[manet] SMF-11 review
Ulrich Herberg <ulrich@herberg.name> Wed, 30 March 2011 15:11 UTC
Return-Path: <ulrich@herberg.name>
X-Original-To: manet@core3.amsl.com
Delivered-To: manet@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5457C3A6B6B for <manet@core3.amsl.com>; Wed, 30 Mar 2011 08:11:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.977
X-Spam-Level:
X-Spam-Status: No, score=-0.977 tagged_above=-999 required=5 tests=[AWL=-1.500, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_25=0.6, J_CHICKENPOX_63=0.6, MANGLED_SHOP=2.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y+gNIq2ZInF7 for <manet@core3.amsl.com>; Wed, 30 Mar 2011 08:11:49 -0700 (PDT)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by core3.amsl.com (Postfix) with ESMTP id D5D4A3A6B6F for <manet@ietf.org>; Wed, 30 Mar 2011 08:11:42 -0700 (PDT)
Received: by vws12 with SMTP id 12so1258592vws.31 for <manet@ietf.org>; Wed, 30 Mar 2011 08:13:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herberg.name; s=dkim; h=domainkey-signature:mime-version:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=tDfs8Tw1kbRwuKSdVXejUocRamEpXFRv5oN1gzIGU4I=; b=kqIhVD6/mCcWbYgRdOHJFARS9h8RyrAGlv/5sFo5IRQ6JdXrOSmC4ZwzAVxLN6p/NI sBejb+/gJ3W3pkpp493rSTV4Mx1vfBAYzbAEjwR/r+2PyLPE/G02t0KjIuOJGgxK/FIx RdD6e4hRyz+PWo3xPzEmJuK2e+85rpLpV9ZAM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=herberg.name; s=dkim; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=BaHh/0CtbpFopKFmKuiFqLz3dAdYf6eNoKT9oh+9ew3N/A99cOvkHf22dZ1w7rl1EX d6SSUUXLhXvVe6Vbj9Ne4q4pdzHKAMu5dG6QtAzzaW9CtzsOkhoHLCrt9dUIzQexRRWE ivMpFCljR1QlZJ6lcvTGX+gPAEytVKyDNjeYg=
MIME-Version: 1.0
Received: by 10.220.46.234 with SMTP id k42mr357076vcf.133.1301497999079; Wed, 30 Mar 2011 08:13:19 -0700 (PDT)
Received: by 10.220.29.201 with HTTP; Wed, 30 Mar 2011 08:13:19 -0700 (PDT)
Date: Wed, 30 Mar 2011 17:13:19 +0200
Message-ID: <AANLkTinMcyKzez2q8t_2_Sos0LCzxCS06c48KkKcgj_Z@mail.gmail.com>
From: Ulrich Herberg <ulrich@herberg.name>
To: manet@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Wed, 30 Mar 2011 14:11:43 -0700
Subject: [manet] SMF-11 review
X-BeenThere: manet@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mobile Ad-hoc Networks <manet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/manet>, <mailto:manet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/manet>
List-Post: <mailto:manet@ietf.org>
List-Help: <mailto:manet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet>, <mailto:manet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2011 15:11:57 -0000
Hi, as promised, my review of the last revision of SMF. As said in the meeting, the draft has improved a lot in terms of readability and consistency since -10. My remaining issues are a number of smaller fixes, nothing that really changes the spec. As in my previous review, my comments are enclosed by "UH> ================". Network Working Group J. Macker, editor Internet-Draft NRL Intended status: Experimental SMF Design Team Expires: September 15, 2011 IETF MANET WG March 14, 2011 Simplified Multicast Forwarding draft-ietf-manet-smf-11 Abstract This document describes a Simplified Multicast Forwarding (SMF) mechanism that provides basic IP multicast forwarding suitable for wireless mesh and mobile ad hoc network (MANET) use. SMF defines techniques for multicast duplicate packet detection (DPD) to be applied in the forwarding process and includes maintenance and checking operations for both IPv4 and IPv6 protocol use. SMF also specifies mechanisms for applying reduced relay sets to achieve more efficient multicast data distribution within a mesh topology versus simple flooding. UH> ================ UH> simple or classic flooding? UH> ================ The document describes interactions with other protocols and multiple deployment approaches. Distributed algorithms for selecting reduced relay sets and related discussion are provided in the Appendices. Basic issues relating to the operation of multicast MANET border routers are discussed but ongoing work remains in this area beyond the scope of this document. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 15, 2011. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. Macker, editor & SMF Design Team Expires September 15, 2011 [Page 1] Internet-Draft SMF March 2011 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English. Macker, editor & SMF Design Team Expires September 15, 2011 [Page 2] Internet-Draft SMF March 2011 Table of Contents 1. Requirements Notation . . . . . . . . . . . . . . . . . . . . 5 2. Introduction and Scope . . . . . . . . . . . . . . . . . . . . 5 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 3. Design Overview . . . . . . . . . . . . . . . . . . . . . . . 6 4. SMF Applicability . . . . . . . . . . . . . . . . . . . . . . 8 5. SMF Packet Processing and Forwarding . . . . . . . . . . . . . 9 6. SMF Duplicate Packet Detection . . . . . . . . . . . . . . . . 11 6.1. IPv6 Duplicate Packet Detection . . . . . . . . . . . . . 12 6.1.1. IPv6 SMF-DPD Header Option . . . . . . . . . . . . . . 12 6.1.2. IPv6 Identification-based DPD . . . . . . . . . . . . 15 6.1.3. IPv6 Hash-based DPD . . . . . . . . . . . . . . . . . 17 6.2. IPv4 Duplicate Packet Detection . . . . . . . . . . . . . 18 6.2.1. IPv4 Identification-based DPD . . . . . . . . . . . . 18 6.2.2. IPv4 Hash-based DPD . . . . . . . . . . . . . . . . . 20 7. Relay Set Selection . . . . . . . . . . . . . . . . . . . . . 20 7.1. Non-Reduced Relay Set Forwarding . . . . . . . . . . . . . 20 7.2. Reduced Relay Set Forwarding . . . . . . . . . . . . . . . 21 8. SMF Neighborhood Discovery Requirements . . . . . . . . . . . 23 8.1. SMF Relay Algorithm TLV Types . . . . . . . . . . . . . . 24 8.1.1. SMF Message TLV Type . . . . . . . . . . . . . . . . . 24 8.1.2. SMF Address Block TLV Type . . . . . . . . . . . . . . 25 9. SMF Border Gateway Considerations . . . . . . . . . . . . . . 26 9.1. Forwarded Multicast Groups . . . . . . . . . . . . . . . . 27 9.2. Multicast Group Scoping . . . . . . . . . . . . . . . . . 28 9.3. Interface with Exterior Multicast Routing Protocols . . . 28 9.4. Multiple Border Routers . . . . . . . . . . . . . . . . . 29 10. Security Considerations . . . . . . . . . . . . . . . . . . . 30 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 11.1. IPv6 SMF-DPD Header Extension . . . . . . . . . . . . . . 32 11.2. SMF Type-Length-Value . . . . . . . . . . . . . . . . . . 33 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 34 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 34 13.1. Normative References . . . . . . . . . . . . . . . . . . . 34 13.2. Informative References . . . . . . . . . . . . . . . . . . 35 Appendix A. Essential Connecting Dominating Set (E-CDS) Algorithm . . . . . . . . . . . . . . . . . . . . . . 36 A.1. E-CDS Relay Set Selection Overview . . . . . . . . . . . . 37 A.2. E-CDS Forwarding Rules . . . . . . . . . . . . . . . . . . 38 A.3. E-CDS Neighborhood Discovery Requirements . . . . . . . . 38 A.4. E-CDS Selection Algorithm . . . . . . . . . . . . . . . . 41 Appendix B. Source-based Multipoint Relay (S-MPR) . . . . . . . . 43 B.1. S-MPR Relay Set Selection Overview . . . . . . . . . . . . 43 B.2. S-MPR Forwarding Rules . . . . . . . . . . . . . . . . . . 44 B.3. S-MPR Neighborhood Discovery Requirements . . . . . . . . 45 B.4. S-MPR Selection Algorithm . . . . . . . . . . . . . . . . 47 Appendix C. Multipoint Relay Connected Dominating Set Macker, editor & SMF Design Team Expires September 15, 2011 [Page 3] Internet-Draft SMF March 2011 (MPR-CDS) Algorithm . . . . . . . . . . . . . . . . . 48 C.1. MPR-CDS Relay Set Selection Overview . . . . . . . . . . . 48 C.2. MPR-CDS Forwarding Rules . . . . . . . . . . . . . . . . . 49 C.3. MPR-CDS Neighborhood Discovery Requirements . . . . . . . 50 C.4. MPR-CDS Selection Algorithm . . . . . . . . . . . . . . . 50 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 51 Macker, editor & SMF Design Team Expires September 15, 2011 [Page 4] Internet-Draft SMF March 2011 1. Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Introduction and Scope Unicast routing protocol designs for MANET and wireless mesh use UH> ================ UH> is it designs or designed? not sure... UH> ================ often apply distributed algorithms to flood routing control plane messages within an interior wireless routing domain. UH> ================ UH> "interior"? Is that different than just "routing domain", as used later? UH> ================ For example, algorithms specified within [RFC3626] and [RFC3684] provide distributed methods of dynamically electing reduced relay sets that attempt to efficiently flood routing control messages while maintaining a connected set under dynamic topological conditions. In one sense, Simplified Multicast Forwarding (SMF) extends the efficient flooding concept to the data forwarding plane. Therefore, SMF provides an appropriate multicast forwarding capability for use cases where localized, efficient flooding is considered an effective design approach. The baseline design is intended to provide a basic, best effort multicast forwarding capability that is constrained to operate within an interior MANET or wireless mesh routing domain. UH> ================ UH> same comment as before, "interior [...] routing domain"?. The difference between "MANET [...] routing domain" and "wireless mesh routing domain" is not clear to me. Maybe just say "MANET routing domain"? UH> ================ An SMF routing domain is an instance of a SMF UH> ================ UH> s/a SMF/an SMF/ ? UH> ================ routing protocol with common policies that is under a single network administration authority. UH> ================ UH> I wonder whether that is always applicable. For example, I am not quite sure that the FunkFeuer network is under a "single network administration authority". Everybody is free to join, simply by running the protocol. UH> ================ The main design goals of this SMF specification are to adapt efficient relay sets in MANET type environments [RFC2501] and to define the needed IPv4 and IPv6 multicast duplicate packet detection (DPD) mechanisms to support multi-hop, packet forwarding. 