Locator/ID Separation Protocol (LISP)

Size: px

Start display at page:

Download "Locator/ID Separation Protocol (LISP)"

Marlene Edwards
5 years ago
Views:

1 Locator/ID Separation Protocol (LISP) Damien Saucez* INRIA Sophia Antipolis FRNOG 18, December 2 th, 2011 * special thanks to Olivier Bonaventure, Luigi Iannone and Dino Farinacci

2 Disclaimer Not a vendor Not an operator LISP will not solve all the problems try to stay with the facts (now) 2

3 Agenda Why Separating Identifiers from Locators? Locator/ID Separation Protocol (LISP) LISP Use Case Open Questions 3

4 Why Separating Identifiers from Locators? 4

5 Bad Traffic Engineering Outgoing TE is ok Incoming TE is not can be hard, only tricks (BGP, DNS, NAT) Scalability issues Table size (Memory) Churn (CPU) 5

6 The IP Schizophrenia The IP addresses currently used by endhosts play two complementary roles Identifier role: the IP address identifies (with port) the endpoint of transport flows Locator role: the IP address indicates the paths used to reach the endhost these paths are updated by routing protocols after each topology change 6

7 The Locator/Identifier Separation Today, changing the locator means changing the identifier, breaking the pending flows Separating the locator and the identifier roles to avoid breaking the flows Host-based approach Network-based approach 7

8 Host-based Loc/ID split Transport layer Network layer Roles Translates the packets so that Transport layer only sees the host identifier Network layer only sees locators Manages the set of locators Switches from one locator to another upon move or after link failure Hosts maintain flow state 8 [HIP, ILNP, shim6, Six/One, MPTCP(?)]

9 Host-based Loc/ID split Transport layer Network layer Identifier: Ia Roles Translates the packets so that Transport layer only sees the host identifier Network layer only sees locators Manages the set of locators Switches from one locator to another upon move or after link failure Hosts maintain flow state 8 [HIP, ILNP, shim6, Six/One, MPTCP(?)]

10 Host-based Loc/ID split Transport layer Identifier: Ia Roles Translates the packets so that Transport layer only sees the host identifier Network layer Locators: {Ra, Rb} Network layer only sees locators Manages the set of locators Switches from one locator to another upon move or after link failure Hosts maintain flow state 8 [HIP, ILNP, shim6, Six/One, MPTCP(?)]

Host-based Loc/ID split Transport layer Specific shim layer Identifier: Ia Roles Translates the packets so that Transport layer only sees the host identifier Network layer Locators: {Ra, Rb}

11 Host-based Loc/ID split Transport layer Specific shim layer Identifier: Ia Roles Translates the packets so that Transport layer only sees the host identifier Network layer Locators: {Ra, Rb} Network layer only sees locators Manages the set of locators Switches from one locator to another upon move or after link failure Hosts maintain flow state 8 [HIP, ILNP, shim6, Six/One, MPTCP(?)]

12 Network-based Loc/ID split A/a A/a a C/c B/b B/b b

13 Network-based Loc/ID split Host s IP stack unchanged Each host has one stable IP address Used as identifier Not globally routable A/a A/a a C/c c B/b B/b b Transport layer Network layer 9

14 Network-based Loc/ID split Each edge router owns Globally routable addresses Used as locators Mapping mechanism is used to find locators associated to one identifier Packets from hosts are modified at the edge before being sent on Internet A/a A/a Host s IP stack unchanged a Each host has one stable IP address Used as identifier Not globally routable C/c c B/b B/b b Transport layer Network layer Locators for C/c: a.1.2.3, b

15 Benefits of Identifier and Locator separation* Reduction of the DFZ routing table size No provider lock-in More traffic control and cost-effective multihoming Mobility 10 * in theory

16 Locator/ID Separation Protocol (LISP) 11

17 Design Goals* No end-systems (hosts) changes (1) Minimize required changes to the Internet infrastructure (2) and the number of routers which have to be modified (5) Avoid or minimize packet loss when EID-to-RLOC mappings need to be performed (7) Be incrementally deployable (3) No router hardware change (4) and minimize router software changes (6) 12 *explicitly stated until -08

18 LISP Philosophy Split the IP address space in two at the border routers Endpoint IDentifiers (EID) identify end-systems and edge routers non-globally routable end systems in a site share the same EID prefix Routing LOCators (RLOC) attached to core routers (router interfaces) globally routable Use Map-and-Encap to glue the two spaces 13

19 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR ITR AS3 AS1 2001:DB8A::/56 ITR /8 2001:DB8A::beef 14

20 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR ITR AS3 AS1 2001:DB8A::/56 ITR /8 dst: cafe 2001:DB8A::beef 14

21 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR ITR dst: cafe AS1 2001:DB8A::/56 ITR AS3 2/8 2001:DB8A::beef 14

22 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR Map-Request: 2001:DB8B::cafe? ITR dst: cafe AS1 2001:DB8A::/56 ITR AS3 2/8 2001:DB8A::beef 14

23 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR Map-Reply: 2001:DB8B::/ % % ITR dst: cafe AS1 2001:DB8A::/56 ITR AS3 2/8 2001:DB8A::beef 14

24 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR / dst: cafe ITR AS1 2001:DB8A::/56 ITR AS3 2/8 2001:DB8A::beef 14

25 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ dst: cafe ETR :DB8B::cafe AS5 2001:DB8B::/56 ETR ITR AS3 AS1 2001:DB8A::/56 ITR /8 2001:DB8A::beef 14

26 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 dst: cafe 2001:DB8B::/56 ETR ITR AS3 AS1 2001:DB8A::/56 ITR /8 2001:DB8A::beef 14

27 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR dst: cafe ITR AS3 AS1 2001:DB8A::/56 ITR /8 2001:DB8A::beef 14

28 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR ITR AS3 AS1 2001:DB8A::/56 ITR /8 2001:DB8A::beef 15

29 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR :DB8A::beef ITR AS1 2001:DB8A::/56 15 ITR AS3 2/8 Endpoint Identifiers (EID)

30 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR ITR AS3 AS1 2001:DB8A::/56 ITR /8 2001:DB8A::beef 15

31 Mapping System 2001:DB8B::/ % LISP in a nutshell Routing Locators 100% (RLOC) Routing Locators (RLOC) 2001:DB8A::/ % % AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR ITR AS3 AS1 2001:DB8A::/56 ITR /8 2001:DB8A::beef 15

32 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR ITR AS3 AS1 2001:DB8A::/56 ITR /8 2001:DB8A::beef 15

33 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 Ingress Tunnel Routers (ITR) Ingress Tunnel Routers (ITR) ETR ITR AS3 AS1 2001:DB8A::/56 ITR /8 2001:DB8A::beef 15

34 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR ITR AS3 AS1 2001:DB8A::/56 ITR /8 2001:DB8A::beef 15

35 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR Egress Tunnel Routers (ETR) 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR ITR AS3 AS1 2001:DB8A::/56 ITR /8 2001:DB8A::beef 15

36 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR ITR AS3 AS1 2001:DB8A::/56 ITR /8 2001:DB8A::beef 15

37 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR ITR EID-to-RLOC database AS1 2001:DB8A::/56 ITR AS3 2/8 2001:DB8A::beef 15

38 Mapping System 2001:DB8B::/ % % 2001:DB8A::/ % % LISP in a nutshell AS4 3/8 AS2 1/ ETR 2001:DB8B::cafe AS5 2001:DB8B::/56 ETR ITR AS3 AS1 2001:DB8A::/56 ITR /8 2001:DB8A::beef 15

39 Terminology Ingress Tunnel Router (ITR): a router which accepts a packet which addresses are identifiers. The router maps the destination address of the packet to an RLOC and prepends a LISP header before forwarding the encapsulated packet. Egress Tunnel Router (ETR): a router which accepts a LISP encapsulated packet. The router strips the LISP header and forwards the packet based on the next header 16

40 Terminology EID-to-RLOC Database: a globally distributed database that contains all known EID-prefix to RLOC mappings LISP Cache: EID-to-RLOC Database stored at the ITR LISP Database: EID-to-RLOC Database stored at the ETR 17

41 Under the hood 18

42 Data-plane packets (IP(UDP:4341(LISP(XXX)))) Encapsulating Encapsulated / Version IHL Type of Service Total Length / Identification Flags Fragment Offset OH Time to Live Protocol = 17 Header Checksum Source Routing Locator \ \ Destination Routing Locator / Source Port = xxxx Dest Port = 4341 UDP \ UDP Length UDP Checksum L N L E V I flags Nonce/Map-Version I \ S / Instance ID/Locator Status Bits P / Version IHL Type of Service Total Length / Identification Flags Fragment Offset IH Time to Live Protocol Header Checksum Source EID \ \ Destination EID Fixed Destination Port: 4341 Possible virtualization with Instance ID

43 Data-plane packets (IP(UDP:4341(LISP(XXX)))) Encapsulating Encapsulated / Version IHL Type of Service Total Length / Identification Flags Fragment Offset OH Time to Live Protocol = 17 Header Checksum Source Routing Locator \ \ Destination Routing Locator / Source Port = xxxx Dest Port = 4341 UDP \ UDP Length UDP Checksum L N L E V I flags Nonce/Map-Version I \ S / Instance ID/Locator Status Bits P / Version IHL Type of Service Total Length / Identification Flags Fragment Offset IH Time to Live Protocol Header Checksum Source EID \ \ Destination EID Src/Dst Locators: Source/Destination Locators IPv4 or IPv6 Fixed Destination Port: 4341 Possible virtualization with Instance ID Source/Destination Locators Src/Dst Identifiers: IPv4 or IPv6 or... RLOC AFI independent!

44 Control Plane Packets (IP(UDP:4342(LISP_control))) Map-Request (ITR => MR/ETR) request for a mapping Map-Reply (ETR/MS => ITR) provides the mapping requested by a Map-Request Map-Register (ETR => MS) register a mapping to the mapping system Map-Notify (MS => ETR) confirm a mapping registration IPv4 or IPv6 Header (uses RLOC addresses) / Source Port = xxxx Dest Port = 4342 UDP \ UDP Length UDP Checksum LCM LISP Control Message

45 What is in a mapping? A mapping associates an EID prefix to a list of RLOC of arbitrary AFI Each RLOC receives a priority and a weight L4-flows are balanced between RLOCs of same priority, proportionally to the weight Mappings can be empty to announce holes Mappings are time limited 21 +-> Record TTL R Locator Count EID mask-len ACT A Reserved e c Rsvd Map-Version Number EID-prefix-AFI o r EID-prefix d / Priority Weight M Priority M Weight L o Unused Flags L p R Loc-AFI c \ Locator +->

46 Infrastructure Mapping Database modularity Interworking of LISP and non LISP networks 22

47 Mapping Database modularity Mapping Database MR MS ITR ETR /24

48 Mapping Database modularity LISP+ALT Mapping ebgp Database overlay MR MS ITR ETR /24

49 Mapping Database modularity LISP+ALT IS-IS overlay LISP+ALT Mapping ebgp Database overlay MR MS ITR 23 ETR /24

50 Mapping Database modularity DHT LISP+ALT IS-IS overlay LISP+ALT Mapping ebgp Database overlay MR MS ITR 23 ETR /24

51 Mapping Database modularity DNS-based DHT LISP+ALT IS-IS overlay LISP+ALT Mapping ebgp Database overlay MR MS ITR 23 ETR /24

52 Mapping Database modularity LISP-DDT DNS-based DHT LISP+ALT IS-IS overlay LISP+ALT Mapping ebgp Database overlay MR MS ITR 23 ETR /24

53 Mapping Registration LISP+ALT ebgp overlay MR MS ITR 24 ETR /24

54 Mapping Registration LISP+ALT ebgp overlay MR MS 1. Map-Register: /24, ETR ITR 24 ETR /24

55 Mapping Registration LISP+ALT ebgp overlay 2. BGP Update MR /24 2 MS 1. Map-Register: /24, ETR ITR ETR /24

56 Mapping Registration LISP+ALT ebgp overlay 2. BGP Update MR /24 2 MS 1. Map-Register: /24, ETR 3. Map-Notify: 1 3 ITR /24, ETR ETR /24

57 Mapping retrieval LISP+ALT ebgp overlay MR MS ITR 25 ETR /24

58 Mapping retrieval LISP+ALT ebgp overlay MR MS. Packet to ITR 25 ETR /24

59 Mapping retrieval LISP+ALT ebgp overlay MR MS. Packet to Map-Request for to Encapsulated to MR 1 ITR 25 ETR /24

60 Mapping retrieval LISP+ALT ebgp overlay 3. Map-Request for to MR 3 MS. Packet to Map-Request for to Encapsulated to MR 1 ITR 25 ETR /24

61 Mapping retrieval LISP+ALT ebgp overlay 3. Map-Request for to Packet to MR 2 3 MS 4. Map-Request for Map-Request for to Encapsulated to to ETR 4 Encapsulated to MR 1 ITR 25 ETR /24

62 Mapping retrieval LISP+ALT ebgp overlay 3. Map-Request for to Packet to ITR MR /24, ETR 25 MS 4. Map-Request for Map-Request for to Encapsulated to to ETR Encapsulated to MR 5 5. Map-Reply: 4 ETR /24

63 Interworking LISP /24 xtr-luigi PITR PETR BGP update: /16 xtr-damien / /24

64 Non-LISP to LISP /16 xtr-luigi PITR PETR BGP update: /16 xtr-damien / /24

65 Non-LISP to LISP /16 xtr-luigi PITR 1. Packet to PETR BGP update: / xtr-damien / /24

66 Non-LISP to LISP /16 2. Packet to Encapsulated to xtr-luigi xtr-damien PITR 1. Packet to PETR 2 BGP update: / xtr-damien / /24

67 Non-LISP to LISP /16 2. Packet to Encapsulated to xtr-luigi xtr-damien PITR 1. Packet to PETR 2 BGP update: / xtr-damien 3 3. Packet to / /24

68 LISP to non-lisp /16 xtr-luigi PITR BGP update: /16 PETR xtr-damien / /24

69 LISP to non-lisp /16 xtr-luigi PITR BGP update: /16 PETR xtr-damien 1 1. Packet to / /24

70 LISP to non-lisp /16 2. Packet to xtr-luigi Encapsulated to PETR PITR BGP update: /16 PETR 2 xtr-damien 1 1. Packet to / /24

71 LISP to non-lisp /16 2. Packet to xtr-luigi Encapsulated to PETR PITR BGP update: /16 PETR Packet to xtr-damien Packet to / /24

72 LISP Use Cases 29

73 Low OpEx site multihoming 2001:DB8:F:: ETR-A /24 ETR-B

74 Low OpEx site Basic LISP feature multihoming 2001:DB8:F:: ETR-A /24 ETR-B

75 Low OpEx site multihoming Basic LISP feature ETR-A Primary, ETR-B Backup (IPv6 just in case...) , prio: 1, weight: , prio: 10, weight: :DB8:F:11, prio 100, weight: :DB8:F:: ETR-A /24 ETR-B

76 Low OpEx site multihoming Basic LISP feature ETR-A Primary, ETR-B Backup (IPv6 just in case...) , prio: 1, weight: , prio: 10, weight: :DB8:F:11, prio 100, weight: 100 ETR-A: 60%, ETR-B: 40% (IPv6 just in case...) , prio: 1, weight: , prio: 1, weight: :DB8:F:11, prio 99, weight: :DB8:F:: ETR-A / ETR-B

77 IPv6/IPv4 coexistence IPv6 BGP update: 2001:DB8:A::/56 PxTR 2001:DB8:F::/56 xtr / :DB8:A::/56 31

78 IPv6/IPv4 coexistence IPv6 BGP update: 2001:DB8:A::/56 PxTR 2001:DB8:F::/56 xtr 1 1. Packet to / :DB8:A::/ :DB8:F::1 31

79 IPv6/IPv4 coexistence IPv6 BGP update: 2001:DB8:A::/56 2. Packet to 2001:DB8:F::1 Encapsulated to PxTR 2 PxTR 2001:DB8:F::/56 xtr 1 1. Packet to / :DB8:A::/ :DB8:F::1 31

80 IPv6/IPv4 coexistence IPv6 3. Packet to BGP update: 2001:DB8:A::/56 2. Packet to 2001:DB8:F::1 2001:DB8:F::1 3 Encapsulated to PxTR PxTR 2001:DB8:F::/56 2 xtr 1 1. Packet to / :DB8:A::/ :DB8:F::1 31

81 IPv6/IPv4 coexistence IPv6 BGP update: 2001:DB8:A::/56 PxTR 2001:DB8:F::/56 xtr / :DB8:A::/56 32

82 IPv6/IPv4 coexistence IPv6 1. Packet to BGP update: 2001:DB8:A::/ :DB8:A::42 1 PxTR 2001:DB8:F::/56 xtr / :DB8:A::/56 32

83 IPv6/IPv4 coexistence IPv6 1. Packet to BGP update: 2001:DB8:A::/ :DB8:A::42 2. Packet to 2001:DB8:A::42 1 Encapsulated to xtr PxTR 2001:DB8:F::/56 2 xtr / :DB8:A::/56 32

84 IPv6/IPv4 coexistence IPv6 1. Packet to BGP update: 2001:DB8:A::/ :DB8:A::42 2. Packet to 2001:DB8:A::42 1 Encapsulated to xtr PxTR 2001:DB8:F::/56 2 xtr 2 3. Packet to / :DB8:A::/ :DB8:A::42 32

85 IPv6/IPv4 coexistence IPv6 BGP update: 2001:DB8:A::/56 PxTR 2001:DB8:F::/56 xtr / :DB8:A::/56 32

86 Multi-tenant VPN Sales /25 xtr_s xtr_rd R&D /25 xtr VLAN69 VLAN42 R&D Sales / /25 33

87 Multi-tenant VPN Sales /25 xtr_s xtr_rd R&D /25 VRF R&D: instance-id: /25: xtr_rd VLAN42 xtr VLAN69 Sales VRF Sales: instance-id /25: xtr_s 33 R&D / /25

88 Multi-tenant VPN 1. Packet to 1 Sales / xtr_rd R&D /25 xtr_s VRF R&D: instance-id: /25: xtr_rd VLAN42 xtr VLAN69 Sales VRF Sales: instance-id /25: xtr_s 33 R&D / /25

Multi-tenant VPN 1. Packet to 1 Sales 192.0.2.128/25 xtr_s 192.0.2.42 2. Packet to 192.0.2.42 xtr_rd Encapsulated to xtr, instance-id: 96 2 R&D 192.0.2.128/25 VRF R&D: instance-id: 24 192.

89 Multi-tenant VPN 1. Packet to 1 Sales /25 xtr_s Packet to xtr_rd Encapsulated to xtr, instance-id: 96 2 R&D /25 VRF R&D: instance-id: /25: xtr_rd VLAN42 xtr VLAN69 Sales VRF Sales: instance-id /25: xtr_s 33 R&D / /25

90 Multi-tenant VPN 1. Packet to 1 Sales /25 xtr_s Packet to xtr_rd Encapsulated to xtr, instance-id: 96 2 R&D /25 VRF R&D: instance-id: /25: xtr_rd VLAN42 xtr VLAN Packet to Sales VRF Sales: instance-id /25: xtr_s 33 R&D / /25 VLAN 69

91 LISP Mobile Nodes LISP+ALT ebgp overlay /24 MR BGP /24 MS / / /24

92 LISP Mobile Nodes LISP+ALT ebgp overlay /24 MR BGP /24 MS 1. Map-Register: /32, / / /24

93 LISP Mobile Nodes LISP+ALT ebgp overlay /24 MR BGP /24 MS / / /24

94 LISP Mobile Nodes LISP+ALT ebgp overlay /24 MR BGP /24 2. Map-Request for MS / / /24

95 LISP Mobile Nodes LISP+ALT ebgp overlay /24 MR BGP /24 MS / / /24

96 LISP Mobile Nodes LISP+ALT ebgp overlay /24 MR BGP /24 MS 3 3. Map-Reply: /32, / / /24

97 LISP Mobile Nodes LISP+ALT ebgp overlay /24 MR BGP /24 MS / / /24

98 LISP Mobile Nodes LISP+ALT ebgp overlay /24 MR BGP /24 MS / / /24

99 LISP Mobile Nodes LISP+ALT ebgp overlay / /24 MR BGP /24 MS /24

100 LISP Mobile Nodes MR LISP+ALT ebgp overlay 1. Map-Register: /32, BGP /24 1 MS / / /24 2. Change notification: /24, /24

101 LISP Mobile Nodes LISP+ALT ebgp overlay / / /24 MR BGP /24 MS /24

102 Open Questions 35

103 Network Resiliency Today, preserving the prefixes reachability is mainly performed locally In LISP, the legacy Internet is EID agnostic Recovery only once ITR discover ETR failure ITR periodically probes RLOCs Important part of LISP WG new charter 36

104 Network Security Who control the mappings control the traffic Denial of service Eavesdropping... Firewalls? DPI? Important part of LISP WG new charter 37

105 Conclusion 38

106 Summary LISP uses map-and-encap to separate IP s ID and locator roles Improve network multi-homing Transparent for the end-users Incrementally deployable Mobility support See 5:55 pm for a configuration hands on (possible to play with live routers) 39

107 Bibliography draft-ietf-lisp draft-ietf-lisp-alt draft-fuller-ddt draft-ietf-lisp-ms draft-ietf-lisp-map-versioning draft-ietf-lisp-mn draft-ietf-lisp-lig draft-ietf-lisp-threats draft-ietf-lisp-sec draft-farinacci-lisp-lcaf Jackab et al., LISP-TREE: A DNS Hierarchy to Support the LISP Mapping System Iannone and Bonaventure, On the cost of caching locacor/id mappings Kim et al, A Deep Dive into the LISP Cache and What ISPs Should Know about It Ohmori et al, Analyses on First Packet Drops of LISP in End-to-End Bidirectional Communications 40

108 ?? /**/ 41

109 Backup 42

110 LISP Philosophy 2/2 Follows the Map-and-Encap principle a mapping system maps EID prefixes onto site router s RLOCs ITR routers encapsulate the packets received from end systems before sending them toward the destination RLOC ETR routers decapsulate the packets received from the Internet before sending them towards the destination end system 43

111 LISP is over UDP UDP to traverse firewalls/nat, limit the impact of ECMP hashing on reordering... Source port is random but per-flow source port is recommended Destination port is fixed to 4341 Checksum is important if IPv6 RLOCs 44

112 Locator Status Bits A vector of 32 bits (L bit set to 1 if LSB is present) Each source locator is mapped to one position in the vector if locator_status_bit[i] = 1 RLOC i is reachable else RLOC i is not reachable Each RLOC has an implicit position in the LSB How to set the bit? What is her meaning? 45

113 Mapping Systems 46

114 NERD: A Not-so-novel EID to RLOC Database 47

115 NERD The only proposed push model Composed of 4 parts a network database format; a change distribution format; a database retrieval/bootstrapping method; a change distribution method Principles An authority computes the mapping database based on the stored registrations The database signed by the authority is stored on servers ITR poll regularly the database servers to update their own mapping database 48

116 LISP+ALT 49

117 LISP+ALT An pull model mapping system A mapping mechanism that relies on an alternate topology to distribute mapping requests to mapping servers LISP ITR routers sending mapping request messages to ALT routers ALT routers forward those mapping messages between themselves on an overlay topology built by using GRE tunnels 50

118 LISP+ALT BGP announces where the mappings can be found Map-Requests are forwarded on the ALT Map-Replies are forwarded on the legacy Internet (directly sent to the ITRs RLOC)! BGP does not give the mappings! 51

119 LISP+ALT 52

120 LISP+ALT issues Complex system with tunnels, BGP protocol (no discussion about policies),... Still relies on lots of error-prone manual configuration Scalability will depend on whether aggregation will be possible If mapping requests are lost due to congestion, difficult to diagnose the problem or send them via another path Security needs to be studied 53

121 LISP+ALT, big question How to deploy it? aggregation vs recovery vs TE how to cache the mappings? 54

122 Solving the reachability problem with the locator status bits C/c >a.1.2.3, p=1 b.1.2.3, p=2 a ETR1 C/c ITR ETR2 b ETR2 notices the failure and informs all ITRs to which it is sending LISP encapsulated packets by setting the reachability bit of ETR1 to 0 55

123 Solving the reachability problem with the locator status bits C/c >a.1.2.3, p=1 b.1.2.3, p=2 Status bits = a ETR1 PAYLOAD C/c ITR ETR2 b ETR2 notices the failure and informs all ITRs to which it is sending LISP encapsulated packets by setting the reachability bit of ETR1 to 0 55

124 Solving the reachability problem with the locator status bits C/c >a.1.2.3, p=1 b.1.2.3, p=2 Status bits = ITR PAYLOAD a ETR1 C/c ETR2 b ETR2 notices the failure and informs all ITRs to which it is sending LISP encapsulated packets by setting the reachability bit of ETR1 to 0 55

125 Solving the reachability problem with the locator status bits C/c >a.1.2.3, p=1 b.1.2.3, p=2 a ETR1 C/c ITR ETR2 b ETR2 notices the failure and informs all ITRs to which it is sending LISP encapsulated packets by setting the reachability bit of ETR1 to 0 55

126 Solving the reachability problem with the locator status bits C/c >a.1.2.3, p=1 b.1.2.3, p=2 a ETR1 C/c ITR ETR2 b Status bits = PAYLOAD ETR2 notices the failure and informs all ITRs to which it is sending LISP encapsulated packets by setting the reachability bit of ETR1 to 0 55

127 Solving the reachability problem with the locator status bits C/c >a.1.2.3, p=1 b.1.2.3, p=2 Status bits = ITR PAYLOAD a ETR1 ETR2 b C/c ETR2 notices the failure and informs all ITRs to which it is sending LISP encapsulated packets by setting the reachability bit of ETR1 to 0 55

128 Solving the reachability problem with the locator status bits C/c >a.1.2.3, p=1 b.1.2.3, p=2 a ETR1 C/c ITR ETR2 b ETR2 notices the failure and informs all ITRs to which it is sending LISP encapsulated packets by setting the reachability bit of ETR1 to 0 55

129 Solving the reachability problem with the locator status bits C/c >a.1.2.3, p=1 b.1.2.3, p=2 ETR1 C/c ITR ETR2 b ETR2 notices the failure and informs all ITRs to which it is sending LISP encapsulated packets by setting the reachability bit of ETR1 to 0 55

130 Solving the reachability problem with the locator status bits C/c >a.1.2.3, p=1 b.1.2.3, p=2 ETR1 C/c ITR ETR2 b Status bits = PAYLOAD ETR2 notices the failure and informs all ITRs to which it is sending LISP encapsulated packets by setting the reachability bit of ETR1 to 0 55

131 Solving the reachability problem with the locator status bits C/c >a.1.2.3, p=1 b.1.2.3, p=2 Status bits = ITR PAYLOAD ETR1 C/c ETR2 b ETR2 notices the failure and informs all ITRs to which it is sending LISP encapsulated packets by setting the reachability bit of ETR1 to 0 55

132 Solving the reachability problem with the locator status bits C/c >a.1.2.3, p=1 >b.1.2.3, p=2 Status bits = ITR PAYLOAD ETR1 C/c ETR2 b ETR2 notices the failure and informs all ITRs to which it is sending LISP encapsulated packets by setting the reachability bit of ETR1 to 0 55

133 Solving the reachability problem with the locator status bits C/c >a.1.2.3, p=1 >b.1.2.3, p=2 ETR1 C/c ITR ETR2 b ETR2 notices the failure and informs all ITRs to which it is sending LISP encapsulated packets by setting the reachability bit of ETR1 to 0 55

134 Solving the reachability problem with the SMR bit C/c >a.1.2.3, p=1 b.1.2.3, p=2 a ETR1 C/c ITR ETR2 b ETR1 has been decommissioned and ETR2 wants that all the sites currently sending encapsulated data to itself update the mapping 56

135 Solving the reachability problem with the SMR bit C/c >a.1.2.3, p=1 b.1.2.3, p=2 C/c ITR ETR2 b ETR1 has been decommissioned and ETR2 wants that all the sites currently sending encapsulated data to itself update the mapping 56

136 Solving the reachability problem with the SMR bit C/c >a.1.2.3, p=1 b.1.2.3, p=2 C/c ITR ETR2 SMR =1 b Map-Request ETR1 has been decommissioned and ETR2 wants that all the sites currently sending encapsulated data to itself update the mapping 56

137 Solving the reachability problem with the SMR bit C/c >a.1.2.3, p=1 b.1.2.3, p=2 SMR =1 ITR Map-Request C/c ETR2 b ETR1 has been decommissioned and ETR2 wants that all the sites currently sending encapsulated data to itself update the mapping 56

138 Solving the reachability problem with the SMR bit C/c >a.1.2.3, p=1 b.1.2.3, p=2 nonce = 1234 ITR Map-Request ETR2 b C/c ETR1 has been decommissioned and ETR2 wants that all the sites currently sending encapsulated data to itself update the mapping 56

139 Solving the reachability problem with the SMR bit C/c >a.1.2.3, p=1 b.1.2.3, p=2 C/c ITR ETR2 b nonce = 1234 Map-Request ETR1 has been decommissioned and ETR2 wants that all the sites currently sending encapsulated data to itself update the mapping 56

140 Solving the reachability problem with the SMR bit C/c >a.1.2.3, p=1 b.1.2.3, p=2 C/c ITR ETR2 b nonce = 1234 Map-Reply ETR1 has been decommissioned and ETR2 wants that all the sites currently sending encapsulated data to itself update the mapping 56

141 Solving the reachability problem with the SMR bit C/c >a.1.2.3, p=1 b.1.2.3, p=2 nonce = 1234 ITR Map-Reply C/c ETR2 b ETR1 has been decommissioned and ETR2 wants that all the sites currently sending encapsulated data to itself update the mapping 56

142 Solving the reachability problem with the SMR bit C/c C/c >a.1.2.3, p=1 >b.1.2.3, p=1 b.1.2.3, p=2 nonce = 1234 ITR Map-Reply C/c ETR2 b ETR1 has been decommissioned and ETR2 wants that all the sites currently sending encapsulated data to itself update the mapping 56

143 Solving the reachability problem with the SMR bit C/c C/c >a.1.2.3, p=1 >b.1.2.3, p=1 b.1.2.3, p=2 C/c ITR ETR2 b ETR1 has been decommissioned and ETR2 wants that all the sites currently sending encapsulated data to itself update the mapping 56

144 Solving the reachability problem with the Echo-Nonce Algorithm xtr I wants to know if the RLOC she uses to reach ETR E is reachable: generate a nonce n when encap to E set E=1 Next time E sends a packet to I, she sets the nonce to n If I receives the nonce within a given time, she considers the RLOC reachable, otherwise E is considered unreachable 57

145 The reachability problem Today, preserving the prefixes reachability is mainly performed locally In LISP, the legacy Internet is EID agnostic 58

146 The reachability problem in today s Internet A/a A/a A/a A/a A/a A/a In today s Internet, routing protocols converge after a link failure to ensure that multihomed prefixes such as A/a remain reachable 59

147 The reachability problem in today s Internet A/a A/a A/a A/a In today s Internet, routing protocols converge after a link failure to ensure that multihomed prefixes such as A/a remain reachable 59

148 The reachability problem in a LISP-based Internet C/c >a.1.2.3, p=1 b.1.2.3, p=2 A/a a A/a A ETR1 A/a C/c ITR B/b B/b B B/b ETR2 b Upon failure of ETR1, A continues to advertise A/a via BGP How can ITR notice that ETR1 failed and that ETR2 should be used instead? 60

149 The reachability problem in a LISP-based Internet C/c >a.1.2.3, p=1 b.1.2.3, p=2 A/a A/a A A/a C/c ITR B/b B/b B B/b ETR2 b Upon failure of ETR1, A continues to advertise A/a via BGP How can ITR notice that ETR1 failed and that ETR2 should be used instead? 60

150 Solving the reachability problem with RLOC Probing Periodically probe the RLOCs to check their reachability 61

151 Host vs Network-based Loc/ID split Both can coexist At home, connected directly to the wall Let my ISP do the stuff for me In the street, calling with Skype over WIFI&3G Prefer WIFI to 3G when possible 62

152 Header details (IP(UDP(LISP(IP)))) Encapsulating Encapsulated / Version IHL Type of Service Total Length / Identification Flags Fragment Offset OH Time to Live Protocol = 17 Header Checksum Source Routing Locator \ \ Destination Routing Locator / Source Port = xxxx Dest Port = 4341 UDP \ UDP Length UDP Checksum L N L E V I flags Nonce/Map-Version I \ S / Instance ID/Locator Status Bits P / Version IHL Type of Service Total Length / Identification Flags Fragment Offset IH Time to Live Protocol Header Checksum Source EID \ \ Destination EID

153 Header details (IP(UDP(LISP(IP)))) Encapsulating Source/Destination Locators Encapsulated / Version IHL Type of Service Total Length / Identification Flags Fragment Offset OH Time to Live Protocol = 17 Header Checksum Source Routing Locator \ \ Destination Routing Locator / Source Port = xxxx Dest Port = 4341 UDP \ UDP Length UDP Checksum L N L E V I flags Nonce/Map-Version I \ S / Instance ID/Locator Status Bits P / Version IHL Type of Service Total Length / Identification Flags Fragment Offset IH Time to Live Protocol Header Checksum Source EID \ \ Destination EID

154 Header details (IP(UDP(LISP(IP)))) Encapsulating Source/Destination Locators Hash based Source Port Encapsulated / Version IHL Type of Service Total Length / Identification Flags Fragment Offset OH Time to Live Protocol = 17 Header Checksum Source Routing Locator \ \ Destination Routing Locator / Source Port = xxxx Dest Port = 4341 UDP \ UDP Length UDP Checksum L N L E V I flags Nonce/Map-Version I \ S / Instance ID/Locator Status Bits P / Version IHL Type of Service Total Length / Identification Flags Fragment Offset IH Time to Live Protocol Header Checksum Source EID \ \ Destination EID

155 Header details (IP(UDP(LISP(IP)))) Encapsulating Source/Destination Locators Hash based Source Port Encapsulated / Version IHL Type of Service Total Length / Identification Flags Fragment Offset OH Time to Live Protocol = 17 Header Checksum Source Routing Locator \ \ Destination Routing Locator / Source Port = xxxx Dest Port = 4341 UDP \ UDP Length UDP Checksum L N L E V I flags Nonce/Map-Version I \ S / Instance ID/Locator Status Bits P / Version IHL Type of Service Total Length / Identification Flags Fragment Offset IH Time to Live Protocol Header Checksum Source EID \ \ Destination EID Fixed Destination port 63

156 Header details (IP(UDP(LISP(IP)))) Encapsulating Source/Destination Locators Hash based Source Port Encapsulated / Version IHL Type of Service Total Length / Identification Flags Fragment Offset OH Time to Live Protocol = 17 Header Checksum Source Routing Locator \ \ Destination Routing Locator / Source Port = xxxx Dest Port = 4341 UDP \ UDP Length UDP Checksum L N L E V I flags Nonce/Map-Version I \ S / Instance ID/Locator Status Bits P / Version IHL Type of Service Total Length / Identification Flags Fragment Offset IH Time to Live Protocol Header Checksum Source EID \ \ Destination EID Fixed Destination port Encap data integrity check 63

157 Header details (IP(UDP(LISP(IP)))) Encapsulating Source/Destination Locators Hash based Source Port Encapsulated N: Nonce present bit N: L: Locator Nonce present Status Bits bit present bit L: E: Locator Echo-Nonce Status request Bits present bit bit E: V: Echo-Nonce Map-Version request present bit I: Instance ID bit / Version IHL Type of Service Total Length / Identification Flags Fragment Offset OH Time to Live Protocol = 17 Header Checksum Source Routing Locator \ \ Destination Routing Locator / Source Port = xxxx Dest Port = 4341 UDP \ UDP Length UDP Checksum L N L E V I flags Nonce/Map-Version I \ S / Instance ID/Locator Status Bits P / Version IHL Type of Service Total Length / Identification Flags Fragment Offset IH Time to Live Protocol Header Checksum Source EID \ \ Destination EID Fixed Destination port Encap data integrity check 63

158 Header details (IP(UDP(LISP(IP)))) Encapsulating Source/Destination Locators Hash based Source Port Encapsulated N: Nonce present bit N: L: Locator Nonce present Status Bits bit present bit L: E: Locator Echo-Nonce Status request Bits present bit bit E: V: Echo-Nonce Map-Version request present bit I: Instance ID bit / Version IHL Type of Service Total Length / Identification Flags Fragment Offset OH Time to Live Protocol = 17 Header Checksum Source Routing Locator \ \ Destination Routing Locator / Source Port = xxxx Dest Port = 4341 UDP \ UDP Length UDP Checksum L N L E V I flags Nonce/Map-Version I \ S / Instance ID/Locator Status Bits P / Version IHL Type of Service Total Length / Identification Flags Fragment Offset IH Time to Live Protocol Header Checksum Source EID \ \ Destination EID Fixed Destination port Encap data integrity check Packet unique identifier or version 63

159 Header details (IP(UDP(LISP(IP)))) Encapsulating Source/Destination Locators Hash based Source Port Encapsulated N: Nonce present bit N: L: Locator Nonce present Status Bits bit present bit L: E: Locator Echo-Nonce Status request Bits present bit bit E: V: Echo-Nonce Map-Version request present bit I: Instance ID bit / Version IHL Type of Service Total Length / Identification Flags Fragment Offset OH Time to Live Protocol = 17 Header Checksum Source Routing Locator \ \ Destination Routing Locator / Source Port = xxxx Dest Port = 4341 UDP \ UDP Length UDP Checksum L N L E V I flags Nonce/Map-Version I \ S / Instance ID/Locator Status Bits P / Version IHL Type of Service Total Length / Identification Flags Fragment Offset IH Time to Live Protocol Header Checksum Source EID \ \ Destination EID Fixed Destination port Encap data integrity check Packet unique identifier or version Source locator reachability or Instance ID or both 63

LISP (Locator/Identifier Separation Protocol)

LISP (Locator/Identifier Separation Protocol) Damien Saucez* June 28 th, 2010 http://inl.info.ucl.ac.be *Thanks to Olivier Bonaventure and Pierre François Department of Computing Science and Engineering