HIP | R. Moskowitz |
Internet-Draft | X. Xu |
Intended status: Standards Track | B. Liu |
Expires: December 29, 2017 | Huawei |
June 27, 2017 |
Fast HIP Host Mobility
draft-moskowitz-hip-fast-mobility-02.txt
This document describes mobility scenarios and how to aggressively support them in HIP. The goal is minimum lag in the mobility event.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 29, 2017.
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document expands on HIP Host Mobility to describe a set of mobility scenarios that can be addressed by mechanisms that accelerate the basic HIP mobility UPDATE exchange.
HIP Host Mobility performs a return address validation to ensure that the UPDATE address is reachable by the peer. Two reasons are given for this approach: middleboxes blocking return reachablity and malicious peers providing false address updates to flood a target.
The approach here is to start using the new address while it is being validated. Worst case is a few packets are lost or sent to a wrong target. These are acceptable risks while gaining a fast address update that works in most cases.
One mechanism used is to piggyback data using Next Header even while the mobile peer address is flagged UNVERIFIED. This is practical as the new peer address is authenticated by the HIP_MAC in UPDATE. The UPDATE can neither be forged nor can it be replayed. The verification is more to ensure reverse reachability particularly across NATs and firewalls.
Another mechanism expands the use of the VIA_RVS parameter to "shotgun" mobility UPDATEs. These and other optimizations will be covered in detail.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
Most mobility environments are built with a "break then make" model for connectivity. Thus there is measurable time between the old address being unusable and the new address being functional. Adding mobility convergence times just further aggravates the delay which negatively impacts the user experience.
The "make then break" model for connectivity is supported via HIP multihoming and is the subject of a separate recommendation.
HIP mobility relies on a 3 packet UPDATE exchange which in some cases can be optimized to 2 packets. This can be further delayed in a "double-jump" scenario with waiting for the direct connection to fail before falling over to contacting the peer's RVS. These processes have resulted in other technologies to be preferred over HIP as they have faster convergence even if they achieve this while sacrificing security.
A HIP Host that has the potential to 'move' (acquire a new address for an interface) during the lifetime of a HIP association SHOULD be registered to an RVS. Such a HIP host SHOULD always inform its peer of its RVS address, as it may experience a "Double-Jump" move as in Section 6.
In an RVS assisted base exchange, the Responder ensures the Initiator knows its RVS with the VIA_RVS parameter in the R1 as specified in HIP Rendezvous Extension. However, the Responder has no mechanism to learn the Initiator's RVS address. Additionally, it is possible for an Initiator to directly contact the Responder and thus not learn about the Responder's RVS in the base exchange.
A host may not publish its RVS if it does not wish to be easily discovered. It still should notify its peers of its RVS if it expects to be found in some move scenarios.
The HIP base exchange needs to include more RVS information.
The VIA_RVS parameter is defined in HIP Rendezvous Extension for use in R1, but only identifies the Responder's RVS to the Initiator when the I1 was routed through the RVS.
Firstly, a Responder SHOULD always provide its VIA_RVS information in R1 even when the I1 came directly from the Initiator. Secondly, the Initiator SHOULD always provide its VIA_RVS information in I2. The VIA_RVS address is always maintained as part of the HIT to IP addressing information. Through these two expansions in the availability of VIA_RVS, the hosts are assured to possess their peer's RVS address to "shotgun" UPDATEs and thus accelerate mobility.
Data traffic between host A and B may use ESP with HIP, IPnIP, IPnHIP or any other tunneling protocol. If ESP, or to some extent IPnHIP, the relationship of the tunnel SAs with the HIP SA puts a high level of trust on the following fast mobility. With IPnIP, the risk is similar to MIPv6. Adding a MAC of the IPnIP or IPnHIP datagram into the HIP UPDATE as in Section 7 adds an additional level of validation during the fast mobility.
The following sections define the operation of a HIP UPDATE payload followed by some transport (e.g. TCP or UDP) payload in a single IP datagram. This multicontent IP datagram works best with a smaller window size for the higher layer. The normal operation is to compare the size of the transport datagram plus HIP UPDATE payload and ensure it is less than the MTU. An implementation may be able to adjust the transport window size downward so that the higher layer could still fill it and the whole piece then still fit within the MTU.
