Internet-Draft | LISP-PubSub | June 2021 |
Rodriguez-Natal, et al. | Expires 30 December 2021 |
This document specifies an extension to the Request/Reply based LISP Control Plane to enable Publish/Subscribe (PubSub) operation.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 30 December 2021.
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The Locator/ID Separation Protocol (LISP) [I-D.ietf-lisp-rfc6830bis] [I-D.ietf-lisp-rfc6833bis] splits current IP addresses into two different namespaces, Endpoint Identifiers (EIDs) and Routing Locators (RLOCs). LISP uses a map-and-encap approach that relies on (1) a Mapping System (basically a distributed database) that stores and disseminates EID-RLOC mappings and on (2) LISP tunnel routers (xTRs) that encapsulate and decapsulate data packets based on the content of those mappings.
Ingress Tunnel Routers (ITRs) / Re-encapsulating Tunnel Routers (RTRs) / Proxy Ingress Tunnel Routers (PITRs) pull EID-to-RLOC mapping information from the Mapping System by means of an explicit request message. Section 6.1 of [I-D.ietf-lisp-rfc6833bis] indicates how Egress Tunnel Routers (ETRs) can tell ITRs/RTRs/PITRs about mapping changes. This document presents a Publish/Subscribe (PubSub) extension in which the Mapping System can notify ITRs/RTRs/PITRs about mapping changes. When this mechanism is used, mapping changes can be notified faster and can be managed in the Mapping System rather than at the LISP sites.
In general, when an ITR/RTR/PITR wants to be notified of mapping changes for a given EID-prefix, the following steps occur:
This operation is repeated for all EID-prefixes for which the ITR/RTR/PITR wants to be notified. The ITR/RTR/PITR can set the N-bit for several EID-prefixes within a single Map-Request.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
The specification described in this document makes the following deployment assumptions:
The distribution of xTR-IDs (and Site-IDs) is out of the scope of this document.
Figure 1 shows the format of the updated Map-Request to support the PubSub functionality.
The following is added to the Map-Request message defined in Section 5.2 of [I-D.ietf-lisp-rfc6833bis]:
The xTR subscribes to changes for a given EID-prefix by sending a Map-Request to the Mapping System with the N-bit set on the EID-Record. The xTR builds a Map-Request according to Section 5.3 of [I-D.ietf-lisp-rfc6833bis] but also does the following:
The Map-Request is forwarded to the appropriate Map-Server through the Mapping System. This document does not assume that a Map-Server is pre-assigned to handle the subscription state for a given xTR. The Map-Server that receives the Map-Request will be the Map-Server responsible for notifying that specific xTR about future mapping changes for the subscribed mapping records.
Upon receipt of the Map-Request, the Map-Server processes it as described in Section 8.3 of [I-D.ietf-lisp-rfc6833bis]. Furthermore, upon processing, for each EID-Record that has the N-bit set to 1, the Map-Server proceeds to add the xTR-ID contained in the Map-Request to the list of xTRs that have requested to be subscribed to that mapping record.
If the xTR-ID is added to the list, the Map-Server MUST send a Map-Notify message back to the xTR to acknowledge the successful subscription. The Map-Server MUST follow the specification in Section 5.7 of [I-D.ietf-lisp-rfc6833bis] to build the Map-Notify with the following considerations:
When the xTR receives a Map-Notify with a nonce that matches one in the list of outstanding Map-Request messages sent with an N-bit set, it knows that the Map-Notify is to acknowledge a successful subscription. The xTR processes this Map-Notify as described in Section 5.7 of [I-D.ietf-lisp-rfc6833bis] with the following considerations. The xTR MUST use its security association with the Map-Server (see Section 7.1) to validate the authentication data on the Map-Notify. The xTR MUST use the Map-Notify to populate its map-cache with the returned EID-prefix and RLOC-set.
The subscription of an xTR-ID to the list of subscribers for the EID-Record may fail for a number of reasons, for example, because of local configuration policies (such as accept and drop lists of subscribers), or because the Map-Server has exhausted the resources it can dedicate to the subscription of that EID-Record (e.g., the number of subscribers exceeds the capacity of the Map-Server).
If the subscription fails, the Map-Server MUST send a Map-Reply to the originator of the Map-Request, as described in Section 8.3 of [I-D.ietf-lisp-rfc6833bis]. The xTR processes the Map-Reply as specified in Section 8.1 of [I-D.ietf-lisp-rfc6833bis].
If an xTR-ID is successfully added to the list of subscribers for an EID-Record, the Map-Server MUST extract the nonce and ITR-RLOCs present in the Map-Request, and store the association between the EID-Record, xTR-ID, ITR-RLOCs and nonce. Any already present state regarding ITR-RLOCs and/or nonce for the same xTR-ID MUST be overwritten.
The following specifies the procedure to remove a subscription. If the Map-Request only has one ITR-RLOC with AFI = 0 (i.e., Unknown Address), the Map-Server MUST remove the subscription state for that xTR-ID. In this case, the Map-Server MUST send the Map-Notify to the source RLOC of the Map-Request.
When an EID-Record is removed from the Map-Server (either when explicitly withdrawn or when its TTL expires), the Map-Server notifies its subscribers (if any) via a Map-Notify with TTL equal to 0.
The publish procedure is implemented via Map-Notify messages that the Map-Server sends to xTRs. The xTRs acknowledge the reception of Map-Notifies via sending Map-Notify-Ack messages back to the Map-Server. The complete mechanism works as follows.
When a mapping stored in a Map-Server is updated (e.g., via a Map-Register from an ETR), the Map-Server MUST notify the subscribers of that mapping via sending Map-Notify messages with the most updated mapping information. The Map-Notify message sent to each of the subscribers as a result of an update event MUST follow the exact encoding and logic defined in Section 5.7 of [I-D.ietf-lisp-rfc6833bis] for Map-Notify, except for the following:
When the xTR receives a Map-Notify with an EID not local to the xTR, the xTR knows that the Map-Notify has been received to update an entry on its map-cache. Processing of unsolicited Map-Notify messages MUST be explicitly enabled via configuration at the xTR. The xTR MUST keep track of the last nonce seen in a Map-Notify received as a publication from the Map-Server for the EID-Record. If a Map-Notify received as a publication has a nonce value that is not greater than the saved nonce, the xTR drops the Map-Notify message and logs the fact that a replay attack could have occurred. To compare two nonces, the xTR uses the serial number arithmetic defined in [RFC1982] with SERIAL_BITS = 64. The nonce field space (64 bits) is considered large enough to not be depleted during normal operation of the protocol (e.g., assuming a fast publication rate of one Map-Notify per EID-Record per Map-Server per second, the nonce field space will not be depleted in 0.5 trillion years). The same considerations discussed in Section 5.6 of [I-D.ietf-lisp-rfc6833bis] regarding storing Map-Register nonces apply here for Map-Notify nonces.
The xTR processes the received Map-Notify as specified in Section 5.7 of [I-D.ietf-lisp-rfc6833bis], with the following considerations. The xTR MUST use its security association with the Map-Server (see Section 7.1) to validate the authentication data on the Map-Notify. The xTR MUST use the mapping information carried in the Map-Notify to update its internal map-cache. The xTR MUST acknowledge the Map-Notify by sending back a Map-Notify-Ack (specified in Section 5.7 of [I-D.ietf-lisp-rfc6833bis]), with the nonce from the Map-Notify, to the Map-Server. If after a configurable timeout, the Map-Server has not received back the Map-Notify-Ack, it can try to send the Map-Notify to a different ITR-RLOC for that xTR-ID. If the Map-Server tries all the ITR-RLOCs without receiving a response, it may stop trying to send the Map-Notify.
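The nonce check described above for published Map-Notify messages can be sketched as follows. This is an added example, not code from the draft or its authors; it covers only the RFC 1982 comparison and the drop decision, not authentication or the Map-Notify-Ack. The class, method and logger names are hypothetical, and two points are assumptions: the nonce of the subscription Map-Notify seeds the saved value, and a publication for an EID-Record with no saved nonce is dropped.

```python
# Added example: xTR-side replay check for published Map-Notify nonces.
import logging

SERIAL_BITS = 64                       # value given in the draft
MASK = (1 << SERIAL_BITS) - 1
HALF = 1 << (SERIAL_BITS - 1)

log = logging.getLogger("pubsub.xtr")  # hypothetical logger name


def serial_gt(s1: int, s2: int) -> bool:
    """RFC 1982 'greater than' for SERIAL_BITS-wide serial numbers.

    When the two values are exactly 2**(SERIAL_BITS-1) apart, RFC 1982 leaves
    the comparison undefined; this returns False, so such a nonce is treated
    as "not greater" and dropped (a choice made for this example).
    """
    s1 &= MASK
    s2 &= MASK
    return (s1 < s2 and s2 - s1 > HALF) or (s1 > s2 and s1 - s2 < HALF)


class PublicationNonceTracker:
    """Last nonce seen per EID-Record (hypothetical helper class)."""

    def __init__(self):
        self._last = {}  # EID-prefix -> last accepted nonce

    def subscription_acked(self, eid_prefix: str, nonce: int) -> None:
        # Assumption: the nonce of the subscription Map-Notify seeds the state.
        self._last[eid_prefix] = nonce & MASK

    def accept_publication(self, eid_prefix: str, nonce: int) -> bool:
        saved = self._last.get(eid_prefix)
        if saved is None:
            # Assumption: no subscription state means the message is ignored.
            log.warning("Map-Notify for unsubscribed EID %s dropped", eid_prefix)
            return False
        if not serial_gt(nonce, saved):
            log.warning("possible replay: EID %s nonce %#x not greater than %#x",
                        eid_prefix, nonce, saved)
            return False
        self._last[eid_prefix] = nonce & MASK
        return True
```

Because the comparison is modular, a nonce of 0 arriving after a saved nonce of 2^64 - 1 is accepted as newer, while a repeat of the saved value is dropped.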
Generic security considerations related to LISP control messages are discussed in Section 9 of [I-D.ietf-lisp-rfc6833bis].
In the particular case of PubSub, cache poisoning via malicious Map-Notify messages is avoided by the use of nonce and the security association between the ITRs and the Map-Servers.
Since Map-Notifies from the Map-Server to the ITR need to be authenticated, there is a need for a soft-state or hard-state security association (e.g. a PubSubKey) between the ITRs and the Map-Servers. For some controlled deployments, it might be possible to have a shared PubSubKey (or set of keys) between the ITRs and the Map-Servers. However, if pre-shared keys are not used in the deployment, LISP-SEC [I-D.ietf-lisp-sec] can be used as follows to create a security association between the ITR and the MS.
First, when the ITR is sending a Map-Request with the N-bit set following Section 5, the ITR also performs the steps described in Section 5.4 of [I-D.ietf-lisp-sec]. The ITR can then generate a PubSubKey by deriving a key from the OTK as follows: PubSubKey = KDF( OTK ), where KDF is the Key Derivation Function indicated by the OTK Wrapping ID. If OTK Wrapping ID equals NULL-KEY-WRAP-128 then the PubSubKey is the OTK. Note that as opposed to the pre-shared PubSubKey, this generated PubSubKey is different per EID-Record the ITR subscribes to (since the ITR will use a different OTK per Map-Request).
When the Map-Server receives the Map-Request it follows Section 5. If according to Section 5 the Map-Server is to reply with a Map-Reply (e.g. due to PubSub not supported or subscription not accepted), then it follows normal LISP-SEC procedure described in Section 5.7 of [I-D.ietf-lisp-sec]. No PubSubKey or security association is created in this case.
Otherwise, if, by following Section 5, the Map-Server is to reply with a Map-Notify (e.g. due to subscription accepted) to a received Map-Request, the following extra steps take place (note that if the MS replies with a Map-Notify, none of the regular LISP-SEC steps regarding Map-Reply described in Section 5.7 of [I-D.ietf-lisp-sec] takes place).
Misbehaving nodes may send a massive number of subscription requests, which may exhaust the resources of Map-Servers. Furthermore, frequently changing the state of a subscription may also be considered as an attack vector. To mitigate such issues, xTRs SHOULD rate-limit Map-Requests and Map-Servers SHOULD rate-limit Map-Notifies. Rate-limiting Map-Requests is discussed in Section 5.3 of [I-D.ietf-lisp-rfc6833bis] and the same guidelines apply here. To rate-limit Map-Notifies, a Map-Server MUST NOT send more than one Map-Notify per second to a particular xTR-ID. This parameter MUST be configurable. Note that when the Map-Notify rate-limit threshold is met for a particular xTR-ID, the Map-Server will silently discard additional subscription requests from that xTR-ID. Similarly, for pending mapping updates that need to be notified to that xTR-ID, the Map-Server will combine them into a single Map-Notify (with multiple EID-records) which it will send when the rate-limit mechanism allows it to transmit Map-Notifies to that xTR-ID again.
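The Map-Notify rate limit and the coalescing of pending updates described above can be sketched as follows. This is an added example, not code from the draft or its authors; the class and method names are hypothetical, the caller passes the current time in, and counting the subscription acknowledgement against the same per-xTR-ID limit is an interpretation made for this example.

```python
# Added example: Map-Server side Map-Notify pacing per xTR-ID.
class MapNotifyPacer:
    """Hypothetical helper; time is passed in so the logic is testable."""

    def __init__(self, min_interval: float = 1.0):
        self.min_interval = min_interval   # configurable, 1 s per the draft
        self._last_sent = {}               # xTR-ID -> time of last Map-Notify
        self._pending = {}                 # xTR-ID -> {EID-prefix: RLOC-set}

    def _may_send(self, xtr_id: str, now: float) -> bool:
        last = self._last_sent.get(xtr_id)
        return last is None or now - last >= self.min_interval

    def accept_subscription(self, xtr_id: str, now: float) -> bool:
        """A subscription is acknowledged with a Map-Notify, so it is silently
        discarded (False) while the xTR-ID is rate-limited."""
        if not self._may_send(xtr_id, now):
            return False
        self._last_sent[xtr_id] = now
        return True

    def mapping_updated(self, xtr_id, eid_prefix, rloc_set, now):
        """Queue an update; return the EID-records to send now, or None."""
        # Only the most recent mapping per EID-prefix is kept.
        self._pending.setdefault(xtr_id, {})[eid_prefix] = rloc_set
        return self.flush(xtr_id, now)

    def flush(self, xtr_id: str, now: float):
        """Return all pending EID-records as one Map-Notify body, or None."""
        if not self._pending.get(xtr_id) or not self._may_send(xtr_id, now):
            return None
        self._last_sent[xtr_id] = now
        return self._pending.pop(xtr_id)
```

A Map-Server loop would call `flush` for each xTR-ID with queued records on a timer, so that updates held back by the limit go out in a single Map-Notify once the interval has elapsed.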
Dino Farinacci, lispers.net, San Jose, CA, USA. Email: farinacci@gmail.com
Johnson Leong. Email: johnsonleong@gmail.com
Fabio Maino, Cisco, 170 Tasman Drive, San Jose, CA, USA. Email: fmaino@cisco.com
Christian Jacquenet, Orange, Rennes 35000, France. Email: christian.jacquenet@orange.com
Stefano Secci, Cnam, France. Email: stefano.secci@cnam.fr
This work is partly funded by the ANR LISP-Lab project #ANR-13-INFR-009 (https://www.lisp-lab.org).
This document requests IANA to assign a new bit from the "LISP Control Plane Header Bits: Map-Request" sub-registry under the "Locator/ID Separation Protocol (LISP) Parameters" registry available at [IANA-LISP]. The position of this bit in the Map-Request message can be found in Figure 1.
Spec Name | IANA Name | Bit Position | Description |
---|---|---|---|
I | map-request-I | 11 | xTR-ID Bit |
This document also requests the creation of a new sub-registry entitled "LISP Map-Request Record Bits" under the "Locator/ID Separation Protocol (LISP) Parameters" registry available at [IANA-LISP].
The initial content of this sub-registry is shown below:
Spec Name | IANA Name | Bit Position | Description |
---|---|---|---|
N | map-request-N | 1 | Notification-Requested Bit |
Bits in position 2-8 are for future assignment.
The policy for allocating new bits from this sub-registry is Specification Required (Section 4.6 of [RFC8126]).