Internet-Draft | ICMP for Validation | July 2023 |
Liu | Expires 11 January 2024 | [Page] |
This document introduces the mechanism to verify the data plane against the control plane in IPv6/SRv6 networks by extending ICMPv6 messages.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 11 January 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
An MPLS label can be related with various FEC information, e.g, VPN IP prefix [RFC4365], LDP IP prefix[RFC5036], flex algorithms[RFC9350] and etc. Most of these information can be advertised via control plane protocols(e.g, IGP, BGP, etc).¶
Procedures for simple and efficient mechanisms to verify the data plane against the control plane using LSP Ping in MPLS network are well defined in [RFC8029]. Normally, when a new feature is introduced and the MPLS label is associated with new information, the LSP Ping mechanism is still applicable by defining new FEC sub-TLV with the new information encoded in it.¶
On the other hand, IP addresses, especially the IPv6 addresses/SRv6 SIDs, can be related with extra information/functions besides basic forwarding/routing semantics.¶
Below is a non-exhaustive list of the information that can be related with IP addresses/SRv6 SIDs and propagated to the control plane.¶
In IP networks, there're requirements to check the consistency between the control plane and the data plane to localize faults.¶
Take IPv4 VPN as an example, in MPLS, an MPLS label is allocated for the VPN prefix, the label is advertised together with the VPN prefix via BGP [RFC4365]. To verify this information, VPN IPv4 Prefix FEC sub-TLV is defined which carries the VPN prefix to be verified via LSP ping[RFC8029]. Similarly, in SRv6, an SRv6 SID is associated with a VPN prefix, and they are advertised together via BGP[RFC9252]. One may want to verify the SID-related VPN prefix just like what is done in MPLS-VPN.¶
This document introduces the mechanism to verify the data plane against the control plane in IPv6 networks by extending ICMPv6 messages, considering that the requirements are stronger in IPv6.¶
Editor's Note: Instead of extending ICMPv6 Node Information Query (or NI Query) and the Node Information Reply (or NI Reply) based on [RFC4620], this document introducing ICMPv6 Validation Request and ICMPv6 Validation Reply messages by defining two new types of ICMPv6 messages taking example from [RFC8335]. The reason is that NI Query and NI Reply are originally defined for discovering information about nodes, such as names and addresses, while this document aims to provide an IP-related information validation mechanism, which makes RFC4620 not quite suitable.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].¶
The Validation Request message is defined for ICMPv6[RFC4443]. Like any ICMPv6 message, the ICMPv6 Validation Request message is encapsulated in an IPv6 header.¶
The structure of ICMP Validation Request is shown in Figure 1, where:¶
The Validation Information Object is shown in Figure 2, where:¶
C-Type Object Payload -------- ----------- 1 Endpoint Behavior 2 IPv6 Prefix IGP Algorithm 3 SRv6 IGP-Adjacency Segment 4 VPN IPv4 Prefix 5 VPN IPv6 Prefix¶
Other C-Type values and the corresponding information carried in object payload will be defined as needed.¶
When the endpoint behavior[RFC8986] of an SRv6 SID needs to be verified, the following format of object payload is used.¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Endpoint Behavior | Must Be Zero | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
Endpoint Behavior: 2 octets. The codepoints for the Endpoint behaviors are defined in the "SRv6 Endpoint Behaviors" registry defined in [RFC8986].¶
IGP Flex-Algorithm can be used with both Segment Routing data planes(i.e, SR-MPLS and SRv6) [RFC9350] and for regular IPv4 and IPv6 prefixes [I-D.ietf-lsr-ip-flexalgo] .¶
When the algorithm of an SRv6 SID or IPv6 prefix needs to be verified, the following format of object payload is used.¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Protocol | Algorithm | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
Set to 0 if the default algorithm is used. Set to 1 if Strict Shortest Path First (Strict-SPF) algorithm is used. For Flex-Algo, the Algorithm field MUST be set with the algorithm value (values can be 128-255).¶
SRv6 End SIDs inherit the algorithm from the parent locator.¶
This object payload is applicable for SRv6 IGP-Adjacency defined in [RFC8402]. The format is as specified below:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Adj. Type | Protocol | Algorithm | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ ~ | Local Interface ID (4 or 16 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ ~ | Remote Interface ID (4 or 16 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ ~ | Advertising Node Identifier (4 or 6 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ ~ | Receiving Node Identifier (4 or 6 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
Set to 0 if the default algorithm is used. Set to 1 if Strict Shortest Path First (Strict-SPF) algorithm is used. For Flex-Algo, the Algorithm field MUST be set with the algorithm value (values can be 128-255).¶
The algorithm is specified in the individual SRv6 Adjacency SID.¶
IPv4 VPN Over SRv6 Core is introduced in [RFC9252], where an SRv6 service SID is associated with a VPN IPv4 prefix at the egress PE.¶
When the related VPN IPv4 prefix of an SRv6 service SID needs to be verified, the following format of object payload is used. The Value field consists of the RD advertised with the VPN IPv4 prefix, the IPv4 prefix (with trailing 0 bits to make 32 bits in all), and a prefix length, as follows:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Route Distinguisher | | (8 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IPv4 prefix | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Prefix Length | Must Be Zero | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
The RD is an 8-octet identifier, it does not contain any inherent information. The purpose of the RD is solely to allow one to create distinct routes to a common IPv4 address prefix. The encoding of the RD is not important here. When matching this field to the local information, it is treated as an opaque value.¶
