Network Working Group | F. Templin, Ed. |
Internet-Draft | Boeing Research & Technology |
Obsoletes: rfc6706 (if approved) | June 6, 2014 |
Intended status: Standards Track | |
Expires: December 8, 2014 |
Transmission of IPv6 Packets over AERO Links
draft-templin-aerolink-25.txt
This document specifies the operation of IPv6 over tunnel virtual Non-Broadcast, Multiple Access (NBMA) links using Asymmetric Extended Route Optimization (AERO). Nodes attached to AERO links can exchange packets via trusted intermediate routers that provide forwarding services to reach off-link destinations and redirection services for route optimization. AERO provides an IPv6 link-local address format known as the AERO address for operation of the IPv6 Neighbor Discovery (ND) protocol. Admission control and provisioning are supported by the Dynamic Host Configuration Protocol for IPv6 (DHCPv6), and node mobility is naturally supported through dynamic neighbor cache updates.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 8, 2014.
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document specifies the operation of IPv6 over tunnel virtual Non-Broadcast, Multiple Access (NBMA) links using Asymmetric Extended Route Optimization (AERO). The AERO link can be used for tunneling to neighboring nodes on either IPv6 or IPv4 networks, i.e., AERO views the IPv6 and IPv4 networks as equivalent links for tunneling. Nodes attached to AERO links can exchange packets via trusted intermediate routers that provide forwarding services to reach off-link destinations and redirection services for route optimization that addresses the requirements outlined in [RFC5522].
AERO proivdes an IPv6 link-local address format known as the AERO address used for operation of the IPv6 Neighbor Discovery (ND) [RFC4861] protocol. Admission control and provisioning are supported by the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) [RFC3315], and node mobility is naturally supported through dynamic neighbor cache updates. The remainder of this document presents the AERO specification.
The terminology in the normative references applies; the following terms are defined within the scope of this document:
Throughout the document, the simple terms "Client", "Server" and "Relay" refer to "AERO Client", "AERO Server" and "AERO Relay", respectively. Capitalization is used to distinguish these terms from DHCPv6 client/server/relay. This is an important distinction, since an AERO Server may be a DHCPv6 relay, and an AERO Relay may be a DHCPv6 server.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
The following sections specify the operation of IPv6 over Asymmetric Extended Route Optimization (AERO) links:
AERO Relays relay packets between nodes connected to the same AERO link and also forward packets between the AERO link and the native IPv6 network. The relaying process entails re-encapsulation of IPv6 packets that were received from a first AERO node and are to be forwarded without modification to a second AERO node.
AERO Servers configure their AERO interfaces as router interfaces, and provide default routing services to AERO Clients. AERO Servers configure a DHCPv6 relay or server function and facilitate DHCPv6 Prefix Delegation (PD) exchanges. An AERO Server may also act as an AERO Relay.
AERO Clients act as requesting routers to receive IPv6 prefixes through a DHCPv6 PD exchange via AERO Servers over the AERO link. (Each client MAY associate with multiple Servers, but associating with many Servers may result in excessive control message overhead.) Each AERO Client receives at least a /64 prefix delegation, and may receive even shorter prefixes.
AERO Clients that act as routers configure their AERO interfaces as router interfaces and sub-delegate portions of their received prefix delegations to links on EUNs. End system applications on AERO Clients that act as routers bind to EUN interfaces (i.e., and not the AERO interface).
AERO Clients that act as ordinary hosts configure their AERO interfaces as host interfaces and assign one or more IPv6 addresses taken from their received prefix delegations to the AERO interface but DO NOT assign the delegated prefix itself to the AERO interface. Instead, the host assigns the delegated prefix to a "black hole" route so that unused portions of the prefix are nullified. End system applications on AERO Clients that act as hosts bind directly to the AERO interface.
An AERO address is an IPv6 link-local address with an embedded IPv6 prefix and assigned to a Client's AERO interface. The AERO address is formatted as follows:
The AERO address begins with the prefix fe80::/64 and includes in its interface identifier the base /64 prefix taken from the Client's delegated IPv6 prefix. The base prefix is determined by masking the delegated prefix with the prefix length. For example, if the AERO Client receives the prefix delegation:
it constructs its AERO address as:
The AERO address remains stable as the Client moves between topological locations, i.e., even if its underlying addresses change.
AERO interfaces use IPv6-in-IPv6 encapsulation [RFC2473] to exchange tunneled packets with AERO neighbors attached to an underlying IPv6 network, and use IPv6-in-IPv4 encapsulation [RFC4213] to exchange tunneled packets with AERO neighbors attached to an underlying IPv4 network. AERO interfaces can also operate over secured tunnel types such as IPsec [RFC4301] or TLS [RFC5246]. When Network Address Translator (NAT) traversal and/or filtering middlebox traversal may be necessary, a UDP header is further inserted immediately above the IP encapsulation header.
Servers assign the address fe80:: to their AERO interfaces as a link-local Subnet Router Anycast address. Servers and Relays also assign a link-local address fe80::ID to support the operation of the IPv6 Neighbor Discovery protocol and the inter-Server/Relay routing system (see: [IRON]). Each address fe80::ID MUST be unique, and MUST NOT collide with any potential AERO addresses (e.g., fe80::1, fe80::2, fe80::3, etc).
When a Client enables an AERO interface, it invokes DHCPv6 PD using the temporary IPv6 link-local source address fe80::ffff:ffff:ffff:ffff. After the Client receives a prefix delegation, it assigns the corresponding AERO address to the AERO interface and deprecates the temporary address, i.e., the Client invokes DHCPv6 to bootstrap the provisioning of a unique link-local address before invoking IPv6 ND.