2.1. Terminology UH> ================ UH> I suggest to change the title to "Terminology and Notations" and add some text explaining the kind of notations (e.g. <TaggerId>) for fields and variables, similar to RFC 5444 UH> ================ The following abbreviations are used throughout this document: Macker, editor & SMF Design Team Expires September 15, 2011 [Page 5] Internet-Draft SMF March 2011 +--------------+---------------------------------+ | Abbreviation | Definition | +--------------+---------------------------------+ | MANET | Mobile Ad hoc Network | | SMF | Simplified Multicast Forwarding | | CF | Classical Flooding | | CDS | Connected Dominating Set | | MPR | Multi-Point Relay | | S-MPR | Source-based MPR | | MPR-CDS | MPR-based CDS | | E-CDS | Essential CDS | | NHDP | Neighborhood Discovery Protocol | | SMF-DPD | SMF-Duplicate Packet Detection | | I-DPD | Identification-based DPD | | H-DPD | Hash-based DPD | | HAV | Hash-assist Value | | FIB | Forwarding Information Base | | TLV | type-length-value encoding | | DoS | Denial of Service | +--------------+---------------------------------+ 3. Design Overview Figure 1 provides an overview of the logical SMF node UH> ================ UH> At many places in the draft, the word "node" is still used, instead of "router", as in other cases. I suggest to replace "node" with "router" throughout the doc. UH> ================ architecture, consisting of "Neighborhood Discovery", "Relay Set Selection" and "Forwarding Process" components. Typically, relay set selection (or self-election) occurs based on dynamic input from a neighborhood discovery process. SMF supports the case where neighborhood discovery and/or relay set selection information is obtained from a coexistent process (e.g., a lower layer mechanism or a unicast routing protocol using relay sets). In some algorithm designs, the forwarding decision for a packet can also depend on previous hop or incoming interface information. The asterisks (*) in Figure 1 mark the primitives and relationships needed by relay set algorithms requiring previous-hop packet forwarding knowledge. Macker, editor & SMF Design Team Expires September 15, 2011 [Page 6] Internet-Draft SMF March 2011 ______________ _____________ | | | | | Neighborhood | | Relay Set | | Discovery |------------->| Selection | | Protocol | neighbor | Algorithm | |______________| info |_____________| \ / \ / neighbor\ /forwarding info* \ ____________ / status \ | | / `-->| Forwarding |<--' | Process | ~~~~~~~~~~~~~~~~~>|____________|~~~~~~~~~~~~~~~~~> incoming packet, forwarded packets interface id*, and previous hop* Figure 1: SMF Node Architecture There are certain IP multicast packets, defined later in this specification UH> ================ UH> better: "defined in section XX of this specification" UH> ================ , that are "non-forwardable" and these multicast packets will be ignored by the SMF forwarding engine. The SMF forwarding engine MAY also work with policies and management interfaces to allow additional filtering control over which multicast packets are considered for potential SMF forwarding. This interface would allow more refined dynamic forwarding control once such techniques are matured for MANET operation. At present further discussion of dynamic control is left to future work. Interoperable SMF implementations MUST use a common DPD approach and be able to process the header options defined in this document for IPv6 operation. We define Classical Flooding (CF), UH> ================ UH> I prefer to use passive instead of "we...", i.e. "CF is defined as ... " UH> ================ as the simplest case of SMF multicast forwarding. With CF, each SMF router forwards each received multicast packet exactly once. In this case, the need for any relay set selection or neighborhood topology information is eliminated at the expense of additional network overhead. In CF mode, the SMF-DPD functionality is still required. While SMF supports a CF mode of operation UH> ================ UH> add comma UH> ================ the use of more efficient relay set modes is RECOMMENDED to reduce contention and congestion caused by unnecessary packet retransmissions [NTSC99]. An efficient, reduced relay set is realized by selecting and maintaining a subset of all possible routers in a MANET routing domain. Known distributed relay set selection algorithms have demonstrated the ability to provide and maintain a dynamic connected set for forwarding multicast IP packets [MDC04]. A few such relay set selection algorithms are described in the Appendices of this Macker, editor & SMF Design Team Expires September 15, 2011 [Page 7] Internet-Draft SMF March 2011 document and the basic designs borrow directly from previously documented IETF work. SMF relay set configuration is extensible and additional relay set algorithms beyond those specified here can be accommodated in future work. Determining and maintaining an optimized set of forwarding nodes generally requires dynamic neighborhood topology information. Neighborhood topology discovery functions MAY be externally provided by a MANET unicast routing protocol or by using the MANET NeighborHood Discovery Protocol (NHDP) [RFC6130] running in concurrence with SMF. Additionally, this specification allows alternative lower layer interfaces (radio router interface) to provide the necessary neighborhood information to aid in supporting more effective relay set election. Fundamentally, an SMF implementation SHOULD provide the ability for multicast forwarding state to be dynamically managed per operating network interface. Some of the relay state maintenance options and interactions are outlined later UH> ================ UH> remove the word "later" UH> ================ in Section 7. This document states specific requirements for neighborhood discovery with respect to the forwarding process and the relay set selection algorithms described herein. For determining dynamic relay sets in the absence of other control interfaces, SMF relies on the MANET NHDP specification to assist in IP layer 2-hop neighborhood state discovery and maintenance for relay set election. "SMF_TYPE" and "SMF_NBR_TYPE" Message and Address Block, respectfully, UH> ================ UH> "respectively"? UH> ================ TLV structures (per [RFC5444]) are defined for use with the NHDP protocol. It is RECOMMENDED that all nodes performing SMF operation in conjunction with NHDP, include these TLV types in any NHDP HELLO messages generated. This capability allows for nodes participating in SMF to be explicitly identified along with their respective dynamic relay set algorithm. 4. SMF Applicability Within dynamic wireless routing topologies, maintaining traditional forwarding trees to support a multicast routing protocol is often not as effective as in wired networks due to the reduced reliability and increased dynamics of mesh topologies [MGL04] [GM99]. A basic packet forwarding service reaching all connected routers running the SMF protocol within a localized routing domain UH> ================ UH> "localized routing domain"? is that the same as "interior routing domain" or just "routing domain"? UH> ================ may provide a useful group communication paradigm for various classes of applications. Applications that could take advantage of a simple multicast forwarding service include multimedia streaming, interactive group- based messaging and applications, peer-to-peer middleware multicasting, and multi-hop mobile discovery or registration services. SMF is likely only appropriate for deployment in limited dynamic wireless routing domains so that the flooding process can be contained. The limited SMF routing domains are further defined as Macker, editor & SMF Design Team Expires September 15, 2011 [Page 8] Internet-Draft SMF March 2011 administratively scoped multicast forwarding domains in Section 9.2. Note again that Figure 1 provides a notional architecture for typical SMF-capable nodes. A goal is that simple leaf nodes UH> ================ UH> remove "simple"? I think that this is not quite clear what a "leaf" node (/router) is in the context of the draft. UH> ================ may also participate in multicast traffic transmission and reception with standard IP network layer semantics (e.g., special or unnecessary encapsulation of IP packets should be avoided in this case). It is important that SMF deployments in localized edge network settings UH> ================ UH> definition of "localized edge network settings"? UH> ================ are able to connect and interoperate with existing standard multicast protocols operating within more conventional Internet infrastructures. A multicast border router or proxy mechanism MUST be used when deployed alongside more fixed-infrastructure IP multicast routing such Protocol Independent Multicast (PIM) variants [RFC3973] and [RFC4601]. Present experimental SMF implementations have demonstrated gateway functionality at MANET border routers operating with existing external IP multicast routing protocols [CDHM07],[DHS08],and UH> ================ UH> space missing before "and" and before "[DHS08]" UH> ================ [DHG09]. SMF may be extended or combined with other mechanisms to provide increased reliability and group specific filtering, but the details for this are not discussed here. UH> ================ UH> s/here/in this document/ UH> ================ 5. SMF Packet Processing and Forwarding The SMF Packet Processing and Forwarding actions are conducted with the following packet handling activities: 1. Processing of outbound, locally-generated multicast packets. 2. Reception and processing of inbound packets on specific network interfaces. The purpose of intercepting outbound, locally-generated multicast packets is to apply any added packet marking needed to satisfy the DPD requirements so that proper forwarding may be conducted. Note that for some system configurations the interception of outbound packets for this purpose is not necessary. UH> ================ UH? such as? why? UH> ================ Inbound multicast packets are received by the SMF implementation and processed for possible forwarding. This document does not presently support forwarding of directed broadcast addresses [RFC2644]. SMF implementations MUST be capable of forwarding IP multicast packets with destination addresses that are not node-local and link-local for IPv6 as defined in [RFC4291] and that are not within the local network control block as defined by [RFC5771] This will help support generic multi-hop multicast application needs or to distribute designated multicast traffic ingressing the SMF routing domain via border routers. The multicast addresses to be forwarded should be maintained by an a priori list or a dynamic Macker, editor & SMF Design Team Expires September 15, 2011 [Page 9] Internet-Draft SMF March 2011 forwarding information base (FIB) that MAY interact with future MANET dynamic group membership extensions or management functions. There will also be a well-known multicast group for SMF. UH> ================ UH> "will be"? should we write a document defining that and cite it here? UH> ================ This multicast group is specified to contain all routers within an SMF routing domain, so that packets transmitted to the multicast address associated with the group will be delivered to all connected routers running SMF. Due the mobile nature of a MANET, routers running SMF may not be topologically connected at particular times. For IPv6, the multicast address is specified to be "site-local". The name of the multicast group is "SL-MANET-ROUTERS". Minimally SMF MUST forward, as instructed by the relay set selection algorithm, unique (non-duplicate) packets received for this well-known group address when the TTL or hop limit value in the IP header is greater than 1. SMF MUST forward all additional global scope addresses specified within the dynamic FIB or configured list as well. In all cases, the following rules MUST be observed for SMF multicast forwarding: 1. IP multicast packets with TTL <= 1 UH> ================ UH> "TTL / hop limit" UH> ================ MUST NOT be forwarded. 2. Link local IP multicast packets MUST NOT be forwarded. 3. Incoming IP multicast packets with an IP source address matching one of those of the local SMF router interface(s) MUST NOT be forwarded. 4. Received frames with the MAC source address matching any MAC address of the routers interfaces MUST NOT be forwarded. 