Internet DRAFT - draft-cheng-nsis-flowid-issues

draft-cheng-nsis-flowid-issues







Next Steps in Signaling (nsis)                                  H. Cheng
Internet-Draft                                                  J. Huang
Expires: April 27, 2006                                         T. Sanda
                                                                   T. Ue
                                                               Panasonic
                                                        October 24, 2005


             NSIS Flow ID and packet classification issues
                 draft-cheng-nsis-flowid-issues-02.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 27, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   In current NSIS signaling, there are two main functions depending on
   Flow ID, i.e. signaling message routing, data packet classification.
   Specifically, the same information carried by the MRI is also used to
   derive the packet classification at NSLP layer.  This arrangement
   assumes that identical information is required by the two functions
   at two different layers, and thus has limitations.  With the



Cheng, et al.            Expires April 27, 2006                 [Page 1]

Internet-Draft             NSIS Flow ID issues              October 2005


   introduction of NSIS applications in more complicated scenarios, such
   assumption can no longer hold.  Therefore, keeping the dependency
   between the two functions hinders the development of NSIS.  Efforts
   have been made in different NSLP layer applications to extend the
   relationship, e.g.  QoS NSLP.  This draft studied the possibility of
   disjoining the information for the two functions.  Problems faced by
   the current system and different remedy options are discussed.  With
   these details, it is intended to help the reader to evaluate the
   feasibility of redefining the packet classification information
   signaling in NSIS.


Table of Contents

   1.  Conventions used in this document  . . . . . . . . . . . . . .  3
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  6
   4.  Problem analysis for Flow ID usage . . . . . . . . . . . . . .  7
     4.1.  Multiple addresses involved session  . . . . . . . . . . .  8
     4.2.  Predictive signaling scenario  . . . . . . . . . . . . . .  9
     4.3.  Packet classification information manipulations  . . . . . 10
   5.  Separation of MRI and Packet Classification Information  . . . 13
     5.1.  Considerations with multiple addresses involved
           sessions . . . . . . . . . . . . . . . . . . . . . . . . . 13
       5.1.1.  Different options for multiple addresses support . . . 13
       5.1.2.  Support of multiple addresses using Filer List . . . . 15
     5.2.  Considerations with predictive signaling support . . . . . 16
     5.3.  Considerations for packet classification information
           manipulation . . . . . . . . . . . . . . . . . . . . . . . 16
     5.4.  Changes at the framework/NTLP layer  . . . . . . . . . . . 17
     5.5.  Changes at the NSLP layer  . . . . . . . . . . . . . . . . 18
   6.  Impact analysis  . . . . . . . . . . . . . . . . . . . . . . . 19
     6.1.  Single object vs. separate objects . . . . . . . . . . . . 19
     6.2.  Location of the packet classification object . . . . . . . 19
       6.2.1.  Object placed in NTLP layer  . . . . . . . . . . . . . 20
       6.2.2.  Object placed in NSLP layer  . . . . . . . . . . . . . 20
       6.2.3.  Object placed in QSPEC . . . . . . . . . . . . . . . . 21
     6.3.  General packet classifier vs. model specific classifier  . 21
   7.  Possible optimization with the PACKET_CLASSIFIER object  . . . 22
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 23
   9.  Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . 24
   10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 25
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 26
     11.1. Normative Reference  . . . . . . . . . . . . . . . . . . . 26
     11.2. Informative References . . . . . . . . . . . . . . . . . . 26
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28
   Intellectual Property and Copyright Statements . . . . . . . . . . 29




Cheng, et al.            Expires April 27, 2006                 [Page 2]

Internet-Draft             NSIS Flow ID issues              October 2005


1.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC2119 [1].














































Cheng, et al.            Expires April 27, 2006                 [Page 3]

Internet-Draft             NSIS Flow ID issues              October 2005


2.  Introduction

   With the NSIS framework design [2], signaling message routing and
   data flow classification are two important functions at two layers,
   i.e.  NTLP and NSLP respectively.  However, information to support
   the two functions is derived from the same element, Flow ID.  This
   type of arrangement has limitation on the NSIS application, and
   creates problem when deployment setting is not as assumed.
   Therefore, this aspect of the design needs to be reviewed and
   improved.

   The linkage between the two functions is based on the path-coupled
   signaling principle of the framework.  In a path coupled MRM, the
   signaling message is suppose to go through the exact path of the data
   flow.  To this end, NTLP layer protocol needs to use a MRI resembling
   the flow identification as much as possible.  In the GIST draft [3],
   the MRI has been set as the Flow ID for the path-coupled MRM (or a
   simplified version of Flow ID for loose-end MRM).  This essentially
   sets the information for the message routing and flow identification
   (packet classification) to be identical.  The MRI is passed from the
   NSLP through a set of API to the NTLP layer when a NSLP message is to
   be sent, and passed from NTLP layer up to NSLP layer when a NSLP
   message is received.  Due to the assumption that flow identification
   is always the same as MRI, NSLP applications, e.g.  QoS NSLP [4], no
   longer has an element to carry the packet classification information.
   Thus, MRI is used by the NSLP layer to derive the packet
   classification information.

   Obviously, such an arrangement brings problem when the routing
   information does not synchronize with the flow identification
   information.  There are two possible cases, i.e. when the flow
   identification (classification) information has a wider scope than
   that used for routing, and when the flow identification information
   has a more specific scope than that use for routing.  Section 4
   discusses in detail of the scenarios where problems exist.

