Internet Engineering Task Force (IETF) V. Fuller
Request for Comments: 6836
Category: Experimental D. Farinacci
ISSN: 2070-1721 D. Meyer
D. Lewis
Cisco Systems
January 2013
Internet Engineering Task Force (IETF) V. Fuller
Request for Comments: 6836
Category: Experimental D. Farinacci
ISSN: 2070-1721 D. Meyer
D. Lewis
Cisco Systems
January 2013
Locator/ID Separation Protocol Alternative Logical Topology (LISP+ALT)
定位器/ID分离协议替代逻辑拓扑(LISP+ALT)
Abstract
摘要
This document describes a simple distributed index system to be used by a Locator/ID Separation Protocol (LISP) Ingress Tunnel Router (ITR) or Map-Resolver (MR) to find the Egress Tunnel Router (ETR) that holds the mapping information for a particular Endpoint Identifier (EID). The MR can then query that ETR to obtain the actual mapping information, which consists of a list of Routing Locators (RLOCs) for the EID. Termed the Alternative Logical Topology (ALT), the index is built as an overlay network on the public Internet using the Border Gateway Protocol (BGP) and Generic Routing Encapsulation (GRE).
本文档描述了一个简单的分布式索引系统,用于定位器/ID分离协议(LISP)入口隧道路由器(ITR)或映射解析器(MR)查找出口隧道路由器(ETR),该路由器保存特定端点标识符(EID)的映射信息。然后,MR可以查询该ETR以获得实际映射信息,该信息包括EID的路由定位器(RLOC)列表。该索引称为替代逻辑拓扑(ALT),使用边界网关协议(BGP)和通用路由封装(GRE)在公共互联网上构建为覆盖网络。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for examination, experimental implementation, and evaluation.
本文件不是互联网标准跟踪规范;它是为检查、实验实施和评估而发布的。
This document defines an Experimental Protocol for the Internet community. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文档为互联网社区定义了一个实验协议。本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6836.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6836.
Copyright Notice
版权公告
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2013 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................3
2. Definition of Terms .............................................5
3. The LISP-ALT Model ..............................................8
3.1. Routability of EIDs ........................................8
3.1.1. Mechanisms for an ETR to Originate EID-Prefixes .....9
3.1.2. Mechanisms for an ITR to Forward to EID-Prefixes ....9
3.1.3. Map-Server Model Preferred ..........................9
3.2. Connectivity to Non-LISP Sites ............................10
3.3. Caveats on the Use of Data-Probes .........................10
4. LISP+ALT: Overview .............................................10
4.1. ITR Traffic Handling ......................................11
4.2. EID Assignment - Hierarchy and Topology ...................12
4.3. Use of GRE and BGP between LISP-ALT Routers ...............14
5. EID-Prefix Propagation and Map-Request Forwarding ..............14
5.1. Changes to ITR Behavior with LISP+ALT .....................15
5.2. Changes to ETR Behavior with LISP+ALT .....................15
5.3. ALT Datagram Forwarding Failure ...........................16
6. BGP Configuration and Protocol Considerations ..................16
6.1. Autonomous System Numbers (ASNs) in LISP+ALT ..............16
6.2. Subsequent Address Family Identifier (SAFI) for LISP+ALT ..17
7. EID-Prefix Aggregation .........................................17
7.1. Stability of the ALT ......................................18
7.2. Traffic Engineering Using LISP ............................18
7.3. Edge Aggregation and Dampening ............................19
7.4. EID Assignment Flexibility vs. ALT Scaling ................19
8. Connecting Sites to the ALT Network ............................20
8.1. ETRs Originating Information into the ALT .................20
8.2. ITRs Using the ALT ........................................21
9. Security Considerations ........................................22
9.1. Apparent LISP+ALT Vulnerabilities .........................22
9.2. Survey of LISP+ALT Security Mechanisms ....................23
9.3. Use of Additional BGP Security Mechanisms .................24
10. Acknowledgments ...............................................24
11. References ....................................................24
11.1. Normative References .....................................24
11.2. Informative References ...................................25
1. Introduction ....................................................3
2. Definition of Terms .............................................5
3. The LISP-ALT Model ..............................................8
3.1. Routability of EIDs ........................................8
3.1.1. Mechanisms for an ETR to Originate EID-Prefixes .....9
3.1.2. Mechanisms for an ITR to Forward to EID-Prefixes ....9
3.1.3. Map-Server Model Preferred ..........................9
3.2. Connectivity to Non-LISP Sites ............................10
3.3. Caveats on the Use of Data-Probes .........................10
4. LISP+ALT: Overview .............................................10
4.1. ITR Traffic Handling ......................................11
4.2. EID Assignment - Hierarchy and Topology ...................12
4.3. Use of GRE and BGP between LISP-ALT Routers ...............14
5. EID-Prefix Propagation and Map-Request Forwarding ..............14
5.1. Changes to ITR Behavior with LISP+ALT .....................15
5.2. Changes to ETR Behavior with LISP+ALT .....................15
5.3. ALT Datagram Forwarding Failure ...........................16
6. BGP Configuration and Protocol Considerations ..................16
6.1. Autonomous System Numbers (ASNs) in LISP+ALT ..............16
6.2. Subsequent Address Family Identifier (SAFI) for LISP+ALT ..17
7. EID-Prefix Aggregation .........................................17
7.1. Stability of the ALT ......................................18
7.2. Traffic Engineering Using LISP ............................18
7.3. Edge Aggregation and Dampening ............................19
7.4. EID Assignment Flexibility vs. ALT Scaling ................19
8. Connecting Sites to the ALT Network ............................20
8.1. ETRs Originating Information into the ALT .................20
8.2. ITRs Using the ALT ........................................21
9. Security Considerations ........................................22
9.1. Apparent LISP+ALT Vulnerabilities .........................22
9.2. Survey of LISP+ALT Security Mechanisms ....................23
9.3. Use of Additional BGP Security Mechanisms .................24
10. Acknowledgments ...............................................24
11. References ....................................................24
11.1. Normative References .....................................24
11.2. Informative References ...................................25
This document describes the LISP+ALT system, used by an [RFC6830] Ingress Tunnel Router (ITR) or MR to find the Egress Tunnel Router (ETR) that holds the RLOC mapping information for a particular Endpoint Identifier (EID). The ALT network is built using the Border Gateway Protocol (BGP) [RFC4271], BGP multiprotocol extensions
本文档描述了LISP+ALT系统,[RFC6830]入口隧道路由器(ITR)或MR使用该系统查找出口隧道路由器(ETR),该路由器保存特定端点标识符(EID)的RLOC映射信息。ALT网络使用边界网关协议(BGP)[RFC4271],BGP多协议扩展构建
[RFC4760], and Generic Routing Encapsulation (GRE) [RFC2784] to construct an overlay network of devices (ALT-Routers) that operate on EID-Prefixes and use EIDs as forwarding destinations.
[RFC4760]和通用路由封装(GRE)[RFC2784]构建一个覆盖设备网络(ALT路由器),这些设备在EID前缀上运行,并使用EID作为转发目的地。
ALT-Routers advertise hierarchically delegated segments of the EID namespace (i.e., prefixes) toward the rest of the ALT; they also forward traffic destined for an EID covered by one of those prefixes toward the network element that is authoritative for that EID and is the origin of the BGP advertisement for that EID-Prefix. An ITR uses this overlay to send a LISP Map-Request (defined in [RFC6830]) to the ETR that holds the EID-to-RLOC mapping for a matching EID-Prefix. In most cases, an ITR does not connect directly to the overlay network but instead sends Map-Requests via a Map-Resolver (described in [RFC6833]) that does. Likewise, in most cases, an ETR does not connect directly to the overlay network but instead registers its EID-Prefixes with a Map-Server that advertises those EID-Prefixes on to the ALT and forwards Map-Requests for them to the ETR.
ALT路由器向ALT的其余部分发布EID名称空间(即前缀)的分层委托段;它们还将发送到由这些前缀之一覆盖的EID的流量转发到对该EID具有权威性并且是该EID前缀的BGP公告来源的网元。ITR使用此覆盖向ETR发送LISP映射请求(在[RFC6830]中定义),ETR保存匹配EID前缀的EID到RLOC映射。在大多数情况下,ITR不直接连接到覆盖网络,而是通过映射解析器(如[RFC6833]中所述)发送映射请求。同样,在大多数情况下,ETR不直接连接到覆盖网络,而是向地图服务器注册其EID前缀,该服务器将这些EID前缀播发到ALT,并将其地图请求转发到ETR。
It is important to note that the ALT does not distribute actual EID-to-RLOC mappings. What it does provide is a forwarding path from an ITR (or MR) that requires an EID-to-RLOC mapping to an ETR that holds that mapping. The ITR/MR uses this path to send an ALT Datagram (see Section 3) to an ETR, which then responds with a Map-Reply containing the needed mapping information.
需要注意的是,ALT并没有将实际的EID分发到RLOC映射。它提供的是从需要EID到RLOC映射的ITR(或MR)到保存该映射的ETR的转发路径。ITR/MR使用此路径将ALT数据报(见第3节)发送到ETR,ETR随后用包含所需映射信息的映射回复进行响应。
One design goal for LISP+ALT is to use existing technology wherever possible. To this end, the ALT is intended to be built using off-the-shelf routers that already implement the required protocols (BGP and GRE); little, if any, LISP-specific modifications should be needed for such devices to be deployed on the ALT (see Section 7 for aggregation requirements). Note, though, that organizational and operational considerations suggest that ALT-Routers be both logically and physically separate from the "native" Internet packet transport system; deploying this overlay on those routers that are already participating in the global routing system and actively forwarding Internet traffic is not recommended.
LISP+ALT的一个设计目标是尽可能使用现有技术。为此,ALT计划使用已经实现所需协议(BGP和GRE)的现成路由器构建;在ALT上部署此类设备时,几乎不需要(如果有)特定于LISP的修改(聚合要求见第7节)。不过,请注意,组织和操作方面的考虑表明,ALT路由器在逻辑和物理上都与“本机”互联网数据包传输系统分离;不建议在已经参与全局路由系统并主动转发Internet流量的路由器上部署此覆盖。
This specification is experimental, and there are areas where further experience is needed to understand the best implementation strategy, operational model, and effects on Internet operations. These areas include:
本规范是实验性的,在某些领域需要进一步的经验来理解最佳实施策略、运营模式以及对互联网运营的影响。这些领域包括:
o application effects of on-demand route map discovery
o 按需路线图发现的应用效果
o tradeoff in connection setup time vs. ALT design and performance when using a Map Request instead of carrying initial user data in a Data-Probe
o 使用映射请求而不是在数据探测器中携带初始用户数据时,连接设置时间与ALT设计和性能之间的权衡
o best practical ways to build ALT hierarchies
o 构建ALT层次结构的最佳实用方法
o effects of route leakage from ALT to the current Internet, particularly for LISP-to-non-LISP interworking
o 从ALT到当前Internet的路由泄漏的影响,尤其是LISP到非LISP互通
o effects of exceptional situations, such as denial-of-service (DoS) attacks
o 异常情况的影响,例如拒绝服务(DoS)攻击
Experimentation, measurements, and deployment experience on these aspects is appreciated. While these issues are conceptually well-understood (e.g., an ALT lookup causes potential delay for the first packet destined to a given network), the real-world operational effects are much less clear.