5. Received packets for which SMF cannot reasonably ensure temporal DPD uniqueness UH> ================ UH> Maybe "temporal uniqueness" should be defined before. UH> ================ MUST NOT be forwarded. 6. When packets are forwarded, TTL or hop limit MUST be decremented by one. Note that rule #3 is important because over some types of wireless interfaces, the originating SMF router may receive re-transmissions of its own packets when they are forwarded by adjacent routers. This rule avoids unnecessary retransmission of locally-generated packets even when other forwarding decision rules would apply. An additional processing rule also needs to be considered based upon a potential security threat. UH> ================ UH> Maybe it would be interesting to add a rule number 7 to the previous list, which says something like "any further filtering can be applied by extensions to this specification", similar to NHDP, which allows to easily "hook in" extensions, e.g. for security? UH> ================ As discussed further in Section 10, there may be concern in some SMF deployments that malicious nodes may conduct a denial-of-service attack by remotely "previewing" (e.g., via a directional receive antenna) packets that an SMF node would be forwarding and conduct a "pre-play" attack by transmitting the packet before the SMF node would otherwise receive it but with a reduced TTL (or Hop Limit UH> ================ UH> s/Hop Limit/hop limit/ UH> ================ ) field value. This form of attack could cause an SMF node to create a DPD entry that would block the proper forwarding of the valid packet (with correct TTL UH> ================ UH> / hop limit. Or maybe, at first usage of "TTL", add a comment that throughout the document, TTL is used both for TTL (in IPv4) and hop limit (IPv6) UH> ================ ) through the SMF area. UH> ================ UH> s/SMF area/SMF routing domain/ UH> ================ A RECOMMENDED approach to prevent this attack, when it is a concern, would be to cache temporal packet TTL values along with the per- packet DPD state (hash value(s) and/or identifier as described in Macker, editor & SMF Design Team Expires September 15, 2011 [Page 10] Internet-Draft SMF March 2011 Section 6). Then, if a subsequent matching (with respect to DPD) packet arrives with a larger TTL value than the packet that was previously forwarded, SMF should forward the new packet and update the TTL value cached with corresponding DPD state to the new, larger TTL value. There may be temporal cases where SMF would unnecessarily forward some duplicate packets using this approach, but those cases are expected to be minimal and acceptable when compared with the potential threat of denied service. Once these criteria UH> ================ UH> which criteria? UH> ================ have been met, an SMF implementation MUST make a forwarding decision dependent upon the relay set selection algorithm in use. One of the requirements of SMF is that it be configured to run a particular relay set selection algorithm when launched. If the SMF implementation is using Classical Flooding (CF), the forwarding decision is implicit once DPD uniqueness is determined. Otherwise, a forwarding decision depends upon the current interface-specific relay set state. The descriptions of the relay set selection algorithms in the Appendices to this document specify the respective heuristics for multicast packet forwarding and specific DPD or other processing required to achieve correct SMF behavior in each case. For example, one class of forwarding is based upon relay set election status and the packet's previous hop, while other classes designate the local SMF router as a forwarder for all neighboring nodes. 6. SMF Duplicate Packet Detection Duplicate packet detection (DPD) is often a requirement in MANET or wireless mesh packet forwarding mechanisms because packets may be transmitted out the same physical interface upon which they arrived and nodes may also receive copies of previously-transmitted packets from other forwarding neighbors. SMF operation requires DPD and implementations MUST provide mechanisms to detect and reduce the likelihood of forwarding duplicate multicast packets using temporal packet identification. It is RECOMMENDED this be implemented by keeping a history of recently-processed multicast packets for comparison to incoming packets. A DPD packet cache history SHOULD be kept long enough to span the maximum network traversal lifetime, MAX_PACKET_LIFETIME, of multicast packets being forwarded within an SMF routing domain. The DPD mechanism SHOULD avoid keeping unnecessary state for packet flows such as those that are locally- generated or link-local destinations that would not be considered for forwarding as presented in Section 5. For both IPv4 and IPv6, this document describes two basic multicast duplicate packet detection mechanisms: header content identification-based (I-DPD) and hash- based (H-DPD) duplicate detection. I-DPD is a mechanism using specific packet headers, and option headers in the case of IPv6, in combination with flow state to estimate the temporal uniqueness of a Macker, editor & SMF Design Team Expires September 15, 2011 [Page 11] Internet-Draft SMF March 2011 packet. H-DPD uses hashing of the particular packet fields and payloads to provide an estimation of temporal uniqueness. Trade-offs of the two approaches to DPD merit different consideration UH> ================ s/consideration/considerations/ UH> ================ dependent upon the specific SMF deployment scenario. Because of the potential addition of a hop-by-hop option header with IPv6, SMF deployments MUST be configured to use a common mechanism and DPD algorithm. The main difference between IPv4 and IPv6 SMF-DPD specification is the avoidance of any additional header options in the IPv4 case. For each network interface, SMF implementations MUST maintain DPD packet state as needed to support the forwarding heuristics of the relay set algorithm used. In general this involves keeping track of previously forwarded packets so that duplicates are not forwarded, but some relay techniques have additional considerations, such as discussed in Appendix B.2. Additional details of I-DPD and H-DPD processing and maintenance for different classes of packets are described in the following sections. 6.1. IPv6 Duplicate Packet Detection This section describes the mechanisms and options for SMF IPv6 DPD. The core IPv6 packet header does not provide any explicit identification header field that can be exploited for I-DPD. The following areas are described to support IPv6 DPD and each is covered in more detail in particular subsections: 1. the hop-by-hop SMF-DPD option header, 2. the use of IPv6 fragment header fields for I-DPD when they exist, 3. the use of IPsec sequencing for I-DPD when a non-fragmented, IPsec header is detected, and 4. an H-DPD approach assisted, as needed, by the SMF-DPD option header. SMF MUST provide a DPD marking module that can insert the hop-by-hop IPv6 header option defined in this section. This process MUST come after any source-based fragmentation that may occur with IPv6. As with IPv4, SMF IPv6 DPD is presently specified to allow either a packet hash or header identification method for DPD. An SMF implementation MUST be configured to operate either in H-DPD or I-DPD mode and perform the appropriate routines outlined in the following sections. 6.1.1. IPv6 SMF-DPD Header Option The base IPv6 packet header does not contain a unique identifier suitable for DPD. This section defines an IPv6 Hop-by-Hop Option Macker, editor & SMF Design Team Expires September 15, 2011 [Page 12] Internet-Draft SMF March 2011 [RFC2460] to serve this purpose for IPv6 I-DPD. Additionally, the header option provides a mechanism to guarantee non-collision of hash values for different packets when H-DPD is used. If this is the only hop-by-hop option present, the optional "TaggerId" field UH> ================ UH> would be good to explain the use of the field here UH> ================ (see below) is not included, and the size of the DPD packet identifier (sequence number) or hash token is 24 bits or less, UH> ================ UH> why 24 bits or less? UH> ================ this will result in the addition of 8 bytes to the IPv6 packet header including the "Next Header", "Header Extension Length", SMF-DPD option fields, and padding. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ... |0|0|0| OptType | Opt. Data Len | UH> ================ UH> why are these first 16 bits empty? maybe just remove them? same for all following figures UH> ================ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |H| DPD Identifier Option Fields or Hash Assist Value ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fig. 2 - IPv6 SMF-DPD Hop-by-Hop Header Option "Option Type" = (Lower 5 bits pending IANA assignment, highest order MUST be 000). By having these three bits be zero, this specification requires that nodes not recognizing this option type should skip over this option and continue processing the header and that the option must not change en route [RFC2460]. "Opt. Data Len" = Length of option content (I.e., 1 + (<IdType> ? (<IdLen> + 1): 0) + Length(DPD ID)). UH> ================ UH> I don't like that notation :-) <IdType> is not a "condition" (I know, I am fan of Java more than C, which would allow such "dirty" expressions ;-) UH> I'd prefer using English to describe this. UH> ================ "H-bit" = a hash indicator bit value identifying DPD marking type. 0 == sequence-based approach w/ optional taggerId UH> ================ UH> s/taggerId/TaggerId/ UH> ================ and a tuple-based sequence number. 1 == indicates a hash assist value (HAV) field follows to aid in avoiding hash-based DPD collisions. When the "H-bit" is cleared (zero value), the SMF-DPD format to support I-DPD operation is specified as shown in Figure 2 and defines the extension header in accordance with [RFC2460]. Macker, editor & SMF Design Team Expires September 15, 2011 [Page 13] Internet-Draft SMF March 2011 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ... |0|0|0| OptType | Opt. Data Len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0|TidTyp|TidLen| TaggerId (optional) ... | UH> ================ UH> it looks like TidType is 3.5 bits long. I know, it doesn't fit in there... not sure there is a better way UH> ================ +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Identifier ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2: IPv6 SMF-DPD Header Option in I-DPD mode The "TidType" is UH> ================ UH> maybe use the same style for these definitions as before, i.e. with: "field" = definition... UH> ================ a 3-bit field indicating the presence and type of the optional "TaggerId" field. The optional "TaggerId" is used to differentiate multiple ingressing border gateways that may commonly apply the SMF-DPD option header to packets from a particular source. This is provided for experimental purposes. The following table lists the valid TaggerId types: +---------+-------+-------------------------------------------------+ | Name | Value | Purpose | +---------+-------+-------------------------------------------------+ | NULL | 0 | Indicates no "TaggerId" field is present. | | | | "TidLen" MUST also be set to ZERO. | | DEFAULT | 1 | A "TaggerId" of non-specific context is | | | | present. "TidLen + 1" defines the length of | | | | the TaggerId field in bytes. | | IPv4 | 2 | A "TaggerId" representing an IPv4 address is | | | | present. The "TidLen" MUST be set to 3. | | IPv6 | 3 | A "TaggerId" representing an IPv6 address is | | | | present. The "TidLen" MUST be set to 15. | | ExtId | 7 | RESERVED FOR FUTURE USE (possible extended ID) | +---------+-------+-------------------------------------------------+ Table 1: TaggerId Types This format allows a quick check of the "TidType" field to determine if a "TaggerId" field is present. If the <TidType> UH> ================ UH> is there a difference between the notation "TidType" and <TidType>? See my comment to add a "notations" description to the terminology section. UH> ================ is NULL, then the length of the DPD packet <Identifier> field corresponds to the UH> ================ UH> remove "the" UH> ================ (<Opt. Data Len> - 1). If the <TidType> is non-NULL, then the length of the "TaggerId" field is equal to (<TidLen> - 1) and the remainder of the option data comprises the DPD packet <Identifier> field. When the "TaggerId" field is present, the <Identifier> field can be considered a unique packet identifier in the context of the <taggerId UH> ================ UH> taggerId or TaggerId? UH> ================ :srcAddr: dstAddr> tuple. When the "TaggerId" field is not present, then it is assumed the source host UH> ================ UH> host? or router? UH> ================ applied the SMF-DPD option and the <Identifier> can be considered unique in the context of the IPv6 packet header <srcAddr:dstAddr> tuple. IPv6 I-DPD operation details Macker, editor & SMF Design Team Expires September 15, 2011 [Page 14] Internet-Draft SMF March 2011 are described in Section 6.1.2. When the "H-bit" in the SMF-DPD option data is set, the data content value is interpreted as a Hash-Assist Value (HAV) used to facilitate H-DPD operation. In this case, source hosts UH> ================ UH> host? router? UH> ================ or ingressing gateways apply the SMF-DPD with a HAV only when required to differentiate the hash value of a new packet with respect to hash values in the DPD cache. This situation can be detected locally on the node by running the hash algorithm and checking the DPD cache. UH> ================ UH> change . to , UH> ================ prior ingressing a previously unmarked packet or a locally sourced packet. This helps to guarantee the uniqueness of generated hash values when H-DPD is used. Additionally, this also avoids the added overhead of applying the SMF-DPD option header to every packet. For many hash algorithms, it is expected that only sparse use of the SMF-DPD option may be required. The format of the SMF-DPD header option for H-DPD operation is given in Figure 3. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ... |0|0|0| OptType | Opt. Data Len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| Hash Assist Value (HAV) ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 3: IPv6 SMF_DPD Header Option in H-DPD Mode UH> ================ UH> There is an inconsistency throughout the document between SMF_DPD and SMF-DPD UH> ================ The SMF-DPD option should be applied with a HAV UH> ================ UH> s/a/an/ UH> ================ to produce a unique hash digest for packets within the context of the IPv6 packet header <srcAddr>. The size of the HAV field is implied by the "Opt. Data Len". The appropriate size of the field depends upon the collision properties of the specific hash algorithm used. More details on IPv6 H-DPD operation are provided in Section 6.1.3. 6.1.2. IPv6 Identification-based DPD The following table summarizes the IPv6 I-DPD processing and forwarding decision approach. Within the table '*' indicates an ignore field condition. UH> ================ UH> describe what's an "ignore field condition" UH> ================ Macker, editor & SMF Design Team Expires September 15, 2011 [Page 15] Internet-Draft SMF March 2011 +-------------+-----------+-----------+-----------------------------+ | IPv6 | IPv6 | IPv6 | SMF IPv6 I-DPD Mode Action | | Fragment | IPsec | I-DPD | | | Header | Header | Header | | +-------------+-----------+-----------+-----------------------------+ | Present | * | * | Use Fragment Header I-DPD | | | | | Check and Process for | | | | | Forwarding | UH> ================ UH> adding horizontal lines between rows could make it easier to read UH> ================ | Not Present | Present | * | Use IPsec Header I-DPD | | | | | Check and Process for | | | | | Forwarding | | Present | * | Present | Invalid, do not Forward | | Not Present | Present | Present | Invalid, do not Forward | | Not Present | Not | Not | Add I-DPD Header,and | | | Present | Present | Process for Forwarding | | Not Present | Not | Present | Use I-DPD Header Check and | | | Present | | Process for Forwarding | +-------------+-----------+-----------+-----------------------------+ Table 2: IPv6 I-DPD Processing Rules If the IPv6 multicast packet UH> ================ UH> which? "a packet received on a router, considered for forwarding..." or similar.. UH> ================ UH> ================ UH> The following would be easier to read, if it was an ennummeration, e.g. 1. if the packet is an IPv6 fragement, then... 2. else, if it is an... UH> ================ is an IPv6 fragment, SMF MUST use the fragment extension header fields for packet identification. This identifier can be considered unique in the context of the <srcAddr: dstAddr> of the IP packet. If the packet is an unfragmented IPv6 IPsec packet, SMF MUST use IPsec fields for packet identification. The IPsec header <sequence> field can be considered a unique identifier in the context of the <IPsecType:srcAddr:dstAddr:SPI> UH> ================ UH> maybe write what the abbreviation SPI stands for and cite IPsec UH> ================ where the "IPsecType" is either AH or ESP [RFC4302]. For unfragmented, non-IPsec, IPv6 packets, the use of the SMF-DPD header option is necessary to support I-DPD operation. The SMF-DPD header option is applied in the context of the <srcAddr> of the IP packet. End systems UH> ================ UH> End systems sounds like hosts. Do you mean routers? UH> ================ or ingressing SMF gateways are responsible for applying this option to support DPD. The following table UH> ================ UH> s/The following table/Table 3/ UH> ================ summarizes these packet identification types: +-----------+---------------------------------+---------------------+ | IPv6 | Packet DPD ID Context | Packet DPD ID | | Packet | | | | Type | | | +-----------+---------------------------------+---------------------+ | Fragment | <srcAddr:dstAddr> | <fragmentOffset:id> | | IPsec | <IPsecType:srcAddr:dstAddr:SPI> | <sequence> | | Packet | | | | Regular | <[taggerId:] UH> ================ UH> the notation <[taggerId:] is unclear. Also, it should be TaggerId UH> ================ srcAddr:dstAddr> | <SMF-DPD option | | Packet | | header id> | +-----------+---------------------------------+---------------------+ Macker, editor & SMF Design Team Expires September 15, 2011 [Page 16] Internet-Draft SMF March 2011 Table 3: IPv6 I-DPD Packet Identification Types "IPsecType" is either Authentication Header (AH) or Encapsulating Security Payload (ESP). UH> ================ UH> That has been said only a few sentences before UH> ================ The "TaggerId" is an optional field of the IPv6 SMF-DPD header option. 6.1.3. IPv6 Hash-based DPD A default hash-based DPD approach (H-DPD) for use by SMF is specified as follows. An MD5 [RFC1321] hash UH> ================ UH> hm, why fix to MD5 (deprecated)? couldn't we use a registry and then list possible signature methods in the appendix? UH> ================ of the non-mutable header fields, options fields, and data content of the IPv6 multicast packet is used to produce a 128-bit digest. The least significant 64 bits of this digest is used for SMF packet identification. The approach for calculating this hash value SHOULD follow the same guidelines described for calculating the Integrity Check Value (ICV) described in [RFC4302] with respect to non-mutable fields. This approach should have a reasonably low probability of digest collision when packet headers and content are varying. MD5 is being applied in SMF only to provide a low probability of collision and is not being used for cryptographic or authentication purposes. A history of the packet hash values SHOULD be maintained within the context of the IPv6 packet header <srcAddr>. SMF ingress points (i.e., source hosts UH> ================ UH> hosts / routers? UH> ================ or gateways) use this history to confirm that new packets are unique with respect to their hash value. The Hash-assist Value (HAV) field described in Section 6.1.1 is provided as a differentiating field when a digest collision would otherwise occur. Note that the HAV is an immutable option field and SMF MUST process any included HAV values (see Section 6.1.1) in its hash calculation. If a packet results in a digest collision (i.e., by checking the H-DPD digest history) within the DPD cache kept by SMF forwarders, the packet should UH> ================ UH> should or SHOULD? UH> ================ be silently dropped. If a digest collision is detected at an SMF ingress point the H-DPD option header is constructed with a randomly generated HAV. A UH> ================ UH> s/a/an/ UH> ================ HAV is recalculated as needed to produce a non-colliding hash value prior to forwarding. The multicast packet is then forwarded with the added IPv6 SMF-DPD header option. The MD5 indexing and IPv6 HAV approaches are specified at present for consistency and robustness to suit experimental uses. Future approaches and experimentation may discover designs UH> ================ UH> s/designs/design/ UH> ================ tradeoffs in hash robustness and efficiency worth considering. Enhancements MAY include reducing the maximum payload length that is processed, determining shorter indexes, or applying more efficient hashing algorithms. Use of the HAV functionality may allow for application of "lighter-weight" hashing techniques that might not have been Macker, editor & SMF Design Team Expires September 15, 2011 [Page 17] Internet-Draft SMF March 2011 initially considered due to poor collision properties otherwise. UH> ================ UH> I suggest use of registry in the appendix UH> ================ Such techniques could reduce packet processing overhead and memory requirements. 