IPv6 Query for Enabled In-situ OAM Capabilities

IPv6 encapsulation for In-situ OAM (IOAM) data is defined in , which uses the IPv6 hop-by-hop and destination options to carry IOAM data fields (, ). As specified in , the echo request/reply can be used by the IOAM encapsulating node to discover the enabled IOAM capabilities at the IOAM transit and decapsulating nodes. As specified in , the Internet Control Message Protocol for IPv6 (ICMPv6) is an integral part of IPv6. ICMPv6 messages include error messages and informational messages. defines ICMP Extension Structure by which multi-part ICMPv6 error messages are supported. updates by adding two ICMPv6 informational messages, ICMPv6 Query Request message and ICMPv6 Query Response message, to the supporting list of ICMP Extension Structure. The two added ICMPv6 messages are used for a Querying node to query information of a Queried node. This document describes the IPv6 Node IOAM Query functionality, which uses the ICMPv6 Query messages, allowing the IOAM encapsulating node to discover the enabled IOAM capabilities of each IOAM transit and IOAM decapsulating node. The IOAM encapsulating node sends an IOAM Query Request to each IOAM transit and decapsulating node. Upon receiving the query, each node executes access control procedures. If access is granted, the node returns an IOAM Query Response indicating its enabled IOAM capabilities. The IOAM Query Request contains an ICMP Extension Structure including one IOAM Query Object, and the IOAM Query Response contains an ICMP Extension Structure including one or more IOAM Capabilities Objects. Before the IOAM encapsulating node sends the IOAM Query Request, it must know the IPv6 address of each node along the transport path of the data packet to which IOAM data will be added. This can be achieved by executing an ICMPv6/UDP traceroute or by provisioning an explicit path at the IOAM encapsulating node. In an Equal-Cost Multipath (ECMP) scenario, the same values in any ECMP-affecting fields (e.g., the 3-tuple of the Flow Label, Source Address, and Destination Address fields as per ) of the IOAM data packets MUST be populated in the IOAM Query Request, ensuring fate sharing between the IOAM Query Request and the IOAM data packets.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The IOAM Query Request message is encapsulated in an IPv6 header , like any ICMPv6 message. The IOAM Query Request message has the following format:

IPv6 Header fields: Source Address: The Source Address identifies the IOAM encapsulating node. It MUST be a valid IPv6 unicast address. Destination Address: The Destination Address identifies the IOAM transit or decapsulating node. It MUST be a valid IPv6 unicast address. ICMPv6 fields: ICMPv6 header: The values of Type, Code, Checksum, Identifier, and Sequence Number are the same as specified in . Following the ICMPv6 header, it's an ICMP Extension Structure () containing an IOAM Query Object and an Pad Object (). The IOAM Query Object is also known as Query Request Object in .

The IOAM Query Object has the following format:

Object fields: Class-Num: IOAM Query Object. The value is TBD1. C-Type: MUST be set to 0 and MUST be ignored upon receipt. Length: Length of the object, measured in octets, including the Object Header and payload. Object payload: Following the IOAM Query Object Header is the IOAM Query Object Payload, which is defined in Section 3.1 of ..

The format of an IOAM Query Request can vary from deployment to deployment. In a deployment where only the default Namespace-ID is used, the IOAM Query Request is depicted as the following:

In a deployment where two Namespace-IDs (Namespace-ID1 and Namespace-ID2) are used, the IOAM Query Request is depicted as the following:

When an IOAM Query Request message is received, the length of the message is determined by the Payload Length field in the IPv6 Header, as specified in .

The IOAM Query Response message is encapsulated in an IPv6 header , like any ICMPv6 message. The IOAM Query Response message has the following format:

IPv6 Header fields: Source Address: Copied from the Destination Address field of the invoking IOAM Query Request packet. Destination Address: Copied from the Source Address field of the invoking IOAM Query Request packet. ICMPv6 fields: ICMPv6 header: The values of Type, Code, Checksum, Identifier, and Sequence Number are the same as specified in . Besides, two more values (4) No Matched Namespace-ID and (5) Exceed the minimum IPv6 MTU are defined for Code field. See for details. Following the ICMPv6 header, it's an ICMP Extension Structure () containing one or more IOAM Capabilities Objects. The IOAM Capabilities Object is also known as Query Response Object in .

The IOAM Capabilities Object has the following format:

Object fields: Class-Num: IOAM Capabilities Objects. The values are listed as the following:

C-Type: Values are listed as the following:

Length: Length of the object, measured in octets, including the Object Header and payload. Object payload: Following the IOAM Capabilities Object Header is the IOAM Capabilities Object payload, which is defined in Sections 3.2.1, 3.2.3, 3.2.4, 3.2.5, and 3.2.6 of .

