Internet-Draft | ICMP for Validation | September 2024 |
Liu & Liu | Expires 30 March 2025 | [Page] |
This document introduces the mechanism to verify the data plane against the control plane and detect data plane failures in IPv6/SRv6 networks by extending ICMPv6 messages.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 30 March 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
An SR-MPLS SID/MPLS label can be related with various FEC information, e.g, VPN IP prefix [RFC4365], EVPN service information [RFC7432], flex algorithms[RFC9350] and etc. Most of these information would be advertised via control plane protocols(e.g, IGP, BGP, etc).¶
Procedures for simple and efficient mechanisms to verify the data plane against the control plane using LSP Ping in MPLS network are well defined in [RFC8029]. Normally, when a new feature is introduced and the MPLS label is associated with new information, the LSP Ping mechanism is still applicable by defining new FEC sub-TLV with the new information encoded in it.¶
[RFC9489] defines procedures to detect data plane failures using LSP Ping in MPLS networks deploying EVPN. Figure 1 is an unicast data plane connectivity check scenario provided in [RFC9489]. CE1 is dual-homed to PE1 and PE2, PE1 and PE2 both announced a MAC route for CE1 with the same C-MAC but different RDs. On PE3, when an operator performs a connectivity check for the C-MAC address on PE1, the operator initiates an LSP Ping request with the Target FEC Stack TLV containing the C-MAC address, the corresponding RD and other necessary fields in the packet. The egress PE will process the packet and perform checks for the EVPN-related information carried in Target FEC Stack TLV.¶
For VPN/EVPN services over SRv6 as in [RFC9252], the requirements to detect data plane failures are similar. Besides VPN/EVPN information, IPv6 addresses(mainly SRv6 SID), can be related with other information/functions such as flex algorithm [RFC9350] [RFC9502], SRv6 endpoint behaviors [RFC8986], service functions [I-D.ietf-spring-sr-service-programming] and so on. Operators may want to validate these information as well. But there's no such mechanism in IPv6/SRv6 yet.¶
RFC9259 describes how the existing ICMPv6 mechanisms for ping and traceroute can be used in an SRv6 network for data plane connectivity check purpose.This document introduces the mechanism to verify the data plane against the control plane and detect data plane failures in IPv6/SRv6 networks by extending ICMPv6 messages.¶
Editor's Note: Instead of extending ICMPv6 Node Information Query (or NI Query) and the Node Information Reply (or NI Reply) based on [RFC4620], this document introducing ICMPv6 Validation Request and ICMPv6 Validation Reply messages by defining two new types of ICMPv6 messages taking example from [RFC8335]. The reason is that NI Query and NI Reply are originally defined for discovering information about nodes, such as names and addresses, while this document aims to provide an IP-related information validation mechanism, which makes RFC4620 not quite suitable.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The Validation Request message is defined for ICMPv6[RFC4443]. Like any ICMPv6 message, the ICMPv6 Validation Request message is encapsulated in an IPv6 header.¶
The structure of ICMPv6 Validation Request is shown in Figure 2, where:¶
The Validation Information Object is shown in Figure 3, where:¶
C-Type Object Payload -------- ----------- 0 Revsered¶
It should be noticed that this document only defines fundamental packet formats and processing rules, the detailed C-Type values and the corresponding information carried in object payload is out of the scope of the document and would be defined in separate documents. For example, [I-D.liu-bess-srv6-evpn-validation] provides solutions to detect data plane failures for EVPN over SRv6 leveraging the mechanism defined in this document.¶
The Validation Reply message is defined for ICMPv6. Like any other ICMPv6 messages, the ICMP Extended Echo Reply message is encapsulated in an IPv6 header. Figure 4 describes the ICMPv6 Validation Reply message.¶
ICMP fields:¶
Code: Values are¶
(0) Validation passed¶
(1) Malformed request received¶
(2) One or more of the objects were not understood¶
(3) Information mismatch¶
A node that originates an ICMPv6 validation request message SHOULD first determine which IPv6 address/SRv6 SID needs to be verified with what information. How the sender node get the information is out of scope of the document.¶
An ICMPv6 validation request contains one or more Validation Information objects, depending on how the user wants to do the validation. For example, an SRv6 service SID is related with an endpoint behavior and an IPv4 VPN prefix, if one wants to verify both information of the SID via one request message, an ICMPv6 validation request is sent with two validation information objects in it. Or one may choose to send two individual ICMPv6 validation requests, each carries one validation information object to verify these two information separately.¶
The target IP is the IP address/SRv6 SID to be verified and MUST be a unicast address. The ICMPv6 validation request is sent with the target IP address/SRv6 SID set as the destination address of the IP header field without SRH for the SRv6 best-effort connectivity case, or set as the last segment with SRH. The Source Address of the ICMPv6 packet MUST be a unicast address belonging to the node.¶
The Hop Limit SHOULD be set to 255 to prevent transit nodes from processing the validation request.¶
All transit nodes process the validation request message like any other IPv6 data packets and hence do not require any change.¶
As specified in [RFC4443], if a router receives a packet with a Hop Limit of zero, or if a router decrements a packet's Hop Limit to zero, it MUST discard the packet and originate an ICMPv6 Time Exceeded message with Code 0 to the source of the packet. The source address SHOULD be set as a local address of the router.¶
The target node is a node receiving an validation request where the target IP of that message is locally configured as a segment or local interface.¶
When the validation request packet arrives at the target node, and any of the following conditions apply, the node MUST silently discard the incoming message:¶
Otherwise, if the packet is well formed, the target node verifies the information encoded in the Validation Information Object against the corresponding local information and state.¶
When a node receives an ICMPv6 Validation Request, it MUST format an ICMPv6 Validation Reply as follows:¶
The Code field MUST be set to 0 if all the the information encoded in the Validation Information Object is consistent with the the corresponding local information on the target node.¶
The Code field MUST be set to 1 if any of the following conditions apply:¶
The Code field MUST be set to 2 if one or more of the objects are not understood by the node.¶
The Code field MUST be set to 3 if the information in the Validation Information Object(s) is not consistent with the local information and validation is not passed.¶
A node should only receive a validation reply in response to a validation request that it sent. Thus, on receipt of a validation reply, the node should parse the packet to ensure that it is well-formed, then attempt to match up the validation reply with a validation request that it had previously sent, using the Identifier and Sequence Number. If no match is found, the node ignores the echo reply.¶
Section 4.6 of [RFC4884] provides a list of extensible ICMP messages (i.e., messages that can carry the ICMP Extension Structure). This document adds the ICMPv6 Validation Request message and the ICMPv6 Validation Reply message to that list.¶
This document requests the following actions from IANA:¶
Add an entry to the "ICMPv6 "type" Numbers" registry, representing the Validation Reply. This entry has the following codes:¶
(0) Validation passed¶
(1) Malformed request received¶
(2) One or more of the objects were not understood¶
(3) Information mismatch¶
Add an entry to the "ICMP Extension Object Classes and Class Sub-types" registry, representing the Validation Information Object with C-types:¶
(0) Reserved¶
C-Type values are assignable on a first-come-first-serve (FCFS) basis with a range of 0-255.¶
All codes mentioned above are assigned on a First Come First Serve (FCFS) basis with a range of 0-255.¶
Security considerations discussed in [RFC4443] and[RFC4884] apply to this document.¶
To protect against unauthorized sources using validation request messages to obtain network information, it is RECOMMENDED that implementations provide a means of checking the source addresses of validation request messages against an access list before accepting the message.¶
The validation mechanism SHOULD be only used in the limited domain. The validation request contains the control plane information, policies should be implemented on the edge devices of the domain to prevent the information from being leaked into other domains.¶
In order to protect local resources, implementations SHOULD rate-limit incoming ICMP Request messages.¶
The authors would like to thank Greg Mirsky, Bruno Decraene, Matthew Bocci, Zafar Ali, Ali Sajassi and Jorge Rabadan for their comments and suggestions.¶