6.2. IPv4 Duplicate Packet Detection This section describes the mechanisms and options for IPv4 DPD. The IPv4 packet header [RFC0791] 16-bit "Identification" field MAY be used for DPD assistance, but practical limitations may require alternative approaches in some situations. The following areas are described to support IPv4 DPD: 1. the use of IPv4 fragment header fields for I-DPD when they exist, 2. the use of IPsec sequencing for I-DPD when a non-fragmented IPv4 IPsec packet is detected, and 3. a H-DPD approach. UH> ================ UH> s/a/an/ UH> ================ A specific SMF-DPD marking option is not specified for IPv4 since header options are not as tractable for end systems UH> ================ UH> hosts / routers? UH> ================ as for IPv6. IPv4 packets from a particular source are assumed to be marked with a temporally unique value in the "Identification" field of the packet header that can serve for SMF-DPD purposes. However, in present operating system networking kernels, the IPv4 header "Identification" value is not always generated properly, especially when the "don't fragment" (DF) bit is set. The IPv4 I-DPD mode of this specification requires that IPv4 "Identification" fields are managed reasonably by source hosts UH> ================ UH> host? router? UH> ================ and that temporally unique values are set within the context of the packet header <protocol:srcAddr:dstAddr> tuple. If this is not expected during an SMF deployment, then it is RECOMMENDED that the H-DPD method be used as a more reliable approach. Since IPv4 SMF does not specify an options header UH> ================ UH> option header or options header? UH> ================ , the interoperability constraints are looser than the IPv6 version and forwarders may be operate with mixed H-DPD and I-DPD modes as long as they consistently perform the appropriate DPD routines outlined in the following sections. However, it is RECOMMENDED that a deployment be configured with a common mode for operational consistency. 6.2.1. IPv4 Identification-based DPD The following table UH> ================ UH> s/The following table/Table 4/ UH> ================ summarizes the IPv4 I-DPD processing approach once a packet has passed the basic forwardable criteria described in Section 5. Within the table '*' indicates an ignore field condition. DF, MF, Fragment offset correspond to related fields and flags defined in [RFC0791]. Macker, editor & SMF Design Team Expires September 15, 2011 [Page 18] Internet-Draft SMF March 2011 +------+------+----------+---------+--------------------------------+ | DF | MF | Fragment | IPsec | IPv4 I-DPD Action | | flag | flag | offset | | | +------+------+----------+---------+--------------------------------+ | 1 | 1 | * | * | Invalid, Do Not Forward | | 1 | 0 | nonzero | * | Invalid, Do Not Forward | | * | 0 | zero | not | Tuple I-DPD Check and Process | | | | | Present | for Forwarding | | * | 0 | zero | Present | IPsec enhanced Tuple I-DPD | | | | | | Check and Process for | | | | | | Forwarding | | 0 | 0 | nonzero | * | Extended Fragment Offset Tuple | | | | | | I-DPD Check and Process for | | | | | | Forwarding | | 0 | 1 | zero or | * | Extended Fragment Offset Tuple | | | | nonzero | | I-DPD Check and Process for | | | | | | Forwarding | +------+------+----------+---------+--------------------------------+ Table 4: IPv4 I-DPD Processing Rules For performance reasons, IPv4 network fragmentation and reassembly of multicast packets within wireless MANET networks should be minimized, yet SMF provides the forwarding of fragments when they occur. If the IPv4 multicast packet is a fragment, SMF MUST use the fragmentation header fields for packet identification. This identification can be considered temporally unique in the context of the <protocol:srcAddr: dstAddr> of the IPv4 packet. If the packet is an unfragmented IPv4 IPsec packet, SMF MUST use IPsec fields for packet identification. The IPsec header <sequence> field can be considered a unique identifier in the context of the <IPsecType:srcAddr:dstAddr:SPI> where the "IPsecType" is either AH or ESP [RFC4302]. Finally, for unfragmented, non-IPsec, IPv4 packets, the "Identification" field can be used for I-DPD purposes. The "Identification" UH> ================ UH> <Identification> or "Identification" (see comment same pages before) UH> ================ field can be considered unique in the context of the IPv4 <protocol:scrAddr: dstAddr> tuple. The following table UH> ================ UH> s/The following table/Table 5/ UH> ================ summarizes these packet identification types: +-----------+---------------------------------+---------------------+ | IPv4 | Packet Identification Context | Packet Identifier | | Packet | | | | Type | | | +-----------+---------------------------------+---------------------+ | Fragment | <protocol:srcAddr:dstAddr> | <fragmentOffset:id> | | IPsec | <IPsecType:srcAddr:dstAddr:SPI> | <sequence> | | Packet | | | Macker, editor & SMF Design Team Expires September 15, 2011 [Page 19] Internet-Draft SMF March 2011 | Regular | <protocol:srcAddr:dstAddr> | <identification | | Packet | | field> | +-----------+---------------------------------+---------------------+ Table 5: IPv4 I-DPD Packet Identification Types "IPsecType" is either Authentication Header (AH) or Encapsulating Security Payload (ESP). The limited size (16 bits) of the IPv4 header "Identification" field [RFC0791] may result in more frequent value field wrapping, particularly if a common sequence space is used by a source for multiple destinations. If I-DPD operation is required, the use of the "internal hashing" technique described in Section 10 may mitigate this limitation of the IPv4 "Identification" field for SMF-DPD. In this case the "internal hash" value would be concatenated with the "Identification" value for I-DPD operation. 6.2.2. IPv4 Hash-based DPD To ensure consistent IPv4 H-DPD operation among SMF nodes, a default hashing approach is specified. This is similar to that specified UH> ================ UH>+ " in section xx " UH> ================ for IPv6, but the H-DPD header option with HAV is not considered. SMF MUST perform an MD5 [RFC1321] UH> ================ UH> same comment as before, maybe put a flexible hashing using a registry? UH> ================ hash of the immutable header fields, option fields and data content of the IPv4 multicast packet resulting in a 128-bit digest. The least significant 64 bits of this digest is UH> ================ UH> s/is/are/ UH> ================ used for SMF packet identification. The approach for calculating the hash value SHOULD follow the same guidelines described for calculating the Integrity Check Value (ICV) described in [RFC4302] with respect to non-mutable fields. A history of the packet hash values SHOULD be maintained in the context of <protocol:srcAddr: dstAddr>. The context for IPv4 is more specific than that of IPv6 since the SMF-DPD HAV cannot be employed to mitigate hash collisions. The MD5 hash is specified at present for consistency and robustness. Future approaches and experimentation may discover design tradeoffs in hash robustness and efficiency worth considering for future revisions of SMF. This MAY include reducing the packet payload length that is processed, determining shorter indexes, or applying a more efficient hashing algorithm. 7. Relay Set Selection UH> ================ UH> Maybe add a sentence here before 7.1. It looks weird to have no text between two headers. UH> ================ 7.1. Non-Reduced Relay Set Forwarding SMF implementations MUST support CF as a basic forwarding mechanism when reduced relay set information is not available or not selected Macker, editor & SMF Design Team Expires September 15, 2011 [Page 20] Internet-Draft SMF March 2011 for operation. In CF mode, each node transmits a locally generated or newly received forwardable packet exactly once. The DPD techniques described in Section 6 are critical to proper operation and prevent duplicate packet retransmissions by the same forwarding node. 7.2. Reduced Relay Set Forwarding MANET reduced relay sets are often achieved by distributed algorithms that can dynamically calculate a topological connected dominating set (CDS). A goal of SMF is to apply reduced relay sets for more efficient multicast dissemination within dynamic topologies. To accomplish this SMF MUST UH> ================ UH>maybe: s/SMF/an SMF implementation/ UH> ================ support the ability to modify its multicast packet forwarding rules based upon relay set state received dynamically during operation. In this way, SMF forwarding operates effectively as neighbor adjacencies or multicast forwarding policies within the topology change. In early SMF experimental prototyping, the relay set information has been derived from coexistent unicast routing control plane traffic flooding processes [MDC04]. From this experience, extra pruning considerations were sometimes required when utilizing a relay set from a separate routing protocol process. As an example, relay sets formed for the unicast control plane flooding MAY include additional redundancy that may not be desired for multicast forwarding use (e.g., biconnected relay set). Here is a recommended criteria list for SMF relay set selection algorithm candidates: 1. Robustness to topological dynamics and mobility 2. Localized election or coordination of any relay sets 3. Reasonable minimization of CDS relay set size given above constraints 4. Heuristic support for preference or election metrics Some relay set algorithms meeting these criteria are described in the Appendices of this document. Additional relay set selection algorithms may be specified in separate specifications in the future. Each Appendix subsection in this document can serve as a template for specifying additional relay algorithms. Figure 4 depicts a UH> ================ UH> s/a/an/ UH> ================ information flow diagram of possible relay set control options. The SMF Relay Set State UH> ================ UH>Relay Set or relay set (as later in the paragraph)? UH> ================ represents the information base that is used by SMF in the forwarding decision process. The relay set control option diagram demonstrates that the SMF relay set Macker, editor & SMF Design Team Expires September 15, 2011 [Page 21] Internet-Draft SMF March 2011 state may be determined by fundamentally three different methods: independent operation with NHDP [RFC5444] input providing dynamic network neighborhood adjacency information that is then used by a particular relay set selection, slave operation with an existing unicast MANET routing protocol that is capable of providing CDS election information that can be used by SMF, and cross layer operation that may involve lower layer neighbor or link information. Other heuristics to influence and control election can come from network management or other interfaces as shown on the right UH> ================ UH> + " of the figure" UH> ================ . Of course CF mode, UH> ================ UH> move comma to right after "of course"? UH> ================ simplifies the control and does not require other input but relies solely on DPD. Possible L2 Trigger/Information | | ______________ ______v_____ __________________ | MANET | | | | | | Neighborhood | | Relay Set | | Other Heuristics | | Discovery |----------->| Selection |<------| (Preference,etc) | | Protocol | neighbor | Algorithm | | Net Management | |______________| info |____________| |__________________| \ / \ / neighbor\ / Dynamic Relay info* \ ____________ / Set Status \ | SMF | / (State, {neighbor info}) `-->| Relay Set |<--' | State | -->|____________| / / ______________ | Coexistent | | MANET | | Unicast | | Process | |______________| Figure 4: SMF Reduced Relay Set Information Flow More discussion is provided on the three styles of SMF operation with reduced relay sets as illustrated in Figure 4 : UH> ================ UH> remove blank after "4" UH> ================ 1. Independent operation: In this case, SMF operates independently from any unicast routing protocols. To support reduced relay sets SMF MUST perform its own relay set selection using information gathered from signaling. It is RECOMMENDED that an associated MANET NHDP process be use UH> ================ UH> s/use/used/ UH> ================ for this signaling. NHDP Macker, editor & SMF Design Team Expires September 15, 2011 [Page 22] Internet-Draft SMF March 2011 messaging SHOULD be appended with additional [RFC5444] type- length-value (TLV) content to support SMF-specific requirements as discussed in [RFC6130] and for the applicable relay set algorithm described in the Appendices of this document or future specifications. Unicast routing protocols may co-exist, even using the same NHDP process, but signaling that supports reduced relay set selection for SMF is independent of these protocols. 2. Operation with CDS-aware unicast routing protocol: In this case, a coexistent unicast routing protocol provides dynamic relay set state based upon its own control plane CDS or neighborhood discovery information. 3. Cross-layer Operation: In this case, SMF operates using neighborhood status and triggers from a cross-layer information base for dynamic relay set selection and maintenance (e.g., lower link layer). 8. SMF Neighborhood Discovery Requirements This section defines the requirements for use of the MANET Neighborhood Discovery Protocol (NHDP) [RFC6130] to support SMF operation. Note that basic CF forwarding requires no neighborhood topology knowledge since in this configured mode every SMF node relays all traffic. Supporting more reduced SMF relay set operation requires the discovery and maintenance of dynamic neighborhood topology information. The MANET NHDP protocol can be leveraged UH> ================ UH> + "to" UH> ================ provide this necessary information, however there are SMF-specific requirements for related NHDP use. This is the case for both "independent" SMF operation where NHDP is being used specifically to support SMF or when one NHDP instance is used for both for UH> ================ UH> "is used for both for" (I am not a native speaker, but it seems weird...) UH> ================ SMF and a coexistent MANET unicast routing protocol. NHDP HELLO messages and the resultant neighborhood information base are described separately within the NHDP specification. To summarize, the NHDP protocol provides the following basic functions: 1. 1-hop neighbor link sensing and bidirectionality checks of neighbor links, 2. 2-hop neighborhood discovery including collection of 2-hop neighbors and connectivity information, 3. Collection and maintenance of the above information across multiple interfaces, and 4. A method for signaling SMF information throughout the 2-hop neighborhood through the use of TLV extensions. Appendices (A-C) of this document describe CDS-based relay set selection algorithms that can achieve efficient SMF operation, even in dynamic, mobile networks and each of the algorithms has been Macker, editor & SMF Design Team Expires September 15, 2011 [Page 23] Internet-Draft SMF March 2011 initially experimented within a working SMF prototype [MDDA07]. When using these algorithms in conjunction with NHDP, a method verifying neighbor SMF operation is required in order to insure correct relay set selection. NHDP along with SMF operation verification provides the necessary information required by these algorithms to conduct relay set selection. Verification of SMF operation may be done administratively or through the use of the SMF relay algorithms TLVs defined in the following subsections. Use of the SMF relay algorithm TLVs is RECOMMENDED when using NHDP for SMF neighborhood discovery. The following sub-sections specify some SMF-specific TLV types supporting general SMF operation or supporting the algorithms described in the Appendices. The Appendices describing several relay set algorithms also specify any additional requirements for use with NHDP and reference the applicable TLV types as needed. 8.1. SMF Relay Algorithm TLV Types This section specifies TLV types to be used within NHDP messages to identify the CDS relay set selection algorithm(s) in use. Two TLV types are defined, one message TLV type and one address TLV type. 8.1.1. SMF Message TLV Type The message TLV type denoted SMF_TYPE is used to identify the existence of an SMF instance operating in conjunction with NHDP. This message TLV type makes use of the extended type field as defined by [RFC5444] to convey the CDS relay set selection algorithm currently in use by the SMF message originator. When NHDP is used to support SMF operation, the SMF_TYPE TLV, containing the extended type field with the appropriate value, SHOULD be included in NHDP_HELLO messages (HELLO messages as defined in [RFC6130]. This allows SMF nodes to learn when neighbors are configured to use NHDP for information exchange including algorithm type and related algorithm information. This information can be used to take action, such as ignoring neighbor information using incompatible algorithms. It is possible that SMF neighbors MAY be configured differently and still operate cooperatively, but these cases will vary dependent upon the algorithm types designated. This document defines the following Message TLV type as specified in Table 6 conforming to [RFC5444]. The TLV extended type field is used to contain the sender's "Relay Algorithm Type". The interpretation of the "value" content of these TLVs is defined per "Relay Algorithm Type" and may contain algorithm specific information. Macker, editor & SMF Design Team Expires September 15, 2011 [Page 24] Internet-Draft SMF March 2011 +---------------+----------------+--------------------+ | | TLV syntax | Field Values | UH> ================ UH> s/syntax/Syntax/ UH> ================ +---------------+----------------+--------------------+ | type | <tlv-type> | SMF_TYPE | | extended type | <tlv-type-ext> | <relayAlgorithmId> | | length | <length> | variable | | value | <value> | variable | +---------------+----------------+--------------------+ Table 6: SMF Type Message TLV In Table 6 <relayAlgorithmId> is an 8-bit field containing a number 0-255 representing the "Relay Algorithm Type" of the originator address of the corresponding NHDP message. Possible values for the <relayAlgorithmId> are defined in Table 7. The table provides value assignments, future IANA assignment spaces, and an experimental space. The experimental space use MUST NOT assume uniqueness and thus should not be used UH> ================ UH> should not or SHOULD NOT UH> ================ for general interoperable deployment prior to official IANA assignment. +-------------+--------------------+--------------------------------+ | Type Value | Extended Type | Algorithm | | | Value | | +-------------+--------------------+--------------------------------+ | SMF_TYPE | 0 | CF | | SMF_TYPE | 1 | S-MPR | | SMF_TYPE | 2 | E-CDS | | SMF_TYPE | 3 | MPR-CDS | | SMF_TYPE | 4-127 | Future Assignment STD action | | SMF_TYPE | 128-239 | No STD action required | | SMF_TYPE | 240-255 | Experimental Space | +-------------+--------------------+--------------------------------+ Table 7: SMF Relay Algorithm Type Values Acceptable <length> and <value> fields of an SMF_TYPE TLV are dependent on the extended type value (i.e. relay algorithm type). The appropriate algorithm type, as conveyed in the <tlv-type-ext> field, defines the meaning and format of its TLV <value> field. For the algorithms defined by this document, see the appropriate appendix for the <value> field format. 8.1.2. SMF Address Block TLV Type An address block TLV type, denoted SMF_NBR_TYPE (i.e., SMF neighbor relay algorithm) is specified in Table 8. This TLV enables CDS relay algorithm operation and configuration to be shared among 2-hop Macker, editor & SMF Design Team Expires September 15, 2011 [Page 25] Internet-Draft SMF March 2011 neighborhoods. Some relay algorithms require two hop neighbor configuration in order to correctly select relay sets. It is also useful when mixed relay algorithm operation is possible, some examples of mixed use is UH> ================ UH> s/is/are/ UH> ================ outlined in the appendices. The message SMF_TYPE TLV UH> ================ UH> I think in RFC5444 it is Message TLV and not message TLV. (similiar for address.. etc). UH> ================ and address block SMF_NBR_TYPE TLV types share a common format. +---------------+----------------+--------------------+ | | TLV syntax | Field Values | +---------------+----------------+--------------------+ | type | <tlv-type> | SMF_NBR_TYPE | | extended type | <tlv-type-ext> | <relayAlgorithmId> | | length | <length> | variable | | value | <value> | variable | +---------------+----------------+--------------------+ Table 8: SMF Type Address Block TLV <relayAlgorithmId> in Table 8 is an 8-bit unsigned integer field containing a number 0-255 representing the "Relay Algorithm Type" value that corresponds to any associated address in the address block. Note that "Relay Algorithm Type" values for 2-hop neighbors can be conveyed in a single TLV or multiple value TLVs as described in [RFC5444]. It is expected that SMF nodes using NHDP construct address blocks with SMF_NBR_TYPE TLVs to advertise "Relay Algorithm Type" and to advertise neighbor algorithm values received in SMF_TYPE TLVs from those neighbors. Again values for the <relayAlgorithmId> are defined in Table 8. The interpretation of the "value" field of SMF_NBR_TYPE TLVs is defined per "Relay Algorithm Type" and may contain algorithm specific information. See the appropriate appendix for definitions of value fields for the algorithms defined by this document. 9. SMF Border Gateway Considerations It is expected that SMF will be used to provide simple forwarding of multicast traffic within a MANET or mesh routing topology. A border router gateway approach should be used to allow interconnection of SMF areas UH> ================ UH> SMF routing domain? UH> ================ with networks using other multicast routing protocols, such as PIM. It is important to note that there are many scenario- specific issues that should be addressed when discussing border multicast routers. At the present time, experimental deployments of SMF and PIM border router approaches have been demonstrated[DHS08]. UH> ================ UH> missing blank before [DHS08] UH> ================ Some of the functionality border routers may need to address includes Macker, editor & SMF Design Team Expires September 15, 2011 [Page 26] Internet-Draft SMF March 2011 the following: 1. Determining which multicast group traffic transits the border router whether entering or exiting the attached SMF routing domain. 2. Enforcement of TTL threshold or other scoping policies. 3. Any marking or labeling to enable DPD on ingressing packets. 4. Interface with exterior multicast routing protocols. 5. Possible operation with multiple border routers (presently beyond scope of this document). 6. Provisions for participating non-SMF nodes. Each of these areas is discussed in more detail in the following subsections. Note the behavior of SMF border routers is the same as that of non-border SMF nodes when forwarding packets on interfaces within the SMF routing domain. Packets that are passed outbound to interfaces operating fixed-infrastructure multicast routing protocols SHOULD be evaluated for duplicate packet status since present standard multicast forwarding mechanisms do not usually perform this function. 