fields.  To check my (less confused)
understanding, I guess if I could over-summarize, Path Sequence is like
a generation counter for a given node's position in the routing
topology, and the other two are for managing retransmission/ack of the
respective update messages.  So if that mental model is correct, then
there's not any value from trying to introduce a shared sequence number
space for DCO and DAO, even though they are frequently going to be
generated at the same time, especially since they have different
recipients.  Right?

I do agree with the other discussion that we need clarity about whether
the increment is exactly one or larger values are allowed (plus,
presumably, whether the recipient should infer anything from a sequence
number gap).  I do note that these are expected to be "lollipop
sequence counters" per RFC 6550.

   4.  A node receiving a unicast DCO message with the 'K' flag set
       SHOULD respond with a DCO-ACK.  A node receiving a DCO message
       without the 'K' flag set MAY respond with a DCO-ACK, especially
       to report an error condition.

This seems redundant with Section 4.3's "A node receiving a DCO message
without the 'K' flag set MAY respond with a DCO-ACK, especially to
report an error condition."

Section 4.4

   The scope of DCOSequence values is unique to each node.

recipient or originator?

Section 4.5

   path on behalf of the target entry.  The 6LR has all the state
   information namely, the Target address and the Path Sequence,

nit: comma before "namely".

Section 4.6.2

   Even with the changed semantics, the current NPDAO mechanism in
   [RFC6550] can still be used, for example, when the route lifetime
   expiry of the target happens or when the node simply decides to
   gracefully terminate the RPL session on graceful node shutdown.

Er, what changed semantics?  This document does not have an Updates:
relationship to any other document.

Section 4.6.3

   Note that there is no requirement of synchronization between DCO and
   DAOs.  The DelayDCO timer simply ensures that the DCO control
   overhead can be reduced and is only needed when the network contains
   nodes using multiple preferred parent.

This ("no requirement of synchronization") is because the benefit of DCO
is in expiring routes faster than their normal expiration time to save
local storage, rather than to provide synchronous route migration?  (It
might be worth reiterating, if you want.)

Section 7

   This document introduces the ability for a common ancestor node to
   invalidate a route on behalf of the target node.  The common ancestor
   node is directed to do so by the target node using the 'I' flag in
   DCO's Transit Information Option.  However, the common ancestor node

nit(?): there's perhaps some wordsmithing possible about "is directed to
do so", given the next sentence and Section 4.5.

   is also met.  Having said that a malicious 6LR may spoof a DAO on
   behalf of the (sub) child with the I-flag set and can cause route
   invalidation on behalf of the (sub) child node.

IIUC, such a malicious 6LR might also spoof a DAO even without this
mechanism (to invalidate the "proper" Path Sequence) or otherwise cause
denial of service by dropping traffic entirely, so perhaps we want to
add another clause ", so this new mechanism does not present a
substantially increased risk of disruption".

   This document assumes that the security mechanisms as defined in
   [RFC6550] are followed, which means that the common ancestor node and
   all the 6LRs are part of the RPL network because they have the
   required credentials.  A non-secure RPL network needs to take into
   consideration the risks highlighted in this section.

I'd consider adding "as well as those highlighted in [RFC6550]" to the
end.

Appendix A.1

   6.  Node G receives the DCO(tgt=D,pathseq=x+1).  It checks if the
       received path sequence is latest as compared to the stored path
       sequence.  If it is latest, Node G invalidates routing entry of
       target D and forwards the (un)reachability information downstream
       to B in DCO(tgt=D,pathseq=x+1).

This wording of "latest as compared to" feels unusual to me; I would
have expected "is later than the stored path sequence" and "If it is
later", but perhaps there is a convention here that I'm missing.

nit: "invalidates the routing entry"

   9.  The propagation of the DCO will stop at any node where the node
       does not have an routing information associated with the target.
       If the routing information is present and its Path Sequence is
       higher, then still the DCO is dropped.

nit: maybe reword to "If cached routing information is present and the
cached Path Sequence is higher than the value in the DCO, then the DCO
is dropped".

Appendix A.2

I feel like we should probably mention the DelayDAO timer as well as the
DelayDCO one.

I think this is a side note, but it seems like the timer mechanism for
DelayDAO (and by extension, DelayDCO) is a bit fragile, as one party
has to wait for the full timeout before sending the message (e.g., N22
in this example) that the other party is waiting the timeout to receive
(e.g., N11).  So it seems like we are still susceptible to transport
delay/jitter and race conditions at some point in the network, even if
it's not the next-hop of the target node.  But if that's a property of
DelayDAO from RFC 6550, it doesn't really make sense to try to address
it in this document (and it's also possible I misunderstand the
situation).
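The forwarding rule queried above in steps 6 and 9 of Appendix A.1 (invalidate the entry and pass the DCO downstream only when the received Path Sequence is later than the stored one; stop at a node with no routing information for the target), shown as an added Python simulation that is not code from the ballot, the draft, or RFC 9009. The five-node topology, the node names, and the plain integer comparison of Path Sequence are assumptions made for illustration; a real implementation compares Path Sequence as an RFC 6550 lollipop counter, which is not modeled here.

```python
from dataclasses import dataclass, field


@dataclass
class Route:
    next_hop: str   # downstream hop toward the target
    path_seq: int   # Path Sequence last learned for the target


@dataclass
class Node:
    name: str
    routes: dict = field(default_factory=dict)  # target -> Route
    log: list = field(default_factory=list)


def path_seq_newer(received, stored):
    """Assumption: plain integer comparison.  Real RPL compares Path Sequence
    as an 8-bit lollipop counter (RFC 6550, Section 7.2); not modeled here."""
    return received > stored


def receive_dco(net, name, target, path_seq):
    """Steps 6 and 9 of Appendix A.1 at one node: invalidate and forward, or drop."""
    node = net[name]
    route = node.routes.get(target)
    if route is None:
        # Step 9: no routing information for the target, propagation stops.
        node.log.append(f"no route for {target}: DCO stops here")
        return
    if not path_seq_newer(path_seq, route.path_seq):
        # Step 9: stored Path Sequence is not older than the one in the DCO.
        node.log.append(
            f"stored seq {route.path_seq} not older than {path_seq}: DCO dropped")
        return
    # Step 6: release the entry and pass the DCO down the previous path.
    del node.routes[target]
    node.log.append(f"invalidated {target}, forwarding DCO to {route.next_hop}")
    receive_dco(net, route.next_hop, target, path_seq)


def build_network(x):
    """Constructed topology: previous path D-B-G-A, new parent C under A,
    so A is the common ancestor of both paths.  Path Sequence x everywhere."""
    net = {n: Node(n) for n in "ABCGD"}
    for name, hop in (("A", "G"), ("G", "B"), ("B", "D")):
        net[name].routes["D"] = Route(hop, x)
    return net


def switch_parent(net, x):
    """Node D moves to parent C: the regular DAO(tgt=D, pathseq=x+1) reaches A
    via C.  A does normal DAO processing and, seeing the next hop change,
    originates a DCO toward its previously stored (old) next hop."""
    net["C"].routes["D"] = Route("D", x + 1)
    a = net["A"]
    old = a.routes["D"]
    a.routes["D"] = Route("C", x + 1)
    receive_dco(net, old.next_hop, "D", x + 1)
    return net


def stale_dco(net, x):
    """A late or replayed DCO carrying the old Path Sequence is dropped at G."""
    receive_dco(net, "G", "D", x)
    return net
```

Running `switch_parent(build_network(5), 5)` leaves A pointing at C with Path Sequence 6, removes the entries at G and B, and stops at D, which has no entry for itself; `stale_dco(build_network(5), 5)` leaves every entry intact because the stored Path Sequence is not older than the one carried.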

Martin Vigoureux No Objection

Comment (2019-06-27 for -12)
Hi,

thank you for this document.

I only have minor comments/questions:
* Please expand LLNs

* it's a bit of a pity that D flag is bit '0' in DCO and bit '1' in DCO-ACK

* 0x05 RPL Target and 0x06 Transit Information are RPL Control Message Options but they are not really DCO Options as they MUST be present.

* it is not fully clear to me whether Path Sequence can or should be incremented on DCO retry.

* I'm not sure this has any meaning (didn't have enough time to think about this scenario) but what would happen if D sends a DAO which never reaches A and A decides to send an unsolicited DCO. How would D react to receiving a message with a sequence number which is smaller than the one it has sent? Is that an issue?

* I feel that requiring the unused flags to be set to zero is not necessary. MUST ignore the unspecified flags is sufficient.

Roman Danyliw No Objection

Comment (2019-06-26 for -12)
A few areas of ambiguity:

(1) Section 4.3.  Per “DCOSequence: Incremented at each unique DCO message …”:

-- To confirm, DCOSequence is getting incremented for each new unique DCO message?  If so, how is it incremented?

-- How is roll-over handled?

(2) Section 4.3.4.  Per the Status field and “The remaining status values are reserved as rejection codes”, where are those rejections codes described and enumerated?

A few editorial nits:

** Section 1.  Editorial Nit.  s/RPL has an optional messaging/RPL has operational messaging/

** Section 2.3.  Expand the word.  s/async/asynchronous/

** Section 4.2.  Typo. s/[RFC6550] allows parent address/[RFC6550] allows the parent address/

** Section 4.3.  All of the other field descriptions in this section specify the size of the field (e.g., 8-bit) but the description of DCOSequence does not.

** Section 4.3.2.  Cite the references for the permitted options

** Section 4.3.3. Typo.  s/seqeunce/sequence/

** Section 4.6.1.  Per “Note that setting the I-flag”, this sentence would read more clearly without the double negative.

Warren Kumari No Objection

Comment (2019-06-26 for -12)
Thank you for writing this. 

I have a few suggestions / nits:
1: Please choose one version of "pro-active" vs "proactive"

2: "In Figure 1, when node D decides to switch the path from B to C, it sends a regular DAO to node C with reachability information containing target as address of D and an incremented Path Sequence."
I found this really hard to parse -- I know what you were trying to say, but I couldn't make the words do that :-)
I think that the issue is "containing target as address of D" -- perhaps "containing the address of D as the target"? Or something?

Éric Vyncke No Objection

Comment (2019-06-27 for -12)
Thank you all for the work put into this clear and well-written document. I have only one COMMENT:  DCO should be mentioned in the abstract as the document goes beyond a problem description (as currently described in the abstract).

(Adam Roach; former steering group member) No Objection

No Objection (2019-06-26 for -12)
Thanks to the authors for a well-written and easy-to-follow document.
I only have two tiny editorial suggestions.

---------------------------------------------------------------------------

§1.2:

>  RPL uses NPDAO messaging in the storing mode so that the node
>  changing it routing adjacencies can invalidate the previous route.

Nit: "...changing its routing..."


---------------------------------------------------------------------------

§6.2:

>  The following bits are currently defined:

This value appears to be an enumeration rather than a bitmap, right? I think you
want to replace "bits" with "values" in this sentence.

(Alissa Cooper; former steering group member) No Objection

No Objection ( for -12)

(Barry Leiba; former steering group member) No Objection

No Objection (2019-06-24 for -12)
(Sorry, updated to add a second substantive comment that I forgot to put in the first time.)

I have two substantive comments:

— Section 1 —

   Further a new pro-active route invalidation message called
   as "Destination Cleanup Object" (DCO) is specified which fulfills
   requirements of an optimized route invalidation messaging.

It's a small thing, but given that this is a Standards Track document but lots of it is not specifying a standard, I think it would be useful to call out the part that is.  Maybe this way?:

NEW
   Further, a new pro-active route invalidation message called
   as "Destination Cleanup Object" (DCO) is specified which fulfills
   requirements of an optimized route invalidation messaging.
   This Standards Track specification is in Section 4.
END

— Section 4.3 —
With respect to the K flag, it’s clear from the description that if you set the K flag you expect a response and you’re likely to retry if you don’t get it.  Cool.  It’s clear that if you don’t set the K flag you might or might not get a reply, and are more likely to get a reply for an error.  Also cool.  What’s not clear is whether it’s reasonable to retry if you don’t get a reply, and you didn’t set the K flag.  I suspect that it’s not reasonable, because you didn’t ask for a reply, and I think it would help to say that: something like, “When the sender does not set the ‘K’ flag it is an indication that the sender does not expect a response, and the sender SHOULD NOT retry the DCO.”

The rest is a bunch of editorial comments, but only editorial comments.

General: I’ll note that the RFC Editor will change all the section titles to title case.  So, for example, “Invalidate routes of dependent nodes” will become “Invalidate Routes of Dependent Nodes”.  It would not be a bad thing to make those changes now, to save the RFC Editor the time.

— Abstract —

The abstract reads very badly to my eyes.  I think it comes from an effort to stuff it all into one sentence.  The Introduction actually says it in two sentences, and I think that works lots better:

   This document explains the problems
   associated with the current use of NPDAO messaging and also discusses
   the requirements for an optimized route invalidation messaging
   scheme.  Further a new pro-active route invalidation message called
   as "Destination Cleanup Object" (DCO) is specified which fulfills
   requirements of an optimized route invalidation messaging.

— Section 1 —

In “distance-vector-based routing scheme”, you need two hyphens, as shown here.

   RPL has an optional messaging in the form of DAO

Here “messaging” is a modifier, but it’s not modifying anything.  An optional messaging *what*? — you need a noun there.  Or maybe you just need to remove “an”, which also fixes the problem.

— Section 1.2 —

   so that the node
   changing it routing adjacencies can invalidate the previous route.

“its routing adjacencies” (possessive)

   This is needed so that nodes along the previous path can release any
   resources (such as the routing entry) it maintains

There’s a number mismatch here: “nodes” and “it maintains”.  You probably want “they maintain”.

— Section 1.3 —

In the section title, you either need to make it not a question (“Why NPDAO Is Important”) or change the word order to be consistent with the question (“Why Is NPDAO Important?”).

   to better achieve resource utilization.

I think “to better optimize resource utilization” is better.

— Section 4.3 —

   DODAGID (optional): 128-bit unsigned integer set by a DODAG root that
   uniquely identifies a DODAG.  This field MUST be present when the 'D'
   flag is set.

It’s probably not a real issue, but it seems mildly odd to me to mark it “optional” and then say that it MUST be set sometimes.  Probably just me.  But maybe this?:

NEW
   DODAGID: 128-bit unsigned integer set by a DODAG root that uniquely
   identifies a DODAG.  This field MUST be present when the 'D' flag is
   set and is OPTIONAL otherwise.
END

(Also in Section 4.3.4)

— Section 4.3.4 —

   If
   'K' flag is not set then the receiver of the DCO message MAY send a
   DCO-ACK to signal an error condition.

This should probably be made parallel to the description of the K flag above (and in 4.4 bullet 4 below), and say, “especially to report an error condition.”

— Section 4.4 —

   1.  If a node sends a DCO message with newer or different information
       than the prior DCO message transmission, it MUST increment the
       DCOSequence field by at least one.  A DCO message transmission
       that is identical to the prior DCO message transmission MAY
       increment the DCOSequence field.

I’m starting this by saying that I don’t think you need to change anything here, but given that I’ve just polled several SSAC folks, simply because I happen to be at ICANN right now, about the specific meaning of “increment”, I have to relate this:

All say that one can “increment by <a number>”, and that’s fine.  But we are divided on what “increment” without a number being specified means.  Some say it means “by one” if you don’t specify.  Others say that if you don’t specify, then the number is, well, unspecified and can be anything.  In the text above, you say “by at least one” the first time, which is crystal clear.  The second time you use “increment”, you don’t specify.

Now, I’m groping here, but I wonder whether there could possibly be interoperability trouble caused by a recipient expecting an identical DCO message to have a DCOSequence that is the same or +1, but won’t tolerate an increase >1.  No, probably not, probably not.  You’re right; I can’t imagine this being a problem in practice.

Never mind.

(But if you care to, you might change “increment” to “increase” to get around this silly babble.  Or not.  As you choose.)

I clearly have too much time on my hands.

Nit: In bullet 5, “i.e.” needs a comma in front of it, as well as behind.  Or, better, just remove “i.e.” and the sentence works perfectly well.

— Section 4.5 —
Nits: In bullet 2, “routing table is full thus resulting in an eviction of existing routing entry.”
1. There should be a comma before “thus”.
2. Remove “an” before “eviction”.
3. Put that removed “an” before “existing”.  (Or, alternatively, make it “entries”, plural.)

— Section 4.6.1 —

   Dependent nodes do not have any indication regarding if any of its
   parent nodes in turn have decided to switch their parent.

Nits: There are a couple of number problems here.  “Nodes” doesn’t match “its” (you need “their”).  And “parent nodes” doesn’t match “their parent” (probably “their parents”, but maybe “any of their parents”).

Similarly, the “its” in the subsequent sentence should be “their”.

And “counterproductive” is one word.

— Section 4.6.2 —
Nits: “Moreover” needs a comma after it.

In the second paragraph, “an alternate and more optimized way” should use “alternative” instead of “alternate” (the distinction matters more in UK English than in US English).

— Section 4.6.3 —

Nits: “This documents recommends” should say “document” (singular).

“all possible parent set” should say “sets” (plural).

“requirement of synchronization” should say “requirement for synchronization”.

— Section 7 —
Nits: In the second paragraph, “if the ancestor nodes sees” should say “ancestor” (singular).  And “Having said that” needs a comma after it.
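The 'K' flag and DCOSequence behaviour raised in the Section 4.3 and 4.4 comments above (Barry's question about retrying without 'K', Ben Kaduk's question about what the sequence number is for, Roman's roll-over question, and Martin's question about a DCO-ACK carrying an unexpected sequence number), as an added Python sketch of the originator side of the DCO / DCO-ACK exchange. This is not code from the draft, RFC 9009, or the ballot. It echoes DCOSequence from DCO to DCO-ACK, ignores an ACK whose sequence is not outstanding, retransmits only when 'K' was set (Barry's suggested rule, adopted here as an assumption), and keeps a retransmission identical, including its DCOSequence. The plain 8-bit wraparound (the RFC 6550 lollipop rules are not modeled), the retry limit, the receiver stub, and the reading of status 0 as acceptance and non-zero as a rejection code are assumptions.

```python
class DcoSender:
    """Originator side of DCO / DCO-ACK, simplified for illustration."""

    MAX_RETRIES = 3  # assumption: not a value from the specification

    def __init__(self, initial_seq):
        # RFC 9009 lets the initial DCOSequence be chosen randomly by the node.
        self.dco_seq = initial_seq & 0xFF
        self.pending = {}  # dco_seq -> [message, retries left]; only 'K' DCOs

    def next_seq(self):
        # Assumption: plain 8-bit wraparound. RFC 6550 lollipop semantics not modeled.
        self.dco_seq = (self.dco_seq + 1) & 0xFF
        return self.dco_seq

    def send(self, target, path_seq, want_ack):
        """Build a new DCO; a new message always gets a fresh DCOSequence."""
        seq = self.next_seq()
        msg = {"target": target, "path_seq": path_seq, "K": want_ack, "dco_seq": seq}
        if want_ack:
            self.pending[seq] = [msg, self.MAX_RETRIES]
        return msg

    def on_ack(self, ack):
        """Match the DCO-ACK by the echoed DCOSequence.  An ACK for a sequence
        that is not outstanding (duplicate, stale, or never requested) is ignored."""
        return self.pending.pop(ack["dco_seq"], None) is not None

    def on_timeout(self, seq):
        """Retransmit only if 'K' was set on the original DCO.  Without 'K' the
        sender did not ask for a reply and (assumption, per the ballot
        suggestion) does not retry.  A retransmission is byte-identical, so it
        keeps the same DCOSequence (RFC 9009 says an identical DCO MAY increment)."""
        entry = self.pending.get(seq)
        if entry is None:
            return None  # nothing outstanding: 'K' unset, already acked, or given up
        msg, left = entry
        if left == 0:
            del self.pending[seq]  # retries exhausted; the ack never came
            return None
        entry[1] = left - 1
        return msg


def receiver_handle(msg, error=None):
    """Receiver stub: respond when 'K' is set; without 'K' respond only to
    report an error.  Status 0 is taken as acceptance, non-zero as rejection."""
    if msg["K"] or error is not None:
        return {"dco_seq": msg["dco_seq"], "status": 0 if error is None else error}
    return None
```

Starting a sender at 254 shows the wrap: the first DCO carries 255, the next carries 0, and an ACK echoing 255 clears only the first; after three unanswered timeouts on sequence 0 the sender gives up, and a DCO sent without 'K' is never retransmitted but still draws a DCO-ACK from a receiver that has an error to report.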

(Deborah Brungard; former steering group member) No Objection

No Objection ( for -12)

(Magnus Westerlund; former steering group member) No Objection

No Objection ( for -12)

(Mirja Kühlewind; former steering group member) (was Discuss) No Objection

No Objection (2019-07-08 for -15)
Thanks for addressing my discuss!


Old comments below for the record:

One question on section 4.6.2: You present use of NPDAO and DCO as two options, however, the problem with the I flag is that the sender does not know if the ancestor understands the signal. Wouldn't it also make sense to use both in some cases, e.g. send DAO with I flag first and if you don't receive a DCO after some limited time, you also send the NPDAO?

Nits:
sec 1.2: s/so that the node changing it routing adjacencies/so that the node changing its routing adjacencies/ -> "it" instead of "its"

(Suresh Krishnan; former steering group member) No Objection

No Objection (2019-06-26 for -12)
* Section 4.3

"A new ICMPv6 RPL control message type" 

Shouldn't this be "code" instead of "type" given that the RPL control message types are ICMPv6 codes?