Host A triggers a HIP mobility UPDATE with Locator to inform Host B of new address. Host B, upon validating Host A HIP UPDATE, continues with Address Verification.
Host A triggers a HIP mobility UPDATE with Locator to inform Host B of new address. As the UPDATE + datagram would exceed the MTU, the datagram is sent separately after receipt of the HIP UPDATE from Host B.
The HIP UPDATE packets vary in length as follows:
Host A sends HIP UPDATE with Locator to inform Host B of new address. Datagram is appended to HIP UPDATE using Next Header. Host B, upon validating Host A HIP UPDATE, sends next header to proper module and continues with Address Verification. This datagram is processed even though the address is UNVERIFIED.
The ESP and IPnHIP anti-replay window managed by their envelope sequence number can protect against replayed UPDATE+ESP packets prior to address verification.
After Host B receives a HIP mobility UPDATE from A it has data to send to A. Or Host B may have been sending data to Host A while Host A was moving. The old data may have been lost; for example the data is over UDP with no keepalives during the move time. The old data may be in a retransmission state; for example the data is over TCP. Or the data reached the interface from the higher layer at the same time that the HIP UPDATE with new locator was successfully processed.
Host B sends the HIP UPDATE validation followed by the IPv6 datagram. Host B may place the address in ACTIVE state or wait from HIP UPDATE confirmation from Host A.
Host B sends the HIP UPDATE validation within the IPv6 datagram. Host B may place the address in ACTIVE state or wait from HIP UPDATE confirmation from Host A.
The HIP mobility UPDATE will fail without the use of RVS. In fact both RVS are needed for both UPDATEs to find its peer. This is why the "shotgun" acceleration SHOULD always be used when the peer's RVS is known.
Shotgunning is the process of sending the same UPDATE to more than one LOCATOR. In particular it refers to sending the UPDATE to at least the peer's last known IP address and to its RVS address learned from the VIA_RVS for either the R1 or I2 packet.
A host MUST be prepared to receive and discard multiple HIP mobility UPDATEs. The duplicates will be readily identified as having the same SEQ (UPDATE sequence umber).
Shotgunning SHOULD always be used when an RVS is known. A peer never knows of a "double-jump" event until after it receives its peer's UPDATE.
Host A triggers a HIP mobility UPDATE with Locator to inform Host B of new address. Host B, upon validating Host A HIP UPDATE, continues with Address Verification.
No attempt should be made to piggyback the two UPDATE processes. They may run simultaneously but not in the same IP datagrams.
The following acceleration advice presents a number of challenges. The best rule of thumb is to send the data as soon as possible.
Same process as Section 6.3
Host A sends HIP UPDATE with Locator to inform Host B of new address. Datagram is appended to HIP UPDATE using Next Header. Host B, may have already sent a datagram with its original HIP UPDATE. If since then a receipt of Host A's UPDATE it has more data to transmit, upon validating Host A HIP UPDATE, sends next header to proper module and continues with Address Verification. This datagram is processed even though the address is UNVERIFIED.
IPnHIP has superior resiliency to attack over IPnIP as it uses an ESP-styled sequence number and the HIP SPI rather than the encapsulated IP addresses. Still a host SHOULD use the PAYLOAD_MIC from HICCUPS whenever an IPnHIP datagram is appended to a HIP mobility UPDATE. This effectively blocks any substitution attack. It also lengthens the HIP UPDATE by 24 bytes which may result in NOT being able to append the IPnHIP datagram and stay within the MTU.
Use of the PAYLOAD_MIC is a recommendation and not a requirement. The risk of bloating the UPDATE packet such that the IPnHIP payload cannot be carried in the same datagram may be reason enough not to use it.
The following change to the "Host Identity Protocol (HIP) Parameters" registries has been made:
The PAYLOAD_MIC parameter used here is defined in HICCUPS which is an Experimental RFC. Here it is being used in a Standards Track document.
HIP fast mobility does not introduce any new security considerations beyond that in HIP Host Mobility. If anything its requirement to know and use the RVS for a peer improve the frequency of a successful mobility notification.
The term "shotgun" for fast mobility comes from the InfraHIP project. The HIP UPDATE lengths were supplied by Jeff Ahrenholz.
Sue Hares of Huawei and Jeff Ahrenholz of Tempered Networks contributed to the clarity in this document.
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |