Location ID Separation Protocol. Gregory Johnson -

Size: px

Start display at page:

Download "Location ID Separation Protocol. Gregory Johnson -"

Clifton Chad McCarthy
5 years ago
Views:

1 Location ID Separation Protocol Gregory Johnson - grjohnso@cisco.com

2 LISP - Agenda LISP Overview LISP Operations LISP Use Cases LISP Status (Standards and in the Community) Summary 2

nd location Internet Today s Internet Behavior Loc/ID overloaded semantic w.z.y.9 When the device moves, it gets a new IPv4 or IPv6 address for its new identityand location x.

4 LISP Overview What do we mean by location and identity? x.y.z.1 Device IPv4 or IPv6 address represents identityand location Internet Today s Internet Behavior Loc/ID overloaded semantic w.z.y.9 When the device moves, it gets a new IPv4 or IPv6 address for its new identityand location x.y.z.1 Device IPv4 or IPv6 address represents identity only. a.b.c.1 Internet e.f.g.7 LISP Behavior Loc/ID split x.y.z.1 When the device moves, keeps its IPv4 or IPv6 address. It has the same identity Its location is here! Only the location changes Overview 4

25 ] DNS Server DNS URL Resolution LISP resolves locators for queried identities LISP router

5 LISP Overview LISP Mapping Resolution DNS analog LISP Map Lookup is analogous to a DNS lookup DNS resolves IP addresses for URLs host [ who is ]? [ ] DNS Server DNS URL Resolution LISP resolves locators for queried identities LISP router [ where is x.y.z.1 ]? [ location is a.b.c.1 ] LISP Mapping System LISP Identity-to-location Map Resolution 5

LISP Overview A level of indirection - (RFC 6830) LISP creates a Level

the IP address of a host just as it is today (Rou1ng Locator) is the IP

hop w.x.y.1e.f.g.h x.y.w.2e.f.g.h z.q.r.5e.f.g.h z.q.r.5e.f.g.h xtr MS/MR EID a.

a.a.0/24 w.x.y.1 b.b.b.0/24 x.y.w.2 c.c.c.0/24 z.q.r.

6 LISP Overview A level of indirection - (RFC 6830) LISP creates a Level of indirec4on with two namespaces: EID and EID (Endpoint Iden1fier) is the IP address of a host just as it is today (Rou1ng Locator) is the IP address of the LISP router for the host Non- LISP EID Space Prefix Next- hop w.x.y.1e.f.g.h x.y.w.2e.f.g.h z.q.r.5e.f.g.h z.q.r.5e.f.g.h xtr MS/MR EID a.a.a.0/24 w.x.y.1 b.b.b.0/24 x.y.w.2 c.c.c.0/24 z.q.r.5 d.d.0.0/16 z.q.r.5 EID a.a.a.0/24 w.x.y.1 b.b.b.0/24 x.y.w.2 c.c.c.0/24 z.q.r.5 d.d.0.0/16 z.q.r.5 EID- to- mapping EID a.a.a.0/24 w.x.y.1 b.b.b.0/24 x.y.w.2 c.c.c.0/24 z.q.r.5 d.d.0.0/16 z.q.r.5 EID- to- mapping is the distributed architecture that maps EIDs to s PxTR xtr xtr Space EID Space Overview 6

8 LISP Data Header Format IPv4 EID/IPv4 Example draft-ietf-lisp-12 IPv4 Outer Header: Router supplies s UDP LISP header IPv4 Inner Header: Host supplies EIDs Operations 8

9 LISP Data Header Format IPv6 EID/IPv4 Example draft-ietf-lisp-09 IPv4 Outer Header supplies s UDP LISP header IPv4 Inner Header: Host supplies IPv6 Inner EIDs Header: Host supplies EIDs Operations 9

LISP Data Plane Ingress/Egress Tunnel Router (xtr) S1 Provider A 10.

10 LISP Data Plane Ingress/Egress Tunnel Router (xtr) S1 Provider A /8 Provider X /8 D1 S packet flow S2 Provider B /8 Provider Y /8 packet flow D2 D Ingress Tunnel Router Receives packets from site-facing interfaces Encapsulates to remote LISP site (or natively forwards to non-lisp site) Egress Tunnel Router Receives packets from core-facing interfaces De-caps and delivers packets to local EIDs at the site Operations 10

LISP Data Plane Unicast Packet Forwarding PI

0.0.2 -> 3.0.0.3 10.0.0.1 11.0.0.1 3 Provider A 10.

0.0.0/8 Provider Y 13.0.0.0/8 12.0.0.2 7 13.0.0.2 D1 D2 8 D 1 DNS entry: D.

0.0.3 11.0.0.1 -> 12.0.0.2 2.0.0.2 -> 3.0.0.3 2.

Locators -> Red Physical link Mapping Entry

0.0/24 Locator-set: 12.0.0.2, priority: 1, weight: 50 (D1) 13.

11 LISP Data Plane Unicast Packet Forwarding PI EID-prefix /24 PI EID-prefix /24 S 2 S1 S > Provider A /8 Provider B / Provider X /8 Provider Y / D1 D2 8 D 1 DNS entry: D.abc.com A > > > > > Legend: EIDs -> Green Locators -> Red Physical link Mapping Entry EID-prefix: /24 Locator-set: , priority: 1, weight: 50 (D1) , priority: 1, weight: 50 (D2) This policy controlled by destination site Operations 11

12 LISP Control Plane Control Plane Messages Control Plane EID Registration Map-Register messages Sent by to Map-Server to register its associated EID prefixes Specifies the (s) to be used by the Map-Server when forwarding Map-Requests to the Control Plane Data-triggered mapping service Map-Request messages Sent by an when it needs an EID/ mapping, to test an for reachability, or to refresh a mapping before TTL expiration Map-Reply messages Sent by an in response to a valid map-request to provide the EID/ mapping and site ingress Policy for the requested EID Operations 12

13 LISP Control Plane Map-Server/Map-Resolver (MS/MR) = Mapping Database System S1 MR Provider A /8 MS Provider X /8 D1 S S2 Provider B /8 Provider Y /8 D2 D MR Map-Resolver ReceivesMap-Requestfrom. Forwards Map-Request onto the topology. Sends Negative Map-Replies in response to Map-Requests for non-lisp sites. DDT = Delegated Database Tree is Replacing LISP ALT MS Map-Server LISP site s Register their EID prefixes here; requires configured lisp site policy, authentication key. Injects routes for registered site EID prefixes into BGP topology. Receives Map-Requests via and forwards them to registered s. Operations 13

14 LISP Control Plane Mapping Database (), Map-Cache () Mapping-Database EID-to- mappings in all s for local LISP site MR MS is authoritative for its EIDs, sends Map-Replies to s Provider A Provider X s can tailor policy based on Map-Request source / /8 Decentralization S1 increases attack resiliency = Mapping Database System D1 S S2 Provider B /8 Provider Y /8 D2 D LISP Map Cache Lives on s and only stores mappings for sites to which is currently sending packets. Map-Cache populated by sending Map-Requests through and receiving Map-Replies from s s must respect Map-Reply policy, including TTLs, up/down status, priorities/weights Operations 14

15 LISP Control Plane Map-Registration example = Mapping Database System Other 3/8 sites PI EID-prefix /24 S MR Provider A / MS Provider X / D1 PI EID-prefix /24 S S Provider B /8 Provider Y / D2 D Legend: EIDs -> Green Locators -> Red BGP-over-GRE Physical link /8 propagation includes the Map-Resolver [3] /8 MS advertises into BGP over GRE [2] > LISP Map-Register (udp 4342) SHA / , [1] Operations 15

16 LISP Control Plane Map-Request example = Mapping Database System PI EID-prefix /24 S MR Provider A / MS Provider X / D1 PI EID-prefix /24 S S > DNS entry: D.abc.com A Legend: EIDs -> Green Locators -> Red BGP-over-GRE Physical link How do I get to ? [1] Provider B / > LISP ECM (udp 4342) > Map-Request (udp 4342) nonce Provider Y /8 [2] [3] [4] > Map-Request (udp 4342) D > nonce > Map-Request (udp 4342) nonce D LISP ECM (udp 4342) [5] Operations 16

17 LISP Control/Data Plane over IP Encryptors Map-Server/Map-Resolver (MS/MR), xtr MR MS S S1 S2 Provider A /8 Provider B /8 BLACK IP Transport Provider X /8 Provider Y /8 D1 D2 D next-hops point to the KG, single IP address represents all EID s BLACK transport can be any available today in the DoD/IC LISP Leverages native IP encapsulation (IP/UDP), so no manual tunnels Offers multi-homing, v6 over v4, v6 over v6, etc Mobility, VPN 17

18 LISP Interworking Proxy Ingress/Egress Tunnel Routers (P/P) = Mapping Database System S1 MR Provider A /8 P MS Provider X /8 P D1 S S2 Provider B /8 Provider Y /8 D2 D P Proxy Receives traffic from non-lispsites; encapsulates traffic to LISP sites Advertises coarse-aggregate EID prefixes LISP sites see ingress TE day-one P Proxy Allows IPv6 LISPsites with IPv4 s to reach IPv6 LISPsites that only have IPv6 s Allows LISPsites with urpf restrictions to reach non-lispsites Operations 18

LISP Interworking Proxy Ingress Tunnel Router example PI EID-prefix 2.0.0.0/24 S1 10.0.0.1 MR Provider A 10.0.0.0/8 65.1.1.1 66.

0.0.0/24 S S2 11.0.0.1 Provider B 11.0.0.0/8 3.0.0.0/8 Provider Y 13.0.0.0/8 13.0.0.2 D2 D 65.1.1.1 ->3.0.0.1 [1] Non-LISP Site 3.

19 LISP Interworking Proxy Ingress Tunnel Router example PI EID-prefix /24 S MR Provider A / P MS Provider X /8 P [2] > > D1 [3] > PI EID-prefix /24 S S Provider B / /8 Provider Y / D2 D > [1] Non-LISP Site > [5] > [4] Non-LISP Site /16 Operations 19

20 LISP and Security LISP-Sec Security LISP-SEC is a set of security mechanisms that provide origin authentication, integrity and anti-replay protection to LISP's EID-to- mapping data conveyed via mapping lookup process. LISP-SEC also enables verification of authorization on EID- prefix claims in Map-Reply messages, ensuring that the sender of a Map-Reply that provides the location for a given EID-prefix is entitled to do so according to the EID prefix registered in the associated Map Server. 20

v6-over-v6 v4-over-v6, v4-over-v4 VM-Mobility Data Center HQ LISP Site Internet User Network Data Center 1 LISP routers Internet VM move Data

22 LISP Use Cases Overview Efficient Multi-Homing LISP Site LISP routers Internet IPv6 Transition Support v6 services LISP router v6 IPv4 Internet v4 v6 LISP router v6 IPv6 Internet IP Portability Ingress Traffic Engineering without BGP Network Virtualization - VPN v6-over-v4, v6-over-v6 v4-over-v6, v4-over-v4 VM-Mobility Data Center HQ LISP Site Internet User Network Data Center 1 LISP routers Internet VM move Data Center 2 LISP routers Remote Remote.. 10k.. Remote Remote VM a.b.c.1 VM a.b.c.1 Reduced CapEx/OpEx Segmentation Cloud / Layer 3 VM moves Segmentation 22

23 LiSP Network Virtualization Layer 3 Virtualization Options VRF Lite VRF Lite over IP (GRE) VRF Lite over DMVPN/GET-VPN MPLS VPN MPLS VPN over IP (P2P GRE) MPLS VPN over DMVPN * MPLS VPN over Multipoint GRE (mgre) * Virtualization with LISP * Leverage GET VPN on any mgre Solutions 23

24 LISP Data Format Example IPv4 EID/IPv4 Example draft-ietf-lisp-15 IPv4 Outer Header: Router supplies s UDP LISP header IPv4 Inner Header: Host supplies EIDs Instance ID Maps Aligns with VRF Definition 24

LISP Use Case Multi-Tenancy Network Virtualization Over the Top PI EID-prefix 2.0.0.0/24 S1 10.0.0.1 65.1.1.1 66.2.2.2 MR Provider A 10.0.0.0/8 ALT ALT ALT ALT MS Provider X 12.0.0.0/8 12.0.0.2 D1 PI EID-prefix 3.

25 LISP Use Case Multi-Tenancy Network Virtualization Over the Top PI EID-prefix /24 S MR Provider A /8 ALT ALT ALT ALT MS Provider X / D1 PI EID-prefix /24 S S Provider B /8 Provider Y / D2 D VRFs Legend: EIDs -> Green Locators -> Red BGP-over-GRE Physical link Allows network segmentation on xtr (CE to SP) PE routers require minimal routes ( address only) VRF Segmentation is applied to CE/xTR SP PE has minimal customer routes (ideal if Enterprise PE) CE/xTR can add additional customer (per VRF), and routes are hidden from SP network. Can add GET VPN for additional data security (IPSec) 25

26 LISP Use Cases VM-Mobility Needs: VM-Mobility across subnets Move detection, dynamic EID-to- mappings, traffic redirection LISP Solution: OTV + LISP to extend subnets LISP for VM-moves across subnets Benefits: Integrated Mobility Connections maintained across moves No /32 route injection No DNS updates required IPv4/IPv6 Support ARP elimination Data Center 1 LISP router Applicability: VM a.b.c.1 VM OS agnostic Internet VM move VM a.b.c.1 Data Center 2 LISP router Services Creation (disaster recovery, cloud burst, etc.) Customers/EFTs: Cisco IT Qualcomm More 26

27 LISP Use Cases VM-Mobility Case Study Topology, Initial Map Cache entries EID Host 1: / / / Branch EID Space, /25 CPE - xtr Enterprise Remote Site EID Map Cache Table / EID Map Cache Table / / N7K - xtr MS/MR Enterprise WAN Enterprise Core EID N7K - xtr Map Cache Table / WEST EAST VM2 : VM1 : DC EID Space, Home Subnet /24 DC EID Space, Home Subnet /24 VM3 :

LISP Use Cases VM-Mobility Case Study traffic flows before move Before Move Traffic Flows EID Host 1: 10.10.30.1 10.10.10.0/24 192.168.10.1 192.168.10.2 10.10.20.0/24 192.168.20.1 192.168.20.2 10.10.30.0/24 192.168.30.1 Branch EID Space, 10.

10.30.0/24 192.168.30.1 N7K - xtr MS/MR 192.168.10.1 192.168.10.2 Enterprise WAN 192.168.30.1<->192.168.10.2 10.10.30.1<->10.10.10.1 Enterprise Core 192.168.20.2<->192.168.10.2 10.10.20.1<->10.10.10.1 192.168.20.1 192.168.20.2 EID N7K - xtr Map Cache Table 10.

28 LISP Use Cases VM-Mobility Case Study traffic flows before move Before Move Traffic Flows EID Host 1: / / / Branch EID Space, / <-> CPE - xtr Enterprise Remote Site EID Map Cache Table / EID Map Cache Table / / N7K - xtr MS/MR Enterprise WAN <-> <-> Enterprise Core <-> <-> EID N7K - xtr Map Cache Table / <-> <-> <-> WEST EAST <-> VM2 : VM1 : DC EID Space, Home Subnet /24 DC EID Space, Home Subnet /24 VM3 :

LISP Use Cases VM-Mobility Case Study map cache updates after move Before Move Traffic Flows 3 Branch EID Space, 10.10.30.0/25 MS/MR Host 1: 10.10.30.1 192.168.30.1 CPE - xtr Enterprise WAN Enterprise Core 2 Enterprise Remote Site 10.

29 LISP Use Cases VM-Mobility Case Study map cache updates after move Before Move Traffic Flows 3 Branch EID Space, /25 MS/MR Host 1: CPE - xtr Enterprise WAN Enterprise Core 2 Enterprise Remote Site / N7K - xtr N7K - xtr 4 EID EID Map Cache Table / / / / / / EID Map Cache Table / / EID Map Cache Table / / WEST EAST VM2 : DC EID Space, DC EID Space, VM3 : Home Subnet Home Subnet / /24 VM1 :

LISP Use Cases VM-Mobility Case Study traffic flows after move Before Move Traffic Flows EID EID Map Cache Table 10. 10.20.0/24 192.168.20.1 192.168.20.2 10.10.30.0/24 192.168.30.1 10.10.10.0/24 192.168.10.1 192.168.10.2 10.10.20.0/24 192.168.20.1 192.168.20.2 10.10.30.0/24 192.168.30.1 10.10.10.1/32 192.

168.30.1<->192.168.20.1 10.10.30.1<->10.10.10.1 192.168.10.1<->192.168.20.1 Enterprise Core 10.10.10.2<->10.10.10.1 Enterprise Remote Site EID 192.168.20.1 192.168.20.2 AWer Move Map Cache Table N7K - xtr 10.

10.10.2<->10.10.10.1 10.10.30.1<->10.10.10.1 10.10.20.1<->10.10.10.1 10.10.20.1<->10.10.10.1 VM2 : 10.10.10.2 DC EID Space, Home Subnet 10.10.10.0/24 DC EID Space, Home Subnet 10.10.20.0/24 VM1 : 10.

30 LISP Use Cases VM-Mobility Case Study traffic flows after move Before Move Traffic Flows EID EID Map Cache Table / / / / / / Branch EID Space, /25 MS/MR / N7K - xtr Host 1: <-> CPE - xtr Enterprise WAN <-> <-> <-> Enterprise Core <-> Enterprise Remote Site EID AWer Move Map Cache Table N7K - xtr / / EID Map Cache Table / / WEST EAST <-> <-> <-> <-> <-> VM2 : DC EID Space, Home Subnet /24 DC EID Space, Home Subnet /24 VM1 : VM3 :

31 LISP Status Cisco s LISP Software Release Strategy Development Strategy Early Deployment (ED) Software Engineering Builds - LISP ED releases available on CCO as hidden posts - Not orderable via the Cisco Global Configuration tool - Intended only for deployment on LISP nodes - Not intended nor recommended for production deployment scenarios - TAC supported (unless deployed in non-lisp environment) - Refer to LISP Early ED Software Release Product Bulletin for details Production LISP Deployment Software Mainline integration - LISP production software images available via CCO download - Orderable via the Cisco Global Configuration tool - Approved for use in all production deployment scenarios Cisco LISP Code: - TAC supported 31

32 LISP References Resources LISP Information IETF LISP WG hbp://tools.iee.org/wg/lisp/ LISP Beta NetworkhBp:// Cisco hbp://lisp.cisco.com (v4 and v6) Cisco LISP MarketinghBp:// Mailing Lists IETF LISP LISP Interest (public)lisp- Cisco LISP Questionslisp- 32

LISP Locator/ID Separation Protocol

LISP Locator/ID Separation Protocol Hernán Contreras G. Consulting Systems Engineer hcontrer@cisco.com LISP Next Gen Routing Architecture Locator-ID Separation Protocol (LISP) Elevator Pitch LISP is a