IPv6 VPN Over SRv6 Core is introduced in [RFC9252], where an SRv6 service SID is associated with a VPN IPv6 prefix at the egress PE.¶
When the related VPN IPv6 prefix of an SRv6 service SID needs to be verified, the following format of object payload is used.¶
The object payload field consists of the RD advertised with the VPN IPv6 prefix, the IPv6 prefix (with trailing 0 bits to make 128 bits in all), and a prefix length, as follows:¶
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Route Distinguisher | | (8 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IPv6 prefix | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Prefix Length | Must Be Zero | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+¶
The RD is an 8-octet identifier, it does not contain any inherent information. The purpose of the RD is solely to allow one to create distinct routes to a common IPv4 address prefix. The encoding of the RD is not important here. When matching this field to the local information, it is treated as an opaque value.¶
The Validation Reply message is defined for ICMPv6. Like any ICMPv6 message, the ICMP Extended Echo Reply message is encapsulated in an IPv6 header. Figure 3 describes the ICMPv6 Validation Reply message.¶
ICMP fields:¶
Code: Values are¶
(0) Validation passed¶
(1) Malformed request received¶
(2) One or more of the objects were not understood¶
(3) Information mismatch¶
A node that originates an ICMP validation request message SHOULD first determine which IP address needs to be verified with what information. How the sender node get the information is out of scope of the document.¶
An ICMPv6 validation request contains one or more Validation Information objects, depending on how the user wants to do the validation. For example, an SRv6 service SID is related with an endpoint behavior and an IPv4 VPN prefix, if one wants to verify both information of the SID via one request message, an ICMPv6 validation request is sent with two validation information objects in it. Or one may choose to send two individual ICMPv6 validation requests, each carries one validation information object to verify these two information separately.¶
The target IP is the IP address/SRv6 SID to be verified and MUST be a unicast address. The ICMPv6 validation request is sent with the target IP address/SRv6 SID set as the destination address of the IP header field without SRH, or set as the last segment with SRH. The Source Address of the ICMPv6 packet MUST be a unicast address belonging to the node.¶
The Hop Limit SHOULD be set to 255 to prevent transit nodes from processing the validation request.¶
All transit nodes process the validation request message like any other IPv6 data packets and hence do not require any change.¶
As specified in [RFC4443], if a router receives a packet with a Hop Limit of zero, or if a router decrements a packet's Hop Limit to zero, it MUST discard the packet and originate an ICMPv6 Time Exceeded message with Code 0 to the source of the packet. The source address SHOULD be set as a local address of the router.¶
The target node is a node receiving an validation request where the target IP of that message is locally configured as a segment or local interface.¶
When the validation request packet arrives at the target node, and any of the following conditions apply, the node MUST silently discard the incoming message:¶
Otherwise, if the packet is well formed, the target node verifies the information encoded in the Validation Information Object against the corresponding local information.¶
When a node receives an ICMPv6 Validation Request, it MUST format an ICMPv6 Validation Reply as follows:¶
The Code field MUST be set to 0 if all the the information encoded in the Validation Information Object is consistent with the the corresponding local information on the target node.¶
The Code field MUST be set to 1 if any of the following conditions apply:¶
The Code field MUST be set to 2 if one or more of the objects are not understood by the node.¶
The Code field MUST be set to 3 if the information in the Validation Information Object(s) is not consistent with the local information and validation is not passed.¶
A node should only receive a validation reply in response to a validation request that it sent. Thus, on receipt of a validation reply, the node should parse the packet to ensure that it is well-formed, then attempt to match up the validation reply with a validation request that it had previously sent, using the Identifier and Sequence Number. If no match is found, the node ignores the echo reply.¶
Section 4.6 of [RFC4884] provides a list of extensible ICMP messages (i.e., messages that can carry the ICMP Extension Structure). This document adds the ICMPv6 Validation Request message and the ICMPv6 Validation Reply message to that list.¶
This document requests the following actions from IANA:¶
Add an entry to the "ICMPv6 "type" Numbers" registry, representing the Validation Reply. This entry has the following codes:¶
(0) Validation passed¶
(1) Malformed request received¶
(2) One or more of the objects were not understood¶
(3) Information mismatch¶
Add an entry to the "ICMP Extension Object Classes and Class Sub-types" registry, representing the Validation Information Object with C-types:¶
(1) Endpoint Behavior¶
(2) IPv6 Prefix IGP Algorithm¶
(3) SRv6 IGP-Adjacency Segment¶
(4) VPN IPv4 Prefix¶
(5) VPN IPv6 Prefix¶
C-Type values are assignable on a first-come-first-serve (FCFS) basis with a range of 0-255.¶
All codes mentioned above are assigned on a First Come First Serve (FCFS) basis with a range of 0-255.¶
Security considerations discussed in [RFC4443] and[RFC4884] apply to this document.¶
To protect against unauthorized sources using validation request messages to obtain network information, it is RECOMMENDED that implementations provide a means of checking the source addresses of validation request messages against an access list before accepting the message.¶
The validation mechanism SHOULD be only used in the limited domain. The validation request contains the control plane information, policies should be implemented on the edge devices of the domain to prevent the information from being leaked into other domains.¶
In order to protect local resources, implementations SHOULD rate-limit incoming ICMP Request messages.¶