rfc9837v1.txt | rfc9837.txt | |||
---|---|---|---|---|
skipping to change at line 199 ¶ | skipping to change at line 199 ¶ | |||
the option. The packet MUST be processed according to the setting of | the option. The packet MUST be processed according to the setting of | |||
the two highest-order bits of the Option Type (see NOTE below). | the two highest-order bits of the Option Type (see NOTE below). | |||
NOTE: For this experiment, the Option Type is set to '01011110', | NOTE: For this experiment, the Option Type is set to '01011110', | |||
i.e., 0x5E. The highest-order two bits are set to 01, indicating | i.e., 0x5E. The highest-order two bits are set to 01, indicating | |||
that the required action by a destination node that does not | that the required action by a destination node that does not | |||
recognize the option is to discard the packet. The third highest- | recognize the option is to discard the packet. The third highest- | |||
order bit is set to 0, indicating that Option Data cannot be modified | order bit is set to 0, indicating that Option Data cannot be modified | |||
along the path between the packet's source and its destination. The | along the path between the packet's source and its destination. The | |||
remaining low-order bits are set to '11110' to indicate the single | remaining low-order bits are set to '11110' to indicate the single | |||
IPv6 Destination Option Type code point available for experimentation | IPv6 Destination Option Type code point available in the "Destination | |||
in the "Destination Options and Hop-by-Hop Options" registry [V6MSG]. | Options and Hop-by-Hop Options" registry [V6MSG] for experimentation. | |||
4. Forwarding Plane Considerations | 4. Forwarding Plane Considerations | |||
The ingress PE encapsulates the customer data in a tunnel header. | The ingress PE encapsulates the customer data in a tunnel header. | |||
The tunnel header MUST contain an IPv6 header and a Destination | The tunnel header MUST contain an IPv6 header and a Destination | |||
Options header that immediately precedes the customer data. It MAY | Options header that immediately precedes the customer data. It MAY | |||
also include any legal combination of IPv6 extension headers. | also include any legal combination of IPv6 extension headers. | |||
The IPv6 header contains: | The IPv6 Header contains the following (all defined in [RFC8200]): | |||
* Version - Defined in [RFC8200]. MUST be equal to 6. | * Version - MUST be equal to 6. | |||
* Traffic Class - Defined in [RFC8200]. | * Traffic Class | |||
* Flow Label - Defined in [RFC8200]. | * Flow Label | |||
* Payload Length - Defined in [RFC8200]. | * Payload Length | |||
* Next Header - Defined in [RFC8200]. | * Next Header | |||
* Hop Limit - Defined in [RFC8200]. | * Hop Limit | |||
* Source Address - Defined in [RFC8200]. Represents an interface on | * Source Address - Represents an interface on the ingress PE router. | |||
the ingress PE router. This address SHOULD be chosen according to | This address SHOULD be chosen according to guidance provided in | |||
guidance provided in [RFC6724]. | [RFC6724]. | |||
* Destination Address - Defined in [RFC8200]. Represents an | * Destination Address - Represents an interface on the egress PE | |||
interface on the egress PE router. This address SHOULD be chosen | router. This address SHOULD be chosen according to guidance | |||
according to guidance provided in [RFC6724]. | provided in [RFC6724]. | |||
The IPv6 Destination Options Extension Header contains: | The IPv6 Destination Options Extension Header contains the following | |||
(all defined in [RFC8200]): | ||||
* Next Header - Defined in [RFC8200]. MUST identify the protocol of | * Next Header - MUST identify the protocol of the customer data. | |||
the customer data. | ||||
* Hdr Ext Len - Defined in [RFC8200]. | * Hdr Ext Len | |||
* Options - Defined in [RFC8200]. In this experiment, the Options | * Options - In this experiment, the Options field MUST contain | |||
field MUST contain exactly one VPN Service Option as defined in | exactly one VPN Service Option as defined in Section 3 of this | |||
Section 3 of this document. It MAY also contain any legal | document. It MAY also contain any legal combination of other | |||
combination of other Destination Options. | Destination Options. | |||
5. Control Plane Considerations | 5. Control Plane Considerations | |||
The FIB can be populated by: | The FIB can be populated by: | |||
* An operator, using a Command-Line Interface (CLI) | * An operator, using a Command-Line Interface (CLI) | |||
* A controller, using the Path Computation Element Communication | * A controller, using the Path Computation Element Communication | |||
Protocol (PCEP) [RFC5440] or the Network Configuration Protocol | Protocol (PCEP) [RFC5440] or the Network Configuration Protocol | |||
(NETCONF) [RFC6241] | (NETCONF) [RFC6241] | |||
* A routing protocol | * A routing protocol | |||
Routing protocol extensions that support the IPv6 VPN Service | Routing protocol extensions that support the VPN Service Option are | |||
Destination Option are beyond the scope of this document. | beyond the scope of this document. | |||
6. IANA Considerations | 6. IANA Considerations | |||
This document has no IANA actions. | This document has no IANA actions. | |||
7. Security Considerations | 7. Security Considerations | |||
A VPN is characterized by the following security policy: | A VPN is characterized by the following security policy: | |||
* Nodes outside of a VPN cannot inject traffic into the VPN. | * Nodes outside of a VPN cannot inject traffic into the VPN. | |||
* Nodes inside a VPN cannot send traffic outside of the VPN. | * Nodes inside a VPN cannot send traffic outside of the VPN. | |||
A set of PE routers cooperate to enforce this security policy. If a | A set of PE routers cooperate to enforce this security policy. If a | |||
device outside of that set could impersonate a device inside of the | device outside of that set could impersonate a device inside of the | |||
set, it would be possible for that device to subvert security policy. | set, it would be possible for that device to subvert security policy. | |||
Therefore, impersonation must not be possible. The following | Therefore, impersonation must not be possible. The following | |||
paragraphs describe procedures that prevent impersonation. | paragraphs describe procedures that prevent impersonation. | |||
The IPv6 VPN Service Destination Option can be deployed: | The VPN Service Option can be deployed: | |||
* On the global Internet | * On the global Internet | |||
* Inside of a limited domain | * Inside of a limited domain | |||
When the IPv6 VPN Service Destination Option is deployed on the | When the VPN Service Option is deployed on the global Internet, the | |||
global Internet, the tunnel that connects the ingress PE to the | tunnel that connects the ingress PE to the egress PE MUST be | |||
egress PE MUST be cryptographically protected by one of the | cryptographically protected by one of the following: | |||
following: | ||||
* The IPv6 Authentication Header (AH) [RFC4302] | * The IPv6 Authentication Header (AH) [RFC4302] | |||
* The IPv6 Encapsulating Security Payload (ESP) Header [RFC4303] | * The IPv6 Encapsulating Security Payload (ESP) Header [RFC4303] | |||
When the IPv6 VPN Service Destination Option is deployed in a limited | When the VPN Service Option is deployed in a limited domain, all | |||
domain, all nodes at the edge of limited domain MUST maintain Access | nodes at the edge of limited domain MUST maintain Access Control | |||
Control Lists (ACLs). These ACLs MUST discard packets that satisfy | Lists (ACLs). These ACLs MUST discard packets that satisfy the | |||
the following criteria: | following criteria: | |||
* Contain an IPv6 VPN Service Option | * Contain a VPN Service Option | |||
* Contain an IPv6 Destination Address that represents an interface | * Contain an IPv6 Destination Address that represents an interface | |||
inside of the limited domain | inside of the limited domain | |||
The mitigation techniques mentioned above operate in fail-open mode. | The mitigation techniques mentioned above operate in fail-open mode. | |||
That is, they require explicit configuration in order to ensure that | That is, they require explicit configuration in order to ensure that | |||
packets using the approach described in this document do not leak out | packets using the approach described in this document do not leak out | |||
of a domain. See [SAFE-LIM-DOMAINS] for a discussion of fail-open | of a domain. See [SAFE-LIM-DOMAINS] for a discussion of fail-open | |||
and fail-closed modes. | and fail-closed modes. | |||
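Review bot: the ACL criteria in the Section 7 hunk (discard packets that contain a VPN Service Option and carry a Destination Address inside the limited domain) match traffic entering the domain, which is the impersonation/injection case the preceding paragraphs set out to prevent, yet the closing fail-open paragraph says the mitigation exists so that such packets "do not leak out of a domain", a direction those criteria do not cover; suggest either rewording the closing paragraph to "are not injected into a domain from outside" or adding an explicit outbound criterion (VPN Service Option present and Destination Address outside the limited domain) if leakage out is also in scope. Minor: "at the edge of limited domain" (both columns) reads better as "at the edge of the limited domain".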
End of changes. 19 change blocks. | ||||
35 lines changed or deleted | 34 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |