Internet DRAFT - draft-jadin-spring-ipv6-segment-routing-dns-rr
Source Packet Routing in Networking M. Jadin
Internet-Draft UCLouvain
Intended status: Experimental F. Clad
Expires: September 6, 2018 Cisco Systems, Inc.
O. Bonaventure
UCLouvain
March 05, 2018
A DNS Resource Record for IPv6 Segment Routing (SR6)
draft-jadin-spring-ipv6-segment-routing-dns-rr-00
Abstract
This document defines the IPv6 Segment Routing (SR6) Resource Record
(RR). This Resource Record gives a path to reach a given
destination. The path is encoded with an IPv6 Segment List. The
host uses a Segment Routing Header (SRH) derived from the SR6 RR to
reach the destination.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 6, 2018.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Jadin, et al. Expires September 6, 2018 [Page 1]
Internet-Draft SRv6-RR March 2018
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Reserved Keywords . . . . . . . . . . . . . . . . . . . . 3
2. Resource Record Format . . . . . . . . . . . . . . . . . . . 3
2.1. SR6 RDATA Wire format . . . . . . . . . . . . . . . . . . 3
2.1.1. The SID Number field . . . . . . . . . . . . . . . . 4
2.1.2. The Flags field . . . . . . . . . . . . . . . . . . . 4
2.1.3. The Tag field . . . . . . . . . . . . . . . . . . . . 5
2.1.4. The Segment List[n] field . . . . . . . . . . . . . . 5
2.1.5. The Type Length Value (TLV) objects . . . . . . . . . 5
2.2. The SR6 RR Presentation Format . . . . . . . . . . . . . 5
2.3. SR6 RR Example . . . . . . . . . . . . . . . . . . . . . 6
3. SRH derivation from SR6 RR . . . . . . . . . . . . . . . . . 6
3.1. Derived SRH Example . . . . . . . . . . . . . . . . . . . 6
4. Security considerations . . . . . . . . . . . . . . . . . . . 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
7.1. Normative References . . . . . . . . . . . . . . . . . . 8
7.2. Informative References . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction
Segment Routing is a new architecture
[I-D.ietf-spring-segment-routing] that leverages the source routing
paradigm. Two data planes are being defined to support this
architecture: MPLS [I-D.ietf-spring-segment-routing-mpls] and IPv6
through the IPv6 Segment Routing Header
[I-D.ietf-6man-segment-routing-header]. This new architecture has a
variety of use cases that are discussed in
[I-D.ietf-spring-ipv6-use-cases]
[I-D.ietf-spring-resiliency-use-cases] and
[I-D.ietf-spring-oam-usecase].
Segment Routing was initially defined as a technique to enable
network operators to better control the flow of packets inside their
network. Most use cases leverage Segment Routing on routers only.
In contrast with the MPLS data plane that is traditionally only
supported on routers, the IPv6 Segment Routing Header is supported on
both on routers [SR6Demo] and on endhosts [SR6Linux]. The ability to
set and process the IPv6 Segment Routing Header on endhosts
opens new "end-to-end" use cases for Segment Routing. We can
envision networks where clients set the IPv6 Segment Routing Header
in all the packets they send to reach a given server along a specific
path that depends on the client's policies or on the network's policies. However,
the ability to set and process the IPv6 Segment Routing Header on
endhosts [SR6Linux] is not sufficient to support real services.
Those endhosts also need a way to learn the IPv6 Segment Routing
Header that they need to use to reach a given destination according
to the network policies. Several mechanisms are being discussed to
distribute the IPv6 addresses that are used as Segments
[I-D.ietf-6man-segment-routing-header]. However, these mechanisms
typically extend routing protocols such as BGP
[I-D.ietf-spring-segment-routing-msdc], OSPF
[I-D.ietf-ospf-ospfv3-segment-routing-extensions] or IS-IS
[I-D.ietf-isis-segment-routing-extensions] and do not reach endhosts.
In this document, we propose to extend the Domain Name System to
distribute IPv6 Segment Routing Headers to endhosts. Our main use
case is enterprise networks, where the network administrator could
use the DNS resolver to distribute IPv6 Segment Routing Headers to
endhosts according to the enterprise policies. This use case is
described in more detail in a forthcoming paper [SRN2018].
This document is organized as follows. Section 2 gives the wire and
presentation formats of the proposed SR6 Resource Record. Section 3
describes how endhosts can construct an IPv6 Segment Routing Header
from an SR6 RR.
1.1. Reserved Keywords
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Resource Record Format
This document proposes a new type of Resource Record: the IPv6
Segment Routing (SR6) Resource Record. This RR has a new DNS Type,
(suggested value *TBD*) to be assigned by IANA. The SR6 RR MUST be
in the IN class.
2.1. SR6 RDATA Wire format
The SR6 RR contains a set of flags, a tag and a list of segments
represented as IPv6 addresses. Its wire format is provided in
Figure 1. It encodes a subset of the IPv6 Segment Routing Header
defined in [I-D.ietf-6man-segment-routing-header].
                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
|  SID Number   |     Flags     |              Tag              |
+---------------+---------------+-------------------------------+
|                                                               |
|            Segment List[1] (128 bits IPv6 address)            |
|                                                               |
|                                                               |
+---------------------------------------------------------------+
|                                                               |
|                              ...                              |
|                                                               |
|                                                               |
+---------------------------------------------------------------+
|                                                               |
|            Segment List[n] (128 bits IPv6 address)            |
|                                                               |
|                                                               |
+---------------------------------------------------------------+
/                                                               /
/        Optional Type Length Value objects (variable)          /
/                                                               /
+---------------------------------------------------------------+
Figure 1: SR6 Resource Record
2.1.1. The SID Number field
The SID Number field indicates the number of Segments present in the
Segment List.
2.1.2. The Flags field
A subset of the flags defined in the IPv6 Segment Routing Header
[I-D.ietf-6man-segment-routing-header] may appear inside the SR6 RR.
 0 1 2 3 4 5 6 7
+-+-+-+-+-+-----+
|  U  |A|H|  U  |
+-+-+-+-+-+-----+
Figure 2: SR6 Flags field
o U: These flags are currently unused and reserved for future use.
They SHOULD be unset on transmission and MUST be ignored upon
receipt.
o A-flag: Alert flag. If present, it indicates that important Type
Length Value (TLV) objects are present.
o H-flag: HMAC flag. If set, the derived SRH MUST be protected by
an HMAC TLV object, defined in
[I-D.ietf-6man-segment-routing-header].
2.1.3. The Tag field
The Tag field is an opaque value that MUST be equal to the tag field
of the derived SRH, defined in
[I-D.ietf-6man-segment-routing-header].
2.1.4. The Segment List[n] field
The Segment List[n] field is a list of 128-bit IPv6 addresses, with
the nth address representing the nth segment in the Segment List.
This list is used to construct the SRH, as discussed in Section 3.
2.1.5. The Type Length Value (TLV) objects
A subset of the SRH TLV objects, defined in
[I-D.ietf-6man-segment-routing-header], MAY be added at the end of
the SR6 RR. This document only allows the Opaque Container and
Padding TLV objects.
o The Opaque Container TLV objects MUST be copied at the end of the
derived SRH.
o The Padding TLV objects do not carry any information, so they
MAY be ignored during the SRH derivation.
Future versions of this document will discuss the support of other
TLV objects.
2.2. The SR6 RR Presentation Format
The presentation format of the RDATA portion is as follows:
o The Flags field MUST be represented as an unsigned decimal
integer.
o The Tag field MUST be represented as an unsigned decimal integer.
o The Segment List MUST be represented as IPv6 addresses separated
by commas. They MUST appear in the same order as in the wire
format (Section 2.1).
o The TLV objects MUST be represented as a sequence of
case-insensitive hexadecimal digits. White space is allowed within
the hexadecimal text.
2.3. SR6 RR Example
example.com. 86400 IN AAAA 2001:abcd::5
example.com. 86400 IN SRH 8 3 fc00::1,fc00::5 (03120000DA1F9C8094
E834A7BC71965A47A1B6C)
Figure 3: Textual representation of SR6 records
The first four text fields of the second line in Figure 3 specify the
name, TTL, Class, and RR type (SR6). Value 8 indicates that only the
A-flag is set. Value 3 is the Tag field value. The next part is the
Segment List represented as a list of comma separated IPv6 addresses.
The text between the parentheses is the hexadecimal representation of
the TLV objects.
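As an added example that is not part of the draft, the following Python converts the RDATA portion between the Section 2.2 presentation format and the Figure 1 wire format. The decoder refuses a record whose SID Number does not match the RDATA length, so a truncated or malformed answer cannot silently yield a shorter segment list. The sample record is constructed here, not the draft's example; its Opaque Container TLV uses Type 3 with a Length covering 2 reserved octets and 16 octets of data, a layout assumed from the SRH draft rather than specified on this page.

```python
import ipaddress
import struct


def parse_presentation(rdata_text):
    """Parse the Section 2.2 presentation format of the RDATA portion:
    '<flags> <tag> <ipv6>,<ipv6>,... [(<hex TLV objects>)]'.
    Returns (flags, tag, segments, tlv_hex)."""
    head, _, rest = rdata_text.partition("(")
    fields = head.split()
    if len(fields) != 3:
        raise ValueError("expected: <flags> <tag> <segment list> [(<tlv hex>)]")
    flags, tag = int(fields[0]), int(fields[1])          # unsigned decimal
    segments = [s.strip() for s in fields[2].split(",") if s.strip()]
    tlv_hex = rest.strip().rstrip(")") if rest else ""
    return flags, tag, segments, tlv_hex


def encode_sr6_rdata(flags, tag, segments, tlv_hex=""):
    """Serialise to the Figure 1 wire format (network byte order)."""
    if not (0 <= flags <= 0xFF and 0 <= tag <= 0xFFFF):
        raise ValueError("Flags is an 8-bit field and Tag a 16-bit field")
    addrs = [ipaddress.IPv6Address(s).packed for s in segments]
    if not 1 <= len(addrs) <= 0xFF:
        raise ValueError("SID Number must be between 1 and 255")
    # White space is allowed inside the hexadecimal text (Section 2.2).
    tlvs = bytes.fromhex("".join(tlv_hex.split()))
    return struct.pack("!BBH", len(addrs), flags, tag) + b"".join(addrs) + tlvs


def decode_sr6_rdata(rdata):
    """Parse wire-format RDATA into (flags, tag, segments, tlv_bytes).
    Rejects records whose SID Number is inconsistent with the length."""
    if len(rdata) < 4:
        raise ValueError("RDATA shorter than the fixed 4-octet header")
    sid_number, flags, tag = struct.unpack("!BBH", rdata[:4])
    end = 4 + 16 * sid_number
    if sid_number == 0 or len(rdata) < end:
        raise ValueError("SID Number %d inconsistent with RDATA length %d"
                         % (sid_number, len(rdata)))
    segments = [str(ipaddress.IPv6Address(rdata[i:i + 16]))
                for i in range(4, end, 16)]
    return flags, tag, segments, rdata[end:]


def to_presentation(flags, tag, segments, tlv_bytes=b""):
    """Inverse of parse_presentation, e.g. for zone files or logging."""
    text = "%d %d %s" % (flags, tag, ",".join(segments))
    if tlv_bytes:
        text += " (%s)" % tlv_bytes.hex().upper()
    return text


# Constructed sample (not the draft's example): flags 0, tag 3, two segments,
# one Opaque Container TLV: Type 0x03, Length 0x12 (= 2 reserved + 16 data).
SAMPLE_RDATA_TEXT = "0 3 fc00::1,fc00::5 (0312 0000 00112233445566778899AABBCCDDEEFF)"


def roundtrip(rdata_text):
    """Presentation -> wire -> presentation; returns the re-rendered text."""
    return to_presentation(*decode_sr6_rdata(encode_sr6_rdata(*parse_presentation(rdata_text))))


if __name__ == "__main__":
    wire = encode_sr6_rdata(*parse_presentation(SAMPLE_RDATA_TEXT))
    print(len(wire), "octets:", wire.hex())
    print(roundtrip(SAMPLE_RDATA_TEXT))
```

The TLV area is carried as opaque bytes here; interpreting individual TLV objects is part of the SRH derivation in Section 3.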
3. SRH derivation from SR6 RR
This section describes the construction of the IPv6 Segment Routing
Header from an SR6 RR. The H-flag and A-flag of the SRH MUST be
copied from their equivalent fields in the SR6 RR. All the other
flags MUST be set to 0.
The Tag field of the SRH MUST be copied from the SR6 RR Tag field.
The SRH Segment List is composed of the destination address as the first
segment (Segment List[0]) followed by the SR6 RR Segment List for the rest
of the list, so it holds SID Number + 1 entries indexed from 0 to SID Number.
Therefore, the SRH Segments Left and Last Entry fields MUST be set to the
SR6 RR SID Number field.
Opaque Container TLV objects MUST be added at the end of the SRH if
they were present in the Resource Record. Additional Padding TLV
objects MAY be added to the SRH. If the H-flag is set, an HMAC TLV
MUST be computed for the SRH. The order of the SRH TLV objects MAY
be different from the SR6 RR TLV objects.
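The derivation steps of this section, as an added Python example that is not part of the draft. It takes the already-decoded SR6 RR fields plus the destination address and builds the SRH octets: Segment List[0] is the destination, the RR segments follow in wire order, Segments Left and Last Entry equal the SID Number, only the A and H flags survive, Opaque Container TLVs are copied, padding is regenerated so the header is a multiple of 8 octets, and a record with the H-flag set is refused unless the caller supplies an HMAC TLV (HMAC computation and key handling are out of scope). Two assumptions are not stated numerically on this page: the flag bit positions are read from Figure 2 with the A-flag at bit 3 and the H-flag at bit 4, counted from the most significant bit (matching the flags octet of Figure 4), and the TLV type codes (Pad1 = 0, Opaque Container = 3, PadN = 4) are taken from draft-ietf-6man-segment-routing-header-08.

```python
import ipaddress
import struct

# Assumed from Figure 2, bit 0 = most significant bit of the Flags octet:
# bit 3 is the A-flag, bit 4 the H-flag (Figure 4 shows 0 0 0 1 0 0 0 0 for A).
FLAG_A = 0x10
FLAG_H = 0x08
ROUTING_TYPE_SRH = 4          # Routing Type value shown in Figure 4

# TLV type codes assumed from draft-ietf-6man-segment-routing-header-08.
TLV_PAD1, TLV_OPAQUE, TLV_PADN = 0, 3, 4


def rr_tlvs_for_srh(tlv_bytes):
    """Walk the SR6 RR TLV area (Section 2.1.5): keep Opaque Containers,
    drop padding, reject any type this document does not allow."""
    kept, i = [], 0
    while i < len(tlv_bytes):
        t = tlv_bytes[i]
        if t == TLV_PAD1:                      # one octet, no Length field
            i += 1
            continue
        if i + 2 > len(tlv_bytes):
            raise ValueError("truncated TLV header")
        end = i + 2 + tlv_bytes[i + 1]
        if end > len(tlv_bytes):
            raise ValueError("TLV length exceeds RDATA")
        if t == TLV_OPAQUE:
            kept.append(tlv_bytes[i:end])
        elif t != TLV_PADN:
            raise ValueError("TLV type %d not allowed in an SR6 RR" % t)
        i = end
    return kept


def srh_padding(unpadded_len):
    """Pad1/PadN octets that bring the SRH to a multiple of 8 octets."""
    pad = (8 - unpadded_len % 8) % 8
    if pad == 0:
        return b""
    if pad == 1:
        return bytes([TLV_PAD1])
    return bytes([TLV_PADN, pad - 2]) + b"\x00" * (pad - 2)


def derive_srh(next_header, dst, flags, tag, segments, tlv_bytes=b"", hmac_tlv=None):
    """Build the SRH octets for destination `dst` from decoded SR6 RR
    fields. `hmac_tlv` is a caller-computed HMAC TLV, mandatory when the
    H-flag is set."""
    srh_flags = flags & (FLAG_A | FLAG_H)     # all other flags MUST be 0
    if srh_flags & FLAG_H and not hmac_tlv:
        raise ValueError("H-flag set but no HMAC TLV supplied")
    # Segment List[0] is the destination; RR segments follow in wire order.
    seglist = [ipaddress.IPv6Address(a).packed for a in [dst] + list(segments)]
    n = len(segments)                         # equals the SR6 RR SID Number
    if not 1 <= n <= 0xFF:
        raise ValueError("SID Number out of range")
    tlvs = b"".join(rr_tlvs_for_srh(tlv_bytes))
    if srh_flags & FLAG_H:
        tlvs += hmac_tlv
    body = b"".join(seglist) + tlvs
    body += srh_padding(8 + len(body))
    hdr_ext_len = (8 + len(body)) // 8 - 1    # 8-octet units, first 8 excluded
    header = struct.pack("!BBBBBBH", next_header, hdr_ext_len, ROUTING_TYPE_SRH,
                         n, n, srh_flags, tag)
    return header + body


if __name__ == "__main__":
    # Constructed input: A-flag set, tag 3, two segments, one Opaque Container.
    opaque = bytes.fromhex("0312000000112233445566778899AABBCCDDEEFF")
    srh = derive_srh(6, "2001:abcd::5", FLAG_A, 3, ["fc00::1", "fc00::5"], opaque)
    print(len(srh), "octets:", srh.hex())
```

The packet is forwarded to Segment List[Segments Left] first, so with the list built this way the last address of the RR Segment List is the first waypoint and the destination is reached last; Hdr Ext Len is recomputed from the padded length rather than copied from anywhere.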
3.1. Derived SRH Example
The following SRH is derived from the SR6 RR example in Section 2.3.
                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+---------------+---------------+
|  Next Header  |     0x4B      |     0x04      |     0x02      |
+---------------+---------------+---------------+---------------+
|     0x02      |0 0 0 1 0 0 0 0|            0x0003             |
+---------------+---------------+-------------------------------+
|                                                               |
|                         2001:abcd::5                          |
|                                                               |
|                                                               |
+---------------------------------------------------------------+
|                                                               |
|                            fc00::1                            |
|                                                               |
|                                                               |
+---------------------------------------------------------------+
|                                                               |
|                            fc00::5                            |
|                                                               |
|                                                               |
+---------------+---------------+---------------+---------------+
|     0x03      |     0x12      |     0x00      |     0x00      |
+---------------+---------------+---------------+---------------+
|                                                               |
|               0xDA1F9C8094E834A7BC71965A47A1B6C               |
|                                                               |
|                                                               |
+---------------------------------------------------------------+
Figure 4: Example of built SRH
4. Security considerations
[I-D.ietf-6man-segment-routing-header] explores security issues
related to the SRH itself.
[I-D.filsfils-spring-srv6-network-programming] documents how an
administrative domain can prevent external traffic from using its
SRv6-based services. This section focuses on the security threats
raised by the SR6 RR.
Since the SR6 RR provides an SRH to be used by endhosts, the endhosts
that request SR6 RRs must trust the information received from their
DNS resolver. In many networks, this trust comes from the network
configuration. In addition, techniques such as DNSSEC [RFC4033] or
DNS over TLS [RFC7858] can be used to prevent situations where an
attacker could modify the SR6 RR of DNS responses.
5. IANA Considerations
This document requests IANA to assign a DNS RR data type value for
the SR6 RR type under the "Resource Record (RR) TYPEs" subregistry
under the "Domain Name System (DNS) Parameters" registry.
6. Acknowledgements
The authors would like to thank David Lebrun for his contribution to
the design of the SR6 RR.
7. References
7.1. Normative References
[I-D.ietf-6man-segment-routing-header]
Previdi, S., Filsfils, C., Raza, K., Dukes, D., Leddy, J.,
Field, B., daniel.voyer@bell.ca, d.,
daniel.bernier@bell.ca, d., Matsushima, S., Leung, I.,
Linkova, J., Aries, E., Kosugi, T., Vyncke, E., Lebrun,
D., Steinberg, D., and R. Raszuk, "IPv6 Segment Routing
Header (SRH)", draft-ietf-6man-segment-routing-header-08
(work in progress), January 2018.
[I-D.ietf-spring-segment-routing]
Filsfils, C., Previdi, S., Ginsberg, L., Decraene, B.,
Litkowski, S., and R. Shakir, "Segment Routing
Architecture", draft-ietf-spring-segment-routing-15 (work
in progress), January 2018.
[I-D.ietf-spring-segment-routing-mpls]
Bashandy, A., Filsfils, C., Previdi, S., Decraene, B.,
Litkowski, S., and R. Shakir, "Segment Routing with MPLS
data plane", draft-ietf-spring-segment-routing-mpls-12
(work in progress), February 2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>.
7.2. Informative References
[I-D.filsfils-spring-srv6-network-programming]
Filsfils, C., Leddy, J., daniel.voyer@bell.ca, d.,
daniel.bernier@bell.ca, d., Steinberg, D., Raszuk, R.,
Matsushima, S., Lebrun, D., Decraene, B., Peirens, B.,
Salsano, S., Naik, G., Elmalky, H., Jonnalagadda, P.,
Sharif, M., Ayyangar, A., Mynam, S., Henderickx, W.,
Bashandy, A., Raza, K., Dukes, D., Clad, F., and P.
Camarillo, "SRv6 Network Programming", draft-filsfils-
spring-srv6-network-programming-03 (work in progress),
December 2017.
[I-D.ietf-isis-segment-routing-extensions]
Previdi, S., Ginsberg, L., Filsfils, C., Bashandy, A.,
Gredler, H., Litkowski, S., Decraene, B., and J. Tantsura,
"IS-IS Extensions for Segment Routing", draft-ietf-isis-
segment-routing-extensions-15 (work in progress), December
2017.
[I-D.ietf-ospf-ospfv3-segment-routing-extensions]
Psenak, P., Filsfils, C., Previdi, S., Gredler, H.,
Shakir, R., Henderickx, W., and J. Tantsura, "OSPFv3
Extensions for Segment Routing", draft-ietf-ospf-ospfv3-
segment-routing-extensions-11 (work in progress), January
2018.
[I-D.ietf-spring-ipv6-use-cases]
Brzozowski, J., Leddy, J., Filsfils, C., Maglione, R., and
M. Townsley, "IPv6 SPRING Use Cases", draft-ietf-spring-
ipv6-use-cases-12 (work in progress), December 2017.
[I-D.ietf-spring-oam-usecase]
Geib, R., Filsfils, C., Pignataro, C., and N. Kumar, "A
Scalable and Topology-Aware MPLS Dataplane Monitoring
System", draft-ietf-spring-oam-usecase-10 (work in
progress), December 2017.
[I-D.ietf-spring-resiliency-use-cases]
Filsfils, C., Previdi, S., Decraene, B., and R. Shakir,
"Resiliency use cases in SPRING networks", draft-ietf-
spring-resiliency-use-cases-12 (work in progress),
December 2017.
[I-D.ietf-spring-segment-routing-msdc]
Filsfils, C., Previdi, S., Mitchell, J., Aries, E., and P.
Lapukhov, "BGP-Prefix Segment in large-scale data
centers", draft-ietf-spring-segment-routing-msdc-08 (work
in progress), December 2017.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements",
RFC 4033, DOI 10.17487/RFC4033, March 2005,
<https://www.rfc-editor.org/info/rfc4033>.
[RFC7858] Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
and P. Hoffman, "Specification for DNS over Transport
Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
2016, <https://www.rfc-editor.org/info/rfc7858>.
[SR6Demo] Filsfils, C., Clad, F., Camarillo, P., Liste, J.,
Jonnalagadda, P., Sharif, M., Salsano, S., and A.
AbdelSalam, "IPv6 Segment Routing", SIGCOMM'17, Industrial
demo, August 2017.
[SR6Linux]
Lebrun, D. and O. Bonaventure, "Implementing IPv6 Segment
Routing in the Linux Kernel", Applied Networking Research
Workshop 2017, July 2017,
<http://www.segment-routing.org>.
[SRN2018] Lebrun, D., Jadin, M., Clad, F., Filsfils, C., and O.
Bonaventure, "Software Resolved Networks - Rethinking
Enterprise Networks with IPv6 Segment Routing", SOSR'18 -
Symposium on SDN Research, 2018,
<https://inl.info.ucl.ac.be/publications/software-
resolved-networks-rethinking-enterprise-networks-ipv6-
segment-routing>.
Authors' Addresses
Mathieu Jadin
UCLouvain
Email: mathieu.jadin@uclouvain.be
Francois Clad
Cisco Systems, Inc.
Email: fclad@cisco.com
Olivier Bonaventure
UCLouvain
Email: olivier.bonaventure@uclouvain.be