AERO interfaces maintain a neighbor cache and use an adaptation of standard unicast IPv6 ND messaging. AERO interfaces use unicast Neighbor Solicitation (NS), Neighbor Advertisement (NA), Router Solicitation (RS) and Router Advertisement (RA) messages the same as for any IPv6 link. AERO interfaces use two redirection message types -- the first being the standard Redirect message and the second known as a Predirect message (see Section 3.9). AERO links further use link-local-only addressing; hence, Clients ignore any Prefix Information Options (PIOs) they may receive in RA messages.
AERO interface Redirect/Predirect messages include Target Link Layer Address Options (TLLAOs) formatted as shown in Figure 1:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 2 | Length = 3 | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Link ID | Preference | UDP Port Number (or 0) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-- --+ | | +-- IP Address --+ | | +-- --+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: AERO Target Link Layer Address Option (TLLAO) Format
In this format, Link ID is an integer value between 0 and 255 corresponding to an underlying interface of the target node, and Preference is an integer value between 0 and 255 indicating the node's preference for this underlying interface, with 0 being highest preference and 255 being lowest. UDP Port Number and IP Address are set to the addresses used by the target node when it sends encapsulated packets over the underlying interface. When no UDP encapsulation is used, UDP Port Number is set to 0. When the encapsulation IP address family is IPv4, IP Address is formed as an IPv4-compatible IPv6 address [RFC4291].
AERO interface Redirect/Predirect messages can both update and create neighbor cache entries, including link-layer address information. Redirect/Predirect messages SHOULD include a Timestamp option (see Section 5.3 of [RFC3971]) that other AERO nodes can use to verify the message time of origin.
AERO interface NS/NA/RS/RA messages update timers in existing neighbor cache entires but do not update link-layer addresses nor create new neighbor cache entries. NS/RS messages SHOULD include a Nonce option (see Section 5.3 of [RFC3971]) that the recipient echoes back in the corresponding NA/RA response. Unsolicited NA/RA messages are not used on AERO interfaces, and SHOULD be ignored on receipt.
AERO interfaces may be configured over multiple underlying interfaces. For example, common handheld devices of the current era have both wireless local area network (aka "WiFi") and cellular wireless links. These links are typically used "one at a time" with low-cost WiFi preferred and highly-available cellular wireless as a standby. In a more complex example, aircraft frequently have many wireless data link types (e.g. satellite-based, terrestrial, air-to-air directional, etc.) with diverse performance and cost properties.
If a Client's multiple underlying interfaces are used "one at a time" (i.e., all other interfaces are in standby mode while one interface is active), then Predirect/Redirect messages include only a single TLLAO with Link ID set to 0.
If the Client has multiple active underlying interfaces, then from the perspective of IPv6 ND it would appear to have a single link-local address with multiple link-layer addresses. In that case, Predirect/Redirect messages MAY include multiple TLLAOs -- each with a different Link ID that corresponds to an underlying interface of the Client. Further details on coordination of multiple active underlying interfaces are outside the scope of this specification.
Each AERO interface maintains a conceptual neighbor cache that includes an entry for each neighbor it communicates with on the AERO link, the same as for any IPv6 interface [RFC4861]. Neighbor cache entries are created and maintained as follows:
When an AERO Server relays a DHCPv6 Reply message to an AERO Client, it creates or updates a neighbor cache entry for the Client based on the AERO address corresponding to the prefix in the IA_PD option as the Client's network layer address and with the Client's encapsulation IP address and UDP port number as the link-layer address.
When an AERO Client receives a DHCPv6 Reply message from an AERO Server, it creates or updates a neighbor cache entry for the Server based on the Reply message link-local source address as the network layer address, and the encapsulation IP source address and UDP source port number as the link-layer address.
When an AERO Client receives a valid Predirect message it creates or updates a neighbor cache entry for the Predirect target network-layer and link-layer addresses, and also creates an IPv6 forwarding table entry for the predirected (source) prefix. The node then sets an "ACCEPT" timer for the neighbor and uses this timer to determine whether messages received from the predirected neighbor can be accepted.
When an AERO Client receives a valid Redirect message it creates or updates a neighbor cache entry for the Redirect target network-layer and link-layer addresses, and also creates an IPv6 forwarding table entry for the redirected (destination) prefix. The node then sets a "FORWARD" timer for the neighbor and uses this timer to determine whether packets can be sent directly to the redirected neighbor. The node also maintains a constant value MAX_RETRY to limit the number of keepalives sent when a neighbor may have gone unreachable.
When an AERO Client receives a valid NS message it (re)sets the ACCEPT timer for the neighbor to ACCEPT_TIME.
When an AERO Client receives a valid NA message, it (re)sets the FORWARD timer for the neighbor to FORWARD_TIME.
It is RECOMMENDED that FORWARD_TIME be set to the default constant value 30 seconds to match the default REACHABLE_TIME value specified for IPv6 neighbor discovery [RFC4861].
It is RECOMMENDED that ACCEPT_TIME be set to the default constant value 40 seconds to allow a 10 second window so that the AERO redirection procedure can converge before the ACCEPT timer decrements below FORWARD_TIME.
It is RECOMMENDED that MAX_RETRY be set to 3 the same as described for IPv6 neighbor discovery address resolution in Section 7.3.3 of [RFC4861].
Different values for FORWARD_TIME, ACCEPT_TIME, and MAX_RETRY MAY be administratively set, if necessary, to better match the AERO link's performance characteristics; however, if different values are chosen, all nodes on the link MUST consistently configure the same values. In particular, ACCEPT_TIME SHOULD be set to a value that is sufficiently longer than FORWARD_TIME to allow the AERO redirection procedure to converge.
AERO nodes use a simple data origin authentication for encapsulated packets they receive from other nodes. In particular, AERO nodes accept encapsulated packets with a link-layer source address belonging to one of their current AERO Servers and accept encapsulated packets with a link-layer source address that is correct for the network-layer source address.
The AERO node considers the link-layer source address correct for the network-layer source address if there is an IPv6 forwarding table entry that matches the network-layer source address as well as a neighbor cache entry corresponding to the next hop that includes the link-layer address and the ACCEPT timer is non-zero.
Note that this simple data origin authentication only applies to environments in which link-layer addresses cannot be spoofed. Additional security mitigations may be necessary in other environments.
The AERO link Maximum Transmission Unit (MTU) is 64KB minus the encapsulation overhead for IPv4 [RFC0791] and 4GB minus the encapsulation overhead for IPv6 [RFC2675]. This is the most that IPv4 and IPv6 (respectively) can convey within the constraints of protocol constants, but actual sizes available for tunneling will frequently be much smaller.
The base tunneling specifications for IPv4 and IPv6 typically set a static MTU on the tunnel interface to 1500 bytes minus the encapsulation overhead or smaller still if the tunnel is likely to incur additional encapsulations on the path. This can result in path MTU related black holes when packets that are too large to be accommodated over the AERO link are dropped, but the resulting ICMP Packet Too Big (PTB) messages are lost on the return path. As a result, AERO nodes use the following MTU mitigations to accommodate larger packets.
AERO nodes set their AERO interface MTU to the larger of the underlying interface MTU minus the encapsulation overhead, and 1500 bytes. (If there are multiple underlying interfaces, the node sets the AERO interface MTU according to the largest underlying interface MTU, or 64KB /4G minus the encapsulation overhead if the largest MTU cannot be determined.) AERO nodes optionally cache other per-neighbor MTU values in the underlying IP path MTU discovery cache initialized to the underlying interface MTU.
AERO nodes admit packets that are no larger than 1280 bytes minus the encapsulation overhead (*) as well as packets that are larger than 1500 bytes into the tunnel without fragmentation, i.e., as long as they are no larger than the AERO interface MTU before encapsulation and also no larger than the cached per-neighbor MTU following encapsulation. For IPv4, the node sets the "Don't Fragment" (DF) bit to 0 for packets no larger than 1280 bytes minus the encapsulation overhead (*) and sets the DF bit to 1 for packets larger than 1500 bytes. If a large packet is lost in the path, the node may optionally cache the MTU reported in the resulting PTB message or may ignore the message, e.g., if there is a possibility that the message is spurious.
For packets destined to an AERO node that are larger than 1280 bytes minus the encapsulation overhead (*) but no larger than 1500 bytes, the node uses IP fragmentation to fragment the encapsulated packet into two pieces (where the first fragment contains 1024 bytes of the original IPv6 packet) then admits the fragments into the tunnel. If the encapsulation protocol is IPv4, the node admits each fragment into the tunnel with DF set to 0 and subject to rate limiting to avoid reassembly errors [RFC4963][RFC6864]. For both IPv4 and IPv6, the node also sends a 1500 byte probe message (**) to the neighbor, subject to rate limiting.
To construct a probe, the node prepares an NS message with a Nonce option plus trailing padding octets added to a length of 1500 bytes without including the length of the padding in the IPv6 Payload Length field. The node then encapsulates the NS in the encapsulation headers (while including the length of the padding in the encapsulation header length fields), sets DF to 1 (for IPv4) and sends the padded NS message to the neighbor. If the neighbor returns an NA message with a correct Nonce value, the node may then send whole packets within this size range and (for IPv4) relax the rate limiting requirement. (Note that the trailing padding SHOULD NOT be included within the Nonce option itself but rather as padding beyond the last option in the NS message; otherwise, the (large) Nonce option would be echoed back in the solicited NA message and may be lost at a link with a small MTU along the reverse path.)
AERO nodes MUST be capable of reassembling packets up to 1500 bytes plus the encapsulation overhead length. It is therefore RECOMMENDED that AERO nodes be capable of reassembling at least 2KB.
(*) Note that if it is known without probing that the minimum Path MTU to an AERO node is MINMTU bytes (where 1280 < MINMTU < 1500) then MINMTU can be used instead of 1280 in the fragmentation threshold considerations listed above.
(**) It is RECOMMENDED that no probes smaller than 1500 bytes be used for MTU probing purposes, since smaller probes may be fragmented if there is a nested tunnel somewhere on the path to the neighbor. Probe sizes larger than 1500 bytes MAY be used, but may be unnecessary since original sources are expected to implement [RFC4821] when sending large packets.
AERO interfaces encapsulate IPv6 packets according to whether they are entering the AERO interface for the first time or if they are being forwarded out the same AERO interface that they arrived on. This latter form of encapsulation is known as "re-encapsulation".
AERO interfaces encapsulate packets per the specifications in [RFC2473][RFC4213][RFC4301][RFC5246] except that the interface copies the "Hop Limit", "Traffic Class" and "Congestion Experienced" values in the packet's IPv6 header into the corresponding fields in the encapsulation header. For packets undergoing re-encapsulation, the AERO interface instead copies the "TTL/Hop Limit", "Type of Service/Traffic Class" and "Congestion Experienced" values in the original encapsulation header into the corresponding fields in the new encapsulation header (i.e., the values are transferred between encapsulation headers and *not* copied from the encapsulated packet's network-layer header).
When AERO UDP encapsulation is used, the AERO interface encapsulates the packet per the specifications in [RFC2473][RFC4213] except that it inserts a UDP header between the encapsulation header and IPv6 packet header. The AERO interface sets the UDP source port to a constant value that it will use in each successive packet it sends, sets the UDP checksum field to zero (see: [RFC6935][RFC6936]) and sets the UDP length field to the length of the IPv6 packet plus 8 bytes for the UDP header itself. For packets sent via a Server, the AERO interface sets the UDP destination port to 8060 (i.e., the IANA-registered port number for AERO) when AERO-only encapsulation is used. For packets sent to a neighboring Client, the AERO interface sets the UDP destination port to the port value stored in the neighbor cache entry for this neighbor.
The AERO interface next sets the IP protocol number in the encapsulation header to the appropriate value for the first protocol layer within the encapsulation (e.g., IPv6, UDP, IPsec, etc.). When IPv6 is used as the encapsulation protocol, the interface then sets the flow label value in the encapsulation header the same as described in [RFC6438]. When IPv4 is used as the encapsulation protocol, the AERO interface sets the DF bit as discussed in Section 3.6.
AERO interfaces decapsulate packets destined either to the node itself or to a destination reached via an interface other than the receiving AERO interface. When AERO UDP encapsulation is used (i.e., when a UDP header with destination port 8060 is present) the interface examines the first octet of the encapsulated packet. If the most significant four bits of the first octet encode the value '0110' (i.e., the version number value for IPv6), the packet is accepted and the encapsulating UDP header is discarded; otherwise, the packet is discarded.
Further decapsulation then proceeds according to the appropriate tunnel type [RFC2473][RFC4213][RFC4301][RFC5246].
AERO Clients observe the IPv6 node requirements defined in [RFC6434]. AERO Clients first discover the link-layer addresses of AERO Servers via static configuration, or through an automated means such as DNS name resolution. In the absence of other information, the Client resolves the Fully-Qualified Domain Name (FQDN) "linkupnetworks.domainname", where "domainname" is the DNS domain appropriate for the Client's attached underlying network. After discovering the link-layer addresses, the Client associates with one or more of the corresponding Servers.
To associate with a Server, the Client acts as a requesting router to request an IPv6 prefix through DHCPv6 PD [RFC3315][RFC3633][RFC6355] using fe80::ffff:ffff:ffff:ffff as the IPv6 source address (see Section 3.3), 'All_DHCP_Relay_Agents_and_Servers' as the IPv6 destination address and the link-layer address of the Server as the link-layer destination address. The Client includes a DHCPv6 Unique Identifier (DUID) in the Client Identifier option of its DHCPv6 messages (as well as a DHCPv6 authentication option if necessary) to identify itself to the DHCPv6 server. If the Client is pre-provisioned with an IPv6 prefix associated with the AERO service, it MAY also include the prefix in an IA_PD option in its DHCPv6 Request to indicate its preferred prefix to the DHCPv6 server. The Client then sends the encapsulated DHCPv6 request via an underlying interface.
When the Client receives its prefix delegation via a Reply from the DHCPv6 server, it creates a neighbor cache entry with the Server's link-local address (i.e., fe80::ID) as the network layer address and the Server's encapsulation address as the link-layer addresses. Next, the Client assigns the AERO address derived from the delegated prefix to the AERO interface and sub-delegates the prefix to nodes and links within its attached EUNs (the AERO address thereafter remains stable as the Client moves). The Client also sets both the ACCEPT and FORWARD timers for each Server to infinity, since the Client will remain with this Server unless it explicitly terminates the association. The Client further renews its prefix delegation by performing DHCPv6 Renew/Reply exchanges with its AERO address as the IPv6 source address, 'All_DHCP_Relay_Agents_and_Servers' as the IPv6 destination address, the link-layer address of a Server as the link-layer destination address and the same DUID and authentication information. If the Client wishes to associate with multiple Servers, it can perform DHCPv6 Renew/Reply exchanges via each of the Servers.
The Client then sends an RS message to each of its associated Servers to receive an RA message with a default router lifetime and any other link-specific parameters. When the Client receives an RA message, it configures or updates a default route according to the default router lifetime but ignores any Prefix Information Options (PIOs) included in the RA message since the AERO link is link-local-only. The Client further ignores any RS messages it might receive, since only Servers may process RS messages.
The Client then sends periodic RS messages to each Server (subject to rate limiting) to obtain new RA messages for Neighbor Unreachability Detection (NUD), to refresh any network state, and to update the default router lifetime and any other link-specific parameters. The Client can also forward IPv6 packets destined to networks beyond its local EUNs via a Server as an IPv6 default router. The Server may in turn return a redirection message informing the Client of a neighbor on the AERO link that is topologically closer to the final destination (see Section 3.9).
Note that, since the Client's AERO address is configured from the unique DHCPv6 prefix delegation it receives, there is no need for Duplicate Address Detection (DAD) on AERO links. Other nodes maliciously attempting to hijack an authorized Client's AERO address will be denied access to the network by the DHCPv6 server due to an unacceptable link-layer address and/or security parameters (see: Security Considerations).
AERO Servers observe the IPv6 router requirements defined in [RFC6434] and further configure a DHCPv6 relay function on their AERO links. AERO Servers arrange to add their (link-layer) IP Addresses to the DNS resource records for the FQDN "linkupnetworks.domainname" before entering service.
When an AERO Server relays a prospective Client's DHCPv6 PD messages to the DHCPv6 server, it wraps each message in a "Relay-forward" message per [RFC3315] and includes a DHCPv6 Interface Identifier option that encodes a value that identifies the AERO link to the DHCPv6 server. Without creating internal state, the Server then includes the Client's link-layer address in a DHCPv6 Client Link Layer Address Option (CLLAO) [RFC6939] with the link-layer address format shown in Figure 1 (i.e., Link ID followed by Preference followed by UDP Port Number followed by IP Address). The Server sets the CLLAO 'option-length' field to 22 (2 plus the length of the link-layer address) and sets the 'link-layer type' field to TBD (see: IANA Considerations). The Server finally includes a DHCPv6 Echo Request Option (ERO) [RFC4994] that encodes the option code for the CLLAO in a 'requested-option-code-n' field, then relays the message to the DHCPv6 server. The CLLAO information will therefore subsequently be echoed back in the DHCPv6 server's "Relay-reply" message.
When the DHCPv6 server issues the IPv6 prefix delegation in a "Relay-reply" message via the AERO Server (acting as a DHCPv6 relay), the Server obtains the Client's link-layer address from the echoed CLLAO option and obtains the Client's delegated prefix from the included IA_PD option. The Server then creates a neighbor cache entry for the Client's AERO address with the Client's link-layer address as the link-layer address for the neighbor cache entry. The neighbor cache entry is created with both ACCEPT and FORWARD timers set to infinity, since the Client will remain with this Server unless it explicitly terminates the association (however, the Server SHOULD set a finite expiration timer for the neighbor cache entry itself in case the Client goes unreachable for an extended period of time).
The Server also configures an IPv6 forwarding table entry that lists the Client's AERO address as the next hop toward the delegated IPv6 prefix with a lifetime derived from the DHCPv6 lease lifetime. The Server finally injects the Client's prefix as an IPv6 route into the inter-Server/Relay routing system (see: [IRON]) then relays the DHCPv6 message to the Client while using fe80::ID as the IPv6 source address, the link-local address found in the "peer address" field of the Relay-reply message as the IPv6 destination address, and the Client's link-layer address as the destination link-layer address.
Servers respond to NS/RS messages from Clients on their AERO interfaces by returning an NA/RA message. The Server SHOULD NOT include PIOs in the RA messages it sends to Clients, since the Client will ignore any such options.
Servers ignore any RA messages they may receive from a Client. Servers MAY examine RA messages received from other Servers for consistency verification purposes.
When the Server forwards a packet via the same AERO interface on which it arrived, it initiates an AERO route optimization procedure as specified in Section 3.9.
Figure 2 depicts the AERO redirection reference operational scenario. The figure shows an AERO Server('A'), two AERO Clients ('B', 'C') and three ordinary IPv6 hosts ('D', 'E', 'F'):
.-(::::::::) .-(::: IPv6 :::)-. +-------------+ (:::: Internet ::::)--| Host F | `-(::::::::::::)-' +-------------+ `-(::::::)-' 2001:db8:2::1 | +--------------+ | AERO Server A| | (D->B; E->C) | +--------------+ fe80::ID L2(A) | X-----+-----------+-----------+--------X | AERO Link | L2(B) L2(C) fe80::2001:db8:0:0 fe80::2001:db8:1:0 .-. +--------------+ +--------------+ ,-( _)-. | AERO Client B| | AERO Client C| .-(_ IPv6 )-. | (default->A) | | (default->A) |--(__ EUN ) +--------------+ +--------------+ `-(______)-' 2001:DB8:0::/48 2001:DB8:1::/48 | | 2001:db8:1::1 .-. +-------------+ ,-( _)-. 2001:db8:0::1 | Host E | .-(_ IPv6 )-. +-------------+ +-------------+ (__ EUN )--| Host D | `-(______)-' +-------------+
Figure 2: AERO Reference Operational Scenario
In Figure 2, AERO Server ('A') connects to the AERO link and connects to the IPv6 Internet, either directly or via an AERO Relay (not shown). Server ('A') assigns the address fe80::ID to its AERO interface with link-layer address L2(A). Server ('A') next arranges to add L2(A) to a published list of valid Servers for the AERO link.
AERO Client ('B') receives the IPv6 prefix 2001:db8:0::/48 in a DHCPv6 PD exchange via AERO Server ('A') then assigns the address fe80::2001:db8:0:0 to its AERO interface with link-layer address L2(B). Client ('B') configures a default route and neighbor cache entry via the AERO interface with next-hop address fe80::ID and link-layer address L2(A), then sub-delegates the prefix 2001:db8:0::/48 to its attached EUNs. IPv6 host ('D') connects to the EUN, and configures the address 2001:db8:0::1.
AERO Client ('C') receives the IPv6 prefix 2001:db8:1::/48 in a DHCPv6 PD exchange via AERO Server ('A') then assigns the address fe80::2001:db8:1:0 to its AERO interface with link-layer address L2(C). Client ('C') configures a default route and neighbor cache entry via the AERO interface with next-hop address fe80::ID and link-layer address L2(A), then sub-delegates the prefix 2001:db8:1::/48 to its attached EUNs. IPv6 host ('E') connects to the EUN, and configures the address 2001:db8:1::1.
Finally, IPv6 host ('F') connects to an IPv6 network outside of the AERO link domain. Host ('F') configures its IPv6 interface in a manner specific to its attached IPv6 link, and assigns the address 2001:db8:2::1 to its IPv6 link interface.
With reference to Figure 2, when the IPv6 source host ('D') sends a packet to an IPv6 destination host ('E'), the packet is first forwarded via the EUN to AERO Client ('B'). Client ('B') then forwards the packet over its AERO interface to AERO Server ('A'), which then re-encapsulates and forwards the packet to AERO Client ('C'), where the packet is finally forwarded to the IPv6 destination host ('E'). When Server ('A') re-encapsulates and forwards the packet back out on its advertising AERO interface, it must arrange to redirect Client ('B') toward Client ('C') as a better next-hop node on the AERO link that is closer to the final destination. However, this redirection process applied to AERO interfaces must be more carefully orchestrated than on ordinary links since the parties may be separated by potentially many underlying network routing hops.
Consider a first alternative in which Server ('A') informs Client ('B') only and does not inform Client ('C') (i.e., "classical redirection"). In that case, Client ('C') has no way of knowing that Client ('B') is authorized to forward packets from the claimed source address, and it may simply elect to drop the packets. Also, Client ('B') has no way of knowing whether Client ('C') is performing some form of source address filtering that would reject packets arriving from a node other than a trusted default router, nor whether Client ('C') is even reachable via a direct path that does not involve Server ('A').
Consider a second alternative in which Server ('A') informs both Client ('B') and Client ('C') separately, via independent redirection control messages (i.e., "augmented redirection"). In that case, if Client ('B') receives the redirection control message but Client ('C') does not, subsequent packets sent by Client ('B') could be dropped due to filtering since Client ('C') would not have a route to verify the claimed source address. Also, if Client ('C') receives the redirection control message but Client ('B') does not, subsequent packets sent in the reverse direction by Client ('C') would be lost.
Since both of these alternatives have shortcomings, a new redirection technique (i.e., "AERO redirection") is needed.
Again, with reference to Figure 2, when source host ('D') sends a packet to destination host ('E'), the packet is first forwarded over the source host's attached EUN to Client ('B'), which then forwards the packet via its AERO interface to Server ('A').
Server ('A') then re-encapsulates and forwards the packet out the same AERO interface toward Client ('C') and also sends an AERO "Predirect" message forward to Client ('C') as specified in Section 3.9.5. The Predirect message includes Client ('B')'s network- and link-layer addresses as well as information that Client ('C') can use to determine the IPv6 prefix used by Client ('B') . After Client ('C') receives the Predirect message, it process the message and returns an AERO Redirect message destined for Client ('B') via Server ('A') as specified in Section 3.9.6. During the process, Client ('C') also creates or updates a neighbor cache entry for Client ('B') and creates an IPv6 forwarding table entry for Client ('B')'s IPv6 prefix.
When Server ('A') receives the Redirect message, it re-encapsulates the message and forwards it on to Client ('B') as specified in Section 3.9.7. The message includes Client ('C')'s network- and link-layer addresses as well as information that Client ('B') can use to determine the IPv6 prefix used by Client ('C'). After Client ('B') receives the Redirect message, it processes the message as specified in Section 3.9.8. During the process, Client ('B') also creates or updates a neighbor cache entry for Client ('C') and creates an IPv6 forwarding table entry for Client ('C')'s IPv6 prefix.
Following the above Predirect/Redirect message exchange, forwarding of packets from Client ('B') to Client ('C') without involving Server ('A) as an intermediary is enabled. The mechanisms that support this exchange are specified in the following sections.
AERO Redirect/Predirect messages use the same format as for ICMPv6 Redirect messages depicted in Section 4.5 of [RFC4861], but also include a new "Prefix Length" field taken from the low-order 8 bits of the Redirect message Reserved field (valid values for the Prefix Length field are 0 through 64). The Redirect/Predirect messages are formatted as shown in Figure 3:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type (=137) | Code (=0/1) | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | Prefix Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + + | | + Target Address + | | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + + | | + Destination Address + | | + + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Options ... +-+-+-+-+-+-+-+-+-+-+-+-
Figure 3: AERO Redirect/Predirect Message Format
When a Server forwards a packet out the same AERO interface that it arrived on, the Server sends a Predirect message forward toward the AERO Client nearest the destination instead of sending a Redirect message back to the Client nearest the source.
In the reference operational scenario, when Server ('A') forwards a packet sent by Client ('B') toward Client ('C'), it also sends a Predirect message forward toward Client ('C'), subject to rate limiting (see Section 8.2 of [RFC4861]). Server ('A') prepares the Predirect message as follows:
Server ('A') then sends the message forward to Client ('C').
When Client ('C') receives a Predirect message, it accepts the message only if the message has a link-layer source address of the Server, i.e. 'L2(A)'. Client ('C') further accepts the message only if it is willing to serve as a redirection target. Next, Client ('C') validates the message according to the ICMPv6 Redirect message validation rules in Section 8.1 of [RFC4861].
In the reference operational scenario, when Client ('C') receives a valid Predirect message, it either creates or updates a neighbor cache entry that stores the Target Address of the message as the network-layer address of Client ('B') and stores the link-layer address found in the TLLAO as the link-layer address(es) of Client ('B'). Client ('C') then sets the neighbor cache entry ACCEPT timer with timeout value ACCEPT_TIME. Next, Client ('C') applies the Prefix Length to the Destination Address and records the resulting IPv6 prefix in its IPv6 forwarding table.
After processing the message, Client ('C') prepares a Redirect message response as follows:
After Client ('C') prepares the Redirect message, it sends the message to Server ('A').
When Server ('A') receives a Redirect message from Client ('C'), it validates the message according to the ICMPv6 Redirect message validation rules in Section 8.1 of [RFC4861] and also verifies that Client ('C') is authorized to use the Prefix Length in the Redirect message when applied to the AERO address in the network-layer source of the Redirect message by searching for the AERO address' embedded prefix in the IPv6 routing table. If validation fails, Server ('A') discards the message; otherwise, it copies the correct UDP Port number and IP Address into the TLLAO supplied by Client ('C').
Server ('A') then examines the network layer destination address of the message to determine the IPv6 next hop toward the prefix of Client ('B') by searching for the AERO address' embedded prefix in the IPv6 routing table. If the next hop is reached via the AERO interface, Server ('A') re-encapsulates the Redirect and relays it on to Client ('B') by changing the link-layer source address of the message to 'L2(A)', changing the link-layer destination address to 'L2(B)' and changing the network layer source address to fe80::ID. Server ('A') finally forwards the re-encapsulated message to Client ('B') without decrementing the network-layer IPv6 header Hop Limit field.
While not shown in Figure 2, AERO Relays relay Redirect and Predirect messages in exactly this same fashion described above. See Figure 4 in Appendix A for an extension of the reference operational scenario that includes Relays.
When Client ('B') receives the Redirect message, it accepts the message only if it has a link-layer source address of the Server, i.e. 'L2(A)'. Next, Client ('B') validates the message according to the ICMPv6 Redirect message validation rules in Section 8.1 of [RFC4861]. Following validation, Client ('B') then processes the message as follows.
In the reference operational scenario, when Client ('B') receives the Redirect message, it either creates or updates a neighbor cache entry that stores the Target Address of the message as the network-layer address of Client ('C') and stores the link-layer address found in the TLLAO as the link-layer address of Client ('C'). Client ('B') then sets the neighbor cache entry FORWARD timer with timeout value FORWARD_TIME. Next, Client ('B') applies the Prefix Length to the Destination Address and records the resulting IPv6 prefix in its IPv6 forwarding table.