   In an effort to bridge the difference between MRI and flow
   identification information, some NSLP applications introduced new
   objects.  For example, QoS NSLP [4] included a PACKET_CLASSIFIER
   object.  However, since the new object still heavily relies on the
   MRI to derive the packet classification information, it does not
   solve the problem.

   Rather than trying objects to extend MRI, this draft investigate the
   possibility of using a disjoint object at NSLP layer to carry the
   packet classification information.  With an extensible format, the
   new object can easily support multiple address pairs.  This helps in
   a multihoming environment, and makes it possible to signal for flows



Cheng, et al.            Expires April 27, 2006                 [Page 4]

Internet-Draft             NSIS Flow ID issues              October 2005


   not specified by the MRI.  Different aspects of introducing such an
   object are discussed in the draft, e.g. place of the object, NAT
   traversal issues, etc.  With the recent discussion in the mailing
   list regarding packet classification, it is the intension of the
   draft to provide views on relevant issues to help the WG to reach
   consensus on the topic.













































Cheng, et al.            Expires April 27, 2006                 [Page 5]

Internet-Draft             NSIS Flow ID issues              October 2005


3.  Terminology

   The Terminology defined in [2], [3] and [4] applies to this draft.
   In addition, the following terms are used:

   Filter List: A list of address attributes that can be used for
   classifying the packets associated with a particular flow.

   Flow Identification and Data Packet Classification are used
   interchangeably in this draft.









































Cheng, et al.            Expires April 27, 2006                 [Page 6]

Internet-Draft             NSIS Flow ID issues              October 2005


4.  Problem analysis for Flow ID usage

   In the existing NSIS Working Group drafts, the Flow ID is defined as
   an identifier that "provide enough information such that the
   signaling flow receives the same treatment along the data path as the
   actual data itself" [2].  It is also identified that information to
   be used for the identifier includes Source IP address, Destination IP
   address, protocol identifier and higher layer (port) addressing, flow
   label, SPI filed of IPsec data, and DSCP/TOS filed.  The reason for
   placing the Flow ID in the NTLP layer is to allow visibility and
   modification at the address boundaries [2].  There are multiple
   usages of Flow ID described in NSIS drafts.

   In the GIST document [3], for a path-coupled MRM, the Flow ID is
   utilized as the Message-Routing-Information (MRI).  The MRI is then
   required to be set at NSLP message sender.  A formation of the Flow
   ID is provided as:

      Flow-Identifier = Network-layer-version

                        Source-address prefix-length

                        Destination-address prefix-length

                        IP-protocol

                        Traffic-class

                        [flow-label]

                        [ipsec-SPI/L4-ports]

   In the signaling applications, it is usually necessary to have
   information about the packet classification for the enforcement.
   Based on the description of the signaling applications drafts, this
   information has to be derived from the MRI.  For example, in the QoS-
   NSLP draft [4], the packet classification information is derived from
   the MRI fields indicated by the PACKET_CLASSIFIER object.  Therefore,
   it is assumed that the QNE would set the Packet Classifier in its
   Traffic Control module based on a subset of the MRI information.

   In the QoS-NSLP draft [4], it is also mentioned that the Flow ID is
   used for the signaling state management.  For example, it will help
   the QNE to detect a mobility event.

   It is obvious from the above that the Flow ID is heavily depended on
   in the NSIS signaling, and therefore has multiple functions
   associated.  This kind of overloading of the Flow ID works fine with



Cheng, et al.            Expires April 27, 2006                 [Page 7]

Internet-Draft             NSIS Flow ID issues              October 2005


   a simplified static network environment.  However, with scales of the
   network growing and complexities increasing, adverse impacts are
   introduced to NSIS, with the Flow ID striving to meet the
   requirements of all the functions.  Following sections provide detail
   analysis of three examples where Flow ID of current NSIS design may
   not function properly.

4.1.  Multiple addresses involved session

   According to the definition of the data flow, it is possible that
   multiple addresses are involved.  The multiple addresses could be
   different IP addresses, different port numbers, or different higher
   layer protocol types, etc.  With the development of the networking
   technology, it is becoming common to use multiple streams sessions.
   These streams may make use of different addresses, but could still
   goes through the same data path.  Multihoming, multi-threading, and
   aggregation, etc., are the possible reasons that require different
   addresses to be signaled over one session.  Below are some of the
   detail examples:

   - Edge to edge signaling is a case that may involve multiple
   addresses in the flow signaled.  For example, if several flows are
   aggregated at a domain entry point, the signaling sent for the
   aggregated flow would contain several sets of addressing information.

   - The multiple addresses could also be the different higher protocol
   addresses, e.g. several port numbers used in a multiple thread
   session.  This type of multi-thread method is widely used in some
   popular FTP clients.  Usually, a download session would be limited by
   the server resource allocation and network condition.  The throughput
   achieved is thus also limited.  To boost the downloading speed, the
   FTP clients establish multiple connections with the server, and
   download the file simultaneously.  This would achieve much higher
   throughput.  In the process, the terminal device will use multiple
   ports in the communication for the multiple connections.  Since all
   these concurrent connections belong to the same session, it is better
   for NSIS to signal all the port numbers in one single signaling
   message.

   With the current definition of MRI, there is no way for the multiple
   addresses to be accurately represented.  As quoted above, the MRI
   format only allows a simple prefix for the IP (source and
   destination) address fields.  This may suit for the routing, e.g. to
   represent a group of address within a subnet.  It is not sufficient
   for signaling the packet classification.  For example, with two
   source addresses belong to the same subnet, the two data flows could
   be routed along the same path.  However, if the source addresses are
   wildcarded and fed to the NSLP (eventually RMF) for enforcement,



Cheng, et al.            Expires April 27, 2006                 [Page 8]

Internet-Draft             NSIS Flow ID issues              October 2005


   every node in that subnet connecting to the same peer (destination
   address) would be classified into the same session.  This is
   obviously not acceptable for the QoS enforcement.  Other than the IP
   address prefix, current MRI format does not even provide any
   wildcarding or masking tools for other fields.  Therefore, it is not
   possible to represent multiple address information of other fields,
   e.g. port number, traffic class, etc.

   The latest QoS NSLP draft [4] introduced a PACKET_CLASSIFIER object
   to help deriving the packet classification information.  However, due
   to its simple format, and heavy dependency on the existing MRI, it
   cannot solve the above problem.  For the path-coupled routing MRM,
   the PACKET_CLASSIFIER data is just a two byte field with 8 bits
   utilized.  It can only simply indicate which field of the MRI should
   be considered in deriving the packet classifier.  Obviously, if the
   MRI cannot accurately represent the multiple address flow as
   described above, the PACKET_CLASSIFIER does not help either.  The
   packet classifier constructed would be either too wide, i.e. when one
   or more fields are omitted, or too narrow, i.e. when every field is
   used.

   To solve this problem, a method for signal accurate flow
   classification information needs to be provided.  Different options
   are discussed in detail in section 5.1.

4.2.  Predictive signaling scenario

   Predictive routing support in NSIS is mentioned in [3], where the
   signaling is sent along the path that the data flow may or will
   follow in the future.  The use of predictive routing is crucial for
   make-before-break reservation on predictive paths in mobility
   scenarios.  Make-before-break is necessary for minimum QoS
   interruption at the time of handover [5], since performing NSIS
   signaling after the MN's actual handover causes service interruption
   due to the delay in signaling path establishment.

   Example procedure of make-before-break is as following: when the MN
   intends to handover, it obtains the information of new subnetwork and
   a suitable proxy NE on the predictive path, such as new Access Router
   (nAR), by using proper mobility protocols e.g.  FMIP [10] or CARD
   [11]; then the MN asks the nAR to perform NSIS signaling along
   predictive route.  At this stage nAR may or may not obtain MN's nCoA
   which is necessary for generating packet classifier for the
   predictive path.

   Even if the nAR doesn't have MN's nCoA, it is still desirable that
   the nAR can start the signaling, e.g. establish the NSIS signaling
   path for the MN, so that when the MN moves into the new network, the



Cheng, et al.            Expires April 27, 2006                 [Page 9]

Internet-Draft             NSIS Flow ID issues              October 2005


   QoS path is ready for use with least signaling.  For the path coupled
   MRM, it is obvious that the actual data flow will go pass the nAR.
   Therefore, it is not a problem for the nAR to act as a proxy for the
   MN to pre-establish the signaling path, e.g. send out Query messages
   to find out the QNEs, and check out the resources available over the
   predictive path.  However, with the current definition of NSIS, e.g.
   QoS NSLP [4], the Flow ID (MRI) in use will also dedicate the packet
   classifier for the flow, i.e. the PACKET_CLASSIFIER indicates which
   field of MRI to be used for packet classifier.  Therefore, the nAR
   would not be able to generate a proper Flow ID for this signaling
   without knowing the MN's nCoA.  If the nAR uses an arbitrary address
   to create the Flow ID, the whole signaling process needs to be
   repeated when the MN's nCoA is assigned.  This means nAR cannot send
   any signaling message until obtaining MN's NCoA.  This renders the
   usage of make-before-break limited.

   Obviously, this problem calls for a possibility of separating the
   message routing information from the actual packet classification
   information.  Different options to achieve that and considerations
   are discussed in section 5.2.

4.3.  Packet classification information manipulations

   In certain cases, the address information, e.g. port number, may
   change during the process of a flow.  According to the current
   definition of Flow ID and MRI, it may result in the change of the
   Flow ID (which may trigger further NSIS signaling procedures).

   An example of the address varying application process is the
   establishment of a H.323 session [12].  Protocol like H.323
   establishes the session progressively with the help of different
   auxiliary protocols.  Figure 1 shows a typical example of a H.323
   session establishment process.


















Cheng, et al.            Expires April 27, 2006                [Page 10]

Internet-Draft             NSIS Flow ID issues              October 2005


      +--------+                                +--------+
      | Node A |                                | Node B |
      +--------+                                +--------+
          |                                         |
          |  SETUP (To well known port,e.g. 1720)   | ---+
          |---------------------------------------->|    |
          |                                         |    |Stage 1
          |           ALERTING                      |    | Q.931
          |<----------------------------------------|    | (TCP)
          |                                         |    |
          |        Connect (H.245 Address)          |    |
          |<----------------------------------------| ---+
          |                                         |
          |       H.245 Exchanges                   | ---+
          |<--------------------------------------->|    |
          |                                         |    |
          |   Open LogicChannel (RTCP Address)      |    |
          |---------------------------------------->|    |
          |                                         |    |Stage 2
          | Open LogicChannel Ack(RTCP, RTP address)|    | H.245
          |<----------------------------------------|    |  (TCP)
          |                                         |    |
          |   Open LogicChannel (RTCP Address)      |    |
          |<----------------------------------------|    |
          |                                         |    |
          | Open LogicChannel Ack(RTCP, RTP address)|    |
          |---------------------------------------->| ---+
          |                                         |
          |    RTP Stream                           | ---+
          |---------------------------------------->|    |
          |                                         |    |Stage 3
          |    RTP Stream                           |    | RTP
          |<----------------------------------------|    | (UDP)
          |                                         |    |
          |    RTCP Stream                          |    |
          |<--------------------------------------->| ---+


