Source Packet Routing in Networking                             M. Jadin
Internet-Draft                                                 UCLouvain
Intended status: Experimental                                    F. Clad
Expires: September 6, 2018                           Cisco Systems, Inc.
                                                          O. Bonaventure
                                                               UCLouvain
                                                          March 05, 2018


          A DNS Resource Record for IPv6 Segment Routing (SR6)
           draft-jadin-spring-ipv6-segment-routing-dns-rr-00

Abstract

   This document defines the IPv6 Segment Routing (SR6) Resource Record
   (RR).  This Resource Record gives a path to reach a given
   destination.  The path is encoded with an IPv6 Segment List.  The
   host uses a Segment Routing Header (SRH) derived from the SR6 RR to
   reach the destination.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 6, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must



Jadin, et al.           Expires September 6, 2018               [Page 1]

Internet-Draft                   SRv6-RR                      March 2018


   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Reserved Keywords . . . . . . . . . . . . . . . . . . . .   3
   2.  Resource Record Format  . . . . . . . . . . . . . . . . . . .   3
     2.1.  SR6 RDATA Wire format . . . . . . . . . . . . . . . . . .   3
       2.1.1.  The SID Number field  . . . . . . . . . . . . . . . .   4
       2.1.2.  The Flags field . . . . . . . . . . . . . . . . . . .   4
       2.1.3.  The Tag field . . . . . . . . . . . . . . . . . . . .   5
       2.1.4.  The Segment List[n] field . . . . . . . . . . . . . .   5
       2.1.5.  The Type Length Value (TLV) objects . . . . . . . . .   5
     2.2.  The SR6 RR Presentation Format  . . . . . . . . . . . . .   5
     2.3.  SR6 RR Example  . . . . . . . . . . . . . . . . . . . . .   6
   3.  SRH derivation from SR6 RR  . . . . . . . . . . . . . . . . .   6
     3.1.  Derived SRH Example . . . . . . . . . . . . . . . . . . .   6
   4.  Security considerations . . . . . . . . . . . . . . . . . . .   7
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   Segment Routing is a new architecture
   [I-D.ietf-spring-segment-routing] that leverages the source routing
   paradigm.  Two data planes are being defined to support this
   architecture: MPLS [I-D.ietf-spring-segment-routing-mpls] and IPv6
   through the IPv6 Segment Routing Header
   [I-D.ietf-6man-segment-routing-header].  This new architecture has a
   variety of use cases that are discussed in
   [I-D.ietf-spring-ipv6-use-cases],
   [I-D.ietf-spring-resiliency-use-cases] and
   [I-D.ietf-spring-oam-usecase].

   Segment Routing was initially defined as a technique to enable
   network operators to better control the flow of packets inside their
   network.  Most use cases leverage Segment Routing on routers only.
   In contrast with the MPLS data plane, which is traditionally supported
   only on routers, the IPv6 Segment Routing Header is supported on both
   routers [SR6Demo] and endhosts [SR6Linux].  The ability to set and
   process the IPv6 Segment Routing Header on endhosts opens new
   "end-to-end" use cases for Segment Routing.  We can
   envision networks where clients set the IPv6 Segment Routing Header
   in all the packets they send to reach a given server along a specific
   path that depends on the client's or the network's policies.  However,
   the ability to set and process the IPv6 Segment Routing Header on
   endhosts [SR6Linux] is not sufficient to support real services.
   Those endhosts also need a way to learn the IPv6 Segment Routing
   Header that they need to use to reach a given destination according
   to the network policies.  Several mechanisms are being discussed to
   distribute the IPv6 addresses that are used as Segments
   [I-D.ietf-6man-segment-routing-header].  However, these mechanisms
   typically extend routing protocols such as BGP
   [I-D.ietf-spring-segment-routing-msdc], OSPF
   [I-D.ietf-ospf-ospfv3-segment-routing-extensions] or IS-IS
   [I-D.ietf-isis-segment-routing-extensions] and do not reach endhosts.

   In this document, we propose to extend the Domain Name System to
   distribute IPv6 Segment Routing Headers to endhosts.  Our main use
   case is enterprise networks, where the network administrator could
   use the DNS resolver to distribute IPv6 Segment Routing Headers to
   endhosts according to the enterprise policies.  This use case is
   described in more detail in a forthcoming paper [SRN2018].

   This document is organized as follows.  Section 2 gives the wire and
   presentation formats of the proposed SR6 Resource Record.  Section 3
   describes how endhosts can construct an IPv6 Segment Routing Header
   from an SR6 RR.

1.1.  Reserved Keywords

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Resource Record Format

   This document proposes a new type of Resource Record: the IPv6
   Segment Routing (SR6) Resource Record.  This RR has a new DNS Type
   (suggested value TBD) to be assigned by IANA.  The SR6 RR MUST be
   in the IN class.

2.1.  SR6 RDATA Wire format

   The SR6 RR contains a set of flags, a tag and a list of segments
   represented as IPv6 addresses.  Its wire format is provided in
   Figure 1.  It encodes a subset of the IPv6 Segment Routing Header
   defined in [I-D.ietf-6man-segment-routing-header].


                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +---------------+---------------+------------------------------+
    |  SID Number   |     Flags     |             Tag              |
    +---------------+---------------+------------------------------+
    |                                                              |
    |           Segment List[1] (128 bits IPv6 address)            |
    |                                                              |
    |                                                              |
    +--------------------------------------------------------------+
    |                                                              |
    |                              ...                             |
    |                                                              |
    |                                                              |
    +--------------------------------------------------------------+
    |                                                              |
    |           Segment List[n] (128 bits IPv6 address)            |
    |                                                              |
    |                                                              |
    +--------------------------------------------------------------+
    /                                                              /
    /        Optional Type Length Value objects (variable)         /
    /                                                              /
    +--------------------------------------------------------------+


                       Figure 1: SR6 Resource Record

2.1.1.  The SID Number field

   The SID Number field indicates the number of Segments present in the
   Segment List.

2.1.2.  The Flags field

   A subset of the flags defined in the IPv6 Segment Routing Header
   [I-D.ietf-6man-segment-routing-header] may appear inside the SR6 RR.

     0 1 2 3 4 5 6 7
    +-+-+-+-+-+-----+
    |  U  |A|H|  U  |
    +-+-+-+-+-+-----+

                         Figure 2: SR6 Flags field

   o  U: These flags are currently unused and reserved for future use.
      They SHOULD be unset on transmission and MUST be ignored upon
      receipt.

   o  A-flag: Alert flag.  If set, it indicates that important Type
      Length Value (TLV) objects are present.

   o  H-flag: HMAC flag.  If set, the derived SRH MUST be protected by
      an HMAC TLV object, defined in
      [I-D.ietf-6man-segment-routing-header].

2.1.3.  The Tag field

   The Tag field is an opaque value that MUST be equal to the tag field
   of the derived SRH, defined in
   [I-D.ietf-6man-segment-routing-header].

2.1.4.  The Segment List[n] field

   The Segment List[n] field is a list of 128-bit IPv6 addresses, with
   the nth address representing the nth segment in the Segment List.
   This list is used to construct the SRH, as discussed in Section 3.

2.1.5.  The Type Length Value (TLV) objects

   A subset of the SRH TLV objects, defined in
   [I-D.ietf-6man-segment-routing-header], MAY be added at the end of
   the SR6 RR.  This document only allows the Opaque Container and
   Padding TLV objects.

   o  The Opaque Container TLV objects MUST be copied at the end of the
      derived SRH.

   o  The Padding TLV objects do not carry any information and so MAY
      be ignored during the SRH derivation.

   Future versions of this document will discuss the support of other
   TLV objects.

2.2.  The SR6 RR Presentation Format

   The presentation format of the RDATA portion is as follows:

   o  The Flags field MUST be represented as an unsigned decimal
      integer.

   o  The Tag field MUST be represented as an unsigned decimal integer.

   o  The Segment List MUST be represented as IPv6 addresses separated
      by commas.  They MUST appear in the same order as in the wire
      format (Section 2.1).

   o  The TLV objects MUST be represented as a sequence of case-
      insensitive hexadecimal digits.  White space is allowed within
      the hexadecimal text.

2.3.  SR6 RR Example

   example.com. 86400 IN AAAA 2001:abcd::5

   example.com. 86400 IN SR6 8 3 fc00::1,fc00::5 (03120000DA1F9C8094
                                                   E834A7BC71965A47A1B6C)

              Figure 3: Textual representation of SR6 records

   The first four text fields of the second line in Figure 3 specify the
   name, TTL, Class, and RR type (SR6).  Value 8 indicates that only the
   A-flag is set.  Value 3 is the Tag field value.  The next part is the
   Segment List, represented as a list of comma-separated IPv6
   addresses.  The text between the parentheses is the hexadecimal
   representation of the TLV objects.
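
   The following Python is an added example and is not part of the
   draft: it encodes and decodes the SR6 RDATA wire format of Figure 1
   (Section 2.1) and converts it to and from the presentation format of
   Section 2.2.  The TLV type codes 3 (Opaque Container) and 4 (Padding)
   are taken from the SRH draft; the opaque container contents in the
   sample record are constructed values, while Flags 8 and Tag 3 follow
   Figure 3.  The decoder rejects RDATA whose SID Number does not fit
   its length, truncated TLVs, and TLV types the SR6 RR does not allow,
   which are the checks a resolver library or host stub should make
   before handing the record to the SRH derivation.

```python
import ipaddress
import re
import struct

# TLV type codes taken from the SRH draft; the SR6 RR allows only these two.
OPAQUE_CONTAINER_TLV = 3
PADDING_TLV = 4
ALLOWED_TLV_TYPES = {OPAQUE_CONTAINER_TLV, PADDING_TLV}


def parse_tlvs(blob):
    """Split the trailing TLV area into (type, value) pairs, rejecting
    truncated TLVs and TLV types the SR6 RR does not allow."""
    tlvs, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated TLV header")
        ttype, tlen = blob[off], blob[off + 1]
        if off + 2 + tlen > len(blob):
            raise ValueError("TLV length runs past the end of RDATA")
        if ttype not in ALLOWED_TLV_TYPES:
            raise ValueError("TLV type %d is not allowed in an SR6 RR" % ttype)
        tlvs.append((ttype, blob[off + 2:off + 2 + tlen]))
        off += 2 + tlen
    return tlvs


def decode_rdata(rdata):
    """Parse wire-format SR6 RDATA (Figure 1) into its fields."""
    if len(rdata) < 4:
        raise ValueError("RDATA shorter than the 4-octet fixed part")
    sid_number, flags, tag = struct.unpack("!BBH", rdata[:4])
    end = 4 + 16 * sid_number
    if len(rdata) < end:
        raise ValueError("SID Number %d does not fit in RDATA" % sid_number)
    segments = [ipaddress.IPv6Address(rdata[4 + 16 * i:20 + 16 * i])
                for i in range(sid_number)]
    return {"flags": flags, "tag": tag, "segments": segments,
            "tlvs": parse_tlvs(rdata[end:])}


def encode_rdata(flags, tag, segments, tlvs=()):
    """Build wire-format SR6 RDATA; SID Number is the length of `segments`."""
    if len(segments) > 255:
        raise ValueError("SID Number must fit in one octet")
    out = struct.pack("!BBH", len(segments), flags, tag)
    out += b"".join(ipaddress.IPv6Address(s).packed for s in segments)
    for ttype, value in tlvs:
        if ttype not in ALLOWED_TLV_TYPES:
            raise ValueError("TLV type %d is not allowed in an SR6 RR" % ttype)
        if len(value) > 255:
            raise ValueError("TLV value longer than 255 octets")
        out += bytes([ttype, len(value)]) + bytes(value)
    return out


def parse_presentation(text):
    """Parse the Section 2.2 presentation form of the RDATA,
    '<flags> <tag> <seg>,<seg>,... (<hex TLVs>)', into wire format.
    The parentheses may span lines and the hex may contain white space."""
    m = re.fullmatch(r"\s*(\d+)\s+(\d+)\s+(\S+)(?:\s*\((.*)\))?\s*", text, re.S)
    if not m:
        raise ValueError("malformed SR6 presentation data")
    flags, tag = int(m.group(1)), int(m.group(2))
    segments = m.group(3).split(",")
    hexdigits = re.sub(r"\s+", "", m.group(4) or "")
    if len(hexdigits) % 2:
        raise ValueError("TLV hex text has an odd number of digits")
    return encode_rdata(flags, tag, segments, parse_tlvs(bytes.fromhex(hexdigits)))


def format_presentation(rdata):
    """Render wire-format RDATA in the Section 2.2 presentation form."""
    rr = decode_rdata(rdata)
    text = "%d %d %s" % (rr["flags"], rr["tag"],
                         ",".join(str(s) for s in rr["segments"]))
    tlv_bytes = b"".join(bytes([t, len(v)]) + v for t, v in rr["tlvs"])
    if tlv_bytes:
        text += " (%s)" % tlv_bytes.hex().upper()
    return text


# Constructed sample in the Figure 3 layout: Flags 8 and Tag 3 as in the
# draft, two segments, and one Opaque Container TLV whose value is two
# reserved octets followed by 16 constructed opaque octets.
SAMPLE_RDATA_TEXT = ("8 3 fc00::1,fc00::5 (03120000"
                     " 00112233445566778899AABBCCDDEEFF)")
```

   parse_presentation(SAMPLE_RDATA_TEXT) yields 56 octets of RDATA (4
   fixed, 32 of segments, 20 of TLV), and format_presentation turns them
   back into the same record with the white space in the hex removed.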

3.  SRH derivation from SR6 RR

   This section describes the construction of the IPv6 Segment Routing
   Header from an SR6 RR.  The H-flag and A-flag of the SRH MUST be
   copied from their equivalent fields in the SR6 RR.  All the other
   flags MUST be set to 0.

   The Tag field of the SRH MUST be copied from the SR6 RR Tag field.

   The SRH Segment List is composed of the destination address as its
   first segment, followed by the SR6 RR Segment List for the rest of
   the list.  Therefore, the SRH Segments Left and Last Entry fields
   MUST be set to the value of the SR6 RR SID Number field.

   Opaque Container TLV objects MUST be added at the end of the SRH if
   they were present in the Resource Record.  Additional Padding TLV
   objects MAY be added to the SRH.  If the H-flag is set, an HMAC TLV
   MUST be computed for the SRH.  The order of the SRH TLV objects MAY
   be different from the SR6 RR TLV objects.

3.1.  Derived SRH Example

   The following SRH is derived from the SR6 RR example in Section 2.3.

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +---------------+---------------+---------------+---------------+
    | Next Header   |     0x4B      |     0x04      |     0x02      |
    +---------------+---------------+---------------+---------------+
    |     0x02      |0 0 0 1 0 0 0 0|            0x0003             |
    +---------------+---------------+-------------------------------+
    |                                                               |
    |                         2001:abcd::5                          |
    |                                                               |
    |                                                               |
    +---------------------------------------------------------------+
    |                                                               |
    |                            fc00::1                            |
    |                                                               |
    |                                                               |
    +---------------------------------------------------------------+
    |                                                               |
    |                            fc00::5                            |
    |                                                               |
    |                                                               |
    +---------------+---------------+---------------+---------------+
    |      0x03     |      0x12     |      0x00     |      0x00     |
    +---------------+---------------+---------------+---------------+
    |                                                               |
    |               0xDA1F9C8094E834A7BC71965A47A1B6C               |
    |                                                               |
    |                                                               |
    +---------------------------------------------------------------+

                      Figure 4: Example of built SRH
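
   The derivation of Section 3, as an added example that is not part of
   the draft: a Python function builds the SRH octets from the
   destination address and the SR6 RR fields, and a small decoder reads
   the result back so that each field can be checked.  It assumes the
   Figure 2 bit numbering with bit 0 as the most significant bit (so the
   A-flag is 0x10 and the H-flag is 0x08, matching the flags octet of
   Figure 4), the SRH fixed-header layout and Routing Type 4 of the SRH
   draft, and that a Padding TLV carries 1 to 7 octets of padding.  HMAC
   keying is outside the example, so when the H-flag is set the caller
   supplies a pre-built HMAC TLV and the function refuses to emit an
   unprotected SRH otherwise.  Next Header 59 and the opaque container
   contents are constructed sample values.

```python
import ipaddress
import struct

SRH_ROUTING_TYPE = 4        # Routing Type of the SRH (SRH draft)
OPAQUE_CONTAINER_TLV = 3    # TLV type codes taken from the SRH draft
PADDING_TLV = 4
# Flag bit positions assumed from Figure 2, numbering bit 0 as the MSB.
FLAG_A = 0x10               # bit 3: Alert
FLAG_H = 0x08               # bit 4: HMAC


def padding_tlvs(pad):
    """Padding TLVs totalling `pad` octets.  Assumes each Padding TLV
    carries 1 to 7 octets of padding (3 to 9 octets with Type and Length)."""
    out = b""
    while pad:
        chunk = min(pad, 9)
        if pad - chunk in (1, 2):      # what remains must itself be a valid TLV
            chunk -= 2
        out += bytes([PADDING_TLV, chunk - 2]) + bytes(chunk - 2)
        pad -= chunk
    return out


def derive_srh(next_header, destination, flags, tag, rr_segments, rr_tlvs,
               hmac_tlv=None):
    """Build the SRH octets from an SR6 RR as described in Section 3."""
    sid_number = len(rr_segments)
    if sid_number > 255:
        raise ValueError("SID Number does not fit in one octet")
    srh_flags = flags & (FLAG_A | FLAG_H)       # all other flags MUST be 0
    if srh_flags & FLAG_H and hmac_tlv is None:
        raise ValueError("H-flag set: an HMAC TLV is required for the SRH")
    # Segment List: the destination first, then the RR Segment List in RR order.
    segments = [ipaddress.IPv6Address(destination)]
    segments += [ipaddress.IPv6Address(s) for s in rr_segments]
    body = b"".join(s.packed for s in segments)
    for ttype, value in rr_tlvs:
        if ttype == OPAQUE_CONTAINER_TLV:
            body += bytes([ttype, len(value)]) + bytes(value)   # copied verbatim
        elif ttype == PADDING_TLV:
            continue        # carries no information; alignment is redone below
        else:
            raise ValueError("TLV type %d is not allowed in an SR6 RR" % ttype)
    if hmac_tlv is not None:
        body += bytes(hmac_tlv)
    # Align the whole extension header on 8 octets with Padding TLVs.
    pad = -(8 + len(body)) % 8
    if 0 < pad < 3:
        pad += 8
    body += padding_tlvs(pad)
    hdr_ext_len = (8 + len(body)) // 8 - 1   # 8-octet units, first 8 excluded
    if hdr_ext_len > 255:
        raise ValueError("SRH too long for the Hdr Ext Len field")
    fixed = struct.pack("!BBBBBBH", next_header, hdr_ext_len, SRH_ROUTING_TYPE,
                        sid_number, sid_number, srh_flags, tag)
    return fixed + body


def parse_srh(srh):
    """Decode the SRH fixed header and Segment List so that a derived SRH
    can be checked field by field."""
    nh, hel, rt, sl, le, fl, tag = struct.unpack("!BBBBBBH", srh[:8])
    if len(srh) != 8 * (hel + 1):
        raise ValueError("Hdr Ext Len disagrees with the SRH length")
    if rt != SRH_ROUTING_TYPE:
        raise ValueError("not an SRH")
    if sl > le:
        raise ValueError("Segments Left exceeds Last Entry")
    end = 8 + 16 * (le + 1)
    if end > len(srh):
        raise ValueError("Last Entry exceeds the SRH length")
    segs = [ipaddress.IPv6Address(srh[8 + 16 * i:24 + 16 * i]) for i in range(le + 1)]
    return {"next_header": nh, "segments_left": sl, "last_entry": le,
            "flags": fl, "tag": tag, "segments": segs, "tlvs": srh[end:]}
```

   With the destination 2001:abcd::5, the RR segments fc00::1,fc00::5,
   Tag 3 and one Opaque Container TLV, the result carries Segments Left
   and Last Entry of 2 and the list [2001:abcd::5, fc00::1, fc00::5], as
   in Figure 4; a 4-octet Padding TLV is appended so that the 76 octets
   of header, segments and TLV become 80.  Since the SRH indexes the
   active segment with Segments Left, the first segment actually visited
   is the last address of the RR list.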

4.  Security considerations

   [I-D.ietf-6man-segment-routing-header] explores security issues
   related to the SRH itself.
   [I-D.filsfils-spring-srv6-network-programming] documents how an
   administrative domain can prevent external traffic from using its
   SRv6-based services.  This section focuses on the security threats
   raised by the SR6 RR.

   Since the SR6 RR provides an SRH to be used by endhosts, the endhosts
   that request SR6 RRs must trust the information received from their
   DNS resolver.  In many networks, this trust comes from the network
   configuration.  In addition, techniques such as DNSSEC [RFC4033] or
   DNS over TLS [RFC7858] can be used to prevent situations where an
   attacker could modify the SR6 RR of DNS responses.

5.  IANA Considerations

   This document requests IANA to assign a DNS RR data type value for
   the SR6 RR type under the "Resource Record (RR) TYPEs" subregistry
   under the "Domain Name System (DNS) Parameters" registry.

6.  Acknowledgements

   The authors would like to thank David Lebrun for his contribution to
   the design of the SR6 RR.

7.  References

7.1.  Normative References

   [I-D.ietf-6man-segment-routing-header]
              Previdi, S., Filsfils, C., Raza, K., Dukes, D., Leddy, J.,
              Field, B., daniel.voyer@bell.ca, d.,
              daniel.bernier@bell.ca, d., Matsushima, S., Leung, I.,
              Linkova, J., Aries, E., Kosugi, T., Vyncke, E., Lebrun,
              D., Steinberg, D., and R. Raszuk, "IPv6 Segment Routing
              Header (SRH)", draft-ietf-6man-segment-routing-header-08
              (work in progress), January 2018.

   [I-D.ietf-spring-segment-routing]
              Filsfils, C., Previdi, S., Ginsberg, L., Decraene, B.,
              Litkowski, S., and R. Shakir, "Segment Routing
              Architecture", draft-ietf-spring-segment-routing-15 (work
              in progress), January 2018.

   [I-D.ietf-spring-segment-routing-mpls]
              Bashandy, A., Filsfils, C., Previdi, S., Decraene, B.,
              Litkowski, S., and R. Shakir, "Segment Routing with MPLS
              data plane", draft-ietf-spring-segment-routing-mpls-12
              (work in progress), February 2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
              editor.org/info/rfc2119>.

7.2.  Informative References

   [I-D.filsfils-spring-srv6-network-programming]
              Filsfils, C., Leddy, J., daniel.voyer@bell.ca, d.,
              daniel.bernier@bell.ca, d., Steinberg, D., Raszuk, R.,
              Matsushima, S., Lebrun, D., Decraene, B., Peirens, B.,
              Salsano, S., Naik, G., Elmalky, H., Jonnalagadda, P.,
              Sharif, M., Ayyangar, A., Mynam, S., Henderickx, W.,
              Bashandy, A., Raza, K., Dukes, D., Clad, F., and P.
              Camarillo, "SRv6 Network Programming", draft-filsfils-
              spring-srv6-network-programming-03 (work in progress),
              December 2017.

   [I-D.ietf-isis-segment-routing-extensions]
              Previdi, S., Ginsberg, L., Filsfils, C., Bashandy, A.,
              Gredler, H., Litkowski, S., Decraene, B., and J. Tantsura,
              "IS-IS Extensions for Segment Routing", draft-ietf-isis-
              segment-routing-extensions-15 (work in progress), December
              2017.

   [I-D.ietf-ospf-ospfv3-segment-routing-extensions]
              Psenak, P., Filsfils, C., Previdi, S., Gredler, H.,
              Shakir, R., Henderickx, W., and J. Tantsura, "OSPFv3
              Extensions for Segment Routing", draft-ietf-ospf-ospfv3-
              segment-routing-extensions-11 (work in progress), January
              2018.

   [I-D.ietf-spring-ipv6-use-cases]
              Brzozowski, J., Leddy, J., Filsfils, C., Maglione, R., and
              M. Townsley, "IPv6 SPRING Use Cases", draft-ietf-spring-
              ipv6-use-cases-12 (work in progress), December 2017.

   [I-D.ietf-spring-oam-usecase]
              Geib, R., Filsfils, C., Pignataro, C., and N. Kumar, "A
              Scalable and Topology-Aware MPLS Dataplane Monitoring
              System", draft-ietf-spring-oam-usecase-10 (work in
              progress), December 2017.

   [I-D.ietf-spring-resiliency-use-cases]
              Filsfils, C., Previdi, S., Decraene, B., and R. Shakir,
              "Resiliency use cases in SPRING networks", draft-ietf-
              spring-resiliency-use-cases-12 (work in progress),
              December 2017.

   [I-D.ietf-spring-segment-routing-msdc]
              Filsfils, C., Previdi, S., Mitchell, J., Aries, E., and P.
              Lapukhov, "BGP-Prefix Segment in large-scale data
              centers", draft-ietf-spring-segment-routing-msdc-08 (work
               in progress), December 2017.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, DOI 10.17487/RFC4033, March 2005,
              <https://www.rfc-editor.org/info/rfc4033>.

   [RFC7858]  Hu, Z., Zhu, L., Heidemann, J., Mankin, A., Wessels, D.,
              and P. Hoffman, "Specification for DNS over Transport
              Layer Security (TLS)", RFC 7858, DOI 10.17487/RFC7858, May
              2016, <https://www.rfc-editor.org/info/rfc7858>.

   [SR6Demo]  Filsfils, C., Clad, F., Camarillo, P., Liste, J.,
              Jonnalagadda, P., Sharif, M., Salsano, S., and A.
              AbdelSalam, "IPv6 Segment Routing", SIGCOMM'17, Industrial
              demo, August 2017.

   [SR6Linux]
              Lebrun, D. and O. Bonaventure, "Implementing IPv6 Segment
              Routing in the Linux Kernel", Applied Networking Research
              Workshop 2017, July 2017,
              <http://www.segment-routing.org>.

   [SRN2018]  Lebrun, D., Jadin, M., Clad, F., Filsfils, C., and O.
              Bonaventure, "Software Resolved Networks - Rethinking
              Enterprise Networks with IPv6 Segment Routing", SOSR'18 -
              Symposium on SDN Research, 2018,
              <https://inl.info.ucl.ac.be/publications/software-
              resolved-networks-rethinking-enterprise-networks-ipv6-
              segment-routing>.

Authors' Addresses

   Mathieu Jadin
   UCLouvain

   Email: mathieu.jadin@uclouvain.be


   Francois Clad
   Cisco Systems, Inc.

   Email: fclad@cisco.com


   Olivier Bonaventure
   UCLouvain

   Email: olivier.bonaventure@uclouvain.be