Internet-Draft | IPv6 Query for IOAM Capabilities | June 2024 |
Min & Mirsky | Expires 22 December 2024 | [Page] |
This document describes the application of the mechanism of discovering In-situ OAM (IOAM) capabilities, described in RFC 9359 "Echo Request/Reply for Enabled In Situ OAM (IOAM) Capabilities", in IPv6 networks. IPv6 Node IOAM Request uses the IPv6 Node Information messages, allowing the IOAM encapsulating node to discover the enabled IOAM capabilities of each IOAM transit and IOAM decapsulating node.¶
This document updates RFCs 4620 and 4884.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 22 December 2024.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
IPv6 encapsulation for In-situ OAM (IOAM) data is defined in [RFC9486], which uses the IPv6 hop-by-hop and destination options to carry IOAM data fields ([RFC9197], [RFC9326]).¶
As specified in [RFC9359], the echo request/reply can be used by the IOAM encapsulating node to discover the enabled IOAM capabilities at the IOAM transit and decapsulating nodes.¶
As specified in [RFC4443], the Internet Control Message Protocol for IPv6 (ICMPv6) is an integral part of IPv6, and the base protocol MUST be fully implemented by every IPv6 node. ICMPv6 messages defined in [RFC4443] include error messages and informational messages, and the latter are referred to as ICMPv6 Echo Request/Reply messages. [RFC4884] defines ICMPv6 Extension Structure by which multi-part ICMPv6 error messages are supported. [RFC8335] defines ICMPv6 Extended Echo Request/Reply messages, and the ICMPv6 Extended Echo Request contains an ICMPv6 Extension Structure customized for this message. Both [RFC4884] and [RFC8335] provide sound principles and examples on extending ICMPv6 messages.¶
As specified in [RFC4620], two types of IPv6 Node Information messages, the Node Information Query (or NI Query) and the Node Information Reply (or NI Reply), also known as ICMPv6 messages, are used for a Querier node to query information of a Responder node.¶
This document describes the IPv6 Node IOAM Query functionality, which uses the IPv6 Node Information messages, allowing the IOAM encapsulating node to discover the enabled IOAM capabilities of each IOAM transit and IOAM decapsulating node.¶
The IOAM encapsulating node sends an NI Query to each IOAM transit and decapsulating node. Upon receiving the query, each node executes access control procedures. If access is granted, the node returns an NI Reply indicating its enabled IOAM capabilities. The NI Reply contains an ICMPv6 Extension Structure customized to this message, and the ICMPv6 Extension Structure contains one or more IOAM Capabilities Objects.¶
Before the IOAM encapsulating node sends the NI Query, it must know the IPv6 address of each node along the transport path of the data packet to which IOAM data will be added. This can be achieved by executing an ICMPv6/UDP traceroute or by provisioning an explicit path at the IOAM encapsulating node. In an Equal-Cost Multipath (ECMP) scenario, the same values in any ECMP-affecting fields (e.g., the 3-tuple of the Flow Label, Source Address, and Destination Address fields as per [RFC6437]) of the IOAM data packets MUST be populated in the NI Query, ensuring fate sharing between the NI Query and the IOAM data packets.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The Node IOAM Request message is encapsulated in an IPv6 header [RFC8200], like any ICMPv6 message.¶
The Node IOAM Request message has the following format:¶
IPv6 Header fields:¶
Source Address: The Source Address identifies the IOAM encapsulating node. It MUST be a valid IPv6 unicast address.¶
Destination Address: The Destination Address identifies the IOAM transit or decapsulating node. It MUST be a valid IPv6 unicast address.¶
ICMPv6 fields:¶
Type: NI Query. The value is 139 as allocated for [RFC4620].¶
Code: The value is (TBD1). The Data field contains a list of IOAM Namespace-IDs, which are the subject of this query.¶
Checksum: The ICMPv6 checksum.¶
Qtype: The value is (TBD2). Which indicates the NI Query is a node IOAM capabilities query.¶
Flags: The same as defined in [RFC4620]. Flags are Qtype-specific, the NI Query Qtype used in this document has no defined flags.¶