   Figure 1.  An example session establishment process using H.323

   In the above example, the actual RTP session will only be initiated
   at stage 3, which means the port address may change several times
   before the first RTP data packet is sent out.  However, the NSIS
   messaging needs to start in Stage 1, e.g. to open the firewall
   pinholes.  The problem created from this is that when the address
   information changes, the Flow ID needs to be changed accordingly, so
   that NSIS aware nodes along the path can obtain the correct packet
   classification information.  Otherwise, the local enforcer, e.g. the



Cheng, et al.            Expires April 27, 2006                [Page 11]

Internet-Draft             NSIS Flow ID issues              October 2005


   RMF, could not perform its function correctly.

   However, the change in the Flow ID means another round of NTLP layer
   path establishment according to GIST draft [3].  The reason is that
   the primary key of the message routing state is the combination of
   MRI, SID and NSLPID.  Change of Flow ID means a primary key change
   and the message routing state has to be re-established.  Besides
   this, in the process mentioned above, there could be multiple ports
   opened at the same time, and different transport protocol utilized.
   All these call for a simple way of changing the packet classification
   information along the signaling path without affecting the signaling
   state information.

   Another type of scenarios that requires manipulation of the packet
   classification information of a session is the tunneling case, as
   described in [13].  In such cases, the flow binding requires the
   packet classification information to be merged, and modified during
   the lifetime of the session.

   All these call for a simple way of changing the packet classification
   information along the signaling path without affecting the signaling
   state information.  Section 5.3 provides a detail analysis of the
   options to deal with this requirement.




























Cheng, et al.            Expires April 27, 2006                [Page 12]

Internet-Draft             NSIS Flow ID issues              October 2005


5.  Separation of MRI and Packet Classification Information

   In view of all the problems of the Flow ID in supporting scenarios
   described in previous section, there are three major issues to be
   resolved:

   - NSIS signaling should allow accurate indication of multiple
   addresses information in the signaling of packet classification
   information.

   - NSIS signaling should allow a separation of the message routing
   information and packet classification information when necessary.
   This will facilitates the NSIS signaling from non-end hosts.

   - NSIS signaling should allow modification of the packet
   classification information without affecting the signaling and
   routing state.

   There are different ways to achieve the above goals.  Options and
   considerations are discussed in detail in the following subsections.
   With the discussion, the authors come to a conclusion that utilizing
   a separate object for carrying the packet classification information
   serves the above purpose and is a good trade off between different
   considerations.

   The suggested object could take different form.  Below is an example
   format for it:

   Filter List ::= <List Length> <Action> <* Filter Spec>;

   where the "Filter Spec" is basically a packet classifier that
   provides packet classification information.  For example, the MF
   Classifier defined in RFC2475 [14] could be a good candidate.  List
   Length indicates the number of Filter Spec included, and the Action
   indicates how to treat the previous filters of the same Flow ID.
   Example actions to be taken are: ADD, SUB, and REPLACE.

   Following subsections provide detail discussion of the considerations
   for different scenarios.

5.1.  Considerations with multiple addresses involved sessions

5.1.1.  Different options for multiple addresses support

   One obvious way to support the multiple address involved
   communication session is to use multiple signaling sessions for each
   set of address.  However, this solution faces a couple of problems.
   One problem is the significant increase in signaling, processing, and



Cheng, et al.            Expires April 27, 2006                [Page 13]

Internet-Draft             NSIS Flow ID issues              October 2005


   state management overheads.  The increment of the overhead is in
   proportion to the number of address combinations.  For example, when
   an application session makes use of five different ports on a MN,
   five separate NSIS sessions needs to be signaled.  The other problem
   is that certain relationships have to be enforced between these
   signaling sessions.  These sessions should share the same fate and
   probably share the resource reserved because they actually signal for
   the same application.  This kind of relationship enforcement between
   signaling sessions may further complicate the signaling and state
   management logics.

   Another possible way to carry the multiple address information is to
   signal multiple times, each with the same Session ID and a different
   Flow ID that accurately represents one of the address information in
   use.  Obviously, this creates signaling overhead as well.  Besides
   that, it may also cause difficulties in state management on NSIS
   nodes.  For example, a QNE receiving several messages with different
   Flow IDs will not be able to decide the proper action.  The REPLACE
   flag introduced in [4] provides a way to indicate the action to the
   QNEs.  Nevertheless, it requires explicit signaling for the
   management of these different Flow IDs.  For instance, if a mobility
   event happened, the state with the old Flow IDs should be replaced
   with a new set with new Flow IDs.  Therefore, the signaling message
   needs to indicate state with which particular Flow IDs should be
   replaced, and which should be kept.  This requires extra state
   management logic at the QNEs.

   The root of the issues lies on the incapability of the MRI to carry
   multiple addresses information.  Therefore, solution could be
   achieved by either modifying the MRI format to accommodate more
   complicated information or utilizing extra objects.  For example, the
   MRI could add a masking/wildcarding tool for each of the fields.