在这些方面的实验、测量和部署经验值得赞赏。虽然这些问题在概念上已得到很好的理解(例如,ALT查找会导致发送到给定网络的第一个数据包的潜在延迟),但实际操作效果却不太清楚。
The remainder of this document is organized as follows: Section 2 provides the definitions of terms used in this document. Section 3 outlines the LISP-ALT model, where EID-Prefixes are advertised using BGP on an overlay network (the "ALT") and Map-Requests are forwarded across it. Section 4 provides a basic overview of the LISP Alternative Logical Topology architecture, and Section 5 describes how the ALT uses BGP to propagate EID reachability over the overlay network. Section 6 describes other considerations for using BGP on the ALT. Section 7 describes the construction of the ALT aggregation hierarchy, and Section 8 discusses how LISP-ALT elements are connected to form the overlay network. Section 9 discusses security considerations relevant to LISP+ALT.
本文件的其余部分组织如下:第2节提供了本文件中所用术语的定义。第3节概述了LISP-ALT模型,其中EID前缀在覆盖网络(“ALT”)上使用BGP进行广告,映射请求在覆盖网络上转发。第4节提供了LISP替代逻辑拓扑结构的基本概述,第5节描述了ALT如何使用BGP在覆盖网络上传播EID可达性。第6节描述了在ALT上使用BGP的其他注意事项。第7节描述了ALT聚合层次结构的构造,第8节讨论了如何连接LISP-ALT元素以形成覆盖网络。第9节讨论了与LISP+ALT相关的安全注意事项。
This section provides high-level definitions of LISP concepts and components involved with and affected by LISP+ALT.
本节提供与LISP+ALT相关并受其影响的LISP概念和组件的高级定义。
Alternative Logical Topology (ALT): The virtual overlay network made up of tunnels between LISP-ALT Routers. The Border Gateway Protocol (BGP) runs between ALT-Routers and is used to carry reachability information for EID-Prefixes. The ALT provides a way to forward Map-Requests (and, if supported, Data-Probes) toward the ETR that "owns" an EID-Prefix. As a tunneled overlay, its performance is expected to be quite limited, so using it to forward high-bandwidth flows of Data-Probes is strongly discouraged (see Section 3.3 for additional discussion).
替代逻辑拓扑(ALT):由LISP-ALT路由器之间的隧道组成的虚拟覆盖网络。边界网关协议(BGP)在ALT路由器之间运行,用于传输EID前缀的可达性信息。ALT提供了一种向“拥有”EID前缀的ETR转发映射请求(以及,如果支持,数据探测)的方法。作为隧道覆盖,其性能预计将非常有限,因此强烈反对使用它转发数据探测器的高带宽流(更多讨论请参见第3.3节)。
ALT-Router: The device that runs on the ALT. The ALT is a static network built using tunnels between ALT-Routers. These routers are deployed in a roughly hierarchical mesh in which routers at each level in the topology are responsible for aggregating EID-Prefixes learned from those logically "below" them and advertising summary prefixes to those logically "above" them.
ALT路由器:在ALT上运行的设备。ALT是使用ALT路由器之间的隧道构建的静态网络。这些路由器部署在一个大致分层的网状结构中,拓扑结构中每一层的路由器负责聚合从逻辑上“低于”它们的路由器中学习到的EID前缀,并将摘要前缀发布到逻辑上“高于”它们的路由器中。
Prefix learning and propagation between ALT-Routers is done using BGP. An ALT-Router at the lowest level, or "edge" of the ALT, learns EID-Prefixes from its "client" ETRs. See Section 3.1 for a description of how EID-Prefixes are learned at the "edge" of the ALT. See also Section 6 for details on how BGP is configured between the different network elements. When an ALT-Router receives an ALT Datagram, it looks up the destination EID in its forwarding table (composed of EID-Prefix routes it learned from neighboring ALT-Routers) and forwards it to the logical next hop on the overlay network.
使用BGP完成ALT路由器之间的前缀学习和传播。最低级别的ALT路由器或ALT的“边缘”从其“客户端”ETR中学习EID前缀。有关如何在ALT的“边缘”学习EID前缀的说明,请参见第3.1节。有关如何在不同网络元素之间配置BGP的详细信息,请参见第6节。当ALT路由器接收到ALT数据报时,它在其转发表中查找目标EID(由从相邻ALT路由器学到的EID前缀路由组成),并将其转发到覆盖网络上的逻辑下一跳。
Endpoint ID (EID): A 32-bit (for IPv4) or 128-bit (for IPv6) value used to identify the ultimate source or destination for a LISP-encapsulated packet. See [RFC6830] for details.
端点ID(EID):用于标识LISP封装数据包的最终源或目标的32位(对于IPv4)或128位(对于IPv6)值。详见[RFC6830]。
EID-Prefix: A set of EIDs delegated in a power-of-two block. Information about EID-Prefixes is exchanged among ALT-Routers (not on the global Internet) using BGP, and EID-Prefixes are expected to be assigned in a hierarchical manner such that they can be aggregated by ALT-Routers. Such a block is characterized by a prefix and a length. Note that while the ALT routing system considers an EID-Prefix to be an opaque block of EIDs, an end site may put site-local, topologically relevant structure (subnetting) into an EID-Prefix for intra-site routing.
EID前缀:在两个块的幂中委派的一组EID。关于EID前缀的信息在使用BGP的ALT路由器(不在全球互联网上)之间交换,并且EID前缀预期以分层方式分配,以便它们可以由ALT路由器聚合。这种块的特征是前缀和长度。请注意,尽管ALT路由系统将EID前缀视为EID的不透明块,但终端站点可能会将站点本地拓扑相关结构(子网)放入EID前缀中,以进行站点内路由。
Aggregated EID-Prefixes: A set of individual EID-Prefixes that have been aggregated in the [RFC4632] sense.
聚合EID前缀:在[RFC4632]意义上聚合的一组单个EID前缀。
Map-Server (MS): An edge ALT-Router that provides a registration function for non-ALT-connected ETRs, originates EID-Prefixes into the ALT on behalf of those ETRs, and forwards Map-Requests to them. See [RFC6833] for details.
地图服务器(MS):边缘ALT路由器,为非ALT连接的ETR提供注册功能,代表这些ETR将EID前缀发送到ALT中,并将地图请求转发给它们。详见[RFC6833]。
Map-Resolver (MR): An edge ALT-Router that accepts an Encapsulated Map-Request from a non-ALT-connected ITR, decapsulates it, and forwards it on to the ALT toward the ETR that owns the requested EID-Prefix. See [RFC6833] for details.
映射解析器(MR):一种边缘ALT路由器,它接受来自非ALT连接的ITR的封装映射请求,将其解除封装,并将其转发到ALT上,指向拥有所请求EID前缀的ETR。详见[RFC6833]。
Ingress Tunnel Router (ITR): A router that sends LISP Map-Requests or encapsulates IP datagrams with LISP headers, as defined in [RFC6830]. In this document, "ITR" refers to any device implementing ITR functionality, including a Proxy-ITR (see [RFC6832]). Under some circumstances, a LISP Map-Resolver may also originate Map-Requests (see [RFC6833]).
入口隧道路由器(ITR):发送LISP映射请求或用LISP头封装IP数据报的路由器,如[RFC6830]中所定义。在本文档中,“ITR”指实现ITR功能的任何设备,包括代理ITR(参见[RFC6832])。在某些情况下,LISP映射解析器也可能发起映射请求(请参见[RFC6833])。
Egress Tunnel Router (ETR): A router that sends LISP Map-Replies in response to LISP Map-Requests and decapsulates LISP-encapsulated IP datagrams for delivery to end-systems, as defined in [RFC6830]. In this document, "ETR" refers to any device implementing ETR functionality, including a Proxy-ETR (see [RFC6832]). Under some circumstances, a LISP Map-Server may also respond to Map-Requests (see [RFC6833]).
出口隧道路由器(ETR):根据[RFC6830]中的定义,发送LISP Map回复以响应LISP Map请求,并对LISP封装的IP数据报进行去封装以交付给终端系统的路由器。在本文件中,“ETR”指实现ETR功能的任何设备,包括代理ETR(见[RFC6832])。在某些情况下,LISP映射服务器也可能响应映射请求(请参见[RFC6833])。
Routing Locator (RLOC): A routable IP address for a LISP Tunnel Router (ITR or ETR). Interchangeably referred to as a "locator" in this document. An RLOC is also the output of an EID-to-RLOC mapping lookup; an EID-Prefix maps to one or more RLOCs. Typically, RLOCs are numbered from topologically aggregatable blocks that are assigned to a site at each point where it attaches to the global Internet; where the topology is defined by the connectivity of provider networks, RLOCs can be thought of as Provider-Assigned (PA) addresses. Routing for RLOCs is not carried on the ALT.
路由定位器(RLOC):LISP隧道路由器(ITR或ETR)的可路由IP地址。在本文件中可替换地称为“定位器”。RLOC也是EID到RLOC映射查找的输出;EID前缀映射到一个或多个RLOC。通常,RLOC从拓扑上可聚合的块中进行编号,这些块在其连接到全球互联网的每个点处分配给站点;如果拓扑由提供商网络的连接性定义,则可以将RLOC视为提供商分配(PA)地址。RLOC的路由不在ALT上进行。
EID-to-RLOC Mapping: A binding between an EID-Prefix and the set of RLOCs that can be used to reach it; sometimes simply referred to as a "mapping".
EID到RLOC映射:EID前缀和可用于访问它的RLOC集之间的绑定;有时简单地称为“映射”。
EID-Prefix Reachability: An EID-Prefix is said to be "reachable" if at least one of its Locators is reachable. That is, an EID-Prefix is reachable if the ETR that is authoritative for a given EID-to-RLOC mapping is reachable.
EID前缀可访问性:如果EID前缀至少有一个定位器是可访问的,则称其为“可访问”。也就是说,如果给定EID到RLOC映射的权威ETR是可访问的,则EID前缀是可访问的。
Default Mapping: A mapping entry for EID-Prefix 0.0.0.0/0 (::/0 for IPv6). It maps to a Locator-Set used for all EIDs in the Internet. If there is a more-specific EID-Prefix in the map-cache, it overrides the Default Mapping entry. The Default Mapping entry can be learned by configuration or from a Map-Reply message.
默认映射:EID前缀0.0.0.0/0的映射项(::/0表示IPv6)。它映射到用于Internet中所有EID的定位器集。如果地图缓存中有更具体的EID前缀,它将覆盖默认的地图条目。默认映射条目可以通过配置或映射回复消息学习。
ALT Default Route: An EID-Prefix value of 0.0.0.0/0 (or ::/0 for IPv6) that may be learned from the ALT or statically configured on an edge ALT-Router. The ALT Default Route defines a forwarding path for a packet to be sent into the ALT on a router that does not have a full ALT forwarding database.
