Re: [rrg] Map and Encaps
Dino Farinacci <dino@cisco.com> Mon, 05 January 2009 01:09 UTC
Return-Path: <rrg-bounces@irtf.org>
X-Original-To: rrg-archive@ietf.org
Delivered-To: ietfarch-rrg-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E058B3A69D5; Sun, 4 Jan 2009 17:09:08 -0800 (PST)
X-Original-To: rrg@core3.amsl.com
Delivered-To: rrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D59893A69D5 for <rrg@core3.amsl.com>; Sun, 4 Jan 2009 17:09:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.535
X-Spam-Level:
X-Spam-Status: No, score=-6.535 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SjgzLOBururQ for <rrg@core3.amsl.com>; Sun, 4 Jan 2009 17:09:06 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 32E7A3A69CC for <rrg@irtf.org>; Sun, 4 Jan 2009 17:09:06 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.36,329,1228089600"; d="scan'208";a="223625627"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-6.cisco.com with ESMTP; 05 Jan 2009 01:08:53 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n0518rR5006940; Sun, 4 Jan 2009 17:08:53 -0800
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id n0518p1s009731; Mon, 5 Jan 2009 01:08:51 GMT
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 4 Jan 2009 17:08:53 -0800
Received: from moveme.cisco.com ([10.21.149.142]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 4 Jan 2009 17:08:53 -0800
Message-Id: <480765D0-01B8-472B-B132-2320CC346480@cisco.com>
From: Dino Farinacci <dino@cisco.com>
To: Pekka Nikander <pekka.nikander@nomadiclab.com>
In-Reply-To: <47BA4B32-C6A1-44DE-A040-1EE7017C39AC@nomadiclab.com>
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Sun, 04 Jan 2009 17:08:52 -0800
References: <20081216190034.CB6236BE587@mercury.lcs.mit.edu> <66EAB6CC-9438-44BE-ACF2-86AD17307FB5@nomadiclab.com> <A26562FE-AE8B-4B16-9FBF-3A50EB39429E@cisco.com> <1A4C4166-0A84-40FF-9599-6281237844AF@nomadiclab.com> <D1B3196D-D935-47BF-9B84-C4376A455D38@cisco.com> <47BA4B32-C6A1-44DE-A040-1EE7017C39AC@nomadiclab.com>
X-Mailer: Apple Mail (2.930.3)
X-OriginalArrivalTime: 05 Jan 2009 01:08:53.0199 (UTC) FILETIME=[2CE25DF0:01C96ED2]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=12072; t=1231117733; x=1231981733; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dino@cisco.com; z=From:=20Dino=20Farinacci=20<dino@cisco.com> |Subject:=20Re=3A=20[rrg]=20Map=20and=20Encaps |Sender:=20; bh=t/UNUnAjXpyyi9bpl7g+8oFPRTz7ciutKlaBCpc87f8=; b=vWKn3mjHFd3ykmmHzaft6xadyOTgydvzPhkmu9clKgiNjr7HXJg8g5OiuM NJLMkpeMrdB0Eis6WTLqXZtwK3BeEyjPXX8T/DHw2OqcPJqqUv1HRbMn6UHT 4K5bfInx5w;
Authentication-Results: sj-dkim-3; header.From=dino@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: rrg@irtf.org, Noel Chiappa <jnc@mercury.lcs.mit.edu>
Subject: Re: [rrg] Map and Encaps
X-BeenThere: rrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IRTF Routing Research Group <rrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/listinfo/rrg>, <mailto:rrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/pipermail/rrg>
List-Post: <mailto:rrg@irtf.org>
List-Help: <mailto:rrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/rrg>, <mailto:rrg-request@irtf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: rrg-bounces@irtf.org
Errors-To: rrg-bounces@irtf.org
Thanks for your detailed responses Pekka. You answered all my questions. Dino On Dec 28, 2008, at 12:01 PM, Pekka Nikander wrote: > [Those who do not care about details, may skip to the end where I > generalise.] > >>> The current implementation supports both IPv4 and IPv6 legacy >>> hosts. So, it does support an IPv4 legacy site, if that is what >>> you ask. IIRC, currently you manually configure the mapping >>> between Host Identities and the IPv4 addresses given to the legacy >>> hosts. But that could be automated. >> >> And is it one-to-one? Or is the IPv4 address the HIP-proxy box at >> the edge of a site perhaps? > > In the implementation today, the mapping between the internal legacy > IPv4 or IPv6 addresses (EIDs in LISPish) and the HIP Host Identies > maintained at the proxy is one-to-one. The external IPv4 or IPv6 > address of the HIP-proxy box is just liked the RLOC in LISP. I can > imagine a HIP-based box that has only one Host Identity (HI), or > fewer HIs than there are internal legacy hosts, but I wouldn't call > it a proxy but perhaps a "HIP tunnel box" or something else > instead. (It wouldn't be too different from an IPsec security GW, > and therefore it wouldn't be very interesting to me.) > > The idea of the proxy is that from the HIP point of view a proxy > looks like a number of HIP hosts sitting at one shared IP address > (or a few shared IP addresses if the proxy is multihomed). Hence, > from the HIP protocol point of view, it doesn't really matter if > what looks like a proxy is really a proxy, a host having a number of > Host Identities, or perhaps a host running a number of virtual > machines each having a separate Host Identity. (HIP allows multiple > Host Identities to be assigned to a single host.) > >>> The current implementation supports connecting to both IPv4 and >>> IPv6 hosts from legacy IPv4 and IPv6 hosts. Just like host HIP, >>> the proxy can do IPv4-IPv6 protocol translation in the fly if >>> needed. (Apps that carry IP addresses in the payload are likely >>> to break, unless you do ALG, too.) >> >> The translation is a big deal when it comes to details. How does an >> IPv6 HIT get translated into an IPv4 address, presumably used as a >> HIT on IPv4 system? > > The HIT is the internal representation (handle) for a Host Identity, > used in the protocol itself. When proxied, the internal legacy IP > addresses (EIDs) used between the proxy and the legacy hosts do not > need to be HITs -- they can be basically any IP addresses. Such > addresses, at least when used at the host-internal legacy socket API > for HIP hosts, are called Local Scope Identifiers (LSIs) in the HIP > architecture document. For the proxy, the usage could probably be > extended, so that LISPish EID would be LSI in HIPpish. :-) > > For IPv6, it might well make sense to use ORCHID-based HITs as LSIs, > but obviously you cannot use that for IPv4. > > When there is an incoming packet, either internally at a host > through the legacy API, or through the internal interface at a > proxy, the LSIs are mapped to the HIs, as I already explained. At > the same time, the TCP (and UDP) checksums are recomputed as if > there was an IPv6 pseudo-header and the SRC and DST address fields > contained the HITs. See Section 4.5.1. of RFC 5201 for the exact > details. > > Hence, in the packets between any two HIP hosts, the checksums are > always based on the HITs, using the IPv6 pseudo-header format. > Then, obviously, if something else is used between the HIP proxy and > legacy hosts, the checksums must be recomputed. This then leads to > the situation where simple protocols, such as SSH, benefit from an > implicit IPv4-IPv6 conversion in the case where one end uses IPv4 > LSIs and the other end IPv6 LSIs. > > But as you say, once you go to more complex protocols, such as > tunnel-mode IPsec or protocols carrying IP addresses in the > playloads, things get complicated and typically require that the > same LSIs are used at both ends. > >>> From the RRG point of view, of course, there are a number of >>> operational issues that we haven't thought, and that I think you >>> LISP folks have thought a lot, like managing the mappings >>> automatically and in a large scale. >> >> Meaning that HIP-proxy isn't ready to be deployed yet? > > The HIP proxy has never been meant to solve the RRG problem, at > least not until now :-). The proxy was developed to solve a > completely different problem: to make it possible to provide > simultaneous mobility and multi-homing to a number of co-operating > legacy sites and hosts. > > So, the HIP proxy is ready to be deployed if you have a single > organisation that cares about its internal connectivity over the > Internet and wants to make such communication more robust. > > For multi-organisation situation, the protocols themselves work. > However, AFAIK, nobody has cared to think about the operational > aspects, such as how to maintain the mappings between the > organisations etc. Hence, if you mean that HIP-proxy is not ready > to be deployed in such a situation, you are right. > >>> In more detail, from the functional point of view, the proxy does >>> as follows: >>> >>> 1. The IP addresses in an incoming packet from a proxied legacy >>> host are mapped to Host Identities. (If the destination address >>> cannot be mapped, the packet is not processed by the proxy and >>> typically NATed out. Furthermore, as this mapping is a one-to-one >>> mapping (equivalence relation), and therefore the implementation >>> does not have to do it in practise. >> >> So a mapping database would have to hold entries for all globally >> reachable hosts? > > As you can see from above, the focus has been on the single- > organisation situation, where one can easily maintain the LSI->HI > mappings for all reachable destinations. > > OTOH, if you consider a situation where the destination LSI is a > legacy IP address and there is no information about how to map it > into a HI, I could imagine opportunistic HIP could be used; see > Section 4.1.6. of RFC 5201. That could probably be combined with > some additional mapping mechanism, such as any of those proposed for > LISP. The result would still support HIP-based combined mobility > and multi-homing, as the database would only be used for the initial > HIP association setup. > >>> 2. The "tunnels" (encapsulation format + destination locator) >>> associated with destination Host Identity are determined, and one >>> of them is selected for the packet, according to a policy. Right >>> now HIP supports only ESP BEET mode tunnels, but adding other >>> types of tunnels (like IPv4 encapsulation) is quite easy, mostly >>> details. >>> >>> 3. The packet is encapsulated and sent out. >> >> Do you know ahead of time the destination locator is reachable? >> That is, by another means than having the destination locator's >> route in the routing table? > > That is addressed in the HIP mobility and multihoming RFC. See > Section 5.4. of RFC 5206. Furthermore, as the HIP control packet > format is bit-by-bit compatible with the SHIM6 control packet > format, the protocol defined in draft-ietf-shim6-failure- > detection-09 can be trivially reused. (AFAIK, some HIP > implementations do so already now.) > >>> At the other end, the processing continues: >>> >>> 4. The packet is decapsulated and the right Host Identities are >>> determined. >> >> If the mapping is 1-to-1, how does the HIP-proxy know to >> decapsulate? And how does it know a HIP encapsulated packet is >> transited through the box that shouldn't be decapsualted? > > I don't quite understand your questions, so forgive me if I don't > address just what you ask for. > > The HIP proxy knows that it needs to decapsulate since a) the packet > has, as its destination address, one of the local addresses > configured to the proxy box and b) the packet has the encapsulation > format (currently ESP). As the packet is destined to the proxy > itself, the packet is handed up in the stack and not forwarded. As > a result, the packet goes to the protocol module that handles the > decapsulation. So, there is no magic involved in that. > > In the light of that, I don't understand your latter question at all. > > ------------------ > >>> This is quite flexible. For example, I don't see any reason why >>> the LISP IPv4-in-IPv4 encapsulation header format couldn't be >>> used, if so desired. The only data plane "difference" >> >> The encapsulation format in LISP is one of many values LISP brings, >> but there are more important ones. > > I completely agree that LISP has lots of functions, and many > functions that AFAICS could be reused for HIP-proxy based solution. > HIP also has lots of values that it brings. Like baseline security, > mobility at different levels of granularity from sites to individual > flows, and multi-homing tightly integrated with mobility. > > ------------------- > >> Well, we know today (haven't proved it yet) that two HIP hosts can >> talk to each other over an IPv4 Internet using LISP encapsulation. >> And since the packets to the LISP ITR look like regular IPv6 >> packets, those embedded addresses (the HITs) *are* EIDs from the >> LISP router point of view. So they would be used as keys for the >> mapping database lookup to get locators returned. > > So, if I understand you Dino correctly, we seem to agree that from > the functional point of view, a HIP proxy and LISP xTRs perform a > pretty similar function. That was the point I had, in reaction to > what Noel wrote: > >>>>>> As far as HIP goes, I think it's a neat concept, includes good >>>>>> ideas, and I >>>>>> hope it catches on. However, two things. First, the installed- >>>>>> base/evolution >>>>>> issues are significant - while new applications can use it, HIP >>>>>> isn't a great >>>>>> deal of help when dealing with legacy hosts/applications/etc. >>>>>> Second, HIP >>>>>> does nothing to provide us with a superior internetwork layer >>>>>> (including a >>>>>> new routing architecture). > > In the light of the discussion above, I believe that it should now > be clear that Noel was wrong in what comes to HIP being able to help > legacy hosts or applications, and what comes to its *potential* in > helping to build a superior internetworking layer. Granted, HIP and > not even the HIP proxy does not as such provide "a superior > internetworking layer". But it *could* help building one, if so > desired. > > At this point, my only addition would be to again refer to the > expired "generix" draft, http://tools.ietf.org/html/draft-nikander-ram-generix-proxying-00 > , from two years ago. I still maintain that there is no real > difference, from the deployment point of view, between host-based > and network-based solutions. One can implement a host-based > solution in the network, as the HIP proxy example shows. Or one can > "squeeze" a network-based solution into a host. > > When solving the final target architecture, I think people should > think about the eventual, potential features it could give. And > then work out the deployment path. > > My understanding is that the LISP folks have done a great job in > terms of thinking how it could be widely deployed already at step > 1. Obviously, the HIP community has had a completely different > focus, thinking in small and trying to figure out how to deploy HIP > first within single organisations, and then gradually get benefits > from other organisations perhaps also adopting HIP. > > --Pekka > _______________________________________________ rrg mailing list rrg@irtf.org https://www.irtf.org/mailman/listinfo/rrg
- Re: [rrg] Map and Encaps HeinerHummel
- Re: [rrg] Map and Encaps Noel Chiappa
- Re: [rrg] Map and Encaps Noel Chiappa
- Re: [rrg] Map and Encaps William Herrin
- Re: [rrg] Map and Encaps Scott Brim
- Re: [rrg] Map and Encaps HeinerHummel
- Re: [rrg] Map and Encaps Noel Chiappa
- Re: [rrg] Map and Encaps Roland Dobbins
- Re: [rrg] Map and Encaps Scott Brim
- Re: [rrg] Map and Encaps Shane Amante
- Re: [rrg] Map and Encaps Dino Farinacci
- Re: [rrg] Map and Encaps Templin, Fred L
- Re: [rrg] Map and Encaps Noel Chiappa
- Re: [rrg] Map and Encaps HeinerHummel
- Re: [rrg] Map and Encaps Pekka Nikander
- Re: [rrg] Map and Encaps Dino Farinacci
- Re: [rrg] Map and Encaps Pekka Nikander
- Re: [rrg] Map and Encaps Dino Farinacci
- Re: [rrg] Map and Encaps Pekka Nikander
- Re: [rrg] Map and Encaps Dan Jen
- Re: [rrg] Map and Encaps Dino Farinacci