Internet Engineering Task ForceIndependent Submission D. FarinacciInternet-DraftRequest for Comments: 8112 lispers.netIntended status: ExperimentalCategory: Informational A. JainExpires: June 18, 2015ISSN: 2070-1721 Juniper Networks I. Kouvelas Arista D. LewisciscoCisco SystemsDecember 15, 2014 LISP-DDTMay 2017 Locator/ID Separation Protocol Delegated Database Tree (LISP-DDT) Referral Internet Groper (RIG)draft-farinacci-lisp-rig-05Abstract A simple tool called theLISP-DDTLocator/ID Separation Protocol Delegated Database Tree (LISP-DDT) Referral Internet Groperor 'rig'(RIG), also referred to in this document as "rig", can be used to query theLISP-DDTLISP- DDT hierarchy. Thisdraftdocument describes how the'rig'"rig" tool works. Status of This Memo ThisInternet-Draftdocument is not an Internet Standards Track specification; it is published for informational purposes. This issubmitted in full conformance witha contribution to theprovisionsRFC Series, independently ofBCP 78any other RFC stream. The RFC Editor has chosen to publish this document at its discretion andBCP 79. Internet-Draftsmakes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor areworking documentsnot a candidate for any level oftheInternetEngineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The listStandard; see Section 2 of RFC 7841. Information about the currentInternet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximumstatus ofsix monthsthis document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on June 18, 2015.http://www.rfc-editor.org/info/rfc8112. Copyright Notice Copyright (c)20142017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.Table of Contents 1. Introduction ....................................................2 2. Requirements Language. . . . . . . . . . . . . . . . . . . . 2 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2...........................................3 3.DefinitionDefinitions of Terms. . . . . . . . . . . . . . . . . . . . . 3............................................3 4. Basic Overview. . . . . . . . . . . . . . . . . . . . . . . 5..................................................5 5. Implementation Details. . . . . . . . . . . . . . . . . . . 7..........................................7 6. Security Considerations. . . . . . . . . . . . . . . . . . . 9.........................................9 7. IANA Considerations. . . . . . . . . . . . . . . . . . . . . 9.............................................9 8. References. . . . . . . . . . . . . . . . . . . . . . . . . 9......................................................9 8.1. Normative References. . . . . . . . . . . . . . . . . . 9.......................................9 8.2. Informative References. . . . . . . . . . . . . . . . . 10 Appendix A.....................................10 Acknowledgments. . . . . . . . . . . . . . . . . . 10...................................................11 Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . . 11................................................11 1.Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2.IntroductionLISP"The Locator/ID Separation Protocol (LISP)" [RFC6830] specifies an architecture and mechanism for replacing the semantics of an address currently used by IP with two separatename spaces:namespaces: EndpointIDsIdentifiers (EIDs), used withinsites,sites; and Routing Locators (RLOCs), used on the transit networks that make up the Internet infrastructure. To achieve this separation,the Locator/ID Separation Protocol (LISP)LISP defines protocol mechanisms for mapping from EIDs to RLOCs. In addition, LISP assumes the existence of a database to store and propagate those mappings globally. This document focuses on theLISP-DDT [LISP-DDT]LISP Delegated Database Tree (LISP-DDT) [RFC8111] mapping database system. The'rig'"rig" tool is a manual management tool to query the LISP-DDT mapping database hierarchy. It can be run by all deviceswhichthat implement LISP, includingITRs, ETRs, PITRs, PETRs,Ingress Tunnel Routers (ITRs), Egress Tunnel Routers (ETRs), Proxy ITRs (PITRs), Proxy ETRs (PETRs), Map-Resolvers, Map-Servers, and LISP-DDT nodes, as well as by a host system at either aLISP- capableLISP-capable or non-LISP-capable site. The LISP-DDT'rig'"rig" tool is similar to the'lig' [RFC6835]"LISP Internet Groper" ("lig") tool [RFC6835] in that they are both diagnostic tools to query a database. However,'rig'the "rig" tool is used to find Map-Servers serving an EID-prefix, specifically within a LISP-DDT mapping database framework. And'lig'"lig" can be used on top of any mapping database system to retrieve locators used for packet encapsulation.1.2. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described inRFC 2119 [RFC2119].BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 3.DefinitionDefinitions of Terms EndpointIDIdentifier (EID):An EID isa 32-bit (for IPv4) or 128-bit (for IPv6) value (or an address encodedby [LISP-LCAF])per [RFC8060]) used in the source and destination address fields of the first(most inner)(innermost) LISP header of a packet. The host obtains a destination EID the same way it obtains a destination addresstoday,today -- forexampleexample, through a Domain Name System (DNS) [RFC1034] lookup or a SessionInvitationInitiation Protocol (SIP) [RFC3261] exchange. The source EID is obtained via existing mechanisms used to set a host's "local" IP address. An EID used on the public Internet must have the same properties as any other IP address used in that manner; this means, among other things, that it must be globally unique. An EID is allocated to a host from an EID-prefix block associated with the site where the host is located. An EID can be used by a host to refer to other hosts. EIDs MUST NOT be used as LISP RLOCs. Note that EID blocks MAY be assigned in a hierarchical manner, independent of the network topology, to facilitate scaling of the mapping database. In addition, an EID block assigned to a site may have site-local structure (subnetting) for routing within the site; this structure is not visible to the global routing system. In theory, the bit string that represents an EID for one device can represent an RLOC for a different device. As the architecture is realized, if a given bit string is both an RLOC and an EID, it must refer to the same entity in both cases. When used indiscussions"discussions" with other Locator/ID separation proposals, a LISP EID will be calledaan "LEID". Throughout this document, any references to "EID"refersrefer to an LEID. Extended EID (XEID):Aa LISP EID, optionally extended with anon- zeronon-zero Instance ID (IID) if the EID is intended for use in a context where it may not be a unique value, such asonin a Virtual Private Network where"private"private address space [RFC1918] is used. See"Using Virtualization and Segmentation with LISP" inSection 5.5 of [RFC6830] for more discussion ofInstance IDs.IIDs. Routing Locator (RLOC):A RLOC isan IPv4[RFC0791][RFC791] or IPv6 [RFC2460] address of anegress tunnel routerEgress Tunnel Router (ETR).AAn RLOC is the output of an EID-to-RLOC mapping lookup. An EID maps to one or more RLOCs. Typically, RLOCs are numbered fromtopologically-topologically aggregatable blocks that are assigned to a site at each point to which it attaches to the global Internet; where the topology is defined by the connectivity of provider networks, RLOCs can be thought of asPAProvider-Assigned (PA) addresses. Multiple RLOCs can be assigned to the same ETR device or to multiple ETR devices at a site. DDTNode: Anode: a network infrastructure component responsible for specificXEID-prefixXEID-prefix(es) and for the delegation of more-specificsub- prefixessub-prefixes to other DDT nodes. DDTClient: Aclient: a network infrastructure component that sendsMap- RequestDDT Map-Request messages and implements the iterative following ofMap- ReferralMap-Referral results. Typically, a DDT client will be aMap ResolverMap-Resolver (as defined by [RFC6833]), but it is also possible for an ITR to implement DDT client functionality. A DDT client can be a device that is originating'rig'"rig" requests. DDTMap Server: AMap-Server: a DDT node that also implementsMap ServerMap-Server functionality (forwarding Map-Requests and/or returningMap- RepliesMap-Replies if offeringproxy-modea proxy Map-Reply service) for a subset