ALT默认路由:EID前缀值为0.0.0.0/0(对于IPv6为::/0),可以从ALT中学习,也可以在边缘ALT路由器上静态配置。ALT默认路由为要发送到没有完整ALT转发数据库的路由器上的ALT的数据包定义转发路径。
The LISP-ALT model uses the same basic query/response protocol that is documented in [RFC6830]. In particular, LISP+ALT provides two types of packets that an ITR can originate to obtain EID-to-RLOC mappings:
LISP-ALT模型使用与[RFC6830]中所述相同的基本查询/响应协议。特别是,LISP+ALT提供了两种类型的数据包,ITR可以发起这些数据包来获得EID到RLOC的映射:
Map-Request: A Map-Request message is sent into the ALT to request an EID-to-RLOC mapping. The ETR that owns the mapping will respond to the ITR with a Map-Reply message. Since the ALT only forwards on EID destinations, the destination address of the Map-Request sent on the ALT must be an EID.
映射请求:将映射请求消息发送到ALT以请求EID到RLOC的映射。拥有映射的ETR将使用映射回复消息响应ITR。由于ALT仅在EID目的地上转发,因此在ALT上发送的映射请求的目的地地址必须是EID。
Data-Probe: Alternatively, an ITR may encapsulate and send the first data packet destined for an EID with no known RLOCs into the ALT as a Data-Probe. This might be done to minimize packet loss and to probe for the mapping. As above, the authoritative ETR for the EID-Prefix will respond to the ITR with a Map-Reply message when it receives the data packet over the ALT. As a side-effect, the encapsulated data packet is delivered to the end-system at the ETR site. Note that the Data-Probe's inner IP destination address, which is an EID, is copied to the outer IP destination address so that the resulting packet can be routed over the ALT. See Section 3.3 for caveats on the usability of Data-Probes.
数据探测:或者,ITR可以将目的地为EID且没有已知RLOC的第一个数据包作为数据探测封装并发送到ALT中。这可能是为了最小化数据包丢失和探测映射。如上所述,EID前缀的权威ETR在通过ALT接收数据包时,将使用Map回复消息对ITR作出响应。作为一种副作用,封装的数据包被传送到ETR站点的终端系统。请注意,数据探测器的内部IP目标地址(EID)被复制到外部IP目标地址,以便生成的数据包可以通过ALT路由。有关数据探测器可用性的注意事项,请参见第3.3节。
The term "ALT Datagram" is shorthand for a Map-Request or Data-Probe to be sent into or forwarded on the ALT. Note that such packets use an RLOC as the outer-header source IP address and an EID as the outer-header destination IP address.
术语“ALT数据报”是发送到ALT或在ALT上转发的映射请求或数据探测的缩写。请注意,此类数据包使用RLOC作为外部报头源IP地址,使用EID作为外部报头目标IP地址。
Detailed descriptions of the LISP packet types referenced by this document may be found in [RFC6830].
本文件引用的LISP数据包类型的详细说明见[RFC6830]。
A LISP EID has the same syntax as an IP address and can be used, unaltered, as the source or destination of an IP datagram. In general, though, EIDs are not routable on the public Internet; LISP+ ALT provides a separate, virtual network, known as the LISP Alternative Logical Topology (ALT) on which a datagram using an EID as an IP destination address may be transmitted. This network is built as an overlay on the public Internet using tunnels to interconnect ALT-Routers. BGP runs over these tunnels to propagate path information needed to forward ALT Datagrams. Importantly, while the ETRs are the source(s) of the unaggregated EID-Prefixes, LISP+ALT uses existing BGP mechanisms to aggregate this information.
LISP EID与IP地址具有相同的语法,可以作为IP数据报的源或目标使用,不作更改。不过,一般来说,EID不能在公共互联网上路由;LISP+ALT提供了一个独立的虚拟网络,称为LISP替代逻辑拓扑(ALT),在该网络上可以传输使用EID作为IP目标地址的数据报。该网络构建为覆盖在公共互联网上,使用隧道互连ALT路由器。BGP通过这些隧道传播转发ALT数据报所需的路径信息。重要的是,虽然ETR是未聚合EID前缀的来源,但LISP+ALT使用现有的BGP机制来聚合此信息。
There are three ways that an ETR may originate its mappings into the ALT:
ETR可以通过三种方式将其映射到ALT:
1. By registration with a Map-Server, as documented in [RFC6833]. This is the common case and is expected to be used by the majority of ETRs.
1. 通过向地图服务器注册,如[RFC6833]中所述。这是常见的情况,预计大多数ETR都会使用。
2. Using a "static route" on the ALT. Where no Map-Server is available, an edge ALT-Router may be configured with a "static EID-Prefix route" pointing to an ETR.
2. 在ALT上使用“静态路由”。在没有地图服务器的情况下,边缘ALT路由器可以配置指向ETR的“静态EID前缀路由”。
3. Edge connection to the ALT. If a site requires fine-grained control over how its EID-Prefixes are advertised into the ALT, it may configure its ETR(s) with tunnel and BGP connections to edge ALT-Routers.
3. 到ALT的边缘连接。如果站点需要对其EID前缀在ALT中的播发方式进行细粒度控制,则可以使用到边缘ALT路由器的隧道和BGP连接配置其ETR。
There are three ways that an ITR may send ALT Datagrams:
ITR可以通过三种方式发送ALT数据报:
1. Through a Map-Resolver, as documented in [RFC6833]. This is the common case and is expected to be used by the majority of ITRs.
1. 通过映射解析器,如[RFC6833]中所述。这是常见的情况,预计大多数ITR都会使用。
2. Using a "default route". Where a Map-Resolver is not available, an ITR may be configured with a static ALT Default Route pointing to an edge ALT-Router.
2. 使用“默认路由”。在地图解析器不可用的情况下,可以使用指向边缘ALT路由器的静态ALT默认路由配置ITR。
3. Edge connection to the ALT. If a site requires fine-grained knowledge of what prefixes exist on the ALT, it may configure its ITR(s) with tunnel and BGP connections to edge ALT-Routers.
3. 到ALT的边缘连接。如果站点需要关于ALT上存在哪些前缀的细粒度知识,则可以使用到边缘ALT路由器的隧道和BGP连接配置其ITR。
The ALT-connected ITR and ETR cases are expected to be rare, as the Map-Server/Map-Resolver model is simpler for an ITR/ETR operator to use and also provides a more general service interface to not only the ALT but to other mapping databases that may be developed in the future.
预计ALT连接的ITR和ETR案例将很少见,因为地图服务器/地图解析器模型对于ITR/ETR操作员来说使用起来更简单,而且还为ALT以及将来可能开发的其他地图数据库提供了更通用的服务接口。
As stated above, EIDs used as IP addresses by LISP sites are not routable on the public Internet. This implies that, absent a mechanism for communication between LISP and non-LISP sites, connectivity between them is not possible. To resolve this problem, an "interworking" technology has been defined; see [RFC6832] for details.
如上所述,LISP站点用作IP地址的EID不能在公共Internet上路由。这意味着,由于缺少LISP和非LISP站点之间的通信机制,它们之间的连接是不可能的。为了解决这个问题,定义了“互通”技术;详见[RFC6832]。
It is worth noting that there has been a great deal of discussion and controversy about whether Data-Probes are a good idea. On the one hand, using them offers a method of avoiding the "first packet drop" problem when an ITR does not have a mapping for a particular EID-Prefix. On the other hand, forwarding data packets on the ALT would require that it either be engineered to support relatively high traffic rates, which is not generally feasible for a tunneled network, or that it be carefully designed to aggressively rate-limit traffic to avoid congestion or DoS attacks. There may also be issues caused by different latency or other performance characteristics between the ALT path taken by an initial Data-Probe and the "Internet" path taken by subsequent packets on the same flow once a mapping is in place on an ITR. For these reasons, the use of Data-Probes is not recommended at this time; they should only be originated from an ITR when explicitly configured to do so, and such configuration should only be enabled when performing experiments intended to test the viability of using Data-Probes.
值得注意的是,关于数据探测是否是一个好主意,已经有了大量的讨论和争议。一方面,当ITR没有特定EID前缀的映射时,使用它们提供了一种避免“第一数据包丢失”问题的方法。另一方面,在ALT上转发数据包需要将其设计为支持相对较高的通信速率,这对于隧道网络来说通常是不可行的,或者需要仔细设计以积极地限制通信速率以避免拥塞或DoS攻击。一旦在ITR上建立映射,初始数据探测器采用的ALT路径和同一流上后续数据包采用的“Internet”路径之间的不同延迟或其他性能特征也可能导致问题。由于这些原因,目前不建议使用数据探针;只有在明确配置时,它们才应来自ITR,并且只有在执行旨在测试使用数据探针可行性的实验时,才应启用此类配置。
LISP+ALT is a hybrid push/pull architecture. Aggregated EID-Prefixes are advertised among the ALT-Routers and to those (rare) ITRs that are directly connected via a tunnel and BGP to the ALT. Specific EID-to-RLOC mappings are requested by an ITR (and returned by an ETR) using LISP when it sends a request either via a Map-Resolver or to an edge ALT-Router.
LISP+ALT是一种混合的推/拉体系结构。聚合的EID前缀在ALT路由器之间以及通过隧道和BGP直接连接到ALT的那些(罕见)ITR之间播发。当ITR通过映射解析程序或边缘ALT路由器发送请求时,特定的EID到RLOC映射由ITR使用LISP请求(并由ETR返回)。
The basic idea embodied in LISP+ALT is to use BGP, running on a tunneled overlay network (the ALT), to establish reachability between ALT-Routers. The ALT BGP Routing Information Base (RIB) is comprised of EID-Prefixes and associated next hops. ALT-Routers interconnect using BGP and propagate EID-Prefix updates among themselves. EID-Prefix information is learned from ETRs at the "edge" of the ALT either through the use of the Map-Server interface (the common case), by static configuration, or by BGP-speaking ETRs.
LISP+ALT中包含的基本思想是使用运行在隧道覆盖网络(ALT)上的BGP在ALT路由器之间建立可达性。ALT BGP路由信息库(RIB)由EID前缀和相关的下一跳组成。ALT路由器使用BGP互连,并在它们之间传播EID前缀更新。EID前缀信息可通过使用地图服务器接口(常见情况)、静态配置或讲BGP的ETR从ALT“边缘”的ETR中获取。
Map-Resolvers learns paths through the ALT to Map-Servers for EID-Prefixes. An ITR will normally use a Map-Resolver to send its ALT Datagrams on to the ALT but may, in unusual cases (see Section 3.1.2), use a static ALT Default Route or connect to the ALT using BGP. Likewise, an ETR will normally register its prefixes in the mapping database using a Map-Server or can sometimes (see Section 3.1.1) connect directly to the ALT using BGP. See [RFC6833] for details on Map-Servers and Map-Resolvers.
