LISP Locator/ID Separation Protocol

Transcription

1 LISP Locator/ID Separation Protocol Hernán Contreras G. Consulting Systems Engineer

2 LISP Next Gen Routing Architecture Locator-ID Separation Protocol (LISP) Elevator Pitch LISP is a Next-Generation Routing Architecture not just a feature The LISP delivers: Internet & Intranet Scalability: Reduction of Core Routing Table IP state ISP transparency Flexible Routing Policy Prefix Portability Seamless Mobility IPv4/IPv6 co-existence VPN semantics (multi-tenancy) Directory Resolution & Registration Data Path 2

3 LISP Overview Why was LISP developed? LISP originally conceived to address Internet Scaling What causes scaling issues? IP addresses denote both location and identity today Overloaded IP address semantic makes efficient routing impossible IPv6 does not fix this Why are scaling issues bad? Routers require tons of expensive memory to hold the Internet Routing Table in the forwarding plane of a router It s expensive for network builders/operators Replacing equipment for the wrong reason (to hold the routing table rather than implementing new features ) It s not environmentally GREEN routing scalability is the most important problem facing the Internet today and must be solved Internet Architecture Board (IAB) October 2006 Workshop (written as RFC 4984) 3

4 LISP Overview What Pollutes the Internet? Provider D /24 Provider /8 C /24 Provider A /8 Provider H Provider B /8 Internet Provider G /8 Provider Y /8 Provider Z /8 Provider W Provider X / / / / /8 R1 R2 Provider Assigned (PA) /24 R1 R2 Provider Independent (PI) /8 4

5 LISP Overview Locator/ID Separation LISP creates two Name Spaces: EID (Endpoint Identifier) is the host IP address RLOC (Routing Locator) is the infrastructure IP address of the LISP router Provider X /8 EID Space R1 S R2 Locator Space Provider Y /8 EIDs Used inside of sites End-site addresses for hosts and routers EIDs go in DNS records same as today! Generally not globally routed on underlying infrastructure New namespace RLOCs Used in the Core Infrastructure addresses for LISP routers and ISP routers Routed just like today! Hosts do not know about them Globally routed and aggregated along the Internet connectivity topology Existing namespace In LISP, the EID can move independently of the RLOC 5

6 LISP Overview Why does Locator/ID Split solve this problem? Before Loc/ID Split B Provider Z Provider D 13/8 12/8 11/8 Provider /24 C /9 10/ / /9 Provider W Provider H Provider G Provider A /8 Provider B /8 Internet Some-Core-Rtr# show ip route bgp /8 is variably subnetted, 15 subnets, 8 masks B /24 [20/0] via , 3d19h /8 is variably subnetted, 8 subnets, 4 masks B /8 [20/0] via , 1d17h /8 is variably subnetted, 29 subnets, 6 masks B /16 [20/0] via , 3d19h B /22 [20/0] via , 3d19h /8 is variably subnetted, 13 subnets, 4 masks B /8 [20/0] via , 14:00:10 B /10 [20/0] via , 5d23h /8 is variably subnetted, 2 subnets, 1 masks B /9 [20/0] via , 14:00: /9 [20] via , 3d19h Provider Y /8 Existing locator Namespace Provider X / / / /30 R1 R /30 Provider Assigned (PA) / / / /30 R1 R2 Provider Independent (PI) / /30 Addresses at sites, both PA and PI, can get de-aggregated by multi-homing Aggregates for infrastructure addresses (e.g. CE-PE links) get advertised as well 7

7 LISP Overview Why does Locator/ID Split solve this problem? Off-line control plane After Loc/ID Split New host Namespace Provider D 11/8 Provider /24 C 10/ /24 15/8 Provider H Provider G Provider A / / / Provider B /8 Internet Provider Z 13/8 12/8 Provider Y /8 Existing locator Namespace Some-Core-Rtr# show ip route bgp /8 is variably subnetted, 15 subnets, 8 masks /8 is variably subnetted, 8 subnets, 4 masks B /8 [20/0] via , 1d17h /8 is variably subnetted, 29 subnets, 6 masks B /16 [20/0] via , 3d19h B /22 [20/0] via , 3d19h /8 is variably subnetted, 13 subnets, 4 masks B /8 [20/0] via , 14:00:10 B /10 [20/0] via , 5d23h 15/8 Provider W Provider X / / / /30 R1 R /30 Provider Assigned (PA) / / / /30 R1 R2 Provider Independent (PI) / /30 Addresses at sites, both PA and PI, can get de-aggregated by multi-homing Aggregates for infrastructure addresses (e.g. CE-PE links) get advertised as well 8

8 LISP Overview LISP Data Plane Concepts EID packets are encapsulated in RLOC packets and forwarded over the Internet Network-based Map and Encap approach Requires the fewest changes to existing systems only the CPE No changes in hosts, DNS, or Core infrastructure New Mapping Service required for EID-to-RLOC mapping resolution Design for encapsulation and router placement source host 7. Application 6. Presentation 5. Session 4. Transport peer-to-peer communications peer-to-peer communications 7. Application 6. Presentation 5. Session 4. Transport destination host 3. Network (host) 3. Network (host) 3. Network (host) (LISP UDP) (LISP UDP) (LISP UDP) 3. Network (host) 3. Network (LISP) 3. Network (LISP) 3. Network (LISP) 3. Network (host) 2. Data Link 2. Data Link 2. Data Link 2. Data Link 2. Data Link 1. Physical 1. Physical 1. Physical 1. Physical 1. Physical En-cap packets LISP Internet LISP De-cap packets 9

9 LISP Overview LISP Header Format draft-ietf-lisp-15 Outer Header: Router supplies RLOCs UDP LISP header Inner Header: Host supplies EIDs 10

10 LISP Operations LISP Components Ingress/Egress Tunnel Router (xtr) S1 MR Provider A /8 P MS Provider X /8 P D1 S S2 Provider B /8 Provider Y /8 D2 D Ingress Tunnel Router Receives packets from site-facing interfaces Encaps to remote LISP site or natively forwards to non-lisp site Egress Tunnel Router Receives packets from core-facing interfaces De-caps and delivers to local EIDs at the site 11

11 LISP Operations Data Plane Example Unicast Packet Forwarding PI EID-prefix /24 PI EID-prefix /24 S Provider A /8 Provider X / D1 S S > Provider B /8 Provider Y / D2 D DNS entry: D.abc.com A > > > > > Legend: EIDs -> Green Locators -> Red Physical link Mapping Entry EID-prefix: /24 Locator-set: , priority: 1, weight: 50 (D1) , priority: 1, weight: 50 (D2) This policy controlled by destination site 12

12 LISP Operations Control Plane Mapping Database & Map Cache LISP Mapping-Database Stored in all s of each LISP site, not centralized EID-to-RLOC mappings in all s for each LISP site is authoritative for MR its EIDs, sends Map-Replies to MS s Provider A Provider X s can tailor policy S /8 based on Map-Request source /8 P P Decentralization increases attack resiliency D1 S S2 Provider B /8 Provider Y /8 D2 D LISP Map Cache Obtained and stored in s for the sites they are currently sending packets to Map-Cache populated by Map-Replies from s Stored in s only for sites to which they are currently sending packets s must respect policy of Map-Reply mapping data including TTLs, RLOC up/down status, RLOC priorities/weights 14

13 LISP Operations LISP Components Map-Server/Map-Resolver (MS/MR) S1 MR Provider A /8 P MS Provider X /8 P D1 S S2 Provider B /8 Provider Y /8 D2 D MR Map-Resolver Receives Map-Request encapsulated from De-caps Map-Request, forwards thru service interface onto the topology Sends Negative Map-Replies in response to Map-Requests for non-lisp sites MS Map-Server LISP s Register here; requires configured lisp site policy, key Injects routes for registered LISP sites into thru service interface Receives Map-Requests via ; encaps Map-Requests to registered s When is used, Map-Servers advertise EID-prefixes 15

14 LISP Operations LISP Components LISP- Topology () S1 MR Provider A /8 P MS Provider X /8 P D1 S S2 Provider B Provider Y /8 Alternative Topology /8 Advertises EID-prefixes in Alternate BGP topology over GRE Service interface for Map-Requests and Map-Replies Devices with service interface include: MS, MR, xtr, PxTR -only router aggregates peering connections and can be off-the-shelf gear, a router, commodity Linux host, etc. D2 D 17

15 LISP Operations How LISP- Works When sites are attached to the with GRE tunnels EID-prefix / > ? > rtr -rtr? < / > rtr -rtr? < / < /24 EID-prefix /24 EID-prefix /24 Legend: EIDs -> Green Locators -> Red -rtr -rtr GRE Tunnel Low Opex Physical link Map-Request Map-Reply? > > > EID-prefix /24 18

16 LISP Modular Mapping Database Infrastructure Legend: LISP Sites -> green 1st layer access infrastructure -> blue 2nd layer core infrastructure -> red Want the ability to swap Mapping Database Infrastructure without changing sites xtrs xtrs xtrs xtrs xtrs MS/MRs xtrs xtrs xtrs MS/MRs xtrs MS/MRs xtrs MS/MRs MS/MRs xtrs MS/MRs MS/MRs MS/MRs xtrs xtrs xtrs xtrs xtrs xtrs 19

17 LISP Operations Control Plane Example Registration PI EID-prefix /24 S MR Provider A /8 MS Provider X /8 Other 3/8 sites D1 PI EID-prefix /24 S S Provider B /8 Provider Y / D2 D Legend: EIDs -> Green Locators -> Red BGP-over-GRE Physical link /8 advertise throughout Including to Map-Resolver [3] /8 MS advertises into BGP over GRE [2] > LISP Map-Register (udp 4342) SHA-1 [1] 20

18 LISP Operations Control Plane Example Map Request PI EID-prefix /24 S MR Provider A /8 MS Provider X / D1 PI EID-prefix /24 S S > Provider B /8 Provider Y / D2 D DNS entry: D.abc.com A Legend: EIDs -> Green Locators -> Red BGP-over-GRE Physical link How do I get to ? [1] > LISP ECM (udp 4342) > Map-Request (udp 4342) nonce [2] [3] [4] > Map-Request (udp 4342) > LISP ECM (udp 4342) [5] nonce > Map-Request (udp 4342) nonce 21

19 LISP Operations Control Plane Example Map Reply PI EID-prefix /24 S MR Provider A /8 MS Provider X / D1 PI EID-prefix /24 S S Provider B /8 Provider Y / D2 D Legend: EIDs -> Green Locators -> Red BGP-over-GRE Physical link Mapping Entry EID-prefix: /24 Locator-set: , priority: 1, weight: 50 (D1) , priority: 1, weight: 50 (D2) > Map-Reply (udp 4342) nonce / [1, 50] [1, 50] [6] 22

20 Interworking Using LISP-NAT > R-prefix / > NR-prefix /16 R-prefix / /12 Forward / NR-prefix /16 R-prefix /16 Legend: LISP Sites -> Green (and EIDs) non-lisp Sites -> Red (and RLOCs) xtr > > Forward Local/Uncoordinated Solution Translate > > NR-prefix /16 24

21 Interworking Using PTRs (2) (1) > > > R-prefix /16 R-prefix /16 R-prefix /16 PTR BGP Advertise: /8 PTR BGP Advertise: /8 PTR BGP Advertise: / Encapsulate Forward Natively (3) > / / NR-prefix /16 NR-prefix /16 NR-prefix /16 Infrastructure Solution Legend: LISP Sites -> Green (and EIDs) non-lisp Sites -> Red (and RLOCs) xtr 25

22 LISP Summary Key Takeaways LISP creates a level of indirection that separates End Host addresses from Site address to resolve Internet scaling issues LISP requires no host changes, minimal CPE changes, and adds some infrastructure components to the core LISP enables simplified multi-homing with ingress traffic engineering without the need for BGP LISP enables End Host mobility without requiring renumbering LISP is an open standard (no Cisco IPR) LISP Attributes Designed for router encapsulation Designed for Locator Reachability Support Unicast and Multicast Data Support for IPv4 IPv6 EIDs (hosts) and RLOCs (locators) LISP Ground Rules Network-based solution No host changes No new addressing to site devices; minimal configuration changes Incrementally deployable; interoperable with existing Internet 29

23 LISP Use- Cases Mul0- Homing/Redundancy Use- Case Descrip0on Needs: Site connectivity to multiple providers Low OpEx/CapEx Site 1 xtr LISP Solution: LISP provides a streamlined solution for handling multi-provider connectivity and policy without BGP complexity Benefits: ISP A ISP B Multi-homing across different providers Simple policy management Ingress Traffic Engineering Egress Traffic Engineering xtr Site 2 xtr LISP encap/decap 34

24 LISP Use Cases LISP Mobility Solution > > > > S LISP EID-prefix /8 S1 S DNS entry: mn.abc.com A Provider A /8 Provider B /8 3G Provider /8 WiFi Provider /8 4G Provider / > EID: MN roams, stays multi-homed and TCP connections do not reset Map-Cache Entry: EID-prefix: /32 Locator-set: , priority: 1, weight: , priority: 1, weight: 50 Map-Cache Entry: EID-prefix: /32 Locator-set: , priority: 2, weight: , priority: 1, weight: EID: Legend: EIDs -> Green Locators -> Red 36

25 LISP Use- Cases Highly Scalable VPNs Use- Case Descrip0on Needs: Highly-scalable, low OpEx VPNs Remove IGP scaling limitations for Branch WAN aggregation LISP Solution: Using LISP in-lieu of the IGP resolves the adjacency scaling issues Benefits: Very high scale WAN aggregation (1000s of sites) IPv4 over IPv6 Encapsulation (LISP Mixed Mode) W/ No Encryption W/ Encryption Any to Any Access IPv4 LISP Hub Site Data Data xtr IPv4 IPv4 Encrypted IPv4 IPv6 IPv6 IPv6 Network VPN Platform Service: Private LISP EID Mapping/Resolution GET Key Distribution LISP MS/MR GET VPN KS Minimal State on Branch Routers xtr xtr xtr ISP Transparency LISP Integrated Benefits Data IPv4 IPv4 LISP Spoke Site Data IPv4 IPv4 LISP Spoke Site Data IPv4 IPv4 LISP Spoke Site Integrated Multi-homing and simple policy Integrated Segmentation Integrated Mobility IPv4/IPv6 Co-Existence 37

26 LISP for IPv6 Transition =Ingress Tunnel Router Customers Mapping Service =Ingress Tunnel Router Customers S EIDs S1 S2 IPv4 IPv4 SP Backbone(s) (RLOCs) IPv6 PE TR/XLAT IPv6 D1 D2 EIDs D S -> D RLOC-S2 -> RLOC-D1 S -> D Scales SP Backbone/Internet routing by tunneling PI Customer space (EID) across aggregated SP Backbone/Internet routing space (RLOC) Customers PI IPv4 and/or IPv6 routing space, EIDs only RLOC-S2 -> RLOC-D1 S -> D Tunnel Routers attach customer EID networks to Internet, encaps/decaps EID packets in RLOC headers based on mappings Mapping Service manages EID-RLOC mappings on Tunnel Routers VPNs Internet(s) S -> D 38

27 IPv4-IPv6 Interworking Architecture Cisco Pilot Deployment: 6-to-6-over-4 using LISP IPv6 Internet Non-LISP IPv6 Site P P PTR PTR P Cisco IPv4 IPv4 M-R M-R M-R M-S IPv4 Internet IPv4 RLOC IPv6 EID xtr lisp6. cisco.com AAAA Record Advertised by Cisco.com IPv4 NEW SERVERS SERVERS Current SERVERS IPv4 42

28 LISP Summary References Locator/ID Separation Protocol (LISP) - draft-ietf-lisp-15; 10-Jan LISP Map Server - draft-ietf-lisp-ms-11; 20-Aug LISP - draft-ietf-lisp-alt-08; 09-Sep LISP Interworking - draft-ietf-lisp-interworking-02; 01-Jul LISP Multicast - draft-ietf-lisp-multicast-08; 13-Sep LISP MIB draf-lisp-mib-02; 01-Jun LISP Internet Groper (LIG) draft--lisp-lig-06; 09-Sep

29 International LISP Network Cisco-operated >3 years operational >60 sites, 10 countries Built for LISP demonstration, experimentation, and proof-of-concept testing IPv4 and IPv6 P/P Conduct Experiments Provide course-adjustments for protocol architecture Test Multiple Implementations Prove Topology maps to EID Address Allocation Delegations Emulate MSP Business Models Protocol Learning Tool for Users Test bed for building Management Tools 46

30 LISP Summary References You can find additional information about the topics and products covered in this session at the following links: Notable sites: (Facebook) (Cisco) External Mailer: 48

31 50