9.1. Forwarded Multicast Groups Mechanisms for dynamically determining groups for forwarding into a MANET SMF routing domain is an evolving technology area. Ideally, only groups for which there is active group membership should be injected into the SMF domain. This can be accomplished by providing an IPv4 Internet Group Membership Protocol (IGMP) or IPv6 Multicast Listener Discovery (MLD) proxy protocol so that MANET SMF nodes can inform attached border routers (and hence multicast networks) of their current group membership status. For specific systems and services it may be possible to statically configure group membership joins in border routers, but it is RECOMMENDED that some form of IGMP/MLD proxy or other explicit, dynamic control of membership be provided. Specification of such an IGMP/MLD proxy protocol is beyond the scope of this document. For outbound traffic, SMF border routers can perform duplicate packet detection and forward non-duplicate traffic that meets TTL/hop limit and scoping criteria and forward packet to interfaces external to the SMF routing domain. Appropriate IP multicast routing (PIM, etc) on those interfaces can then make further forwarding decisions with respect to the multicast packet. Note that the presence of multiple border routers associated with a MANET routing domain raises additional issues. This is further discussed in Section 9.4 but further work is expected to be needed here. Macker, editor & SMF Design Team Expires September 15, 2011 [Page 27] Internet-Draft SMF March 2011 9.2. Multicast Group Scoping Multicast scoping is used by network administrators to control the network routing domains reachable by multicast packets. This is usually done by configuring external interfaces of border routers in the border of a routing domain to not forward multicast packets which must be kept within the routing region. UH> ================ UH> routing domain? UH> ================ This is commonly done based on TTL of messages or the basis of group addresses. These schemes are known respectively as: 1. TTL scoping. 2. Administrative scoping. For IPv4, network administrators can configure border routers with the appropriate TTL thresholds or administratively scoped multicast groups for the router interfaces as with any traditional multicast router. However, for the case of TTL scoping it SHOULD be taken into account that the packet could traverse multiple hops within the MANET SMF routing domain before reaching the border router. Thus, TTL thresholds SHOULD be selected carefully. For IPv6, multicast address spaces include information about the scope of the group. Thus, border routers of an SMF routing domain know if they must forward a packet based on the IPv6 multicast group address. For the case of IPv6, it is RECOMMENDED that a MANET SMF routing domain be designated a site-scoped multicast domain. Thus, all IPv6 site-scoped multicast packets in the range FF05::/16 SHOULD be kept within the MANET SMF routing domain by border routers. IPv6 packets in any other wider range scopes (i.e. FF08::/16, FF0B::/16 and FF0E::16) MAY traverse border routers unless other restrictions different from the scope applies. Given that scoping of multicast packets is performed at the border routers, and given that existing scoping mechanisms are not designed to work with mobile routers, it is assumed that non-border routers running SMF will not stop forwarding multicast data packets of an appropriate site scoping. That is, it is assumed that an SMF routing domain is a site-scoped multicast area. 9.3. Interface with Exterior Multicast Routing Protocols The traditional operation of multicast routing protocols is tightly integrated with the group membership function. Leaf routers are configured to periodically gather group membership information, while intermediate routers conspire to create multicast trees connecting routers with directly-connected multicast sources and routers with active multicast receivers. In the concrete case of SMF, border routers can be considered leaf routers. Mechanisms for multicast Macker, editor & SMF Design Team Expires September 15, 2011 [Page 28] Internet-Draft SMF March 2011 sources and receivers to interoperate with border routers over the multihop MANET SMF routing domain as if they were directly connected to the router need to be defined. The following issues need to be addressed: 1. A mechanism by which border routers gather membership information 2. A mechanism by which multicast sources are known by the border router 3. A mechanism for exchange of exterior routing protocol messages across the SMF routing domain if the SMF routing domain is to provide transit connectivity for multicast traffic. It is beyond the scope of this document to address implementation solutions to these issues. As described in Section 9.1, IGMP/MLD proxy mechanisms can be deployed to address some of these issues. Similarly, exterior routing protocol messages could be tunneled or conveyed across an SMF routing domain but doing this robustly in a distributed wireless environment likely requires additional considerations outside the scope of this document. The need for the border router to receive traffic from recognized multicast sources within the SMF routing domain is important to potentially achieve interoperability with existing routing protocols. For instance, PIM-S requires routers with locally attached multicast sources to register them to the Rendezvous Point (RP) so that nodes can join the multicast tree. In addition, if those sources are not advertised to other autonomous systems (AS) using Multicast Source Discovery Protocol (MSDP), receivers in those external networks are not able to join the multicast tree for that source. 9.4. Multiple Border Routers An SMF domain UH> ================ UH> routing domain? UH> ================ might be deployed with multiple participating nodes having connectivity to external, fixed-infrastructure networks. Allowing multiple nodes to forward multicast traffic to/from the SMF routing domain can be beneficial since it can increase reliability, and provide better service. For example, if the SMF routing domain were to fragment with different SMF nodes maintaining connectivity to different border routers, multicast service could still continue successfully. But, the case of multiple border routers connecting a SMF routing domain to external networks presents several challenges for SMF: 1. Handling duplicate unmarked IPv4 or IPv6 (without IPsec encapsulation or DPD option) packets possibly injected by multiple border routers. Macker, editor & SMF Design Team Expires September 15, 2011 [Page 29] Internet-Draft SMF March 2011 2. Source-based relay algorithms handling of duplicate traffic injected by multiple border routers. 3. Determination of which border router(s) will forward outbound multicast traffic. 4. Additional challenges with interfaces to exterior multicast routing protocols. When multiple border routers are present they may be alternatively (due to route changes) or simultaneously injecting common traffic into the MANET routing region that has not been previously marked for SMF-DPD. Different border routers would not be able to implicitly synchronize sequencing of injected traffic since they may not receive exactly the same messages due to packet losses. For IPv6 I-DPD operation, the optional "TaggerId" field described for the SMF-DPD header option can be used to mitigate this issue. When multiple border routers are injecting a flow into a MANET routing region, UH> ================ UH> routing region? Is there a difference between MANET routing domain and SMF routing domain? UH> ================ there are two forwarding policies that SMF nodes running I-DPD may implement: 1. Redundantly forward the multicast flows (identified by <srcAddr: dstAddr>) from each border router, performing DPD processing on a <taggerID:dstAddr> or <taggerID:srcAddr:dstAddr> basis, or 2. Use some basis to select the flow of one tagger (border router) over the others and forward packets for applicable flows (identified by <sourceAddress:dstAddr>) only for the selected "Tagger ID" until timeout or some other criteria to favor another tagger occurs. It is RECOMMENDED that the first approach be used in the case of I-DPD operation. Additional specification may be required to describe an interoperable forwarding policy based on this second option. Note that the implementation of the second option requires that per-flow (i.e., <srcAddr::dstAddr>) state be maintained for the selected "Tagger ID". The deployment of H-DPD operation may alleviate DPD resolution when ingressing traffic comes from multiple border routers. Non-colliding hash indexes (those not requiring the H-DPD options header in IPv6) should be resolved effectively. 10. Security Considerations Gratuitous use of option headers can cause problems in routers. Other IP routers external to an SMF routing domains UH> ================ UH> s/domains/domain/ UH> ================ that might receive forwarded multicast should UH> ================ UH> should or SHOULD? UH> ================ ignore SMF-specific header options when encountered. The header options types are encoded appropriately to allow for this behavior. Macker, editor & SMF Design Team Expires September 15, 2011 [Page 30] Internet-Draft SMF March 2011 Here we briefly discuss several SMF denial-of-service (DoS) attack scenarios and we provide some initial recommended mitigation strategies. UH> ================ UH> I'd prefer to not use "we". (instead, "several SMF DoS attack scenarios are discussed..." etc) UH> ================ A potential denial-of-service attack against SMF forwarding is possible when a malicious node has a form of wormhole access to multiple part of a network topology. In the wireless ad hoc case, a directional antenna is one way to provide such a wormhole physically. If such a node can preview forwarded packets in one part of the network and forward modified versions to another part of the network it can perform the following attack. The malicious node could reduce the TTL or Hop Limit of the packet and transmit it to the SMF node causing it to forward the packet with a limited TTL (or even drop it) and make a DPD entry that could block or limit the subsequent forwarding of later-arriving valid packets with correct TTL values. This would be a relatively low-cost, high-payoff attack that would be hard to detect and thus attractive to potential attackers. An approach of caching TTL information with DPD state and taking appropriate forwarding actions is identified in Section 5 to mitigate this form of attack. Sequence-based packet identifiers are predictable and thus provide an opportunity for a DoS attack against forwarding. Forwarding protocols that use DPD techniques, such as SMF, may be vulnerable to DoS attacks based on spoofing packets with apparently valid packet identifier fields. In wireless environments, where SMF will most likely be used, the opportunity for such attacks may be more prevalent than in wired networks. In the case of IPv4 packets, fragmented IP packets or packets with IPsec headers applied, the DPD "identifier portions" of potential future packets that might be forwarded is highly predictable and easily subject to denial-of- service attacks against forwarding. A RECOMMENDED technique to counter this concern is for SMF implementations to generate an "internal" hash value that is concatenated with the explicit I-DPD packet identifier to form a unique identifier that is a function of the packet content as well as the visible identifier. SMF implementations could seed their hash generation with a random value to make it unlikely that an external observer could guess how to spoof packets used in a denial-of-service attack against forwarding. Since the hash computation and state is kept completely internal to SMF nodes, the cryptographic properties of this hashing would not need to be extensive and thus possibly of low complexity. Experimental implementations may determine that a lightweight hash of even only portions of packets may suffice to serve this purpose. While H-DPD is not as readily susceptible to this form of DoS attack, it is possible that a sophisticated adversary could use side information to construct spoofing packets to mislead forwarders using Macker, editor & SMF Design Team Expires September 15, 2011 [Page 31] Internet-Draft SMF March 2011 a well-known hash algorithm. Thus, similarly, a separate "internal" hash value could be concatenated with the well-known hash value to alleviate this security concern. The support of forwarding IPsec packets without further modification for both IPv4 and IPv6 is supported by this specification. Authentication mechanisms to identify the source of IPv6 option headers should be considered to reduce vulnerability to a variety of attacks. UH> ================ UH> maybe add something that the security considerations of the used neighbor discovery mechanism (NHDP) also applies UH> ================ 11. IANA Considerations This document raises multiple IANA Considerations. These include the IPv6 SMF_DPD hop-by-hop Header Extension defined and multiple Type- Length-Value (TLV) constructs UH> ================ UH> missing ( UH> ================ [RFC5444]) to be used with NHDP [RFC6130]operation UH> ================ UH> missing blank UH> ================ as needed to support different forms of SMF operation. There is one message TLV type and one address TLV type needed to be assigned for SMF purposes as discussed in Section 8.1. The value of the IPv6 SMF-DPD Hop-by-Hop Option Type is TBD (to be assigned). The SL-MANET-ROUTERS multicast address will be registered for both IPv4 and IPv6 multicast address spaces. 11.1. IPv6 SMF-DPD Header Extension This document requests IANA assignment of the "SMF_DPD" hop-by-hop option type from the IANA "IPv6 Hop-by-Hop Options Option Type" registry (see Section 5.5 of [RFC2780]). The format of this new option type is described in Section 6.1.1. A portion of the option data content is the taggger identifier type "TidType" that provides a context for the "TaggerId" that is optionally included to identify the node that added the SMF_DPD option to the packet. This document defines a namespace for IPv6 SMF_DPD Tagger Identifier Type values: ietf:manet:smf:taggerIdTypes The values that can be assigned within the "ietf:manet:smf: taggerIdTypes" name-space are numeric indexes in the range [0, 7], boundaries included. All assignment requests are granted on an "IETF Consensus" basis as defined in [RFC5226]. This specification registers Tagger Identification Type values from Table 9 in the registry "ietf:manet:smf:taggerIdTypes": Macker, editor & SMF Design Team Expires September 15, 2011 [Page 32] Internet-Draft SMF March 2011 +----------+-------+---------------+ | Mnemonic | Value | Reference | +----------+-------+---------------+ | NULL | 0 | This document | | DEFAULT | 1 | This document | | IPv4 | 2 | This document | | IPv6 | 3 | This document | | ExtId | 7 | This document | +----------+-------+---------------+ Table 9: TaggerId Types 11.2. SMF Type-Length-Value This document requests IANA assignment of one message "SMF_TYPE" TLV type and one address block "SMF_NBR_TYPE" TLV type from the [RFC6130] specific registry space. The common format of these new TLV types is described in Table 6 and Table 8. Furthermore this document defines a namespace for algorithm ID types using the extended type TLV value field defined by [RFC5444]. Both SMF_TYPE and SMF_NBR_TYPE TLVs use this namespace. ietf:manet:packetbb:nhdp:smf:relayAlgorithmID The values that can be assigned within the "ietf:manet:packetbb:nhdp: smf:relayAlgorithmID" name-space are numeric indexes in the range [0, 239], boundaries included. Assignment requests for the [0-127] are granted on an "IETF Consensus" basis as defined in [RFC5226]. Standards action is not required for assignment requests of the range [128-239]. Documents requesting relayAlgorithmId values SHOULD define value field uses contained by the SMF_TYPE:<relayAlgorithmId> and SMF_NBR_TYPE:<relayAlgorithmId> full type TLVs. This specification registers the following Relay Algorithm ID Type values shown in Table 10 in the registry "ietf:manet:packetbb:nhdp: smf:relayAlgorithmID UH> ================ UH> missing " UH> ================ +----------+-------+------------+ | Mnemonic | Value | Reference | +----------+-------+------------+ | CF | 0 | | | S-MPR | 1 | Appendix B | | E-CDS | 2 | Appendix A | | MPR-CDS | 3 | Appendix C | +----------+-------+------------+ Table 10: Relay Set Algorithm Type Values Macker, editor & SMF Design Team Expires September 15, 2011 [Page 33] Internet-Draft SMF March 2011 12. Acknowledgments Many of the concepts and mechanisms used and adopted by SMF resulted from many years of discussion and related work within the MANET working group since the late 1990s. There are obviously many contributors to past discussions and related draft documents within the working group that have influenced the development of SMF concepts that deserve acknowledgment. In particular, the document is largely a direct product of the earlier SMF design team within the IETF MANET working group and borrows text and implementation ideas from the related individuals and activities. Some of the direct contributors who have been involved in design, content editing, prototype implementation, major commenting, and core discussions are listed below in alphabetical order. We appreciate all the input and feedback from the many community members and early implementation users we have heard from that are not on this list as well. Key contributors/authors in alphabetical order: Brian Adamson Teco Boot Ian Chakeres Thomas Clausen Justin Dean Brian Haberman Ulrich Herberg Charles Perkins Pedro Ruiz Fred Templin Maoyu Wang The RFC text was produced using Marshall Rose's xml2rfc tool and Bill Fenner's XMLmind add-ons. 13. References 13.1. Normative References [E-CDS] Ogier, R., "MANET Extension of OSPF Using CDS Flooding", Proceedings of the 62nd IETF , March 2005. UH> ================ UH> is that required to be normative? Anyways, better cite the RFC than the IETF proceedings (RFC5614) UH> ================ [MPR-CDS] Adjih, C., Jacquet, P., and L. Viennot, "Computing Connected Dominating Sets with Multipoint Relays", Ad Hoc and Sensor Wireless Networks , January 2005. UH> ================ UH> is that required to be normative? UH> ================ [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981. Macker, editor & SMF Design Team Expires September 15, 2011 [Page 34] Internet-Draft SMF March 2011 [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992. UH> ================ UH> if we use a code point instead, we would not need to cite MD5 (or not normatively) UH> ================ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. [RFC2644] Senie, D., "Changing the Default for Directed Broadcasts in Routers", BCP 34, RFC 2644, August 1999. [RFC2780] Bradner, S., "IANA Allocation Guidelines For Values In the Internet Protocol and Related Headers", March 2000. UH> ================ UH> add RFC 2780 before "March 2000", like for the other citations UH> ================ [RFC3626] Clausen, T. and P. Jacquet, "Optimized Link State Routing Protocol", 2003. UH> ================ UH> month and RFC number missing before 2003 UH> ================ [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006. [RFC4302] Kent, S., "IP Authentication Header", December 2005. UH> ================ UH> RFC number missing before Dec. 2005 UH> ================ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, May 2008. [RFC5444] Clausen, T. and et al, UH> ================ UH> and et al doesn't work :-) better cite all authors, like for the other citations UH> ================ "Generalized MANET Packet/Message Format", RFC 5444, February 2009. [RFC5771] Cotton, M., Vegoda, L., and D. Meyer, "IANA Guidelines for IPv4 Multicast Address Assignment", RFC 5771, March 2010. [RFC6130] Clausen, T. and et al, "MANET Neighborhood Discovery Protocol", RFC 6130, March 2011. UH> ================ UH> The precise title is "Mobile Ad Hoc Network (MANET) Neighborhood Discovery Protocol (NHDP)" UH> ================ 13.2. Informative References [CDHM07] Chakeres, I., Danilov, C., and T. Henderson, "Connecting MANET Multicast", IEEE MILCOM 2007 Proceedings , 2007. UH> ================ UH> remove blank after Proceedings. similiarly, there are some blanks too much in the following cites UH> ================ [DHG09] Danilov, C., Henderson, T., and T. Goff, "Experiment and field demonstration of a 802.11-based ground-UAV mobile ad-hoc network", Proceedings of the 28th IEEE conference on Military Communications , 2009. [DHS08] Danilov, C., Henderson, T., and T. Spagnolo, "MANET Multicast with Multiple Gateways", IEEE MILCOM 2008 Macker, editor & SMF Design Team Expires September 15, 2011 [Page 35] Internet-Draft SMF March 2011 Proceedings , 2008. [GM99] Garcia-Luna-Aceves, JJ. and E. Madruga, "The core-assisted mesh protocol", Selected Areas in Communications, IEEE Journal on Volume 17, Issue 8, August 1999. [JLMV02] Jacquet, P., Laouiti, V., Minet, P., and L. Viennot, "Performance of multipoint relaying in ad hoc mobile routing protocols", Networking , 2002. [MDC04] Macker, J., Dean, J., and W. Chao, "Simplified Multicast Forwarding in Mobile Ad hoc Networks", IEEE MILCOM 2004 Proceedings , 2004. [MDDA07] Macker, J., Downard, I., Dean, J., and R. Adamson, "Evaluation of distributed cover set algorithms in mobile ad hoc network for simplified multicast forwarding", ACM SIGMOBILE Mobile Computing and Communications Review Volume 11 , Issue 3, July 2007. [MGL04] Mohapatra, P., Gui, C., and J. Li, "Group Communications in Mobile Ad hoc Networks", IEEE Computer Vol. 37, No. 2, February 2004. [NTSC99] Ni, S., Tseng, Y., Chen, Y., and J. Sheu, "The Broadcast Storm Problem in Mobile Ad hoc Networks", Proceedings Of ACM Mobicom 99 , 1999. [RFC2501] Macker, JP. and MS. Corson, "Mobile Ad hoc Networking (MANET): Routing Protocol Performance Issues and Evaluation Considerations", 1999. UH> ================ UH> month and RFC number UH> ================ [RFC3684] Ogier, R., Templin, F., and M. Lewis, "Topology Dissemination Based on Reverse-Path Forwarding", 2003. UH> ================ UH> month and RFC number UH> ================ [RFC3973] Adams, A., Nicholas, J., and W. Siadak, "Protocol Independent Multicast - Dense Mode (PIM-DM): Protocol Specification (Revised)", RFC 3973, January 2005. [RFC4601] Fenner, B., Handley, M., Holbrook, H., and I. Kouvelas, "Protocol Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised)", RFC 4601, August 2006.
- [manet] SMF-11 review Ulrich Herberg