映射解析器通过ALT来学习EID前缀映射服务器的路径。ITR通常使用Map解析器将其ALT数据报发送到ALT,但在特殊情况下(见第3.1.2节),可以使用静态ALT默认路由或使用BGP连接到ALT。同样,ETR通常会使用地图服务器在地图数据库中注册其前缀,或者有时(参见第3.1.1节)可以使用BGP直接连接到ALT。有关映射服务器和映射解析器的详细信息,请参见[RFC6833]。
Note that while this document specifies the use of Generic Routing Encapsulation (GRE) as a tunneling mechanism, there is no reason that parts of the ALT cannot be built using other tunneling technologies, particularly in cases where GRE does not meet security, management, or other operational requirements. References to "GRE tunnel" in later sections of this document should therefore not be taken as prohibiting or precluding the use of other tunneling mechanisms. Note also that two ALT-Routers that are directly adjacent (with no layer-3 router hops between them) need not use a tunnel between them; in this case, BGP may be configured across the interfaces that connect to their common subnet, and that subnet is then considered to be part of the ALT topology. The use of techniques such as "eBGP multihop" to connect ALT-Routers that do not share a tunnel or common subnet is not recommended, as the non-ALT routers in between the ALT-Routers in such a configuration may not have information necessary to forward ALT Datagrams destined to EID-Prefixes exchanged across that BGP session.
请注意,虽然本文档指定使用通用路由封装(GRE)作为隧道机制,但没有理由不能使用其他隧道技术构建ALT的部分,特别是在GRE不满足安全、管理或其他操作要求的情况下。因此,本文件后面章节中提及的“GRE隧道”不应被视为禁止或排除使用其他隧道机制。还要注意的是,两个直接相邻的ALT路由器(它们之间没有第3层路由器跳数)不需要在它们之间使用隧道;在这种情况下,可以跨连接到其公共子网的接口配置BGP,然后将该子网视为ALT拓扑的一部分。不建议使用诸如“eBGP多跳”之类的技术来连接不共享隧道或公共子网的ALT路由器,因为在这种配置中,ALT路由器之间的非ALT路由器可能不具有转发通过该BGP会话交换的注定为EID前缀的ALT数据报所需的信息。
In summary, LISP+ALT uses BGP to build paths through ALT-Routers so that an ALT Datagram sent into the ALT can be forwarded to the ETR that holds the EID-to-RLOC mapping for that EID-Prefix. This reachability is carried as IPv4 or IPv6 Network Layer Reachability Information (NLRI) without modification (since an EID-Prefix has the same syntax as an IPv4 or IPv6 address prefix). ALT-Routers establish BGP sessions with one another, forming the ALT. An ALT-Router at the "edge" of the topology learns EID-Prefixes originated by authoritative ETRs. Learning may be through the Map-Server interface, by static configuration, or via BGP with the ETRs. An ALT-Router may also be configured to aggregate EID-Prefixes received from ETRs or from other LISP-ALT Routers that are topologically "downstream" from it.
总之,LISP+ALT使用BGP通过ALT路由器构建路径,以便发送到ALT的ALT数据报可以转发到ETR,ETR保存该EID前缀的EID到RLOC映射。此可达性作为IPv4或IPv6网络层可达性信息(NLRI)携带,无需修改(因为EID前缀的语法与IPv4或IPv6地址前缀相同)。ALT路由器彼此建立BGP会话,形成ALT。位于拓扑“边缘”的ALT路由器学习权威ETR发出的EID前缀。学习可以通过地图服务器接口、静态配置或通过带有ETRs的BGP进行。ALT路由器还可以配置为聚合从ETR或从拓扑上“下游”的其他LISP-ALT路由器接收的EID前缀。
When an ITR receives a packet originated by an end-system within its site (i.e., a host for which the ITR is the exit path out of the site) and the destination EID for that packet is not known in the ITR's map-cache, the ITR creates either a Map-Request for the destination EID or the original packet encapsulated as a Data-Probe
当ITR在其站点(即,ITR是站点出口路径的主机)内接收到由终端系统发起的数据包,并且该数据包的目标EID在ITR的映射缓存中未知时,ITR为目标EID或封装为数据探测器的原始数据包创建映射请求
(see Section 3.3 for caveats on the usability of Data-Probes). The result, known as an ALT Datagram, is then sent to an ALT-Router (see also [RFC6833] for non-ALT-connected ITRs, noting that Data-Probes cannot be sent to a Map-Resolver). This "first-hop" ALT-Router uses EID-Prefix routing information learned from other ALT-Routers via BGP to guide the packet to the ETR that "owns" the prefix. Upon receipt by the ETR, normal LISP processing occurs: the ETR responds to the ITR with a LISP Map-Reply that lists the RLOCs (and, thus, the ETRs to use) for the EID-Prefix. For Data-Probes, the ETR also decapsulates the packet and transmits it toward its destination.
(有关数据探针可用性的注意事项,请参见第3.3节)。结果称为ALT数据报,然后发送到ALT路由器(对于未连接ALT的ITR,另请参见[RFC6833],注意数据探测不能发送到Map解析器)。此“第一跳”ALT路由器使用通过BGP从其他ALT路由器学习的EID前缀路由信息将数据包引导到“拥有”前缀的ETR。ETR收到后,将进行正常的LISP处理:ETR使用LISP映射回复ITR,其中列出EID前缀的RLOC(以及要使用的ETR)。对于数据探测,ETR还对数据包进行解封,并将其发送到目的地。
Upon receipt of the Map-Reply, the ITR installs the RLOC information for a given prefix into a local mapping database. With these mapping entries stored, additional packets destined to the given EID-Prefix are routed directly to an RLOC without use of the ALT, until either the entry's Time to Live (TTL) has expired or the ITR can otherwise find no reachable ETR. Note that a current mapping may exist that contains no reachable RLOCs; this is known as a Negative Cache Entry, and it indicates that packets destined to the EID-Prefix are to be dropped.
收到映射回复后,ITR将给定前缀的RLOC信息安装到本地映射数据库中。存储这些映射条目后,发送到给定EID前缀的附加数据包将直接路由到RLOC,而不使用ALT,直到条目的生存时间(TTL)过期或ITR无法找到可访问的ETR为止。注意,可能存在不包含可到达RLOC的当前映射;这被称为负缓存项,它表示要丢弃以EID前缀为目的地的数据包。
Full details on Map-Request/Map-Reply processing may be found in [RFC6830].
有关Map请求/Map回复处理的完整详细信息,请参见[RFC6830]。
Traffic routed on to the ALT consists solely of ALT Datagrams, i.e., Map-Requests and Data-Probes (if supported). Given the relatively low performance expected of a tunneled topology, ALT-Routers (and Map-Resolvers) should aggressively rate-limit the ingress of ALT Datagrams from ITRs and, if possible, should be configured to not accept packets that are not ALT Datagrams.
路由到ALT的流量仅由ALT数据报组成,即映射请求和数据探测(如果支持)。鉴于隧道拓扑的预期性能相对较低,ALT路由器(和Map解析器)应积极限制从ITR进入ALT数据报的速率,如果可能,应配置为不接受非ALT数据报的数据包。
The ALT database is organized in a hierarchical manner with EID-Prefixes aggregated on power-of-2 block boundaries. Where a LISP site has multiple EID-Prefixes that are aligned on a power-of-2 block boundary, they should be aggregated into a single EID-Prefix for advertisement. The ALT network is built in a roughly hierarchical, partial mesh that is intended to allow aggregation where clearly defined hierarchical boundaries exist. Building such a structure should minimize the number of EID-Prefixes carried by LISP+ALT nodes near the top of the hierarchy.
ALT数据库以分层方式组织,EID前缀聚集在二次幂块边界上。如果LISP站点具有多个EID前缀,且这些前缀在二次幂块边界上对齐,则应将它们聚合为一个EID前缀以进行广告。ALT网络构建在一个大致分层的局部网格中,旨在允许在存在明确定义的分层边界的地方进行聚合。构建这样的结构应该尽量减少层次结构顶部附近LISP+ALT节点携带的EID前缀数量。
Routes on the ALT do not need to respond to changes in policy, subscription, or underlying physical connectivity, so the topology can remain relatively static and aggregation can be sustained. Because routing on the ALT uses BGP, the same rules apply for generating aggregates; in particular, an ALT-Router should only be
ALT上的路由不需要响应策略、订阅或基础物理连接的更改,因此拓扑可以保持相对静态,聚合可以持续。因为ALT上的路由使用BGP,所以相同的规则适用于生成聚合;特别是,ALT路由器应仅为
configured to generate an aggregate if it is configured with BGP sessions to all of the originators of components (more-specific prefixes) of that aggregate. Not all of the components need to be present for the aggregate to be originated (some may be holes in the covering prefix, and some may be down), but the aggregating router must be configured to learn the state of all of the components.
配置为生成聚合,如果该聚合配置了与该聚合组件(更具体的前缀)的所有发起人的BGP会话。并非所有组件都需要存在才能发起聚合(一些可能是覆盖前缀中的漏洞,一些可能是关闭的),但聚合路由器必须配置为了解所有组件的状态。
Under what circumstances the ALT-Router actually generates the aggregate is a matter of local policy: in some cases, it will be statically configured to do so at all times with a "static discard" route. In other cases, it may be configured to only generate the aggregate prefix if at least one of the components of the aggregate is learned via BGP.
在什么情况下,ALT路由器实际生成聚合是本地策略的问题:在某些情况下,它将被静态配置为始终使用“静态丢弃”路由生成聚合。在其他情况下,如果通过BGP学习了聚合的至少一个组件,则可以将其配置为仅生成聚合前缀。
An ALT-Router must not generate an aggregate that includes a non-LISP-speaking hole unless it can be configured to return a Negative Map-Reply with action="Natively-Forward" (see [RFC6830]) if it receives an ALT Datagram that matches that hole. If it receives an ALT Datagram that matches a LISP-speaking hole that is currently not reachable, it should return a Negative Map-Reply with action="drop". Negative Map-Replies should be returned with a short TTL, as specified in [RFC6833]. Note that an off-the-shelf, non-LISP-speaking router configured as an aggregating ALT-Router cannot send Negative Map-Replies, so such a router must never originate an aggregate that includes a non-LISP-speaking hole.
ALT路由器不得生成包含非LISP语音孔的聚合,除非可以配置为在收到与该孔匹配的ALT数据报时返回带有action=“native Forward”(请参见[RFC6830])的否定映射回复。如果它接收到一个ALT数据报,该数据报与当前无法访问的LISP语音孔相匹配,它应该返回一个带有action=“drop”的否定映射回复。按照[RFC6833]中的规定,负面映射回复应返回一个简短的TTL。请注意,配置为聚合ALT路由器的现成非LISP语音路由器不能发送否定的Map回复,因此此类路由器不得发起包含非LISP语音孔的聚合。
This implies that two ALT-Routers that share an overlapping set of prefixes must exchange those prefixes if either is to generate and export a covering aggregate for those prefixes. It also implies that an ETR that connects to the ALT using BGP must maintain BGP sessions with all of the ALT-Routers that are configured to originate an aggregate that covers that prefix and that each of those ALT-Routers must be explicitly configured to know the set of EID-Prefixes that make up any aggregate that it originates. See also [RFC6833] for an example of other ways that prefix origin consistency and aggregation can be maintained.
这意味着共享一组重叠前缀的两个ALT路由器必须交换这些前缀,如果其中一个要生成并导出这些前缀的覆盖聚合。这还意味着使用BGP连接到ALT的ETR必须与所有配置为发起覆盖该前缀的聚合的ALT路由器保持BGP会话,并且必须明确配置这些ALT路由器中的每一个,以了解构成其发起的任何聚合的EID前缀集。另请参见[RFC6833]以获取维护前缀源一致性和聚合的其他方法的示例。
As an example, consider ETRs that are originating EID-Prefixes for 10.1.0.0/24, 10.1.64.0/24, 10.1.128.0/24, and 10.1.192.0/24. An ALT-Router should only be configured to generate an aggregate for 10.1.0.0/16 if it has BGP sessions configured with all of these ETRs, in other words, only if it has sufficient knowledge about the state of those prefixes to summarize them. If the Router originating 10.1.0.0/16 receives an ALT Datagram destined for 10.1.77.88, a non-LISP destination covered by the aggregate, it returns a Negative Map-Reply with action "Natively-Forward". If it receives an ALT
作为一个例子,考虑ESTR是EID前缀为101.0.0/24,101.64.0/24,101.128 0/24,和101.192.0/24。如果ALT路由器的BGP会话配置了所有这些ETR,则只应将其配置为生成10.1.0.0/16的聚合,换句话说,只有当它对这些前缀的状态有足够的了解以对其进行汇总时,才应将其配置为生成聚合。如果源于10.1.0.0/16的路由器接收到一个目的地为10.1.77.88的ALT数据报(聚合所覆盖的非LISP目的地),它将返回一个带有“本机转发”操作的否定映射回复。如果它收到ALT
Datagram destined for 10.1.128.199 but the configured LISP prefix 10.1.128.0/24 is unreachable, it returns a Negative Map-Reply with action "drop".
目标为10.1.128.199的数据报,但无法访问配置的LISP前缀10.1.128.0/24,它返回带有操作“drop”的否定映射回复。
Note: Much is currently uncertain about the best way to build the ALT network; as testing and prototype deployment proceed, a guide to how to best build the ALT network will be developed.
注:目前关于构建ALT网络的最佳方式还不确定;随着测试和原型部署的进行,将制定如何最佳构建ALT网络的指南。
The ALT network is built using GRE tunnels between ALT-Routers. BGP sessions are configured over those tunnels, with each ALT-Router acting as a separate Autonomous System (AS) "hop" in a Path Vector for BGP. For the purposes of LISP+ALT, the AS-path is used solely as a shortest-path determination and loop-avoidance mechanism. Because all next hops are on tunnel interfaces, no IGP is required to resolve those next hops to exit interfaces.
ALT网络是使用ALT路由器之间的GRE隧道构建的。BGP会话通过这些隧道进行配置,每个ALT路由器充当BGP路径向量中的独立自治系统(作为“跳”)。对于LISP+ALT,AS路径仅用作最短路径确定和循环避免机制。因为所有下一跳都在隧道接口上,所以不需要IGP来解析这些下一跳以退出接口。
LISP+ALT's use of GRE and BGP facilitates deployment and operation of LISP because no new protocols need to be defined, implemented, or used on the overlay topology; existing BGP/GRE tools and operational expertise are also re-used. Tunnel address assignment is also easy: since the addresses on an ALT tunnel are only used by the pair of routers connected to the tunnel, the only requirement of the IP addresses used to establish that tunnel is that the attached routers be reachable by each other; any addressing plan, including private addressing, can therefore be used for ALT tunnels.
LISP+ALT对GRE和BGP的使用促进了LISP的部署和操作,因为无需在覆盖拓扑上定义、实施或使用新协议;现有的BGP/GRE工具和运营专业知识也被重新利用。隧道地址分配也很容易:由于ALT隧道上的地址仅由连接到隧道的一对路由器使用,用于建立该隧道的IP地址的唯一要求是连接的路由器彼此可以访问;因此,任何寻址计划(包括专用寻址)都可以用于ALT隧道。
As described in Section 8.2, an ITR sends an ALT Datagram to a given EID-to-RLOC mapping. The ALT provides the infrastructure that allows these requests to reach the authoritative ETR.
如第8.2节所述,ITR向给定的EID到RLOC映射发送ALT数据报。ALT提供了允许这些请求到达权威ETR的基础结构。
Note that under normal circumstances Map-Replies are not sent over the ALT; an ETR sends a Map-Reply to one of the ITR RLOCs learned from the original Map-Request. See Sections 6.1.2 and 6.2 of [RFC6830] for more information on the use of the Map-Request 'ITR RLOC Address' field. Keep in mind that the 'ITR RLOC Address' field supports multiple RLOCs in multiple address families, so a Map-Reply sent in response to a Map-Request is not necessarily sent back to the Map-Request RLOC source.
请注意,在正常情况下,Map回复不会通过ALT发送;ETR向从原始Map请求中学习的其中一个ITR RLOC发送Map回复。有关Map请求“ITR RLOC地址”字段使用的更多信息,请参见[RFC6830]第6.1.2节和第6.2节。请记住,“ITR RLOC地址”字段支持多个地址族中的多个RLOC,因此响应Map请求发送的Map应答不一定发送回Map请求RLOC源。
There may be scenarios, perhaps to encourage caching of EID-to-RLOC mappings by ALT-Routers, where Map-Replies could be sent over the ALT or where a "first-hop" ALT-Router might modify the originating RLOC on a Map-Request received from an ITR to force the Map-Reply to be
可能存在这样的情况,可能是为了鼓励ALT路由器缓存EID到RLOC的映射,其中Map应答可以通过ALT发送,或者“第一跳”ALT路由器可以修改从ITR接收的Map请求上的原始RLOC,以强制执行Map应答
returned to the "first-hop" ALT-Router. These cases will not be supported by initial LISP+ALT implementations but may be subject to future experimentation.
返回到“第一跳”ALT路由器。这些情况将不受初始LISP+ALT实现的支持,但可能会在将来进行实验。
ALT-Routers propagate path information via BGP ([RFC4271]) that is used by ITRs to send ALT Datagrams toward the appropriate ETR for each EID-Prefix. BGP is run on the inter-ALT-Router links, and possibly between an edge ("last-hop") ALT-Router and an ETR or between an edge ("first-hop") ALT-Router and an ITR. The ALT BGP RIB consists of aggregated EID-Prefixes and their next hops toward the authoritative ETR for that EID-Prefix.
ALT路由器通过BGP([RFC4271])传播路径信息,ITRs使用BGP向每个EID前缀的相应ETR发送ALT数据报。BGP在ALT路由器间链路上运行,可能在边缘(“最后一跳”)ALT路由器和ETR之间或边缘(“第一跳”)ALT路由器和ITR之间运行。ALT BGP RIB由聚合的EID前缀及其向该EID前缀的权威ETR的下一跳组成。
As previously described, an ITR will usually use the Map-Resolver interface and will send its Map Requests to a Map-Resolver. When an ITR instead connects via tunnels and BGP to the ALT, it sends ALT Datagrams to one of its "upstream" ALT-Routers; these are sent only to obtain new EID-to-RLOC mappings -- RLOC probe and cache TTL refresh Map-Requests are not sent on the ALT. As in basic LISP, it should use one of its RLOCs as the source address of these queries; it should not use a tunnel interface as the source address, as doing so will cause replies to be forwarded over the tunneled topology and may be problematic if the tunnel interface address is not routed throughout the ALT. If the ITR is running BGP with the LISP-ALT Router(s), it selects the appropriate ALT-Router based on the BGP information received. If it is not running BGP, it uses a statically configured ALT Default Route to select an ALT-Router.
如前所述,ITR通常使用Map解析器接口,并将其Map请求发送给Map解析器。当ITR通过隧道和BGP连接到ALT时,它将ALT数据报发送到其“上游”ALT路由器之一;发送这些请求只是为了获得新的EID到RLOC映射——RLOC探测和缓存TTL刷新映射请求不会在ALT上发送。与基本LISP一样,它应该使用其中一个RLOC作为这些查询的源地址;它不应使用隧道接口作为源地址,因为这样做会导致通过隧道拓扑转发回复,如果隧道接口地址未在整个ALT中路由,则可能会出现问题。如果ITR使用LISP-ALT路由器运行BGP,它根据收到的BGP信息选择适当的ALT路由器。如果没有运行BGP,它将使用静态配置的ALT默认路由来选择ALT路由器。
As previously described, an ETR will usually use the Map-Server interface (see [RFC6833]) and will register its EID-Prefixes with its configured Map-Servers. When an ETR instead connects using BGP to one or more ALT-Routers, it announces its EID-Prefix(es) to those ALT-Routers.
如前所述,ETR通常使用地图服务器接口(请参见[RFC6833]),并将其EID前缀注册到其配置的地图服务器。当ETR使用BGP连接到一个或多个ALT路由器时,它会向这些ALT路由器宣布其EID前缀。
As documented in [RFC6830], when an ETR generates a Map-Reply message to return to a querying ITR, it sets the outer-header IP destination address to one of the requesting ITR's RLOCs so that the Map-Reply will be sent on the underlying Internet topology, not on the ALT; this avoids any latency penalty (or "stretch") that might be incurred by sending the Map-Reply via the ALT, reduces load on the ALT, and ensures that the Map-Reply can be routed even if the original ITR does not have an ALT-routed EID. For details on how an ETR selects which ITR RLOC to use, see Section 6.1.5 of [RFC6830].