The format of an IOAM Query Response can vary from deployment to deployment. In a deployment where only the default Namespace-ID is used, the IOAM Pre-allocated Tracing Capabilities and the IOAM Proof of Transit Capabilities are enabled at the IOAM transit node that received an IOAM Query Request, the IOAM Query Response is depicted as the following:

In a deployment where two Namespace-IDs (Namespace-ID1 and Namespace-ID2) are used, for both Namespace-ID1 and Namespace-ID2 the IOAM Pre-allocated Tracing Capabilities and the IOAM Proof of Transit Capabilities are enabled at the IOAM transit node that received an IOAM Query Request, the IOAM Query Response is depicted as the following:

In a deployment where only the default Namespace-ID is used, the IOAM Pre-allocated Tracing Capabilities, the IOAM Proof of Transit Capabilities, and the IOAM Edge-to-Edge Capabilities are enabled at the IOAM decapsulating node that received an IOAM Query Request, the IOAM Query Response is depicted as the following:

When an IOAM Query Response message is received, the length of the message is determined by the Payload Length field in the IPv6 Header, as specified in .

The Code field in the IOAM Query Response MUST be set to (4) No Matched Namespace-ID if any of the following conditions apply: The IOAM Query Request does not include any Namespace-ID. None of the contained list of IOAM Namespace-IDs is recognized. None of the contained list of IOAM Namespace-IDs is enabled. The Code field in the IOAM Query Response MUST be set to (5) Exceed the minimum IPv6 MTU if the formatted IOAM Query Response packet exceeds the minimum IPv6 MTU (i.e., 1280 octets). In this case, all objects MUST be stripped before forwarding the IOAM Query Response to its destination.

This document requests the following actions from IANA: Add the following Codes to the "Type TBD - Query Response" subregistry: (4) No Matched Namespace-ID (5) Exceed the minimum IPv6 MTU Add the following to the "ICMP Extension Object Classes and Class Sub-types" registry: (TBD1) IOAM Query Object Add the following C-types to the "Sub-types - Class TBD1 - IOAM Query Object" subregistry: (0) Reserved Add the following to the "ICMP Extension Object Classes and Class Sub-types" registry: (TBD2) IOAM Tracing Capabilities Object Add the following C-types to the "Sub-types - Class TBD2 - IOAM Tracing Capabilities Object" subregistry: (0) Reserved (1) Pre-allocated Tracing Add the following to the "ICMP Extension Object Classes and Class Sub-types" registry: (TBD3) IOAM Proof of Transit Capabilities Object Add the following C-types to the "Sub-types - Class TBD3 - IOAM Proof of Transit Capabilities Object" subregistry: (0) Reserved Add the following to the "ICMP Extension Object Classes and Class Sub-types" registry: (TBD4) IOAM Edge-to-Edge Capabilities Object Add the following C-types to the "Sub-types - Class TBD4 - IOAM Edge-to-Edge Capabilities Object" subregistry: (0) Reserved Add the following to the "ICMP Extension Object Classes and Class Sub-types" registry: (TBD5) IOAM DEX Capabilities Object Add the following C-types to the "Sub-types - Class TBD5 - IOAM DEX Capabilities Object" subregistry: (0) Reserved Add the following to the "ICMP Extension Object Classes and Class Sub-types" registry: (TBD6) IOAM End-of-Domain Object Add the following C-types to the "Sub-types - Class TBD6 - IOAM End-of-Domain Object" subregistry: (0) Reserved All codes mentioned above are assigned on a First Come First Serve (FCFS) basis with a range of 0-255.

Security issues discussed in and apply to this document. This document recommends using IP Authentication Header or IP Encapsulating Security Payload Header to provide integrity protection for IOAM capabilities information. This document recommends using IP Encapsulating Security Payload Header to provide privacy protection for IOAM capabilities information. This document recommends that the network operators establish policies that restrict access to IPv6 Node IOAM Query functionality. In order to enforce these policies, nodes that support IPv6 Node IOAM Query functionality MUST support the following configuration options: Enable/disable IPv6 Node IOAM Query functionality. By default, IPv6 Node IOAM Query functionality is disabled. Define enabled Namespace-IDs. By default, all Namespace-IDs except the default one (i.e., Namespace-ID 0x0000) are disabled. For each enabled Namespace-ID, define the prefixes from which the IOAM Query Request messages are permitted. In order to protect local resources, implementations SHOULD rate-limit incoming IOAM Query Request messages.

The authors would like to acknowledge Eric Vyncke, Erik Kline, and Bob Hinden for their valuable suggestions. The authors would like to acknowledge Chongfeng Xie, Zhenqiang Li, David Lamparter, and Daniel King for their review and helpful comments.