WDIFF

draft-ietf-shim6-proto-00.txt --> draft-ietf-shim6-proto-01.txt

SHIM6 WG E. Nordmark
Internet-Draft Sun Microsystems
Expires: March 31, 5, 2006 September 27, 2005

Level 3 multihoming shim protocol
draft-ietf-shim6-proto-00.txt
draft-ietf-shim6-proto-01.txt

Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on March 31, 5, 2006.

Abstract

The SHIM6 working group is exploring a layer 3 shim approach for
providing locator agility below the transport protocols, so that
multihoming can be provided for IPv6 with failover and load spreading
properties, without assuming that a multihomed site will have a
provider independent IPv6 address which is announced in the global
IPv6 routing table. The hosts in a site which has multiple provider
allocated IPv6 address prefixes, will use the shim6 protocol
specified in this document to setup state with peer hosts, so that
the state can later be used to failover to a different locator pair,

Nordmark Expires March 31, 5, 2006 [Page 1]

Internet-Draft Shim6 Protocol September 2005

should the original one stop working.

This document picks a particular approach to such a protocol and
tries to flush out a bunch of details, with the hope that the WG can
better understand the details in this proposal as well as discovering
and understanding alternative designs that might be better. Thus
this proposal is my no means cast in stone as the direction; quite to
the contrary it is a depth first exploration of the design space.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1 Placement of the shim Goals . . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . 4
1.2 Non-Goals . . . . . . . . . . . . . . . . . 5
2.1 Definitions . . . . . . . 5
1.3 Locators as Upper-layer Identifiers . . . . . . . . . . . 5
1.4 IP Multicast . . . . . 5
2.2 Notational Conventions . . . . . . . . . . . . . . . . . . 6
3. Assumptions
1.5 Renumbering Implications . . . . . . . . . . . . . . . . . 6
1.6 Placement of the shim . . . . . . . 7
4. Protocol Overview . . . . . . . . . . . 7
2. Terminology . . . . . . . . . . . . 8
4.1 Context Tags and Use of Flow Label . . . . . . . . . . . . 9
4.2 Protocol type overloading
2.1 Definitions . . . . . . . . . . . . . . . . 10
4.3 Securing shim6 . . . . . . . 9
2.2 Notational Conventions . . . . . . . . . . . . . . . 11
4.4 Overview of Shim Control Messages . . . 10
3. Assumptions . . . . . . . . . 11
5. Message Formats . . . . . . . . . . . . . . . 11
4. Protocol Overview . . . . . . . 14
5.1 Common Shim6 header . . . . . . . . . . . . . . 11
4.1 Context Tags . . . . . 14
5.2 I1 Message Format . . . . . . . . . . . . . . . . . . 13
4.2 Securing shim6 . . 15
5.3 R1 Message Format . . . . . . . . . . . . . . . . . . . . 16
5.4 I2 Message Format 14
4.3 Overview of Shim Control Messages . . . . . . . . . . . . 14
5. Message Formats . . . . . . . . 17
5.5 R2 Message Format . . . . . . . . . . . . . . 15
5.1 Payload Message Format . . . . . . 19
5.6 No Context Error Message Format . . . . . . . . . . . . 15
5.2 Common Shim6 Control header . 20
5.7 Locator List Update Message Format . . . . . . . . . . . . 21
5.8 Locator List Update Acknowledgement . . 16
5.3 I1 Message Format . . . . 22
5.9 Rehome Request Message Format . . . . . . . . . . . . . . 23
5.10 Rehome Acknowledgement . . 17
5.4 R1 Message Format . . . . . . . . . 23
5.11 Reachability Probe Message Format . . . . . . . . . . . 23
5.12 Reachability Probe Reply 18
5.5 I2 Message Format . . . . . . . . 24
5.13 Payload Message Format . . . . . . . . . . . . . 19
5.6 R2 Message Format . . . . 25
5.14 Keepalive Message Format . . . . . . . . . . . . . . . . 26
5.15 Locator Pair Test 21
5.7 No Context Error Message Format . . . . . . . . . . . . 27
5.16 Locator Pair Test Reply . 22
5.8 Update Request Message Format . . . . . . . . . 28
5.17 Context Locator Pair Explore Message Format . . . . . 23
5.9 Update Acknowledgement Message Format . 29
6. Option Formats . . . . . . . . . 24
5.10 Reachability Probe Message Format . . . . . . . . . . . 24
5.11 Reachability Reply Message Format . . . 31
6.1 Validator Option Format . . . . . . . . 25
5.12 Keepalive Message Format . . . . . . . . . 32
6.2 . . . . . . . 26
5.13 Context Locator List Option Pair Explore Message Format . . . . . . 27
5.14 Option Formats . . . . . . . . . . 32
6.3 . . . . . . . . . . . 28
5.14.1 Validator Option Format . . . . . . . . . . . . . . 29
5.14.2 Locator Preferences List Option Format . . . . . . . . . . . . 33
6.4 CGA Parameter Data Structure . 30
5.14.3 Locator Preferences Option Format . . . . . . . . 34
6.5 . 31
5.14.4 CGA Signature Parameter Data Structure Option Format . . . . . 32
5.14.5 CGA Signature Option Format . . . . . . . . . . . . 35
6.6 33
5.14.6 ULID Pair Option Format . . . . . . . . . . . . . . . . . 35
6.7 33
5.14.7 Packet In Error Option Format . . . . . . . . . . . . . . 36 34

Nordmark Expires March 31, 5, 2006 [Page 2]

Internet-Draft Shim6 Protocol September 2005

6.8

5.14.8 Explorer Results Option Format . . . . . . . . . . . . . . 36
7. 34
6. Conceptual Model of a Host . . . . . . . . . . . . . . . . . 38
7.1 35
6.1 Conceptual Data Structures . . . . . . . . . . . . . . . . 38
8. 36
7. Establishing Host Pair Contexts . . . . . . . . . . . . . . 40
8.1 Sending I1 messages 36
7.1 Normal context establishment . . . . . . . . . . . . . . . 37
7.2 Concurrent context establishment . . . . . . . 40
8.2 Receiving I1 messages . . . . . . 37
7.3 Context recovery . . . . . . . . . . . . 40
8.3 Receiving R1 . . . . . . . . . 38
7.4 Context confusion . . . . . . . . . . . . . . . . . . . . 39
7.5 Sending I1 messages . . . . . . . . . . . . . . . . . . . 40
8.4 Retransmitting
7.6 Receiving I1 messages . . . . . . . . . . . . . . . . . . 40
8.5
7.7 Receiving I2 R1 messages . . . . . . . . . . . . . . . . . . 40
8.6 41
7.8 Retransmitting I2 messages . . . . . . . . . . . . . . . . 40
8.7 Concurrent context establishment 41
7.9 Receiving I2 messages . . . . . . . . . . . . . 40
9. . . . . . 41
7.10 Receiving R2 messages . . . . . . . . . . . . . . . . . 42
8. No Such Content Errors . . . . . . . . . . . . . . . . . . . 41
10. 42
9. Handling ICMP Error Messages . . . . . . . . . . . . . . . . 42
11. Taredown
10. Teardown of the Host Pair Context . . . . . . . . . . . . . 43
12.
11. Updating the Locator Pairs . . . . . . . . . . . . . . . . . 44
13. 43
12. Various Probe Mechanisms . . . . . . . . . . . . . . . . . . 45
14. 43
13. Rehoming to a Different Locator Pair . . . . . . . . . . . . 46
15. 43
14. Payload Packets before a Switch . . . . . . . . . . . . . . 47
16. 43
15. Payload Packets after a Switch . . . . . . . . . . . . . . . 48
17. 44
16. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . 50
18. 45
17. Design Alternatives . . . . . . . . . . . . . . . . . . . . 52
18.1 46
17.1 State Cleanup . . . . . . . . . . . . . . . . . . . . . 52
18.2 Not Overloading the Flow Label 46
17.2 Detecting Context Loss . . . . . . . . . . . . . 52
18.3 Detecting Context Loss . . . . 46
18. Implications Elsewhere . . . . . . . . . . . . . . . . 53
19. Implications Elsewhere . . . 47
19. Security Considerations . . . . . . . . . . . . . . . . . . 55 48
20. Security IANA Considerations . . . . . . . . . . . . . . . . . . 57 . . 48
21. Acknowledgements Change Log . . . . . . . . . . . . . . . . . . . . . . 58 . . . 49
22. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 49
23. References . . . . . . . . . . . . . . . . . . . . . . . . . 59
22.1 49
23.1 Normative References . . . . . . . . . . . . . . . . . . 59
22.2 49
23.2 Informative References . . . . . . . . . . . . . . . . . 59 50
Author's Address . . . . . . . . . . . . . . . . . . . . . . 60 51
Intellectual Property and Copyright Statements . . . . . . . 61 52

Nordmark Expires March 31, 5, 2006 [Page 3]

Internet-Draft Shim6 Protocol September 2005

1. Introduction

The SHIM6 working group, and the MULTI6 WG that preceded it, is
exploring a layer 3 shim approach for providing locator agility below
the transport protocols, so that multihoming can be provided for IPv6
with failover and load spreading properties, properties [13], without assuming
that a multihomed site will have a provider independent IPv6 address
which is announced in the global IPv6 routing table. The hosts in a
site which has multiple provider allocated IPv6 address prefixes,
will use the shim6 protocol specified in this document to setup state
with peer hosts, so that the state can later be used to failover to a
different locator pair, should the original one stop working.

This document takes the outlines contained in [16] [21] and [15] [20] and
expands to an actual proposed protocol.

We assume that redirection attacks are prevented using the mechanism
specified in HBA [4]. [5].

The WG mailing list is discussing the scheme used for reachability
detection [5]. [6]. The schemes that are being discussed are Context
Unreachability Detection (CUD) or Force Bidirectional communication
Detection (FBD). This document doesn't discuss the tradeoffs between
the two, but it does suggest a set of keepalive and probe messages
that are sufficient to handle both. Once the WG has decided which
approach to take, we can remove the unneeded messages.

There is a related but slightly separate issue of how the hosts can
find which of the locator pairs is working after a failure. This is
discussed in [6]. [7]. We don't yet know how these details will be done,
but this draft specifies a separate "Explore" message as a
placeholder for such a protocol mechanism.

1.1 Placement Goals

The goals for this approach is to:
o Preserve established communications through failures, for example,
TCP connections and application communications using UDP.
o Have no impact on upper layer protocols in general and on
transport protocols in particular.
o Address the security threats in [16] through a separate document
[5], and techniques described in this document.
o No extra roundtrip for setup; deferred setup.
o Take advantage of multiple locators/addresses for load spreading
so that different sets of communication to a host (e.g., different
connections) might use different locators of the shim

TBD: Copy material from [16]. host.

Nordmark Expires March 31, 5, 2006 [Page 4]

Internet-Draft Shim6 Protocol September 2005

2. Terminology

This document uses the terms MUST, SHOULD, RECOMMENDED, MAY, SHOULD
NOT and MUST NOT defined in RFC 2119 [7].

1.2 Non-Goals

The terms defined in RFC
2460 [1] are also used.

2.1 Definitions

This document introduces assumption is that the following terms (taken from [16]):

upper layer protocol (ULP)
A protocol layer immediately above IP. Examples problem we are transport protocols such as TCP and UDP,
control protocols such as ICMP, routing protocols
such as OSPF, and internet or lower-layer
protocols being "tunneled" trying to solve is site
multihoming, with the ability to have the set of site locator
prefixes change over (i.e.,
encapsulated in) IP such as IPX, AppleTalk, or IP
itself.

interface A node's attachment time due to a link.

address An IP layer name site renumbering. Further, we
assume that contains both topological
significance and acts as a unique identifier for
an interface. 128 bits. This document only uses such changes to the "address" term in set of locator prefixes can be
relatively slow and managed; slow enough to allow updates to the case where it isn't
specific whether DNS
to propagate. But it is not a locator or goal to try to make communication
survive a identifier.

locator An IP layer topological name for an interface or renumbering event (which causes all the locators of a host
to change to a new set of interfaces. 128 bits. The locators are
carried in the IP address fields locators). This proposal does not attempt
to solve, perhaps related, problems such as the packets
traverse the network.

identifier An IP layer name for host multihoming or host
mobility.

This proposal also does not try to provide an IP layer endpoint (stack
name in [18]). The transport endpoint name is identifier. Even
though such a
function of the transport protocol and concept would
typically include be useful to ULPs and applications,
especially if the IP identifier plus management burden for such a port
number.
NOTE: This proposal does name space was zero
and there was an efficient yet secure mechanism to map from
identifiers to locators, such a name space isn't necessary (and
furthermore doesn't seem to help) to solve the multihoming problem.

1.3 Locators as Upper-layer Identifiers

Central to this approach is to not specify any introduce a new form
of IP layer identifier, identifier name
space but still separates the
identifying and locating properties instead use one of the IP
addresses. locators as the upper-layer identifier (ULID)
An IP locator which has been selected for
communication with a peer to be used by ID,
while allowing the upper
layer protocol. 128 bits. This is locators used for
pseudo-header checksum computation and connection
identification in the ULP. Different sets of

Nordmark Expires March 31, 2006 [Page 5]

Internet-Draft Shim6 Protocol September 2005

communication address fields to a host (e.g., different
connections) might use different ULIDs change over
time in order response to enable load spreading.

Since the ULID is just one failures of using the IP locators/
addresses of original locator.

This implies that the node, there ULID selection is no need for a
separate name space and allocation mechanisms.

address field The source and destination performed as today's default
address fields in the
IPv6 header. As IPv6 is currently selection as specified this
fields carry "addresses". If identifiers in [11]. Underneath, and
locators are separated these fields will contain
locators for packets on the wire.

FQDN Fully Qualified Domain Name

Host-pair context The state that
transparently, the multihoming shim maintains for
a particular peer. The peer is identified by one
or more ULIDs.

2.2 Notational Conventions

A, B, selects working locator pairs
with the initial locator pair being the ULID pair. When
communication fails the shim can test and C are hosts. X select alternate locators.
A subsequent section discusses the issues when the selected ULID is a potentially malicious host.

FQDN(A)
not initially working hence there is a need to switch locators up
front.

Using one of the domain name for A.

Ls(A) is locators as the locator set ULID has certain benefits for A,
applications which consists of have long-lived session state, or performs
callbacks or referrals, because both the locators L1(A),
L2(A), ... Ln(A).

ULID(A) is an upper-layer ID FQDN and the 128-bit ULID
work as handles for A. In this proposal, ULID(A) the applications. However, using a single 128-
bit ULID doesn't provide seamless communication when that locator is
always one member
unreachable. See [17] for further discussion of A's locator set.

This document also makes use of internal conceptual variables to
describe protocol behavior and external variables that an
implementation must allow system administrators to change. The
specific variable names, how their values change, and how their
settings influence protocol behavior are provided to demonstrate
protocol behavior. An implementation is not required to have them in the exact form described here, so long application
implications.

There has been some discussion of using non-routable locators, such
as its external behavior is
consistent with that described unique-local addresses [15], as ULIDs in this document. See Section 7 for a
description multihoming solution.
While this document doesn't specify all aspects of this, it is
believed that the conceptual data structures. approach can be extended to handle such a case.

Nordmark Expires March 31, 5, 2006 [Page 6] 5]

Internet-Draft Shim6 Protocol September 2005

3. Assumptions

The general approach of a level3 shim as well as this specific
proposal makes the following assumptions:

o When there is ingress filtering in the ISPs, that the use of all
{source, destination} locator pairs will cause

For example, the packets protocol already needs to exit
using different ISPs so handle ULIDs that all exit ISPs are not
initially reachable. Thus the same mechanism can be tried. Since
there might be only one destination locator, handle ULIDs that
are permanently unreachable from outside their site. The issue
becomes how to make the protocol perform well when the peer
supports shim6 but ULID is not multihomed,
reachable, for instance, avoiding any timeout and retries in this implies that the
selection of the exit ISP should be related
case. In addition one would need to understand how the source address ULAs would be
entered in the packets.

o Even without ingress filtering, there is DNS to avoid a performance impact on existing, non-
shim6 aware, IPv6 hosts potentially trying to communicate to the assumption
(unreachable) ULA.

1.4 IP Multicast

IP Multicast requires that if the host tries all {source, destination} IP source address field contain a
topologically correct locator pairs, for interface that it
has done a good enough job of trying to find a working path is used to send the
peer. Since we want
packet, since IP multicast routing uses both the protocol source address and
the destination group to provide benefits even if determine where to forward the
peer has a single locator, this seems packet.
(This isn't much different than the situation with widely implemented
ingress filtering [9] for unicast.)

While in theory it would be possible to imply that apply the choice shim re-mapping of
source locator needs to somehow affect
the exit path from IP address fields between ULIDs and locators, the
site.

Nordmark Expires March 31, 2006 [Page 7]

Internet-Draft Shim6 Protocol September 2005

4. Protocol Overview

The shim6 protocol operates in several phases over time. The
following sequence illustrates fact that all
the concepts:

o An application on host A decides multicast receivers would need to contact B using some upper-
layer protocol. know the mapping to perform,
makes such an approach difficult in practice. Thus it makes sense to
have multicast ULPs operate directly on locators and not use the
shim. This results is quite a natural fit for protocols which use RTP [12],
since RTP already has an explicit identifier in the ULP on A sending packets to
B. We call this form of the initial contact. Assuming SSRC
field in the RTP headers. Thus the actual IP addresses
selected by Default Address Selection [9] work, then there is no
action by address fields are not
important to the shim at application.

1.5 Renumbering Implications

As stated above, this point in time. Any shim context
establishment can be deferred until later.

o Some heuristic on A or B (or both) determine that it might make
sense approach does not try to make this communication robust against locator failures.
For instance, this heuristic
survive renumbering. However, the fact that a ULID might be used
with a different locator over time open up the possibility that more than 50 packets
have been sent
communication between two ULIDs might continue to work after one or received.
both of those ULIDs are no longer reachable as locators, for example
due to a renumbering event. This makes opens up the shim initiate possibility that the
4-way context establishment exchange.

As a result of this exchange,
ULID (or at least the prefix on which it is based) is reassigned to
another site while it is still being used (with another locator) for
existing communication.

Worst case we could end up with two separate hosts using the same
ULID while both A and B will know a list of
locators them are communicating with the same host.

This potential source for each other.

o Communication continues without confusion can be avoided if we require that
any change for the ULP packets.
In addition, there might communication using a ULID must be some messages exchanged between the
shim sub-layers for (un)reachability detection.

o At some point in time something fails. Depending on terminated when the approach ULID
becomes invalid (due to reachability detection, there the underlying prefix becoming invalid).

Nordmark Expires March 5, 2006 [Page 6]

Internet-Draft Shim6 Protocol September 2005

However, this might be an overkill. Even when an IPv6 prefix is
retired and reassigned to some advise from the
ULP, or the shim (un)reachability detection might discover that other site, there is still a problem.

At this point very
small probability that another host in time one or both ends of the communication need
to explore that site picks the different alternate locator pairs until a working
pair is found, and rehome to same 128
bit address (whether using that pair.

o Once DHCPv6, stateless address
autoconfiguration, or picking a working alternative locator pair has been found, the shim
will rewrite the packets on transmit, and tag random interface ID [10]). Should
the packets with identical address be used by another host, then there still
wouldn't be a
shim context tag, and send them on the wire. The receiver will
use the <Source Locator, Destination Locator, Context Tag> problem until that host attempts to find communicate with
the context state which will indicate same host with which addresses to place in
the IPv6 header before passing the packet up to the ULP. The
result is that from the perspective initial user of the ULP the packet passes
unmodified end-to-end, even though IPv6 address was
communicating.

1.6 Placement of the shim

-----------------------
| Transport Protocols |
-----------------------

---------------------
| shim6 shim layer |
---------------------

------ IP routing infrastructure
sends
| IP | sub-layer
------

Figure 1: Protocol stack

The proposal uses an multihoming shim layer within the packet IP layer,
i.e., below the ULPs, as shown in Figure 1, in order to a different locator.

o provide ULP
independence. The multihoming shim (un)reachability detection will monitor the new locator
pair layer behaves as if it monitored the original locator pair, so that subsequent
failures can is
associated with an extension header, which would be detected.

Nordmark Expires March 31, 2006 [Page 8]

Internet-Draft Shim6 Protocol September 2005

o When ordered
immediately after any hop-by-hop options in the shim thinks that packet. However,
when the context state locator pair is no longer used, it
can garbage collect the state; ULID pair there is no coordination necessary
with the peer host before the state is removed. There is an error
message defined data that needs to
be able to signal when there is no context
state, which can be used to detect and recover from both premature
garbage collection, as well as complete state loss (crash and
reboot) of a peer.

The data packets in shim6 are carried completely unmodified as long
as the ULID pair in an extension header, thus none is used as needed in that case.

Layering AH and ESP above the locator pair. After a switch multihoming shim means that IPsec can
be made to a
different be unaware of locator pair changes the packets are "tagged" so same way that the receiver transport
protocols can always determine be unaware. Thus the context IPsec security associations
remain stable even though the locators are changing. The MOBIKE WG
is looking at ways to which they belong. For commonly
used have IPsec security associations survive even
though the IP protocols this addresses changes, which is done by using a different value in approach.

Layering the Flow
Label field, that is, there is no additional fragmentation header added to above the
packets. But for other IP protocol types multihoming shim makes
reassembly robust in the case that there is an extra 8 byte
header inserted, broken multi-path routing
which carries results in using different paths, hence potentially different

Nordmark Expires March 5, 2006 [Page 7]

Internet-Draft Shim6 Protocol September 2005

source locators, for different fragments. Thus, effectively the next header value.

4.1 Context Tags and Use of Flow Label

A context between to hosts
multihoming shim layer is actually a context placed between two ULIDs.
The context is identified by the IP endpoint sublayer,
which handles fragmentation, reassembly, and IPsec, and the IP
routing sublayer, which on a pair of context tags. Each end gets host selects which default router to allocate a context tag, use
etc.

Applications and once the context is established, upper layer protocols use ULIDs which the shim6 control messages contain the context tag that the receiver of
the message allocated. Thus at a minimum the combination of <peer
ULID, local ULID, local context> tag MUST uniquely identify one
context.

In addition, the non-shim6 messages, which we call payload packets,
layer will not contain the ULIDs after a failure. This introduces the
requirement that map to/from different locators. The shim6 layer maintains
state, called host-pair context, per ULID pairs (that is, applies to
all ULP connections between the <peer locator, local locator, local context tag>
MUST uniquely identify ULID pair) in order to perform this
mapping. The mapping is performed consistently at the context. Since sender and the peer's set of locators
might be dynamic
receiver, thus from the simplest form of unique allocation perspective of the local
context tag is upper layer protocols,
packets appear to pick a number that is unique on the host. Hosts
which serve multiple ULIDs be sent using disjoint sets of locators can
maintain the context tag allocation per such disjoint set.

As an optimization, ULIDs from end to ensure that payload packets, end, even after the
locators have been switched from being the original ones, do not
require an extra shim extension header, though
the proposal uses packets travel through the Flow
Label field network containing locators in the IPv6 header to carry the context tag for common
upper layer protocols such as TCP IP
address fields, and UDP. This works as follows:

o even though those locators might be changed by
the transmitting shim6 layer.

The allocation context state in this approach is maintained per remote ULID i.e.
approximately per peer host, and usage not at any finer granularity. In
particular, it is independent of the flow label during the initial
communication is unchanged. Thus ULPs and any ULP connections.
However, the TCP, UDP, etc packets are
sent with a flow label which is allocated according forking capability enables shim-aware ULPs to [11].

o When the context is created, each endpoint picks use more
than one locator pair at a time for an unused context
tag based single ULID pair.

---------------------------- ----------------------------
| Sender A | | Receiver B |
| | | |
| ULP | | ULP |
| | src ULID(A)=L1(A) | | ^ |
| | dst ULID(B)=L1(B) | | | src ULID(A)=L1(A) |
| v | | | dst ULID(B)=L1(B) |
| multihoming shim | | multihoming shim |
| | src L2(A) | | ^ |
| | dst L3(B) | | | src L2(A) |
| v | | | dst L3(B) |
| IP | | IP |
---------------------------- ----------------------------
| ^
------- cloud with some routers -------

Figure 2: Mapping with changed locators

The result of this consistent mapping is that there is no impact on
the constraints above, which ULPs. In particular, there is also not used no impact on pseudo-header
checksums and connection identification.

Conceptually one could view this approach as if both ULIDs and
locators are being present in every packet, but with a header
compression mechanism applied that removes the need for the ULIDs

Nordmark Expires March 31, 5, 2006 [Page 9] 8]

Internet-Draft Shim6 Protocol September 2005

flow label for the set of locators.

o The context tag is used by the shim to refer to

once the shim state in has been established. In order for the control messages (such as probes, and locator updates.

o The payload traffic (TCP, UDP, etc.) continue receiver to flow unchanged.

o Should
recreate a packet with the correct ULIDs there might be a need to switch to a different locator pair, then
the TCP, UDP, etc packets will be sent using an alternate locator
pair, and with a flow label that is
include some "compression tag" in the same as data packets. This would serve
to indicate the (20 bit) correct context tag.

The mechanism to use for detecting a loss of context state at decompression when the peer that
is currently proposed
locator pair in this document assumes that the receiver can
tell the packets that need locator rewriting, even after it has lost
all state (e.g., due to a crash followed by a reboot). The next
section specifies how this can be done.

Note that there packet is no need for a single context insufficient to have more than one
context tag; whether uniquely identify the locator pair is <A1, B2>, <A1, B3> or <A2,
B3>
context.

2. Terminology

This document uses the same context tag is used terms MUST, SHOULD, RECOMMENDED, MAY, SHOULD
NOT and MUST NOT defined in RFC 2119 [1]. The terms defined in RFC
2460 [2] are also used.

2.1 Definitions

This document introduces the flow label field. Only the
payload packets using the original <A1, B1> locator pair use the flow
label (which is different than the context tag).

Whether we overload the flow label field to carry the context tag or
not, any following terms (taken from [21]):
upper layer protocol (such (ULP)
A protocol layer immediately above IP. Examples
are transport protocols such as RSVP TCP and UDP,
control protocols such as ICMP, routing protocols
such as OSPF, and internet or NSIS) which signals information
about flows from the host stack to devices in the path, need lower-layer
protocols being "tunneled" over (i.e.,
encapsulated in) IP such as IPX, AppleTalk, or IP
itself.
interface A node's attachment to be
made aware of the locator agility introduced by a link.
address An IP layer 3 shim, so name that the signaling can be performed contains both topological
significance and acts as a unique identifier for
an interface. 128 bits. This document only uses
the locator pairs that are
currently being used.

4.2 Protocol type overloading

The mechanism "address" term in the case where it isn't
specific whether it is a locator or a identifier.
locator An IP layer topological name for detecting an interface or
a loss set of context state at the peer that
is currently proposed interfaces. 128 bits. The locators are
carried in this document assumes that the receiver can
tell IP address fields as the packets that need locator rewriting, even after it has lost
all state (e.g., due to a crash followed by a reboot). There is
traverse the network.
identifier An IP layer name for an
alternative to detection of lost state outlined IP layer endpoint (stack
name in Section 18. [23]). The idea transport endpoint name is to steal a partial bit from
function of the transport protocol type fields that
are used in and would
typically include the Next Header values, so that IP identifier plus a port
number.
NOTE: This proposal does not specify any new form
of IP layer identifier, but still separates the
identifying and locating properties of the IP
addresses.
upper-layer identifier (ULID)
An IP locator which has been selected for
communication with a peer to be used by the common upper
layer
protocols can be identified.

For example:

o TCP has protocol 6; TCP using alternate locators has protocol P. protocol. 128 bits. This is used for
pseudo-header checksum computation and connection

Nordmark Expires March 31, 5, 2006 [Page 10] 9]

Internet-Draft Shim6 Protocol September 2005

o UDP has protocol 17; TCP using alternate locators has protocol
P+1.

o ICMPv6 has protocol 58; ICMPv6 using alternate locators has
protocol P+2.

o SCTP has protocol 132; SCTP using alternate locators has protocol
P+3.

o DCCP has protocol ??; DCCP using alternate locators has protocol
P+4.

o ESP has protocol 50; ESP using alternate locators has protocol
P+5.

o AH has protocol 51; AH using alternate locators has protocol P+6.

o FRAG has protocol 44; FRAG using alternate locators has protocol
P+7.

Thus with 7 or so additional protocol field values we can do

identification in the ULP. Different sets of
communication to a
reasonable job host (e.g., different
connections) might use different ULIDs in order
to enable load spreading.

Since the ULID is just one of overloading the flow label IP locators/
addresses of the node, there is no need for a
separate name space and allocation mechanisms.
address field The source and get detection
of lost destination address fields in the
IPv6 header. As IPv6 is currently specified this
fields carry "addresses". If identifiers and
locators are separated these fields will contain
locators for packets on the wire.
FQDN Fully Qualified Domain Name
Host-pair context state.

4.3 Securing shim6 The mechanisms are secured using state that the multihoming shim maintains for
a combination of techniques:

o particular peer. The HBA technique [4] context is for validating a ULID
pair, as is identified by a context tag for each
direction.
Context tag Each end of the locators context allocates a context tag
for the context. This is used to prevent an
attacker from redirecting uniquely
associate both received control packets and
payload packets with the packet stream shim6 Payload extension
header as belonging to somewhere else.

o Requiring a Reachability Probe+Reply before the context.
Current locator pair Each end of the context has a new current locator
pair which is used
as the destination, in order to prevent 3rd party flooding
attacks.

o send packets to be peer.
The first message does not create any state on two ends might use different locator pairs
though.
Default context At the responder.
Essentially a 3-way exchange is required before sending end, the responder
creates any state. This means that a state-based DoS attack
(trying to use up all of memory on shim uses the responder) at least
provides an IPv6 address that ULID pair
(passed down from the attacker was using.

o The context establishment messages use nonces ULP) to prevent replay
attacks.