如[RFC6830]中所述,当ETR生成映射回复消息以返回查询ITR时,它将外部报头IP目的地地址设置为请求ITR的RLOC之一,以便映射回复将在基础互联网拓扑上发送,而不是在ALT上发送;这避免了通过ALT发送Map应答可能引起的任何延迟损失(或“拉伸”),减少了ALT上的负载,并确保即使原始ITR没有ALT路由EID,也可以路由Map应答。有关ETR如何选择使用哪个ITR RLOC的详细信息,请参见[RFC6830]第6.1.5节。
Intermediate ALT-Routers forward ALT Datagrams using normal, hop-by-hop routing on the ALT overlay network. Should an ALT-Router not be able to forward an ALT Datagram, whether due to an unreachable next hop, TTL exceeded, or other problem, it has several choices:
中间ALT路由器使用ALT覆盖网络上的正常逐跳路由转发ALT数据报。如果ALT路由器无法转发ALT数据报,无论是由于无法到达下一跳、超出TTL或其他问题,它有几种选择:
o If the ALT-Router understands LISP, as is the case for a Map-Resolver or Map-Server, it may respond to a forwarding failure by returning a Negative Map-Reply, as described in Section 4.2 and [RFC6833].
o 如果ALT路由器理解LISP,就像Map解析器或Map服务器一样,它可以通过返回否定的Map应答来响应转发失败,如第4.2节和[RFC6833]所述。
o If the ALT-Router does not understand LISP, it may attempt to return an ICMP message to the source IP address of the packet that cannot be forwarded. Since the source address is an RLOC, an ALT-Router would send this ICMP message using "native" Internet connectivity, not via the ALT overlay.
o 如果ALT路由器不理解LISP,它可能会尝试将ICMP消息返回到无法转发的数据包的源IP地址。由于源地址是RLOC,ALT路由器将使用“本机”互联网连接发送此ICMP消息,而不是通过ALT覆盖。
o A non-LISP-capable ALT-Router may also choose to silently drop the non-forwardable ALT Datagram.
o 不支持LISP的ALT路由器也可以选择静默地丢弃不可转发的ALT数据报。
[RFC6830] and [RFC6833] define how the source of an ALT Datagram should handle each of these cases. The last case, where an ALT Datagram is silently discarded, will generally result in several retransmissions by the source, followed by treating the destination as unreachable via LISP when no Map-Reply is received. If a problem on the ALT is severe enough to prevent ALT Datagrams from being delivered to a specific EID, this is probably the only sensible way to handle this case.
[RFC6830]和[RFC6833]定义了ALT数据报的源应如何处理这些情况。最后一种情况是,ALT数据报被悄悄地丢弃,这通常会导致源多次重新传输,然后在没有收到Map应答时,通过LISP将目标视为无法访问。如果ALT上的问题严重到足以阻止ALT数据报被传递到特定的EID,那么这可能是处理这种情况的唯一明智的方法。
Note that the use of GRE tunnels should prevent MTU problems from ever occurring on the ALT; an ALT Datagram that exceeds an intermediate MTU will be fragmented at that point and will be reassembled by the target of the GRE tunnel.
注意,使用GRE隧道应防止在ALT上发生MTU问题;超过中间MTU的ALT数据报将在该点被分段,并由GRE隧道的目标重新组装。
The primary use of BGP today is to define the global Internet routing topology in terms of its participants, known as Autonomous Systems. LISP+ALT specifies the use of BGP to create a global overlay network (the ALT) for finding EID-to-RLOC mappings. While related to the global routing database, the ALT serves a very different purpose and is organized into a very different hierarchy. Because LISP+ALT does use BGP, however, it uses ASNs in the paths that are propagated among ALT-Routers. To avoid confusion, LISP+ALT should use newly assigned
如今,BGP的主要用途是根据参与者定义全球互联网路由拓扑,称为自治系统。LISP+ALT指定使用BGP创建全局覆盖网络(ALT)以查找EID到RLOC的映射。虽然与全局路由数据库相关,但ALT的用途截然不同,并且被组织到一个非常不同的层次结构中。但是,由于LISP+ALT确实使用BGP,因此它在ALT路由器之间传播的路径中使用ASN。为避免混淆,LISP+ALT应使用新指定的
AS numbers that are unrelated to the ASNs used by the global routing system. Exactly how this new space will be assigned and managed will be determined during the deployment of LISP+ALT.
作为与全局路由系统使用的ASN无关的号码。具体如何分配和管理这个新空间将在LISP+ALT的部署过程中确定。
Note that the ALT-Routers that make up the "core" of the ALT will not be associated with any existing core-Internet ASN because the ALT topology is completely separate from, and independent of, the global Internet routing system.
请注意,构成ALT“核心”的ALT路由器将不会与任何现有的核心Internet ASN关联,因为ALT拓扑完全独立于全局Internet路由系统。
As defined by this document, LISP+ALT may be implemented using BGP without modification. Given the fundamental operational difference between propagating global Internet routing information (the current dominant use of BGP) and creating an overlay network for finding EID-to-RLOC mappings (the use of BGP as proposed by this document), it may be desirable to assign a new SAFI [RFC4760] to prevent operational confusion and difficulties, including the inadvertent leaking of information from one domain to the other. The use of a separate SAFI would make it easier to debug many operational problems but would come at a significant cost: unmodified, off-the-shelf routers that do not understand the new SAFI could not be used to build any part of the ALT network. At present, this document does not request the assignment of a new SAFI; additional experimentation may suggest the need for one in the future.
根据本文件的定义,LISP+ALT可以使用BGP实现,无需修改。鉴于传播全球互联网路由信息(目前主要使用BGP)和创建覆盖网络以查找EID到RLOC映射(本文件建议使用BGP)之间的基本操作差异,可能需要分配一个新的SAFI[RFC4760],以防止操作混乱和困难,包括信息从一个域意外泄漏到另一个域。使用单独的SAFI将使调试许多操作问题变得更容易,但会带来巨大的成本:不了解新SAFI的未经修改的现成路由器无法用于构建ALT网络的任何部分。目前,本文件未要求分配新的SAFI;额外的实验可能表明将来需要一个。
To facilitate EID-Prefix aggregation, the ALT BGP topology is provisioned in a hierarchical manner; the fact that all inter-node links are tunnels means that topology can be constrained to follow the EID-Prefix assignment hierarchy. Redundant links are provisioned to compensate for node and link failures. A basic assumption is that as long as the routers are up and running, the underlying Internet will provide alternative routes to maintain tunnel and BGP connectivity among ALT-Routers.
为了便于EID前缀聚合,以分层方式提供ALT BGP拓扑;所有节点间链路都是隧道这一事实意味着拓扑可以约束为遵循EID前缀分配层次结构。提供冗余链路以补偿节点和链路故障。一个基本假设是,只要路由器启动并运行,底层互联网将提供替代路由,以维持ALT路由器之间的隧道和BGP连接。
Note that, as mentioned in Section 4.2, the use of BGP by LISP+ALT requires that information only be aggregated where all active more-specific prefixes of a generated aggregate prefix are known. This is no different than the way that BGP route aggregation works in the existing global routing system: a service provider only generates an aggregate route if it is configured to learn all prefixes that make up that aggregate.
请注意,如第4.2节所述,LISP+ALT使用BGP时,仅当生成的聚合前缀的所有活动的更具体的前缀已知时,才需要聚合信息。这与BGP路由聚合在现有全局路由系统中的工作方式没有什么不同:服务提供商仅在配置为学习组成该聚合的所有前缀时才会生成聚合路由。
It is worth noting that LISP+ALT does not directly propagate EID-to-RLOC mappings. What it does is provide a mechanism for an ITR to communicate with the ETR that holds the mapping for a particular EID-Prefix. This distinction is important when considering the stability of BGP on the ALT network as compared to the global routing system. It also has implications for how site-specific EID-Prefix information may be used by LISP but not propagated by LISP+ALT (see Section 7.2 below).
值得注意的是,LISP+ALT不会直接将EID传播到RLOC映射。它所做的是为ITR提供一种与ETR通信的机制,ETR保存特定EID前缀的映射。与全局路由系统相比,在考虑ALT网络上BGP的稳定性时,这种区别非常重要。它还暗示了特定于站点的EID前缀信息如何被LISP使用,而不是通过LISP+ALT传播(见下文第7.2节)。
RLOC prefixes are not propagated through the ALT, so their reachability is not determined through the use of LISP+ALT. Instead, reachability of RLOCs is learned through the LISP ITR-ETR exchange. This means that link failures or other service disruptions that may cause the reachability of an RLOC to change are not known to the ALT. Changes to the presence of an EID-Prefix on the ALT occur much less frequently: only at subscription time or in the event of a failure of the ALT infrastructure itself. This means that "flapping" (frequent BGP updates and withdrawals due to prefix state changes) is not likely and mapping information cannot become "stale" due to slow propagation through the ALT BGP mesh.
RLOC前缀不是通过ALT传播的,因此它们的可达性不是通过使用LISP+ALT来确定的。相反,RLOC的可达性是通过LISP ITR-ETR交换来学习的。这意味着ALT不知道可能导致RLOC可达性改变的链路故障或其他服务中断。ALT上EID前缀存在的改变发生的频率要低得多:仅在订阅时或ALT基础设施本身发生故障时发生。这意味着“拍打”(由于前缀状态更改而导致频繁的BGP更新和撤销)不太可能发生,并且映射信息不会因为通过ALT BGP网格的传播速度慢而变得“过时”。
Since an ITR learns an EID-to-RLOC mapping directly from the ETR that owns it, it is possible to perform site-to-site Traffic Engineering by setting the preference and/or weight fields, and by including more-specific EID-to-RLOC information in Map-Reply messages.
由于ITR直接从拥有它的ETR学习EID到RLOC的映射,因此可以通过设置首选项和/或权重字段,并通过在映射回复消息中包含更具体的EID到RLOC信息来执行站点到站点的流量工程。
This is a powerful mechanism that can conceivably replace the traditional practice of routing prefix deaggregation for Traffic Engineering purposes. Rather than propagating more-specific information into the global routing system for local or regional optimization of traffic flows, such more-specific information can be exchanged, through LISP (not LISP+ALT), on an as-needed basis between only those ITRs/ETRs (and, thus, site pairs) that need it. Such an exchange of "more-specifics" between sites facilitates Traffic Engineering by allowing richer and more fine-grained policies to be applied without advertising additional prefixes into either the ALT or the global routing system.
这是一种功能强大的机制,可以替代传统的路由前缀解聚集做法,用于流量工程目的。与其将更具体的信息传播到全局路由系统中以实现交通流的局部或区域优化,还可以根据需要通过LISP(而不是LISP+ALT)在需要的ITR/ETR(以及站点对)之间交换此类更具体的信息。这种站点间“更多细节”的交换通过允许应用更丰富、更细粒度的策略,而无需在ALT或全局路由系统中公布额外前缀,从而促进了流量工程。
Note that these new Traffic Engineering capabilities are an attribute of LISP and are not specific to LISP+ALT; discussion is included here because the BGP-based global routing system has traditionally used propagation of more-specific routes as a crude form of Traffic Engineering.
请注意,这些新的流量工程功能是LISP的一个属性,并不特定于LISP+ALT;这里包括讨论,因为基于BGP的全局路由系统传统上使用更具体路由的传播作为流量工程的一种粗略形式。
Normal BGP best common practices apply to the ALT network. In particular, first-hop ALT-Routers will aggregate EID-Prefixes and dampen changes to them in the face of excessive updates. Since EID-Prefix assignments are not expected to change as frequently as global routing BGP prefix reachability, such dampening should be very rare and might be worthy of logging as an exceptional event. It is again worth noting that the ALT carries only EID-Prefixes, used to construct a BGP path to each ETR (or Map-Server) that originates each prefix; the ALT does not carry reachability information about RLOCs. In addition, EID-Prefix information may be aggregated as the topology and address assignment hierarchy allow. Since the topology is all tunneled and can be modified as needed, reasonably good aggregation should be possible. In addition, since most ETRs are expected to connect to the ALT using the Map-Server interface, Map-Servers will implement a natural "edge" for the ALT where dampening and aggregation can be applied. For these reasons, the set of prefix information on the ALT can be expected to be both better aggregated and considerably less volatile than the actual EID-to-RLOC mappings.
普通BGP最佳通用做法适用于ALT网络。特别是,第一跳ALT路由器将聚合EID前缀,并在过度更新时抑制对它们的更改。由于EID前缀分配预计不会像全局路由BGP前缀可达性那样频繁更改,因此这种抑制应该非常罕见,可能值得作为异常事件记录。再次值得注意的是,ALT只携带EID前缀,用于构造到每个ETR(或地图服务器)的BGP路径,该路径产生每个前缀;ALT不携带有关RLOC的可达性信息。此外,可以在拓扑和地址分配层次结构允许的情况下聚合EID前缀信息。由于拓扑都是隧道式的,并且可以根据需要进行修改,因此应该可以进行合理良好的聚合。此外,由于大多数ETR预计将使用地图服务器接口连接到ALT,因此地图服务器将为ALT实现一个自然的“边缘”,可以应用阻尼和聚合。由于这些原因,与实际的EID到RLOC映射相比,可以预期ALT上的前缀信息集具有更好的聚合性和更少的易失性。
There are major open questions regarding how the ALT will be deployed and what organization(s) will operate it. In a simple, non-distributed world, centralized administration of EID-Prefix assignment and ALT network design would facilitate a well-aggregated ALT routing system. Business and other realities will likely result in a more complex, distributed system involving multiple levels of prefix delegation, multiple operators of parts of the ALT infrastructure, and a combination of competition and cooperation among the participants. In addition, the re-use of existing IP address assignments, both Provider-Independent ("PI") and Provider-Assigned ("PA"), to avoid renumbering when sites transition to LISP will further complicate the processes of building and operating the ALT.
关于如何部署ALT以及哪些组织将操作ALT,存在一些重大的开放性问题。在一个简单的非分布式世界中,集中管理EID前缀分配和ALT网络设计将有助于形成一个聚合良好的ALT路由系统。业务和其他现实可能会导致一个更复杂的分布式系统,涉及多个级别的前缀委派、ALT基础设施部分的多个运营商,以及参与者之间的竞争与合作。此外,重新使用现有的IP地址分配(独立于提供商(“PI”)和提供商分配(“PA”),以避免在站点转换为LISP时重新编号,这将进一步使ALT的构建和操作过程复杂化。
A number of conflicting considerations need to be kept in mind when designing and building the ALT. Among them are:
在设计和建造ALT时,需要牢记一些相互冲突的考虑因素。其中包括:
1. Target ALT routing state size and level of aggregation. As described in Section 7.1, the ALT should not suffer from the same performance constraints or stability issues as does the Internet global routing system, so some reasonable level of deaggregation and an increased number of EID-Prefixes beyond what might be considered ideal should be acceptable. That said, measures, such as tunnel rehoming to preserve aggregation when sites move from one mapping provider to another and implementing aggregation at
1. 目标ALT路由状态大小和聚合级别。如第7.1节所述,ALT不应受到与Internet全局路由系统相同的性能约束或稳定性问题,因此一些合理的解聚集级别和超出理想值的EID前缀数量的增加是可以接受的。也就是说,当站点从一个映射提供者移动到另一个映射提供者时,需要采取一些措施,例如隧道重新命名以保持聚合,并在
multiple levels in the hierarchy to collapse deaggregation at lower levels, should be taken to reduce unnecessary explosion of ALT routing state.
层次结构中的多个级别在较低级别上折叠解聚集,以减少ALT路由状态的不必要爆炸。
2. Number of operators of parts of the ALT and how they will be organized (hierarchical delegation vs. shared administration). This will determine not only how EID-Prefixes are assigned but also how tunnels are configured and how EID-Prefixes can be aggregated between different parts of the ALT.
2. ALT部分的操作员数量及其组织方式(分层委托与共享管理)。这不仅将决定EID前缀的分配方式,还将决定隧道的配置方式以及如何在ALT的不同部分之间聚合EID前缀。
3. Number of connections between different parts of the ALT. Tradeoffs will need to be made among resilience, performance, and placement of aggregation boundaries.
3. ALT不同部分之间的连接数。需要在恢复能力、性能和聚合边界的放置之间进行权衡。
4. EID-Prefix portability between competing operators of the ALT infrastructure. A significant benefit for an end site to adopt LISP is the availability of EID space that is not tied to a specific connectivity provider; it is important to ensure that an end site doesn't trade lock-in to a connectivity provider for lock-in to a provider of its EID assignment, ALT connectivity, or Map-Server facilities.
4. EID前缀在ALT基础设施的竞争运营商之间的可移植性。终端站点采用LISP的一个重要好处是EID空间的可用性,而不受特定连接提供商的限制;确保终端站点不会将对连接提供程序的锁定转换为对其EID分配、ALT连接或地图服务器设施的提供程序的锁定,这一点很重要。
This is, by no means, an exhaustive list.
这绝不是一份详尽的清单。
While resolving these issues is beyond the scope of this document, the authors recommend that existing distributed resource structures, such as the IANA/Regional Internet Registries and the ICANN/Domain Registrar, be carefully considered when designing and deploying the ALT infrastructure.
虽然解决这些问题超出了本文件的范围,但作者建议,在设计和部署ALT基础设施时,应仔细考虑现有的分布式资源结构,如IANA/区域互联网注册中心和ICANN/域注册中心。
EID-Prefix information is originated into the ALT by three different mechanisms:
EID前缀信息由三种不同的机制产生到ALT中:
Map-Server: In most cases, a site will configure its ETR(s) to register with one or more Map-Servers (see [RFC6833]) and does not participate directly in the ALT.
地图服务器:在大多数情况下,站点会将其ETR配置为向一个或多个地图服务器注册(请参见[RFC6833]),而不会直接参与ALT。
BGP: For sites requiring complex control over their EID-Prefix origination into the ALT, an ETR may connect to the LISP+ALT overlay network by running BGP to one or more ALT-Routers over tunnel(s). The ETR advertises reachability for its EID-Prefixes over these BGP connection(s). The edge ALT-Router(s) that receive(s) these prefixes then propagate(s) them into the ALT.
BGP:对于需要对其EID前缀发起到ALT进行复杂控制的站点,ETR可以通过在隧道上运行BGP到一个或多个ALT路由器来连接到LISP+ALT覆盖网络。ETR通过这些BGP连接公布其EID前缀的可达性。接收这些前缀的边缘ALT路由器然后将它们传播到ALT中。
Here, the ETR is simply a BGP peer of ALT-Router(s) at the edge of the ALT. Where possible, an ALT-Router that receives EID-Prefixes from an ETR via BGP should aggregate that information.
在这里,ETR只是ALT边缘ALT路由器的BGP对等方。在可能的情况下,通过BGP从ETR接收EID前缀的ALT路由器应聚合该信息。
Configuration: One or more ALT-Routers may be configured to originate an EID-Prefix on behalf of the non-BGP-speaking ETR that is authoritative for a prefix. As in the case above, the ETR is connected to ALT-Router(s) using GRE tunnel(s), but rather than BGP being used, the ALT-Router(s) are configured with what are in effect "static routes" for the EID-Prefixes "owned" by the ETR. The GRE tunnel is used to route Map-Requests to the ETR.
配置:可以将一个或多个ALT路由器配置为代表对前缀具有权威性的非BGP语言ETR发起EID前缀。与上述情况一样,ETR使用GRE隧道连接到ALT路由器,但不是使用BGP,而是使用ETR“拥有”的EID前缀的有效“静态路由”配置ALT路由器。GRE隧道用于将Map请求路由到ETR。
Note: In all cases, an ETR may register to multiple Map-Servers or connect to multiple ALT-Routers for the following reasons:
注意:在所有情况下,ETR可能注册到多个地图服务器或连接到多个ALT路由器,原因如下:
* redundancy, so that a particular ETR is still reachable even if one path or tunnel is unavailable.
* 冗余,因此即使一条路径或隧道不可用,特定ETR仍然可以访问。
* to connect to different parts of the ALT hierarchy if the ETR "owns" multiple EID-to-RLOC mappings for EID-Prefixes that cannot be aggregated by the same ALT-Router (i.e., are not topologically "close" to each other in the ALT).
* 如果ETR“拥有”EID前缀的多个EID到RLOC映射,且不能由同一个ALT路由器聚合(即,在ALT中拓扑上彼此不“接近”),则连接到ALT层次结构的不同部分。
In the common configuration, an ITR does not need to know anything about the ALT, since it sends Map-Requests to one of its configured Map-Resolvers (see [RFC6833]). There are two exceptional cases:
在通用配置中,ITR不需要知道关于ALT的任何信息,因为它将Map请求发送到其配置的Map解析器之一(请参见[RFC6833])。有两种例外情况:
Static default: If a Map-Resolver is not available but an ITR is adjacent to an ALT-Router (either over a common subnet or through the use of a tunnel), it can use an ALT Default Route to cause all ALT Datagrams to be sent to that ALT-Router. This case is expected to be rare.
静态默认:如果地图解析程序不可用,但ITR与ALT路由器相邻(通过公共子网或通过使用隧道),它可以使用ALT默认路由将所有ALT数据报发送到该ALT路由器。这种情况预计很少见。
Connection to ALT: A site with complex Internet connectivity may need more fine-grained distinction between traffic to LISP-capable and non-LISP-capable sites. Such a site may configure each of its ITRs to connect directly to the ALT, using a tunnel and BGP connection. In this case, the ITR will receive EID-Prefix routes from its BGP connection to the ALT-Router and will LISP-encapsulate and send ALT Datagrams through the tunnel to the ALT-Router. Traffic to other destinations may be forwarded (without LISP encapsulation) to non-LISP next-hop routers that the ITR knows.
连接到ALT:具有复杂Internet连接的站点可能需要更精细地区分到支持LISP和不支持LISP的站点的流量。这样的站点可以使用隧道和BGP连接将其每个ITR配置为直接连接到ALT。在这种情况下,ITR将从其BGP连接接收到ALT路由器的EID前缀路由,并将LISP封装并通过隧道将ALT数据报发送到ALT路由器。到其他目的地的流量可以转发(无LISP封装)到ITR知道的非LISP下一跳路由器。
In general, an ITR that connects to the ALT does so only to ALT-Routers at the "edge" of the ALT (typically two for redundancy). There may, though, be situations where an ITR would connect to other ALT-Routers to receive additional, shorter-path information about a portion of the ALT of interest to it. This can be accomplished by establishing GRE tunnels between the ITR and the set of ALT-Routers with the additional information. This is a purely local policy issue between the ITR and the ALT-Routers in question.