   Since the change of MRI format will affect numerous aspects of the
   NTLP layer implementation, this draft proposes to use a separate
   Filter List object in NSLP layer to carry data packet classification
   information.  This way, the MRI/Flow ID is freed from the address
   dependency.  It can then take any form or using a much relaxed
   criteria for masking, as long as it provides enough information to
   allow the NSIS nodes to route the message correctly.  The Filter List
   is now carried in the NSLP layer, and therefore, should be set by the
   end nodes, which has the ultimate information about the application
   layer of the session.  This means a faster and more accurate
   interaction between NSIS signaling and application becomes possible.
   Since the packet classifying is only meaningful to the NSLP
   application enforcer, e.g. the RMF in QoS NSLP case, having Filter
   List in the NSLP layer alleviates NTLP layer's burden on the
   processing of this information.



Cheng, et al.            Expires April 27, 2006                [Page 14]

Internet-Draft             NSIS Flow ID issues              October 2005


   Following subsection describes deployment examples of using the new
   object.

5.1.2.  Support of multiple addresses using Filer List

   For the scenarios described in section 4.1, the use of Filter List
   solves the dilemma of using the MRI.  As the Filter List allows
   accurate representation of the multiple addresses involved in the
   session, it does not require NTLP layer to care about the actual
   packet addresses.  By doing this, the NTLP layer only needs to
   establish the correct signaling path.  Simple wildcarding would then
   be useful to find out the common routing path.  For example, for a
   session with different addresses, the NTLP layer can use a MRI with
   wildcarding without worrying the accuracy of the address presentation
   because the filter information is carried in the NSLP payload.  The
   wildcarded MRI is only used for the route decision of the NSIS
   message, and the NSLP layer message with the Filter List can be
   configured by the corresponding entity, e.g.  RMF, with correct
   settings.  The introduction of the Filter List does not limit the
   NTLP layer's choice of Flow ID value.  Instead, it gives NTLP more
   flexibility in selecting a proper Flow ID.

   Usually the routing does not really require that all the fields of
   the MRI.  For example, a normal router would only decide the route
   based on the destination address.  Therefore most fields of the MRI
   could be set to a default value, e.g. 0x00.  Since the state
   information stored at the NSIS node is indexed by both the Session ID
   and the MRI, the above means saving in the key length used.  For
   example, in the current NSIS draft, the key for the MRI would need to
   at least include source address, destination address, etc, since it
   also is used for packet classifying.  In the proposed scheme with
   Filter List, the key for the MRI only need to have the destination
   address if the routing is based on destination address only.

   When a flow involves multiple addresses, it is possible to experience
   a divergence in the data path when the flow passes through a network
   section with load balancing supported.  In this case, reservation on
   some of the split path may not be done correctly.  There are several
   ways to address this issue.  One possible method is to require the
   Load Balancing Initiator (LB-I) to duplicate the signaling message
   and send over every split path with the QSPEC adjusted accordingly.
   Another method is to force the LB-I to route all the packets
   identified by the Filter List to the same link.  It is also possible
   for the QNI to be aware of the load balancing paths through the
   initial path discovery process, and construct the QSPEC and filter
   list accordingly.





Cheng, et al.            Expires April 27, 2006                [Page 15]

Internet-Draft             NSIS Flow ID issues              October 2005


5.2.  Considerations with predictive signaling support

   For the predictive signaling, one possible way to solve the problem
   is to pre-allocate an address for the MN for the predictive path.  In
   this case, for example, the nAR can reserve an address for the MN
   when it proxy the signaling for it.  When the MN actually moves to
   the new location, it must make use of the address pre-allocated by
   the nAR.  For this option, there needs to have a mechanism that can
   guarantee the proper address for the MN can be pre-allocated.  It
   infer a stateful address allocation scheme, since if stateless
   address formation is used, the nAR would not have the information to
   generate the new address.  Another issue with this scheme is that it
   may cause waste in the address space.  The MN's signaling over the
   predictive path could be simply a Query of the QoS level supported.
   MN may not eventually move to the new location.  Therefore, requiring
   an allocation of an address for the MN for such a signaling decreases
   the utilization efficiency of the resources.

   The use of a separate object in NSLP layer stands as another option
   to support the proxy predictive signaling.  When the nAR does not
   know MN's nCoA, it generates a Flow ID with its own IP address, and
   sends signaling messages such as QUERY using it.  Since the actual
   data flow has not started yet, actual packet classification
   information, i.e.  Filter List, is not necessary.  By sending the
   QUERY, path state between the nAR and CN is installed and QoS
   resource availability along the path is gathered as well.  When the
   MN connects to the new subnetwork, the signaling path has already
   been established.  The MN only has to update the state of the rest
   part of the new path and update the whole path with a RESERVE message
   containing Filter List.  Since it is an update message, and all the
   signaling states are in place, it is much faster than a new RESERVE
   message with a different Flow ID.

   Comparing the above two options, the use of separate packet
   classification object obviously provides a more flexible support for
   the predictive signaling.

5.3.  Considerations for packet classification information manipulation

   With the current NSIS Flow ID definition, the change of packet
   classification information means a change in the Flow ID, and thus
   requires another round of signaling.  This usually results in a
   signaling state update on all the QNEs.  Certain scenarios require a
   merge of the original and new flow states to achieve desired QoS
   enforcement results, e.g. as described in [13].  For this purpose, an
   intra-session association object, ASSOCIATE_FLOW_SESSION, is
   introduced in [13].  The new object helps to link different flows
   within a Session together, so that the packet classification



Cheng, et al.            Expires April 27, 2006                [Page 16]

Internet-Draft             NSIS Flow ID issues              October 2005


   information could be manipulated on the QNEs.