Data: Following the NI Query header, the Data field is a List of IOAM Namespace-IDs, which is also called IOAM Capabilities Query Container payload in Section 3.1 of [RFC9359].¶
The format of a Node IOAM Request can vary from deployment to deployment.¶
In a deployment where only the default Namespace-ID is used, the Node IOAM Request is depicted as the following:¶
In a deployment where two Namespace-IDs (Namespace-ID1 and Namespace-ID2) are used, the Node IOAM Request is depicted as the following:¶
When a Node IOAM Request message is received, the length of the message is determined by the Payload Length field in the IPv6 Header, as specified in [RFC8200].¶
The Node IOAM Reply message is encapsulated in an IPv6 header [RFC8200], like any ICMPv6 message.¶
The Node IOAM Reply message has the following format:¶
IPv6 Header fields:¶
Source Address: Copied from the Destination Address field of the invoking Node IOAM Request packet.¶
Destination Address: Copied from the Source Address field of the invoking Node IOAM Request packet.¶
ICMPv6 fields:¶
Type: NI Reply. The value is 140 as allocated for [RFC4620].¶
Code: The values are (TBD3) No Matched Namespace-ID, and (TBD4) Exceed the minimum IPv6 MTU. See Section 5 for details.¶
Checksum: The ICMPv6 checksum.¶
Qtype: Copied from the Qtype field of the invoking Node IOAM Request.¶
Flags: The same as defined in [RFC4620]. Flags are Qtype-specific, the NI Reply Qtype used in this document has no defined flags.¶
Nonce: Copied from the Nonce field of the invoking Node IOAM Request.¶
Data: Following the NI Reply header, the Data field is a List of IOAM Capabilities Objects, which is also called IOAM Capabilities Response Container payload in Section 3.2 of [RFC9359]. Section 7 of [RFC4884] defines the ICMP Extension Structure. As per RFC 4884, the Extension Structure contains exactly one Extension Header followed by one or more objects. When applied to the Node IOAM Reply message, the ICMP Extension Structure MUST contain one or more IOAM Capabilities Objects.¶
All ICMPv6 IOAM Capabilities Objects are encapsulated in a Node IOAM Reply message.¶
Each ICMPv6 IOAM Capabilities Object has the following format:¶
Object fields:¶
Class-Num: IOAM Capabilities Objects. The values are listed as the following:¶
Value Object Name ----- ----------- TBD5 IOAM Tracing Capabilities Object TBD6 IOAM Proof of Transit Capabilities Object TBD7 IOAM Edge-to-Edge Capabilities Object TBD8 IOAM DEX Capabilities Object TBD9 IOAM End-of-Domain Object¶
C-Type: Values are listed as the following:¶
Class-Num C-Type C-Type Name --------- ------ ----------- TBD5 0 Reserved 1 Pre-allocated Tracing TBD6 0 Reserved TBD7 0 Reserved TBD8 0 Reserved TBD9 0 Reserved¶
The format of a Node IOAM Reply can vary from deployment to deployment.¶
In a deployment where only the default Namespace-ID is used, the IOAM Pre-allocated Tracing Capabilities and the IOAM Proof of Transit Capabilities are enabled at the IOAM transit node that received a Node IOAM Request, the Node IOAM Reply is depicted as the following:¶
In a deployment where two Namespace-IDs (Namespace-ID1 and Namespace-ID2) are used, for both Namespace-ID1 and Namespace-ID2 the IOAM Pre-allocated Tracing Capabilities and the IOAM Proof of Transit Capabilities are enabled at the IOAM transit node that received a Node IOAM Request, the Node IOAM Reply is depicted as the following:¶
In a deployment where only the default Namespace-ID is used, the IOAM Pre-allocated Tracing Capabilities, the IOAM Proof of Transit Capabilities, and the IOAM Edge-to-Edge Capabilities are enabled at the IOAM decapsulating node that received a Node IOAM Request, the Node IOAM Reply is depicted as the following:¶
When a Node IOAM Reply message is received, the length of the message is determined by the Payload Length field in the IPv6 Header, as specified in [RFC8200].¶
The Code field in the Node IOAM Reply MUST be set to (TBD3) No Matched Namespace-ID if any of the following conditions apply:¶
The Node IOAM Request does not include any Namespace-ID.¶
None of the contained list of IOAM Namespace-IDs is recognized.¶
None of the contained list of IOAM Namespace-IDs is enabled.¶
The Code field in the Node IOAM Reply MUST be set to (TBD4) Exceed the minimum IPv6 MTU if the formatted NI Reply packet exceeds the minimum IPv6 MTU (i.e., 1280 octets). In this case, all objects MUST be stripped before forwarding the Node IOAM Reply to its destination.¶