of its delegated prefixes. Map-Server functions, including proxying Map-Replies, are described in [RFC6833]. DDTMap Resolver: AMap-Resolver: a network infrastructure element that accepts a Map-Request, adds the XEID to its lookup queue, then queries one or more DDT nodes for the requested EID, following returned referrals until it receives one with thethe ms-ack action.MS-ACK action code [RFC8111]. This indicates that the Map-Request has been sent to a Map-Server that will forward it to an ETR that, in turn, will provide a Map-Reply to the original sender. A DDTMap ResolverMap-Resolver maintains both (1) a cache of Map-Referral message results (termed the "referral cache") containing RLOCs for DDT nodes responsible for XEID-prefixes of interest(termed the "referral cache") plusand (2) a lookup queue of XEIDs that are being resolved through iterative querying of DDT nodes. Encapsulated Map-Request:Aa LISP Map-Request that is carried within an Encapsulated ControlMessage, whichMessage (ECM) and that has an additional LISP header prepended. Sent to UDP destination port 4342. The "outer" addresses areglobally-routableglobally routable IP addresses, also known as RLOCs. Used by an ITR when sending a Map-Request to a Map-Resolver and by a Map-Server when forwarding a Map-Request to an ETR as documented in [RFC6833]. Map-Referral:Aa LISP message sent by a DDT node when it receives a DDT Map-Request for an XEID that matches a configured XEID-prefix delegation.TheA non-Negative Map-Referral message includes a"referral","referral" -- a set of RLOCs for DDT nodes that have more information about thesub- prefix;sub-prefix; a DDT client "follows the referral" by sending another DDT Map-Request to one of those RLOCs to obtain either an answer or another referral to DDT nodes responsible for a more-specific XEID-prefix. Authoritative XEID-prefix:Anan XEID-prefix delegated to a DDT node and for which the DDT node may provide further delegations of more-specific sub-prefixes. 4. Basic OverviewThe LISP Delegated Database Tree [LISP-DDT],LISP-DDT [RFC8111] is ahierarchical,hierarchical distributed databasewhichthat embodies the delegation of authority to provide mappings from LISPEndpoint Identifiers (EIDs)EIDs toRouting Locators (RLOCs).RLOCs. It is astatically-definedstatically defined distribution of the EID namespace among a set of LISP-speakingservers,servers calledDDT nodes."DDT nodes". Each DDT node is configured as "authoritative" for one or moreEID- prefixes,EID-prefixes, along with the set of RLOCs forMap ServersMap-Servers or "child" DDT nodes to which more-specific EID-prefixes are delegated. Map-Resolvers send Map-Requests to the DDT hierarchy and maintainreferral-cachesreferral caches by receiving Map-Referral messages from DDT nodes. Map-Resolvers follow the DDT hierarchy for a given EID lookup based on the EID-prefix and delegation referrals contained in theMap- ReferralMap-Referral messages. Theintention of rig"rig" tool is intended to perform the same operation as that of a Map-Resolver but to also be used as a management tool for the network administrator. When therig"rig" command is run, an Encapsulated Control MessageMap- RequestMap-Request is sent for a destination EID. When a LISP-DDT Map-Referral is returned, the contents are displayed to the user. The information displayed includes: o A delegated EID-prefix configured in aDDT-nodeDDT node or a configured site EID-prefix in a DDT Map-Server that matches the requested EID. o The type ofDDT-node whichDDT node that sent the Map-Referral. o The action code and TTL set by the sender of the Map-Referral. o The referral RLOC addresses from the Map-Referral message. o A round-trip-time estimate for theECM-Map-Request/Map-ReferralECM-Map-Request / Map-Referral message exchange. A possible syntax for arig"rig" command MAY be: rig [instance-id <iid>] <eid> to <ddt-node> [follow-all-referrals] Parameterdescription:descriptions: [instance-id<iid>>]:<iid>]: <iid> is theinstance-IDIID portion of theExtended EIDXEID used as a VPN identifier or for other future purposes. When the DDT hierarchy is not configured withinstance-IDs,IIDs, this argument is omitted from the command line. <eid>: <eid> is either a Fully Qualified Domain Name or a destination EID that is being queried in the LISP-DDT mapping database. <ddt-node>: <ddt-node> is the RLOC address of anyDDT-nodeDDT node in the DDT hierarchy. This can be the DDT root node, a DDT transit node, or a DDT Map-Server. [follow-all-referrals]:whenWhen this keyword isusedused, each referral RLOC is queried sorig"rig" can descend the entire DDT hierarchy starting from the node <ddt-node>. When this keyword is not used, one of the referral RLOCs will be selected to descend a branch of the DDT hierarchy. Therig"rig" utility not only shows branches of the delegation hierarchy but can also report: o When a DDT Map-Server would forward a Map-Request to the ETRs at a registered LISP site. This is known asa 'ms-acknowledgement'an "MS-ACK" action. o When a DDT Map-Server sends anegative referralNegative Map-Referral indicating that a requested EID is configured but not registered to the mapping database system. This is known as an'ms-not-registered'"MS-NOT-REGISTERED" action. o When a DDT node is sending referrals for a transit or leaf node in the hierarchy. These are known as'node-referral'"NODE-REFERRAL" and'ms- referral'"MS-REFERRAL" actions, respectively. o When aDDT-nodeDDT node finds a hole in the address space that has not been allocated or configured in the delegation hierarchy. This is typically associated with a hole in a DDT node's configured authoritative prefix. This is known as a'delegation-hole'"DELEGATION-HOLE" action. o When aDDT-nodeDDT node finds a hole in the address space that has not been allocated or configured in the delegation hierarchy at all. This is typically associated with a hole that is outside of a DDT node's authoritative prefix. This is known as'non-authoritative'a "NOT-AUTHORITATIVE" action. Refer to[LISP-DDT][RFC8111] for moredetaildetails about Map-Referral actions. 5. Implementation Details TheciscoCisco LISP prototype implementations on IOS and NX-OShas righave "rig" support for IPv4 and IPv6 EIDs in either the default instance or a non-zeroinstance-ID.IID. The IOS syntax is: rig [instance-id <iid>] <eid> to <ddt-node> [follow-all-referrals] The NX-OS syntax is: rig [instance-id <iid>] { <hostname> | {<eid> |<eid6>}}<eid6>} } to{<ddt-hostname>{ <ddt-hostname> | {<ddt> |<ddt6>}}<ddt6>} } Here is some sample IOS output: Router# rig 12.0.1.1 to 1.1.1.1 Send Map-Request to DDT-node 1.1.1.1 ... node referral, rtt: 0 ms EID-prefix: [0] 12.0.0.0/16, ttl: 1440 referrals: 2.2.2.2 Send Map-Request to DDT-node 2.2.2.2 ... node referral, rtt: 0 ms EID-prefix: [0] 12.0.1.0/24, ttl: 1440 referrals: 4.4.4.4, 5.5.5.5 Send Map-Request to DDT-node 4.4.4.4 ... map-server acknowledgement, rtt: 0 ms EID-prefix: [0] 12.0.1.0/28, ttl: 1440 referrals: 4.4.4.4, 5.5.5.5 Router# rig 12.0.1.1 to 1.1.1.1 follow-all-referrals Send Map-Request to DDT-node 1.1.1.1 ... node referral, rtt: 4 ms EID-prefix: [0] 12.0.0.0/16, ttl: 1440 referrals: 2.2.2.2 Send Map-Request to DDT-node 2.2.2.2 ... node referral, rtt: 0 ms EID-prefix: [0] 12.0.1.0/24, ttl: 1440 referrals: 4.4.4.4, 5.5.5.5 Send Map-Request to DDT-node 4.4.4.4 ... map-server acknowledgement, rtt: 0 ms EID-prefix: [0] 12.0.1.0/28, ttl: 1440 referrals: 4.4.4.4, 5.5.5.5 Send Map-Request to DDT-node 5.5.5.5 ... map-server acknowledgement, rtt: 0 ms EID-prefix: [0] 12.0.1.0/28, ttl: 1440 referrals: 4.4.4.4, 5.5.5.5 No more referrals to pursue. Here is some sample NX-OS output: Router# rig 12.0.1.1 to 1.1.1.1 rig LISP-DDT hierarchy for EID [0] 12.0.1.1 Send Map-Request to DDT-node 1.1.1.1 ... replied, rtt: 0.003509 secs EID-prefix [0] *, ttl: 1440, action: node-referral, referrals: 2.2.2.2, priority/weight: 0/0 Send Map-Request to DDT-node 2.2.2.2 ... replied, rtt: 0.003173 secs EID-prefix [0] 12.0.0.0/20, ttl: 1440, action: node-referral, referrals: 3.3.3.3, priority/weight: 0/0 Send Map-Request to DDT-node 3.3.3.3 ... replied, rtt: 0.004145 secs EID-prefix [0] 12.0.1.0/24, ttl: 1440, action: node-referral, referrals: 5.5.5.5, priority/weight: 0/0 6.6.6.6, priority/weight: 0/0 Send Map-Request to DDT-node 6.6.6.6 ... replied, rtt: 0.005800 secs EID-prefix [0] 12.0.1.0/28, ttl: 1440, action: ms-ack, referrals: 5.5.5.5, priority/weight: 0/0 6.6.6.6, priority/weight: 0/0 6. Security Considerations The use ofrig"rig" does not affect the security of the LISPinfrastructureinfrastructure, as it is simply a tool thatfacilitiesfacilitates diagnostic querying. See [RFC6830],[LISP-DDT],[RFC6833], [RFC7835], and[LISP-THREATS][RFC8111] for descriptions of the security properties of the LISP infrastructure. LISPrig"rig" provides easy access to the information in the public mapping database. Therefore, it is important to protect the mapping information for private use. This can be provided by disallowing access to specific mapping entries orto placeplacing such entries in a private mapping database system. 7. IANA Considerations This documentmakes no request of the IANA.does not require any IANA actions. 8. References 8.1. Normative References[LISP-DDT] Fuller, V., Lewis, D., Ermagan, V., and A. Jain, "LISP Delegated Database Tree", draft-ietf-lisp-ddt-04.txt (work in progress), September 2014. [RFC0791][RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, DOI 10.17487/RFC0791, September1981.1981, <http://www.rfc-editor.org/info/rfc791>. [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November1987.1987, <http://www.rfc-editor.org/info/rfc1034>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March1997.1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The Locator/ID Separation Protocol (LISP)", RFC 6830, DOI 10.17487/RFC6830, January2013.2013, <http://www.rfc-editor.org/info/rfc6830>. [RFC6833] Fuller, V. and D. Farinacci, "Locator/ID Separation Protocol (LISP) Map-Server Interface", RFC 6833, DOI 10.17487/RFC6833, January2013.2013, <http://www.rfc-editor.org/info/rfc6833>. [RFC6835] Farinacci, D. and D. Meyer, "The Locator/ID Separation Protocol Internet Groper (LIG)", RFC 6835, DOI 10.17487/RFC6835, January2013. 8.2. Informative References [LISP-LCAF] Farinacci, D., Meyer,2013, <http://www.rfc-editor.org/info/rfc6835>. [RFC8111] Fuller, V., Lewis, D., Ermagan, V., Jain, A., andJ. Snijders, "LISP Canonical Address Format (LCAF)", draft-ietf-lisp-lcaf-07 (workA. Smirnov, "Locator/ID Separation Protocol Delegated Database Tree (LISP-DDT)", RFC 8111, DOI 10.17487/RFC8111, May 2017, <http://www.rfc-editor.org/info/rfc8111>. [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase inprogress), . [LISP-THREATS] Iannone, L., Saucez,RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <http://www.rfc-editor.org/info/rfc8174>. 8.2. Informative References [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., andO. Bonaventure, "LISP Threats Analysis", draft-ietf-lisp-threats-09.txt (work in progress), April 2014.E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, <http://www.rfc-editor.org/info/rfc1918>. [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, December1998.1998, <http://www.rfc-editor.org/info/rfc2460>. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June2002. Appendix A.2002, <http://www.rfc-editor.org/info/rfc3261>. [RFC7835] Saucez, D., Iannone, L., and O. Bonaventure, "Locator/ID Separation Protocol (LISP) Threat Analysis", RFC 7835, DOI 10.17487/RFC7835, April 2016, <http://www.rfc-editor.org/info/rfc7835>. [RFC8060] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical Address Format (LCAF)", RFC 8060, DOI 10.17487/RFC8060, February 2017, <http://www.rfc-editor.org/info/rfc8060>. Acknowledgments The authors would like to thank Damien Saucez and Fabio Maino for their ideas and comments. Appreciation also goes to Joel Halpern, Luigi Iannone, and Nevil Brownlee forprogressingtheir help with thisdocument to Informational RFC.document. Authors' Addresses Dino Farinacci lispers.net San Jose, CaliforniaUSAUnited States of America Phone: 408-718-2001 Email: farinacci@gmail.com Amit Jain Juniper Networks San Jose, CaliforniaUSAUnited States of America Email: atjain@juniper.net Isidor Kouvelascisco Systems Tasman Ave. San Jose,Arista Santa Clara, CaliforniaUSAUnited States of America Email:kouvelas@cisco.comkouvelas@arista.com Darrel LewisciscoCisco Systems Tasman Ave. San Jose, CaliforniaUSAUnited States of America Email: darlewis@cisco.com