   Different from the approach taken by [13], the use of a separate
   Filter List object can achieve the similar purpose.  Since the Filter
   List object introduced supports the Action indication, new Filter
   Spec could be progressively added when the new address information is
   available.  For example, when a new port has been added to the
   communication session, the NSLP layer can issue a new message with
   the Filter List object carrying an Action field indicating "ADD".
   The receiving NSLP aware node could take this new port information
   and merge it with the existing packet classification information for
   the same Session ID and Flow ID.

   Comparing the two options, the approach in [13] preserves the current
   MRI and Flow ID definition.  It keeps the change in NSLP layer and
   slightly modifies the QNE behaviors.  The disadvantage of this option
   is the signaling overhead introduced.  Every signaling message needs
   to carry the new association object, which includes the additional
   Flow IDs.  The other issue is the signaling using a new Flow ID when
   new packet classification information needs to be added.  This may
   involves the path discovery procedure for the new Flow ID, which
   could be time consuming.

   For the Filter List object option, the NSLP layer packet
   classification definition is modified.  The classification
   information is no longer depending on the MRI.  However, to signal
   for additional address information, the same Flow ID could be used.
   This means only an update of the signaling state on the QNE is
   necessary.  Therefore, it can be faster.

5.4.  Changes at the framework/NTLP layer

   By introducing the Filter List object into the NSLP layer, the NTLP
   layer is relieved from signaling the actual data packet
   classification information.  This looses its dependency on the data
   plane addressing information.  Therefore, the design and operation of
   the NTLP layer has more flexibility.  For example, the state pre-
   establishment and use of the proxy is much easier.

   The current design of the Flow ID or the MRI can still be used in the
   NTLP layer for the message routing information signaling.  However,
   it does not need to be bound by the actual addressing information of
   the data flow, e.g. the port number, etc.  It does not require change
   in the current design of the GIST, but relaxed some of the
   requirements.  Also, the state management can be simplified due to
   the above reasons.  For example, the state information storage and
   retrieval can be speeded up as described in previous sections.




Cheng, et al.            Expires April 27, 2006                [Page 17]

Internet-Draft             NSIS Flow ID issues              October 2005


   Since the NTLP does not need to modify the Flow ID or MRI every time
   the address changes, the state maintained on the NSIS nodes will be
   more stable, and thus requires less operation in updating.

5.5.  Changes at the NSLP layer

   Use of the Filter List in the NSLP layer requires some enhancement at
   the NSLP nodes.  The new NSLP layer needs to be able to manage the
   packet classification information, e.g. the Filter List.  It no
   longer depends on the NTLP layer to obtain the filter information,
   and therefore need to be able to process them.  Most of the time, the
   Filter List should be passed directly to the local enforcer, e.g. the
   RMF in the QoS NSLP case together with the QSPEC.  This means the
   NSLP layer does not need to include much extra functions.

   For the operation of the scheme, the NSLP now need to have some
   interaction with the application or the addressing management.  The
   NSLP application now needs to obtain all those addressing information
   from these entities to construct the Filter List at the end nodes.
   However, it does not mean the NSLP have to communicate with them
   directly.  The current design could still be kept, so that the NSLP
   can communicate with them via NTLP using some extra APIs.  It is for
   further study if it is better to have the NSLP interacts directly
   with the application layer.



























Cheng, et al.            Expires April 27, 2006                [Page 18]

Internet-Draft             NSIS Flow ID issues              October 2005


6.  Impact analysis

   This section provides a detail analysis of the different aspects of
   introducing the Filter List object to the design of NSIS protocols.
   Some of the recent discussions in the mailing list on the topic are
   also covered.

6.1.  Single object vs. separate objects

   In the current NSIS framework, although the message routing and
   packet classification are two different functions, they uses the
   information derived from the same object, MRI.  The reasoning for
   using a single object for the two functions is based on the address
   boundary traversing consideration.  When a single object is used, the
   address boundary node, e.g.  NAT, only need to modify this object.
   Information derived from the modified object could always be
   synchronized.  Therefore, it is guaranteed that information used for
   the two functions are referring to the same flow.

   A possibility of meeting the requirements listed in section 5 using a
   single object is to modify the MRI format.  This way, the extra
   packet classification information introduced in the Filter List could
   be incorporated into MRI.  However, it will affect almost every
   aspects of the current GIST operation, and therefore is not
   appropriate.

   The use of a single object assumes that the signaled flow must be the
   same as that defined in MRI.  However, in certain case, more
   flexibility is desirable.  For example, the metering application
   [15], is expecting that some extra filter information could be
   carried in the NSLP layer other than the MRI.

   When two disjoining objects are used for the two functions, the
   address boundary node needs to apply changes twice.  In order to
   guarantee the synchronization of the information, exactly the same
   rules should be used on the two objects, e.g. same mapping used on
   the MRI should be used on Filter List.  For normal address boundary
   nodes using a comparatively static rules, this should be easily
   achievable.  No major issue could be envisaged, e.g. passing a NAT.
   If the address boundary node is using very dynamic rules for the
   address processing, problem may exist for the data flow, similar to
   the load balancing case.

6.2.  Location of the packet classification object

   When considering the location of the Filter List object, there are
   generally three options: in NTLP layer, in NSLP layer, or in QSPEC.
   These three options all have advantages and disadvantages.  Following



Cheng, et al.            Expires April 27, 2006                [Page 19]

Internet-Draft             NSIS Flow ID issues              October 2005


   brief discussions give an overview of the pros and cons.  The
   considerations are focusing on the signaling overhead and NAT
   traversing.