通常,连接到ALT的ITR只连接到ALT“边缘”的ALT路由器(通常两个用于冗余)。然而,可能存在这样的情况:ITR将连接到其他ALT路由器,以接收关于其感兴趣的ALT部分的附加、较短路径信息。这可以通过在ITR和具有附加信息的ALT路由器组之间建立GRE隧道来实现。这纯粹是ITR和相关ALT路由器之间的本地政策问题。
As described in [RFC6833], Map-Resolvers do not accept or forward Data-Probes; in the rare scenario that an ITR does support and originate Data-Probes, it must do so using one of the exceptional configurations described above. Note that the use of Data-Probes is discouraged at this time (see Section 3.3).
如[RFC6833]所述,映射解析器不接受或转发数据探测;在ITR确实支持并发起数据探测的罕见情况下,它必须使用上述一种特殊配置来支持和发起数据探测。注意,此时不鼓励使用数据探针(见第3.3节)。
LISP+ALT shares many of the security characteristics of BGP. Its security mechanisms are comprised of existing technologies in wide operational use today, so securing the ALT should be mostly a matter of applying the same technology that is used to secure the BGP-based global routing system (see Section 9.3 below).
LISP+ALT具有BGP的许多安全特性。其安全机制由目前广泛使用的现有技术组成,因此保护ALT主要是应用与保护基于BGP的全局路由系统相同的技术(见下文第9.3节)。
This section briefly lists the known potential vulnerabilities of LISP+ALT.
本节简要列出了LISP+ALT的已知潜在漏洞。
Mapping integrity: Potential for an attacker to insert bogus mappings to black-hole (create a DoS attack) or intercept LISP data-plane packets.
映射完整性:攻击者可能将虚假映射插入黑洞(创建DoS攻击)或拦截LISP数据平面数据包。
ALT-Router availability: Can an attacker DoS the ALT-Routers connected to a given ETR? If a site's ETR cannot advertise its EID-to-RLOC mappings, the site is essentially unavailable.
ALT路由器可用性:攻击者能否拒绝连接到给定ETR的ALT路由器?如果站点的ETR无法公布其EID到RLOC的映射,则该站点基本上不可用。
ITR mapping/resources: Can an attacker force an ITR or ALT-Router to drop legitimate mapping requests by flooding it with random destinations for which it will generate large numbers of Map-Requests and fill its map-cache? Further study is required to see the impact of admission control on the overlay network.
ITR映射/资源:攻击者能否通过向ITR或ALT路由器发送随机目的地来强制其丢弃合法映射请求,从而生成大量映射请求并填充其映射缓存?需要进一步研究,以了解接入控制对覆盖网络的影响。
EID Map-Request exploits for reconnaissance: Can an attacker learn about a LISP site's TE policy by sending legitimate mapping requests and then observing the RLOC mapping replies? Is this information useful in attacking or subverting peer relationships? Note that any public LISP mapping database will have similar data-plane reconnaissance issues.
EID映射请求利用漏洞进行侦察:攻击者能否通过发送合法映射请求,然后观察RLOC映射回复来了解LISP站点的TE策略?这些信息在攻击或破坏同伴关系时有用吗?请注意,任何公共LISP映射数据库都会有类似的数据平面侦察问题。
Scaling of ALT-Router resources: Paths through the ALT may be of lesser bandwidth than more "direct" paths; this may make them more prone to high-volume DoS attacks. For this reason, all components of the ALT (ETRs and ALT-Routers) should be prepared to rate-limit traffic (ALT Datagrams) that could be received across the ALT.
扩展ALT路由器资源:通过ALT的路径可能比更多“直接”路径的带宽更小;这可能会使他们更容易受到大量拒绝服务攻击。因此,ALT的所有组件(ETR和ALT路由器)都应准备好对通过ALT接收的流量(ALT数据报)进行速率限制。
UDP Map-Reply from ETR: Since Map-Replies are sent directly from the ETR to the ITR's RLOC, the ITR's RLOC may be vulnerable to various types of DoS attacks (this is a general property of LISP, not a LISP+ALT vulnerability).
来自ETR的UDP映射回复:由于映射回复直接从ETR发送到ITR的RLOC,ITR的RLOC可能容易受到各种类型的DoS攻击(这是LISP的一般属性,而不是LISP+ALT漏洞)。
More-specific prefix leakage: Because EID-Prefixes on the ALT are expected to be fairly well-aggregated and EID-Prefixes propagated out to the global Internet (see [RFC6832]) much more so, accidental leaking or malicious advertisement of an EID-Prefix into the global routing system could cause traffic redirection away from a LISP site. This is not really a new problem, though, and its solution can only be achieved by much more strict prefix filtering and authentication on the global routing system. Section 9.3 describes an existing approach to solving this problem.
更具体的前缀泄漏:由于预期ALT上的EID前缀会得到相当好的聚合,并且EID前缀会传播到全局Internet(请参见[RFC6832]),更重要的是,EID前缀意外泄漏或恶意播发到全局路由系统可能会导致流量重定向远离LISP站点。不过,这并不是一个新问题,它的解决方案只能通过对全局路由系统进行更严格的前缀过滤和身份验证来实现。第9.3节描述了解决该问题的现有方法。
Explicit peering: The devices themselves can prioritize incoming packets as well as potentially do key checks in hardware to protect the control plane.
显式对等:设备本身可以对传入的数据包进行优先级排序,还可以在硬件中执行密钥检查以保护控制平面。
Use of TCP to connect elements: This makes it difficult for third parties to inject packets.
使用TCP连接元素:这使得第三方很难注入数据包。
Use of HMAC to protect BGP/TCP connections: Hashed Message Authentication Code (HMAC) [RFC5925] is used to verify the integrity and authenticity of TCP connections used to exchange BGP messages, making it nearly impossible for third-party devices to either insert or modify messages.
使用HMAC保护BGP/TCP连接:哈希消息身份验证码(HMAC)[RFC5925]用于验证用于交换BGP消息的TCP连接的完整性和真实性,这使得第三方设备几乎不可能插入或修改消息。
Message sequence numbers and nonce values in messages: This allows an ITR to verify that the Map-Reply from an ETR is in response to a Map-Request originated by that ITR (this is a general property of LISP; LISP+ALT does not change this behavior).
消息中的消息序列号和nonce值:这允许ITR验证来自ETR的映射回复是否响应该ITR发起的映射请求(这是LISP的常规属性;LISP+ALT不会更改此行为)。
LISP+ALT's use of BGP allows it to take advantage of BGP security features designed for existing Internet BGP use. This means that LISP+ALT can and should use technology developed for adding security to BGP (in the IETF SIDR working group or elsewhere) to provide authentication of EID-Prefix origination and EID-to-RLOC mappings.
LISP+ALT对BGP的使用允许它利用为现有互联网BGP使用而设计的BGP安全功能。这意味着LISP+ALT可以而且应该使用为BGP(在IETF SIDR工作组或其他地方)增加安全性而开发的技术,以提供EID前缀发起和EID到RLOC映射的身份验证。
The authors would like to specially thank J. Noel Chiappa, who was a key contributor to the design of the Content distribution Overlay Network Service for LISP (LISP-CONS) mapping database (many ideas from which made their way into LISP+ALT) and who has continued to provide invaluable insight as the LISP effort has evolved. Others who have provided valuable contributions include John Zwiebel, Hannu Flinck, Amit Jain, John Scudder, Scott Brim, and Jari Arkko.
作者要特别感谢J.Noel Chiappa,他是LISP(LISP-CONS)映射数据库内容分发覆盖网络服务设计的关键贡献者(许多想法由此进入LISP+ALT),并且随着LISP工作的发展,他继续提供了宝贵的见解。其他做出宝贵贡献的人包括约翰·兹维贝尔、汉努·弗林克、阿米特·贾因、约翰·斯卡德尔、斯科特·布里姆和贾里·阿尔科。
[RFC2784] Farinacci, D., Li, T., Hanks, S., Meyer, D., and P. Traina, "Generic Routing Encapsulation (GRE)", RFC 2784, March 2000.
[RFC2784]Farinaci,D.,Li,T.,Hanks,S.,Meyer,D.,和P.Traina,“通用路由封装(GRE)”,RFC 27842000年3月。
[RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006.
[RFC4271]Rekhter,Y.,Li,T.,和S.Hares,“边境网关协议4(BGP-4)”,RFC 42712006年1月。
[RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan", BCP 122, RFC 4632, August 2006.
[RFC4632]Fuller,V.和T.Li,“无类域间路由(CIDR):互联网地址分配和聚合计划”,BCP 122,RFC 4632,2006年8月。
[RFC4760] Bates, T., Chandra, R., Katz, D., and Y. Rekhter, "Multiprotocol Extensions for BGP-4", RFC 4760, January 2007.
[RFC4760]Bates,T.,Chandra,R.,Katz,D.,和Y.Rekhter,“BGP-4的多协议扩展”,RFC 4760,2007年1月。
[RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The Locator/ID Separation Protocol (LISP)", RFC 6830, January 2013.
[RFC6830]Farinaci,D.,Fuller,V.,Meyer,D.,和D.Lewis,“定位器/身份分离协议(LISP)”,RFC 6830,2013年1月。
[RFC6833] Fuller, V. and D. Farinacci, "Locator/ID Separation Protocol (LISP) Map-Server Interface", RFC 6833, January 2013.
[RFC6833]Fuller,V.和D.Farinaci,“定位器/ID分离协议(LISP)地图服务器接口”,RFC 6833,2013年1月。
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP Authentication Option", RFC 5925, June 2010.
[RFC5925]Touch,J.,Mankin,A.,和R.Bonica,“TCP认证选项”,RFC 59252010年6月。
[RFC6832] Lewis, D., Meyer, D., Farinacci, D., and V. Fuller, "Interworking between Locator/ID Separation Protocol (LISP) and Non-LISP Sites", RFC 6832, January 2013.
[RFC6832]Lewis,D.,Meyer,D.,Farinaci,D.,和V.Fuller,“定位器/ID分离协议(LISP)和非LISP站点之间的互通”,RFC 6832,2013年1月。
Authors' Addresses
作者地址
Vince Fuller
文斯·富勒
EMail: vaf@vaf.net
EMail: vaf@vaf.net
Dino Farinacci Cisco Systems Tasman Drive San Jose, CA 95134 USA
美国加利福尼亚州圣何塞市塔斯曼大道迪诺·法里纳奇思科系统公司,邮编95134
EMail: farinacci@gmail.com
EMail: farinacci@gmail.com
Dave Meyer Cisco Systems Tasman Drive San Jose, CA 95134 USA
美国加利福尼亚州圣何塞市塔斯曼大道戴夫·迈耶思科系统公司,邮编95134
EMail: dmm@1-4-5.net
EMail: dmm@1-4-5.net
Darrel Lewis Cisco Systems Tasman Drive San Jose, CA 95134 USA
美国加利福尼亚州圣何塞市塔斯曼大道达雷尔·刘易斯思科系统公司,邮编95134
EMail: darlewis@cisco.com
EMail: darlewis@cisco.com