Section 4.6 of [RFC4884] provides a list of extensible ICMP messages (i.e., messages that can carry the ICMP Extension Structure). This document adds the IPv6 Node Information Reply message to that list.¶
This document requests the following IANA actions:¶
Add the following Code to the "Type 139 - ICMP Node Information Query" sub-registry:¶
(TBD1) The Data field contains a List of IOAM Namespace-IDs which is the Subject of this Query¶
Add the following Codes to the "Type 140 - ICMP Node Information Response" sub-registry:¶
Add the following to the "ICMP Extension Object Classes and Class Sub-types" registry:¶
(TBD5) IOAM Tracing Capabilities Object¶
Add the following C-types to the "Sub-types - Class TBD5 - IOAM Tracing Capabilities Object" sub-registry:¶
Add the following to the "ICMP Extension Object Classes and Class Sub-types" registry:¶
(TBD6) IOAM Proof of Transit Capabilities Object¶
Add the following C-types to the "Sub-types - Class TBD6 - IOAM Proof of Transit Capabilities Object" sub-registry:¶
(0) Reserved¶
Add the following to the "ICMP Extension Object Classes and Class Sub-types" registry:¶
(TBD7) IOAM Edge-to-Edge Capabilities Object¶
Add the following C-types to the "Sub-types - Class TBD7 - IOAM Edge-to-Edge Capabilities Object" sub-registry:¶
(0) Reserved¶
Add the following to the "ICMP Extension Object Classes and Class Sub-types" registry:¶
(TBD8) IOAM DEX Capabilities Object¶
Add the following C-types to the "Sub-types - Class TBD8 - IOAM DEX Capabilities Object" sub-registry:¶
(0) Reserved¶
Add the following to the "ICMP Extension Object Classes and Class Sub-types" registry:¶
(TBD9) IOAM End-of-Domain Object¶
Add the following C-types to the "Sub-types - Class TBD9 - IOAM End-of-Domain Object" sub-registry:¶
(0) Reserved¶
All codes mentioned above are assigned on a First Come First Serve (FCFS) basis with a range of 0-255.¶
Security issues discussed in [RFC4620] and [RFC9359] apply to this document.¶
This document recommends using IP Authentication Header [RFC4302] or IP Encapsulating Security Payload Header [RFC4303] to provide integrity protection for IOAM capabilities information.¶
This document recommends using IP Encapsulating Security Payload Header [RFC4303] to provide privacy protection for IOAM capabilities information.¶
This document recommends that the network operators establish policies that restrict access to IPv6 Node IOAM Query functionality. In order to enforce these policies, nodes that support IPv6 Node IOAM Query functionality MUST support the following configuration options:¶
Enable/disable IPv6 Node IOAM Query functionality. By default, IPv6 Node IOAM Query functionality is disabled.¶
Define enabled Namespace-IDs. By default, all Namespace-IDs except the default one (i.e., Namespace-ID 0x0000) are disabled.¶
For each enabled Namespace-ID, define the prefixes from which Node IOAM Request messages are permitted.¶
In order to protect local resources, implementations SHOULD rate-limit incoming Node IOAM Request messages.¶
Considering the packet size of the Node IOAM Reply could be much larger than that of the Node IOAM Request, to mitigate the potential amplification attack by using the Node IOAM Request with a spoofed source address, which is similar to the amplification attack by sending an ICMPv6 ECHO_REQUEST to ff02::1 with a spoofed source address (refer to Section 2.3.5 of [RFC9099]), an implementation that supports this specification MUST support an option of padding a Node IOAM Request packet to the Path MTU or the minimum IPv6 MTU [RFC8200], which can ensure that the Node IOAM Reply packet would not be larger than the invoking Node IOAM Request packet. The network operators can choose to enforce the padding option or not in their networks.¶
The authors would like to acknowledge Eric Vyncke and Erik Kline for their valuable suggestions on using IPv6 Node Information Queries as the basis.¶
The authors would like to acknowledge Bob Hinden for his valuable suggestions on the ICMPv6 message format.¶
The authors would like to acknowledge Chongfeng Xie, Zhenqiang Li, David Lamparter, and Daniel King for their review and helpful comments.¶