4.4 Overview of Shim Control Messages

The shim find the context establishment is accomplished using four messages;

Nordmark Expires March 31, 2006 [Page 11]

Internet-Draft Shim6 Protocol September 2005

I1, R1, I2, R2. Normally they
for that pair. Thus, normally, a host can have
at most one context for a ULID pair. We call
this the "default context".
Context forking A mechanism which allows ULPs that are sent aware of
multiple locators to use separate contexts for
the same ULID pair, in that order from initiator
and responder, respectively. Should both ends attempt to set up
context state at be able use
different locator pairs for different
communication to the same time (for ULID. Context forking
causes more than just the same default context to be
created for a ULID pair), then their
I1 messages might cross in flight, pair.

2.2 Notational Conventions

A, B, and result in an immediate R2
message. [The names of these messages C are borrowed from HIP [17].]

There hosts. X is a No Contex error message defined, when a control or payload
packet arrives and there potentially malicious host.

FQDN(A) is no matching context state at the
receiver. When such a message domain name for A.

Ls(A) is received, it will result in the
destruction locator set for A, which consists of the shim context and a re-establishment.

The peers' lists of locators are normally exchanged as part L1(A),
L2(A), ... Ln(A).

Nordmark Expires March 5, 2006 [Page 10]

Internet-Draft Shim6 Protocol September 2005

ULID(A) is an upper-layer ID for A. In this proposal, ULID(A) is
always one member of A's locator set.

This document also makes use of internal conceptual variables to
describe protocol behavior and external variables that an
implementation must allow system administrators to change. The
specific variable names, how their values change, and how their
settings influence protocol behavior are provided to demonstrate
protocol behavior. An implementation is not required to have them in
the
context establishment exchange. But exact form described here, so long as its external behavior is
consistent with that described in this document. See Section 6 for a
description of the set conceptual data structures.

3. Assumptions

The general approach of locators might be
dynamic. For a level3 shim as well as this reason specific
proposal makes the following assumptions:
o When there is a Locator List Update message and
acknowledgement.

Even though ingress filtering in the list of locators is fixed, a host might determine ISPs, that some preferences might have changed. For instance, it might
determine the use of all
<source, destination> locator pairs will cause the packets to exit
using different ISPs so that all exit ISPs can be tried. Since
there might be only one destination locator, when the peer
supports shim6 but is a locally visible failure that not multihomed, this implies that
some locator(s) are no longer usable. Currently this mechanism has a
separate message pair (Rehome Request and acknowledgement), but
perhaps this can the
selection of the exit ISP should be encoded using related to the Locator List Update message
pair with source address
in the packets.
o Even without ingress filtering, there is the assumption that if
the host tries all <source, destination> locator pairs, that it
has done a preference option and no change good enough job of trying to find a working path to the list of locators.

At least two approaches (CUD and FBD) have been discussed for
peer. Since we want the
shim (un)reachability detection [5]. This document attempt protocol to define
messages for both cases; once provide benefits even if the WG
peer has picked an approach we can
delete any unneeded messages.

The CUD approach uses a probe message and acknowledgement, which can
be suppressed e.g. using positive advise from the ULP. This message
pair also single locator, this seems needed to verify imply that the host is indeed present at a
new choice of
source locator before the data stream is redirected to that locator, in
order needs to prevent 3rd party DoS attacks.

The FBD approach uses a keepalive message, which is sent when a host
has received packets from somehow affect the peer, but exit path from the ULP has not given
site.

4. Protocol Overview

The shim6 protocol operates in several phases over time. The
following sequence illustrates the concepts:
o An application on host an opportunity to send any payload packet A decides to contact B using some upper-
layer protocol. This results in the peer.

The above probe and keepalive messages assume we have an established
host-pair context. However, communication might fail during ULP on A sending packets to
B. We call this the initial context (that is, when contact. Assuming the application or transport protocol IP addresses
selected by Default Address Selection [11] work, then there is trying to setup some communication). If we want no
action by the shim to be
able to optimize discovering a working locator pair at this point in time. Any shim context
establishment can be deferred until later.
o Some heuristic on A or B (or both) determine that case, we
need a mechanism it might make
sense to test the reachability of locators independent of
some context. We define a make this communication robust against locator pair test message and
acknowledgement for failures.
For instance, this purpose, even though it isn't yet clear
whether we need such a thing. heuristic might be that more than 50 packets
have been sent or received. This makes the shim initiate the
4-way context establishment exchange.

Nordmark Expires March 31, 5, 2006 [Page 12] 11]

Internet-Draft Shim6 Protocol September 2005

Finally, when

As a result of this exchange, both A and B will know a list of
locators for each other.

If the context is established establishment exchange fails, the initiator will
then know that the other end does not support shim6, and will
revert to standard unicast behavior for the session.
o Communication continues without any change for the ULP packets.
In addition, there is a failure there
needs might be some messages exchanged between the
shim sub-layers for (un)reachability detection.
o At some point in time something fails. Depending on the approach
to reachability detection, there might be some advise from the
ULP, or the shim (un)reachability detection might discover that
there is a way problem.

At this point in time one or both ends of the communication need
to explore the set of different alternate locator pairs to efficiently
find until a working pair. We define an explore message as a placeholder
for some mechanism in this space [6].

Nordmark Expires March 31, 2006 [Page 13]

Internet-Draft Shim6 Protocol September 2005

5. Message Formats

The shim6 messages are all carried
pair is found, and rehome to using that pair.
o Once a new IP protocol number TBD
[to be assigned by IANA]. The shim6 messages have a common header,
defined below, with some fixed fields, followed by type specific
fields.

5.1 Common Shim6 header

The common part of the header working alternative locator pair has a next header been found, the shim
will rewrite the packets on transmit, and header tag the packets with
shim6 Payload message as an extension
length field header, which is consistent with contains the other IPv6 extension
headers, even if
receiver's context tag. The receiver will use the next header value is only used for data payload <Source
Locator, Destination Locator, Context Tag> to find the context
state which is carried with a shim6 will indicate which addresses to place in the IPv6
header on before passing the front. packet up to the ULP. The shim6 headers must be a multiple result is
that from the perspective of 8 octets, hence the minimum
size is 8 octets. ULP the packet passes unmodified
end-to-end, even though the IP routing infrastructure sends the
packet to a different locator.
o The common message header is shim (un)reachability detection will monitor the new locator
pair as follows:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Hdr Ext Len | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | |
+-+-+-+-+-+-+-+-+ |
| Type specific format |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Next Header: 8-bit selector. Normally set to NO_NXT_HDR (59).
Indicates it monitored the next header value original locator pair, so that subsequent
failures can be detected.
o In addition to failures detected based on end-to-end observations,
one endpoint might be know for the shim6 payload
messages.

Hdr Ext Len: 8-bit unsigned integer. Length certain that one or more of the shim6 header in
8-octet units, its
locators is not including working. For instance, the first 8 octets.

Checksum: 16-bit unsigned integer. network interface
might have failed or gone down (at layer 2), or an IPv6 address
might have become invalid. In such cases the host can signal its
peer that this address is no longer recommended to try. Thus this
triggers something similar to a failure handling in that a new,
working locator pair must be found.

The checksum Working Group has discussed whether or not hosts can express
other forms of locator preferences. If this is the 16-bit
one's complement of case, a change
in the one's complement sum of preferences can be signaled to the
entire shim6 header message starting with peer, which might make
the shim6
next header field, and ending as indicated by peer choose to try a different locator pair. Thus, this can
also be treated similarly to a failure.
o When the Hdr
Ext Len. Thus when shim thinks that the context state is no longer used, it
can garbage collect the state; there is a payload following no coordination necessary
with the
shim6 header, peer host before the payload state is NOT included in the shim6
checksum. removed. There is an error
message defined to be able to signal when there is no context

Nordmark Expires March 31, 5, 2006 [Page 14] 12]

Internet-Draft Shim6 Protocol September 2005

Type: 8-bit unsigned integer. Identifies the actual message

state, which can be used to detect and recover from both premature
garbage collection, as well as complete state loss (crash and
reboot) of a peer.

The ULP packets in shim6 are carried completely unmodified as long as
the table below.

+------------+-----------------------------------------------------+
| Type Value | Message |
+------------+-----------------------------------------------------+
| 1 | I1 (first establishment message from ULID pair is used as the initiator) |
| | |
| 2 | R1 (first establishment message from locator pair. After a switch to a
different locator pair the responder) |
| | |
| 3 | I2 (2nd establishment message from packets are "tagged" with a shim6
extension header, so that the initiator) |
| | |
| 4 | R2 (2nd establishment message from receiver can always determine the responder) |
| | |
| 5 | No
context to which they belong. This is accomplished by including an
8-octet "shim payload" extension header before the (extension)
headers that are processed by the IP endpoint sublayer and ULPs.

4.1 Context Error |
| | |
| 6 | Locator List Update |
| | |
| 7 | Locator List Update Acknowledgement |
| | |
| 8 | Rehome Request |
| | |
| 9 | Rehome Acknowledgement |
| | |
| 10 | Reachability Probe |
| | |
| 11 | Reachability Probe Reply |
| | |
| 12 | Payload |
| | |
| 13 | Keepalive |
| | |
| 14 | Locator Pair Test |
| | |
| 15 | Locator Pair Test Reply |
| | |
| 16 | Context Locator pair explore |
+------------+-----------------------------------------------------+

Table 1

5.2 I1 Message Format Tags

A context between two hosts is actually a context between two ULIDs.
The I1 message context is identified by a pair of context tags. Each end gets
to allocate a context tag, and once the context is established, the first message in
shim6 control messages contain the context establishment
exchange.

Nordmark Expires March 31, 2006 [Page 15]

Internet-Draft Shim6 Protocol September 2005

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 1 | Res | Initiator Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Next Header: NO_NXT_HDR (59).

Type: 1

Res: 4-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.

Initiator Context Tag: 20-bit field. The Context Tag tag that the initiator
has allocated for receiver of
the message allocated. Thus at a minimum the combination of <peer
ULID, local ULID, local context> tag MUST uniquely identify one
context.

Initiator Nonce: 32-bit unsigned integer. A random number picked by

In addition, the initiator non-shim6 messages, which the responder we call payload packets,
will return in not contain the
R1 message.

The following options are allowed in ULIDs after a failure. This introduces the message:

ULID pair: TBD Do we need to carry
requirement that the ULIDs, or assume they are <peer locator, local locator, local context tag>
MUST uniquely identify the same as context. Since the address fields in peer's set of locators
might be dynamic the IPv6 header?
Depends on how we handle failures during initial
contact.

5.3 R1 Message Format

The R1 message simplest form of unique allocation of the local
context tag is to pick a number that is unique on the second message in host. Hosts
which serve multiple ULIDs using disjoint sets of locators can
maintain the context establishment
exchange. tag allocation per such disjoint set.

The responder sends this mechanism for detecting a loss of context state at the peer that
is currently proposed in response this document assumes that the receiver can
tell the packets that need locator rewriting, even after it has lost
all state (e.g., due to an I1 message,
without creating a crash followed by a reboot).

Even though we do not overload the flow label field to carry the
context tag, any state specific protocol (such as RSVP or NSIS) which signals
information about flows from the host stack to devices in the path,
need to be made aware of the initiator. locator agility introduced by a layer 3
shim, so that the signaling can be performed for the locator pairs
that are currently being used.

TBD: add forking - multiple contexts between ULID pairs, default
context, etc

Nordmark Expires March 31, 5, 2006 [Page 16] 13]

Internet-Draft Shim6 Protocol September 2005

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 2 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Responder Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Next Header: NO_NXT_HDR (59).

Type: 2

Reserved: 24-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.

Initiator Nonce: 32-bit unsigned integer. Copied from the I1
message.

Responder Nonce: 32-bit unsigned integer. A number picked by the
initiator which the initiator will return in the I2
message.

4.2 Securing shim6

The following options mechanisms are allowed in the message:

Responder Validator: Variable length mandatory option. Typically secured using a
hash generated by the responder, which the responder
uses together with combination of techniques:
o The HBA technique [5] for validating the Responder Nonce value locators to verify
that prevent an I2 message is indeed sent in response
attacker from redirecting the packet stream to somewhere else.
o Requiring a R1
message, and that the parameters in the I2 message are
the same Reachability Probe+Reply before a new locator is used
as those in the I1 message.

5.4 I2 Message Format destination, in order to prevent 3rd party flooding
attacks.
o The I2 message is the third first message in does not create any state on the context establishment
exchange. The initiator sends this in response to responder.
Essentially a R1 message,
after checking 3-way exchange is required before the Initiator Nonce, etc.

Nordmark Expires March 31, 2006 [Page 17]

Internet-Draft Shim6 Protocol September 2005

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 3 | Res | Initiator Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Responder Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Next Header: NO_NXT_HDR (59).

Type: 3

Res: 4-bit field. Reserved for future use. Zero on
transmit. MUST be ignored responder
creates any state. This means that a state-based DoS attack
(trying to use up all of memory on receipt.

Initiator Context Tag: 20-bit field. The Context Tag the initiator
has allocated for responder) at least
provides an IPv6 address that the attacker was using.
o The context

Initiator Nonce: 32-bit unsigned integer. A random number picked by
the initiator which the responder will return in the
R2 message.

Responder Nonce: 32-bit unsigned integer. Copied from the R1
message. establishment messages use nonces to prevent replay
attacks.

4.3 Overview of Shim Control Messages

The following options shim context establishment is accomplished using four messages;
I1, R1, I2, R2. Normally they are allowed sent in the message:

Responder Validator: Variable length mandatory option. Copied that order from
the Validator in the R1 message.

ULID pair: TBD Do we need initiator
and responder, respectively. Should both ends attempt to carry the ULIDs, or assume they are set up
context state at the same as time (for the address fields same ULID pair), then their
I1 messages might cross in the IPv6 header?

Locator list: Optionally sent flight, and result in an immediate R2
message. [The names of these messages are borrowed from HIP [22].]

There is a No Context error message defined, when a control or
payload packet arrives and there is no matching context state at the initiator immediately wants
to tell
receiver. When such a message is received, it will result in the
destruction of the shim context and a re-establishment.

The peers' lists of locators are normally exchanged as part of the
context establishment exchange. But the set of locators might be
dynamic. For this reason there is a Locator List Update message and
acknowledgement.

Even though the responder its list of locators. When locators is fixed, a host might determine
that some preferences might have changed. For instance, it might
determine that there is sent, a locally visible failure that implies that
some locator(s) are no longer usable. Currently this mechanism has a
separate message pair (Rehome Request and acknowledgement), but
perhaps this can be encoded using the necessary HBA/CGA information for
validating Locator List Update message
pair with a preference option and no change to the locator list MUST also be included. of locators.

At least two approaches (CUD and FBD) have been discussed for the
shim (un)reachability detection [6]. This document attempt to define
messages for both cases; once the WG has picked an approach we can
delete any unneeded messages.

Nordmark Expires March 31, 5, 2006 [Page 18] 14]

Internet-Draft Shim6 Protocol September 2005

Locator Preferences: Optionally sent when

The CUD approach uses a probe message and acknowledgement, which can
be suppressed e.g. using positive advise from the locators don't all have
equal preference.

CGA Parameter Data Structure: Included when ULP. This message
pair also seems needed to verify that the host is indeed present at a
new locator list before the data stream is
included so redirected to that locator, in
order to prevent 3rd party DoS attacks.

The FBD approach uses a keepalive message, which is sent when a host
has received packets from the receiver can verify peer, but the locator list.

CGA Signature: Included ULP has not given the
host an opportunity to send any payload packet to the peer.

The above probe and keepalive messages assume we have an established
host-pair context. However, communication might fail during the
initial context (that is, when the application or transport protocol
is trying to setup some of communication). If we want the locators shim to be
able to optimize discovering a working locator pair in that case, we
need a mechanism to test the list use
CGA (and not HBA) for validation.

5.5 R2 Message Format

The R2 reachability of locators independent of
some context. We define a locator pair test message and
acknowledgement for this purpose, even though it isn't yet clear
whether we need such a thing.

Finally, when the context is established and there is a failure there
needs to be a way to explore the fourth set of locator pairs to efficiently
find a working pair. We define an explore message as a place holder
for some mechanism in the context establishment
exchange. The responder sends this in response to an I2 message. space [7].

5. Message Formats

The R2 message is also used when both hosts send I1 shim6 messages at the
same time and the I1 are all carried using a new IP protocol number TBD
[to be assigned by IANA]. The shim6 messages cross have a common header,
defined below, with some fixed fields, followed by type specific
fields.

5.1 Payload Message Format

The payload message is used to carry ULP packets where the receiver
must replace the content of the source and or destination fields in flight.
the IPv6 header before passing the packet to the ULP. Thus this
extension header is included when the locators pair that is used is
not the same as the ULID pair.

Since the shim is placed between the IP endpoint sub-layer and the IP
routing sub-layer in the host, the shim header will be placed before
any endpoint extension headers (fragmentation headers, destination
options header, AH, ESP), but after any routing related headers (hop-
by-hop extensions header, routing header, a destinations options
header which precedes a routing header). When tunneling is used,
whether IP-in-IP tunneling or the special form of tunneling that
Mobile IPv6 uses (with Home Address Options and Routing header type

Nordmark Expires March 5, 2006 [Page 15]

Internet-Draft Shim6 Protocol September 2005

2), there is a choice whether the shim applies inside the tunnel or
outside the tunnel, which effects the location of the shim6 header.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len Next Header | Checksum 0 |1| Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 4 | Res | Responder Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Next Header: NO_NXT_HDR (59).

Type: 4

Res: 4-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.

Responder The payload which follows this header.
Hdr Ext Len: 0 (since the header is 8 octets).
Reserved: Reserved for future use. Zero on transmit. MUST be
ignored on receipt.
Receiver Context Tag: 20-bit field. 32-bit unsigned integer. Allocated by the
receiver for use to identify the context (together
with the source and destination locators).

5.2 Common Shim6 Control header

The Context Tag common part of the responder header has allocated a next header and header extension
length field which is consistent with the other IPv6 extension
headers, even if the next header value is always "NO NEXT HEADER" for
the context

Initiator Nonce: 32-bit unsigned integer. Copied from control messages; only the I2
message. payload messages use the Next Header
field.

The following options are allowed in shim6 headers must be a multiple of 8 octets, hence the message: minimum
size is 8 octets.

The common message header is as follows:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | Hdr Ext Len |0| Type |Type specific|0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Type specific format |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Nordmark Expires March 31, 5, 2006 [Page 19] 16]

Internet-Draft Shim6 Protocol September 2005

Locator List: Optionally sent when the responder immediately wants

Next Header: 8-bit selector. Normally set to tell the initiator its list of locators. When it
is sent, NO_NXT_HDR (59).
Indicates the necessary HBA/CGA information next header value for
validating the locator list MUST also be included.

Locator Preferences: Optionally sent when shim6 payload
messages.
Hdr Ext Len: 8-bit unsigned integer. Length of the locators don't all have
equal preference.

CGA Parameter Data Structure: Included when shim6 header in
8-octet units, not including the locator list is
included so first 8 octets.
Type: 7-bit unsigned integer. Identifies the receiver can verify actual message
from the locator list.

CGA Signature: Included when table below.
0: A single bit (set to zero) which allows shim6 and HIP
to have a common header format yet telling shim6 and
HIP messages apart.
Checksum: 16-bit unsigned integer. The checksum is the some 16-bit
one's complement of the locators in one's complement sum of the list use
CGA (and not HBA) for validation.

5.6 No Context Error Message Format

Should a host receive a packet (payload packet or
entire shim6 control header message such a a locator update) and the host does not have any
context state for the locators (in starting with the IPv6 source and destination
fields) shim6
next header field, and ending as indicated by the context tag, then it will generate Hdr
Ext Len. Thus when there is a No Context
Error. The error includes payload following the packet that was received, subject to
shim6 header, the packet not exceeding 1280 octets.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ payload is NOT included in the shim6
checksum.

Fields:

Next Header: NO_NXT_HDR (59).

Type: 5

Reserved: 24-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt. | No Context Error |
| 6 | Update Request |
| 7 | Update Acknowledgement |
| 8 | Reachability Probe |
| 9 | Reachability Reply |
| 10 | Keepalive |
| 11 | Context Locator Pair Explore |
+------------+-----------------------------------------------------+

Table 1

5.3 I1 Message Format

The following options are allowed I1 message is the first message in the message: context establishment
exchange.

Nordmark Expires March 31, 5, 2006 [Page 20] 17]

Internet-Draft Shim6 Protocol September 2005

Packet in Error: Variable length mandatory option containing the IPv6
packet that was in error, starting with the IPv6
header, and normally containing the full packet. If
the resulting No Context Error message would exceed
1280 octets, the Packet In Error option will not
include the full packet in error in order to limit the
error to 1280 octets.

5.7 Locator List Update Message Format

The Locator List Update (LLU) Message contains a complete replacement
of the senders locator list, and the options necessary for HBA/CGA to
secure this. The basic sanity check that prevents off-path attackers
from generating bogus updates is the context tag in the message.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 1 | Checksum | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 6 Checksum | Res Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Next Header: NO_NXT_HDR (59).
Type: 6

Res: 4-bit 1
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Initiator Context Tag: 20-bit 32-bit field. The Context Tag the initiator
has allocated for the context.

Request
Initiator Nonce: 32-bit unsigned integer. A random number picked by
the initiator which the responder will return in the
acknowledgement
R1 message.

The following options are allowed in the message:

Nordmark Expires March 31, 2006 [Page 21]

Internet-Draft Shim6 Protocol September 2005

Locator List: The list of the senders (new) locators. The locators
might be unchanged and only the preferences have
changed.

Locator Preferences: Optionally sent when the locators don't all have
equal preference.

CGA Parameter Data Structure: Included so the receiver can verify
ULID pair: TBD Do we need to carry the
locator list.

CGA Signature: Included when ULIDs, or assume they are
the some of same as the locators address fields in the list use
CGA (and not HBA) for validation.

5.8 Locator List Update Acknowledgement IPv6 header?
Depends on how we handle failures during initial
contact.

5.4 R1 Message Format

This

The R1 message is sent the second message in the context establishment
exchange. The responder sends this in response to a LLU message. an I1 message,
without creating any state specific to the initiator.

Nordmark Expires March 5, 2006 [Page 18]

Internet-Draft Shim6 Protocol September 2005

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 2 | Checksum | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 7 Checksum | Res Reserved2 | Responder Context Tag
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Responder Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Next Header: NO_NXT_HDR (59).
Type: 7

Res: 4-bit 2
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.

Initiator Context Tag: 20-bit
Reserved2: 16-bit field. The Context Tag the responder
has allocated Reserved for the context.

Request future use. Zero on
transmit. MUST be ignored on receipt.
Initiator Nonce: 32-bit unsigned integer. Copied from the LLU I1
message.
Responder Nonce: 32-bit unsigned integer. A number picked by the
responder which the initiator will return in the I2
message.

The following options are allowed in the message:

Nordmark Expires March 31, 2006 [Page 22]

Internet-Draft Shim6 Protocol September 2005

TBD any options?:

5.9 Rehome Request Message Format

TBD Is there any use to have
Responder Validator: Variable length option. Typically a separate Rehome pair of messages? The
sender can indicates its new knowledge of one of its locators (such
as it no longer working) using hash
generated by the LLU message. Would it be useful
to be able to specify just failure or preference changes without
listing responder, which the actual locators? This would require that responder uses
together with the locator
list is ordered so that a Rehome Request can refer Responder Nonce value to the locators by
some short index.

Perhaps this functionality can be accomplished by sending a Locator
Update message and only including new Locator Preferences, without
including any Locator List option? If so, we don't need a separate
message.

5.10 Rehome Acknowledgement Message Format

TBD: See above.

5.11 Reachability Probe Message Format

The Reachability Probe verify that
an I2 message is used to prevent 3rd party DoS
attacks, and can also be used indeed sent in response to verify whether a context is
reachable at a given locator should that be needed for the general
reachability detection mechanism (e.g., if we pick the CUD mechanism
where one end sends probes R1
message, and expects a reply).

Before a host uses a locator for the peer that is different than the
ULID, it needs to verify that parameters in the peer is indeed present at that
locator by sending a Context Verify and receiving an acknowledgement.
This I2 message includes are
the ULID pair as well same as those in the context tag, so
that I1 message.

5.5 I2 Message Format

The I2 message is the peer can indeed verify that it has that ULID and that third message in the context tag is correct. establishment
exchange. The initiator sends this in response to a R1 message,
after checking the Initiator Nonce, etc.

Nordmark Expires March 31, 5, 2006 [Page 23] 19]

Internet-Draft Shim6 Protocol September 2005

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 3 | Checksum | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 10 Checksum | Res Reserved2 | Receiver
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Initiator Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Responder Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Next Header: NO_NXT_HDR (59).
Type: 10

Res: 4-bit 3
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.

Receiver Context Tag: 20-bit
Reserved2: 16-bit field. The Context Tag the peer Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Initiator Context Tag: 32-bit field. The Context Tag the initiator
has allocated for the context.

Request
Initiator Nonce: 32-bit unsigned integer. A random number picked by
the initiator which the responder will return in the
acknowledgement
R2 message.
Responder Nonce: 32-bit unsigned integer. Copied from the R1
message.

The following options are allowed in the message:
Responder Validator: Variable length option. Just a copy of the
Validator option in the R1 message.
ULID pair: The ULID pair that is being probed.

5.12 Reachability Probe Reply Message Format

This is sent TBD Do we need to carry the ULIDs, or assume they are
the same as the address fields in response the IPv6 header?
Locator list: Optionally sent when the initiator immediately wants
to a Reachability Probe message. Although,
if tell the receiver responder its list of locators. When it
is sent, the RT does not necessary HBA/CGA information for
validating the locator list MUST also be included.
Locator Preferences: Optionally sent when the locators don't all have a matching context it will
send a No Context Error message.
equal preference.

Nordmark Expires March 31, 5, 2006 [Page 24] 20]

Internet-Draft Shim6 Protocol September 2005

CGA Parameter Data Structure: Included when the locator list is
included so the receiver can verify the locator list.
CGA Signature: Included when the some of the locators in the list use
CGA (and not HBA) for validation.

5.6 R2 Message Format

The R2 message is the fourth message in the context establishment
exchange. The responder sends this in response to an I2 message.
The R2 message is also used when both hosts send I1 messages at the
same time and the I1 messages cross in flight.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 4 | Checksum | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 11 Checksum | Res Reserved2 | Receiver
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Responder Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Initiator Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Next Header: NO_NXT_HDR (59).
Type: 11

Res: 4-bit 4
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.

Receiver
Reserved2: 16-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Responder Context Tag: 20-bit 32-bit field. The Context Tag the peer responder
has allocated for the context.

Request
Initiator Nonce: 32-bit unsigned integer. Copied from the request I2
message.

The following options are allowed in the message:

ULID pair: The ULID pair that is being probed. Copied from
Locator List: Optionally sent when the
Probe message.

5.13 Payload Message Format

The payload message is used for payload which do not have a
designated "foo-inside-shim6" protocol type, as specified in
Section 4.2.

Since responder immediately wants
to tell the shim initiator its list of locators. When it
is placed between the IP endpoint sub-layer and the IP
routing sub-layer in sent, the host, necessary HBA/CGA information for
validating the shim header will locator list MUST also be placed before
any endpoint extension headers (fragmentation headers, destination
options header, AH, ESP), but after any routing related headers (hop-
by-hop extensions header, routing header, a destinations options
header which precedes a routing header). When tunneling is used,
whether IP-in-IP tunneling or the special form of tunneling that included.

Nordmark Expires March 31, 5, 2006 [Page 25] 21]

Internet-Draft Shim6 Protocol September 2005

Mobile IPv6 uses (with Home Address Options and Routing header type
2), there

Locator Preferences: Optionally sent when the locators don't all have
equal preference.
CGA Parameter Data Structure: Included when the locator list is a choice whether
included and the shim applies inside PDS was not included in the tunnel or
outside context
establishment messages, so the tunnel, which effects receiver can verify the location
locator list.
CGA Signature: Included when the some of the locators in the list use
CGA (and not HBA) for validation.

5.7 No Context Error Message Format

Should a host receive a packet with a shim Payload message or shim6 header.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header | 0 | Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 12 | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Next Header: The payload which follows this header.

Hdr Ext Len: 0 (since the header is 8 octets).

Checksum: The checksum of
control message, such a a locator update, and the 8 octets.

Type: 12

Reserved: Reserved host does not have
any context state for future use. Zero on transmit. MUST be
ignored on receipt.

5.14 Keepalive Message Format

The keepalive message would be used if we decide to do the Force
Bidirectional communication as locators (in the IPv6 source and
destination fields) and the context tag, then it will generate a way to get verification that No
Context Error. The error includes the
locator pair continues to work. If we are not going packet that was received,
subject to do FBD we
probably will the packet not need this message. exceeding 1280 octets.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 5 | Checksum | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 13 | Res Checksum | Receiver Context Tag Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Nordmark Expires March 31, 2006 [Page 26]

Internet-Draft Shim6 Protocol September 2005
Next Header: NO_NXT_HDR (59).
Type: 13

Res: 4-bit 5
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.

Receiver Context Tag: 20-bit
Reserved2: 16-bit field. The Context Tag the peer has
allocated Reserved for the context. future use. Zero on
transmit. MUST be ignored on receipt.

The following options are allowed in the message:

TBD any options?:

5.15 Locator Pair Test Message Format

The above Reachability Probe message probes a context. This message
just probes a locator. If we are going to handle failure during
initial contact using the shim, then the shim needs to be able to
find out what locators are working (and that they correspond to a
desirable ULID) without assuming there is a context setup, and
without knowing
Packet in Error: Variable length option containing the actual ULID. The latter is needed so IPv6 packet
that we can
handle the case when was in error, starting with the AAAA RRset contains any combination of
multiple hosts IPv6 header, and multiple IP addresses for a given host. Having
the responder send back the ULID that corresponds to a particular
locator allows
normally containing the initiator to take full packet. If the AAAA RRset and determine
which IPv6 addresses therein are for different hosts.

Once we understand how resulting
No Context Error message would exceed 1280 octets, the shim
Packet In Error option will be involved in locator failures
during initial contact, then we can determine whether we need this
mechanism, and whether it can be overloaded on the Probe Message
(e.g., by making not include the Receiver Context tag optional full
packet in error in order to limit the
Reachability Probe message). error to 1280
octets.

Nordmark Expires March 31, 5, 2006 [Page 27] 22]

Internet-Draft Shim6 Protocol September 2005

5.8 Update Request Message Format

The Update Request Message is used to update either the list or
locators, the locator preferences, and both. When the list of
locators is updated, the message also contains the option(s)
necessary for HBA/CGA to secure this. The basic sanity check that
prevents off-path attackers from generating bogus updates is the
context tag in the message.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 6 | Checksum | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 14 Checksum | Reserved Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Nonce Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Target ULID +
| Request Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Next Header: NO_NXT_HDR (59).
Type: 14

Reserved: 24-bit 6
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.

Request Nonce: 32-bit unsigned integer. A random number picked by
the sender which the target will
Reserved2: 16-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Receiver Context Tag: 32-bit field. The Context Tag the receiver has
allocated for the context.
Request Nonce: 32-bit unsigned integer. A random number picked by
the initiator which the peer will return in the reply
acknowledgement message.

Target ULID: 128-bit IPv6 address.

The following options are allowed in the message:

TBD any options?:

5.16 Locator Pair Test Reply Message Format

If a host receives a
Locator Pair Test message, and the Target ULID
is one List: The list of its IP addresses, then it will send this reply.

TBD: If ULID doesn't match, does it just ignore the test message? Or
send some error?

TBD: Should the responder instead return its ULID, so that it is
easier for senders (new) locators. The locators
might be unchanged and only the sender to determine which of preferences have
changed.
Locator Preferences: Optionally sent when the IPv6 addresses from locators don't all have
equal preference.

Nordmark Expires March 31, 5, 2006 [Page 28] 23]

Internet-Draft Shim6 Protocol September 2005

CGA Signature: Included when the some of the DNS correspond to different hosts vs. different locators in the list use
CGA (and not HBA) for validation.

5.9 Update Acknowledgement Message Format

This message is sent in response to a Update Request message. It
implies that the
same host? Update Request has been received, and that any new
locators in the Update Request can now be used as the source locators
of packets. But it does not imply that the (new) locators have been
verified and will be used as a destination, since the host might
defer the verification of a locator until it is used as a
destination.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 7 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Reserved2 | 15
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Target ULID +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Next Header: NO_NXT_HDR (59).
Type: 15

Reserved: 24-bit 7
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Receiver Context Tag: 32-bit field. The Context Tag the receiver has
allocated for the context.
Request Nonce: 32-bit unsigned integer. Copied from the test
message.

Target ULID: 128-bit IPv6 address. Copied from the test Update
Request message.
TBD: Or should the host be able to fill this in to
make it easier for the peer to determine which
locators refer to the same host?

The following

No options are allowed in the message:

TBD any options?:

5.17 Context Locator Pair Explore currently defined for this message.

5.10 Reachability Probe Message Format

This is a placeholder for the protocol mechanism outlined in [6].

The idea behind that mechanism Reachability Probe message is used to prevent 3rd party DoS
attacks, and can also be able to handle the case when
one locator pair works in from A used to B, and another verify whether a context is
reachable at a given locator pair works should that be needed for the general

Nordmark Expires March 31, 5, 2006 [Page 29] 24]

Internet-Draft Shim6 Protocol September 2005

from B to A, but there is no locator pair which works in both
directions. The protocol

reachability detection mechanism is (e.g., if we pick the CUD mechanism
where one end sends probes and expects a reply).

Before a host uses a locator for the peer that as A is sending explore
packets to B, B will observe which locator pairs different than the
ULID, it has received from
and report needs to verify that back in explore packets it the peer is indeed present at that
locator by sending to A.

0 1 2 3
0 1 2 3 4 5 6 7 a Context Verify and receiving an acknowledgement.
This message includes the ULID pair as well as the context tag, so
that the peer can indeed verify that it has that ULID and that the
context tag is correct.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 8 | Checksum | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 16 Checksum | Reserved2 | Res
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number Request Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Next Header: NO_NXT_HDR (59).
Type: 16

Res: 4-bit 8
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Receiver Context Tag: 20-bit 32-bit field. The Context Tag the peer receiver has
allocated for the context.

Sequence Number:
Request Nonce: 32-bit unsigned integer. Used to determine which
packets have been received A random number picked by
the peer. initiator which the responder will return in the
acknowledgement message.

The following options are allowed in the message:

Explorer Results: Indication of what Explorer messages
ULID pair: The ULID pair that is being probed.

5.11 Reachability Reply Message Format

This is sent in response to a Reachability Probe message. Although,
if the sender has
recently received from receiver of the peer. Reachability Probe does not have a matching
context it will send a No Context Error message.

Nordmark Expires March 31, 5, 2006 [Page 30] 25]

Internet-Draft Shim6 Protocol September 2005

6. Option Formats

The options follow the same layout as in RFC 2461 [2]. Thus they all
are a multiple of 8 octets.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 9 | Length Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ... Checksum | Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ... ~
| Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Next Header: NO_NXT_HDR (59).
Type: 8-bit identifier of the type of option. The options
defined in this document are below.

Length: 8-bit unsigned integer. The length of the option
(including the type and length fields) in units of 8
octets. 9
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Receiver Context Tag: 32-bit field. The value 0 Context Tag the receiver has
allocated for the context.
Request Nonce: 32-bit unsigned integer. Copied from the request
message.

The following options are allowed in the message:
ULID pair: The ULID pair that is invalid. Nodes MUST silently
discard an ND packet being probed. Copied from the
Probe message.

5.12 Keepalive Message Format

The keepalive message would be used if we decide to do the Force
Bidirectional communication as a way to get verification that contains an option with
length zero.

Nordmark Expires March 5, 2006 [Page 26]

Internet-Draft Shim6 Protocol September 2005

0 1 2 3
0 1 |
| | |
| Locator List | 2 |
| | |
| Locator Preferences | 3 |
| | |
| CGA Parameter Data Structure | 4 |
| | |
| CGA Signature | 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 10 | Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Checksum | ULID Pair | 6 |
| | Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Packet In Error Receiver Context Tag | 7
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Request Nonce |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Options +
| Explorer Results | 8 |
+------------------------------+------+

Table 2

Nordmark Expires March 31, 2006 [Page 31]

Internet-Draft Shim6 Protocol September 2005

6.1 Validator Option Format
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Next Header: NO_NXT_HDR (59).
Type: 10
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Reserved2: 16-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Receiver Context Tag: 32-bit field. The responder can choose exactly what input uses to compute the
validator, and what one-way function (MD5, SHA1) it uses, as long as
the reponder can verify that the validator it receives back in Context Tag the I2
packet is indeed one that 1) it computed, 2) it computed receiver has
allocated for the
particular context, and 3) that it isn't a replayed I2 context.
Request Nonce: 32-bit unsigned integer. Copied from the Reachability
Probe message.

One way

No options are currently defined for the responder to do this message.

5.13 Context Locator Pair Explore Message Format

This is to maintain a single secret
(S) and a running counter placeholder for the Responder Nonce. For each I1
message, the responder can then increase the counter, use the counter
value as the responder nonce, and use the following information as
input to the one-way function:

o The the secret S

o That Responder Nonce

o protocol mechanism outlined in [7].
The Initiator Context Tag from idea behind that mechanism is to be able to handle the I1 message

o The ULIDs case when
one locator pair works in from the I1 message

o The locators A to B, and another locator pair works
from the I1 message (strictly only needed if they are
different from the ULIDs)

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 1 | Length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
~ Validator ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Validator: Variable length content whose interpretation is local B to the responder.

6.2 Locator List Option Format A, but there is no locator pair which works in both
directions. The Locator List Option protocol mechanism is used to carry all the locators of the
sender. Note that the order of the locators as A is important, since the
Locator Preferences and the Explorer packet refers sending explore
messages to the locators by
using the index in the list.

TBD: Do we need this when all the locators are contained B, B will observe which locator pairs it has received
from and report that back in the PDS? explore messages it is sending to A.

Nordmark Expires March 31, 5, 2006 [Page 32] 27]

Internet-Draft Shim6 Protocol September 2005

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 59 | Hdr Ext Len |0| Type = 2 11 | Length Reserved1 |0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserveds Receiver Context Tag |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Locators ~
| |
+ Options +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Reserved: 48-bit
Next Header: NO_NXT_HDR (59).
Type: 11
Reserved1: 7-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.

Locators: A variable number of 128-bit locators. The number of
locators present can be determined
Sequence Number: 16-bit unsigned integer. Used to determine which
messages have been received by the option
length peer.
Receiver Context Tag: 32-bit field.

6.3 Locator Preferences Option Format The Locator Preferences option can have some flags to indicate
whether or not a locator is known to work. In addition, Context Tag the receiver has
allocated for the context.

The following options are allowed in the message:
Explorer Results: Indication of what Explorer messages the sender
can include a notion has
recently received from the peer.

5.14 Option Formats

All of preferences. It might make sense to define
"preferences" as the TLV parameters have a combination of priority length (including Type and weight the same way
that DNS SRV records has such information. The priority would
provide Length
fields) which is a way multiple of 8 bytes. When needed, padding MUST be
added to rank the locators, and within a given priority, end of the
weight would provide a way to do some load sharing. See [8] for how
SRV defines parameter so that the interaction total length becomes a
multiple of priority and weight.

As 8 bytes. This rule ensures proper alignment of this draft we define data. If
padding is added, the preferences to Length field MUST NOT include three 8-bit
fields: a priority, a weight, the padding. Any
added padding bytes MUST be zeroed by the sender, and 8-bits their values
SHOULD NOT be checked by the receiver.

Consequently, the Length field indicates the length of flags. The intent is
that the TBD flags can carry information such as "this locator is
not working", and "this locator is temporary". Contents
field (in bytes). The latter allows
making total length of the distinction between more stable addresses TLV parameter (including
Type, Length, Contents, and less stable
addresses when shim6 Padding) is combined with IP mobility, when we might have
more stable home locators, and less stable care-of-locators.

The locators are not included in the preference list. Instead, the
first element refers related to locator that was in the first element in the
Locator List option. This assumes that Length field
according to the Locator List option is
stable. See Section 17.

Nordmark Expires March 31, 2006 following formula:

Total Length = 11 + Length - (Length + 3) % 8;

Nordmark Expires March 5, 2006 [Page 33] 28]

Internet-Draft Shim6 Protocol September 2005

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 3 | |C| Length | Pri[1] | Weight[1] |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Flags[1] | Pri[2]
/ Contents /
/ +-+-+-+-+-+-+-+-+
| Weight[2] | Flags[2] Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ... ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Pri[i]: 8-bit unsigned integer. The Priority associated with
the i'th locator in the Locator List option that is in
use.

Weight[i]: 8-bit unsigned integer. The Weight associated with
the i'th locator in
Type: 15-bit identifier of the Locator List option that is in
use.

Flags[i]: 8-bit unsigned integer. type of option. The flags associated with the
i'th locator in the Locator List option that is options
defined in
use.

The set of flags is TBD: Assume there will be two initially: BROKEN
and TEMPORARY.

6.4 CGA Parameter Data Structure Option Format

This option contains the CGA this document are below.
C: Critical. One if this parameter data structure (hereafter
called the PDS). When HBA is used to validate critical, and MUST
be recognized by the locators, recipient, zero otherwise. An
implementation might view the PDS
contains C bit as part of the HBA multiprefix extension. When CGA is used to validate
Type field, by multiplying the locators, type values in addition to the CGA PDS, this
specification by two.
Length: Length of the signature will need to
be included as a CGA Signature option.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 Contents, in bytes.
Contents: Parameter specific, defined by Type.
Padding: Padding, 0-7 bytes, added if needed.

+------------------------------+------+
| Option Name | Type |
+------------------------------+------+
| Validator | 1 |
| Locator List | 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = 4
| Length Locator Preferences | 3 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
~ CGA Parameter Data Structure ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Nordmark Expires March 31, 2006 | 4 |
| CGA Signature | 5 |
| ULID Pair | 6 |
| Packet In Error | 7 |
| Explorer Results | 8 |
+------------------------------+------+

Table 2

5.14.1 Validator Option Format

The responder can choose exactly what input uses to compute the
validator, and what one-way function (MD5, SHA1) it uses, as long as
the responder can verify that the validator it receives back in the
I2 message is indeed one that 1) it computed, 2) it computed for the
particular context, and 3) that it isn't a replayed I2 message.

One way for the responder to do this is to maintain a single secret

Nordmark Expires March 5, 2006 [Page 34] 29]

Internet-Draft Shim6 Protocol September 2005

CGA Parameter Data Structure: Variable length content. Content
defined in [4].

6.5 CGA Signature Option Format

When CGA is used

(S) and a running counter for validation of one or more of the locators in Responder Nonce. For each I1
message, the
PDS, responder can then increase the message in question will need counter, use the counter
value as the responder nonce, and use the following information as
input to contain this option. the one-way function:
o The the secret S
o That Responder Nonce
o The Initiator Context Tag from the I1 message
o The ULIDs from the I1 message
o The locators from the I1 message (strictly only needed if they are
different from the ULIDs)

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 5 | 1 |0| Length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ CGA Signature Validator ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

CGA Signature:
Validator: Variable length content. Content defined in [4].

6.6 ULID Pair content whose interpretation is local
to the responder.

5.14.2 Locator List Option Format

It isn't clear whether we need this option. It depends whether we
want to be able

The Locator List Option is used to setup a context for a ULID pair when carry all the locators of the
sender. Note that ULID
pair can't be used the order of the locators is important, since the
Locator Preferences and the Explorer message refers to communicate. Thus the IPv6 addresses locators
by using the index in the
context establishment would not list.

Note that we carry all the locators in this option even though some
of them can be created automatically from the ULIDs. CGA Parameter Data
Structure.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 6 | 2 |0| Length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| Reserveds |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Sender ULID +
| Locator List Generation |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Num Locators |
+ Receiver ULID + N Octets of Verification Method |
+-+-+-+-+-+-+-+-+ |
~ ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Locators 1 through N ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Nordmark Expires March 31, 5, 2006 [Page 35] 30]

Internet-Draft Shim6 Protocol September 2005

Reserved: 48-bit field. Reserved

Fields:
Locator List Generation: 32-bit unsigned integer. Indicates a
generation number which is increased by one for future use. Zero on
transmit. MUST be ignored on receipt.

Sender ULID: A 128-bit IPv6 address.

Receiver ULID: A each
new locator list. This is used to ensure that the
index in the Locator Preferences and Explorer results
refer to the right version of the locator list.
Num Locators: 8-bit unsigned integer. The number of locators that
are included in the option. We call this number "N"
below.
Verification Method: N octets. The i'th octet specifies the
verification method for the i'th locator.
Locators: N 128-bit IPv6 address.

6.7 Packet In Error Option Format

0 1 2 3 locators.

The defined verification methods are:

+-------+----------+
| Value | Method |
+-------+----------+
| 0 | Reserved |
| 1 | HBA |
| 2 | CGA |
| 3-255 | Reserved |
+-------+----------+

Table 3

5.14.3 Locator Preferences Option Format

The Locator Preferences option can have some flags to indicate
whether or not a locator is known to work. In addition, the sender
can include a notion of preferences. It might make sense to define
"preferences" as a combination of priority and weight the same way
that DNS SRV records has such information. The priority would
provide a way to rank the locators, and within a given priority, the
weight would provide a way to do some load sharing. See [8] for how
SRV defines the interaction of priority and weight.

The minimum notion of preferences we need is to be able to indicate
that a locator is "dead". We can handle this using a single octet
flag for each locator.

We can extend that by carrying a larger "element" for each locator.
This document presently also defines 2-octet and 3-octet elements,
and we can add more information by having even larger elements if
need be.

The locators are not included in the preference list. Instead, the

Nordmark Expires March 5, 2006 [Page 31]

Internet-Draft Shim6 Protocol September 2005

first element refers to locator that was in the first element in the
Locator List option. The generation number carried in this option
and the Locator List option is used to verify that they refer to the
same version of the locator list.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 7 | 3 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Locator List Generation |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserveds Element Len | Element[1] ... | Element[2] |
| ... | Element[3] ... | ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ IPv6 header, shim6/TCP/UDP header, etc ... ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Reserved: 48-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.

Packet: A variable length field
Locator List Generation: 32-bit unsigned integer. Indicates a
generation number for the locator list to which contains the packet
elements should apply.
Element Len: 8-bit unsigned integer. The length in
error starting octets of each
element. This draft defines the cases when the length
is 1, 2, or 3.
Element[i]: A field with a number of octets defined by the IPv6 header.

6.8 Explorer Results Option Format Element
Len field. Provides preferences for the i'th locator
in the Locator List option that is in use.

When the Element length equals one, then the element consists of only
a flags field. The set of flags is TBD: This needs Assume there will be two
initially: BROKEN and TEMPORARY. The intent of the latter is to indicate which explorer packets (sequence numbers,
source
allow the distinction between more stable addresses and destination locators) that less stable
addresses when shim6 is combined with IP mobility, when we might have been recently received,
more stable home locators, and less stable care-of-locators.

When the Element length equals two, the the element consists of a 1
octet flags field followed by a 1 octet priority field. The priority
has the same semantics as the priority in
order DNS SRV records.

When the Element length equals three, the the element consists of a 1
octet flags field followed by a 1 octet priority field, and a 1 octet
weight field. The weight has the same semantics as the weight in DNS
SRV records.

5.14.4 CGA Parameter Data Structure Option Format

This option contains the CGA parameter data structure (hereafter

Nordmark Expires March 5, 2006 [Page 32]

Internet-Draft Shim6 Protocol September 2005

called the PDS). When HBA is used to validate the locators, the PDS
contains the HBA multiprefix extension. When CGA is used to validate
the locators, in addition to the CGA PDS, the signature will need to
be included as a CGA Signature option.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 4 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ CGA Parameter Data Structure ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
CGA Parameter Data Structure: Variable length content. Content
defined in [5].

5.14.5 CGA Signature Option Format

When CGA is used for validation of one or more of the locators in the
PDS, then the message in question will need to contain this option.

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 5 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
CGA Signature: Variable length content. Content defined in [5].

5.14.6 ULID Pair Option Format

It isn't clear whether we need this option. It depends whether we
want to be able to setup a context for a ULID pair when that ULID
pair can't be used to communicate. Thus the IPv6 addresses in the
context establishment would not be the ULIDs.

Nordmark Expires March 5, 2006 [Page 33]

Internet-Draft Shim6 Protocol September 2005

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 2 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Sender ULID +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ Receiver ULID +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Reserved: 48-bit field. Reserved for future use. Zero on
transmit. MUST be ignored on receipt.
Sender ULID: A 128-bit IPv6 address.
Receiver ULID: A 128-bit IPv6 address.

5.14.7 Packet In Error Option Format

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 7 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ IPv6 header, shim6/TCP/UDP header, etc ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Packet: A variable length field which contains the packet in
error starting with the IPv6 header.

5.14.8 Explorer Results Option Format

TBD: This needs to indicate which explorer messages (sequence
numbers, source and destination locators?) that have been recently
received, in order to detect which locator pairs work when there is
no locator pair which works in both directions. When indicating
locators it makes sense to use the offset in the Locator List (that
was carries in the Locator List option), since this takes less space
than including the locators themselves.

TBD: add that data and other shim control messages are included in
the learned results.

Nordmark Expires March 5, 2006 [Page 34]

Internet-Draft Shim6 Protocol September 2005

p
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 8 |0| Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sender Locator List Generation |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Receiver Locator List Generation |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ Explorer Results ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Sender Locator List Generation: The generation number for the
sender's locator list to which the indices below
refer.
Receiver Locator List Generation: The generation number for the
receiver's locator list to which the indices below
refer.
Explorer Results: This field contains a list of elements, where each
element indicates one locator pair for which the
sender of the option has recently received a message.
Each result occupies 32 bits. The list should be
ordered so that the most recently heard locator pairs
are first. SHOULD NOT include locator pairs that were
last received more than some number of seconds ago.
p
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sender Index | Receiver Index| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:
Sender Index: 8-bit unsigned Integer. The Index is relative to the
sender's locator list.
Receiver Index: 8-bit unsigned Integer. The Index is relative to the
receiver locator list.
Sequence Number: 16-bit unsigned Integer. The Sequence number of the
explorer message in which the locator pair < sender
index, receiver index> was last heard. If this
locator pair was last heard in a message other than an
Explore message, then this number is zero.

6. Conceptual Model of a Host

This section describes a conceptual model of one possible data

Nordmark Expires March 5, 2006 [Page 35]

Internet-Draft Shim6 Protocol September 2005

structure organization that hosts will maintain for the purposes of
shim6. The described organization is provided to facilitate the
explanation of how the shim6 protocol should behave. This document
does not mandate that implementations adhere to this model as long as
their external behavior is consistent with that described in this
document.

6.1 Conceptual Data Structures

The key conceptual data structure for the shim6 protocol is the host
pair context. This is a data structures which contains the following
information:
o The peer ULID; ULID(peer)
o The local ULID; ULID(local)
o The list of peer locators, with their preferences; Ls(peer)
o For each peer locator, a bit whether it has been validated using
HBA, and a bit whether the locator has been probed to verify that
the ULID is present at that location.
o The preferred peer locator - used as destination; Lp(peer)
o The set of local locators and the preferences; Ls(local)
o The preferred local locator - used as source; Lp(local)
o The context tag used to transmit control messages and ULP packets
- allocated by the peer; CT(peer)
o The context to expect in received control messages and extension
headers - allocated by the local host; CT(local)
o Reachability state for the locator pairs.
o During pair exploration, information about the explore messages
that have been sent and received.

The receiver finds the context by looking it up using <Source
Locator, Destination Locator, CT(local)>, where the context tag is in
the shim header. The sender needs to be able to find the context
state when a ULP packet is passed down from the ULP. In that case
the lookup key is the pair of ULIDs.

7. Establishing Host Pair Contexts

Host pair contexts are established using a 4-way exchange, which
allows the responder to avoid creating state on the first packet. As
part of this exchange each end allocates a context tag, and it shares
this context tag and its set of locators with the peer.

In some cases the 4-way exchange is not necessary, for instance when
both ends try to setup the context at the same time, or when
recovering from a context that has been garbage collected or lost at
one of the hosts.

Nordmark Expires March 5, 2006 [Page 36]

Internet-Draft Shim6 Protocol September 2005

7.1 Normal context establishment

The normal context establishment consists of a 4 message exchange in
the order of I1, R1, I2, R2.

Initiator Responder

------------- I1 -------------->

<------------ R1 ---------------

------------- I2 -------------->

<------------ R2 ---------------

Figure 26

7.2 Concurrent context establishment

When both ends try to initiate a context for the same ULID pair, then
we might end up with crossing I1 messages, or since the no state is
created when receiving the I1, a host might send a I1 after having
sent a R1 message.

Since a host remembers that it has sent an I1, it can respond to an
I1 from the peer (for the same ULID), with a R2.

Initiator Responder

-\
---\
---\ /---
--- I1 ---\ /---
---\
/--- I1 ---/ ---\
/--- -->
<---

-\
---\
---\ /---
--- R2 ---\ /---
---\
/--- R2 ---/ ---\
/--- -->
<---

Nordmark Expires March 5, 2006 [Page 37]

Internet-Draft Shim6 Protocol September 2005

Figure 27

If a host has received an I1 and sent an R1, then a ULP can trigger
it to send an I1 message itself, since it doesn't retain any state
when receiving the I1 message. Thus while one end is sending an I1
the other is sending an I2.

Initiator Responder

-\
---\
---\
--- I1 ---\
---\
---\
-->

/---
/---
---
/--- R1--/
/---
<---

-\
---\
---\ /---
--- I2---\ /---
---\
/--- I1 ---/ ---\
/--- -->
<---

-\
---\
---\ /---
--- R2 ---\ /---
---\
/--- R2 ---/ ---\
/--- -->
<---

Figure 28

7.3 Context recovery

Due to garbage collection, we can end up with one end having and

Nordmark Expires March 5, 2006 [Page 38]

Internet-Draft Shim6 Protocol September 2005

using the context state, and the other end not having any state. We
need to be able to recover this state at the end that has lost it,
before we can use it.

This need can arise in two cases:
The communication is working using the ULID pair as the locator
pair, but a problem arises, and the end that has retained the
context state decides to explore alternate locator pairs.
The communication is working using a locator pair that is not the
ULID pair, hence the ULP packets sent from a peer that has
retained the context state use the shim payload header.
In both cases the result is that the peer without state receives a
shim message for which it has to context for the <source locator,
destination locator, context tag>.

In both of those case we can recover the context by having the node
which doesn't have a context state, send back an R1bis [TBD] message,
and have this complete a recover with a I2 and R2 message.

If one end has garbage collected or lost the context state, it might
try to create the context state (for the same ULID pair), by sending
an I1 message. The peer can simply reply with an R2 message in this
case.

7.4 Context confusion

Since each end might garbage collect the context state we can have
the case when one end has retained the context state and tries to use
it, while the other end has lost the state. We discussed this in the
previous section on recovery. But for the same reasons, when one
host retains context tag X for ULID pair <A1, B1>, the other end
might end up allocating that context tag for another ULID pair, e.g.,
<A3, B1> between the same hosts. In this case we can not use the
recovery mechanisms since there needs to be separate context tags for
the two ULID pairs.

This type of "confusion" can be observed in two cases (assuming it is
A that has retained the state and B has dropped it):
B decides to create a context for ULID pair <A3, B1&gt, and
allocates X as its context tag for this, and sends an I1 to A.
A decides to create a context for ULID pair <A3, B1&gt, and starts
the exchange by sending I1 to B. When B receives the I2 message,
it allocates X as the context tag for this context.
In both cases, A can detect that B has allocated X for ULID pair <A3,
B1&gt even though that A still X as CT(peer) for ULID pair <A1,
B1&gt. Thus A can detect that B must have lost the context for <A1,
B1&gt.

Nordmark Expires March 5, 2006 [Page 39]

Internet-Draft Shim6 Protocol September 2005

The solution to this issue is TBD. The know possibilities are:
Have A forcibly destroy the context for <A1, B1&gt, so that it can
accept the new context for <A3, B1&gt.
Have A accept the context for <A3, B1&gt, forget about the old
context, but initiate a new (replacement) context for <A1, B1&gt
by sending an I1 message. That I1 through R2 exchange will make B
allocate a new context tag for <A1, B1&gt.
Avoid the problem by changing the context tag allocation so that A
and B allocates half of the bits (16 each) of the context tags, so
that even if one end looses state, the peer can make sure that the
context tags for each context are unique.

7.5 Sending I1 messages

When the shim layer decides to setup a context for a ULID pair, it
starts by allocating and initializing the context state for its end.
As part of this it assigns its context tag to the context. Then it
can send an I1 message.

If the host does not receive an I2 or R2 message in response to the
I1 message, then it needs to retransmit the I1 message. The
retransmissions should use a retransmission timer with binary
exponential backoff to avoid creating congestion issues for the
network when lots of hosts perform this.

If, after several retransmissions, there is no response, then most
likely the peer does not implement the shim6 protocol, or there could
be a firewall that blocks the protocol. In this case it makes sense
for the host to remember to not try again to establish a host pair
context with that ULID. However, any such negative caching should
retained for a limit time; a few minutes would be appropriate, to
allow things to recover should the host not be reachable at all when
the shim tries to establish the context.

If the host receives an ICMP error with "payload type unknown" and
the included packet is the I1 packet it just sent, then this is a
more reliable indication that the peer ULID does not implement shim6.

7.6 Receiving I1 messages

If the host looks up a context for the ULID pair and the peer's (not
its) context tag. If it finds such a context, the it needs to verify
that the locators in the message are in fact part of the locator sets
that are recorded in the existing context state. If this is not the
case, then the I1 message MUST be silently ignored. (This can only
happen when there is an ULID pair option in the I1 message.) If the
locators are ok, then the host can respond with an R2 message as if
it had received an I2 message and not an I1 message.

Nordmark Expires March 5, 2006 [Page 40]

Internet-Draft Shim6 Protocol September 2005

If there is no existing context state, then the host forms a verifier
and sends this back to the peer in an I2 message. No state is
created on the host in this case.

7.7 Receiving R1 messages

When the host receives an R1 message, it verifies that the nonce
matches what it sent in the I1 message, and that it has context state
for the ULID pair. It then sends an I2 message, which includes the
verifier option that was in the R1 message. The I2 message also
includes A's locator pairs work list and the CGA parameter set. If CGA (and not
HBA) is used to verify the locator list, then A also signs things and
includes a CGA signature option.

The host may receive an R1[bis] TBD message that was not sent in
response to an I1 message but instead sent as a result of context
recovery. The difference between an R1bis and an R1 message is that
the former use the context tag of the responder??? TBD how there are
handled and whether they are identical to an R1.

7.8 Retransmitting I2 messages

If the initiator does not receive an R2 message after sending an I2
message it MAY retransmit the I2 message. But since the verifier
option might have a limited lifetime, that is, the peer might reject
verifier options that are too old to avoid replay attacks, the
initiator SHOULD fall back to retransmitting the I1 message when
there is no response to one or a few I2 messages.

7.9 Receiving I2 messages

The responder checks that the nonce and the verifier option is
consistent with what it might have sent in a recent R1 message (by
verifying the hash it computed.) If this is ok, then the host checks
if it already has context state for the ULID pair and the CT(peer).
If it has such state, the I2 message was probably a retransmission.
In this case the host sends an R2 message.

If there is no context state, the responder allocates a context tag
(CT(local)) and creates the context state for the context. It
records the peer's locator
pair which works set as well as its own locator set in both directions. When indicating locators it
makes sense to use the offset in
context. It MAY verify the Locator List (that was carries peers locator set at this point in time,
but the LLU option), since this takes less space than including requirement is that a locator MUST be verified before the
host starts sending packets to that locator, thus the host MAY defer
the verification until later.

The host forms an R2 message with its locators themselves.
p
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 8 | Length | TBD |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
~ ... ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Fields:

Nordmark Expires March 31, 2006 [Page 36]

Internet-Draft Shim6 Protocol September 2005

TBD: and its context tag,
and includes the necessary options so that the peer can verify the

Nordmark Expires March 31, 5, 2006 [Page 37] 41]

Internet-Draft Shim6 Protocol September 2005

7. Conceptual Model of a Host

This section describes a conceptual model of one possible data
structure organization that hosts

locators.

R2 messages are never retransmitted. If the R2 message is lost, then
the initiator will maintain for retransmit either the purposes of
shim6. I2 or I1 message. Either
retransmission will cause the responder to find the context state and
respond with an R2 message.

7.10 Receiving R2 messages

The described organization is provided initiator can receive an R2 message in response to facilitate either an I1
or an I2 message, but the
explanation handling of how the shim6 protocol should behave. This document
does not mandate that implementations adhere to this model as long as
their external behavior R2 is consistent with that described the same in this
document.

7.1 Conceptual Data Structures both
cases. The key conceptual data structure for host first verifies that the shim6 protocol nonce is the host
pair context. This is a data structures which contains same as the following
information:

o The peer ULID; ULID(peer)

o The local ULID; ULID(local)

o The list of peer locators, with their preferences; Ls(peer)

o For each peer locator, a bit whether one
it has been validated using
HBA, and a bit whether sent (in the locator has been probed to verify that I1 or I2 message). If it doesn't match, the ULID R2
message is present at that location.

o The preferred peer locator - used as destination; Lp(peer)

o The set of local locators and the preferences; Ls(local)

o The preferred local locator - used as source; Lp(local)

o The context tag used to transmit packets - allocated by the peer;
CT(peer)

o The context to expect in received packets - allocated by silently dropped.

Then the local
host; CT(local)

o Reachability state for host records the locator pairs.

o During pair exploration, information about from the explore packets
that have been sent and received.

The receiver finds R2 message in the
context by looking it up using <Source
Locator, Destination Locator, CT(local)>, where state. It records the context tag is peer's locator set in the Flow Label field for ULP payload packets, and in context. It
MAY verify the shim headers
for control messages. The sender needs to be able to find peers locator set at this point in time, but the
context state when a packet
requirement is passed down from that a locator MUST be verified before the ULP. In host starts
sending packets to that

Nordmark Expires March 31, 2006 [Page 38]

Internet-Draft Shim6 Protocol September 2005

case locator, thus the lookup key is host MAY defer the pair of ULIDs.

Nordmark Expires March 31, 2006 [Page 39]

Internet-Draft Shim6 Protocol September 2005
verification until later.

8. Establishing Host Pair Contexts

TBD

8.1 Sending I1 messages

8.2 Receiving I1 messages

8.3 Receiving R1 messages

8.4 Retransmitting I1 messages

8.5 Receiving I2 messages

8.6 Retransmitting I2 messages

8.7 Concurrent context establishment

Nordmark Expires March 31, 2006 [Page 40]

Internet-Draft Shim6 Protocol September 2005

9. No Such Content Errors

TBD

Nordmark Expires March 31, 2006 [Page 41]

Internet-Draft Shim6 Protocol September 2005

10.

The Interim Meeting discussed ways to recover the context state at
one end when the other end sees a failure (and starts sending Explore
messages). The discussed approach is to use a R1 (or R1bis) message
in response to a message with an unknown context, which would cause
the context to be recreated.

9. Handling ICMP Error Messages

The routers in the path as well as the destination might generate
various ICMP error messages, such as host unreachable, packet too
big, and payload type unknown. It is critical that these packets
make it back up to the ULPs so that they can take appropriate action.

When the ULP packets are sent unmodified, that is, while the initial
locators=ULIDs are working, this introduces no new concerns; an
implementation's existing mechanism for delivering these errors to
the ULP will work. But when the shim on the transmitting side
replaces the ULIDs in the IP address fields with some other locators,
then an ICMP error coming back will have a "packet in error" which is
not a packet that the ULP sent. Thus the implementation will have to
apply the reverse mapping to the "packet in error" before passing the
ICMP error up to the ULP.

Nordmark Expires March 5, 2006 [Page 42]

Internet-Draft Shim6 Protocol September 2005

This mapping is different than when receiving ULP packets from the
peer, because in that case the packets contain CT(local). But the
ICMP errors have a "packet in error" with CT(peer) since they were
intended to be received by the peer. In any case, since the <Source
Locator, Destination Locator, CT(peer)> has to be unique when
received by the peer, the local host should also only be able to find
one context that matches this tuple.

Should the ULP packet have been conveyed using the protocol type
encoding (Section 4.2), then that encoding must be undone for the
packet in error before it is delivered to the ULP.

If the ULP packet had been encapsulated in a shim6 payload message,
then this extension header must be removed. The result needs to be
that the ULP receives an ICMP error where the contained "packet in
error" looks as if the shim did not exist.

Nordmark Expires March 31, 2006 [Page 42]

Internet-Draft Shim6 Protocol September 2005

11. Taredown

10. Teardown of the Host Pair Context

Each host can unilaterally decide when to tare tear down a host-pair
context. It is RECOMMENDED that hosts not tare tear down the context when
they know that there is some upper layer protocol that might use the
context. For example, an implementation might know this is there is
an open socket which is connected to the ULID(peer). However, there
might be cases when the knowledge is not readily available to the
shim layer, for instance for UDP applications which not not connect
their sockets, or any application which retains some higher level
state across (TCP) connections and UDP packets.

Thus it is RECOMMENDED that implementations minimize premature
taredown
teardown by observing the amount of traffic that is sent and received
using the context, and only after it appears quiescent, tare down the
state.

Nordmark Expires March 31, 2006 [Page 43]

Internet-Draft Shim6 Protocol September 2005

12. it appears quiescent, tear down the
state.

11. Updating the Locator Pairs

TBD

Nordmark Expires March 31, 2006 [Page 44]

Internet-Draft Shim6 Protocol September 2005

13.

12. Various Probe Mechanisms

TBD

Nordmark Expires March 31, 2006 [Page 45]

Internet-Draft Shim6 Protocol September 2005

14.

13. Rehoming to a Different Locator Pair

TBD

Nordmark Expires March 31, 2006 [Page 46]

Internet-Draft Shim6 Protocol September 2005

15.

14. Payload Packets before a Switch

When there is no context state for the ULID pair on the sender, there
is no effect on how ULP packets are sent. If the host is using some
heuristic for determining when to perform a deferred context
establishment, then the host might need to do some accounting (count

Nordmark Expires March 5, 2006 [Page 43]

Internet-Draft Shim6 Protocol September 2005

the number of packets sent and received) even before there is a host-
pair context. This need to count packets might also appear on the
receive side, depending on what heuristics the implementation has
chosen.

If there is a host-pair context for the ULID pair, then the sender
needs to verify whether context uses the ULIDs as locators, that is,
whether Lp(peer) == ULID(peer) and Lp(local) == ULID(local).

If this is the case, then packets will be sent unmodified by the
shim. If it is not the case, then the logic in Section 16 15 will need
to be used.

There will also be some maintenance activity relating to
(un)reachability detection, whether packets are sent with the
original locators or not. The details of this is out of scope for
this document and will be covered is follow-ons to [5].

Nordmark Expires March 31, 2006 [Page 47]

Internet-Draft Shim6 Protocol September 2005

16. [6].

15. Payload Packets after a Switch

When sending packets, if there is a host-pair context for the ULID
pair, and the ULID pair is no longer used as the locator pair, then
the sender needs to transfer transform the packet. The transformation depends
on Apart from replacing the payload type, since some protocol values can be carried
without adding a shim6 extension header,
IPv6 source and others need destination fields with a locator pair, an 8-octet
header.

Before
header is added so that the payload dependent transformation, receiver can find the context and inverse
the transformation.

First, the IP address fields are replaced. The IPv6 source address
field is set to Lp(local) and the destination address field is set to
Lp(peer). NOTE that this MUST NOT cause any recalculation of the ULP
checksums, since the ULP checksums are carried end-to-end and the ULP
pseudo-header contains the ULIDs which are preserved end-to-end.

The sender skips any "routing sub-layer extension headers", headers" that the
ULP might have included, thus it skips any hop-by-hop extension
header, any routing header, and any destination options header that
is followed by a routing header. The
(extension) header that follows after that is viewed as the ULP
header.

If After any such headers the ULP shim6
extension header is of a type listed in Section 4.2, then it is
replaced by the "foo-in-shim6 value for that protocol type. And in
this case, the context tag CT(peer) is placed in the flow label field
in the IPv6 header. Then the packet can will be passed to the IP routing
sub-layer.

If the ULP header type is not listed in that section, then added. This might be before a Fragment
header, a Destination Options header, an ESP or AH header, or a ULP
header.

The inserted shim6 Payload extension header is inserted in the packet before the ULP
header. In this case the context tag CT(peer) is also placed in the
flow label field, and the packet is passed down to the routing sub-
layer. TBD: We could use the Reserved field in includes the payload message
instead of using flow label in this case. peer's
context tag.

The receiver parses the (extension) headers in order. Should it find
a shim6 extension header it will look at the type field in that
header. If the type is Payload message, then the packet must be
passed to the shim6 payload handling for rewriting. If (Otherwise, the receiver
finds one

Nordmark Expires March 5, 2006 [Page 44]

Internet-Draft Shim6 Protocol September 2005

shim6 control messages are handled as specified in other parts of the eight additional payload type (for "foo-inside-
shim6"), then it treats
this analogous to the case of a shim6 payload
extension header.

In both cases the document.)

The receiver extracts the context tag from the IPv6
flow label field, payload message
header, and uses this together with the IPv6 source and destination
address fields to find a host-pair context. If no context is found,
the receiver SHOULD generate a No Such Context error message (see
Section 9).

Nordmark Expires March 31, 2006 [Page 48]

Internet-Draft Shim6 Protocol September 2005 8).

With the context in hand, the receiver can now replace the IP address
fields with the ULIDs kept in the context. Finally, the traces of
the shim are removed from the packet; any payload Payload
extension header is
removed, removed from the packet (so that the ULP doesn't
get confused by it), and the next header value in the preceding
header is set to be the actual protocol number for the payload. Then
the packet can be passed to the ULP.

Nordmark Expires March 31, 2006 [Page 49]

Internet-Draft Shim6 Protocol September 2005

17. protocol identified by the next
header value (which might be some function associated with the IP
endpoint sublayer, or a ULP).

16. Open Issues

The following open issues are known:
o Is there need for keeping the list of locators private between the
two communicating endpoints? We can potentially accomplish that
when using CGA but not with HBA, but it comes at the cost of doing
some public key encryption and decryption operations as part of
the context establishment.
o Forking the context state. On the mailing list we've discussed
the need to fork the context state, so that different ULP streams
can be sent using different locator pairs. No protocol extensions
are needed if any forking is done independently by each endpoint.
But if we want A to be able to tell B that certain traffic (a
5-tuple?) should be forked, then we need a way to convey this in
the shim6 protocol. The hard part would be defining what
selectors can be specified for the filter which determines which
traffic uses which of the forks. So the question is whether we
really need signaling for forking, or whether it is sufficient to
allow each endpoint to do its own selection of which locator pair
it is using for which traffic.

o If we allow forking, it seems like the mechanism for reachability
detection, whether it is CUD or FBD, must be applied separately
for each locator pair that is in use. Without forking a single
locator pair will be in use for each host-pair context, hence
things would be simpler.

o Having the Locator List option contain all the prefixes implies
extra bytes when the locators are also in the CGA Parameter Data
Structure option. To optimize this will still need to provide an
ordered list, so that the Locator Preferences can refer to the
locators by "index". (The Explore Results option might need to
refer to them by index as well.)

o The index each endpoint to a locator might get out do its own selection of synch between which locator pair
it is using for which traffic.
o If we allow forking, it seems like the two ends
if messages with a new Locator List option mechanism for reachability
detection, whether it is lost. It might make
sense to include a "generation" CUD or "locator list version" number
in the Locator List option so FBD, must be applied separately
for each locator pair that the Locator Preference (and
Explorer Result) options can refer to is in use. Without forking a particular version of the
list. single
locator pair will be in use for each host-pair context, hence
things would be simpler.
o The specified mechanism (of relying on No Such Context errors)
doesn't always detect the loss of the context on the peer when the
original ULID=locators are used. See Section 18 17 for other
options.

Nordmark Expires March 31, 5, 2006 [Page 50] 45]

Internet-Draft Shim6 Protocol September 2005

o Which messages need sequence numbers to prevent parts of the
protocol to operate on stale information should the shim6
information get out of date? Just In the Locator List Update
message?

o The CGA PDS might not need to be included in every LLU message.
If it is associated with the ULID, it is sufficient to exchange it
once. Then a HBA-protected LLU would not need anything (it can
just change the preferences for the locators in any case), and a
CGA-protected LLU would just need the signature option.

o In the LLU option, do we need to indicate which locators
need to be validated using HBA vs. CGA? Or it could tell which
locators are in the HBA extension in the PDS, and assume any
others need CGA validation.
o What happens when a host runs out of 20 N bit context tags? When is
it safe for a host to reuse a context tag? With the unilateral
taredown
teardown one end might discard the context state long before the
other end.

Nordmark Expires March 31, 2006 [Page 51]

Internet-Draft Shim6 Protocol September 2005

18.

17. Design Alternatives

This document has picked a certain set of design choices in order to
try to work out a bunch of the details, and stimulate discussion.
But as has been discussed on the mailing list, there are other
choices that make sense. This section tries to enumerate some
alternatives.

18.1

17.1 State Cleanup

This document uses a timer based cleanup mechanism, as specified in
Section 11. 10.

An alternative would be to use an explicit CLOSE mechanism, akin to
the one specified in HIP [17]. [22]. If an explicit CLOSE handshake and
associated timer is used, then there would no longer be a need for
the No Context Error message due to a peer having garbage collected
its end of the context. However, there is still potentially a need
to have a No Context Error message in the case of a complete state
loss of the peer (also known as a crash followed by a reboot). Only
if we assume that the reboot takes at least the CLOSE timer, or that
it is ok to not provide complete service until CLOSE timer minutes
after the crash, can we completely do away with the No Context Error
message.

If there

17.2 Detecting Context Loss

This document specifies that context loss is no need for the detected by receiving a
No Such Context Error message, this also means
that it might be possible to remove error message from the need peer. Such messages are
generated in response to explicitly
identifying the a shim6 payload packets after message that contain a locator switch, neither
using the foo-inside-shim6 protocol number nor using peer's
context tag, including the shim6 Payload message. In essence, messages, when the receiver could identify the context
based on the locator pair and the Flow Label
doesn't have matching context. They are also generated in the received packets.

There might be some debugging and operational issues with removing
the explicit identification of the shim6 response
to data packets after a locator
switch. Should the receiver have lost the context state, then there
will be no indication that something is going wrong. The shim on the
receiver would happily pass up the switch (because such payload packets unmodified to the ULP, and
the ULP would most likely see a checksum error. The checksum error
is caused
are identified as such by using the ULP packet having different IP addresses than the
packet that the sending ULP passed down to its shim.

18.2 Not Overloading the Flow Label payload message header).

This document overloads the Flow Label field as a context tag for
packets that are sent after approach has the locators have been switched, disadvantage that is,
the packets where it doesn't detect the sending shim has replaced loss of
context state when the original ULIDs with some
other locator pair. are used as locators, because
there might be no shim6 messages exchanged if the reachability
detection manages to suppress any extra messages.

Nordmark Expires March 31, 5, 2006 [Page 52] 46]

Internet-Draft Shim6 Protocol September 2005

An alternative would be

The Interim Meeting discussed ways to recover the context state at
one end when the other end sees a failure (and starts sending Explore
messages). The discussed approach is to not do this, and instead always use a R1 (or R1bis) message
in response to a message with an unknown context, which would cause
the context to be recreated.

18. Implications Elsewhere

The general shim6 approach, as well as the
shim6 Payload message to encapsulate specifics of this proposed
solution, has implications elsewhere. The key implications are:
o Applications that perform referrals, or callbacks using IP
addresses as the payloads when 'identifiers' can still function in limited ways,
as described in [17]. But in order for such applications to be
able to take advantage of the multiple locators
are different than the ULIDs. While this doesn't remove for redundancy,
the applications need to
have any QoS signaling protocol be aware of the shim6 architectural
implications Section 19, it does offer some other simplifications modified to either use fully qualified
domain names as the protocol, namely that there would no longer be a 'identifiers', or they need to use
designated protocol number values for pass all the "foo-inside-shim6";
locators as the
cases when those protocol numbers are used would instead use 'identifiers' i.e., the
Payload message. The downside of always using 'identifier' from the Payload message
after
applications perspective becomes a failure is set of IP addresses instead of
a single IP address.
o Firewalls that today pass limited traffic, e.g., outbound TCP
connections, would presumably block the path MTU usable by shim6 protocol. This
means that even when shim6 capable hosts are communicating, the ULP I1
messages would be 8
octets less.

18.3 Detecting Context Loss

This document specifies dropped, hence the hosts would not discover that context loss
their peer is detected by receiving a
No Such Context error message from the peer. Such messages are
generated in response to a shim6 message that contain capable. This is in fact a feature, since if
the peer's
context tag, including the shim6 Payload messages, when the receiver
doesn't have matching context. They are also generated in response hosts managed to data establish a host-pair context, then the
firewall would probably drop the "different" packets that are sent
after a locator switch (because such failure (those using the shim6 payload packets message with a TCP
packet inside it). Thus stateful firewalls that are identified as such using modified to
allow shim6 messages through should also be modified to allow the overloaded protocol field specified
in Section 4.2).
payload messages through after a failure. This approach has the disadvantage of presumably implies
that the overloaded protocol type,
and it also doesn't detect firewall needs to track the loss set of context state when locators in use by
looking at the
original ULIDs are used as locators, because there might be no shim6
messages exchanged if the reachability detection manages exchanges. Such firewalls might even want to suppress
any extra packets.

Discussion: it isn't clear we could remove
verify the protocol type
overloading with this approach, because without protocol type
overloading it is undefined locators using the HBA/CGA verification themselves.
o Signaling protocols for QoS or other things that involve having
devices in what order the receiver would do
things. Normally network path look at IP addresses and port numbers,
or IP addresses and Flow Labels, need to be invoked on the receiver follows hosts
when the next header chain and
processes things in order. This also works with an overloaded
protocol type; locator pair changes due to a failure. At that next header value is basically indicating point in
time those protocols need to inform the devices that
there is a zero length shim payload header. Thus the sender can
control whether this happens before the processing new pair of some other
extension header or after. Without any such indication in
IP addresses will be used for the flow. Note that this is the
packet,
case even though we no longer overload the receiver would find flow label as a shim context based on
tag; the <Source
Locator, Destination Locator, Flow Label>. But would it process this
before or after some other extension header, such as a MIPv6 Home
Address Option, or IP-in-IP encapsulation header?

An alternative would be in-path devices need to remove know about the protocol field overloading and
mandate that there be some low-frequency periodic Reachability Probe/
Reply messages, use of the new
locators even when there is bidirectional communication and though the ULPs report that they flow label stays the same.
o MTU implications. The path MTU mechanisms we use are doing fine. Such an approach would be
able to detect state loss even before there is robust
against different packets taking different paths through the
Internet, by computing a minimum over the recently observed path
MTUs. When shim6 fails over from using one locator switch. pair to
another pair, this means that packets might travel over a
different path through the Internet, hence the path MTU might be

Nordmark Expires March 31, 5, 2006 [Page 53] 47]

Internet-Draft Shim6 Protocol September 2005

Presumably

quite different. Perhaps such probes can a path change would be suppressed when there are no ULP
packets being sent a good hint
to the peer.

Nordmark Expires March 31, 2006 [Page 54]

Internet-Draft Shim6 Protocol September 2005

19. Implications Elsewhere

The general shim6 approach, as well as the specifics of this proposed
solution, has implications elsewhere. path MTU mechanism to try a larger MTU?

The key implications are:

o Applications fact that perform referals, or callbacks using IP
addresses as the 'identifiers' can still function in limited ways,
as described in [12]. But in order shim, at least for such applications to be
able to take advantage of uncommon payload types, will
add an 8 octet extension header (the payload message) after a
locator switch, can also affect the multiple locators usable path MTU for redundancy, the applications need to be modified to either use fully qualified
domain names as ULPs.
In this case the 'identifiers', or they need MTU change is local to pass all the
locators as sending host, thus
conveying the 'identifiers' i.e., change to the 'identifier' from ULPs is an implementation matter.

19. Security Considerations

This document satisfies the
applications perspective becomes a set of IP addresses instead concerns specified in [16] as follows:
o TBD: Using HBA or CGA for ...

Some of
a single IP address. the residual threats in this proposal are:
o Firewalls that today pass limited traffic, e.g., outbound TCP
connections, would presumably block An attacker which arrives late on the shim6 protocol. This
means that even when shim6 capable hosts are communicating, path (after the I1
packets would be dropped, hence context has
been established) can use the hosts would not discover that
their No Such Context error to cause one
peer is shim6 capable. This is to recreate the context, and at that point in fact a feature, since if time the hosts managed
attacker can observe all of the exchange. But this doesn't seem
to establish a host-pair context, then open any new doors for the
firewall would probably drop attacker since such an attacker can
observe the "different" packets Context tags that are sent
after a failure (either using a "TCP-inside-shim6" protocol
number, or using being used, and once known it
can use those to send bogus messages.
o An attacker which is present on the path so that it can find out
the shim6 payload packet with context tags, can generate a TCP No Such Context error after it
has moved off the path. For this packet inside
it). Thus stateful firewalls that are modified to allow shim6
packets through should also be modified effective it needs
to allow the payload
packets through after have a failure. This presumably implies that the
firewall needs source locator which belongs to track the set of locators in use by looking at the shim6 exchanges.

o Signaling protocols for QoS or other things that involve having
devices in context, thus there
can not be "too much" ingress filtering between the network path look at IP addresses and port numbers,
or IP addresses attackers new
location and Flow Labels, need the communicating peers. But this doesn't seem to be invoked on
that severe, because once the hosts
when error causes the locator pair changes due to a failure. At that point in
time those protocols need context to inform the devices that be torn
down and re-established, a new pair of
IP addresses context tags will be used for used,
which will not be known to the flow, as well as attacker. If this is still a new Flow
Label being used.

o MTU implications. The path MTU mechanisms
concern, we use are robust
against different packets taking different paths through could require a 2-way handshake "did you really loose
the state?" in response to the error message.
o It might be possible for an attacker to try random 32-bit context
tags and see if they can cause disruption for communication
between two hosts. We can make this harder by using a larger
context tag; 47 bits is the
Internet, by computing a minimum over largest that fit in the recently observed path
MTUs. When shim6 fails over from using one locator pair to
another pair, 8-octet
payload header. If this means that packets might travel over a
different path through isn't sufficient, one could use an even
larger tag in the Internt, hence shim6 control messages, and use the path MTU might be
quite different. Perhaps such a path change would be a good hint
to low-order 47
bits in the path MTU mechanism payload header.

20. IANA Considerations

IANA needs to try allocate a larger MTU?

The fact that new IP Next Header value for this protocol.

TBD: the shim, at least IANA rules for uncommon payload types, will the shim6 message types and option types.

Nordmark Expires March 31, 5, 2006 [Page 55] 48]

Internet-Draft Shim6 Protocol September 2005

add

21. Change Log

The following changes have been made since draft-ietf-shim6-proto-00:
o Removed the use of the flow label and the overloading of the IP
protocol numbers. Instead, when the locator pair is not the ULID
pair, the ULP payloads will be carried with an 8 octet extension header (the payload message) after a
locator switch, can also affect the usable path MTU for the ULPs.
In this case the MTU change
header. The belief is local that it is possible to remove these extra
bytes by defining future shim6 extensions that exchange more
information between the sending host, thus
conveying the change hosts, without having to overload the ULPs is an implementation matter.

Nordmark Expires March 31, 2006 [Page 56]

Internet-Draft Shim6 Protocol September 2005

20. Security Considerations

Some of flow
label or the residual threats in this proposal are: IP protocol numbers.
o An attacker which arrives late on the path (after Grew the context has
been established) can use tag from 20 bits to 32 bits, with the No Such Context error possibility
to cause one
peer grow it to 47 bits. This implies changes to recreate the context, and at that point in time the
attacker can observe all of message
formats.
o Almost by accident, the exchange. But this doesn't seem
to open any new doors shim6 message format is very close to
the HIP message format.
o Adopted the HIP format for the attacker options, since such an attacker can
observe this makes it easier
to describe variable length options. The original, ND-style,
option format requires internal padding in the Context tags options to make
them 8 octet length in total, while the HIP format handles that are being used,
using the option length field.
o Removed some of the control messages, and once known it
can use those to send bogus messages. renamed the other ones.
o An attacker which is present on Added a "generation" number to the path Locator List option, so that it can find out
the context tags, peers can generate a No Such Context error after it
has moved off ensure that the path. For this packet to be effective it needs
to have a source locator which belongs preferences refer to the context, thus there
can not be "too much" ingress filtering between right
"version" of the attackers new
location Locator List.
o In order for FBD and the communicating peers. But this doesn't seem exploration to be
that severe, because once work when there the error causes use of the
context to be torn
down and re-established, is forked, that is different ULP messages are sent over
different locator pairs, things are a new lot easier if there is only
one current locator pair of context tags will be used,
which will not be known to used for each context. Thus the forking
of the attacker. If this context is still a
concern, we could require now causing a 2-way handshake "did you really loose
the state?" in response new context to the error message.

o It might be possible established for an attacker to try random 24-bit
the same ULID; the new context
tags and see if they can cause disruption for communication
between two hosts. We can make this harder by using having a larger new context tag (64-bits?) in the shim6 control messages, and use the
low-order 24 bits tag. The
original context is referred to as the flow label.

Nordmark Expires March 31, 2006 [Page 57]

Internet-Draft Shim6 Protocol September 2005

21. "default" context for the
ULID pair.
o Added more background material and textual descriptions.

22. Acknowledgements

Over the years many people active in the multi6 and shim6 WGs have
contributed ideas a suggestions that are reflected in this draft.

Thanks to Marcelo Bagnulo for providing comments on earlier versions
of this draft.

23. References

23.1 Normative References

[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.

Nordmark Expires March 31, 5, 2006 [Page 58] 49]

Internet-Draft Shim6 Protocol September 2005

22. References

22.1 Normative References

[1]

[2] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
Specification", RFC 2460, December 1998.

[2]

[3] Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery
for IP Version 6 (IPv6)", RFC 2461, December 1998.

[3]

[4] Thomson, S. and T. Narten, "IPv6 Stateless Address
Autoconfiguration", RFC 2462, December 1998.

[4]

[5] Bagnulo, M., "Hash Based Addresses (HBA)",
draft-ietf-shim6-hba-00 (work in progress), July 2005.

[5]

[6] Beijnum, I., "Shim6 Reachability Detection",
draft-ietf-shim6-reach-detect-00 (work in progress), July 2005.

[6]

[7] Arkko, J., "Failure Detection and Locator Selection Pair Exploration
Design
Considerations", draft-ietf-shim6-failure-detection-00 for IPv6 Multihoming",
draft-ietf-shim6-failure-detection-01 (work in progress), July
October 2005.

22.2

23.2 Informative References

[7] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.

[8] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
February 2000.

[9] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000.

[10] Narten, T. and R. Draves, "Privacy Extensions for Stateless
Address Autoconfiguration in IPv6", RFC 3041, January 2001.

[11] Draves, R., "Default Address Selection for Internet Protocol
version 6 (IPv6)", RFC 3484, February 2003.

[10]

[12] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson,
"RTP: A Transport Protocol for Real-Time Applications", STD 64,
RFC 3550, July 2003.

[13] Abley, J., Black, B., and V. Gill, "Goals for IPv6 Site-
Multihoming Architectures", RFC 3582, August 2003.

[11]

[14] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, "IPv6
Flow Label Specification", RFC 3697, March 2004.

[12]

[15] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", RFC 4193, October 2005.

Nordmark Expires March 5, 2006 [Page 50]

Internet-Draft Shim6 Protocol September 2005

[16] Nordmark, E., "Threats relating to IPv6 multihoming solutions",
draft-ietf-multi6-multihoming-threats-03 (work in progress),
January 2005.

[17] Nordmark, E., "Shim6 Application Referral Issues",
draft-ietf-shim6-app-refer-00 (work in progress), July 2005.

[13]

[18] Abley, J., "Shim6 Applicability Statement",
draft-ietf-shim6-applicability-00 (work in progress),
July 2005.

Nordmark Expires March 31, 2006 [Page 59]

Internet-Draft Shim6 Protocol September 2005

[14]

[19] Huston, G., "Architectural Commentary on Site Multi-homing
using a Level 3 Shim", draft-ietf-shim6-arch-00 (work in
progress), July 2005.

[15]

[20] Bagnulo, M. and J. Arkko, "Functional decomposition of the
multihoming protocol", draft-ietf-shim6-functional-dec-00 (work
in progress), July 2005.

[16]

[21] Nordmark, E. and M. Bagnulo, "Multihoming L3 Shim Approach",
draft-ietf-shim6-l3shim-00 (work in progress), July 2005.

[17]

[22] Moskowitz, R., "Host Identity Protocol", draft-ietf-hip-base-03
(work in progress), June 2005.

[18]

[23] Lear, E. and R. Droms, "What's In A Name:Thoughts from the
NSRG", draft-irtf-nsrg-report-10 (work in progress),
September 2003.

Author's Address

Erik Nordmark
Sun Microsystems
17 Network Circle
Menlo Park, CA 94043 94025
USA

Phone: +1 650 786 2921
Email: erik.nordmark@sun.com

Nordmark Expires March 31, 5, 2006 [Page 60] 51]

Internet-Draft Shim6 Protocol September 2005

Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.

Disclaimer of Validity

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.

Acknowledgment

Funding for the RFC Editor function is currently provided by the
Internet Society.

Nordmark Expires March 31, 5, 2006 [Page 61] 52]

----