Now, Client ('B') has an IPv6 forwarding table entry for Client('C')'s prefix and a neighbor cache entry with a valid FORWARD time, while Client ('C') has an IPv6 forwarding table entry for Client ('B')'s prefix with a valid ACCEPT time. Thereafter, Client ('B') may forward ordinary network-layer data packets directly to Client ("C") without involving Server ('A') and Client ('C') can verify that the packets came from an acceptable source. (In order for Client ('C') to forward packets to Client ('B') a corresponding Predirect/Redirect message exchange is required in the reverse direction.)
In some environments, the Server nearest the Client may need to serve as the redirection target, e.g., if direct Client-to-Client communications are not possible. In that case, the Redirect message Target Address encodes the link-local address of the Server instead of the link-local address of the Client.
AERO nodes send unicast NS messages to elicit NA messages from neighbors the same as described for Neighbor Unreachability Detection (NUD) in [RFC4861]. When an AERO node sends an NS/NA message, it MUST use its AERO address as the IPv6 source address and the link-local address of the neighbor as the IPv6 destination address. When an AERO node receives an NS/NA message, it accepts the message if it has a neighbor cache entry for the neighbor; otherwise, it ignores the message.
When a source Client is redirected to a target Client it SHOULD test the direct path to the target by sending an initial NS message to elicit a solicited NA response. While testing the path, the source Client can either continue sending packets via the Server or maintain a small queue of packets until target reachability is confirmed. The source Client SHOULD thereafter continue to test the direct path to the target Client (see Section 7.3 of [RFC4861]) periodically in order to keep neighbor cache entries alive. In particular, the source Client sends NS messages to the target Client subject to rate limiting in order to receive solicited NA messages. If at any time the direct path appears to be failing, the source Client can resume sending packets via the Server which may or may not result in a new redirection event.
When a target Client receives an NS message from a source Client, it resets the ACCEPT timer to ACCEPT_TIME if a neighbor cache entry exists; otherwise, it discards the NS message.
When a source Client receives a solicited NA message from a target Client, it resets the FORWARD timer to FORWARD_TIME if a neighbor cache entry exists; otherwise, it discards the NA message.
When the FORWARD timer on a neighbor cache entry expires, the source Client resumes sending any subsequent packets via the Server and may (eventually) receive a new Redirect message. When the ACCEPT timer on a neighbor cache entry expires, the target Client discards any subsequent packets received directly from the source Client. When both the FORWARD and ACCEPT timers on a neighbor cache entry expire, the Client deletes both the neighbor cache entry and the corresponding IPv6 forwarding table entry.
If the source Client is unable to elicit an NA response from the target Client after MAX_RETRY attempts, it SHOULD consider the direct path unusable for forwarding purposes. Otherwise, the source Client considers the path usable and SHOULD thereafter process any link-layer errors as a hint that the direct path to the target Client has either failed or has become intermittent.
When a Client needs to change its link-layer address (e.g., due to a mobility event), it performs an immediate DHCPv6 Renew/Reply via each of its Servers using the new link-layer address as the source. The DHCPv6 Renew/Reply exchange will update each Server's neighbor cache. Next, the Client sends a Predirect message to each of its active neighbors via a Server as follows:
When the Server receives the Predirect message, it copies the correct UDP port number and IP address into the TLLAO supplied by the Client, changes the link-layer source address to its own address, changes the link-layer destination address to the address of the neighbor, changes the network layer source address to fe80::ID, then forwards the Predirect message to the neighbor based on an IPv6 route matching the AERO address in the network layer destination address. When the neighbor receives the Predirect message, it returns a Redirect message the same as specified in Section 3.9.
When a Client associates with a new Server, it issues a new DHCPv6 Renew message via the new Server as the DHCPv6 relay. The new Server then relays the message to the DHCPv6 server and processes the resulting exchange. After the Client receives the resulting DHCPv6 Reply message, it sends an RS message to the new Server to receive a new RA message.
When a Client disassociates with an existing Server, it sends a "terminating RS" message to the old Server. The terminating RS message is prepared exactly the same as for an ordinary RS message, except that the Code field contains the value '1'. When the old Server receives the terminating RS message, it withdraws the IPv6 route from the routing system and deletes the neighbor cache entry and IPv6 forwarding table entry for the Client. The old Server then returns an RA message with default router lifetime set to 0 which the Client can use to verify that the termination signal has been processed. The client then deletes both the default route and the neighbor cache entry for the old Server. (Note that the Client and the old Server MAY impose a small delay before deleting the neighbor cache and IPv6 forwarding table entries so that any packets already in the system can still be delivered to the Client.)
A source Client may connect only to an IPvX underlying network, while the target Client connects only to an IPvY underlying network. In that case, the target and source Clients have no means for reaching each other directly (since they connect to underlying networks of different IP protocol versions) and so must ignore any redirection messages and continue to send packets via the Server.
When the underlying network does not support multicast, AERO nodes map IPv6 link-scoped multicast addresses (including 'All_DHCP_Relay_Agents_and_Servers') to the underlying IP address of a Server.
When the underlying network supports multicast, AERO nodes use the multicast address mapping specification found in [RFC2529] for IPv4 underlying networks and use a direct multicast mapping for IPv6 underlying networks. (In the latter case, "direct multicast mapping" means that if the IPv6 multicast destination address of the encapsulated packet is "M", then the IPv6 multicast destination address of the encapsulating header is also "M".)
When the AERO link does not provide DHCPv6 services, operation can still be accommodated through administrative configuration of prefixes on AERO Clients. In that case, administrative configurations of IPv6 routes and AERO interface neighbor cache entries on both the Server and Client are also necessary. However, this may preclude the ability for Clients to dynamically change to new Servers, and can expose the AERO link to misconfigurations unless the administrative configurations are carefully coordinated.
In some AERO link scenarios, there may be no Servers on the link and/or no need for Clients to use a Server as an intermediary trust anchor. In that case, each Client can then act as its own Server to establish neighbor cache entries and IPv6 forwarding table entries by performing direct Client-to-Client Predirect/Redirect exchanges, and some other form of trust basis must be applied so that each Client can verify that the prospective neighbor is authorized to use its claimed prefix.
When there is no Server on the link, Clients must arrange to receive prefix delegations and publish the delegations via a secure alternate prefix delegation authority through some means outside the scope of this document.
IPv6 hosts serviced by an AERO Client can reach IPv4-only services via a NAT64 gateway [RFC6146] within the IPv6 network.
AERO nodes can use the Default Address Selection Policy with DHCPv6 option [RFC7078] the same as on any IPv6 link.
All other (non-multicast) functions that operate over ordinary IPv6 links operate in the same fashion over AERO links.
An application-layer implementation is in progress.
The IANA is instructed to assign a new 2-octet Hardware Type number for AERO in the "arp-parameters" registry per Section 2 of [RFC5494]. The number is assigned from the 2-octet Unassigned range with Hardware Type "AERO" and with this document as the reference.
AERO link security considerations are the same as for standard IPv6 Neighbor Discovery [RFC4861] except that AERO improves on some aspects. In particular, AERO uses a trust basis between Clients and Servers, where the Clients only engage in the AERO mechanism when it is facilitated by a trust anchor. AERO also uses DHCPv6 authentication for Client authentication and admissions control.
AERO links must be protected against link-layer address spoofing attacks in which an attacker on the link pretends to be a trusted neighbor. Links that provide link-layer securing mechanisms (e.g., WiFi networks) and links that provide physical security (e.g., enterprise network wired LANs) provide a first line of defense that is often sufficient. In other instances, additional securing mechanisms such as Secure Neighbor Discovery (SeND) [RFC3971], IPsec [RFC4301] or TLS [RFC5246] may be necessary.
AERO Clients MUST ensure that their connectivity is not used by unauthorized nodes on EUNs to gain access to a protected network, i.e., AERO Clients that act as IPv6 routers MUST NOT provide routing services for unauthorized nodes. (This concern is no different than for ordinary hosts that receive an IP address delegation but then "share" the address with unauthorized nodes via an IPv6/IPv6 NAT function.)
On some AERO links, establishment and maintenance of a direct path between neighbors requires secured coordination such as through the Internet Key Exchange (IKEv2) protocol [RFC5996] to establish a security association.
Discussions both on IETF lists and in private exchanges helped shape some of the concepts in this work. Individuals who contributed insights include Mikael Abrahamsson, Fred Baker, Stewart Bryant, Brian Carpenter, Wojciech Dec, Brian Haberman, Joel Halpern, Sascha Hlusiak, Lee Howard, Joe Touch and Bernie Volz. Members of the IESG also provided valuable input during their review process that greatly improved the document. Special thanks go to Stewart Bryant, Joel Halpern and Brian Haberman for their shepherding guidance.
This work has further been encouraged and supported by Boeing colleagues including Keith Bartley, Dave Bernhardt, Cam Brodie, Balaguruna Chidambaram, Wen Fang, Anthony Gregory, Jeff Holland, Ed King, Gen MacLean, Kent Shuey, Mike Slane, Julie Wulff, Yueli Yang, and other members of the BR&T and BIT mobile networking teams.
Earlier works on NBMA tunneling approaches are found in [RFC2529][RFC5214][RFC5569].
Figure 2 depicts a reference AERO operational scenario with a single Server on the AERO link. In order to support scaling to larger numbers of nodes, the AERO link can deploy multiple Servers and Relays, e.g., as shown in Figure 4.
.-(::::::::) .-(::: IPv6 :::)-. (:: Internetwork ::) `-(::::::::::::)-' `-(::::::)-' | +--------------+ +------+-------+ +--------------+ |AERO Server C | | AERO Relay D | |AERO Server E | | (default->D) | | (A->C; G->E) | | (default->D) | | (A->B) | +-------+------+ | (G->F) | +-------+------+ | +------+-------+ | | | X---+---+-------------------+------------------+---+---X | AERO Link | +-----+--------+ +--------+-----+ |AERO Client B | |AERO Client F | | (default->C) | | (default->E) | +--------------+ +--------------+ .-. .-. ,-( _)-. ,-( _)-. .-(_ IPv6 )-. .-(_ IPv6 )-. (__ EUN ) (__ EUN ) `-(______)-' `-(______)-' | | +--------+ +--------+ | Host A | | Host G | +--------+ +--------+
Figure 4: AERO Server/Relay Interworking
When host ('A') sends a packet toward destination host ('G'), IPv6 forwarding directs the packet through the EUN to Client ('B'), which forwards the packet to Server ('C') in absence of more-specific forwarding information. Server ('C') forwards the packet, and it also generates an AERO Predirect message that is then forwarded through Relay ('D') to Server ('E'). When Server ('E') receives the message, it forwards the message to Client ('F').
After processing the AERO Predirect message, Client ('F') sends an AERO Redirect message to Server ('E'). Server ('E'), in turn, forwards the message through Relay ('D') to Server ('C'). When Server ('C') receives the message, it forwards the message to Client ('B') informing it that host 'G's EUN can be reached via Client ('F'), thus completing the AERO redirection.
The network layer routing information shared between Servers and Relays must be carefully coordinated in a manner outside the scope of this document. In particular, Relays require full topology information, while individual Servers only require partial topology information (i.e., they only need to know the EUN prefixes associated with their current set of Clients). See [IRON] for an architectural discussion of routing coordination between Relays and Servers.