6.2.1.  Object placed in NTLP layer

   Firstly, when the Filter List is used as NTLP layer object, it
   introduces unnecessary burden to the NTLP.  Placing it in the NTLP
   layer means that the object needs to be included in every NSIS
   message.  However, the packet classification information is only
   meaningful to the RMF, and is only necessary in certain NSLP
   messages, e.g.  QoS NSLP RESERVE.  Therefore, unnecessary signaling
   overhead is resulted.

   When the Filer List is placed in the NTLP layer, it is the easiest to
   achieve NAT traversal support of the signaling.  The NAT node only
   needs to be NTLP layer aware to process the information.  Current NAT
   behavior specified in the GIST draft [4] will still be usable.

6.2.2.  Object placed in NSLP layer

   When the Filter List object is placed in the NSLP layer, the NSLP
   application knows when it should be included in the signaling.  For
   example, a QoS NSLP NOTIFY message may not include the packet
   classification information object.  This helps to reduce the overhead
   of the signaling compared with the case where it is placed in NTLP
   layer.

   However, the packet classification object needs to be made stackable
   to support stackable QSPEC.  The main reason for this is due to the
   direct relationship between the packet classification information and
   the specific QoS Model.  Therefore, when the QSPECs are stacked, the
   corresponding packet classification information also needs to be
   preserved so that it could be referred correctly when the QSPECs are
   popped.

   The NAT traversal aspect of this option is slightly complicated than
   the NTLP layer based choice.  Basically, in this case, the NAT is
   required to be able to process the common NSLP layer object other
   than being NTLP aware.  The Filter List object could be placed in a
   fixed position in NSLP layer when presented, e.g. with a flag
   indication.  Then, the NAT is able to apply the same address mapping
   rule on the Filter List, similar to what it does on the MRI.  It is
   also possible for the NAT to insert the NAT-Object that contains the
   mapping rules, so that the next hop NSLP aware node, e.g.  QNE, could
   actually perform the modification to the Filter List.





Cheng, et al.            Expires April 27, 2006                [Page 20]

Internet-Draft             NSIS Flow ID issues              October 2005


6.2.3.  Object placed in QSPEC

   The last choice is to place the Filter List in the QSPEC.  This seems
   logical, since the packet classification would be utilized directly
   by the RMF, which is decided by the specific QoS Model.  In this
   case, the QoS Model could optimize the information to be carried in
   the Filter List.

   However, this also means that the Filter List object is only
   accessible for a node with knowledge of the QoS Model of concern.
   Therefore, it will be extremely difficult for the signaling message
   to traverse an address boundary, e.g. a NAT.  For this option to work
   in a NATed network, the NAT node must be the specific QoS Model
   aware, which is a hard requirement to meet.

6.3.  General packet classifier vs. model specific classifier

   As mentioned in section 6.2.3, the packet classification information
   is relevant to the QoS Model (eventually RMF) in use.  Therefore,
   different QoS Model may have different requirements on packet
   classification format.  For example, intra domain DiffServ signaling
   may only require DSCP information, whereas edge to edge signaling may
   require MF classifier.  Therefore, there are options to have the
   packet classification defined according to the QoS Model or kept
   general.

   The choice of the packet classifier depends on where the object is
   placed.  In the case of section 6.2.1 and 6.2.2 (i.e. in NTLP layer
   or NSLP layer), the packet classifier needs to be general, because it
   is common for all the QoS Models.  For the general packet classifier,
   the MF Classifier defined in the RFC2475 [14] is a good candidate.

   Only in the case of section 6.2.3 (i.e. in QSPEC), the packet
   classifier could be made using fields that is required by the
   specific QoS model associated.  In order to achieve this, the QSPEC
   needs to define a set of basic elements, so that, when needed, QoS
   Model specific packet classifier could be formed using the basic
   elements.













Cheng, et al.            Expires April 27, 2006                [Page 21]

Internet-Draft             NSIS Flow ID issues              October 2005


7.  Possible optimization with the PACKET_CLASSIFIER object

   As discussed in the previous section, the Filter List may not be
   necessary for all the scenarios.  For those static and simple
   addressing cases, the conventional MRI way is sufficient.  Therefore,
   to optimize the signaling efficiency, the Filter List object could be
   made optional with a flag set at the signaling header.  Below is an
   example of using an indication derived from the PACKET_CLASSIFIER
   object in the QoS NSLP case.

   For example, the modified method specific data format of the
   PACKET_CLASSIFIER object for a path-coupled routing MRM, as in
   section 5.1.3.5 of QoS NSLP [4], is specified as following:



      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |X|Y|P|T|F|S|A|B|   Reserved  |L|
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



   Wherein, the new flag L is to indicate if a separate Filter List is
   used in the NSLP for packet classification information.  When the
   flag L is set, all the other fields should be set to zero.

   Therefore, a QNE first checks if the L bit of the PACKET_CLASSIFIER
   object is set.  If it is not set, the QNE will make use of the MRI
   and other fields of the PACKET_CLASSIFIER object to derive the packet
   classifier.

   When the QNE finds out that the L flag is set, it will obtain the
   packet classification information directly from the Filter List
   object instead of the MRI.

















Cheng, et al.            Expires April 27, 2006                [Page 22]

Internet-Draft             NSIS Flow ID issues              October 2005


8.  Security Considerations

   Major security issues for NSIS are addressed in [6], where the
   Section 4.4 mentions use of a Flow ID without source and destination
   IP addresses.  If a Flow ID is used for traffic classification of
   data packets as well, then identity spoofing and injecting traffic is
   much easier since a packet only needs to be marked and an adversary
   can use a nearly arbitrary endpoint identifier to achieve the desired
   result.

   The filter List method described in this draft allows the separation
   of the Flow ID and packet classification information.  Different
   usage of the Flow can be employed, e.g. as described in [6].  Traffic
   classifier for data packets, however, may still use the conventional
   Flow ID information as a filter so that threat does not increase by
   using a Filter List.



































Cheng, et al.            Expires April 27, 2006                [Page 23]

Internet-Draft             NSIS Flow ID issues              October 2005


9.  Conclusion

   This draft discussed issues faced by the NSIS design regarding its
   use of the Flow ID for carrying data packet classification
   information.  A solution to the problems is proposed by introducing a
   Filter List object in the NSLP layer.  This solution provides support
   for the scenarios that is not supported by the current NSIS
   framework.  It also requires little change to the current NSIS
   design.  Detail analysis of the impact to different components of the
   NSIS framework, NTLP and NSLP is provided, and it shows that the
   proposed solution is effective and easy to be incorporated into the
   current NSIS system.







































Cheng, et al.            Expires April 27, 2006                [Page 24]

Internet-Draft             NSIS Flow ID issues              October 2005


10.  Acknowledgements

   This section contains the acknowledgements.
















































Cheng, et al.            Expires April 27, 2006                [Page 25]

Internet-Draft             NSIS Flow ID issues              October 2005


11.  References

11.1.  Normative Reference

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [2]  Hancock, R., "Next Steps in Signaling (NSIS): Framework",
        RFC 4080, Informational , June 2005.

   [3]  Schulzrinne, H. and R. Hancock, "GIST: General Internet
        Signaling Transport", Internet Draft draft-ietf-nsis-ntlp-08,
        Work in progress , September 2005.

   [4]  Manner, J., "NSLP for Quality-of-Service Signaling", Internet
        Draft draft-ietf-nsis-qos-nslp-08, Work in progress ,
        October 2005.

   [5]  Chaskar, H., "Requirements of a Quality of Service (QoS)
        Solution for Mobile IP", RFC 3383, September 2003.

   [6]  Tschofenig, H., "Security Threats for NSIS", RFC 4081,
        Informational , June 2005.

   [7]  Ash, J., Bader, A., and C. Kappler, "QoS-NSLP QSpec Template",
        Internet Draft draft-ietf-nsis-qspec-06, Work in Progress ,
        October 2005.

   [8]  Brunner, M., "Requirement for Signaling Protocols", RFC 3726,
        April 2004.

   [9]  Braden, R., "Resource ReSerVation Protocol (RSVP) -- Version 1
        Functional Specification", RFC 2205, September 1997.

11.2.  Informative References

   [10]  Koodli, R., "Fast Handovers for Mobile IPv6", RFC 4068,
         July 2005.

   [11]  Liebsch, M., "Candidate Access Router Discovery (CARD)",
         RFC 4066, July 2005.

   [12]  International Telecommunication Union (ITU) Telecommunication
         Standardization Sector (ITU-T), "Packet-based multimedia
         communications systems", ITU-T H. 323, July 2003.

   [13]  Shen, C., "NSIS Operation Over IP Tunnels", Internet
         Draft draft-shen-nsis-tunnel-00, Work in Progress , July 2005.



Cheng, et al.            Expires April 27, 2006                [Page 26]

Internet-Draft             NSIS Flow ID issues              October 2005


   [14]  Blake, S., "An Architecture for Differentiated Services",
         RFC 2475, Informational , December 1998.

   [15]  Dressler, F., "NSLP for Metering Configuration Signaling",
         Internet Draft draft-dressler-nsis-metering-nslp-02, Work in
         Progress , July 2005.













































Cheng, et al.            Expires April 27, 2006                [Page 27]

Internet-Draft             NSIS Flow ID issues              October 2005


Authors' Addresses

   Hong Cheng
   Panasonic Singapore Laboratories
   Block 1022, Tai Seng Industrial Estate
   #06-3530, Tai Seng Avenue
   Singapore  534415
   Singapore

   Phone: +65 6550 5477
   Email: hong.cheng@sg.panasonic.com


   Jack Huang
   Panasonic Singapore Laboratories
   Block 1022, Tai Seng Industrial Estate
   #06-3530, Tai Seng Avenue
   Singapore  534415
   Singapore

   Phone: +65 6550 5414
   Email: jack.huangqj@sg.panasonic.com


   Takako Sanda
   Matsushita Electric Industrial Co., Ltd. (Panasonic)
   5-3, Hikarino-oka, Yokosuka City
   Kanagawa  239-0847
   Japan

   Phone: +81 46 840 5764
   Email: sanda.takako@jp.panasonic.com


   Toyoki Ue
   Matsushita Electric Industrial Co., Ltd. (Panasonic)
   5-3, Hikarino-oka, Yokosuka City
   Kanagawa  239-0847
   Japan

   Phone: +81 46 840 5816
   Email: ue.toyoki@jp.panasonic.com









Cheng, et al.            Expires April 27, 2006                [Page 28]

Internet-Draft             NSIS Flow ID issues              October 2005


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Cheng, et al.            Expires April 27, 2006                [Page 29]